TCP Load Balancer

Objective

This guide provides instructions on how to create a TCP load balancer in F5® Distributed Cloud Console (Console) using guided configuration that walks you through the steps of configuring metadata to advanced configuration. This includes configuring the required objects for the virtual host. To learn more about virtual host concepts, see Virtual Host.

Using guided creation for TCP load balancer, you can create the following types of load balancers:

  • TCP load balancer
  • TCP load balancer with your own TLS certificate
  • TCP load balancer with automatic TLS certificate (minted by F5® Distributed Cloud Services)

Using the instructions provided in this guide, you can perform the following:

  • Create and advertise a TCP load balancer
  • Create and advertise a TCP load balancer with your TLS certificate or with the certificate minted by Distributed Cloud Services

Note: Distributed Cloud Services support automatic certificate generation and management. You can either delegate your domain to Distributed Cloud Services or add the CNAME record to your DNS records in case you do not delegate the domain to Distributed Cloud Services. See Automatic Certificate Generation for certificates managed by Distributed Cloud Services. See Delegate Domain for more information on how to delegate your domain to Distributed Cloud Services.


Prerequisites

The following prerequisites apply:

  • An F5® Distributed Cloud Services Account. If you do not have an account, see Create an Account.

  • A valid DNS domain delegated to Distributed Cloud Services. For instructions on how to delegate your domain, see Domain Delegation.

  • A Distributed Cloud Services CE site in cases of deploying your applications on CE site. If you do not have a site, create a site using the instructions included in the Site Management guides. See vK8s Deployment guides to deploy your applications on Distributed Cloud Services network cloud or edge cloud.


Configuration

The following video shows a tutorial for TCP load balancer creation:

The configuration option to create the TCP load balancer guides you through the steps for required configuration. This document covers each guided step and explains the required actions to be performed for each step.

Step 1: Navigate to the TCP load balancer configuration page.
  • Log into Console.

  • Click Load Balancers.

Figure: Console Homepage
Figure: Console Homepage

  • Select your namespace from the menu.

  • Select Manage > Load Balancers > TCP Load Balancers.

Step 2: Start load balancer creation process.
  • Click Add TCP Load Balancer to open the load balancer creation form.

Figure: Load Creation Form
Figure: Load Creation Form

  • In the Metadata section, enter a name for your TCP load balancer.

  • Optionally, set labels and enter a description for your TCP load balancer.

Figure: Creation Form
Figure: Creation Form

Step 3: Configure domain and listening port.
  • In the Basic Configuration section, perform the following:

    • Click Add Item to add a domain. You can add more than one domain.

    • In the Domains field, enter the name of the domain to be used with this load balancer.

    • In the Listen Port field, enter a number. This is the TCP listening port.

    • Optionally, from the SNI and Default LB choice menu, select whether to enable Server Name Indication (SNI) for this load balancer. To display the SNI and Default LB option, enable the Show Advanced Fields option.

    • Optionally, select Automatically Manage DNS Records to have your DNS records managed by Distributed Cloud Services.

Figure: List of Domains
Figure: List of Domains

Step 4: Configure origin pools.
  • In the Origin Pools field, perform the following:

    • Click Add Item to open the configuration form.

    • From the Origin Pool drop-down menu, select an existing origin pool or click Add Item to create and apply a new origin pool.

  • Optionally, enter values for the Weight and Priority fields.

  • Click Apply.

Figure: Origin Pool Configuration
Figure: Origin Pool Configuration

Note: You can click Add Item to add more routes per your requirements.

Step 5: Configure VIP advertisement.

Note: In case of tenants with shared VIPs, advertising on a public network is supported only with the proxy type TCP_PROXY_WITH_SNI and on port 443.

  • From the Where to Advertise the VIP menu, select an option:

    • Advertise On Public: This option advertises the load balancer on a public network. Default option.

    • Advertise Custom: This option enables you to configure your own advertisement policy.

Figure: Advertise VIP
Figure: Advertise VIP

  • To configure a custom VIP:

    • Select Advertise Custom.

    • Click Configure.

    • Click Add Item.

