Global external Application Load Balancer logging and monitoring

This document shows you how to configure and use Cloud Logging and Cloud Monitoring with classic Application Load Balancers, global external Application Load Balancers, and Cloud CDN.

Logging

You can enable, disable, and view logs for an external Application Load Balancer backend service. For external Application Load Balancers with backend buckets, logging is automatically enabled and cannot be disabled.

You enable or disable logging for each backend service. You can configure whether to log all requests or a randomly sampled fraction.

You must ensure that you don't have a logs exclusion that applies to external Application Load Balancers. For instructions about how to verify that Cloud HTTP Load Balancer logs are allowed, see Viewing resource-type exclusions.

Logs sampling and collection

The requests (and corresponding responses) handled by load balancer backend virtual machine (VM) instances are sampled. These sampled requests are then processed to generate logs. You control the fraction of the requests that are emitted as log entries according to the logConfig.sampleRate parameter. When logConfig.sampleRate is 1.0 (100%), this means that logs are generated for all of the requests and written to Cloud Logging.

Enabling logging on a new backend service

Console

  1. In the Google Cloud console, go to the Load Balancing page.

    Go to Load balancing

  2. Click the name of your load balancer.

  3. Click Edit.

  4. Click Backend Configuration.

  5. Select Create a backend service.

  6. Complete the required backend service fields.

  7. In the Logging section, select the Enable logging checkbox.

  8. Set a Sample rate fraction. You can set a number from 0.0 through 1.0, where 0.0 means that no requests are logged and 1.0 means that 100% of the requests are logged. The default value is 1.0.

  9. To finish editing the backend service, click Update.

  10. To finish editing the load balancer, click Update.

gcloud: Global mode

Create a backend service and enable logging by using the gcloud compute backend-services create command.

gcloud compute backend-services create BACKEND_SERVICE \
    --global \
    --enable-logging \
    --logging-sample-rate=VALUE \
    --load-balancing-scheme=EXTERNAL_MANAGED

where

  • --global indicates that the backend service is global. Use this field for backend services used with global external Application Load Balancers.
  • --enable-logging enables logging for that backend service.
  • --logging-sample-rate lets you specify a value from 0.0 through 1.0, where 0.0 means that no requests are logged and 1.0 means that 100% of the requests are logged. Only meaningful with the --enable-logging parameter. Enabling logging but setting the sampling rate to 0.0 is equivalent to disabling logging. The default value is 1.0.

gcloud: Classic mode

Create a backend service and enable logging by using the gcloud compute backend-services create command.

gcloud compute backend-services create BACKEND_SERVICE \
 --global \
 --enable-logging \
 --logging-sample-rate=VALUE \
 --load-balancing-scheme=EXTERNAL

where

  • --global indicates that the backend service is global. Use this field for backend services used with a classic Application Load Balancer.
  • --enable-logging enables logging for that backend service.
  • --logging-sample-rate lets you specify a value from 0.0 through 1.0, where 0.0 means that no requests are logged and 1.0 means that 100% of the requests are logged. Only meaningful with the --enable-logging parameter. Enabling logging but setting the sampling rate to 0.0 is equivalent to disabling logging. The default value is 1.0.

Enabling logging on an existing backend service

Console

  1. In the Google Cloud console, go to the Load Balancing page.

    Go to Load balancing

  2. Click the name of your load balancer.

  3. Click Edit.

  4. Click Backend Configuration.

  5. Click Edit next to your backend service.

  6. In the Logging section, select the Enable logging checkbox.

  7. In the Sample rate field, set the sampling probability. You can set a number from 0.0 through 1.0, where 0.0 means that no requests are logged and 1.0 means that 100% of the requests are logged. The default value is 1.0.

  8. To finish editing the backend service, click Update.

  9. To finish editing the load balancer, click Update.

gcloud: Global mode

Enable logging on an existing backend service with the gcloud compute backend-services update command.

gcloud compute backend-services update BACKEND_SERVICE \
    --global \
    --enable-logging \
    --logging-sample-rate=VALUE

where

  • --global indicates that the backend service is global. Use this field for backend services used with global external Application Load Balancers.
  • --enable-logging enables logging for that backend service.
  • --logging-sample-rate lets you specify a value from 0.0 through 1.0, where 0.0 means that no requests are logged and 1.0 means that 100% of the requests are logged. Only meaningful with the --enable-logging parameter. Enabling logging but setting the sampling rate to 0.0 is equivalent to disabling logging. The default value is 1.0.

gcloud: Classic mode

Enable logging on an existing backend service with the gcloud compute backend-services update command.

gcloud compute backend-services update BACKEND_SERVICE \
    --global \
    --enable-logging \
    --logging-sample-rate=VALUE

where

  • --global indicates that the backend service is global. Use this field for backend services used with a classic Application Load Balancer.
  • --enable-logging enables logging for that backend service.
  • --logging-sample-rate lets you specify a value from 0.0 through 1.0, where 0.0 means that no requests are logged and 1.0 means that 100% of the requests are logged. Only meaningful with the --enable-logging parameter. Enabling logging but setting the sampling rate to 0.0 is equivalent to disabling logging. The default value is 1.0.

