Setting Up TCP proxy for Google Cloud Load Balancing

Google Cloud Platform (GCP) TCP Proxy Load Balancing allows you to use a single IP address for all users around the world. GCP TCP proxy load balancing automatically routes traffic to the instances that are closest to the user.

Cloud TCP Proxy Load Balancing is intended for non-HTTP traffic. For HTTP traffic, HTTP(S) Load Balancing is recommended instead. For proxied SSL traffic, use SSL Proxy Load Balancing.

TCP Proxy Load Balancing supports both IPv4 and IPv6 addresses for client traffic. Client IPv6 requests are terminated at the global load balancing layer, then proxied over IPv4 to your backends.

Contents

Overview

With TCP proxying for your TCP traffic, you can terminate your customers’ TCP sessions at the global load balancing layer, then forward the traffic to your virtual machine instances using TCP or SSL.

TCP Proxy Load Balancing is a global load balancing service. You can deploy your instances in multiple regions, and global load balancing automatically directs traffic to the region closest to the user. If a region is at capacity, the load balancer automatically directs new connections to another region with available capacity. Existing user connections remain in the current region.

TCP Proxy Load Balancing advantages:

  • Intelligent routing — the load balancer can route requests to backend locations where there is capacity. In contrast, an L3/L4 load balancer must route to regional backends without paying attention to capacity. Use of smarter routing allows provisioning at N+1 or N+2 instead of x*N.
  • Security patching — If vulnerabilities arise in the TCP stack, we will apply patches at the load balancer automatically in order to keep your instances safe.
  • TCP Proxy Load Balancing supports the following ports: 25, 43, 110, 143, 195, 443, 465, 587, 700, 993, 995, 1883, 5222

Notes:

  • TCP Proxy Load Balancing can handle HTTP, but this is not recommended. You should instead use HTTP load balancing for HTTP traffic.

We now describe how TCP Proxy Load Balancing works and walk you through configuring a TCP proxy to load balance traffic to some instances.

TCP Proxy Load Balancing example

With TCP proxy at the global load balancing layer, traffic coming over a TCP connection is terminated at the global layer then proxied to the closest available instance group.

In this example, the traffic from the users in Iowa and Boston is terminated at the global load balancing layer, and a separate connection is established to the selected backend instance.

Google Cloud Load Balancing with TCP termination (click to enlarge)
Google Cloud Load Balancing with TCP termination (click to enlarge)

Setting up TCP Proxy Load Balancing

This example demonstrates setting up global TCP Proxy Load Balancing for a simple service that exists in two regions: us-central1 and us-east1. For purposes of the example, the service is a set of Apache servers configured to respond on port 110. Note that many browsers do not allow port 110, so we will be doing our final testing with curl.

We will configure the following:

  1. Four instances spread across two regions
  2. Instance groups for holding the instances
  3. A health check for verifying instance health
  4. A backend service, which monitors instances in groups and prevents them from exceeding configured usage
  5. The TCP proxy itself
  6. An external static IPv4 address and forwarding rule that sends user traffic to the proxy
  7. An external static IPv6 address and forwarding rule that sends user traffic to the proxy
  8. A firewall rule that allows traffic from the load balancer and health checker to the instances.

After that, we'll test our configuration.

Configure instances and instance groups

This section shows how to create simple instance groups, add instances to them, then add those instances to a backend service with a health check. A production system would normally use managed instance groups based on instance templates, but this setup is quicker for initial testing.

Configure instances

For testing purposes, let's install Apache on four instances, two in each of two instance groups. Normally, you wouldn't use TCP Proxy Load Balancing for HTTP traffic, but Apache is commonly used software and is easy to set up for testing.

These instance are all being created with a tag of tcp-lb. This tag is used later by the firewall rule.

