This document shows you how to create a global external Application Load Balancer with a backend service and a backend bucket that are located in a project that is different from where the load balancer's frontend and the URL map are located. This deployment model is known as cross-project service referencing.
The example used in this document does not use a Shared VPC environment to configure cross-project service referencing. To learn more about how to configure cross-project service referencing in a Shared VPC environment, see Set up a global external Application Load Balancer with Shared VPC.
Before you begin
Make sure that your setup meets the following prerequisites.
IAM roles and permissions required
To follow this guide, you must have the following IAM roles:
| Task | Required role | 
|---|---|
| Create a project | Project Creator role ( roles/resourcemanager.projectCreator) | 
| Create compute resources | Compute Network Admin role ( roles/compute.networkAdmin) | 
| Create Cloud Storage buckets | Storage Object Admin role ( roles/storage.objectAdmin) | 
| Use a resource from a different project (In this example, project A references the backend service and backend bucket that are located in project B.) | In this example, an administrator of project B must grant
      the
      Compute
      Load Balancer Services User role
      ( To learn more about how to assign this role, see Grant permissions to the Compute Load Balancer Admin to use the backend service. | 
Create Google Cloud projects
For the example in this document, follow the instructions two times to create two Google Cloud projects.
Console
To create a new project, do the following:
- 
    Go to the Manage resources page in the Google Cloud console.
    
    
    
    
    
The remaining steps appear in the Google Cloud console. 
- On the Select organization drop-down list at the top of the page, select the organization resource in which you want to create a project. If you are a free trial user, skip this step, as this list does not appear.
- Click Create Project.
- In the New Project window that appears, enter a project name and select a billing account as applicable. A project name can contain only letters, numbers, single quotes, hyphens, spaces, or exclamation points, and must be between 4 and 30 characters.
- Enter the parent organization or folder resource in the Location box. That resource will be the hierarchical parent of the new project. If No organization is an option, you can select it to create your new project as the top level of its own resource hierarchy.
- When you're finished entering new project details, click Create.
gcloud
- 
  
    
    
      
    
  
  
    
  
  
  
  
    
    In the Google Cloud console, activate Cloud Shell. At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize. 
- To create a new project, use the - gcloud projects createcommand:- gcloud projects create PROJECT_ID- Where PROJECT_ID is the ID for the project you want to create. A project ID must start with a lowercase letter, and can contain only ASCII letters, digits, and hyphens, and must be between 6 and 30 characters. 
Setup overview
As depicted in the following diagram, a global external Application Load Balancer's frontend and URL map are created in a project that is different from the load balancer's backend service and backend bucket. This type of cross-project deployment doesn't use a Shared VPC environment.
In this configuration, the URL map routes requests for static content
(/images/*) to a backend bucket whereas all other requests are routed to the
default backend service.
The following table provides an overview of the resources that are created in project A and project B. The load balancer's frontend and URL map are created in project A whereas the backend components are created in project B.
| Resources created in project A | Resources created in project B | 
|---|---|
| 
 | 
 | 
In the following sections, we will configure the different resources listed in the preceding table, starting with configuring a VPC network and a subnet for the load balancer's backend VMs in project B.
Configure a network and a subnet for the load balancer's backend VMs in project B
For the purpose of this example, the backend VMs are created in the following network and subnet:
- Network. The network is a custom mode VPC network named - lb-network.
- Subnet for load balancer's backends VMs A subnet named - lb-backend-subnetin the- us-west1region uses- 10.1.2.0/24for its primary IP range. A subnet's primary and secondary IPv4 address ranges are regional internal IPv4 addresses. For more information, see Valid IPv4 ranges.
Console
- In the Google Cloud console, go to the VPC networks page. 
- Click Create VPC network. 
- For Name, enter - lb-network.
- In the Subnets section, set the Subnet creation mode to Custom. 
- In the New subnet section, enter the following information: - Name: lb-backend-subnet
- Select a Region: us-west1
- IP address range: 10.1.2.0/24
 
- Name: 
- Click Done. 
- Click Create. 
gcloud
- Create a custom VPC network, named - lb-network, with the- gcloud compute networks createcommand.- gcloud compute networks create lb-network \ --subnet-mode=custom \ --project=PROJECT_B_ID
- Create a subnet in the - lb-networkVPC network in the- us-west1region with the- gcloud compute networks subnets createcommand.- gcloud compute networks subnets create lb-backend-subnet \ --network=lb-network \ --range=10.1.2.0/24 \ --region=us-west1 \ --project=PROJECT_B_ID
Configure a backend service in project B
To configure a backend service, you need to do the following:
- Create an instance template.
- Create an instance group.
- Create a health check.
- Create a firewall rule.
- Create a backend service.
Create an instance template
The precursor to creating a managed instance group is the creation of an instance template, which is a resource that you can use to create virtual machine (VM) instances. Traffic from clients is load balanced to VMs in an instance group. The managed instance group provides VMs that run the backend servers of an external Application Load Balancer. In this example, the backends serve their own hostnames.
Console
- In the Google Cloud console, go to the Compute Engine Instance templates page. 
- Click Create instance template. 
- For Name, enter - backend-template.
- In the Boot disk section, ensure that the boot disk is set to a Debian image, such as Debian GNU/Linux 12 (bookworm). Click Change to change the image if necessary. 
- Expand the Advanced options section. 
- Expand Networking and configure the following fields: - For Network tags, enter load-balanced-backend.
- In the Network interfaces section, configure the
following fields:
- Network: lb-network
- Subnet: lb-backend-subnet
- IP stack type: IPv4
 
- Network: 
- Click Done
 
- For Network tags, enter 
- Expand Management. In the Startup script field, enter the following script: - #! /bin/bash apt-get update apt-get install apache2 -y a2ensite default-ssl a2enmod ssl # Retrieve the instance name from metadata vm_hostname="$(curl -H "Metadata-Flavor:Google" \ http://metadata.google.internal/computeMetadata/v1/instance/name)" # Create an index file echo "Page served from: $vm_hostname" | \ tee /var/www/html/index.html # Restart Apache to apply changes systemctl restart apache2' \ 
- Click Create. 
gcloud
- Create an instance template. - gcloud compute instance-templates create INSTANCE_TEMPLATE_NAME \ --region=us-west1 \ --network=projects/PROJECT_B_ID/global/networks/lb-network \ --subnet=projects/PROJECT_B_ID/regions/us-west1/subnetworks/lb-backend-subnet \ --tags=load-balanced-backend \ --image-family=debian-12 \ --image-project=debian-cloud \ --metadata=startup-script='#! /bin/bash apt-get update apt-get install apache2 -y a2ensite default-ssl a2enmod ssl # Retrieve the instance name from metadata vm_hostname="$(curl -H "Metadata-Flavor:Google" \ http://metadata.google.internal/computeMetadata/v1/instance/name)" # Create an index file echo "Page served from: $vm_hostname" | \ tee /var/www/html/index.html # Restart Apache to apply changes systemctl restart apache2' \ --project=PROJECT_B_ID
Create a managed instance group
Console
- In the Google Cloud console, go to the Compute Engine Instance groups page. 
- Click Create Instance Group. 
- From the options, select New managed instance group (stateless). 
- For the name of the instance group, enter - lb-backend.
- In the Instance template list, select the instance template - backend-templatethat you created in the previous step.
- In the Location section, select Single zone, and enter the following values: - For Region, select - us-west1.
- For Zone, select - us-west1-a.
 
- In the Autoscaling section, enter the following values: - For Autoscaling mode, select On: add and remove instances to the group. 
- For Minimum number of instances, select - 2.
- For Maximum number of instances, select - 3.
 
- In the Port mapping section, click Add port, and enter the following values: - For Port name, enter - http.
- For Port number, enter - 80.
 
