Using target proxies

Target proxies are referenced by one or more forwarding rules. In the case of external HTTP(S) load balancers and internal HTTP(S) load balancers, proxies route incoming requests to a URL map. In the case of SSL proxy load balancers and TCP proxy load balancers, target proxies route incoming requests directly to backend services.

Target proxy properties

For descriptions of the properties and methods available to you when working with target proxies through the REST API, see the following pages:

For descriptions of the properties and methods available to you when working with target proxies through the gcloud command-line tool, see the following pages:

Add a target proxy

You can add a target proxy for the following types of load balancing:

  • External HTTP(S) Load Balancing
  • Internal HTTP(S) Load Balancing
  • SSL Proxy Load Balancing
  • TCP Proxy Load Balancing

For an external HTTP(S) load balancer

To add a global target HTTP(S) proxy, perform the following steps:

Console: HTTP

  1. Go to the Target Proxies page.
    Go to the Target Proxies page
  2. Click Create target proxy.
  3. Enter a Name.
  4. (Optional) Enter a Description.
  5. Select Type HTTP Proxy.
  6. Select a URL map.
  7. Click Create.

Console: HTTPS

  1. Go to the Target Proxies page.
    Go to the Target Proxies page
  2. Click Create target proxy.
  3. Enter a Name.
  4. (Optional) Enter a Description.
  5. Select Type HTTPS Proxy.
  6. If you already have an SSL certificate resource you want to use as the primary SSL certificate, select it from the Certificate drop-down menu. If not, select Create a new certificate.
    1. Enter a Name.
    2. Either upload (recommended) the following files or copy and paste their contents into the appropriate fields:
      • Public key certificate (.crt file).
      • Certificate chain (.csr file).
      • Private key (.key file).
  7. Add additional certificates by repeating the previous step.
  8. Select a URL map.
  9. Click Create.

gcloud: HTTP

gcloud compute target-http-proxies create HTTP_PROXY_NAME \
  --global \
  --url-map URL_MAP \
  --global-url-map \
  [--description DESCRIPTION]

gcloud: HTTPS

Before you run this command, you must create an SSL certificate resource for each certificate.

 gcloud compute target-https-proxies create HTTPS_PROXY_NAME \
   --global \
   --url-map URL_MAP \
   --global-url-map \
   --ssl-certificates SSL_CERT_1[,SSL_CERT_2,...] \
   --global-ssl-certificates \
   [--ssl-policy POLICY_NAME] \
   [--quic-override=ENABLE|DISABLE|NONE]

API: HTTP

POST https://www.googleapis.com/v1/compute/projects/PROJECT_ID/global/targetHttpProxies

{
  "name": HTTP_PROXY_NAME,
  "urlMap": /projects/PROJECT_ID/global/urlMaps/URL_MAP_NAME
}

API: HTTPS

POST https://www.googleapis.com/v1/compute/projects/PROJECT_ID/global/targetHttpsProxies

{
  "name": HTTPS_PROXY_NAME,
  "urlMap": /projects/PROJECT_ID/global/urlMaps/URL_MAP_NAME,
  "sslCertificates": /projects/PROJECT_ID/global/sslCertificates/SSL_CERT_NAME
}

For an internal HTTP(S) load balancer

To add a regional target HTTP(S) proxy, perform the following steps:

Console

Using the Cloud Console to create a standalone regional target HTTP(S) proxy is not supported.

gcloud: HTTP

gcloud compute target-http-proxies create HTTP_PROXY_NAME \
    --url-map URL_MAP \
    --url-map-region REGION \
    --region REGION \
    [--description DESCRIPTION]

gcloud: HTTPS

Before you run this command, you must create an SSL certificate resource for each certificate.

 gcloud compute target-https-proxies create HTTPS_PROXY_NAME \
     --url-map URL_MAP \
     --url-map-region REGION \
     --region REGION \
     --ssl-certificates SSL_CERT_NAME \
     --ssl-certificates-region REGION

API: HTTP

POST https://www.googleapis.com/v1/compute/projects/PROJECT_ID/regions/REGION/targetHttpProxies

