{"id":947,"date":"2026-04-17T05:52:26","date_gmt":"2026-04-17T05:52:26","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/oracle-cloud-network-load-balancer-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking-edge-and-connectivity\/"},"modified":"2026-04-17T05:52:26","modified_gmt":"2026-04-17T05:52:26","slug":"oracle-cloud-network-load-balancer-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking-edge-and-connectivity","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/oracle-cloud-network-load-balancer-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking-edge-and-connectivity\/","title":{"rendered":"Oracle Cloud Network Load Balancer Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Networking, Edge, and Connectivity"},"content":{"rendered":"\n

Category<\/h2>\n\n\n\n

Networking, Edge, and Connectivity<\/p>\n\n\n\n

1. Introduction<\/h2>\n\n\n\n

Oracle Cloud Network Load Balancer<\/strong> is a managed, Layer 4 (transport-layer) load balancing service designed to distribute TCP and UDP<\/strong> traffic across backend servers with low latency<\/strong> and high throughput<\/strong>.<\/p>\n\n\n\n

In simple terms: you place a Network Load Balancer in front of multiple servers (VMs, bare metal, or IP-based targets), and clients connect to a single IP address. The service then forwards each connection to a healthy backend so your application can scale and survive failures.<\/p>\n\n\n\n

Technically, Network Load Balancer operates at Layer 4: it does not understand HTTP paths, headers, or cookies. Instead, it balances traffic based on transport information (such as destination port and connection flows). It integrates natively with Oracle Cloud networking constructs like VCNs, subnets, route tables, security lists, and Network Security Groups (NSGs)<\/strong> and is managed via the Console, API, CLI, and Terraform.<\/p>\n\n\n\n

What problem it solves:<\/strong> it provides a highly available front door for TCP\/UDP services (APIs over TCP, gaming, IoT protocols, DNS, syslog, custom protocols, database proxies) without the overhead of application-layer (Layer 7) processing\u2014and without you having to operate your own HAProxy\/Nginx\/LVS fleet.<\/p>\n\n\n\n

2. What is Network Load Balancer?<\/h2>\n\n\n\n

Official purpose (OCI service intent):<\/strong> Network Load Balancer in Oracle Cloud Infrastructure (Oracle Cloud) provides Layer 4<\/strong> load balancing for TCP and UDP<\/strong> traffic, distributing connections across multiple backends while performing health checks to route traffic only to healthy targets.<\/p>\n\n\n\n

Core capabilities<\/h3>\n\n\n\n
    \n
  • Load balancing for TCP and UDP<\/strong> workloads (transport-layer).<\/li>\n
  • Public or private<\/strong> load balancer deployment, depending on whether you need internet-facing or internal-only traffic.<\/li>\n
  • Backend health checks<\/strong> to detect failures and stop sending traffic to unhealthy servers.<\/li>\n
  • Highly available managed service<\/strong> so you don\u2019t manage load balancer nodes, failover, patching, or scaling of the load balancer infrastructure.<\/li>\n
  • Native Oracle Cloud networking integration<\/strong> with VCNs, subnets, NSGs\/security lists, and routing.<\/li>\n<\/ul>\n\n\n\n

    Major components (conceptual model)<\/h3>\n\n\n\n

    While exact UI labels may evolve, Network Load Balancer implementations typically include:<\/p>\n\n\n\n

      \n
    • Network Load Balancer (NLB)<\/strong>: the load balancer resource itself, attached to a subnet, providing one or more front-end addresses.<\/li>\n
    • Listener<\/strong>: a front-end protocol\/port that accepts client connections (for example TCP\/80 or UDP\/53).<\/li>\n
    • Backend set<\/strong>: a logical group of backend servers and a health check policy.<\/li>\n
    • Backends<\/strong>: the actual targets (commonly private IP:port combinations) that receive forwarded traffic.<\/li>\n
    • Health check<\/strong>: the probe configuration that determines whether a backend is healthy for receiving traffic.<\/li>\n<\/ul>\n\n\n\n

      Service type and scope<\/h3>\n\n\n\n
        \n
      • Service type:<\/strong> Managed load balancer (LBaaS) focused on Layer 4<\/strong>.<\/li>\n
      • Scope:<\/strong> Network Load Balancer is created within an Oracle Cloud compartment<\/strong> and attached to a VCN subnet<\/strong> in a region.<\/li>\n
      • Regional vs. zonal:<\/strong> Oracle Cloud networking resources are generally regional in nature (VCNs and regional subnets). Network Load Balancer is designed for regional high availability<\/strong>. Availability and implementation details can vary by region\u2014verify in official docs<\/strong> for any region-specific constraints.<\/li>\n<\/ul>\n\n\n\n

        How it fits into the Oracle Cloud ecosystem<\/h3>\n\n\n\n

        Network Load Balancer is part of Oracle Cloud\u2019s Networking, Edge, and Connectivity<\/strong> portfolio, complementing:\n– Oracle Cloud Load Balancer<\/strong> (application-capable load balancing and more advanced L7-style features)\n– VCN<\/strong> primitives (subnets, route tables, gateways, NSGs)\n– Compute<\/strong> (VMs\/bare metal backends)\n– Monitoring & Alarms<\/strong> (operational metrics)\n– Logging & Audit<\/strong> (governance; access logging availability depends on service capabilities\u2014verify in official docs<\/strong>)<\/p>\n\n\n\n

        3. Why use Network Load Balancer?<\/h2>\n\n\n\n

        Business reasons<\/h3>\n\n\n\n
          \n
        • Higher availability without custom engineering:<\/strong> you avoid building\/operating a redundant load balancer layer.<\/li>\n
        • Faster time to production:<\/strong> an NLB can be provisioned in minutes with consistent patterns across environments.<\/li>\n
        • Cost control via managed service:<\/strong> reduces operational overhead compared to self-managed HAProxy\/Nginx fleets.<\/li>\n<\/ul>\n\n\n\n

          Technical reasons<\/h3>\n\n\n\n
            \n
          • Layer 4 performance:<\/strong> ideal when you need minimal overhead and high throughput for TCP\/UDP.<\/li>\n
          • Protocol flexibility:<\/strong> works for non-HTTP protocols where a Layer 7 proxy is unnecessary or harmful.<\/li>\n
          • Health-based routing:<\/strong> keeps traffic away from failed or overloaded instances when health checks fail.<\/li>\n<\/ul>\n\n\n\n

            Operational reasons<\/h3>\n\n\n\n
              \n
            • Managed lifecycle:<\/strong> patching and scaling of the load balancer infrastructure is handled by Oracle Cloud.<\/li>\n
            • Automation:<\/strong> infrastructure-as-code support via OCI APIs, CLI, and Terraform makes it CI\/CD-friendly.<\/li>\n
            • Clear separation:<\/strong> NLB provides a stable front-end endpoint while backends scale up\/down behind it.<\/li>\n<\/ul>\n\n\n\n

              Security\/compliance reasons<\/h3>\n\n\n\n
                \n
              • Network segmentation:<\/strong> place backends in private subnets; expose only the NLB.<\/li>\n
              • Policy-based access control:<\/strong> compartment-level IAM policies can strictly control who can create\/modify NLBs.<\/li>\n
              • Reduced attack surface:<\/strong> backends do not need public IPs; only NLB subnet must be exposed (for public use cases).<\/li>\n<\/ul>\n\n\n\n

                Scalability\/performance reasons<\/h3>\n\n\n\n
                  \n
                • Horizontal scaling:<\/strong> add\/remove backends without changing the client endpoint.<\/li>\n
                • High availability:<\/strong> reduces single points of failure at the entry point.<\/li>\n<\/ul>\n\n\n\n

                  When teams should choose it<\/h3>\n\n\n\n

                  Choose Network Load Balancer when:\n– You need TCP or UDP<\/strong> load balancing.\n– You want low latency<\/strong> and minimal proxy overhead.\n– You don\u2019t need HTTP-aware features like host\/path routing.\n– You want to keep servers private and present a single stable IP endpoint.<\/p>\n\n\n\n

                  When they should not choose it<\/h3>\n\n\n\n

                  Avoid Network Load Balancer when:\n– You need Layer 7<\/strong> features (HTTP header routing, URL path routing, cookie-based session persistence, header manipulation).\n– You need integrated WAF<\/strong>-style HTTP protections at the load balancer layer (generally Layer 7).\n– You require application-level observability (detailed HTTP access logs, request tracing at the proxy) and NLB doesn\u2019t provide it for your needs (capabilities vary\u2014verify in official docs<\/strong>).<\/p>\n\n\n\n

                  4. Where is Network Load Balancer used?<\/h2>\n\n\n\n

                  Industries<\/h3>\n\n\n\n
                    \n
                  • SaaS and B2B platforms serving TCP-based APIs<\/li>\n
                  • Financial services (internal services, trading gateways, risk engines using TCP)<\/li>\n
                  • Telecom and media (streaming control planes, signaling, UDP-based services)<\/li>\n
                  • Gaming (real-time multiplayer backends over UDP\/TCP)<\/li>\n
                  • Manufacturing\/IoT (MQTT-like TCP traffic, custom telemetry protocols)<\/li>\n
                  • Education and research (HPC control services, internal registries)<\/li>\n<\/ul>\n\n\n\n

                    Team types<\/h3>\n\n\n\n
                      \n
                    • Platform engineering teams standardizing entry points<\/li>\n
                    • DevOps\/SRE teams improving reliability and scaling<\/li>\n
                    • Network\/security teams enforcing segmentation and exposure controls<\/li>\n
                    • Application teams exposing TCP services without rewriting<\/li>\n<\/ul>\n\n\n\n

                      Workloads<\/h3>\n\n\n\n
                        \n
                      • TCP APIs (including gRPC-over-TCP patterns where L7 routing isn\u2019t needed)<\/li>\n
                      • UDP services (DNS, telemetry ingestion, some real-time protocols)<\/li>\n
                      • Custom binary protocols<\/li>\n
                      • Internal east-west traffic load balancing (private NLB)<\/li>\n<\/ul>\n\n\n\n

                        Architectures<\/h3>\n\n\n\n
                          \n
                        • Multi-tier VCN architectures with public edge + private application tiers<\/li>\n
                        • Hub-and-spoke networks where shared services are fronted by internal NLBs<\/li>\n
                        • Hybrid connectivity where on-prem clients reach OCI backends via FastConnect\/VPN and a private NLB<\/li>\n<\/ul>\n\n\n\n

