Set up a regional external Application Load Balancer with VM instance group backends

This document provides instructions for configuring a regional external Application Load Balancerfor your services that run on Compute Engine VMs.

Because regional external Application Load Balancers allow you to create load balancers inspecific regions, they are often used for workloads that have jurisdictionalcompliance requirements. Workloads that require access toStandard Network Tieregress are another common use case forregional external Application Load Balancers, because the regional external Application Load Balancers support both thePremium and Standard Network Service Tier.

Before following this guide, familiarize yourself with the following:

Note: Regional external Application Load Balancers support both the Premiumand Standard Network Service Tiers. This procedure demonstrates the setup withStandard Tier.

Permissions

To follow this guide, you must be able to create instances and modify anetwork in a project. You must be either a projectowner or editor, or you must have all ofthe followingCompute Engine IAM roles.

TaskRequired role
Create networks, subnets, and load balancer componentsNetwork Admin
Add and remove firewall rulesSecurity Admin
Create instancesInstance Admin

For more information, see the following guides:

Optional: Use BYOIP addresses

With bring your own IP (BYOIP), you can import your own public addresses toGoogle Cloud to use the addresses with Google Cloud resources. Forexample, if you import your own IPv4 addresses, you can assign one to theforwarding rule when you configure your load balancer. When you follow theinstructions in this document toconfigure the load balancer, provide the BYOIP address as theIP address.

For more information about using BYOIP, seeBring your own IP addresses.

Setup overview

You can configure a regional external Application Load Balancer as described in the followinghigh-level configuration flow. The numbered steps refer to the numbers in thediagram.

Regional external Application Load Balancer numbered components
Regional external Application Load Balancer numbered components (click to enlarge)

As shown in the diagram, this example creates a regional external Application Load Balancer in aVPC network in regionus-west1, with one backend serviceand two backend instance groups.

The diagram shows the following:

  1. A VPC network with two subnets:

    1. One subnet is used for backends (instance groups).Its primary IP address range is10.1.2.0/24.

    2. One subnet is a proxy-only subnet in theus-west1 region. You mustcreate one proxy-only subnet in each region of a VPCnetwork where you use regional external Application Load Balancers. The region'sproxy-only subnet is shared among all regional load balancers inthe region. Source addresses of packets sent from the load balancersto your service's backends are allocated from theproxy-only subnet. In this example, the proxy-only subnet for the regionhas a primary IP address range of10.129.0.0/23, which is therecommended subnet size. For more information,seeProxy-only subnets.

  2. A firewall rule that permits proxy-only subnet traffic flows in yournetwork. This means adding one rule that allows TCP port80,443, and8080 traffic from10.129.0.0/23 (the range of the proxy-only subnet inthis example). Another firewall rule for thehealth checkprobes.

  3. Backend instances.

  4. Instance groups:

    1. Managed or unmanaged instance groups for Compute Engine VM deployments
    2. NEGs for GKE deployments

    In each zone, you can have a combination of backend group types based onthe requirements of your deployment.

  5. A regional health check that reports the readiness of your backends.

  6. A regional backend service that monitors the usage and health ofbackends.

  7. A regional URL map that parses the URL of a request and forwardsrequests to specific backend services based on the host and path of therequest URL.

  8. A regional target HTTP or HTTPS proxy, which receives a request from theuser and forwards it to the URL map. For HTTPS, configure a regional SSLcertificate resource. The target proxy can use either the SSL certificateor the Certificate Manager certificate to decryptSSL traffic if you configure HTTPS load balancing. The target proxy canforward traffic to your instances by using HTTP or HTTPS.

  9. A forwarding rule, which has the external IP address of your loadbalancer to forward each incoming request to the target proxy.

    The external IP address that is associated with the forwarding rule isreserved by using thegcloud compute addresses create command, asdescribed inReserving the load balancer's IPaddress.

Configure the network and subnets

You need a VPC network with two subnets: one for the loadbalancer's backends and the other for the load balancer's proxies. Aregional external Application Load Balancer is regional. Traffic within the VPCnetwork is routed to the load balancer if the traffic's source is in asubnet in the same region as the load balancer.

This example uses the following VPC network, region, andsubnets:

  • Network. The network is acustom-mode VPCnetwork namedlb-network.

  • Subnet for backends. A subnet namedbackend-subnet in theus-west1 region uses10.1.2.0/24 for its primary IP range.

  • Subnet for proxies. A subnet namedproxy-only-subnet in theus-west1 region uses10.129.0.0/23 for its primary IP range.

Note: You can change the name of the network, the region, and the parameters forthe subnets; however, subsequent steps in this guide use the network, region,and subnet parameters as outlined here.

Configure the network and subnet for backends

Console

  1. In the Google Cloud console, go to theVPC networks page.

    Go to VPC networks

  2. ClickCreate VPC network.

  3. ForName, enterlb-network.

  4. In theSubnets section:

    • SetSubnet creation mode toCustom.
    • In theNew subnet section, enter the following information:
      • Name:backend-subnet
      • Region:us-west1
      • IP address range:10.1.2.0/24
    • ClickDone.

