This document provides instructions for configuring Internal HTTP(S) Load Balancing for your services running on Compute Engine VMs.
To configure load balancing for your services running in GKE pods, see Container-native load balancing with standalone NEGs and the Attaching an internal HTTP(S) load balancer to standalone NEGs section.
Setting up Internal HTTP(S) Load Balancing has two phases:
- Performing prerequisite tasks, such as ensuring that required accounts have the correct permissions and preparing the Virtual Private Cloud (VPC) network.
- Setting up the load balancer resources.
Before following this guide, familiarize yourself with the following:
- Internal HTTP(S) Load Balancing overview, including the Limitations section
- VPC firewall rules overview
Permissions
To follow this guide, you must be able to create instances and modify a network in a project. You must be either a project owner or editor, or you must have all of the following Compute Engine IAM roles.
| Task | Required role |
|---|---|
| Create networks, subnets, and load balancer components | Network Admin |
| Add and remove firewall rules | Security Admin |
| Create instances | Instance Admin |
For more information, see the following guides:
Setup overview
You can configure Internal HTTP(S) Load Balancing as described in the following high-level configuration flow. The numbered steps refer to the numbers in the diagram.
As shown in the diagram, this example creates an internal HTTP(S) load balancer in a
VPC network in region us-west1, with one backend service
and two backend groups.
The diagram shows the following:
A VPC network with two subnets:
One subnet is used for backends (instance groups and NEGs) and the forwarding rule. Its primary IP address range is
10.1.2.0/24.One subnet is a proxy-only subnet in the
us-west1region. You must create one proxy-only subnet in each region of a VPC network where you use internal HTTP(S) load balancers. The region's proxy-only subnet is shared among all internal HTTP(S) load balancers in the region. Source addresses of packets sent from the internal HTTP(S) load balancer to your service's backends are allocated from the proxy-only subnet. In this example, the proxy-only subnet for the region has a primary IP address range of10.129.0.0/23, which is the recommended subnet size. For more information, see Proxy-only subnets for internal HTTP(S) load balancers.
A firewall rule that permits proxy-only subnet traffic flows in your network. This means adding one rule that allows TCP port
80,443, and8080traffic from10.129.0.0/23(the range of the proxy-only subnet in this example). Another firewall rule for the health check probes.Backend instances. This example diagram demonstrates the following backend deployments:
- Compute Engine VMs
- Google Kubernetes Engine (GKE) backends added to standalone network endpoint groups (NEGs)
Instance groups and NEGs:
- Managed or unmanaged instance groups for Compute Engine VM deployments
- NEGs for GKE deployments
In each zone, you can have a combination of backend group types based on the requirements of your deployment.
A regional health check that reports the readiness of your backends.
A regional backend service that monitors the usage and health of backends.
A regional URL map that parses the URL of a request and forwards requests to specific backend services based on the host and path of the request URL.
A regional target HTTP or HTTPS proxy, which receives a request from the user and forwards it to the URL map. For HTTPS, configure a regional SSL certificate resource. The target proxy uses the SSL certificate to decrypt SSL traffic if you configure HTTPS load balancing. The target proxy can forward traffic to your instances by using HTTP or HTTPS.
A forwarding rule, which has the internal IP address of your load balancer, to forward each incoming request to the target proxy.
Configuring the network and subnets
You need a VPC network with two subnets: one for the load balancer's backends and the other for the load balancer's proxies. An internal HTTP(S) load balancer is regional. Traffic within the VPC network is routed to the load balancer if the traffic's source is in a subnet in the same region as the load balancer.
This example uses the following VPC network, region, and subnets:
Network. The network is a custom-mode VPC network named
lb-network.Subnet for backends. A subnet named
backend-subnetin theus-west1region uses10.1.2.0/24for its primary IP range.Subnet for proxies. A subnet named
proxy-only-subnetin theus-west1region uses10.129.0.0/23for its primary IP range.
Configuring the network and subnet for backends
Cloud Console
- Go to the VPC network page in the Google Cloud Console.
Go to the VPC network page - Click Create VPC network.
