Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://cloud.google.com/iap/docs/load-balancer-howto below:

Setting up an external Application Load Balancer | Identity-Aware Proxy

Stay organized with collections Save and categorize content based on your preferences.

External Application Load Balancers with Identity-Aware Proxy (IAP) are supported with the following backend types:

• Instance groups
• Zonal network endpoint groups (NEGs)
• Serverless NEGs: One or more Cloud Run services
• Internet NEGs, for endpoints that are outside of Google Cloud (also known as custom origins)
• Hybrid Connectivity NEGs, for endpoints that extend beyond Google Cloud, such as on-premises data centers and other public clouds that you can use hybrid connectivity to reach.
• Private Service Connect NEG, endpoint that resolves to one of the following:
  • A Google-managed regional API endpoint
  • A managed service published using Private Service Connect

This setup guide shows you how to create an external Application Load Balancer with a

backend with IAP enabled.

For general concepts, see the External Application Load Balancer overview.

If you are an existing user of the classic Application Load Balancer, make sure that you review Migration overview when you plan a new deployment with the global external Application Load Balancer.

For an HTTPS load balancer, you create the configuration shown in the following diagram.

For an HTTP load balancer, you create the configuration shown in the following diagram.

The sequence of events in the diagrams are as follows:

1. A client sends a content request to the external IPv4 address defined in the forwarding rule.

2. For an HTTPS load balancer, the forwarding rule directs the request to the target HTTPS proxy.

   For an HTTP load balancer, the forwarding rule directs the request to the target HTTP proxy.

3. The target proxy uses the rule in the URL map to determine that the single backend service receives all requests.

4. The load balancer determines that the backend service has only one instance group and directs the request to a virtual machine (VM) instance in that group.

5. The VM serves the content requested by the user.

Complete the following steps before you create the load balancer.

For an HTTPS load balancer, create an SSL certificate resource as described in the following:

• Using self-managed SSL certificates
• Using Google-managed SSL certificates

We recommend using a Google-managed certificate.

This example assumes that you already have an SSL certificate resource named www-ssl-cert.

To complete the steps in this guide, you must have permission to create Compute Engine instances, firewall rules, and reserved IP addresses in a project. You must have either a project owner or editor role, or you must have the following Compute Engine IAM roles.

For more information, see the following guides:

• Access control
• IAM Conditions

To create the example network and subnet, follow these steps.

1. In the Google Cloud console, go to the VPC networks page.

   Go to VPC networks

2. Click Create VPC network.

3. Enter a Name for the network.

4. For the Subnet creation mode, choose Custom.

5. In the New subnet section, configure the following fields:

   1. Provide a Name for the subnet.
   2. Select a Region.
   3. For IP stack type, select IPv4 (single-stack).
   4. Enter an IP address range. This is the primary IPv4 range for the subnet.

6. Click Done.

7. To add a subnet in a different region, click Add subnet and repeat the previous steps.

8. Click Create.

1. Create the custom mode VPC network:

   gcloud compute networks create NETWORK \
       --subnet-mode=custom
   

2. Within the network, create a subnet for backends:

   gcloud compute networks subnets create SUBNET \
       --network=NETWORK \
       --stack-type=IPV4_ONLY \
       --range=10.1.2.0/24 \
       --region=REGION
   

   Replace the following:

   • NETWORK: a name for the VPC network.

   • SUBNET: a name for the subnet.

   • REGION: the name of the region.

To set up a load balancer with a Compute Engine backend, your VMs need to be in an instance group. This guide describes how to create a managed instance group with Linux VMs that have Apache running, and then set up load balancing. A managed instance group creates each of its managed instances based on the instance templates that you specify.

The managed instance group provides VMs running the backend servers of an external HTTP(S) load balancer. For demonstration purposes, backends serve their own hostnames.

Before you create a managed instance group, create an instance template.

To support IPv4 traffic, use the following steps:

1. In the Google Cloud console, go to the Instance templates page.

   Go to Instance templates

2. Click Create instance template.

3. For Name, enter lb-backend-template.

4. Ensure that the Boot disk is set to a Debian image, such as Debian GNU/Linux 12 (bookworm). These instructions use commands that are only available on Debian, such as apt-get.

5. Expand Advanced options.

6. Expand Networking and configure the following fields:

   1. For Network tags, enter allow-health-check.
   2. In the Network interfaces section, click editEdit and make the following changes:
      • Network: NETWORK
      • Subnet: SUBNET
      • IPv4 traffic: IPv4 (single-stack)
   3. Click Done.

7. Expand Management. In the Startup script field, enter the following script:

   #! /bin/bash
   apt-get update
   apt-get install apache2 -y
   a2ensite default-ssl
   a2enmod ssl
   vm_hostname="$(curl -H "Metadata-Flavor:Google" \
   http://metadata.google.internal/computeMetadata/v1/instance/name)"
   echo "Page served from: $vm_hostname" | \
   tee /var/www/html/index.html
   systemctl restart apache2
   

8. Click Create.

To support IPv4 traffic, run the following command:

gcloud compute instance-templates create TEMPLATE_NAME \
  --region=REGION \
  --network=NETWORK \
  --subnet=SUBNET \
  --stack-type=IPV4_ONLY \
  --tags=allow-health-check \
  --image-family=debian-12 \
  --image-project=debian-cloud \
  --metadata=startup-script='#! /bin/bash
    apt-get update
    apt-get install apache2 -y
    a2ensite default-ssl
    a2enmod ssl
    vm_hostname="$(curl -H "Metadata-Flavor:Google" \
    http://metadata.google.internal/computeMetadata/v1/instance/name)"
    echo "Page served from: $vm_hostname" | \
    tee /var/www/html/index.html
    systemctl restart apache2'

To create the instance template, use the google_compute_instance_template resource.

Create the managed instance group and select the instance template.

1. In the Google Cloud console, go to the Instance groups page.

   Go to Instance groups

2. Click Create instance group.

3. On the left, choose New managed instance group (stateless).

4. For Name, enter lb-backend-example.

5. Under Location, select Single zone.

6. For Region, select your preferred region.

7. For Zone, select a zone.

8. Under Instance template, select the instance template lb-backend-template.

9. For Autoscaling mode, select On: add and remove instances to the group.

   Set Minimum number of instances to 2, and set Maximum number of instances to 2 or more.

10. To create the new instance group, click Create.

1. Create the managed instance group based on the template.

   gcloud compute instance-groups managed create lb-backend-example \
      --template=TEMPLATE_NAME --size=2 --zone=ZONE_A
   

To create the managed instance group, use the google_compute_instance_group_manager resource.

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

For your instance group, define an HTTP service and map a port name to the relevant port. The load balancing service forwards traffic to the named port. For more information, see Named ports.

1. In the Google Cloud console, go to the Instance groups page.

   Go to Instance groups

2. Click lb-backend-example.

3. On the instance group's Overview page, click editEdit.

4. In the Port mapping section, click Add port.

   1. For the port name, enter http. For the port number, enter 80.

5. Click Save.

Use the gcloud compute instance-groups set-named-ports command.

gcloud compute instance-groups set-named-ports lb-backend-example \
    --named-ports http:80 \
    --zone ZONE_A

The named_port attribute is included in the managed instance group sample.

In this example, you create the fw-allow-health-check firewall rule. This is an ingress rule that allows traffic from the Google Cloud health checking systems (130.211.0.0/22 and 35.191.0.0/16). This example uses the target tag allow-health-check to identify the VMs.

1. In the Google Cloud console, go to the Firewall policies page.

   Go to Firewall policies

2. Click Create firewall rule to create the firewall rule.

3. For Name, enter fw-allow-health-check.

4. Select a Network.

5. Under Targets, select Specified target tags.

6. Populate the Target tags field with allow-health-check.

7. Set Source filter to IPv4 ranges.

8. Set Source IPv4 ranges to 130.211.0.0/22 and 35.191.0.0/16.

9. Under Protocols and ports, select Specified protocols and ports.

10. Select the TCP checkbox, and then type 80 for the port numbers.

11. Click Create.

gcloud compute firewall-rules create fw-allow-health-check \
    --network=NETWORK \
    --action=allow \
    --direction=ingress \
    --source-ranges=130.211.0.0/22,35.191.0.0/16 \
    --target-tags=allow-health-check \
    --rules=tcp:80

To create the firewall rule, use the google_compute_firewall resource.

