Target proxies are referenced by one or more forwarding rules. Target proxies terminate connections from the client and creates new connections to the backends.
You can create a target proxy for the following load balancers:
- Global external HTTP(S) load balancer
- Global external HTTP(S) load balancer (classic)
- Regional external HTTP(S) load balancer
- Internal HTTP(S) load balancer
- External SSL proxy load balancer
- External TCP proxy load balancer
- Internal regional TCP proxy load balancer
In the case of external HTTP(S) load balancers and internal HTTP(S) load balancers, proxies route incoming requests to a URL map.
In the case of external SSL proxy load balancers, external TCP proxy load balancers and internal regional TCP proxy load balancers, target proxies route incoming requests directly to backend services.
Create a target proxy
The following sections show you how to create a target proxy for the different load balancers.
For global external HTTP(S) load balancer
The global external HTTP(S) load balancer only supports Premium Tier and uses a global target HTTP(S) proxy. While the global external HTTP(S) load balancer (classic) can be deployed in Premium or Standard Tier, it requires a global target proxy irrespective of the Network Service Tiers. In Standard Tier, a regional forwarding rule points to a global target proxy.
To create a global target HTTP(S) proxy, perform the following steps:
Console: HTTP(S)
You can create a global target HTTP(S) proxy by using the Google Cloud console when you're creating or updating a load balancer as shown in Configuring the load balancing resources.
gcloud: HTTP
gcloud compute target-http-proxies create HTTP_PROXY_NAME \ --global \ --url-map URL_MAP \ --global-url-map \ [--description DESCRIPTION]
gcloud: HTTPS
Before you run this command, you must create an SSL certificate resource for each certificate.
gcloud compute target-https-proxies create HTTPS_PROXY_NAME \ --global \ --url-map URL_MAP \ --global-url-map \ --ssl-certificates SSL_CERT_1[,SSL_CERT_2,...] \ --global-ssl-certificates \ [--ssl-policy POLICY_NAME] \ [--quic-override=ENABLE|DISABLE|NONE]
API: HTTP
POST https://www.googleapis.com/v1/compute/projects/PROJECT_ID/global/targetHttpProxies { "name": HTTP_PROXY_NAME, "urlMap": /projects/PROJECT_ID/global/urlMaps/URL_MAP_NAME }
API: HTTPS
POST https://www.googleapis.com/v1/compute/projects/PROJECT_ID/global/targetHttpsProxies { "name": HTTPS_PROXY_NAME, "urlMap": /projects/PROJECT_ID/global/urlMaps/URL_MAP_NAME, "sslCertificates": /projects/PROJECT_ID/global/sslCertificates/SSL_CERT_NAME }
For regional external HTTP(S) load balancer and internal HTTP(S) load balancer
For regional external HTTP(S) load balancers and internal HTTP(S) load balancers, a regional target proxy is required.
To create a regional target HTTP(S) proxy, perform the following steps:
Console
You can create a regional target HTTP(S) proxy by using the Google Cloud console when you're creating or updating a load balancer as shown in Setting up internal HTTP(S) load balancer or Setting up regional external HTTP(S) load balancer.
gcloud: HTTP
gcloud compute target-http-proxies create HTTP_PROXY_NAME \ --url-map URL_MAP \ --url-map-region REGION \ --region REGION \ [--description DESCRIPTION]
gcloud: HTTPS
Before you run this command, you must create an SSL certificate resource for each certificate.
