Proxy Network Load Balancer logging and monitoring
This page shows you how to configure and useCloud LoggingandCloud Monitoring for proxy Network Load Balancers.
Monitoring resources
The following table specifies the resource names for the load balancers.
Regional external proxy Network Load Balancer Regional internal proxy Network Load Balancer Cross-region internal proxy Network Load Balancer Global external proxy Network Load Balancer | Classic proxy Network Load Balancer | |
|---|---|---|
| Logging monitored-resource type | "Proxy Network Load Balancer Rule"l4_proxy_rule | "Global External Proxy Network Load Balancer Rule"tcp_ssl_proxy_rule |
| Monitoring monitored-resource type | "Proxy Network Load Balancer Rule"l4_proxy_rule | "Global External Proxy Network Load Balancer Rule"tcp_ssl_proxy_rule |
Logging for Proxy Network Load Balancers
Logs provide useful information for troubleshootingand monitoring load balancers. Logs are aggregated for each connection andgive you insight into how each connection is routed to the serving backends.
There are no additional charges for using logs. However, based on how you importlogs,standard pricing forCloud Logging,BigQuery, or Pub/Sub applies. Also, enabling logs does not affectthe performance of the load balancer.
Logs sampling and collection
The connections that leave and enter load balancer backend virtual machine(VM) instances are sampled. These sampled connections are then processedto generate logs. You control the fraction of the connections that areemitted as log entries according to thelogConfig.sampleRateparameter. WhenlogConfig.sampleRate is1.0 (100%), this means that logsare generated forall of the connections and written to Cloud Logging.
Enable logging on a new backend service
gcloud
Use thegcloud compute backend-services create command.
For regional external proxy Network Load Balancers and regional internal proxy Network Load Balancers:
gcloud compute backend-services createBACKEND_SERVICE \ --region=REGION \ --enable-logging \ --logging-sample-rate=SAMPLE_RATE
For global external proxy Network Load Balancers, classic proxy Network Load Balancers, or cross-region internal proxy Network Load Balancers:
gcloud compute backend-services createBACKEND_SERVICE \ --global \ --enable-logging \ --logging-sample-rate=SAMPLE_RATE
Replace the following:
BACKEND_SERVICE: the name of the backend service.REGION: the region of the backend service to create.SAMPLE_RATE: this field can only be specified if logging is enabled for this backend service.The value of the field must be from
0.0 to 1.0, where0.0means that no logs are reported and1.0means that all connections are logged. Enabling logging but setting the sampling rate to0.0is equivalent to disabling logging. The default value is1.0.
API
Make aPOST request to theregionBackendServices.insert method:
For regional internal proxy Network Load Balancers:
{ "name": "BACKEND_SERVICE", "loadBalancingScheme": "INTERNAL_MANAGED", "logConfig": { "enable": true, "sampleRate":SAMPLE_RATE } }For regional external proxy Network Load Balancers:
{ "name": "BACKEND_SERVICE", "loadBalancingScheme": "EXTERNAL_MANAGED", "logConfig": { "enable": true, "sampleRate":SAMPLE_RATE } }For global external proxy Network Load Balancers:
Make aPOST request to thebackendServices.insert method:
{ "name": "BACKEND_SERVICE", "loadBalancingScheme": "EXTERNAL_MANAGED", "logConfig": { "enable": true, "sampleRate":SAMPLE_RATE } }For classic proxy Network Load Balancers:
Make aPOST request to thebackendServices.insert method:
{ "name": "BACKEND_SERVICE", "loadBalancingScheme": "EXTERNAL", "logConfig": { "enable": true, "sampleRate":SAMPLE_RATE } }For cross-region internal proxy Network Load Balancers:
Make aPOST request to thebackendServices.insert method:
{ "name": "BACKEND_SERVICE", "loadBalancingScheme": "INTERNAL_MANAGED", "logConfig": { "enable": true, "sampleRate":SAMPLE_RATE } }Replace the following:
BACKEND_SERVICE: the name of the backend service.SAMPLE_RATE: this field can only be specified if logging is enabled for this backend service.The value of the field must be from
0.0 to 1.0, where0.0means that no logs are reported and1.0means that all connections are logged. Enabling logging but setting the sampling rate to0.0is equivalent to disabling logging. The default value is1.0.