  5. ClickCreate.

gcloud

  1. Create the custom VPC network with thegcloud computenetworks create command:

    gcloud compute networks create lb-network --subnet-mode=custom

  2. Create a subnet in thelb-network network in theus-west1 region withthegcloud compute networks subnets createcommand:

    gcloud compute networks subnets create backend-subnet \    --network=lb-network \    --range=10.1.2.0/24 \    --region=us-west1

Terraform

To create the VPC network, use thegoogle_compute_network resource.

resource "google_compute_network" "default" {  name                    = "lb-network"  auto_create_subnetworks = false  routing_mode            = "REGIONAL"}

To create the VPC subnet in thelb-network network, use thegoogle_compute_subnetwork resource.

resource "google_compute_subnetwork" "default" {  name                       = "backend-subnet"  ip_cidr_range              = "10.1.2.0/24"  network                    = google_compute_network.default.id  private_ipv6_google_access = "DISABLE_GOOGLE_ACCESS"  purpose                    = "PRIVATE"  region                     = "us-west1"  stack_type                 = "IPV4_ONLY"}

API

  1. Make aPOST request to thenetworks.insert method,replacingPROJECT_ID with your project ID.

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks{ "routingConfig": {   "routingMode": "REGIONAL" }, "name": "lb-network", "autoCreateSubnetworks": false}

  2. Make aPOST request to thesubnetworks.insert method,replacingPROJECT_ID with your project ID.

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-west1/subnetworks{ "name": "backend-subnet", "network": "projects/PROJECT_ID/global/networks/lb-network", "ipCidrRange": "10.1.2.0/24", "region": "projects/PROJECT_ID/regions/us-west1",}

Configure the proxy-only subnet

Aproxy-only subnet provides aset of IP addresses that Google uses to run Envoy proxies on your behalf. Theproxies terminate connections from the client and create new connections to thebackends.

This proxy-only subnet is used by allEnvoy-based regional loadbalancers in thesame region of thelb-network VPC network. There can only beone active proxy-only subnet per region, per network.

Important: Don't try to assign addresses from the proxy-only subnet to your loadbalancer's backends. You assign the backend instance IP addresses froma different subnet range (or ranges), not this one.Google Cloud reserves this subnet range for Google Cloud-managedproxies.

Console

If you're using the Google Cloud console, you can also wait and create theproxy-only subnet later on theLoad balancing page.

If you want to create the proxy-only subnet now, use the following steps:

  1. In the Google Cloud console, go to theVPC networks page.

    Go to VPC networks

  2. Click the name of the VPC network:lb-network.

  3. ClickAdd subnet.

  4. ForName, enterproxy-only-subnet.

  5. ForRegion, selectus-west1.

  6. SetPurpose toRegional Managed Proxy.

  7. ForIP address range, enter10.129.0.0/23.

  8. ClickAdd.

gcloud

Create the proxy-only subnet with thegcloud compute networks subnetscreate command.

gcloud compute networks subnets create proxy-only-subnet \  --purpose=REGIONAL_MANAGED_PROXY \  --role=ACTIVE \  --region=us-west1 \  --network=lb-network \  --range=10.129.0.0/23

Terraform

To create the VPC proxy-only subnet in thelb-networknetwork, use thegoogle_compute_subnetwork resource.

resource "google_compute_subnetwork" "proxy_only" {  name          = "proxy-only-subnet"  ip_cidr_range = "10.129.0.0/23"  network       = google_compute_network.default.id  purpose       = "REGIONAL_MANAGED_PROXY"  region        = "us-west1"  role          = "ACTIVE"}

API

Create the proxy-only subnet with thesubnetworks.insertmethod, replacingPROJECT_ID with your project ID.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-west1/subnetworks{  "name": "proxy-only-subnet",  "ipCidrRange": "10.129.0.0/23",  "network": "projects/PROJECT_ID/global/networks/lb-network",  "region": "projects/PROJECT_ID/regions/us-west1",  "purpose": "REGIONAL_MANAGED_PROXY",  "role": "ACTIVE"}

Configure firewall rules

This example uses the following firewall rules:

  • fw-allow-health-check. An ingress rule, applicable to the instancesbeing load balanced, that allows all TCP traffic from the Google Cloudhealth checking systems (in130.211.0.0/22 and35.191.0.0/16). Thisexample uses the target tagload-balanced-backend to identify the VMs thatthe firewall rule applies to.

  • fw-allow-proxies. An ingress rule, applicable to the instances beingload balanced, that allows TCP traffic on ports80,443, and8080 fromthe regional external Application Load Balancer's managed proxies. This example uses the targettagload-balanced-backend to identify the VMs that the firewall rule appliesto.

Without these firewall rules, thedefault denyingress rule blocks incomingtraffic to the backend instances.

Thetarget tagsdefine the backend instances. Without the target tags, the firewallrules apply to all of your backend instances in the VPC network.When you create the backend VMs, make sure toinclude the specified target tags, as shown inCreating a managed instancegroup.

Console

  1. In the Google Cloud console, go to theFirewall policies page.

    Go to Firewall rules

  2. ClickCreate firewall rule to create the rule to allowGoogle Cloud health checks:

    • Name:fw-allow-health-check
    • Network:lb-network
    • Direction of traffic:Ingress
    • Action on match:Allow
    • Targets:Specified target tags
    • Target tags:load-balanced-backend
    • Source filter:IPv4 ranges
    • Source IPv4 ranges:130.211.0.0/22 and35.191.0.0/16
    • Protocols and ports:
      • ChooseSpecified protocols and ports.
      • Select theTCP checkbox, and then enter80 for the port number.
        As a best practice, limit this rule to just the protocols and portsthat match those used by your health check. If you usetcp:80 forthe protocol and port, Google Cloud can useHTTP on port80 to contact your VMs, but it cannot use HTTPS onport443 to contact them.

  3. ClickCreate.

  4. ClickCreate firewall rule to create the rule to allowthe load balancer's proxy servers to connect the backends:

    • Name:fw-allow-proxies
    • Network:lb-network
    • Direction of traffic:Ingress
    • Action on match:Allow
    • Targets:Specified target tags
    • Target tags:load-balanced-backend
    • Source filter:IPv4 ranges
    • Source IPv4 ranges:10.129.0.0/23
    • Protocols and ports:
      • ChooseSpecified protocols and ports.
      • Select theTCP checkbox, and then enter80, 443, 8080 for theport numbers.

