Set up an internal Application Load Balancer with Shared VPC

This document shows you two sample configurations for setting up aninternal Application Load Balancer in a Shared VPC environment:

  • The first example creates all the load balancer components and backends in oneservice project.
  • The second example creates the load balancer's frontend components and URL mapin one service project, while the load balancer's backend service andbackends are created in a different service project. This type of deployment,where the URL map references a backend service in another project, isreferred to asCross-project service referencing.

Both examples require the same upfront configuration tograntpermissions andset upShared VPC before you can start creating loadbalancers.

These are not the only Shared VPC configurations supported byinternal Application Load Balancers. For other valid Shared VPC architectures, seeShared VPC architectures.

If you don't want to use a Shared VPC network, seeSet up an internal Application Load Balancer.

Note:

For cross-region internal Application Load Balancers, you can use all the Shared VPC examples provided in this document.

To configure cross-region internal Application Load Balancers, see Set up a cross-region internal Application Load Balancer with VM instance group backends.

Before you begin

  1. ReadShared VPC overview.
  2. ReadInternal Application Load Balancer overview,including theShared VPCarchitectures section.

Permissions required

Setting up a load balancer on a Shared VPC network requires someinitial setup and provisioning by an administrator. After the initial setup, aservice project owner can do one of the following:

  • Deploy all the load balancer's components and its backends in a service project.
  • Deploy the load balancer's backend components (backend service and backends) in service projects that can be referenced by a URL map in another service or host project.

This section summarizes the permissions required to follow this guideto set up a load balancer on a Shared VPC network.

Set up Shared VPC

The following roles are required for the following tasks:

  1. Perform one-off administrative tasks such as setting up theShared VPC and enabling a host project.
  2. Perform administrative tasks that must be repeated every time you want to onboard a newservice project. This includes attaching the service project, provisioningand configuring networking resources, and granting access to the serviceproject administrator.

These tasks must be performed in the Shared VPC host project. Werecommend that the Shared VPC Admin also be the owner of theShared VPC host project. This automatically grants the Network Admin andSecurity Admin roles.

TaskRequired role
Set up Shared VPC, enable host project, and grant access to service project administratorsShared VPC Admin
Create subnets in the Shared VPC host project and grant access to service project administratorsNetwork Admin
Add and remove firewall rulesSecurity Admin

After the subnets have been provisioned, the host project owner must grant theNetwork User rolein the host project to anyone (typically service projectadministrators, developers, or service accounts) who needs to use theseresources.

TaskRequired role
Use VPC networks and subnets belonging to the host projectNetwork User

This role can be granted on the project level or for individual subnets. Werecommend that you grant the role on individual subnets. Granting the role onthe project provides access to all current and future subnets in theVPC network of the host project.

Deploy load balancer and backends

Service project administrators need the following rolesin the service projectto create load balancing resources and backends. These permissions are grantedautomatically to the service project owner or editor.

Roles granted in the service project
TaskRequired role
Create load balancer componentsNetwork Admin
Create instancesInstance Admin
Create and modify SSL certificatesSecurity Admin

Prerequisites

In this section, you need to perform the following steps:

  1. Configure the network and subnets in the host project.
  2. Set up Shared VPC in the host project.

The steps in this section do not need to be performed every time you want tocreate a new load balancer. However, you must ensure that you have access tothe resources described here before you proceed to creating the load balancer.

Configure the network and subnets in the host project

You need a Shared VPC network with two subnets: one for the loadbalancer's frontend and backends and one for the load balancer's proxies.

This example uses the following network, region, and subnets:

  • Network. The network is namedlb-network.

  • Subnet for load balancer's frontend and backends. A subnetnamedlb-frontend-and-backend-subnet in theus-west1 region uses10.1.2.0/24 for its primary IP range.

  • Subnet for proxies. A subnet namedproxy-only-subnet in theus-west1 region uses10.129.0.0/23 for its primary IP range.

Note: You can change the name of the network, the region, and the parameters forthe subnets; however, subsequent steps in this guide use the network, region,and subnet parameters as outlined here.

Configure the subnet for the load balancer's frontend and backends

This step does not need to be performed every time you want to create a newload balancer. You only need to ensure that the service project has access toa subnet in the Shared VPC network (in addition to the proxy-onlysubnet).

All the steps in this section must be performed in the host project.

Console

  1. In the Google Cloud console, go to theVPC networks page.

    Go to VPC networks

  2. ClickCreate VPC network.
  3. ForName, enterlb-network.

  4. In theSubnets section:

    1. Set theSubnet creation mode toCustom.

    2. In theNew subnet section, enter the following information:

      • Name:lb-frontend-and-backend-subnet

      • Region:us-west1

      • IP address range:10.1.2.0/24

    3. ClickDone.

  5. ClickCreate.

gcloud

  1. Create a VPC network with thegcloud computenetworks create command:

    gcloud compute networks create lb-network --subnet-mode=custom

  2. Create a subnet in thelb-network network in theus-west1 region:

    gcloud compute networks subnets create lb-frontend-and-backend-subnet
        --network=lb-network
        --range=10.1.2.0/24
        --region=us-west1

Terraform

  1. Create a VPC network:

    # Shared VPC networkresource "google_compute_network" "lb_network" {  name                    = "lb-network"  provider                = google-beta  project                 = "my-host-project-id"  auto_create_subnetworks = false}

  2. Create a subnet in theus-west1 region:

    # Shared VPC network - backend subnetresource "google_compute_subnetwork" "lb_frontend_and_backend_subnet" {  name          = "lb-frontend-and-backend-subnet"  provider      = google-beta  project       = "my-host-project-id"  region        = "us-west1"  ip_cidr_range = "10.1.2.0/24"  role          = "ACTIVE"  network       = google_compute_network.lb_network.id}

Configure the proxy-only subnet

The proxy-only subnet is used by allregional Envoy-based loadbalancers in theus-west1region, in thelb-network VPC network. There can only be oneactive proxy-only subnet per region, per network.

Do not perform this step if there is already a proxy-only subnet reserved in theus-west1 region in this network.

Important: Don't try to assign IP addresses from this proxy-only subnet to your loadbalancer's forwarding rule or backends. You assign the forwarding rule's IPaddress and the backend instance's IP addresses from adifferent subnet range (orranges), not this one. Google Cloud reserves this subnetrange for Google Cloud-managed proxies.

All the steps in this section must be performed in the host project.

Console

  1. In the Google Cloud console, go to theVPC networks page.

    Go to VPC networks

  2. Click the name of the Shared VPC network:lb-network.
  3. ClickAdd subnet.
  4. ForName, enterproxy-only-subnet.
  5. ForRegion, selectus-west1.
  6. SetPurpose toRegional Managed Proxy.
  7. ForIP address range, enter10.129.0.0/23.
  8. ClickAdd.

gcloud

Create the proxy-only subnet with thegcloud compute networks subnetscreate command:

gcloud compute networks subnets create proxy-only-subnet \    --purpose=REGIONAL_MANAGED_PROXY \    --role=ACTIVE \    --region=us-west1 \    --network=lb-network \    --range=10.129.0.0/23

Terraform

Create the proxy-only subnet:

# Shared VPC network - proxy-only subnetresource "google_compute_subnetwork" "proxy_only_subnet" {  name          = "proxy-only-subnet"  provider      = google-beta  project       = "my-host-project-id"  region        = "us-west1"  ip_cidr_range = "10.129.0.0/23"  role          = "ACTIVE"  purpose       = "REGIONAL_MANAGED_PROXY"  network       = google_compute_network.lb_network.id}

Give service project admins access to the backend subnet

Service project administrators require access to thelb-frontend-and-backend-subnet subnet so that they can provision the loadbalancer's backends.

A Shared VPC Admin must grant access to the backend subnet to serviceproject administrators (or developers who deploy resources and backendsthat use the subnet). For instructions, seeService Project Admins for some subnets.

Note: Service project administrators do not need to begranted access to the proxy-only subnet. However, without a pre-existing proxy-onlysubnet in the region, service project administrators cannot create forwarding rulesforregional Envoy-based loadbalancers in that region.

