Set up a classic Application Load Balancer with a managed instance group backend

This setup guide shows you how to create a classic Application Load Balancer with aCompute Engine managed instance groupbackend.

For general concepts, see theExternal Application Load Balancer overview.

If you are an existing user of the classic Application Load Balancer, make sure that youreviewMigrationoverview when you plan a new deployment with the global external Application Load Balancer.

Load balancer topologies

For an HTTPS load balancer, you create the configuration shown inthe following diagram.

External Application Load Balancer with a managed instance group (MIG) backend.
Figure 1. External Application Load Balancer with a managed instance group (MIG) backend (click to enlarge).

For an HTTP load balancer, you create the configuration shown inthe following diagram.

External Application Load Balancer with a managed instance group (MIG) backend.
Figure 2. External Application Load Balancer with a managed instance group (MIG) backend (click to enlarge).

The sequence of events in the diagrams are as follows:

  1. A client sends a content request to the external IPv4 address defined in theforwarding rule.

  2. For an HTTPS load balancer, the forwarding rule directs the request to thetarget HTTPS proxy.

    For an HTTP load balancer, the forwarding rule directs the request to thetarget HTTP proxy.

  3. The target proxy uses the rule in theURLmap to determine that thesingle backend service receives all requests.

  4. The load balancer determines that thebackendservice has only one instancegroup and directs the request to a virtual machine (VM) instance in thatgroup.

  5. The VM serves the content requested by the user.

Before you begin

Complete the following steps before you create the load balancer.

Set up an SSL certificate resource

For an HTTPS load balancer, create an SSL certificate resource as described in thefollowing:

We recommend using a Google-managed certificate.

This example assumes that you already have an SSL certificate resource namedwww-ssl-cert.

Warning: Don't use a self-signed certificate for production purposes.

Set up permissions

To complete the steps in this guide, you must have permission to createCompute Engine instances, firewall rules, and reserved IP addresses in aproject. You must have either a projectowner or editorrole, or you must have the followingCompute Engine IAM roles.

TaskRequired role
Create instancesInstance Admin
Add and remove firewall rulesSecurity Admin
Create load balancer componentsNetwork Admin
Create a project (optional)Project Creator

For more information, see the following guides:

Optional: Use BYOIP addresses

With bring your own IP (BYOIP), you can import your own public addresses toGoogle Cloud to use the addresses with Google Cloud resources. Forexample, if you import your own IPv4 addresses, you can assign one to theforwarding rule when you configure your load balancer. When you follow theinstructions in this document toset up the load balancer, provide the BYOIP address as theIP address.

For more information about using BYOIP, seeBring your own IP addresses.

Configure the network and subnets

To create the example network and subnet, follow these steps.

Console

  1. In the Google Cloud console, go to theVPC networks page.

    Go to VPC networks

  2. ClickCreate VPC network.

  3. Enter aName for the network.

  4. For theSubnet creation mode, chooseCustom.

  5. In theNew subnet section, configure the following fields:

    1. Provide aName for the subnet.
    2. Select aRegion.
    3. ForIP stack type, selectIPv4 (single-stack).
    4. Enter anIP address range. This is theprimary IPv4range for the subnet.

  6. ClickDone.

  7. To add a subnet in a different region, clickAdd subnet and repeatthe previous steps.

  8. ClickCreate.

gcloud

  1. Create the custom mode VPC network:

    gcloud compute networks createNETWORK \    --subnet-mode=custom

  2. Within the network, create a subnet for backends:

    gcloud compute networks subnets createSUBNET \    --network=NETWORK \    --stack-type=IPV4_ONLY \    --range=10.1.2.0/24 \    --region=REGION

    Replace the following:

    • NETWORK: a name for the VPC network.

    • SUBNET: a name for the subnet.

    • REGION: the name of the region.

Create a managed instance group

To set up a load balancer with a Compute Engine backend, your VMs needto be in an instance group. This guide describes how to create a managedinstance group with Linux VMs that have Apache running, and then set up loadbalancing. A managed instance group creates each of its managed instances basedon the instance templates that you specify.

