Integrating a network load balancer with IBM Cloud DNS Services
IBM Cloud® Network Load Balancer for VPC allows you to bind a DNS zone from IBM Cloud DNS Services to move all DNS resolutions into private networks.
IBM Cloud DNS Services provides private DNS to VPC users. Private DNS zones are resolvable only on IBM Cloud, and only from explicitly permitted networks in an account or with cross-account access.
Do not remove or modify the DNS records created by the load balancer service. Doing so can result in your private DNS and load balancer configurations becoming out of sync, which can cause data path issues.
For more information about linking your own private DNS record name to a load balancer, refer to the solution tutorial Team based privacy using IAM, VPC, Transit Gateway and DNS.
Before you begin
Before binding DNS zones to load balancers, you must first create DNS zones and grant load balancer service access.
-
DNS zones must be created before they can be bound to a load balancer. For more information, see Managing DNS zones.
-
To give a load balancer access to your DNS zone, you must enable service-to-service authorization. This grants your load balancer access to the DNS zone. For more information, see Granting access between services. Make sure to choose VPC Infrastructure Services as the source service, Load Balancer for VPC as the resource type, DNS Services as the target service, and assign the Manager service access role.
Working with DNS zones in the UI
You can bind and unbind DNS zones to a network load balancer during provisioning, or to an existing load balancer.
Binding DNS zones when creating a load balancer in the UI
You can bind a DNS zone to a load balancer when you create a load balancer. If you do not specify a DNS zone during load balancer creation, the default zone is used. By default, the load balancer hostname is a subdomain of lb.appdomain.cloud
and is publicly visible.
To bind a DNS zone when creating a load balancer, follow these steps:
- From your browser, open the IBM Cloud console and log in to your account.
- Select the Navigation Menu , then click Infrastructure > Network > Load balancers.
- Click Create.
- Configure the VPC, type, subnet, listeners, and pools as needed.
- Under the DNS type section, choose Private.
- Click Bind+ to enter DNS instance, and DNS zone information.
- Click Create to provision the load balancer.
Binding a DNS zone to an existing load balancer in the UI
To bind a DNS zone to an existing load balancer, follow these steps:
- From your browser, open the IBM Cloud console and log in to your account.
- Select the Navigation Menu , then click Infrastructure > Network > Load balancers.
- From the list of load balancers, select the load balancer to view its details page.
- Click Bind private DNS in the Private DNS section.
- Enter the DNS instance, and DNS zone information.
- Click Bind private DNS to bind the DNS zone to your load balancer.
When migrating to a private DNS zone for an existing load balancer, the default A records in lb.appdomain.cloud
are removed. To prepare your client devices, create a CNAME record with the default hostname under the wanted private
DNS zone before the migration. After configuring all client devices to use the new private DNS zone, you can then delete the CNAME record and begin the migration. This allows the client devices to cache the private DNS hostname until the
A records are created.
Unbinding a DNS zone to an existing load balancer in the UI
To unbind a DNS zone from a load balancer, follow these steps:
- From your browser, open the IBM Cloud console and log in to your account.
- Select the Navigation Menu , then click Infrastructure > Network > Load balancers.
- From the list of load balancers, select the load balancer to view its details page.
- Click the Unbind button in the Private DNS section
- Verify the action by clicking Unbind again.
Working with DNS zones from the CLI
You can bind and unbind DNS zones to a network load balancer during provisioning, or to an existing load balancer.
Creating a load balancer bound to a private DNS zone from the CLI
You need the CRN of the private DNS that you want to bind to your load balancer. To find it, click Navigation Menu > Resource List from the IBM Cloud console. Click the table row of the DNS whose CRN you want to find. The CRN is shown in the side panel that appears.
To create a network load balancer with a private DNS zone, follow these steps:
-
Set up your CLI environment.
