Set up a global external Application Load Balancer with an external backend

This guide uses an example to teach the fundamentals of using an external backend (sometimes called a custom origin) with a global external Application Load Balancer. An external backend is an endpoint that is external to Google Cloud. When you use an external backend with a global external Application Load Balancer, you can improve performance by using Cloud CDN caching.

The guide shows you how to configure a global external Application Load Balancer with a Cloud CDN-enabled backend service that proxies requests to an external backend server.

Before following this guide, familiarize yourself with the Internet NEG overview documentation, including the limitations.

The following architecture diagram shows a global external Application Load Balancer frontend with an external backend.

Figure 1. A global external Application Load Balancer with an external backend.

Permissions

To follow this guide, you need to create an internet NEG and create or modify an external Application Load Balancer in a project. You should be either a project Owner or Editor (roles/owner or roles/editor), or you should have both of the following Compute Engine IAM roles.

Task                                         Required role
Create and modify load balancer components   Compute Network Admin (roles/compute.networkAdmin)
Create and modify NEGs                       Compute Instance Admin (roles/compute.instanceAdmin)

Optional: Use BYOIP addresses

With bring your own IP (BYOIP), you can import your own public addresses to Google Cloud to use the addresses with Google Cloud resources. For example, if you import your own IPv4 addresses, you can assign one to the forwarding rule when you configure your load balancer. When you follow the instructions in this document to create the load balancer, provide the BYOIP address as the IP address.

For more information about using BYOIP, see Bring your own IP addresses.

Set up your external backend environment outside Google Cloud

To set up your environment, see the following sections.

Configure network endpoints

Configure a network endpoint to expose your external backend to Google Cloud. Make sure that the endpoint—either an IP:Port combination or a fully-qualified domain name (FQDN) and port—is reachable over the internet. This endpoint is later referenced from the internet NEG.

For detailed configuration requirements for internet NEG endpoints, see the Internet NEGs overview.

Allow the external backend to receive traffic from Google Cloud

To allow requests from Google Cloud to reach your external backend, you must allowlist the IP address ranges that Google uses to send requests to external backends. To look up the IP addresses that need to be allowed to send traffic to your external backends, query the _cloud-eoips.googleusercontent.com DNS TXT record by using a tool such as dig or nslookup.

Examples:

  • Run the following nslookup command:

    nslookup -q=TXT _cloud-eoips.googleusercontent.com 8.8.8.8

    The output looks like the following:

    Non-authoritative answer:
    _cloud-eoips.googleusercontent.com    text = "v=spf1 ip4:34.96.0.0/20 ip4:34.127.192.0/18 ~all"

    Note the CIDR ranges following ip4: and ensure that these ranges are allowed by the firewall rules or cloud access control lists (ACLs) configured on your external backend.

  • Run the following dig command:

    dig TXT _cloud-eoips.googleusercontent.com | grep -Eo 'ip4:[^ ]+' | cut -d':' -f2

    The output contains two IP address ranges, as follows:

    34.96.0.0/20
    34.127.192.0/18

Caution: These IP address ranges are subject to change. Make sure that you always confirm the Google Cloud IP address ranges that send traffic to your external backends.
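The allowlist check described above, written out as an added Python example (not part of this page and not Google Cloud tooling): it parses the SPF-style TXT record into CIDR ranges, reports which published ranges an existing firewall allowlist on the external backend fails to cover, and classifies a request's source address. The nslookup output, the record text and the firewall allowlist are constructed sample values; in practice feed it the current output of the dig or nslookup command above, since the ranges change.

```python
import ipaddress
import re

# Constructed sample: nslookup output of the form shown above, captured at the
# time of writing. The live record must be re-queried before every review.
SAMPLE_NSLOOKUP_OUTPUT = (
    "Non-authoritative answer:\n"
    '_cloud-eoips.googleusercontent.com    text = '
    '"v=spf1 ip4:34.96.0.0/20 ip4:34.127.192.0/18 ~all"\n'
)


def txt_from_nslookup_output(output):
    """Pull the quoted TXT value out of nslookup output; empty string if absent."""
    match = re.search(r'text = "([^"]*)"', output)
    return match.group(1) if match else ""


def parse_google_egress_ranges(txt_record):
    """Extract every ip4:/ip6: CIDR token from an SPF-style TXT record as networks."""
    ranges = []
    for token in txt_record.split():
        match = re.fullmatch(r"ip[46]:(.+)", token)
        if match:
            ranges.append(ipaddress.ip_network(match.group(1), strict=False))
    return ranges


def missing_allowlist_entries(google_ranges, firewall_allowlist):
    """Return the published ranges (as strings) that no allowlist entry fully covers.

    An entry covers a range only if it is the same IP version and the range is a
    subnet of (or equal to) the entry. Anything returned here means Google's
    load balancer would be blocked for part of its egress space.
    """
    allowed = [ipaddress.ip_network(cidr, strict=False) for cidr in firewall_allowlist]
    missing = []
    for google_range in google_ranges:
        covered = any(
            google_range.version == entry.version and google_range.subnet_of(entry)
            for entry in allowed
        )
        if not covered:
            missing.append(str(google_range))
    return missing


def source_is_google_lb(source_ip, google_ranges):
    """True if a request's source address falls inside one of the published ranges."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip.version == net.version and ip in net for net in google_ranges)


if __name__ == "__main__":
    ranges = parse_google_egress_ranges(txt_from_nslookup_output(SAMPLE_NSLOOKUP_OUTPUT))
    # Constructed: an allowlist that was set up from an older copy of the record.
    backend_allowlist = ["34.96.0.0/20"]
    print("published ranges:", [str(r) for r in ranges])
    print("not covered by the backend allowlist:", missing_allowlist_entries(ranges, backend_allowlist))
```

Run it periodically against fresh dig or nslookup output and alert when the missing list is non-empty; that is the check the Caution note asks for, done mechanically rather than by eye.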

Set up your Google Cloud environment

Create the global external Application Load Balancer with an internet NEG backend.

Reserve an external IP address

Reserve a global static external IP address that clients use to reach your application.

Note: This step is required for this example, and recommended in general. Reserving an IP address is also essential if you are using a custom domain for your external backend (also required for Google-managed SSL certificates). With a custom domain, you must update your DNS records to point your domain to this IP address.

Console

  1. In the Google Cloud console, go to the External IP addresses page.

  2. Click Reserve external static address to reserve an IPv4 address.

  3. Enter a name.

  4. For Network Service Tier, select Premium.

  5. For IP version, select IPv4.

  6. For Type, select Global.

  7. Click Reserve.

gcloud

gcloud compute addresses create LB_IP_ADDRESS_NAME \
    --network-tier=PREMIUM \
    --ip-version=IPV4 \
    --global

Note the IPv4 address that was reserved:

gcloud compute addresses describe LB_IP_ADDRESS_NAME \
    --format="get(address)" \
    --global

Set up the internet NEG

Console

  1. In the Google Cloud console, go to the Network endpoint groups page.

  2. Click Create network endpoint group.

  3. Enter a name.

  4. For Network endpoint group type, select Network endpoint group (Internet).

  5. For Default port, enter 443.

  6. For New network endpoint, select Fully qualified domain name and port.

  7. Enter the Fully qualified domain name.

  8. For Port type, select Default, and verify that Port number is 443.

  9. Click Create.

gcloud

  1. Create an internet NEG, and set the --network-endpoint-type to internet-fqdn-port (the hostname and port where your external backend can be reached):

    gcloud compute network-endpoint-groups create INTERNET_NEG_NAME \
        --network-endpoint-type="internet-fqdn-port" \
        --global

  2. Add your endpoint to the NEG. If a port isn't specified, the port selection defaults to port 80 (HTTP) or 443 (HTTPS; HTTP/2) depending on the protocol configured in the backend service. Make sure to include the --global flag:

    gcloud compute network-endpoint-groups update INTERNET_NEG_NAME \
        --add-endpoint="fqdn=FULLY_QUALIFIED_DOMAIN_NAME,port=443" \
        --global

Create the load balancer

Console

Select the load balancer type

  1. In the Google Cloud console, go to the Load balancing page.

  2. Click Create load balancer.
  3. For Type of load balancer, select Application Load Balancer (HTTP/HTTPS) and click Next.
  4. For Public facing or internal, select Public facing (external) and click Next.
  5. For Global or single region deployment, select Best for global workloads and click Next.
  6. For Load balancer generation, select Global external Application Load Balancer and click Next.
  7. Click Configure.

Frontend configuration

  1. Click Frontend configuration.
  2. Enter a name.
  3. To create an HTTPS load balancer, you must have an SSL certificate. We recommend using a Google-managed certificate.

    Verify that the following options are configured with these values (type a value or select an option as specified):

    Property                                 Value
    Protocol                                 HTTPS
    Network Service Tier                     Premium
    IP version                               IPv4
    IP address                               Select the IP address created in the Reserve an external IP address step.
    Port                                     443
    Optional: HTTP keepalive timeout         Enter a timeout value from 5 to 1200 seconds. The default value is 610 seconds.
    Certificate                              Select an existing SSL certificate or create a new certificate (see below).
    Optional: Enable HTTP to HTTPS Redirect  Use this checkbox to enable HTTP to HTTPS redirects (see below).

    Certificate: To create an HTTPS load balancer, you must have an SSL certificate resource to use in the HTTPS proxy. You can create an SSL certificate resource by using either a Google-managed SSL certificate or a self-managed SSL certificate.

    To create a Google-managed certificate, you must have a domain. The domain's A record must resolve to the IP address of the load balancer (in this example, example-ip). We recommend using Google-managed certificates because Google Cloud obtains, manages, and renews these certificates automatically. If you don't have a domain, you can use a self-signed SSL certificate for testing.

    Enable HTTP to HTTPS Redirect: Enabling this checkbox creates an additional partial HTTP load balancer that uses the same IP address as your HTTPS load balancer and redirects HTTP requests to your load balancer's HTTPS frontend.

    This checkbox can only be selected when the HTTPS protocol is selected and a reserved IP address is used.

    If you want to test this process without setting up an SSL certificate resource (or a domain as required by Google-managed certificates), you can set up an HTTP load balancer.

    To create an HTTP load balancer, verify that the following options are configured with these values (type a value or select an option as specified):

    Property                                 Value
    Protocol                                 HTTP
    Network Service Tier                     Premium
    IP version                               IPv4
    IP address                               Select the IP address created in the Reserve an external IP address step.
    Port                                     80
    Optional: HTTP keepalive timeout         Enter a timeout value from 5 to 1200 seconds. The default value is 610 seconds.

  4. Click Done.

Backend configuration

  1. Click Backend configuration.
  2. Click Backend services and backend buckets.
  3. Click Create a backend service.
  4. Enter a name.
  5. For Backend type, select Internet network endpoint group.
  6. For Protocol, select the protocol that you intend to use from the load balancer to the internet NEG. For this example, select HTTP/2.
  7. For Backends, in the New backend window, select the internet NEG created in the previous step.
  8. Click Create.

Review and finalize

  1. Click Review and finalize.
  2. If everything looks correct, click Create.

gcloud

  1. Create a backend service:

      gcloud compute backend-services create BACKEND_SERVICE \
          --load-balancing-scheme=EXTERNAL_MANAGED \
          --global

  2. Add the internet NEG to the backend service:

      gcloud compute backend-services add-backend BACKEND_SERVICE \
          --network-endpoint-group=INTERNET_NEG_NAME \
          --global-network-endpoint-group \
          --global

  3. Create a URL map to route incoming requests to the backend service:

      gcloud compute url-maps create URL_MAP_NAME \
          --default-service=BACKEND_SERVICE \
          --global

  4. Perform this step only if you want to create an HTTPS load balancer. This step is not required for HTTP load balancers.

    To create an HTTPS load balancer, you must have an SSL certificate resource to use in the HTTPS target proxy. You can create an SSL certificate resource by using either a Google-managed SSL certificate or a self-managed SSL certificate. We recommend using Google-managed certificates because Google Cloud obtains, manages, and renews these certificates automatically.

    To create a Google-managed certificate, you must have a domain. If you don't have a domain, you can use a self-managed SSL certificate for testing.

    To create a Google-managed SSL certificate resource:

      gcloud compute ssl-certificates create SSL_CERTIFICATE_NAME \
          --domains DOMAIN

    To create a self-managed SSL certificate resource:

      gcloud compute ssl-certificates create SSL_CERTIFICATE_NAME \
          --certificate CRT_FILE_PATH \
          --private-key KEY_FILE_PATH

  5. Create a target HTTP(S) proxy to route requests to your URL map.

    For an HTTP load balancer, create an HTTP target proxy:

      gcloud compute target-http-proxies create TARGET_HTTP_PROXY_NAME \
          --url-map=URL_MAP_NAME \
          --global

    For an HTTPS load balancer, create an HTTPS target proxy. The proxy is the portion of the load balancer that holds the SSL certificate for HTTPS Load Balancing, so you also load your certificate in this step.

      gcloud compute target-https-proxies create TARGET_HTTPS_PROXY_NAME \
          --ssl-certificates=SSL_CERTIFICATE_NAME \
          --url-map=URL_MAP_NAME \
          --global

    Replace the following:

    • TARGET_HTTP_PROXY_NAME: the name of the target HTTP proxy.
    • TARGET_HTTPS_PROXY_NAME: the name of the target HTTPS proxy.
    • SSL_CERTIFICATE_NAME: the name of the SSL certificate.
    • URL_MAP_NAME: the name of the URL map.
    Optional: For global external Application Load Balancers, you can set a client HTTP keepalive timeout by using the --http-keep-alive-timeout-sec option. The timeout value must be between 5 and 1200 seconds. The default value is 610 seconds.

  6. Create a forwarding rule to route incoming requests to the proxy.

    For an HTTP load balancer:

      gcloud compute forwarding-rules create HTTP_FORWARDING_RULE_NAME \
          --load-balancing-scheme=EXTERNAL_MANAGED \
          --network-tier=PREMIUM \
          --address=LB_IP_ADDRESS_NAME \
          --target-http-proxy=TARGET_HTTP_PROXY_NAME \
          --global \
          --ports=80

    For an HTTPS load balancer:

      gcloud compute forwarding-rules create HTTPS_FORWARDING_RULE_NAME \
          --load-balancing-scheme=EXTERNAL_MANAGED \
          --network-tier=PREMIUM \
          --address=LB_IP_ADDRESS_NAME \
          --target-https-proxy=TARGET_HTTPS_PROXY_NAME \
          --global \
          --ports=443

Connect your domain to your load balancer

After the load balancer is created, note the IP address that is associated with the load balancer—for example, 30.90.80.100. To point your domain to your load balancer, create an A record by using your domain registration service. If you added multiple domains to your SSL certificate, you must add an A record for each one, all pointing to the load balancer's IP address. For example, to create A records for www.example.com and example.com, use the following:

NAME                  TYPE     DATA
www                   A        30.90.80.100
@                     A        30.90.80.100

If you use Cloud DNS as your DNS provider, see Add, modify, and delete records.

Test the load balancer

Note: It might take a few minutes for the load balancer configuration to propagate globally after you first deploy it.

Now that you have configured your load balancer, you can start sending traffic to the load balancer's IP address. If you configured a domain, you can send traffic to the domain name as well. However, DNS propagation can take time to complete, so you can start by using the IP address for testing.

Console

  1. In the Google Cloud console, go to the Load balancing page.

  2. Click the load balancer that you just created.

  3. Note the IP address of the load balancer.

  4. Send traffic to the load balancer.

    • If you created an HTTP load balancer, you can test your load balancer by going to http://IP_ADDRESS. Replace IP_ADDRESS with the load balancer's IP address. You should be directed to the application you're running on the external backend.

    • If you created an HTTPS load balancer, you can test your load balancer by going to https://IP_ADDRESS. Replace IP_ADDRESS with the load balancer's IP address. You should be directed to the application you're running on the external backend.

    If that does not work and you are using a Google-managed certificate, confirm that your certificate resource's status is ACTIVE. For more information, see Google-managed SSL certificate resource status.

    Alternatively, you can use curl from your local machine's command line. Replace IP_ADDRESS with the load balancer's IPv4 address. If you're using a Google-managed certificate, test the domain that points to the load balancer's IP address. For example:

    curl -s 'https://www.example.com:443' --resolve www.example.com:443:IP_ADDRESS

  5. Optional: If you are using a custom domain, you might need to wait for the updated DNS settings to propagate. Then, test your domain in the web browser.

    For help with troubleshooting, see Troubleshooting external backend and internet NEG issues.

Additional configuration

This section expands on the configuration example to provide alternative and additional configuration options. All of the tasks are optional. You can perform them in any order.

Enable Cloud CDN

When Cloud CDN is enabled, the external Application Load Balancer sends requests to the internet NEG backend only when there is a Cloud CDN cache miss.

Console

  1. In the Google Cloud console, go to the Load balancing page.

  2. Click the name of the load balancer that you want to modify.

  3. Click Edit.

  4. Click Backend configuration.

  5. For the backend service with the internet NEG backend, click Edit.

  6. Select Enable Cloud CDN.

  7. Optional: Modify the cache mode and TTL settings.

  8. Click Update.

  9. To review your changes, click Review and finalize, and then click Update.

gcloud

  • To enable Cloud CDN on the backend service, use the following command:

      gcloud compute backend-services update BACKEND_SERVICE \
          --load-balancing-scheme=EXTERNAL_MANAGED \
          --global \
          --enable-cdn \
          --cache-mode=CACHE_MODE

    Set the cache mode by replacing CACHE_MODE with one of the following:

    • CACHE_ALL_STATIC: automatically caches static content.
    • USE_ORIGIN_HEADERS (default): requires the origin to set valid caching headers to cache content.
    • FORCE_CACHE_ALL: caches all content, ignoring any private, no-store, or no-cache directives in Cache-Control response headers.

Use a custom header to authenticate requests

To authenticate requests sent to your external backend, you can set a custom header to indicate that the request came from a Google Cloud load balancer. For example, you can configure the external backend to expect a particular value for the HTTP request's Host header, and you can configure the backend service to set the Host header to that expected value.

Use the following steps to configure the backend service to add a custom Host header to each request.

Console

  1. In the Google Cloud console, go to the Load balancing page.

  2. Click the name of the load balancer that you want to modify.

  3. Click Edit.

  4. Click Backend configuration.

  5. For the backend service with the internet NEG backend, click Edit.

  6. Click Advanced configurations.

  7. For Custom request headers, click Add header:

    1. For Header name, enter Host.
    2. For Header value, enter FQDN_NEG_ENDPOINT.
  8. Click Update.

  9. To review your changes, click Review and finalize, and then click Update.

gcloud

  • Use the following command to configure the backend service to add a custom Host header to each request:

      gcloud compute backend-services update BACKEND_SERVICE \
          --custom-request-header "Host:HEADER_VALUE" \
          --load-balancing-scheme=EXTERNAL_MANAGED \
          --global

Make sure that you also configured the external backend to expect a Host header so that it can authenticate incoming requests.

For general information about custom request headers, see Configure custom request headers. For other authentication methods, see Authenticate requests to the external backend.
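As an added example (not code from this page and not from Google), here is what the external backend's side of this check can look like as a small Python HTTP/1.1 origin: it refuses a request unless the source address is in one of the Google egress ranges from the earlier allowlist section and the Host header equals the value configured on the backend service. EXPECTED_HOST (standing in for FQDN_NEG_ENDPOINT), the listening port and the embedded ranges are constructed assumptions; the ranges must be refreshed from the _cloud-eoips.googleusercontent.com TXT record, and the server assumes it terminates the connection from Google directly rather than sitting behind another proxy that rewrites the source address.

```python
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed values for this example. EXPECTED_HOST is the value the backend
# service was configured to send in the Host header (FQDN_NEG_ENDPOINT above).
# The ranges are the two published when this page was written; they change.
EXPECTED_HOST = "origin.example.com"
GOOGLE_LB_RANGES = [ipaddress.ip_network(c) for c in ("34.96.0.0/20", "34.127.192.0/18")]
LISTEN_PORT = 8080  # assumption: the NEG endpoint maps to this port on the origin


def normalize_host(value):
    """Lower-case the Host value and drop an optional :port suffix."""
    host = value.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal, e.g. [2001:db8::1]:443
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0]


def request_is_from_load_balancer(source_ip, headers):
    """Accept only if the source is a published Google range AND Host matches.

    Both checks are needed: the IP check stops traffic that bypasses Google
    entirely, and the Host check stops other Google Cloud customers' load
    balancers (which egress from the same ranges) from reaching this origin.
    """
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    if not any(ip.version == net.version and ip in net for net in GOOGLE_LB_RANGES):
        return False
    host = headers.get("Host") or headers.get("host") or ""
    return normalize_host(host) == EXPECTED_HOST


class OriginHandler(BaseHTTPRequestHandler):
    """Minimal origin that rejects requests failing the two checks before serving."""

    def do_GET(self):
        if not request_is_from_load_balancer(self.client_address[0], self.headers):
            self.send_error(403, "Forbidden")  # not from our load balancer: refuse
            return
        body = b"hello from the external backend\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        # With cache mode USE_ORIGIN_HEADERS, Cloud CDN caches only what the
        # origin marks cacheable; this header allows a 5-minute cache.
        self.send_header("Cache-Control", "public, max-age=300")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", LISTEN_PORT), OriginHandler).serve_forever()
```

The Host header is not a secret, so this is a layered check rather than strong authentication on its own; the source-address allowlist and the Host check together are what the page's two sections ask the backend to enforce.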

Enable IAP on the external Application Load Balancer

Note: IAP isn't compatible with Cloud CDN.

You can configure IAP to be enabled or disabled (default). If enabled, you must provide values for oauth2-client-id and oauth2-client-secret.

To enable IAP, update the backend service to include the --iap=enabled flag with the oauth2-client-id and oauth2-client-secret.

gcloud compute backend-services update BACKEND_SERVICE_NAME \
    --iap=enabled,oauth2-client-id=ID,oauth2-client-secret=SECRET \
    --global

Optionally, you can enable IAP for a Compute Engine resource by using the Google Cloud console, gcloud CLI, or API.

Update client HTTP keepalive timeout

The load balancer created in the previous steps has been configured with a default value for the client HTTP keepalive timeout.

To update the client HTTP keepalive timeout, use the following instructions.

Console

  1. In the Google Cloud console, go to the Load balancing page.

  2. Click the name of the load balancer that you want to modify.
  3. Click Edit.
  4. Click Frontend configuration.
  5. Expand Advanced features. For HTTP keepalive timeout, enter a timeout value.
  6. Click Update.
  7. To review your changes, click Review and finalize, and then click Update.

gcloud

For an HTTP load balancer, update the target HTTP proxy by using the gcloud compute target-http-proxies update command:

      gcloud compute target-http-proxies update TARGET_HTTP_PROXY_NAME \
          --http-keep-alive-timeout-sec=HTTP_KEEP_ALIVE_TIMEOUT_SEC \
          --global

For an HTTPS load balancer, update the target HTTPS proxy by using the gcloud compute target-https-proxies update command:

      gcloud compute target-https-proxies update TARGET_HTTPS_PROXY_NAME \
          --http-keep-alive-timeout-sec=HTTP_KEEP_ALIVE_TIMEOUT_SEC \
          --global

Replace the following:

  • TARGET_HTTP_PROXY_NAME: the name of the target HTTP proxy.
  • TARGET_HTTPS_PROXY_NAME: the name of the target HTTPS proxy.
  • HTTP_KEEP_ALIVE_TIMEOUT_SEC: the HTTP keepalive timeout value from 5 to 600 seconds.

What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.