Use health checks

Google Cloud provides health checking mechanisms thatdetermine whether backend instances respond properly to traffic. This documentdescribes how to create and use health checks forloadbalancers and Cloud Service Mesh.

This page assumes that you are familiar with the following concepts:

Note: The termhealth check does not refer to legacy health checks. In thisdocument, legacy health checks are explicitly calledlegacy health checks.

Create health checks

Google Cloud lets you create or select a health check when youcomplete the load balancer's backend configuration in the Google Cloud console.

You can also create a health check independently of load balancer configurationin the Google Cloud console. This is useful if you need to create yourhealth check first, or if you need to use a health check for multiple loadbalancers. You can create a health check using the Google Cloud console,the Google Cloud CLI, or the REST APIs.

Note: You must use legacy HTTP health checks for target poolbased-external passthrough Network Load Balancers. For details, seelegacy healthchecks.Backend service-basedexternal passthrough Network Load Balancers use thenon-legacy health checks described in this section.

Console

  1. Go to the Health checks page in the Google Cloud console.
    Go to the Health checks page
  2. ClickCreate a health check.
  3. On theCreate a health check page, supply the following information:
    • Name: Provide a name for the health check.
    • Description: Optionally, provide a description.
    • Scope: Select a scope, eitherGlobal orRegional,depending on the type of load balancer.
      • If you selectedRegional, pick aRegion from the drop-down.
    • Protocol: Choosea health checkprotocol.
    • Port: Provide a port number. When you create a health check inthe Google Cloud console, you mustspecify theport using a port number.
    • Proxy protocol: Optionally, you can append a proxy header to therequests made by the health check probe systems.
    • Request path and Response: For HTTP, HTTPS, and HTTP2 protocols,you can optionally provide a URL path for the health check probesystems to contact. For moreinformation, seeAdditional flags for HTTP, HTTPS, andHTTP/2 health checks.
    • Request andResponse: For TCP and SSL protcols, you canspecify an ASCII text string to send and expected text responsestring. For more information, seeAdditional flags for SSL and TCP healthchecks.
    • Check interval: Define the amount of time from the start of oneprobe to the start of the next one.
    • Timeout: Define the amount of time that Google Cloudwaits for a response to a probe. Its value must be less than or equalto the check interval.
    • Healthy threshold: Define the number of sequential probes thatmust succeed for the VM instance to be considered healthy.
    • Unhealthy threshold: Define the number of sequential probes thatmust fail for the VM instance to be considered unhealthy.
  4. ClickCreate.

gcloud

  • To create a global health check, use theappropriatecomputehealth-checks createcommand:

    gcloud compute health-checks createPROTOCOLNAME \    --global \    --description=DESCRIPTION \    --check-interval=CHECK_INTERVAL \    --timeout=TIMEOUT \    --healthy-threshold=HEALTHY_THRESHOLD \    --unhealthy-threshold=UNHEALTHY_THRESHOLD \PORT_SPECIFICATION \ADDITIONAL_FLAGS

  • To create a regional health check, use theappropriatecomputehealth-checks createcommand:

    gcloud compute health-checks createPROTOCOLNAME \    --region=REGION \    --description=DESCRIPTION \    --check-interval=CHECK_INTERVAL \    --timeout=TIMEOUT \    --healthy-threshold=HEALTHY_THRESHOLD \    --unhealthy-threshold=UNHEALTHY_THRESHOLD \PORT_SPECIFICATION \ADDITIONAL_FLAGS

Replace the following:

  • PROTOCOL defines the protocol used for the healthcheck. Valid options areGRPC,GRPC_WITH_TLS,HTTP,HTTPS,HTTP2,SSL, andTCP.
  • NAME is the name of the health check. Within a givenproject: Each global health check must have a unique name, and regionalhealth checks must have unique names within a given region.
  • REGION: The region of the health check. For regionalload balancers, the health check region must match the region of thebackend service.
  • DESCRIPTION is an optional description.
  • CHECK_INTERVAL is the amount of time from the start ofone health check probe system's connection to the start of the next one.Units are seconds. If omitted, Google Cloud uses a value of5s (5seconds).
  • TIMEOUT is the amount of time that Google Cloudwaits for a response to a probe. The value ofTIMEOUTmust be less than or equal to theCHECK_INTERVAL. Unitsare seconds. If omitted,Google Cloud uses a value of5s (5 seconds).
  • HEALTHY_THRESHOLD andUNHEALTHY_THRESHOLD specify the number of sequentialprobes that must succeed or fail for the VM instance to be consideredhealthy or unhealthy. If either is omitted,Google Cloud uses a default threshold of2.
  • PORT_SPECIFICATION: Defines the port specificationusing one of thePort specification flags.
  • ADDITIONAL_FLAGS are other flags for specifying portsand options specific to thePROTOCOL. SeeAdditionalflags for HTTP, HTTPS, and HTTP/2 healthchecks,Additional flags for SSL andTCP health checks, orAdditionalflag for gRPC health checks.

Terraform

To create a global health check, use thegoogle_compute_health_check resource.

resource "google_compute_health_check" "health_check_tcp_with_logging" {  provider = google-beta  name = "health-check-tcp"  timeout_sec        = 1  check_interval_sec = 1  tcp_health_check {    port = "22"  }  log_config {    enable = true  }}

To create a regional health check, use thegoogle_compute_region_health_check resource.

resource "google_compute_region_health_check" "default" {  name               = "tcp-health-check-region-west"  timeout_sec        = 5  check_interval_sec = 5  tcp_health_check {    port = "80"  }  region = "us-west1"}

To learn how to apply or remove a Terraform configuration, seeBasic Terraform commands.

API

Modify health checks

You cannot convert a health check to a legacy health check (or the reverse) bymodifying the health check. You also cannot change a health check's name orscope (for example, global to regional).

Console

  1. Go to the Health checks page in the Google Cloud console.
    Go to the Health checks page
  2. Click a health check to view its details.
  3. If you need to modify the health check, clickEdit, then:
    • Make changes to the parameters as necessary.
    • ClickSave.

gcloud

  1. Identify the name and scope of the health check. For instructions, seeList health checks.

  2. Except for a health check's name, protocol, and scope, you can modify anyof thecommon flags, theport specificationflags, and other additional flags.To modify an existing health check, use theappropriatecomputehealth-checks updatecommand command.For flags that you omit, preconfigured settings are preserved.

    • Example modification of a global health check: The following commandmodifies a global HTTP health check namedhc-http-port-80 bychanging its check interval, timeout, and request path:

      gcloud compute health-checks update http hc-http-port-80 \    --global \    --check-interval=20s \    --timeout=15s \    --request-path="/health"

    • Example modification of a regional health check: The following commandmodifies a regional TCP health check inus-west1 namedhc-west1-tcp-ldap by changing its port specification:

      gcloud compute health-checks update tcp hc-west1-tcp-ldap \    --region=us-west1 \    --port=631

API

  1. Identify the name and scope of the health check. SeeListinghealth checks for instructions.

  2. Except for a health check's name, protocol, and scope, you can modify anyof thecommon flags, theport specificationflags, and other additional flagswith these API calls. Usepatch API calls to preserve any preconfiguredsettings that are not explicitly set in the request.

List health checks

Console

Note: The Google Cloud console listsboth health checks andlegacyhealth checks on its health checks page.
  1. Go to the Health checks page in the Google Cloud console.
    Go to the Health checks page
  2. Click a health check to view its details.

gcloud

To list health checks, use thecompute health-checkslist command:

  • To list global health checks:

    gcloud compute health-checks list \    --global

  • To list regional health checks: ReplaceREGION_LIST with acomma-delimited list of Google Cloud regions to query.

    gcloud compute health-checks list \    --regions=REGION_LIST

After you know the name and scope of a health check, use thecomputehealth-checksdescribe command toview its current configuration.