gcloud compute target-https-proxies create HTTPS_PROXY_NAME \ --url-map URL_MAP \ --url-map-region REGION \ --region REGION \ --ssl-certificates SSL_CERT_NAME \ --ssl-certificates-region REGION
API: HTTP
POST https://www.googleapis.com/v1/compute/projects/PROJECT_ID/regions/REGION/targetHttpProxies { "name": HTTP_PROXY_NAME, "urlMap": /projects/PROJECT_ID/regions/REGION/urlMaps/URL_MAP_NAME, "region": REGION }
API: HTTPS
POST https://www.googleapis.com/v1/compute/projects/PROJECT_ID/region/REGION/targetHttpsProxies { "name": HTTPS_PROXY_NAME, "urlMap": /projects/PROJECT_ID/regions/REGION/urlMaps/URL_MAP_NAME, "region": REGION "sslCertificates": /projects/PROJECT_ID/regions/REGION/sslCertificates/SSL_CERT_NAME }
For an external SSL proxy load balancer
For external SSL proxy load balancers, a global target proxy is required in both Standard and Premium Tier. This means that, in Standard Tier, a regional forwarding rule points to a global target proxy.
To create a global target SSL proxy, perform the following steps:
Console
You can create a global target SSL proxy by using the Google Cloud console when you're creating or updating a load balancer as shown in Setting up external SSL proxy load balancer.
gcloud
Before you run this command, you must create an SSL certificate resource for each certificate.
gcloud compute target-ssl-proxies create SSL_PROXY_NAME \ --backend-service BACKEND_SERVICE \ --ssl-certificates SSL_CERT_1[,SSL_CERT_2,...] \ [--ssl-policy POLICY_NAME] \ [--quic-override=ENABLE|DISABLE|NONE] \ [--proxy-header=(NONE | PROXY_V1)]
API
POST https://www.googleapis.com/v1/compute/projects/PROJECT_ID/global/targetSslProxies { "name": SSL_PROXY_NAME, "proxyHeader": ("NONE" | "PROXY_V1"), "service": "projects/PROJECT/global/backendServices/BACKEND_SERVICE" "sslCertificates": /projects/PROJECT_ID/global/sslCertificates/SSL_CERT_NAME }
For an external TCP proxy load balancer
To create a global target TCP proxy, perform the following steps:
Console
You can create a global target TCP proxy by using the Google Cloud console when you're creating or updating a load balancer as shown in Setting up external TCP proxy load balancer.
gcloud
gcloud compute target-tcp-proxies create TCP_PROXY_NAME \ --backend-service BACKEND_SERVICE \ --proxy-header=(NONE | PROXY_V1)
API
POST https://www.googleapis.com/v1/compute/projects/PROJECT_ID/global/targetTcpProxies { "name": TCP_PROXY_NAME, "proxyHeader": ("NONE" | "PROXY_V1"), "service": "projects/PROJECT/global/backendServices/BACKEND_SERVICE" }
For an internal regional TCP proxy load balancer
To create a regional target TCP proxy, perform the following steps:
Console
You can create a regional target TCP proxy by using the Google Cloud console when you're creating or updating a load balancer as shown in Setting up internal regional TCP proxy load balancer.
gcloud
gcloud compute target-tcp-proxies create TCP_PROXY_NAME \ --backend-service BACKEND_SERVICE \ --region REGION \ --proxy-header=(NONE | PROXY_V1)
API
POST https://www.googleapis.com/v1/compute/projects/PROJECT_ID/regions/REGION/targetTcpProxies { "name": TCP_PROXY_NAME, "proxyHeader": ("NONE" | "PROXY_V1"), "region": REGION, "service": "projects/PROJECT/regions/REGION/backendServices/BACKEND_SERVICE" }
Listing target proxies
To list target proxies, perform the following steps.