The managed instance group provides VMs running the backend servers ofan external HTTP(S) load balancer. For demonstration purposes, backendsserve their own hostnames.

Before you create a managed instance group, create an instance template.

Console

To supportIPv4 traffic, use the following steps:

  1. In the Google Cloud console, go to theInstance templates page.

    Go to Instance templates

  2. ClickCreate instance template.

  3. ForName, enterlb-backend-template.

  4. Ensure that the Boot disk is set to a Debian image, such asDebian GNU/Linux 10 (buster). These instructions use commands thatare only available on Debian, such asapt-get.

  5. ExpandAdvanced options.

  6. ExpandNetworking and configure the following fields:

    1. ForNetwork tags, enterallow-health-check.
    2. In theNetwork interfaces section, clickEdit and make thefollowing changes:
      • Network:NETWORK
      • Subnet:SUBNET
      • IPv4 traffic:IPv4 (single-stack)
    3. ClickDone.

  7. ExpandManagement. In theStartup script field, enter thefollowing script:

    #! /bin/bashapt-get updateapt-get install apache2 -ya2ensite default-ssla2enmod sslvm_hostname="$(curl -H "Metadata-Flavor:Google" \http://metadata.google.internal/computeMetadata/v1/instance/name)"echo "Page served from: $vm_hostname" | \tee /var/www/html/index.htmlsystemctl restart apache2

  8. ClickCreate.

gcloud

To supportIPv4 traffic, run the following command:

gcloud compute instance-templates createTEMPLATE_NAME \  --region=REGION \  --network=NETWORK \  --subnet=SUBNET \  --stack-type=IPV4_ONLY \  --tags=allow-health-check \  --image-family=debian-10 \  --image-project=debian-cloud \  --metadata=startup-script='#! /bin/bash    apt-get update    apt-get install apache2 -y    a2ensite default-ssl    a2enmod ssl    vm_hostname="$(curl -H "Metadata-Flavor:Google" \    http://metadata.google.internal/computeMetadata/v1/instance/name)"    echo "Page served from: $vm_hostname" | \    tee /var/www/html/index.html    systemctl restart apache2'

Terraform

To create the instance template, use thegoogle_compute_instance_templateresource.

resource "google_compute_instance_template" "default" {  name = "lb-backend-template"  disk {    auto_delete  = true    boot         = true    device_name  = "persistent-disk-0"    mode         = "READ_WRITE"    source_image = "projects/debian-cloud/global/images/family/debian-11"    type         = "PERSISTENT"  }  labels = {    managed-by-cnrm = "true"  }  machine_type = "n1-standard-1"  metadata = {    startup-script = "#! /bin/bash\n     sudo apt-get update\n     sudo apt-get install apache2 -y\n     sudo a2ensite default-ssl\n     sudo a2enmod ssl\n     vm_hostname=\"$(curl -H \"Metadata-Flavor:Google\" \\\n   http://169.254.169.254/computeMetadata/v1/instance/name)\"\n   sudo echo \"Page served from: $vm_hostname\" | \\\n   tee /var/www/html/index.html\n   sudo systemctl restart apache2"  }  network_interface {    access_config {      network_tier = "PREMIUM"    }    network    = "global/networks/default"    subnetwork = "regions/us-east1/subnetworks/default"  }  region = "us-east1"  scheduling {    automatic_restart   = true    on_host_maintenance = "MIGRATE"    provisioning_model  = "STANDARD"  }  service_account {    email  = "default"    scopes = ["https://www.googleapis.com/auth/devstorage.read_only", "https://www.googleapis.com/auth/logging.write", "https://www.googleapis.com/auth/monitoring.write", "https://www.googleapis.com/auth/pubsub", "https://www.googleapis.com/auth/service.management.readonly", "https://www.googleapis.com/auth/servicecontrol", "https://www.googleapis.com/auth/trace.append"]  }  tags = ["allow-health-check"]}

Create the managed instance group and select the instance template.

