A regional external proxy Network Load Balancer is a proxy-based regional Layer 4 load balancer that lets you run and scale your TCP service traffic in a single region behind an external regional IP address. These load balancers distribute external TCP traffic from the internet to backends in the same region.
This guide contains instructions to set up a regional external proxy Network Load Balancer with a zonal network endpoint group (NEG) backend.
Before you begin, review the following documents:
In this example, we'll use the load balancer to distribute TCP traffic across
backend VMs in two zonal NEGs in Region A. For purposes of the
example, the service is a set of
Apache servers
configured to respond on port 80
.
In this example, you configure the deployment shown in the following diagram.
This is a regional load balancer. All load balancer components (backend instance group, backend service, target proxy, and forwarding rule) must be in the same region.
Permissions
To follow this guide, you must be able to create instances and modify a network in a project. You must be either a project Owner or Editor, or you must have all of the following Compute Engine IAM roles.
Task | Required role |
---|---|
Create networks, subnets, and load balancer components | Compute Network Admin
(roles/compute.networkAdmin ) |
Add and remove firewall rules | Compute Security Admin
(roles/compute.securityAdmin ) |
Create instances | Compute Instance Admin
(roles/compute.instanceAdmin ) |
For more information, see the following guides:
Configure the network and subnets
You need a VPC network with two subnets, one for the load balancer's backends and the other for the load balancer's proxies. This is a regional load balancer. Traffic within the VPC network is routed to the load balancer if the traffic's source is in a subnet in the same region as the load balancer.
This example uses the following VPC network, region, and subnets:
Network: a custom-mode VPC network named
lb-network
Subnet for backends: a subnet named
backend-subnet
in Region A that uses10.1.2.0/24
for its primary IP address rangeSubnet for proxies: a subnet named
proxy-only-subnet
in Region A that uses10.129.0.0/23
for its primary IP address range
Create the network and subnet for backends
Console
In the Google Cloud console, go to the VPC networks page.
Click Create VPC network.
For Name, enter
lb-network
.In the Subnets section, do the following:
- Set the Subnet creation mode to Custom.
- In the New subnet section, enter the following information:
- Name:
backend-subnet
- Region:
REGION_A
- IP address range:
10.1.2.0/24
- Name:
- Click Done.
Click Create.
gcloud
To create the custom VPC network, use the
gcloud compute networks create
command:gcloud compute networks create lb-network --subnet-mode=custom
To create a subnet in the
lb-network
network in theREGION_A
region, use thegcloud compute networks subnets create
command:gcloud compute networks subnets create backend-subnet \ --network=lb-network \ --range=10.1.2.0/24 \ --region=REGION_A
Create the proxy-only subnet
A proxy-only subnet provides a set of IP addresses that Google uses to run Envoy proxies on your behalf. The proxies terminate connections from the client and create new connections to the backends.
This proxy-only subnet is used by all Envoy-based load balancers in
Region A of the lb-network
VPC network.
Console
If you're using the Google Cloud console, you can wait and create the proxy-only subnet later on the Load balancing page.
If you want to create the proxy-only subnet now, use the following steps:
In the Google Cloud console, go to the VPC networks page.
Click the name of the Shared VPC network:
lb-network
.Click Add subnet.
For Name, enter
proxy-only-subnet
.For Region, select
REGION_A
.Set Purpose to Regional Managed Proxy.
For IP address range, enter
10.129.0.0/23
.Click Add.
gcloud
To create the proxy-only subnet, use the gcloud compute networks subnets
create
command:
gcloud compute networks subnets create proxy-only-subnet \ --purpose=REGIONAL_MANAGED_PROXY \ --role=ACTIVE \ --region=REGION_A \ --network=lb-network \ --range=10.129.0.0/23
Create firewall rules
In this example, you create the following firewall rules:
fw-allow-health-check
. An ingress rule, applicable to the Google Cloud instances being load balanced, that allows traffic from the load balancer and Google Cloud health checking systems (130.211.0.0/22
and35.191.0.0/16
). This example uses the target tagallow-health-check
to identify the backend VMs to which it should apply.fw-allow-ssh
. An ingress rule that allows incoming SSH connectivity on TCP port22
from any address. You can choose a more restrictive source IP range for this rule; for example, you can specify only the IP ranges of the systems from which you initiate SSH sessions. This example uses the target tagallow-ssh
to identify the VMs to which it should apply.fw-allow-proxy-only-subnet
. An ingressallow
firewall rule for the proxy-only subnet that allows the load balancer to communicate with backend instances on TCP port80
. This example uses the target tagallow-proxy-only-subnet
to identify the backend VMs to which it should apply.
