Set up a cross-region internal Application Load Balancer with Cloud Storage buckets

This document shows you how to create a cross-region internal Application Load Balancer to route requests for static content to Cloud Storage buckets.

Before you begin

Make sure that your setup meets the following prerequisites.

Install the Google Cloud CLI

Some of the instructions in this guide can only be carried out using the Google Cloud CLI. To install it, see the document Install the gcloud CLI.

You can find commands related to load balancing in the API and gcloud CLI references document.

Permissions

To follow this guide, you need to create Cloud Storage buckets and network resources in your project. You must be either a project owner or editor, or you must have the following Compute Engine IAM roles:

  Task                                                      Required role
  Create networks, subnets, and load balancer components    Compute Network Admin role (roles/compute.networkAdmin)
  Add and remove firewall rules                             Compute Security Admin role (roles/compute.securityAdmin)
  Create Cloud Storage buckets                              Storage Object Admin role (roles/storage.objectAdmin)

For more information, see the following guides:

Set up an SSL certificate resource

For a cross-region internal Application Load Balancer that uses HTTPS as the request-and-response protocol, create an SSL certificate resource using Certificate Manager as described in one of the following documents:

After you create the certificate, you can attach the certificate to the HTTPS target proxy.

We recommend using a Google-managed certificate.

Limitations

The following limitations apply to Cloud Storage buckets when serving as backends to a cross-region internal Application Load Balancer:

  • Private bucket access isn't supported, so the backend bucket must be publicly accessible over the internet.

  • Signed URLs aren't supported.

  • Cloud CDN integration is not available when creating backend buckets for a cross-region internal Application Load Balancer.

  • When using a cross-region internal Application Load Balancer to access backend buckets, only the HTTP GET method is supported. You can download content from the bucket, but uploading content to the bucket through the cross-region internal Application Load Balancer isn't available.

  • You can't set up a cross-region internal Application Load Balancer with Cloud Storage buckets in a Shared VPC environment.

Setup overview

You can configure a cross-region internal Application Load Balancer in multiple regions as shown in the following diagram:

[Figure: A cross-region internal Application Load Balancer sends traffic to a Cloud Storage backend. Distributing traffic to Cloud Storage.]

As shown in the architecture diagram, this example creates a cross-region internal Application Load Balancer in a Virtual Private Cloud (VPC) network with two backend buckets, where each backend bucket references a Cloud Storage bucket. The Cloud Storage buckets are located in the us-east1 and asia-east1 regions.

This deployment architecture offers high availability. If the cross-region internal Application Load Balancer in a region fails, the DNS routing policies route traffic to a cross-region internal Application Load Balancer in another region.

Configure the network and subnets

Within the VPC network, configure a subnet in each region where the forwarding rule of your load balancers is to be configured. In addition, configure a proxy-only subnet in each region in which you want to configure the load balancer.

This example uses the following VPC network, regions, and subnets:

  • Network. The network is a custom mode VPC network named lb-network.

  • Subnets for load balancer. A subnet named subnet-us in the us-east1 region uses 10.1.2.0/24 for its primary IP range. A subnet named subnet-asia in the asia-east1 region uses 10.1.3.0/24 for its primary IP range.

  • Subnet for Envoy proxies. A subnet named proxy-only-subnet-us-east1 in the us-east1 region uses 10.129.0.0/23 for its primary IP range. A subnet named proxy-only-subnet-asia-east1 in the asia-east1 region uses 10.130.0.0/23 for its primary IP range.

Cross-region internal Application Load Balancers can be accessed from any region within the VPC. So clients from any region can globally access your load balancer backends.

Configure the subnets for the load balancer's forwarding rule

Console

  1. In the Google Cloud console, go to the VPC networks page.

  2. Click Create VPC network.

  3. For Name, enter lb-network.

  4. In the Subnets section, set the Subnet creation mode to Custom.

  5. In the New subnet section, enter the following information:

    • Name: subnet-us
    • Select a Region: us-east1
    • IP address range: 10.1.2.0/24
  6. Click Done.

  7. Click Add subnet.

  8. Create another subnet for the load balancer's forwarding rule in a different region. In the New subnet section, enter the following information:

    • Name: subnet-asia
    • Region: asia-east1
    • IP address range: 10.1.3.0/24
  9. Click Done.

  10. Click Create.

gcloud

  1. Create a custom VPC network, named lb-network, with the gcloud compute networks create command.

    gcloud compute networks create lb-network --subnet-mode=custom

  2. Create a subnet in the lb-network VPC network in the us-east1 region with the gcloud compute networks subnets create command.

    gcloud compute networks subnets create subnet-us \
        --network=lb-network \
        --range=10.1.2.0/24 \
        --region=us-east1

  3. Create a subnet in the lb-network VPC network in the asia-east1 region with the gcloud compute networks subnets create command.

    gcloud compute networks subnets create subnet-asia \
        --network=lb-network \
        --range=10.1.3.0/24 \
        --region=asia-east1

Configure the proxy-only subnets

A proxy-only subnet provides a set of IP addresses that Google Cloud uses to run Envoy proxies on your behalf. The proxies terminate connections from the client and create new connections to the backends.

This proxy-only subnet is used by all Envoy-based regional load balancers in the same region as the VPC network. There can only be one active proxy-only subnet for a given purpose, per region, per network. In this example, we create two proxy-only subnets: one in the us-east1 region, and the other in the asia-east1 region.

Important: Don't try to assign addresses from the proxy-only subnet to your load balancer's forwarding rule or backends. You assign the forwarding rule's IP address and the backend instance IP addresses from a different subnet range (or ranges), not this one. Google Cloud reserves this subnet range for Google Cloud-managed proxies.

Console

  1. In the Google Cloud console, go to the VPC networks page.

  2. Click the name of the VPC network that you created.

  3. On the Subnet tab, click Add subnet.

  4. Enter the following information:

    • For Name, enter proxy-only-subnet-us.
    • For Region, enter us-east1.
    • For Purpose, select Cross-region Managed Proxy.
    • For IP address range, enter 10.129.0.0/23.
  5. Click Add.

  6. Create another proxy-only subnet in the asia-east1 region. On the Subnet tab, click Add subnet.

  7. Enter the following information:

    • For Name, enter proxy-only-subnet-asia.
    • For Region, enter asia-east1.
    • For Purpose, select Cross-region Managed Proxy.
    • For IP address range, enter 10.130.0.0/23.
  8. Click Add.

gcloud

  1. Create a proxy-only subnet in the us-east1 region with the gcloud compute networks subnets create command.

    gcloud compute networks subnets create proxy-only-subnet-us \
        --purpose=GLOBAL_MANAGED_PROXY \
        --role=ACTIVE \
        --region=us-east1 \
        --network=lb-network \
        --range=10.129.0.0/23

  2. Create a proxy-only subnet in the asia-east1 region with the gcloud compute networks subnets create command.

    gcloud compute networks subnets create proxy-only-subnet-asia \
        --purpose=GLOBAL_MANAGED_PROXY \
        --role=ACTIVE \
        --region=asia-east1 \
        --network=lb-network \
        --range=10.130.0.0/23

Configure a firewall rule

This example uses the following firewall rule:

  • An ingress rule that allows SSH access on port 22 to the client VM. In this example, this firewall rule is named fw-allow-ssh.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

  2. Click Create firewall rule to create the rule to allow incoming SSH connections on the client VM:

    • Name: fw-allow-ssh
    • Network: lb-network
    • Direction of traffic: Ingress
    • Action on match: Allow
    • Targets: Specified target tags
    • Target tags: allow-ssh
    • Source filter: IPv4 ranges
    • Source IPv4 ranges: 0.0.0.0/0
    • Protocols and ports:
      • Choose Specified protocols and ports.
      • Select the TCP checkbox, and then enter 22 for the port number.
  3. Click Create.

gcloud

  1. Create the fw-allow-ssh firewall rule to allow SSH connectivity to VMs with the network tag allow-ssh. When you omit --source-ranges, Google Cloud interprets the rule to mean any source.

    gcloud compute firewall-rules create fw-allow-ssh \
        --network=lb-network \
        --action=allow \
        --direction=ingress \
        --target-tags=allow-ssh \
        --rules=tcp:22

Configure your Cloud Storage buckets

The process for configuring your Cloud Storage buckets is as follows:

  • Create the buckets.
  • Copy content to the buckets.

Create Cloud Storage buckets

In this example, you create two Cloud Storage buckets, one in the us-east1 region and another in the asia-east1 region. For production deployments, we recommend that you choose a multi-region bucket, which automatically replicates objects across multiple Google Cloud regions. This can improve the availability of your content and improve failure tolerance across your application.

Console

  1. In the Google Cloud console, go to the Cloud Storage Buckets page.

  2. Click Create.

  3. In the Name your bucket box, enter a globally unique name that follows the naming guidelines.

  4. Click Choose where to store your data.

  5. Set Location type to Region.

  6. From the list of regions, select us-east1.

  7. Click Create.

  8. Click Buckets to return to the Cloud Storage Buckets page. Use these instructions to create a second bucket, but set the Location to asia-east1.

gcloud

  1. Create the first bucket in the us-east1 region with the gcloud storage buckets create command.

    gcloud storage buckets create gs://BUCKET1_NAME \
        --default-storage-class=standard \
        --location=us-east1 \
        --uniform-bucket-level-access

  2. Create the second bucket in the asia-east1 region with the gcloud storage buckets create command.

    gcloud storage buckets create gs://BUCKET2_NAME \
        --default-storage-class=standard \
        --location=asia-east1 \
        --uniform-bucket-level-access

Replace the variables BUCKET1_NAME and BUCKET2_NAME with your Cloud Storage bucket names.

Copy graphic files to your Cloud Storage buckets

To enable you to test the setup, copy a graphic file from a public Cloud Storage bucket to your own Cloud Storage buckets.

Run the following commands in Cloud Shell, replacing the bucket name variables with your unique Cloud Storage bucket names:

    gcloud storage cp gs://gcp-external-http-lb-with-bucket/three-cats.jpg gs://BUCKET1_NAME/never-fetch/
    gcloud storage cp gs://gcp-external-http-lb-with-bucket/two-dogs.jpg gs://BUCKET2_NAME/love-to-fetch/

Make your Cloud Storage buckets publicly readable

To make all objects in a bucket readable to everyone on the public internet, grant the principal allUsers the Storage Object Viewer role (roles/storage.objectViewer).

Console

To grant all users access to view objects in your buckets, repeat the following procedure for each bucket:

  1. In the Google Cloud console, go to the Cloud Storage Buckets page.

  2. In the list of buckets, click the name of the bucket that you want to make public.

  3. Select the Permissions tab near the top of the page.

  4. In the Permissions section, click the Grant access button. The Grant access dialog appears.

  5. In the New principals field, enter allUsers.

  6. In the Select a role field, enter Storage Object Viewer in the filter box and select Storage Object Viewer from the filtered results.

  7. Click Save.

  8. Click Allow public access.

gcloud

To grant all users access to view objects in your buckets, run the buckets add-iam-policy-binding command.

    gcloud storage buckets add-iam-policy-binding gs://BUCKET1_NAME --member=allUsers --role=roles/storage.objectViewer
    gcloud storage buckets add-iam-policy-binding gs://BUCKET2_NAME --member=allUsers --role=roles/storage.objectViewer

Replace the bucket name variables with your unique Cloud Storage bucket names.
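Because a backend bucket has to be world-readable to be served at all, the useful check afterwards is not "is it public?" but "is the public grant read-only?". The following audit is an added example, not Google's code or a command from this guide. It classifies the IAM policy of each bucket from the JSON that gcloud storage buckets get-iam-policy gs://BUCKET --format=json prints; the three policies embedded below are constructed samples for the demonstration, not captured output, and the bucket and principal names in them are placeholders.

```python
"""Classify Cloud Storage bucket IAM policies by what they grant to public principals.

Added example, not Google's code. Input format: the JSON printed by
`gcloud storage buckets get-iam-policy gs://BUCKET --format=json`.
All policies below are constructed samples, not captured output.
"""
import json

# Principals that make a binding public. allAuthenticatedUsers means any Google
# account at all, so for a static-content bucket it is as public as allUsers.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Roles that grant read access only. Any other role granted to a public principal
# lets the public write, delete, or change permissions on objects.
READ_ONLY_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.legacyObjectReader",
    "roles/storage.legacyBucketReader",
}

# Constructed sample: the policy BUCKET1_NAME has after the add-iam-policy-binding
# step in this guide (allUsers -> Storage Object Viewer). Project name is a placeholder.
BUCKET1_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectOwner:my-project"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ],
    "etag": "CAE=",
    "version": 1,
})

# Constructed sample: a bucket where a public principal was given a write-capable
# role. A backend bucket must be publicly readable, but never publicly writable.
BUCKET2_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.objectAdmin", "members": ["allAuthenticatedUsers"]},
        {"role": "roles/storage.objectViewer", "members": ["user:alice@example.com"]},
    ],
    "etag": "CAI=",
    "version": 1,
})

# Constructed sample: no public principal at all. A bucket with this policy cannot
# be served through the load balancer, because private bucket access isn't supported.
PRIVATE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["group:web-team@example.com"]},
    ],
    "etag": "CAM=",
    "version": 1,
})

SAMPLES = {"BUCKET1_NAME": BUCKET1_POLICY,
           "BUCKET2_NAME": BUCKET2_POLICY,
           "private-bucket": PRIVATE_POLICY}


def public_bindings(policy_json):
    """Return (principal, role, read_only) for every binding to a public principal."""
    policy = json.loads(policy_json)
    found = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                found.append((member, role, role in READ_ONLY_ROLES))
    return found


def classify_bucket_policy(policy_json):
    """Return "private", "public-read", or "public-write" for one bucket policy."""
    bindings = public_bindings(policy_json)
    if not bindings:
        return "private"
    if all(read_only for _, _, read_only in bindings):
        return "public-read"
    return "public-write"


def audit(policies):
    """Map bucket name -> classification for a dict of {bucket: policy_json}."""
    return {bucket: classify_bucket_policy(policy) for bucket, policy in policies.items()}


if __name__ == "__main__":
    for bucket, verdict in audit(SAMPLES).items():
        print(f"gs://{bucket}: {verdict}")
        for principal, role, _ in public_bindings(SAMPLES[bucket]):
            print(f"  {principal} -> {role}")
```

For the buckets in this guide the expected verdict is "public-read" and nothing else; "public-write" means a public principal holds a role outside the read-only set and should be removed, and "private" explains why the load balancer cannot serve the bucket.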

Configure the load balancer with backend buckets

This section shows you how to create the following resources for a cross-region internal Application Load Balancer:

In this example, you can use HTTP or HTTPS as the request-and-response protocol between the client and the load balancer. To create an HTTPS load balancer, you must add an SSL certificate resource to the load balancer's frontend.

Note: You can only use the gcloud CLI to configure a cross-region internal Application Load Balancer with backend buckets.

To create the aforementioned load balancing components using the gcloud CLI, follow these steps:

  1. Create two backend buckets, one for each Cloud Storage bucket, with the gcloud compute backend-buckets create command. The backend buckets have a load balancing scheme of INTERNAL_MANAGED.

    gcloud compute backend-buckets create backend-bucket-cats \
        --gcs-bucket-name=BUCKET1_NAME \
        --load-balancing-scheme=INTERNAL_MANAGED

    gcloud compute backend-buckets create backend-bucket-dogs \
        --gcs-bucket-name=BUCKET2_NAME \
        --load-balancing-scheme=INTERNAL_MANAGED

    Note: When creating a backend bucket for a cross-region internal Application Load Balancer, you cannot enable Cloud CDN. In other words, Cloud CDN integration is not available when --load-balancing-scheme=INTERNAL_MANAGED.

  2. Create a URL map to route incoming requests to the backend bucket with the gcloud compute url-maps create command.

    gcloud compute url-maps create lb-map \
        --default-backend-bucket=backend-bucket-cats \
        --global

  3. Configure the host and path rules of the URL map with the gcloud compute url-maps add-path-matcher command.

    In this example, the default backend bucket is backend-bucket-cats, which handles all the paths that exist within it. However, any request targeting http://FORWARDING_RULE_IP_ADDRESS/love-to-fetch/two-dogs.jpg uses the backend-bucket-dogs backend. For example, if the /love-to-fetch/ folder also exists within your default backend (backend-bucket-cats), the load balancer prioritizes the backend-bucket-dogs backend because there is a specific path rule for /love-to-fetch/*.

    gcloud compute url-maps add-path-matcher lb-map \
        --path-matcher-name=path-matcher-pets \
        --new-hosts=* \
        --backend-bucket-path-rules="/love-to-fetch/*=backend-bucket-dogs" \
        --default-backend-bucket=backend-bucket-cats

  4. Create a target proxy with the gcloud compute target-http-proxies create command.

    For HTTP traffic, create a target HTTP proxy to route requests to the URL map:

    gcloud compute target-http-proxies create http-proxy \
        --url-map=lb-map \
        --global

    For HTTPS traffic, create a target HTTPS proxy to route requests to the URL map. The proxy is the part of the load balancer that holds the SSL certificate for an HTTPS load balancer. After you create the certificate, you can attach the certificate to the HTTPS target proxy.

    gcloud compute target-https-proxies create https-proxy \
        --url-map=lb-map \
        --certificate-manager-certificates=CERTIFICATE_NAME \
        --global

    Replace CERTIFICATE_NAME with the name of the SSL certificate you created using Certificate Manager.

  5. Create two global forwarding rules, one with an IP address in the us-east1 region and another with an IP address in the asia-east1 region, with the gcloud compute forwarding-rules create command.

    If you want to reserve a static internal IP address for your load balancer's forwarding rule, see Reserve a static internal IP address. Reserving an IP address is optional for an HTTP forwarding rule; however, you need to reserve an IP address for an HTTPS forwarding rule.

    In this example, an ephemeral IP address is associated with your load balancer's HTTP forwarding rule. An ephemeral IP address remains constant while the forwarding rule exists. If you need to delete the forwarding rule and recreate it, the forwarding rule might receive a new IP address.

    For HTTP traffic, create the global forwarding rules to route incoming requests to the HTTP target proxy:

    gcloud compute forwarding-rules create http-fw-rule-1 \
        --load-balancing-scheme=INTERNAL_MANAGED \
        --network=lb-network \
        --subnet=subnet-us \
        --subnet-region=us-east1 \
        --ports=80 \
        --target-http-proxy=http-proxy \
        --global-target-http-proxy \
        --global

    gcloud compute forwarding-rules create http-fw-rule-2 \
        --load-balancing-scheme=INTERNAL_MANAGED \
        --network=lb-network \
        --subnet=subnet-asia \
        --subnet-region=asia-east1 \
        --ports=80 \
        --target-http-proxy=http-proxy \
        --global-target-http-proxy \
        --global

    For HTTPS traffic, create the global forwarding rules to route incoming requests to the HTTPS target proxy:

    gcloud compute forwarding-rules create https-fw-rule-1 \
        --load-balancing-scheme=INTERNAL_MANAGED \
        --network=lb-network \
        --subnet=subnet-us \
        --subnet-region=us-east1 \
        --address=RESERVED_IP_ADDRESS \
        --ports=443 \
        --target-https-proxy=https-proxy \
        --global-target-https-proxy \
        --global

    gcloud compute forwarding-rules create https-fw-rule-2 \
        --load-balancing-scheme=INTERNAL_MANAGED \
        --network=lb-network \
        --subnet=subnet-asia \
        --subnet-region=asia-east1 \
        --address=RESERVED_IP_ADDRESS \
        --ports=443 \
        --target-https-proxy=https-proxy \
        --global-target-https-proxy \
        --global
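To see why step 3's path rule wins over the default backend bucket, it helps to walk a request through the URL map offline. The following model is an added example, not Google's code and not the load balancer's actual implementation. LB_MAP is a constructed stand-in for what gcloud compute url-maps describe lb-map --format=json returns for the map built above, with backend-bucket resource links shortened to names. The matching rules are modelled here rather than taken from the page: a host pattern is an exact host or a leading "*" wildcard, a path pattern ending in "/*" is a prefix match, the longest matching path rule is chosen, and any method other than GET is refused because backend buckets support only GET. The IP address 10.1.2.5 stands in for FORWARDING_RULE_IP_ADDRESS.

```python
"""Offline model of how the URL map in this guide selects a backend bucket.

Added example, not Google's code. LB_MAP is a constructed stand-in for the
`gcloud compute url-maps describe lb-map --format=json` output; the matching
rules below are this model's assumptions, not Google's documented algorithm.
"""
from urllib.parse import urlsplit

# Constructed URL map mirroring the gcloud commands in this guide: default backend
# backend-bucket-cats, path rule /love-to-fetch/* routed to backend-bucket-dogs.
LB_MAP = {
    "name": "lb-map",
    "defaultService": "backend-bucket-cats",
    "hostRules": [{"hosts": ["*"], "pathMatcher": "path-matcher-pets"}],
    "pathMatchers": [{
        "name": "path-matcher-pets",
        "defaultService": "backend-bucket-cats",
        "pathRules": [
            {"paths": ["/love-to-fetch/*"], "service": "backend-bucket-dogs"},
        ],
    }],
}


def host_matches(pattern, host):
    """Exact host, or a leading "*" wildcard ("*" alone matches every host)."""
    if pattern == "*":
        return True
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    return host == pattern


def path_matches(pattern, path):
    """"/dir/*" matches everything under /dir/; any other pattern is an exact match."""
    if pattern.endswith("/*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def select_backend_bucket(url_map, method, url):
    """Return (backend_bucket_name_or_None, reason) for one request against url_map."""
    # Limitation from this guide: backend buckets serve only GET. Modelled as a
    # refusal; the page does not say what status the load balancer itself returns.
    if method.upper() != "GET":
        return None, "only GET is supported for backend buckets"

    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or "/"   # the query string takes no part in path matching

    # Host rules pick the path matcher; the first matching rule wins.
    matcher_name = None
    for rule in url_map.get("hostRules", []):
        if any(host_matches(h, host) for h in rule["hosts"]):
            matcher_name = rule["pathMatcher"]
            break
    if matcher_name is None:
        return url_map["defaultService"], "no host rule matched; URL-map default"

    # Within the matcher, the longest matching path pattern wins over the default.
    matcher = next(m for m in url_map["pathMatchers"] if m["name"] == matcher_name)
    best = None
    for rule in matcher.get("pathRules", []):
        for pattern in rule["paths"]:
            if path_matches(pattern, path) and (best is None or len(pattern) > len(best[0])):
                best = (pattern, rule["service"])
    if best is not None:
        return best[1], f"path rule {best[0]}"
    return matcher["defaultService"], "path matcher default"


if __name__ == "__main__":
    # 10.1.2.5 is a placeholder for FORWARDING_RULE_IP_ADDRESS.
    for method, url in [
        ("GET", "http://10.1.2.5/love-to-fetch/two-dogs.jpg"),
        ("GET", "http://10.1.2.5/never-fetch/three-cats.jpg"),
        ("GET", "http://10.1.2.5/love-to-fetch/"),
        ("PUT", "http://10.1.2.5/love-to-fetch/upload.jpg"),
    ]:
        print(method, url, "->", select_backend_bucket(LB_MAP, method, url))
```

The two curl requests used later in this guide map to backend-bucket-dogs (via the path rule) and backend-bucket-cats (via the matcher default) respectively; the PUT case shows the GET-only limitation from the Limitations section.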

Send an HTTP request to the load balancer

Send a request from an internal client VM to the forwarding rule of the load balancer.

Get the IP address of the load balancer's forwarding rule

  1. Get the IP address of the load balancer's forwarding rule (http-fw-rule-1), which is in the us-east1 region.

    gcloud compute forwarding-rules describe http-fw-rule-1 \
        --global

  2. Get the IP address of the load balancer's forwarding rule (http-fw-rule-2), which is in the asia-east1 region.

    gcloud compute forwarding-rules describe http-fw-rule-2 \
        --global

Create a client VM to test connectivity

  1. Create a client VM in the us-east1 region.

    gcloud compute instances create client-a \
        --image-family=debian-12 \
        --image-project=debian-cloud \
        --network=lb-network \
        --subnet=subnet-us \
        --zone=us-east1-c \
        --tags=allow-ssh

  2. Establish an SSH connection to the client VM.

    gcloud compute ssh client-a --zone=us-east1-c

  3. In this example, the cross-region internal Application Load Balancer has frontend virtual IP addresses (VIP) in both the us-east1 and asia-east1 regions in the VPC network. Make an HTTP request to the VIP in either region by using curl.

    curl http://FORWARDING_RULE_IP_ADDRESS/love-to-fetch/two-dogs.jpg --output two-dogs.jpg
    curl http://FORWARDING_RULE_IP_ADDRESS/never-fetch/three-cats.jpg --output three-cats.jpg

Test high availability

  1. Delete the forwarding rule (http-fw-rule-1) in the us-east1 region to simulate a regional outage and check whether the client in the us-east1 region can still access data from the backend bucket.

    gcloud compute forwarding-rules delete http-fw-rule-1 \
        --global

  2. Make an HTTP request to the VIP of the forwarding rule in either region by using curl.

    curl http://FORWARDING_RULE_IP_ADDRESS/love-to-fetch/two-dogs.jpg --output two-dogs.jpg
    curl http://FORWARDING_RULE_IP_ADDRESS/never-fetch/three-cats.jpg --output three-cats.jpg

    If you make an HTTP request to the VIP in the us-east1 region, the DNS routing policies detect that this VIP isn't responding, and return the next most optimal VIP to the client (in this example, asia-east1). This behavior helps ensure that your application stays up even during regional outages.


Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.