gcloud beta compute backend-services create - create a backend service

gcloud beta compute backend-services createBACKEND_SERVICE_NAME[--affinity-cookie-name=AFFINITY_COOKIE_NAME][--affinity-cookie-path=AFFINITY_COOKIE_PATH][--affinity-cookie-ttl=AFFINITY_COOKIE_TTL][--bypass-cache-on-request-headers=BYPASS_CACHE_ON_REQUEST_HEADERS][--no-cache-key-include-host][--cache-key-include-http-header=[HEADER_FIELD_NAME,…]][--cache-key-include-named-cookie=[NAMED_COOKIE,…]][--no-cache-key-include-protocol][--no-cache-key-include-query-string][--cache-mode=CACHE_MODE][--client-ttl=CLIENT_TTL][--compression-mode=COMPRESSION_MODE][--connection-drain-on-failover][--connection-draining-timeout=CONNECTION_DRAINING_TIMEOUT][--connection-persistence-on-unhealthy-backends=CONNECTION_PERSISTENCE_ON_UNHEALTHY_BACKENDS][--custom-request-header=CUSTOM_REQUEST_HEADER][--custom-response-header=CUSTOM_RESPONSE_HEADER][--default-ttl=DEFAULT_TTL][--description=DESCRIPTION][--drop-traffic-if-unhealthy][--[no-]enable-cdn][--[no-]enable-logging][--[no-]enable-strong-affinity][--failover-ratio=FAILOVER_RATIO][--health-checks=HEALTH_CHECK,[…]][--http-health-checks=HTTP_HEALTH_CHECK,[…]][--https-health-checks=HTTPS_HEALTH_CHECK,[…]][--iap=disabled|enabled,[oauth2-client-id=OAUTH2-CLIENT-ID,oauth2-client-secret=OAUTH2-CLIENT-SECRET]][--idle-timeout-sec=IDLE_TIMEOUT_SEC][--ip-address-selection-policy=IP_ADDRESS_SELECTION_POLICY][--ip-port-dynamic-forwarding][--load-balancing-scheme=LOAD_BALANCING_SCHEME; default="EXTERNAL"][--locality-lb-policy=LOCALITY_LB_POLICY][--logging-optional=LOGGING_OPTIONAL][--logging-optional-fields=[LOGGING_OPTIONAL_FIELDS,…]][--logging-sample-rate=LOGGING_SAMPLE_RATE][--max-ttl=MAX_TTL][--[no-]negative-caching][--negative-caching-policy=[[CODE=TTL],…]][--network=NETWORK][--port-name=PORT_NAME][--protocol=PROTOCOL][--[no-]request-coalescing][--resource-manager-tags=[KEY=VALUE,…]][--serve-while-stale=SERVE_WHILE_STALE][--service-bindings=SERVICE_BINDING,[…]][--service-lb-policy=SERVICE_LOAD_BALANCING_POLICY][--session-affinity=SESSION_AFFINITY][--signed-url-cache-max-age=SIGNED_URL_CACHE_MAX_AGE][--subsetting-policy=SUBSETTING_POLICY; default="NONE"][--subsetting-subset-size=SUBSETTING_SUBSET_SIZE][--timeout=TIMEOUT; default="30s"][--tracking-mode=TRACKING_MODE][--zonal-affinity-spillover=ZONAL_AFFINITY_SPILLOVER][--zonal-affinity-spillover-ratio=ZONAL_AFFINITY_SPILLOVER_RATIO][--cache-key-query-string-blacklist=[QUERY_STRING,…]    |--cache-key-query-string-whitelist=QUERY_STRING,[…]][--custom-metrics=[CUSTOM_METRICS,…]    |--custom-metrics-file=[CUSTOM_METRICS,…]][--global    |--region=REGION][--global-health-checks    |--health-checks-region=HEALTH_CHECKS_REGION][--identity=IDENTITY    |--tls-settings=[authenticationConfig=AUTHENTICATIONCONFIG],[sni=SNI]][GCLOUD_WIDE_FLAG …]

After you create a backend service, you add backends by usinggcloudcompute backend-services add-backend.

For more information about the available settings, seehttps://cloud.google.com/load-balancing/docs/backend-service.

BACKEND_SERVICE_NAME

Name of the backend service to create.

--affinity-cookie-name=AFFINITY_COOKIE_NAME

If--session-affinity is set toHTTP_COOKIE orSTRONG_COOKIE_AFFINITY, this flag sets the name of the cookie.

--affinity-cookie-path=AFFINITY_COOKIE_PATH

If--session-affinity is set toHTTP_COOKIE orSTRONG_COOKIE_AFFINITY, this flag sets the path of the cookie.

--affinity-cookie-ttl=AFFINITY_COOKIE_TTL

If--session-affinity is set toGENERATED_COOKIE,HTTP_COOKIE, orSTRONG_COOKIE_AFFINITY, this flag setsthe TTL, in seconds, of the resulting cookie. A setting of 0 indicates that thecookie should be a session cookie. See $gcloud topic datetimes forinformation on duration formats.