Console


Create instances

  1. Go to the VM instances page in the Google Cloud Platform Console.
    Go to the VM instances page
  2. Click Create instance.
  3. Set Name to ig-us-central1-1.
  4. Set the Zone to us-central1-b.
  5. Click Management, disk, networking, SSH keys to reveal advanced settings.
  6. Under Management, populate the Tags field with tcp-lb.
  7. Set the Startup script to
       sudo apt-get update
       sudo apt-get install apache2 -y
       sudo sed -i '/Listen 80/c\Listen 110' /etc/apache2/ports.conf
       sudo sed -i '/\<VirtualHost *:80>/c\' /etc/apache2/sites-enabled/000-default.conf
       sudo service apache2 restart
       echo '<!doctype html><html><body><h1>ig-us-central1-1</h1></body></html>' | sudo tee /var/www/html/index.html
  8. Leave the default values for rest of the fields.
  9. Click Create.
  10. Create ig-us-central1-2 with the same settings, except with Startup script set to
        sudo apt-get update
        sudo apt-get install apache2 -y
        sudo sed -i '/Listen 80/c\Listen 110' /etc/apache2/ports.conf
        sudo sed -i '/\<VirtualHost *:80>/c\' /etc/apache2/sites-enabled/000-default.conf
        sudo service apache2 restart
        echo '<!doctype html><html><body><h1>ig-us-central1-2</h1></body></html>' | sudo tee /var/www/html/index.html
    .
  11. Create ig-us-east1-1 with the same settings, except with Zone set to us-east1-b and Startup script set to
        sudo apt-get update
        sudo apt-get install apache2 -y
        sudo sed -i '/Listen 80/c\Listen 110' /etc/apache2/ports.conf
        sudo sed -i '/\<VirtualHost *:80>/c\' /etc/apache2/sites-enabled/000-default.conf
        sudo service apache2 restart
        echo '<!doctype html><html><body><h1>ig-us-east1-1</h1></body></html>' | sudo tee /var/www/html/index.html
    .
  12. Create ig-us-east1-2 with the same settings, except with Zone set to us-east1-b and Startup script set to
        sudo apt-get update
        sudo apt-get install apache2 -y
        sudo sed -i '/Listen 80/c\Listen 110' /etc/apache2/ports.conf
        sudo sed -i '/\<VirtualHost *:80>/c\' /etc/apache2/sites-enabled/000-default.conf
        sudo service apache2 restart
        echo '<!doctype html><html><body><h1>ig-us-east1-2</h1></body></html>' | sudo tee /var/www/html/index.html
    .

gcloud


  1. Create ig-us-central1-1 in zone us-central1-b

    gcloud compute instances create ig-us-central1-1 \
        --image-family debian-8 \
        --image-project debian-cloud \
        --tags tcp-lb \
        --zone us-central1-b \
        --metadata startup-script="#! /bin/bash
          sudo apt-get update
          sudo apt-get install apache2 -y
          sudo sed -i '/Listen 80/c\Listen 110' /etc/apache2/ports.conf
          sudo sed -i '/\<VirtualHost *:80>/c\' /etc/apache2/sites-enabled/000-default.conf
          sudo service apache2 restart
          echo '<!doctype html><html><body><h1>ig-us-central1-1</h1></body></html>' | tee /var/www/html/index.html
          EOF"
    

    Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-central1-b/instances/ig-us-central1-1].
    NAME             ZONE          MACHINE_TYPE  PREEMPTIBLE INTERNAL_IP EXTERNAL_IP    STATUS
    ig-us-central1-1 us-central1-b n1-standard-1             10.240.0.8  23.251.150.133 RUNNING
    

  2. Create ig-us-central1-2 in zone us-central1-b

    gcloud compute instances create ig-us-central1-2 \
        --image-family debian-8 \
        --image-project debian-cloud \
        --tags tcp-lb \
        --zone us-central1-b \
        --metadata startup-script="#! /bin/bash
          sudo apt-get update
          sudo apt-get install apache2 -y
          sudo sed -i '/Listen 80/c\Listen 110' /etc/apache2/ports.conf
          sudo sed -i '/\<VirtualHost *:80>/c\' /etc/apache2/sites-enabled/000-default.conf
          sudo service apache2 restart
          echo '<!doctype html><html><body><h1>ig-us-central1-2</h1></body></html>' | tee /var/www/html/index.html
          EOF"
    

    Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-central1-b/instances/ig-us-central1-2].
    NAME             ZONE          MACHINE_TYPE  PREEMPTIBLE INTERNAL_IP EXTERNAL_IP    STATUS
    ig-us-central1-2 us-central1-b n1-standard-1             10.240.0.11 23.251.148.160 RUNNING
    

  3. Create ig-us-east1-1 in zone us-east1-b

    gcloud compute instances create ig-us-east1-1 \
        --image-family debian-8 \
        --image-project debian-cloud \
        --tags tcp-lb \
        --zone us-east1-b \
        --metadata startup-script="#! /bin/bash
          sudo apt-get update
          sudo apt-get install apache2 -y
          sudo sed -i '/Listen 80/c\Listen 110' /etc/apache2/ports.conf
          sudo sed -i '/\<VirtualHost *:80>/c\' /etc/apache2/sites-enabled/000-default.conf
          sudo service apache2 restart
          echo '<!doctype html><html><body><h1>ig-us-east1-1</h1></body></html>' | tee /var/www/html/index.html
              EOF"
    

    Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-east1-b/instances/ig-us-east1-1].
    NAME          ZONE       MACHINE_TYPE  PREEMPTIBLE INTERNAL_IP EXTERNAL_IP    STATUS
    ig-us-east1-1 us-east1-b n1-standard-1             10.240.0.12 104.196.31.214 RUNNING
    

  4. Create ig-us-east1-2 in zone us-east1-b

    gcloud compute instances create ig-us-east1-2 \
        --image-family debian-8 \
        --image-project debian-cloud \
        --tags tcp-lb \
        --zone us-east1-b \
        --metadata startup-script="#! /bin/bash
          sudo apt-get update
          sudo apt-get install apache2 -y
          sudo sed -i '/Listen 80/c\Listen 110' /etc/apache2/ports.conf
          sudo sed -i '/\<VirtualHost *:80>/c\' /etc/apache2/sites-enabled/000-default.conf
          sudo service apache2 restart
          echo '<!doctype html><html><body><h1>ig-us-east1-2</h1></body></html>' | tee /var/www/html/index.html
          EOF"
    

    Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-east1-b/instances/ig-us-east1-2].
    NAME          ZONE       MACHINE_TYPE  PREEMPTIBLE INTERNAL_IP EXTERNAL_IP    STATUS
    ig-us-east1-2 us-east1-b n1-standard-1             10.240.0.13 104.196.25.101 RUNNING
    

Create an instance group for each zone and add instances

Console


  1. Go to the Instance groups page in the Google Cloud Platform Console.
    Go to the Instance groups page
  2. Click Create instance group.
  3. Set the Name to us-ig1.
  4. Set the Zone to us-central1-b.
  5. Click Specify port name mapping.
  6. Set Port name to tcp110.
  7. Set Port numbers to 110.
  8. Under Instance definition, click Select existing instances.
  9. From VM instances select ig-us-central1-1 and ig-us-central1-2.
  10. Leave other settings as they are.
  11. Click Create.
  12. Repeat steps, but set the following:
    • Name: us-ig2
    • Zone: us-east1-b
    • Port name: tcp110
    • Port numbers: 110
    • Instances: ig-us-east1-1 and ig-us-east1-2.
  13. Confirm that you now have two instance groups, each with two instances.

gcloud


  1. Create the us-ig1 instance group.

    gcloud compute instance-groups unmanaged create us-ig1 \
        --zone us-central1-b
    

    Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-central1-b/instanceGroups/us-ig1].
    NAME    LOCATION       SCOPE  NETWORK  MANAGED  INSTANCES
    us-ig1  us-central1-b  zone                     0
    

  2. Create a named port for the instance group.

    gcloud compute instance-groups set-named-ports us-ig1 \
        --named-ports tcp110:110 \
        --zone us-central1-b
    

    Updated [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-east1-b/instanceGroups/us-ig2].

  3. Add ig-us-central1-1 and ig-us-central1-2 to us-ig1

    gcloud compute instance-groups unmanaged add-instances us-ig1 \
        --instances ig-us-central1-1,ig-us-central1-2 \
        --zone us-central1-b
    

    Updated [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-central1-b/instanceGroups/us-ig1].

  4. Create the us-ig2 instance group.

    gcloud compute instance-groups unmanaged create us-ig2 \
        --zone us-east1-b
    

    Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-east1-b/instanceGroups/us-ig2].
    NAME    LOCATION    SCOPE  NETWORK  MANAGED  INSTANCES
    us-ig2  us-east1-b  zone                     0
    

  5. Create a named port for the instance group.

    gcloud compute instance-groups set-named-ports us-ig2 \
        --named-ports tcp110:110 \
        --zone us-east1-b
    

    Updated [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-east1-b/instanceGroups/us-ig2].

  6. Add ig-us-east1-1 and ig-us-east1-2 to us-ig2

    gcloud compute instance-groups unmanaged add-instances us-ig2 \
        --instances ig-us-east1-1,ig-us-east1-2 \
        --zone us-east1-b
    

    Updated [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-east1-b/instanceGroups/us-ig2].

You now have an instance group in each of two regions, each with two instances.

Configure load balancer

Console


Create the load balancer and configure a backend service

  1. Go to the Load balancing page in the Google Cloud Platform Console.
    Go to the Load balancing page
  2. Click Create load balancer.
  3. Under TCP load balancing, click Start configuration.
  4. Set Internet facing or internal only to From Internet to my VMs.
  5. Set Multiple regions or single region to Multiple regions.

