Setting Up Network Load Balancing

This guide provides instructions for creating a basic Network Load Balancing configuration. The example assumes that you have multiple web servers on Google Compute Engine instances across which you want to balance the traffic. This scenario sets up a layer 3 load balancing configuration to distribute HTTP traffic across healthy instances. Basic HTTP health checks are configured to ensure that traffic is sent only to healthy instances.

This example load balances HTTP traffic, but you can use Network Load Balancing to load balance UDP, TCP, and SSL traffic. Before you start, read Network Load Balancing Concepts for conceptual information about Network Load Balancing.

Before you begin

Install the gcloud command-line tool. For a complete overview of the tool, see the gcloud Tool Guide. You can find commands related to load balancing in the gcloud compute command group.

You can also get detailed help for any gcloud command by using the --help flag:

gcloud compute http-health-checks create --help

If you haven't run the gcloud command-line tool previously, first run gcloud init to authenticate.

In addition, you must create a static external IP address for the load balancer. If you are using an image provided by Compute Engine, your virtual machine (VM) instances are automatically configured to handle this IP address. If you are using any other image, you will have to configure this address as an alias on eth0 or as a loopback on each instance.

This guide assumes that you are familiar with bash.

Configure Compute Engine instances

For this load balancing scenario, you will create three Compute Engine VM instances and install Apache on them. You will add a firewall rule that allows HTTP traffic to reach the instances.

Set up the instances

Console

  1. Go to the VM instances page in the Google Cloud Platform Console.
    Go to the VM instances page
  2. Click Create instance.
  3. Set Name to www1.
  4. Set the Region to us-central1.
  5. Set the Zone to us-central1-b.
  6. Under Boot disk, the default OS image of Google Drawfork Debian GNU/Linux 9 is already selected.
  7. Click Management, security, disks, networking, sole tenancy to reveal advanced settings.
    1. Under Management, insert the following script into the Automation, Startup script field.
      #! /bin/bash
      sudo apt-get update
      sudo apt-get install apache2 -y
      sudo service apache2 restart
      echo '<!doctype html><html><body><h1>www1</h1></body></html>' | tee /var/www/html/index.html
      EOF
    2. Under Networking, populate the Tags field with network-lb-tag.
    3. Leave the default values for rest of the fields.
    4. Click Create.
  8. Create an instance named www2 with the same settings, except with the following script inserted into the Automation, Startup script field.
    #! /bin/bash
    sudo apt-get update
    sudo apt-get install apache2 -y
    sudo service apache2 restart
    echo '<!doctype html><html><body><h1>www2</h1></body></html>' | tee /var/www/html/index.html
    EOF
  9. Create an instance named www3 with the same settings, except with the following script inserted into the Automation, Startup script field.
    #! /bin/bash
    sudo apt-get update
    sudo apt-get install apache2 -y
    sudo service apache2 restart
    echo '<!doctype html><html><body><h1>www3</h1></body></html>' | tee /var/www/html/index.html
    EOF

gcloud

The commands below are all run on your local system and assume a bash command prompt.

To see OS image names, attributes, and status use the gcloud compute images list command.

  1. Create three new virtual machines in a given zone and give them all the same tag. This example sets the zone to us-central1-b. Setting the tags field allows you to reference these instances all at once, such as with a firewall rule. These commands also install Apache on each instance and give each instance a unique home page.

    gcloud compute instances create www1 \
      --image-family debian-9 \
      --image-project debian-cloud \
      --zone us-central1-b \
      --tags network-lb-tag \
      --metadata startup-script="#! /bin/bash
        sudo apt-get update
        sudo apt-get install apache2 -y
        sudo service apache2 restart
        echo '<!doctype html><html><body><h1>www1</h1></body></html>' | tee /var/www/html/index.html
        EOF"
    gcloud compute instances create www2 \
      --image-family debian-9 \
      --image-project debian-cloud \
      --zone us-central1-b \
      --tags network-lb-tag \
      --metadata startup-script="#! /bin/bash
        sudo apt-get update
        sudo apt-get install apache2 -y
        sudo service apache2 restart
        echo '<!doctype html><html><body><h1>www2</h1></body></html>' | tee /var/www/html/index.html
        EOF"
    gcloud compute instances create www3 \
      --image-family debian-9 \
      --image-project debian-cloud \
      --zone us-central1-b \
      --tags network-lb-tag \
      --metadata startup-script="#! /bin/bash
        sudo apt-get update
        sudo apt-get install apache2 -y
        sudo service apache2 restart
        echo '<!doctype html><html><body><h1>www3</h1></body></html>' | tee /var/www/html/index.html
        EOF"

api

Create instance www1 in zone us-central1-b with the instances.insert method

POST https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-central1-b/instances

