Set up a global external Application Load Balancer with Shared VPC

This document shows you two sample configurations for setting up aglobal external Application Load Balancer with VM instance group backends in a Shared VPCenvironment:

  • In thefirst example, the load balancer's frontend andbackend components are created in one service project.
  • In thesecond example, the load balancer's frontendcomponents and URL map are created in one service project, while the loadbalancer's backend service and backends are created in a different serviceproject. This type of deployment, where the URL map in one project referencesa backend service in another project, is referred to ascross-projectservice referencing.

Both examples require the same initial configuration togrant permissions,configure the network and subnet in thehost project, andset up Shared VPCbefore you can start creating load balancers.

These are not the only Shared VPC configurations supported by theglobal external Application Load Balancer. For other valid Shared VPC architectures, seeShared VPC architecture.

If you don't want to use a Shared VPC network, seeSet up a global external Application Load Balancer with VM instance groupbackends.

Before you begin

Permissions required

Setting up a load balancer on a Shared VPC network requires someinitial setup and provisioning by an administrator. After the initial setup, aservice project owner can do one of the following:

  • Deploy all the load balancer's components and its backends in a service project.
  • Deploy the load balancer's backend components (backend service and backends) in service projects that can be referenced by a URL map in another service or host project.

This section summarizes the permissions required to follow this guideto set up a load balancer on a Shared VPC network.

Set up Shared VPC

The following roles are required for the following tasks:

  1. Perform one-off administrative tasks such as setting up theShared VPC and enabling a host project.
  2. Perform administrative tasks that must be repeated every time you want to onboard a newservice project. This includes attaching the service project, provisioningand configuring networking resources, and granting access to the serviceproject administrator.

These tasks must be performed in the Shared VPC host project. Werecommend that the Shared VPC Admin also be the owner of theShared VPC host project. This automatically grants the Network Admin andSecurity Admin roles.

TaskRequired role
Set up Shared VPC, enable host project, and grant access to service project administratorsShared VPC Admin
Create subnets in the Shared VPC host project and grant access to service project administratorsNetwork Admin
Add and remove firewall rulesSecurity Admin

After the subnets have been provisioned, the host project owner must grant theNetwork User rolein the host project to anyone (typically service projectadministrators, developers, or service accounts) who needs to use theseresources.

TaskRequired role
Use VPC networks and subnets belonging to the host projectNetwork User

This role can be granted on the project level or for individual subnets. Werecommend that you grant the role on individual subnets. Granting the role onthe project provides access to all current and future subnets in theVPC network of the host project.

Deploy load balancer and backends

Service project administrators need the following rolesin the service projectto create load balancing resources and backends. These permissions are grantedautomatically to the service project owner or editor.

Roles granted in the service project
TaskRequired role
Create load balancer componentsNetwork Admin
Create instancesInstance Admin
Create and modify SSL certificatesSecurity Admin

Reference cross-project backend services

If your load balancer needs to reference backend services from other serviceprojects, also known ascross-project servicereferencing, load balanceradministrators will require the following rolein the service project where thebackend service is created.

Roles granted in the service project
TaskRequired role
Permissions to use services in other projectsLoad Balancer Services User

This role can be granted either at the project level or for individual backendservices. For instructions about how to grant this role, see thecross-projectservice referencing example on this page.

For more information about IAM, see the following guides:

Prerequisites

In this section, you need to perform the following steps:

  1. Configure the network and subnets in the host project.
  2. Set up Shared VPC in the host project.

The steps in this section do not need to be performed every time you want tocreate a new load balancer. However, you must ensure that you have access tothe resources described here before you proceed to creating the load balancer.

Configure the network and subnets in the host project

You need a Shared VPC network with a subnet for the loadbalancer's backends.

This example uses the following network, region, and subnet:

  • Network. The network is namedlb-network.

  • Subnet for load balancer's backends. A subnetnamedlb-backend-subnet in theus-west1 region uses10.1.2.0/24 for its primary IP range.

Note: You can change the name of the network, the region, and the parameters forthe subnets; however, subsequent steps in this guide use the network, region,and subnet parameters as outlined here.

Configure the subnet for the load balancer's backends

This step does not need to be performed every time you want to create a newload balancer. You only need to ensure that the service project has access toa subnet in the Shared VPC network.

All the steps in this section must be performed in the host project.

Console

  1. In the Google Cloud console, go to theVPC networks page.

    Go to VPC networks

  2. ClickCreate VPC network.
  3. ForName, enterlb-network.

  4. In theSubnets section:

    1. Set theSubnet creation mode toCustom.

    2. In theNew subnet section, enter the following information:

      • Name:lb-backend-subnet

      • Region:us-west1

      • IP address range:10.1.2.0/24

    3. ClickDone.

  5. ClickCreate.

gcloud

  1. Create a VPC network with thegcloud computenetworks create command:

    gcloud compute networks create lb-network --subnet-mode=custom

  2. Create a subnet in thelb-network network in theus-west1 region:

    gcloud compute networks subnets create lb-backend-subnet
        --network=lb-network
        --range=10.1.2.0/24
        --region=us-west1

Give service project admins access to the backend subnet

Service project administrators require access to thelb-backend-subnet subnet so that they can provision the loadbalancer's backends.

A Shared VPC Admin must grant access to the backend subnet to serviceproject administrators (or developers who deploy resources and backendsthat use the subnet). For instructions, seeService Project Admins for some subnets.