Configure firewall rules in the host project

This example uses the following firewall rules:
  • fw-allow-health-check. An ingress rule, applicable to the instancesbeing load balanced, that allows all TCP traffic from the Google Cloudhealth checking systems in130.211.0.0/22 and35.191.0.0/16. Thisexample uses the target tagload-balanced-backend to identify the instancesto which it should apply.
  • fw-allow-proxies. An ingress rule, applicable to the instances beingload balanced, that allows TCP traffic on ports80,443, and8080 fromthe load balancer's managed proxies. This example uses thetarget tagload-balanced-backend to identify the instances to which itshould apply.
  • fw-allow-ssh. An ingress rule, applicable to the instances being loadbalanced, that allows incoming SSH connectivity on TCP port22 from anyaddress. You can choose a more restrictive source IP range for thisrule. For example, you can specify just the IP ranges of the systemfrom which you initiate SSH sessions. This example uses the targettagallow-ssh to identify the virtual machines (VMs) to which thefirewall rule applies.
Without these firewall rules, thedefault denyingress rule blocks incomingtraffic to the backend instances.

All the steps in this section must be performed in the host project.

Console

  1. In the Google Cloud console, go to theFirewall policies page.

    Go to Firewall policies

  2. ClickCreate firewall rule to create the rule to allow Google Cloud health checks:
    • Name:fw-allow-health-check
    • Network:lb-network
    • Direction of traffic: Ingress
    • Action on match: Allow
    • Targets: Specified target tags
    • Target tags:load-balanced-backend
    • Source filter: IPv4 ranges
    • Source IPv4 ranges:130.211.0.0/22 and35.191.0.0/16
    • Protocols and ports:
      • ChooseSpecified protocols and ports.
      • CheckTCP and enter80 for the port number.

        • As a best practice, limit this rule to just the protocols and ports that match those used by your health check. If you usetcp:80 for the protocol and port, Google Cloud can use HTTP on port80 to contact your VMs, but it cannot use HTTPS on port443 to contact them.

  3. ClickCreate.
  4. ClickCreate firewall rule to create the rule to allow Google Cloud health checks:
    • Name:fw-allow-proxies
    • Network:lb-network
    • Direction of traffic: Ingress
    • Action on match: Allow
    • Targets: Specified target tags
    • Target tags:load-balanced-backend
    • Source filter: IPv4 ranges
    • Source IPv4 ranges:10.129.0.0/23
    • Protocols and ports:
      • ChooseSpecified protocols and ports.
      • CheckTCP and enter80, 443, 8080 for the port numbers.
  5. ClickCreate.
  6. ClickCreate firewall rule to create the rule to allow Google Cloud health checks:
    • Name:fw-allow-ssh
    • Network:lb-network
    • Direction of traffic: Ingress
    • Action on match: Allow
    • Targets: Specified target tags
    • Target tags:allow-ssh
    • Source filter: IPv4 ranges
    • Source IPv4 ranges:0.0.0.0/0
    • Protocols and ports:
      • ChooseSpecified protocols and ports.
      • CheckTCP and enter22 for the port number.
  7. ClickCreate.

gcloud

  1. Create thefw-allow-health-check firewall rule to allowGoogle Cloud health checks. This example allows all TCP trafficfrom health check probers. However, you can configure a narrower setof ports to meet your needs.

    gcloud compute firewall-rules create fw-allow-health-check \   --network=lb-network \   --action=allow \   --direction=ingress \   --source-ranges=130.211.0.0/22,35.191.0.0/16 \   --target-tags=load-balanced-backend \   --rules=tcp

  2. Create thefw-allow-proxies firewall rule to allow trafficfrom the Envoy proxy-only subnet to reach your backends.

    gcloud compute firewall-rules create fw-allow-proxies \   --network=lb-network \   --action=allow \   --direction=ingress \   --source-ranges=10.129.0.0/23 \   --target-tags=load-balanced-backend \   --rules=tcp:80,tcp:443,tcp:8080

  3. Create thefw-allow-ssh firewall rule to allow SSHconnectivity to VMs with the network tagallow-ssh.When you omitsource-ranges,Google Cloudinterprets the rule to mean anysource.

    gcloud compute firewall-rules create fw-allow-ssh \   --network=lb-network \   --action=allow \   --direction=ingress \   --target-tags=allow-ssh \   --rules=tcp:22

Terraform

  1. Create a firewall rule to allow Google Cloud health checks.

    resource "google_compute_firewall" "fw_allow_health_check" {  name          = "fw-allow-health-check"  provider      = google-beta  project       = "my-host-project-id"  direction     = "INGRESS"  network       = google_compute_network.lb_network.id  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]  allow {    protocol = "tcp"  }  target_tags = ["load-balanced-backend"]}

  2. Create a firewall rule to allow traffic from the Envoy proxy-only subnetto reach your backends.

    resource "google_compute_firewall" "fw_allow_proxies" {  name          = "fw-allow-proxies"  provider      = google-beta  project       = "my-host-project-id"  direction     = "INGRESS"  network       = google_compute_network.lb_network.id  source_ranges = ["10.129.0.0/23"]  allow {    protocol = "tcp"    ports    = ["80", "443", "8080"]  }  target_tags = ["load-balanced-backend"]}

  3. Create a firewall rule to allow SSH connectivity to VMs with the networktagallow-ssh.

    resource "google_compute_firewall" "fw_allow_ssh" {  name          = "fw-allow-ssh"  provider      = google-beta  project       = "my-host-project-id"  direction     = "INGRESS"  network       = google_compute_network.lb_network.id  source_ranges = ["0.0.0.0/0"]  allow {    protocol = "tcp"    ports    = ["22"]  }  target_tags = ["allow-ssh"]}

Set up Shared VPC in the host project

This step entails enabling a Shared VPC host project, sharing subnets ofthe host project, and attaching service projects to the host project so that theservice projects can use the Shared VPC network. To set upShared VPC in the host project, see the following pages:

Note: Managed instance groups used with Shared VPC require making theGoogle APIs service account a Service Project Admin. This is because taskslike automatic instance creation via autoscaling are performedby this type of service account. To define theGoogle APIs service account asa Service Project Admin for the subnet in the Shared VPC hostproject, seeGoogle APIs service account as a Service ProjectAdmin.

The rest of these instructions assume that you have already set upShared VPC. This includessetting up IAM policies for yourorganization and designatingthe host and service projects.

Don't proceed until you have set up Shared VPC and enabled the hostand service projects.

After completing the steps defined in this prerequisites section, you can pursueeither of the following setups:

Configure a load balancer in the service project

This example creates an internal Application Load Balancer where all the load balancing components(forwarding rule, target proxy, URL map, and backend service) and backends arecreated in the service project.

The internal Application Load Balancer's networking resources such as the proxy-only subnet andthe subnet for the backend instances are created in the host project. Thefirewall rules for the backend instances are also created in the host project.

Figure 1. Internal Application Load Balancer on Shared VPC
Figure 1. Internal Application Load Balancer on Shared VPC

This section shows you how to set up the load balancer and backends. These stepsshould be carried out by the service project administrator (or a developeroperating within the service project) and do not require involvement from thehost project administrator. The steps in this section are largely similar tothestandard steps to set up aninternal Application Load Balancer.

The example on this page explicitly sets a reserved internal IP address forthe internal Application Load Balancer's forwarding rule, rather than allowing anephemeral internal IP address to be allocated. As a best practice, we recommendreserving IP addresses for forwarding rules.

Create the managed instance group backend

Note: This section shows you how to set up an internal Application Load Balancer with VMinstances located in a service project. Internal Application Load Balancers alsosupport Shared VPC with pods in a GKE clusterusingcontainer-native load balancing with network endpoint groups(NEGs).

This section shows how to create a template and a managed instance group. Themanaged instance group provides VM instances running the backend servers of anexample internal Application Load Balancer. Traffic from clients is load balanced tothese backend servers. For demonstration purposes, backends serve their ownhostnames.

