This page shows examples of configuring mutual TLS (mTLS) for a cross-region internal Application Load Balancer or regional internal Application Load Balancer.
Before you begin
- Read Internal Application Load Balancer overview.
- Read Mutual TLS authentication.
- Set up mutual TLS with user-provided certificates.
Internal Application Load Balancers support different backend services and buckets. Make sure that you have set up an internal Application Load Balancer with any of the following supported backends:
Regional internal Application Load Balancers
Cross-region internal Application Load Balancers
Set up mTLS for the load balancer
For mutual TLS authentication to work, after you set up a load balancer,
you need to update the target HTTPS proxy by using the ServerTLSPolicy
resource.
Ensure that you have already created the
ServerTLSPolicy
resource. For instructions, see Create the network security resources.To list all the target HTTPS proxies in your project, use the
gcloud compute target-https-proxies list
command:gcloud compute target-https-proxies list
Note the name of the target HTTPS proxy to attach the
ServerTLSPolicy
resource. This name is referred to asTARGET_HTTPS_PROXY_NAME
in the following steps.To export a target HTTPS proxy's configuration to a file, use the
gcloud beta compute target-https-proxies export
command.global
gcloud beta compute target-https-proxies export TARGET_HTTPS_PROXY_NAME \ --destination=TARGET_PROXY_FILENAME \ --global
Replace the following:
TARGET_HTTPS_PROXY_NAME
: the name of the target proxy.TARGET_PROXY_FILENAME
: the name of a yaml file. For example,mtls_target_proxy.yaml
.
regional
gcloud beta compute target-https-proxies export TARGET_HTTPS_PROXY_NAME \ --destination=TARGET_PROXY_FILENAME \ --region=REGION
Replace the following:
TARGET_HTTPS_PROXY_NAME
: the name of the target proxy.TARGET_PROXY_FILENAME
: the name of a yaml file. For example,mtls_target_proxy.yaml
REGION
: the region where you configured the load balancer.
List all the
ServerTlsPolicies
resources in the specified location of the current project.Console
In the Google Cloud console, go to the Client authentication page.
All the
ServerTlsPolicies
resources are displayed.
gcloud
To list all the Client authentication (
ServerTlsPolicies
) resources, use thegcloud network-security server-tls-policies list
command:gcloud network-security server-tls-policies list \ --location=REGION
Replace the following:
REGION
: the region where you configured the load balancer. For cross-region internal Application Load Balancers, useglobal
.Note the name of the
ServerTlsPolicies
resource to configure mTLS. This name is referred to asSERVER_TLS_POLICY_NAME
in the next step.To append the
ServerTlsPolicy
resource fileTARGET_PROXY_FILENAME
, use the following command. ReplacePROJECT_ID
with the ID of your Google Cloud project.echo "serverTlsPolicy: //networksecurity.googleapis.com/projects/PROJECT_ID/locations/REGION/serverTlsPolicies/SERVER_TLS_POLICY_NAME" >> TARGET_PROXY_FILENAME
To import a target HTTPS proxy's configuration from a file, use the
gcloud beta compute target-https-proxies import
command.global
gcloud beta compute target-https-proxies import TARGET_HTTPS_PROXY_NAME \ --source=TARGET_PROXY_FILENAME \ --global
Replace the following:
TARGET_HTTPS_PROXY_NAME
: the name of the target proxy.TARGET_PROXY_FILENAME
: the name of a yaml file. For example,mtls_target_proxy.yaml
.
regional
gcloud beta compute target-https-proxies import TARGET_HTTPS_PROXY_NAME \ --source=TARGET_PROXY_FILENAME \ --region=REGION
Replace the following:
TARGET_HTTPS_PROXY_NAME
: the name of the target proxy.TARGET_PROXY_FILENAME
: the name of a yaml file. For example,mtls_target_proxy.yaml
REGION
: the region where you configured the load balancer.
