Traffic distribution for internal passthrough Network Load Balancers
This page explains concepts about how internal passthrough Network Load Balancers distribute traffic.
Backend selection and connection tracking
Backend selection and connection tracking work together to balance multipleconnections across different backends and to route all packets for eachconnection to the same backend. This is accomplished with a two-part strategy.First, a backend is selected using consistent hashing. Then, this selection isrecorded in a connection tracking table.
The following steps capture the backend selection and connection trackingprocess.
1.Check for a connection tracking table entry to use a previously selected backend
For anexisting connection, the load balancer uses the connectiontracking table to identify the previously selected backend for that connection.
The load balancer attempts to match each load-balanced packet with an entryin its connection tracking table using the following process:
If the packet is a TCP packet with the
SYNflag:If the load balancer's connection tracking mode is
PER_CONNECTION,continue to theIdentify eligible backendsstep. InPER_CONNECTIONtracking mode, a TCP packet with theSYNflag always represents a new connection, regardless of theconfigured session affinity.If the load balancer's connection tracking mode is
PER_SESSIONand the session affinity is eitherNONEorCLIENT_IP_PORT_PROTO,continue to theIdentify eligible backendsstep. InPER_SESSIONtracking mode, a TCP packet with theSYNflag represents a newconnection only when using one of the 5-tuple session affinityoptions (NONEorCLIENT_IP_PORT_PROTO).
For all other packets, the load balancer checks if the packet matches anexisting connection tracking table entry. The connection tuple (a set ofpacket characteristics) used to compare the packet to existing connectiontracking table entries depends on the connection tracking mode and sessionaffinity you configured. For information about which connection tupleis used for connection tracking, see thetable in theConnection trackingmode section.
If the packet matches a connection tracking table entry, the loadbalancer sends the packet to the previously selected backend.
If the packet doesn't match a connection tracking table entry,continue to theIdentify eligible backendsstep.
For information about how long a connection tracking table entrypersists and under what conditions it persists,see theCreate a connection tracking table entry step.
2.Select an eligible backend for a new connection
For anew connection, the load balancer uses theconsistent hashingalgorithm to select a backend from among the eligible backends.
The following steps outline the process to select an eligible backend for a newconnection and then record that connection in a connection tracking table.
2.1Identify eligible backends
This step models which backends are candidates to receive new connections,taking into consideration health andfailoverpolicyconfiguration:
No failover policy
The set of eligible backends depends only on health checks:
When at least one backend is healthy, eligible backends are all healthybackends.
When all backends are unhealthy, eligible backends areall backends.
Failover policy configured
The set of eligible backends depends on health checks and failover policyconfiguration:
When at least one backend is healthy, eligible backends are defined asfollows, using the first condition that is true from this ordered list:
- If there are no healthy primary backends, eligible backends areallhealthy failover backends.
- If there are no healthy failover backends, eligible backends areallhealthy primary backends.
- If the failover ratio is set to
0.0(the default value), eligiblebackends areall healthy primary backends. - If the ratio of the number of healthy primary backends compared to thetotal number of primary backends is greater than or equal to theconfigured failover ratio, eligible backends areall healthy primarybackends.
- The eligible backends areall healthy failover backends.
When there are no healthy backends, eligible backends are defined asfollows:
- If the load balancer's failover policy is configured to drop newconnections when no backends are healthy, the set of eligible backends isempty. The load balancer drops the packets for new connections.
- If the load balancer's failover policy isnot configured to drop newconnections when no backends are healthy, health checks aren't relevant.Eligible backends areall primary backends.
2.2Adjust eligible backends for zonal affinity
This step is skipped if any of the following is true:
- Zonal affinity is disabled
- The client isincompatible with zonalaffinity
- Azonal matchwith the zone of a compatible client doesn't happen
If zonal affinity is enabled, a client is compatible with zonal affinity, and azonal match happens, new connections from the client are routed to an adjustedset of eligible backends. For more information, see the following:
2.3Select an eligible backend
The load balancer usesconsistent hashingto select an eligible backend. The load balancer maintains hashesof eligible backends, mapped to a unit circle. When processing a packetfor a connection that's not in the connection tracking table, the loadbalancer computes a hash of the packet characteristics and maps that hashto the same unit circle, selecting an eligible backend on the circle'scircumference. The set of packet characteristics used to calculate thepacket hash is defined by thesession affinity setting.
