This page shows examples of configuring mutual TLS (mTLS) for a global external Application Load Balancer.
Before you begin
- Read the External Application Load Balancer overview.
- Read the Mutual TLS overview.
- Set up mutual TLS with user-provided certificates or mutual TLS with a private CA.
- Global external Application Load Balancers support different
backend services and buckets.
Make sure that you have set up a global external Application Load Balancer with any of the
following supported backends:
- VM instance group backends
- Cloud Storage buckets (Supported only if there is at least one backend service also attached to the load balancer, in addition to the backend bucket)
- Cloud Run, App Engine, or Cloud Functions
- Hybrid connectivity
Set up mTLS for the load balancer
For mutual TLS authentication to work, after you set up a load balancer,
you need to update the target HTTPS proxy by using the ServerTLSPolicy
resource.
Ensure that you have already created the
ServerTLSPolicy
resource. For instructions, see Create the network security resources.To list all the target HTTPS proxies in your project, use the
gcloud compute target-https-proxies list
command:gcloud compute target-https-proxies list
Note the name of the target HTTPS proxy to attach the
ServerTLSPolicy
resource. This name is referred to asTARGET_HTTPS_PROXY_NAME
in the following steps.To export a target HTTPS proxy's configuration to a file, use the
gcloud beta compute target-https-proxies export
command.global
gcloud beta compute target-https-proxies export TARGET_HTTPS_PROXY_NAME \ --destination=TARGET_PROXY_FILENAME \ --global
Replace the following:
TARGET_HTTPS_PROXY_NAME
: the name of the target proxy.TARGET_PROXY_FILENAME
: the name of a yaml file. For example,mtls_target_proxy.yaml
.
List all the
ServerTlsPolicies
resources in the specified location of the current project.Console
In the Google Cloud console, go to the Client authentication page.
All the
ServerTlsPolicies
resources are displayed.
gcloud
To list all the Client authentication (
ServerTlsPolicies
) resources, use thegcloud network-security server-tls-policies list
command:gcloud network-security server-tls-policies list \ --location=REGION
Replace the following:
REGION
: useglobal
.Note the name of the
ServerTlsPolicies
resource to configure mTLS. This name is referred to asSERVER_TLS_POLICY_NAME
in the next step.To append the
ServerTlsPolicy
resource fileTARGET_PROXY_FILENAME
, use the following command. ReplacePROJECT_ID
with the ID of your Google Cloud project.echo "serverTlsPolicy: //networksecurity.googleapis.com/projects/PROJECT_ID/locations/REGION/serverTlsPolicies/SERVER_TLS_POLICY_NAME" >> TARGET_PROXY_FILENAME
To import a target HTTPS proxy's configuration from a file, use the
gcloud beta compute target-https-proxies import
command.global
gcloud beta compute target-https-proxies import TARGET_HTTPS_PROXY_NAME \ --source=TARGET_PROXY_FILENAME \ --global
Replace the following:
TARGET_HTTPS_PROXY_NAME
: the name of the target proxy.TARGET_PROXY_FILENAME
: the name of a yaml file. For example,mtls_target_proxy.yaml
.
Add mTLS custom headers
With mTLS enabled, you can use custom headers to pass information about the mTLS connection to backend services. You can also enable logging so that mTLS connection failures are captured in the logs.To list all the backend services in the project, use the
gcloud compute backend-services list
command:gcloud compute backend-services list
Note the name of the backend service to enable custom headers and logging. This name is referred to as
BACKEND_SERVICE
in the following step.To update the backend service, use the
gcloud compute backend-services update
command:gcloud compute backend-services update BACKEND_SERVICE \ --global \ --enable-logging \ --logging-sample-rate=1 \ --custom-request-header='X-Client-Cert-Present:{client_cert_present}' \ --custom-request-header='X-Client-Cert-Chain-Verified:{client_cert_chain_verified}' \ --custom-request-header='X-Client-Cert-Error:{client_cert_error}' \ --custom-request-header='X-Client-Cert-Hash:{client_cert_sha256_fingerprint}' \ --custom-request-header='X-Client-Cert-Serial-Number:{client_cert_serial_number}' \ --custom-request-header='X-Client-Cert-SPIFFE:{client_cert_spiffe_id}' \ --custom-request-header='X-Client-Cert-URI-SANs:{client_cert_uri_sans}' \ --custom-request-header='X-Client-Cert-DNSName-SANs:{client_cert_dnsname_sans}' \ --custom-request-header='X-Client-Cert-Valid-Not-Before:{client_cert_valid_not_before}' \ --custom-request-header='X-Client-Cert-Valid-Not-After:{client_cert_valid_not_after}'
What's next
- Set up mutual TLS for a classic Application Load Balancer
- Set up mutual TLS with a private CA
- Set up mutual TLS with user-provided certificates
- View logs for mTLS client certificate validation
- Clean up a load balancing setup