feat(lb): add troubleshooting

faq/loadbalancer.mdx

@@ -27,6 +27,8 @@ Yes: Check out our documentation on:
 
 By default, each [public](/load-balancer/concepts/#accessibility) Load Balancer is created automatically with a flexible IPv4 address. This is a public IP that can be held in your account even after you delete your Load Balancer. You can optionally also add an IPv6 address.
 
+**This IP address is fixed and does not risk changing once attached to your Load Balancer**.
+
 Your frontend listens to your Load Balancer's public flexible IP address. In case of a failure of the Load Balancer, a replica Load Balancer is immediately spawned and deployed, and the IP address is automatically rerouted to this replica. This is done automatically, by the Load Balancer control subsystems.
 
 When you delete a Load Balancer, you can choose to keep its flexible IP(s) in your account, to reuse later with a new Load Balancer. These flexible IPs are not compatible with other Scaleway products (e.g. Instances, Elastic Metal servers, Public Gateways): each resource has its own set of flexible IPs.
@@ -35,6 +37,12 @@ When you delete a Load Balancer, you can choose to keep its flexible IP(s) in yo
 
 Each Load Balancer can have one public IPv4 address and one public IPv6 address. Currently, it is not possible to assign more than one of each type of IP to a given Load Balancer.
 
+## How can I move my Instance's flexible IP address to my Load Balancer?
+
+This is not possible: flexible IPs are scoped to the resource-type that they were created for. You can move a flexible IP between different Instances, but not move it to a Load Balancer. 
+
+Watch this space for resource-agnostic flexible IPs in the future.
+
 ## Do Load Balancers support external IPv6 connections?
 
 Yes, Load Balancer supports both IPv4 and IPv6 addresses at the frontend. IPv6 can also be used to communicate between the Load Balancer and your backend servers.
@@ -60,6 +68,8 @@ To take advantage of multi-cloud, you must choose a compatible Load Balancer off
 
 All protocols based on `TCP` are supported. This includes `database`, `HTTP`, `LDAP`, `IMAP` and so on. You can also specify `HTTP` to benefit from support and features that are exclusive to this protocol.
 
+Scaleway Load Balancer does not currently support `UDP`.
+
 ## Is it possible to add security to restrict access to a URL or port on the Load Balancer?
 
 Yes, you can restrict the use of a `TCP` port or `HTTP` URL using ACLs. Find more information in our [ACL documentation](/load-balancer/how-to/create-manage-acls/).
@@ -78,4 +88,8 @@ A health check is one of the core concepts for a well-functioning Load Balancer.
 
 ## Can I set up a caching service for my load balanced application?
 
-Yes, this is possible with Scaleway's [Edge Services](/edge-services/) product, currently in Public Beta. By creating an Edge Services pipeline for your Load Balancer, you can access Edge Services caching service reduce load on your origin.
+Yes, this is possible with Scaleway's [Edge Services](/edge-services/) product, currently in Public Beta. By creating an Edge Services pipeline for your Load Balancer, you can access Edge Services caching service reduce load on your origin.
+
+## How can I add extra security such as a firewall or anti-DDOS to my Load Balancer?
+
+This will be available soon via [Edge Services](/edge-services/), watch this space.

menu/navigation.json

@@ -3597,6 +3597,22 @@
               },
               {
                 "items": [
+                  {
+                    "label": "I am having problems configuring my Load Balancer",
+                    "slug": "configuration"
+                  },
+                  {
+                    "label": "I am experiencing connection problems and HTTP errors with my Load Balancer",
+                    "slug": "http-connection-errors"
+                  },
+                  {
+                    "label": "I am having problems with my Load Balancer's certificate",
+                    "slug": "certificates"
+                  },
+                  {
+                    "label": "I am experiencing problems with my Kubernetes Load Balancer",
+                    "slug": "k8s-errors"
+                  },
                   {
                     "label": "Load Balancer Limitations",
                     "slug": "load-balancer-limitations"