                          Production vs dev\/test usage<\/h3>\n\n\n\n
                            \n
                          • Production:<\/strong> stable endpoint, health checks, controlled exposure, and operational metrics are strong drivers.<\/li>\n
                          • Dev\/test:<\/strong> useful for validating scaling and failure behavior; but be cost-aware since load balancers can accrue hourly usage charges (pricing varies\u2014see the Pricing section).<\/li>\n<\/ul>\n\n\n\n

                            5. Top Use Cases and Scenarios<\/h2>\n\n\n\n

                            Below are realistic scenarios where Oracle Cloud Network Load Balancer is a strong fit.<\/p>\n\n\n\n

                            1) Internet-facing TCP API endpoint<\/h3>\n\n\n\n
                              \n
                            • Problem:<\/strong> You run multiple stateless API servers and need one stable IP\/port for clients.<\/li>\n
                            • Why NLB fits:<\/strong> Layer 4 TCP balancing is fast and doesn\u2019t require HTTP awareness.<\/li>\n
                            • Example:<\/strong> Mobile apps connect to api.example.com:443<\/code> which resolves to an NLB public IP forwarding to multiple API VMs.<\/li>\n<\/ul>\n\n\n\n

                              2) Internal service load balancing (private endpoint)<\/h3>\n\n\n\n
                                \n
                              • Problem:<\/strong> Many internal microservices need a stable endpoint for a TCP service in a private subnet.<\/li>\n
                              • Why NLB fits:<\/strong> Private NLB exposes a single internal IP and keeps traffic within the VCN.<\/li>\n
                              • Example:<\/strong> Internal \u201cauth\u201d service listens on TCP\/8443; private NLB forwards requests from app tier to auth backends.<\/li>\n<\/ul>\n\n\n\n

                                3) UDP-based DNS forwarding tier<\/h3>\n\n\n\n
                                  \n
                                • Problem:<\/strong> You need resilient DNS forwarding\/recursor endpoints with scaling and health checks.<\/li>\n
                                • Why NLB fits:<\/strong> Supports UDP load balancing for DNS traffic.<\/li>\n
                                • Example:<\/strong> Clients send UDP\/53 to an NLB which forwards to multiple DNS resolvers in private subnets.<\/li>\n<\/ul>\n\n\n\n

                                  4) Telemetry ingestion over TCP (custom protocol)<\/h3>\n\n\n\n
                                    \n
                                  • Problem:<\/strong> Devices send telemetry over a proprietary TCP protocol; you need scaling and failover.<\/li>\n
                                  • Why NLB fits:<\/strong> Works well for non-HTTP protocols without requiring L7 termination.<\/li>\n
                                  • Example:<\/strong> Thousands of sensors connect to TCP\/9000 on an NLB distributing connections across ingestion nodes.<\/li>\n<\/ul>\n\n\n\n

                                    5) Gaming backend (UDP sessions)<\/h3>\n\n\n\n
                                      \n
                                    • Problem:<\/strong> Real-time game servers need UDP load distribution and fast failover.<\/li>\n
                                    • Why NLB fits:<\/strong> UDP support and low latency at Layer 4.<\/li>\n
                                    • Example:<\/strong> Players connect to UDP\/27015 on an NLB; sessions distribute across game server fleet.<\/li>\n<\/ul>\n\n\n\n

                                      6) Database proxy tier (TCP)<\/h3>\n\n\n\n
                                        \n
                                      • Problem:<\/strong> You operate database proxies (or read-only replicas behind a proxy layer) and want a stable endpoint.<\/li>\n
                                      • Why NLB fits:<\/strong> TCP load balancing and health checks can keep traffic away from failed proxies.<\/li>\n
                                      • Example:<\/strong> Apps connect to NLB TCP\/6432 which forwards to pgBouncer instances.<\/li>\n<\/ul>\n\n\n\n

                                        7) Syslog \/ log forwarding collectors (UDP\/TCP)<\/h3>\n\n\n\n
                                          \n
                                        • Problem:<\/strong> Many systems send syslog to a central endpoint; collectors must scale.<\/li>\n
                                        • Why NLB fits:<\/strong> Supports UDP\/TCP; keeps collectors private.<\/li>\n
                                        • Example:<\/strong> Syslog over UDP\/514 hits NLB and distributes to collectors; collectors forward to a SIEM.<\/li>\n<\/ul>\n\n\n\n

                                          8) Blue\/green deployments for TCP services<\/h3>\n\n\n\n
                                            \n
                                          • Problem:<\/strong> You want to roll out a new version of a TCP service with minimal client disruption.<\/li>\n
                                          • Why NLB fits:<\/strong> Move traffic by adding\/removing backends or switching backend sets (capabilities vary by configuration).<\/li>\n
                                          • Example:<\/strong> Add new backend pool \u201cgreen,\u201d validate health, then gradually drain \u201cblue.\u201d<\/li>\n<\/ul>\n\n\n\n

                                            9) Hybrid access to OCI backends (FastConnect\/VPN)<\/h3>\n\n\n\n
                                              \n
                                            • Problem:<\/strong> On-prem clients need to reach OCI services through private connectivity.<\/li>\n
                                            • Why NLB fits:<\/strong> Private NLB provides a stable private endpoint for on-prem routing.<\/li>\n
                                            • Example:<\/strong> ERP on-prem connects over FastConnect to private NLB IP that fronts TCP application servers in OCI.<\/li>\n<\/ul>\n\n\n\n

                                              10) Inbound TLS passthrough to service mesh\/gateway<\/h3>\n\n\n\n
                                                \n
                                              • Problem:<\/strong> You terminate TLS inside your cluster or gateway and want the load balancer to just forward TCP.<\/li>\n
                                              • Why NLB fits:<\/strong> As Layer 4, it can forward TCP connections without HTTP termination.<\/li>\n
                                              • Example:<\/strong> NLB forwards TCP\/443 to an internal ingress gateway that handles TLS and routing.<\/li>\n<\/ul>\n\n\n\n

                                                6. Core Features<\/h2>\n\n\n\n

                                                The exact feature set can evolve by region and release. The items below reflect core, widely expected capabilities of Oracle Cloud Network Load Balancer; confirm any region-specific details in the official documentation.<\/p>\n\n\n\n

                                                1) Layer 4 load balancing for TCP and UDP<\/h3>\n\n\n\n
                                                  \n
                                                • What it does:<\/strong> Distributes transport connections\/flows to backends.<\/li>\n
                                                • Why it matters:<\/strong> Keeps latency low and supports non-HTTP protocols.<\/li>\n
                                                • Practical benefit:<\/strong> Works for DNS (UDP), telemetry protocols, database proxies, and generic TCP services.<\/li>\n
                                                • Caveats:<\/strong> No HTTP header\/path routing; not a WAF; not an application gateway.<\/li>\n<\/ul>\n\n\n\n

                                                  2) Public and private load balancer options<\/h3>\n\n\n\n
                                                    \n
                                                  • What it does:<\/strong> Allows internet-facing (public) or internal-only (private) endpoints.<\/li>\n
                                                  • Why it matters:<\/strong> Supports both edge and east-west use cases.<\/li>\n
                                                  • Practical benefit:<\/strong> Keep backends private while exposing only the NLB.<\/li>\n
                                                  • Caveats:<\/strong> Public endpoints must be protected by security rules; private endpoints require correct routing from clients (VCN peering\/FastConnect\/VPN).<\/li>\n<\/ul>\n\n\n\n

                                                    3) Backend sets and health checks<\/h3>\n\n\n\n
                                                      \n
                                                    • What it does:<\/strong> Groups backends and probes them for availability.<\/li>\n
                                                    • Why it matters:<\/strong> Automated failover; prevents blackholing traffic to dead instances.<\/li>\n
                                                    • Practical benefit:<\/strong> You can patch or replace instances and rely on health checks to gate traffic.<\/li>\n
                                                    • Caveats:<\/strong> Health check types\/behavior (TCP vs higher-layer checks) depend on service implementation\u2014use TCP checks if you want the most universally supported approach.<\/li>\n<\/ul>\n\n\n\n

                                                      4) Listener configuration per protocol\/port<\/h3>\n\n\n\n
                                                        \n
                                                      • What it does:<\/strong> Exposes one or more front-end ports (e.g., TCP\/80, TCP\/443, UDP\/53).<\/li>\n
                                                      • Why it matters:<\/strong> One NLB can represent multiple service entry points if supported.<\/li>\n
                                                      • Practical benefit:<\/strong> Reduce resource sprawl and simplify endpoint management.<\/li>\n
                                                      • Caveats:<\/strong> Listener count and port range limits are subject to OCI quotas\/limits.<\/li>\n<\/ul>\n\n\n\n

                                                        5) High availability (managed service)<\/h3>\n\n\n\n
                                                          \n
                                                        • What it does:<\/strong> Oracle Cloud runs redundant infrastructure so a single LB node failure doesn\u2019t take you down.<\/li>\n
                                                        • Why it matters:<\/strong> Load balancer HA is non-trivial to build correctly and consistently.<\/li>\n
                                                        • Practical benefit:<\/strong> You focus on backends and app logic rather than LB redundancy.<\/li>\n
                                                        • Caveats:<\/strong> Your architecture must still be HA: place backends across failure domains\/availability domains when possible.<\/li>\n<\/ul>\n\n\n\n

                                                          6) Works with IP-based backends in VCN networking<\/h3>\n\n\n\n
                                                            \n
                                                          • What it does:<\/strong> Targets are typically addressed by private IP and port.<\/li>\n
                                                          • Why it matters:<\/strong> Decouples backends from specific compute constructs; works across VMs and appliances.<\/li>\n
                                                          • Practical benefit:<\/strong> You can load balance to custom appliances, containers on VMs, or on-prem reachable IPs (subject to routing and security).<\/li>\n
                                                          • Caveats:<\/strong> Ensure routing and security rules permit the NLB to reach backend IPs.<\/li>\n<\/ul>\n\n\n\n

                                                            7) Native integration with security lists and Network Security Groups (NSGs)<\/h3>\n\n\n\n
                                                              \n
                                                            • What it does:<\/strong> Uses VCN subnet security and NSGs to control inbound\/outbound traffic.<\/li>\n
                                                            • Why it matters:<\/strong> Consistent security posture with the rest of Oracle Cloud networking.<\/li>\n
                                                            • Practical benefit:<\/strong> Least-privilege rules: only allow required ports from NLB subnet to backends.<\/li>\n
                                                            • Caveats:<\/strong> Misconfigured NSG\/security lists are the #1 cause of \u201cunhealthy backend\u201d issues.<\/li>\n<\/ul>\n\n\n\n