--bypass-cache-on-request-headers=BYPASS_CACHE_ON_REQUEST_HEADERS

Bypass the cache when the specified request headers are matched - e.g. Pragma orAuthorization headers. Up to 5 headers can be specified.

The cache is bypassed for all cdnPolicy.cacheMode settings.

Note that requests that include these headers will always fill from origin, andmay result in a large number of cache misses if the specified headers are commonto many requests.

Values are case-insensitive.

The header name must be a valid HTTP header field token (per RFC 7230).

For the list of restricted headers, see the list of required header nameproperties inHowcustom headers work.

A header name must not appear more than once in the list of added headers.

--cache-key-include-host

Enable including host in cache key. If enabled, requests to different hosts willbe cached separately. Can only be applied for global resources. Enabled bydefault, use--no-cache-key-include-host to disable.

--cache-key-include-http-header=[HEADER_FIELD_NAME,…]

Specifies a comma-separated list of HTTP headers, by field name, to include incache keys. Only the request URL is included in the cache key by default.

--cache-key-include-named-cookie=[NAMED_COOKIE,…]

Specifies a comma-separated list of HTTP cookie names to include in cache keys.The name=value pair are used in the cache key Cloud CDN generates. Cookies arenot included in cache keys by default.

--cache-key-include-protocol

Enable including protocol in cache key. If enabled, http and https requests willbe cached separately. Can only be applied for global resources. Enabled bydefault, use--no-cache-key-include-protocol to disable.

--cache-key-include-query-string

Enable including query string in cache key. If enabled, the query stringparameters will be included according to --cache-key-query-string-whitelist and--cache-key-query-string-blacklist. If neither is set, the entire query stringwill be included. If disabled, then the entire query string will be excluded.Can only be applied for global resources. Enabled by default, use--no-cache-key-include-query-string to disable.

--cache-mode=CACHE_MODE

Specifies the cache setting for all responses from this backend.CACHE_MODE must be one of:

CACHE_ALL_STATIC

Automatically cache static content, including common image formats, media (videoand audio), web assets (JavaScript and CSS). Requests and responses that aremarked as uncacheable, as well as dynamic content (including HTML), aren'tcached.

FORCE_CACHE_ALL

Cache all content, ignoring any "private", "no-store" or "no-cache" directivesin Cache-Control response headers. Warning: this may result in Cloud CDN cachingprivate, per-user (user identifiable) content. You should only enable this onbackends that are not serving private or dynamic content, such as storagebuckets.

USE_ORIGIN_HEADERS

Require the origin to set valid caching headers to cache content. Responseswithout these headers aren't cached at Google's edge, and require a full trip tothe origin on every request, potentially impacting performance and increasingload on the origin server.

--client-ttl=CLIENT_TTL

Specifies a separate client (for example, browser client) TTL, separate from theTTL for Cloud CDN's edge caches.

This allows you to set a shorter TTL for browsers/clients, and to have thoseclients revalidate content against Cloud CDN on a more regular basis, withoutrequiring revalidation at the origin.

The value of clientTtl cannot be set to a value greater than that of maxTtl, butcan be equal.

Any cacheable response has its max-age/s-maxage directives adjusted down to theclient TTL value if necessary; an Expires header will be replaced with asuitable max-age directive.

The maximum allowed value is 31,622,400s (1 year).

When creating a new backend with CACHE_ALL_STATIC and the field is unset, orwhen switching to that mode and the field is unset, a default value of 3600 isused.

When the cache mode is set to "USE_ORIGIN_HEADERS", you must omit this field.

--compression-mode=COMPRESSION_MODE

Compress text responses using Brotli or gzip compression, based on the client'sAccept-Encoding header. Two modes are supported: AUTOMATIC (recommended) -automatically uses the best compression based on the Accept-Encoding header sentby the client. In most cases, this will result in Brotli compression beingfavored. DISABLED - disables compression. Existing compressed responses cachedby Cloud CDN will not be served to clients.COMPRESSION_MODE must be one of:DISABLED,AUTOMATIC.

--connection-drain-on-failover

Applicable only for backend service-based external and internal passthroughNetwork Load Balancers as part of a connection tracking policy. Only applicablewhen the backend service protocol is TCP. Not applicable to any other loadbalancer. Enabled by default, this option instructs the load balancer to allowestablished TCP connections to persist for up to 300 seconds on instances orendpoints in primary backends during failover, and on instances or endpoints infailover backends during failback. For details, see:Connectiondraining on failover and failback for internal passthrough Network LoadBalancers andConnectiondraining on failover and failback for external passthrough Network LoadBalancers.

--connection-draining-timeout=CONNECTION_DRAINING_TIMEOUT

Connection draining timeout to be used during removal of VMs from instancegroups. This guarantees that for the specified time all existing connections toa VM will remain untouched, but no new connections will be accepted. Set timeoutto zero to disable connection draining. Enable feature by specifying a timeoutof up to one hour. If the flag is omitted API default value (0s) will be used.See $gcloud topic datetimesfor information on duration formats.