- Click Create. 
gcloud
- Create a managed instance group and select the instance template that you created in the preceding step: - gcloud compute instance-groups managed create INSTANCE_GROUP_NAME \ --zone=us-west1-a \ --size=2 \ --template=INSTANCE_TEMPLATE_NAME \ --project=PROJECT_B_ID
- Add a named port to the instance group: - gcloud compute instance-groups set-named-ports INSTANCE_GROUP_NAME \ --named-ports=http:80 \ --zone=us-west1-a \ --project=PROJECT_B_ID
Create a health check
Health checks are tests that confirm the availability of backends. Create a health check that uses the HTTP protocol and probes on port 80. Later, you'll attach this health check to the backend service referenced by the load balancer.
Console
- In the Google Cloud console, go to the Compute Engine Health checks page. 
- For the name of the health check, enter - lb-health-check.
- Set the protocol to HTTP. 
- Click Create. 
gcloud
Create an HTTP health check.
gcloud compute health-checks create http lb-health-check \ --use-serving-port \ --project=PROJECT_B_ID
Create a firewall rule
For the health check probes, you must create an ingress allow firewall rule at
the network level, which for the purpose of this example is lb-network. This
firewall rule allows health check probes to reach your backend instances. This
example uses the following firewall rule:
- fw-allow-health-check. An ingress rule, applicable to the instances being load balanced, that allows all TCP traffic from the Google Cloud health checking systems in- 130.211.0.0/22and- 35.191.0.0/16. This example uses the target tag- load-balanced-backendto identify the instances to which it should apply.
Console
- In the Google Cloud console, go to the Firewall policies page. 
- Click Create firewall rule to create the rule to allow incoming SSH connections on the client VM: - Name: fw-allow-health-check
- Network: lb-network
- Direction of traffic: Ingress
- Action on match: Allow
- Targets: Specified target tags
- Target tags: load-balanced-backend
- Source filter: IPv4 ranges
- Source IPv4 ranges: 130.211.0.0/22and35.191.0.0/16
- Protocols and ports:
- Choose Specified protocols and ports.
- Select the TCP checkbox, and then enter 80for the port number. As a best practice, limit this rule to just the protocols and ports that match those used by your health check. If you use tcp:80 for the protocol and port, Google Cloud can use HTTP on port 80 to contact your VMs, but it cannot use HTTPS on port 443 to contact them.
 
 
- Name: 
- Click Create. 
gcloud
- Create the - fw-allow-health-checkfirewall rule to allow Google Cloud health checks. This example allows all TCP traffic from health check probers. However, you can configure a narrower set of ports to meet your needs.- gcloud compute firewall-rules create FIREWALL_RULE_NAME \ --network=lb-network \ --action=allow \ --direction=ingress \ --source-ranges=130.211.0.0/22,35.191.0.0/16 \ --target-tags=load-balanced-backend \ --rules=tcp \ --project=PROJECT_B_ID 
Create a backend service
Create a global backend service to distribute traffic among backends. As a part of this step, you need to assign the health check that you created to the backend service and add the instance group as the backend to the backend service.
Console
- In the Google Cloud console, go to the Load balancing page. 
- Go to the Backends section. 
- Click Create backend service. 
- For Global backend service, click the Create button next to it. 
- For the name of the backend service, enter - cross-ref-backend-service.
- For Backend type, select Instance group. 
- Set Protocol to HTTP. 
- In the Named port field, enter - http. This is the same port name that you entered while creating the managed instance group.
- To add backends to the backend service, do the following: - In the Backends section, set the Instance group to - lb-backend, which is the managed instance group that you created in an earlier step.
- For Port numbers, enter - 80.
- To add the backend, click Done. 
 
- To add a health check, in the Health check list, select - lb-health-check, which is the health check that you created earlier.
- To create the backend service, click Create. 
gcloud
- Create a global backend service to distribute traffic among backends: - gcloud compute backend-services create BACKEND_SERVICE_NAME \ --load-balancing-scheme=EXTERNAL_MANAGED \ --protocol=HTTP \ --port-name=http \ --health-checks=HEALTH_CHECK_NAME \ --global \ --project=PROJECT_B_ID
- Add your instance group as the backend to the backend service: - gcloud compute backend-services add-backend BACKEND_SERVICE_NAME \ --instance-group=INSTANCE_GROUP_NAME \ --instance-group-zone=us-west1-a \ --global \ --project=PROJECT_B_ID
Configure a backend bucket in project B
To create a backend bucket, you need to do the following:
- Create the Cloud Storage bucket.
- Copy content to the bucket.
- Make the bucket publicly accessible.
- Create a backend bucket and point it to the Cloud Storage bucket.
Create a Cloud Storage bucket
Console
- In the Google Cloud console, go to the Cloud Storage Buckets page.
 
- Click Create. 
- In the Name your bucket box, enter a globally unique name that follows the naming guidelines. 
- Click Choose where to store your data. 
- Set Location type to Region. 
- From the list of regions, select us-east1. 
- Click Create. 
gcloud
- Create a bucket in the - us-east1region with the- gcloud storage buckets createcommand.- gcloud storage buckets create gs://BUCKET_NAME \ --default-storage-class=standard \ --location=us-east1 \ --uniform-bucket-level-access \ --project=PROJECT_B_ID
Replace the variable BUCKET_NAME with your Cloud Storage bucket name.
Copy a graphic file to your Cloud Storage bucket
Run the following command in Cloud Shell, replacing the bucket name
variables with your unique Cloud Storage bucket name, to copy the graphic file from a public
Cloud Storage bucket to the images/ folder in your own Cloud Storage bucket:
gcloud storage cp gs://gcp-external-http-lb-with-bucket/three-cats.jpg gs://BUCKET_NAME/images/
Make your Cloud Storage bucket publicly readable
To make all objects in a bucket readable to everyone on the public internet,
grant the principal allUsers the Storage Object Viewer role
(roles/storage.objectViewer).
Console
To grant all users access to view objects in your buckets, repeat the following procedure for each bucket:
- In the Google Cloud console, go to the Cloud Storage Buckets page.
 
