Migrate resources from classic to global external Application Load Balancer

This document describes how to migrate classic Application Load Balancer infrastructure resources to the global external Application Load Balancer infrastructure.

Before you begin

Ensure your setup meets the following prerequisites.

Set a default project

Console

Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Go to project selector

Make sure that billing is enabled for your Google Cloud project.

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Go to project selector

Make sure that billing is enabled for your Google Cloud project.

gcloud

gcloud config set project PROJECT_ID

Replace PROJECT_ID with the project that you are using for this guide.

Permissions

To follow this document, you must have permissions to create Compute Engine virtual machine (VM) instances, firewall rules, reserved IP addresses, and Cloud Storage buckets in a Google Cloud project. You must be either a project owner or editor, or you must have the following Compute Engine IAM roles:

Task	Required role
Create instances	Compute Instance Admin (beta) role (`roles/compute.instanceAdmin`)
Add and remove firewall rules	Compute Security Admin role (`roles/compute.securityAdmin`)
Create load balancer components	Compute Network Admin role (`roles/compute.networkAdmin`)
Create a project (optional)	Project Creator role (`roles/resourcemanager.projectCreator`)
Create Cloud Storage buckets	Storage Object Admin role (`roles/storage.objectAdmin`)

For more information, see the following guides:

Create classic Application Load Balancer resources

In this document, you create the following classic Application Load Balancer resources and then migrate them to the global external Application Load Balancer infrastructure.

A managed instance group with VMs.
A Cloud Storage bucket.
An HTTP classic Application Load Balancer with the managed instance group and the Cloud Storage bucket as backends.

Create a managed instance group

This section describes how to create a managed instance group with Linux VMs that have Apache running. A managed instance group creates each of its managed instances based on the instance templates that you specify.

Create an instance template

Console

In the Google Cloud console, go to the Instance templates page.

Go to Instance templates
Click Create instance template.
For Name, enter lb-backend-template.
For Region, select REGION.
In the Boot disk section, ensure that Image of the boot disk is set to a Debian image, such as Debian GNU/Linux 12 (bookworm). These instructions use commands that are only available on Debian, such as apt-get.
Click Advanced options.
Click Networking, and in the Network tags field, enter allow-health-check.

Click Management, and enter the following script into the Startup script field.

#! /bin/bash
apt-get update
apt-get install apache2 -y
a2ensite default-ssl
a2enmod ssl
vm_hostname="$(curl -H "Metadata-Flavor:Google" \
http://metadata.google.internal/computeMetadata/v1/instance/name)"
echo "Page served from: $vm_hostname" | \
tee /var/www/html/index.html
systemctl restart apache2

Click Create.

gcloud

Run the gcloud compute instance-templates create command to create the template.

gcloud compute instance-templates create lb-backend-template \
    --region=REGION \
    --network=default \
    --subnet=default \
    --tags=allow-health-check \
    --image-family=debian-12 \
    --image-project=debian-cloud \
    --metadata=startup-script='#! /bin/bash
      apt-get update
      apt-get install apache2 -y
      a2ensite default-ssl
      a2enmod ssl
      vm_hostname="$(curl -H "Metadata-Flavor:Google" \
    http://metadata.google.internal/computeMetadata/v1/instance/name)"
    echo "Page served from: $vm_hostname" | \
    tee /var/www/html/index.html
    systemctl restart apache2'

Create the managed instance group

Console

In the Google Cloud console, go to the Instance groups page.

Go to Instance groups
Click Create instance group.
Select New managed instance group (stateless).
For Name, enter lb-backend-example.
For Instance template, select the instance template lb-backend-template.
Under Location, select Single zone.
For Region, select REGION.
For Zone, select ZONE.
For Autoscaling mode, select On: add and remove instances to the group.