--connection-persistence-on-unhealthy-backends=CONNECTION_PERSISTENCE_ON_UNHEALTHY_BACKENDS

Specifies connection persistence when backends are unhealthy. The default valueis DEFAULT_FOR_PROTOCOL.CONNECTION_PERSISTENCE_ON_UNHEALTHY_BACKENDS must be oneof:DEFAULT_FOR_PROTOCOL,NEVER_PERSIST,ALWAYS_PERSIST.

--custom-request-header=CUSTOM_REQUEST_HEADER

Specifies a HTTP Header to be added by your load balancer. This flag can berepeated to specify multiple headers. For example:

gcloudbetacomputebackend-servicescreateNAME--custom-request-header"header-name: value"--custom-request-header"another-header:"

--custom-response-header=CUSTOM_RESPONSE_HEADER

Custom headers that the external Application Load Balancer adds to proxiedresponses. For the list of headers, seeCreatingcustom headers.

Variables are not case-sensitive.

--default-ttl=DEFAULT_TTL

Specifies the default TTL for cached content served by this origin for responsesthat do not have an existing valid TTL (max-age or s-maxage).

The default value is 3600s for cache modes that allow a default TTL to bedefined.

The value of defaultTtl cannot be set to a value greater than that of maxTtl,but can be equal.

When the cacheMode is set to FORCE_CACHE_ALL, the defaultTtl overwrites the TTLset in all responses.

A TTL of "0" means Always revalidate.

The maximum allowed value is 31,622,400s (1 year). Infrequently accessed objectsmay be evicted from the cache before the defined TTL.

When creating a new backend with CACHE_ALL_STATIC or FORCE_CACHE_ALL and thefield is unset, or when updating an existing backend to use these modes and thefield is unset, a default value of 3600 is used. When the cache mode is set to"USE_ORIGIN_HEADERS", you must omit this field.

--description=DESCRIPTION

An optional, textual description for the backend service.

--drop-traffic-if-unhealthy

Applicable only for backend service-based external and internal passthroughNetwork Load Balancers as part of a connection tracking policy. Not applicableto any other load balancer. This option instructs the load balancer to droppackets when all instances or endpoints in primary and failover backends do notpass their load balancer health checks. For details, see:Droppingtraffic when all backend VMs are unhealthy for internal passthrough Network LoadBalancers andDroppingtraffic when all backend VMs are unhealthy for external passthrough Network LoadBalancers.

--[no-]enable-cdn

Enable or disable Cloud CDN for the backend service. Only available for backendservices with --load-balancing-scheme=EXTERNAL or EXTERNAL_MANAGED that use a--protocol of HTTP, HTTPS, HTTP2 or H2C. Cloud CDN caches HTTP responses at theedge of Google's network. Cloud CDN is disabled by default. Use--enable-cdn to enable and--no-enable-cdn to disable.

--[no-]enable-logging

The logging options for the load balancer traffic served by this backendservice. If logging is enabled, logs will be exported to Cloud Logging. Disabledby default. This field cannot be specified for global external proxy NetworkLoad Balancers. Use--enable-logging to enable and--no-enable-logging to disable.

--[no-]enable-strong-affinity

Enable or disable strong session affinity. This is only available forloadbalancingScheme EXTERNAL. Use--enable-strong-affinity toenable and--no-enable-strong-affinity to disable.

--failover-ratio=FAILOVER_RATIO

Applicable only to backend service-based external passthrough Network loadbalancers and internal passthrough Network load balancers as part of a failoverpolicy. Not applicable to any other load balancer. This option defines the ratioused to control when failover and failback occur. For details, see:Failoverratio for internal passthrough Network Load Balancers andFailoverratio for external passthrough Network Load Balancer overview.

--health-checks=HEALTH_CHECK,[…]

Specifies a list of health check objects for checking the health of the backendservice. Currently at most one health check can be specified. Health checks neednot be for the same protocol as that of the backend service.

--http-health-checks=HTTP_HEALTH_CHECK,[…]

Specifies a list of legacy HTTP health check objects for checking the health ofthe backend service.

Legacy health checks are not recommended for backend services. It is possible touse a legacy health check on a backend service for an Application Load Balancerif that backend service uses instance groups. For more information, refer tothis guide:https://cloud.google.com/load-balancing/docs/health-check-concepts#lb_guide.

--https-health-checks=HTTPS_HEALTH_CHECK,[…]

Specifies a list of legacy HTTPS health check objects for checking the health ofthe backend service.

Legacy health checks are not recommended for backend services. It is possible touse a legacy health check on a backend service for an Application Load Balancerif that backend service uses instance groups. For more information, refer tothis guide:https://cloud.google.com/load-balancing/docs/health-check-concepts#lb_guide.

--iap=disabled|enabled,[oauth2-client-id=OAUTH2-CLIENT-ID,oauth2-client-secret=OAUTH2-CLIENT-SECRET]

Configure Identity Aware Proxy (IAP) for external HTTP(S) load balancing. Youcan configure IAP to beenabled ordisabled (default).If enabled, you can provide values foroauth2-client-id andoauth2-client-secret. For example,--iap=enabled,oauth2-client-id=foo,oauth2-client-secret=bar turnsIAP on, and--iap=disabled turns it off. For more information, seehttps://cloud.google.com/iap/.