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

Now that your instances are up and running, set up a global static external IP address that your customers use to reach your load balancer.

1. In the Google Cloud console, go to the External IP addresses page.

   Go to External IP addresses

2. To reserve an IPv4 address, click Reserve external static IP address.

3. For Name, enter lb-ipv4-1.

4. Set Network Service Tier to Premium.

5. Set IP version to IPv4.

6. Set Type to Global.

7. Click Reserve.

gcloud compute addresses create lb-ipv4-1 \
    --ip-version=IPV4 \
    --network-tier=PREMIUM \
    --global

Note the IPv4 address that was reserved:

gcloud compute addresses describe lb-ipv4-1 \
    --format="get(address)" \
    --global

To reserve the IP address, use the google_compute_global_address resource.

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

In this example, you are using HTTPS (frontend) between the client and the load balancer. For HTTPS, you need one or more SSL certificate resources to configure the proxy. We recommend using a Google-managed certificate.

Even if you're using HTTPS on the frontend, you can use HTTP on the backend. Google automatically encrypts traffic between Google Front Ends (GFEs) and your backends that reside within Google Cloud VPC networks.

1. In the Google Cloud console, go to the Load balancing page.

   Go to Load balancing

2. Click Create load balancer.
3. For Type of load balancer, select Application Load Balancer (HTTP/HTTPS) and click Next.
4. For Public facing or internal, select Public facing (external) and click Next.
5. For Global or single region deployment, select Best for global workloads and click Next.
6. For Load balancer generation, select Classic Application Load Balancer and click Next.
7. Click Configure.

Basic configuration

For the load balancer Name, enter something like web-map-https or web-map-http.

Frontend configuration

1. Click Frontend configuration.
2. Set Protocol to HTTPS.
3. Select IPv4 for IPv4 traffic. Set IP address to lb-ipv4-1, which you created earlier.
4. Set Port to 443.
5. Click Certificate, and select your primary SSL certificate.
6. Optional: Create an SSL policy:
   1. In the SSL policy list, select Create a policy.
   2. Set the name of the SSL policy to my-ssl-policy.
   3. For Minimum TLS Version, select TLS 1.0.
   4. For Profile, select Modern. The Enabled features and Disabled features are displayed.
   5. Click Save.
   If you have not created any SSL policies, a default SSL policy is applied.
7. Optional: Select the Enable HTTP to HTTPS Redirect checkbox to enable redirects.

   Enabling this checkbox creates an additional partial HTTP load balancer that uses the same IP address as your HTTPS load balancer and redirects incoming HTTP requests to your load balancer's HTTPS frontend.

   This checkbox can only be selected when the HTTPS protocol is selected and a reserved IP address is used.

8. Click Done.

Backend configuration

1. Click Backend configuration.
2. Under Create or select backend services & backend buckets, select Backend services > Create a backend service.
3. Add a name for your backend service, such as web-backend-service.
4. Under Protocol, select HTTP.
5. For the Named Port, enter http.
6. In Backends > New backend > Instance group, select your instance group, lb-backend-example.
7. For the Port numbers, enter 80.
8. Retain the other default settings.
9. Under Health check, select Create a health check, and then add a name for your health check, such as http-basic-check.
10. Set the protocol to HTTP, and then click Save.

11. Optional: Configure a default backend security policy. The default security policy throttles traffic over a user-configured threshold. For more information about default security policies, see the Rate limiting overview.

    1. To opt out of the Google Cloud Armor default security policy, select None in the backend security policy list menu.
    2. In the Security section, select Default security policy.
    3. In the Policy name field, accept the automatically generated name or enter a name for your security policy.
    4. In the Request count field, accept the default request count or enter an integer between 1 and 10,000.
    5. In the Interval field, select an interval.
    6. In the Enforce on key field, choose one of the following values: All, IP address, or X-Forwarded-For IP address. For more information about these options, see Identifying clients for rate limiting.
12. Retain the other default settings.
13. Click Create.

