Network endpoint groups overview

A network endpoint group (NEG) is a configuration object that specifies a group of backend endpoints or services. With NEGs, Google Cloud load balancers can serve virtual machine (VM) instance group-based workloads, serverless workloads, and containerized workloads. NEGs let you distribute traffic to your load balancer's backends at a more granular level (for example, load balancing traffic at the Pod level instead of at the VM-level for GKE workloads).

You can use NEGs as backends for some load balancers and with Traffic Director. Use the following tables to decide which type of NEG you need for your deployment.

Zonal NEG

Features Details
Purpose

One or more internal IP address endpoints that resolve to either Compute Engine VM instances or GKE Pods.

For detailed information about this NEG and its use cases, see Zonal NEGs overview.

NetworkEndpointType API name
  • GCE_VM_IP
    IP only: resolves to the primary internal IPv4 address of a VM's network interface

    OR

  • GCE_VM_IP_PORT
    IP:Port: resolves to either the primary internal IPv4 address of a VM's network interface or an internal IPv4 address from an alias IP address range associated with a VM's network interface; for example, Pod IPv4 addresses in VPC-native clusters.
Number of endpoints 1 or more
Health checks for NEGs attached to backend services Centralized health checks for NEGs with GCE_VM_IP_PORT and GCE_VM_IP endpoints.
Scope Zonal
Routing VPC network
Google Cloud products that use this NEG

Related documentation:

  • Set up Zonal NEGs
  • Internet NEG

    Features Details
    Purpose

    A single internet-routable endpoint that is hosted outside of Google Cloud.

    For detailed information about this NEG and its use cases, see Internet NEGs overview.

    NetworkEndpointType API name
    • INTERNET_IP_PORT
      IP:Port, where IP must not be a RFC 1918 address.

      OR

    • INTERNET_FQDN_PORT
      FQDN:Port
    Number of endpoints

    Global NEGs: 1

    Regional NEGs: 256

    Health checks for NEGs attached to backend services

    Global NEGs: not supported

    Regional NEGs: distributed Envoy health checks

    Scope Global or regional
    Routing Internet
    Google Cloud products that use this NEG Global internet NEGs

    Regional internet NEGs (INTERNET_IP_PORT or INTERNET_FQDN_PORT endpoint)

    Serverless NEG

    Features Details
    Purpose

    A single endpoint within Google's network that resolves to an App Engine, Cloud Functions, API Gateway, or Cloud Run service.

    For detailed information about this NEG and its use cases, see Serverless NEGs overview.

    NetworkEndpointType API name SERVERLESS

    FQDN belonging to an App Engine, Cloud Functions, API Gateway, or Cloud Run service.

    Number of endpoints 1
    Health checks for NEGs attached to backend services Not applicable
    Scope Regional
    Routing To Google APIs and Services
    Google Cloud products that use this NEG

    Hybrid connectivity NEG

    Features Details
    Purpose One or more endpoints that resolve to on-premises services, server applications in another cloud, and other internet-reachable services outside Google Cloud.
    NetworkEndpointType API name NON_GCP_PRIVATE_IP_PORT

    IP:Port belonging to a VM that is not in Compute Engine and that must be routable using hybrid connectivity.

    Number of endpoints 1 or more
    Health checks for NEGs attached to backend services
    • Centralized health checks when you use this NEG with the global external Application Load Balancer, the classic Application Load Balancer, and the external proxy Network Load Balancer.
    • Distributed Envoy health checks when you use this NEG with the regional external Application Load Balancer, the internal Application Load Balancer (cross-region and regional), the regional internal proxy Network Load Balancer, cross-region internal proxy Network Load Balancer, or Traffic Director.
    Scope Zonal
    Routing To an on-premises network or another Cloud provider network by way of Cloud Interconnect VLAN attachment, Cloud VPN tunnel, or Router appliance VM in a VPC network
    Google Cloud products that use this NEG

    Private Service Connect NEG

    Features Details
    Purpose A single endpoint that resolves to one of the following:
    • A Google-managed regional API endpoint
    • A managed service published using Private Service Connect
    NetworkEndpointType API name PRIVATE_SERVICE_CONNECT
    Number of endpoints 1
    Health checks for NEGs attached to backend services Not applicable
    Scope Regional
    Routing Private Service Connect: Supported load balancers and targets
    Google Cloud products that use this NEG
    • Cross-region internal Application Load Balancer
    • Regional internal Application Load Balancer
    • Global external Application Load Balancer

      Private Service Connect NEGs are not supported by the classic Application Load Balancer.

    • Regional external Application Load Balancer
    • Global external proxy Network Load Balancer
    • Regional internal proxy Network Load Balancer
    • Cross-region internal proxy Network Load Balancer
    • Regional external proxy Network Load Balancer

    For more information about Private Service Connect NEGs, see About Private Service Connect backends.