gcloud compute forwarding-rules create - create a forwarding rule to direct network traffic to a load balancer

gcloud compute forwarding-rules createNAME(--backend-service=BACKEND_SERVICE    |--target-google-apis-bundle=TARGET_GOOGLE_APIS_BUNDLE    |--target-grpc-proxy=TARGET_GRPC_PROXY    |--target-http-proxy=TARGET_HTTP_PROXY    |--target-https-proxy=TARGET_HTTPS_PROXY    |--target-instance=TARGET_INSTANCE    |--target-pool=TARGET_POOL    |--target-service-attachment=TARGET_SERVICE_ATTACHMENT    |--target-ssl-proxy=TARGET_SSL_PROXY    |--target-tcp-proxy=TARGET_TCP_PROXY    |--target-vpn-gateway=TARGET_VPN_GATEWAY)[--address=ADDRESS][--allow-global-access][--allow-psc-global-access][--description=DESCRIPTION][--disable-automate-dns-zone][--ip-collection=IP_COLLECTION][--ip-collection-region=IP_COLLECTION_REGION][--ip-protocol=IP_PROTOCOL][--ip-version=IP_VERSION][--is-mirroring-collector][--load-balancing-scheme=LOAD_BALANCING_SCHEME][--network=NETWORK][--network-tier=NETWORK_TIER][--service-directory-registration=SERVICE_DIRECTORY_REGISTRATION][--service-label=SERVICE_LABEL][--source-ip-ranges=SOURCE_IP_RANGE,[…]][--subnet=SUBNET][--subnet-region=SUBNET_REGION][--target-instance-zone=TARGET_INSTANCE_ZONE][--target-pool-region=TARGET_POOL_REGION][--target-service-attachment-region=TARGET_SERVICE_ATTACHMENT_REGION][--target-vpn-gateway-region=TARGET_VPN_GATEWAY_REGION][--address-region=ADDRESS_REGION    |--global-address][--backend-service-region=BACKEND_SERVICE_REGION    |--global-backend-service][--global    |--region=REGION][--global-target-http-proxy    |--target-http-proxy-region=TARGET_HTTP_PROXY_REGION][--global-target-https-proxy    |--target-https-proxy-region=TARGET_HTTPS_PROXY_REGION][--global-target-tcp-proxy    |--target-tcp-proxy-region=TARGET_TCP_PROXY_REGION][--port-range=[PORT |START_PORT-END_PORT]    |--ports=ALL    | [PORT |START_PORT-END_PORT],[…]][GCLOUD_WIDE_FLAG …]

Forwarding rules can be either global or regional, specified with the--global or--region=REGION flags. For more informationabout the scope of a forwarding rule, refer tohttps://cloud.google.com/load-balancing/docs/forwarding-rule-concepts.

Forwarding rules can be external, internal, internal managed, or internalself-managed, specified with the--load-balancing-scheme=[EXTERNAL|EXTERNAL_MANAGED|INTERNAL|INTERNAL_MANAGED|INTERNAL_SELF_MANAGED]flag. External forwarding rules are accessible from the internet, while internalforwarding rules are only accessible from within their VPC networks. You canspecify a reserved static external or internal IP address with the--address=ADDRESS flag for the forwardingrule. Otherwise, if the flag is unspecified, an ephemeral IP address isautomatically assigned (global IP addresses for global forwarding rules andregional IP addresses for regional forwarding rules); an internal forwardingrule is automatically assigned an ephemeral internal IP address from the subnetspecified with the--subnet flag. You mustprovide an IP address for an internal self-managed forwarding rule.

Different types of load balancers work at different layers of the OSI networkingmodel (http://en.wikipedia.org/wiki/Network_layer). Layer 3/4 targets includetarget pools, target SSL proxies, target TCP proxies, and backend services.Layer 7 targets include target HTTP proxies and target HTTPS proxies. For moreinformation, refer tohttps://cloud.google.com/load-balancing/docs/forwarding-rule-concepts.When creating a forwarding rule, exactly one of--target-instance,--target-pool,--target-http-proxy,--target-https-proxy,--target-grpc-proxy,--target-ssl-proxy,--target-tcp-proxy,--target-vpn-gateway,--backend-service or--target-google-apis-bundle must bespecified.

gcloudcomputeforwarding-rulescreateRULE_NAME--global--target-http-proxy=PROXY--ports=8080--address=ADDRESS

To create a regional forwarding rule for the subnet SUBNET_NAME on the defaultnetwork that will forward all traffic on ports 80-82 to a backend serviceSERVICE_NAME, run:

gcloudcomputeforwarding-rulescreateRULE_NAME--load-balancing-scheme=INTERNAL--backend-service=SERVICE_NAME--subnet=SUBNET_NAME--network=default--region=REGION--ports=80-82

NAME

Name of the forwarding rule to create.

