IBM Cloud Docs
Integrating an application load balancer with IBM Cloud DNS Services

Integrating an application load balancer with IBM Cloud DNS Services

IBM Cloud® Application Load Balancer for VPC allows you to bind a DNS zone from IBM Cloud DNS Services to move all DNS resolutions into private networks.

IBM Cloud DNS Services provides private DNS to VPC users. Private DNS zones are resolvable only on IBM Cloud, and only from explicitly permitted networks in an account or with cross-account access.

Do not remove or modify the DNS records created by the load balancer service. Doing so can result in your private DNS and load balancer configurations becoming out of sync, which can cause data path issues.

For more information about linking your own private DNS record name to a load balancer, refer to the solution tutorial Team based privacy using IAM, VPC, Transit Gateway and DNS.

Before you begin

Before binding DNS zones to load balancers, you must first create DNS zones and grant load balancer service access.

  1. DNS zones must be created before they can be bound to a load balancer. For more information, see Managing DNS zones.

  2. To give a load balancer access to your DNS zone, you must enable service-to-service authorization. This grants your load balancer access to the DNS zone. For more information, see Granting access between services. Make sure to choose VPC Infrastructure Services as the source service, Load Balancer for VPC as the resource type, DNS Services as the target service, and assign the Manager service access role.

Working with DNS zones in the UI

You can bind and unbind DNS zones to an application load balancer during provisioning, or to an existing load balancer.

Binding DNS zones when creating a load balancer in the UI

You can bind a DNS zone to a load balancer when you create a load balancer. If you do not specify a DNS zone during load balancer creation, the default zone is used. By default, the load balancer hostname is a subdomain of lb.appdomain.cloud and is publicly visible.

To bind a DNS zone when creating a load balancer, follow these steps:

  1. From your browser, open the IBM Cloud console and log in to your account.
  2. Select the Navigation Menu Navigation Menu icon, then click Infrastructure > Network > Load balancers.
  3. Click Create.
  4. Configure the VPC, type, subnet, listeners, and pools as needed.
  5. Under the DNS type section, choose Private.
  6. Click Bind+ to enter DNS instance, and DNS zone information.
  7. Click Create to provision the load balancer.

Binding a DNS zone to an existing load balancer in the UI

To bind a DNS zone to an existing load balancer, follow these steps:

  1. From your browser, open the IBM Cloud console and log in to your account.
  2. Select the Navigation Menu Navigation Menu icon, then click Infrastructure > Network > Load balancers.
  3. From the list of load balancers, select the load balancer to view its details page.
  4. Click Bind private DNS in the Private DNS section.
  5. Enter the DNS instance, and DNS zone information.
  6. Click Bind private DNS to bind the DNS zone to your load balancer.

When migrating to a private DNS zone for an existing load balancer, the default A records in lb.appdomain.cloud are removed. To prepare your client devices, create a CNAME record with the default hostname under the wanted private DNS zone before the migration. After configuring all client devices to use the new private DNS zone, you can then delete the CNAME record and begin the migration. This allows the client devices to cache the private DNS hostname until the A records are created.

Unbinding a DNS zone to an existing load balancer in the UI

To unbind a DNS zone from a load balancer, follow these steps:

  1. From your browser, open the IBM Cloud console and log in to your account.
  2. Select the Navigation Menu Navigation Menu icon, then click Infrastructure > Network > Load balancers.
  3. From the list of load balancers, select the load balancer to view its details page.
  4. Click the Unbind button in the Private DNS section
  5. Verify the action by clicking Unbind again.

Working with DNS zones from the CLI

You can bind and unbind DNS zones to an application load balancer during provisioning, or to an existing load balancer.

Creating a load balancer bound to a private DNS zone from the CLI

You need the CRN of the private DNS that you want to bind to your load balancer. To find it, click Navigation Menu Navigation Menu icon > Resource List from the IBM Cloud console. Click the table row of the DNS whose CRN you want to find. The CRN is shown in the side panel that appears.

