Overview & Initial setup

What is Load Balancer?

A Load Balancer distributes traffic across a group of virtual servers or backend resources. Modern websites and applications must serve hundreds of thousands of customers a day with millions of concurrent requests — a single server cannot keep up.

Instead of relying on a single server, FPT Cloud Load Balancer intelligently distributes traffic across multiple servers. It continuously monitors server health and automatically redirects traffic to healthy servers if one becomes unavailable, ensuring uninterrupted service until the failed server recovers.

Key benefits

  • Performance optimization: Even distribution of requests maximizes processing throughput.
  • High availability: Automatic failover maintains service continuity.
  • Reliability: Continuous health checks ensure that only healthy backend servers receive traffic.
  • Scalability: Easily scale out by adding members to the Server Pool as demand grows.

Plan before you deploy

Before implementing Load Balancer, plan for:

  • Number of backend servers based on workload.
  • Appropriate package (size) — FPT Cloud offers four high-availability tiers: Basic-1, Basic-2, Standard, Advanced.
  • Region placement for optimal latency.
  • Load-balancing algorithm (Round Robin, Least Connections, ...).

Initial setup

Before using the FPT Cloud Load Balancer service, complete the following steps:

  • Create an FPT Cloud account and log in to FPT Cloud Portal.
  • Create a virtual server on FPT Cloud.
  • Attach a Security Group to the virtual server.

Create an account and log in to FPT Cloud Portal

  1. Go to https://console.fptcloud.com and log in with your FPT Cloud account credentials.
  2. Select the correct Tenant, Region, and VPC for your service.

Note: If you do not yet have an FPT Cloud account, visit https://fptcloud.com/, click Sign Up, and follow the instructions. The support team will contact you to confirm your account details.

Create a virtual server

FPT Cloud Load Balancer supports load balancing for virtual servers on FPT Cloud. Refer to the FPT Cloud Server documentation for instructions on creating and managing virtual servers.

Attach a Security Group to the virtual server

A Security Group acts as a network firewall at the virtual machine level, controlling inbound and outbound traffic. By default, FPT Cloud virtual machines allow all outbound traffic but block all inbound traffic — so if no Security Group is configured, Load Balancer cannot reach the service ports on the backend and health checks will always report DOWN.

Load Balancer requires specific ports to be opened on the backend servers so that traffic forwarded from the Load Balancer is accepted. You must open:

  • The service ports that your application listens on (for example: HTTP port 80, HTTPS port 443, ...).
  • The health-check ports that the Load Balancer uses to verify server health (often the same as the service port).

Required inbound ports by scenario

| Scenario | Backend inbound port to open | Source |
|---|---|---|
| Web HTTP | TCP 80 | Load Balancer subnet |
| Web HTTPS (SSL terminated at backend) | TCP 443 | Load Balancer subnet |
| Web HTTPS (SSL terminated at Load Balancer) | TCP 80 | Load Balancer subnet |
| Custom API | TCP <service-port> | Load Balancer subnet |
| Dedicated health-check endpoint (HTTP/TCP) | TCP <health-check-port> | Load Balancer subnet |

Note: The Load Balancer subnet is the internal IP range the Load Balancer uses to send requests to backends. You can find it under the Overview tab → Subnet of the Load Balancer after creation. For a quick start, you may temporarily allow the entire VPC CIDR and later narrow it down to the exact subnet for tighter security.

Example

To create a Load Balancer named LB1 that balances traffic to a web server running on port 80 across two virtual machines, A and B:

  1. Create a new Security Group dedicated to this web-server cluster. Refer to the FPT Cloud Server documentation for instructions on creating and managing Security Groups.
  2. Add an Inbound rule for port 80 (TCP) — Source is the Load Balancer subnet (see the Overview tab of LB1).
  3. Add an Inbound rule for the health-check port (for example, port 80 if the health check uses HTTP, or a separate port if you expose a dedicated health-check endpoint).
  4. Keep the default Outbound rule (allow all) or at minimum allow responses back to the Load Balancer subnet.
  5. Attach the Security Group to virtual machines A and B from each VM's detail page on the FPT Cloud Portal.
  6. If LB1 is an External Load Balancer (with a Public IP assigned), also attach an appropriate Security Group to LB1 itself to allow traffic from the internet — typically open TCP 80 / TCP 443 with Source 0.0.0.0/0.

Tip: If several backend servers share the same port configuration, you can reuse the same Security Group across all of them; just make sure the Inbound rules cover every service port and every health-check port. When you later change a service port, you only need to update the shared Security Group, with no per-VM action required.
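
The check below is an added example, not FPT Cloud tooling: it audits a backend Security Group's inbound rules against the Load Balancer subnet and flags sources that miss the subnet or are still wider than it (such as a quick-start VPC CIDR). The rule dictionary layout, the function name, and all CIDR values are assumptions made for illustration.

```python
import ipaddress

def audit_backend(rules, required_ports, lb_subnet):
    """Return {port: status} for each TCP port the Load Balancer must reach.

    OK      - a rule's source is exactly the Load Balancer subnet
    BROAD   - a rule covers the subnet but is wider (e.g. the whole VPC CIDR)
    MISSING - no rule covers the whole subnet; health checks would stay DOWN
    """
    lb = ipaddress.ip_network(lb_subnet)
    report = {}
    for port in required_ports:
        status = "MISSING"
        for rule in rules:
            if rule["protocol"] != "tcp" or rule["port"] != port:
                continue
            src = ipaddress.ip_network(rule["source"])
            if src.version != lb.version or not lb.subnet_of(src):
                continue  # rule exists but does not cover the LB subnet
            if src == lb:
                status = "OK"
                break
            status = "BROAD"  # keep looking in case an exact rule also exists
        report[port] = status
    return report

# Constructed sample data (hypothetical, not real FPT Cloud values).
LB_SUBNET = "10.0.1.0/24"
SAMPLE_RULES = [
    {"protocol": "tcp", "port": 80, "source": "10.0.0.0/16"},    # quick-start VPC CIDR
    {"protocol": "tcp", "port": 443, "source": "10.0.1.0/24"},   # exact LB subnet
    {"protocol": "tcp", "port": 8080, "source": "10.0.2.0/24"},  # wrong subnet
]

if __name__ == "__main__":
    result = audit_backend(SAMPLE_RULES, [80, 443, 8080], LB_SUBNET)
    for port, status in result.items():
        print(port, status)
```

A BROAD result is the state to revisit once the Load Balancer exists and its exact subnet is known.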

Warning: After attaching the Security Group, check the Members tab of the Server Pool. If a member stays DOWN after 30–60 seconds, verify the following:

  • The health-check port on the Server Pool matches the port opened in the Security Group.
  • The Source of the Inbound rule actually covers the Load Balancer subnet.
  • The backend application is genuinely listening on that port (netstat -tlnp or ss -tlnp).
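
For the last check, the following added example (not part of the FPT Cloud documentation) parses `ss -tlnp` output and goes one step further than "is the port open": it also reports a service bound only to a loopback address, which no Security Group rule can make reachable from the Load Balancer. The function name and the sample output are constructed for illustration.

```python
import ipaddress

def listener_status(ss_output, port):
    """Classify how a TCP port appears in `ss -tlnp` output.

    NOT_LISTENING - nothing is bound to the port
    LOOPBACK_ONLY - bound only to 127.0.0.0/8 or ::1, unreachable from the LB
    REACHABLE     - bound to a wildcard or non-loopback address (a specific
                    address must still be the one registered in the Server Pool)
    """
    addrs = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # skips the header row and blank lines
        addr, _, listen_port = fields[3].rpartition(":")
        if listen_port == str(port):
            # Drop an interface scope ("%lo") and IPv6 brackets ("[::]").
            addrs.append(addr.split("%")[0].strip("[]"))
    if not addrs:
        return "NOT_LISTENING"
    for addr in addrs:
        if addr == "*" or not ipaddress.ip_address(addr).is_loopback:
            return "REACHABLE"
    return "LOOPBACK_ONLY"

# Constructed sample of `ss -tlnp` output (not captured from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=640,fd=6))
LISTEN 0      511        127.0.0.1:8080      0.0.0.0:*     users:(("node",pid=812,fd=18))
LISTEN 0      128             [::]:22           [::]:*     users:(("sshd",pid=500,fd=4))
"""

if __name__ == "__main__":
    for p in (80, 8080, 443):
        print(p, listener_status(SAMPLE_SS, p))
```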