Cross-region load balancing using Microsoft IIS backends

This tutorial describes how to use Compute Engine's external HTTP(S) load balancer service to distribute traffic to Microsoft Internet Information Services (IIS) web servers across different Compute Engine regions.

Scenario

You must load balance traffic for the site www.example.com. You want to ensure that incoming requests are routed to the closest region. You also want to ensure that requests can fail over to a healthy instance in the next closest region, if needed.

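When you finish configuring this scenario, you have an external HTTP(S) load balancer that takes requests through a single global IP address. This IP address can route each incoming request by connection type—that is, HTTP or HTTPS. For HTTPS requests, the load balancer implements SSL/TLS encryption between the client sending the request and the load balancer. TLS terminates at the load balancer: the backend service in this tutorial is created with --protocol HTTP, so the load balancer forwards requests to the IIS backends over HTTP on port 80.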

The following diagram illustrates the load balancer architecture:

Cross-region load balancing diagram

The load balancer has several components for maximum configurability. For a description of what each component does, see the External HTTP(S) load balancer overview.

This tutorial uses the following Compute Engine resources:

  • Compute Engine virtual machine instances
  • Compute Engine persistent disks
  • Windows Server 2012 machine images

The cost of running this tutorial varies depending on runtime, number of instances, disk size, and machine type. Use the pricing calculator to generate a cost estimate based on your projected usage. If you are new to Google Cloud, you might be eligible for a free trial.

This tutorial assumes the following:

  • You're using a Windows machine.
  • You've created a Google Cloud console project.
  • You've installed the gcloud CLI. You use this tool to interact with Google Cloud.
  • You've run gcloud auth login to authenticate with Google Cloud.
  • You've installed a Remote Desktop Protocol (RDP) client of your choice. For more information, see Microsoft Remote Desktop clients. If you already have an RDP client installed, you can skip this task.
  • You've read and understood the External HTTP(S) load balancer overview.

  • You've set your project to be the default project that the gcloud CLI interacts with. If you haven't, run the following command to do so:

    PS C:\> gcloud config set project <project_name>
    

Set up your backend instances

In this section, you create two backend services in different regions. Each backend service includes two backend instances, each running a Microsoft IIS web server on Windows Server 2012. To avoid manual configuration of each server, you create a disk image from one server instance, and then use this image to create your other server instances.

Create your source image instance

To create the instance that you'll use as a source image:

  1. On your local Windows machine, open PowerShell.
  2. Create a new Windows Server 2012 instance in the us-central1 region and add rdp-tag and www-tag tags to the instance. Later, you enable external access to your instance by creating firewall rules that specify these tags:

    PS C:\> gcloud compute instances create src-img `
         --zone us-central1-f --image windows-2012-r2 `
         --tags rdp-tag,www-tag

After you create your source image instance, set up firewall rules to allow external access to the instance:

  1. Create a firewall rule to permit external access to port 3389 on all instances tagged rdp-tag. This rule makes your source image instance, and any subsequent instances using the rdp-tag tag, reachable over RDP. The source range 0.0.0.0/0 exposes RDP to the entire internet; outside a short-lived test, set --source-ranges to the addresses you administer from:

    PS C:\> gcloud compute firewall-rules create rdp-rule `
         --allow tcp:3389 --source-ranges 0.0.0.0/0 `
         --target-tags rdp-tag
  2. Create another firewall rule to permit external access to port 80 on all instances tagged www-tag. This rule allows your source image instance, and any subsequent instances using the www-tag tag, to send and receive HTTP traffic:

    PS C:\> gcloud compute firewall-rules create www-rule `
         --allow tcp:80 --source-ranges 0.0.0.0/0 `
         --target-tags www-tag

Configure your source image instance

Next, create a new Windows user on the source image instance and establish an RDP connection:

  1. In your web browser, visit the VM instances page in the Google Cloud console and click the name of your source image instance (src-img).
  2. Click the Set Windows password button.
  3. In the Set new Windows password dialog, add your username.
  4. Click Set to create the user account on your instance.
  5. Copy the provided password and close the dialog.
  6. Click the RDP dropdown and select the Download the RDP file option to download the RDP file for your instance.

    Use this file to connect to the instance using an RDP client. For more information, see Microsoft Remote Desktop clients.

After you establish an RDP connection with your source image instance, install IIS and add a default home page:

  1. On your source image instance, open PowerShell as an administrator.
  2. In PowerShell, paste the following to install your IIS services and dependencies:

    PS C:\> Dism /Online /Enable-Feature /FeatureName:IIS-WebServerRole /FeatureName:IIS-WebServer /FeatureName:IIS-StaticContent /FeatureName:IIS-DefaultDocument /FeatureName:IIS-DirectoryBrowsing /FeatureName:IIS-HttpErrors /FeatureName:IIS-HealthAndDiagnostics /FeatureName:IIS-HttpLogging /FeatureName:IIS-LoggingLibraries /FeatureName:IIS-RequestMonitor /FeatureName:IIS-Security /FeatureName:IIS-RequestFiltering /FeatureName:IIS-HttpCompressionStatic /FeatureName:IIS-WebServerManagementTools /FeatureName:IIS-ManagementConsole /FeatureName:WAS-WindowsActivationService /FeatureName:WAS-ProcessModel /FeatureName:WAS-NetFxEnvironment /FeatureName:WAS-ConfigurationAPI /All
  3. After your services are installed, create a new home page in C:\inetpub\wwwroot, IIS's default web directory:

    PS C:\> Echo '<!doctype html><html><body><h1>Hello World!</h1></body></html>' > C:\inetpub\wwwroot\index.html

Verify that your source image instance is able to serve content

In your web browser, navigate to the VM instances page. Click the external IP of your instance to verify that it is serving the home page you created earlier.

Create a reusable Windows Server 2012 image from your source image instance

After verifying that your source image instance is properly configured and able to serve content, create a reusable disk image from the instance's root persistent disk:

  1. On your source image instance, open PowerShell as an administrator.
  2. Run the following command to prepare your system for cloning:

    PS C:\> GCESysprep

    When the GCESysprep operation completes, you are disconnected from your RDP session automatically.

  3. On your local machine, run the following to delete your source instance while retaining its root persistent disk:

    PS C:\> gcloud compute instances delete src-img --keep-disks boot

  4. After the instance is deleted, create a new image from the root persistent disk you retained:

    PS C:\> gcloud compute images create win-be-img --source-disk src-img --source-disk-zone us-central1-f

Create an instance template using your source image

Now that you've created a disk image from your configured Windows server, you can use the image as the source image for an instance template. Later, you configure two managed instance groups that use this template to create new instances.

On your local machine, run the following to create an instance template, using win-be-img as your source image and rdp-tag and www-tag as your instance tags:

PS C:\> gcloud compute instance-templates create win-be-tmpl `
    --tags rdp-tag,www-tag `
    --image win-be-img

Create a managed instance group for each region

Next, create managed instance groups in each region. After you create each instance group, the group populates itself with two identical instances based on the instance template you defined earlier. Later, you configure your load balancer to treat these instance groups as backend targets.

To create your managed instance groups:

  1. On your local machine, run the following command to create a new managed instance group in the zone us-central1-f, and to populate it with two identical instances:

    PS C:\> gcloud compute instance-groups managed create us-be-group `
          --base-instance-name us `
          --size 2 `
          --zone us-central1-f `
          --template win-be-tmpl

  2. Do the same in the zone europe-west1-d:

    PS C:\> gcloud compute instance-groups managed create eu-be-group `
          --base-instance-name eu `
          --size 2 `
          --zone europe-west1-d `
          --template win-be-tmpl

Verify that your backend instances are running

In your web browser, navigate to the VM instances page. Click the external IP of each backend to verify that the backend is serving the home page you created earlier.

Create and configure your load balancing service

The Compute Engine load balancing service comprises several components. In this section, you create these components and connect them together.

  1. On your local machine, run the following to create a new health check. Your load balancer uses this health check to check the health of your backend instances:

    PS C:\> gcloud compute http-health-checks create basic-check
  2. Create a backend service:

    PS C:\> gcloud compute backend-services create be-srv `
          --protocol HTTP --http-health-check basic-check --global-health-checks
  3. Add your instance groups as backend targets for your backend service:

    PS C:\> gcloud beta compute backend-services add-backend be-srv `
          --instance-group us-be-group --zone us-central1-f
    PS C:\> gcloud beta compute backend-services add-backend be-srv `
          --instance-group eu-be-group --zone europe-west1-d
  4. Create a default URL map that directs all incoming requests to all your instances:

    PS C:\> gcloud compute url-maps create lb-map --default-service be-srv
  5. Create an SSL certificate resource. Your load balancer uses this resource to encrypt and decrypt traffic.

    If you already have a private key and an SSL certificate from a certificate authority, you can use them to create a new SSLCertificate resource by running the command below. If not, you can create and use a self-signed certificate for testing. See Creating a private key and certificate for further information.

    Run the following command to create your SSL certificate resource. Replace <crt_file_path> with your certificate's local path and <key_file_path> with your private key's path.

    PS C:\> gcloud beta compute ssl-certificates create www-cert `
          --certificate <crt_file_path> --private-key <key_file_path>
  6. Create target HTTP and HTTPS proxies to route requests to your URL map. The proxy is the portion of the load balancer that holds the SSL certificate for the load balancer, so you also associate your certificate with the proxy in this step:

    PS C:\> gcloud compute target-http-proxies create http-lb-proxy `
          --url-map lb-map
    PS C:\> gcloud beta compute target-https-proxies create https-lb-proxy `
          --url-map lb-map --ssl-certificate www-cert

  7. For your load balancer to reliably receive traffic, you need to assign a global static IP address to the load balancer's global forwarding rule. To create a global static IP resource, run the following command:

    PS C:\> gcloud compute addresses create lb-ip --global

    Take note of the IP address.

  8. Create two global forwarding rules to handle incoming HTTP and HTTPS requests. Each forwarding rule sends traffic to one of the target proxies you created, depending on the IP address, IP protocol, and port specified.

    Replace <lb_ip_addr> in the following commands with the static IP address you created in the previous step:

    PS C:\> gcloud compute forwarding-rules create http-fwd-rule `
          --address <lb_ip_addr> --global `
          --target-http-proxy http-lb-proxy --port-range 80
    PS C:\> gcloud beta compute forwarding-rules create https-fwd-rule `
          --address <lb_ip_addr> --global `
          --target-https-proxy https-lb-proxy --port-range 443

After you create the global forwarding rules, it can take several minutes for your configuration to propagate. To check the progress of the propagation, you can either monitor your configuration in the Google Cloud console or run the following command on your local machine:

PS C:\> gcloud compute backend-services get-health be-srv

Send traffic to your backends

Now that you've configured your load balancing service, you can start sending traffic to the forwarding rule and watch the traffic be dispersed to different instances.

To send traffic to your backends:

  1. Open the Load balancing page in the Google Cloud console.
  2. Click the name of your load balancer.
  3. In the Backend section of the page, confirm that instances are healthy by checking the Healthy column. It can take a few moments for the display to indicate that the instances are healthy.
  4. After the display shows that the instances are healthy, copy the IP:Port from the Frontend section and paste that into your browser.
  5. In your browser, you should see your default content page displayed.

Restrict access to your backends

After you have verified that everything is working as intended, modify your firewall rules so HTTP(S) traffic can only come from your load balancing service:

  1. On your local machine, run the following command to update your www-rule firewall rule. This command limits the rule's source ranges to 130.211.0.0/22 and 35.191.0.0/16, which are the load balancer's proxy and health check IP ranges, and blocks HTTP traffic from all other IP ranges:

    PS C:\> gcloud compute firewall-rules update www-rule `
           --source-ranges 130.211.0.0/22,35.191.0.0/16 `
           --target-tags www-tag
  2. In your web browser, navigate to the VM instances page.

  3. Click each instance to verify that the instance is now inaccessible.
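
To confirm the restriction from the rule definitions rather than by clicking each instance, the following added example (not part of the original tutorial) audits firewall rules for tcp:80 open beyond the load balancer ranges and for RDP open to any address. The function names are hypothetical and the JSON is constructed sample data in the shape printed by gcloud compute firewall-rules list --format=json.

```powershell
# Added example: audit ingress rules after the "Restrict access" step.
# $sampleJson is constructed data in the shape printed by:
#   gcloud compute firewall-rules list --format=json
$sampleJson = @'
[
 {"name":"rdp-rule","direction":"INGRESS","sourceRanges":["0.0.0.0/0"],
  "targetTags":["rdp-tag"],"allowed":[{"IPProtocol":"tcp","ports":["3389"]}]},
 {"name":"www-rule","direction":"INGRESS",
  "sourceRanges":["130.211.0.0/22","35.191.0.0/16"],
  "targetTags":["www-tag"],"allowed":[{"IPProtocol":"tcp","ports":["80"]}]}
]
'@

# Load balancer proxy and health check ranges named in the tutorial.
$LbRanges = @('130.211.0.0/22', '35.191.0.0/16')

# True when any "allowed" entry of the rule covers the given TCP port.
function Test-AllowsTcpPort($Rule, [int]$Port) {
    foreach ($entry in @($Rule.allowed)) {
        if ($entry.IPProtocol -notin @('tcp', 'all')) { continue }
        if (-not $entry.ports) { return $true }   # no ports listed = all ports
        foreach ($p in $entry.ports) {
            $lo, $hi = ($p -split '-')            # "80" or a range such as "1-1024"
            if (-not $hi) { $hi = $lo }
            if ($Port -ge [int]$lo -and $Port -le [int]$hi) { return $true }
        }
    }
    return $false
}

# Emits one finding string per rule that leaves a backend port too widely open.
function Get-BackendFirewallFinding($Rules) {
    foreach ($rule in $Rules) {
        if ($rule.direction -ne 'INGRESS' -or $rule.disabled) { continue }
        $wide = @(@($rule.sourceRanges) | Where-Object { $_ -and $_ -notin $LbRanges })
        if ((Test-AllowsTcpPort $rule 80) -and ($wide.Count -gt 0)) {
            "{0}: tcp:80 allowed from {1}" -f $rule.name, ($wide -join ',')
        }
        if ((Test-AllowsTcpPort $rule 3389) -and ($rule.sourceRanges -contains '0.0.0.0/0')) {
            "{0}: tcp:3389 (RDP) allowed from any address" -f $rule.name
        }
    }
}

# For live data, replace $sampleJson with the gcloud command's output.
$rules = $sampleJson | ConvertFrom-Json
Get-BackendFirewallFinding $rules
```

On the sample data, www-rule passes and rdp-rule is still reported, because the restriction step in this tutorial changes only the HTTP rule.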

Simulate an outage

You can simulate an outage for one or more instances in a region so that you can observe how the load is balanced among the remaining healthy instances.

To stop an instance from receiving additional requests:

  1. Establish an RDP connection to the instance.
  2. On the instance, open PowerShell as an administrator.
  3. Run the following command to create a new firewall rule on the instance. This command blocks the health check traffic from the health checker and prevents all new HTTP connections from the load balancer to the instance:

    PS C:\> netsh advfirewall firewall add rule name="Outage Test" protocol=tcp dir=in localport=80 action=block remoteip=130.211.0.0/22,35.191.0.0/16
  4. On your local machine, run the following command to verify that the instance now reports an UNHEALTHY status:

    PS C:\> gcloud compute backend-services get-health be-srv
  5. After the instance starts reporting an UNHEALTHY status, send a request to your load balancer. Only the healthy instances should respond.

  6. After you've finished simulating an outage, you can restore your instance's connectivity by deleting the firewall rule. After opening PowerShell as an administrator on the unhealthy instance, run the following command to delete the rule:

    PS C:\> netsh advfirewall firewall delete rule name="Outage Test"
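
During the outage test it helps to see health per instance group, since a group with no healthy instances is the point at which requests fail over to the other region. The following added example (not part of the original tutorial) summarizes get-health output; the function name is hypothetical, and the JSON is constructed sample data with shortened URLs and placeholder project and instance names.

```powershell
# Added example: summarize backend health per instance group.
# $sampleJson is constructed data in the shape printed by the tutorial's
#   gcloud compute backend-services get-health be-srv
# command when --format=json is appended (URLs shortened, names are placeholders).
$sampleJson = @'
[
 {"backend":"projects/PROJECT/zones/us-central1-f/instanceGroups/us-be-group",
  "status":{"healthStatus":[
   {"instance":"projects/PROJECT/zones/us-central1-f/instances/us-a1b2","healthState":"UNHEALTHY"},
   {"instance":"projects/PROJECT/zones/us-central1-f/instances/us-c3d4","healthState":"HEALTHY"}]}},
 {"backend":"projects/PROJECT/zones/europe-west1-d/instanceGroups/eu-be-group",
  "status":{"healthStatus":[
   {"instance":"projects/PROJECT/zones/europe-west1-d/instances/eu-e5f6","healthState":"HEALTHY"},
   {"instance":"projects/PROJECT/zones/europe-west1-d/instances/eu-g7h8","healthState":"HEALTHY"}]}}
]
'@

# Returns one object per backend instance group with healthy/total counts.
function Get-BackendHealthSummary($Backends) {
    foreach ($b in $Backends) {
        # A group with no instances has no healthStatus list; drop the null.
        $states  = @(@($b.status.healthStatus) | Where-Object { $_ })
        $healthy = @($states | Where-Object { $_.healthState -eq 'HEALTHY' })
        $down    = @($states | Where-Object { $_.healthState -ne 'HEALTHY' })
        [pscustomobject]@{
            Group   = ($b.backend -split '/')[-1]
            Zone    = (($b.backend -split '/zones/')[1] -split '/')[0]
            Healthy = $healthy.Count
            Total   = $states.Count
            # Instance names that are not passing the health check.
            Down    = @($down | ForEach-Object { ($_.instance -split '/')[-1] }) -join ','
            # False means this group receives no new requests from the load balancer.
            Serving = ($healthy.Count -gt 0)
        }
    }
}

# For live data, replace $sampleJson with the gcloud command's output.
$backends = $sampleJson | ConvertFrom-Json
Get-BackendHealthSummary $backends | Format-Table -AutoSize
```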

Clean up

After you finish the tutorial, you can clean up the resources that you created so that they stop using quota and incurring charges. The following sections describe how to delete or turn off these resources.

Delete your Google Cloud project

The easiest way to eliminate billing is to delete the project that you created for the tutorial.

To delete the project:

  1. In the Google Cloud console, go to the Manage resources page.

  2. In the project list, select the project that you want to delete, and then click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

Delete your instances

To delete a Compute Engine instance:

  1. In the Google Cloud console, go to the VM instances page.

  2. Select the checkbox for the instance that you want to delete.
  3. To delete the instance, click More actions, click Delete, and then follow the instructions.

Delete your persistent disks

To delete a Compute Engine disk:

  1. In the Google Cloud console, go to the Disks page.

  2. Select the checkbox for the disk that you want to delete.
  3. To delete the disk, click Delete.

Next steps

Read more about using Windows on Compute Engine

Review the documentation for Windows instances on Compute Engine.

Try other tutorials

Explore reference architectures, diagrams, and best practices about Google Cloud. Take a look at our Cloud Architecture Center.