{
  "canIpForward": false,
  "deletionProtection": false,
  "disks": [
    {
      "type": "PERSISTENT",
      "boot": true,
      "mode": "READ_WRITE",
      "autoDelete": true,
      "deviceName": "www1",
      "initializeParams": {
        "sourceImage": "projects/eip-images/global/images/debian-9-drawfork-v20181101",
        "diskType": "projects/[PROJECT_ID]/zones/us-central1-b/diskTypes/pd-standard",
        "diskSizeGb": "10"
      }
    }
  ],
  "machineType": "projects/[PROJECT_ID]/zones/us-central1-b/machineTypes/n1-standard-1",
  "metadata": {
    "items": [
      {
        "key": "startup-script",
        "value": "sudo apt-get update\nsudo apt-get install apache2 -y\nsudo a2ensite default-ssl\nsudo a2enmod ssl\nsudo service apache2 restart\necho '<!doctype html><html><body><h1>www1</h1></body></html>' | tee /var/www/html/index.html"
      }
    ]
  },
  "name": "www1",
  "networkInterfaces": [
    {
      "network": "projects/[PROJECT_ID]/global/networks/default",
      "subnetwork": "projects/[PROJECT_ID]/regions/us-central1/subnetworks/default"
    }
  ],
  "tags": {
    "items": [
      "network-lb-tag"
    ]
  }
}

Create instances named www2 and www3 with the same settings, except replace www1 in the deviceName, value, and name fields.

Create a firewall rule to allow external traffic to these VM instances

Console

  1. Go to the Firewalls page in the Google Cloud Platform Console.
    Go to the Firewalls page
  2. Click Create firewall rule.
  3. Enter a Name of www-firewall-network-lb.
  4. Select the Network that the firewall rule applies to (Default).
  5. Under Targets, select Specified target tags.
  6. In the Target tags field, enter network-lb-tag.
  7. Set the Source IP ranges to 0.0.0.0/0, which allows traffic from any source.
  8. Under Specified protocols and ports, click the checkbox next to TCP and enter 80.
  9. Click Create. It might take a moment for the Console to display the new firewall rule, or you might have to click Refresh to see the rule.

gcloud

gcloud compute firewall-rules create www-firewall-network-lb \
    --target-tags network-lb-tag --allow tcp:80

api

Create a firewall rule that allows all traffic within the subnet with the firewalls.insert ** method**

POST https://www.googleapis.com/compute/projects/[PROJECT_ID]/global/firewalls

{
  "name": "www-firewall-network-lb",
  "direction": "INGRESS",
  "priority": 1000,
  "targetTags": [
    "network-lb-tag"
  ],
  "allowed": [
    {
      "IPProtocol": "tcp",
      "ports": [
        "80"
      ]
    }
  ],
  "sourceRanges": [
    "0.0.0.0/0"
  ]
}

Get the external IP addresses of your instances and verify that they are running

Console

  1. Go to the VM instances page in the Google Cloud Platform Console.
    Go to the VM instances page
  2. View the addresses for your instances in the External IP column.
  3. Verify that your instances are running by looking for a green checkmark to the left of the instance name. If you don't see a green checkmark, refer to the General Troubleshooting page for instances.

gcloud

  1. List your instances to get their IP addresses from the EXTERNAL_IP column.

    gcloud compute instances list
    
  2. Verify that each instance is running.

    At the command line, run curl using the external IP address of each instance to confirm that all of the instances respond.

    curl http://[IP_ADDRESS]
    

api

Get information about instance www1 with the instances.get method

Make sure the status field says RUNNING, and look for the external IP address in the natIP field.

