Load Balancers

DigitalOcean Load Balancers are a fully-managed, highly available network load balancing service. Load balancers distribute traffic to groups of Droplets, which decouples the overall health of a backend service from the health of a single server to ensure that your services stay online.

Plans and Pricing

Load balancers cost $10/month. There is no additional cost to use Let's Encrypt with load balancers.


There are no bandwidth charges for DigitalOcean Load Balancers because they are bandwidth neutral. In other words, load balancers themselves don't change the amount of data transferred by Droplets. Bandwidth costs are based on the data transfer of the Droplets included in the load balancer's backend, taking into consideration their own transfer limits.

Regional Availability

Load balancers and Let's Encrypt certificates are supported in every region.

The Droplets in a load balancer's backend pool must be in the same region as the load balancer.


There are a number of benefits to adding a load balancer to your infrastructure.

  • Using a load balancer as a gateway gives you the flexibility to change your backend infrastructure without affecting the availability of your services, enabling seamless horizontal scaling, rolling deployments, large architecture redesigns, and more.

  • Sharing the processing workload among a group of servers rather than relying on a single server prevents any one machine from being overwhelmed by requests.

Load balancing services like DigitalOcean Load Balancers give you the benefits of load balancing without the burden of managing the operational complexities.

High Availability

All DigitalOcean Load Balancers automatically monitor their backend pools and only send requests to Droplets that pass health checks. You can define health check endpoints and set the parameters around what constitutes a healthy response. The load balancer automatically removes Droplets that fail health checks from rotation, and adds them back when the health checks pass.

Redundant Load Balancer

DigitalOcean Load Balancers are configured with automatic failover to maintain availability even when failures occur at the balancing layer. Internally, the active balancing component is monitored and fails over to a standby if necessary, meaning your load balancer is never a single point of failure.

Backend Droplet Tagging

There are two different ways to define backend Droplets for a load balancer:

  • By name, which lets you add individual Droplets to a load balancer using the control panel or API.
  • With a tag, which load balancers evaluate at runtime.

You can choose up to 10 backend Droplets by name. However, we recommend using tags as a more scalable automated solution.

Tags are custom labels you can apply to Droplets. If you use a tag to define the backend Droplets for your load balancer, it will automatically adjust the routing whenever you add or remove that tag from a Droplet.

You can use one tag per load balancer.

Backend Droplet Connections

The load balancer will connect to Droplets over the private network if it is enabled on the Droplets in question when they are added to the load balancer. If private networking is disabled, the load balancer will contact the Droplet using its public IP address.

Load balancers support two balancing algorithms: round robin and least connections.

Load balancers send traffic to Droplet using dynamic backend IP addresses that are separate from the public IP addresses displayed in the control panel. Backend IP addresses may change at any time and should not be used to configure firewalls.

Protocol Support

A single DigitalOcean Load Balancer can be configured to handle multiple protocols and ports. You can control traffic routing with configurable rules that specify the ports and protocols that the load balancer should listen on, as well as the way that it should select and forward requests to the backend servers.

Because DigitalOcean Load Balancers are network load balancers, not application load balancers, they do not support directing traffic to specific backends based on URLs, cookies, HTTP headers, etc.


Standard HTTP balancing directs requests based on standard HTTP mechanisms. The load balancer sets the X-Forwarded-For, X-Forwarded-Proto, and X-Forwarded-Port headers to give the backend servers information about the original request.

If user sessions depend on the client always connecting to the same backend, a cookie can be sent to the client to enable sticky sessions.


You can balance secure traffic using either HTTPS or HTTP/2. Both protocols can be configured with:

  • SSL termination, which handles the SSL decryption at the load balancer after you add your SSL certificate and private key. Your load balancer can also act as a gateway between HTTP/2 client traffic and HTTP/1.0 or HTTP/1.1 backend applications this way.

  • SSL passthrough, which forwards encrypted traffic to your backend Droplets. This is a good for end-to-end encryption and distributing the SSL decryption overhead, but you'll need to manage the SSL certificates yourself.

You can configure load balancers to redirect HTTP traffic on port 80 to HTTPS or HTTP/2 on port 443. This way, the load balancer can listen for traffic on both ports but redirect unencrypted traffic for better security.