Configure firewall rules in the host project

This example uses the following firewall rule:
  • fw-allow-health-check. An ingress rule, applicable to the instancesbeing load balanced, that allows all TCP traffic from the Google Cloudhealth checking systems in130.211.0.0/22 and35.191.0.0/16. Thisexample uses the target tagload-balanced-backend to identify the instancesto which it should apply.
Without this firewall rule, thedefault denyingress rule blocks incomingtraffic to the backend instances.

All the steps in this section must be performed in the host project.

Console

  1. In the Google Cloud console, go to theFirewall policies page.

    Go to Firewall policies

  2. ClickCreate firewall rule to create the rule to allow Google Cloud health checks:
    • Name:fw-allow-health-check
    • Network:lb-network
    • Direction of traffic: Ingress
    • Action on match: Allow
    • Targets: Specified target tags
    • Target tags:load-balanced-backend
    • Source filter: IPv4 ranges
    • Source IPv4 ranges:130.211.0.0/22 and35.191.0.0/16
    • Protocols and ports:
      • ChooseSpecified protocols and ports.
      • CheckTCP and enter80 for the port number.

        • As a best practice, limit this rule to just the protocols and ports that match those used by your health check. If you usetcp:80 for the protocol and port, Google Cloud can use HTTP on port80 to contact your VMs, but it cannot use HTTPS on port443 to contact them.

  3. ClickCreate.

gcloud

  1. Create thefw-allow-health-check firewall rule to allowGoogle Cloud health checks. This example allows all TCP trafficfrom health check probers. However, you can configure a narrower setof ports to meet your needs.

    gcloud compute firewall-rules create fw-allow-health-check \   --network=lb-network \   --action=allow \   --direction=ingress \   --source-ranges=130.211.0.0/22,35.191.0.0/16 \   --target-tags=load-balanced-backend \   --rules=tcp

Set up Shared VPC in the host project

This step entails enabling a Shared VPC host project, sharing subnets ofthe host project, and attaching service projects to the host project so that theservice projects can use the Shared VPC network. To set upShared VPC in the host project, see the following pages:

Note: Managed instance groups used with Shared VPC require making theGoogle APIs service account a Service Project Admin. This is because taskslike automatic instance creation via autoscaling are performedby this type of service account. To define theGoogle APIs service account asa Service Project Admin for the subnet in the Shared VPC hostproject, seeGoogle APIs service account as a Service ProjectAdmin.

The rest of these instructions assume that you have already set upShared VPC. This includessetting up IAM policies for yourorganization and designatingthe host and service projects.

Don't proceed until you have set up Shared VPC and enabled the hostand service projects.

After completing the steps defined in this prerequisites section, you can pursueeither of the following setups:

Configure a load balancer in one service project

After you have configured the VPC network in the host projectand set up Shared VPC, you can switch your attention to theservice project, in which you need to create all the load balancing components(backend service, URL map, target proxy, and forwarding rule) and the backends.

This section assumes that you have carried out the prerequisite steps describedin the previous section in the host project. In this section, the loadbalancer's frontend and backend components along with the backends are createdin one service project.

The following figure depicts the components of a global external Application Load Balancer in oneservice project, which is attached to the host project in a Shared VPCnetwork.

Load balancer's frontend and backend components in one service project
Figure 1. Load balancer's frontend and backend components in one service project

These steps should be carried out by the service project administrator (or adeveloper operating within the service project) and do not require involvementfrom the host project administrator. The steps in this section aresimilar to thestandard steps to set up aglobal external Application Load Balancer.

The example on this page explicitly sets a reserved IP address forthe global external Application Load Balancer's forwarding rule, rather than allowing anephemeral IP address to be allocated. As a best practice, we recommendreserving IP addresses for forwarding rules.

Create a managed instance group backend

Note: When using Shared VPC to create a managed instance group (MIG),you need to define theGoogle APIs service account as a Service ProjectAdmin for the subnetin the Shared VPC host project.

The precursor to creating a managed instance group is the creation of aninstance template, which is a resource that you can use to create virtualmachine (VM) instances. Traffic from clients is load balanced to VMs inan instance group. The managed instance group provides VMs that run thebackend servers of an external Application Load Balancer. In this example, the backendsserve their own hostnames.

Console

Create an instance template

  1. In the Google Cloud console, go to the Compute EngineInstance templates page.

    Go to Instance templates

  2. ClickCreate instance template.

  3. ForName, enterbackend-template.

  4. In theBoot disk section, ensure that the boot disk is set to a Debianimage, such asDebian GNU/Linux 12 (bookworm). ClickChange to changethe image if necessary.

  5. Expand theAdvanced options section.

  6. Expand theNetworking section, and in theNetwork tags field, enterload-balanced-backend.

  7. ForNetwork interfaces, selectNetworks shared with me (from hostproject:HOST_PROJECT_ID).

  8. In theShared subnetwork list, select thelb-backend-subnetsubnet from thelb-network network.

  9. Expand theManagement section, and in theAutomation field, specify thefollowing startup script:

     #!/bin/bash apt-get update apt-get install apache2 -y a2ensite default-ssl a2enmod ssl vm_hostname="$(curl -H "Metadata-Flavor:Google" \ http://metadata.google.internal/computeMetadata/v1/instance/name)" echo "Page served from: $vm_hostname" | \ tee /var/www/html/index.html systemctl restart apache2

  10. ClickCreate.

Create a managed instance group

  1. In the Google Cloud console, go to the Compute EngineInstance groups page.

    Go to Instance groups

  2. ClickCreate Instance Group.

  3. From the options, selectNew managed instance group (stateless).

  4. For the name of the instance group, enterlb-backend.

  5. In theInstance template list, select the instance templatebackend-template that you created in the previous step.

  6. In theLocation section, selectSingle zone, and enter the followingvalues:

    • ForRegion, selectus-west1.

