Network endpoint groups overview

A network endpoint group (NEG) is a configuration object that specifies a group of backend endpoints or services. A common use case for this configuration is deploying services in containers. You can also distribute traffic in a granular fashion to applications running on your backend instances.

You can use NEGs as backends for some load balancers and with Traffic Director.

Zonal and internet NEGs define how endpoints should be reached, whether they are reachable, and where they are located. Unlike these NEG types, serverless NEGs don't contain endpoints.

A zonal NEG contains one or more endpoints that can be Compute Engine VMs or services running on the VMs. Each endpoint is specified either by an IP address or an IP:port combination.

An internet NEG contains a single endpoint that is hosted outside of Google Cloud. This endpoint is specified by hostname FQDN:port or IP:port.

A serverless NEG points to Cloud Run, App Engine, or Cloud Functions services residing in the same region as the NEG.

A hybrid connectivity NEG points to Traffic Director services running outside Google Cloud.

Purpose
  • Zonal NEG: One or more internal IP address endpoints that resolve to either Compute Engine VM instances or GKE Pods.
  • Internet NEG: A single internet-routable endpoint that is hosted outside of Google Cloud.
  • Serverless NEG: A single endpoint within Google's network that resolves to an App Engine, Cloud Functions, or Cloud Run (fully managed) service.
  • Hybrid connectivity NEG: One or more endpoints that resolve to on-premises services, server applications in another cloud, and other internet-reachable services outside Google Cloud.

NetworkEndpointType API name
  • Zonal NEG:
    GCE_VM_IP (IP only): Resolves to the primary internal IP address of a Compute Engine VM's NIC
    OR
    GCE_VM_IP_PORT (IP:Port): Resolves to either the primary internal IP address of a Google Cloud VM's NIC or an alias IP address on a NIC; for example, Pod IP addresses in VPC-native clusters.
  • Internet NEG:
    INTERNET_IP_PORT (IP:Port), where IP must not be an RFC 1918 address
    OR
    INTERNET_FQDN_PORT (FQDN:Port)
  • Serverless NEG:
    SERVERLESS: FQDN belonging to an App Engine, Cloud Functions, or Cloud Run (fully managed) service.
  • Hybrid connectivity NEG:
    NON_GCP_PRIVATE_IP_PORT: IP:Port belonging to a VM that is not in Compute Engine and that must be routable using hybrid connectivity.

Number of endpoints
  • Zonal NEG: 1 or more
  • Internet NEG: 1
  • Serverless NEG: 1
  • Hybrid connectivity NEG: 1 or more

Health checks for NEGs attached to backend services
  • Zonal NEG: Centralized health checking for NEGs with GCE_VM_IP_PORT and GCE_VM_IP endpoints.
  • Internet NEG: Not applicable
  • Serverless NEG: Not applicable
  • Hybrid connectivity NEG: Envoy distributed health checking

Scope
  • Zonal NEG: Zonal
  • Internet NEG: Global
  • Serverless NEG: Regional
  • Hybrid connectivity NEG: Zonal

Routing
  • Zonal NEG: VPC network
  • Internet NEG: Internet
  • Serverless NEG: To Google APIs and Services
  • Hybrid connectivity NEG: Internet

Google Cloud products that use this NEG
  • Zonal NEG:
    Internal HTTP(S) Load Balancing: GCE_VM_IP_PORT endpoints
    Internal TCP/UDP Load Balancing: GCE_VM_IP endpoints
    External HTTP(S) Load Balancing: GCE_VM_IP_PORT endpoints
    Traffic Director: GCE_VM_IP_PORT endpoints
  • Internet NEG:
    Cloud CDN: INTERNET_IP_PORT or INTERNET_FQDN_PORT endpoint
    External HTTP(S) Load Balancing: INTERNET_IP_PORT or INTERNET_FQDN_PORT endpoint
  • Serverless NEG:
    External HTTP(S) Load Balancing: SERVERLESS endpoint
  • Hybrid connectivity NEG:
    Traffic Director: NON_GCP_PRIVATE_IP_PORT endpoint
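
The scope, endpoint-count and address-format rules in the comparison above can be checked before a NEG definition is applied. The following Python check is an added example, not part of the original documentation or any Google tool; the dictionary layout (type, scope, endpoints) and the function names are assumptions, and SERVERLESS is left out because serverless NEGs don't contain endpoints.

```python
import ipaddress

# RFC 1918 ranges listed explicitly; ipaddress.is_private is broader than the rule.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# From the comparison: type -> (address form, scope, max endpoints or None)
RULES = {
    "GCE_VM_IP": ("ip", "zonal", None),
    "GCE_VM_IP_PORT": ("ip:port", "zonal", None),
    "INTERNET_IP_PORT": ("ip:port", "global", 1),
    "INTERNET_FQDN_PORT": ("fqdn:port", "global", 1),
    "NON_GCP_PRIVATE_IP_PORT": ("ip:port", "zonal", None),
}

def check_endpoint(neg_type, form, endpoint):
    """Return a finding for one endpoint, or None if it is acceptable."""
    host = endpoint
    if form != "ip":
        host, sep, port = endpoint.rpartition(":")
        if not sep or not port.isdecimal() or not 1 <= int(port) <= 65535:
            return "%s: expected %s" % (endpoint, form)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if form == "fqdn:port":
        ok = ip is None and "." in host  # reject IP literals and bare labels
        return None if ok else "%s: expected an FQDN" % endpoint
    if ip is None:
        return "%s: invalid IP address" % endpoint
    if neg_type == "INTERNET_IP_PORT" and any(ip in net for net in RFC1918):
        return "%s: RFC 1918 address in an internet NEG" % endpoint
    return None

def check_neg(neg):
    """Return the findings for one NEG definition (empty list means it passes)."""
    if neg["type"] not in RULES:
        return ["no endpoint rules for type %s" % neg["type"]]
    form, scope, limit = RULES[neg["type"]]
    eps, findings = neg["endpoints"], []
    if neg["scope"] != scope:
        findings.append("scope is %s, expected %s" % (neg["scope"], scope))
    if not eps or (limit and len(eps) > limit):
        findings.append("%d endpoints not allowed for this type" % len(eps))
    return findings + [f for f in (check_endpoint(neg["type"], form, e) for e in eps) if f]

# Constructed sample (not a real resource): private address in an internet NEG.
SAMPLE = {"type": "INTERNET_IP_PORT", "scope": "global", "endpoints": ["10.1.2.3:443"]}
```

Calling check_neg(SAMPLE) returns a single finding for the RFC 1918 address; a definition that satisfies every rule returns an empty list.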

For more information about zonal, internet, and serverless NEGs, see: