This tutorial describes how to use Compute Engine's external HTTP(S) load balancer service to distribute traffic to Microsoft Internet Information Services (IIS) web servers across different Compute Engine regions.
You must load balance traffic for the site
You want to ensure that incoming requests are routed to the closest
region. You also want to ensure that requests can fail over to a healthy
instance in the next closest region, if needed.
When you finish configuring this scenario, you have an external HTTP(S) load balancer that takes requests through a single global IP address. This IP address can route each incoming request by connection type—that is, HTTP or HTTPS. For HTTPS requests, the load balancer implements SSL/TLS encryption between the client sending the request and the load balancer.
The following diagram illustrates the load balancer architecture:
The load balancer has several components for maximum configurability. For a description of what each component does, see the HTTP(S) Load Balancing overview.
- Compute Engine virtual machine instances
- Compute Engine persistent disks
- Windows Server 2012 machine images
The cost of running this tutorial varies depending on runtime, number of instances, disk size, and machine type. Use the pricing calculator to generate a cost estimate based on your projected usage. If you are new to Google Cloud, you might be eligible for a free trial.
This tutorial assumes the following:
- You're using a Windows machine.
- You've created a Google Cloud console project.
- You've installed the gcloud CLI. You use this tool to interact with Google Cloud.
- You've run
gcloud auth loginto authenticate with Google Cloud.
- You've installed a Remote Desktop Protocol (RDP) client of your choice. For more information, see Microsoft Remote Desktop clients. If you already have an RDP client installed, you can skip this task.
You've read and understood the HTTP(S) Load Balancing overview.
You've set your project to be the default project that the gcloud CLI interacts with. If you haven't, run the following command to do so:
PS C:\> gcloud config set --project <project_name>
Set up your backend instances
In this section, you create two backend services in different regions. Each backend service includes two backend instances, each running a Microsoft IIS web server on Windows Server 2012. To avoid manual configuration of each server, you create a disk image from one server instance, and then use this image to create your other server instances.
Create your source image instance
To create the instance that you'll use as a source image:
- On your local Windows machine, open PowerShell.
Create a new Windows Server 2012 instance in the
us-central1region and add
www-tagtags to the instance. Later, you enable external access to your instance by creating firewall rules that specify these tags:
PS C:\> gcloud compute instances create src-img ^ --zone us-central1-f --image windows-2012-r2 ^ --tags rdp-tag,www-tag
After you create your source image instance, set up firewall rules to allow external access to the instance:
Create a firewall rule to permit external access to port 3389 on all instances tagged
rdp-tag. This rule allows your source image instance, and any subsequent instances using the
rdp-tagtag, to be accessible using RDP:
PS C:\> gcloud compute firewall-rules create rdp-rule ^ --allow tcp:3389 --source-ranges 0.0.0.0/0 ^ --target-tags rdp-tag
Create another firewall rule to permit external access to port 80 on all instances tagged
www-tag. This rule allows your source image instance, and any subsequent instances using the
www-tagtag, to send and receive HTTP traffic:
PS C:> gcloud compute firewall-rules create www-rule ^ --allow tcp:80 --source-ranges 0.0.0.0/0 ^ --target-tags www-tag
Configure your source image instance
Next, create a new Windows user on the source image instance and establish an RDP connection:
- In your web browser, visit the
VM instances page
in the Google Cloud console
and click the name of your source
image instance (
- Click the Set Windows password button.
- In the Set new Windows password dialog, add your username.
- Click Set to create the user account on your instance.
- Copy the provided password and close the dialog.
Click the RDP dropdown and select the Download the RDP file option to download the RDP file for your instance.
Use this file to connect to the instance using an RDP client. For more information, see Microsoft Remote Desktop clients.
After you establish an RDP connection with your source image instance, install IIS and add a default home page:
- On your source image instance, open PowerShell as an administrator.
In PowerShell, paste the following to install your IIS services and dependencies:
PS C:\> Dism /Online /Enable-Feature /FeatureName:IIS-WebServerRole /FeatureName:IIS-WebServer /FeatureName:IIS-StaticContent /FeatureName:IIS-DefaultDocument /FeatureName:IIS-DirectoryBrowsing /FeatureName:IIS-HttpErrors /FeatureName:IIS-HealthAndDiagnostics /FeatureName:IIS-HttpLogging /FeatureName:IIS-LoggingLibraries /FeatureName:IIS-RequestMonitor /FeatureName:IIS-Security /FeatureName:IIS-RequestFiltering /FeatureName:IIS-HttpCompressionStatic /FeatureName:IIS-WebServerManagementTools /FeatureName:IIS-ManagementConsole /FeatureName:WAS-WindowsActivationService /FeatureName:WAS-ProcessModel /FeatureName:WAS-NetFxEnvironment /FeatureName:WAS-ConfigurationAPI /All
After your services are installed, create a new home page in
C:\inetpub\wwwroot, IIS's default web directory:
PS C:\> Echo '<!doctype html><html><body><h1>Hello World!</h1></body></html>' > C:\inetpub\wwwroot\index.html
Verify that your source image instance is able to serve content
In your web browser, navigate to the VM instances page. Click the external IP of your instance to verify that it is serving the home page you created earlier.
Create a reusable Windows Server 2012 image from your source image instance
After verifying that your source image instance is properly configured and able to serve content, create a reusable disk image from the instance's root persistent disk:
- On your source image instance, open PowerShell as an administrator.
Run the following command to prepare your system for cloning:
PS C:> GCESysprep
GCESysprepoperation completes, you are disconnected from your RDP session automatically.
On your local machine, run the following to delete your source instance while retaining its root persistent disk:
PS C:> gcloud compute instances delete src-img --keep-disks boot
After the instance is deleted, create a new image from the root persistent disk you retained:
PS C:> gcloud compute images create win-be-img --source-disk src-img --source-disk-zone us-central1-f
Create an instance template using your source image
Now that you've created a disk image from your configured Windows server, you can use the image as the source image for an instance template. Later, you configure two managed instance groups that use this template to create new instances.
On your local machine, run the following to create an instance template,
win-be-img as your source image and
your instance tags:
PS C:\> gcloud compute instance-templates create win-be-tmpl ^ --tags rdp-tag,www-tag ^ --image win-be-img
Create a managed instance group for each region
Next, create managed instance groups in each region. After you create each instance group, the group populates itself with two identical instances based on the instance template you defined earlier. Later, you configure your load balancer to treat these instance groups as backend targets.
To create your managed instance groups:
On your local machine, run the following command to create a new managed instance group in the zone
us-central1-f, and to populate it with two identical instances:
PS C:> gcloud compute instance-groups managed create us-be-group ^ --base-instance-name us ^ --size 2 ^ --zone us-central1-f ^ --template win-be-tmpl
Do the same in the zone
PS C:\> gcloud compute instance-groups managed create eu-be-group ^ --base-instance-name eu ^ --size 2 ^ --zone europe-west1-d ^ --template win-be-tmpl
Verify that your backend instances are running
In your web browser, navigate to the VM instances page. Click the external IP of each backend to verify that the backend is serving the home page you created earlier.
Create and configure your load balancing service
The Compute Engine load balancing service comprises several components. In this section, you create these components and connect them together.
On your local machine, run the following to create a new health check. Your load balancer uses this health check to check the health of your backend instances:
PS C:\> gcloud compute http-health-checks create basic-check
Create a backend service:
PS C:\> gcloud compute backend-services create be-srv ^ --protocol HTTP --http-health-check basic-check --global-health-checks
Add your instance groups as backend targets for your backend service:
PS C:\> gcloud beta compute backend-services add-backend be-srv ^ --instance-group us-be-group --zone us-central1-f PS C:\> gcloud beta compute backend-services add-backend be-srv ^ --instance-group eu-be-group --zone europe-west1-d
Create a default URL map that directs all incoming requests to all your instances:
PS C:\> gcloud compute url-maps create lb-map --default-service be-srv
Create an SSL certificate resource. Your load balancer uses this resource to encrypt and decrypt traffic.
If you already have a private key and an SSL certificate from a certificate authority, you can use them to create a new
SSLCertificateresource by running the command below. If not, you can create and use a self-signed certificate for testing. See Creating a private key and certificate for further information.
Run the following command to create your SSL certificate resource. Replace
<crt_file_path>with your certificate's local path and
<key_file_path>with your private key's path.
PS C:\> gcloud beta compute ssl-certificates create www-cert ^ --certificate
Create target HTTP and HTTPS proxies to route requests to your URL map. The proxy is the portion of the load balancer that holds the SSL certificate for HTTP(S) Load Balancing, so you also associate your certificate with the proxy in this step:
PS C:> gcloud compute target-http-proxies create http-lb-proxy ^ --url-map lb-map PS C:> gcloud beta compute target-https-proxies create https-lb-proxy ^ --url-map lb-map --ssl-certificate www-cert
For your load balancer to reliably receive traffic, you need to assign a global static IP address to the load balancer's global forwarding rule. To create a global static IP resource, run the following command:
PS C:> gcloud compute addresses create lb-ip --global
Take note of the IP address.