    • ForZone, selectus-west1-a.

  7. In theAutoscaling section, enter the following values:

    • ForAutoscaling mode, selectOn: add and remove instances to thegroup.

    • ForMinimum number of instances, select2.

    • ForMaximum number of instances, select3.

  8. In thePort mapping section, clickAdd port, and enter thefollowing values:

    • ForPort name, enterhttp.

    • ForPort number, enter80.

  9. ClickCreate.

gcloud

  1. Create an instance template:

    gcloud compute instance-templates create backend-template \    --region=us-west1 \    --network=projects/HOST_PROJECT_ID/global/networks/lb-network \    --subnet=projects/HOST_PROJECT_ID/regions/us-west1/subnetworks/lb-backend-subnet \    --tags=load-balanced-backend \    --image-family=debian-12 \    --image-project=debian-cloud \    --metadata=startup-script='#! /bin/bash    apt-get update    apt-get install apache2 -y    a2ensite default-ssl    a2enmod ssl    vm_hostname="$(curl -H "Metadata-Flavor:Google" \    http://metadata.google.internal/computeMetadata/v1/instance/name)"    echo "Page served from: $vm_hostname" | \    tee /var/www/html/index.html    systemctl restart apache2' \    --project=SERVICE_PROJECT_ID

  2. Create a managed instance group and select the instance templatethat you created in the preceding step:

    gcloud compute instance-groups managed create lb-backend \    --zone=us-west1-a \    --size=2 \    --template=backend-template \    --project=SERVICE_PROJECT_ID

  3. Add a named port to the instance group:

    gcloud compute instance-groups set-named-ports lb-backend \    --named-ports=http:80 \    --zone=us-west1-a \    --project=SERVICE_PROJECT_ID

Create a health check

Health checks are tests that confirm the availability of backends. Create ahealth check that uses the HTTP protocol and probes on port80. Later, you'llattach this health check to the backend service referenced by the load balancer.

Console

  1. In the Google Cloud console, go to the Compute EngineHealth checks page.

    Go to Health checks

  2. For the name of the health check, enterlb-health-check.

  3. Set the protocol toHTTP.

  4. ClickCreate.

gcloud

Create an HTTP health check.

gcloud compute health-checks create http lb-health-check \  --use-serving-port \  --project=SERVICE_PROJECT_ID

Reserve the load balancer's IP address

Reserve a global static external IP address that can be assigned to theforwarding rule of the load balancer.

Console

  1. In the Google Cloud console, go to the VPCIP addresses page.

    Go to IP addresses

  2. ClickReserve external static IP address.

  3. ForName, enterlb-ipv4-1.

  4. SetNetwork Service Tier toPremium.

  5. SetIP version toIPv4.

  6. SetType toGlobal.

  7. ClickReserve.

gcloud

Create a global static external IP address.

gcloud compute addresses create lb-ipv4-1 \  --ip-version=IPV4 \  --network-tier=PREMIUM \  --global  --project=SERVICE_PROJECT_ID

Set up an SSL certificate resource

For a load balancer that uses HTTPS as the request-and-response protocol, createan SSL certificate resource as described in the following resources:

We recommend using a Google-managed certificate.

This example assumes that you have created an SSL certificate namedlb-ssl-cert. The SSL certificate is attached to the target proxy that you willcreate in one of the following steps.

Warning: Don't use a self-signed certificate for production purposes.

Configure the load balancer

This section shows you how to create the following resources for aglobal external Application Load Balancer:

  • Backend service with a managed instance group as the backend
  • URL map
  • SSL certificate (required only for HTTPS traffic)
  • Target proxy
  • Forwarding rule

In this example, you can use HTTP or HTTPS as the request-and-response protocolbetween the client and the load balancer. For HTTPS, you need anSSLcertificate resource to configure the proxy. We recommend using aGoogle-managed certificate.

Console

Select the load balancer type

  1. In the Google Cloud console, go to theLoad balancing page.

    Go to Load balancing

  2. ClickCreate load balancer.
  3. ForType of load balancer, selectApplication Load Balancer (HTTP/HTTPS) and clickNext.
  4. ForPublic facing or internal, selectPublic facing (external) and clickNext.
  5. ForGlobal or single region deployment, selectBest for global workloads and clickNext.
  6. ForLoad balancer generation, selectGlobal external Application Load Balancer and clickNext.
  7. ClickConfigure.