- For the Name, enter
lb-network. - In the Subnets section:
- Set the Subnet creation mode to Custom.
- In the New subnet section, enter the following information:
- Name:
backend-subnet - Region:
us-west1 - IP address range:
10.1.2.0/24
- Name:
- Click Done.
- Click Create.
gcloud
Create the custom VPC network with the
gcloud compute networks createcommand:gcloud compute networks create lb-network --subnet-mode=custom
Create a subnet in the
lb-networknetwork in theus-west1region with thegcloud compute networks subnets createcommand:gcloud compute networks subnets create backend-subnet \ --network=lb-network \ --range=10.1.2.0/24 \ --region=us-west1
API
Make a POST request to the
networks.insert method,
replacing project-id with your project ID.
POST https://www.googleapis.com/compute/v1/projects/project-id/global/networks
{
"routingConfig": {
"routingMode": "REGIONAL"
},
"name": "lb-network",
"autoCreateSubnetworks": false
}
Make a POST request to the
subnetworks.insert method,
replacing project-id with your project ID.
POST https://www.googleapis.com/compute/v1/projects/project-id/regions/us-west1/subnetworks
{
"name": "backend-subnet",
"network": "projects/project-id/global/networks/lb-network",
"ipCidrRange": "10.1.2.0/24",
"region": "projects/project-id/regions/us-west1",
}
Configuring the proxy-only subnet
The proxy-only subnet is for all internal HTTP(S) load balancers in the us-west1 region.
Cloud Console
If you're using the Google Cloud Console, you can wait and create the proxy-only subnet later on the Load balancing page.
gcloud
Create the proxy-only subnet with the gcloud compute networks subnets
create command.
gcloud compute networks subnets create proxy-only-subnet \ --purpose=INTERNAL_HTTPS_LOAD_BALANCER \ --role=ACTIVE \ --region=us-west1 \ --network=lb-network \ --range=10.129.0.0/23
API
Create the proxy-only subnet with the
subnetworks.insert
method, replacing project-id with your project ID.
POST https://www.googleapis.com/compute/projects/project-id/regions/us-west1/subnetworks
{
"name": "proxy-only-subnet",
"ipCidrRange": "10.129.0.0/23",
"network": "projects/project-id/global/networks/lb-network",
"region": "projects/project-id/regions/us-west1",
"purpose": "INTERNAL_HTTPS_LOAD_BALANCER",
"role": "ACTIVE"
}
Configuring firewall rules
This example uses the following firewall rules:
fw-allow-ssh. An ingress rule, applicable to the instances being load balanced, that allows incoming SSH connectivity on TCP port22from any address. You can choose a more restrictive source IP range for this rule; for example, you can specify just the IP ranges of the system from which you initiate SSH sessions. This example uses the target tagallow-sshto identify the VMs to which the firewall rule applies.fw-allow-health-check. An ingress rule, applicable to the instances being load balanced, that allows all TCP traffic from the Google Cloud health checking systems (in130.211.0.0/22and35.191.0.0/16). This example uses the target tagload-balanced-backendto identify the instances to which it should apply.fw-allow-proxies. An ingress rule, applicable to the instances being load balanced, that allows TCP traffic on ports80,443, and8080from the internal HTTP(S) load balancer's managed proxies. This example uses the target tagload-balanced-backendto identify the instances to which it should apply.
Without these firewall rules, the default deny ingress rule blocks incoming traffic to the backend instances.
Cloud Console
- Go to the Firewall rules page in the Google Cloud Console.
Go to the Firewall rules page - Click Create firewall rule to create the rule to allow incoming
SSH connections:
- Name:
fw-allow-ssh - Network:
lb-network - Direction of traffic: ingress
- Action on match: allow
- Targets: Specified target tags
- Target tags:
allow-ssh - Source filter:
IP ranges - Source IP ranges:
0.0.0.0/0 - Protocols and ports:
- Choose Specified protocols and ports.
- Check
tcpand type22for the port number.
- Name:
- Click Create.