Enable logging on an existing backend service
gcloud
Use thegcloud compute backend-services update command.
For regional external proxy Network Load Balancers and regional internal proxy Network Load Balancers:
gcloud compute backend-services updateBACKEND_SERVICE \ --region=REGION \ --enable-logging \ --logging-sample-rate=SAMPLE_RATE
For global external proxy Network Load Balancers, classic proxy Network Load Balancers, or cross-region internal proxy Network Load Balancers:
gcloud compute backend-services updateBACKEND_SERVICE \ --global \ --enable-logging \ --logging-sample-rate=SAMPLE_RATE
Replace the following:
BACKEND_SERVICE: the name of the backend service.REGION: the region of the backend service to create.SAMPLE_RATE: this field can only be specified if logging is enabled for this backend service.The value of the field must be from
0.0 to 1.0, where0.0means that no logs are reported and1.0means that all connections are logged. Enabling logging but setting the sampling rate to0.0is equivalent to disabling logging. The default value is1.0.
API
Make aPATCH request to theregionBackendServices/patch method:
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/backendServices/BACKEND_SERVICE
For regional internal proxy Network Load Balancers:
{ "name": "BACKEND_SERVICE", "loadBalancingScheme": "INTERNAL_MANAGED", "logConfig": { "enable": true, "sampleRate":SAMPLE_RATE } }For regional external proxy Network Load Balancers:
{ "name": "BACKEND_SERVICE", "loadBalancingScheme": "EXTERNAL_MANAGED", "logConfig": { "enable": true, "sampleRate":SAMPLE_RATE } }For global external proxy Network Load Balancers:
Make aPATCH request to thebackendServices/patch method:
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/backendServices/BACKEND_SERVICE { "name": "BACKEND_SERVICE", "loadBalancingScheme": "EXTERNAL_MANAGED", "logConfig": { "enable": true, "sampleRate":SAMPLE_RATE } }For classic proxy Network Load Balancers:
Make aPATCH request to thebackendServices/patch method:
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/backendServices/BACKEND_SERVICE { "name": "BACKEND_SERVICE", "loadBalancingScheme": "EXTERNAL", "logConfig": { "enable": true, "sampleRate":SAMPLE_RATE } }For cross-region internal proxy Network Load Balancers:
Make aPATCH request to thebackendServices/patch method:
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/backendServices/BACKEND_SERVICE { "name": "BACKEND_SERVICE", "loadBalancingScheme": "INTERNAL_MANAGED", "logConfig": { "enable": true, "sampleRate":SAMPLE_RATE } }Replace the following:
PROJECT_ID: the name of your project.BACKEND_SERVICE: the name of the backend service.SAMPLE_RATE: this field can only be specified if logging is enabled for this backend service.The value of the field must be from
0.0 to 1.0, where0.0means that no logs are reported and1.0means that all connections are logged. Enabling logging but setting the sampling rate to0.0is equivalent to disabling logging. The default value is1.0.
Disable logging on an existing backend service
gcloud
Use thegcloud compute backend-services update command.
For regional external proxy Network Load Balancers and regional internal proxy Network Load Balancers:
gcloud compute backend-services updateBACKEND_SERVICE \ --region=REGION \ --no-enable-logging
For global external proxy Network Load Balancers, classic proxy Network Load Balancers,or cross-region internal proxy Network Load Balancers:
gcloud compute backend-services updateBACKEND_SERVICE \ --global \ --no-enable-logging
Replace the following:
BACKEND_SERVICE: the name of the backend service.REGION: the region of the backend service.