--idle-timeout-sec=IDLE_TIMEOUT_SEC

Specifies how long to keep a connection tracking table entry while there is nomatching traffic (in seconds). Applicable only for backend service-basedexternal and internal passthrough Network Load Balancers as part of a connectiontracking policy.

--ip-address-selection-policy=IP_ADDRESS_SELECTION_POLICY

Specifies a preference for traffic sent from the proxy to the backend (or fromthe client to the backend for proxyless gRPC).

Can only be set if load balancing scheme is INTERNAL_SELF_MANAGED,INTERNAL_MANAGED or EXTERNAL_MANAGED.

The possible values are:

IPV4_ONLYOnlysendIPv4traffictothebackendsofthebackendservice,regardlessoftrafficfromtheclienttotheproxy.OnlyIPv4healthchecksareusedtocheckthehealthofthebackends.

PREFER_IPV6Prioritizetheconnectiontotheendpoint'sIPv6addressoveritsIPv4address(providedthereisahealthyIPv6address).

IPV6_ONLYOnlysendIPv6traffictothebackendsofthebackendservice,regardlessoftrafficfromtheclienttotheproxy.OnlyIPv6healthchecksareusedtocheckthehealthofthebackends.

IP_ADDRESS_SELECTION_POLICY must be one of:IPV4_ONLY,PREFER_IPV6,IPV6_ONLY.

--ip-port-dynamic-forwarding

Enables Dynamic Forwarding in IpPort selection mode.

--load-balancing-scheme=LOAD_BALANCING_SCHEME; default="EXTERNAL"

Specifies the load balancer type. Choose EXTERNAL for the classic ApplicationLoad Balancers, the external passthrough Network Load Balancers, and the globalexternal proxy Network Load Balancers. Choose EXTERNAL_MANAGED for theEnvoy-based global and regional external Application Load Balancers, and theregional external proxy Network Load Balancers. Choose INTERNAL for the internalpassthrough Network Load Balancers. Choose INTERNAL_MANAGED for Envoy-basedinternal load balancers such as the internal Application Load Balancers and theinternal proxy Network Load Balancers. Choose INTERNAL_SELF_MANAGED for TrafficDirector. For more information, refer to this guide:https://cloud.google.com/load-balancing/docs/choosing-load-balancer.LOAD_BALANCING_SCHEME must be one of:INTERNAL,EXTERNAL,INTERNAL_SELF_MANAGED,EXTERNAL_MANAGED,INTERNAL_MANAGED.

--locality-lb-policy=LOCALITY_LB_POLICY

The load balancing algorithm used within the scope of the locality.LOCALITY_LB_POLICY must be one of:INVALID_LB_POLICY,ROUND_ROBIN,LEAST_REQUEST,RING_HASH,RANDOM,ORIGINAL_DESTINATION,MAGLEV,WEIGHTED_MAGLEV,WEIGHTED_ROUND_ROBIN,WEIGHTED_GCP_RENDEZVOUS.

--logging-optional=LOGGING_OPTIONAL

This field can only be specified if logging is enabled for the backend service.Configures whether all, none, or a subset of optional fields should be added tothe reported logs. Default is EXCLUDE_ALL_OPTIONAL. This field can only bespecified for internal and external passthrough Network Load Balancers.LOGGING_OPTIONAL must be one of:EXCLUDE_ALL_OPTIONAL,INCLUDE_ALL_OPTIONAL,CUSTOM.

--logging-optional-fields=[LOGGING_OPTIONAL_FIELDS,…]

This field can only be specified if logging is enabled for the backend serviceand "--logging-optional" was set to CUSTOM. Contains a comma-separated list ofoptional fields you want to include in the logs. For example: serverInstance,serverGkeDetails.cluster, serverGkeDetails.pod.podNamespace. This can only bespecified for internal and external passthrough Network Load Balancers.

--logging-sample-rate=LOGGING_SAMPLE_RATE

This field can only be specified if logging is enabled for the backend service.The value of the field must be a float in the range [0, 1]. This configures thesampling rate of requests to the load balancer where 1.0 means all loggedrequests are reported and 0.0 means no logged requests are reported. The defaultvalue is 1.0 when logging is enabled and 0.0 otherwise.

--max-ttl=MAX_TTL

Specifies the maximum allowed TTL for cached content served by this origin.

The default value is 86400 for cache modes that support a max TTL.

Cache directives that attempt to set a max-age or s-maxage higher than this, oran Expires header more than maxTtl seconds in the future, are capped at thevalue of maxTtl, as if it were the value of an s-maxage Cache-Control directive.

A TTL of "0" means Always revalidate.

The maximum allowed value is 31,622,400s (1 year). Infrequently accessed objectsmay be evicted from the cache before the defined TTL.