-
Use the terminal to log in to your account. After you enter the password, the system prompts which account and region that you want to use:
ibmcloud login --sso
-
Create your load balancer:
ibmcloud is lbc pdns-nlb-example private --subnet 0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024 --family application --dns-instance-crn crn:v1:bluemix:public:dns-svcs:global:a/be636a7a6e4d4b6296bedf669ce8f757:c7295f57-4d25-4832-9d7e-a032de0c278c:: --dns-zone-id 0671b738-57f0-468e-8086-10bc480ac00e
Sample output:
ID r014-e424acb0-24af-49a0-ab50-c5969304eb94
Name pdns-nlb-example
CRN crn:v1:bluemix:public:is:us-east:a/be636a7a6e4d4b6296bedf669ce8f757::load-balancer:r014-e424acb0-24af-49a0-ab50-c5969304eb94
Family Application
Datapath logging active false
Host name e424acb0-us-east.example.com
Subnets ID Name
0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024 lb-subnet
Public IPs
Private IPs
Provision status create_pending
Operating status offline
Is public false
Listeners
Pools ID Name
Resource group ID Name
42c4f51adc3147b4b4049ad9826c30a1 Default
Created 2023-02-10T13:18:11-06:00
DNS Instance CRN Zone
crn:v1:bluemix:public:dns-svcs:global:a/be636a7a6e4d4b6296bedf669ce8f757:c7295f57-4d25-4832-9d7e-a032de0c278c:: 0671b738-57f0-468e-8086-10bc480ac00e
Instance Group Supported -
SourceIP Session Supported -
Security groups ID Name
r014-b739c959-fb3c-44cc-9ec5-41c45b4d637e astonish-backing-shadiness-frostlike-cosmos-hunk
UDP Supported false
Binding an existing load balancer to a private DNS zone from the CLI
You need the CRN of the private DNS that you want to bind to your load balancer. To find it, click Navigation Menu > Resource List from the IBM Cloud console. Click the table row of the DNS whose CRN you want to find. The CRN is shown in the side panel that appears.
To use the CLI to update a network load balancer with a private DNS zone, follow these steps:
-
Set up your CLI environment.
-
Log in to your account using the CLI. After you enter the password, the system prompts which account and region that you want to use:
ibmcloud login --sso
-
Update your load balancer with the private DNS zone information:
ibmcloud is load-balancer-update pdns-nlb-update-example --dns-instance-crn crn:v1:bluemix:public:dns-svcs:global:a/be636a7a6e4d4b6296bedf669ce8f757:c7295f57-4d25-4832-9d7e-a032de0c278c:: --dns-zone-id 0671b738-57f0-468e-8086-10bc480ac00e
Sample output:
ID r014-e68a40fb-2b94-4a92-b8bd-dc9bb92c3ef3
Name pdns-nlb-update-example
CRN crn:v1:bluemix:public:is:us-east:a/be636a7a6e4d4b6296bedf669ce8f757::load-balancer:r014-e68a40fb-2b94-4a92-b8bd-dc9bb92c3ef3
Family Application
Datapath logging active false
Host name e68a40fb-us-east.example.com
Subnets ID Name
0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024 lb-subnet
Public IPs
Reserved IPs ID Address Subnet
0767-16871e0f-c43a-4b6e-8491-a3e075362046 10.241.64.11 0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024
0767-a7db5d37-42cf-473e-ab27-07b679d64ceb 10.241.64.12 0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024
Provision status update_pending
Operating status online
Is public false
Listeners
Pools ID Name
Resource group ID Name
42c4f51adc3147b4b4049ad9826c30a1 Default
Created 2023-02-10T13:36:44-06:00
DNS Instance CRN Zone
crn:v1:bluemix:public:dns-svcs:global:a/be636a7a6e4d4b6296bedf669ce8f757:c7295f57-4d25-4832-9d7e-a032de0c278c:: 0671b738-57f0-468e-8086-10bc480ac00e
Instance Group Supported -
SourceIP Session Supported -
Security groups ID Name
r014-b739c959-fb3c-44cc-9ec5-41c45b4d637e astonish-backing-shadiness-frostlike-cosmos-hunk
UDP Supported false
Unbinding an existing load balancer from a private DNS zone from the CLI
To update a network load balancer with the default public DNS zone, follow these steps:
-
Set up your CLI environment.
