'%20filter='url(%23b)'%20transform='translate(0%20-286)'/%3e%3cpath%20d='M1636.5%20147c-123.436%200-223.5%20102.975-223.5%20230s100.064%20230%20223.5%20230S1860%20504.025%201860%20377c-.143-126.964-100.124-229.853-223.5-230Zm107.16%20308.341c-1.892%202.323-4.973%203.231-7.78%202.295l-98.896-32.908-98.896%2032.908c-2.807.933-5.884.022-7.774-2.3-1.89-2.32-2.212-5.587-.815-8.25l101.128-192.49c1.376-2.238%203.776-3.596%206.357-3.596%202.58%200%204.981%201.358%206.357%203.596l101.128%20192.49c1.401%202.663%201.08%205.932-.81%208.255Z'%20fill='url(%23c)'%20filter='url(%23d)'%20transform='translate(0%20-286)'/%3e%3c/g%3e%3c/svg%3e)
Load balancing
Loopback offers managed load balancers with IPv4/IPv6 front ends, algorithms (for example round-robin, least connections), health checks, TLS termination concepts, and access control via allowed and blocked origin CIDR lists on services. The same product object backs load balancers at different scopes; the API surface you call depends on whether the LB is attached to a project, a workspace, or (in multi-cluster operator setups) a management cluster context.
Scopes
Project-level
Project load balancer APIs (nested targets, services). Share an edge across multiple workspaces in the same project when your architecture calls for it.
Workspace-level
Workspace load balancer APIs under the owning project. Use when the VIP and backends are owned by one environment.
Cluster-level (operator)
Additional surfaces exist for load balancers tied to Kubernetes management clusters. Most tenant documentation focuses on project and workspace scopes; cluster scope is a platform concern unless your operator exposes it to you.
Object structure (conceptual)
- Load balancer - front IP, algorithm, state, organization and optional project/workspace references.
- Target - backend host or endpoint membership, weights, health configuration.
- Service - listener definition (ports, protocols), linkage to targets, optional LBFW-related hooks where the deployment supports them, and origin allow/block CIDR lists (validated CIDR notation).
Security and edge policy
Allowed and blocked origin lists are not a full WAF by themselves; they are IP-layer filters at the LB edge. Pair with Firewalls on hosts for defense in depth.
Reconciliation
Load balancers appear as reconcilable entities in the scheduler (backend sync, certificate refresh triggers). Expect eventual convergence after API changes.