Setting up an global external HTTP(S) load balancer (classic) with a Compute Engine backend

This setup guide shows you how to create an external HTTP(S) load balancer and a Compute Engine backend with the following resources:

If this example doesn't match your use case, see one of the following pages:

For general concepts, see the External HTTP(S) Load Balancing overview.

Load balancer topologies

For an HTTPS load balancer, you create the configuration that is illustrated in the following diagram.

HTTPS load balancer with a Compute Engine backend (click to enlarge)
HTTPS load balancer with a Compute Engine backend (click to enlarge)

For an HTTP load balancer, you create the configuration that is illustrated in the following diagram.

HTTP load balancer with a Compute Engine backend (click to enlarge)
HTTP load balancer with a Compute Engine backend (click to enlarge)

The sequence of events in the diagrams are as follows:

  1. A client sends a content request to the external IPv4 address defined in the forwarding rule.
  2. For an HTTPS load balancer, the forwarding rule directs the request to the target HTTPS proxy.

    For an HTTP load balancer, the forwarding rule directs the request to the target HTTP proxy.

  3. The target proxy uses the rule in the URL map to determine that the single backend service receives all requests.

  4. The load balancer determines that the backend service has only one instance group and directs the request to a virtual machine (VM) instance in that group.

  5. The VM serves the content requested by the user.

Before you begin

Make sure that your setup meets the prerequisites.

Set up an SSL certificate resource

For an HTTPS load balancer, create an SSL certificate resource as described in the following:

We recommend using a Google-managed certificate.

This example assumes that you already have an SSL certificate resource named www-ssl-cert.

Set up permissions

To complete the steps in this guide, you must have permission to create Compute Engine instances, firewall rules, and reserved IP addresses in a project. You must have either a project owner or editor role, or you must have the following Compute Engine IAM roles.

Task Required role
Create instances Instance Admin
Add and remove firewall rules Security Admin
Create load balancer components Network Admin
Create a project (optional) Project Creator

For more information, see the following guides:

Creating a managed instance group

To set up a load balancer with a Compute Engine backend, your VMs need to be in an instance group. This guide describes how to create a managed instance group with Linux VMs that have Apache running, and then set up load balancing. A managed instance group creates each of its managed instances based on the instance templates that you specify.

The managed instance group provides VMs running the backend servers of an external HTTP(S) load balancer. For demonstration purposes, backends serve their own hostnames.

Before you create a managed instance group, create an instance template.

Console

  1. In the Cloud Console, go to the Instance templates page.

    Go to Instance templates

  2. Click Create instance template.

  3. For Name, enter lb-backend-template.

  4. Ensure that the Boot disk is set to a Debian image, such as Debian GNU/Linux 9 (stretch). These instructions use commands that are only available on Debian, such as apt-get.

  5. Do not configure the Firewall option.

    Because the external HTTP(S) load balancer is a proxy, you don't need to select Allow HTTPS traffic or Allow HTTP traffic under Firewall. In Configuring a firewall rule, you create the only necessary firewall rule for this load balancer.

  6. Under Management, security, disks, networking, sole tenancy, on the Management tab, insert the following script into the Startup script field.

    #! /bin/bash
    sudo apt-get update
    sudo apt-get install apache2 -y
    sudo a2ensite default-ssl
    sudo a2enmod ssl
    sudo vm_hostname="$(curl -H "Metadata-Flavor:Google" \
    http://169.254.169.254/computeMetadata/v1/instance/name)"
    sudo echo "Page served from: $vm_hostname" | \
    tee /var/www/html/index.html
    
  7. On the Networking tab, add the network tags: allow-health-check

  8. Click Create.

gcloud

  1. Create the template.

    gcloud compute instance-templates create TEMPLATE_NAME \
       --region=us-east1 \
       --network=default \
       --subnet=default \
       --tags=allow-health-check \
       --image-family=debian-9 \
       --image-project=debian-cloud \
       --metadata=startup-script='#! /bin/bash
         sudo apt-get update
         sudo apt-get install apache2 -y
         sudo a2ensite default-ssl
         sudo a2enmod ssl
         sudo vm_hostname="$(curl -H "Metadata-Flavor:Google" \
       http://169.254.169.254/computeMetadata/v1/instance/name)"
       sudo echo "Page served from: $vm_hostname" | \
       tee /var/www/html/index.html
       sudo systemctl restart apache2'
    

Create the managed instance group and select the instance template.

Console

  1. In the Google Cloud Console, go to the Instance groups page.

    Go to the Instance groups page

  2. Click Create instance group.
  3. On the left, choose New managed instance group (stateless).
  4. For Name, enter lb-backend-example.
  5. Under Location, select Single zone.
  6. For Region, select your preferred region. This example uses us-east1.
  7. For Zone, select us-east1-b.
  8. Under Instance template, select the instance template lb-backend-template.
  9. Under Autoscaling mode, select Don't autoscale.
  10. Under Number of instances, enter 2.
  11. To create the new instance group, click Create.

gcloud

  1. Create the managed instance group based on the template.

    gcloud compute instance-groups managed create lb-backend-example \
    --template=TEMPLATE_NAME --size=2 --zone=us-east1-b
    

Adding a named port to the instance group

For your instance group, define an HTTP service and map a port name to the relevant port. The load balancing service forwards traffic to the named port.

