This guide provides instructions for creating a basic Network Load Balancing
deployment using a regional backend service. In this example, we'll use the load
balancer to distribute traffic across backend VMs in two zonal managed instance
groups in the
us-central1 region. An equally valid approach would be to use a
single regional managed instance group for the
This scenario distributes TCP traffic across healthy instances. To support this example, TCP health checks are configured to ensure that traffic is sent only to healthy instances. Note that TCP health checks are only supported with a backend service-based load balancer. Target pool-based load balancers can only use legacy HTTP health checks.
This example load balances TCP traffic, but you can use Network Load Balancing to load balance UDP, SSL, and HTTP(S) traffic. Before you start, read Network Load Balancing overview.
Note that the network load balancer is a regional load balancer. All load balancer components (backend VMs, backend service, and forwarding rule) must be in the same region.
Before you begin
If you haven't run the
gcloud command-line tool previously, first run
gcloud init to authenticate.
This guide assumes that you are familiar with bash.
Creating the zonal managed instance groups
For this load balancing scenario, you will create two Compute Engine zonal managed instance groups and install an echo server on each instance.
Instances that participate as backend VMs for network load balancers must be running the appropriate Linux Guest Environment, Windows Guest Environment, or other processes that provide equivalent functionality.
Setting up the instances
- Go to the Instance groups page in the Cloud Console.
- Click Create instance group.
- Choose New managed instance group on the left.
- For the Name, enter
- Under Location, select Single zone.
- For the Region, select us-central1.
- For the Zone, select us-central1-a.
Under Instance template, select Create a new instance template.
- For the Name, enter
- Ensure that the Boot disk is set to a Debian image, such as
Debian GNU/Linux 9 (stretch). These instructions use commands that
are only available on Debian, such as
Under Management, security, disks, networking, sole tenancy, on the Management tab, insert the following script into the Startup script field.
#! /bin/bash apt-get update apt-get install apache2 -y a2ensite default-ssl a2enmod ssl vm_hostname="$(curl -H "Metadata-Flavor:Google" \ http://169.254.169.254/computeMetadata/v1/instance/name)" echo "Page served from: $vm_hostname" | \ tee /var/www/html/index.html systemctl restart apache2
Under Networking, populate the Tags field with the
Click Save and continue.
- For the Name, enter
Specify the number of instances that you want to create in the group.
For this example, under Autoscaling mode, select:
- Don't autoscale
- Under Number of instances, enter
Click Create to create the new instance group.
Repeat the previous steps to create a second managed instance group in the
us-central1-czone with the following specifications:
- Instance template: Use the same
ig-us-templatetemplate created in the previous section.
gcloud instructions in this guide assume that you are using Cloud
Shell or another environment with bash installed.
Create a VM instance template with HTTP server with the
gcloud compute instance-templates createcommand.
gcloud compute instance-templates create ig-us-template \ --region=us-central1 \ --tags=network-lb \ --image-family=debian-9 \ --image-project=debian-cloud \ --metadata=startup-script='#! /bin/bash apt-get update apt-get install apache2 -y a2ensite default-ssl a2enmod ssl vm_hostname="$(curl -H "Metadata-Flavor:Google" \ http://169.254.169.254/computeMetadata/v1/instance/name)" echo "Page served from: $vm_hostname" | \ tee /var/www/html/index.html systemctl restart apache2'
Create a managed instance group in the zone with the
gcloud compute instance-groups managed createcommand.
gcloud compute instance-groups managed create ig-us-1 \ --zone us-central1-a \ --size 2 \ --template ig-us-template
Create a second managed instance group in the
gcloud compute instance-groups managed create ig-us-2 \ --zone us-central1-c \ --size 2 \ --template ig-us-template
Configuring firewall rules
Create a firewall rule that allows external traffic to reach the backend instances.
- Go to the Firewalls page in the Google Cloud Console.
Go to the Firewalls page
- Click Create firewall rule.
- Enter a Name of
- Select the Network that the firewall rule applies to (Default).
- Under Targets, select Specified target tags.
- In the Target tags field, enter
- Set the Source IP ranges to
0.0.0.0/0, which allows traffic from any source. This allows both external traffic and health check probes to reach the backend instances.
- Under Specified protocols and ports, click the checkbox next to
tcp and enter
- Click Create. It might take a moment for the Console to display the new firewall rule, or you might have to click Refresh to see the rule.
gcloud compute firewall-rules create allow-network-lb \ --target-tags network-lb \ --allow tcp:80
Configuring the load balancer
Next, set up the load balancer.
