Create TCP Load Balancer

• Log into Console.

• Click Multi-Cloud App Connect.

Figure: Console Homepage

• Select your namespace from the menu.

• Select Manage > Load Balancers > TCP Load Balancers.

• Click Add TCP Load Balancer to open the load balancer creation form.

Figure: Load Creation Form

• In the Metadata section, enter a name for your TCP load balancer.

• Optionally, set labels and enter a description for your TCP load balancer.

Figure: Creation Form

• In the Basic Configuration section, perform the following:

  • Click Add Item to add a domain. You can add more than one domain.

  • In the Domains field, enter the name of the domain to be used with this load balancer.

  • In the Listen Port field, enter a number. This is the TCP listening port. If you require multiple ports, then enable the Show Advanced Fields toggle for the Basic Configuration section, select Port Ranges from the Listen Port drop-down menu, and then enter a list of non-overlapping port ranges with a maximum of 64 ports in the list, e.g. 443,100-120,8080,9080-9089.

  • Optionally, from the SNI and Default LB choice menu, select whether to enable Server Name Indication (SNI) for this load balancer. To display the SNI and Default LB option, enable the Show Advanced Fields option.

  • Optionally, select Automatically Manage DNS Records to have your DNS records managed by Distributed Cloud Services.

Figure: List of Domains

• In the Origin Pools field, perform the following:

  • Click Add Item to open the configuration form.

  • From the Origin Pool drop-down menu, select an existing origin pool or click Add Item to create and apply a new origin pool.

• Optionally, enter values for the Weight and Priority fields.

• Click Apply.

Figure: Origin Pool Configuration

Note: You can click Add Item to add more routes per your requirements.

Note: In case of tenants with shared VIPs, advertising on a public network is supported only with the proxy type TCP_PROXY_WITH_SNI and on port 443.

• From the Where to Advertise the VIP menu, select an option:

  • Advertise On Public: This option advertises the load balancer on a public network. Default option.

  • Advertise Custom: This option enables you to configure your own advertisement policy.

Figure: Advertise VIP

• To configure a custom VIP:

  • Select Advertise Custom.

  • Click Configure.

  • Click Add Item.

  • From the Select Where to Advertise menu, select an option:

    • Site

    • Virtual Site

    • vK8s Service Network on RE

    • Virtual Network

  • From the Site Network menu, select a network type. Or select both types in case you selected Site or Virtual Site as the advertisement location.

  • Select an appropriate reference object from the Site Reference menu.

  • For Site only, enable Show Advanced Fields and then enter an IP address in the IP Address field.

  • Configure a TCP listener port or select the default option from the TCP Listen Port Choice menu. The default option sets port 80 for HTTP and port 443 for HTTPS. Select TCP Listen Port to enter a custom port number.

  • Select Apply.

  • Select Apply again to apply the custom advertise VIP configuration.

In the Load Balancing Control section, configure the load balancer.

• From the Load Balancer Type menu, select an option:

  • TCP: This creates a standard TCP load balancer.

  • TLS over TCP with Automatic Certificate: This creates the TCP load balancer with an automatic TLS certificate. If you select this option, select whether to have Distributed Cloud Services manage your DNS records with Automatically Manage DNS Records. This option requires you to have delegated your domain to Distributed Cloud Services.

  • TLS over TCP with Custom Certificate: This creates the TCP load balancer with your custom TLS certificate.

Note: Do not add both wildcard and top level domains (for example, *.example.com and example.com) if you are using an automatic certificate for different load balancers.

Note: In case of applications that use protocols, such as FTPS or Application Layer Gateway (ALG), where the protocol expects a response, the TCP load balancer using TLS is not supported. For this use case, the load balancer does not support the additional protocol specific response in the message sequence.

Automatic Certificate

Note: Domain delegation is not supported for automatic certificates for customer edge (CE) sites.

• If you select the TLS over TCP with Automatic Certificate option, select a security level from the TLS Security Level menu. The following options are supported:

  • High: This option uses TLS v1.2 with PFS ciphers and strong algorithms.

  • Medium: This option uses TLS v1.0 with PFS ciphers and medium strength algorithms.

  • Low: This option uses TLS v1.0 with non-PFS ciphers and weak algorithms.

  • Custom: This option allows you to configure a custom security level.

Figure: TLS Security Levels

• For the Custom security level, perform the following:

  • From the Minimum TLS version menu, select an option for the minimum TLS version, or you can have F5 Distributed Cloud Services choose the optimal version for you.

  • From the Maximum TLS version menu, select an option for the maximum TLS version, or you can have F5 Distributed Cloud Services choose the optimal version for you.

  • From the Cipher Suites menu, select the cipher suite. You can choose more than one suite using the Add Item option.

Figure: TLS Custom Security Configuration

• From the Load Balancing Control menu, select an option:

  • Round Robin

  • Least Active Connections

  • Random

  • Source IP Stickiness

• From the Service Policies menu, select an option to apply the service policy. The following options are available:

  • Apply Namespace Service Policies: This option applies the active service policies of the namespace to the load balancer.

  • Do Not Apply Service Policies: This option does not apply any service policy.

  • Apply Specified Service Policies: This option applies a specific service policy to the load balancer.

• To apply a specific service policy, select Apply Specified Service Policies, and perform the following:

  • Click Configure.

  • From the Policies page, click Configure, select a service policy from the drop-down, and then click Apply. You can add more than one policy using the Add Item button.

  • Click Apply in the Policies page.

• In the Advanced Configuration section, enable the Show Advanced Fields option.

• From the Idle Timeout field, set an amount for the stream.

• Optionally, configure cluster retraction:

  • From the Select Cluster retract option menu, select an option to specify whether the cluster is retracted or not.

Figure: Advanced Options

• Click Save and Exit.

• Verify that the requests to the configured domain are processed successfully using a terminal.

The following sample shows an example command sent for a DNS query over TCP:

dig +tcp @dns.mydistributed.cloud www.mydistributed.cloud