SSL policies specify the set of SSL features that Google Cloud load balancers use when negotiating SSL with clients. In this document, the term SSL refers to both the SSL and TLS protocols.
SSL policies are supported with the following load balancers:
- Global SSL policies
- Global external Application Load Balancer
- Classic Application Load Balancer
- External proxy Network Load Balancer (with a target SSL proxy)
- Cross-region internal Application Load Balancer
- Regional SSL policies
- Regional external Application Load Balancer
- Regional internal Application Load Balancer
For more information about how SSL policies work, see SSL policies overview.
You can create and manage SSL policies by using the Google Cloud console or the Google Cloud CLI when you create an HTTPS or SSL load balancer or at any time after you create the load balancer.
To list, create, and manage regional SSL policies, make sure that you're running gcloud CLI version 404 or later.
Create SSL policies
You can create SSL policies with Google-managed profiles or with a custom profile.
Create an SSL policy with a Google-managed profile
Console
Global SSL policy
To create a global SSL policy with a Google-managed profile, do the following:
In the Google Cloud console, go to the SSL policies page.
Click Create policy.
For Global SSL policy, click the Create button next to it. The Create policy page appears.
Enter a Name.
Select a Minimum TLS Version.
For Profile, select Compatible, Modern, or Restricted. The Enabled features and Disabled features for the profile are displayed on the right side of the page.
If there is a load balancer to which you want to attach the policy, click Apply to targets and select a forwarding rule as the target of the SSL policy. If necessary, add more targets.
Click Create.
Regional SSL policy
To create a regional SSL policy with a Google-managed profile, do the following:
In the Google Cloud console, go to the SSL policies page.
Click Create policy.
For Regional SSL policy, click the Create button next to it. The Create policy page appears.
Enter a Name.
Select a Region.
Select a Minimum TLS Version.
For Profile, select Compatible, Modern, or Restricted. The Enabled features and Disabled features for the profile are displayed on the right side of the page.
If there is a load balancer to which you want to attach the policy, click Apply to targets and select a forwarding rule as the target of the SSL policy. If necessary, add more targets.
Click Create.
gcloud
Global SSL policy
The following is the general syntax for creating a global SSL policy with a Google-managed profile:
gcloud compute ssl-policies create SSL_POLICY_NAME \ --profile COMPATIBLE | MODERN | RESTRICTED \ --min-tls-version 1.0 | 1.1 | 1.2
The following command creates a global SSL policy with the MODERN
profile:
gcloud compute ssl-policies create my-ssl-policy \ --profile MODERN \ --min-tls-version 1.0
Regional SSL policy
The following is the general syntax for creating a regional SSL policy with a Google-managed profile:
gcloud compute ssl-policies create SSL_POLICY_NAME \ --profile COMPATIBLE | MODERN | RESTRICTED \ --min-tls-version 1.0 | 1.1 | 1.2 \ --region REGION
The following command creates a regional SSL policy with the COMPATIBLE
profile:
gcloud compute ssl-policies create my-ssl-policy \ --profile COMPATIBLE \ --min-tls-version 1.1 \ --region us-west1
Create an SSL policy with a custom profile
Console
Global SSL policy
To create a global SSL policy with a custom profile, do the following:
In the Google Cloud console, go to the SSL policies page.
Click Create policy.
For Global SSL policy, click the Create button next to it. The Create policy page appears.
Enter a Name.
Select a Minimum TLS Version.
For Profile, select Custom. All features are shown as Disabled features on the right side of the page.
In the list of Features, select each cipher suite that you want to enable. The cipher suites you enable are listed as Enabled features.
If there is a load balancer to which you want to attach the policy, click Apply to targets and select a forwarding rule as the target of the SSL policy. If necessary, add more targets.
Click Create.
Regional SSL policy
To create a regional SSL policy with a custom profile, do the following:
In the Google Cloud console, go to the SSL policies page.
Click Create policy.
For Regional SSL policy, click the Create button next to it. The Create policy page appears.
