A backend service defines how Cloud Load Balancing distributes traffic. The backend service configuration contains a set of values, such as the protocol used to connect to backends, various distribution and session settings, health checks, and timeouts. These settings provide fine-grained control over how your load balancer behaves. If you need to get started quickly, most of the settings have default values that allow for easy configuration.
Load balancers, Envoy proxies, and proxyless gRPC clients use the configuration information in the backend service resource to do the following:
- Direct traffic to the correct backends, which are instance groups or network endpoint groups (NEGs).
- Distribute traffic according to a balancing mode, which is a setting for each backend.
- Determine which health check is monitoring the health of the backends.
- Specify session affinity.
- Determine whether other services are enabled, including the following
services that are available only for global external HTTP(S) load balancers:
- Cloud CDN
- Google Cloud Armor security policies
- Identity-Aware Proxy
You set these values when you create a backend service or add a backend to the backend service.
You can configure a backend service for the following Google Cloud load balancers:
- Global external HTTP(S) load balancer (Preview)
- Global external HTTP(S) load balancer (classic)
- Regional external HTTP(S) load balancer (Preview)
- Internal HTTP(S) load balancer
- SSL proxy load balancer
- TCP proxy load balancer
- Internal TCP/UDP load balancer
- Backend service-based Network load balancer
Traffic Director also uses backend services.
The product that you are using determines the maximum number of backend services, scope of a backend service, the type of backends supported, and the backend service's load balancing scheme.
| Product | Maximum number of backend services | Scope of backend service | Supported backend types | Load balancing scheme |
|---|---|---|---|---|
| Global external HTTP(S) load balancer (Preview) | Multiple | Global | Each backend service supports one of the following backend combinations:
|
EXTERNAL_MANAGED |
| Global external HTTP(S) load balancer (classic) | Multiple | Global1 | Each backend service supports one of the following backend combinations:
|
EXTERNAL |
| Regional external HTTP(S) load balancer (Preview) | Multiple | Regional | Each backend service supports one of the following backend combinations:
|
EXTERNAL_MANAGED |
| Internal HTTP(S) load balancer | Multiple | Regional | Each backend service supports one of the following backend combinations:
|
INTERNAL_MANAGED |
| SSL proxy load balancer | 1 | Global1 | The backend service supports one of the following backend combinations:
|
EXTERNAL |
| TCP proxy load balancer | 1 | Global1 | The backend service supports one of the following backend combinations:
|
EXTERNAL |
| Network load balancer | 1 | Regional | The backend service supports the following backend combinations:
|
EXTERNAL |
| Internal TCP/UDP load balancer | 1 | Regional, but configurable to be globally accessible | The backend service supports one of the following backend combinations:
|
INTERNAL |
| Traffic Director | Multiple | Global | Each backend service supports one of the following backend combinations:
|
INTERNAL_SELF_MANAGED |
- The forwarding rule and its external IP address are regional.
- All backends connected to the backend service must be located in the same region as the forwarding rule.
API and gcloud reference
A backend service is either global or regional in scope.
For more information about the properties of the backend service resource, see the following references:
Global backend service API resource
Regional backend service API resource
gcloud compute backend-servicespage, for both global and regional backend services
Backends
A backend is a group of endpoints that receive traffic from a Google Cloud load balancer, a Traffic Director-configured Envoy proxy, or a proxyless gRPC client. There are several types of backends:
- Instance group containing virtual machine (VM) instances. An instance group can be a managed instance group, with or without autoscaling, or it can be an unmanaged instance group. More than one backend service can reference an instance group, but all backend services that reference the instance group must use the same balancing mode.
- Zonal NEG
- Serverless NEG
- Internet NEG
- Hybrid connectivity NEG
- Private Service Connect NEG
In addition, by using a backend bucket instead of a backend service, you can have a Cloud Storage bucket backend.
You cannot use different types of backends with the same backend service. For example, a single backend service cannot reference a combination of instance groups and zonal NEGs. However, you can use a combination of different types of instance groups on the same backend service. For example, a single backend service can reference a combination of both managed and unmanaged instance groups. For complete information about which backends are compatible with which backend services, see the table in the previous section.
You cannot delete a backend instance group or NEG that is associated with a backend service. Before you delete an instance group or NEG, you must first remove it as a backend from all backend services that reference it.
Protocol to the backends
When you create a backend service, you must specify the protocol used to communicate with the backends. You can specify only one protocol per backend service — you cannot specify a secondary protocol to use as a fallback.