  • To describe a global health check, replaceNAME with its name.

    gcloud compute health-checks describeNAME \    --global

  • To describe a regional health check, replaceNAME with itsname andREGION with its region.

    gcloud compute health-checks describeNAME \    --region=REGION

API

To list health checks, use these API calls:

To describe a health check's current configuration, use:

Additional flags

This section describes additional flags you can use when creating or modifyinga health check. Some flags, such as port specification, must be set by usinggcloud or the API.

Port specification flags

If you create a health check by using the Google Cloud CLI or the API,you have two options to specify the health check's port. The following tableshows port specification options for valid load balancer and backendcombinations. The terminstance group refers to unmanaged instance groups,zonal managed instance groups, or regional managed instance groups.

Each health check can only use one type of port specification.

ProductBackend typePort specification options
External passthrough Network Load BalancerInstance groups andsupported NEGs

--port: Specify a TCP port by number, from1 to65535

The--use-serving-port flag is ignored for a health check associated with an internal passthrough Network Load Balancer because backend services for this load balancer don't subscribe to anynamed ports. This is because they are passthrough load balancers that deliver packets directly to backends instead of creating new connections from the load balancer to the backend.

Target poolsLegacy health checks which support the port number (--port) specification.
Internal passthrough Network Load BalancerInstance groups andsupported NEGs

--port: Specify a TCP port by number, from1 to65535

The--use-serving-port flag is ignored for a health check associated with an internal passthrough Network Load Balancer because backend services for this load balancer don't subscribe to anynamed ports. This is because they are passthrough load balancers that deliver packets directly to backends instead of creating new connections from the load balancer to the backend.

Global external Application Load Balancer

Classic Application Load Balancer

Regional external Application Load Balancer

Cross-region internal Application Load Balancer

Regional internal Application Load Balancer

Global external proxy Network Load Balancer

Classic proxy Network Load Balancer

Regional external proxy Network Load Balancer

Cross-region internal proxy Network Load Balancer

Regional internal proxy Network Load Balancer

Cloud Service Mesh		Supported NEGs
  • --port: Specify a TCP port by number, from1 to65535
  • --use-serving-port: Use the port of each endpoint in the network endpoint group.
Instance groups
  • --port: Specify a TCP port by number, from1 to65535
  • --use-serving-port: Use the same instance group named port to which the backend service subscribes.

If you omit the port specification while creating the health check,Google Cloud uses the following defaults:

  • If the health check's protocol isTCP orHTTP, it uses--port=80.
  • If the health check's protocol isSSL,HTTPS, orHTTP2, it uses--port=443.
  • If the health check's protocol isGRPC orGRPC_WITH_TLS, there is noimplied default; you must include the port specification.

Additional flags for HTTP, HTTPS, and HTTP/2 health checks

In addition to the common flags and port specification, you can use thefollowing optional flags for HTTP, HTTPS, and HTTP/2 health checks. This examplecreates an HTTP health check namedhc-http-port-80 using port 80 with defaultinterval, timeout, and health threshold criteria.

gcloud compute health-checks createHTTP_PROTOCOL hc-http-port-80 \COMMON_FLAGS \PORT_SPECIFICATION \    --host=HOST \    --proxy-header=PROXY_HEADER \    --request-path=REQUEST_PATH \    --response=RESPONSE
  • HTTP_PROTOCOL: Can behttp (HTTP/1.1 without TLS),https(HTTP/1.1 with TLS), orhttp2 (HTTP/2 with TLS).
  • COMMON_FLAGS: Defines the common flags. SeeCreationprocedure.
  • PORT_SPECIFICATION: Defines the port specification using one ofthePort specification flags.
  • HOST lets you provide aHost HTTP header. If omitted, the IPaddress of the load balancer's forwarding rule is used.
  • PROXY_HEADER must be one ofNONE orPROXY_V1. If omitted,Google Cloud usesNONE. The value ofPROXY_V1 adds the headerPROXY UNKNOWN\r\n.
  • REQUEST_PATH specifies the URL path that Google Cloud useswhen sending health check requests. If omitted, the health check request issent to/.
  • RESPONSE defines an optional expected response. Response stringsmust follow these rules:
    • The response string must consist of ASCII letters, numbers, and spaces.
    • The response string can be up to 1,024 characters long.
    • Wildcard matching isnot supported.
    • Content-based checking does not support inversion; for example, operatorssuch as! in HAProxy are not supported.

