Set up your backend instances

In this section, you create two backend services in differentregions. Each backend service includes two backend instances,each running a Microsoft IIS web server on Windows Server 2016. To avoidlaborious manual configuration of each server, create a diskimage from one server instance, and then use this image to create yourother server instances.

Create and configure a Compute Engine instance

To create the instance to use as a source image:

From Google Cloud Marketplace, launch an instance of Windows Server 2016 runningMicrosoft IIS on Compute Engine in a zone of your choice, and set upfirewall rules to allow external HTTP, HTTPS, and RDP traffic to your source imageinstance:

1. In the Google Cloud console, go to theASP.NET Framework Cloud Marketplace page.

   Go to Cloud Marketplace

2. ClickLaunch.

3. In theDeployment name field, entersrc-img.

4. In theZone field, select a zone that you want to deploy the image in.

5. In theWindows Server OS Version field, select2016.

6. In theNetworking - Firewall section, select only the following options:

   • Allow HTTP traffic
   • Allow HTTPS traffic
   • Allow RDP traffic

7. Accept the terms of service and clickDeploy.

8. Wait for the Compute Engine instance to be created.

Configure your source image instance

To configure your new source image instance, create a new Windows user on thesource image instance and establish an RDP connection:

1. In the Google Cloud console, go to theVM instances page.

   Go to VM instances

2. Click the name of your source image instance (src-img).

3. ClickSet Windows password.

4. In theSet new Windows password dialog, add your username andclickSet to create the user account on your instance.

5. Copy the provided password and close the dialog.

6. Click theRDP dropdown and select theDownload the RDP file option todownload the RDP file for your instance. Use this file to connect to theinstance using an RDP client. For more information, seeMicrosoft Remote Desktop clients.

After you establish an RDP connection with your source image instance,add a default homepage in the IIS default web directory:

1. On your source image instance, open PowerShell as an administrator.

2. Create a new homepage in the default IIS web directoryC:\inetpub\wwwroot:

   Echo '<!doctype html><html><body><h1>Hello World!</h1></body></html>' > C:\inetpub\wwwroot\index.html

Verify that your source image instance can serve content

In the Google Cloud console, go to theVM instances page.

Go to VM instances

Click the external IP address of your instance to verify that it is servingthe homepage you created earlier.

Create a reusable Windows Server 2016 image from your source image instance

After verifying that your source image instance is properly configuredand able to serve content, create a reusable disk image from the instance'sroot persistent disk:

1. On your source image instance, open PowerShell as an administrator.

2. Run the following command to prepare your system forcloning:

   GCESysprep

   When theGCESysprep operation completes, you are automatically disconnectedfrom your RDP session.

3. On your local machine, run the following command to delete your sourceinstance while retaining its root persistent disk:

   gcloud compute instances delete src-img \   --keep-disks=boot \   --zone=INSTANCE_ZONE

   ReplaceINSTANCE_ZONE with the zone of your sourceinstance.

4. After the instance is deleted, create a new image from theroot persistent disk you retained:

   gcloud compute images create win-be-img \   --source-disk=src-img \   --source-disk-zone=IMAGE_ZONE

   ReplaceIMAGE_ZONE with the zone that you want tocreate your source image in.

Create an instance template using your source image

Use the disk image from your configured Windows server as the source image foraninstance template.Later, you'll configure twomanaged instance groups to use this template for new instances.

On your local machine, run the following command to create an instance templatethat useswin-be-img as the source image andrdp-tag andwww-tag asinstance tags:

gcloud compute instance-templates create win-be-tmpl \    --tags=rdp-tag,www-tag \    --image=win-be-img

Create a managed instance group for each region

In each region, create managed instance groups. After you create eachinstance group, the group automatically populates with two identicalinstances based on the instance template you defined earlier. Later,you'll configure your load balancer to treat these instance groupsas backend targets.

To create your managed instance groups:

1. On your local machine, run the following command to create a newmanaged instance group in the zone that you created the image in andautomatically populate it with two identical instances:

   gcloud compute instance-groups managed createMANAGED_INSTANCE_GROUP_NAME_1 \   --base-instance-name=BASE_INSTANCE_NAME_1 \   --size=2 \   --zone=ZONE_1 \   --template=win-be-tmpl

   Replace the following:

   • MANAGED_INSTANCE_GROUP_NAME_1: your managed instance's name
   • BASE_INSTANCE_NAME_1: your base instance's name
   • ZONE_1: the zone that you want to deploy your managed instance in

2. Create a managed instance group in the second zone:

   gcloud compute instance-groups managed createMANAGED_INSTANCE_GROUP_NAME_2 \   --base-instance-name=BASE_INSTANCE_NAME_2 \   --size=2 \   --zone=ZONE_2 \   --template=win-be-tmpl

   Replace the following:

   • MANAGED_INSTANCE_GROUP_NAME_2: your managed instance's name
   • BASE_INSTANCE_NAME_2: your base instance's name
   • ZONE_2: the zone that you want to deploy your managed instance in

Verify that your backend instances are running

1. In the Google Cloud console, go to theVM instances page.

   Go to VM instances

2. Click the external IP address of each backend to verify that the backend is servingthe homepage you created earlier.

1. On your local machine, run the following command to create anew health check. Your load balancer uses this checkto check the responsiveness of your backend instances:

   gcloud compute http-health-checks create basic-check

2. Create abackend service:

   gcloud compute backend-services createBACKEND_SERVICE_NAME \  --protocol=HTTP \  --http-health-checks=basic-check \  --global

   ReplaceBACKEND_SERVICE_NAME with a name for the backend service.

3. Add your instance groups as backend targets for your backend service:

   gcloud compute backend-services add-backendBACKEND_SERVICE_NAME \   --instance-group=MANAGED_INSTANCE_GROUP_NAME_1 \   --instance-group-zone=ZONE_1gcloud compute backend-services add-backendBACKEND_SERVICE_NAME \   --instance-group=MANAGED_INSTANCE_GROUP_NAME_2 \   --instance-group-zone=ZONE_2

4. Create a default URL map that directs all incoming requeststo all of your instances:

   gcloud compute url-maps create lb-map \   --default-service=BACKEND_SERVICE_NAME

5. Create an SSL certificate resource. Your load balancer uses thisresource to encrypt and decrypt traffic.

   If you already have a private key and an SSL certificate from acertificate authority, you can use them to create a newSSLCertificateresource by running the following command. Otherwise, you can create and use aGoogle-managed SSL certificate or aself-signed certificate for testing. For more information, seeSSL certificates.

   Note: Skip this step if you choose to use a Google-managed or a self-signedSSL certificate.

   Run the following command to create your SSL certificate resource:

   gcloud compute ssl-certificates create www-cert \   --certificateCRT_FILE_PATH \   --private-keyKEY_FILE_PATH

   Replace the following:

   • CRT_FILE_PATH: your certificate's local filepath
   • KEY_FILE_PATH: your private key's file path

6. Create target HTTP and HTTPS proxies to route requests to your URL map.The proxy is the portion of the load balancer that holds the SSLcertificate for HTTPS load balancing, so you also load yourcertificate in this step:

   gcloud compute target-http-proxies create http-lb-proxy \   --url-map=lb-mapgcloud compute target-https-proxies create https-lb-proxy \   --url-map lb-map \   --ssl-certificateSSL_CERT

   Replace SSL_CERT based on the following:

   • If you've created an SSLCertificate resource with your SSL certificate andprivate key, then replaceSSL_CERT withwww-cert.
   • If you're using a Google-managed or a self-signed SSLcertificate, then replaceSSL_CERT with the name of your certificate.

7. For your load balancer to reliably receive traffic, you need to assign aglobal static IP address to the load balancer's global forwarding rule.

   To create a global static IP address resource, run the following command:

   gcloud compute addresses create lb-ip \   --global \   --network-tier=PREMIUM

   Take note of the IP address.

8. Create two global forwarding rules to handle incoming HTTP and HTTPSrequests. Each forwarding rule sends traffic to one of the targetproxies you created depending on the IP address, IP protocol, andport specified.

   • For a global external Application Load Balancer, use the gcloud CLI command withload-balancing-scheme=EXTERNAL_MANAGED. This setting offersadvanced traffic management capability.
   • For an classic Application Load Balancer, useload-balancing-scheme=EXTERNAL.

   gcloud compute forwarding-rules create http-fwd-rule \   --load-balancing-scheme=LOAD_BALANCING_SCHEME \   --network-tier=PREMIUM \   --address=lb-ip \   --global \   --target-http-proxy=http-lb-proxy \   --ports=80gcloud compute forwarding-rules create https-fwd-rule \   --load-balancing-scheme=LOAD_BALANCING_SCHEME \   --network-tier=PREMIUM \   --address=lb-ip \   --global \   --target-https-proxy=https-lb-proxy \   --ports=443

After you create the global forwarding rules, it can take several minutesfor your configuration to propagate. To check the progress of thepropagation, you can either monitor your configuration in theGoogle Cloud console or run the following command on your local machine:

gcloud compute backend-services get-healthBACKEND_SERVICE_NAME

Send traffic to your backends

Now that you've configured your load balancing service, you can start sendingtraffic to the forwarding rule and watch the traffic be dispersed to differentinstances.

Send traffic to your backends as follows:

1. In the Google Cloud console, go to theLoad balancing page.

   Go to Load balancing

2. Select theFrontends tab.

3. To see your default homepage, click the IP addresses in theAddress column.

   Note: If you used a self-signed certificate for testing, your browserdisplays a warning and you must manually accept the certificate.