- In the list of buckets, click the name of the bucket that you want to make public. 
- Select the Permissions tab near the top of the page. 
- In the Permissions section, click the Grant access button. The Grant access dialog appears. 
- In the New principals field, enter - allUsers.
- In the Select a role field, enter - Storage Object Viewerin the filter box and select the Storage Object Viewer from the filtered results.
- Click Save. 
- Click Allow public access. 
gcloud
To grant all users access to view objects in your buckets, run the buckets add-iam-policy-binding command.
gcloud storage buckets add-iam-policy-binding gs://BUCKET_NAME --member=allUsers --role=roles/storage.objectViewer
Replace the bucket name variables with your unique Cloud Storage bucket names.
Create a backend bucket
Backend buckets serve as a wrapper to the Cloud Storage buckets that you created earlier. They direct incoming traffic to Cloud Storage buckets.
Console
- In the Google Cloud console, go to the Load balancing page. 
- Go to the Backends section. 
- Click Create backend bucket. 
- Enter a name for your backend bucket. 
- Select a Cloud Storage bucket to point your backend bucket to. 
- Click Create. 
gcloud
Create a backend bucket with the
gcloud compute backend-buckets create command in project B.
gcloud compute backend-buckets create BACKEND_BUCKET_NAME \ --gcs-bucket-name=BUCKET_NAME \ --project=PROJECT_B_ID
Configure the load balancer frontend components in project A
This section shows you how to configure the following load balancer frontend components in project A:
- IP address
- SSL certificate
- URL map
- Target proxy
- Forwarding rule
Reserve the load balancer's IP address
Reserve a global static external IP address that can be assigned to the forwarding rule of the load balancer.
Console
- In the Google Cloud console, go to the VPC IP addresses page. 
- Click Reserve external static IP address. 
- For Name, enter - cross-ref-ip-address.
- Set Network Service Tier to Premium. 
- Set IP version to IPv4. 
- Set Type to Global. 
- Click Reserve. 
gcloud
Create a global static external IP address.
gcloud compute addresses create IP_ADDRESS_NAME \
    --ip-version=IPV4 \
    --network-tier=PREMIUM \
    --global \
    --project=PROJECT_A_ID
Set up an SSL certificate resource
In this example, you can use HTTP or HTTPS as the request-and-response protocol between the client and the load balancer. To create an HTTPS load balancer, you must add an SSL certificate resource to the load balancer's frontend.
Create an SSL certificate resource as described in the following documentation:
We recommend using a Google-managed certificate.
After you create the certificate, you can attach the certificate to the HTTPS target proxy.
Configure the components of a global external Application Load Balancer
Console
Select the load balancer type
- In the Google Cloud console, go to the Load balancing page. 
- Click Create load balancer.
- For Type of load balancer, select Application Load Balancer (HTTP/HTTPS) and click Next.
- For Public facing or internal, select Public facing (external) and click Next.
- For Global or single region deployment, select Best for global workloads and click Next.
- For Load balancer generation, select Global external Application Load Balancer and click Next.
- Click Configure.
Basic configuration
- Enter a name for your load balancer.
- Keep the page open to continue.
Configure the frontend
For HTTP:
- Click Frontend configuration.
- Enter a name for the forwarding rule.
- Set the Protocol to HTTP.
- Select the IP address that you created in Reserve the load balancer's IP address.
- Set the Port to 80.
- Click Done.
For HTTPS:
If you are using HTTPS between the client and the load balancer, you need one or more SSL certificate resources to configure the proxy. For information about how to create SSL certificate resources, see SSL certificates.
- Click Frontend configuration.
- Enter a name for the forwarding rule.
- In the Protocol field, select HTTPS (includes HTTP/2).
- Select the IP address that you created in Reserve the load balancer's IP address.
- Ensure that the Port is set to 443to allow HTTPS traffic.
- Click the Certificate list.
- Select te name of the SSL certificate that you created earlier.
- Click Done.
Configure the backend
- Click Backend configuration.
- Click Cross-project backend services.