                                                              8) Observability via metrics (Monitoring service)<\/h3>\n\n\n\n
                                                                \n
                                                              • What it does:<\/strong> Publishes LB metrics for traffic, backend health, and performance indicators (exact metric names vary).<\/li>\n
                                                              • Why it matters:<\/strong> Enables SRE practices: alerts, SLO tracking, and capacity planning.<\/li>\n
                                                              • Practical benefit:<\/strong> Alarm when healthy backend count drops or traffic spikes.<\/li>\n
                                                              • Caveats:<\/strong> Access logging\/flow logging availability varies by service\u2014use VCN Flow Logs where appropriate and verify<\/strong> NLB-specific logs in docs.<\/li>\n<\/ul>\n\n\n\n

                                                                9) Automation via Console, API, CLI, and Terraform<\/h3>\n\n\n\n
                                                                  \n
                                                                • What it does:<\/strong> Fully manageable as code.<\/li>\n
                                                                • Why it matters:<\/strong> Repeatable environments, safe changes, and auditability.<\/li>\n
                                                                • Practical benefit:<\/strong> Use Terraform to create NLBs per environment with consistent naming and tagging.<\/li>\n
                                                                • Caveats:<\/strong> Apply change control; load balancers are critical shared infrastructure.<\/li>\n<\/ul>\n\n\n\n

                                                                  10) Compartment-based governance and tagging<\/h3>\n\n\n\n
                                                                    \n
                                                                  • What it does:<\/strong> Uses OCI compartments and tags for governance, billing, and access control.<\/li>\n
                                                                  • Why it matters:<\/strong> Network services can sprawl quickly without governance.<\/li>\n
                                                                  • Practical benefit:<\/strong> Allocate costs by project\/team; enforce policies per compartment.<\/li>\n
                                                                  • Caveats:<\/strong> Tagging is only effective if enforced via policy and used consistently.<\/li>\n<\/ul>\n\n\n\n

                                                                    7. Architecture and How It Works<\/h2>\n\n\n\n

                                                                    High-level architecture<\/h3>\n\n\n\n

                                                                    A Network Load Balancer sits inside a VCN subnet and exposes one or more front-end addresses. Clients connect to the listener. The NLB selects a healthy backend from a backend set and forwards the connection (TCP) or flow (UDP).<\/p>\n\n\n\n

                                                                    Request\/data\/control flow<\/h3>\n\n\n\n
                                                                      \n
                                                                    • Control plane (management):<\/strong><\/li>\n
                                                                    • You create\/update the NLB using Console\/API\/CLI\/Terraform.<\/li>\n
                                                                    • IAM policies control who can manage the resource.<\/li>\n
                                                                    • Audit logs record API calls (via OCI Audit).<\/li>\n
                                                                    • Data plane (traffic):<\/strong><\/li>\n
                                                                    • Client connects to NLB frontend IP:port.<\/li>\n
                                                                    • NLB forwards to a healthy backend IP:port.<\/li>\n
                                                                    • Health checks continually evaluate backend health; unhealthy backends are removed from rotation.<\/li>\n<\/ul>\n\n\n\n

                                                                      Integrations with related services<\/h3>\n\n\n\n
                                                                        \n
                                                                      • VCN & Subnets:<\/strong> NLB is attached to a subnet (public or private). Route tables and gateways determine reachability.<\/li>\n
                                                                      • NSGs\/Security Lists:<\/strong> Enforce inbound access to the NLB and backend access from the NLB to targets.<\/li>\n
                                                                      • Compute (VM\/BM):<\/strong> Common backend targets.<\/li>\n
                                                                      • Monitoring & Alarms:<\/strong> Metrics-based alerting for backend health and traffic.<\/li>\n
                                                                      • Logging\/Audit:<\/strong> Audit records management operations; traffic logging depends on features\u2014verify in official docs<\/strong>.<\/li>\n
                                                                      • Terraform\/Resource Manager:<\/strong> Infrastructure as code provisioning and changes.<\/li>\n<\/ul>\n\n\n\n

                                                                        Dependency services<\/h3>\n\n\n\n

                                                                        At minimum, you need:\n– A VCN<\/strong>\n– A subnet<\/strong> (often regional)\n– Backend targets<\/strong> reachable from that subnet via VCN routing\n– Correct security rules<\/strong> (NLB ingress and backend ingress)<\/p>\n\n\n\n

                                                                        Security\/authentication model<\/h3>\n\n\n\n
                                                                          \n
                                                                        • IAM:<\/strong> Policies grant permissions to create and manage network load balancers and to use networking resources (subnets, NSGs).<\/li>\n
                                                                        • Network security:<\/strong> Implemented through security lists\/NSGs and route tables.<\/li>\n<\/ul>\n\n\n\n

                                                                          Networking model (practical view)<\/h3>\n\n\n\n
                                                                            \n
                                                                          • For a public NLB<\/strong>, inbound client traffic comes from the internet to the NLB\u2019s public endpoint; backend traffic stays within the VCN to private IPs.<\/li>\n
                                                                          • For a private NLB<\/strong>, both clients and backends are internal; clients reach the NLB via VCN routing (local, peering, DRG, FastConnect, or VPN).<\/li>\n<\/ul>\n\n\n\n

                                                                            Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n
                                                                              \n
                                                                            • Track:<\/li>\n
                                                                            • Healthy backend count<\/li>\n
                                                                            • Connection\/packet\/byte rates (exact metrics vary)<\/li>\n
                                                                            • Error conditions (health check failures, backend resets)<\/li>\n
                                                                            • Use:<\/li>\n
                                                                            • OCI Monitoring alarms<\/strong> for thresholds and anomaly indicators<\/li>\n
                                                                            • OCI Audit<\/strong> to detect and investigate configuration changes<\/li>\n
                                                                            • VCN Flow Logs<\/strong> (where enabled) to debug traffic patterns at subnet\/VNIC level (useful when access logs aren\u2019t available)<\/li>\n<\/ul>\n\n\n\n