Console

  1. Create an instance template. In the Google Cloud console, go to theInstance templates page.

    Go to Instance templates

    1. ClickCreate instance template.
    2. ForName, enterl7-ilb-backend-template.
    3. Ensure that theBoot disk is set to a Debian image, such asDebian GNU/Linux 12 (bookworm). These instructions use commands thatare only available on Debian, such asapt-get. If you need to changetheBoot disk, clickChange.
      1. ForOperating System, selectDebian.
      2. ForVersion, select one of the available Debian images suchasDebian GNU/Linux 12 (bookworm).
      3. ClickSelect.
    4. ClickAdvanced options, and then clickNetworking.
    5. Enter the followingNetworktags:allow-ssh,load-balanced-backend.
    6. In theNetwork interfaces section,selectNetworks shared with me(from host project:HOST_PROJECT_ID).
    7. Select thelb-frontend-and-backend-subnet subnet from thelb-network network.
    8. ClickManagement. ForManagement, insert the followingscript into theStartup script field.
       #! /bin/bash apt-get update apt-get install apache2 -y a2ensite default-ssl a2enmod ssl vm_hostname="$(curl -H "Metadata-Flavor:Google"
       http://metadata.google.internal/computeMetadata/v1/instance/name)" echo "Page served from: $vm_hostname" |
       tee /var/www/html/index.html systemctl restart apache2
    9. ClickCreate.

  2. Create a managed instance group. In the Google Cloud console, go to theInstance groups page.

    Go to Instance groups

    1. ClickCreate instance group.
    2. ChooseNew managed instance group (stateless). For moreinformation, seeStateless or stateful MIGs.
    3. ForName, enterl7-ilb-backend-example.
    4. ForLocation, selectSingle zone.
    5. ForRegion, selectus-west1.
    6. ForZone, selectus-west1-a.
    7. ForInstance template, selectl7-ilb-backend-template.

    8. Specify the number of instances that you want to create in the group.

      For this example, specify the following options forAutoscaling:

      • ForAutoscaling mode, selectOff:do not autoscale.
      • ForMaximum number of instances, enter2.

      Optionally, in theAutoscaling section of the UI, you can configurethe instance group toautomatically add or removeinstances based on instance CPU usage.

    9. ClickCreate.

gcloud

Thegcloud instructions in this guide assume that you are usingCloudShell or another environment with bash installed.

  1. Create a VM instance template with an HTTP server with thegcloud compute instance-templates createcommand.

    gcloud compute instance-templates create l7-ilb-backend-template \--region=us-west1 \--network=projects/HOST_PROJECT_ID/global/networks/lb-network \--subnet=projects/HOST_PROJECT_ID/regions/us-west1/subnetworks/lb-frontend-and-backend-subnet \--tags=allow-ssh,load-balanced-backend \--image-family=debian-12 \--image-project=debian-cloud \--metadata=startup-script='#! /bin/bashapt-get updateapt-get install apache2 -ya2ensite default-ssla2enmod sslvm_hostname="$(curl -H "Metadata-Flavor:Google" \http://metadata.google.internal/computeMetadata/v1/instance/name)"echo "Page served from: $vm_hostname" | \tee /var/www/html/index.htmlsystemctl restart apache2' \--project=SERVICE_PROJECT_ID

  2. Create a managed instance group in the zone with thegcloud computeinstance-groups managed createcommand.

    gcloud compute instance-groups managed create l7-ilb-backend-example \    --zone=us-west1-a \    --size=2 \    --template=l7-ilb-backend-template \    --project=SERVICE_PROJECT_ID

Terraform

  1. Create a VM instance template.

    # Instance templateresource "google_compute_instance_template" "default" {  name     = "l7-ilb-backend-template"  provider = google-beta  project  = "my-service-project-id"  region   = "us-west1"  # For machine type, using small. For more options check https://cloud.google.com/compute/docs/machine-types  machine_type = "e2-small"  tags         = ["allow-ssh", "load-balanced-backend"]  network_interface {    network    = google_compute_network.lb_network.id    subnetwork = google_compute_subnetwork.lb_frontend_and_backend_subnet.id    access_config {      # add external ip to fetch packages like apache2, ssl    }  }  disk {    source_image = "debian-cloud/debian-12"    auto_delete  = true    boot         = true  }  # install apache2 and serve a simple web page  metadata = {    startup-script = <<EOF    #! /bin/bash    sudo apt-get update    sudo apt-get install apache2 -y    sudo a2ensite default-ssl    sudo a2enmod ssl    vm_hostname="$(curl -H "Metadata-Flavor:Google" \    http://metadata.google.internal/computeMetadata/v1/instance/name)"    sudo echo "Page served from: $vm_hostname" | \    tee /var/www/html/index.html    sudo systemctl restart apache2    EOF  }}

  2. Create a managed instance group.

    For HTTP:

    # MIGresource "google_compute_instance_group_manager" "default" {  name               = "l7-ilb-backend-example"  provider           = google-beta  project            = "my-service-project-id"  zone               = "us-west1-a"  base_instance_name = "vm"  target_size        = 2  version {    instance_template = google_compute_instance_template.default.id    name              = "primary"  }  named_port {    name = "http"    port = 80  }}

    For HTTPS:

    # MIGresource "google_compute_instance_group_manager" "default" {  name               = "l7-ilb-backend-example"  provider           = google-beta  project            = "my-service-project-id"  zone               = "us-west1-a"  base_instance_name = "vm"  target_size        = 2  version {    instance_template = google_compute_instance_template.default.id    name              = "primary"  }  named_port {    name = "https"    port = 443  }}

Configure the load balancer

This section shows you how to create the internal Application Load Balancer resources:

  • HTTP health check
  • Backend service with a managed instance group as the backend
  • A URL map
  • SSL certificate (required only for HTTPS)
  • Target proxy
  • Forwarding rule

Proxy availability

Depending on the number of service projects that are using the sameShared VPC network, you might reachquotas or limitsmore quickly than in the network deployment model whereeach Google Cloud project hosts its own network.

For example, sometimes Google Cloud regions don't have enough proxycapacity for a new internal Application Load Balancer. If this happens, the Google Cloud consoleprovides a proxy availability warning message when you are creating your loadbalancer. To resolve this issue, you can do one of the following:

  • Wait for the capacity issue to be resolved.

  • Contact your Google Cloud sales team to increase these limits.

Console

Switch context to the service project

  1. In the Google Cloud console, go to theDashboard page.

    Go to Dashboard

  2. Click theSelect from list at the top of the page. In theSelect from window that appears, select the service project whereyou want to create the load balancer.

Select the load balancer type

  1. In the Google Cloud console, go to theLoad balancing page.

    Go to Load balancing

  2. ClickCreate load balancer.
  3. ForType of load balancer, selectApplication Load Balancer (HTTP/HTTPS) and clickNext.
  4. ForPublic facing or internal, selectInternal and clickNext.
  5. ForCross-region or single region deployment, selectBest for regional workloads and clickNext.
  6. ClickConfigure.

Basic configuration

  1. For theName of the load balancer, enterl7-ilb-shared-vpc.
  2. For theRegion, selectus-west1.

  3. For theNetwork, selectlb-network(fromProject:HOST_PROJECT_ID).

    If you see aProxy-only subnet required in Shared VPC network warning, confirm that the host project admin has created theproxy-only-subnet in theus-west1 region in thelb-network Shared VPC network. Load balancer creation succeeds even if you do not have permission to view the proxy-only subnet on this page.

  4. Keep the window open to continue.

Configure the backend

  1. ClickBackend configuration.
  2. From theCreate or select backend services menu,selectCreate a backend service.
  3. Set theName of the backend service tol7-ilb-backend-service.
  4. Set theBackend type toInstance groups.
  5. In theHealth check list, selectCreate a health check, and thenenter the following information:
    1. Name:l7-ilb-basic-check
    2. Protocol:HTTP
    3. Port:80
  6. ClickCreate.

  7. In theNew backend section:

    1. Set theInstance group tol7-ilb-backend-example.
    2. Set thePort numbers to80.
    3. Set theBalancing mode toUtilization.
    4. ClickDone.

