This guide uses an example to teach the fundamentals of using an external backend (sometimes called a custom origin) in an external HTTP(S) load balancer. An external backend is an endpoint that is external to Google Cloud. When you use an external backend with an external HTTP(S) load balancer, you can improve performance by using Cloud CDN caching.
External backends aren't supported with the global external HTTP(S) load balancer with advanced traffic management capability. You can only use external backends with the global external HTTP(S) load balancer (classic).
The guide steps through how to configure a global external HTTP(S) load balancer with a
Cloud CDN-enabled backend service that proxies to an
external backend server at backend.example.com
.
In the example, the load balancer accepts HTTPS requests from clients, and proxies these requests as HTTP/2 to the external backend. This example assumes that the external backend supports HTTP/2.
Other options would be to configure a load balancer to accept HTTP or HTTP/2 requests, and use HTTPS when proxying requests to the external backend.
This guide assumes that you have already set up a load balancer and you are adding a new external backend.
A sample architecture looks like this:
In the diagram, www.example.com
has a load balancer frontend with the IP
address 120.1.1.1
. When there is a cache miss, user requests for
/cart/id/1223515
are fetched from the external backend by way of HTTP/2. All
other incoming traffic is directed to either the Google Cloud backend
service with Compute Engine VMs or to the backend bucket, based on the
URL map.
Before you begin
Before following this guide, familiarize yourself with the following:
Internet NEG overview, including the limitations
Permissions
To follow this guide, you need to create an internet NEG and create or modify an external HTTP(S) load balancer in a project. You should be either a project owner or editor, or you should have both of the following Compute Engine IAM roles.
Task | Required role |
---|---|
Create and modify load balancer components | Network Admin |
Create and modify NEGs | Compute Instance Admin |
Configuring a load balancer with an external backend
This guide shows you how to configure and test an internet NEG.
Setup overview
Setting up an internet NEG involves doing the following:
- Defining the internet endpoint in an internet NEG.
- Adding an internet NEG as the backend to a backend service.
- Defining which user traffic to map to this backend service by configuring your external HTTP(S) load balancer's URL map.
- Allowlisting the necessary IP ranges.
This example creates the following resources:
- A forwarding rule with the
120.1.1.1
IP address directs incoming requests to a target proxy. - The
networkTier
of the forwarding rule must bePREMIUM
. - The target proxy checks each request against the URL map to determine the appropriate backend service for the request.
- For external backends, the target proxy must be
TargetHttpProxy
orTargetHttpsProxy
. This example usesTargetHttpsProxy
. - Cloud CDN enabled (optional) on the backend service allows caching and serving responses from Cloud CDN caches.
- The backend service configuration directs traffic to one internet NEG.
- This example includes a
user-defined
request header, which is required when the external backend expects a
particular value for the HTTP request's
Host
header.
The setup looks like this:
Creating the NEG and internet endpoint
Console
- In the Google Cloud console, go to the Network endpoint groups page.
- Click Create network endpoint group.
- Enter the name of the network endpoint group:
example-fqdn-neg
. - For Network endpoint group type, select Network endpoint group (Internet).
- For Default port, enter
443
. - For New network endpoint, select Fully qualified domain name and port.
- For the FQDN, enter
backend.example.com
. - For Port type, select Default, and verify that Port
number is
443
. - Click Create.
gcloud
Create an internet NEG, and set the
--network-endpoint-type
tointernet-fqdn-port
(the hostname and port where your external backend can be reached):gcloud compute network-endpoint-groups create example-fqdn-neg \ --network-endpoint-type="internet-fqdn-port" --global
Add your endpoint to the NEG. If a port isn't specified, the port selection defaults to port
80
(HTTP) or443
(HTTPS; HTTP/2) depending on the protocol configured in the backend service. Make sure to include the--global
flag:gcloud compute network-endpoint-groups update example-fqdn-neg \ --add-endpoint="fqdn=backend.example.com,port=443" \ --global
List the created internet NEG:
gcloud compute network-endpoint-groups list --global
Output:
NAME LOCATION ENDPOINT_TYPE SIZE example-fqdn-neg global INTERNET_FQDN_PORT 1
List the endpoint within that NEG:
gcloud compute network-endpoint-groups list-network-endpoints example-fqdn-neg \ --global
Output:
INSTANCE IP_ADDRESS PORT FQDN backend.example.com
Adding an external backend to a load balancer
The following example updates an existing load balancer.
In the existing load balancer, the default service is a Google Cloud
service. The example modifies the existing URL map by adding a path matcher that
sends all requests for cart/id/1223515
to the images
backend service, which
is associated with the internet NEG.
Console
Create the backend service and add the internet NEG
- In the Google Cloud console, go to the Load balancing page.
- To add the backend service to an existing load balancer, select your external HTTP(S) load balancer, click Menu and then select Edit.
- Click Backend configuration.
- In the Create or select backend services & backend buckets pull-down menu, select Backend services > Create a backend service.
- Set the name of the backend service to
images
. - For Backend type, select Internet network endpoint group.
- Select the protocol that you intend to use from the load balancer to the internet NEG. For this example, select HTTP/2.
- Under New backend > Internet network endpoint group, select
example-fqdn-neg
, and then click Done. - Select Enable Cloud CDN.
- (Optional) Modify the cache mode and TTL settings.
- In Advanced configurations, under Custom request headers,
click Add header.
- For Header name, enter
Host
. - For Header value, enter
backend.example.com
.
- For Header name, enter
- Click Create.
- Keep the window open to continue.
Attach the backend service to an existing URL map
- Click Host and path rules.