If a session affinity isn't explicitly configured, the
NONEsessionaffinity is the default.The load balancer assigns new connections to eligible backends in a waythat is as consistent as possible even if the number of eligible backendschanges. The following benefits of consistent hashing show how the loadbalancer selects eligible backends for possible new connections that donot have connection tracking table entries:
The load balancer selects the same backend for all possible new connectionsthat have identical packet characteristics, as defined by session affinity,if the set of eligible backends doesnot change.
When a new eligible backend is added, approximately
1/Npossible newconnections map to the newly added backend. In this situation,Nisthe count of eligible backendsafter the new backend is added.When an eligible backend is removed, approximately
1/Npossible newconnections map to one of theN-1remaining backends. In this situation,Nis the count of backendsbefore the eligible backend is removed.
2.4Create a connection tracking table entry
After selecting a backend, theload balancer creates a connection tracking table entry. The connectiontracking table entry maps packet characteristics to the selected backend.The packet header fields used for this mapping depend on the connectiontracking mode and session affinity you configured.
The load balancer removes connection tracking table entries according to thefollowing rules:
A connection tracking table entry is removed after the connection has beenidle. Unless you configure a custom idle timeout, the load balancer uses adefault idle timeout of 600 seconds. For more information, seeIdletimeout.
Connection tracking table entries arenot removed when a TCP connectionis closed with a
FINorRSTpacket. Anynew TCP connection alwayscarries theSYNflag and is processed as described in theCheck for aconnection tracking table entry step.If a failover policy is configured and the connection draining on failoverand failback setting is disabled, the load balancer removes all entries inthe connection tracking table when the eligible backends switch from primaryto failover backends (failover), or switch from failover to primary backends(failback). For more information, seeConnection draining on failover andfailback.
Entries in the connection tracking table can be removed if a backend becomesunhealthy. This behavior depends on the connection tracking mode, theprotocol, and the connection persistence on unhealthy backends setting. Formore information, seeConnection persistence on unhealthybackends.
Entries in the connection tracking table are removed after the connectiondraining timeout that occurs following an event like deleting a backend VMor removing a backend VM from an instance group or NEG. For moreinformation, seeEnable connectiondraining.
Session affinity
Session affinity controls the distribution of new connections from clients tothe load balancer's backends.Internal passthrough Network Load Balancers use session affinity toselect a backend from a set of eligible backends as described in theIdentifyeligible backends andSelect an eligible backend steps in theBackend selection and connectiontracking section. You configure session affinity onthe backend service, not on each backend instance group or NEG.
Internal passthrough Network Load Balancers support the following session affinity settings. Eachsession affinity setting usesconsistent hashing to select an eligible backend.The session affinity setting determines which fields from the IP header andLayer 4 headers are used to calculate the hash.
| Hash method for backend selection | Session affinity setting |
|---|---|
5-tuple hash (consists of source IP address, source port, protocol, destination IP address, and destination port) for non-fragmented packets that include port information such as TCP packets and non-fragmented UDP packets OR3-tuple hash (consists of source IP address, destination IP address, and protocol) for fragmented UDP packets and packets of all other protocols | NONE1 |
5-tuple hash (consists of source IP address, source port, protocol, destination IP address, and destination port) for non-fragmented packets that include port information such as TCP packets and non-fragmented UDP packets OR3-tuple hash (consists of source IP address, destination IP address, and protocol) for fragmented UDP packets and packets of all other protocols | CLIENT_IP_PORT_PROTO |
| 3-tuple hash (consists of source IP address, destination IP address, and protocol) | CLIENT_IP_PROTO |
| 2-tuple hash (consists of source IP address and destination IP address) | CLIENT_IP |
| 1-tuple hash (consists of source IP only) | CLIENT_IP_NO_DESTINATION2 |
1 A session affinity setting ofNONE doesnotmean that there is no session affinity. It means that no session affinity optionis explicitly configured.
