This tutorial describes how to use Google Compute Engine's HTTP(S) load balancer service to distribute traffic to Microsoft Internet Information Services (IIS) web servers across different Compute Engine regions.
You need to load balance traffic for the site
You want to ensure that incoming requests are routed to the closest
region; however, you also want to ensure that in the event of a
failure, or of instances in a region reaching capacity, the requests
can fail over to a healthy instance in the next closest region.
When you finish configuring this scenario, you will have an HTTP(S) load balancer that takes requests through a single global IP address. This IP address will be able to route each incoming request by connection type—that is, HTTP or HTTPS. For HTTPS requests, the load balancer will implement SSL/TLS encryption between the client sending the request and the load balancer.
The following diagram illustrates the load balancer architecture:
Note that the load balancer comprises several components for maximum configurability. For a description of what each component does, see the HTTP(S) Load Balancing overview.
This tutorial assumes the following:
- You're using a Windows machine.
- You've created a Google Cloud Console project.
- You've installed the Cloud SDK,
which includes the
gcloudcommand-line tool. You will use this tool to interact with Google Cloud Platform.
- You've run
gcloud auth loginto authenticate with Google Cloud Platform.
You've read and understood the HTTP(S) Load Balancing overview.
You've set your project to be the default project that the
gcloudtool will interact with. If you haven't, run the following command to do so:
PS C:\> gcloud config set --project <project_name>
Set up your backend instances
In this section, you will create two backend services in different regions. Each backend service will include two backend instances, each running a Microsoft IIS web server on Windows Server 2012. To avoid laborious manual configuration of each server, you will create a disk image from one server instance, and then use this image to create your other server instances.
Create your source image instance
To create the instance that you'll use as a source image:
- On your local Windows machine, open PowerShell.
Create a new Windows Server 2012 instance in the
us-central1region and add
www-tagtags to the instance. Later, you'll enable external access to your instance by creating firewall rules that target these tags:
PS C:\> gcloud compute instances create src-img ^ --zone us-central1-f --image windows-2012-r2 ^ --tags rdp-tag,www-tag
After you create your source image instance, set up firewall rules to allow external access to the instance:
Create a firewall rule to permit external access to port 3389 on all instances tagged
rdp-tag. This rule will allow your source image instance, and any subsequent instances using the
rdp-tagtag, to be accessible using RDP:
PS C:\> gcloud compute firewall-rules create rdp-rule ^ --allow tcp:3389 --source-ranges 0.0.0.0/0 ^ --target-tags rdp-tag
Create another firewall rule to permit external access to port 80 on all instances tagged
www-tag. This rule will allow your source image instance, and any subsequent instances using the
www-tagtag, to send and receive HTTP traffic:
PS C:> gcloud compute firewall-rules create www-rule ^ --allow tcp:80 --source-ranges 0.0.0.0/0 ^ --target-tags www-tag
Configure your source image instance
Next, create a new Windows user on the source image instance and establish an RDP connection:
- In your web browser, visit the
VM instances page
in the Cloud Console and click the name of your source
image instance (
- Click the Create or reset Windows password button.
- In the Set new Windows password dialog, add your username and click Set to create the user account on your instance.
- Copy the provided password and close the dialog box.
On the instance's console page, click RDP.
- If you installed the Chrome RDP extension, the extension window will open. Confirm that you want to connect to the instance, enter your username and password, and then click OK to connect to your instance.
- If you chose not to install the Chrome RDP extension, you'll be given the option to download the RDP file for your instance. Use this file to connect to the instance using Windows Remote Desktop Connection or your preferred third-party client.
After you establish an RDP connection with your source image instance, install IIS and add a default home page:
- On your source image instance, open PowerShell as an administrator.
In PowerShell, paste the following to install your IIS services and dependencies:
PS C:\> Dism /Online /Enable-Feature /FeatureName:IIS-WebServerRole /FeatureName:IIS-WebServer /FeatureName:IIS-StaticContent /FeatureName:IIS-DefaultDocument /FeatureName:IIS-DirectoryBrowsing /FeatureName:IIS-HttpErrors /FeatureName:IIS-HealthAndDiagnostics /FeatureName:IIS-HttpLogging /FeatureName:IIS-LoggingLibraries /FeatureName:IIS-RequestMonitor /FeatureName:IIS-Security /FeatureName:IIS-RequestFiltering /FeatureName:IIS-HttpCompressionStatic /FeatureName:IIS-WebServerManagementTools /FeatureName:IIS-ManagementConsole /FeatureName:WAS-WindowsActivationService /FeatureName:WAS-ProcessModel /FeatureName:WAS-NetFxEnvironment /FeatureName:WAS-ConfigurationAPI /All
After your services are installed, create a new home page in
C:\inetpub\wwwroot, IIS's default web directory:
PS C:\> Echo '<!doctype html><html><body><h1>Hello World!</h1></body></html>' > C:\inetpub\wwwroot\index.html
Verify that your source image instance is able to serve content
In your web browser, navigate to the VM instances page. Click the external IP of your instance to verify that it is serving the home page you created earlier.