Basic configuration

  1. For the load balancer name, enterl7-xlb-shared-vpc.

Configure the load balancer frontend

For HTTP traffic:

  1. ClickFrontend configuration.

  2. For the name of the load balancer frontend, enterhttp-fw-rule.

  3. ForProtocol, selectHTTP.

  4. SetIP version toIPv4.

  5. ForIP address, selectlb-ipv4-1, which is the IP address that youreserved earlier.

  6. Set thePort to80 to allow HTTP traffic.

  7. To complete the frontend configuration, clickDone.

  8. Verify that there is a blue checkmark next toFrontend configuration before continuing.

For HTTPS traffic:

  1. ClickFrontend configuration.

  2. For the name of the load balancer frontend, enterhttps-fw-rule.

  3. ForProtocol, selectHTTPS.

  4. SetIP version toIPv4.

  5. ForIP address, selectlb-ipv4-1, which is the IP address that youreserved earlier.

  6. Set thePort to443 to allow HTTPS traffic.

  7. In theCertificate list, select theSSL certificate thatyou created.

  8. To complete the frontend configuration, clickDone.

  9. Verify that there is a blue check mark next toFrontend configurationbefore continuing.

Configure the backend

  1. ClickBackend configuration.

  2. In theBackend services and backend buckets menu, clickCreate abackend service.

  3. For the name of the backend service, enterlb-backend-service.

  4. ForBackend type, selectInstance group.

  5. SetProtocol toHTTP.

  6. In theNamed port field, enterhttp. This is the same port name thatyou entered while creating the managed instance group.

  7. To addbackends to the backend service, do the following:

    1. In theBackends section, set theInstance group tolb-backend, which is the managed instance group that youcreated in an earlier step.

    2. ForPort numbers, enter80.

    3. To add the backend, clickDone.

  8. To add a health check, in theHealth check list, selectlb-health-check, which is the health check that you created earlier.

  9. To create the backend service, clickCreate.

  10. Verify that there is a blue check mark next toBackend configurationbefore continuing.

Configure the routing rules

  • ClickRouting rules. Ensure thatlb-backend-service is thedefault backend service for any unmatched host and any unmatched path.

For information about traffic management, seeSet up traffic management.

Review and finalize the configuration

  1. ClickReview and finalize.

  2. Review the frontend and backend settings of the load balancer to ensurethat it is configured as desired.

  3. ClickCreate, and then wait for the load balancer to be created.

gcloud

  1. Create a backend service to distribute traffic among backends:

    gcloud compute backend-services create lb-backend-service \    --load-balancing-scheme=EXTERNAL_MANAGED \    --protocol=HTTP \    --port-name=http \    --health-checks=lb-health-check \    --global \    --project=SERVICE_PROJECT_ID

  2. Add your instance group as the backend to the backend service:

    gcloud compute backend-services add-backend lb-backend-service \    --instance-group=lb-backend \    --instance-group-zone=us-west1-a \    --global \    --project=SERVICE_PROJECT_ID

  3. Create a URL map to route incoming requests to the backend service:

    gcloud compute url-maps create lb-map \    --default-service=lb-backend-service \    --global \    --project=SERVICE_PROJECT_ID

  4. Create a target proxy.

    For HTTP traffic, create a target HTTP proxy to routerequests to the URL map:

    gcloud compute target-http-proxies create http-proxy \    --url-map=lb-map \    --global \    --project=SERVICE_PROJECT_ID

    For HTTPS traffic, create a target HTTPS proxy to routerequests to the URL map. The proxy is the part of the loadbalancer that holds the SSL certificate for an HTTPS load balancer,so you also load yourSSL certificate in this step:

    gcloud compute target-https-proxies create https-proxy \    --url-map=lb-map \    --ssl-certificates=lb-ssl-cert    --global \    --project=SERVICE_PROJECT_ID

  5. Create a forwarding rule.

    For HTTP traffic, create a global forwarding rule to routeincoming requests to the target proxy:

    gcloud compute forwarding-rules create http-fw-rule \    --load-balancing-scheme=EXTERNAL_MANAGED \    --address=lb-ipv4-1 \    --global \    --target-http-proxy=http-proxy \    --ports=80 \    --project=SERVICE_PROJECT_ID

    For HTTPS traffic, create a global forwarding rule to routeincoming requests to the target proxy:

    gcloud compute forwarding-rules create https-fw-rule \    --load-balancing-scheme=EXTERNAL_MANAGED \    --address=lb-ipv4-1 \    --global \    --target-https-proxy=https-proxy \    --ports=443 \    --project=SERVICE_PROJECT_ID

Test the load balancer

When the load balancing service is running, you can sendtraffic to the forwarding rule and watch the traffic be dispersed to differentinstances.

Console

  1. In the Google Cloud console, go to theLoad balancing page.

    Go to Load balancing

  2. Click the load balancer that you just created.

  3. Note the load balancer's IP address. This IP address is referred to asLB_IP_ADDRESS in the following steps.

  4. In theBackend section, confirm that the VMs are healthy.

    TheHealthy column should be populated, indicating that the VMs arehealthy—for example, if two instances are created, then you shouldsee a message indicating2 of 2 with a green check mark next to it. Ifyou see otherwise, first try reloading the page. It can take a fewminutes for the Google Cloud console to indicate that the VMs arehealthy. If the backends do not appear healthy after a few minutes,review the firewall configuration and the network tag assigned to yourbackend VMs.

  5. After the Google Cloud console shows that the backend instances arehealthy, you can test your load balancer by pointing your web browser tohttps://LB_IP_ADDRESS (orhttp://LB_IP_ADDRESS). ReplaceLB_IP_ADDRESS with theload balancer's IPaddress.

