Use SSL policies for SSL and TLS protocols

SSL policies specify the set of SSL features that Google Cloud load balancers use when negotiating SSL with clients. In this document, the term SSL refers to both the SSL and TLS protocols.

SSL policies are supported with the following load balancers:

  • Global SSL policies
    • Global external Application Load Balancer
    • Classic Application Load Balancer
    • External proxy Network Load Balancer (with a target SSL proxy)
    • Cross-region internal Application Load Balancer
  • Regional SSL policies
    • Regional external Application Load Balancer
    • Regional internal Application Load Balancer

For more information about how SSL policies work, see SSL policies overview.

You can create and manage SSL policies by using the Google Cloud console or the Google Cloud CLI when you create an HTTPS or SSL load balancer or at any time after you create the load balancer.

Create SSL policies

You can create SSL policies with Google-managed profiles or with a custom profile.

Create an SSL policy with a Google-managed profile

Console

Global SSL policy

To create a global SSL policy with a Google-managed profile, do the following:

  1. In the Google Cloud console, go to the SSL policies page.

    Go to SSL policies

  2. Click Create policy.

  3. For Global SSL policy, click the Create button next to it. The Create policy page appears.

  4. Enter a Name.

  5. Select a Minimum TLS Version.

  6. For Profile, select Compatible, Modern, or Restricted. The Enabled features and Disabled features for the profile are displayed on the right side of the page.

  7. If there is a load balancer to which you want to attach the policy, click Apply to targets and select a forwarding rule as the target of the SSL policy. If necessary, add more targets.

  8. Click Create.

Regional SSL policy

To create a regional SSL policy with a Google-managed profile, do the following:

  1. In the Google Cloud console, go to the SSL policies page.

    Go to SSL policies

  2. Click Create policy.

  3. For Regional SSL policy, click the Create button next to it. The Create policy page appears.

  4. Enter a Name.

  5. Select a Region.

  6. Select a Minimum TLS Version.

  7. For Profile, select Compatible, Modern, or Restricted. The Enabled features and Disabled features for the profile are displayed on the right side of the page.

  8. If there is a load balancer to which you want to attach the policy, click Apply to targets and select a forwarding rule as the target of the SSL policy. If necessary, add more targets.

  9. Click Create.

gcloud

Global SSL policy

The following is the general syntax for creating a global SSL policy with a Google-managed profile:

gcloud compute ssl-policies create SSL_POLICY_NAME \
    --profile COMPATIBLE | MODERN | RESTRICTED \
    --min-tls-version 1.0 | 1.1 | 1.2

The following command creates a global SSL policy with the MODERN profile:

gcloud compute ssl-policies create my-ssl-policy \
    --profile MODERN \
    --min-tls-version 1.0

Regional SSL policy

The following is the general syntax for creating a regional SSL policy with a Google-managed profile:

gcloud compute ssl-policies create SSL_POLICY_NAME \
    --profile COMPATIBLE | MODERN | RESTRICTED \
    --min-tls-version 1.0 | 1.1 | 1.2 \
    --region REGION

The following command creates a regional SSL policy with the COMPATIBLE profile:

gcloud compute ssl-policies create my-ssl-policy \
    --profile COMPATIBLE \
    --min-tls-version 1.1 \
    --region us-west1

Create an SSL policy with a custom profile

Console

Global SSL policy

To create a global SSL policy with a custom profile, do the following:

  1. In the Google Cloud console, go to the SSL policies page.

    Go to SSL policies

  2. Click Create policy.

  3. For Global SSL policy, click the Create button next to it. The Create policy page appears.

  4. Enter a Name.

  5. Select a Minimum TLS Version.

  6. For Profile, select Custom. All features are shown as Disabled features on the right side of the page.

  7. In the list of Features, select each cipher suite that you want to enable. The cipher suites you enable are listed as Enabled features.

  8. If there is a load balancer to which you want to attach the policy, click Apply to targets and select a forwarding rule as the target of the SSL policy. If necessary, add more targets.

  9. Click Create.

Regional SSL policy

To create a regional SSL policy with a custom profile, do the following:

  1. In the Google Cloud console, go to the SSL policies page.

    Go to SSL policies

  2. Click Create policy.

  3. For Regional SSL policy, click the Create button next to it. The Create policy page appears.

  4. Enter a Name.

  5. Select a Region.

  6. Select a Minimum TLS Version.

  7. For Profile, select Custom. All features are shown as Disabled features on the right side of the page.

  8. In the list of Features, select each cipher suite that you want to enable. The cipher suites you enable are listed as Enabled features.

  9. If there is a load balancer to which you want to attach the policy, click Apply to targets and select a forwarding rule as the target of the SSL policy. If necessary, add more targets.

  10. Click Create.

gcloud

When you create an SSL policy with the CUSTOM profile, only the features that you specify in the create command are supported. Other features are not supported.

Global SSL policy

The following is the general syntax for creating a global SSL policy with a custom profile:

gcloud compute ssl-policies create SSL_POLICY_NAME \
    --profile CUSTOM \
    --min-tls-version 1.0 | 1.1 | 1.2 \
    --custom-features SSL_FEATURE_1[,SSL_FEATURE_2,SSL_FEATURE_3]

The following example creates a global SSL policy with the CUSTOM profile, a minimum TLS version of 1.2, and the features TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 and TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256.

gcloud compute ssl-policies create SSL_POLICY_NAME \
    --profile CUSTOM \
    --min-tls-version 1.2 \
    --custom-features TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

Regional SSL policy

The following is the general syntax for creating a regional SSL policy with a custom profile:

gcloud compute ssl-policies create SSL_POLICY_NAME \
    --profile CUSTOM \
    --min-tls-version 1.0 | 1.1 | 1.2 \
    --custom-features SSL_FEATURE_1[,SSL_FEATURE_2,SSL_FEATURE_3] \
    --region REGION

The following example creates a regional SSL policy with the CUSTOM profile, a minimum TLS version of 1.2, and the features TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 and TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256.

gcloud compute ssl-policies create SSL_POLICY_NAME \
    --profile CUSTOM \
    --min-tls-version 1.2 \
    --custom-features TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \
    --region us-west1

List SSL policies

Console

In the Google Cloud console, go to theSSL policies page.

Go to SSL policies

You can view a list of all the available SSL policies. The Scope field indicates whether the SSL policy is global or regional.

gcloud

To list both global and regional SSL policies, run:

  gcloud compute ssl-policies list

To list only global SSL policies, run:

  gcloud compute ssl-policies list --global

To list only regional SSL policies, run:

  gcloud compute ssl-policies list --regions REGION

List features available in an SSL policy

Console

  1. In the Google Cloud console, go to theSSL policies page.

    Go to SSL policies

  2. Click the name of the policy whose features you want to see. The enabled and disabled cipher suites are listed on the right side of the page.

gcloud

To list the features available in global SSL policies:

gcloud compute ssl-policies list-available-features

To list the features available in regional SSL policies:

gcloud compute ssl-policies list-available-features \
    --region REGION

Modify SSL policies

Console

To modify a global or a regional SSL policy, do the following:

  1. In the Google Cloud console, go to theSSL policies page.

    Go to SSL policies

  2. Click the name of the policy that you want to modify.

  3. Click Edit.

  4. Make any changes you want.

  5. Click Save.

gcloud

To modify an existing SSL policy, pass any or all of the flags corresponding to the fields you want to update. Unspecified fields are not updated.

If you update the features, previously enabled features are deleted and replaced with the new features you specify.

Global SSL policies

gcloud compute ssl-policies update SSL_POLICY_NAME \
    --profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM \
    --min-tls-version 1.0|1.1|1.2 \
    --custom-features FEATURES

Regional SSL policies

gcloud compute ssl-policies update SSL_POLICY_NAME \
    --profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM \
    --min-tls-version 1.0|1.1|1.2 \
    [--custom-features FEATURES] \
    --region REGION
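Both the custom-profile create commands and the update command take the complete feature list: an update with --custom-features replaces whatever was enabled before, so adding one cipher suite means resubmitting the old ones with it. The following shell script is an added example, not code from the Google Cloud documentation. It checks a candidate feature list against a constructed subset of the names that gcloud compute ssl-policies list-available-features prints, merges additions and removals into the full list the update needs, and prints the resulting command as a dry run. The AVAILABLE_FEATURES sample and the unknown_features, merge_features and update_command helpers are this example's own.

```shell
#!/bin/sh
# Added example (not from the Google Cloud docs): compose the full
# --custom-features list for a CUSTOM SSL policy without dropping
# features by accident, since update replaces the whole list.

# Constructed subset of the names printed by
#   gcloud compute ssl-policies list-available-features
# (assumption: in a real run, capture that command's output here).
AVAILABLE_FEATURES='TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256'

# Print every name in a comma-separated feature list that is not in
# AVAILABLE_FEATURES (one per line). Empty output means all are known.
unknown_features() {
    printf '%s\n' "$1" | tr ',' '\n' | while read -r f; do
        [ -n "$f" ] || continue
        printf '%s\n' "$AVAILABLE_FEATURES" | grep -qxF "$f" || printf '%s\n' "$f"
    done
}

# Build the complete list for --custom-features: current features, then
# additions, minus removals, deduplicated, order preserved, comma-separated.
# Arguments: current_list add_list remove_list (comma-separated, may be empty)
merge_features() {
    printf '%s\n%s\n' "$1" "$2" | tr ',' '\n' | awk -v rm="$3" '
        BEGIN { n = split(rm, r, ","); for (i = 1; i <= n; i++) drop[r[i]] = 1 }
        $0 != "" && !($0 in drop) && !seen[$0]++ {
            out = out (out == "" ? "" : ",") $0
        }
        END { print out }'
}

# Print (do not run) the update command for a global policy (empty third
# argument) or a regional one. Run it only after unknown_features is empty.
update_command() {
    if [ -n "$3" ]; then scope="--region $3"; else scope="--global"; fi
    printf 'gcloud compute ssl-policies update %s --profile CUSTOM --custom-features %s %s\n' \
        "$1" "$2" "$scope"
}

# Usage: add the AES-256-GCM suites to a policy that currently has only the
# two CHACHA20 suites from the page's example, keeping the existing ones.
CURRENT='TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'
ADD='TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
NEW_FEATURES=$(merge_features "$CURRENT" "$ADD" "")
if [ -z "$(unknown_features "$NEW_FEATURES")" ]; then
    update_command my-ssl-policy "$NEW_FEATURES" ""
else
    echo "unknown feature names:"
    unknown_features "$NEW_FEATURES"
fi
```

The script never calls gcloud itself; it prints the command so the full feature list can be reviewed before it is applied, which is the step that protects against silently narrowing or widening the cipher set.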

Create a target proxy with an SSL policy

Console

You can create a target proxy by using the Google Cloud console when you're creating or updating the load balancer as shown in the following documents:

gcloud

To create a target SSL proxy with a global SSL policy:

gcloud compute target-ssl-proxies create TARGET_SSL_PROXY_NAME \
    --backend-service BACKEND_SERVICE_NAME \
    --ssl-certificate SSL_CERTIFICATE_NAME \
    --ssl-policy SSL_POLICY_NAME

To create a global target HTTPS proxy with a global SSL policy:

gcloud compute target-https-proxies create TARGET_HTTPS_PROXY_NAME \
    --ssl-certificate SSL_CERTIFICATE_NAME \
    --url-map URL_MAP_NAME \
    --ssl-policy SSL_POLICY_NAME

To create a regional target HTTPS proxy with a regional SSL policy:

gcloud compute target-https-proxies create REGIONAL_TARGET_HTTPS_PROXY_NAME \
    --ssl-certificates SSL_CERTIFICATE_NAME \
    --url-map URL_MAP_NAME \
    --url-map-region REGION \
    --ssl-policy SSL_POLICY_NAME \
    --region REGION

Attach an existing SSL policy to an existing target proxy

Console

Note: Target proxies can't be modified in the Google Cloud console. Use the gcloud CLI or the API instead.

gcloud

Use these commands to attach an existing SSL policy to an SSL proxy or HTTPS proxy.

If you don't provide the --ssl-policy flag or the --clear-ssl-policy flag in a target proxy update (for example, when updating an SSL certificate), the SSL policy is unchanged. The --clear-ssl-policy flag is described in Delete an SSL policy from a target proxy.

API

To set a global SSL policy for a global target proxy, use the targetHttpsProxies.patch method.

To set a regional SSL policy for a regional target proxy, use the regionTargetHttpsProxies.patch method.

Delete an SSL policy from a target proxy

Console

Note: Target proxies can't be modified in the Google Cloud console. Use the gcloud CLI or the API instead.

gcloud

Use these commands to remove an SSL policy from an SSL proxy or HTTPS proxy. If you don't attach a different SSL policy to the target proxy, the load balancer uses the default SSL policy. Using the --clear-ssl-policy flag is equivalent to replacing an SSL policy with the default SSL policy.

To remove a global SSL policy from a target SSL proxy:

gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME \
    --clear-ssl-policy

To remove a global SSL policy from a global target HTTPS proxy:

gcloud compute target-https-proxies update TARGET_HTTPS_PROXY_NAME \
    --clear-ssl-policy

To remove a regional SSL policy from a regional target HTTPS proxy:

gcloud compute target-https-proxies update REGIONAL_TARGET_HTTPS_PROXY_NAME \
    --clear-ssl-policy \
    --region REGION

When you provide the --clear-ssl-policy flag in the update command, the SSL policy is removed from the proxy.

If you don't provide the --clear-ssl-policy flag or the --ssl-policy flag in the target proxy update (for example, when updating an SSL certificate), the SSL policy is unchanged. The --ssl-policy flag is described in Attach an existing SSL policy to an existing target proxy.

Manage SSL policies

If you use custom constraints to restrict TLS capabilities, manually check for TLS compliance in pre-existing SSL policies that are attached to target SSL proxies and target HTTPS proxies.

Use the following sample steps to find and update SSL policies that don't meet your security goals.

  • To find all projects in your organization that have SSL policy resources:

    gcloud asset search-all-resources \
        --scope=organizations/ORGANIZATION_ID \
        --asset-types=compute.googleapis.com/SslPolicy

  • To list all global and regional SSL policies in a project, use the sslPolicies.aggregatedList method with the includeAllScopes query parameter set to true. Then, use the filter query parameter to search for SSL policies that don't align with your security goals.

    For example, to find SSL policies with a TLS version lower than 1.2, use the filter minTlsVersion="TLS_1_0" OR minTlsVersion="TLS_1_1":

    curl \
        'https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/aggregated/sslPolicies?filter=minTlsVersion%3D%22TLS_1_0%22%20OR%20minTlsVersion%3D%22TLS_1_1%22&includeAllScopes=true&key=YOUR_API_KEY' \
        --header 'Authorization: Bearer YOUR_ACCESS_TOKEN' \
        --header 'Accept: application/json' \
        --compressed

    To get your API key, see Authenticate using API keys. To get your access token, use the projects.serviceAccounts.generateAccessToken method.

    Then update the SSL policies that don't meet your minimum TLS requirement.

    To update a global SSL policy, you can use the following command:

    gcloud compute ssl-policies update SSL_POLICY_NAME \
        --min-tls-version=TLS_1_2 \
        --global

    To update a regional SSL policy, you can use the following command:

    gcloud compute ssl-policies update SSL_POLICY_NAME \
        --min-tls-version=TLS_1_2 \
        --region REGION

  • To list all the target SSL proxies in a project that aren't associated with an SSL policy, run the following command:

    curl \
        'https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetSslProxies?filter=sslPolicy%3D%22%22&key=YOUR_API_KEY' \
        --header 'Authorization: Bearer YOUR_ACCESS_TOKEN' \
        --header 'Accept: application/json' \
        --compressed

    To attach an SSL policy to these target proxies, see Attach an existing SSL policy to an existing target proxy.

  • You can also use either Cloud Asset Inventory or the Google APIs Explorer to find and update resources that don't meet your security requirements.

    For example, to look up a list of target SSL proxies that aren't associated with an SSL policy, you can use the following steps in Cloud Asset Inventory:

    1. In the Google Cloud console, go to the Asset inventory page.

      Go to Asset inventory

    2. Click Asset query.

    3. In the Edit query field, enter the following query and click Run.

      select * from `compute_googleapis_com_TargetSslProxy` where resource.data.sslPolicy IS NULL

    4. To attach an SSL policy to these target proxies, see Attach an existing SSL policy to an existing target proxy.

    5. Run the query in Cloud Asset Inventory until you see an empty response.
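The gcloud and curl commands in this section return raw resource lists; the script below is an added example, not code from the Google Cloud documentation, that turns such lists into the remediation commands this page describes and runs offline. It assumes the lists were captured with gcloud's csv[no-heading] output format, for example gcloud compute ssl-policies list --format="csv[no-heading](name,minTlsVersion,profile,region)" and gcloud compute target-ssl-proxies list --format="csv[no-heading](name,sslPolicy)", with a region URL for regional policies and an empty field for global ones (an assumption about that output). The SAMPLE_* lines are constructed stand-ins for that output, and PROJECT_ID, us-west1 and the policy and proxy names in them are placeholders.

```shell
#!/bin/sh
# Added example (not from the Google Cloud docs): flag SSL policies whose
# minimum TLS version is below 1.2 and target SSL proxies with no policy
# (which fall back to the default policy), then print the remediation
# commands from this page as a dry run.

# Constructed stand-in for:
#   gcloud compute ssl-policies list \
#       --format="csv[no-heading](name,minTlsVersion,profile,region)"
# Assumption: regional policies carry a region URL, global ones leave it empty.
SAMPLE_POLICIES='legacy-policy,TLS_1_0,COMPATIBLE,
modern-policy,TLS_1_2,MODERN,
west-policy,TLS_1_1,RESTRICTED,https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-west1'

# Constructed stand-in for:
#   gcloud compute target-ssl-proxies list --format="csv[no-heading](name,sslPolicy)"
SAMPLE_SSL_PROXIES='api-proxy,https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/sslPolicies/modern-policy
legacy-proxy,'

# For each policy whose minimum is TLS_1_0 or TLS_1_1 (the same condition
# as the filter in the curl example above), print the update command,
# choosing --global or --region <name> from the last segment of the region URL.
remediation_commands() {
    printf '%s\n' "$1" | awk -F, '
        $1 != "" && ($2 == "TLS_1_0" || $2 == "TLS_1_1") {
            scope = "--global"
            if ($4 != "") { n = split($4, seg, "/"); scope = "--region " seg[n] }
            printf "gcloud compute ssl-policies update %s --min-tls-version 1.2 %s\n", $1, scope
        }'
}

# Print the names of target SSL proxies whose sslPolicy field is empty.
unattached_proxies() {
    printf '%s\n' "$1" | awk -F, '$1 != "" && $2 == "" { print $1 }'
}

# Print the attach command for each unattached proxy (dry run), given the
# name of the policy they should use.
attach_commands() {
    unattached_proxies "$1" | while read -r proxy; do
        printf 'gcloud compute target-ssl-proxies update %s --ssl-policy %s\n' "$proxy" "$2"
    done
}

# Usage: review the printed commands before running them.
remediation_commands "$SAMPLE_POLICIES"
attach_commands "$SAMPLE_SSL_PROXIES" modern-policy
```

Because an unattached proxy silently uses the default SSL policy, the second list is the one most often missed by a check that only inspects the policies themselves; running both functions against a real export gives the complete picture for a project.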

Limits

See load balancer quotas and limits.

API reference

For descriptions of the properties and methods available to you when working with SSL policies through the REST API, see the following:

API documentation: sslPolicies
Product:
  • Global external Application Load Balancer
  • Classic Application Load Balancer
  • Cross-region internal Application Load Balancer
  • Global external proxy Network Load Balancer
  • Classic proxy Network Load Balancer

API documentation: regionSslPolicies
Product:
  • Regional external Application Load Balancer
  • Regional internal Application Load Balancer

gcloud CLI reference

For the Google Cloud CLI reference, see the following:

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.