When you configure the load balancer, your virtual machine instances
will receive packets that are destined for the static external IP address you
configure. If you are using an image provided by Compute Engine,
your instances are automatically configured to handle this IP address. If
you are using any other image, you must configure this address as
an alias on
eth0 or as a loopback on each instance.
- Go to the Create a load balancer page in the Google Cloud Console.
Go to the Create a load balancer page
Under TCP Load Balancing, click the Start configuration button.
For Internet facing or internal only, select From Internet to my VMs.
For Multiple regions or single region, select Single region only.
For Backend type, select Backend Service.
- On the New TCP load balancer screen, enter a Name of
tcp-network-lbfor the new load balancer.
- Click Backend configuration. The load balancer Name you entered previously appears, but is not modifiable.
- Click Backend configuration and make the following changes:
- For the Region, select us-central1.
- Under Backends, use the Instance group dropdown to
ig-us-1. Click Done. Click Add backend and repeat this step to add
- Under Health check, choose Create a health check or
Create another health check, enter the following information:
- Click Save and continue.
- Verify that there is a blue check mark next to Backend configuration before continuing.
- Click Frontend configuration.
- Enter a Name of
- Under IP, click the drop-down menu and select Create IP address.
- On the Reserve a new static IP address screen, assign a
- Click Reserve.
- On the Reserve a new static IP address screen, assign a Name of
- Choose Single, and enter
80for the Port number.
Click the Done button.
A blue circle with a checkmark to the left of Frontend configuration indicates a successful set-up.
Review the configuration
- Click the Review and finalize button to check all of your configuration settings for the load balancer.
If the settings are correct, click Create. It takes a few minutes for the load balancer to be created.
On the load balancing screen, under the Backend column for your new load balancer, you should see a green checkmark showing that the new load balancer is healthy.
Create a static external IP address for your load balancer.
gcloud compute addresses create network-lb-ip \ --region us-central1
Create a TCP health check.
gcloud compute health-checks create tcp tcp-health-check \ --region us-central1 \ --port 80
Create a backend service.
gcloud compute backend-services create network-lb-backend-service \ --protocol TCP \ --health-checks tcp-health-check \ --health-checks-region us-central1 \ --region us-central1
Add the instance groups to the backend service.
gcloud compute backend-services add-backend network-lb-backend-service \ --instance-group ig-us-1 \ --instance-group-zone us-central1-a \ --region us-central1
gcloud compute backend-services add-backend network-lb-backend-service \ --instance-group ig-us-2 \ --instance-group-zone us-central1-c \ --region us-central1
Create a forwarding rule to route incoming TCP traffic to the backend service. Use the IP address reserved in step 1 as the static external IP address of the load balancer.
gcloud compute forwarding-rules create network-lb-forwarding-rule \ --load-balancing-scheme external \ --region us-central1 \ --ports 80 \ --address network-lb-ip \ --backend-service network-lb-backend-service
Testing the load balancer
Now that the load balancing service is configured, you can start sending traffic to the load balancer's external IP address and watch traffic get distributed to the backend instances.
Look up the load balancer's external IP address
- On the Advanced load balancing page, go to the Forwarding Rules
Go to the Forwarding Rules tab
network-lb-forwarding-rule, the forwarding rule used by the load balancer.
- In the IP Address column for
network-lb-forwarding-rule, note the external IP address listed.
Enter the following command to view the external IP address of the
network-lb-forwarding-rule forwarding rule used by the load balancer.
gcloud compute forwarding-rules describe network-lb-forwarding-rule \ --region us-central1
Send traffic to the load balancer
This procedure sends external traffic to the load balancer.
Make web requests to the load balancer using
curlto contact its IP address.
$ while true; do curl -m1 IP_ADDRESS; done
Note the text returned by the
curlcommand. The name of the backend VM generating the response is displayed in that text; for example:
Page served from: VM_NAME
The response from the
curlcommand alternates randomly among the backend instances. If your response is initially unsuccessful, you might need to wait approximately 30 seconds for the configuration to be fully loaded and for your instances to be marked healthy before trying again.
- For information on how Network Load Balancing works with a backend service, see Network Load Balancing with backend service overview.
- To learn how to transition a network load balancer from a target pool backend to a regional backend service, see Transitioning network load balancers from target pools to backend services
- To configure a network load balancer with a target pool, see Setting up Network Load Balancing.
- Clean up the load balancer setup.