Disabling or modifying logging on an existing backend service

Console

  1. In the Google Cloud console, go to the Load Balancing page.

    Go to Load balancing

  2. Click the name of your load balancer.

  3. Click Edit.

  4. Click Backend Configuration.

  5. Click Edit next to your backend service.

  6. To disable logging entirely, in the Logging section, clear the Enable logging checkbox.

  7. If you leave logging enabled, you can set a different Sample rate fraction. You can set a number from 0.0 through 1.0, where 0.0 means that no requests are logged and 1.0 means that 100% of the requests are logged. The default value is 1.0. For example, 0.2 means 20% of the sampled requests generate logs.

  8. To finish editing the backend service, click Update.

  9. To finish editing the load balancer, click Update.

gcloud: Global mode

Disable logging on a backend service with the gcloud compute backend-services update command.

Disabling logging entirely

gcloud compute backend-services update BACKEND_SERVICE \
    --global \
    --no-enable-logging

where

  • --global indicates that the backend service is global. Use this field for backend services used with global external Application Load Balancers.
  • --region indicates that the backend service is regional. Use this field for backend services used with regional external Application Load Balancers.
  • --no-enable-logging disables logging for that backend service.

Modifying the logging sample rate

gcloud compute backend-services update BACKEND_SERVICE \
 --global \
 --logging-sample-rate=VALUE

gcloud: Classic mode

Disable logging on a backend service with the gcloud compute backend-services update command.

Disabling logging entirely

gcloud compute backend-services update BACKEND_SERVICE \
    --global \
    --no-enable-logging

where

  • --global indicates that the backend service is global. Use this field for backend services used with a classic Application Load Balancer.
  • --no-enable-logging disables logging for that backend service.

Modifying the logging sample rate

gcloud compute backend-services update BACKEND_SERVICE \
 --global \
 --logging-sample-rate=VALUE

where

  • --global indicates that the backend service is global. Use this field for backend services used with a classic Application Load Balancer.
  • --logging-sample-rate lets you specify a value from 0.0 through 1.0, where 0.0 means that no requests are logged and 1.0 means that 100% of the requests are logged. Only meaningful with the --enable-logging parameter. Enabling logging but setting the sampling rate to 0.0 is equivalent to disabling logging.

View logs


To follow step-by-step guidance for this task directly in the Google Cloud console, click Guide me:

Guide me


HTTP(S) logs are indexed first by a forwarding rule, then by a URL map.

To view logs, go to the Logs Explorer page:

Go to Logs explorer

  • To view all logs, in the Resource filter menu, select Cloud HTTP Load Balancer > All forwarding rules.

  • To view logs for one forwarding rule, select a single forwarding rule name.

  • To view logs for one URL map, select a forwarding rule, and then select a URL map.

Log fields of type boolean typically only appear if they have a value of true. If a boolean field has a value of false, that field is omitted from the log.

UTF-8 encoding is enforced for log fields. Characters that are not UTF-8 characters are replaced with question marks. For classic Application Load Balancers and global external Application Load Balancers, you can export logs-based metrics using resource logs (resource.type="http_load_balancer"). The metrics created are based on the "Application Load Balancer Rule (Logs-based Metrics)" resource (l7_lb_rule), which is available under Cloud Monitoring dashboards instead of under the https_lb_rule resource.

What is logged

External Application Load Balancer log entries contain information useful for monitoring and debugging your HTTP(S) traffic. Log records contain required fields, which are the default fields of every log record.

Field Field format Field type: Required or Optional Description
severity
insertID
logName
LogEntry Required The general fields as described in a log entry.
timestamp string (Timestamp format) Optional The time when the first layer GFE receives the request.
httpRequest HttpRequest Required A common protocol for logging HTTP requests.

HttpRequest.protocol is not populated for resource.type="http_load_balancer"

.
resource MonitoredResource Required

The MonitoredResource is the resource type associated with a log entry.