  5. ClickCreate.

gcloud

  1. Create thefw-allow-health-check rule to allow Google Cloudhealth checks. This example allows all TCP traffic from health checkprobers; however, you can configure a narrower set of ports to meet yourneeds.

    gcloud compute firewall-rules create fw-allow-health-check \    --network=lb-network \    --action=allow \    --direction=ingress \    --source-ranges=130.211.0.0/22,35.191.0.0/16 \    --target-tags=load-balanced-backend \    --rules=tcp

  2. Create thefw-allow-proxies rule to allow theregional external Application Load Balancer's proxies to connect to your backends. Setsource-ranges to the allocated ranges of your proxy-only subnet, forexample,10.129.0.0/23.

    gcloud compute firewall-rules create fw-allow-proxies \  --network=lb-network \  --action=allow \  --direction=ingress \  --source-ranges=source-range \  --target-tags=load-balanced-backend \  --rules=tcp:80,tcp:443,tcp:8080

Terraform

To create the firewall rules, use thegoogle_compute_firewall resource.

resource "google_compute_firewall" "default" {  name = "fw-allow-health-check"  allow {    protocol = "tcp"  }  direction     = "INGRESS"  network       = google_compute_network.default.id  priority      = 1000  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]  target_tags   = ["load-balanced-backend"]}
resource "google_compute_firewall" "allow_proxy" {  name = "fw-allow-proxies"  allow {    ports    = ["443"]    protocol = "tcp"  }  allow {    ports    = ["80"]    protocol = "tcp"  }  allow {    ports    = ["8080"]    protocol = "tcp"  }  direction     = "INGRESS"  network       = google_compute_network.default.id  priority      = 1000  source_ranges = ["10.129.0.0/23"]  target_tags   = ["load-balanced-backend"]}

API

Create thefw-allow-health-check firewall rule by making aPOST request tothefirewalls.insertmethod, replacingPROJECT_ID with your project ID.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/firewalls{  "name": "fw-allow-health-check",  "network": "projects/PROJECT-ID/global/networks/lb-network",  "sourceRanges": [    "130.211.0.0/22",    "35.191.0.0/16"  ],  "targetTags": [    "load-balanced-backend"  ],  "allowed": [    {      "IPProtocol": "tcp"    }  ],  "direction": "INGRESS"}

Create thefw-allow-proxies firewall rule to allow TCP traffic within theproxy subnet for thefirewalls.insertmethod, replacingPROJECT_ID with your project ID.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/firewalls{  "name": "fw-allow-proxies",  "network": "projects/PROJECT_ID/global/networks/lb-network",  "sourceRanges": [    "10.129.0.0/23"  ],  "targetTags": [    "load-balanced-backend"  ],  "allowed": [    {      "IPProtocol": "tcp",      "ports": [        "80"      ]    },    {      "IPProtocol": "tcp",      "ports": [        "443"      ]    },    {      "IPProtocol": "tcp",      "ports": [        "8080"      ]    }  ],  "direction": "INGRESS"}

Configure a regional external Application Load Balancer with a VM-based service

This section shows the configuration required for services that run onCompute Engine VMs. Client VMs connect to the IP address and port thatyou configure in the forwarding rule. When your client applications send trafficto this IP address and port, their requests are forwarded to your backendvirtual machines (VMs) according to your regional external Application Load Balancer's URLmap.

The example on this page explicitly creates a reserved external IP address forthe regional external Application Load Balancer's forwarding rule, rather than allowing anephemeral external IP address to be allocated. As a best practice, we recommendreserving IP addresses for forwarding rules.

Create a managed instance group backend

This section shows how to create a template and a managed instance group. Themanaged instance group provides VM instances running the backend servers of anexample regional external Application Load Balancer. Traffic from clients is load balanced tothese backend servers. For demonstration purposes, backends serve their ownhostnames.

Console

  1. Create an instance template. In the Google Cloud console, go to theInstance templates page.

    Go to Instance templates

    1. ClickCreate instance template.
    2. ForName, enterl7-xlb-backend-template.
    3. Ensure thatBoot disk is set to a Debian image, such asDebian GNU/Linux 12 (bookworm). These instructions use commands thatare only available on Debian, such asapt-get.
    4. ClickAdvanced options.
    5. ClickNetworking and configure the following fields:
      1. ForNetwork tags, enterload-balanced-backend.
      2. ForNetwork interfaces, select the following:
        • Network:lb-network
        • Subnet:backend-subnet

    6. ClickManagement. Enter the following script into theStartup script field.

      #! /bin/bashapt-get updateapt-get install apache2 -ya2ensite default-ssla2enmod sslvm_hostname="$(curl -H "Metadata-Flavor:Google" \http://metadata.google.internal/computeMetadata/v1/instance/name)"echo "Page served from: $vm_hostname" | \tee /var/www/html/index.htmlsystemctl restart apache2

    7. ClickCreate.

  2. Create a managed instance group. In the Google Cloud console, go to theInstance groups page.

    Go to Instance groups

    1. ClickCreate instance group.
    2. SelectNew managed instance group (stateless). For moreinformation, seeStateless or stateful MIGs.
    3. ForName, enterl7-xlb-backend-example.
    4. ForLocation, selectSingle zone.
    5. ForRegion, selectus-west1.
    6. ForZone, selectus-west1-a.
    7. ForInstance template, selectl7-xlb-backend-template.

    8. ForAutoscaling mode, selectOn: add and remove instances to thegroup.

      SetMinimum number of instances to2, and setMaximumnumber of instances to2 or more.