Which protocols are valid depends on the type of load balancer or whether you are using Traffic Director.
| Product | Load balancing scheme | Backend service protocol options |
|---|---|---|
| Global external HTTP(S) load balancer (Preview) | EXTERNAL_MANAGED | HTTP, HTTPS, HTTP/2 |
| Global external HTTP(S) load balancer (classic) | EXTERNAL | HTTP, HTTPS, HTTP/2 |
| Regional external HTTP(S) load balancer (Preview) | EXTERNAL_MANAGED | HTTP, HTTPS, HTTP/2 |
| SSL proxy load balancer | EXTERNAL | SSL |
| TCP proxy load balancer | EXTERNAL | TCP |
| Internal HTTP(S) load balancer | INTERNAL_MANAGED | HTTP, HTTPS, HTTP/2 |
| Network load balancer | EXTERNAL | TCP, UDP, or UNSPECIFIED (Preview) |
| Internal TCP/UDP load balancer | INTERNAL | TCP or UDP |
| Traffic Director | INTERNAL_SELF_MANAGED | HTTP, HTTPS, HTTP/2, gRPC, TCP |
Changing a backend service's protocol makes the backends inaccessible through load balancers for a few minutes.
Encryption between the load balancer and backends
For information about this topic, see Encryption to the backends.
Instance groups
This section discusses how instance groups work with the backend service.
Backend VMs and external IP addresses
Backend VMs in backend services do not need external IP addresses:
- For global external HTTP(S) load balancers, SSL proxy load balancers, and TCP proxy load balancers: Clients communicate with a Google Front End (GFE) using your load balancer's external IP address. The GFE communicates with backend VMs or endpoints using a combination of an identifier for the backend's VPC network and the VM or endpoint's internal IP address. Internal IP addresses must be associated with the primary network interface (nic0) of the backend. Communication between GFEs and backend VMs or endpoints is facilitated through special routes.
- For regional external HTTP(S) load balancers: Clients use the load balancer's IP address and port to connect to the load balancer's Envoy proxies (provisioned in a proxy-only subnet). Backend VMs or endpoints of all regional external HTTP(S) load balancers in a region and VPC network receive connections from the proxy-only subnet.
- For network load balancers: Packets are first routed to the network load balancer's external IP address. The load balancer then uses consistent hashing to route them to backend VMs.
- Backend VMs do not require external IP addresses.
Named ports
On the backend, the load balancer forwards traffic to the port numbers that your backend instances (Compute Engine instances) are listening on. You configure the port number in the instance group and refer to it in the backend service configuration.
If an instance group's named port matches the --port-name in the backend
service configuration, the backend service uses this port number for
communication with the instance group's VMs.
The backend port number is called a named port because it is a name/value pair. In the instance group, you define the key name and value for the port.
For example, you might set the named port on an instance group with the name
my-service-name and the port 8888:
gcloud compute instance-groups unmanaged set-named-ports my-unmanaged-ig \
--named-ports=my-service-name:8888
Then you refer to the named port in the backend service configuration with the
--port-name on the backend service set to my-service-name:
gcloud compute backend-services update my-backend-service \
--port-name=my-service-name
If you use multiple port numbers for a named port (for example,
http:80,http:8080), they must all be for the same application. This is because
traffic is balanced between all ports with the same port name. For example, you
can't create a named port with the values 80 and 443. This doesn't work
because port 80 generally doesn't support TLS.
To learn how to create named ports, see the following instructions:
- Unmanaged instance groups: Working with named ports
- Managed instance groups: Assigning named ports to managed instance groups
Note the following:
Each backend service subscribes to a single port name. Each of its backend instance groups must have at least one named port for that name.
A backend service can use a different port number when communicating with VMs in different instance groups if each instance group specifies a different port number for the same port name. However, all ports must represent the same application. For example,
http:80,http:8080works, buthttp:80,http:443doesn't work.The resolved port number used by the backend service doesn't need to match the port number used by the load balancer's forwarding rules. A load balancer listens on the frontend on one or more port numbers that you configure in the load balancer's forwarding rule. The backend instances can be listening on different port numbers.
Named ports are not used in these circumstances:
- For zonal NEG or internet NEG backends, because these NEGs define ports using a different mechanism, namely, on the endpoints themselves.
- For serverless NEG backends, because these NEGs don't have endpoints.
- For internal TCP/UDP load balancers, because an internal TCP/UDP load balancer is a pass-through load balancer, not a proxy. Also, its backend service does not subscribe to a named port.
- For network load balancers, because a network load balancer is a pass-through load balancer, not a proxy, and its backend service does not subscribe to a named port.
For more information about named ports, see gcloud compute instance-groups managed set-named-ports and gcloud compute instance-groups unmanaged set-named-ports in the SDK documentation.