GET https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-central1-b/instances/www1

{
 "kind": "compute#instance",
 "id": "6734015273571474749",
 "creationTimestamp": "2018-11-09T11:45:23.487-08:00",
 "name": "www1",
 "description": "",
 "tags": {
  "items": [
   "network-lb-tag"
  ],
  "fingerprint": "9GVlO4gPawg="
 },
 "machineType": "https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-central1-b/machineTypes/n1-standard-1",
 "status": "RUNNING",
 "zone": "https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-central1-b",
 "canIpForward": false,
 "networkInterfaces": [
  {
   "kind": "compute#networkInterface",
   "network": "https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/networks/default",
   "subnetwork": "https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/subnetworks/default",
   "networkIP": "10.128.0.2",
   "name": "nic0",
   "accessConfigs": [
    {
     "kind": "compute#accessConfig",
     "type": "ONE_TO_ONE_NAT",
     "name": "External NAT",
     "natIP": "35.192.37.233",
     "networkTier": "PREMIUM"
    }
   ],
   "fingerprint": "lxD5f5ua_sw="
  }
 ],
 "disks": [
  {
   "kind": "compute#attachedDisk",
   "type": "PERSISTENT",
   "mode": "READ_WRITE",
   "source": "https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-central1-b/disks/www1",
   "deviceName": "www1",
   "index": 0,
   "boot": true,
   "autoDelete": true,
   "licenses": [
    "https://www.googleapis.com/compute/v1/projects/debian-cloud/global/licenses/debian-9-stretch"
   ],
   "interface": "SCSI",
   "guestOsFeatures": [
    {
     "type": "VIRTIO_SCSI_MULTIQUEUE"
    }
   ]
  }
 ],
 "metadata": {
  "kind": "compute#metadata",
  "fingerprint": "IyHRmHoJx6E=",
  "items": [
   {
    "key": "startup-script",
    "value": "#! /bin/bash\n sudo apt-get update\n sudo apt-get install apache2 -y\n sudo service apache2 restart\n echo '\u003c!doctype html\u003e\u003chtml\u003e\u003cbody\u003e\u003ch1\u003ewww1\u003c/h1\u003e\u003c/body\u003e\u003c/html\u003e' | tee /var/www/html/index.html\n EOF"
   }
  ]
 },
 "serviceAccounts": [
  {
   "email": "674259759219-compute@developer.gserviceaccount.com",
   "scopes": [
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/monitoring.write",
    "https://www.googleapis.com/auth/servicecontrol",
    "https://www.googleapis.com/auth/service.management.readonly",
    "https://www.googleapis.com/auth/trace.append"
   ]
  }
 ],
 "selfLink": "https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-central1-b/instances/www1",
 "scheduling": {
  "onHostMaintenance": "MIGRATE",
  "automaticRestart": true,
  "preemptible": false
 },
 "cpuPlatform": "Intel Haswell",
 "labelFingerprint": "42WmSpB8rSM=",
 "startRestricted": false,
 "deletionProtection": false
}

Repeat this API call for www2 and www3.

Configure the load balancing service

Next, set up the load balancing service.

When you configure the load balancing service, your virtual machine instances will receive packets that are destined for the static external IP address you configure. If you are using an image provided by Compute Engine, your instances are automatically configured to handle this IP address. If you are using any other image, you will have to configure this address as an alias on eth0 or as a loopback on each instance

Console

  1. Go to the Create a load balancer page in the Google Cloud Platform Console.
    Go to the Create a load balancer page
  2. Under TCP load balancing, click the Start configuration button.

  3. For Internet facing or internal only, select From Internet to my VMs.

  4. For Multiple regions or single region, select Single region only.

  5. For Connection termination, select No (TCP).

  6. Click the Continue button.

Configure the backend

  1. On the New TCP load balancer screen, enter a Name of www-network-lb for the new load balancer.
  2. Click Backend configuration
  3. The load balancer Name you entered previously appears, but is not modifiable.
  4. For Region select us-central1.
  5. Under Backends, click the Select existing instances tab and click Add an instance. Enter instance www1. Repeat this step for instances www2 and www3.
  6. Under Health check, click Create a new health check or Create another health check:

    1. Enter basic-check as the Name of the health check.
    2. Retain the default settings.
    3. Click the Save and continue button.

    A blue circle with a checkmark to the left of Backend configuration indicates a successful set-up.

Configure the forwarding rule

  1. Click Frontend configuration.
  2. Enter a Name of www-rule.
  3. Under IP, click the drop-down menu and select Create IP address.
    1. On the Reserve static IP address screen, assign a Name of lb-ip-1.
    2. Click Reserve.
  4. Enter a Port of 80.
  5. Click the Done button.

    A blue circle with a checkmark to the left of Frontend configuration indicates a successful set-up.

Review the configuration

  1. Click the Review and finalize button to check all of your configuration settings for the load balancer.
  2. If the settings are correct, click Create. It takes a few minutes for the load balancer to be created.

