Using SSL Policies

SSL policies give you the ability to control the features of SSL that your Google Cloud load balancers negotiate with clients. In this document, the term SSL refers to both the SSL and TLS protocols.

SSL policies are supported with the following load balancers:

  • Global SSL policies
    • Global external HTTP(S) load balancer
    • Global external HTTP(S) load balancer (classic)
    • SSL proxy load balancer
  • Regional SSL policies
    • Regional external HTTP(S) load balancer
    • Internal HTTP(S) load balancer

For more information on how SSL policies work, see SSL policies overview.

You can create and manage SSL policies using the Console or gcloud command-line tool when you create an HTTPS or SSL load balancer or at any time after you create the load balancer.

To create and manage regional SSL policies, make sure you're running Google Cloud CLI version 387 or later.

Create SSL policies

You can create SSL policies with Google-managed profiles or with a custom profile.

Create an SSL policy with a Google-managed profile

Console

To create an SSL policy with a Google-managed profile, use these instructions:

  1. Go to the SSL policies page in the Google Cloud console.
  2. Click Create policy. You see the Create policy page.
  3. Enter a Name.
  4. Select a Minimum TLS Version.
  5. Under Profile, select Compatible, Modern, or Restricted. The Enabled features and Disabled features for the profile are displayed on the right side of the page.
  6. If there is a load balancer to which you want to attach the policy, click Add target and select a forwarding rule as the target of the SSL policy. If desired, add more targets.
  7. Click Create.

gcloud

Global SSL policies

The following is the general syntax for creating a global SSL policy with a Google-managed profile:

gcloud compute ssl-policies create SSL_POLICY_NAME \
    --profile COMPATIBLE | MODERN | RESTRICTED \
    --min-tls-version 1.0 | 1.1 | 1.2

The following command creates a global SSL policy with the MODERN profile:

gcloud compute ssl-policies create my-ssl-policy \
    --profile MODERN \
    --min-tls-version 1.0

Regional SSL policies

The following is the general syntax for creating a regional SSL policy with a Google-managed profile:

gcloud beta compute ssl-policies create SSL_POLICY_NAME \
    --profile COMPATIBLE | MODERN | RESTRICTED \
    --min-tls-version 1.0 | 1.1 | 1.2 \
    --region REGION

The following command creates a regional SSL policy with the COMPATIBLE profile:

gcloud beta compute ssl-policies create my-ssl-policy \
    --profile COMPATIBLE \
    --min-tls-version 1.1 \
    --region us-west1

Create an SSL policy with a custom profile

Console

To create an SSL policy with a custom profile, use these instructions:

  1. Go to the SSL policies page in the Google Cloud console.
  2. Click Create policy. You see the Create policy page.
  3. Enter a Name.
  4. Select a Minimum TLS Version.
  5. Under Profile, select Custom. All features are shown as Disabled features on the right side of the page.
  6. In the list of Features, select each cipher suite you want to enable. The cipher suites you enable are listed as Enabled features.
  7. If there is a load balancer to which you want to attach the policy, click Add target and select a forwarding rule as the target of the SSL policy. If desired, add more targets.
  8. Click Create.

gcloud

When you create an SSL policy with the CUSTOM profile, only the features you specify in the create command are supported. Other features are not supported.

Global SSL policies

The following is the general syntax for creating a global SSL policy with a custom profile:

gcloud compute ssl-policies create SSL_POLICY_NAME \
    --profile CUSTOM \
    --min-tls-version 1.0 | 1.1 | 1.2 \
    --custom-features SSL_FEATURE_1[,SSL_FEATURE_2,SSL_FEATURE_3]

The following example creates a global SSL policy with the CUSTOM profile with a minimum TLS version of 1.2 and features TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 and TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256.

gcloud compute ssl-policies create SSL_POLICY_NAME \
    --profile CUSTOM \
    --min-tls-version 1.2 \
    --custom-features TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

Regional SSL policies

The following is the general syntax for creating a regional SSL policy with a custom profile:

gcloud beta compute ssl-policies create SSL_POLICY_NAME \
    --profile CUSTOM \
    --min-tls-version 1.0 | 1.1 | 1.2 \
    --custom-features SSL_FEATURE_1[,SSL_FEATURE_2,SSL_FEATURE_3] \
    --region REGION

The following example creates a regional SSL policy with the CUSTOM profile with a minimum TLS version of 1.2 and features TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 and TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256.

gcloud beta compute ssl-policies create SSL_POLICY_NAME \
    --profile CUSTOM \
    --min-tls-version 1.2 \
    --custom-features TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \
    --region us-west1

List features available in an SSL policy

Console

  1. Go to the SSL policies page in the Google Cloud console.
  2. Click the name of the policy whose features you want to see. The enabled and disabled cipher suites are listed on the right side of the page.

gcloud

To list the features available in global SSL policies:

gcloud compute ssl-policies list-available-features

To list the features available in regional SSL policies:

gcloud beta compute ssl-policies list-available-features \
    --region REGION

Modify SSL policies

Console

  1. Go to the SSL policies page in the Google Cloud console.
  2. Click the name of the policy you want to modify.
  3. Click Edit.
  4. Make any changes you want.
  5. Click Save.

gcloud

To modify an existing SSL policy, pass any or all of the flags corresponding to the fields you want to update. Unspecified fields are not updated.

If you update the features, previously-enabled features are deleted and replaced with the new features you specify.

Global SSL policies

gcloud compute ssl-policies update SSL_POLICY_NAME \
    --profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM \
    --min-tls-version 1.0|1.1|1.2 \
    --custom-features FEATURES

Regional SSL policies

gcloud beta compute ssl-policies update SSL_POLICY_NAME \
    --profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM \
    --min-tls-version 1.0|1.1|1.2 \
    [--custom-features FEATURES] \
    --region REGION

Create a target proxy with an SSL policy

Console

You can create a target proxy using the Google Cloud console when you're creating or updating the load balancer as shown in the following documents:

gcloud

To create a target SSL proxy with a global SSL policy:

gcloud compute target-ssl-proxies create TARGET_SSL_PROXY_NAME \
  --backend-service BACKEND_SERVICE_NAME \
  --ssl-certificate SSL_CERTIFICATE_NAME \
  --ssl-policy SSL_POLICY_NAME

To create a global target HTTPS proxy with a global SSL policy:

gcloud compute target-https-proxies create TARGET_HTTPS_PROXY_NAME \
  --ssl-certificate SSL_CERTIFICATE_NAME \
  --url-map URL_MAP_NAME \
  --ssl-policy SSL_POLICY_NAME

To create a regional target HTTPS proxy with a regional SSL policy:

gcloud beta compute target-https-proxies create REGIONAL_TARGET_HTTPS_PROXY_NAME \
  --ssl-certificates SSL_CERTIFICATE_NAME \
  --url-map URL_MAP_NAME \
  --url-map-region REGION \
  --ssl-policy SSL_POLICY_NAME \
  --region REGION

Attach an existing SSL policy to an existing target proxy

Console

Target proxies can't be modified in the Google Cloud console. Use the gcloud CLI or the API instead.

gcloud

Use these commands to attach an existing SSL policy to an SSL proxy or HTTPS proxy.

To attach an existing global SSL policy to a target SSL proxy:

gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME \
    --ssl-policy SSL_POLICY_NAME

To attach an existing global SSL policy to a global target HTTPS proxy:

gcloud compute target-https-proxies update TARGET_HTTPS_PROXY_NAME \
    --ssl-policy SSL_POLICY_NAME

To attach an existing regional SSL policy to a regional target HTTPS proxy:

gcloud beta compute target-https-proxies update REGIONAL_TARGET_HTTPS_PROXY_NAME \
    --ssl-policy SSL_POLICY_NAME \
    --region REGION

If you do not provide the --ssl-policy flag or the --clear-ssl-policy flag in a target proxy update (for example, when updating an SSL certificate), the SSL policy is unchanged. The --clear-ssl-policy flag is described in Delete an SSL policy from a target proxy.

API

To set a global SSL policy for a global target proxy (for SSL proxy load balancers or global external HTTP(S) load balancers), use the targetHttpsProxies.patch method.

To set a regional SSL policy for a regional target proxy (for regional external HTTP(S) load balancers), use the regionTargetHttpsProxies.patch method.

Delete an SSL policy from a target proxy

Console

Target proxies can't be modified in the Google Cloud console. Use the gcloud CLI or the API instead.

gcloud

Use these commands to remove an SSL policy from an SSL proxy or HTTPS load balancer. If you do not attach a different SSL policy to the target proxy, the load balancer uses the default SSL policy. Using the --clear-ssl-policy flag is equivalent to replacing an SSL policy with the default SSL policy.

To remove a global SSL policy from a target SSL proxy:

gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME \
    --clear-ssl-policy

To remove a global SSL policy from a global target HTTPS proxy:

gcloud compute target-https-proxies update TARGET_HTTPS_PROXY_NAME \
    --clear-ssl-policy

To remove a regional SSL policy from a regional target HTTPS proxy:

gcloud beta compute target-https-proxies update REGIONAL_TARGET_HTTPS_PROXY_NAME \
    --clear-ssl-policy \
    --region REGION

When you provide the --clear-ssl-policy flag in the update command, the SSL policy is removed from the proxy.

If you do not provide the --clear-ssl-policy flag or the --ssl-policy flag in the target proxy update (for example, when updating an SSL certificate), the SSL policy is unchanged. The --ssl-policy flag is described in Attach an existing SSL policy to an existing target proxy.
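The fallback to the default SSL policy described above is easy to overlook when reviewing a project. As an added example that is not part of this document or of the gcloud tool, the following Python script walks constructed sample output of gcloud compute ssl-policies list --format=json and gcloud compute target-https-proxies list --format=json (the field names minTlsVersion, profile, customFeatures and sslPolicy are assumed from the Compute Engine API) and flags policies that allow TLS below 1.2, use the COMPATIBLE profile, or enable cipher suites without forward secrecy, together with proxies that rely on the default policy.

```python
import json
# Constructed sample of `gcloud compute ssl-policies list --format=json` (assumed field names).
SSL_POLICIES_JSON = """[
 {"name": "legacy-compat", "profile": "COMPATIBLE", "minTlsVersion": "TLS_1_0"},
 {"name": "modern-12", "profile": "MODERN", "minTlsVersion": "TLS_1_2"},
 {"name": "custom-chacha", "profile": "CUSTOM", "minTlsVersion": "TLS_1_2",
  "customFeatures": ["TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
                     "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"]},
 {"name": "custom-rsa", "profile": "CUSTOM", "minTlsVersion": "TLS_1_1",
  "customFeatures": ["TLS_RSA_WITH_AES_128_GCM_SHA256"]}
]"""
# Constructed sample of `gcloud compute target-https-proxies list --format=json`.
# A proxy with no sslPolicy field is served with the default SSL policy.
PROXIES_JSON = """[
 {"name": "web-proxy", "sslPolicy": "projects/p/global/sslPolicies/modern-12"},
 {"name": "legacy-proxy", "sslPolicy": "projects/p/global/sslPolicies/legacy-compat"},
 {"name": "unpinned-proxy"}
]"""
TLS_ORDER = {"TLS_1_0": 0, "TLS_1_1": 1, "TLS_1_2": 2}

def audit_policies(policies):
    """Return {policy_name: [finding, ...]} for policies that weaken TLS."""
    findings = {}
    for p in policies:
        issues = []
        if TLS_ORDER.get(p.get("minTlsVersion"), 0) < TLS_ORDER["TLS_1_2"]:
            issues.append("min TLS version below 1.2")
        if p.get("profile") == "COMPATIBLE":
            issues.append("COMPATIBLE profile enables legacy cipher suites")
        # TLS_RSA_* suites use static RSA key exchange, so they have no forward secrecy.
        non_pfs = [f for f in p.get("customFeatures", []) if f.startswith("TLS_RSA_")]
        if non_pfs:
            issues.append("non-forward-secret suites: " + ", ".join(non_pfs))
        if issues:
            findings[p["name"]] = issues
    return findings

def audit_proxies(proxies, findings):
    """Map each proxy to the flagged policy it uses, or DEFAULT when none is attached."""
    result = {}
    for proxy in proxies:
        url = proxy.get("sslPolicy")
        if url is None:
            result[proxy["name"]] = "DEFAULT"
        elif url.rsplit("/", 1)[-1] in findings:
            result[proxy["name"]] = url.rsplit("/", 1)[-1]
    return result
def run_audit(policies_json=SSL_POLICIES_JSON, proxies_json=PROXIES_JSON):
    findings = audit_policies(json.loads(policies_json))
    return findings, audit_proxies(json.loads(proxies_json), findings)
```

Replace the two constructed strings with the real command output to audit a project; proxies reported as DEFAULT are the ones to pin to an explicit policy with --ssl-policy.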

Limits

  • You can configure a maximum of 10 SSL policies per project.
  • You cannot configure more than one SSL policy per proxy.

API reference

For descriptions of the properties and methods available to you when working with SSL policies through the REST API, see the following:

API documentation by product:

  • sslPolicies
    • Global external HTTP(S) load balancer
    • Global external HTTP(S) load balancer (classic)
    • SSL proxy load balancer
  • regionSslPolicies
    • Regional external HTTP(S) load balancer
    • Internal HTTP(S) Load Balancing

gcloud CLI reference

For the Google Cloud CLI reference, see the following:

What's next