  8. ClickCreate.

Configure the routing rules

  • ClickRouting rules. Ensure that thel7-ilb-backend-serviceis the only backend service for any unmatched host and any unmatchedpath.

For information about traffic management, seeSetting up trafficmanagement.

Configure the frontend

For HTTP:

  1. ClickFrontend configuration.
  2. Set theName tol7-ilb-forwarding-rule.
  3. Set theProtocol toHTTP.
  4. Set theSubnetwork tolb-frontend-and-backend-subnet.Don't select the proxy-only subnet for the frontend even if itis an option in the list.
  5. Set thePort to80.
  6. Click theIP address menu, and then clickCreate IP address.
  7. In theReserve a static internal IP address panel, provide thefollowing details:
    1. For theName, enterip-address-shared-vpc.
    2. ForStatic IP address, clickLet me choose. ForCustom IPaddress, enter10.1.2.99.
    3. (Optional) If you want to share this IP address with differentfrontends, for setPurpose toShared.
  8. ClickDone.

For HTTPS:

If you are using HTTPS between the client and the load balancer,you need one or more SSL certificate resources to configure the proxy.For information about how to create SSL certificate resources, seeSSL certificates. Google-managedcertificates aren't currently supported with internal Application Load Balancers.

  1. ClickFrontend configuration.
  2. In theName field, enterl7-ilb-forwarding-rule.
  3. In theProtocol field, selectHTTPS (includes HTTP/2).
  4. Set theSubnetwork tolb-frontend-and-backend-subnet.Don't select the proxy-only subnet for the frontend even if itis an option in the list.
  5. Ensure that thePort is set to443 to allow HTTPS traffic.
  6. Click theIP address menu, and then clickCreate IP address.
  7. In theReserve a static internal IP address panel, provide thefollowing details:
    1. For theName, enterip-address-shared-vpc.
    2. ForStatic IP address, clickLet me choose. ForCustom IPaddress, enter10.1.2.99.
    3. (Optional) If you want to share this IP address with differentfrontends, for setPurpose toShared.
  8. Click theCertificate list.
    1. If you already have aself-managed SSLcertificate resource thatyou want to use as the primary SSL certificate, select it from themenu.
    2. Otherwise, selectCreate a new certificate.
      1. Fill in aName ofl7-ilb-cert.
      2. In the appropriate fields, upload your PEM-formatted files:
        • Public key certificate
        • Certificate chain
        • Private key
      3. ClickCreate.
  9. To add certificate resources in addition tothe primary SSL certificate resource:
    1. ClickAdd certificate.
    2. Select a certificate from theCertificates list or clickCreate a new certificate and follow the previous instructions.
  10. ClickDone.

Review and finalize the configuration

  • ClickCreate.

gcloud

  1. Define the HTTP health check with thegcloud compute health-checkscreate httpcommand.

    gcloud compute health-checks create http l7-ilb-basic-check \   --region=us-west1 \   --use-serving-port \   --project=SERVICE_PROJECT_ID

  2. Define the backend service with thegcloud compute backend-servicescreate command.

    gcloud compute backend-services create l7-ilb-backend-service \  --load-balancing-scheme=INTERNAL_MANAGED \  --protocol=HTTP \  --health-checks=l7-ilb-basic-check \  --health-checks-region=us-west1 \  --region=us-west1 \  --project=SERVICE_PROJECT_ID

  3. Add backends to the backend service with thegcloud compute backend-servicesadd-backend command.

    gcloud compute backend-services add-backend l7-ilb-backend-service \  --balancing-mode=UTILIZATION \  --instance-group=l7-ilb-backend-example \  --instance-group-zone=us-west1-a \  --region=us-west1 \  --project=SERVICE_PROJECT_ID

  4. Create the URL map with thegcloud compute url-mapscreate command.

    gcloud compute url-maps create l7-ilb-map \  --default-service=l7-ilb-backend-service \  --region=us-west1 \  --project=SERVICE_PROJECT_ID

  5. Create the target proxy.

    For HTTP:

    For an internal HTTP load balancer, create the target proxywith thegcloud compute target-http-proxiescreate command.

    gcloud compute target-http-proxies create l7-ilb-proxy \  --url-map=l7-ilb-map \  --url-map-region=us-west1 \  --region=us-west1 \  --project=SERVICE_PROJECT_ID

    For HTTPS:

    For information about how to create SSL certificate resources, seeSSL certificates. Google-managedcertificates aren't currently supported with internal Application Load Balancers.

    Assign your filepaths to variable names.

    export LB_CERT=path to PEM-formatted file
    export LB_PRIVATE_KEY=path to PEM-formatted file

    Create a regional SSL certificate using thegcloud computessl-certificatescreate command.

    gcloud compute ssl-certificates create l7-ilb-cert \  --certificate=$LB_CERT \  --private-key=$LB_PRIVATE_KEY \  --region=us-west1

    Use the regional SSL certificate to create a target proxy with thegcloudcompute target-https-proxiescreatecommand.

    gcloud compute target-https-proxies create l7-ilb-proxy \  --url-map=l7-ilb-map \  --region=us-west1 \  --ssl-certificates=l7-ilb-cert \  --project=SERVICE_PROJECT_ID

  6. Create the forwarding rule.

    For custom networks, you must reference the subnet in the forwarding rule.

    For the forwarding rule's IP address, use thelb-frontend-and-backend-subnet. If you tryto use theproxy-only subnet,forwarding rule creation fails.

    For HTTP:

    Use thegcloud compute forwarding-rulescreate commandwith the correct flags.

    gcloud compute forwarding-rules create l7-ilb-forwarding-rule \  --load-balancing-scheme=INTERNAL_MANAGED \  --network=projects/HOST_PROJECT_ID/global/networks/lb-network \  --subnet=projects/HOST_PROJECT_ID/regions/us-west1/subnetworks/lb-frontend-and-backend-subnet \  --address=IP_ADDRESS_NAME \  --ports=80 \  --region=us-west1 \  --target-http-proxy=l7-ilb-proxy \  --target-http-proxy-region=us-west1 \  --project=SERVICE_PROJECT_ID

    For HTTPS:

    Use thegcloud compute forwarding-rulescreate commandwith the correct flags.

    gcloud compute forwarding-rules create l7-ilb-forwarding-rule \  --load-balancing-scheme=INTERNAL_MANAGED \  --network=projects/HOST_PROJECT_ID/global/networks/lb-network \  --subnet=projects/HOST_PROJECT_ID/regions/us-west1/subnetworks/lb-frontend-and-backend-subnet \  --address=IP_ADDRESS_NAME \  --ports=443 \  --region=us-west1 \  --target-https-proxy=l7-ilb-proxy \  --target-https-proxy-region=us-west1 \  --project=SERVICE_PROJECT_ID

Terraform

  1. Define the HTTP health check.

    For HTTP:

    # health checkresource "google_compute_health_check" "default" {  name               = "l7-ilb-basic-check"  provider           = google-beta  project            = "my-service-project-id"  timeout_sec        = 1  check_interval_sec = 1  http_health_check {    port = "80"  }}

    For HTTPS:

    # health checkresource "google_compute_health_check" "default" {  name               = "l7-ilb-basic-check"  provider           = google-beta  project            = "my-service-project-id"  timeout_sec        = 1  check_interval_sec = 1  https_health_check {    port = "443"  }}

  2. Define the backend service.

    # backend serviceresource "google_compute_region_backend_service" "default" {  name                  = "l7-ilb-backend-service"  provider              = google-beta  project               = "my-service-project-id"  region                = "us-west1"  protocol              = "HTTP"  load_balancing_scheme = "INTERNAL_MANAGED"  timeout_sec           = 10  health_checks         = [google_compute_health_check.default.id]  backend {    group           = google_compute_instance_group_manager.default.instance_group    balancing_mode  = "UTILIZATION"    capacity_scaler = 1.0  }}

  3. Create the URL map.

    # URL mapresource "google_compute_region_url_map" "default" {  name            = "l7-ilb-map"  provider        = google-beta  project         = "my-service-project-id"  region          = "us-west1"  default_service = google_compute_region_backend_service.default.id}

  4. Create the target proxy.

    For HTTP:

    # HTTP target proxyresource "google_compute_region_target_http_proxy" "default" {  name     = "l7-ilb-proxy"  provider = google-beta  project  = "my-service-project-id"  region   = "us-west1"  url_map  = google_compute_region_url_map.default.id}

    For HTTPS:Create a regional SSL certificate

    For information about how to create SSL certificate resources, seeSSL certificates. Google-managedcertificates aren't currently supported with internal Application Load Balancers.

