Contact UsTry it for free
© 2025 Direct Cursus Technology L.L.C.

Create an internal network load balancer

Written by
Improved by
Updated at December 1, 2025

Note

To create an internal network load balancer, you need the load-balancer.privateAdmin role.

You can only set the load balancer type (internal or external) when creating it and cannot change it later.

To create an internal network load balancer:

  1. In the management console, select the folder where you want to create a load balancer.

  2. In the list of services, select Network Load Balancer.

  3. Click Create a network load balancer.

  4. In the Name field, enter a name for the load balancer. Follow these naming requirements:

    • It must be from 2 to 63 characters long.
    • It can only contain lowercase Latin letters, numbers, and hyphens.
    • It must start with a letter and cannot end with a hyphen.

  5. In the Type field, select Internal.

  6. Optionally, in the Advanced field, enable load balancer protection from deletion.

  7. Under Listeners, add a listener:

    1. Click Add listener.
    2. In the window that opens, specify these listener settings:

      • Name.

      • Subnet where the load balancer will route traffic.

      • In the Internal IPv4 address field, select the method through which the listener will get the IP address the load balancer will receive traffic on:

        • Auto: For the listener to automatically get a free IP address from the selected subnet range.

        • List: To manually reserve a particular IP address for the listener in the subnet you select.

          In the IP-address field that opens, select a previously reserved IP address or click Reserve to reserve a new one. In the window that opens, specify the parameters of the reserved IP address:

          • Name.
          • Internal IPv4 address: Specify a free IP address in the subnet range selected for the listener.
          • Optionally, in the Advanced field, enable deletion protection for the reserved IP address.
          • Click Create.

      • In the Protocol field, select TCP or UDP.

        Note

        By default, the listener uses TCP. To use UDP, contact technical support.

      • Port where the listener will listen for incoming traffic. The possible values range from 1 to 32767.

      • Target port to which the load balancer will redirect traffic. The possible values range from 1 to 32767.

    3. Click Add.

  8. Under Target groups, add a target group:

    1. Click Add target group.
    2. Select a target group or create a new one:
      • In the Target group field, select Create target group.
      • In the window that opens, enter a target group name.
      • Add VMs to the target group.
      • Click Create.
    3. Optionally, under Health check, click Configure. In the window that opens, specify the resource health check settings:

      • Name.

      • Under Type, choose one of the options:

        • HTTP. Additionally, in the Path field, specify the path for health checks.
        • TCP.
        • HTTP/2. Additionally, in the Host and Path fields, specify the host address and path for health checks.
        • HTTPS. Additionally, in the Host and Path fields, specify the host address and path for health checks.
        • GRPC. Additionally, in the Service name and Authority fields, specify the details of your gRPC service.

      • Port: Port number for health checks. The possible values range from 1 to 32767.

      • Timeout in sec: Response timeout in seconds.

      • Interval in sec: Health check interval in seconds.

      • Healthy threshold: Number of successful checks required to consider the VM ready to receive traffic.

      • Unhealthy threshold: Number of failed checks before traffic is no longer routed to the VM.

    4. Click Apply.

  9. Click Create.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. Before you create a load balancer, make sure to create a target group for it.

  2. See the description of the CLI command for creating a network load balancer:

    yc load-balancer network-load-balancer create --help

  3. To create an internal load balancer with a listener and a target group, run this command:

    yc load-balancer network-load-balancer create <load_balancer_name> \
   --type=internal \
   --listener name=<listener_name>,`
              `port=<port>,`
              `target-port=<target_port>,`
              `protocol=<protocol>,`
              `internal-subnet-id=<subnet_ID>,`
              `internal-ip-version=<IP_address_version>,`
              `internal-address=<listener_IP_address> \
   --target-group target-group-id=<target_group_ID>,`
                  `healthcheck-name=<health_check_name>,`
                  `healthcheck-interval=<health_check_interval>s,`
                  `healthcheck-timeout=<health_check_timeout>s,`
                  `healthcheck-unhealthythreshold=<number_of_failed_checks_to_get_Unhealthy_status>,`
                  `healthcheck-healthythreshold=<number_of_successful_checks_to_get_Healthy_status>,`
                  `healthcheck-tcp-port=<TCP_port>,`
                  `healthcheck-http-port=<HTTP_port>,`
                  `healthcheck-http-path=<URL>

    Where:

    • --type: Load balancer type.
    • --listener: Listener settings:

      • name: Listener name.