    On the load balancing screen, under the Backend column for your new load balancer, you should see a green checkmark showing that the new load balancer is healthy.

gcloud

  1. Create a static external IP address for your load balancer

    gcloud compute addresses create network-lb-ip-1 \
        --region us-central1
    
  2. Add a legacy HTTP health check resource

    This example uses the default settings for the health check mechanism, but you can also customize this on your own.

    gcloud compute http-health-checks create basic-check
    
  3. Add a target pool

    Add a target pool in the same region as your virtual machine instances. Use the health check created in the prior step for this target pool. Target pools require a health check service in order to function.

    gcloud compute target-pools create www-pool \
        --region us-central1 --http-health-check basic-check
    
  4. Add your instances to the target pool

    gcloud compute target-pools add-instances www-pool \
        --instances www1,www2,www3 \
        --instances-zone us-central1-b
    

    Instances within a target pool must belong to the same region but can be spread out across different zones in the same region. For example, you can have instances in zone us-central1-f and instances in zone us-central1-b in one target pool because they are in the same region, us-central1.

  5. Add a forwarding rule

    Add a forwarding rule serving on behalf of an external IP address and port range that points to your target pool. For the --address field, use either the numeric IP address or its fully qualified name.

    gcloud compute forwarding-rules create www-rule \
        --region us-central1 \
        --ports 80 \
        --address network-lb-ip-1 \
        --target-pool www-pool
    

api

  1. Create a static external IP address for your load balancer

    POST https://www.googleapis.com/compute/v1/projects/[PROJECT_ID/regions/us-central1/addresses
    {
      "name": "network-lb-ip-1"
    }
    
  2. Add a legacy HTTP health check

    This example uses the default settings for the health check mechanism, but you can also customize this on your own.

    POST https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/httpHealthChecks
    {
      "name": "basic-check"
    }
    
  3. Add a target pool

    Add a target pool in the same region as your virtual machine instances. Use the health check created in the prior step for this target pool. Target pools require a health check service in order to function.

    POST https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/targetPools
    {
      "name": "www-pool",
      "healthChecks": [
        "https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/httpHealthChecks/basic-check"
      ]
    }
    
  4. Add your instances to the target pool

    POST https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/targetPools/www-pool/addInstance
    {
      "instances": [
        {
          "instance": "projects/[PROJECT_ID]/zones/us-central1-b/instances/www1"
        }
      ]
    }
    

    Repeat this API call for instances www2 and www3.

    Instances within a target pool must belong to the same region but can be spread out across different zones in the same region. For example, you can have instances in zone us-central1-f and instances in zone us-central1-b in one target pool because they are in the same region, us-central1.

  5. Add a forwarding rule

    POST https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/forwardingRules
    {
      "name": "www-rule",
      "portRange": "80",
      "loadBalancingScheme": "EXTERNAL",
      "target": "https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/targetPools/www-network-lb"
    }
    

Send traffic to your instances

Now that the load balancing service is configured, you can start sending traffic to the forwarding rule and watch the traffic be dispersed to different instances.

Look up the forwarding rule's external IP address

Console

  1. Go to the Forwarding Rules tab on the Advanced load balancing page in the Google Cloud Platform Console.
    Go to the Forwarding Rules tab
  2. Locate www-rule, the forwarding rule used by the load balancer.
  3. In the IP Address column for www-rule, note the external IP address listed.

gcloud

Enter the following command to view the external IP address of the www-rule forwarding rule used by the load balancer.

gcloud compute forwarding-rules describe www-rule --region us-central1

api

View the external IP address of the www-rule forwarding rule with the forwardingRules.get method

In the output, look for the IPAddress field.

GET https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/forwardingRules/www-rule
{
  "kind": "compute#forwardingRule",
  "id": "5133886346582800002",
  "creationTimestamp": "2018-11-09T14:21:33.574-08:00",
  "name": "www-rule",
  "description": "",
  "region": "https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1",
  "IPAddress": "35.232.228.9",
  "IPProtocol": "TCP",
  "portRange": "80-80",
  "target": "https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/targetPools/www-network-lb",
  "selfLink": "https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/forwardingRules/www-rule",
  "loadBalancingScheme": "EXTERNAL",
  "networkTier": "PREMIUM"
}

Use the curl command to access the external IP address

The response from the curl command will alternate randomly among the three instances. If your response is initially unsuccessful, you might need to wait approximately 30 seconds for the configuration to be fully loaded and for your instances to be marked healthy before trying again:

$ while true; do curl -m1 [IP_ADDRESS]; done

What's next

See Network Load Balancing Concepts for information on how Network Load Balancing works.

Was this page helpful? Let us know how we did:

Send feedback about...

Load Balancing