Hashing is always performed to select a backend. And a sessionaffinity setting ofNONE means that the load balanceruses a 5-tuple hash or a 3-tuple hash to select backends—functionallythe same behavior as whenCLIENT_IP_PORT_PROTO is set.
CLIENT_IP_NO_DESTINATION is aone-tuple hash based on just the source IP address of each received packet.This setting can be useful in situations where you need the same backend VM toprocess all packets from a client, based solely on the source IP address of thepacket, without respect to the packet destination IP address. These situationsusually arise when an internal passthrough Network Load Balancer is a next hop for a static route.For details, seeSession affinityand next hop internal passthrough Network Load Balancer.To learn how the different session affinity settings affect the backendselection and connection tracking methods, see thetable in theConnection trackingmode section.
Note: For internalUDP load balancers, setting session affinity is supportedin the gcloud CLI and the API. You cannot set sessionaffinity for UDP traffic by using the Google Cloud console.Session affinity and next hop internal passthrough Network Load Balancer
When an internal passthrough Network Load Balancer load balancer is a next hop of a static route, thedestination IP address is not limited to the forwarding rule IP address of theload balancer. Instead, the destination IP address of the packet can beany IPaddress that fits within the destination range of the static route.
Selecting an eligible backend depends on calculating a hashof packet characteristics. Except for theCLIENT_IP_NO_DESTINATION sessionaffinity (1-tuple hash), the hash depends, in part, on thepacket destinationIP address.
The load balancer selects the same backend for all possible new connections thathave identical packet characteristics, as defined by session affinity, if theset of eligible backends does not change. If you need the same backend VM toprocess all packets from a client, based solely on the source IP address,regardless of destination IP addresses, use theCLIENT_IP_NO_DESTINATIONsession affinity.
Connection tracking policy
This section describes the settings that control the connection trackingbehavior of internal passthrough Network Load Balancers. A connection tracking policy includes the followingsettings:
Connection tracking mode
The load balancer's connection tracking table maps connection tuples topreviously selected backends in a hash table. The set of packet characteristicsthat compose each connection tuple is determined by the connection trackingmode and session affinity.
Internal passthrough Network Load Balancers track connections for all protocols that they support.
The connection tracking mode refers to the granularity of the each connectiontuple in the load balancer's connection tracking table. The connection tuplecan be 5-tuple or 3-tuple (PER_CONNECTION mode), or it can match the sessionaffinity setting (PER_SESSION mode).
PER_CONNECTION. This is the default connectiontracking mode. This connection tracking mode uses a 5-tuplehash or a 3-tuple hash. Non-fragmented packets that include port informationsuch as TCP packets and non-fragmented UDP packets are tracked with 5-tuplehashes. All other packets are tracked with 3-tuple hashes.PER_SESSION. This connection tracking mode uses a hash consisting of thesame packet characteristics used by the session affinity hash. Depending on thechosen session affinity,PER_SESSIONcan result in connections that morefrequently match an existing connection tracking table entry, reducing thefrequency that a backend needs to be selected by the session affinity hash.
The following table summarizes how connection tracking mode and session affinitywork together to route all packets for each connection to the same backend.