Restrictions and guidance for instance groups
Keep the following restrictions and guidance in mind when you create instance groups for your load balancers:
Do not put a VM in more than one load-balanced instance group. If a VM is a member of two or more unmanaged instance groups, or a member of one managed instance group and one or more unmanaged instance groups, Google Cloud limits you to only using one of those instance groups at a time as a backend for a particular backend service.
If you need a VM to participate in multiple load balancers, you must use the same instance group as a backend on each of the backend services.
For proxy load balancers, when you want to balance traffic to different ports, specify the required named ports on one instance group and have each backend service subscribe to a unique named port .
You can use the same instance group as a backend for more than one backend service. In this situation, the backends must use compatible balancing modes. Compatible means that the balancing modes must be the same, or they must be a combination of
CONNECTIONandRATE. Incompatible combinations are as follows:CONNECTIONwithUTILIZATIONRATEwithUTILIZATION
Consider the following example:
- You have two backend services:
external-https-backend-servicefor an external HTTP(S) load balancer andinternal-tcp-backend-servicefor an internal TCP/UDP load balancer. - You're using an instance group called
instance-group-aininternal-tcp-backend-service. - In
internal-tcp-backend-service, you must apply theCONNECTIONbalancing mode because internal TCP/UDP load balancers only support theCONNECTIONbalancing mode. - You can also use
instance-group-ainexternal-https-backend-serviceif you apply theRATEbalancing mode inexternal-https-backend-service. - You cannot also use
instance-group-ainexternal-https-backend-servicewith theUTILIZATIONbalancing mode.
To change the balancing mode for an instance group serving as a backend for multiple backend services:
- Remove the instance group from all backend services except for one.
- Change the balancing mode for the backend on the one remaining backend service.
- Re-add the instance group as a backend to the remaining backend services, if they support the new balancing mode.
If your instance group is associated with several backend services, each backend service can reference the same named port or a different named port on the instance group.
We recommend not adding an autoscaled managed instance group to more than one backend service. Doing so might cause unpredictable and unnecessary scaling of instances in the group, especially if you use the HTTP Load Balancing Utilization autoscaling metric.
- While not recommended, this scenario might work if the autoscaling metric is either CPU Utilization or a Cloud Monitoring Metric that is unrelated to the load balancer's serving capacity. Using one of these autoscaling metrics might prevent erratic scaling.
Zonal network endpoint groups
Network endpoints represent services by their IP address or an IP address/port combination, rather than referring to a VM in an instance group. A network endpoint group (NEG) is a logical grouping of network endpoints.
Zonal network endpoint groups (NEGs) are zonal resources that represent collections of either IP addresses or IP address/port combinations for Google Cloud resources within a single subnet.
There are two types of network endpoints available for zonal NEGs:
GCE_VM_IPendpoints.GCE_VM_IP_PORTendpoints.
For details, see Zonal NEGs overview.
A backend service that uses zonal NEGs as its backends distributes traffic among applications or containers running within VMs.
Zonal network endpoint groups (NEGs) using GCE_VM_IP_PORT endpoints can be
used as backends for the following load balancer types:
- Global external HTTP(S) load balancer
- Global external HTTP(S) load balancer (classic)
- Regional external HTTP(S) load balancer
- Internal HTTP(S) load balancer
- SSL proxy load balancer
- TCP proxy load balancer
Traffic Director also supports zonal NEG backends with GCE_VM_IP_PORT
endpoints.
Zonal network endpoint groups (NEGs) using GCE_VM_IP endpoints can be
used as backends for Internal TCP/UDP Load Balancing only.
Zonal NEGs are not supported by Network Load Balancing.
For more information, see Overview of network endpoint groups in load balancing.
Internet network endpoint groups
Internet NEGs are global resources that define external backends. An external backend is a backend that is hosted within on-premises infrastructure or on infrastructure provided by third parties.
An internet NEG is a combination of an IP address or hostname, plus an optional port:
- A publicly resolvable fully qualified domain name and an optional port,
for example
backend.example.com:443(default ports:80for HTTP and443for HTTPS). - A publicly accessible IP address and an optional port, for example
203.0.113.8:80or203.0.113.8:443(default ports:80for HTTP and443for HTTPS)
Only the global external HTTP(S) load balancer (classic) supports Internet NEG backends. Global external HTTP(S) load balancers and regional external HTTP(S) load balancers do not support internet NEG backends.
For more information, see Internet network endpoint group overview.
Serverless network endpoint groups
A network endpoint group (NEG) specifies a group of backend endpoints for a load balancer. A serverless NEG is a backend that points to a Cloud Run, App Engine, or Cloud Functions service.
A serverless NEG can represent one of the following:
- A Cloud Run service or a group of services.
