Regional external Application Load Balancer logging and monitoring
Logging
You can enable, disable, and view logs for an external Application Load Balancer backend service.
You enable or disable logging for each backend service. You can configure whether to log all requests or a randomly sampled fraction.
You must ensure that you don't have a logs exclusion that applies to external Application Load Balancers. For information about how to verify that Cloud HTTP Load Balancer logs are allowed, see Exclusion filters.
Logs sampling and collection
The requests (and corresponding responses) handled by load balancer backend virtual machine (VM) instances are sampled. These sampled requests are then processed to generate logs. You control the fraction of the requests that are emitted as log entries according to the logConfig.sampleRate parameter. When logConfig.sampleRate is 1.0 (100%), logs are generated for all of the requests and written to Cloud Logging.
Optional fields
Log records contain required fields and optional fields. The What is logged section lists which fields are optional and which are required. All required fields are always included. You can customize which optional fields you keep.
- If you select include all optional, all optional fields in the log record format are included in the logs. When new optional fields are added to the record format, the logs automatically include the new fields.
- If you select exclude all optional, all optional fields are omitted.
- If you select custom, you can specify the optional fields that you want to include, such as tls.protocol, tls.cipher, orca_load_report.cpu_utilization, orca_load_report.mem_utilization.
For information about customizing optional fields, see Enable logging on a new backend service.
Enabling logging on a new backend service
Console
- In the Google Cloud console, go to the Load Balancing page.
- Click the name of your load balancer.
- Click Edit.
- Click Backend Configuration.
- Select Create a backend service.
- Complete the required backend service fields.
- In the Logging section, select the Enable logging checkbox.
- Set a Sample rate fraction. You can set a number from 0.0 through 1.0, where 0.0 means that no requests are logged and 1.0 means that 100% of the requests are logged. The default value is 1.0.
- Optional: To include all the optional fields in the logs, in the Optional fields section, click Include all optional fields.

Pro tip: To specify the CUSTOM option, use the gcloud CLI and the REST API.

- To finish editing the backend service, click Update.
- To finish editing the load balancer, click Update.
gcloud
Create a backend service and enable logging by using the `gcloud compute backend-services create` command.

```
gcloud compute backend-services create BACKEND_SERVICE \
    --region=REGION \
    --enable-logging \
    --logging-sample-rate=VALUE \
    --load-balancing-scheme=EXTERNAL_MANAGED \
    --logging-optional=LOGGING_OPTIONAL_MODE \
    --logging-optional-fields=OPTIONAL_FIELDS
```

where

- `--region` indicates that the backend service is regional. Use this field for backend services used with regional external Application Load Balancers.
- `--enable-logging` enables logging for that backend service.
- `--logging-sample-rate` lets you specify a value from 0.0 through 1.0, where 0.0 means that no requests are logged and 1.0 means that 100% of the requests are logged. This field is only meaningful with the `--enable-logging` parameter. Enabling logging but setting the sampling rate to 0.0 is equivalent to disabling logging. The default value is 1.0.
- `--logging-optional` lets you specify the optional fields that you want to include in the logs:
  - `INCLUDE_ALL_OPTIONAL` to include all optional fields.
  - `EXCLUDE_ALL_OPTIONAL` (default) to exclude all optional fields.
  - `CUSTOM` to include a custom list of optional fields that you specify in `OPTIONAL_FIELDS`.
- `--logging-optional-fields` lets you specify a comma-separated list of optional fields that you want to include in the logs. For example, `tls.protocol,tls.cipher`. Can only be set if `LOGGING_OPTIONAL_MODE` is set to `CUSTOM`. If you use custom metrics and want to log elements of the ORCA load report, you set `LOGGING_OPTIONAL_MODE` to `CUSTOM` and specify which elements must be logged in the `OPTIONAL_FIELDS` field. For example, `orca_load_report.cpu_utilization,orca_load_report.mem_utilization`.
Enabling logging on an existing backend service
Console
- In the Google Cloud console, go to the Load Balancing page.
- Click the name of your load balancer.
- Click Edit.
- Click Backend Configuration.
- Click Edit next to your backend service.
- In the Logging section, select the Enable logging checkbox.
- In the Sample rate field, set the sampling probability. You can set a number from 0.0 through 1.0, where 0.0 means that no requests are logged and 1.0 means that 100% of the requests are logged. The default value is 1.0.
- Optional: To include all the optional fields in the logs, in the Optional fields section, click Include all optional fields.

Pro tip: To specify the CUSTOM option, use the gcloud CLI and the REST API.

- To finish editing the backend service, click Update.
- To finish editing the load balancer, click Update.
gcloud
Enable logging on an existing backend service with the `gcloud compute backend-services update` command.

```
gcloud compute backend-services update BACKEND_SERVICE \
    --region=REGION \
    --enable-logging \
    --logging-sample-rate=VALUE \
    --logging-optional=LOGGING_OPTIONAL_MODE \
    --logging-optional-fields=OPTIONAL_FIELDS
```

where

- `--region` indicates that the backend service is regional. Use this field for backend services used with regional external Application Load Balancers.
- `--enable-logging` enables logging for that backend service.
- `--logging-sample-rate` lets you specify a value from 0.0 through 1.0, where 0.0 means that no requests are logged and 1.0 means that 100% of the requests are logged. Only meaningful with the `--enable-logging` parameter. Enabling logging but setting the sampling rate to 0.0 is equivalent to disabling logging. The default value is 1.0.
- `--logging-optional` lets you specify the optional fields that you want to include in the logs:
  - `INCLUDE_ALL_OPTIONAL` to include all optional fields.
  - `EXCLUDE_ALL_OPTIONAL` (default) to exclude all optional fields.
  - `CUSTOM` to include a custom list of optional fields that you specify in `OPTIONAL_FIELDS`.
- `--logging-optional-fields` lets you specify a comma-separated list of optional fields that you want to include in the logs. For example, `tls.protocol,tls.cipher`. Can only be set if `LOGGING_OPTIONAL_MODE` is set to `CUSTOM`. If you use custom metrics and want to log elements of the ORCA load report, you set `LOGGING_OPTIONAL_MODE` to `CUSTOM` and specify which elements must be logged in the `OPTIONAL_FIELDS` field. For example, `orca_load_report.cpu_utilization,orca_load_report.mem_utilization`.
Disabling or modifying logging on an existing backend service
Console
- In the Google Cloud console, go to the Load Balancing page.
- Click the name of your load balancer.
- Click Edit.
- Click Backend Configuration.
- Click Edit next to your backend service.
- To disable logging entirely, in the Logging section, clear the Enable logging checkbox.
- If you leave logging enabled, you can set a different Sample rate fraction. You can set a number from 0.0 through 1.0, where 0.0 means that no requests are logged and 1.0 means that 100% of the requests are logged. The default value is 1.0. For example, 0.2 means 20% of the sampled requests generate logs.
- To finish editing the backend service, click Update.
- To finish editing the load balancer, click Update.
gcloud: Regional mode
Disable logging on a backend service with the `gcloud compute backend-services update` command.
Disabling logging entirely

```
gcloud compute backend-services update BACKEND_SERVICE \
    --region=REGION \
    --no-enable-logging
```

where

- `--region` indicates that the backend service is regional. Use this field for backend services used with regional external Application Load Balancers.
- `--no-enable-logging` disables logging for that backend service.

Enabling logging optional fields on an existing backend service

```
gcloud compute backend-services update BACKEND_SERVICE \
    --region=REGION \
    --enable-logging \
    --logging-sample-rate=VALUE \
    --logging-optional=LOGGING_OPTIONAL_MODE \
    --logging-optional-fields=OPTIONAL_FIELDS
```

where

- `--logging-sample-rate` lets you specify a value from 0.0 through 1.0, where 0.0 means that no requests are logged and 1.0 means that 100% of the requests are logged. Only meaningful with the `--enable-logging` parameter. Enabling logging but setting the sampling rate to 0.0 is equivalent to disabling logging. The default value is 1.0.
- `--logging-optional` lets you specify the optional fields that you want to include in the logs:
  - `INCLUDE_ALL_OPTIONAL` to include all optional fields.
  - `EXCLUDE_ALL_OPTIONAL` (default) to exclude all optional fields.
  - `CUSTOM` to include a custom list of optional fields that you specify in `OPTIONAL_FIELDS`.
- `--logging-optional-fields` lets you specify a comma-separated list of optional fields that you want to include in the logs. For example, `tls.protocol,tls.cipher`. Can only be set if `LOGGING_OPTIONAL_MODE` is set to `CUSTOM`. If you use custom metrics and want to log elements of the ORCA load report, you set `LOGGING_OPTIONAL_MODE` to `CUSTOM` and specify which elements must be logged in the `OPTIONAL_FIELDS` field. For example, `orca_load_report.cpu_utilization,orca_load_report.mem_utilization`.

Updating logging optional mode from CUSTOM to others

```
gcloud compute backend-services update BACKEND_SERVICE \
    --region=REGION \
    --enable-logging \
    --logging-sample-rate=VALUE \
    --logging-optional=LOGGING_OPTIONAL_MODE \
    --logging-optional-fields=
```

where

- `--logging-optional` lets you specify the optional fields that you want to include in the logs:
  - `INCLUDE_ALL_OPTIONAL` to include all optional fields.
  - `EXCLUDE_ALL_OPTIONAL` (default) to exclude all optional fields.
- `--logging-optional-fields` must be explicitly configured as shown (set to an empty value) to clear any existing `CUSTOM` fields. The API doesn't let you combine a non-`CUSTOM` mode with `CUSTOM` fields.

Modifying the logging sample rate

```
gcloud compute backend-services update BACKEND_SERVICE \
    --region=REGION \
    --logging-sample-rate=VALUE
```
View logs
HTTP(S) logs are indexed first by a forwarding rule, then by a URL map.
To view logs, go to the Logs Explorer page:
- To view all logs, in the Resource filter menu, select Cloud HTTP Load Balancer > All forwarding rules.
- To view logs for one forwarding rule, select a single forwarding rule name.
- To view logs for one URL map, select a forwarding rule, and then select a URL map.
Log fields of type boolean typically only appear if they have a value of true. If a boolean field has a value of false, that field is omitted from the log.
UTF-8 encoding is enforced for log fields. Characters that are not UTF-8 characters are replaced with question marks.
For regional external Application Load Balancers, you can export logs-based metrics using resource logs (resource.type="http_external_regional_lb_rule").
What is logged
External Application Load Balancer log entries contain information useful for monitoring and debugging your HTTP(S) traffic. Log records contain required fields, which are the default fields of every log record.
Log records also contain optional fields that add information about your HTTP(S) traffic. Optional fields can be omitted to save storage costs.
Some log fields are in a multi-field format, with more than one piece of data in a given field. For example, the tls field is of the TlsInfo format, which contains the TLS protocol and TLS cipher in a single field. These multi-field fields are described in the following record format table.

| Field | Field format | Field type: Required or Optional | Description |
|---|---|---|---|
| severity, insertID, timestamp, logName | LogEntry | Required | The general fields as described in a log entry. |
| httpRequest | HttpRequest | Required | A common protocol for logging HTTP requests. |
| resource | MonitoredResource | Required | The MonitoredResource is the resource type associated with a log entry. The MonitoredResourceDescriptor describes the schema of a |
| jsonPayload | object (Struct format) | Required | The log entry payload that is expressed as a JSON object. The JSON object contains the fields in the following table. |

| Field | Field format | Field type: Required or Optional | Description |
|---|---|---|---|
| | string | Required | The field isn't logged if the value is an empty string. This can happen if the proxy or backend doesn't return a status code or the status code that is returned isn't |
| authzPolicyInfo | AuthzPolicyInfo | Required | The authzPolicyInfo field stores information about the authorization policy result. This information is only available for regional external Application Load Balancers that have enabled authorization policies. For more information, see what is logged for authorization policies. |
| | TlsInfo | Optional | The Use the You can't set |
| | MtlsInfo | Optional | The |
| backendNetworkName | string | Required | The backendNetworkName field specifies the VPC network of the backend. |
| | OrcaLoadReport | Optional | The Use the You can also set |

Redirects (for example, 302 Found) that are issued from the load balancer are not logged. Redirects issued from the backend instances are logged.
TlsInfo field format
| Field | Field format | Field type: Required or Optional | Description |
|---|---|---|---|
| protocol | string | Optional | TLS protocol that clients use to establish a connection with the load balancer. Possible values are TLSv1, TLSv1.1, TLSv1.2, TLSv1.3, or QUIC. This value is set to NULL if the client is not using TLS/SSL encryption. |
| cipher | string | Optional | TLS cipher that clients use to establish a connection with the load balancer. This value is set to NULL if the client isn't using HTTP(S) or the client isn't using TLS/SSL encryption. |
MtlsInfo field format
| Field | Field format | Field type: Required or Optional | Description |
|---|---|---|---|
| clientCertPresent | bool | Optional | |
| clientCertChainVerified | bool | Optional | |
| clientCertError | string | Optional | Predefined strings representing the error conditions. For more information about the error strings, see Client validation mode. |
| clientCertSha256Fingerprint | string | Optional | Base64-encoded SHA-256 fingerprint of the client certificate. |
| clientCertSerialNumber | string | Optional | The serial number of the client certificate. If the serial number is longer than 50 bytes, the string |
| clientCertValidStartTime | string | Optional | Timestamp (RFC 3339 date string format) before which the client certificate isn't valid. For example, |
| clientCertValidEndTime | string | Optional | Timestamp (RFC 3339 date string format) after which the client certificate isn't valid. For example, |
| clientCertSpiffeId | string | Optional | The SPIFFE ID from the subject alternative name (SAN) field. If the value isn't valid or exceeds 2048 bytes, the SPIFFE ID is set to an empty string. If the SPIFFE ID is longer than 2048 bytes, the string |
| clientCertUriSans | string | Optional | Comma-separated Base64-encoded list of the SAN extensions of type URI. The SAN extensions are extracted from the client certificate. The SPIFFE ID is not included in the If the |
| clientCertDnsnameSans | string | Optional | Comma-separated Base64-encoded list of the SAN extensions of type DNSName. The SAN extensions are extracted from the client certificate. If the |
| clientCertIssuerDn | string | Optional | Base64-encoded full Issuer field from the certificate. If the |
| clientCertSubjectDn | string | Optional | Base64-encoded full Subject field from the certificate. If the |
| clientCertLeaf | string | Optional | The client leaf certificate for an established mTLS connection where the certificate passed validation. Certificate encoding is compliant with RFC 9440: the binary DER certificate is encoded using Base64 (without line breaks, spaces, or other characters outside the Base64 alphabet) and delimited with colons on either side. If |
| clientCertChain | string | Optional | The comma-delimited list of certificates, in standard TLS order, of the client certificate chain for an established mTLS connection where the client certificate passed validation, not including the leaf certificate. Certificate encoding is compliant with RFC 9440. If the combined size of |
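As an added example (not code from the page or from Google Cloud), the following Python decodes the RFC 9440-encoded clientCertLeaf and clientCertChain values and cross-checks the logged clientCertSha256Fingerprint against the decoded leaf. It assumes the fingerprint is standard Base64 of the raw SHA-256 digest, treats an absent boolean as false (the page notes that false booleans are omitted from the log), and uses constructed placeholder bytes in place of real DER certificates.

```python
import base64
import hashlib


def decode_rfc9440(value: str) -> bytes:
    """Decode one certificate logged in RFC 9440 form: ':<Base64 DER>:'."""
    if len(value) < 2 or value[0] != ":" or value[-1] != ":":
        raise ValueError("expected a colon-delimited Base64 DER certificate")
    # validate=True rejects line breaks or other non-alphabet characters,
    # which the log format does not allow inside the encoded certificate.
    return base64.b64decode(value[1:-1], validate=True)


def decode_chain(value: str) -> list:
    """Decode clientCertChain: comma-separated RFC 9440 certs, leaf excluded."""
    if not value:
        return []
    return [decode_rfc9440(item.strip()) for item in value.split(",")]


def sha256_fingerprint_b64(der: bytes) -> str:
    """Base64 of the SHA-256 digest of the DER bytes (assumed fingerprint form)."""
    return base64.b64encode(hashlib.sha256(der).digest()).decode("ascii")


def check_mtls_info(mtls: dict) -> dict:
    """Summarise an MtlsInfo object and cross-check the logged fingerprint."""
    report = {
        # Boolean fields are omitted from the log when false, so a missing
        # key means False rather than "unknown".
        "cert_present": mtls.get("clientCertPresent", False),
        "chain_verified": mtls.get("clientCertChainVerified", False),
        "error": mtls.get("clientCertError", ""),
        "leaf_fingerprint_matches": None,  # None: no leaf was logged
        "intermediate_count": 0,
    }
    leaf_value = mtls.get("clientCertLeaf")
    if leaf_value:
        leaf_der = decode_rfc9440(leaf_value)
        report["leaf_fingerprint_matches"] = (
            sha256_fingerprint_b64(leaf_der) == mtls.get("clientCertSha256Fingerprint")
        )
        report["intermediate_count"] = len(decode_chain(mtls.get("clientCertChain", "")))
    return report


def encode_rfc9440(der: bytes) -> str:
    """Inverse of decode_rfc9440; used here only to build the constructed sample."""
    return ":" + base64.b64encode(der).decode("ascii") + ":"


# Constructed stand-in bytes, NOT real DER certificates.
SAMPLE_LEAF_DER = b"\x30\x82\x01\x00" + bytes(range(64))
SAMPLE_INTERMEDIATE_DER = b"\x30\x82\x01\x01" + bytes(range(64, 128))

# Constructed MtlsInfo object in the shape of the table above (verified chain
# with one intermediate).
SAMPLE_MTLS_OK = {
    "clientCertPresent": True,
    "clientCertChainVerified": True,
    "clientCertLeaf": encode_rfc9440(SAMPLE_LEAF_DER),
    "clientCertChain": encode_rfc9440(SAMPLE_INTERMEDIATE_DER),
    "clientCertSha256Fingerprint": sha256_fingerprint_b64(SAMPLE_LEAF_DER),
}

# Constructed object for a handshake where no certificate was sent: both
# booleans are false and therefore absent, exactly as they would be in the log.
SAMPLE_MTLS_NO_CERT = {}

if __name__ == "__main__":
    print(check_mtls_info(SAMPLE_MTLS_OK))
    print(check_mtls_info(SAMPLE_MTLS_NO_CERT))
```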
Resource labels
The following table lists the resource labels for resource.type="http_external_regional_lb_rule".
| Field | Type | Description |
|---|---|---|
| backend_name | string | The name of the backend instance group or NEG. However, the label is empty for a failed TLS connection. |
| backend_scope | string | The scope of the backend (either a zone name or a region name). Might be UNKNOWN whenever backend_name is unknown. |
| backend_scope_type | string | The scope of the backend (REGION/ZONE). Might be UNKNOWN whenever backend_name is unknown. |
| backend_target_name | string | The name of the backend selected to handle the request, based on the URL map path rule or route rule that matches the request. |
| backend_target_type | string | The type of backend target. Can be BACKEND_SERVICE, or UNKNOWN is returned if the backend wasn't assigned. |
| backend_type | string | The type of the backend group. Can be INSTANCE_GROUP, NETWORK_ENDPOINT_GROUP, or UNKNOWN is returned if the backend wasn't assigned. |
| forwarding_rule_name | string | The name of the forwarding rule object. |
| matched_url_path_rule | string | The URL map path rule or route rule configured as part of the URL map key. Can be UNMATCHED or UNKNOWN as fallbacks. |
| network_name | string | The name of the load balancer's VPC network. |
| project_id | string | The identifier of the Google Cloud project associated with this resource. |
| region | string | The region in which the load balancer is defined. |
| target_proxy_name | string | The name of the target proxy object referenced by the forwarding rule. |
| url_map_name | string | The name of the URL map object configured to select a backend service. For a failed TLS connection, url_map_name is empty. |
proxyStatus error field
The proxyStatus field contains a string that specifies why the load balancer returned an error. There are two parts in the proxyStatus field, proxyStatus error and proxyStatus details. This section describes the strings that are supported in the proxyStatus error field.
The proxyStatus error field is applicable to the following load balancers:
- Regional external Application Load Balancer
- Cross-region internal Application Load Balancer
- Regional internal Application Load Balancer
| proxyStatus error | Description | Common accompanying response codes |
|---|---|---|
| destination_unavailable | The load balancer considers the backend to be unavailable. For example, recent attempts to communicate with the backend have failed, or a health check might have resulted in a failure. | 500, 503 |
| connection_timeout | The load balancer's attempt to open a connection to the backend has timed out. | 504 |
| connection_terminated | The load balancer's connection to the backend ended before a complete response is received. This | 0, 502, 503 |
| connection_refused | The load balancer's connection to the backend is refused. | 502, 503 |
| connection_limit_reached | The load balancer is configured to limit the number of connections it has to the backend, and that limit has been exceeded. This | 502, 503 |
| destination_not_found | The load balancer can't determine the appropriate backend to use for this request. For example, the backend might not be configured. | 500, 404 |
| dns_error | The load balancer encountered a DNS error when trying to find an IP address for the backend hostname. | 502, 503 |
| proxy_configuration_error | The load balancer encountered an internal configuration error. | 500 |
| proxy_internal_error | The load balancer encountered an internal error. The error can be due to a scheduled restart of the proxy managing the connections. | 0, 500, 502 |
| proxy_internal_response | The load balancer generated the response without attempting to connect to the backend. | Any status code depending on the type of problem. For example, the 410 status code means that the backend is unavailable due to payment delinquency. |
| http_response_timeout | The load balancer reached a configured backend service timeout limit while waiting for the complete response from the backend. | 504, 408 |
| http_request_error | The load balancer encountered an HTTP 4xx error, indicating problems with the client request. | 400, 403, 405, 406, 408, 411, 413, 414, 415, 416, 417, or 429 |
| http_protocol_error | The load balancer encountered an HTTP protocol error while communicating with the backend. | 502 |
| tls_protocol_error | The load balancer encountered a TLS error during the TLS handshake. | 0 |
| tls_certificate_error | The load balancer encountered an error at the time of verifying the certificate presented by the server or by the client when mTLS is enabled. | 0 |
| tls_alert_received | The load balancer encountered a fatal TLS alert during the TLS handshake. | 0 |
proxyStatus details field
The proxyStatus field contains a string that specifies why the load balancer returned an error. There are two parts in the proxyStatus field, proxyStatus error and proxyStatus details. The proxyStatus details field is optional and is shown only when additional information is available. This section describes the strings that are supported in the proxyStatus details field.
The proxyStatus details field is applicable to the following load balancers:
- Regional external Application Load Balancer
- Regional internal Application Load Balancer
- Cross-region internal Application Load Balancer
| proxyStatus details | Description | Common accompanying response status codes |
|---|---|---|
| client_disconnected_before_any_response | The connection to the client was broken before the load balancer sent any response. | 0 |
| backend_connection_closed | The backend unexpectedly closed its connection to the load balancer. This can happen if the load balancer is sending traffic to another entity such as a third-party application that has a TCP timeout shorter than the 10-minute (600-second) timeout of the load balancer. | 502 |
| failed_to_connect_to_backend | The load balancer failed to connect to the backend. This failure includes timeouts during the connection phase. | 503 |
| failed_to_pick_backend | The load balancer failed to pick a healthy backend to handle the request. | 502 |
| response_sent_by_backend | The HTTP request was proxied successfully to the backend, and the response was returned by the backend. | The HTTP status code is set by the software running on the backend. |
| client_timed_out | The connection between the load balancer and client exceeded the idle timeout. For more information about regional external Application Load Balancer, see Client HTTP keepalive timeout. For more information about internal Application Load Balancer, see Client HTTP keepalive timeout. | 0, 408 |
| backend_timeout | The backend timed out while generating a response. | 502 |
| http_protocol_error_from_backend_response | The backend response contains an HTTP protocol error. | 501, 502 |
| http_protocol_error_from_request | The client request contains an HTTP protocol error. | 400, 503 |
| http_version_not_supported | The HTTP protocol version isn't supported. Only HTTP 1.1 and 2.0 are supported. | 400 |
| handled_by_identity_aware_proxy | This response was generated by Identity-Aware Proxy (IAP) while verifying the identity of the client before allowing access. | 200, 302, 400, 401, 403, 500, 502 |
| invalid_request_headers | The HTTP request headers received from a client contain at least one character that isn't allowed under an applicable HTTP specification. For example, header field names that include a double quotation mark ( For more information, see: | 400, 404 |
| ip_detection_failed | The original IP address couldn't be detected. | Any status code possible depending on the nature of the failure. The value must be from 400 to 599. |
| request_body_too_large | The HTTP request body exceeded the maximum length supported by the load balancer. | 413, 507 |
| request_header_timeout | The request header timed out because the load balancer didn't receive the complete request within 5 seconds. | 408, 504 |
| denied_by_security_policy | The load balancer denied this request because of a Google Cloud Armor security policy. | 403 |
| throttled_by_security_policy | The request was blocked by a Cloud Armor throttle rule. | 429 |
| client_cert_chain_invalid_eku | Either the client certificate or its issuer doesn't have extended key usage that includes clientAuth. For more information, see Logged errors for closed connections. | 0 |
| client_cert_chain_max_name_constraints_exceeded | An intermediate certificate provided for validation had more than 10 name constraints. For more information, see Logged errors for closed connections. | 0 |
| client_cert_invalid_rsa_key_size | A client leaf or intermediate certificate had an invalid RSA key size. For more information, see Logged errors for closed connections. | 0 |
| client_cert_not_provided | The client didn't provide the requested certificate during the handshake. For more information, see Logged errors for closed connections. | 0 |
| client_cert_pki_too_large | The PKI to be used for validation has more than three intermediate certificates that share the same Subject and Subject Public Key Info. For more information, see Logged errors for closed connections. | 0 |
| client_cert_unsupported_elliptic_curve_key | A client or intermediate certificate is using an unsupported elliptic curve. For more information, see Logged errors for closed connections. | 0 |
| client_cert_unsupported_key_algorithm | A client or intermediate certificate is using a non-RSA or non-ECDSA algorithm. For more information, see Logged errors for closed connections. | 0 |
| client_cert_validation_failed | The client certificate fails validation with the TrustConfig. For more information, see Logged errors for closed connections. | 0 |
| client_cert_validation_not_performed | You have configured mutual TLS without setting up a TrustConfig. For more information, see Logged errors for closed connections. | 0 |
| client_cert_validation_search_limit_exceeded | The depth or iteration limit is reached while attempting to validate the certificate chain. For more information, see Logged errors for closed connections. | 0 |
| client_cert_validation_timed_out | The time limit (200 ms) was exceeded while validating the certificate chain. For more information, see Logged errors for closed connections. | 0 |
| tls_version_not_supported | The TLS protocol version is recognized but not supported. The error results in a closed TLS connection. | 0 |
| unknown_psk_identity | Servers send this error when PSK key establishment is required, but the client doesn't provide an acceptable PSK identity. The error results in a closed TLS connection. | 0 |
| no_application_protocol | Sent by servers when a client "application_layer_protocol_negotiation" extension advertises only protocols that the server doesn't support. See TLS application-layer protocol negotiation extension. The error results in a closed TLS connection. | 0 |
| no_certificate | No certificate was found. The error results in a closed TLS connection. | 0 |
| bad_certificate | A certificate is invalid, or it contains signatures that couldn't be verified. The error results in a closed TLS connection. | 0 |
| unsupported_certificate | A certificate is of an unsupported type. The error results in a closed TLS connection. | 0 |
| certificate_revoked | A certificate was revoked by its signer. The error results in a closed TLS connection. | 0 |
| certificate_expired | A certificate has expired or it isn't valid. The error results in a closed TLS connection. | 0 |
| certificate_unknown | Some unspecified issues arose while processing the certificate, rendering it unacceptable. The error results in a closed TLS connection. | 0 |
| unknown_ca | A valid certificate chain or partial chain was received, but the certificate can't be accepted because the CA certificate cannot be located or matched with a known trust anchor. The error results in a closed TLS connection. | 0 |
| unexpected_message | An inappropriate message, such as a wrong handshake message or premature application data, was received. The error results in a closed TLS connection. | 0 |
| bad_record_mac | A record is received that can't be deprotected. The error results in a closed TLS connection. | 0 |
| record_overflow | A TLSCiphertext record was received that has a length of more than 2^14 + 256 bytes, or a record was decrypted to a TLSPlaintext record with more than 2^14 bytes (or some other negotiated limit). The error results in a closed TLS connection. | 0 |
| handshake_failure | Unable to negotiate an acceptable set of security parameters given the options available. The error results in a closed TLS connection. | 0 |
| illegal_parameter | A field in the handshake was incorrect or inconsistent with other fields. The error results in a closed TLS connection. | 0 |
| access_denied | A valid certificate or PSK was received, but when access control was applied, the client didn't proceed with negotiation. The error results in a closed TLS connection. | 0 |
| decode_error | A message couldn't be decoded because some fields are out of the specified range, or the length of the message is incorrect. The error results in a closed TLS connection. | 0 |
| decrypt_error | A handshake (not record layer) cryptographic operation failed, including being unable to correctly verify a signature or validate a finished message or a PSK binder. The error results in a closed TLS connection. | 0 |
| insufficient_security | A negotiation has failed specifically because the server requires parameters that are more secure than those supported by the client. The error results in a closed TLS connection. | 0 |
| inappropriate_fallback | Sent by a server in response to an invalid connection retry attempt from a client. The error results in a closed TLS connection. | 0 |
| user_cancelled | The user canceled the handshake for some reason unrelated to a protocol failure. The error results in a closed TLS connection. | 0 |
| missing_extension | Sent by endpoints that receive a handshake message not containing an extension that is mandatory to send for the offered TLS version or other negotiated parameters. The error results in a closed TLS connection. | 0 |
| unsupported_extension | Sent by endpoints that receive any handshake message containing an extension known to be prohibited for inclusion in the given handshake message, or including any extensions in ServerHello or Certificate that was not first offered in the corresponding ClientHello or CertificateRequest. The error results in a closed TLS connection. | 0 |
| unrecognized_name | Sent by servers when no server exists that can be identified by the name provided by the client through the "server_name" extension. See TLS extension definitions. | 0 |
| bad_certificate_status_response | Sent by clients when an invalid or unacceptable OCSP response is provided by the server through the "status_request" extension. See TLS extension definitions. The error results in a closed TLS connection. | 0 |
| load_balancer_configured_resource_limits_reached | The load balancer has reached the configured resource limits, such as the maximum number of connections. | 0 |
Failed TLS connection log entries
When the TLS connection between the client and the load balancer fails before any backend is selected, log entries record the errors. You can configure the backend services with different log sample rates. When a TLS connection fails, the failed TLS connection log sample rate is the highest sample rate for any backend service. For example, if you have configured two backend services with logging sample rates of 0.3 and 0.5, the failed TLS connection log sample rate is 0.5.
You can identify failed TLS connections by checking for these log entry details:
- The proxyStatus error type is tls_alert_received, tls_certificate_error, tls_protocol_error, or connection_terminated.
- There is no backend information.
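As an added example (not code from the page or from Google Cloud), the following Python parses the proxyStatus string into the error and details parts described in the two sections above, applies both conditions for a failed TLS connection to log entries in the JSON form that Cloud Logging exports (jsonPayload and resource.labels), and counts failed handshakes per forwarding rule. The log lines are constructed, and the error/details pairings in them are illustrative rather than taken from a real load balancer.

```python
import json
import re

# proxyStatus error values that the page lists for a failed TLS connection.
FAILED_TLS_ERRORS = {
    "tls_alert_received",
    "tls_certificate_error",
    "tls_protocol_error",
    "connection_terminated",
}

# proxyStatus is logged as: error="<error>"; details="<details>"
# (either part may be absent).
_PART = re.compile(r'(\w+)="([^"]*)"')


def parse_proxy_status(value) -> dict:
    """Split a proxyStatus string into its 'error' and 'details' parts."""
    return dict(_PART.findall(value or ""))


def has_backend_info(labels: dict) -> bool:
    """A failed TLS entry carries no backend: empty names and UNKNOWN types."""
    return bool(
        labels.get("backend_name")
        or labels.get("url_map_name")
        or labels.get("backend_target_type", "UNKNOWN") != "UNKNOWN"
        or labels.get("backend_type", "UNKNOWN") != "UNKNOWN"
    )


def is_failed_tls(entry: dict) -> bool:
    """Apply both conditions: a TLS-class proxyStatus error and no backend."""
    status = parse_proxy_status(entry.get("jsonPayload", {}).get("proxyStatus"))
    labels = entry.get("resource", {}).get("labels", {})
    return status.get("error") in FAILED_TLS_ERRORS and not has_backend_info(labels)


def summarize_failed_tls(entries) -> dict:
    """Count failed handshakes per (forwarding rule, error, details)."""
    counts = {}
    for entry in entries:
        if not is_failed_tls(entry):
            continue
        status = parse_proxy_status(entry["jsonPayload"]["proxyStatus"])
        key = (
            entry["resource"]["labels"].get("forwarding_rule_name", ""),
            status.get("error", ""),
            status.get("details", ""),
        )
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed log lines (JSON export form, one entry per line). Entry 2 shows
# why the backend check matters: connection_terminated with a backend assigned
# is a backend-side failure, not a failed client handshake.
SAMPLE_LINES = r'''
{"jsonPayload": {"proxyStatus": "error=\"tls_alert_received\"; details=\"server_to_client: handshake_failure\""}, "httpRequest": {"remoteIp": "203.0.113.10"}, "resource": {"type": "http_external_regional_lb_rule", "labels": {"backend_name": "", "backend_type": "UNKNOWN", "backend_target_type": "UNKNOWN", "forwarding_rule_name": "fr-dev", "url_map_name": ""}}}
{"jsonPayload": {"proxyStatus": "error=\"connection_terminated\"; details=\"backend_connection_closed\""}, "httpRequest": {"remoteIp": "203.0.113.11", "status": 502}, "resource": {"type": "http_external_regional_lb_rule", "labels": {"backend_name": "ig-web", "backend_type": "INSTANCE_GROUP", "backend_target_type": "BACKEND_SERVICE", "forwarding_rule_name": "fr-dev", "url_map_name": "um-dev"}}}
{"jsonPayload": {"proxyStatus": "details=\"response_sent_by_backend\""}, "httpRequest": {"remoteIp": "203.0.113.12", "status": 200}, "resource": {"type": "http_external_regional_lb_rule", "labels": {"backend_name": "ig-web", "backend_type": "INSTANCE_GROUP", "backend_target_type": "BACKEND_SERVICE", "forwarding_rule_name": "fr-dev", "url_map_name": "um-dev"}}}
{"jsonPayload": {"proxyStatus": "error=\"tls_certificate_error\"; details=\"client_cert_validation_failed\""}, "httpRequest": {"remoteIp": "203.0.113.13"}, "resource": {"type": "http_external_regional_lb_rule", "labels": {"backend_name": "", "backend_type": "UNKNOWN", "backend_target_type": "UNKNOWN", "forwarding_rule_name": "fr-dev", "url_map_name": ""}}}
'''.strip().splitlines()

ENTRIES = [json.loads(line) for line in SAMPLE_LINES]

if __name__ == "__main__":
    for key, count in sorted(summarize_failed_tls(ENTRIES).items()):
        print(key, count)
```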
The following sample shows a failed TLS log entry with the proxyStatus error field:
```
json_payload: {
  @type: "type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry"
  proxyStatus: "error="tls_alert_received"; details="server_to_client: handshake_failure""
  log_name: "projects/529254013417/logs/mockservice.googleapis.com%20name"
}
http_request {
  latency {
    nanos: 12412000
  }
  protocol: "HTTP/1.0"
  remote_ip: "127.0.0.2"
}
resource {
  type: "mock_internal_http_lb_rule"
  labels {
    backend_name: ""
    backend_scope: ""
    backend_scope_type: "UNKNOWN"
    backend_target_name: ""
    backend_target_type: "UNKNOWN"
    backend_type: "UNKNOWN"
    forwarding_rule_name: "l7-ilb-https-forwarding-rule-dev"
    matched_url_path_rule: "UNKNOWN"
    network_name: "lb-network"
    region: "REGION"
    target_proxy_name: "l7-ilb-https-proxy-dev"
    url_map_name: ""
  }
}
timestamp: "2023-08-15T16:49:30.850785Z"
```

Authorization policy request logs
The authz_info object in the Load Balancer Log Entry JSON payload contains information about authorization policies. You can configure log-based metrics for traffic allowed or denied by these policies. For more details, see the authorization policies log details.
| Field | Type | Description |
|---|---|---|
| authz_info.policies[] | object | The list of policies that match the request. |
| authz_info.policies[].name | string | The name of the authorization policy that matches the request. The name is empty for the following reasons: |
| authz_info.policies[].result | enum | The result can be ALLOWED or DENIED. |
| authz_info.policies[].details | string | The details include the following: |
| authz_info.overall_result | enum | The result can be ALLOWED or DENIED. |
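
The following is an added example, not code from the Google Cloud documentation: it applies the rules described in the failed TLS connection section (the proxyStatus error types, the absence of backend information, and the "highest sample rate wins" rule) and the authz_info overall_result split to constructed sample log entries. The entry shapes and backend names are assumptions modelled on the sample entry above.

```python
import re

# proxyStatus error types that identify a failed TLS connection (listed on the page)
FAILED_TLS_ERRORS = {"tls_alert_received", "tls_certificate_error",
                     "tls_protocol_error", "connection_terminated"}

def parse_proxy_status(status):
    """Split 'error="x"; details="y"' into {"error": "x", "details": "y"}."""
    return dict(re.findall(r'(\w+)="([^"]*)"', status))

def is_failed_tls(entry):
    """True when proxyStatus carries a TLS/connection error and no backend was selected."""
    payload = entry.get("json_payload", {})
    error = parse_proxy_status(payload.get("proxyStatus", "")).get("error")
    labels = entry.get("resource", {}).get("labels", {})
    no_backend = (labels.get("backend_name", "") == ""
                  and labels.get("backend_type", "UNKNOWN") == "UNKNOWN")
    return error in FAILED_TLS_ERRORS and no_backend

def failed_tls_sample_rate(backend_sample_rates):
    """Failed TLS entries are sampled at the highest rate of any backend service."""
    return max(backend_sample_rates, default=0.0)

def authz_counts(entries):
    """Count entries by authz_info.overall_result, the ALLOWED/DENIED split a
    log-based metric on authorization policies would expose."""
    counts = {"ALLOWED": 0, "DENIED": 0}
    for entry in entries:
        result = entry.get("json_payload", {}).get("authz_info", {}).get("overall_result")
        if result in counts:
            counts[result] += 1
    return counts

# Constructed sample entries (not real log data), shaped like the page's example.
SAMPLE_ENTRIES = [
    {"json_payload": {"proxyStatus": 'error="tls_alert_received"; '
                                     'details="server_to_client: handshake_failure"'},
     "resource": {"labels": {"backend_name": "", "backend_type": "UNKNOWN"}}},
    {"json_payload": {"authz_info": {"overall_result": "DENIED"}},
     "resource": {"labels": {"backend_name": "web-ig", "backend_type": "INSTANCE_GROUP"}}},
    {"json_payload": {"authz_info": {"overall_result": "ALLOWED"}},
     "resource": {"labels": {"backend_name": "web-ig", "backend_type": "INSTANCE_GROUP"}}},
]

if __name__ == "__main__":
    print([is_failed_tls(e) for e in SAMPLE_ENTRIES])  # [True, False, False]
    print(failed_tls_sample_rate([0.3, 0.5]))          # 0.5
    print(authz_counts(SAMPLE_ENTRIES))                # {'ALLOWED': 1, 'DENIED': 1}
```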
Interacting with the logs
You can interact with the external Application Load Balancer logs by using the Cloud Logging API. The Logging API provides ways to interactively filter logs that have specific fields set. It exports matching logs to Cloud Logging, Cloud Storage, BigQuery, or Pub/Sub. For more information about the Logging API, see Logging API overview.
Monitoring
The load balancer exports monitoring data to Monitoring.
You can use monitoring metrics to do the following:
- Evaluate a load balancer's configuration, usage, and performance
- Troubleshoot problems
- Improve resource utilization and user experience
In addition to the predefined dashboards in Monitoring, you can create custom dashboards, set up alerts, and query the metrics through the Cloud Monitoring API.
Defining alerting policies
You can create alerting policies to monitor the values of metrics and to notify you when those metrics violate a condition.
In the Google Cloud console, go to the Alerting page:
If you use the search bar to find this page, then select the result whose subheading is Monitoring.
- If you haven't created your notification channels and if you want to be notified, then click Edit Notification Channels and add your notification channels. Return to the Alerting page after you add your channels.
- From the Alerting page, select Create policy.
- To select the metric, expand the Select a metric menu and then do the following:
  - To limit the menu to relevant entries, enter Regional External Application Load Balancer Rule into the filter bar. If there are no results after you filter the menu, then disable the Show only active resources & metrics toggle.
  - For the Resource type, select Regional External Application Load Balancer Rule.
  - Select a Metric category and a Metric, and then select Apply.
- Click Next.
- The settings in the Configure alert trigger page determine when the alert is triggered. Select a condition type and, if necessary, specify a threshold. For more information, see Create metric-threshold alerting policies.
- Click Next.
- Optional: To add notifications to your alerting policy, click Notification channels. In the dialog, select one or more notification channels from the menu, and then click OK.
- Optional: Update the Incident autoclose duration. This field determines when Monitoring closes incidents in the absence of metric data.
- Optional: Click Documentation, and then add any information that you want included in a notification message.
- Click Alert name and enter a name for the alerting policy.
- Click Create Policy.
Defining Cloud Monitoring custom dashboards
You can create custom Cloud Monitoring dashboards for the load balancer's metrics:
In the Google Cloud console, go to the Monitoring page.
Select Dashboards > Create Dashboard.
Click Add Chart, and then give the chart a title.
To identify the time series to be displayed, choose a resource type and metric type:
- In the Resource & Metric section, click the chart, and then in the Select a metric section, select from the available options:
  - For a regional external Application Load Balancer, select the resource type Regional External Application Load Balancer Rule.
- Click Apply.
To specify monitoring filters, click Filters > Add filter.
Click Save.
Metric reporting frequency and retention
Metrics for the external Application Load Balancers are exported to Cloud Monitoring in 1-minute granularity batches. Monitoring data is retained for six (6) weeks.
The dashboard provides data analysis in default intervals of 1H (one hour), 6H (six hours), 1D (one day), 1W (one week), and 6W (six weeks). You can manually request analysis in any interval from 6W to 1 minute.
Monitoring metrics
You can monitor the following metrics for external Application Load Balancers.
The following metrics for regional external Application Load Balancers are reported into Cloud Monitoring. These metrics are prepended with loadbalancing.googleapis.com/.
| Metric | Name | Description |
|---|---|---|
| Backend configured rate (Preview) | network.googleapis.com/loadbalancer/backend/configured_rate | The maximum rate in requests per second configured per backend group. This is the result of scaling the target capacity by the capacity scaler, if specified. |
| Backend configured utilization (Preview) | network.googleapis.com/loadbalancer/backend/configured_utilization | The maximum CPU utilization capacity as a fraction, configured per backend group. This is the result of scaling the target capacity by the capacity scaler, if specified. |
| Backend error rate (Preview) | network.googleapis.com/loadbalancer/backend/error_rate | The errors served by each backend group per second. |
| Backend fullness (Preview) | network.googleapis.com/loadbalancer/backend/fullness | The current fullness of each backend group as a percentage, based on the load balancer's balancing mode. |
| Backend latencies | loadbalancing.googleapis.com/https/external/regional/backend_latencies | A distribution of the backend latency. Backend latency is the time in milliseconds between the last byte of the request sent to the backend and the last byte of the response received by the proxy. It includes the time taken by the backend to process the request and the time taken for the response to be sent back to the proxy. |
| Backend load balancing custom metrics (Preview) | network.googleapis.com/loadbalancer/backend/lb_custom_metric | The current utilization by each backend group, based on your defined custom metrics. |
| Backend rate (Preview) | network.googleapis.com/loadbalancer/backend/rate | The requests received by each backend group per second. |
| Backend utilization (Preview) | network.googleapis.com/loadbalancer/backend/utilization | The aggregate CPU utilization of the VMs in the group as a fraction. |
| Request count | loadbalancing.googleapis.com/https/external/regional/request_count | The number of requests served by the regional external Application Load Balancer. |
| Request bytes count | loadbalancing.googleapis.com/https/external/regional/request_bytes | The number of bytes sent as requests from clients to the regional external Application Load Balancer. |
| Response bytes count | loadbalancing.googleapis.com/https/external/regional/response_bytes | The number of bytes sent as responses from the regional external Application Load Balancer to the client. |
| Total latencies | loadbalancing.googleapis.com/https/external/regional/total_latencies | A distribution of the total latency. Total latency is the time in milliseconds between the first byte of the request received by the proxy and the last byte of the response sent by the proxy. It includes: the time taken by the proxy to process the request, the time taken for the request to be sent from the proxy to the backend, the time taken by the backend to process the request, the time taken for the response to be sent back to the proxy, and the time taken for the proxy to process the response and send the response to the client. It doesn't include the RTT between the client and the proxy. Additionally, pauses between requests on the same connection that use |
Filtering dimensions for metrics
You can apply filters for metrics for external Application Load Balancers.
Metrics are aggregated for each regional external Application Load Balancer. You can filter aggregated metrics by using the following dimensions for resource.type="http_external_regional_lb_rule".
| Property | Description |
|---|---|
| backend_name | The name of the backend instance group or NEG. |
| backend_scope | The scope of the backend (either a zone name or a region name). Might be UNKNOWN whenever backend_name is unknown. |
| backend_scope_type | The scope of the backend (REGION/ZONE). Might be UNKNOWN whenever backend_name is unknown. |
| backend_target_name | The name of the backend selected to handle the request, based on the URL map path rule or route rule that matches the request. |
| backend_target_type | The type of backend target. Can be BACKEND_SERVICE, or UNKNOWN if the backend wasn't assigned. |
| backend_type | The type of the backend group. Can be INSTANCE_GROUP or NETWORK_ENDPOINT_GROUP, or UNKNOWN if the backend wasn't assigned. |
| forwarding_rule_name | The name of the forwarding rule object. |
| matched_url_path_rule | The URL map path rule or route rule configured as part of the URL map key. Can be UNMATCHED or UNKNOWN as fallbacks. |
| network_name | The name of the load balancer's VPC network. |
| project_id | The identifier of the Google Cloud project associated with this resource. |
| region | The region in which the load balancer is defined. |
| target_proxy_name | The name of the target proxy object referenced by the forwarding rule. |
| url_map_name | The name of the URL map object configured to select a backend service. |
What's next
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.