Cloud Load Balancing
Google Cloud Load Balancing is a fully distributed, software-defined managed service for distributing traffic across applications and regions. It offers a range of load balancing options to support different types of traffic, from global external HTTP(S) traffic to internal TCP/UDP traffic within a single region.
Key Features
- Autoscaling: Handles increases in traffic without pre-warming
- Global and Regional: Distribute traffic globally or within specific regions
- Integrated with Google Cloud: Works with Cloud CDN, Cloud Armor, and Monitoring
- Intelligent traffic distribution: Based on capacity, proximity, and health
- Layer 4 and Layer 7 support: Protocol and application-level load balancing
- Modern protocols: Support for HTTP/2 and QUIC
- Security features: Integration with Cloud Armor for DDoS protection and WAF capabilities
Load Balancing Types
Global Load Balancers
| Type | Use Case | Protocol Support | Notes |
|---|---|---|---|
| Global External Application Load Balancer | Global HTTP(S), gRPC traffic | HTTP, HTTPS, HTTP/2, gRPC | Integrate with Cloud CDN and Cloud Armor |
| Global External Proxy Network Load Balancer | Global TCP traffic | TCP, SSL | TLS termination, preserves client source IP |
| Global External Classic Application Load Balancer (Legacy) | HTTP(S) traffic | HTTP, HTTPS | Predecessor to Global External Application Load Balancer |
Regional Load Balancers
| Type | Use Case | Protocol Support | Notes |
|---|---|---|---|
| Regional External Application Load Balancer | Regional HTTP(S) traffic | HTTP, HTTPS, HTTP/2, gRPC | Lower latency within a region |
| Regional Internal Application Load Balancer | Internal HTTP(S) traffic | HTTP, HTTPS, HTTP/2, gRPC | Private traffic inside VPC |
| Regional External Network Load Balancer | Regional TCP/UDP traffic | TCP, UDP, ICMP | Preserves client source IP |
| Regional Internal Network Load Balancer | Internal TCP/UDP traffic | TCP, UDP | Internal RFC 1918 clients |
| Cross-region Internal Network Load Balancer | Internal traffic across regions | TCP, UDP | Multi-region internal services |
Choosing the Right Load Balancer
- HTTP(S) Traffic:
- Global reach needed: Global External Application Load Balancer
- Single region traffic: Regional External Application Load Balancer
- Internal services: Regional Internal Application Load Balancer
- TCP/UDP Traffic:
- Global TCP: Global External Proxy Network Load Balancer
- Regional TCP/UDP with preserved client IPs: Regional External Network Load Balancer
- Internal TCP/UDP: Regional Internal Network Load Balancer
- Cross-region internal: Cross-region Internal Network Load Balancer
Deployments with Terraform
Global External Application Load Balancer
This setup creates a globally distributed HTTP load balancer for a web application:
# Google Cloud Provider Configuration
provider "google" {
project = "my-project-id"
region = "us-central1"
}
# Reserve a global static external IP address
resource "google_compute_global_address" "default" {
name = "global-lb-ip"
}
# Create a backend service with health check
resource "google_compute_health_check" "default" {
name = "http-health-check"
check_interval_sec = 5
timeout_sec = 5
http_health_check {
port = 80
request_path = "/health"
}
}
# Create instance group for backend VMs
resource "google_compute_instance_group" "webservers" {
name = "webserver-group"
description = "Web server instance group"
zone = "us-central1-a"
named_port {
name = "http"
port = 80
}
# Note: In a real deployment, you would reference existing instances
# or use an instance group manager with an instance template
}
# Backend service to distribute traffic to instances
resource "google_compute_backend_service" "default" {
name = "web-backend-service"
protocol = "HTTP"
port_name = "http"
timeout_sec = 30
enable_cdn = true
load_balancing_scheme = "EXTERNAL"
health_checks = [google_compute_health_check.default.id]
backend {
group = google_compute_instance_group.webservers.id
balancing_mode = "UTILIZATION"
capacity_scaler = 1.0
}
# Optional: Configure Cloud CDN
cdn_policy {
cache_mode = "CACHE_ALL_STATIC"
client_ttl = 3600
default_ttl = 3600
max_ttl = 86400
serve_while_stale = 86400
}
}
# URL map to route requests to the backend service
resource "google_compute_url_map" "default" {
name = "web-url-map"
