This section highlights the observability features of the Network Load Balancer (NLB) access logging. The NLB supports extensive logging, which provide visibility into the network traffic. When enabled, all logs are transmitted to our observability system, where they can be queried and analyzed for valuable insights. Central logging must be enabled for this functionality, ensuring effective monitoring and troubleshooting of network traffic. This allows for proactive identification and resolution of potential issues, enhancing overall network performance and reliability.
Note: This feature is only available for newly created NLBs in non-US datacenters and requires central logging to be enabled as a prerequisite.
Once central logging is enabled, logs from your NLB will be sent to the logging service. You can access and analyze these logs using a dedicated Grafana instance.
Note: The Grafana URL where the logs will be available will follow the pattern as in this example: https://grafana.d6b7a2374abe.dev.logging.de-txl.ionos.com/
where d6b7a2374abe
is a hash of the contract number.
Requirement: Enabling central logging is mandatory for the NLB to send logs.
Configuration: Send a POST
request to the NLB endpoint to enable central logging. Here's an example using curl:
Note:
Set centralLogging to true.
Replace datacenterId
and TOKEN
with your actual data center ID and authorization token.
Note: We can enable/disable central logging via PUT requests as well.
Note: Enabling central logging incurs additional costs.
Select the NLB element to open its properties in the Inspector pane on the right. The name of the NLB and the number of balanced Network Interface Cards (NIC)are displayed at the top of the pane.
Configuration options are grouped under the following three tabs:
NLB Listener accepts connections from clients through an exposed IP address (Primary IPv4) and configured listener port. The Listener interface can also monitor additional IPs (Add IP). Listener IPs can be private (for local networks) or public (exposed to the Internet). Public IPs must be reserved before they can be used. For more information, see Listener.
Provide the following information in the Settings:
Name: You can use the default or enter a new name for the NLB.
By clicking on Load Balancer you can show or hide the Primary IPv4 and Add IP settings.
Primary IPv4: Assign the first (primary) Listener IP address. For Automatic, no entry is required; a private primary Listener IP address will be assigned automatically on provisioning.
For private IP, enter a private IP address directly. For public IP, Public IP is required for an NLB that is connected to the Internet.
Public IPs must be reserved first. You can reserve public IPs by following the steps in Reserve an IPv4 address.
Add IP: Assign one or more additional Listener IPs; additional IPs are optional. For private IP, choose Add private IP and enter the address directly.
Reserve public IP: Available only when no reserved public IPs exist. Select Add IP > Reserve public IP, enter a name for the IP block, the number of IPs to be reserved, and select Reserve IPs.
Public IP: Public IPs must already have been reserved. Select Add IP and choose a reserved IP block name from the drop-down list, then select a reserved IP address.
Multiple IPs: Use Add IP again to add as many IPs as needed. All added private and public IPs are listed below the IP settings.
Configuration changes are saved only once the VDC is provisioned.
Forwarding rules define how your traffic is distributed to the targets. More than one forwarding rule can be created for the same load balancer.
In Forwarding rules tab, you can create a Forwarding rule, add its Target or adjust the Health-Check settings.
Select + Add forwarding rules to create a rule. Provide the following information:
Name: Enter the name of the rule.
Algorithm: Select an algorithm from the drop-down list. The algorithm involves defining the conditions that determine how incoming traffic is distributed among the targets in the target group.
Round Robin: Allows equal distribution of requests among the servers with time. It distributes incoming network traffic or requests across servers in a circular, sequential order based on their weights.
Least connections: Allows the distribution of incoming network traffic or requests among a group of servers based on the current number of active connections. The server with the fewest active connections receives the next request.
Random: Allows the distribution of incoming requests randomly among the available servers.
Source IP: Allows IP address of incoming network requests to determine how to distribute the traffic among the available servers.
Protocol: This field is preset and defines how data is transmitted between devices. The default value is set to TCP.
Listener IP: Select an IP address from the drop-down list. It is the address that you use to reach the load balancer.
Listener Port: Select a port from the drop-down list. It is the port on which the load balancer will receive the incoming requests.
Select Create to create the forwarding rule.
Result: A forwarding rule is successfully created. Select the name of the forwarding rule to expand or collapse its settings. You can use the Add forwarding rule option again to create as many rules as needed. All of the forwarding rules are listed on the right side under the Forwarding rules tab.
Select Add target to add targets for your forwarding rule and provide the following information:
Target IP: Select a Target IP value from the drop-down list. A Target IP is assigned so that the addresses of all hosts on a given network share a common prefix.
Target port: Select a value from the drop-down list. This is the specific port on which a service or application is running on a server.
