Network Load Balancer (NLB) is a pre-configured VDC element that provides connection-based layer 4 load balancing features and functionality. It is fully managed by IONOS Cloud, deeply integrated into our Software-Defined Networking (SDN) stack, and includes the automatic disaster recovery and robust security features required for fault-tolerant applications.
The current version of the NLB includes an automatic disaster recovery mechanism; in the event of an outage, the service will recover automatically within a few minutes.
NLB serves as a single entry and exit point for all client traffic. Connection requests are accepted by the listener. Sessions are distributed for parallel processing across multiple compute resources (targets) according to defined forwarding rules. NLB keeps active sessions mapped to the same targets (sticky sessions) and performs health checks, routing traffic only to the healthy targets.
NLB is a proxy load balancer: client connections are terminated at the balancer and mapped 1:1 to connections that the balancer initiates to targets. This is called two-arm load balancing because the load balancer has two arms (interfaces), one facing clients and the other facing targets.
NLB provides the following features:
  • Performance
  • Scalability
  • Redundancy and fault tolerance
  • Deployment flexibility
  • Reduced or zero downtime
  • Fully-managed service
  • High throughput — low latency
  • Health monitoring
  • Sticky sessions
New High availability (HA) uptime features for the NLB are in fast-track development. Once implemented, HA will be rolled out automatically across all preexisting NLB instances, reducing failover recovery from minutes to seconds.

Network Address Translation modifies IP header network address information to direct traffic as it transits from public to private address space.
NLB performs destination NAT (DNAT) to map (connect) the clients to the targets. Source NAT (SNAT) is not supported; targets cannot initiate network connections through the load balancer.

Sticky sessions (source IP affinity) maintain client sessions mapped to the same targets for as long as the TCP sessions stay active.

The listener is the client-facing arm of the load balancer. It accepts connections from clients through an exposed IP address and a configured listener port. NLB has a single listener interface that can support multiple IPs with different forwarding rules.
The listener of a public load balancer is exposed to and accepts client connections directly from the Internet. Public load balancers serve as edge devices that handle "north-south" traffic, flowing in and out of the data center.
The listener of a private load balancer is exposed to a private network. Private load balancers handle "east-west" traffic, flowing internally within the data center.
Listener IPs are configured in the Settings tab of the Inspector.
NLB comes with basic firewall rules that are applied automatically based on the forwarding rules, and cannot be changed. However, additional firewall rules can be configured for the NICs of the targets.

The NLB backend exposes a private IP to targets as the source of client traffic.
The backend private IP is derived from the network mask of the connected target network; if no LAN is connected to the southern interface, no default IP can be set.
Once a target network is connected and the changes are provisioned, the backend identifies the network mask and automatically reserves the recommended IP x.x.x.225.
The target network can also be configured manually; any potential IP conflicts will have to be resolved at the provisioning stage.
Multiple backend private IPs can be configured with different rules on the same NLB.
Backend IPs are configured in the Private IP tab of the Inspector.
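Because targets see the backend private IP as the source of client traffic, the additional firewall rules on target NICs can be narrowed to that IP. The following added example (not IONOS code) audits such rules; the data layout, field names, and addresses are constructed for illustration and are not the IONOS API schema, and it assumes ingress on each target NIC is denied unless a rule allows it.

```python
import ipaddress

# Constructed sample data (hypothetical field names, not the IONOS API schema).
NLB_BACKEND_IPS = ["10.7.222.225"]
TARGETS = [("10.7.222.11", 8080), ("10.7.222.12", 8080)]
NIC_RULES = {
    "10.7.222.11": [
        {"source": "10.7.222.225/32", "port_start": 8080, "port_end": 8080},
    ],
    "10.7.222.12": [
        {"source": "0.0.0.0/0", "port_start": 8000, "port_end": 9000},
    ],
}


def audit_target_rules(backend_ips, targets, nic_rules):
    """Return (target_ip, port, finding) tuples for rules that do not
    match the two-arm model: only the NLB backend should reach the target."""
    backends = [ipaddress.ip_address(ip) for ip in backend_ips]
    findings = []
    for ip, port in targets:
        # Rules on this NIC whose port range covers the target port.
        covering = [r for r in nic_rules.get(ip, [])
                    if r["port_start"] <= port <= r["port_end"]]
        nets = [ipaddress.ip_network(r["source"]) for r in covering]
        # Each backend IP must be allowed, or forwarded traffic is dropped.
        for b in backends:
            if not any(b in n for n in nets):
                findings.append((ip, port, f"backend {b} not allowed"))
        # A source wider than one backend IP lets other hosts reach the
        # target port directly, bypassing the balancer.
        for n in nets:
            if not (n.num_addresses == 1 and n.network_address in backends):
                findings.append(
                    (ip, port, f"source {n} is wider than the NLB backend"))
    return findings


if __name__ == "__main__":
    for finding in audit_target_rules(NLB_BACKEND_IPS, TARGETS, NIC_RULES):
        print(finding)
```
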

Targets are the compute resources, such as VM instances, containers, microservices, or appliances, to which the traffic is distributed for processing. NLB backend serves registered targets using an IP address and a TCP port.
Targets can be added or removed and capacities scaled without disrupting the overall flow of connection requests. Targets are configured per Forwarding rule.
The traffic is distributed in proportion to the target "weight" relative to the combined weight of all targets. A target with a higher weight receives a greater share of traffic. The default target weight is 1, and the maximum is 256. Target weight is configured for each target.
NLB performs Health checks to ensure that traffic is forwarded only to active targets. All health check-related metrics can be customized. Learn more about Health checks.
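The following added example (not IONOS code) works through the weight rule together with health checks: it computes each target's share of traffic and then checks which single-target failures would push a surviving target past its capacity. Target names, capacities, the peak session count, and the lower weight bound are assumptions made for the example.

```python
MAX_WEIGHT = 256  # maximum target weight stated above; the default is 1


def traffic_shares(targets):
    """targets: {name: {"weight": int, "healthy": bool}} -> {name: share}.
    Only healthy targets receive traffic; shares are weight / total weight."""
    for name, t in targets.items():
        # Lower bound (> 0) is an assumption; the upper bound is documented.
        if not 0 < t["weight"] <= MAX_WEIGHT:
            raise ValueError(f"{name}: weight {t['weight']} out of range")
    healthy = {n: t["weight"] for n, t in targets.items() if t["healthy"]}
    total = sum(healthy.values())
    return {n: (healthy.get(n, 0) / total if total else 0.0) for n in targets}


def overloaded_after_failure(targets, capacity, peak_sessions):
    """For each single failed target, list the surviving targets whose share
    of peak_sessions exceeds their capacity (hypothetical sizing inputs)."""
    result = {}
    for failed in targets:
        scenario = {n: dict(t, healthy=t["healthy"] and n != failed)
                    for n, t in targets.items()}
        shares = traffic_shares(scenario)
        over = sorted(n for n, s in shares.items()
                      if s * peak_sessions > capacity[n])
        if over:
            result[failed] = over
    return result


# Constructed sample: one double-weight target and two default-size ones.
SAMPLE_TARGETS = {
    "a": {"weight": 2, "healthy": True},
    "b": {"weight": 1, "healthy": True},
    "c": {"weight": 1, "healthy": True},
}
SAMPLE_CAPACITY = {"a": 600, "b": 400, "c": 400}  # sessions each can hold

if __name__ == "__main__":
    print(traffic_shares(SAMPLE_TARGETS))
    print(overloaded_after_failure(SAMPLE_TARGETS, SAMPLE_CAPACITY, 1000))
```

The shares describe how new sessions are spread; sessions already mapped to a target stay there while they are active.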

NLB operates at TCP/IP layer 4 of the Open Systems Interconnection (OSI) model. NLB will distribute any TCP-based network traffic, including upper application layer protocols, such as HTTP and HTTPS. However, rules and health checks are strictly TCP-based, which means that HTTP rules (e.g., routing decisions based on the URL) are not supported.
SNAT Support: Managed NLB is not configured to support Source NAT (SNAT); targets cannot initiate network connections through the load balancer.