Set up an external passthrough Network Load Balancer for multiple IP protocols

This guide provides instructions for creating backend service-based external passthrough Network Load Balancers that load balance TCP, UDP, ESP, GRE, ICMP, and ICMPv6 traffic. You can use such a configuration to load-balance traffic that is using IP protocols other than TCP or UDP. Target pool-based external passthrough Network Load Balancers don't support this capability.

To configure an external passthrough Network Load Balancer for IP protocols other than TCP or UDP, you create a forwarding rule with protocol set to L3_DEFAULT. This forwarding rule points to a backend service with protocol set to UNSPECIFIED.

In this example, we use two external passthrough Network Load Balancers to distribute traffic across backend VMs in two zonal managed instance groups in the us-central1 region. Both load balancers receive traffic at the same external IP address.

One load balancer has a forwarding rule with protocol TCP and port 80, and the other load balancer has a forwarding rule with protocol L3_DEFAULT. TCP traffic arriving at the IP address on port 80 is handled by the TCP forwarding rule. All other traffic that doesn't match the TCP-specific forwarding rule is handled by the L3_DEFAULT forwarding rule.

External passthrough Network Load Balancer with zonal managed instance groups.

This scenario load balances connections using multiple protocols with a TCP health check. For information about other supported protocols, see Regional backend service and Health checks.

The external passthrough Network Load Balancer is a regional load balancer. All load balancer components must be in the same region.

Before you begin

Install the Google Cloud CLI. For a complete overview of the tool, see the gcloud CLI overview. You can find commands related to load balancing in the API and gcloud reference.

If you haven't run the gcloud CLI previously, first run the gcloud init command to authenticate.

This guide assumes that you are familiar with bash.

Set up the network and subnets

The example on this page uses a custom mode VPC network named lb-network. If you only want to handle IPv4 traffic, you can use an auto mode VPC network. However, subnets with IPv6 address ranges aren't supported on auto mode VPC networks. Subnets with IPv6 address ranges are supported on custom mode VPC networks only.

In this example, subnets of the following stack types are created:

Subnet ranges                        Stack type
Only IPv4 subnet ranges              IPV4_ONLY (single-stack)
Both IPv4 and IPv6 subnet ranges     IPV4_IPV6 (dual-stack)
Only IPv6 subnet ranges              IPV6_ONLY (single-stack)

For dual-stack and IPv6-only subnets that use an IPv6 address range, you need to choose an IPv6 access type for the subnet. The IPv6 access type determines whether the subnet is configured with internal IPv6 addresses or external IPv6 addresses. For this example, the subnet's ipv6-access-type parameter is set to EXTERNAL.

A subnet with an external IPv6 address range, that is, whose ipv6-access-type parameter is set to EXTERNAL, can also be used to source a forwarding rule's external IPv6 address. For more information, see IP address specifications for forwarding rules.

Note: An IPv6 forwarding rule with a BYOIP address doesn't require a network or subnet. For more information, see Create an IPv6 forwarding rule with BYOIP.

The backends and the load balancer components used for this example are located in this region and subnet:

  • Region: us-central1
  • Subnet: lb-subnet, with primary IPv4 address range 10.1.2.0/24. Although you choose which IPv4 address range is configured on the subnet, the IPv6 address range is assigned automatically. Google provides a fixed size (/64) IPv6 CIDR block.

To create the example network and subnet, follow these steps.

Console

To support both IPv4 and IPv6 traffic, use the following steps:

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. Click Create VPC network.

  3. For Name, enter lb-network.

  4. Set Subnet creation mode to Custom.

  5. In the Subnets section, click Add subnet and configure the following fields:

    • Name: lb-subnet
    • Region: us-central1
    • IP stack type: IPv4 and IPv6 (dual-stack)
    • IPv4 range: 10.1.2.0/24
      Although you can configure an IPv4 range of addresses for the subnet, you cannot choose the range of the IPv6 addresses for the subnet. Google provides a fixed size (/64) IPv6 CIDR block.
    • IPv6 access type: External
    • Click Done
  6. Click Create.

To support IPv4 traffic only, use the following steps:

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. Click Create VPC network.

  3. For Name, enter lb-network.

  4. Set Subnet creation mode to Custom.

  5. In the Subnets section, click Add subnet and configure the following fields:

    • Name: lb-subnet
    • Region: us-central1
    • IP stack type: IPv4 (single-stack)
    • IPv4 range: 10.1.2.0/24
  6. Click Create.

To support IPv6 traffic only, use the following steps:

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. Click Create VPC network.

  3. For Name, enter lb-network.

  4. Set Subnet creation mode to Custom.

  5. In the Subnets section, click Add subnet and configure the following fields:

    • Name: lb-subnet
    • Region: us-central1
    • IP stack type: IPv6 (single-stack)
    • IPv6 access type: External
  6. Click Create.

gcloud

  1. Create the custom mode VPC network:

    gcloud compute networks create lb-network \
        --subnet-mode=custom

  2. Within the lb-network network, create a subnet for backends in the us-central1 region.

    For both IPv4 and IPv6 traffic, use the following command to create a dual-stack subnet:

      gcloud compute networks subnets create lb-subnet \
          --stack-type=IPV4_IPV6 \
          --ipv6-access-type=EXTERNAL \
          --network=lb-network \
          --range=10.1.2.0/24 \
          --region=us-central1

    For IPv4 traffic only, use the following command:

      gcloud compute networks subnets create lb-subnet \
          --network=lb-network \
          --range=10.1.2.0/24 \
          --region=us-central1

    For IPv6 traffic only, use the following command:

      gcloud compute networks subnets create lb-subnet \
          --stack-type=IPV6_ONLY \
          --ipv6-access-type=EXTERNAL \
          --network=lb-network \
          --region=us-central1

Create the zonal managed instance groups

For this load balancing scenario, you create two Compute Engine zonal managed instance groups and install an Apache web server on each instance.

The instance group references an instance template, which is used to create backend VMs. In this example, you create backend VMs with IPv4-only, dual-stack, and IPv6-only network interfaces. The VMs also inherit the ipv6-access-type setting (in this example, EXTERNAL) from the subnet. For more information about IPv6 requirements, see Forwarding rule in the external passthrough Network Load Balancer overview document.

To use existing VMs as backends, update the VMs to be dual-stack by using the gcloud compute instances network-interfaces update command.

Instances that participate as backend VMs for external passthrough Network Load Balancers must run the appropriate Linux guest environment, Windows guest environment, or other processes that provide equivalent capability.

Create the instance group for TCP traffic on port 80

Console

  1. Create an instance template. In the Google Cloud console, go to the Instance templates page.

    Go to Instance templates

    1. Click Create instance template.
    2. For Name, enter ig-us-template-tcp-80.
    3. Ensure that the Boot disk is set to a Debian image, such as Debian GNU/Linux 12 (bookworm). These instructions use commands that are only available on Debian, such as apt-get.
    4. Expand the Advanced options section.
    5. Expand the Management section, and then copy the following script into the Startup script field.

      #! /bin/bash
      apt-get update
      apt-get install apache2 -y
      a2ensite default-ssl
      a2enmod ssl
      vm_hostname="$(curl -H "Metadata-Flavor:Google" \
      http://metadata.google.internal/computeMetadata/v1/instance/name)"
      echo "Page served from: $vm_hostname" | \
      tee /var/www/html/index.html
      systemctl restart apache2

    6. Expand the Networking section, and then specify the following:

      1. For Network tags, add network-lb-tcp-80.
      2. For Network interfaces, select the default network interface.

        To create backend VMs with dual-stack network interfaces, configure the following fields:

        • Network: lb-network
        • Subnetwork: lb-subnet
        • IP stack type: IPv4 and IPv6 (dual-stack)
        • External IPv4 address: Ephemeral
        • External IPv6 address: Auto-allocate

        To create backend VMs with IPv4-only network interfaces, configure the following fields:

        • Network: lb-network
        • Subnetwork: lb-subnet
        • IP stack type: IPv4 (single-stack)
        • External IPv4 address: Ephemeral

        To create backend VMs with IPv6-only network interfaces, configure the following fields:

        • Network: lb-network
        • Subnetwork: lb-subnet
        • IP stack type: IPv6 (single-stack)
        • External IPv6 address: Auto-allocate
    7. Click Create.

  2. Create a managed instance group. Go to the Instance groups page in the Google Cloud console.

    Go to Instance groups

    1. Click Create instance group.
    2. Select New managed instance group (stateless). For more information, see Stateless or stateful MIGs.
    3. For the Name, enter ig-us-tcp-80.
    4. Under Location, select Single zone.
    5. For the Region, select us-central1.
    6. For the Zone, select us-central1-a.
    7. Under Instance template, select ig-us-template-tcp-80.
    8. Specify the number of instances that you want to create in the group.

      For this example, specify the following options under Autoscaling:

      • For Autoscaling mode, select Off: do not autoscale.
      • For Maximum number of instances, enter 2.
    9. Click Create.

gcloud

The gcloud instructions in this guide assume that you are using Cloud Shell or another environment with bash installed.

  1. Create a VM instance template with HTTP server with the gcloud compute instance-templates create command.

    To create backend VMs with dual-stack network interfaces, use the following command.

    Note: Set --ipv6-network-tier to PREMIUM only if you are creating the VMs in subnets with ipv6-access-type set to EXTERNAL. Omit the flag if the subnet's ipv6-access-type is INTERNAL.

      gcloud compute instance-templates create ig-us-template-tcp-80 \
          --region=us-central1 \
          --network=lb-network \
          --subnet=lb-subnet \
          --ipv6-network-tier=PREMIUM \
          --stack-type=IPV4_IPV6 \
          --tags=network-lb-tcp-80 \
          --image-family=debian-12 \
          --image-project=debian-cloud \
          --metadata=startup-script='#! /bin/bash
      apt-get update
      apt-get install apache2 -y
      a2ensite default-ssl
      a2enmod ssl
      vm_hostname="$(curl -H "Metadata-Flavor:Google" \
      http://metadata.google.internal/computeMetadata/v1/instance/name)"
      echo "Page served from: $vm_hostname" | \
      tee /var/www/html/index.html
      systemctl restart apache2'

    To create backend VMs with IPv4-only network interfaces, use the following command.

      gcloud compute instance-templates create ig-us-template-tcp-80 \
          --region=us-central1 \
          --network=lb-network \
          --subnet=lb-subnet \
          --stack-type=IPV4_ONLY \
          --tags=network-lb-tcp-80 \
          --image-family=debian-12 \
          --image-project=debian-cloud \
          --metadata=startup-script='#! /bin/bash
      apt-get update
      apt-get install apache2 -y
      a2ensite default-ssl
      a2enmod ssl
      vm_hostname="$(curl -H "Metadata-Flavor:Google" \
      http://metadata.google.internal/computeMetadata/v1/instance/name)"
      echo "Page served from: $vm_hostname" | \
      tee /var/www/html/index.html
      systemctl restart apache2'

    To create backend VMs with IPv6-only network interfaces, use the following command.

    Note: Set --ipv6-network-tier to PREMIUM only if you are creating the VMs in subnets with ipv6-access-type set to EXTERNAL. Omit the flag if the subnet's ipv6-access-type is INTERNAL.

      gcloud compute instance-templates create ig-us-template-tcp-80 \
          --region=us-central1 \
          --network=lb-network \
          --subnet=lb-subnet \
          --ipv6-network-tier=PREMIUM \
          --stack-type=IPV6_ONLY \
          --tags=network-lb-tcp-80 \
          --image-family=debian-12 \
          --image-project=debian-cloud \
          --metadata=startup-script='#! /bin/bash
      apt-get update
      apt-get install apache2 -y
      a2ensite default-ssl
      a2enmod ssl
      vm_hostname="$(curl -H "Metadata-Flavor:Google" \
      http://metadata.google.internal/computeMetadata/v1/instance/name)"
      echo "Page served from: $vm_hostname" | \
      tee /var/www/html/index.html
      systemctl restart apache2'

  2. Create a managed instance group in the zone with the gcloud compute instance-groups managed create command.

      gcloud compute instance-groups managed create ig-us-tcp-80 \
          --zone us-central1-a \
          --size 2 \
          --template ig-us-template-tcp-80

Create the instance group for TCP on port 8080, UDP, ESP, and ICMP traffic

Console

  1. Create an instance template. In the Google Cloud console, go to the Instance templates page.

    Go to Instance templates

    1. Click Create instance template.
    2. For the Name, enter ig-us-template-l3-default.
    3. Ensure that the Boot disk is set to a Debian image, such as Debian GNU/Linux 12 (bookworm). These instructions use commands that are only available on Debian, such as apt-get.
    4. Expand the Advanced options section.
    5. Expand the Management section, and then copy the following script into the Startup script field. The startup script also configures the Apache server to listen on port 8080 instead of port 80.

      #! /bin/bash
      apt-get update
      apt-get install apache2 -y
      a2ensite default-ssl
      a2enmod ssl
      vm_hostname="$(curl -H "Metadata-Flavor:Google" \
      http://metadata.google.internal/computeMetadata/v1/instance/name)"
      echo "Page served from: $vm_hostname" | \
      tee /var/www/html/index.html
      sed -ire 's/^Listen 80$/Listen 8080/g' /etc/apache2/ports.conf
      systemctl restart apache2

    6. Expand the Networking section, and then specify the following:

      1. For Network tags, add network-lb-l3-default.
      2. For Network interfaces, select the default network interface.

        To create backend VMs with dual-stack network interfaces, configure the following fields:

        • Network: lb-network
        • Subnetwork: lb-subnet
        • IP stack type: IPv4 and IPv6 (dual-stack)
        • External IPv4 address: Ephemeral
        • External IPv6 address: Auto-allocate

        To create backend VMs with IPv4-only network interfaces, configure the following fields:

        • Network: lb-network
        • Subnetwork: lb-subnet
        • IP stack type: IPv4 (single-stack)
        • External IPv4 address: Ephemeral

        To create backend VMs with IPv6-only network interfaces, configure the following fields:

        • Network: lb-network
        • Subnetwork: lb-subnet
        • IP stack type: IPv6 (single-stack)
        • External IPv6 address: Auto-allocate
    7. Click Create.

  2. Create a managed instance group. Go to the Instance groups page in the Google Cloud console.

    Go to Instance groups

    1. Click Create instance group.
    2. Choose New managed instance group (stateless). For more information, see Stateless or stateful MIGs.
    3. For the Name, enter ig-us-l3-default.
    4. Under Location, select Single zone.
    5. For the Region, select us-central1.
    6. For the Zone, select us-central1-c.
    7. Under Instance template, select ig-us-template-l3-default.
    8. Specify the number of instances that you want to create in the group.

      For this example, specify the following options under Autoscaling:

      • For Autoscaling mode, select Off: do not autoscale.
      • For Maximum number of instances, enter 2.
    9. Click Create.

gcloud

The gcloud instructions in this guide assume that you are using Cloud Shell or another environment with bash installed.

  1. Create a VM instance template with HTTP server with the gcloud compute instance-templates create command.

    The startup script also configures the Apache server to listen on port 8080 instead of port 80.

    To create backend VMs with dual-stack network interfaces, use the following command.

      gcloud compute instance-templates create ig-us-template-l3-default \
          --region=us-central1 \
          --network=lb-network \
          --subnet=lb-subnet \
          --ipv6-network-tier=PREMIUM \
          --stack-type=IPV4_IPV6 \
          --tags=network-lb-l3-default \
          --image-family=debian-12 \
          --image-project=debian-cloud \
          --metadata=startup-script='#! /bin/bash
      apt-get update
      apt-get install apache2 -y
      a2ensite default-ssl
      a2enmod ssl
      vm_hostname="$(curl -H "Metadata-Flavor:Google" \
      http://metadata.google.internal/computeMetadata/v1/instance/name)"
      echo "Page served from: $vm_hostname" | \
      tee /var/www/html/index.html
      sed -ire "s/^Listen 80$/Listen 8080/g" /etc/apache2/ports.conf
      systemctl restart apache2'

    To create backend VMs with IPv4-only interfaces, use the following command.

      gcloud compute instance-templates create ig-us-template-l3-default \
          --region=us-central1 \
          --network=lb-network \
          --subnet=lb-subnet \
          --stack-type=IPV4_ONLY \
          --tags=network-lb-l3-default \
          --image-family=debian-12 \
          --image-project=debian-cloud \
          --metadata=startup-script='#! /bin/bash
      apt-get update
      apt-get install apache2 -y
      a2ensite default-ssl
      a2enmod ssl
      vm_hostname="$(curl -H "Metadata-Flavor:Google" \
      http://metadata.google.internal/computeMetadata/v1/instance/name)"
      echo "Page served from: $vm_hostname" | \
      tee /var/www/html/index.html
      sed -ire "s/^Listen 80$/Listen 8080/g" /etc/apache2/ports.conf
      systemctl restart apache2'

    To create backend VMs with IPv6-only network interfaces, use the following command.

      gcloud compute instance-templates create ig-us-template-l3-default \
          --region=us-central1 \
          --network=lb-network \
          --subnet=lb-subnet \
          --ipv6-network-tier=PREMIUM \
          --stack-type=IPV6_ONLY \
          --tags=network-lb-l3-default \
          --image-family=debian-12 \
          --image-project=debian-cloud \
          --metadata=startup-script='#! /bin/bash
      apt-get update
      apt-get install apache2 -y
      a2ensite default-ssl
      a2enmod ssl
      vm_hostname="$(curl -H "Metadata-Flavor:Google" \
      http://metadata.google.internal/computeMetadata/v1/instance/name)"
      echo "Page served from: $vm_hostname" | \
      tee /var/www/html/index.html
      sed -ire "s/^Listen 80$/Listen 8080/g" /etc/apache2/ports.conf
      systemctl restart apache2'

  2. Create a managed instance group in the zone with the gcloud compute instance-groups managed create command.

      gcloud compute instance-groups managed create ig-us-l3-default \
          --zone us-central1-c \
          --size 2 \
          --template ig-us-template-l3-default

Configure firewall rules

Create the following firewall rules:

  • Firewall rules that allow external TCP traffic to reach backend instances in the ig-us-tcp-80 instance group on port 80 (using target tag network-lb-tcp-80). Create separate firewall rules to allow IPv4 and IPv6 traffic.
  • Firewall rules that allow other external traffic (TCP on port 8080, UDP, ESP, and ICMP) to reach backend instances in the ig-us-l3-default instance group (using target tag network-lb-l3-default). Create separate firewall rules to allow IPv4 and IPv6 traffic.

This example creates firewall rules that allow traffic from all source ranges to reach your backend instances on the configured ports. If you want to create separate firewall rules specifically for the health check probes, use the source IP address ranges documented in the Health checks overview: Probe IP ranges and firewall rules.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. To allow IPv4 TCP traffic to reach backends in the ig-us-tcp-80 instance group, create the following firewall rule.

    1. Click Create firewall rule.
    2. Enter a Name of allow-network-lb-tcp-80-ipv4.
    3. Select the Network that the firewall rule applies to (Default).
    4. Under Targets, select Specified target tags.
    5. In the Target tags field, enter network-lb-tcp-80.
    6. Set Source filter to IPv4 ranges.
    7. Set the Source IPv4 ranges to 0.0.0.0/0, which allows traffic from any source. This allows both external traffic and health check probes to reach the backend instances.
    8. Under Protocols and ports, select Specified protocols and ports. Then select the TCP checkbox and enter 80.
    9. Click Create. It might take a moment for the Console to display the new firewall rule, or you might have to click Refresh to see the rule.
  3. To allow IPv4 UDP, ESP, and ICMP traffic to reach backends in the ig-us-l3-default instance group, create the following firewall rule.

    1. Click Create firewall rule.
    2. Enter a Name of allow-network-lb-l3-default-ipv4.
    3. Select the Network that the firewall rule applies to (Default).
    4. Under Targets, select Specified target tags.
    5. In the Target tags field, enter network-lb-l3-default.
    6. Set Source filter to IPv4 ranges.
    7. Set the Source IPv4 ranges to 0.0.0.0/0, which allows traffic from any source. This allows both external traffic and health check probes to reach the backend instances.
    8. Under Protocols and ports, select Specified protocols and ports.
      1. Select the TCP checkbox and enter 8080.
      2. Select the UDP checkbox.
      3. Select the Other checkbox and enter esp, icmp.
    9. Click Create. It might take a moment for the Console to display the new firewall rule, or you might have to click Refresh to see the rule.
  4. To allow IPv6 TCP traffic to reach backends in the ig-us-tcp-80 instance group, create the following firewall rule.

    1. Click Create firewall rule.
    2. Enter a Name of allow-network-lb-tcp-80-ipv6.
    3. Select the Network that the firewall rule applies to (Default).
    4. Under Targets, select Specified target tags.
    5. In the Target tags field, enter network-lb-tcp-80.
    6. Set Source filter to IPv6 ranges.
    7. Set the Source IPv6 ranges to ::/0, which allows traffic from any source. This allows both external traffic and health check probes to reach the backend instances.
    8. Under Protocols and ports, select Specified protocols and ports. Click the checkbox next to TCP and enter 80.
    9. Click Create. It might take a moment for the Console to display the new firewall rule, or you might have to click Refresh to see the rule.
  5. To allow IPv6 UDP, ESP, and ICMPv6 traffic to reach backends in the ig-us-l3-default instance group, create the following firewall rule. This firewall rule also allows TCP health check probes to reach the instances on port 8080.

    1. Click Create firewall rule.
    2. Enter a Name of allow-network-lb-l3-default-ipv6.
    3. Select the Network that the firewall rule applies to (Default).
    4. Under Targets, select Specified target tags.
    5. In the Target tags field, enter network-lb-l3-default.
    6. Set Source filter to IPv6 ranges.
    7. Set the Source IPv6 ranges to ::/0, which allows traffic from any source. This allows both external traffic and health check probes to reach the backend instances.
    8. Under Protocols and ports, select Specified protocols and ports.
      1. Click the checkbox next to TCP and enter 8080.
      2. Click the checkbox next to UDP.
      3. Click the checkbox next to Other and enter esp, 58.
    9. Click Create. It might take a moment for the Console to display the new firewall rule, or you might have to click Refresh to see the rule.

gcloud

  1. To allow IPv4 TCP traffic to reach backends in the ig-us-tcp-80 instance group, create the following firewall rule.

    gcloud compute firewall-rules create allow-network-lb-tcp-80-ipv4 \
        --network=lb-network \
        --target-tags network-lb-tcp-80 \
        --allow tcp:80 \
        --source-ranges=0.0.0.0/0

  2. To allow IPv4 UDP, ESP, and ICMP traffic to reach backends in the ig-us-l3-default instance group, create the following firewall rule. This firewall rule also allows TCP health check probes to reach the instances on port 8080.

    gcloud compute firewall-rules create allow-network-lb-l3-default-ipv4 \
        --network=lb-network \
        --target-tags network-lb-l3-default \
        --allow tcp:8080,udp,esp,icmp \
        --source-ranges=0.0.0.0/0

  3. To allow IPv6 TCP traffic to reach backends in the ig-us-tcp-80 instance group, create the following firewall rule.

    gcloud compute firewall-rules create allow-network-lb-tcp-80-ipv6 \
        --network=lb-network \
        --target-tags network-lb-tcp-80 \
        --allow tcp:80 \
        --source-ranges=::/0

  4. To allow IPv6 UDP, ESP, and ICMPv6 traffic to reach backends in the ig-us-l3-default instance group, create the following firewall rule. This firewall rule also allows TCP health check probes to reach the instances on port 8080.

    gcloud compute firewall-rules create allow-network-lb-l3-default-ipv6 \
        --network=lb-network \
        --target-tags network-lb-l3-default \
        --allow tcp:8080,udp,esp,58 \
        --source-ranges=::/0
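
The following bash model is an added example, not part of the original guide. It shows how a packet sent to the shared external IP address is first matched by one of the two forwarding rules described at the top of this guide and then evaluated against the four firewall rules created in this section. Rule names, network tags and --allow values are copied from this page; the function names, the sample packets and the protocol name-to-number table are assumptions of the example, and the backends are assumed to be covered only by these four rules plus the VPC implied deny-ingress rule.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide. Rule names, network tags and
# --allow values are copied from this page; function names are hypothetical.

# Map a protocol name or number to its IANA protocol number.
proto_num() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    icmp) echo 1 ;;
    tcp) echo 6 ;;
    udp) echo 17 ;;
    gre) echo 47 ;;
    esp) echo 50 ;;
    icmpv6) echo 58 ;;
    *[!0-9]*|'') return 1 ;;   # unknown name
    *) echo "$1" ;;            # already a number
  esac
}

# forwarding_rule PROTO [PORT]
# The TCP rule matches only TCP port 80; the L3_DEFAULT rule receives all
# other traffic sent to the same external IP address.
forwarding_rule() {
  if [ "$(proto_num "$1")" = 6 ] && [ "${2:-}" = 80 ]; then
    echo forwarding-rule-tcp-80
  else
    echo forwarding-rule-l3-default
  fi
}

# allow_matches SPEC PROTO [PORT]
# Succeeds if the packet is covered by a gcloud --allow value such as
# "tcp:8080,udp,esp,58" (comma-separated PROTOCOL[:PORT[-PORT]] entries).
allow_matches() {
  local spec="$1" port="${3:-}" want entry eproto eports lo hi
  want=$(proto_num "$2") || return 1
  local IFS=,
  for entry in $spec; do
    eproto=${entry%%:*}
    eports=
    case $entry in *:*) eports=${entry#*:} ;; esac
    if [ "$(proto_num "$eproto")" != "$want" ]; then continue; fi
    if [ -z "$eports" ]; then return 0; fi   # no port list: all ports
    if [ -z "$port" ]; then continue; fi
    lo=${eports%%-*}
    hi=${eports##*-}
    if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then return 0; fi
  done
  return 1
}

# Firewall rules created in this guide: NAME|IP_VERSION|TARGET_TAG|ALLOW
FIREWALL_RULES='allow-network-lb-tcp-80-ipv4|ipv4|network-lb-tcp-80|tcp:80
allow-network-lb-l3-default-ipv4|ipv4|network-lb-l3-default|tcp:8080,udp,esp,icmp
allow-network-lb-tcp-80-ipv6|ipv6|network-lb-tcp-80|tcp:80
allow-network-lb-l3-default-ipv6|ipv6|network-lb-l3-default|tcp:8080,udp,esp,58'

# verdict IPVER PROTO [PORT]
# Prints "<forwarding rule> <firewall rule or implied-deny-ingress> ALLOW|DENY".
verdict() {
  local ipver="$1" proto="$2" port="${3:-}" fr tag name ver rtag allow
  fr=$(forwarding_rule "$proto" "$port")
  # Backends behind each forwarding rule carry their template's network tag.
  case $fr in
    forwarding-rule-tcp-80) tag=network-lb-tcp-80 ;;
    *) tag=network-lb-l3-default ;;
  esac
  while IFS='|' read -r name ver rtag allow; do
    if [ "$ver" = "$ipver" ] && [ "$rtag" = "$tag" ] &&
       allow_matches "$allow" "$proto" "$port"; then
      echo "$fr $name ALLOW"
      return 0
    fi
  done <<EOF
$FIREWALL_RULES
EOF
  echo "$fr implied-deny-ingress DENY"
}

# Constructed sample packets addressed to the shared external IP address.
for pkt in "ipv4 tcp 80" "ipv4 tcp 8080" "ipv4 tcp 22" "ipv4 udp 500" \
           "ipv4 esp" "ipv4 gre" "ipv6 icmpv6" "ipv6 icmp"; do
  # Unquoted on purpose: split "ipv4 tcp 80" into three arguments.
  printf '%-14s -> %s\n' "$pkt" "$(verdict $pkt)"
done
```

In this model GRE and TCP port 22 both reach forwarding-rule-l3-default but are dropped at the backend because no example firewall rule allows them, while UDP is allowed on every port from any source. Tightening --allow and --source-ranges is therefore what bounds the exposure of the L3_DEFAULT backends.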

Configure the load balancers

Next, set up two load balancers. Configure both load balancers to use the same external IP address for the forwarding rules where one load balancer handles TCP traffic on port 80, and the other load balancer handles TCP, UDP, ESP, and ICMP traffic on port 8080.

When you configure a load balancer, your backend VM instances receive packets that are destined for the static external IP address you configure. If you are using an image provided by Compute Engine, your instances are automatically configured to handle this IP address. If you are using any other image, you must configure this address as an alias on eth0 or as a loopback on each instance.

To set up two load balancers, use the following instructions.

Console

Start your configuration

  1. In the Google Cloud console, go to the Load balancing page.

    Go to Load balancing

  2. Click Create load balancer.
  3. For Type of load balancer, select Network Load Balancer (TCP/UDP/SSL) and click Next.
  4. For Proxy or passthrough, select Passthrough load balancer and click Next.
  5. For Public facing or internal, select Public facing (external) and click Next.
  6. Click Configure.

Basic configuration

  1. In the Name field, enter the name backend-service-tcp-80 for the new load balancer.
  2. In the Region list, select us-central1.

Backend configuration

  1. Click Backend configuration.
  2. On the Backend configuration page, do the following:
    1. In the Health check list, click Create a health check, and then enter the following information:
      • Name: tcp-health-check-80
      • Protocol: TCP
      • Port: 80
    2. Click Create.
    3. In the New Backend section, select the IP stack type.
    4. In the Instance group list, select ig-us-tcp-80, and then click Done.
  3. Verify that there is a blue checkmark next to Backend configuration before continuing.

Frontend configuration

  1. Click Frontend configuration.
  2. In the Name field, enter forwarding-rule-tcp-80.
  3. To handle IPv4 traffic, use the following steps:
    1. For IP version, select IPv4.
    2. In the Internal IP purpose section, in the IP address list, select Create IP address.
      1. In the Name field, enter network-lb-ipv4.
      2. Click Reserve.
    3. For Ports, choose Single. In the Port number field, enter 80.
    4. Click Done.
  4. To handle IPv6 traffic, use the following steps:

    1. For IP version, select IPv6.
    2. For Subnetwork, select lb-subnet.
    3. In the IPv6 range list, select Create IP address.
      1. In the Name field, enter network-lb-ipv6.
      2. Click Reserve.
    4. For Ports, choose Single. In the Port number field, enter 80.
    5. Click Done.

    A blue circle with a checkmark to the left of Frontend configuration indicates a successful setup.

Review the configuration

  1. Click Review and finalize.
  2. Review your load balancer configuration settings.
  3. Optional: Click Equivalent code to view the REST API request that will be used to create the load balancer.
  4. Click Create.

    On the load balancing page, under the Backend column for your new load balancer, you see a green checkmark showing that the new load balancer is healthy.

Create the second load balancer

Start your configuration

  1. In the Google Cloud console, go to the Load balancing page.

    Go to Load balancing

  2. Click Create load balancer.
  3. For Type of load balancer, select Network Load Balancer (TCP/UDP/SSL) and click Next.
  4. For Proxy or passthrough, select Passthrough load balancer and click Next.
  5. For Public facing or internal, select Public facing (external) and click Next.
  6. Click Configure.

Basic configuration

  1. In the Name field, enter the name backend-service-l3-default for the new load balancer.
  2. In the Region list, select us-central1.

Backend configuration

  1. Click Backend configuration.
  2. On the Backend configuration page, do the following:
    1. In the Health check list, click Create a health check, and then enter the following information:
      • Name: tcp-health-check-8080
      • Protocol: TCP
      • Port: 8080
    2. Click Create.
    3. In the New Backend section, select the IP stack type. If you created dual-stack backends to handle both IPv4 and IPv6 traffic, select IPv4 and IPv6 (dual-stack). To handle IPv4 traffic only, select IPv4 (single-stack).
    4. In the Instance group list, select ig-us-l3-default, and then click Done.
    5. In the Protocols list, select L3 (Multiple protocols).
  3. Verify that there is a blue checkmark next to Backend configuration before continuing.

Frontend configuration

  1. Click Frontend configuration.
  2. In the Name field, enter forwarding-rule-l3-default.
  3. To handle IPv4 traffic, use the following steps:
    1. For IP version, select IPv4.
    2. In the Internal IP purpose section, in the IP address list, select Create IP address.
      1. In the Name field, enter network-lb-ipv4.
      2. Click Reserve.
    3. In the Protocol list, select L3 (Multiple protocols).
    4. For Ports, choose All.
    5. Click Done.
  4. To handle IPv6 traffic, use the following steps:

    1. For IP version, select IPv6.
    2. For Subnetwork, select lb-subnet.
    3. In the IPv6 range list, select Create IP address.
      1. In the Name field, enter network-lb-ipv6.
      2. Click Reserve.
    4. In the Protocol field, select L3 (Multiple protocols).
    5. For Ports, select All.
    6. Click Done.

    A blue circle with a checkmark to the left of Frontend configuration indicates a successful setup.

Review the configuration

  1. Click Review and finalize.
  2. Review your load balancer configuration settings.
  3. Optional: Click Equivalent code to view the REST API request that will be used to create the load balancer.
  4. Click Create.

    On the load balancing page, under the Backend column for your new load balancer, you see a green checkmark showing that the new load balancer is healthy.

gcloud

  1. Reserve a static external IP address.

    For IPv4 traffic: Create a static external IP address for your load balancers.

    gcloud compute addresses create network-lb-ipv4 \
        --region us-central1

    For IPv6 traffic: Create a static external IPv6 address range for your load balancers. The subnet used must be a dual-stack subnet with an external IPv6 subnet range.

    gcloud compute addresses create network-lb-ipv6 \
        --region us-central1 \
        --subnet lb-subnet \
        --ip-version IPV6 \
        --endpoint-type NETLB

  2. Create a TCP health check for port 80. This health check is used to verify the health of backends in the ig-us-tcp-80 instance group.

    gcloud compute health-checks create tcp tcp-health-check-80 \
        --region us-central1 \
        --port 80

  3. Create a TCP health check for port 8080. This health check is used to verify the health of backends in the ig-us-l3-default instance group.

    gcloud compute health-checks create tcp tcp-health-check-8080 \
        --region us-central1 \
        --port 8080

  4. Create the first load balancer for TCP traffic on port 80.

    1. Create a backend service with the protocol set to TCP.

      gcloud compute backend-services create backend-service-tcp-80 \
          --protocol TCP \
          --health-checks tcp-health-check-80 \
          --health-checks-region us-central1 \
          --region us-central1

    2. Add the backend instance group to the backend service.

      gcloud compute backend-services add-backend backend-service-tcp-80 \
          --instance-group ig-us-tcp-80 \
          --instance-group-zone us-central1-a \
          --region us-central1

    3. For IPv4 traffic: Create a forwarding rule to route incoming TCP traffic on port 80 to the backend service. TCP is the default forwarding rule protocol and does not need to be set explicitly.

      Use the IP address reserved in step 1 as the static external IP address of the load balancer.

      gcloud compute forwarding-rules create forwarding-rule-tcp-80 \
          --load-balancing-scheme external \
          --region us-central1 \
          --ports 80 \
          --address network-lb-ipv4 \
          --backend-service backend-service-tcp-80

    4. For IPv6 traffic: Create a forwarding rule to route incoming TCP traffic on port 80 to the backend service. TCP is the default forwarding rule protocol and does not need to be set explicitly.

      Use the IPv6 address range reserved in step 1 as the static external IP address of the load balancer. The subnet used must be a dual-stack subnet with an external IPv6 subnet range.

      gcloud compute forwarding-rules create forwarding-rule-tcp-80 \
          --load-balancing-scheme external \
          --region us-central1 \
          --network-tier PREMIUM \
          --ip-version IPV6 \
          --subnet lb-subnet \
          --address network-lb-ipv6 \
          --ports 80 \
          --backend-service backend-service-tcp-80

  5. Create the second load balancer for TCP on port 8080, UDP, ESP, and ICMP traffic.

    1. Create a backend service with the protocol set to UNSPECIFIED.

      gcloud compute backend-services create backend-service-l3-default \
          --protocol UNSPECIFIED \
          --health-checks tcp-health-check-8080 \
          --health-checks-region us-central1 \
          --region us-central1

    2. Add the backend instance group to the backend service.

      gcloud compute backend-services add-backend backend-service-l3-default \
          --instance-group ig-us-l3-default \
          --instance-group-zone us-central1-c \
          --region us-central1

    3. For IPv4 traffic: Create a forwarding rule with the protocol set to L3_DEFAULT to handle all remaining supported IP protocol traffic (TCP on port 8080, UDP, ESP, and ICMP). All ports must be configured with L3_DEFAULT forwarding rules.

      Use the same external IPv4 address that you used for the previous load balancer.

      gcloud compute forwarding-rules create forwarding-rule-l3-default \
          --load-balancing-scheme external \
          --region us-central1 \
          --ports all \
          --ip-protocol L3_DEFAULT \
          --address network-lb-ipv4 \
          --backend-service backend-service-l3-default

    4. For IPv6 traffic: Create a forwarding rule with the protocol set to L3_DEFAULT to handle all remaining supported IP protocol traffic (TCP on port 8080, UDP, ESP, and ICMP). All ports must be configured with L3_DEFAULT forwarding rules.

      Use the IPv6 address range reserved in step 1 as the static external IP address of the load balancer. The subnet used must be a dual-stack subnet with an external IPv6 subnet range.

      gcloud compute forwarding-rules create forwarding-rule-l3-default \
          --load-balancing-scheme external \
          --region us-central1 \
          --network-tier PREMIUM \
          --ip-version IPV6 \
          --subnet lb-subnet \
          --address network-lb-ipv6 \
          --ports all \
          --ip-protocol L3_DEFAULT \
          --backend-service backend-service-l3-default

Test the load balancer

Now that the load balancing service is configured, you can start sending traffic to the load balancer's external IP address and watch traffic get distributed to the backend instances.

Look up the load balancer's external IP address

Console

  1. In the Google Cloud console, go to the Load balancing components page.

    Go to Load balancing components

  2. On the Forwarding Rules tab, locate the forwarding rules used by the load balancer.

  3. In the IP Address column, note the external IP address listed for each IPv4 and IPv6 forwarding rule.

gcloud: IPv4

Enter the following command to view the external IP address of the forwarding rule used by the load balancer.

gcloud compute forwarding-rules describe forwarding-rule-tcp-80 \
    --region us-central1

This example uses the same IP address for both IPv4 forwarding rules, so using forwarding-rule-l3-default also works.

gcloud: IPv6

Enter the following command to view the external IPv6 address of the forwarding-rule-tcp-80 forwarding rule used by the load balancer.

gcloud compute forwarding-rules describe forwarding-rule-tcp-80 \
    --region us-central1

This example uses the same IP address for both IPv6 forwarding rules, so using forwarding-rule-l3-default also works.

Send traffic to the load balancer

This procedure sends external traffic to the load balancer. Run the following tests to help ensure that TCP traffic on port 80 is being load-balanced by the ig-us-tcp-80 instance group while all other traffic (TCP on port 8080, UDP, ESP, and ICMP) is being handled by the ig-us-l3-default instance group.

Verifying behavior with TCP requests on port 80

  1. Make web requests (over TCP on port 80) to the load balancer using curl to contact its IP address.

    • From clients with IPv4 connectivity, run the following command:

      while true; do curl -m1 IP_ADDRESS; done

    • From clients with IPv6 connectivity, run the following command:

      while true; do curl -m1 http://IPV6_ADDRESS; done

      For example, if the assigned IPv6 address is [2001:db8:1:1:1:1:1:1/96], the command is similar to the following:

      while true; do curl -m1 http://[2001:db8:1:1:1:1:1:1]; done

  2. Note the text returned by the curl command. The name of the backend VM generating the response is displayed in that text, for example, Page served from: VM_NAME. Responses come only from instances in the ig-us-tcp-80 instance group.

    If your response is initially unsuccessful, you might need to wait approximately 30 seconds for the configuration to be fully loaded and for your instances to be marked healthy before trying again.

Verifying behavior with TCP requests on port 8080

Make web requests (over TCP on port 8080) to the load balancer using curl to contact its IP address.

  • From clients with IPv4 connectivity, run the following command:

    while true; do curl -m1 IPV4_ADDRESS:8080; done

  • From clients with IPv6 connectivity, run the following command:

    while true; do curl -m1 http://IPV6_ADDRESS:8080; done

    For example, if the assigned IPv6 address is [2001:db8:1:1:1:1:1:1/96], the command is similar to the following:

    while true; do curl -m1 http://[2001:db8:1:1:1:1:1:1]:8080; done

Note the text returned by the curl command. Responses come only from instances in the ig-us-l3-default instance group.

This shows that any traffic sent to the load balancer's IP address at port 8080 is handled only by backends in the ig-us-l3-default instance group.
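
A bounded variant of the curl checks for port 80 and port 8080, added here as an example and not part of the original guide: it samples the load balancer a fixed number of times, tallies the Page served from: responses per VM, and fails if any responder is outside the expected instance group. It assumes that VM names begin with the name of their instance group; the function names and sample VM names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the guide). Assumption: backend VM names start with
# the name of their instance group, e.g. ig-us-tcp-80-xxxx.

# sample_lb URL COUNT: request URL COUNT times, one response per line.
sample_lb() {
    i=0
    while [ "$i" -lt "$2" ]; do
        curl -s -m1 "$1" || true   # a timed-out request contributes nothing
        echo
        i=$((i + 1))
    done
}

# tally_backends PREFIX: read responses on stdin and print "<vm-name> <hits>"
# sorted by name. Returns non-zero if no backend answered or if any
# responding VM name does not start with PREFIX.
tally_backends() {
    awk -v prefix="$1" '
        /Page served from:/ {
            name = $NF
            hits[name]++
            seen++
            if (index(name, prefix) != 1) stray++
        }
        END {
            for (name in hits) print name, hits[name] | "sort"
            close("sort")
            exit (seen == 0 || stray > 0)
        }
    '
}

# Constructed responses standing in for real curl output.
sample_responses() {
    printf 'Page served from: %s\n' \
        ig-us-tcp-80-aaaa ig-us-tcp-80-bbbb ig-us-tcp-80-aaaa
}

# Offline demonstration on the constructed data:
sample_responses | tally_backends ig-us-tcp-80
# Against a real load balancer:
#   sample_lb "http://IPV4_ADDRESS" 20      | tally_backends ig-us-tcp-80
#   sample_lb "http://IPV4_ADDRESS:8080" 20 | tally_backends ig-us-l3-default
```
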

Verifying behavior with ICMP requests

To verify behavior with ICMP traffic, you capture output from the tcpdump command to confirm that only backend VMs in the ig-us-l3-default instance group are handling ICMP requests sent to the load balancer.

  1. Use SSH to connect to the backend VMs.

    1. In the Google Cloud console, go to the VM instances page.

      Go to the VM instances page

    2. In the list of virtual machine (VM) instances, click SSH in the row of the instance that you want to connect to.

  2. Run the following command to use tcpdump to start listening for ICMP traffic.

    sudo tcpdump icmp -w ~/icmpcapture.pcap -s0 -c 10000
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

    Leave the SSH window open.

  3. Repeat steps 1 and 2 for all four backend VMs.

  4. Make ICMP requests to the load balancer.

    To test the IPv4 responses, use ping to contact the load balancer's IPv4 address.

    ping IPV4_ADDRESS

    To test the IPv6 responses, use ping6 to contact the load balancer's IPv6 address.

    ping6 IPV6_ADDRESS

    For example, if the assigned IPv6 address is [2001:db8:1:1:1:1:1:1/96], the command is similar to the following:

    ping6 2001:db8:1:1:1:1:1:1

  5. Go back to each VM's open SSH window and stop the tcpdump capture command. You can use Ctrl+C to do this.

  6. For each VM, check the output of the tcpdump command in the icmpcapture.pcap file.

    sudo tcpdump -r ~/icmpcapture.pcap -n

    For backend VMs in the ig-us-l3-default instance group, you see file entries that are similar to the following:

    reading from file /home/[user-directory]/icmpcapture.pcap, link-type EN10MB (Ethernet)
    22:13:07.814486 IP 35.230.115.24 > 35.193.84.93: ICMP echo request, id 1995, seq 1, length 64
    22:13:07.814513 IP 35.193.84.93 > 35.230.115.24: ICMP echo reply, id 1995, seq 1, length 64
    22:13:08.816150 IP 35.230.115.24 > 35.193.84.93: ICMP echo request, id 1995, seq 2, length 64
    22:13:08.816175 IP 35.193.84.93 > 35.230.115.24: ICMP echo reply, id 1995, seq 2, length 64
    22:13:09.817536 IP 35.230.115.24 > 35.193.84.93: ICMP echo request, id 1995, seq 3, length 64
    22:13:09.817560 IP 35.193.84.93 > 35.230.115.24: ICMP echo reply, id 1995, seq 3, length 64
    ...

    For backend VMs in the ig-us-tcp-80 instance group, you see that no packets have been received and the file is blank:

    reading from file /home/[user-directory]/icmpcapture.pcap, link-type EN10MB (Ethernet)
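
The per-VM capture check in step 6 can be scripted instead of read by eye. The following is an added example, not part of the original guide: it parses the text output of tcpdump -r ... -n, pairs each echo request with its reply by source, destination, id and seq, and checks the result against the role the VM is expected to play. The function names and role labels are hypothetical; the sample lines are the ones shown above.

```shell
#!/bin/sh
# Added example (not from the guide). Parses IPv4 ICMP echo lines only, which
# is all that the capture filter "icmp" used in step 2 records.

# icmp_summary: read tcpdump text on stdin, print
#   "<echo requests> <echo replies> <requests with no matching reply>"
icmp_summary() {
    awk '
        $6 == "ICMP" && $7 == "echo" {
            dst = $5; sub(/:$/, "", dst)          # strip the trailing colon
            if ($8 == "request,") { req++; pending[$3 "|" dst "|" $10 "|" $12] = 1 }
            else if ($8 == "reply,") { rep++; delete pending[dst "|" $3 "|" $10 "|" $12] }
        }
        END { n = 0; for (k in pending) n++; printf "%d %d %d\n", req, rep, n }
    '
}

# check_capture ROLE: succeed only if the capture on stdin matches the role.
#   l3-default: saw echo requests and answered every one of them
#   tcp-80:     saw no ICMP echo traffic at all
check_capture() {
    role=$1
    set -- $(icmp_summary)
    case $role in
        l3-default) [ "$1" -gt 0 ] && [ "$3" -eq 0 ] ;;
        tcp-80)     [ "$1" -eq 0 ] && [ "$2" -eq 0 ] ;;
        *)          return 2 ;;
    esac
}

# Sample output for a VM in ig-us-l3-default, as shown in step 6.
sample_l3_capture() {
    cat <<'EOF'
reading from file /home/user/icmpcapture.pcap, link-type EN10MB (Ethernet)
22:13:07.814486 IP 35.230.115.24 > 35.193.84.93: ICMP echo request, id 1995, seq 1, length 64
22:13:07.814513 IP 35.193.84.93 > 35.230.115.24: ICMP echo reply, id 1995, seq 1, length 64
22:13:08.816150 IP 35.230.115.24 > 35.193.84.93: ICMP echo request, id 1995, seq 2, length 64
22:13:08.816175 IP 35.193.84.93 > 35.230.115.24: ICMP echo reply, id 1995, seq 2, length 64
22:13:09.817536 IP 35.230.115.24 > 35.193.84.93: ICMP echo request, id 1995, seq 3, length 64
22:13:09.817560 IP 35.193.84.93 > 35.230.115.24: ICMP echo reply, id 1995, seq 3, length 64
EOF
}

sample_l3_capture | icmp_summary
# On a backend VM:
#   sudo tcpdump -r ~/icmpcapture.pcap -n | check_capture l3-default
```
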

Additional configuration options

Create an IPv6 forwarding rule with BYOIP

The load balancer created in the previous steps is configured with forwarding rules with IP version as IPv4 or IPv6. This section provides instructions to create an IPv6 forwarding rule with bring your own IP (BYOIP) addresses.

Bring your own IP addresses lets you provision and use your own public IPv6 addresses for Google Cloud resources. For more information, see Bring your own IP addresses.

Before you start configuring an IPv6 forwarding rule with BYOIP addresses, you must complete the following steps:

  1. Create a public advertised IPv6 prefix
  2. Create public delegated prefixes
  3. Create IPv6 sub-prefixes
  4. Announce the prefix

To create a new forwarding rule, follow these steps:

Console

  1. In the Google Cloud console, go to the Load balancing page.

    Go to Load balancing.

  2. Click the name of the load balancer that you want to modify.
  3. Click Edit.
  4. Click Frontend configuration.
  5. Click Add frontend IP and port.
  6. In the New Frontend IP and port section, specify the following:
    1. Select the Protocol that you need.
    2. In the IP version field, select IPv6.
    3. In the Source of IPv6 range field, select BYOIP.
    4. In the IP collection list, select a sub-prefix created in the previous steps with the forwarding rule option enabled.
    5. In the IPv6 range field, enter the IPv6 address range. The IPv6 address range's prefix must match the allocatable prefix length specified by the associated sub-prefix.
    6. In the Ports field, enter a port number.
    7. Click Done.
  7. Click Update.

gcloud

Create the forwarding rule by using the gcloud compute forwarding-rules create command:

gcloud compute forwarding-rules create FWD_RULE_NAME \
    --load-balancing-scheme EXTERNAL \
    --ip-protocol PROTOCOL \
    --ports ALL \
    --ip-version IPV6 \
    --region REGION_A \
    --address IPV6_CIDR_RANGE \
    --backend-service BACKEND_SERVICE \
    --ip-collection PDP_NAME

Replace the following:

  • FWD_RULE_NAME: the name of the forwarding rule
  • PROTOCOL: the IP protocol for the forwarding rule. The default is TCP. For this example, the IP protocol can be one of TCP or L3_DEFAULT.
  • REGION_A: region for the forwarding rule
  • IPV6_CIDR_RANGE: the IPv6 address range that the forwarding rule serves. The IPv6 address range's prefix must match the allocatable prefix length specified by the associated sub-prefix.
  • BACKEND_SERVICE: the name of the backend service
  • PDP_NAME: the name of the public delegated prefix. The PDP must be a sub-prefix in the EXTERNAL_IPV6_FORWARDING_RULE_CREATION mode.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.