When creating a new backend with CACHE_ALL_STATIC and the field is unset, orwhen updating an existing backend to use these modes and the field is unset, adefault value of 86400 is used. When the cache mode is set to"USE_ORIGIN_HEADERS" or "FORCE_CACHE_ALL", you must omit this field.

--[no-]negative-caching

Negative caching allows per-status code cache TTLs to be set, in order to applyfine-grained caching for common errors or redirects. This can reduce the load onyour origin and improve the end-user experience by reducing response latency.

Negative caching applies to a set of 3xx, 4xx, and 5xx status codes that aretypically useful to cache.

Status codes not listed here cannot have their TTL explicitly set and aren'tcached, in order to avoid cache poisoning attacks.

HTTP success codes (HTTP 2xx) are handled by the values of defaultTtl andmaxTtl.

When the cache mode is set to CACHE_ALL_STATIC or USE_ORIGIN_HEADERS, thesevalues apply to responses with the specified response code that lack anycache-control orexpires headers.

When the cache mode is set to FORCE_CACHE_ALL, these values apply to allresponses with the specified response code, and override any caching headers.

Cloud CDN applies the following default TTLs to these status codes:

• HTTP 300 (Multiple Choice), 301, 308 (Permanent Redirects): 10m
• HTTP 404 (Not Found), 410 (Gone), 451 (Unavailable For Legal Reasons): 120s
• HTTP 405 (Method Not Found), 421 (Misdirected Request), 501 (Not Implemented):60s

These defaults can be overridden in cdnPolicy.negativeCachingPolicy.

Use--negative-caching to enable and--no-negative-caching to disable.

--negative-caching-policy=[[CODE=TTL],…]

Sets a cache TTL for the specified HTTP status code.

NegativeCaching must be enabled to config the negativeCachingPolicy.

If you omit the policy and leave negativeCaching enabled, Cloud CDN's defaultcache TTLs are used.

Note that when specifying an explicit negative caching policy, make sure thatyou specify a cache TTL for all response codes that you want to cache. Cloud CDNdoesn't apply any default negative caching when a policy exists.

CODE is the HTTP status code to define a TTL against. Only HTTPstatus codes 300, 301, 308, 404, 405, 410, 421, 451, and 501 can be specified asvalues, and you cannot specify a status code more than once.

TTL is the time to live (in seconds) for which to cache responses for thespecifiedCODE. The maximum allowed value is 1800s (30 minutes),noting that infrequently accessed objects may be evicted from the cache beforethe defined TTL.

--network=NETWORK

Network that this backend service applies to. It can only be set if theload-balancing-scheme is INTERNAL.

--port-name=PORT_NAME

Backend services for Application Load Balancers and proxy Network Load Balancersmust reference exactly one named port if using instance group backends.

Each instance group backend exports one or more named ports, which map auser-configurable name to a port number. The backend service's named portsubscribes to one named port on each instance group. The resolved port numbercan differ among instance group backends, based on each instance group's namedport list.

When omitted, a backend service subscribes to a named port called http.

The named port for a backend service is either ignored or cannot be set forthese load balancing configurations:

• For any load balancer, if the backends are not instance groups (for example,GCE_VM_IP_PORT NEGs).
• For any type of backend on a backend service for internal or externalpassthrough Network Load Balancers.

See alsohttps://cloud.google.com/load-balancing/docs/backend-service#named_ports.

--protocol=PROTOCOL

Protocol for incoming requests.

If theload-balancing-scheme isINTERNAL (Internalpassthrough Network Load Balancer), the protocol must be one of: TCP, UDP,UNSPECIFIED.

If theload-balancing-scheme isINTERNAL_SELF_MANAGED(Traffic Director), the protocol must be one of: HTTP, HTTPS, HTTP2, GRPC, H2C.

If theload-balancing-scheme isINTERNAL_MANAGED(Internal Application Load Balancer), the protocol must be one of: HTTP, HTTPS,HTTP2, H2C.

If theload-balancing-scheme isINTERNAL_MANAGED(Internal proxy Network Load Balancer), the protocol must be only TCP.

If theload-balancing-scheme isEXTERNAL andregion is not set (Classic Application Load Balancer and Classicproxy Network Load Balancer), the protocol must be one of: HTTP, HTTPS, HTTP2,TCP, SSL.

If theload-balancing-scheme isEXTERNAL andregion is set (External passthrough Network Load Balancer), theprotocol must be one of: TCP, UDP, UNSPECIFIED.

If theload-balancing-scheme isEXTERNAL_MANAGED(Global external Application Load Balancer and regional external ApplicationLoad Balancer), the protocol must be one of: HTTP, HTTPS, HTTP2, H2C.

If theload-balancing-scheme isEXTERNAL_MANAGED(Global external proxy Network Load Balancer), the protocol must be one of: TCP,SSL.

If theload-balancing-scheme isEXTERNAL_MANAGED(Regional external proxy Network Load Balancer), the protocol must be only TCP.

--[no-]request-coalescing

Enables request coalescing to the backend (recommended).

