Using target proxies

Target proxies are referenced by one or more forwarding rules. In the case of external HTTP(S) load balancers and internal HTTP(S) load balancers, proxies route incoming requests to a URL map. In the case of SSL proxy load balancers and TCP proxy load balancers, target proxies route incoming requests directly to backend services.

API and gcloud reference

For descriptions of the properties and methods available to you when working with target proxies through the REST API, see the following pages:

For descriptions of the properties and methods available to you when working with target proxies through the gcloud command-line tool, see the following pages:

Adding a target proxy

You can add a target proxy for the following load balancers:

  • Global external HTTP(S) load balancer
  • Global external HTTP(S) load balancer (classic)
  • Regional external HTTP(S) load balancer
  • Internal HTTP(S) Load Balancing
  • SSL Proxy Load Balancing
  • TCP Proxy Load Balancing

For global external HTTP(S) load balancer

The global external HTTP(S) load balancer only supports Premium Tier and uses a global target proxy. While the global external HTTP(S) load balancer (classic) can be deployed in Premium or Standard Tier, it requires a global target proxy irrespective of the Network Service Tiers. In Standard Tier, a regional forwarding rule points to a global target proxy.

To add a global target HTTP(S) proxy, perform the following steps:

Console: HTTP(S)

You can create a global target HTTP(S) proxy using the Cloud console when you're creating or updating a load balancer as shown in Configuring the load balancing resources.

gcloud: HTTP 

gcloud compute target-http-proxies create HTTP_PROXY_NAME \
  --global \
  --url-map URL_MAP \
  --global-url-map \
  [--description DESCRIPTION]

gcloud: HTTPS

Before you run this command, you must create an SSL certificate resource for each certificate.

 gcloud compute target-https-proxies create HTTPS_PROXY_NAME \
   --global \
   --url-map URL_MAP \
   --global-url-map \
   --ssl-certificates SSL_CERT_1[,SSL_CERT_2,...] \
   --global-ssl-certificates \
   [--ssl-policy POLICY_NAME] \
   [--quic-override=ENABLE|DISABLE|NONE]

API: HTTP 

POST https://www.googleapis.com/v1/compute/projects/PROJECT_ID/global/targetHttpProxies

{
  "name": HTTP_PROXY_NAME,
  "urlMap": /projects/PROJECT_ID/global/urlMaps/URL_MAP_NAME
}

API: HTTPS 

POST https://www.googleapis.com/v1/compute/projects/PROJECT_ID/global/targetHttpsProxies

{
  "name": HTTPS_PROXY_NAME,
  "urlMap": /projects/PROJECT_ID/global/urlMaps/URL_MAP_NAME,
  "sslCertificates": /projects/PROJECT_ID/global/sslCertificates/SSL_CERT_NAME
}

For regional external HTTP(S) load balancer and internal HTTP(S) load balancer

For regional external HTTP(S) load balancers and internal HTTP(S) load balancers, a regional target proxy is required.

To add a regional target HTTP(S) proxy, perform the following steps:

Console

You can create a regional target HTTP(S) proxy using the Cloud console when you're creating or updating a load balancer as shown in Setting up internal HTTP(S) load balancer or Setting up regional external HTTP(S) load balancer.

gcloud: HTTP 

gcloud compute target-http-proxies create HTTP_PROXY_NAME \
    --url-map URL_MAP \
    --url-map-region REGION \
    --region REGION \
    [--description DESCRIPTION]

gcloud: HTTPS

Before you run this command, you must create an SSL certificate resource for each certificate.

 gcloud compute target-https-proxies create HTTPS_PROXY_NAME \
     --url-map URL_MAP \
     --url-map-region REGION \
     --region REGION \
     --ssl-certificates SSL_CERT_NAME \
     --ssl-certificates-region REGION

API: HTTP 

POST https://www.googleapis.com/v1/compute/projects/PROJECT_ID/regions/REGION/targetHttpProxies

{
  "name": HTTP_PROXY_NAME,
  "urlMap": /projects/PROJECT_ID/regions/REGION/urlMaps/URL_MAP_NAME,
  "region": REGION
}

API: HTTPS 

POST https://www.googleapis.com/v1/compute/projects/PROJECT_ID/region/REGION/targetHttpsProxies

{
  "name": HTTPS_PROXY_NAME,
  "urlMap": /projects/PROJECT_ID/regions/REGION/urlMaps/URL_MAP_NAME,
  "region": REGION
  "sslCertificates": /projects/PROJECT_ID/regions/REGION/sslCertificates/SSL_CERT_NAME
}

For an SSL proxy load balancer

For SSL proxy load balancers, a global target proxy is required in both Standard and Premium Tier. This means that, in Standard Tier, a regional forwarding rule points to a global target proxy.

