Set up a global external HTTP(S) load balancer (classic) with an external backend

Stay organized with collections Save and categorize content based on your preferences.

This guide uses an example to teach the fundamentals of using an external backend (sometimes called a custom origin) in an external HTTP(S) load balancer. An external backend is an endpoint that is external to Google Cloud. When you use an external backend with an external HTTP(S) load balancer, you can improve performance by using Cloud CDN caching.

External backends aren't supported with the global external HTTP(S) load balancer with advanced traffic management capability. You can only use external backends with the global external HTTP(S) load balancer (classic).

The guide steps through how to configure a global external HTTP(S) load balancer with a Cloud CDN-enabled backend service that proxies to an external backend server at

In the example, the load balancer accepts HTTPS requests from clients, and proxies these requests as HTTP/2 to the external backend. This example assumes that the external backend supports HTTP/2.

Other options would be to configure a load balancer to accept HTTP or HTTP/2 requests, and use HTTPS when proxying requests to the external backend.

This guide assumes that you have already set up a load balancer and you are adding a new external backend.

A sample architecture looks like this:

Typical use case for external backends
Typical use case for external backends

In the diagram, has a load balancer frontend with the IP address When there is a cache miss, user requests for /cart/id/1223515 are fetched from the external backend by way of HTTP/2. All other incoming traffic is directed to either the Google Cloud backend service with Compute Engine VMs or to the backend bucket, based on the URL map.

Before you begin

Before following this guide, familiarize yourself with the following:


To follow this guide, you need to create an internet NEG and create or modify an external HTTP(S) load balancer in a project. You should be either a project owner or editor, or you should have both of the following Compute Engine IAM roles.

Task Required role
Create and modify load balancer components Network Admin
Create and modify NEGs Compute Instance Admin

Configuring a load balancer with an external backend

This guide shows you how to configure and test an internet NEG.

Setup overview

Setting up an internet NEG involves doing the following:

  • Defining the internet endpoint in an internet NEG.
  • Adding an internet NEG as the backend to a backend service.
  • Defining which user traffic to map to this backend service by configuring your external HTTP(S) load balancer's URL map.
  • Allowlisting the necessary IP ranges.

This example creates the following resources:

  • A forwarding rule with the IP address directs incoming requests to a target proxy.
    • The networkTier of the forwarding rule must be PREMIUM.
  • The target proxy checks each request against the URL map to determine the appropriate backend service for the request.
    • For external backends, the target proxy must be TargetHttpProxy or TargetHttpsProxy. This example uses TargetHttpsProxy.
  • Cloud CDN enabled (optional) on the backend service allows caching and serving responses from Cloud CDN caches.
  • The backend service configuration directs traffic to one internet NEG.
  • This example includes a user-defined request header, which is required when the external backend expects a particular value for the HTTP request's Host header.

The setup looks like this:

Cloud CDN with on-premises backend
Cloud CDN with on-premises backend

Creating the NEG and internet endpoint


  1. In the Google Cloud console, go to the Network endpoint groups page.

    Go to the Network endpoint groups page

  2. Click Create network endpoint group.
  3. Enter the name of the network endpoint group: example-fqdn-neg.
  4. For Network endpoint group type, select Network endpoint group (Internet).
  5. For Default port, enter 443.
  6. For New network endpoint, select Fully qualified domain name and port.
  7. For the FQDN, enter
  8. For Port type, select Default, and verify that Port number is 443.
  9. Click Create.


  1. Create an internet NEG, and set the --network-endpoint-type to internet-fqdn-port (the hostname and port where your external backend can be reached):

    gcloud compute network-endpoint-groups create example-fqdn-neg \
        --network-endpoint-type="internet-fqdn-port" --global
  2. Add your endpoint to the NEG. If a port isn't specified, the port selection defaults to port 80 (HTTP) or 443 (HTTPS; HTTP/2) depending on the protocol configured in the backend service. Make sure to include the --global flag:

    gcloud compute network-endpoint-groups update example-fqdn-neg \
        --add-endpoint=",port=443" \
  3. List the created internet NEG:

    gcloud compute network-endpoint-groups list --global


    NAME                LOCATION   ENDPOINT_TYPE        SIZE
    example-fqdn-neg    global     INTERNET_FQDN_PORT   1

  4. List the endpoint within that NEG:

    gcloud compute network-endpoint-groups list-network-endpoints example-fqdn-neg \



Adding an external backend to a load balancer

The following example updates an existing load balancer.

In the existing load balancer, the default service is a Google Cloud service. The example modifies the existing URL map by adding a path matcher that sends all requests for cart/id/1223515 to the images backend service, which is associated with the internet NEG.


Create the backend service and add the internet NEG

  1. In the Google Cloud console, go to the Load balancing page.

    Go to the Load balancing page

  2. To add the backend service to an existing load balancer, select your external HTTP(S) load balancer, click Menu and then select Edit.
  3. Click Backend configuration.
  4. In the Create or select backend services & backend buckets pull-down menu, select Backend services > Create a backend service.
  5. Set the name of the backend service to images.
  6. For Backend type, select Internet network endpoint group.
  7. Select the protocol that you intend to use from the load balancer to the internet NEG. For this example, select HTTP/2.
  8. Under New backend > Internet network endpoint group, select example-fqdn-neg, and then click Done.
  9. Select Enable Cloud CDN.
  10. (Optional) Modify the cache mode and TTL settings.
  11. In Advanced configurations, under Custom request headers, click Add header.
    1. For Header name, enter Host.
    2. For Header value, enter
  12. Click Create.
  13. Keep the window open to continue.