Request coalescing (or collapsing) combines multiple concurrent cache fillrequests into a small number of requests to the origin. This can improveperformance by putting less load on the origin and backend infrastructure.However, coalescing adds a small amount of latency when multiple requests to thesame URL are processed, so for latency-critical applications it may not bedesirable.

Defaults to true.

Use--request-coalescing to enable and--no-request-coalescing to disable.

--resource-manager-tags=[KEY=VALUE,…]

A comma-separated list of Resource Manager tags to apply to the backend service.

--serve-while-stale=SERVE_WHILE_STALE

Serve existing content from the cache (if available) when revalidating contentwith the origin; this allows content to be served more quickly, and also allowscontent to continue to be served if the backend is down or reporting errors.

This setting defines the default serve-stale duration for any cached responsesthat do not specify a stale-while-revalidate directive. Stale responses thatexceed the TTL configured here will not be served without first beingrevalidated with the origin. The default limit is 86400s (1 day), which willallow stale content to be served up to this limit beyond the max-age (ors-max-age) of a cached response.

The maximum allowed value is 604800 (1 week).

Set this to zero (0) to disable serve-while-stale.

--service-bindings=SERVICE_BINDING,[…]

List of service bindings to be attached to this backend service. Can only be setif load balancing scheme is INTERNAL_SELF_MANAGED. If set, lists of backends andhealth checks must be both empty.

--service-lb-policy=SERVICE_LOAD_BALANCING_POLICY

Service load balancing policy to be applied to this backend service. Can only beset if load balancing scheme is EXTERNAL_MANAGED, INTERNAL_MANAGED, orINTERNAL_SELF_MANAGED. Only available for global backend services.

--session-affinity=SESSION_AFFINITY

The type of session affinity to use. Supports both TCP and UDP.SESSION_AFFINITY must be one of:

CLIENT_IP

Route requests to instances based on the hash of the client's IP address.

CLIENT_IP_NO_DESTINATION

Directs a particular client's request to the same backend VM based on a hashcreated on the client's IP address only. This is used in L4 ILB as Next-Hopscenarios. It differs from the Client-IP option in that Client-IP uses a hashbased on both client-IP's address and destination address.

CLIENT_IP_PORT_PROTO

(Applicable if--load-balancing-scheme isINTERNAL)Connections from the same client IP with the same IP protocol and port will goto the same backend VM while that VM remains healthy.

CLIENT_IP_PROTO

(Applicable if--load-balancing-scheme isINTERNAL)Connections from the same client IP with the same IP protocol will go to thesame backend VM while that VM remains healthy.

GENERATED_COOKIE

(Applicable if--load-balancing-scheme isINTERNAL_MANAGED,INTERNAL_SELF_MANAGED,EXTERNAL_MANAGED, orEXTERNAL) If the--load-balancing-scheme isEXTERNAL orEXTERNAL_MANAGED, routes requests to backend VMs or endpoints in aNEG, based on the contents of theGCLB cookie set by the loadbalancer. Only applicable when--protocol is HTTP, HTTPS,HTTP2 orH2C. If the--load-balancing-scheme isINTERNAL_MANAGED orINTERNAL_SELF_MANAGED, routesrequests to backend VMs or endpoints in a NEG, based on the contents of theGCILB cookie set by the proxy. (If no cookie is present, the proxychooses a backend VM or endpoint and sends aSet-Cookie responsefor future requests.) If the--load-balancing-scheme isINTERNAL_SELF_MANAGED, routes requests to backend VMs or endpointsin a NEG, based on the contents of a cookie set by Traffic Director. Thissession affinity is only valid if the load balancing locality policy is eitherRING_HASH orMAGLEV.

HEADER_FIELD

(Applicable if--load-balancing-scheme isINTERNAL_MANAGED,EXTERNAL_MANAGED, orINTERNAL_SELF_MANAGED) Route requests to backend VMs or endpointsin a NEG based on the value of the HTTP header named in the--custom-request-header flag. This session affinity is only validif the load balancing locality policy is eitherRING_HASH orMAGLEV and the backend service's consistent hash specifies the nameof the HTTP header.

HTTP_COOKIE

(Applicable if--load-balancing-scheme isINTERNAL_MANAGED,EXTERNAL_MANAGED orINTERNAL_SELF_MANAGED) Route requests to backend VMs or endpointsin a NEG, based on an HTTP cookie in the--affinity-cookie-nameflag (with the optional--affinity-cookie-ttl flag). If the clienthas not provided the cookie, the proxy generates the cookie and returns it tothe client in aSet-Cookie header. This session affinity is onlyvalid if the load balancing locality policy is eitherRING_HASH orMAGLEV and the backend service's consistent hash specifies the HTTPcookie.

NONE

Session affinity is disabled.

STRONG_COOKIE_AFFINITY

(Applicable if--load-balancing-scheme isINTERNAL_MANAGED orEXTERNAL_MANAGED) Strongcookie-based affinity, based on an HTTP cookie named in the--affinity-cookie-name flag (with the optional--affinity-cookie-ttl flag). Connections bearing the same cookiewill be served by the same backend VM while that VM remains healthy, as long asthe cookie has not expired. If the--affinity-cookie-ttl flag isset to 0, the cookie will be treated as a session cookie.