The MonitoredResourceDescriptor describes the schema of a MonitoredResource object by using a type name and a set of labels. For more information, see Resource labels.

jsonPayload object (Struct format) Required The log entry payload that is expressed as a JSON object. The JSON object contains the following fields:
  • statusDetails
  • backendTargetProjectNumber
  • overrideResponseCode
  • errorService
  • errorBackendStatusDetails
  • authzPolicyInfo
  • loadBalancingScheme
string Required The statusDetails field holds a string that explains why the load balancer returned the HTTP status that it did. For more information about these log strings, see statusDetails HTTP success messages and statusDetails HTTP failure messages.
string Required The backendTargetProjectNumber field holds the project number where the backend target—backend service or backend bucket—has been created. This field is in the format: "projects/PROJECT_NUMBER". This information is only available for global external Application Load Balancers using custom error responses.
integer Required The overrideResponseCode holds the override response code applied to the response sent to the client. This information is only available for global external Application Load Balancers using custom error responses.
string Required The errorService field holds the backend service that provided the custom error response. This information is only available for global external Application Load Balancers using custom error responses.
string Required The errorBackendStatusDetails field holds the statusDetails of the final response served to the client. This information is only available for global external Application Load Balancers using custom error responses.
AuthzPolicyInfo Required The authzPolicyInfo field stores information about the Authorization Policy result. This information is only available for global external Application Load Balancers enabled Authorization Policy. For more information, see what is logged for authorization policy.
string Optional The loadBalancingScheme field is only populated for customers using the classic Application Load Balancer migration feature. This field holds a string that describes which load balancing scheme was used to route the request. The possible values are either EXTERNAL or EXTERNAL_MANAGED.

Resource labels

The following table lists the resource labels for resource.type="http_load_balancer".

Field Type Description
backend_service_name string The name of the backend service.
forwarding_rule_name string The name of the forwarding rule object.
project_id string The identifier of the Google Cloud project associated with this resource.
target_proxy_name string The name of the target proxy object referenced by the forwarding rule.
url_map_name string The name of the URL map object configured to select a backend service.
zone string The zone in which the load balancer is running. The zone is global.

statusDetails HTTP success messages

statusDetails (successful) Meaning Common accompanying response codes
byte_range_caching The HTTP request was served using Cloud CDN byte range caching. Any cacheable response code is possible.
response_from_cache The HTTP request was served from a Cloud CDN cache. Any cacheable response code is possible.
response_from_cache_validated The return code was set from a Cloud CDN cached entry that was validated by a backend. Any cacheable response code is possible.
response_sent_by_backend The HTTP request was proxied successfully to the backend, and the response was returned by the backend. The HTTP response code is set by the software running on the backend.

statusDetails HTTP failure messages

statusDetails (failure) Meaning Common accompanying response codes
aborted_request_due_to_backend_early_response A request with body was aborted due to the backend sending an early response with an error code. The response was forwarded to the client. The request was terminated. 4XX or 5XX
backend_connection_closed_after_partial_response_sent The backend connection closed unexpectedly after a partial response had been sent to the client.

The HTTP response code is set by the software running on the backend. HTTP response code 0 (zero) means that the backend sent incomplete HTTP headers.

The HTTP response code is 101 if the HTTP(S) connection was upgraded to a websocket connection.

backend_connection_closed_before_data_sent_to_client The backend unexpectedly closed its connection to the load balancer before the response was proxied to the client.

502, 503

The HTTP response code is 101 if the HTTP(S) connection was upgraded to a websocket connection.

backend_early_response_with_non_error_status The backend sent a non-error response (1XX or 2XX) to a request before receiving the whole request body. 502, 503
backend_interim_response_not_supported The backend sent an interim 1XX response to the request in a context where interim responses are not supported.

502, 503

backend_response_corrupted The HTTP response body sent by the backend has invalid chunked transfer-encoding or is otherwise corrupted. Any response code possible depending on the nature of the corruption. Often 502, 503.
backend_response_headers_too_long The HTTP response headers sent by the backend exceeded the allowed limit. See the Header size for external Application Load Balancers section for more information. 502, 503
backend_timeout

The backend timed out while generating a response.

For a websocket connection:

  • For global external Application Load Balancer, an error is generated when the GFE closes the websocket connection in idle state after the backend service timeout expires.
  • For classic Application Load Balancer, an error is generated when the GFE closes the websocket connection in either idle or active state, after the backend service timeout expires.