    # Use self-signed SSL certificateresource "google_compute_region_ssl_certificate" "default" {  name        = "l7-ilb-cert"  provider    = google-beta  project     = "my-service-project-id"  region      = "us-west1"  private_key = file("sample-private.key") # path to PEM-formatted file  certificate = file("sample-server.cert") # path to PEM-formatted file}

    Use the regional SSL certificate to create a target proxy

    # HTTPS target proxyresource "google_compute_region_target_https_proxy" "default" {  name             = "l7-ilb-proxy"  provider         = google-beta  project          = "my-service-project-id"  region           = "us-west1"  url_map          = google_compute_region_url_map.default.id  ssl_certificates = [google_compute_region_ssl_certificate.default.id]}

  5. Create the forwarding rule.

    For custom networks, you must reference the subnet in the forwarding rule.

    For HTTP:

    # Forwarding ruleresource "google_compute_forwarding_rule" "default" {  name                  = "l7-ilb-forwarding-rule"  provider              = google-beta  project               = "my-service-project-id"  region                = "us-west1"  ip_protocol           = "TCP"  port_range            = "80"  load_balancing_scheme = "INTERNAL_MANAGED"  target                = google_compute_region_target_http_proxy.default.id  network               = google_compute_network.lb_network.id  subnetwork            = google_compute_subnetwork.lb_frontend_and_backend_subnet.id  network_tier          = "PREMIUM"  depends_on            = [google_compute_subnetwork.lb_frontend_and_backend_subnet]}

    For HTTPS:

    # Forwarding ruleresource "google_compute_forwarding_rule" "default" {  name                  = "l7-ilb-forwarding-rule"  provider              = google-beta  project               = "my-service-project-id"  region                = "us-west1"  ip_protocol           = "TCP"  port_range            = "443"  load_balancing_scheme = "INTERNAL_MANAGED"  target                = google_compute_region_target_https_proxy.default.id  network               = google_compute_network.lb_network.id  subnetwork            = google_compute_subnetwork.lb_frontend_and_backend_subnet.id  network_tier          = "PREMIUM"  depends_on            = [google_compute_subnetwork.lb_frontend_and_backend_subnet]}

Test the load balancer

To test the load balancer, first create a sample client VM. Then establish anSSH session with the VM and send traffic from this VM to the load balancer.

Create a test VM instance

Clients can be located in either the host project or any connected serviceproject. In this example, you test that the load balancer is working bydeploying a client VM in a service project. The client must use the sameShared VPC network and be in the same region as the load balancer.

Console

  1. In the Google Cloud console, go to theVM instances page.

    Go to VM instances

  2. ClickCreate instance.

  3. Set theName toclient-vm.

  4. Set theZone tous-west1-a.

  5. ClickAdvanced options, and then clickNetworking.

  6. Enter the followingNetworktags:allow-ssh,load-balanced-backend.

  7. In theNetwork interfaces section,selectNetworks shared with me(from host project:HOST_PROJECT_ID).

  8. Select thelb-frontend-and-backend-subnet subnet from thelb-network network.

  9. ClickCreate.

gcloud

Create a test VM instance.

gcloud compute instances create client-vm \    --image-family=debian-12 \    --image-project=debian-cloud \    --subnet=projects/HOST_PROJECT_ID/regions/us-west1/subnetworks/lb-frontend-and-backend-subnet \    --zone=us-west1-a \    --tags=allow-ssh \    --project=SERVICE_PROJECT_ID

Terraform

Create a test VM instance.

resource "google_compute_instance" "vm_test" {  name         = "client-vm"  provider     = google-beta  project      = "my-service-project-id"  zone         = "us-west1-a"  machine_type = "e2-small"  tags         = ["allow-ssh"]  network_interface {    network    = google_compute_network.lb_network.id    subnetwork = google_compute_subnetwork.lb_frontend_and_backend_subnet.id  }  boot_disk {    initialize_params {      image = "debian-cloud/debian-12"    }  }  lifecycle {    ignore_changes = [      metadata["ssh-keys"]    ]  }}

Send traffic to the load balancer

Use SSH to connect to the instance that you just created and test that HTTP(S)services on the backends are reachable through the internal Application Load Balancer's forwardingrule IP address and that traffic is being load balanced across the backendinstances.

  1. Connect to the client instance with SSH.

    gcloud compute ssh client-vm \   --zone=us-west1-a

  2. Verify that the IP address is serving its hostname. ReplaceLB_IP_ADDRESS with the load balancer's IP address.

    curlLB_IP_ADDRESS

    For HTTPS testing, replacecurl with the following:

    curl -k -s 'https://LB_IP_ADDRESS:443'

    The-k flag causes curl to skip certificate validation.

Configure a load balancer with a cross-project backend service

The previous example on this page shows you how to set up a Shared VPCdeployment where all the load balancer components and its backends are createdin the service project.

Internal Application Load Balancers also let you configure Shared VPCdeployments where a URL map in one host or service project can reference backendservices (and backends) located across multiple service projects inShared VPC environments. This is referred to ascross-projectservice referencing.

You can use the steps in this section as a reference to configure any ofthe supported combinations listed here:

  • Forwarding rule, target proxy, and URL map in the host project, and backendservice in a service project
  • Forwarding rule, target proxy, and URL map in a service project, and backendservice in another service project

Cross-project service referencing can be used with instance groups, serverlessNEGs, or any other supported backend types. If you're using serverless NEGs,you need to create a VM in the VPC network where youintend to create the load balancer's frontend. For an example, seeCreate a VM instance in a specific subnetinSet up an internal Application Load Balancer with Cloud Run.

Set up requirements

This example configures a sample load balancer with its frontend and backendin two different service projects.

If you haven't already done so, you must complete all of the prerequisite stepsto set up Shared VPC and configure the network, subnets, and firewallrules required for this example. For instructions, see the following:

Figure 2. Load balancer frontend and backend in different service projects
Figure 2. Load balancer frontend and backend in different service projects

Create the backends and backend service in service project B

All the steps in this section must be performed in service project B.

Console

  1. Create an instance template. In the Google Cloud console, go to theInstance templates page.

    Go to Instance templates

    1. ClickCreate instance template.
    2. Enter aName for the instance template:cross-ref-backend-template.
    3. Ensure that theBoot disk is set to a Debian image, such asDebian GNU/Linux 12 (bookworm). These instructions use commands thatare only available on Debian, such asapt-get. If you need to changetheBoot disk, clickChange.
      1. ForOperating System, selectDebian.
      2. ForVersion, select one of the available Debian images suchasDebian GNU/Linux 12 (bookworm).
      3. ClickSelect.
    4. ClickAdvanced options, and then clickNetworking.
    5. Enter the followingNetworktags:allow-ssh,load-balanced-backend.
    6. In theNetwork interfaces section,selectNetworks shared with me(from host project:HOST_PROJECT_ID).
    7. Select thelb-frontend-and-backend-subnet subnet from thelb-network network.
    8. ClickManagement. ForManagement, insert the followingscript into theStartup script field.
      #! /bin/bashapt-get updateapt-get install apache2 -ya2ensite default-ssla2enmod sslvm_hostname="$(curl -H "Metadata-Flavor:Google"
      http://metadata.google.internal/computeMetadata/v1/instance/name)"echo "Page served from: $vm_hostname" |
      tee /var/www/html/index.htmlsystemctl restart apache2
    9. ClickCreate.