To add a global target SSL proxy, perform the following steps:

Console

You can create a global target SSL proxy using the Cloud console when you're creating or updating a load balancer as shown in Setting up SSL proxy load balancer.

gcloud

Before you run this command, you must create an SSL certificate resource for each certificate.

 gcloud compute target-ssl-proxies create SSL_PROXY_NAME \
   --backend-service BACKEND_SERVICE \
   --ssl-certificates SSL_CERT_1[,SSL_CERT_2,...] \
   [--ssl-policy POLICY_NAME] \
   [--quic-override=ENABLE|DISABLE|NONE] \
   [--proxy-header=(NONE | PROXY_V1)]

API 

POST https://www.googleapis.com/v1/compute/projects/PROJECT_ID/global/targetSslProxies

{
  "name": SSL_PROXY_NAME,
  "proxyHeader": ("NONE" | "PROXY_V1"),
  "service": "projects/PROJECT/global/backendServices/BACKEND_SERVICE"
  "sslCertificates": /projects/PROJECT_ID/global/sslCertificates/SSL_CERT_NAME
}

For a TCP proxy load balancer

To add a global target TCP proxy, perform the following steps:

Console

You can create a global target TCP proxy using the Cloud console when you're creating or updating a load balancer as shown in Setting up TCP proxy load balancer.

gcloud 

 gcloud compute target-tcp-proxies create TCP_PROXY_NAME \
   --backend-service BACKEND_SERVICE \
   --proxy-header=(NONE | PROXY_V1)

API 

POST https://www.googleapis.com/v1/compute/projects/PROJECT_ID/global/targetTcpProxies

{
  "name": TCP_PROXY_NAME,
  "proxyHeader": ("NONE" | "PROXY_V1"),
  "service": "projects/PROJECT/global/backendServices/BACKEND_SERVICE"
}

Listing target proxies

To list target proxies, perform the following steps.

For global external HTTP(S) load balancer

Console

Go to the Target Proxies page.
Go to the Target Proxies page

gcloud: HTTP 

gcloud compute target-http-proxies list --global

gcloud: HTTPS 

gcloud compute target-https-proxies list --global

API: HTTP 

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpProxies

API: HTTPS 

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpsProxies

For regional external HTTP(S) load balancer and internal HTTP(S) load balancer

Console

Go to the Target Proxies page.
Go to the Target Proxies page

gcloud: HTTP 

gcloud compute target-http-proxies list \
    --filter="region:(COMMA_DELIMITED_LIST_OF_REGIONS)"

gcloud: HTTPS 

gcloud compute target-https-proxies list \
   --filter="region:(COMMA_DELIMITED_LIST_OF_REGIONS)"

API: HTTP 

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpProxies

API: HTTPS 

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpsProxies

For an SSL proxy load balancer

Console

Go to the Target Proxies page.
Go to the Target Proxies page

gcloud 

gcloud compute target-ssl-proxies list

API 

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetSslProxies

For a TCP proxy load balancer

Console

Go to the Target Proxies page.
Go to the Target Proxies page

gcloud 

gcloud compute target-tcp-proxies list

API 

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetTcpProxies

Getting information about a target proxy

To get information about a single target HTTP or HTTPS proxy, perform the following steps.

