Load Balancers
A load balancer distributes incoming traffic across a pool of backend instances. Frostmoln offers two providers; choose at create time based on the features you need.
Choosing a provider
| | Amphora (default) | OVN |
|---|---|---|
| Layer | L4 and L7 (HTTP/HTTPS) | L4 only |
| TLS termination | Yes | No |
| Source IP preservation | Via X-Forwarded-For (L7) | Yes — real client IP at L4 |
| Overhead | Runs a load-balancer VM | No VM (built into the network fabric) |
| Best for | Web apps, TLS, path/host routing | High-throughput L4, source-IP-sensitive workloads |
Select the provider explicitly:
fm network load-balancer create \
--name web-lb \
--provider amphora \
--vpc my-vpc \
--allowed-cidr 0.0.0.0/0
Provider is fixed for the lifetime of the load balancer
There is no in-place migration between providers. To switch from Amphora to OVN (or back), delete the load balancer and create a new one.
Allowed CIDRs are required
Every listener must declare the client CIDRs allowed to reach it via allowed_cidrs — this is required, not defaulted. Use 0.0.0.0/0 to accept traffic from anywhere, or narrow it to known ranges. A listener with no allowed CIDRs will not accept traffic.
Source IP preservation
If your backend needs the real client IP:
- OVN (L4) preserves the client source IP end to end.
- Amphora (L7) terminates the connection; read the client IP from the X-Forwarded-For header your application receives.
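A backend behind an L7 load balancer should honour X-Forwarded-For only on connections that arrive from the load balancer, and should read the header from the right, because entries to the left of the proxy-appended one are supplied by the client. The following is an added example, not Frostmoln code: it assumes the load balancer appends the connecting client's address as the last entry, and the `TRUSTED_PROXIES` subnet and the `client_ip` helper are hypothetical.

```python
import ipaddress

# Assumption: the subnet the load balancer uses to reach backends.
# Constructed value; replace with the subnet of your own VPC.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _is_trusted(addr):
    """True if addr belongs to a proxy we operate (the load balancer)."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Return the client IP to use for logging and access decisions.

    peer_addr  -- remote address of the TCP connection (string)
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    peer = ipaddress.ip_address(peer_addr)
    # Connection did not come from the load balancer, or carries no
    # header: the TCP peer is the only address we can rely on.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)
    # Walk right to left. Rightmost entries were appended by trusted
    # proxies; the first untrusted address is the real client. Anything
    # further left was sent by the client and is ignored.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: do not guess, fall back to the peer.
            return str(peer)
        if not _is_trusted(addr):
            return str(addr)
    # Every hop was one of our own proxies.
    return str(peer)


if __name__ == "__main__":
    # Constructed sample: client sent its own X-Forwarded-For value,
    # the load balancer appended the address it actually saw.
    print(client_ip("10.0.0.5", "1.2.3.4, 198.51.100.9"))
```

With OVN the header is not involved: the TCP peer address is already the client address.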
Listeners, pools, and health monitors
- A listener accepts traffic on a protocol/port (e.g. HTTPS:443).
- A pool is the set of backend members (instances) it forwards to.
- A health monitor probes members and removes unhealthy ones from rotation.
Attach a floating IP to make the load balancer reachable from the internet, and allow the listener ports in the relevant security group.