Load Balancer

Managed L4/L7 load balancing backed by HAProxy with auto TLS, health checks, sticky sessions, and rate limiting.

The Load Balancer service provides managed L4 and L7 load balancing backed by HAProxy. The Load Balancer Agent handles configuration, TLS certificates, health checks, and dynamic backend updates.

Features

  • L4 (TCP) and L7 (HTTP/HTTPS) load balancing
  • Auto TLS via Let's Encrypt — certificates are provisioned and renewed automatically
  • Health checks — configurable HTTP, TCP, or custom health checks for backends
  • Sticky sessions — cookie-based or source-IP session affinity
  • Rate limiting — protect backends from traffic spikes with configurable rate limits
  • Hot-reload — backend changes are applied without dropping connections

Create a Load Balancer

HTTP Load Balancer

agentmetal lb create \
  --name web-lb \
  --type http \
  --vpc prod

TCP Load Balancer

agentmetal lb create \
  --name db-lb \
  --type tcp \
  --port 5432 \
  --vpc prod

Add Backends

agentmetal lb backend add web-lb \
  --target web-1:8080 \
  --target web-2:8080 \
  --health-check "http:/health:5s"

Configure TLS

TLS is enabled by default for HTTP load balancers. Provide your domain for automatic certificate provisioning:

agentmetal lb tls set web-lb --domain app.example.com

The agent requests a certificate from Let's Encrypt, configures HAProxy to serve HTTPS, and sets up automatic renewal.

Sticky Sessions

Enable cookie-based sticky sessions:

agentmetal lb sticky set web-lb --mode cookie --cookie-name SERVERID

Rate Limiting

Protect your backends from excessive traffic:

agentmetal lb rate-limit set web-lb --requests 100 --window 60s --action deny

What the Agent Manages

The Load Balancer Agent performs these operations:

  1. HAProxy installation — installs HAProxy on a dedicated VM and applies a base configuration
  2. Frontend/backend setup — generates HAProxy configuration from your load balancer spec, including listeners, backends, and ACLs
  3. TLS management — uses certbot to obtain and renew certificates, configures HAProxy SSL termination
  4. Health checking — configures HAProxy health checks and monitors backend availability
  5. Hot-reload — applies configuration changes by reloading HAProxy without dropping active connections
  6. DNS integration — creates DNS records pointing to the load balancer's public IP

API

curl -X POST http://localhost:8080/v1/load-balancers \
  -H "Authorization: Bearer $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "web-lb",
    "spec": {
      "type": "http",
      "vpc": "prod",
      "tls": { "domain": "app.example.com", "autoRenew": true },
      "backends": [
        { "target": "web-1:8080", "weight": 50 },
        { "target": "web-2:8080", "weight": 50 }
      ],
      "healthCheck": { "path": "/health", "interval": "5s" }
    }
  }'
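
As an added example (not the Load Balancer Agent's own code), this sketch renders the spec from the request above into the kind of HAProxy configuration that step 2 of "What the Agent Manages" describes, validating every user-supplied string first so that no value can carry an extra line or directive into the generated file. The `rateLimit` field name, the certificate path, the `-pool` backend name and the `srvN` server names are assumptions; the rate-limit values are those of the CLI example.

```python
import re

# Constructed sample: the "spec" object from the API request on this page,
# plus the rate-limit values from the CLI example ("rateLimit" is an assumed field name).
SPEC = {
    "tls": {"domain": "app.example.com"},
    "backends": [
        {"target": "web-1:8080", "weight": 50},
        {"target": "web-2:8080", "weight": 50},
    ],
    "healthCheck": {"path": "/health", "interval": "5s"},
    "rateLimit": {"requests": 100, "window": "60s"},
}

NAME = re.compile(r"[a-z0-9-]{1,32}")
TARGET = re.compile(r"[A-Za-z0-9.-]{1,253}:[0-9]{1,5}")
DOMAIN = re.compile(r"[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})+")
PATH = re.compile(r"/[A-Za-z0-9._~/-]*")
DURATION = re.compile(r"[0-9]{1,6}(ms|s|m|h)")

def checked(pattern, value, what):
    """Reject any value that could add a directive or a line to the config."""
    if not isinstance(value, str) or not pattern.fullmatch(value):
        raise ValueError(f"invalid {what}: {value!r}")
    return value

def render(name, spec):
    """Render a spec to HAProxy config text (hypothetical layout and cert path)."""
    name = checked(NAME, name, "name")
    domain = checked(DOMAIN, spec["tls"]["domain"], "domain")
    hc, rl = spec["healthCheck"], spec["rateLimit"]
    window = checked(DURATION, rl["window"], "window")
    interval = checked(DURATION, hc["interval"], "interval")
    out = [
        f"frontend {name}",
        f"    bind :443 ssl crt /etc/haproxy/certs/{domain}.pem",
        # Per-source-IP request rate over the window; deny with 429 above the limit.
        f"    stick-table type ip size 100k expire {window} store http_req_rate({window})",
        "    http-request track-sc0 src",
        f"    http-request deny deny_status 429 if {{ sc_http_req_rate(0) gt {int(rl['requests'])} }}",
        f"    default_backend {name}-pool",
        f"backend {name}-pool",
        f"    option httpchk GET {checked(PATH, hc['path'], 'path')}",
    ]
    for i, b in enumerate(spec["backends"], 1):
        target = checked(TARGET, b["target"], "target")
        out.append(f"    server srv{i} {target} check inter {interval} weight {int(b['weight'])}")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render("web-lb", SPEC), end="")
```

Because validation uses `fullmatch`, a target, path or domain containing whitespace or a newline is rejected before any configuration text is produced.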