Exactly one of these must be specified:

--backend-service=BACKEND_SERVICE

Target backend service that receives the traffic.

--target-google-apis-bundle=TARGET_GOOGLE_APIS_BUNDLE

Target bundle of Google APIs that will receive forwarded traffic via PrivateService Connect. Acceptable values are all-apis, meaning all Google APIs, orvpc-sc, meaning just the APIs that support VPC Service Controls

--target-grpc-proxy=TARGET_GRPC_PROXY

Target gRPC proxy that receives the traffic.

--target-http-proxy=TARGET_HTTP_PROXY

Target HTTP proxy that receives the traffic. For the acceptable ports, seePortspecifications.

--target-https-proxy=TARGET_HTTPS_PROXY

Target HTTPS proxy that receives the traffic. For the acceptable ports, seePortspecifications.

--target-instance=TARGET_INSTANCE

Name of the target instance that receives the traffic. The target instance mustbe in a zone in the forwarding rule's region. Global forwarding rules cannotdirect traffic to target instances. If not specified and thecompute/zone property isn't set, you mightbe prompted to select a zone (interactive mode only).

To avoid prompting when this flag is omitted, you can set thecompute/zone property:

gcloudconfigsetcompute/zoneZONE

A list of zones can be fetched by running:

gcloudcomputezoneslist

To unset the property, run:

gcloudconfigunsetcompute/zone

Alternatively, the zone can be stored in the environment variableCLOUDSDK_COMPUTE_ZONE.

--target-pool=TARGET_POOL

Target pool that receives the traffic. The target pool must be in the sameregion as the forwarding rule. Global forwarding rules cannot direct traffic totarget pools.

--target-service-attachment=TARGET_SERVICE_ATTACHMENT

Target service attachment that receives the traffic. The target serviceattachment must be in the same region as the forwarding rule.

--target-ssl-proxy=TARGET_SSL_PROXY

Target SSL proxy that receives the traffic. For the acceptable ports, seePortspecifications.

--target-tcp-proxy=TARGET_TCP_PROXY

Target TCP proxy that receives the traffic. For the acceptable ports, seePortspecifications.

--target-vpn-gateway=TARGET_VPN_GATEWAY

Target VPN gateway (Cloud VPN Classic gateway) that receives forwarded traffic.Acceptable values for --ports flag are: 500, 4500.

--address=ADDRESS

The IP address that the forwarding rule serves. When a client sends traffic tothis IP address, the forwarding rule directs the traffic to the target that youspecify in the forwarding rule.

If you don't specify a reserved IP address, an ephemeral IP address is assigned.You can specify the IP address as a literal IP address or as a reference to anexisting Address resource. The following examples are all valid:

• 100.1.2.3
• 2600:1901::/96
• https://compute.googleapis.com/compute/v1/projects/project-1/regions/us-central1/addresses/address-1
• projects/project-1/regions/us-central1/addresses/address-1
• regions/us-central1/addresses/address-1
• global/addresses/address-1
• address-1

The load-balancing-scheme (EXTERNAL, EXTERNAL_MANAGED, INTERNAL,INTERNAL_SELF_MANAGED, INTERNAL_MANAGED) and the target of the forwarding ruledetermine the type of IP address that you can use. The address type must beexternal for load-balancing-scheme EXTERNAL or EXTERNAL_MANAGED. For otherload-balancing-schemes, the address type must be internal. For detailedinformation, refer tohttps://cloud.google.com/load-balancing/docs/forwarding-rule-concepts#ip_address_specifications.

--allow-global-access

If True, then clients from all regions can access this internal forwarding rule.This can only be specified for forwarding rules with the LOAD_BALANCING_SCHEMEset to INTERNAL or INTERNAL_MANAGED. For forwarding rules of type INTERNAL, thetarget must be either a backend service or a target instance.

--allow-psc-global-access

If specified, clients from all regions can access this Private Service Connectforwarding rule. This can only be specified if the forwarding rule's target is aservice attachment (--target-service-attachment).

--description=DESCRIPTION

Optional textual description for the forwarding rule.

--disable-automate-dns-zone

If specified, then a DNS zone will not be auto-generated for this PrivateService Connect forwarding rule. This can only be specified if the forwardingrule's target is a service attachment(--target-service-attachment=SERVICE_ATTACHMENT) or Google APIsbundle (--target-google-apis-bundle=API_BUNDLE)

--ip-collection=IP_COLLECTION

Resource reference to a public delegated prefix. The PublicDelegatedPrefix (PDP)must be a sub-prefix in EXTERNAL_IPV6_FORWARDING_RULE_CREATION mode.