- Click Create firewall rule a second time to create the rule to allow
Google Cloud health checks:
- Name:
fw-allow-health-check - Network:
lb-network - Direction of traffic: ingress
- Action on match: allow
- Targets: Specified target tags
- Target tags:
load-balanced-backend - Source filter:
IP ranges - Source IP ranges:
130.211.0.0/22and35.191.0.0/16 - Protocols and ports:
- Choose Specified protocols and ports.
- Check
tcpand enter80. As a best practice, limit this rule to just the protocols and ports that match those used by your health check. If you usetcp:80for the protocol and port, Google Cloud can use HTTP on port80to contact your VMs, but it cannot use HTTPS on port443to contact them.
- Name:
- Click Create.
- Click Create firewall rule a third time to create the rule to allow
the load balancer's proxy servers to connect the backends:
- Name:
fw-allow-proxies - Network:
lb-network - Direction of traffic: ingress
- Action on match: allow
- Targets: Specified target tags
- Target tags:
load-balanced-backend - Source filter:
IP ranges - Source IP ranges:
10.129.0.0/23 - Protocols and ports:
- Choose Specified protocols and ports.
- Check
tcpand type80, 443, 8080for the port numbers.
- Name:
- Click Create.
gcloud
Create the
fw-allow-sshfirewall rule to allow SSH connectivity to VMs with the network tagallow-ssh. When you omitsource-ranges, Google Cloud interprets the rule to mean any source.gcloud compute firewall-rules create fw-allow-ssh \ --network=lb-network \ --action=allow \ --direction=ingress \ --target-tags=allow-ssh \ --rules=tcp:22Create the
fw-allow-health-checkrule to allow Google Cloud health checks. This example allows all TCP traffic from health check probers; however, you can configure a narrower set of ports to meet your needs.gcloud compute firewall-rules create fw-allow-health-check \ --network=lb-network \ --action=allow \ --direction=ingress \ --source-ranges=130.211.0.0/22,35.191.0.0/16 \ --target-tags=load-balanced-backend \ --rules=tcpCreate the
fw-allow-proxiesrule to allow the internal HTTP(S) load balancer's proxies to connect to your backends.gcloud compute firewall-rules create fw-allow-proxies \ --network=lb-network \ --action=allow \ --direction=ingress \ --source-ranges=10.129.0.0/23 \ --target-tags=load-balanced-backend \ --rules=tcp:80,tcp:443,tcp:8080
API
Create the fw-allow-ssh firewall rule by making a POST request to
the firewalls.insert
method, replacing project-id with your project ID.
POST https://www.googleapis.com/compute/v1/projects/project-id/global/firewalls
{
"name": "fw-allow-ssh",
"network": "projects/project-id/global/networks/lb-network",
"sourceRanges": [
"0.0.0.0/0"
],
"targetTags": [
"allow-ssh"
],
"allowed": [
{
"IPProtocol": "tcp",
"ports": [
"22"
]
}
],
"direction": "INGRESS"
}
Create the fw-allow-health-check firewall rule by making a POST request to
the firewalls.insert
method, replacing project-id with your project ID.
POST https://www.googleapis.com/compute/v1/projects/project-id/global/firewalls
{
"name": "fw-allow-health-check",
"network": "projects/project-id/global/networks/lb-network",
"sourceRanges": [
"130.211.0.0/22",
"35.191.0.0/16"
],
"targetTags": [
"load-balanced-backend"
],
"allowed": [
{
"IPProtocol": "tcp"
}
],
"direction": "INGRESS"
}
Create the fw-allow-proxies firewall rule to allow TCP traffic within the
proxy subnet for the
firewalls.insert
method, replacing project-id with your project ID.