Enter a Name.
Select a Region.
Select a Minimum TLS Version.
For Profile, select Custom. All features are shown as Disabled features on the right side of the page.
In the list of Features, select each cipher suite that you want to enable. The cipher suites you enable are listed as Enabled features.
If there is a load balancer to which you want to attach the policy, click Apply to targets and select a forwarding rule as the target of the SSL policy. If necessary, add more targets.
Click Create.
gcloud
When you create an SSL policy with the CUSTOM profile, only the features that you
specify in the create
command are supported. Other features are not
supported.
Global SSL policy
The following is the general syntax for creating a global SSL policy with a custom profile:
gcloud compute ssl-policies create SSL_POLICY_NAME \ --profile CUSTOM \ --min-tls-version 1.0 | 1.1 | 1.2 \ --custom-features SSL_FEATURE_1[,SSL_FEATURE_2,SSL_FEATURE_3]
The following example creates a global SSL policy with the CUSTOM profile
with a minimum TLS version of 1.2 and features
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
and
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
.
gcloud compute ssl-policies create SSL_POLICY_NAME \ --profile CUSTOM \ --min-tls-version 1.2 \ --custom-features TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Regional SSL policy
The following is the general syntax for creating a regional SSL policy with a custom profile:
gcloud compute ssl-policies create SSL_POLICY_NAME \ --profile CUSTOM \ --min-tls-version 1.0 | 1.1 | 1.2 \ --custom-features SSL_FEATURE_1[,SSL_FEATURE_2,SSL_FEATURE_3] \ --region REGION
The following example creates a regional SSL policy with the CUSTOM profile
with a minimum TLS version of 1.2 and features
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
and
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
.
gcloud compute ssl-policies create SSL_POLICY_NAME \ --profile CUSTOM \ --min-tls-version 1.2 \ --custom-features TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \ --region us-west1
List SSL policies
Console
In the Google Cloud console, go to the SSL policies page.
You can view a list of all the available SSL policies. The Scope field indicates whether the SSL policy is global or regional.
gcloud
To list both global and regional SSL policies, run:
gcloud compute ssl-policies list
To list only global SSL policies, run:
gcloud compute ssl-policies list --global
To list only regional SSL policies, run:
gcloud compute ssl-policies list --regions REGION
List features available in an SSL policy
Console
In the Google Cloud console, go to the SSL policies page.
Click the name of the policy whose features you want to see. The enabled and disabled cipher suites are listed on the right side of the page.
gcloud
To list the features available in global SSL policies:
gcloud compute ssl-policies list-available-features
To list the features available in regional SSL policies:
gcloud compute ssl-policies list-available-features \ --region REGION
Modify SSL policies
Console
To modify a global or a regional SSL policy, do the following:
In the Google Cloud console, go to the SSL policies page.
Click the name of the policy that you want to modify.
Click Edit.
Make any changes you want.
Click Save.
gcloud
To modify an existing SSL policy, pass any or all of the flags corresponding to the fields you want to update. Unspecified fields are not updated.
If you update the features, previously enabled features are deleted and replaced with the new features you specify.