  6. If you used a self-signed certificate for testing HTTPS, your browserdisplays a warning. You must explicitly instruct your browser to accept aself-signed certificate.

  7. Your browser should render a page with content showing the name of theinstance that served the page (for example,Page served from:lb-backend-example-xxxx). If your browser doesn't render this page,review the configuration settings in this guide.

gcloud

Note the IP address that was reserved:

gcloud compute addresses describeIP_ADDRESS_NAME \    --format="get(address)" \    --global

You can test your load balancer by pointing your web browser tohttps://LB_IP_ADDRESS (orhttp://LB_IP_ADDRESS). ReplaceLB_IP_ADDRESS with theload balancer's IPaddress.

If you used a self-signed certificate for testing HTTPS, your browserdisplays a warning. You must explicitly instruct your browser to accept aself-signed certificate.

Your browser should render a page with minimal information about the backendinstance. If your browser doesn't render this page, review the configurationsettings in this guide.

Configure a load balancer with a cross-project backend service

This section shows you how to configure a load balancer with across-project backend service in aShared VPC environment.

Before you begin

The previous example on this page shows you how to set up a Shared VPCdeployment where all the load balancer components and its backends are createdin one service project. Global external Application Load Balancers also let you configureShared VPC deployments where a URL map in one host or service projectreferences backend services (and backends) located across multiple serviceprojects in the Shared VPC environment.

You can use the steps in this section as a reference to configure any ofthe supported combinations listed here:

  • Forwarding rule, target proxy, and URL map in the host project, and backendservice in a service project
  • Forwarding rule, target proxy, and URL map in one service project, and backendservice in another service project

While this section uses a Shared VPC environment to configure across-project deployment, a Shared VPC environment isn't required. Forglobal external Application Load Balancers, your load balancer frontend can reference backendservices or backend buckets from any project within the same organization.

Setup requirements

If you haven't already done so, you must complete all of the prerequisite stepsto set up Shared VPC and configure the network, subnets, and firewallrules required for this example. For instructions, see the following sections atthe beginning of this page:

In this setup, the forwarding rule, target proxy, and URLmap are located in one service project, and the backend service andbackends are located in another service project.

  1. In service project B, you'll configure the followingbackend resources:
    • Managed instance group backend
    • Health check
    • Global backend service
  2. In service project A, you'll configure the followingfrontend resources:
    • IP address
    • SSL certificate
    • URL map
    • Target proxy
    • Forwarding rule

The following figure depicts a global external Application Load Balancer in which the loadbalancer's backend service in one service project is referenced by a URL map inanother service project.

Load balancer's frontend and backend components in different service projects
Figure 2. Load balancer's frontend and backend in different service projects

Cross-project service referencing with a global external Application Load Balancerdoes not require backend instances to be a part of the same VPCnetwork or a Shared VPC network.

In this example, the backend VMs in the service project are a part of theShared VPC network that is created in the host project. However, youcan also set up a standalone VPC network (that is, an unsharedVPC network), along with the required firewall rules, in a service project.You can then create backend instances (for example, an instance group) thatare a part of this standalone VPC network. After you create thebackend instances, you can follow the remaining steps, as depicted in thisexample, to create a backend service in the service project and connect it toa URL map in another service project by using cross-project servicereferencing.

Configure the load balancer's backend components in service project B

In this section, you need to configure the following backend resources inservice project B:

  • Managed instance group
  • Health check
  • Global backend service

Create a managed instance group backend

Note: When using Shared VPC to create a managed instance group, you need to define theGoogle APIs service account as a Service Project Admin for the subnet in the Shared VPC host project.

The precursor to creating a managed instance group is the creation of aninstance template, which is a resource that you can use to create virtualmachine (VM) instances. Traffic from clients is load balanced to VMs in aninstance group. The managed instance group provides VMs that run the backendservers of an external Application Load Balancer. In this example, the backends serve their ownhostnames.

Console

Create an instance template

  1. In the Google Cloud console, go to the Compute EngineInstance templates page.

    Go to Instance templates

  2. ClickCreate instance template.

  3. ForName, enterbackend-template.

  4. In theBoot disk section, ensure that the boot disk is set to a Debianimage, such asDebian GNU/Linux 12 (bookworm). ClickChange to change theimage if necessary.

  5. Expand theAdvanced options section.

  6. Expand theNetworking section, and in theNetwork tags field, enterload-balanced-backend.

  7. ForNetwork interfaces, selectNetworks shared with me (from hostproject:HOST_PROJECT_ID).

  8. In theShared subnetwork list, select thelb-backend-subnetsubnet from thelb-network network.

  9. Expand theManagement section, and in theAutomation field,specify the following startup script:

      #!/bin/bash  apt-get update  apt-get install apache2 -y  a2ensite default-ssl  a2enmod ssl  vm_hostname="$(curl -H "Metadata-Flavor:Google" \  http://metadata.google.internal/computeMetadata/v1/instance/name)"  echo "Page served from: $vm_hostname" | \  tee /var/www/html/index.html  systemctl restart apache2

  10. ClickCreate.

Create a managed instance group

  1. In the Google Cloud console, go to the Compute EngineInstance groups page.

    Go to Instance groups

  2. ClickCreate Instance Group.

  3. From the options, selectNew managed instance group (stateless).

  4. For the name of the instance group, enterlb-backend.

  5. In theInstance template list, select the instance templatebackend-template that you created in the previous step.

  6. In theLocation section, selectSingle zone, and enter the followingvalues:

    • ForRegion, selectus-west1.

