Use target proxies

Target proxies terminate incoming connections from clients and create new connections from the load balancer to the backends. Target proxies are referenced by one or more forwarding rules.

You can create a target proxy for the following load balancers:

Global external Application Load Balancer
Classic Application Load Balancer
Regional external Application Load Balancer
Cross-region internal Application Load Balancer
Regional internal Application Load Balancer
Global external proxy Network Load Balancer
Regional external proxy Network Load Balancer
Regional internal proxy Network Load Balancer

In the case of external Application Load Balancers and internal Application Load Balancers, proxies route incoming requests to a URL map.

In the case of external proxy Network Load Balancers and regional internal proxy Network Load Balancers, target proxies route incoming requests directly to backend services.

Create a target proxy

The following sections show you how to create a target proxy for the different load balancers.

For global external Application Load Balancers and cross-region internal Application Load Balancers

The global external Application Load Balancers and the cross-region internal Application Load Balancers always use a global target HTTP(S) proxy. The classic Application Load Balancer also requires a global target proxy. Even if the classic Application Load Balancer is deployed in Standard Tier, its regional forwarding rule must point to a global target proxy.

To create a global target HTTP(S) proxy, perform the following steps:

Console: HTTP(S)

You can create a global target HTTP(S) proxy by using the Google Cloud console when you're creating or updating a load balancer as shown in Configuring the load balancing resources.

gcloud: HTTP

gcloud compute target-http-proxies create HTTP_PROXY_NAME \
  --global \
  --url-map URL_MAP \
  --global-url-map \
  [--description DESCRIPTION]

gcloud: HTTPS

Before you run this command, you must create an SSL certificate resource for each certificate.

 gcloud compute target-https-proxies create HTTPS_PROXY_NAME \
   --global \
   --url-map URL_MAP \
   --global-url-map \
   --ssl-certificates SSL_CERT_1[,SSL_CERT_2,...] \
   --global-ssl-certificates \
   [--ssl-policy POLICY_NAME] \
   [--quic-override=ENABLE|DISABLE|NONE]

API: HTTP

POST https://www.googleapis.com/v1/compute/projects/PROJECT_ID/global/targetHttpProxies

{
  "name": HTTP_PROXY_NAME,
  "urlMap": /projects/PROJECT_ID/global/urlMaps/URL_MAP_NAME
}

API: HTTPS

POST https://www.googleapis.com/v1/compute/projects/PROJECT_ID/global/targetHttpsProxies

{
  "name": HTTPS_PROXY_NAME,
  "urlMap": /projects/PROJECT_ID/global/urlMaps/URL_MAP_NAME,
  "sslCertificates": /projects/PROJECT_ID/global/sslCertificates/SSL_CERT_NAME
}

For regional external Application Load Balancers and internal Application Load Balancers

For regional external Application Load Balancers and internal Application Load Balancers, a regional target proxy is required.

To create a regional target HTTP(S) proxy, perform the following steps:

Console

You can create a regional target HTTP(S) proxy by using the Google Cloud console when you're creating or updating a load balancer as shown in Setting up internal Application Load Balancer or Setting up regional external Application Load Balancer.

gcloud: HTTP

gcloud compute target-http-proxies create HTTP_PROXY_NAME \
    --url-map URL_MAP \
    --url-map-region REGION \
    --region REGION \
    [--description DESCRIPTION]

gcloud: HTTPS

Before you run this command, you must create an SSL certificate resource for each certificate.

 gcloud compute target-https-proxies create HTTPS_PROXY_NAME \
     --url-map URL_MAP \
     --url-map-region REGION \
     --region REGION \
     --ssl-certificates SSL_CERT_NAME \
     --ssl-certificates-region REGION

API: HTTP

POST https://www.googleapis.com/v1/compute/projects/PROJECT_ID/regions/REGION/targetHttpProxies

{
  "name": HTTP_PROXY_NAME,
  "urlMap": /projects/PROJECT_ID/regions/REGION/urlMaps/URL_MAP_NAME,
  "region": REGION
}

