Setting up zonal NEGs

This document contains instructions for configuring zonal network endpoint groups (NEGs). Before you configure zonal NEGs, read Network endpoint groups overview.

Note: This page describes how to configure a specific load balancer component or feature before or after you've already created a load balancer. Working with specific components is useful for advanced configurations and necessary for some configuration options. Before using the information on this page, know the type of Google Cloud load balancer that you need.

Zonal NEGs with GCE_VM_IP endpoints

These can be used as backends for backend services in internal passthrough Network Load Balancers and external passthrough Network Load Balancers. For details, see Zonal NEGs overview: Load balancing.

For end-to-end examples, see the following:

Zonal NEGs with GCE_VM_IP_PORT endpoints

These can be used as backends for backend services in the following types of load balancers:

The primary use case for GCE_VM_IP_PORT zonal NEGs is container-native load balancing, so that you can distribute traffic among microservices running in containers on your VMs. Container-native load balancing enables load balancers to target Pods directly and to make load distribution decisions at the Pod level instead of at the VM level.

There are two ways to configure container-native load balancing: either use NEGs managed by GKE Ingress, or use standalone NEGs.

For instructions, see:

Configuring zonal NEGs

The rest of this page describes how to configure zonal NEGs before or after you've already created a load balancer. Note that some of these actions don't apply to zonal NEGs created and managed by Ingress.

Create a zonal network endpoint group

Console

To create a zonal network endpoint group:

  1. Go to the Network Endpoint Groups page in the Google Cloud console.
  2. Click Create network endpoint group.
  3. For the Network endpoint group type, select Network endpoint type: Zonal.
  4. Enter the Name of the network endpoint group.
  5. For Network endpoint type, select Network endpoint group (Zonal).
  6. Select the Endpoints type depending on the type of load balancer you're using.
  7. Select the Network.
  8. Select the Subnetwork.
  9. Select the Zone.
  10. For zonal NEGs with GCE_VM_IP_PORT endpoints only, enter a Default port.
  11. Click Create.

gcloud

Create a GCE_VM_IP_PORT zonal NEG

    gcloud compute network-endpoint-groups create NEG_NAME \
        --zone=ZONE \
        --network=NETWORK \
        [--subnet=SUBNET] \
        [--default-port=DEFAULT_PORT]

In this command, the flags are defined as follows:

  • NEG_NAME is the name of the new network endpoint group. The name must be unique within the zone.
  • ZONE is the name of the zone in which the NEG is created.
  • NETWORK is the name of the network in which the NEG is created. If omitted, Google Cloud uses a network named default.
  • SUBNET is the name of the subnet to which the network endpoints belong. This flag is optional if the network is an auto mode VPC network. If omitted, the NEG resides in the automatically created subnet of the selected zone's region. The flag is required if the network is a custom mode VPC or if you need to specify a manually created subnet.
  • DEFAULT_PORT is the default port associated with the NEG. This flag is optional. If omitted, all endpoints must be specified by IP:port. If included, the port portion can be omitted from the endpoint specification and the default port is assumed.

Create a GCE_VM_IP zonal NEG

To create a GCE_VM_IP zonal network endpoint group, you must specify the --network-endpoint-type flag of gcloud compute network-endpoint-groups create, as shown here:

    gcloud compute network-endpoint-groups create NEG_NAME \
        --network-endpoint-type=gce-vm-ip \
        --zone=ZONE \
        --network=NETWORK \
        --subnet=SUBNET

In this command, the flags are defined as follows:

  • NEG_NAME is the name of the new network endpoint group. The name must be unique within the zone.
  • ZONE is the name of the zone in which the NEG is created.
  • NETWORK is the name of the network in which the NEG is created.
  • SUBNET is the name of the subnet to which the network endpoints belong.

Adding endpoints to a network endpoint group

Console

To add endpoints to a network endpoint group:

  1. Go to the Network Endpoint Groups page in the Google Cloud console.
  2. Click the Name of the network endpoint group to which you want to add endpoints. You see the Network endpoint group details page.
  3. In the Network endpoints in this group section, click Add network endpoint. You see the Add network endpoint page.
  4. Select a VM instance to add its internal IP addresses as network endpoints and click Add. You see the Network interface, zone, subnet, and the internal IP address of the VM interface assigned to the endpoint.
  5. For zonal NEGs with GCE_VM_IP_PORT endpoints only, perform the following steps:
    1. Enter the IP address or range of the new network endpoint.
    2. Select the Port type.
    3. If you select Default, the endpoint uses the default port for all endpoints in the network endpoint group.
    4. If you select Custom, enter the Port number for the endpoint to use.
  6. To add more endpoints, click Add network endpoint and repeat steps 4 and 5.
  7. After you add all the endpoints that you need, click Add.

gcloud

To add endpoints to a network endpoint group:

    gcloud compute network-endpoint-groups update NEG_NAME \
        --zone=ZONE \
        --add-endpoint 'instance=INSTANCE_NAME,[ip=IP_ADDRESS],[port=PORT]' \
        [--add-endpoint ...]

Replace the following:

  • NEG_NAME: the name of the NEG.
  • ZONE: the name of the zone in which the NEG resides.
  • INSTANCE_NAME: the name of the VM to which the IP address belongs.
  • IP_ADDRESS: an optional IP address for the network endpoint being added. If you omit the IP address, Google Cloud selects the primary internal IP address of the VM instance that matches the subnetwork of the NEG.
  • PORT: the port of the network endpoint being added. The port is optional if a default port is specified in the NEG. This field is not supported for zonal NEGs with GCE_VM_IP endpoints.

For more details, see Zonal network endpoint groups overview.

For example, to add endpoints to a GCE_VM_IP_PORT zonal NEG:

    gcloud compute network-endpoint-groups update my-lb-neg \
        --zone=asia-southeast1-a \
        --add-endpoint 'instance=my-vm1,ip=10.1.1.1,port=80'

Adding a zonal NEG to a backend service

Console

To add a network endpoint group to a backend service:

  1. Go to the Load balancing page in the Google Cloud console.
  2. Click the name of the load balancer whose backend service you want to edit.
  3. On the Load balancer details page, click Edit.
  4. On the Edit load balancer page, click Backend configuration.
  5. On the Backend configuration page, click Edit.
  6. Click + Add backend.
  7. Select a Zonal network endpoint group and click Done.
  8. Click Update.

gcloud

To add a NEG to a backend service:

    gcloud compute backend-services add-backend BACKEND_SERVICE \
        --network-endpoint-group=NETWORK_ENDPOINT_GROUP \
        --network-endpoint-group-zone=ZONE

For example, to add a GCE_VM_IP_PORT zonal NEG to a backend service:

    gcloud compute backend-services add-backend my-lb \
        --network-endpoint-group=my-lb-neg \
        --network-endpoint-group-zone=asia-southeast1-a \
        --global \
        --balancing-mode=RATE \
        --max-rate-per-endpoint=5
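The three gcloud procedures above (create the NEG, add endpoints, attach it to a backend service) are usually scripted rather than typed by hand, and the one place that deserves care is the --add-endpoint value: it is a comma-separated key=value list, so an instance name or address taken from an inventory system without validation could carry extra fields into it. The following is an added example for this page, not Google Cloud's own code. It validates each part of the endpoint specification against its own grammar, builds every gcloud invocation as an argv list (no shell, so nothing is word-split or re-interpreted), and renders the commands in dry-run mode so the plan can be reviewed before it runs. The names (my-lb-neg, my-vm1, my-vm2, the default network and subnet, the existing global backend service my-lb) are assumptions taken from or modelled on the examples on this page.

```python
"""Provision a GCE_VM_IP_PORT zonal NEG end to end: create the NEG, add
endpoints, attach it to a backend service.

Added example for this page, not Google Cloud's own code. It assumes the VPC
(default), subnet (default), VMs (my-vm1, my-vm2) and the global backend
service (my-lb) already exist; every name here is hypothetical. Commands are
built as argv lists and, by default, only rendered (dry run).
"""
import ipaddress
import re
import shlex
import subprocess
from typing import List, Optional, Sequence

# Compute Engine resource names are RFC 1035 labels: 1-63 chars, lowercase
# letters, digits and hyphens, starting with a letter, not ending in a hyphen.
_NAME_RE = re.compile(r"^[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?$")


def check_name(name: str) -> str:
    """Reject anything that is not a valid resource name. This also rules out
    ',' and '=', which would otherwise smuggle extra fields into an
    endpoint specification."""
    if not _NAME_RE.match(name):
        raise ValueError(f"invalid resource name: {name!r}")
    return name


def endpoint_spec(instance: str, ip: Optional[str] = None,
                  port: Optional[int] = None) -> str:
    """Build the instance=...,ip=...,port=... value for --add-endpoint.
    ip may be omitted (the VM's primary internal IP in the NEG's subnet is
    used) and port may be omitted when the NEG has a default port."""
    parts = [f"instance={check_name(instance)}"]
    if ip is not None:
        parts.append(f"ip={ipaddress.ip_address(ip)}")  # ValueError on junk
    if port is not None:
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"port out of range: {port}")
        parts.append(f"port={int(port)}")
    return ",".join(parts)


def neg_create_argv(neg: str, zone: str, network: str, subnet: str,
                    default_port: Optional[int] = None) -> List[str]:
    argv = ["gcloud", "compute", "network-endpoint-groups", "create",
            check_name(neg), "--network-endpoint-type=gce-vm-ip-port",
            f"--zone={zone}", f"--network={check_name(network)}",
            f"--subnet={check_name(subnet)}"]
    if default_port is not None:
        argv.append(f"--default-port={int(default_port)}")
    return argv


def neg_add_endpoints_argv(neg: str, zone: str,
                           specs: Sequence[str]) -> List[str]:
    argv = ["gcloud", "compute", "network-endpoint-groups", "update",
            check_name(neg), f"--zone={zone}"]
    argv.extend(f"--add-endpoint={spec}" for spec in specs)
    return argv


def backend_add_neg_argv(backend_service: str, neg: str, zone: str,
                         max_rate_per_endpoint: int) -> List[str]:
    return ["gcloud", "compute", "backend-services", "add-backend",
            check_name(backend_service), "--global",
            f"--network-endpoint-group={check_name(neg)}",
            f"--network-endpoint-group-zone={zone}",
            "--balancing-mode=RATE",
            f"--max-rate-per-endpoint={int(max_rate_per_endpoint)}"]


def run(argv: Sequence[str], dry_run: bool = True) -> str:
    """Run one command without a shell, so values are never word-split or
    interpreted; in dry-run mode the command is only rendered."""
    rendered = " ".join(shlex.quote(arg) for arg in argv)
    if not dry_run:
        subprocess.run(list(argv), check=True)
    return rendered


def provision(dry_run: bool = True) -> List[str]:
    """The three steps from this page, in order; returns the rendered commands."""
    neg, zone = "my-lb-neg", "asia-southeast1-a"
    specs = [endpoint_spec("my-vm1", "10.1.1.1", 80),
             endpoint_spec("my-vm2")]  # no ip/port: primary IP, NEG default port
    plan = [neg_create_argv(neg, zone, "default", "default", default_port=80),
            neg_add_endpoints_argv(neg, zone, specs),
            backend_add_neg_argv("my-lb", neg, zone, max_rate_per_endpoint=5)]
    return [run(argv, dry_run) for argv in plan]


if __name__ == "__main__":
    for command in provision(dry_run=True):
        print(command)
```

Run it as-is to print the plan; call provision(dry_run=False) once the rendered commands look right. Because the NEG is created with --default-port=80, the second endpoint is added with only its instance name, which is exactly the shortcut the DEFAULT_PORT flag description above permits.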

Removing a NEG from a backend service

Console

  1. Go to the Load balancing page in the Google Cloud console.
  2. Click the name of the load balancer whose backend service you want to edit.
  3. On the Load balancer details page, click Edit.
  4. On the Edit load balancer page, click Backend configuration.
  5. On the Backend configuration page, click Edit for the backend service from which you are removing the NEG.
  6. In the Backend section, locate the NEG you want to remove and click the trash can icon for that NEG.
  7. Click Update.

gcloud

To remove a NEG from a backend service:

    gcloud compute backend-services remove-backend BACKEND_SERVICE \
        --network-endpoint-group=NETWORK_ENDPOINT_GROUP \
        --network-endpoint-group-zone=NETWORK_ENDPOINT_GROUP_ZONE

For example:

    gcloud compute backend-services remove-backend my-lb \
        --network-endpoint-group=my-lb-neg \
        --network-endpoint-group-zone=asia-southeast1-a

Removing endpoints from a network endpoint group

When a network endpoint is removed from a load balancing NEG, it triggers connection draining based on the drain parameters specified in the backend service. If multiple backend services refer to the same NEG, the maximum drain interval across all backend services is applied.

Console

To remove endpoints from a network endpoint group:

  1. Go to the Network Endpoint Groups page in the Google Cloud console.
  2. Click the Name of the network endpoint group from which you want to delete endpoints. You see the Network endpoint group detail page.
  3. Select the network endpoints you want to delete and click Remove endpoint.

gcloud

To remove endpoints from a network endpoint group:

    gcloud compute network-endpoint-groups update NEG_NAME \
        --zone=ZONE \
        --remove-endpoint 'instance=INSTANCE_NAME,[ip=IP],[port=PORT]' \
        [--remove-endpoint ...]

For example, to remove an endpoint from a GCE_VM_IP_PORT zonal NEG:

    gcloud compute network-endpoint-groups update my-lb-neg \
        --remove-endpoint 'instance=my-vm1,ip=10.1.1.1,port=80' \
        --zone=asia-southeast1-a

Listing network endpoint groups

Console

To view a list of network endpoint groups, go to the Network Endpoint Groups page in the Google Cloud console.

gcloud

To list network endpoint groups:

gcloud compute network-endpoint-groups list

Describing a specific network endpoint group

Console

To get the details of a specific network endpoint group:

  1. Go to the Network Endpoint Groups page in the Google Cloud console.
  2. Click the name of the network endpoint group whose details you want to see.

gcloud

To get the details of a specific network endpoint group:

    gcloud compute network-endpoint-groups describe NEG_NAME \
        --zone=ZONE

Replace the following:

  • NEG_NAME: the name of the network endpoint group
  • ZONE: the name of the zone where the NEG was created. The flag is optional if you have configured a default compute zone for gcloud.

For example, the following gcloud command lists information about the network endpoint group my-lb-neg.

    gcloud compute network-endpoint-groups describe my-lb-neg \
        --zone=asia-southeast1-a

The output of the command is the following:

    creationTimestamp: '2018-04-09T14:51:34.381-07:00'
    id: '5260475207627726473'
    kind: compute#networkEndpointGroup
    loadBalancer:
      defaultPort: 80
      network: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/networks/default
      zone: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/asia-southeast1-a

Removing network endpoint groups

A network endpoint group cannot be deleted if it is attached to a backend service. Before you delete a NEG, ensure that it is detached from the backend service.

Deleting a VM immediately causes all network endpoints on the VM to be removed from the NEG, closing all connections. Deleting a NEG after deleting a backend service also removes all endpoints in that NEG without connection draining.

Console

To remove a network endpoint group from a backend service, follow the steps in Removing a NEG from a backend service, earlier on this page.

To delete a network endpoint group:

  1. Go to the Network Endpoint Groups page in the Google Cloud console.
  2. Locate the network endpoint group you want to delete.
  3. Click the trash can icon in that row.

gcloud

To remove a network endpoint group from a backend service:

    gcloud compute backend-services remove-backend BACKEND_SERVICE \
        --network-endpoint-group=NETWORK_ENDPOINT_GROUP \
        --network-endpoint-group-zone=ZONE

To delete a network endpoint group:

    gcloud compute network-endpoint-groups delete NEG_NAME \
        --zone=ZONE

For example:

    gcloud compute backend-services remove-backend my-neg-backend \
        --network-endpoint-group=my-lb-neg \
        --network-endpoint-group-zone=asia-southeast1-a

    gcloud compute network-endpoint-groups delete my-lb-neg \
        --zone=asia-southeast1-a

Listing endpoints in a network endpoint group

Console

To view a list of endpoints in a network endpoint group:

  1. Go to the Network Endpoint Groups page in the Google Cloud console.
  2. Click the Name of the network endpoint group whose endpoints you want to view. You see the Network endpoint group detail page, on which the endpoints for the endpoint group are listed.
  3. To filter the endpoints, create key:value pairs in the text field under Network endpoints in this group.

gcloud

To list all of the network endpoints in a network endpoint group:

    gcloud compute network-endpoint-groups list-network-endpoints NEG_NAME \
        --zone=ZONE
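Listing endpoints is also how you verify that the NEG contains exactly the backends you intended: any endpoint that was added to the group, by whoever held permission to update it, receives a share of the load balancer's traffic, and an endpoint that was never added silently shrinks capacity. The following is an added example for this page, not Google Cloud's own code. It reconciles the JSON printed by list-network-endpoints with --format=json against an expected inventory and renders the --remove-endpoint command for anything that should not be there. SAMPLE and EXPECTED are constructed; the field names (networkEndpoint.instance, networkEndpoint.ipAddress, networkEndpoint.port, healths[].healthState) follow the Compute API's NetworkEndpointWithHealthStatus resource, and the NEG and zone names are taken from the examples on this page.

```python
"""Reconcile the endpoints registered in a zonal NEG against the inventory
you intended, from the JSON that

    gcloud compute network-endpoint-groups list-network-endpoints NEG_NAME \
        --zone=ZONE --format=json

prints. Added example for this page, not Google Cloud's own code. SAMPLE is a
constructed document; its field names follow the Compute API's
NetworkEndpointWithHealthStatus resource.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Endpoint = Tuple[str, str, int]  # (instance, ip, port)

# Constructed sample: two intended VMs and one endpoint nobody planned for.
SAMPLE = json.dumps([
    {"networkEndpoint": {"instance": "my-vm1", "ipAddress": "10.1.1.1", "port": 80},
     "healths": [{"healthState": "HEALTHY"}]},
    {"networkEndpoint": {"instance": "my-vm2", "ipAddress": "10.1.1.2", "port": 80},
     "healths": [{"healthState": "UNHEALTHY"}]},
    {"networkEndpoint": {"instance": "scratch-vm", "ipAddress": "10.1.1.99", "port": 8080},
     "healths": [{"healthState": "HEALTHY"}]},
])

# Constructed inventory of what the NEG should contain.
EXPECTED: Set[Endpoint] = {
    ("my-vm1", "10.1.1.1", 80),
    ("my-vm2", "10.1.1.2", 80),
    ("my-vm3", "10.1.1.3", 80),  # intended but never added
}


@dataclass
class AuditReport:
    unexpected: List[Endpoint] = field(default_factory=list)  # in NEG, not in inventory
    missing: List[Endpoint] = field(default_factory=list)     # in inventory, not in NEG
    unhealthy: List[Endpoint] = field(default_factory=list)   # expected but not HEALTHY

    def ok(self) -> bool:
        """Unexpected endpoints take traffic and missing ones cut capacity;
        unhealthy endpoints are reported but do not fail the audit."""
        return not self.unexpected and not self.missing


def parse_endpoints(doc: str) -> Dict[Endpoint, str]:
    """Map each endpoint to a health summary. healths is empty until the NEG
    is attached to a backend service with a health check, hence UNKNOWN."""
    out: Dict[Endpoint, str] = {}
    for item in json.loads(doc):
        ne = item["networkEndpoint"]
        key = (ne.get("instance", ""), ne.get("ipAddress", ""), int(ne.get("port", 0)))
        states = sorted({h.get("healthState", "UNKNOWN") for h in item.get("healths", [])})
        out[key] = ",".join(states) if states else "UNKNOWN"
    return out


def audit(doc: str, expected: Set[Endpoint]) -> AuditReport:
    actual = parse_endpoints(doc)
    report = AuditReport()
    report.unexpected = sorted(set(actual) - expected)
    report.missing = sorted(expected - set(actual))
    report.unhealthy = sorted(k for k, v in actual.items()
                              if k in expected and v != "HEALTHY")
    return report


def remove_argv(neg: str, zone: str, endpoints: List[Endpoint]) -> List[str]:
    """gcloud command that evicts the unexpected endpoints; connection
    draining applies as described in the removal section above."""
    argv = ["gcloud", "compute", "network-endpoint-groups", "update", neg, f"--zone={zone}"]
    for instance, ip, port in endpoints:
        argv.append(f"--remove-endpoint=instance={instance},ip={ip},port={port}")
    return argv


if __name__ == "__main__":
    report = audit(SAMPLE, EXPECTED)
    print("unexpected:", report.unexpected)
    print("missing:   ", report.missing)
    print("unhealthy: ", report.unhealthy)
    if report.unexpected:
        print(" ".join(remove_argv("my-lb-neg", "asia-southeast1-a", report.unexpected)))
```

To run it against a real NEG, replace SAMPLE with the output of the list-network-endpoints command in the docstring and EXPECTED with the inventory your deployment tooling owns; the endpoint key includes the IP address on purpose, so an extra alias or secondary interface on a known VM shows up as unexpected rather than being folded into the instance.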

Custom filtering when you list endpoints in a network endpoint group

You can use a custom filter to limit which endpoints in a network endpoint group are listed. Custom filtering is enabled only for the REST API. You cannot use custom filtering from the Google Cloud console or using the gcloud command-line interface.

For details, see the documentation for the method networkEndpointGroups.listNetworkEndpoints.

Health checking network endpoints

Backend services with zonal NEG backends must use a health check whose port specification is either:

  • a fixed (numbered) port (--port)
  • configured to use the serving port of the network endpoint(--use-serving-port)

The example that follows creates an HTTP health check that uses the serving port of the network endpoint with the --use-serving-port flag. Note that the --use-serving-port flag is implemented with gcloud compute health-checks create, but not with gcloud compute health-checks update.

    gcloud compute health-checks create http HTTP_HEALTH_CHECK_NAME \
        --use-serving-port

You cannot use a legacy health check with a zonal NEG backend. For more information, see Health Check Concepts.
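Because --use-serving-port cannot be set on an existing health check, the practical question when reusing one is whether it already satisfies the rule above, and, if it probes a fixed port, whether that port is one the endpoints actually serve (a fixed probe port that nothing listens on marks every endpoint unhealthy and the load balancer has nothing to send traffic to). The following is an added example for this page, not Google Cloud's own code. It applies that rule to the JSON that gcloud compute health-checks describe prints with --format=json. The documents are constructed; the field names (kind, type, the per-protocol httpHealthCheck/tcpHealthCheck block with its portSpecification and port) follow the Compute API HealthCheck resource, and legacy health checks are recognised by their compute#httpHealthCheck kind. ENDPOINT_PORTS is assumed to come from the NEG's default port and its endpoint list.

```python
"""Check that an existing health check is usable with zonal NEG backends,
from the JSON that gcloud compute health-checks describe NAME --format=json
prints: it must be a compute#healthCheck (not a legacy http-health-checks or
https-health-checks resource) whose port specification is USE_FIXED_PORT or
USE_SERVING_PORT, and a fixed probe port should be one the endpoints serve.

Added example for this page, not Google Cloud's own code. The documents
below are constructed; field names follow the Compute API HealthCheck
resource (kind, type, <type>HealthCheck.portSpecification,
<type>HealthCheck.port).
"""
from typing import Dict, List, Set

# Constructed health-check documents as gcloud would print them.
SERVING_PORT_HC: Dict = {"kind": "compute#healthCheck", "name": "hc-serving", "type": "HTTP",
                         "httpHealthCheck": {"portSpecification": "USE_SERVING_PORT",
                                             "requestPath": "/healthz"}}
FIXED_PORT_HC: Dict = {"kind": "compute#healthCheck", "name": "hc-8080", "type": "TCP",
                       "tcpHealthCheck": {"portSpecification": "USE_FIXED_PORT", "port": 8080}}
NAMED_PORT_HC: Dict = {"kind": "compute#healthCheck", "name": "hc-named", "type": "HTTP",
                       "httpHealthCheck": {"portSpecification": "USE_NAMED_PORT",
                                           "portName": "http"}}
LEGACY_HC: Dict = {"kind": "compute#httpHealthCheck", "name": "hc-legacy", "port": 80}

# Ports the NEG's endpoints actually serve (the NEG's defaultPort plus the
# ports seen in list-network-endpoints); constructed to match this page.
ENDPOINT_PORTS: Set[int] = {80}


def health_check_problems(hc: Dict, endpoint_ports: Set[int]) -> List[str]:
    """Return an empty list if hc can back a zonal NEG, else the reasons not."""
    name = hc.get("name")
    if hc.get("kind") != "compute#healthCheck":
        return [f"{name}: kind {hc.get('kind')!r} is a legacy health check; "
                "zonal NEG backends need a gcloud compute health-checks resource"]
    hc_type = str(hc.get("type", ""))
    # The per-protocol block is named after the type: httpHealthCheck,
    # httpsHealthCheck, http2HealthCheck, tcpHealthCheck, sslHealthCheck, grpcHealthCheck.
    proto = hc.get(f"{hc_type.lower()}HealthCheck", {})
    spec = proto.get("portSpecification")
    if spec == "USE_SERVING_PORT":
        return []
    if spec == "USE_FIXED_PORT":
        port = proto.get("port")
        if port in endpoint_ports:
            return []
        return [f"{name}: probes fixed port {port}, but endpoints serve "
                f"{sorted(endpoint_ports)}; the probe never reaches the serving port"]
    return [f"{name}: port specification {spec!r} is not allowed with zonal NEG "
            "backends (create the check with --port or --use-serving-port)"]


def usable(hc: Dict, endpoint_ports: Set[int] = ENDPOINT_PORTS) -> bool:
    return not health_check_problems(hc, endpoint_ports)


if __name__ == "__main__":
    for hc in (SERVING_PORT_HC, FIXED_PORT_HC, NAMED_PORT_HC, LEGACY_HC):
        problems = health_check_problems(hc, ENDPOINT_PORTS)
        print(hc["name"], "OK" if not problems else "; ".join(problems))
```

Of the four constructed checks only hc-serving passes as written; hc-8080 would pass if 8080 were among the endpoint ports, while the named-port and legacy checks are rejected outright and have to be recreated with gcloud compute health-checks create.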

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.