Use NLB to balance loads for IPv6 services - Server Load Balancer

Network Load Balancer (NLB) can forward IPv6 requests. This topic describes how to add IPv4 and IPv6 Elastic Compute Service (ECS) instances to a dual-stack NLB instance. This way, IPv6 clients can access IPv4 and IPv6 services deployed on the backend servers of the NLB instance.

Example

The following figure shows an example in this topic. A company wants NLB to forward requests from IPv6 clients to allow IPv6 clients to access IPv4 and IPv6 services in virtual private clouds (VPCs). To meet this requirement, the company needs to create an IPv4 ECS instance and an IPv4 ECS instance. The company also needs to create a dual-stack NLB instance and create a server group that supports IPv6. Then, IPv6 clients can access the IPv4 and IPv6 services on the ECS instances, which function as backend servers of the NLB instance.

Limits

For more information about the regions in which dual-stack NLB instances are available, see Regions that support dual-stack.
If you want to enable the dual-stack feature, you must enable IPv6 for the vSwitches in the zones of the VPC.
Dual-stack NLB instances can forward requests from IPv6 clients to IPv4 and IPv6 backend services.
You cannot upgrade existing IPv4 NLB instances to dual-stack NLB instances. You can only create dual-stack NLB instances.
When you create a listener for an IPv4 NLB instance, you cannot associate the listener with server groups for which IPv6 is enabled.

Prerequisites

A VPC (VPC1) is created in the China (Shanghai) region, and IPv6 is enabled for the VPC. After you enable IPv6, an IPv6 gateway is automatically created. Make sure that Internet bandwidth is enabled for the IPv6 gateway.
- For more information about how to enable IPv6 for a VPC, see Create a dual-stack VPC.
- For more information about how to enable Internet bandwidth for IPv6 gateways, see Enable and manage IPv6 Internet bandwidth.
A vSwitch (vSwitch1) is created in China (Shanghai) Zone E, and another vSwitch (vSwitch2) is created in China (Shanghai) Zone G. IPv6 is enabled for vSwitch1 and vSwitch2. For more information, see Create a vSwitch that supports IPv4 and IPv6.
A domain name is registered, and an Internet content provider (ICP) number is obtained for the domain name. For more information, see Register a domain name on Alibaba Cloud and ICP filing process.

Step 1: Create and configure ECS instances

Log on to the VPC console.
In the left-side navigation pane, click vSwitch.
Select the region of the vSwitch. In this example, China (Shanghai) is selected.
On the vSwitch page, find the vSwitch that you want to manage and choose Add Cloud Service > ECS Instance in the Actions column.

On the Custom Launch tab of the Elastic Compute Service page, create an IPv4 ECS instance named ECS01 and an IPv6 ECS instance named ECS02. The security groups to which the ECS instances are added must allow traffic on port 80. For more information, see Create an instance on the Custom Launch tab.

Click to view the ECS configurations

ECS instance	Region	VPC	vSwitch	IP version	Image
ECS01	China (Shanghai)	VPC1	vSwitch1 in Zone E	IPv4	Alibaba Cloud Linux
ECS02	China (Shanghai)	VPC1	vSwitch2 in Zone G	IPv6 Note When you create an IPv6 ECS instance, select Assign IPv6 Address Free of Charge in the IPv6 section.	Alibaba Cloud Linux

Remotely log on to ECS01 and ECS02. For more information, see Connection method overview.

Run the following commands on ECS01 to deploy an NGINX service:

yum install -y nginx
systemctl start nginx.service
cd /usr/share/nginx/html/
echo "Hello World ! this is ipv4 rs." > index.html

Run the following commands on ECS02 to deploy an NGINX service:

yum install -y nginx
systemctl start nginx.service
cd /usr/share/nginx/html/
echo "Hello World ! this is ipv6 rs." > index.html

Assign a static IPv6 address to ECS02.
Note
Skip this step if Assign IPv6 Address Free of Charge is selected in the IPv6 section.
In this example, an IPv6 address is manually assigned to ECS02. For more information, see Step 4: Configure an IPv6 address.
1. Run the vi /etc/sysconfig/network-scripts/ifcfg-eth0 command to open the configuration file of the network interface controller (NIC). Replace eth0 in the command with the actual identifier of the NIC. Add the following configurations to the file:
```
DHCPV6C=yes
IPV6INIT=yes
```
2. After you add the configurations, press the Esc key, enter :wq, and then press the Enter key to save and exit the file.
3. Restart ECS02.
```
reboot
```
4. Restart ECS02 to check whether IPv6 is enabled for ECS02.
  Run the ip addr | grep inet6 or ifconfig | grep inet6 command.
  - If the command output contains the information about inet6, IPv6 is enabled for ECS02.
  - If the command output does not contain the information about inet6, IPv6 is disabled for ECS02.
The following figure shows that IPv6 is enabled for ECS02.

Step 2: Configure a security group rule for ECS02

Configure a security group rule for ECS02 to allow inbound IPv6 traffic.