POST https://www.googleapis.com/compute/v1/projects/{project}/global/firewalls
{
"name": "fw-allow-proxies",
"network": "projects/project-id/global/networks/lb-network",
"sourceRanges": [
"10.129.0.0/23"
],
"targetTags": [
"load-balanced-backend"
],
"allowed": [
{
"IPProtocol": "tcp",
"ports": [
"80"
]
},
{
"IPProtocol": "tcp",
"ports": [
"443"
]
},
{
"IPProtocol": "tcp",
"ports": [
"8080"
]
}
],
"direction": "INGRESS"
}
Configuring Internal HTTP(S) Load Balancing with a VM-based service
This section shows the configuration required for services that run on Compute Engine VMs. Client VMs connect to the IP address and port that you configure in the forwarding rule. When your client applications send traffic to this IP address and port, their requests are forwarded to your backend virtual machines (VMs) according to your internal HTTP(S) load balancer's URL map.
The example on this page explicitly sets a reserved internal IP address for the internal HTTP(S) load balancer's forwarding rule, rather than allowing an ephemeral internal IP address to be allocated. As a best practice, we recommend reserving IP addresses for forwarding rules.
For the forwarding rule's IP address, use the backend-subnet. If you
try to use the proxy-only
subnet, forwarding rule
creation fails.
Creating a managed instance group
This section shows how to create a template and a managed instance group. The managed instance group provides VM instances running the backend servers of an example internal HTTP(S) load balancer. Traffic from clients is load balanced to these backend servers. For demonstration purposes, backends serve their own hostnames.
Cloud Console
- Go to the Instance groups page in the Cloud Console.
- Click Create instance group.
- Choose New managed instance group on the left.
- For the Name, enter
l7-ilb-backend-example. - Under Location, select Single zone.
- For the Region, select
us-west1. - For the Zone, select
us-west1-a. Under Instance template, select Create a new instance template.
- For the Name, enter
l7-ilb-backend-template. - Ensure that the Boot disk is set to a Debian image, such as
Debian GNU/Linux 9 (stretch). These instructions use commands that
are only available on Debian, such as
apt-get. Under Management, security, disks, networking, sole tenancy, on the Management tab, insert the following script into the Startup script field.
#! /bin/bash apt-get update apt-get install apache2 -y a2ensite default-ssl a2enmod ssl vm_hostname="$(curl -H "Metadata-Flavor:Google" \ http://169.254.169.254/computeMetadata/v1/instance/name)" echo "Page served from: $vm_hostname" | \ tee /var/www/html/index.html systemctl restart apache2'
Under Networking, select
lb-networkas the Network, and for the Subnet, selectbackend-subnet.Add the following network tags:
allow-sshandload-balanced-backend.Click Save and continue.
- For the Name, enter
Specify the number of instances that you want to create in the group.
For this example, under Autoscaling mode, you can select:
- Don't configure autoscaling
- Under Number of instances, enter
2
Optionally, in the Autoscaling section of the UI, you can configure the instance group to automatically add or remove instances based on instance CPU usage.
Click Create to create the new instance group.
gcloud
The gcloud instructions in this guide assume that you are using Cloud
Shell or another environment with bash installed.
Create a VM instance template with HTTP server with the
gcloud compute instance-templates createcommand.gcloud compute instance-templates create l7-ilb-backend-template \ --region=us-west1 \ --network=lb-network \ --subnet=backend-subnet \ --tags=allow-ssh,load-balanced-backend \ --image-family=debian-9 \ --image-project=debian-cloud \ --metadata=startup-script='#! /bin/bash apt-get update apt-get install apache2 -y a2ensite default-ssl a2enmod ssl vm_hostname="$(curl -H "Metadata-Flavor:Google" \ http://169.254.169.254/computeMetadata/v1/instance/name)" echo "Page served from: $vm_hostname" | \ tee /var/www/html/index.html systemctl restart apache2'
Create a managed instance group in the zone with the
gcloud compute instance-groups managed createcommand.gcloud compute instance-groups managed create l7-ilb-backend-example \ --zone=us-west1-a \ --size=2 \ --template=l7-ilb-backend-template
API
Create the instance template with the
instanceTemplates.insert
method, replacing [project-id] with your project ID.
