Load Balancer Forwarding Rules

Forwarding rules overview
1. A forwarding rule and its corresponding IP address represent the frontend configuration of a Google Cloud load balancer
2. Forwarding rules are used for protocol forwarding, Classic VPN gateways, and Traffic Director to provide forwarding information in the control plane
3. Each forwarding rule references an IP address and one or more ports on which the load balancer accepts traffic
4. Some Google Cloud load balancers limit users to a predefined set of ports, and others let users specify arbitrary ports
5. The forwarding rule also specifies an IP protocol
6. For Google Cloud load balancers, the IP protocol is always either TCP or UDP
7. Depending on the load balancer type
  1. A forwarding rule specifies a backend service, target proxy, or target pool
  2. A forwarding rule and its IP address are internal or external
  3. Depending on the load balancer and its tier, a forwarding rule is either global or regional
Internal forwarding rules
1. Internal forwarding rules forward traffic that originates inside a Google Cloud network
2. The clients can be in the same Virtual Private Cloud (VPC) network as the backends, or the clients can be in a connected network
3. Internal forwarding rules are used by two types of Google Cloud load balancers
  1. Internal TCP/UDP load balancers
  2. Internal HTTP(S) load balancers
Internal TCP/UDP load balancers
1. With an internal TCP/UDP load balancer, the supported traffic type is IPv4, and the supported protocol is either TCP or UDP (not both)
2. Each internal TCP/UDP load balancer has at least one regional internal forwarding rule
3. The regional internal forwarding rules point to the load balancer's regional internal backend service
4. The internal forwarding rule must be in a region and a subnet, and the backend service only needs to be in the region
Internal HTTP(S) load balancers
1. With an internal HTTP(S) load balancer, the supported traffic type is IPv4, and the supported protocol can be HTTP, HTTPS, or HTTP/2
2. Each internal HTTP(S) load balancer has exactly one regional internal forwarding rule
3. The regional internal forwarding rule points to the load balancer's regional target HTTP or HTTPS proxy
External forwarding rules
1. External forwarding rules forward traffic that originates from the internet, outside of your VPC network
2. External forwarding rules are used by the following Google Cloud load balancers
  1. External HTTP(S) load balancers
  2. SSL proxy load balancers
  3. TCP proxy load balancers
  4. Network load balancers
HTTP(S) load balancers
1. The external HTTP(S) load balancers support both Premium Tier and Standard Tier
2. The forwarding rule and IP address both depend on the tier selected for the load balancer
3. In an external HTTP(S) load balancer, a forwarding rule points to a target proxy
4. In Premium Tier, an external HTTP(S) load balancer uses a global external IP address, which can be either IPv4 or IPv6, and a global external forwarding rule
5. Users can provide a globally accessible application that directs end users to backends in the closest region and distributes traffic among multiple regions
6. Because a global external forwarding rule uses a single external IP address, there is no need to maintain separate DNS records in different regions or wait for DNS changes to propagate
7. Users can configure two different global external IP addresses pointing to the same external HTTP(S) load balancer
8. In Premium Tier, the global external IP address for one forwarding rule can be IPv4, and the global external IP address for a second forwarding rule can be IPv6
9. Both forwarding rules can point to the same target proxy
10. Users can provide both an IPv4 and an IPv6 address for the same external HTTP(S) load balancer
11. In Standard Tier, an external HTTP(S) load balancer uses a regional external IP address, which must be IPv4, and a regional external forwarding rule
12. An external HTTP(S) load balancer in Standard Tier can only distribute traffic to backends within a single region
SSL proxy load balancers
1. An SSL proxy load balancer is similar to an external HTTP(S) load balancer because it can terminate SSL (TLS) sessions
2. SSL proxy load balancers do not support path-based redirection like external HTTP(S) load balancers, so they are best suited for handling SSL for protocols other than HTTPS, such as IMAP or WebSockets over SSL
3. In an SSL proxy load balancer, a forwarding rule points to a target proxy
4. SSL proxy load balancers support both Premium Tier and Standard Tier
5. The forwarding rule and IP address both depend on the tier that is selected for the load balancer
6. In Premium Tier, an SSL proxy load balancer uses a global external IP address, which can be either IPv4 or IPv6, and a global external forwarding rule
7. Users can provide a globally accessible application that directs end users to backends in the closest region and distributes traffic among multiple regions
8. Because a global external forwarding rule uses a single external IP address, users don't have to maintain separate DNS records in different regions or wait for DNS changes to propagate
9. It is possible to have two different global external IP addresses pointing to the same SSL proxy load balancer
10. In Premium Tier, the global external IP address for one forwarding rule can be IPv4, and the global external IP address for a second forwarding rule can be IPv6. Both forwarding rules can point to the same target proxy
11. Users can provide both an IPv4 and an IPv6 address for the same SSL proxy load balancer
12. In Standard Tier, an SSL proxy load balancer uses a regional external IP address, which must be IPv4, and a regional external forwarding rule
13. An SSL proxy load balancer in Standard Tier can only distribute traffic to backends within a single region
TCP proxy load balancers
1. A TCP proxy load balancer offers global TCP proxying capability, without SSL offload
2. TCP proxy load balancers support both Premium Tier and Standard Tier
3. The forwarding rule and IP address both depend on the tier selected for the load balancer
4. In a TCP proxy load balancer, a forwarding rule points to a target proxy
5. In Premium Tier, a TCP proxy load balancer uses a global external IP address, which can be either IPv4 or IPv6, and a global external forwarding rule
6. Users can provide a globally accessible application that directs end users to backends in the closest region and distributes traffic among multiple regions
7. Because a global external forwarding rule uses a single external IP address, users don't have to maintain separate DNS records in different regions or wait for DNS changes to propagate
8. It is possible to have two different global external IP addresses pointing to the same TCP proxy load balancer
9. In Premium Tier, the global external IP address for one forwarding rule can be IPv4, and the global external IP address for a second forwarding rule can be IPv6.