  6. Under Connection termination, select Yes (TCP Proxy or SSL Proxy).

  7. Click Continue.
  8. Set the Name to my-tcp-lb.
  9. Click Backend configuration.
  10. The Name of the backend service appears as my-tcp-lb.
  11. Set Protocol to TCP.
  12. Under New backend, select instance group us-ig1.
  13. In the Instance group has a named port dialog, click Use existing port name.
  14. Leave other settings as they are.
  15. Click Add backend.
  16. Select instance group us-ig2.
  17. Set Port numbers to 110.
  18. Under Health check, select Create health check.
    1. Set the health check Name to my-tcp-health-check.
    2. Set Protocol to TCP.
    3. Set Port to 110.
    4. Leave the other settings the same.
    5. Click Save and continue.
  19. Verify that there is a green check mark next to Backend configuration in the Google Cloud Platform Console. If not, double-check that you have completed all the steps above.

Configure frontend services

  1. Click Frontend configuration.
  2. Enter a Name of my-tcp-lb-forwarding-rule.
  3. Set Protocol to TCP
  4. Under IP, select Create IP address:
    1. Enter a Name of tcp-lb-static-ip.
    2. Click Reserve.
  5. Set Port to 110.
  6. Turn on Proxy protocol if desired.
  7. Click Done.
  8. Click Add frontend IP and port.
  9. Enter a Name of my-tcp-lb-ipv6-forwarding-rule.
  10. Select a protocol of TCP.
  11. Set IP version to IPv6.
  12. Under IP address, click Create IP address.
    1. Enter a name of tcp-lb-ipv6-static-ip.
    2. Click Reserve.
  13. Set Port to 110.
  14. Turn on Proxy protocol if desired.
  15. Click Done.
  16. Verify that there is a green check mark next to Frontend configuration in the Google Cloud Platform Console. If not, double-check that you have completed all the steps above.

Review and finalize

  1. Click Review and finalize.
  2. Double-check your settings.
  3. Click Create.

gcloud


Create a health check

gcloud compute health-checks create tcp my-tcp-health-check --port 110

Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/healthChecks/my-tcp-health-check].
NAME                PROTOCOL
my-tcp-health-check TCP

Create a backend service

gcloud compute backend-services create my-tcp-lb \
    --global \
    --protocol TCP \
    --health-checks my-tcp-health-check \
    --timeout 5m \
    --port-name tcp110

Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/backendServices/my-tcp-lb].
NAME      BACKENDS PROTOCOL
my-tcp-lb          TCP

Alternatively you could configure encrypted communication from the load balancer to the instances with --protocol SSL.

Add instance groups to your backend service

gcloud compute backend-services add-backend my-tcp-lb \
    --global \
    --instance-group us-ig1 \
    --instance-group-zone us-central1-b \
    --balancing-mode UTILIZATION \
    --max-utilization 0.8

Updated [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/backendServices/my-tcp-lb].

gcloud compute backend-services add-backend my-tcp-lb \
    --global \
    --instance-group us-ig2 \
    --instance-group-zone us-east1-b \
    --balancing-mode UTILIZATION \
    --max-utilization 0.8

Updated [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/backendServices/my-tcp-lb].

Configure a target TCP proxy

If you want to turn on the proxy header, set it to PROXY_V1 instead of none.

gcloud compute target-tcp-proxies create my-tcp-lb-target-proxy \
    --backend-service my-tcp-lb \
    --proxy-header NONE

Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/targetTcpProxies/my-tcp-lb-target-proxy].
NAME                   PROXY_HEADER SERVICE
my-tcp-lb-target-proxy NONE         my-tcp-lb

Reserve global static IPv4 and IPv6 addresses

Your customers can use these IP addresses to reach your load balanced service.

gcloud compute addresses create tcp-lb-static-ipv4 \
    --ip-version=IPV4 \
    --global

Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/addresses/tcp-lb-static-ipv4].
NAME                 REGION ADDRESS                 STATUS
tcp-lb-static-ip            [LB_STATIC_IPV4]        RESERVED

gcloud compute addresses create tcp-lb-static-ipv6 \
    --ip-version=IPV6 \
    --global

Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/addresses/tcp-lb-static-ipv6].
NAME                   REGION ADDRESS                 STATUS
tcp-lb-static-ip-ipv6         [LB_STATIC_IPV6]        RESERVED

