Creating Content-Based Load Balancing

This guide demonstrates how to create an HTTP(S) load balancer that distributes traffic to different instances based on the path in the request URL.

Before you start, make sure that you are familiar with overall HTTP(S) Load Balancing concepts.

Overview

For this scenario, you will create Compute Engine instances that handle different kinds of requests, and you will create a load balancer that routes to the different instances based on URL path.

At the end of this guide, you will have a setup that forwards the following URL paths:

  • URL paths that start with /video are routed to one instance group.
  • URL paths that don't match this pattern are routed to another instance group.

The resources you will be creating connect together as shown here:

Figure: Content-based HTTP(S) Load Balancing

Before you begin

These instructions assume you are using an auto mode VPC network or a legacy network. If you are using a custom mode VPC network, then some of the steps below, such as creating an instance, additionally require you to specify the subnet range.

If you prefer to work from the command line, install the gcloud command-line tool. See gcloud Overview for conceptual and installation information about the tool.

If you haven't run the gcloud command-line tool previously, first run gcloud init to authenticate.

Configuring instances

In this example, create virtual machine instances, configure them for testing, and give them all the same tag. This tag will be used by a firewall rule to allow incoming traffic to reach your instances.

The startup script installs apache and creates a unique home page for each instance.

Console


  1. Go to the VM instances page in the Google Cloud Platform Console.
  2. Click Create instance.
  3. Set Name to www.
  4. Set the Zone to us-central1-b.
  5. Click Management, security, disks, networking, sole tenancy to reveal advanced settings.
  6. Under Management, click Networking and populate the Tags field with http-tag for HTTP traffic, https-tag for HTTPS traffic, or http2-tag for HTTP/2 traffic. If you are using HTTP traffic and either HTTPS or HTTP/2, use http-tag and either https-tag or http2-tag.
  7. Insert the following script into the Startup script field. If you are configuring HTTP/2, include the two commands that are inside the square brackets, ensuring that you remove the square brackets.
    sudo apt-get update
    sudo apt-get install apache2 -y
    sudo a2ensite default-ssl
    sudo a2enmod ssl
    [sudo a2enmod http2
    sudo sed -i '/<VirtualHost/a\        Protocols h2 http/1.1' /etc/apache2/sites-available/default-ssl.conf]
    sudo service apache2 restart
    echo '<!doctype html><html><body><h1>www</h1></body></html>' | sudo tee /var/www/html/index.html
  8. Leave the default values for rest of the fields.
  9. Click Create.
  10. Create www-video with the same settings, except with the following script inserted into the Startup script field. If you are configuring HTTP/2, include the two commands that are inside the square brackets, ensuring that you remove the square brackets.
    sudo apt-get update
    sudo apt-get install apache2 -y
    sudo a2ensite default-ssl
    sudo a2enmod ssl
    [sudo a2enmod http2
    sudo sed -i '/<VirtualHost/a\        Protocols h2 http/1.1' /etc/apache2/sites-available/default-ssl.conf]
    sudo service apache2 restart
    echo '<!doctype html><html><body><h1>www-video</h1></body></html>' | sudo tee /var/www/html/index.html
    sudo mkdir /var/www/html/video
    echo '<!doctype html><html><body><h1>www-video</h1></body></html>' | sudo tee /var/www/html/video/index.html
    

gcloud: HTTP


gcloud compute instances create www \
    --image-family debian-9 \
    --image-project debian-cloud \
    --zone us-central1-b \
    --tags http-tag \
    --metadata startup-script="#! /bin/bash
      sudo apt-get update
      sudo apt-get install apache2 -y
      sudo service apache2 restart
      echo '<!doctype html><html><body><h1>www</h1></body></html>' | sudo tee /var/www/html/index.html"

gcloud compute instances create www-video \
    --image-family debian-9 \
    --image-project debian-cloud \
    --zone us-central1-b \
    --tags http-tag \
    --metadata startup-script="#! /bin/bash
      sudo apt-get update
      sudo apt-get install apache2 -y
      sudo service apache2 restart
      echo '<!doctype html><html><body><h1>www-video</h1></body></html>' | sudo tee /var/www/html/index.html
      sudo mkdir /var/www/html/video
      echo '<!doctype html><html><body><h1>www-video</h1></body></html>' | sudo tee /var/www/html/video/index.html"

gcloud: HTTPS


gcloud compute instances create www \
    --image-family debian-9 \
    --image-project debian-cloud \
    --zone us-central1-b \
    --tags https-tag \
    --metadata startup-script="#! /bin/bash
      sudo apt-get update
      sudo apt-get install apache2 -y
      sudo a2ensite default-ssl
      sudo a2enmod ssl
      sudo service apache2 restart
      echo '<!doctype html><html><body><h1>www</h1></body></html>' | sudo tee /var/www/html/index.html"

gcloud compute instances create www-video \
    --image-family debian-9 \
    --image-project debian-cloud \
    --zone us-central1-b \
    --tags https-tag \
    --metadata startup-script="#! /bin/bash
      sudo apt-get update
      sudo apt-get install apache2 -y
      sudo a2ensite default-ssl
      sudo a2enmod ssl
      sudo service apache2 restart
      echo '<!doctype html><html><body><h1>www-video</h1></body></html>' | sudo tee /var/www/html/index.html
      sudo mkdir /var/www/html/video
      echo '<!doctype html><html><body><h1>www-video</h1></body></html>' | sudo tee /var/www/html/video/index.html"

gcloud: HTTP/2


gcloud compute instances create www \
    --image-family debian-9 \
    --image-project debian-cloud \
    --zone us-central1-b \
    --tags http2-tag \
    --metadata startup-script="#! /bin/bash
      sudo apt-get update
      sudo apt-get install apache2 -y
      sudo a2ensite default-ssl
      sudo a2enmod ssl
      sudo a2enmod http2
      # Enable HTTP/2 inside the default-ssl virtual host
      sudo sed -i '/<VirtualHost/a\        Protocols h2 http/1.1' /etc/apache2/sites-available/default-ssl.conf
      sudo service apache2 restart
      echo '<!doctype html><html><body><h1>www</h1></body></html>' | sudo tee /var/www/html/index.html"

gcloud compute instances create www-video \
    --image-family debian-9 \
    --image-project debian-cloud \
    --zone us-central1-b \
    --tags http2-tag \
    --metadata startup-script="#! /bin/bash
      sudo apt-get update
      sudo apt-get install apache2 -y
      sudo a2ensite default-ssl
      sudo a2enmod ssl
      sudo a2enmod http2
      # Enable HTTP/2 inside the default-ssl virtual host
      sudo sed -i '/<VirtualHost/a\        Protocols h2 http/1.1' /etc/apache2/sites-available/default-ssl.conf
      sudo service apache2 restart
      echo '<!doctype html><html><body><h1>www-video</h1></body></html>' | sudo tee /var/www/html/index.html
      sudo mkdir /var/www/html/video
      echo '<!doctype html><html><body><h1>www-video</h1></body></html>' | sudo tee /var/www/html/video/index.html"

Next, create a firewall rule to allow HTTP(S) or HTTP/2 traffic to your VMs. This rule allows traffic from all sources, which is useful while you're setting up and testing your configuration. Later, you'll have the option of disabling HTTP(S) or HTTP/2 traffic from sources other than the load balancing service.

The firewall rule makes use of the http-tag, https-tag, or http2-tag tag that you created earlier. The firewall rule allows traffic on the designated port to reach instances that have the tag.

Console


  1. Go to the Firewalls page in the Google Cloud Platform Console.
  2. Click Create firewall rule.
  3. Enter a Name of www-firewall.
  4. Select VPC network to be default.
  5. Set Source filter to Allow from any source (0.0.0.0/0).
  6. Set Allowed protocols and ports to tcp:80 if you are using HTTP, tcp:443 if you are using HTTPS or HTTP/2, or tcp:80,443 for HTTP and either HTTPS or HTTP/2.
  7. Set the Target tags field.
    • For HTTP traffic, populate the Tags field with http-tag.
    • For HTTPS traffic, populate the Tags field with https-tag.
    • For HTTP/2 traffic, populate the Tags field with http2-tag.
    • For HTTP and either HTTPS or HTTP/2 traffic, populate the Tags field with the http-tag tag and either https-tag or http2-tag. If you are specifying two tags, enter one, then press the Tab key and enter the other.
  8. Click Create. It may take a moment for the Console to display the new firewall rule, or you might have to click Refresh to see the rule.

gcloud: HTTP


gcloud compute firewall-rules create www-firewall \
    --target-tags http-tag --allow tcp:80

gcloud: HTTPS


gcloud compute firewall-rules create www-firewall \
    --target-tags https-tag --allow tcp:443

gcloud: HTTP/2


gcloud compute firewall-rules create www-firewall \
    --target-tags http2-tag --allow tcp:443
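
The firewall rule above admits traffic from every source, which the guide describes as acceptable while setting up and testing. The script below is an added example, not part of the original guide: it audits the sourceRanges of the www-firewall rule and prints the narrowed form the guide alludes to, in which only the load balancer and its health checkers can reach the instances. It assumes Google Cloud's documented proxy and health-check source ranges, 130.211.0.0/22 and 35.191.0.0/16, which this page does not list; confirm them against current documentation before relying on them.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. Audits the source ranges of the
# www-firewall rule created above and prints the narrowed form in which only the
# load balancer and its health checkers can reach the instances.
# ASSUMPTION: the ranges below are Google Cloud's documented proxy and
# health-check source ranges; this page does not list them.
set -u

LB_SOURCE_RANGES="130.211.0.0/22,35.191.0.0/16"

# audit_source_ranges RANGES
# RANGES is the rule's sourceRanges list as gcloud prints it with
# --format='value(sourceRanges)' (entries separated by ';' or ',').
# Returns 0 when every entry is one of the load-balancer ranges, 1 when the
# rule is open to the world, admits any other range, or has no ranges at all.
audit_source_ranges() {
  local ranges entry rc=0
  ranges="$(printf '%s' "$1" | tr ';' ',')"
  if [ -z "$ranges" ]; then
    echo "no sourceRanges set (the rule uses source tags or service accounts); review it manually"
    return 1
  fi
  for entry in $(printf '%s' "$ranges" | tr ',' ' '); do
    case ",$LB_SOURCE_RANGES," in
      *",$entry,"*) echo "ok       $entry" ;;
      *)
        if [ "$entry" = "0.0.0.0/0" ]; then
          echo "OPEN     $entry (world-reachable; acceptable for testing only)"
        else
          echo "UNKNOWN  $entry (not a load-balancer range)"
        fi
        rc=1 ;;
    esac
  done
  return $rc
}

# lockdown_command RULE
# Prints the command that narrows an existing rule to the load-balancer ranges
# while leaving its target tags and allowed ports as they are.
lockdown_command() {
  printf 'gcloud compute firewall-rules update %s --source-ranges %s\n' "$1" "$LB_SOURCE_RANGES"
}

# Live mode, e.g. ./firewall-audit.sh www-firewall (needs an authenticated gcloud).
if [ $# -ge 1 ]; then
  current="$(gcloud compute firewall-rules describe "$1" --format='value(sourceRanges)')"
  echo "rule $1 sourceRanges: ${current:-<none>}"
  if ! audit_source_ranges "$current"; then
    echo "to restrict it to the load balancer, run:"
    lockdown_command "$1"
  fi
fi
```

The gcloud commands in this guide pass no --source-ranges, which gcloud defaults to 0.0.0.0/0, the same setting the console step selects; the update form printed by lockdown_command changes only the sources, so the tag targeting and allowed ports stay as created.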

Verify that your instances are running.

Console


  1. Go to the VM instances page in the Google Cloud Platform Console.
  2. Click the addresses for your instances in the External IP column.

[HTTPS or HTTP/2 only] In the browser, add https:// in front of the IP address. If you don't have a certificate on the instance, or only have a self-signed one, you'll have to accept the browser's warning about the lack of valid certificate.

gcloud: HTTP


  1. List your instances to get their IP addresses from the EXTERNAL_IP column.

    gcloud compute instances list
    

  2. Run curl for each instance to confirm that they respond.

    curl http://IP_ADDRESS
    

gcloud: HTTPS


  1. List your instances to get their IP addresses from the EXTERNAL_IP column.

    gcloud compute instances list
    

  2. Run curl for each instance to confirm that they respond.

    curl -k https://IP_ADDRESS
    

gcloud: HTTP/2


  1. List your instances to get their IP addresses from the EXTERNAL_IP column.

    gcloud compute instances list
    

  2. Run curl for each instance to confirm that they respond. If you are using a curl version prior to 7.47.0, add the --http2 command line option when you issue the curl command. Try both IPv4 and IPv6. For IPv6, you must put [] around the address. For example, curl -g -6 "http://[2001:DB8::]/".

    curl -k https://IP_ADDRESS
    

Configuring services needed by the load balancing service

Now that your instances are up and running, set up the services needed for load balancing. In this section, you will create:

  • Global static external IPv4 and IPv6 addresses for the load balancer.
  • An instance group for each content type, containing the instances you created.

To configure these services, perform the following steps:

Create IPv4 and IPv6 global static external IP addresses for your load balancer.

Console


  1. Go to the External IP addresses page in the Google Cloud Platform Console.
  2. Click Reserve static address to reserve an IPv4 address.
  3. Assign a Name of lb-ip-1.
  4. Set IP version to IPv4.
  5. Set Type to Global.
  6. Click Reserve.
  7. Click Reserve static address again to reserve an IPv6 address.
  8. Assign a Name of lb-ipv6-1.
  9. Set IP version to IPv6.
  10. Set Type to Global.
  11. Click Reserve.

gcloud: HTTP


gcloud compute addresses create lb-ip-1 \
    --ip-version=IPV4 \
    --global

gcloud compute addresses create lb-ipv6-1 \
    --ip-version=IPV6 \
    --global

gcloud: HTTPS


gcloud compute addresses create lb-ip-1 \
    --ip-version=IPV4 \
    --global

gcloud compute addresses create lb-ipv6-1 \
    --ip-version=IPV6 \
    --global

gcloud: HTTP/2


gcloud compute addresses create lb-ip-1 \
    --ip-version=IPV4 \
    --global

gcloud compute addresses create lb-ipv6-1 \
    --ip-version=IPV6 \
    --global

Create an instance group for each traffic type.

Console


  1. Go to the Instance groups page in the GCP Console.
  2. Click Create instance group.
  3. Set the Name to www-resources.
  4. Set the Zone to us-central1-b.
  5. Under Group type, select Unmanaged instance group.
  6. Under VM instances, select www.
  7. Leave the other settings as they are.
  8. Click Create.
  9. Repeat these steps to create an instance group called video-resources that contains the instance called www-video.

gcloud: HTTP


gcloud compute instance-groups unmanaged create video-resources --zone us-central1-b

gcloud compute instance-groups unmanaged create www-resources --zone us-central1-b

gcloud: HTTPS


gcloud compute instance-groups unmanaged create video-resources --zone us-central1-b

gcloud compute instance-groups unmanaged create www-resources --zone us-central1-b

gcloud: HTTP/2


gcloud compute instance-groups unmanaged create video-resources --zone us-central1-b

gcloud compute instance-groups unmanaged create www-resources --zone us-central1-b

Add the instances you created earlier to the instance groups.

Console


Completed as part of prior step.

gcloud: HTTP


gcloud compute instance-groups unmanaged add-instances video-resources \
    --instances www-video \
    --zone us-central1-b

gcloud compute instance-groups unmanaged add-instances www-resources \
    --instances www \
    --zone us-central1-b

gcloud: HTTPS


gcloud compute instance-groups unmanaged add-instances video-resources \
    --instances www-video \
    --zone us-central1-b

gcloud compute instance-groups unmanaged add-instances www-resources \
    --instances www \
    --zone us-central1-b

gcloud: HTTP/2


gcloud compute instance-groups unmanaged add-instances video-resources \
    --instances www-video \
    --zone us-central1-b

gcloud compute instance-groups unmanaged add-instances www-resources \
    --instances www \
    --zone us-central1-b

Configuring the load balancing service

Load balancer functionality involves several connected services. In this section, you will set up and connect the services. The services you will create are as follows:

  • Named ports, which the load balancer uses to direct traffic to your instance groups.
  • A Health check, which polls your instances to see if they are healthy. The load balancer only sends traffic to healthy instances.
  • Backend services, which monitor the usage and health of instances. Backend services know whether the instances in the instance group can receive traffic or not. If the instances cannot receive traffic, the load balancer redirects traffic provided that instances elsewhere have sufficient capacity.
  • A URL map, which parses the URL of the request and can forward certain requests to specific backend services based on the host and path of the request URL.
  • One or more SSL certificate resources, if you are using HTTPS or HTTP/2, which contain SSL certificate information for the load balancer. You can use multiple SSL certificates and you must create an SSL certificate resource for each certificate.
  • An optional SSL policy, if you are using HTTPS or HTTP/2.
  • A target proxy, which receives the request from the user and forwards it to the URL map. The target proxy is the service that decrypts SSL traffic using the SSL certificate resource. The target proxy can forward traffic to your instances via HTTP, HTTPS, or HTTP/2.
  • Two global forwarding rules, one each for IPv4 and IPv6, which hold the global external IP address resources. Global forwarding rules forward the incoming request to the target proxy.

Console


Name your load balancer

  1. Go to the Load balancing page in the Google Cloud Platform Console.
  2. Under HTTP(S) load balancing, click Start configuration.
  3. For the Name of the load balancer, enter web-map.

Backend configuration

Configure a backend service for each content type.

  1. Click Backend configuration.
  2. In the Create or select a backend service pull-down menu, select Create a backend service.
  3. Set the Name of the backend service to web-map-backend-service.
  4. Under Backends, set Instance group to www-resources.
  5. If traffic between the load balancer and the instances is to be HTTPS or HTTP/2, set Port numbers to 443. If traffic between the load balancer and the instances is to be HTTP, set Port numbers to 80.
  6. Leave the default values for rest of the fields.
  7. Under Health check, select Create a health check or Create another health check.
    1. If you are creating an HTTP health check, set the following health check parameters:
      • Name to http-basic-check
      • Protocol to HTTP
      • Port to 80
    2. If you are creating an HTTPS health check, set the following health check parameters:
      • Name to https-basic-check
      • Protocol to HTTPS
      • Port to 443
    3. If you are creating an HTTP/2 health check, set the following health check parameters:
      • Name to http2-basic-check
      • Protocol to HTTP/2
      • Port to 443
  8. Click the Save and Continue button.
  9. In the middle column of the Backend Services screen, select Add backend.
  10. Repeat the above steps, but name the second backend service video-service and assign the video-resources instance group to it.

Host and path rules

  1. In the left column of the screen, click Host and path rules.
  2. The first row is already populated with the default rule, which points to web-map-backend-service.
  3. The second row has video-service in the right column. Populate the other columns as follows:
    1. Set Hosts to *.
    2. Set Paths to /video and /video/*. Press the tab key between entries.

Frontend configuration

If you are using HTTPS or HTTP/2 between the client and the load balancer, you will need one or more SSL certificate resources to configure the proxy. See SSL Certificates for information on how to create SSL certificate resources. You should not use a self-signed certificate for production purposes.

  1. In the left panel of the New HTTP(S) load balancer page, click Frontend configuration.
  2. Enter a Name of http-content-rule.
  3. In the Protocol field, select HTTPS if you want HTTPS or HTTP/2 between the client and the load balancer. Select HTTP if you want HTTP between the client and the load balancer.
  4. Set IP version to IPv4.
  5. In IP, select lb-ip-1, which you created earlier.
  6. Select a Port of 80 if you are using HTTP. HTTPS or HTTP/2 traffic defaults to 443 and cannot be changed.
  7. [HTTPS or HTTP/2 only] If you already have an SSL certificate resource you want to use as the primary SSL certificate, select it from the Certificate drop-down menu. If not, select Create a new certificate.
    1. Fill in a Name of www-ssl-cert.
    2. In the appropriate fields upload your Public key certificate (.crt file), Certificate chain (.csr file), and Private key (.key file).
    3. Click Create.
  8. [HTTPS or HTTP/2 only] To add certificate resources in addition to the primary SSL certificate resource:
    1. Click Add certificate.
    2. Select a certificate from the Certificates list or click Create a new certificate and follow the instructions above.
  9. [HTTPS or HTTP/2 only] To optionally create an SSL policy:
    1. Under SSL policy, select Create policy.
    2. Enter a Name of my-ssl-policy.
    3. Select TLS 1.0 for Minimum TLS Version.
    4. Select MODERN for Profile. The Enabled features and Disabled features are displayed.
    5. Click Create.
  10. Click Done.
  11. Click Add frontend IP and port.
  12. Enter a Name of http-content-ipv6-rule.
  13. In the Protocol field, select HTTPS if you want HTTPS or HTTP/2 between the client and the load balancer. Select HTTP if you want HTTP between the client and the load balancer.
  14. Set IP version to IPv6.
  15. In IP, select lb-ipv6-1, which you created earlier.
  16. Select a Port of 80 if you are using HTTP. HTTPS or HTTP/2 traffic defaults to 443 and cannot be changed.
  17. [HTTPS or HTTP2 only] If you already have an SSL certificate resource you want to use, select it from the Certificate drop-down menu. If not, select Create a new certificate.
    1. Fill in a Name of www-ssl-cert.
    2. In the appropriate fields upload your Public key certificate (.crt file), Certificate chain (.csr file), and Private key (.key file).
    3. Click Create.
  18. [HTTPS or HTTP2 only] To add certificate resources in addition to the primary SSL certificate resource:
    1. Click Add certificate.
    2. Select a certificate from the Certificates list or click Create a new certificate and follow the instructions above.
  19. [HTTPS or HTTP2 only] To optionally create an SSL policy:
    1. Under SSL policy, select Create policy.
    2. Enter a Name of my-ssl-policy.
    3. Select TLS 1.0 for Minimum TLS Version.
    4. Select MODERN for Profile. The Enabled features and Disabled features are displayed.
    5. Click Create.
  20. [HTTPS or HTTP2 only] To modify the QUIC negotiation setting, select Enabled or Disabled.
  21. Click Done.

Review and finalize

  1. In the left panel of the New HTTP(S) load balancer page, click Review and finalize.
  2. Compare your settings to what you intended to create.
  3. If everything looks correct, click Create to create your HTTP(S) load balancer.

gcloud: HTTP


  1. For each instance group, define an HTTP service and map a port name to the relevant port. Once configured, the load balancing service forwards traffic to the named port.

    gcloud compute instance-groups unmanaged set-named-ports video-resources \
        --named-ports http:80 \
        --zone us-central1-b
    

    gcloud compute instance-groups unmanaged set-named-ports www-resources \
        --named-ports http:80 \
        --zone us-central1-b
    

  2. Create a health check. Use the gcloud command for HTTP if you are using HTTP between the load balancer and the backends.

    gcloud compute health-checks create http http-basic-check \
        --port 80
    

  3. Create a backend service for each content provider. Set the --protocol field to HTTP because we are using HTTP to go to the instances. Use the http-basic-check health check we created earlier as the health check.

    gcloud compute backend-services create video-service \
        --protocol HTTP \
        --health-checks http-basic-check \
        --global
    

    gcloud compute backend-services create web-map-backend-service \
        --protocol HTTP \
        --health-checks http-basic-check \
        --global
    

  4. Add your instance groups as backends to the backend services. A backend defines the capacity (max CPU utilization or max queries per second) of the instance groups it contains. In this example, set the balancing mode to be CPU utilization, the max utilization to be 80%, and the capacity scaling to be 1. Set the capacity scaling to 0 if you wish to drain a backend service.

    gcloud compute backend-services add-backend video-service \
        --balancing-mode UTILIZATION \
        --max-utilization 0.8 \
        --capacity-scaler 1 \
        --instance-group video-resources \
        --instance-group-zone us-central1-b \
        --global
    

    gcloud compute backend-services add-backend web-map-backend-service \
        --balancing-mode UTILIZATION \
        --max-utilization 0.8 \
        --capacity-scaler 1 \
        --instance-group www-resources \
        --instance-group-zone us-central1-b \
        --global
    

  5. Create a URL map to route the incoming requests to the appropriate backend services. In this case, the request path mappings defined via the --path-rules flag will split traffic according to the URL path in each request to your site. Traffic that does not match an entry in the --path-rules list is sent to the entry in the --default-service flag.

    1. Create a URL map:

      gcloud compute url-maps create web-map \
          --default-service web-map-backend-service
      

    2. Add a path matcher to your URL map and define your request path mappings:

      gcloud compute url-maps add-path-matcher web-map \
          --default-service web-map-backend-service \
          --path-matcher-name pathmap \
          --path-rules="/video=video-service,/video/*=video-service"
                 

  6. Create a target HTTP proxy to route requests to your URL map.

    gcloud compute target-http-proxies create http-lb-proxy \
        --url-map web-map
    

  7. Create two global forwarding rules to route incoming requests to the proxy, one for IPv4 and one for IPv6. Replace [LB_IP_ADDRESS] in the command with the static IPv4 address you created. Replace [LB_IPV6_ADDRESS] with the IPv6 address you created. You can use gcloud compute addresses list to find them.

    gcloud compute forwarding-rules create http-content-rule \
        --address [LB_IP_ADDRESS] \
        --global \
        --target-http-proxy http-lb-proxy \
        --ports 80
    

    gcloud compute forwarding-rules create http-content-ipv6-rule \
        --address [LB_IPV6_ADDRESS] \
        --global \
        --target-http-proxy http-lb-proxy \
        --ports 80
    

gcloud: HTTPS


  1. For each instance group, define an HTTPS service and map a port name to the relevant port. Once configured, the load balancing service forwards traffic to the named port.

    gcloud compute instance-groups unmanaged set-named-ports video-resources \
        --named-ports https:443 \
        --zone us-central1-b
    

    gcloud compute instance-groups unmanaged set-named-ports www-resources \
        --named-ports https:443 \
        --zone us-central1-b
    

  2. Create a health check. Use the gcloud command for HTTPS if you are using HTTPS between the load balancer and the backends.

    gcloud compute health-checks create https https-basic-check \
        --port 443
    

  3. Create a backend service for each content provider. Set the --protocol field to HTTPS because we are using HTTPS to go to the instances. Use the https-basic-check health check we created earlier as the health check.

    gcloud compute backend-services create video-service \
        --protocol HTTPS \
        --health-checks https-basic-check \
        --global
    

    gcloud compute backend-services create web-map-backend-service \
        --protocol HTTPS \
        --health-checks https-basic-check \
        --global
    

  4. Add your instance groups as backends to the backend services. A backend defines the capacity (max CPU utilization or max queries per second) of the instance groups it contains. In this example, set the balancing mode to be CPU utilization, the max utilization to be 80%, and the capacity scaling to be 1. Set the capacity scaling to 0 if you wish to drain a backend service.

    gcloud compute backend-services add-backend video-service \
        --balancing-mode UTILIZATION \
        --max-utilization 0.8 \
        --capacity-scaler 1 \
        --instance-group video-resources \
        --instance-group-zone us-central1-b \
        --global
    

    gcloud compute backend-services add-backend web-map-backend-service \
        --balancing-mode UTILIZATION \
        --max-utilization 0.8 \
        --capacity-scaler 1 \
        --instance-group www-resources \
        --instance-group-zone us-central1-b \
        --global
    

  5. Create a URL map to route the incoming requests to the appropriate backend services. In this case, the request path mappings defined via the --path-rules flag will split traffic according to the URL path in each request to your site. Traffic that does not match an entry in the --path-rules list is sent to the entry in the --default-service flag.

    1. Create a URL map:

      gcloud compute url-maps create web-map \
          --default-service web-map-backend-service
      

    2. Add a path matcher to your URL map and define your request path mappings:

      gcloud compute url-maps add-path-matcher web-map \
          --default-service web-map-backend-service \
          --path-matcher-name pathmap \
          --path-rules="/video=video-service,/video/*=video-service"
      

  6. Create an SSL certificate resource to use in the HTTPS proxy. If you don’t have a private key and signed certificate, you can create and use a self-signed certificate for testing purposes. See SSL Certificates for further information. You should not use a self-signed certificate for production purposes. If you are using multiple SSL certificates, you must create an SSL certificate resource for each certificate.

    gcloud compute ssl-certificates create www-ssl-cert \
        --certificate [CRT_FILE_PATH] \
        --private-key [KEY_FILE_PATH]
    

  7. Optionally, create an SSL policy for the load balancer.

    gcloud compute ssl-policies create cb-ssl-policy \
        --profile MODERN --min-tls-version 1.0
    

  8. Create a target HTTPS proxy to route requests to your URL map. The proxy is the portion of the load balancer that holds the SSL certificate for HTTPS Load Balancing, so you also load your certificate in this step.

    gcloud compute target-https-proxies create https-lb-proxy \
        --url-map web-map --ssl-certificates www-ssl-cert
    

  9. Look up the static IP addresses you created for your load balancer. You will use them in the next step.

    gcloud compute addresses list
    

  10. Optionally, enable the QUIC protocol.

    gcloud compute target-https-proxies update https-lb-proxy \
        --quic-override=ENABLE
    

  11. Create two global forwarding rules to route incoming requests to the proxy, one for IPv4 and one for IPv6. Replace [LB_IP_ADDRESS] in the command with the static IPv4 address you created. Replace [LB_IPV6_ADDRESS] with the IPv6 address you created. You can use gcloud compute addresses list to find them.

    gcloud compute forwarding-rules create https-content-rule \
        --address [LB_IP_ADDRESS] \
        --global \
        --target-https-proxy https-lb-proxy \
        --ports 443
    

    gcloud compute forwarding-rules create https-content-ipv6-rule \
        --address [LB_IPV6_ADDRESS] \
        --global \
        --target-https-proxy https-lb-proxy \
        --ports 443
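
The URL map steps in the HTTP, HTTPS and HTTP/2 gcloud variants all define the same routing table: /video and /video/* go to video-service, everything else to the default service. As an added example that is not part of the original guide, the script below reproduces that path-matcher decision locally, so the difference between the exact rule /video and the prefix rule /video/* can be checked without a deployment, and, when given the load balancer's base URL, fetches a few paths and confirms that the <h1> text the startup scripts write (www or www-video) comes back from the expected instance group. The service names and <h1> values come from this guide; the address in the usage line is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. Emulates the routing decision the
# web-map URL map makes for a request path and optionally smoke-tests a deployed
# load balancer. Assumes the resource names used in this guide
# (web-map-backend-service, video-service) and the <h1> text the startup
# scripts write (www, www-video).
set -u

# Path-rule semantics as the add-path-matcher call defines them:
#   /video    -> video-service            (exact match only)
#   /video/*  -> video-service            (/video/ and everything below it)
#   otherwise -> web-map-backend-service  (the --default-service)
# The query string is not part of the path and never affects the decision,
# and /videos does NOT match /video/*, which is the usual surprise.
route_for_path() {
  local path="${1%%[?]*}"            # strip any query string
  case "$path" in
    /video)   echo "video-service" ;;
    /video/*) echo "video-service" ;;
    *)        echo "web-map-backend-service" ;;
  esac
}

# The <h1> each backend's startup script writes, so a response can be
# attributed to the instance group that served it.
expected_h1() {
  case "$(route_for_path "$1")" in
    video-service) echo "www-video" ;;
    *)             echo "www" ;;
  esac
}

# Extract the <h1> text from a response body (the test pages are one-line HTML).
h1_of() {
  sed -n 's/.*<h1>\([^<]*\)<\/h1>.*/\1/p' | head -n 1
}

# Smoke-test a live load balancer. BASE is http://LB_IP or https://LB_IP.
# -k tolerates the self-signed test certificate the guide permits. The bare
# /video path is left out because Apache answers it with a redirect to /video/
# whose scheme depends on the backend protocol, not on the URL map.
# Returns 1 if any path is served by the wrong instance group.
smoke_test() {
  local base="$1" path got want rc=0
  for path in / /index.html /video/ /video/index.html "/video/index.html?x=1"; do
    want="$(expected_h1 "$path")"
    got="$(curl -sk "${base}${path}" | h1_of)"
    if [ "$got" = "$want" ]; then
      echo "OK    $path -> $got"
    else
      echo "FAIL  $path -> '${got:-<no h1>}' (expected $want)"; rc=1
    fi
  done
  return $rc
}

# Usage: ./route-check.sh https://203.0.113.10
# (placeholder address; use the IP from 'gcloud compute addresses list')
if [ $# -ge 1 ]; then
  smoke_test "$1"
fi
```

Run it against the IPv4 and the IPv6 forwarding rule separately (put [] around the IPv6 address) to confirm that both rules reach the same target proxy and URL map.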
    

gcloud: HTTP/2


Note that this configuration uses an HTTPS load balancing service and a target HTTPS proxy.

  1. For each instance group, define an HTTPS service and map a port name to the relevant port. Once configured, the load balancing service forwards traffic to the named port.

    gcloud compute instance-groups unmanaged set-named-ports video-resources \
        --named-ports https:443 \
        --zone us-central1-b
    

    gcloud compute instance-groups unmanaged set-named-ports www-resources \
        --named-ports https:443 \
        --zone us-central1-b
    

  2. Create a health check. Use the gcloud command for HTTP/2 if you are using HTTP/2 between the load balancer and the backends.

    gcloud compute health-checks create http2 http2-basic-check \
        --port 443
    

  3. Create a backend service for each content provider. Set the --protocol field to HTTP2 because we are using HTTP/2 to go to the instances. Use the http2-basic-check health check we created earlier as the health check.

    gcloud compute backend-services create video-service \
        --protocol HTTP2 \
        --health-checks http2-basic-check \
        --global
    

    gcloud compute backend-services create web-map-backend-service \
        --protocol HTTP2 \
        --health-checks http2-basic-check \
        --global
    

  4. Add your instance groups as backends to the backend services. A backend defines the capacity (max CPU utilization or max queries per second) of the instance groups it contains. In this example, set the balancing mode to be CPU utilization, the max utilization to be 80%, and the capacity scaling to be 1. Set the capacity scaling to 0 if you wish to drain a backend service.

    gcloud compute backend-services add-backend video-service \
        --balancing-mode UTILIZATION \
        --max-utilization 0.8 \
        --capacity-scaler 1 \
        --instance-group video-resources \
        --instance-group-zone us-central1-b \
        --global
    

    gcloud compute backend-services add-backend web-map-backend-service \
        --balancing-mode UTILIZATION \
        --max-utilization 0.8 \
        --capacity-scaler 1 \
        --instance-group www-resources \
        --instance-group-zone us-central1-b \
        --global
    

  5. Create a URL map to route the incoming requests to the appropriate backend services. In this case, the request path mappings defined via the --path-rules flag will split traffic according to the URL path in each request to your site. Traffic that does not match an entry in the --path-rules list is sent to the entry in the --default-service flag.

    1. Create a URL map:

      gcloud compute url-maps create web-map \
          --default-service web-map-backend-service
      

    2. Add a path matcher to your URL map and define your request path mappings:

      gcloud compute url-maps add-path-matcher web-map \
          --default-service web-map-backend-service --path-matcher-name pathmap \
          --path-rules=/video=video-service,/video/*=video-service
      

  6. Create an SSL certificate resource to use in the HTTPS proxy. If you don’t have a private key and signed certificate, you can create and use a self-signed certificate for testing purposes. See SSL Certificates for further information. You should not use a self-signed certificate for production purposes. If you are using multiple SSL certificates, you must create an SSL certificate resource for each certificate.

    gcloud compute ssl-certificates create www-ssl-cert \
        --certificate [CRT_FILE_PATH] \
        --private-key [KEY_FILE_PATH]
    

  7. Optionally, create an SSL policy for the load balancer. An SSL policy controls the minimum TLS version and the cipher profile the load balancer negotiates with clients. The command below allows TLS 1.0 so that old test clients can connect; for production, use --min-tls-version 1.2, because TLS 1.0 and 1.1 are deprecated. A policy has no effect until it is attached to the target HTTPS proxy with the --ssl-policy flag. Compute Engine resource names may contain only lowercase letters, digits and hyphens.

    gcloud compute ssl-policies create cb-ssl-policy \
        --profile MODERN --min-tls-version 1.0
    

  8. Create a target HTTPS proxy to route requests to your URL map. The proxy is the portion of the load balancer that terminates TLS and holds the SSL certificate for HTTPS load balancing, so you also load your certificate in this step. If you created an SSL policy in the previous step, attach it here with the --ssl-policy flag; a proxy without one uses the default SSL policy, which is equivalent to the COMPATIBLE profile with a minimum TLS version of 1.0.

    gcloud compute target-https-proxies create https-lb-proxy \
        --url-map web-map --ssl-certificates www-ssl-cert
    

  9. Look up the static IP addresses you created for your load balancer. You will use them in the next step.

    gcloud compute addresses list
    

  10. Optionally, enable the QUIC protocol.

    gcloud compute target-https-proxies update https-lb-proxy \
        --quic-override ENABLE
    

  11. Create two global forwarding rules to route incoming requests to the proxy, one for IPv4 and one for IPv6. Replace [LB_IP_ADDRESS] in the command with the static IPv4 address you created. Replace [LB_IPV6_ADDRESS] with the IPv6 address you created. You can use gcloud compute addresses list to find them.

    gcloud compute forwarding-rules create https-content-rule \
        --address [LB_IP_ADDRESS] \
        --global \
        --target-https-proxy https-lb-proxy \
        --ports 443
    

    gcloud compute forwarding-rules create https-content-ipv6-rule \
        --address [LB_IPV6_ADDRESS] \
        --global \
        --target-https-proxy https-lb-proxy \
        --ports 443
    

After creating the global forwarding rule, it can take several minutes for your configuration to propagate.
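
Step 6 allows a self-signed certificate for testing but does not show how to produce one. The script below is an added example and is not part of this guide or of the gcloud tool. It creates a key and a self-signed certificate with a subjectAltName (browsers and curl match the hostname against the SAN list, not the CN), checks that the key and certificate belong together before you upload them, and prints the gcloud command from step 6 with the generated paths. The hostname lb-test.example.com and the temporary directory are this example's own assumptions; use the hostname that will point at your load balancer's addresses.

```shell
#!/bin/sh
# Added example, not part of the original guide: produce a self-signed test
# certificate for step 6 and sanity-check it before creating the SSL certificate
# resource.  Test use only: a self-signed certificate must never front production.

# make_test_cert DIR HOSTNAME -> writes DIR/key.pem and DIR/cert.pem (30-day validity).
# The certificate carries HOSTNAME in subjectAltName because clients match the
# hostname against the SAN list, not the CN.
make_test_cert() {
    dir=$1
    host=$2
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no
[dn]
CN = $host
[v3_req]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$dir/san.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# cert_matches_key CERT KEY -> exit status 0 if the certificate's public key is
# the one derived from KEY (catches uploading a key that belongs to another cert).
cert_matches_key() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# cert_has_san CERT HOSTNAME -> exit status 0 if HOSTNAME is listed as a DNS SAN.
cert_has_san() {
    openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

WORKDIR=$(mktemp -d)
HOST=lb-test.example.com          # assumed test hostname; replace with your own
make_test_cert "$WORKDIR" "$HOST"
cert_matches_key "$WORKDIR/cert.pem" "$WORKDIR/key.pem" && echo "key and certificate match"
cert_has_san "$WORKDIR/cert.pem" "$HOST" && echo "SAN present for $HOST"
cat <<EOF
Create the SSL certificate resource with:
  gcloud compute ssl-certificates create www-ssl-cert \\
      --certificate $WORKDIR/cert.pem \\
      --private-key $WORKDIR/key.pem
EOF
```

The key is written unencrypted because the SSL certificate resource needs the plain PEM; keep the directory private and delete it once the resource exists, since the load balancer holds its own copy.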

Sending traffic to your instances

Now that you have configured your load balancing service, you can start sending traffic to the forwarding rule and watch it being distributed to the different instance groups according to the URL path.

Console


  1. Go to the Load balancing page in the Google Cloud Platform Console.
    Go to the Load balancing page
  2. Click on web-map to expand the load balancer you just created.
  3. In the Backend section, confirm that instances are healthy by checking the Healthy column. It can take a few moments for the display to indicate that the instances are healthy.
  4. Once the display shows that the instances are healthy, copy the IP:Port from the Frontend section and paste that into your browser.
  5. In your browser you should see your default content page displayed. If you used a self-signed certificate for testing, your browser will display a warning. You will have to explicitly tell your browser to accept the certificate.
  6. In your browser, add /video to the end of the IP address and press Enter.

gcloud: HTTP


  1. Find the IP addresses of your global forwarding rules.

    gcloud compute forwarding-rules list
    

  2. Use the curl command to test the response for various URLs for your services. Try both IPv4 and IPv6. For IPv6, you have to put [] around the address. For example, curl -g -6 "http://[2001:DB8::]/".

    curl http://IPv4_ADDRESS/video/
    curl http://IPv4_ADDRESS
    

    curl -g -6 "http://[IPv6_ADDRESS]/video/"
    curl -g -6 "http://[IPv6_ADDRESS]/"
    

gcloud: HTTPS


  1. Find the IP address of your global forwarding rule.

    gcloud compute forwarding-rules list
    

  2. Use the curl command to test the response for various URLs for your services. Try both IPv4 and IPv6. For IPv6, you have to put [] around the address. For example, curl -g -6 "https://[2001:DB8::]/". If you are using a self-signed certificate, or connecting by IP address rather than by the hostname the certificate was issued for, certificate verification fails; for this test only, add -k to skip verification.

    curl https://IPv4_ADDRESS/video/
    curl https://IPv4_ADDRESS
    

    curl -g -6 "https://[IPv6_ADDRESS]/video/"
    curl -g -6 "https://[IPv6_ADDRESS]/"
    

gcloud: HTTP/2


  1. Find the IP address of your global forwarding rule.

    gcloud compute forwarding-rules list
    

  2. Use the curl command to test the response for various URLs for your services. Try both IPv4 and IPv6. For IPv6, you have to put [] around the address. For example, curl -g -6 "https://[2001:DB8::]/". If you are using a self-signed certificate, or connecting by IP address rather than by the hostname the certificate was issued for, certificate verification fails; for this test only, add -k to skip verification.

    curl https://IPv4_ADDRESS/video/
    curl https://IPv4_ADDRESS
    

If your response is unsuccessful initially, you might need to wait a few minutes for the configuration to fully load and for your instances to be marked healthy before trying again.
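
The URL map decides routing from the request path alone, and the curl tests above only make sense if you know which backend each path should reach. The script below is an added example, not part of this guide: it emulates the matching the URL map performs for web-map (exact match for /video, prefix match for /video/*, query string and fragment ignored, case-sensitive comparison, longest matching rule wins, everything else to the default service) over a set of constructed request paths, including the near misses /videos and /VIDEO. The matching semantics follow the URL map rules the guide relies on; the function and the sample paths are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original guide: emulate the routing decision of
# the URL map built above (web-map with path matcher "pathmap") so the backend
# each test request should reach can be predicted before curling the live address.

# Mirrors the flags given to gcloud compute url-maps add-path-matcher.
DEFAULT_SERVICE="web-map-backend-service"
PATH_RULES="/video=video-service,/video/*=video-service"

# route_request REQUEST_PATH -> prints the backend service that would serve it.
# URL map semantics: the query string and fragment are not part of the match,
# "/video/*" matches /video/ and everything beneath it, "/video" matches only
# that exact path, comparison is case-sensitive, the longest matching rule wins,
# and anything unmatched goes to the default service.
route_request() {
    path=${1%%\?*}            # strip ?query
    path=${path%%\#*}         # strip #fragment
    best_service=$DEFAULT_SERVICE
    best_len=-1
    for rule in $(printf '%s' "$PATH_RULES" | tr ',' ' '); do
        pattern=${rule%%=*}
        service=${rule#*=}
        case $pattern in
            */\*)                                   # prefix rule
                prefix=${pattern%\*}                # "/video/*" -> "/video/"
                case $path in
                    "$prefix"*) ;;
                    *) continue ;;
                esac ;;
            *)                                      # exact rule
                [ "$path" = "$pattern" ] || continue ;;
        esac
        if [ ${#pattern} -gt "$best_len" ]; then
            best_service=$service
            best_len=${#pattern}
        fi
    done
    printf '%s\n' "$best_service"
}

# Constructed request paths covering the edge cases a tester should try:
# the two rule shapes, a query string, and two near misses that must fall
# through to the default service.
for p in /video /video/ "/video/intro.mp4?quality=hd" /videos /VIDEO /; do
    printf '%-32s -> %s\n' "$p" "$(route_request "$p")"
done
```

The near misses are the security-relevant part: a path such as /videos is served by the default backend, so a rule set that was meant to fence a resource behind one backend needs both the exact and the /* form, and a path that differs only in case is a different path.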

Shutting off HTTP(S) access from everywhere but the load balancing service

Once everything is working, modify your firewall rules so HTTP(S) traffic to your instances can only come from your load balancing service. Since traffic between the proxies and instances is over IPv4, you can use these instructions for both IPv4 and IPv6 client traffic.

Console


  1. Go to the Firewalls page in the Google Cloud Platform Console.
    Go to the Firewalls page
  2. Click Create firewall rule.
  3. Specify a Name of allow-lb-and-healthcheck.
  4. Select VPC network to be default.
  5. Leave Source filter set to IP ranges.
  6. Set Source IP Ranges to 130.211.0.0/22 and 35.191.0.0/16.
  7. Set Allowed protocols and ports to tcp:80 for HTTP, tcp:443 for HTTPS and HTTP/2, or tcp:80,443 for HTTP and either HTTPS or HTTP/2.
  8. Set Target tags to http-tag, https-tag, or http2-tag, as appropriate. If you are specifying http-tag together with https-tag or http2-tag, enter http-tag, then press the Tab key and enter the other.
  9. Click Create. It might take a moment for the new firewall rule to be displayed on the Console.

gcloud: HTTP


gcloud compute firewall-rules create allow-lb-and-healthcheck \
    --source-ranges 130.211.0.0/22,35.191.0.0/16 \
    --target-tags http-tag \
    --allow tcp:80

gcloud: HTTPS


gcloud compute firewall-rules create allow-lb-and-healthcheck \
    --source-ranges 130.211.0.0/22,35.191.0.0/16 \
    --target-tags https-tag \
    --allow tcp:443

gcloud: HTTP/2


gcloud compute firewall-rules create allow-lb-and-healthcheck \
    --source-ranges 130.211.0.0/22,35.191.0.0/16 \
    --target-tags http2-tag \
    --allow tcp:443

Then, remove the rule that allows HTTP(S) traffic from other sources.

Console


  1. Go to the Firewalls page in the Google Cloud Platform Console.
    Go to the Firewalls page
  2. Select the checkbox next to the www-firewall firewall rule.
  3. Click Delete.

gcloud: HTTP


gcloud compute firewall-rules delete www-firewall

gcloud: HTTPS


gcloud compute firewall-rules delete www-firewall

gcloud: HTTP/2


gcloud compute firewall-rules delete www-firewall

Test that the load balancer can reach the instances, but that other sources can't.

Console


  1. Go to the Load balancing page in the Google Cloud Platform Console.
    Go to the Load balancing page
  2. Click on web-map to expand the load balancer you just created. It will show the IP and port under the Frontend section. Copy and paste that into your browser.
    You should see your page.
  3. Go to the VM instances page in the Google Cloud Platform Console.
    Go to the VM instances page
  4. Click the link under External IP for each individual instance. If the instance was set up for HTTPS only, add https:// to the front of the IP address in the browser. In either case, the connection should time out; you should not be able to reach the instance directly.

gcloud: HTTP


  1. Find the IP address of your global forwarding rule.

    gcloud compute addresses list
    

  2. Use the curl command to test the response for various URLs for your services. All of these commands should work.

    curl http://IP_ADDRESS/video/
    curl http://IP_ADDRESS
    

  3. Find the IP address of your individual instances and note the addresses in the EXTERNAL_IP column.

    gcloud compute instances list
    

  4. Use the curl command to test the response for various URLs for your services. For each curl command, use the EXTERNAL_IP of the appropriate instance. All of these commands should time out.

    curl http://EXTERNAL_IP/video/
    curl http://EXTERNAL_IP
    

gcloud: HTTPS


  1. Find the IP address of your global forwarding rule.

    gcloud compute addresses list
    

  2. Use the curl command to test the response for various URLs for your services. All of these commands should work.

    curl -k https://IP_ADDRESS/video/
    curl -k https://IP_ADDRESS
    

  3. Find the IP address of your individual instances and note the addresses in the EXTERNAL_IP column.

    gcloud compute instances list
    

  4. Use the curl command to test the response for various URLs for your services. For each curl command, use the EXTERNAL_IP of the appropriate instance. All of these commands should time out.

    curl -k https://EXTERNAL_IP/video/
    curl -k https://EXTERNAL_IP
    

gcloud: HTTP/2


  1. Find the IP address of your global forwarding rule.

    gcloud compute addresses list
    

  2. Use the curl command to test the response for various URLs for your services. If you are using a curl version prior to 7.47.0, add the --http2 command line option when you issue the curl command. Try both IPv4 and IPv6. For IPv6, you must put [] around the address. For example, curl -g -6 "https://[2001:DB8::]/". All of these commands should work.

    curl -k https://IP_ADDRESS/video/
    curl -k https://IP_ADDRESS
    

  3. Find the IP address of your individual instances and note the addresses in the EXTERNAL_IP column.

    gcloud compute instances list
    

  4. Use the curl command to test the response for various URLs for your services. If you are using a curl version prior to 7.47.0, add the --http2 command line option when you issue the curl command. Try both IPv4 and IPv6. For IPv6, you must put [] around the address. For example, curl -g -6 "https://[2001:DB8::]/". For each curl command, use the EXTERNAL_IP of the appropriate instance. All of these commands should time out.

    curl -k https://EXTERNAL_IP/video/
    curl -k https://EXTERNAL_IP
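
The curl tests above show whether a direct connection is refused at the moment you run them. The script below is an added example, not part of this guide, that checks the same property from the backend's side: it reads Apache access-log lines and reports every request whose remote address is outside 130.211.0.0/22 and 35.191.0.0/16, that is, traffic that reached the instance without passing through the load balancer or its health checkers. Behind the load balancer the remote address in the log is always a Google Front End or health-check address, and the real client is carried in X-Forwarded-For. The log lines, including the 203.0.113.9 client, are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original guide: detect requests that reached a
# backend instance without coming through the load balancer.  After the firewall
# change above, Apache on the instances should only ever see connections from the
# Google Front End proxies and health checkers (130.211.0.0/22, 35.191.0.0/16);
# the real client address is carried in X-Forwarded-For, not in the remote address.

LB_SOURCE_RANGES="130.211.0.0/22 35.191.0.0/16"

# ip_to_int 130.211.4.1 -> 2194867201 (dotted quad as a 32-bit integer).
ip_to_int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# ip_in_cidr IP NETWORK/BITS -> exit status 0 if IP lies inside the range.
ip_in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# is_lb_source IP -> exit status 0 if IP belongs to a load balancer range.
is_lb_source() {
    for cidr in $LB_SOURCE_RANGES; do
        ip_in_cidr "$1" "$cidr" && return 0
    done
    return 1
}

# flag_direct_access < access.log -> prints the remote address of each request
# that did not arrive via the load balancer (Apache common/combined log format,
# remote address is the first field).  Anything that is not even an IPv4
# address is reported too, since the proxies only ever connect over IPv4.
flag_direct_access() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        ip=${line%% *}
        case $ip in
            *.*.*.*) is_lb_source "$ip" || printf '%s\n' "$ip" ;;
            *)       printf '%s\n' "$ip" ;;
        esac
    done
}

# Constructed sample log: two GFE proxies, one health checker, one address just
# outside the /22 (130.211.0.0/22 ends at 130.211.3.255), and one arbitrary
# internet host (203.0.113.9, from the TEST-NET-3 documentation range).
SAMPLE_LOG='130.211.1.17 - - [10/Jan/2019:10:00:01 +0000] "GET /video/ HTTP/1.1" 200 612
35.191.8.44 - - [10/Jan/2019:10:00:02 +0000] "GET / HTTP/1.1" 200 598
203.0.113.9 - - [10/Jan/2019:10:00:03 +0000] "GET /video/ HTTP/1.1" 200 612
35.191.255.1 - - [10/Jan/2019:10:00:04 +0000] "GET / HTTP/1.1" 200 598
130.211.4.1 - - [10/Jan/2019:10:00:05 +0000] "GET /video/ HTTP/1.1" 200 612'

echo "Requests that bypassed the load balancer:"
printf '%s\n' "$SAMPLE_LOG" | flag_direct_access
```

On a real instance, run the function against /var/log/apache2/access.log (or the path your startup script configured). Any address it prints after the www-firewall rule has been deleted means a firewall rule still admits traffic from outside the load balancer ranges.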
    

Optional: Removing external IPs except for a bastion host

HTTP(S) Load Balancing makes use of the targets' internal IPs, not their external IPs. Once you have load balancing working, you can increase security by removing the external IPs from your load balancing targets, then connect through an intermediary instance to perform tasks on the load balanced instances. That way, no one outside your VPC network can access them in any way, except through the load balancer.

You'll need at least one instance in your VPC network that has an external IP address, normally an instance designated for this purpose. See Connecting from one instance to another for instructions on connecting from an instance with an external IP address to one without.

If you accidentally delete all external IP addresses, you can use the Google Cloud Platform Console to create a new one.

Remove the external IP address from an instance.

Console


  1. Go to the VM instances page in the Google Cloud Platform Console.
    Go to the VM instances page
  2. Click the Name of the instance you wish to change.
  3. Click Edit.
  4. Change the value in the External IP drop-down menu to None.
  5. Click Save.
  6. Return to the VM instances page. The External IP field will show None and the SSH button will be grayed out.
  7. Make sure the page still appears when accessed via the load balancer from your browser.

gcloud: HTTP


  1. Run the following command. Make a note of the name of the instance as shown in the NAME field.

    gcloud compute instances list
    

  2. Delete the access config for the instance. For NAME, put the name of the instance.

    gcloud compute instances delete-access-config NAME \
        --zone us-central1-b
    

gcloud: HTTPS


  1. Run the following command. Make a note of the name of the instance as shown in the NAME field.

    gcloud compute instances list
    

  2. Delete the access config for the instance. For NAME, put the name of the instance.

    gcloud compute instances delete-access-config NAME \
        --zone us-central1-b
    

gcloud: HTTP/2


  1. Run the following command. Make a note of the name of the instance as shown in the NAME field.

    gcloud compute instances list
    

  2. Delete the access config for the instance. For NAME, put the name of the instance.

    gcloud compute instances delete-access-config NAME \
        --zone us-central1-b
    
