This document shows you two sample configurations for setting up a regional external Application Load Balancer in a Shared VPC environment:
Both examples require the same initial configuration to grant permissions and set up Shared VPC before you can start creating load balancers.
These are not the only Shared VPC configurations supported by the regional external Application Load Balancer. For other valid Shared VPC architectures, see Shared VPC architectures.
If you don't want to use a Shared VPC network, see Set up a regional external Application Load Balancer with VM instance group backends.
Before you begin
Setting up a load balancer on a Shared VPC network requires some initial setup and provisioning by an administrator. After the initial setup, a service project owner can do one of the following:
This section summarizes the permissions required to follow this guide to set up a load balancer on a Shared VPC network.
Set up Shared VPC
The following roles are required for the following tasks:
These tasks must be performed in the Shared VPC host project. We recommend that the Shared VPC Admin also be the owner of the Shared VPC host project. This automatically grants the Network Admin and Security Admin roles.
Task | Required role
Set up Shared VPC, enable host project, and grant access to service project administrators | Shared VPC Admin
Create subnets in the Shared VPC host project and grant access to service project administrators | Network Admin
Add and remove firewall rules | Security Admin
After the subnets have been provisioned, the host project owner must grant the Network User role in the host project to anyone (typically service project administrators, developers, or service accounts) who needs to use these resources.
Task | Required role
Use VPC networks and subnets belonging to the host project | Network User
This role can be granted on the project level or for individual subnets. We recommend that you grant the role on individual subnets. Granting the role on the project provides access to all current and future subnets in the VPC network of the host project.
Deploy load balancer and backends
Service project administrators need the following roles in the service project to create load balancing resources and backends. These permissions are granted automatically to the service project owner or editor.
Roles granted in the service project
Prerequisites
In this section, you need to perform the following steps:
The steps in this section do not need to be performed every time you want to create a new load balancer. However, you must ensure that you have access to the resources described here before you proceed to creating the load balancer.
Configure the network and subnets in the host project
You need a Shared VPC network with two subnets: one for the load balancer's frontend and backends and one for the load balancer's proxies.
This example uses the following network, region, and subnets:
Network. The network is named lb-network.
Subnet for load balancer's frontend and backends. A subnet named lb-frontend-and-backend-subnet in the us-west1 region uses 10.1.2.0/24 for its primary IP range.
Subnet for proxies. A subnet named proxy-only-subnet in the us-west1 region uses 10.129.0.0/23 for its primary IP range.
This step does not need to be performed every time you want to create a new load balancer. You only need to ensure that the service project has access to a subnet in the Shared VPC network (in addition to the proxy-only subnet).
All the steps in this section must be performed in the host project.
Console
Create the VPC network. For Name, enter lb-network.
In the Subnets section:
In the New subnet section, enter the following information:
Name: lb-frontend-and-backend-subnet
Region: us-west1
IP address range: 10.1.2.0/24
Click Done.
Click Create.
gcloud
Create a VPC network with the gcloud compute networks create command:
gcloud compute networks create lb-network --subnet-mode=custom
Create a subnet in the lb-network network in the us-west1 region:
gcloud compute networks subnets create lb-frontend-and-backend-subnet \
    --network=lb-network \
    --range=10.1.2.0/24 \
    --region=us-west1
Terraform
Create a VPC network:
Create a subnet in the us-west1 region:
The proxy-only subnet is used by all regional Envoy-based load balancers in the us-west1 region, in the lb-network VPC network. There can only be one active proxy-only subnet per region, per network.
Do not perform this step if there is already a proxy-only subnet reserved in the us-west1 region in this network.
All the steps in this section must be performed in the host project.
Console
Create the proxy-only subnet in the lb-network network with the following values:
Name: proxy-only-subnet
Region: us-west1
IP address range: 10.129.0.0/23
gcloud
Create the proxy-only subnet with the gcloud compute networks subnets create command:
gcloud compute networks subnets create proxy-only-subnet \
    --purpose=REGIONAL_MANAGED_PROXY \
    --role=ACTIVE \
    --region=us-west1 \
    --network=lb-network \
    --range=10.129.0.0/23
Terraform
Create the proxy-only subnet:
Give service project admins access to the backend subnet
Service project administrators require access to the lb-frontend-and-backend-subnet subnet so that they can provision the load balancer's backends.
A Shared VPC Admin must grant access to the backend subnet to service project administrators (or developers who deploy resources and backends that use the subnet). For instructions, see Service Project Admins for some subnets.
Note: Service project administrators do not need to be granted access to the proxy-only subnet. However, without a pre-existing proxy-only subnet in the region, service project administrators cannot create forwarding rules for regional Envoy-based load balancers in that region.
Configure firewall rules in the host project
This example uses the following firewall rules:
fw-allow-health-check. An ingress rule, applicable to the instances being load balanced, that allows all TCP traffic from the Google Cloud health checking systems in 130.211.0.0/22 and 35.191.0.0/16. This example uses the target tag load-balanced-backend to identify the instances to which it should apply.
fw-allow-proxies. An ingress rule, applicable to the instances being load balanced, that allows TCP traffic on ports 80, 443, and 8080 from the load balancer's managed proxies. This example uses the target tag load-balanced-backend to identify the instances to which it should apply.
Without these firewall rules, the default deny ingress rule blocks incoming traffic to the backend instances.
All the steps in this section must be performed in the host project.
Console
In the Google Cloud console, go to the Firewall policies page.
Create the health check rule with the following values:
Name: fw-allow-health-check
Network: lb-network
Target tags: load-balanced-backend
Source IPv4 ranges: 130.211.0.0/22 and 35.191.0.0/16
Protocols and ports: TCP, with 80 for the port number.
As a best practice, limit this rule to just the protocols and ports that match those used by your health check. If you use tcp:80 for the protocol and port, Google Cloud can use HTTP on port 80 to contact your VMs, but it cannot use HTTPS on port 443 to contact them.
Create the proxy rule with the following values:
Name: fw-allow-proxies
Network: lb-network
Target tags: load-balanced-backend
Source IPv4 ranges: 10.129.0.0/23
Protocols and ports: TCP, with 80, 443, 8080 for the port numbers.
gcloud
Create the fw-allow-health-check firewall rule to allow Google Cloud health checks. This example allows all TCP traffic from health check probers. However, you can configure a narrower set of ports to meet your needs.
gcloud compute firewall-rules create fw-allow-health-check \
    --network=lb-network \
    --action=allow \
    --direction=ingress \
    --source-ranges=130.211.0.0/22,35.191.0.0/16 \
    --target-tags=load-balanced-backend \
    --rules=tcp
Create the fw-allow-proxies firewall rule to allow traffic from the Envoy proxy-only subnet to reach your backends.
gcloud compute firewall-rules create fw-allow-proxies \
    --network=lb-network \
    --action=allow \
    --direction=ingress \
    --source-ranges=10.129.0.0/23 \
    --target-tags=load-balanced-backend \
    --rules=tcp:80,tcp:443,tcp:8080
Terraform
Create a firewall rule to allow Google Cloud health checks.
Create a firewall rule to allow traffic from the Envoy proxy-only subnet to reach your backends.
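The two rules above are the only ingress the backends should accept: health-check probes from Google's prober ranges, and proxied client traffic from the proxy-only subnet. The following script is an added example, not part of this guide or of Google's tooling, that audits rule definitions offline against exactly that expectation. It takes the source ranges and port list in the same shape as the --source-ranges and --rules flags, checks that every source range lies inside the allowed CIDRs (the prober ranges for the health-check rule, the proxy-only subnet for the proxy rule), and flags a bare tcp rule, which leaves every port open where the guide recommends narrowing to the health-check port. The function names (audit_rule, cidr_within) and the constructed inputs are the example's own; nothing here calls gcloud.

```shell
#!/usr/bin/env bash
# Added example, not part of the Google Cloud guide: an offline audit of the
# two ingress rules the guide creates. Inputs have the same shape as the
# gcloud flags (--source-ranges and --rules); nothing here calls gcloud.

# Google Cloud health-check prober ranges quoted in the guide.
HEALTH_CHECK_RANGES="130.211.0.0/22 35.191.0.0/16"
# The proxy-only subnet the guide reserves for the Envoy proxies.
PROXY_ONLY_SUBNET="10.129.0.0/23"

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# CIDR -> "first last" integer bounds, aligned to the network boundary.
cidr_bounds() {
  local ip="${1%/*}" prefix="${1#*/}" base size first
  base=$(ip_to_int "$ip")
  size=$(( 1 << (32 - prefix) ))
  first=$(( base / size * size ))
  echo "$first $(( first + size - 1 ))"
}

# cidr_within ALLOWED CANDIDATE: succeeds when CANDIDATE lies entirely inside ALLOWED.
cidr_within() {
  set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
  [ "$3" -ge "$1" ] && [ "$4" -le "$2" ]
}

# ranges_within "ALLOWED LIST" "csv,of,rule,ranges": every rule range must sit
# inside one of the allowed CIDRs (a broad source such as 10.0.0.0/8 fails).
ranges_within() {
  local allowed="$1" candidates="$2" c a
  for c in $(printf '%s' "$candidates" | tr ',' ' '); do
    for a in $allowed; do
      cidr_within "$a" "$c" && continue 2
    done
    return 1
  done
  return 0
}

# ports_are_narrow "tcp:80,tcp:443": fails when any entry is a bare protocol
# such as "tcp", which opens every port to the rule's source ranges.
ports_are_narrow() {
  local r
  for r in $(printf '%s' "$1" | tr ',' ' '); do
    case $r in
      *:*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# audit_rule NAME SOURCE_RANGES RULES ALLOWED_CIDRS -> "NAME: OK" or a WARN line.
audit_rule() {
  local name="$1" src="$2" rules="$3" allowed="$4" issues=""
  ranges_within "$allowed" "$src" || issues="$issues source-range-outside-allowlist"
  ports_are_narrow "$rules" || issues="$issues all-ports-open"
  if [ -z "$issues" ]; then
    echo "$name: OK"
  else
    echo "$name: WARN$issues"
  fi
}

# The rules as the guide's gcloud commands define them. The health-check rule
# with --rules=tcp is flagged because it leaves every port open; the narrowed
# tcp:80 form the guide recommends passes.
audit_rule fw-allow-health-check "130.211.0.0/22,35.191.0.0/16" "tcp" "$HEALTH_CHECK_RANGES"
audit_rule fw-allow-health-check "130.211.0.0/22,35.191.0.0/16" "tcp:80" "$HEALTH_CHECK_RANGES"
audit_rule fw-allow-proxies "10.129.0.0/23" "tcp:80,tcp:443,tcp:8080" "$PROXY_ONLY_SUBNET"
```

The check is deliberately strict in one direction: a rule whose source ranges are a subset of the allowed CIDRs passes, but any range that reaches outside them (including a wide-open 0.0.0.0/0 on the proxy rule) is reported, because the backends sit behind the default deny ingress rule and should only ever see the proxies and the probers.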
This step entails enabling a Shared VPC host project, sharing subnets of the host project, and attaching service projects to the host project so that the service projects can use the Shared VPC network. To set up Shared VPC in the host project, see the following pages:
Note: Managed instance groups used with Shared VPC require making the Google APIs service account a Service Project Admin. This is because tasks like automatic instance creation via autoscaling are performed by this type of service account. To define the Google APIs service account as a Service Project Admin for the subnet in the Shared VPC host project, see Google APIs service account as a Service Project Admin.
The rest of these instructions assume that you have already set up Shared VPC. This includes setting up IAM policies for your organization and designating the host and service projects.
Don't proceed until you have set up Shared VPC and enabled the host and service projects.
After completing the steps defined in this prerequisites section, you can pursue either of the following setups:
Configure a load balancer in the service project
This example creates a regional external Application Load Balancer where all the load balancing components (forwarding rule, target proxy, URL map, and backend service) and backends are created in the service project.
The regional external Application Load Balancer's networking resources such as the proxy-only subnet and the subnet for the backend instances are created in the host project. The firewall rules for the backend instances are also created in the host project.
Figure 1. Regional external Application Load Balancer on Shared VPC
This section shows you how to set up the load balancer and backends. These steps should be carried out by the service project administrator (or a developer operating within the service project) and do not require involvement from the host project administrator. The steps in this section are largely similar to the standard steps to set up regional external Application Load Balancers.
The example on this page explicitly sets a reserved IP address for the regional external Application Load Balancer's forwarding rule, rather than allowing an ephemeral IP address to be allocated. As a best practice, we recommend reserving IP addresses for forwarding rules.
Create a managed instance group backend
Note: This section shows you how to set up regional external Application Load Balancers with VM instances located in a service project. Regional external Application Load Balancers also support Shared VPC with pods in a GKE cluster by using container-native load balancing with network endpoint groups (NEGs).
This section shows you how to create an instance template and a managed instance group backend. Traffic from clients is load balanced to VMs in these instance groups.
Console
Create an instance template. In the Google Cloud console, go to the Instance templates page.
For Name, enter l7-xlb-backend-template.
For the Boot disk, use an image that includes apt-get. If you need to change the Boot disk, click Change.
For Network tags, enter load-balanced-backend.
For Network interfaces, select the lb-frontend-and-backend-subnet subnet from the lb-network network.
Click Management. For Management, insert the following script into the Startup script field.
#! /bin/bash
apt-get update
apt-get install apache2 -y
a2ensite default-ssl
a2enmod ssl
vm_hostname="$(curl -H "Metadata-Flavor:Google" \
http://metadata.google.internal/computeMetadata/v1/instance/name)"
echo "Page served from: $vm_hostname" | \
tee /var/www/html/index.html
systemctl restart apache2
Click Create.
Create a managed instance group. In the Google Cloud console, go to the Instance groups page.
For Name, enter l7-xlb-backend-example.
For Instance template, select l7-xlb-backend-template.
Specify the number of instances that you want to create in the group.
For this example, specify the following options for Autoscaling:
Autoscaling mode: Off: do not autoscale
Number of instances: 2
Optionally, in the Autoscaling section, you can configure the instance group to automatically add or remove instances based on instance CPU usage.
Click Create.
gcloud
The gcloud instructions in this guide assume that you are using Cloud Shell or another environment with bash installed.
Create a VM instance template with an HTTP server with the gcloud compute instance-templates create command.
gcloud compute instance-templates create l7-xlb-backend-template \
    --region=us-west1 \
    --network=projects/HOST_PROJECT_ID/global/networks/lb-network \
    --subnet=projects/HOST_PROJECT_ID/regions/us-west1/subnetworks/lb-frontend-and-backend-subnet \
    --tags=load-balanced-backend \
    --image-family=debian-12 \
    --image-project=debian-cloud \
    --metadata=startup-script='#! /bin/bash
      apt-get update
      apt-get install apache2 -y
      a2ensite default-ssl
      a2enmod ssl
      vm_hostname="$(curl -H "Metadata-Flavor:Google" \
      http://metadata.google.internal/computeMetadata/v1/instance/name)"
      echo "Page served from: $vm_hostname" | \
      tee /var/www/html/index.html
      systemctl restart apache2' \
    --project=SERVICE_PROJECT_ID
Create a managed instance group in the zone with the gcloud compute instance-groups managed create command.
gcloud compute instance-groups managed create l7-xlb-backend-example \
    --zone=us-west1-a \
    --size=2 \
    --template=l7-xlb-backend-template \
    --project=SERVICE_PROJECT_ID
Reserve a regional static external IP address for the load balancer in the service project.
All the steps in this section must be performed in the service project.
Console
In the Google Cloud console, go to the Reserve a static address page.
Enter a name for the new address.
For Network Service Tier, select Standard.
For IP version, select IPv4. IPv6 addresses can only be global and can only be used with global load balancers.
For Type, select Regional.
For Region, select us-west1.
Leave the Attached to option set to None. After you create the load balancer, this IP address is attached to the load balancer's forwarding rule.
To reserve the IP address, click Reserve.
gcloud
To reserve a static external IP address, use the compute addresses create command.
gcloud compute addresses create IP_ADDRESS_NAME \
    --region=us-west1 \
    --network-tier=STANDARD \
    --project=SERVICE_PROJECT_ID
Replace the following:
IP_ADDRESS_NAME: the name that you want to call this address.
SERVICE_PROJECT_ID: the project ID for the service project where the load balancer is being created.
This section shows you how to create the following regional external Application Load Balancer resources:
Depending on the number of service projects that are using the same Shared VPC network, you might reach quotas or limits more quickly than in the network deployment model where each Google Cloud project hosts its own network.
For example, sometimes Google Cloud regions don't have enough proxy capacity for a new regional external Application Load Balancer. If this happens, the Google Cloud console provides a proxy availability warning message when you are creating your load balancer. To resolve this issue, you can do one of the following:
Contact your Google Cloud sales team to increase these limits.
Console
In the Google Cloud console, go to the Load balancing page.
For the load balancer name, enter l7-xlb-shared-vpc.
For the Network, select lb-network (from Project: HOST_PROJECT_ID).
If you see a Proxy-only subnet required in Shared VPC network warning, confirm that the host project admin has created the proxy-only-subnet in the us-west1 region in the lb-network Shared VPC network. Load balancer creation will succeed even if you do not have permission to view the proxy-only subnet on this page.
Keep the page open to continue.
Configure the frontend.
For HTTP:
Name: l7-xlb-forwarding-rule
Protocol: HTTP
Port: 80
IP address: the IP address that you created in Reserving the load balancer's IP address.
Click Done.
For HTTPS:
If you are using HTTPS between the client and the load balancer, you need one or more SSL certificate resources to configure the proxy. For information about how to create SSL certificate resources, see SSL certificates. Google-managed certificates aren't currently supported with regional external Application Load Balancers.
Name: l7-xlb-forwarding-rule
Protocol: HTTPS (includes HTTP/2)
Port: 443, to allow HTTPS traffic.
Certificate: l7-xlb-cert
Configure the backend.
Backend service name: l7-xlb-backend-service
Instance group: l7-xlb-backend-example
Port numbers: 80
Health check name: l7-xlb-basic-check
Health check protocol: HTTP
Health check port: 80
Configure the routing rules. l7-xlb-backend-service is the only backend service for any unmatched host and any unmatched path. For information about traffic management, see Setting up traffic management.
Review and finalize the configuration
gcloud
Define the HTTP health check with the gcloud compute health-checks create http command.
gcloud compute health-checks create http l7-xlb-basic-check \
    --region=us-west1 \
    --use-serving-port \
    --project=SERVICE_PROJECT_ID
Define the backend service with the gcloud compute backend-services create command.
gcloud compute backend-services create l7-xlb-backend-service \
    --load-balancing-scheme=EXTERNAL_MANAGED \
    --protocol=HTTP \
    --health-checks=l7-xlb-basic-check \
    --health-checks-region=us-west1 \
    --region=us-west1 \
    --project=SERVICE_PROJECT_ID
Add backends to the backend service with the gcloud compute backend-services add-backend command.
gcloud compute backend-services add-backend l7-xlb-backend-service \
    --balancing-mode=UTILIZATION \
    --instance-group=l7-xlb-backend-example \
    --instance-group-zone=us-west1-a \
    --region=us-west1 \
    --project=SERVICE_PROJECT_ID
Create the URL map with the gcloud compute url-maps create command.
gcloud compute url-maps create l7-xlb-map \
    --default-service=l7-xlb-backend-service \
    --region=us-west1 \
    --project=SERVICE_PROJECT_ID
Create the target proxy.
For HTTP:
For an HTTP load balancer, create the target proxy with the gcloud compute target-http-proxies create command.
gcloud compute target-http-proxies create l7-xlb-proxy \
    --url-map=l7-xlb-map \
    --url-map-region=us-west1 \
    --region=us-west1 \
    --project=SERVICE_PROJECT_ID
For HTTPS:
For information about how to create SSL certificate resources, see SSL certificates. Google-managed certificates aren't currently supported with regional external Application Load Balancers.
Assign your file paths to variable names. Replace each placeholder with the path to the corresponding PEM-formatted file.
export LB_CERT=PATH_TO_PEM_CERTIFICATE_FILE
export LB_PRIVATE_KEY=PATH_TO_PEM_PRIVATE_KEY_FILE
Create a regional SSL certificate using the gcloud compute ssl-certificates create command.
gcloud compute ssl-certificates create l7-xlb-cert \
    --certificate=$LB_CERT \
    --private-key=$LB_PRIVATE_KEY \
    --region=us-west1
Use the regional SSL certificate to create a target proxy with the gcloud compute target-https-proxies create command.
gcloud compute target-https-proxies create l7-xlb-proxy \
    --url-map=l7-xlb-map \
    --region=us-west1 \
    --ssl-certificates=l7-xlb-cert \
    --project=SERVICE_PROJECT_ID
Create the forwarding rule.
For custom networks, you must reference the subnet in the forwarding rule.
For the forwarding rule's IP address, use the lb-frontend-and-backend-subnet. If you try to use the proxy-only subnet, forwarding rule creation fails.
For HTTP:
Use the gcloud compute forwarding-rules create command with the correct flags.
gcloud compute forwarding-rules create l7-xlb-forwarding-rule \
    --load-balancing-scheme=EXTERNAL_MANAGED \
    --network=projects/HOST_PROJECT_ID/global/networks/lb-network \
    --address=IP_ADDRESS_NAME \
    --ports=80 \
    --region=us-west1 \
    --target-http-proxy=l7-xlb-proxy \
    --target-http-proxy-region=us-west1 \
    --network-tier=STANDARD \
    --project=SERVICE_PROJECT_ID
For HTTPS:
Create the forwarding rule with the gcloud compute forwarding-rules create command with the correct flags.
gcloud compute forwarding-rules create l7-xlb-forwarding-rule \
    --load-balancing-scheme=EXTERNAL_MANAGED \
    --network=projects/HOST_PROJECT_ID/global/networks/lb-network \
    --address=IP_ADDRESS_NAME \
    --ports=443 \
    --region=us-west1 \
    --target-https-proxy=l7-xlb-proxy \
    --target-https-proxy-region=us-west1 \
    --network-tier=STANDARD \
    --project=SERVICE_PROJECT_ID
When the load balancing service is running, you can send traffic to the forwarding rule and watch the traffic be dispersed to different instances.
Console
In the Google Cloud console, go to the Load balancing page.
Click the load balancer that you just created and note its IP address; it is referred to as LB_IP_ADDRESS in the following steps.
Confirm that the backend VMs are healthy (for example, 2/2). If you see otherwise, first try reloading the page. It can take a few moments for the Google Cloud console to indicate that the VMs are healthy. If the backends do not appear healthy after a few minutes, review the firewall configuration and the network tag assigned to your backend VMs.
In a web browser, go to https://LB_IP_ADDRESS (or http://LB_IP_ADDRESS). Replace LB_IP_ADDRESS with the load balancer's IP address.
Your browser should render a page with minimal information about the backend instance (for example, Page served from: lb-backend-example-xxxx). If your browser doesn't render this page, review the configuration settings in this guide.
gcloud
Note the IP address that was reserved:
gcloud compute addresses describe IP_ADDRESS_NAME \
    --format="get(address)" \
    --region=us-west1
You can test your load balancer using a web browser by going to https://IP_ADDRESS_NAME (or http://IP_ADDRESS_NAME). Replace IP_ADDRESS_NAME with the load balancer's IP address.
If you used a self-signed certificate for testing HTTPS, your browser displays a warning. You must explicitly instruct your browser to accept a self-signed certificate.
Your browser should render a page with minimal information about the backend instance. If your browser doesn't render this page, review the configuration settings in this guide.
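A browser shows one backend per reload; to see that traffic is actually being dispersed across the instance group, it is more useful to issue a batch of requests and count which backend answered each one. The following script is an added example, not part of this guide, built on the "Page served from: <hostname>" line that the guide's startup script serves. backend_distribution and spread_ok are the example's own names, the sample responses are constructed, and probe_lb assumes you substitute the load balancer's address for the placeholder; the counting functions run offline.

```shell
#!/usr/bin/env bash
# Added example, not part of the Google Cloud guide: confirm that requests to
# the forwarding rule are spread across the backend VMs, using the
# "Page served from: <hostname>" body that the guide's startup script serves.

# backend_distribution: reads response bodies (one "Page served from:" line
# per request) on stdin and prints "hostname count" per backend, sorted.
backend_distribution() {
  sed -n 's/^Page served from: //p' | sort | uniq -c | awk '{ print $2, $1 }' | sort
}

# distinct_backends: number of different backend VMs seen in the responses.
distinct_backends() {
  backend_distribution | awk 'END { print NR }'
}

# spread_ok EXPECTED: reads responses on stdin and succeeds only when all
# EXPECTED backends (2 for the guide's instance group) answered at least once.
spread_ok() {
  [ "$(distinct_backends)" -eq "$1" ]
}

# probe_lb LB_IP COUNT: sends COUNT plain-HTTP requests to the load balancer's
# address and emits the bodies for the functions above (LB_IP is a placeholder).
probe_lb() {
  local lb_ip="$1" count="${2:-20}" i=0
  while [ "$i" -lt "$count" ]; do
    curl -s --max-time 5 "http://$lb_ip/"
    echo
    i=$((i + 1))
  done
}

# Constructed sample responses, standing in for the output of probe_lb.
SAMPLE_RESPONSES='Page served from: l7-xlb-backend-example-abcd
Page served from: l7-xlb-backend-example-wxyz
Page served from: l7-xlb-backend-example-abcd
Page served from: l7-xlb-backend-example-wxyz
Page served from: l7-xlb-backend-example-abcd'

printf '%s\n' "$SAMPLE_RESPONSES" | backend_distribution
if printf '%s\n' "$SAMPLE_RESPONSES" | spread_ok 2; then
  echo "traffic reached all backends"
fi
# Live use, once the address is known:
#   probe_lb LB_IP_ADDRESS 20 | spread_ok 2 && echo "traffic reached all backends"
```

If only one hostname ever appears, the usual causes are the same ones the guide lists for unhealthy backends: the fw-allow-health-check rule or the load-balanced-backend tag missing on one VM, so the health check marks it unhealthy and the proxies stop sending it traffic.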
Configure a load balancer with a cross-project backend service
The previous example on this page shows you how to set up a Shared VPC deployment where all the load balancer components and its backends are created in the service project.
Regional external Application Load Balancers also let you configure Shared VPC deployments where a URL map in one host or service project can reference backend services (and backends) located across multiple service projects in Shared VPC environments. This is referred to as cross-project service referencing.
You can use the steps in this section as a reference to configure any of the supported combinations listed here:
Cross-project service referencing can be used with instance groups, serverless NEGs, or any other supported backend types.
Set up requirements
This example configures a sample load balancer with its frontend and backend in two different service projects.
If you haven't already done so, you must complete all of the prerequisite steps to set up Shared VPC and configure the network, subnets, and firewall rules required for this example. For instructions, see the following sections at the start of this page:
Figure 2. Load balancer frontend and backend in different service projects
Reserve the load balancer's IP address in service project A
Reserve a regional static external IP address for the load balancer in service project A.
All the steps in this section must be performed in service project A.
Console
In the Google Cloud console, go to the Reserve a static address page.
For the name of the new address, enter cross-ref-ip-address.
For Network Service Tier, select Standard.
For IP version, select IPv4. IPv6 addresses can only be global and can only be used with global load balancers.
For Type, select Regional.
For Region, select us-west1.
Leave the Attached to option set to None. After you create the load balancer, this IP address is attached to the load balancer's forwarding rule.
To reserve the IP address, click Reserve.
gcloud
To reserve a static external IP address, use the compute addresses create command.
gcloud compute addresses create IP_ADDRESS_CROSS_REF \
    --region=us-west1 \
    --network-tier=STANDARD \
    --project=SERVICE_PROJECT_A_ID
Replace the following:
IP_ADDRESS_CROSS_REF: the name that you want to call this IP address.
SERVICE_PROJECT_A_ID: the project ID for service project A, where the load balancer's frontend is being created.
All the steps in this section must be performed in service project B.
Console
Create an instance template. In the Google Cloud console, go to the Instance templates page.
For Name, enter cross-ref-backend-template.
For the Boot disk, use an image that includes apt-get. If you need to change the Boot disk, click Change.
For Network tags, enter load-balanced-backend.
For Network interfaces, select the lb-frontend-and-backend-subnet subnet from the lb-network network.
Click Management. For Management, insert the following script into the Startup script field:
#! /bin/bash
apt-get update
apt-get install apache2 -y
a2ensite default-ssl
a2enmod ssl
vm_hostname="$(curl -H "Metadata-Flavor:Google" \
http://metadata.google.internal/computeMetadata/v1/instance/name)"
echo "Page served from: $vm_hostname" | \
tee /var/www/html/index.html
systemctl restart apache2
Click Create.
Create a managed instance group. In the Google Cloud console, go to the Instance groups page.
For Name, enter cross-ref-ig-backend.
Specify the number of instances that you want to create in the group.
For this example, specify the following options for Autoscaling:
Autoscaling mode: Off: do not autoscale
Number of instances: 2
Optionally, in the Autoscaling section, you can configure the instance group to automatically add or remove instances based on instance CPU usage.
Click Create.
Create a regional backend service. As a part of this step, we also create the health check and add backends to the backend service. In the Google Cloud console, go to the Backends page.
For Name, enter cross-ref-backend-service.
Port numbers: 80
Health check name: cross-ref-http-health-check
Health check protocol: HTTP
Health check port: 80
Optional: In the Add permissions section, enter the IAM principals (typically an email address) of Load Balancer Admins from other projects so that they can use this backend service for load balancers in their own projects. Without this permission, you cannot use cross-project service referencing.
If you don't have permission to set access control policies for backend services in this project, you can still create the backend service now, and an authorized user can perform this step later as described in the section, Grant permissions to the Load Balancer Admin to use the backend service. That section also describes how to grant access to all the backend services in this project, so that you don't have to grant access every time you create a new backend service.
Click Create.
gcloud
Create a VM instance template with an HTTP server with the gcloud compute instance-templates create command.
gcloud compute instance-templates create BACKEND_IG_TEMPLATE \
    --region=us-west1 \
    --network=projects/HOST_PROJECT_ID/global/networks/lb-network \
    --subnet=projects/HOST_PROJECT_ID/regions/us-west1/subnetworks/lb-frontend-and-backend-subnet \
    --tags=load-balanced-backend \
    --image-family=debian-12 \
    --image-project=debian-cloud \
    --metadata=startup-script='#! /bin/bash
      apt-get update
      apt-get install apache2 -y
      a2ensite default-ssl
      a2enmod ssl
      vm_hostname="$(curl -H "Metadata-Flavor:Google" \
      http://metadata.google.internal/computeMetadata/v1/instance/name)"
      echo "Page served from: $vm_hostname" | \
      tee /var/www/html/index.html
      systemctl restart apache2' \
    --project=SERVICE_PROJECT_B_ID
Replace the following:
BACKEND_IG_TEMPLATE: the name for the instance group template.
SERVICE_PROJECT_B_ID: the project ID for service project B, where the load balancer's backends and the backend service are being created.
HOST_PROJECT_ID: the project ID for the Shared VPC host project.
Create a managed instance group in the zone with the gcloud compute instance-groups managed create command.
gcloud compute instance-groups managed create BACKEND_MIG \
    --zone=us-west1-a \
    --size=2 \
    --template=BACKEND_IG_TEMPLATE \
    --project=SERVICE_PROJECT_B_ID
Replace the following:
BACKEND_MIG: the name for the backend instance group.
Define the HTTP health check with the gcloud compute health-checks create http command.
gcloud compute health-checks create http HTTP_HEALTH_CHECK_NAME \
    --region=us-west1 \
    --use-serving-port \
    --project=SERVICE_PROJECT_B_ID
Replace the following:
HTTP_HEALTH_CHECK_NAME: the name for the HTTP health check.
Define the backend service with the gcloud compute backend-services create command.
gcloud compute backend-services create BACKEND_SERVICE_NAME \
    --load-balancing-scheme=EXTERNAL_MANAGED \
    --protocol=HTTP \
    --health-checks=HTTP_HEALTH_CHECK_NAME \
    --health-checks-region=us-west1 \
    --region=us-west1 \
    --project=SERVICE_PROJECT_B_ID
Replace the following:
BACKEND_SERVICE_NAME: the name for the backend service created in service project B.
Add backends to the backend service with the gcloud compute backend-services add-backend command.
gcloud compute backend-services add-backend BACKEND_SERVICE_NAME \
    --balancing-mode=UTILIZATION \
    --instance-group=BACKEND_MIG \
    --instance-group-zone=us-west1-a \
    --region=us-west1 \
    --project=SERVICE_PROJECT_B_ID
All the steps in this section must be performed in service project A.
Console
Select the load balancer type
In the Google Cloud console, go to the Load balancing page.
For the load balancer name, enter cross-ref-l7-xlb-shared-vpc.
For the Network, select lb-network (from Project: HOST_PROJECT_ID).
If you see a Proxy-only subnet required in Shared VPC network warning, confirm that the host project administrator has created the proxy-only-subnet in the us-west1 region in the lb-network Shared VPC network. Load balancer creation will succeed even if you don't have permission to view the proxy-only subnet on this page.
Keep the page open to continue.
For cross-project service referencing to work, the frontend must use the same network (lb-network) from the Shared VPC host project that was used to create the backend service.
Configure the frontend.
For HTTP:
Name: cross-ref-http-forwarding-rule
Protocol: HTTP
Set the Subnetwork to lb-frontend-and-backend-subnet.
Don't select the proxy-only subnet for the frontend even if it is an option in the list.
Select the IP address that you created in Reserving the load balancer's IP address, called cross-ref-ip-address.
Set the Port to 80.
Click Done.
For HTTPS:
If you are using HTTPS between the client and the load balancer, you need one or more SSL certificate resources to configure the proxy. For information about how to create SSL certificate resources, see SSL certificates. Google-managed certificates aren't currently supported with regional external Application Load Balancers.
Name: cross-ref-https-forwarding-rule
Protocol: HTTPS (includes HTTP/2)
Set the Subnetwork to lb-frontend-and-backend-subnet.
Don't select the proxy-only subnet for the frontend even if it is an option in the list.
Select the IP address that you created in Reserving the load balancer's IP address, called cross-ref-ip-address.
Ensure that the Port is set to 443 to allow HTTPS traffic.
Click the Certificate list.
To add certificate resources in addition to the primary SSL certificate resource:
Click Done.
Configure the backend. For the backend service, select cross-ref-backend-service.
For information about traffic management, see Setting up traffic management.
Review and finalize the configuration
After the load balancer is created, test the load balancer by using the steps described in Test the load balancer.
gcloud
Optional: Before creating a load balancer with cross-referencing backend services, find out whether the backend services you want to refer to can be referenced using a URL map:
gcloud compute backend-services list-usable \
    --region=us-west1 \
    --project=SERVICE_PROJECT_B_ID
Create the URL map and set the default service to the backend service created in service project B.
gcloud compute url-maps create URL_MAP_NAME \ --default-service=projects/SERVICE_PROJECT_B_ID/regions/us-west1/backendServices/BACKEND_SERVICE_NAME \ --region=us-west1 \ --project=SERVICE_PROJECT_A_ID
Replace the following:
URL_MAP_NAME
: the name for the URL map.BACKEND_SERVICE_NAME
: the name for the backend service created in service project B.SERVICE_PROJECT_B_ID
: the project ID for service project B, where the load balancer's backends and the backend service are created.SERVICE_PROJECT_A_ID
: the project ID for service project A, where the load balancer's frontend is being created.URL map creation fails if you don't have the compute.backendServices.use
permission for the backend service in service project B.
Create the target proxy.
For HTTP:
gcloud compute target-http-proxies create HTTP_TARGET_PROXY_NAME \ --url-map=URL_MAP_NAME \ --url-map-region=us-west1 \ --region=us-west1 \ --project=SERVICE_PROJECT_A_ID
Replace the following:
HTTP_TARGET_PROXY_NAME
: the name for the target HTTP proxy.For HTTPS:
Create a regional SSL certificate using the gcloud compute ssl-certificates create
command.
gcloud compute ssl-certificates create SSL_CERTIFICATE_NAME \
    --certificate=PATH_TO_CERTIFICATE \
    --private-key=PATH_TO_PRIVATE_KEY \
    --region=us-west1 \
    --project=SERVICE_PROJECT_A_ID
Replace the following:
SSL_CERTIFICATE_NAME: the name for the SSL certificate resource.
PATH_TO_CERTIFICATE: the path to the local SSL certificate file in PEM format.
PATH_TO_PRIVATE_KEY: the path to the local SSL certificate private key in PEM format.
Use the regional SSL certificate to create a target proxy with the gcloud compute target-https-proxies create command.
gcloud compute target-https-proxies create HTTPS_TARGET_PROXY_NAME \
    --url-map=URL_MAP_NAME \
    --region=us-west1 \
    --ssl-certificates=SSL_CERTIFICATE_NAME \
    --project=SERVICE_PROJECT_A_ID
Replace the following:
HTTPS_TARGET_PROXY_NAME: the name for the target HTTPS proxy.
Create the forwarding rule. For cross-project service referencing to work, the forwarding rule must use the same network (lb-network) from the Shared VPC host project that was used to create the backend service.
For HTTP:
gcloud compute forwarding-rules create HTTP_FORWARDING_RULE_NAME \
    --load-balancing-scheme=EXTERNAL_MANAGED \
    --network=projects/HOST_PROJECT_ID/global/networks/lb-network \
    --address=IP_ADDRESS_CROSS_REF \
    --ports=80 \
    --region=us-west1 \
    --target-http-proxy=HTTP_TARGET_PROXY_NAME \
    --target-http-proxy-region=us-west1 \
    --network-tier=STANDARD \
    --project=SERVICE_PROJECT_A_ID
Replace the following:
HTTP_FORWARDING_RULE_NAME: the name for the forwarding rule that is used to handle HTTP traffic.
For HTTPS:
gcloud compute forwarding-rules create HTTPS_FORWARDING_RULE_NAME \
    --load-balancing-scheme=EXTERNAL_MANAGED \
    --network=projects/HOST_PROJECT_ID/global/networks/lb-network \
    --address=IP_ADDRESS_CROSS_REF \
    --ports=443 \
    --region=us-west1 \
    --target-https-proxy=HTTPS_TARGET_PROXY_NAME \
    --target-https-proxy-region=us-west1 \
    --network-tier=STANDARD \
    --project=SERVICE_PROJECT_A_ID
Replace the following:
HTTPS_FORWARDING_RULE_NAME: the name for the forwarding rule that is used to handle HTTPS traffic.
To test the load balancer, use the steps described in Test the load balancer.
If you want load balancers to reference backend services in other service projects, the Load Balancer Admin must have the compute.backendServices.use permission. To grant this permission, you can use the predefined IAM role called Compute Load Balancer Services User (roles/compute.loadBalancerServiceUser). This role must be granted by the Service Project Admin and can be applied at the project level or at the individual backend service level.
This step is not required if you already granted the required permissions at the backend service level while creating the backend service. You can either skip this section or continue reading to learn how to grant access to all the backend services in this project so that you don't have to grant access every time you create a new backend service.
In this example, a Service Project Admin from service project B must run one of the following commands to grant the compute.backendServices.use permission to a Load Balancer Admin from service project A. This can be done either at the project level (for all backend services in the project) or per backend service.
Use the following steps to grant permissions to all backend services in your project.
You require the compute.regionBackendServices.setIamPolicy and the resourcemanager.projects.setIamPolicy permissions to complete this step.
In the Google Cloud console, go to the IAM page.
Select your project.
Click Grant access.
In the New principals field, enter the principal's email address or other identifier.
In the Select a role list, select the Compute Load Balancer Services User.
Optional: Add a condition to the role.
Click Save.
Use the following steps to grant permissions to individual backend services in your project.
You require the compute.regionBackendServices.setIamPolicy permission to complete this step.
In the Google Cloud console, go to the Backends page.
From the backends list, select the backend service that you want to grant access to and click Permissions.
Click Add principal.
In the New principals field, enter the principal's email address or other identifier.
In the Select a role list, select the Compute Load Balancer Services User.
Click Save.
Use the following steps to grant permissions to all backend services in your project.
You require the compute.regionBackendServices.setIamPolicy and the resourcemanager.projects.setIamPolicy permissions to complete this step.
gcloud projects add-iam-policy-binding SERVICE_PROJECT_B_ID \
    --member="user:LOAD_BALANCER_ADMIN" \
    --role="roles/compute.loadBalancerServiceUser"
Resource-level permissions for individual backend services
At the backend service level, Service Project Admins can use either of the following commands to grant the Compute Load Balancer Services User role (roles/compute.loadBalancerServiceUser).
You require the compute.regionBackendServices.setIamPolicy permission to complete this step.
gcloud projects add-iam-policy-binding SERVICE_PROJECT_B_ID \
    --member="user:LOAD_BALANCER_ADMIN" \
    --role="roles/compute.loadBalancerServiceUser" \
    --condition='expression=resource.name=="projects/SERVICE_PROJECT_B_ID/regions/us-west1/backend-services/BACKEND_SERVICE_NAME",title=Shared VPC condition'
or
gcloud compute backend-services add-iam-policy-binding BACKEND_SERVICE_NAME \
    --member="user:LOAD_BALANCER_ADMIN" \
    --role="roles/compute.loadBalancerServiceUser" \
    --project=SERVICE_PROJECT_B_ID \
    --region=us-west1
To use these commands, replace LOAD_BALANCER_ADMIN with the user's principal, for example test-user@gmail.com.
You can also configure IAM permissions so that they only apply to a subset of regional backend services by using conditions and specifying condition attributes.
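To make the scope difference between the three grant styles concrete, here is an added example (not Google's code or tooling) that models simplified IAM policies and reports which regional backend services a Load Balancer Admin could reference under each one. It understands only an unconditional binding and a condition of the exact form resource.name=="<full name>" (real IAM conditions are CEL expressions, and policies inherited from folders or the organization are not modelled); the project IDs, principals and backend service names are constructed for the example.

```python
"""Model the three grant styles for roles/compute.loadBalancerServiceUser and
report which regional backend services a principal could reference.

Added example, not Google's code. Simplified model: only unconditional
bindings and conditions of the exact form resource.name=="<full name>" are
understood; folder/organization inheritance is not modelled. All project
IDs, principals and service names are constructed.
"""
import re

ROLE = "roles/compute.loadBalancerServiceUser"
_COND_RE = re.compile(r'^\s*resource\.name\s*==\s*"([^"]+)"\s*$')


def backend_service_name(project, region, name):
    """Full resource name in the form used by the --condition example above."""
    return f"projects/{project}/regions/{region}/backend-services/{name}"


def binding_matches(binding, member, resource_name):
    """True if one binding grants ROLE on resource_name to member."""
    if binding.get("role") != ROLE or member not in binding.get("members", []):
        return False
    cond = binding.get("condition")
    if cond is None:
        # Unconditional: applies to everything under the resource the policy
        # is attached to (every current and future backend service when the
        # policy is the project's).
        return True
    m = _COND_RE.match(cond["expression"])
    if not m:
        raise ValueError(f"unsupported condition expression: {cond['expression']!r}")
    return m.group(1) == resource_name


def can_reference(project_policy, service_policies, member, resource_name):
    """Check the project-level policy first, then the backend service's own policy."""
    if any(binding_matches(b, member, resource_name) for b in project_policy["bindings"]):
        return True
    own = service_policies.get(resource_name, {"bindings": []})
    return any(binding_matches(b, member, resource_name) for b in own["bindings"])


def referenceable_services(project_policy, service_policies, member, services):
    return sorted(s for s in services if can_reference(project_policy, service_policies, member, s))


# --- constructed sample data ------------------------------------------------
PROJECT_B = "service-project-b"
REGION = "us-west1"
LB_ADMIN = "user:lb-admin@example.com"        # Load Balancer Admin from service project A
OTHER_USER = "user:someone-else@example.com"  # a principal with no grant

SVC_EXISTING = backend_service_name(PROJECT_B, REGION, "cross-ref-backend-service")
SVC_LATER = backend_service_name(PROJECT_B, REGION, "backend-service-created-later")
ALL_SERVICES = [SVC_EXISTING, SVC_LATER]

# 1. Project-level, unconditional (add-iam-policy-binding without --condition)
PROJECT_WIDE = {"bindings": [{"role": ROLE, "members": [LB_ADMIN]}]}

# 2. Project-level with a resource.name condition (the --condition form above)
CONDITIONAL = {"bindings": [{
    "role": ROLE,
    "members": [LB_ADMIN],
    "condition": {"title": "Shared VPC condition",
                  "expression": f'resource.name=="{SVC_EXISTING}"'},
}]}

# 3. Binding on the backend service itself (backend-services add-iam-policy-binding)
EMPTY_PROJECT = {"bindings": []}
PER_SERVICE = {SVC_EXISTING: {"bindings": [{"role": ROLE, "members": [LB_ADMIN]}]}}


def compare_grant_styles():
    """Which of ALL_SERVICES LB_ADMIN can reference under each grant style."""
    return {
        "project_wide": referenceable_services(PROJECT_WIDE, {}, LB_ADMIN, ALL_SERVICES),
        "conditional": referenceable_services(CONDITIONAL, {}, LB_ADMIN, ALL_SERVICES),
        "per_service": referenceable_services(EMPTY_PROJECT, PER_SERVICE, LB_ADMIN, ALL_SERVICES),
    }


if __name__ == "__main__":
    for style, services in compare_grant_styles().items():
        print(f"{style}: {[s.rsplit('/', 1)[1] for s in services]}")
```

Only the project-wide style covers backend-service-created-later; the conditional and per-service styles stay pinned to the one service named at grant time, which is the least-privilege trade-off the section describes.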
To see URL maps referencing a particular Shared VPC backend service, follow these steps:
gcloud
To see resources referencing a regional Shared VPC backend service, run the following command:
gcloud compute backend-services describe BACKEND_SERVICE_NAME \
    --region REGION
Replace the following:
BACKEND_SERVICE_NAME: the name of the load balancer backend service.
REGION: the region of the load balancer.
In the command output, review the usedBy field, which displays the resources referencing the backend service, as shown in the following example:
id: '123456789'
kind: compute#backendService
loadBalancingScheme: INTERNAL_MANAGED
...
usedBy:
- reference: https://www.googleapis.com/compute/v1/projects/my-project/region/us-central1/urlMaps/my-url-map
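Before revoking the Compute Load Balancer Services User role or changing a backend service, it is useful to know which URL maps, and in which projects, still depend on it. The following added example (not Google's code) parses the usedBy section of the describe output shown above with a small line-oriented reader, so it needs no YAML library, and lists the references that come from a project other than the one that owns the backend service. The describe output, project IDs and resource names in it are constructed for the example.

```python
"""List URL maps referencing a regional backend service, from the usedBy
field of `gcloud compute backend-services describe`, and flag the ones
owned by another project.

Added example, not Google's code. The parser only reads the selfLink and
usedBy entries of the YAML that gcloud prints. The sample output below is
constructed; project IDs and resource names are placeholders.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_DESCRIBE_OUTPUT = """\
id: '123456789'
kind: compute#backendService
loadBalancingScheme: EXTERNAL_MANAGED
name: cross-ref-backend-service
region: https://www.googleapis.com/compute/v1/projects/service-project-b/regions/us-west1
selfLink: https://www.googleapis.com/compute/v1/projects/service-project-b/regions/us-west1/backendServices/cross-ref-backend-service
usedBy:
- reference: https://www.googleapis.com/compute/v1/projects/service-project-a/regions/us-west1/urlMaps/cross-ref-url-map
- reference: https://www.googleapis.com/compute/v1/projects/service-project-b/regions/us-west1/urlMaps/local-url-map
"""

# projects/<project>/regions/<region>/<type>/<name>  or  projects/<project>/global/<type>/<name>
_RESOURCE_RE = re.compile(r"projects/([^/]+)/(?:regions/([^/]+)|global)/([^/]+)/([^/\s]+)$")


@dataclass(frozen=True)
class Reference:
    project: str
    region: Optional[str]   # None for global resources
    resource_type: str      # e.g. urlMaps
    name: str


def parse_resource_url(url: str) -> Reference:
    """Split a Compute Engine resource URL into its project/region/type/name."""
    m = _RESOURCE_RE.search(url)
    if not m:
        raise ValueError(f"unrecognised Compute Engine resource URL: {url!r}")
    project, region, rtype, name = m.groups()
    return Reference(project, region, rtype, name)


def parse_describe(text: str) -> Tuple[Optional[str], List[Reference]]:
    """Return (project that owns the backend service, referencing resources)."""
    owner = None
    refs: List[Reference] = []
    in_used_by = False
    for line in text.splitlines():
        if line.startswith("selfLink:"):
            owner = parse_resource_url(line.split(":", 1)[1].strip()).project
        elif line.startswith("usedBy:"):
            in_used_by = True
        elif in_used_by:
            if line.startswith("- reference:"):
                refs.append(parse_resource_url(line.split(":", 1)[1].strip()))
            elif line and not line[0].isspace():
                in_used_by = False   # the next top-level key ends the list
    return owner, refs


def cross_project_references(text: str) -> List[Reference]:
    """References owned by a project other than the backend service's own."""
    owner, refs = parse_describe(text)
    if owner is None:
        raise ValueError("describe output has no selfLink; cannot determine owning project")
    return [r for r in refs if r.project != owner]


if __name__ == "__main__":
    for r in cross_project_references(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{r.resource_type}/{r.name} in project {r.project} references this backend service")
```

Run it against real output by piping the describe command into the script and passing sys.stdin.read() to cross_project_references; an empty result means no load balancer outside the owning project depends on the backend service.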