Set up mutual TLS for an internal Application Load Balancer

This page shows examples of configuring mutual TLS (mTLS) for a cross-region internal Application Load Balancer or regional internal Application Load Balancer.

Before you begin

Read Internal Application Load Balancer overview.
Read Mutual TLS authentication.
Set up mutual TLS with user-provided certificates.
Internal Application Load Balancers support different backend services and buckets. Make sure that you have set up an internal Application Load Balancer with any of the following supported backends:

Regional internal Application Load Balancers
Cross-region internal Application Load Balancers
- VM instance group backends
- Hybrid connectivity

Set up mTLS for the load balancer

For mutual TLS authentication to work, after you set up a load balancer, you need to update the target HTTPS proxy by using the ServerTLSPolicy resource.

Ensure that you have already created the ServerTLSPolicy resource. For instructions, see Create the network security resources.
To list all the target HTTPS proxies in your project, use the gcloud compute target-https-proxies list command:
```
gcloud compute target-https-proxies list
```
Note the name of the target HTTPS proxy to attach the ServerTLSPolicy resource. This name is referred to as TARGET_HTTPS_PROXY_NAME in the following steps.
To export a target HTTPS proxy's configuration to a file, use the gcloud beta compute target-https-proxies export command.
global
```
  gcloud beta compute target-https-proxies export TARGET_HTTPS_PROXY_NAME \
      --destination=TARGET_PROXY_FILENAME \
      --global
  
```
Replace the following:
- TARGET_HTTPS_PROXY_NAME: the name of the target proxy.
- TARGET_PROXY_FILENAME: the name of a yaml file. For example, mtls_target_proxy.yaml.
regional
```
 gcloud beta compute target-https-proxies export TARGET_HTTPS_PROXY_NAME \
     --destination=TARGET_PROXY_FILENAME \
     --region=REGION
 
```
Replace the following:
- TARGET_HTTPS_PROXY_NAME: the name of the target proxy.
- TARGET_PROXY_FILENAME: the name of a yaml file. For example, mtls_target_proxy.yaml
- REGION: the region where you configured the load balancer.
List all the ServerTlsPolicies resources in the specified location of the current project.
Console
1. In the Google Cloud console, go to the Client authentication page.
  
  Go to Client authentication
2. All the ServerTlsPolicies resources are displayed.
gcloud
To list all the Client authentication (ServerTlsPolicies) resources, use the gcloud network-security server-tls-policies list command:
```
gcloud network-security server-tls-policies list \
  --location=REGION
```
Replace the following:

REGION: the region where you configured the load balancer. For cross-region internal Application Load Balancers, use global.

Note the name of the ServerTlsPolicies resource to configure mTLS. This name is referred to as SERVER_TLS_POLICY_NAME in the next step.

To append the ServerTlsPolicy resource file TARGET_PROXY_FILENAME, use the following command. Replace PROJECT_ID with the ID of your Google Cloud project.

echo "serverTlsPolicy: //networksecurity.googleapis.com/projects/PROJECT_ID/locations/REGION/serverTlsPolicies/SERVER_TLS_POLICY_NAME" >> TARGET_PROXY_FILENAME

To import a target HTTPS proxy's configuration from a file, use the gcloud beta compute target-https-proxies import command.
global
```
   gcloud beta compute target-https-proxies import TARGET_HTTPS_PROXY_NAME \
       --source=TARGET_PROXY_FILENAME \
       --global
   
```
Replace the following:
- TARGET_HTTPS_PROXY_NAME: the name of the target proxy.
- TARGET_PROXY_FILENAME: the name of a yaml file. For example, mtls_target_proxy.yaml.
regional
```
   gcloud beta compute target-https-proxies import TARGET_HTTPS_PROXY_NAME \
       --source=TARGET_PROXY_FILENAME \
       --region=REGION
   
```
Replace the following:
- TARGET_HTTPS_PROXY_NAME: the name of the target proxy.
- TARGET_PROXY_FILENAME: the name of a yaml file. For example, mtls_target_proxy.yaml
- REGION: the region where you configured the load balancer.

Add mTLS custom headers

With mTLS enabled, you can use custom headers to pass information about the mTLS connection to the URL map. You can also enable logging so that mTLS connection failures are captured in the logs.

