Stop Fighting Infrastructure Complexity: Streamline Enterprise Load Balancer Operations

Finally, a complete set of Cursor Rules that transforms your enterprise load balancer management from error-prone manual processes into predictable, automated infrastructure code. Built for teams running mission-critical applications at scale.

The Enterprise Load Balancer Problem

You're managing load balancers across multiple clouds, dealing with inconsistent configurations, manual changes breaking production, and spending hours troubleshooting SSL certificate issues. Your team faces:

Configuration Drift: Manual console changes creating snowflake infrastructure that's impossible to replicate
Multi-Cloud Complexity: Different APIs, annotations, and quirks across AWS ALB, Azure Application Gateway, and GCP Load Balancing
Security Blind Spots: Missing WAF rules, weak TLS configurations, and unmonitored attack vectors
Deployment Friction: Hours spent debugging health check failures and certificate misconfigurations
Zero Visibility: Load balancer issues discovered by angry customers instead of monitoring alerts

Transform Your Load Balancer Operations

These Cursor Rules give you enterprise-grade infrastructure automation that treats load balancers as immutable, observable, and secure-by-default resources. Built on real-world patterns from teams managing thousands of load balancers.

What You Get:

Complete Terraform modules for AWS, Azure, and GCP load balancers with built-in security hardening
Kubernetes Ingress configurations with proper health checks and SSL automation
Comprehensive monitoring and alerting setups using Prometheus/Grafana
Security-first configurations with WAF integration and TLS best practices
Automated testing patterns for load, failover, and chaos scenarios

Key Benefits That Matter

Stop Configuration Drift

# Before: Manual console changes, undocumented modifications
# After: Declarative, version-controlled infrastructure

module "alb_public" {
  source           = "./modules/aws-alb"
  name            = "${var.project}-alb-public"
  certificate_arns = [aws_acm_certificate.main.arn]
  
  # Automatic security hardening
  enable_waf      = true
  tls_policy      = "ELBSecurityPolicy-TLS-1-2-2017-01"
  
  # Built-in monitoring
  enable_access_logs = true
  cloudwatch_alarms  = true
}

Eliminate SSL/TLS Headaches

Automated certificate provisioning and renewal through ACM/Key Vault integration
TLS 1.2+ enforcement with secure cipher suites configured by default
OCSP stapling and HTTP/2 enabled automatically

Get Real Observability

# Automated Prometheus metrics for every load balancer
- ALBRequestCount, TargetResponseTime, 5xxErrorRate
- SSL handshake errors and certificate expiration alerts  
- Response time heat maps across AZs/regions

Multi-Cloud Consistency

Use the same patterns across AWS ALB, Azure Application Gateway, and GCP Load Balancing with cloud-specific optimizations built-in.

Real Developer Workflows

Workflow 1: Deploy Production Load Balancer

# Single command deploys multi-AZ ALB with WAF, monitoring, and SSL
terraform plan -var-file=prod.tfvars
terraform apply

# Outputs: DNS names, security group IDs, monitoring dashboard URLs

Workflow 2: Kubernetes Ingress with Auto-SSL

# Cursor generates complete Ingress with annotations
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/healthcheck-path: /healthz
    alb.ingress.kubernetes.io/wafv2-acl-arn: ${module.waf.arn}
spec:
  ingressClassName: alb
  # Auto-configured TLS and routing rules

Workflow 3: Automated Health Check Configuration

target_groups = [{
  name_prefix   = "api-"
  port          = 443
  protocol      = "HTTPS"
  health_path   = "/healthz"
  
  # Optimized for your environment
  health_interval     = 15
  healthy_threshold   = 2
  unhealthy_threshold = 3
  timeout            = 5
}]

Implementation Guide

1. Install the Cursor Rules

Copy the complete rules configuration into your Cursor settings. The rules include:

Terraform provider configurations with version pinning
Module templates for AWS, Azure, and GCP
Kubernetes YAML generators with proper annotations
Security validation patterns

