Set up a regional external proxy Network Load Balancer with VM instance group backends

A regional external proxy Network Load Balancer is a proxy-based regional Layer 4 load balancer that lets you run and scale your TCP service traffic in a single region behind an external regional IP address. These load balancers distribute external TCP traffic from the internet to backends in the same region.

This guide contains instructions to set up a regional external proxy Network Load Balancer with a managed instance group (MIG) backend.

Before you begin, read the External proxy Network Load Balancer overview.

Note: Regional external proxy Network Load Balancers support both the Premium and Standard Network Service Tiers. This procedure demonstrates the setup with Standard Tier.

In this example, we'll use the load balancer to distribute TCP traffic across backend VMs in two zonal managed instance groups in Region A. For purposes of the example, the service is a set of Apache servers configured to respond on port 110. Many browsers don't allow port 110, so the testing section uses curl.

In this example, you configure the deployment shown in the following diagram.

External proxy Network Load Balancer example configuration with instance group backends.

A regional external proxy Network Load Balancer is a regional load balancer. All load balancer components (backend instance group, backend service, target proxy, and forwarding rule) must be in the same region.

Permissions

To follow this guide, you must be able to create instances and modify a network in a project. You must be either a project Owner or Editor, or you must have all of the following Compute Engine IAM roles.

  Task                                                     Required role
  Create networks, subnets, and load balancer components   Compute Network Admin (roles/compute.networkAdmin)
  Add and remove firewall rules                            Compute Security Admin (roles/compute.securityAdmin)
  Create instances                                         Compute Instance Admin (roles/compute.instanceAdmin)

For more information, see the following guides:

Optional: Use BYOIP addresses

With bring your own IP (BYOIP), you can import your own public addresses to Google Cloud to use the addresses with Google Cloud resources. For example, if you import your own IPv4 addresses, you can assign one to the forwarding rule when you configure your load balancer. When you follow the instructions in this document to configure the load balancer, provide the BYOIP address as the IP address.

For more information about using BYOIP, see Bring your own IP addresses.

Configure the network and subnets

You need a VPC network with two subnets, one for the load balancer's backends and the other for the load balancer's proxies. This load balancer is regional. Traffic within the VPC network is routed to the load balancer if the traffic's source is in a subnet in the same region as the load balancer.

This example uses the following VPC network, region, and subnets:

  • Network: a custom-mode VPC network named lb-network

  • Subnet for backends: a subnet named backend-subnet in Region A that uses 10.1.2.0/24 for its primary IP address range

  • Subnet for proxies: a subnet named proxy-only-subnet in Region A (the same region as the backends; all components of this load balancer must share one region) that uses 10.129.0.0/23 for its primary IP address range

Note: You can change the name of the network, the region, and the parameters for the subnets; however, subsequent steps in this guide use the network, region, and subnet parameters as named here.

Create the network and subnets

Console

  1. In the Google Cloud console, go to the VPC networks page.

  2. Click Create VPC network.

  3. For Name, enter lb-network.

  4. In the Subnets section, set the Subnet creation mode to Custom.

  5. Create a subnet for the load balancer's backends. In the New subnet section, enter the following information:

    • Name: backend-subnet
    • Region: REGION_A
    • IP address range: 10.1.2.0/24
  6. Click Done.

  7. Click Create.

gcloud

  1. To create the custom VPC network, use the gcloud compute networks create command:

    gcloud compute networks create lb-network --subnet-mode=custom
  2. To create a subnet in the lb-network network in the REGION_A region, use the gcloud compute networks subnets create command:

    gcloud compute networks subnets create backend-subnet \
        --network=lb-network \
        --range=10.1.2.0/24 \
        --region=REGION_A

Create the proxy-only subnet

A proxy-only subnet provides a set of IP addresses that Google uses to run Envoy proxies on your behalf. The proxies terminate connections from the client and create new connections to the backends.

This proxy-only subnet is used by all Envoy-based load balancers in Region A of the lb-network VPC network.

Important: Don't try to assign addresses from the proxy-only subnet to your load balancer's forwarding rule or backends. You assign the forwarding rule's IP address and the backend instance IP addresses from a different subnet range (or ranges), not this one. Google Cloud reserves this subnet range for Google Cloud-managed proxies.

Console

If you're using the Google Cloud console, you can wait and create the proxy-only subnet later on the Load balancing page.

If you want to create the proxy-only subnet now, use the following steps:

  1. In the Google Cloud console, go to the VPC networks page.

  2. Click the name of the VPC network: lb-network.

  3. Click Add subnet.

  4. For Name, enter proxy-only-subnet.

  5. For Region, select REGION_A.

  6. Set Purpose to Regional Managed Proxy.

  7. For IP address range, enter 10.129.0.0/23.

  8. Click Add.

gcloud

To create the proxy-only subnet, use the gcloud compute networks subnets create command:

gcloud compute networks subnets create proxy-only-subnet \
    --purpose=REGIONAL_MANAGED_PROXY \
    --role=ACTIVE \
    --region=REGION_A \
    --network=lb-network \
    --range=10.129.0.0/23

Create firewall rules

In this example, you create the following firewall rules:

  • fw-allow-ssh. An ingress rule, applicable to the instances being load balanced, that allows incoming SSH connectivity on TCP port 22 from any address. You can choose a more restrictive source IP range for this rule; for example, you can specify only the IP ranges of the system from which you initiate SSH sessions. This example uses the target tag allow-ssh.

  • fw-allow-health-check. An ingress rule, applicable to the instances being load balanced, that allows all TCP traffic from the Google Cloud health checking systems (in 130.211.0.0/22 and 35.191.0.0/16). This example uses the target tag allow-health-check.

  • fw-allow-proxy-only-subnet. An ingress rule that allows connections from the proxy-only subnet to reach the backends.

Without these firewall rules, the default deny ingress rule blocks incoming traffic to the backend instances.

The target tags define the backend instances. Without the target tags, the firewall rules apply to all of your backend instances in the VPC network. When you create the backend VMs, make sure to include the specified target tags, as shown in Create a managed instance group.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

  2. Click Create firewall rule to create the rule to allow incoming SSH connections. Complete the following fields:

    • Name: fw-allow-ssh
    • Network: lb-network
    • Direction of traffic: Ingress
    • Action on match: Allow
    • Targets: Specified target tags
    • Target tags: allow-ssh
    • Source filter: IPv4 ranges
    • Source IPv4 ranges: 0.0.0.0/0
    • Protocols and ports:
      • Choose Specified protocols and ports.
      • Select the TCP checkbox, and then enter 22 for the port number.
  3. Click Create.

  4. Click Create firewall rule a second time to create the rule to allow Google Cloud health checks:

    • Name: fw-allow-health-check
    • Network: lb-network
    • Direction of traffic: Ingress
    • Action on match: Allow
    • Targets: Specified target tags
    • Target tags: allow-health-check
    • Source filter: IPv4 ranges
    • Source IPv4 ranges: 130.211.0.0/22 and 35.191.0.0/16
    • Protocols and ports:

      • Choose Specified protocols and ports.
      • Select the TCP checkbox, and then enter 80 for the port number.

      As a best practice, limit this rule to just the protocols and ports that match those used by your health check. If you use tcp:80 for the protocol and port, Google Cloud can use HTTP on port 80 to contact your VMs, but it cannot use HTTPS on port 443 to contact them.

  5. Click Create.

  6. Click Create firewall rule a third time to create the rule to allow the load balancer's proxy servers to connect to the backends:

    • Name: fw-allow-proxy-only-subnet
    • Network: lb-network
    • Direction of traffic: Ingress
    • Action on match: Allow
    • Targets: Specified target tags
    • Target tags: allow-proxy-only-subnet
    • Source filter: IPv4 ranges
    • Source IPv4 ranges: 10.129.0.0/23
    • Protocols and ports:
      • Choose Specified protocols and ports.
      • Select the TCP checkbox, and then enter 80 for the port number.
  7. Click Create.

gcloud

  1. Create the fw-allow-ssh firewall rule to allow SSH connectivity to VMs with the network tag allow-ssh. When you omit source-ranges, Google Cloud interprets the rule to mean any source.

    gcloud compute firewall-rules create fw-allow-ssh \
        --network=lb-network \
        --action=allow \
        --direction=ingress \
        --target-tags=allow-ssh \
        --rules=tcp:22
  2. Create the fw-allow-health-check rule to allow Google Cloud health checks. This example allows all TCP traffic from health check probers; however, you can configure a narrower set of ports to meet your needs.

    gcloud compute firewall-rules create fw-allow-health-check \
        --network=lb-network \
        --action=allow \
        --direction=ingress \
        --source-ranges=130.211.0.0/22,35.191.0.0/16 \
        --target-tags=allow-health-check \
        --rules=tcp:80
  3. Create the fw-allow-proxy-only-subnet rule to allow the region's Envoy proxies to connect to your backends. Set --source-ranges to the allocated ranges of your proxy-only subnet; in this example, 10.129.0.0/23.

    gcloud compute firewall-rules create fw-allow-proxy-only-subnet \
        --network=lb-network \
        --action=allow \
        --direction=ingress \
        --source-ranges=10.129.0.0/23 \
        --target-tags=allow-proxy-only-subnet \
        --rules=tcp:80
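Before running the firewall and subnet commands, it is worth confirming that the address plan honours two constraints from this guide: the forwarding-rule address and the backends must never come from the proxy-only subnet, and the fw-allow-health-check rule must admit the Google Cloud prober ranges. The following POSIX shell script is an added example, not part of the Google Cloud guide; it uses the guide's subnets and prober ranges, and the forwarding-rule address passed to check_layout is a constructed sample value.

```shell
#!/bin/sh
# Added example (not from the Google Cloud guide): IPv4 CIDR arithmetic in
# plain POSIX shell to sanity-check the guide's address plan before running
# the gcloud commands. Subnets and prober ranges are the ones the guide uses;
# the forwarding-rule address given to check_layout is a constructed sample.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
  ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# Print the first and last address of a CIDR block as two integers.
cidr_bounds() {
  base=$(ip2int "${1%/*}")
  prefix=${1#*/}
  mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
  echo "$(( base & mask )) $(( (base & mask) | (~mask & 0xFFFFFFFF) ))"
}

# Succeed (exit 0) when address $1 lies inside CIDR $2.
in_cidr() {
  addr=$(ip2int "$1")
  set -- $(cidr_bounds "$2")
  [ "$addr" -ge "$1" ] && [ "$addr" -le "$2" ]
}

# Succeed when CIDR $1 and CIDR $2 share at least one address.
cidr_overlap() {
  set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# Succeed when $1 is a source that the fw-allow-health-check rule admits,
# i.e. it falls in one of the Google Cloud prober ranges from the guide.
prober_allowed() {
  in_cidr "$1" 130.211.0.0/22 || in_cidr "$1" 35.191.0.0/16
}

# Check the guide's layout: backend-subnet and proxy-only-subnet must not
# overlap, and the forwarding-rule address ($1) must not come from the
# proxy-only subnet, which is reserved for the Google-managed Envoy proxies.
check_layout() {
  backend_subnet=10.1.2.0/24
  proxy_subnet=10.129.0.0/23
  status=0
  if cidr_overlap "$backend_subnet" "$proxy_subnet"; then
    echo "error: backend-subnet overlaps proxy-only-subnet"
    status=1
  fi
  if in_cidr "$1" "$proxy_subnet"; then
    echo "error: forwarding-rule address $1 is inside proxy-only-subnet"
    status=1
  fi
  return $status
}

# Sample run with a constructed documentation address (RFC 5737 TEST-NET-3).
check_layout 203.0.113.10 && echo "address plan OK"
```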

Reserve the load balancer's IP address

Reserve a static IP address for the load balancer.

Console

  1. In the Google Cloud console, go to the Reserve a static address page.

  2. Choose a name for the new address.

  3. For Network Service Tier, select Standard.

  4. For IP version, select IPv4. IPv6 addresses are not supported.

  5. For Type, select Regional.

  6. For Region, select REGION_A.

  7. Leave the Attached to option set to None. After you create the load balancer, this IP address is attached to the load balancer's forwarding rule.

  8. Click Reserve to reserve the IP address.

gcloud

  1. To reserve a static external IP address, use the gcloud compute addresses create command:

    gcloud compute addresses create ADDRESS_NAME \
        --region=REGION_A \
        --network-tier=STANDARD

    Replace ADDRESS_NAME with the name that you want to call this address.

  2. To view the result, use the gcloud compute addresses describe command:

    gcloud compute addresses describe ADDRESS_NAME

Create a managed instance group

This section shows you how to create two managed instance group (MIG) backends in Region A for the load balancer. The MIG provides VM instances running the backend Apache servers for this example. Typically, a regional external proxy Network Load Balancer isn't used for HTTP traffic, but Apache software is commonly used for testing.

Console

Create an instance template

  1. In the Google Cloud console, go to the Instance templates page.

  2. Click Create instance template.

  3. For Name, enter ext-reg-tcp-proxy-backend-template.

  4. Ensure that the Boot disk is set to a Debian image, such as Debian GNU/Linux 12 (bookworm). These instructions use commands that are only available on Debian, such as apt-get.

  5. Click Advanced options.

  6. Click Networking and configure the following fields:

    1. For Network tags, enter allow-ssh, allow-health-check, and allow-proxy-only-subnet.
    2. For Network interfaces, select the following:
      • Network: lb-network
      • Subnet: backend-subnet
  7. Click Management. Enter the following script into the Startup script field:

     #! /bin/bash
     apt-get update
     apt-get install apache2 -y
     a2ensite default-ssl
     a2enmod ssl
     vm_hostname="$(curl -H "Metadata-Flavor:Google" \
     http://metadata.google.internal/computeMetadata/v1/instance/name)"
     echo "Page served from: $vm_hostname" | \
     tee /var/www/html/index.html
     systemctl restart apache2
  8. Click Create.

Create a managed instance group

  1. In the Google Cloud console, go to the Instance groups page.

  2. Click Create instance group.

  3. Select New managed instance group (stateless). For more information, see Create a MIG with stateful disks.

  4. For Name, enter mig-a.

  5. For Location, select Single zone.

  6. For Region, select REGION_A.

  7. For Zone, select ZONE_A.

  8. For Instance template, select ext-reg-tcp-proxy-backend-template.

  9. Specify the number of instances that you want to create in the group.

    For this example, specify the following options for Autoscaling:

    • For Autoscaling mode, select Off: do not autoscale.
    • For Maximum number of instances, enter 2.
  10. For Port mapping, click Add port.

    • For Port name, enter tcp80.
    • For Port number, enter 80.
  11. Click Create.

  12. To create a second managed instance group, repeat the Create a managed instance group steps and use the following settings:

    • Name: mig-b
    • Zone: ZONE_B

    Keep all the other settings the same.

gcloud

The Google Cloud CLI instructions in this guide assume that you are using Cloud Shell or another environment with bash installed.

  1. To create a VM instance template with an HTTP server, use the gcloud compute instance-templates create command:

    gcloud compute instance-templates create ext-reg-tcp-proxy-backend-template \
        --region=REGION_A \
        --network=lb-network \
        --subnet=backend-subnet \
        --tags=allow-ssh,allow-health-check,allow-proxy-only-subnet \
        --image-family=debian-12 \
        --image-project=debian-cloud \
        --metadata=startup-script='#! /bin/bash
          apt-get update
          apt-get install apache2 -y
          a2ensite default-ssl
          a2enmod ssl
          vm_hostname="$(curl -H "Metadata-Flavor:Google" \
          http://metadata.google.internal/computeMetadata/v1/instance/name)"
          echo "Page served from: $vm_hostname" | \
          tee /var/www/html/index.html
          systemctl restart apache2'
  2. Create a managed instance group in the ZONE_A zone:

    gcloud compute instance-groups managed create mig-a \
        --zone=ZONE_A \
        --size=2 \
        --template=ext-reg-tcp-proxy-backend-template
  3. Create a managed instance group in the ZONE_B zone:

    gcloud compute instance-groups managed create mig-b \
        --zone=ZONE_B \
        --size=2 \
        --template=ext-reg-tcp-proxy-backend-template

Configure the load balancer

Console

Start your configuration

  1. In the Google Cloud console, go to the Load balancing page.

  2. Click Create load balancer.
  3. For Type of load balancer, select Network Load Balancer (TCP/UDP/SSL) and click Next.
  4. For Proxy or passthrough, select Proxy load balancer and click Next.
  5. For Public facing or internal, select Public facing (external) and click Next.
  6. For Global or single region deployment, select Best for regional workloads and click Next.
  7. Click Configure.

Basic configuration

  1. For Name, enter my-ext-tcp-lb.
  2. For Region, select REGION_A.
  3. For Network, select lb-network.

Reserve a proxy-only subnet

Note: If you already created the proxy-only subnet, the Reserve subnet button isn't displayed. You can skip this section and continue with the steps in the Configure the backends section.

  1. Click Reserve.
  2. In the Name field, enter proxy-only-subnet.
  3. In the IP address range field, enter 10.129.0.0/23.
  4. Click Add.

Configure the backends

  1. Click Backend configuration.
  2. In the Backend type list, select Instance group.
  3. In the Protocol list, select TCP.
  4. In the Named port field, enter tcp80.
  5. Configure the health check:
    1. In the Health check list, select Create a health check.
    2. In the Name field, enter tcp-health-check.
    3. In the Protocol list, select TCP.
    4. In the Port field, enter 80.
    5. Click Create.
  6. Configure the first backend:
    1. For New backend, select instance group mig-a.
    2. For Port numbers, enter 80.
    3. Retain the remaining default values, and then click Done.
  7. Configure the second backend:
    1. Click Add backend.
    2. For New backend, select instance group mig-b.
    3. For Port numbers, enter 80.
    4. Retain the remaining default values, and then click Done.
  8. Retain the remaining default values, and then click Save.
  9. In the Google Cloud console, verify that there is a check mark next to Backend configuration. If not, double-check that you have completed all of the steps.

Configure the frontend

  1. Click Frontend configuration.
  2. For Name, enter ext-reg-tcp-forwarding-rule.
  3. For Network Service Tier, select Standard.
  4. For IP address, select the IP address reserved previously: LB_IP_ADDRESS
  5. For Port number, enter 110. The forwarding rule only forwards packets with a matching destination port.
  6. For Proxy protocol, select Off because the PROXY protocol doesn't work with the Apache HTTP Server software. For more information, see PROXY protocol.
  7. Click Done.
  8. In the Google Cloud console, verify that there is a check mark next to Frontend configuration. If not, double-check that you have completed all the previous steps.

Review and finalize

  1. Click Review and finalize.
  2. Review your load balancer configuration settings.
  3. Optional: Click Equivalent code to view the REST API request that is used to create the load balancer.
  4. Click Create.

gcloud

  1. Create a regional health check:

    gcloud compute health-checks create tcp tcp-health-check \
        --region=REGION_A \
        --use-serving-port
  2. Create a backend service:

    gcloud compute backend-services create ext-reg-tcp-proxy-bs \
        --load-balancing-scheme=EXTERNAL_MANAGED \
        --protocol=TCP \
        --port-name=tcp80 \
        --region=REGION_A \
        --health-checks=tcp-health-check \
        --health-checks-region=REGION_A
  3. Add instance groups to your backend service:

    gcloud compute backend-services add-backend ext-reg-tcp-proxy-bs \
        --region=REGION_A \
        --instance-group=mig-a \
        --instance-group-zone=ZONE_A \
        --balancing-mode=UTILIZATION \
        --max-utilization=0.8
    gcloud compute backend-services add-backend ext-reg-tcp-proxy-bs \
        --region=REGION_A \
        --instance-group=mig-b \
        --instance-group-zone=ZONE_B \
        --balancing-mode=UTILIZATION \
        --max-utilization=0.8
  4. Create a target TCP proxy:

    gcloud compute target-tcp-proxies create ext-reg-tcp-target-proxy \
        --backend-service=ext-reg-tcp-proxy-bs \
        --proxy-header=NONE \
        --region=REGION_A

    If you want to turn on the proxy header, set it to PROXY_V1 instead of NONE. In this example, don't enable the PROXY protocol because it doesn't work with the Apache HTTP Server software. For more information, see PROXY protocol.

  5. Create the forwarding rule. For --ports, specify a single port number from 1-65535. This example uses port 110. The forwarding rule only forwards packets with a matching destination port.

    gcloud compute forwarding-rules create ext-reg-tcp-forwarding-rule \
        --load-balancing-scheme=EXTERNAL_MANAGED \
        --network-tier=STANDARD \
        --network=lb-network \
        --region=REGION_A \
        --target-tcp-proxy=ext-reg-tcp-target-proxy \
        --target-tcp-proxy-region=REGION_A \
        --address=LB_IP_ADDRESS \
        --ports=110

Test the load balancer

Note: It might take a few minutes for the load balancer configuration to propagate after you first deploy it.

Now that you have configured your load balancer, you can test sending traffic to the load balancer's IP address.

  1. Get the load balancer's IP address.

    To get the IPv4 address, run the following command:

    gcloud compute addresses describe ADDRESS_NAME
  2. Send traffic to your load balancer by running the following command. Replace LB_IP_ADDRESS with your load balancer's IPv4 address. The port must match the one the forwarding rule was created with (110 in this example); the forwarding rule drops connections to any other destination port.

    curl -m1 LB_IP_ADDRESS:110

Additional configuration options

This section expands on the configuration example to provide alternative and additional configuration options. All of the tasks are optional. You can perform them in any order.

Enable session affinity

The example configuration creates a backend service without session affinity.

These procedures show you how to update a backend service for the example load balancer created previously so that the backend service uses client IP affinity or generated cookie affinity.

When client IP affinity is enabled, the load balancer directs a particular client's requests to the same backend VM based on a hash created from the client's IP address and the load balancer's IP address (the internal IP address of an internal forwarding rule).

To enable client IP session affinity, complete the following steps.

Console

  1. In the Google Cloud console, go to the Load balancing page.

  2. Click Backends.

  3. Click ext-reg-tcp-proxy-bs (the name of the backend service that you created for this example), and then click Edit.

  4. On the Backend service details page, click Advanced configuration.

  5. For Session affinity, select Client IP.

  6. Click Update.

gcloud

To update the ext-reg-tcp-proxy-bs backend service and specify client IP session affinity, use the gcloud compute backend-services update command:

gcloud compute backend-services update ext-reg-tcp-proxy-bs \
    --region=REGION_A \
    --session-affinity=CLIENT_IP

What's next

Last updated 2025-12-15 UTC.