# How to add a Load Balancer to a ZTNA Inverse Flow on Digibee

## Overview

In a ZTNA (Zero Trust Network Access) [Inverse Flow](/documentation/developer-guide/connectivity-management/ztna/ztna-inverse-flow.md), communication is initiated from outside the Platform toward Digibee's internal pipelines. Traffic follows this path:

> External endpoint → Load Balancer → Edge Router(s) → Digibee Integration Platform

Without a **Load Balancer**, all traffic is directed to a single Edge Router, creating a single point of failure: if the Edge Router becomes unavailable, communication is interrupted.

With a Load Balancer in your infrastructure, traffic is distributed across two or more Edge Routers, ensuring high availability and integration continuity even if one instance fails.

The Load Balancer described in this quickstart is a component of your own cloud infrastructure (AWS, Azure, GCP, or on-premises), not a native component of the Digibee Integration Platform. You are responsible for provisioning and maintaining it.

## What you'll need

Before you begin, make sure you have:

* [Connectivity Manager](/documentation/developer-guide/platform-administration/administration/new-access-control/access-control-roles.md#connectivity-manager) permission in your Digibee Platform realm.
* The ZTNA Inverse Flow enabled in your realm. If it has not been enabled yet, contact Digibee Support and provide your Edge Router details:
  * The IP address or DNS of the Edge Router you configured in your infrastructure.
  * The port to send traffic to.
* At least two Edge Routers registered and active in the same environment (Test or Production). To learn how to create an Edge Router, see [how to add a new Edge Router connection](/documentation/developer-guide/connectivity-management/ztna/new-connections.md).
* An Inverse Network Mapping already configured. If you have not created one yet, see [how to create an Inverse Network Mapping](/documentation/developer-guide/connectivity-management/ztna/ztna-inverse-flow.md#create-inverse-network-mappings).
* Access to your cloud platform console (AWS, Azure, or GCP) or your on-premises infrastructure to provision the Load Balancer.

## Step by step

{% stepper %}
{% step %}

### Prepare the Edge Routers to receive traffic from the Load Balancer

The Load Balancer performs periodic health checks on Edge Routers to determine which instances are ready to receive traffic. For these checks to work, each Edge Router must have the health check port accessible from the Load Balancer.

If the firewall rule is not configured correctly, the Load Balancer will mark the Edge Routers as unhealthy and will not distribute traffic to them, even if they are running.

By default, Edge Routers expose the health check endpoint on **TCP port 8081** at the path `/health-checks`.

1. On each Edge Router instance, add a firewall rule to allow health check requests originating from the Load Balancer:

```shellscript
sudo ufw allow from <Load-Balancer-IP-or-CIDR> proto tcp to any port 8081
```

2. Replace `<Load-Balancer-IP-or-CIDR>` with the IP address or CIDR block of your cloud infrastructure. Refer to your cloud provider's documentation to get the IP ranges used by health checks.
{% endstep %}

{% step %}

### Create the Load Balancer in your cloud infrastructure

Create a **Network Load Balancer** in your cloud platform console and configure it to distribute traffic across the Edge Routers.

{% tabs %}
{% tab title="AWS" %}

1. In the AWS console, go to **EC2**, then **Load Balancers**, and click **Create load balancer**.
2. Select the **Network Load Balancer** type.
3. Fill in the basic settings: name, scheme (internal or internet-facing), and IP address type (only IPv4 is supported).
4. Go to **EC2**, then **Target Groups**, and create a Target Group with the following settings:
   1. **Protocol:** TCP
   2. **Port:** Port configured in your Inverse Network Mapping
   3. **Health check protocol:** HTTPS
   4. **Health check port:** 8081
   5. **Health check path:** `/health-checks`
5. Register the two or more Edge Routers as targets in the Target Group.
6. Associate the Target Group with the Load Balancer and complete the creation.
{% endtab %}

{% tab title="Azure" %}

1. In the Azure portal, search for **Load Balancer** and click **Create Load Balancer**.
2. Select the following options: **Standard**, **Internal**, and **Regional**.
3. Configure the **Frontend IP** with the private address that will receive traffic.
4. Configure the **Backend Pool** by adding the two or more Edge Routers as backend instances.
5. Configure the **Health Probe**:
   1. Protocol: TCP
   2. Port: 8081
6. Configure the **Load Balancing Rule** to forward incoming traffic to the Edge Routers.
7. Add the following firewall rule on each Edge Router to allow Azure health checks:

```shellscript
sudo ufw allow in to any port 8081 proto tcp from 168.63.129.16
```

{% endtab %}

{% tab title="GCP" %}

1. In the GCP console, go to **Compute Engine**, then **Instance Groups**. Create an **Unmanaged Instance Group** for each availability zone that will contain Edge Routers.
2. Add the Edge Routers to the corresponding Instance Group.
3. Go to **Compute Engine**, then **Health Checks**, and create a health check with the following settings:
   * **Protocol**: TCP
   * **Port**: 8081
4. Create an **Internal TCP/UDP Load Balancer** (select **Only between my VMs** and **Single region only**).
5. Associate the Instance Group as the backend and apply the health check you created.
6. Configure the **Frontend** with the IP address and port that will receive external traffic.
7. Allow GCP health checks on each Edge Router:

```shellscript
sudo ufw allow from 130.211.0.0/22 proto tcp to any port 8081
sudo ufw allow from 35.191.0.0/16 proto tcp to any port 8081
```

{% endtab %}
{% endtabs %}

{% hint style="info" %}
After creation, note the IP address or DNS of the Load Balancer. You will need this information to update the Inverse Network Mapping in Digibee.
{% endhint %}
{% endstep %}

{% step %}

### Update the Inverse Network Mapping with the Load Balancer address

With the Load Balancer provisioned, update the Inverse Network Mapping in Digibee so that traffic is directed to the Load Balancer instead of to an individual Edge Router.

1. On the Digibee Integration Platform home page, click **Connectivity** in the upper right corner.
2. Click the **Network Mapping** tab.
3. Locate the Inverse Flow Network Mapping you want to update. Inverse flows are identified with a **reverse direction icon** (⏮️).
4. Click the **edit icon (pencil)** next to the Network Mapping.
5. In the **Host** field, replace the individual Edge Router address with the IP address or DNS of the Load Balancer created in the previous step.
6. Confirm that the **Port** is aligned with the Load Balancer configuration.
7. Click **Save**.

After saving, traffic arriving at the Inverse Flow will pass through the Load Balancer, which will distribute it across available Edge Routers. If an Edge Router fails the health check, the Load Balancer will automatically redirect traffic to the remaining ones.
{% endstep %}

{% step %}

### Validate the configuration

1. Send a test request to the Inverse Flow endpoint.
2. Check in your cloud platform console whether the Load Balancer is distributing traffic across the Edge Routers and whether all targets have a **Healthy** status.
3. To simulate an Edge Router failure, pause one of the instances and confirm that requests continue to be processed by the remaining ones.
{% endstep %}
{% endstepper %}

<details>

<summary><strong>What to do if Edge Routers appear as unhealthy in the Load Balancer?</strong></summary>

If Edge Routers appear as unhealthy in the Target Group or Backend Pool, check the following:

* Confirm that port 8081 is open in the firewall of each Edge Router for the health check IPs of your cloud provider.
* Confirm that the health check is configured with the correct protocol (HTTPS for AWS, TCP for Azure and GCP) and the path `/health-checks` where applicable.
* Verify that the Edge Router is running and correctly registered in the Digibee Integration Platform. You can confirm the status in the **Edge Router** tab on the Connectivity page.

</details>
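
As an added example (not Digibee's tooling), the script below reproduces the Load Balancer's health check from your own host so that the causes listed above can be told apart: a timeout points at the firewall rule on port 8081, a refused connection at an Edge Router that is not running, and a TLS failure at a mismatch between the probe protocol and the endpoint. The `mode` switch and any host names you pass in are assumptions; 8081 and `/health-checks` are the defaults stated on this page.

```python
# Added example, not Digibee's code: reproduce the Load Balancer's health check
# against each Edge Router to diagnose targets that show as unhealthy.
import http.client
import socket
import ssl
from dataclasses import dataclass

HEALTH_PORT = 8081               # default Edge Router health check port
HEALTH_PATH = "/health-checks"   # default Edge Router health check path

@dataclass
class ProbeResult:
    host: str
    healthy: bool
    reason: str  # short, actionable diagnosis

def evaluate(status, exc):
    """Map an HTTP status (or the exception that prevented one) to a diagnosis."""
    if exc is None:
        ok = 200 <= status < 300
        return ok, "healthy" if ok else f"http {status}"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return False, "timeout: port filtered, check the firewall rule for the health check source"
    if isinstance(exc, ConnectionRefusedError):
        return False, "refused: nothing listening on the health check port"
    if isinstance(exc, ssl.SSLError):
        return False, "tls: handshake failed, probe protocol does not match the endpoint"
    return False, f"error: {type(exc).__name__}"

def probe(host, port=HEALTH_PORT, path=HEALTH_PATH, mode="https", timeout=3.0):
    """mode='https' mirrors the AWS probe (GET path, expect 2xx);
    mode='tcp' mirrors the Azure/GCP probe (a completed TCP connect passes)."""
    status, exc = None, None
    try:
        if mode == "tcp":
            socket.create_connection((host, port), timeout=timeout).close()
            status = 200  # connect succeeded: a TCP probe would pass
        else:
            ctx = ssl.create_default_context()  # reachability probe, so skip cert checks
            ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
            conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
            conn.request("GET", path)
            status = conn.getresponse().status
            conn.close()
    except OSError as e:  # timeout, refused, DNS and ssl.SSLError are all OSError subclasses
        exc = e
    healthy, reason = evaluate(status, exc)
    return ProbeResult(host, healthy, reason)
```

Run `probe("<edge-router-address>")` for each Edge Router from a host whose address is covered by the firewall rule from step 1; from any other source, a timeout reflects your own address being filtered rather than the Load Balancer's.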

## Next steps

Now that the Load Balancer is distributing traffic across your Edge Routers, read [ZTNA requirements](/documentation/developer-guide/connectivity-management/ztna/prerequisites-ztna.md) to understand the Edge Router VM sizing recommendations and ensure your infrastructure is prepared to handle the expected traffic volume.

## Related topics

* [How to add new Edge Router connections](/documentation/developer-guide/connectivity-management/ztna/new-connections.md): Learn how to register new Edge Routers in the Digibee Integration Platform.
* [ZTNA groups](/documentation/developer-guide/connectivity-management/ztna/ztna-groups.md): Learn how to organize your Edge Routers into groups to simplify route management.