                                                                              Simple architecture diagram (Mermaid)<\/h3>\n\n\n\n
                                                                              flowchart LR\n  C[Client] -->|TCP\/80 or UDP\/53| NLB[Oracle Cloud\\nNetwork Load Balancer]\n  NLB --> B1[Backend 1\\n10.0.1.10:80]\n  NLB --> B2[Backend 2\\n10.0.1.11:80]\n  HC[Health Checks] -.-> B1\n  HC -.-> B2\n<\/code><\/pre>\n\n\n\n
                                                                              Production-style architecture diagram (Mermaid)<\/h3>\n\n\n\n
                                                                              flowchart TB\n  Internet((Internet)) --> Edge[Oracle Cloud Edge\\n(DDoS protections at edge)]\n  Edge --> PubNLB[Public Network Load Balancer\\nSubnet: Public]\n\n  subgraph VCN[VCN 10.0.0.0\/16]\n    direction TB\n\n    subgraph PublicSubnet[Public Subnet]\n      PubNLB\n    end\n\n    subgraph PrivateAppSubnets[Private App Subnets (regional)]\n      App1[App VM 1\\nNSG: app-nsg]\n      App2[App VM 2\\nNSG: app-nsg]\n      AutoScale[Instance Pool \/ Autoscaling\\n(optional)]\n    end\n\n    subgraph DataSubnet[Private Data Subnet]\n      DB[(Database \/ Service)]\n    end\n\n    PubNLB -->|Forward TCP| App1\n    PubNLB -->|Forward TCP| App2\n    App1 --> DB\n    App2 --> DB\n  end\n\n  Ops[Monitoring + Alarms] --- PubNLB\n  Audit[OCI Audit] --- PubNLB\n  Bastion[OCI Bastion\\n(Admin SSH)] --> App1\n  Bastion --> App2\n<\/code><\/pre>\n\n\n\n
                                                                              8. Prerequisites<\/h2>\n\n\n\n
                                                                              Before you start, confirm the following.<\/p>\n\n\n\n
                                                                              Tenancy and compartment requirements<\/h3>\n\n\n\n
                                                                                \n
                                                                              • An active Oracle Cloud<\/strong> tenancy.<\/li>\n
                                                                              • Access to a compartment<\/strong> where you can create networking and compute resources.<\/li>\n<\/ul>\n\n\n\n
                                                                                Permissions \/ IAM policies<\/h3>\n\n\n\n
                                                                                You typically need permissions to:\n– Create\/manage Network Load Balancer<\/strong>\n– Use\/manage VCNs, subnets, NSGs\/security lists<\/strong>\n– Read instances and private IPs (if needed for backend discovery)<\/p>\n\n\n\n
                                                                                OCI IAM policy syntax and exact resource-type names can vary by service family. Use the official IAM policy reference and Network Load Balancer documentation to confirm the correct policy statements for your environment:\n– https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Identity\/home.htm\n– https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/NetworkLoadBalancer\/home.htm<\/p>\n\n\n\n
                                                                                Billing requirements<\/h3>\n\n\n\n
                                                                                  \n
                                                                                • Network Load Balancer is generally a paid service<\/strong> (usage-based). Oracle Cloud Free Tier\/Always Free eligibility varies by resource type and region\u2014verify in official docs and pricing<\/strong>.<\/li>\n<\/ul>\n\n\n\n
                                                                                  Tools (recommended)<\/h3>\n\n\n\n
                                                                                    \n
                                                                                  • Oracle Cloud Console (web UI)<\/li>\n
                                                                                  • OCI CLI (optional but useful): https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/API\/SDKDocs\/cliinstall.htm<\/li>\n
                                                                                  • SSH client to connect to compute instances<\/li>\n
                                                                                  • Optional: Terraform OCI provider for IaC: https:\/\/registry.terraform.io\/providers\/oracle\/oci\/latest\/docs<\/li>\n<\/ul>\n\n\n\n
                                                                                    Region availability<\/h3>\n\n\n\n
                                                                                      \n
                                                                                    • Network Load Balancer is not necessarily available in all regions or may have region-specific constraints. Verify region availability<\/strong> in the official documentation.<\/li>\n<\/ul>\n\n\n\n
                                                                                      Quotas\/limits<\/h3>\n\n\n\n
                                                                                      Plan for limits such as:\n– Maximum number of load balancers per compartment\n– Maximum listeners\/backend sets\/backends\n– Bandwidth\/throughput shaping constraints (service-defined)<\/p>\n\n\n\n
                                                                                      Check current limits here:\n– https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/General\/Concepts\/servicelimits.htm<\/p>\n\n\n\n
                                                                                      Prerequisite services<\/h3>\n\n\n\n
                                                                                      For the hands-on lab you will need:\n– VCN with at least:\n  – One public subnet<\/strong> (for a public NLB)\n  – One private subnet<\/strong> (for backend instances)\n– Two compute instances (VMs) in the private subnet (or public if you simplify, though private is recommended)<\/p>\n\n\n\n
                                                                                      9. Pricing \/ Cost<\/h2>\n\n\n\n
                                                                                      Oracle Cloud Network Load Balancer pricing is usage-based<\/strong>. Exact prices vary by region and can change, so do not rely on static numbers in a tutorial.<\/p>\n\n\n\n
                                                                                      Pricing dimensions (typical model)<\/h3>\n\n\n\n
                                                                                      From Oracle Cloud pricing patterns for networking services, Network Load Balancer costs commonly depend on some combination of:\n– Load balancer hours<\/strong> (how long the NLB exists\/provisions)\n– Bandwidth\/throughput capacity<\/strong> or data processed<\/strong> (GB in\/out through the NLB)\n– Possibly additional features<\/strong> (if applicable in your region)<\/p>\n\n\n\n
                                                                                      For authoritative pricing, use:\n– Official Oracle Cloud price list (Networking section): https:\/\/www.oracle.com\/cloud\/price-list\/\n– OCI cost estimator: https:\/\/www.oracle.com\/cloud\/costestimator.html\n– Network Load Balancer documentation: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/NetworkLoadBalancer\/home.htm<\/p>\n\n\n\n
                                                                                      Free tier<\/h3>\n\n\n\n
                                                                                      Oracle Cloud Free Tier includes some Always Free resources, but load balancer free usage is not guaranteed<\/strong> and varies by service and region. Verify<\/strong> current Free Tier coverage:\n– https:\/\/www.oracle.com\/cloud\/free\/<\/p>\n\n\n\n
                                                                                      Main cost drivers<\/h3>\n\n\n\n
                                                                                        \n
                                                                                      • Number of NLBs<\/strong> and how long they run (dev\/test environments often forget to delete them).<\/li>\n
                                                                                      • Traffic volume<\/strong> (GB processed) in production.<\/li>\n
                                                                                      • Cross-zone\/region\/hybrid network patterns<\/strong> (if traffic traverses gateways or DRG, additional networking charges may apply).<\/li>\n
                                                                                      • Backend compute<\/strong> costs (VMs\/bare metal), which usually exceed LB cost for heavy workloads.<\/li>\n<\/ul>\n\n\n\n
                                                                                        Hidden or indirect costs to watch<\/h3>\n\n\n\n
                                                                                          \n
                                                                                        • Data egress to the internet<\/strong>: Public internet egress is commonly billed separately.<\/li>\n
                                                                                        • Inter-region traffic<\/strong>: If you front multi-region architectures, inter-region data transfer can become a major cost.<\/li>\n
                                                                                        • Logging\/monitoring ingestion<\/strong>: If you enable VCN flow logs or other logs at high volume, Logging ingestion\/storage can add costs.<\/li>\n
                                                                                        • NAT Gateway \/ Bastion<\/strong>: If used for patching or admin access, they may have their own costs.<\/li>\n<\/ul>\n\n\n\n
                                                                                          Cost optimization tips<\/h3>\n\n\n\n
                                                                                            \n
                                                                                          • Use private NLBs<\/strong> for internal traffic when possible (can reduce exposure and may reduce egress-related costs depending on architecture).<\/li>\n
                                                                                          • Right-size environments:<\/li>\n
                                                                                          • For dev\/test, keep NLB lifetime short and automate cleanup.<\/li>\n
                                                                                          • Prefer regional subnets<\/strong> and keep traffic inside the region\/VCN when possible.<\/li>\n
                                                                                          • Set Monitoring alarms<\/strong> on unusual traffic spikes and on \u201cresource exists\u201d checks (tag-based governance helps).<\/li>\n<\/ul>\n\n\n\n
                                                                                            Example low-cost starter estimate (no fabricated numbers)<\/h3>\n\n\n\n
                                                                                            A low-cost lab environment typically includes:\n– 1 Network Load Balancer running for a few hours\n– 2 small compute instances\n– Minimal traffic (curl tests)<\/p>\n\n\n\n
                                                                                            To estimate:\n1. In the cost estimator, add Network Load Balancer<\/strong> for your region and specify the smallest practical usage duration.\n2. Add Compute<\/strong> for the instances and any boot volume\/storage.\n3. Add any internet egress<\/strong> if you expect significant external traffic.<\/p>\n\n\n\n
                                                                                            Example production cost considerations<\/h3>\n\n\n\n
                                                                                            In production, estimate and track:\n– Expected sustained throughput and peak traffic windows\n– Number of environments (prod, staging, DR)\n– Multi-region strategy (active-active doubles LB footprint)\n– Logging and monitoring ingestion volume\n– Egress patterns (internet vs private circuits)<\/p>\n\n\n\n
                                                                                            10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n
                                                                                            This lab deploys a public Network Load Balancer<\/strong> that distributes TCP\/80<\/strong> traffic to two private backend VMs running NGINX. You\u2019ll verify traffic distribution and backend health, then clean up.<\/p>\n\n\n\n
                                                                                            Objective<\/h3>\n\n\n\n
                                                                                            Create an Oracle Cloud Network Load Balancer<\/strong> with:\n– One TCP listener<\/strong> on port 80\n– One backend set with two backend servers<\/strong>\n– Health checks so only healthy backends receive traffic\n– A public endpoint for testing with curl<\/code><\/p>\n\n\n\n
                                                                                            Lab Overview<\/h3>\n\n\n\n
                                                                                            You will:\n1. Create networking (VCN + subnets + NSGs\/security rules).\n2. Launch two backend compute instances and install NGINX.\n3. Create a Network Load Balancer, listener, backend set, and backends.\n4. Validate load balancing behavior.\n5. Troubleshoot common issues.\n6. Clean up all resources to stop billing.<\/p>\n\n\n\n
                                                                                            \n
                                                                                            Cost note: This lab may incur charges for the load balancer, compute, and data transfer. Use a short duration and delete resources afterward.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                            \n\n\n\n
                                                                                            Step 1: Create a compartment and choose a region<\/h3>\n\n\n\n
                                                                                              \n
                                                                                            1. In the Oracle Cloud Console, confirm the region<\/strong> you will use.<\/li>\n
                                                                                            2. Create or select a compartment<\/strong> for the lab (recommended).<\/li>\n<\/ol>\n\n\n\n
                                                                                              Expected outcome:<\/strong> You have a dedicated compartment and region selected for all lab resources.<\/p>\n\n\n\n
                                                                                              \n\n\n\n
                                                                                              Step 2: Create a VCN with public and private subnets<\/h3>\n\n\n\n
                                                                                              You can use the VCN wizard or create manually. The key is to have:\n– A public subnet<\/strong> for the public NLB\n– A private subnet<\/strong> for backend instances<\/p>\n\n\n\n
                                                                                              Console path:<\/strong> Networking \u2192 Virtual Cloud Networks \u2192 Create VCN<\/p>\n\n\n\n
                                                                                              Recommended (example) CIDRs:\n– VCN: 10.0.0.0\/16<\/code>\n– Public subnet: 10.0.0.0\/24<\/code>\n– Private subnet: 10.0.1.0\/24<\/code><\/p>\n\n\n\n
                                                                                              Ensure:\n– Public subnet has a route to an Internet Gateway<\/strong>\n– Private subnet has no direct route to the Internet Gateway (optional NAT gateway if you need outbound patching)<\/p>\n\n\n\n
                                                                                              Expected outcome:<\/strong> VCN created with one public subnet and one private subnet.<\/p>\n\n\n\n
                                                                                              \n\n\n\n
                                                                                              Step 3: Create Network Security Groups (recommended)<\/h3>\n\n\n\n
                                                                                              Use NSGs for clearer, least-privilege rules.<\/p>\n\n\n\n
                                                                                              Create two NSGs:\n1. nlb-public-nsg<\/code> (attached to the NLB, if supported by the NLB configuration in your region)\n2. app-backend-nsg<\/code> (attached to backend VMs)<\/p>\n\n\n\n
                                                                                              Rules to add:<\/strong><\/p>\n\n\n\n
                                                                                              A) NLB ingress rule<\/strong> (allow clients to reach the NLB)\n– Ingress to nlb-public-nsg<\/code>:\n  – Source: 0.0.0.0\/0<\/code>\n  – Protocol: TCP\n  – Destination port: 80<\/p>\n\n\n\n
                                                                                              B) Backend ingress rule<\/strong> (allow NLB to reach backends on 80)\n– Ingress to app-backend-nsg<\/code>:\n  – Source: the public subnet CIDR<\/strong> (example 10.0.0.0\/24<\/code>) or the NLB subnet CIDR\n  – Protocol: TCP\n  – Destination port: 80<\/p>\n\n\n\n