TCP Balancing

TCP balancing is available for applications that do not speak HTTP. For example, deploying a load balancer in front of a database cluster like Galera would allow you spread requests across all available machines.

Let's Encrypt SSL Certificates

DigitalOcean Load Balancer Let's Encrypt certificates are fully managed and automatically renewed on your behalf every 60 days. You can use SSL certificates with HTTPS and HTTP/2.

PROXY Protocol

PROXY protocol is a way to send client connection information (like origin IP addresses and port numbers) to the final backend server rather than discarding it at the load balancer. This information can be helpful for use cases like analyzing traffic logs or changing application functionality based on geographical IP.

DigitalOcean Load Balancers have support for PROXY protocol version 1. Make sure to configure your backend services to accept PROXY protocol headers after you enable it on your load balancer.


  • DigitalOcean Load Balancers support TLS 1.2 and do not support downgrading connections to TLS 1.0 or 1.1.

  • Because DigitalOcean Load Balancers are network load balancers, not application load balancers, they do not support directing traffic to specific backends based on URLs, cookies, HTTP headers, etc.

  • Load balancers do not support IPv6.

  • When using SSL passthrough (port 443 to 443), load balancers do not inject x-forwarded-proto, x-forwarded-port, and other x-forwarded-for parameters. Load balancers inject those parameters for HTTPS when using SSL termination (port 443 to 80) or HTTP connection (port 80 to 80).

  • Sticky sessions are only visible at the load balancer layer; the cookies used for sticky sessions are both set and stripped at the load balancer. Because those cookies are not present in the request sent to the backend Droplets, backend applications cannot use them.

  • Load balancers use http-server-close and keep-alive headers are not honored.

  • Accounts can have up to 10 load balancers by default. This limit is also affected by the account's Droplet limit.

  • Load balancer connections have a keep-alive time of 60 seconds.

  • Load balancers support up to 10,000 simultaneous connections. You cannot change this limit.

  • HTTP health checks are sent using HTTP 1.0. If your web server uses a version other than HTTP 1.0, the headers in the health check may not be compatible and you'll need to use a TCP check.

  • You cannot assign a floating IP address to a DigitalOcean Load Balancer.

  • Sticky sessions do not work with SSL passthrough (port 443 to 443). They do work with SSL termination (port 443 to 80) and HTTP requests (port 80 to 80).

  • You can add up to 10 backend Droplets by name. Alternatively, you can add up to one tag. There is no limit to the number of Droplets to which you can apply a tag, and using one will automatically update your load balancer when you add or remove the tag from Droplets.

  • Ports 50053, 50054 and 50055 are reserved on DigitalOcean Load Balancers, so you cannot use those ports in forwarding rules.

Let's Encrypt

  • You must manage your DNS records on DigitalOcean in order for us to manage Let's Encrypt on load balancers on your behalf.

  • Let's Encrypt on DigitalOcean only supports SSL termination. SSL passthrough requires certificates on the Droplets themselves, and DigitalOcean does not install or maintain certificates on unmanaged services like Droplets.

  • Load balancers do not support Let's Encrypt wildcard certificates. Let's Encrypt added wildcard certificate support in March of 2018 but continues to recommend non-wildcard certificates for most use cases.

  • Let's Encrypt imposes rate limits of:

    • 20 certificates per registered domain per week
    • 100 names per certificate
    • 5 duplicate domain certificates per week

    If your certificate isn't issued on the first try, we will automatically retry at 20 minute intervals up to 3 times. After that, we'll send email to your account's address letting you know that the certificate creation failed.

  • Let's Encrypt SSL keys are limited to 2048 bits.

Known Issues

  • Editing the Droplet port in a existing load balancer's forwarding rule does not apply the change to the load balancer configuration. A workaround is to remove and re-add a Droplet to the load balancer. Our engineering team is working on a fix for this issue. Creating new load balancers is not affected.

Latest Updates

23 October 2019

20 August 2019

  • DigitalOcean Load Balancers no longer support downgrading TLS connections to TLS 1.0. We will stop supporting TLS 1.1 later this year.

19 March 2019

1 October 2018

For more information, see all Load Balancers release notes.