Setting up Network Load Balancing for multiple IP protocols

This guide provides instructions for creating backend service-based network load balancers that load-balance TCP, UDP, ESP, ICMP, and ICMPv6 traffic. You can use such a configuration if you want to load-balance traffic that is using IP protocols other than TCP or UDP. Target pool-based network load balancers do not support this capability.

To configure a network load balancer for IP protocols other than TCP or UDP, you create a forwarding rule with protocol set to L3_DEFAULT. This forwarding rule points to a backend service with protocol set to UNSPECIFIED.

In this example, we use two network load balancers to distribute traffic across backend VMs in two zonal managed instance groups in the us-central1 region. Both load balancers receive traffic at the same external IP address.

One load balancer has a forwarding rule with protocol TCP and port 80, and the other load balancer has a forwarding rule with protocol L3_DEFAULT. TCP traffic arriving at the IP address on port 80 is handled by the TCP forwarding rule. All other traffic that does not match the TCP-specific forwarding rule is handled by the L3_DEFAULT forwarding rule.

Network load balancer with zonal managed instance groups
Network Load Balancing with zonal managed instance groups

This scenario distributes traffic across healthy instances. To support this, you create TCP health checks to ensure that traffic is sent only to healthy instances.

The network load balancer is a regional load balancer. All load balancer components must be in the same region.

Before you begin

Install the Google Cloud CLI. For a complete overview of the tool, see the gcloud Tool Guide. You can find commands related to load balancing in the API and gcloud reference guide.

If you haven't run the Google Cloud CLI previously, first run gcloud init to authenticate.

This guide assumes that you are familiar with bash.

Set up the network and subnets

The example on this page uses a custom mode VPC network named lb-network. You can use an auto mode network if you only want to handle IPv4 traffic. However, IPv6 traffic requires a custom mode subnet.

IPv6 traffic also requires a dual-stack subnet (stack-type set to IPv4_IPv6). When you create a dual stack subnet on a custom mode VPC network, you choose an IPv6 access type for the subnet. For this example, we set the subnet's ipv6-access-type parameter to EXTERNAL. This means new VMs on this subnet can be assigned both external IPv4 addresses and external IPv6 addresses.

The backend instance group and the load balancer components used for this example are located in this region and subnet:

  • Region: us-central1
  • Subnet: lb-subnet, with primary IPv4 address range 10.1.2.0/24. Although you choose which IPv4 address range is configured on the subnet, the IPv6 address range is assigned automatically. Google provides a fixed size (/64) IPv6 CIDR block.

To create the example network and subnet, follow these steps.

Console

To support both IPv4 and IPv6 traffic, use the following steps:

  1. In the Google Cloud console, go to the VPC networks page.
    Go to VPC networks
  2. Click Create VPC network.
  3. Enter a Name of lb-network.
  4. In the Subnets section:
    • Set the Subnet creation mode to Custom.
    • In the New subnet section, configure the following fields:
      • Name: lb-subnet
      • Region: us-central1
      • IP stack type: IPv4 and IPv6 (dual-stack)
      • IPv4 range: 10.1.2.0/24
        Although you can configure an IPv4 range of addresses for the subnet, you cannot choose the range of the IPv6 addresses for the subnet. Google provides a fixed size (/64) IPv6 CIDR block.
      • IPv6 access type: External
      • Click Done.
  5. Click Create.

To support IPv4 traffic only, use the following steps:

  1. In the Google Cloud console, go to the VPC networks page.
    Go to VPC networks
  2. Click Create VPC network.
  3. Enter a Name of lb-network.
  4. In the Subnets section:
    • Set the Subnet creation mode to Custom.
    • In the New subnet section, configure the following fields:
      • Name: lb-subnet
      • Region: us-central1
      • IP stack type: IPv4 (single-stack)
      • IPv4 range: 10.1.2.0/24
      • Click Done.
  5. Click Create.

gcloud

  1. Create the custom mode VPC network:

    gcloud compute networks create lb-network \
        --subnet-mode=custom
    
  2. Within the lb-network network, create a subnet for backends in the us-central1 region.

    For both IPv4 and IPv6 traffic, use the following command:

    gcloud compute networks subnets create lb-subnet \
      --stack-type=IPV4_IPv6 \
      --ipv6-access-type=EXTERNAL \
      --network=lb-network \
      --range=10.1.2.0/24 \
      --region=us-central1
    

    For IPv4 traffic only, use the following command:

    gcloud compute networks subnets create lb-subnet \
      --network=lb-network \
      --range=10.1.2.0/24 \
      --region=us-central1
    

Create the zonal managed instance groups

For this load balancing scenario, you create two Compute Engine zonal managed instance groups and install an Apache web server on each instance.