If Google Cloud finds the expected response stringanywhere in thefirst 1,024 bytes of the received response body, and if the HTTP status is200 (OK), the probe is considered successful.

The--request-path and--response flags modifythe success criteria for thehealth check probe.

Additional flags for SSL and TCP health checks

In addition to the common flags and port specification, you can use thefollowing optional flags for SSL and TCP health checks. This example creates aTCP health check namedhc-tcp-3268 using port 3268 with default interval,timeout, and health threshold criteria.

gcloud compute health-checks create tcp hc-tcp-3268 \COMMON_FLAGS \PORT_SPECIFICATION \    --proxy-header=PROXY_HEADER \    --request=REQUEST_STRING \    --response=RESPONSE_STRING
  • The protocol can betcp (in this example) orssl.
  • COMMON_FLAGS: Defines the common flags. SeeCreationprocedure.
  • PORT_SPECIFICATION: Defines the port specification using one ofthePort specification flags.
  • PROXY_HEADER must be one ofNONE orPROXY_V1. If omitted,Google Cloud usesNONE. The value ofPROXY_V1 adds the headerPROXY UNKNOWN\r\n.
  • REQUEST_STRING: You can provide a string, up to 1,024 ASCIIcharacters long, to send once the TCP or SSL session has been established.
  • RESPONSE_STRING: You can provide a string, up to 1,024 ASCIIcharacters long, for the expected response.

The--request and--response flags modifythe success criteria for thehealth check probe. If you usethe--response flag, either by itself or in conjunction with the--requestflag, the response returned must exactly match the expected response string.

Additional flag for gRPC health checks

Your backend gRPC server must implement the gRPC health service as described inthe gRPC health checking protocol.Google Cloud sends aHealthCheckRequest message to your backends bycalling theCheck method of the health service on your backend. The serviceparameter in the request is set to an empty string unless a gRPC service name isspecified.

A gRPC health check can check the status of a gRPC service. You can include astring, up to 1,024 ASCII characters long, that is the name of a particulargRPC service running on a backend VM or NEG. To do this, use the followingoptional flag for gRPC health checks:

--grpc-service-name=GRPC_SERVICE_NAME

For example, you might have the following services and status that the backendserver registers with your backend's gRPC Health service.

  • MyPackage.ServiceA with the serving statusSERVING
  • MyPackage.ServiceB with the serving statusNOT_SERVING
  • Empty service name with the serving statusNOT_SERVING

If you create a health check againstMyPackage.ServiceA, as follows, thehealth check probe returnsHEALTHY, because the service's status isSERVING.

gcloud compute health-checks create grpc MyGrpcHealthCheckServiceA \    --grpc-service-name=MyPackage.ServiceA

If you create a health check againstMyPackage.ServiceB, thehealth check probe returnsUNHEALTHY because the service's status isNOT_SERVING.

If you create a health check againstMyPackage.ServiceC, which is notregistered with the gRPC Health service, the health check probe returns thegRPC statusNOT_FOUND, which is the equivalent ofUNHEALTHY.

If you create a health check against the empty service name, the health checkprobe returns the statusUNHEALTHY, because the empty service name isregistered with the statusNOT_SERVING.

Legacy health checks

This section describes how to create, modify, and list legacy HTTP and HTTPShealth checks. You cannot convert a legacy health check to a health check, andyou cannot convert a health check to a legacy health check.

To learn which types of load balancers support legacy health checks, see theLoad balancer guide.

Create legacy health checks

Console

Although the Google Cloud console's health checks page lists and lets youedit both health checks and legacy health checks, you cannotcreate a new legacy health check from the Google Cloud console's healthchecks page.