    • ForZone, selectus-west1-a.

  7. In theAutoscaling section, enter the following values:

    • ForAutoscaling mode, selectOn: add and remove instances to thegroup.

    • ForMinimum number of instances, select2.

    • ForMaximum number of instances, select3.

  8. In thePort mapping section, clickAdd port, and enter thefollowing values:

    • ForPort name, enterhttp.

    • ForPort number, enter80.

  9. ClickCreate.

gcloud

  1. Create an instance template:

    gcloud compute instance-templates create backend-template \    --region=us-west1 \    --network=projects/HOST_PROJECT_ID/global/networks/lb-network \    --subnet=projects/HOST_PROJECT_ID/regions/us-west1/subnetworks/lb-backend-subnet \    --tags=load-balanced-backend \    --image-family=debian-12 \    --image-project=debian-cloud \    --metadata=startup-script='#! /bin/bash    apt-get update    apt-get install apache2 -y    a2ensite default-ssl    a2enmod ssl    vm_hostname="$(curl -H "Metadata-Flavor:Google" \    http://metadata.google.internal/computeMetadata/v1/instance/name)"    echo "Page served from: $vm_hostname" | \    tee /var/www/html/index.html    systemctl restart apache2' \    --project=SERVICE_PROJECT_B_ID

  2. Create a managed instance group and select the instance template that youcreated in the preceding step:

    gcloud compute instance-groups managed create lb-backend \    --zone=us-west1-a \    --size=2 \    --template=backend-template \    --project=SERVICE_PROJECT_B_ID

  3. Add a named port to the instance group:

    gcloud compute instance-groups set-named-ports lb-backend \    --named-ports=http:80 \    --zone=us-west1-a \    --project=SERVICE_PROJECT_B_ID

Create a health check

Health checks are tests that confirm the availability of backends. Create ahealth check that uses the HTTP protocol and probes on port80. Later, you'llattach this health check to the backend service referenced by the load balancer.

Console

  1. In the Google Cloud console, go to the Compute EngineHealth checks page.

    Go to Health checks

  2. For the name of the health check, enterlb-health-check.

  3. Set the protocol toHTTP.

  4. ClickCreate.

gcloud

Create an HTTP health check.

gcloud compute health-checks create http lb-health-check \  --use-serving-port \  --project=SERVICE_PROJECT_B_ID

Create a global backend service

Create a global backend service to distribute traffic among backends. As a partof this step, you need to assign the health check that you created to thebackend service and add the instance group as the backend to the backend service.

Console

  1. In the Google Cloud console, go to theLoad balancing page.

    Go to Load balancing

  2. Go to theBackends section.

  3. ClickCreate backend service.

  4. ForGlobal backend service, click theCreate button next to it.

  5. For the name of the backend service, entercross-ref-backend-service.

  6. ForBackend type, selectInstance group.

  7. SetProtocol toHTTP.

  8. In theNamed port field, enterhttp. This is the same port name thatyou entered while creating the managed instance group.

  9. To addbackends to the backend service, do the following:

    1. In theBackends section, set theInstance group tolb-backend, which is the managed instance group that youcreated in an earlier step.

    2. ForPort numbers, enter80.

    3. To add the backend, clickDone.

  10. To add a health check, in theHealth check list, selectlb-health-check, which is the health check that you created earlier.

  11. Optional: In theAdd permissions section, enter theIAM principals from other projects (typically an emailaddress) that have the Compute Load Balancer Admin role(roles/compute.loadBalancerAdmin) so that they can use this backendservice for load balancers in their own projects. Without this permission,you can't use cross-project service referencing.

    If you don't have permission to set access control policies forbackend services in this project, you can still create the backendservice now, and an authorized user can perform this step later asdescribed in the section,Grant permissions to the Compute Load BalancerAdmin to use the backend service. That section alsodescribes how to grant access to all the backend services in thisproject, so that you don't have to grant access every time you createa new backend service.

  12. To create the backend service, clickCreate.

gcloud

  1. Create a global backend service to distribute traffic among backends:

    gcloud compute backend-services create cross-ref-backend-service \    --load-balancing-scheme=EXTERNAL_MANAGED \    --protocol=HTTP \    --port-name=http \    --health-checks=lb-health-check \    --global \    --project=SERVICE_PROJECT_B_ID

  2. Add your instance group as the backend to the backend service:

    gcloud compute backend-services add-backend cross-ref-backend-service \    --instance-group=lb-backend \    --instance-group-zone=us-west1-a \    --global \    --project=SERVICE_PROJECT_B_ID

Configure the load balancer's frontend components in service project A

In this section, you need to configure the following frontend resources inservice project A:

  • IP address
  • SSL certificate
  • URL map
  • Target proxy
  • Forwarding rule

Reserve the load balancer's IP address

Reserve a global static external IP address that can be assigned to theforwarding rule of the load balancer.

Console

  1. In the Google Cloud console, go to the VPCIP addresses page.

    Go to IP addresses

  2. ClickReserve external static IP address.

  3. ForName, entercross-ref-ip-address.

  4. SetNetwork Service Tier toPremium.

  5. SetIP version toIPv4.

  6. SetType toGlobal.

  7. ClickReserve.

gcloud

Create a global static external IP address.

gcloud compute addresses create cross-ref-ip-address \    --ip-version=IPV4 \    --network-tier=PREMIUM \    --global \    --project=SERVICE_PROJECT_A_ID

Set up an SSL certificate resource

For a load balancer that uses HTTPS as the request-and-response protocol, createan SSL certificate resource as described in the following resources:

We recommend using a Google-managed certificate.