Console

  1. In the Google Cloud Console, go to the Instance groups page.

    Go to the Instance groups page

  2. Click the name of your instance group (in this example lb-backend-example).
  3. On the instance group's Overview page, click Edit .
  4. Click Specify port name mapping.
  5. Click Add item.
  6. For the port name, enter http. For the port number, enter 80.
  7. Click Save.

gcloud

Use the gcloud compute instance-groups set-named-ports command.

gcloud compute instance-groups set-named-ports lb-backend-example \
    --named-ports http:80 \
    --zone us-east1-b

Configuring a firewall rule

In this example, you create the fw-allow-health-check firewall rule. This is an ingress rule that allows traffic from the Google Cloud health checking systems (130.211.0.0/22 and 35.191.0.0/16). This example uses the target tag allow-health-check to identify the VMs.

Console

  1. In the Google Cloud Console, go to the Firewall page.

    Go to the Firewall page

  2. Click Create firewall rule to create the second firewall rule.
  3. For Name, enter fw-allow-health-check.
  4. Under Network, select Default.
  5. Under Targets, select Specified target tags.
  6. Populate the Target tags field with allow-health-check.
  7. Set Source filter to IPv4 ranges.
  8. Set Source IPv4 ranges to 130.211.0.0/22 and 35.191.0.0/16.
  9. Under Protocols and ports, select Specified protocols and ports.
  10. Select the tcp checkbox, and then type 80 for the port numbers.
  11. Click Create.

gcloud

gcloud compute firewall-rules create fw-allow-health-check \
    --network=default \
    --action=allow \
    --direction=ingress \
    --source-ranges=130.211.0.0/22,35.191.0.0/16 \
    --target-tags=allow-health-check \
    --rules=tcp:80

Reserving an external IP address

Now that your instances are up and running, set up a global static external IP address that your customers use to reach your load balancer.

Console

  1. In the Google Cloud Console, go to the External IP addresses page.

    Go to the External IP addresses page

  2. To reserve an IPv4 address, click Reserve static address.
  3. For Name, enter lb-ipv4-1.
  4. Set Network Service Tier to Premium.
  5. Set IP version to IPv4.
  6. Set Type to Global.
  7. Click Reserve.

gcloud

gcloud compute addresses create lb-ipv4-1 \
    --ip-version=IPV4 \
    --network-tier=PREMIUM \
    --global

Note the IPv4 address that was reserved:

gcloud compute addresses describe lb-ipv4-1 \
    --format="get(address)" \
    --global

Setting up the load balancer

In this example, you are using HTTP or HTTPS between the client and the load balancer. For HTTPS, you need one or more SSL certificate resources to configure the proxy. We recommend using a Google-managed certificate.

Even if you're using HTTPS on the frontend, you can use HTTP on the backend. Google automatically encrypts traffic between Google Front Ends (GFEs) and your backends that reside within Google Cloud VPC networks.

Console

Start the configuration
  1. In the Google Cloud Console, go to the Load balancing page.

    Go to Load balancing
  2. Under HTTP(S) load balancing, click Start configuration.
  3. Select From Internet to my VMs, and then click Continue.
  4. Under Advanced traffic management, select Classic HTTP(S) Load Balancer.
  5. Click Continue.
  6. For the load balancer Name, enter something like web-map-https or web-map-http.
  7. Click Backend configuration.
    1. Under Create or select backend services & backend buckets, select Backend services > Create a backend service.
    2. Add a name for your backend service, such as web-backend-service.
    3. Under Protocol, select HTTP.
    4. For the Named Port, enter http.
    5. In Backends > New backend > Instance group, select your instance group, lb-backend-example.
    6. For the Port numbers, enter 80.
    7. Retain the other default settings.
    8. Under Health check, select Create a health check, and then add a name for your health check, such as http-basic-check.
    9. Set the protocol to HTTP, and then click Save and continue.
    10. Retain the other default settings.
    11. Click Create.
  8. In Host and path rules, retain the default settings.
  9. In Frontend configuration, use the following values:
    1. Set Protocol to HTTPS or HTTP.
    2. Set IP address to lb-ipv4-1, which you created earlier.
    3. Ensure that Port is set to 443 to allow HTTPS traffic or 80 for HTTP traffic.
    4. If you selected HTTPS, do the following:
      1. Click Certificate, and select your primary SSL certificate.
      2. (Optional) Select the Enable HTTP to HTTPS Redirect checkbox to enable redirects from port 80 to port 443.

        Enabling this checkbox creates an additional partial HTTP load balancer that uses the same IP address as your HTTPS load balancer and redirects incoming HTTP requests to your load balancer's HTTPS frontend.