-
Log in to your account. After you enter the password, the system prompts which account and region that you want to use:
ibmcloud login --sso
-
Update your load balancer with
reset-dns
flag.ibmcloud is load-balancer-update pdns-nlb-update-example --reset-dns
Sample output:
ID r014-e68a40fb-2b94-4a92-b8bd-dc9bb92c3ef3
Name pdns-nlb-update-example
CRN crn:v1:bluemix:public:is:us-east:a/be636a7a6e4d4b6296bedf669ce8f757::load-balancer:r014-e68a40fb-2b94-4a92-b8bd-dc9bb92c3ef3
Family Application
Datapath logging active false
Host name e68a40fb-us-east.lb.appdomain.cloud
Subnets ID Name
0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024 lb-subnet
Public IPs
Reserved IPs ID Address Subnet
0767-16871e0f-c43a-4b6e-8491-a3e075362046 10.241.64.11 0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024
0767-a7db5d37-42cf-473e-ab27-07b679d64ceb 10.241.64.12 0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024
Provision status update_pending
Operating status online
Is public false
Listeners
Pools ID Name
Resource group ID Name
42c4f51adc3147b4b4049ad9826c30a1 Default
Created 2023-02-10T13:36:44-06:00
Instance Group Supported -
SourceIP Session Supported -
Security groups ID Name
r014-b739c959-fb3c-44cc-9ec5-41c45b4d637e astonish-backing-shadiness-frostlike-cosmos-hunk
UDP Supported false
Working with DNS zones with the API
You can bind and unbind DNS zones to a network load balancer during provisioning, or to an existing load balancer.
Creating a load balancer bound to a private DNS zone with the API
You need the CRN of the private DNS that you want to bind to your load balancer. To find it, click Navigation Menu > Resource List from the IBM Cloud console. Click the table row of the DNS whose CRN you want to find. The CRN is shown in the side panel that appears.
To specify a private DNS zone during creation:
Specify the dns
information in the POST /load_balancers
call. For more information about this creation payload, see Creating an application load balancer with the API.
{
"name": "pdns-nlb-example",
"is_public": false,
"dns": {
"instance": {
"crn": "crn:v1:bluemix:public:dns-svcs:global:a/be636a7a6e4d4b6296bedf669ce8f757:c7295f57-4d25-4832-9d7e-a032de0c278c::"
},
"zone": {
"id": "0671b738-57f0-468e-8086-10bc480ac00e"
}
},
"subnets": [
{
"id": "0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024"
}
]
}
Sample output:
{
"id": "r014-eac21cde-a4ce-4980-b037-fc3507112955",
"name": "pdns-nlb-example",
"href": "https://us-east.iaas.cloud.ibm.com/v1/load_balancers/r014-eac21cde-a4ce-4980-b037-fc3507112955",
"crn": "crn:v1:bluemix:public:is:us-east:a/be636a7a6e4d4b6296bedf669ce8f757::load-balancer:r014-eac21cde-a4ce-4980-b037-fc3507112955",
"is_public": false,
"created_at": "2023-02-13T18:58:12Z",
"hostname": "eac21cde-us-east.example.com",
"listeners": [],
"operating_status": "offline",
"pools": [],
"private_ips": [],
"provisioning_status": "create_pending",
"public_ips": [],
"subnets": [
{
"id": "0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024",
"href": "https://us-east.iaas.cloud.ibm.com/v1/subnets/0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024",
"crn": "crn:v1:bluemix:public:is:us-east-2:a/be636a7a6e4d4b6296bedf669ce8f757::subnet:0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024",
"name": "lb-subnet"
}
],
"resource_group": {
"id": "42c4f51adc3147b4b4049ad9826c30a1",
"href": "https://resource-controller.cloud.ibm.com/v1/resource_groups/42c4f51adc3147b4b4049ad9826c30a1",
"name": "Default"
},
"resource_type": "load_balancer",
"logging": {
"datapath": {
"active": false
}
},
"profile": {
"href": "https://us-east.iaas.cloud.ibm.com/v1/load_balancer/profiles/dynamic",
"name": "dynamic",
"family": "Application"
},
"security_groups": [
{
"id": "r014-b739c959-fb3c-44cc-9ec5-41c45b4d637e",
"href": "https://us-east.iaas.cloud.ibm.com/v1/security_groups/r014-b739c959-fb3c-44cc-9ec5-41c45b4d637e",
"crn": "crn:v1:bluemix:public:is:us-east:a/be636a7a6e4d4b6296bedf669ce8f757::security-group:r014-b739c959-fb3c-44cc-9ec5-41c45b4d637e",
"name": "astonish-backing-shadiness-frostlike-cosmos-hunk"
}
],
"security_group_supported": true,
"route_mode": false,
"udp_supported": false,
"dns": {
"instance": {
"crn": "crn:v1:bluemix:public:dns-svcs:global:a/be636a7a6e4d4b6296bedf669ce8f757:c7295f57-4d25-4832-9d7e-a032de0c278c::"
},
"zone": {
"id": "0671b738-57f0-468e-8086-10bc480ac00e"
}
}
}
Binding an existing load balancer to a private DNS zone with the API
You need the CRN of the private DNS that you want to bind to your load balancer. To find it, click Navigation Menu > Resource List from the IBM Cloud console. Click the table row of the DNS whose CRN you want to find. The CRN is shown in the side panel that appears.