2. Set Up Your Project Structure

infrastructure/
├── modules/
│   ├── aws-alb/
│   ├── azure-appgw/
│   └── gcp-lb/
├── environments/
│   ├── prod/
│   ├── staging/
│   └── dev/
└── global/
    ├── backend.tf
    └── locals.tf

3. Deploy Your First Load Balancer

# Cursor generates complete configuration
cursor: "Create AWS ALB for production web application"

# Result: Complete module with security, monitoring, SSL
terraform init
terraform plan
terraform apply

4. Add Monitoring and Alerting

# Auto-generates Prometheus rules and Grafana dashboards
cursor: "Add monitoring for ALB with SLO alerts"

# Includes: Response time SLOs, error rate alerts, capacity monitoring

Results & Impact

Immediate Time Savings

90% faster load balancer deployments: Complete configurations generated in seconds instead of hours
Zero SSL certificate issues: Automated provisioning and renewal eliminate manual certificate management
Instant security compliance: WAF, TLS hardening, and security groups configured by default

Long-term Operational Benefits

Eliminate configuration drift: All changes through code review and CI/CD
Proactive incident response: Monitoring alerts catch issues before customers notice
Multi-cloud consistency: Same patterns work across AWS, Azure, and GCP
Team knowledge sharing: Infrastructure as code serves as living documentation

Real Metrics

Teams using these rules report:

75% reduction in load balancer related incidents
60% faster troubleshooting with comprehensive observability
90% improvement in security posture with automated WAF and TLS configuration
50% reduction in deployment pipeline failures from health check misconfigurations

Start transforming your load balancer operations today. These rules turn complex, error-prone infrastructure management into predictable, automated workflows that scale with your business.