        This checkbox can only be selected when the HTTPS protocol is selected and a reserved IP address is used.

    5. Click Done.
  10. Click Review and finalize.
  11. When you finish configuring the load balancer, click Create.
  12. Wait for the load balancer to be created.

    If you created an HTTPS load balancer and selected the Enable HTTP to HTTPS Redirect checkbox, you will also see a an HTTP load balancer created with a -redirect suffix.

  13. Click the name of the load balancer.
  14. On the Load balancer details screen, note the IP:Port for your load balancer.

gcloud

  1. Create a health check.
        gcloud compute health-checks create http http-basic-check \
            --port 80
        
  2. Create a backend service.
        gcloud compute backend-services create web-backend-service \
            --load-balancing-scheme=EXTERNAL \
            --protocol=HTTP \
            --port-name=http \
            --health-checks=http-basic-check \
            --global
        
  3. Add your instance group as the backend to the backend service.
        gcloud compute backend-services add-backend web-backend-service \
            --instance-group=lb-backend-example \
            --instance-group-zone=us-east1-b \
            --global
        
  4. For HTTP, create a URL map to route the incoming requests to the default backend service.
        gcloud compute url-maps create web-map-http \
            --default-service web-backend-service
        
  5. For HTTPS, create a URL map to route the incoming requests to the default backend service.
        gcloud compute url-maps create web-map-https \
            --default-service web-backend-service
        

Setting up an HTTPS frontend

Skip this section for HTTP load balancers.
  1. For HTTPS, if you haven't already done so, create the global SSL certificate resource, as shown in:
  2. For HTTPS, create a target HTTPS proxy to route requests to your URL map. The proxy is the portion of the load balancer that holds the SSL certificate for an HTTPS load balancer, so you also load your certificate in this step.
        gcloud compute target-https-proxies create https-lb-proxy \
            --url-map=web-map-https \
            --ssl-certificates=www-ssl-cert
        
  3. For HTTPS, create a global forwarding rule to route incoming requests to the proxy.
        gcloud compute forwarding-rules create https-content-rule \
            --load-balancing-scheme=EXTERNAL \
            --network-tier=PREMIUM \
            --address=lb-ipv4-1 \
            --global \
            --target-https-proxy=https-lb-proxy \
            --ports=443
        

Setting up an HTTP frontend

Skip this section for HTTPS load balancers.

  1. For HTTP, create a target HTTP proxy to route requests to your URL map.
        gcloud compute target-http-proxies create http-lb-proxy \
            --url-map=web-map-http
        
  2. For HTTP, create a global forwarding rule to route incoming requests to the proxy.
        gcloud compute forwarding-rules create http-content-rule \
            --load-balancing-scheme=EXTERNAL \
            --address=lb-ipv4-1 \
            --global \
            --target-http-proxy=http-lb-proxy \
            --ports=80
        

Connect your domain to your load balancer

After the load balancer is created, note the IP address that is associated with the load balancer: for example, 30.90.80.100. To point your domain to your load balancer, create an A record using your domain registration service. If you added multiple domains to your SSL certificate, you must add an A record for each one, all pointing to the load balancer's IP address. For example, to create A records for www.example.com and example.com:

NAME                  TYPE     DATA
www                   A        30.90.80.100
@                     A        30.90.80.100

If you are using Google Domains, see the Google Domains Help page for more information.

Testing traffic sent to your instances

Now that the load balancing service is running, you can send traffic to the forwarding rule and watch the traffic be dispersed to different instances.

Console

  1. In the Google Cloud Console, go to the Load balancing page.

    Go to the Load balancing page

  2. Click the load balancer that you just created.
  3. In the Backend section, confirm that the VMs are healthy. The Healthy column should be populated, indicating that both VMs are healthy (2/2). If you see otherwise, first try reloading the page. It can take a few moments for the Cloud Console to indicate that the VMs are healthy. If the backends do not appear healthy after a few minutes, review the firewall configuration and the network tag assigned to your backend VMs.
  4. For HTTPS, if you are using a Google-managed certificate, confirm that your certificate resource's status is ACTIVE. For more information, see Google-managed SSL certificate resource status.
  5. After the Cloud Console shows that the backend instances are healthy, you can test your load balancer using a web browser by going to https://IP_ADDRESS (or http://IP_ADDRESS). Replace IP_ADDRESS with the load balancer's IP address.
  6. If you used a self-signed certificate for testing HTTPS, your browser displays a warning. You must explicitly instruct your browser to accept a self-signed certificate.
  7. Your browser should render a page with content showing the name of the instance that served the page, along with its zone (for example, Page served from: lb-backend-example-xxxx). If your browser doesn't render this page, review the configuration settings in this guide.

gcloud

gcloud compute addresses describe lb-ipv4-1 \
   --format="get(address)" \
   --global

After a few minutes have passed, you can test the setup by running the following curl command.

curl http://IP_ADDRESS

-OR-

curl https://HOSTNAME

What's next