Setting up a network load balancer with a backend service

This guide provides instructions for creating a basic Network Load Balancing deployment using a regional backend service. In this example, we'll use the load balancer to distribute traffic across backend VMs in two zonal managed instance groups in the us-central1 region. An equally valid approach would be to use a single regional managed instance group for the us-central1 region.

Network load balancer with zonal instance groups — Network Load Balancing with zonal instance groups

This scenario distributes TCP traffic across healthy instances. To support this example, TCP health checks are configured to ensure that traffic is sent only to healthy instances. Note that TCP health checks are only supported with a backend service-based load balancer. Target pool-based load balancers can only use legacy HTTP health checks.

This example load balances TCP traffic, but you can use Network Load Balancing to load balance UDP, SSL, and HTTP(S) traffic. Before you start, read Network Load Balancing overview.

Note that the network load balancer is a regional load balancer. All load balancer components (backend VMs, backend service, and forwarding rule) must be in the same region.

Before you begin

Install the gcloud command-line tool. For a complete overview of the tool, see the gcloud Tool Guide. You can find commands related to load balancing in the API and gcloud reference guide.

If you haven't run the gcloud command-line tool previously, first run gcloud init to authenticate.

This guide assumes that you are familiar with bash.

Creating the zonal managed instance groups

For this load balancing scenario, you will create two Compute Engine zonal managed instance groups and install an echo server on each instance.

Instances that participate as backend VMs for network load balancers must be running the appropriate Linux Guest Environment, Windows Guest Environment, or other processes that provide equivalent functionality.

Setting up the instances

Cloud Console

Go to the Instance groups page in the Cloud Console.
Go to the Instance groups page
Click Create instance group.
Choose New managed instance group on the left.
For the Name, enter ig-us-1.
Under Location, select Single zone.
For the Region, select us-central1.
For the Zone, select us-central1-a.
Under Instance template, select Create a new instance template.
1. For the Name, enter ig-us-template.
2. Ensure that the Boot disk is set to a Debian image, such as Debian GNU/Linux 9 (stretch). These instructions use commands that are only available on Debian, such as apt-get.
3. Under Management, security, disks, networking, sole tenancy, on the Management tab, insert the following script into the Startup script field.
```
#! /bin/bash
apt-get update
apt-get install apache2 -y
a2ensite default-ssl
a2enmod ssl
vm_hostname="$(curl -H "Metadata-Flavor:Google" \
http://169.254.169.254/computeMetadata/v1/instance/name)"
echo "Page served from: $vm_hostname" | \
tee /var/www/html/index.html
systemctl restart apache2
```
4. Under Networking, populate the Tags field with the network-lb tag.
5. Click Save and continue.
Specify the number of instances that you want to create in the group.

For this example, under Autoscaling mode, select:
- Don't autoscale
- Under Number of instances, enter 2
Click Create to create the new instance group.
Repeat the previous steps to create a second managed instance group in the us-central1-c zone with the following specifications:
- Name: ig-us-2
- Zone: us-central1-c
- Instance template: Use the same ig-us-template template created in the previous section.

gcloud

The gcloud instructions in this guide assume that you are using Cloud Shell or another environment with bash installed.

Create a VM instance template with HTTP server with the gcloud compute instance-templates create command.

gcloud compute instance-templates create ig-us-template \
--region=us-central1 \
--tags=network-lb \
--image-family=debian-9 \
--image-project=debian-cloud \
--metadata=startup-script='#! /bin/bash
apt-get update
apt-get install apache2 -y
a2ensite default-ssl
a2enmod ssl
vm_hostname="$(curl -H "Metadata-Flavor:Google" \
http://169.254.169.254/computeMetadata/v1/instance/name)"
echo "Page served from: $vm_hostname" | \
tee /var/www/html/index.html
systemctl restart apache2'

Create a managed instance group in the zone with the gcloud compute instance-groups managed create command.

gcloud compute instance-groups managed create ig-us-1 \
    --zone us-central1-a \
    --size 2 \
    --template ig-us-template

Create a second managed instance group in the us-central1-c zone:

gcloud compute instance-groups managed create ig-us-2 \
    --zone us-central1-c \
    --size 2 \
    --template ig-us-template

Configuring firewall rules

Create a firewall rule that allows external traffic to reach the backend instances.

Console

Go to the Firewalls page in the Google Cloud Console.
Go to the Firewalls page
Click Create firewall rule.
Enter a Name of allow-network-lb.
Select the Network that the firewall rule applies to (Default).
Under Targets, select Specified target tags.
In the Target tags field, enter network-lb.
Set the Source IP ranges to 0.0.0.0/0, which allows traffic from any source. This allows both external traffic and health check probes to reach the backend instances.
Under Specified protocols and ports, click the checkbox next to tcp and enter 80.
Click Create. It might take a moment for the Console to display the new firewall rule, or you might have to click Refresh to see the rule.

gcloud

gcloud compute firewall-rules create allow-network-lb \
    --target-tags network-lb \
    --allow tcp:80

Configuring the load balancer

Next, set up the load balancer.