Console

  1. In the Google Cloud console, go to theInstance groups page.

    Go to Instance groups

  2. ClickCreate instance group.

  3. On the left, chooseNew managed instance group (stateless).

  4. ForName, enterlb-backend-example.

  5. UnderLocation, selectSingle zone.

  6. ForRegion, select your preferred region.

  7. ForZone, select a zone.

  8. UnderInstance template, select the instance templatelb-backend-template.

  9. ForAutoscaling mode, selectOn: add and remove instances to thegroup.

    SetMinimum number of instances to2, and setMaximum number ofinstances to2 or more.

  10. To create the new instance group, clickCreate.

gcloud

  1. Create the managed instance group based on the template.

    gcloud compute instance-groups managed create lb-backend-example \   --template=TEMPLATE_NAME --size=2 --zone=ZONE_A

Terraform

To create the managed instance group, use thegoogle_compute_instance_group_managerresource.

resource "google_compute_instance_group_manager" "default" {  name = "lb-backend-example"  zone = "us-east1-b"  named_port {    name = "http"    port = 80  }  version {    instance_template = google_compute_instance_template.default.id    name              = "primary"  }  base_instance_name = "vm"  target_size        = 2}

To learn how to apply or remove a Terraform configuration, seeBasic Terraform commands.

Add a named port to the instance group

For your instance group, define an HTTP service and map a port nameto the relevant port. The load balancing service forwardstraffic to the named port. For more information, seeNamed ports.

Console

  1. In the Google Cloud console, go to theInstance groups page.

    Go to Instance groups

  2. Clicklb-backend-example.

  3. On the instance group'sOverview page, clickEdit.

  4. In thePort mapping section, clickAdd port.

    1. For the port name, enterhttp. For the port number, enter80.

  5. ClickSave.

gcloud

Use thegcloud compute instance-groupsset-named-portscommand.

gcloud compute instance-groups set-named-ports lb-backend-example \    --named-ports http:80 \    --zoneZONE_A

Terraform

Thenamed_port attribute is included in themanaged instance group sample.

Configure a firewall rule

In this example, you create thefw-allow-health-check firewall rule.This is an ingress rule that allows traffic from the Google Cloud healthchecking systems (130.211.0.0/22 and35.191.0.0/16). This example uses thetarget tagallow-health-check to identify the VMs.

Console

  1. In the Google Cloud console, go to theFirewall policies page.

    Go to Firewall policies

  2. ClickCreate firewall rule to create the firewall rule.

  3. ForName, enterfw-allow-health-check.

  4. Select aNetwork.

  5. UnderTargets, selectSpecified target tags.

  6. Populate theTarget tags field withallow-health-check.

  7. SetSource filter toIPv4 ranges.

  8. SetSource IPv4 ranges to130.211.0.0/22 and35.191.0.0/16.

  9. UnderProtocols and ports, selectSpecified protocols and ports.

  10. Select theTCP checkbox, and then type80 for the portnumbers.

  11. ClickCreate.

gcloud

gcloud compute firewall-rules create fw-allow-health-check \    --network=NETWORK \    --action=allow \    --direction=ingress \    --source-ranges=130.211.0.0/22,35.191.0.0/16 \    --target-tags=allow-health-check \    --rules=tcp:80

Terraform

To create the firewall rule, use thegoogle_compute_firewallresource.

resource "google_compute_firewall" "default" {  name          = "fw-allow-health-check"  direction     = "INGRESS"  network       = "global/networks/default"  priority      = 1000  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]  target_tags   = ["allow-health-check"]  allow {    ports    = ["80"]    protocol = "tcp"  }}

To learn how to apply or remove a Terraform configuration, seeBasic Terraform commands.

Reserve an external IP address

Now that your instances are up and running, set up aglobal static external IPaddress that your customers useto reach your load balancer.