                                                                                              \n
                                                                                              If NSG attachment to NLB is not available in your region\/tenant, apply equivalent rules using security lists<\/strong> on the subnets. Always follow current OCI documentation for the NLB networking model.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                              Expected outcome:<\/strong> Security rules exist for inbound TCP\/80 to the NLB and from the NLB subnet to backend servers.<\/p>\n\n\n\n
                                                                                              \n\n\n\n
                                                                                              Step 4: Launch two backend compute instances in the private subnet<\/h3>\n\n\n\n
                                                                                              Launch two VMs (Oracle Linux is a common choice).<\/p>\n\n\n\n
                                                                                              Console path:<\/strong> Compute \u2192 Instances \u2192 Create instance<\/p>\n\n\n\n
                                                                                              For each instance:\n– Subnet: Private subnet<\/strong>\n– Assign public IP: No<\/strong> (keep private)\n– NSG: attach app-backend-nsg<\/code>\n– Add an SSH key you control<\/p>\n\n\n\n
                                                                                              Install NGINX and set unique index pages<\/h4>\n\n\n\n
                                                                                              Connect through a bastion, private access method, or temporarily assign a public IP for lab purposes (least secure). A safer approach is OCI Bastion:\n– https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Bastion\/home.htm<\/p>\n\n\n\n
                                                                                              Once connected via SSH, run:<\/p>\n\n\n\n
                                                                                              sudo dnf -y install nginx\nsudo systemctl enable --now nginx\n\necho \"Hello from $(hostname) - $(hostname -I)\" | sudo tee \/usr\/share\/nginx\/html\/index.html\nsudo firewall-cmd --permanent --add-service=http || true\nsudo firewall-cmd --reload || true\n<\/code><\/pre>\n\n\n\n
                                                                                              Repeat on both instances.<\/p>\n\n\n\n
                                                                                              Expected outcome:<\/strong>\n– Both VMs run NGINX and respond on TCP\/80.\n– Each serves a slightly different page so you can see load distribution.<\/p>\n\n\n\n
                                                                                              \n\n\n\n
                                                                                              Step 5: Create the Network Load Balancer (public)<\/h3>\n\n\n\n
                                                                                              Console path:<\/strong> Networking \u2192 Network Load Balancers \u2192 Create Network Load Balancer<\/p>\n\n\n\n
                                                                                              Configure:\n– Type: Public<\/strong>\n– Subnet: Public subnet<\/strong>\n– (Optional) NSG: attach nlb-public-nsg<\/code> if the UI supports it for NLB in your region<\/p>\n\n\n\n
                                                                                              When the NLB is created, note:\n– The public IP address<\/strong> (or public endpoint information)<\/p>\n\n\n\n
                                                                                              Expected outcome:<\/strong> NLB exists with a public endpoint.<\/p>\n\n\n\n
                                                                                              \n\n\n\n
                                                                                              Step 6: Create a backend set and add backends<\/h3>\n\n\n\n
                                                                                              In the NLB configuration:\n1. Create a backend set<\/strong> (name example: web-bes<\/code>)\n2. Add backends<\/strong> using the private IPs of the two VMs:\n   – Backend 1: 10.0.1.10:80<\/code> (example)\n   – Backend 2: 10.0.1.11:80<\/code> (example)<\/p>\n\n\n\n
                                                                                              Configure a health check<\/strong>:\n– Use a simple TCP<\/strong> health check to port 80 (most universally supported for Layer 4).\n– Interval\/timeout\/retries: use defaults unless you have a reason to tune.<\/p>\n\n\n\n
                                                                                              Expected outcome:<\/strong>\n– Backends appear in the backend set.\n– After a short time, backend health should become Healthy<\/strong>.<\/p>\n\n\n\n
                                                                                              \n\n\n\n
                                                                                              Step 7: Create a TCP listener on port 80<\/h3>\n\n\n\n
                                                                                              Create a listener:\n– Protocol: TCP<\/strong>\n– Port: 80<\/strong>\n– Default backend set: web-bes<\/code><\/p>\n\n\n\n
                                                                                              Expected outcome:<\/strong> Listener becomes active; NLB starts accepting connections on port 80.<\/p>\n\n\n\n
                                                                                              \n\n\n\n
                                                                                              Step 8: Validate from your local machine<\/h3>\n\n\n\n
                                                                                              From your laptop\/terminal:<\/p>\n\n\n\n
                                                                                              NLB_IP=\"<your_nlb_public_ip>\"\ncurl -s \"http:\/\/$NLB_IP\/\"\ncurl -s \"http:\/\/$NLB_IP\/\"\ncurl -s \"http:\/\/$NLB_IP\/\"\n<\/code><\/pre>\n\n\n\n
                                                                                              You should see alternating responses such as:<\/p>\n\n\n\n
                                                                                                \n
                                                                                              • Hello from web-1 - 10.0.1.10 ...<\/code><\/li>\n
                                                                                              • Hello from web-2 - 10.0.1.11 ...<\/code><\/li>\n<\/ul>\n\n\n\n
                                                                                                Expected outcome:<\/strong> Requests succeed and rotate across both backends over multiple attempts.<\/p>\n\n\n\n
                                                                                                \n\n\n\n
                                                                                                Validation<\/h3>\n\n\n\n
                                                                                                Use this checklist:\n– NLB shows the listener as Active<\/strong>\n– Backend set shows 2 healthy backends<\/strong>\n– curl http:\/\/<NLB_IP>\/<\/code> returns content\n– If one backend is stopped, traffic still succeeds (after health check detects failure)<\/p>\n\n\n\n
                                                                                                To test failover:\n1. Stop NGINX on one backend:\n   bash\n   sudo systemctl stop nginx<\/code>\n2. Wait for the health check interval to mark it unhealthy.\n3. Run curl<\/code> several times again.<\/p>\n\n\n\n
                                                                                                Expected outcome:<\/strong> Only the healthy backend responds.<\/p>\n\n\n\n
                                                                                                \n\n\n\n
                                                                                                Troubleshooting<\/h3>\n\n\n\n
                                                                                                Common issues and fixes:<\/p>\n\n\n\n
                                                                                                  \n
                                                                                                1. \n
                                                                                                  Backends show \u201cUnhealthy\u201d<\/strong>\n   – Check backend VM is listening on port 80:\n     bash\n     sudo ss -lntp | grep ':80'<\/code>\n   – Check OS firewall allows TCP\/80 (Oracle Linux firewall-cmd steps above).\n   – Check app-backend-nsg<\/code> ingress allows TCP\/80 from the NLB subnet CIDR<\/strong>.\n   – Verify route tables allow traffic within the VCN (usually automatic for intra-VCN).<\/p>\n<\/li>\n
                                                                                                2. \n
                                                                                                  NLB public IP doesn\u2019t respond<\/strong>\n   – Confirm the NLB is in a public subnet<\/strong> with a route to an Internet Gateway.\n   – Confirm NLB ingress security rule allows TCP\/80 from 0.0.0.0\/0<\/code>.\n   – Check any local corporate firewall restrictions.<\/p>\n<\/li>\n
                                                                                                3. \n
                                                                                                  Only one backend ever responds<\/strong>\n   – Confirm both backends are healthy.\n   – Ensure both are in the backend set and port is correct.\n   – Some load distribution behaviors can be connection\/flow-based; try closing connections between tests (curl does this by default) and repeat.<\/p>\n<\/li>\n
                                                                                                4. \n
                                                                                                  SSH access to private instances<\/strong>\n   – Use OCI Bastion or a jump host.\n   – Avoid assigning public IPs to private tier in real deployments.<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                  \n\n\n\n
                                                                                                  Cleanup<\/h3>\n\n\n\n
                                                                                                  To stop ongoing charges, delete resources in this order:<\/p>\n\n\n\n
                                                                                                    \n
                                                                                                  1. Delete the Network Load Balancer<\/strong> (and any reserved public IPs if separately billed\/managed).<\/li>\n
                                                                                                  2. Terminate the two compute instances<\/strong>.<\/li>\n
                                                                                                  3. Delete NSGs<\/strong> (optional if deleting the VCN).<\/li>\n
                                                                                                  4. Delete the VCN<\/strong> (this will remove subnets, route tables, gateways\u2014confirm dependencies first).<\/li>\n<\/ol>\n\n\n\n
                                                                                                    Expected outcome:<\/strong> All lab resources are removed, and billing stops for those resources.<\/p>\n\n\n\n
                                                                                                    11. Best Practices<\/h2>\n\n\n\n
                                                                                                    Architecture best practices<\/h3>\n\n\n\n
                                                                                                      \n
                                                                                                    • Use Network Load Balancer<\/strong> for TCP\/UDP and Oracle Cloud Load Balancer<\/strong> when you need HTTP-aware features.<\/li>\n
                                                                                                    • Keep backends in private subnets<\/strong>; expose only the load balancer.<\/li>\n
                                                                                                    • Distribute backend instances across fault domains\/availability domains<\/strong> where applicable.<\/li>\n
                                                                                                    • Design for failure:<\/li>\n
                                                                                                    • Health checks should reflect real service readiness<\/li>\n
                                                                                                    • Automate backend replacement (instance pools, autoscaling, or CI-driven rebuild)<\/li>\n<\/ul>\n\n\n\n
                                                                                                      IAM\/security best practices<\/h3>\n\n\n\n
                                                                                                        \n
                                                                                                      • Use least privilege:<\/li>\n
                                                                                                      • Separate roles for network admins vs app operators.<\/li>\n
                                                                                                      • Use compartments to isolate environments:<\/li>\n
                                                                                                      • network-prod<\/code>, app-prod<\/code>, network-nonprod<\/code>, etc.<\/li>\n
                                                                                                      • Require tags (if your governance model supports tag defaults and tag enforcement).<\/li>\n<\/ul>\n\n\n\n
                                                                                                        Cost best practices<\/h3>\n\n\n\n
                                                                                                          \n
                                                                                                        • Delete unused load balancers in dev\/test.<\/li>\n
                                                                                                        • Monitor traffic volume and egress patterns; optimize data flows (keep traffic within region\/VCN when possible).<\/li>\n
                                                                                                        • Use alarms to detect abnormal traffic spikes early.<\/li>\n<\/ul>\n\n\n\n
                                                                                                          Performance best practices<\/h3>\n\n\n\n
                                                                                                            \n
                                                                                                          • Prefer L4 load balancing for simple TCP\/UDP services where you don\u2019t need proxy behavior.<\/li>\n
                                                                                                          • Ensure backend instances have sufficient NIC throughput and OS tuning for expected concurrency.<\/li>\n
                                                                                                          • Validate health check intervals:<\/li>\n
                                                                                                          • Too frequent can add noise\/overhead<\/li>\n
                                                                                                          • Too slow delays failover<\/li>\n<\/ul>\n\n\n\n
                                                                                                            Reliability best practices<\/h3>\n\n\n\n
                                                                                                              \n
                                                                                                            • Use at least two backends<\/strong> for HA.<\/li>\n
                                                                                                            • Keep immutable infrastructure patterns (replace instances rather than patching in place, where feasible).<\/li>\n
                                                                                                            • Consider multi-region DR if the service is business critical (front with DNS failover \/ traffic management).<\/li>\n<\/ul>\n\n\n\n
                                                                                                              Operations best practices<\/h3>\n\n\n\n
                                                                                                                \n
                                                                                                              • Create dashboards and alarms:<\/li>\n
                                                                                                              • Healthy backends count<\/li>\n
                                                                                                              • Connection\/throughput anomalies<\/li>\n