API
For regional external proxy Network Load Balancers and regional internal proxy Network Load Balancers:
Make aPATCH request to theregionBackendServices/patch method:
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/backendServices/BACKEND_SERVICE { "logConfig": { "enable": false } }For global external proxy Network Load Balancers, classic proxy Network Load Balancers, or cross-region internal proxy Network Load Balancers:
Make aPATCH request to thebackendServices/patch method:
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/backendServices/BACKEND_SERVICE { "logConfig": { "enable": false } }Replace the following:
PROJECT_ID: the name of your project.REGION: the region of the backend service.BACKEND_SERVICE: the name of the backend service.
View logs
When logs are ingested into Cloud Logging and not excluded through aLog Router sink, you can read logs by using theCloud Logging API and theGoogle Cloud CLI.
To view all the logs, complete the following steps.
Console
In the Google Cloud console, go to theLogs Explorer page.
Select theProxy Network Load Balancer Rule resource type.Note: For classic proxy Network Load Balancers, selectGlobal External Proxy Network Load Balancer Rule resource type.
Select theloadbalancing.googleapis.com/connections log name.
Console query
In the Google Cloud console, go to theLogs Explorer page.
Click theShow query toggle.
Paste the following into the query field.
resource.type="LOG_RESOURCE_TYPE"logName="projects/PROJECT_ID/logs/loadbalancing.googleapis.com/connections"
ClickRun query.
Replace the following:
LOG_RESOURCE_TYPE: the logging monitored-resourcetype set to eitherl4_proxy_ruleortcp_ssl_proxy_rule.PROJECT_ID: the name of your project.
View logs for a specific backend service
To view the logs for a specific backend service, complete the following steps.
Console query
In the Google Cloud console, go to theLogs Explorer page.
Click theShow query toggle.
Paste the following into the query field.
resource.type="LOG_RESOURCE_TYPE"logName="projects/PROJECT_ID/logs/loadbalancing.googleapis.com/connections"resource.labels.backend_service_name="BACKEND_SERVICE_NAME"
ClickRun query.
Replace the following:
LOG_RESOURCE_TYPE: the logging monitored-resourcetype set to eitherl4_proxy_ruleortcp_ssl_proxy_rule.PROJECT_ID: the name of your project.BACKEND_SERVICE_NAME: the name of the backendservice.
View logs for a backend instance group
To view the logs for a specific backend instance group, complete the following steps.
Console query
In the Google Cloud console, go to theLogs Explorer page.
Click theShow query toggle.
Paste the following into the query field.
resource.type="LOG_RESOURCE_TYPE"logName="projects/PROJECT_ID/logs/loadbalancing.googleapis.com/connections"resource.labels.backend_group_name="BACKEND_GROUP_NAME"
ClickRun query.
Replace the following:
LOG_RESOURCE_TYPE: the logging monitored-resourcetype set to eitherl4_proxy_ruleortcp_ssl_proxy_rule.PROJECT_ID: the name of your project.BACKEND_GROUP_NAME: the name of the instance group.
What is logged
Log entries contain information useful for monitoring and debugging yourtraffic. Log records contain required fields, which are the default fields ofevery log record.
| Field | Field format | Field type: Required or Optional | Description |
|---|---|---|---|
| severity timestamp receiveTimestamp insertID logName | LogEntry | Required | The general fields as described in a log entry. |
| resource | MonitoredResource | Required | TheMonitoredResource is the resource type associated with a log entry. TheMonitoredResourceDescriptor describes the schema of a |
| jsonPayload | object (Struct format) | Required | The log entry payload that is expressed as a JSON object. The JSON object contains the following fields:
|
Log fields
Log records contain required fields, which are the default fields of every logrecord.
Some log fields contain more than one piece of data in a given field—theselog fields are in a multi-field format. For example, theconnection field isof theIpConnection format, which contains the source and destination IPaddress and port, plus the protocol, in a single field. These multi-fieldlog fields are described in the following record format table.