Log on to the ECS console.
In the top navigation bar, select the region of the security group. In this example, China (Shanghai) is selected.
In the left-side navigation pane, choose Network & Security > Security Groups.
On the Security Groups page, find the security group that you want to manage and click Manage Rules in the Actions column.
On the Security Group Details tab, click the Inbound tab in the Access Rule section.

Click Add Rule and configure the parameters. Then, click Save in the Actions column. The following table describes the parameters.

Parameter	Description
Action	Select an action for the rule. In this example, Allow is selected.
Priority	Select a priority for the rule. A smaller value indicates a higher priority. Valid values: 1 to 100. In this example, the default value 1 is used.
Protocol Type	Select the type of allowed requests. In this example, All ICMP (IPv6) is selected.
Port Range	Specify a range of ports to accept requests from IPv6 clients. If you set the Protocol Type parameter to All ICMP (IPv6), -1/-1 is automatically selected from the Destination drop-down list and cannot be modified.
Authorization Object	Enter the IPv6 CIDR block to which the rule applies. In this example, `::/0` is used, which indicates that the rule applies to all IPv6 addresses. Note You can specify IPv6 addresses based on your business requirements.

Step 3: Create an NLB instance

Log on to the NLB console.
On the Instances page, click Create NLB.

On the buy page, configure the parameters and click Buy Now.

The following table describes only some of the parameters. Keep the default values for other parameters. For more information, see Create and manage an NLB instance.

Configuration example

Parameter	Description
Region	Select the region in which you want to create the NLB instance.
Network Type	Select a network type for the NLB instance. The system assigns public or private IP addresses to the NLB instance based on the selected network type. In this example, Internet is selected. Note The Internet network type is supported only by IPv4 NLB instances. By default, IPv6 NLB instances are internal-facing. In this example, an Internet-facing IPv6 NLB instance is required. Perform Step 4 to change the IPv6 address to a public IPv6 address.
VPC	Select the VPC in which you want to deploy the NLB instance. Note Make sure that the IPv6 feature is enabled for the VPC.
Zone	Select at least two zones. In this example, Shanghai Zone E and Shanghai Zone G are selected. vSwitch1 in Shanghai Zone E and vSwitch2 in Shanghai Zone G are selected.
IP Version	Select an IP version for the NLB instance. In this example, Dual-stack Networking is selected.
Instance Name	Enter a name for the NLB instance.
Resource Group	Select a resource group for the NLB instance.
Service-linked Role	The first time you create an NLB instance, click Create Service-linked Role to create the AliyunServiceRoleForNlb service-linked role. The role is assigned the AliyunServiceRolePolicyForNlb policy, which allows NLB to access other cloud services. For more information, see System policies for NLB.

After you create a dual-stack NLB instance, it is assigned a private IPv6 address by default. Perform the following step to change the private IPv6 address to a public IPv6 address.
1. Return to the Instances page, and click the ID of the NLB instance.
2. On the Instance Details tab, navigate to the Basic Information section and find the Network parameter. Then, click Change Network Type next to IPv6:Private.
3. In the Change Network Type message, click OK.
  After you compete the preceding operations, the private IPv6 address is changed to a public IPv6 address.

Step 4: Create a server group

In the top navigation bar, select the region in which the NLB instance is deployed.
On the Server Groups page, click Create Server Group.

In the Create Server Group dialog box, configure the parameters and click Create.

The following table describes only the key parameters. Other parameters use the default values. For more information, see Create and manage a server group.

Parameter	Description
Server Group Type	Select a server group type. In this example, Server Type is selected.
Server Group Name	Enter a name for the server group.
VPC	Select a VPC for the server group. Note Make sure that IPv6 is enabled for the VPC and the VPC is in the same region as the NLB instance.
Backend Server Protocol	Select a backend protocol. In this example, TCP is selected.
Scheduling Algorithm	Select a scheduling algorithm. In this example, Weighted Round-Robin is selected.
IPv6	Specify whether to enable IPv6. In this example, IPv6 is enabled.
Health Check	Specify whether to enable the health check feature. In this example, the default setting is used.

In the Actions column, click Modify Backend Server and then click Add Backend Server .
In the Add Backend Server panel, set Server Type to ECS/ENI, select ECS01 and ECS02, select the IPv4 address of ECS01 and the IPv6 address of ECS02 in the IP column, and then click Next.
In the Ports/Weights step, configure a weight and a port for ECS01 and ECS02 and click OK.
In this example, both ECS instances use port 80 and the default weight 100.

Step 5: Configure listeners

In the left-side navigation pane, choose NLB > Instances.
On the Instances page, find the NLB instance and click Create Listener in the Actions column.

In the Configure Listener step, configure the parameters and click Next.

The following table describes only some of the parameters. Keep the default values for other parameters. For more information, see Add a TCP listener.

Parameter	Description
Select Listener Protocol	Select a listener protocol. In this example, TCP is selected.
Listener Port	Specify the listener port to receive and forward requests to backend servers. In this example, port `80` is selected.
Listener Name	Enter a name for the listener.
Advanced Settings	In this example, the default settings are used. You can click Modify to modify the settings.