To list all the URL maps in the project, use the gcloud beta compute url-maps list command:

   gcloud beta compute url-maps list

Note the name of the URL map to enable custom headers and logging. This name is referred to as URL_MAP_NAME in the following step.

global

   gcloud compute url-maps edit URL_MAP_NAME --global

Following is a sample YAML file that shows you how to use variables in custom request headers (requestHeadersToAdd). You can use the same variables to send custom response headers (responseHeadersToAdd).

   headerAction:
      requestHeadersToAdd:
      - headerName: "X-Client-Cert-Present"
        headerValue: "{client_cert_present}"
      - headerName: "X-Client-Cert-Chain-Verified"
        headerValue: "{client_cert_chain_verified}"
      - headerName: "X-Client-Cert-Error"
        headerValue: "{client_cert_error}"
      - headerName: "X-Client-Cert-Hash"
        headerValue: "{client_cert_sha256_fingerprint}"
      - headerName: "X-Client-Cert-Serial-Number"
        headerValue: "{client_cert_serial_number}"
      - headerName: "X-Client-Cert-SPIFFE"
        headerValue: "{client_cert_spiffe_id}"
      - headerName: "X-Client-Cert-URI-SANs"
        headerValue: "{client_cert_uri_sans}"
      - headerName: "X-Client-Cert-DNSName-SANs"
        headerValue: "{client_cert_dnsname_sans}"
      - headerName: "X-Client-Cert-Valid-Not-Before"
        headerValue: "{client_cert_valid_not_before}"
      - headerName: "X-Client-Cert-Valid-Not-After"
        headerValue: "{client_cert_valid_not_after}"
      - headerName: "X-Client-Cert-Issuer-Dn"
        headerValue: "{client_cert_issuer_dn}"
      - headerName: "X-Client-Cert-Subject-Dn"
        headerValue: "{client_cert_subject_dn}"
      - headerName: "X-Client-Cert-Leaf"
        headerValue: "{client_cert_leaf}"
      - headerName: "X-Client-Cert-Chain"
        headerValue: "{client_cert_chain}"

regional

   gcloud compute url-maps edit URL_MAP_NAME --region=REGION

   defaultService: regions/REGION/backendServices/BACKEND_SERVICE_1
      name: regional-lb-map
      region: region/REGION
   headerAction:
      requestHeadersToAdd:
      - headerName: "X-Client-Cert-Present"
        headerValue: "{client_cert_present}"
      - headerName: "X-Client-Cert-Chain-Verified"
        headerValue: "{client_cert_chain_verified}"
      - headerName: "X-Client-Cert-Error"
        headerValue: "{client_cert_error}"
      - headerName: "X-Client-Cert-Hash"
        headerValue: "{client_cert_sha256_fingerprint}"
      - headerName: "X-Client-Cert-Serial-Number"
        headerValue: "{client_cert_serial_number}"
      - headerName: "X-Client-Cert-SPIFFE"
        headerValue: "{client_cert_spiffe_id}"
      - headerName: "X-Client-Cert-URI-SANs"
        headerValue: "{client_cert_uri_sans}"
      - headerName: "X-Client-Cert-DNSName-SANs"
        headerValue: "{client_cert_dnsname_sans}"
      - headerName: "X-Client-Cert-Valid-Not-Before"
        headerValue: "{client_cert_valid_not_before}"
      - headerName: "X-Client-Cert-Valid-Not-After"
        headerValue: "{client_cert_valid_not_after}"
      - headerName: "X-Client-Cert-Issuer-Dn"
        headerValue: "{client_cert_issuer_dn}"
      - headerName: "X-Client-Cert-Subject-Dn"
        headerValue: "{client_cert_subject_dn}"
      - headerName: "X-Client-Cert-Leaf"
        headerValue: "{client_cert_leaf}"
      - headerName: "X-Client-Cert-Chain"
        headerValue: "{client_cert_chain}"

Set up mutual TLS for an internal Application Load Balancer

Before you begin

Set up mTLS for the load balancer

global

regional

Console

gcloud

global

regional

Add mTLS custom headers

global

regional

What's next