--ip-collection-region=IP_COLLECTION_REGION

Region of the public delegated prefix to operate on. If not specified, theregion is set to the region of the forwarding rule. Overrides the defaultcompute/region property value for this command invocation.

--ip-protocol=IP_PROTOCOL

IP protocol that the rule will serve. The default isTCP.

Note that if the load-balancing scheme isINTERNAL, the protocolmust be one of:TCP,UDP,L3_DEFAULT.

For a load-balancing scheme that isEXTERNAL, all IP_PROTOCOLoptions are valid.

IP_PROTOCOL must be one of:AH,ESP,ICMP,SCTP,TCP,UDP,L3_DEFAULT.

--ip-version=IP_VERSION

Version of the IP address to be allocated or assigned. The default is IPv4.IP_VERSION must be one of:IPV4,IPV6.

--is-mirroring-collector

If set, this forwarding rule can be used as a collector for packet mirroring.This can only be specified for forwarding rules with the LOAD_BALANCING_SCHEMEset to INTERNAL.

--load-balancing-scheme=LOAD_BALANCING_SCHEME

This defines the forwarding rule's load balancing scheme. Note that it defaultsto EXTERNAL and is not applicable for Private Service Connect forwarding rules.LOAD_BALANCING_SCHEME must be one of:

EXTERNAL

Classic Application Load Balancers, global external proxy Network LoadBalancers, external passthrough Network Load Balancers or protocol forwarding,used with one of --target-http-proxy, --target-https-proxy, --target-tcp-proxy,--target-ssl-proxy, --target-pool, --target-vpn-gateway, --target-instance.

EXTERNAL_MANAGED

Global and regional external Application Load Balancers, and regional externalproxy Network Load Balancers, used with --target-http-proxy,--target-https-proxy, --target-tcp-proxy.

INTERNAL

Internal passthrough Network Load Balancers or protocol forwarding, used with--backend-service.

INTERNAL_MANAGED

Internal Application Load Balancers and internal proxy Network Load Balancers,used with --target-http-proxy, --target-https-proxy, --target-tcp-proxy.

INTERNAL_SELF_MANAGED

Traffic Director, used with --target-http-proxy, --target-https-proxy,--target-grpc-proxy, --target-tcp-proxy.

--network=NETWORK

(Only for --load-balancing-scheme=INTERNAL or--load-balancing-scheme=INTERNAL_SELF_MANAGED or--load-balancing-scheme=EXTERNAL_MANAGED (regional) or--load-balancing-scheme=INTERNAL_MANAGED) Network that this forwarding ruleapplies to. If this field is not specified, the default network is used. In theabsence of the default network, this field must be specified.

--network-tier=NETWORK_TIER

Network tier to assign to the forwarding rules.NETWORK_TIER must be one of:PREMIUM,STANDARD. The default value isPREMIUM.

--service-directory-registration=SERVICE_DIRECTORY_REGISTRATION

The Service Directory service in which to register this forwarding rule as anendpoint. The Service Directory service must be in the same project and regionas the forwarding rule you are creating.

--service-label=SERVICE_LABEL

(Only for Internal Load Balancing):https://cloud.google.com/load-balancing/docs/dns-names/The DNS label to use as the prefix of the fully qualified domain name for thisforwarding rule. The full name will be internally generated and output asdnsName. If this field is not specified, no DNS record will be generated and noDNS name will be output. You cannot use the--service-label flag ifthe forwarding rule references an internal IP address that has the--purpose=SHARED_LOADBALANCER_VIP flag set.

--source-ip-ranges=SOURCE_IP_RANGE,[…]

List of comma-separated IP addresses or IP ranges. If set, this forwarding ruleonly forwards traffic when the packet's source IP address matches one of the IPranges set here.

--subnet=SUBNET

(Only for --load-balancing-scheme=INTERNAL and--load-balancing-scheme=INTERNAL_MANAGED) Subnetwork that this forwarding ruleapplies to. If the network is auto mode, this flag is optional. If the networkis custom mode, this flag is required.

--subnet-region=SUBNET_REGION

Region of the subnetwork to operate on. If not specified, the region is set tothe region of the forwarding rule. Overrides the defaultcompute/region property value for this command invocation.

--target-instance-zone=TARGET_INSTANCE_ZONE

Zone of the target instance to operate on. Overrides the defaultcompute/zone property value for this command invocation.

--target-pool-region=TARGET_POOL_REGION

Region of the target pool to operate on. If not specified, the region is set tothe region of the forwarding rule. Overrides the defaultcompute/region property value for this command invocation.

