A forwarding rule and its corresponding IP address represent the frontend configuration of a Google Cloud load balancer.
Each forwarding rule references an IP address, an IP protocol, and one or more ports (if the protocol has a concept of ports) on which the load balancer accepts traffic. Some Google Cloud load balancers limit you to a predefined set of ports, and others let you specify arbitrary ports.
Depending on the load balancer type, the following is true:
- A forwarding rule specifies a backend service, target proxy, or target pool.
- A forwarding rule and its IP address are internal or external.
Also, depending on the load balancer and its tier, a forwarding rule is either global or regional.
Internal forwarding rules
Internal forwarding rules forward traffic that originates inside a Google Cloud network. The clients can be in the same Virtual Private Cloud (VPC) network as the backends, or the clients can be in a connected network.
Internal forwarding rules are used by the following Google Cloud load balancers:
- Internal TCP/UDP load balancer
- Internal HTTP(S) load balancer
- Internal regional TCP proxy load balancer
Internal TCP/UDP load balancer
With an internal TCP/UDP load balancer, the supported traffic type is IPv4, and the supported protocol is either TCP or UDP (not both).
Each internal TCP/UDP load balancer has at least one regional internal forwarding rule. The regional internal forwarding rules point to the load balancer's regional internal backend service. The following diagram shows how a forwarding rule fits into the internal TCP/UDP load balancer architecture.
The following diagram shows how the load balancer components fit within a subnet and region.
The internal forwarding rule must be defined in a region and a subnet. The backend service only needs to correspond to that region.
For more information about internal TCP/UDP load balancers, see the Internal TCP/UDP load balancer overview. For information about configuring internal TCP/UDP load balancers, see Set up an internal TCP/UDP load balancer.
Internal HTTP(S) load balancer
With an internal HTTP(S) load balancer, the supported traffic type is IPv4, and the supported protocol can be HTTP, HTTPS, or HTTP/2.
Each internal HTTP(S) load balancer has exactly one regional internal forwarding rule. The regional internal forwarding rule points to the load balancer's regional target HTTP or HTTPS proxy.
Internal managed forwarding rules connected to a target HTTP proxy support ports 80 or 8080 (one or the other, not both). Internal managed forwarding rules connected to a target HTTPS proxy support port 443.
The following diagram shows how a forwarding rule fits into the internal HTTP(S) load balancer architecture.
For more information about internal HTTP(S) load balancers, see the Internal HTTP(S) load balancer overview. For information about configuring internal HTTP(S) load balancers, see Preparing for an internal HTTP(S) load balancer setup.
Internal regional TCP proxy load balancer
With an internal regional TCP proxy load balancer, the supported traffic type is IPv4, and the supported protocol is TCP.
Each internal regional TCP proxy load balancer has at least one regional internal forwarding rule. The forwarding rule specifies an internal IP address, port, and regional target TCP proxy. Clients use the IP address and port to connect to the load balancer's Envoy proxies – the forwarding rule's IP address is the IP address of the load balancer (sometimes called a virtual IP address or VIP).
Internal managed forwarding rules connected to a target TCP proxy support any
port range X-X where X is a number between 1 and 65535 inclusive.
The following diagram shows how a forwarding rule fits into the internal regional TCP proxy load balancer architecture.
For more details, see the Internal regional TCP proxy load balancer overview.
External forwarding rules
External forwarding rules accept traffic from client systems that have internet access, including:
- A client outside of Google Cloud
- A Google Cloud VM with an external IP address
- A Google Cloud VM without an external IP address using Cloud NAT or an instance-based NAT system
External forwarding rules are used by the following Google Cloud load balancer types:
- External HTTP(S) load balancer
- External SSL proxy load balancer
- External TCP proxy load balancer
- External TCP/UDP Network load balancer
External HTTP(S) load balancer
The forwarding rule and IP address depend on the load balancer mode and the Network Service Tiers that you select for the load balancer.
- The global external HTTP(S) load balancer supports only Premium Tier.
- Each global external HTTP(S) load balancer (classic) can be Premium Tier or Standard Tier.
- The regional external HTTP(S) load balancer supports only Standard Tier.
In an external HTTP(S) load balancer, a forwarding rule points to a target proxy.