To handle both IPv4 and IPv6 traffic, configure the backend VMs to be dual-stack. Set the VM's stack-type to IPv4_IPv6. The VMs also inherit the ipv6-access-type setting (in this example, EXTERNAL) from the subnet.

Instances that participate as backend VMs for network load balancers must be running the appropriate Linux Guest Environment, Windows Guest Environment, or other processes that provide equivalent functionality.

Create the instance group for TCP traffic on port 80

Console

  1. Create an instance template. In the Cloud console, go to the Instance templates page.

    Go to Instance templates

    1. Click Create instance template.
    2. For Name, enter ig-us-template-tcp-80.
    3. Ensure that the Boot disk is set to a Debian image, such as Debian GNU/Linux 10 (buster). These instructions use commands that are only available on Debian, such as apt-get.
    4. Click Networking, disks, security, management, sole tenancy.
    5. Click Management and copy the following script into the Startup script field.

      #! /bin/bash
      sudo apt-get update
      sudo apt-get install apache2 -y
      sudo a2ensite default-ssl
      sudo a2enmod ssl
      sudo vm_hostname="$(curl -H "Metadata-Flavor:Google" \
      http://169.254.169.254/computeMetadata/v1/instance/name)"
      sudo echo "Page served from: $vm_hostname" | \
      tee /var/www/html/index.html
      
    6. Click Networking.

      1. For Network tags, add network-lb-tcp-80.
      2. For Network interfaces, click the default interface and configure the following fields:
        1. Network: lb-network
        2. Subnetwork: lb-subnet
    7. Click Create.

  2. Create a managed instance group. Go to the Instance groups page in the Cloud console.

    Go to Instance groups

    1. Click Create instance group.
    2. Select New managed instance group (stateless). For more information, see Stateless or stateful MIGs.
    3. For the Name, enter ig-us-tcp-80.
    4. Under Location, select Single zone.
    5. For the Region, select us-central1.
    6. For the Zone, select us-central1-a.
    7. Under Instance template, select ig-us-template-tcp-80.
    8. Specify the number of instances that you want to create in the group.

      For this example, specify the following options under Autoscaling:

      • For Autoscaling mode, select Off:do not autoscale.
      • For Maximum number of instances, enter 2.
    9. Click Create.

gcloud

The gcloud instructions in this guide assume that you are using Cloud Shell or another environment with bash installed.

  1. Create a VM instance template with HTTP server with the gcloud compute instance-templates create command.

    To handle both IPv4 and IPv6 traffic, use the following command.

    gcloud compute instance-templates create ig-us-template-tcp-80 \
    --region=us-central1 \
    --network=lb-network \
    --subnet=lb-subnet \
    --ipv6-network-tier=PREMIUM \
    --stack-type=IPv4_IPv6 \
    --tags=network-lb-tcp-80 \
    --image-family=debian-10 \
    --image-project=debian-cloud \
    --metadata=startup-script='#! /bin/bash
    sudo apt-get update
    sudo apt-get install apache2 -y
    sudo a2ensite default-ssl
    sudo a2enmod ssl
    sudo vm_hostname="$(curl -H "Metadata-Flavor:Google" \
    http://169.254.169.254/computeMetadata/v1/instance/name)"
    sudo echo "Page served from: $vm_hostname" | \
    tee /var/www/html/index.html
    systemctl restart apache2'
    

    Or, if you want to handle IPv4 traffic only traffic, use the following command.

    gcloud compute instance-templates create ig-us-template-tcp-80 \
    --region=us-central1 \
    --network=lb-network \
    --subnet=lb-subnet \
    --tags=network-lb-tcp-80 \
    --image-family=debian-10 \
    --image-project=debian-cloud \
    --metadata=startup-script='#! /bin/bash
    sudo apt-get update
    sudo apt-get install apache2 -y
    sudo a2ensite default-ssl
    sudo a2enmod ssl
    sudo vm_hostname="$(curl -H "Metadata-Flavor:Google" \
    http://169.254.169.254/computeMetadata/v1/instance/name)"
    sudo echo "Page served from: $vm_hostname" | \
    tee /var/www/html/index.html
    systemctl restart apache2'
    