To use the API to bind an existing load balancer to a private DNS zone:
Specify the dns
information in the PATCH /load_balancers
call. For more information about this PATCH
payload, see Creating an application load balancer with the API.
{
"dns": {
"instance": {
"crn": "crn:v1:bluemix:public:dns-svcs:global:a/be636a7a6e4d4b6296bedf669ce8f757:c7295f57-4d25-4832-9d7e-a032de0c278c::"
},
"zone": {
"id": "0671b738-57f0-468e-8086-10bc480ac00e"
}
}
}
Sample output:
{
"id": "r014-e68a40fb-2b94-4a92-b8bd-dc9bb92c3ef3",
"name": "pdns-nlb-update-example",
"href": "https://us-east.iaas.cloud.ibm.com/v1/load_balancers/r014-e68a40fb-2b94-4a92-b8bd-dc9bb92c3ef3",
"crn": "crn:v1:bluemix:public:is:us-east:a/be636a7a6e4d4b6296bedf669ce8f757::load-balancer:r014-e68a40fb-2b94-4a92-b8bd-dc9bb92c3ef3",
"is_public": false,
"created_at": "2023-02-10T19:36:44Z",
"hostname": "e68a40fb-us-east.example.com",
"listeners": [],
"operating_status": "online",
"pools": [],
"private_ips": [
{
"address": "10.241.64.11",
"href": "https://us-east.iaas.cloud.ibm.com/v1/subnets/0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024/reserved_ips/0767-16871e0f-c43a-4b6e-8491-a3e075362046",
"id": "0767-16871e0f-c43a-4b6e-8491-a3e075362046",
"name": "yapping-extract-reawake-bullhorn",
"resource_type": "subnet_reserved_ip"
},
{
"address": "10.241.64.12",
"href": "https://us-east.iaas.cloud.ibm.com/v1/subnets/0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024/reserved_ips/0767-a7db5d37-42cf-473e-ab27-07b679d64ceb",
"id": "0767-a7db5d37-42cf-473e-ab27-07b679d64ceb",
"name": "dioxide-stylized-headway-despise",
"resource_type": "subnet_reserved_ip"
}
],
"provisioning_status": "update_pending",
"public_ips": [],
"subnets": [
{
"id": "0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024",
"href": "https://us-east.iaas.cloud.ibm.com/v1/subnets/0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024",
"crn": "crn:v1:bluemix:public:is:us-east-2:a/be636a7a6e4d4b6296bedf669ce8f757::subnet:0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024",
"name": "lb-subnet"
}
],
"resource_group": {
"id": "42c4f51adc3147b4b4049ad9826c30a1",
"href": "https://resource-controller.cloud.ibm.com/v1/resource_groups/42c4f51adc3147b4b4049ad9826c30a1",
"name": "Default"
},
"resource_type": "load_balancer",
"logging": {
"datapath": {
"active": false
}
},
"profile": {
"href": "https://us-east.iaas.cloud.ibm.com/v1/load_balancer/profiles/dynamic",
"name": "dynamic",
"family": "Application"
},
"security_groups": [
{
"id": "r014-b739c959-fb3c-44cc-9ec5-41c45b4d637e",
"href": "https://us-east.iaas.cloud.ibm.com/v1/security_groups/r014-b739c959-fb3c-44cc-9ec5-41c45b4d637e",
"crn": "crn:v1:bluemix:public:is:us-east:a/be636a7a6e4d4b6296bedf669ce8f757::security-group:r014-b739c959-fb3c-44cc-9ec5-41c45b4d637e",
"name": "astonish-backing-shadiness-frostlike-cosmos-hunk"
}
],
"security_group_supported": true,
"route_mode": false,
"udp_supported": false,
"dns": {
"instance": {
"crn": "crn:v1:bluemix:public:dns-svcs:global:a/be636a7a6e4d4b6296bedf669ce8f757:c7295f57-4d25-4832-9d7e-a032de0c278c::"
},
"zone": {
"id": "0671b738-57f0-468e-8086-10bc480ac00e"
}
}
}
Unbinding an existing load balancer from a private DNS zone with the API
To use the API to unbind an existing load balancer to a private DNS zone:
Specify null dns
information in the PATCH /load_balancers call
. For more information about this PATCH
payload, see Creating an application load balancer with the API.
