
Step Up to Modern Cloud Development

  • July 19, 2018

Oracle Load Balancer Classic configuration with Terraform

Stephen Cross
Director, Partner Enablement

(Originally published on Medium)

This article provides an introduction to using the Load Balancer resources to provision and configure an Oracle Cloud Infrastructure Load Balancer Classic instance using Terraform.

When using the Load Balancer Classic resources with the opc Terraform Provider, the lbaas_endpoint attribute must be set in the provider configuration.

provider "opc" {
  version         = "~> 1.2"
  user            = "${var.user}"
  password        = "${var.password}"
  identity_domain = "${var.compute_service_id}"
  endpoint        = "${var.compute_endpoint}"
  lbaas_endpoint  = "https://lbaas-1111111.balancer.oraclecloud.com"
}

First we create the main Load Balancer instance resource. The Server Pool, Listener and Policy resources will be created as child resources associated to this instance.

resource "opc_lbaas_load_balancer" "lb1" {
  name        = "examplelb1"
  region      = "uscom-central-1"
  description = "My Example Load Balancer"
  scheme      = "INTERNET_FACING"
  permitted_methods = ["GET", "HEAD", "POST"]
  ip_network        = "/Compute-${var.domain}/${var.user}/ipnet1"
}

To define the set of servers the load balancer will direct traffic to, we create a Server Pool, sometimes referred to as an origin server pool. Each server is defined by the combination of the target IP address, or hostname, and port. For the brevity of this example we’ll assume we already have a couple of instances on an existing IP Network with a web service running on port 8080.

resource "opc_lbaas_server_pool" "serverpool1" {
  load_balancer = "${opc_lbaas_load_balancer.lb1.id}"
  name          = "serverpool1"
  servers  = ["192.168.1.2:8080", "192.168.1.3:8080"]
  vnic_set = "/Compute-${var.domain}/${var.user}/vnicset1"
}

The Listener resource defines what incoming traffic the Load Balancer will direct to a specific server pool. Multiple Server Pools and Listeners can be defined for a single Load Balancer instance. For now we’ll assume all the traffic is HTTP, both to the load balancer and between the load balancer and the server pool. We’ll look at securing traffic with HTTPS later. In this example the load balancer is managing inbound requests for the site http://mywebapp.example.com and directing them to the server pool we defined above.

resource "opc_lbaas_listener" "listener1" {
  load_balancer = "${opc_lbaas_load_balancer.lb1.id}"
  name          = "http-listener"
  balancer_protocol = "HTTP"
  port              = 80
  virtual_hosts     = ["mywebapp.example.com"]
  server_protocol = "HTTP"
  server_pool     = "${opc_lbaas_server_pool.serverpool1.uri}"
  policies = [
    "${opc_lbaas_policy.load_balancing_mechanism_policy.uri}",
  ]
}

Policies are used to define how the Listener processes the incoming traffic. In the Listener definition we are referencing a Load Balancing Mechanism Policy to set how the load balancer allocates the traffic across the available servers in the server pool. Additional policy types could also be defined to control session affinity of

resource "opc_lbaas_policy" "load_balancing_mechanism_policy" {
  load_balancer = "${opc_lbaas_load_balancer.lb1.id}"
  name          = "roundrobin"
  load_balancing_mechanism_policy {
    load_balancing_mechanism = "round_robin"
  }
}

With that, our first basic Load Balancer configuration is complete. Well, almost. The last step is to configure a DNS CNAME record to point the source domain name (e.g. mywebapp.example.com) to the canonical host name of the load balancer instance. The exact steps to do this will depend on your DNS provider. To get the canonical_host_name, add the following output.

output "canonical_host_name" {
  value = "${opc_lbaas_load_balancer.lb1.canonical_host_name}"
}

Helpful Hint: if you are just creating the load balancer for testing and you don’t have access to a DNS name you can redirect, a workaround is to set the virtual host in the listener configuration to the load balancer's canonical host name. You can then use the canonical host name directly for the inbound service URL, e.g.

resource "opc_lbaas_listener" "listener1" { 
  ...
  virtual_hosts     = [
    "${opc_lbaas_load_balancer.lb1.canonical_host_name}"
  ]
  ...
}

Configuring the Load Balancer for HTTPS

There are two separate aspects to configuring the Load Balancer for HTTPS traffic, the first is to enable inbound HTTPS requests to the Load Balancer, often referred to as SSL or TLS termination or offloading. The second is the use of HTTPS for traffic between the Load Balancer and the servers in the origin server pool.

HTTPS SSL/TLS Termination

To configure the Load Balancer listener to accept inbound HTTPS requests for encrypted traffic between the client and the Load Balancer, create a Server Certificate providing the PEM encoded certificate and private key, and the concatenated set of PEM encoded certificates for the CA certification chain.

resource "opc_lbaas_certificate" "cert1" {
  name = "server-cert"
  type = "SERVER"
  private_key = "${var.private_key_pem}"
  certificate_body = "${var.cert_pem}"
  certificate_chain = "${var.ca_cert_pem}"
}

Now update the existing listener, or create a new one, for HTTPS.

resource "opc_lbaas_listener" "listener2" {
  load_balancer = "${opc_lbaas_load_balancer.lb1.id}"
  name          = "https-listener"
  balancer_protocol = "HTTPS"
  port              = 443
  certificates      = ["${opc_lbaas_certificate.cert1.uri}"]
  virtual_hosts     = ["mywebapp.example.com"]
  server_protocol = "HTTP"
  server_pool     = "${opc_lbaas_server_pool.serverpool1.uri}"
  policies = [
    "${opc_lbaas_policy.load_balancing_mechanism_policy.uri}",
  ]
}

Note that the server pool protocol is still HTTP; in this configuration traffic is only encrypted between the client and the load balancer.

HTTP to HTTPS redirect

A common pattern required for many web applications is to ensure that any initial incoming requests over HTTP are redirected to HTTPS for secure site communication. To do this we can update the original HTTP listener we created above with a new redirect policy.

resource "opc_lbaas_policy" "redirect_policy" {
  load_balancer = "${opc_lbaas_load_balancer.lb1.id}"
  name          = "example_redirect_policy"
  redirect_policy {
    redirect_uri = "https://${var.dns_name}"
    response_code = 301
  }
}
resource "opc_lbaas_listener" "listener1" {
  load_balancer = "${opc_lbaas_load_balancer.lb1.id}"
  name          = "http-listener"
  balancer_protocol = "HTTP"
  port              = 80
  virtual_hosts     = ["mywebapp.example.com"]
  server_protocol = "HTTP"
  server_pool     = "${opc_lbaas_server_pool.serverpool1.uri}"
  policies = [
    "${opc_lbaas_policy.redirect_policy.uri}",
  ]
}

HTTPS between Load Balancer and Server Pool

HTTPS between the Load Balancer and Server Pool should be used if the server pool is accessed over the Public Internet, and can also be used for extra security when accessing servers within the Oracle Cloud Infrastructure over the private IP Network.

This configuration assumes the backend servers are already configured to serve their content over HTTPS.

To configure the Load Balancer to communicate securely with the backend servers create a Trusted Certificate, providing the PEM encoded Certificate and CA authority certificate chain for the backend servers.

resource "opc_lbaas_certificate" "cert2" {
  name = "trusted-cert"
  type = "TRUSTED"
  certificate_body = "${var.cert_pem}"
  certificate_chain = "${var.ca_cert_pem}"
}

Next create a Trusted Certificate Policy referencing the Trusted Certificate.

resource "opc_lbaas_policy" "trusted_certificate_policy" {
  load_balancer = "${opc_lbaas_load_balancer.lb1.id}"
  name          = "example_trusted_certificate_policy"
  trusted_certificate_policy {
    trusted_certificate = "${opc_lbaas_certificate.cert2.uri}"
  }
}

And finally update the listener's server pool configuration to HTTPS, adding the trusted certificate policy.

resource "opc_lbaas_listener" "listener2" {
  load_balancer = "${opc_lbaas_load_balancer.lb1.id}"
  name          = "https-listener"
  balancer_protocol = "HTTPS"
  port              = 443
  certificates      = ["${opc_lbaas_certificate.cert1.uri}"]
  virtual_hosts     = ["mywebapp.example.com"]
  server_protocol = "HTTPS"
  server_pool     = "${opc_lbaas_server_pool.serverpool1.uri}"
  policies = [
    "${opc_lbaas_policy.load_balancing_mechanism_policy.uri}",
    "${opc_lbaas_policy.trusted_certificate_policy.uri}",
  ]
}
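Both certificate resources above take raw PEM strings, and a mismatched key, an incomplete chain, or a certificate issued for the wrong name is not visible in the Terraform plan; it only shows up later as a TLS failure at the HTTPS listener (cert1) or on the connection from the load balancer to the pool members (cert2). The Go program below is an added example, not part of the original article or of the opc provider, that runs those checks locally before terraform apply. It assumes certificate_body holds the leaf, certificate_chain holds the concatenated CA certificates including the self-signed root, that a SERVER certificate is checked against the listener's virtual host, and that a TRUSTED certificate is checked against each pool member's address (an IP here, matching the servers list above). CertBundle, Validate and NewSampleBundle are names introduced for this example; NewSampleBundle mints constructed throw-away certificates so the program runs offline. Whether the Load Balancer Classic service performs exactly these checks at upload time is not stated in the article.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CertBundle mirrors opc_lbaas_certificate's certificate_body, private_key (empty for TRUSTED) and certificate_chain.
type CertBundle struct {
	CertPEM, KeyPEM, ChainPEM []byte
}

// parseCerts decodes every CERTIFICATE block in a (concatenated) PEM slice.
func parseCerts(data []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("PEM block %q: %w", block.Type, err)
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, fmt.Errorf("no PEM certificate found")
	}
	return certs, nil
}

// Validate runs the pre-flight checks: the leaf must chain to certificate_chain, be valid for host
// (virtual host for a SERVER cert, pool member DNS name or IP for a TRUSTED one) and match private_key if present.
func (b CertBundle) Validate(host string) error {
	leaves, err := parseCerts(b.CertPEM)
	if err != nil {
		return fmt.Errorf("certificate_body: %w", err)
	}
	chain, err := parseCerts(b.ChainPEM)
	if err != nil {
		return fmt.Errorf("certificate_chain: %w", err)
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range chain { // self-signed entries are trust anchors, the rest are intermediates
		if c.CheckSignatureFrom(c) == nil {
			roots.AddCert(c)
		} else {
			inters.AddCert(c)
		}
	}
	opts := x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters}
	if _, err := leaves[0].Verify(opts); err != nil {
		return fmt.Errorf("chain or hostname check: %w", err)
	}
	if _, err := tls.X509KeyPair(b.CertPEM, b.KeyPEM); len(b.KeyPEM) > 0 && err != nil { // key is optional
		return fmt.Errorf("private_key: %w", err)
	}
	return nil
}

// NewSampleBundle mints a throw-away CA and leaf for host: constructed sample data so the checks run offline.
func NewSampleBundle(host string) CertBundle {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // rand.Reader does not fail in practice
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Sample CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	caCert, _ := x509.ParseCertificate(caDER) // freshly minted DER, parses by construction
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: ca.NotBefore, NotAfter: ca.NotAfter,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if ip := net.ParseIP(host); ip != nil { // pool members are addressed by IP, e.g. 192.168.1.2:8080
		leaf.IPAddresses = []net.IP{ip}
	} else {
		leaf.DNSNames = []string{host}
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(leafKey)
	toPEM := func(t string, der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: t, Bytes: der}) }
	return CertBundle{CertPEM: toPEM("CERTIFICATE", leafDER), KeyPEM: toPEM("PRIVATE KEY", keyDER),
		ChainPEM: toPEM("CERTIFICATE", caDER)}
}

func main() {
	b := NewSampleBundle("mywebapp.example.com")
	fmt.Println(b.Validate("mywebapp.example.com"), "|", b.Validate("other.example.com"))
}
```

To check real material, read the three PEM files into a CertBundle and call Validate with the listener's virtual host for cert1 (the SERVER certificate with its key) and, for cert2 (TRUSTED, no key), once per pool member address. The self-signed entry in certificate_chain is used as the trust anchor; if your chain omits the root, add it, since otherwise nothing in the bundle can anchor the verification.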
