This document shows you how to create an
external HTTP(S) load balancer
to route requests for static content to
Cloud Storage buckets. After you
configure a load balancer with the backend buckets, requests to URL paths that
begin with /love-to-fetch
are sent to the us-east1
Cloud Storage bucket, and all other requests are sent to the
europe-north1
Cloud Storage bucket, regardless of the user's region.
If your backends serve dynamic content over HTTP(S), consider using backend services instead of backend buckets.
For step-by-step guidance on this task directly in Google Cloud console, click Guide me:
The following sections take you through the same steps as clicking Guide me.
Cloud Storage buckets as load balancer backends
An external HTTP(S) load balancer uses a URL map to direct traffic from specified URL paths to your backends.
In the following diagram, the load balancer sends traffic with a path of
/love-to-fetch/
to a Cloud Storage bucket in the us-east1
region. All other requests go to a Cloud Storage bucket in the
europe-north1
region.
By default, Cloud Storage uses the same cache
that Cloud CDN uses. If you enable Cloud CDN on the backend
bucket, you can use Cloud CDN controls on your content.
Cloud CDN controls include, for example, cache modes, signed URLs, and
invalidation. Cloud CDN also lets you cache large content (> 10 MB). If
you don't enable Cloud CDN on your backend bucket, you can only use
origin Cache-Control
headers to control caching for smaller content, as set
by the Cloud Storage metadata.
Before you begin
Make sure that your setup meets the following prerequisites. If you are using
the gcloud
or gsutil
utilities, you can install them both by using
instructions in
Quickstart: Using the gsutil tool document.
Set a default project
Console
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.
gcloud/gsutil
gcloud config set project PROJECT_ID
or
gsutil config set project PROJECT_ID
Replace PROJECT_ID with the project you are using for this guide.
Permissions
To follow this guide, you need to create Cloud Storage buckets and a load balancer in a project. You should be either a project owner or editor, or you should have the following Compute Engine IAM roles:
Task | Required Role |
---|---|
Create load balancer components | Network Admin |
Create Cloud Storage buckets | Storage Object Admin |
For more information, see the following guides:
Set up an SSL certificate resource
For an HTTPS load balancer, create an SSL certificate resource as described in the following documentation:
We recommend using a Google-managed certificate.
This example assumes that you already have an SSL certificate resource named
www-ssl-cert
.
Prepare your Cloud Storage buckets and content
The process for preparing your Cloud Storage buckets is as follows:
Create the buckets.
Copy content to the buckets.
Provide public access to the buckets.
Create Cloud Storage buckets
In this example, you create two Cloud Storage buckets for the load balancer to access. For production deployments, we recommend that you choose a multi-region bucket, which automatically replicates objects across multiple Google Cloud regions. This can improve the availability of your content and improve failure tolerance across your application.
Note the names of the Cloud Storage buckets you create, as they're used later. In this guide, they're referred to as BUCKET_1_NAME and BUCKET_2_NAME.
Console
In the Google Cloud console, go to the Cloud Storage browser.
Click Create bucket.
In the Name your bucket box, enter a globally unique name that follows the naming guidelines.
Click Choose where to store your data.
Set Location type to Region.
Set Location to europe-north1. This is BUCKET_1_NAME in this guide.
Click Create.
Click Browser to return to the Cloud Storage browser. Use these instructions to create a second bucket, but set the Location to us-east1. This is BUCKET_2_NAME in this guide.
gcloud/gsutil
gsutil mb -p PROJECT_ID -c standard -l europe-north1 -b on gs://BUCKET_1_NAME
gsutil mb -p PROJECT_ID -c standard -l us-east1 -b on gs://BUCKET_2_NAME
Replace BUCKET_1_NAME and BUCKET_2_NAME with the names of the buckets you want to create.
Transfer content to your Cloud Storage buckets
So you can test the setup later, copy the following images from a public Cloud Storage bucket to your own Cloud Storage buckets.
Click
Activate Cloud Shell.Run the following commands in Cloud Shell, replacing the bucket name variables with your Cloud Storage bucket names:
gsutil cp gs://gcp-external-http-lb-with-bucket/three-cats.jpg gs://BUCKET_1_NAME/never-fetch/
gsutil cp gs://gcp-external-http-lb-with-bucket/two-dogs.jpg gs://BUCKET_2_NAME/love-to-fetch/
In the Google Cloud console, click Refresh on each bucket's details page to verify that the file has copied successfully.
Make your Cloud Storage buckets publicly readable
When you make Cloud Storage buckets publicly readable, anyone on the internet can list and view their objects, and view their metadata (excluding ACLs). Don't include sensitive information in your public buckets.
To reduce the likelihood of accidental exposure of sensitive information, don't store public objects and sensitive data in the same bucket. For more information, see Recommended bucket architecture.
Console
To grant all users access to view objects in your buckets, repeat the following procedure for each bucket:
In the Google Cloud console, go to the Cloud Storage browser.
Click the bucket name, followed by the Permissions tab.
Click Add.
In the New principals box, enter
allUsers
.In the Select a role box, select Cloud Storage > Storage Object Viewer.
Click Save.
Click Allow public access.
gcloud/gsutil
To grant all users access to view objects in your buckets, run the following commands:
gsutil iam ch allUsers:objectViewer gs://BUCKET_1_NAME
gsutil iam ch allUsers:objectViewer gs://BUCKET_2_NAME
Reserve an external IP address
After you've set up your Cloud Storage buckets, you can reserve a global static external IP address that your audience uses to reach your load balancer.
This step is optional but recommended, as a static external IP address provides a single address to point your domain at.
Console
Go to the External IP addresses page in the Google Cloud console.
Click Reserve static address.
In the Name box, enter
example-ip
.Set the Network Service Tier to Premium.
Set the IP version to IPv4.
Set the Type to Global.
Click Reserve.
gcloud/gsutil
gcloud compute addresses create example-ip \
--network-tier=PREMIUM \
--ip-version=IPV4 \
--global
Note the IPv4 address that was reserved:
gcloud compute addresses describe example-ip \
--format="get(address)" \
--global
Create an external HTTP(S) load balancer with backend buckets
These instructions cover creating either an HTTP or HTTPS load balancer. To create an HTTPS load balancer you must add an SSL certificate resource to the load balancer's frontend. For more information, see the SSL certificates overview.
Console
Start the configuration
Go to the Load balancing page in the Google Cloud console.
- Click Create load balancer.
- In the HTTP(S) load balancing card, click Start configuration.
- Under Internet facing or internal only, select From Internet to my VMs or serverless services.
- Under Global or regional, select Global HTTP(S) Load Balancer (classic).
- Click Continue.
Configure the backend
In the Name box, enter
http-lb
.Click Backend configuration.
Click the Backend services and backend buckets box, and then click Create a backend bucket.
In the Backend bucket name box, enter
cats
.In the Cloud Storage bucket box, click Browse.
Select BUCKET_1_NAME, and then click Select. Creating the
cats
backend bucket first makes it the default, where all unmatched traffic requests are directed. You can't change a default backend bucket's redirect rules in the load balancer.Click Create.
Use the same process to create a backend bucket named
dogs
, and select BUCKET_2_NAME.Click OK.
Configure host and path rules
Host rules and path matchers are configuration components of an external HTTP(S) load balancer's URL map. To set up the rules for this example:
Click Host and path rules.
For
dogs
, enter*
in the Hosts field, and/love-to-fetch/*
in the Paths field.
Configure the frontend
Click Frontend configuration.
Verify that the following options are configured with these values:
Property Value (type a value or select an option as specified) Protocol HTTP Network Service Tier Premium IP version IPv4 IP address example-ip Port 80 If you want to create an HTTPS load balancer instead of an HTTP load balancer, you must have an SSL certificate (
gcloud compute ssl-certificates list
), and you must fill in the fields as follows:Property Value (type a value or select an option as specified) Protocol HTTP(S) Network Service Tier Premium IP version IPv4 IP address example-ip Port 443 Select a certificate or create a new certificate (Optional) Enable HTTP to HTTPS Redirect Use this checkbox to enable redirects from port 80 to port 443. Enabling this checkbox creates an additional partial HTTP load balancer that uses the same IP address as your HTTPS load balancer and redirects HTTP requests to your load balancer's HTTPS frontend.
This checkbox can only be selected when the HTTPS protocol is selected and a reserved IP address is used.
Click Done.
Review the configuration
Click Review and finalize.
Review the Frontend, Host and path rules, and Backend buckets.
Click Create and wait for the load balancer to be created.
Click the name of the load balancer (http-lb).
Note the IP address of the load balancer for the next task. In this guide, it's referred to as IP_ADDRESS.
gcloud/gsutil
Configure the backend
gcloud compute backend-buckets create dogs \
--gcs-bucket-name=BUCKET_1_NAME
gcloud compute backend-buckets create cats \
--gcs-bucket-name=BUCKET_2_NAME
Configure the URL map
gcloud compute url-maps create http-lb \
--default-backend-bucket=cats
gcloud compute url-maps add-path-matcher http-lb \
--path-matcher-name=path-matcher-2 \
--new-hosts=* \
--backend-bucket-path-rules="/love-to-fetch/*=dogs" \
--default-backend-bucket=cats
Configure the target proxy
gcloud compute target-http-proxies create http-lb-proxy \
--url-map=http-lb
Configure the forwarding rule
gcloud compute forwarding-rules create http-lb-forwarding-rule \
--load-balancing-scheme=EXTERNAL \
--network-tier=PREMIUM \
--address=example-ip \
--global \
--target-http-proxy=http-lb-proxy \
--ports=80
Send traffic to your load balancer
Several minutes after you have configured your load balancer, you can start sending traffic to the load balancer's IP address.
Console
In a web browser, go to the following addresses to test your load balancer, replacing IP_ADDRESS with the load balancer's IP address:
http://IP_ADDRESS/love-to-fetch/two-dogs.jpg
http://IP_ADDRESS/never-fetch/three-cats.jpg
If you've set up an HTTP load balancer, make sure your browser doesn't automatically redirect to HTTPS.
gcloud/gsutil
Use the curl
command to test the response from the following URLs. Replace
IP_ADDRESS with the load balancer's IPv4 address:
curl http://IP_ADDRESS/love-to-fetch/two-dogs.jpg
curl http://IP_ADDRESS/never-fetch/three-cats.jpg
Limitations
- Backend buckets are only supported with global external HTTP(S) load balancers and global external HTTP(S) load balancer (classic). They aren't supported by regional external HTTP(S) load balancer or any other load balancer type.
Backend buckets aren't supported with Identity-Aware Proxy.
What's next
Using Terraform module examples for external HTTP(S) load balancers