Externally-Facing Regional TCP/UDP Network Load Balancer on GCP

  • A regional LB, which is faster than a global one.

  • IPv4 only, a limitation imposed by GCP.

  • Perhaps unexpectedly, the External TCP/UDP NLB has additional limitations imposed by GCP compared to the Internal TCP/UDP NLB, namely:

    • Although it works for any TCP traffic (as well as UDP and other protocols), it can only use a plain HTTP health check, so HTTPS or SSH probes are not possible.
    • Can only use the nic0 (the base interface) of an instance.
    • Cannot serve as a next hop in a GCP custom routing table entry.

Requirements

  • terraform: >= 1.3, < 2.0
  • google: ~> 4.54

Providers

  • google: ~> 4.54

Modules

No modules.

Resources

  • google_client_config.this (data source)


Inputs

  • backend_instance_groups: List of backend instance groups. Type: list. Default: []. Required: no.
  • connection_tracking_policy: Connection tracking policy settings, only available for backend service based rules. Following options are available:
    • mode - (Optional|string) PER_CONNECTION (default) or PER_SESSION
    • persistence_on_unhealthy_backends - (Optional|string) DEFAULT_FOR_PROTOCOL (default), ALWAYS_PERSIST or NEVER_PERSIST

    More information about supported configurations in conjunction with session_affinity is available in Backend service-based external Network Load Balancing documentation.
  • create_health_check: Whether to create a health check on the target pool. Type: bool. Default: true. Required: no.
  • health_check_healthy_threshold: Health check parameter, see provider doc. Type: number. Default: null. Required: no.
  • health_check_http_host: Health check http request host header, with the default adjusted to localhost to be able to check the health of the PAN-OS webui. Type: string. Default: "localhost". Required: no.
  • health_check_http_port: Health check parameter, see provider doc. Type: number. Default: null. Required: no.
  • health_check_http_request_path: Health check http request path, with the default adjusted to /php/login.php to be able to check the health of the PAN-OS webui. Type: string. Default: "/php/login.php". Required: no.
  • health_check_interval_sec: Health check parameter, see provider doc. Type: number. Default: null. Required: no.
  • health_check_timeout_sec: Health check parameter, see provider doc. Type: number. Default: null. Required: no.
  • health_check_unhealthy_threshold: Health check parameter, see provider doc. Type: number. Default: null. Required: no.
  • instances: List of links to the instances. Expected to be empty when using an autoscaler, as the autoscaler inserts entries to the target pool dynamically. The nic0 of each instance gets the traffic. Even when this list is shifted or re-ordered, it doesn't re-create any resources and such modifications often proceed without any noticeable downtime. Type: list(string). Default: null. Required: no.
  • name: Name of the backend_service, target_pool and of the associated health check. Type: string. Default: n/a. Required: yes.
  • network_tier: The networking tier used for configuring this address. If this field is not specified, it is assumed to be PREMIUM. Possible values are PREMIUM and STANDARD. Type: string. Default: "PREMIUM". Required: no.
  • project: The project to deploy to. If unset the default provider project is used. Type: string. Default: "". Required: no.
  • region: GCP region to deploy to. If unset the default provider region is used. Type: string. Default: null. Required: no.
  • rules: Map of objects, the keys are names of the external forwarding rules, each of the objects has the following attributes:
    • port_range: (Required) The port your service is listening on. Can be a number (80) or a range (8080-8089, or even 1-65535).
    • ip_address: (Optional) A public IP address on which to listen, must be in the same region as the LB and must be IPv4. If empty, automatically generates a new non-ephemeral IP on a PREMIUM tier.
    • ip_protocol: (Optional) The IP protocol for the frontend forwarding rule: TCP, UDP, ESP, ICMP, or L3_DEFAULT. Default is TCP.
    • all_ports: (Optional) Allows all ports to be forwarded to the Backend Service
  • session_affinity: Controls distribution of new connections (or fragmented UDP packets) from clients to the backends, can influence available connection tracking configurations. Valid values are: NONE (default), CLIENT_IP, CLIENT_IP_PROTO, CLIENT_IP_PORT_PROTO (only available for backend service based rules).


Outputs

  • created_google_compute_http_health_check: The created health check resource. Null if create_health_check option was false.
  • created_google_compute_region_health_check: The created health check resource. Null if create_health_check option was false.
  • forwarding_rules: The map of created forwarding rules.
  • ip_addresses: The map of IP addresses of the forwarding rules.
  • target_pool: The self-link of the target pool.

Resources Created

  • One TargetPool.
  • Zero or one HttpHealthCheck, the legacy kind.
  • Multiple ForwardingRules (all in a single region) of type EXTERNAL and tier PREMIUM.
    • Each creates zero or one non-ephemeral, external, regional IPv4 IPAddress.
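
An example call of this module using the inputs and outputs listed above, with a firewall rule that limits the plain-HTTP probe port to health check sources. It is added here and is not taken from the module's own repository. The module source path, instance links, network name and tag are placeholder assumptions; the source ranges are the ones GCP documents for legacy health check probes of target-pool load balancers.

```hcl
# Added example; every name, path, project and instance link below is a placeholder.
module "extlb" {
  source = "./modules/lb_external" # placeholder: point this at wherever the module lives

  name   = "fw-extlb"
  region = "us-central1"

  # nic0 of each listed instance receives the traffic.
  instances = [
    "projects/example-project/zones/us-central1-a/instances/fw-a",
    "projects/example-project/zones/us-central1-b/instances/fw-b",
  ]

  # One forwarding rule per key; both objects carry the same attributes.
  rules = {
    "web-tcp" = { port_range = "443", ip_protocol = "TCP" }
    "dns-udp" = { port_range = "53", ip_protocol = "UDP" }
  }

  session_affinity = "CLIENT_IP"

  # The probe is always plain HTTP. Host and path are the module defaults,
  # written out explicitly; the port is set here rather than left null.
  create_health_check            = true
  health_check_http_port         = 80
  health_check_http_host         = "localhost"
  health_check_http_request_path = "/php/login.php"
}

# Admit the health probe port only from GCP's legacy health check ranges.
resource "google_compute_firewall" "extlb_health_probes" {
  name          = "allow-extlb-health-probes"
  network       = "untrust-vpc" # placeholder network name
  direction     = "INGRESS"
  source_ranges = ["35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22"]
  target_tags   = ["vmseries"] # placeholder tag carried by the instances

  allow {
    protocol = "tcp"
    ports    = ["80"]
  }
}

# The module's map of IP addresses of the forwarding rules.
output "extlb_ip_addresses" {
  value = module.extlb.ip_addresses
}
```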