  1. Overview
    1. An internet network endpoint group (NEG) can be used as the backend for a backend service
    2. This is appropriate when serving content from an origin that is hosted outside of Google Cloud, with the Google Cloud external HTTP(S) load balancer as the frontend
    3. This enables the use of Google Edge infrastructure for terminating user connections
    4. Using Cloud CDN for a custom origin delivers traffic to a public endpoint across Google's private backbone
    5. This improves reliability and can decrease latency between client and server
    6. The terms "custom origin," "external endpoint," and "internet endpoint" are interchangeable
    7. Internet NEG is used to refer to a resource that contains an internet endpoint
    8. Internet NEGs are global resources that are hosted within on-premises infrastructure or on infrastructure provided by third-party providers
    9. An internet NEG can be used as a backend in a backend service for an external HTTP(S) load balancer, and as the origin for Cloud CDN
  2. Load balancing components and specifications
    1. An internet network endpoint group can be used in a load balancer using the Premium network service tier
    2. Because only one internet endpoint is allowed in each internet NEG, load balancing is not actually performed
    3. Load balancing modes, such as rate or utilization, cannot be used
    4. The load balancer serves as the frontend only, and it proxies traffic to the specified internet endpoint
    5. The forwarding selection is based on a URL map
    6. For target HTTP(S) proxies, the backend service used is determined by checking the request host name and path in the URL map.
    7. HTTP(S) load balancers can have multiple backend services referenced from the URL map
    8. Each external HTTP(S) load balancer has its own global external forwarding rule to direct traffic to the appropriate target proxy object
    9. If the URL map sends the request to a backend service that contains an internet NEG, the backend service directs traffic to that internet NEG
  3. Backend service
    1. An internet NEG is one type of backend supported by a backend service of an external HTTP(S) load balancer
    2. Google's global edge infrastructure can be used to terminate user requests in front of a custom origin
    3. When an internet NEG is added as a backend on a backend service, the backend service cannot also use zonal NEGs or instance groups as backends
    4. All backends on a backend service must be of the same type
    5. Only one internet NEG backend can be added to the same backend service
    6. Only one endpoint can be added to an internet NEG
    7. The backend service cannot reference a health check
    8. The backend service's load balancing scheme must be EXTERNAL and its protocol must be one of HTTP, HTTPS, or HTTP2
  4. Health checks
    1. A backend service that uses an internet NEG as a backend does not support a health check
    2. Google Cloud does not provide health checking for any internet endpoint or custom origin
    3. If the internet endpoint becomes unreachable or if the configured hostname (FQDN) cannot be resolved, the external HTTP(S) load balancer returns an HTTP 502 (Bad Gateway) response to its clients
  5. Limitations
    1. An internet endpoint with a FQDN defined must be resolvable by Google Public DNS
    2. An internet endpoint must be a publicly-routable IPv4 address or must resolve to one; an internet endpoint cannot be an RFC 1918 address
    3. It must be reachable over the internet
    4. The endpoint cannot be only reachable over Cloud VPN or Cloud Interconnect
    5. If the internet endpoint references a Google API or service, the service must be reachable via TCP port 80 or 443 using the HTTP, HTTPS or HTTP/2 protocol
    6. Only use internet NEGs on the Premium network service tier, which is the default tier
    7. Load balancing is currently not supported on internet endpoints – the requests are only proxied to the endpoint
    8. Google Edge infrastructure terminates the user connections and then directs the connections to the internet endpoint
    9. Internet NEGs can be used without Cloud CDN enabled
    10. With this configuration, multiple NEGs cannot be attached to the backend service
    11. The restriction of a single endpoint remains
    12. No health checking is performed for the internet NEG
  6. Quota
    1. Users can configure as many NEGs with external network endpoints as permitted by their existing network endpoint group quota
  7. Pricing
    1. Egress traffic to an internet NEG's endpoint (type INTERNET_FQDN_PORT or INTERNET_IP_PORT) is charged at internet egress rates for Premium Tier networking
    2. The source is based on the client location, and the destination is based on the location of the public endpoint
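
The backend service and endpoint rules listed under "Backend service" and "Limitations" can be checked before deployment. The following is an added example, not Google's code or part of the original notes: the dict layout, the function names and the sample values are assumptions, and FQDN endpoints are assumed to have been resolved to addresses already.

```python
import ipaddress

ALLOWED_PROTOCOLS = {"HTTP", "HTTPS", "HTTP2"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def endpoint_problems(ip):
    """Check one literal or already-resolved endpoint address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return [f"{ip}: not an IP address"]
    if addr.version != 4:
        return [f"{ip}: not IPv4"]
    if any(addr in net for net in RFC1918):
        return [f"{ip}: RFC 1918 address"]
    if not addr.is_global:  # loopback, link-local, CGNAT, documentation ranges
        return [f"{ip}: not publicly routable"]
    return []

def backend_service_problems(svc):
    """Validate a planned backend service (hypothetical dict layout)."""
    backends = svc.get("backends", [])
    negs = [b for b in backends if b["type"] == "INTERNET_NEG"]
    if not negs:
        return []  # the rules below only apply to internet NEG backends
    problems = []
    if svc.get("scheme") != "EXTERNAL":
        problems.append("load balancing scheme must be EXTERNAL")
    if svc.get("protocol") not in ALLOWED_PROTOCOLS:
        problems.append("protocol must be HTTP, HTTPS or HTTP2")
    if svc.get("health_checks"):
        problems.append("backend service cannot reference a health check")
    if len(negs) < len(backends):
        problems.append("internet NEG cannot be mixed with other backend types")
    if len(negs) > 1:
        problems.append("only one internet NEG backend per backend service")
    for neg in negs:
        endpoints = neg.get("endpoints", [])
        if len(endpoints) > 1:
            problems.append(f"{neg['name']}: only one endpoint allowed")
        for ip in endpoints:
            problems.extend(endpoint_problems(ip))
    return problems

# Constructed sample plans; 8.8.8.8 is only a stand-in for a public origin address.
GOOD = {"scheme": "EXTERNAL", "protocol": "HTTPS", "backends": [
    {"type": "INTERNET_NEG", "name": "origin-neg", "endpoints": ["8.8.8.8"]}]}
BAD = {"scheme": "EXTERNAL", "protocol": "HTTPS", "health_checks": ["hc-1"], "backends": [
    {"type": "INTERNET_NEG", "name": "origin-neg", "endpoints": ["192.168.10.5"]},
    {"type": "INSTANCE_GROUP", "name": "ig-1"}]}
```

Because no health check is possible, a plan that passes these checks can still return HTTP 502 if the origin later becomes unreachable, so origin availability has to be monitored separately.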