- A Cloud Functions function or a group of functions.
- An App Engine app (Standard or Flex), a specific service within an app, a specific version of an app, or a group of services.
To set up a serverless NEG for serverless applications that share a URL
pattern, you use a URL
mask. A URL mask
is a template of your URL schema (for example, example.com/<service>). The
serverless NEG will use this template to extract the <service> name from the
incoming request's URL and route the request to the matching
Cloud Run, Cloud Functions, or App Engine
service with the same name.
For more information, including which load balancers support serverless NEGs, see Serverless network endpoint group overview.
Traffic distribution
The values of the following fields in the backend services resource determine some aspects of the backend's behavior:
- A balancing mode defines how the load balancer measures backend readiness for new requests or connections.
- A target capacity defines a target maximum number of connections, a target maximum rate, or target maximum CPU utilization.
- A capacity scaler adjusts overall available capacity without modifying the target capacity.
Balancing mode
The balancing mode determines whether backends of a load balancer or Traffic Director can handle additional traffic or are fully loaded. Google Cloud has three balancing modes:
CONNECTIONRATEUTILIZATION
The balancing mode options depend on the backend service's load balancing scheme, the backend service's protocol, and the type of backends connected to the backend service.
You set the balancing mode when you add a backend to the backend service. Note that you cannot specify a balancing mode when using serverless NEGs or internet NEGs as backends for a load balancer.
For the global external HTTP(S) load balancer (classic), the balancing mode is used to select the most favorable backend (instance group or NEG). Traffic is then distributed in a round robin fashion among instances or endpoints within the backend.
For global external HTTP(S) load balancers, regional external HTTP(S) load balancers, and internal HTTP(S) load balancers,
load balancing is two-tiered. The balancing mode determines the weighting or
fraction of traffic that should be sent to each backend (instance group or NEG).
Then, the load balancing policy (LocalityLbPolicy) determines how traffic is
distributed to instances or endpoints within the group. The max-utilization
target capacity can only be specified per instance group and cannot be applied
to a particular VM in the group.
| Balancing mode | Supported load balancing schemes | Compatible backend service protocols1 | Compatible backends2 | Applicable products |
|---|---|---|---|---|
CONNECTION |
EXTERNALINTERNAL |
SSL, TCP, UDP |
Either instance groups or zonal NEGs, if supported. |
|
RATE |
EXTERNALEXTERNAL_MANAGEDINTERNAL_MANAGEDINTERNAL_SELF_MANAGED |
HTTP, HTTPS, HTTP2, gRPC | Instance groups or zonal NEGs |
|
UTILIZATION |
EXTERNALEXTERNAL_MANAGEDINTERNAL_MANAGEDINTERNAL_SELF_MANAGED |
No special restriction | Instance groups only. Zonal NEGs do not support utilization mode. |
|
If the average utilization of all VMs that are associated with a backend service is less than 10%, Google Cloud might prefer specific zones. This can happen when you use managed regional instance groups, managed zonal instance groups in different zones, and unmanaged zonal instance groups. This zonal imbalance automatically resolves as more traffic is sent to the load balancer.
For more information, see gcloud compute backend-services add-backend.
Changing the balancing mode of a load balancer
For some load balancers, you cannot change the balancing mode because the backend service has only one possible balancing mode. For others, depending on the backend used, you can change the balancing mode because more than one mode is available to those backend services.
| Load balancer | Backends | Balancing modes available |
|---|---|---|
| Instance groups | RATE or UTILIZATION |
|
Zonal NEGs (GCE_VM_IP_PORT endpoints) |
RATE |
|
| Internal HTTP(S) load balancer | Instance groups | RATE or UTILIZATION |
Zonal NEGs (GCE_VM_IP_PORT endpoints) |
RATE |
|
| TCP proxy load balancer | Instance groups | CONNECTION or UTILIZATION |
Zonal NEGs (GCE_VM_IP_PORT endpoints) |
CONNECTION |
|
| SSL proxy load balancer | Instance groups | CONNECTION or UTILIZATION |
Zonal NEGs (GCE_VM_IP_PORT endpoints) |
CONNECTION |
|
| Network load balancer | Instance groups | CONNECTION |
| Internal TCP/UDP load balancer | Instance groups | CONNECTION |
Zonal NEGs (GCE_VM_IP endpoints) |
CONNECTION |
Target capacity
Each balancing mode has a corresponding target capacity, which defines one of the following target maximums:
- Number of connections
- Rate
- CPU utilization
For every balancing mode, the target capacity is not a circuit breaker. A load balancer can exceed the maximum under certain conditions, for example, if all backend VMs or endpoints have reached the maximum.
