This page shows you how to set up an HTTP-to-HTTPS redirect for the global external Application Load Balancer. This page is for a global external Application Load Balancer only. If you use a load balancer in a different mode, see one of the following pages:
- Set up an HTTP-to-HTTPS redirect for a classic Application Load Balancer
- Set up an HTTP-to-HTTPS redirect for regional external Application Load Balancers
This example demonstrates how to use URL redirects to redirect all requests from port 80 (HTTP) to port 443 (HTTPS).
HTTPS uses TLS (SSL) to encrypt HTTP requests and responses, making it safer and more secure. A website that uses HTTPS has `https://` in the beginning of its URL instead of `http://`.
For new HTTPS load balancers
If you're creating a new HTTPS load balancer, you can use the Google Cloud console to set up an HTTP-to-HTTPS redirect.
While creating the HTTPS load balancer's frontend, use the following steps:
- In the Google Cloud console, go to the load balancer's configuration page.
- Click Frontend configuration.
- Under Protocol, select HTTPS (includes HTTP/2).
- Under IP address, select a reserved IP address.
- Click the Enable HTTP to HTTPS Redirect checkbox to create the redirect.
You must select the HTTPS protocol and use a reserved IP address (not ephemeral) to be able to select the checkbox.

Depending on your backend type, use the Google Cloud console instructions from one of the following guides to complete this setup:
Setting the Enable HTTP to HTTPS Redirect checkbox automatically creates an additional partial HTTP load balancer consisting of a URL map, a forwarding rule, and a target HTTP proxy. This partial HTTP load balancer uses the same IP address as your HTTPS load balancer and redirects HTTP requests to your load balancer's HTTPS frontend. It uses `301 Moved Permanently` as the default redirect response code.
After the HTTPS load balancer is created, you can see the partial HTTP load balancer in the list of load balancers, with a -redirect suffix. Test your setup by using the steps in Testing the HTTP-to-HTTPS redirect.
For existing load balancers
If you already have an external HTTPS load balancer (called here LB1) that is serving HTTPS traffic on port 443, you must create a partial external HTTP load balancer (called here LB2) with the following setup:
- The same frontend IP address used by LB1
- A redirect configured in the URL map
This partial HTTP load balancer uses the same IP address as your HTTPS load balancer and redirects HTTP requests to your load balancer's HTTPS frontend.
This architecture is shown in the following diagram.
Redirecting traffic to your HTTPS load balancer
After you have verified that your external HTTPS load balancer (LB1) is working, you can create the partial external HTTP load balancer (LB2) with its frontend configured to redirect traffic to LB1.
This example uses the 301 response code. You can instead use a different response code.
To configure the redirect with `gcloud`, you must import a YAML file and make sure that your target HTTP proxy points to the URL map that redirects traffic. If you're using the Google Cloud console, this is handled for you.
Regional external Application Load Balancers aren't supported in the Google Cloud console.
Console
Start the configuration
- In the Google Cloud console, go to the Load balancing page.
- Click Create load balancer.
- On the Application Load Balancer (HTTP/S) card, click Start configuration.
- For Internet facing or internal only, select From Internet to my VMs.
- For Global or regional, select Global external Application Load Balancer.
- For the Name of the load balancer, enter something like `http-redirect`.
- Keep the window open to continue.
- Skip the Backend Configuration section.
- In the left column of the page, click Host and path rules.
- Select Advanced host and path rule (URL redirect, URL rewrite).
- Under Action, select Redirect the client to different host/path.
- Leave the Prefix redirect field blank.
- Under Path redirect, select Prefix redirect.
- Leave the Path value field blank.
- Under Redirect response code, select 301 - Moved Permanently.
- Under HTTPS redirect, select Enable.
- Click Done.
- Keep the load balancer configuration page open to continue.
- On the load balancer configuration page, click Frontend configuration.
- Set Protocol to HTTP.
- Set IP address to the *same* IP address that you use for your HTTPS load balancer.
- Ensure that Port is set to 80 to allow HTTP traffic.
- Click Done.
- Keep the window open to continue.
Review the configuration
- In the left panel, click Review and finalize.
- Compare your settings to what you intended to create.
- If everything looks correct, click Create.
When you are finished, the Google Cloud console displays two load balancers, as follows.

The Google Cloud console displays information about your `web-map-http` load balancer as follows.

gcloud
- Create a YAML file `/tmp/web-map-http.yaml`. This example uses MOVED_PERMANENTLY_DEFAULT as the response code.

  ```yaml
  kind: compute#urlMap
  name: web-map-http
  defaultUrlRedirect:
    redirectResponseCode: MOVED_PERMANENTLY_DEFAULT
    httpsRedirect: True
  tests:
  - description: Test with no query parameters
    host: example.com
    path: /test/
    expectedOutputUrl: https://example.com/test/
    expectedRedirectResponseCode: 301
  - description: Test with query parameters
    host: example.com
    path: /test/?parameter1=value1&parameter2=value2
    expectedOutputUrl: https://example.com/test/?parameter1=value1&parameter2=value2
    expectedRedirectResponseCode: 301
  ```

- Validate the URL map.

  ```
  gcloud compute url-maps validate --source /tmp/web-map-http.yaml
  ```

  If the tests pass and the command outputs a success message, save the changes to the URL map.

- Create the HTTP load balancer's URL map by importing the YAML file. The name for this URL map is `web-map-http`.

  ```
  gcloud compute url-maps import web-map-http \
      --source /tmp/web-map-http.yaml \
      --global
  ```

  If you are updating an existing URL map, the following prompt appears:

  ```
  Url Map [web-map-http] will be overwritten.

  Do you want to continue (Y/n)?
  ```

  To continue, press Y.

- Verify that the URL map is updated. Your HTTP load balancer's URL map should look something like this:

  ```
  gcloud compute url-maps describe web-map-http
  ```

  ```
  creationTimestamp: '2020-03-23T10:53:44.976-07:00'
  defaultUrlRedirect:
    httpsRedirect: true
    redirectResponseCode: MOVED_PERMANENTLY_DEFAULT
  fingerprint: 3A5N_RLrED8=
  id: '2020316695093397831'
  kind: compute#urlMap
  name: web-map-http
  selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/urlMaps/web-map-http
  ```

- Create a new target HTTP proxy or update an existing target HTTP proxy, using `web-map-http` as the URL map.

  ```
  gcloud compute target-http-proxies create http-lb-proxy \
      --url-map=web-map-http \
      --global
  ```

  OR

  ```
  gcloud compute target-http-proxies update http-lb-proxy \
      --url-map=web-map-http \
      --global
  ```

- Create a forwarding rule to route incoming requests to the proxy. The `--address` flag specifies `lb-ipv4-1`, which is the same IP address used for the external HTTPS load balancer.

  ```
  gcloud compute forwarding-rules create http-content-rule \
      --load-balancing-scheme=EXTERNAL_MANAGED \
      --address=lb-ipv4-1 \
      --network-tier=PREMIUM \
      --global \
      --target-http-proxy=http-lb-proxy \
      --ports=80
  ```
Adding a custom header
Optionally, add the HTTP `Strict-Transport-Security` header to your HTTPS load balancer's backend service, as follows:
- Header name: `Strict-Transport-Security`
- Header value: `max-age=31536000; includeSubDomains; preload`
This setting sends the custom header to the client so that the next time the client tries to access the URL through HTTP, the browser does the redirect.
To add the custom header to the backend service configuration, use the `--custom-response-header` flag.

```
gcloud compute backend-services update BACKEND_SERVICE_NAME_LB1 \
    --global \
    --custom-response-header='Strict-Transport-Security:max-age=31536000; includeSubDomains; preload'
```
For more information, see Creating custom headers.
Testing the HTTP-to-HTTPS redirect
Note the reserved IP address that you are using for both load balancers.
```
gcloud compute addresses describe lb-ipv4-1 \
    --format="get(address)" \
    --global
```

In this example, assume that the reserved IP address is `34.98.77.106`. The `http://34.98.77.106/` URL redirects to `https://34.98.77.106/`.
After a few minutes have passed, you can test this by running the following `curl` command.

```
curl -v http://hostname.com
```

Sample output:

```
* Connected to 34.98.77.106 (34.98.77.106) port 80 (#0)
> GET / HTTP/1.1
> Host: hostname.com
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Cache-Control: private
< Content-Type: text/html; charset=UTF-8
< Referrer-Policy: no-referrer
< Location: https://hostname.com
< Content-Length: 220
< Date: Fri, 30 Jul 2021 21:32:25 GMT
<
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://hostname.com">here</A>.
</BODY></HTML>
* Connection #0 to host hostname.com left intact
```
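The redirect tested here and the `Strict-Transport-Security` header from "Adding a custom header" can both be checked from saved `curl -sI` response headers. The following POSIX shell script is an added example, not part of the original page; the function names and the sample replies are constructed for illustration.

```shell
# Added example (not from the original page): check saved `curl -sI` response
# headers for the redirect and the HSTS header this page configures.

# header_value NAME: read headers on stdin, print the first NAME header's value.
header_value() {
  tr -d '\r' | awk -v n="$1" '{
    i = index($0, ":")
    if (i && tolower(substr($0, 1, i - 1)) == tolower(n)) {
      v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
    }
  }'
}

# check_redirect URL HEADERS: pass only if HEADERS (the reply to a plain-HTTP
# request for URL) is a 301 whose Location is URL with only the scheme changed.
check_redirect() {
  cr_status=$(printf '%s\n' "$2" | tr -d '\r' | awk 'NR == 1 { print $2 }')
  cr_location=$(printf '%s\n' "$2" | header_value Location)
  cr_expected="https://${1#http://}"
  [ "$cr_status" = 301 ] || { echo "FAIL: status '$cr_status', want 301"; return 1; }
  [ "$cr_location" = "$cr_expected" ] ||
    { echo "FAIL: Location '$cr_location', want '$cr_expected'"; return 1; }
  echo "OK: $1 -> $cr_location"
}

# check_hsts HEADERS MIN_AGE: pass only if the HTTPS reply carries
# Strict-Transport-Security with max-age >= MIN_AGE, includeSubDomains, preload.
check_hsts() {
  ch_value=$(printf '%s\n' "$1" | header_value Strict-Transport-Security |
    tr 'A-Z' 'a-z' | tr -d ' \t"' | tr ';' '\n')
  [ -n "$ch_value" ] || { echo "FAIL: no Strict-Transport-Security header"; return 1; }
  ch_age=$(printf '%s\n' "$ch_value" | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1)
  [ -n "$ch_age" ] && [ "$ch_age" -ge "$2" ] ||
    { echo "FAIL: max-age '$ch_age' missing or below $2"; return 1; }
  for ch_directive in includesubdomains preload; do
    printf '%s\n' "$ch_value" | grep -qx "$ch_directive" ||
      { echo "FAIL: $ch_directive directive missing"; return 1; }
  done
  echo "OK: HSTS max-age=$ch_age with includeSubDomains and preload"
}

# Constructed sample replies, shaped like the curl output on this page.
HTTP_REPLY='HTTP/1.1 301 Moved Permanently
Location: https://example.com/test/?parameter1=value1&parameter2=value2
Content-Length: 220'
HTTPS_REPLY='HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains; preload'
check_redirect 'http://example.com/test/?parameter1=value1&parameter2=value2' "$HTTP_REPLY"
check_hsts "$HTTPS_REPLY" 31536000
```

To run it against a live load balancer, pass the output of `curl -sI http://hostname.com` to `check_redirect` and the output of `curl -sI https://hostname.com` to `check_hsts`. Browsers honor `Strict-Transport-Security` only when it arrives over HTTPS, so the HSTS check belongs on the HTTPS reply.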
Related procedures
To use Terraform, see the HTTP-to-HTTPS redirect tab.
For GKE, see the HTTP-to-HTTPS redirects in the GKE documentation.
For internal Application Load Balancers, see Setting up HTTP-to-HTTPS redirect for internal Application Load Balancers.
For other types of redirects, see URL redirects.