API: HTTPS

POST https://www.googleapis.com/v1/compute/projects/PROJECT_ID/region/REGION/targetHttpsProxies

{
  "name": HTTPS_PROXY_NAME,
  "urlMap": /projects/PROJECT_ID/regions/REGION/urlMaps/URL_MAP_NAME,
  "region": REGION
  "sslCertificates": /projects/PROJECT_ID/regions/REGION/sslCertificates/SSL_CERT_NAME
}

For global external proxy Network Load Balancers with an SSL proxy

For external proxy Network Load Balancers, a global target proxy is required in both Standard and Premium Tier. This means that, in Standard Tier, a regional forwarding rule points to a global target proxy.

To create a global target SSL proxy, perform the following steps:

Console

You can create a global target SSL proxy by using the Google Cloud console when you're creating or updating a load balancer.

gcloud

Before you run this command, you must create an SSL certificate resource for each certificate.

 gcloud compute target-ssl-proxies create SSL_PROXY_NAME \
   --backend-service BACKEND_SERVICE \
   --ssl-certificates SSL_CERT_1[,SSL_CERT_2,...] \
   [--ssl-policy POLICY_NAME] \
   [--quic-override=ENABLE|DISABLE|NONE] \
   [--proxy-header=(NONE | PROXY_V1)]

API

POST https://www.googleapis.com/v1/compute/projects/PROJECT_ID/global/targetSslProxies

{
  "name": SSL_PROXY_NAME,
  "proxyHeader": ("NONE" | "PROXY_V1"),
  "service": "projects/PROJECT/global/backendServices/BACKEND_SERVICE"
  "sslCertificates": /projects/PROJECT_ID/global/sslCertificates/SSL_CERT_NAME
}

For global external proxy Network Load Balancers with a TCP proxy

To create a global target TCP proxy, perform the following steps:

Console

You can create a global target TCP proxy by using the Google Cloud console when you're creating or updating a load balancer as shown in Setting up external proxy Network Load Balancer.

gcloud

 gcloud compute target-tcp-proxies create TCP_PROXY_NAME \
   --backend-service BACKEND_SERVICE \
   --proxy-header=(NONE | PROXY_V1)

API

POST https://www.googleapis.com/v1/compute/projects/PROJECT_ID/global/targetTcpProxies

{
  "name": TCP_PROXY_NAME,
  "proxyHeader": ("NONE" | "PROXY_V1"),
  "service": "projects/PROJECT/global/backendServices/BACKEND_SERVICE"
}

For regional external proxy Network Load Balancers and regional internal proxy Network Load Balancers

To create a regional target TCP proxy, perform the following steps:

Console

You can create a regional target TCP proxy by using the Google Cloud console when you're creating or updating a load balancer as shown in Set up a regional internal proxy Network Load Balancer.

gcloud

 gcloud compute target-tcp-proxies create TCP_PROXY_NAME \
   --backend-service BACKEND_SERVICE \
   --region REGION \
   --proxy-header=(NONE | PROXY_V1)

API

POST https://www.googleapis.com/v1/compute/projects/PROJECT_ID/regions/REGION/targetTcpProxies

{
  "name": TCP_PROXY_NAME,
  "proxyHeader": ("NONE" | "PROXY_V1"),
  "region": REGION,
  "service": "projects/PROJECT/regions/REGION/backendServices/BACKEND_SERVICE"
}

List target proxies

To list target proxies, perform the following steps.

For global external Application Load Balancers and cross-region internal Application Load Balancers

Console

In the Google Cloud console, go to the Target proxies page.

Go to Target proxies

gcloud: HTTP

gcloud compute target-http-proxies list --global

gcloud: HTTPS

gcloud compute target-https-proxies list --global

API: HTTP

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpProxies

API: HTTPS

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpsProxies

For regional external Application Load Balancers and internal Application Load Balancers

Console

In the Google Cloud console, go to the Target proxies page.

