46_1 ‐ Create Load balancer and setup connectivity with Application server in private network - SanjeevOCI/Ocidocs GitHub Wiki
Objective
Create an OCI Load Balancer that fronts application servers in a private subnet, following best practices for subnet design, routing, gateways, NSGs, and health checks. Validate end-to-end connectivity from the internet (or private network) to the app servers.
This lab assumes you already have a VCN and spoke VCN. If not, create them first. The steps below focus on the Web Layer using Load Balancer + private app servers.
Reference Architecture
Step 1 — Configure the Web Layer in the Spoke VCN
Since the spoke contains the Application Server, we front it with a Load Balancer in a dedicated web subnet.
1a) Create a Web Subnet
Define a subnet for the Load Balancer:
1b) Create a Route Table & Security List for the Web Subnet
Best practice: each subnet should have its own route table and security list (or, better, an NSG).
1c) Update Subnet Associations
Associate the new route table and security list with the web-subnet, and remove the default ones.
✅ Now we have a dedicated route table and security list for the web-subnet.
Step 2 — Create the Load Balancer
Navigate: Menu → Networking → Load Balancer → Create Load Balancer for web traffic.
✅ Load Balancer is created.
Step 3 — How Load Balancer Works
- The Load Balancer has a public IP.
- The Listener is configured (HTTP/80).
- Requests → Listener → Backend Set → Backend Servers (port 80).
Step 4 — Security Rules for Connectivity
4a) Allow inbound Port 80 in Web Subnet
So the LB can receive HTTP traffic:
4b) Allow egress to App Subnet
Get the CIDR of the app subnet (e.g., 10.0.1.0/24) and allow egress on port 80:
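As an added check that is not part of the original wiki, the Step 4 rules can be verified against security-list JSON in the shape returned by `oci network security-list get --output json`; the sample rule sets below are constructed, and the web subnet CIDR 10.0.2.0/24 is an assumption (the lab only gives the app subnet 10.0.1.0/24). It also flags the common mistake of leaving the app subnet open to 0.0.0.0/0, which lets clients bypass the Load Balancer.

```python
import ipaddress

TCP = "6"  # OCI writes protocols as IANA numbers in strings; "all" means any protocol

def allows_tcp(rule, port):
    """True if a security-list rule permits TCP traffic to `port`."""
    if rule.get("protocol") not in (TCP, "all"):
        return False
    rng = (rule.get("tcp-options") or {}).get("destination-port-range")
    return rng is None or rng["min"] <= port <= rng["max"]  # no range means every port

def contains(cidr, network):
    """True if the whole `network` lies inside `cidr` (non-CIDR labels never match)."""
    try:
        return ipaddress.ip_network(network).subnet_of(ipaddress.ip_network(cidr))
    except (ValueError, TypeError):  # e.g. an Oracle Services Network label, or v4/v6 mix
        return False

def web_subnet_findings(seclist, app_cidr, port=80):
    """Rules the web (Load Balancer) subnet needs for the Step 4 flow."""
    findings = []
    if not any(allows_tcp(r, port) and contains(r["source"], "0.0.0.0/0")
               for r in seclist["ingress-security-rules"]):
        findings.append(f"web: no ingress allowing TCP/{port} from 0.0.0.0/0")
    if not any(allows_tcp(r, port) and contains(r["destination"], app_cidr)
               for r in seclist["egress-security-rules"]):
        findings.append(f"web: no egress allowing TCP/{port} to {app_cidr}")
    return findings

def app_subnet_findings(seclist, web_cidr, port=80):
    """App subnet should accept `port` from the web subnet only, never wider."""
    ingress = [r for r in seclist["ingress-security-rules"] if allows_tcp(r, port)]
    findings = [f"app: TCP/{port} open to {r['source']}, bypassing the LB"
                for r in ingress if not contains(web_cidr, r["source"])]
    if not any(contains(web_cidr, r["source"]) for r in ingress):
        findings.append(f"app: TCP/{port} not reachable from web subnet {web_cidr}")
    return findings

# Constructed sample (shape of `oci network security-list get --output json`, only the keys
# read here). App CIDR 10.0.1.0/24 is from the lab; web CIDR 10.0.2.0/24 is an assumption.
WEB_CIDR, APP_CIDR = "10.0.2.0/24", "10.0.1.0/24"
HTTP = {"destination-port-range": {"min": 80, "max": 80}}
WEB_SECLIST = {
    "ingress-security-rules": [{"source": "0.0.0.0/0", "protocol": TCP, "tcp-options": HTTP}],
    "egress-security-rules": [{"destination": APP_CIDR, "protocol": TCP, "tcp-options": HTTP}],
}
APP_SECLIST_OPEN = {  # still carries a default-style wide rule: the LB can be bypassed
    "ingress-security-rules": [{"source": "0.0.0.0/0", "protocol": TCP, "tcp-options": HTTP}],
    "egress-security-rules": [],
}
```

Point the two functions at the real security lists of the web and app subnets to confirm the rules before validating traffic in the Final Outcome.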
Final Outcome
- ✅ Web-subnet created with its own route table & security list
- ✅ Public Load Balancer deployed in the web-subnet
- ✅ Listener + Backend Set configured on port 80
- ✅ Security list rules updated for HTTP ingress and egress to private app subnet
- ✅ Traffic from internet → Load Balancer → App servers is validated