The following table lists all the required log fields for the resourcel4_proxy_rule.
| Field | Field format | Description |
|---|---|---|
| connection | IpConnection | 5-Tuple describing this connection. |
| startTime | string | Timestamp (RFC 3339 date string format) when the connection from the client was accepted by the load balancer. |
| endTime | string | Timestamp (RFC 3339 date string format) when the client or the backend terminated the connection. |
| bytesSent | int64 | Number of bytes sent from the server to the client. |
| bytesReceived | int64 | Number of bytes received by the server from the client. |
IpConnection field format
| Field | Type | Description |
|---|---|---|
| clientIp | string | Client IP address |
| clientPort | int32 | Client port. Set for TCP and UDP connections only. |
| serverIp | string | Server IP address (forwarding rule IP) |
| serverPort | int32 | Server port. Set for TCP and UDP connections only. |
| protocol | int32 | IANA protocol number |
proxyStatus error field
TheproxyStatus field contains a string that specifies why the loadbalancer returned an error. There are two parts in theproxyStatusfield,proxyStatus error andproxyStatus details.This section describes the strings that are supported in theproxyStatus errorfield.
TheproxyStatus errorfield is applicable to the following load balancers:
- Global external proxy Network Load Balancer
- Regional external proxy Network Load Balancer
- Cross-region internal proxy Network Load Balancer
- Regional internal proxy Network Load Balancer
| proxyStatus error | Description | Common accompanying response codes |
|---|---|---|
destination_unavailable | The load balancer considers the backend to be unavailable. For example, recent attempts to communicate with the backend have failed, or a health check might have resulted in a failure. | 500,503 |
connection_timeout | The load balancer's attempt to open a connection to the backend has timed out. | 504 |
connection_terminated | The load balancer's connection to the backend ended before a complete response is received. This
| 0,502,503 |
connection_refused | The load balancer's connection to the backend is refused. | 502,503 |
connection_limit_reached | The load balancer is configured to limit the number of connections it has to the backend, and that limit has been exceeded. This
| 502,503 |
destination_not_found | The load balancer can't determine the appropriate backend to use for this request. For example, the backend might not be configured. | 500,404 |
dns_error | The load balancer encountered a DNS error when trying to find an IP address for the backend hostname. | 502,503 |
proxy_configuration_error | The load balancer encountered an internal configuration error. | 500 |
proxy_internal_error | The load balancer encountered an internal error. The error can be due to a scheduled restart of the proxy managing the connections. | 0,500,502 |
proxy_internal_response | The load balancer generated the response without attempting to connect to the backend. | Any status code depending on the type of problem. For example, the410 status code means that the backend is unavailable due to payment delinquency. |
tls_protocol_error | The load balancer encountered a TLS error during the TLS handshake. | 0 |
tls_certificate_error | The load balancer encountered an error at the time of verifying the certificate presented by the server. | 0 |
tls_alert_received | The load balancer encountered a fatal TLS alert during the TLS handshake. | 0 |
proxyStatus details field
TheproxyStatus field contains a string that specifies why the loadbalancer returned an error. There are two parts in theproxyStatusfield,proxyStatus error andproxyStatus details.TheproxyStatus details field is optional and is shown only whenadditional information is available.This section describes the strings that are supported in theproxyStatus details field.
TheproxyStatus detailsfield is applicable to the following load balancers:
- Global external proxy Network Load Balancer
- Regional external proxy Network Load Balancer
- Regional internal proxy Network Load Balancer
- Cross-region internal proxy Network Load Balancer
| proxyStatus details | Description | Common accompanying response status codes |
|---|---|---|
client_disconnected_before_any_response | The connection to the client was broken before the load balancer sent any response. | 0 |
backend_connection_closed | The backend unexpectedly closed its connection to the load balancer. This can happen if the load balancer is sending traffic to another entity such as a third-party application that has a TCP timeout shorter than the 10-minute (600-second) timeout of the load balancer. | 502 |
failed_to_connect_to_backend | The load balancer failed to connect to the backend. This failure includes timeouts during the connection phase. | 503 |
failed_to_pick_backend | The load balancer failed to pick a healthy backend to handle the request. | 502 |
handled_by_identity_aware_proxy | This response was generated byIdentity-Aware Proxy (IAP) during verifying the identity of the client before allowing access. | 200,302,400,401,403,500,502 |
request_overall_timeout | The total request timeout was exceeded. For more information, seeLogged errors for closed connections. | 408,503,504 |
tls_version_not_supported | The TLS protocol version is recognized but not supported. The error results in a closed TLS connection. | 0 |
unknown_psk_identity | Servers send this error when PSK key establishment is required, but the client doesn't provide an acceptable PSK identity. The error results in a closed TLS connection. | 0 |
no_application_protocol | Sent by servers when a client "application_layer_protocol_negotiation" extension advertises only protocols that the server doesn't support. SeeTLS application-layer protocol negotiation extension. The error results in a closed TLS connection. | 0 |
no_certificate | No certificate was found. The error results in a closed TLS connection. | 0 |
bad_certificate | A certificate is invalid, or it contains signatures that couldn't be verified. The error results in a closed TLS connection. | 0 |
unsupported_certificate | A certificate is of an unsupported type. The error results in a closed TLS connection. | 0 |
certificate_revoked | A certificate was revoked by its signer. The error results in a closed TLS connection. | 0 |
certificate_expired | A certificate has expired or it isn't valid. The error results in a closed TLS connection. | 0 |
certificate_unknown | Some unspecified issues arose while processing the certificate, rendering it unacceptable. The error results in a closed TLS connection. | 0 |
unknown_ca | A valid certificate chain or partial chain was received, but the certificate can't be accepted because the CA certificate cannot be located or matched with a known trust anchor. The error results in a closed TLS connection. | 0 |
unexpected_message | An inappropriate message, such as a wrong handshake message or premature application data was received. The error results in a closed TLS connection. | 0 |
bad_record_mac | A record is received that can't be deprotected. The error results in a closed TLS connection. | 0 |
record_overflow | ATLSCiphertext record was received that has a length more than214+256 bytes, or a record was decrypted to aTLSPlaintext record with more than 214 bytes (or some other negotiated limit). The error results in a closed TLS connection. | 0 |
handshake_failure | Unable to negotiate an acceptable set of security parameters given the options available. The error results in a closed TLS connection. | 0 |
illegal_parameter | A field in the handshake was incorrect or inconsistent with other fields. The error results in a closed TLS connection. | 0 |
access_denied | A valid certificate or PSK was received, but when access control was applied, the client didn't proceed with negotiation. The error results in a closed TLS connection. | 0 |
decode_error | A message couldn't be decoded because some fields are out of the specified range, or the length of the message is incorrect. The error results in a closed TLS connection. | 0 |
decrypt_error | A handshake (not record layer) cryptographic operation failed, including being unable to correctly verify a signature or validate a finished message or a PSK binder. The error results in a closed TLS connection. | 0 |
insufficient_security | A negotiation has failed specifically because the server requires parameters that are more secure than those supported by the client. The error results in a closed TLS connection. | 0 |
inappropriate_fallback | Sent by a server in response to an invalid connection retry attempt from a client. The error results in a closed TLS connection. | 0 |
user_cancelled | The user canceled the handshake for some reason unrelated to a protocol failure. The error results in a closed TLS connection. | 0 |
missing_extension | Sent by endpoints that receive a handshake message not containing an extension that is mandatory to send for the offered TLS version or other negotiated parameters. The error results in a closed TLS connection. | 0 |
unsupported_extension | Sent by endpoints that receive any handshake message containing an extension known to be prohibited for inclusion in the given handshake message, or including any extensions inServerHello orCertificate that was not first offered in the correspondingClientHello orCertificateRequest. The error results in a closed TLS connection. | 0 |
unrecognized_name | Sent by servers when no server exists that can be identified by the name provided by the client through the "server_name" extension. SeeTLS extension definitions. | 0 |
bad_certificate_status_response | Sent by clients when an invalid or unacceptable OCSP response is provided by the server through the "status_request" extension. SeeTLS extension definitions. The error results in a closed TLS connection. | 0 |
load_balancer_configured_resource_limits_reached | The load balancer has reached the configured resource limits, such as the maximum number of connections. | 0 |
Failed TLS connection log entries
When the TLS connection between the client and the load balancer fails beforeany backend is selected, log entries record the errors. You can configure thebackend services with different log sample rates. When a TLS connection fails,the failed TLS connection log sample rate is the highest sample rate for anybackend service. For example, if you have configured two backend services withlogging sample rate as0.3 and0.5, the failed TLS connection log samplerate is0.5.