Console

  1. In the Google Cloud console, go to theExternal IP addresses page.

    Go to External IP addresses

  2. To reserve an IPv4 address, clickReserve external static IP address.

  3. ForName, enterlb-ipv4-1.

  4. SetNetwork Service Tier toPremium.

  5. SetIP version toIPv4.

  6. SetType toGlobal.

  7. ClickReserve.

gcloud

gcloud compute addresses create lb-ipv4-1 \    --ip-version=IPV4 \    --network-tier=PREMIUM \    --global

Note the IPv4 address that was reserved:

gcloud compute addresses describe lb-ipv4-1 \    --format="get(address)" \    --global

Terraform

To reserve the IP address, use thegoogle_compute_global_addressresource.

resource "google_compute_global_address" "default" {  name       = "lb-ipv4-1"  ip_version = "IPV4"}

To learn how to apply or remove a Terraform configuration, seeBasic Terraform commands.

Set up the load balancer

In this example, you are using HTTPS (frontend) between the client and the loadbalancer. For HTTPS, you need one or moreSSL certificate resourcesto configure the proxy. We recommend using a Google-managed certificate.

Even if you're using HTTPS on the frontend, you can use HTTP on the backend.Googleautomatically encrypts traffic between Google Front Ends (GFEs) and yourbackendsthat reside within Google Cloud VPC networks.

Console

Select the load balancer type

  1. In the Google Cloud console, go to theLoad balancing page.

    Go to Load balancing

  2. ClickCreate load balancer.
  3. ForType of load balancer, selectApplication Load Balancer (HTTP/HTTPS) and clickNext.
  4. ForPublic facing or internal, selectPublic facing (external) and clickNext.
  5. ForGlobal or single region deployment, selectBest for global workloads and clickNext.
  6. ForLoad balancer generation, selectClassic Application Load Balancer and clickNext.
  7. ClickConfigure.

Basic configuration

For the load balancerName, enter something likeweb-map-https orweb-map-http.

Frontend configuration

  1. ClickFrontend configuration.
  2. SetProtocol toHTTPS.
  3. SelectIPv4 for IPv4 traffic. SetIP address tolb-ipv4-1, which you created earlier.
  4. SetPort to443.
  5. ClickCertificate, and select your primary SSL certificate.
  6. Optional: Create an SSL policy:
    1. In theSSL policy list, selectCreate a policy.
    2. Set the name of the SSL policy tomy-ssl-policy.
    3. ForMinimum TLS Version, selectTLS 1.0.
    4. ForProfile, selectModern. TheEnabled features andDisabled features are displayed.
    5. ClickSave.
    If you have not created any SSL policies, adefault SSL policy is applied.
  7. Optional: Select theEnable HTTP to HTTPS Redirect checkbox to enable redirects.

    Enabling this checkbox creates an additional partial HTTP load balancer that uses the same IP address as your HTTPS load balancer and redirects incoming HTTP requests to your load balancer's HTTPS frontend.

    This checkbox can only be selected when the HTTPS protocol is selected and a reserved IP address is used.

  8. ClickDone.

Backend configuration

  1. ClickBackend configuration.
  2. UnderBackend services & backend buckets, selectCreate a backend service.
  3. Add a name for your backend service, such asweb-backend-service.
  4. Go to theSecurity section, and then selectEnable IAP to secure access to your applications.

    Cloud CDN and IAP are not compatible. If you have Cloud CDN enabled, and you select to enable IAP, Cloud CDN is automatically disabled.

  5. Optional: Configure a default backend security policy. The default security policy throttles traffic over a user-configured threshold. For more information about default security policies, see theRate limiting overview.

    1. To opt out of the Cloud Armor default security policy, selectNone in theCloud Armor backend security policy list.
    2. To configure the Cloud Armor default security policy, selectDefault security policy in theCloud Armor backend security policy list.
    3. In thePolicy name field, accept the automatically generated name or enter a name for your security policy.
    4. In theRequest count field, accept the default request count or enter an integer between1 and10,000.
    5. In theInterval field, select an interval.
    6. In theEnforce on key field, choose one of the following values:All,IP address, orX-Forwarded-For IP address. For more information about these options, seeIdentifying clients for rate limiting.
  6. Retain the other default settings.
  7. ClickCreate.