{
  "name": HTTP_PROXY_NAME,
  "urlMap": /projects/PROJECT_ID/regions/REGION/urlMaps/URL_MAP_NAME,
  "region": REGION
}

API: HTTPS

POST https://www.googleapis.com/v1/compute/projects/PROJECT_ID/region/REGION/targetHttpsProxies

{
  "name": HTTPS_PROXY_NAME,
  "urlMap": /projects/PROJECT_ID/regions/REGION/urlMaps/URL_MAP_NAME,
  "region": REGION
  "sslCertificates": /projects/PROJECT_ID/regions/REGION/sslCertificates/SSL_CERT_NAME
}

For an SSL proxy load balancer

To add a global target SSL proxy, perform the following steps:

Console

  1. Go to the Target Proxies page.
    Go to the Target Proxies page
  2. Click Create target proxy.
  3. Enter a Name.
  4. (Optional) Enter a Description.
  5. Select Type SSL Proxy.
  6. If you already have an SSL certificate resource you want to use as the primary SSL certificate, select it from the Certificate drop-down menu. If not, select Create a new certificate.
    1. Enter a Name.
    2. Either upload (recommended) the following files or copy and paste their contents into the appropriate fields:
      • Public key certificate (.crt file).
      • Certificate chain (.csr file).
      • Private key (.key file).
  7. Add additional certificates by repeating the previous step.
  8. Select a Backend service.
  9. (Optional) Enable the Proxy protocol.
  10. Click Create.

gcloud

Before you run this command, you must create an SSL certificate resource for each certificate.

 gcloud compute target-ssl-proxies create SSL_PROXY_NAME \
   --backend-service BACKEND_SERVICE \
   --ssl-certificates SSL_CERT_1[,SSL_CERT_2,...] \
   [--ssl-policy POLICY_NAME] \
   [--quic-override=ENABLE|DISABLE|NONE] \
   [--proxy-header=(NONE | PROXY_V1)]

API

POST https://www.googleapis.com/v1/compute/projects/PROJECT_ID/global/targetSslProxies

{
  "name": SSL_PROXY_NAME,
  "proxyHeader": ("NONE" | "PROXY_V1"),
  "service": "projects/PROJECT/global/backendServices/BACKEND_SERVICE"
  "sslCertificates": /projects/PROJECT_ID/global/sslCertificates/SSL_CERT_NAME
}

For a TCP proxy load balancer

To add a global target TCP proxy, perform the following steps:

Console

  1. Go to the Target Proxies page.
    Go to the Target Proxies page
  2. Click Create target proxy.
  3. Enter a Name.
  4. (Optional) Enter a Description.
  5. Select Type TCP Proxy.
  6. Select a Backend service.
  7. (Optional) Enable the Proxy protocol.
  8. Click Create.

gcloud

 gcloud compute target-tcp-proxies create TCP_PROXY_NAME \
   --backend-service BACKEND_SERVICE \
   --proxy-header=(NONE | PROXY_V1)

API

POST https://www.googleapis.com/v1/compute/projects/PROJECT_ID/global/targetTcpProxies

{
  "name": TCP_PROXY_NAME,
  "proxyHeader": ("NONE" | "PROXY_V1"),
  "service": "projects/PROJECT/global/backendServices/BACKEND_SERVICE"
}

List target proxies

To list target proxies, perform the following steps.

For an external HTTP(S) load balancer

Console

Go to the Target Proxies page.
Go to the Target Proxies page

gcloud: HTTP

gcloud compute target-http-proxies list --global

gcloud: HTTPS

gcloud compute target-https-proxies list --global

API: HTTP

GET https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpProxies

API: HTTPS

GET https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpsProxies

For an internal HTTP(S) load balancer

Console

Go to the Target Proxies page.
Go to the Target Proxies page

gcloud: HTTP

gcloud compute target-http-proxies list \
    --filter="region:(COMMA_DELIMITED_LIST_OF_REGIONS)"

gcloud: HTTPS

gcloud compute target-https-proxies list \
   --filter="region:(COMMA_DELIMITED_LIST_OF_REGIONS)"

