Set up a regional internal Application Load Balancer with an external backend

The guide shows you how to configure a regional internal Application Load Balancer that proxies requests to an external backend. An external backend is an endpoint that is external to Google Cloud.

Before following this guide, familiarize yourself with the Internet NEG overview documentation, including the limitations.

The following architecture diagram shows a regional internal Application Load Balancer frontend with an external backend.

Figure 1. A regional internal Application Load Balancer with an external backend.

Permissions

To follow this guide, you need to create an internet NEG and create or modify an Application Load Balancer in a project. You should be either a project Owner or Editor (roles/owner or roles/editor), or you should have both of the following Compute Engine IAM roles.

Task                                          Required role
Create and modify load balancer components    Compute Network Admin (roles/compute.networkAdmin)
Create and modify NEGs                        Compute Instance Admin (roles/compute.instanceAdmin)

Set up your external backend environment outside Google Cloud

To set up your external backend environment, see the following sections.

Configure network endpoints

Configure a network endpoint to expose your external backend to Google Cloud. Make sure that the endpoint—either an IP:Port combination or a fully-qualified domain name (FQDN) and port—is reachable over the internet. This endpoint is later referenced from the internet NEG.

For detailed configuration requirements for internet NEG endpoints, see the Internet NEGs overview.

Allow the external backend to receive traffic from Google Cloud

This step can be completed after you've created the proxy-only subnet and set up the Cloud NAT gateway.

To allow requests from Google Cloud to reach your external backend, you'll need to perform the following steps:

  1. Configure a Cloud NAT gateway with IP addresses that are used for egress traffic from Google Cloud. The gateway maps the proxy-only subnet range to the external IP addresses. For the steps, see Set up a Cloud NAT gateway.
  2. Make sure that your external backend environment is configured to allow traffic from Google Cloud to reach the external backend. For example, if you used pre-reserved IP addresses for the NAT gateway, you'll allowlist those IP addresses on your external environment. You'll likely need to work with the network or security admin of your external environment to set this up.
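
Step 2 as a script, for the case where the backend host filters inbound traffic with iptables. This is an added example, not part of the original guide: render_allowlist and is_ipv4 are hypothetical helper names, the sample addresses are constructed from a documentation range, and the function emits no rules when the port or an address is malformed or the list is empty.

```shell
#!/bin/sh
# Added example, not part of the original guide. Renders the reserved Cloud NAT
# addresses as an inbound allowlist for the external backend.
# Assumption: the backend host filters with iptables; adapt the rule text to
# whatever firewall your external environment uses.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
  esac
  i_saved_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$i_saved_ifs
  [ "$#" -eq 4 ] || return 1
  for i_octet in "$@"; do
    case "$i_octet" in
      0?*|????*) return 1 ;;   # leading zero or more than three digits
    esac
    [ "$i_octet" -le 255 ] || return 1
  done
  return 0
}

# render_allowlist PORT   (addresses on stdin, one per line, for example from
#   gcloud compute addresses describe IP_ADDRESS_NAME_1 --region=REGION \
#     --format="value(address)")
# Prints iptables commands. Fails closed: prints no rules and returns 1 if the
# port or any address is malformed, or if no address was supplied.
render_allowlist() {
  r_port=$1
  r_rules=""
  case "$r_port" in
    ''|*[!0-9]*|0*|??????*) echo "bad port '$r_port'" >&2; return 1 ;;
  esac
  [ "$r_port" -le 65535 ] || { echo "bad port '$r_port'" >&2; return 1; }
  while IFS= read -r r_ip || [ -n "$r_ip" ]; do
    [ -n "$r_ip" ] || continue
    if ! is_ipv4 "$r_ip"; then
      echo "refusing to build allowlist: bad address '$r_ip'" >&2
      return 1
    fi
    r_rules="${r_rules}iptables -A INPUT -p tcp --dport $r_port -s $r_ip/32 -j ACCEPT
"
  done
  if [ -z "$r_rules" ]; then
    echo "refusing to build allowlist: no addresses given" >&2
    return 1
  fi
  printf '%s' "$r_rules"
  # Everything else aimed at the backend port is dropped.
  echo "iptables -A INPUT -p tcp --dport $r_port -j DROP"
}

# Constructed sample: two reserved NAT addresses from a documentation range.
SAMPLE_NAT_IPS='203.0.113.10
203.0.113.11'

printf '%s\n' "$SAMPLE_NAT_IPS" | render_allowlist 443 || true
```

Review the printed rules before applying them, and regenerate them whenever the NAT address pool changes.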

Set up your Google Cloud environment

You'll need a VPC network with two subnets: one for the load balancer components and the other for the region's proxy-only subnet. Then you'll create the load balancer with an internet NEG backend.

Note: If you're planning a cross-cloud deployment with a regional internet NEG, you can use Cloud Location Finder to identify the optimal region or zone for your deployment based on factors like distance, network latency, carbon footprint (Google CFE%), or the territory code (in case you have regulatory requirements for your network traffic). For details, see the Cloud Location Finder documentation (Preview).

Create the VPC network and subnet

This subnet is used to create the load balancer's components.

Cloud console

  1. In the Google Cloud console, go to the VPC networks page.
    Go to VPC networks
  2. Click Create VPC network.
  3. Enter a Name: LB_NETWORK.
  4. In the Subnets section:
    • Set the Subnet creation mode to Custom.
    • In the New subnet section, enter the following information:
      • Name: LB_SUBNET_NAME
      • Region: REGION
      • IP address range: LB_SUBNET_RANGE
    • Click Done.
  5. Click Create.

gcloud

  1. Create the custom VPC network by using the gcloud compute networks create command:

    gcloud compute networks create LB_NETWORK \
        --subnet-mode=custom
  2. Create a subnet in the LB_NETWORK network.

    gcloud compute networks subnets create LB_SUBNET_NAME \
        --network=LB_NETWORK \
        --range=LB_SUBNET_RANGE \
        --region=REGION

Configure the proxy-only subnet

This proxy-only subnet is used by all regional Envoy-based load balancers in the REGION region.

Console

  1. In the Google Cloud console, go to the VPC networks page.
    Go to VPC networks
  2. Select a Network from the list.
  3. Click Add subnet.
  4. Enter a Name: PROXY_ONLY_SUBNET_NAME.
  5. Select a Region: REGION.
  6. Set Purpose to Regional Managed Proxy.
  7. Enter an IP address range: PROXY_ONLY_SUBNET_RANGE.
  8. Click Add.

gcloud

Create the proxy-only subnet with the gcloud compute networks subnets create command.

    gcloud compute networks subnets create PROXY_ONLY_SUBNET_NAME \
        --purpose=REGIONAL_MANAGED_PROXY \
        --role=ACTIVE \
        --region=REGION \
        --network=LB_NETWORK \
        --range=PROXY_ONLY_SUBNET_RANGE

Set up a Cloud NAT gateway

Before you configure the Cloud NAT gateway, make sure you've reviewed the associated limitations and pricing considerations. For details, see Regional NEGs: Use a Cloud NAT gateway.

The following commands describe how to set up a Cloud NAT gateway. The Cloud NAT gateway can be configured to use either automatic NAT external IP addresses, in which allocation is based on demand, or to use a manually pre-reserved set of external IP addresses. The gateway maps the proxy-only subnet range to the external IP addresses.

Set up automatic NAT allocated IP addresses

When you create a Cloud NAT gateway with automatic NAT IP address allocation, you can specify the Network Service Tiers (Premium Tier or Standard Tier) from which the Cloud NAT gateway allocates the IP addresses.

Console

  1. In the Google Cloud console, go to the Cloud NAT page.

    Go to Cloud NAT

  2. Click Get started or Create Cloud NAT gateway.

    Note: If this is the first Cloud NAT gateway that you're creating, click Get started. If you already have existing gateways, then instead of Get started, Google Cloud displays the Create Cloud NAT gateway button. To create another gateway, click Create Cloud NAT gateway.

  3. Enter a gateway name LB_NAT_CONFIG.

  4. For NAT type, select Public.

  5. In the Network list, select LB_NETWORK.

  6. In the Region list, select REGION.

  7. Create a Cloud Router in the region.

  8. For Source endpoint type, select Managed proxy load balancers.

  9. In the Source list, select Custom.

  10. In the Cloud NAT IP addresses list, select Automatic (recommended).

  11. For Network service tier, choose either Premium or Standard.

  12. Click Create.

gcloud

Use dynamically allocated IP addresses if your external backend environment doesn't require you to allowlist specific Google Cloud IP addresses that can send traffic to the external backend.

  1. Create a Cloud Router:

    gcloud beta compute routers create ROUTER_NAME \
        --network=LB_NETWORK \
        --region=REGION
  2. Set up the Cloud NAT gateway.

    gcloud beta compute routers nats create LB_NAT_CONFIG \
        --router=ROUTER_NAME \
        --endpoint-types=ENDPOINT_TYPE_MANAGED_PROXY_LB \
        --nat-custom-subnet-ip-ranges=PROXY_ONLY_SUBNET_NAME \
        --auto-allocate-nat-external-ips \
        --region=REGION

Replace the following:

Set up manually allocated IP addresses

Use manually allocated IP addresses only if your external backend environment requires you to use an allowlist for specific Google Cloud IP addresses. If the external backend environment doesn't need an allowlist, use dynamic allocation instead as shown previously.

When creating a Cloud NAT gateway, you can choose to manually assign NAT IP addresses from either Premium Tier or Standard Tier or both, subject to certain conditions.

Warning: If you provision fewer NAT IP addresses than the number of assigned Envoy proxies, requests sent to the internet NEG might result in HTTP 5xx errors. To ensure that you are informed when such an event occurs, set up an alert for the nat_allocation_failed metric. Contact support if you need help calculating the number of IP addresses that must be allocated for your load balancer in a specific region.

Console

  1. In the Google Cloud console, go to the Cloud NAT page.

    Go to Cloud NAT

  2. Click Get started or Create Cloud NAT gateway.

    Note: If this is the first Cloud NAT gateway that you're creating, click Get started. If you already have existing gateways, then instead of Get started, Google Cloud displays the Create Cloud NAT gateway button. To create another gateway, click Create Cloud NAT gateway.

  3. Enter a gateway name LB_NAT_CONFIG.

  4. In the Network list, select LB_NETWORK.

  5. In the Region list, select REGION.

  6. Select or create a Cloud Router in the region.

  7. For Source endpoint type, select Managed proxy load balancers.

  8. In the Source list, select Custom.

  9. In the Cloud NAT IP addresses list, select Manual.

  10. For Network service tier, choose either Premium or Standard.

  11. Select or create a static reserved external IP address to use for NAT.

    Note: You can only select or create IP addresses based on the tier that you have selected in the previous step.
  12. If you want to specify additional IP addresses, click Add IP address, and then select or create an additional static reserved external IP address.

  13. Click Create.

gcloud

  1. Create the IP addresses. Because the gateway performs one-to-one NAT translation, you must make sure that the pool of reserved IP addresses is big enough to handle the amount of traffic you're expecting. Insufficiently allocated NAT IP addresses could result in traffic loss.

    gcloud compute addresses create IP_ADDRESS_NAME_1 IP_ADDRESS_NAME_2 [IP_ADDRESS_NAME_3 ...] \
        --region=REGION
  2. Create a Cloud Router:

    gcloud compute routers create ROUTER_NAME \
        --network=LB_NETWORK \
        --region=REGION
  3. Set up the Cloud NAT gateway.

    gcloud beta compute routers nats create LB_NAT_CONFIG \
        --router=ROUTER_NAME \
        --endpoint-types=ENDPOINT_TYPE_MANAGED_PROXY_LB \
        --nat-custom-subnet-ip-ranges=PROXY_ONLY_SUBNET_NAME \
        --nat-external-ip-pool=IP_ADDRESS_NAME_1,IP_ADDRESS_NAME_2,[IP_ADDRESS_NAME_3 ...] \
        --region=REGION

    Replace the following:

Set up dynamic port allocation

Update the Cloud NAT gateway to use dynamic port allocation mode to fully use the assigned IP addresses.

gcloud

  1. Update the Cloud NAT gateway. We recommend that you set the minimum number of ports to 2048 and the maximum number of ports to 4096.

    gcloud compute routers nats update LB_NAT_CONFIG \
        --router=ROUTER_NAME \
        --enable-dynamic-port-allocation \
        --min-ports-per-vm=MIN_PORTS_PER_VM \
        --max-ports-per-vm=MAX_PORTS_PER_VM \
        --region=REGION
  2. Verify that dynamic port allocation is enabled and the minimum and maximum number of ports are set.

    gcloud compute routers nats describe LB_NAT_CONFIG \
        --router=ROUTER_NAME \
        --region=REGION

    The output is similar to the following:

    enableDynamicPortAllocation: true
    enableEndpointIndependentMapping: false
    endpointTypes:
    - ENDPOINT_TYPE_MANAGED_PROXY_LB
    logConfig:
      enable: true
      filter: ALL
    maxPortsPerVm: 4096
    minPortsPerVm: 2048
    name: LB_NAT_CONFIG
    natIpAllocateOption: MANUAL_ONLY
    natIps:
    - https://www.googleapis.com/compute/projects/PROJECT_NAME/regions/REGION/addresses/ADDRESS
    sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES
    type: PUBLIC

For more information, see Specify subnet ranges for NAT in the Cloud NAT documentation.

Make sure that you use an allowlist for the NAT IP address ranges on your external backend environment, so that your external backend can receive traffic from Google Cloud.
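
The verification step above can be automated. The following added example (not part of the original guide) checks the describe output against the settings this guide configures. audit_nat_describe is a hypothetical name, both samples are constructed, and the LIST_OF_SUBNETWORKS check assumes the gateway was created with --nat-custom-subnet-ip-ranges as shown earlier.

```shell
#!/bin/sh
# Added example, not part of the original guide. Audits the YAML printed by
# "gcloud compute routers nats describe" against the settings this guide uses.
# Function names and the FAIL/WARN output format are choices of this example.

# Print the value of a top-level "key: value" line read from stdin.
nat_field() {
  awk -v key="$1" 'index($0, key ": ") == 1 { print substr($0, length(key) + 3); exit }'
}

# Print $1 if it is a non-negative integer, otherwise 0.
as_int() {
  case "$1" in
    ''|*[!0-9]*) echo 0 ;;
    *) echo "$1" ;;
  esac
}

# audit_nat_describe YAML [ALLOWLIST_REQUIRED]   (ALLOWLIST_REQUIRED: yes|no)
# Prints one line per finding. Returns 1 if any FAIL was printed, else 0.
audit_nat_describe() {
  a_yaml=$1
  a_allowlist=${2:-yes}
  a_rc=0

  a_val=$(printf '%s\n' "$a_yaml" | nat_field enableDynamicPortAllocation)
  if [ "$a_val" != "true" ]; then
    echo "FAIL enableDynamicPortAllocation is '$a_val', expected true"
    a_rc=1
  fi

  a_min=$(as_int "$(printf '%s\n' "$a_yaml" | nat_field minPortsPerVm)")
  a_max=$(as_int "$(printf '%s\n' "$a_yaml" | nat_field maxPortsPerVm)")
  if [ "$a_min" -lt 2048 ] || [ "$a_max" -lt 4096 ]; then
    echo "FAIL ports per VM are $a_min-$a_max, below the recommended 2048-4096"
    a_rc=1
  fi

  if ! printf '%s\n' "$a_yaml" | grep -q '^- ENDPOINT_TYPE_MANAGED_PROXY_LB$'; then
    echo "FAIL endpointTypes does not list ENDPOINT_TYPE_MANAGED_PROXY_LB"
    a_rc=1
  fi

  # A backend allowlist only holds while egress uses the reserved addresses.
  a_val=$(printf '%s\n' "$a_yaml" | nat_field natIpAllocateOption)
  if [ "$a_allowlist" = "yes" ] && [ "$a_val" != "MANUAL_ONLY" ]; then
    echo "FAIL natIpAllocateOption is '$a_val', allowlisting needs MANUAL_ONLY"
    a_rc=1
  fi

  # --nat-custom-subnet-ip-ranges shows up as LIST_OF_SUBNETWORKS. Any other
  # value means the source is not pinned to the subnet list the guide sets.
  a_val=$(printf '%s\n' "$a_yaml" | nat_field sourceSubnetworkIpRangesToNat)
  if [ "$a_val" != "LIST_OF_SUBNETWORKS" ]; then
    echo "WARN sourceSubnetworkIpRangesToNat is '$a_val', not LIST_OF_SUBNETWORKS"
  fi

  return "$a_rc"
}

# Constructed sample 1: abridged from the describe output shown in this guide.
SAMPLE_GUIDE='enableDynamicPortAllocation: true
endpointTypes:
- ENDPOINT_TYPE_MANAGED_PROXY_LB
maxPortsPerVm: 4096
minPortsPerVm: 2048
name: LB_NAT_CONFIG
natIpAllocateOption: MANUAL_ONLY
sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES
type: PUBLIC'

# Constructed sample 2: a gateway that drifted from the guide's settings.
SAMPLE_DRIFTED='enableDynamicPortAllocation: false
endpointTypes:
- ENDPOINT_TYPE_VM
minPortsPerVm: 64
name: LB_NAT_CONFIG
natIpAllocateOption: AUTO_ONLY
sourceSubnetworkIpRangesToNat: LIST_OF_SUBNETWORKS
type: PUBLIC'

audit_nat_describe "$SAMPLE_GUIDE" yes || true
audit_nat_describe "$SAMPLE_DRIFTED" yes || true
```

Against a live gateway, pass the output of the describe command from step 2 as the first argument, and pass no as the second argument when the backend does not use an allowlist.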

Reserve the load balancer's IP address

Reserve an internal IP address for the load balancer.

Console

You can reserve a standalone internal IP address using the Google Cloud console.

  1. Go to the VPC networks page.

    Go to VPC networks

  2. Click the network that was used to configure hybrid connectivity between the environments.
  3. Click Static internal IP addresses and then click Reserve static address.
  4. Enter a Name: LB_IP_ADDRESS.
  5. For the Subnet, select LB_SUBNET_NAME.
  6. If you want to specify which IP address to reserve, for Static IP address, select Let me choose, and then fill in a Custom IP address. Otherwise, the system automatically assigns an IP address in the subnet for you.
  7. If you want to use this IP address with multiple forwarding rules, under Purpose, choose Shared.
  8. Click Reserve to finish the process.

gcloud

  1. Using the gcloud CLI, run the compute addresses create command:

    gcloud compute addresses create LB_IP_ADDRESS \
        --region=REGION \
        --subnet=LB_SUBNET_NAME
  2. Use the compute addresses describe command to view the allocated IP address:

    gcloud compute addresses describe LB_IP_ADDRESS \
        --region=REGION

Set up the internet NEG

You can create an internet NEG using either INTERNET_FQDN_PORT endpoints or INTERNET_IP_PORT endpoints.

Console

Create a NEG with INTERNET_FQDN_PORT endpoints

  1. In the Google Cloud console, go to the Network endpoint group page.

    Go to Network endpoint group

  2. Click Create network endpoint group.

  3. Specify an INTERNET_NEG_NAME for your Internet NEG. For more information, see Resource naming convention.

  4. In the Network endpoint group type list, select Network endpoint group (Internet) and then do the following:

    • In the Scope list, select Regional.
    • Optional: In the Region list, change the REGION for this NEG.
    • In the Network list, select LB_NETWORK.
    • In the Default port box, enter DEFAULT_PORT_NUMBER.
    • In the Add endpoints through list, select Fully qualified domain name and port.
  5. Select Create.

Add INTERNET_FQDN_PORT endpoints to the NEG

  1. In the Google Cloud console, go to the Network endpoint group page.

    Go to Network endpoint group

  2. Click INTERNET_NEG_NAME.
  3. Enter the Fully qualified domain name such as myorg.example.com. You must specify the FQDN objects in standard FQDN syntax.

  4. Optional: For Port type, select Custom. If the Port type is Default, the default port of the NEG is used.

  5. In the Port number box, enter PORT_NUMBER_1.
  6. Select Create.

Create a NEG with INTERNET_IP_PORT endpoints

  1. In the Google Cloud console, go to the Network endpoint group page.

    Go to Network endpoint group

  2. Click Create network endpoint group.

  3. Specify a name INTERNET_NEG_NAME for your Internet NEG. For more information, see Resource naming convention.

  4. In the Network endpoint group type list, select Network endpoint group (Internet) and then do the following:

    • In the Scope list, select Regional.
    • Optional: In the Region list, change the REGION for this NEG.
    • In the Network list, select LB_NETWORK.
    • In the Default port box, enter DEFAULT_PORT_NUMBER.
    • In the Add endpoints through list, select IP and port.
  5. Select Create.

Add INTERNET_IP_PORT endpoints to the NEG

  1. In the Google Cloud console, go to the Network endpoint group page.

    Go to Network endpoint group

  2. Click INTERNET_NEG_NAME.
  3. In the IP address field, enter IP_ADDRESS_1.
  4. Optional: In the Port type list, select Custom. If the Port type is Default, the default port of the NEG is used.

  5. In the Port number field, enter a PORT_NUMBER_1.
  6. Select Create.

gcloud

To create a NEG with INTERNET_FQDN_PORT endpoints:

  1. Create the NEG resource.

    gcloud beta compute network-endpoint-groups create INTERNET_NEG_NAME \
        --network-endpoint-type=INTERNET_FQDN_PORT \
        --default-port=DEFAULT_PORT_NUMBER \
        --network=LB_NETWORK \
        --region=REGION
  2. Add endpoints to the NEG. If a port isn't specified, the default port of the NEG is used.

    gcloud beta compute network-endpoint-groups update INTERNET_NEG_NAME \
        --add-endpoint="fqdn=FULLY_QUALIFIED_DOMAIN_NAME_1,port=PORT_NUMBER_1" \
        [--add-endpoint="fqdn=FULLY_QUALIFIED_DOMAIN_NAME_2,port=PORT_NUMBER_2" \]
        --region=REGION

    Replace the following:

    • FULLY_QUALIFIED_DOMAIN_NAME: the fully qualified domain name for the endpoint
    • PORT_NUMBER: the port number for the endpoint

    You can add up to 256 endpoints per NEG.

If your domain is resolvable over the internet, no other configuration is needed to set up DNS. However, if you're using private FQDNs, you'll need to configure Cloud DNS to facilitate DNS resolution. The name must be hosted on Cloud DNS or be resolvable through DNS forwarding from Cloud DNS to an on-premises DNS.

Start by creating a Cloud DNS zone to host the DNS records in your project. Then add the DNS records to it. Refer to the Cloud DNS documentation for specific configuration steps.

To create a NEG with INTERNET_IP_PORT endpoints:

  1. Create the NEG resource.

    gcloud beta compute network-endpoint-groups create INTERNET_NEG_NAME \
        --network-endpoint-type=INTERNET_IP_PORT \
        --default-port=DEFAULT_PORT_NUMBER \
        --network=LB_NETWORK \
        --region=REGION
  2. Add endpoints to the NEG. If a port isn't specified, the default port of the NEG is used.

    gcloud beta compute network-endpoint-groups update INTERNET_NEG_NAME \
        --add-endpoint="ip=IP_ADDRESS_1,port=PORT_NUMBER_1" \
        [--add-endpoint="ip=IP_ADDRESS_2,port=PORT_NUMBER_2" \]
        --region=REGION

    Replace the following:

    • IP_ADDRESS: the IP address for the endpoint
    • PORT_NUMBER: the port number for the endpoint

    You can repeat this step to add up to 256 endpoints per NEG.

Create the load balancer

Console

Select the load balancer type

  1. In the Google Cloud console, go to the Load balancing page.

    Go to Load balancing

  2. Click Create load balancer.
  3. For Type of load balancer, select Application Load Balancer (HTTP/HTTPS) and click Next.
  4. For Public facing or internal, select Internal and click Next.
  5. For Cross-region or single region deployment, select Best for regional workloads and click Next.
  6. Click Configure.

Basic configuration

  1. Enter a Load balancer name.
  2. For Region, select REGION.
  3. For Network, select LB_NETWORK.

Reserve a proxy-only subnet

Note: If you already created the proxy-only subnet, the Reserve subnet button isn't displayed. You can skip this section and continue with the steps in the Frontend configuration section.

To reserve a proxy-only subnet:

  1. Click Reserve subnet.
  2. For Name, enter PROXY_ONLY_SUBNET_NAME.
  3. For IP address range, enter PROXY_ONLY_SUBNET_RANGE.
  4. Click Add.

Frontend configuration

  1. Click Frontend configuration.
  2. Enter a Name.
  3. For Subnetwork, select LB_SUBNET_NAME.
  4. To create an HTTPS load balancer, you must have an SSL certificate. In this example, you create a Compute Engine SSL certificate.

    Property       Value (type a value or select an option as specified)
    Protocol       HTTPS
    IP version     IPv4
    IP address     Select the IP address reserved previously: LB_IP_ADDRESS.
    Port           443
    Certificate    For Choose certificate repository, select Classic Certificates.
                   Select an existing SSL certificate or create a new certificate.
                   To create an HTTPS load balancer, you must have an SSL certificate resource to use in the HTTPS proxy.

    If you want to test this process without setting up an SSL certificate resource (or a domain as required by Google-managed certificates), you can set up an HTTP load balancer.

    To create an HTTP load balancer, verify that the following options are configured with these values:

    Property       Value (type a value or select an option as specified)
    Protocol       HTTP
    IP version     IPv4
    IP address     Select the IP address reserved previously: LB_IP_ADDRESS.
    Port           80
  5. Click Done.

Backend configuration

  1. Click Backend configuration.
  2. Click Backend services and backend buckets.
  3. Click Create a backend service.
  4. Enter a name.
  5. For Backend type, select Internet network endpoint group.
  6. For Protocol, select the protocol that you intend to use from the load balancer to the internet NEG.
  7. For Backends, in the New backend window, select the Regional internet network endpoint group created in the previous step.
  8. Click Done.
  9. Configure the health check:
    1. For Health check, select Create a health check.
    2. Set the health check name to HTTP_HEALTH_CHECK_NAME.
    3. For Protocol, select HTTP.
    4. Set Port to 80.
  10. Click Create.

Review and finalize

  1. Click Review and finalize.
  2. If everything looks correct, click Create.

gcloud

  1. Optional: Create a health check. Health check probes for external backends use the distributed Envoy health checks and are later NAT-translated.

    gcloud compute health-checks create http HTTP_HEALTH_CHECK_NAME \
        --region=REGION \
        --use-serving-port
  2. Create a backend service:

    gcloud compute backend-services create BACKEND_SERVICE \
        --load-balancing-scheme=INTERNAL_MANAGED \
        --protocol=HTTP \
        --health-checks=HTTP_HEALTH_CHECK_NAME \
        --health-checks-region=REGION \
        --region=REGION
  3. Add the internet NEG to the backend service:

    gcloud compute backend-services add-backend BACKEND_SERVICE \
        --network-endpoint-group=INTERNET_NEG_NAME \
        --network-endpoint-group-region=REGION \
        --region=REGION
  4. Create a URL map to route incoming requests to the backend service:

    gcloud compute url-maps create URL_MAP_NAME \
        --default-service=BACKEND_SERVICE \
        --region=REGION
  5. Optional: Perform this step if you are using HTTPS between the client and the load balancer. This step is not required for HTTP load balancers.

    You can create either Compute Engine or Certificate Manager certificates. Use any of the following methods to create certificates using Certificate Manager:

    After you create certificates, attach the certificate directly to the target proxy.

    To create a Compute Engine self-managed SSL certificate resource:

    gcloud compute ssl-certificates create SSL_CERTIFICATE_NAME \
        --certificate CRT_FILE_PATH \
        --private-key KEY_FILE_PATH
  6. Create a target HTTP(S) proxy to route requests to your URL map.

    For an HTTP load balancer, create an HTTP target proxy:

    gcloud compute target-http-proxies create TARGET_HTTP_PROXY_NAME \
        --url-map=URL_MAP_NAME \
        --region=REGION

    For an HTTPS load balancer, create an HTTPS target proxy. The proxy is the portion of the load balancer that holds the SSL certificate for HTTPS Load Balancing, so you also load your certificate in this step.

    gcloud compute target-https-proxies create TARGET_HTTPS_PROXY_NAME \
        --ssl-certificates=SSL_CERTIFICATE_NAME \
        --url-map=URL_MAP_NAME \
        --region=REGION
  7. Create a forwarding rule to route incoming requests to the proxy.

    For an HTTP load balancer:

    gcloud compute forwarding-rules create HTTP_FORWARDING_RULE_NAME \
        --load-balancing-scheme=INTERNAL_MANAGED \
        --network-tier=PREMIUM \
        --network=LB_NETWORK \
        --subnet=LB_SUBNET_NAME \
        --address=LB_IP_ADDRESS \
        --target-http-proxy=TARGET_HTTP_PROXY_NAME \
        --target-http-proxy-region=REGION \
        --region=REGION \
        --ports=80

    For an HTTPS load balancer:

    gcloud compute forwarding-rules create HTTPS_FORWARDING_RULE_NAME \
        --load-balancing-scheme=INTERNAL_MANAGED \
        --network-tier=PREMIUM \
        --network=LB_NETWORK \
        --subnet=LB_SUBNET_NAME \
        --address=LB_IP_ADDRESS \
        --target-https-proxy=TARGET_HTTPS_PROXY_NAME \
        --target-https-proxy-region=REGION \
        --region=REGION \
        --ports=443

Connect your domain to your load balancer

After the load balancer is created, note the IP address that is associated with the load balancer—for example, 30.90.80.100. To point your domain to your load balancer, create an A record by using your domain registration service. If you added multiple domains to your SSL certificate, you must add an A record for each one, all pointing to the load balancer's IP address. For example, to create A records for www.example.com and example.com, use the following:

NAME                  TYPE     DATA
www                   A        30.90.80.100
@                     A        30.90.80.100

If you use Cloud DNS as your DNS provider, see Add, modify, and delete records.

Test the load balancer

Now that you have configured your load balancer, you can start sending traffic to the load balancer's IP address.

Create a client VM

This example creates a client VM (vm-client) in the same region as the load balancer. The client is used to validate the load balancer's configuration and demonstrate expected behavior.

gcloud

The client VM can be in any zone in the same REGION as the load balancer, and it can use any subnet in the same VPC network.

    gcloud compute instances create vm-client \
        --image-family=debian-12 \
        --image-project=debian-cloud \
        --tags=allow-ssh \
        --network=LB_NETWORK \
        --subnet=LB_SUBNET_NAME \
        --zone=ZONE

Send traffic to the load balancer

It might take a few minutes for the load balancer configuration to propagate after you first deploy it.

  • Connect to the client instance by using SSH.

    gcloud compute ssh vm-client \
        --zone=ZONE
  • Verify that the load balancer is connecting to the application you're running on the external backend as expected.

    For HTTP testing, run:

    curl IP_ADDRESS

    For HTTPS testing, run:

    curl -k -s 'https://TEST_DOMAIN_URL:443' --connect-to TEST_DOMAIN_URL:443:IP_ADDRESS:443

    Replace TEST_DOMAIN_URL with the domain associated with your application. For example, test.example.com.

    The -k flag causes curl to skip certificate validation.

Additional configuration

This section expands on the configuration example to provide alternative and additional configuration options. All of the tasks are optional. You can perform them in any order.

To enable even more capabilities for your regional internal Application Load Balancer, such as global access (if your clients are in a different region), see Set up an internal Application Load Balancer with VM instance group backends: Additional configuration.

Use a custom header to authenticate requests

To authenticate requests sent to your external backend, you can set a custom header to indicate that the request came from a Google Cloud load balancer. You'll also need to configure the external backend to expect this custom header on traffic coming from Google Cloud.

To learn how to set up custom headers, see Set up advanced traffic management.

For other authentication methods, see Authenticate requests to the external backend.

Update client HTTP keepalive timeout

The load balancer created in the previous steps has been configured with a default value for the client HTTP keepalive timeout.

To update the client HTTP keepalive timeout, use the following instructions.

Console

  1. In the Google Cloud console, go to the Load balancing page.

    Go to Load balancing.

  2. Click the name of the load balancer that you want to modify.
  3. Click Edit.
  4. Click Frontend configuration.
  5. Expand Advanced features. For HTTP keepalive timeout, enter a timeout value.
  6. Click Update.
  7. To review your changes, click Review and finalize, and then click Update.

gcloud

For an HTTP load balancer, update the target HTTP proxy by using the gcloud compute target-http-proxies update command.

    gcloud compute target-http-proxies update TARGET_HTTP_PROXY_NAME \
        --http-keep-alive-timeout-sec=HTTP_KEEP_ALIVE_TIMEOUT_SEC \
        --region=REGION

For an HTTPS load balancer, update the target HTTPS proxy by using the gcloud compute target-https-proxies update command.

    gcloud compute target-https-proxies update TARGET_HTTPS_PROXY_NAME \
        --http-keep-alive-timeout-sec=HTTP_KEEP_ALIVE_TIMEOUT_SEC \
        --region=REGION

Replace the following:

  • TARGET_HTTP_PROXY_NAME: the name of the target HTTP proxy.
  • TARGET_HTTPS_PROXY_NAME: the name of the target HTTPS proxy.
  • HTTP_KEEP_ALIVE_TIMEOUT_SEC: the HTTP keepalive timeout value from 5 to 600 seconds.


Last updated 2025-10-24 UTC.