Connection balancing mode
For CONNECTION balancing mode, the target capacity defines a target
maximum number of concurrent connections. Except for internal TCP/UDP load balancers
and network load balancers, you must use one of the following settings to specify a
target maximum number of connections:
max-connections-per-instance(per VM): Target average number of connections for a single VM.max-connections-per-endpoint(per endpoint in a zonal NEG): Target average number of connections for a single endpoint.max-connections(per zonal NEGs and for zonal instance groups): Target average number of connections for the whole NEG or instance group. For regional managed instance groups, usemax-connections-per-instanceinstead.
The following table shows how the target capacity parameter defines the following:
- The target capacity for the whole backend
- The expected target capacity for each instance or endpoint
| Backend type | Target capacity | ||
|---|---|---|---|
| If you specify | Whole backend capacity | Expected per instance or per endpoint capacity | |
Instance groupN instances,H healthy |
max-connections-per-instance=X
|
X × N
|
(X × N)/H
|
Zonal NEGN endpoints,H healthy
|
max-connections-per-endpoint=X
|
X × N
|
(X × N)/H
|
| Instance groups (except regional managed instance groups) H healthy instances
|
max-connections=Y
|
Y
|
Y/H
|
As illustrated, the max-connections-per-instance and
max-connections-per-endpoint settings are proxies for calculating a
target maximum number of connections for the whole instance group or whole zonal
NEG:
- In an instance group with
Ninstances, settingmax-connections-per-instance=Xhas the same meaning as settingmax-connections=X × N. - In a zonal NEG with
Nendpoints, settingmax-connections-per-endpoint=Xhas the same meaning as settingmax-connections=X × N.
Rate balancing mode
For the RATE balancing mode, you must define the target capacity using
one of the following parameters:
max-rate-per-instance(per VM): Provide a target average HTTP request rate for a single VM.max-rate-per-endpoint(per endpoint in a zonal NEG): Provide a target average HTTP request rate for a single endpoint.max-rate(per zonal NEGs and for zonal instance groups): Provide a target average HTTP request rate for the whole NEG or instance group. For regional managed instance groups, usemax-rate-per-instanceinstead.
The following table shows how the target capacity parameter defines the following:
- The target capacity for the whole backend
- The expected target capacity for each instance or endpoint
| Backend type | Target capacity | ||
|---|---|---|---|
| If you specify | Whole backend capacity | Expected per instance or per endpoint capacity | |
Instance groupN instances,H healthy |
max-rate-per-instance=X
|
X × N
|
(X × N)/H
|
zonal NEGN endpoints,H healthy
|
max-rate-per-endpoint=X
|
X × N
|
(X × N)/H
|
| Instance groups (except regional managed instance groups) H healthy instances
|
max-rate=Y
|
Y
|
Y/H
|
As illustrated, the max-rate-per-instance and max-rate-per-endpoint settings
are proxies for calculating a target maximum rate of HTTP requests for the whole
instance group or whole zonal NEG:
- In an instance group with
Ninstances, settingmax-rate-per-instance=Xhas the same meaning as settingmax-rate=X × N. - In a zonal NEG with
Nendpoints, settingmax-rate-per-endpoint=Xhas the same meaning as settingmax-rate=X × N.
Utilization balancing mode
The UTILIZATION balancing mode has no mandatory target capacity. You have a
number of options that depend on the type of backend, as summarized in
the table in the following section.
The max-utilization target capacity can only be specified per instance
group and cannot be applied to a particular VM in the group.
Supported balancing modes and target capacity settings
This table summarizes all possible balancing modes for a given load balancer and type of backend. It also shows the available or required capacity settings that you must specify with the balancing mode.
| Load balancer | Type of backend | Balancing mode | Target capacity |
|---|---|---|---|
|
Instance group | RATE |
You must specify one of the following:
|
UTILIZATION |
You can optionally specify one of the following:
|
||
Zonal NEG (GCP_VM_IP_PORT) |
RATE |
You must specify one of the following:
|
|
| Internal TCP/UDP load balancer | Instance group | CONNECTION |
You cannot specify a target maximum number of connections. |
Zonal NEGs (GCP_VM_IP) |
CONNECTION |
You cannot specify a target maximum number of connections. | |
| External TCP/UDP Network load balancer | Instance group | CONNECTION |
You cannot specify a target maximum number of connections. |
|
Instance group | CONNECTION |
You must specify one of the following:
|
UTILIZATION |
You can optionally specify one of the following:
|
||
Zonal NEG (GCP_VM_IP_PORT) |
CONNECTION |
You must specify one of the following:
|
Capacity scaler
You can optionally adjust the capacity scaler to scale down the target capacity (max utilization, max rate, or max connections) without changing the target capacity. The capacity scaler is supported for all load balancers that support a target capacity. The only exceptions are the network load balancer and internal TCP/UDP load balancer.
