
OCI Application Load Balancer

Deploys an OCI Application Load Balancer (Layer 7) with backend sets, listeners, SSL certificates, virtual hostnames, and rule sets as a single atomic deployment unit. Supports HTTP, HTTP/2, TCP, and gRPC protocols with flexible bandwidth, cookie-based session persistence, health checking, and rule-based request/response manipulation including HTTP redirects, header injection, and access control.

What Gets Created

When you deploy an OciApplicationLoadBalancer resource, OpenMCF provisions:

  • Application Load Balancer — an oci_load_balancer_load_balancer resource in the specified compartment with the configured shape, bandwidth, and subnet placement. Standard OpenMCF freeform tags are applied for resource tracking.
  • Backend Sets — one or more oci_load_balancer_backend_set resources defining load balancing policy, health checking, and optional SSL and session persistence configuration for each group of backends.
  • Backends — oci_load_balancer_backend resources for each backend server defined within a backend set. Created only when backends are specified in the backend set configuration.
  • Listeners — one or more oci_load_balancer_listener resources defining the ports, protocols, and routing to backend sets. Listeners are created after all other sub-resources to ensure correct dependency ordering.
  • Certificates — oci_load_balancer_certificate resources for TLS/SSL termination. Created only when certificates are specified.
  • Hostnames — oci_load_balancer_hostname resources for virtual host-based routing. Created only when hostnames are specified.
  • Rule Sets — oci_load_balancer_rule_set resources for request/response manipulation including HTTP redirects, header injection, access control, and connection limits. Created only when rule sets are specified.

Prerequisites

  • OCI credentials configured via environment variables or OpenMCF provider config (API Key, Instance Principal, Security Token, Resource Principal, or OKE Workload Identity)
  • A compartment OCID where the load balancer will be created — literal value or reference to an OciCompartment resource
  • At least one subnet OCID for load balancer placement — literal value or reference to an OciSubnet resource. For high availability, provide subnets in two different availability domains
  • Backend server IP addresses and ports for at least one backend set (backends can be added later, but a load balancer without backends does not route traffic)
  • PEM-encoded TLS certificates if configuring HTTPS listeners or backend SSL, or the OCIDs of certificates managed in OCI Certificates Service (referenced through sslConfiguration.certificateIds), which keeps private keys out of the manifest and the stack state

Quick Start

Create a file load-balancer.yaml:

apiVersion: oci.openmcf.org/v1
kind: OciApplicationLoadBalancer
metadata:
  name: web-lb
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: dev.OciApplicationLoadBalancer.web-lb
spec:
  compartmentId:
    value: "ocid1.compartment.oc1..example"
  shape: "flexible"
  shapeDetails:
    minimumBandwidthInMbps: 10
    maximumBandwidthInMbps: 100
  subnetIds:
    - value: "ocid1.subnet.oc1.iad.example"
  backendSets:
    - name: "web-backend"
      policy: round_robin
      healthChecker:
        protocol: http
        urlPath: "/health"
        port: 8080
      backends:
        - ipAddress: "10.0.1.10"
          port: 8080
        - ipAddress: "10.0.1.11"
          port: 8080
  listeners:
    - name: "http-listener"
      port: 80
      protocol: http
      defaultBackendSetName: "web-backend"

Deploy:

openmcf apply -f load-balancer.yaml

This creates a public flexible-shape load balancer with 10–100 Mbps bandwidth, one backend set using round-robin distribution with HTTP health checks on /health, two backend servers on port 8080, and one HTTP listener on port 80. The load balancer OCID and assigned IP addresses are exported as stack outputs.

Configuration Reference

Required Fields

| Field | Type | Description | Validation |
|---|---|---|---|
| compartmentId | StringValueOrRef | OCID of the compartment where the load balancer will be created. Can reference an OciCompartment resource via valueFrom. | Required |
| shape | string | Load balancer shape. Use "flexible" for configurable bandwidth (recommended). Deprecated fixed shapes ("100Mbps", "400Mbps", "8000Mbps") are accepted for backward compatibility. | Minimum 1 character |
| subnetIds | StringValueOrRef[] | OCIDs of subnets where the load balancer will be provisioned. For regional load balancers (recommended), provide subnets in two different availability domains for high availability. Changing subnets after creation forces recreation. Can reference OciSubnet resources via valueFrom. | Minimum 1 item |
| backendSets | BackendSet[] | Backend sets defining groups of backend servers with load balancing policies and health checking. Each listener routes traffic to exactly one default backend set. See backendSet fields. | Minimum 1 item |
| listeners | Listener[] | Listeners defining ports and protocols on which the load balancer accepts client connections. See listener fields. | Minimum 1 item |

Optional Fields

| Field | Type | Default | Description |
|---|---|---|---|
| displayName | string | metadata.name | Human-readable name for the load balancer shown in the OCI Console. |
| shapeDetails | ShapeDetails | — | Bandwidth configuration for flexible-shape load balancers. Required when shape is "flexible". Ignored for fixed shapes. See shapeDetails fields. |
| isPrivate | bool | false | When true, creates a private load balancer not accessible from the public internet. Private load balancers receive only private IP addresses. Changing after creation forces recreation. |
| networkSecurityGroupIds | StringValueOrRef[] | — | OCIDs of network security groups applied to the load balancer. Can reference OciSecurityGroup resources via valueFrom. |
| isDeleteProtectionEnabled | bool | false | When true, prevents accidental deletion. Must be explicitly disabled before the load balancer can be deleted. |
| ipMode | string | "IPV4" | IP version mode. Accepted values: "IPV4", "IPV6". |
| reservedIps | ReservedIp[] | — | Pre-created reserved public IPs to assign. When omitted, OCI assigns ephemeral public IPs. See reservedIp fields. |
| isRequestIdEnabled | bool | false | When true, the load balancer adds a request ID header to each request for tracing and debugging. |
| requestIdHeader | string | OCI default | Custom header name for the request ID. Only effective when isRequestIdEnabled is true. |
| certificates | Certificate[] | — | TLS/SSL certificates for HTTPS termination. Referenced by name in listener and backend set SSL configurations. See certificate fields. |
| hostnames | Hostname[] | — | Virtual hostnames for host-based routing. Referenced by name in listener configurations. See hostname fields. |
| ruleSets | RuleSet[] | — | Rule sets for request/response manipulation. Referenced by name in listener configurations. See ruleSet fields. |

shapeDetails Fields

| Field | Type | Description | Validation |
|---|---|---|---|
| minimumBandwidthInMbps | int32 | Minimum bandwidth in Mbps. The load balancer always provides at least this bandwidth. | 10–8000 |
| maximumBandwidthInMbps | int32 | Maximum bandwidth in Mbps. The load balancer can burst up to this bandwidth. Must be >= minimumBandwidthInMbps. | 10–8000 |

reservedIp Fields

| Field | Type | Description | Validation |
|---|---|---|---|
| id | string | OCID of the reserved public IP to assign to the load balancer. | Minimum 1 character |

backendSet Fields

| Field | Type | Description | Validation |
|---|---|---|---|
| name | string | Unique name for this backend set within the load balancer. Listeners reference backend sets by this name. | Minimum 1 character |
| policy | enum | Load balancing policy. Values: round_robin, least_connections, ip_hash. | Required (cannot be unspecified) |
| healthChecker | HealthChecker | Health checker monitoring backend availability. The load balancer removes unhealthy backends from rotation until they pass again. See healthChecker fields. | Required |
| backends | Backend[] | Backend servers in this set. When omitted, the backend set is created without backends (useful when backends are added dynamically). See backend fields. | Optional |
| sslConfiguration | SslConfiguration | SSL configuration for encrypting traffic between the load balancer and backend servers (backend SSL / re-encryption). See sslConfiguration fields. | Optional |
| backendMaxConnections | int32 | Maximum simultaneous connections per backend. When omitted, connections are unlimited. | Optional |
| lbCookieSessionPersistence | LbCookieSessionPersistenceConfig | Load-balancer-managed cookie persistence. The LB injects and tracks a cookie to pin clients to backends. Mutually exclusive with appCookieSessionPersistence. See lbCookieSessionPersistenceConfig fields. | Optional |
| appCookieSessionPersistence | SessionPersistenceConfig | Application-managed cookie persistence. The LB reads an existing application cookie for backend affinity. Mutually exclusive with lbCookieSessionPersistence. See sessionPersistenceConfig fields. | Optional |

healthChecker Fields

| Field | Type | Description | Validation |
|---|---|---|---|
| protocol | enum | Health check protocol. Values: http, tcp. | Required (cannot be unspecified) |
| port | int32 | Port to probe. When omitted or 0, uses the backend's traffic port. | Optional |
| urlPath | string | URL path for HTTP health checks (e.g., "/health"). Required when protocol is http. Ignored for tcp. | Optional |
| returnCode | int32 | Expected HTTP status code (e.g., 200). When omitted, any 2xx status is healthy. | Optional |
| responseBodyRegex | string | Regex pattern to match against the response body. When omitted, body content is not checked. | Optional |
| intervalMs | int32 | Interval between health checks in milliseconds. | Default: 30000 |
| timeoutInMillis | int32 | Maximum wait time for a response in milliseconds. | Default: 3000 |
| retries | int32 | Consecutive failures before marking a backend unhealthy. | Default: 3 |
| isForcePlainText | bool | When true, forces plain text health checks even when the backend set has SSL configured. | Optional |

backend Fields

| Field | Type | Description | Validation |
|---|---|---|---|
| ipAddress | string | IP address of the backend server. | Minimum 1 character |
| port | int32 | Port on which the backend listens for traffic. | 1–65535 |
| weight | int32 | Relative weight for traffic distribution. Higher weights receive proportionally more traffic. | Default: 1 |
| backup | bool | When true, this backend only receives traffic when all non-backup backends are unhealthy. | Optional |
| drain | bool | When true, existing connections complete but no new connections are sent to this backend. | Optional |
| offline | bool | When true, the backend is taken offline. No traffic is sent to offline backends. | Optional |
| maxConnections | int32 | Maximum simultaneous connections to this backend. When omitted, the backend set's backendMaxConnections applies. | Optional |

sslConfiguration Fields

Used in both backend sets (backend-facing SSL / re-encryption) and listeners (client-facing SSL termination).

| Field | Type | Description |
|---|---|---|
| certificateIds | string[] | OCIDs of OCI Certificate Service certificates. Preferred over certificateName for managed certificate lifecycle. |
| certificateName | string | Name of a certificate defined in this load balancer's certificates list. |
| cipherSuiteName | string | Cipher suite for SSL negotiation. Example: "oci-default-ssl-cipher-suite-v1". |
| protocols | string[] | TLS protocol versions to accept. Example: ["TLSv1.2", "TLSv1.3"]. |
| serverOrderPreference | string | Cipher order preference. Values: "ENABLED" (server preference), "DISABLED" (client preference). |
| trustedCertificateAuthorityIds | string[] | OCIDs of trusted CA certificates for verifying backend server certificates (backend SSL) or client certificates (mutual TLS on listener). |
| verifyDepth | int32 | Maximum certificate chain verification depth. Default: 5. |
| verifyPeerCertificate | bool | When true, verifies the peer's certificate. For backend SSL: verifies the backend server certificate. For listener SSL with mutual TLS: verifies the client certificate. |
| hasSessionResumption | bool | When true, enables TLS session resumption for improved performance. Only applicable in listener SSL context. Ignored for backend set SSL. |

lbCookieSessionPersistenceConfig Fields

| Field | Type | Description |
|---|---|---|
| cookieName | string | Cookie name. When omitted, OCI generates a default name. |
| disableFallback | bool | When true, a client whose pinned backend becomes unavailable is not directed to a different backend (its requests fail until that backend recovers). When false, the client is reassigned to a healthy backend. |
| domain | string | Domain attribute for the Set-Cookie header. When omitted, applies to the request domain. |
| isHttpOnly | bool | When true, the cookie is marked HttpOnly (not accessible to JavaScript). |
| isSecure | bool | When true, the cookie is marked Secure (only sent over HTTPS). Set this on any backend set served by an HTTPS listener. |
| maxAgeInSeconds | int32 | Cookie lifetime in seconds. When omitted or 0, the cookie is a session cookie (expires when the browser closes). |
| path | string | Path attribute for the Set-Cookie header. Default: "/". |

sessionPersistenceConfig Fields

| Field | Type | Description | Validation |
|---|---|---|---|
| cookieName | string | Name of the application cookie used for session affinity. | Minimum 1 character |
| disableFallback | bool | When true, a client whose pinned backend becomes unavailable is not directed to a different backend (its requests fail until that backend recovers). When false, the client is reassigned to a healthy backend. | Optional |

listener Fields

| Field | Type | Description | Validation |
|---|---|---|---|
| name | string | Unique name for this listener within the load balancer. | Minimum 1 character |
| port | int32 | Port on which the listener accepts connections. | 1–65535 |
| protocol | enum | Listener protocol. Values: http, http2, tcp, grpc. | Required (cannot be unspecified) |
| defaultBackendSetName | string | Name of the backend set that receives traffic from this listener. Must match a backend set defined in backendSets. | Minimum 1 character |
| sslConfiguration | SslConfiguration | SSL configuration for client-facing encryption (SSL termination). Required for HTTPS listeners. See sslConfiguration fields. | Optional |
| connectionConfiguration | ConnectionConfiguration | Connection timeout and proxy protocol settings. See connectionConfiguration fields. | Optional |
| hostnameNames | string[] | Names of hostname resources in this load balancer's hostnames list. When set, the listener only handles requests matching these hostnames (virtual host routing). | Optional |
| ruleSetNames | string[] | Names of rule set resources in this load balancer's ruleSets list. Rule sets are applied in the order specified. | Optional |
| routingPolicyName | string | Name of a routing policy for content-based routing. Routing policies are managed outside this component. | Optional |

connectionConfiguration Fields

| Field | Type | Description |
|---|---|---|
| idleTimeoutInSeconds | int64 | Maximum idle time in seconds before the load balancer closes the connection. Applies to both client-side and backend-side connections. |
| backendTcpProxyProtocolVersion | int32 | Proxy protocol version (1 or 2). When set, the load balancer prepends a PROXY protocol header to each backend connection so backends can learn the original client IP. Backends must be configured to expect the header (it arrives as the first bytes of the TCP stream and breaks a server that does not parse it) and should honour it only on connections that come from the load balancer, since any peer that can reach the backend port directly could send a forged one. |
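backendTcpProxyProtocolVersion only helps when the backend parses the PROXY header and trusts it solely from the load balancer: the header is nothing more than the first bytes of the TCP stream, so any peer that can reach the backend port directly could send a forged one and spoof a client address. The following parser for both header versions is an added example, not OpenMCF or OCI code; the sample streams are constructed inline, and the TRUSTED_PROXIES subnet is a placeholder for the load balancer's actual subnet(s).

```python
"""PROXY protocol v1/v2 header parsing for a backend behind the LB (added example, not OpenMCF or OCI code)."""
from __future__ import annotations

import socket
import struct
from ipaddress import ip_address, ip_network

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
# Placeholder: the subnet(s) the load balancer connects from. Only these peers may assert a client IP.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]


def parse_proxy_header(data: bytes) -> tuple[dict | None, bytes]:
    """Split a PROXY header off the start of a stream: (info, remaining bytes).

    info is None for a v1 UNKNOWN or v2 LOCAL header (no client address, e.g. a proxy's own
    health probe); otherwise a dict with version, src, src_port, dst, dst_port.
    Raises ValueError when the stream does not start with a well-formed header.
    """
    if data.startswith(V2_SIGNATURE):
        return _parse_v2(data)
    if data.startswith(b"PROXY "):
        return _parse_v1(data)
    raise ValueError("stream does not start with a PROXY protocol header")


def _parse_v1(data: bytes) -> tuple[dict | None, bytes]:
    end = data.find(b"\r\n")
    if end < 0 or end > 105:  # a v1 line is at most 107 bytes including CRLF
        raise ValueError("v1 header not terminated by CRLF within 107 bytes")
    fields, rest = data[:end].decode("ascii").split(" "), data[end + 2:]
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        return None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed v1 header")
    family = socket.AF_INET if fields[1] == "TCP4" else socket.AF_INET6
    for addr in fields[2:4]:
        socket.inet_pton(family, addr)  # rejects addresses that do not match the family
    src_port, dst_port = int(fields[4]), int(fields[5])
    if not (0 < src_port < 65536 and 0 < dst_port < 65536):
        raise ValueError("v1 port out of range")
    return {"version": 1, "src": fields[2], "src_port": src_port,
            "dst": fields[3], "dst_port": dst_port}, rest


def _parse_v2(data: bytes) -> tuple[dict | None, bytes]:
    if len(data) < 16:
        raise ValueError("truncated v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("bad v2 version nibble")
    body, rest = data[16:16 + length], data[16 + length:]
    if len(body) != length:
        raise ValueError("truncated v2 address block")
    if ver_cmd & 0x0F == 0:  # LOCAL: connection made by the proxy itself, no client to report
        return None, rest
    if fam_proto == 0x11 and length >= 12:    # AF_INET, STREAM
        family, (s, d, sp, dp) = socket.AF_INET, struct.unpack("!4s4sHH", body[:12])
    elif fam_proto == 0x21 and length >= 36:  # AF_INET6, STREAM
        family, (s, d, sp, dp) = socket.AF_INET6, struct.unpack("!16s16sHH", body[:36])
    else:
        raise ValueError(f"unsupported v2 family/protocol 0x{fam_proto:02x}")
    return {"version": 2, "src": socket.inet_ntop(family, s), "src_port": sp,
            "dst": socket.inet_ntop(family, d), "dst_port": dp}, rest


def effective_client_ip(peer_ip: str, data: bytes) -> tuple[str, bytes]:
    """Address to log and authorise against: the asserted one only when the peer is the LB."""
    if not any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES):
        # Untrusted peer: ignore whatever header it may have forged. The raw bytes are returned
        # unchanged; rejecting the connection outright is the stricter option.
        return peer_ip, data
    info, rest = parse_proxy_header(data)
    return (info["src"] if info else peer_ip), rest


# Constructed sample streams: what the backend reads when the LB fronts client 203.0.113.7.
V1_STREAM = b"PROXY TCP4 203.0.113.7 10.0.1.10 51234 8080\r\nGET /health HTTP/1.1\r\n\r\n"
V2_STREAM = (V2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", 12)
             + socket.inet_aton("203.0.113.7") + socket.inet_aton("10.0.1.10")
             + struct.pack("!HH", 51234, 8080) + b"GET /health HTTP/1.1\r\n\r\n")
V2_LOCAL = V2_SIGNATURE + bytes([0x20, 0x00]) + struct.pack("!H", 0)

if __name__ == "__main__":
    print(effective_client_ip("10.0.0.5", V1_STREAM))
    print(effective_client_ip("10.0.0.5", V2_STREAM))
    print(effective_client_ip("198.51.100.9", V1_STREAM))  # not the LB: header ignored
```

Whatever the backend does with the parsed address (access control, rate limiting, audit logs), the peer check in effective_client_ip is the part that matters: the network security group on the backend subnet should also admit the backend port only from the load balancer, so that the trusted-proxy list and the NSG agree.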

certificate Fields

| Field | Type | Description | Validation |
|---|---|---|---|
| certificateName | string | Unique name for this certificate within the load balancer. SSL configurations reference certificates by this name. | Minimum 1 character |
| caCertificate | string | PEM-encoded CA certificate chain. | Optional |
| publicCertificate | string | PEM-encoded public certificate. | Optional |
| privateKey | string | PEM-encoded private key. Sensitive: an inline key is stored in the manifest, in version control, and in the stack state. Where OCI Certificates Service is available, prefer sslConfiguration.certificateIds and omit this field. | Optional |
| passphrase | string | Passphrase for an encrypted private key. Sensitive. | Optional |

hostname Fields

| Field | Type | Description | Validation |
|---|---|---|---|
| name | string | Unique name for this hostname resource within the load balancer. Listeners reference hostnames by this name. | Minimum 1 character |
| hostname | string | Fully qualified domain name (FQDN) to match against the HTTP Host header. Example: "app.example.com". | Minimum 1 character |

ruleSet Fields

| Field | Type | Description | Validation |
|---|---|---|---|
| name | string | Unique name for this rule set within the load balancer. Listeners reference rule sets by this name. | Minimum 1 character |
| items | RuleSetItem[] | Rules in this set. See ruleSetItem fields. | Minimum 1 item |

ruleSetItem Fields

The action field determines which other fields are relevant for each rule. Note that allow rules form an allow list: when a listener's rule sets contain no allow rule, every request is admitted, but once any allow rule is present, a request that matches none of the allow conditions is rejected.

| Action | Relevant Fields |
|---|---|
| add_http_request_header | header, value |
| add_http_response_header | header, value |
| extend_http_request_header_value | header, prefix, suffix |
| extend_http_response_header_value | header, prefix, suffix |
| remove_http_request_header | header |
| remove_http_response_header | header |
| redirect | redirectUri, responseCode, conditions |
| allow | conditions |
| control_access_using_http_methods | allowedMethods, statusCode |
| http_header | areInvalidCharactersAllowed, httpLargeHeaderSizeInKb |
| ip_based_max_connections | defaultMaxConnections, ipMaxConnections |

| Field | Type | Description | Validation |
|---|---|---|---|
| action | enum | Rule action type. See the action-to-field mapping above. | Required (cannot be unspecified) |
| header | string | HTTP header name. Used by header add/remove/extend actions. | Optional |
| value | string | Header value. Used by add_http_request_header and add_http_response_header. | Optional |
| prefix | string | Prefix to prepend to an existing header value. Used by extend actions. | Optional |
| suffix | string | Suffix to append to an existing header value. Used by extend actions. | Optional |
| redirectUri | RedirectUri | Redirect URI template. Used by the redirect action. See redirectUri fields. | Optional |
| responseCode | int32 | HTTP response code for the redirect (e.g., 301, 302, 307, 308). Used by the redirect action. | Optional |
| conditions | RuleSetItemCondition[] | Conditions that must be met for this rule to apply. Used by redirect and allow actions. See ruleSetItemCondition fields. | Optional |
| allowedMethods | string[] | Allowed HTTP methods. Requests using other methods receive the statusCode response. Used by control_access_using_http_methods. | Optional |
| statusCode | int32 | HTTP status code returned when access is denied (e.g., 403, 405). Used by control_access_using_http_methods. | Optional |
| areInvalidCharactersAllowed | bool | When true, allows invalid characters in HTTP headers. Used by http_header. | Optional |
| httpLargeHeaderSizeInKb | int32 | Maximum HTTP header size in KB. Used by http_header. | Optional |
| defaultMaxConnections | int32 | Default maximum connections per IP when no specific IP rule matches. Used by ip_based_max_connections. | Optional |
| ipMaxConnections | IpMaxConnection[] | Per-IP connection limits. Used by ip_based_max_connections. See ipMaxConnection fields. | Optional |
| description | string | Description of the rule. | Optional |

ruleSetItemCondition Fields

| Field | Type | Description | Validation |
|---|---|---|---|
| attributeName | string | Attribute to evaluate. Values: "PATH", "SOURCE_IP_ADDRESS", "SOURCE_VCN_ID", "SOURCE_VCN_IP_ADDRESS". | Minimum 1 character |
| attributeValue | string | Value to match against the attribute. | Minimum 1 character |
| operator | string | Matching operator. Values: "EXACT_MATCH", "FORCE_LONGEST_PREFIX_MATCH", "PREFIX_MATCH", "SUFFIX_MATCH". | Default: "EXACT_MATCH" |

redirectUri Fields

| Field | Type | Description |
|---|---|---|
| protocol | string | Target protocol. Use "{protocol}" to preserve the original request's protocol. |
| host | string | Target hostname. Use "{host}" to preserve the original request's hostname. |
| port | int32 | Target port. Use 0 to preserve the original request's port. |
| path | string | Target path. Use "{path}" to preserve the original request's path. |
| query | string | Target query string. Use "{query}" to preserve the original request's query string. |

ipMaxConnection Fields

| Field | Type | Description |
|---|---|---|
| ipAddresses | string[] | IP addresses to apply this connection limit to. |
| maxConnections | int32 | Maximum simultaneous connections allowed from these IPs. |
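The reference tables above express rules that OCI enforces only once openmcf apply is already running: every listener must name an existing backend set, hostnameNames and ruleSetNames must resolve, certificateName must match a certificate entry (or certificateIds must be given), lbCookie and appCookie persistence are mutually exclusive, and flexible shapes need shapeDetails. The preflight script below, an added example that is not part of OpenMCF, applies those rules plus a few security checks (legacy TLS versions in protocols, inline private keys, backend SSL with peer verification switched off, plaintext listeners that do not redirect) to a manifest's spec mapping. Its sample spec is constructed inline and modelled on the HTTPS example in the next section; PyYAML is assumed for loading a real manifest.

```python
"""Preflight lint for an OciApplicationLoadBalancer spec (added example, not OpenMCF code).
Pass the parsed `spec` mapping, e.g. yaml.safe_load(open(path))["spec"] (PyYAML assumed).
Findings are (severity, message): dangling references and invalid combinations are
"error"; settings that deploy fine but weaken the security posture are "warn"."""
from __future__ import annotations

import copy

WEAK_TLS = {"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
PLAINTEXT_L7 = {"http", "http2", "grpc"}


def _names(items, key="name"):
    return [i.get(key) for i in items or []]


def _check_ssl(ssl, where, certs, out):
    """Checks shared by listener (termination) and backend-set (re-encryption) SSL blocks."""
    if not ssl:
        return
    if not ssl.get("certificateIds") and ssl.get("certificateName") not in certs:
        out.append(("error", f"{where}: certificateName {ssl.get('certificateName')!r} is not in "
                             "certificates and no certificateIds are given"))
    weak = WEAK_TLS & set(ssl.get("protocols") or [])
    if weak:
        out.append(("warn", f"{where}: weak TLS versions enabled {sorted(weak)}"))
    if ssl.get("verifyPeerCertificate") is False:
        out.append(("warn", f"{where}: verifyPeerCertificate is false; the peer is not authenticated"))


def lint_spec(spec: dict) -> list[tuple[str, str]]:
    out: list[tuple[str, str]] = []
    backend_sets, hostnames = _names(spec.get("backendSets")), _names(spec.get("hostnames"))
    rule_sets = _names(spec.get("ruleSets"))
    certs = _names(spec.get("certificates"), "certificateName")

    if spec.get("shape") == "flexible":  # flexible shapes need 10 <= min <= max <= 8000 Mbps
        sd = spec.get("shapeDetails") or {}
        lo, hi = sd.get("minimumBandwidthInMbps"), sd.get("maximumBandwidthInMbps")
        if lo is None or hi is None or not 10 <= lo <= hi <= 8000:
            out.append(("error", f"shape 'flexible' needs shapeDetails with 10 <= min <= max <= 8000, got {lo}-{hi}"))

    for c in spec.get("certificates") or []:  # an inline key ends up in git and in the stack state
        if c.get("privateKey"):
            out.append(("warn", f"certificate {c.get('certificateName')!r}: inline privateKey; prefer "
                                "sslConfiguration.certificateIds from OCI Certificates Service"))

    for bs in spec.get("backendSets") or []:
        where = f"backendSet {bs.get('name')!r}"
        if (bs.get("healthChecker") or {}).get("protocol") == "http" and not bs["healthChecker"].get("urlPath"):
            out.append(("error", f"{where}: http health check requires urlPath"))
        if bs.get("lbCookieSessionPersistence") and bs.get("appCookieSessionPersistence"):
            out.append(("error", f"{where}: lbCookie and appCookie persistence are mutually exclusive"))
        _check_ssl(bs.get("sslConfiguration"), where, certs, out)

    redirecting = set()  # rule sets whose unconditional redirect answers every request
    for rs in spec.get("ruleSets") or []:
        for item in rs.get("items") or []:
            where = f"ruleSet {rs.get('name')!r}"
            if item.get("action") == "redirect":
                if not item.get("conditions"):
                    redirecting.add(rs.get("name"))
                if not item.get("redirectUri"):
                    out.append(("error", f"{where}: redirect without redirectUri"))
            elif item.get("action") in ("add_http_request_header", "add_http_response_header"):
                if not item.get("header") or item.get("value") is None:
                    out.append(("error", f"{where}: {item['action']} needs header and value"))

    for ls in spec.get("listeners") or []:
        where = f"listener {ls.get('name')!r}"
        if ls.get("defaultBackendSetName") not in backend_sets:
            out.append(("error", f"{where}: defaultBackendSetName {ls.get('defaultBackendSetName')!r} not in backendSets"))
        for field, pool in (("hostnameNames", hostnames), ("ruleSetNames", rule_sets)):
            for n in ls.get(field) or []:
                if n not in pool:
                    out.append(("error", f"{where}: {field} entry {n!r} is not defined"))
        if ls.get("sslConfiguration"):
            _check_ssl(ls["sslConfiguration"], where, certs, out)
        elif ls.get("protocol") in PLAINTEXT_L7 and not redirecting & set(ls.get("ruleSetNames") or []):
            out.append(("warn", f"{where}: plaintext {ls.get('protocol')} on port {ls.get('port')} "
                                "serves application traffic without TLS"))
    return out


# Constructed sample spec, modelled on the HTTPS example on this page (PEM bodies are placeholders).
PEM = "-----BEGIN PLACEHOLDER-----\n...\n-----END PLACEHOLDER-----\n"
SAMPLE_SPEC = {
    "shape": "flexible", "shapeDetails": {"minimumBandwidthInMbps": 10, "maximumBandwidthInMbps": 100},
    "certificates": [{"certificateName": "app-cert", "publicCertificate": PEM, "privateKey": PEM}],
    "backendSets": [{"name": "web-backend", "policy": "round_robin",
                     "healthChecker": {"protocol": "http", "urlPath": "/health", "port": 8080},
                     "backends": [{"ipAddress": "10.0.1.10", "port": 8080}]}],
    "ruleSets": [{"name": "http-to-https", "items": [{"action": "redirect", "responseCode": 301,
                  "redirectUri": {"protocol": "https", "host": "{host}", "port": 443,
                                  "path": "{path}", "query": "{query}"}}]}],
    "listeners": [{"name": "http-redirect", "port": 80, "protocol": "http",
                   "defaultBackendSetName": "web-backend", "ruleSetNames": ["http-to-https"]},
                  {"name": "https-listener", "port": 443, "protocol": "http",
                   "defaultBackendSetName": "web-backend",
                   "sslConfiguration": {"certificateName": "app-cert", "protocols": ["TLSv1.2", "TLSv1.3"]}}],
}
# Deliberately broken copy: dangling backend-set reference plus a legacy TLS version.
BROKEN_SPEC = copy.deepcopy(SAMPLE_SPEC)
BROKEN_SPEC["listeners"][1]["defaultBackendSetName"] = "missing-backend"
BROKEN_SPEC["listeners"][1]["sslConfiguration"]["protocols"].append("TLSv1.1")

if __name__ == "__main__":
    for sev, msg in lint_spec(SAMPLE_SPEC) + lint_spec(BROKEN_SPEC):
        print(f"{sev:5} {msg}")
```

Treat any "error" as a reason not to apply and any "warn" as something to justify in review; the one warning the sample spec itself produces (an inline private key) is exactly the trade-off the certificate table describes.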

Examples

Minimal HTTP Load Balancer

A public HTTP load balancer distributing traffic across two backends with round-robin policy and HTTP health checking:

apiVersion: oci.openmcf.org/v1
kind: OciApplicationLoadBalancer
metadata:
  name: web-lb
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: dev.OciApplicationLoadBalancer.web-lb
spec:
  compartmentId:
    value: "ocid1.compartment.oc1..example"
  shape: "flexible"
  shapeDetails:
    minimumBandwidthInMbps: 10
    maximumBandwidthInMbps: 100
  subnetIds:
    - value: "ocid1.subnet.oc1.iad.example"
  backendSets:
    - name: "web-backend"
      policy: round_robin
      healthChecker:
        protocol: http
        urlPath: "/health"
        port: 8080
      backends:
        - ipAddress: "10.0.1.10"
          port: 8080
        - ipAddress: "10.0.1.11"
          port: 8080
  listeners:
    - name: "http-listener"
      port: 80
      protocol: http
      defaultBackendSetName: "web-backend"

HTTPS with SSL Termination and HTTP Redirect

An HTTPS load balancer with a certificate for SSL termination. The HTTP listener on port 80 redirects all traffic to HTTPS using a rule set. The redirect listener still needs a defaultBackendSetName because the field is required, but with an unconditional redirect rule no request reaches that backend set:

apiVersion: oci.openmcf.org/v1
kind: OciApplicationLoadBalancer
metadata:
  name: secure-web
  org: acme
  env: staging
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: acme
    pulumi.openmcf.org/project: platform
    pulumi.openmcf.org/stack.name: staging.OciApplicationLoadBalancer.secure-web
spec:
  compartmentId:
    value: "ocid1.compartment.oc1..example"
  shape: "flexible"
  shapeDetails:
    minimumBandwidthInMbps: 10
    maximumBandwidthInMbps: 100
  subnetIds:
    - value: "ocid1.subnet.oc1.iad.example"
  certificates:
    - certificateName: "app-cert"
      publicCertificate: |
        -----BEGIN CERTIFICATE-----
        MIIBkTCB+wIJALxyz...
        -----END CERTIFICATE-----
      privateKey: |
        -----BEGIN RSA PRIVATE KEY-----
        MIIEpAIBAAKCAQEA...
        -----END RSA PRIVATE KEY-----
  backendSets:
    - name: "web-backend"
      policy: round_robin
      healthChecker:
        protocol: http
        urlPath: "/health"
        port: 8080
      backends:
        - ipAddress: "10.0.1.10"
          port: 8080
        - ipAddress: "10.0.1.11"
          port: 8080
  ruleSets:
    - name: "http-to-https"
      items:
        - action: redirect
          redirectUri:
            protocol: "https"
            host: "{host}"
            port: 443
            path: "{path}"
            query: "{query}"
          responseCode: 301
  listeners:
    - name: "http-redirect"
      port: 80
      protocol: http
      defaultBackendSetName: "web-backend"
      ruleSetNames:
        - "http-to-https"
    - name: "https-listener"
      port: 443
      protocol: http
      defaultBackendSetName: "web-backend"
      sslConfiguration:
        certificateName: "app-cert"
        protocols:
          - "TLSv1.2"
          - "TLSv1.3"

Multi-Domain with Virtual Hostname Routing

A load balancer serving two applications on the same IP address using virtual hostname routing. Each hostname routes to a different backend set:

apiVersion: oci.openmcf.org/v1
kind: OciApplicationLoadBalancer
metadata:
  name: multi-domain-lb
  org: acme
  env: prod
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: acme
    pulumi.openmcf.org/project: platform
    pulumi.openmcf.org/stack.name: prod.OciApplicationLoadBalancer.multi-domain-lb
spec:
  compartmentId:
    value: "ocid1.compartment.oc1..example"
  shape: "flexible"
  shapeDetails:
    minimumBandwidthInMbps: 100
    maximumBandwidthInMbps: 400
  subnetIds:
    - value: "ocid1.subnet.oc1.iad.example-ad1"
    - value: "ocid1.subnet.oc1.iad.example-ad2"
  hostnames:
    - name: "api-host"
      hostname: "api.example.com"
    - name: "app-host"
      hostname: "app.example.com"
  backendSets:
    - name: "api-backend"
      policy: least_connections
      healthChecker:
        protocol: http
        urlPath: "/healthz"
        port: 3000
      backends:
        - ipAddress: "10.0.1.20"
          port: 3000
        - ipAddress: "10.0.1.21"
          port: 3000
    - name: "app-backend"
      policy: round_robin
      healthChecker:
        protocol: http
        urlPath: "/ready"
        port: 8080
      backends:
        - ipAddress: "10.0.2.10"
          port: 8080
        - ipAddress: "10.0.2.11"
          port: 8080
  listeners:
    - name: "api-listener"
      port: 80
      protocol: http
      defaultBackendSetName: "api-backend"
      hostnameNames:
        - "api-host"
    - name: "app-listener"
      port: 80
      protocol: http
      defaultBackendSetName: "app-backend"
      hostnameNames:
        - "app-host"

Full Production Load Balancer

A production load balancer with HTTPS, HTTP-to-HTTPS redirect, security headers, LB-managed session persistence, delete protection, request tracing, NSGs, and infrastructure references via valueFrom:

apiVersion: oci.openmcf.org/v1
kind: OciApplicationLoadBalancer
metadata:
  name: prod-lb
  org: acme
  env: prod
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: acme
    pulumi.openmcf.org/project: platform
    pulumi.openmcf.org/stack.name: prod.OciApplicationLoadBalancer.prod-lb
spec:
  compartmentId:
    valueFrom:
      kind: OciCompartment
      name: prod-compartment
      fieldPath: status.outputs.compartmentId
  shape: "flexible"
  shapeDetails:
    minimumBandwidthInMbps: 100
    maximumBandwidthInMbps: 400
  subnetIds:
    - valueFrom:
        kind: OciSubnet
        name: public-subnet-ad1
        fieldPath: status.outputs.subnetId
    - valueFrom:
        kind: OciSubnet
        name: public-subnet-ad2
        fieldPath: status.outputs.subnetId
  isPrivate: false
  isDeleteProtectionEnabled: true
  isRequestIdEnabled: true
  requestIdHeader: "X-Request-ID"
  networkSecurityGroupIds:
    - valueFrom:
        kind: OciSecurityGroup
        name: lb-nsg
        fieldPath: status.outputs.networkSecurityGroupId
  certificates:
    - certificateName: "prod-cert"
      publicCertificate: |
        -----BEGIN CERTIFICATE-----
        MIIBkTCB+wIJALxyz...
        -----END CERTIFICATE-----
      caCertificate: |
        -----BEGIN CERTIFICATE-----
        MIIBkTCB+wIJALabc...
        -----END CERTIFICATE-----
      privateKey: |
        -----BEGIN RSA PRIVATE KEY-----
        MIIEpAIBAAKCAQEA...
        -----END RSA PRIVATE KEY-----
  backendSets:
    - name: "web-backend"
      policy: round_robin
      healthChecker:
        protocol: http
        urlPath: "/health"
        port: 8080
        returnCode: 200
        intervalMs: 10000
        timeoutInMillis: 3000
        retries: 3
      backends:
        - ipAddress: "10.0.1.10"
          port: 8080
          weight: 3
        - ipAddress: "10.0.1.11"
          port: 8080
          weight: 3
        - ipAddress: "10.0.1.12"
          port: 8080
          weight: 1
          backup: true
      lbCookieSessionPersistence:
        cookieName: "LB_SESSION"
        isHttpOnly: true
        isSecure: true
        maxAgeInSeconds: 3600
        path: "/"
  hostnames:
    - name: "www-host"
      hostname: "www.example.com"
  ruleSets:
    - name: "http-to-https"
      items:
        - action: redirect
          redirectUri:
            protocol: "https"
            host: "{host}"
            port: 443
            path: "{path}"
            query: "{query}"
          responseCode: 301
    - name: "security-headers"
      items:
        - action: add_http_response_header
          header: "Strict-Transport-Security"
          value: "max-age=31536000; includeSubDomains"
        - action: add_http_response_header
          header: "X-Content-Type-Options"
          value: "nosniff"
  listeners:
    - name: "http-redirect"
      port: 80
      protocol: http
      defaultBackendSetName: "web-backend"
      ruleSetNames:
        - "http-to-https"
    - name: "https-listener"
      port: 443
      protocol: http
      defaultBackendSetName: "web-backend"
      sslConfiguration:
        certificateName: "prod-cert"
        protocols:
          - "TLSv1.2"
          - "TLSv1.3"
        cipherSuiteName: "oci-default-ssl-cipher-suite-v1"
        serverOrderPreference: "ENABLED"
      hostnameNames:
        - "www-host"
      ruleSetNames:
        - "security-headers"
      connectionConfiguration:
        idleTimeoutInSeconds: 300
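Once a manifest like the one above is deployed, the checks a practitioner wants are behavioural: port 80 answers with an https redirect that keeps host, path and query and does not change the host (a changed host would be an open redirect), port 443 serves the injected Strict-Transport-Security and X-Content-Type-Options headers, and a TLS 1.1 handshake is refused because of the protocols list. The script below is an added example rather than OpenMCF code; the check functions take an already-received status and header set so the sample responses (constructed inline) can be evaluated offline, while fetch() and smoke_test() perform the live requests against a hostname you supply.

```python
"""Post-deploy checks for the redirect + HTTPS listener pair (added example, not OpenMCF code).

check_redirect / check_secure_response work on an already-received (status, headers) pair so
they can run offline; fetch() is the network helper that obtains such a pair from a live LB.
"""
from __future__ import annotations

import http.client
import ssl
from urllib.parse import urlsplit

# Header -> substring that must appear in it (what the security-headers rule set injects).
REQUIRED_HEADERS = {"strict-transport-security": "max-age=", "x-content-type-options": "nosniff"}


def check_redirect(status: int, headers: dict, host: str, path: str, query: str = "") -> list[str]:
    """The port-80 listener must answer with an https redirect that keeps host, path and query."""
    h = {k.lower(): v for k, v in headers.items()}
    target = urlsplit(h.get("location", ""))
    problems = []
    if status not in (301, 308):
        problems.append(f"expected 301/308 from the HTTP listener, got {status}")
    if target.scheme != "https":
        problems.append(f"Location is not https: {h.get('location')!r}")
    if target.hostname != host:  # a host change here would be an open redirect
        problems.append(f"redirect sends the client to {target.hostname!r} instead of {host!r}")
    if target.path != path or target.query != query:
        problems.append("redirect drops the original path or query")
    return problems


def check_secure_response(status: int, headers: dict) -> list[str]:
    """The HTTPS listener's rule set must have injected the security headers."""
    h = {k.lower(): v for k, v in headers.items()}
    problems = [f"backend error {status}"] if status >= 500 else []
    for name, must_contain in REQUIRED_HEADERS.items():
        if must_contain not in h.get(name, ""):
            problems.append(f"missing or weak {name}: {h.get(name)!r}")
    return problems


def fetch(host: str, port: int, path: str, tls: bool, tls_version=None) -> tuple[int, dict]:
    """One GET against the load balancer (needs network); returns (status, headers)."""
    if tls:
        ctx = ssl.create_default_context()
        if tls_version is not None:  # pin a single version, e.g. to prove TLS 1.1 is refused
            ctx.minimum_version = ctx.maximum_version = tls_version
        conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    return resp.status, dict(resp.getheaders())


def smoke_test(host: str, path: str = "/login", query: str = "next=%2Fapp") -> list[str]:
    """Run both checks against a deployed LB and return every problem found."""
    status, headers = fetch(host, 80, f"{path}?{query}", tls=False)
    problems = check_redirect(status, headers, host, path, query)
    status, headers = fetch(host, 443, f"{path}?{query}", tls=True)
    problems += check_secure_response(status, headers)
    try:  # the protocols list on the listener should make this handshake fail
        fetch(host, 443, "/", tls=True, tls_version=ssl.TLSVersion.TLSv1_1)
        problems.append("listener accepted a TLS 1.1 handshake")
    except ValueError:  # the local OpenSSL build refuses TLS 1.1 itself, so nothing was proven
        problems.append("local OpenSSL cannot speak TLS 1.1; legacy-TLS check not performed")
    except OSError:  # ssl.SSLError is an OSError: the handshake was refused, as intended
        pass
    return problems


# Constructed responses shaped like the ones the production example's listeners should produce.
GOOD_REDIRECT = (301, {"Location": "https://www.example.com/login?next=%2Fapp", "Content-Length": "0"})
GOOD_SECURE = (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                     "X-Content-Type-Options": "nosniff", "X-Request-ID": "constructed-id"})

if __name__ == "__main__":
    print(check_redirect(*GOOD_REDIRECT, host="www.example.com", path="/login", query="next=%2Fapp"))
    print(check_secure_response(*GOOD_SECURE))
```

Run smoke_test("www.example.com") (substituting the hostname from the hostnames list) after every apply that touches listeners, rule sets or certificates; an empty list means the redirect, the injected headers and the TLS floor all behave as the manifest intends.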

Stack Outputs

After deployment, the following outputs are available in status.outputs:

| Output | Type | Description |
|---|---|---|
| load_balancer_id | string | OCID of the load balancer. |
| ip_addresses | string | Comma-separated IP addresses assigned to the load balancer. For public load balancers, includes the public IP(s). For private load balancers, includes the private IP(s). |

Related Components

  • OciCompartment — provides the compartment referenced by compartmentId via valueFrom
  • OciSubnet — provides subnets referenced by subnetIds via valueFrom
  • OciSecurityGroup — manages network security rules applied to the load balancer (networkSecurityGroupIds) via valueFrom
  • OciNetworkLoadBalancer — Layer 4 (TCP/UDP) load balancing with source IP preservation, for workloads that do not need HTTP-level features