To create an application load balancer with a private DNS zone, follow these steps:

  1. Set up your CLI environment.

  2. Use the terminal to log in to your account. After you enter the password, the system prompts which account and region that you want to use:

    ibmcloud login --sso
    
  3. Create your load balancer:

ibmcloud is lbc pdns-alb-example private --subnet 0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024 --family application --dns-instance-crn crn:v1:bluemix:public:dns-svcs:global:a/be636a7a6e4d4b6296bedf669ce8f757:c7295f57-4d25-4832-9d7e-a032de0c278c:: --dns-zone-id 0671b738-57f0-468e-8086-10bc480ac00e

Sample output:

ID                           r014-e424acb0-24af-49a0-ab50-c5969304eb94
Name                         pdns-alb-example
CRN                          crn:v1:bluemix:public:is:us-east:a/be636a7a6e4d4b6296bedf669ce8f757::load-balancer:r014-e424acb0-24af-49a0-ab50-c5969304eb94
Family                       Application
Datapath logging active      false
Host name                    e424acb0-us-east.example.com
Subnets                      ID                                          Name
                             0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024   lb-subnet

Public IPs
Private IPs
Provision status             create_pending
Operating status             offline
Is public                    false
Listeners
Pools                        ID   Name

Resource group               ID                                 Name
                             42c4f51adc3147b4b4049ad9826c30a1   Default

Created                      2023-02-10T13:18:11-06:00
DNS                          Instance CRN                                                                                                      Zone
                             crn:v1:bluemix:public:dns-svcs:global:a/be636a7a6e4d4b6296bedf669ce8f757:c7295f57-4d25-4832-9d7e-a032de0c278c::   0671b738-57f0-468e-8086-10bc480ac00e

Instance Group Supported     -
SourceIP Session Supported   -
Security groups              ID                                          Name
                             r014-b739c959-fb3c-44cc-9ec5-41c45b4d637e   astonish-backing-shadiness-frostlike-cosmos-hunk

UDP Supported                false

Binding an existing load balancer to a private DNS zone from the CLI

You need the CRN of the private DNS that you want to bind to your load balancer. To find it, click Navigation Menu Navigation Menu icon > Resource List from the IBM Cloud console. Click the table row of the DNS whose CRN you want to find. The CRN is shown in the side panel that appears.

To use the CLI to update an application load balancer with a private DNS zone, follow these steps:

  1. Set up your CLI environment.

  2. Log in to your account using the CLI. After you enter the password, the system prompts which account and region that you want to use:

    ibmcloud login --sso
    
  3. Update your load balancer with the private DNS zone information:

    ibmcloud is load-balancer-update pdns-alb-update-example --dns-instance-crn crn:v1:bluemix:public:dns-svcs:global:a/be636a7a6e4d4b6296bedf669ce8f757:c7295f57-4d25-4832-9d7e-a032de0c278c:: --dns-zone-id 0671b738-57f0-468e-8086-10bc480ac00e
    

Sample output:

ID                           r014-e68a40fb-2b94-4a92-b8bd-dc9bb92c3ef3
Name                         pdns-alb-update-example
CRN                          crn:v1:bluemix:public:is:us-east:a/be636a7a6e4d4b6296bedf669ce8f757::load-balancer:r014-e68a40fb-2b94-4a92-b8bd-dc9bb92c3ef3
Family                       Application
Datapath logging active      false
Host name                    e68a40fb-us-east.example.com
Subnets                      ID                                          Name
                             0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024   lb-subnet

Public IPs
Reserved IPs                 ID                                          Address        Subnet
                             0767-16871e0f-c43a-4b6e-8491-a3e075362046   10.241.64.11   0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024
                             0767-a7db5d37-42cf-473e-ab27-07b679d64ceb   10.241.64.12   0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024

Provision status             update_pending
Operating status             online
Is public                    false
Listeners
Pools                        ID   Name

Resource group               ID                                 Name
                             42c4f51adc3147b4b4049ad9826c30a1   Default

Created                      2023-02-10T13:36:44-06:00
DNS                          Instance CRN                                                                                                      Zone
                             crn:v1:bluemix:public:dns-svcs:global:a/be636a7a6e4d4b6296bedf669ce8f757:c7295f57-4d25-4832-9d7e-a032de0c278c::   0671b738-57f0-468e-8086-10bc480ac00e

Instance Group Supported     -
SourceIP Session Supported   -
Security groups              ID                                          Name
                             r014-b739c959-fb3c-44cc-9ec5-41c45b4d637e   astonish-backing-shadiness-frostlike-cosmos-hunk

UDP Supported                false

Unbinding an existing load balancer from a private DNS zone from the CLI

To update an application load balancer with the default public DNS zone, follow these steps:

  1. Set up your CLI environment.

  2. Log in to your account. After you enter the password, the system prompts which account and region that you want to use:

    ibmcloud login --sso
    
  3. Update your load balancer with reset-dns flag.

    ibmcloud is load-balancer-update pdns-alb-update-example --reset-dns
    

Sample output:

ID                           r014-e68a40fb-2b94-4a92-b8bd-dc9bb92c3ef3
Name                         pdns-alb-update-example
CRN                          crn:v1:bluemix:public:is:us-east:a/be636a7a6e4d4b6296bedf669ce8f757::load-balancer:r014-e68a40fb-2b94-4a92-b8bd-dc9bb92c3ef3
Family                       Application
Datapath logging active      false
Host name                    e68a40fb-us-east.lb.appdomain.cloud
Subnets                      ID                                          Name
                             0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024   lb-subnet

Public IPs
Reserved IPs                 ID                                          Address        Subnet
                             0767-16871e0f-c43a-4b6e-8491-a3e075362046   10.241.64.11   0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024
                             0767-a7db5d37-42cf-473e-ab27-07b679d64ceb   10.241.64.12   0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024

Provision status             update_pending
Operating status             online
Is public                    false
Listeners
Pools                        ID   Name

Resource group               ID                                 Name
                             42c4f51adc3147b4b4049ad9826c30a1   Default

Created                      2023-02-10T13:36:44-06:00
Instance Group Supported     -
SourceIP Session Supported   -
Security groups              ID                                          Name
                             r014-b739c959-fb3c-44cc-9ec5-41c45b4d637e   astonish-backing-shadiness-frostlike-cosmos-hunk

UDP Supported                false

Working with DNS zones with the API

You can bind and unbind DNS zones to an application load balancer during provisioning, or to an existing load balancer.

Creating a load balancer bound to a private DNS zone with the API

You need the CRN of the private DNS that you want to bind to your load balancer. To find it, click Navigation Menu Navigation Menu icon > Resource List from the IBM Cloud console. Click the table row of the DNS whose CRN you want to find. The CRN is shown in the side panel that appears.

To specify a private DNS zone during creation:

Specify the dns information in the POST /load_balancers call. For more information about this creation payload, see Creating an application load balancer with the API.

{
  "name": "pdns-alb-example",
  "is_public": false,
  "dns": {
    "instance": {
       "crn": "crn:v1:bluemix:public:dns-svcs:global:a/be636a7a6e4d4b6296bedf669ce8f757:c7295f57-4d25-4832-9d7e-a032de0c278c::"
    },
    "zone": {
        "id": "0671b738-57f0-468e-8086-10bc480ac00e"
    }
  },
  "subnets": [
    {
      "id": "0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024"
    }
  ]
}

Sample output:

{
  "id": "r014-eac21cde-a4ce-4980-b037-fc3507112955",
  "name": "pdns-alb-example",
  "href": "https://us-east.iaas.cloud.ibm.com/v1/load_balancers/r014-eac21cde-a4ce-4980-b037-fc3507112955",
  "crn": "crn:v1:bluemix:public:is:us-east:a/be636a7a6e4d4b6296bedf669ce8f757::load-balancer:r014-eac21cde-a4ce-4980-b037-fc3507112955",
  "is_public": false,
  "created_at": "2023-02-13T18:58:12Z",
  "hostname": "eac21cde-us-east.example.com",
  "listeners": [],
  "operating_status": "offline",
  "pools": [],
  "private_ips": [],
  "provisioning_status": "create_pending",
  "public_ips": [],
  "subnets": [
    {
      "id": "0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024",
      "href": "https://us-east.iaas.cloud.ibm.com/v1/subnets/0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024",
      "crn": "crn:v1:bluemix:public:is:us-east-2:a/be636a7a6e4d4b6296bedf669ce8f757::subnet:0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024",
      "name": "lb-subnet"
    }
  ],
  "resource_group": {
    "id": "42c4f51adc3147b4b4049ad9826c30a1",
    "href": "https://resource-controller.cloud.ibm.com/v1/resource_groups/42c4f51adc3147b4b4049ad9826c30a1",
    "name": "Default"
  },
  "resource_type": "load_balancer",
  "logging": {
    "datapath": {
      "active": false
    }
  },
  "profile": {
    "href": "https://us-east.iaas.cloud.ibm.com/v1/load_balancer/profiles/dynamic",
    "name": "dynamic",
    "family": "Application"
  },
  "security_groups": [
    {
      "id": "r014-b739c959-fb3c-44cc-9ec5-41c45b4d637e",
      "href": "https://us-east.iaas.cloud.ibm.com/v1/security_groups/r014-b739c959-fb3c-44cc-9ec5-41c45b4d637e",
      "crn": "crn:v1:bluemix:public:is:us-east:a/be636a7a6e4d4b6296bedf669ce8f757::security-group:r014-b739c959-fb3c-44cc-9ec5-41c45b4d637e",
      "name": "astonish-backing-shadiness-frostlike-cosmos-hunk"
    }
  ],
  "security_group_supported": true,
  "route_mode": false,
  "udp_supported": false,
  "dns": {
    "instance": {
      "crn": "crn:v1:bluemix:public:dns-svcs:global:a/be636a7a6e4d4b6296bedf669ce8f757:c7295f57-4d25-4832-9d7e-a032de0c278c::"
    },
    "zone": {
      "id": "0671b738-57f0-468e-8086-10bc480ac00e"
    }
  }
}