Add mTLS custom headers
With mTLS enabled, you can use custom headers to pass information about the mTLS connection to the URL map. You can also enable logging so that mTLS connection failures are captured in the logs.To list all the URL maps in the project, use the
gcloud beta compute url-maps list
command:
gcloud beta compute url-maps list
Note the name of the URL map to enable custom headers and logging.
This name is referred to as URL_MAP_NAME
in
the following step.
global
gcloud compute url-maps edit URL_MAP_NAME --global
Following is a sample YAML file that shows you how to use variables
in custom request headers (requestHeadersToAdd
). You can use the
same variables to send custom response headers
(responseHeadersToAdd
).
headerAction: requestHeadersToAdd: - headerName: "X-Client-Cert-Present" headerValue: "{client_cert_present}" - headerName: "X-Client-Cert-Chain-Verified" headerValue: "{client_cert_chain_verified}" - headerName: "X-Client-Cert-Error" headerValue: "{client_cert_error}" - headerName: "X-Client-Cert-Hash" headerValue: "{client_cert_sha256_fingerprint}" - headerName: "X-Client-Cert-Serial-Number" headerValue: "{client_cert_serial_number}" - headerName: "X-Client-Cert-SPIFFE" headerValue: "{client_cert_spiffe_id}" - headerName: "X-Client-Cert-URI-SANs" headerValue: "{client_cert_uri_sans}" - headerName: "X-Client-Cert-DNSName-SANs" headerValue: "{client_cert_dnsname_sans}" - headerName: "X-Client-Cert-Valid-Not-Before" headerValue: "{client_cert_valid_not_before}" - headerName: "X-Client-Cert-Valid-Not-After" headerValue: "{client_cert_valid_not_after}" - headerName: "X-Client-Cert-Issuer-Dn" headerValue: "{client_cert_issuer_dn}" - headerName: "X-Client-Cert-Subject-Dn" headerValue: "{client_cert_subject_dn}" - headerName: "X-Client-Cert-Leaf" headerValue: "{client_cert_leaf}" - headerName: "X-Client-Cert-Chain" headerValue: "{client_cert_chain}"
regional
gcloud compute url-maps edit URL_MAP_NAME --region=REGION
Following is a sample YAML file that shows you how to use variables in
custom request headers (requestHeadersToAdd
). You can use the
same variables to send custom response headers
(responseHeadersToAdd
).
defaultService: regions/REGION/backendServices/BACKEND_SERVICE_1 name: regional-lb-map region: region/REGION headerAction: requestHeadersToAdd: - headerName: "X-Client-Cert-Present" headerValue: "{client_cert_present}" - headerName: "X-Client-Cert-Chain-Verified" headerValue: "{client_cert_chain_verified}" - headerName: "X-Client-Cert-Error" headerValue: "{client_cert_error}" - headerName: "X-Client-Cert-Hash" headerValue: "{client_cert_sha256_fingerprint}" - headerName: "X-Client-Cert-Serial-Number" headerValue: "{client_cert_serial_number}" - headerName: "X-Client-Cert-SPIFFE" headerValue: "{client_cert_spiffe_id}" - headerName: "X-Client-Cert-URI-SANs" headerValue: "{client_cert_uri_sans}" - headerName: "X-Client-Cert-DNSName-SANs" headerValue: "{client_cert_dnsname_sans}" - headerName: "X-Client-Cert-Valid-Not-Before" headerValue: "{client_cert_valid_not_before}" - headerName: "X-Client-Cert-Valid-Not-After" headerValue: "{client_cert_valid_not_after}" - headerName: "X-Client-Cert-Issuer-Dn" headerValue: "{client_cert_issuer_dn}" - headerName: "X-Client-Cert-Subject-Dn" headerValue: "{client_cert_subject_dn}" - headerName: "X-Client-Cert-Leaf" headerValue: "{client_cert_leaf}" - headerName: "X-Client-Cert-Chain" headerValue: "{client_cert_chain}"
What's next
- Set up mutual TLS with user-provided certificates
- View logs for mTLS client certificate validation
- Clean up a load balancing setup