You can create a legacy health check in the Google Cloud consoleonly whilecreating a target pool-basedexternal passthrough Network Load Balancer.To create the legacy health check by itself, use this section'sgcloudor API instructions.

gcloud

To create a legacy health check, use thecompute http-health-checkscreatecommand:

gcloud computeLEGACY_CHECK_TYPE createNAME \    --description=DESCRIPTION \    --check-interval=CHECK_INTERVAL \    --timeout=TIMEOUT \    --healthy-threshold=HEALTHY_THRESHOLD \    --unhealthy-threshold=UNHEALTHY_THRESHOLD \    --host=HOST \    --port=PORT \    --request-path=REQUEST_PATH

Replace the following:

  • LEGACY_CHECK_TYPE ishttp-health-checks for a legacy HTTPhealth check orhttps-health-checks for a legacy HTTPS health check. Ifyou are creating the legacy health check for a target pool-basedexternal passthrough Network Load Balancer, you must usehttp-health-checks.
  • NAME is the name of the legacy health check.Within a given project, each legacy health check must have a unique name.
  • DESCRIPTION is an optional description.
  • CHECK_INTERVAL is the amount of time from the start of oneprobe to the start of the next one. Units are seconds. If omitted,Google Cloud uses a value of5s (5 seconds).
  • TIMEOUT is the amount of time that Google Cloud willwait for a response to a probe. The value ofTIMEOUT must beless than or equal to theCHECK_INTERVAL. Units are seconds. Ifomitted, Google Cloud uses a value of5s (5 seconds).
  • HEALTHY_THRESHOLD andUNHEALTHY_THRESHOLD specifythe number of sequential probes that must succeed or fail for a VMinstance to be considered healthy or unhealthy. If either is omitted,Google Cloud uses a default threshold of2.
  • HOST lets you provide a host HTTP header. If omitted, theIP address of the load balancer's forwarding rule is used.
  • PORT lets you provide a port number. If omitted,Google Cloud uses80.
  • REQUEST_PATH specifies the URL path that Google Clouduses when sending health check requests. If omitted, the health checkrequest is sent to/.

API

Terraform

Modify legacy health checks

Console

  1. Go to the Health checks page in the Google Cloud console.
    Go to the Health checks page
  2. Click a health check to view its details.
  3. ClickEdit , make changes, and then clickSave.

gcloud

  • To modify a legacy HTTP health check, use thecompute http-health-checksupdatecommand, replacingNAME with its name. When modifying a legacyhealth check withgcloud, preconfigured settings for flags you omit arepreserved. TheOTHER_OPTIONS are the options described increating a legacy health check.

    gcloud compute http-health-checks updateNAME \OTHER_OPTIONS

  • To modify a legacy HTTPS health check, use thecompute https-health-checksupdatecommand, replacingNAME with its name. When modifying a legacyhealth check withgcloud, preconfigured settings for flags you omit arepreserved. TheOTHER_OPTIONS are the options described increating a legacy health check.

    gcloud compute https-health-checks updateNAME \OTHER_OPTIONS

API

Except for a legacy health check's name and type, you can modify any ofthe flags used for its creation. ThepatchAPI calls preserve any preconfigured settings that are not explicitly set inthe patch request.

List legacy health checks

Console

  1. Go to the Health checks page in the Google Cloud console.
    Go to the Health checks page
  2. Click a legacy health check to view its details.

gcloud

  1. To list legacy HTTP health checks, use thecompute http-health-checkslist command:

    gcloud compute http-health-checks list

    To list legacy HTTPS health checks, use thecompute https-health-checkslist command:

    gcloud compute https-health-checks list

  2. To describe a legacy HTTP health check, use thecomputehttp-health-checksdescribecommand, replacingNAME with its name.

    gcloud compute http-health-checks describeNAME

    To describe a legacy HTTPS health check, use thecomputehttps-health-checksdescribecommand, replacingNAME with its name.

    gcloud compute https-health-checks describeNAME

API

  1. To list legacy health checks:

  2. To describe a legacy health check:

Create required firewall rules

You need to create ingress firewall rules applicable to all VMs being loadbalanced to allow traffic fromhealth check prober IPranges. The followingexample creates a firewall rule that is applicable to VM instances identified bya specific target tag.