By default, the value of the capacity scaler is 1.0 (100%). You can set the
capacity scaler to either of these values:
- exactly
0.0, which will prevent all new connections - a value between
0.1(10%) and1.0(100%)
The following examples demonstrate how the capacity scaler works in conjunction with the target capacity setting.
If the balancing mode is
RATE, the max-rate is set to 80 RPS, and the capacity scaler is1.0, the effective target capacity is also 80 RPS.If the balancing mode is
RATE, the max utilization is set to 80 RPS, and the capacity scaler is0.5, the effective target capacity is 40 RPS (0.5 times 80).If the balancing mode is
RATE, the max utilization is set to 80 RPS, and the capacity scaler is0.0, the effective target capacity is zero. A capacity scaler of zero will take the backend out of rotation.
Traffic Director and traffic distribution
Traffic Director also uses backend service resources. Specifically,
Traffic Director uses backend services whose load balancing scheme is
INTERNAL_SELF_MANAGED. For an internal self-managed backend service, traffic
distribution is based on the combination of a load balancing mode and a
load balancing policy. The backend service directs traffic to a backend
according to the backend's balancing mode. Then Traffic Director distributes
traffic according to a load balancing policy.
Internal self-managed backend services support the following balancing modes:
UTILIZATION, if all the backends are instance groupsRATE, if all the backends are either instance groups or zonal NEGs
If you choose RATE balancing mode, you must specify a maximum rate, maximum
rate per instance, or maximum rate per endpoint.
For more information about Traffic Director, see Traffic Director concepts.
Session affinity
Some applications need multiple requests from a given user to be directed to the same backend or endpoint. Such applications include stateful servers used by ads serving, games, or services with heavy internal caching. The disadvantage of session affinity is that your load might be less evenly distributed.
Session affinity operates on a best-effort basis to deliver requests to the same
backend that served the initial request. By default, session affinity is
disabled (--session-affinity=NONE). Without session affinity enabled, load
balancers distribute new requests based on a 5-tuple hash, as follows:
- Packet's source IP address
- Packet's source port (if present in the packet's header)
- Packet's destination IP address
- Packet's destination port (if present in the packet's header)
- Packet's Protocol
For pass-through load balancers, if a backend instance or endpoint is healthy, subsequent requests go to the same backend VM or endpoint.
For proxy-based load balancers, if a backend instance or endpoint is healthy and isn't at capacity subsequent requests go to the same backend VM or endpoint. The balancing mode determines when the backend is at capacity.
The following table shows the session affinity options:
| Product | Session affinity options |
|---|---|
| Global external HTTP(S) load balancer Regional external HTTP(S) load balancer |
|
| Global external HTTP(S) load balancer (classic) |
|
| Internal HTTP(S) load balancer |
|
| Internal TCP/UDP load balancer |
|
| Network load balancer1 |
|
| TCP proxy load balancer SSL proxy load balancer |
|
| Traffic Director |
|
1 This table documents session affinities supported by backend
service-based
network load balancers.
Target pool-based network load balancers
don't use backend services. Instead, you set session affinity for
network load balancers through the sessionAffinity parameter in
Target Pools.
Keep the following in mind when configuring session affinity:
Do not rely on session affinity for authentication or security purposes. Session affinity is designed to break when a backend is at or above capacity or if it becomes unhealthy.
Google Cloud load balancers provide session affinity on a best-effort basis. Factors such as changing backend health check states or changes to backend fullness, as measured by the balancing mode, can break session affinity. Using a session affinity other than
Nonewith theUTILIZATIONbalancing mode is not recommended. This is because changes in the instance utilization can cause the load balancing service to direct new requests or connections to backend VMs that are less full. This breaks session affinity. Instead, use either theRATEorCONNECTIONbalancing mode to reduce the chance of breaking session affinity.When load balancers have session affinity enabled, they load balance well when there is a reasonably large distribution of unique sessions. Reasonably large means at least several times the number of backend instances in the instance group. When you test a load balancer with a small number of sessions, traffic isn't evenly distributed.
For external and internal HTTP(S) load balancers, session affinity might be broken when the intended endpoint or instance exceeds its balancing mode's target maximum. Consider the following example:
- A load balancer has one NEG and three endpoints.
- Each endpoint has a target capacity of 1 RPS.
- The balancing mode is
RATE. - At the moment, each endpoint is processing 1.1, 0.8, and 1.6 RPS, respectively.
