URL maps overview

Trusted Cloud by S3NS Application Load Balancers and Cloud Service Mesh use a Trusted Cloud configuration resource called a URL map to route HTTP(S) requests to backend services or backend buckets.

For example, with an external Application Load Balancer, you can use a single URL map to route requests to different destinations based on the rules configured in the URL map:

  • Requests for https://example.com/video go to one backend service.
  • Requests for https://example.com/audio go to a different backend service.
  • Requests for any other host and path combination go to a default backend service.

URL maps are used with the following Trusted Cloud products:

The regional URL map that you use depends on the product's load balancing scheme.

| Product | Load-balancing scheme | URL map resource type | Supported destinations |
| --- | --- | --- | --- |
| Regional external Application Load Balancer | EXTERNAL_MANAGED | Regional | Backend services |
| Regional internal Application Load Balancer | INTERNAL_MANAGED | Regional | Backend services |

Not all URL map features are available for all products. URL maps used with regional external Application Load Balancers and internal Application Load Balancers also support several advanced traffic management features. For more information about these differences, see Load balancer feature comparison: Routing and traffic management.

How URL maps work

When a request arrives at the load balancer, the load balancer routes the request to a particular backend service.

A backend service represents a collection of backends, which are instances of an application or microservice.

For regional external Application Load Balancers and internal Application Load Balancers, possible destinations are the following:

For example, assume that you have the following setup:

  • One IP address:
    • All requests to your organization go to the same IP address and the same load balancer.
    • Traffic is directed to different backend services based on the request URL.
  • Two domains:
    • example.net hosts training videos.
    • example.org hosts your organization website.
  • Four sets of servers:
    • One hosts your organization website (backend service: org-site).
    • One hosts the overall training video website (backend service: video-site).
    • One hosts high definition (HD) training videos (backend service: video-hd).
    • One hosts standard definition (SD) training videos (backend service: video-sd).

You want the following to happen:

  • Requests to example.org (or any domain other than example.net) to go to the org-site backend service.
  • Requests to example.net that don't match more specific paths to go to the video-site backend service.
  • Requests to example.net/video/hd/* to go to the video-hd backend service.
  • Requests to example.net/video/sd/* to go to the video-sd backend service.

A --path-rule for /video/* matches URIs such as /video/test1 and /video/test2. However, this path rule doesn't match the path /video.

If the load balancer receives a request with /../ in the URL, the load balancer transforms the URL by removing the path segment before the .., and responds with the transformed URL. For example, when a request is sent for http://example.net/video/../abc, the load balancer responds with a 302 redirect to http://example.net/abc. Most clients then react by issuing a request to the URL returned by the load balancer (in this case, http://example.net/abc). This 302 redirection isn't logged in Cloud Logging.

The URL map lets you set up this type of host and path-based routing.

Example backend service setup.

Load balancer naming

For Application Load Balancers, the name of the load balancer is always the same as the name of the URL map. The behavior for each Trusted Cloud interface is as follows:

  • Trusted Cloud console. If you create an Application Load Balancer by using the Trusted Cloud console, the URL map is automatically assigned the same name that you entered for the load balancer name.
  • Google Cloud CLI or API. If you create an Application Load Balancer by using the gcloud CLI or the API, you enter a name of your choice while creating the URL map. This URL map name is then reflected in the Trusted Cloud console as the name of the load balancer.

To learn about how naming works for Proxy Network Load Balancers and Passthrough Network Load Balancers, see Backend services overview: Load balancer naming.

URL map components

A URL map is a set of Trusted Cloud configuration resources that direct requests for URLs to backend services. The URL map does so by using the hostname and path portions for each URL it processes:

  • A hostname is the domain name portion of a URL; for example, the hostname portion of the URL http://example.net/video/hd is example.net.
  • A path is the portion of a URL following the hostname and optional port number; for example, the path portion of the URL http://example.net/video/hd is /video/hd.
Load balancer configuration with basic URL map.

This diagram shows the structure of the load balancing configuration objects in relation to each other.

You control which backend services receive incoming requests by using the following URL map configuration parameters:

  • Default backend service. When you create a URL map, you must specify a default backend service. This default represents the backend service to which Trusted Cloud directs requests for URLs with any hostname, unless there is an applicable host rule.
  • Host rule (hostRules). A host rule directs requests sent to one or more associated hostnames to a single path matcher (pathMatchers). The hostname portion of a URL is exactly matched against the set of the host rule's configured hostnames. In a URL map host and path rule, if you omit the host, the rule matches any requested host. To direct requests for http://example.net/video/hd to a path matcher, you need a single host rule that at least includes the hostname example.net. That same host rule could also handle requests for other hostnames, but it would direct them to the same path matcher.

    If you need to direct requests to different path matchers, you must use different host rules. Two host rules in a URL map can't include the same hostname.

    It is possible to match all hostnames by specifying the wildcard character * in the host rule. For example, for the URLs http://example.org, http://example.net/video/hd, and http://example.com/audio, all three hostnames example.org, example.net, and example.com can be matched by specifying * in the host rule. It is also possible to match a partial hostname by specifying the wildcard character *. For example, a host rule *.example.net is matched against both hostnames news.example.net and finance.example.net.

    • Port number. Different Application Load Balancers handle port numbers differently. In the case of the internal Application Load Balancer, you can use the Host rule parameter to specify a port number. For example, to direct example.net requests for port 8080, set the host rule to example.net:8080.
  • Path matcher (pathMatchers). A path matcher is the configuration parameter referenced by a host rule. It defines the relationship between the path portion of a URL and the backend service that should serve the request. A path matcher consists of two elements:

    • Path matcher default backend service. For each path matcher, you must at least specify a default backend service. This default represents the backend service to which Trusted Cloud directs requests for URLs whose hostnames match a host rule associated with the path matcher, and whose URL paths don't match any path rule in the path matcher.

    • Path rules. For each path matcher, you can specify one or more path rules, which are key-value pairs mapping a URL path to a single backend service. The next section contains more information about how path rules work.

Order of operations

For a given hostname and path in a requested URL, Trusted Cloud uses the following procedure to direct the request to the correct backend service, as configured in your URL map:

  • If the URL map does not contain a host rule for the URL's hostname, Trusted Cloud directs requests to the URL map's default backend service.

  • If the URL map contains a host rule that includes the URL's hostname, the path matcher referenced by that host rule is consulted:

    • If the path matcher contains a path rule that exactly matches the URL's path, Trusted Cloud directs requests to the backend service for that path rule.

    • If the path matcher does not contain a path rule that exactly matches the URL's path, but does contain a path rule ending in /* whose prefix matches the longest section of the URL's path, then Trusted Cloud directs requests to the backend service for that path rule. For example, for the URL map containing two path matcher rules /video/hd/movie1 and /video/hd/*, if the URL contains the exact path /video/hd/movie1, it is matched against that path rule.

    • If neither of the previous conditions is true, Trusted Cloud directs requests to the path matcher's default backend service.
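
The procedure above can be modelled offline to check which backend service a given URL reaches before a URL map is deployed. The following is an added example, not code from this page or from the product: it encodes the example.net / example.org setup described earlier, and the dictionary layout, the function names, and the rule that exact hostnames are tried before wildcard patterns are assumptions of this sketch.

```python
# Added example: simplified model of URL map host rule and path rule resolution.
# Backend names come from the example setup on this page; the dict layout and
# function names are assumptions made for this sketch.
from urllib.parse import urlsplit

URL_MAP = {
    "defaultService": "org-site",
    "hostRules": [{"hosts": ["example.net"], "pathMatcher": "video"}],
    "pathMatchers": {
        "video": {
            "defaultService": "video-site",
            "pathRules": {
                "/video/hd/*": "video-hd",
                "/video/sd/*": "video-sd",
            },
        }
    },
}


def host_matches(pattern, host):
    """Exact hostname, '*' for any host, or a leading '*.' partial wildcard."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def find_path_matcher(url_map, host):
    """Pick the path matcher for a host, or None when no host rule applies."""
    # Assumption: exact hostnames are tried before wildcard patterns.
    pairs = [(p, r["pathMatcher"]) for r in url_map["hostRules"] for p in r["hosts"]]
    pairs.sort(key=lambda pair: "*" in pair[0])
    for pattern, name in pairs:
        if host_matches(pattern, host):
            return url_map["pathMatchers"][name]
    return None


def resolve(url_map, url):
    """Return the backend service the modelled URL map selects for a URL."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    matcher = find_path_matcher(url_map, host)
    if matcher is None:                       # no host rule: URL map default
        return url_map["defaultService"]
    rules = matcher["pathRules"]
    if path in rules:                         # exact path rule wins first
        return rules[path]
    prefixes = [p for p in rules if p.endswith("/*") and path.startswith(p[:-1])]
    if prefixes:                              # then the longest /* prefix
        return rules[max(prefixes, key=len)]
    return matcher["defaultService"]          # else the path matcher default
```

Note that /video/hd (no trailing segment) and /video/hd-abcd both fall through to the path matcher default in this model, which is the fall-through case worth reviewing when a default backend is less restricted than the specific ones.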

Path matcher constraints

Hostnames, path matchers, and path rules have constraints.

Wildcards, regular expressions, and dynamic URLs in path rules

  • A path rule can only include a wildcard character (*) after a forward slash character (/). For example, /videos/* and /videos/hd/* are valid for path rules, but /videos* and /videos/hd* are not.

  • Path rules don't use regular expressions or substring matching. PathTemplateMatch can use simplified path matching operators. For example, path rules for either /videos/hd or /videos/hd/* don't apply to a URL with the path /video/hd-abcd. However, a path rule for /video/* does apply to that path.

  • Path matchers (and URL maps in general) don't offer features that function like Apache LocationMatch directives. If you have an application that generates dynamic URL paths that have a common prefix, such as /videos/hd-abcd and /videos/hd-pqrs, and you need to send requests made to those paths to different backend services, you might not be able to do that with a URL map. For cases containing only a few possible dynamic URLs, you might be able to create a path matcher with a limited set of path rules. For more complex cases, you need to do path-based regular expression matching on your backends.

Wildcards and pattern matching operators in path templates for route rules

Flexible pattern matching operators let you match multiple parts of a URL path, including partial URLs and suffixes (file extensions), by using wildcard syntax. These operators can be helpful when you need to route traffic and execute rewrites based on complex URL paths. You can also associate one or more path components with named variables and then refer to those variables when rewriting the URL. With named variables, you can reorder and remove URL components before the request is sent to your origin.

Pattern matching with wildcards is supported only for the following products:

  • Regional external Application Load Balancer
  • Regional internal Application Load Balancer

The following example routes traffic for an eCommerce application that has separate services for cart information and user information. You can configure routeRules with flexible pattern matching operators and named variables to send the user's unique ID to a user account details page and the user's cart information to a cart processing service after rewriting the URL.

  pathMatchers:
    - name: cart-matcher
      routeRules:
        - description: CartService
          matchRules:
            - pathTemplateMatch: '/xyzwebservices/v2/xyz/users/{username=*}/carts/{cartid=**}'
          service: cart-backend
          priority: 1
          routeAction:
            urlRewrite:
              pathTemplateRewrite: '/{username}-{cartid}/'
    - name: user-matcher
      routeRules:
        - description: UserService
          matchRules:
            - pathTemplateMatch: '/xyzwebservices/v2/xyz/users/*/accountinfo/*'
          service: user-backend
          priority: 1

Here's what happens when a client requests /xyzwebservices/v2/xyz/users/abc@xyz.com/carts/FL0001090004/entries/SJFI38u3401nms?fields=FULL&client_type=WEB, which has both user information and cart information:

  1. The request path matches the pathTemplateMatch within the cart-matcher pathMatcher. The {username=*} variable matches abc@xyz.com and the {cartid=**} variable matches FL0001090004/entries/SJFI38u3401nms.
  2. The query parameters are split off from the path, the path is rewritten based on pathTemplateRewrite, and the query parameters are appended to the rewritten path. The pathTemplateRewrite can use only the variables that were defined in the pathTemplateMatch.
  3. The rewritten request is sent to cart-backend with the rewritten URL path: /abc@xyz.com-FL0001090004/entries/SJFI38u3401nms?fields=FULL&client_type=WEB.

The following happens when a client requests /xyzwebservices/v2/xyz/users/abc%40xyz.com/accountinfo/abc-1234 instead, which has only user and account information:

  1. The request path matches the pathTemplateMatch within the user-matcher pathMatcher. The first * matches abc%40xyz.com and the second * matches abc-1234.
  2. The request is sent to user-backend.

The following table outlines the syntax for path template patterns.

| Operator | Matches |
| --- | --- |
| * | A single path segment, not including the surrounding path separator / characters. |
| ** | Matches zero or more characters, including any path separator / characters between multiple path segments. If other operators are included, the ** operator must be the last operator. |
| {name} or {name=*} | A named variable matching one path segment. Matches a single path segment, not including the surrounding path separator / characters. |
| {name=news/*} | A named variable explicitly matching two path segments: news and a * wildcard segment. |
| {name=*/news/*} | A named variable matching three path segments. |
| {name=**} | A named variable matching zero or more characters. If present, must be the last operator. |

When you use these operators for flexible pattern matching, keep these considerations in mind:

  • Multiple operators can be combined in a single pattern.
  • Query parameters are split off from the path, the path is rewritten based on pathTemplateRewrite, and the query parameters are appended to the rewritten path.
  • Requests are not percent-encoding normalized. For example, a URL with a percent-encoded slash character (%2F) is not decoded into the unencoded form.
  • Each variable name, such as {segment} or {region}, can appear only once in the same pattern. Multiple variables of the same name are invalid and are rejected.
  • Variable names are case-sensitive and must be valid identifiers. To check if a variable name is valid, ensure that it matches the regular expression ^[a-zA-Z][a-zA-Z0-9_]*$.
    • {API}, {api}, and {api_v1} are all valid identifiers. They identify three distinct variables.
    • {1}, {_api}, and {10alpha} are not valid identifiers.
  • There's a limit of five operators per template pattern.
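
The operator table and the constraints above can be exercised with a small matcher. This is an added example, not the load balancer's implementation and not code from this page: function names are assumptions, a single * is assumed to require a non-empty segment, and each {variable} is assumed to count as one operator toward the limit of five. It also shows the consequence of requests not being percent-decoded: a %2F stays inside one segment at the load balancer, so a backend that decodes it sees a different segment structure than the one the rule matched.

```python
# Added example: simplified model of the path template operators listed above.
# Function names are assumptions; this is not the load balancer's matcher.
import re

VAR_NAME = re.compile(r"^[a-zA-Z][a-zA-Z0-9_]*$")  # identifier rule from this page
MAX_OPERATORS = 5                                   # limit stated on this page
TOKEN = re.compile(r"\{([^{}=]*)(?:=([^{}]*))?\}|\*\*|\*")


def glob_to_regex(glob):
    """Translate an operator body such as '*', '**' or 'news/*' to a regex."""
    out = []
    for piece in re.split(r"(\*\*|\*)", glob):
        if piece == "**":
            out.append(".*")          # zero or more characters, '/' included
        elif piece == "*":
            out.append("[^/]+")       # assumption: one non-empty path segment
        else:
            out.append(re.escape(piece))
    return "".join(out)


def compile_template(template):
    """Validate a path template and compile it to an anchored regex."""
    regex, names, count, pos, saw_double_star = [], set(), 0, 0, False
    for tok in TOKEN.finditer(template):
        if saw_double_star:
            raise ValueError("'**' must be the last operator")
        regex.append(re.escape(template[pos:tok.start()]))
        pos, count = tok.end(), count + 1
        body = tok.group(0)
        if body.startswith("{"):
            name, body = tok.group(1), tok.group(2) or "*"
            if not VAR_NAME.match(name):
                raise ValueError(f"invalid variable name: {name!r}")
            if name in names:
                raise ValueError(f"duplicate variable name: {name!r}")
            names.add(name)
            regex.append(f"(?P<{name}>{glob_to_regex(body)})")
        else:
            regex.append(glob_to_regex(body))
        saw_double_star = "**" in body
    if count > MAX_OPERATORS:   # assumption: a {variable} counts as one operator
        raise ValueError("more than five operators in one template")
    regex.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(regex) + "$")


def match_path(template, request_target):
    """Return the captured variables for a request target, or None if no match."""
    path = request_target.split("?", 1)[0]   # query string is split off first
    # The path is matched as received: no percent-decoding, as the page states.
    found = compile_template(template).match(path)
    return None if found is None else found.groupdict()
```

With the cart template from the example above, match_path returns username abc@xyz.com and cartid FL0001090004/entries/SJFI38u3401nms for the sample request.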

To execute an optional URL rewrite before the request is sent to the origin, you can use the same variables that you defined to capture a path. For example, you can reference, reorder, or omit variables in the pathTemplateRewrite field when defining urlRewrite.

When you use variables and operators for flexible pattern matching for URL rewrites, keep these considerations in mind:

  • When rewriting a URL, you can omit variables if they're not required as part of the rewritten URL.
  • Prior to any rewrites, you can identify the URL sent by the client at your origin by inspecting response headers. The original client URL is populated with the x-client-request-url header and the x-envoy-original-path header.

Hostname and host rule relationship

  • A hostname can only reference a single host rule.

  • A single host rule can process multiple hostnames.

The relationship between hostnames and host rules.

Host rule and path matcher relationship

  • Multiple host rules can reference a single path matcher.

  • A host rule can only reference a single path matcher.

The following diagram illustrates these points.

The relationship between host rules and path matchers.

URL and backend relationship

Each unique URL is directed to only one backend service. Consequently:

  • Trusted Cloud uses the hostname portion of a URL to select a single host rule and its referenced path matcher.

  • When you use path rules in a path matcher, you cannot create more than one path rule for the same path. For example, requests for /videos/hd cannot be directed to more than one backend service. Backend services can have backend instance groups or backend network endpoint groups (NEGs) in different zones and regions.

    To direct traffic for a unique URL to multiple services, you can use route rules instead of path rules. If you configure the path matcher with route rules for header or parameter matches, a unique URL can be directed to more than one backend service, based on the contents of headers or query parameters on the URL.

    Similarly for regional external Application Load Balancers, weighted backend services on route actions can direct the same URL to multiple backend services, depending on the weights set on the weighted backend service.

URL maps and protocols

You can use the same URL map, host rules, and path matchers to process both HTTP and HTTPS requests submitted by clients, as long as both a target HTTP proxy and a target HTTPS proxy reference the URL map.

Simplest URL map

The simplest URL map only has a default backend service. It contains no host rules and no path matchers. The default backend service handles all requested URLs.

If you define a default backend service, Trusted Cloud directs requests to its backend instance groups or backend NEGs according to the backend service's configuration.

URL map with no rules except default.

URL redirects

A URL redirect redirects your domain's visitors from one URL to another.

A default URL redirect is not conditioned on matching any particular pattern in the incoming request. For example, you might want to use a default URL redirect to redirect any hostname to a hostname of your choice.

There are several ways to create a URL redirect, as outlined in the following table.

| Method | Configuration |
| --- | --- |
| URL map's default URL redirect | Top-level defaultUrlRedirect |
| A path matcher's default URL redirect | pathMatchers[].defaultUrlRedirect[] |
| A path matcher's path rule's URL redirect | pathMatchers[].pathRules[].urlRedirect |
| A path matcher's route rule's URL redirect | pathMatchers[].routeRules[].urlRedirect |

Inside of a defaultUrlRedirect or urlRedirect, pathRedirect always works as follows:

  • The entire request path is replaced with the path you specify.

Inside of a defaultUrlRedirect or urlRedirect, how prefixRedirect works depends on how you use it:

  • If you use a defaultUrlRedirect, prefixRedirect is effectively a prefix prepend because the matched path is always /.
  • If you use a urlRedirect within a path matcher's route rule or path rule, prefixRedirect is a prefix replacement based on how the requested path was matched as defined in the path rule or route rule.

Redirect examples

The following examples show some redirect configurations. Each example states what you want and then shows the API configuration that accomplishes it using a default URL redirect.

HTTP-to-HTTPS redirect

  You want: redirect http://host.name/path to https://host.name/path

  Accomplished using a default URL redirect:

    kind: compute#urlMap
    name: web-map-http
    defaultUrlRedirect:
      httpsRedirect: True

HTTP-to-HTTPS + Host redirect

  You want: redirect http://any-host-name/path to https://www.example.com/path

  Accomplished using a default URL redirect:

    kind: compute#urlMap
    name: web-map-http
    defaultUrlRedirect:
      httpsRedirect: True
      hostRedirect: "www.example.com"

HTTP-to-HTTPS + Host redirect + Full path redirect

  You want: redirect http://any-host-name/path to https://www.example.com/newPath

  Accomplished using a default URL redirect:

    kind: compute#urlMap
    name: web-map-http
    defaultUrlRedirect:
      httpsRedirect: True
      hostRedirect: "www.example.com"
      pathRedirect: "/newPath"

HTTP-to-HTTPS + Host redirect + Prefix redirect

  You want: redirect http://any-host-name/originalPath to https://www.example.com/newPrefix/originalPath

  Accomplished using a default URL redirect:

    kind: compute#urlMap
    name: web-map-http
    defaultUrlRedirect:
      httpsRedirect: True
      hostRedirect: "www.example.com"
      prefixRedirect: "/newPrefix"

The following partial snippet annotates each API resource:

defaultUrlRedirect:
   redirectResponseCode: MOVED_PERMANENTLY_DEFAULT
   httpsRedirect: True # True if you want https://, false if you want http://
   hostRedirect: "new-host-name.com" # Omit to keep the requested host
   pathRedirect: "/new-path" # Omit to keep the requested path; mutually exclusive to prefixRedirect
   prefixRedirect: "/newPrefix" # Omit to keep the requested path; mutually exclusive to pathRedirect
   stripQuery: False # True to omit everything in the URL after ?
   ...
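
To review where a redirect configuration sends clients, the fields annotated above can be modelled as a function from request URL to redirect target. This is an added example, not code from this page or from the product: the function and parameter names are assumptions, and the handling of a rule-level prefix (matched_prefix) and of an unset httpsRedirect are assumptions labelled in the comments.

```python
# Added example: models how a defaultUrlRedirect builds the redirect target.
# Function and parameter names are assumptions made for this sketch.
from urllib.parse import urlsplit, urlunsplit


def redirect_location(request_url, cfg, matched_prefix="/"):
    """Return the redirect target for request_url under a urlRedirect config.

    matched_prefix is "/" for a defaultUrlRedirect; for a rule-level
    urlRedirect it is the prefix that the rule matched (assumption: for a
    path rule such as /video/* that is "/video/").
    """
    if "pathRedirect" in cfg and "prefixRedirect" in cfg:
        raise ValueError("pathRedirect and prefixRedirect are mutually exclusive")
    parts = urlsplit(request_url)
    # Assumption: without httpsRedirect the request's own scheme is kept.
    scheme = "https" if cfg.get("httpsRedirect") else parts.scheme
    # Omitting hostRedirect keeps the requested host.
    host = cfg.get("hostRedirect", parts.netloc)
    path = parts.path or "/"
    if "pathRedirect" in cfg:
        path = cfg["pathRedirect"]             # whole path replaced
    elif "prefixRedirect" in cfg:
        rest = path[len(matched_prefix):]      # part after the matched prefix
        path = cfg["prefixRedirect"].rstrip("/") + "/" + rest.lstrip("/")
    query = "" if cfg.get("stripQuery") else parts.query
    return urlunsplit((scheme, host, path, query, ""))


# The four configurations from the redirect examples above, as Python dicts.
HTTPS_ONLY = {"httpsRedirect": True}
HTTPS_HOST = {"httpsRedirect": True, "hostRedirect": "www.example.com"}
HTTPS_HOST_PATH = dict(HTTPS_HOST, pathRedirect="/newPath")
HTTPS_HOST_PREFIX = dict(HTTPS_HOST, prefixRedirect="/newPrefix")
```

When hostRedirect is omitted, the target host is whatever host the client requested, so a configuration meant to land every visitor on one canonical hostname needs hostRedirect set explicitly.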

What's next

  • To add, validate, test, list, or delete a URL map, see Use URL maps.