This example allows all TCP traffic from Google Cloud healthcheck systems to your VM instances. (TCP traffic includes SSL, HTTP, HTTPS, andHTTP/2 traffic.) If you prefer, you can specify ports along with the TCPprotocol; however, if you specify ports, your firewall rules might becomespecific to a particular health check. If you usetcp:80 for the protocol andport, this allows TCP traffic on port 80, so Google Cloud could contactyour VMs using HTTP on port 80, but it couldn't contact them using HTTPS onport 443.

Console

  1. In the Google Cloud console, go to theFirewall policies page.
    Go to Firewall policies
  2. ClickCreate firewall rule.
  3. On theCreate a firewall rule page, supply the following information:
    • Name: Provide a name for the rule. For this example, usefw-allow-health-checks.
    • Network: Choose a VPC network.
    • Priority: Enter a number for the priority. Lower numbers havehigher priorities. Be sure that the firewall rule has a higherpriority than other rules that might deny ingress traffic.
    • Direction of traffic: Chooseingress.
    • Action on match: Chooseallow.
    • Targets: ChooseSpecified target tags, and then enter tags intheTarget tags field. For this example, useallow-health-checks.
    • Source filter: ChooseIP ranges.
    • Source IP ranges: Enter the source IP range depending on yourload balancer type, traffic type, and health check type. SeeProbe IPranges and firewall rules.
    • Allowed protocols and ports: Usetcp and the port configured inyour health check. TCP is the underlying protocol for all health checkprotocols.
    • ClickCreate.
  4. On each of your instances being load balanced,add the networktagso that this new ingress firewall rule applies to them. This exampleusesallow-health-checks for the network tag.

gcloud

  1. Use the followinggcloud command to create a firewall rule namedfw-allow-health-checks that lets incoming TCP connections, fromGoogle Cloud health check systems, to instances in yourVPC network with theallow-health-checks tag.Based on the load balancer type, a different set ofprobe IP ranges and firewall rulesis supported for IPv6 traffic to the backends.

    ReplaceNETWORK_NAME with the name of yourVPC network and replacePORT with theports used by your load balancer.

    gcloud compute firewall-rules create fw-allow-health-checks \    --network=NETWORK_NAME \    --action=ALLOW \    --direction=INGRESS \    --source-ranges=SOURCE_IP_RANGE \    --target-tags=allow-health-checks \    --rules=tcp:PORT

    The value forSOURCE_IP_RANGE depends on yourload balancer type, traffic type, and health check type. SeeProbe IPranges and firewall rules.

  2. On each of your instances being load balanced,add the networktagso that this new ingress firewall rule applies to them. This exampleusesallow-health-checks for the network tag.

Refer to thegcloud firewall rulesdocumentation and theAPIdocumentation for more details.

Related documentation:

Associate health checks with load balancers

If you haven't already done so, review theHealth checks overview: Select ahealth check.

To associate a health check with anew load balancer, refer to the setup guidefor the respective load balancer. This section describes how to associate ahealth check with an existing load balancer's backend service.

This section assumes that you have already:

Console

To associate a health check with an existing load balancer:

  1. Go to the Load balancing page in the Google Cloud console.
    Go to the Load balancing page
  2. Click a load balancer to view its details.
  3. ClickEdit , and then clickBackend configuration.
  4. Choose a health check from theHealth check menu.
  5. ClickUpdate.

gcloud

To associate a health check with an existing backend service, follow thesesteps.

  1. Identify the name and scope of the backend service. Thepassthrough Network Load Balancers andproxy Network Load Balancers have only one backend service perload balancer. The Application Load Balancers have one or more backendservices associated with a single URL map.