  2. Create a managed instance group in the zone with the gcloud compute instance-groups managed create command.

    gcloud compute instance-groups managed create ig-us-tcp-80 \
        --zone us-central1-a \
        --size 2 \
        --template ig-us-template-tcp-80
    

Create the instance group for TCP on port 8080, UDP, ESP, and ICMP traffic

Console

  1. Create an instance template. In the Cloud console, go to the Instance templates page.

    Go to Instance templates

    1. Click Create instance template.
    2. For the Name, enter ig-us-template-l3-default.
    3. Ensure that the Boot disk is set to a Debian image, such as Debian GNU/Linux 10 (buster). These instructions use commands that are only available on Debian, such as apt-get.
    4. Click Networking, disks, security, management, sole tenancy.
    5. Click Management and copy the following script into the Startup script field. The startup script also configures the Apache server to listen on port 8080 instead of port 80.

      #! /bin/bash
      sudo apt-get update
      sudo apt-get install apache2 -y
      sudo a2ensite default-ssl
      sudo a2enmod ssl
      sudo vm_hostname="$(curl -H "Metadata-Flavor:Google" \
      http://169.254.169.254/computeMetadata/v1/instance/name)"
      sudo echo "Page served from: $vm_hostname" | \
      tee /var/www/html/index.html
      sudo sed -ire 's/^Listen 80$/Listen 8080/g' /etc/apache2/ports.conf
      sudo systemctl restart apache2
      
    6. Click Networking.

      1. For Network tags, add network-lb-l3-default.
      2. For Network interfaces, click the default interface and configure the following fields:
        1. Network: lb-network
        2. Subnetwork: lb-subnet
    7. Click Create.

  2. Create a managed instance group. Go to the Instance groups page in the Cloud console.

    Go to Instance groups

    1. Click Create instance group.
    2. Choose New managed instance group (stateless). For more information, see Stateless or stateful MIGs.
    3. For the Name, enter ig-us-l3-default.
    4. Under Location, select Single zone.
    5. For the Region, select us-central1.
    6. For the Zone, select us-central1-c.
    7. Under Instance template, select ig-us-template-l3-default.
    8. Specify the number of instances that you want to create in the group.

      For this example, specify the following options under Autoscaling:

      • For Autoscaling mode, select Off:do not autoscale.
      • For Maximum number of instances, enter 2.
    9. Click Create.

gcloud

The gcloud instructions in this guide assume that you are using Cloud Shell or another environment with bash installed.

  1. Create a VM instance template with HTTP server with the gcloud compute instance-templates create command.

    The startup script also configures the Apache server to listen on port 8080 instead of port 80.

    To handle both IPv4 and IPv6 traffic, use the following command.

    gcloud compute instance-templates create ig-us-template-l3-default \
    --region=us-central1 \
    --network=lb-network \
    --subnet=lb-subnet \
    --ipv6-network-tier=PREMIUM \
    --stack-type=IPv4_IPv6 \
    --tags=network-lb-l3-default \
    --image-family=debian-10 \
    --image-project=debian-cloud \
    --metadata=startup-script='#! /bin/bash
    sudo apt-get update
    sudo apt-get install apache2 -y
    sudo a2ensite default-ssl
    sudo a2enmod ssl
    sudo vm_hostname="$(curl -H "Metadata-Flavor:Google" \
    http://169.254.169.254/computeMetadata/v1/instance/name)"
    sudo echo "Page served from: $vm_hostname" | \
    tee /var/www/html/index.html
    sudo sed -ire "s/^Listen 80$/Listen 8080/g" /etc/apache2/ports.conf
    sudo systemctl restart apache2'
    

    Or, if you want to handle IPv4 traffic only, use the following command.