502, 503

The HTTP response code is 101 if the HTTP(S) connection was upgraded to a websocket connection.

banned_by_security_policy The request was banned by a Google Cloud Armor rate-based ban rule. 429
body_not_allowed The client sent an HTTP request with a body, but the HTTP method used does not allow a body. 400
byte_range_caching_aborted The load balancer previously received a response indicating that the resource was cacheable and supported byte ranges. Cloud CDN received an inconsistent response (for example, one with a response code other than the expected 206 Partial Content). This happened when attempting to perform cache fill using a byte range request. As a result, the load balancer aborted the response to the client. 2XX
byte_range_caching_forwarded_backend_response The load balancer previously received a response indicating that the resource was cacheable and supported byte ranges. Cloud CDN received an inconsistent response (for example, one with a response code other than the expected 206 Partial Content). This happened when attempting to perform cache fill using a byte range request. The load balancer then forwarded the inconsistent response to the client.

Returned from the backend—any response code is possible.

byte_range_caching_retrieval_abandoned The client canceled a byte range request or validation request initiated by Cloud CDN.

Returned from the backend—any response code is possible.

byte_range_caching_retrieval_from_backend_failed_after_partial_response A byte range request or validation request initiated by Cloud CDN encountered an error. Refer to the corresponding Cloud Logging log entry for the request initiated by Cloud CDN for the detailed backend status. 2XX
cache_lookup_failed_after_partial_response The load balancer failed to serve a full response from Cloud CDN cache due to an internal error. 2XX
cache_lookup_timeout_after_partial_response The Cloud CDN cache lookup stream timed out because the client did not retrieve the content in a timely manner. 2XX
client_disconnected_after_partial_response The connection to the client was broken after the load balancer sent a partial response.

Returned from the backend—any response code is possible.

The HTTP response code is 101 if the HTTP(S) connection was upgraded to a websocket connection.

client_disconnected_before_any_response The connection to the client was broken before the load balancer sent any response.

0

The HTTP response code is 101 if the HTTP(S) connection was upgraded to a websocket connection.

client_timed_out The Google Front End (GFE) idled out the client connection due to lack of progress while it was proxying either the request or the response. 0 or 408
client_cert_invalid_rsa_key_size A client leaf or intermediate certificate had an invalid RSA key size. For more information, see Logged errors for closed connections. 0
client_cert_unsupported_elliptic_curve_key A client or intermediate certificate is using an unsupported elliptic curve. For more information, see Logged errors for closed connections. 0
client_cert_unsupported_key_algorithm A client or intermediate certificate is using a non-RSA or non-ECDSA algorithm. For more information, see Logged errors for closed connections. 0
client_cert_pki_too_large The PKI to be used for validation has more than three intermediate certificates that share the same Subject and Subject Public Key Info. For more information, see Logged errors for closed connections. 0
client_cert_chain_max_name_constraints_exceeded An intermediate certificate provided for validation had more than ten name constraints. For more information, see Logged errors for closed connections. 0
client_cert_chain_invalid_eku Either the client certificate or its issuer does not have Extended Key Usage (EKU) that includes clientAuth. For more information, see Logged errors for closed connections. 0
client_cert_validation_timed_out Time limit exceeded while validating the certificate chain. For more information, see Logged errors for closed connections. 0
client_cert_validation_search_limit_exceeded The depth or iteration limit is reached while attempting to validate the certificate chain. For more information, see Logged errors for closed connections. 0
client_cert_validation_not_performed You have configured mTLS without setting up a TrustConfig. For more information, see Logged errors for closed connections. 0
client_cert_not_provided The client did not provide the requested certificate during the handshake. For more information, see Logged errors for closed connections. 0
client_cert_validation_failed Client certificate fails validation with the TrustConfig when hashing algorithms such as MD4, MD5, and SHA-1 are used. For more information, see Logged errors for closed connections. 0
config_not_found

The load balancer is missing project configuration. This might occur intermittently, especially after you've made configuration changes that add a new resource.

As there are two layers of proxies, sometimes, the first-layer GFE might fail to reach the second-layer GFE. This could be due to an internal error, such as an in-progress rollout, a load balancer overload, or intermittent configuration issues.