Set Minimum number of instances and Maximum number of instances to 2.
In the Port mapping section, click Add port.
For the port name, enter http. For the port number, enter 80.
Click Create.

gcloud

Run the gcloud compute instance-groups managed create command to create the managed instance group based on the template.

gcloud compute instance-groups managed create lb-backend-example \
    --template=lb-backend-template \
    --size=2 --zone=ZONE

Run the following command to add a named port to the instance group:

gcloud compute instance-groups set-named-ports lb-backend-example \
    --named-ports http:80 \
    --zone ZONE

Configure a firewall rule

In this section, you create the fw-allow-health-check firewall rule and use the target tag allow-health-check to identify the VMs. This is an ingress rule that allows traffic from the Google Cloud health checking systems (130.211.0.0/22 and 35.191.0.0/16).

Console

In the Google Cloud console, go to the Firewall policies page.

Go to Firewall policies
Click Create firewall rule.
For Name, enter fw-allow-health-check.
For Network, select default.
For Targets, select Specified target tags.
In the Target tags field, enter allow-health-check.
Set Source filter to IPv4 ranges.
Set Source IPv4 ranges to 130.211.0.0/22 and 35.191.0.0/16.
In the Protocols and ports section, select Specified protocols and ports.
Select the TCP checkbox, and then type 80 for the port number.
Click Create.

gcloud

Run the gcloud compute firewall-rules create command to create the firewall rule.

gcloud compute firewall-rules create fw-allow-health-check \
    --network=default \
    --action=allow \
    --direction=ingress \
    --source-ranges=130.211.0.0/22,35.191.0.0/16 \
    --target-tags=allow-health-check \
    --rules=tcp:80

Create a Cloud Storage bucket

In this section, you create a Cloud Storage bucket for the load balancer to access. For production deployments, we recommend that you choose a multi-region bucket, which automatically replicates objects across multiple Google Cloud regions. This can improve the availability of your content and improve failure tolerance across your application.

Console

In the Google Cloud console, go to the Cloud Storage Buckets page.

Go to Cloud Storage Buckets
Click Create.
In the Name your bucket box, enter storage-backend-bucket and click Continue.
Click Choose where to store your data.
Set Location type to Region, and specify REGION.
Click Create.
Optional: If you see the Public access will be prevented dialog, clear the Enforce public access prevention on this bucket checkbox and click Confirm.

gcloud

Run the gcloud storage buckets create command to create the bucket:

gcloud storage buckets create gs://storage-backend-bucket \
    --default-storage-class=standard \
    --location=REGION --uniform-bucket-level-access

Transfer content to your Cloud Storage buckets

To test the bucket after you create the load balancer, copy the following image file from a public Cloud Storage bucket to your own Cloud Storage bucket.

gcloud

Click Activate Cloud Shell.
Run the following commands in Cloud Shell:

gcloud storage cp gs://gcp-external-http-lb-with-bucket/three-cats.jpg gs://storage-backend-bucket/never-fetch/

In the Google Cloud console, click Refresh on the bucket's details page to verify that the file has been copied successfully.

Make your Cloud Storage bucket publicly readable

When you make a Cloud Storage bucket publicly readable, anyone on the internet can list and view their objects, and view their metadata (excluding ACLs). Don't include sensitive information in your public buckets.

To reduce the likelihood of accidental exposure of sensitive information, don't store public objects and sensitive data in the same bucket.

Console

To grant all users access to view objects in your buckets, follow these steps:

In the Google Cloud console, go to the Cloud Storage Buckets page.

Go to Cloud Storage Buckets
Click the storage-backend-bucket name, and then click the Permissions tab.
Click Grant access.
In the New principals box, enter allUsers.
In the Select a role box, select Cloud Storage > Storage Object Viewer.
Click Save.
Click Allow public access.

gcloud

Run the gcloud storage buckets add-iam-policy-binding command to grant all users access to view objects in your buckets:

gcloud storage buckets add-iam-policy-binding gs://storage-backend-bucket \
    --member=allUsers \
    --role=roles/storage.objectViewer

Reserve an external IP address

Now that your instances are up and running, set up a global static external IP address that your customers use to reach your load balancer.

Console

In the Google Cloud console, go to the External IP addresses page.