                                                                                                              • Use change control for NLB listener\/backend changes.<\/li>\n
                                                                                                              • Record configuration in IaC (Terraform) to prevent drift.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                Governance\/tagging\/naming best practices<\/h3>\n\n\n\n
                                                                                                                  \n
                                                                                                                • Naming convention example:<\/li>\n
                                                                                                                • nlb-<env>-<app>-<region>-public<\/code><\/li>\n
                                                                                                                • bes-<env>-<app>-tcp80<\/code><\/li>\n
                                                                                                                • Tags:<\/li>\n
                                                                                                                • CostCenter<\/code>, Owner<\/code>, Environment<\/code>, DataClassification<\/code><\/li>\n<\/ul>\n\n\n\n
                                                                                                                  12. Security Considerations<\/h2>\n\n\n\n
                                                                                                                  Identity and access model<\/h3>\n\n\n\n
                                                                                                                    \n
                                                                                                                  • OCI IAM controls who can:<\/li>\n
                                                                                                                  • Create\/delete NLBs<\/li>\n
                                                                                                                  • Modify listeners\/backend sets\/backends<\/li>\n
                                                                                                                  • Attach NLBs to subnets\/NSGs<\/li>\n
                                                                                                                  • Scope access by compartment<\/strong> and use separate compartments for prod vs non-prod.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                    Encryption<\/h3>\n\n\n\n
                                                                                                                      \n
                                                                                                                    • Network Load Balancer is Layer 4; encryption strategy depends on your design:<\/li>\n
                                                                                                                    • If your protocol is TLS, terminate TLS at the backend (TLS passthrough) or use a Layer 7\/termination-capable service when required.<\/li>\n
                                                                                                                    • For any TLS termination features on NLB (if available in your region), verify in official docs<\/strong> and manage certificates properly.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                      Network exposure<\/h3>\n\n\n\n
                                                                                                                        \n
                                                                                                                      • Public NLB:<\/li>\n
                                                                                                                      • Restrict inbound ports to the minimum required (e.g., TCP\/443 only).<\/li>\n
                                                                                                                      • Consider IP allowlists where possible.<\/li>\n
                                                                                                                      • Private NLB:<\/li>\n
                                                                                                                      • Limit who can reach it via NSGs and routing (DRG route tables, security rules).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                        Secrets handling<\/h3>\n\n\n\n
                                                                                                                          \n
                                                                                                                        • Avoid embedding secrets in instance user-data or images.<\/li>\n
                                                                                                                        • Use OCI Vault<\/strong> for secrets\/keys where appropriate:<\/li>\n
                                                                                                                        • https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/KeyManagement\/home.htm<\/li>\n<\/ul>\n\n\n\n
                                                                                                                          Audit\/logging<\/h3>\n\n\n\n
                                                                                                                            \n
                                                                                                                          • Use OCI Audit<\/strong> to track configuration changes to the NLB and networking resources.<\/li>\n
                                                                                                                          • For traffic troubleshooting, use VCN Flow Logs<\/strong> where appropriate; verify if NLB provides native traffic logs in your region.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                            Compliance considerations<\/h3>\n\n\n\n
                                                                                                                              \n
                                                                                                                            • Ensure network segmentation meets compliance (PCI, HIPAA, SOC2) requirements:<\/li>\n
                                                                                                                            • Backends in private subnet<\/li>\n
                                                                                                                            • Strict ingress rules<\/li>\n
                                                                                                                            • Controlled admin access (Bastion)<\/li>\n
                                                                                                                            • Use tagging and compartments to support auditability and cost allocation.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                              Common security mistakes<\/h3>\n\n\n\n
                                                                                                                                \n
                                                                                                                              • Leaving NLB listener open to 0.0.0.0\/0<\/code> on admin\/debug ports.<\/li>\n
                                                                                                                              • Allowing backend instances to have public IPs \u201ctemporarily\u201d and forgetting to remove them.<\/li>\n
                                                                                                                              • Overly broad NSG rules (e.g., allowing all VCN traffic to backend ports).<\/li>\n
                                                                                                                              • No monitoring\/alarms on backend health, leading to silent partial outages.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                Secure deployment recommendations<\/h3>\n\n\n\n
                                                                                                                                  \n
                                                                                                                                • Default to private subnets<\/strong> for backends.<\/li>\n
                                                                                                                                • Use Bastion<\/strong> or private connectivity for administration.<\/li>\n
                                                                                                                                • Enforce least-privilege NSG rules:<\/li>\n
                                                                                                                                • NLB subnet \u2192 backend ports only<\/li>\n
                                                                                                                                • Client sources \u2192 NLB listener ports only<\/li>\n
                                                                                                                                • Use IaC with code review for NLB and security changes.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                  13. Limitations and Gotchas<\/h2>\n\n\n\n
                                                                                                                                  Always confirm current limitations in official docs (service capabilities evolve). Common limitations\/gotchas for Layer 4 load balancers include:<\/p>\n\n\n\n
                                                                                                                                    \n
                                                                                                                                  • Not Layer 7:<\/strong> no HTTP path routing, header-based routing, cookie persistence, or rewrites.<\/li>\n
                                                                                                                                  • Observability gaps vs L7:<\/strong> detailed HTTP access logs and request-level tracing may not exist (or may differ). Use app-level logs and VCN flow logs as needed.<\/li>\n
                                                                                                                                  • Health check nuance:<\/strong> TCP health checks confirm port reachability, not full application correctness.<\/li>\n
                                                                                                                                  • Security rule complexity:<\/strong> NLB + private subnets commonly fail due to missing NSG rules or wrong CIDR sources.<\/li>\n
                                                                                                                                  • Subnet placement constraints:<\/strong> NLB is attached to specific subnet(s); multi-subnet designs differ from L7 load balancers. Verify<\/strong> current NLB subnet requirements.<\/li>\n
                                                                                                                                  • Quotas:<\/strong> listener limits, backend limits, and NLB count per compartment can block deployments.<\/li>\n
                                                                                                                                  • Traffic distribution behavior:<\/strong> some L4 load balancers distribute by connection\/flow; repeated requests from one client may look \u201csticky\u201d depending on client behavior.<\/li>\n
                                                                                                                                  • Hybrid routing:<\/strong> when clients come from on-prem, ensure DRG route tables and security rules permit traffic to the NLB and backends.<\/li>\n
                                                                                                                                  • Data transfer billing surprises:<\/strong> internet egress and inter-region transfer can dominate costs at scale.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                    14. Comparison with Alternatives<\/h2>\n\n\n\n
                                                                                                                                    Alternatives inside Oracle Cloud<\/h3>\n\n\n\n
                                                                                                                                      \n
                                                                                                                                    • Oracle Cloud Load Balancer<\/strong> (the broader load balancer service): better for HTTP\/HTTPS and advanced features.<\/li>\n
                                                                                                                                    • DNS-based distribution \/ Traffic Management<\/strong> (where applicable): good for global routing and failover, not a replacement for L4\/L7 balancing.<\/li>\n
                                                                                                                                    • Self-managed HAProxy\/Nginx\/Envoy on Compute:<\/strong> maximum flexibility at the cost of operations burden.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                      Alternatives in other clouds<\/h3>\n\n\n\n
                                                                                                                                        \n
                                                                                                                                      • AWS Network Load Balancer<\/strong> (L4)<\/li>\n
                                                                                                                                      • Azure Load Balancer<\/strong> (L4)<\/li>\n
                                                                                                                                      • Google Cloud TCP\/UDP Load Balancing<\/strong> (regional\/global variants)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                        Comparison table<\/h3>\n\n\n\n
                                                                                                                                        \n\n\n\n\n\n\n\n\n
                                                                                                                                        Option<\/th>\nBest For<\/th>\nStrengths<\/th>\nWeaknesses<\/th>\nWhen to Choose<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                        Oracle Cloud Network Load Balancer<\/strong><\/td>\nTCP\/UDP services needing low latency<\/td>\nManaged HA, L4 performance, VCN-native<\/td>\nNot L7; fewer HTTP features<\/td>\nNon-HTTP or simple TCP\/UDP entry points; private\/internal endpoints<\/td>\n<\/tr>\n
                                                                                                                                        Oracle Cloud Load Balancer<\/strong><\/td>\nHTTP\/HTTPS and application delivery<\/td>\nMore app-aware capabilities (routing, TLS termination features depending on config)<\/td>\nMore overhead; not ideal for raw UDP workloads<\/td>\nWeb apps, HTTP APIs, need L7 controls<\/td>\n<\/tr>\n
                                                                                                                                        OCI DNS \/ Traffic Management (where applicable)<\/strong><\/td>\nGlobal routing\/failover<\/td>\nGreat for multi-region steering<\/td>\nNot a per-connection load balancer<\/td>\nMulti-region active\/active steering combined with regional LBs<\/td>\n<\/tr>\n
                                                                                                                                        Self-managed HAProxy\/Nginx on Compute<\/strong><\/td>\nCustom features or edge cases<\/td>\nFull control, custom modules<\/td>\nOperational burden, patching, HA design<\/td>\nWhen managed services don\u2019t meet requirements or for specialized protocols<\/td>\n<\/tr>\n
                                                                                                                                        AWS NLB \/ Azure Load Balancer \/ GCP TCP\/UDP LB<\/strong><\/td>\nCross-cloud parity<\/td>\nMature ecosystems, familiar patterns<\/td>\nDifferent IAM\/networking models<\/td>\nIf you\u2019re implementing the same architecture across multiple clouds<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                        15. Real-World Example<\/h2>\n\n\n\n
                                                                                                                                        Enterprise example: Hybrid financial services risk engine<\/h3>\n\n\n\n
                                                                                                                                          \n
                                                                                                                                        • Problem:<\/strong> An on-prem risk engine must call OCI-hosted pricing services over TCP with strict uptime and private connectivity.<\/li>\n
                                                                                                                                        • Proposed architecture:<\/strong><\/li>\n
                                                                                                                                        • On-prem \u2192 FastConnect \u2192 DRG \u2192 VCN<\/li>\n