Weight: Enter a target weight from 1 to 256. This value refers to the relative capacity or priority assigned to each target within the group. A target with a higher weight gets a larger share of traffic. The default weight value is set to 1.
Proxy Protocol: Select a value from the drop-down list to enable it. You can preserve and send the connection information to your backend instances, such as Apache, NGINX, or an ingress controller inside Kubernetes. Ensure your backend instances are up and running and have proxy protocol enabled. The following options are available for the Proxy Protocol:
none: for disabling the proxy protocol
v1: for plain text format
v2: for binary format
v2ssl: for encrypted binary format
Select Add Target to create the new target.
Result: A target is successfully created for your forwarding rule.
Select the Settings option next to the Health Check field to configure the Health Check Settings for this forwarding rule. A Health Check Settings window will open up. Provide the following information:
Client timeout: Enter the duration in which the NLB will not break the TCP connection established with the client. The default value is set to 50000 milliseconds(ms). This inactivity timeout is applied when the client is expected to acknowledge or send the data.
Connection timeout: Enter the maximum amount of time the load balancer is willing to wait for a response from the server before considering the server unhealthy. The default value is set to 5000 milliseconds(ms).
Target timeout: Enter the maximum amount of time the load balancer is willing to wait for a response from the server when performing a health check on that server. The default value is set to 50000 milliseconds(ms).
Retries: Enter the number of attempts the load balancer will make to establish a successful connection or receive a valid response from the server before marking it as unhealthy. The default value is set to 3.
Result: The Health-Check Settings are successfully configured for your forwarding rule.
NLB backend exposes a private IP to targets as the source of client traffic. The backend IP address is configurable and defaults to x.x.x.225. Backend IPs are listed in the NLB Inspector under the Private IPs tab.
It is best to use the default IP address in most cases. To change an already-provisioned IP, delete the existing IP address first and then add a new one.
Select the arrow and then select Remove IP to delete the IP address.
Enter an IP address in CIDR notation (e.g. 10.10.10.225/24), and click Add IP. The new IP must be private and match the subnet mask of the Target network.
Use Add IP again to add as many private IPs as needed. All added IPs are listed under the Private IPs.
The Managed Network Load Balancer (NLB) is a pre-configured VDC element that provides connection-based layer 4 load balancing features and functionality. It is fully managed by IONOS, deeply integrated into our Software-Defined Networking (SDN) stack, deployed in a highly available setup, and offers robust security features required for fault-tolerant applications.
NLB serves as a single entry and exit point for all client traffic. Connection requests are accepted by the listener, and according to the defined forwarding rules, the sessions are distributed for parallel processing across multiple compute resources (targets). NLB keeps active sessions mapped to the same targets (sticky sessions), performs health checks, and routes traffic only to healthy targets.
NLB is a proxy load balancer, client connections are terminated at the balancer and mapped 1:1 to connections that the balancer initiates to targets. This is called two-arm load balancing because the load balancer has two arms (interfaces) - one facing clients and the other facing targets.
NLB provides the following features:
Performance
Scalability
Redundancy and fault tolerance
Deployment flexibility
Reduced or zero downtime
Fully-managed service
High throughput — low latency
Health monitoring
Sticky sessions
High Availability
In NLB, you can enable Proxy Protocol for targets, to provide enhanced flexibility and compatibility in handling incoming connections.
NAT modifies IP header network address information to direct traffic as it moves from public to private address space. In the context of the Managed Network Load Balancer, this means that client connections are terminated on the load balancer, and the load balancer initiates a dedicated connection with the backend target servers.
NLB performs destination NAT (DNAT) to map (connect) the clients to the targets. Source NAT (SNAT) is not supported; targets cannot initiate network connections through the load balancer.
Forwarding rules are configuration settings that dictate how network traffic is forwarded from a source to a destination in the context of network devices, such as routers or switches. These rules determine the routing path and actions taken on incoming packets.
Sticky sessions (source IP affinity) maintain client sessions mapped to the same targets for as long as the TCP sessions stay active.
The client-facing arm of the load balancer, the listener accepts the connections from clients through an exposed IP address and configured listener port. NLB has a single listener interface that can support multiple IPs with different forwarding rules.
The listener of a public load balancer is exposed to and accepts client connections directly from the Internet. Public load balancers serve as edge devices that handle "north-south" traffic flowing in and out of the data center.
The listener of a private load balancer is exposed to a private network. Private load balancers handle "east-west" traffic flowing internally within the data center.
Listener IPs are configured in the Settings tab of the Inspector.
NLB comes with basic firewall rules that are applied automatically based on the forwarding rules and cannot be changed. However, additional firewall rules can be configured for the NICs of the targets.