- When an HTTP request with affinity for the last endpoint arrives on the load balancer, session affinity claims the endpoint that is processing at 1.6 RPS.
- The new request might go to the middle endpoint with 0.8 RPS.
For specific information about Network Load Balancing and session affinity, see the External TCP/UDP Network Load Balancing overview.
For specific information about Internal TCP/UDP Load Balancing and session affinity, see the Internal TCP/UDP Load Balancing overview.
When proxyless gRPC services are configured, Traffic Director does not support session affinity.
The following sections discuss the different types of session affinity.
Client IP affinity
Client IP affinity directs requests from the same client IP address to the same backend instance. Client IP affinity is an option for every Google Cloud load balancer that uses backend services.
When you use client IP affinity, keep the following in mind:
Client IP affinity is a two-tuple hash consisting of the client's IP address and the IP address of the load balancer's forwarding rule that the client contacts.
The client IP address as seen by the load balancer might not be the originating client if it is behind NAT or makes requests through a proxy. Requests made through NAT or a proxy use the IP address of the NAT router or proxy as the client IP address. This can cause incoming traffic to clump unnecessarily onto the same backend instances.
If a client moves from one network to another, its IP address changes, resulting in broken affinity.
Generated cookie affinity
When you set generated cookie affinity, the load balancer issues a cookie on the first request. For each subsequent request with the same cookie, the load balancer directs the request to the same backend VM or endpoint.
- For global external HTTP(S) load balancers, the cookie is named
GCLB. - For regional external HTTP(S) load balancers, internal HTTP(S) load balancers, and Traffic Director, the
cookie is named
GCILB.
Cookie-based affinity can more accurately identify a client to a load balancer, compared to client IP-based affinity. For example:
With cookie-based affinity, the load balancer can uniquely identify two or more client systems that share the same source IP address. Using client IP-based affinity, the load balancer treats all connections from the same source IP address as if they were from the same client system.
If a client changes its IP address, cookie-based affinity lets the load balancer recognize subsequent connections from that client instead of treating the connection as new. An example of when a client changes its IP address is when a mobile device moves from one network another.
When a load balancer creates a cookie for generated cookie-based affinity, it
sets the path attribute of the cookie to /. If the URL map's path matcher
has multiple backend service for a host name, all backend services share the
same session cookie.
The lifetime of the HTTP cookie generated by the load balancer is
configurable. You can set it to 0 (default), which means the cookie is only
a session cookie. Or you can set the lifetime of the cookie to a value from
1 to 86400 seconds (24 hours) inclusive.
Header field affinity
Header field affinity is supported when both of the following are true:
- The load balancing locality policy is RING_HASH or MAGLEV.
- The backend service's
consistentHashspecifies the name of the HTTP header (httpHeaderName).
The following products can use header field affinity:
- Global external HTTP(S) load balancer
- Regional external HTTP(S) load balancer
- Internal HTTP(S) load balancer
- Traffic Director
HTTP cookie affinity
HTTP cookie affinity is supported when both of the following are true:
- The load balancing locality policy is RING_HASH or MAGLEV.
- The backend service's consistent hash specifies the name of the HTTP cookie.
HTTP cookie affinity routes requests to backend VMs or endpoints in a NEG based
on the HTTP cookie named in the HTTP_COOKIE flag. If the client does not provide
the cookie, the proxy generates the cookie and returns it to the client in a
Set-Cookie header.
The following products can use HTTP cookie affinity:
- Global external HTTP(S) load balancer
- Regional external HTTP(S) load balancer
- Internal HTTP(S) load balancer
- Traffic Director
For more information about internal HTTP(S) load balancers, in which HTTP cookie affinity is used, see Internal HTTP(S) Load Balancing overview.
Losing session affinity
Regardless of the type of affinity chosen, a client can lose affinity with a backend in the following situations:
- If the backend instance group or zonal NEG runs out of capacity, as defined by the balancing mode's target capacity. In this situation, Google Cloud directs traffic to a different backend instance group or zonal NEG, which might be in a different zone. You can mitigate this by ensuring that you specify the correct target capacity for each backend based on your own testing.
- Autoscaling adds instances to, or removes instances from, a managed instance group. When this happens, the number of instances in the instance group changes, so the backend service recomputes hashes for session affinity. You can mitigate this by ensuring that the minimum size of the managed instance group can handle a typical load. Autoscaling is then only performed during unexpected increases in load.
- If a backend VM or endpoint in a NEG fails health checks, the load balancer directs traffic to a different healthy backend. Refer to the documentation for each Google Cloud load balancer for details about how the load balancer behaves when all of its backends fail health checks.
