Create and manage target group

This guide describes how to create a target group, view the list, modify configurations, set listener connections, and manage other related tasks.

Create target group

  1. Go to the KakaoCloud Console > Beyond Networking Service > Load Balancing > Target groups menu.

  2. Click the Create target group button at the top right.

  3. In the Step 1: Configure target group screen, enter the required settings and click Next.

    Image Step 1: Configure target group

    Category | Field | Description
    Load balancer | Availability zone | Select from available zones
    Load balancer | Load balancer | Lists all load balancers in the selected zone
    Load balancer | Listener | Lists all listeners of the selected load balancer and an option for ‘Do not select listener’
    Basic info | Target group name | Name of the target group
    Basic info | Protocol | Selectable based on the listener’s protocol:
        - TCP listener: HTTP, TCP
        - UDP listener: UDP
    Basic info | Algorithm | Choose from Round Robin, Least Connections, Source IP:
        - Round Robin: Distributes traffic sequentially
        - Least Connections: Prioritizes targets with fewer connections
        - Source IP: Always routes traffic from the same client IP to the same target
    Basic info | Sticky session | Enabled only for the following combinations:
        - TCP x TCP, UDP x UDP
        - Others: Fixed to 'Disabled'
    Basic info | Sticky session type | Available for:
        - TCP x TCP: Source IP
        - UDP x UDP: Source IP
    Basic info | Stickiness duration | Enabled only when using HTTP or App cookies
        - Integer between 1 and 604800
    Basic info | Cookie name | Required when using App cookies
        - Must match the application's cookie name
        - Allowed: A-Z, a-z, 0-9, and specific special characters
        - Length: 1–255 characters
    Health check | Health check | Enable or disable
    Health check | Type | Available types based on protocol:
        - HTTP: HTTP, PING
        - TCP: PING, TCP
        - UDP: TCP, HTTP
    Health check | HTTP method | Select when HTTP is used: CONNECT, DELETE, GET, etc.
    Health check | HTTP version | Choose between 1.0 or 1.1
    Health check | HTTP status codes | Acceptable codes: single, comma-separated, or range
    Health check | Check path | Enter as URL path
    Health check | Interval | Integer from 1 to 3600 (default: 30 sec); must be greater than timeout
    Health check | Timeout | Integer from 1 to 900 (default: 5 sec); must be less than interval
    Health check | Success threshold | Integer from 1 to 10 (default: 5)
    Health check | Failure threshold | Integer from 1 to 10 (default: 2)

    info

    If the algorithm is set to Source IP, sticky session is implicitly maintained without requiring additional configuration. To maintain long-term stickiness, it is recommended to use Source IP.

  4. In Step 2: Add targets, select resources in the same availability zone and VPC as the selected load balancer.

  5. Select the instance(s) to add and enter the port number.

  6. Click Add target.

    • Filter added targets by IP, port, instance name, instance ID, status.
    caution

    DSRNLB requires that the listener protocol and target port number match. A target group already connected to a listener cannot be reused in another listener. All targets in a group must use the same port number.

  7. After adding the targets, click Next.

  8. In Step 3: Review, confirm the settings and click Create.

info

After creating the target group, configure the security group rules.
Go to Target group > Target tab to check the health check IP addresses and add them to the inbound rules of the target’s security group.

Manage target group

You can modify or delete an existing target group, or add new targets from the target group detail screen.

View list of target groups

  1. Go to the KakaoCloud Console > Beyond Networking Service > Load Balancing > Target groups menu.

  2. Review the list of target groups. Use filters to easily locate the desired target group if needed.

    Item | Description
    Target group name | Name and ID assigned at creation
    Provisioning status | Indicates whether the target group is active, being modified, or being deleted
    Operational status | Indicates whether the target group is currently usable
    Protocol | Protocol used to route traffic to targets
    Load balancer | Name and ID of the associated load balancer
    VPC | Name and ID of the VPC containing the load balancer
    [More] icon | Allows renaming, listener connection, algorithm configuration, target management, traffic weight adjustment, health check configuration, sticky session setup, or deletion

View target group details

  1. Go to the KakaoCloud Console > Beyond Networking Service > Load Balancing > Target groups menu.

  2. Select the target group to view its details.

  3. In the detail screen, use the tabs to check information about details, targets, health checks, and properties.

    Image Target group details

    Tab | Description
    Details | View general information about the target group
    Target | View the list of registered targets and their details
    Health check | View current health check configuration
    Properties | View target group properties

Rename target group

  1. Go to the KakaoCloud Console > Beyond Networking Service > Load Balancing > Target groups menu.

  2. Click the [More] icon of the target group you want to rename.

  3. From the menu, select Rename target group.

  4. In the popup, modify the name and click the Change button.

Delete target group

  1. Go to the KakaoCloud Console > Beyond Networking Service > Load Balancing > Target groups menu.

  2. Click the [More] icon of the target group you want to delete.

  3. Select Delete target group from the menu.

  4. In the popup, enter the confirmation phrase and click Delete.

Configure listener connection

  1. Go to the KakaoCloud Console > Beyond Networking Service > Load Balancing > Target groups menu.

  2. Click the [More] icon for the target group to modify.

  3. Select Configure listener connection from the menu.

  4. In the popup, update the listener connection settings and click Apply.

    • If not yet connected, you can select a listener from the list.
    • To disconnect, choose the Do not connect listener option.

    Image Configure listener connection

caution

A DSRNLB target group can only be connected to a single listener created under the same DSRNLB.

Set algorithm

  1. Go to the KakaoCloud Console > Beyond Networking Service > Load Balancing > Target groups menu.

  2. Click the [More] icon for the target group to modify.

  3. Select Set algorithm from the menu.

  4. In the popup, change the algorithm and click Apply.

Configure target

  1. Go to the KakaoCloud Console > Beyond Networking Service > Load Balancing > Target groups menu.

  2. Click the target group to modify.

  3. In the detail screen, go to the Target tab and click Configure target.

  4. In the popup, review the registered targets, delete or add new ones, then click Apply.

    • To revert changes, click the Revert button at the top of the added targets list.
    caution
    • All targets within a group must use the same port number.
    • When using DSRNLB, the load balancer and target instances must be in the same subnet.

Set traffic weight

  1. Go to the KakaoCloud Console > Beyond Networking Service > Load Balancing > Target groups menu.

  2. Select the target group to modify.

  3. In the detail screen, go to the Target tab and click Set traffic weight.

  4. In the popup, adjust the weight and click Set.

    • Traffic weights must be integers between 0 and 256.
    • Converted weight = (weight / 256) * 100 (rounded up)
    • Ratio = converted weight / sum of converted weights

Set health check

info

For DSRNLB, proper health checks require target instance configuration.

  1. Go to the KakaoCloud Console > Beyond Networking Service > Load Balancing > Target groups menu.

  2. Select the target group to modify.

  3. In the detail screen, go to the Health check tab and click Configure health check.

  4. In the popup, enable or disable health checks or modify the settings.

    Image Configure health check

    Field | Description
    Target group | Name of the current target group
    Protocol | Type options vary by protocol:
        - HTTP: HTTP, PING
        - TCP: PING, TCP
        - UDP: TCP, HTTP
    Enable health check | Type:
        - PING: Uses ICMP ping
        - HTTP: Sends a request to a path and checks response
        - HTTPS: Verifies response with certificate like HTTP
        - TCP: Uses TCP port to check status
        Interval: Health check frequency in seconds (1–3600)
        Timeout: Max wait time for a response (1–900), must be less than interval
        Success threshold: Number of consecutive successes to mark as healthy
        Failure threshold: Number of consecutive failures to mark as unhealthy

  5. If the type is HTTP or HTTPS, additional settings are available:

    Field | Description
    HTTP method | Choose from GET, HEAD, OPTIONS, POST, PUT, TRACE, PATCH, DELETE, CONNECT
    HTTP version | Select 1.0 or 1.1
    HTTP status codes | Expected response codes:
        - Single: 200, 201
        - Multiple: 201, 202, 401, 402
        - Range: 200-500
    Path | URL path to use for health checks

  6. Click the Apply button.

caution

If a target is using the latest CentOS with SELinux enabled, the shell_exec_t call may be blocked. In such cases, PING type health checks will not function.

Configure sticky session

Sticky session settings can be applied only to specific target groups depending on the listener and target group protocol combinations.

Sticky session options by listener and target group protocol
Target group \ Listener | HTTP | HTTPS | TCP | UDP
HTTP | HTTP cookie, App cookie | X | X | X
HTTPS | X | X | X | X
TCP | X | X | Source IP | X
UDP | X | X | X | Source IP
PROXY | X | X | X | X

  1. Go to the KakaoCloud Console > Beyond Networking Service > Load Balancing > Target groups menu.

  2. Click the target group for which you want to modify the sticky session configuration.

  3. In the detail screen, click the Properties tab and then click the Configure sticky session button.

  4. In the Configure sticky session popup window, enable or disable the sticky session option and modify any settings as necessary. Click the Apply button to save the changes.

Configure target instance

To use DSRNLB properly, additional configuration is required on the target instance based on the operating system. After creating the instance that will be designated as a target, perform the following tasks. Failure to do so will result in improper health check behavior.

Modify allowed address pairs

  1. Go to the KakaoCloud Console > Virtual Machine > Instance menu.

  2. Click the More icon of the instance to be set as a target.

  3. In the More menu, select Modify allowed address pairs.

  4. In the Modify allowed address pairs popup, select the network interface of the target instance that is in the same VPC and availability zone as the DSRNLB. Then, enter the private IP address of the DSRNLB as the allowed IP for packet transmission. Click the [Apply] button.

Warning
  • To use DSRNLB, the target instance’s security group must allow inbound traffic from the DSRNLB's private IP and listener port.

Configure network on target instance

To use DSRNLB, additional configuration is required depending on the operating system of the target instance. This includes Address Resolution Protocol (ARP) settings and loopback address configuration.

  1. Connect to the target instance via SSH.

  2. Run the following commands. Replace <private_ip_of_dsrnlb> with the private IP address of the DSRNLB that is associated with the target group (e.g., 10.0.3.49).

    Warning

    The following commands must be executed with root privileges. Use sudo -i to switch to root before proceeding.

    Network configuration
    sysctl -w net.ipv4.conf.all.arp_ignore=1
    sysctl -w net.ipv4.conf.all.arp_announce=2
    ip a del 127.0.0.1 dev lo
    ip a add <private_ip_of_dsrnlb>/32 dev lo
    ip link set dev lo up
    Persist settings after reboot

    These settings must be reapplied after each instance reboot. To make them persistent, refer to Set up crontab to automatically run scripts at boot.

  3. If the target instance is based on an Ubuntu image, DNS resolver settings must be configured for proper DNS resolution.

    info

    For instances in VPCs created before February 21, 2024, add the address VPC network IPv4 CIDR + 2 to the /etc/resolv.conf file. For VPCs created after this date, add 169.254.169.253.

    Edit /etc/resolv.conf
    # Add 169.254.169.253 or "VPC network IPv4 CIDR + 2"
    nameserver 169.254.169.253

    nameserver 127.0.0.53
    options edns0 trust-ad
    search kr-central-2.c.kakaoi.io
    Note: Persist DNS resolver settings after reboot
    1. Modify the systemd-resolved service configuration:

      sudo vi /etc/systemd/resolved.conf
      /etc/systemd/resolved.conf
      [Resolve]
      # For instances in VPCs created before Feb 21, 2024, use "VPC network IPv4 CIDR + 2"
      DNS=169.254.169.253
    2. Restart the systemd-resolved service:

      sudo systemctl restart systemd-resolved 
    3. Link /etc/resolv.conf to systemd-resolved:

      sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
Set up crontab to automatically run scripts at boot

On Linux operating systems, the configurations applied earlier may be reset when the instance is rebooted, requiring reconfiguration. To retain the settings after reboot, you can save the previous configuration steps into a script file and configure the crontab command to execute the script automatically upon reboot.

  1. Open the crontab file using the following command:

    Open crontab file
    crontab -e
  2. Add an @reboot expression to the file to specify the script to be executed automatically on reboot:

    Add script for automatic execution on reboot
    @reboot sh /<file_directory>/<file_name>

    Parameter | Description
    <file_directory> | Directory where the script file is located
    <file_name> | Name of the shell script to execute at boot
        - Example: @reboot sh /home/setup_dsr.sh

  3. Write the shell script to be executed. The following example script executes the network configuration steps described in Configure network on target instance and the steps in Bind process running on target instance to DSRNLB's private IP.

    setup_dsr.sh
    #!/bin/sh
    sysctl -w net.ipv4.conf.all.arp_ignore=1
    sysctl -w net.ipv4.conf.all.arp_announce=2

    ip a del 127.0.0.1 dev lo

    # Private IP address of the DSRNLB associated with the target group
    ip a add 172.30.4.237/32 dev lo

    ip link set dev lo up

    # If using a UDP listener, bind the process on the target instance to the DSRNLB's private IP (start UDP server)
    python3 /home/sample_python_udp_server.py
  4. Grant execute permission to the shell script and Python script. Specify the full file paths or navigate to the directory containing the files before executing:

    Grant execute permission
    chmod +x setup_dsr.sh
    chmod +x sample_python_udp_server.py
  5. After rebooting the instance, verify that the settings have been retained:

    Verify each configuration item
    # Check ARP settings
    sysctl -a | grep net.ipv4.conf.all.arp_ignore
    sysctl -a | grep net.ipv4.conf.all.arp_announce

    # Check loopback IP address
    ip a

    # Confirm the UDP server is running correctly (check the port number defined in the Python script)
    netstat -tuln | grep 12345

Additional configuration for target instance when using UDP listener

When using the UDP listener of DSRNLB, only Linux-based operating systems are supported. Additionally, one of the following three configurations must be applied to use the service. Even if the configuration is completed correctly, due to the nature of UDP communication, packet loss may occur and it may intermittently fail to function properly.

Bind process running on target instance to DSRNLB's private IP
  1. On the target instance, create a script with the following sample code. This example is written in Python, but you may use any programming language suitable for your environment.

    sample_python_udp_server.py
    import socket

    localIP = "172.30.4.237" # Private IP address of the DSRNLB
    localPort = 12345 # Port number used by this UDP server
    bufferSize = 1024

    msgFromServer = "Hello UDP Client, this is Simple UDP Server."
    bytesToSend = str.encode(msgFromServer)

    # Create a datagram socket
    UDPServerSocket = socket.socket(family=socket.AF_INET, type=socket.SOCK_DGRAM)

    # Bind to address and IP
    UDPServerSocket.bind((localIP, localPort))

    print("UDP server up and listening")
    # Listen for incoming datagrams
    while(True):
        bytesAddressPair = UDPServerSocket.recvfrom(bufferSize)
        message = bytesAddressPair[0]
        address = bytesAddressPair[1]
        clientMsg = "Message from Client:{}".format(message)
        clientIP = "Client IP Address:{}".format(address)
        print(clientMsg)
        print(clientIP)

        # Sending a reply to client
        UDPServerSocket.sendto(bytesToSend, address)
  2. Run the script on the target instance.

Use iptables provided by the Linux kernel for stateful NAT configuration
Warning

Using NAT consumes additional CPU resources, and because DNAT is stateful, it may also increase memory usage.

  1. On the target instance, create a script using the same example above, but modify the localIP value to 0.0.0.0.

    sample_python_udp_server.py
    import socket

    localIP = "0.0.0.0"
    localPort = 12345
    bufferSize = 1024

    msgFromServer = "Hello UDP Client, this is Simple UDP Server."
    bytesToSend = str.encode(msgFromServer)

    UDPServerSocket = socket.socket(family=socket.AF_INET, type=socket.SOCK_DGRAM)
    UDPServerSocket.bind((localIP, localPort))

    print("UDP server up and listening")
    while(True):
        bytesAddressPair = UDPServerSocket.recvfrom(bufferSize)
        message = bytesAddressPair[0]
        address = bytesAddressPair[1]
        clientMsg = "Message from Client:{}".format(message)
        clientIP = "Client IP Address:{}".format(address)
        print(clientMsg)
        print(clientIP)

        UDPServerSocket.sendto(bytesToSend, address)
  2. Run the script on the target instance.

  3. Add the following iptables DNAT rules:

    Add DNAT rules
    iptables -p udp -t nat -A POSTROUTING -j RETURN -d <private_ip_of_target> --dport <udp_server_port>
    iptables -p udp -t nat -A PREROUTING -j DNAT --dport <udp_server_port> --to-destination <private_ip_of_target> -d <private_ip_of_dsrnlb>

    Parameter | Description
    <private_ip_of_target> | Private IP address of the target instance
    <udp_server_port> | Port number specified in the example script (localPort)
    <private_ip_of_dsrnlb> | Private IP address of the DSRNLB associated with the target group

Use nftables provided by the Linux kernel for stateless NAT configuration
info

To use nftables, the Linux kernel version must be 4.10 or higher.

  1. On the target instance, follow step 1 from Use iptables provided by the Linux kernel for stateful NAT configuration.

  2. Run the example script on the target instance.

  3. Run the following commands:

    Modify source address in IP header for outgoing packets
    nft add table raw
    nft add chain raw postrouting {type filter hook postrouting priority 300 \; }
    nft add rule raw postrouting ip saddr <private_ip_of_target> udp sport <udp_server_port> ip saddr set <private_ip_of_dsrnlb>

    Parameter | Description
    <private_ip_of_target> | Private IP address of the target instance
    <udp_server_port> | Port number specified in the example script (localPort)
    <private_ip_of_dsrnlb> | Private IP address of the DSRNLB associated with the target group
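
The post-reboot verification step and the choice between binding to the DSRNLB IP and binding to 0.0.0.0 with NAT can be checked in one pass. The following is an added example, not KakaoCloud code: it inspects captured output of `sysctl`, `ip -o -4 addr show dev lo` and `/proc/net/udp`, and the function names, the `nat` flag and the sample captures are assumptions made for this illustration.

```python
"""Added example: offline check of a DSRNLB target from captured command output."""
import ipaddress
import socket
import struct

EXPECTED_SYSCTL = {"net.ipv4.conf.all.arp_ignore": "1",
                   "net.ipv4.conf.all.arp_announce": "2"}

def parse_sysctl(text):
    """Turn 'key = value' lines (sysctl output) into a dict."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def loopback_ipv4(text):
    """Addresses from `ip -o -4 addr show dev lo` output, as ip_interface objects."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if "inet" in fields[:-1]:
            found.append(ipaddress.ip_interface(fields[fields.index("inet") + 1]))
    return found

def udp_binds(text, port):
    """Local IPv4 addresses bound to `port`, parsed from /proc/net/udp content."""
    binds = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 2 or fields[1].count(":") != 1:
            continue
        hex_ip, hex_port = fields[1].split(":")
        if int(hex_port, 16) == port:
            # The kernel prints the address as a host-order 32-bit word
            # (little-endian on x86-64 and arm64), so unpack it as "<I".
            binds.append(socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16))))
    return binds

def check_dsr_target(vip, port, sysctl_text, lo_text, udp_text, nat=False):
    """Return a list of findings; an empty list means every check passed.

    nat=False: the process binds to the DSRNLB IP (first UDP option).
    nat=True:  the process binds to 0.0.0.0 and iptables or nftables rewrites addresses.
    """
    findings = []
    sysctls = parse_sysctl(sysctl_text)
    for key, want in EXPECTED_SYSCTL.items():
        if sysctls.get(key) != want:
            findings.append(f"{key} = {sysctls.get(key)}, expected {want}")
    on_lo = [i for i in loopback_ipv4(lo_text) if str(i.ip) == vip]
    if not on_lo:
        findings.append(f"{vip} is not assigned to lo")
    elif on_lo[0].network.prefixlen != 32:
        findings.append(f"{vip} on lo has prefix /{on_lo[0].network.prefixlen}, expected /32")
    want_bind = "0.0.0.0" if nat else vip
    binds = udp_binds(udp_text, port)
    if want_bind not in binds:
        findings.append(f"UDP port {port} bound to {binds or 'nothing'}, expected {want_bind}")
    return findings

# Constructed sample captures (not taken from a real instance).
SAMPLE_SYSCTL = "net.ipv4.conf.all.arp_ignore = 1\nnet.ipv4.conf.all.arp_announce = 2\n"
SAMPLE_LO = "1: lo    inet 172.30.4.237/32 scope global lo\\       valid_lft forever preferred_lft forever\n"
SAMPLE_UDP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops\n"
    "  77: ED041EAC:3039 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 31337 2 0000000000000000 0\n"
)

if __name__ == "__main__":
    result = check_dsr_target("172.30.4.237", 12345, SAMPLE_SYSCTL, SAMPLE_LO, SAMPLE_UDP)
    for finding in result or ["all checks passed"]:
        print(finding)
```

On a target instance, replace the sample strings with the real output of the three commands and pass `nat=True` when the iptables or nftables option is in use.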

Manage target

You can view, modify, and delete targets added to a target group.

caution

Two health check IPs are created for each subnet that contains a target. To ensure proper health checks, communication must be allowed from these IPs.
Refer to View health check IP and Allow communication with health check IP to add the appropriate inbound rules to the security group.

View health check IP

  1. Go to the KakaoCloud Console > Beyond Networking Service > Load Balancing > Target group menu.

  2. Select the target group for which you want to view the health check IPs.

  3. In the detailed view, click the Target tab.

  4. Click Health check IP by subnet at the top of the tab to view the list of health check IPs.

Allow communication with health check IP

There are two methods to configure security groups for allowing communication with health check IPs.
Choose one of the following methods based on your convenience.

Option 1: Add inbound rules to the target instance's existing security group
  1. Go to the KakaoCloud Console > Beyond Networking Service > Load Balancing > Target group menu.

  2. Select the target group for which to allow communication with health check IPs.

  3. In the detailed view, click the Target tab.

  4. Click Health check IP by subnet at the top of the tab to view the list of health check IPs. Keep the view open or copy the IPs.

  5. In the Target list section below, find the instance you want to allow communication with, and click its associated security group name.

    • If multiple security groups are attached, choose one arbitrarily to register the rule.
    • If the rule already exists in any one of the connected security groups, communication is already permitted.
  6. In the Security group detail view, go to the Inbound rules tab and click the [Manage inbound rules] button.

  7. In the Manage security group rules popup, click [Add] at the bottom of the inbound rules section to create a new rule.

    Image Manage security group rules

  8. Based on the information from Step 5 in the Target group > Target tab, fill in the rule details and click the [Apply] button on the right.

    Field | Description
    Protocol | Select the protocol used for communication (TCP, UDP, ICMP, ALL) based on the target group’s health check type
        - If PING: ICMP
        - If HTTP, HTTPS, TCP: TCP
    Packet source (Source) | Source IPs to be allowed
        - Enter the health check IPs identified earlier
        - Register both health check IPs per subnet
    Port | Port used for communication
        - Enter the monitor port of the target
    Rule description (optional) | Description for the rule

  9. Click the [Close] button at the bottom of the popup to complete rule registration.

Option 2: Create a new security group for health checks and attach it to the target instance
  1. Go to the KakaoCloud Console > Beyond Networking Service > Load Balancing > Target group menu.

  2. Select the target group for which to allow communication with health check IPs.

  3. In the detailed view, click the Target tab.

  4. Click Health check IP by subnet at the top of the tab to view the list of health check IPs.
    Keep the view open or copy the list.

  5. Refer to Create security group to open the security group creation page.

  6. In the Create security group popup, enter a name and description, then add inbound rules.

    Image Create security group

  7. Based on the detailed information in Step 3 from the Target group > Target tab, fill in all rule details.

    • You can register all health check IPs to one security group and attach it to all target instances.
      Alternatively, create a separate security group per subnet, register only the health check IPs for that subnet, and attach it to instances within that subnet.

    Field | Description
    Protocol | Select the protocol used for communication (TCP, UDP, ICMP, ALL) based on the target group’s health check type
        - If PING: ICMP
        - If HTTP, HTTPS, TCP: TCP
    Packet source (Source) | Source IPs to be allowed
        - Enter the health check IPs
        - Register both health check IPs for each subnet
        - If managing with a single security group, register all health check IPs
    Port | Port used for communication
        - Enter the monitor port of the target
        - Can be a single port or a range
    Rule description (optional) | Description for the rule

  8. Click [Create] to finish security group creation.

  9. In the Security group list, click the [Manage attached resources] button next to the created group, and attach it to the target instance(s).
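
Both options come down to the same coverage question: for every target, do the security groups attached to it admit both health check IPs of its subnet on the monitor port, using the protocol that matches the health check type? The following added example (not KakaoCloud code) answers it offline; the dictionary layout is a hypothetical data model filled in by hand from the console, and all names and addresses are constructed.

```python
"""Added example: which health check inbound rules each target still needs."""
import ipaddress

# Health check type -> security group protocol, from the rule table on this page.
PROTOCOL_FOR_CHECK = {"PING": "ICMP", "HTTP": "TCP", "HTTPS": "TCP", "TCP": "TCP"}

def rule_covers(rule, protocol, ip, port):
    """True if one inbound rule admits `protocol` traffic from `ip` to `port`."""
    if rule["protocol"] not in (protocol, "ALL"):
        return False
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(rule["source"], strict=False):
        return False
    if protocol == "ICMP":
        return True                      # ICMP rules carry no port
    low, high = rule.get("ports") or (1, 65535)
    return low <= port <= high

def missing_rules(check_type, health_check_ips, targets, security_groups):
    """Map each target name to the inbound rules it still needs (empty list = covered).

    A matching rule in any attached security group is enough, so the groups are merged.
    """
    protocol = PROTOCOL_FOR_CHECK[check_type]
    report = {}
    for target in targets:
        rules = [r for sg in target["security_groups"] for r in security_groups[sg]]
        port = target["monitor_port"]
        needed = []
        for ip in health_check_ips[target["subnet"]]:   # two IPs per subnet
            if any(rule_covers(r, protocol, ip, port) for r in rules):
                continue
            rule = {"protocol": protocol, "source": f"{ip}/32"}
            if protocol != "ICMP":
                rule["ports"] = (port, port)
            needed.append(rule)
        report[target["name"]] = needed
    return report

# Constructed sample data (hypothetical names and addresses).
HEALTH_CHECK_IPS = {"subnet-a": ["10.0.1.11", "10.0.1.12"],
                    "subnet-b": ["10.0.2.11", "10.0.2.12"]}
SECURITY_GROUPS = {
    # Only one of the two subnet-a health check IPs was registered here.
    "sg-web": [{"protocol": "TCP", "source": "10.0.1.11/32", "ports": (8080, 8080)}],
    # A dedicated health check group that covers subnet-b with a port range.
    "sg-hc": [{"protocol": "TCP", "source": "10.0.2.0/28", "ports": (8000, 9000)}],
}
TARGETS = [
    {"name": "web-1", "subnet": "subnet-a", "monitor_port": 8080,
     "security_groups": ["sg-web"]},
    {"name": "web-2", "subnet": "subnet-b", "monitor_port": 8080,
     "security_groups": ["sg-web", "sg-hc"]},
]

if __name__ == "__main__":
    report = missing_rules("HTTP", HEALTH_CHECK_IPS, TARGETS, SECURITY_GROUPS)
    for name, rules in report.items():
        print(name, rules or "covered")
```

Rerun it after changing the health check type: switching from HTTP to PING changes the required protocol to ICMP, so rules that covered the targets before no longer do.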

Set monitoring port

  1. Go to the KakaoCloud Console > Beyond Networking Service > Load Balancing > Target group menu.

  2. Select the target group containing the target to modify.

  3. Click the Target tab in the detailed view.

  4. Check the list of targets added to the group.

  5. Click the [More] icon next to the target whose monitoring port you want to change.

  6. In the More menu, select [Set monitoring port].

  7. In the Set monitoring port popup, configure the settings:

    • Set same as target port: Monitoring port is the same as the traffic port.
    • Set differently from target port: Monitoring port differs from traffic port; manually enter the port.
  8. Click the [Apply] button.

View target

  1. Go to the KakaoCloud Console > Beyond Networking Service > Load Balancing > Target group menu.

  2. Click the target group whose targets you want to view.

  3. In the detailed view, click the Target tab.

  4. Review the list of targets in the group. Use filters as needed to easily find the desired target.

    Field | Description
    IP | Target IP
    Port | Target port
    Instance | Name and ID of the target instance
    Subnet | Subnet to which the target belongs
    Security group | Security group(s) attached to the target instance
    Monitoring port | Port used for health checks
    Weight ratio | Calculated weight ratio based on the input weight
    Provisioning status | Indicates whether the target was added successfully or is being modified or removed
    Operating status | Indicates whether the added target is currently available
    [More] icon | Provides options to set monitoring port or detach the target

Modify target

info

The port of an added target cannot be modified. To change the port, delete the target and add it again using Configure target.

Detach target

  1. Go to the KakaoCloud Console > Beyond Networking Service > Load Balancing > Target group menu.

  2. Click the target group from which you want to detach a target.

  3. In the detailed view, click the Target tab.

  4. Review the list of targets in the group.

  5. Click the [More] icon for the target to be detached.

  6. Select [Detach target] from the More menu.

  7. In the Detach target popup, enter the confirmation phrase and click [Detach].

info

Detaching a target does not delete the instance. To reconnect it, go to Configure target and add it again.