Binding an existing load balancer to a private DNS zone with the API

You need the CRN of the private DNS that you want to bind to your load balancer. To find it, click Navigation Menu Navigation Menu icon > Resource List from the IBM Cloud console. Click the table row of the DNS whose CRN you want to find. The CRN is shown in the side panel that appears.

To use the API to bind an existing load balancer to a private DNS zone:

Specify the dns information in the PATCH /load_balancers call. For more information about this PATCH payload, see Creating an application load balancer with the API.

{
  "dns": {
    "instance": {
      "crn": "crn:v1:bluemix:public:dns-svcs:global:a/be636a7a6e4d4b6296bedf669ce8f757:c7295f57-4d25-4832-9d7e-a032de0c278c::"
    },
    "zone": {
      "id": "0671b738-57f0-468e-8086-10bc480ac00e"
    }
  }
}

Sample output:

{
  "id": "r014-e68a40fb-2b94-4a92-b8bd-dc9bb92c3ef3",
  "name": "pdns-alb-update-example",
  "href": "https://us-east.iaas.cloud.ibm.com/v1/load_balancers/r014-e68a40fb-2b94-4a92-b8bd-dc9bb92c3ef3",
  "crn": "crn:v1:bluemix:public:is:us-east:a/be636a7a6e4d4b6296bedf669ce8f757::load-balancer:r014-e68a40fb-2b94-4a92-b8bd-dc9bb92c3ef3",
  "is_public": false,
  "created_at": "2023-02-10T19:36:44Z",
  "hostname": "e68a40fb-us-east.example.com",
  "listeners": [],
  "operating_status": "online",
  "pools": [],
  "private_ips": [
    {
      "address": "10.241.64.11",
      "href": "https://us-east.iaas.cloud.ibm.com/v1/subnets/0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024/reserved_ips/0767-16871e0f-c43a-4b6e-8491-a3e075362046",
      "id": "0767-16871e0f-c43a-4b6e-8491-a3e075362046",
      "name": "yapping-extract-reawake-bullhorn",
      "resource_type": "subnet_reserved_ip"
    },
    {
      "address": "10.241.64.12",
      "href": "https://us-east.iaas.cloud.ibm.com/v1/subnets/0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024/reserved_ips/0767-a7db5d37-42cf-473e-ab27-07b679d64ceb",
      "id": "0767-a7db5d37-42cf-473e-ab27-07b679d64ceb",
      "name": "dioxide-stylized-headway-despise",
      "resource_type": "subnet_reserved_ip"
    }
  ],
  "provisioning_status": "update_pending",
  "public_ips": [],
  "subnets": [
    {
      "id": "0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024",
      "href": "https://us-east.iaas.cloud.ibm.com/v1/subnets/0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024",
      "crn": "crn:v1:bluemix:public:is:us-east-2:a/be636a7a6e4d4b6296bedf669ce8f757::subnet:0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024",
      "name": "lb-subnet"
    }
  ],
  "resource_group": {
    "id": "42c4f51adc3147b4b4049ad9826c30a1",
    "href": "https://resource-controller.cloud.ibm.com/v1/resource_groups/42c4f51adc3147b4b4049ad9826c30a1",
    "name": "Default"
  },
  "resource_type": "load_balancer",
  "logging": {
    "datapath": {
      "active": false
    }
  },
  "profile": {
    "href": "https://us-east.iaas.cloud.ibm.com/v1/load_balancer/profiles/dynamic",
    "name": "dynamic",
    "family": "Application"
  },
  "security_groups": [
    {
      "id": "r014-b739c959-fb3c-44cc-9ec5-41c45b4d637e",
      "href": "https://us-east.iaas.cloud.ibm.com/v1/security_groups/r014-b739c959-fb3c-44cc-9ec5-41c45b4d637e",
      "crn": "crn:v1:bluemix:public:is:us-east:a/be636a7a6e4d4b6296bedf669ce8f757::security-group:r014-b739c959-fb3c-44cc-9ec5-41c45b4d637e",
      "name": "astonish-backing-shadiness-frostlike-cosmos-hunk"
    }
  ],
  "security_group_supported": true,
  "route_mode": false,
  "udp_supported": false,
  "dns": {
    "instance": {
      "crn": "crn:v1:bluemix:public:dns-svcs:global:a/be636a7a6e4d4b6296bedf669ce8f757:c7295f57-4d25-4832-9d7e-a032de0c278c::"
    },
    "zone": {
      "id": "0671b738-57f0-468e-8086-10bc480ac00e"
    }
  }
}