In Premium Tier, an external HTTP(S) load balancer uses a global external IP address, which can be either IPv4 or IPv6, and a global external forwarding rule. You can provide a globally accessible application that directs end users to backends in the closest region and distributes traffic among multiple regions. Because a global external forwarding rule uses a single external IP address, you don't need to maintain separate DNS records in different regions or wait for DNS changes to propagate.
You can have two different global external IP addresses pointing to the same external HTTP(S) load balancer. For example, in Premium Tier, the global external IP address for one forwarding rule can be IPv4, and the global external IP address for a second forwarding rule can be IPv6. Both forwarding rules can point to the same target proxy. As a result, you can provide both an IPv4 and an IPv6 address for the same external HTTP(S) load balancer. For more information, see the IPv6 termination documentation.
In Standard Tier, an external HTTP(S) load balancer uses a regional external IP address, which must be IPv4, and a regional external forwarding rule. An external HTTP(S) load balancer in Standard Tier can only distribute traffic to backends within a single region.
The following diagram shows how a global forwarding rule fits into the architecture for a global external HTTP(S) load balancer. The same architecture also applies to the global external HTTP(S) load balancer (classic) in Premium Tier.
For more information about external HTTP(S) load balancers, see the External HTTP(S) load balancer overview.
External SSL proxy load balancer
An external SSL proxy load balancer is similar to an external HTTP(S) load balancer because it can terminate SSL (TLS) sessions. External SSL proxy load balancers do not support path-based redirection like external HTTP(S) load balancers, so they're best suited for handling SSL for protocols other than HTTPS, such as IMAP or WebSockets over SSL. For more information, see the SSL FAQ.
In an external SSL proxy load balancer, a forwarding rule points to a target proxy.
External SSL proxy load balancers support both Premium Tier and Standard Tier. The forwarding rule and IP address both depend on the tier that you select for the load balancer.
In Premium Tier, an external SSL proxy load balancer uses a global external IP address, which can be either IPv4 or IPv6, and a global external forwarding rule. You can provide a globally accessible application that directs end users to backends in the closest region and distributes traffic among multiple regions. Because a global external forwarding rule uses a single external IP address, you don't have to maintain separate DNS records in different regions or wait for DNS changes to propagate.
It is possible to have two different global external IP addresses pointing to the same external SSL proxy load balancer. For example, in Premium Tier, the global external IP address for one forwarding rule can be IPv4, and the global external IP address for a second forwarding rule can be IPv6. Both forwarding rules can point to the same target proxy. As a result, you can provide both an IPv4 and an IPv6 address for the same external SSL proxy load balancer. For more information, see the IPv6 termination documentation.
In Standard Tier, an external SSL proxy load balancer uses a regional external IP address, which must be IPv4, and a regional external forwarding rule. An external SSL proxy load balancer in Standard Tier can only distribute traffic to backends within a single region.
The following diagram shows how a forwarding rule fits into the external SSL proxy load balancer architecture.
For more information about external SSL proxy load balancers, see the External SSL proxy load balancer overview. For information about configuring external SSL proxy load balancers, see Set up an external SSL proxy load balancer.
External TCP proxy load balancer
An external TCP proxy load balancer offers global and regional TCP proxying capabilities without SSL offload. The forwarding rule and IP address depend on the type of load balancer mode and the Network Service Tiers that you select for the load balancer:
- The global external TCP proxy load balancer can be Premium Tier or Standard Tier.
- The external regional TCP proxy load balancer supports only Standard Tier.
In external TCP proxy load balancers, the forwarding rule points to a target proxy:
In Premium Tier, the global external TCP proxy load balancer uses a global external IP address, which can be either IPv4 or IPv6, and a global external forwarding rule. You can provide a globally accessible application that directs end users to backends in the closest region and distributes traffic among multiple regions. Because a global external forwarding rule uses a single external IP address, you don't have to maintain separate DNS records in different regions or wait for DNS changes to propagate.
It is possible to have two different global external IP addresses pointing to the same external TCP proxy load balancer. For example, in Premium Tier, the global external IP address for one forwarding rule can be IPv4, and the global external IP address for a second forwarding rule can be IPv6. Both forwarding rules can point to the same target proxy. As a result, you can provide both an IPv4 and an IPv6 address for the same external TCP proxy load balancer. For more information, see the IPv6 termination documentation.