--signed-url-cache-max-age=SIGNED_URL_CACHE_MAX_AGE

The amount of time up to which the response to a signed URL request will becached in the CDN. After this time period, the Signed URL will be revalidatedbefore being served. Cloud CDN will internally act as though all responses fromthis backend had aCache-Control: public, max-age=[TTL] header,regardless of any existing Cache-Control header. The actual headers served inresponses will not be altered. If unspecified, the default value is 3600s.

For example, specifying12h will cause the responses to signed URLrequests to be cached in the CDN up to 12 hours. See $gcloud topic datetimes forinformation on duration formats.

This flag only affects signed URL requests.

--subsetting-policy=SUBSETTING_POLICY; default="NONE"

Specifies the algorithm used for subsetting. Default value is NONE which impliesthat subsetting is disabled. For Layer 4 Internal Load Balancing, if subsettingis enabled, only the algorithm CONSISTENT_HASH_SUBSETTING can be specified.SUBSETTING_POLICY must be one of:NONE,CONSISTENT_HASH_SUBSETTING.

--subsetting-subset-size=SUBSETTING_SUBSET_SIZE

Number of backends per backend group assigned to each proxy instance or eachservice mesh client. Can only be set if subsetting policy isCONSISTENT_HASH_SUBSETTING and load balancing scheme is either INTERNAL_MANAGEDor INTERNAL_SELF_MANAGED.

--timeout=TIMEOUT; default="30s"

Applicable to all load balancing products except passthrough Network LoadBalancers. For internal passthrough Network Load Balancers(load-balancing-scheme set to INTERNAL) andexternal passthrough Network Load Balancers(global not set andload-balancing-scheme set to EXTERNAL),timeout is ignored.

If theprotocol is HTTP, HTTPS, HTTP2 orH2C,timeout is a request/response timeoutfor HTTP(S) traffic, meaning the amount of time that the load balancer waits fora backend to return a full response to a request. If WebSockets traffic issupported, thetimeout parameter sets themaximum amount of time that a WebSocket can be open (idle or not).

For example, for HTTP, HTTPS, HTTP2 or H2C traffic, specifying atimeout of 10s means that backends have 10seconds to respond to the load balancer's requests. The load balancer retriesthe HTTP GET request one time if the backend closes the connection or times outbefore sending response headers to the load balancer. If the backend sendsresponse headers or if the request sent to the backend is not an HTTP GETrequest, the load balancer does not retry. If the backend does not reply at all,the load balancer returns a 502 Bad Gateway error to the client.

If theprotocol is SSL or TCP,timeout is an idle timeout.

The full range of timeout values allowed is 1 - 2,147,483,647 seconds.

--tracking-mode=TRACKING_MODE

Specifies the connection key used for connection tracking. The default value isPER_CONNECTION. Applicable only for backend service-based external and internalpassthrough Network Load Balancers as part of a connection tracking policy. Fordetails, see:Connectiontracking mode for internal passthrough Network Load Balancers balancing andConnectiontracking mode for external passthrough Network Load Balancers.TRACKING_MODE must be one of:PER_CONNECTION,PER_SESSION.

--zonal-affinity-spillover=ZONAL_AFFINITY_SPILLOVER

Specifies whether zonal affinity is enabled or not. For further details, refertoZonalaffinity options.

Can only be set if load balancing scheme is INTERNAL,

The possible values are:

ZONAL_AFFINITY_DISABLEDDefaultValue.ZonalAffinityisdisabled.TheloadbalancerdistributesnewconnectionstoallhealthybackendVMsacrossallzones.

ZONAL_AFFINITY_STAY_WITHIN_ZONEZonalAffinityisenabled.TheloadbalancerdistributesnewconnectionstoallhealthybackendVMsintheclientVM's zone only.  If there are no healthy backend VMs in the client VM'szone,theloadbalancerdistributesnewconnectionstoallbackendVMsintheclientVM'szone.

ZONAL_AFFINITY_SPILL_CROSS_ZONEZonalAffinityisenabled.TheloadbalancerdistributesnewconnectionstoallhealthybackendVMsintheclientVM's zone only.  If there aren'tenoughhealthybackendVMsintheclientVM's zone,  the load balancer distributes some new connections to backend VMs in  zones other than the client VM'szone.ThisdistributiondependsonaconfigurablespilloverratiothatdetermineswhentrafficstartsspillingovertobackendVMsinotherzones.

ZONAL_AFFINITY_SPILLOVER must be one of:ZONAL_AFFINITY_DISABLED,ZONAL_AFFINITY_STAY_WITHIN_ZONE,ZONAL_AFFINITY_SPILL_CROSS_ZONE.

--zonal-affinity-spillover-ratio=ZONAL_AFFINITY_SPILLOVER_RATIO

The value of the field can range from 0.0 to 1.0, inclusive. If not specified, adefault value of 0.0 is used.