10. Both forwarding rules can point to the same target proxy
11. Users can provide both an IPv4 and an IPv6 address for the same TCP proxy load balancer
12. In Standard Tier, a TCP proxy load balancer uses a regional external IP address, which must be IPv4, and a regional external forwarding rule
13. A TCP proxy load balancer in Standard Tier can only distribute traffic to backends within a single region
Network load balancers
1. The network load balancers distribute either TCP or UDP traffic among backends in a single region, and supports both Premium Tier and Standard Tier
2. A network load balancer uses a regional external forwarding rule and a regional external IPv4 address (regardless of tier)
3. The regional external IP address can be accessed anywhere on the internet
4. A regional external forwarding rule points to the load balancer's target pool
5. To use Network Load Balancing in different regions, create a network load balancer in each region.
6. Each load balancer has its own regional external forwarding rule with its own regional external IPv4 address
How Network Service Tiers affect load balancers
1. In Network Service Tiers, the distinction between Standard Tier and Premium Tier depends on how far traffic is routed over the public internet
2. Standard Tier: Offloads traffic as close as possible to the Google data center
3. Traffic is typically routed over the public internet for a longer distance, compared with Premium Tier
4. Premium Tier: Routes traffic over Google's private network as far as possible before leaving Google Cloud to get to the end user
5. The internal load balancers (HTTP(S) and TCP/UDP) must use Google's private network, and they are therefore always in the Premium Tier
6. Internal load balancing is always regional
7. Only the external load balancers (HTTP(S), TCP proxy, SSL proxy, and TCP/UDP network) can be routed over the public internet
8. Users can choose whether external load balancer is in the Premium Tier, using Google's private network, or in the Standard Tier, using the public internet
9. Network Load Balancing is always regional, regardless of tier
10. With Premium Tier, external HTTP(S) load balancers, TCP proxy load balancers, and SSL proxy load balancers are global
11. Their forwarding rules, IP addresses, and backend services are global
12. In Standard Tier, these load balancers are effectively regional
13. Their backend services remain global, but their forwarding rules and IP addresses are regional
Multiple forwarding rules with a common IP address
1. Two or more forwarding rules with the EXTERNAL load balancing scheme can share the same IP address if
  1. The ports used by each forwarding rule do not overlap
  2. The Network Service Tiers of each forwarding rule matches the Network Service Tiers of the external IP address
  3. A network load balancer that accepts traffic on TCP port 79 and another network load balancer that accepts traffic on TCP port 80 can share the same regional external IP address
2. The same global external IP address can be used for an external HTTP(S) load balancer (HTTP and HTTPS)
3. If the forwarding rule's load balancing scheme is one of the following, it must have a unique IP address
  1. INTERNAL for internal TCP/UDP load balancers
  2. INTERNAL_MANAGED for internal HTTP(S) load balancers
  3. INTERNAL_SELF_MANAGED for Traffic Director
Cloud IAM Conditions
1. With Cloud IAM Conditions, users can set conditions to control which roles are granted to members
2. This feature lets users grant permissions to members if configured conditions are met
3. A Cloud IAM condition checks the load balancing scheme (for example, INTERNAL or EXTERNAL) in the forwarding rule and allows (or disallows) creation of the forwarding rule
4. If a member tries to create a forwarding rule without permission, an error message appears