In Standard Tier, both the global and regional external TCP proxy load balancers use regional external IP addresses, which must be IPv4, and regional external forwarding rules. A load balancer in Standard Tier can only distribute traffic to backends within a single region.
The following diagram shows how a forwarding rule fits into the global external TCP proxy load balancer architecture.
For more information about external TCP proxy load balancers, see the External TCP proxy load balancer overview.
External TCP/UDP network load balancer
Network load balancers is a pass-through load balancer that distributes traffic among backend instances in a single region. A network load balancer uses a regional external forwarding rule and a regional external IP address. The regional external IP address can be accessed from anywhere on the internet and by Google Cloud VMs with internet access.
For backend service-based network load balancers, the regional external forwarding rule points to a backend service. Backend service-based network load balancers support TCP, UDP, ESP, GRE, ICMP, and ICMPv6 traffic. For details, see Forwarding rule protocols for backend service-based network load balancers. Forwarding rules for backend service-based load balancers can be configured with either IPv4 or IPv6 addresses. Forwarding rules for backend service-based network load balancers support the following advanced features:
- Direct traffic coming from a specific range of source IP addresses to a specific backend service. For more information, see Traffic steering.
- Distribute traffic across the load balancer's backend instances based on the weights reported by an HTTP health check using Weighted load balancing.
For target pool-based network load balancers, the forwarding rule points to a target pool. A target pool-based network load balancer supports only TCP or UDP traffic. Forwarding rules for target pool-based network load balancer support only IPv4 addresses.
For regional external IPv4 addresses, the network load balancer supports both Standard Tier and Premium Tier. Regional external IPv6 addresses are only available in the Premium Tier.
To support backend instances in more than one region, you must create a network load balancer in each region. This is the case regardless of whether the IP address of the load balancer is in the Premium Tier or the Standard Tier.
The following figure shows a network load balancer which has a regional external
forwarding rule with the IP address, 120.1.1.1. The load balancer is serving
requests from backends in the us-central1 region.
For more information about network load balancers, see the Network load balancer overview. For information about configuring network load balancers, see one of the following:
- Setting up a network load balancer with a backend service (TCP or UDP traffic only)
- Setting up a network load balancer with a backend service (multiple protocols)
- Setting up a network load balancer with a target pool
How Network Service Tiers affect load balancers
In Network Service Tiers, the distinction between Standard Tier and Premium Tier depends on how far traffic is routed over the public internet:
Standard Tier: Offloads traffic as close as possible to the Google data center. This means that traffic is typically routed over the public internet for a longer distance, compared with Premium Tier.
Premium Tier: Routes traffic through Google's production network as far as possible before leaving Google Cloud to get to the end user.
| Load balancer | Supported Network Service Tiers |
|---|---|
| Global external HTTP(S) load balancer | These load balancers are always Premium Tier. Their backend services, forwarding rules, and IP addresses are global. |
| Global external HTTP(S) load balancer (classic) | These load balancers can be Premium Tier or Standard Tier. With Premium Tier, they are global. Their forwarding rules, IP addresses, and backend services are global. In Standard Tier, these load balancers are effectively regional. Their backend services are global, but their forwarding rules and IP addresses are regional. |
|
These load balancers are always Standard Tier. Their backend services, forwarding rules, and IP addresses are regional. |
|
These load balancers can be Premium Tier or Standard Tier. With Premium Tier, they are global. Their forwarding rules, IP addresses, and backend services are global. In Standard Tier, these load balancers are effectively regional. Their backend services are global, but their forwarding rules and IP addresses are regional. |
|
These load balancers support traffic within a VPC network (including networks connected to it). Traffic is Premium Tier because it is within a VPC network. |
| External TCP/UDP network load balancer | These load balancers must use regional external IPv4 or IPv6 addresses. These load balancers can be either Premium or Standard Tier. IPv6 addresses require Premium Tier. Only the backend service-based network load balancers can handle IPv6 traffic. |
IP Protocol specifications
Each forwarding rule has an associated IP protocol that the rule will serve.