    gcloud compute instance-templates create ig-us-template-l3-default \
    --region=us-central1 \
    --network=lb-network \
    --subnet=lb-subnet \
    --tags=network-lb-l3-default \
    --image-family=debian-10 \
    --image-project=debian-cloud \
    --metadata=startup-script='#! /bin/bash
    sudo apt-get update
    sudo apt-get install apache2 -y
    sudo a2ensite default-ssl
    sudo a2enmod ssl
    sudo vm_hostname="$(curl -H "Metadata-Flavor:Google" \
    http://169.254.169.254/computeMetadata/v1/instance/name)"
    sudo echo "Page served from: $vm_hostname" | \
    tee /var/www/html/index.html
    sudo sed -ire "s/^Listen 80$/Listen 8080/g" /etc/apache2/ports.conf
    sudo systemctl restart apache2'
    
  2. Create a managed instance group in the zone with the gcloud compute instance-groups managed create command.

    gcloud compute instance-groups managed create ig-us-l3-default \
        --zone us-central1-c \
        --size 2 \
        --template ig-us-template-l3-default
    

Configure firewall rules

Create the following firewall rules:

  • Firewall rules that allow external TCP traffic to reach backend instances in the ig-us-tcp-80 instance group on port 80 (using target tag network-lb-tcp-80). Create separate firewall rules to allow IPv4 and IPv6 traffic.
  • Firewall rules that allow other external traffic (TCP on port 8080, UDP, ESP, and ICMP) to reach backend instances in the ig-us-l3-default instance group (using target tag network-lb-l3-default). Create separate firewall rules to allow IPv4 and IPv6 traffic.

This example creates firewall rules that allows traffic from all source ranges to reach your backend instances on the configured ports. If you want to create separate firewall rules specifically for the health check probes, use the source IP address ranges documented in the Health checks overview: Probe IP ranges and firewall rules.

Console

  1. Go to the Firewalls page in the Google Cloud console.
    Go to the Firewalls page
  2. To allow IPv4 TCP traffic to reach backends in the ig-us-tcp-80 instance group, create the following firewall rule.
    1. Click Create firewall rule.
    2. Enter a Name of allow-network-lb-tcp-80-ipv4.
    3. Select the Network that the firewall rule applies to (Default).
    4. Under Targets, select Specified target tags.
    5. In the Target tags field, enter network-lb-tcp-80.
    6. Set Source filter to IPv4 ranges.
    7. Set the Source IPv4 ranges to 0.0.0.0/0, which allows traffic from any source. This allows both external traffic and health check probes to reach the backend instances.
    8. Under Protocols and ports, select Specified protocols and ports. Click the checkbox next to tcp and enter 80.
    9. Click Create. It might take a moment for the Console to display the new firewall rule, or you might have to click Refresh to see the rule.
  3. To allow IPv4 UDP, ESP, and ICMP traffic to reach backends in the ig-us-l3-default instance group, create the following firewall rule.
    1. Click Create firewall rule.
    2. Enter a Name of allow-network-lb-l3-default-ipv4.
    3. Select the Network that the firewall rule applies to (Default).
    4. Under Targets, select Specified target tags.
    5. In the Target tags field, enter network-lb-l3-default.
    6. Set Source filter to IPv4 ranges.
    7. Set the Source IPv4 ranges to 0.0.0.0/0, which allows traffic from any source. This allows both external traffic and health check probes to reach the backend instances.
    8. Under Protocols and ports, select Specified protocols and ports.
      1. Click the checkbox next to tcp and enter 8080.
      2. Click the checkbox next to udp.
      3. Click the checkbox next to Other protocols and enter esp, icmp.
    9. Click Create. It might take a moment for the Console to display the new firewall rule, or you might have to click Refresh to see the rule.
  4. To allow IPv6 TCP traffic to reach backends in the ig-us-tcp-80 instance group, create the following firewall rule.
    1. Click Create firewall rule.
    2. Enter a Name of allow-network-lb-tcp-80-ipv6.
    3. Select the Network that the firewall rule applies to (Default).
    4. Under Targets, select Specified target tags.
    5. In the Target tags field, enter network-lb-tcp-80.
    6. Set Source filter to IPv6 ranges.
    7. Set the Source IPv6 ranges to ::/0, which allows traffic from any source. This allows both external traffic and health check probes to reach the backend instances.
    8. Under Protocols and ports, select Specified protocols and ports. Click the checkbox next to tcp and enter 80.
    9. Click Create. It might take a moment for the Console to display the new firewall rule, or you might have to click Refresh to see the rule.
  5. To allow IPv6 UDP, ESP, and ICMPv6 traffic to reach backends in the ig-us-l3-default instance group, create the following firewall rule. This firewall rule also allows TCP health check probes to reach the instances on port 8080.
    1. Click Create firewall rule.
    2. Enter a Name of allow-network-lb-l3-default-ipv6.
    3. Select the Network that the firewall rule applies to (Default).
    4. Under Targets, select Specified target tags.
    5. In the Target tags field, enter network-lb-l3-default.
    6. Set Source filter to IPv6 ranges.
    7. Set the Source IPv6 ranges to ::/0, which allows traffic from any source. This allows both external traffic and health check probes to reach the backend instances.
    8. Under Protocols and ports, select Specified protocols and ports.
      1. Click the checkbox next to tcp and enter 8080.
      2. Click the checkbox next to udp.
      3. Click the checkbox next to Other protocols and enter esp, 58.
    9. Click Create. It might take a moment for the Console to display the new firewall rule, or you might have to click Refresh to see the rule.