Configure global forwarding rules for the two addresses

In place of [LB_STATIC_IPV4] and [LB_STATIC_IPV4], enter the relevant IP addresses. You can use gcloud compute addresses list to find them.

gcloud beta compute forwarding-rules create my-tcp-lb-ipv4-forwarding-rule \
    --global \
    --target-tcp-proxy my-tcp-lb-target-proxy \
    --address [LB_STATIC_IPV4] \
    --ports 110

Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/forwardingRules/my-tcp-lb-ipv4-forwarding-rule].
NAME                           REGION IP_ADDRESS       IP_PROTOCOL TARGET
my-tcp-lb-ipv4-forwarding-rule        [LB_STATIC_IPV4] TCP         my-tcp-lb-target-proxy

gcloud beta compute forwarding-rules create my-tcp-lb-ipv6-forwarding-rule \
    --global \
    --target-tcp-proxy my-tcp-lb-target-proxy \
    --address [LB_STATIC_IPV6] \
    --ports 110

Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/forwardingRules/my-tcp-lb-ipv6-forwarding-rule].
NAME                           REGION IP_ADDRESS       IP_PROTOCOL TARGET
my-tcp-lb-ipv6-forwarding-rule        [LB_STATIC_IPV6] TCP         my-tcp-lb-target-proxy

Create a firewall rule for the TCP load balancer

Configure the firewall to allow traffic from the load balancer and health checker to the instances. In this case, we will open TCP port 110. The health check will use the same port. Since the traffic between the load balancer and your instances uses IPv4, only IPv4 ranges need be opened.

Console


  1. Go to the Firewall rules page in the Google Cloud Platform Console.
    Go to the Firewalls rules page
  2. Click Create firewall rule.
  3. Enter a Name of allow-tcp-lb-and-health.
  4. Select VPC network to be default.
  5. Set Source filter to IP ranges.
  6. Set Source IP ranges to 130.211.0.0/22and 35.191.0.0/16.
  7. Set Allowed protocols and ports to tcp:110.
  8. Set Target tags to tcp-lb.
  9. Click Create.

gcloud


 gcloud compute firewall-rules create allow-tcplb-and-health \
     --source-ranges 130.211.0.0/22,35.191.0.0/16 \
     --target-tags tcp-lb \
     --allow tcp:110

Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/firewalls/allow-tcp110-130-211-0-0-22].
NAME                     NETWORK SRC_RANGES                   RULES      SRC_TAGS TARGET_TAGS
allow-tcplb-and-health   default 130.211.0.0/22,35.191.0.0/16 tcp:110             tcp-lb

Test your load balancer

Port 110 is a blocked port in many browsers, so you'll need to use something like curl to see your load balancer in action.

  1. Enter the IPv4 or IPv6 address in the address field into the curl command. Replace [IP_ADDRESS] with either the IPv4 or IPv6 address you created earlier.

    curl [IP_ADDRESS]:110

PROXY protocol for retaining client connection information

TCP Proxy Load Balancing terminates TCP connections from the client and creates new connections to the instances, hence the original client IP and port information is not preserved by default.

If you would like to preserve and send this information to your instances, then you will need to enable PROXY protocol (version 1) where an additional header containing the original connection information including source IP address, destination IP address, and port numbers is added and sent to the instance as a part of the request.

If you set this parameter for user traffic, you must also set it for health checks if you are serving traffic and checking health on the same port.

The PROXY protocol header will typically be a single line of user-readable text with the following format:

PROXY TCP4 <client IP> <load balancing IP> <source port> <dest port>\r\n

An example of the PROXY protocol is show below:

PROXY TCP4 192.0.2.1 198.51.100.1 15221 110\r\n

Where client IP is 192.0.2.1, load balancing IP is 198.51.100.1, client port is 15221 and the destination port is 110.

In cases where the client IP is not known, the load balancer will generate a PROXY protocol header in the following format:

PROXY UNKNOWN\r\n

If you are checking health and serving content on the same port, you can set your health check --proxy-header to match your load balancer setting. If you are using different ports, you can set this for your health check or not, as appropriate.

Health Checking

Health checks determine which instances can receive new connections. You can configure a TCP, SSL, HTTP, or HTTPS health check for determining the health of your instances.

  • If the service running on your backend instances is based on HTTP, use an HTTP health check
  • If the service running on your backend instances is based on HTTPS, use an HTTPS health check
  • If the service running on your backend instances uses SSL, use an SSL health check
  • Unless you have an explicit reason to use a different kind of health check, use a TCP health check

Health check firewall rules

Health check probes to your load balanced instances come from addresses in the ranges 130.211.0.0/22 and 35.191.0.0/16. Your firewall rules must allow these connections on the relevant port.