Create a reusable Windows Server 2012 image from your source image instance
After verifying that your source image instance is properly configured and able to serve content, create a reusable disk image from the instance's root persistent disk:
- On your source image instance, open PowerShell as an administrator.
Run the following command to prepare your system for cloning:
PS C:> GCESysprep
GCESysprepoperation completes, you will be disconnected from your RDP session automatically.
On your local machine, run the following to delete your source instance while retaining its root persistent disk:
PS C:> gcloud compute instances delete src-img --keep-disks boot
After the instance is deleted, create a new image from the root persistent disk you retained:
PS C:> gcloud compute images create win-be-img --source-disk src-img --source-disk-zone us-central1-f
Create an instance template using your source image
Now that you've created a disk image from your configured Windows server, you can use the image as the source image for an instance template. Later, you'll configure two managed instance groups that will use this template to create new instances.
On your local machine, run the following to create an instance template,
win-be-img as your source image and
your instance tags:
PS C:\> gcloud compute instance-templates create win-be-tmpl ^ --tags rdp-tag,www-tag ^ --image win-be-img
Create a managed instance group for each region
Next, create managed instance groups in each region. After you create each instance group, the group will populate itself with two identical instances based on the instance template you defined earlier. Later, you will configure your load balancer to treat these instance groups as backend targets.
To create your managed instance groups:
On your local machine, run the following command to create a new managed instance group in the zone
us-central1-f, and to populate it with two identical instances:
PS C:> gcloud compute instance-groups managed create us-be-group ^ --base-instance-name us ^ --size 2 ^ --zone us-central1-f ^ --template win-be-tmpl
Do the same in the zone
PS C:\> gcloud compute instance-groups managed create eu-be-group ^ --base-instance-name eu ^ --size 2 ^ --zone europe-west1-d ^ --template win-be-tmpl
Verify that your backend instances are running
In your web browser, navigate to the VM instances page. Click the external IP of each backend to verify that the backend is serving the home page you created earlier.
Create and configure your load balancing service
The Compute Engine load balancing service comprises several components. In this section, you will create these components and connect them together.
On your local machine, run the following to create a new health check. Your load balancer will use this health check to check the health of your backend instances:
PS C:\> gcloud compute http-health-checks create basic-check
Create a backend service:
PS C:\> gcloud compute backend-services create be-srv ^ --protocol HTTP --http-health-check basic-check --global-health-checks
Add your instance groups as backend targets for your backend service:
PS C:\> gcloud beta compute backend-services add-backend be-srv ^ --instance-group us-be-group --zone us-central1-f PS C:\> gcloud beta compute backend-services add-backend be-srv ^ --instance-group eu-be-group --zone europe-west1-d
Create a default URL map that directs all incoming requests to all your instances:
PS C:\> gcloud compute url-maps create lb-map --default-service be-srv
Create an SSL certificate resource. Your load balancer will use this resource to encrypt and decrypt traffic.
If you already have a private key and an SSL certificate from a certificate authority, you can use them to create a new
SSLCertificateresource by running the command below. If not, you can create and use a self-signed certificate for testing. See Creating a private key and certificate for further information.
Run the following command to create your SSL certificate resource. Replace
<crt_file_path>with your certificate's local file path and
<key_file_path>with your private key's file path.
PS C:\> gcloud beta compute ssl-certificates create www-cert ^ --certificate
Create target HTTP and HTTPS proxies to route requests to your URL map. The proxy is the portion of the load balancer that holds the SSL certificate for HTTPS load balancing, so you also associate your certificate with the proxy in this step:
PS C:> gcloud compute target-http-proxies create http-lb-proxy ^ --url-map lb-map PS C:> gcloud beta compute target-https-proxies create https-lb-proxy ^ --url-map lb-map --ssl-certificate www-cert
For your load balancer to reliably receive traffic, you need to assign a global static IP address to the load balancer's global forwarding rule. To create a global static IP resource, run the following command:
PS C:> gcloud compute addresses create lb-ip --global
Take note of the IP address.
