This document provides instructions for setting up SSL Proxy Load Balancing. Before you start, read SSL Proxy Load Balancing overview for information on how SSL Proxy Load Balancing works.
Setting up SSL Proxy Load Balancing
This example demonstrates setting up global SSL Proxy Load Balancing for a simple service that exists in two regions: us-central1 and us-east1. You will configure the following:
- Four instances spread across two regions
- Instance groups for holding the instances
- Backend components, which include the following:
  - Health check - used to monitor instance health
  - Backend service - monitors instance groups and prevents them from exceeding configured usage
  - Backends - hold the instance groups
- Frontend components, which include the following:
  - An SSL certificate resource. You can use either a self-managed certificate, where you supply your own SSL certificate, or a Google-managed certificate, where Google issues a certificate that is valid for all of your domains. For more information, see Types of SSL certificates.
  - The SSL proxy itself with its SSL certificate
  - An external static IPv4 address and a forwarding rule that sends user traffic to the proxy
  - An external static IPv6 address and a forwarding rule that sends user traffic to the proxy
- A firewall rule that allows traffic from the load balancer and health checker to the instances.
- Optionally, an SSL policy to control the features of SSL that your SSL proxy load balancer negotiates with clients.
After that, you'll test your configuration.
Permissions
To follow this guide, you must be able to create instances and modify a network in a project. You must be either a project owner or editor, or you must have all of the following Compute Engine IAM roles:
Task | Required Role |
---|---|
Create networks, subnets, and load balancer components | Network Admin |
Add and remove firewall rules | Security Admin |
Create instances | Compute Instance Admin |
For more information, see the following guides:
Configure instances and instance groups
This section shows how to create instances and instance groups, then add the instances to the instance groups. A production system would normally use managed instance groups based on instance templates, but this setup is quicker for initial testing.
Create instances
For testing purposes, install Apache on four instances, two in each of two instance groups. Typically, you would not use SSL Proxy Load Balancing for HTTP traffic, but Apache is commonly used and is easy to set up for testing.
Create these instances with the tag ssl-lb, which the firewall rule will use later.
Console
Create instances
- Go to the VM instances page in the Google Cloud Console.
- Click Create instance.
- Set Name to ig-us-central1-1.
- Set the Zone to us-central1-b.
- Click Management, security, disks, networking, sole tenancy to reveal advanced settings.
- Under Management, populate the Tags field with ssl-lb.
- Set the Startup script to:

```
sudo apt-get update
sudo apt-get install apache2 -y
sudo a2ensite default-ssl
sudo a2enmod ssl
sudo service apache2 restart
echo '<!doctype html><html><body><h1>ig-us-central1-1</h1></body></html>' | sudo tee /var/www/html/index.html
```

- Leave the default values for the rest of the fields.
- Click Create.
- Create ig-us-central1-2 with the same settings, except with Startup script set to:

```
sudo apt-get update
sudo apt-get install apache2 -y
sudo a2ensite default-ssl
sudo a2enmod ssl
sudo service apache2 restart
echo '<!doctype html><html><body><h1>ig-us-central1-2</h1></body></html>' | sudo tee /var/www/html/index.html
```

- Create ig-us-east1-1 with the same settings, except with Zone set to us-east1-b and Startup script set to:

```
sudo apt-get update
sudo apt-get install apache2 -y
sudo a2ensite default-ssl
sudo a2enmod ssl
sudo service apache2 restart
echo '<!doctype html><html><body><h1>ig-us-east1-1</h1></body></html>' | sudo tee /var/www/html/index.html
```

- Create ig-us-east1-2 with the same settings, except with Zone set to us-east1-b and Startup script set to:

```
sudo apt-get update
sudo apt-get install apache2 -y
sudo a2ensite default-ssl
sudo a2enmod ssl
sudo service apache2 restart
echo '<!doctype html><html><body><h1>ig-us-east1-2</h1></body></html>' | sudo tee /var/www/html/index.html
```
gcloud
Create ig-us-central1-1 in zone us-central1-b:

```
gcloud compute instances create ig-us-central1-1 \
    --image-family debian-9 \
    --image-project debian-cloud \
    --tags ssl-lb \
    --zone us-central1-b \
    --metadata startup-script="#! /bin/bash
sudo apt-get update
sudo apt-get install apache2 -y
sudo a2ensite default-ssl
sudo a2enmod ssl
sudo service apache2 restart
echo '<!doctype html><html><body><h1>SSL load balanced instance - US central 1</h1></body></html>' | tee /var/www/html/index.html"
```

```
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-central1-b/instances/ig-us-central1-1].
NAME              ZONE           MACHINE_TYPE   PREEMPTIBLE  INTERNAL_IP  EXTERNAL_IP     STATUS
ig-us-central1-1  us-central1-b  n1-standard-1               10.240.0.8   23.251.150.133  RUNNING
```

Create ig-us-central1-2 in zone us-central1-b:

```
gcloud compute instances create ig-us-central1-2 \
    --image-family=debian-9 \
    --image-project=debian-cloud \
    --tags=ssl-lb \
    --zone=us-central1-b \
    --metadata=startup-script="#! /bin/bash
sudo apt-get update
sudo apt-get install apache2 -y
sudo a2ensite default-ssl
sudo a2enmod ssl
sudo service apache2 restart
echo '<!doctype html><html><body><h1>SSL load balanced instance - US central 2</h1></body></html>' | tee /var/www/html/index.html"
```

```
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-central1-b/instances/ig-us-central1-2].
NAME              ZONE           MACHINE_TYPE   PREEMPTIBLE  INTERNAL_IP  EXTERNAL_IP     STATUS
ig-us-central1-2  us-central1-b  n1-standard-1               10.240.0.11  23.251.148.160  RUNNING
```

Create ig-us-east1-1 in zone us-east1-b:

```
gcloud compute instances create ig-us-east1-1 \
    --image-family=debian-9 \
    --image-project=debian-cloud \
    --tags=ssl-lb \
    --zone=us-east1-b \
    --metadata=startup-script="#! /bin/bash
sudo apt-get update
sudo apt-get install apache2 -y
sudo a2ensite default-ssl
sudo a2enmod ssl
sudo service apache2 restart
echo '<!doctype html><html><body><h1>SSL load balanced instance - US east 1</h1></body></html>' | tee /var/www/html/index.html"
```

```
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-east1-b/instances/ig-us-east1-1].
NAME           ZONE        MACHINE_TYPE   PREEMPTIBLE  INTERNAL_IP  EXTERNAL_IP     STATUS
ig-us-east1-1  us-east1-b  n1-standard-1               10.240.0.12  104.196.31.214  RUNNING
```

Create ig-us-east1-2 in zone us-east1-b:

```
gcloud compute instances create ig-us-east1-2 \
    --image-family=debian-9 \
    --image-project=debian-cloud \
    --tags=ssl-lb \
    --zone=us-east1-b \
    --metadata=startup-script="#! /bin/bash
sudo apt-get update
sudo apt-get install apache2 -y
sudo a2ensite default-ssl
sudo a2enmod ssl
sudo service apache2 restart
echo '<!doctype html><html><body><h1>SSL load balanced instance - US east 2</h1></body></html>' | tee /var/www/html/index.html"
```

```
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-east1-b/instances/ig-us-east1-2].
NAME           ZONE        MACHINE_TYPE   PREEMPTIBLE  INTERNAL_IP  EXTERNAL_IP     STATUS
ig-us-east1-2  us-east1-b  n1-standard-1               10.240.0.13  104.196.25.101  RUNNING
```
Create an instance group for each zone and add instances
Console
- Go to the Instance groups page in the Google Cloud Console.
- Click Create instance group.
- Set the Name to us-ig1.
- Set the Zone to us-central1-b.
- Click Specify port name mapping. A load balancer sends traffic to an instance group through a named port. Create a named port to map the incoming traffic to a specific port number.
  - Under Port name mapping, click Add item.
  - Enter a Port name of ssl-lb and Port numbers of 443.
- Under Instance definition, click Select existing instances.
- From VM instances select ig-us-central1-1 and ig-us-central1-2.
- Leave other settings as they are.
- Click Create.
- Repeat the steps, but set the following:
  - Name: us-ig2
  - Zone: us-east1-b
  - Port name of ssl-lb and Port numbers of 443
  - Instances: ig-us-east1-1 and ig-us-east1-2.
- Confirm that you now have two instance groups, each with two instances.
gcloud
Create the us-ig1 instance group.

```
gcloud compute instance-groups unmanaged create us-ig1 --zone us-central1-b
```

```
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-central1-b/instanceGroups/us-ig1].
NAME    ZONE           NETWORK  MANAGED  INSTANCES
us-ig1  us-central1-b                    0
```

Set a named port for the instance group.

```
gcloud compute instance-groups set-named-ports us-ig1 \
    --named-ports=ssl-lb:443 \
    --zone=us-central1-b
```

Add ig-us-central1-1 and ig-us-central1-2 to us-ig1.

```
gcloud compute instance-groups unmanaged add-instances us-ig1 \
    --instances=ig-us-central1-1,ig-us-central1-2 \
    --zone=us-central1-b
```

```
Updated [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-central1-b/instanceGroups/us-ig1].
```

Create the us-ig2 instance group.

```
gcloud compute instance-groups unmanaged create us-ig2 --zone us-east1-b
```

```
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-east1-b/instanceGroups/us-ig2].
NAME    ZONE        NETWORK  MANAGED  INSTANCES
us-ig2  us-east1-b                    0
```

Set a named port for the instance group.

```
gcloud compute instance-groups set-named-ports us-ig2 \
    --named-ports=ssl-lb:443 \
    --zone=us-east1-b
```

Add ig-us-east1-1 and ig-us-east1-2 to us-ig2.

```
gcloud compute instance-groups unmanaged add-instances us-ig2 \
    --instances=ig-us-east1-1,ig-us-east1-2 \
    --zone=us-east1-b
```

```
Updated [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-east1-b/instanceGroups/us-ig2].
```
You now have an instance group in each of two regions, each with two instances.
Configure the load balancer
Console
Create the load balancer and configure a backend service
- Go to the Load balancing page in the Google Cloud Console.
- Click Create load balancer.
- Under TCP load balancing, click Start configuration.
- Under Internet facing or internal only, select From Internet to my VMs.
- Under Multiple regions or single region, select Multiple regions (or not sure yet).
- Set the Name of the load balancer to my-ssl-lb.
- Click Backend configuration.
- Leave the Protocol set to TCP, or optionally select SSL.
- For Named port, enter ssl-lb.
- Accept the default value for the Timeout.
- Leave the Backend type set to Instance groups.
- Under New backend, select instance group us-ig1.
  - Set Port numbers to 443.
  - Leave other settings as they are.
- Under New backend, select instance group us-ig2.
  - Set Port numbers to 443.
  - Leave other settings as they are.
- Click Done.
- Under Health check, select Create health check.
  - Set the health check Name to my-ssl-health-check.
  - Set Protocol to SSL.
  - Leave the other settings the same.
  - Click Save and continue.
- Verify that there is a green check mark next to Backend configuration in the Google Cloud Console. If not, double-check that you have completed all the steps above.
Configure frontend services
- Click Frontend configuration.
- Under New frontend IP and port, enter a Name of my-ssl-lb-forwarding-rule.
- Set Protocol to SSL.
- Under IP address, select Create IP address.
  - Enter a Name of ssl-lb-static-ip.
  - Click Reserve.
- Under Certificate, select Create a new certificate.
  - Enter a Name of my-ssl-cert.
  - If you choose Upload my certificate, complete these steps:
    - In the appropriate fields upload your
      - Public key certificate (.crt file)
      - Certificate chain (.csr file)
      - Private key (.key file).
    - To add another SSL certificate, click Add certificate, then either select it from the Certificates drop-down menu or select Create a new certificate and follow the instructions above.
    - Turn on Proxy protocol if desired.
    - Click Create.
  - If you choose Create Google managed certificate, enter a Domain. Each time you press Enter another empty field appears. You can enter additional domains into these fields.
- Click Done.
- Click Add frontend IP and port.
  - Enter a Name of my-ssl-lb-ipv6-forwarding-rule.
  - Set IP version to IPv6.
  - Under IP address, select Create IP address.
    - Enter a Name of ssl-lb-static-ipv6.
    - Click Reserve.
  - Under Certificate, select my-ssl-cert.
  - Click Done.
- To add certificate resources in addition to the primary SSL certificate resource:
  - Select a certificate from the Certificates list or click Create a new certificate and follow the instructions above.
  - Click Done.
- To optionally create an SSL policy:
  - Under SSL policy, select Create policy.
  - Enter a Name of my-ssl-policy.
  - Select TLS 1.0 for Minimum TLS Version.
  - Select MODERN for Profile. The Enabled features and Disabled features are displayed.
  - Click Create.
- Verify that there is a green check mark next to Frontend configuration in the Google Cloud Console. If not, double-check that you have completed all the steps above.
Review and finalize
- Click Review and finalize.
- Double-check your settings.
- Click Create.
gcloud
Create a health check
```
gcloud compute health-checks create ssl my-ssl-health-check --port=443
```

```
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/healthChecks/my-ssl-health-check].
NAME                 PROTOCOL
my-ssl-health-check  SSL
```

Create a backend service

```
gcloud compute backend-services create my-ssl-lb \
    --global-health-checks \
    --protocol=SSL \
    --port-name=ssl-lb \
    --health-checks=my-ssl-health-check \
    --timeout=5m \
    --global
```

```
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/backendServices/my-ssl-lb].
NAME       BACKENDS  PROTOCOL
my-ssl-lb            SSL
```
Alternatively, you can configure unencrypted communication from the load balancer to the instances with --protocol=TCP.
Add instance groups to your backend service
```
gcloud compute backend-services add-backend my-ssl-lb \
    --instance-group=us-ig1 \
    --instance-group-zone=us-central1-b \
    --balancing-mode=UTILIZATION \
    --max-utilization=0.8 \
    --global
```

```
Updated [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/backendServices/my-ssl-lb].
```

```
gcloud compute backend-services add-backend my-ssl-lb \
    --instance-group=us-ig2 \
    --instance-group-zone=us-east1-b \
    --balancing-mode=UTILIZATION \
    --max-utilization=0.8 \
    --global
```

```
Updated [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/backendServices/my-ssl-lb].
```
Configure your SSL certificate resources
If you are using self-managed certificates, you must already have at least one SSL certificate to upload. If you do not, see SSL certificates. When you use multiple SSL certificates, you must create them one at a time.
If you are using self-managed SSL certificates and you don’t have a private key and signed certificate, you can create and use a self-signed certificate for testing purposes.
To create a self-managed SSL certificate resource:
```
gcloud compute ssl-certificates create my-ssl-cert \
    --certificate=[CRT_FILE_PATH] \
    --private-key=[KEY_FILE_PATH]
```

```
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/sslCertificates/my-ssl-cert].
NAME         CREATION_TIMESTAMP
my-ssl-cert  2016-02-20T20:53:33.584-08:00
```

To create a Google-managed SSL certificate resource:

```
gcloud beta compute ssl-certificates create www-ssl-cert \
    --domains=[DOMAIN_1],[DOMAIN_2]
```
Configure a target SSL proxy
SSL Proxy Load Balancing supports creating a target SSL proxy that has from one to fifteen SSL certificates. Before you run this command, you must create an SSL certificate resource for each certificate.
If you want to turn on the proxy header, set --proxy-header to PROXY_V1 instead of NONE.
You can optionally attach an SSL policy to the target proxy. First, create the policy.

```
gcloud compute ssl-policies create my-ssl-policy \
    --profile=MODERN \
    --min-tls-version=1.0
```

Then attach the policy to the target proxy.

```
gcloud compute target-ssl-proxies create my-ssl-lb-target-proxy \
    --backend-service=my-ssl-lb \
    --ssl-certificates=[SSL_CERT_1][,[SSL_CERT_2],...] \
    --ssl-policy=my-ssl-policy \
    --proxy-header=NONE
```

```
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/targetSslProxies/my-ssl-lb-target-proxy].
NAME                    PROXY_HEADER  SERVICE    SSL_CERTIFICATES
my-ssl-lb-target-proxy  NONE          my-ssl-lb  my-ssl-cert
```
Reserve global static IP addresses
Your customers use these IP addresses to access your load-balanced service.
```
gcloud compute addresses create ssl-lb-static-ip \
    --ip-version=IPV4 \
    --global
```

```
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/addresses/ssl-lb-static-ip].
NAME               REGION  ADDRESS         STATUS
ssl-lb-static-ip           [LB_STATIC_IP]  RESERVED
```

```
gcloud compute addresses create ssl-lb-static-ipv6 \
    --ip-version=IPV6 \
    --global
```

```
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/addresses/ssl-lb-static-ipv6].
NAME                REGION  ADDRESS           STATUS
ssl-lb-static-ipv6          [LB_STATIC_IPV6]  RESERVED
```
Configure global forwarding rules
Create global forwarding rules associated with the target proxy.
Replace [LB_STATIC_IP] and [LB_STATIC_IPV6] with the IP addresses you generated in Reserve global static IP addresses.

```
gcloud compute forwarding-rules create my-ssl-lb-forwarding-rule \
    --global \
    --target-ssl-proxy=my-ssl-lb-target-proxy \
    --address=[LB_STATIC_IP] \
    --ports=443
```

```
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/forwardingRules/my-ssl-lb-forwarding-rule].
NAME                       REGION  IP_ADDRESS      IP_PROTOCOL  TARGET
my-ssl-lb-forwarding-rule          [LB_STATIC_IP]  SSL          my-ssl-lb-target-proxy
```

```
gcloud compute forwarding-rules create my-ssl-lb-ipv6-forwarding-rule \
    --global \
    --target-ssl-proxy=my-ssl-lb-target-proxy \
    --address=[LB_STATIC_IPV6] \
    --ports=443
```

```
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/forwardingRules/my-ssl-lb-ipv6-forwarding-rule].
NAME                            REGION  IP_ADDRESS        IP_PROTOCOL  TARGET
my-ssl-lb-ipv6-forwarding-rule          [LB_STATIC_IPV6]  SSL          my-ssl-lb-target-proxy
```
Create a firewall rule for the SSL load balancer
Configure the firewall to allow traffic from the load balancer and health checker to the instances.
Console
- Go to the Firewall page in the Google Cloud Console.
- Click Create firewall rule.
- Enter a Name of allow-ssl-lb-and-health.
- Under Network, select default.
- Under Targets, select Specified target tags.
- Set Target tags to ssl-lb.
- Set Source filter to IP ranges.
- Set Source IP ranges to 130.211.0.0/22 and 35.191.0.0/16.
- Set Allowed protocols and ports to tcp:443.
- Click Create.
gcloud

```
gcloud compute firewall-rules create allow-ssl-lb-and-health \
    --source-ranges=130.211.0.0/22,35.191.0.0/16 \
    --target-tags=ssl-lb \
    --allow=tcp:443
```

```
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/firewalls/allow-ssl-lb-and-health].
NAME                     NETWORK  SRC_RANGES                    RULES    SRC_TAGS  TARGET_TAGS
allow-ssl-lb-and-health  default  130.211.0.0/22,35.191.0.0/16  tcp:443            ssl-lb
```
If you are using a Google-managed certificate, confirm that your certificate resource's status is ACTIVE. For more information, see Google-managed SSL certificate resource status.
```
gcloud beta compute ssl-certificates list
```
Test your load balancer
In your web browser, connect to your static IP address using HTTPS. In this test setup, the instances are using self-signed certificates. Therefore, you will see a warning in your browser the first time you access a page. Click through the warning to see the actual page. Replace [IP_ADDRESS] with either the IPv4 or IPv6 address you created earlier.

```
https://[IP_ADDRESS]
```
You should see one of the hosts from the region closest to you. Reload the page until you see the other instance in that region. To see instances from the other region, stop the instances in the closest region.
Alternatively, you can use curl from your local machine's command line.
If you are using a self-signed certificate on the SSL proxy, you must also specify -k. The curl -k option allows curl to work even if you have a self-signed certificate or no certificate at all. If you have a normal certificate, you can remove that parameter. You should only use the -k parameter for testing your own site. Under normal circumstances, a valid certificate is an important security measure and certificate warnings should not be ignored.
Replace [IP_ADDRESS] with either the IPv4 or IPv6 address you created earlier.

```
curl -k https://[IP_ADDRESS]
```
Additional SSL proxy commands
List target SSL proxies
Console
Go to the Target proxy list page in the Google Cloud Console.
gcloud
```
gcloud compute target-ssl-proxies list
```

```
NAME                    PROXY_HEADER  SERVICE    SSL_CERTIFICATES
my-ssl-lb-target-proxy  NONE          my-ssl-lb  my-ssl-cert
```
Describe target SSL proxies
Console
Go to the Target proxy list page in the Google Cloud Console.
Click on the name of your target SSL proxy.
gcloud
```
gcloud compute target-ssl-proxies describe [PROXY_NAME]
```

```
creationTimestamp: '2016-02-20T20:55:17.633-08:00'
id: '9208913598676794842'
kind: compute#targetSslProxy
name: my-ssl-lb-target-proxy
proxyHeader: NONE
selfLink: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/targetSslProxies/my-ssl-lb-target-proxy
service: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/backendServices/my-ssl-lb
sslCertificates:
- https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/sslCertificates/my-ssl-cert
```
Delete target SSL proxy
To delete a target proxy, you must first delete any global forwarding rules that reference it.
Console
- Go to the Global forwarding rule list page in the Google Cloud Console.
- Select the checkbox next to your global forwarding rule.
- Click Delete.
- Go to the Target proxy list page in the Google Cloud Console.
- Select the checkbox next to your target SSL proxy.
- Click Delete.
Alternatively, you can delete all load balancer components by doing the following:
Go to the Load balancing page in the Google Cloud Console.
Click the trash can icon on the right side of the desired row.
Click Delete load balancer to confirm.
gcloud
Delete the global forwarding rule.
```
gcloud compute forwarding-rules delete my-ssl-lb-forwarding-rule \
    --global
```

```
The following global forwarding rules will be deleted:
 - [my-ssl-lb-forwarding-rule]
Do you want to continue (Y/n)? y
Deleted [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/forwardingRules/my-ssl-lb-forwarding-rule].
```

Delete the SSL proxy.

```
gcloud compute target-ssl-proxies delete my-ssl-lb-target-proxy
```

```
The following target ssl proxies will be deleted:
 - [my-ssl-lb-target-proxy]
Do you want to continue (Y/n)? y
Deleted [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/targetSslProxies/my-ssl-lb-target-proxy].
```
Update a backend service for the target SSL proxy
You can use the update command to point your SSL proxy at a different backend service. In this example, you create a new backend service and point the proxy at it. Then, you make an update and point the proxy back to the original backend service.
Console
Use the gcloud command-line tool for this step.
gcloud
Create a second backend service using the same health check.
```
gcloud compute backend-services create my-other-backend-service \
    --protocol=SSL \
    --port-name=ssl-lb \
    --health-checks=my-ssl-health-check \
    --global
```

```
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/backendServices/my-other-backend-service].
NAME                      BACKENDS  PROTOCOL
my-other-backend-service            SSL
```

Point the SSL proxy at the new backend.

```
gcloud compute target-ssl-proxies update my-ssl-lb-target-proxy \
    --backend-service=my-other-backend-service
```

```
Updated [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/targetSslProxies/my-ssl-lb-target-proxy].
```

This backend service has no instances, so if you try to use the proxy right now, you won't get your web pages. To continue testing the original configuration, point your SSL proxy back at the first backend service.

```
gcloud compute target-ssl-proxies update my-ssl-lb-target-proxy \
    --backend-service=my-ssl-lb
```

```
Updated [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/targetSslProxies/my-ssl-lb-target-proxy].
```
Update the SSL certificate resource for the target SSL proxy
Use this command to replace the SSL certificate on the SSL proxy. You must already have created any additional SSL certificate resources that you will need.
Console
Go to the Load balancing page in the Google Cloud Console.
Click Edit next to your load balancer.
Click Frontend configuration.
In the Certificate drop-down menu, select the new certificate.
Click Add certificate if you need to add more certificates.
Click Done.
gcloud
You can configure the documented number of SSL certificates per target SSL proxy.
```
gcloud compute target-ssl-proxies set-ssl-certificates [PROXY_NAME] \
    --ssl-certificates=[SSL_CERT_1][,[SSL_CERT_2],...]
```

```
Updated [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/targetSslProxies/my-ssl-lb-target-proxy].
```
Additional configuration options
This section expands on the configuration example to provide alternative and additional configuration options. All of the tasks are optional. You can perform them in any order.
Set PROXY protocol for retaining client connection information
Google Cloud Load Balancing with SSL proxy terminates SSL connections from the client and creates new connections to the instances. Therefore, the original client IP and port information is not preserved by default.
To preserve and send the original connection information to your instances, enable PROXY protocol (version 1) on the load balancer's frontend. This protocol sends an additional header that contains the source IP address, destination IP address, and port numbers to the instance as a part of the request.
You can also set the PROXY protocol for TCP and SSL health checks.
Make sure that the SSL proxy load balancer's backend instances are running HTTP(S) servers that support PROXY protocol headers. If the HTTP(S) servers are not configured to support PROXY protocol headers, the backend instances return empty responses.
The PROXY protocol header is typically a single line of user-readable text with the following format:
```
PROXY TCP4 <client IP> <load balancing IP> <source port> <dest port>\r\n
```

In this example, the client IP address is 192.0.2.1, the load balancing IP address is 198.51.100.1, the client port is 15221, and the destination port is 443:

```
PROXY TCP4 192.0.2.1 198.51.100.1 15221 443\r\n
```

When the client IP address is not known, the load balancer generates a PROXY protocol header in the following format:

```
PROXY UNKNOWN\r\n
```
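The following is an added example, not code from the page or from Google, of how a backend might consume the header described above. It parses both the `PROXY TCP4/TCP6 ...` form and the `PROXY UNKNOWN` form, rejects malformed lines, and uses the header's client address only when the TCP peer is inside the load balancer source ranges the page gives for the firewall rule (130.211.0.0/22 and 35.191.0.0/16); a direct connection from anywhere else keeps its real peer address. The sample bytes and the trust rule are constructed for this example; the 107-byte limit is the PROXY protocol v1 maximum line length.

```python
import ipaddress

# Source ranges the page lists for load balancer and health-check traffic;
# a PROXY header is trusted only when the TCP peer is inside one of them.
LB_SOURCE_RANGES = (
    ipaddress.ip_network("130.211.0.0/22"),
    ipaddress.ip_network("35.191.0.0/16"),
)

# A PROXY protocol v1 line is at most 107 bytes including the trailing CRLF.
PROXY_V1_MAX_LEN = 107


def peer_is_load_balancer(peer_ip):
    """True when the connection's TCP peer is in a load balancer / health-check range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in LB_SOURCE_RANGES)


def parse_proxy_v1(data):
    """Split a PROXY protocol v1 header off the first bytes of a connection.

    Returns (header, rest): header is a dict (family, src_ip, dst_ip, src_port,
    dst_port) or None for 'PROXY UNKNOWN'; rest is the payload after the CRLF.
    Raises ValueError for anything that is not a well-formed v1 header.
    """
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > PROXY_V1_MAX_LEN:
        raise ValueError("no CRLF-terminated PROXY line within 107 bytes")
    try:
        line = data[:end].decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("PROXY line is not ASCII") from exc
    rest = data[end + 2:]
    fields = line.split(" ")
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ValueError("missing PROXY signature")
    if fields[1] == "UNKNOWN":
        return None, rest  # client address not known; no addresses to use
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("unsupported family or wrong field count: %r" % line)
    family = fields[1]
    src_ip = ipaddress.ip_address(fields[2])  # ValueError on garbage
    dst_ip = ipaddress.ip_address(fields[3])
    want = 4 if family == "TCP4" else 6
    if src_ip.version != want or dst_ip.version != want:
        raise ValueError("addresses do not match family %s" % family)
    src_port, dst_port = int(fields[4]), int(fields[5])
    for port in (src_port, dst_port):
        if not 0 <= port <= 65535:
            raise ValueError("port out of range: %d" % port)
    header = {"family": family, "src_ip": str(src_ip), "dst_ip": str(dst_ip),
              "src_port": src_port, "dst_port": dst_port}
    return header, rest


def is_well_formed_proxy_v1(data):
    """Boolean wrapper around parse_proxy_v1 for quick checks."""
    try:
        parse_proxy_v1(data)
        return True
    except ValueError:
        return False


def client_address(peer_ip, first_bytes):
    """Address to log or rate-limit on, plus the bytes left for the application.

    The header's client IP is used only when the peer is the load balancer;
    from any other peer the bytes are passed through untouched, so a direct
    connection cannot substitute a client address by sending its own PROXY line.
    Returns (client_ip_or_None, remaining_bytes).
    """
    if not peer_is_load_balancer(peer_ip):
        return peer_ip, first_bytes
    header, rest = parse_proxy_v1(first_bytes)
    if header is None:
        return None, rest  # PROXY UNKNOWN: client address genuinely unknown
    return header["src_ip"], rest


# Constructed sample: the page's example header followed by the start of an
# HTTP request, as the backend would read it from the socket.
SAMPLE = b"PROXY TCP4 192.0.2.1 198.51.100.1 15221 443\r\nGET / HTTP/1.1\r\n"

if __name__ == "__main__":
    print(client_address("130.211.1.7", SAMPLE))
```

The same peer check is what makes a PROXY-aware backend safe to expose only behind the firewall rule from this guide: if tcp:443 were open to the world, any client could prepend its own header, which is why the address is accepted solely from the ranges the rule admits.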
Update PROXY protocol header for the proxy
Use this command to change the PROXY protocol header for an existing target SSL proxy.
Console
Go to the Load balancing page in the Google Cloud Console.
Click Edit for your load balancer.
Click Frontend configuration.
Change the value of the Proxy protocol field.
Click Update to save your changes.
gcloud
```
gcloud compute target-ssl-proxies update my-ssl-lb-target-proxy \
    --proxy-header=[NONE | PROXY_V1]
```
Enabling connection draining
You can enable connection draining on backend services to ensure minimal interruption to your users when an instance that is serving traffic is terminated, removed manually, or removed by an autoscaler. To learn more about connection draining, see the Enabling Connection Draining documentation.
Enabling session affinity
These procedures show you how to update a backend service for the example SSL proxy load balancer so that the backend service uses client IP affinity.
When client IP affinity is enabled, the load balancer directs a particular client's requests to the same backend VM based on a hash created from the client's IP address and the load balancer's IP address (the external IP address of an external forwarding rule).
Console
To enable client IP session affinity:
Go to the Load balancing page in the Google Cloud Console.
Click Backends.
Click my-ssl-lb (the name of the backend service you created for this example) and click Edit.
On the Backend service details page, click Advanced configuration.
Under Session affinity, select Client IP from the menu.
Click Update.
gcloud
Use the following gcloud command to update the my-ssl-lb backend service, specifying client IP session affinity:

```
gcloud compute backend-services update my-ssl-lb \
    --global \
    --session-affinity=CLIENT_IP
```
API
To set client IP session affinity, make a PATCH request to the backendServices/patch method.

```
PATCH https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/backendServices/my-ssl-lb
{
  "sessionAffinity": "CLIENT_IP"
}
```
Load balancer components
Health checking
Health checks determine which instances can receive new connections. You can configure a TCP, SSL, HTTP, or HTTPS health check for determining the health of your instances.
- If the service running on your backend instances is based on HTTP, use an HTTP health check.
- If the service running on your backend instances is based on HTTPS, use an HTTPS health check.
- If the service running on your backend instances uses SSL, use an SSL health check.
- Unless you have an explicit reason to use a different kind of health check, use a TCP health check.
Health check firewall rules
Health check probes to your instances come from addresses in the ranges 130.211.0.0/22 and 35.191.0.0/16. Your firewall rules must allow these connections on the relevant port. For instructions, see Create a firewall rule for the SSL load balancer.
See Health Checks for more information on health checks.
Backend service
A backend service resource provides configuration information to the load balancer, including the following.
- Backend services direct incoming traffic to one or more attached backends (depending on the load balancing mode, discussed later). Each backend consists of an instance group and additional configuration to balance traffic among the instances in the instance group. Each instance group is composed of one or more instances.
- Each backend service also specifies which health checks are performed for the instances in the instance groups added to the backend service.
- The duration of idle SSL proxy connections through the load balancer is limited by the backend service timeout.
When you configure a backend service, you must add instances and specify a balancing mode that determines how much traffic the load balancer can send to the instances. Once the limit is reached, additional requests are sent to the instance that is next closest to the user, if it has capacity.
SSL proxy supports the following balancing modes:
- UTILIZATION (default): instances can accept traffic if the backend utilization of the instance group is below a specified value. To set this value, use the --max-utilization parameter and pass a value between 0.0 (0%) and 1.0 (100%). Default is 0.8 (80%).
- CONNECTION: instances can accept traffic if the number of connections is below a specified value. This value can be one of the following:
  - --max-connections: the maximum number of connections across all of the backend instances in the instance group.
  - --max-connections-per-instance: the maximum number of connections a single instance can handle. Requests are forwarded if the average for the group does not exceed this number.
You can specify a --max-connections or --max-connections-per-instance even if you set balancing mode to UTILIZATION. If both --max-utilization and a connection parameter are specified, the group is considered at full utilization when either limit is reached.
For more information on the backend service resource, see Backend services overview.
SSL certificates
To use SSL Proxy Load Balancing, you must create at least one SSL certificate that can be used by the target proxy for the load balancer. You can configure the target proxy with up to fifteen SSL certificates.
These certificates can be self-managed or Google-managed.
If you are using self-managed SSL certificates and you don’t have a private key and signed certificate, you can create and use a self-signed certificate for testing purposes. For more information, see Creating a private key and certificate. Do not use a self-signed certificate for production purposes. If you are using multiple SSL certificates, you must create an SSL certificate resource for each certificate.
Forwarding rule
Create a forwarding rule to forward specific IP addresses and ports to the target SSL proxy. When customer traffic arrives at your external IP address, this forwarding rule tells the network to send that traffic to your SSL proxy.
See Forwarding rules for more information.
Recommendations
- You should configure the load balancer to prepend a PROXY protocol version 1 header if you need to retain the client connection information.
- If your traffic is HTTPS, then you should use HTTPS Load Balancing and not SSL Proxy Load Balancing.
Monitoring
For information on monitoring SSL Proxy Load Balancing, see TCP/SSL Proxy Monitoring.
Troubleshooting
Pages fail to load from load balancer IP
Verify the health of instances
Verify that the instances are HEALTHY.
gcloud compute backend-services get-health my-ssl-lb
---
backend: https://www.googleapis.com/resourceviews/v1/projects/[PROJECT_ID]/zones/us-central1-b/resourceViews/us-ig1
status:
  kind: compute#backendServiceGroupHealth
---
backend: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-east1-b/instanceGroups/us-ig2
status:
  kind: compute#backendServiceGroupHealth
Confirm that your firewall rule is correct
- The health checker and the load balancer both require that traffic be allowed from these IP address ranges: 130.211.0.0/22 and 35.191.0.0/16.
- If you are using SSL between the load balancer and the instances, use SSL health checks. Ensure that the firewall rule allows tcp:443 from the source IP address ranges 130.211.0.0/22 and 35.191.0.0/16.
- If you are using TCP between the load balancer and the instances, use TCP health checks. Ensure that the firewall rule allows tcp:80 from the source IP ranges 130.211.0.0/22 and 35.191.0.0/16.
- If you are using instance tags, make sure that the tag is listed under TARGET_TAGS in the firewall rule, and make sure that all of your instances have that tag. In this example, instances are tagged with ssl-lb.
gcloud compute firewall-rules list
NAME                     NETWORK  SRC_RANGES                    RULES    SRC_TAGS  TARGET_TAGS
allow-ssl-lb-and-health  default  130.211.0.0/22,35.191.0.0/16  tcp:443            ssl-lb
Try to reach individual instances
Temporarily set a firewall rule that allows you to access your instances individually, and then try to load a page from a specific instance.
Open the firewall to allow traffic from any source to the tagged instances. Do this by creating a source filter that sets the source IP range to 0.0.0.0/0 for HTTPS traffic to instances with the ssl-lb tag.
gcloud compute firewall-rules create allow-ssl-0-0-0-0 \
    --source-ranges=0.0.0.0/0 \
    --target-tags=ssl-lb \
    --allow=tcp:443
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/firewalls/allow-ssl-0-0-0-0].
NAME               NETWORK  SRC_RANGES  RULES    SRC_TAGS  TARGET_TAGS
allow-ssl-0-0-0-0  default  0.0.0.0/0   tcp:443            ssl-lb
Look up the EXTERNAL_IP address of one of the instances.
gcloud compute instances list
NAME              ZONE           MACHINE_TYPE   PREEMPTIBLE  INTERNAL_IP  EXTERNAL_IP  STATUS
ig-us-central1-1  us-central1-b  n1-standard-1               10.240.0.8   EXTERNAL_IP  RUNNING
ig-us-central1-2  us-central1-b  n1-standard-1               10.240.0.11  EXTERNAL_IP  RUNNING
ig-us-east1-1     us-east1-b     n1-standard-1               10.240.0.12  EXTERNAL_IP  RUNNING
ig-us-east1-2     us-east1-b     n1-standard-1               10.240.0.13  EXTERNAL_IP  RUNNING
Access one or more of your instances directly from your browser.
https://[EXTERNAL_IP]
If your instances are not accessible by this method, make sure that your software is running correctly. If it is, make sure that your load balancer firewall rule is correct.
gcloud compute firewall-rules describe allow-ssl-lb-and-health
allowed:
- IPProtocol: tcp
  ports:
  - '443'
creationTimestamp: '2016-02-20T22:27:15.094-08:00'
description: ''
id: '5304629236729177644'
kind: compute#firewall
name: allow-130-211-0-0-22-ssl
network: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/networks/default
selfLink: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/firewalls/allow-ssl-lb-and-health
sourceRanges:
- 130.211.0.0/22
- 35.191.0.0/16
targetTags:
- ssl-lb
When you're sure that the instances are working, remove the "from anywhere" firewall rule.
gcloud compute firewall-rules delete allow-ssl-0-0-0-0
The following firewalls will be deleted:
 - [allow-ssl-0-0-0-0]
Do you want to continue (Y/n)? y
Deleted [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/firewalls/allow-ssl-0-0-0-0].
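The troubleshooting steps above boil down to two checks on the firewall rule set: the health checker and proxy ranges 130.211.0.0/22 and 35.191.0.0/16 must be allowed on the health-check port to the tagged instances, and the temporary 0.0.0.0/0 rule must not be left behind once debugging is done. As an added example (not part of this page and not a gcloud feature), the following shell function runs both checks over a rule listing. The function name audit_firewall_rules and its four-column input layout (NAME SRC_RANGES RULES TARGET_TAGS, comma-separated lists, '-' for an empty column) are assumptions for this example; the sample rows are constructed to mirror the firewall-rules list output shown above, using this page's rule names, tag and ranges.

```shell
#!/bin/sh
# Added example: audit firewall rules for an SSL proxy load balancer's backends.
# The function name and the four-column input format are assumptions for this example.

# audit_firewall_rules [PORT_SPEC] [TARGET_TAG]
# Reads rules from stdin, one per line: NAME SRC_RANGES RULES TARGET_TAGS
# (comma-separated lists, '-' when empty). Exits 0 only if the rules allow
# PORT_SPEC from both 130.211.0.0/22 and 35.191.0.0/16 to TARGET_TAG and no
# rule allows PORT_SPEC from 0.0.0.0/0 to that tag. Defaults match this page's
# SSL health check (tcp:443) and instance tag (ssl-lb); pass tcp:80 for TCP checks.
audit_firewall_rules() {
  awk -v port="${1:-tcp:443}" -v tag="${2:-ssl-lb}" '
    # has(list, item): 1 if the comma-separated list contains item exactly.
    function has(list, item,    n, i, parts) {
      n = split(list, parts, ",")
      for (i = 1; i <= n; i++) if (parts[i] == item) return 1
      return 0
    }
    # Only rules that open the checked port to the tagged instances matter.
    NF == 4 && has($3, port) && has($4, tag) {
      if (has($2, "130.211.0.0/22")) r22 = 1
      if (has($2, "35.191.0.0/16"))  r16 = 1
      if (has($2, "0.0.0.0/0")) {
        open = 1
        print "WARNING: " $1 " still allows " port " from anywhere; delete it"
      }
    }
    END {
      if (r22 && r16)
        print "OK: " port " is allowed from 130.211.0.0/22 and 35.191.0.0/16 to tag " tag
      else
        print "MISSING: no rule allows " port " from both 130.211.0.0/22 and 35.191.0.0/16 to tag " tag
      exit (r22 && r16 && !open) ? 0 : 1
    }'
}

# Constructed sample: the guide's rule, the temporary "from anywhere" rule from
# the troubleshooting step, and an unrelated SSH rule that must not affect the result.
SAMPLE_RULES='allow-ssl-lb-and-health 130.211.0.0/22,35.191.0.0/16 tcp:443 ssl-lb
allow-ssl-0-0-0-0 0.0.0.0/0 tcp:443 ssl-lb
sample-allow-ssh 0.0.0.0/0 tcp:22 -'

# Audit before the temporary rule is deleted: returns 1 and warns.
audit_before_cleanup() {
  printf '%s\n' "$SAMPLE_RULES" | audit_firewall_rules tcp:443 ssl-lb
}

# Audit after the temporary rule is deleted: returns 0.
audit_after_cleanup() {
  printf '%s\n' "$SAMPLE_RULES" | grep -v '^allow-ssl-0-0-0-0 ' | audit_firewall_rules tcp:443 ssl-lb
}

# Usage: run the post-cleanup audit on the sample.
audit_after_cleanup
```

To run it against a real project, reduce the output of gcloud compute firewall-rules list to those four columns (with a --format projection of your choice) and pipe it into audit_firewall_rules; a non-zero exit from a scheduled run is a cheap signal that the debugging rule was never removed or that the health-check ranges were dropped.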
What's next
- See SSL Proxy Load Balancing overview for information about how SSL Proxy Load Balancing works.
- See TCP/SSL Proxy Monitoring for information on how monitoring works for SSL Proxy Load Balancing.
- See SSL Policy overview for information on how SSL policies work.
- See Using SSL policies for information on configuring SSL policies.