API: HTTP

GET https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpProxies

API: HTTPS

GET https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpsProxies

For an SSL proxy load balancer

Console

Go to the Target Proxies page.
Go to the Target Proxies page

gcloud

gcloud compute target-ssl-proxies list

API

GET https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetSslProxies

For a TCP proxy load balancer

Console

Go to the Target Proxies page.
Go to the Target Proxies page

gcloud

gcloud compute target-tcp-proxies list

API

GET https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetTcpProxies

Get information about a target proxy

To get information about a single target HTTP or HTTPS proxy, perform the following steps.

For an external HTTP(S) load balancer

Console

  1. Go to the Target Proxies page.
    Go to the Target Proxies page
  2. Select a Target name.
  3. View the Target details screen. To return to the Load balancing screen, click the left-facing arrow at the top of the screen.

gcloud: HTTP

gcloud compute target-http-proxies describe HTTP_PROXY_NAME \
   --global

gcloud: HTTPS

gcloud compute target-https-proxies describe HTTPS_PROXY_NAME \
   --global

API: HTTP

GET https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpProxies/HTTP_PROXY_NAME

API: HTTPS

GET https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpsProxies/HTTPS_PROXY_NAME

For an internal HTTP(S) load balancer

Console

  1. Go to the Target Proxies page.
    Go to the Target Proxies page
  2. Select a Target name.
  3. View the Target details screen. To return to the Load balancing screen, click the left-facing arrow at the top of the screen.

gcloud: HTTP

gcloud compute target-http-proxies describe HTTP_PROXY_NAME \
   --region=REGION

gcloud: HTTPS

gcloud compute target-https-proxies describe HTTPS_PROXY_NAME \
   --region=REGION

API: HTTP

GET https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpProxies/HTTP_PROXY_NAME

API: HTTPS

GET https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpsProxies/HTTPS_PROXY_NAME

For an SSL proxy load balancer

Console

  1. Go to the Target Proxies page.
    Go to the Target Proxies page
  2. Select a Target name.
  3. View the Target details screen. To return to the Load balancing screen, click the left-facing arrow at the top of the screen.

gcloud

gcloud compute target-ssl-proxies describe SSL_PROXY_NAME

API

GET https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetSslProxies/SSL_PROXY_NAME

For a TCP proxy load balancer

Console

  1. Go to the Target Proxies page.
    Go to the Target Proxies page
  2. Select a Target name.
  3. View the Target details screen. To return to the Load balancing screen, click the left-facing arrow at the top of the screen.

gcloud

gcloud compute target-tcp-proxies describe TCP_PROXY_NAME

API

GET https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetTcpProxies/TCP_PROXY_NAME

Update the target proxy to point to a different URL map

To update the target proxy to point to a different URL map, perform the following steps.

For an external HTTP(S) load balancer

To update the URL map associated with a target proxy, perform the following steps:

Console

HTTP(S) proxies can't be edited in the Cloud Console. Instead, delete and re-add the target proxy. Alternatively, you can edit the target proxy by using gcloud or the API.

gcloud: HTTP

gcloud compute target-http-proxies update HTTP_PROXY_NAME \
    --url-map URL_MAP \
    --global \
    --global-url-map

gcloud: HTTPS

gcloud compute target-https-proxies update HTTPS_PROXY_NAME \
    --url-map URL_MAP \
    --global \
    --global-url-map

API: HTTP

POST https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpProxies/HTTP_PROXY_NAME/setUrlMap

{
  "urlMap": /projects/PROJECT_ID/global/urlMaps/URL_MAP_NAME
}

API: HTTPS

POST https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpsProxies/HTTPS_PROXY_NAME/setUrlMap

{
  "urlMap": "urlMap": /projects/PROJECT_ID/global/urlMaps/URL_MAP_NAME
}

For an internal HTTP(S) load balancer

To update the URL map associated with a target proxy, perform the following steps:

Console

HTTP(S) proxies can't be edited in the Cloud Console. Instead, delete and re-add the target proxy. Alternatively, you can edit the target proxy by using gcloud or the API.

