Load Balancer Instance

A load balancer instance is the top-level object. It owns the VIPs, hosts the listeners, and binds to the global VPC that holds the backends. Everything else — listeners, backend pools, health checks — is configured inside an instance.

What It Does

  • Presents one entry point at the VIP. Clients see one Elastic IP per protocol family (IPv4 or IPv6); the load balancer picks which backend handles each flow.

  • Passes traffic through to backends. Sessions terminate on the backend, not on the load balancer. Backends see the real client IP as the source.

  • Distributes traffic across backends. Each listener uses its configured scheduling algorithm and respects session persistence if enabled.

  • Isolates failing backends. Paired health checks remove unhealthy servers from scheduling and re-admit them when they recover.

  • Is highly available out of the box. The instance itself stays reachable without any active/standby configuration on your side.

VIPs

A VIP is the Elastic IP clients connect to. One instance can hold multiple VIPs, and every listener applies to traffic arriving on every VIP.

IPv4 vs IPv6. An instance is either IPv4 or IPv6. Dual-stack is achieved by creating one instance per family with the same backends and listeners.

Multiple VIPs on one instance. You can assign multiple EIPs to a single instance if you want several public addresses to front the same backend pool — for example, for DNS round-robin at the address level, or to migrate clients between addresses. Listeners apply to all of them.

Private/internal VIPs are not supported today — every VIP is a public Elastic IP. If you need an internal-only service endpoint, use direct VPC connectivity to the backends instead.

Global VPC and Backends

The instance binds to a global VPC at creation time, and backends are referenced by their private IP inside that VPC. The instance is regional — backends must live in the same region as the load balancer. A single listener can mix backends from multiple subnets within that region.

Cross-region backends are not supported today. If you need to load-balance across regions, create one load balancer per region and steer clients at the DNS layer.

Backends outside the attached VPC cannot be registered. If you need to front a service in a different VPC, stand up a separate load balancer in that VPC.

High Availability

Each instance is internally redundant. The VIP stays reachable without any pairing, active/standby configuration, or keepalive setup on your side — the platform handles availability for you. From your side, the load balancer looks like one service endpoint.

Ingress Filtering

Two layers of filtering are available on the instance itself, independent of anything on the backends:

  • Whitelist — a CIDR list. Only source addresses in the list can reach the VIP. Everything else is dropped at the load balancer.

  • Security group — a named security-group ID bound to the instance. Rules are evaluated in priority order and can allow or deny based on protocol, port, and source CIDR (IPv4 or IPv6).

Both are evaluated before the listener's scheduler runs, so filtered traffic never consumes backend connections.
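The two layers can be modelled offline to test a planned policy before it is bound to an instance. The sketch below is an added example, not the provider's code or API. The names Rule, evaluate and unreachable_allows are hypothetical, and it assumes that a lower priority number is evaluated first, that traffic matching no rule is dropped, and that an empty whitelist leaves that layer unset.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    priority: int         # assumption: lower number is evaluated first
    action: str           # "allow" or "deny"
    protocol: str         # "tcp", "udp" or "any"
    port: Optional[int]   # None matches every port
    cidr: str             # source CIDR, IPv4 or IPv6

def in_cidr(src, cidr):
    addr, net = ipaddress.ip_address(src), ipaddress.ip_network(cidr)
    return addr.version == net.version and addr in net

def evaluate(src, protocol, port, whitelist, rules):
    """Return (verdict, reason) for one flow arriving at the VIP."""
    # Layer 1: whitelist. Assumption: an empty list means the layer is unset.
    if whitelist and not any(in_cidr(src, c) for c in whitelist):
        return "drop", "whitelist"
    # Layer 2: security group; the first matching rule in priority order decides.
    for r in sorted(rules, key=lambda r: r.priority):
        if r.protocol in ("any", protocol) and r.port in (None, port) and in_cidr(src, r.cidr):
            return ("pass" if r.action == "allow" else "drop"), f"rule {r.priority}"
    return "drop", "no rule matched"   # assumption: default deny

def unreachable_allows(whitelist, rules):
    """Priorities of allow rules whose source CIDR overlaps no whitelist entry."""
    nets = [ipaddress.ip_network(c) for c in whitelist]
    out = []
    for r in rules:
        rn = ipaddress.ip_network(r.cidr)
        if r.action == "allow" and nets and not any(
                n.version == rn.version and n.overlaps(rn) for n in nets):
            out.append(r.priority)
    return out

# Constructed sample policy using documentation address ranges.
WHITELIST = ["203.0.113.0/24"]
RULES = [
    Rule(10, "deny", "tcp", 443, "203.0.113.128/25"),
    Rule(20, "allow", "tcp", 443, "203.0.113.0/24"),
    Rule(30, "allow", "tcp", 443, "198.51.100.0/24"),   # never reached: not whitelisted
]

if __name__ == "__main__":
    for src in ("203.0.113.10", "203.0.113.200", "198.51.100.7"):
        print(src, evaluate(src, "tcp", 443, WHITELIST, RULES))
    print("unreachable allow rules:", unreachable_allows(WHITELIST, RULES))
```

Rule 30 shows the interaction worth checking for: a security-group allow has no effect when the whitelist does not also cover that source.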

Relationship to Other Products

Product | How it relates
Elastic IP | VIPs are EIPs. Allocating, releasing, and billing follow the EIP lifecycle.
NAT Gateway | Both can bring public traffic into the VPC. NAT Gateway DNAT maps a single public EIP:port to a single private IP:port — no health check, no scheduling across a pool. Use Load Balancer when you need a pool of backends with health checks and a scheduling algorithm in front of them; use NAT Gateway DNAT when you just need a static one-to-one port forward.
Border Gateway | Border Gateway connects networks at the routing layer. Load Balancer is a service entry point. If you need to reach load balancer backends from another VPC or another cloud, Border Gateway carries the private network path; the load balancer still sits in front of the service.
Security Group | Security groups can apply to the load balancer VIP for ingress filtering, and separately to backend VMs for defense in depth.

Limits

Resource                    | Limit
Load Balancers per region   | 10
EIPs per Load Balancer      | 10
Listeners per Load Balancer | 10