    • To list backend services for internal passthrough Network Load Balancers, run the followingcommand.

      gcloud compute backend-services list \    --region=REGION \    --filter="loadBalancingScheme=INTERNAL"

    • To list backend services for external passthrough Network Load Balancers, run the followingcommand.

      gcloud compute backend-services list \    --region=REGION \    --filter="loadBalancingScheme=EXTERNAL"

    • To list backend services for global external proxy Network Load Balancers, run the followingcommand.

      gcloud compute backend-services list \    --global \    --filter="loadBalancingScheme=EXTERNAL_MANAGED" \    --filter="protocol=(SSL,TCP)"

    • To list backend services for classic proxy Network Load Balancers, run thefollowing command.

      gcloud compute backend-services list \    --global \    --filter="loadBalancingScheme=EXTERNAL" \    --filter="protocol=(SSL,TCP)"

    • To list backend services for cross-region internal proxy Network Load Balancers, run thefollowing command.

      gcloud compute backend-services list \    --global \    --filter="loadBalancingScheme=INTERNAL_MANAGED" \    --filter="protocol=(SSL,TCP)"

    • To list backend services for regional external proxy Network Load Balancers, run thefollowing command.

      gcloud compute backend-services list \    --region=REGION \    --filter="loadBalancingScheme=EXTERNAL_MANAGED" \    --filter="protocol=(SSL,TCP)"

    • To list backend services for regional internal proxy Network Load Balancers, run thefollowing command.

      gcloud compute backend-services list \    --region=REGION \    --filter="loadBalancingScheme=INTERNAL_MANAGED" \    --filter="protocol=(SSL,TCP)"

    • To identify backend services for global external Application Load Balancers,classic Application Load Balancers, and cross-region internal Application Load Balancers, firstidentify a URL map, and then describe the map. URL maps and backendservices for these load balancers are always global, regardless of theNetwork Service Tier. ReplaceURL_MAP_NAME with thename of the URL map. The backend services used by the load balancerare listed in the response.

      gcloud compute url-maps list \    --global
      gcloud compute url-maps describeURL_MAP_NAME \    --global

    • To identify backend services for either a regional external Application Load Balancer ora regional internal Application Load Balancer, first identify a URL map, and then describe themap. Both URL maps and backend services for these load balancers are regional.ReplaceREGION_LIST with a comma-delimited list ofGoogle Cloud regions to query. ReplaceURL_MAP_NAME with the name of the URL map andREGION with its region. The backend services usedby the load balancer are listed in the response.

      gcloud compute url-maps list \    --regions=REGION_LIST
      gcloud compute url-maps describeURL_MAP_NAME \    --region=REGION

  2. Identify a health check. SeeListing health checks.

  3. Associate a health check with the backend service by using thecomputebackend-servicesupdate command.Each backend service must reference a single health check. In thefollowing commands, replaceBACKEND_SERVICE_NAME with the nameof the backend service,HEALTH_CHECK_NAME with the name of thehealth check, and, if necessaryREGION with theGoogle Cloud region of the backend service, the health check, orboth.

    • To change the health check for an internal passthrough Network Load Balancer: Aninternal passthrough Network Load Balancer's backend service is regional. It can reference aglobal or regional health check. The following example shows aregional health check reference. If you're using a global health checkwith your internal passthrough Network Load Balancer, use--global-health-checks instead of--health-checks-region.

      gcloud compute backend-services updateBACKEND_SERVICE_NAME \    --region=REGION \    --health-checks=HEALTH_CHECK_NAME \    --health-checks-region=REGION

    • To change the health check for a backend service-basedexternal passthrough Network Load Balancer: An external passthrough Network Load Balancer's backend service isregional. It can reference a regional health check.

      gcloud compute backend-services updateBACKEND_SERVICE_NAME \    --region=REGION \    --health-checks=HEALTH_CHECK_NAME \    --health-checks-region=REGION

    • To change the health check for a global external proxy Network Load Balancer,classic proxy Network Load Balancer, global external Application Load Balancer, classic Application Load Balancer,or a cross-region internal Application Load Balancer: Both the backendservice and health check are global for these load balancers.Application Load Balancers can reference more thanone health check if it references more than one backend service.

      gcloud compute backend-services updateBACKEND_SERVICE_NAME \    --global \    --health-checksHEALTH_CHECK_NAME \    --global-health-checks

