Dedicated Load Balancer Tutorial

logo cloud active logo hybrid disabled logo server disabled logo pcf disabled


This tutorial follows the configuration presented in the VPC Tutorial so it assumes that you either completed those instructions or created a VPC and configured it similarly to the example.
It is also recommended for you to be familiar with the CloudHub architecture.


This tutorial walks you through the creation of a dedicated load balancer configuring an SSL endpoint for 2-way SSL authentication and mapping lists.

This feature will eventually be built into the Runtime Manager UI, however currently it’s only available as a service that can be used via the Anypoint Command Line Interface.

Each load balancer can be associated with one or more SSL endpoints. Such endpoints are identified by their certificate names.
Certificates are an important component of your dedicated load balancer. When creating a load balancer, at least one SSL endpoint needs to be configured, meaning that each load balancer needs to have at least one certificate associated to it.
Understanding how to manage certificates, is therefore quite useful when managing dedicated load balancers.

Provide a Certificate

Create a custom self-signed certificate for the domain lb-tutorial-cert.

Keep in mind that self-signed certificates are usually set for testing purposes or specific internal usages. You should not use this self-signed certificate in production.

The following guide shows you how to create a self-signed certificate to use in this example.

  1. In your terminal type, cd to your Documents folder:

    > cd /Users/myuser/Documents/
  2. Run an openssl request for a new self signed certificate, valid for 10 years:

    > openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
  3. After hitting return, you’ll be prompted to complete a few details for your certificate.
    As a guide, pass the following values:

    Country Name (2 letter code) [AU]: US
    State or Province Name (full name) [Some-State]: California
    Locality Name (eg, city) []:San Francisco
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:MuleSoft
    Organizational Unit Name (eg, section) []: VPC Tutorial
    Common Name (e.g. server FQDN or YOUR name) []: lb-tutorial-cert
    Email Address []

You created a certificate and private key pair, with a common name lb-tutorial-cert.

Create a Load Balancer

A load balancer can be created using the load-balancer create command.

cloudhub load-balancer create (1)
vpc-tutorial (2)
lb-tutorial  (3)
/Users/myuser/Documents/cert.pem /Users/myuser/Documents/key.pem  (4)
--http on (5)
--verificationMode on
  1. Pass vpc-tutorial as the vpc name in which you want to create the load balancer.
    In order to keep consistency among tutorials, we are using components created in the VPC tutorial.

  2. Name the load balancer lb-tutorial.
    The load balancer’s name must be unique.
    Each load balancer has an internal domain name: internal-<lb-name> where <lb-name> is the name you set here.

  3. Pass the path to a .pem file certificate and its key
    We are using the self-signed certificate created earlier, along with its private key: cert.pem and key.pem.
    The certificate that you upload to the Load Balancer must be contained in one pem encoded and unencrypted file.
    Your private key file needs to be passphraseless.

  4. Set the option for the http method to on.
    This sets the load balancer to accept all http requests and forwards it to your default SSL endpoint. In this case, the only ssl endpoint configured is lb-tutorial-cert

  5. Set the option for the verificationMode to on
    This instructs the SSL endpoint to always verify the certificate

When the operation succeeds, the CLI returns an acknowledgement similar to the following:

Created Load balancer lb-tutorial with Common Name lb-tutorial-cert

In order to display the details of the newly created load balancer, use the load-balancer describe command:

cloudhub load-balancer describe lb-tutorial

The output gives you the load balancer details:

│ Name                         │ lb-tutorial                      │
│ Domain                       │            │
│ State                        │ STARTED                          │
│ VPC                          │ vpc-tutorial                     │
│ IPs                          │,     │
│ Common Name                  │ lb-test                          │
│ TLSv1                        │ Disabled                         │
│ Proxy mappings               │                                  │
│ Whitelisted IPs              │                        │

Now that your VPC has a dedicated load balancer, create a URL mapping list to redirect traffic from your load balancer, to your specific application domain name:

> cloudhub load-balancer mappings add (1)
lb-tutorial (2)
0 (3)
/{app}/ (4)
{app} (5)
  1. Set lb-tutorial as the target for this new mapping rule

  2. Set the index priority for this mapping rule to 0
    This rule now has the first priority.

  3. Set the input URL as /{app}/
    This rule uses patterns so that every value passed as {app} in the load balancer’s domain name:{app} gets mapped to the URL set as the output URL.

  4. Set the output URL to {app}
    So that the domain{app} gets mapped to {app} using the pattern {app} to match your application’s name.

  5. Set the appURI to / to redirect to the initial path of your application.

By default your load balancer listens external requests on https and communicates with your workers internally through http.
If you configured your Mule application within the VPC to listen on https, make sure you set upstreamProtocol to https when creating the mapping list using the load-balancer mappings add command.

Update an Existing Load Balancer

It is possible to edit the Whitelists, Mapping Rules and SSL Endpoints from the Anypoint Platform CLI.

Remove the existing configuration using load-balancer whitelist remove, load-balancer mappings remove and load-balancer ssl-endpoint remove respectively and add the new configurations.

Update an Existing Load Balancer Using the CloudHub API

Although it is not possible to update certain load balancer values through the Anypoint Platform CLI, you can use the Cloudhub API to programmatically manage and update your load balancer:

  1. Log in to the CloudHub services passing your credentials to

  2. Use the organizations/{orgId}/vpcs/{vpcId}/loadbalancers/{lbId} endpoint to update your load balancer.

You can use the API Reference to understand how to interact with the API’s resources.

For example, to update the httpmode of the load balancer, you need to send a PATCH request to the{orgId}/vpcs/{vpcId}/loadbalancers/{lbId} endpoint with a JSON payload:

You can query your {orgId} using the account business-group describe command.

Your {vpcId} and {lbId} values are listed by running a cloudhub vpc describe-json and a cloudhub load balancer describe-json command respectively.

    "op": "replace",
    "path": "/httpMode",
    "value": "redirect"