Enable connection draining

Note: This page describes how to configure a specific load balancer component orfeature before or after you've already created a load balancer. Working withspecific components is useful for advanced configurations and necessary for someconfiguration options. Before using the information on this page, know thetypeof Google Cloud load balancerthat you need.

Connection draining is a process that ensures that existing, in-progressrequests are given time to complete when a virtual machine (VM) instance isremoved from an instance group or when an endpoint is removed from networkendpoint groups (NEGs) that are zonal in scope.

The information on this page applies only to instance groups and thefollowing types of NEGs that are zonal in scope:

Connection draining begins whenever you do the following:

Connection draining doesn't apply when you disconnect a backend (instance groupor zonal NEG) from a load balancer's backend service.

How connection draining works

To enable connection draining, you set aconnection draining timeout on thebackend service. The timeout duration must be from 0 to 3600 seconds, inclusive.

It can take up to 60 seconds after your specified timeout duration has passedfor the instance to be terminated.

The following is a list of specifications about connection draining:

  • Connection draining is available for backend services that are part of thefollowing load balancers:

    Both internal passthrough Network Load Balancers and external passthrough Network Load Balancers support connection draining for TCP,UDP, and other non-TCP protocols.

  • Connection draining is also available for backend services that are part ofCloud Service Mesh deployments.

  • When a connection draining timeout is set, and an instance is removed from theinstance group or an endpoint is removed from a zonal NEG,Google Cloud load balancers and Cloud Service Mesh behave in thefollowing way:

    • No new connections are sent to the removed instance or endpoint.

    • Application Load Balancers: For the specified duration of the timeout,existing requests to the VM or endpoint marked for removal are given timeto complete. The load balancer doesn't send new connections to this VM orendpoint. After the timeout duration is reached, the load balancer stopssending all traffic to the removed VM or endpoint.

    • Proxy Network Load Balancers: For the specified duration of the timeout,existing TCP connections to the VM or endpoint marked for removalcontinue to work during the configured connection draining period. The loadbalancer doesn't send new connections to this VM or endpoint. After thetimeout duration is reached, existing TCP connections to the removed VM orendpoint remain active and the proxy closes all existing TCP connectionswithin 10 minutes, the default idle timeout.

    • passthrough Network Load Balancers: For the specified duration of the connection drainingtimeout, packets belonging to existing connections are routed to the VM orendpoint marked for removal. After the timeout duration is reached, theconntrack entry for the removed VM or endpoint is removed. Any non-SYNpacket from an existing connection leads to the creation of a new conntrackentry for the healthy backend. When the packet goes to a new healthybackend, the backend sends a RST to the client as it doesn't have any recordof the packet it has just received. The internal and external passthrough Network Load Balancersthemselves don't send a TCP-RST or TCP-FIN to end existing connections afterthe connection draining timeout expires.

  • If you enable connection draining on multiple backend services that share thesame instance groups or NEGs, the largest timeout value is used. For example,suppose that the same instance group or zonal NEG is a backend for two backendservices, where one backend service has a connection draining timeout of 100seconds, and the other backend service has a connection draining timeout of200 seconds. Google Cloud uses 200 seconds as the effective connectiondraining timeout before terminating them. If the backend is a managed instancegroup, operations that delete the instance are delayed by at least 200seconds.

  • If you don't set a connection draining timeout, or if the connection drainingtimeout is set to zero (0), Google Cloud ends existing connections onthe removed instance or endpoint as quickly as possible.

  • If you're using connection pooling, you might see that new requests, usinga previously established connection, are still being received on VMs thatare getting drained, causing connection errors when those VMs are eventuallydeleted.

Enable connection draining

To enable connection draining, complete the following steps.

Console

Update a load balancer

  1. Go to the Load balancing page in the Google Cloud console.
    Go to Load balancing
  2. On theLoad Balancers tab, for the load balancer that you'd like toupdate, clickmore_vert,and then clickEdit.
  3. ClickBackend configuration.
  4. In theBackend configuration pane, click.
  5. At the bottom of theEdit backend service pane, clickAdvanced configurations.
  6. In theConnection draining timeout field, enter a value from0 -3600. A setting of0 disables connection draining.

Update Cloud Service Mesh

  1. Go to the Cloud Service Mesh page in the Google Cloud console.
    Go to Cloud Service Mesh
  2. Click theName of your service.
  3. On theService details page, clickEdit.
  4. At the bottom of your service, clickAdvanced configurations.
  5. In theConnection draining timeout field, enter a value from0 -3600. A setting of0 disables connection draining.
  6. ClickSave.

gcloud

Enable connection draining on a new or existing backend service by usingthe--connection-draining-timeout flag. The following examples demonstratehow to change the connection draining timeout:

  • For an existingregional loadbalancer:

    gcloud compute backend-services updateBACKEND_SERVICE \    --region=REGION \    --connection-draining-timeout=CONNECTION_TIMEOUT_SECS

Replace the placeholders with valid values:

  • BACKEND_SERVICE: the backend service that you'reupdating
  • REGION: if applicable, the region of the backendservice that you're updating

  • CONNECTION_TIMEOUT_SECS: the number of seconds towait before existing connections to instances or endpoints are terminated,between0 -3600 seconds, inclusive. A setting of0 disablesconnection draining. The connection draining timeout applies to allbackends of the backend service.

    You can also use thegcloud compute backend-services edit command toupdate an existing backend service.

API

To enable connection draining in the API when creating or updating aninstance or endpoint, make a request to the respective API URI to includetheconnectionDraining field in your request body. The following examplesdemonstrate how to set that attribute by editing an existing backendservice. For information about other requiredattributes, see the documentation for each load balancer.

  • For an existingregional loadbalancer:

    PATCH https://www.googleapis.com/compute/v1/projects/PROJECT_ID/region/REGION/backendServices{   "name": "BACKEND_SERVICE",   "connectionDraining": {     "drainingTimeoutSec":CONNECTION_TIMEOUT_SECS   }}

    Replace the following:

    • PROJECT_ID: the project ID that containsyour load balancer or Cloud Service Mesh deployment
    • BACKEND_SERVICE: the backend serviceused by your load balancer or Cloud Service Mesh deployment
    • CONNECTION_TIMEOUT_SECS: the number ofseconds to wait before instances or endpoints are removed from theinstance group or NEG, between 0 to 3600 seconds, inclusive. Thistimeout duration applies to all instance groups or NEGs that arereferenced by the backend service.

What's next

For general information on backend services, seeBackendservices overview.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.