default_service = google_compute_backend_service.default.id
# Optional: Add path-based routing rules
host_rule {
hosts = ["example.com"]
path_matcher = "main"
}
path_matcher {
name = "main"
default_service = google_compute_backend_service.default.id
path_rule {
paths = ["/api/*"]
service = google_compute_backend_service.default.id
}
}
}
# HTTP target proxy to route requests to URL map
resource "google_compute_target_http_proxy" "default" {
name = "web-proxy"
url_map = google_compute_url_map.default.id
}
# Global forwarding rule to route traffic to the proxy
resource "google_compute_global_forwarding_rule" "default" {
name = "web-forwarding-rule"
ip_address = google_compute_global_address.default.address
port_range = "80"
target = google_compute_target_http_proxy.default.id
load_balancing_scheme = "EXTERNAL"
}
# Optional: Set up HTTPS with managed SSL certificate
resource "google_compute_managed_ssl_certificate" "default" {
name = "web-ssl-cert"
managed {
domains = ["example.com"]
}
}
resource "google_compute_target_https_proxy" "default" {
name = "web-https-proxy"
url_map = google_compute_url_map.default.id
ssl_certificates = [google_compute_managed_ssl_certificate.default.id]
}
resource "google_compute_global_forwarding_rule" "https" {
name = "web-https-forwarding-rule"
ip_address = google_compute_global_address.default.address
port_range = "443"
target = google_compute_target_https_proxy.default.id
load_balancing_scheme = "EXTERNAL"
}
Regional Internal Application Load Balancer
This setup creates a regional internal HTTP load balancer for internal microservices:
# Define a regional internal application load balancer
resource "google_compute_region_health_check" "default" {
name = "internal-http-health-check"
region = "us-central1"
check_interval_sec = 5
timeout_sec = 5
http_health_check {
port = 8080
request_path = "/healthz"
}
}
# Create a regional backend service
resource "google_compute_region_backend_service" "default" {
name = "internal-backend-service"
region = "us-central1"
protocol = "HTTP"
port_name = "http"
timeout_sec = 30
load_balancing_scheme = "INTERNAL_MANAGED"
health_checks = [google_compute_region_health_check.default.id]
backend {
group = google_compute_region_instance_group_manager.default.instance_group
balancing_mode = "UTILIZATION"
capacity_scaler = 1.0
}
}
# Create a URL map for routing
resource "google_compute_region_url_map" "default" {
name = "internal-url-map"
region = "us-central1"
default_service = google_compute_region_backend_service.default.id
}
# Create regional HTTP proxy
resource "google_compute_region_target_http_proxy" "default" {
name = "internal-http-proxy"
region = "us-central1"
url_map = google_compute_region_url_map.default.id
}
# Create a forwarding rule to route traffic to the proxy
resource "google_compute_forwarding_rule" "default" {
name = "internal-forwarding-rule"
region = "us-central1"
ip_protocol = "TCP"
port_range = "8080"
load_balancing_scheme = "INTERNAL_MANAGED"
target = google_compute_region_target_http_proxy.default.id
network = "default"
subnetwork = "default"
}
# Create a managed instance group for the backends
resource "google_compute_region_instance_group_manager" "default" {
name = "internal-service-mig"
region = "us-central1"
base_instance_name = "service"
version {
instance_template = google_compute_instance_template.default.id
}
auto_healing_policies {
health_check = google_compute_region_health_check.default.id
initial_delay_sec = 300
}
target_size = 2
}
# Define the instance template for the backends
resource "google_compute_instance_template" "default" {
name = "internal-service-template"
machine_type = "e2-medium"
disk {
source_image = "debian-cloud/debian-11"
auto_delete = true
boot = true
}
network_interface {
network = "default"
# No access_config means no external IP
}
metadata_startup_script = <<-EOT
#!/bin/bash
apt-get update
apt-get install -y nginx
cat > /var/www/html/healthz <<EOF
OK
EOF
cat > /etc/nginx/sites-available/default <<EOF
server {
listen 8080;
location / {
root /var/www/html;
}
location /healthz {
root /var/www/html;
}
}
EOF
systemctl restart nginx
EOT
tags = ["allow-health-check"]
}
# Create a firewall rule to allow health checks
resource "google_compute_firewall" "default" {
name = "allow-health-check"
network = "default"
allow {
protocol = "tcp"
ports = ["8080"]
}
source_ranges = ["35.191.0.0/16", "130.211.0.0/22"]
target_tags = ["allow-health-check"]
}
Regional External Network Load Balancer
This setup creates a regional external TCP load balancer that preserves client IP addresses:
# Create a health check for the backend service
resource "google_compute_region_health_check" "tcp_health_check" {
name = "tcp-health-check"
region = "us-central1"
check_interval_sec = 5
timeout_sec = 5
tcp_health_check {
port = 80
}
}
# Create a regional backend service
resource "google_compute_region_backend_service" "backend" {
name = "tcp-backend-service"
region = "us-central1"
protocol = "TCP"
load_balancing_scheme = "EXTERNAL"
health_checks = [google_compute_region_health_check.tcp_health_check.id]
backend {
group = google_compute_instance_group.backends.id
balancing_mode = "CONNECTION"
}
}
# Create an instance group for the backends
resource "google_compute_instance_group" "backends" {
name = "tcp-backend-group"
zone = "us-central1-a"
instances = [google_compute_instance.backend.id]
named_port {
name = "http"
port = 80
}
}
# Create a backend VM
resource "google_compute_instance" "backend" {
name = "tcp-backend-vm"
machine_type = "e2-medium"
zone = "us-central1-a"
boot_disk {
initialize_params {
image = "debian-cloud/debian-11"
}
}
network_interface {
network = "default"
access_config {
// Ephemeral public IP
}
}
metadata_startup_script = <<-EOT
#!/bin/bash
apt-get update
apt-get install -y nginx
systemctl start nginx
EOT
}
# Reserve an external IP address
resource "google_compute_address" "lb_ip" {
name = "tcp-lb-ip"
region = "us-central1"
}
# Create a forwarding rule
resource "google_compute_forwarding_rule" "tcp_forwarding_rule" {
name = "tcp-forwarding-rule"
region = "us-central1"
load_balancing_scheme = "EXTERNAL"
port_range = "80"
ip_address = google_compute_address.lb_ip.address
backend_service = google_compute_region_backend_service.backend.id
}
# Create firewall rule to allow traffic from Google Load Balancers
resource "google_compute_firewall" "allow_lb" {
name = "allow-lb-to-backends"
network = "default"
allow {
protocol = "tcp"
ports = ["80"]
}
source_ranges = ["0.0.0.0/0"]
target_tags = ["http-server"]
}
Implementation with gcloud CLI
Global External Application Load Balancer
# Create a global static IP address
gcloud compute addresses create global-lb-ip \
--global
# Create health check
gcloud compute health-checks create http http-basic-check \
--port=80 \
--check-interval=5s \
--timeout=5s \
--healthy-threshold=2 \
--unhealthy-threshold=2 \
--request-path="/health"
# Create a backend service
gcloud compute backend-services create web-backend-service \
--protocol=HTTP \
--port-name=http \
--health-checks=http-basic-check \
--global
# Add your instance group to the backend service
gcloud compute backend-services add-backend web-backend-service \
--instance-group=webserver-group \
--instance-group-zone=us-central1-a \
--global
# Create URL map
gcloud compute url-maps create web-map \
--default-service=web-backend-service
# Create HTTP target proxy
gcloud compute target-http-proxies create http-lb-proxy \
--url-map=web-map
# Create forwarding rule
gcloud compute forwarding-rules create http-content-rule \
--address=global-lb-ip \
--global \
--target-http-proxy=http-lb-proxy \
--ports=80
Regional Internal Application Load Balancer
# Create health check
gcloud compute health-checks create http internal-http-health-check \
--port=8080 \
--request-path="/healthz" \
--check-interval=5s \
--timeout=5s \
--region=us-central1
# Create backend service
gcloud compute backend-services create internal-backend-service \
--region=us-central1 \
--health-checks=internal-http-health-check \
--health-checks-region=us-central1 \
--protocol=HTTP \
--load-balancing-scheme=INTERNAL_MANAGED
# Add instance group to backend service
gcloud compute backend-services add-backend internal-backend-service \
--instance-group=internal-service-mig \
--instance-group-region=us-central1 \
--region=us-central1
# Create URL map
gcloud compute url-maps create internal-url-map \
--region=us-central1 \
--default-service=internal-backend-service
# Create HTTP proxy
gcloud compute target-http-proxies create internal-http-proxy \
--region=us-central1 \
--url-map=internal-url-map \
--url-map-region=us-central1