404, 502, 503
direct_response The load balancer overrode this request and returned a fixed response. You might see any HTTP response code depending on the nature of the issue. For example, the HTTP 410 response code means that the backend is unavailable due to payment delinquency.
denied_by_security_policy The load balancer denied this request because of a Google Cloud Armor security policy. Configured in the security policy.
error_uncompressing_gzipped_body There was an error uncompressing a gzipped HTTP response. 502, 503
failed_to_connect_to_backend The load balancer failed to connect to the backend. This includes timeouts during the connection phase. 502, 503
failed_to_pick_backend The load balancer failed to pick a healthy backend to handle the request. 502, 503
failed_to_negotiate_alpn The load balancer and the backend failed to negotiate an application layer protocol (such as HTTP/2) to use to communicate with each other over TLS. 502, 503
headers_too_long The request headers were larger than the maximum allowed. 413
http_version_not_supported HTTP version not supported. Currently only HTTP 0.9, 1.0, 1.1, and 2.0 are supported. 400
internal_error Internal error at the load balancer. Normally represents a transient error in the load balancer infrastructure. Retry your query. 4XX
invalid_external_origin_endpoint The configuration for the external backend is invalid. Review the internet NEG configuration and ensure that it specifies a valid FQDN/IP address and port. 4XX
invalid_request_headers

The HTTP request headers received from a client contain at least one character that isn't allowed under an applicable HTTP specification.

For example, header field names that include a double quotation mark (") or any characters outside of the standard ASCII range (that is, any byte >= 0x80) are invalid.

For more information, see:

400
invalid_http2_client_header_format The HTTP/2 headers from a client are invalid. For more information, see invalid_request_headers. 400
invalid_http2_client_request_path

The HTTP/2 request path from a client contains at least one character that isn't allowed under the URI specification.

For more information, see the "3.3. Path" section of RFC 3986.

400
multiple_iap_policies Multiple Identity-Aware Proxy (IAP) policies cannot be combined. If you have an IAP policy attached to a backend service and another policy attached to a serverless object, remove one of the policies and try again. Serverless objects include App Engine, Cloud Run, and Cloud Run functions. 500
malformed_chunked_body The request body was improperly chunk encoded. 411
request_loop_detected The load balancer detected a request loop. This loop might be caused by a misconfiguration where the backend forwarded the request back to the load balancer. 502, 503
required_body_but_no_content_length The HTTP request requires a body but the request headers did not include a content length or transfer-encoding chunked header. 400 or 403
secure_url_rejected A request with an https:// URL was received over a plaintext HTTP/1.1 connection. 400
ssl_certificate_san_verification_failed The load balancer couldn't find a SAN (Subject Alternative Name) in the SSL certificate presented by backend that matches the configured hostname. 502, 503
ssl_certificate_chain_verification_failed The SSL certificate presented by the backend failed SSL certificate verification. 502, 503
throttled_by_security_policy The request was blocked by a Google Cloud Armor throttle rule. 429
unsupported_method The client supplied an unsupported HTTP request method. 400
unsupported_100_continue The client request included 'Expect: 100-continue' header on a protocol that doesn't support it. 400
upgrade_header_rejected The client HTTP request contained the Upgrade header and was refused. 400
websocket_closed The websocket connection was closed. 101
websocket_handshake_failed The websocket handshake failed. Any response code possible depending on the nature of the handshake failure.
request_body_too_large The HTTP request body exceeded the maximum supported by the backend. Not applicable for VM backends. 413
handled_by_identity_aware_proxy This response was generated by Identity-Aware Proxy during identity verification of the client before allowing access.

200, 302, 400, 401, 403, 500, 502, 503

429 (throttled by IAP)

serverless_neg_routing_failed The serverless NEG request cannot be dispatched. This error can happen when the region specified in the NEG cannot be reached, or when the resource name (for example, the Cloud Run functions name) cannot be found. 404, 502, 503
fault_filter_abort This error can happen if the customer has configured a fault filter and the fault filter was triggered for the given request. The value must be from 200 to 599.

View logs for mTLS client certificate validation

To view the logged errors for closed connections during mutual TLS client certificate validation, complete the following steps.

Console query

  1. In the Google Cloud console, go to the Logs Explorer page.

    Go to Logs Explorer

  2. Click the Show query toggle.

  3. Paste the following into the query field. Replace FORWARDING_RULE_NAME with the name of your forwarding rule.

    jsonPayload.statusDetails=~"client_cert"
    jsonPayload.@type="type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry"
    resource.labels.forwarding_rule_name=FORWARDING_RULE_NAME
    
  4. Click Run query.

Authorization policy request logs

The authz_info object in the Load Balancer Log Entry JSON payload contains information about authorization policies. You can configure log-based metrics for traffic allowed or denied by these policies. Check more authorization policies log details.