Go to External IP addresses
To reserve an IPv4 address, click Reserve external static IP address.
For Name, enter lb-ipv4-1.
Set Network Service Tier to Premium.
Set IP version to IPv4.
Set Type to Global.
Click Reserve.

gcloud

To reserve an external IP address, run the following command:

gcloud compute addresses create lb-ipv4-1 \
    --ip-version=IPV4 \
    --network-tier=PREMIUM \
    --global

To note the IPv4 address that was reserved, run the following command:

gcloud compute addresses describe lb-ipv4-1 \
    --format="get(address)" \
    --global

Set up the classic Application Load Balancer

In this section, you use HTTP (frontend) between the client and the load balancer.

Console

Start your configuration

In the Google Cloud console, go to the Load balancing page.

Go to Load balancing
Click Create load balancer.
For Type of load balancer, select Application Load Balancer (HTTP/HTTPS) and click Next.
For Public facing or internal, select Public facing (external) and click Next.
For Global or single region deployment, select Best for global workloads and click Next.
For Load balancer generation, select Classic Application Load Balancer and click Next.
Click Configure.

Basic configuration

In the Load balancer name field, enter web-map-http.
Click Frontend configuration, configure the following fields, and then click Done.
- Protocol: HTTP.
- IP version: IPv4
- IP address: lb-ipv4-1
- Port: 443
Click Backend configuration.
In Backend services & backend buckets, click Create a backend service, and then do the following:
1. Configure the following fields:
  - Name: web-backend-service
  - Protocol: HTTP
  - Named Port: http
2. In the Backends > New backend section, configure the following fields, and then click Done.
  - Instance group: lb-backend-example
  - Port numbers: 80
3. For Health check, click Create a health check, specify the following fields, and then click Save.
  - Name: http-basic-check
  - Protocol: HTTP
4. In the Logging section, select the Enable logging checkbox.
5. Click Create.
Click OK.
In Backend services & backend buckets, click Create a backend bucket, configure the following fields, and then click Create.
- Backend bucket name: cats
- Cloud Storage bucket: storage-backend-bucket
Click OK.
Click Host and path rules.
For cats, enter * in the Host 2 field, and /never-fetch/* in the Path 2 field.
Click Review and finalize.
Review your load balancer configuration settings.
Click Create.

gcloud

Create a health check.

gcloud compute health-checks create http http-basic-check \
    --port 80

Create a backend service.

gcloud compute backend-services create web-backend-service \
    --load-balancing-scheme=EXTERNAL \
    --protocol=HTTP \
    --port-name=http \
    --health-checks=http-basic-check \
    --enable-logging \
    --logging-sample-rate=1.0 \
    --enable-cdn \
    --global

Add your instance group as the backend to the backend service.

gcloud compute backend-services add-backend web-backend-service \
    --instance-group=lb-backend-example \
    --instance-group-zone=ZONE \
    --global

Add a backend bucket.

gcloud compute backend-buckets create cats \
    --gcs-bucket-name=storage-backend-bucket

Create a URL map to route the incoming requests to the backend service and backend bucket.

gcloud compute url-maps create web-map-http \
    --default-service web-backend-service

gcloud compute url-maps add-path-matcher web-map-http \
    --path-matcher-name=cats-path-matcher \
    --default-backend-bucket=cats \
    --new-hosts="*" \
    --backend-bucket-path-rules="/never-fetch/*=cats"

Create a target HTTP proxy to route requests to URL maps.

gcloud compute target-http-proxies create http-lb-proxy \
    --url-map=web-map-http

Create a global forwarding rule to route incoming requests to the proxy.

gcloud compute forwarding-rules create web-map-http-forwarding-rule \
    --load-balancing-scheme=EXTERNAL \
    --address=lb-ipv4-1 \
    --global \
    --target-http-proxy=http-lb-proxy \
    --ports=80

Test traffic sent to your instances

Now that the load balancing service is running, you can send traffic to the forwarding rule and watch the traffic be dispersed to different instances.

Console

In the Google Cloud console, go to the Load balancing page.

Go to Load balancing
Click web-map-http.
In the Frontend section, note the IP:Port of the load balancer.
To test the backend instance, enter http://IP_ADDRESS in the address bar of the web browser.

Your browser renders a page with content showing the name of the instance that served the page, along with its zone (for example, Page served from: lb-backend-example-xxxx).
To test the backend bucket, enter http://IP_ADDRESS/never-fetch/three-cats.jpg in the address bar of the web browser.