Host and path rules

ForHost and path rules, retain the default settings.

Review and finalize

  1. ClickReview and finalize.
  2. Review your load balancer configuration settings.
  3. Optional: ClickEquivalent code to view the REST API request that will be used to create the load balancer.
  4. ClickCreate.

Wait for the load balancer to be created.

If you created an HTTPS load balancer and selected theEnable HTTP to HTTPS Redirect checkbox, you will also seean HTTP load balancer created with a-redirect suffix.

  1. Click the name of the load balancer.
  2. On theLoad balancer details screen, note theIP:Port for your load balancer.

gcloud

  1. Create a health check.
     gcloud compute health-checks create http http-basic-check \     --port 80
  2. Create a backend service.
    gcloud compute backend-services create web-backend-service \    --load-balancing-scheme=EXTERNAL \    --protocol=HTTP \    --port-name=http \    --health-checks=http-basic-check \    --global
  3. Add your instance group as the backend to the backend service.
    gcloud beta compute backend-services add-backend web-backend-service \  --instance-group=lb-backend-example \  --instance-group-zone=ZONE_A \  --global
  4. For HTTP, create a URL map to route the incoming requests to the default backendservice.
    gcloud beta compute url-maps create web-map-http \  --default-service web-backend-service
  5. For HTTPS, create a URL map to route the incoming requests to thedefault backend service.
    gcloud beta compute url-maps create web-map-https \  --default-service web-backend-service

Set up an HTTPS frontend

Skip this section for HTTP load balancers.

  1. For HTTPS, if you haven't already done so, create the global SSLcertificate resource, as shown in the following sections:

  2. For HTTPS, create a target HTTPS proxy to route requests to your URL map. The proxy is the portion of the load balancer that holds the SSL certificatefor an HTTPS load balancer, so you also load your certificate in this step.

    gcloud compute target-https-proxies create https-lb-proxy \  --url-map=web-map-https \  --ssl-certificates=www-ssl-cert
  3. For HTTPS, create a global forwarding rule to route incoming requests tothe proxy.
    gcloud compute forwarding-rules create https-content-rule \  --load-balancing-scheme=EXTERNAL \  --network-tier=PREMIUM \  --address=lb-ipv4-1 \  --global \  --target-https-proxy=https-lb-proxy \  --ports=443
  4. Optional: For HTTPS, create a global SSL policy and attach it to the HTTPS proxy.
    To create a global SSL policy:
    gcloud compute ssl-policies create my-ssl-policy \  --profile MODERN \  --min-tls-version 1.0
    To attach the SSL policy to the global target HTTPS proxy:
    gcloud compute target-https-proxies update https-lb-proxy \  --ssl-policy my-ssl-policy

Set up an HTTP frontend

Skip this section for HTTPS load balancers.

  1. For HTTP, create a target HTTP proxy to route requests to your URL map.
    gcloud compute target-http-proxies create http-lb-proxy \  --url-map=web-map-http
  2. For HTTP, create a global forwarding rule to route incoming requests to the proxy.
    gcloud compute forwarding-rules create http-content-rule \  --load-balancing-scheme=EXTERNAL \  --address=lb-ipv4-1 \  --global \  --target-http-proxy=http-lb-proxy \  --ports=80

Terraform

  1. To create the health check, use thegoogle_compute_health_check resource.

    resource "google_compute_health_check" "default" {  name               = "http-basic-check"  check_interval_sec = 5  healthy_threshold  = 2  http_health_check {    port               = 80    port_specification = "USE_FIXED_PORT"    proxy_header       = "NONE"    request_path       = "/"  }  timeout_sec         = 5  unhealthy_threshold = 2}

  2. To create the backend service, use thegoogle_compute_backend_service resource.

    This example usesload_balancing_scheme="EXTERNAL_MANAGED", which sets up a global external Application Load Balancer withadvanced traffic management capability. To create a classic Application Load Balancer, make sure you change theload_balancing_scheme toEXTERNAL before running the script.