gcloud

  1. To allow IPv4 TCP traffic to reach backends in the ig-us-tcp-80 instance group, create the following firewall rule.

    gcloud compute firewall-rules create allow-network-lb-tcp-80-ipv4 \
        --network=lb-network \
        --target-tags network-lb-tcp-80 \
        --allow tcp:80 \
        --source-ranges=0.0.0.0/0
    
  2. To allow IPv4 UDP, ESP, and ICMP traffic to reach backends in the ig-us-l3-default instance group, create the following firewall rule. This firewall rule also allows TCP health check probes to reach the instances on port 8080.

    gcloud compute firewall-rules create allow-network-lb-l3-default-ipv4 \
        --network=lb-network \
        --target-tags network-lb-l3-default \
        --allow tcp:8080,udp,esp,icmp \
        --source-ranges=0.0.0.0/0
    
  3. To allow IPv6 TCP traffic to reach backends in the ig-us-tcp-80 instance group, create the following firewall rule.

    gcloud compute firewall-rules create allow-network-lb-tcp-80-ipv6 \
        --network=lb-network \
        --target-tags network-lb-tcp-80 \
        --allow tcp:80 \
        --source-ranges=::/0
    
  4. To allow IPv6 UDP, ESP, and ICMPv6 traffic to reach backends in the ig-us-l3-default instance group, create the following firewall rule. This firewall rule also allows TCP health check probes to reach the instances on port 8080.

    gcloud compute firewall-rules create allow-network-lb-l3-default-ipv6 \
        --network=lb-network \
        --target-tags network-lb-l3-default \
        --allow tcp:8080,udp,esp,58 \
        --source-ranges=::/0
    

Configure the load balancers

Next, set up the load balancers. Configure one load balancer to handle TCP traffic on port 80 and another load balancer to handle TCP on port 8080, UDP, ESP, and ICMP traffic. Both load balancers will use the same external IP address with their forwarding rules.

When you configure a load balancer, your backend VM instances will receive packets that are destined for the static external IP address you configure. If you are using an image provided by Compute Engine, your instances are automatically configured to handle this IP address. If you are using any other image, you must configure this address as an alias on eth0 or as a loopback on each instance.

Console

gcloud

  1. (For IPv4 traffic only) Create a static external IP address for your load balancers.

    gcloud compute addresses create network-lb-ipv4 \
        --region us-central1
    

    In this example, the IPv6 forwarding rule uses an ephemeral IP address. Reserving a static external IPv6 address is still in Preview and requires an allowlisted project. For details, see Reserving an external IPv6 address.

  2. Create a TCP health check for port 80. This is used to verify the health of backends in the ig-us-tcp-80 instance group.

    gcloud compute health-checks create tcp tcp-health-check-80 \
        --region us-central1 \
        --port 80
    
  3. Create a TCP health check for port 8080. This is used to verify the health of backends in the ig-us-l3-default instance group.

    gcloud compute health-checks create tcp tcp-health-check-8080 \
        --region us-central1 \
        --port 8080
    
  4. Create the first load balancer for TCP traffic on port 80.

    1. Create a backend service with protocol TCP.

      gcloud compute backend-services create backend-service-tcp-80 \
          --protocol TCP \
          --health-checks tcp-health-check-80 \
          --health-checks-region us-central1 \
          --region us-central1
      
    2. Add the backend instance group to the backend service.

      gcloud compute backend-services add-backend backend-service-tcp-80 \
          --instance-group ig-us-tcp-80 \
          --instance-group-zone us-central1-a \
          --region us-central1
      
    3. For IPv4 traffic. Create a forwarding rule to route incoming TCP traffic on port 80 to the backend service. TCP is the default forwarding rule protocol and does not need to be set explicitly.