- When the
UTILIZATIONbalancing mode is in effect for backend instance groups, session affinity breaks because of changes in backend utilization. You can mitigate this by using theRATEorCONNECTIONbalancing mode, whichever is supported by the load balancer's type.
When you use HTTP(S) Load Balancing, SSL Proxy Load Balancing, or TCP Proxy Load Balancing, keep the following additional points in mind:
- If the routing path from a client on the internet to Google changes between requests or connections, a different Google Front End (GFE) might be selected as the proxy. This can break session affinity.
- When you use the
UTILIZATIONbalancing mode — especially without a defined target maximum target capacity — session affinity is likely to break when traffic to the load balancer is low. Switch to usingRATEorCONNECTIONbalancing mode, as supported by your chosen load balancer.
Backend service timeout
Most Google Cloud load balancers have a backend service timeout. The default value is 30 seconds. The full range of timeout values allowed is 1 - 2,147,483,647 seconds.
For external HTTP(S) load balancers and internal HTTP(S) load balancers using the HTTP, HTTPS, or HTTP/2 protocol, the backend service timeout is a request/response timeout for HTTP(S) traffic. This is the amount of time that the load balancer waits for a backend to return a full response to a request. For example, if the value of the backend service timeout is the default value of 30 seconds, the backends have 30 seconds to deliver a complete response to requests. The load balancer retries the HTTP GET request once if the backend closes the connection or times out before sending response headers to the load balancer. If the backend sends response headers (even if the response body is otherwise incomplete) or if the request sent to the backend is not an HTTP GET request, the load balancer does not retry. If the backend does not reply at all, the load balancer returns an HTTP
5xxresponse to the client. To change the allotted time for backends to respond to requests, change the timeout value.For HTTP traffic, the maximum amount of time for the client to complete sending its request is equal to the backend service timeout. If you see HTTP
408responses with thejsonPayload.statusDetailclient_timed_out, this means that there was insufficient progress while the request from the client was proxied or the response from the backend was proxied. If the problem is because of clients that are experiencing performance issues, you can resolve this issue by increasing the backend service timeout.If the HTTP connection is upgraded to a WebSocket, the backend service timeout defines the maximum amount of time that a WebSocket can be open, whether idle or not.
For more details about the backend service timeout for each load balancer, see the following:
- For global external HTTP(S) load balancers and regional external HTTP(S) load balancers, see Timeouts and retries.
- For internal HTTP(S) load balancers, see Timeouts and retries.
For SSL proxy load balancers and TCP proxy load balancers, the timeout is an idle timeout. To allow more or less time before the connection is deleted, change the timeout value. This idle timeout is also used for WebSocket connections.
For internal TCP/UDP load balancers and network load balancers, you can set the value of the backend service timeout using
gcloudor the API, but the value is ignored. Backend service timeout has no meaning for these pass-through load balancers.For Traffic Director, the backend service timeout field (specified using
timeoutSec) is not supported with proxyless gRPC services. For such services, configure the backend service timeout using themaxStreamDurationfield. This is because gRPC does not support the semantics oftimeoutSecthat specifies the amount of time to wait for a backend to return a full response after the request is sent. gRPC's timeout specifies the amount of time to wait from the beginning of the stream until the response has been completely processed, including all retries.
Health checks
Each backend service whose backends are instance groups or zonal NEGs must have an associated health check. Backend services using a serverless NEG or an internet NEG as a backend must not reference a health check.
When you create a load balancer using the Google Cloud Console, you can create the health check, if it is required, when you create the load balancer, or you can reference an existing health check.
When you create a backend service using either instance group or zonal NEG
backends using the gcloud command-line tool or the API, you must reference an
existing health check. Refer to the load balancer
guide in the Health
Checks Overview for details about the type and scope of health check required.
For more information, read the following documents:
Additional features enabled on the backend service resource
Some optional Google Cloud features (such as Cloud CDN and Google Cloud Armor) are available for backend services used by global external HTTP(S) load balancers. They are not discussed in this document, but are listed in the HTTP(S) Load Balancing overview.
Traffic management features
The following features are supported only for some products:
- Load balancing policies
(
localityLbPolicy) except for ROUND_ROBIN - Circuit breaking except for
maxRequestsfield - Outlier detection
These features are supported by the following load balancers:
- Global external HTTP(S) load balancer (circuit breaking is not supported)
- Regional external HTTP(S) load balancer
- Internal HTTP(S) load balancer
- Traffic Director (but not supported with proxyless gRPC services)
What's next
For related documentation and information about how backend services are used in load balancing, review the following:
- Creating custom headers
- Creating an HTTP(S) load balancer
- Conceptual information about HTTP(S) Load Balancing
- Enabling Connection Draining
- Encryption in Transit in Google Cloud