- For Project ID, enter the project ID for project B.
- From the Select backend services list, select the backend service from project B that you want to use.
- Click OK.
Configure the routing rules
- Click Routing rules. 
- For mode, select Advanced host and path rule. 
- Select Add host and path rule. 
- In the Hosts field, enter - *to match all hostnames.
- In the Patch matcher section, enter the following YAML configuration. - defaultService: projects/PROJECT_B_ID/global/backendServices/BACKEND_SERVICE_NAME name: PATH_MATCHER_NAME pathRules: - paths: - /images/* service: projects/PROJECT_B_ID/global/backendBuckets/BACKEND_BUCKET_NAME- The path matcher, in this example, is comprised of a path rule and a default service. The path rule routes all requests to - /images/*to a backend bucket. All other requests are routed to the default backend service.
- Click Done. 
For information about traffic management, see Traffic management overview.
Review and finalize the configuration
- Review the different components of the load balancer that you have configured in the preceding steps. You will notice that the Backends section has reference to both the backend service and the backend bucket. 
- Click Create. 
gcloud
To create the aforementioned load balancing components using the gcloud CLI, follow these steps:
- Create a URL map with the - gcloud compute url-maps createcommand.- gcloud compute url-maps create URL_MAP_NAME \ --default-service=projects/PROJECT_B_ID/global/backendServices/BACKEND_SERVICE_NAME \ --global \ --project=PROJECT_A_ID 
- Add a path matcher for the URL map. The path matcher, in this example, is comprised of a path rule and a default service. The path rule routes all requests to - /images/*to a backend bucket. All other requests are routed to the default backend service.- gcloud compute url-maps add-path-matcher URL_MAP_NAME \ --path-matcher-name=PATH_MATCHER_NAME \ --default-service=projects/PROJECT_B_ID/global/backendServices/BACKEND_SERVICE_NAME \ --backend-bucket-path-rules=/images/*=projects/PROJECT_B_ID/global/backendBuckets/BACKEND_BUCKET_NAME 
- Create a target proxy with the - gcloud compute target-http-proxies createcommand.- For HTTP traffic, create a target HTTP proxy to route requests to the URL map: - gcloud compute target-http-proxies create TARGET_HTTP_PROXY_NAME \ --url-map=URL_MAP_NAME \ --global \ --project=PROJECT_A_ID - For HTTPS traffic, create a target HTTPS proxy to route requests to the URL map. The proxy is the part of the load balancer that holds the SSL certificate for an HTTPS load balancer. After you create the certificate, you can attach the certificate to the HTTPS target proxy. - gcloud compute target-https-proxies create TARGET_HTTPS_PROXY_NAME \ --url-map=URL_MAP_NAME \ --ssl-certificates=CERTIFICATE_NAME \ --global \ --project=PROJECT_A_ID - Replace - CERTIFICATE_NAMEwith the name of the SSL certificate.
- Create a global forwarding rule with the - gcloud compute forwarding-rules createcommand.- For HTTP traffic, create the global forwarding rules to route incoming requests to the HTTP target proxy: - gcloud compute forwarding-rules create HTTP_FORWARDING_RULE_NAME \ --load-balancing-scheme=EXTERNAL_MANAGED \ --address=IP_ADDRESS_NAME \ --global \ --target-http-proxy=TARGET_HTTP_PROXY_NAME \ --ports=80 \ --project=PROJECT_A_ID - For HTTPS traffic, create the global forwarding rules to route incoming requests to the HTTPS target proxy: - gcloud compute forwarding-rules create HTTPS_FORWARDING_RULE_NAME \ --load-balancing-scheme=EXTERNAL_MANAGED \ --address=IP_ADDRESS_NAME \ --global \ --target-https-proxy=TARGET_HTTPS_PROXY_NAME \ --ports=443 \ --project=PROJECT_A_ID 
Test the load balancer
It can take a few minutes for your load balancer to be configured following which you can send a request to the load balancer. In this example, the request is sent to the HTTP forwarding rule of the load balancer.
Get the IP address of the load balancer's HTTP forwarding rule.
gcloud compute forwarding-rules describe HTTP_FORWARDING_RULE_NAME \
    --global
If you were to point your browser to http://IP_ADDRESS, the request is routed to the backend service, which returns a page with minimal information about the backend instance.
However, if you were to point your browser to
http://IP_ADDRESS/images/three-cats.jpg, the request to /images/*
is routed to the backend bucket, which returns the graphic file.