Field Type Description
authz_info.policies[] object The list of policies that match the request.
authz_info.policies[].name string The name of the authorization policy that matches the request.
The name is empty for the following reasons:
  • No ALLOW policy matches the request and the request is denied.
  • No DENY policy matches the request and the request is allowed.
authz_info.policies[].result enum The result can be ALLOWED or DENIED.
authz_info.policies[].details string The details include the following:
  • allowed_as_no_deny_policies_matched_request
  • denied_as_no_allow_policies_matched_request
  • denied_by_authz_extension
  • denied_by_cloud_iap
authz_info.overall_result enum The result can be ALLOWED or DENIED.

Logging for backend buckets

Logging is automatically enabled for load balancers with backend buckets. You cannot modify or disable logging for backend buckets.

Logging for Google Cloud Armor

The table for statusDetail HTTP failure messages contains some messages that apply to Google Cloud Armor. For more information about what Google Cloud Armor logs, see Using request logging.

Logging for Shared VPC deployments

Application Load Balancer logs and metrics are typically exported to the project that has the forwarding rule. Therefore, service admins—owners or users of projects where the backend service is created—won't have access to the load balancer's logs and metrics by default. You can use IAM roles to grant these permissions to service admins. To learn more about the IAM roles that are available, and the steps to provide access, see Grant access to Monitoring.

Interacting with the logs

You can interact with the external Application Load Balancer logs by using the Cloud Logging API. The Logging API provides ways to interactively filter logs that have specific fields set. It exports matching logs to Cloud Logging, Cloud Storage, BigQuery, or Pub/Sub. For more information about the Logging API, see Cloud Logging API overview.

Monitoring

The load balancer exports monitoring data to Cloud Monitoring.

You can use monitoring metrics to do the following:

  • Evaluate a load balancer's configuration, usage, and performance
  • Troubleshoot problems
  • Improve resource utilization and user experience

In addition to the predefined dashboards in Cloud Monitoring, you can create custom dashboards, set up alerts, and query the metrics through the Cloud Monitoring API.

Viewing predefined Cloud Monitoring dashboards

Cloud Monitoring provides predefined dashboards to monitor your load balancers. These dashboards are automatically populated by Cloud Monitoring.

Perform the following steps to access the predefined dashboards:

  1. Go to Monitoring in the Google Cloud console.

    Go to Monitoring

  2. In the Monitoring navigation panel, click Dashboards.

  3. Under Categories, click GCP.

    • To view a list of dashboards for all your Google Cloud load balancers, select the dashboard named Google Cloud Load Balancers. To view a specific load balancer's dashboard, locate the load balancer in the list and click its name.

    • To view the predefined dashboards for only your external Application Load Balancers, select the dashboard named External HTTP(S) Load Balancers. This page displays a dashboard that shows the 5XX response ratios and backend latency for all external Application Load Balancers in your project. It also provides a list of dashboards for all the external Application Load Balancers in your project.

      You can click through to each load balancer's dashboard. Each dashboard includes the following:

      • Pre-populated graphs that display breakdowns for responses by response code classes (5XX, 4XX, 3XX, 2XX)
      • Total latency
      • Backend latency
      • Frontend RTT
      • Request count
      • A link to the logs for the load balancer
  4. To view dashboards for third-party services, go back to the Dashboards page. Under Categories, click Other.

    • To view a specific third-party service dashboard, locate it in the list and click its name.

Defining alerting policies


To follow step-by-step guidance for this task directly in the Google Cloud console, click Guide me:

Guide me


You can create alerting policies to monitor the values of metrics and to notify you when those metrics violate a condition.

  1. In the Google Cloud console, go to the  Alerting page:

    Go to Alerting

    If you use the search bar to find this page, then select the result whose subheading is Monitoring.

  2. If you haven't created your notification channels and if you want to be notified, then click Edit Notification Channels and add your notification channels. Return to the Alerting page after you add your channels.
  3. From the Alerting page, select Create policy.
  4. To select the metric, expand the Select a metric menu and then do the following:
    1. To limit the menu to relevant entries, enter Global External Application Load Balancer Rule into the filter bar. If there are no results after you filter the menu, then disable the Show only active resources & metrics toggle.
    2. For the Resource type, select Global External Application Load Balancer Rule.
    3. Select a Metric category and a Metric, and then select Apply.
  5. Click Next.
  6. The settings in the Configure alert trigger page determine when the alert is triggered. Select a condition type and, if necessary, specify a threshold. For more information, see Create metric-threshold alerting policies.
  7. Click Next.
  8. Optional: To add notifications to your alerting policy, click Notification channels. In the dialog, select one or more notification channels from the menu, and then click OK.
  9. Optional: Update the Incident autoclose duration. This field determines when Monitoring closes incidents in the absence of metric data.
  10. Optional: Click Documentation, and then add any information that you want included in a notification message.
  11. Click Alert name and enter a name for the alerting policy.
  12. Click Create Policy.
For more information, see Alerting policies.