When you configure the load balancer, your virtual machine instances will receive packets that are destined for the static external IP address you configure. If you are using an image provided by Compute Engine, your instances are automatically configured to handle this IP address. If you are using any other image, you must configure this address as an alias on eth0 or as a loopback on each instance.

Console

Go to the Create a load balancer page in the Google Cloud Console.
Go to the Create a load balancer page
Under TCP Load Balancing, click the Start configuration button.

Note: To load balance UDP traffic with a network load balancer, you would click Start Configuration under UDP Load Balancing. You would then complete similar steps to set up the load balancer.
For Internet facing or internal only, select From Internet to my VMs.
For Multiple regions or single region, select Single region only.
For Backend type, select Backend Service (Beta).
Click Continue.

Backend configuration

On the New TCP load balancer screen, enter a Name of tcp-network-lb for the new load balancer.
Click Backend configuration. The load balancer Name you entered previously appears, but is not modifiable.
Click Backend configuration and make the following changes:
1. For the Region, select us-central1.
2. Under Backends, use the Instance group dropdown to select ig-us-1. Click Done. Click Add backend and repeat this step to add ig-us-2.
3. Under Health check, choose Create a health check or Create another health check, enter the following information:
  - Name: tcp-health-check
  - Protocol: TCP
  - Port: 80
4. Click Save and continue.
5. Verify that there is a blue check mark next to Backend configuration before continuing.

Frontend configuration

Click Frontend configuration.
Enter a Name of network-lb-forwarding-rule.
Under IP, click the drop-down menu and select Create IP address.
1. On the Reserve a new static IP address screen, assign a Name of network-lb-ip.
2. Click Reserve.
Enter a Port of 80.
Click the Done button.

A blue circle with a checkmark to the left of Frontend configuration indicates a successful set-up.

Review the configuration

Click the Review and finalize button to check all of your configuration settings for the load balancer.
If the settings are correct, click Create. It takes a few minutes for the load balancer to be created.

On the load balancing screen, under the Backend column for your new load balancer, you should see a green checkmark showing that the new load balancer is healthy.

gcloud

Create a static external IP address for your load balancer.

gcloud compute addresses create network-lb-ip \
    --region us-central1

Create a TCP health check.
Backend service-based network load balancers can use TCP, SSL, HTTP(S), and HTTP/2 health checks. Target pool-based network load balancer can only use legacy health checks.
```
gcloud compute health-checks create tcp tcp-health-check \
    --region us-central1 \
    --port 80
```

Create a backend service.

gcloud compute backend-services create network-lb-backend-service \
    --protocol TCP \
    --health-checks tcp-health-check \
    --health-checks-region us-central1 \
    --region us-central1

Add the instance groups to the backend service.

gcloud compute backend-services add-backend network-lb-backend-service \
--instance-group ig-us-1 \
--instance-group-zone us-central1-a \
--region us-central1

gcloud compute backend-services add-backend network-lb-backend-service \
--instance-group ig-us-2 \
--instance-group-zone us-central1-c \
--region us-central1

Create a forwarding rule to route incoming TCP traffic to the backend service. Use the IP address reserved in step 1 as the static external IP address of the load balancer.

gcloud compute forwarding-rules create network-lb-forwarding-rule \
    --load-balancing-scheme external \
    --region us-central1 \
    --ports 80 \
    --address network-lb-ip \
    --backend-service network-lb-backend-service

Testing the load balancer

Now that the load balancing service is configured, you can start sending traffic to the load balancer's external IP address and watch traffic get distributed to the backend instances.

Look up the load balancer's external IP address

Console

On the Advanced load balancing page, go to the Forwarding Rules tab.
Go to the Forwarding Rules tab
Locate network-lb-forwarding-rule, the forwarding rule used by the load balancer.
In the IP Address column for network-lb-forwarding-rule, note the external IP address listed.

gcloud

Enter the following command to view the external IP address of the network-lb-forwarding-rule forwarding rule used by the load balancer.

gcloud compute forwarding-rules describe network-lb-forwarding-rule \
    --region us-central1

Send traffic to the load balancer

This procedure sends external traffic to the load balancer.

Make web requests to the load balancer using curl to contact its IP address.
```
$ while true; do curl -m1 IP_ADDRESS; done
```
Note the text returned by the curl command. The name of the backend VM generating the response is displayed in that text; for example: Page served from: VM_NAME

The response from the curl command alternates randomly among the backend instances. If your response is initially unsuccessful, you might need to wait approximately 30 seconds for the configuration to be fully loaded and for your instances to be marked healthy before trying again.

What's next

For information on how Network Load Balancing works with a backend service, see Network Load Balancing with backend service overview.
To learn how to transition a network load balancer from a target pool backend to a regional backend service, see Transitioning network load balancers from target pools to backend services
To configure a network load balancer with a target pool, see Setting up Network Load Balancing.
Clean up the load balancer setup.