pages/load-balancer/troubleshooting/certificates.mdx

@@ -0,0 +1,84 @@
+---
+meta:
+  title: I am having problems with my Load Balancer's certificate
+  description: Troubleshoot errors that you may experience when creating an SSL/TLS certificate, adding it to your Load Balancer frontend, or successfully handling HTTPS connections.
+content:
+  h1: I am having problems with my Load Balancer's certificate
+  paragraph: Troubleshoot errors that you may experience when creating an SSL/TLS certificate, adding it to your Load Balancer frontend, or successfully handling HTTPS connections.
+tags: load-balancer certificate ssl tls dns
+dates:
+  validation: 2025-03-10
+  posted: 2025-03-10
+categories:
+  - network
+---
+
+## I'm experiencing DNS errors when adding an SSL/TLS certificate
+
+You may be trying to [create or upload](/load-balancer/how-to/add-certificate/) a certificate for your Load Balancer, and receive the following error message:
+
+```
+invalid argument(s): dns_name does not respect constraint, <domain> does not resolve to your Load Balancer IP
+```
+
+### Cause
+
+The domain name specified does not resolve to the Load Balancer's public IP address.
+
+### Solution
+
+Try the following steps:
+
+- Ensure that a DNS record exists, pointing this domain to the Load Balancer's public IP address.
+- Ensure that you have correctly typed the domain name, with no typos or errors.
+- If you created the DNS record very recently, DNS propagation might not yet be complete. Wait for 30-60 minutes and try again, to see if the issue resolves itself.
+- If you are trying to upload a custom certificate:
+    - Check the certificate's validity dates and ensure it's not expired or not yet valid.
+    - If the certificate has wildcards, ensure it covers the correct domain and subdomains. For example, if your certificate covers `*.example.com`, you can use it to secure `subdomain.example.com` but not `sub.subdomain.example.com`. Check the [IETF documentation](https://www.ietf.org/rfc/rfc2818.txt).
+- If the error persists, check the DNS entry using a tool like `dig`, to ensure it is resolving correctly.
+
+
+## I am experiencing HTTP errors when generating a Let's Encrypt SSL/TLS certificate
+
+You may be trying to [generate a Let's Encrypt certificate](/load-balancer/how-to/add-certificate/#how-to-generate-and-add-a-lets-encrypt-certificate) for your Load Balancer, and receive the following error message:
+
+```
+HTTP error 400: The port 80 frontend must be associated to an HTTP backend
+```
+
+### Cause
+
+Let's Encrypt certificates cannot be created for Load Balancers which have a frontend listening on port 80, but are attached to a **TCP** backend. This is because the Let's Encrypt challenge would fail. 
+
+### Solution:
+
+Ensure that your Load Balancer has either:
+- An HTTP-protocol-backend attached to a frontend listening on port 80, or
+- A TCP-protocol-backend attached to a frontend listening on a port other than 80
+
+Alternatively, create and import your own [custom certificate](/load-balancer/how-to/add-certificate/#how-to-import-a-certificate) for your Load Balancer, rather than generating a Let's Encrypt certificate via Scaleway.
+
+## I added a certificate to my Kubernetes Load Balancer via the Scaleway console, but it is not working correctly
+
+You may have used the Scaleway console attach a certificate to your Kubernetes Kapsule Load Balancer, and then find that the SSL certificate does not work as expected afterwards, with connections lost and HTTPS traffic dropped.
+
+### Cause
+
+Kubernetes Kapsule is a managed service, as are the Load Balancers created as part of the cluster.
+Modifying a Kubernetes Load Balancer via the Scaleway console results in non-permanent modifications which are not known to the Kubernetes Kapsule service, and therefore end up being overwritten.
+
+### Solution
+
+Always modify Kubernetes Load Balancers via the cluster's Cloud Controller Manager (CCM), using [Load Balancer annotations](/kubernetes/reference-content/using-load-balancer-annotations/). 
+
+The specific annotation to use can be found in the [Scaleway CCM documentation](https://github.com/scaleway/scaleway-cloud-controller-manager/blob/master/docs/loadbalancer-annotations.md#servicebetakubernetesioscw-loadbalancer-certificate-ids).
+
+
+## I have a different problem related to my Load Balancer SSL/TLS certificate
+
+Check the following documentation:
+
+- [How to add an SSL/TLS certificate](/load-balancer/how-to/add-certificate/)
+- [Setting up SSL bridging, offloading or passthrough](/load-balancer/reference-content/ssl-bridging-offloading-passthrough/)
+- [Load Balancer API Documentation: Certificates](https://www.scaleway.com/en/developers/api/load-balancer/zoned-api/#path-certificate-get-an-ssltls-certificate)
+- [Load Balancer Terraform Documentation: Certificates](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/lb_certificate)

