scaleway
diff --git a/‎pages/load-balancer/troubleshooting/certificates.mdx
+92 b/‎pages/load-balancer/troubleshooting/certificates.mdx
+92
diff --git a/‎pages/load-balancer/troubleshooting/configuration.mdx
+98 b/‎pages/load-balancer/troubleshooting/configuration.mdx
+98
diff --git a/‎pages/load-balancer/troubleshooting/http-connection-errors.mdx
+75 b/‎pages/load-balancer/troubleshooting/http-connection-errors.mdx
+75
@@ -0,0 +1,92 @@
+---
+meta:
+  title: I am having problems with my Load Balancer's certificate
+  description: Troubleshoot errors that you may experience when creating an SSL/TLS certificate, adding it to your Load Balancer frontend, or successfully handling HTTPS connections.
+content:
+  h1: I am having problems with my Load Balancer's certificate
+  paragraph: Troubleshoot errors that you may experience when creating an SSL/TLS certificate, adding it to your Load Balancer frontend, or successfully handling HTTPS connections.
+tags: load-balancer certificate ssl tls dns
+dates:
+  validation: 2025-03-10
+  posted: 2025-03-10
+categories:
+  - network
+---
+
+## I'm experiencing DNS errors when adding an SSL/TLS certificate
+
+You may be trying to [create or upload](/load-balancer/how-to/add-certificate/) a certificate for your Load Balancer, and receive the following error message:
+
+```
+invalid argument(s): dns_name does not respect constraint, <domain> does not resolve to your Load Balancer IP
+```
+
+### Cause
+
+The domain name specified does not resolve to the Load Balancer's public IP address.
+
+### Solutions
+
+Try the following steps:
+
+- Ensure that a DNS record exists, pointing this domain to the Load Balancer's public IP address.
+- Ensure that you have correctly typed the domain name, with no typos or errors.
+- If you created the DNS record very recently, DNS propagation might not yet be complete. Wait for 30-60 minutes and try again, to see if the issue resolves itself.
+- If you are trying to upload a custom certificate:
+    - Check the certificate's validity dates and ensure it's not expired or not yet valid.
+    - If the certificate has wildcards, ensure it covers the correct domain and subdomains. For example, if your certificate covers `*.example.com`, you can use it to secure `subdomain.example.com` but not `sub.subdomain.example.com`. Check the [IETF documentation](https://www.ietf.org/rfc/rfc2818.txt).
+- If the error persists, check the DNS entry using a tool like `dig`, to ensure it is resolving correctly.
+
+
+## I am experiencing HTTP errors when generating a Let's Encrypt SSL/TLS certificate
+
+You may be trying to [generate a Let's Encrypt certificate](/load-balancer/how-to/add-certificate/#how-to-generate-and-add-a-lets-encrypt-certificate) for your Load Balancer, and receive the following error message:
+
+```
+HTTP error 400: The port 80 frontend must be associated to an HTTP backend
+```
+
+### Cause
+
+Let's Encrypt certificates cannot be created for Load Balancers which have a frontend listening on port 80, but are attached to a **TCP** backend. This is because the Let's Encrypt challenge would fail. 
+
+### Solution:
+
+Ensure that your Load Balancer has either:
+- An HTTP-protocol backend attached to a frontend listening on port 80, or
+- A TCP-protocol backend attached to a frontend listening on a port other than 80
+
+Alternatively, create and import your own [custom certificate](/load-balancer/how-to/add-certificate/#how-to-import-a-certificate) for your Load Balancer, rather than generating a Let's Encrypt certificate via Scaleway.
+
+## I added a certificate to my Kubernetes Load Balancer via the Scaleway console, but it is not working correctly
+
+You may have used the Scaleway console attach a certificate to your Kubernetes Kapsule Load Balancer, and then find that the SSL certificate does not work as expected afterwards, with connections lost and HTTPS traffic dropped.
+
+### Cause
+
+Kubernetes Kapsule is a managed service, as are the Load Balancers created as part of the cluster.
+Modifying a Kubernetes Load Balancer via the Scaleway console results in non-permanent modifications which are not known to the Kubernetes Kapsule service, and therefore end up being overwritten.