- The first row or rows have Google Cloud services in the right
column, and one of them is already populated with the default rule
Any unmatched (default)
for Hosts and Paths. - Ensure that there is a row with
images
selected in the right column. If it doesn't exist, click Add host and path rule, and selectimages
. Populate the other fields as follows:- In Hosts, enter
*
. - In Paths, enter
/cart/id/1223515
.
- In Hosts, enter
Review and finalize
- Click Review and finalize.
- Compare your settings to what you intended to create.
- If everything looks correct, click Create to create your external HTTP(S) load balancer.
gcloud
Create a new backend service for the NEG:
gcloud compute backend-services create images \ --global \ --enable-cdn \ --cache-mode=CACHE_MODE --protocol=HTTP2
Set the cache mode by replacing CACHE_MODE with one of the following:
CACHE_All_STATIC
: Automatically caches static content.USE_ORIGIN_HEADERS
(default): Requires the origin to set valid caching headers to cache content.FORCE_CACHE_ALL
: Caches all content, ignoring anyprivate
,no-store
, orno-cache
directives inCache-Control
response headers.
Configure the backend service to add the custom request header
Host: backend.example.com
to the request:gcloud compute backend-services update images \ --custom-request-header "Host: backend.example.com" --global
Use the
backend-services add-backend
command to add the internet NEG to the backend service:gcloud compute backend-services add-backend images \ --network-endpoint-group "example-fqdn-neg" \ --global-network-endpoint-group \ --global
Attach the new backend service to the load balancer's URL map by creating a new matching rule to direct requests to that backend:
gcloud compute url-maps add-path-matcher EXAMPLE_URL_MAP \ --default-service=GCP_SERVICE_EXAMPLE \ --path-matcher-name=CUSTOM_ORIGIN_PATH_MATCHER_EXAMPLE \ --backend-service-path-rules=/CART/ID/1223515=IMAGES
Replace the following:
EXAMPLE_URL_MAP
: the name of your existing URL mapGCP_SERVICE_EXAMPLE
: the name of an existing default backend serviceCUSTOM_ORIGIN_PATH_MATCHER_EXAMPLE
: the name of this new path rule/CART/ID/1223515
: the pathIMAGES
: the name of the new backend service with the attached internet NEG
Allowlisting the necessary IP ranges
To allow an external HTTP(S) load balancer to send requests to your internet NEG, you must
query the _cloud-eoips.googleusercontent.com
DNS TXT record by using a tool
like dig
or nslookup
.
For example, run the following dig
command:
dig TXT _cloud-eoips.googleusercontent.com | grep -Eo 'ip4:[^ ]+' | cut -d':' -f2
The output contains two IP ranges, as follows:
34.96.0.0/20
34.127.192.0/18
Note the IP ranges and ensure that these ranges are allowed by your firewall or cloud access control list (ACL).
For more information, see Authenticating requests.
Connect your domain to your load balancer
After the load balancer is created, note the IP address that is associated with
the load balancer, for example, 30.90.80.100
. To point your domain to your
load balancer, create an A
record using your domain registration service. If
you added multiple domains to your SSL certificate, you must add an A
record
for each one, all pointing to the load balancer's IP address. For example, to
create A
records for www.example.com
and example.com
:
NAME TYPE DATA www A 30.90.80.100 @ A 30.90.80.100
If you are using Google Domains, see the Google Domains Help page for more information.
Testing the external HTTP(S) load balancer
Now that you have configured your load balancer, you can start sending traffic to the load balancer's IP address. If you configured a domain, you can send traffic to the domain name as well. However, DNS propagation can take time to complete so you can start by using the IP address for testing.
- Go to the Load balancing page in the Google Cloud console.
Go to the Load balancing page - Click on the load balancer you just created.
- Note the IP Address of the load balancer.
If you created an HTTP load balancer, you can test your load balancer using a web browser by going to
http://IP_ADDRESS
. ReplaceIP_ADDRESS
with the load balancer's IP address. You should be directed to thehelloworld
service homepage.If you created an HTTPS load balancer, you can test your load balancer using a web browser by going to
https://IP_ADDRESS
. ReplaceIP_ADDRESS
with the load balancer's IP address. You should be directed to thehelloworld
service homepage.If that does not work and you are using a Google-managed certificate, confirm that your certificate resource's status is ACTIVE. For more information, see Google-managed SSL certificate resource status.
Alternatively, you can use curl from your local machine's command line. Replace IP_ADDRESS with the load balancer's IPv4 address.
If you're using a Google-managed certificate, test the domain that points to the load balancer's IP address. For example:
curl -s 'https://www.example.com:443' --resolve www.example.com:443:IP_ADDRESS
Optional: If you are using a custom domain, you might need to wait for the updated DNS settings to propagate. Then, test your domain (for example,
backend.example.com
) in the web browser.For help with troubleshooting, see Troubleshooting external backend and internet NEG issues.
Enable IAP on the external HTTP(S) load balancer
You can configure IAP to be
enabled or disabled (default). If enabled, you must provide values for
oauth2-client-id
and oauth2-client-secret
.
To enable IAP, update the backend service
to include the --iap=enabled
flag with the oauth2-client-id
and
oauth2-client-secret
.
gcloud compute backend-services update BACKEND_SERVICE_NAME \ --iap=enabled,oauth2-client-id=ID,oauth2-client-secret=SECRET \ --global
What's next
- To check whether Cloud CDN is serving responses from cache, see Viewing logs.
- To learn about which content is cacheable or non-cacheable, see Caching overview.
- To find Cloud CDN's points of presence, see Cache locations.
- Clean up the load balancer setup.