    9. ClickCreate.

gcloud

Thegcloud instructions in this guide assume that you are usingCloudShell or another environment with bash installed.

  1. Create a VM instance template with HTTP server with thegcloud compute instance-templates createcommand.

    gcloud compute instance-templates create l7-xlb-backend-template \--region=us-west1 \--network=lb-network \--subnet=backend-subnet \--tags=load-balanced-backend \--image-family=debian-12 \--image-project=debian-cloud \--metadata=startup-script='#! /bin/bashapt-get updateapt-get install apache2 -ya2ensite default-ssla2enmod sslvm_hostname="$(curl -H "Metadata-Flavor:Google" \http://metadata.google.internal/computeMetadata/v1/instance/name)"echo "Page served from: $vm_hostname" | \tee /var/www/html/index.htmlsystemctl restart apache2'

  2. Create a managed instance group in the zone with thegcloud computeinstance-groups managed createcommand.

    gcloud compute instance-groups managed create l7-xlb-backend-example \    --zone=us-west1-a \    --size=2 \    --template=l7-xlb-backend-template

Terraform

To create the instance template, use thegoogle_compute_instance_template resource.

resource "google_compute_instance_template" "default" {  name = "l7-xlb-backend-template"  disk {    auto_delete  = true    boot         = true    device_name  = "persistent-disk-0"    mode         = "READ_WRITE"    source_image = "projects/debian-cloud/global/images/family/debian-12"    type         = "PERSISTENT"  }  labels = {    managed-by-cnrm = "true"  }  machine_type = "n1-standard-1"  metadata = {    startup-script = <<EOF    #! /bin/bash    sudo apt-get update    sudo apt-get install apache2 -y    sudo a2ensite default-ssl    sudo a2enmod ssl    vm_hostname="$(curl -H "Metadata-Flavor:Google" \    http://169.254.169.254/computeMetadata/v1/instance/name)"    sudo echo "Page served from: $vm_hostname" | \    tee /var/www/html/index.html    sudo systemctl restart apache2    EOF  }  network_interface {    access_config {      network_tier = "PREMIUM"    }    network    = google_compute_network.default.id    subnetwork = google_compute_subnetwork.default.id  }  region = "us-west1"  scheduling {    automatic_restart   = true    on_host_maintenance = "MIGRATE"    provisioning_model  = "STANDARD"  }  service_account {    email  = "default"    scopes = ["https://www.googleapis.com/auth/devstorage.read_only", "https://www.googleapis.com/auth/logging.write", "https://www.googleapis.com/auth/monitoring.write", "https://www.googleapis.com/auth/pubsub", "https://www.googleapis.com/auth/service.management.readonly", "https://www.googleapis.com/auth/servicecontrol", "https://www.googleapis.com/auth/trace.append"]  }  tags = ["load-balanced-backend"]}

To create the managed instance group, use thegoogle_compute_instance_group_manager resource.

resource "google_compute_instance_group_manager" "default" {  name = "l7-xlb-backend-example"  zone = "us-west1-a"  named_port {    name = "http"    port = 80  }  version {    instance_template = google_compute_instance_template.default.id    name              = "primary"  }  base_instance_name = "vm"  target_size        = 2}

API

  1. Create the instance template with theinstanceTemplates.insertmethod, replacingPROJECT_ID with your project ID.

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/instanceTemplates{ "name":"l7-xlb-backend-template", "properties": {   "machineType":"e2-standard-2",   "tags": {     "items":[       "load-balanced-backend"     ]   },   "metadata": {     "kind":"compute#metadata",     "items":[       {         "key":"startup-script",         "value":"#! /bin/bash\napt-get update\napt-get install apache2 -y\na2ensite default-ssl\na2enmod ssl\nvm_hostname=\"$(curl -H \"Metadata-Flavor:Google\" \\\nhttp://metadata.google.internal/computeMetadata/v1/instance/name)\"\necho \"Page served from: $vm_hostname\" | \\\ntee /var/www/html/index.html\nsystemctl restart apache2"       }     ]   },   "networkInterfaces":[     {       "network":"projects/PROJECT_ID/global/networks/lb-network",       "subnetwork":"regions/us-west1/subnetworks/backend-subnet",       "accessConfigs":[         {           "type":"ONE_TO_ONE_NAT"         }       ]     }   ],   "disks": [     {       "index":0,       "boot":true,       "initializeParams": {         "sourceImage":"projects/debian-cloud/global/images/family/debian-12"       },       "autoDelete":true     }   ] }}

  2. Create a managed instance group in each zone with theinstanceGroupManagers.insertmethod, replacingPROJECT_ID with your project ID.

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/{zone}/instanceGroupManagers{ "name": "l7-xlb-backend-example", "zone": "projects/PROJECT_ID/zones/us-west1-a", "instanceTemplate": "projects/PROJECT_ID/global/instanceTemplates/l7-xlb-backend-template", "baseInstanceName": "l7-xlb-backend-example", "targetSize": 2}

Add a named port to the instance group

For your instance group, define an HTTP service and map a port nameto the relevant port. The backend service of the load balancer forwardstraffic to the named port.

Console

  1. In the Google Cloud console, go to theInstance groups page.

    Go to Instance groups

  2. Click the name of your instance group (in this examplel7-xlb-backend-example).

  3. On the instance group'sOverview page, clickEdit.

  4. ClickSpecify port name mapping.

  5. ClickAdd item.

  6. For the port name, enterhttp. For the port number, enter80.

  7. ClickSave.

gcloud

Use thegcloud compute instance-groupsset-named-portscommand.

gcloud compute instance-groups set-named-ports l7-xlb-backend-example \    --named-ports http:80 \    --zone us-west1-a

Terraform

Thenamed_port attribute is included in themanaged instance group sample.