Host and path rules

For Host and path rules, retain the default settings.

Review and finalize

1. Click Review and finalize.
2. Review your load balancer configuration settings.
3. Optional: Click Equivalent code to view the REST API request that will be used to create the load balancer.
4. Click Create.

Wait for the load balancer to be created.

If you created an HTTPS load balancer and selected the Enable HTTP to HTTPS Redirect checkbox, you will also see an HTTP load balancer created with a -redirect suffix.

1. Click the name of the load balancer.
2. On the Load balancer details screen, note the IP:Port for your load balancer.

1. Create a health check.

    gcloud compute health-checks create http http-basic-check \
        --port 80
    

2. Create a backend service.

   gcloud compute backend-services create web-backend-service \
       --load-balancing-scheme=EXTERNAL \
       --protocol=HTTP \
       --port-name=http \
       --health-checks=http-basic-check \
       --global
   

3. Add your instance group as the backend to the backend service.

   gcloud beta compute backend-services add-backend web-backend-service \
     --instance-group=lb-backend-example \
     --instance-group-zone=ZONE_A \
     --global
   

4. For HTTP, create a URL map to route the incoming requests to the default backend service.

   gcloud beta compute url-maps create web-map-http \
     --default-service web-backend-service
   

5. For HTTPS, create a URL map to route the incoming requests to the default backend service.

   gcloud beta compute url-maps create web-map-https \
     --default-service web-backend-service
   

Set up an HTTPS frontend

Skip this section for HTTP load balancers.

1. For HTTPS, if you haven't already done so, create the global SSL certificate resource, as shown in the following sections:
• Creating a Google-managed SSL certificate resource
• Creating a self-managed SSL certificate resource

2. For HTTPS, create a target HTTPS proxy to route requests to your URL map. The proxy is the portion of the load balancer that holds the SSL certificate for an HTTPS load balancer, so you also load your certificate in this step.

   gcloud compute target-https-proxies create https-lb-proxy \
     --url-map=web-map-https \
     --ssl-certificates=www-ssl-cert
   

3. For HTTPS, create a global forwarding rule to route incoming requests to the proxy.

   gcloud compute forwarding-rules create https-content-rule \
     --load-balancing-scheme=EXTERNAL \
     --network-tier=PREMIUM \
     --address=lb-ipv4-1 \
     --global \
     --target-https-proxy=https-lb-proxy \
     --ports=443
   

4. Optional: For HTTPS, create a global SSL policy and attach it to the HTTPS proxy.
   To create a global SSL policy:

   gcloud compute ssl-policies create my-ssl-policy \
     --profile MODERN \
     --min-tls-version 1.0
   

   To attach the SSL policy to the global target HTTPS proxy:

   gcloud compute target-https-proxies update https-lb-proxy \
     --ssl-policy my-ssl-policy
   

Set up an HTTP frontend

Skip this section for HTTPS load balancers.

1. For HTTP, create a target HTTP proxy to route requests to your URL map.

   gcloud compute target-http-proxies create http-lb-proxy \
     --url-map=web-map-http
   

2. For HTTP, create a global forwarding rule to route incoming requests to the proxy.

   gcloud compute forwarding-rules create http-content-rule \
     --load-balancing-scheme=EXTERNAL \
     --address=lb-ipv4-1 \
     --global \
     --target-http-proxy=http-lb-proxy \
     --ports=80
   

1. To create the health check, use the google_compute_health_check resource.

2. To create the backend service, use the google_compute_backend_service resource.

   This example uses load_balancing_scheme="EXTERNAL_MANAGED", which sets up a global external Application Load Balancer with advanced traffic management capability. To create a classic Application Load Balancer, make sure you change the load_balancing_scheme to EXTERNAL before running the script.