For global external HTTP(S) load balancer
Console
In the Google Cloud console, go to the Target Proxies page.
gcloud: HTTP
gcloud compute target-http-proxies list --global
gcloud: HTTPS
gcloud compute target-https-proxies list --global
API: HTTP
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpProxies
API: HTTPS
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpsProxies
For regional external HTTP(S) load balancer and internal HTTP(S) load balancer
Console
In the Google Cloud console, go to the Target Proxies page.
gcloud: HTTP
gcloud compute target-http-proxies list \ --filter="region:(COMMA_DELIMITED_LIST_OF_REGIONS)"
gcloud: HTTPS
gcloud compute target-https-proxies list \ --filter="region:(COMMA_DELIMITED_LIST_OF_REGIONS)"
API: HTTP
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpProxies
API: HTTPS
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpsProxies
For an external SSL proxy load balancer
Console
In the Google Cloud console, go to the Target Proxies page.
gcloud
gcloud compute target-ssl-proxies list
API
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetSslProxies
For an external TCP proxy load balancer
Console
In the Google Cloud console, go to the Target Proxies page.
gcloud
gcloud compute target-tcp-proxies list
API
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetTcpProxies
For an internal regional TCP proxy load balancer
Console
You can't use the Google Cloud console to create or maintain the internal regional TCP proxy load balancer. Use the gcloud CLI or the REST API instead.
gcloud
gcloud compute target-tcp-proxies list \ --filter="region:(COMMA_DELIMITED_LIST_OF_REGIONS)"
API
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetTcpProxies
Getting information about a target proxy
To get information about a single target HTTP or HTTPS proxy, perform the following steps.
For global external HTTP(S) load balancer
Console
In the Google Cloud console, go to the Target Proxies page.
Select a Name.
View the Target proxy details page. To return to the Load balancing page, click the left-facing arrow at the top of the page.
gcloud: HTTP
gcloud compute target-http-proxies describe HTTP_PROXY_NAME \ --global
gcloud: HTTPS
gcloud compute target-https-proxies describe HTTPS_PROXY_NAME \ --global
API: HTTP
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpProxies/HTTP_PROXY_NAME
API: HTTPS
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpsProxies/HTTPS_PROXY_NAME
For regional external HTTP(S) load balancer and internal HTTP(S) load balancer
Console
In the Google Cloud console, go to the Target Proxies page.
Select a Name.
View the Target proxy details page. To return to the Load balancing page, click the left-facing arrow at the top of the page.
gcloud: HTTP
gcloud compute target-http-proxies describe HTTP_PROXY_NAME \ --region=REGION
gcloud: HTTPS
gcloud compute target-https-proxies describe HTTPS_PROXY_NAME \ --region=REGION
API: HTTP
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpProxies/HTTP_PROXY_NAME
API: HTTPS
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpsProxies/HTTPS_PROXY_NAME
For an external SSL proxy load balancer
Console
In the Google Cloud console, go to the Target Proxies page.
Select a Name.
View the Target proxy details page. To return to the Load balancing page, click the left-facing arrow at the top of the page.
gcloud
gcloud compute target-ssl-proxies describe SSL_PROXY_NAME
API
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetSslProxies/SSL_PROXY_NAME
For an external TCP proxy load balancer
Console
In the Google Cloud console, go to the Target Proxies page.
Select a Name.
View the Target proxy details page. To return to the Load balancing page, click the left-facing arrow at the top of the page.
gcloud
gcloud compute target-tcp-proxies describe TCP_PROXY_NAME
API
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetTcpProxies/TCP_PROXY_NAME
For an internal regional TCP proxy load balancer
Console
You can't use the Google Cloud console to create or maintain the internal regional TCP proxy load balancer. Use the gcloud CLI or the REST API instead.
gcloud
gcloud compute target-tcp-proxies describe TCP_PROXY_NAME \ --region=REGION
API
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetTcpProxies/TCP_PROXY_NAME
Updating the target proxy to point to a different URL map
To update the target proxy to point to a different URL map, perform the following steps.
