Creating Cross-Region Load Balancing

This guide demonstrates how to create an HTTP(S) load balancer that forwards traffic to instances in two different regions. If you need to forward user requests based on the URL host or path, see the content-based example.

Before you start, make sure that you are familiar with overall HTTP(S) Load Balancing concepts.

Overview

For this scenario, you will create four Compute Engine instances, two each in two different regions. You will then configure the rest of the system so that incoming connections are sent to the appropriate instance.

The resources you will be creating connect together as shown here:

Figure: Cross-region HTTP(S) Load Balancing

Before you begin

These instructions assume you are using an auto mode VPC network or a legacy network. If you are using a custom mode VPC network, then some of the steps below, such as creating an instance, additionally require you to specify the subnet range.

If you prefer to work from the command line, install the gcloud command-line tool. See the gcloud Overview for conceptual and installation information about the tool.

If you haven't run the gcloud command-line tool previously, first run gcloud init to authenticate.

Configuring instances

In this example, create two virtual machine instances in each of two different regions, configure them for testing, and give them all the same tag. This tag will be used by a firewall rule to allow incoming traffic to reach your instances.

The startup script installs Apache and creates a unique home page for each instance.

Console


  1. Go to the VM instances page in the Google Cloud Platform Console.
    Go to the VM instances page
  2. Click Create instance.
  3. Set the Name to www-1 if you're using the HTTP protocol, wwws-1 if you're using the HTTPS protocol, or wwwh2-1 if you're using the HTTP/2 protocol.
  4. Set the Zone to us-central1-b.
  5. Click Management, Security, Disks, Networking, Sole Tenancy to reveal advanced settings.
  6. Click Networking.
    • For HTTP traffic, populate the Network tags field with http-tag.
    • For HTTP/2 traffic, populate the Network tags field with http2-tag.
    • For HTTP and either HTTPS or HTTP/2 traffic, populate the Network tags field with the http-tag tag and either https-tag or http2-tag.
  7. Click Management and set the Startup script to the following. If you are configuring HTTP/2, include the two commands that are inside the square brackets, ensuring that you remove the square brackets.
    sudo apt-get update
    sudo apt-get install apache2 -y
    sudo a2ensite default-ssl
    sudo a2enmod ssl
    [sudo a2enmod http2]
    [sudo sed  -i '/^\t/a\t\tProtocols h2 HTTP\/1.1/' /etc/apache2/sites-available/default-ssl.conf]
    sudo service apache2 restart
    echo '<!doctype html><html><body><h1>server 1</h1></body></html>' | sudo tee /var/www/html/index.html
  8. Leave the default values for rest of the fields.
  9. Click Create.
  10. Create www-2, wwws-2, or wwwh2-2 with the same settings, except with the following text inserted into the Startup script field. If you are configuring HTTP/2, include the two commands that are inside the square brackets, ensuring that you remove the square brackets.
    sudo apt-get update
    sudo apt-get install apache2 -y
    sudo a2ensite default-ssl
    sudo a2enmod ssl
    [sudo a2enmod http2]
    [sudo sed  -i '/^\t/a\t\tProtocols h2 HTTP\/1.1/' /etc/apache2/sites-available/default-ssl.conf]
    sudo service apache2 restart
    echo '<!doctype html><html><body><h1>server 2</h1></body></html>' | sudo tee /var/www/html/index.html
  11. Create www-3, wwws-3, or wwwh2-3 with the same settings, except with Zone set to europe-west1-b and the following text inserted into the Startup script field. If you are configuring HTTP/2, include the two commands that are inside the square brackets, ensuring that you remove the square brackets.
    sudo apt-get update
    sudo apt-get install apache2 -y
    sudo a2ensite default-ssl
    sudo a2enmod ssl
    [sudo a2enmod http2]
    [sudo sed  -i '/^\t/a\t\tProtocols h2 HTTP\/1.1/' /etc/apache2/sites-available/default-ssl.conf]
    sudo service apache2 restart
    echo '<!doctype html><html><body><h1>server 3</h1></body></html>' | sudo tee /var/www/html/index.html
  12. Create www-4 or wwws-4 with the same settings, except with Zone set to europe-west1-b and the following text inserted into the Startup script field. If you are configuring HTTP/2, include the two commands that are inside the square brackets, ensuring that you remove the square brackets.
    sudo apt-get update
    sudo apt-get install apache2 -y
    sudo a2ensite default-ssl
    sudo a2enmod ssl
    [sudo a2enmod http2]
    [sudo sed  -i '/^\t/a\t\tProtocols h2 HTTP\/1.1/' /etc/apache2/sites-available/default-ssl.conf]
    sudo service apache2 restart
    echo '<!doctype html><html><body><h1>server 4</h1></body></html>' | sudo tee /var/www/html/index.html

gcloud: HTTP


gcloud compute instances create www-1 \
    --image-family debian-9 \
    --image-project debian-cloud \
    --zone us-central1-b \
    --tags http-tag \
    --metadata startup-script="#! /bin/bash
      sudo apt-get update
      sudo apt-get install apache2 -y
      sudo service apache2 restart
      echo '<!doctype html><html><body><h1>www-1</h1></body></html>' | tee /var/www/html/index.html"

gcloud compute instances create www-2 \
    --image-family debian-9 \
    --image-project debian-cloud \
    --zone us-central1-b \
    --tags http-tag \
    --metadata startup-script="#! /bin/bash
      sudo apt-get update
      sudo apt-get install apache2 -y
      sudo service apache2 restart
      echo '<!doctype html><html><body><h1>www-2</h1></body></html>' | tee /var/www/html/index.html"

gcloud compute instances create www-3 \
    --image-family debian-9 \
    --image-project debian-cloud \
    --zone europe-west1-b \
    --tags http-tag \
    --metadata startup-script="#! /bin/bash
      sudo apt-get update
      sudo apt-get install apache2 -y
      sudo service apache2 restart
      echo '<!doctype html><html><body><h1>www-3</h1></body></html>' | tee /var/www/html/index.html"

gcloud compute instances create www-4 \
    --image-family debian-9 \
    --image-project debian-cloud \
    --zone europe-west1-b \
    --tags http-tag \
    --metadata startup-script="#! /bin/bash
      sudo apt-get update
      sudo apt-get install apache2 -y
      sudo service apache2 restart
      echo '<!doctype html><html><body><h1>www-4</h1></body></html>' | tee /var/www/html/index.html"

gcloud: HTTPS


gcloud compute instances create wwws-1 \
    --image-family debian-9 \
    --image-project debian-cloud \
    --zone us-central1-b \
    --tags https-tag \
    --metadata startup-script="#! /bin/bash
      sudo apt-get update
      sudo apt-get install apache2 -y
      sudo a2ensite default-ssl
      sudo a2enmod ssl
      sudo service apache2 restart
      echo '<!doctype html><html><body><h1>wwws-1</h1></body></html>' | tee /var/www/html/index.html"

gcloud compute instances create wwws-2 \
    --image-family debian-9 \
    --image-project debian-cloud \
    --zone us-central1-b \
    --tags https-tag \
    --metadata startup-script="#! /bin/bash
      sudo apt-get update
      sudo apt-get install apache2 -y
      sudo a2ensite default-ssl
      sudo a2enmod ssl
      sudo service apache2 restart
      echo '<!doctype html><html><body><h1>wwws-2</h1></body></html>' | tee /var/www/html/index.html"

gcloud compute instances create wwws-3 \
    --image-family debian-9 \
    --image-project debian-cloud \
    --zone europe-west1-b \
    --tags https-tag \
    --metadata startup-script="#! /bin/bash
      sudo apt-get update
      sudo apt-get install apache2 -y
      sudo a2ensite default-ssl
      sudo a2enmod ssl
      sudo service apache2 restart
      echo '<!doctype html><html><body><h1>wwws-3</h1></body></html>' | tee /var/www/html/index.html"

gcloud compute instances create wwws-4 \
    --image-family debian-9 \
    --image-project debian-cloud \
    --zone europe-west1-b \
    --tags https-tag \
    --metadata startup-script="#! /bin/bash
      sudo apt-get update
      sudo apt-get install apache2 -y
      sudo a2ensite default-ssl
      sudo a2enmod ssl
      sudo service apache2 restart
      echo '<!doctype html><html><body><h1>wwws-4</h1></body></html>' | tee /var/www/html/index.html"

gcloud: HTTP/2


gcloud compute instances create wwwh2-1 \
    --image-family debian-9 \
    --image-project debian-cloud \
    --zone us-central1-b \
    --tags http2-tag \
    --metadata startup-script="#! /bin/bash
      sudo apt-get update
      sudo apt-get install apache2 -y
      sudo a2ensite default-ssl
      sudo a2enmod ssl
      sudo a2enmod http2
      sudo sed  -i '/^\t/a\t\tProtocols h2 HTTP\/1.1/' /etc/apache2/sites-available/default-ssl.conf
      sudo service apache2 restart
      echo '<!doctype html><html><body><h1>wwwh2-1</h1></body></html>' | tee /var/www/html/index.html"

gcloud compute instances create wwwh2-2 \
    --image-family debian-9 \
    --image-project debian-cloud \
    --zone us-central1-b \
    --tags http2-tag \
    --metadata startup-script="#! /bin/bash
      sudo apt-get update
      sudo apt-get install apache2 -y
      sudo a2ensite default-ssl
      sudo a2enmod ssl
      sudo a2enmod http2
      sudo sed  -i '/^\t/a\t\tProtocols h2 HTTP\/1.1/' /etc/apache2/sites-available/default-ssl.conf
      sudo service apache2 restart
      echo '<!doctype html><html><body><h1>wwwh2-2</h1></body></html>' | tee /var/www/html/index.html"

gcloud compute instances create wwwh2-3 \
    --image-family debian-9 \
    --image-project debian-cloud \
    --zone europe-west1-b \
    --tags http2-tag \
    --metadata startup-script="#! /bin/bash
      sudo apt-get update
      sudo apt-get install apache2 -y
      sudo a2ensite default-ssl
      sudo a2enmod ssl
      sudo a2enmod http2
      sudo sed  -i '/^\t/a\t\tProtocols h2 HTTP\/1.1/' /etc/apache2/sites-available/default-ssl.conf
      sudo service apache2 restart
      echo '<!doctype html><html><body><h1>wwwh2-3</h1></body></html>' | tee /var/www/html/index.html"

gcloud compute instances create wwwh2-4 \
    --image-family debian-9 \
    --image-project debian-cloud \
    --zone europe-west1-b \
    --tags http2-tag \
    --metadata startup-script="#! /bin/bash
      sudo apt-get update
      sudo apt-get install apache2 -y
      sudo a2ensite default-ssl
      sudo a2enmod ssl
      sudo a2enmod http2
      sudo sed  -i '/^\t/a\t\tProtocols h2 HTTP\/1.1/' /etc/apache2/sites-available/default-ssl.conf
      sudo service apache2 restart
      echo '<!doctype html><html><body><h1>wwwh2-4</h1></body></html>' | tee /var/www/html/index.html"

Next, create a firewall rule to allow external traffic to your virtual machine instances. This rule allows traffic from all sources, which is useful while you're setting up and testing your configuration. Later, you'll have the option of disabling HTTP(S) traffic from sources other than the load balancing service. The firewall rule makes use of the http-tag or https-tag tag that you assigned earlier: it allows traffic on the designated port to reach only the instances that carry the tag.

Console


  1. Go to the Firewalls page in the GCP Console.
    Go to the Firewalls page
  2. Click Create firewall rule.
  3. Set the Name to www-firewall.
  4. Leave the network as default.
  5. Populate the Target tags field with one of the following choices. At least one tag is required.
    • For HTTP between the load balancer and the backends, use http-tag.
    • For HTTPS between the load balancer and the backends, use https-tag.
    • For HTTP/2 between the load balancer and the backends, use http2-tag.
    • For both HTTP and either HTTPS or HTTP/2, add http-tag, press the Enter key, then add either https-tag or http2-tag.
  6. Set the Source IP Ranges field to 0.0.0.0/0.
  7. Set Protocols and ports to one of the following choices:
    • For HTTP between the load balancer and the backends, use tcp:80.
    • For HTTPS or HTTP/2 between the load balancer and the backends, use tcp:443.
    • For both HTTP and either HTTPS or HTTP/2 between the load balancer and the backends, use tcp:80,443.
  8. Click Create. It may take a moment for the Console to display the new firewall rule, or you might have to click Refresh to see the rule.

gcloud: HTTP


gcloud compute firewall-rules create www-firewall \
    --target-tags http-tag --allow tcp:80

gcloud: HTTPS


gcloud compute firewall-rules create www-firewall \
    --target-tags https-tag --allow tcp:443

gcloud: HTTP/2


gcloud compute firewall-rules create www-firewall \
    --target-tags http2-tag --allow tcp:443
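
A quick way to tell whether www-firewall is still in the wide-open test state described above, written as an added example (not code from the guide): it audits the JSON that `gcloud compute firewall-rules describe www-firewall --format=json` prints. The two rules below are constructed samples with a placeholder project id; 130.211.0.0/22 and 35.191.0.0/16 are Google's published load balancer and health-check source ranges.

```python
import ipaddress
import json

# Google's published source ranges for HTTP(S) load balancer proxies and
# health checkers; a locked-down backend rule admits only these.
LB_SOURCE_RANGES = [ipaddress.ip_network(r) for r in ("130.211.0.0/22", "35.191.0.0/16")]

# The only ports the guide needs between the load balancer and the backends.
BACKEND_PORTS = {"80", "443"}


def audit_firewall_rule(rule):
    """Return a list of findings for one firewall rule in gcloud's JSON shape.

    An empty list means the rule only admits load balancer traffic on the
    backend ports, and only to tagged instances.
    """
    findings = []
    if rule.get("direction", "INGRESS") != "INGRESS":
        return findings  # egress rules do not admit traffic to the backends

    if not rule.get("targetTags"):
        findings.append("no target tags: the rule applies to every instance in the network")

    for cidr in rule.get("sourceRanges", []):
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:
            findings.append(f"source range {cidr} admits traffic from any address")
        elif not any(net.version == lb.version and net.subnet_of(lb) for lb in LB_SOURCE_RANGES):
            findings.append(f"source range {cidr} is outside the load balancer ranges")

    for allowed in rule.get("allowed", []):
        proto = allowed.get("IPProtocol")
        if proto != "tcp":
            findings.append(f"protocol {proto} is not needed for HTTP(S) backends")
            continue
        ports = allowed.get("ports")
        if ports is None:
            findings.append("tcp is allowed on every port")
            continue
        for port in ports:
            # Entries are single ports or ranges such as "80-443"; only exact
            # backend ports pass.
            if port not in BACKEND_PORTS:
                findings.append(f"tcp port {port} is not a backend port")
    return findings


# Constructed sample: www-firewall as the guide creates it for testing
# (PROJECT_ID is a placeholder).
TEST_RULE = json.loads("""{
  "name": "www-firewall",
  "direction": "INGRESS",
  "network": "projects/PROJECT_ID/global/networks/default",
  "sourceRanges": ["0.0.0.0/0"],
  "targetTags": ["http-tag"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]
}""")

# Constructed sample: the same rule after narrowing the source ranges to the
# load balancer ranges, which is the lock-down the guide mentions for later.
LOCKED_RULE = json.loads("""{
  "name": "www-firewall",
  "direction": "INGRESS",
  "network": "projects/PROJECT_ID/global/networks/default",
  "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"],
  "targetTags": ["http-tag", "https-tag"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]
}""")


def main():
    for rule in (TEST_RULE, LOCKED_RULE):
        findings = audit_firewall_rule(rule)
        status = "OK" if not findings else "REVIEW"
        print(f"{rule['name']} ({', '.join(rule['sourceRanges'])}): {status}")
        for finding in findings:
            print("  -", finding)


if __name__ == "__main__":
    main()
```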

Verify that your instances are running.

Console


  1. Go to the VM instances page in the GCP Console.
    Go to the VM instances page. Next to the new, running instances you see a green check mark in the Name column.
  2. Copy an instance's External IP and paste it into a browser.
  3. [HTTPS only] In the browser, add https:// in front of the IP address. If you don't have a certificate on the instance, or only have a self-signed one, you'll have to accept the browser's warning about the lack of valid certificate.

gcloud: HTTP


  1. List your instances to get their IP addresses from the EXTERNAL_IP column.

    gcloud compute instances list
    

  2. Run curl for each instance to confirm that they respond.

    curl http://IP_ADDRESS
    

gcloud: HTTPS


  1. List your instances to get their IP addresses from the EXTERNAL_IP column.

    gcloud compute instances list
    

  2. Run curl for each instance to confirm that they respond.

    curl -k https://IP_ADDRESS
    

gcloud: HTTP/2


Most curl builds default to HTTP/2 for https addresses. To force HTTP/1.1 traffic, use the --http1.1 flag, which is shown as an option in the following steps. If you are using a curl version earlier than 7.47.0, use the --http2 option to enable HTTP/2.

  1. List your instances to get their IP addresses from the EXTERNAL_IP column.

    gcloud compute instances list
    

  2. Run curl for each instance to confirm that they respond.

    curl -k --http2 https://IP_ADDRESS
    

Configuring services needed by the load balancing service

Now that your instances are up and running, set up the services needed for load balancing. To configure these services, perform the following steps:

Create IPv4 and IPv6 global static external IP addresses for your load balancer.

Console


  1. Go to the External IP addresses page in the GCP Console.
    Go to the External IP addresses page
  2. Click Reserve static address to reserve an IPv4 address.
  3. Set the Name to lb-ip-cr.
  4. Leave the Type set to Global.
  5. Click Reserve.
  6. Click Reserve static address again to reserve an IPv6 address.
  7. Set the Name to lb-ipv6-cr.
  8. Set IP version to IPv6.
  9. Leave the Type set to Global.
  10. Click Reserve.

gcloud: HTTP


gcloud compute addresses create lb-ip-cr \
    --ip-version=IPV4 \
    --global

gcloud compute addresses create lb-ipv6-cr \
    --ip-version=IPV6 \
    --global

gcloud: HTTPS


gcloud compute addresses create lb-ip-cr \
    --ip-version=IPV4 \
    --global

gcloud compute addresses create lb-ipv6-cr \
    --ip-version=IPV6 \
    --global

gcloud: HTTP/2


gcloud compute addresses create lb-ip-cr \
    --ip-version=IPV4 \
    --global

gcloud compute addresses create lb-ipv6-cr \
    --ip-version=IPV6 \
    --global

Create an instance group for each of your zones.

Console


  1. Go to the Instance groups page in the GCP Console.
    Go to the Instance groups page
  2. Click Create instance group.
  3. Set the Name to us-resources-w for HTTP, us-resources-s for HTTPS, or us-resources-h for HTTP/2.
  4. Set the Zone to us-central1-b.
  5. Under Group type, select Unmanaged instance group.
  6. Select a Network and a Subnetwork.
  7. Under VM instances, select one of the following:
    • www-1 and www-2 for HTTP
    • wwws-1 and wwws-2 for HTTPS
    • wwwh2-1 and wwwh2-2 for HTTP/2
  8. Leave the other settings as they are.
  9. Click Create.
  10. Repeat the steps, but set the following fields differently:
    • Name: europe-resources-w for HTTP, or europe-resources-s for HTTPS
    • Zone: europe-west1-b
    • Instances: www-3 and www-4 for HTTP, wwws-3 and wwws-4 for HTTPS, or wwwh2-3 and wwwh2-4 for HTTP/2.
  11. Confirm that you now have two instance groups, each with two instances.

gcloud: HTTP


gcloud compute instance-groups unmanaged create us-resources-w --zone us-central1-b

gcloud compute instance-groups unmanaged create europe-resources-w --zone europe-west1-b

gcloud: HTTPS


gcloud compute instance-groups unmanaged create us-resources-s --zone us-central1-b

gcloud compute instance-groups unmanaged create europe-resources-s --zone europe-west1-b

gcloud: HTTP/2


gcloud compute instance-groups unmanaged create us-resources-s --zone us-central1-b

gcloud compute instance-groups unmanaged create europe-resources-s --zone europe-west1-b

Add the instances you created earlier to the instance groups.

Console


Completed as part of prior step.

gcloud: HTTP


gcloud compute instance-groups unmanaged add-instances us-resources-w \
    --instances www-1,www-2 \
    --zone us-central1-b

gcloud compute instance-groups unmanaged add-instances europe-resources-w \
    --instances www-3,www-4 \
    --zone europe-west1-b

gcloud: HTTPS


gcloud compute instance-groups unmanaged add-instances us-resources-s \
    --instances wwws-1,wwws-2 \
    --zone us-central1-b

gcloud compute instance-groups unmanaged add-instances europe-resources-s \
    --instances wwws-3,wwws-4 \
    --zone europe-west1-b

gcloud: HTTP/2


gcloud compute instance-groups unmanaged add-instances us-resources-s \
    --instances wwwh2-1,wwwh2-2 \
    --zone us-central1-b

gcloud compute instance-groups unmanaged add-instances europe-resources-s \
    --instances wwwh2-3,wwwh2-4 \
    --zone europe-west1-b

Configuring the load balancing service

Load balancer functionality involves several connected services. In this section, you will set up and connect the services. The services you will create are as follows:

  • Named ports, which the load balancer uses to direct traffic to your instance groups.
  • A Health check, which polls your instances to see if they are healthy. The load balancer only sends traffic to healthy instances.
  • Backend services, which monitor the usage and health of instances. Backend services know whether the instances in the instance group can receive traffic or not. If the instances cannot receive traffic, the load balancer redirects traffic elsewhere, provided that instances elsewhere have sufficient capacity.
  • A URL map, which parses the URL of the request and can forward certain requests to specific backend services based on the host and path of the request URL. In the example, since we are not using content-based forwarding, the URL map will only contain the default mapping.
  • One or more SSL certificate resources if you are using HTTPS or HTTP/2. SSL certificate resources contain SSL certificate information for the load balancer. You can use multiple SSL certificates, which can be any combination of managed or self-managed SSL certificates. You must create an SSL certificate resource for each certificate you use.
  • An optional SSL policy, if you are using HTTPS or HTTP/2.
  • A target proxy, which receives the request from the user and forwards it to the URL map. The target proxy is the service that decrypts SSL traffic using the SSL certificate resource. The target proxy can forward traffic to your instances via HTTP, HTTPS, or HTTP/2.
  • Two global forwarding rules, one each for IPv4 and IPv6, which hold the global external IP address resources. Global forwarding rules forward the incoming request to the target proxy.
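
To make the health and capacity behaviour in the list above concrete, here is an added simplified model (not the load balancer's real algorithm and not Google code) of how a request is steered between the us-central1 and europe-west1 backends, using the --max-utilization 0.8 and --capacity-scaler values that the gcloud steps set. The client-to-region proximity table and the backend states are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Backend:
    """One backend (instance group) of web-map-backend-service."""
    group: str            # e.g. us-resources-w
    region: str           # e.g. us-central1
    healthy: int          # instances currently passing http-basic-check
    utilization: float    # current CPU utilization of the group, 0.0 - 1.0
    max_utilization: float = 0.8   # --max-utilization 0.8 in the guide
    capacity_scaler: float = 1.0   # --capacity-scaler 1; 0 drains the backend

    def target_capacity(self) -> float:
        # The scaler multiplies the configured maximum; a scaler of 0 means "drain".
        return self.max_utilization * self.capacity_scaler

    def can_accept(self) -> bool:
        # Only healthy instances get traffic, and only while below target capacity.
        return self.healthy > 0 and self.utilization < self.target_capacity()


# Constructed assumption: for each client location, the regions in order of
# proximity. The real load balancer derives this from the client's network location.
REGION_PREFERENCE: Dict[str, List[str]] = {
    "us": ["us-central1", "europe-west1"],
    "eu": ["europe-west1", "us-central1"],
}


def choose_backend(client_location: str, backends: List[Backend]) -> Optional[str]:
    """Return the group that receives the request, or None when no backend can
    accept traffic (the load balancer would then answer the client with a 502)."""
    for region in REGION_PREFERENCE[client_location]:
        for backend in backends:
            if backend.region == region and backend.can_accept():
                return backend.group
    return None


def simulate(scenarios):
    """Map each (label, client_location, backends) scenario to the chosen group."""
    return {label: choose_backend(location, backends) for label, location, backends in scenarios}


def build_scenarios():
    def us(**kw):
        return Backend("us-resources-w", "us-central1", **kw)

    def eu(**kw):
        return Backend("europe-resources-w", "europe-west1", **kw)

    return [
        # Both regions healthy and idle: each client stays in its nearest region.
        ("eu client, all healthy", "eu",
         [us(healthy=2, utilization=0.1), eu(healthy=2, utilization=0.1)]),
        # Europe at 85% CPU, above the 0.8 target: EU clients spill over to the US.
        ("eu client, europe saturated", "eu",
         [us(healthy=2, utilization=0.3), eu(healthy=2, utilization=0.85)]),
        # Europe drained with --capacity-scaler 0: no new traffic goes there.
        ("eu client, europe draining", "eu",
         [us(healthy=2, utilization=0.3), eu(healthy=2, utilization=0.1, capacity_scaler=0.0)]),
        # Both US instances failing the health check: US clients go to Europe.
        ("us client, us unhealthy", "us",
         [us(healthy=0, utilization=0.0), eu(healthy=2, utilization=0.2)]),
        # No backend anywhere can accept traffic.
        ("us client, nothing available", "us",
         [us(healthy=0, utilization=0.0), eu(healthy=2, utilization=0.9)]),
    ]


if __name__ == "__main__":
    for label, group in simulate(build_scenarios()).items():
        print(f"{label:32s} -> {group or '502 (no backend has capacity)'}")
```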

Console


Starting the load balancer configuration

  1. Go to the Create load balancer page in the GCP Console.
    Go to the Create load balancer page
  2. Under HTTP(S) load balancing, click Start configuration.
  3. For the Name of the load balancer, enter web-map.

Backend configuration

Configure a default backend service to handle your traffic.

  1. In the left panel of the New HTTP(S) load balancer page, click Backend configuration.
  2. In the Create or select backend services & backend buckets pull-down menu, select Backend services, then Create a backend service. You see the Create Backend Service dialog box.
  3. Set the Name of the backend service to web-map-backend-service.
  4. Set the Protocol.
    • For HTTP protocol, leave the values set to the defaults.
    • For the HTTPS (recommended) protocol, click the Edit pencil, then set Protocol to HTTPS and Named port to https.
    • For the HTTP/2 protocol, click the Edit pencil, then set Protocol to HTTP/2 and Named port to http2.
  5. Under Backends, set Instance group to us-resources-w or us-resources-s, depending on whether you're configuring HTTP or HTTPS.
  6. Set the port number.
    • For HTTP traffic between the load balancer and the instances, leave Port numbers at 80.
    • For HTTPS or HTTP/2 traffic between the load balancer and the instances, set Port numbers to 443.
  7. Leave the default values for rest of the fields.
  8. Click Add backend.
  9. Select the europe-resources-w or europe-resources-s instance group, depending on whether you're configuring HTTP or HTTPS, and set the port number.
    • For HTTP traffic between the load balancer and the instances, leave Port numbers at 80.
    • For HTTPS or HTTP/2 traffic between the load balancer and the instances, set Port numbers to 443.
  10. Leave the default values for rest of the fields.
  11. Click Done.
  12. Under Health check, select Create a health check or Create another health check.
    1. If you are creating an HTTP health check, set the following health check parameters:
      • Name to http-basic-check
      • Protocol to HTTP
      • Port to 80
    2. If you are creating an HTTPS health check, set the following health check parameters:
      • Name to https-basic-check
      • Protocol to HTTPS
      • Port to 443
    3. If you are creating an HTTP/2 health check, set the following health check parameters:
      • Name to http2-basic-check
      • Protocol to HTTP/2
      • Port to 443
  13. Click Create.

Host and path rules

  1. In the left panel of the New HTTP(S) load balancer page, click Host and path rules.
    For this example, we don't need to configure any host or path rules since all traffic will go to the default rule. So, we can accept the pre-populated default values.

Frontend configuration

If you are using HTTPS between the client and the load balancer, you will need at least one SSL certificate resource to configure the proxy. If you don't have one, see SSL Certificates for information on how to create a self-signed one for testing purposes. You should not use a self-signed certificate for production purposes.

The pre-populated default values for a frontend configuration are as follows:

  • Name is an automatically-created forwarding rule prefixed with your load balancer name. For example, test-lb-2-forwarding-rule if your load balancer is named test-lb.
  • Protocol http.
  • IP address is an automatically-assigned, unnamed, ephemeral external IP address such as 35.227.225.169.
  • Port 80.

To configure the frontend, perform the following steps:

  1. In the left panel of the New HTTP(S) load balancer page, click Frontend configuration.
  2. Set Name to http-cr-rule.
  3. Set the Protocol.
    • Select HTTPS if you want HTTPS between the client and the load balancer.
    • Select HTTP if you want HTTP between the client and the load balancer.
  4. Set IP version to IPv4.
  5. In the IP address field, select lb-ip-cr, which you created earlier.
  6. Leave Port at 80 if you are using HTTP and HTTP/2. HTTPS traffic defaults to 443 and cannot be changed.
  7. [HTTPS only] Click the Certificate drop-down list.
    1. [HTTPS only] If you already have a self-managed SSL certificate resource you want to use as the primary SSL certificate, select it from the drop-down menu.
    2. Otherwise, select Create a new certificate.
    3. Select Upload my certificate or Create Google managed certificate.
    4. [HTTPS only] If you selected Upload my certificate, complete these steps.
      1. Fill in a Name of www-ssl-cert.
      2. In the appropriate fields upload your Public key certificate (.crt file), Certificate chain (.csr file), and Private key (.key file).
      3. Click Create.
    5. [HTTPS only] If you choose Create Google managed certificate, enter a Domain.
  8. [HTTPS only] To add certificate resources in addition to the primary SSL certificate resource:
    1. Click Add certificate.
    2. Select a certificate from the Certificates list or click Create a new certificate and follow the instructions above.
  9. [HTTPS only] To optionally create an SSL policy:
    1. Under SSL policy, select Create policy.
    2. Enter a Name of my-ssl-policy.
    3. Select TLS 1.0 for Minimum TLS Version.
    4. Select MODERN for Profile. The Enabled features and Disabled features are displayed.
    5. Click Create.
  10. Click Done.
  11. Click Add frontend IP and port.
  12. Enter a Name of http-cr-ipv6-rule.
  13. Set the Protocol.
    • Select HTTPS if you want HTTPS between the client and the load balancer.
    • Select HTTP if you want HTTP between the client and the load balancer.
  14. Set IP version to IPv6.
  15. In IP, select lb-ipv6-cr, which you created earlier.
  16. Leave the Port at 80 if you are using HTTP. HTTPS or HTTP/2 traffic defaults to port 443 and cannot be changed.
  17. [HTTPS only] If you already have an SSL certificate resource you want to use, select it from the Certificate drop-down menu. If not, select Create a new certificate.
    1. Fill in a Name of www-ssl-cert.
    2. Either upload (recommended) the following files or copy and paste their contents into the appropriate fields:
      • Public key certificate (.crt file).
      • Certificate chain (.csr file).
      • Private key (.key file).
    3. Click Create.
  18. [HTTPS only] To add certificate resources in addition to the primary SSL certificate resource:
    1. Click Add certificate.
    2. Select a certificate from the Certificates list or click Create a new certificate and follow the instructions above.
  19. [HTTPS only] To optionally create an SSL policy:
    1. Under SSL policy, select Create policy.
    2. Enter a Name of my-ssl-policy.
    3. Select TLS 1.0 for Minimum TLS Version.
    4. Select MODERN for Profile. The Enabled features and Disabled features are displayed.
    5. Click Create.
  20. [HTTPS only] To modify the QUIC negotiation setting, select Enabled or Disabled.
  21. Click Done.

Review and finalize

  1. In the left panel of the New HTTP(S) load balancer page, click Review and finalize.
  2. Compare your settings to what you intended to create.
  3. If the settings are correct, click Create. You are returned to the Load Balancing screen. After the load balancer is created, a green check mark next to it indicates that it is running.

gcloud: HTTP


  1. For each instance group, define an HTTP service and map a port name to the relevant port.

    gcloud compute instance-groups unmanaged set-named-ports us-resources-w \
        --named-ports http:80 \
        --zone us-central1-b
    

    gcloud compute instance-groups unmanaged set-named-ports europe-resources-w \
        --named-ports http:80 \
        --zone europe-west1-b
    

  2. Create a health check. Use the gcloud command for HTTP if you are using HTTP between the load balancer and the backends.

    gcloud compute health-checks create http http-basic-check \
        --port 80
    

  3. Create a backend service and specify its parameters. Set the --protocol field to HTTP because we are using HTTP to go to the instances. Use the http-basic-check health check we created earlier as the health check.

    gcloud compute backend-services create web-map-backend-service \
        --protocol HTTP \
        --health-checks http-basic-check \
        --global
    

  4. Add your instance groups as backends to the backend services. A backend defines the capacity (max CPU utilization or max queries per second) of the instance groups it contains. In this example, set the balancing mode to be CPU utilization, the max utilization to be 80%, and the capacity scaling to be 1. Set the capacity scaling to 0 if you wish to drain a backend service.

    gcloud compute backend-services add-backend web-map-backend-service \
        --balancing-mode UTILIZATION \
        --max-utilization 0.8 \
        --capacity-scaler 1 \
        --instance-group us-resources-w \
        --instance-group-zone us-central1-b \
        --global
    

    gcloud compute backend-services add-backend web-map-backend-service \
        --balancing-mode UTILIZATION \
        --max-utilization 0.8 \
        --capacity-scaler 1 \
        --instance-group europe-resources-w \
        --instance-group-zone europe-west1-b \
        --global
    

  5. Create a default URL map that directs all incoming requests to all your instances.

    gcloud compute url-maps create web-map \
        --default-service web-map-backend-service
    

  6. Create a target HTTP proxy to route requests to your URL map.

    gcloud compute target-http-proxies create http-lb-proxy \
        --url-map web-map
    

  7. Look up the static IP addresses you created for your load balancer. You will use them in the next step.

    gcloud compute addresses list
    

  8. Create two global forwarding rules to route incoming requests to the proxy, one for IPv4 and one for IPv6. Replace [LB_IP_ADDRESS] in the command with the static IPv4 address you created. Replace [LB_IPV6_ADDRESS] with the IPv6 address you created. You can use gcloud compute addresses list to find them.

    gcloud compute forwarding-rules create http-cr-rule \
        --address [LB_IP_ADDRESS] \
        --global \
        --target-http-proxy http-lb-proxy \
        --ports 80
    

    gcloud compute forwarding-rules create http-cr-ipv6-rule \
        --address [LB_IPV6_ADDRESS] \
        --global \
        --target-http-proxy http-lb-proxy \
        --ports 80
    

gcloud: HTTPS


  1. For each instance group, define an HTTPS service and map a port name to the relevant port. Once configured, the load balancing service forwards traffic to the named port.

    gcloud compute instance-groups unmanaged set-named-ports us-resources-s \
        --named-ports https:443 \
        --zone us-central1-b
    

    gcloud compute instance-groups unmanaged set-named-ports europe-resources-s \
        --named-ports https:443 \
        --zone europe-west1-b
    

  2. Create a health check. Use the gcloud command for HTTPS if you are using HTTPS between the load balancer and the backends.

    gcloud compute health-checks create https https-basic-check \
        --port 443
    

  3. Create a backend service and specify its parameters. Set the --protocol field to HTTPS because we are using HTTPS to go to the instances. Use the https-basic-check health check we created earlier as the health check.

    gcloud compute backend-services create web-map-backend-service \
        --protocol HTTPS \
        --health-checks https-basic-check \
        --global
    

  4. Add your instance groups as backends to the backend services. A backend defines the capacity (max CPU utilization or max queries per second) of the instance groups it contains. In this example, set the balancing mode to be CPU utilization, the max utilization to be 80%, and the capacity scaling to be 1. Set the capacity scaling to 0 if you wish to drain a backend service.

    gcloud compute backend-services add-backend web-map-backend-service \
        --balancing-mode UTILIZATION \
        --max-utilization 0.8 \
        --capacity-scaler 1 \
        --instance-group us-resources-s \
        --instance-group-zone us-central1-b \
        --global
    

    gcloud compute backend-services add-backend web-map-backend-service \
        --balancing-mode UTILIZATION \
        --max-utilization 0.8 \
        --capacity-scaler 1 \
        --instance-group europe-resources-s \
        --instance-group-zone europe-west1-b \
        --global
    

  5. Create a default URL map that directs all incoming requests to all your instances. If you need to divide your traffic to different instances depending on the URL being requested, see content-based routing.

    gcloud compute url-maps create web-map \
        --default-service web-map-backend-service
    

  6. Create an SSL certificate resource to use in the HTTPS proxy. You can use either a self-managed certificate, where you supply your own SSL certificate, or a Google-managed certificate, where Google issues a certificate for your domain. For more information, see Types of SSL certificates. If you don't have a private key and signed certificate, you can create and use a self-signed certificate for testing purposes. See SSL Certificates for further information. You should not use a self-signed certificate for production purposes. If you are using multiple SSL certificates, you must create an SSL certificate resource for each certificate.

    To create a self-managed SSL certificate resource:

    gcloud compute ssl-certificates create www-ssl-cert \
        --certificate [CRT_FILE_PATH] \
        --private-key [KEY_FILE_PATH]
    

    To create a Google-managed SSL certificate resource:

    gcloud beta compute ssl-certificates create www-ssl-cert \
      --domains [DOMAIN]
    

  7. Optionally, create an SSL policy for the load balancer.

    gcloud compute ssl-policies create cr-ssl-policy \
        --profile MODERN --min-tls-version 1.0
    

  8. Create a target HTTPS proxy to route requests to your URL map. The proxy is the portion of the load balancer that holds the SSL certificate for HTTPS Load Balancing, so you also load your certificate in this step.

    gcloud compute target-https-proxies create https-lb-proxy \
        --url-map web-map --ssl-certificates www-ssl-cert
    

  9. Optionally, enable the QUIC protocol.

    gcloud compute target-https-proxies update https-lb-proxy \
        --quic-override=ENABLE
    

  10. Create two global forwarding rules to route incoming requests to the proxy, one for IPv4 and one for IPv6. Replace [LB_IP_ADDRESS] in the command with the static IPv4 address you created. Replace [LB_IPV6_ADDRESS] with the IPv6 address you created. You can use gcloud compute addresses list to find them.

    gcloud compute forwarding-rules create https-cr-rule \
        --address [LB_IP_ADDRESS] \
        --global \
        --target-https-proxy https-lb-proxy \
        --ports 443
    

    gcloud compute forwarding-rules create https-cr-ipv6-rule \
        --address [LB_IPV6_ADDRESS] \
        --global \
        --target-https-proxy https-lb-proxy \
        --ports 443
    

gcloud: HTTP2


  1. For each instance group, define an HTTPS service and map a port name to the relevant port. Once configured, the load balancing service forwards traffic to the named port.

    gcloud compute instance-groups unmanaged set-named-ports us-resources-s \
        --named-ports https:443 \
        --zone us-central1-b
    

    gcloud compute instance-groups unmanaged set-named-ports europe-resources-s \
        --named-ports https:443 \
        --zone europe-west1-b
    

  2. Create a health check. Use the gcloud command for HTTP/2 if you are using HTTP/2 between the load balancer and the backends.

    gcloud beta compute health-checks create http2 http2-basic-check \
        --port 443
    

  3. Create a backend service for each content provider. Set the --protocol field to HTTP2 because we are using HTTP2 to go to the instances. Use the http2-basic-check health check we created earlier as the health check.

    gcloud beta compute backend-services create web-map-backend-service \
        --protocol HTTP2 \
        --health-checks http2-basic-check \
        --global
    

  4. Add your instance groups as backends to the backend services. A backend defines the capacity (max CPU utilization or max queries per second) of the instance groups it contains. In this example, set the balancing mode to be CPU utilization, the max utilization to be 80%, and the capacity scaling to be 1. Set the capacity scaling to 0 if you wish to drain a backend service.

    gcloud compute backend-services add-backend web-map-backend-service \
        --balancing-mode UTILIZATION \
        --max-utilization 0.8 \
        --capacity-scaler 1 \
        --instance-group us-resources-s \
        --instance-group-zone us-central1-b \
        --global
    

    gcloud compute backend-services add-backend web-map-backend-service \
        --balancing-mode UTILIZATION \
        --max-utilization 0.8 \
        --capacity-scaler 1 \
        --instance-group europe-resources-s \
        --instance-group-zone europe-west1-b \
        --global
    

  5. Create a default URL map that directs all incoming requests to all your instances. If you need to divide your traffic to different instances depending on the URL being requested, see content-based routing.

    gcloud compute url-maps create web-map \
        --default-service web-map-backend-service
    

  6. Create an SSL certificate resource to use in the HTTPS proxy. If you don't have a private key and signed certificate, you can create and use a self-signed certificate for testing purposes. See SSL Certificates for further information. You should not use a self-signed certificate for production purposes. If you are using multiple SSL certificates, you must create an SSL certificate resource for each certificate.

    gcloud compute ssl-certificates create www-ssl-cert \
        --certificate [CRT_FILE_PATH] \
        --private-key [KEY_FILE_PATH]
    

  7. Optionally, create an SSL policy for the load balancer.

    gcloud compute ssl-policies create cr-ssl-policy \
        --profile MODERN --min-tls-version 1.0
    

  8. Create a target HTTPS proxy to route requests to your URL map. The proxy is the portion of the load balancer that holds the SSL certificate for HTTPS load balancing, so you also load your certificate in this step.

    gcloud compute target-https-proxies create https-lb-proxy \
        --url-map web-map --ssl-certificates www-ssl-cert
    

  9. Optionally, enable the QUIC protocol.

    gcloud compute target-https-proxies update https-lb-proxy \
        --quic-override=ENABLE
    

  10. Create two global forwarding rules to route incoming requests to the proxy, one for IPv4 and one for IPv6. Replace [LB_IP_ADDRESS] in the command with the static IPv4 address you created. Replace [LB_IPV6_ADDRESS] with the IPv6 address you created. You can use gcloud compute addresses list to find them.

After creating the global forwarding rules, it can take several minutes for your configuration to propagate.

Sending traffic to your instances

Now that you have configured your load balancing service, you can start sending traffic to the forwarding rule and watch the traffic be dispersed to different instances.

Console


  1. Go to the Load balancing page in the GCP Console.
    Go to the Load balancing page
  2. Click on load balancer named web-map to expand the load balancer you just created.
  3. In the Backend section of the page, confirm that instances are healthy by checking the Healthy column. It can take a few moments for the display to indicate that the instances are healthy.
  4. Once the display shows that the instances are healthy, copy the IP:Port from the Frontend section and paste that into your browser.
  5. In your browser you should see your default content page displayed. If you used a self-signed certificate for testing, your browser will display a warning. You will have to explicitly tell your browser to accept the certificate.

gcloud: HTTP


  1. Find the IP addresses of your global forwarding rules.

    gcloud compute forwarding-rules list
    

  2. Use the curl command to test the response for various URLs for your services. Try both IPv4 and IPv6. For IPv6, you must put [] around the address. For example, curl -g -6 "http://[2001:DB8::]/".

    curl http://IPv4_ADDRESS
    

    curl -g -6 "http://[IPv6_ADDRESS]/"
    

gcloud: HTTPS


  1. Find the IP address of your global forwarding rule.

    gcloud compute forwarding-rules list
    

  2. Use the curl command to test the response for various URLs for your services. Try both IPv4 and IPv6. For IPv6, you must put [] around the address. For example, curl -g -6 "https://[2001:DB8::]/".

    curl https://IPv4_ADDRESS
    

    curl -g -6 "https://[IPv6_ADDRESS]/"
    

    In your browser you should see your default content page displayed. If you used a self-signed certificate for testing, your browser will display a warning. You will have to explicitly tell your browser to accept the certificate.

  3. If you are using a Google-managed certificate, confirm that your certificate resource's status is ACTIVE. For more information, see Google-managed SSL certificate resource status.

   gcloud beta compute ssl-certificates list
   

gcloud: HTTP/2


  1. Find the IP address of your global forwarding rule.

    gcloud compute forwarding-rules list
    

  2. Use the curl command to test the response for various URLs for your services. If you are using a curl version prior to 7.47.0, add the --http2 command line option when you issue the curl command. Try both IPv4 and IPv6. For IPv6, you must put [] around the address. For example, curl -g -6 "https://[2001:DB8::]/".

    curl https://IPv4_ADDRESS
    

  3. If you are using a Google-managed certificate, confirm that your certificate resource's status is ACTIVE. For more information, see Google-managed SSL certificate resource status.

   gcloud beta compute ssl-certificates list
   

You should see responses from the region closest to you. If your response is unsuccessful initially, you might need to wait a few minutes for the configuration to fully load and for your instances to be marked healthy before trying again. Each reload of the page may show the other instance. To simulate a user in a different geography, try using a web proxy to make the requests.

Alternatively, you can connect to one of your virtual machine instances in a different region, then run a curl command from that instance to see the request go to an instance in the region closest to it.

Shutting off HTTP(S) access from everywhere but the load balancing service

Once everything is working, modify your firewall rules so that traffic to your instances can only come from your load balancing service.

Console


  1. Go to the Firewalls page in the GCP Console.
    Go to the Firewalls page
  2. Click Create firewall rule.
  3. Specify a Name of allow-lb-and-healthcheck.
  4. Leave the VPC network as default.
  5. Set Target tags to the tag for the protocol you are using: http-tag, https-tag, or http2-tag. If your instances serve HTTP and either HTTPS or HTTP/2, specify http-tag together with https-tag or http2-tag: enter one tag, then press the Tab key and enter the other.
  6. Leave Source filter set to IP ranges.
  7. Set Source IP Ranges to 130.211.0.0/22 and 35.191.0.0/16.
  8. Set Allowed protocols and ports to tcp:80 if you are using HTTP, tcp:443 if you are using HTTPS or HTTP/2, or tcp:80,443 for HTTP and either HTTPS or HTTP/2.
  9. Click Create. It might take a moment for the new firewall rule to be displayed on the Console.

gcloud: HTTP


gcloud compute firewall-rules create allow-lb-and-healthcheck \
    --source-ranges 130.211.0.0/22,35.191.0.0/16 \
    --target-tags http-tag \
    --allow tcp:80

gcloud: HTTPS


gcloud compute firewall-rules create allow-lb-and-healthcheck \
    --source-ranges 130.211.0.0/22,35.191.0.0/16 \
    --target-tags https-tag \
    --allow tcp:443

gcloud: HTTP2


gcloud compute firewall-rules create allow-lb-and-healthcheck \
    --source-ranges 130.211.0.0/22,35.191.0.0/16 \
    --target-tags http2-tag \
    --allow tcp:443

Then, remove the rule that allows HTTP(S) traffic from other sources.

Console


  1. Go to the Firewalls page in the GCP Console.
    Go to the Firewalls page
  2. Select the checkbox next to the www-firewall firewall rule.
  3. Click Delete.

gcloud: HTTP


gcloud compute firewall-rules delete www-firewall

gcloud: HTTPS


gcloud compute firewall-rules delete www-firewall

gcloud: HTTP2


gcloud compute firewall-rules delete www-firewall
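As an added example (not part of the Google Cloud documentation), the following Python script audits a list of firewall rules for the property these steps establish: instances tagged for the load balancer accept tcp:80 or tcp:443 only from 130.211.0.0/22 and 35.191.0.0/16. The rule data is constructed inline in the shape of gcloud compute firewall-rules list --format=json output (only the fields the audit reads); the function names and the rule named allow-ssh are my own.

```python
import ipaddress

# Source ranges used by the load balancer proxies and health checkers (from the guide).
LB_RANGES = [ipaddress.ip_network(r) for r in ("130.211.0.0/22", "35.191.0.0/16")]
# Tags the guide attaches to backend instances.
BACKEND_TAGS = {"http-tag", "https-tag", "http2-tag"}
WEB_PORTS = (80, 443)

def _covers_port(spec, port):
    """True if a gcloud port spec such as "80" or "8000-8100" includes port."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _opens_web_port(rule):
    """True if any 'allowed' entry grants tcp (or all protocols) on 80 or 443."""
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol") not in ("tcp", "all"):
            continue
        ports = entry.get("ports")  # absent means every port of that protocol
        if ports is None or any(_covers_port(p, w) for p in ports for w in WEB_PORTS):
            return True
    return False

def _range_is_lb(cidr):
    """A source range is acceptable only if it lies inside one of LB_RANGES."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == lb.version and net.subnet_of(lb) for lb in LB_RANGES)

def audit_firewall_rules(rules):
    """Return names of enabled INGRESS rules that let non-LB sources reach backend
    web ports. A rule with no targetTags applies to every instance, so it counts."""
    findings = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        tags = set(rule.get("targetTags", []))
        if tags and not tags & BACKEND_TAGS:
            continue
        if not _opens_web_port(rule):
            continue
        if any(not _range_is_lb(r) for r in rule.get("sourceRanges", [])):
            findings.append(rule["name"])
    return findings

# Constructed sample (shape of `gcloud compute firewall-rules list --format=json`):
# the guide's restrictive rule, the permissive www-firewall the guide deletes, and SSH.
SAMPLE_RULES = [
    {"name": "allow-lb-and-healthcheck", "direction": "INGRESS", "targetTags": ["http-tag"],
     "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "www-firewall", "direction": "INGRESS", "targetTags": ["http-tag"],
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]

if __name__ == "__main__":
    for name in audit_firewall_rules(SAMPLE_RULES):
        print(f"FINDING: {name} exposes a backend web port to non-load-balancer sources")
```

Run it against the real output of gcloud compute firewall-rules list --format=json to confirm that only allow-lb-and-healthcheck remains after www-firewall is deleted.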

Lastly, test that the load balancer can reach the instances, but that other sources can't.

Console


  1. Go to the Load balancing page in the GCP Console.
    Go to the Load balancing page
  2. Click on the load balancer named web-map to expand the load balancer you just created. Under the Frontend section copy and paste the IP address and port into your browser.
    You should see your page.
  3. Go to the VM instances page in the GCP Console.
    Go to the VM instances page
  4. In the External IP column, copy and paste an address for an instance into your browser. If the instance was set up for HTTPS only, add https:// to the front of the IP address in the browser. In either case, the connection should time out. You should not be able to reach the instance.

gcloud: HTTP


  1. Find the IP address of your global forwarding rule.

    gcloud compute addresses list
    

  2. Use the curl command to test the response for your load balancing service. This command should work.

    curl http://IP_ADDRESS
    

  3. Find the IP address of your individual instances and note the addresses in the EXTERNAL_IP column.

    gcloud compute instances list
    

  4. Use the curl command to test the response for individual instances. For each curl command, use the EXTERNAL_IP of the appropriate instance. All instances should time out.

    curl http://EXTERNAL_IP
    

gcloud: HTTPS


  1. Find the IP address of your global forwarding rule.

    gcloud compute addresses list
    

  2. Use the curl command to test the response for your load balancing service. This command should work.

    curl -k https://IP_ADDRESS
    

  3. Find the IP address of your individual instances and note the addresses in the EXTERNAL_IP column.

    gcloud compute instances list
    

  4. Use the curl command to test the response for individual instances. For each curl command, use the EXTERNAL_IP of the appropriate instance. All instances should time out.

    curl -k https://EXTERNAL_IP
    

gcloud: HTTP/2


  1. Find the IP address of your global forwarding rule.

    gcloud compute addresses list
    

  2. Use the curl command to test the response for various URLs for your services. If you are using a curl version prior to 7.47.0, add the --http2 command line option when you issue the curl command. Try both IPv4 and IPv6. For IPv6, you must put [] around the address. For example, curl -g -6 "https://[2001:DB8::]/".

    curl -k https://IP_ADDRESS
    

  3. Find the IP address of your individual instances and note the addresses in the EXTERNAL_IP column.

    gcloud compute instances list
    

  4. Use the curl command to test the response for individual instances. For each curl command, use the EXTERNAL_IP of the appropriate instance. All instances should time out.

    curl -k --http2 https://EXTERNAL_IP
    

Optional: Removing external IPs except for a bastion host

HTTP(S) Load Balancing makes use of the targets' internal IPs, not their external IPs. Once you have load balancing working, you can increase security by removing the external IPs from your load balancing targets, then connect through an intermediary instance to perform tasks on the load balanced instances. That way, no one outside your VPC network can access them in any way, except through the load balancer.

You'll need at least one instance in your VPC network that has an external IP address, normally an instance designated for this purpose. See Connecting from one instance to another for instructions on connecting from an instance with an external IP address to one without.

If you accidentally delete all external IP addresses, you can use the Google Cloud Platform Console to create a new one.

Remove the external IP address from an instance.

Console


  1. Go to the VM instances page in the GCP Console.
    Go to the VM instances page
  2. Click the Name of the instance you wish to change.
  3. Click the Edit pencil.
  4. Under Network interfaces, click the Edit pencil.
  5. Change the value in the External IP drop-down to None.
  6. Click Done.
  7. Click Save.
  8. Click the left-facing arrow at the top of the VM instance details page to return to the VM Instances page. The External IP field displays None and the SSH button is grayed out.
  9. Make sure the page still appears when accessed through the load balancer from your browser.

gcloud: HTTP


  1. Run the following command. Make a note of the name of the instance as shown in the NAME field.

    gcloud compute instances list
    

  2. Delete the access config. For NAME, put the name of the instance.

    gcloud compute instances delete-access-config NAME
    

gcloud: HTTPS


  1. Run the following command. Make a note of the name of the instance as shown in the NAME field.

    gcloud compute instances list
    

  2. Delete the access config. For NAME, put the name of the instance.

    gcloud compute instances delete-access-config NAME
    

gcloud: HTTP2


  1. Run the following command. Make a note of the name of the instance as shown in the NAME field.

    gcloud compute instances list
    

  2. Delete the access config. For NAME, put the name of the instance.

    gcloud compute instances delete-access-config NAME
    

What's next