Attach the backend service to an existing URL map

  1. Click Host and path rules.
  2. The first row or rows have Google Cloud services in the right column, and one of them is already populated with the default rule Any unmatched (default) for Hosts and Paths.
  3. Ensure that there is a row with images selected in the right column. If it doesn't exist, click Add host and path rule, and select images. Populate the other fields as follows:
    1. In Hosts, enter *.
    2. In Paths, enter /cart/id/1223515.

Review and finalize

  1. Click Review and finalize.
  2. Compare your settings to what you intended to create.
  3. If everything looks correct, click Create to create your external HTTP(S) load balancer.


  1. Create a new backend service for the NEG:

    gcloud compute backend-services create images \
       --global \
       --enable-cdn \

    Set the cache mode by replacing CACHE_MODE with one of the following:

    • CACHE_All_STATIC: Automatically caches static content.

    • USE_ORIGIN_HEADERS (default): Requires the origin to set valid caching headers to cache content.

    • FORCE_CACHE_ALL: Caches all content, ignoring any private, no-store, or no-cache directives in Cache-Control response headers.

  2. Configure the backend service to add the custom request header Host: to the request:

    gcloud compute backend-services update images \
       --custom-request-header "Host:" --global
  3. Use the backend-services add-backend command to add the internet NEG to the backend service:

    gcloud compute backend-services add-backend images \
      --network-endpoint-group "example-fqdn-neg" \
      --global-network-endpoint-group \
  4. Attach the new backend service to the load balancer's URL map by creating a new matching rule to direct requests to that backend:

    gcloud compute url-maps add-path-matcher EXAMPLE_URL_MAP \
      --default-service=GCP_SERVICE_EXAMPLE \
      --path-matcher-name=CUSTOM_ORIGIN_PATH_MATCHER_EXAMPLE \

    Replace the following:

    • EXAMPLE_URL_MAP: the name of your existing URL map
    • GCP_SERVICE_EXAMPLE: the name of an existing default backend service
    • CUSTOM_ORIGIN_PATH_MATCHER_EXAMPLE: the name of this new path rule
    • /CART/ID/1223515: the path
    • IMAGES: the name of the new backend service with the attached internet NEG

Allowlisting the necessary IP ranges

To allow an external HTTP(S) load balancer to send requests to your internet NEG, you must query the DNS TXT record by using a tool like dig or nslookup.

For example, run the following dig command:

dig TXT | grep -Eo 'ip4:[^ ]+' | cut -d':' -f2

The output contains two IP ranges, as follows:

Note the IP ranges and ensure that these ranges are allowed by your firewall or cloud access control list (ACL).

For more information, see Authenticating requests.

Connect your domain to your load balancer

After the load balancer is created, note the IP address that is associated with the load balancer, for example, To point your domain to your load balancer, create an A record using your domain registration service. If you added multiple domains to your SSL certificate, you must add an A record for each one, all pointing to the load balancer's IP address. For example, to create A records for and

NAME                  TYPE     DATA
www                   A
@                     A

If you are using Google Domains, see the Google Domains Help page for more information.

Testing the external HTTP(S) load balancer

Now that you have configured your load balancer, you can start sending traffic to the load balancer's IP address. If you configured a domain, you can send traffic to the domain name as well. However, DNS propagation can take time to complete so you can start by using the IP address for testing.

  1. Go to the Load balancing page in the Google Cloud console.
    Go to the Load balancing page
  2. Click on the load balancer you just created.
  3. Note the IP Address of the load balancer.
  4. If you created an HTTP load balancer, you can test your load balancer using a web browser by going to http://IP_ADDRESS. Replace IP_ADDRESS with the load balancer's IP address. You should be directed to the helloworld service homepage.

    If you created an HTTPS load balancer, you can test your load balancer using a web browser by going to https://IP_ADDRESS. Replace IP_ADDRESS with the load balancer's IP address. You should be directed to the helloworld service homepage.

    If that does not work and you are using a Google-managed certificate, confirm that your certificate resource's status is ACTIVE. For more information, see Google-managed SSL certificate resource status.

    Alternatively, you can use curl from your local machine's command line. Replace IP_ADDRESS with the load balancer's IPv4 address.

    If you're using a Google-managed certificate, test the domain that points to the load balancer's IP address. For example:

    curl -s '' --resolve

  5. Optional: If you are using a custom domain, you might need to wait for the updated DNS settings to propagate. Then, test your domain (for example, in the web browser.

    For help with troubleshooting, see Troubleshooting external backend and internet NEG issues.

Enable IAP on the external HTTP(S) load balancer

You can configure IAP to be enabled or disabled (default). If enabled, you must provide values for oauth2-client-id and oauth2-client-secret.

To enable IAP, update the backend service to include the --iap=enabled flag with the oauth2-client-id and oauth2-client-secret.

gcloud compute backend-services update BACKEND_SERVICE_NAME \
    --iap=enabled,oauth2-client-id=ID,oauth2-client-secret=SECRET \

What's next