Creating a Worker Load Balancer Subnet (VCN-Native Pod)

Create the following resources in the order listed:

  1. Worker load balancer security list

  2. Worker load balancer subnet

Create a Worker Load Balancer Security List

Create a security list. See Creating a Security List. For Terraform input, see Example Terraform Scripts (VCN-Native Pod).

This security list defines the traffic, such as traffic from client applications, that is allowed to reach the worker load balancer.

For this example, use the following input for the worker load balancer subnet security list. These sources and destinations are examples; adjust these for your applications.

Note

When you create an external load balancer for your containerized applications (see Exposing Containerized Applications), remember to add that load balancer service front-end port to this security list.

Console property

  • Name: workerlb-seclist

  One egress security rule:

    • Stateless: uncheck the box
    • Egress CIDR: 0.0.0.0/0
    • IP Protocol: All protocols
    • Description: "Allow all outgoing traffic."

  Two ingress security rules:

    Ingress Rule 1
      • Stateless: uncheck the box
      • Ingress CIDR: kube_client_cidr
      • IP Protocol: TCP
        • Destination Port Range: 80
      • Description: "Allow inbound traffic for applications."

    Ingress Rule 2
      • Stateless: uncheck the box
      • Ingress CIDR: kube_client_cidr
      • IP Protocol: TCP
        • Destination Port Range: 443
      • Description: "Allow inbound traffic for applications."

CLI property

  • --vcn-id: ocid1.vcn.oke_vcn_id
  • --display-name: workerlb-seclist

  One egress security rule (--egress-security-rules):

    • isStateless: false
    • destination: 0.0.0.0/0
    • destinationType: CIDR_BLOCK
    • protocol: all
    • description: "Allow all outgoing traffic."

  Two ingress security rules (--ingress-security-rules):

    Ingress Rule 1
      • isStateless: false
      • source: kube_client_cidr
      • sourceType: CIDR_BLOCK
      • protocol: 6
      • tcpOptions
        • destinationPortRange
          • max: 80
          • min: 80
      • description: "Allow inbound traffic for applications."

    Ingress Rule 2
      • isStateless: false
      • source: kube_client_cidr
      • sourceType: CIDR_BLOCK
      • protocol: 6
      • tcpOptions
        • destinationPortRange
          • max: 443
          • min: 443
      • description: "Allow inbound traffic for applications."

Create the Worker Load Balancer Subnet

Create a subnet. See Creating a Subnet. For Terraform input, see Example Terraform Scripts (VCN-Native Pod).

For this example, use the following input to create the worker load balancer subnet. Use the OCID of the VCN that was created in Creating a VCN (VCN-Native Pod). Create the worker load balancer subnet in the same compartment where you created the VCN.

Create either a private or a public worker load balancer subnet. Create a public worker load balancer subnet to use with a public cluster. Create a private worker load balancer subnet to expose applications in a private cluster.

Create a Public Worker Load Balancer Subnet

Console property

  • Name: service-lb
  • CIDR Block: workerlb_cidr
  • Route Table: Select "public" from the list
  • Public Subnet: check the box
  • DNS Hostnames:
    • Use DNS Hostnames in this Subnet: check the box
    • DNS Label: servicelb
  • Security Lists: Select "workerlb-seclist" and "Default Security List for oketest-vcn" from the list

CLI property

  • --vcn-id: ocid1.vcn.oke_vcn_id
  • --display-name: service-lb
  • --cidr-block: workerlb_cidr
  • --dns-label: servicelb
  • --prohibit-public-ip-on-vnic: false
  • --route-table-id: OCID of the "public" route table
  • --security-list-ids: OCIDs of the "workerlb-seclist" security list and the "Default Security List for oketest-vcn" security list

The private subnet that follows differs in that the VCN private route table is used instead of the public route table, and the subnet is marked private.

Create a VCN Private Worker Load Balancer Subnet

Console property

  • Name: service-lb
  • CIDR Block: workerlb_cidr
  • Route Table: Select "vcn_private" from the list
  • Private Subnet: check the box
  • DNS Hostnames:
    • Use DNS Hostnames in this Subnet: check the box
    • DNS Label: servicelb
  • Security Lists: Select "workerlb-seclist" and "Default Security List for oketest-vcn" from the list

CLI property

  • --vcn-id: ocid1.vcn.oke_vcn_id
  • --display-name: service-lb
  • --cidr-block: workerlb_cidr
  • --dns-label: servicelb
  • --prohibit-public-ip-on-vnic: true
  • --route-table-id: OCID of the "vcn_private" route table
  • --security-list-ids: OCIDs of the "workerlb-seclist" security list and the "Default Security List for oketest-vcn" security list
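The two steps above (security list, then subnet) as an added example that is not part of the Oracle documentation: a Python script that builds the rule JSON the OCI CLI expects for --egress-security-rules and --ingress-security-rules, audits the ingress rules before anything is created (stateless rules, any-address/any-protocol rules, TCP rules with no port range, and unsubstituted placeholders such as kube_client_cidr), and assembles the oci network security-list create and oci network subnet create commands for both the public and the private subnet variants. The compartment OCID, route table and security list OCIDs, and the CIDR values are constructed placeholders; the commands are printed, not run.

```python
"""Added example: build and audit the CLI inputs for the worker load balancer
security list and subnet described above. Not part of the Oracle documentation.
The OCIDs and CIDR values below are constructed placeholders; replace them with
the values for your VCN. The oci commands are assembled and printed, not run."""
import ipaddress
import json
import shlex

# Constructed placeholders (substitute your own values).
COMPARTMENT_ID = "ocid1.compartment.PLACEHOLDER"  # compartment that holds the VCN
VCN_ID = "ocid1.vcn.oke_vcn_id"                   # OCID of the VCN from Creating a VCN
KUBE_CLIENT_CIDR = "10.0.0.0/8"                   # assumed value of kube_client_cidr
WORKERLB_CIDR = "10.100.20.0/24"                  # assumed value of workerlb_cidr
ROUTE_TABLE_IDS = {                               # route tables created earlier
    "public": "ocid1.routetable.PLACEHOLDER_public",
    "vcn_private": "ocid1.routetable.PLACEHOLDER_vcn_private",
}
DEFAULT_SECLIST_ID = "ocid1.securitylist.PLACEHOLDER_default"  # Default Security List for oketest-vcn


def tcp_ingress_rule(source_cidr, port, description):
    """One stateful TCP ingress rule limited to a single destination port.
    The OCI API takes the protocol number as a string ("6" is TCP)."""
    return {
        "isStateless": False,
        "source": source_cidr,
        "sourceType": "CIDR_BLOCK",
        "protocol": "6",
        "tcpOptions": {"destinationPortRange": {"min": port, "max": port}},
        "description": description,
    }


def workerlb_rules(client_cidr=KUBE_CLIENT_CIDR, app_ports=(80, 443)):
    """Egress and ingress rules for workerlb-seclist as listed on this page.
    Add a port to app_ports for each load balancer service front-end you expose."""
    egress = [{
        "isStateless": False,
        "destination": "0.0.0.0/0",
        "destinationType": "CIDR_BLOCK",
        "protocol": "all",
        "description": "Allow all outgoing traffic.",
    }]
    ingress = [tcp_ingress_rule(client_cidr, p, "Allow inbound traffic for applications.")
               for p in app_ports]
    return egress, ingress


def audit_ingress(ingress):
    """Return findings to resolve before the security list is created.
    An empty list means every rule is stateful, scoped to a valid CIDR and,
    for TCP, limited to a port range rather than all ports."""
    findings = []
    for n, rule in enumerate(ingress, start=1):
        if rule.get("isStateless"):
            findings.append(f"rule {n}: stateless, but the page expects stateful rules")
        if rule.get("source") == "0.0.0.0/0" and rule.get("protocol") == "all":
            findings.append(f"rule {n}: allows every protocol from every address")
        if rule.get("protocol") == "6" and "tcpOptions" not in rule:
            findings.append(f"rule {n}: TCP rule with no destination port range (all ports)")
        try:
            ipaddress.ip_network(rule.get("source", ""))
        except ValueError:
            # Catches an unsubstituted placeholder such as kube_client_cidr.
            findings.append(f"rule {n}: source {rule.get('source')!r} is not a valid CIDR")
    return findings


def security_list_create_cmd(egress, ingress):
    """argv for `oci network security-list create` with the rules passed as JSON."""
    return ["oci", "network", "security-list", "create",
            "--compartment-id", COMPARTMENT_ID, "--vcn-id", VCN_ID,
            "--display-name", "workerlb-seclist",
            "--egress-security-rules", json.dumps(egress),
            "--ingress-security-rules", json.dumps(ingress)]


def subnet_create_cmd(public, workerlb_seclist_id):
    """argv for `oci network subnet create` for the service-lb subnet.
    The public and private variants differ only in the route table and in
    whether public IPs are prohibited on VNICs."""
    route_table = "public" if public else "vcn_private"
    return ["oci", "network", "subnet", "create",
            "--compartment-id", COMPARTMENT_ID, "--vcn-id", VCN_ID,
            "--display-name", "service-lb", "--cidr-block", WORKERLB_CIDR,
            "--dns-label", "servicelb",
            "--prohibit-public-ip-on-vnic", "false" if public else "true",
            "--route-table-id", ROUTE_TABLE_IDS[route_table],
            "--security-list-ids", json.dumps([workerlb_seclist_id, DEFAULT_SECLIST_ID])]


if __name__ == "__main__":
    egress, ingress = workerlb_rules()
    problems = audit_ingress(ingress)
    if problems:
        raise SystemExit("\n".join(problems))
    print(shlex.join(security_list_create_cmd(egress, ingress)))
    # The workerlb-seclist OCID comes from the output of the command above.
    print(shlex.join(subnet_create_cmd(public=False,
                                       workerlb_seclist_id="ocid1.securitylist.PLACEHOLDER_workerlb")))
```

With the placeholders replaced, the script prints the two commands in the order the page requires; the security list OCID returned by the first command is what subnet_create_cmd needs before the second is run. The front-end port of an external load balancer service, which the note above says must be added to this security list, is one more entry in app_ports, and the audit still checks that it is a stateful, single-port rule from a valid CIDR.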