  2. Create a managed instance group. In the Google Cloud console, go to theInstance groups page.

    Go to Instance groups

    1. ClickCreate instance group.
    2. ChooseNew managed instance group (stateless). For moreinformation, seeStateless or stateful MIGs.
    3. Enter aName for the instance group:cross-ref-ig-backend.
    4. ForLocation, selectSingle zone.
    5. ForRegion, selectus-west1.
    6. ForZone, selectus-west1-a.
    7. ForInstance template, selectcross-ref-backend-template.

    8. Specify the number of instances that you want to create in the group.

      For this example, specify the following options forAutoscaling:

      • ForAutoscaling mode, selectOff:do not autoscale.
      • ForMaximum number of instances, enter2.

      Optionally, in theAutoscaling section of the UI, you can configurethe instance group toautomatically add or removeinstances based on instance CPU usage.

    9. ClickCreate.

  3. Create a regional backend service. As a part of this step we'll alsocreate the health check and add backends to the backend service.In the Google Cloud console, go to theBackends page.

    Go to Backends

    1. ClickCreate regional backend service.
    2. Enter aName for the backend service:cross-ref-backend-service.
    3. ForRegion, selectus-west1.
    4. ForLoad balancer type, selectRegional internal Application Load Balancer (INTERNAL_MANAGED).
    5. SetBackend type toInstance groups.
    6. In theHealth check list, clickCreate a health check, andthen enter the following information:
      1. Name:cross-ref-http-health-check
      2. Protocol:HTTP
      3. Port:80
    7. ClickCreate.
    8. In theBackends section, setNetwork tolb-network.
    9. ClickAdd backend and set the following fields:
      1. SetInstance group tocross-ref-ig-backend.
      2. Enter thePort numbers:80.
      3. SetBalancing mode toUtilization.
      4. ClickDone.
    10. ClickContinue.

    11. Optional: In theAdd permissions section, enter theIAM principals (typically an email address) of LoadBalancer Admins from other projects so that they can use this backendservice for load balancers in their own projects. Without thispermission, you cannot use cross-project service referencing.

      If you don't have permission to set access control policies forbackend services in this project, you can still create the backendservice now, and an authorized user can perform this step later asdescribed in the section,Grant permissions to the Load BalancerAdmin to use the backend service. That section alsodescribes how to grant access to all the backend services in thisproject, so that you don't have to grant access every time you createa new backend service.

    12. ClickCreate.

gcloud

  1. Create a VM instance template with an HTTP server with thegcloud computeinstance-templatescreate command.

    gcloud compute instance-templates createBACKEND_IG_TEMPLATE \    --region=us-west1 \    --network=projects/HOST_PROJECT_ID/global/networks/lb-network \    --subnet=projects/HOST_PROJECT_ID/regions/us-west1/subnetworks/lb-frontend-and-backend-subnet \    --tags=allow-ssh,load-balanced-backend \    --image-family=debian-12 \    --image-project=debian-cloud \    --metadata=startup-script='#! /bin/bash    apt-get update    apt-get install apache2 -y    a2ensite default-ssl    a2enmod ssl    vm_hostname="$(curl -H "Metadata-Flavor:Google" \    http://metadata.google.internal/computeMetadata/v1/instance/name)"    echo "Page served from: $vm_hostname" | \    tee /var/www/html/index.html    systemctl restart apache2' \    --project=SERVICE_PROJECT_B_ID

    Replace the following:

    • BACKEND_IG_TEMPLATE: the name for theinstance group template.
    • SERVICE_PROJECT_B_ID: the project ID forservice project B, where the load balancer's backends and the backendservice are being created.
    • HOST_PROJECT_ID: the project ID for theShared VPC host project.

  2. Create a managed instance group in the zone with thegcloud computeinstance-groups managedcreatecommand.

    gcloud compute instance-groups managed createBACKEND_MIG \    --zone=us-west1-a \    --size=2 \    --template=BACKEND_IG_TEMPLATE \    --project=SERVICE_PROJECT_B_ID

    Replace the following:

    • BACKEND_MIG: the name for thebackend instance group.

  3. Define the HTTP health check with thegcloud compute health-checkscreate httpcommand.

    gcloud compute health-checks create httpHTTP_HEALTH_CHECK_NAME \  --region=us-west1 \  --use-serving-port \  --project=SERVICE_PROJECT_B_ID

    Replace the following:

    • HTTP_HEALTH_CHECK_NAME: the name for theHTTP health check.

  4. Define the backend service with thegcloud compute backend-servicescreate command.

    gcloud compute backend-services createBACKEND_SERVICE_NAME \  --load-balancing-scheme=INTERNAL_MANAGED \  --protocol=HTTP \  --health-checks=HTTP_HEALTH_CHECK_NAME \  --health-checks-region=us-west1 \  --region=us-west1 \  --project=SERVICE_PROJECT_B_ID

    Replace the following:

    • BACKEND_SERVICE_NAME: the name for thebackend service created in service project B.

  5. Add backends to the backend service with thegcloud computebackend-servicesadd-backendcommand.

    gcloud compute backend-services add-backendBACKEND_SERVICE_NAME \  --balancing-mode=UTILIZATION \  --instance-group=BACKEND_MIG \  --instance-group-zone=us-west1-a \  --region=us-west1 \  --project=SERVICE_PROJECT_B_ID

Terraform

  1. Create an instance template.

    # Instance templateresource "google_compute_instance_template" "default" {  name     = "l7-ilb-backend-template"  provider = google-beta  project  = "my-service-project-b-id"  region   = "us-west1"  # For machine type, using small. For more options check https://cloud.google.com/compute/docs/machine-types  machine_type = "e2-small"  tags         = ["allow-ssh", "load-balanced-backend"]  network_interface {    network    = google_compute_network.lb_network.id    subnetwork = google_compute_subnetwork.lb_frontend_and_backend_subnet.id    access_config {      # add external ip to fetch packages like apache2, ssl    }  }  disk {    source_image = "debian-cloud/debian-12"    auto_delete  = true    boot         = true  }  # install apache2 and serve a simple web page  metadata = {    startup-script = <<EOF    #! /bin/bash    sudo apt-get update    sudo apt-get install apache2 -y    sudo a2ensite default-ssl    sudo a2enmod ssl    vm_hostname="$(curl -H "Metadata-Flavor:Google" \    http://metadata.google.internal/computeMetadata/v1/instance/name)"    sudo echo "Page served from: $vm_hostname" | \    tee /var/www/html/index.html    sudo systemctl restart apache2    EOF  }}

  2. Create a managed instance group.

    For HTTP

    # MIGresource "google_compute_instance_group_manager" "default" {  name               = "l7-ilb-backend-example"  provider           = google-beta  project            = "my-service-project-b-id"  zone               = "us-west1-a"  base_instance_name = "vm"  target_size        = 2  version {    instance_template = google_compute_instance_template.default.id    name              = "primary"  }  named_port {    name = "http"    port = 80  }}

    For HTTPS

    # MIGresource "google_compute_instance_group_manager" "default" {  name               = "l7-ilb-backend-example"  provider           = google-beta  project            = "my-service-project-b-id"  zone               = "us-west1-a"  base_instance_name = "vm"  target_size        = 2  version {    instance_template = google_compute_instance_template.default.id    name              = "primary"  }  named_port {    name = "https"    port = 443  }}

  3. Create a health check for backend.

    For HTTP

    # health checkresource "google_compute_health_check" "default" {  name               = "l7-ilb-basic-check"  provider           = google-beta  project            = "my-service-project-b-id"  timeout_sec        = 1  check_interval_sec = 1  http_health_check {    port = "80"  }}

    For HTTPS

    # health checkresource "google_compute_health_check" "default" {  name               = "l7-ilb-basic-check"  provider           = google-beta  project            = "my-service-project-b-id"  timeout_sec        = 1  check_interval_sec = 1  https_health_check {    port = "443"  }}

  4. Create a regional backend service.

    # backend serviceresource "google_compute_region_backend_service" "default" {  name                  = "l7-ilb-backend-service"  provider              = google-beta  project               = "my-service-project-b-id"  region                = "us-west1"  protocol              = "HTTP"  load_balancing_scheme = "INTERNAL_MANAGED"  timeout_sec           = 10  health_checks         = [google_compute_health_check.default.id]  backend {    group           = google_compute_instance_group_manager.default.instance_group    balancing_mode  = "UTILIZATION"    capacity_scaler = 1.0  }}

Create the load balancer frontend and URL map in service project A

All the steps in this section must be performed in service project A.

