Load balancing#

General information#

The Load Balancers service automatically distributes inbound traffic across a target group of instances in one or more availability zones.This helps to distribute the request processing more evenly among virtual machines and improve availability and reliability of supported applications.

The resources included in the target group are regularly polled to check their health. If any instance fails, no traffic is routed to it. When a failed instance recovers, it starts receiving traffic again. You can always add new instances to, or exclude unnecessary ones from, the target group to maintain the current load level.

There are special entities, listeners, for receiving inbound traffic during load balancing. The listener receives requests from clients at the specified IP address, port, and protocol.

Currently, NGN Cloud supports network load balancers (NLBs) only. They work at OSI Layer 4 and allow you to distribute TCP or UDP traffic. Traffic is distributed according to the 5-tuple hash algorithm, which takes into account:

  • protocol;

  • source address and port;

  • destination address and port.

The traffic of a TCP or UDP connection between the same source and destination are routed to the same target for its entire lifetime.

Depending on the traffic source, NLBs are divided into:

  • сетевые балансировщики внешней нагрузки;

  • сетевые балансировщики внутренней нагрузки.

The former have public (external) IP addresses and are accessible from the Internet. The latter have private (internal) IP addresses and are accessible only within the VPC where they were created. Both types of balancers use private IP addresses to forward traffic to targets.

Key concepts#

Load balancer acts as a single point of entry for client traffic, which is evenly distributed among the targets.

Network load balancer works at OSI Layer 4 and distributes TCP or UDP traffic. It can receive traffic at multiple addresses/ports. By default, traffic to a specific address is distributed among targets in the same availability zone.


In the future, we plan to add load balancing across different availability zones for traffic coming to a specific address.

Internet-facing network balancer distributes traffic from clients in the Internet. Elastic IP addresses are assigned to the network interface of the balancer.

Internal network balancer distributes traffic only from clients in the same VPC. The network interface of the balancer can only have a private IP address.

Listener monitors requests from clients at a given IP address, port and protocol and forwards them to the target group for further processing. For each listener, only one target group can be specified; however, different listeners of the same balancer can be associated with different target groups.

Target group aggregates target resources, i.e. instances among which traffic is distributed. A target group can only be associated with one load balancer but used by multiple traffic listeners of this load balancer.

Balancer instance is responsible for distributing traffic in a specific availability zone where there are targets. It maps to a special interface of the subnet that was specified when the balancer was created.

Before you begin#

To get started with the Load Balancing service, follow these steps:

  1. Create a project, if you don’t have one.

  2. In the IAM section create a user with the ELB administrator or Cloud administrator role and add this user to the project.

  3. Make sure that the project has all the required resources – subnets, SSH keys, and security groups. Otherwise, create them.


Security groups must include the required permitting rules so that the targets can receive traffic from the load balancer.

Usage restrictions#

When using network balancers, the following restrictions should be taken into account:

  1. Balancing traffic between targets in different availability zones is not supported yet. A balancer instance can only distribute traffic between targets in the same availability zone to which it belongs.

  2. To create an internal network balancer in the selected VPC, the following conditions must be met:

    • there is only one route table;

    • the route propagation feature is enabled;

    • there are no subnets to which external networks are attached.


    If any of the above conditions cannot be met but you need an internal load balancer to distribute traffic only within one availability zone, then, to create it, submit a request via our support portal or send it to support@ngn.com.tr.


    Once the load balancer has been created, no changes are allowed to the VPC configuration, which violate the restrictions listed in this item.

  3. If an internal load balancer is required to distribute traffic from attached external networks, then its operation is subject to the following conditions:

    • the external network must be attached to a virtual switch rather than VPC;

    • in each availability zone where a balancer instance will be placed, you should create an instance to route traffic between the VPC and the external network. This instance will be responsible for routing traffic to the balancer in this availability zone. It must have at least two network interfaces, one of which must be attached to a subnet in the desired VPC and the other, to the virtual switch which the external network is attached to.


      Load balancing with asymmetric routing (when traffic from an external network comes to the balancer instance through one availability zone and exits through another) is not supported. Traffic must enter and exit the VPC through the same availability zone.

    • To access internal DNS resolver in the VPC, 1) configure a DNS forwarder or SNAT for DNS traffic on the instance used for traffic routing, and 2) access the DNS from external networks through this DNS forwarder/SNAT.