For global external HTTP(S) load balancer

Console

  1. Go to the Target Proxies page.
    Go to the Target Proxies page
  2. Select a Target name.
  3. View the Target details screen. To return to the Load balancing screen, click the left-facing arrow at the top of the screen.

gcloud: HTTP 

gcloud compute target-http-proxies describe HTTP_PROXY_NAME \
   --global

gcloud: HTTPS 

gcloud compute target-https-proxies describe HTTPS_PROXY_NAME \
   --global

API: HTTP 

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpProxies/HTTP_PROXY_NAME

API: HTTPS 

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpsProxies/HTTPS_PROXY_NAME

For regional external HTTP(S) load balancer and internal HTTP(S) load balancer

Console

  1. Go to the Target Proxies page.
    Go to the Target Proxies page
  2. Select a Target name.
  3. View the Target details screen. To return to the Load balancing screen, click the left-facing arrow at the top of the screen.

gcloud: HTTP 

gcloud compute target-http-proxies describe HTTP_PROXY_NAME \
   --region=REGION

gcloud: HTTPS 

gcloud compute target-https-proxies describe HTTPS_PROXY_NAME \
   --region=REGION

API: HTTP 

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpProxies/HTTP_PROXY_NAME

API: HTTPS 

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpsProxies/HTTPS_PROXY_NAME

For an SSL proxy load balancer

Console

  1. Go to the Target Proxies page.
    Go to the Target Proxies page
  2. Select a Target name.
  3. View the Target details screen. To return to the Load balancing screen, click the left-facing arrow at the top of the screen.

gcloud 

gcloud compute target-ssl-proxies describe SSL_PROXY_NAME

API 

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetSslProxies/SSL_PROXY_NAME

For a TCP proxy load balancer

Console

  1. Go to the Target Proxies page.
    Go to the Target Proxies page
  2. Select a Target name.
  3. View the Target details screen. To return to the Load balancing screen, click the left-facing arrow at the top of the screen.

gcloud 

gcloud compute target-tcp-proxies describe TCP_PROXY_NAME

API 

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetTcpProxies/TCP_PROXY_NAME

Updating the target proxy to point to a different URL map

To update the target proxy to point to a different URL map, perform the following steps.

For global external HTTP(S) load balancer

To update the URL map associated with a target proxy, perform the following steps:

Console

HTTP(S) proxies can't be edited in the Cloud console. You can edit the target proxy by using gcloud or the API.

gcloud: HTTP 

gcloud compute target-http-proxies update HTTP_PROXY_NAME \
    --url-map URL_MAP \
    --global \
    --global-url-map

gcloud: HTTPS 

gcloud compute target-https-proxies update HTTPS_PROXY_NAME \
    --url-map URL_MAP \
    --global \
    --global-url-map

API: HTTP 

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpProxies/HTTP_PROXY_NAME/setUrlMap

{
  "urlMap": /projects/PROJECT_ID/global/urlMaps/URL_MAP_NAME
}

API: HTTPS 

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpsProxies/HTTPS_PROXY_NAME/setUrlMap

{
  "urlMap": "urlMap": /projects/PROJECT_ID/global/urlMaps/URL_MAP_NAME
}

For regional external HTTP(S) load balancer and internal HTTP(S) load balancer

To update the URL map associated with a target proxy, perform the following steps:

Console

HTTP(S) proxies can't be edited in the Cloud console. You can edit the target proxy by using gcloud or the API.

gcloud: HTTP 

gcloud compute target-http-proxies update HTTP_PROXY_NAME \
    --url-map URL_MAP \
    --region=REGION \
    --url-map-region=REGION

gcloud: HTTPS 

gcloud compute target-https-proxies update HTTPS_PROXY_NAME \
    --url-map URL_MAP \
    --region=REGION \
    --url-map-region=REGION

API: HTTP 

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpProxies/HTTP_PROXY_NAME/setUrlMap

{
  "urlMap": /projects/PROJECT_ID/regions/REGIONurlMaps/URL_MAP_NAME
}

API: HTTPS 

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpsProxies/HTTPS_PROXY_NAME/setUrlMap

{
  "urlMap": /projects/PROJECT_ID/regions/REGION/urlMaps/URL_MAP_NAME
}

Updating the SSL certificate resource for the target HTTPS proxy

Use this procedure to replace the SSL certificate on the HTTPS proxy. You must already have created any additional SSL certificate resources that you need.

Console

  1. Go to the Load balancing page in the Google Cloud console.

    Go to the Load balancing page

  2. Click Edit next to your load balancer.

  3. Click Frontend configuration.

  4. In the Certificate drop-down menu, select the new certificate.

  5. Click Add certificate if you need to add more certificates.

  6. Click Done.

gcloud

You can configure the documented number of SSL certificates per target HTTPS proxy.

gcloud compute target-https-proxies update PROXY_NAME \
    --ssl-certificates=SSL_CERT_1,SSL_CERT_2,...