Reserve the load balancer's IP address

Reserve a static IP address for the load balancer.

Console

  1. In the Google Cloud console, go to theReserve a static address page.

    Go to Reserve a static address

  2. Choose aName for the new address.

  3. ForNetwork Service Tier, selectStandard.

  4. ForIP version, selectIPv4. IPv6 addresses can only be globaland can only be used with global load balancers.

  5. ForType, selectRegional.

  6. ForRegion, selectus-west1.

  7. Leave theAttached to option set toNone. After you create theload balancer, this IP address will be attached to the loadbalancer's forwarding rule.

  8. ClickReserve to reserve the IP address.

gcloud

  1. To reserve a static external IP address usinggcloud compute, use thecompute addresses create command.

    gcloud compute addresses createADDRESS_NAME  \   --region=us-west1 \   --network-tier=STANDARD

    Replace the following:

    • ADDRESS_NAME: the name you want to call thisaddress.
    • REGION: the region where you want to reserve this address.This region should be the same region as the load balancer. Allregional IP addresses areIPv4.

  2. Use thecompute addresses describe commandto view the result:

    gcloud compute addresses describeADDRESS_NAME

Terraform

To reserve the IP address, use thegoogle_compute_address resource.

resource "google_compute_address" "default" {  name         = "address-name"  address_type = "EXTERNAL"  network_tier = "STANDARD"  region       = "us-west1"}

To learn how to apply or remove a Terraform configuration, seeBasic Terraform commands.

API

To create a regional IPv4 address, call theregionaladdresses.insert method:

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/addresses

Your request body should contain the following:

{  "name": "ADDRESS_NAME"  "networkTier": "STANDARD"  "region": "us-west1"}

Replace the following:

  • ADDRESS_NAME: the name for the address
  • REGION: the name of the region for this request
  • PROJECT_ID: the project ID for this request

Configure the load balancer

This example shows you how to create the following regional external Application Load Balancer resources:

  • HTTP health check
  • Backend service with a managed instance group as the backend
  • AURL map
    • Make sure to refer to a regional URL map if a region is defined forthe target HTTP(S) proxy. A regional URL map routes requests to a regionalbackend service based on rules that you define for the host and path of anincoming URL. A regional URL map can be referenced by a regional targetproxy rule in the same region only.
  • SSL certificate (for HTTPS)
  • Target proxy
  • Forwarding rule

Proxy availability

Sometimes Google Cloud regions don't have enough proxy capacity fora new load balancer. If this happens, the Google Cloud console provides aproxy availability warning message when you are creating your load balancer. Toresolve this issue, you can do one of the following:

  • Select a different region for your load balancer. This can be a practicaloption if you have backends in another region.
  • Select a VPC network that already has an allocatedproxy-only subnet.

  • Wait for the capacity issue to be resolved.

Console

Select the load balancer type

  1. In the Google Cloud console, go to theLoad balancing page.

    Go to Load balancing

  2. ClickCreate load balancer.
  3. ForType of load balancer, selectApplication Load Balancer (HTTP/HTTPS) and clickNext.
  4. ForPublic facing or internal, selectPublic facing (external) and clickNext.
  5. ForGlobal or single region deployment, selectBest for regional workloads and clickNext.
  6. ClickConfigure.

Basic configuration

  1. For the name of the load balancer, enterregional-l7-xlb.
  2. ForRegion, selectus-west1.
  3. ForNetwork, selectlb-network.

Reserve a proxy-only subnet

Note: If you alreadyconfigured the proxy-only subnet,theReserve subnet button isn't displayed. You can skip thissection and continue with the steps inConfigure the frontendservice.

For a regional external Application Load Balancer, reserve a proxy-only subnet:

  1. ClickReserve subnet.
  2. ForName, enterproxy-only-subnet.
  3. ForIP address range, enter10.129.0.0/23.
  4. ClickAdd.

Configure the frontend

For HTTP:

  1. ClickFrontend configuration.
  2. SetName tol7-xlb-forwarding-rule.
  3. SetProtocol toHTTP.
  4. SetNetwork service tier toStandard.
  5. SetPort to80.
  6. Select theIP address that you created inReserving the load balancer's IP address.
  7. ClickDone.

For HTTPS:

  1. ClickFrontend configuration.
  2. In theName field, enterl7-xlb-forwarding-rule.
  3. In theProtocol field, selectHTTPS (includes HTTP/2).
  4. SetNetwork service tier toStandard.
  5. Ensure that thePort is set to443.
  6. Select theIP address that you created inReserving the load balancer's IP address.

  7. To assign an SSL certificate to the target HTTPS proxy of theload balancer, you can either use a Compute EngineSSL certificate or a Certificate Manager certificate.

    1. To attach a Certificate Manager certificate to thetarget HTTPS proxy of the load balancer, in theChoose certificate repository section, selectCertificates.

      If you already have an existing Certificate Managercertificate to select, do the following:

      1. ClickAdd Certificate.
      2. ClickSelect an existing certificateand select the certificate from the list of certificates.
      3. ClickSelect.

      After you select the new Certificate Managercertificate, it appears in the list of certificates.

      To create a new Certificate Manager certificate,do the following:

      1. ClickAdd Certificate.
      2. ClickCreate a new certificate.

      3. To create a new certificate, follow the stepsstarting fromstep 3 as outlined in any oneof the following configuration methods in theCertificate Manager documentation:

      After you create the new Certificate Managercertificate, it appears in the list of certificates.

    2. To attach a Compute Engine SSL certificate to thetarget HTTPS proxy of the load balancer, in theChoose certificate repository section,selectClassic Certificates.

      1. In theCertificate list, do the following:
        1. If you already have a Compute Engineself-managed SSL certificateresource, select the primary SSL certificate.
        2. ClickCreate a new certificate.
          1. In theName field, enterl7-xlb-cert.
          2. In the appropriate fields, upload your PEM-formatted files:
            • Certificate
            • Private key
          3. ClickCreate.
        3. Optional: To add certificates in addition to the primary SSL certificate:
          1. ClickAdd certificate.
          2. If you already have a certificate, select it from theCertificates list.
          3. Optional: ClickCreate a new certificate and follow the instructions as specified in the previous step.

  8. Select an SSL policy from theSSL policy list. Optionally, to createan SSL policy, do the following:

    1. In theSSL policy list, selectCreate a policy.
    2. Enter a name for the SSL policy.
    3. Select a minimum TLS version. The default value isTLS 1.0.
    4. Select one of the pre-configured Google-managed profiles or select aCustom profile that lets you select SSL features individually. TheEnabled features andDisabled features are displayed.
    5. ClickSave.

    If you have not created any SSL policies, adefault Google Cloud SSL policy is applied.

  9. ClickDone.

Configure the backend service

  1. ClickBackend configuration.
  2. From theCreate or select backend services menu, selectCreate abackend service.
  3. Set the name of the backend service tol7-xlb-backend-service.
  4. ForProtocol, selectHTTP.
  5. ForNamed Port, enterhttp.
  6. SetBackend type toInstance group.
  7. In theHealth check list, clickCreate a health check, and thenenter the following information:
    • In theName field, enterl7-xlb-basic-check.
    • In theProtocol list, selectHTTP.
    • In thePort field, enter80.
  8. ClickCreate.
  9. In theNew backend section:
    1. SetInstance group tol7-xlb-backend-example.
    2. SetPort numbers to80.
    3. SetBalancing mode toUtilization.
    4. ClickDone.
  10. ClickCreate.

Configure the routing rules

  1. ClickRouting rules.
  2. ForMode, selectSimple host and path rule.
  3. Ensure that thel7-xlb-backend-serviceis the only backend service for any unmatched host and any unmatchedpath.

Review the configuration

  1. ClickReview and finalize.
  2. Review your load balancer configuration settings.
  3. Optional: ClickEquivalent code to view the REST API requestthat will be used to create the load balancer.
  4. ClickCreate.

gcloud

  1. Define the HTTP health check with thegcloud compute health-checkscreate httpcommand.

    gcloud compute health-checks create http l7-xlb-basic-check \   --region=us-west1 \   --request-path='/' \   --use-serving-port

  2. Define the backend service with thegcloud compute backend-servicescreate command.

    gcloud compute backend-services create l7-xlb-backend-service \  --load-balancing-scheme=EXTERNAL_MANAGED \  --protocol=HTTP \  --port-name=http \  --health-checks=l7-xlb-basic-check \  --health-checks-region=us-west1 \  --region=us-west1

  3. Add backends to the backend service with thegcloud compute backend-servicesadd-backend command.

    gcloud compute backend-services add-backend l7-xlb-backend-service \  --balancing-mode=UTILIZATION \  --instance-group=l7-xlb-backend-example \  --instance-group-zone=us-west1-a \  --region=us-west1

  4. Create the URL map with thegcloud compute url-mapscreate command.

    gcloud compute url-maps create regional-l7-xlb-map \  --default-service=l7-xlb-backend-service \  --region=us-west1

  5. Create the target proxy.

    For HTTP:

    For an HTTP load balancer, create the target proxywith thegcloud compute target-http-proxiescreate command.

    gcloud compute target-http-proxies create l7-xlb-proxy \  --url-map=regional-l7-xlb-map \  --url-map-region=us-west1 \  --region=us-west1

    For HTTPS:

    You can create either Compute Engine or Certificate Manager certificates. Use any of the following methods to create certificates using Certificate Manager:

    After you create certificates, attach the certificate directly to the targetproxy.

    1. Assign your filepaths to variable names.

      export LB_CERT=path to PEM-formatted file
      export LB_PRIVATE_KEY=path to PEM-formatted file

    2. Create a regional SSL certificate using thegcloud computessl-certificatescreate command.

      gcloud compute ssl-certificates create l7-xlb-cert \ --certificate=$LB_CERT \ --private-key=$LB_PRIVATE_KEY \ --region=us-west1

    3. Use the regional SSL certificate to create a target proxy with thegcloudcompute target-https-proxiescreatecommand.

      gcloud compute target-https-proxies create l7-xlb-proxy \ --url-map=regional-l7-xlb-map \ --region=us-west1 \ --ssl-certificates=l7-xlb-cert

  6. Create the forwarding rule.

    For HTTP:

    Use thegcloud compute forwarding-rulescreate commandwith the correct flags.

    gcloud compute forwarding-rules create l7-xlb-forwarding-rule \  --load-balancing-scheme=EXTERNAL_MANAGED \  --network-tier=STANDARD \  --network=lb-network \  --address=ADDRESS_NAME \  --ports=80 \  --region=us-west1 \  --target-http-proxy=l7-xlb-proxy \  --target-http-proxy-region=us-west1

    For HTTPS:

    Create the forwarding rule with thegcloud compute forwarding-rulescreate commandwith the correct flags.

    gcloud compute forwarding-rules create l7-xlb-forwarding-rule \  --load-balancing-scheme=EXTERNAL_MANAGED \  --network-tier=STANDARD \  --network=lb-network \  --address=ADDRESS_NAME \  --ports=443 \  --region=us-west1 \  --target-https-proxy=l7-xlb-proxy \  --target-https-proxy-region=us-west1

Terraform

To create the health check, use thegoogle_compute_region_health_check resource.