    • From the Select Where to Advertise menu, select an option:

      • Site

      • Virtual Site

      • vK8s Service Network on RE

      • Virtual Network

    • From the Site Network menu, select a network type. Or select both types in case you selected Site or Virtual Site as the advertisement location.

    • Select an appropriate reference object from the Site Reference menu.

    • For Site only, enable Show Advanced Fields and then enter an IP address in the IP Address field.

    • Configure a TCP listener port or select the default option from the TCP Listen Port Choice menu. The default option sets port 80 for HTTP and port 443 for HTTPS. Select TCP Listen Port to enter a custom port number.

    • Select Apply.

    • Select Apply again to apply the custom advertise VIP configuration.

Step 6: Set the load balancing type.

In the Load Balancing Control section, configure the load balancer.

  • From the Load Balancer Type menu, select an option:

    • TCP: This creates a standard TCP load balancer.

    • TLS over TCP with Automatic Certificate: This creates the TCP load balancer with an automatic TLS certificate. If you select this option, select whether to have Distributed Cloud Services manage your DNS records with Automatically Manage DNS Records. This option requires you to have delegated your domain to Distributed Cloud Services.

    • TLS over TCP with Custom Certificate: This creates the TCP load balancer with your custom TLS certificate.

Note: In case of applications that use protocols, such as FTPS or Application Layer Gateway (ALG), where the protocol expects a response, the TCP load balancer using TLS is not supported. For this use case, the load balancer does not support the additional protocol specific response in the message sequence.

Automatic Certificate
  • If you select the TLS over TCP with Automatic Certificate option, select a security level from the TLS Security Level menu. The following options are supported:

    • High: This option uses TLS v1.2 with PFS ciphers and strong algorithms.

    • Medium: This option uses TLS v1.0 with PFS ciphers and medium strength algorithms.

    • Low: This option uses TLS v1.0 with non-PFS ciphers and weak algorithms.

    • Custom: This option allows you to configure a custom security level.

Figure
Figure: TLS Security Levels

  • For the Custom security level, perform the following:

    • From the Minimum TLS version menu, select an option for the minimum TLS version, or you can have F5 Distributed Cloud Services choose the optimal version for you.

    • From the Maximum TLS version menu, select an option for the maximum TLS version, or you can have F5 Distributed Cloud Services choose the optimal version for you.

    • From the Cipher Suites menu, select the cipher suite. You can choose more than one suite using the Add Item option.

Figure
Figure: TLS Custom Security Configuration

Custom Certificate
  • If you select the TLS over TCP with Custom Certificate option, click Configure. Perform the following:

    • Select a security level from the TLS Security Level menu. The following options are supported:

    • High: This option uses TLS v1.2 with PFS ciphers and strong algorithms.

    • Medium: This option uses TLS v1.0 with PFS ciphers and medium strength algorithms.

    • Low: This option uses TLS v1.0 with non-PFS ciphers and weak algorithms.

    • Custom: This option allows you to configure a custom security level.

  • In the TLS Certificates section, click Add Item.

  • For the Certificate, enter it in PEM or Base64 format.

  • In the Private Key section, click Configure the blindfold secret, and then click Apply.

  • Click Apply.

  • Click Apply to complete the TLS certificate configuration.

Step 7: Set the load balancing control.
  • From the Load Balancing Control menu, select an option:

    • Round Robin

    • Least Active Connections

    • Random

    • Source IP Stickiness

Step 8: Set advanced configuration.
  • In the Advanced Configuration section, enable the Show Advanced Fields option.

  • From the Idle Timeout field, set an amount for the stream.

  • Optionally, configure cluster retraction:

    • From the Select Cluster retract option menu, select an option to specify whether the cluster is retracted or not.

Figure: Advanced Options
Figure: Advanced Options

Step 9: Complete creating the load balancer.
  • Click Save and Exit.

  • Verify that the requests to the configured domain are processed successfully using a terminal.

The following sample shows an example command sent for a DNS query over TCP:

dig +tcp @dns.mydistributed.cloud www.mydistributed.cloud

Concepts


API References