    resource "google_compute_backend_service" "default" {  name                            = "web-backend-service"  connection_draining_timeout_sec = 0  health_checks                   = [google_compute_health_check.default.id]  load_balancing_scheme           = "EXTERNAL_MANAGED"  port_name                       = "http"  protocol                        = "HTTP"  session_affinity                = "NONE"  timeout_sec                     = 30  backend {    group           = google_compute_instance_group_manager.default.instance_group    balancing_mode  = "UTILIZATION"    capacity_scaler = 1.0  }}

  3. To create the URL map, use thegoogle_compute_url_map resource.

    resource "google_compute_url_map" "default" {  name            = "web-map-http"  default_service = google_compute_backend_service.default.id}

  4. To create the target HTTP proxy, use thegoogle_compute_target_http_proxy resource.

    resource "google_compute_target_http_proxy" "default" {  name    = "http-lb-proxy"  url_map = google_compute_url_map.default.id}

  5. To create the forwarding rule, use thegoogle_compute_global_forwarding_rule resource.

    This example usesload_balancing_scheme="EXTERNAL_MANAGED", which sets up a global external Application Load Balancer withadvanced traffic management capability. To create a classic Application Load Balancer, make sure you change theload_balancing_scheme toEXTERNAL before running the script.

    resource "google_compute_global_forwarding_rule" "default" {  name                  = "http-content-rule"  ip_protocol           = "TCP"  load_balancing_scheme = "EXTERNAL_MANAGED"  port_range            = "80-80"  target                = google_compute_target_http_proxy.default.id  ip_address            = google_compute_global_address.default.id}

To learn how to apply or remove a Terraform configuration, seeBasic Terraform commands.

Connect your domain to your load balancer

After the load balancer is created, note the IP address that is associated withthe load balancer—for example,30.90.80.100. To point your domain to yourload balancer, create anA record by using your domain registration service. Ifyou added multiple domains to your SSL certificate, you must add anA recordfor each one, all pointing to the load balancer's IP address. For example, tocreateA records forwww.example.com andexample.com, use the following:

NAME                  TYPE     DATAwww                   A        30.90.80.100@                     A        30.90.80.100

If you use Cloud DNS as your DNS provider, seeAdd, modify, and delete records.

Test traffic sent to your instances

Now that the load balancing service is running, you can sendtraffic to the forwarding rule and watch the traffic be dispersed to differentinstances.

Console

  1. In the Google Cloud console, go to theLoad balancing page.

    Go to Load balancing

  2. Click the load balancer that you just created.

  3. In theBackend section, confirm that the VMs are healthy. TheHealthy column should be populated, indicating that both VMsare healthy (2/2). If you see otherwise, first try reloadingthe page. It can take a few moments for the Google Cloud console toindicate that the VMs are healthy. If the backends do not appear healthyafter a few minutes, review the firewall configuration and the network tagassigned to your backend VMs.

  4. For HTTPS, if you are using a Google-managed certificate, confirm that yourcertificate resource's status is ACTIVE. For more information, seeGoogle-managed SSL certificate resource status.
  5. After the Google Cloud console shows that the backend instances arehealthy, you can test your load balancer using a web browser by going tohttps://IP_ADDRESS (orhttp://IP_ADDRESS). ReplaceIP_ADDRESS with theload balancer's IP address.
  6. If you used a self-signed certificate for testing HTTPS, your browserdisplays a warning. You must explicitly instruct your browser to accept a self-signed certificate.
  7. Your browser should render a page with content showing the name of the instance that served the page, along with its zone (for example,Page served from: lb-backend-example-xxxx). If your browser doesn't render this page, review the configuration settings in this guide.

gcloud

gcloud compute addresses describe lb-ipv4-1 \   --format="get(address)" \   --global

After a few minutes have passed, you can test the setup by running the followingcurl command.

curl http://IP_ADDRESS

-OR-

curl https://HOSTNAME

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.