Using Your Own Load Balancer
This guide describes how to use your own load balancer and forward traffic to your Elastic Runtime router IP address.
Pivotal Cloud Foundry (PCF) deploys with a single instance of HAProxy for use in lab and test environments. Production environments should use a highly-available customer-provided load balancing solution that does the following:
- Provides load balancing to each of the PCF Router IPs
- Supports SSL termination with wildcard DNS location
- Adds appropriate x-forwarded-proto HTTP headers to incoming requests
- (Optional) Supports WebSockets
To integrate your own load balancer with PCF, you must ensure the following:
- WebSocket connections are not blocked for Loggregator functionality.
- The load balancer must be able to reach the Gorouter IPs.
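As an added illustration (not taken from the Pivotal documentation), the following HAProxy configuration meets the requirements listed above: it balances across the Router IPs, terminates TLS with a wildcard certificate, adds the x-forwarded-proto header, and keeps long-lived WebSocket connections open for Loggregator. The router IP addresses, certificate path and Gorouter health-check endpoint are placeholders and assumptions, not values from this page.

```haproxy
# Added example: external HAProxy in front of the Elastic Runtime routers.
# Router IPs, certificate path and health-check endpoint are assumed placeholders.
global
    log /dev/log local0
    # Refuse legacy protocol versions at the TLS termination point
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    mode http
    log global
    option httplog
    option forwardfor            # add X-Forwarded-For with the client IP
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    timeout tunnel  1h           # keep WebSocket streams (Loggregator) open

# Plain HTTP: send every client to HTTPS instead of serving cleartext
frontend http_in
    bind *:80
    http-request redirect scheme https code 301

# TLS termination with the wildcard certificate for the system/apps domain
frontend https_in
    bind *:443 ssl crt /etc/haproxy/certs/wildcard.pem
    # Tell the router the original scheme so it can treat the request as
    # secure (for example when it sets the secure flag on cookies)
    http-request set-header X-Forwarded-Proto https
    default_backend gorouters

backend gorouters
    balance roundrobin
    # Assumed health check; adjust to the router version you run
    option httpchk GET /health
    http-check expect status 200
    # One server line per address entered in the Router IPs field
    server router0 10.0.16.10:80 check port 8080
    server router1 10.0.16.11:80 check port 8080
```

For the "External Load Balancer with Encryption" option, the backend server lines would instead forward to the router's TLS port with `ssl` and `verify required` against the router certificate's CA.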
Follow the instructions below to use your own load balancer.
1. Deploy a PCF Installation virtual machine. The procedure you follow depends on the IaaS you use:
2. In your load balancer, register the IP addresses that you assigned to PCF.
3. Configure your Pivotal Operations Manager and Ops Manager Director as described in Installing Pivotal Cloud Foundry, then add Elastic Runtime. Do not click Install after adding Elastic Runtime.
4. In Pivotal Operations Manager, click the Elastic Runtime tile.
5. In the Router IPs field, enter the IP address or addresses for PCF that you registered with your load balancer in Step 2.
6. In the HAProxy IPs field, delete any existing IP addresses. This field should be blank.
7. Under Configure the point-of-entry to this environment, choose one of the following:
   - External Load Balancer with Encryption: Select this option if your deployment uses an external load balancer that can forward encrypted traffic to the Elastic Runtime Router, or for a development environment that does not require load balancing. Complete the fields for the Router SSL Termination Certificate and Private Key and Router SSL Ciphers.
   - External Load Balancer without Encryption: Select this option if your deployment uses an external load balancer that cannot forward encrypted traffic to the Elastic Runtime Router, or for a development environment that does not require load balancing.
   For details about providing SSL termination certificates and keys, see the Providing a Certificate for your SSL Termination Point topic.
8. If you are not using SSL encryption or if you are using self-signed certificates, select Disable SSL certificate verification for this environment.
9. Select the Disable insecure cookies on the Router checkbox to turn on the secure flag for cookies generated by the router.
10. In the Choose whether or not to enable route services section, choose either Enable route services or Disable route services. Route services are a class of marketplace services that perform filtering or content transformation on application requests and responses. See the Route Services topic for details.
    - If you enable route services, check Ignore SSL certificate verification on route services for the routing tier to reject requests that are not signed by a trusted CA.
11. Optionally, use the Applications Subnet field if you need to avoid address collision with a third-party service on the same subnet as your apps. Enter a CIDR subnet mask specifying the range of available IP addresses assigned to your app containers. The IP range must be different from the network used by the system VMs.
12. Optionally, you can change the value in the Applications Network Maximum Transmission Unit (MTU) field. Pivotal recommends setting the MTU value for your application network to 1454. Some configurations, such as networks that use GRE tunnels, may require a smaller MTU value.
13. Optionally, increase the number of seconds in the Router Timeout to Backends field to accommodate larger uploads over connections with high latency.
14. Return to the Ops Manager Installation Dashboard