3. To create the URL map, use the google_compute_url_map resource.

4. To create the target HTTP proxy, use the google_compute_target_http_proxy resource.

5. To create the forwarding rule, use the google_compute_global_forwarding_rule resource.

   This example uses load_balancing_scheme="EXTERNAL_MANAGED", which sets up a global external Application Load Balancer with advanced traffic management capability. To create a classic Application Load Balancer, make sure you change the load_balancing_scheme to EXTERNAL before running the script.

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

Note: IAP isn't compatible with Cloud CDN.

You can configure IAP to be enabled or disabled (default). If enabled, you must provide values for oauth2-client-id and oauth2-client-secret.

To enable IAP, update the backend service to include the --iap=enabled flag with the oauth2-client-id and oauth2-client-secret.

gcloud compute backend-services update BACKEND_SERVICE_NAME \
    --iap=enabled,oauth2-client-id=ID,oauth2-client-secret=SECRET \
    --global

Optionally, you can enable IAP for a Compute Engine resource by using the Google Cloud console, gcloud CLI, or API.

After the load balancer is created, note the IP address that is associated with the load balancer—for example, 30.90.80.100. To point your domain to your load balancer, create an A record by using your domain registration service. If you added multiple domains to your SSL certificate, you must add an A record for each one, all pointing to the load balancer's IP address. For example, to create A records for www.example.com and example.com, use the following:

NAME                  TYPE     DATA
www                   A        30.90.80.100
@                     A        30.90.80.100

If you use Cloud DNS as your DNS provider, see Add, modify, and delete records.

Now that the load balancing service is running, you can send traffic to the forwarding rule and watch the traffic be dispersed to different instances.

1. In the Google Cloud console, go to the Load balancing page.

   Go to Load balancing

2. Click the load balancer that you just created.

3. In the Backend section, confirm that the VMs are healthy. The Healthy column should be populated, indicating that both VMs are healthy (2/2). If you see otherwise, first try reloading the page. It can take a few moments for the Google Cloud console to indicate that the VMs are healthy. If the backends do not appear healthy after a few minutes, review the firewall configuration and the network tag assigned to your backend VMs.

4. For HTTPS, if you are using a Google-managed certificate, confirm that your certificate resource's status is ACTIVE. For more information, see Google-managed SSL certificate resource status.
5. After the Google Cloud console shows that the backend instances are healthy, you can test your load balancer using a web browser by going to https://IP_ADDRESS (or http://IP_ADDRESS). Replace IP_ADDRESS with the load balancer's IP address.
6. If you used a self-signed certificate for testing HTTPS, your browser displays a warning. You must explicitly instruct your browser to accept a self-signed certificate.
7. Your browser should render a page with content showing the name of the instance that served the page, along with its zone (for example, Page served from: lb-backend-example-xxxx). If your browser doesn't render this page, review the configuration settings in this guide.

gcloud compute addresses describe lb-ipv4-1 \
   --format="get(address)" \
   --global

After a few minutes have passed, you can test the setup by running the following curl command.

curl http://IP_ADDRESS

-OR-

curl https://HOSTNAME

• Read about enabling Cloud Load Balancing for GKE
• Learn more about instance groups.
• Read about load balancing and scaling.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-07-02 UTC.

[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-07-02 UTC."],[[["External Application Load Balancers support various backend types, including instance groups, zonal network endpoint groups (NEGs), serverless NEGs, Internet NEGs, hybrid connectivity NEGs, and Private Service Connect NEGs, excluding backend buckets."],["The setup guide demonstrates creating an external Application Load Balancer with a Compute Engine managed instance group backend, where you can choose between HTTP or HTTPS load balancer."],["Before configuring the load balancer, users must set up an SSL certificate resource for HTTPS load balancers, configure necessary permissions, and establish the network and subnets."],["A managed instance group is required for Compute Engine backends and is created using an instance template that defines the configurations for each VM, such as network tags and startup scripts."],["Identity-Aware Proxy (IAP) can be enabled on the external Application Load Balancer by updating the backend service with the necessary client ID and secret, while also noting it is incompatible with Cloud CDN."]]],[]]

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4