+
+### Solution
+
+Always modify Kubernetes Load Balancers via the cluster's Cloud Controller Manager (CCM), using [Load Balancer annotations](/kubernetes/reference-content/using-load-balancer-annotations/). 
+
+The specific annotation to use can be found in the [Scaleway CCM documentation](https://github.com/scaleway/scaleway-cloud-controller-manager/blob/master/docs/loadbalancer-annotations.md#servicebetakubernetesioscw-loadbalancer-certificate-ids).
+
+
+## I have a different problem related to my Load Balancer SSL/TLS certificate
+
+Check the following documentation:
+
+- [How to add an SSL/TLS certificate](/load-balancer/how-to/add-certificate/)
+- [Setting up SSL bridging, offloading or passthrough](/load-balancer/reference-content/ssl-bridging-offloading-passthrough/)
+- [Load Balancer API Documentation: Certificates](https://www.scaleway.com/en/developers/api/load-balancer/zoned-api/#path-certificate-get-an-ssltls-certificate)
+- [Load Balancer Terraform Documentation: Certificates](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/lb_certificate)
+
+
+
+
+     
+
+
+    
@@ -0,0 +1,98 @@
+---
+meta:
+  title: I am having problems configuring my Load Balancer
+  description: Troubleshoot problems that you may experience when configuring your Load Balancer, such as adding backend servers, setting up Private Networks and dealing with security concerns.
+content:
+  h1:  I am having problems configuring my Load Balancer
+  paragraph: Troubleshoot problems that you may experience when configuring your Load Balancer, such as adding backend servers, setting up Private Networks and dealing with security concerns.
+tags: load-balancer configuration backend server error security ip
+dates:
+  validation: 2025-03-06
+  posted: 2025-03-06
+categories:
+  - network
+---
+
+If your problem concerns any of the following, see our specific documentation pages:
+
+- [Troubleshooting certificate configuration](/load-balancer/troubleshooting/certificates/)
+- [Setting up SSL bridging, offloading or passthrough](/load-balancer/reference-content/ssl-bridging-offloading-passthrough/)
+- [Troubleshooting connection and HTTP errors](/load-balancer/troubleshooting/http-connection-errors/)
+- General advice and help for configuring [frontends](/load-balancer/reference-content/configuring-frontends/), [backends](/load-balancer/reference-content/configuring-backends/) and [health checks](/load-balancer/reference-content/configuring-health-checks/)
+- [Creating and configuring a Kubernetes Load Balancer](/kubernetes/reference-content/kubernetes-load-balancer/)
+
+## When adding a backend server to my Load Balancer, I get an error that the IP is not owned by Scaleway`
+
+You may be trying to [add a backend server](/load-balancer/how-to/create-frontends-backends/#configuring-traffic-management) to your Load Balancer's backend, and experience the following error:
+
+`HTTP 404: IP not owned by Scaleway`
+
+### Cause
+
+You are trying to add the IP address of a backend server that is not owned by Scaleway (i.e. is not a Scaleway resource such as an Instance, Elastic Metal server or Managed Database.)
+
+### Solution
+
+Only certain Load Balancer types (L and XL) are compatible with non-Scaleway resources as backend servers. This is indicated as "Multi-cloud provider" compatibility in the [Load Balancer creation form](https://console.scaleway.com/load-balancer/lbs/create).
+
+Either:
+
+- [Resize](/load-balancer/how-to/resize-lb/) your Load Balancer to a type that is compatible with multi-cloud backend servers, or
+- Use only Scaleway resources as backend servers for your Load Balancer
+
+## When adding a backend server via its private IP address, I get an error saying this IP doesn't exist
+
+You may be trying to [add a backend server](/load-balancer/how-to/create-frontends-backends/#configuring-traffic-management) to your Load Balancer's backend using the server's private IP address, and experience an error message saying that the IP doesn't exist.
+
+### Cause
+
+You are entering an incorrect IP address for your resource, or using private IP address that is outside the standard range for private networks.
+    
+### Solution
+
+- Check that you are entering the correct [private IP address](/vpc/how-to/attach-resources-to-pn/#how-to-view-the-resources-ip-address) for your resource, and that it is attached to the same Private Network as the Load Balancer.
+- Verify that you are using a private IP address that is within the standard ranges used for private networks as described in [RFC1918](https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses). Only IP addresses from within one of these ranges are supported by Scaleway Load Balancer.
