Forwarding rules overview

A forwarding rule and its corresponding IP address represent the frontend configuration of a Google Cloud load balancer.

Each forwarding rule references an IP address and one or more ports on which the load balancer accepts traffic. Some Google Cloud load balancers limit you to a predefined set of ports, and others let you specify arbitrary ports.

The forwarding rule also specifies an IP protocol. For Google Cloud load balancers, the IP protocol is always either TCP or UDP.

Depending on the load balancer type, the following is true:

Also, depending on the load balancer and its tier, a forwarding rule is either global or regional.

Internal forwarding rules

Internal forwarding rules forward traffic that originates inside a Google Cloud network. The clients can be in the same Virtual Private Cloud (VPC) network as the backends, or the clients can be in a connected network.

Internal forwarding rules are used by two types of Google Cloud load balancers:

  • internal TCP/UDP load balancers
  • internal HTTP(S) load balancers

Internal TCP/UDP load balancers

With an internal TCP/UDP load balancer, the supported traffic type is IPv4, and the supported protocol is either TCP or UDP (not both).

Each internal TCP/UDP load balancer has at least one regional internal forwarding rule. The regional internal forwarding rules point to the load balancer's regional internal backend service. The following diagram shows how a forwarding rule fits into the Internal TCP/UDP Load Balancing architecture.

[Figure: Internal TCP/UDP Load Balancing forwarding rule]

The following diagram shows how the load balancer components fit within a subnet and region.

The internal forwarding rule must be in a region and a subnet. The backend service only needs to be in the region.

[Figure: High-level internal TCP/UDP load balancer example]

For more information about internal TCP/UDP load balancers, see the Internal TCP/UDP Load Balancing overview. For information about configuring internal TCP/UDP load balancers, see Setting up Internal TCP/UDP Load Balancing.

Internal HTTP(S) load balancers

With an internal HTTP(S) load balancer, the supported traffic type is IPv4, and the supported protocol can be HTTP, HTTPS, or HTTP/2.

Each internal HTTP(S) load balancer has exactly one regional internal forwarding rule. The regional internal forwarding rule points to the load balancer's regional target HTTP or HTTPS proxy. The following diagram shows how a forwarding rule fits into the Internal HTTP(S) Load Balancing architecture.

[Figure: Internal HTTP(S) Load Balancing forwarding rule]

For more information about internal HTTP(S) load balancers, see the Internal HTTP(S) Load Balancing overview. For information about configuring internal HTTP(S) load balancers, see Preparing for Internal HTTP(S) Load Balancing setup.

External forwarding rules

External forwarding rules forward traffic that originates from the internet, outside of your VPC network.

External forwarding rules are used by the following Google Cloud load balancers:

  • external HTTP(S) load balancers
  • SSL proxy load balancers
  • TCP proxy load balancers
  • network load balancers

HTTP(S) load balancers

The external HTTP(S) load balancers support both Premium Tier and Standard Tier. The forwarding rule and IP address both depend on the tier that you select for the load balancer.

In an external HTTP(S) load balancer, a forwarding rule points to a target proxy.

In Premium Tier, an external HTTP(S) load balancer uses a global external IP address, which can be either IPv4 or IPv6, and a global external forwarding rule. You can provide a globally accessible application that directs end users to backends in the closest region and distributes traffic among multiple regions. Because a global external forwarding rule uses a single external IP address, you don't need to maintain separate DNS records in different regions or wait for DNS changes to propagate.

You can have two different global external IP addresses pointing to the same external HTTP(S) load balancer. For example, in Premium Tier, the global external IP address for one forwarding rule can be IPv4, and the global external IP address for a second forwarding rule can be IPv6. Both forwarding rules can point to the same target proxy. As a result, you can provide both an IPv4 and an IPv6 address for the same external HTTP(S) load balancer. For more information, see the IPv6 termination documentation.

In Standard Tier, an external HTTP(S) load balancer uses a regional external IP address, which must be IPv4, and a regional external forwarding rule. An external HTTP(S) load balancer in Standard Tier can only distribute traffic to backends within a single region.

The following diagram shows how a forwarding rule fits into the HTTP(S) Load Balancing architecture.

[Figure: HTTP(S) Load Balancing forwarding rule]

For more information about external HTTP(S) load balancers, see the HTTP(S) Load Balancing overview.

SSL proxy load balancers

An SSL proxy load balancer is similar to an external HTTP(S) load balancer in that it can terminate SSL (TLS) sessions. Unlike external HTTP(S) load balancers, SSL proxy load balancers do not support path-based redirection, so they're best suited for handling SSL for protocols other than HTTPS, such as IMAP or WebSockets over SSL. For more information, see the SSL FAQ.

In an SSL proxy load balancer, a forwarding rule points to a target proxy.

SSL proxy load balancers support both Premium Tier and Standard Tier. The forwarding rule and IP address both depend on the tier that you select for the load balancer.

In Premium Tier, an SSL proxy load balancer uses a global external IP address, which can be either IPv4 or IPv6, and a global external forwarding rule. You can provide a globally accessible application that directs end users to backends in the closest region and distributes traffic among multiple regions. Because a global external forwarding rule uses a single external IP address, you don't have to maintain separate DNS records in different regions or wait for DNS changes to propagate.

It is possible to have two different global external IP addresses pointing to the same SSL proxy load balancer. For example, in Premium Tier, the global external IP address for one forwarding rule can be IPv4, and the global external IP address for a second forwarding rule can be IPv6. Both forwarding rules can point to the same target proxy. As a result, you can provide both an IPv4 and an IPv6 address for the same SSL proxy load balancer. For more information, see the IPv6 termination documentation.

In Standard Tier, an SSL proxy load balancer uses a regional external IP address, which must be IPv4, and a regional external forwarding rule. An SSL proxy load balancer in Standard Tier can only distribute traffic to backends within a single region.

The following diagram shows how a forwarding rule fits into the SSL Proxy Load Balancing architecture.

[Figure: SSL Proxy Load Balancing forwarding rule]

For more information about SSL proxy load balancers, see the SSL Proxy Load Balancing overview. For information about configuring SSL proxy load balancers, see Setting up SSL Proxy Load Balancing.

TCP proxy load balancers

A TCP proxy load balancer offers global TCP proxying capability, without SSL offload. TCP proxy load balancers support both Premium Tier and Standard Tier. The forwarding rule and IP address both depend on the tier that you select for the load balancer.

In a TCP proxy load balancer, a forwarding rule points to a target proxy.

In Premium Tier, a TCP proxy load balancer uses a global external IP address, which can be either IPv4 or IPv6, and a global external forwarding rule. You can provide a globally accessible application that directs end users to backends in the closest region and distributes traffic among multiple regions. Because a global external forwarding rule uses a single external IP address, you don't have to maintain separate DNS records in different regions or wait for DNS changes to propagate.

It is possible to have two different global external IP addresses pointing to the same TCP proxy load balancer. For example, in Premium Tier, the global external IP address for one forwarding rule can be IPv4, and the global external IP address for a second forwarding rule can be IPv6. Both forwarding rules can point to the same target proxy. As a result, you can provide both an IPv4 and an IPv6 address for the same TCP proxy load balancer. For more information, see the IPv6 termination documentation.

In Standard Tier, a TCP proxy load balancer uses a regional external IP address, which must be IPv4, and a regional external forwarding rule. A TCP proxy load balancer in Standard Tier can only distribute traffic to backends within a single region.

The following diagram shows how a forwarding rule fits into the TCP Proxy Load Balancing architecture.

[Figure: TCP Proxy Load Balancing forwarding rule]

For more information about TCP proxy load balancers, see the TCP Proxy Load Balancing overview. For information about configuring TCP proxy load balancers, see Setting up TCP Proxy Load Balancing.

Network load balancers

The network load balancers distribute either TCP or UDP traffic among backends in a single region, and they support both Premium Tier and Standard Tier. A network load balancer uses a regional external forwarding rule and a regional external IPv4 address (regardless of tier). The regional external IP address can be accessed anywhere on the internet.

A regional external forwarding rule points to the load balancer's target pool.

[Figure: Network Load Balancing forwarding rule]

To use Network Load Balancing in different regions, you must create a network load balancer in each region. This is the case regardless of tier. The following figure shows Network Load Balancing with three load balancers for three different regions. Each load balancer has its own regional external forwarding rule with its own regional external IPv4 address.

[Figure: Network Load Balancing example]

For more information about network load balancers, see the Network Load Balancing overview. For information about configuring network load balancers, see Setting up Network Load Balancing.

How Network Service Tiers affect load balancers

In Network Service Tiers, the distinction between Standard Tier and Premium Tier depends on how far traffic is routed over the public internet:

  • Standard Tier: Hands traffic off to the public internet as close as possible to the Google data center. This means that traffic typically travels over the public internet for a longer distance than with Premium Tier.

  • Premium Tier: Routes traffic over Google's private network as far as possible before leaving Google Cloud to get to the end user.

The internal load balancers (HTTP(S) and TCP/UDP) must use Google's private network, and they are therefore always in the Premium Tier. Internal load balancing is always regional.

Only the external load balancers (HTTP(S), TCP proxy, SSL proxy, and TCP/UDP network) can be routed over the public internet. You can choose whether your external load balancer is in the Premium Tier, using Google's private network, or in the Standard Tier, using the public internet.

Network Load Balancing is always regional, regardless of tier.

With Premium Tier, external HTTP(S) load balancers, TCP proxy load balancers, and SSL proxy load balancers are global. Their forwarding rules, IP addresses, and backend services are global. In Standard Tier, these load balancers are effectively regional. Their backend services remain global, but their forwarding rules and IP addresses are regional.

IP address specifications

The forwarding rule must have an IP address that your customers use to reach your load balancer. The IP address can be static or ephemeral.

A static IP address provides a single reserved IP address that you can point your domain to. If you ever need to delete your forwarding rule and re-add it, you can continue using the same reserved IP address.

An ephemeral IP address remains constant while the forwarding rule exists. When you choose an ephemeral IP address, Google Cloud associates an IP address with your load balancer's forwarding rule. If you need to delete the forwarding rule and re-add it, the forwarding rule might receive a new IP address.

Depending on the load balancer type, the IP address can have various attributes. The following table summarizes the valid IP address configurations, based on the load balancing scheme and the target of the forwarding rule.

| Scheme | Target | Address type | Address scope | Address tier | Reservable address | Notes |
|---|---|---|---|---|---|---|
| EXTERNAL (HTTP(S) Load Balancing, SSL Proxy Load Balancing, TCP Proxy Load Balancing) | Target HTTP proxy, target HTTPS proxy, target SSL proxy, or target TCP proxy | External | Regional or global, matching the forwarding rule | Premium Tier: global external IP address and forwarding rule. Standard Tier: regional external IP address and forwarding rule | Yes, optional | IPv6 available with a global external address (Premium Tier) |
| EXTERNAL (Network Load Balancing) | Target pool | External | Regional | Standard or Premium | Yes | IPv6 not supported |
| EXTERNAL (Classic VPN) | See the Classic VPN documentation | External | Regional | Cloud VPN doesn't have Network Service Tiers | Yes, required | IPv6 not supported |
| INTERNAL (Internal TCP/UDP Load Balancing) | Backend service | Internal | Regional | Premium | Yes, optional | Must be from the primary IP range of the associated subnet |
| INTERNAL_MANAGED (Internal HTTP(S) Load Balancing) | Target HTTP proxy or target HTTPS proxy | Internal | Regional | Premium | Yes, optional | Must be from the primary IP range of the associated subnet |
| INTERNAL_SELF_MANAGED (Traffic Director) | Target HTTP proxy or target gRPC proxy | Internal | Global | Not applicable | No | 0.0.0.0, 127.0.0.1, or any RFC 1918 address is allowed |

Multiple forwarding rules with a common IP address

Two or more forwarding rules with the EXTERNAL load balancing scheme can share the same IP address if the following are true:

  • The ports used by each forwarding rule do not overlap.
  • The Network Service Tier of each forwarding rule matches the Network Service Tier of the external IP address.

Examples:

  • A network load balancer that accepts traffic on TCP port 79 and another network load balancer that accepts traffic on TCP port 80 can share the same regional external IP address.
  • An external HTTP(S) load balancer can use the same global external IP address for both its HTTP forwarding rule and its HTTPS forwarding rule, because the two rules use different ports.

If the forwarding rule's load balancing scheme is INTERNAL or INTERNAL_MANAGED, multiple forwarding rules can use the same IP address. For more information, see Internal TCP/UDP Load Balancing overview.

If the forwarding rule's load balancing scheme is INTERNAL_SELF_MANAGED for Traffic Director, it must have a unique IP address.

Port specifications

The following table summarizes the valid port configurations, based on the load balancing scheme and the target of the forwarding rule.

| Scheme | Target | Ports must be specified | Behavior when ports are unspecified | Port requirements |
|---|---|---|---|---|
| EXTERNAL | Target HTTP proxy | Yes | N/A | 80, 8080 |
| EXTERNAL | Target HTTPS proxy | Yes | N/A | 443 |
| EXTERNAL | Target SSL proxy | Yes | N/A | 25, 43, 110, 143, 195, 443, 465, 587, 700, 993, 995, 1883, 3389, 5222, 5432, 5671, 5672, 5900, 5901, 6379, 8085, 8099, 9092, 9200, and 9300 |
| EXTERNAL | Target TCP proxy | Yes | N/A | 25, 43, 110, 143, 195, 443, 465, 587, 700, 993, 995, 1883, 3389, 5222, 5432, 5671, 5672, 5900, 5901, 6379, 8085, 8099, 9092, 9200, and 9300 |
| EXTERNAL | Target VPN Gateway | Yes | N/A | 500, 4500 |
| EXTERNAL | Target pool | No | All ports (1-65535) are forwarded | Must be contiguous |
| INTERNAL | Backend service | Yes | N/A | Up to five (contiguous or non-contiguous), or you can specify ALL |
| INTERNAL_MANAGED | Target HTTP proxy | Yes | N/A | One of 80 or 8080 |
| INTERNAL_MANAGED | Target HTTPS proxy | Yes | N/A | 443 |
| INTERNAL_SELF_MANAGED | Target HTTP proxy or target HTTPS proxy | Yes | N/A | Must be a single value |

Within a VPC network, no two forwarding rules for Traffic Director can have the same IP address and port specification.
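The shared-IP rules (non-overlapping ports, matching Network Service Tier) and the port table above are the two constraints most often violated when forwarding rules are created from scripts. The following Python check, added here and not part of Google Cloud's documentation or tooling, encodes both so a rule set can be validated before it is applied. The ForwardingRule class, its field names, and the target strings are assumptions of this example.

```python
from dataclasses import dataclass
# Port requirements per (scheme, target), copied from the port table above.
# Added example; the data model and function names are assumptions.
PROXY_PORTS = frozenset({25, 43, 110, 143, 195, 443, 465, 587, 700, 993, 995,
                         1883, 3389, 5222, 5432, 5671, 5672, 5900, 5901, 6379,
                         8085, 8099, 9092, 9200, 9300})
FIXED_PORTS = {
    ("EXTERNAL", "target-http-proxy"): frozenset({80, 8080}),
    ("EXTERNAL", "target-https-proxy"): frozenset({443}),
    ("EXTERNAL", "target-ssl-proxy"): PROXY_PORTS,
    ("EXTERNAL", "target-tcp-proxy"): PROXY_PORTS,
    ("EXTERNAL", "target-vpn-gateway"): frozenset({500, 4500}),
    ("INTERNAL_MANAGED", "target-http-proxy"): frozenset({80, 8080}),
    ("INTERNAL_MANAGED", "target-https-proxy"): frozenset({443}),
}
SINGLE_PORT_SCHEMES = ("INTERNAL_MANAGED", "INTERNAL_SELF_MANAGED")
ALL_PORTS = frozenset(range(1, 65536))

@dataclass(frozen=True)
class ForwardingRule:
    name: str
    scheme: str    # EXTERNAL, INTERNAL, INTERNAL_MANAGED or INTERNAL_SELF_MANAGED
    target: str    # e.g. "target-pool", "backend-service", "target-http-proxy"
    tier: str      # "PREMIUM" or "STANDARD"
    ports: frozenset = frozenset()  # empty means ports were left unspecified
    all_ports: bool = False         # the ALL option for an INTERNAL backend service

def effective_ports(rule):
    """Ports the rule really listens on: a target pool with no ports gets them all."""
    if rule.all_ports or (rule.target == "target-pool" and not rule.ports):
        return ALL_PORTS
    return rule.ports

def port_problems(rule):
    """Check a rule's port spec against the table; an empty list means valid."""
    key, ports, problems = (rule.scheme, rule.target), rule.ports, []
    if key in FIXED_PORTS and not ports <= FIXED_PORTS[key]:
        problems.append(f"ports must be within {sorted(FIXED_PORTS[key])}")
    if rule.scheme in SINGLE_PORT_SCHEMES and len(ports) != 1:
        problems.append("exactly one port must be specified")
    elif key == ("EXTERNAL", "target-pool"):
        lo, hi = (min(ports), max(ports)) if ports else (1, 0)
        if hi - lo + 1 != len(ports):
            problems.append("target pool ports must be contiguous")
    elif key == ("INTERNAL", "backend-service"):
        if not (ports or rule.all_ports) or len(ports) > 5:
            problems.append("specify one to five ports, or ALL")
    elif not ports:  # every remaining scheme/target requires explicit ports
        problems.append("ports must be specified")
    return problems

def can_share_external_ip(a, b, address_tier):
    """Two EXTERNAL rules may share an IP only if ports are disjoint and both match the address tier."""
    both_external = a.scheme == b.scheme == "EXTERNAL"
    tiers_match = a.tier == b.tier == address_tier
    return both_external and tiers_match and effective_ports(a).isdisjoint(effective_ports(b))
```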

IAM Conditions

With Identity and Access Management (IAM) Conditions, you can set conditions that control which roles are granted to members. This feature lets you grant permissions to members only when the configured conditions are met.

An IAM condition checks the load balancing scheme (for example, INTERNAL or EXTERNAL) in the forwarding rule and allows (or disallows) creation of the forwarding rule. If a member tries to create a forwarding rule without permission, an error message appears.

For more information, see IAM Conditions.

API and gcloud reference

For descriptions of the properties and methods available to you when working with forwarding rules through the REST API, see the following:

For the gcloud command-line tool, see the following:

What's next