      • port: Port on which the load balancer will listen to incoming traffic. The possible values range from 1 to 32767.

      • target-port: Port to which the load balancer will redirect traffic. The possible values range from 1 to 32767.

      • protocol: Protocol the listener will use, tcp or udp.

      • internal-subnet-id: Subnet ID.

      • internal-ip-version: Internal IP address version, ipv4 or ipv6.

      • internal-address: Listener IP address not occupied by other resources and belonging to the subnet range specified in the internal-subnet-id property.

        If the internal-address property is not specified, the internal load balancer listener gets a random IP address from the selected subnet range.

    • --target-group: Target group parameters and health check settings:

      • target-group-id: Target group ID.

        To find out the ID, get a list of target groups in the folder.

      • healthcheck-name: Health check name.

      • healthcheck-interval: Health check interval in seconds. The possible values range from 1s to 60s. The interval must be at least 1 second longer than the response timeout.

      • healthcheck-timeout: Response timeout in seconds. The possible values range from 1s to 60s.

      • healthcheck-unhealthythreshold: Number of failed checks before traffic is no longer routed to the VM. The possible values range from 2 to 10.

      • healthcheck-healthythreshold: Number of successful checks required to consider the VM ready to receive traffic. The possible values range from 2 to 10.

      • healthcheck-tcp-port: Port for TCP health checks. The possible values range from 1 to 32,767.

      • healthcheck-http-port: Port for HTTP health checks. The possible values range from 1 to 32,767.

      • healthcheck-http-path: URL for HTTP health checks.

      You cannot specify both healthcheck-tcp-port and healthcheck-http-port at the same time.

      Warning

      Use the <time_in_seconds>s format, e.g., 20s, for the healthcheck-interval and healthcheck-timeout values.

    For more information about the yc load-balancer network-load-balancer create command, see the Yandex Cloud CLI reference.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

To create an internal load balancer with a listener and a target group:

  1. Describe the network load balancer settings in the configuration file.

    Here is the configuration file example:

    resource "yandex_lb_network_load_balancer" "foo" {
  name = "<load_balancer_name>"
  type = "internal"
  deletion_protection = "<deletion_protection>"
  listener {
    name = "<listener_name>"
    port = <port_number>
    internal_address_spec {
      subnet_id  = "<subnet_ID>"
      ip_version = "<IP_address_version>"
      address    = "<listener_IP_address>"
    }
  }
  attached_target_group {
    target_group_id = "<target_group_ID>"
    healthcheck {
      name = "<health_check_name>"
        http_options {
          port = <port_number>
          path = "<URL>"
        }
    }
  }
}

    Where:

    • name: Name of the network load balancer.
    • type: Type of the network load balancer. Use internal to create an internal load balancer.
    • deletion_protection: Deletion protection for the internal network load balancer. You cannot delete a load balancer with this option enabled. This does not apply to its listeners or target groups. The default value is false.
    • listener: Listener settings:
      • name: Listener name.
      • port: Port number (ranging from 1 to 32767) on which the load balancer will listen to incoming traffic.
      • internal_address_spec: Specification of the internal load balancer's listener:

        • subnet_id: Subnet ID.

        • ip_version: External IP address specification. Specify the IP address version, ipv4 or ipv6. The default value is ipv4.

        • address: Listener IP address not occupied by other resources and belonging to the subnet range specified in the subnet_id field.

          If the address field value is not specified, the internal load balancer listener gets a random IP address from the selected subnet range.

    • attached_target_group: Description of the network load balancer's target group settings:

      • target_group_id: Target group ID.

        To find out the ID, get a list of target groups in the folder.

      • healthcheck: Health check settings. Specify a name, a port number ranging from 1 to 32767, and a path for health checks.

    For more information about the resources you can create with Terraform, see this article.

  2. Create a network load balancer:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

    This will create all the resources you need in the specified folder. You can check the new resources and their settings using the management console.