In the Server Group step, select Server Type and select a server group from the drop-down list next to Server Type, confirm the backend servers, and then click Next.
In the Confirm step, confirm the configurations and click Submit.
Click OK to return to the Listener tab. After the status of the listener in the Health Check Status changes to Healthy, ECS01 and ECS02 can forward requests from the NLB instance.

Step 6: Configure DNS records

In actual business scenarios, we recommend that you use CNAME records to map custom domain names to the domain name of your NLB instance.

In the left-side navigation pane, choose NLB > Instances.
On the Instances page, copy the domain name of the NLB instance that you want to manage.

Perform the following steps to create a CNAME record:

Log on to the Alibaba Cloud DNS console.
On the Domain Name Resolution page, click Add Domain Name.
In the Add Domain Name dialog box, enter your domain name and click OK.
Important
Before you add a CNAME record, you must use a TXT record to verify the ownership of the domain name.
Find the domain name that you want to manage and click DNS Settings in the Actions column.
On the DNS Settings page, click Add DNS Record.

In the Add DNS Record panel, set the following parameters and click OK.

Parameter	Description
Record Type	Select CNAME from the drop-down list.
Hostname	Enter the prefix of the domain name. In this example, `@` is entered. Note If the domain name is a root domain name, enter @.
DNS Request Source	Select Default.
Record Value	Enter the CNAME, which is the domain name of the NLB instance.
TTL	Select a time-to-live (TTL) value for the CNAME record to be cached on the DNS server. In this example, the default value is used.

Step 7: Verify the result

Obtain the test domain name.
1. If you configured a CNAME record to map a custom domain name to the domain name of the NLB instance, use the custom domain name as the test domain name.
2. If you do not use a custom domain name, log on to the NLB console, select the region where the NLB instance is deployed, and copy the domain name of the NLB instance in the Domain Name column. Use the domain name as the test domain name.
Test the availability of the NLB instance.
Note
To test the availability of the NLB instance, make sure that your client supports IPv6.
1. Use a Linux client that can access IPv6 services to perform tests. If you use CentOS and telnet is not installed, run the yum install -y telnet command to install telnet.
2. Run the telnet Domain name Port command. In the following response packet, Connected to nlb-... indicates that the NLB instance can forward requests to backend servers.
```
Trying *.*.*.*...
Connected to www.example.com.
Escape character is '^]'
```
  Access the domain name, such as http://Domain name from a browser. The following figure shows that the NLB instance can forward requests to backend servers.
(Optional) Simulate faults.
1. Run the systemctl stop nginx.service command on ECS01 to stop the application.
2. Wait for a few minutes and run the telnet Domain name Port command again. The Connected to nlb-... response packet is returned.
```
Trying *.*.*.*...
Connected to www.example.com.
Escape character is '^]'
```
  Access the domain name, such as http://Domain name from a browser. The following figure shows that the NLB instance can forward requests to backend servers.
3. Run the systemctl start nginx.service command on ECS01 to restart the application, and run the systemctl stop nginx.service command on ECS02 to stop the application.
4. Wait for a few minutes and run the telnet Domain name Port command again. The Connected to nlb-... echo reply packet is returned.
```
Trying *.*.*.*...
Connected to www.example.com.
Escape character is '^]'
```
  Access the domain name, such as http://Domain name from a browser. The following figure shows that the NLB instance can forward requests to backend servers.
5. The test results show that the failure of a single backend server does not affect the availability of the NLB instance.

Release resources

Release the ECS instances and the security groups.
1. Delete ECS01 and its security group:
  1. Log on to the ECS console. In the top navigation bar, select the region in which ECS01 instance resides, and click the icon on the right side of ECS01. In the dialog box that appears, select Release to immediately release the instance.
  2. Log on to the ECS console. In the top navigation bar, select the region in which ECS01 resides, select the security group of ECS01, and then click Delete to delete the security group.
2. Repeat the preceding steps to delete ECS02 and its security group.
(Optional) Delete DNS records.
For more information, see Delete a DNS Record.
Release NLB resources.
1. Log on to the ECS console. In the top navigation bar, select the region where the NLB instance resides, and click the icon on the right of the NLB instance. In the dialog box that appears, select Release and click OK.
2. Log on to the NLB console. In the top navigation bar, select the region in which the NLB instance resides. On the Server Groups page, click the icon on the right side of the server group. In the dialog box that appears, select Delete and click OK.
Release VPC resources.
1. Log on to the VPC console. In the top navigation bar, select the region where the VPC resides.
2. Click Delete in the Actions column and select Forcefully Delete to delete the VPC and the vSwitches.

References

For more information about the use scenarios and components of NLB, see What is NLB?
For more information about the features of NLB, see Functions and features.
For more information about NLB quotas and how to increase quotas, see Limits.
For more information about the regions in which NLB is available, see Regions and zones in which NLB is available.
For more information about the billing of NLB, see NLB billing rules.