Defining Cloud Monitoring custom dashboards

You can create custom Cloud Monitoring dashboards for the load balancer's metrics:

  1. In the Google Cloud console, go to the Monitoring page.

    Go to Monitoring

  2. Select Dashboards > Create Dashboard.

  3. Click Add Chart, and then give the chart a title.

  4. To identify the time series to be displayed, choose a resource type and metric type:

    1. In the Resource & Metric section, click the chart, and then in the Select a metric section, select from the available options:
      • For a global external Application Load Balancer, select the resource type Global External Application Load Balancer Rule.
    2. Click Apply.
  5. To specify monitoring filters, click Filters > Add filter.

  6. Click Save.

Metric reporting frequency and retention

Metrics for the external Application Load Balancers are exported to Cloud Monitoring in 1-minute granularity batches. Monitoring data is retained for six (6) weeks.

The dashboard provides data analysis in default intervals of 1H (one hour), 6H (six hours), 1D (one day), 1W (one week), and 6W (six weeks). You can manually request analysis in any interval from 6W to 1 minute.

Monitoring metrics

You can monitor the following metrics for external Application Load Balancers.

The following metrics for global external Application Load Balancers are reported into Cloud Monitoring. These metrics are prepended with loadbalancing.googleapis.com/.

Metric Name Description
Request count https/request_count The number of requests served by the external Application Load Balancer
Request bytes count https/request_bytes_count The number of bytes sent as requests from clients to the external Application Load Balancer
Response bytes count https/response_bytes_count The number of bytes sent as responses from the external Application Load Balancer to clients
Total latencies https/total_latencies

A distribution of the latency. Latency is the time between the first byte of the request received to the last byte of the response sent by the GFE.

Total latencies are measured by request/response. Pauses between requests on the same connection that use Connection: keep-alive do not affect the measurement. This measurement is typically reduced to the 95th percentile in Cloud Monitoring views.

For websocket connections, this field refers to the entire time duration of the connection.

Example: A load balancer has 1 request per second from the UK, all with 100 ms latency, and 9 requests per second from the US, all with 50 ms latency. Over a certain minute there were 60 requests from the UK and 540 requests from the US. Monitoring metrics preserves the distribution over all dimensions. You can request information such as the following:

  • median overall latency (300/600) - 50 ms
  • median UK latency (30/60) - 100 ms
  • 95th percentile overall latency (570/600) - 100 ms
Frontend RTT* https/frontend_tcp_rtt A distribution of the smoothed round trip time (RTT) measured for each connection between the client and the GFE (measured by the GFE's TCP stack). Smoothed RTT is an algorithm that deals with variations and anomalies that may occur in RTT measurements.
Backend latencies* https/backend_latencies

A distribution of the latency measured from when the first request byte was sent by the GFE to the backend, until the GFE received from the backend the last byte of the response.

For websocket connections, backend latencies apply to the entire duration of the websocket session.

Response code class fraction Fraction of total external Application Load Balancer responses that are in each response code class (2XX, 4XX, ...). In Cloud Monitoring, this value is only available on default dashboards. It is not available for custom dashboards. You can use the API to set alerts for it.
Backend request count https/backend_request_count The number of requests sent from the external Application Load Balancer to the backends.
Backend request bytes count https/backend_request_bytes_count The number of bytes sent as requests from the external Application Load Balancer to the backends.
Backend response bytes count https/backend_response_bytes_count The number of bytes sent as responses from the backends (including cache) to the external Application Load Balancer.

* The sum of Frontend RTT and Backend latencies is not guaranteed to be less than or equal to Total latencies. This is because although we poll RTT over the socket from the GFE to the client at the time the HTTP response is ACKed, we rely on kernel reporting for some of these measurements, and we cannot guarantee that the kernel will have an RTT measurement for the given HTTP response. The end result is a smoothed RTT value that is also affected by previous HTTP responses, SYN/ACKs, and SSL handshakes that aren't affecting current HTTP request actual timings.

For monitoring websocket connections, create a backend service specifically for websockets.

Filtering dimensions for metrics

You can apply filters for metrics for external Application Load Balancers.

