Internal passthrough Network Load Balancer logging and monitoring
This document shows you how to configure and use Cloud Logging and Cloud Monitoring for internal passthrough Network Load Balancers.
Logging
Logs provide useful information for troubleshooting and monitoring the pass-through Google Cloud load balancer. Logs are aggregated per connection and exported in near real time. Logs are generated for each load-balanced instance's TCP and UDP flows for both ingress and egress traffic. For more information about the fields provided in the log entry, see Log fields.
There are no additional charges for using logs. Based on how you ingest logs, standard pricing for Cloud Logging, BigQuery, or Pub/Sub applies. Enabling logs has no effect on the performance of the load balancer.
Logging provides the following benefits:
- Internal passthrough Network Load Balancer traffic monitoring. Per-connection logging gives you insight into how each connection is routed to serving backends.
- Network troubleshooting. You can use internal passthrough Network Load Balancer logs for troubleshooting. For more information, see Troubleshoot internal passthrough Network Load Balancers.
Sample log format for VM to VM flows
The following diagram shows the inbound and outbound traffic for an internal client (192.168.1.2), internal passthrough Network Load Balancer (10.240.0.200), and backend instance (10.240.0.3).
Internal passthrough Network Load Balancer logs for connections from the client to the backend instance are formatted as follows:
connection.clientIp: 192.168.1.2
connection.serverIp: 10.240.0.200
bytesSent: 1256
bytesReceived: 4521
Logs sampling and collection
Google Cloud samples the packets that leave and enter load balancer backend VMs. Those sampled packets are processed to generate logs.
Not every packet is sampled. Google Cloud samples a variable subset of packets depending on the amount of traffic on the physical host. The lowest possible sampling rate is one out of 1,024 packets. The sampling rate is dynamically controlled by Google Cloud. You cannot adjust the sampling rate.
The packet sampling interacts with firewall rules in the following ways:
- Packets are sampled before egress firewall rules are applied.
- Packets are sampled after ingress firewall rules are applied.
After packet sampling, Google Cloud processes the sampled packets according to the following procedure:
- Aggregation: Sampled packets are aggregated over a five-second interval to produce a single flow entry.
- Configurable (secondary) log sampling: This is a second sampling process, sampling the flows. You control the fraction of the flow entries that are emitted as log entries according to the logConfig.sampleRate parameter. When logConfig.sampleRate is 1.0 (100%), all of the sampled packets are processed.
- Write to logging: The log entries are written to Cloud Logging.
Optional fields
Log records contain required fields and optional fields. The Log fields section lists which fields are optional and which are required. All required fields are always included. You can customize which optional fields you keep.
If you select include all optional, all optional fields in the log record format are included in the flow logs. When new optional fields are added to the record format, the flow logs automatically include the new fields.
If you select exclude all optional, all optional fields are omitted.
If you select custom, you can specify the optional fields that you want to include by the parent field, such as serverInstance, or by their full names, such as serverInstance.vm. When new optional fields are added to the record format, the logs do not include these fields unless they are a new field within a parent field that you have specified to include.
If you specify a custom optional field by using parent fields, when new optional fields are added to the record format within that parent field, the logs automatically include the new fields. For example, if you choose to include optionalFieldA, then a new field added to the logs with the name optionalFieldA.subField1 is included automatically.
For instructions about customizing optional fields, see Enable logging on a new backend service.
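The optional-field rules above, as an added example that is not part of Google's documentation: one function applies an optionalMode of INCLUDE_ALL_OPTIONAL, EXCLUDE_ALL_OPTIONAL or CUSTOM to a single flow-log record, selecting CUSTOM fields either by parent (serverInstance) or by full name (serverInstance.vm), so that a parent selection also covers sub-fields added later. The record and its values are constructed for the example.

```python
"""Added example (not Google's code): apply optionalMode / optionalFields to
one flow-log record. Required fields always stay; optional ones are kept by
parent name or by full dotted name, as described on this page."""

REQUIRED_FIELDS = {"connection", "startTime", "endTime", "bytesSent",
                   "bytesReceived", "packetsSent", "packetsReceived", "rtt"}
OPTIONAL_MODES = {"INCLUDE_ALL_OPTIONAL", "EXCLUDE_ALL_OPTIONAL", "CUSTOM"}


def _prune(value, path, selected):
    """Keep `value` (found at dotted `path`) if that path was selected;
    otherwise descend so that selected sub-fields survive. A selected parent
    keeps every sub-field beneath it, including ones added after selection."""
    if path in selected:
        return value
    if not isinstance(value, dict):
        return None                      # unselected leaf
    kept = {}
    for name, child in value.items():
        pruned = _prune(child, f"{path}.{name}", selected)
        if pruned is not None:
            kept[name] = pruned
    return kept or None                  # drop parents left empty


def apply_optional_mode(record, mode, optional_fields=()):
    """Return the record as it would be emitted under the given logConfig."""
    if mode not in OPTIONAL_MODES:
        raise ValueError(f"unknown optionalMode {mode!r}")
    if optional_fields and mode != "CUSTOM":
        raise ValueError("optionalFields can only be set when optionalMode is CUSTOM")
    selected = set(optional_fields)
    out = {}
    for name, value in record.items():
        if name in REQUIRED_FIELDS or mode == "INCLUDE_ALL_OPTIONAL":
            out[name] = value
        elif mode == "CUSTOM":
            kept = _prune(value, name, selected)
            if kept is not None:
                out[name] = kept
    return out


# Constructed record, shaped like the record format table on this page.
SAMPLE_RECORD = {
    "connection": {"clientIp": "192.168.1.2", "clientPort": 40000,
                   "serverIp": "10.240.0.200", "serverPort": 80, "protocol": 6},
    "startTime": "2025-01-01T00:00:00Z", "endTime": "2025-01-01T00:00:05Z",
    "bytesSent": 1256, "bytesReceived": 4521,
    "packetsSent": 2, "packetsReceived": 2, "rtt": "0.250000000s",
    "serverInstance": {"projectId": "my-project", "vm": "backend-1",
                       "region": "us-central1", "zone": "us-central1-a",
                       "vmIp": "10.240.0.3"},
    "clientVpc": {"projectId": "my-project", "vpc": "default",
                  "subnetwork": "default"},
}

if __name__ == "__main__":
    print(apply_optional_mode(SAMPLE_RECORD, "CUSTOM", ["serverInstance.vm"]))
```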
Response packet source IP address requirements
Internal passthrough Network Load Balancer logging samples the response packets from the backend VMs only if the source IP address for those packets matches the load balancer's forwarding rule IP address. For TCP connections, response packets must always have sources that match the request packet's destination; however, for other protocols, it's possible for response packets to use a different source IP address. For additional details, see IP addresses for request and return packets.
The packet sampling process used by internal passthrough Network Load Balancers omits any response packets from backend VMs if those response packets have sources that do not match an IP address of a forwarding rule for an internal passthrough Network Load Balancer.
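The sampling, aggregation and response-source rules above, as an added example that is not part of Google's documentation: constructed sample packets are aggregated into five-second flow entries per 5-tuple, egress packets whose source is not a forwarding-rule IP are dropped, and the flow entries are then thinned by logConfig.sampleRate. The packets, timestamps and addresses are constructed for the example.

```python
"""Simulation of the flow-log pipeline described above (added example, not
Google's code): sampled packets -> five-second aggregation per 5-tuple ->
response-source check -> secondary sampling by logConfig.sampleRate."""
from dataclasses import dataclass
import random

AGGREGATION_WINDOW_S = 5   # one flow entry per 5-tuple per five-second interval


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since epoch (constructed sample values)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: int    # IANA protocol number: 6 = TCP, 17 = UDP
    length: int
    egress: bool     # True if the backend VM sent it, False if it received it


def flow_key(p):
    """Normalise a packet into the (client, server) 5-tuple used by the log."""
    if p.egress:     # response packet: the server is the source
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.protocol)
    return (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.protocol)


def aggregate_flows(packets, forwarding_rule_ips):
    """Aggregate sampled packets into flow entries keyed by 5-tuple and
    five-second window. Egress packets are dropped unless their source is a
    forwarding-rule IP, which is the response-source rule on this page."""
    flows = {}
    for p in sorted(packets, key=lambda q: q.ts):
        if p.egress and p.src_ip not in forwarding_rule_ips:
            continue  # backend replied from its own NIC IP: never logged
        window = int(p.ts // AGGREGATION_WINDOW_S)
        client_ip, client_port, server_ip, server_port, proto = flow_key(p)
        key = (window, client_ip, client_port, server_ip, server_port, proto)
        entry = flows.setdefault(key, {
            "connection": {"clientIp": client_ip, "clientPort": client_port,
                           "serverIp": server_ip, "serverPort": server_port,
                           "protocol": proto},
            "startTime": p.ts, "endTime": p.ts,
            "bytesSent": 0, "bytesReceived": 0,
            "packetsSent": 0, "packetsReceived": 0,
        })
        entry["endTime"] = p.ts
        if p.egress:                    # server -> client
            entry["bytesSent"] += p.length
            entry["packetsSent"] += 1
        else:                           # client -> server
            entry["bytesReceived"] += p.length
            entry["packetsReceived"] += 1
    return list(flows.values())


def secondary_sample(flows, sample_rate, rng=None):
    """Keep each flow entry with probability sample_rate (logConfig.sampleRate):
    1.0 keeps every entry, 0.0 keeps none and so equals disabling logging."""
    if not 0.0 <= sample_rate <= 1.0:
        raise ValueError("sampleRate must be between 0.0 and 1.0")
    rng = rng or random.Random(0)
    return [f for f in flows if rng.random() < sample_rate]


# Constructed sample: client 192.168.1.2 talks to forwarding rule 10.240.0.200
# on TCP/80; backend 10.240.0.3 answers from the forwarding-rule IP, except
# for one stray reply sent from its own NIC address (never logged).
SAMPLE_PACKETS = [
    Packet(1000.0, "192.168.1.2", 40000, "10.240.0.200", 80, 6, 1500, False),
    Packet(1001.0, "10.240.0.200", 80, "192.168.1.2", 40000, 6, 600, True),
    Packet(1002.0, "192.168.1.2", 40000, "10.240.0.200", 80, 6, 3021, False),
    Packet(1003.0, "10.240.0.200", 80, "192.168.1.2", 40000, 6, 656, True),
    Packet(1004.0, "10.240.0.3", 80, "192.168.1.2", 40000, 6, 999, True),
    Packet(1006.0, "192.168.1.2", 40000, "10.240.0.200", 80, 6, 100, False),
]

if __name__ == "__main__":
    for flow in secondary_sample(aggregate_flows(SAMPLE_PACKETS, {"10.240.0.200"}), 1.0):
        print(flow)
```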
Enable logging for a new backend service
Console
In the Google Cloud console, go to the Load balancing page.
Click the name of your load balancer.
Click Edit, and then click Backend Configuration.
Select Create a backend service, and then complete the required backend service fields.
Click Enable logging.
Set a Sample rate fraction. You can set a rate from 0.0 through 1.0 (default).
Optional: To include all the optional fields in the logs, in the Optional fields section, click Include all optional fields.
Pro tip: To specify the CUSTOM option, use the gcloud CLI or the REST API.
To finish editing the backend service, click Update.
To finish editing the load balancer, click Update.
gcloud
Create a backend service and enable logging by using the gcloud compute backend-services create command.
gcloud compute backend-services create BACKEND_SERVICE \
    --region=REGION \
    --enable-logging \
    --logging-sample-rate=SAMPLE_RATE \
    --logging-optional=LOGGING_OPTIONAL \
    --logging-optional-fields=OPTIONAL_FIELDS
Replace the following:
- BACKEND_SERVICE: the name of the backend service.
- REGION: the region of the backend service to create.
- SAMPLE_RATE: this field can only be specified if logging is enabled for this backend service. The value of the field must be from 0.0 to 1.0, where 0.0 means that no logs are reported and 1.0 means that logs are generated for all of the sampled packets. Enabling logging but setting the sampling rate to 0.0 is equivalent to disabling logging. The default value is 1.0.
- LOGGING_OPTIONAL: the optional annotations that you want to include in the logs:
  - INCLUDE_ALL_OPTIONAL to include all optional annotations.
  - EXCLUDE_ALL_OPTIONAL (default) to exclude all optional annotations.
  - CUSTOM to include a custom list of optional fields that you specify in OPTIONAL_FIELDS.
- OPTIONAL_FIELDS: a comma-separated list of optional fields that you want to include in the logs. For example, serverInstance.vm,serverGkeDetails. Can only be set if LOGGING_OPTIONAL is set to CUSTOM.
API
Make a POST request to the regionBackendServices.insert method.
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/backendServices
Exclude all optional fields
{
  "name": "BACKEND_SERVICE",
  "loadBalancingScheme": "INTERNAL",
  "logConfig": {
    "enable": true,
    "sampleRate": SAMPLE_RATE,
    "optionalMode": "EXCLUDE_ALL_OPTIONAL"
  }
}
Include all optional fields
{
  "name": "BACKEND_SERVICE",
  "loadBalancingScheme": "INTERNAL",
  "logConfig": {
    "enable": true,
    "sampleRate": SAMPLE_RATE,
    "optionalMode": "INCLUDE_ALL_OPTIONAL"
  }
}
Include a custom list of optional fields
{
  "name": "BACKEND_SERVICE",
  "loadBalancingScheme": "INTERNAL",
  "logConfig": {
    "enable": true,
    "sampleRate": SAMPLE_RATE,
    "optionalMode": "CUSTOM",
    "optionalFields": ["field1", "field2", ...]
  }
}
Enable logging on an existing backend service
Console
In the Google Cloud console, go to the Load balancing page.
Click the name of your load balancer.
Click Edit, and then click Backend Configuration.
Next to your backend service, click Edit.
Click Enable logging.
Set a Sample rate fraction. You can set a rate from 0.0 through 1.0 (default).
Optional: To include all the optional fields in the logs, in the Optional fields section, click Include all optional fields.
Pro tip: To specify the CUSTOM option, use the gcloud CLI or the REST API.
To finish editing the backend service, click Update.
To finish editing the load balancer, click Update.
gcloud
Enable logging on an existing backend service with the gcloud compute backend-services update command.
gcloud compute backend-services update BACKEND_SERVICE \
    --region=REGION \
    --enable-logging \
    --logging-sample-rate=SAMPLE_RATE \
    --logging-optional=LOGGING_OPTIONAL \
    --logging-optional-fields=OPTIONAL_FIELDS
Replace the following:
- BACKEND_SERVICE: the name of the backend service.
- REGION: the region of the backend service.
- SAMPLE_RATE: this field can only be specified if logging is enabled for this backend service. The value of the field must be from 0.0 to 1.0, where 0.0 means that no logs are reported and 1.0 means that logs are generated for all of the sampled packets. Enabling logging but setting the sampling rate to 0.0 is equivalent to disabling logging. The default value is 1.0.
- LOGGING_OPTIONAL: the optional annotations that you want to include in the logs:
  - INCLUDE_ALL_OPTIONAL to include all optional annotations.
  - EXCLUDE_ALL_OPTIONAL (default) to exclude all optional annotations.
  - CUSTOM to include a custom list of optional fields that you specify in OPTIONAL_FIELDS.
- OPTIONAL_FIELDS: a comma-separated list of optional fields that you want to include in the logs. For example, serverInstance.vm,serverGkeDetails. Can only be set if LOGGING_OPTIONAL is set to CUSTOM.
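Because a backend service with logging enabled but a sampling rate of 0.0 produces no logs, a logging audit has to look at both fields. The following is an added example, not Google's code: it classifies backend service resources (dicts shaped like the regionBackendServices API response) and reports those whose logging is off, effectively off, or below a policy floor. The resource names, the min_sample_rate policy and the sample data are constructed for the example.

```python
"""Added example (not Google's code): audit logConfig on internal passthrough
Network Load Balancer backend services. enable=false disables logging, and
this page states that enable=true with sampleRate 0.0 is equivalent to it."""


def effective_log_state(backend_service):
    """Classify one backend service resource as 'disabled',
    'effectively_disabled', 'partial' or 'full'."""
    cfg = backend_service.get("logConfig") or {}
    if not cfg.get("enable", False):
        return "disabled"
    rate = float(cfg.get("sampleRate", 1.0))   # default when enabled is 1.0
    if rate <= 0.0:
        return "effectively_disabled"          # enabled, but nothing is logged
    if rate < 1.0:
        return "partial"
    return "full"


def audit_log_config(backend_services, min_sample_rate=1.0):
    """Return findings for INTERNAL backend services whose logging is off or
    sampled below min_sample_rate (a policy floor assumed for the example)."""
    findings = []
    for bs in backend_services:
        if bs.get("loadBalancingScheme") != "INTERNAL":
            continue      # only internal passthrough NLB backend services
        state = effective_log_state(bs)
        cfg = bs.get("logConfig") or {}
        rate = float(cfg.get("sampleRate", 1.0)) if cfg.get("enable") else 0.0
        if state in ("disabled", "effectively_disabled") or rate < min_sample_rate:
            findings.append({"name": bs["name"], "state": state, "sampleRate": rate})
    return findings


# Constructed sample resources; names and values are made up for the example.
SAMPLE_BACKEND_SERVICES = [
    {"name": "bs-logged", "loadBalancingScheme": "INTERNAL",
     "logConfig": {"enable": True, "sampleRate": 1.0,
                   "optionalMode": "EXCLUDE_ALL_OPTIONAL"}},
    {"name": "bs-zero-rate", "loadBalancingScheme": "INTERNAL",
     "logConfig": {"enable": True, "sampleRate": 0.0}},
    {"name": "bs-off", "loadBalancingScheme": "INTERNAL",
     "logConfig": {"enable": False}},
    {"name": "bs-sampled", "loadBalancingScheme": "INTERNAL",
     "logConfig": {"enable": True, "sampleRate": 0.2}},
    {"name": "bs-external", "loadBalancingScheme": "EXTERNAL",
     "logConfig": {"enable": False}},
]

if __name__ == "__main__":
    for finding in audit_log_config(SAMPLE_BACKEND_SERVICES):
        print(finding)
```

Real input can come from `gcloud compute backend-services list --format=json`, whose items carry the same loadBalancingScheme and logConfig keys.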
API
Make a PATCH request to the regionBackendServices/patch method.
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/backendServices/BACKEND_SERVICE
Exclude all optional fields
"logConfig": {
  "enable": true,
  "sampleRate": SAMPLE_RATE,
  "optionalMode": "EXCLUDE_ALL_OPTIONAL"
}
Include all optional fields
"logConfig": {
  "enable": true,
  "sampleRate": SAMPLE_RATE,
  "optionalMode": "INCLUDE_ALL_OPTIONAL"
}
Include a custom list of optional fields
"logConfig": {
  "enable": true,
  "sampleRate": SAMPLE_RATE,
  "optionalMode": "CUSTOM",
  "optionalFields": ["field1", "field2", ...]
}
Disable logging on an existing backend service
Console
In the Google Cloud console, go to the Load balancing page.
Click the name of your load balancer.
Click Edit, and then click Backend Configuration.
To disable logging entirely, clear Enable logging.
If you leave logging enabled, you can set a different Sample rate fraction. You can set the rate from 0.0 through 1.0 (default). To only generate logs for 20% of the sampled packets, set the value to 0.2.
To finish editing the backend service, click Update.
To finish editing the load balancer, click Update.
gcloud
Disable logging on a backend service with the gcloud compute backend-services update command.
gcloud compute backend-services update BACKEND_SERVICE \
    --region=REGION \
    --no-enable-logging
Replace the following:
- BACKEND_SERVICE: the name of the backend service.
- REGION: the region of the backend service.
API
Make a PATCH request to the regionBackendServices/patch method.
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/backendServices/BACKEND_SERVICE
{
  "logConfig": {
    "enable": false
  }
}
View logs
When logs are ingested into Cloud Logging and not excluded through a Log Router sink, you can read logs by using the Cloud Logging API and the Google Cloud CLI.
To view all the internal passthrough Network Load Balancer logs:
Console
In the Google Cloud console, go to the Logs Explorer page.
Select the Internal Passthrough Network Load Balancer Rule resource type.
Select the loadbalancing.googleapis.com/flows log name.
Console query
In the Google Cloud console, go to the Logs Explorer page.
Click the Show query toggle.
Paste the following into the query field. Replace PROJECT_ID with your project ID.
resource.type="loadbalancing.googleapis.com/InternalNetworkLoadBalancerRule"
logName="projects/PROJECT_ID/logs/loadbalancing.googleapis.com%2Fflows"
Click Run query.
View logs for a backend service
To view the internal passthrough Network Load Balancer logs for a specific backend service:
Console query
In the Google Cloud console, go to the Logs Explorer page.
Click the Show query toggle.
Paste the following into the query field. Replace PROJECT_ID with your project ID and BACKEND_SERVICE_NAME with the name of your backend service.
resource.type="loadbalancing.googleapis.com/InternalNetworkLoadBalancerRule"
logName="projects/PROJECT_ID/logs/loadbalancing.googleapis.com%2Fflows"
resource.labels.backend_service_name="BACKEND_SERVICE_NAME"
Click Run query.
View logs for a backend instance group
To view the internal passthrough Network Load Balancer logs for a specific backend instance group or network endpoint group (NEG) with GCE_VM_IP endpoints, follow these steps:
Console query
In the Google Cloud console, go to the Logs Explorer page.
Click the Show query toggle.
Paste the following into the query field. Replace PROJECT_ID with your project ID and BACKEND_GROUP_NAME with the name of the instance group or NEG.
resource.type="loadbalancing.googleapis.com/InternalNetworkLoadBalancerRule"
logName="projects/PROJECT_ID/logs/loadbalancing.googleapis.com%2Fflows"
resource.labels.backend_group_name="BACKEND_GROUP_NAME"
Click Run query.
Log fields
Log records contain required fields (the default fields of every log record) and optional fields that add additional information. Optional fields can be omitted to save storage costs.
Some log fields are in a multi-field format, with more than one piece of data in a given field. For example, the connection field is of the IpConnection format, which contains the source and destination IP address and port plus the protocol in a single field. These multi-field fields are described in the following record format table.
The monitored resource is loadbalancing.googleapis.com/InternalNetworkLoadBalancerRule.
| Field | Field format | Field type: Required or Optional | Description |
|---|---|---|---|
| connection | IpConnection | Required | 5-tuple describing this connection. |
| startTime | string | Required | Timestamp (RFC 3339 date string format) of the first observed packet during the aggregated time interval. |
| endTime | string | Required | Timestamp (RFC 3339 date string format) of the last observed packet during the aggregated time interval. |
| bytesSent | string | Required | Number of bytes sent from the server to the client. |
| bytesReceived | int64 | Required | Number of bytes received by the server from the client. |
| packetsSent | int64 | Required | Number of packets sent from the server to the client. |
| packetsReceived | int64 | Required | Number of packets received by the server from the client. |
| rtt | string | Required | Latency is measured only for TCP connections. Latency is the sum of the estimated network round-trip time (RTT) plus the time consumed processing the packet within the client's VM operating system. For sampled packets, the RTT is calculated from the perspective of a load-balanced backend by measuring the time difference between the backend sending a TCP segment and the backend receiving a TCP acknowledgment for the sequence number of the sent segment. Latency is formatted as a string that begins with the number of seconds and ends with "s" to indicate seconds. Nanoseconds are expressed as fractional seconds. For example, a latency of 250 milliseconds is formatted as "0.250000000s". |
| clientInstance | InstanceDetails | Optional | VM instance details of the client. Only available if the client's VM instance is located in the same project. |
| serverInstance | InstanceDetails | Optional | VM instance details of the backend VM. |
| clientVpc | VpcDetails | Optional | VPC network details of the client. Only available if the client is an endpoint inside a VPC network located in the same project. |
| clientGkeDetails | GkeDetails | Optional | GKE metadata for the client. Only available if the client is a GKE endpoint in the same project. |
| serverGkeDetails | GkeDetails | Optional | GKE metadata for the server backend. Only available if the backend is a GKE endpoint. |
IpConnection field format
| Field | Type | Description |
|---|---|---|
| clientIp | string | Client IP address |
| clientPort | int32 | Client port. Set for TCP and UDP connections only. |
| serverIp | string | Server IP address (forwarding rule IP) |
| serverPort | int32 | Server port. Set for TCP and UDP connections only. |
| protocol | int32 | IANA protocol number |
InstanceDetails field format
| Field | Type | Description |
|---|---|---|
| projectId | string | ID of the project containing the VM |
| vm | string | Instance name of the VM |
| region | string | Region of the VM |
| zone | string | Zone of the VM |
| vmIp | string | Primary internal IP of the NIC that served the connection |
VpcDetails field format
| Field | Type | Description |
|---|---|---|
| projectId | string | ID of the project containing the VPC network |
| vpc | string | VPC network on which the VM is operating |
| subnetwork | string | Subnetwork on which the VM is operating |
GkeDetails field format
| Field | Type | Description |
|---|---|---|
| cluster | ClusterDetail | GKE cluster metadata |
| pod | PodDetails | GKE Pod metadata, populated when the source or destination of the traffic is a Pod |
| service | ServiceDetails | GKE Service metadata, populated in service endpoints only. The record contains up to two services. If there are more than two relevant services, this field contains a single service with a special MANY_SERVICES marker. |
ClusterDetails field format
| Field | Type | Description |
|---|---|---|
| cluster | string | GKE cluster name |
| clusterLocation | string | Location of the cluster. The cluster location can be a zone or a region. |
PodDetails field format
| Field | Type | Description |
|---|---|---|
| pod | string | Name of the Pod |
| podNamespace | string | Namespace of the Pod |
ServiceDetails field format
| Field | Type | Description |
|---|---|---|
| service | string | Name of the service. If there are more than two relevant services, the field is set to a special MANY_SERVICES marker. |
| serviceNamespace | string | Namespace of the service |
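The Logs Explorer queries and the record format tables above, worked as an added example that is not part of Google's documentation: one function builds the flow-log filter (optionally narrowed by backend service or backend group, as in the three queries shown earlier), and a parser flattens Cloud Logging entries into the documented fields, decoding the rtt duration string and tolerating absent optional fields. The two log entries are constructed to match the field tables; the project and names are made up.

```python
"""Added example (not Google's code): build flow-log filters and parse flow
entries into the fields documented on this page. Sample entries are
constructed; int64 fields are handled whether they arrive as ints or strings."""
import json
from datetime import datetime

RESOURCE_TYPE = "loadbalancing.googleapis.com/InternalNetworkLoadBalancerRule"


def flows_filter(project_id, backend_service=None, backend_group=None):
    """Return the Logs Explorer / Logging API filter for flow logs, optionally
    narrowed to one backend service or one backend instance group / NEG."""
    parts = [f'resource.type="{RESOURCE_TYPE}"',
             f'logName="projects/{project_id}/logs/loadbalancing.googleapis.com%2Fflows"']
    if backend_service:
        parts.append(f'resource.labels.backend_service_name="{backend_service}"')
    if backend_group:
        parts.append(f'resource.labels.backend_group_name="{backend_group}"')
    return "\n".join(parts)


def parse_rtt(rtt):
    """'0.250000000s' -> 0.25 seconds. rtt is only measured for TCP flows."""
    if rtt is None:
        return None
    if not rtt.endswith("s"):
        raise ValueError(f"unexpected rtt format: {rtt!r}")
    return float(rtt[:-1])


def parse_flow_entry(entry):
    """Flatten one Cloud Logging entry (dict) into the fields a responder
    usually pivots on. Required fields are always present; optional ones
    (here serverInstance) depend on the backend service's optionalMode."""
    p = entry["jsonPayload"]
    conn = p["connection"]
    server = p.get("serverInstance") or {}
    return {
        "client": f'{conn["clientIp"]}:{conn.get("clientPort", "")}',
        "server": f'{conn["serverIp"]}:{conn.get("serverPort", "")}',
        "protocol": conn["protocol"],           # IANA number: 6 TCP, 17 UDP
        "bytes_sent": int(p["bytesSent"]),      # server -> client
        "bytes_received": int(p["bytesReceived"]),
        "packets_sent": int(p["packetsSent"]),
        "packets_received": int(p["packetsReceived"]),
        "rtt_s": parse_rtt(p.get("rtt")),
        "backend_vm": server.get("vm"),
        "backend_service": entry["resource"]["labels"].get("backend_service_name"),
        "start": datetime.fromisoformat(p["startTime"].replace("Z", "+00:00")),
    }


def bytes_per_backend_vm(entries):
    """Sum bytes sent by each backend VM; needs serverInstance in the logs."""
    totals = {}
    for e in entries:
        row = parse_flow_entry(e)
        vm = row["backend_vm"] or "unknown"
        totals[vm] = totals.get(vm, 0) + row["bytes_sent"]
    return totals


# Constructed entries: one TCP flow with serverInstance, one UDP flow without.
SAMPLE_ENTRIES = [json.loads(line) for line in """
{"resource":{"type":"loadbalancing.googleapis.com/InternalNetworkLoadBalancerRule","labels":{"backend_service_name":"bs-web","backend_group_name":"ig-web"}},"jsonPayload":{"connection":{"clientIp":"192.168.1.2","clientPort":40000,"serverIp":"10.240.0.200","serverPort":80,"protocol":6},"startTime":"2025-01-01T00:00:00Z","endTime":"2025-01-01T00:00:05Z","bytesSent":"1256","bytesReceived":"4521","packetsSent":"2","packetsReceived":"2","rtt":"0.250000000s","serverInstance":{"projectId":"my-project","vm":"backend-1","region":"us-central1","zone":"us-central1-a","vmIp":"10.240.0.3"}}}
{"resource":{"type":"loadbalancing.googleapis.com/InternalNetworkLoadBalancerRule","labels":{"backend_service_name":"bs-web","backend_group_name":"ig-web"}},"jsonPayload":{"connection":{"clientIp":"192.168.1.9","clientPort":5353,"serverIp":"10.240.0.200","serverPort":53,"protocol":17},"startTime":"2025-01-01T00:00:00Z","endTime":"2025-01-01T00:00:05Z","bytesSent":"300","bytesReceived":"120","packetsSent":"3","packetsReceived":"3"}}
""".strip().splitlines()]

if __name__ == "__main__":
    print(flows_filter("my-project", backend_service="bs-web"))
    print(bytes_per_backend_vm(SAMPLE_ENTRIES))
```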
Monitoring
An internal passthrough Network Load Balancer exports monitoring data to Cloud Monitoring.
Monitoring metrics can be used for the following purposes:
- Evaluate an internal passthrough Network Load Balancer's configuration, usage, and performance
- Troubleshoot problems
- Improve resource utilization and user experience
In addition to the predefined dashboards in Monitoring, you can create custom dashboards, set up alerts, and query the metrics through the Monitoring API.
View Monitoring dashboards
Console
In the Google Cloud console, go to the Monitoring page.
If Resources appears in the navigation pane, select Resources, and then select Google Cloud Load Balancers. Otherwise, select Dashboards, and then select the dashboard named Google Cloud Load Balancers.
Click the name of your load balancer.
In the left pane, you can see various details for the selected load balancer. In the right pane, you can see time series graphs. Click the Breakdowns link to see specific breakdowns. The left pane presents currently configured data, while the right pane can present data served by historical configurations not currently reflected in the left pane.
Note: Monitoring collects internal passthrough Network Load Balancer data every 15 minutes. However, it might take up to two hours after you create your first internal passthrough Network Load Balancer for data to be available in Cloud Logging and Monitoring.
Define Monitoring custom dashboards
You can create custom Monitoring dashboards for internal passthrough Network Load Balancer metrics.
Console
In the Google Cloud console, go to the Monitoring page.
Select Dashboards > Create Dashboard.
Click Add Chart.
Give the chart a title.
Select metrics and filters. For metrics, the resource type is Internal Passthrough TCP Network Load Balancer Rule (internal_tcp_lb_rule) or Internal Passthrough UDP Network Load Balancer Rule (internal_udp_lb_rule).
Click Save.
Define alerting policies
Console
You can create alerting policies to monitor the values of metrics and to notify you when those metrics violate a condition.
In the Google Cloud console, go to the Alerting page:
If you use the search bar to find this page, then select the result whose subheading is Monitoring.
- If you haven't created your notification channels and if you want to be notified, then click Edit Notification Channels and add your notification channels. Return to the Alerting page after you add your channels.
- From the Alerting page, select Create policy.
- To select the metric, expand the Select a metric menu and then do the following:
  - To limit the menu to relevant entries, enter Google Cloud TCP Load Balancer or Google Cloud UDP Load Balancer into the filter bar. If there are no results after you filter the menu, then disable the Show only active resources & metrics toggle.
  - For the Resource type, select Google Cloud TCP Load Balancer or Google Cloud UDP Load Balancer.
  - Select a Metric category and a Metric, and then select Apply.
- Click Next.
- The settings in the Configure alert trigger page determine when the alert is triggered. Select a condition type and, if necessary, specify a threshold. For more information, see Create metric-threshold alerting policies.
- Click Next.
- Optional: To add notifications to your alerting policy, click Notification channels. In the dialog, select one or more notification channels from the menu, and then click OK.
- Optional: Update the Incident autoclose duration. This field determines when Monitoring closes incidents in the absence of metric data.
- Optional: Click Documentation, and then add any information that you want included in a notification message.
- Click Alert name and enter a name for the alerting policy.
- Click Create Policy.
Metrics for internal passthrough Network Load Balancers
The following metrics for internal passthrough Network Load Balancers are reported into Monitoring.
| Metric | metric_name | Description |
|---|---|---|
| Inbound Throughput | loadbalancing.googleapis.com/l3/internal/ingress_bytes_count | The number of bytes sent from the client to the internal passthrough Network Load Balancer backend. For TCP flows, only bytes in the application stream are counted. |
| Inbound Packets | loadbalancing.googleapis.com/l3/internal/ingress_packets_count | The number of packets sent from the client to the internal passthrough Network Load Balancer backend. |
| Outbound Throughput | loadbalancing.googleapis.com/l3/internal/egress_bytes_count | The number of bytes sent from the internal passthrough Network Load Balancer backend to the client. For TCP flows, only bytes in the application stream are counted. |
| Outbound Packets | loadbalancing.googleapis.com/l3/internal/egress_packets_count | The number of packets sent from the internal passthrough Network Load Balancer backend to the client. |
| Latency | loadbalancing.googleapis.com/l3/internal/rtt_latencies | A distribution of RTT measured over TCP connections for internal passthrough Network Load Balancer flows. Available only for TCP traffic. |
Filter dimensions for internal passthrough Network Load Balancer metrics
Metrics are aggregated for each internal passthrough Network Load Balancer. Metrics can be further broken down by the following dimensions:
| Property | Description |
|---|---|
| BACKEND NAME | The name of the instance group or network endpoint group (NEG) with GCE_VM_IP endpoints. |
| BACKEND SCOPE | The scope (region or zone) of the backend that received the connection. |
| BACKEND ZONE | For zonal instance groups and network endpoint groups, the zone of the backend that served the connection. |
| CLIENT NETWORK | The network of the client instance that connected to the internal passthrough Network Load Balancer. |
| CLIENT SUBNETWORK | The subnetwork of the client instance that connected to the internal passthrough Network Load Balancer. |
| CLIENT ZONE | The Google Cloud zone of the instance that connected to the forwarding rule. |
| FORWARDING RULE | The name of the internal passthrough Network Load Balancer's forwarding rule. |
Metric reporting frequency and retention
Metrics for internal passthrough Network Load Balancers are exported to Monitoring in one-minute granularity batches. Monitoring data is retained for six weeks. Metrics are based on sampled traffic (the sampling rate is dynamic and cannot be adjusted). The dashboard provides data analysis in default intervals of one hour (1H), six hours (6H), one day (1D), one week (1W), and six weeks (6W). You can manually request analysis in any interval from six weeks to one minute.
What's next
- For information about fundamentals, see Internal passthrough Network Load Balancer overview.
- For information about failover, see Failover for internal passthrough Network Load Balancers.
- For available DNS name options for your load balancer, see Internal load balancing and DNS names.
- For an example internal passthrough Network Load Balancer configuration, see Set up an internal passthrough Network Load Balancer with VM instance group backends.
- For information about how to configure and test an internal passthrough Network Load Balancer that uses failover configuration, see Configure failover for internal passthrough Network Load Balancers.
- For information about accessing internal load balancers from peer networks connected to your VPC network, see Internal passthrough Network Load Balancers and connected networks.
- For information about how to troubleshoot, see Troubleshoot internal passthrough Network Load Balancers.
- For information about how to troubleshoot issues with logs, see Troubleshoot logging issues.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.