+
+
+## My Load Balancer's Elastic Metal backend servers added via private IPs are all down
+
+You may find that your Elastic Metal backend servers, which were added to your Load Balancer's backend via their private IP addresses, are all marked as `DOWN` as soon as you add them, and you are unable to work out why they are failing their health checks.
+
+### Cause
+
+The Load Balancer is unable to successfully communicate with the Elastic Metal backend servers over the Private Network, resulting in failed health checks, due to a configuration problem.
+
+### Solution
+
+- Check that you are entering the correct [private IP address](/vpc/how-to/attach-resources-to-pn/#how-to-view-the-resources-ip-address) for your Elastic Metal server, and that it is attached to the same Private Network as the Load Balancer.
+- Elastic Metal servers require additional manual configuration of their network interface, unlike Instances and other resource types. Ensure you have [followed the necessary configuration steps](/elastic-metal/how-to/use-private-networks/#how-to-configure-the-network-interface-on-your-elastic-metal-server-for-private-networks).
+
+Ensure that the Elastic Metal servers have been correctly configured for the Privat Network. Note that additional steps are required.
+
+
+## My Load Balancer's IP address is appearing in the backend application's logs, instead of the real client IP address.
+
+You may find that as requests are passed from the client, through the Load Balancer, to your backend servers, that the client's original IP address is replaced with the Load Balancer's IP address in your backend application's logs. This is problematic if you need the original IP address for localization, security or other purposes.
+
+### Cause
+
+Proxy Protocol has not been activated on your Load Balancer, meaning that information about the original client's connection is not being passed through to the backend servers.
+
+### Solution
+
+Activate [Proxy Protocol](/load-balancer/reference-content/configuring-backends/#proxy-protocol) on your Load Balancer, and ensure that your backend server is [correctly configured](/tutorials/proxy-protocol-v2-load-balancer/) to handle the activation of this protocol.
+
+## Security rules not being applied as expected, and I am having difficulties in filtering incoming traffic through my Load Balancer 
+
+You may find that traffic is not being filtered as expected via your Load Balancer, and that Instances in your backend are not dropping unauthorized traffic as expected.
+
+### Cause
+
+Instance Security Groups and/or Load Balancer ACLs are incorrectly configured.
+
+### Solutions
+
+Instance [Security Groups](instances/how-to/use-security-groups/) should still filter public traffic arriving on your backend server Instances, as long as that traffic is arriving over the public interface, i.e. the Instance in question is attached to the Load Balancer via its public IP and not private IP.
+- Ensure that your Instance is attached via its public IP address. If your Instance behind a Load Balancer is attached via a private IP address, the Security Group rules will not be applied.
+- Double check your [Security Group rules](/instances/how-to/use-security-groups/#how-to-choose-security-group-settings), and that they correspond to the required ports, protocols and IP addresses configured for your Load Balancer
+- To filter incoming traffic to your backend servers **as it passes through the Load Balancer**, use [Load Balancer ACLs](/load-balancer/how-to/create-manage-acls/).
@@ -0,0 +1,75 @@
+---
+meta:
+  title: I am experiencing connection problems and HTTP errors with my Load Balancer
+  description: Troubleshoot connection problems and HTTP errors that you may experience when accessing applications served via your Load Balancer. Learn how to resolve common problems and get your application back up and running.
+content:
+  h1: I am experiencing connection problems and HTTP errors with my Load Balancer
+  paragraph: Troubleshoot connection problems and HTTP errors that you may experience when accessing applications served via your Load Balancer. Learn how to resolve common problems and get your application back up and running.
+tags: load-balancer http-errors bad-request
+dates:
+  validation: 2025-03-06
+  posted: 2025-03-06
+categories:
+  - network
+---
+
+You may experience connection problems and HTTP errors when attempting to connect to an application served via your Load Balancer. 
+
+This page helps you find solutions to some of these most common errors.
+
+### I am getting a 400 Bad Request error when accessing my application through my Load Balancer
+
+You may find that when attempting to connect to the domain linked to your Load Balancer / the application being served by your backend servers, you receive a `400 Bad Request` error.
