Load Balancer on Google Cloud With Google-managed SSL Certificates


Today I would like to introduce how we can deploy simple web servers behind a load balancer on Google Cloud, and finally install a Google-managed SSL certificate. Generally, there are two types of load balancers: external and internal. According to the Google Cloud documentation, external load balancers distribute traffic coming from the internet to your Google Cloud Virtual Private Cloud (VPC) network. Global load balancing requires that you use the Premium Tier of Network Service Tiers; for regional load balancing, you can use Standard Tier. Internal load balancers distribute traffic to instances inside Google Cloud. In this article, we will mainly focus on the external load balancer. I assume that all of you already have a Google Cloud account; if not, please visit here.

In fact, there are also different types of external load balancer. In this article we will go through how to configure the HTTP(S) and the TCP/UDP load balancer. The HTTP(S) load balancer works at Layer 7 and acts as a proxy server. The TCP/UDP load balancer works at Layer 4 and acts as an ECMP router, routing each packet to the most suitable backend based on the health check results. For more details, please visit External HTTP(S) Load Balancing overview and External TCP/UDP Network Load Balancing overview.

Solution Diagram

Now, let’s take a look what we will do today:

The final result will look like:

Before we start, please download the prepared files from my GitHub, or clone the repository:

git clone https://github.com/manbobo2002/gcp_lb.git


In the console, open Cloud Shell and then click the editor mode so that we can easily review our code.

Then we have to set up our environment, e.g. define the project, zone and region:

gcloud config set project <your-project-id>
gcloud config set compute/zone us-central1-a
gcloud config set compute/region us-central1

Now we are ready to really create something. For convenience, I have written some scripts that create what we want very quickly.

Create Instance

First of all, we create our instances with a startup script.

cd gcp_lb
sh create-instance.sh

If this is your first time using Compute Engine, it will ask you to enable the API; please choose “y” and press “Enter”.

So, what does the script do? It first creates an instance template with a startup script and a target pool, then creates 2 instances from the template, and finally opens port 80 for access.
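As an added example (not the repository's create-instance.sh), here is the same sequence written out as gcloud commands; the resource names, the zone, the startup script and the firewall rules are my assumptions, and the commands are only printed unless DRY_RUN=0. The second firewall rule admits only Google's health-check probe ranges, which is worth keeping separate from the rule that opens port 80 to the internet.

```shell
#!/bin/sh
# Added example: instance template + managed instance group + target pool + firewall.
# Names, zone and region are assumptions; set DRY_RUN=0 to execute for real.
set -e

ZONE="${ZONE:-us-central1-a}"
REGION="${REGION:-us-central1}"
TEMPLATE="web-template"
MIG="web-mig"
POOL="web-pool"

run() {
  # Helper of this example: print each command; execute it only when DRY_RUN=0.
  printf '%s\n' "$*"
  if [ "${DRY_RUN:-1}" = "0" ]; then "$@"; fi
}

create_instances() {
  # A target pool (used by the L4 network LB) understands legacy HTTP health checks.
  run gcloud compute http-health-checks create web-legacy-hc --port 80 --request-path /
  run gcloud compute target-pools create "$POOL" --region "$REGION" \
      --http-health-check web-legacy-hc
  # Startup script installs a web server whose page shows which instance answered,
  # so the refresh behaviour described in the text can be observed.
  run gcloud compute instance-templates create "$TEMPLATE" \
      --machine-type e2-small --tags http-server \
      --metadata startup-script='#! /bin/bash
apt-get update && apt-get install -y apache2
echo "Served by $(hostname)" > /var/www/html/index.html'
  # A managed group recreates an instance that disappears (see the delete test later).
  run gcloud compute instance-groups managed create "$MIG" --zone "$ZONE" \
      --template "$TEMPLATE" --size 2 --target-pool "$POOL"
  # Clients of a passthrough (L4) LB reach the VMs directly, so port 80 must be
  # open to the internet. Health-check probes come from Google's fixed ranges.
  run gcloud compute firewall-rules create allow-http --network default \
      --allow tcp:80 --target-tags http-server --source-ranges 0.0.0.0/0
  run gcloud compute firewall-rules create allow-health-checks --network default \
      --allow tcp:80 --target-tags http-server \
      --source-ranges 130.211.0.0/22,35.191.0.0/16,209.85.152.0/22,209.85.204.0/22
}

if [ "${1:-}" = "apply" ]; then DRY_RUN=0; create_instances; fi
```

Run it with no arguments to review the plan, and with `apply` once the project, zone and region are configured as shown above.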

When we take a look at Compute Engine, we will see that there are 2 instances now.

Create a TCP/UDP Network (L4) Load Balancer

sh create-nlb.sh

It is quite easy to create a network load balancer. We just have to define the region, the port and the target pool.

By browsing to the IP, we can see the result. You may observe that when you press F5 to refresh, the instance does not change. The reason is that the network load balancer looks at the incoming address, port and protocol (port type), and these values do not change when you refresh the page, so you are sent to the same instance.

Create HTTP(S) Load Balancer

sh create-httplb.sh

The HTTP(S) load balancer is a little more complicated to configure, and the flow is as shown in the solution diagram.

We first create a health check, then map a port name to the relevant port for the instance group. Secondly, we create a backend service, which holds the configuration values for Google Cloud Platform load balancing. Thirdly, we add the instance group to the backend service. Finally, we create a default URL map, a target HTTP proxy and a global forwarding rule.

By browsing to the IP, we can see the result. This time you may find that the instance keeps changing when you refresh the page. The reason is that the HTTP(S) load balancer looks at the request traffic and chooses the instance that is most suitable and has enough capacity to handle it.

Test the load balancer

Then you may ask: what if one instance suddenly goes down? The answer is that the other instance picks up all the traffic. If you don’t believe it, let’s try. The script below deletes the first instance.

sh test-delete.sh

As expected, all traffic is automatically routed to the second instance. Also, when the instance group detects that one instance is gone, it soon creates another one.

Create Google-managed SSL Certificates

Now let us create a Google-managed SSL certificate. This time I just use the HTTP(S) load balancer as an example and install the SSL certificate on it. What you need is a domain, pointed at the HTTPS load balancer IP. If you do not have any domain, please go to No-IP and register one.

sh create-ssl.sh

Actually, it is not much different from the normal HTTP load balancer. We just have to create an SSL certificate stating your domain, then change the port from 80 to 443.

Finally, please set your domain to point to the HTTPS load balancer. Now let’s see the result by typing the domain name with https.

Now we can see that I successfully created an SSL certificate for the domain. By the way, I deleted the project and re-created another one here, so the instance names differ from the previous ones. Also please note that you may see something wrong at first; please wait around 10 minutes for the update.
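As an added example (not the repository's create-httplb.sh or create-ssl.sh), the HTTP(S) flow described above carried through to a Google-managed certificate on port 443, with a status check for the provisioning wait just mentioned. The resource names, the zone, the instance group name and the domain are my assumptions; commands are only printed unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example: L7 load balancer with a Google-managed certificate.
# Names, zone, MIG and DOMAIN are assumptions; set DRY_RUN=0 to execute for real.
set -e

ZONE="${ZONE:-us-central1-a}"
MIG="${MIG:-web-mig}"
DOMAIN="${DOMAIN:-lb.example.com}"

run() {
  # Helper of this example: print each command; execute it only when DRY_RUN=0.
  printf '%s\n' "$*"
  if [ "${DRY_RUN:-1}" = "0" ]; then "$@"; fi
}

create_https_lb() {
  # 1. Health check and named port, 2. backend service, 3. add the group, 4. URL map.
  run gcloud compute health-checks create http web-hc --port 80 --request-path /
  run gcloud compute instance-groups managed set-named-ports "$MIG" --zone "$ZONE" \
      --named-ports http:80
  run gcloud compute backend-services create web-backend --global --protocol HTTP \
      --port-name http --health-checks web-hc
  run gcloud compute backend-services add-backend web-backend --global \
      --instance-group "$MIG" --instance-group-zone "$ZONE"
  run gcloud compute url-maps create web-map --default-service web-backend
  # Reserve the address first so the DNS A record can exist before the certificate:
  # a managed certificate is only issued once DOMAIN resolves to this load balancer.
  run gcloud compute addresses create web-ip --global --ip-version IPV4
  run gcloud compute ssl-certificates create web-cert --global --domains "$DOMAIN"
  # The only differences from the plain HTTP setup: an HTTPS proxy and port 443.
  run gcloud compute target-https-proxies create web-https-proxy --url-map web-map \
      --ssl-certificates web-cert
  run gcloud compute forwarding-rules create web-https-rule --global --address web-ip \
      --target-https-proxy web-https-proxy --ports 443
}

# Prints PROVISIONING until DNS points at the LB and the domain is validated, then ACTIVE.
cert_status() {
  gcloud compute ssl-certificates describe web-cert --global --format 'value(managed.status)'
}

if [ "${1:-}" = "apply" ]; then DRY_RUN=0; create_https_lb; fi
```

After the A record for DOMAIN points at the reserved address, poll `cert_status` until it reports ACTIVE before expecting the https URL to work.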

That’s the end, hope you enjoy this tutorial.