This example assumes that you have created an SSL certificate namedlb-ssl-cert. The SSL certificate is attached to the target proxy that you willcreate in one of the following steps.

Warning: Don't use a self-signed certificate for production purposes.

Create the frontend components

Console

Select the load balancer type

  1. In the Google Cloud console, go to theLoad balancing page.

    Go to Load balancing

  2. ClickCreate load balancer.
  3. ForType of load balancer, selectApplication Load Balancer (HTTP/HTTPS) and clickNext.
  4. ForPublic facing or internal, selectPublic facing (external) and clickNext.
  5. ForGlobal or single region deployment, selectBest for global workloads and clickNext.
  6. ForLoad balancer generation, selectGlobal external Application Load Balancer and clickNext.
  7. ClickConfigure.

Basic configuration

  1. Enter theName of the load balancer:cross-ref-lb-shared-vpc.
  2. Keep the page open to continue.

Configure the frontend

For HTTP:

  1. ClickFrontend configuration.
  2. Enter aName for the forwarding rule:cross-ref-http-forwarding-rule.
  3. Set theProtocol toHTTP.
  4. Select theIP address that you created inReserve the load balancer's IP address, calledcross-ref-ip-address.
  5. Set thePort to80.
  6. ClickDone.

For HTTPS:

If you are using HTTPS between the client and the load balancer,you need one or more SSL certificate resources to configure the proxy.For information about how to create SSL certificate resources, seeSSL certificates. Google-managedcertificates aren't supported with regional external Application Load Balancers.

  1. ClickFrontend configuration.
  2. Enter aName for the forwarding rule:cross-ref-https-forwarding-rule.
  3. In theProtocol field, selectHTTPS (includes HTTP/2).
  4. Select theIP address that you created inReserve the load balancer's IP address, calledcross-ref-ip-address.
  5. Ensure that thePort is set to443 to allow HTTPS traffic.
  6. Click theCertificate list.
    1. If you already have aself-managed SSLcertificate resourcethat you want to use as the primary SSL certificate, select it from themenu.
    2. Otherwise, selectCreate a new certificate.
      1. Enter aName for the SSL certificate.
      2. In the appropriate fields upload your PEM-formatted files:
        • Public key certificate
        • Certificate chain
        • Private key
      3. ClickCreate.
  7. To add certificate resources in addition tothe primary SSL certificate resource:
    1. ClickAdd certificate.
    2. Select a certificate from theCertificates list or clickCreate a new certificate and follow the previous instructions.
  8. ClickDone.

Configure the backend

  1. ClickBackend configuration.
  2. ClickCross-project backend services.
  3. ForProject ID, enter theprojectIDfor service project B.
  4. From theSelect backend services list, select the backend servicesfrom service project B that you want to use. For this example, you entercross-ref-backend-service.
  5. ClickOK.

Configure the routing rules

  • ClickRouting rules. Ensure that thecross-ref-backend-serviceis the only backend service for any unmatched host and any unmatchedpath.

For information about traffic management, seeSet up trafficmanagement.

Review and finalize the configuration

  • ClickCreate.

gcloud

  1. Optional: Before creating a load balancer with cross-referencing backendservices, find out whether the backend services you want to refer to can bereferenced using a URL map:

    gcloud compute backend-services list-usable \    --global \    --project=SERVICE_PROJECT_B_ID

  2. Create a URL map to route incoming requests to the backend service:

    gcloud compute url-maps create cross-ref-url-map \    --default-service=projects/SERVICE_PROJECT_B_ID/global/backendServices/cross-ref-backend-service \    --global \    --project=SERVICE_PROJECT_A_ID

  3. Create a target proxy.

    For HTTP traffic, create a target HTTP proxy to routerequests to the URL map:

    gcloud compute target-http-proxies create cross-ref-http-proxy \    --url-map=cross-ref-url-map \    --global \    --project=SERVICE_PROJECT_A_ID

    For HTTPS traffic, create a target HTTPS proxy to routerequests to the URL map. The proxy is the part of the loadbalancer that holds the SSL certificate for an HTTPS loadbalancer, so you also load yourSSL certificate in this step:

    gcloud compute target-https-proxies create cross-ref-https-proxy \    --url-map=cross-ref-url-map \    --ssl-certificates=lb-ssl-cert \    --global \    --project=SERVICE_PROJECT_A_ID

  4. Create a forwarding rule.

    For HTTP traffic, create a global forwarding rule to routeincoming requests to the target proxy:

    gcloud compute forwarding-rules create cross-ref-http-forwarding-rule \    --load-balancing-scheme=EXTERNAL_MANAGED \    --address=cross-ref-ip-address \    --global \    --target-http-proxy=cross-ref-http-proxy \    --ports=80 \    --project=SERVICE_PROJECT_A_ID

    For HTTPS traffic, create a global forwarding rule to routeincoming requests to the target proxy:

    gcloud compute forwarding-rules create cross-ref-https-forwarding-rule \    --load-balancing-scheme=EXTERNAL_MANAGED \    --address=cross-ref-ip-address \    --global \    --target-https-proxy=cross-ref-https-proxy \    --ports=443 \    --project=SERVICE_PROJECT_A_ID

Grant permissions to the Compute Load Balancer Admin to use the backend service

If you want load balancers to reference backend services in other serviceprojects, the Load Balancer Admin must have thecompute.backendServices.usepermission. To grant this permission, you can use the predefinedIAM role calledCompute Load Balancer Services User (roles/compute.loadBalancerServiceUser).This role must be granted by the Service Project Admin and can be applied atthe project level or at the individual backend service level.