+
+## Cause
+
+400 Bad Request errors occur when the backend servers cannot process a request due to client-side issues, or an incompatibility in the way that requests are passed through the Load Balancer and received by the backend server.
+
+## Solutions
+
+- Try accessing your application directly, and not through your Load Balancer, to eliminate the possibility that the problem does not come from the Load Balancer. Use a tool such as `cURL` or Postman to compare headers and body content to check how the Load Balancer is modifying requests.
+- Check your Load Balancer's [logs](/load-balancer/how-to/monitor-lb-cockpit/#how-to-view-and-understand-your-load-balancer-logs) for any additional information about the way the request was handled.
+- Verify your certificate and [SSL bridging/offloading/passthrough](/load-balancer/reference-content/ssl-bridging-offloading-passthrough/) settings. For example, if SSL is terminated at the Load Balancer, but the backend expects HTTPS, requests may be rejected.
+- Check if [Proxy Protocol](load-balancer/reference-content/configuring-backends/#proxy-protocol) is enabled on your Load Balancer. If your backend server is not configured to handle Proxy Protocol headers correctly, it may reject the requests. Try [disabling Proxy Protocol](/load-balancer/how-to/manage-frontends-and-backends/#how-to-edit-backends-and-health-checks) on your Load Balancer to see if it resolves the issue. If the issue is resolved when Proxy Protocol is disabled, [ensure your backend server is correctly configured for Proxy Protocol](/tutorials/proxy-protocol-v2-load-balancer/) before re-enabling.
+
+### I am getting a 503 Service Unavailable error when trying to access my application through my Load Balancer 
+
+You may find that when attempting to connect to the domain linked to your Load Balancer / the application being served by your backend servers, you receive a `503 Service Unavailable` error.
+
+### Cause
+
+503 Service Unavailable errors occur when backend servers are unable to handle requests due to overload or maintenance issues. It indicates that the server cannot currently fulfill the request, but may be able to in the future.
+
+### Solutions
+
+- Check the health of your backend servers. If the servers are failing their health checks, this is likely to be the reason for the error. Investigate the reason for the failing health check, and either make the necessary changes to the servers so they are able to successfully respond to health checks, or [modify your health check settings](/load-balancer/reference-content/configuring-health-checks/) as necessary.
+- Check that your Load Balancer is not exceeding its bandwidth. Each Load Balancer type has a [maximum bandwidth](https://www.scaleway.com/en/pricing/network/#load-balancer) it can handle. If you are exceeding this bandwidth, a 503 error is likely. [Check your Load Balancer's metrics](/load-balancer/how-to/monitor-lb-cockpit/), and [resize your Load Balancer](/load-balancer/how-to/resize-lb/) if necessary.
+- Check your Load Balancer's [backend protection settings](/load-balancer/reference-content/configuring-backends/#backend-protection), and compare with [Cockpit data](/load-balancer/how-to/monitor-lb-cockpit/). If backend protection compared to request/connection volume is set in such a way that all backend servers are becoming overloaded, you may need to add additional backend servers or adjust your backend protection settings.
+
+
+## I am getting SSL protocol errors when trying to access my application through my Load Balancer 
+
+You may find that when attempting to connect to the domain linked to your Load Balancer / the application being served by your backend servers, you receive an error similar to one of the following
+
+```
+ERR_SSL_PROTOCOL_ERROR
+```
+
+```
+SSL_ERROR_PROTOCOL_VERSION_ALERT
+```
+
+```
+This site can't provide a secure connection
+OpenSSL/3.0.14: error:0A00010B:SSL routines::wrong version number
+```
+
+### Cause
+
+There is a mismatch between the SSL/TLS protocol versions or configurations between the client and the Load Balancer / its backend servers. This can prevent you from being able to establish a secure connection to your application.
+
+### Solution
+
+- Check that the client or backend servers are not using older SSL protocols such as SSLv2 or SSLv3, which are considered insecure.
+- Ensure that you have correctly configured [SSL bridging, offloading or passthrough](/load-balancer/reference-content/ssl-bridging-offloading-passthrough/) on your Load Balancer, depending on your use case. 
+- Ensure that you have not confused activation of the [Proxy Protocol](/load-balancer/reference-content/configuring-backends/#proxy-protocol) setting as anything to do with SSL bridging, offloading or passthrough, as it is unrelated.