For global external HTTP(S) load balancer
To update the URL map associated with a target proxy, perform the following steps:
Console
HTTP(S) proxies can't be edited in the Google Cloud console. You can edit the target proxy by using the gcloud CLI or the API.
gcloud: HTTP
gcloud compute target-http-proxies update HTTP_PROXY_NAME \ --url-map URL_MAP \ --global \ --global-url-map
gcloud: HTTPS
gcloud compute target-https-proxies update HTTPS_PROXY_NAME \ --url-map URL_MAP \ --global \ --global-url-map
API: HTTP
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpProxies/HTTP_PROXY_NAME/setUrlMap { "urlMap": /projects/PROJECT_ID/global/urlMaps/URL_MAP_NAME }
API: HTTPS
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpsProxies/HTTPS_PROXY_NAME/setUrlMap { "urlMap": "urlMap": /projects/PROJECT_ID/global/urlMaps/URL_MAP_NAME }
For regional external HTTP(S) load balancer and internal HTTP(S) load balancer
To update the URL map associated with a target proxy, perform the following steps:
Console
HTTP(S) proxies can't be edited in the Google Cloud console. You can edit the target proxy by using the gcloud CLI or the API.
gcloud: HTTP
gcloud compute target-http-proxies update HTTP_PROXY_NAME \ --url-map URL_MAP \ --region=REGION \ --url-map-region=REGION
gcloud: HTTPS
gcloud compute target-https-proxies update HTTPS_PROXY_NAME \ --url-map URL_MAP \ --region=REGION \ --url-map-region=REGION
API: HTTP
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpProxies/HTTP_PROXY_NAME/setUrlMap { "urlMap": /projects/PROJECT_ID/regions/REGIONurlMaps/URL_MAP_NAME }
API: HTTPS
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpsProxies/HTTPS_PROXY_NAME/setUrlMap { "urlMap": /projects/PROJECT_ID/regions/REGION/urlMaps/URL_MAP_NAME }
Updating the SSL certificate resource for the target HTTPS proxy
Use this procedure to replace the SSL certificate on the HTTPS proxy. You must already have created any additional SSL certificate resources that you need.
Console
In the Google Cloud console, go to the Load balancing page.
Click Edit
next to your load balancer.Click Frontend configuration.
In the Certificate drop-down menu, select the new certificate.
Click
Add certificate
if you need to add more certificates.Click Done.
gcloud
You can configure the documented number of SSL certificates per target HTTPS proxy.
gcloud compute target-https-proxies update PROXY_NAME \ --ssl-certificates=SSL_CERT_1,SSL_CERT_2,...
API: HTTPS
You can use the following API call to replace the SSL certificate for the HTTPS Proxy.
POST [https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/targetHttpsProxies/HTTPS_PROXY_NAME/setSslCertificates]
The request body contains data with the following structure:
{ "sslCertificates": [ "SSL_CERT_URL" ] }
Replace the following:
PROJECT_ID
: Project ID for this requestHTTPS_PROXY_NAME
: Name of the Target HTTPS Proxy resource for which the SSL certificate resource is being updatedSSL_CERT_URL
: Server-defined URL (selfLink
) for the SSL certificate resource
Deleting a target proxy
To delete a target proxy, you must first delete any forwarding rules that reference it.
To delete a target proxy, perform the following steps.
For global external HTTP(S) load balancer
Console
In the Google Cloud console, go to the Target Proxies page.
Select Target proxies.
Click the checkbox for the Name to delete.
Click
Delete.
gcloud: HTTP
gcloud compute target-http-proxies delete HTTP_PROXY_NAME \ --global
gcloud: HTTPS
gcloud compute target-https-proxies delete HTTPS_PROXY_NAME \ --global
API: HTTP
DELETE https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpProxies/HTTP_PROXY_NAME
API: HTTPS
DELETE https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpsProxies/HTTPS_PROXY_NAME
For regional external HTTP(S) load balancer and internal HTTP(S) load balancer
Console
In the Google Cloud console, go to the Target Proxies page.
Select Target proxies.
Click the checkbox for the Name to delete.