| Backend selection using session affinity | Connection tracking mode | ||
|---|---|---|---|
| Session affinity setting | Hash method for backend selection | PER_CONNECTION (default) | PER_SESSION |
NONE | TCP and unfragmented UDP: 5-tuple hash Fragmented UDP and all other protocols: 3-tuple hash | TCP and unfragmented UDP: 5-tuple hash Fragmented UDP and all other protocols: 3-tuple hash | TCP and unfragmented UDP: 5-tuple hash Fragmented UDP and all other protocols: 3-tuple hash |
CLIENT_IP_NO_DESTINATION | All protocols: 1-tuple hash | TCP and unfragmented UDP: 5-tuple hash Fragmented UDP and all other protocols: 3-tuple hash | All protocols: 1-tuple hash |
CLIENT_IP | All protocols: 2-tuple hash | TCP and unfragmented UDP: 5-tuple hash Fragmented UDP and all other protocols: 3-tuple hash | All protocols: 2-tuple hash |
CLIENT_IP_PROTO | All protocols: 3-tuple hash | TCP and unfragmented UDP: 5-tuple hash Fragmented UDP and all other protocols: 3-tuple hash | All protocols: 3-tuple hash |
CLIENT_IP_PORT_PROTO | TCP and unfragmented UDP: 5-tuple hash Fragmented UDP and all other protocols: 3-tuple hash | TCP and unfragmented UDP: 5-tuple hash Fragmented UDP and all other protocols: 3-tuple hash | TCP and unfragmented UDP: 5-tuple hash Fragmented UDP and all other protocols: 3-tuple hash |
To learn how to change the connection tracking mode, seeConfigure aconnection trackingpolicy.
Connection persistence on unhealthy backends
The connection persistence settings control whether an existing connectionpersists on a selected backend VM or endpoint after that backend becomesunhealthy, as long as the backend remains in the load balancer's configuredbackend group (in an instance group or a NEG).
The following connection persistence options are available:
DEFAULT_FOR_PROTOCOL(default)NEVER_PERSISTALWAYS_PERSIST
The following table summarizes connection persistence options and howconnections persist for different protocols, session affinity options, andtracking modes.
| Connection persistence on unhealthy backends option | Connection tracking mode | |
|---|---|---|
PER_CONNECTION | PER_SESSION | |
DEFAULT_FOR_PROTOCOL | TCP: connections persist on unhealthy backends (all session affinities) UDP: connections never persist on unhealthy backends | TCP: connections persist on unhealthy backends if session affinity is UDP: connections never persist on unhealthy backends |
NEVER_PERSIST | TCP, UDP: connections never persist on unhealthy backends | |
ALWAYS_PERSIST | TCP, UDP: connections persist on unhealthy backends (all session affinities) This option should only be used for advanced use cases. | Configuration not possible |
To learn how to change connection persistence behavior, seeConfigure aconnection trackingpolicy.
Note: When a backend becomes unhealthy, theload balancer removes existing connection tracking table entries according tothe packet protocol and the selected connection persistence on unhealthybackends option. Subsequent packets for the connections whose entries wereremoved are treated as new connections. The load balancer creates a replacementconnection tracking table entry—after selecting an eligible backend—for each connection. Replacement connection tracking table entries remain validaccording to the same conditions as any other connection tracking table entry.If the unhealthy backend returns to being healthy, that event alone doesnotcause the replacement connection tracking table entries to be removed,unlessthe event triggers a failback andconnection draining on failover and failback is disabled.Idle timeout
A connection tracking table entry is removed after the connection has been idlefor a certain period of time. Unless you configure a custom idle timeout, theload balancer uses a default idle timeout value of 600 seconds (10 minutes).
The following table shows the minimum and maximum configurable idle timeoutvalues for different combinations of session affinity and connection trackingmode settings.
| Session affinity | Connection tracking mode | Default idle timeout | Minimum configurable idle timeout | Maximum configurable idle timeout |
|---|---|---|---|---|
| Any connection tuple | PER_CONNECTION | 600 seconds | 60 seconds | 600 seconds |
| PER_SESSION | 600 seconds | 60 seconds | 57,600 seconds |
5-tuple (NONE,CLIENT_IP_PORT_PROTO) | PER_SESSION | 600 seconds | 60 seconds | 600 seconds |
To learn how to change the idle timeout value, seeConfigure aconnection trackingpolicy.
Connections for single-client deployments
When testing connections to the IP address of an internal passthrough Network Load Balancer that only hasone client, you should keep the following in mind:
If the client VM is not a VM being load balanced—that is, it is notalso a backend VM, new connections are delivered to the load balancer'shealthy backend VMs. However, because allsession affinityoptions rely on at least the client system's IP address,connections from the same client might be distributed to the same backend VMmore frequently than you might expect.