Restrict access to your backends

After you have verified that everything is working as intended, modifyyour firewall rules so that HTTP or HTTPS traffic can only come from your loadbalancing service:

1. In the Google Cloud console, go to theFirewall page.

   Go to Firewall

2. Click the name of the firewall rule that permits external access to porttcp:80.

3. ClickEdit to edit the firewall rule.

4. In theSource IPv4 ranges field, remove the value0.0.0.0/0 andenter130.211.0.0/22.This restricts the firewall rule's allowed source IPs to the range130.211.0.0/22, which is the HTTPS load balancing health check IP range.

5. ClickSave.

6. In the Google Cloud console, go to theVM instances page.

   Go to VM instances

7. Click the external IP address of each instance to verify that the instance is now inaccessible.

Simulate an outage

To see how a load is balanced among the responsive instances, you can simulate anoutage for one or more instances in a region.

To stop an instance from receiving additional requests:

1. Establish an RDP connection to the instance.
2. On the instance, open PowerShell as an administrator.

3. Run the following command to create a new firewall rule on theinstance. This command blocks the health check traffic from thehealth checker and prevents all new HTTP connections from theload balancer to the instance:

   netsh advfirewall firewall add rule name="Outage Test" protocol=tcp dir=in localport=80 action=block remoteip=130.211.0.0/22

4. On your local machine, run the following command to verify that theinstance now reports anUNHEALTHY status:

   gcloud compute backend-services get-healthBACKEND_SERVICE_NAME

5. After the instance starts reporting anUNHEALTHY status, senda request to your load balancer. Only the responsive instances shouldrespond.

6. After you've finished simulating an outage, you can restore yourinstance's connectivity by deleting the firewall rule. After openingPowerShell as an administrator on the unresponsive instance, run thefollowing command to delete the rule:

   netsh advfirewall firewall delete rule name="Outage Test"

Clean up

After you finish the tutorial, you can clean up the resources that you created so that they stop using quota and incurring charges. The following sections describe how to delete or turn off these resources.

Delete the project

The easiest way to eliminate billing is to delete the project that you createdfor the tutorial.

Caution: Deleting a project has the following effects:
• Everything in the project is deleted. If you used an existing project for the tasks in this document, when you delete it, you also delete any other work you've done in the project.
• Custom project IDs are lost. When you created this project, you might have created a custom project ID that you want to use in the future. To preserve the URLs that use the project ID, such as anappspot.com URL, delete selected resources inside the project instead of deleting the whole project.

If you plan to explore multiple architectures, tutorials, or quickstarts, reusing projects can help you avoid exceeding project quota limits.

1. In the Google Cloud console, go to theManage resources page.

   Go to Manage resources

2. In the project list, select the project that you want to delete, and then clickDelete.
3. In the dialog, type the project ID, and then clickShut down to delete the project.

Delete individual resources

You'll need to individually delete all the resources created for the project(images, instance templates, instance groups, health checks, backend services,URL map, http proxy, addresses, forwarding rules). You can't delete the VMinstances until you run the following commands.

Run the following commands on your local machine to delete the resources createdfor the tutorial:

1. Delete the HTTP/S forwarding rules:

   gcloud compute forwarding-rules delete https-fwd-rule --global

   gcloud compute forwarding-rules delete http-fwd-rule --global

2. Delete the global static IP address:

   gcloud compute addresses delete lb-ip --global

3. Delete the HTTP/S proxies:

   gcloud compute target-https-proxies delete https-lb-proxy

   gcloud compute target-http-proxies delete http-lb-proxy

4. Delete the SSL certificate:

   gcloud compute ssl-certificates deleteSSL_CERT

5. Delete the URL map:

   gcloud compute url-maps delete lb-map

6. Delete the backend service:

   gcloud compute backend-services deleteBACKEND_SERVICE_NAME --global

7. Delete the HTTP health check:

   gcloud compute http-health-checks delete basic-check

8. Delete the managed instance groups:

   gcloud compute instance-groups managed deleteMANAGED_INSTANCE_GROUP_NAME_1 --zone=ZONE_1

   gcloud compute instance-groups managed deleteMANAGED_INSTANCE_GROUP_NAME_2 --zone=ZONE_2

9. Delete the instance template:

   gcloud compute instance-templates delete win-be-tmpl

10. In the Google Cloud console, go to theImages page.

    Go to Images

11. Select the checkbox for the image that you want to delete.
12. To delete the image, clickdeleteDelete.
13. In the Google Cloud console, go to theDisks page.

    Go to Disks

14. Select the checkbox for the disk that you want to delete.
15. To delete the disk, clickdeleteDelete.

What's next

• Work through thedeploying load-balanced IIS web servers tutorial.
• Review the best practices in theGoogle Cloud Well-Architected Framework.
• Explore reference architectures, diagrams, and best practices about Google Cloud.Take a look at ourCloud Architecture Center.