pages/load-balancer/troubleshooting/configuration.mdx

@@ -0,0 +1,97 @@
+---
+meta:
+  title: I am having problems configuring my Load Balancer
+  description: Troubleshoot problems that you may experience when configuring your Load Balancer, such as adding backend servers, setting up Private Networks and dealing with security concerns.
+content:
+  h1:  I am having problems configuring my Load Balancer
+  paragraph: Troubleshoot problems that you may experience when configuring your Load Balancer, such as adding backend servers, setting up Private Networks and dealing with security concerns.
+tags: load-balancer configuration backend server error security ip
+dates:
+  validation: 2025-03-06
+  posted: 2025-03-06
+categories:
+  - network
+---
+
+If your problem concerns any of the following, see our specific documentation pages:
+
+- [Troubleshooting certificate configuration](/load-balancer/troubleshooting/certificates/)
+- [Setting up SSL bridging, offloading or passthrough](/load-balancer/reference-content/ssl-bridging-offloading-passthrough/)
+- [Troubleshooting connection and HTTP errors](/load-balancer/troubleshooting/http-connection-errors/)
+- General advice and help for configuring [frontends](/load-balancer/reference-content/configuring-frontends/), [backends](/load-balancer/reference-content/configuring-backends/) and [health checks](/load-balancer/reference-content/configuring-health-checks/)
+- [Creating and configuring a Kubernetes Load Balancer](/kubernetes/reference-content/kubernetes-load-balancer/)
+
+## When adding a backend server to my Load Balancer, I get the message: IP is not owned by Scaleway
+
+You may be trying to [add a backend server](/load-balancer/how-to/create-frontends-backends/#configuring-traffic-management) to your Load Balancer's backend, and experience the following error:
+
+`HTTP 404: IP not owned by Scaleway`
+
+### Cause
+
+You are trying to add the IP address of a backend server that is not owned by Scaleway (i.e. is not a Scaleway resource such as an Instance, Elastic Metal server or Managed Database).
+
+### Solution
+
+Only certain Load Balancer types (L and XL) allow you to add non-Scaleway resources as backend servers. This is indicated as "Multi-cloud provider" compatibility in the [Load Balancer creation form](https://console.scaleway.com/load-balancer/lbs/create).
+
+Either:
+
+- [Resize](/load-balancer/how-to/resize-lb/) your Load Balancer to a type that is compatible with multi-cloud backend servers, or
+- Use only Scaleway resources as backend servers for your Load Balancer
+
+## When adding a backend server via its private IP address, I get the message: IP doesn't exist
+
+You may be trying to [add a backend server](/load-balancer/how-to/create-frontends-backends/#configuring-traffic-management) to your Load Balancer's backend using the server's private IP address, and experience an error message saying that the IP doesn't exist.
+
+### Cause
+
+You are entering an incorrect IP address for your resource, or using private IP address that is outside the standard range for private networks.
+
+### Solution
+
+- Check that you are entering the correct [private IP address](/vpc/how-to/attach-resources-to-pn/#how-to-view-the-resources-ip-address) for your resource, and that it is attached to the same Private Network as the Load Balancer.
+- Verify that you are using a private IP address that is within the standard ranges used for private networks as described in [RFC1918](https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses). Only IP addresses from within one of these ranges are supported by Scaleway Load Balancer.
+
+
+## My Load Balancer's Elastic Metal backend servers added via private IPs are all down
+
+You may add Elastic Metal backend servers to your Load Balancer using their private IP address, and find they are marked as `DOWN` as soon as you add them. You are unable to work out why they are failing their health checks.
+
+### Cause
+
+The Load Balancer is unable to successfully communicate with the Elastic Metal backend servers over the Private Network, resulting in failed health checks.
+
+### Solution
+
+- Check that your health checks and backend servers are correctly configured to work together.
+- Check that you have entered the correct [private IP address](/vpc/how-to/attach-resources-to-pn/#how-to-view-the-resources-ip-address) for your Elastic Metal server, and that it is attached to the same Private Network as the Load Balancer.
+- Elastic Metal servers require additional manual configuration of their network interface, unlike Instances and other resource types. Ensure you have [followed the necessary configuration steps](/elastic-metal/how-to/use-private-networks/#how-to-configure-the-network-interface-on-your-elastic-metal-server-for-private-networks).
+
+
+## My Load Balancer's IP address is appearing in the backend application's logs, instead of the real client IP address.
+
+You may find that as requests are passed from the client, through the Load Balancer, to your backend servers, that the client's original IP address is replaced with the Load Balancer's IP address in your backend application's logs. This is problematic if you need the original IP address for localization, security or other purposes.
+
+### Cause
+
+Proxy Protocol has not been activated on your Load Balancer, meaning that information about the original client's connection is not being passed through to the backend servers.
+
+### Solution
+
+Activate [Proxy Protocol](/load-balancer/reference-content/configuring-backends/#proxy-protocol) on your Load Balancer, and ensure that your backend server is [correctly configured](/tutorials/proxy-protocol-v2-load-balancer/) to handle this protocol.
+
+## Security rules not being applied as expected, and I am having difficulties in filtering incoming traffic through my Load Balancer 
+
+You may find that traffic is not being filtered as expected via your Load Balancer, and that Instances in your backend are not dropping unauthorized traffic as expected.
+
+### Cause
+
+Instance security groups and/or Load Balancer ACLs are incorrectly configured.
+
+### Solution
+
+Instance [security groups](instances/how-to/use-security-groups/) should still filter public traffic arriving on your backend server Instances, as long as that traffic is arriving over the public interface. This means the Instance in question must be attached to the Load Balancer via its public IP and not any private IP.
+- Ensure that your Instance is attached via its public IP address. If your Instance behind a Load Balancer is attached via a private IP address, the security group rules will not be applied.
+- Double check your [security group rules](/instances/how-to/use-security-groups/#how-to-choose-security-group-settings), to verify that they correspond to the required ports, protocols, and IP addresses configured for your Load Balancer
+- To filter incoming traffic to your backend servers **as it passes through the Load Balancer**, use [Load Balancer ACLs](/load-balancer/how-to/create-manage-acls/).