# Create forwarding rule
gcloud compute forwarding-rules create internal-forwarding-rule \
--region=us-central1 \
--load-balancing-scheme=INTERNAL_MANAGED \
--network=default \
--subnet=default \
--target-http-proxy=internal-http-proxy \
--target-http-proxy-region=us-central1 \
--ports=8080
Advanced Configurations
Custom Headers and URL Rewrites
For Application Load Balancers, you can configure custom headers and URL rewrites:
resource "google_compute_url_map" "advanced_url_map" {
name = "advanced-url-map"
default_service = google_compute_backend_service.default.id
host_rule {
hosts = ["example.com"]
path_matcher = "advanced"
}
path_matcher {
name = "advanced"
default_service = google_compute_backend_service.default.id
path_rule {
paths = ["/api/*"]
service = google_compute_backend_service.api.id
route_action {
url_rewrite {
path_prefix_rewrite = "/v1/"
}
}
}
path_rule {
paths = ["/legacy/*"]
service = google_compute_backend_service.legacy.id
header_action {
request_headers_to_add {
header_name = "X-Source"
header_value = "legacy-gateway"
replace = true
}
}
}
}
}
Weighted Traffic Distribution
For Global Application Load Balancers, you can implement weighted traffic distribution for A/B testing or canary deployments:
resource "google_compute_url_map" "weighted_url_map" {
name = "weighted-url-map"
default_service = google_compute_backend_service.prod.id
host_rule {
hosts = ["example.com"]
path_matcher = "weighted"
}
path_matcher {
name = "weighted"
default_service = google_compute_backend_service.prod.id
route_rules {
priority = 1
match_rules {
prefix_match = "/features/"
}
route_action {
weighted_backend_services {
backend_service = google_compute_backend_service.prod.id
weight = 90
}
weighted_backend_services {
backend_service = google_compute_backend_service.canary.id
weight = 10
}
}
}
}
}
Session Affinity
Configure session affinity to route requests from the same client to the same backend:
resource "google_compute_backend_service" "affinity_service" {
name = "affinity-backend-service"
protocol = "HTTP"
load_balancing_scheme = "EXTERNAL"
timeout_sec = 30
health_checks = [google_compute_health_check.default.id]
backend {
group = google_compute_instance_group.webservers.id
balancing_mode = "UTILIZATION"
capacity_scaler = 1.0
}
session_affinity = "GENERATED_COOKIE"
# For cookie-based affinity
consistent_hash {
http_cookie {
name = "session-cookie"
ttl {
seconds = 3600
}
}
}
}
SSL Policies for Enhanced Security
Create a custom SSL policy for HTTPS load balancers:
# Create custom SSL policy
resource "google_compute_ssl_policy" "secure_policy" {
name = "secure-ssl-policy"
profile = "MODERN"
min_tls_version = "TLS_1_2"
# Optional: specify allowed cipher suites
custom_features = [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
]
}
# Apply SSL policy to HTTPS proxy
resource "google_compute_target_https_proxy" "default" {
name = "web-https-proxy"
url_map = google_compute_url_map.default.id
ssl_certificates = [google_compute_managed_ssl_certificate.default.id]
ssl_policy = google_compute_ssl_policy.secure_policy.id
}
Cloud Armor Integration for WAF and DDoS Protection
Add Cloud Armor security policy to your load balancer:
# Create Cloud Armor security policy
resource "google_compute_security_policy" "policy" {
name = "my-security-policy"
# Default rule (lowest priority, evaluated last)
rule {
action = "allow"
priority = "2147483647"
match {
versioned_expr = "SRC_IPS_V1"
config {
src_ip_ranges = ["0.0.0.0/0"]
}
}
description = "Default rule, allow all traffic"
}
# Block traffic from specific countries
rule {
action = "deny(403)"
priority = "1000"
match {
expr {
expression = "origin.region_code == 'CN'"
}
}
description = "Block traffic from China"
}
# Block common SQL injection patterns
rule {
action = "deny(403)"
priority = "2000"
match {
expr {
expression = "evaluatePreconfiguredExpr('sqli-stable')"
}
}
description = "Block SQL injection attempts"
}
# Rate limit by IP
rule {
action = "rate_based_ban"
priority = "3000"
match {
versioned_expr = "SRC_IPS_V1"
config {
src_ip_ranges = ["0.0.0.0/0"]
}
}
description = "Rate limit all traffic"
rate_limit_options {
conform_action = "allow"
exceed_action = "deny(429)"
enforce_on_key = "IP"
rate_limit_threshold {
count = 100
interval_sec = 60
}
}
}
}
# Apply security policy to backend service
resource "google_compute_backend_service" "default" {
