Set up a regional external proxy Network Load Balancer with zonal NEG backends

A regional external proxy Network Load Balancer is a proxy-based regional Layer 4 load balancer that lets you run and scale your TCP service traffic in a single region behind an external regional IP address. These load balancers distribute external TCP traffic from the internet to backends in the same region.

This guide contains instructions to set up a regional external proxy Network Load Balancer with a zonal network endpoint group (NEG) backend.

Before you begin, review the following documents:

In this example, we'll use the load balancer to distribute TCP traffic across backend VMs in two zonal NEGs in Region A. For purposes of the example, the service is a set of Apache servers configured to respond on port 80.

In this example, you configure the deployment shown in the following diagram.

Regional external proxy Network Load Balancer example configuration with zonal NEG backends.

This is a regional load balancer. All load balancer components (backend instance group, backend service, target proxy, and forwarding rule) must be in the same region.

Permissions

To follow this guide, you must be able to create instances and modify a network in a project. You must be either a project Owner or Editor, or you must have all of the following Compute Engine IAM roles.

Task                                                    Required role
Create networks, subnets, and load balancer components  Compute Network Admin (roles/compute.networkAdmin)
Add and remove firewall rules                           Compute Security Admin (roles/compute.securityAdmin)
Create instances                                        Compute Instance Admin (roles/compute.instanceAdmin)

For more information, see the following guides:

Optional: Use BYOIP addresses

With bring your own IP (BYOIP), you can import your own public addresses to Google Cloud to use the addresses with Google Cloud resources. For example, if you import your own IPv4 addresses, you can assign one to the forwarding rule when you configure your load balancer. When you follow the instructions in this document to configure the load balancer, provide the BYOIP address as the IP address.

For more information about using BYOIP, see Bring your own IP addresses.

Configure the network and subnets

You need a VPC network with two subnets, one for the load balancer's backends and the other for the load balancer's proxies. This is a regional load balancer. Traffic within the VPC network is routed to the load balancer if the traffic's source is in a subnet in the same region as the load balancer.

This example uses the following VPC network, region, and subnets:

  • Network: a custom-mode VPC network named lb-network

  • Subnet for backends: a subnet named backend-subnet in Region A that uses 10.1.2.0/24 for its primary IP address range

  • Subnet for proxies: a subnet named proxy-only-subnet in Region A that uses 10.129.0.0/23 for its primary IP address range

Note: You can change the name of the network, the region, and the parameters for the subnets; however, subsequent steps in this guide use the network, region, and subnet parameters as named here.

Create the network and subnet for backends

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. Click Create VPC network.

  3. For Name, enter lb-network.

  4. In the Subnets section, do the following:

    1. Set the Subnet creation mode to Custom.
    2. In the New subnet section, enter the following information:
      • Name: backend-subnet
      • Region: REGION_A
      • IP address range: 10.1.2.0/24
    3. Click Done.
  5. Click Create.

gcloud

  1. To create the custom VPC network, use the gcloud compute networks create command:

    gcloud compute networks create lb-network --subnet-mode=custom
  2. To create a subnet in the lb-network network in the REGION_A region, use the gcloud compute networks subnets create command:

    gcloud compute networks subnets create backend-subnet \
        --network=lb-network \
        --range=10.1.2.0/24 \
        --region=REGION_A

Create the proxy-only subnet

A proxy-only subnet provides a set of IP addresses that Google uses to run Envoy proxies on your behalf. The proxies terminate connections from the client and create new connections to the backends.

This proxy-only subnet is used by all Envoy-based load balancers in Region A of the lb-network VPC network.

Important: Don't try to assign addresses from the proxy-only subnet to your load balancer's forwarding rule or backends. You assign the forwarding rule's IP address and the backend instance IP addresses from a different subnet range (or ranges), not this one. Google Cloud reserves this subnet range for Google Cloud-managed proxies.

Console

If you're using the Google Cloud console, you can wait and create the proxy-only subnet later on the Load balancing page.

If you want to create the proxy-only subnet now, use the following steps:

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. Click the name of the Shared VPC network: lb-network.

  3. Click Add subnet.

  4. For Name, enter proxy-only-subnet.

  5. For Region, select REGION_A.

  6. Set Purpose to Regional Managed Proxy.

  7. For IP address range, enter 10.129.0.0/23.

  8. Click Add.

gcloud

To create the proxy-only subnet, use the gcloud compute networks subnets create command:

gcloud compute networks subnets create proxy-only-subnet \
    --purpose=REGIONAL_MANAGED_PROXY \
    --role=ACTIVE \
    --region=REGION_A \
    --network=lb-network \
    --range=10.129.0.0/23

Create firewall rules

In this example, you create the following firewall rules:

  • fw-allow-health-check. An ingress rule, applicable to the Google Cloud instances being load balanced, that allows traffic from the load balancer and Google Cloud health checking systems (130.211.0.0/22 and 35.191.0.0/16). This example uses the target tag allow-health-check to identify the backend VMs to which it should apply.
  • fw-allow-ssh. An ingress rule that allows incoming SSH connectivity on TCP port 22 from any address. You can choose a more restrictive source IP range for this rule; for example, you can specify only the IP ranges of the systems from which you initiate SSH sessions. This example uses the target tag allow-ssh to identify the VMs to which it should apply.
  • fw-allow-proxy-only-subnet. An ingress allow firewall rule for the proxy-only subnet that allows the load balancer to communicate with backend instances on TCP port 80. This example uses the target tag allow-proxy-only-subnet to identify the backend VMs to which it should apply.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. Click Create firewall rule, and then complete the following fields:

    • Name: fw-allow-health-check
    • Network: lb-network
    • Targets: Specified target tags
    • Target tags: allow-health-check
    • Source filter: IPv4 ranges
    • Source IPv4 ranges: 130.211.0.0/22 and 35.191.0.0/16
    • Protocols and ports:
      • Choose Specified protocols and ports.
      • Select the TCP checkbox, and then enter 80 for the port number.
  3. Click Create.

  4. Click Create firewall rule a second time to create the rule to allow incoming SSH connections:

    • Name: fw-allow-ssh
    • Network: lb-network
    • Priority: 1000
    • Direction of traffic: Ingress
    • Action on match: Allow
    • Targets: Specified target tags
    • Target tags: allow-ssh
    • Source filter: IPv4 ranges
    • Source IPv4 ranges: 0.0.0.0/0
    • Protocols and ports:
      • Choose Specified protocols and ports.
      • Select the TCP checkbox, and then enter 22 for the port number.
  5. Click Create.

  6. Click Create firewall rule a third time to create the rule to allow incoming connections from the proxy-only subnet to the Google Cloud backends:

    • Name: fw-allow-proxy-only-subnet
    • Network: lb-network
    • Priority: 1000
    • Direction of traffic: Ingress
    • Action on match: Allow
    • Targets: Specified target tags
    • Target tags: allow-proxy-only-subnet
    • Source filter: IPv4 ranges
    • Source IPv4 ranges: 10.129.0.0/23
    • Protocols and ports:
      • Choose Specified protocols and ports.
      • Select the TCP checkbox, and then enter 80 for the port number.
  7. Click Create.

gcloud

  1. Create the fw-allow-health-check rule to allow the Google Cloud health checks to reach the backend instances on TCP port 80:

    gcloud compute firewall-rules create fw-allow-health-check \
        --network=lb-network \
        --action=allow \
        --direction=ingress \
        --target-tags=allow-health-check \
        --source-ranges=130.211.0.0/22,35.191.0.0/16 \
        --rules=tcp:80
  2. Create the fw-allow-ssh firewall rule to allow SSH connectivity to VMs with the network tag allow-ssh. When you omit source-ranges, Google Cloud interprets the rule to mean any source.

    gcloud compute firewall-rules create fw-allow-ssh \
        --network=lb-network \
        --action=allow \
        --direction=ingress \
        --target-tags=allow-ssh \
        --rules=tcp:22
  3. Create an ingress allow firewall rule for the proxy-only subnet to allow the load balancer to communicate with backend instances on TCP port 80:

    gcloud compute firewall-rules create fw-allow-proxy-only-subnet \
        --network=lb-network \
        --action=allow \
        --direction=ingress \
        --target-tags=allow-proxy-only-subnet \
        --source-ranges=10.129.0.0/23 \
        --rules=tcp:80
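The three rules above are easy to get subtly wrong (a missing health-check range leaves every backend unhealthy; a proxy-only rule wider than 10.129.0.0/23 exposes port 80 without going through the load balancer; the default fw-allow-ssh accepts SSH from anywhere). The following audit script is an added example, not part of the Google Cloud guide: it checks records shaped like the output of `gcloud compute firewall-rules list --format=json` against the guide's intent. The sample records, the PROJECT_ID placeholder in the network URL, and the function names are this example's own.

```python
import ipaddress

HEALTH_CHECK_RANGES = ("130.211.0.0/22", "35.191.0.0/16")  # Google Cloud health checkers
PROXY_ONLY_SUBNET = "10.129.0.0/23"                         # the guide's proxy-only subnet
BACKEND_PORT = "80"                                         # Apache port on the backends

def _allows_tcp_port(rule, port):
    """True if the rule's 'allowed' list permits TCP on exactly this port."""
    return any(a.get("IPProtocol") == "tcp" and port in a.get("ports", [])
               for a in rule.get("allowed", []))

def _covers(source_ranges, needed):
    """True if every CIDR in 'needed' lies inside some listed source range."""
    nets = [ipaddress.ip_network(r) for r in source_ranges]
    return all(any(s.version == n.version and n.subnet_of(s) for s in nets)
               for n in map(ipaddress.ip_network, needed))

def _all_within(source_ranges, boundary):
    """True if every listed source range lies inside 'boundary' (nothing wider)."""
    b = ipaddress.ip_network(boundary)
    nets = [ipaddress.ip_network(r) for r in source_ranges]
    return bool(nets) and all(r.version == b.version and r.subnet_of(b) for r in nets)

def audit_firewall_rules(rules, network="lb-network"):
    """Return a list of findings; an empty list means the rules match the guide's intent."""
    findings = []
    # gcloud reports 'network' as a resource URL; keep enabled ingress rules on the guide's VPC.
    by_name = {r["name"]: r for r in rules
               if r.get("network", "").rsplit("/", 1)[-1] == network
               and r.get("direction", "INGRESS") == "INGRESS" and not r.get("disabled", False)}

    hc = by_name.get("fw-allow-health-check")
    if hc is None or not _allows_tcp_port(hc, BACKEND_PORT):
        findings.append("fw-allow-health-check missing or not allowing tcp:80; backends will be marked unhealthy")
    elif not _covers(hc.get("sourceRanges", []), HEALTH_CHECK_RANGES):
        findings.append("fw-allow-health-check does not admit both health-check ranges 130.211.0.0/22 and 35.191.0.0/16")

    po = by_name.get("fw-allow-proxy-only-subnet")
    if po is None or not _allows_tcp_port(po, BACKEND_PORT):
        findings.append("fw-allow-proxy-only-subnet missing or not allowing tcp:80; the proxies cannot reach the backends")
    elif not _all_within(po.get("sourceRanges", []), PROXY_ONLY_SUBNET):
        findings.append("fw-allow-proxy-only-subnet admits sources outside 10.129.0.0/23; port 80 is reachable without passing through the load balancer")

    ssh = by_name.get("fw-allow-ssh")
    if ssh is not None and _allows_tcp_port(ssh, "22"):
        src = ssh.get("sourceRanges", [])  # an omitted --source-ranges means any source
        if not src or any(ipaddress.ip_network(r).prefixlen == 0 for r in src):
            findings.append("fw-allow-ssh accepts tcp:22 from any source; restrict --source-ranges to your admin IP ranges")
    return findings

# Constructed sample mirroring the three rules the guide's gcloud commands create.
NET = "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/lb-network"
SAMPLE_RULES = [
    {"name": "fw-allow-health-check", "network": NET, "direction": "INGRESS", "targetTags": ["allow-health-check"],
     "sourceRanges": list(HEALTH_CHECK_RANGES), "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "fw-allow-ssh", "network": NET, "direction": "INGRESS", "targetTags": ["allow-ssh"],
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "fw-allow-proxy-only-subnet", "network": NET, "direction": "INGRESS", "targetTags": ["allow-proxy-only-subnet"],
     "sourceRanges": [PROXY_ONLY_SUBNET], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
]

if __name__ == "__main__":
    print(*audit_firewall_rules(SAMPLE_RULES), sep="\n")
```

Run against the guide's rules as written, the only finding is the world-open SSH rule; feed it `gcloud compute firewall-rules list --format=json` output instead of SAMPLE_RULES to audit a real project.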

Reserve the load balancer's IP address

Note: Regional external proxy Network Load Balancers support both the Premium and Standard Network Service Tiers. This procedure demonstrates the setup with Standard Tier.

Console

  1. In the Google Cloud console, go to the Reserve a static address page.

    Go to Reserve a static address

  2. Choose a name for the new address.

  3. For Network Service Tier, select Standard.

  4. For IP version, select IPv4. IPv6 addresses are not supported.

  5. For Type, select Regional.

  6. For Region, select REGION_A.

  7. Leave the Attached to option set to None. After you create the load balancer, this IP address is attached to the load balancer's forwarding rule.

  8. Click Reserve to reserve the IP address.

gcloud

  1. To reserve a static external IP address, use the gcloud compute addresses create command:

    gcloud compute addresses create ADDRESS_NAME \
        --region=REGION_A \
        --network-tier=STANDARD

    Replace ADDRESS_NAME with the name that you want to call this address.

  2. To view the result, use the gcloud compute addresses describe command:

    gcloud compute addresses describe ADDRESS_NAME

Set up the zonal NEG

Set up a zonal NEG with GCE_VM_IP_PORT type endpoints in Region A. First create the VMs, and then create a zonal NEG and add the VMs' network endpoints to the NEG.

Create VMs

Console

  1. In the Google Cloud console, go to the VM instances page.

    Go to VM instances

  2. Click Create instance.

  3. Set Name to vm-a1.

  4. For Region, select REGION_A.

  5. For Zone, select ZONE_A.

  6. In the Boot disk section, ensure that Debian GNU/Linux 12 (bookworm) is selected for the boot disk options. Click Choose to change the image if necessary.

  7. Click Advanced options.

  8. Click Networking, and then configure the following fields:

    1. For Network tags, enter allow-ssh, allow-health-check, and allow-proxy-only-subnet.
    2. For Network interfaces, select the following:
      • Network: lb-network
      • Subnet: backend-subnet
  9. Click Management. Enter the following script into the Startup script field:

    #! /bin/bash
    apt-get update
    apt-get install apache2 -y
    a2ensite default-ssl
    a2enmod ssl
    vm_hostname="$(curl -H "Metadata-Flavor:Google" \
    http://metadata.google.internal/computeMetadata/v1/instance/name)"
    echo "Page served from: $vm_hostname" | \
    tee /var/www/html/index.html
    systemctl restart apache2
  10. Click Create.

  11. Repeat the previous steps to create three more VMs. Use the following name and zone combinations:

    • Name: vm-a2 | Zone: ZONE_A
    • Name: vm-b1 | Zone: ZONE_B
    • Name: vm-b2 | Zone: ZONE_B

gcloud

To create the VMs, use the gcloud compute instances create command once for each of the following combinations of VM_NAME and ZONE. The script contents are identical for all VMs:

  • VM_NAME: vm-a1 and ZONE: ZONE_A
  • VM_NAME: vm-a2 and ZONE: ZONE_A
  • VM_NAME: vm-b1 and ZONE: ZONE_B
  • VM_NAME: vm-b2 and ZONE: ZONE_B

    gcloud compute instances create VM_NAME \
        --zone=ZONE \
        --image-family=debian-12 \
        --image-project=debian-cloud \
        --tags=allow-ssh,allow-health-check,allow-proxy-only-subnet \
        --subnet=backend-subnet \
        --metadata=startup-script='#! /bin/bash
          apt-get update
          apt-get install apache2 -y
          a2ensite default-ssl
          a2enmod ssl
          vm_hostname="$(curl -H "Metadata-Flavor:Google" \
          http://metadata.google.internal/computeMetadata/v1/instance/name)"
          echo "Page served from: $vm_hostname" | \
          tee /var/www/html/index.html
          systemctl restart apache2'

Create the zonal NEGs

Console

Create a zonal network endpoint group

  1. In the Google Cloud console, go to the Network endpoint groups page.

    Go to Network endpoint groups

  2. Click Create network endpoint group.

  3. For Name, enter zonal-neg-a.

  4. For Network endpoint group type, select Network endpoint group (Zonal).

  5. For Network, select lb-network.

  6. For Subnet, select backend-subnet.

  7. For Zone, select ZONE_A.

  8. For Default port, enter 80.

  9. Click Create.

  10. Repeat all the steps in this section to create a second zonal NEG with the following changes in settings:

    • Name: zonal-neg-b
    • Zone: ZONE_B

Add endpoints to the zonal NEGs

  1. In the Google Cloud console, go to the Network endpoint groups page.

    Go to Network endpoint groups

  2. Click the name of the network endpoint group that you created in the previous step (for example, zonal-neg-a).

  3. On the Network endpoint group details page, in the Network endpoints in this group section, click Add network endpoint.

  4. Select a VM instance (for example, vm-a1).

  5. In the Network interface section, the VM name, zone, and subnet are displayed.

    1. For IP address, enter the IP address of the new network endpoint. To get the IP address, click Check primary IP addresses and alias IP range in nic0.
    2. For Port type, select Default. The endpoint uses the default port 80 for all endpoints in the network endpoint group. This is sufficient for our example because the Apache server is serving requests at port 80.
    3. Click Create.
  6. Click Add network endpoint. Select the second VM instance, vm-a2, and repeat the previous steps to add its endpoints to zonal-neg-a.

  7. Repeat all the steps in this section to add endpoints from vm-b1 and vm-b2 to zonal-neg-b.

gcloud

  1. Create a zonal NEG in the ZONE_A zone with GCE_VM_IP_PORT endpoints:

    gcloud compute network-endpoint-groups create zonal-neg-a \
        --network-endpoint-type=GCE_VM_IP_PORT \
        --zone=ZONE_A \
        --network=lb-network \
        --subnet=backend-subnet

    You can either specify the --default-port while creating the NEG, or specify a port number for each endpoint as shown in the next step.

  2. Add endpoints to the zonal NEG:

    gcloud compute network-endpoint-groups update zonal-neg-a \
        --zone=ZONE_A \
        --add-endpoint='instance=vm-a1,port=80' \
        --add-endpoint='instance=vm-a2,port=80'
  3. Create a zonal NEG in the ZONE_B zone with GCE_VM_IP_PORT endpoints:

    gcloud compute network-endpoint-groups create zonal-neg-b \
        --network-endpoint-type=GCE_VM_IP_PORT \
        --zone=ZONE_B \
        --network=lb-network \
        --subnet=backend-subnet

    You can either specify the --default-port while creating the NEG, or specify a port number for each endpoint as shown in the next step.

  4. Add endpoints to the zonal NEG:

    gcloud compute network-endpoint-groups update zonal-neg-b \
        --zone=ZONE_B \
        --add-endpoint='instance=vm-b1,port=80' \
        --add-endpoint='instance=vm-b2,port=80'

Configure the load balancer

Console

Start your configuration

  1. In the Google Cloud console, go to the Load balancing page.

    Go to Load balancing

  2. Click Create load balancer.
  3. For Type of load balancer, select Network Load Balancer (TCP/UDP/SSL) and click Next.
  4. For Proxy or passthrough, select Proxy load balancer and click Next.
  5. For Public facing or internal, select Public facing (external) and click Next.
  6. For Global or single region deployment, select Best for regional workloads and click Next.
  7. Click Configure.

Basic configuration

  1. For Name, enter my-ext-tcp-lb.
  2. For Region, select REGION_A.
  3. For Network, select lb-network.

Reserve a proxy-only subnet

Note: If you already created the proxy-only subnet, the Reserve subnet button isn't displayed. You can skip this section and continue with the steps in the Configure the backends section.
  1. Click Reserve subnet.
  2. For Name, enter proxy-only-subnet.
  3. For IP address range, enter 10.129.0.0/23.
  4. Click Add.

Configure the backends

  1. Click Backend configuration.
  2. In the Backend type list, select Zonal network endpoint group.
  3. In the Protocol list, select TCP.
  4. Configure the health check:
    1. In the Health check list, select Create a health check.
    2. In the Name field, enter tcp-health-check.
    3. In the Protocol list, select TCP.
    4. In the Port field, enter 80.
    5. Click Create.
  5. Configure the first backend:
    1. For New backend, select zonal NEG zonal-neg-a.
    2. Retain the remaining default values, and then click Done.
  6. Configure the second backend:
    1. Click Add backend.
    2. For New backend, select zonal NEG zonal-neg-b.
    3. Retain the remaining default values, and then click Done.
  7. Retain the remaining default values, and then click Save.
  8. In the Google Cloud console, verify that there is a check mark next to Backend configuration. If not, double-check that you have completed all of the steps.

Configure the frontend

  1. Click Frontend configuration.
  2. For Name, enter ext-tcp-forwarding-rule.
  3. For Network Service Tier, select Standard.
  4. For IP address, select ext-tcp-ip-address.
  5. For Port number, enter 9090. The forwarding rule only forwards packets with a matching destination port.
  6. For Proxy protocol, select Off because the PROXY protocol doesn't work with the Apache HTTP Server software. For more information, see PROXY protocol.
  7. Click Done.
  8. In the Google Cloud console, verify that there is a check mark next to Frontend configuration. If not, double-check that you have completed all the previous steps.

Review and finalize

  1. Click Review and finalize.
  2. Double-check your settings.
  3. Click Create.

gcloud

  1. Create a regional health check for the backends:

    gcloud compute health-checks create tcp tcp-health-check \
        --region=REGION_A \
        --use-serving-port
  2. Create a backend service:

    gcloud compute backend-services create external-tcp-proxy-bs \
        --load-balancing-scheme=EXTERNAL_MANAGED \
        --protocol=TCP \
        --region=REGION_A \
        --health-checks=tcp-health-check \
        --health-checks-region=REGION_A
  3. Add the zonal NEG in the ZONE_A zone to the backend service:

    gcloud compute backend-services add-backend external-tcp-proxy-bs \
        --network-endpoint-group=zonal-neg-a \
        --network-endpoint-group-zone=ZONE_A \
        --balancing-mode=CONNECTION \
        --max-connections-per-endpoint=50 \
        --region=REGION_A
  4. Add the zonal NEG in the ZONE_B zone to the backend service:

    gcloud compute backend-services add-backend external-tcp-proxy-bs \
        --network-endpoint-group=zonal-neg-b \
        --network-endpoint-group-zone=ZONE_B \
        --balancing-mode=CONNECTION \
        --max-connections-per-endpoint=50 \
        --region=REGION_A
  5. Create the target TCP proxy:

    gcloud compute target-tcp-proxies create ext-tcp-target-proxy \
        --backend-service=external-tcp-proxy-bs \
        --region=REGION_A
  6. Create the forwarding rule. For --ports, specify a single port number from 1-65535. This example uses port 9090. The forwarding rule only forwards packets with a matching destination port.

    gcloud compute forwarding-rules create ext-tcp-forwarding-rule \
        --load-balancing-scheme=EXTERNAL_MANAGED \
        --network=lb-network \
        --network-tier=STANDARD \
        --address=ext-tcp-ip-address \
        --ports=9090 \
        --region=REGION_A \
        --target-tcp-proxy=ext-tcp-target-proxy \
        --target-tcp-proxy-region=REGION_A

Test your load balancer

Note: It might take a few minutes for the load balancer configuration to propagate after you first deploy it.

Now that you have configured your load balancer, you can test sending traffic to the load balancer's IP address.

  1. Get the load balancer's IP address.

    To get the IPv4 address, run the following command:

    gcloud compute addresses describe ADDRESS_NAME
  2. Send traffic to your load balancer by running the following command. Replace LB_IP_ADDRESS with your load balancer's IPv4 address.

    curl -m1 LB_IP_ADDRESS:9090
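A single curl only proves that the forwarding rule answers. The following script is an added example, not part of the Google Cloud guide: it repeats the request and tallies the "Page served from: <vm>" body that the startup script writes, so you can confirm that endpoints in both zonal-neg-a and zonal-neg-b actually receive traffic and that no endpoint is silently failing its health check. The LB_IP_ADDRESS placeholder, the function names, and the constructed sample responses are this example's own.

```python
import re
import urllib.request
from collections import Counter

# The guide's startup script writes "Page served from: <vm name>" to index.html.
SERVED_FROM = re.compile(r"Page served from:\s*([A-Za-z0-9-]+)")
EXPECTED_BACKENDS = ("vm-a1", "vm-a2", "vm-b1", "vm-b2")  # endpoints of zonal-neg-a and zonal-neg-b

def backend_from_body(body):
    """Return the VM name found in an Apache index page, or None if it is absent."""
    m = SERVED_FROM.search(body)
    return m.group(1) if m else None

def tally(bodies):
    """Count responses per backend; failed or unparseable responses count as 'error'."""
    return Counter(backend_from_body(b) or "error" for b in bodies)

def missing_backends(counts, expected=EXPECTED_BACKENDS):
    """Return the expected backends that never answered; empty means every endpoint was hit."""
    return [v for v in expected if counts.get(v, 0) == 0]

def fetch(lb_ip, port=9090, timeout=1.0):
    """One request with a one-second timeout, like the guide's `curl -m1`; '' on failure."""
    try:
        with urllib.request.urlopen(f"http://{lb_ip}:{port}/", timeout=timeout) as resp:
            return resp.read().decode(errors="replace")
    except OSError:  # covers URLError, connection refused and timeouts
        return ""

def sample(lb_ip, n=40, port=9090):
    """Send n requests to the forwarding rule and return the per-backend tally."""
    return tally(fetch(lb_ip, port) for _ in range(n))

# Constructed responses standing in for live traffic so the tally logic runs offline.
SAMPLE_BODIES = ["Page served from: vm-a1\n", "Page served from: vm-b2\n",
                 "Page served from: vm-a1\n", "", "Page served from: vm-b1\n"]

if __name__ == "__main__":
    counts = sample("LB_IP_ADDRESS")  # placeholder: replace with the reserved IPv4 address
    print(dict(counts), "never answered:", missing_backends(counts))
```

With the constructed responses, vm-a2 is reported as never having answered; against a live deployment, a backend that stays in that list after 40 requests is the one to check for a failed health check or a missing endpoint.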

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.