Anda dapat menggunakan contoh berikut untuk men-deploy Load Balancer Jaringan proxy eksternal.
Jika Anda baru menggunakan Terraform untuk Google Cloud, baca artikel Mulai menggunakan Terraform.
Membuat Load Balancer Jaringan proxy eksternal dengan proxy TCP
Anda dapat menggunakan resource Terraform untuk menampilkan Load Balancer Jaringan proxy eksternal dengan backend grup instance terkelola.
Untuk informasi tentang penyiapan load balancer, lihat panduan penyiapan utama.
# VPC
resource "google_compute_network" "default" {
name = "tcp-proxy-xlb-network"
provider = google-beta
auto_create_subnetworks = false
}
# backend subnet
resource "google_compute_subnetwork" "default" {
name = "tcp-proxy-xlb-subnet"
provider = google-beta
ip_cidr_range = "10.0.1.0/24"
region = "us-central1"
network = google_compute_network.default.id
}
# reserved IP address
resource "google_compute_global_address" "default" {
provider = google-beta
name = "tcp-proxy-xlb-ip"
}
# forwarding rule
resource "google_compute_global_forwarding_rule" "default" {
name = "tcp-proxy-xlb-forwarding-rule"
provider = google-beta
ip_protocol = "TCP"
load_balancing_scheme = "EXTERNAL"
port_range = "110"
target = google_compute_target_tcp_proxy.default.id
ip_address = google_compute_global_address.default.id
}
resource "google_compute_target_tcp_proxy" "default" {
provider = google-beta
name = "test-proxy-health-check"
backend_service = google_compute_backend_service.default.id
}
# backend service
resource "google_compute_backend_service" "default" {
provider = google-beta
name = "tcp-proxy-xlb-backend-service"
protocol = "TCP"
port_name = "tcp"
load_balancing_scheme = "EXTERNAL"
timeout_sec = 10
health_checks = [google_compute_health_check.default.id]
backend {
group = google_compute_instance_group_manager.default.instance_group
balancing_mode = "UTILIZATION"
max_utilization = 1.0
capacity_scaler = 1.0
}
}
resource "google_compute_health_check" "default" {
provider = google-beta
name = "tcp-proxy-health-check"
timeout_sec = 1
check_interval_sec = 1
tcp_health_check {
port = "80"
}
}
# instance template
resource "google_compute_instance_template" "default" {
name = "tcp-proxy-xlb-mig-template"
provider = google-beta
machine_type = "e2-small"
tags = ["allow-health-check"]
network_interface {
network = google_compute_network.default.id
subnetwork = google_compute_subnetwork.default.id
access_config {
# add external ip to fetch packages
}
}
disk {
source_image = "debian-cloud/debian-12"
auto_delete = true
boot = true
}
# install nginx and serve a simple web page
metadata = {
startup-script = <<-EOF1
#! /bin/bash
set -euo pipefail
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install -y nginx-light jq
NAME=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/hostname")
IP=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip")
METADATA=$(curl -f -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=True" | jq 'del(.["startup-script"])')
cat <<EOF > /var/www/html/index.html
<pre>
Name: $NAME
IP: $IP
Metadata: $METADATA
</pre>
EOF
EOF1
}
lifecycle {
create_before_destroy = true
}
}
# MIG
resource "google_compute_instance_group_manager" "default" {
name = "tcp-proxy-xlb-mig1"
provider = google-beta
zone = "us-central1-c"
named_port {
name = "tcp"
port = 80
}
version {
instance_template = google_compute_instance_template.default.id
name = "primary"
}
base_instance_name = "vm"
target_size = 2
}
# allow access from health check ranges
resource "google_compute_firewall" "default" {
name = "tcp-proxy-xlb-fw-allow-hc"
provider = google-beta
direction = "INGRESS"
network = google_compute_network.default.id
source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]
allow {
protocol = "tcp"
}
target_tags = ["allow-health-check"]
}Membuat Load Balancer Jaringan proxy eksternal dengan proxy SSL
Anda dapat menggunakan resource Terraform untuk menampilkan Load Balancer Jaringan proxy eksternal dengan backend grup instance terkelola.
Untuk informasi tentang penyiapan load balancer, lihat panduan penyiapan utama.