resource "google_compute_region_health_check" "default" {  name               = "l7-xlb-basic-check"  check_interval_sec = 5  healthy_threshold  = 2  http_health_check {    port_specification = "USE_SERVING_PORT"    proxy_header       = "NONE"    request_path       = "/"  }  region              = "us-west1"  timeout_sec         = 5  unhealthy_threshold = 2}

To create the backend service, use thegoogle_compute_region_backend_service resource.

resource "google_compute_region_backend_service" "default" {  name                  = "l7-xlb-backend-service"  region                = "us-west1"  load_balancing_scheme = "EXTERNAL_MANAGED"  health_checks         = [google_compute_region_health_check.default.id]  protocol              = "HTTP"  session_affinity      = "NONE"  timeout_sec           = 30  backend {    group           = google_compute_instance_group_manager.default.instance_group    balancing_mode  = "UTILIZATION"    capacity_scaler = 1.0  }}

To create the URL map, use thegoogle_compute_region_url_mapresource.

resource "google_compute_region_url_map" "default" {  name            = "regional-l7-xlb-map"  region          = "us-west1"  default_service = google_compute_region_backend_service.default.id}

To create the target HTTP proxy, use thegoogle_compute_region_target_http_proxy resource.

resource "google_compute_region_target_http_proxy" "default" {  name    = "l7-xlb-proxy"  region  = "us-west1"  url_map = google_compute_region_url_map.default.id}

To create the forwarding rule, use thegoogle_compute_forwarding_rule resource.

resource "google_compute_forwarding_rule" "default" {  name       = "l7-xlb-forwarding-rule"  provider   = google-beta  depends_on = [google_compute_subnetwork.proxy_only]  region     = "us-west1"  ip_protocol           = "TCP"  load_balancing_scheme = "EXTERNAL_MANAGED"  port_range            = "80"  target                = google_compute_region_target_http_proxy.default.id  network               = google_compute_network.default.id  ip_address            = google_compute_address.default.id  network_tier          = "STANDARD"}

To learn how to apply or remove a Terraform configuration, seeBasic Terraform commands.

API

Create the health check by making aPOST request to theregionHealthChecks.insertmethod, replacingPROJECT_ID with your project ID.

POSThttps://compute.googleapis.com/compute/v1/projects/<var>PROJECT_ID</var>/regions/{region}/healthChecks{"name":"l7-xlb-basic-check","type":"HTTP","httpHealthCheck":{"portSpecification":"USE_SERVING_PORT"}}

Create the regional backend service by making aPOST request to theregionBackendServices.insertmethod, replacingPROJECT_ID with your project ID.

POSThttps://compute.googleapis.com/compute/v1/projects/<var>PROJECT_ID</var>/regions/us-west1/backendServices{"name":"l7-xlb-backend-service","backends":[{"group":"projects/<var>PROJECT_ID</var>/zones/us-west1-a/instanceGroups/l7-xlb-backend-example","balancingMode":"UTILIZATION"}],"healthChecks":["projects/<var>PROJECT_ID</var>/regions/us-west1/healthChecks/l7-xlb-basic-check"],"loadBalancingScheme":"EXTERNAL_MANAGED"}

Create the URL map by making aPOST request to theregionUrlMaps.insertmethod, replacingPROJECT_ID with your project ID.

POSThttps://compute.googleapis.com/compute/v1/projects/<var>PROJECT_ID</var>/regions/us-west1/urlMaps{"name":"regional-l7-xlb-map","defaultService":"projects/<var>PROJECT_ID</var>/regions/us-west1/backendServices/l7-xlb-backend-service"}

Create the target HTTP proxy by making aPOST request to theregionTargetHttpProxies.insertmethod, replacingPROJECT_ID with your project ID.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-west1/targetHttpProxy{  "name": "l7-xlb-proxy",  "urlMap": "projects/PROJECT_ID/global/urlMaps/regional-l7-xlb-map",  "region": "us-west1"}

Create the forwarding rule by making aPOST request to theforwardingRules.insertmethod, replacingPROJECT_ID with your project ID.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-west1/forwardingRules{  "name": "l7-xlb-forwarding-rule",  "IPAddress": "10.1.2.99",  "IPProtocol": "TCP",  "portRange": "80-80",  "target": "projects/PROJECT_ID/regions/us-west1/targetHttpProxies/l7-xlb-proxy",  "loadBalancingScheme": "EXTERNAL_MANAGED",  "network": "projects/PROJECT_ID/global/networks/lb-network",  "networkTier": "STANDARD",}

Connect your domain to your load balancer

After the load balancer is created, note the IP address that is associated withthe load balancer—for example,30.90.80.100. To point your domain to yourload balancer, create anA record by using your domain registration service. Ifyou added multiple domains to your SSL certificate, you must add anA recordfor each one, all pointing to the load balancer's IP address. For example, tocreateA records forwww.example.com andexample.com, use the following:

NAME                  TYPE     DATAwww                   A        30.90.80.100@                     A        30.90.80.100

If you use Cloud DNS as your DNS provider, seeAdd, modify, and delete records.

Test the load balancer

Now that the load balancing service is running, you can sendtraffic to the forwarding rule and watch the traffic be dispersed to differentinstances.

