Set up a regional internal proxy Network Load Balancer with hybrid connectivity

The regional internal proxy Network Load Balancer is a proxy-based regional Layer 4 load balancer that enables you to run and scale your TCP service traffic behind an internal IP address that is accessible only to clients in the same Virtual Private Cloud (VPC) network or clients connected to your VPC network. If you want to make the service available to clients in other VPC networks, you can use Private Service Connect to publish the service.

This page describes how to configure a regional internal proxy Network Load Balancer to load balance traffic to backends on-premises or in other cloud environments that are connected by using hybrid connectivity. Configuring hybrid connectivity to connect your networks to Google Cloud is not in scope for this page.

Overview

In this example, you use the load balancer to distribute TCP traffic across backend VMs located on-premises or in other cloud environments.

In this example, you configure the following deployment:

Figure: Regional internal proxy Network Load Balancer example configuration with hybrid NEG backends.

The regional internal proxy Network Load Balancer is a regional load balancer. All load balancer components (backend NEGs, backend service, target proxy, and forwarding rule) must be in the same region.

Permissions

To set up hybrid load balancing, you must have the following permissions:

  • On Google Cloud

    • Permissions to establish hybrid connectivity between Google Cloud and your on-premises environment or other cloud environments. For the list of permissions needed, see the relevant Network Connectivity product documentation.
    • Permissions to create a hybrid connectivity NEG and the load balancer. The Compute Load Balancer Admin role (roles/compute.loadBalancerAdmin) contains the permissions required to perform the tasks described in this guide.
  • On your on-premises environment or other non-Google Cloud cloud environment

    • Permissions to configure network endpoints that allow services on your on-premises environment or other cloud environments to be reachable from Google Cloud by using an IP:Port combination. For more information, contact your environment's network administrator.
    • Permissions to create firewall rules on your on-premises environment or other cloud environments to allow the load balancer's health check probes, which originate from the proxy-only subnet, to reach the endpoints.

Additionally, to complete the instructions on this page, you need to create a hybrid connectivity NEG and a load balancer, and, if you also want Google Cloud-based backends for the load balancer, zonal NEGs and their endpoints.

You should be either a project Owner or Editor, or you should have the following Compute Engine IAM roles:

  • Create networks, subnets, and load balancer components: Compute Network Admin (roles/compute.networkAdmin)
  • Add and remove firewall rules: Compute Security Admin (roles/compute.securityAdmin)
  • Create instances: Compute Instance Admin (roles/compute.instanceAdmin)

Optional: Use BYOIP addresses

With bring your own IP (BYOIP), you can import your own public addresses to Google Cloud to use the addresses with Google Cloud resources. For example, if you import your own IPv4 addresses, you can assign one to the forwarding rule when you configure your load balancer. When you follow the instructions in this document to reserve the load balancer's IP address, provide the BYOIP address as the IP address.

For more information about using BYOIP, see Bring your own IP addresses.

Establish hybrid connectivity

Your Google Cloud and on-premises environment or other cloud environments must be connected through hybrid connectivity by using either Cloud Interconnect VLAN attachments or Cloud VPN tunnels with Cloud Router or Router appliance VMs. We recommend that you use a high availability connection.

A Cloud Router enabled with global dynamic routing learns about the specific endpoint through Border Gateway Protocol (BGP) and programs it into your Google Cloud VPC network. Regional dynamic routing is not supported. Static routes are also not supported.

You can use either the same network or a different VPC network within the same project to configure both hybrid networking (Cloud Interconnect, Cloud VPN, or a Router appliance VM) and the load balancer. Note the following:

  • If you use different VPC networks, the two networks must be connected using VPC Network Peering, or they must be VPC spokes on the same Network Connectivity Center (NCC) hub.

  • If you use the same VPC network, ensure that your VPC network's subnet CIDR ranges don't conflict with your remote CIDR ranges. When IP addresses overlap, subnet routes are prioritized over remote connectivity, so traffic destined for an overlapping on-premises range is delivered within the VPC network instead of to your endpoints.

For instructions, see the Cloud Interconnect, Cloud VPN, and Router appliance documentation.

Important: Don't proceed with the instructions on this page until you set up hybrid connectivity between your environments.

Set up your environment that is outside Google Cloud

Perform the following steps to set up your on-premises environment or other cloud environment for hybrid load balancing:

  • Configure network endpoints to expose on-premises services to Google Cloud (IP:Port).
  • Configure firewall rules on your on-premises environment or other cloud environment.
  • Configure Cloud Router to advertise certain required routes to your private environment.

Set up network endpoints

After you set up hybrid connectivity, you configure one or more network endpoints within your on-premises environment or other cloud environments that are reachable through Cloud Interconnect, Cloud VPN, or Router appliance by using an IP:port combination. This IP:port combination is configured as one or more endpoints for the hybrid connectivity NEG that is created in Google Cloud later on in this process.

If there are multiple paths to the IP endpoint, routing follows the behavior described in the Cloud Router overview.

Set up firewall rules

The following firewall rules must be created on your on-premises environment or other cloud environment:

  • Create an ingress allow firewall rule in on-premises or other cloud environments to allow traffic from the region's proxy-only subnet to reach the endpoints. Both the proxied client connections and the health check probes for hybrid NEG backends originate from this range.
  • Allowing traffic from Google's health check probe ranges isn't required for hybrid NEGs. However, if you're using a combination of hybrid and zonal NEGs in a single backend service, you need to allow traffic from the Google health check probe ranges for the zonal NEGs.

Advertise routes

Configure Cloud Router to advertise the following custom IP ranges to your on-premises environment or other cloud environment:

  • The range of the region's proxy-only subnet. Without this advertisement, your on-premises network has no route back to the Envoy proxies, and return traffic for the proxied connections is dropped.
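The overlap caveat in Establish hybrid connectivity and the firewall requirement in this section can both be checked mechanically before anything is created. The following POSIX shell script is an added example, not code from the Google Cloud documentation: it checks that a candidate proxy-only subnet range does not overlap any remote range reached through hybrid connectivity (subnet routes take priority, so an overlap would silently divert traffic away from the on-premises endpoints), and it emits the on-premises ingress rules that admit the proxy-only range, which is the source of both the proxied client connections and the health check probes for hybrid NEG backends. The ranges, endpoint address and ports are constructed sample values, and the iptables rule format is an assumption about the on-premises firewall.

```sh
#!/bin/sh
# Pre-flight checks for a hybrid NEG deployment (added example, not from the
# Google Cloud documentation). IPv4 only; portable POSIX sh arithmetic.
set -eu

# ip4_to_int DOTTED_QUAD -> prints the address as a 32-bit unsigned integer.
ip4_to_int() {
  IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
  echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# cidr_overlaps A/LEN B/LEN -> returns 0 if the two prefixes share any address.
# Two prefixes overlap exactly when they agree on the shorter prefix length.
cidr_overlaps() {
  ca_int=$(ip4_to_int "${1%/*}"); ca_len=${1#*/}
  cb_int=$(ip4_to_int "${2%/*}"); cb_len=${2#*/}
  if [ "$ca_len" -lt "$cb_len" ]; then c_min=$ca_len; else c_min=$cb_len; fi
  if [ "$c_min" -eq 0 ]; then return 0; fi   # 0.0.0.0/0 overlaps everything
  c_mask=$(( (0xFFFFFFFF << (32 - c_min)) & 0xFFFFFFFF ))
  [ $(( ca_int & c_mask )) -eq $(( cb_int & c_mask )) ]
}

# check_no_overlap PROXY_ONLY_SUBNET_RANGE REMOTE_RANGE... -> reports every
# remote range that overlaps the proxy-only range on stderr; returns 1 if any.
check_no_overlap() {
  proxy_range=$1; shift
  conflicts=0
  for remote in "$@"; do
    if cidr_overlaps "$proxy_range" "$remote"; then
      echo "CONFLICT: proxy-only subnet $proxy_range overlaps remote range $remote" >&2
      conflicts=$(( conflicts + 1 ))
    fi
  done
  [ "$conflicts" -eq 0 ]
}

# onprem_allow_rules PROXY_ONLY_SUBNET_RANGE ENDPOINT_IP PORT... -> prints one
# iptables INPUT rule per endpoint port, sourced from the proxy-only range.
# The Envoy proxies (data plane and health check probes) are the only Google
# Cloud source that must reach a hybrid NEG endpoint; Google's public health
# check probe ranges are not needed for hybrid NEGs. The iptables syntax is an
# assumption about the on-premises firewall.
onprem_allow_rules() {
  rule_src=$1; rule_dst=$2; shift 2
  for rule_port in "$@"; do
    printf 'iptables -A INPUT -p tcp -s %s -d %s --dport %s -j ACCEPT\n' \
      "$rule_src" "$rule_dst" "$rule_port"
  done
}

# Constructed sample values (not from the documentation).
PROXY_ONLY_SUBNET_RANGE=10.129.0.0/23
ENDPOINT_IP=192.168.10.25

if check_no_overlap "$PROXY_ONLY_SUBNET_RANGE" 192.168.10.0/24 172.16.0.0/12; then
  echo "OK: $PROXY_ONLY_SUBNET_RANGE does not overlap the remote ranges"
fi
# 10.128.0.0/9 contains the proxy-only range, so this one reports a conflict.
if ! check_no_overlap "$PROXY_ONLY_SUBNET_RANGE" 10.128.0.0/9; then
  echo "fix the proxy-only range or the remote range before continuing"
fi
onprem_allow_rules "$PROXY_ONLY_SUBNET_RANGE" "$ENDPOINT_IP" 8080 8443
```

Run the script with your real proxy-only range and the full list of CIDR ranges that your Cloud Router learns over BGP; any CONFLICT line means the proxy-only subnet must be moved before the load balancer is built, because a conflicting subnet route cannot be overridden later.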

Set up your Google Cloud environment

For the following steps, make sure you use the same VPC network (called NETWORK in this procedure) that was used to configure hybrid connectivity between the environments. You can select any subnet from this network to reserve the load balancer's IP address and create the load balancer. This subnet is referred to as LB_SUBNET in this procedure.

Additionally, make sure the region used (called REGION in this procedure) is the same as that used to create the Cloud VPN tunnel or Cloud Interconnect VLAN attachment.

Configure the proxy-only subnet

A proxy-only subnet provides a set of IP addresses that Google uses to run Envoy proxies on your behalf. The proxies terminate connections from the client and create new connections to the backends.

The proxy-only subnet is used by all Envoy-based regional load balancers in the REGION region of the NETWORK VPC network.

There can only be one active proxy-only subnet per region, per VPC network. You can skip this step if there's already a proxy-only subnet in this region.

Console

If you're using the Google Cloud console, you can wait and create the proxy-only subnet later on the Load balancing page.

If you want to create the proxy-only subnet now, use the following steps:

  1. In the Google Cloud console, go to the VPC networks page.

  2. Go to the network that was used to configure hybrid connectivity between the environments.

  3. Click Add subnet.

  4. Enter a Name: PROXY_ONLY_SUBNET_NAME.

  5. Select a Region: REGION.

  6. Set Purpose to Regional Managed Proxy.

  7. Enter an IP address range: PROXY_ONLY_SUBNET_RANGE.

  8. Click Add.

gcloud

Create the proxy-only subnet with the gcloud compute networks subnets create command.

    gcloud compute networks subnets create PROXY_ONLY_SUBNET_NAME \
        --purpose=REGIONAL_MANAGED_PROXY \
        --role=ACTIVE \
        --region=REGION \
        --network=NETWORK \
        --range=PROXY_ONLY_SUBNET_RANGE

Reserve the load balancer's IP address

By default, one IP address is used for each forwarding rule. You can reserve a shared IPv4 address, which lets you use the same IPv4 address with multiple forwarding rules. However, if you want to use Private Service Connect to publish the load balancer, then do not use a shared IPv4 address for the forwarding rule.

To reserve a static internal IPv4 address for your load balancer, see Reserve a new static internal IPv4 or IPv6 address.

Note: You cannot reserve a shared static internal IPv6 address.

Set up the hybrid connectivity NEG

When creating the NEG, use a ZONE that minimizes the geographic distance between Google Cloud and your on-premises or other cloud environment. For example, if you are hosting a service in an on-premises environment in Frankfurt, Germany, you can specify the europe-west3-a Google Cloud zone when you create the NEG.

Moreover, the ZONE used to create the NEG should be in the same region where the Cloud VPN tunnel or Cloud Interconnect VLAN attachment were configured for hybrid connectivity.

For the available regions and zones, see the Compute Engine documentation: Available regions and zones.

Console

Note: You can either create the hybrid connectivity NEG now, or you can wait to create it while configuring the load balancer's backend.

To create a hybrid connectivity NEG:

  1. In the Google Cloud console, go to the Network endpoint groups page.

  2. Click Create network endpoint group.

  3. Enter a Name for the hybrid NEG. It is referred to as HYBRID_NEG_NAME in this procedure.

  4. Select the Network endpoint group type: Hybrid connectivity network endpoint group (Zonal).

  5. Select the Network: NETWORK.

  6. Select the Subnet: LB_SUBNET.

  7. Select the Zone: HYBRID_NEG_ZONE.

  8. Enter the Default port.

  9. Click Create.

Add endpoints to the hybrid connectivity NEG:

  1. In the Google Cloud console, go to the Network endpoint groups page.

  2. Click the Name of the network endpoint group created in the previous step (HYBRID_NEG_NAME). You see the Network endpoint group details page.

  3. In the Network endpoints in this group section, click Add network endpoint. You see the Add network endpoint page.

  4. Enter the IP address of the new network endpoint.

  5. Select the Port type.

    1. If you select Default, the endpoint uses the default port for all endpoints in the network endpoint group.
    2. If you select Custom, you can enter a different Port number for the endpoint to use.
  6. To add more endpoints, click Add network endpoint and repeat the previous steps.

  7. After you add all the non-Google Cloud endpoints, click Create.

gcloud

  1. Create a hybrid connectivity NEG using the gcloud compute network-endpoint-groups create command.

    gcloud compute network-endpoint-groups create HYBRID_NEG_NAME \
        --network-endpoint-type=NON_GCP_PRIVATE_IP_PORT \
        --zone=HYBRID_NEG_ZONE \
        --network=NETWORK

  2. Add the on-premises IP:Port endpoint to the hybrid NEG:

    gcloud compute network-endpoint-groups update HYBRID_NEG_NAME \
        --zone=HYBRID_NEG_ZONE \
        --add-endpoint="ip=ENDPOINT_IP_ADDRESS,port=ENDPOINT_PORT"

You can use this command to add the network endpoints you previously configured on-premises or in your cloud environment. Repeat --add-endpoint as many times as needed.

You can repeat these steps to create multiple hybrid NEGs if needed.

Configure the load balancer

Console

Start your configuration

  1. In the Google Cloud console, go to the Load balancing page.

  2. Click Create load balancer.
  3. For Type of load balancer, select Network Load Balancer (TCP/UDP/SSL) and click Next.
  4. For Proxy or passthrough, select Proxy load balancer and click Next.
  5. For Public facing or internal, select Internal and click Next.
  6. For Cross-region or single region deployment, select Best for regional workloads and click Next.
  7. Click Configure.

Basic configuration

  1. Enter a Name for the load balancer.
  2. Select the Region: REGION.
  3. Select the Network: NETWORK.

Reserve a proxy-only subnet

Note: If you already created the proxy-only subnet, the Reserve subnet button isn't displayed. You can skip this section and continue with the steps in the Backend configuration section.

To reserve a proxy-only subnet:

  1. Click Reserve subnet.
  2. Enter the Name: PROXY_ONLY_SUBNET_NAME.
  3. Enter an IP address range: PROXY_ONLY_SUBNET_RANGE.
  4. Click Add.

Backend configuration

  1. Click Backend configuration.
  2. For Backend type, select Hybrid connectivity network endpoint group (Zonal).
  3. For Protocol, select TCP.
  4. In the Health check list, click Create a health check, and then enter the following information:
    1. In the Name field, enter a name for the health check.
    2. In the Protocol list, select TCP.
    3. In the Port field, enter the port on which your on-premises endpoints accept connections (this example uses 80).
  5. Click Create.
  6. Under New backend, select the hybrid NEG created previously: HYBRID_NEG_NAME. Or, you can click Create a network endpoint group to create the hybrid NEG now. For guidance on configuring the NEG, see Set up the hybrid connectivity NEG.
  7. Retain the remaining default values and click Done.
  8. In the Google Cloud console, verify that there is a check mark next to Backend configuration. If not, double-check that you have completed all of the steps.

Frontend configuration

  1. Click Frontend configuration.
  2. Enter a Name for the forwarding rule.
  3. For Subnetwork, select LB_SUBNET.
  4. For IP address, select LB_IP_ADDRESS.
  5. For Port number, enter any port number from 1-65535. The forwarding rule only forwards packets with a matching destination port.
  6. Enable Proxy Protocol only if it works with the service running on your on-premises or other cloud endpoints. With PROXY protocol enabled, the proxy prepends a header carrying the original client address to each backend connection, and a service that does not parse that header sees it as malformed application data. For example, PROXY protocol doesn't work with the Apache HTTP Server software. For more information, see Proxy protocol.
  7. Click Done.
  8. In the Google Cloud console, verify that there is a check mark next to Frontend configuration. If not, double-check that you have completed all the previous steps.

Review and finalize

  1. Click Review and finalize.
  2. Double-check your settings.
  3. Click Create.

gcloud

  1. Create a regional health check for the backends.

    gcloud compute health-checks create tcp TCP_HEALTH_CHECK_NAME \
        --region=REGION \
        --use-serving-port

    Health check probes for hybrid NEG backends originate from Envoy proxies in the proxy-only subnet, so the on-premises firewall rule that admits the proxy-only range also admits the probes. With --use-serving-port, each endpoint is probed on the port configured for it in the NEG.

  2. Create a backend service.

    gcloud compute backend-services create BACKEND_SERVICE_NAME \
        --load-balancing-scheme=INTERNAL_MANAGED \
        --protocol=TCP \
        --region=REGION \
        --health-checks=TCP_HEALTH_CHECK_NAME \
        --health-checks-region=REGION

  3. Add the hybrid NEG backend to the backend service.

    gcloud compute backend-services add-backend BACKEND_SERVICE_NAME \
        --network-endpoint-group=HYBRID_NEG_NAME \
        --network-endpoint-group-zone=HYBRID_NEG_ZONE \
        --region=REGION \
        --balancing-mode=CONNECTION \
        --max-connections=MAX_CONNECTIONS

    For MAX_CONNECTIONS, enter the maximum number of concurrent connections that the backend should handle.

  4. Create the target TCP proxy.

    gcloud compute target-tcp-proxies create TARGET_TCP_PROXY_NAME \
        --backend-service=BACKEND_SERVICE_NAME \
        --region=REGION

  5. Create the forwarding rule.

    Create the forwarding rule using the gcloud compute forwarding-rules create command.

    Replace FWD_RULE_PORT with a single port number from 1-65535. The forwarding rule only forwards packets with a matching destination port.

    gcloud compute forwarding-rules create FORWARDING_RULE \
        --load-balancing-scheme=INTERNAL_MANAGED \
        --network=NETWORK \
        --subnet=LB_SUBNET \
        --address=LB_IP_ADDRESS \
        --ports=FWD_RULE_PORT \
        --region=REGION \
        --target-tcp-proxy=TARGET_TCP_PROXY_NAME \
        --target-tcp-proxy-region=REGION

Test the load balancer

To test the load balancer, create a client VM in the same region as the load balancer. Then send traffic from the client to the load balancer.

Create a client VM

Create a client VM (client-vm) in the same region as the load balancer.

Console

  1. In the Google Cloud console, go to the VM instances page.

  2. Click Create instance.

  3. Set Name to client-vm.

  4. Set Zone to CLIENT_VM_ZONE.

  5. Click Advanced options.

  6. Click Networking and configure the following fields:

    1. For Network tags, enter allow-ssh.
    2. For Network interfaces, select the following:
      • Network: NETWORK
      • Subnet: LB_SUBNET
  7. Click Create.

gcloud

The client VM must be in the same VPC network and region as the load balancer. It doesn't need to be in the same subnet or zone. In this example, the client is placed in LB_SUBNET, the same subnet used for the load balancer's forwarding rule.

    gcloud compute instances create client-vm \
        --zone=CLIENT_VM_ZONE \
        --image-family=debian-12 \
        --image-project=debian-cloud \
        --tags=allow-ssh \
        --subnet=LB_SUBNET

Allow SSH traffic to the test VM

In this example, you create the following firewall rule:

  • fw-allow-ssh: An ingress rule that allows incoming SSH connectivity on TCP port 22 from any address. You can choose a more restrictive source IP range for this rule; for example, you can specify just the IP ranges of the systems from which you will initiate SSH sessions. This example uses the target tag allow-ssh to identify the test client VM to which it should apply.

Console

  1. In the Google Cloud console, go to the Firewall policies page.
  2. Click Create firewall rule to create the rule to allow incoming SSH connections:
    1. Name: fw-allow-ssh
    2. Network: NETWORK
    3. Priority: 1000
    4. Direction of traffic: ingress
    5. Action on match: allow
    6. Targets: Specified target tags
    7. Target tags: allow-ssh
    8. Source filter: IPv4 ranges
    9. Source IPv4 ranges: 0.0.0.0/0
    10. Protocols and ports: Choose Specified protocols and ports, and then enter tcp:22.
    11. Click Create.

gcloud

  1. Create the fw-allow-ssh firewall rule to allow SSH connectivity to VMs with the network tag allow-ssh. The source range is stated explicitly here; when omitted it defaults to 0.0.0.0/0, so narrow it to the addresses you connect from where you can.

    gcloud compute firewall-rules create fw-allow-ssh \
        --network=NETWORK \
        --action=allow \
        --direction=ingress \
        --target-tags=allow-ssh \
        --source-ranges=0.0.0.0/0 \
        --rules=tcp:22

Send traffic to the load balancer

Note: It might take a few minutes for the load balancer configuration to propagate after you first deploy it.

Now that you have configured your load balancer, you can test sending traffic to the load balancer's IP address.

  1. Connect via SSH to the client instance.

    gcloud compute ssh client-vm \
        --zone=CLIENT_VM_ZONE

  2. Verify that the load balancer forwards traffic to the hybrid endpoints as expected.

    1. Use the compute addresses describe command to view the load balancer's IP address:

      gcloud compute addresses describe LB_IP_ADDRESS \
          --region=REGION

      Make a note of the IP address.

    2. Send traffic to the load balancer on the IP address and port specified when creating the load balancer forwarding rule. Testing whether the hybrid NEG backends are responding to requests depends on the service running on the non-Google Cloud endpoints.
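A repeatable probe for the last step, as an added example that is not part of the Google Cloud documentation: run from client-vm, it attempts a TCP handshake with the forwarding rule's address and port a number of times and summarizes the outcome. The host, port and attempt count are whatever you pass as arguments; they are placeholders, not values from this page. Because the regional internal proxy Network Load Balancer terminates the client connection at the Envoy proxies, a completed handshake shows that the forwarding rule and proxies are reachable, not that an on-premises endpoint is healthy. Check endpoint health separately with gcloud compute backend-services get-health BACKEND_SERVICE_NAME --region=REGION, and with an application-level request if the service supports one.

```sh
#!/bin/sh
# TCP handshake probe for the forwarding rule, run from client-vm.
# Added example, not from the Google Cloud documentation. The connect itself
# uses bash's /dev/tcp and the coreutils `timeout` command; the wrapper is
# POSIX sh so it runs under whichever shell the client VM offers.
set -eu

# tcp_connect HOST PORT [TIMEOUT_S] -> 0 if a TCP handshake completes within
# TIMEOUT_S seconds (default 3). Host and port are passed as positional
# arguments to the inner bash, never interpolated into the command string.
tcp_connect() {
  timeout "${3:-3}" bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null
}

# probe_summary HOST PORT ATTEMPTS [TIMEOUT_S] -> prints "ok=N fail=M" and
# returns 0 only if every attempt connected.
probe_summary() {
  ps_host=$1; ps_port=$2; ps_attempts=$3; ps_secs=${4:-3}
  ps_ok=0; ps_fail=0; ps_i=0
  while [ "$ps_i" -lt "$ps_attempts" ]; do
    if tcp_connect "$ps_host" "$ps_port" "$ps_secs"; then
      ps_ok=$(( ps_ok + 1 ))
    else
      ps_fail=$(( ps_fail + 1 ))
    fi
    ps_i=$(( ps_i + 1 ))
  done
  echo "ok=$ps_ok fail=$ps_fail"
  [ "$ps_fail" -eq 0 ]
}

# Usage on client-vm: sh probe.sh LB_IP FWD_RULE_PORT [ATTEMPTS]
# LB_IP is the address printed by `gcloud compute addresses describe` and
# FWD_RULE_PORT is the port of the forwarding rule (placeholders).
if [ "$#" -ge 2 ]; then
  probe_summary "$1" "$2" "${3:-10}"
fi
```

A run that reports only failures from client-vm usually points at the forwarding rule or the firewall between the client and the load balancer; a run that connects every time while the service still does not answer points at the hybrid path (endpoint health, the on-premises firewall rule for the proxy-only range, or the missing route advertisement back to that range).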

Optional: Publish the service by using Private Service Connect

A regional internal proxy Network Load Balancer with hybrid connectivity lets you make a service that is hosted in on-premises or other cloud environments available to clients in your VPC network.

If you want to make the hybrid service available in other VPC networks, you can use Private Service Connect to publish the service. By placing a service attachment in front of your regional internal proxy Network Load Balancer, you can let clients in other VPC networks reach the hybrid services running in on-premises or other cloud environments.

Figure: Using Private Service Connect to publish a hybrid service.


Last updated 2026-02-19 UTC.