Practically, this means that you cannot accurately monitor trafficdistribution through an internal passthrough Network Load Balancer by connecting to it from a singleclient. The number of clients needed to monitor traffic distribution variesdepending on the load balancer type, the type of traffic, and the number ofhealthy backends.
If the client VM is also a backend VM of the load balancer, connectionssent to the IP address of the load balancer's forwarding rule are alwaysanswered by the same backend VM (which is also the client VM). This happensregardless of whether the backend VM is healthy. It happens forall trafficsent to the load balancer's IP address, not just traffic on the protocol andports specified in the load balancer's internal forwarding rule.
For more information, seesending requests from load-balanced VMs.
Connection draining
Connection draining provides a configurable amount of additional time forestablished connections to persist in the load balancer's connectiontracking table when one of the following actions takes place:
- A virtual machine (VM) instance is removed from a backend instance group(this includes abandoning an instance in a backend managed instance group)
- A VM is stopped or deleted (this includes automatic actions like rollingupdates or scaling down a backend managed instance group)
- An endpoint is removed from a backend network endpoint group (NEG)
By default, connection draining for the aforementioned actions is disabled.For information about how connection draining is triggered and how toenable connection draining, seeEnabling connectiondraining.
UDP fragmentation
Internal passthrough Network Load Balancers can process both fragmented and unfragmented UDPpackets. If your application uses fragmented UDP packets, keep the following inmind:- UDP packets might become fragmented before reaching a Google CloudVPC network.
- Google Cloud VPC networks forward UDP fragments as theyarrive (without waiting for all fragments to arrive).
- Non-Google Cloud networks and on-premises network equipment mightforward UDP fragments as they arrive, delay fragmented UDP packets untilall fragments have arrived, or discard fragmented UDP packets. For details,see the documentation for the network provider or network equipment.
If you expect fragmented UDP packets and need to route them to the same backends,use the following forwarding rule and backend service configuration parameters:
Forwarding rule configuration: Use only one
UDPforwarding rule per load-balanced IP address, and configure the forwardingrule to accept traffic on all ports. This ensures that all fragments arrive atthe same forwarding rule. Even though the fragmented packets (other than thefirst fragment) lack a destination port, configuring the forwarding rule toprocess traffic for all ports also configures it to receive UDP fragments thathave no port information. To configure all ports, either use theGoogle Cloud CLI to set--ports=ALLor use the APIto setallPortstoTrue.Backend service configuration: Set the backend service'ssessionaffinity to
CLIENT_IP(2-tuple hash) orCLIENT_IP_PROTO(3-tuple hash) so that the same backend is selected for UDPpackets that include port information and UDP fragments (other than the firstfragment) that lack port information. Set the backend service'sconnectiontracking mode toPER_SESSIONso that the connectiontracking table entries are built by using the same 2-tuple or 3-tuple hashes.
Failover
An internal passthrough Network Load Balancer lets you designate some backends as failoverbackends. These backends are only used when the number of healthy VMs in theprimary backend instance groups has fallen below a configurable threshold.By default, if all primary and failover VMs are unhealthy, as a last resortGoogle Cloud distributes new connections only among all the primary VMs.
When you add a backend to an internal passthrough Network Load Balancer's backend service,by default that backend is a primary backend. You can designate a backendto be a failover backend when you add it to the load balancer's backend service,or by editing the backend service later.
For more information about how failover is used for backend selection andconnection tracking, see theIdentify eligible backendsandCreate a connection tracking table entry stepsin theBackend selection and connection tracking section.
For more information about how failover works, seeFailover for internal passthrough Network Load Balancers.
What's next
- To configure and test an internal passthrough Network Load Balancer that uses failover, seeConfigure failover for internal passthrough Network Load Balancers.
- To configure and test an internal passthrough Network Load Balancer, seeSet up an internal passthrough Network Load Balancer.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.