Set up mutual TLS for a global external Application Load Balancer

This page shows examples of configuring mutual TLS (mTLS) for a global external Application Load Balancer.

Before you begin

Set up mTLS for the load balancer

For mutual TLS authentication to work, after you set up the load balancer you must update its target HTTPS proxy so that it references a ServerTLSPolicy resource.

  1. Ensure that you have already created the ServerTLSPolicy resource. For instructions, see Create the network security resources.

  2. To list all the target HTTPS proxies in your project, use the gcloud compute target-https-proxies list command:

    gcloud compute target-https-proxies list
    

    Note the name of the target HTTPS proxy to attach the ServerTLSPolicy resource. This name is referred to as TARGET_HTTPS_PROXY_NAME in the following steps.

  3. To export a target HTTPS proxy's configuration to a file, use the gcloud beta compute target-https-proxies export command (the load balancer is global):

    gcloud beta compute target-https-proxies export TARGET_HTTPS_PROXY_NAME \
        --destination=TARGET_PROXY_FILENAME \
        --global
    

    Replace the following:

    • TARGET_HTTPS_PROXY_NAME: the name of the target proxy.
    • TARGET_PROXY_FILENAME: the name of a yaml file. For example, mtls_target_proxy.yaml.
  4. List all the ServerTlsPolicies resources in the specified location of the current project.

    Console

    1. In the Google Cloud console, go to the Client authentication page.

    2. All the ServerTlsPolicies resources are displayed.

    gcloud

    To list all the Client authentication (ServerTlsPolicies) resources, use the gcloud network-security server-tls-policies list command:

    gcloud network-security server-tls-policies list \
      --location=REGION
    

    Replace the following:

    REGION: use global.

    Note the name of the ServerTlsPolicies resource to configure mTLS. This name is referred to as SERVER_TLS_POLICY_NAME in the next step.

  5. To append the ServerTlsPolicy resource reference to the file TARGET_PROXY_FILENAME, use the following command. Replace PROJECT_ID with the ID of your Google Cloud project, REGION with global, and SERVER_TLS_POLICY_NAME with the name you noted in the previous step.

    echo "serverTlsPolicy: //networksecurity.googleapis.com/projects/PROJECT_ID/locations/REGION/serverTlsPolicies/SERVER_TLS_POLICY_NAME" >> TARGET_PROXY_FILENAME
    
  6. To import a target HTTPS proxy's configuration from a file, use the gcloud beta compute target-https-proxies import command (the load balancer is global):

    gcloud beta compute target-https-proxies import TARGET_HTTPS_PROXY_NAME \
        --source=TARGET_PROXY_FILENAME \
        --global
    

    Replace the following:

    • TARGET_HTTPS_PROXY_NAME: the name of the target proxy.
    • TARGET_PROXY_FILENAME: the name of a yaml file. For example, mtls_target_proxy.yaml.
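
The steps above edit the exported YAML by blindly appending a line with `echo >>`, which leaves a duplicate `serverTlsPolicy` key if the procedure is run twice or if the proxy already had a policy attached. The following script is an added example, not Google's own tooling: it wraps the export, edit and import steps and sets the key exactly once, replacing any stale value. The resource-name pattern, the sample exported YAML and the `example-project` / `client-auth-policy` names are assumptions made for the example.

```python
"""Attach a ServerTlsPolicy to an exported target HTTPS proxy config.

Added example, not Google's own tooling. It replaces the `echo ... >>`
step with a function that sets the serverTlsPolicy key exactly once, so
re-running the procedure never leaves a duplicate key in the YAML. The
resource-name pattern and the sample exported YAML are assumptions.
"""
import re
import subprocess
from typing import List

# Assumption: names follow the Compute Engine rule (lowercase letter first,
# then lowercase letters, digits and hyphens, at most 63 characters).
_NAME_RE = re.compile(r"^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$")


def _check_name(value: str, what: str) -> str:
    """Reject anything that cannot be a valid resource name before it reaches a shell or URI."""
    if not _NAME_RE.match(value):
        raise ValueError(f"invalid {what}: {value!r}")
    return value


def server_tls_policy_uri(project_id: str, policy_name: str, region: str = "global") -> str:
    """Build the resource URI that the page's echo command writes."""
    return (
        "//networksecurity.googleapis.com/projects/"
        f"{_check_name(project_id, 'project ID')}/locations/"
        f"{_check_name(region, 'region')}/serverTlsPolicies/"
        f"{_check_name(policy_name, 'ServerTlsPolicy name')}"
    )


def attach_server_tls_policy(proxy_yaml: str, project_id: str, policy_name: str,
                             region: str = "global") -> str:
    """Return proxy_yaml with exactly one top-level serverTlsPolicy line.

    An existing line is replaced rather than duplicated, so the imported
    config carries the policy you intend and not a stale copy.
    """
    uri = server_tls_policy_uri(project_id, policy_name, region)
    new_line = f"serverTlsPolicy: {uri}"
    out: List[str] = []
    seen = False
    for line in proxy_yaml.splitlines():
        if re.match(r"^serverTlsPolicy\s*:", line):   # top-level key only
            if not seen:
                out.append(new_line)
                seen = True
            continue                                   # drop stale duplicates
        out.append(line)
    if not seen:
        out.append(new_line)
    return "\n".join(out) + "\n"


def export_command(proxy_name: str, filename: str) -> List[str]:
    """argv for the page's export step (global load balancer)."""
    return ["gcloud", "beta", "compute", "target-https-proxies", "export",
            _check_name(proxy_name, "target HTTPS proxy name"),
            f"--destination={filename}", "--global"]


def import_command(proxy_name: str, filename: str) -> List[str]:
    """argv for the page's import step (global load balancer)."""
    return ["gcloud", "beta", "compute", "target-https-proxies", "import",
            _check_name(proxy_name, "target HTTPS proxy name"),
            f"--source={filename}", "--global"]


def apply_mtls_policy(proxy_name: str, filename: str, project_id: str, policy_name: str) -> None:
    """Run export -> edit -> import end to end (needs an authenticated gcloud)."""
    subprocess.run(export_command(proxy_name, filename), check=True)
    with open(filename, encoding="utf-8") as f:
        updated = attach_server_tls_policy(f.read(), project_id, policy_name)
    with open(filename, "w", encoding="utf-8") as f:
        f.write(updated)
    subprocess.run(import_command(proxy_name, filename), check=True)


# Constructed, abbreviated sample of an exported proxy config (assumption).
SAMPLE_PROXY_YAML = """\
name: mtls-https-proxy
sslCertificates:
- https://www.googleapis.com/compute/v1/projects/example-project/global/sslCertificates/web-cert
urlMap: https://www.googleapis.com/compute/v1/projects/example-project/global/urlMaps/web-map
"""

if __name__ == "__main__":
    # Offline demonstration; apply_mtls_policy(...) performs the real gcloud round trip.
    print(attach_server_tls_policy(SAMPLE_PROXY_YAML, "example-project", "client-auth-policy"))
```

Run the module directly to see the edited YAML; call `apply_mtls_policy("mtls-https-proxy", "mtls_target_proxy.yaml", "example-project", "client-auth-policy")` from an authenticated gcloud session to perform the actual round trip. Validating the names before they are interpolated into a URI or an argv list keeps a typo from producing a reference to a policy in another project or location.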

Add mTLS custom headers

With mTLS enabled, you can use custom headers to pass information about the mTLS connection to backend services. You can also enable logging so that mTLS connection failures are captured in the logs.

  1. To list all the backend services in the project, use the gcloud compute backend-services list command:

    gcloud compute backend-services list
    

    Note the name of the backend service for which to enable custom headers and logging. This name is referred to as BACKEND_SERVICE in the following step.

  2. To update the backend service, use the gcloud compute backend-services update command:

    gcloud compute backend-services update BACKEND_SERVICE \
      --global \
      --enable-logging \
      --logging-sample-rate=1 \
      --custom-request-header='X-Client-Cert-Present:{client_cert_present}' \
      --custom-request-header='X-Client-Cert-Chain-Verified:{client_cert_chain_verified}' \
      --custom-request-header='X-Client-Cert-Error:{client_cert_error}' \
      --custom-request-header='X-Client-Cert-Hash:{client_cert_sha256_fingerprint}' \
      --custom-request-header='X-Client-Cert-Serial-Number:{client_cert_serial_number}' \
      --custom-request-header='X-Client-Cert-SPIFFE:{client_cert_spiffe_id}' \
      --custom-request-header='X-Client-Cert-URI-SANs:{client_cert_uri_sans}' \
      --custom-request-header='X-Client-Cert-DNSName-SANs:{client_cert_dnsname_sans}' \
      --custom-request-header='X-Client-Cert-Valid-Not-Before:{client_cert_valid_not_before}' \
      --custom-request-header='X-Client-Cert-Valid-Not-After:{client_cert_valid_not_after}'
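
The headers configured above only carry information; whether a request with a missing or failed client certificate is rejected at the load balancer or passed through depends on the ServerTlsPolicy, so the backend should check them before doing anything privileged. The following is an added example, not Google's code, of a backend that makes that decision from the header names configured on this page. The value formats it relies on (the literal strings "true" and "false" for the flag headers, a hex SHA-256 fingerprint, a spiffe:// URI), the allow list, the WSGI wrapper and the sample requests are all assumptions made for the example. It is only sound when the backend accepts traffic from the load balancer alone; a client that can reach the backend directly can write these headers itself.

```python
"""Backend-side enforcement of the mTLS headers the load balancer adds.

Added example, not Google's code. Header names match the backend service
configuration on the page; value formats ("true"/"false" flags, hex SHA-256
fingerprint, spiffe:// URI) and the sample requests are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    spiffe_id: Optional[str] = None


def evaluate_client_cert_headers(
    headers: Dict[str, str],
    allowed_spiffe_ids: Iterable[str],
    pinned_fingerprints: Iterable[str] = (),
) -> Decision:
    """Decide whether a request that arrived via the load balancer may proceed.

    Every check fails closed: a missing header is treated the same as a
    failed one. The headers are trustworthy only if the backend is reachable
    exclusively through the load balancer.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}

    if h.get("x-client-cert-present") != "true":
        return Decision(False, "no client certificate presented")
    if h.get("x-client-cert-chain-verified") != "true":
        # X-Client-Cert-Error carries the load balancer's reason; log it, never trust it.
        return Decision(False, f"chain not verified: {h.get('x-client-cert-error') or 'unknown'}")

    spiffe = h.get("x-client-cert-spiffe", "")
    if spiffe not in set(allowed_spiffe_ids):
        return Decision(False, f"SPIFFE ID not authorised: {spiffe or '<none>'}")

    # Optional pinning on top of chain validation, compared case-insensitively.
    pins = {p.lower() for p in pinned_fingerprints}
    if pins and h.get("x-client-cert-hash", "").lower() not in pins:
        return Decision(False, "certificate fingerprint not pinned")

    return Decision(True, "ok", spiffe)


# Hypothetical allow list of workload identities permitted to call this backend.
ALLOWED_SPIFFE_IDS = {"spiffe://example.org/ns/prod/sa/checkout"}


def wsgi_app(environ, start_response):
    """Minimal WSGI front door: 403 unless the mTLS headers pass the checks above."""
    # WSGI exposes request headers as HTTP_X_CLIENT_CERT_PRESENT and so on.
    headers = {k[5:].replace("_", "-"): v for k, v in environ.items() if k.startswith("HTTP_")}
    decision = evaluate_client_cert_headers(headers, ALLOWED_SPIFFE_IDS)
    status = "200 OK" if decision.allowed else "403 Forbidden"
    start_response(status, [("Content-Type", "text/plain")])
    return [decision.reason.encode("utf-8")]


# Constructed sample requests as the backend would see them (all values made up).
VERIFIED_REQUEST = {
    "X-Client-Cert-Present": "true",
    "X-Client-Cert-Chain-Verified": "true",
    "X-Client-Cert-Error": "",
    "X-Client-Cert-Hash": "3f2a9c1e7b4d8e6f0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f6071",
    "X-Client-Cert-SPIFFE": "spiffe://example.org/ns/prod/sa/checkout",
}
FAILED_CHAIN_REQUEST = {
    "X-Client-Cert-Present": "true",
    "X-Client-Cert-Chain-Verified": "false",
    "X-Client-Cert-Error": "sample_chain_error",
    "X-Client-Cert-SPIFFE": "spiffe://example.org/ns/prod/sa/checkout",
}

if __name__ == "__main__":
    for name, req in (("verified", VERIFIED_REQUEST), ("failed chain", FAILED_CHAIN_REQUEST), ("anonymous", {})):
        print(name, evaluate_client_cert_headers(req, ALLOWED_SPIFFE_IDS))
```

Because the load balancer already validated the chain, the backend's job is authorisation (is this identity allowed here?) rather than re-validation; the fingerprint pin is useful for a small set of known peers and is the wrong tool when certificates rotate frequently. Enabling backend-service logging, as the page's update command does, gives the X-Client-Cert-Error reasons a place to be investigated when a peer is unexpectedly rejected.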
    

What's next