Console
In the Google Cloud console, go to the Firewall policies page.
Click Create firewall rule, and then complete the following fields:
- Name:
fw-allow-health-check
- Network:
lb-network
- Targets: Specified target tags
- Target tags:
allow-health-check
- Source filter: IPv4 ranges
- Source IPv4 ranges:
130.211.0.0/22
and35.191.0.0/16
- Protocols and ports:
- Choose Specified protocols and ports.
- Select the TCP checkbox, and then enter
80
for the port number.
- Name:
Click Create.
Click Create firewall rule a second time to create the rule to allow incoming SSH connections:
- Name:
fw-allow-ssh
- Network:
lb-network
- Priority:
1000
- Direction of traffic: Ingress
- Action on match: Allow
- Targets: Specified target tags
- Target tags:
allow-ssh
- Source filter: IPv4 ranges
- Source IPv4 ranges:
0.0.0.0/0
- Protocols and ports:
- Choose Specified protocols and ports.
- Select the TCP checkbox, and then enter
22
for the port number.
- Name:
Click Create.
Click Create firewall rule a third time to create the rule to allow incoming connections from the proxy-only subnet to the Google Cloud backends:
- Name:
fw-allow-proxy-only-subnet
- Network:
lb-network
- Priority:
1000
- Direction of traffic: Ingress
- Action on match: Allow
- Targets: Specified target tags
- Target tags:
allow-proxy-only-subnet
- Source filter: IPv4 ranges
- Source IPv4 ranges:
10.129.0.0/23
- Protocols and ports:
- Choose Specified protocols and ports.
- Select the TCP checkbox, and then enter
80
for the port number.
- Name:
Click Create.
gcloud
Create the
fw-allow-health-check
rule to allow the Google Cloud health checks to reach the backend instances on TCP port80
:gcloud compute firewall-rules create fw-allow-health-check \ --network=lb-network \ --action=allow \ --direction=ingress \ --target-tags=allow-health-check \ --source-ranges=130.211.0.0/22,35.191.0.0/16 \ --rules=tcp:80
Create the
fw-allow-ssh
firewall rule to allow SSH connectivity to VMs with the network tagallow-ssh
. When you omitsource-ranges
, Google Cloud interprets the rule to mean any source.gcloud compute firewall-rules create fw-allow-ssh \ --network=lb-network \ --action=allow \ --direction=ingress \ --target-tags=allow-ssh \ --rules=tcp:22
Create an ingress allow firewall rule for the proxy-only subnet to allow the load balancer to communicate with backend instances on TCP port
80
:gcloud compute firewall-rules create fw-allow-proxy-only-subnet \ --network=lb-network \ --action=allow \ --direction=ingress \ --target-tags=allow-proxy-only-subnet \ --source-ranges=10.129.0.0/23 \ --rules=tcp:80
Reserve the load balancer's IP address
Console
In the Google Cloud console, go to the Reserve a static address page.
Choose a name for the new address.
For Network Service Tier, select Standard.
For IP version, select IPv4. IPv6 addresses are not supported.
For Type, select Regional.
For Region, select
REGION_A
.Leave the Attached to option set to None. After you create the load balancer, this IP address is attached to the load balancer's forwarding rule.
Click Reserve to reserve the IP address.
gcloud
To reserve a static external IP address, use the
gcloud compute addresses create
command:gcloud compute addresses create ADDRESS_NAME \ --region=REGION_A \ --network-tier=STANDARD
Replace
ADDRESS_NAME
with the name that you want to call this address.To view the result, use the
gcloud compute addresses describe
command:gcloud compute addresses describe ADDRESS_NAME
Set up the zonal NEG
Set up a zonal NEG with GCE_VM_IP_PORT
type endpoints
in Region A. First create the VMs, and then
create a zonal NEG and add the VMs' network endpoints to the NEG.
Create VMs
Console
In the Google Cloud console, go to the VM instances page.
Click Create instance.
Set Name to
vm-a1
.For Region, select
REGION_A
.For Zone, select
ZONE_A
.In the Boot disk section, ensure that Debian GNU/Linux 12 (bookworm) is selected for the boot disk options. Click Choose to change the image if necessary.
Click Advanced options.
Click Networking, and then configure the following fields:
- For Network tags, enter
allow-ssh
,allow-health-check
, andallow-proxy-only-subnet
. - For Network interfaces, select the following:
- Network:
lb-network
- Subnet:
backend-subnet
- Network:
- For Network tags, enter
Click Management. Enter the following script into the Startup script field:
#! /bin/bash apt-get update apt-get install apache2 -y a2ensite default-ssl a2enmod ssl vm_hostname="$(curl -H "Metadata-Flavor:Google" \ http://metadata.google.internal/computeMetadata/v1/instance/name)" echo "Page served from: $vm_hostname" | \ tee /var/www/html/index.html systemctl restart apache2
Click Create.