Create two global forwarding rules to handle incoming HTTP and HTTPS requests. Each forwarding rule sends traffic to one of the target proxies you created, depending on the IP address, IP protocol, and port specified.
<lb_ip_addr>in the following commands with the static IP address you created in the previous step:
PS C:\> gcloud compute forwarding-rules create http-fwd-rule ^ --address <lb_ip_addr> --global ^ --target-http-proxy http-lb-proxy --port-range 80 PS C:\> gcloud beta compute forwarding-rules create https-fwd-rule ^ --address <lb_ip_addr> --global ^ --target-https-proxy https-lb-proxy --port-range 443
After you create the global forwarding rules, it can take several minutes for your configuration to propagate. To check the progress of the propagation, you can either monitor your configuration in the Google Cloud console or run the following command on your local machine:
PS C:\> gcloud compute backend-services get-health be-srv
Send traffic to your backends
Now that you've configured your load balancing service, you can start sending traffic to the forwarding rule and watch the traffic be dispersed to different instances.
To send traffic to your backends:
- Open the Load balancing page in the Google Cloud console .
- Click the name of your load balancer.
- In the Backend section of the page, confirm that instances are healthy by checking the Healthy column. It can take a few moments for the display to indicate that the instances are healthy.
- After the display shows that the instances are healthy, copy the IP:Port from the Frontend section and paste that into your browser.
In your browser, you should see your default content page displayed.
Restrict access to your backends
After you have verified that everything is working as intended, modify your firewall rules so HTTP(S) traffic can only come from your load balancing service:
On your local machine, run the following command to update your
www-rulefirewall rule. This command restricts traffic from all IP ranges, except the ranges
188.8.131.52/16, which are the HTTP(S) Load Balancing proxy and health check IP ranges:
PS C:\> gcloud compute firewall-rules update www-rule ^ --source-ranges 184.108.40.206/22,220.127.116.11/16 ^ --target-tags www-tag
In your web browser, navigate to the VM instances page.
Click each instance to verify that the instance is now inaccessible.
Simulate an outage
You can simulate an outage for one or more instances in a region so that you can observe how the load is balanced among the remaining healthy instances.
To stop an instance from receiving additional requests:
- Establish an RDP connection to the instance.
- On the instance, open PowerShell as an administrator.
Run the following command to create a new firewall rule on the instance. This command blocks the health check traffic from the health checker and prevents all new HTTP connections from the load balancer to the instance:
PS C:\> netsh advfirewall firewall add rule name="Outage Test" protocol=tcp dir=in localport=80 action=block remoteip=18.104.22.168/22,22.214.171.124/16
On your local machine, run the following command to verify that the instance now reports an
PS C:\> gcloud compute backend-services get-health be-srv
After the instance starts reporting an
UNHEALTHYstatus, send a request to your load balancer. Only the healthy instances should respond.
After you've finished simulating an outage, you can restore your instance's connectivity by deleting the firewall rule. After opening PowerShell as an administrator on the unhealthy instance, run the following command to delete the rule:
PS C:\> netsh advfirewall firewall delete rule name="Outage Test"
After you finish the tutorial, you can clean up the resources that you created so that they stop using quota and incurring charges. The following sections describe how to delete or turn off these resources.
Delete your Google Cloud project
The easiest way to eliminate billing is to delete the project that you created for the tutorial.
To delete the project:
- In the Google Cloud console, go to the Manage resources page.
- In the project list, select the project that you want to delete, and then click Delete.
- In the dialog, type the project ID, and then click Shut down to delete the project.
Delete your instances
To delete a Compute Engine instance:
- In the Google Cloud console, go to the VM instances page.
- Select the checkbox for the instance that you want to delete.
- To delete the instance, click More actions, click Delete, and then follow the instructions.
Delete your persistent disks
To delete a Compute Engine disk:
- In the Google Cloud console, go to the Disks page.
- Select the checkbox for the disk that you want to delete.
- To delete the disk, click Delete.
Read more about using Windows on Compute Engine
Review the documentation for Windows instances on Compute Engine.
Try other tutorials
Explore reference architectures, diagrams, tutorials, and best practices about Google Cloud. Take a look at our Cloud Architecture Center.