Go to Target proxies

gcloud: HTTP

gcloud compute target-http-proxies list \
    --filter="region:(COMMA_DELIMITED_LIST_OF_REGIONS)"

gcloud: HTTPS

gcloud compute target-https-proxies list \
   --filter="region:(COMMA_DELIMITED_LIST_OF_REGIONS)"

API: HTTP

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpProxies

API: HTTPS

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpsProxies

For global external proxy Network Load Balancers with an SSL proxy

Console

In the Google Cloud console, go to the Target proxies page.

Go to Target proxies

gcloud

gcloud compute target-ssl-proxies list

API

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetSslProxies

For global external proxy Network Load Balancers with a TCP proxy

Console

In the Google Cloud console, go to the Target proxies page.

Go to Target proxies

gcloud

gcloud compute target-tcp-proxies list

API

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetTcpProxies

For regional external proxy Network Load Balancers and regional internal proxy Network Load Balancers

Console

In the Google Cloud console, go to the Target proxies page.

Go to Target proxies

gcloud

gcloud compute target-tcp-proxies list \
    --filter="region:(COMMA_DELIMITED_LIST_OF_REGIONS)"

API

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetTcpProxies

Get information about a target proxy

To get information about a single target HTTP or HTTPS proxy, perform the following steps.

For global external Application Load Balancers and cross-region internal Application Load Balancers

Console

In the Google Cloud console, go to the Target proxies page.

Go to Target proxies
Select a Name.
View the Target proxy details page. To return to the Load balancing page, click the left-facing arrow at the top of the page.

gcloud: HTTP

gcloud compute target-http-proxies describe HTTP_PROXY_NAME \
   --global

gcloud: HTTPS

gcloud compute target-https-proxies describe HTTPS_PROXY_NAME \
   --global

API: HTTP

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpProxies/HTTP_PROXY_NAME

API: HTTPS

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpsProxies/HTTPS_PROXY_NAME

For regional external Application Load Balancers and internal Application Load Balancers

Console

In the Google Cloud console, go to the Target proxies page.

Go to Target proxies
Select a Name.
View the Target proxy details page. To return to the Load balancing page, click the left-facing arrow at the top of the page.

gcloud: HTTP

gcloud compute target-http-proxies describe HTTP_PROXY_NAME \
   --region=REGION

gcloud: HTTPS

gcloud compute target-https-proxies describe HTTPS_PROXY_NAME \
   --region=REGION

API: HTTP

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpProxies/HTTP_PROXY_NAME

API: HTTPS

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpsProxies/HTTPS_PROXY_NAME

For global external proxy Network Load Balancers with an SSL proxy

Console

In the Google Cloud console, go to the Target proxies page.

Go to Target proxies
Select a Name.
View the Target proxy details page. To return to the Load balancing page, click the left-facing arrow at the top of the page.

gcloud

gcloud compute target-ssl-proxies describe SSL_PROXY_NAME

API

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetSslProxies/SSL_PROXY_NAME

For global external proxy Network Load Balancers with a TCP proxy

Console

In the Google Cloud console, go to the Target proxies page.

Go to Target proxies
Select a Name.
View the Target proxy details page. To return to the Load balancing page, click the left-facing arrow at the top of the page.

gcloud

gcloud compute target-tcp-proxies describe TCP_PROXY_NAME

API

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetTcpProxies/TCP_PROXY_NAME

For regional external proxy Network Load Balancers and regional internal proxy Network Load Balancers

Console

In the Google Cloud console, go to the Target proxies page.

Go to Target proxies
Select a Name.
View the Target proxy details page.

gcloud

gcloud compute target-tcp-proxies describe TCP_PROXY_NAME \
    --region=REGION

API

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetTcpProxies/TCP_PROXY_NAME

Update the target proxy to point to a different URL map

To update the target proxy to point to a different URL map, perform the following steps.

