Creating an HTTPS load balancer

This guide demonstrates how to create a Google Cloud Platform (GCP) HTTPS load balancer that both selects backend services based on the request URL paths (content-based load balancing) and routes requests to backends that are close to the clients (cross-region load balancing).

Before you start, make sure that you are familiar with overall HTTP(S) Load Balancing concepts.

Overview

This guide provides instructions for creating a load balancer that directs traffic based on the path in the request URL and balances traffic across multiple regions. You create two Compute Engine instances in US (in zone us-central1-b) and EU (in zone europe-west1-b) regions. You then create a load balancer that routes traffic to these instances.

After you complete the instructions, your load balancer is configured as follows:

  • Traffic containing a URL path that starts with /video is routed to one backend service.
  • Traffic with a URL path that doesn't match this pattern is routed to another backend service.

In this how-to document, you create the configuration that is illustrated in the following diagram:

Diagram: Content-based and cross-regional HTTPS Load Balancing

The sequence of events in the diagram is:

  1. A client accesses the https://www.example.com/video/concert URL, sending a content request to the external IP address defined in the forwarding rule. The request can use IPv4 or IPv6; there are forwarding rules for both protocols.
  2. A forwarding rule directs the request to the target HTTPS proxy.
  3. The target proxy uses the rules set out in the URL map to determine which backend service will receive the request. A request that contains /video, like https://www.example.com/video/concert, is sent to video-backend-service. Any other URL path is sent to the default service, web-backend-service.
  4. The load balancer determines which of the backend service's instance groups should serve the request, based on their load and proximity to the client, and directs the request to an instance in that group.
  5. The instance serves the content requested by each user. The video instances serve video content, while the www instances serve all other content.

Before you begin

These instructions require a project. If you do not already have a project, set one up now. These instructions guide you through creating a custom mode VPC network. You must also set up custom firewall rules to allow traffic to reach the instances.

If you prefer to work from the command line, install the gcloud command-line tool. See gcloud Overview for conceptual and installation information about the tool.

If you haven't run the gcloud command-line tool previously, first run gcloud init to initialize your gcloud directory.

In this example, the load balancer accepts HTTPS requests from clients, and proxies these requests as HTTP to the backends. You can also configure a load balancer to accept HTTP requests, as well as to use HTTPS when proxying requests to backends.

Permissions

To complete the steps in this guide, you must have permission to create Compute Engine instances in a project. You must have either a project owner or editor role, or you must have the following Compute Engine IAM roles:

Task                              Required role
Create instances                  Instance Admin
Add and remove firewall rules     Security Admin
Create load balancer components   Network Admin
Create a project (optional)       Project Creator

Setup

Optional: Creating a new project

We recommend that users with the resourcemanager.projects.create permission create a new project before following the rest of this how-to. This simplifies cleanup at the end of the guide.

Configuring a network and subnets

In this example, use the following VPC network, regions, and subnets:

  • Network: The network is a custom mode VPC network named lb-network.

  • Subnets in two different regions:

    • us-subnet uses 10.1.10.0/24 for its primary IP range and is located in the us-central1 region
    • eu-subnet uses 10.1.11.0/24 for its primary IP range and is located in the europe-west1 region

To create the example network and subnet, follow these steps:

Console


  1. Go to the VPC networks page in the Google Cloud Platform Console.
  2. Click Create VPC network.
  3. Enter a Name of lb-network.
  4. In the Subnets section, create the first subnet:
    • Set the Subnet creation mode to Custom.
    • In the New subnet section, enter the following information:
      • Name: us-subnet
      • Region: us-central1
      • IP address range: 10.1.10.0/24
      • Click Done.
  5. Still in the Subnets section, click Add subnet and create the second subnet:
    • Set the Subnet creation mode to Custom.
    • In the New subnet section, enter the following information:
      • Name: eu-subnet
      • Region: europe-west1
      • IP address range: 10.1.11.0/24
      • Click Done.
  6. Click Create.

gcloud


  1. Create the custom VPC network:

    gcloud compute networks create lb-network --subnet-mode=custom
    
  2. Create the us-subnet:

    gcloud compute networks subnets create us-subnet \
      --network=lb-network \
      --range=10.1.10.0/24 \
      --region=us-central1
    
  3. Create the eu-subnet:

    gcloud compute networks subnets create eu-subnet \
      --network=lb-network \
      --range=10.1.11.0/24 \
      --region=europe-west1
    

Configuring firewall rules

The default deny ingress rule blocks incoming traffic to the backend instances, including traffic from the load balancer and GCP health checking systems. You must create new firewall rules to override the default rule and allow traffic to reach your instances.

In this example, you create the following firewall rules:

  • fw-allow-ssh: An ingress rule, applicable to the instances being load balanced, that allows incoming SSH connectivity on TCP port 22 from any address. You can choose a more restrictive source IP range for this rule; for example, you can specify just the IP ranges of the systems from which you will be initiating SSH sessions. This example uses the target tag allow-ssh to identify the VMs to which it should apply.

  • fw-allow-health-check-and-proxy: An ingress rule, applicable to the instances being load balanced, that allows traffic from the load balancer and GCP health checking systems (130.211.0.0/22 and 35.191.0.0/16). This example uses the target tag allow-hc-and-proxy to identify the instances to which it should apply.

Console


  1. Go to the Firewalls page in the Google Cloud Platform Console.
  2. Click Create firewall rule to create the first firewall rule:
    1. Enter a Name of fw-allow-ssh.
    2. Under Network, select lb-network.
    3. Under Targets, select Specified target tags.
    4. Populate the Target tags field with allow-ssh.
    5. Set Source filter to IP ranges.
    6. Set Source IP ranges to 0.0.0.0/0.
    7. Under Protocols and ports, select Specified protocols and ports.
    8. Select the checkbox next to tcp and type 22 for the port number.
    9. Click Create.
  3. Click Create firewall rule to create the second firewall rule:
    1. Enter a Name of fw-allow-health-check-and-proxy.
    2. Under Network, select lb-network.
    3. Under Targets, select Specified target tags.
    4. Populate the Target tags field with allow-hc-and-proxy.
    5. Set Source filter to IP ranges.
    6. Set Source IP ranges to 130.211.0.0/22 and 35.191.0.0/16.
    7. Under Protocols and ports, select Specified protocols and ports.
    8. Select the checkbox next to tcp and type 80,443 for the port numbers.
    9. Click Create.

gcloud


  1. Create the fw-allow-ssh firewall rule to allow SSH connectivity to VMs with the network tag allow-ssh. When you omit source-ranges, GCP interprets the rule to mean any source.

    gcloud compute firewall-rules create fw-allow-ssh \
        --network=lb-network \
        --action=allow \
        --direction=ingress \
        --target-tags=allow-ssh \
        --rules=tcp:22
    
  2. Create the fw-allow-health-check-and-proxy rule to allow the load balancer and GCP health checks to communicate with backend instances on TCP port 80 and 443:

    gcloud compute firewall-rules create fw-allow-health-check-and-proxy \
        --network=lb-network \
        --action=allow \
        --direction=ingress \
        --target-tags=allow-hc-and-proxy \
        --source-ranges=130.211.0.0/22,35.191.0.0/16 \
        --rules=tcp:80,tcp:443
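
As an added check that is not part of this guide: a POSIX shell audit over a constructed firewall-rule listing (the name|direction|sources|allowed|tags field layout is an assumption, not gcloud output). It flags any ingress rule on the allow-hc-and-proxy tag whose sources fall outside 130.211.0.0/22 and 35.191.0.0/16, and any rule that opens tcp:22 to 0.0.0.0/0, which is the restriction the fw-allow-ssh description above recommends; fw-allow-all-hc is a hypothetical over-broad rule included to show what the audit catches.

```shell
#!/bin/sh
# Constructed sample listing (not gcloud output): one rule per line, fields
# separated by '|' as name|direction|source ranges|allowed|target tags.
# The first two rules are the ones this guide creates; fw-allow-all-hc is a
# hypothetical over-broad rule added to show what the audit catches.
RULES='fw-allow-ssh|INGRESS|0.0.0.0/0|tcp:22|allow-ssh
fw-allow-health-check-and-proxy|INGRESS|130.211.0.0/22,35.191.0.0/16|tcp:80,tcp:443|allow-hc-and-proxy
fw-allow-all-hc|INGRESS|0.0.0.0/0|tcp:80,tcp:443|allow-hc-and-proxy'

# The load balancer and health-check source ranges quoted in this guide.
HC_RANGES='130.211.0.0/22,35.191.0.0/16'

# check_rule NAME DIRECTION SOURCES ALLOWED TAGS
# Prints one line per finding and returns 1 if there were any, else 0.
check_rule() {
  name=$1; dir=$2; src=$3; allowed=$4; tags=$5
  rc=0
  [ "$dir" = INGRESS ] || return 0          # only ingress rules expose backends

  # Anything tagged allow-hc-and-proxy must accept traffic only from the
  # documented Google ranges, and must not open SSH on that tag.
  case ",$tags," in
    *,allow-hc-and-proxy,*)
      for s in $(printf '%s' "$src" | tr ',' ' '); do
        case ",$HC_RANGES," in
          *,"$s",*) ;;
          *) echo "$name: source $s is not a health-check/proxy range"; rc=1 ;;
        esac
      done
      case ",$allowed," in
        *,tcp:22,*) echo "$name: tcp:22 should not be opened on the proxy tag"; rc=1 ;;
      esac ;;
  esac

  # The guide allows SSH from any address; flag it so it gets narrowed later.
  case ",$allowed," in
    *,tcp:22,*)
      case ",$src," in
        *,0.0.0.0/0,*) echo "$name: tcp:22 open to 0.0.0.0/0; restrict to admin ranges"; rc=1 ;;
      esac ;;
  esac
  return $rc
}

# audit_rules runs check_rule over every line of RULES, prints the findings
# and returns 1 if any rule had a finding. A here-document is used instead of
# a pipe so the counter is updated in the current shell, not a subshell.
audit_rules() {
  findings=0
  while IFS='|' read -r n d s a t; do
    check_rule "$n" "$d" "$s" "$a" "$t" || findings=$((findings + 1))
  done <<EOF
$RULES
EOF
  [ "$findings" -eq 0 ]
}

if audit_rules; then echo "no findings"; else echo "review the findings above"; fi
```

To audit a real project, replace RULES with a listing produced by gcloud compute firewall-rules list in the same field order.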
    

Instance setup

In this example, you create eight virtual machine instances: four to serve video content, and four to serve all other content. You use a startup script to install the Apache web server software with a unique home page for each instance.

Console


Create backend VMs

  1. Go to the VM instances page in the Google Cloud Platform Console.
  2. Repeat the following steps to create eight VMs, using the following name, region, and subnet combinations.
    • Name: www-us-01, region: us-central1, subnet: us-subnet
    • Name: www-us-02, region: us-central1, subnet: us-subnet
    • Name: video-us-01, region: us-central1, subnet: us-subnet
    • Name: video-us-02, region: us-central1, subnet: us-subnet
    • Name: www-eu-01, region: europe-west1, subnet: eu-subnet
    • Name: www-eu-02, region: europe-west1, subnet: eu-subnet
    • Name: video-eu-01, region: europe-west1, subnet: eu-subnet
    • Name: video-eu-02, region: europe-west1, subnet: eu-subnet
  3. Click Create instance.
  4. Set the Name and Region as indicated in step 2. You can choose any Zone in the region; this example uses us-central1-b in us-central1 and europe-west1-b in europe-west1.
  5. In the Boot disk section, ensure that the selected image is Debian GNU/Linux 9 Stretch. Click Choose to change the image if necessary.
  6. Click Management, security, disks, networking, sole tenancy and make the following changes:

    • Click Networking and add the following Network tags: allow-ssh and allow-hc-and-proxy
    • Click the edit button under Network interfaces and make the following changes then click Done:
      • Network: lb-network
      • Subnet: Choose the subnet as indicated in step 2.
      • Primary internal IP: Ephemeral (automatic)
      • External IP: Ephemeral
    • Click Management. In the Startup script field, copy and paste the following script contents. The script contents are identical for all eight VMs:

      #! /bin/bash
      apt-get update
      apt-get install apache2 -y
      a2ensite default-ssl
      a2enmod ssl
      vm_hostname="$(curl -H "Metadata-Flavor:Google" \
      http://169.254.169.254/computeMetadata/v1/instance/name)"
      filter="{print \$NF}"
      vm_zone="$(curl -H "Metadata-Flavor:Google" \
      http://169.254.169.254/computeMetadata/v1/instance/zone \
      | awk -F/ "${filter}")"
      echo "Page on $vm_hostname in $vm_zone" | \
      tee /var/www/html/index.html
      echo "AliasMatch /video(.*)$ /var/www/html/index.html" | \
      tee /etc/apache2/conf-enabled/video.conf
      systemctl restart apache2
      
  7. Click Create.

Create instance groups

  1. Go to the Instance groups page in the Google Cloud Platform Console.
  2. Repeat the following steps to create four unmanaged instance groups, each with two VMs, using these combinations.
    • Instance group: ig-www-us, region: us-central1, zone: us-central1-b, subnet: us-subnet, VMs: www-us-01 and www-us-02
    • Instance group: ig-video-us, region: us-central1, zone: us-central1-b, subnet: us-subnet, VMs: video-us-01 and video-us-02
    • Instance group: ig-www-eu, region: europe-west1, zone: europe-west1-b, subnet: eu-subnet, VMs: www-eu-01 and www-eu-02
    • Instance group: ig-video-eu, region: europe-west1, zone: europe-west1-b, subnet: eu-subnet, VMs: video-eu-01 and video-eu-02
  3. Click Create instance group, and select New unmanaged instance group.
  4. Set Name as indicated in step 2.
  5. In the Location section, select Single-zone, and choose the region and zone as indicated in step 2.
  6. For Network, enter lb-network.
  7. For Subnetwork, enter the subnet indicated in step 2.
  8. In the VM instances section, add the VMs indicated in step 2.
  9. Click Create.

gcloud


  1. Repeat the following command to create eight VMs, using the following name, zone, and subnet combinations. Replace VM_NAME, ZONE, and SUBNET accordingly:

    • Name: www-us-01, zone: us-central1-b, subnet: us-subnet
    • Name: www-us-02, zone: us-central1-b, subnet: us-subnet
    • Name: video-us-01, zone: us-central1-b, subnet: us-subnet
    • Name: video-us-02, zone: us-central1-b, subnet: us-subnet
    • Name: www-eu-01, zone: europe-west1-b, subnet: eu-subnet
    • Name: www-eu-02, zone: europe-west1-b, subnet: eu-subnet
    • Name: video-eu-01, zone: europe-west1-b, subnet: eu-subnet
    • Name: video-eu-02, zone: europe-west1-b, subnet: eu-subnet

    gcloud compute instances create VM_NAME \
        --zone=ZONE \
        --image-family=debian-9 \
        --image-project=debian-cloud \
        --tags=allow-ssh,allow-hc-and-proxy \
        --subnet=SUBNET \
        --metadata=startup-script='#! /bin/bash
    apt-get update
    apt-get install apache2 -y
    a2ensite default-ssl
    a2enmod ssl
    vm_hostname="$(curl -H "Metadata-Flavor:Google" \
    http://169.254.169.254/computeMetadata/v1/instance/name)"
    filter="{print \$NF}"
    vm_zone="$(curl -H "Metadata-Flavor:Google" \
    http://169.254.169.254/computeMetadata/v1/instance/zone \
    | awk -F/ "${filter}")"
    echo "Page on $vm_hostname in $vm_zone" | \
    tee /var/www/html/index.html
    echo "AliasMatch /video(.*)$ /var/www/html/index.html" | \
    tee /etc/apache2/conf-enabled/video.conf
    systemctl restart apache2'
    
  2. Repeat the following command to create four unmanaged instance groups, using the following name and zone combinations. Replace INSTANCE_GROUP_NAME and ZONE accordingly:

    • Instance group: ig-www-us, zone: us-central1-b
    • Instance group: ig-video-us, zone: us-central1-b
    • Instance group: ig-www-eu, zone: europe-west1-b
    • Instance group: ig-video-eu, zone: europe-west1-b

    gcloud compute instance-groups unmanaged create INSTANCE_GROUP_NAME \
        --zone=ZONE
    
  3. Repeat the following command four times, adding two VMs to each instance group according to the following combinations. Replace INSTANCE_GROUP_NAME, ZONE, and INSTANCES accordingly:

    • Instance group: ig-www-us, zone: us-central1-b, INSTANCES: www-us-01, www-us-02
    • Instance group: ig-video-us, zone: us-central1-b, INSTANCES: video-us-01, video-us-02
    • Instance group: ig-www-eu, zone: europe-west1-b, INSTANCES: www-eu-01, www-eu-02
    • Instance group: ig-video-eu, zone: europe-west1-b, INSTANCES: video-eu-01, video-eu-02

    gcloud compute instance-groups unmanaged add-instances INSTANCE_GROUP_NAME \
        --zone=ZONE \
        --instances=INSTANCES
    

    As a clarifying example, the command to add two instances to the first instance group is as follows:

    gcloud compute instance-groups unmanaged add-instances ig-www-us \
        --zone=us-central1-b \
        --instances=www-us-01,www-us-02
    

Reserving external IP addresses

Now that your instances are up and running, set up the services needed for load balancing. In this section, you create two global static external IP addresses that your customers use to reach your load balancer.

Console


  1. Go to the External IP addresses page in the Google Cloud Platform Console.
  2. Click Reserve static address to reserve an IPv4 address.
  3. Assign a Name of lb-ipv4-1.
  4. Set the Network tier to Premium.
  5. Set the IP version to IPv4.
  6. Set the Type to Global.
  7. Click Reserve.
  8. Click Reserve static address again to reserve an IPv6 address.
  9. Assign a Name of lb-ipv6-1.
  10. Set the Network Tier to Premium.
  11. Set IP version to IPv6.
  12. Ensure that the Type is set to Global.

    In this example, the load balancer uses Premium Tier networking. A load balancer using Standard Tier networking would instead use regional IP addresses. IPv6 addresses are not available with Standard Tier.

  13. Click Reserve.

gcloud


Reserve the IPv4 address:

gcloud compute addresses create lb-ipv4-1 \
    --ip-version=IPV4 \
    --global

Note the IPv4 address that was reserved:

gcloud compute addresses describe lb-ipv4-1 \
    --format="get(address)" \
    --global

Reserve the IPv6 address:

gcloud compute addresses create lb-ipv6-1 \
    --ip-version=IPV6 \
    --global

Note the IPv6 address that was reserved:

gcloud compute addresses describe lb-ipv6-1 \
    --format="get(address)" \
    --global

Configuring the load balancing resources

Load balancer functionality involves several connected resources. In this section, you set up and connect the resources. They are as follows:

  • Named ports, which the load balancer uses to direct traffic to your instance groups.
  • A Health check, which polls your instances to see if they are healthy. The load balancer only sends traffic to healthy instances.
  • Backend services, which keep track of capacity, session affinity, and health check status. Backend services direct requests to backend VMs or endpoints based on capacity and instance health.
  • A URL map, which the load balancer uses to direct requests to specific backend services based on the host and path of the request URL.
  • An SSL certificate resource. SSL certificate resources contain SSL certificate information that the load balancer uses to terminate TLS when HTTPS clients connect to it. You can use multiple SSL certificates, which can be any combination of managed or self-managed SSL certificates. You must create an SSL certificate resource for each certificate you use.
  • A target HTTPS proxy, which the load balancer uses to associate your URL map and SSL certificates with your global forwarding rules.
  • Two global forwarding rules, one each for IPv4 and IPv6, which hold the global external IP address resources. Global forwarding rules forward the incoming request to the target proxy.

Console


Name your load balancer

  1. Go to the Load balancing page in the Google Cloud Platform Console.
  2. Under HTTP(S) load balancing, click Start configuration.
  3. For the Name of the load balancer, enter web-map.
  4. Keep the window open to continue.

Configure the backend service and health check for the www instances

The load balancer requires two backend services, and a health check that serves both of them. In this example, the load balancer terminates HTTPS requests from the client and uses HTTP to communicate with the backends. To do this, you specify HTTP for the backend protocols and health checks.

Configure the backend service for www instances

  1. Click Backend configuration.
  2. In the Create or select a backend service pull-down menu, select Create a backend service.
  3. Set the Name of the backend service to web-backend-service.
  4. Click the Edit icon next to the Timeout field to edit the protocol. Select the protocol that you intend to use from the load balancer to the backends.
  5. In the Named port field, enter http.
  6. Ensure that the Backend type is set to Instance groups.
  7. Under Backends, set Instance group to ig-www-us.
  8. For traffic between the load balancer and the instances, set Port numbers to 80.
  9. Leave the default values for the remaining fields.
  10. Click Done at the bottom of the New-backend window.
  11. Click Add backend and repeat the steps, but select instance group ig-www-eu.
  12. Keep the window open to continue.

Configure the health check for the www instances

  1. In the Backend configuration window under Health check, select Create a health check or Create another health check.
  2. To create the HTTP health check, set the following health check parameters:
    • Name to http-basic-check
    • Protocol to HTTP
    • Port to 80
  3. Click Save and Continue.
  4. Click Create.

Configure the backend and health check for the video instances

  1. Repeat the above steps, but name the second backend service video-backend-service and assign the ig-video-us and ig-video-eu instance groups to it.
  2. Follow the same steps to create a health check.

Configure host and path rules

The host and path rules configure the load balancer's URL map resource.

  1. In the left column of the screen, click Host and path rules.
  2. The first row has web-backend-service in the right-hand column and is already populated with the default rule Any unmatched (default) for Hosts and Paths.
  3. Ensure that there is a second row with video-backend-service in the right-hand column. If it does not exist, click Add host and path rule, then select video-backend-service from the drop-down menu in the right-hand column. Populate the other columns as follows: [...]
    1. Set Hosts to *.
    2. In the Paths field, enter /video, press the Tab key, enter /video/*, and press the Tab key again.

Configure the frontend

The frontend configuration section configures several resources for the load balancer, including the forwarding rules and SSL certificates. In addition, it allows you to select the protocol used between the client and the load balancer.

In this example, you are using HTTPS between the client and the load balancer, so you need one or more SSL certificate resources to configure the proxy. See SSL Certificates for information on how to create SSL certificate resources. We recommend using a Google-managed certificate.

  1. In the left panel of the New HTTP(S) load balancer page, click Frontend configuration.
  2. In the Name field, enter https-content-rule.
  3. In the Protocol field, select HTTPS.
  4. Keep the window open to continue.

Configure the IPv4 forwarding rule

  1. Set IP version to IPv4.
  2. In IP address, select lb-ipv4-1, which you created earlier.
  3. Ensure that the Port is set to 443, to allow HTTPS traffic.
  4. Click the Certificate drop-down list.
    1. If you already have a self-managed SSL certificate resource you want to use as the primary SSL certificate, select it from the drop-down menu.
    2. Otherwise, select Create a new certificate.
    3. Select Upload my certificate or Create Google managed certificate.
    4. If you selected Upload my certificate, complete these steps.
      1. Fill in a Name of www-ssl-cert.
      2. In the appropriate fields upload your Public key certificate (.crt file), Certificate chain (.csr file), and Private key (.key file).
      3. Click Create.
    5. If you choose Create Google managed certificate, enter a Domain.
  5. To add certificate resources in addition to the primary SSL certificate resource:
    1. Click Add certificate.
    2. Select a certificate from the Certificates list or click Create a new certificate and follow the instructions above.
  6. Click Done.
  7. Keep the window open to continue.

Configure the IPv6 forwarding rule

  1. Click Add frontend IP and port.
  2. Enter a Name of https-content-ipv6-rule.
  3. In the Protocol field, select HTTPS if you want to use HTTPS between the client and the load balancer. Select HTTP if you want HTTP between the client and the load balancer.
  4. Set IP version to IPv6.
  5. In IP, select lb-ipv6-1, which you created earlier.
  6. The default Port of 443 is required.
  7. If you already have an SSL certificate resource you want to use, select it from the Certificate drop-down menu. If not, select Create a new certificate.
    1. Fill in a Name of www-ssl-cert.
    2. In the appropriate fields upload your Public key certificate (.crt file), Certificate chain (.csr file), and Private key (.key file).
    3. Click Create.
  8. To add certificate resources in addition to the primary SSL certificate resource:
    1. Click Add certificate.
    2. Select a certificate from the Certificates list or click Create a new certificate and follow the instructions above.
  9. Click Done.

Review and finalize

  1. In the left panel of the New HTTP(S) load balancer page, click Review and finalize.
  2. Compare your settings to what you intended to create.
  3. If everything looks correct, click Create to create your HTTP(S) load balancer.

gcloud


  1. For each instance group, define an HTTP service and map a port name to the relevant port. Once configured, the load balancing service forwards traffic to the named port.

    gcloud compute instance-groups unmanaged set-named-ports ig-video-us \
        --named-ports http:80 \
        --zone us-central1-b
    
    gcloud compute instance-groups unmanaged set-named-ports ig-www-us \
        --named-ports http:80 \
        --zone us-central1-b
    
    gcloud compute instance-groups unmanaged set-named-ports ig-video-eu \
        --named-ports http:80 \
        --zone europe-west1-b
    
    gcloud compute instance-groups unmanaged set-named-ports ig-www-eu \
        --named-ports http:80 \
        --zone europe-west1-b
    
  2. Create a health check. Use the gcloud command for HTTP if you are using HTTP between the load balancer and the backends.

    gcloud compute health-checks create http http-basic-check \
        --port 80
    
  3. Create a backend service for each content provider. Set the --protocol field to HTTP because we are using HTTP to go to the instances. Use the http-basic-check health check we created earlier as the health check.

    gcloud compute backend-services create video-backend-service \
        --protocol HTTP \
        --health-checks http-basic-check \
        --global
    
    gcloud compute backend-services create web-backend-service \
        --protocol HTTP \
        --health-checks http-basic-check \
        --global
    
  4. Add your instance groups as backends to the backend services. A backend defines the capacity (max CPU utilization or max queries per second) of the instance groups it contains. In this example, set balancing-mode to the value UTILIZATION, max-utilization to 0.8, and capacity-scaler to 1. Set capacity-scaler to 0 if you wish to drain a backend service.

    Add the ig-video-us instance group:

    gcloud compute backend-services add-backend video-backend-service \
        --balancing-mode=UTILIZATION \
        --max-utilization=0.8 \
        --capacity-scaler=1 \
        --instance-group=ig-video-us \
        --instance-group-zone=us-central1-b \
        --global
    

    Add the ig-video-eu instance group:

    gcloud compute backend-services add-backend video-backend-service \
        --balancing-mode=UTILIZATION \
        --max-utilization=0.8 \
        --capacity-scaler=1 \
        --instance-group=ig-video-eu \
        --instance-group-zone=europe-west1-b \
        --global
    

    Add the ig-www-us instance group:

    gcloud compute backend-services add-backend web-backend-service \
        --balancing-mode=UTILIZATION \
        --max-utilization=0.8 \
        --capacity-scaler=1 \
        --instance-group=ig-www-us \
        --instance-group-zone=us-central1-b \
        --global
    

    Add the ig-www-eu instance group:

    gcloud compute backend-services add-backend web-backend-service \
        --balancing-mode=UTILIZATION \
        --max-utilization=0.8 \
        --capacity-scaler=1 \
        --instance-group=ig-www-eu \
        --instance-group-zone=europe-west1-b \
        --global
    
  5. Create a URL map to route the incoming requests to the appropriate backend services. In this case, the request path mappings defined via the --path-rules flag split traffic according to the URL path in each request to your site. Traffic that does not match an entry in the --path-rules list is sent to the entry in the --default-service flag.

    1. Create a URL map:

      gcloud compute url-maps create web-map \
          --default-service web-backend-service
      
    2. Add a path matcher to your URL map and define your request path mappings:

      gcloud compute url-maps add-path-matcher web-map \
          --default-service web-backend-service \
          --path-matcher-name pathmap \
          --path-rules="/video=video-backend-service,/video/*=video-backend-service"
      
  6. Create a self-signed SSL certificate resource to use in the HTTPS proxy.

    We are using a self-signed certificate for demonstration purposes, but in a real deployment, you would set up your load balancer to use a CA-signed certificate. In that case, you can use either a self-managed certificate, where you supply your own SSL certificate, or a Google-managed certificate, where Google issues a certificate for your domain. For more information, see Types of SSL certificates. If you are using multiple SSL certificates, you must create an SSL certificate resource for each certificate.


    To create a self-managed SSL certificate resource:

    gcloud compute ssl-certificates create www-ssl-cert \
        --certificate [CRT_FILE_PATH] \
        --private-key [KEY_FILE_PATH]
    

    To create a Google-managed SSL certificate resource:

    gcloud beta compute ssl-certificates create www-ssl-cert \
      --domains [DOMAIN]
    
  7. Create a target HTTPS proxy to route requests to your URL map. The proxy is the portion of the load balancer that holds the SSL certificate for HTTPS Load Balancing, so you also load your certificate in this step.

    gcloud compute target-https-proxies create https-lb-proxy \
        --url-map web-map --ssl-certificates www-ssl-cert
    
  8. Create two global forwarding rules to route incoming requests to the proxy, one for each of the IP addresses you created.

    gcloud compute forwarding-rules create https-content-rule \
        --address=lb-ipv4-1 \
        --global \
        --target-https-proxy=https-lb-proxy \
        --ports=443
    
    gcloud compute forwarding-rules create https-content-ipv6-rule \
        --address=lb-ipv6-1 \
        --global \
        --target-https-proxy=https-lb-proxy \
        --ports=443
    

After creating the global forwarding rule, it can take several minutes for your configuration to propagate worldwide.

Sending traffic to your instances

Now that you have configured your load balancing service, you can start sending traffic to the forwarding rule and watch the traffic be dispersed to different instances.

Console / web browser


  1. Go to the Load balancing page in the Google Cloud Platform Console.
  2. Click web-map to expand the load balancer you just created.
  3. In the Backend section, confirm that instances are healthy. The Healthy column should be populated indicating that both instances in each of the four instance groups are healthy. If you see otherwise, first try reloading the page. It can take a few moments for the GCP Console to indicate that the instances are healthy. If the backends do not appear healthy after a few minutes, review the firewall configuration and the set of network tags assigned to your backend instances.
  4. If you are using a Google-managed certificate, confirm that your certificate resource's status is ACTIVE. For more information, see Google-managed SSL certificate resource status.
  5. After the GCP Console shows that the backend instances are healthy, you can test your load balancer using a web browser by going to https://IP_Address, where IP_Address is the load balancer's IP address. If you used a self-signed certificate for testing, your browser displays a warning. You must explicitly instruct your browser to accept a self-signed certificate. Your browser should render a page with content showing the name of the instance that served the page, along with its zone (for example, Page on www-us-02 in us-central1-b).
  6. In your browser, navigate to https://IP_Address/video, where IP_Address is the load balancer's IP address. Your browser should render a page with content showing the name of the video instance that served the page, along with its zone (for example, Page on video-us-02 in us-central1-b).

gcloud / curl


  1. If you are using a Google-managed certificate, confirm that your certificate resource's status is ACTIVE (the managed status column of the listing) before you proceed. For more information, see Google-managed SSL certificate resource status.

     gcloud beta compute ssl-certificates list
    
  2. Use the curl command to test the response from these URLs. Replace IP_Address with the load balancer's IPv4 address. The -k flag disables certificate verification; it is needed for the self-signed test certificate, but when you test a certificate issued for your domain name, verify it properly instead by pinning the hostname to the load balancer's address (for example, curl --resolve www.example.com:443:IP_Address https://www.example.com/video/):

    curl -k https://IP_Address
    curl -k https://IP_Address/video/
    
  3. Use the curl command to test the response from these URLs. Replace IP_Address with the load balancer's IPv6 address. For IPv6, you must put brackets ([]) around the address, quote the URL so the shell does not treat the brackets as a glob, and disable curl's own globbing with the -g flag (for example, curl -g -6 "https://[2001:DB8::]/"):

    curl -k -g -6 "https://[IP_Address]"
    curl -k -g -6 "https://[IP_Address]/video/"
    
    

Testing cross-region functionality

To simulate a user in a different geography, connect to one of your virtual machine instances in a different region, then run a curl command from that instance. The load balancer sends the request to a healthy backend in the region closest to the client, so the response comes from an instance in that region.

  1. Connect to www-us-01 (zone us-central1-b) using SSH, for example from the VM instances page in the GCP Console or with gcloud compute ssh www-us-01 --zone=us-central1-b. The fw-allow-ssh firewall rule that you created earlier permits this connection.
  2. From that instance, request the page through the load balancer. Replace IP_Address with the load balancer's IPv4 address:

    curl -k https://IP_Address

You see HTML served by a US instance, such as <!doctype html><html><body><h1>www-us</h1></body></html>.

Repeat the steps, but this time connect to www-eu-01 (zone europe-west1-b). The output now comes from an EU instance, such as <!doctype html><html><body><h1>www-eu</h1></body></html>.

You can perform tests from a client system located anywhere in the world. If all backends in one region become unhealthy or the region reaches its configured capacity, the HTTPS load balancer automatically sends traffic to the next-closest region that has healthy capacity.
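Both checks above (that each URL path reaches the right backend service, and which region answers when the request originates from a given VM) can be scripted. The following shell script is an added example for this guide, not part of the original page or of Google's tooling. It understands the two response formats this guide shows (Page on www-us-02 in us-central1-b, and <h1>www-us</h1>), takes the load balancer's address in the environment variable LB_IP (with brackets for IPv6) and, optionally, the hostname on the certificate in LB_HOST; those variable names and the helper functions are this example's own assumptions.

```shell
#!/bin/sh
# Added example for this guide (not from the original page): a smoke test
# that asks the load balancer for "/" and "/video/" several times, checks
# that each path is served by the expected backend service, and reports the
# region that answered. Run it from a workstation, or from a backend VM to
# see the nearest region answer (the cross-region test above).
#
# Assumptions (this script's own): LB_IP holds the forwarding rule's
# address ("[2001:db8::1]"-style brackets for IPv6, curl >= 7.57 for
# --resolve with brackets); LB_HOST, if set, is the certificate's hostname.

# classify_response BODY: prints "<service> <region>", e.g. "video us",
# for either response format shown in this guide:
#   "Page on video-us-02 in us-central1-b"   (instance name and zone)
#   "<!doctype html>...<h1>www-eu</h1>..."   (service and region only)
# Prints "unknown unknown" and returns 1 if neither format matches.
classify_response() {
    name=$(printf '%s' "$1" | sed -n 's|.*Page on \([a-z][a-z0-9-]*\) in [a-z0-9-]*.*|\1|p')
    [ -n "$name" ] || name=$(printf '%s' "$1" | sed -n 's|.*<h1>\([a-z][a-z0-9-]*\)</h1>.*|\1|p')
    if [ -z "$name" ]; then
        echo "unknown unknown"
        return 1
    fi
    service=${name%%-*}          # www or video
    rest=${name#*-}              # us-02, eu, ...
    echo "$service ${rest%%-*}"  # region: us or eu
}

# fetch PATH: GET the path through the load balancer. With LB_HOST set,
# --resolve pins that hostname to LB_IP, so curl verifies the certificate
# against the real name without any DNS change. Without it, -k is used,
# which disables verification and is acceptable only for the guide's
# self-signed test certificate.
fetch() {
    if [ -n "${LB_HOST:-}" ]; then
        curl -s -g --resolve "${LB_HOST}:443:${LB_IP}" "https://${LB_HOST}$1"
    else
        curl -s -g -k "https://${LB_IP}$1"
    fi
}

# check_path PATH EXPECTED_SERVICE: fetch PATH, verify that the expected
# backend service answered, and print the region that served it.
check_path() {
    path=$1
    expected=$2
    body=$(fetch "$path")
    result=$(classify_response "$body") || { echo "FAIL $path: unrecognised response"; return 1; }
    service=${result%% *}
    region=${result#* }
    if [ "$service" = "$expected" ]; then
        echo "ok   $path -> $expected backend in region $region"
    else
        echo "FAIL $path -> $service backend (expected $expected)"
        return 1
    fi
}

# Repeat a few times: the load balancer spreads requests over both
# instances in the chosen region, so the served instance varies.
main() {
    [ -n "${LB_IP:-}" ] || { echo "usage: LB_IP=<address> [LB_HOST=<name>] $0 run" >&2; return 2; }
    status=0
    for attempt in 1 2 3 4 5; do
        check_path / www || status=1
        check_path /video/ video || status=1
    done
    return $status
}

# Only run when invoked as "... run", so the functions can also be sourced.
case "${1:-}" in run) main ;; esac
```

Run it as LB_IP=203.0.113.10 sh lb-smoke.sh run from your workstation, then again from www-eu-01; the reported region should change from us to eu. Setting LB_HOST=www.example.com (your own hostname) makes the test exercise real certificate validation, which the -k form never does.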

Optional: Removing external IP addresses from backend VMs

GCP HTTP(S) Load Balancing communicates with backends using their internal IP addresses and special load balancer routes, so the backend instances do not need external IP addresses to serve traffic through the load balancer. Removing the external addresses reduces the attack surface: the instances are then reachable only through the load balancer's proxies and health checkers (the source ranges permitted by the fw-allow-health-check-and-proxy rule) and from inside the VPC network, not directly from the internet.

To remove external IP addresses from backend instances, follow these directions.

Two consequences to plan for:

  • A VM without an external IP address has no outbound internet path unless you configure Cloud NAT. The cross-region test above reaches the load balancer's public address from a backend VM, so run it before removing the addresses, or after adding Cloud NAT.
  • If you need to connect using SSH to a backend instance that does not have an external IP address, refer to Connecting to an instance that doesn't have an external IP address. Once SSH sessions no longer arrive from the internet, also narrow the source ranges of the fw-allow-ssh rule to wherever they now originate (a bastion host, or the IAP TCP forwarding range 35.235.240.0/20).
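Doing this by hand for eight VMs is error-prone, and the useful check afterwards is that nothing is left exposed while the load balancer can still reach the backends. The following shell script is an added example, not part of the original page or of Google's tooling. It assumes the eight VM names and zones from this guide, that each VM's external address is the first access config on nic0, and that the fw-allow-health-check-and-proxy rule from this guide exists; DRY_RUN and the helper function names are this script's own.

```shell
#!/bin/sh
# Added example for this guide (not from the original page): remove the
# external IP address (access config) from each backend VM, then verify
# that no backend still has one and that the firewall rule admitting
# Google's health checkers and proxies is intact.
# Assumptions: VM names/zones are the guide's; the external address is the
# first access config on nic0; DRY_RUN is this script's own switch.

# The eight backend VMs created in this guide, as "name zone" pairs.
BACKEND_VMS='
www-us-01 us-central1-b
www-us-02 us-central1-b
video-us-01 us-central1-b
video-us-02 us-central1-b
www-eu-01 europe-west1-b
www-eu-02 europe-west1-b
video-eu-01 europe-west1-b
video-eu-02 europe-west1-b
'

# remove_cmd NAME ZONE ACCESS_CONFIG: the command that detaches the
# external address from nic0 of one VM (printed in dry-run mode).
remove_cmd() {
    printf "gcloud compute instances delete-access-config %s --zone=%s --network-interface=nic0 --access-config-name='%s'\n" "$1" "$2" "$3"
}

# access_config_name NAME ZONE: name of the access config on nic0 (usually
# "external-nat" for gcloud-created VMs, "External NAT" for the Console);
# empty when the VM already has no external address.
access_config_name() {
    gcloud compute instances describe "$1" --zone="$2" \
        --format='value(networkInterfaces[0].accessConfigs[0].name)'
}

# remove_external_ips: detach the external address from every backend VM.
# DRY_RUN=1 only prints the commands.
remove_external_ips() {
    printf '%s\n' "$BACKEND_VMS" | while read -r name zone; do
        [ -n "$name" ] || continue
        if [ "${DRY_RUN:-0}" = 1 ]; then
            remove_cmd "$name" "$zone" external-nat
            continue
        fi
        cfg=$(access_config_name "$name" "$zone")
        if [ -z "$cfg" ]; then
            echo "$name: already internal-only"
            continue
        fi
        gcloud compute instances delete-access-config "$name" --zone="$zone" \
            --network-interface=nic0 --access-config-name="$cfg"
    done
}

# remaining_external_ips LISTING: LISTING is the tab-separated output of
#   gcloud compute instances list --format='value(name,zone.basename(),networkInterfaces[0].accessConfigs[0].natIP)'
# Prints "name zone ip" for each VM that still has an external address;
# prints nothing when all of them are internal-only.
remaining_external_ips() {
    printf '%s\n' "$1" | while read -r name zone ip; do
        if [ -n "$ip" ]; then
            printf '%s %s %s\n' "$name" "$zone" "$ip"
        fi
    done
}

# health_check_ranges_ok RANGES: RANGES is the ';'-separated output of
#   gcloud compute firewall-rules describe fw-allow-health-check-and-proxy --format='value(sourceRanges)'
# Returns 0 only if both Google health-check/proxy source ranges are present;
# after the external addresses are gone, these ranges are the only path by
# which the load balancer reaches the backends.
health_check_ranges_ok() {
    case ";$1;" in *";130.211.0.0/22;"*) ;; *) return 1 ;; esac
    case ";$1;" in *";35.191.0.0/16;"*) return 0 ;; *) return 1 ;; esac
}

# verify_internal_only: fail if any backend VM still has an external
# address, or if the health-check firewall rule lost Google's ranges.
verify_internal_only() {
    listing=$(gcloud compute instances list \
        --filter='name~^(www|video)-(us|eu)-0[12]$' \
        --format='value(name,zone.basename(),networkInterfaces[0].accessConfigs[0].natIP)')
    left=$(remaining_external_ips "$listing")
    if [ -n "$left" ]; then
        echo "still exposed:"
        echo "$left"
        return 1
    fi
    ranges=$(gcloud compute firewall-rules describe fw-allow-health-check-and-proxy \
        --format='value(sourceRanges)')
    health_check_ranges_ok "$ranges" || { echo "fw-allow-health-check-and-proxy lacks Google's ranges: $ranges"; return 1; }
    echo "all backend VMs are internal-only; health-check rule intact"
}

case "${1:-}" in
    remove) remove_external_ips ;;
    verify) verify_internal_only ;;
esac
```

Use DRY_RUN=1 sh internal-only.sh remove to review the commands first, then run it without DRY_RUN and follow with sh internal-only.sh verify; the load balancer's Backend section in the Console should keep reporting the instances as healthy throughout, since health checks never depended on the external addresses.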

Cleaning up

After you have finished this HTTP(S) load balancing tutorial you can delete the Cloud Load Balancing resources you've made, so that you won't continue to be billed for them in the future. If these resources were created within their own project, you can delete the entire project. Otherwise, you can delete the resources individually.

Deleting the project

Console


  1. Go to the Projects page in the Google Cloud Platform Console.
  2. In the project list, select the project you want to delete and click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

gcloud


Run the following command, replacing project_id with your project ID:

gcloud projects delete project_id

Deleting individual resources

Console


Delete the load balancer

  1. Go to the Load balancing page in the Google Cloud Platform Console.
  2. Select the checkbox next to web-map.
  3. Click the Delete button at the top of the page.
  4. Select the checkboxes next to all of the additional resources, including backend services, health checks, and SSL certificates.
  5. Click Delete load balancer and the selected resources.

Delete the instance groups

  1. Go to the Instance groups page in the Google Cloud Platform Console.
  2. Select the checkbox at the top next to Name, to select all instance groups.
  3. Click Delete.
  4. In the confirmation window, click Delete.

Release external IP addresses

  1. Go to the External IP addresses page in the Google Cloud Platform Console.
  2. Select the checkboxes next to lb-ipv4-1 and lb-ipv6-1.
  3. Click Delete.
  4. In the confirmation window, click Delete.

Delete the firewall rules

  1. Go to the Firewalls page in the Google Cloud Platform Console.
  2. Select the checkboxes next to fw-allow-health-check-and-proxy and fw-allow-ssh.
  3. Click Delete.
  4. In the confirmation window, click Delete.

Delete the VM instances

  1. Go to the VM instances page in the Google Cloud Platform Console.
  2. Select the checkbox at the top next to Name to select all instances.
  3. Click Delete.
  4. In the confirmation window, click Delete.

Delete the VPC network

  1. Go to the VPC networks page in the Google Cloud Platform Console.
  2. Click lb-network.
  3. On the network details page, click Delete VPC network.
  4. In the confirmation window, click Delete.

gcloud


Delete the load balancer

To delete the load balancer, delete each of its components in the order below. The order matters: a resource cannot be deleted while another resource still references it (the forwarding rules reference the target proxy, the proxy references the URL map and the SSL certificate, the URL map references the backend services, and the backend services reference the health check).

  1. Delete the forwarding rules:

    gcloud compute forwarding-rules delete https-content-rule \
        --global
    gcloud compute forwarding-rules delete https-content-ipv6-rule \
        --global
    
  2. Delete the global external IP addresses:

    gcloud compute addresses delete lb-ipv4-1 \
        --global
    gcloud compute addresses delete lb-ipv6-1 \
        --global
    
  3. Delete the target proxy:

    gcloud compute target-https-proxies delete https-lb-proxy
    
  4. Delete the SSL certificate:

    gcloud compute ssl-certificates delete www-ssl-cert
    
  5. Delete the URL map:

    gcloud compute url-maps delete web-map
    
  6. Delete the backend services:

    gcloud compute backend-services delete web-backend-service \
        --global
    gcloud compute backend-services delete video-backend-service \
        --global
    
  7. Delete the health checks:

    gcloud compute health-checks delete http-basic-check
    

You have deleted all of the load balancer resources.

Delete the instance groups

Repeat the following command to delete the four unmanaged instance groups, using the following name and zone combinations. Replace INSTANCE_GROUP_NAME and ZONE accordingly:

  • Name: ig-www-us, zone: us-central1-b
  • Name: ig-video-us, zone: us-central1-b
  • Name: ig-www-eu, zone: europe-west1-b
  • Name: ig-video-eu, zone: europe-west1-b

gcloud compute instance-groups unmanaged delete INSTANCE_GROUP_NAME \
    --zone=ZONE

Delete the VM instances

Repeat the following command to delete the eight VMs, using the following name and zone combinations. Replace VM_NAME and ZONE accordingly:

  • Name: www-us-01, zone: us-central1-b
  • Name: www-us-02, zone: us-central1-b
  • Name: video-us-01, zone: us-central1-b
  • Name: video-us-02, zone: us-central1-b
  • Name: www-eu-01, zone: europe-west1-b
  • Name: www-eu-02, zone: europe-west1-b
  • Name: video-eu-01, zone: europe-west1-b
  • Name: video-eu-02, zone: europe-west1-b

gcloud compute instances delete VM_NAME \
    --zone=ZONE

Delete the firewall rules

Delete both firewall rules:

gcloud compute firewall-rules delete fw-allow-health-check-and-proxy
gcloud compute firewall-rules delete fw-allow-ssh

Delete the VPC network

First, delete the us-subnet:

gcloud compute networks subnets delete us-subnet \
    --region=us-central1

Next, delete the eu-subnet:

gcloud compute networks subnets delete eu-subnet \
    --region=europe-west1

Finally, delete the VPC network:

gcloud compute networks delete lb-network

You have deleted all of the resources that you set up in this project.

What's next
