Externally-Facing Regional TCP/UDP Network Load Balancer on GCP
A regional LB, which is faster than a global one.
IPv4 only, a limitation imposed by GCP.
Perhaps unexpectedly, the External TCP/UDP NLB has additional limitations imposed by GCP when comparing to the Internal TCP/UDP NLB, namely:
- Despite it works for any TCP traffic (also UDP and other protocols), it can only use a plain HTTP health check. So, HTTPS or SSH probes are not possible.
- Can only use the nic0 (the base interface) of an instance.
- Cannot serve as a next hop in a GCP custom routing table entry.
Reference
Requirements
| Name | Version |
|---|---|
| terraform | >= 1.3, < 2.0 |
| ~> 4.54 |
Providers
| Name | Version |
|---|---|
| ~> 4.54 | |
| google-beta | n/a |
Modules
No modules.
Resources
| Name | Type |
|---|---|
| google-beta_google_compute_region_backend_service.this | resource |
| google_compute_address.this | resource |
| google_compute_forwarding_rule.rule | resource |
| google_compute_http_health_check.this | resource |
| google_compute_region_health_check.this | resource |
| google_compute_target_pool.this | resource |
| google_client_config.this | data source |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| backend_instance_groups | List of backend instance groups | list | [] | no |
| connection_tracking_policy | Connection tracking policy settings, only available for backend service based rules. Following options are available: - mode - (Optional|string) PER_CONNECTION (default) or PER_SESSION- persistence_on_unhealthy_backends - (Optional|string) DEFAULT_FOR_PROTOCOL (default), ALWAYS_PERSIST or NEVER_PERSISTMore information about supported configurations in conjunction with session_affinity is available in Backend service-based external Network Load Balancing documentation. | map(any) | null | no |
| create_health_check | Whether to create a health check on the target pool. | bool | true | no |
| health_check_healthy_threshold | Health check parameter, see provider doc | number | null | no |
| health_check_http_host | Health check http request host header, with the default adjusted to localhost to be able to check the health of the PAN-OS webui. | string | "localhost" | no |
| health_check_http_port | Health check parameter, see provider doc | number | null | no |
| health_check_http_request_path | Health check http request path, with the default adjusted to /php/login.php to be able to check the health of the PAN-OS webui. | string | "/php/login.php" | no |
| health_check_interval_sec | Health check parameter, see provider doc | number | null | no |
| health_check_timeout_sec | Health check parameter, see provider doc | number | null | no |
| health_check_unhealthy_threshold | Health check parameter, see provider doc | number | null | no |
| instances | List of links to the instances. Expected to be empty when using an autoscaler, as the autoscaler inserts entries to the target pool dynamically. The nic0 of each instance gets the traffic. Even when this list is shifted or re-ordered, it doesn't re-create any resources and such modifications often proceed without any noticeable downtime. | list(string) | null | no |
| name | Name of the backend_service, target_pool and of the associated health check. | string | n/a | yes |
| network_tier | The networking tier used for configuring this address. If this field is not specified, it is assumed to be PREMIUM. Possible values are PREMIUM and STANDARD. | string | "PREMIUM" | no |
| project | The project to deploy to. If unset the default provider project is used. | string | "" | no |
| region | GCP region to deploy to. If unset the default provider region is used. | string | null | no |
| rules | Map of objects, the keys are names of the external forwarding rules, each of the objects has the following attributes: - port_range: (Required) The port your service is listening on. Can be a number (80) or a range (8080-8089, or even 1-65535).- ip_address: (Optional) A public IP address on which to listen, must be in the same region as the LB and must be IPv4. If empty, automatically generates a new non-ephemeral IP on a PREMIUM tier.- ip_protocol: (Optional) The IP protocol for the frontend forwarding rule: TCP, UDP, ESP, ICMP, or L3_DEFAULT. Default is TCP.- all_ports: (Optional) Allows all ports to be forwarded to the Backend Service | any | n/a | yes |
| session_affinity | Controls distribution of new connections (or fragmented UDP packets) from clients to the backends, can influence available connection tracking configurations. Valid values are: NONE (default), CLIENT_IP, CLIENT_IP_PROTO, CLIENT_IP_PORT_PROTO (only available for backend service based rules). | string | "NONE" | no |
Outputs
| Name | Description |
|---|---|
| created_google_compute_http_health_check | The created health check resource. Null if create_health_check option was false. |
| created_google_compute_region_health_check | The created health check resource. Null if create_health_check option was false. |
| forwarding_rules | The map of created forwarding rules. |
| ip_addresses | The map of IP addresses of the forwarding rules. |
| target_pool | The self-link of the target pool. |
Resources Created
- One TargetPool.
- Zero or one HttpHealthCheck, the legacy kind.
- Multiple ForwardingRules (all in a single region) of type EXTERNAL and tier PREMIUM.
- Each creates zero or one of non-ephemeral, external, regional IPv4 IPAddresses.