The tunnel mode looks like the Direct Server Return mode, except that traffic between the load-balancer and the server can be routed.

The load-balancer encapsulates the request in an IP tunnel to the server.
The server recover the client request from the loadbalancer, process it and forward the response directly to the client.

TCP connection overview

The loadbalancer takes client requests then encapsulate them into an IP tunnel to forward them to the server.

Data flow

The client traffic between the server and the load-balancer is tunneled and can be routed between both of them.
The server will answer directly to the client.

Pros and cons


  • backends from multiple datacenters can be used
  • load-balancer network bandwidth is not a bottleneck anymore
  • total output bandwidth is the sum of each backend bandwidth


  • requires patched backend to be able to tunnel IP traffic
  • no layer 7 advanced features are available

When use this architecture?

  • when the only way to reach backends is routing.
  • where no intelligence is required
  • when output capacity of the load-balancer could be the bottleneck