{
"dns": null
}
Sample output:
{
"id": "r014-e68a40fb-2b94-4a92-b8bd-dc9bb92c3ef3",
"name": "pdns-nlb-update-example",
"href": "https://us-east.iaas.cloud.ibm.com/v1/load_balancers/r014-e68a40fb-2b94-4a92-b8bd-dc9bb92c3ef3",
"crn": "crn:v1:bluemix:public:is:us-east:a/be636a7a6e4d4b6296bedf669ce8f757::load-balancer:r014-e68a40fb-2b94-4a92-b8bd-dc9bb92c3ef3",
"is_public": false,
"created_at": "2023-02-10T19:36:44Z",
"hostname": "e68a40fb-us-east.lb.appdomain.cloud",
"listeners": [],
"operating_status": "online",
"pools": [],
"private_ips": [
{
"address": "10.241.64.11",
"href": "https://us-east.iaas.cloud.ibm.com/v1/subnets/0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024/reserved_ips/0767-16871e0f-c43a-4b6e-8491-a3e075362046",
"id": "0767-16871e0f-c43a-4b6e-8491-a3e075362046",
"name": "yapping-extract-reawake-bullhorn",
"resource_type": "subnet_reserved_ip"
},
{
"address": "10.241.64.12",
"href": "https://us-east.iaas.cloud.ibm.com/v1/subnets/0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024/reserved_ips/0767-a7db5d37-42cf-473e-ab27-07b679d64ceb",
"id": "0767-a7db5d37-42cf-473e-ab27-07b679d64ceb",
"name": "dioxide-stylized-headway-despise",
"resource_type": "subnet_reserved_ip"
}
],
"provisioning_status": "update_pending",
"public_ips": [],
"subnets": [
{
"id": "0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024",
"href": "https://us-east.iaas.cloud.ibm.com/v1/subnets/0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024",
"crn": "crn:v1:bluemix:public:is:us-east-2:a/be636a7a6e4d4b6296bedf669ce8f757::subnet:0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024",
"name": "lb-subnet"
}
],
"resource_group": {
"id": "42c4f51adc3147b4b4049ad9826c30a1",
"href": "https://resource-controller.cloud.ibm.com/v1/resource_groups/42c4f51adc3147b4b4049ad9826c30a1",
"name": "Default"
},
"resource_type": "load_balancer",
"logging": {
"datapath": {
"active": false
}
},
"profile": {
"href": "https://us-east.iaas.cloud.ibm.com/v1/load_balancer/profiles/dynamic",
"name": "dynamic",
"family": "Application"
},
"security_groups": [
{
"id": "r014-b739c959-fb3c-44cc-9ec5-41c45b4d637e",
"href": "https://us-east.iaas.cloud.ibm.com/v1/security_groups/r014-b739c959-fb3c-44cc-9ec5-41c45b4d637e",
"crn": "crn:v1:bluemix:public:is:us-east:a/be636a7a6e4d4b6296bedf669ce8f757::security-group:r014-b739c959-fb3c-44cc-9ec5-41c45b4d637e",
"name": "astonish-backing-shadiness-frostlike-cosmos-hunk"
}
],
"security_group_supported": true,
"route_mode": false,
"udp_supported": false,
"dns": null
}