Setting Up a Load Balancer

This page describes how to set up a load balancer to use Cloud Identity-Aware Proxy (Cloud IAP) with Compute Engine and Container Engine.

Before you begin

Before you set up a load balancer, you'll need the following:

Setting up a load balancer in Compute Engine

To set up a load balancer in Compute Engine, your instances need to be in an instance group. This section describes how to create an instance group and then set up load balancing.

Creating an instance group

If you have instances in Compute Engine that aren't in an instance group, follow the steps below:

  1. Go to the Instance groups page.
  2. Click Create instance group.
  3. On the Instance definition list, click Select existing instances.
    1. You can leave other settings at their defaults or change any settings to your preferred configuration.
  4. Click Create.

Setting up the load balancer

If your instances in Compute Engine are in an instance group, follow the steps below to set up the load balancer:

  1. Go to the Load balancing page.
  2. Click Create load balancer.
  3. Under HTTP(S) Load Balancing, click Start configuration.
  4. In the New HTTP(S) load balancer panel that appears, add a Name for your load balancer.
  5. Click Backend configuration, then create or select a backend service. If you create a new backend service, follow the steps below:
    1. Add a Name for your backend service.
    2. Under Protocol, select HTTP or HTTPS. For HTTPS, each instance must be configured to serve SSL and have a certificate installed. However, you can use any certificate, including a self-signed one.
    3. In Backends > New Backend > Instance group, select the instance group you want to use.
    4. Don't enable Cloud CDN. It isn't supported for Cloud IAP. You can keep the other default settings, or customise however you want.
    5. In Health check > Create a health check, add a Name for your health check.
  6. In Host and path rules, you can keep the default settings.
  7. Click Frontend configuration, then follow the steps below:
    1. Under Protocol, select HTTPS.
    2. Under Certificate > Create a new certificate, add a Name for your certificate, then add the Public key certificate and other details as needed.
  8. When you're finished configuring the load balancer, click Create.
  9. On the Load balancing screen, note the IP:Port for your load balancer. Register your domain to the load balancer to route traffic through the load balancer.

Setting up a load balancer in Container Engine

When you create a cluster in Container Engine, it automatically creates an instance group. Follow the steps below to set up a load balancer for your containers:

  1. Go to the Load balancing page.
  2. Click Create load balancer.
  3. Under HTTP(S) Load Balancing, click Start configuration.
  4. In the New HTTP(S) load balancer panel that appears, add a Name for your load balancer.
  5. Click Backend configuration, then create or select a backend service. If you create a new backend service, follow the steps below:
    1. Add a Name for your backend service.
    2. Under Protocol, select HTTP or HTTPS. For HTTPS, each instance must be configured to serve SSL and have a certificate installed. However, you can use any certificate, including a self-signed one.
    3. In Backends > New Backend > Instance group, select the instance group you want to use.
    4. Don't enable Cloud CDN. It isn't supported for Cloud IAP. You can keep the other default settings, or customise however you want.
    5. In Health check > Create a health check, add a Name for your health check.
  6. In Host and path rules, you can keep the default settings.
  7. Click Frontend configuration, then follow the steps below:
    1. Under Protocol, select HTTPS.
    2. Under Certificate > Create a new certificate, add a Name for your certificate, then add the Public key certificate and other details as needed.
  8. When you're finished configuring the load balancer, click Create.
  9. On the Load balancing screen, note the IP:Port for your load balancer. Register your domain to the load balancer to route traffic through the load balancer.

Best practices

Firewalls

  • Make sure all requests to Compute Engine or Container Engine are routed through the load balancer:

    Requests from the Google Front End (GFE) come from IP addresses in the ranges 130.211.0.0/22 and 35.191.0.0/16.

  • In Cloud Console, Cloud IAP displays an error or warning if your firewall rules appear to be set up incorrectly. Cloud Console doesn't detect which VM is used for each service, so the firewall analysis doesn't account for advanced features such as non-default networks and firewall rule tags. To bypass this analysis, enable Cloud IAP through the gcloud beta compute backend-services update command.
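
The firewall guidance above can be checked offline. The following is an added example, not part of the original documentation: it flags enabled ingress allow rules that let sources outside the two GFE ranges reach a backend port directly. It assumes the rules are a list of dicts shaped like the JSON output of gcloud compute firewall-rules list --format=json, and that the sample rules are constructed. Like the Cloud Console analysis, it ignores networks, tags and rule priority, and it compares IPv4 ranges only.

```python
import ipaddress

# Source ranges the page gives for requests arriving from GFE.
GFE_RANGES = [ipaddress.ip_network(c) for c in ("130.211.0.0/22", "35.191.0.0/16")]

def port_matches(spec, port):
    """True if a firewall port spec ("80" or "8000-9000") covers `port`."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def rule_covers_port(rule, port):
    """True if any `allowed` entry admits TCP traffic to `port`."""
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol") not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports or any(port_matches(p, port) for p in ports):
            return True  # an entry with no ports listed covers every port
    return False

def inside_gfe(cidr):
    """True if `cidr` lies entirely within one of the GFE ranges."""
    net = ipaddress.ip_network(cidr)
    return any(net.version == g.version and net.subnet_of(g) for g in GFE_RANGES)

def bypass_rules(rules, backend_port):
    """Return {rule name: [source ranges outside GFE]} for enabled ingress
    allow rules that let non-GFE sources reach backend_port directly."""
    findings = {}
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if not rule_covers_port(rule, backend_port):
            continue
        outside = [c for c in rule.get("sourceRanges", []) if not inside_gfe(c)]
        if outside:
            findings[rule["name"]] = outside
    return findings

# Constructed sample rules (not from a real project).
SAMPLE_RULES = [
    {"name": "allow-gfe-to-backend", "direction": "INGRESS",
     "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "default-allow-http", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "8080-8090"]}]},
    {"name": "allow-ssh-admin", "direction": "INGRESS",
     "sourceRanges": ["203.0.113.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]
```

Calling bypass_rules(SAMPLE_RULES, 80) reports only default-allow-http, the rule that would let clients reach the backend without passing through the load balancer.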