For global external Application Load Balancers and cross-region internal Application Load Balancers

To update the URL map associated with a target proxy, perform the following steps:

Console

HTTP(S) proxies can't be edited in the Google Cloud console. You can edit the target proxy by using the gcloud CLI or the API.

gcloud: HTTP

gcloud compute target-http-proxies update HTTP_PROXY_NAME \
    --url-map URL_MAP \
    --global \
    --global-url-map

gcloud: HTTPS

gcloud compute target-https-proxies update HTTPS_PROXY_NAME \
    --url-map URL_MAP \
    --global \
    --global-url-map

API: HTTP

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpProxies/HTTP_PROXY_NAME/setUrlMap

{
  "urlMap": /projects/PROJECT_ID/global/urlMaps/URL_MAP_NAME
}

API: HTTPS

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpsProxies/HTTPS_PROXY_NAME/setUrlMap

{
  "urlMap": "urlMap": /projects/PROJECT_ID/global/urlMaps/URL_MAP_NAME
}

For regional external Application Load Balancers and internal Application Load Balancers

To update the URL map associated with a target proxy, perform the following steps:

Console

HTTP(S) proxies can't be edited in the Google Cloud console. You can edit the target proxy by using the gcloud CLI or the API.

gcloud: HTTP

gcloud compute target-http-proxies update HTTP_PROXY_NAME \
    --url-map URL_MAP \
    --region=REGION \
    --url-map-region=REGION

gcloud: HTTPS

gcloud compute target-https-proxies update HTTPS_PROXY_NAME \
    --url-map URL_MAP \
    --region=REGION \
    --url-map-region=REGION

API: HTTP

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpProxies/HTTP_PROXY_NAME/setUrlMap

{
  "urlMap": /projects/PROJECT_ID/regions/REGIONurlMaps/URL_MAP_NAME
}

API: HTTPS

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpsProxies/HTTPS_PROXY_NAME/setUrlMap

{
  "urlMap": /projects/PROJECT_ID/regions/REGION/urlMaps/URL_MAP_NAME
}

Update the SSL certificate resource for the target HTTPS proxy

Use this procedure to replace the SSL certificate on the HTTPS proxy. You must already have created any additional SSL certificate resources that you need.

Console

In the Google Cloud console, go to the Load balancing page.

Go to Load balancing
Click Edit next to your load balancer.
Click Frontend configuration.
In the Certificate drop-down menu, select the new certificate.
Click Add certificate if you need to add more certificates.
Click Done.

gcloud

You can configure the documented number of SSL certificates per target HTTPS proxy.

gcloud compute target-https-proxies update PROXY_NAME \
    --ssl-certificates=SSL_CERT_1,SSL_CERT_2,...

API: HTTPS

You can use the following API call to replace the SSL certificate for the HTTPS Proxy.

POST [https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/targetHttpsProxies/HTTPS_PROXY_NAME/setSslCertificates]

The request body contains data with the following structure:

{
  "sslCertificates": [
    "SSL_CERT_URL"
  ]
}

Replace the following:

PROJECT_ID: Project ID for this request
HTTPS_PROXY_NAME: Name of the Target HTTPS Proxy resource for which the SSL certificate resource is being updated
SSL_CERT_URL: Server-defined URL (selfLink) for the SSL certificate resource

Delete a target proxy

To delete a target proxy, you must first delete any forwarding rules that reference it.

To delete a target proxy, perform the following steps.

For global external Application Load Balancers and cross-region internal Application Load Balancers

Console

In the Google Cloud console, go to the Target proxies page.

Go to Target proxies
Select Target proxies.
Click the checkbox for the Name to delete.
Click Delete.

gcloud: HTTP

gcloud compute target-http-proxies delete HTTP_PROXY_NAME \
   --global

gcloud: HTTPS

gcloud compute target-https-proxies delete HTTPS_PROXY_NAME \
   --global

API: HTTP

DELETE https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpProxies/HTTP_PROXY_NAME

API: HTTPS

DELETE https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpsProxies/HTTPS_PROXY_NAME

For regional external Application Load Balancers and internal Application Load Balancers

Console

In the Google Cloud console, go to the Target proxies page.