Global SSL policies
gcloud compute ssl-policies update SSL_POLICY_NAME \ --profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM \ --min-tls-version 1.0|1.1|1.2 \ --custom-features FEATURES
Regional SSL policies
gcloud compute ssl-policies update SSL_POLICY_NAME \ --profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM \ --min-tls-version 1.0|1.1|1.2 \ [--custom-features FEATURES \] --region REGION
Create a target proxy with an SSL policy
Console
You can create a target proxy by using the Google Cloud console when you're creating or updating the load balancer as shown in the following documents:
- Set up an external proxy Network Load Balancer with a target SSL proxy
- Set up a global external Application Load Balancer
- Set up a classic Application Load Balancer
- Set up a regional external Application Load Balancer
- Set up a regional internal Application Load Balancer
- Set up a cross-region internal Application Load Balancer
gcloud
To create a target SSL proxy with a global SSL policy:
gcloud compute target-ssl-proxies create TARGET_SSL_PROXY_NAME \ --backend-service BACKEND_SERVICE_NAME \ --ssl-certificate SSL_CERTIFICATE_NAME \ --ssl-policy SSL_POLICY_NAME
To create a global target HTTPS proxy with a global SSL policy:
gcloud compute target-https-proxies create TARGET_HTTPS_PROXY_NAME \ --ssl-certificate SSL_CERTIFICATE_NAME \ --url-map URL_MAP_NAME \ --ssl-policy SSL_POLICY_NAME
To create a regional target HTTPS proxy with a regional SSL policy:
gcloud compute target-https-proxies create REGIONAL_TARGET_HTTPS_PROXY_NAME \ --ssl-certificates SSL_CERTIFICATE_NAME \ --url-map URL_MAP_NAME \ --url-map-region REGION \ --ssl-policy SSL_POLICY_NAME \ --region REGION
Attach an existing SSL policy to an existing target proxy
Console
gcloud
Use these commands to attach an existing SSL policy to an SSL proxy or HTTPS proxy.
To find all projects in your organization that have target SSL proxies:
gcloud asset search-all-resources \ --scope=organizations/ORGANIZATION_ID \ --asset-types=compute.googleapis.com/TargetSslProxy
To find all projects in your organization that have target HTTPS proxies:
gcloud asset search-all-resources \ --scope=organizations/ORGANIZATION_ID \ --asset-types=compute.googleapis.com/TargetHttpsProxy
To list all global target SSL proxies in a project, use the
targetSslProxies.aggregatedList
method. Then, use thefilter
query parameter to search for target SSL proxies that don't reference an SSL policy.curl \ 'https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetSslProxies?filter=sslPolicy%3D%22%22&key=YOUR_API_KEY' \ --header 'Authorization: Bearer YOUR_ACCESS_TOKEN' \ --header 'Accept: application/json' \ --compressed
To list all global and regional target HTTPS proxies in a project, use the
targetHttpsProxies.aggregatedList
method with theincludeAllScopes
query parameter set totrue
. Then, use thefilter
query parameter to search for target HTTPS proxies that don't reference an SSL policy.curl \ 'https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/aggregated/targetHttpsProxies?filter=sslPolicy%3D%22%22&includeAllScopes=true&key=YOUR_API_KEY' \ --header 'Authorization: Bearer YOUR_ACCESS_TOKEN' \ --header 'Accept: application/json' \ --compressed
To attach an existing global SSL policy to a target SSL proxy:
gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME \ --ssl-policy SSL_POLICY_NAME
To attach an existing global SSL policy to a global target HTTPS proxy:
gcloud compute target-https-proxies update TARGET_HTTPS_PROXY_NAME \ --ssl-policy SSL_POLICY_NAME
To attach an existing regional SSL policy to a regional target HTTPS proxy:
gcloud compute target-https-proxies update REGIONAL_TARGET_HTTPS_PROXY_NAME \ --ssl-policy SSL_POLICY_NAME \ --region REGION
If you don't provide the --ssl-policy
flag or the --clear-ssl-policy
flag
in a target proxy update (for example, when updating an SSL certificate), the
SSL policy is unchanged. The --clear-ssl-policy
flag is described in Delete
an SSL policy from a target proxy.
API
To set a global SSL policy for a global target proxy, use the
targetHttpsProxies.patch
method.
To set a regional SSL policy for a regional target proxy, use the
regionTargetHttpsProxies.patch
method.
Delete an SSL policy from a target proxy
Console
gcloud
Use these commands to remove an SSL policy from an SSL proxy or HTTPS load
balancer. If you don't attach a different SSL policy to the target proxy,
the load balancer uses the default SSL policy. Using the --clear-ssl-policy
flag is equivalent to replacing an SSL policy with the default SSL policy.
