Request routing to a multi-region classic Application Load Balancer

This guide demonstrates how to create a Google Cloud HTTPS load balancer that:

  • Selects backend services based on the request URL paths.
  • Routes requests to backends that are close to the clients (multi-region load balancing).

Before you start, make sure that you are familiar with External Application Load Balancer concepts.

For a simplified example, see Setting up an external Application Load Balancer with a Compute Engine backend. For advanced routing, such as HTTP rewrites and redirects, see Traffic management for external Application Load Balancers.

Overview

This guide provides instructions for creating a load balancer that directs traffic based on the path in the request URL and balances traffic across multiple regions. You create a total of eight Compute Engine instances in the US (zone us-central1-b) and EU (zone europe-west1-b) regions. You then create a load balancer that routes traffic to these instances.

After you complete the instructions, your load balancer is configured as follows:

  • Traffic containing a URL path that starts with /video is routed to one backend service.
  • Traffic with a URL path that doesn't match this pattern is routed to another backend service.

In this how-to document, you create the configuration that is illustrated in the following diagram:

Multi-regional HTTPS Load Balancing

The sequence of events in the diagram is:

  1. A client accesses the https://www.example.com/video/concert URL, sending a content request to the external IP address defined in the forwarding rule. The request can use IPv4 or IPv6; there are forwarding rules for both protocols.
  2. A forwarding rule directs the request to the target HTTPS proxy.
  3. The target proxy uses the rules set out in the URL map to determine which backend service receives the request. A request whose URL path starts with /video, like https://www.example.com/video/concert, is sent to video-backend-service. Any other URL path is sent to the default service, web-backend-service.
  4. The load balancer determines which of the backend service's instance groups should serve the request, based on their load and proximity to the client, and directs the request to an instance in that group.
  5. The instance serves the content requested by each user. The video instances serve video content, while the www instances serve all other content.

In this example, the load balancer accepts HTTPS requests from clients and proxies these requests as HTTP to the backends. You can also configure a load balancer to accept HTTP requests, as well as to use HTTPS when proxying requests to backends.

Before you begin

These instructions require a project. If you do not already have a project, set one up now. These instructions guide you through creating a custom mode Virtual Private Cloud (VPC) network. You must also set up custom firewall rules to allow traffic to reach the instances.

If you prefer to work from the command line, install the gcloud command-line tool. See gcloud Overview for conceptual and installation information about the tool.

Permissions

To complete the steps in this guide, you must have permission to create Compute Engine instances in a project. You must have either a project owner or editor role, or you must have the following Compute Engine IAM roles:

Task                               Required role
Create instances                   Compute Instance Admin
Add and remove firewall rules      Security Admin
Create load balancer components    Network Admin
Create a project (Optional)        Project Creator

For more information, see the following guides:

Setup

Optional: Creating a new project

We recommend that users with the resourcemanager.projects.create permission create a new project before following the rest of this how-to. This simplifies cleanup at the end of the guide.

Configuring a network and subnets

In this example, use the following VPC network, regions, and subnets:

  • Network: The network is a custom mode VPC network named lb-network.

  • Subnets in two different regions:

    • us-subnet uses 10.1.10.0/24 for its primary IP range and is located in the us-central1 region.
    • eu-subnet uses 10.1.11.0/24 for its primary IP range and is located in the europe-west1 region.

To create the example network and subnet, follow these steps:

Console

  1. In the Google Cloud console, go to the VPC networks page.

  2. Click Create VPC network.

  3. Enter a Name of lb-network.

  4. In the Subnets section, create the first subnet:

    • Set the Subnet creation mode to Custom.
    • In the New subnet section, enter the following information:
      • Name: us-subnet
      • Region: us-central1
      • IP address range: 10.1.10.0/24
      • Click Done.
  5. Still in the Subnets section, click Add subnet and create the second subnet:

    • In the New subnet section, enter the following information:
      • Name: eu-subnet
      • Region: europe-west1
      • IP address range: 10.1.11.0/24
      • Click Done.
  6. Click Create.

gcloud

  1. Create the custom VPC network:

    gcloud compute networks create lb-network --subnet-mode=custom
    
  2. Create the us-subnet:

    gcloud compute networks subnets create us-subnet \
      --network=lb-network \
      --range=10.1.10.0/24 \
      --region=us-central1
    
  3. Create the eu-subnet:

    gcloud compute networks subnets create eu-subnet \
      --network=lb-network \
      --range=10.1.11.0/24 \
      --region=europe-west1
    

Configuring firewall rules

The default deny ingress rule blocks incoming traffic to the backend instances, including traffic from the load balancer and Google Cloud health checking systems. You must create new firewall rules to override the default rule and allow traffic to reach your instances.

In this example, you create the following firewall rules:

  • fw-allow-ssh: An ingress rule, applicable to the instances being load balanced, that allows incoming SSH connectivity on TCP port 22 from any address. You can choose a more restrictive source IP range for this rule; for example, you can specify just the IP ranges of the systems from which you will initiate SSH sessions. This example uses the target tag allow-ssh to identify the backend VMs to which it should apply.

  • fw-allow-health-check-and-proxy: An ingress rule, applicable to the instances being load balanced, that allows traffic from the load balancer and Google Cloud health checking systems (130.211.0.0/22 and 35.191.0.0/16). This example uses the target tag allow-health-check to identify the backend VMs to which it should apply.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

  2. Click Create firewall rule to create the first firewall rule:

    1. Enter a Name of fw-allow-ssh.
    2. Under Network, select lb-network.
    3. Under Targets, select Specified target tags.
    4. Populate the Target tags field with allow-ssh.
    5. Set Source filter to IPv4 ranges.
    6. Set Source IPv4 ranges to 0.0.0.0/0.
    7. Under Protocols and ports, select Specified protocols and ports.
    8. Select the TCP checkbox and enter 22 for the port number.
    9. Click Create.
  3. Click Create firewall rule to create the second firewall rule:

    1. Enter a Name of fw-allow-health-check-and-proxy.
    2. Under Network, select lb-network.
    3. Under Targets, select Specified target tags.
    4. Populate the Target tags field with allow-health-check.
    5. Set Source filter to IPv4 ranges.
    6. Set Source IPv4 ranges to 130.211.0.0/22 and 35.191.0.0/16.
    7. Under Protocols and ports, select Specified protocols and ports.
    8. Select the TCP checkbox and enter 80,443 for the port numbers.
    9. Click Create.

gcloud

  1. Create the fw-allow-ssh firewall rule to allow SSH connectivity to VMs with the network tag allow-ssh. When you omit source-ranges, Google Cloud interprets the rule to mean any source.

    gcloud compute firewall-rules create fw-allow-ssh \
        --network=lb-network \
        --action=allow \
        --direction=ingress \
        --target-tags=allow-ssh \
        --rules=tcp:22
    
  2. Create the fw-allow-health-check-and-proxy rule to allow the load balancer and Google Cloud health checks to communicate with backend instances on TCP ports 80 and 443:

    gcloud compute firewall-rules create fw-allow-health-check-and-proxy \
        --network=lb-network \
        --action=allow \
        --direction=ingress \
        --target-tags=allow-health-check \
        --source-ranges=130.211.0.0/22,35.191.0.0/16 \
        --rules=tcp:80,tcp:443
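
An added example, not part of the original guide: a Python check that reads firewall rules in the JSON shape printed by `gcloud compute firewall-rules list --format=json` and reports rules that expose the backend VMs more widely than this section intends. The sample rules are constructed, and `hypothetical-fw-allow-web-any` is a made-up misconfiguration included to show a finding.

```python
import ipaddress
import json

# Source ranges the page gives for the load balancer and health checkers.
GOOGLE_RANGES = [ipaddress.ip_network(c) for c in ("130.211.0.0/22", "35.191.0.0/16")]
BACKEND_TAGS = {"allow-ssh", "allow-health-check"}  # target tags used in this guide
# Constructed sample (last rule is hypothetical) shaped like gcloud's --format=json output.
SAMPLE = json.loads("""[
 {"name": "fw-allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "targetTags": ["allow-ssh"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "fw-allow-health-check-and-proxy", "direction": "INGRESS",
  "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"], "targetTags": ["allow-health-check"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
 {"name": "hypothetical-fw-allow-web-any", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "targetTags": ["allow-health-check"], "allowed": [{"IPProtocol": "tcp", "ports": ["80-443"]}]}
]""")

def tcp_ports(rule):
    """Return the TCP ports an allow rule opens; None means every port."""
    ports = set()
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol") in ("tcp", "all"):
            if "ports" not in entry:
                return None
            for spec in entry["ports"]:  # "80" or a range such as "8000-9000"
                low, _, high = spec.partition("-")
                ports.update(range(int(low), int(high or low) + 1))
    return ports

def audit(rules):
    """Return (rule name, finding) pairs for ingress rules that reach the backend VMs."""
    findings = []
    for rule in rules:
        tags = set(rule.get("targetTags", []))
        if rule.get("direction") == "EGRESS" or rule.get("disabled") or (
                tags and not tags & BACKEND_TAGS):
            continue  # not an active ingress rule for the backend VMs
        # With neither source ranges nor source tags, a rule matches any source.
        cidrs = rule.get("sourceRanges") or ([] if rule.get("sourceTags") else ["0.0.0.0/0"])
        sources = [ipaddress.ip_network(c) for c in cidrs]
        outside = [str(s) for s in sources if not any(
            s.version == g.version and s.subnet_of(g) for g in GOOGLE_RANGES)]
        ports = tcp_ports(rule)
        if outside and (ports is None or ports & {80, 443}):
            findings.append((rule["name"], "tcp:80/443 allowed from " + ",".join(outside)))
        if (ports is None or 22 in ports) and any(s.prefixlen == 0 for s in sources):
            findings.append((rule["name"], "tcp:22 allowed from any address"))
    return findings

print(*audit(SAMPLE), sep="\n")
```

On the sample, fw-allow-ssh is reported because it admits SSH from any address, which is the case the text above suggests narrowing; fw-allow-health-check-and-proxy produces no finding.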
    

Creating instances

To set up a load balancer with a Compute Engine backend, your VMs need to be in instance groups. This guide describes how to create a managed instance group with Linux VMs that have Apache running.

The managed instance group provides VMs running the backend servers of an external HTTPS load balancer. For demonstration purposes, backends serve their own hostnames.

In this example, you create eight virtual machine instances (VMs): four to serve video content and four to serve all other content. You use a startup script to install Apache web server software with a unique home page for each instance. Note that you can use any web server on your VMs; Apache is installed in this example as a convenience.

Console

Create an instance template.

  1. In the Google Cloud console, go to the Instance templates page.

    1. Click Create instance template.
    2. For Name, enter video-us-template.
    3. Ensure that the Boot disk is set to a Debian image, such as Debian GNU/Linux 12 (bookworm). These instructions use commands that are only available on Debian, such as apt-get.
    4. Click Advanced options.
    5. Click Networking and configure the following fields:
      1. For Network tags, enter allow-health-check and allow-ssh.
      2. For Network interfaces, select the following:
        • Network: lb-network
        • Subnet: us-subnet
    6. Click Management. Enter the following script into the Startup script field.

      #! /bin/bash
      apt-get update
      apt-get install apache2 -y
      a2ensite default-ssl
      a2enmod ssl
      vm_hostname="$(curl -H "Metadata-Flavor:Google" \
      http://metadata.google.internal/computeMetadata/v1/instance/name)"
      mkdir -p /var/www/html/video
      echo "Page served from: $vm_hostname" | \
      tee /var/www/html/index.html /var/www/html/video/index.html
      systemctl restart apache2
      
    7. Click Create.

  2. Create a managed instance group. In the Google Cloud console, go to the Instance groups page.

    1. Click Create instance group.
    2. Select New managed instance group (stateless). For more information, see Stateless or stateful MIGs.
    3. For Name, enter ig-video-us.
    4. Under Location, select Single zone.
    5. For Region, select your preferred region. This example uses us-central1.
    6. For Zone, select us-central1-b.
    7. Under Instance template, select video-us-template.
    8. Under Autoscaling mode, select Off: do not autoscale.
    9. Under Maximum number of instances, enter 2.
    10. Click Create.

gcloud

  1. Create an instance template.

    gcloud compute instance-templates create video-us-template \
       --region=us-central1 \
       --network=lb-network \
       --subnet=us-subnet \
       --tags=allow-health-check,allow-ssh \
       --image-family=debian-12 \
       --image-project=debian-cloud \
       --metadata=startup-script='#! /bin/bash
         apt-get update
         apt-get install apache2 -y
         a2ensite default-ssl
         a2enmod ssl
         vm_hostname="$(curl -H "Metadata-Flavor:Google" \
         http://metadata.google.internal/computeMetadata/v1/instance/name)"
         mkdir -p /var/www/html/video
         echo "Page served from: $vm_hostname" | \
         tee /var/www/html/index.html /var/www/html/video/index.html
         systemctl restart apache2'
    
  2. Create a managed instance group based on the template.

    gcloud compute instance-groups managed create ig-video-us \
       --template=video-us-template --size=2 --zone=us-central1-b
    

Repeat this procedure four times for the four instance groups. Make sure to change the instance group name, template name, region, and zone for each instance group, as follows:

  • ig-video-us, video-us-template, us-central1-b (as shown in the example)
  • ig-video-eu, video-eu-template, europe-west1-b
  • ig-www-us, www-us-template, us-central1-b
  • ig-www-eu, www-europe-template, europe-west1-b

Adding a named port to the instance group

For each instance group, define an HTTP service and map a port name to the relevant port. Once configured, the load balancing service forwards traffic to the named port.

Console

  1. In the Google Cloud console, go to the Instance groups page.

  2. Click the name of your instance group (for example ig-video-us) and click Edit Group.

  3. Click Specify port name mapping.

  4. Click Add item.

  5. For the port name, enter http. For the port number, enter 80.

  6. Click Save.

Repeat this step for each instance group.

gcloud

    gcloud compute instance-groups managed set-named-ports ig-video-us \
        --named-ports http:80 \
        --zone us-central1-b
    gcloud compute instance-groups managed set-named-ports ig-www-us \
        --named-ports http:80 \
        --zone us-central1-b
    gcloud compute instance-groups managed set-named-ports ig-video-eu \
        --named-ports http:80 \
        --zone europe-west1-b
    gcloud compute instance-groups managed set-named-ports ig-www-eu \
        --named-ports http:80 \
        --zone europe-west1-b

Reserving external IP addresses

Now that your instances are up and running, set up the services needed for load balancing. In this section, you create two global static external IP addresses that your customers use to reach your load balancer.

Console

  1. In the Google Cloud console, go to the External IP addresses page.

  2. Click Reserve static address to reserve an IPv4 address.

  3. Assign a Name of lb-ipv4-1.

  4. Set the Network tier to Premium.

  5. Set IP version to IPv4.

  6. Set the Type to Global.