    • To change the health check for either a regional external Application Load Balancer,a regional external proxy Network Load Balancer, a regional internal Application Load Balancer, or aregional internal proxy Network Load Balancer: Both the backendservice and health check are regional. Some load balancers mightreference more than one health check if they can reference more than onebackend service.

      gcloud compute backend-services updateBACKEND_SERVICE_NAME \    --region=REGION \    --health-checks=HEALTH_CHECK_NAME \    --health-checks-region=REGION

API

  1. You can list backend services with thebackendServices.listAPI call.

  2. View health checks.

  3. To associate a health check with a backend service, use one of these APIcalls:

Associate legacy health checks with target pool-based external passthrough Network Load Balancers

To associate a legacy health check with a new external passthrough Network Load Balancer, refer toSet upan external passthrough Network Load Balancer with a targetpool. This section describeshow to associate a legacy health check with a target pool-based external passthrough Network Load Balancer.

This section assumes that you have already:

Console

To associate a health check with an existing target pool-basedexternal passthrough Network Load Balancer:

  1. Go to the Load balancing page in the Google Cloud console.
    Go to the Load balancing page
  2. Click a load balancer to view its details.
  3. ClickEdit , and then clickBackend configuration.
  4. Choose a legacy health check from theHealth check menu. (Onlyeligible legacy health checks are shown.)
  5. ClickUpdate.

gcloud

To associate a health check with an existing target pool-basedexternal passthrough Network Load Balancer:

  1. Identify the target pool(s). An external passthrough Network Load Balancer has at least onetarget pool, and might have a secondary backup pool.

    gcloud compute target-pools list

  2. Identify a legacy health check using theHTTP protocol.View legacyhealth checks if necessary.

  3. Associate the legacy health check with the target pool(s). In thefollowing commands, replaceTARGET_POOL_NAME with the name ofthe target pool,REGION with its region, andLEGACY_CHECK_NAME with the name of the legacy healthcheck. The legacy health check must use the HTTP protocol.

    • To remove a legacy HTTP health check from a target pool:

      gcloud compute target-pools remove-health-checksTARGET_POOL_NAME \    --region=REGION \    --http-health-checkLEGACY_CHECK_NAME

    • To add a legacy HTTP health check to a target pool:

      gcloud compute target-pools add-health-checksTARGET_POOL_NAME \    --region=REGION \    --http-health-checkLEGACY_CHECK_NAME

API

  1. You can list target pools with thetargetPools.listAPI call.

  2. View legacy health checksand identify a legacy HTTP health check.

  3. To associate a legacy HTTP health check with a target pool use the APIcalltargetPools.addHealthCheck.

Check health check status

After you associate a health check with a backend service or a target pool, youcan get the instantaneous health check state for the load balancer's backends.

Console

  1. Go to the load balancing summary page.
    Go to the Load balancingpage
  2. Click the name of a load balancer.
  3. UnderBackend, inspect theHealthy column. Health status isreported for each backend instance group or network endpoint group.

gcloud

  • For all load balancers except target pool-based external passthrough Network Load Balancers,identify the name and scope (global or regional) of the backend service.For a complete list of load balancers and scopes, seeBackendservices.

    Use thecompute backend-servicesget-healthcommand, replacingNAME with the name of the backend service,andREGION with its region, if required.

    • To get the instantaneous health state of a global backend service:

      gcloud compute backend-services get-healthGLOBAL_BACKEND_SERVICE_NAME \    --global

    • To get the instantaneous health state of a regional backend service:

      gcloud compute backend-services get-healthREGIONAL_BACKEND_SERVICE_NAME \    --region=REGION

  • For target pool-based external passthrough Network Load Balancers, identify the nameand region of the load balancer's target pool, and then usethecompute target-poolsget-healthcommand, replacingNAME with the name of the target pool,andREGION with its region.

    gcloud compute target-pools get-healthTARGET_POOL_NAME \    --region=REGION

API

  • For all load balancers except target pool-based external passthrough Network Load Balancers,identify the name and scope (global or regional) of the backend service.For a complete list of load balancers and scopes, seeBackendservices.

  • For target pool-based external passthrough Network Load Balancers, usetargetPools.getHealth

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.