NLB backend exposes a private IP to targets as the source of client traffic.
Backend private IP is derived from the network mask of the target network connected; if no LAN is connected to the Southern interface, no default IP can be set.
Once a target network is connected and the changes are provisioned, the backend identifies the network mask and reserves recommended IP x.x.x.225 automatically.
Target network can be configured manually; any potential IP conflicts will have to be resolved at the provisioning stage.
Multiple backend private IPs can be configured with different rules on the same NLB.
Backend IPs are configured in the Private IP tab of the Inspector.
Targets are the compute resources, such as VM instances, containers, microservices, or appliances, to which the traffic is distributed for processing. NLB backend serves registered targets using an IP address and a TCP port.
Targets can be added or removed and capacities scaled without disrupting the overall flow of connection requests. Targets are configured per Forwarding rule.
The traffic is distributed in proportion to the target weight relative to the combined weight of all targets. A target with a higher weight receives a greater share of traffic. The default target weight is 1, and the maximum is 256. Target weight is configured for each target.
You can also enable Proxy Protocol to preserve and send the client IP details.
NLB performs Health checks to ensure that traffic is forwarded only to active targets. All health check-related metrics can be customized. Learn more about Health checks.
The Managed Network Load Balancer will be regularly maintained by IONOS and updated with the latest software versions and new features. IONOS reserves a weekly maintenance window which it can use for regular updates. It is scheduled every Monday between 02:00 - 04:00 am local time of the data center in which the Managed Network Load Balancer service is deployed. During maintenance, a service interruption of up to 5 seconds may occur. Aside from that service interruption, no further service impact is anticipated, and the Managed Network Load Balancer will continue to operate within its service description and configuration.
Additional update deployments may be carried out outside the maintenance window, for example, in the case of urgent security patches.
NLB operates at TCP/IP layer 4 of the Open Systems Interconnection (OSI) model. NLB will distribute any TCP-based network traffic, including upper application layer protocols, such as HTTP and HTTPS. However, rules and health checks are strictly TCP-based, which means that HTTP rules (e.g., routing decisions based on the URL) are not supported.
SNAT Support: Managed NLB is not configured to support Source NAT (SNAT); targets cannot initiate network connections through the load balancer.
Prerequisites: The Network Load Balancer (NLB) needs a private network with targets (such as VM instances), to distribute the client sessions. The targets must be provisioned already, and the connection requests can come through the internet access element or a separate private network.
Add the NLB element by dragging it into the Workspace.
Connect NLB. NLB element has two interfaces, "Northern" at the top and "Southern" at the bottom. The northern interface is the Listener that connects to the clients, and the southern interface is the Backend that connects to the targets. Connect the northern interface (Listener) to the internet access element or a private network.
Connect the southern interface (Backend) to the private network containing the targets.
An existing NLB can be modified at any time. Please note that the provisioning process cannot be undone. Your password may be required for editing some of the elements as an additional security measure.
If you need to delete the NLB, right-click the element and choose Delete.
The load balancers created in the DCD enable load balancing on several servers in the network using the round-robin method.
The load balancer receives an IP address from the DHCP. Alternatively, you can assign a reserved IP address to it via its NIC. All servers connected to the load balancer receive this IP address. Direct communication between the servers (via the load balancer network) is, therefore, not possible.
An additional management network is thus recommended for configuring servers with a load balancer. Configuration via the load balancer is hardly possible since the round-robin procedure prevents a targeted connection with certain servers.
Drag the load balancer element from the palette into the workspace.
Connect the load balancer to the required servers.
Connect the load balancer to internet access.
Set the properties of the load balancer by selecting the element in the workspace** and opening its properties in the Inspector > Settings:
Name: Enter a name.
Name (NIC): Enter a name for the NIC of the load balancer.
The MAC address will be assigned automatically upon provisioning and cannot be changed.
Primary IP: The primary IP address is automatically assigned by the IONOS DHCP server. You can, however, enter an IP address for manual assignment by selecting one of the reserved IP addresses from the drop-down list. Private IP addresses (according to RFC 1918) must be entered manually.
DHCP: It is often necessary to run a DHCP server in your virtual data center (e.g., PXE boot for fast rollout of VMs). If you use your own DHCP server, clear this check box so that the IONOS DHCP server does not reassign your IPs.
In the Balanced NICs tab, you can check which servers are connected to the load balancer through which NIC.
(Optional) Make further changes to your data center.
Provision your changes.
The load balancer is now active according to your settings.
Learn how to configure a Network Load Balancer inside of the DCD.
Configure Settings, Private IP's and Forwarding Rules.
Learn how to access logging system