--target-service-attachment-region=TARGET_SERVICE_ATTACHMENT_REGION

Region of the target service attachment to operate on. If not specified, youmight be prompted to select a region (interactive mode only).

To avoid prompting when this flag is omitted, you can set thecompute/region property:

gcloudconfigsetcompute/regionREGION

A list of regions can be fetched by running:

gcloudcomputeregionslist

To unset the property, run:

gcloudconfigunsetcompute/region

Alternatively, the region can be stored in the environment variableCLOUDSDK_COMPUTE_REGION.

--target-vpn-gateway-region=TARGET_VPN_GATEWAY_REGION

Region of the VPN gateway to operate on. If not specified, the region is set tothe region of the forwarding rule. Overrides the defaultcompute/region property value for this command invocation.

At most one of these can be specified:

--address-region=ADDRESS_REGION

Region of the address to operate on. If not specified, you might be prompted toselect a region (interactive mode only).

To avoid prompting when this flag is omitted, you can set thecompute/region property:

gcloudconfigsetcompute/regionREGION

A list of regions can be fetched by running:

gcloudcomputeregionslist

To unset the property, run:

gcloudconfigunsetcompute/region

Alternatively, the region can be stored in the environment variableCLOUDSDK_COMPUTE_REGION.

--global-address

If set, the address is global.

At most one of these can be specified:

--backend-service-region=BACKEND_SERVICE_REGION

Region of the backend service to operate on. If not specified, the region is setto the region of the forwarding rule. Overrides the defaultcompute/region property value for this command invocation.

--global-backend-service

If set, the backend service is global.

At most one of these can be specified:

--global

If set, the forwarding rule is global.

--region=REGION

Region of the forwarding rule to create. If not specified, you might be promptedto select a region (interactive mode only).

To avoid prompting when this flag is omitted, you can set thecompute/region property:

gcloudconfigsetcompute/regionREGION

A list of regions can be fetched by running:

gcloudcomputeregionslist

To unset the property, run:

gcloudconfigunsetcompute/region

Alternatively, the region can be stored in the environment variableCLOUDSDK_COMPUTE_REGION.

At most one of these can be specified:

--global-target-http-proxy

If set, the http proxy is global.

--target-http-proxy-region=TARGET_HTTP_PROXY_REGION

Region of the http proxy to operate on. If not specified, you might be promptedto select a region (interactive mode only).

To avoid prompting when this flag is omitted, you can set thecompute/region property:

gcloudconfigsetcompute/regionREGION

A list of regions can be fetched by running:

gcloudcomputeregionslist

To unset the property, run:

gcloudconfigunsetcompute/region

Alternatively, the region can be stored in the environment variableCLOUDSDK_COMPUTE_REGION.

At most one of these can be specified:

--global-target-https-proxy

If set, the https proxy is global.

--target-https-proxy-region=TARGET_HTTPS_PROXY_REGION

Region of the https proxy to operate on. If not specified, you might be promptedto select a region (interactive mode only).

To avoid prompting when this flag is omitted, you can set thecompute/region property:

gcloudconfigsetcompute/regionREGION

A list of regions can be fetched by running:

gcloudcomputeregionslist

To unset the property, run:

gcloudconfigunsetcompute/region

Alternatively, the region can be stored in the environment variableCLOUDSDK_COMPUTE_REGION.

At most one of these can be specified:

--global-target-tcp-proxy

If set, the tcp proxy is global.

--target-tcp-proxy-region=TARGET_TCP_PROXY_REGION

Region of the tcp proxy to operate on. If not specified, you might be promptedto select a region (interactive mode only).

To avoid prompting when this flag is omitted, you can set thecompute/region property:

gcloudconfigsetcompute/regionREGION

A list of regions can be fetched by running:

gcloudcomputeregionslist

To unset the property, run:

gcloudconfigunsetcompute/region

Alternatively, the region can be stored in the environment variableCLOUDSDK_COMPUTE_REGION.

At most one of these can be specified:

--port-range=[PORT |START_PORT-END_PORT]

DEPRECATED, use --ports. If specified, only packets addressed to ports in thespecified range are forwarded. For more information, refer tohttps://cloud.google.com/load-balancing/docs/forwarding-rule-concepts#port_specifications.

--ports=ALL | [PORT |START_PORT-END_PORT],[…]

List of comma-separated ports. The forwarding rule forwards packets withmatching destination ports. Port specification requirements vary depending onthe load-balancing scheme and target. For more information, refer tohttps://cloud.google.com/load-balancing/docs/forwarding-rule-concepts#port_specifications.

Run$gcloud help for details.