gcloud: HTTP

gcloud compute target-http-proxies update HTTP_PROXY_NAME \
    --url-map URL_MAP \
    --region=REGION \
    --url-map-region=REGION

gcloud: HTTPS

gcloud compute target-https-proxies update HTTPS_PROXY_NAME \
    --url-map URL_MAP \
    --region=REGION \
    --url-map-region=REGION

API: HTTP

POST https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpProxies/HTTP_PROXY_NAME/setUrlMap

{
  "urlMap": /projects/PROJECT_ID/regions/REGIONurlMaps/URL_MAP_NAME
}

API: HTTPS

POST https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpsProxies/HTTPS_PROXY_NAME/setUrlMap

{
  "urlMap": /projects/PROJECT_ID/regions/REGION/urlMaps/URL_MAP_NAME
}

Delete a target proxy

To delete a target HTTP or HTTPS proxy, perform the following steps.

For an external HTTP(S) load balancer

Console

  1. Go to the Target Proxies page.
    Go to the Target Proxies page
  2. Select Target proxies.
  3. Click the checkbox for the Target name to delete.
  4. Click Delete.

gcloud: HTTP

gcloud compute target-http-proxies delete HTTP_PROXY_NAME \
   --global

gcloud: HTTPS

gcloud compute target-https-proxies delete HTTPS_PROXY_NAME \
   --global

API: HTTP

DELETE https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpProxies/HTTP_PROXY_NAME

API: HTTPS

DELETE https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpsProxies/HTTPS_PROXY_NAME

For an internal HTTP(S) load balancer

Console

  1. Go to the Target Proxies page.
    Go to the Target Proxies page
  2. Select Target proxies.
  3. Click the checkbox for the Target name to delete.
  4. Click Delete.

gcloud: HTTP

gcloud compute target-http-proxies delete HTTP_PROXY_NAME \
   --region=REGION

gcloud: HTTPS

gcloud compute target-https-proxies delete HTTPS_PROXY_NAME \
   --region=REGION

API: HTTP

DELETE https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpProxies/HTTP_PROXY_NAME

API: HTTPS

DELETE https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/targetHttpsProxies/HTTPS_PROXY_NAME

For an SSL proxy load balancer

Console

  1. Go to the Target Proxies page.
    Go to the Target Proxies page
  2. Select Target proxies.
  3. Click the checkbox for the Target name to delete.
  4. Click Delete.

gcloud

gcloud compute target-ssl-proxies delete SSL_PROXY_NAME

API

DELETE https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetSslProxies/SSL_PROXY_NAME

For a TCP proxy load balancer

Console

  1. Go to the Target Proxies page.
    Go to the Target Proxies page
  2. Select Target proxies.
  3. Click the checkbox for the Target name to delete.
  4. Click Delete.

gcloud

gcloud compute target-tcp-proxies delete TCP_PROXY_NAME

API

DELETE https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetTcpProxies/TCP_PROXY_NAME

Update the QUIC protocol setting

External HTTP(S) Load Balancing supports the use of the QUIC transport protocol with the optional flag --quic-override.

QUIC has the following SSL certificate requirements:

  • The SSL certificate's commonName (CN) attribute must match a DNS name that resolves to the load balancer's IP address. Otherwise, the load balancer doesn't serve QUIC content.
  • The SSL certificate must be signed by a certificate authority (CA) that is trusted by the client. QUIC transport cannot be negotiated if your load balancer uses a self-signed certificate or one signed by a CA that isn't trusted by the client.
[--quic-override=ENABLE|DISABLE|NONE]

The effects of the flag are as follows:

  • When --quic-override is set to NONE, Google manages whether QUIC is used.
  • When the flag is set to ENABLE, the load balancer uses QUIC when possible.
  • When the flag is set to DISABLE, QUIC is not used.

If the --quic-override flag is not specified, NONE is implied.

gcloud compute target-https-proxies update HTTPS_PROXY_NAME \
    --global
    --quic-override=ENABLE|DISABLE|NONE

What's next