This step isnot required if you already granted the required permissionsat the backend service level whilecreating the backendservice. You can either skip this section or continuereading to learn how to grant access to all the backend services in thisproject so that you don't have to grant access every time you create a newbackend service.

In this example, a Service Project Admin from service project B must runoneof the following commands to grant thecompute.backendServices.use permissionto a Load Balancer Admin from service project A. This can be done either at theproject level (for all backend services in the project) or per backend service.

Console

Project-level permissions

Use the following steps to grant permissions to all backend services inyour project.

You require thecompute.backendServices.setIamPolicy and theresourcemanager.projects.setIamPolicy permissions to complete this step.

  1. In the Google Cloud console, go to theIAM page.

    Go to IAM

  2. Select your project.

  3. ClickGrantaccess.

  4. In theNew principals field, enter the principal's email address orother identifier.

  5. In theSelect a role list, select theCompute Load BalancerServices User.

  6. Optional: Add acondition to the role.

  7. ClickSave.

Resource-level permissions for individual backend services

Use the following steps to grant permissions to individual backendservices in your project.

You require thecompute.backendServices.setIamPolicy permission tocomplete this step.

  1. In the Google Cloud console, go to theBackends page.

    Go to Backends

  2. From the backends list, select the backend service that you want togrant access to and clickPermissions.

  3. ClickAdd principal.

  4. In theNew principals field, enter the principal's email address orother identifier.

  5. In theSelect a role list, select theCompute Load BalancerServices User.

  6. ClickSave.

gcloud

Project-level permissions

Use the following steps to grant permissions to all backend services inyour project.

You require thecompute.backendServices.setIamPolicy and theresourcemanager.projects.setIamPolicy permissions to complete this step.

gcloud projects add-iam-policy-bindingSERVICE_PROJECT_B_ID \    --member="user:LOAD_BALANCER_ADMIN" \    --role="roles/compute.loadBalancerServiceUser"

Resource-level permissions for individual backend services

At the backend service level, Service Project Admins can useeither of thefollowing commands to grant the Compute Load Balancer Services User role(roles/compute.loadBalancerServiceUser).

You require thecompute.backendServices.setIamPolicy permission tocomplete this step.

gcloud projects add-iam-policy-bindingSERVICE_PROJECT_B_ID \    --member="user:LOAD_BALANCER_ADMIN" \    --role="roles/compute.loadBalancerServiceUser" \    --condition='expression=resource.name=="projects/SERVICE_PROJECT_B_ID/regions/us-west1/backend-services/BACKEND_SERVICE_NAME",title=Shared VPC condition'

or

gcloud compute backend-services add-iam-policy-bindingBACKEND_SERVICE_NAME \    --member="user:LOAD_BALANCER_ADMIN" \    --role="roles/compute.loadBalancerServiceUser" \    --project=SERVICE_PROJECT_B_ID \    --region=us-west1

To use these commands, replaceLOAD_BALANCER_ADMIN with theuser'sprincipal—forexample,test-user@gmail.com.

You can also configure IAM permissions so that they only applyto a subset of regional backend services by using conditions andspecifyingcondition attributes.

Test the load balancer

It can take several minutes for the load balancer to be configured. When theload balancing service is running, you can send traffic to the forwarding ruleinservice project A and watch the traffic be dispersed to different VMinstances inservice project B.

Console

  1. In the Google Cloud console, go to theLoad balancing pageinservice project A.

    Go to Load balancing

  2. Click the load balancer that you just created.

  3. Note the load balancer's IP address. This IP address is referred to asLB_IP_ADDRESS in the following steps.

  4. You can test your load balancer by pointing your web browser tohttps://LB_IP_ADDRESS (orhttp://LB_IP_ADDRESS). ReplaceLB_IP_ADDRESS with theload balancer's IPaddress.

  5. If you used a self-signed certificate for testing HTTPS, your browserdisplays a warning. You must explicitly instruct your browser to accept aself-signed certificate.

  6. Your browser should render a page with content showing the name of theinstance that served the page (for example,Page served from:lb-backend-example-xxxx). If your browser doesn't render this page,review the configuration settings in this guide.

gcloud

Note the IP address that was reserved:

gcloud compute addresses describeIP_ADDRESS_NAME \    --format="get(address)" \    --global    --project=SERVICE_PROJECT_A_ID

You can test your load balancer by pointing your web browser tohttps://LB_IP_ADDRESS (orhttp://LB_IP_ADDRESS). ReplaceLB_IP_ADDRESS with theload balancer's IPaddress.

If you used a self-signed certificate for testing HTTPS, your browserdisplays a warning. You must explicitly instruct your browser to accept aself-signed certificate.

Your browser should render a page with minimal information about the backendinstance. If your browser doesn't render this page, review the configurationsettings in this guide.

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.