IaC Bazaar

Linode NodeBalancer Load Balancer

Managed L4/L7 load balancer with TLS termination, health checks, session stickiness, and UDP support.

terraform · Alt & Specialty Clouds · #linode


linode-nodebalancer · terraform v1.7

Verification

Static-verified

Passed: validated and lint-clean (provider-schema-validated for AWS/Azure/GCP; Terraform-language lint elsewhere).

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan: findings disclosed (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live test pending (no cloud run yet)

Last verified 2026-06-28

Documentation

linode-nodebalancer

Managed Linode NodeBalancer (L4/L7 load balancer) with TLS-terminating HTTPS listeners, active health checks, session stickiness, and optional VPC-backed backends — in one apply. Works with Terraform and OpenTofu (>= 1.6), Linode provider >= 3.14, < 4.0.

Status: static-validated, live-test pending. This module ships under live-test quarantine: it has passed tofu fmt, tofu validate, and tflint, but the real apply → verify → destroy gate is pending a Linode sandbox account. Treat the secure defaults below as the contract.

Design & secure defaults

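  • HTTPS by default. A config's protocol defaults to https, and the module requires ssl_cert + ssl_key for HTTPS listeners (enforced with a plan-time precondition). Both TLS inputs are marked sensitive; in Terraform and OpenTofu that redacts them from plan output but does not keep them out of state, so protect the state backend accordingly.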
  • Modern ciphers only. cipher_suite is pinned to recommended; the legacy suite (weak ciphers) is rejected by variable validation — opt-in would require a custom build, not a flag.
  • Health checking on by default. Every config gets active checks (check = "connection") plus passive checks (check_passive = true), so a failed backend is pulled out of rotation automatically.
  • Private-IP backends only. Every node address must be an RFC1918 private IP (validated). Public-IP backends are rejected — backend traffic stays on the private/VPC network.
  • proxy_protocol is TCP-scoped. The module silently neutralizes proxy_protocol on non-TCP configs so it can't be misapplied.
  • Firewalls stay out-of-band. Attach a Cloud Firewall via the linode-firewall module (linode_firewall_device) so rules and balancer lifecycle are decoupled.
  • Optional VPC backends. vpc_backend routes backend traffic over a VPC subnet (newer NodeBalancer feature) instead of the legacy private network.

Usage

module "lb" {
  source = "./linode-nodebalancer"

  label  = "prod-web-lb"
  region = "us-ord"

  configs = {
    https = {
      port     = 443
      protocol = "https"
      ssl_cert = file("tls/fullchain.pem")
      ssl_key  = file("tls/privkey.pem")

      check      = "http"
      check_path = "/healthz"

      nodes = {
        web1 = { address = "192.168.128.10:8080" }
        web2 = { address = "192.168.128.11:8080" }
      }
    }
  }

  tags = ["env:prod"]
}

Inputs

| Name | Type | Default | Description |
|------|------|---------|-------------|
| label | string | | NodeBalancer label, 3-32 chars (required) |
| region | string | | Linode region slug, e.g. us-ord (required) |
| client_conn_throttle | number | 0 | Per-client connections/sec throttle (0-20; 0 = off) |
| vpc_backend | object | null | { subnet_id, ipv4_range } to route backends over a VPC subnet |
| configs | map(object) | {} | Listener configs keyed by name (see below) |
| tags | list(string) | [] | Tags applied to the NodeBalancer |

Each configs entry: port (required), protocol (https/http/tcp, default https), algorithm (roundrobin/leastconn/source), stickiness (none/table/http_cookie), check (none/connection/http/http_body), check_interval/check_timeout/check_attempts, check_path (required for http/http_body checks), check_passive, proxy_protocol (none/v1/v2, TCP only), cipher_suite (recommended), ssl_cert + ssl_key (required, sensitive, for HTTPS), and nodes — a map of { address, weight, mode, subnet_id } where address is an RFC1918 private IP with a mandatory port (PRIVATE_IPv4:PORT, e.g. 10.0.0.5:8080).
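
An added example (not the module's own source) that re-checks the listener rules stated under "Design & secure defaults" and in the configs description above against a configs map before plan, and reports a proxy_protocol set on a non-TCP config instead of dropping it silently. The function names and the SAMPLE data are constructed for illustration; the defaults used (protocol https, check connection, cipher_suite recommended) are the ones this page states.

```python
import ipaddress

# RFC1918 only: ipaddress's is_private is broader (loopback, link-local, ...).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed input, in the shape of the Usage block's configs map.
SAMPLE = {
    "https": {"port": 443, "ssl_cert": "<pem>", "ssl_key": "<pem>", "check": "http",
              "nodes": {"web1": {"address": "192.168.128.10:8080"},
                        "web2": {"address": "203.0.113.7:8080"},
                        "web3": {"address": "127.0.0.1:8080"}}},
    "plain": {"port": 80, "protocol": "http", "proxy_protocol": "v2",
              "nodes": {"web1": {"address": "10.0.0.5"}}},
}


def check_address(addr):
    """Return None if addr is RFC1918_IPv4:PORT, else the reason it is not."""
    host, sep, port = addr.rpartition(":")
    if not (sep and port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
        return "missing or invalid port"
    try:
        ip = ipaddress.IPv4Address(host)
    except ValueError:
        return "not an IPv4 address"
    return None if any(ip in net for net in RFC1918) else "not an RFC1918 private address"


def audit_configs(configs):
    """Return sorted (config, finding) pairs for the rules the page states."""
    findings = []
    for name, cfg in configs.items():
        proto = cfg.get("protocol", "https")  # page: protocol defaults to https
        if proto == "https" and not (cfg.get("ssl_cert") and cfg.get("ssl_key")):
            findings.append((name, "https listener without ssl_cert + ssl_key"))
        if cfg.get("cipher_suite", "recommended") != "recommended":
            findings.append((name, "cipher_suite is not 'recommended'"))
        if cfg.get("check", "connection") in ("http", "http_body") and not cfg.get("check_path"):
            findings.append((name, "check_path required for http/http_body checks"))
        if proto != "tcp" and cfg.get("proxy_protocol", "none") != "none":
            findings.append((name, "proxy_protocol set on a non-TCP config"))
        for node, spec in cfg.get("nodes", {}).items():
            reason = check_address(spec.get("address", ""))
            if reason:
                findings.append((name, f"node {node}: {reason}"))
    return sorted(findings)


if __name__ == "__main__":
    print(*(f"{c}: {f}" for c, f in audit_configs(SAMPLE)), sep="\n")
```

Run as a CI step ahead of plan, an empty result means the map satisfies the stated contract; any finding is a reason to fail the pipeline.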

Outputs

| Name | Description |
|------|-------------|
| nodebalancer_id | NodeBalancer ID |
| label | NodeBalancer label |
| hostname | Hostname (*.nodebalancer.linode.com) |
| ipv4 | Public IPv4 address |
| ipv6 | Public IPv6 address |
| config_ids | config key => config ID |
| config_ports | config key => listener port |
| node_ids | "<config>:<node>" => node ID |

Requirements

  • Terraform or OpenTofu >= 1.6
  • linode/linode provider >= 3.14, < 4.0
  • Backend nodes must already exist and be reachable on a private IP (or VPC subnet) before the balancer can mark them healthy.
  • VPC-backed backends are a newer Linode feature; confirm regional availability.

License

Commercial — LicenseRef-IaCBazaar-Commercial. © IaC Bazaar. Original work (not derived from a third-party module).