API: HTTPS 

DELETE [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpsProxies/HTTPS_PROXY_NAME]

POST [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpsProxies]

{
  "name": HTTPS_PROXY_NAME,
  "sslCertificates": [
    SSL_CERT_1,SSL_CERT_2
  ]
}

Deleting a target proxy

To delete a target HTTP or HTTPS proxy, perform the following steps.

For global external HTTP(S) load balancer

Console

  1. Go to the Target Proxies page.
    Go to the Target Proxies page
  2. Select Target proxies.
  3. Click the checkbox for the Target name to delete.
  4. Click Delete.

gcloud: HTTP 

gcloud compute target-http-proxies delete HTTP_PROXY_NAME \
   --global

gcloud: HTTPS 

gcloud compute target-https-proxies delete HTTPS_PROXY_NAME \
   --global

API: HTTP 

DELETE https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpProxies/HTTP_PROXY_NAME

API: HTTPS 

DELETE https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpsProxies/HTTPS_PROXY_NAME

For regional external HTTP(S) load balancer and internal HTTP(S) load balancer

Console

  1. Go to the Target Proxies page.
    Go to the Target Proxies page
  2. Select Target proxies.
  3. Click the checkbox for the Target name to delete.
  4. Click Delete.

gcloud: HTTP 

gcloud compute target-http-proxies delete HTTP_PROXY_NAME \
   --region=REGION

gcloud: HTTPS 

gcloud compute target-https-proxies delete HTTPS_PROXY_NAME \
   --region=REGION

API: HTTP 

DELETE https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpProxies/HTTP_PROXY_NAME

API: HTTPS 

DELETE https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpsProxies/HTTPS_PROXY_NAME

For an SSL proxy load balancer

Console

  1. Go to the Target Proxies page.
    Go to the Target Proxies page
  2. Select Target proxies.
  3. Click the checkbox for the Target name to delete.
  4. Click Delete.

gcloud 

gcloud compute target-ssl-proxies delete SSL_PROXY_NAME

API 

DELETE https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetSslProxies/SSL_PROXY_NAME

For a TCP proxy load balancer

Console

  1. Go to the Target Proxies page.
    Go to the Target Proxies page
  2. Select Target proxies.
  3. Click the checkbox for the Target name to delete.
  4. Click Delete.

gcloud 

gcloud compute target-tcp-proxies delete TCP_PROXY_NAME

API 

DELETE https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetTcpProxies/TCP_PROXY_NAME

Updating the QUIC protocol setting

Target HTTPS proxies support the use of the QUIC transport protocol with the optional flag --quic-override.

Console: HTTPS

You can use the Cloud console to configure the QUIC setting when you're setting up a new load balancer, as shown in Configuring the load balancing resources.

gcloud: HTTPS

Before you run this command, you must create an SSL certificate resource for each certificate.

 gcloud compute target-https-proxies create HTTPS_PROXY_NAME \
   --global \
   --quic-override=QUIC_SETTING

where QUIC_SETTING is one of the following:

  • NONE (Default) Allows Google to control when QUIC is negotiated. Currently, when you select NONE, QUIC is disabled. By selecting this option, you are allowing Google to automatically enable QUIC negotiations and HTTP/3 in the future for this load balancer. In the Cloud console, this option is called Automatic (Default).
  • ENABLED Allows the load balancer to negotiate QUIC with clients.
  • DISABLED Prevents the load balancer from negotiating QUIC with clients.

API: HTTPS 

POST https://www.googleapis.com/v1/compute/projects/PROJECT_ID/global/targetHttpsProxies/TARGET_PROXY_NAME/setQuicOverride

{
  "quicOverride": QUIC_SETTING
}

where QUIC_SETTING is one of the following:

  • NONE (Default) Allows Google to control when QUIC is negotiated. Currently, when you select NONE, QUIC is disabled. By selecting this option, you are allowing Google to automatically enable QUIC negotiations and HTTP/3 in the future for this load balancer. In the Cloud console, this option is called Automatic (Default).
  • ENABLED Allows the load balancer to negotiate QUIC with clients.
  • DISABLED Prevents the load balancer from negotiating QUIC with clients.

What's next