The default protocol value is TCP.
| Product | Load balancing scheme | IP Protocol options |
|---|---|---|
| Global external HTTP(S) load balancer | EXTERNAL_MANAGED | TCP |
| Global external HTTP(S) load balancer (classic) | EXTERNAL | TCP |
| Regional external HTTP(S) load balancer | EXTERNAL_MANAGED | TCP |
| External SSL proxy load balancer | EXTERNAL | TCP |
| Global external TCP proxy load balancer | EXTERNAL | TCP |
| External regional TCP proxy load balancer | EXTERNAL_MANAGED | TCP |
| Internal regional TCP proxy load balancer | INTERNAL_MANAGED | TCP |
| Network load balancer | EXTERNAL | TCP, UDP, or L3_DEFAULT |
| Internal TCP/UDP load balancer | INTERNAL | TCP or UDP |
| Internal HTTP(S) load balancer | INTERNAL_MANAGED | TCP |
| Traffic Director | INTERNAL_SELF_MANAGED | TCP |
IP address specifications
The forwarding rule must have an IP address that your customers use to reach your load balancer. The IP address can be static or ephemeral.
A static IP address provides a single reserved IP address that you can point your domain to. If you ever need to delete your forwarding rule and re-add it, you can continue using the same reserved IP address.
An ephemeral IP address remains constant while the forwarding rule exists. When you choose an ephemeral IP address, Google Cloud associates an IP address with your load balancer's forwarding rule. If you need to delete the forwarding rule and re-add it, the forwarding rule might receive a new IP address.
Depending on the load balancer type, the IP address can have various attributes. The following table summarizes the valid IP address configurations, based on the load balancing scheme and the target of the forwarding rule.
| Scheme | Target | Address type | Address scope | Address tier | Reservable address | Notes |
|---|---|---|---|---|---|---|
| EXTERNAL_MANAGED Global external HTTP(S) load balancer |
Target HTTP proxy Target HTTPS proxy |
External | Global | Premium Tier: Global external IP address and forwarding rule | Yes, optional | IPv6 available |
| EXTERNAL Global external HTTP(S) load balancer (classic) |
Target HTTP proxy Target HTTPS proxy |
External | Regional or global, matching the forwarding rule | Premium Tier: Global external IPv4 or IPv6 address and forwarding rule
Standard Tier: Regional external IPv4 address and forwarding rule |
Yes, optional | IPv6 available with a global external address (Premium Tier) |
| EXTERNAL_MANAGED Regional external HTTP(S) load balancer |
Target HTTP proxy Target HTTPS proxy |
External | Regional | Standard Tier: Regional external IPv4 address and forwarding rule | Yes, optional | IPv6 not available |
| INTERNAL_MANAGED Internal HTTP(S) load balancer |
Target HTTP proxy Target HTTPS proxy |
Internal | Regional | Premium | Yes, optional | Forwarding rule address must be within the primary IPv4 address range of the associated subnet. |
| EXTERNAL Network load balancer |
Backend service Target pool |
External | Regional | Standard (IPv4 addresses) Premium (IPv4 or IPv6 addresses) |
Yes, optional | IPv6 support requires a backend service based NetLB and a subnet with an
IPv6 address range configured using the IPv6 access type
EXTERNAL. The
external IPv6 address is sourced from the subnet's external IPv6 address
range and is therefore in Premium Tier. |
| INTERNAL Internal TCP/UDP load balancer |
Backend service | Internal | Regional | Premium | Yes, optional | Forwarding rule address must be within the primary IPv4 address range of the associated subnet. |
| EXTERNAL External SSL proxy load balancer External TCP proxy load balancer |
Target SSL proxy Target TCP proxy |
External | Regional or global, matching the forwarding rule | Premium Tier: Global external IPv4 or IPv6 address and forwarding rule
Standard Tier: Regional external IPv4 address and forwarding rule |
Yes, optional | IPv6 available with a global external address (Premium Tier) |
| EXTERNAL_MANAGED External regional TCP proxy load balancer |
Target TCP proxy | External | Regional | Standard Tier: Regional external IPv4 address and forwarding rule | Yes, optional | IPv6 not available |
| INTERNAL_MANAGED Internal regional TCP proxy load balancer |
Target TCP proxy | Internal | Regional | Premium | Yes, optional | Forwarding rule address must be within the primary IPv4 address range of the associated subnet |
| INTERNAL_SELF_MANAGED Traffic Director |
Target HTTP proxy Target gRPC proxy |
Internal | Global | Not applicable | No | 0.0.0.0, 127.0.0.1, or any RFC 1918 address is allowed |
| EXTERNAL Classic VPN |
See the Classic VPN documentation | External | Regional | Cloud VPN doesn't have Network Service Tiers | Yes, required | IPv6 not supported |
Multiple forwarding rules with a common IP address
Two or more forwarding rules with the EXTERNAL or EXTERNAL_MANAGED load
balancing scheme can share the same IP address if the following are true:
- The ports used by each forwarding rule do not overlap.