POST https://www.googleapis.com/compute/v1/projects/[project-id]/global/instanceTemplates
{
"name":"l7-ilb-backend-template",
"properties":{
"machineType":"n1-standard-1",
"tags":{
"items":[
"allow-ssh",
"load-balanced-backend"
]
},
"metadata":{
"kind":"compute#metadata",
"items":[
{
"key":"startup-script",
"value":"#! /bin/bash\napt-get update\napt-get install apache2 -y\na2ensite default-ssl\na2enmod ssl\nvm_hostname=\"$(curl -H \"Metadata-Flavor:Google\" \\\nhttp://169.254.169.254/computeMetadata/v1/instance/name)\"\necho \"Page served from: $vm_hostname\" | \\\ntee /var/www/html/index.html\nsystemctl restart apache2"
}
]
},
"networkInterfaces":[
{
"network":"projects/[project-id]/global/networks/lb-network",
"subnetwork":"regions/us-west1/subnetworks/backend-subnet",
"accessConfigs":[
{
"type":"ONE_TO_ONE_NAT"
}
]
}
],
"disks":[
{
"index":0,
"boot":true,
"initializeParams":{
"sourceImage":"projects/debian-cloud/global/images/family/debian-9"
},
"autoDelete":true
}
]
}
}
Create a managed instance group in each zone with the
instanceGroupManagers.insert
method, replacing [project-id] with your project ID.
POST https://www.googleapis.com/compute/v1/projects/[project-id]/zones/{zone}/instanceGroupManagers
{
"name": "l7-ilb-backend-example",
"zone": "projects/[project-id]/zones/us-west1-a",
"instanceTemplate": "projects/[project-id]/global/instanceTemplates/l7-ilb-backend-template",
"baseInstanceName": "l7-ilb-backend-example",
"targetSize": 2
}
Configuring the load balancer
This example shows you how to create the following internal HTTP(S) load balancer resources:
- HTTP health check
- Backend service with a managed instance group as the backend
- A URL map
- Make sure to refer to a regional URL map if a region is defined for the target HTTP(S) proxy. A regional URL map routes requests to a regional backend service based on rules that you define for the host and path of an incoming URL. A regional URL map can be referenced by a regional target proxy rule in the same region only.
- SSL certificate (for HTTPS)
- Target proxy
- Forwarding rule
For the forwarding rule's IP address, use the backend-subnet. If you
try to use the proxy-only
subnet, forwarding rule
creation fails.
Proxy availability
Sometimes Google Cloud regions don't have enough proxy capacity for a new internal HTTP(S) load balancer. If this happens, the Cloud Console provides a proxy availability warning message when you are creating your load balancer. To resolve this issue, you can do one of the following:
- Select a different region for your load balancer. This can be a practical option if you have backends in another region.
- Select a VPC network that already has an allocated proxy-only subnet.
Wait for the capacity issue to be resolved.
Cloud Console
Select a load balancer type
- Go to the Load balancing page in the Google Cloud Console.
Go to the Load balancing page - Under HTTP(S) Load Balancing, click Start configuration.
- Select Only between my VMs. This setting means that the load balancer is internal.
- Click Continue.
Prepare the load balancer
- For the Name of the load balancer, enter
l7-ilb-map. - For the Region, select
us-west1. - For the Network, select
lb-network. - Keep the window open to continue.
Reserve a proxy-only subnet
For Internal HTTP(S) Load Balancing, reserve a proxy subnet:
- Click Reserve a Subnet.
- For the Name, enter
proxy-only-subnet. - For the IP address range, enter
10.129.0.0/23. - Click Add.
Configure the backend service
- Click Backend configuration.
- From the Create or select backend services menu, select Create a backend service.
- Set the Name of the backend service to l7-ilb-backend-service.
- Set the Backend type to instance groups.
- In the New backend section:
- Set the Instance group to l7-ilb-backend-example.
- Set the Port numbers to
80. - Set the Balancing mode to Utilization.
- Click Done.
- In the Health check section, choose Create a health check with the
following parameters:
- Name: l7-ilb-basic-check
- Protocol: HTTP
- Port:
80 - Click Save and Continue.
- Click Create.
Configure the URL map
Click Host and path rules. Ensure that the l7-ilb-backend-service is the only backend service for any unmatched host and any unmatched path.