# VPC
resource "google_compute_network" "default" {
name = "ssl-proxy-xlb-network"
provider = google
auto_create_subnetworks = false
}
# backend subnet
resource "google_compute_subnetwork" "default" {
name = "ssl-proxy-xlb-subnet"
provider = google
ip_cidr_range = "10.0.1.0/24"
region = "us-central1"
network = google_compute_network.default.id
}
# reserved IP address
resource "google_compute_global_address" "default" {
name = "ssl-proxy-xlb-ip"
}
# Self-signed regional SSL certificate for testing
resource "tls_private_key" "default" {
algorithm = "RSA"
rsa_bits = 2048
}
resource "tls_self_signed_cert" "default" {
private_key_pem = tls_private_key.default.private_key_pem
# Certificate expires after 12 hours.
validity_period_hours = 12
# Generate a new certificate if Terraform is run within three
# hours of the certificate's expiration time.
early_renewal_hours = 3
# Reasonable set of uses for a server SSL certificate.
allowed_uses = [
"key_encipherment",
"digital_signature",
"server_auth",
]
dns_names = ["example.com"]
subject {
common_name = "example.com"
organization = "ACME Examples, Inc"
}
}
resource "google_compute_ssl_certificate" "default" {
name = "default-cert"
private_key = tls_private_key.default.private_key_pem
certificate = tls_self_signed_cert.default.cert_pem
}
resource "google_compute_target_ssl_proxy" "default" {
name = "test-proxy"
backend_service = google_compute_backend_service.default.id
ssl_certificates = [google_compute_ssl_certificate.default.id]
}
# forwarding rule
resource "google_compute_global_forwarding_rule" "default" {
name = "ssl-proxy-xlb-forwarding-rule"
provider = google
ip_protocol = "TCP"
load_balancing_scheme = "EXTERNAL"
port_range = "443"
target = google_compute_target_ssl_proxy.default.id
ip_address = google_compute_global_address.default.id
}
# backend service
resource "google_compute_backend_service" "default" {
name = "ssl-proxy-xlb-backend-service"
protocol = "SSL"
port_name = "tcp"
load_balancing_scheme = "EXTERNAL"
timeout_sec = 10
health_checks = [google_compute_health_check.default.id]
backend {
group = google_compute_instance_group_manager.default.instance_group
balancing_mode = "UTILIZATION"
max_utilization = 1.0
capacity_scaler = 1.0
}
}
resource "google_compute_health_check" "default" {
name = "ssl-proxy-health-check"
timeout_sec = 1
check_interval_sec = 1
tcp_health_check {
port = "443"
}
}
# instance template
resource "google_compute_instance_template" "default" {
name = "ssl-proxy-xlb-mig-template"
provider = google
machine_type = "e2-small"
tags = ["allow-health-check"]
network_interface {
network = google_compute_network.default.id
subnetwork = google_compute_subnetwork.default.id
access_config {
# add external ip to fetch packages
}
}
disk {
source_image = "debian-cloud/debian-12"
auto_delete = true
boot = true
}
# install nginx and serve a simple web page
metadata = {
startup-script = <<-EOF1
#! /bin/bash
set -euo pipefail
export DEBIAN_FRONTEND=noninteractive
sudo apt-get update
sudo apt-get install -y apache2 jq
sudo a2ensite default-ssl
sudo a2enmod ssl
sudo service apache2 restart
NAME=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/hostname")
IP=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip")
METADATA=$(curl -f -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=True" | jq 'del(.["startup-script"])')
cat <<EOF > /var/www/html/index.html
<h1>SSL Load Balancer</h1>
<pre>
Name: $NAME
IP: $IP
Metadata: $METADATA
</pre>
EOF
EOF1
}
lifecycle {
create_before_destroy = true
}
}
# MIG
resource "google_compute_instance_group_manager" "default" {
name = "ssl-proxy-xlb-mig1"
provider = google
zone = "us-central1-c"
named_port {
name = "tcp"
port = 443
}
version {
instance_template = google_compute_instance_template.default.id
name = "primary"
}
base_instance_name = "vm"
target_size = 2
}
# allow access from health check ranges
resource "google_compute_firewall" "default" {
name = "ssl-proxy-xlb-fw-allow-hc"
provider = google
direction = "INGRESS"
network = google_compute_network.default.id
source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]
allow {
protocol = "tcp"
}
target_tags = ["allow-health-check"]
}