You can create a TCP/UDP load balancer by creating a Service with `type: LoadBalancer` in its specification. This page explains the parameters you can use to configure LoadBalancer Services. For more information specific to internal load balancers, see Using an internal TCP/UDP load balancer. For more information specific to external load balancers, see Exposing applications externally using Services.
The following parameters are supported for Google Kubernetes Engine (GKE) LoadBalancer Services.
| Feature | Summary | Service Field | GKE Version Support |
|---|---|---|---|
| Local External Traffic Policy | Configures whether or not external traffic is load balanced across GKE nodes. | `spec.externalTrafficPolicy` | |
| Load Balancer Source Ranges | Configures optional firewall rules in GKE and in the VPC to allow only certain source ranges. | `spec.loadBalancerSourceRanges` | All supported versions |
| Load Balancer IP | Specifies an IP address for the load balancer. | `spec.loadBalancerIP` | All supported versions |
| All-ports | The ability for the TCP/UDP load balancer to forward all ports instead of specific ports. | N/A | For internal TCP/UDP load balancers, supported with Subsetting. For external load balancers, supported for all versions. |
| Network Service Tiers | Indicates which network tier a Google Cloud load balancer should use. The valid values are `Standard` and `Premium`. | `metadata.annotations` key `cloud.google.com/network-tier` | |
External traffic policy
`externalTrafficPolicy` is a standard Service option that defines how, and whether, traffic arriving at a GKE node is load balanced. `Cluster` is the default policy, but `Local` is often used to preserve the source IP of traffic coming into a cluster node. `Local` effectively disables load balancing on the cluster node, so traffic received by a local Pod sees the original source IP address. With `Cluster`, traffic that kube-proxy forwards to a Pod on a different node is source-NATed to the forwarding node's address, so the Pod sees a node IP rather than the client IP; any source-IP-based allow list or audit logic inside the application must take this into account.
`externalTrafficPolicy` is supported for internal LoadBalancer Services (via the TCP/UDP load balancer), but load balancing behavior depends on where the traffic originates and on the configured traffic policy.
Traffic sourced from outside the cluster to a TCP/UDP load balancer has the following behavior if there is at least one healthy Pod of the Service in the cluster:
- `Cluster` policy: Traffic is load balanced to any healthy GKE node in the cluster, and kube-proxy then sends it to a node that has the Pod.
- `Local` policy: Nodes that do not have one of the backend Pods appear as unhealthy to the TCP/UDP load balancer. Traffic is only sent to one of the remaining healthy cluster nodes, which has the Pod. Traffic is not routed again by kube-proxy and is instead sent directly to the local Pod with its IP header information intact.
If traffic to a given LoadBalancer Service IP is sourced from a GKE node inside the cluster, the behavior is different. The following table summarizes the behavior for traffic sourced by a node or Pod inside the cluster and destined for a member Pod of a LoadBalancer Service:
| externalTrafficPolicy | Service member Pod running on same node where traffic originates? | Traffic behavior |
|---|---|---|
| Cluster | Yes | Packets are delivered to any member Pod, either on the node or on a different node. |
| Cluster | No | Packets are delivered to any member Pod, which must be on a different node. |
| Local | Yes | Packets are delivered to any member Pod on the same node. |
| Local | No | Kubernetes 1.14 and earlier: packets are dropped. Kubernetes 1.15 and later: packets are delivered to any member Pod, which must be on a different node. |
Load balancer source ranges
The `spec.loadBalancerSourceRanges` array specifies one or more internal or external IP address ranges in CIDR notation. `loadBalancerSourceRanges` restricts traffic through the load balancer to the IP addresses specified in this field. With this configuration, kube-proxy creates the corresponding iptables rules on the Kubernetes nodes, and GKE also creates a firewall rule in your VPC network automatically. If you omit this field, your Service accepts traffic from any IP address (`0.0.0.0/0`). Because the filter keys only on the packet's source address, at the VPC firewall and on the node, it narrows exposure but does not authenticate clients; treat it as a network-layer control that complements, rather than replaces, authentication in the application.
For more information about the Service specification, see the Service API reference.
Load balancer IP
`spec.loadBalancerIP` enables you to choose a specific IP address for the load balancer. The IP address must not be in use by another internal TCP/UDP load balancer or Service. If omitted, an ephemeral IP is assigned. For more information, see Reserving a static internal IP address.
If the IP address in `spec.loadBalancerIP` is a Standard Tier IP, the annotation `cloud.google.com/network-tier` with value `Standard` is mandatory, because Google Kubernetes Engine must create a forwarding rule with the same network tier as the IP address specified.
Since Google Kubernetes Engine 1.17, the default network tier for newly created forwarding rules is Premium, regardless of the project's default network tier.
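As an added example (not taken from the original page or from GKE's own documentation), the manifest below combines the parameters described above on one external LoadBalancer Service: `Local` traffic policy so the Pod sees the client address and traffic is not re-proxied, an explicit source-range allow list instead of the `0.0.0.0/0` default, and a pre-reserved Standard Tier address with the mandatory network-tier annotation. The Service name, namespace, selector, ports, the address `192.0.2.10` and the allowed ranges (`203.0.113.0/24`, `198.51.100.0/24`, all documentation ranges) are assumptions; the static address must already be reserved in the cluster's project and region before the Service is applied.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: api-gateway            # assumed name
  namespace: prod              # assumed namespace
  annotations:
    # Mandatory here because the reserved address below is a Standard Tier IP:
    # the forwarding rule must be created in the same tier as the address.
    # Drop the annotation (or set Premium) when using a Premium Tier address.
    cloud.google.com/network-tier: Standard
spec:
  type: LoadBalancer
  selector:
    app: api-gateway           # assumed Pod label
  ports:
  - name: https
    protocol: TCP
    port: 443                  # port on the load balancer
    targetPort: 8443           # container port (assumed)
  # Local: only nodes that run a backend Pod pass the load balancer health
  # check (kube-proxy answers it on the auto-allocated spec.healthCheckNodePort
  # and returns a non-200 status on nodes without a local endpoint), and
  # kube-proxy does not SNAT, so the Pod sees the real client IP. With the
  # default Cluster policy the Pod may instead see a node address.
  externalTrafficPolicy: Local
  # Allow list enforced by a VPC firewall rule and by node iptables rules.
  # Omitting the field is equivalent to 0.0.0.0/0. Ranges are assumed.
  loadBalancerSourceRanges:
  - 203.0.113.0/24
  - 198.51.100.0/24
  # Pre-reserved Standard Tier address (assumed value). If omitted, GKE
  # assigns an ephemeral address.
  loadBalancerIP: 192.0.2.10
```

Two operational points follow from the `Local` policy: the backend Deployment should run more than one replica spread across nodes, otherwise the load balancer has a single healthy node, and when a Pod moves, the affected node drops out of the backend set until the health check notices, so short health-check intervals matter more than they do with `Cluster`.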
All ports
The GKE controller automatically sets the `allPorts` field in the forwarding rule if there are 5 or more ports in the Service spec, in GKE versions 1.20.6 and later (including 1.21 and later). This behavior is also available in GKE versions 1.18 and later and 1.19 and later if you enable internal TCP/UDP load balancer subsetting on the cluster. An all-ports forwarding rule accepts packets on any destination port, so when auditing what a Service actually exposes, check the Service's port list (kube-proxy programs rules only for the ports declared there) and the VPC firewall rules rather than the forwarding rule alone.
If you create an internal TCP/UDP load balancer manually, you can choose your Google Kubernetes Engine nodes' instance group as the backend. Kubernetes Services of `type: NodePort` are then reachable through that internal TCP/UDP load balancer.
- Read the GKE network overview.
- Learn more about Compute Engine load balancers.
- Learn about internal load balancers.
- Learn about exposing applications externally using services.