For information about traffic management, see Setting up traffic management.
Configure the frontend
For HTTP:
- Click Frontend configuration.
- Click Add frontend IP and port.
- Set the Name to l7-ilb-forwarding-rule.
- Set the Protocol to HTTP.
- Set the Subnetwork to backend-subnet.
- Under Internal IP, select Reserve a static internal IP address.
- In the panel that appears, provide the following details:
- Name: l7-ilb-ip
- In the Static IP address section, select Let me choose.
- In the Custom IP address section, enter
10.1.2.99. - Click Reserve.
- Set the Port to
80. - Click Done.
For HTTPS:
If you are using HTTPS between the client and the load balancer, you need one or more SSL certificate resources to configure the proxy. For information about how to create SSL certificate resources, see SSL certificates. Google-managed certificates aren't currently supported with internal HTTP(S) load balancers.
- Click Frontend configuration.
- Click Add frontend IP and port.
- In the Name field, enter
l7-ilb-forwarding-rule. - In the Protocol field, select
HTTPS (includes HTTP/2). - Set the Subnetwork to backend-subnet.
- Under Internal IP, select Reserve a static internal IP address.
- In the panel that appears provide the following details:
- Name: l7-ilb-ip
- In the Static IP address section, select Let me choose.
- In the Custom IP address section, enter
10.1.2.99. - Click Reserve.
- Ensure that the Port is set to
443, to allow HTTPS traffic. - Click the Certificate drop-down list.
- If you already have a self-managed SSL certificate resource you want to use as the primary SSL certificate, select it from the drop-down menu.
- Otherwise, select Create a new certificate.
- Fill in a Name of
l7-ilb-cert. - In the appropriate fields upload your PEM-formatted files:
- Public key certificate
- Certificate chain
- Private key
- Click Create.
- Fill in a Name of
- To add certificate resources in addition to
the primary SSL certificate resource:
- Click Add certificate.
- Select a certificate from the Certificates list or click Create a new certificate and follow the instructions above.
- Click Done.
Complete the configuration
Click Create.
gcloud
Define the HTTP health check with the
gcloud compute health-checks create httpcommand.gcloud compute health-checks create http l7-ilb-basic-check \ --region=us-west1 \ --use-serving-port
Define the backend service with the
gcloud compute backend-services createcommand.gcloud compute backend-services create l7-ilb-backend-service \ --load-balancing-scheme=INTERNAL_MANAGED \ --protocol=HTTP \ --health-checks=l7-ilb-basic-check \ --health-checks-region=us-west1 \ --region=us-west1
Add backends to the backend service with the
gcloud compute backend-services add-backendcommand.gcloud compute backend-services add-backend l7-ilb-backend-service \ --balancing-mode=UTILIZATION \ --instance-group=l7-ilb-backend-example \ --instance-group-zone=us-west1-a \ --region=us-west1
Create the URL map with the
gcloud compute url-maps createcommand.gcloud compute url-maps create l7-ilb-map \ --default-service=l7-ilb-backend-service \ --region=us-west1
Create the target proxy.
For HTTP:
For an internal HTTP load balancer, create the target proxy with the
gcloud compute target-http-proxies createcommand.gcloud compute target-http-proxies create l7-ilb-proxy \ --url-map=l7-ilb-map \ --url-map-region=us-west1 \ --region=us-west1
For HTTPS:
For information about how to create SSL certificate resources, see SSL certificates. Google-managed certificates aren't currently supported with internal HTTP(S) load balancers.
Assign your filepaths to variable names.
export LB_CERT=path to PEM-formatted file
export LB_PRIVATE_KEY=path to PEM-formatted file
Create a regional SSL certificate using the
gcloud compute ssl-certificates createcommand.gcloud compute ssl-certificates create l7-ilb-cert \ --certificate=$LB_CERT \ --private-key=$LB_PRIVATE_KEY \ --region=us-west1
Use the regional SSL certificate to create a target proxy with the
gcloud compute target-https-proxies createcommand.gcloud compute target-https-proxies create l7-ilb-proxy \ --url-map=l7-ilb-map \ --region=us-west1 \ --ssl-certificates=l7-ilb-cert
Create the forwarding rule.