To remove a global SSL policy from a target SSL proxy:
gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME \ --clear-ssl-policy
To remove a global SSL policy from a global target HTTPS proxy:
gcloud compute target-https-proxies update TARGET_HTTPS_PROXY_NAME \ --clear-ssl-policy
To remove a regional SSL policy from a regional target HTTPS proxy:
gcloud compute target-https-proxies update REGIONAL_TARGET_HTTPS_PROXY_NAME \ --clear-ssl-policy \ --region REGION
When you provide the --clear-ssl-policy
flag in the update command, the SSL
policy is removed from the proxy.
If you don't provide the --clear-ssl-policy
flag or the--ssl-policy
flag in the target proxy update (for example, when updating an SSL
certificate), the SSL policy is unchanged. The --ssl-policy
flag is
described in Attach an existing SSL policy to an existing target proxy.
Manage SSL policies
If you use custom constraints to restrict TLS capabilities, manually check for TLS compliance in pre-existing SSL policies that are attached to target SSL proxies and target HTTPS proxies.
Use the following sample steps to find and update SSL policies that don't meet your security goals.
To find all projects in your organization that have SSL policy resources:
gcloud asset search-all-resources \ --scope=organizations/ORGANIZATION_ID \ --asset-types=compute.googleapis.com/SslPolicy
To list all global and regional SSL policies in a project, use the
sslPolicies.aggregatedList
method with theincludeAllScopes
query parameter set totrue
. Then, use thefilter
query parameter to search for SSL policies that don't align with your security goals.For example, to find SSL policies with TLS version lower than
1.2
, use the filterminTlsVersion="TLS_1_0" OR minTlsVersion="TLS_1_1"
:curl \ 'https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/aggregated/sslPolicies?filter=minTlsVersion%3D%22TLS_1_0%22%20OR%20minTlsVersion%3D%22TLS_1_1%22&includeAllScopes=true&key=YOUR_API_KEY' \ --header 'Authorization: Bearer YOUR_ACCESS_TOKEN' \ --header 'Accept: application/json' \ --compressed
To get your API key, see Authenticate using API keys. To get your access token, use the
projects.serviceAccounts.generateAccessToken
method.Then update the SSL policies that don't meet your minimum TLS requirement. For example, for a global SSL policy, you can use the following command:
gcloud compute ssl-policies update SSL_POLICY_NAME \ --min-tls-version=TLS_1_2 \ --global
To list all the global and regional target SSL proxies in a project that aren't associated with an SSL policy, run the following command:
curl \ 'https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetSslProxies?filter=sslPolicy%3D%22%22&key=YOUR_API_KEY' \ --header 'Authorization: Bearer YOUR_ACCESS_TOKEN' \ --header 'Accept: application/json' \ --compressed
To attach an SSL policy to these target proxies, see Attach an existing SSL policy to an existing target proxy
You can also use either Cloud Asset Inventory or the Google APIs Explorer to find and update resources that don't meet your security requirements.
For example, to look up a list of target SSL proxies that aren't associated with an SSL policy, you can use the following steps in Cloud Asset Inventory:
In the Google Cloud console, go to the Asset inventory page.
Click Asset query.
In the Edit query field, enter the following query and click Run.
select * from `compute_googleapis_com_TargetSslProxy` where resource.data.sslPolicy IS NULL
To attach an SSL policy to these target proxies, see Attach an existing SSL policy to an existing target proxy.
Run the query in Cloud Asset Inventory until you see an empty response.
Limits
See load balancer quotas and limits.
API reference
For descriptions of the properties and methods available to you when working with SSL policies through the REST API, see the following:
Product | API documentation |
---|---|
|
sslPolicies |
|
regionSslPolicies |
gcloud CLI reference
For the Google Cloud CLI reference, see the following:
- gcloud compute ssl-policies
- Global:
--global
- Regional:
--region=[REGION]
- Global:
What's next
- For conceptual information about SSL policies, see SSL policies for SSL and TLS protocols.
- For information about external proxy Network Load Balancers, see External proxy Network Load Balancer overview.
- For information about external Application Load Balancers, see External Application Load Balancer overview.