Unbinding an existing load balancer from a private DNS zone with the API

To use the API to unbind an existing load balancer to a private DNS zone:

Specify null dns information in the PATCH /load_balancers call. For more information about this PATCH payload, see Creating an application load balancer with the API.

{
  "dns": null
}

Sample output:

{
  "id": "r014-e68a40fb-2b94-4a92-b8bd-dc9bb92c3ef3",
  "name": "pdns-alb-update-example",
  "href": "https://us-east.iaas.cloud.ibm.com/v1/load_balancers/r014-e68a40fb-2b94-4a92-b8bd-dc9bb92c3ef3",
  "crn": "crn:v1:bluemix:public:is:us-east:a/be636a7a6e4d4b6296bedf669ce8f757::load-balancer:r014-e68a40fb-2b94-4a92-b8bd-dc9bb92c3ef3",
  "is_public": false,
  "created_at": "2023-02-10T19:36:44Z",
  "hostname": "e68a40fb-us-east.lb.appdomain.cloud",
  "listeners": [],
  "operating_status": "online",
  "pools": [],
  "private_ips": [
    {
      "address": "10.241.64.11",
      "href": "https://us-east.iaas.cloud.ibm.com/v1/subnets/0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024/reserved_ips/0767-16871e0f-c43a-4b6e-8491-a3e075362046",
      "id": "0767-16871e0f-c43a-4b6e-8491-a3e075362046",
      "name": "yapping-extract-reawake-bullhorn",
      "resource_type": "subnet_reserved_ip"
    },
    {
      "address": "10.241.64.12",
      "href": "https://us-east.iaas.cloud.ibm.com/v1/subnets/0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024/reserved_ips/0767-a7db5d37-42cf-473e-ab27-07b679d64ceb",
      "id": "0767-a7db5d37-42cf-473e-ab27-07b679d64ceb",
      "name": "dioxide-stylized-headway-despise",
      "resource_type": "subnet_reserved_ip"
    }
  ],
  "provisioning_status": "update_pending",
  "public_ips": [],
  "subnets": [
    {
      "id": "0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024",
      "href": "https://us-east.iaas.cloud.ibm.com/v1/subnets/0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024",
      "crn": "crn:v1:bluemix:public:is:us-east-2:a/be636a7a6e4d4b6296bedf669ce8f757::subnet:0767-064498f3-4df5-4fa5-b2ed-de5a3bfea024",
      "name": "lb-subnet"
    }
  ],
  "resource_group": {
    "id": "42c4f51adc3147b4b4049ad9826c30a1",
    "href": "https://resource-controller.cloud.ibm.com/v1/resource_groups/42c4f51adc3147b4b4049ad9826c30a1",
    "name": "Default"
  },
  "resource_type": "load_balancer",
  "logging": {
    "datapath": {
      "active": false
    }
  },
  "profile": {
    "href": "https://us-east.iaas.cloud.ibm.com/v1/load_balancer/profiles/dynamic",
    "name": "dynamic",
    "family": "Application"
  },
  "security_groups": [
    {
      "id": "r014-b739c959-fb3c-44cc-9ec5-41c45b4d637e",
      "href": "https://us-east.iaas.cloud.ibm.com/v1/security_groups/r014-b739c959-fb3c-44cc-9ec5-41c45b4d637e",
      "crn": "crn:v1:bluemix:public:is:us-east:a/be636a7a6e4d4b6296bedf669ce8f757::security-group:r014-b739c959-fb3c-44cc-9ec5-41c45b4d637e",
      "name": "astonish-backing-shadiness-frostlike-cosmos-hunk"
    }
  ],
  "security_group_supported": true,
  "route_mode": false,
  "udp_supported": false,
  "dns": null
}