Repeat the previous steps to create three more VMs. Use the following name and zone combinations:
- Name:
vm-a2
| Zone:ZONE_A
- Name:
vm-b1
| Zone:ZONE_B
- Name:
vm-b2
| Zone:ZONE_B
- Name:
gcloud
To create the VMs, use the gcloud compute instances create
command
two times. Use the following combinations for
VM_NAME
and
ZONE
. The script contents are identical for
both VMs:
VM_NAME
:vm-a1
andZONE
:ZONE_A
VM_NAME
:vm-a2
andZONE
:ZONE_A
VM_NAME
:vm-b1
andZONE
:ZONE_B
VM_NAME
:vm-b2
andZONE
:ZONE_B
gcloud compute instances create VM_NAME \ --zone=ZONE \ --image-family=debian-12 \ --image-project=debian-cloud \ --tags=allow-ssh,allow-health-check,allow-proxy-only-subnet \ --subnet=backend-subnet \ --metadata=startup-script='#! /bin/bash apt-get update apt-get install apache2 -y a2ensite default-ssl a2enmod ssl vm_hostname="$(curl -H "Metadata-Flavor:Google" \ http://metadata.google.internal/computeMetadata/v1/instance/name)" echo "Page served from: $vm_hostname" | \ tee /var/www/html/index.html systemctl restart apache2'
Create the zonal NEGs
Console
Create a zonal network endpoint group
In the Google Cloud console, go to the Network endpoint groups page.
Click Create network endpoint group.
For Name, enter
zonal-neg-a
.For Network endpoint group type, select Network endpoint group (Zonal).
For Network, select
lb-network
.For Subnet, select
backend-subnet
.For Zone, select
ZONE_A
.For Default port, enter
80
.Click Create.
Repeat all the steps in this section to create a second zonal NEG with the following changes in settings:
- Name:
zonal-neg-b
- Zone:
ZONE_B
- Name:
Add endpoints to the zonal NEGs
In the Google Cloud console, go to the Network endpoint groups page.
Click the name of the network endpoint group that you created in the previous step (for example,
zonal-neg-a
).On the Network endpoint group details page, in the Network endpoints in this group section, click Add network endpoint.
Select a VM instance (for example,
vm-a1
).In the Network interface section, the VM name, zone, and subnet are displayed.
- For IP address, enter the IP address of the new network endpoint. To get the IP address, click Check primary IP addresses and alias IP range in nic0.
- For Port type, select Default. The endpoint uses the default port
80
for all endpoints in the network endpoint group. This is sufficient for our example because the Apache server is serving requests at port80
. - Click Create.
Click Add network endpoint. Select the second VM instance,
vm-a2
, and repeat the previous steps to add its endpoints tozonal-neg-a
.Repeat all the steps in this section to add endpoints from
vm-b1
andvm-b2
tozonal-neg-b
.
gcloud
Create a zonal NEG in the
ZONE_A
zone withGCE_VM_IP_PORT
endpoints:gcloud compute network-endpoint-groups create zonal-neg-a \ --network-endpoint-type=GCE_VM_IP_PORT \ --zone=ZONE_A \ --network=lb-network \ --subnet=backend-subnet
You can either specify the
--default-port
while creating the NEG, or specify a port number for each endpoint as shown in the next step.Add endpoints to the zonal NEG:
gcloud compute network-endpoint-groups update zonal-neg-a \ --zone=ZONE_A \ --add-endpoint='instance=vm-a1,port=80' \ --add-endpoint='instance=vm-a2,port=80'
Create a zonal NEG in the
ZONE_B
zone withGCE_VM_IP_PORT
endpoints:gcloud compute network-endpoint-groups create zonal-neg-b \ --network-endpoint-type=GCE_VM_IP_PORT \ --zone=ZONE_B \ --network=lb-network \ --subnet=backend-subnet
You can either specify the
--default-port
while creating the NEG, or specify a port number for each endpoint as shown in the next step.Add endpoints to the zonal NEG:
gcloud compute network-endpoint-groups update zonal-neg-b \ --zone=ZONE_B \ --add-endpoint='instance=vm-b1,port=80' \ --add-endpoint='instance=vm-b2,port=80'
Configure the load balancer
Console
Start your configuration
In the Google Cloud console, go to the Load balancing page.
