A forwarding rule specifies how to route network traffic to the backend services of a load balancer. A forwarding rule includes an IP address, an IP protocol, and one or more ports on which the load balancer accepts traffic. Some Trusted Cloud by S3NS load balancers limit you to a predefined set of ports, and others let you specify arbitrary ports.
A forwarding rule and its corresponding IP address represent the frontend configuration of a Trusted Cloud by S3NS load balancer.
Depending on the load balancer type, the following is true:
- Forwarding rules specify either a backend service, target proxy, or target pool.
- Forwarding rules and their IP addresses are either internal or external.
- Forwarding rules are regional.
In addition, a regional forwarding rule can be a resource that's designated as a service in App Hub applications.
Internal forwarding rules
Internal forwarding rules forward traffic that originates inside a Trusted Cloud network. The clients can be in the same Virtual Private Cloud (VPC) network as the backends, or the clients can be in a connected network.
Internal forwarding rules are used by the following Trusted Cloud load balancers:
- Internal Application Load Balancer
- Internal proxy Network Load Balancer
- Internal passthrough Network Load Balancer
Internal Application Load Balancer
The internal Application Load Balancer supports IPv4 traffic using the HTTP, HTTPS, or HTTP/2 protocol.
The scope of the forwarding rule depends on the type of load balancer:
- Each regional internal Application Load Balancer has at least one regional internal forwarding rule. The regional internal forwarding rule points to the load balancer's regional target HTTP or HTTPS proxy. The forwarding rule is associated with a regional internal IP address.
Internal managed forwarding rules connected to a target HTTP(S) proxy support any port number between 1 and 65535 inclusive.
As an example, the following diagram shows how a forwarding rule fits into the regional internal Application Load Balancer architecture.
For more information about internal Application Load Balancers, see the following pages:
- Internal Application Load Balancer overview
- Set up an internal Application Load Balancer
- Internal Application Load Balancers and connected networks
Internal proxy Network Load Balancer
With an internal proxy Network Load Balancer, the supported traffic type is IPv4, and the supported protocol is TCP.
The scope of the forwarding rule depends on the type of load balancer:
- Each regional internal proxy Network Load Balancer has at least one regional internal forwarding rule. The forwarding rule specifies an internal IP address, port, and regional target TCP proxy. Clients use the IP address and port to connect to the load balancer's Envoy proxies—the forwarding rule's IP address is the IP address of the load balancer (sometimes called a virtual IP address or VIP).
Internal managed forwarding rules connected to a target TCP proxy support any port number between 1 and 65535 inclusive.
The following diagram shows how a forwarding rule fits into the regional internal proxy Network Load Balancer architecture.
For more details about internal proxy Network Load Balancers, see the following pages:
- Internal proxy Network Load Balancer overview
- Internal proxy Network Load Balancer and connected networks
Internal passthrough Network Load Balancer
With an internal passthrough Network Load Balancer, the supported traffic types are either IPv4 or IPv6. For information about the supported protocols, see Forwarding rule protocols.
Each internal passthrough Network Load Balancer has at least one regional internal forwarding rule. The regional internal forwarding rules point to the load balancer's regional internal backend service. The following diagram shows how a forwarding rule fits into the internal passthrough Network Load Balancer architecture.
The following diagram shows how the load balancer components fit within a subnet and region.
The internal forwarding rule must be defined in a region and a subnet. The backend service only needs to correspond to that region.
For more information about internal passthrough Network Load Balancers, see the following pages:
- Internal passthrough Network Load Balancer overview
- Set up an internal passthrough Network Load Balancer
- Internal passthrough Network Load Balancers and connected networks
External forwarding rules
External forwarding rules accept traffic from client systems that have internet access, including:
- A client outside of Trusted Cloud
- A Trusted Cloud VM with an external IP address
- A Trusted Cloud VM without an external IP address using Cloud NAT or an instance-based NAT system
External forwarding rules are used by the following Trusted Cloud load balancer types:
- External Application Load Balancer
- External proxy Network Load Balancer
- External passthrough Network Load Balancer
External Application Load Balancer
For external Application Load Balancers, the forwarding rule and IP address depend on the load balancer mode, and the Network Service Tiers that you select for the load balancer.
In an external Application Load Balancer, a forwarding rule points to a target HTTP(S) proxy. External forwarding rules connected to a target HTTP(S) proxy support any port number between 1 and 65535 inclusive.
Regional external Application Load Balancers use a regional external IPv4 address and a regional external forwarding rule.
The following diagram shows how a regional forwarding rule fits into the architecture for a regional external Application Load Balancer.
For more information about external Application Load Balancers, see the External Application Load Balancer overview.
External proxy Network Load Balancer
An external proxy Network Load Balancer offers TCP proxying capability. These load balancers are similar to external Application Load Balancers because they can terminate TCP sessions. However, these load balancers don't support path-based redirection like external Application Load Balancers.
In an external proxy Network Load Balancer, a forwarding rule points to a target TCP proxy. External forwarding rules connected to a target TCP proxy support any port number between 1 and 65535 inclusive.
The following diagram shows how a forwarding rule fits into the regional external proxy Network Load Balancer architecture.
For more information about external proxy Network Load Balancers, see the External proxy Network Load Balancer overview. For information about configuring external proxy Network Load Balancers, see Set up an external proxy Network Load Balancer.
External passthrough Network Load Balancer
An external passthrough Network Load Balancer is a pass-through load balancer that distributes traffic among backend instances in a single region. It uses a regional external forwarding rule and a regional external IP address. The regional external IP address can be accessed from anywhere on the internet and by Trusted Cloud VMs with internet access.
For backend service-based external passthrough Network Load Balancers, the regional external forwarding rule points to a backend service. Backend service-based external passthrough Network Load Balancers support TCP, UDP, ESP, GRE, ICMP, and ICMPv6 traffic. For details, see Forwarding rule protocols for backend service-based external passthrough Network Load Balancers. Forwarding rules for backend service-based load balancers can be configured with either IPv4 or IPv6 addresses. Forwarding rules for backend service-based external passthrough Network Load Balancers support the following advanced features:
- Direct traffic coming from a specific range of source IP addresses to a specific backend service. For more information, see Traffic steering.
- Distribute traffic across the load balancer's backend instances based on the weights reported by an HTTP health check using Weighted load balancing.
For target pool-based external passthrough Network Load Balancers, the forwarding rule points to a target pool. A target pool-based external passthrough Network Load Balancer supports only TCP or UDP traffic. Forwarding rules for target pool-based external passthrough Network Load Balancer support only IPv4 addresses.
To support backend instances in more than one region, you must create an external passthrough Network Load Balancer in each region.
The following figure shows an external passthrough Network Load Balancer which has a regional external forwarding rule with the IP address 120.1.1.1. The load balancer is serving requests from backends in the us-central1 region.
For more information about external passthrough Network Load Balancers, see the External passthrough Network Load Balancer overview. For information about configuring external passthrough Network Load Balancers, see one of the following:
- Setting up an external passthrough Network Load Balancer with a backend service (TCP or UDP traffic only)
- Setting up an external passthrough Network Load Balancer with a backend service (multiple protocols)
- Setting up an external passthrough Network Load Balancer with a target pool
IP protocol specifications
Each forwarding rule has an associated IP protocol that the rule will serve. The default protocol value is TCP.
Product | Load balancing scheme | IP protocol options |
---|---|---|
Regional external Application Load Balancer | EXTERNAL_MANAGED | TCP |
Regional internal Application Load Balancer | INTERNAL_MANAGED | TCP |
Regional external proxy Network Load Balancer | EXTERNAL_MANAGED | TCP |
Regional internal proxy Network Load Balancer | INTERNAL_MANAGED | TCP |
External passthrough Network Load Balancer | EXTERNAL | TCP, UDP, or L3_DEFAULT |
Internal passthrough Network Load Balancer | INTERNAL | TCP, UDP, or L3_DEFAULT |
Cloud Service Mesh | INTERNAL_SELF_MANAGED | TCP |
IP address specifications
The forwarding rule must have an IP address that your customers use to reach your load balancer. The IP address can be static or ephemeral.
A static IP address provides a single reserved IP address that you can point your domain to. If you ever need to delete your forwarding rule and re-add it, you can continue using the same reserved IP address.
An ephemeral IP address remains constant while the forwarding rule exists. When you choose an ephemeral IP address, Trusted Cloud associates an IP address with your load balancer's forwarding rule. If you need to delete the forwarding rule and re-add it, the forwarding rule might receive a new IP address.
Depending on the load balancer type, the IP address can have various attributes. The following table summarizes the valid IP address configurations, based on the load balancing scheme and the target of the forwarding rule.
Product and scheme | Target | IP address type | IP address scope | IP address tier | Reservable IP address | Notes |
---|---|---|---|---|---|---|
Regional external Application Load Balancer (EXTERNAL_MANAGED) | Target HTTP proxy, Target HTTPS proxy | External | Regional | Premium Tier | Yes, optional | IPv6 not available |
Regional internal Application Load Balancer (INTERNAL_MANAGED) | Target HTTP proxy, Target HTTPS proxy | Internal | Regional | Premium Tier | Yes, optional | Forwarding rule address must be within the primary IPv4 address range of the associated subnet. |
Regional external proxy Network Load Balancer (EXTERNAL_MANAGED) | Target TCP proxy | External | Regional | Premium Tier | Yes, optional | IPv6 not available |
Regional internal proxy Network Load Balancer (INTERNAL_MANAGED) | Target TCP proxy | Internal | Regional | Premium Tier | Yes, optional | Forwarding rule address must be within the primary IPv4 address range of the associated subnet. |
External passthrough Network Load Balancer (EXTERNAL) | Backend service, Target pool | External | Regional | Premium (IPv4 or IPv6 addresses) | Yes, optional | IPv6 support requires a backend service-based external passthrough Network Load Balancer. Forwarding rule IPv6 address must be within a subnet's external IPv6 address range. The external IPv6 address is sourced from the subnet's external IPv6 address range and is therefore in Premium Tier. |
Internal passthrough Network Load Balancer (INTERNAL) | Backend service | Internal | Regional | Premium Tier | Yes, optional | For IPv4 traffic, the forwarding rule must reference an IPv4 address from the primary IPv4 subnet range. For IPv6 traffic, the forwarding rule must reference a |
Classic VPN (EXTERNAL) | See the Classic VPN documentation | External | Regional | Cloud VPN doesn't have Network Service Tiers | Yes, required | IPv6 not supported |
EXTERNAL_MANAGED backend services to EXTERNAL forwarding rules. However, EXTERNAL backend services cannot be attached to EXTERNAL_MANAGED forwarding rules.
To take advantage of new features available only with the global external Application Load Balancer, we recommend that you migrate your existing EXTERNAL resources to EXTERNAL_MANAGED by using the migration process described at Migrate resources from classic to global external Application Load Balancer.
Multiple forwarding rules with a common IP address
Two or more forwarding rules with the EXTERNAL or EXTERNAL_MANAGED load balancing scheme (or a combination of both) can share the same IP address if the following are true:
- The ports used by each forwarding rule don't overlap. This is because each combination of IP address + protocol + port must be unique.
- The Network Service Tier of each forwarding rule matches the Network Service Tier of the external IP address.
Examples:
- An external passthrough Network Load Balancer that accepts traffic on TCP port 79 and another external passthrough Network Load Balancer that accepts traffic on TCP port 80 can share the same regional external IP address.
- You can use the same global external IP address for an external Application Load Balancer (HTTP and HTTPS).
Two or more forwarding rules with the INTERNAL or INTERNAL_MANAGED load balancing scheme (or a combination of both) can share the same IP address if the following is true:
- The ports used by each forwarding rule don't overlap. This is because each combination of IP address + protocol + port must be unique.
For more information, see the following:
- For internal passthrough Network Load Balancers, see Internal passthrough Network Load Balancer forwarding rules that use a common IP address
- For internal Application Load Balancers, see Use a common IP address between multiple internal forwarding rules
- For internal proxy Network Load Balancers, see Forwarding rules and IP addresses
Port specifications
The following table summarizes the valid port configurations, based on the load balancing scheme and the target of the forwarding rule.
Product | Load balancing scheme | Target | Port requirements |
---|---|---|---|
Regional external Application Load Balancer | EXTERNAL_MANAGED | Target HTTP proxy, Target HTTPS proxy | Can reference exactly one port from 1-65535 |
Regional internal Application Load Balancer | INTERNAL_MANAGED | Target HTTP proxy, Target HTTPS proxy | Can reference exactly one port from 1-65535 |
Regional external proxy Network Load Balancer | EXTERNAL_MANAGED | Target TCP proxy | Can reference exactly one port from 1-65535 |
Regional internal proxy Network Load Balancer | INTERNAL_MANAGED | Target TCP proxy | Can reference exactly one port from 1-65535 |
External passthrough Network Load Balancer | EXTERNAL | Backend service | If the forwarding rule protocol is TCP or UDP, you can configure: If the forwarding rule protocol is L3_DEFAULT, you must configure all ports. |
External passthrough Network Load Balancer | EXTERNAL | Target pool | Must be a single port range (contiguous). Specifying a port is optional for forwarding rules used with target pool-based external passthrough Network Load Balancers. If no port is specified, traffic from all ports (1-65535) is forwarded. |
Internal passthrough Network Load Balancer | INTERNAL | Backend service | Up to five (contiguous or non-contiguous) ports, or you can configure all ports using one of these methods: set --ports=ALL using the gcloud command line tool, or set allPorts to True using the API. |
Classic VPN | EXTERNAL | Target VPN gateway | Can reference exactly one of the following ports: 500, 4500 |
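The shared-IP rule from Multiple forwarding rules with a common IP address and the port table above are the kind of constraints worth checking before a frontend is created, since an overlapping or mis-sized rule is rejected only at deployment time. The following lint is an added example, not code from the Trusted Cloud documentation or product; the rule names, addresses and tiers are constructed, and the target names and the dictionary of reserved-address tiers are assumptions of this example.

```python
from dataclasses import dataclass
from itertools import combinations

PROXY_TARGETS = {"target_http_proxy", "target_https_proxy", "target_tcp_proxy"}

@dataclass(frozen=True)
class ForwardingRule:
    name: str
    scheme: str        # EXTERNAL, EXTERNAL_MANAGED, INTERNAL or INTERNAL_MANAGED
    ip: str
    protocol: str      # TCP, UDP or L3_DEFAULT
    target: str        # a PROXY_TARGETS member, "backend_service" or "target_pool"
    ports: tuple = ()  # explicit ports; empty means all ports (1-65535)
    tier: str = "PREMIUM"

def port_set(rule):
    """Ports the rule accepts: the explicit list, or 1-65535 when none is given."""
    return set(rule.ports) if rule.ports else set(range(1, 65536))

def port_problems(rule):
    """Port-specification violations for one rule, following the table above."""
    problems = []
    if rule.target in PROXY_TARGETS and len(rule.ports) != 1:
        problems.append("proxy target must reference exactly one port")
    if rule.protocol == "L3_DEFAULT" and rule.ports:
        problems.append("L3_DEFAULT requires all ports")
    if rule.scheme == "INTERNAL" and rule.target == "backend_service" and len(rule.ports) > 5:
        problems.append("INTERNAL backend service allows at most five ports, or all")
    if rule.target == "target_pool" and rule.ports:
        lo, hi = min(rule.ports), max(rule.ports)
        if set(rule.ports) != set(range(lo, hi + 1)):
            problems.append("target pool needs one contiguous port range")
    return problems

def shared_ip_conflicts(rules, ip_tiers):
    """Pairs that may not share an IP (same IP + protocol with overlapping ports) and external rules whose tier differs from the reserved address's tier."""
    conflicts = []
    for rule in rules:
        if rule.scheme.startswith("EXTERNAL") and ip_tiers.get(rule.ip, rule.tier) != rule.tier:
            conflicts.append((rule.name, rule.ip, "tier does not match the IP address tier"))
    for a, b in combinations(rules, 2):
        if a.ip == b.ip and a.protocol == b.protocol and port_set(a) & port_set(b):
            conflicts.append((a.name, b.name, "IP + protocol + port not unique"))
    return conflicts

# Constructed sample frontends (documentation address ranges, not real deployments).
SAMPLE_IP_TIERS = {"203.0.113.10": "PREMIUM"}
SAMPLE_RULES = [
    ForwardingRule("fr-tcp-80", "EXTERNAL", "203.0.113.10", "TCP", "backend_service", (80,)),
    ForwardingRule("fr-tcp-79", "EXTERNAL", "203.0.113.10", "TCP", "backend_service", (79,)),
    ForwardingRule("fr-pool", "EXTERNAL", "203.0.113.10", "TCP", "target_pool", (80, 81)),
    ForwardingRule("fr-dns", "EXTERNAL", "203.0.113.10", "UDP", "backend_service", (53,), "STANDARD"),
    ForwardingRule("fr-l3", "EXTERNAL", "203.0.113.11", "L3_DEFAULT", "backend_service", (443,)),
    ForwardingRule("fr-proxy", "EXTERNAL_MANAGED", "203.0.113.12", "TCP", "target_http_proxy", (80, 443)),
]
```

Running `port_problems` over each rule and `shared_ip_conflicts(SAMPLE_RULES, SAMPLE_IP_TIERS)` reproduces the page's own example (TCP 79 and TCP 80 coexist on one address) while flagging the target pool that overlaps port 80 and the Standard Tier rule placed on a Premium Tier address.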
IAM conditions
With Identity and Access Management (IAM) conditions, you can set conditions to control which roles are granted to principals. This feature lets you grant permissions to principals if configured conditions are met.
An IAM condition checks the load balancing scheme (for example, INTERNAL or EXTERNAL) in the forwarding rule and allows (or disallows) creation of the forwarding rule. If a principal tries to create a forwarding rule without permission, an error message appears.
For more information, see IAM Conditions.
Use forwarding rules
If you're using the Trusted Cloud console to set up a load balancer, the forwarding rule is set up implicitly as part of your frontend configuration. If you're using the Google Cloud CLI or the API, you need to configure the forwarding rule explicitly.
After creating a forwarding rule, you can make limited changes to it. For example, after a forwarding rule is defined, you can't change its IP address, port number, or protocol. However, you can update certain settings for forwarding rules by editing the frontend configuration of the load balancer they are associated with. Use either the gcloud CLI or the API to make any other changes.
Change the IP address of a forwarding rule
You cannot change the IP address of an existing forwarding rule. To update the IP address of a forwarding rule, you must delete and recreate the rule as follows:
- Delete the forwarding rule using the gcloud compute forwarding-rules delete command or the forwardingRules.delete method.
- Recreate the forwarding rule using the gcloud compute forwarding-rules create command or the forwardingRules.insert method.
APIs
For descriptions of the properties and methods available to you when working with forwarding rules through the REST API, see the following:
- Regional: forwardingRules
Google Cloud CLI
For the gcloud CLI reference documentation, see the following:
- Regional: gcloud compute forwarding-rules with --region=[REGION]
What's next
- To learn more about protocol forwarding, see Protocol forwarding overview.