name = "web-backend-service"
protocol = "HTTP"
port_name = "http"
timeout_sec = 30
enable_cdn = true
load_balancing_scheme = "EXTERNAL"
health_checks = [google_compute_health_check.default.id]
security_policy = google_compute_security_policy.policy.id
backend {
group = google_compute_instance_group.webservers.id
balancing_mode = "UTILIZATION"
capacity_scaler = 1.0
}
}
Load Balancing Patterns
Multi-Regional Active-Active
Deploy a global load balancer with backend services in multiple regions for high availability:
resource "google_compute_backend_service" "multi_region" {
name = "multi-region-backend"
protocol = "HTTP"
port_name = "http"
load_balancing_scheme = "EXTERNAL"
timeout_sec = 30
health_checks = [google_compute_health_check.default.id]
# US region backend
backend {
group = google_compute_instance_group.us_webservers.id
balancing_mode = "UTILIZATION"
capacity_scaler = 1.0
}
# Europe region backend
backend {
group = google_compute_instance_group.eu_webservers.id
balancing_mode = "UTILIZATION"
capacity_scaler = 1.0
}
# Asia region backend
backend {
group = google_compute_instance_group.asia_webservers.id
balancing_mode = "UTILIZATION"
capacity_scaler = 1.0
}
# Use latency-based routing
locality_lb_policy = "LEAST_REQUEST"
}
Internal Microservices Architecture
Create internal load balancers for microservices communication:
# Service A - Internal Load Balancer
resource "google_compute_region_backend_service" "service_a" {
name = "service-a-backend"
region = "us-central1"
protocol = "HTTP"
load_balancing_scheme = "INTERNAL_MANAGED"
health_checks = [google_compute_region_health_check.service_a_health.id]
backend {
group = google_compute_region_instance_group_manager.service_a.instance_group
balancing_mode = "UTILIZATION"
}
}
# Service B - Internal Load Balancer
resource "google_compute_region_backend_service" "service_b" {
name = "service-b-backend"
region = "us-central1"
protocol = "HTTP"
load_balancing_scheme = "INTERNAL_MANAGED"
health_checks = [google_compute_region_health_check.service_b_health.id]
backend {
group = google_compute_region_instance_group_manager.service_b.instance_group
balancing_mode = "UTILIZATION"
}
}
# API Gateway - External Load Balancer
resource "google_compute_backend_service" "api_gateway" {
name = "api-gateway-backend"
protocol = "HTTP"
port_name = "http"
load_balancing_scheme = "EXTERNAL"
health_checks = [google_compute_health_check.gateway_health.id]
backend {
group = google_compute_instance_group_manager.api_gateway.instance_group
balancing_mode = "UTILIZATION"
}
}
CDN Integration Pattern
Integrate Cloud CDN with Application Load Balancer for static content:
resource "google_compute_backend_service" "cdn_backend" {
name = "cdn-backend-service"
protocol = "HTTP"
port_name = "http"
timeout_sec = 30
enable_cdn = true
load_balancing_scheme = "EXTERNAL"
health_checks = [google_compute_health_check.default.id]
backend {
group = google_compute_instance_group.webservers.id
balancing_mode = "UTILIZATION"
capacity_scaler = 1.0
}
cdn_policy {
cache_mode = "USE_ORIGIN_HEADERS"
client_ttl = 3600
default_ttl = 3600
max_ttl = 86400
negative_caching = true
serve_while_stale = 86400
cache_key_policy {
include_host = true
include_protocol = true
include_query_string = true
}
}
}
Monitoring and Logging
CloudWatch Metrics for Load Balancers
# Create a dashboard for load balancer monitoring
resource "google_monitoring_dashboard" "lb_dashboard" {
dashboard_json = <<EOF
{
"displayName": "Load Balancer Dashboard",
"gridLayout": {
"columns": "2",
"widgets": [
{
"title": "Request Count",
"xyChart": {
"dataSets": [
{
"timeSeriesQuery": {
"timeSeriesFilter": {
"filter": "metric.type=\"loadbalancing.googleapis.com/https/request_count\" resource.type=\"https_lb_rule\" resource.label.\"forwarding_rule_name\"=\"${google_compute_global_forwarding_rule.default.name}\"",
"aggregation": {
"alignmentPeriod": "60s",
"perSeriesAligner": "ALIGN_RATE"
}
}
}
}
]
}
},
{
"title": "Backend Latency",
"xyChart": {
"dataSets": [
{
"timeSeriesQuery": {
"timeSeriesFilter": {
"filter": "metric.type=\"loadbalancing.googleapis.com/https/backend_latencies\" resource.type=\"https_lb_rule\" resource.label.\"forwarding_rule_name\"=\"${google_compute_global_forwarding_rule.default.name}\"",
"aggregation": {
"alignmentPeriod": "60s",
