Create and manage target group
This page describes how to create and manage target groups: creating and listing them, updating their information, and connecting listeners.
Create target group
-
Go to KakaoCloud Console > Beyond Networking Service > Load Balancing > Target Group.
-
Click the [Create target group] button in the upper right corner.
-
In the Step 1: Configure target group screen, enter the settings and click the [Next] button.
Step 1. Create target group
Category | Item | Description |
---|---|---|
Load balancer | Availability Zone (AZ) | Select from the available AZs in the project |
Load balancer | Load balancer | Provides a list of all Load Balancers in the selected availability zone |
Load balancer | Listener | Provides a list of all Listeners for the selected load balancer and the option 'No Listener' |
Basic information | Target group name | The target group name |
Basic information | Protocol | Selectable target group protocol based on listener protocol. TCP Listener: `HTTP`, `TCP`. UDP Listener: `UDP` |
Basic information | Algorithm | `Round Robin`: Distributes traffic sequentially among targets in the target group. `Least connections`: Distributes traffic preferentially to targets with fewer connections. `Source IP Hash`: Ensures that traffic from the same client IP header always goes to the same target |
Basic information | Sticky session | Can be set to use or not use only in the following Listener x target group combinations (TLS Listener is not supported): `TCP x TCP`, `UDP x UDP`. Otherwise: 'Not Used' (Disabled) |
Basic information | Sticky session type | Selectable types based on Listener x target group combinations. `TCP x TCP`: Source IP. `UDP x UDP`: Source IP |
Basic information | Stickiness duration | Activated only when using Sticky Sessions (HTTP Cookie, App Cookie). Integer between 1 and 604800 (Default: 3600 seconds for HTTP Cookie, 360 seconds for others) |
Basic information | Cookie name | Activated only when using Sticky Sessions (App Cookie). The name of the App cookie used by the user's application must be entered. Allowed characters: Alphabets, numbers, and some special characters (`!` `#` `$` `%` `^` `&` `_` `*` `+` `~` `-`). Allowed length: 1-255 characters |
Basic information | Sticky IP-netmask | Activated only when using Sticky Sessions (Source IP). Entered in IPv4 address format only (Default: `255.255.255.255`) |
Health check | Health check | Enable or disable health check |
Health check | Type | Selectable types based on target group protocol. HTTP target group: `HTTP`, `PING`. TCP target group: `PING`, `TCP`. UDP target group: `TCP`, `HTTP` |
Health check | HTTP method | Set only if the health check type is HTTP. Choose from `CONNECT`, `DELETE`, `GET`, `HEAD`, `OPTIONS`, `PATCH`, `POST`, `PUT`, `TRACE` |
Health check | HTTP version | Set only if the health check type is HTTP. Choose from 1 or 1.1 |
Health check | HTTP status code | Set only if the health check type is HTTP. Enter a single code, comma-separated multiple codes, or a range of codes specified by hyphens (`-`) |
Health check | Check path | Enter in URL format |
Health check | Check interval | Integer between 1 and 3600 (Default: 30 seconds). Must be greater than the timeout |
Health check | Timeout | Integer between 1 and 900 (Default: 5 seconds). Must be less than the check interval |
Health check | Transition criteria (success) | Integer between 1 and 10 (Default: 5) |
Health check | Transition criteria (failure) | Integer between 1 and 10 (Default: 2) |

info: If the algorithm is `Source IP Hash`, traffic from a single source will always be directed to the same target, so there is no need for Sticky Session configuration. Sticky session settings are required for specifying the duration of the session; thus, using `Source IP Hash` is recommended if you want to maintain the session consistently.
-
In the Step 2: Add targets screen, you can add resources as targets that are in the same AZ and Virtual Private Cloud (VPC) as the selected Load Balancer.
-
Select the instances to add as targets and enter the port number.
-
Click the [Add target] button.
caution: DSRNLB requires that the port number of the connected Listener matches the port number of the target group's targets. Target groups already connected to another Listener cannot be connected to a different Listener. Additionally, all targets in a target group must have the same port number configured.
-
After adding targets, click the [Next] button.
-
In the Step 3: Review screen, review the settings and click the [Create] button.
- After creating a target group, you need to set the target's security group. Go to Target Group > Target tab and check the Health check IP address and add the IP address to the security group inbound policy of the target.
- The IP address is used as a service port, so even if you do not use health check, you must open it through the inbound policy settings.
Manage target group
You can modify or delete existing target groups, or add new targets from the target group details screen.
View list of target groups
-
Go to KakaoCloud Console > Beyond Networking Service > Load Balancing > Target Group.
-
Review the list of target groups.
Category | Description |
---|---|
Target group name | Displays the name and ID assigned at creation |
Provisioning status | Information on whether the target group has been created successfully or if modification or deletion is in progress |
Operating status | Information on whether the created target group is in an operational state |
Protocol | The protocol used for routing traffic to targets |
Load balancer | The name and ID of the load balancer connected to the target group |
VPC | The name and ID of the VPC containing the load balancer |
[More] icon | Provides options for renaming, listener connection settings, algorithm settings, etc. |
View target group details
-
Go to KakaoCloud Console > Beyond Networking Service > Load Balancing > Target Group.
-
Select a target group to.
-
In the details screen, you can check detailed information, targets, health check, and attributes.
Target group details
Category | Description |
---|---|
Details | View detailed information of the target group |
Targets | View the list of added targets and detailed information of each target |
Health check | View health check settings |
Attributes | View attributes of the target group |
Rename target group
-
Go to KakaoCloud Console > Beyond Networking Service > Load Balancing > Target Group.
-
Click the [More] icon > Rename target group.
-
In the popup, enter the new name and click the [Rename] button.
Delete target group
-
Go to KakaoCloud Console > Beyond Networking Service > Load Balancing > Target Group.
-
Click the [More] icon > select Delete target group.
-
In the popup, enter the confirmation text and click the [Delete] button.
Configure listener connection
-
Go to KakaoCloud Console > Beyond Networking Service > Load Balancing > Target Group.
-
Click the [More] icon and select Configure listener connection.
-
In the popup, change the connection settings and click the [Apply] button.
Target group - Listener connection
A target group in DSRNLB can only be connected to a single listener created on one DSRNLB.
Set algorithm
- Go to KakaoCloud Console > Beyond Networking Service > Load Balancing > Target Group.
- Click the [More] icon > select Set algorithm.
- In the popup, change the algorithm and click the [Apply] button.
Configure target
-
Go to KakaoCloud Console > Beyond Networking Service > Load Balancing > Target Group.
-
Click the target group where you want to change the target settings.
-
In the details screen, click the Target tab, then click the [Configure target] button.
-
In the popup, review the registered targets and delete or add targets as needed, then click the [Apply] button.
caution
- All targets in a single target group must be set to the same port number.
- When using DSRNLB, the load balancer and target Instances must exist within the same Subnet.
Set traffic weight
-
Go to KakaoCloud Console > Beyond Networking Service > Load Balancing > Target Group.
-
Select the target group to change the traffic weight settings.
-
In the details screen, click the Target tab, then click the [Set traffic weight] button.
-
In the popup, change the weights and click the [Set] button.
- Traffic weight can be entered as integers between `0` and `256`.
- Weights are converted to a weight conversion value using the following formula:
  - Weight Conversion: (Weight/256)*100 (rounded up to the nearest tenth)
  - Ratio: Weight Conversion / Sum of Weight Conversions
Set health check
To perform a successful health check with DSRNLB, additional settings for target Instances are required. Refer to Configure target instance for more details.
-
Go to KakaoCloud Console > Beyond Networking Service > Load Balancing > Target Group.
-
Select the target group to change the health check settings.
-
In the details screen, click the Health check tab, then click the [Configure health check] button.
-
In the popup, change the health check status or settings.
Configure health check
Category | Description |
---|---|
Target group | The name of the current target group |
Protocol | Types selectable based on the target group's protocol. HTTP target group: `HTTP`, `PING`. TCP target group: `PING`, `TCP`. UDP target group: `TCP`, `HTTP` |
Health check | Status |
Health check | Type: Type of health check. `PING`: Sends packets to the target and checks the response (ICMP Ping). `HTTP`: Sends packets to the configured path and checks the response. `HTTPS`: Checks the response for targets using certificates in the same way as HTTP. `TCP`: Checks the target's state using TCP Protocol ports |
Health check | Interval: Target health check interval (seconds). 1~3600 seconds |
Health check | Timeout: Maximum waiting time for a delayed response from the target (seconds). If the specified time is exceeded, the communication with the target is considered failed. Set to a value less than the interval. 1~900 seconds |
Health check | Transition criteria (success): Number of consecutive successful health checks required to consider a target healthy |
Health check | Transition criteria (failure): Number of consecutive failed health checks required to consider a target unhealthy and exclude it from traffic distribution |
-
If the health check type is `HTTP` or `HTTPS`, additional attributes can be set.

Category | Description |
---|---|
HTTP method | Choose from `GET`, `HEAD`, `OPTIONS`, `POST`, `PUT`, `TRACE`, `PATCH`, `DELETE`, `CONNECT` |
HTTP version | Choose from `1.0` or `1.1` |
HTTP status code | Set the expected HTTP status codes for responses from the target. If the target responds with the user-configured HTTP status code, the health check is considered successful. Example of single status code: `200`, `201`. Example of multiple status codes: `201`, `202`, `401`, `402`. Example of range: 200-500 |
Check path | Enter the path for the health check in URL format |
-
Click the [Apply] button.
If the target of the target group uses SELinux options provided by newer CentOS distributions like CentOS 8 Stream, SELinux will block `shell_exec_t` calls. Therefore, `PING` type health checks will not function.
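The following is an added example, not part of the KakaoCloud documentation: a Python check of health check values against the limits in the tables above, which also reports when the expected status codes would count 4xx/5xx responses as healthy (as the range example 200-500 does). The function names are hypothetical, and accepting single codes and ranges mixed in one value, as well as the 100-599 bound, are assumptions.

```python
def parse_status_codes(spec):
    """Parse '200', '201,202,401,402' or '200-500' into inclusive (low, high) ranges."""
    ranges = []
    for part in spec.split(","):
        low_text, dash, high_text = part.strip().partition("-")
        if not low_text.isdigit() or (dash and not high_text.isdigit()):
            raise ValueError(f"invalid status code entry: {part!r}")
        low = int(low_text)
        high = int(high_text) if dash else low
        # Assumption: only real HTTP status codes (100-599) are meaningful.
        if not 100 <= low <= high <= 599:
            raise ValueError(f"status code out of order or outside 100-599: {part!r}")
        ranges.append((low, high))
    return ranges


def is_healthy(status, ranges):
    """True if a response status would make the health check succeed."""
    return any(low <= status <= high for low, high in ranges)


def accepted_error_ranges(ranges):
    """Return the parts of the configured codes that treat 4xx/5xx as healthy."""
    return [(max(low, 400), high) for low, high in ranges if high >= 400]


def validate_timing(interval, timeout, success, failure):
    """Check interval, timeout and transition criteria against the documented limits."""
    errors = []
    if not 1 <= interval <= 3600:
        errors.append("interval must be 1-3600 seconds")
    if not 1 <= timeout <= 900:
        errors.append("timeout must be 1-900 seconds")
    if timeout >= interval:
        errors.append("timeout must be less than the interval")
    for name, value in (("success", success), ("failure", failure)):
        if not 1 <= value <= 10:
            errors.append(f"transition criteria ({name}) must be 1-10")
    return errors


if __name__ == "__main__":
    # Constructed inputs: the page's default timing and its three status code examples.
    print(validate_timing(interval=30, timeout=5, success=5, failure=2))
    for spec in ("200", "201,202,401,402", "200-500"):
        ranges = parse_status_codes(spec)
        print(spec, "->", ranges, "error codes accepted:", accepted_error_ranges(ranges))
```

A target that answers 401 or 500 stays in rotation when those codes are inside the configured set, so keep the expected codes as narrow as the application allows.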
Set sticky session
Sticky Sessions can be configured for some target groups depending on the Listener and target group protocol.
Sticky session options by listener and target group protocol
Target group\Listener | HTTP | HTTPS | TCP | UDP |
---|---|---|---|---|
HTTP | HTTP Cookie, App Cookie | X | X | X |
HTTPS | X | X | X | X |
TCP | X | X | Source IP | X |
UDP | X | X | X | Source IP |
PROXY | X | X | X | X |
-
Go to KakaoCloud Console > Beyond Networking Service > Load Balancing > Target Group.
-
Select the target group to change the sticky session settings.
-
In the detail screen, click the Attributes tab and then click the [Configure sticky session] button.
-
In the popup, change the settings and click the [Apply] button.
Configure target instance
To use DSRNLB correctly, additional settings are required for the target instances based on their operating system. Create the instances to be used as targets beforehand, then perform the following tasks. Failure to do so will result in unsuccessful health checks.
Change source/destination check
-
Go to KakaoCloud Console > Virtual Machine > Instance menu.
-
Click the [More] icon and select Change source/destination check.
-
In the popup, select Disable source/destination check and click the [Complete] button.
caution
- Instances with source/destination checks disabled will also receive packets whose destination is not the instance itself. To minimize security risks, configure the security group policies in detail.
- To use DSRNLB, the security group of the target instance must allow inbound traffic from DSRNLB's private IP and Listener port number.
Configure network on target instance
Using DSRNLB requires additional network configuration on the target instance based on its operating system, including Address Resolution Protocol (ARP) settings and Loopback address settings.
- Linux Operating Systems
- Windows Operating Systems
-
Connect to the target instance via SSH.
-
Enter the following commands. `<private_ip_of_dsrnlb>` is the private IP address of the DSRNLB associated with this target group (e.g., 10.0.3.49).

caution: The following commands must be executed with root privileges. Switch to root using the `sudo -i` command before running these commands.

Network Configuration
```bash
# Reply to ARP only for addresses configured on the interface that received the request
sysctl -w net.ipv4.conf.all.arp_ignore=1
# Always use the best local address as the source of ARP announcements
sysctl -w net.ipv4.conf.all.arp_announce=2
ip a del 127.0.0.1 dev lo
# Add the DSRNLB private IP to the loopback interface as a /32
ip a add <private_ip_of_dsrnlb>/32 dev lo
ip link set dev lo up
```

How to maintain settings after reboot

For the above configuration, you will need to reapply the settings every time the instance is rebooted. To ensure the settings are maintained after a reboot, additional steps are required. For detailed instructions, please refer to Set up crontab to automatically run scripts at boot.
Set up crontab to automatically run scripts at boot
For Linux operating systems, the settings you previously configured will be reset and need to be reapplied when the instance is rebooted. To ensure the settings are applied after a reboot, you can save the configuration steps as a script file and use the `crontab` command to execute this script at boot.
-
Open the crontab file with the following command:
Open Crontab File
```bash
crontab -e
```
-
Add a line to the file using the `@reboot` expression to automatically execute the code at reboot.

Add Code to Run at Reboot
```
@reboot sh /<file_directory>/<file_name>
```

Parameter | Description |
---|---|
`<file_directory>` | Path where the executable file is located |
`<file_name>` | Name of the shell script file to be executed at boot |

- Example: `@reboot sh /home/setup_dsr.sh`
-
Write the shell script that will be executed. This example script performs the tasks described in Configure network on target instance and Bind process running on target instance to DSRNLB's private IP.
setup_dsr.sh
```sh
#!/bin/sh
sysctl -w net.ipv4.conf.all.arp_ignore=1
sysctl -w net.ipv4.conf.all.arp_announce=2
ip a del 127.0.0.1 dev lo
# The private IP address of the DSRNLB that this target instance will be associated with in the target group
ip a add 172.30.4.237/32 dev lo
ip link set dev lo up
# When using a UDP Listener, bind the Process running on the target instance to the DSRNLB's private IP (UDP Server execution)
python3 /home/sample_python_udp_server.py
```
-
Adjust the permissions of the script and Python files to ensure they can be executed. Enter the path to each file or navigate to the directory where the files are located and execute the following commands:
Grant Execute Permissions
```bash
chmod +x setup_dsr.sh
chmod +x sample_python_udp_server.py
```
-
Verify that the settings persist after rebooting.
Verify Settings
```bash
# Check ARP settings
sysctl -a | grep net.ipv4.conf.all.arp_ignore
sysctl -a | grep net.ipv4.conf.all.arp_announce
# Check Loopback IP address
ip a
# Verify that the UDP Server is running properly (check the port number specified in the Python script)
netstat -tuln | grep 12345
```
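The following is an added example, not part of the KakaoCloud documentation: a Python check that the ARP settings and the loopback address from Configure network on target instance are actually in effect, for instance after a reboot. The function names and the sample command output are constructed for illustration; `172.30.4.237` is the DSRNLB address used in `setup_dsr.sh`.

```python
import ipaddress
import re

# Values the page sets with `sysctl -w` on a DSRNLB target instance.
REQUIRED_SYSCTLS = {
    "net.ipv4.conf.all.arp_ignore": "1",
    "net.ipv4.conf.all.arp_announce": "2",
}

# Constructed sample output: a configured target and a freshly rebooted one.
SAMPLE_OK_SYSCTL = "net.ipv4.conf.all.arp_ignore = 1\nnet.ipv4.conf.all.arp_announce = 2\n"
SAMPLE_OK_IP = "1: lo    inet 172.30.4.237/32 scope global lo\n"
SAMPLE_AFTER_REBOOT_SYSCTL = "net.ipv4.conf.all.arp_ignore = 0\nnet.ipv4.conf.all.arp_announce = 0\n"
SAMPLE_AFTER_REBOOT_IP = "1: lo    inet 127.0.0.1/8 scope host lo\n"


def parse_sysctl(text):
    """Parse `sysctl` output lines of the form 'key = value' into a dict."""
    values = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            values[key.strip()] = value.strip()
    return values


def parse_loopback_addrs(text):
    """Return the IPv4 interfaces listed in `ip -o -4 addr show dev lo` output."""
    return [ipaddress.ip_interface(m) for m in re.findall(r"\binet (\S+)", text)]


def audit_dsr_target(sysctl_text, ip_text, dsrnlb_ip):
    """Return a list of findings; an empty list means the settings match the page."""
    findings = []
    vip = ipaddress.ip_address(dsrnlb_ip)
    sysctls = parse_sysctl(sysctl_text)
    for key, want in REQUIRED_SYSCTLS.items():
        got = sysctls.get(key)
        if got != want:
            findings.append(f"{key} is {got!r}, expected {want!r}")
    on_lo = [a for a in parse_loopback_addrs(ip_text) if a.ip == vip]
    if not on_lo:
        findings.append(f"{vip} is not configured on lo")
    elif any(a.network.prefixlen != 32 for a in on_lo):
        # The page adds the address as /32; a wider prefix is a misconfiguration.
        findings.append(f"{vip} is on lo but not as a /32")
    return findings


if __name__ == "__main__":
    import subprocess
    import sys

    def run(*cmd):
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

    if len(sys.argv) == 2:
        # Live check on a target instance: pass the DSRNLB private IP as the argument.
        problems = audit_dsr_target(
            run("sysctl", *REQUIRED_SYSCTLS),
            run("ip", "-o", "-4", "addr", "show", "dev", "lo"),
            sys.argv[1],
        )
    else:
        # No argument: demonstrate on the constructed post-reboot sample.
        problems = audit_dsr_target(
            SAMPLE_AFTER_REBOOT_SYSCTL, SAMPLE_AFTER_REBOOT_IP, "172.30.4.237"
        )
    print("\n".join(problems) or "OK")
    sys.exit(1 if problems else 0)
```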
Step 1. Install Microsoft KM-TEST loopback adapter
-
Search for Run in the search box at the bottom left corner of the Windows desktop and select it.
-
In the Run window, type `hdwwiz` and click [OK].
-
The Add Hardware Wizard will appear. Click [Next].
-
Select Install the hardware that I manually select from a list (Advanced).
-
Choose Network Adapters and click [Next].
-
In Manufacturer, select `Microsoft`, then choose `Microsoft KM-TEST Loopback Adapter` in Model. Click [Next].
-
Click [Next] to proceed with the installation.
-
Click [Finish] when the installation is complete.
Step 2. Configure IP settings for the adapter
-
Search for Network Status in the search box at the bottom left corner of the Windows desktop and select it.
-
In the Network Status window, click Change adapter options.
-
In the Network Connections window, locate the Ethernet labeled as Unidentified Network. Right-click this Ethernet and select [Properties].
-
In the Ethernet Properties window, select Internet Protocol Version 4 (TCP/IPv4) and click [Properties].
-
In the Internet Protocol Version 4 (TCP/IPv4) Properties window, select the [General] tab and choose Use the following IP address. Enter the following information:
- IP Address (I): Private IP address of DSRNLB
- Subnet Mask (U): 255.255.255.255
Step 3. Ignore ARP requests and configure weak host model
-
Search for Command Prompt in the search box at the bottom left corner of the Windows desktop and select it.
-
Enter the following command to set the adapter to ignore ARP requests. `<loopback_adapter_name>` refers to the name of the newly added adapter from Step 1. Install Microsoft KM-TEST loopback adapter.

Ignore ARP Requests
```
netsh interface ipv4 set interface <loopback_adapter_name> metric=254
```
-
Enter the following commands to configure the Weak Host Model. `<default_network_adapter_name>` refers to the name of the default adapter, not the newly added one (e.g., tap6d769000e-0a).

Configure Weak Host Model
```
netsh interface ipv4 set interface <default_network_adapter_name> weakhostreceive=enabled
netsh interface ipv4 set interface <loopback_adapter_name> weakhostreceive=enabled
netsh interface ipv4 set interface <loopback_adapter_name> weakhostsend=enabled
```
Additional configuration for target instance when using UDP listener
When using the UDP Listener for DSRNLB, the target instance must run a Linux-based operating system. Additionally, one of the following three configurations must be applied. Even if the configuration is correctly completed, packet loss may occur due to the nature of UDP communication, leading to occasional failures.
- Bind process running on target instance to DSRNLB's private IP
- Use iptables provided by the Linux Kernel for stateful NAT configuration
- Use nftables provided by the Linux Kernel for stateless NAT configuration
Bind process running on target instance to DSRNLB's private IP
-
On the target instance, create the following example code. This example is written in Python, but you may use an appropriate programming language as needed.
sample_python_udp_server.py
```python
import socket

localIP = "172.30.4.237"  # DSRNLB's Private IP
localPort = 12345  # Port number used by the UDP Server created and run by this source code
bufferSize = 1024
msgFromServer = "Hello UDP Client, this is Simple UDP Server."
bytesToSend = str.encode(msgFromServer)

# Create a datagram socket
UDPServerSocket = socket.socket(family=socket.AF_INET, type=socket.SOCK_DGRAM)

# Bind to address and ip
UDPServerSocket.bind((localIP, localPort))
print("UDP server up and listening")

# Listen for incoming datagrams
while True:
    bytesAddressPair = UDPServerSocket.recvfrom(bufferSize)
    message = bytesAddressPair[0]
    address = bytesAddressPair[1]
    clientMsg = "Message from Client:{}".format(message)
    clientIP = "Client IP Address:{}".format(address)
    print(clientMsg)
    print(clientIP)
    # Sending a reply to client
    UDPServerSocket.sendto(bytesToSend, address)
```
-
Run the example code.
Use iptables provided by the Linux Kernel for stateful NAT configuration
NAT operations use additional CPU resources, and since DNAT is 'Stateful,' memory consumption can also be high.
-
On the target instance, create the following example code. This example is written in Python, but you can substitute it with an appropriate programming language as needed.
- This example code is the same as above, but the `localIP` address is changed to `0.0.0.0`.

sample_python_udp_server.py
```python
import socket

localIP = "0.0.0.0"
localPort = 12345  # Port number used by the UDP Server created and run by this source code
bufferSize = 1024
msgFromServer = "Hello UDP Client, this is Simple UDP Server."
bytesToSend = str.encode(msgFromServer)

# Create a datagram socket
UDPServerSocket = socket.socket(family=socket.AF_INET, type=socket.SOCK_DGRAM)

# Bind to address and ip
UDPServerSocket.bind((localIP, localPort))
print("UDP server up and listening")

# Listen for incoming datagrams
while True:
    bytesAddressPair = UDPServerSocket.recvfrom(bufferSize)
    message = bytesAddressPair[0]
    address = bytesAddressPair[1]
    clientMsg = "Message from Client:{}".format(message)
    clientIP = "Client IP Address:{}".format(address)
    print(clientMsg)
    print(clientIP)
    # Sending a reply to client
    UDPServerSocket.sendto(bytesToSend, address)
```
-
Run the example code.
-
Add iptables DNAT rules by entering the following commands:
iptables -p udp -t nat -A POSTROUTING -j RETURN -d <private_ip_of_target> --dport <udp_server_port>
iptables -p udp -t nat -A PREROUTING -j DNAT --dport <udp_server_port> --to-destination <private_ip_of_target> -d <private_ip_of_dsrnlb>
Item | Description |
---|---|
<private_ip_of_target> | Private IP address of the target instance |
<udp_server_port> | Port number set in the example code (localPort value) |
<private_ip_of_dsrnlb> | Private IP address of the DSRNLB associated with the target group to which the target instance is added |
Use nftables provided by the Linux Kernel for stateless NAT configuration
To use nftables, your Linux kernel version must be 4.10 or higher.
-
Write the example code from step 1 in Use iptables provided by the Linux Kernel for stateful NAT configuration.
-
Execute the example code.
-
Enter the following command:
Modify Source Address in IP Header of Transmitted Packet
```bash
nft add table raw
nft add chain raw postrouting {type filter hook postrouting priority 300 \; }
nft add rule raw postrouting ip saddr <private_ip_of_target> udp sport <udp_server_port> ip saddr set <private_ip_of_dsrnlb>
```

Category | Description |
---|---|
<private_ip_of_target> | Private IP address of target instance |
<udp_server_port> | Port number set in the example code above (localPort value) |
<private_ip_of_dsrnlb> | Private IP address of DSRNLB connected to target group where target instance will be set |
Manage target
You can view, modify, and delete targets added to the target group.
Two health check IPs are generated per subnet where the target is located. For health checks, communication must be allowed through these IPs. Please refer to View health check IP and Allow communication with health check IP to add an inbound policy to the security group.
View health check IP
-
Go to KakaoCloud Console > Beyond Networking Service > Load Balancing > Target Group.
-
Select a target group.
-
In the detail screen, select the Target tab.
-
Click the Health check IP per subnet to view the list of health check IPs.
Allow communication with health check IP
There are two methods to allow communication with health check IPs in the security group. Choose one of the following methods for convenience.
Method 1. Register an inbound policy allowing the IP in the existing security group of the target instance
-
Go to KakaoCloud Console > Beyond Networking Service > Load Balancing > Target Group.
-
View the health check IP and select the target group to allow communication.
-
Select the Target tab.
-
Click on Health check IP by subnet to view the health check IP list. Keep the health check IP query screen open or copy the list.
-
In the Target list at the bottom of the tab detail view, check the instance to allow communication with the health check IP and select the security group name of the instance.
- If there are multiple connected security groups, select any one to register.
- If the same policy has already been added to one or more of the connected security groups, it means that communication is already allowed.
-
Click the [Manage inbound rules] button in the Inbound rules tab.
-
In the popup, click the [Add] button at the bottom of the Inbound Policy tab to add a new policy input field.
-
Based on the detailed information from Step 5 in the Target Group > Target Tab, enter the policy information and click the [Apply] button on the right.
Inbound policy configuration
Field | Description |
---|---|
Protocol | Protocol for communication (TCP, UDP, ICMP, ALL), select based on the health check type of the target group. If the health check type is PING: `ICMP`. If the health check type is HTTP, HTTPS, TCP: `TCP` |
Packet source | Source IP to allow access. Enter the health check IP identified in the target details. Register each of the two health check IPs generated in the Subnet that includes the target |
Port | Port for communication. Enter the monitoring port of the target |
Policy description (Optional) | Description of the policy |
-
Click the [Close] button.
Method 2. Create a new security group for health check and attach it to the target instance
-
Go to KakaoCloud Console > Beyond Networking Service > Load Balancing > Target Group.
-
View the health check IP and select the target group to allow communication.
-
Select the Target tab in the detail view.
-
Click on Health check IP per subnet. Keep the health check IP query screen open or copy the list.
-
Refer to Create security group to go to the new security group creation screen.
-
In the popup, enter the security group name and description, and add the inbound policy.
-
Based on the detailed information from Step 3 in the Target Group > Target tab, enter all policy information.
- Register all health check IPs in one security group and connect all target instances to this security group. Or, create security groups by subnet and register only the health check IPs generated in that Subnet, then connect only the target Instances in the same Subnet.

Inbound policy configuration

Field | Description |
---|---|
Protocol | Protocol for communication (TCP, UDP, ICMP, ALL), select based on the health check type of the target group. If the health check type is PING: `ICMP`. If the health check type is HTTP, HTTPS, TCP: `TCP` |
Packet source | Source IP to allow access. Enter the health check IP identified in the target details. Register each of the two health check IPs generated in the Subnet that includes the target. If managing with a single security group, register every health check IP |
Port | Port for communication. Enter the monitoring port of the target. Can be entered as a single port or a range |
Policy description (Optional) | Description of the policy |
-
Click the [Create] button to complete the creation of the security group.
-
In the Security group list, click the [More] icon > [Modify association] button to connect the target instance.
Set monitoring port
-
Go to KakaoCloud Console > Beyond Networking Service > Load Balancing > Target Group.
-
Select the target group to modify.
-
Select the Target tab in the detail view.
-
Check the list of targets added to the target group.
-
Select the [More] icon > [Set monitoring port].
-
In the popup, change the information.
- Set to the same port as the target port: The traffic port and monitoring port are the same
- Set to different port from the target port: The traffic port and monitoring port are different, so enter the monitoring port
-
Click the [Apply] button.
View target
-
Go to KakaoCloud Console > Beyond Networking Service > Load Balancing > Target Group.
-
Select a target group.
-
Select the Target tab in the detail view.
-
Check the list of targets added to the target group.
Field | Description |
---|---|
IP | Target IP |
Port | Target port |
Provisioning status | Information on whether the target was added successfully or if it is in the process of modification or deletion |
Operating status | Information on whether the added target is available |
Instance | Name and ID of the target instance |
Subnet | Name of the subnet containing the target |
Security group | Security group connected to the target instance |
Monitoring port | Port where health check is performed |
Weight | Weight ratio calculated based on the input weight |
[More] icon | Provides functions for setting the monitoring port and disconnecting the target |
Modify target
The port of the added target cannot be modified. If you want to change the port, delete the target and perform the target configuration again.
Detach target
-
Go to KakaoCloud Console > Beyond Networking Service > Load Balancing > Target Group.
-
Select the target group to disconnect the target.
-
Select the Target tab in the detail view.
-
Check the list of targets added to the target group.
-
Select the [More] icon and [Detach target].
-
In the popup, click the [Detach] button.
Detaching the target will not delete the instance. To reconnect, please add it again.