This ratio indicates the threshold value for keeping traffic in the client VM'szone. If the proportion of healthy backend VMs in a zone falls below theconfigured spillover ratio, some new connections from the client VM aredistributed to healthy backend VMs in zones other than the client VM's zone.

For further details, refer toHowZONAL_AFFINITY_SPILL_CROSS_ZONE and spillover ratio work.

At most one of these can be specified:

--cache-key-query-string-blacklist=[QUERY_STRING,…]

Specifies a comma separated list of query string parameters to exclude in cachekeys. All other parameters will be included. Either specify--cache-key-query-string-whitelist or --cache-key-query-string-blacklist, notboth. '&' and '=' will be percent encoded and not treated as delimiters. Canonly be applied for global resources.

--cache-key-query-string-whitelist=QUERY_STRING,[…]

Specifies a comma separated list of query string parameters to include in cachekeys. All other parameters will be excluded. Either specify--cache-key-query-string-whitelist or --cache-key-query-string-blacklist, notboth. '&' and '=' will be percent encoded and not treated as delimiters. Canonly be applied for global resources.

At most one of these can be specified:

--custom-metrics=[CUSTOM_METRICS,…]

List of custom metrics that are used for WEIGHTED_ROUND_ROBIN locality loadbalancing policy.

Example:

gcloudbetacomputebackend-servicescreate--custom-metrics='name=my-signal,dryRun=true'gcloudbetacomputebackend-servicescreate--custom-metrics='name=my-signal,dryRun=true'--custom-metrics='name=my-signal2'gcloudbetacomputebackend-servicescreate--custom-metrics='[{"name" : "my-signal", "dryRun" : true}, {"name" : "my-signal2"}]'

Setscustom_metrics value.

dryRun

SetsdryRun value.

name

Required, setsname value.

Shorthand Example:

--custom-metrics=dryRun=boolean,name=string--custom-metrics=dryRun=boolean,name=string

JSON Example:

--custom-metrics='[{"dryRun": boolean, "name": "string"}]'

File Example:

--custom-metrics=path_to_file.(yaml|json)

--custom-metrics-file=[CUSTOM_METRICS,…]

File path to json file with custom metrics that are used forWEIGHTED_ROUND_ROBIN locality load balancing policy.

Example:

gcloudbetacomputebackend-servicescreate--custom-metrics-file='customMetric.json'

Setscustom_metrics_file value.

dryRun

SetsdryRun value.

name

Required, setsname value.

Shorthand Example:

--custom-metrics-file=dryRun=boolean,name=string--custom-metrics-file=dryRun=boolean,name=string

JSON Example:

--custom-metrics-file='[{"dryRun": boolean, "name": "string"}]'

File Example:

--custom-metrics-file=path_to_file.(yaml|json)

At most one of these can be specified:

--global

If set, the backend service is global.

--region=REGION

Region of the backend service to create. Overrides the defaultcompute/region property value for this command invocation.

At most one of these can be specified:

--global-health-checks

If set, the health checks are global.

--health-checks-region=HEALTH_CHECKS_REGION

Region of the health checks to operate on. If not specified, you might beprompted to select a region (interactive mode only).

To avoid prompting when this flag is omitted, you can set thecompute/region property:

gcloudconfigsetcompute/regionREGION

A list of regions can be fetched by running:

gcloudcomputeregionslist

To unset the property, run:

gcloudconfigunsetcompute/region

Alternatively, the region can be stored in the environment variableCLOUDSDK_COMPUTE_REGION.

At most one of these can be specified:

--identity=IDENTITY

Assigns the Managed Identity for the BackendService Workload. Use this propertyto configure the load balancer back-end to use certificates and roots of trustprovisioned by the Managed Workload Identity system. Theidentityproperty is the scheme-less SPIFFE ID to use in the SVID presented by the LoadBalancer Workload. The SPIFFE ID must be a resource starting with thetrustDomain property value, followed by the path to the ManagedWorkload Identity. Supported SPIFFE ID format://<trust_domain>/ns/<namespace>/sa/<subject> The Trust Domainwithin the Managed Identity must refer to a valid Workload Identity Pool. TheTrustConfig and CertificateIssuanceConfig will be inherited from the WorkloadIdentity Pool. Restrictions: If you set theidentity property, youcannot manually set the following fields: tlsSettings.sni,tlsSettings.subjectAltNames, tlsSettings.authenticationConfig. When defining aidentity for a RegionBackendServices, the corresponding WorkloadIdentity Pool must have a ca_pool configured in the same region. The system willset up a read-only tlsSettings.authenticationConfig for the Managed Identity.

--tls-settings=[authenticationConfig=AUTHENTICATIONCONFIG],[sni=SNI]

Configuration for Backend Authenticated TLS and mTLS. May only be specified whenthe backend protocol is SSL, HTTPS or HTTP2.

Example: $ gcloud beta compute backend-services create \--tls-settings='sni=example.com,authenticationConfig=${AUTH_CONF\ IG_NAME}'

Run$gcloud help for details.