This document describes how to migrate classic Application Load Balancer infrastructure resources to the global external Application Load Balancer infrastructure.
Before you begin
Ensure your setup meets the following prerequisites.
Set a default project
Console
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Google Cloud project.
gcloud
gcloud config set project PROJECT_ID
Replace PROJECT_ID with the project that you are using for this guide.
Permissions
To follow this document, you must have permissions to create Compute Engine virtual machine (VM) instances, firewall rules, reserved IP addresses, and Cloud Storage buckets in a Google Cloud project. You must be either a project owner or editor, or you must have the following Compute Engine IAM roles:
Task | Required role |
---|---|
Create instances | Compute Instance Admin (beta) role (roles/compute.instanceAdmin) |
Add and remove firewall rules | Compute Security Admin role (roles/compute.securityAdmin) |
Create load balancer components | Compute Network Admin role (roles/compute.networkAdmin) |
Create a project (optional) | Project Creator role (roles/resourcemanager.projectCreator) |
Create Cloud Storage buckets | Storage Object Admin role (roles/storage.objectAdmin) |
For more information, see the following guides:
Create classic Application Load Balancer resources
In this document, you create the following classic Application Load Balancer resources and then migrate them to the global external Application Load Balancer infrastructure.
- A managed instance group with VMs.
- A Cloud Storage bucket.
- An HTTP classic Application Load Balancer with the managed instance group and the Cloud Storage bucket as backends.
Create a managed instance group
This section describes how to create a managed instance group with Linux VMs that have Apache running. A managed instance group creates each of its managed instances based on the instance templates that you specify.
Create an instance template
Console
In the Google Cloud console, go to the Instance templates page.
Click Create instance template.
For Name, enter lb-backend-template.
For Region, select REGION.
In the Boot disk section, ensure that Image of the boot disk is set to a Debian image, such as Debian GNU/Linux 12 (bookworm). These instructions use commands that are only available on Debian, such as apt-get.
Click Advanced options.
Click Networking, and in the Network tags field, enter allow-health-check.
Click Management, and enter the following script into the Startup script field.
#! /bin/bash
apt-get update
apt-get install apache2 -y
a2ensite default-ssl
a2enmod ssl
vm_hostname="$(curl -H "Metadata-Flavor:Google" \
http://metadata.google.internal/computeMetadata/v1/instance/name)"
echo "Page served from: $vm_hostname" | \
tee /var/www/html/index.html
systemctl restart apache2
Click Create.
gcloud
Run the gcloud compute instance-templates create command to create the template.
gcloud compute instance-templates create lb-backend-template \
    --region=REGION \
    --network=default \
    --subnet=default \
    --tags=allow-health-check \
    --image-family=debian-12 \
    --image-project=debian-cloud \
    --metadata=startup-script='#! /bin/bash
    apt-get update
    apt-get install apache2 -y
    a2ensite default-ssl
    a2enmod ssl
    vm_hostname="$(curl -H "Metadata-Flavor:Google" \
    http://metadata.google.internal/computeMetadata/v1/instance/name)"
    echo "Page served from: $vm_hostname" | \
    tee /var/www/html/index.html
    systemctl restart apache2'
Create the managed instance group
Console
In the Google Cloud console, go to the Instance groups page.
Click Create instance group.
Select New managed instance group (stateless).
For Name, enter lb-backend-example.
For Instance template, select the instance template lb-backend-template.
Under Location, select Single zone.
For Region, select REGION.
For Zone, select ZONE.
For Autoscaling mode, select On: add and remove instances to the group.
Set Minimum number of instances and Maximum number of instances to 2.
In the Port mapping section, click Add port.
For the port name, enter http. For the port number, enter 80.
Click Create.
gcloud
Run the gcloud compute instance-groups managed create command to create the managed instance group based on the template.
gcloud compute instance-groups managed create lb-backend-example \
    --template=lb-backend-template \
    --size=2 --zone=ZONE
Run the following command to add a named port to the instance group:
gcloud compute instance-groups set-named-ports lb-backend-example \
    --named-ports http:80 \
    --zone ZONE
Configure a firewall rule
In this section, you create the fw-allow-health-check firewall rule and use the target tag allow-health-check to identify the VMs. This is an ingress rule that allows traffic from the Google Cloud health checking systems (130.211.0.0/22 and 35.191.0.0/16).
Console
In the Google Cloud console, go to the Firewall policies page.
Click Create firewall rule.
For Name, enter fw-allow-health-check.
For Network, select default.
For Targets, select Specified target tags.
In the Target tags field, enter allow-health-check.
Set Source filter to IPv4 ranges.
Set Source IPv4 ranges to 130.211.0.0/22 and 35.191.0.0/16.
In the Protocols and ports section, select Specified protocols and ports.
Select the TCP checkbox, and then type 80 for the port number.
Click Create.
gcloud
Run the gcloud compute firewall-rules create command to create the firewall rule.
gcloud compute firewall-rules create fw-allow-health-check \
    --network=default \
    --action=allow \
    --direction=ingress \
    --source-ranges=130.211.0.0/22,35.191.0.0/16 \
    --target-tags=allow-health-check \
    --rules=tcp:80
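To confirm that the allow-health-check tag admits only the two health check ranges, the following added example (not part of the original guide) lists every ingress rule that targets the tag and reports any other source range. The function names are illustrative, and rules that have no target tags are outside what it checks.

```shell
#!/bin/sh
# Added example: audit ingress rules that target the allow-health-check tag.
# Function names are illustrative; rules with no target tags are out of scope.
ALLOWED_RANGES="130.211.0.0/22 35.191.0.0/16"  # health check ranges from this guide

# list_tagged_rules: one line per rule, "NAME<TAB>RANGE,RANGE,..."
list_tagged_rules() {
  gcloud compute firewall-rules list \
    --filter="direction=INGRESS AND targetTags.list():allow-health-check" \
    --format="value(name,sourceRanges.list())"
}

# audit_rules: reads list_tagged_rules output on stdin, prints one finding per
# unexpected source range, and returns 1 if any finding was printed.
audit_rules() {
  local name ranges r rc=0
  while read -r name ranges; do
    for r in $(printf '%s' "$ranges" | tr ',;' '  '); do
      case " $ALLOWED_RANGES " in
        *" $r "*) ;;
        *) echo "$name: unexpected source range $r"; rc=1 ;;
      esac
    done
  done
  return "$rc"
}
```

Run it as `list_tagged_rules | audit_rules`; an empty result with exit status 0 means only the health check ranges can reach the tagged VMs through tag-targeted rules.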
Create a Cloud Storage bucket
In this section, you create a Cloud Storage bucket for the load balancer to access. For production deployments, we recommend that you choose a multi-region bucket, which automatically replicates objects across multiple Google Cloud regions. This can improve the availability of your content and improve failure tolerance across your application.
Console
In the Google Cloud console, go to the Cloud Storage Buckets page.
Click Create.
In the Name your bucket box, enter storage-backend-bucket and click Continue.
Click Choose where to store your data.
Set Location type to Region, and specify REGION.
Click Create.
Optional: If you see the Public access will be prevented dialog, clear the Enforce public access prevention on this bucket checkbox and click Confirm.
gcloud
Run the gcloud storage buckets create command to create the bucket:
gcloud storage buckets create gs://storage-backend-bucket \
    --default-storage-class=standard \
    --location=REGION --uniform-bucket-level-access
Transfer content to your Cloud Storage buckets
To test the bucket after you create the load balancer, copy the following image file from a public Cloud Storage bucket to your own Cloud Storage bucket.
gcloud
Click Activate Cloud Shell.
Run the following commands in Cloud Shell:
gcloud storage cp gs://gcp-external-http-lb-with-bucket/three-cats.jpg gs://storage-backend-bucket/never-fetch/
In the Google Cloud console, click Refresh on the bucket's details page to verify that the file has been copied successfully.
Make your Cloud Storage bucket publicly readable
When you make a Cloud Storage bucket publicly readable, anyone on the internet can list and view its objects, and view their metadata (excluding ACLs). Don't include sensitive information in your public buckets.
To reduce the likelihood of accidental exposure of sensitive information, don't store public objects and sensitive data in the same bucket.
Console
To grant all users access to view objects in your buckets, follow these steps:
In the Google Cloud console, go to the Cloud Storage Buckets page.
Click the storage-backend-bucket name, and then click the Permissions tab.
Click Grant access.
In the New principals box, enter allUsers.
In the Select a role box, select Cloud Storage > Storage Object Viewer.
Click Save.
Click Allow public access.
gcloud
Run the gcloud storage buckets add-iam-policy-binding command to grant all users access to view objects in your buckets:
gcloud storage buckets add-iam-policy-binding gs://storage-backend-bucket \
    --member=allUsers \
    --role=roles/storage.objectViewer
Reserve an external IP address
Now that your instances are up and running, set up a global static external IP address that your customers use to reach your load balancer.
Console
In the Google Cloud console, go to the External IP addresses page.
To reserve an IPv4 address, click Reserve external static IP address.
For Name, enter lb-ipv4-1.
Set Network Service Tier to Premium.
Set IP version to IPv4.
Set Type to Global.
Click Reserve.
gcloud
To reserve an external IP address, run the following command:
gcloud compute addresses create lb-ipv4-1 \
    --ip-version=IPV4 \
    --network-tier=PREMIUM \
    --global
To note the IPv4 address that was reserved, run the following command:
gcloud compute addresses describe lb-ipv4-1 \
    --format="get(address)" \
    --global
Set up the classic Application Load Balancer
In this section, you use HTTP (frontend) between the client and the load balancer.
Console
Start your configuration
In the Google Cloud console, go to the Load balancing page.
- Click Create load balancer.
- For Type of load balancer, select Application Load Balancer (HTTP/HTTPS) and click Next.
- For Public facing or internal, select Public facing (external) and click Next.
- For Global or single region deployment, select Best for global workloads and click Next.
- For Load balancer generation, select Classic Application Load Balancer and click Next.
- Click Configure.
Basic configuration
- In the Load balancer name field, enter web-map-http.
- Click Frontend configuration, configure the following fields, and then click Done.
  - Protocol: HTTP
  - IP version: IPv4
  - IP address: lb-ipv4-1
  - Port: 443
- Click Backend configuration.
- In Backend services & backend buckets, click Create a backend service, and then do the following:
  - Configure the following fields:
    - Name: web-backend-service
    - Protocol: HTTP
    - Named Port: http
  - In the Backends > New backend section, configure the following fields, and then click Done.
    - Instance group: lb-backend-example
    - Port numbers: 80
  - For Health check, click Create a health check, specify the following fields, and then click Save.
    - Name: http-basic-check
    - Protocol: HTTP
  - In the Logging section, select the Enable logging checkbox.
  - Click Create.
- Click OK.
- In Backend services & backend buckets, click Create a backend bucket, configure the following fields, and then click Create.
  - Backend bucket name: cats
  - Cloud Storage bucket: storage-backend-bucket
- Click OK.
- Click Host and path rules.
- For cats, enter * in the Host 2 field, and /never-fetch/* in the Path 2 field.
- Click Review and finalize.
- Review your load balancer configuration settings.
- Click Create.
gcloud
Create a health check.
gcloud compute health-checks create http http-basic-check \
    --port 80
Create a backend service.
gcloud compute backend-services create web-backend-service \
    --load-balancing-scheme=EXTERNAL \
    --protocol=HTTP \
    --port-name=http \
    --health-checks=http-basic-check \
    --enable-logging \
    --logging-sample-rate=1.0 \
    --enable-cdn \
    --global
Add your instance group as the backend to the backend service.
gcloud compute backend-services add-backend web-backend-service \
    --instance-group=lb-backend-example \
    --instance-group-zone=ZONE \
    --global
Add a backend bucket.
gcloud compute backend-buckets create cats \
    --gcs-bucket-name=storage-backend-bucket
Create a URL map to route the incoming requests to the backend service and backend bucket.
gcloud compute url-maps create web-map-http \
    --default-service web-backend-service
gcloud compute url-maps add-path-matcher web-map-http \
    --path-matcher-name=cats-path-matcher \
    --default-backend-bucket=cats \
    --new-hosts="*" \
    --backend-bucket-path-rules="/never-fetch/*=cats"
Create a target HTTP proxy to route requests to URL maps.
gcloud compute target-http-proxies create http-lb-proxy \
    --url-map=web-map-http
Create a global forwarding rule to route incoming requests to the proxy.
gcloud compute forwarding-rules create web-map-http-forwarding-rule \
    --load-balancing-scheme=EXTERNAL \
    --address=lb-ipv4-1 \
    --global \
    --target-http-proxy=http-lb-proxy \
    --ports=80
Test traffic sent to your instances
Now that the load balancing service is running, you can send traffic to the forwarding rule and watch the traffic be dispersed to different instances.
Console
In the Google Cloud console, go to the Load balancing page.
Click web-map-http.
In the Frontend section, note the IP:Port of the load balancer.
To test the backend instance, enter http://IP_ADDRESS in the address bar of the web browser.
Your browser renders a page with content showing the name of the instance that served the page, along with its zone (for example, Page served from: lb-backend-example-xxxx).
To test the backend bucket, enter http://IP_ADDRESS/never-fetch/three-cats.jpg in the address bar of the web browser.
Your browser renders the image.
Migrate classic Application Load Balancer resources
In this section, you migrate the backend service, backend bucket, and the forwarding rule to the global external Application Load Balancer infrastructure.
Migrate the backend service
Prepare the backend service for migration.
gcloud compute backend-services update web-backend-service \
    --external-managed-migration-state=PREPARE \
    --global
Wait for some time (approximately six minutes).
Send some traffic, such as 10%, to the backend service.
gcloud compute backend-services update web-backend-service \
    --external-managed-migration-state=TEST_BY_PERCENTAGE \
    --external-managed-migration-testing-percentage=10 \
    --global
Wait for some time (approximately six minutes).
After the resource is ready, it sends 10% of requests to the global external Application Load Balancer infrastructure and 90% of requests to the classic Application Load Balancer infrastructure.
Access the backend service.
Enter http://IP_ADDRESS in the address bar of the web browser. If you see the Page served from: lb-backend-example-xxxx message, run the following command to increase the percentage.
gcloud compute backend-services update web-backend-service \
    --external-managed-migration-state=TEST_BY_PERCENTAGE \
    --external-managed-migration-testing-percentage=50 \
    --global
Repeat the process until you reach 100%.
Optional: Check the logs of the backend service.
Complete the test and send all traffic to the backend service.
gcloud compute backend-services update web-backend-service \
    --external-managed-migration-state=TEST_ALL_TRAFFIC \
    --global
Optional: Check the logs of the backend service.
Change the scheme of the backend service to EXTERNAL_MANAGED.
gcloud compute backend-services update web-backend-service \
    --load-balancing-scheme=EXTERNAL_MANAGED \
    --global
Wait for some time (approximately six minutes) for the backend service to be fully migrated to the global external Application Load Balancer infrastructure.
Optional: Check the logs of the backend service. You see that the load balancing scheme is EXTERNAL_MANAGED.
Migrate the backend bucket
Prepare the backend bucket for migration.
gcloud compute forwarding-rules update web-map-http-forwarding-rule \
    --external-managed-backend-bucket-migration-state=PREPARE \
    --global
Wait for some time (approximately six minutes).
Send some traffic, such as 10%, to the backend bucket.
gcloud compute forwarding-rules update web-map-http-forwarding-rule \
    --external-managed-backend-bucket-migration-state=TEST_BY_PERCENTAGE \
    --external-managed-backend-bucket-migration-testing-percentage=10 \
    --global
Wait for some time (approximately six minutes).
After the resource is ready, it sends 10% of requests to the global external Application Load Balancer infrastructure and 90% of requests to the classic Application Load Balancer infrastructure.
Access the backend bucket.
Enter http://IP_ADDRESS/never-fetch/three-cats.jpg in the address bar of the web browser. If you see the image of cats, run the following command to increase the percentage. Repeat the process until you reach 100%.
gcloud compute forwarding-rules update web-map-http-forwarding-rule \
    --external-managed-backend-bucket-migration-state=TEST_BY_PERCENTAGE \
    --external-managed-backend-bucket-migration-testing-percentage=50 \
    --global
Optional: Check the logs of the backend bucket.
Complete the test and send all traffic to the backend bucket.
gcloud compute forwarding-rules update web-map-http-forwarding-rule \
    --external-managed-backend-bucket-migration-state=TEST_ALL_TRAFFIC \
    --global
Optional: Check the logs of the backend bucket.
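The backend service and backend bucket procedures above follow the same PREPARE, TEST_BY_PERCENTAGE, TEST_ALL_TRAFFIC sequence, so the following added example (not part of the original guide) scripts both with an HTTP check gating each percentage increase. LB_IP, PROBES, WAIT_SECONDS and the function names are assumptions; the gcloud flags and resource names are the ones used in this guide.

```shell
#!/bin/sh
# Added example: gated ramp for the migration states described in this guide.
# LB_IP, PROBES, WAIT_SECONDS and all function names are illustrative.
WAIT_SECONDS="${WAIT_SECONDS:-360}"  # the guide's "approximately six minutes"
PROBES="${PROBES:-20}"               # requests that must all pass at each step

# set_state KIND STATE [PERCENT]  (KIND: "service" or "bucket")
set_state() {
  local kind="$1" state="$2" pct="${3:-}" flag
  if [ "$kind" = service ]; then
    set -- backend-services update web-backend-service \
      "--external-managed-migration-state=$state"
    flag=--external-managed-migration-testing-percentage
  else
    # Backend bucket migration is driven through the forwarding rule.
    set -- forwarding-rules update web-map-http-forwarding-rule \
      "--external-managed-backend-bucket-migration-state=$state"
    flag=--external-managed-backend-bucket-migration-testing-percentage
  fi
  if [ -n "$pct" ]; then set -- "$@" "$flag=$pct"; fi
  gcloud compute "$@" --global
}

# probe KIND: succeed only if every request returns HTTP 200.
probe() {
  local url="http://$LB_IP/" i=0 code
  if [ "$1" = bucket ]; then url="http://$LB_IP/never-fetch/three-cats.jpg"; fi
  while [ "$i" -lt "$PROBES" ]; do
    code="$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$url")" || return 1
    if [ "$code" != 200 ]; then
      echo "probe failed: HTTP $code from $url" >&2
      return 1
    fi
    i=$((i + 1))
  done
}

# ramp KIND: PREPARE, then 10/50/100 percent, then TEST_ALL_TRAFFIC.
# Returns non-zero at the first failed gate and does not advance further.
ramp() {
  local kind="$1" pct
  set_state "$kind" PREPARE || return 1
  sleep "$WAIT_SECONDS"
  for pct in 10 50 100; do
    set_state "$kind" TEST_BY_PERCENTAGE "$pct" || return 1
    sleep "$WAIT_SECONDS"
    probe "$kind" || { echo "halted at ${pct}%" >&2; return 1; }
  done
  set_state "$kind" TEST_ALL_TRAFFIC
}
```

Source the file, set LB_IP to the reserved address, and call `ramp service` followed by `ramp bucket`. The final changes of the load balancing scheme to EXTERNAL_MANAGED stay manual steps.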
Migrate the forwarding rule
Change the scheme of the forwarding rule to EXTERNAL_MANAGED.
gcloud compute forwarding-rules update web-map-http-forwarding-rule \
    --load-balancing-scheme=EXTERNAL_MANAGED \
    --global
Wait for some time (approximately six minutes) for the forwarding rule to be fully migrated to the global external Application Load Balancer infrastructure.
Optional: Check the logs of the forwarding rule. You see that the load balancing scheme is EXTERNAL_MANAGED.