Go to Target proxies
Select Target proxies.
Click the checkbox for the Name to delete.
Click Delete.

gcloud: HTTP

gcloud compute target-http-proxies delete HTTP_PROXY_NAME \
   --region=REGION

gcloud: HTTPS

gcloud compute target-https-proxies delete HTTPS_PROXY_NAME \
   --region=REGION

API: HTTP

DELETE https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpProxies/HTTP_PROXY_NAME

API: HTTPS

DELETE https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpsProxies/HTTPS_PROXY_NAME

For global external proxy Network Load Balancers with an SSL proxy

Console

In the Google Cloud console, go to the Target proxies page.

Go to Target proxies
Select Target proxies.
Click the checkbox for the Name to delete.
Click Delete.

gcloud

gcloud compute target-ssl-proxies delete SSL_PROXY_NAME

API

DELETE https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetSslProxies/SSL_PROXY_NAME

For global external proxy Network Load Balancers with a TCP proxy

Console

In the Google Cloud console, go to the Target proxies page.

Go to Target proxies
Select Target proxies.
Click the checkbox for the Name to delete.
Click Delete.

gcloud

gcloud compute target-tcp-proxies delete TCP_PROXY_NAME

API

DELETE https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetTcpProxies/TCP_PROXY_NAME

For regional external proxy Network Load Balancers and regional internal proxy Network Load Balancers

Console

In the Google Cloud console, go to the Target proxies page.

Go to Target proxies
Select Target proxies.
Click the checkbox for the Name to delete.
Click Delete.

gcloud

gcloud compute target-tcp-proxies delete TCP_PROXY_NAME \
    --region=REGION

API

DELETE https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetTcpProxies/TCP_PROXY_NAME

Update the QUIC protocol setting

Target HTTPS proxies support the use of the QUIC transport protocol with the optional flag --quic-override.

Console: HTTPS

You can use the Google Cloud console to configure the QUIC setting when you're setting up a new load balancer, as shown in Configuring the load balancing resources.

gcloud: HTTPS

Before you run this command, you must create an SSL certificate resource for each certificate.

 gcloud compute target-https-proxies create HTTPS_PROXY_NAME \
   --global \
   --quic-override=QUIC_SETTING

where QUIC_SETTING is one of the following:

NONE (Default) Allows Google to control when QUIC is negotiated. Currently, when you select NONE, QUIC is disabled. By selecting this option, you are allowing Google to automatically enable QUIC negotiations and HTTP/3 in the future for this load balancer. In the Google Cloud console, this option is called Automatic (Default).
ENABLED Allows the load balancer to negotiate QUIC with clients.
DISABLED Prevents the load balancer from negotiating QUIC with clients.

API: HTTPS

POST https://www.googleapis.com/v1/compute/projects/PROJECT_ID/global/targetHttpsProxies/TARGET_PROXY_NAME/setQuicOverride

{
  "quicOverride": QUIC_SETTING
}

where QUIC_SETTING is one of the following:

NONE (Default) Allows Google to control when QUIC is negotiated. Currently, when you select NONE, QUIC is disabled. By selecting this option, you are allowing Google to automatically enable QUIC negotiations and HTTP/3 in the future for this load balancer. In the Google Cloud console, this option is called Automatic (Default).
ENABLED Allows the load balancer to negotiate QUIC with clients.
DISABLED Prevents the load balancer from negotiating QUIC with clients.

API and `gcloud` reference

For descriptions of the properties and methods available to you when working with target proxies through the REST API, see the following pages:

For descriptions of the properties and methods available to you when working with target proxies through the Google Cloud CLI, see the following pages:

What's next

For more information about the QUIC transport protocol, see QUIC protocol support for HTTPS load balancing.
To update the SSL certificate that your target proxy points to, see:
- Replacing self-managed SSL certificates
- Replacing Google-managed SSL certificates