- Click Create load balancer.
- For Type of load balancer, select Network Load Balancer (TCP/UDP/SSL) and click Next.
- For Proxy or passthrough, select Proxy load balancer and click Next.
- For Public facing or internal, select Public facing (external) and click Next.
- For Global or single region deployment, select Best for regional workloads and click Next.
- Click Configure.
Basic configuration
- For Name, enter
my-ext-tcp-lb
. - For Region, select
REGION_A
. - For Network, select
lb-network
.
Reserve a proxy-only subnet
- Click Reserve subnet.
- For Name, enter
proxy-only-subnet
. - For IP address range, enter
10.129.0.0/23
. - Click Add.
Configure the backends
- Click Backend configuration.
- For Backend type, select Zonal network endpoint group.
- For Protocol, select TCP.
- Configure the first backend:
- For New backend, select zonal NEG
zonal-neg-a
. - Retain the remaining default values, and then click Done.
- For New backend, select zonal NEG
- Configure the second backend:
- Click Add backend.
- For New backend, select instance group
zonal-neg-b
. - Retain the remaining default values, and then click Done.
- Configure the health check:
- For Health check, select Create a health check.
- Set the health check name to
tcp-health-check
. - For Protocol, select TCP.
- For Port, enter
80
.
- Retain the remaining default values, and then click Save.
- In the Google Cloud console, verify that there is a check mark next to Backend configuration. If not, double-check that you have completed all of the steps.
Configure the frontend
- Click Frontend configuration.
- For Name, enter
ext-tcp-forwarding-rule
. - For Network Service Tier, select Standard.
- For IP address, select
ext-tcp-ip-address
. - For Port number, enter
9090
. The forwarding rule only forwards packets with a matching destination port. - For Proxy protocol, select Off because the PROXY protocol doesn't work with the Apache HTTP Server software. For more information, see PROXY protocol.
- Click Done.
- In the Google Cloud console, verify that there is a check mark next to Frontend configuration. If not, double-check that you have completed all the previous steps.
Review and finalize
- Click Review and finalize.
- Double-check your settings.
- Click Create.
gcloud
Create a regional health check for the backends:
gcloud compute health-checks create tcp tcp-health-check \ --region=REGION_A \ --use-serving-port
Create a backend service:
gcloud compute backend-services create external-tcp-proxy-bs \ --load-balancing-scheme=EXTERNAL_MANAGED \ --protocol=TCP \ --region=REGION_A \ --health-checks=tcp-health-check \ --health-checks-region=REGION_A
Add the zonal NEG in the
ZONE_A
zone to the backend service:gcloud compute backend-services add-backend external-tcp-proxy-bs \ --network-endpoint-group=zonal-neg-a \ --network-endpoint-group-zone=ZONE_A \ --balancing-mode=CONNECTION \ --max-connections-per-endpoint=50 \ --region=REGION_A
Add the zonal NEG in the
ZONE_B
zone to the backend service:gcloud compute backend-services add-backend external-tcp-proxy-bs \ --network-endpoint-group=zonal-neg-b \ --network-endpoint-group-zone=ZONE_B \ --balancing-mode=CONNECTION \ --max-connections-per-endpoint=50 \ --region=REGION_A
Create the target TCP proxy:
gcloud compute target-tcp-proxies create ext-tcp-target-proxy \ --backend-service=external-tcp-proxy-bs \ --region=REGION_A
Create the forwarding rule. For
--ports
, specify a single port number from 1-65535. This example uses port9090
. The forwarding rule only forwards packets with a matching destination port.gcloud compute forwarding-rules create ext-tcp-forwarding-rule \ --load-balancing-scheme=EXTERNAL_MANAGED \ --network=lb-network \ --network-tier=STANDARD \ --address=ext-tcp-ip-address \ --ports=9090 \ --region=REGION_A \ --target-tcp-proxy=ext-tcp-target-proxy \ --target-tcp-proxy-region=REGION_A
Test your load balancer
Now that you have configured your load balancer, you can test sending traffic to the load balancer's IP address.
Get the load balancer's IP address.
To get the IPv4 address, run the following command:
gcloud compute addresses describe ADDRESS_NAME
Send traffic to your load balancer by running the following command. Replace
LB_IP_ADDRESS
with your load balancer's IPv4 address.curl -m1 LB_IP_ADDRESS:9090
What's next
- Convert proxy Network Load Balancer to IPv6
- External proxy Network Load Balancer overview.
- Proxy Network Load Balancer logging and monitoring.
- Add a Private Service Connect.
- Clean up the load balancer setup.