Create two global forwarding rules to handle incoming HTTP and HTTPS requests. Each forwarding rule will send traffic to one of the target proxies you created, depending on the IP address, IP protocol, and port specified.
<lb_ip_addr>in the following commands with the static IP address you created in the previous step:
PS C:\> gcloud compute forwarding-rules create http-fwd-rule ^ --address <lb_ip_addr> --global ^ --target-http-proxy http-lb-proxy --port-range 80 PS C:\> gcloud beta compute forwarding-rules create https-fwd-rule ^ --address <lb_ip_addr> --global ^ --target-https-proxy https-lb-proxy --port-range 443
After you create the global forwarding rules, it can take several minutes for your configuration to propagate. To check the progress of the propagation, you can either monitor your configuration in the Google Cloud Console or run the following command on your local machine:
PS C:\> gcloud compute backend-services get-health be-srv
Send traffic to your backends
Now that you've configured your load balancing service, you can start sending traffic to the forwarding rule and watch the traffic be dispersed to different instances.
To send traffic to your backends:
- Open the Load balancing page in the Cloud Console.
- Click the name of your load balancer.
- In the Backend section of the page, confirm that instances are healthy by checking the Healthy column. It can take a few moments for the display to indicate that the instances are healthy.
- Once the display shows that the instances are healthy, copy the IP:Port from the Frontend section and paste that into your browser.
In your browser you should see your default content page displayed.
Restrict access to your backends
After you have verified that everything is working as intended, modify your firewall rules so HTTP(S) traffic can only come from your load balancing service:
On your local machine, run the following command to update your
www-rulefirewall rule. This restricts traffic from all IP ranges except the ranges
184.108.40.206/16, which are the HTTP(S) load balancing proxy and health check IP ranges:
PS C:\> gcloud compute firewall-rules update www-rule ^ --source-ranges 220.127.116.11/22,18.104.22.168/16 ^ --target-tags www-tag
In your web browser, navigate to the VM instances page.
Click each instance to verify that the instance is now inaccessible.
Simulate an outage
You can simulate an outage for one or more instances in a region so that you can observe how the load will be balanced among the remaining healthy instances.
To stop an instance from receiving additional requests:
- Establish an RDP connection to the instance.
- On the instance, open PowerShell as an administrator.
Run the following command to create a new firewall rule on the instance. This command blocks the health check traffic from the health checker and prevents all new HTTP connections from the load balancer to the instance:
PS C:\> netsh advfirewall firewall add rule name="Outage Test" protocol=tcp dir=in localport=80 action=block remoteip=22.214.171.124/22,126.96.36.199/16
On your local machine, run the following command to verify that the instance now reports an
PS C:\> gcloud compute backend-services get-health be-srv
After the instance starts reporting an
UNHEALTHYstatus, send a request to your load balancer. Only the healthy instances should respond.
After you've finished simulating an outage, you can restore your instance's connectivity by deleting the firewall rule. After opening PowerShell as an administrator on the unhealthy instance, run the following command to delete the rule:
PS C:\> netsh advfirewall firewall delete rule name="Outage Test"
After you've finished the Microsoft IIS tutorial, you can clean up the resources that you created on Google Cloud so they won't take up quota and you won't be billed for them in the future. The following sections describe how to delete or turn off these resources.
Delete your Google Cloud Platform project
The easiest way to eliminate billing is to delete the project that you created for the tutorial.
To delete the project:
- In the Cloud Console, go to the Manage resources page.
- In the project list, select the project that you want to delete and then click Delete delete.
- In the dialog, type the project ID and then click Shut down to delete the project.
Delete your instances
To delete a Compute Engine instance:
- In the Cloud Console, go to the VM Instances page.
- Click the checkbox for the instance you want to delete.
- Click Delete delete to delete the instance.
Delete your persistent disks
To delete a Compute Engine disk:
- In the Cloud Console, go to the Disks page.
- Click the checkbox for the disk you want to delete.
- Click Delete delete to delete the disk.
Read more about using Windows on Compute Engine
Review the documentation for Windows instances on Compute Engine.
Try other tutorials
Try out other Google Cloud features for yourself. Have a look at our tutorials.