Your browser renders the image.

Migrate classic Application Load Balancer resources

In this section, you migrate the backend service, backend bucket, and the forwarding rule to the global external Application Load Balancer infrastructure.

Migrate the backend service

Prepare the backend service for migration.

gcloud compute backend-services update web-backend-service \
    --external-managed-migration-state=PREPARE \
    --global

Wait for some time (approximately six minutes).

Send some traffic, such as 10%, to the backend service.
```
gcloud compute backend-services update web-backend-service \
    --external-managed-migration-state=TEST_BY_PERCENTAGE \
    --external-managed-migration-testing-percentage=10 \
    --global
```
Wait for some time (approximately six minutes).

After the resource is ready, it sends 10% of requests to the global external Application Load Balancer infrastructure and 90% of requests to the classic Application Load Balancer infrastructure.
Access the backend service.

Enter http://IP_ADDRESS in the address bar of the web browser. If you see the Page served from: lb-backend-example-xxxx message, run the following command to increase the percentage.
```
gcloud compute backend-services update web-backend-service \
    --external-managed-migration-state=TEST_BY_PERCENTAGE \
    --external-managed-migration-testing-percentage=50 \
    --global
```
Repeat the process until you reach 100%.
Optional: Check the logs of the backend service.

Complete the test and send all traffic to the backend service.

gcloud compute backend-services update web-backend-service \
    --external-managed-migration-state=TEST_ALL_TRAFFIC \
    --global

Optional: Check the logs of the backend service.
Change the scheme of the backend service to EXTERNAL_MANAGED.
```
gcloud compute backend-services update web-backend-service \
    --load-balancing-scheme=EXTERNAL_MANAGED \
    --global
```
Wait for some time (approximately six minutes) for the backend service to be fully migrated to the global external Application Load Balancer infrastructure.
Optional: Check the logs of the backend service. You see that the load balancing scheme is EXTERNAL_MANAGED.

Migrate the backend bucket

Prepare the backend bucket for migration.

gcloud compute forwarding-rules update web-map-http-forwarding-rule \
    --external-managed-backend-bucket-migration-state=PREPARE \
    --global

Wait for some time (approximately six minutes).

Send some traffic, such as 10%, to the backend bucket.
```
gcloud compute forwarding-rules update web-map-http-forwarding-rule \
    --external-managed-backend-bucket-migration-state=TEST_BY_PERCENTAGE \
    --external-managed-backend-bucket-migration-testing-percentage=10 \
    --global
```
Wait for some time (approximately six minutes).

After the resource is ready, it sends 10% of requests to the global external Application Load Balancer infrastructure and 90% of requests to the classic Application Load Balancer infrastructure.
Access the backend bucket.

Enter http://IP_ADDRESS/never-fetch/three-cats.jpg in the address bar of the web browser. If you see the image of cats, run the following command to increase the percentage. Repeat the process until you reach 100%.
```
gcloud compute forwarding-rules update web-map-http-forwarding-rule \
    --external-managed-backend-bucket-migration-state=TEST_BY_PERCENTAGE \
    --external-managed-backend-bucket-migration-testing-percentage=50 \
    --global
```
Optional: Check the logs of the backend bucket.

Complete the test and send all traffic to the backend bucket.

gcloud compute forwarding-rules update web-map-http-forwarding-rule \
    --external-managed-backend-bucket-migration-state=TEST_ALL_TRAFFIC \
    --global

Optional: Check the logs of the backend bucket.

Migrate the forwarding rule

Change the scheme of the forwarding rule to EXTERNAL_MANAGED.
```
gcloud compute forwarding-rules update web-map-http-forwarding-rule \
    --load-balancing-scheme=EXTERNAL_MANAGED \
    --global
```
Wait for some time (approximately six minutes) for the forwarding rule to be fully migrated to the global external Application Load Balancer infrastructure.
Optional: Check the logs of the forwarding rule. You see that the load balancing scheme is EXTERNAL_MANAGED.

What's next

Roll back migrated resources to classic Application Load Balancer