                                                                                                                                        • Private Network Load Balancer<\/strong> fronting multiple pricing service instances in private subnets<\/li>\n
                                                                                                                                        • Backends spread across fault domains\/availability domains (where available)<\/li>\n
                                                                                                                                        • Monitoring alarms on backend health and latency indicators<\/li>\n
                                                                                                                                        • Why Network Load Balancer was chosen:<\/strong><\/li>\n
                                                                                                                                        • L4 TCP service, no need for HTTP routing<\/li>\n
                                                                                                                                        • Private endpoint aligns with compliance and segmentation<\/li>\n
                                                                                                                                        • Managed HA reduces operations risk<\/li>\n
                                                                                                                                        • Expected outcomes:<\/strong><\/li>\n
                                                                                                                                        • Stable endpoint for on-prem clients<\/li>\n
                                                                                                                                        • Automated failover from unhealthy instances<\/li>\n
                                                                                                                                        • Reduced change windows (backend rotation without client-side changes)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                          Startup\/small-team example: IoT telemetry ingestion<\/h3>\n\n\n\n
                                                                                                                                            \n
                                                                                                                                          • Problem:<\/strong> A small team ingests telemetry from devices over a custom TCP protocol and needs to scale quickly.<\/li>\n
                                                                                                                                          • Proposed architecture:<\/strong><\/li>\n
                                                                                                                                          • Public Network Load Balancer<\/strong> on TCP\/9000<\/li>\n
                                                                                                                                          • Backends are autoscaled compute instances running ingestion service<\/li>\n
                                                                                                                                          • Data stored in managed database\/streaming service (depending on design)<\/li>\n
                                                                                                                                          • Alerts when backend health drops below threshold<\/li>\n
                                                                                                                                          • Why Network Load Balancer was chosen:<\/strong><\/li>\n
                                                                                                                                          • Supports generic TCP without forcing HTTP<\/li>\n
                                                                                                                                          • Simple operational model<\/li>\n
                                                                                                                                          • Allows the team to keep backends private and replace them frequently<\/li>\n
                                                                                                                                          • Expected outcomes:<\/strong><\/li>\n
                                                                                                                                          • Smooth scaling during device onboarding waves<\/li>\n
                                                                                                                                          • Fewer outages due to single instance failures<\/li>\n
                                                                                                                                          • Simpler deployments with immutable backend replacement<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                            16. FAQ<\/h2>\n\n\n\n
                                                                                                                                              \n
                                                                                                                                            1. \n
                                                                                                                                              Is Oracle Cloud Network Load Balancer Layer 4 or Layer 7?<\/strong>\n   Network Load Balancer is primarily a Layer 4<\/strong> service for TCP and UDP<\/strong> traffic. If you need HTTP-aware routing, evaluate Oracle Cloud Load Balancer.<\/p>\n<\/li>\n
                                                                                                                                            2. \n
                                                                                                                                              Can I use Network Load Balancer for HTTP\/HTTPS web apps?<\/strong>\n   You can forward TCP\/80 or TCP\/443, but you won\u2019t get Layer 7 features like path routing. For typical web apps, Oracle Cloud Load Balancer is often a better fit.<\/p>\n<\/li>\n
                                                                                                                                            3. \n
                                                                                                                                              Does Network Load Balancer support UDP?<\/strong>\n   Yes, UDP is a key use case for Network Load Balancer.<\/p>\n<\/li>\n
                                                                                                                                            4. \n
                                                                                                                                              Can I create an internal-only load balancer?<\/strong>\n   Yes. Use a private<\/strong> Network Load Balancer in a private subnet and ensure clients have private network reachability.<\/p>\n<\/li>\n
                                                                                                                                            5. \n
                                                                                                                                              Do my backend servers need public IP addresses?<\/strong>\n   No. A common best practice is to keep backends on private IPs<\/strong> in private subnets.<\/p>\n<\/li>\n
                                                                                                                                            6. \n
                                                                                                                                              How does health checking work?<\/strong>\n   The NLB performs health checks (often TCP-based) to decide whether a backend should receive traffic. Configure intervals and thresholds appropriate to your application\u2019s recovery time.<\/p>\n<\/li>\n
                                                                                                                                            7. \n
                                                                                                                                              What is the most common reason for unhealthy backends?<\/strong>\n   Security rules: missing NSG\/security list ingress allowing the NLB subnet to reach backend ports, or OS firewall blocking the port.<\/p>\n<\/li>\n
                                                                                                                                            8. \n
                                                                                                                                              Can I attach Network Load Balancer to multiple subnets?<\/strong>\n   Subnet attachment models vary by load balancer type and OCI implementation. Verify in official docs<\/strong> for current NLB subnet requirements in your region.<\/p>\n<\/li>\n
                                                                                                                                            9. \n
                                                                                                                                              How do I do TLS termination?<\/strong>\n   If you need TLS termination at the load balancer, evaluate Oracle Cloud Load Balancer or confirm whether your NLB configuration supports it (verify in official docs<\/strong>). Many L4 designs do TLS passthrough and terminate on the backend.<\/p>\n<\/li>\n
                                                                                                                                            10. \n
                                                                                                                                              Does Network Load Balancer preserve the client source IP?<\/strong>\n   Source IP preservation behavior can depend on the service and configuration. Verify in official docs<\/strong> and validate with packet captures or application logs.<\/p>\n<\/li>\n
                                                                                                                                            11. \n
                                                                                                                                              Can I use Network Load Balancer with Kubernetes (OKE)?<\/strong>\n   OKE commonly provisions Oracle Cloud Load Balancer for Service type=LoadBalancer<\/code>. NLB integration may be possible depending on OCI\/OKE features and annotations\u2014verify in official OKE docs<\/strong>.<\/p>\n<\/li>\n
                                                                                                                                            12. \n
                                                                                                                                              How do I monitor Network Load Balancer health?<\/strong>\n   Use OCI Monitoring<\/strong> metrics and create alarms on healthy backend count and traffic anomalies. Use OCI Audit<\/strong> for configuration changes.<\/p>\n<\/li>\n
                                                                                                                                            13. \n
                                                                                                                                              How do I restrict who can change the load balancer?<\/strong>\n   Use compartment-scoped IAM policies<\/strong> and separate admin roles. Limit \u201cmanage\u201d permissions to a small group.<\/p>\n<\/li>\n
                                                                                                                                            14. \n
                                                                                                                                              What happens during backend maintenance?<\/strong>\n   Put backend into maintenance by stopping the service or removing it from the backend set; health checks should mark it unhealthy and drain traffic (depending on behavior). Plan maintenance windows and validate.<\/p>\n<\/li>\n
                                                                                                                                            15. \n
                                                                                                                                              Is Network Load Balancer global?<\/strong>\n   It is generally regional<\/strong> in scope and attached to regional networking constructs. Use DNS\/traffic steering for multi-region architectures.<\/p>\n<\/li>\n
                                                                                                                                            16. \n
                                                                                                                                              What is the difference between NLB and a reverse proxy?<\/strong>\n   NLB is a managed L4 traffic distributor; a reverse proxy is typically L7 and can modify HTTP traffic. Choose based on protocol needs and operational preference.<\/p>\n<\/li>\n
                                                                                                                                            17. \n
                                                                                                                                              How do I estimate cost accurately?<\/strong>\n   Use the official OCI price list<\/strong> and cost estimator<\/strong> for your region and expected traffic profile. Costs are sensitive to runtime duration and data processed.<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                              17. Top Online Resources to Learn Network Load Balancer<\/h2>\n\n\n\n
                                                                                                                                              \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                              Resource Type<\/th>\nName<\/th>\nWhy It Is Useful<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                              Official documentation<\/td>\nNetwork Load Balancer docs: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/NetworkLoadBalancer\/home.htm<\/td>\nPrimary reference for capabilities, limits, and configuration steps<\/td>\n<\/tr>\n
                                                                                                                                              Official documentation<\/td>\nOCI Networking overview: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Network\/home.htm<\/td>\nHelps you understand VCNs, subnets, routing, gateways, and security<\/td>\n<\/tr>\n
                                                                                                                                              Official documentation<\/td>\nOCI IAM overview: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Identity\/home.htm<\/td>\nRequired to secure who can manage NLB resources<\/td>\n<\/tr>\n
                                                                                                                                              Official pricing<\/td>\nOracle Cloud Price List: https:\/\/www.oracle.com\/cloud\/price-list\/<\/td>\nAuthoritative pricing categories and SKUs (region-dependent)<\/td>\n<\/tr>\n
                                                                                                                                              Official calculator<\/td>\nOCI Cost Estimator: https:\/\/www.oracle.com\/cloud\/costestimator.html<\/td>\nBuild realistic estimates for lab and production<\/td>\n<\/tr>\n
                                                                                                                                              Official limits<\/td>\nService Limits: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/General\/Concepts\/servicelimits.htm<\/td>\nUnderstand quotas and request limit increases<\/td>\n<\/tr>\n
                                                                                                                                              Architecture center<\/td>\nOracle Architecture Center: https:\/\/docs.oracle.com\/en\/solutions\/<\/td>\nReference architectures and patterns for production designs<\/td>\n<\/tr>\n
                                                                                                                                              Official CLI docs<\/td>\nOCI CLI install\/use: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/API\/SDKDocs\/cliinstall.htm<\/td>\nAutomate NLB provisioning and operations<\/td>\n<\/tr>\n
                                                                                                                                              Terraform provider docs<\/td>\nOCI Terraform Provider: https:\/\/registry.terraform.io\/providers\/oracle\/oci\/latest\/docs<\/td>\nInfrastructure-as-code patterns for repeatable deployments<\/td>\n<\/tr>\n
                                                                                                                                              Official tutorials<\/td>\nOracle Cloud Tutorials (landing): https:\/\/docs.oracle.com\/en\/learn\/<\/td>\nHands-on learning paths; search for load balancing and networking labs<\/td>\n<\/tr>\n
                                                                                                                                              Official YouTube<\/td>\nOracle Cloud Infrastructure channel: https:\/\/www.youtube.com\/@OracleCloudInfrastructure<\/td>\nVideos and walkthroughs (search within channel for load balancing)<\/td>\n<\/tr>\n