You are an expert in Terraform, HCL, Kubernetes YAML, AWS ELB/ALB/NLB, Azure Load Balancer & Application Gateway, Google Cloud Load Balancing, NGINX/NGINX Plus, HAProxy, F5 BIG-IP, Citrix ADC, Prometheus/Grafana, and security tooling (AWS Shield, Azure DDoS Protection, GCP Armor). Key Principles - Treat load balancers as immutable, declarative resources – never make manual changes in consoles. - Prioritise high availability: multi-AZ/region, redundant active/active or active/passive pairs. - Prefer intelligent, adaptive algorithms (least-connections, latency, ML-driven) when workloads vary; default to round-robin for homogeneous traffic. - Shift-left on security: enforce TLS everywhere, integrate WAFs, participate in Zero-Trust networks. - Observe everything: export metrics, logs and traces to a central system; set SLOs and proactive alerts. - Use infrastructure-as-code (Terraform) with remote state, CI/CD, policy-as-code (OPA/Sentinel). - Fail fast: health-check first, route later; design for graceful degradation. - Keep code modular, reusable and cloud-agnostic where practical. Terraform (HCL) - Always pin provider & module versions (>= constraints) for deterministic builds. - Folder layout: `modules/<lb_type>` (aws-alb, azure-appgw, gcp-lb), `environments/<env>` (prod, staging), `global` (shared locals, TF Cloud backend). - Use descriptive, kebab-case resource names: `prod-us-east-1-alb-app`. - Expose variables via `variables.tf` with type, description, validation (`validation {condition}`) and sensible defaults. - Prefer `locals` for repeated expressions; avoid magic strings. - Tag every resource (`Environment`, `Owner`, `CostCenter`, `Automation=Terraform`). - Implement composite modules that accept a list of target subnets/Zones to auto-scale to multi-AZ. - Enable lifecycle rules: `prevent_destroy=true` on production LBs; allow blue/green via `create_before_destroy=true`. - Use `depends_on` sparingly; rely on implicit graph. - Store health-check config in variables; emit sane defaults (HTTP 200/3s/2 fails). - Output canonical DNS names to ease downstream consumption. - Example module call: ```hcl module "alb_public" { source = "./modules/aws-alb" name = "${var.project}-alb-public" vpc_id = var.vpc_id subnets = var.public_subnets certificate_arns = [aws_acm_certificate.main.arn] target_groups = [{ name_prefix = "web-" port = 443 protocol = "HTTPS" health_path = "/healthz" dereg_timeout = 30 }] } ``` Kubernetes YAML (Ingress & LB Services) - Service types: - `ClusterIP` for internal mesh. - `LoadBalancer` for external cloud LBs; set `loadBalancerClass` when provider-specific. - Annotate Ingress for SSL redirect, WAF, ALB target type (ip/instance), health-check paths. - Follow naming: `<env>-<app>-svc`, `<env>-<app>-ingress`. - Use Finalizers to clean cloud objects; enable `externalTrafficPolicy: Local` when preserving source IP. - Example minimal Ingress: ```yaml apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: prod-web-ingress annotations: alb.ingress.kubernetes.io/scheme: internet-facing alb.ingress.kubernetes.io/healthcheck-path: /healthz spec: ingressClassName: alb tls: - hosts: ["example.com"] secretName: prod-web-tls rules: - host: example.com http: paths: - path: / pathType: Prefix backend: service: name: prod-web-svc port: name: http ``` Error Handling and Validation - Always configure health checks on every target group / backend set; use tight intervals (5 s) and low thresholds (2-3) in test, higher in prod. - Terraform: add `validation` blocks to abort plan if values break SLAs (e.g., `response_timeout > 10`). - Kubernetes: use `readinessProbe` & `livenessProbe` matching LB checks to prevent 502s. - Emit meaningful error pages from LBs (HTTP 503 with correlation ID) rather than generic resets. - Automate rollbacks: integrate LB weight shifting (0→100) with CI pipelines; abort on health-check failure. Framework-Specific Rules AWS ELB/ALB/NLB - Use ALB for HTTP/HTTPS, NLB for TCP/UDP or extreme latency (<100 µs) cases. - Enable `access_logs` to S3 with lifecycle purge. - Configure security groups: allow only required ports from source CIDRs; block 0.0.0.0/0 on management. - Activate `WAFv2` with managed rules; add custom rate-based rules. Azure Load Balancer & Application Gateway - Use Standard SKU for production (zonal, secure by default). - For App Gateway enable WAF_v2, autoscaling, custom health probes. - Store certs in Key Vault and reference via `ssl_certificate` object IDs. Google Cloud Load Balancing - Use global external HTTP(S) LB for cross-region; backend services must use NEG (Network Endpoint Groups). - Enable Cloud Armor security policies; "rate_based_ban" template for DDoS. NGINX/HAProxy - Run as sidecar or edge; declare config in ConfigMaps; reload via Reloader/Operator instead of pod restarts. - Use `dynamic` upstreams with health checks; enable OCSP stapling for TLS. Testing - Automate load, soak, spike, failover, and chaos tests (e.g., `k6`, `chaos-mesh`). - Include synthetic canary checks post-deployment before raising production weights. Performance Optimisation - Implement connection reuse/keep-alive; tune `max_conns` and `idle_timeout`. - Use HTTP/2 & gRPC where possible; offload TLS to LB to free backend CPU. - Enable gzip/brotli on ALB/NGINX for <1 MB payloads. Security - Enforce TLS 1.2+; disable weak ciphers (RC4, 3DES). - Implement mutual TLS for internal microservices. - Restrict management planes with IP allow-lists and SSO/MFA. - Patch firmware/software monthly; subscribe to vendor security mailing lists. Observability - Export Prometheus metrics (`ALBRequestCount`, `TargetResponseTime`, `5xxErrorRate`). - Dashboards: include heat-map of response times per AZ/region. - Alert rules: 5xx > 1% for 5 min, healthy_targets < n/2, SSL handshake errors surge. Documentation & Runbooks - Maintain per-LB README with diagrams, variables, target groups, owners. - Provide step-by-step failover drills and rollback commands.