For custom networks, you must reference the subnet in the forwarding rule. Note that this is the VM subnet, not the proxy subnet.
For HTTP:
Use the
gcloud compute forwarding-rules createcommand with the correct flags.gcloud compute forwarding-rules create l7-ilb-forwarding-rule \ --load-balancing-scheme=INTERNAL_MANAGED \ --network=lb-network \ --subnet=backend-subnet \ --address=10.1.2.99 \ --ports=80 \ --region=us-west1 \ --target-http-proxy=l7-ilb-proxy \ --target-http-proxy-region=us-west1
For HTTPS:
Create the forwarding rule with the
gcloud compute forwarding-rules createcommand with the correct flags.gcloud compute forwarding-rules create l7-ilb-forwarding-rule \ --load-balancing-scheme=INTERNAL_MANAGED \ --network=lb-network \ --subnet=backend-subnet \ --address=10.1.2.99 \ --ports=443 \ --region=us-west1 \ --target-https-proxy=l7-ilb-proxy \ --target-https-proxy-region=us-west1
API
Create the health check by making a POST request to the
regionHealthChecks.insert
method, replacing [project-id] with your project ID.
POST https://compute.googleapis.com/compute/v1/projects/[project-id]/regions/{region}/healthChecks
{
"name": "l7-ilb-basic-check",
"type": "HTTP",
"httpHealthCheck": {
"portSpecification": "USE_SERVING_PORT"
}
}
Create the regional backend service by making a POST request to the
regionBackendServices.insert
method, replacing [project-id] with your project ID.
POST https://www.googleapis.com/compute/v1/projects/[project-id]/regions/us-west1/backendServices
{
"name": "l7-ilb-backend-service",
"backends": [
{
"group": "projects/[project-id]/zones/us-west1-a/instanceGroups/l7-ilb-backend-example",
"balancingMode": "UTILIZATION"
}
],
"healthChecks": [
"projects/[project-id]/regions/us-west1/healthChecks/l7-ilb-basic-check"
],
"loadBalancingScheme": "INTERNAL_MANAGED"
}
Create the URL map by making a POST request to the
regionUrlMaps.insert
method, replacing [project-id] with your project ID.
POST https://compute.googleapis.com/compute/v1/projects/[project-id]/regions/us-west1/urlMaps
{
"name": "l7-ilb-map",
"defaultService": "projects/[project-id]/regions/us-west1/backendServices/l7-ilb-backend-service"
}
Create the target HTTP proxy by making a POST request to the
regionTargetHttpProxies.insert
method, replacing [project-id] with your project ID.
POST https://www.googleapis.com/compute/v1/projects/[project-id]/regions/us-west1/targetHttpProxy
{
"name": "l7-ilb-proxy",
"urlMap": "projects/[project-id]/global/urlMaps/l7-ilb-map",
"region": "us-west1"
}
Create the forwarding rule by making a POST request to the
forwardingRules.insert
method, replacing [project-id] with your project ID.
POST https://www.googleapis.com/compute/v1/projects/[project-id]/regions/us-west1/forwardingRules
{
"name": "l7-ilb-forwarding-rule",
"IPAddress": "10.1.2.99",
"IPProtocol": "TCP",
"portRange": "80-80",
"target": "projects/[project-id]/regions/us-west1/targetHttpProxies/l7-ilb-proxy",
"loadBalancingScheme": "INTERNAL_MANAGED",
"subnetwork": "projects/[project-id]/regions/us-west1/subnetworks/backend-subnet",
"network": "projects/[project-id]/global/networks/lb-network",
"networkTier": "PREMIUM",
}
Testing
Creating a VM instance to test connectivity
gcloud compute instances create l7-ilb-client-us-west1-a \
--image-family=debian-9 \
--image-project=debian-cloud \
--network=lb-network \
--subnet=backend-subnet \
--zone=us-west1-a \
--tags=allow-ssh
Testing the load balancer
Log in to the instance that you just created and test that HTTP(S) services on the backends are reachable via the internal HTTP(S) load balancer's forwarding rule IP address, and traffic is being load balanced across the backend instances.