Console

Select the load balancer type

  1. In the Google Cloud console, go to theLoad balancing page.

    Go to Load balancing

  2. ClickCreate load balancer.
  3. ForType of load balancer, selectApplication Load Balancer (HTTP/HTTPS) and clickNext.
  4. ForPublic facing or internal, selectInternal and clickNext.
  5. ForCross-region or single region deployment, selectBest for regional workloads and clickNext.
  6. ClickConfigure.

Basic configuration

  1. Enter aName for the load balancer.
  2. For theRegion, selectus-west1.

  3. For theNetwork, selectlb-network(fromProject:HOST_PROJECT_NAME).

    If you see aProxy-only subnet required in Shared VPC network warning, confirm that the host project admin has created theproxy-only-subnet in theus-west1 region in thelb-network Shared VPC network. Load balancer creation succeeds even if you do not have permission to view the proxy-only subnet on this page.

  4. Keep the window open to continue.

Configure the backend

  1. ClickBackend configuration.
  2. ClickCross-project backend services.
  3. ForProject ID, enter theprojectIDfor service project B.
  4. From theSelect backend services list, select the backend servicesfrom service project B that you want to use. For this example, you entercross-ref-backend-service.
  5. ClickOK.

Configure the routing rules

  • ClickRouting rules. Ensure that thecross-ref-backend-serviceis the only backend service for any unmatched host and any unmatchedpath.

For information about traffic management, seeSetting up trafficmanagement.

Configure the frontend

For cross-project service referencing to work, the frontend must usethe same network (lb-network) from the Shared VPC host projectthat was used to create the backend service.

For HTTP:

  1. ClickFrontend configuration.
  2. Enter aName for the forwarding rule:cross-ref-http-forwarding-rule.
  3. Set theProtocol toHTTP.
  4. Set theSubnetwork tolb-frontend-and-backend-subnet.Don't select the proxy-only subnet for the frontend even if itis an option in the list.
  5. Set thePort to80.
  6. Click theIP address menu, and then clickCreate IP address.
  7. In theReserve a static internal IP address panel, provide thefollowing details:
    1. For theName, entercross-ref-ip-address.
    2. ForStatic IP address, clickLet me choose. ForCustom IPaddress, enter10.1.2.98.
    3. (Optional) If you want to share this IP address with differentfrontends, for setPurpose toShared.
  8. ClickDone.

For HTTPS:

If you are using HTTPS between the client and the load balancer,you need one or more SSL certificate resources to configure the proxy.For information about how to create SSL certificate resources, seeSSL certificates. Google-managedcertificates aren't currently supported with internal Application Load Balancers.

  1. ClickFrontend configuration.
  2. Enter aName for the forwarding rule:cross-ref-https-forwarding-rule.
  3. In theProtocol field, selectHTTPS (includes HTTP/2).
  4. Set theSubnetwork tolb-frontend-and-backend-subnet.Don't select the proxy-only subnet for the frontend even if itis an option in the list.
  5. Ensure that thePort is set to443 to allow HTTPS traffic.
  6. Click theIP address menu, and then clickCreate IP address.
  7. In theReserve a static internal IP address panel, provide thefollowing details:
    1. For theName, entercross-ref-ip-address.
    2. ForStatic IP address, clickLet me choose. ForCustom IPaddress, enter10.1.2.98.
    3. (Optional) If you want to share this IP address with differentfrontends, for setPurpose toShared.
  8. Click theCertificate list.
    1. If you already have aself-managed SSLcertificate resourceyou want to use as the primary SSL certificate, select it from themenu.
    2. Otherwise, selectCreate a new certificate.
      1. Enter aName for the SSL certificate.
      2. In the appropriate fields, upload your PEM-formatted files:
        • Public key certificate
        • Certificate chain
        • Private key
      3. ClickCreate.
  9. To add certificate resources in addition tothe primary SSL certificate resource:
    1. ClickAdd certificate.
    2. Select a certificate from theCertificates list or clickCreate a new certificate and follow the previous instructions.
  10. ClickDone.

Review and finalize the configuration

  • ClickCreate.

Test the load balancer

After the load balancer is created, test the load balancer by using thesteps described inTest the load balancer.

gcloud

  1. Optional: Before creating a load balancer with cross-referencing backend services, find out whether the backend services you want to refer to can be referenced using a URL map:

    gcloud compute backend-services list-usable \    --region=us-west1 \    --project=SERVICE_PROJECT_B_ID

  2. Create the URL map and set the default service to the backend servicecreated in service project B.

    gcloud compute url-maps createURL_MAP_NAME \    --default-service=projects/SERVICE_PROJECT_B_ID/regions/us-west1/backendServices/BACKEND_SERVICE_NAME \    --region=us-west1 \    --project=SERVICE_PROJECT_A_ID

    Replace the following:

    • URL_MAP_NAME: the name for theURL map.
    • BACKEND_SERVICE_NAME: the name for thebackend service created in service project B.
    • SERVICE_PROJECT_B_ID: the project ID forservice project B, where the load balancer's backends and the backendservice are created.
    • SERVICE_PROJECT_A_ID: the project ID forservice project A, where the load balancer's frontend is being created.

    URL map creation fails if you don't have thecompute.backendServices.usepermission for the backend service inservice project B.

  3. Create the target proxy.

    For HTTP:

    gcloud compute target-http-proxies createHTTP_TARGET_PROXY_NAME \  --url-map=URL_MAP_NAME \  --url-map-region=us-west1 \  --region=us-west1 \  --project=SERVICE_PROJECT_A_ID

    Replace the following:

    • HTTP_TARGET_PROXY_NAME: the name for thetarget HTTP proxy.

    For HTTPS:

    Create a regional SSL certificate using thegcloud computessl-certificatescreate command.

    gcloud compute ssl-certificates createSSL_CERTIFICATE_NAME \  --certificate=PATH_TO_CERTIFICATE \  --private-key=PATH_TO_PRIVATE_KEY \  --region=us-west1 \  --project=SERVICE_PROJECT_A_ID

    Replace the following:

    • SSL_CERTIFICATE_NAME: the name for theSSL certificate resource.
    • PATH_TO_CERTIFICATE: the path to the localSSL certificate file in PEM format.
    • PATH_TO_PRIVATE_KEY: the path to the localSSL certificate private key in PEM format.

    Use the regional SSL certificate to create a target proxy with thegcloudcompute target-https-proxiescreatecommand.

    gcloud compute target-https-proxies createHTTPS_TARGET_PROXY_NAME \  --url-map=URL_MAP_NAME \  --region=us-west1 \  --ssl-certificates=SSL_CERTIFICATE_NAME \  --project=SERVICE_PROJECT_A_ID

    Replace the following:

    • HTTPS_TARGET_PROXY_NAME: the name for thetarget HTTPS proxy.

  4. Create the forwarding rule. For cross-project service referencing towork, the forwarding rule must use the same network (lb-network) fromthe Shared VPC host project that was used to create the backendservice.

    For HTTP:

    gcloud compute forwarding-rules createHTTP_FORWARDING_RULE_NAME \  --load-balancing-scheme=INTERNAL_MANAGED \  --network=projects/HOST_PROJECT_ID/global/networks/lb-network \  --subnet=projects/HOST_PROJECT_ID/regions/us-west1/subnetworks/lb-frontend-and-backend-subnet \  --address=IP_ADDRESS_CROSS_REF \  --ports=80 \  --region=us-west1 \  --target-http-proxy=HTTP_TARGET_PROXY_NAME \  --target-http-proxy-region=us-west1 \  --project=SERVICE_PROJECT_A_ID

    Replace the following:

    • HTTP_FORWARDING_RULE_NAME: the name for theforwarding rule that is used to handle HTTP traffic.

