Load Balancer Overview

Plans and Pricing

Load Balancers cost $20/month. There is no additional cost to use Let’s Encrypt with Load Balancers.

There are no bandwidth charges for Load Balancers because they are bandwidth neutral. In other words, Load Balancers themselves don’t change the amount of data transferred by Droplets. Bandwidth costs are based on the data transfer of the Droplets included in the backend of the Load Balancer, taking into consideration their own transfer limits.

Regional Availability

Load Balancers and Let’s Encrypt certificate support are both available in every region.

The Droplets you choose for your backend pool must be in the same region as your Load Balancer.


High Availability

A DigitalOcean Load Balancer monitors backend Droplets to ensure that each service is operating healthy. Users can define health check endpoints and set the parameters around what constitutes a healthy response. The Load Balancer will automatically remove machines from rotation that fail health checks until those health checks indicate that service has been restored.

DigitalOcean Load Balancers are configured with automatic failover in order to maintain availability even when failures occur at the balancing layer. Internally, the active balancing component is monitored and fails over to a standby if necessary, meaning your Load Balancer is never a single point of failure.

Backend Droplet Management

There are two different ways to define backend Droplets for a Load Balancer:

  • By name, which lets you add individual Droplets to a Load Balancers using the Control Panel or API.
  • With a tag, which Load Balancers evaluate at runtime. This means that whenever a tag is added or removed from a Droplet, the Load Balancer will adjust the routing automatically.

The Load Balancer will connect to Droplets over the private network if it is enabled on the Droplets in question when they are added to the Load Balancer. If private networking is disabled, the Load Balancer will contact the Droplet using its public IP address.

Load Balancers support two balancing algorithms: round robin and least connections.

Protocol Support

A single DigitalOcean Load Balancer can be configured to handle multiple protocols and ports. You can control traffic routing is controlled with configurable rules that specify the ports and protocols that the Load Balancer should listen on, as well as the way that it should select and forward requests to the backend servers.

Because DigitalOcean Load Balancers are network load balancers, not application load balancers, they do not support directing traffic to specific backends based on URLs, cookies, HTTP headers, etc.


Standard HTTP balancing directs requests based on standard HTTP mechanisms. The Load Balancer sets the X-Forwarded-For, X-Forwarded-Proto, and X-Forwarded-Port headers to give the backend servers information about the original request.

If user sessions depend on the client always connecting to the same backend, a cookie can be sent to the client to enable sticky sessions.


You can balance secure traffic using either HTTPS or HTTP/2. Both protocols can be configured with:

  • SSL termination, which handles the SSL decryption at the Load Balancer after you add your SSL certificate and private key. Your Load Balancer can also act as a gateway between HTTP/2 client traffic and HTTP/1.0 or HTTP/1.1 backend applications this way.
  • SSL passthrough, which forwards encrypted traffic to your backend Droplets. This is a good for end-to-end encryption and distributing the SSL decryption overhead, but you’ll need to manage the SSL certificates yourself.

You can configure Load Balancers to redirect HTTP traffic on port 80 to HTTPS or HTTP/2 on port 443. This way, the Load Balancer can listen for traffic on both ports but redirect unencrypted traffic for better security.

TCP Balancing

TCP balancing is available for applications that do not speak HTTP. For example, deploying a Load Balancer in front of a database cluster like Galera would allow you spread requests across all available machines.

Let’s Encrypt SSL Certificates

Load Balancer Let’s Encrypt Certificates are fully managed and automatically renewed on your behalf every 60 days. You can use SSL certificates with HTTPS and HTTP/2.


Let’s Encrypt

  • DNS must be managed on DigitalOcean.

Let’s Encrypt Certificate are issued for domain names, not IP addresses. To manage DNS records and Let’s Encrypt on Load Balancers on your behalf, the DNS records must be managed on DigitalOcean.

  • SSL termination only.

DigitalOcean does not install or maintain certificates on our unmanaged services. Because SSL passthrough requires certificates on the Droplets themselves, and because Droplets are not managed by DigitalOcean, automatic certificate management isn’t available.

  • Wildcard certificates are not supported.

Let’s Encrypt added wildcard certificate support in March of 2018. These wildcard certificates are not supported, and Let’s Encrypt continues to recommend non-wildcard certificates for most use cases.

  • Let’s Encrypt imposes rate limits.

Let’s Encrypt imposes the following rate limits to ensure fair usage:

  • 20 certificates per registered domain per week
  • 100 names per certificate
  • 5 duplicate domain certificates per week

There are more details available on the Let’s Encrypt rate limits page.

If your certificate isn’t issued on the first try, we will automatically retry at 20 minute intervals up to 3 times. After that, we’ll send email to your account’s address letting you know that the certificate creation failed.