To create an internal network load balancer, use the create REST API method for the NetworkLoadBalancer resource or the NetworkLoadBalancerService/Create gRPC API call.

Examples

Creating an internal load balancer without a listener

Create an internal network load balancer named internal-lb-test-1 without a listener and a target group.

To create an internal load balancer without a listener, run this command:

yc load-balancer network-load-balancer create internal-lb-test-1 \
   --type=internal

  1. In the configuration file, describe the load balancer settings, skipping the listener and attached_target_group sections:

    resource "yandex_lb_network_load_balancer" "foo" {
  name = "internal-lb-test-1"
  type = "internal"
  deletion_protection = "true"

    For more information about the resources you can create with Terraform, see this article.

  2. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  3. Create a network load balancer.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

Use the create API method, providing the following in the request body:

{
  "folderId": "<folder_ID>",
  "name": "internal-lb-test-1",
  "type": "INTERNAL"
}

Creating an internal load balancer with a listener and attached target group

Create an internal network load balancer with a listener and attached target group with the following test settings:

  • Name: internal-lb-test-2
  • Listener settings:
    • Name: test-listener
    • Port: 80
    • Target port: 81
    • Protocol: TCP
    • Subnet ID: b0cp4drld130********
    • IP address version: ipv4
    • Listener IP address: 192.168.1.25
  • Target group ID: enpu2l7q9kth********
  • Target group health check settings:
    • Name: http
    • Health check interval: 2 seconds
    • Response timeout: 1 second
    • Unhealthy threshold: 2
    • Healthy threshold: 2
    • Port for HTTP health checks: 80
    • URL for health checks: /

Run this command:

yc load-balancer network-load-balancer create internal-lb-test-2 \
   --type=internal \
   --listener name=test-listener,`
              `port=80,`
              `target-port=81,`
              `protocol=tcp,`
              `internal-subnet-id=b0cp4drld130********,`
              `internal-ip-version=ipv4,`
              `internal-address=192.168.1.25 \
   --target-group target-group-id=enpu2l7q9kth********,`
                  `healthcheck-name=http,`
                  `healthcheck-interval=2s,`
                  `healthcheck-timeout=1s,`
                  `healthcheck-unhealthythreshold=2,`
                  `healthcheck-healthythreshold=2,`
                  `healthcheck-http-port=80,`
                  `healthcheck-http-path=/

  1. In the configuration file, describe the load balancer, including the listener and attached_target_group sections:

    resource "yandex_lb_network_load_balancer" "internal-lb-test" {
  name = "internal-lb-test-2"
  type = "internal"
  deletion_protection = "true"
  listener {
    name        = "test-listener"
    port        = 80
    target_port = 81
    protocol    = "tcp"
    internal_address_spec {
      subnet_id  = "b0cp4drld130********"
      ip_version = "ipv4"
      address    = "192.168.1.25"
    }
  }
  attached_target_group {
    target_group_id = "enpu2l7q9kth********"
    healthcheck {
      name                = "http"
      interval            = 2
      timeout             = 1
      unhealthy_threshold = 2
      healthy_threshold   = 2
      http_options {
        port = 80
        path = "/"
      }
    }
  }
}

    For more information about the resources you can create with Terraform, see the provider documentation.

  2. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  3. Create a network load balancer.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

Use the create API method, providing the following in the request body:

{
  "folderId": "<folder_ID>",
  "name": "internal-lb-test-2",
  "type": "INTERNAL",
  "listenerSpecs": [
    {
      "name": "test-listener",
      "port": "80",
      "protocol": "TCP",
      "targetPort": "81",
      "internalAddressSpec": {
        "subnetId": "b0cp4drld130********",
        "ipVersion": "IPV4",
        "address": "192.168.1.25"
      }
    }
  ],
  "attachedTargetGroups": [
    {
      "targetGroupId": "enpu2l7q9kth********",
      "healthChecks": [
        {
          "name": "http",
          "interval": "2s",
          "timeout": "1s",
          "unhealthyThreshold": "2",
          "healthyThreshold": "2",
          "httpOptions": {
            "port": "80",
            "path": "/"
          }
        }
      ]
    }
  ]
}
Previous
Creating a load balancer
Next
Stopping and starting a load balancer