Set up a global external HTTP(S) load balancer (classic) with Cloud Storage buckets

This document shows you how to create an external HTTP(S) load balancer to route requests for static content to Cloud Storage buckets. After you configure a load balancer with the backend buckets, requests to URL paths that begin with /love-to-fetch are sent to the us-east1 Cloud Storage bucket, and all other requests are sent to the europe-north1 Cloud Storage bucket, regardless of the user's region.

If your backends serve dynamic content over HTTP(S), consider using backend services instead of backend buckets.

For step-by-step guidance on this task directly in console, click Guide me:

Guide me

The following sections take you through the same steps as clicking Guide me.

Cloud Storage buckets as load balancer backends

An external HTTP(S) load balancer uses a URL map to direct traffic from specified URL paths to your backends.

In the following diagram, the load balancer sends traffic with a path of /love-to-fetch/ to a Cloud Storage bucket in the us-east1 region. All other requests go to a Cloud Storage bucket in the europe-north1 region.

The load balancer sends traffic to a Cloud Storage backend.
Distributing traffic to Cloud Storage

By default, Cloud Storage uses the same cache that Cloud CDN uses. If you enable Cloud CDN on the backend bucket, you can use Cloud CDN controls on your content. Cloud CDN controls include, for example, cache modes, signed URLs, and invalidation. Cloud CDN also lets you cache large content (> 10 MB). If you don't enable Cloud CDN on your backend bucket, you can only use origin Cache-Control headers to control caching for smaller content, as set by the Cloud Storage metadata.

Before you begin

Make sure that your setup meets the following prerequisites. If you are using the gcloud or gsutil utilities, you can install them both by using instructions in Quickstart: Using the gsutil tool document.

Set a default project


  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.

  4. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  5. Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.


gcloud config set project PROJECT_ID


gsutil config set project PROJECT_ID

Replace PROJECT_ID with the project you are using for this guide.


To follow this guide, you need to create Cloud Storage buckets and a load balancer in a project. You should be either a project owner or editor, or you should have the following Compute Engine IAM roles:

Task Required Role
Create load balancer components Network Admin
Create Cloud Storage buckets Storage Object Admin

For more information, see the following guides:

Set up an SSL certificate resource

For an HTTPS load balancer, create an SSL certificate resource as described in the following documentation:

We recommend using a Google-managed certificate.

This example assumes that you already have an SSL certificate resource named www-ssl-cert.

Prepare your Cloud Storage buckets and content

The process for preparing your Cloud Storage buckets is as follows:

  • Create the buckets.

  • Copy content to the buckets.

  • Provide public access to the buckets.

Create Cloud Storage buckets

In this example, you create two Cloud Storage buckets for the load balancer to access. For production deployments, we recommend that you choose a multi-region bucket, which automatically replicates objects across multiple Google Cloud regions. This can improve the availability of your content and improve failure tolerance across your application.

Note the names of the Cloud Storage buckets you create, as they're used later. In this guide, they're referred to as BUCKET_1_NAME and BUCKET_2_NAME.


  1. In the console, go to the Cloud Storage browser.

    Go to Cloud Storage browser

  2. Click Create bucket.

  3. In the Name your bucket box, enter a globally unique name that follows the naming guidelines.

  4. Click Choose where to store your data.

  5. Set Location type to Region.

  6. Set Location to europe-north1. This is BUCKET_1_NAME in this guide.

  7. Click Create.

  8. Click Browser to return to the Cloud Storage browser. Use these instructions to create a second bucket, but set the Location to us-east1. This is BUCKET_2_NAME in this guide.


gsutil mb -p PROJECT_ID -c standard -l europe-north1 -b on gs://BUCKET_1_NAME
gsutil mb -p PROJECT_ID -c standard -l us-east1 -b on gs://BUCKET_2_NAME

Replace BUCKET_1_NAME and BUCKET_2_NAME with the names of the buckets you want to create.

Transfer content to your Cloud Storage buckets

So you can test the setup later, copy the following images from a public Cloud Storage bucket to your own Cloud Storage buckets.

  1. Click Activate Cloud Shell.

  2. Run the following commands in Cloud Shell, replacing the bucket name variables with your Cloud Storage bucket names:

    gsutil cp gs://gcp-external-http-lb-with-bucket/three-cats.jpg gs://BUCKET_1_NAME/never-fetch/
    gsutil cp gs://gcp-external-http-lb-with-bucket/two-dogs.jpg gs://BUCKET_2_NAME/love-to-fetch/
  3. In the console, click Refresh on each bucket's details page to verify that the file has copied successfully.

Make your Cloud Storage buckets publicly readable

When you make Cloud Storage buckets publicly readable, anyone on the internet can list and view their objects, and view their metadata (excluding ACLs). Don't include sensitive information in your public buckets.

To reduce the likelihood of accidental exposure of sensitive information, don't store public objects and sensitive data in the same bucket. For more information, see Recommended bucket architecture.


To grant all users access to view objects in your buckets, repeat the following procedure for each bucket:

  1. In the console, go to the Cloud Storage browser.

    Go to Cloud Storage browser

  2. Click the bucket name, followed by the Permissions tab.

  3. Click Add.

  4. In the New principals box, enter allUsers.

  5. In the Select a role box, select Cloud Storage > Storage Object Viewer.

  6. Click Save.

  7. Click Allow public access.


To grant all users access to view objects in your buckets, run the following commands:

gsutil iam ch allUsers:objectViewer gs://BUCKET_1_NAME
gsutil iam ch allUsers:objectViewer gs://BUCKET_2_NAME

Reserve an external IP address

After you've set up your Cloud Storage buckets, you can reserve a global static external IP address that your audience uses to reach your load balancer.

This step is optional but recommended, as a static external IP address provides a single address to point your domain at.


  1. Go to the External IP addresses page in the Google Cloud console.

    Go to External IP addresses

  2. Click Reserve static address.

  3. In the Name box, enter example-ip.

  4. Set the Network Service Tier to Premium.

  5. Set the IP version to IPv4.

  6. Set the Type to Global.

  7. Click Reserve.


gcloud compute addresses create example-ip \
    --network-tier=PREMIUM \
    --ip-version=IPV4 \

Note the IPv4 address that was reserved:

gcloud compute addresses describe example-ip \
    --format="get(address)" \

Create an external HTTP(S) load balancer with backend buckets

These instructions cover creating either an HTTP or HTTPS load balancer. To create an HTTPS load balancer you must add an SSL certificate resource to the load balancer's frontend. For more information, see the SSL certificates overview.


Start the configuration

  1. Go to the Load balancing page in the Google Cloud console.

    Go to Load balancing

  2. Click Create load balancer.
  3. In the HTTP(S) load balancing card, click Start configuration.
  4. Under Internet facing or internal only, select From Internet to my VMs or serverless services.
  5. Under Global or regional, select Global HTTP(S) Load Balancer (classic).
  6. Click Continue.

Configure the backend

  1. In the Name box, enter http-lb.

  2. Click Backend configuration.

  3. Click the Backend services and backend buckets box, and then click Create a backend bucket.

  4. In the Backend bucket name box, enter cats.

  5. In the Cloud Storage bucket box, click Browse.

  6. Select BUCKET_1_NAME, and then click Select. Creating the cats backend bucket first makes it the default, where all unmatched traffic requests are directed. You can't change a default backend bucket's redirect rules in the load balancer.

  7. Click Create.

  8. Use the same process to create a backend bucket named dogs, and select BUCKET_2_NAME.

  9. Click OK.

Configure host and path rules

Host rules and path matchers are configuration components of an external HTTP(S) load balancer's URL map. To set up the rules for this example:

  1. Click Host and path rules.

  2. For dogs, enter * in the Hosts field, and /love-to-fetch/* in the Paths field.

Configure the frontend

  1. Click Frontend configuration.

  2. Verify that the following options are configured with these values:

    Property Value (type a value or select an option as specified)
    Protocol HTTP
    Network Service Tier Premium
    IP version IPv4
    IP address example-ip
    Port 80

    If you want to create an HTTPS load balancer instead of an HTTP load balancer, you must have an SSL certificate (gcloud compute ssl-certificates list), and you must fill in the fields as follows:

    Property Value (type a value or select an option as specified)
    Protocol HTTP(S)
    Network Service Tier Premium
    IP version IPv4
    IP address example-ip
    Port 443
    Select a certificate or create a new certificate
    (Optional) Enable HTTP to HTTPS Redirect Use this checkbox to enable redirects from port 80 to port 443.

    Enabling this checkbox creates an additional partial HTTP load balancer that uses the same IP address as your HTTPS load balancer and redirects HTTP requests to your load balancer's HTTPS frontend.

    This checkbox can only be selected when the HTTPS protocol is selected and a reserved IP address is used.

  3. Click Done.

Review the configuration

  1. Click Review and finalize.

  2. Review the Frontend, Host and path rules, and Backend buckets.

  3. Click Create and wait for the load balancer to be created.

  4. Click the name of the load balancer (http-lb).

  5. Note the IP address of the load balancer for the next task. In this guide, it's referred to as IP_ADDRESS.


Configure the backend

gcloud compute backend-buckets create dogs \
gcloud compute backend-buckets create cats \

Configure the URL map

gcloud compute url-maps create http-lb \
gcloud compute url-maps add-path-matcher http-lb \
    --path-matcher-name=path-matcher-2 \
    --new-hosts=* \
    --backend-bucket-path-rules="/love-to-fetch/*=dogs" \

Configure the target proxy

gcloud compute target-http-proxies create http-lb-proxy \

Configure the forwarding rule

gcloud compute forwarding-rules create http-lb-forwarding-rule \
    --load-balancing-scheme=EXTERNAL \
    --network-tier=PREMIUM \
    --address=example-ip \
    --global \
    --target-http-proxy=http-lb-proxy \

Send traffic to your load balancer

Several minutes after you have configured your load balancer, you can start sending traffic to the load balancer's IP address.


In a web browser, go to the following addresses to test your load balancer, replacing IP_ADDRESS with the load balancer's IP address:

  • http://IP_ADDRESS/love-to-fetch/two-dogs.jpg

  • http://IP_ADDRESS/never-fetch/three-cats.jpg

If you've set up an HTTP load balancer, make sure your browser doesn't automatically redirect to HTTPS.


Use the curl command to test the response from the following URLs. Replace IP_ADDRESS with the load balancer's IPv4 address:

curl http://IP_ADDRESS/love-to-fetch/two-dogs.jpg
curl http://IP_ADDRESS/never-fetch/three-cats.jpg