    For HTTPS:

    gcloud compute forwarding-rules createHTTPS_FORWARDING_RULE_NAME \  --load-balancing-scheme=INTERNAL_MANAGED \  --network=projects/HOST_PROJECT_ID/global/networks/lb-network \  --subnet=projects/HOST_PROJECT_ID/regions/us-west1/subnetworks/lb-frontend-and-backend-subnet \  --address=IP_ADDRESS_CROSS_REF \  --ports=443 \  --region=us-west1 \  --target-https-proxy=HTTPS_TARGET_PROXY_NAME \  --target-https-proxy-region=us-west1 \  --project=SERVICE_PROJECT_A_ID

    Replace the following:

    • HTTPS_FORWARDING_RULE_NAME: the name for theforwarding rule that is used to handle HTTPS traffic.

  5. To test the load balancer, use the steps described inTest the loadbalancer.

Terraform

  1. Create the URL map.

    # URL mapresource "google_compute_region_url_map" "default" {  name            = "l7-ilb-map"  provider        = google-beta  project         = "my-service-project-a-id"  region          = "us-west1"  default_service = google_compute_region_backend_service.default.id}

  2. Create the target proxy.

    For HTTP

    # HTTP target proxyresource "google_compute_region_target_http_proxy" "default" {  name     = "l7-ilb-proxy"  provider = google-beta  project  = "my-service-project-a-id"  region   = "us-west1"  url_map  = google_compute_region_url_map.default.id}

    For HTTPS

    Create a regional SSL certificate

    # Use self-signed SSL certificateresource "google_compute_region_ssl_certificate" "default" {  name        = "l7-ilb-cert"  provider    = google-beta  project     = "my-service-project-a-id"  region      = "us-west1"  private_key = file("sample-private.key") # path to PEM-formatted file  certificate = file("sample-server.cert") # path to PEM-formatted file}

    Use the regional SSL certificate to create a target proxy

    # HTTPS target proxyresource "google_compute_region_target_https_proxy" "default" {  name             = "l7-ilb-proxy"  provider         = google-beta  project          = "my-service-project-a-id"  region           = "us-west1"  url_map          = google_compute_region_url_map.default.id  ssl_certificates = [google_compute_region_ssl_certificate.default.id]}

  3. Create the forwarding rule.

    For HTTP

    # Forwarding ruleresource "google_compute_forwarding_rule" "default" {  name                  = "l7-ilb-forwarding-rule"  provider              = google-beta  project               = "my-service-project-a-id"  region                = "us-west1"  ip_protocol           = "TCP"  port_range            = "80"  load_balancing_scheme = "INTERNAL_MANAGED"  target                = google_compute_region_target_http_proxy.default.id  network               = google_compute_network.lb_network.id  subnetwork            = google_compute_subnetwork.lb_frontend_and_backend_subnet.id  network_tier          = "PREMIUM"  depends_on            = [google_compute_subnetwork.lb_frontend_and_backend_subnet]}

    For HTTPS

    # Forwarding ruleresource "google_compute_forwarding_rule" "default" {  name                  = "l7-ilb-forwarding-rule"  provider              = google-beta  project               = "my-service-project-a-id"  region                = "us-west1"  ip_protocol           = "TCP"  port_range            = "443"  load_balancing_scheme = "INTERNAL_MANAGED"  target                = google_compute_region_target_https_proxy.default.id  network               = google_compute_network.lb_network.id  subnetwork            = google_compute_subnetwork.lb_frontend_and_backend_subnet.id  network_tier          = "PREMIUM"  depends_on            = [google_compute_subnetwork.lb_frontend_and_backend_subnet]}

  4. To test the load balancer, use the steps described inTest the loadbalancer.

Grant permissions to the Load Balancer Admin to use the backend service

If you want load balancers to reference backend services in other serviceprojects, the Load Balancer Admin must have thecompute.backendServices.usepermission. To grant this permission, you can use the predefinedIAM role calledCompute Load Balancer Services User (roles/compute.loadBalancerServiceUser).This role must be granted by the Service Project Admin and can be applied atthe project level or at the individual backend service level.

This step isnot required if you already granted the required permissionsat the backend service level whilecreating the backendservice. You can either skip this section or continuereading to learn how to grant access to all the backend services in thisproject so that you don't have to grant access every time you create a newbackend service.

In this example, a Service Project Admin from service project B must runoneof the following commands to grant thecompute.backendServices.use permissionto a Load Balancer Admin from service project A. This can be done either at theproject level (for all backend services in the project) or per backend service.

Console

Project-level permissions

Use the following steps to grant permissions to all backend services inyour project.

You require thecompute.regionBackendServices.setIamPolicy and theresourcemanager.projects.setIamPolicy permissions to complete this step.

  1. In the Google Cloud console, go to theIAM page.

    Go to IAM

  2. Select your project.

  3. ClickGrantaccess.

  4. In theNew principals field, enter the principal's email address orother identifier.

  5. In theSelect a role list, select theCompute Load BalancerServices User.

  6. Optional: Add acondition to the role.

  7. ClickSave.

Resource-level permissions for individual backend services

Use the following steps to grant permissions to individual backendservices in your project.

You require thecompute.regionBackendServices.setIamPolicy permission tocomplete this step.

  1. In the Google Cloud console, go to theBackends page.

    Go to Backends

  2. From the backends list, select the backend service that you want togrant access to and clickPermissions.

  3. ClickAdd principal.

  4. In theNew principals field, enter the principal's email address orother identifier.

  5. In theSelect a role list, select theCompute Load BalancerServices User.

  6. ClickSave.

gcloud

Project-level permissions

Use the following steps to grant permissions to all backend services inyour project.

You require thecompute.regionBackendServices.setIamPolicy and theresourcemanager.projects.setIamPolicy permissions to complete this step.

gcloud projects add-iam-policy-bindingSERVICE_PROJECT_B_ID \    --member="user:LOAD_BALANCER_ADMIN" \    --role="roles/compute.loadBalancerServiceUser"

Resource-level permissions for individual backend services

At the backend service level, Service Project Admins can useeither of thefollowing commands to grant the Compute Load Balancer Services User role(roles/compute.loadBalancerServiceUser).

You require thecompute.regionBackendServices.setIamPolicy permission tocomplete this step.

gcloud projects add-iam-policy-bindingSERVICE_PROJECT_B_ID \    --member="user:LOAD_BALANCER_ADMIN" \    --role="roles/compute.loadBalancerServiceUser" \    --condition='expression=resource.name=="projects/SERVICE_PROJECT_B_ID/regions/us-west1/backend-services/BACKEND_SERVICE_NAME",title=Shared VPC condition'

or

gcloud compute backend-services add-iam-policy-bindingBACKEND_SERVICE_NAME \    --member="user:LOAD_BALANCER_ADMIN" \    --role="roles/compute.loadBalancerServiceUser" \    --project=SERVICE_PROJECT_B_ID \    --region=us-west1

To use these commands, replaceLOAD_BALANCER_ADMIN with theuser'sprincipal—forexample,test-user@gmail.com.

You can also configure IAM permissions so that they only applyto a subset of regional backend services by using conditions andspecifyingcondition attributes.

To see URL maps referencing a particular Shared VPC backend service,follow these steps:

gcloud

To see resources referencing aregional Shared VPC backend service, run the following command:

gcloud compute backend-services describeBACKEND_SERVICE_NAME \    --regionREGION

Replace the following:

  • BACKEND_SERVICE_NAME: the name of the loadbalancer backend service
  • REGION: the region of the load balancer

In the command output, review theusedBy field, which displays theresources referencing the backend service, as shown in the followingexample:

id: '123456789'kind: compute#backendServiceloadBalancingScheme: INTERNAL_MANAGED...usedBy:-   reference: https://www.googleapis.com/compute/v1/projects/my-project/region/us-central1/urlMaps/my-url-map

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.