The section Create a firewall rule for the TCP Proxy load balancer covers this step.

See the Health Checks page for details on health checks.

Connection draining

You can enable connection draining on backend services to ensure minimal interruption to your users when an instance that is serving traffic is terminated, removed manually, or removed by an autoscaler. To learn more about connection draining, read the Enabling Connection Draining documentation.

TCP Proxy Load Balancing and GCP firewalls

Unlike Network Load Balancing, access to TCP Proxy Load Balancing cannot be controlled via firewall rules. This is because TCP Proxy Load Balancing is implemented at the edge of the Google Cloud and the GCP firewall rules are implemented on instances in the datacenter.

Monitoring

Please see the Monitoring section on the SSL Proxy page for information on TCP/SSL Monitoring.

Troubleshooting

Pages fail to load from load balancer IP

Because port 110 is a restricted port for many browsers, you must use a tool such as curl to test your load balancer. If you cannot reach your pages via curl, the rest of this section offers some troubleshooting steps.

Verify the health of instances

Verify that the instances are HEALTHY.

gcloud compute backend-services get-health [BACKEND-SERVICE]

Confirm that your firewall rule is correct

  • Both the health checker and the load balancer need 130.211.0.0/22 and 35.191.0.0/16 to be open.
  • If you are leveraging instance tags, make sure the tag is listed as under TARGET_TAGS in the firewall rule, and make sure all your instances have that tag. In this example, instances are tagged with tcp-lb.
gcloud compute firewall-rules list
NAME                      NETWORK SRC_RANGES                    RULES          SRC_TAGS TARGET_TAGS
allow-tcplb-and-health    default 130.211.0.0/22,35.191.0.0/16  tcp:110                 tcp-lb

Try to reach individual instances

Temporarily set a firewall rule that allows you to access your instances individually, then try to load a page from a specific instance.

  1. Open the firewall to allow traffic from any source to the tagged instances.

    gcloud compute firewall-rules create allow-tcp110-0-0-0-0   \
        --source-ranges 0.0.0.0/0   \
        --target-tags tcp-lb    \
        --allow tcp:110
    

    Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/firewalls/allow-tcp110-0-0-0-0].
    NAME                 NETWORK SRC_RANGES RULES   SRC_TAGS TARGET_TAGS
    allow-tcp110-0-0-0-0 default 0.0.0.0/0  tcp:110          tcp-lb
    

  2. Look up the EXTERNAL_IP address of one of the instances.

    
    

    NAME             ZONE           MACHINE_TYPE  PREEMPTIBLE INTERNAL_IP EXTERNAL_IP    STATUS
    ig-us-central1-1 us-central1-b  n1-standard-1             10.240.0.8  EXTERNAL_IP RUNNING
    ig-us-central1-2 us-central1-b  n1-standard-1             10.240.0.11 EXTERNAL_IP RUNNING
    ig-us-east1-1    us-east1-b     n1-standard-1             10.240.0.12 EXTERNAL_IP RUNNING
    ig-us-east1-2    us-east1-b     n1-standard-1             10.240.0.13 EXTERNAL_IP RUNNING

  3. Then access one or more of your instances directly from your browser.

    
    
  4. If your instances are not accessible by this method, make sure that your software is running correctly. If your instances are accessible individually, make sure your load balancer firewall rule is correct.

    
    

    allowed:
    - IPProtocol: tcp
      ports:
      - '110'
    creationTimestamp: '2017-03-16T15:21:34.119-07:00'
    description: ''
    id: '8144207668574597377'
    kind: compute#firewall
    name: allow-tcp-lb-and-health
    network: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/networks/default
    selfLink: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/firewalls/allow-tcp-lb-and-health
    sourceRanges:
    - 130.211.0.0/110
    - 35.191.0.0/16
    targetTags:
    - tcp-lb

  5. When you're sure the instances are working, remove the "from anywhere" firewall rule.

    
    

    The following firewalls will be deleted:
     - [allow-tcp110-0-0-0-0]

    Do you want to continue (Y/n)? y

    Deleted [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/firewalls/allow-tcp110-0-0-0-0].

Overvåg dine ressourcer på farten

Få Google Cloud Console-appen for bedre at kunne administrere dine projekter.

Send feedback om...

Compute Engine Documentation