You can identify failed TLS connections by checking for theselog entry details:
- proxyStatus error type is
tls_alert_received,tls_certificate_error,tls_protocol_error,orconnection_terminated. - There is no backend information.
The following sample shows a failed TLS log entry with theproxyStatus error field:
json_payload: { @type: "type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry" proxyStatus: "error="tls_alert_received"; details="server_to_client: handshake_failure"" log_name: "projects/529254013417/logs/mockservice.googleapis.com%20name" } http_request { latency { nanos: 12412000 } protocol: "HTTP/1.0" remote_ip: "127.0.0.2" } resource { type: "mock_internal_http_lb_rule" labels { backend_name: "" backend_scope: "" backend_scope_type: "UNKNOWN" backend_target_name: "" backend_target_type: "UNKNOWN" backend_type: "UNKNOWN" forwarding_rule_name: "l7-ilb-https-forwarding-rule-dev" matched_url_path_rule: "UNKNOWN" network_name: "lb-network" region: "REGION" target_proxy_name: "l7-ilb-https-proxy-dev" url_map_name: "" } } timestamp: "2023-08-15T16:49:30.850785Z"Resource labels
The following table lists the resource labels for resource typel4_proxy_rule.
| Field | Type | Description |
|---|---|---|
| network_name | string | The name of the load balancer's VPC network. |
| project_id | string | The identifier of the Google Cloud project associated with this resource. |
| region | string | The region where the load balancer is defined. |
| target_proxy_name | string | The name of the target proxy object referenced by the forwarding rule. |
| forwarding_rule_name | string | The name of the forwarding rule object. |
| loadbalancing_scheme_name | string | An attribute on the forwarding rule and the backend service of a load balancer that indicates whether the load balancer can be used for internal or external traffic. |
| backend_target_name | string | The name of the backend selected to handle the request. |
| backend_target_type | string | The type of backend target(BACKEND_SERVICE / UNKNOWN). |
| backend_name | string | The name of the backend instance group or network endpoint group (NEG). |
| backend_type | string | The type of backend, either an instance group or a NEG, or unknown. Cloud Logging logs requests when the backend_type is |
| backend_scope | string | The scope of the backend, either a zone name or a region name. Might beUNKNOWN wheneverbackend_name is unknown. |
| backend_scope_type | string | The scope of the backend (REGION/ZONE). Might beUNKNOWN wheneverbackend_name is unknown. |
Monitoring
The proxy Network Load Balancers export monitoring data toCloud Monitoring.
Monitoring metrics can be used to do the following:
- Evaluate a load balancer's configuration, usage, and performance.
- Troubleshoot problems.
- Improve resource utilization and user experience.
In addition to the predefined dashboards in Monitoring, you can create customdashboards, set up alerts, and query metrics by using theCloud Monitoring API.
View Monitoring dashboards
In the Google Cloud console, go to theMonitoring page.
IfResources appears in the navigation pane, selectResources,and then selectGoogle Cloud Load Balancers. Otherwise, selectDashboards, and then select the dashboard namedGoogle Cloud Load Balancers.
Click the name of your load balancer.