                                                                                                                                              Community (reputable)<\/td>\nOCI GitHub org: https:\/\/github.com\/oracle<\/td>\nSamples and tooling; validate relevance and currency to NLB<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                              18. Training and Certification Providers<\/h2>\n\n\n\n
                                                                                                                                              The following training providers may offer Oracle Cloud, networking, and load balancing-oriented learning. Confirm current course catalogs directly on their sites.<\/p>\n\n\n\n
                                                                                                                                              \n\n\n\n\n\n\n\n\n
                                                                                                                                              Institute<\/th>\nSuitable Audience<\/th>\nLikely Learning Focus<\/th>\nMode<\/th>\nWebsite<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                              DevOpsSchool.com<\/td>\nBeginners to working engineers<\/td>\nDevOps, cloud operations, CI\/CD, networking fundamentals<\/td>\nCheck website<\/td>\nhttps:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                              ScmGalaxy.com<\/td>\nStudents, junior engineers<\/td>\nSCM, DevOps foundations, cloud basics<\/td>\nCheck website<\/td>\nhttps:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n
                                                                                                                                              CLoudOpsNow.in<\/td>\nCloud\/ops practitioners<\/td>\nCloud operations, monitoring, reliability practices<\/td>\nCheck website<\/td>\nhttps:\/\/cloudopsnow.in\/<\/td>\n<\/tr>\n
                                                                                                                                              SreSchool.com<\/td>\nSREs, platform teams<\/td>\nSRE principles, observability, reliability engineering<\/td>\nCheck website<\/td>\nhttps:\/\/sreschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                              AiOpsSchool.com<\/td>\nOps + automation teams<\/td>\nAIOps concepts, automation, monitoring analytics<\/td>\nCheck website<\/td>\nhttps:\/\/aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                              19. Top Trainers<\/h2>\n\n\n\n
                                                                                                                                              These sites may function as trainer profiles, training portals, or platforms. Verify offerings, credentials, and course relevance before purchase.<\/p>\n\n\n\n
                                                                                                                                              \n\n\n\n\n\n\n\n
                                                                                                                                              Platform\/Site<\/th>\nLikely Specialization<\/th>\nSuitable Audience<\/th>\nWebsite<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                              RajeshKumar.xyz<\/td>\nDevOps\/cloud coaching (check specifics)<\/td>\nBeginners to intermediate engineers<\/td>\nhttps:\/\/rajeshkumar.xyz\/<\/td>\n<\/tr>\n
                                                                                                                                              devopstrainer.in<\/td>\nDevOps training and mentoring<\/td>\nDevOps engineers, SREs<\/td>\nhttps:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n
                                                                                                                                              devopsfreelancer.com<\/td>\nDevOps consulting\/training marketplace (verify)<\/td>\nTeams seeking short-term help<\/td>\nhttps:\/\/devopsfreelancer.com\/<\/td>\n<\/tr>\n
                                                                                                                                              devopssupport.in<\/td>\nOperational support and training resources (verify)<\/td>\nOps teams and engineers<\/td>\nhttps:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                              20. Top Consulting Companies<\/h2>\n\n\n\n
                                                                                                                                              These organizations may provide consulting services related to cloud architecture, DevOps, and operations. Validate service scope and references directly with each provider.<\/p>\n\n\n\n
                                                                                                                                              \n\n\n\n\n\n\n
                                                                                                                                              Company<\/th>\nLikely Service Area<\/th>\nWhere They May Help<\/th>\nConsulting Use Case Examples<\/th>\nWebsite<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                              cotocus.com<\/td>\nCloud\/DevOps services (verify specialization)<\/td>\nArchitecture, migrations, operations<\/td>\nDesigning VCN + NLB patterns; implementing monitoring\/alarms; IaC rollout<\/td>\nhttps:\/\/cotocus.com\/<\/td>\n<\/tr>\n
                                                                                                                                              DevOpsSchool.com<\/td>\nDevOps and cloud consulting\/training<\/td>\nDevOps transformation, platform engineering<\/td>\nStandardizing NLB + compute deployment patterns; CI\/CD + Terraform enablement<\/td>\nhttps:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                              DEVOPSCONSULTING.IN<\/td>\nDevOps consulting (verify portfolio)<\/td>\nAutomation, reliability, operations<\/td>\nBuilding production-ready OCI networking landing zone; NLB operational runbooks<\/td>\nhttps:\/\/devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                              21. Career and Learning Roadmap<\/h2>\n\n\n\n
                                                                                                                                              What to learn before this service<\/h3>\n\n\n\n
                                                                                                                                              To use Oracle Cloud Network Load Balancer effectively, learn:\n– OCI fundamentals: compartments, VCNs, subnets, route tables, gateways\n– IP networking: CIDR, TCP vs UDP, stateful firewalls, NAT\n– Security basics: least privilege, NSGs vs security lists\n– Linux server basics: systemd, firewall, ports, troubleshooting tools (ss<\/code>, tcpdump<\/code>, curl<\/code>)<\/p>\n\n\n\n
                                                                                                                                              What to learn after this service<\/h3>\n\n\n\n
                                                                                                                                                \n
                                                                                                                                              • Oracle Cloud Load Balancer (for L7 needs)<\/li>\n
                                                                                                                                              • OCI DNS and multi-region design (failover and traffic steering)<\/li>\n
                                                                                                                                              • Observability: Monitoring, Logging, alarms, dashboards, SLOs<\/li>\n
                                                                                                                                              • IaC: Terraform modules, drift detection, policy-as-code<\/li>\n
                                                                                                                                              • Advanced networking: DRG, FastConnect, VPN, peering architectures<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                Job roles that use it<\/h3>\n\n\n\n
                                                                                                                                                  \n
                                                                                                                                                • Cloud Engineer \/ Cloud Network Engineer<\/li>\n
                                                                                                                                                • Solutions Architect<\/li>\n
                                                                                                                                                • DevOps Engineer \/ Platform Engineer<\/li>\n
                                                                                                                                                • Site Reliability Engineer (SRE)<\/li>\n
                                                                                                                                                • Security Engineer (network segmentation and exposure)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                  Certification path (if available)<\/h3>\n\n\n\n
                                                                                                                                                  Oracle offers OCI certifications; availability and names can change. Start by checking Oracle University and OCI certification pages and map your learning plan to:\n– OCI Foundations\n– OCI Architect\n– OCI Networking-focused training (if available)<\/p>\n\n\n\n
                                                                                                                                                  Verify current certifications here:\n– https:\/\/education.oracle.com\/<\/p>\n\n\n\n
                                                                                                                                                  Project ideas for practice<\/h3>\n\n\n\n
                                                                                                                                                    \n
                                                                                                                                                  • Build a private NLB fronting an internal TCP service reachable via VPN\/DRG.<\/li>\n
                                                                                                                                                  • Deploy blue\/green backends and practice safe cutover using backend membership changes.<\/li>\n
                                                                                                                                                  • Create Terraform modules for NLB + NSGs + backend compute and add CI validation.<\/li>\n
                                                                                                                                                  • Implement alarms on backend health and run a chaos test (stop one backend).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                    22. Glossary<\/h2>\n\n\n\n
                                                                                                                                                      \n
                                                                                                                                                    • Backend:<\/strong> A target server (usually an IP:port) that receives traffic from the load balancer.<\/li>\n
                                                                                                                                                    • Backend set:<\/strong> A logical group of backends with a shared health check policy.<\/li>\n
                                                                                                                                                    • CIDR:<\/strong> IP address range notation (e.g., 10.0.0.0\/16<\/code>).<\/li>\n
                                                                                                                                                    • Compartment:<\/strong> OCI governance boundary used for access control and cost tracking.<\/li>\n
                                                                                                                                                    • DRG (Dynamic Routing Gateway):<\/strong> OCI gateway for hybrid connectivity (VPN\/FastConnect) and advanced routing.<\/li>\n
                                                                                                                                                    • Fault domain:<\/strong> OCI construct for spreading instances across hardware to reduce correlated failures.<\/li>\n
                                                                                                                                                    • Health check:<\/strong> Probe used to decide if a backend should receive traffic.<\/li>\n
                                                                                                                                                    • IAM policy:<\/strong> Authorization rules defining who can manage OCI resources.<\/li>\n
                                                                                                                                                    • Listener:<\/strong> Front-end port\/protocol configuration that accepts client traffic.<\/li>\n
                                                                                                                                                    • NSG (Network Security Group):<\/strong> Virtual firewall applied to VNICs\/resources to control traffic.<\/li>\n
                                                                                                                                                    • Public subnet:<\/strong> Subnet that can host resources reachable from the internet via an Internet Gateway (with proper routing and security).<\/li>\n
                                                                                                                                                    • Private subnet:<\/strong> Subnet without direct internet exposure (no direct route to Internet Gateway).<\/li>\n
                                                                                                                                                    • Layer 4 (L4):<\/strong> Transport layer (TCP\/UDP) load balancing, not application-aware.<\/li>\n
                                                                                                                                                    • VCN (Virtual Cloud Network):<\/strong> OCI virtual network containing subnets, routing, and security controls.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                      23. Summary<\/h2>\n\n\n\n
                                                                                                                                                      Oracle Cloud Network Load Balancer<\/strong> (in Networking, Edge, and Connectivity<\/strong>) is a managed Layer 4<\/strong> load balancer for TCP and UDP<\/strong> services. It matters because it provides a stable endpoint, health-based failover, and managed high availability without the operational burden of running your own load balancer fleet.<\/p>\n\n\n\n
                                                                                                                                                      It fits best in Oracle Cloud architectures where you need low-latency transport load balancing<\/strong>, private backend segmentation, and straightforward scaling. Cost is driven by how long the NLB runs<\/strong> and how much traffic it processes<\/strong>, plus indirect networking costs (especially internet egress). Security success depends on correct IAM policies<\/strong>, subnet routing<\/strong>, and NSG\/security list rules<\/strong>\u2014most real-world issues come from misconfigured network controls.<\/p>\n\n\n\n
                                                                                                                                                      Use Network Load Balancer when you need TCP\/UDP distribution and don\u2019t need HTTP-aware routing; choose Oracle Cloud Load Balancer when you need Layer 7 features.<\/p>\n\n\n\n
                                                                                                                                                      Next learning step:<\/strong> implement the same lab via Terraform<\/strong> and add Monitoring alarms<\/strong> for backend health so you can operate Network Load Balancer like production infrastructure.<\/p>\n","protected":false},"excerpt":{"rendered":"
                                                                                                                                                      Networking, Edge, and Connectivity<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[74,62],"tags":[],"class_list":["post-947","post","type-post","status-publish","format-standard","hentry","category-networking-edge-and-connectivity","category-oracle-cloud"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/947","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=947"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/947\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=947"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=947"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=947"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}