Create a Load Balancer with Runtime Manager

You can use Runtime Manager to create a dedicated load balancer (DLB) in your CloudHub environment.


Before creating a load balancer, perform the following:

  • Ensure that your profile is authorized to perform this action by adding the CloudHub Network Administrator permission to the profile of the organization where you are creating the load balancer.

    Similarly, the administrator role of the same organization also provides the authorization required.

  • Create an Anypoint Virtual Private Cloud (Anypoint VPC) in the organization where you want to create a load balancer.

  • Create at least one certificate and private key for your certificate.

Create a Load Balancer

  1. From Anypoint Platform, click Runtime Manager.

  2. Click Load Balancers > Create Load Balancer.

  3. Enter a name for your load balancer.

    The CloudHub DLB name must be unique across all DLBs defined in Anypoint Platform (by all MuleSoft customers). For this reason, you might want to append your organization name to your DLB name.

    You cannot change the name of a DLB after you create it. To change the name, delete and re-create it using the new name.

    Each dedicated load balancer exposes an external domain lb-name.lb.anypointdns.net name where lb-name is the name you provide.

    The CloudHub DLB name cannot start with internal-.

  4. Select a target Anypoint VPC from the drop-down list.

  5. Specify the amount of time the DLB waits for a response from the Mule application in the Timeout in Seconds field.

    The default value is 300 seconds.

  6. Add any allowlisted classless inter-domain routing (CIDR) as required.

    The IP addresses you specify here are the only IP addresses that can access the load balancer. The default value is

  7. Select the inbound HTTP mode for the load balancer.

    This property specifies the behavior of the load balancer when receiving an HTTP request. Valid values are:

    • Off

      Causes the load balancer to silently drop the request.

    • On

      Accepts the inbound request on the default SSL endpoint using the HTTP protocol.

    • Redirect

      Redirects the request to the same URL using the HTTPS protocol.

  8. Specify options:

    • Enable Static IPs specifies to use static IPs, which persist when the DLB restarts.

      For more information about static IP addresses, see Static IP Addresses.

    • Keep URL encoding specifies that the DLB passes only the %20 and %23 characters as is.

      If you deselect this option, the DLB decodes the encoded part of the request URI before passing it to the CloudHub worker.

    • Support TLS 1.0 specifies to support TLS 1.0 between the client and the DLB.

    • Upstream TLS 1.2 specifies to force TLS 1.2 between the DLB and the upstream CloudHub worker.

    • Forward Client Certificate specifies that the DLB forwards the client certificate to the CloudHub worker.

  9. Add a certificate.

    1. Click Add certificate:

      Add certificate option in the Create Load Balancer page
      Figure 1. The arrow shows the Add certificate option in the Create Load Balancer page.
    2. On the Create Load Balancer | Add certificate page, select Choose File to upload both public key and private key files.

    3. If you want to add a client certificate, click Choose File to upload the file.

      The client certificate is a trusted CA certificate used to verify client certificates.

    4. If you want to add URL mapping rules, click the > icon to display the options:

      Expand icon in the *Create Load Balancer Add certificate* page
      Figure 2. The arrow shows the expand icon in the Create Load Balancer | Add certificate page.

      If you add more than one URL mapping rule, order the rules in the list according to the priority in which they should be applied.

      Click Add New Rule, and then specify the input path, target app, output path, and protocol.

    5. Click Save Certificate.

  10. Click Create Load Balancer.

Enable TLS 1.0 on a DLB Using Runtime Manager

Although TLS 1.0 is not recommended due to security vulnerabilities, you can enable support if required for communication with legacy clients.

You can enable TLS 1.0 support only on the default SSL endpoint of the DLB. Enabling TLS 1.0 support applies to the entire DLB, not a single SSL endpoint.

For security reasons, do not leave TLS 1.0 enabled. After you no longer need TLS 1.0, replace the default cipher suite, for example, with NewDefault.

To enable TLS support:

  1. Select the Support TLS 1.0 option.

  2. Using the API, change the default cipher suite to OldDefault.

Was this article helpful? Thanks for your feedback!
View on GitHub