Use os exemplos a seguir para implantar um balanceador de carga de aplicativo interno regional de amostra.
Se você ainda não usou o Terraform para Cloud de Confiance by S3NS, consulte Introdução ao Terraform.
Para implantações no Cloud de Confiance by S3NS, é necessário incluir na lista de permissões um conjunto de intervalos de endereços IP de sondagem de verificação de integridade diferente dos usados nos exemplos de código neste documento. Para saber mais sobre os diferentes intervalos de verificação de integridade, consulte Intervalos de IP de sondagem e regras de firewall.
Balanceador de carga de aplicativo interno com um back-end MIG
Use os recursos do Terraform para criar um balanceador de carga HTTP interno com um back-end de grupo de instâncias gerenciadas.
Para informações sobre a configuração do balanceador de carga, consulte o guia de configuração principal.
# VPC network that hosts every component of this example.
# Subnets are declared explicitly below, so automatic subnet creation is off.
resource "google_compute_network" "ilb_network" {
  provider                = google-beta
  name                    = "l7-ilb-network"
  auto_create_subnetworks = false
}
# Proxy-only subnet: the range the load balancer's managed proxies use as the
# source of traffic towards the backends. The backend firewall rule below
# admits exactly this range (10.0.0.0/24), so keep the two in sync.
resource "google_compute_subnetwork" "proxy_subnet" {
  provider      = google-beta
  name          = "l7-ilb-proxy-subnet"
  region        = "europe-west1"
  network       = google_compute_network.ilb_network.id
  ip_cidr_range = "10.0.0.0/24"
  purpose       = "REGIONAL_MANAGED_PROXY"
  role          = "ACTIVE"
}
# Backend subnet: the MIG instances, the test VM and the forwarding rule's
# internal address all live in this range.
resource "google_compute_subnetwork" "ilb_subnet" {
  provider      = google-beta
  name          = "l7-ilb-subnet"
  region        = "europe-west1"
  network       = google_compute_network.ilb_network.id
  ip_cidr_range = "10.0.1.0/24"
}
# Forwarding rule: the internal, TCP/80 frontend of the load balancer.
# Nothing in this block references the proxy-only subnet, so the explicit
# depends_on is what orders its creation after that subnet.
resource "google_compute_forwarding_rule" "google_compute_forwarding_rule" {
  provider              = google-beta
  name                  = "l7-ilb-forwarding-rule"
  region                = "europe-west1"
  network               = google_compute_network.ilb_network.id
  subnetwork            = google_compute_subnetwork.ilb_subnet.id
  network_tier          = "PREMIUM"
  load_balancing_scheme = "INTERNAL_MANAGED"
  ip_protocol           = "TCP"
  port_range            = "80"
  target                = google_compute_region_target_http_proxy.default.id
  depends_on            = [google_compute_subnetwork.proxy_subnet]
}
# Regional HTTP target proxy: receives connections from the forwarding rule
# and routes them according to the URL map.
resource "google_compute_region_target_http_proxy" "default" {
  provider = google-beta
  name     = "l7-ilb-target-http-proxy"
  region   = "europe-west1"
  url_map  = google_compute_region_url_map.default.id
}
# Regional URL map with a single default route: every request goes to the
# backend service.
resource "google_compute_region_url_map" "default" {
  provider        = google-beta
  name            = "l7-ilb-regional-url-map"
  region          = "europe-west1"
  default_service = google_compute_region_backend_service.default.id
}
# Regional backend service in front of the managed instance group.
# Traffic from the proxies to the backends is plain HTTP (protocol = "HTTP"),
# so it stays confined to the VPC; backend health comes from the regional
# health check declared below.
resource "google_compute_region_backend_service" "default" {
  provider              = google-beta
  name                  = "l7-ilb-backend-subnet"
  region                = "europe-west1"
  load_balancing_scheme = "INTERNAL_MANAGED"
  protocol              = "HTTP"
  timeout_sec           = 10
  health_checks         = [google_compute_region_health_check.default.id]

  backend {
    group           = google_compute_region_instance_group_manager.mig.instance_group
    balancing_mode  = "UTILIZATION"
    capacity_scaler = 1.0
  }
}
# Instance template for the backend VMs. The "http-server" tag is what the
# proxy-to-backend firewall rule targets. The empty access_config gives each
# VM an external address so apt-get can reach package mirrors; dropping it
# would require another egress path (for example Cloud NAT) for the startup
# script to succeed.
resource "google_compute_instance_template" "instance_template" {
  provider     = google-beta
  name         = "l7-ilb-mig-template"
  machine_type = "e2-small"
  tags         = ["http-server"]

  network_interface {
    network    = google_compute_network.ilb_network.id
    subnetwork = google_compute_subnetwork.ilb_subnet.id
    access_config {
      # add external ip to fetch packages
    }
  }

  disk {
    source_image = "debian-cloud/debian-12"
    auto_delete  = true
    boot         = true
  }

  # Startup script: installs nginx and publishes a page with the VM's hostname,
  # internal IP and its instance attributes (the startup-script attribute is
  # removed with jq before rendering). Note that every other custom attribute
  # set on the instance becomes visible to anyone who can reach port 80.
  # `set -euo pipefail` makes a failed metadata lookup abort the script.
  metadata = {
    startup-script = <<-EOF1
      #! /bin/bash
      set -euo pipefail
      export DEBIAN_FRONTEND=noninteractive
      apt-get update
      apt-get install -y nginx-light jq
      NAME=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/hostname")
      IP=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip")
      METADATA=$(curl -f -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=True" | jq 'del(.["startup-script"])')
      cat <<EOF > /var/www/html/index.html
      <pre>
      Name: $NAME
      IP: $IP
      Metadata: $METADATA
      </pre>
      EOF
    EOF1
  }

  lifecycle {
    create_before_destroy = true
  }
}
# Regional HTTP health check. USE_SERVING_PORT probes the port the backend
# service forwards to, so there is no separate port to keep in sync here.
resource "google_compute_region_health_check" "default" {
  provider = google-beta
  name     = "l7-ilb-hc"
  region   = "europe-west1"

  http_health_check {
    port_specification = "USE_SERVING_PORT"
  }
}
# Regional managed instance group of two VMs built from the template above.
resource "google_compute_region_instance_group_manager" "mig" {
  provider           = google-beta
  name               = "l7-ilb-mig1"
  region             = "europe-west1"
  base_instance_name = "vm"
  target_size        = 2

  version {
    name              = "primary"
    instance_template = google_compute_instance_template.instance_template.id
  }
}
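# Ingress from the health-check probe ranges (130.211.0.0/22, 35.191.0.0/16)
# and the IAP TCP-forwarding range (35.235.240.0/20). The rule has no
# target_tags on purpose: the test VM below is untagged and is reached over IAP.
# Instead of opening every TCP port, it is scoped to the two ports this example
# uses: 80, which the health check probes (USE_SERVING_PORT on the nginx port),
# and 22, which IAP forwards for SSH. Widen the list if a backend serves on
# another port. Cloud de Confiance by S3NS deployments need a different set of
# probe ranges; see the note at the top of this page.
resource "google_compute_firewall" "fw_iap" {
  provider      = google-beta
  name          = "l7-ilb-fw-allow-iap-hc"
  network       = google_compute_network.ilb_network.id
  direction     = "INGRESS"
  source_ranges = ["130.211.0.0/22", "35.191.0.0/16", "35.235.240.0/20"]

  allow {
    protocol = "tcp"
    ports    = ["22", "80"]
  }
}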
# Ingress from the proxy-only subnet to the tagged backends. 10.0.0.0/24 must
# stay equal to the ip_cidr_range of google_compute_subnetwork.proxy_subnet;
# only VMs carrying the "http-server" tag (the MIG instances) are reachable.
resource "google_compute_firewall" "fw_ilb_to_backends" {
  provider      = google-beta
  name          = "l7-ilb-fw-allow-ilb-to-backends"
  network       = google_compute_network.ilb_network.id
  direction     = "INGRESS"
  source_ranges = ["10.0.0.0/24"]
  target_tags   = ["http-server"]

  allow {
    protocol = "tcp"
    ports    = ["80", "443", "8080"]
  }
}
# Test VM placed in the backend subnet, used to call the load balancer's
# internal address. It carries no tags, so the proxy-to-backend rule does not
# apply to it; it is reachable only through the IAP/health-check rule.
resource "google_compute_instance" "vm_test" {
  provider     = google-beta
  name         = "l7-ilb-test-vm"
  zone         = "europe-west1-b"
  machine_type = "e2-small"

  network_interface {
    network    = google_compute_network.ilb_network.id
    subnetwork = google_compute_subnetwork.ilb_subnet.id
  }

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }
}
Balanceador de carga de aplicativo interno com um back-end de MIG e um redirecionamento de HTTP para HTTPS
Os recursos do Terraform podem ser usados para implantar um balanceador de carga HTTPS interno com um back-end do MIG e um redirecionamento de HTTP para HTTPS.
Para informações sobre a configuração do balanceador de carga, consulte o guia de configuração principal.
# VPC network for this example; subnets are created explicitly below.
resource "google_compute_network" "default" {
  name                    = "l7-ilb-network"
  auto_create_subnetworks = false
}
# Proxy-only subnet the managed proxies send backend traffic from. The
# backend firewall rule allows exactly this range (10.0.0.0/24).
resource "google_compute_subnetwork" "proxy_subnet" {
  name          = "l7-ilb-proxy-subnet"
  region        = "europe-west1"
  network       = google_compute_network.default.id
  ip_cidr_range = "10.0.0.0/24"
  purpose       = "REGIONAL_MANAGED_PROXY"
  role          = "ACTIVE"
}
# Backend subnet for the MIG instances, the test VM and the reserved VIP.
resource "google_compute_subnetwork" "default" {
  name          = "l7-ilb-subnet"
  region        = "europe-west1"
  network       = google_compute_network.default.id
  ip_cidr_range = "10.0.1.0/24"
}
# Reserved internal VIP (10.0.1.5) in the backend subnet. The
# SHARED_LOADBALANCER_VIP purpose is what lets the HTTPS forwarding rule and
# the HTTP redirect forwarding rule below use the same address.
resource "google_compute_address" "default" {
  provider     = google-beta
  name         = "l7-ilb-ip"
  region       = "europe-west1"
  subnetwork   = google_compute_subnetwork.default.id
  address_type = "INTERNAL"
  address      = "10.0.1.5"
  purpose      = "SHARED_LOADBALANCER_VIP"
}
# HTTPS frontend: TCP/443 on the reserved VIP, handed to the HTTPS target
# proxy. depends_on orders creation after the proxy-only subnet, which no
# attribute here references.
resource "google_compute_forwarding_rule" "default" {
  name                  = "l7-ilb-forwarding-rule"
  region                = "europe-west1"
  network               = google_compute_network.default.id
  subnetwork            = google_compute_subnetwork.default.id
  network_tier          = "PREMIUM"
  ip_address            = google_compute_address.default.id
  ip_protocol           = "TCP"
  load_balancing_scheme = "INTERNAL_MANAGED"
  port_range            = "443"
  target                = google_compute_region_target_https_proxy.default.id
  depends_on            = [google_compute_subnetwork.proxy_subnet]
}
# Self-signed certificate material for testing only. The private key is
# generated by Terraform and therefore ends up in plain text in the state
# file; protect the state accordingly and do not reuse this key elsewhere.
resource "tls_private_key" "default" {
  algorithm = "RSA"
  rsa_bits  = 2048
}
# Short-lived self-signed server certificate for example.com. Clients will
# not trust it, and the redirect below sends them to the VIP by IP address
# while the certificate only names example.com, so expect a hostname mismatch
# unless the test client resolves example.com to the VIP.
resource "tls_self_signed_cert" "default" {
  private_key_pem = tls_private_key.default.private_key_pem

  # Valid for 12 hours; Terraform re-issues it when run within the last
  # three hours of that window.
  validity_period_hours = 12
  early_renewal_hours   = 3

  # Key usages appropriate for a TLS server certificate.
  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
  ]

  dns_names = ["example.com"]

  subject {
    common_name  = "example.com"
    organization = "ACME Examples, Inc"
  }
}
# Regional SSL certificate resource wrapping the self-signed pair above.
# name_prefix plus create_before_destroy lets a renewed certificate be
# uploaded under a fresh name before the previous one is deleted, so the
# HTTPS proxy never points at a removed certificate.
resource "google_compute_region_ssl_certificate" "default" {
  name_prefix = "my-certificate-"
  region      = "europe-west1"
  private_key = tls_private_key.default.private_key_pem
  certificate = tls_self_signed_cert.default.cert_pem

  lifecycle {
    create_before_destroy = true
  }
}
# Regional HTTPS target proxy: terminates TLS with the certificate above and
# routes requests through the HTTPS URL map.
resource "google_compute_region_target_https_proxy" "default" {
  name             = "l7-ilb-target-https-proxy"
  region           = "europe-west1"
  url_map          = google_compute_region_url_map.https_lb.id
  ssl_certificates = [google_compute_region_ssl_certificate.default.self_link]
}
# URL map for the HTTPS frontend: a single default route to the backend service.
resource "google_compute_region_url_map" "https_lb" {
  name            = "l7-ilb-regional-url-map"
  region          = "europe-west1"
  default_service = google_compute_region_backend_service.default.id
}
# Regional backend service. TLS is terminated at the proxy; proxy-to-backend
# traffic is plain HTTP on the "http-server" named port, which the MIG below
# maps to port 80.
resource "google_compute_region_backend_service" "default" {
  name                  = "l7-ilb-backend-service"
  region                = "europe-west1"
  load_balancing_scheme = "INTERNAL_MANAGED"
  protocol              = "HTTP"
  port_name             = "http-server"
  timeout_sec           = 10
  health_checks         = [google_compute_region_health_check.default.id]

  backend {
    group           = google_compute_region_instance_group_manager.default.instance_group
    balancing_mode  = "UTILIZATION"
    capacity_scaler = 1.0
  }
}
# Instance template for the backend VMs. The "http-server" tag is what the
# proxy-to-backend firewall rule targets. The empty access_config assigns an
# external address so the startup script can install packages; removing it
# requires another egress path (for example Cloud NAT).
resource "google_compute_instance_template" "default" {
  name         = "l7-ilb-mig-template"
  machine_type = "e2-small"
  tags         = ["http-server"]

  network_interface {
    network    = google_compute_network.default.id
    subnetwork = google_compute_subnetwork.default.id
    access_config {
      # add external ip to fetch packages
    }
  }

  disk {
    source_image = "debian-cloud/debian-12"
    auto_delete  = true
    boot         = true
  }

  # Startup script: installs nginx and serves the hostname, internal IP and
  # the instance's custom attributes (minus startup-script, which jq strips).
  # Any other attribute on the instance is thereby exposed on port 80.
  metadata = {
    startup-script = <<-EOF1
      #! /bin/bash
      set -euo pipefail
      export DEBIAN_FRONTEND=noninteractive
      apt-get update
      apt-get install -y nginx-light jq
      NAME=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/hostname")
      IP=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip")
      METADATA=$(curl -f -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=True" | jq 'del(.["startup-script"])')
      cat <<EOF > /var/www/html/index.html
      <pre>
      Name: $NAME
      IP: $IP
      Metadata: $METADATA
      </pre>
      EOF
    EOF1
  }

  lifecycle {
    create_before_destroy = true
  }
}
# Regional HTTP health check probing the backend service's serving port.
resource "google_compute_region_health_check" "default" {
  name   = "l7-ilb-hc"
  region = "europe-west1"

  http_health_check {
    port_specification = "USE_SERVING_PORT"
  }
}
# Regional MIG of two VMs. The "http-server" named port (80) is what the
# backend service's port_name resolves to.
resource "google_compute_region_instance_group_manager" "default" {
  name               = "l7-ilb-mig1"
  region             = "europe-west1"
  base_instance_name = "vm"
  target_size        = 2

  version {
    name              = "primary"
    instance_template = google_compute_instance_template.default.id
  }

  named_port {
    name = "http-server"
    port = 80
  }
}
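# Ingress from the health-check probe ranges (130.211.0.0/22, 35.191.0.0/16)
# and the IAP TCP-forwarding range (35.235.240.0/20); the original comment
# mentioned only health checks, but the third range is IAP. No target_tags so
# the untagged test VM stays reachable over IAP. Limited to the ports this
# example uses — 80 for the health check (USE_SERVING_PORT on the http-server
# named port) and 22 for IAP SSH — instead of every TCP port; widen the list if
# a backend serves elsewhere. Cloud de Confiance by S3NS deployments use a
# different probe range set; see the note at the top of this page.
resource "google_compute_firewall" "default" {
  name          = "l7-ilb-fw-allow-hc"
  network       = google_compute_network.default.id
  direction     = "INGRESS"
  source_ranges = ["130.211.0.0/22", "35.191.0.0/16", "35.235.240.0/20"]

  allow {
    protocol = "tcp"
    ports    = ["22", "80"]
  }
}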
# Ingress from the proxy-only subnet to the tagged backends only. 10.0.0.0/24
# must match google_compute_subnetwork.proxy_subnet's ip_cidr_range.
resource "google_compute_firewall" "backends" {
  name          = "l7-ilb-fw-allow-ilb-to-backends"
  network       = google_compute_network.default.id
  direction     = "INGRESS"
  source_ranges = ["10.0.0.0/24"]
  target_tags   = ["http-server"]

  allow {
    protocol = "tcp"
    ports    = ["80", "443", "8080"]
  }
}
# Untagged test VM in the backend subnet for exercising the VIP from inside
# the VPC; reachable only via the IAP/health-check firewall rule.
resource "google_compute_instance" "default" {
  name         = "l7-ilb-test-vm"
  zone         = "europe-west1-b"
  machine_type = "e2-small"

  network_interface {
    network    = google_compute_network.default.id
    subnetwork = google_compute_subnetwork.default.id
  }

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }
}
### HTTP-to-HTTPS redirect ###
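# HTTP (TCP/80) frontend used only to redirect to HTTPS. It shares the
# reserved VIP with the HTTPS forwarding rule. The depends_on mirrors that
# rule: nothing here references the proxy-only subnet, so without it Terraform
# may attempt to create this rule before the proxy-only subnet exists.
resource "google_compute_forwarding_rule" "redirect" {
  name                  = "l7-ilb-redirect"
  region                = "europe-west1"
  network               = google_compute_network.default.id
  subnetwork            = google_compute_subnetwork.default.id
  network_tier          = "PREMIUM"
  ip_address            = google_compute_address.default.id # Same as HTTPS load balancer
  ip_protocol           = "TCP"
  load_balancing_scheme = "INTERNAL_MANAGED"
  port_range            = "80"
  target                = google_compute_region_target_http_proxy.default.id
  depends_on            = [google_compute_subnetwork.proxy_subnet]
}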
# Regional HTTP target proxy for the redirect frontend.
resource "google_compute_region_target_http_proxy" "default" {
  name    = "l7-ilb-target-http-proxy"
  region  = "europe-west1"
  url_map = google_compute_region_url_map.redirect.id
}
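# URL map for the HTTP frontend: redirects to HTTPS on the shared VIP.
# host_redirect is derived from google_compute_address.default so the target
# cannot drift from the reserved address. Only the exact path "/" is listed in
# path_rule; requests for any other path fall through to default_service over
# plain HTTP, so use "/*" if every path must be redirected.
resource "google_compute_region_url_map" "redirect" {
  name            = "l7-ilb-redirect-url-map"
  region          = "europe-west1"
  default_service = google_compute_region_backend_service.default.id

  host_rule {
    hosts        = ["*"]
    path_matcher = "allpaths"
  }

  path_matcher {
    name            = "allpaths"
    default_service = google_compute_region_backend_service.default.id

    path_rule {
      paths = ["/"]
      url_redirect {
        https_redirect         = true
        host_redirect          = "${google_compute_address.default.address}:443"
        redirect_response_code = "PERMANENT_REDIRECT"
        strip_query            = true
      }
    }
  }
}
Balanceador de carga de aplicativo interno que usa VPC compartilhada e um serviço de back-end entre projetos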
É possível usar recursos do Terraform para implantar um balanceador de carga de aplicativo interno que usa VPC compartilhada e um serviço de back-end entre projetos. O diagrama de arquitetura a seguir mostra em qual projeto cada componente do balanceador de carga é criado.
Antes de configurar um balanceador de carga de aplicativo interno que use a VPC compartilhada, verifique se você tem as permissões do IAM necessárias nos projetos host e de serviço. Para informações detalhadas sobre a configuração do balanceador de carga, consulte o guia de configuração principal.
# Shared VPC network, owned by the host project.
resource "google_compute_network" "default" {
  project                 = "my-host-project"
  name                    = "l7-ilb-network"
  auto_create_subnetworks = false
}
# Proxy-only subnet in the host project. Backend traffic from the managed
# proxies is sourced from this range (10.0.0.0/24).
# https://cloud.google.com/load-balancing/docs/proxy-only-subnets#proxy_only_subnet_create
resource "google_compute_subnetwork" "proxy_subnet" {
  project       = "my-host-project"
  name          = "l7-ilb-proxy-subnet"
  region        = "us-central1"
  network       = google_compute_network.default.id
  ip_cidr_range = "10.0.0.0/24"
  purpose       = "REGIONAL_MANAGED_PROXY"
  role          = "ACTIVE"
}
# Backend subnet in the host project; the service projects attach their
# VMs and forwarding rule to it.
resource "google_compute_subnetwork" "ilb_subnet" {
  project       = "my-host-project"
  name          = "l7-ilb-subnet"
  region        = "us-central1"
  network       = google_compute_network.default.id
  ip_cidr_range = "10.0.1.0/24"
}
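# Host-project ingress rule for the health-check probe ranges (130.211.0.0/22,
# 35.191.0.0/16) and the IAP TCP-forwarding range (35.235.240.0/20). It has no
# target_tags so the untagged test VM remains reachable over IAP. Scoped to the
# ports this example uses — 80 for both health checks (the regional HTTP check
# uses USE_SERVING_PORT, the auto-healing TCP check targets port 80) and 22 for
# IAP SSH — rather than every TCP port; widen if a backend serves elsewhere.
# Cloud de Confiance by S3NS deployments need a different set of probe ranges;
# see the note at the top of this page.
resource "google_compute_firewall" "fw_iap" {
  project       = "my-host-project"
  name          = "l7-ilb-fw-allow-iap-hc"
  network       = google_compute_network.default.id
  direction     = "INGRESS"
  source_ranges = ["130.211.0.0/22", "35.191.0.0/16", "35.235.240.0/20"]

  allow {
    protocol = "tcp"
    ports    = ["22", "80"]
  }
}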
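# Ingress from the proxy-only subnet to the tagged backends. The original
# listed 0.0.0.0/0 here, which contradicts its own comment and the two sibling
# examples on this page and would admit ports 80/443/8080 from any source;
# the range is now taken from the proxy-only subnet resource itself, so it
# cannot drift from that subnet's ip_cidr_range (10.0.0.0/24).
resource "google_compute_firewall" "fw_ilb_to_backends" {
  project       = "my-host-project"
  name          = "l7-ilb-fw-allow-ilb-to-backends"
  network       = google_compute_network.default.id
  direction     = "INGRESS"
  source_ranges = [google_compute_subnetwork.proxy_subnet.ip_cidr_range]
  target_tags   = ["http-server"]

  allow {
    protocol = "tcp"
    ports    = ["80", "443", "8080"]
  }
}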
# Frontend in service project 01: TCP/80 forwarding rule attached to the
# host project's backend subnet. depends_on orders it after the proxy-only
# subnet, which no attribute here references.
resource "google_compute_forwarding_rule" "default" {
  project               = "my-service-project-01"
  name                  = "l7-ilb-forwarding-rule"
  region                = "us-central1"
  network               = google_compute_network.default.id
  subnetwork            = google_compute_subnetwork.ilb_subnet.id
  network_tier          = "PREMIUM"
  load_balancing_scheme = "INTERNAL_MANAGED"
  ip_protocol           = "TCP"
  port_range            = "80"
  target                = google_compute_region_target_http_proxy.default.id
  depends_on            = [google_compute_subnetwork.proxy_subnet]
}
# HTTP target proxy, owned by service project 01 together with the URL map.
resource "google_compute_region_target_http_proxy" "default" {
  project = "my-service-project-01"
  name    = "l7-ilb-target-http-proxy"
  region  = "us-central1"
  url_map = google_compute_region_url_map.default.id
}
# URL map in service project 01 whose default route points at the backend
# service that lives in service project 02 (cross-project backend).
resource "google_compute_region_url_map" "default" {
  project         = "my-service-project-01"
  name            = "l7-ilb-regional-url-map"
  region          = "us-central1"
  default_service = google_compute_region_backend_service.default.id
}
# Regional HTTP health check (service project 02) used by the backend service;
# it probes whatever port the backend service forwards to.
resource "google_compute_region_health_check" "default" {
  project = "my-service-project-02"
  name    = "l7-ilb-rhc"
  region  = "us-central1"

  http_health_check {
    port_specification = "USE_SERVING_PORT"
  }
}
# Regional backend service in service project 02, referenced across projects
# by the URL map in service project 01.
resource "google_compute_region_backend_service" "default" {
  project               = "my-service-project-02"
  name                  = "l7-ilb-backend-service"
  region                = "us-central1"
  load_balancing_scheme = "INTERNAL_MANAGED"
  protocol              = "HTTP"
  timeout_sec           = 10
  health_checks         = [google_compute_region_health_check.default.id]

  backend {
    group           = google_compute_region_instance_group_manager.default.instance_group
    balancing_mode  = "UTILIZATION"
    capacity_scaler = 1.0
  }
}
# Global TCP health check on port 80, used only by the MIG's auto-healing
# policy (the load balancer itself uses the regional HTTP check). A 1 s
# timeout and interval is aggressive and will recreate VMs on brief stalls;
# tune for real workloads.
resource "google_compute_health_check" "default" {
  project            = "my-service-project-02"
  name               = "l7-ilb-hc"
  check_interval_sec = 1
  timeout_sec        = 1

  tcp_health_check {
    port = "80"
  }
}
# Instance template in service project 02, attached to the host project's
# backend subnet. "http-server" is the tag the backend firewall rule targets.
# The empty access_config gives each VM an external address so apt-get can
# reach package mirrors; dropping it needs another egress path (e.g. Cloud NAT).
resource "google_compute_instance_template" "default" {
  project      = "my-service-project-02"
  name         = "l7-ilb-mig-template"
  machine_type = "e2-small"
  tags         = ["http-server"]

  network_interface {
    network    = google_compute_network.default.id
    subnetwork = google_compute_subnetwork.ilb_subnet.id
    access_config {
      # add external ip to fetch packages
    }
  }

  disk {
    source_image = "debian-cloud/debian-12"
    auto_delete  = true
    boot         = true
  }

  # Startup script: installs nginx and serves the hostname, internal IP and
  # the instance's custom attributes (jq removes only startup-script), so any
  # other attribute set on the instance is visible to clients of port 80.
  metadata = {
    startup-script = <<-EOF1
      #! /bin/bash
      set -euo pipefail
      export DEBIAN_FRONTEND=noninteractive
      apt-get update
      apt-get install -y nginx-light jq
      NAME=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/hostname")
      IP=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip")
      METADATA=$(curl -f -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=True" | jq 'del(.["startup-script"])')
      cat <<EOF > /var/www/html/index.html
      <pre>
      Name: $NAME
      IP: $IP
      Metadata: $METADATA
      </pre>
      EOF
    EOF1
  }
}
# Regional MIG in service project 02 with auto-healing driven by the TCP
# health check. It waits for the networkUser IAM binding: without that grant
# the service project cannot place VMs in the host project's subnet.
resource "google_compute_region_instance_group_manager" "default" {
  project            = "my-service-project-02"
  name               = "l7-ilb-mig1"
  region             = "us-central1"
  base_instance_name = "vm"
  target_size        = 2

  version {
    name              = "primary"
    instance_template = google_compute_instance_template.default.id
  }

  auto_healing_policies {
    health_check      = google_compute_health_check.default.id
    initial_delay_sec = 300
  }

  depends_on = [google_project_iam_binding.default]
}
# Looks up service project 02 to obtain its project number, which forms the
# name of its Google APIs service account used in the IAM binding below.
data "google_project" "service_project02" {
  project_id = "my-service-project-02"
}
# Grants roles/compute.networkUser on the host project to service project 02's
# Google APIs service account so it can use the shared subnet.
# google_project_iam_binding is authoritative for the role: applying it
# removes any other member that currently holds compute.networkUser on
# my-host-project. If other principals need that role, prefer
# google_project_iam_member or add them to this list.
resource "google_project_iam_binding" "default" {
  project = "my-host-project"
  role    = "roles/compute.networkUser"

  members = [
    "serviceAccount:${data.google_project.service_project02.number}@cloudservices.gserviceaccount.com",
  ]
}
# Untagged test VM in service project 02 on the shared backend subnet, for
# calling the load balancer from inside the VPC; reachable only via the
# IAP/health-check rule. ssh-keys metadata is ignored so keys added out of
# band (for example by OS Login or gcloud) are not reverted on apply.
resource "google_compute_instance" "test_vm" {
  project      = "my-service-project-02"
  name         = "l7-ilb-test-vm"
  zone         = "us-central1-b"
  machine_type = "e2-small"

  network_interface {
    network    = google_compute_network.default.id
    subnetwork = google_compute_subnetwork.ilb_subnet.id
  }

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  lifecycle {
    ignore_changes = [
      metadata["ssh-keys"]
    ]
  }

  depends_on = [google_project_iam_binding.default]
}