Connecting via SSH to each client instance
gcloud compute ssh l7-ilb-client-us-west1-a \
--zone=us-west1-a
Verifying that the IP is serving its hostname
curl 10.1.2.99
For HTTPS testing, replace curl with:
curl -k -s 'https://test.example.com:443' --connect-to test.example.com:443:10.1.2.99:443
The -k flag causes curl to skip certificate validation.
Running 100 requests and confirming that they are load balanced
For HTTP:
{
RESULTS=
for i in {1..100}
do
RESULTS="$RESULTS:$(curl --silent 10.1.2.99)"
done
echo "***"
echo "*** Results of load-balancing to 10.1.2.99: "
echo "***"
echo "$RESULTS" | tr ':' '\n' | grep -Ev "^$" | sort | uniq -c
echo
}
For HTTPS:
{
RESULTS=
for i in {1..100}
do
RESULTS="$RESULTS:$(curl -k -s 'https://test.example.com:443' --connect-to test.example.com:443:10.1.2.99:443)"
done
echo "***"
echo "*** Results of load-balancing to 10.1.2.99: "
echo "***"
echo "$RESULTS" | tr ':' '\n' | grep -Ev "^$" | sort | uniq -c
echo
}
Additional configuration options
This section expands on the configuration example to provide alternative and additional configuration options. All of the tasks are optional. You can perform them in any order.
Enabling session affinity
These procedures show you how to update a backend service for the example internal HTTP(S) load balancer so that the backend service uses generated cookie affinity, header field affinity, or HTTP cookie affinity.
When generated cookie affinity is enabled, the load balancer issues a cookie
on the first request. For each subsequent request with the same cookie, the load
balancer directs the request to the same backend VM or endpoint. For
internal HTTP(S) load balancers, the cookie is named GCILB.
When header field affinity is enabled, the load balancer routes requests to
backend VMs or endpoints in a NEG based on the value of the HTTP header named
in the --custom-request-header flag. Header field affinity is only valid if
the load balancing locality policy is either RING_HASH or MAGLEV and the
backend service's consistent hash specifies the name of the HTTP header.
When HTTP cookie affinity is enabled, the load balancer routes requests to
backend VMs or endpoints in a NEG, based on an HTTP cookie named in the
HTTP_COOKIE flag with the optional --affinity-cookie-ttl flag. If the client
does not provide the cookie in its HTTP request, the proxy generates
the cookie and returns it to the client in a Set-Cookie header. HTTP cookie
affinity is only valid if the load balancing locality policy is either
RING_HASH or MAGLEV and the backend service's consistent hash specifies the
HTTP cookie.
Cloud Console
To enable or change session affinity for a backend service:
- Go to the Load balancing page in the Google Cloud Console.
Go to the Load balancing page - Click Backends.
- Click l7-ilb-backend-service (the name of the backend service you created for this example) and click Edit.
- On the Backend service details page, click Advanced configuration.
- Under Session affinity, select the type of session affinity you want from the menu.
- Click Update.
gcloud
Use the following gcloud commands to update the l7-ilb-backend-service
backend service to different types of session affinity:
gcloud compute backend-services update l7-ilb-backend-service \
--session-affinity=[GENERATED_COOKIE | HEADER_FIELD | HTTP_COOKIE | CLIENT_IP]
--region=us-west1
API
To set session affinity, make a PATCH request to the
regionBackendServices/patch
method.
PATCH https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-west1/regionBackendServices/l7-ilb-backend-service
{
"sessionAffinity": ["GENERATED_COOKIE" | "HEADER_FIELD" | "HTTP_COOKIE" | "CLIENT_IP" ]
}
What's next
To learn how Internal HTTP(S) Load Balancing works, see Internal HTTP(S) Load Balancing overview.
To manage the proxy-only subnet resource required by Internal HTTP(S) Load Balancing, see Proxy-only subnet for internal HTTP(S) load balancers.