      Use the IP address reserved in step 1 as the static external IP address of the load balancer.

      gcloud compute forwarding-rules create forwarding-rule-tcp-80-ipv4 \
          --load-balancing-scheme external \
          --region us-central1 \
          --ports 80 \
          --address network-lb-ipv4 \
          --backend-service backend-service-tcp-80
      
    4. For IPv6 traffic. Create a forwarding rule to route incoming TCP traffic on port 80 to the backend service. TCP is the default forwarding rule protocol and does not need to be set explicitly.

      Use an ephemeral IP address.

      gcloud compute forwarding-rules create forwarding-rule-tcp-80-ipv6 \
          --load-balancing-scheme external \
          --region us-central1 \
          --subnet lb-subnet \
          --ip-version IPV6 \
          --ports 80 \
          --backend-service backend-service-tcp-80
      
  5. Create the second load balancer for TCP on port 8080, UDP, ESP, and ICMP traffic.

    1. Create a backend service with protocol UNSPECIFIED.

      gcloud compute backend-services create backend-service-l3-default \
          --protocol UNSPECIFIED \
          --health-checks tcp-health-check-8080 \
          --health-checks-region us-central1 \
          --region us-central1
      
    2. Add the backend instance group to the backend service.

      gcloud compute backend-services add-backend backend-service-l3-default \
          --instance-group ig-us-l3-default \
          --instance-group-zone us-central1-c \
          --region us-central1
      
    3. For IPv4 traffic. Create a forwarding rule with protocol set to L3_DEFAULT to handle all remaining supported IP protocol traffic (TCP on port 8080, UDP, ESP, and ICMP). All ports must be configured with L3_DEFAULT forwarding rules.

      Use the same external IPv4 address as that used for the previous load balancer.

      gcloud compute forwarding-rules create forwarding-rule-l3-default-ipv4 \
          --load-balancing-scheme external \
          --region us-central1 \
          --ports all \
          --ip-protocol L3_DEFAULT \
          --address network-lb-ipv4 \
          --backend-service backend-service-l3-default
      
    4. For IPv6 traffic. Create a forwarding rule with protocol set to L3_DEFAULT to handle all remaining supported IP protocol traffic (TCP on port 8080, UDP, ESP, and ICMP). All ports must be configured with L3_DEFAULT forwarding rules.

      Use an ephemeral IP address.

      gcloud compute forwarding-rules create forwarding-rule-l3-default-ipv6 \
          --load-balancing-scheme external \
          --region us-central1 \
          --subnet lb-subnet \
          --ip-version IPV6 \
          --ports all \
          --ip-protocol L3_DEFAULT \
          --backend-service backend-service-l3-default
      

Test the load balancer

Now that the load balancing service is configured, you can start sending traffic to the load balancer's external IP address and watch traffic get distributed to the backend instances.

Look up the load balancer's external IP address

Console

  1. On the Advanced load balancing page, go to the Forwarding Rules tab.
    Go to the Forwarding Rules tab
  2. Locate the forwarding rules used by the load balancer.
  3. In the IP Address column, note the external IP address listed for each IPv4 and IPv6 forwarding rule.

gcloud: IPv4

Enter the following command to view the external IP address of the forwarding rule used by the load balancer.

gcloud compute forwarding-rules describe forwarding-rule-tcp-80-ipv4 \
    --region us-central1

This example uses the same IP address for both IPv4 forwarding rules so using forwarding-rule-l3-default-ipv4 will also work.

gcloud: IPv6

Enter the following command to view the external IPv6 address of the forwarding-rule-tcp-80-ipv6 forwarding rule used by the load balancer.

gcloud compute forwarding-rules describe forwarding-rule-tcp-80-ipv6 \
    --region us-central1

Use the following command to get the IPv6 address for the forwarding-rule-l3-default-ipv6 used by the second load balancer.

gcloud compute forwarding-rules describe forwarding-rule-l3-default-ipv6 \
    --region us-central1

Send traffic to the load balancer

This procedure sends external traffic to the load balancer. Run the following tests to ensure that TCP traffic on port 80 is being load-balanced by the ig-us-tcp-80 instance group while all other traffic (TCP on port 8080, UDP, ESP, and ICMP) is being handled by the ig-us-l3-default instance group.