- The Network Service Tiers of each forwarding rule matches the Network Service Tiers of the external IP address.
Examples:
- A network load balancer that accepts traffic on TCP port 79 and another network load balancer that accepts traffic on TCP port 80 can share the same regional external IP address.
- You can use the same global external IP address for an external HTTP(S) load balancer (HTTP and HTTPS).
If the forwarding rule's load balancing scheme is INTERNAL or INTERNAL_MANAGED,
multiple forwarding rules can use the same IP address. For more information, see
the following:
- Internal TCP/UDP load balancer and forwarding rules with a common IP address
- Using a common IP address between multiple internal forwarding rules for internal HTTP(S) load balancers
- Forwarding rules and IP address used with internal regional TCP proxy load balancers
If the forwarding rule's load balancing scheme is INTERNAL_SELF_MANAGED for
Traffic Director, it must have a unique IP address.
Port specifications
The following table summarizes the valid port configurations, based on the load balancing scheme and the target of the forwarding rule.
| Scheme | Target | Ports must be specified | Behavior when ports are unspecified | Port requirements |
|---|---|---|---|---|
| EXTERNAL or EXTERNAL_MANAGED | Target HTTP proxy | Yes | N/A | Can reference exactly one of the following ports: 80, 8080 |
| EXTERNAL or EXTERNAL_MANAGED | Target HTTPS proxy | Yes | N/A | Can only reference port: 443 |
| EXTERNAL_MANAGED | Target TCP proxy | Yes | N/A | Can reference exactly one port from 1-65535. |
| EXTERNAL | Target SSL proxy | Yes | N/A | Can reference exactly one port from 1-65535. |
| EXTERNAL | Target TCP proxy | Yes | N/A | Can reference exactly one port from 1-65535. |
| EXTERNAL | Target VPN Gateway | Yes | N/A | Can reference exactly one of the following ports: 500, 4500 |
| EXTERNAL | Backend service | Yes | N/A | If the forwarding rule protocol is TCP or UDP,
you can configure:
If the forwarding rule protocol is L3_DEFAULT,
you must configure all ports.
|
| Target pool | No | All ports (1-65535) are forwarded |
Must be a single port range (contiguous) | |
| INTERNAL | Backend service | Yes | N/A | Up to five (contiguous or non-contiguous) ports or you can configure all
ports using one of these methods: set --ports=ALL using the gcloud command line
tool, orset allPorts to True using the API.
|
| INTERNAL_MANAGED | Target HTTP proxy | Yes | N/A | Can reference exactly one of the following ports: 80, 8080 |
| INTERNAL_MANAGED | Target HTTPS proxy | Yes | N/A | Can only reference port: 443 |
| INTERNAL_MANAGED | Target TCP proxy | Yes | N/A | Can reference exactly one port from 1-65535 |
| INTERNAL_SELF_MANAGED | Target HTTP proxy Target HTTPS proxy |
Yes | N/A | Must be a single value. Within a VPC network, no two forwarding rules for Traffic Director can have the same IP address and port specification. |
IAM Conditions
With Identity and Access Management (IAM) Conditions, you can set conditions to control which roles are granted to principals. This feature lets you grant permissions to principals if configured conditions are met.
An IAM condition checks the load balancing scheme (for example,
INTERNAL or EXTERNAL) in the forwarding
rule and allows (or disallows)
creation of the forwarding rule. If a principal tries to create a forwarding
rule without permission, an error message appears.
For more information, see IAM Conditions.
API and gcloud reference
For descriptions of the properties and methods available to you when working with forwarding rules through the REST API, see the following:
- Global: globalForwardingRules
- Regional: forwardingRules
For the Google Cloud CLI, see the following:
- gcloud compute forwarding-rules
- Global:
--global - Regional:
--region=[REGION]
- Global:
What's next
- To add or delete a forwarding rule, see Using forwarding rules.