Console

  1. In the Google Cloud console, go to theLoad balancing page.

    Go to Load balancing

  2. Select the load balancer that you just created.
  3. In theBackend section, confirm that the VMs are healthy. TheHealthy column should be populated, indicating that both VMs are healthy (2/2). If you see otherwise, first try reloading the page. It can take a few moments for the Google Cloud console to indicate that the VMs are healthy. If the backends do not appear healthy after a few minutes, review the firewall configuration and the network tag assigned to your backend VMs.
  4. After the Google Cloud console shows that the backend instances are healthy, you can test your load balancer using a web browser by going tohttps://IP_ADDRESS (orhttp://IP_ADDRESS). ReplaceIP_ADDRESS with theload balancer's IP address.
  5. If you used a self-signed certificate for testing HTTPS, your browser displays a warning. You must explicitly instruct your browser to accept a self-signed certificate.
  6. Your browser should render a page with content showing the name of the instance that served the page, along with its zone (for example,Page served from: lb-backend-example-xxxx). If your browser doesn't render this page, review the configuration settings in this guide.

gcloud

Note the IPv4 address that was reserved:

gcloud beta compute addresses describeADDRESS_NAME \    --format="get(address)" \    --region="us-west1"

You can test your load balancer using a web browser by going tohttps://IP_ADDRESS (orhttp://IP_ADDRESS). ReplaceIP_ADDRESS with theload balancer's IP address.

If you used a self-signed certificate for testing HTTPS, your browserdisplays a warning. You must explicitly instruct your browser to accept aself-signed certificate.

Your browser should render a page with minimal information about the backendinstance. If your browser doesn't render this page, review the configurationsettings in this guide.

Additional configuration options

This section expands on the configuration example to provide alternative andadditional configuration options. All of the tasks are optional. You canperform them in any order.

Enable session affinity

These procedures show you how to update a backend service for the exampleregional external Application Load Balancer so that the backend service usesgenerated cookie affinity, header field affinity, or HTTP cookie affinity.

When generated cookie affinity is enabled, the load balancer issues a cookieon the first request. For each subsequent request with the same cookie, the loadbalancer directs the request to the same backend VM or endpoint. Forregional external Application Load Balancers, the cookie is namedGCILB.

When header field affinity is enabled, the load balancer routes requests tobackend VMs or endpoints in a NEG based on the value of the HTTP header namedin the--custom-request-header flag. Header field affinity is only valid ifthe load balancing locality policy is eitherRING_HASH orMAGLEV and thebackend service's consistent hash specifies the name of the HTTP header.

When HTTP cookie affinity is enabled, the load balancer routes requests tobackend VMs or endpoints in a NEG, based on an HTTP cookie named in theHTTP_COOKIE flag with the optional--affinity-cookie-ttl flag. If the clientdoes not provide the cookie in its HTTP request, the proxy generatesthe cookie and returns it to the client in aSet-Cookie header. HTTP cookieaffinity is only valid if the load balancing locality policy is eitherRING_HASH orMAGLEV and the backend service's consistent hash specifies theHTTP cookie.

Console

To enable or change session affinity for a backend service:

  1. In the Google Cloud console, go to theLoad balancing page.

    Go to Load balancing

  2. Select the load balancer that you just created.

  3. ClickBackends.

  4. Clickl7-xlb-backend-service (the name of the backend serviceyou created for this example) and clickEdit.

  5. On theBackend service details page, clickAdvancedconfiguration.

  6. ForSession affinity, select the type of session affinity you wantfrom the menu.

  7. ClickUpdate.

gcloud

Use the following commands to update thel7-xlb-backend-servicebackend service to different types of session affinity:

gcloud compute backend-services update l7-xlb-backend-service \    --session-affinity=GENERATED_COOKIE | HEADER_FIELD | HTTP_COOKIE | CLIENT_IP    --region=us-west1

API

To set session affinity, make aPATCH request to theregionBackendServices/patchmethod.

PATCHhttps://compute.googleapis.com/compute/v1/projects/<var>PROJECT_ID</var>/regions/us-west1/regionBackendServices/l7-xlb-backend-service{"sessionAffinity":<var>"GENERATED_COOKIE"|"HEADER_FIELD"|"HTTP_COOKIE"|"CLIENT_IP"</var>}

Update client HTTP keepalive timeout

The load balancer created in the previous steps has been configured witha default value for theclient HTTP keepalivetimeout.

To update the client HTTP keepalive timeout, use the following instructions.

Console

  1. In the Google Cloud console, go to theLoad balancing page.

    Go to Load balancing.

  2. Click the name of the load balancer that you want to modify.
  3. ClickEdit.
  4. ClickFrontend configuration.
  5. ExpandAdvanced features. ForHTTP keepalive timeout, enter a timeout value.
  6. ClickUpdate.
  7. To review your changes, clickReview and finalize, and then clickUpdate.

gcloud

For an HTTP load balancer, update the target HTTP proxy by using thegcloud compute target-http-proxies update command.

      gcloud compute target-http-proxies updateTARGET_HTTP_PROXY_NAME \          --http-keep-alive-timeout-sec=HTTP_KEEP_ALIVE_TIMEOUT_SEC \          --region=REGION

For an HTTPS load balancer, update the target HTTPS proxy by using thegcloud compute target-https-proxies update command.

      gcloud compute target-https-proxies updateTARGET_HTTP_PROXY_NAME \          --http-keep-alive-timeout-sec=HTTP_KEEP_ALIVE_TIMEOUT_SEC \          --regionREGION

Replace the following:

  • TARGET_HTTP_PROXY_NAME: the name of the target HTTP proxy.
  • TARGET_HTTPS_PROXY_NAME: the name of the target HTTPS proxy.
  • HTTP_KEEP_ALIVE_TIMEOUT_SEC: the HTTP keepalive timeout value from 5 to 600 seconds.

Enable IAP on the external Application Load Balancer

You can configure IAP to beenabled or disabled (default). If enabled, you must provide values foroauth2-client-id andoauth2-client-secret.

To enable IAP, update the backend serviceto include the--iap=enabled flag with theoauth2-client-id andoauth2-client-secret.

Optionally, you canenable IAPfor a Compute Engine resource by using the Google Cloud console,gcloud CLI, or API.

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.