Verifying behavior with TCP requests on port 80

  1. Make web requests (over TCP on port 80) to the load balancer using curl to contact its IP address.

    $ while true; do curl -m1 IP_ADDRESS; done
    
  2. Note the text returned by the curl command. The name of the backend VM generating the response is displayed in that text; for example: Page served from: VM_NAME. Responses should come from instances in the ig-us-tcp-80 instance group only.

    If your response is initially unsuccessful, you might need to wait approximately 30 seconds for the configuration to be fully loaded and for your instances to be marked healthy before trying again.

Verifying behavior with TCP requests on port 8080

Make web requests (over TCP on port 8080) to the load balancer using curl to contact its IP address.

  • From clients with IPv4 connectivity, run the following command:

    $ while true; do curl -m1 IPV4_ADDRESS:8080; done
    
  • From clients with IPv6 connectivity, run the following command:

    $ while true; do curl -m1 http://IPV6_ADDRESS; done
    

    For example, if the assigned IPv6 address is [2001:db8:1:1:1:1:1:1/96], the command should look like:

    $ while true; do curl -m1 http://[2001:db8:1:1:1:1:1:1]:8080; done
    

Note the text returned by the curl command. Responses should come from instances in the ig-us-l3-default instance group only.

This shows that any traffic sent to the load balancer's IP address at port 8080 is being handled by backends in the ig-us-l3-default instance group only.

Verifying behavior with ICMP requests

To verify behavior with ICMP traffic, you capture output from the tcpdump command to confirm that only backend VMs in the ig-us-l3-default instance group are handling ICMP requests send to the load balancer.

  1. SSH to the backend VMs.

    1. In the Cloud console, go to the VM instances page.
      Go to the VM instances page

    2. In the list of virtual machine instances, click SSH in the row of the instance that you want to connect to.

  2. Run the following command to use tcpdump to start listening for ICMP traffic.

    sudo tcpdump icmp -w ~/icmpcapture.pcap -s0 -c 10000
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    

    Leave the SSH window open.

  3. Repeat steps 1 and 2 for all four backend VMs.

  4. Make ICMP requests to the load balancer.

    To test the IPv4 responses, use ping to contact the load balancer's IPv4 address.

    ping IPV4_ADDRESS
    

    To test the IPv6 responses, use ping6 to contact the load balancer's IPv6 address.

    ping6 IPV6_ADDRESS
    

    For example, if the assigned IPv6 address is [2001:db8:1:1:1:1:1:1/96], the command should look like:

    ping6 2001:db8:1:1:1:1:1:1
    
  5. Go back to each VM's open SSH window and stop the tcpdump capture command. You can use Ctrl+C to do this.

  6. For each VM, check the output of the tcpdump command in the icmpcapture.pcap file.

    sudo tcpdump -r ~/icmpcapture.pcap -n
    

    For backend VMs in the ig-us-l3-default instance group, you should see file entries like:

    reading from file /home/[user-directory]/icmpcapture.pcap, link-type EN10MB (Ethernet)
    22:13:07.814486 IP 35.230.115.24 > 35.193.84.93: ICMP echo request, id 1995, seq 1, length 64
    22:13:07.814513 IP 35.193.84.93 > 35.230.115.24: ICMP echo reply, id 1995, seq 1, length 64
    22:13:08.816150 IP 35.230.115.24 > 35.193.84.93: ICMP echo request, id 1995, seq 2, length 64
    22:13:08.816175 IP 35.193.84.93 > 35.230.115.24: ICMP echo reply, id 1995, seq 2, length 64
    22:13:09.817536 IP 35.230.115.24 > 35.193.84.93: ICMP echo request, id 1995, seq 3, length 64
    22:13:09.817560 IP 35.193.84.93 > 35.230.115.24: ICMP echo reply, id 1995, seq 3, length 64
    ...
    

    For backend VMs in the ig-us-tcp-80 instance group, you should see that no packets have been received and the file should be blank:

    reading from file /home/[user-directory]/icmpcapture.pcap, link-type EN10MB (Ethernet)
    

What's next