How to add a Load Balancer to a ZTNA Inverse Flow on Digibee

Learn how to configure a Load Balancer in a ZTNA Inverse Flow on the Digibee Integration Platform.

Overview

In a ZTNA (Zero Trust Network Access) Inverse Flow, communication is initiated from outside the Platform toward Digibee's internal pipelines. Traffic follows this path:

External endpoint → Load Balancer → Edge Router(s) → Digibee Integration Platform

Without a Load Balancer, all traffic is directed to a single Edge Router, creating a single point of failure: if the Edge Router becomes unavailable, communication is interrupted.

With a Load Balancer in your infrastructure, traffic is distributed across two or more Edge Routers, ensuring high availability and integration continuity even if one instance fails.

The Load Balancer described in this quickstart is a component of your own cloud infrastructure (AWS, Azure, GCP, or on-premises), not a native component of the Digibee Integration Platform. You are responsible for provisioning and maintaining it.

What you'll need

Before you begin, make sure you have:

Connectivity Manager permission in your Digibee Platform realm.
The ZTNA Inverse Flow enabled in your realm. If it has not been enabled yet, contact Digibee Support and provide your Edge Router details:
- The IP address or DNS of the Edge Router you configured in your infrastructure.
- The port to send traffic to.
At least two Edge Routers registered and active in the same environment (Test or Production). To learn how to create an Edge Router, see how to add a new Edge Router connection.
An Inverse Network Mapping already configured. If you have not created one yet, see how to create an Inverse Network Mapping.
Access to your cloud platform console (AWS, Azure, or GCP) or your on-premises infrastructure to provision the Load Balancer.

Step by step

Prepare the Edge Routers to receive traffic from the Load Balancer

The Load Balancer performs periodic health checks on Edge Routers to determine which instances are ready to receive traffic. For these checks to work, each Edge Router must have the health check port accessible from the Load Balancer.

If the firewall rule is not configured correctly, the Load Balancer will mark the Edge Routers as unhealthy and will not distribute traffic to them, even if they are running.

By default, Edge Routers expose the health check endpoint on TCP port 8081 at the path /health-checks.

On each Edge Router instance, add a firewall rule to allow health check requests originating from the Load Balancer:

sudo ufw allow from <Load-Balancer-IP-or-CIDR> proto tcp to any port 8081

Replace <Load-Balancer-IP-or-CIDR> with the IP address or CIDR block of your cloud infrastructure. Refer to your cloud provider's documentation to get the IP ranges used by health checks.

Create the Load Balancer in your cloud infrastructure

Create a Network Load Balancer in your cloud platform console and configure it to distribute traffic across the Edge Routers.

In the AWS console, go to EC2, then Load Balancers, and click Create load balancer.
Select the Network Load Balancer type.
Fill in the basic settings: name, scheme (internal or internet-facing), and IP address type (only IPv4 is supported).
Go to EC2, then Target Groups, and create a Target Group with the following settings:
1. Protocol: TCP
2. Port: Port configured in your Inverse Network Mapping
3. Health check protocol: HTTPS
4. Health check port: 8081
5. Health check path: /health-checks
Register the two or more Edge Routers as targets in the Target Group.
Associate the Target Group with the Load Balancer and complete the creation.

In the Azure portal, search for Load Balancer and click Create Load Balancer.
Select the following options: Standard, Internal, and Regional.
Configure the Frontend IP with the private address that will receive traffic.
Configure the Backend Pool by adding the two or more Edge Routers as backend instances.
Configure the Health Probe:
1. Protocol: TCP
2. Port: 8081
Configure the Load Balancing Rule to forward incoming traffic to the Edge Routers.
Add the following firewall rule on each Edge Router to allow Azure health checks:

sudo ufw allow in to any port 8081 proto tcp from 168.63.129.16

In the GCP console, go to Compute Engine, then Instance Groups. Create an Unmanaged Instance Group for each availability zone that will contain Edge Routers.
Add the Edge Routers to the corresponding Instance Group.
Go to Compute Engine, then Health Checks, and create a health check with the following settings:
- Protocol: TCP
- Port: 8081
Create an Internal TCP/UDP Load Balancer (select Only between my VMs and Single region only).
Associate the Instance Group as the backend and apply the health check you created.
Configure the Frontend with the IP address and port that will receive external traffic.
Allow GCP health checks on each Edge Router:

sudo ufw allow from 130.211.0.0/22 proto tcp to any port 8081
sudo ufw allow from 35.191.0.0/16 proto tcp to any port 8081

After creation, note the IP address or DNS of the Load Balancer. You will need this information to update the Inverse Network Mapping in Digibee.

Update the Inverse Network Mapping with the Load Balancer address

With the Load Balancer provisioned, update the Inverse Network Mapping in Digibee so that traffic is directed to the Load Balancer instead of to an individual Edge Router.

On the Digibee Integration Platform home page, click Connectivity in the upper right corner.
Click the Network Mapping tab.
Locate the Inverse Flow Network Mapping you want to update. Inverse flows are identified with a reverse direction icon (⏮️).
Click the edit icon (pencil) next to the Network Mapping.
In the Host field, replace the individual Edge Router address with the IP address or DNS of the Load Balancer created in the previous step.
Confirm that the Port is aligned with the Load Balancer configuration.
Click Save.

After saving, traffic arriving at the Inverse Flow will pass through the Load Balancer, which will distribute it across available Edge Routers. If an Edge Router fails the health check, the Load Balancer will automatically redirect traffic to the remaining ones.

Validate the configuration

Send a test request to the Inverse Flow endpoint.
Check in your cloud platform console whether the Load Balancer is distributing traffic across the Edge Routers and whether all targets have a Healthy status.
To simulate an Edge Router failure, pause one of the instances and confirm that requests continue to be processed by the remaining ones.

What to do if Edge Routers appear as unhealthy in the Load Balancer?

If Edge Routers appear as unhealthy in the Target Group or Backend Pool, check the following:

Confirm that port 8081 is open in the firewall of each Edge Router for the health check IPs of your cloud provider.
Confirm that the health check is configured with the correct protocol (HTTPS for AWS, TCP for Azure and GCP) and the path /health-checks where applicable.
Verify that the Edge Router is running and correctly registered in the Digibee Integration Platform. You can confirm the status in the Edge Router tab on the Connectivity page.

Next steps

Now that the Load Balancer is distributing traffic across your Edge Routers, read ZTNA requirements to understand the Edge Router VM sizing recommendations and ensure your infrastructure is prepared to handle the expected traffic volume.

How to add new Edge Router connections: Learn how to register new Edge Routers in the Digibee Integration Platform.
ZTNA groups: Learn how to organize your Edge Routers into groups to simplify route management.

PreviousZTNA Inverse Flow NextZTNA Groups

Last updated 21 days ago

Was this helpful?