In the left pane, you can see various details for this load balancer.In the right pane, you can see timeseries graphs. To see specific breakdowns,clickBreakdowns.
Metric reporting frequency and retention
Metrics for the load balancers are batched and exported toMonitoring every one minute. Monitoring datais retained for six weeks.
By default, the dashboard provides data analysis for the past hour (1h).You can request analysis for a different time interval eitherby selecting one of the preconfigured intervals from the menuor by manually entering the time interval you want. For example:3h (for 3 hours) or4d (for 4 days) or6w (for six weeks).
Metrics for classic proxy Network Load Balancers
The following metrics for classic proxy Network Load Balancers are reportedinto Monitoring.
| Metric | Name | Description |
|---|---|---|
| Inbound traffic | tcp_ssl_proxy/ingress_bytes_count | The number of bytes sent from external endpoints to configured backends through the Google Front End (GFE)—in bytes per second. |
| Outbound traffic | tcp_ssl_proxy/egress_bytes_count | The number of bytes sent from configured backends to external endpoints through the GFE—in bytes per second. |
| Open connections | tcp_ssl_proxy/open_connections | The number of connections open at the given sample moment. Samples are taken one minute apart. |
| New connections per second | tcp_ssl_proxy/new_connections | The number of connections that were created (client successfully connected to backend). The counting granularity is per minute, but graphs are adjusted to show per second values. For more information, see theMonitoring documentation. |
| Closed connections per second | tcp_ssl_proxy/closed_connections | The number of connections that were closed. The counting granularity is per minute, but graphs are adjusted to show per second values. For more information, see theMonitoring documentation. |
| Frontend RTT | tcp_ssl_proxy/frontend_tcp_rtt | A distribution of the smoothed round-trip time (RTT) measured for each connection between the client and the GFE (measured by the GFE's TCP stack, each time application layer bytes pass from the GFE to the client). Smoothed RTT is an algorithm that deals with variations and anomalies that might occur in RTT measurements. |
Metrics for other load balancers
The following metrics for regional internal proxy Network Load Balancers,regional external proxy Network Load Balancers, cross-region internal proxy Network Load Balancer, andglobal external proxy Network Load Balancers are reported into Monitoring.
| Metric | Name | Description |
|---|---|---|
| Inbound traffic | l4_proxy/ingress_bytes_count | The number of bytes sent from the client to the backend VM by using the proxy. Sampled every 60 seconds. After sampling, data is not visible for up to 210 seconds. |
| Outbound traffic | l4_proxy/egress_bytes_count | The number of bytes sent from the backend VM to the client by using the proxy. Sampled every 60 seconds. After sampling, data is not visible for up to 210 seconds. |
| Closed connections per second | l4_proxy/tcp/closed_connections_count | The number of connections that were terminated by using a TCP RST or TCP FIN message. Sampled every 60 seconds. After sampling, data is not visible for up to 210 seconds. |
Filtering dimensions for metrics
Metrics are aggregated for each load balancer. Metrics can befurther broken down by the following dimensions.
| Property | Description |
|---|---|
| BACKEND SCOPE | The scope (region or zone) of the instance group that served the connection. |
| BACKEND ZONE | If the instance group was a zonal instance group, the zone of the instance group that served the connection. |
| BACKEND REGION | If the instance group was a regional instance group, the region of the instance group that served the connection. |
| PROXY CONTINENT | The continent of the GFE that terminated the user TCP/SSL connection—for example,America,Europe,Asia. |
| INSTANCE GROUP | The name of the instance group that received the user connection. |
| FORWARDING RULE | The name of the forwarding rule used to connect to the GFE. |
| CLIENT COUNTRY | The name of the country of the user. |
What's next
- To learn how SSL policies work, see theSSL policies overview.
- To learn how external proxy Network Load Balancers work, see theExternal proxy Network Load Balancer overview.
- To learn how internal proxy Network Load Balancers work, see theInternal proxy Network Load Balancer overview.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.