Set up a regional external proxy Network Load Balancer with hybrid connectivity

A regional external proxy Network Load Balancer is a proxy-based regional Layer 4 load balancer that enables you to run and scale your TCP service traffic in a single region behind an external regional IP address. These load balancers distribute external TCP traffic from the internet to backends in the same region.

This page describes how to configure a regional external proxy Network Load Balancer to load balance traffic to backends in on-premises environments or in other cloud environments that are connected by using hybrid connectivity. Configuring hybrid connectivity to connect your networks to Google Cloud is not in scope for this page.

Before you begin, read the External proxy Network Load Balancer overview.

Note: Regional external proxy Network Load Balancers support both the Premium and Standard Network Service Tiers. This procedure demonstrates the setup with Standard Tier.

In this example, we'll use the load balancer to distribute TCP traffic across backend VMs located on-premises or in other cloud environments.

In this example, you configure the deployment shown in the following diagram.

Figure: External proxy Network Load Balancer example configuration with hybrid NEG backends.

This is a regional load balancer. All load balancer components (backend instance group, backend service, target proxy, and forwarding rule) must be in the same region.

Permissions

To set up hybrid load balancing, you must have the following permissions:

  • On Google Cloud

    • Permissions to establish hybrid connectivity between Google Cloud and your on-premises environment or other cloud environments. For the list of permissions needed, see the relevant Network Connectivity product documentation.
    • Permissions to create a hybrid connectivity NEG and the load balancer. The Compute Load Balancer Admin role (roles/compute.loadBalancerAdmin) contains the permissions required to perform the tasks described in this guide.
  • On your on-premises environment or other non-Google Cloud cloud environment

    • Permissions to configure network endpoints that allow services on your on-premises environment or other cloud environments to be reachable from Google Cloud by using an IP:Port combination. For more information, contact your environment's network administrator.
    • Permissions to create firewall rules on your on-premises environment or other cloud environments to allow Google's health check probes to reach the endpoints.

Additionally, to complete the instructions on this page, you need to create a hybrid connectivity NEG, a load balancer, and zonal NEGs (and their endpoints) to serve as Google Cloud-based backends for the load balancer.

You should be either a project Owner or Editor, or you should have the following Compute Engine IAM roles.

Task                                                    Required role
Create networks, subnets, and load balancer components  Compute Network Admin (roles/compute.networkAdmin)
Add and remove firewall rules                           Compute Security Admin (roles/compute.securityAdmin)
Create instances                                        Compute Instance Admin (roles/compute.instanceAdmin)

Optional: Use BYOIP addresses

With bring your own IP (BYOIP), you can import your own public addresses to Google Cloud to use the addresses with Google Cloud resources. For example, if you import your own IPv4 addresses, you can assign one to the forwarding rule when you configure your load balancer. When you follow the instructions in this document to configure the load balancer, provide the BYOIP address as the IP address.

For more information about using BYOIP, see Bring your own IP addresses.

Establish hybrid connectivity

Your Google Cloud and on-premises environment or other cloud environments must be connected through hybrid connectivity by using either Cloud Interconnect VLAN attachments or Cloud VPN tunnels with Cloud Router or Router appliance VMs. We recommend that you use a high availability connection.

A Cloud Router enabled with global dynamic routing learns about the specific endpoint through Border Gateway Protocol (BGP) and programs it into your Google Cloud VPC network. Regional dynamic routing is not supported. Static routes are also not supported.

You can use either the same network or a different VPC network within the same project to configure both hybrid networking (Cloud Interconnect or Cloud VPN or a Router appliance VM) and the load balancer. Note the following:

  • If you use different VPC networks, the two networks must be connected by VPC Network Peering, or both must be VPC spokes on the same Network Connectivity Center hub.

  • If you use the same VPC network, ensure that your VPC network's subnet CIDR ranges don't conflict with your remote CIDR ranges. When IP addresses overlap, subnet routes are prioritized over remote connectivity.
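The overlap rule in the last bullet can be checked mechanically before any resource is created. The following POSIX shell script is an added example and not part of this Google Cloud documentation: it computes the first and last address of each CIDR block with integer arithmetic and reports every VPC range, including the proxy-only subnet 10.129.0.0/23 that is created later on this page, that overlaps a range reachable over hybrid connectivity. The VPC subnet 10.1.0.0/16 and the remote ranges 10.129.1.0/24 and 192.168.10.0/24 are constructed sample values.

```shell
#!/bin/sh
# Flag VPC subnet ranges (including the proxy-only subnet) that overlap the
# CIDR ranges reachable over hybrid connectivity. If they overlap, the subnet
# route wins and the remote endpoints become unreachable from the proxies.
# Added example, not part of the Google Cloud documentation; every range
# below is a constructed sample value.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( ($a << 24) | ($b << 16) | ($c << 8) | $d ))
}

# Print "first last" (as integers) for a CIDR block such as 10.0.0.0/8.
# A bare address is treated as a /32; a misaligned address is aligned down.
cidr_range() {
  case $1 in
    */*) addr=${1%/*}; bits=${1#*/} ;;
    *)   addr=$1;      bits=32 ;;
  esac
  base=$(ip_to_int "$addr")
  size=$(( 1 << (32 - $bits) ))
  start=$(( $base / $size * $size ))
  echo "$start $(( $start + $size - 1 ))"
}

# Succeed (exit 0) when two CIDR blocks share at least one address.
cidr_overlap() {
  set -- $(cidr_range "$1") $(cidr_range "$2")   # $1-$2 and $3-$4
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# Report every VPC range that overlaps a remote range; exit 1 if any does.
# Both arguments are whitespace-separated CIDR lists.
check_overlaps() {
  rc=0
  for v in $1; do
    for r in $2; do
      if cidr_overlap "$v" "$r"; then
        echo "CONFLICT: VPC $v overlaps remote $r (subnet route takes priority)"
        rc=1
      fi
    done
  done
  return $rc
}

# Constructed sample data: a hypothetical VPC subnet plus this page's
# proxy-only subnet, against hypothetical on-premises ranges.
VPC_RANGES="10.1.0.0/16 10.129.0.0/23"
REMOTE_RANGES="10.129.1.0/24 192.168.10.0/24"

check_overlaps "$VPC_RANGES" "$REMOTE_RANGES" \
  || echo "Resolve the overlapping ranges before configuring the load balancer."
```

With the sample values the script reports that 10.129.1.0/24 falls inside the proxy-only subnet 10.129.0.0/23 and exits non-zero; it is quiet and exits zero when no pair overlaps, so it can gate a deployment pipeline.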

For instructions, see the following documentation:

Important: Don't proceed with the instructions on this page until you set up hybrid connectivity between your environments.

Set up your environment that is outside Google Cloud

Perform the following steps to set up your on-premises environment or other cloud environment for hybrid load balancing:

  • Configure network endpoints to expose on-premises services to Google Cloud (IP:Port).
  • Configure firewall rules on your on-premises environment or other cloud environment.
  • Configure Cloud Router to advertise certain required routes to your private environment.

Set up network endpoints

After you set up hybrid connectivity, you configure one or more network endpoints within your on-premises environment or other cloud environments that are reachable through Cloud Interconnect or Cloud VPN or Router appliance by using an IP:port combination. This IP:port combination is configured as one or more endpoints for the hybrid connectivity NEG that is created in Google Cloud later on in this process.

If there are multiple paths to the IP endpoint, routing follows the behavior described in the Cloud Router overview.

Set up firewall rules

The following firewall rules must be created on your on-premises environment or other cloud environment:

  • Create an ingress allow firewall rule in on-premises or other cloud environments to allow traffic from the region's proxy-only subnet to reach the endpoints.
  • Allowing traffic from Google's health check probe ranges isn't required for hybrid NEGs. However, if you're using a combination of hybrid and zonal NEGs in a single backend service, you need to allow traffic from the Google health check probe ranges for the zonal NEGs.

Advertise routes

Configure Cloud Router to advertise the following custom IP ranges to your on-premises environment or other cloud environment:

  • The range of the region's proxy-only subnet.

Set up your Google Cloud environment

For the following steps, make sure that you use the same VPC network (called NETWORK in this procedure) that was used to configure hybrid connectivity between the environments. You can select any subnet from this network to reserve the load balancer's IP address and create the load balancer. This subnet is referred to as LB_SUBNET in this procedure.

Additionally, make sure that the region used (called REGION_A in this procedure) is the same region that was used to create the Cloud VPN tunnel or Cloud Interconnect VLAN attachment.

Configure the proxy-only subnet

A proxy-only subnet provides a set of IP addresses that Google uses to run Envoy proxies on your behalf. The proxies terminate connections from the client and create new connections to the backends.

This proxy-only subnet is used by all Envoy-based regional load balancers in the region (REGION_A) of the VPC network (NETWORK).

There can only be one active proxy-only subnet per region, per VPC network. You can skip this step if there's already a proxy-only subnet in this region.

Console

If you're using the Google Cloud console, you can wait and create the proxy-only subnet later on the Load balancing page.

If you want to create the proxy-only subnet now, use the following steps:

  1. In the Google Cloud console, go to the VPC networks page.

  2. Go to the network that was used to configure hybrid connectivity between the environments.

  3. Click Add subnet.

  4. For Name, enter proxy-only-subnet.

  5. For Region, select REGION_A.

  6. Set Purpose to Regional Managed Proxy.

  7. For IP address range, enter 10.129.0.0/23.

  8. Click Add.

gcloud

To create the proxy-only subnet, use the gcloud compute networks subnets create command:

gcloud compute networks subnets create proxy-only-subnet \
    --purpose=REGIONAL_MANAGED_PROXY \
    --role=ACTIVE \
    --region=REGION_A \
    --network=NETWORK \
    --range=10.129.0.0/23

Reserve the load balancer's IP address

Reserve a static IP address for the load balancer.

Console

  1. In the Google Cloud console, go to the Reserve a static address page.

  2. Choose a name for the new address.

  3. For Network Service Tier, select Standard.

  4. For IP version, select IPv4. IPv6 addresses are not supported.

  5. For Type, select Regional.

  6. For Region, select REGION_A.

  7. Leave the Attached to option set to None. After you create the load balancer, this IP address is attached to the load balancer's forwarding rule.

  8. Click Reserve to reserve the IP address.

gcloud

  1. To reserve a static external IP address, use the gcloud compute addresses create command:

    gcloud compute addresses create ADDRESS_NAME \
        --region=REGION_A \
        --network-tier=STANDARD

    Replace ADDRESS_NAME with the name that you want to call this address.

  2. To view the result, use the gcloud compute addresses describe command (the address is regional, so the region is required):

    gcloud compute addresses describe ADDRESS_NAME \
        --region=REGION_A

Set up the hybrid connectivity NEG

When you create the NEG, use a ZONE that minimizes the geographic distance between Google Cloud and your on-premises or other cloud environment. For example, if you are hosting a service in an on-premises environment in Frankfurt, Germany, you can specify the europe-west3-a Google Cloud zone when you create the NEG.

Moreover, the zone that you use to create the NEG should be in the same region where the Cloud VPN tunnel or the Cloud Interconnect VLAN attachment was configured for hybrid connectivity.

For the available regions and zones, see Available regions and zones in the Compute Engine documentation.

Console

Note: You can either create the hybrid connectivity NEG now, or you can wait to create it while configuring the load balancer's backend.

Create a hybrid connectivity NEG

  1. In the Google Cloud console, go to the Network endpoint groups page.

  2. Click Create network endpoint group.

  3. For Name, enter HYBRID_NEG_NAME.

  4. For Network endpoint group type, select Hybrid connectivity network endpoint group (Zonal).

  5. For Network, select NETWORK.

  6. For Subnet, select LB_SUBNET.

  7. For Zone, select HYBRID_NEG_ZONE.

  8. For Default port, select the default.

  9. For Maximum connections, enter 2.

  10. Click Create.

Add endpoints to the hybrid connectivity NEG

  1. In the Google Cloud console, go to the Network endpoint groups page.

  2. Click the name of the network endpoint group that you created in the previous step (HYBRID_NEG_NAME).

  3. On the Network endpoint group details page, in the Network endpoints in this group section, click Add network endpoint.

  4. On the Add network endpoint page, enter the IP address of the new network endpoint.

  5. Select the Port type:

    • If you select Default, the endpoint uses the default port for all endpoints in the network endpoint group.
    • If you select Custom, you can enter a different port number for the endpoint to use.

  6. To add more endpoints, click Add network endpoint and repeat the previous steps.

  7. After you add all the non-Google Cloud endpoints, click Create.

gcloud

  1. To create a hybrid connectivity NEG, use the gcloud compute network-endpoint-groups create command:

    gcloud compute network-endpoint-groups create HYBRID_NEG_NAME \
        --network-endpoint-type=NON_GCP_PRIVATE_IP_PORT \
        --zone=HYBRID_NEG_ZONE \
        --network=NETWORK

  2. Add the on-premises IP:Port endpoint to the hybrid NEG:

    gcloud compute network-endpoint-groups update HYBRID_NEG_NAME \
        --zone=HYBRID_NEG_ZONE \
        --add-endpoint="ip=ENDPOINT_IP_ADDRESS,port=ENDPOINT_PORT"

    You can use this command to add the network endpoints that you previously configured on-premises or in your cloud environment. Repeat --add-endpoint as many times as needed.

You can repeat these steps to create multiple hybrid NEGs if needed.

Configure the load balancer

Console

Start your configuration

  1. In the Google Cloud console, go to the Load balancing page.

  2. Click Create load balancer.
  3. For Type of load balancer, select Network Load Balancer (TCP/UDP/SSL) and click Next.
  4. For Proxy or passthrough, select Proxy load balancer and click Next.
  5. For Public facing or internal, select Public facing (external) and click Next.
  6. For Global or single region deployment, select Best for regional workloads and click Next.
  7. Click Configure.

Basic configuration

  1. For Name, enter a name for the load balancer.
  2. For Region, select REGION_A.
  3. For Network, select NETWORK.

Reserve a proxy-only subnet

Note: If you already created the proxy-only subnet, the Reserve subnet button isn't displayed. You can skip this section and continue with the steps in the Configure the backend section.

  1. Click Reserve subnet.
  2. For Name, enter proxy-only-subnet.
  3. For IP address range, enter 10.129.0.0/23.
  4. Click Add.

Configure the backend

  1. Click Backend configuration.
  2. For Backend type, select Hybrid connectivity network endpoint group (Zonal).
  3. For Protocol, select TCP.
  4. In the Health check list, click Create a health check, and then enter the following information:
    • In the Name field, enter a name for the health check.
    • In the Protocol list, select TCP.
    • In the Port list, enter 80.
  5. Click Create.
  6. For New backend, select the hybrid NEG that you created previously (HYBRID_NEG_NAME). Or, you can click Create a network endpoint group to create the hybrid NEG now. For guidance about configuring the NEG, see Set up the hybrid NEG.
  7. Retain the remaining default values, and then click Done.
  8. In the Google Cloud console, verify that there is a check mark next to Backend configuration. If not, double-check that you have completed all of the steps.

Configure the frontend

  1. Click Frontend configuration.
  2. For Name, enter a name for the forwarding rule.
  3. For Network Service Tier, select Standard.
  4. For IP address, select LB_IP_ADDRESS.
  5. For Port number, enter any port number from 1-65535. The forwarding rule only forwards packets with a matching destination port.
  6. Enable Proxy protocol only if it works with the service running on your on-premises or other cloud endpoints. For example, PROXY protocol doesn't work with the Apache HTTP Server software. For more information, see PROXY protocol.
  7. Click Done.
  8. In the Google Cloud console, verify that there is a check mark next to Frontend configuration. If not, double-check that you have completed all the previous steps.

Review and finalize

  1. Click Review and finalize.
  2. Double-check your settings.
  3. Click Create.

gcloud

  1. Create a regional health check for the backends:

    gcloud compute health-checks create tcp TCP_HEALTH_CHECK_NAME \
        --region=REGION_A \
        --use-serving-port

  2. Create a backend service:

    gcloud compute backend-services create BACKEND_SERVICE_NAME \
        --load-balancing-scheme=EXTERNAL_MANAGED \
        --protocol=TCP \
        --region=REGION_A \
        --health-checks=TCP_HEALTH_CHECK_NAME \
        --health-checks-region=REGION_A

  3. Add the hybrid NEG backend to the backend service:

    gcloud compute backend-services add-backend BACKEND_SERVICE_NAME \
        --network-endpoint-group=HYBRID_NEG_NAME \
        --network-endpoint-group-zone=HYBRID_NEG_ZONE \
        --region=REGION_A \
        --balancing-mode=CONNECTION \
        --max-connections=MAX_CONNECTIONS

    For MAX_CONNECTIONS, enter the maximum concurrent connections that the backend should handle.

  4. Create the target TCP proxy:

    gcloud compute target-tcp-proxies create TARGET_TCP_PROXY_NAME \
        --backend-service=BACKEND_SERVICE_NAME \
        --region=REGION_A

  5. Create the forwarding rule. Use the gcloud compute forwarding-rules create command. Replace FWD_RULE_PORT with a single port number from 1-65535. The forwarding rule only forwards packets with a matching destination port.

    gcloud compute forwarding-rules create FORWARDING_RULE \
        --load-balancing-scheme=EXTERNAL_MANAGED \
        --network=NETWORK \
        --network-tier=STANDARD \
        --address=LB_IP_ADDRESS \
        --ports=FWD_RULE_PORT \
        --region=REGION_A \
        --target-tcp-proxy=TARGET_TCP_PROXY_NAME \
        --target-tcp-proxy-region=REGION_A
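The gcloud steps in this section, together with the hybrid NEG creation and the repeated --add-endpoint flags from the Set up the hybrid connectivity NEG section, form one dependency chain that is easiest to keep correct as a single script. The following POSIX shell script is an added example, not code from the Google Cloud documentation. It validates the forwarding-rule port and every endpoint port against the 1-65535 range the page requires, expands a list of IP:PORT endpoints into the --add-endpoint flags, and then issues the gcloud commands in order. With DRY_RUN=1 (the default) it only prints the commands, so it runs without gcloud installed; set DRY_RUN=0 to create the resources. All resource names, the REGION_A / NETWORK / HYBRID_NEG_ZONE placeholders and the endpoint list are constructed values to replace. It relies on one gcloud behaviour the page does not mention: --address on forwarding-rules create accepts the name of a reserved address resource, so the literal IP is never looked up.

```shell
#!/bin/sh
# One-shot deployment of the regional external proxy Network Load Balancer
# with a hybrid NEG backend. Added example, not from the Google Cloud docs.
# DRY_RUN=1 prints each gcloud command; DRY_RUN=0 executes it.
# Every value below is a constructed placeholder; override via environment.
set -u

DRY_RUN=${DRY_RUN:-1}
REGION=${REGION:-REGION_A}                  # region of the VPN tunnel / VLAN attachment
NETWORK=${NETWORK:-NETWORK}                 # VPC network used for hybrid connectivity
HYBRID_NEG_ZONE=${HYBRID_NEG_ZONE:-HYBRID_NEG_ZONE}   # a zone inside REGION
ADDRESS_NAME=${ADDRESS_NAME:-onprem-lb-ipv4}
HYBRID_NEG_NAME=${HYBRID_NEG_NAME:-onprem-neg}
HEALTH_CHECK=${HEALTH_CHECK:-onprem-tcp-hc}
BACKEND_SERVICE=${BACKEND_SERVICE:-onprem-bes}
TARGET_PROXY=${TARGET_PROXY:-onprem-tcp-proxy}
FORWARDING_RULE=${FORWARDING_RULE:-onprem-fr}
FWD_RULE_PORT=${FWD_RULE_PORT:-443}
MAX_CONNECTIONS=${MAX_CONNECTIONS:-100}
# Constructed on-premises endpoints, "IP:PORT" separated by spaces.
ENDPOINTS=${ENDPOINTS:-"10.10.0.5:443 10.10.0.6:443"}

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Succeed only for an integer port in 1-65535 (forwarding rule and endpoints).
valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Expand "IP:PORT IP:PORT ..." into the repeated --add-endpoint flags that
# `gcloud compute network-endpoint-groups update` takes; reject bad ports.
endpoint_flags() {
  flags=
  for ep in $1; do
    ip=${ep%:*}
    port=${ep##*:}
    valid_port "$port" || { echo "malformed endpoint: $ep" >&2; return 1; }
    flags="$flags --add-endpoint=ip=$ip,port=$port"
  done
  echo "${flags# }"
}

deploy() {
  valid_port "$FWD_RULE_PORT" || { echo "FWD_RULE_PORT must be 1-65535" >&2; return 1; }
  neg_endpoints=$(endpoint_flags "$ENDPOINTS") || return 1

  # 1. Proxy-only subnet: one active per region per VPC network. If one
  #    already exists, gcloud returns an error that this script ignores.
  run gcloud compute networks subnets create proxy-only-subnet \
    --purpose=REGIONAL_MANAGED_PROXY --role=ACTIVE \
    --region="$REGION" --network="$NETWORK" --range=10.129.0.0/23

  # 2. Regional Standard Tier address for the frontend.
  run gcloud compute addresses create "$ADDRESS_NAME" \
    --region="$REGION" --network-tier=STANDARD

  # 3. Hybrid NEG and its on-premises IP:port endpoints.
  run gcloud compute network-endpoint-groups create "$HYBRID_NEG_NAME" \
    --network-endpoint-type=NON_GCP_PRIVATE_IP_PORT \
    --zone="$HYBRID_NEG_ZONE" --network="$NETWORK"
  # $neg_endpoints is intentionally unquoted so each flag is its own word.
  run gcloud compute network-endpoint-groups update "$HYBRID_NEG_NAME" \
    --zone="$HYBRID_NEG_ZONE" $neg_endpoints

  # 4. Regional TCP health check, backend service, and the NEG as backend.
  run gcloud compute health-checks create tcp "$HEALTH_CHECK" \
    --region="$REGION" --use-serving-port
  run gcloud compute backend-services create "$BACKEND_SERVICE" \
    --load-balancing-scheme=EXTERNAL_MANAGED --protocol=TCP \
    --region="$REGION" --health-checks="$HEALTH_CHECK" \
    --health-checks-region="$REGION"
  run gcloud compute backend-services add-backend "$BACKEND_SERVICE" \
    --network-endpoint-group="$HYBRID_NEG_NAME" \
    --network-endpoint-group-zone="$HYBRID_NEG_ZONE" --region="$REGION" \
    --balancing-mode=CONNECTION --max-connections="$MAX_CONNECTIONS"

  # 5. Target TCP proxy and forwarding rule. --address takes the name of the
  #    reserved address, so the IP is not looked up here.
  run gcloud compute target-tcp-proxies create "$TARGET_PROXY" \
    --backend-service="$BACKEND_SERVICE" --region="$REGION"
  run gcloud compute forwarding-rules create "$FORWARDING_RULE" \
    --load-balancing-scheme=EXTERNAL_MANAGED --network="$NETWORK" \
    --network-tier=STANDARD --address="$ADDRESS_NAME" \
    --ports="$FWD_RULE_PORT" --region="$REGION" \
    --target-tcp-proxy="$TARGET_PROXY" --target-tcp-proxy-region="$REGION"
}

deploy
```

Run it once with the default DRY_RUN=1 and read the nine printed commands against the steps above; the validation functions fail fast on a port outside 1-65535 or an endpoint without a port, which is where hand-edited gcloud invocations most often go wrong.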

Test your load balancer

Note: It might take a few minutes for the load balancer configuration to propagate after you first deploy it.

Now that you have configured your load balancer, you can test sending traffic to the load balancer's IP address.

  1. Get the load balancer's IP address.

    To get the IPv4 address, run the following command (the address is regional, so the region is required):

    gcloud compute addresses describe ADDRESS_NAME \
        --region=REGION_A

  2. Send traffic to your load balancer by running the following command. Replace LB_IP_ADDRESS with your load balancer's IPv4 address.

    curl -m1 LB_IP_ADDRESS:FWD_RULE_PORT

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.