"perSeriesAligner": "ALIGN_PERCENTILE_95"
}
}
}
}
]
}
}
]
}
}
EOF
}
Setting Up Alerting Policies
# Create alert policy for 5xx errors
resource "google_monitoring_alert_policy" "lb_5xx_errors" {
display_name = "High 5xx Error Rate Alert"
combiner = "OR"
conditions {
display_name = "Error Rate > 5%"
condition_threshold {
filter = "metric.type=\"loadbalancing.googleapis.com/https/request_count\" resource.type=\"https_lb_rule\" resource.label.\"forwarding_rule_name\"=\"${google_compute_global_forwarding_rule.default.name}\" metric.label.\"response_code_class\"=\"500\""
duration = "60s"
comparison = "COMPARISON_GT"
threshold_value = 0.05
aggregations {
alignment_period = "60s"
per_series_aligner = "ALIGN_RATE"
cross_series_reducer = "REDUCE_SUM"
group_by_fields = ["resource.label.forwarding_rule_name"]
}
denominator_filter = "metric.type=\"loadbalancing.googleapis.com/https/request_count\" resource.type=\"https_lb_rule\" resource.label.\"forwarding_rule_name\"=\"${google_compute_global_forwarding_rule.default.name}\""
denominator_aggregations {
alignment_period = "60s"
per_series_aligner = "ALIGN_RATE"
cross_series_reducer = "REDUCE_SUM"
group_by_fields = ["resource.label.forwarding_rule_name"]
}
}
}
notification_channels = [
google_monitoring_notification_channel.email.id
]
documentation {
content = "High rate of 5xx errors detected on load balancer ${google_compute_global_forwarding_rule.default.name}"
mime_type = "text/markdown"
}
}
resource "google_monitoring_notification_channel" "email" {
display_name = "DevOps Team Email"
type = "email"
labels = {
email_address = "devops@example.com"
}
}
Best Practices
-
Choose the right load balancer: Match your load balancer type to your traffic patterns and requirements
-
Implement health checks properly: Design health checks that accurately reflect service health, not just connectivity
-
Utilize Cloud CDN: Enable Cloud CDN for static content to reduce backend load and improve user experience
-
Implement security layers: Use Cloud Armor for WAF capabilities and DDoS protection
-
Configure appropriate session affinity: Choose the correct affinity method based on your application requirements
-
Set up proper monitoring: Configure dashboards and alerts for key metrics like latency, errors, and traffic
-
Design for high availability: Use multiple regions for global services and multiple zones for regional services
-
Optimize backend instance groups: Use managed instance groups with autoscaling for dynamic workloads
-
Define custom headers for backend routing: Add custom headers to help backend services identify traffic source
-
Implement graceful backend transitions: Use weighted traffic distribution for canary releases
-
Configure appropriate timeouts: Adjust timeout settings based on backend service response characteristics
Troubleshooting
Common Issues and Solutions
- 5xx Errors from Load Balancer
- Check backend service health
- Verify backend instance capacity
- Inspect backend service logs for errors
- Confirm firewall rules allow health check traffic
- High Latency
- Check backend service resource utilization
- Verify proper region selection for regional load balancers
- Enable and optimize Cloud CDN for cacheable content
- Use network performance tests to identify bottlenecks
- SSL/TLS Certificate Problems
- Verify certificate validity and domain names
- Check SSL policy configuration
- Ensure certificates are properly uploaded and linked
- Look for certificate mismatch errors in logs
- Load Balancer Not Distributing Traffic Evenly
- Review balancing mode settings
- Check instance group health and capacity
- Verify session affinity settings
- Inspect health check pass/fail rates
Diagnostic Commands
# Check health check status for instances
gcloud compute backend-services get-health web-backend-service \
--global
# View recent load balancer logs
gcloud logging read 'resource.type=http_load_balancer AND resource.labels.forwarding_rule_name=web-forwarding-rule' \
--limit=10
# Get load balancer details
gcloud compute forwarding-rules describe web-forwarding-rule \
--global
# List SSL certificates
gcloud compute ssl-certificates list
# Test backend connectivity from Cloud Shell
curl -v --resolve example.com:443:$(gcloud compute addresses describe global-lb-ip --global --format='value(address)') https://example.com/