Metrics are aggregated for each classic Application Load Balancer and global external Application Load Balancer. You can filter aggregated metrics by the following dimensions for resource.type="http_load_balancer" or resource.type="https_lb_rule". Note that not all dimensions are available on all metrics.

Property Description
backend_scope The Google Cloud scope (region or zone) of the backend service instance group that served the connection.

If no instance group was available or if the request was served by another entity, you will see one of the following values instead of the region or zone of the backend service instance group.

  • FRONTEND_5XX - An internal error occurred before the GFE could select a backend. The GFE returned `5XX` to the client.
  • INVALID_BACKEND - The GFE couldn't find a healthy backend to assign the request to, so it returned a `5XX` response to the requestor.
  • NO_BACKEND_SELECTED - An error or other interruption occurred before a backend could be selected or a URL redirect happened.
  • MULTIPLE_BACKENDS - The request was served by potentially multiple backends. This can happen when Cloud CDN has served the request partially from its cache and has also sent one or more byte range requests to the backend. Use the backend_scope breakdown to visualize each load balancer-to-backend request.

When this breakdown is chosen, the charts show backend metrics (load balancer-to-backends), not frontend metrics (client-to-load balancer).
backend_type

The name of the backend group that served the client's request. Can be INSTANCE GROUP, NETWORK_ENDPOINT_GROUP, or UNKNOWN is returned if the backend wasn't assigned. If no backend group was available or if the request was served by another entity, one of the following values is displayed instead of a backend group.

  • FRONTEND_5XX - An internal error occurred before the GFE could select a backend. The GFE returned `5XX` to the client.
  • INVALID_BACKEND - The GFE couldn't find a healthy backend to assign the request to, so it returned a `5XX` response to the requestor.
  • NO_BACKEND_SELECTED - An error or other interruption occurred before backend could be selected or a URL redirect happened.
  • MULTIPLE_BACKENDS - The request was served by potentially multiple backends. This can happen when Cloud CDN has served the request partially from its cache and has also sent one or more byte range requests to the backend. Use the backend_scope breakdown to visualize each load balancer-to-backend request.
backend_target_type The name of the backend service that served the request. Can be BACKEND_SERVICE, BACKEND_BUCKET, UNKNOWN if the backend wasn't assigned, or NO_BACKEND_SELECTED if an error or other interruption occurred before a backend could be selected or a URL redirect happened.
matched_url_path_rule The URL map path rule that matched the prefix of the HTTP(S) request (up to 50 characters).
forwarding_rule_name The name of the forwarding rule used by the client to send the request.
url_map_name

The URL map path rule or route rule configured as part of the URL map key. Can be UNMATCHED or UNKNOWN as fallbacks.

  • UNMATCHED refers to a request that doesn't match any URL path rules, so url_map_name uses the default path rule.
  • UNKNOWN indicates an internal error.
target_proxy_name The name of the target HTTP(S) proxy object referenced by the forwarding rule.
backend_target_name The name of the backend target. The target can be either a backend service or backend bucket. UNKNOWN is returned if a backend wasn't assigned.
backend_name The name of the backend instance group, bucket, or NEG. UNKNOWN is returned if the backend wasn't assigned, or NO_BACKEND_SELECTED if an error or other interruption occurred before a backend could be selected or a URL redirect happened.
backend_scope_type

The type of the scope of the backend group. Can be GLOBAL, REGION, ZONE, MULTIPLE_BACKENDS, or NO_BACKEND_SELECTED if an error or other interruption occurred before a backend could be selected or a URL redirect happened, or other possible backend_type outputs.

MULTIPLE_BACKENDS is used when chunk caching is used. Multiple queries are sent to the same backend for different chunks of data to support a single client request.

proxy_continent Continent of the HTTP(S) GFE that terminated the HTTP(S) connection. (Examples: America, Europe, Asia)
protocol Protocol used by the client, one of HTTP/1.0, HTTP/1.1, HTTP/2.0, QUIC/HTTP/2.0, UNKNOWN.
response_code The HTTP response code of the request.
response_code_class The HTTP response code class of the request: 200, 300, 400, 500 or 0 for none.
cache_result Cache result for serving HTTP request by proxy: HIT, MISS, DISABLED, PARTIAL_HIT (for a request served partially from cache and partially from backend) or UNKNOWN.
client_country Country of the client that issued the HTTP request (for example, United States or Germany)
load_balancing_scheme The load balancing scheme used. If classic Application Load Balancer is used, the value is EXTERNAL. If global external Application Load Balancer is used, the value is EXTERNAL_MANAGED.

What's next