Set up a global external proxy Network Load Balancer (SSL proxy) with VM instance group backends

This document provides instructions for setting up a global external proxy Network Load Balancer with a target SSL proxy and VM instance group backends. Before you start, read External proxy Network Load Balancer overview for information about how these load balancers work.

Setup overview

This example demonstrates how to set up an external proxy Network Load Balancer for a service that exists in two regions: Region A and Region B. You will configure the following:

  1. Four instances spread across two regions
  2. Instance groups for holding the instances
  3. Backend components, which include the following:
    • Health check - used to monitor instance health
    • Backend service - monitors instance groups and prevents them from exceeding configured usage
    • Backends - hold the instance groups
  4. Frontend components, which include the following:
    • An SSL certificate resource. You can use either a self-managed certificate, where you supply your own SSL certificate, or a Google-managed certificate, where Google issues a certificate that is valid for all of your domains. For more information, see Types of SSL certificates.
    • The SSL proxy itself with its SSL certificate
    • An external static IPv4 address and a forwarding rule that sends user traffic to the proxy
    • An external static IPv6 address and a forwarding rule that sends user traffic to the proxy
  5. A firewall rule that allows traffic from the load balancer and health checker to the instances.
  6. Optionally, an SSL policy to control the features of SSL that your SSL proxy load balancer negotiates with clients.

After that, you'll test your configuration.

Permissions

To follow this guide, you must be able to create instances and modify a network in a project. You must be either a project owner or editor, or you must have all of the following Compute Engine IAM roles:

Task                                                    Required Role
Create networks, subnets, and load balancer components  Network Admin
Add and remove firewall rules                           Security Admin
Create instances                                        Compute Instance Admin

For more information, see the following guides:

Configure the network and subnets

To create the example network and subnet, follow these steps.

Console

To support both IPv4 and IPv6 traffic, use the following steps:

  1. In the Google Cloud console, go to the VPC networks page.

  2. Click Create VPC network.

  3. Enter a Name for the network.

  4. Optional: If you want to configure internal IPv6 address ranges on subnets in this network, complete these steps:

    1. For VPC network ULA internal IPv6 range, select Enabled.
    2. For Allocate internal IPv6 range, select Automatically or Manually.

      If you select Manually, enter a /48 range from within the fd20::/20 range. If the range is in use, you are prompted to provide a different range.

  5. For the Subnet creation mode, choose Custom.

  6. In the New subnet section, configure the following fields:

    1. In the Name field, provide a name for the subnet.
    2. In the Region field, select a region.
    3. For IP stack type, select IPv4 and IPv6 (dual-stack).
    4. In the IP address range field, enter an IP address range. This is the primary IPv4 range for the subnet.

      Although you can configure an IPv4 range of addresses for the subnet, you cannot choose the range of the IPv6 addresses for the subnet. Google provides a fixed size (/64) IPv6 CIDR block.

    5. For IPv6 access type, select External.

  7. Click Done.

  8. To add a subnet in a different region, click Add subnet and repeat the previous steps.

  9. Click Create.

To support IPv4 traffic only, use the following steps:

  1. In the Google Cloud console, go to the VPC networks page.

  2. Click Create VPC network.

  3. In the Name field, enter a name for the network.

  4. For the Subnet creation mode, choose Custom.

  5. In the New subnet section, configure the following:

    1. In the Name field, provide a name for the subnet.
    2. In the Region field, select a region.
    3. For IP stack type, select IPv4 (single-stack).
    4. In the IP address range field, enter the primary IPv4 range for the subnet.

  6. Click Done.

  7. To add a subnet in a different region, click Add subnet and repeat the previous steps.

  8. Click Create.

gcloud

  1. Create the custom mode VPC network:

    gcloud compute networks create NETWORK \
        --subnet-mode=custom

  2. Within the network, create a subnet for backends in each region.

    For IPv4 and IPv6 traffic, use the following commands to create the subnets:

    gcloud compute networks subnets create SUBNET \
        --stack-type=IPV4_IPV6 \
        --ipv6-access-type=EXTERNAL \
        --network=NETWORK \
        --range=IPV4_RANGE \
        --region=REGION_A

    gcloud compute networks subnets create SUBNET_B \
        --stack-type=IPV4_IPV6 \
        --ipv6-access-type=EXTERNAL \
        --network=NETWORK \
        --range=IPV4_RANGE_B \
        --region=REGION_B

    For IPv4 traffic only, use the following commands:

    gcloud compute networks subnets create SUBNET \
        --network=NETWORK \
        --stack-type=IPV4_ONLY \
        --range=IPV4_RANGE \
        --region=REGION_A

    gcloud compute networks subnets create SUBNET_B \
        --network=NETWORK \
        --stack-type=IPV4_ONLY \
        --range=IPV4_RANGE_B \
        --region=REGION_B

Replace the following:

  • NETWORK: a name for the VPC network

  • IPV4_RANGE or IPV4_RANGE_B: the primary IPv4 range for the new subnet, in CIDR notation. For example, 10.1.2.0/24.

  • SUBNET or SUBNET_B: a name for the subnet

  • REGION_A or REGION_B: the name of the region

Configure instances and instance groups

This section shows how to create instances and instance groups, then add the instances to the instance groups. A production system would normally use managed instance groups based on instance templates, but this setup is quicker for initial testing.

Create instances

Create these instances with the tag ssl-lb, which the firewall rule will use later.

Console

Create instances

  1. In the Google Cloud console, go to the VM instances page.

  2. Click Create instance.

  3. Set Name to vm-a1.

  4. Set the Zone to ZONE_A.

  5. Click Advanced options.

  6. Click Networking and configure the following field:

    • In the Network tags field, enter ssl-lb and allow-health-check-ipv6.

  7. In the Network interfaces section, click Edit and make the following changes:

    • Select the network.
    • Select a subnet.
    • In the IP stack type field, select IPv4 and IPv6 (dual-stack).
    • Click Done.

  8. Click Management. Enter the following script into the Startup script field.

    sudo apt-get update
    sudo apt-get install apache2 -y
    sudo a2ensite default-ssl
    sudo a2enmod ssl
    sudo service apache2 restart
    echo '<!doctype html><html><body><h1>vm-a1</h1></body></html>' | sudo tee /var/www/html/index.html

  9. Leave the default values for the rest of the fields.

  10. Click Create.

  11. Create vm-a2 with the same settings, except with Startup script set to the following:

    sudo apt-get update
    sudo apt-get install apache2 -y
    sudo a2ensite default-ssl
    sudo a2enmod ssl
    sudo service apache2 restart
    echo '<!doctype html><html><body><h1>vm-a2</h1></body></html>' | sudo tee /var/www/html/index.html

  12. Create vm-b1 with the same settings, except with Zone set to ZONE_B and Startup script set to the following:

    sudo apt-get update
    sudo apt-get install apache2 -y
    sudo a2ensite default-ssl
    sudo a2enmod ssl
    sudo service apache2 restart
    echo '<!doctype html><html><body><h1>vm-b1</h1></body></html>' | sudo tee /var/www/html/index.html

  13. Create vm-b2 with the same settings, except with Zone set to ZONE_B and Startup script set to the following:

    sudo apt-get update
    sudo apt-get install apache2 -y
    sudo a2ensite default-ssl
    sudo a2enmod ssl
    sudo service apache2 restart
    echo '<!doctype html><html><body><h1>vm-b2</h1></body></html>' | sudo tee /var/www/html/index.html

gcloud

  1. Create vm-a1 in zone ZONE_A. The allow-health-check-ipv6 tag matches the IPv6 health check firewall rule created later on this page; the stray EOF line that ended the startup script was not a heredoc terminator and has been dropped.

    gcloud compute instances create vm-a1 \
        --image-family=debian-12 \
        --image-project=debian-cloud \
        --tags=ssl-lb,allow-health-check-ipv6 \
        --zone=ZONE_A \
        --metadata=startup-script="#! /bin/bash
          sudo apt-get update
          sudo apt-get install apache2 -y
          sudo a2ensite default-ssl
          sudo a2enmod ssl
          sudo service apache2 restart
          echo '<!doctype html><html><body><h1>vm-a1</h1></body></html>' | sudo tee /var/www/html/index.html"

  2. Create vm-a2 in zone ZONE_A.

    gcloud compute instances create vm-a2 \
        --image-family=debian-12 \
        --image-project=debian-cloud \
        --tags=ssl-lb,allow-health-check-ipv6 \
        --zone=ZONE_A \
        --metadata=startup-script="#! /bin/bash
          sudo apt-get update
          sudo apt-get install apache2 -y
          sudo a2ensite default-ssl
          sudo a2enmod ssl
          sudo service apache2 restart
          echo '<!doctype html><html><body><h1>vm-a2</h1></body></html>' | sudo tee /var/www/html/index.html"

  3. Create vm-b1 in zone ZONE_B.

    gcloud compute instances create vm-b1 \
        --image-family=debian-12 \
        --image-project=debian-cloud \
        --tags=ssl-lb,allow-health-check-ipv6 \
        --zone=ZONE_B \
        --metadata=startup-script="#! /bin/bash
          sudo apt-get update
          sudo apt-get install apache2 -y
          sudo a2ensite default-ssl
          sudo a2enmod ssl
          sudo service apache2 restart
          echo '<!doctype html><html><body><h1>vm-b1</h1></body></html>' | sudo tee /var/www/html/index.html"

  4. Create vm-b2 in zone ZONE_B.

    gcloud compute instances create vm-b2 \
        --image-family=debian-12 \
        --image-project=debian-cloud \
        --tags=ssl-lb,allow-health-check-ipv6 \
        --zone=ZONE_B \
        --metadata=startup-script="#! /bin/bash
          sudo apt-get update
          sudo apt-get install apache2 -y
          sudo a2ensite default-ssl
          sudo a2enmod ssl
          sudo service apache2 restart
          echo '<!doctype html><html><body><h1>vm-b2</h1></body></html>' | sudo tee /var/www/html/index.html"

Create an instance group for each zone and add instances

Console

  1. In the Google Cloud console, go to the Instance groups page.

  2. Click Create instance group.

  3. Set the Name to instance-group-a.

  4. Set the Zone to ZONE_A.

  5. Under Port mapping, click Add port. A load balancer sends traffic to an instance group through a named port. Create a named port to map the incoming traffic to a specific port number.

    1. Enter a Port name of ssl-lb and Port numbers of 443.

  6. Under Instance definition, click Select existing instances.

  7. From VM instances, select vm-a1 and vm-a2.

  8. Leave other settings as they are.

  9. Click Create.

  10. Repeat the steps, but set the following:

    • Name: instance-group-b
    • Zone: ZONE_B
    • Port name of ssl-lb and Port numbers of 443
    • Instances: vm-b1 and vm-b2

  11. Confirm that you now have two instance groups, each with two instances.

gcloud

  1. Create the instance-group-a instance group.

    gcloud compute instance-groups unmanaged create instance-group-a \
        --zone=ZONE_A

  2. Set a named port for the instance group.

    gcloud compute instance-groups set-named-ports instance-group-a \
        --named-ports=ssl-lb:443 \
        --zone=ZONE_A

  3. Add vm-a1 and vm-a2 to instance-group-a.

    gcloud compute instance-groups unmanaged add-instances instance-group-a \
        --instances=vm-a1,vm-a2 \
        --zone=ZONE_A

  4. Create the instance-group-b instance group.

    gcloud compute instance-groups unmanaged create instance-group-b \
        --zone=ZONE_B

  5. Set a named port for the instance group.

    gcloud compute instance-groups set-named-ports instance-group-b \
        --named-ports=ssl-lb:443 \
        --zone=ZONE_B

  6. Add vm-b1 and vm-b2 to instance-group-b.

    gcloud compute instance-groups unmanaged add-instances instance-group-b \
        --instances=vm-b1,vm-b2 \
        --zone=ZONE_B

You now have an instance group in each of two regions, each with two instances.

Create a firewall rule for the SSL load balancer

Configure the firewall to allow traffic from the load balancer and health checker to the instances.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

  2. Click Create firewall rule.

  3. In the Name field, enter allow-ssl-lb-and-health.

  4. Select the network.

  5. Under Targets, select Specified target tags.

  6. Set Target tags to ssl-lb.

  7. Set Source filter to IPv4 ranges.

  8. Set Source IPv4 ranges to 130.211.0.0/22 and 35.191.0.0/16.

  9. Under Protocols and ports, set Specified protocols and ports to tcp:443.

  10. Click Create.

gcloud

gcloud compute firewall-rules create allow-ssl-lb-and-health \
    --source-ranges=130.211.0.0/22,35.191.0.0/16 \
    --target-tags=ssl-lb \
    --allow=tcp:443

If you are using a Google-managed certificate, confirm that your certificate resource's status is ACTIVE. For more information, see Google-managed SSL certificate resource status.

gcloud compute ssl-certificates list

Create an IPv6 health check firewall rule

Ensure that you have an ingress rule that is applicable to the instances being load balanced and that allows traffic from the Google Cloud health checking systems (2600:2d00:1:b029::/64). This example uses the target tag allow-health-check-ipv6 to identify the VM instances to which it applies.

Without this firewall rule, the default deny ingress rule blocks incoming IPv6 traffic to the backend instances.

Note: You must create a firewall rule to allow health checks from the IP ranges of Google Cloud probe systems. For more information, see probe IP ranges.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

  2. To allow IPv6 subnet traffic, click Create firewall rule again and enter the following information:

    • Name: fw-allow-lb-access-ipv6
    • Network: NETWORK
    • Priority: 1000
    • Direction of traffic: ingress
    • Targets: Specified target tags
    • Target tags: allow-health-check-ipv6
    • Source filter: IPv6 ranges
    • Source IPv6 ranges: 2600:2d00:1:b029::/64, 2600:2d00:1:1::/64
    • Protocols and ports: Allow all

  3. Click Create.

gcloud

Create the fw-allow-lb-access-ipv6 firewall rule to allow communication with the subnet:

gcloud compute firewall-rules create fw-allow-lb-access-ipv6 \
    --network=NETWORK \
    --action=allow \
    --direction=ingress \
    --target-tags=allow-health-check-ipv6 \
    --source-ranges=2600:2d00:1:b029::/64,2600:2d00:1:1::/64 \
    --rules=all

Configure the load balancer

Console

Start your configuration

  1. In the Google Cloud console, go to the Load balancing page.

  2. Click Create load balancer.
  3. For Type of load balancer, select Network Load Balancer (TCP/UDP/SSL) and click Next.
  4. For Proxy or passthrough, select Proxy load balancer and click Next.
  5. For Public facing or internal, select Public facing (external) and click Next.
  6. For Global or single region deployment, select Best for global workloads and click Next.
  7. For Load balancer generation, select Global external proxy Network Load Balancer and click Next.
  8. Click Configure.

Basic configuration

Set the Name to my-ssl-lb.

Backend configuration

  1. Click Backend configuration.
  2. In the Backend type list, select Instance groups.
  3. In the Protocol list, select SSL.
  4. In the Named port field, enter ssl-lb.
  5. Accept the default value for the Timeout.
  6. In the IP address selection policy list, select Prefer IPv6. Tip: When you select the IP address selection policy, ensure that your backends support the selected traffic type.
  7. Configure the health check:
    • In the Health check list, select Create a health check.
    • In the Name field, enter my-ssl-health-check.
    • In the Protocol list, select SSL.
    • Retain the remaining default values.
    • Click Create.
  8. Configure the first backend:
    1. Under New backend, select instance group instance-group-a.
    2. Set Port numbers to 443.
    3. Retain the remaining default values.
  9. Configure the second backend:
    1. Click Add backend.
    2. Select instance group instance-group-b.
    3. Set Port numbers to 443.
    4. Click Done.
  10. In the Google Cloud console, verify that there is a check mark next to Backend configuration. If not, double-check that you have completed all of the steps.

Frontend configuration

  1. Click Frontend configuration.
  2. Add the first forwarding rule:
    1. Enter a Name of my-ssl-lb-forwarding-rule.
    2. Under Protocol, select SSL.
    3. Under IP address, select Create IP address:
      1. Enter a Name of ssl-lb-static-ipv4.
      2. Click Reserve.
    4. Under Certificate, select Create a new certificate.
    5. Enter a Name of my-ssl-cert.
    6. If you choose Upload my certificate, complete these steps:
      1. Paste in your certificate or click Upload to navigate to your certificate file.
      2. Paste in your private key or click Upload to navigate to your private key file.
    7. If you choose Create Google managed certificate, enter a Domain.
      1. To enter additional domains, click Add Domain.
      2. Click Create.
    8. To add certificate resources in addition to the primary SSL certificate resource, click Additional certificates. Then either select another certificate from the Certificates menu or click Create a new certificate and follow the instructions above.
    9. Optional: To create an SSL policy:
      1. Under SSL policy, select Create a policy.
      2. Enter a Name of my-ssl-policy.
      3. For Minimum TLS Version, select TLS 1.0.
      4. For Profile, select Modern. The Enabled features and Disabled features are displayed.
      5. Click Save.
    10. Optional: Turn on Proxy protocol.
    11. Click Done.
  3. Verify that there is a green check mark next to Frontend configuration in the Google Cloud console. If not, double-check that you have completed all the previous steps.
  4. Click Done.

Review and finalize

  1. Click Review and finalize.
  2. Review your load balancer configuration settings.
  3. Optional: Click Equivalent code to view the REST API request that will be used to create the load balancer.
  4. Click Create.

gcloud

  1. Create a health check.

    gcloud compute health-checks create ssl my-ssl-health-check --port=443

  2. Create a backend service.

    gcloud beta compute backend-services create my-ssl-lb \
        --load-balancing-scheme=EXTERNAL_MANAGED \
        --global-health-checks \
        --protocol=SSL \
        --port-name=ssl-lb \
        --ip-address-selection-policy=PREFER_IPV6 \
        --health-checks=my-ssl-health-check \
        --timeout=5m \
        --global

    Alternatively, you can configure unencrypted communication from the load balancer to the instances by using --protocol=TCP.

  3. Add instance groups to your backend service.

    Note: A backend service with multiple endpoints must have unique IPv6 addresses. The endpoints can be in different subnets, but the same IPv6 address cannot be used for multiple endpoints.

    gcloud compute backend-services add-backend my-ssl-lb \
        --instance-group=instance-group-a \
        --instance-group-zone=ZONE_A \
        --balancing-mode=UTILIZATION \
        --max-utilization=0.8 \
        --global

    gcloud compute backend-services add-backend my-ssl-lb \
        --instance-group=instance-group-b \
        --instance-group-zone=ZONE_B \
        --balancing-mode=UTILIZATION \
        --max-utilization=0.8 \
        --global

  4. Configure your SSL certificate resource.

    If you are using self-managed certificates, you must already have at least one SSL certificate to upload. If you don't, see SSL certificates overview. When you use multiple SSL certificates, you must create them one at a time.

    If you are using self-managed SSL certificates and you don't have a private key and signed certificate, you can create and use a self-signed certificate for testing purposes.

    To create a self-managed SSL certificate resource:

    gcloud compute ssl-certificates create my-ssl-cert \
        --certificate=CRT_FILE_PATH \
        --private-key=KEY_FILE_PATH

    To create a Google-managed SSL certificate resource:

    gcloud compute ssl-certificates create www-ssl-cert \
        --domains=DOMAIN_1,DOMAIN_2

  5. Configure a target SSL proxy.

    External proxy Network Load Balancers support creating a target SSL proxy that has from one to fifteen SSL certificates. Before you run this command, you must create an SSL certificate resource for each certificate.

    If you want to turn on the proxy header, set it to PROXY_V1 instead of NONE. You can optionally attach an SSL policy to the target proxy. First, create the policy.

    gcloud compute ssl-policies create my-ssl-policy \
        --profile=MODERN \
        --min-tls-version=1.0

    Then attach the policy to the target proxy.

    gcloud beta compute target-ssl-proxies create my-ssl-lb-target-proxy \
        --backend-service=my-ssl-lb \
        --ssl-certificates=SSL_CERT_1[,SSL_CERT_2,...] \
        --ssl-policy=my-ssl-policy \
        --proxy-header=NONE

  6. Reserve global static IP addresses.

    Your customers use these IP addresses to access your load-balanced service.

    gcloud compute addresses create ssl-lb-static-ipv4 \
        --ip-version=IPV4 \
        --global

    gcloud compute addresses create ssl-lb-static-ipv6 \
        --ip-version=IPV6 \
        --global

  7. Configure global forwarding rules.

    Create global forwarding rules associated with the target proxy. Replace LB_STATIC_IP and LB_STATIC_IPV6 with the IP addresses you generated in Reserve global static IP addresses.

    gcloud beta compute forwarding-rules create my-ssl-lb-forwarding-rule \
        --load-balancing-scheme=EXTERNAL_MANAGED \
        --global \
        --target-ssl-proxy=my-ssl-lb-target-proxy \
        --address=LB_STATIC_IP \
        --ports=443

Connect your domain to your load balancer

After the load balancer is created, note the IP address that is associated with the load balancer, for example, 30.90.80.100. To point your domain to your load balancer, create an A record by using your domain registration service. If you added multiple domains to your SSL certificate, you must add an A record for each one, all pointing to the load balancer's IP address. For example, to create A records for www.example.com and example.com, use the following:

NAME                  TYPE     DATA
www                   A        30.90.80.100
@                     A        30.90.80.100

If you use Cloud DNS as your DNS provider, see Add, modify, and delete records.

Test the load balancer

In your web browser, connect to your static IP address using HTTPS. In this test setup, the instances are using self-signed certificates. Therefore, you will see a warning in your browser the first time you access a page. Click through the warning to see the actual page. Replace IP_ADDRESS with either the IPv4 or IPv6 address you created earlier.

https://IP_ADDRESS

You should see one of the hosts from the region closest to you. Reload the page until you see the other instance in that region. To see instances from the other region, stop the instances in the closest region.

Alternatively, you can use curl from your local machine's command line. If you are using a self-signed certificate on the SSL proxy, you must also specify -k. The curl -k option allows curl to work even if you have a self-signed certificate or no certificate at all. If you have a normal certificate, you can remove that parameter. You should only use the -k parameter for testing your own site. Under normal circumstances, a valid certificate is an important security measure and certificate warnings shouldn't be ignored.

Replace IP_ADDRESS with either the IPv4 or IPv6 address you created earlier.

curl -k https://IP_ADDRESS

If you can't reach the load balancer, try the steps described in Proxy Network Load Balancer logging and monitoring to investigate the load balancer's logs and metrics.

Additional configuration options

This section expands on the configuration example to provide alternative and additional configuration options. All of the tasks are optional. You can perform them in any order.

PROXY protocol for retaining client connection information

The proxy Network Load Balancer ends TCP connections from the client and creates new connections to the instances. By default, the original client IP and port information is not preserved.

To preserve and send the original connection information to your instances, enable PROXY protocol version 1. This protocol sends an additional header that contains the source IP address, destination IP address, and port numbers to the instance as a part of the request.

Make sure that the proxy Network Load Balancer's backend instances are running servers that support PROXY protocol headers. If the servers are not configured to support PROXY protocol headers, the backend instances return empty responses.

If you set the PROXY protocol for user traffic, you can also set it for your health checks. If you are checking health and serving content on the same port, set the health check's --proxy-header to match your load balancer setting.

The PROXY protocol header is typically a single line of user-readable text in the following format:

PROXY TCP4 <client IP> <load balancing IP> <source port> <dest port>\r\n

The following example shows a PROXY protocol:

PROXY TCP4 192.0.2.1 198.51.100.1 15221 110\r\n

In the preceding example, the client IP is 192.0.2.1, the load balancing IP is 198.51.100.1, the client port is 15221, and the destination port is 110.

When the client IP is not known, the load balancer generates a PROXY protocol header in the following format:

PROXY UNKNOWN\r\n
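As an added example (not code from this page or from Google), the following backend-side parser consumes the header format described above, including the TCP6 and UNKNOWN forms, and trusts the header only when the TCP peer falls inside the source ranges that this page's firewall rules allow for load balancer and health-check traffic; a header arriving from any other peer could carry a forged client address. The 107-byte length bound comes from the PROXY protocol specification; the sample bytes are constructed for the example.

```python
"""Backend-side handling of a PROXY protocol v1 header (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Ranges this page's firewall rules allow for load balancer and health-check
# traffic; assumed here to be the only peers whose PROXY header is trusted.
LB_SOURCE_RANGES = [ipaddress.ip_network(r) for r in (
    "130.211.0.0/22", "35.191.0.0/16",
    "2600:2d00:1:b029::/64", "2600:2d00:1:1::/64",
)]
MAX_HEADER_LEN = 107  # longest legal v1 line including CRLF, per the spec


class ProxyHeaderError(ValueError):
    """Malformed PROXY line; the connection should be closed, not served."""


@dataclass
class ProxyInfo:
    family: str                 # "TCP4", "TCP6", "UNKNOWN", or "DIRECT" (no header used)
    client_ip: Optional[str]    # original client address, when known
    lb_ip: Optional[str]        # load balancer address the client connected to
    client_port: Optional[int]
    dest_port: Optional[int]


def _parse_ip(text: str, family: str) -> str:
    try:
        addr = ipaddress.ip_address(text)
    except ValueError as exc:
        raise ProxyHeaderError(f"bad address {text!r}") from exc
    if (family == "TCP4") != (addr.version == 4):
        raise ProxyHeaderError(f"{text} does not match {family}")
    return str(addr)


def _parse_port(text: str) -> int:
    if not text.isdigit() or int(text) > 65535:
        raise ProxyHeaderError(f"bad port {text!r}")
    return int(text)


def parse_proxy_v1(data: bytes) -> tuple:
    """Split the PROXY line off the front of the stream; return (info, remaining bytes)."""
    end = data.find(b"\r\n", 0, MAX_HEADER_LEN)
    if end < 0:
        raise ProxyHeaderError("no CRLF-terminated PROXY line within 107 bytes")
    line, rest = data[:end], data[end + 2:]
    try:
        fields = line.decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ProxyHeaderError("non-ASCII byte in PROXY line") from exc
    if fields[0] != "PROXY":
        raise ProxyHeaderError("missing PROXY signature")
    if fields[1:2] == ["UNKNOWN"]:
        # Sent when the load balancer does not know the client address.
        return ProxyInfo("UNKNOWN", None, None, None, None), rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError(f"malformed PROXY line: {line!r}")
    family, src, dst, sport, dport = fields[1:]
    return ProxyInfo(family, _parse_ip(src, family), _parse_ip(dst, family),
                     _parse_port(sport), _parse_port(dport)), rest


def from_load_balancer(peer_ip: str) -> bool:
    """True when the TCP peer lies in one of the allowed load balancer ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in LB_SOURCE_RANGES)


def read_client_connection(peer_ip: str, data: bytes) -> tuple:
    """Use the PROXY header only if the peer is the load balancer; otherwise
    report the peer itself as the client and leave the bytes untouched."""
    if not from_load_balancer(peer_ip):
        return ProxyInfo("DIRECT", peer_ip, None, None, None), data
    return parse_proxy_v1(data)


def is_valid_header(data: bytes) -> bool:
    """Does the stream begin with a well-formed PROXY v1 line?"""
    try:
        parse_proxy_v1(data)
        return True
    except ProxyHeaderError:
        return False
```

Feeding the page's sample line followed by a request, `read_client_connection("35.191.0.10", b"PROXY TCP4 192.0.2.1 198.51.100.1 15221 110\r\nGET / HTTP/1.1\r\n")` returns the parsed client 192.0.2.1:15221 and the untouched request bytes, while the same bytes from a peer outside the ranges are passed through with the peer reported as the client.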

Update PROXY protocol header for target proxy

The example load balancer setup on this page shows you how to enable the PROXY protocol header while creating the proxy Network Load Balancer. Use these steps to change the PROXY protocol header for an existing target proxy.

Console

  1. In the Google Cloud console, go to the Load balancing page.

  2. Click Edit for your load balancer.
  3. Click Frontend configuration.
  4. Change the value of the Proxy protocol field to On.
  5. Click Update to save your changes.

gcloud

In the following command, edit the --proxy-header field and set it to either NONE or PROXY_V1 depending on your requirement.

gcloud compute target-ssl-proxies update TARGET_PROXY_NAME \
    --proxy-header=[NONE | PROXY_V1]

Configure session affinity

These procedures show you how to update a backend service for the example SSL proxy load balancer so that the backend service uses client IP affinity.

When client IP affinity is enabled, the load balancer directs a particular client's requests to the same backend VM based on a hash created from the client's IP address and the load balancer's IP address (the external IP address of an external forwarding rule).

Console

To enable client IP session affinity:

  1. In the Google Cloud console, go to the Load balancing page.

  2. Click Backends.

  3. Click my-ssl-lb (the name of the backend service you created for this example) and click Edit.

  4. On the Backend service details page, click Advanced configuration.

  5. Under Session affinity, select Client IP from the menu.

  6. Click Update.

gcloud

Use the following command to update the my-ssl-lb backend service, specifying client IP session affinity:

gcloud compute backend-services update my-ssl-lb \
    --global \
    --session-affinity=CLIENT_IP

API

To set client IP session affinity, make a PATCH request to the backendServices/patch method. The backend service in this example is global, so its resource path has no region segment.

PATCH https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/backendServices/my-ssl-lb
{
  "sessionAffinity": "CLIENT_IP"
}

Enable connection draining

You can enable connection draining on backend services to ensure minimal interruption to your users when an instance that is serving traffic is terminated, removed manually, or removed by an autoscaler. To learn more about connection draining, see the Enabling Connection Draining documentation.


Last updated 2025-12-15 UTC.