Click
Delete.
gcloud: HTTP
gcloud compute target-http-proxies delete HTTP_PROXY_NAME \ --region=REGION
gcloud: HTTPS
gcloud compute target-https-proxies delete HTTPS_PROXY_NAME \ --region=REGION
API: HTTP
DELETE https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpProxies/HTTP_PROXY_NAME
API: HTTPS
DELETE https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpsProxies/HTTPS_PROXY_NAME
For an external SSL proxy load balancer
Console
In the Google Cloud console, go to the Target Proxies page.
Select Target proxies.
Click the checkbox for the Name to delete.
Click
Delete.
gcloud
gcloud compute target-ssl-proxies delete SSL_PROXY_NAME
API
DELETE https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetSslProxies/SSL_PROXY_NAME
For an external TCP proxy load balancer
Console
In the Google Cloud console, go to the Target Proxies page.
Select Target proxies.
Click the checkbox for the Name to delete.
Click
Delete.
gcloud
gcloud compute target-tcp-proxies delete TCP_PROXY_NAME
API
DELETE https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetTcpProxies/TCP_PROXY_NAME
For a internal regional TCP proxy load balancer
Console
In the Google Cloud console, go to the Target Proxies page.
Select Target proxies.
Click the checkbox for the Name to delete.
Click
Delete.
gcloud
gcloud compute target-tcp-proxies delete TCP_PROXY_NAME \ --region=REGION
API
DELETE https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetTcpProxies/TCP_PROXY_NAME
Updating the QUIC protocol setting
Target HTTPS proxies support the use of the QUIC transport
protocol with the optional flag --quic-override
.
Console: HTTPS
You can use the Google Cloud console to configure the QUIC setting when you're setting up a new load balancer, as shown in Configuring the load balancing resources.
gcloud: HTTPS
Before you run this command, you must create an SSL certificate resource for each certificate.
gcloud compute target-https-proxies create HTTPS_PROXY_NAME \ --global \ --quic-override=QUIC_SETTING
where QUIC_SETTING is one of the following:
NONE
(Default) Allows Google to control when QUIC is negotiated. Currently, when you selectNONE
, QUIC is disabled. By selecting this option, you are allowing Google to automatically enable QUIC negotiations and HTTP/3 in the future for this load balancer. In the Google Cloud console, this option is called Automatic (Default).ENABLED
Allows the load balancer to negotiate QUIC with clients.DISABLED
Prevents the load balancer from negotiating QUIC with clients.
API: HTTPS
POST https://www.googleapis.com/v1/compute/projects/PROJECT_ID/global/targetHttpsProxies/TARGET_PROXY_NAME/setQuicOverride { "quicOverride": QUIC_SETTING }
where QUIC_SETTING is one of the following:
NONE
(Default) Allows Google to control when QUIC is negotiated. Currently, when you selectNONE
, QUIC is disabled. By selecting this option, you are allowing Google to automatically enable QUIC negotiations and HTTP/3 in the future for this load balancer. In the Google Cloud console, this option is called Automatic (Default).ENABLED
Allows the load balancer to negotiate QUIC with clients.DISABLED
Prevents the load balancer from negotiating QUIC with clients.
API and gcloud
reference
For descriptions of the properties and methods available to you when working with target proxies through the REST API, see the following pages:
- Global target HTTP proxies
- Global target HTTPS proxies
- Regional target HTTP proxies
- Regional target HTTPS proxies
- Regional target TCP proxies
- Global target SSL proxies
- Global target TCP proxies
For descriptions of the properties and methods available to you when working with target proxies through the Google Cloud CLI, see the following pages:
- Global target HTTP proxies (with
--global
flag) - Regional target HTTP proxies (with
--region
flag) - Global target HTTPS proxies (with
--global
flag) - Regional target HTTPS proxies (with
--region
flag) - Regional target TCP proxies (with
--region
flag) - Global target SSL proxies
- Global target TCP proxies
What's next
- For more information about the QUIC transport protocol, see QUIC protocol support for HTTPS load balancing.
- To update the SSL certificate that your target proxy points to, see: