A ForwardingRule resource. A ForwardingRule resource specifies which pool of target virtual machines to forward a packet to if it matches the given [IPAddress, IPProtocol, portRange] tuple.
To get more information about ForwardingRule, see:
# Internal HTTP load balancer with a managed instance group backend
# VPC network
resource "google_compute_network" "ilb_network" {
name = "l7-ilb-network"
provider = google-beta
auto_create_subnetworks = false
}
# proxy-only subnet
resource "google_compute_subnetwork" "proxy_subnet" {
name = "l7-ilb-proxy-subnet"
provider = google-beta
ip_cidr_range = "10.0.0.0/24"
region = "europe-west1"
purpose = "REGIONAL_MANAGED_PROXY"
role = "ACTIVE"
network = google_compute_network.ilb_network.id
}
# backend subnet
resource "google_compute_subnetwork" "ilb_subnet" {
name = "l7-ilb-subnet"
provider = google-beta
ip_cidr_range = "10.0.1.0/24"
region = "europe-west1"
network = google_compute_network.ilb_network.id
}
# forwarding rule
resource "google_compute_forwarding_rule" "google_compute_forwarding_rule" {
name = "l7-ilb-forwarding-rule"
provider = google-beta
region = "europe-west1"
depends_on = [google_compute_subnetwork.proxy_subnet]
ip_protocol = "TCP"
load_balancing_scheme = "INTERNAL_MANAGED"
port_range = "80"
target = google_compute_region_target_http_proxy.default.id
network = google_compute_network.ilb_network.id
subnetwork = google_compute_subnetwork.ilb_subnet.id
network_tier = "PREMIUM"
}
# HTTP target proxy
resource "google_compute_region_target_http_proxy" "default" {
name = "l7-ilb-target-http-proxy"
provider = google-beta
region = "europe-west1"
url_map = google_compute_region_url_map.default.id
}
# URL map
resource "google_compute_region_url_map" "default" {
name = "l7-ilb-regional-url-map"
provider = google-beta
region = "europe-west1"
default_service = google_compute_region_backend_service.default.id
}
# backend service
resource "google_compute_region_backend_service" "default" {
name = "l7-ilb-backend-subnet"
provider = google-beta
region = "europe-west1"
protocol = "HTTP"
load_balancing_scheme = "INTERNAL_MANAGED"
timeout_sec = 10
health_checks = [google_compute_region_health_check.default.id]
backend {
group = google_compute_region_instance_group_manager.mig.instance_group
balancing_mode = "UTILIZATION"
capacity_scaler = 1.0
}
}
# instance template
resource "google_compute_instance_template" "instance_template" {
name = "l7-ilb-mig-template"
provider = google-beta
machine_type = "e2-small"
tags = ["http-server"]
network_interface {
network = google_compute_network.ilb_network.id
subnetwork = google_compute_subnetwork.ilb_subnet.id
access_config {
# add external ip to fetch packages
}
}
disk {
source_image = "debian-cloud/debian-10"
auto_delete = true
boot = true
}
# install nginx and serve a simple web page
metadata = {
startup-script = <<-EOF1
#! /bin/bash
set -euo pipefail
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install -y nginx-light jq
NAME=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/hostname")
IP=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip")
METADATA=$(curl -f -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=True" | jq 'del(.["startup-script"])')
cat <<EOF > /var/www/html/index.html
<pre>
Name: $NAME
IP: $IP
Metadata: $METADATA
</pre>
EOF
EOF1
}
lifecycle {
create_before_destroy = true
}
}
# health check
resource "google_compute_region_health_check" "default" {
name = "l7-ilb-hc"
provider = google-beta
region = "europe-west1"
http_health_check {
port_specification = "USE_SERVING_PORT"
}
}
# MIG
resource "google_compute_region_instance_group_manager" "mig" {
name = "l7-ilb-mig1"
provider = google-beta
region = "europe-west1"
version {
instance_template = google_compute_instance_template.instance_template.id
name = "primary"
}
base_instance_name = "vm"
target_size = 2
}
# allow all access from IAP and health check ranges
resource "google_compute_firewall" "fw-iap" {
name = "l7-ilb-fw-allow-iap-hc"
provider = google-beta
direction = "INGRESS"
network = google_compute_network.ilb_network.id
source_ranges = ["130.211.0.0/22", "35.191.0.0/16", "35.235.240.0/20"]
allow {
protocol = "tcp"
}
}
# allow http from proxy subnet to backends
resource "google_compute_firewall" "fw-ilb-to-backends" {
name = "l7-ilb-fw-allow-ilb-to-backends"
provider = google-beta
direction = "INGRESS"
network = google_compute_network.ilb_network.id
source_ranges = ["10.0.0.0/24"]
target_tags = ["http-server"]
allow {
protocol = "tcp"
ports = ["80", "443", "8080"]
}
}
# test instance
resource "google_compute_instance" "vm-test" {
name = "l7-ilb-test-vm"
provider = google-beta
zone = "europe-west1-b"
machine_type = "e2-small"
network_interface {
network = google_compute_network.ilb_network.id
subnetwork = google_compute_subnetwork.ilb_subnet.id
}
boot_disk {
initialize_params {
image = "debian-cloud/debian-10"
}
}
}
# Internal TCP/UDP load balancer with a managed instance group backend
# VPC
resource "google_compute_network" "ilb_network" {
name = "l4-ilb-network"
provider = google-beta
auto_create_subnetworks = false
}
# backed subnet
resource "google_compute_subnetwork" "ilb_subnet" {
name = "l4-ilb-subnet"
provider = google-beta
ip_cidr_range = "10.0.1.0/24"
region = "europe-west1"
network = google_compute_network.ilb_network.id
}
# forwarding rule
resource "google_compute_forwarding_rule" "google_compute_forwarding_rule" {
name = "l4-ilb-forwarding-rule"
backend_service = google_compute_region_backend_service.default.id
provider = google-beta
region = "europe-west1"
ip_protocol = "TCP"
load_balancing_scheme = "INTERNAL"
all_ports = true
allow_global_access = true
network = google_compute_network.ilb_network.id
subnetwork = google_compute_subnetwork.ilb_subnet.id
}
# backend service
resource "google_compute_region_backend_service" "default" {
name = "l4-ilb-backend-subnet"
provider = google-beta
region = "europe-west1"
protocol = "TCP"
load_balancing_scheme = "INTERNAL"
health_checks = [google_compute_region_health_check.default.id]
backend {
group = google_compute_region_instance_group_manager.mig.instance_group
balancing_mode = "CONNECTION"
}
}
# instance template
resource "google_compute_instance_template" "instance_template" {
name = "l4-ilb-mig-template"
provider = google-beta
machine_type = "e2-small"
tags = ["allow-ssh","allow-health-check"]
network_interface {
network = google_compute_network.ilb_network.id
subnetwork = google_compute_subnetwork.ilb_subnet.id
access_config {
# add external ip to fetch packages
}
}
disk {
source_image = "debian-cloud/debian-10"
auto_delete = true
boot = true
}
# install nginx and serve a simple web page
metadata = {
startup-script = <<-EOF1
#! /bin/bash
set -euo pipefail
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install -y nginx-light jq
NAME=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/hostname")
IP=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip")
METADATA=$(curl -f -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=True" | jq 'del(.["startup-script"])')
cat <<EOF > /var/www/html/index.html
<pre>
Name: $NAME
IP: $IP
Metadata: $METADATA
</pre>
EOF
EOF1
}
lifecycle {
create_before_destroy = true
}
}
# health check
resource "google_compute_region_health_check" "default" {
name = "l4-ilb-hc"
provider = google-beta
region = "europe-west1"
http_health_check {
port = "80"
}
}
# MIG
resource "google_compute_region_instance_group_manager" "mig" {
name = "l4-ilb-mig1"
provider = google-beta
region = "europe-west1"
version {
instance_template = google_compute_instance_template.instance_template.id
name = "primary"
}
base_instance_name = "vm"
target_size = 2
}
# allow all access from health check ranges
resource "google_compute_firewall" "fw_hc" {
name = "l4-ilb-fw-allow-hc"
provider = google-beta
direction = "INGRESS"
network = google_compute_network.ilb_network.id
source_ranges = ["130.211.0.0/22", "35.191.0.0/16", "35.235.240.0/20"]
allow {
protocol = "tcp"
}
target_tags = ["allow-health-check"]
}
# allow communication within the subnet
resource "google_compute_firewall" "fw_ilb_to_backends" {
name = "l4-ilb-fw-allow-ilb-to-backends"
provider = google-beta
direction = "INGRESS"
network = google_compute_network.ilb_network.id
source_ranges = ["10.0.1.0/24"]
allow {
protocol = "tcp"
}
allow {
protocol = "udp"
}
allow {
protocol = "icmp"
}
}
# allow SSH
resource "google_compute_firewall" "fw_ilb_ssh" {
name = "l4-ilb-fw-ssh"
provider = google-beta
direction = "INGRESS"
network = google_compute_network.ilb_network.id
allow {
protocol = "tcp"
ports = ["22"]
}
target_tags = ["allow-ssh"]
source_ranges = ["0.0.0.0/0"]
}
# test instance
resource "google_compute_instance" "vm_test" {
name = "l4-ilb-test-vm"
provider = google-beta
zone = "europe-west1-b"
machine_type = "e2-small"
network_interface {
network = google_compute_network.ilb_network.id
subnetwork = google_compute_subnetwork.ilb_subnet.id
}
boot_disk {
initialize_params {
image = "debian-cloud/debian-10"
}
}
}
// Forwarding rule for External Network Load Balancing using Backend Services
resource "google_compute_forwarding_rule" "default" {
provider = google-beta
name = "website-forwarding-rule"
region = "us-central1"
port_range = 80
backend_service = google_compute_region_backend_service.backend.id
}
resource "google_compute_region_backend_service" "backend" {
provider = google-beta
name = "website-backend"
region = "us-central1"
load_balancing_scheme = "EXTERNAL"
health_checks = [google_compute_region_health_check.hc.id]
}
resource "google_compute_region_health_check" "hc" {
provider = google-beta
name = "check-website-backend"
check_interval_sec = 1
timeout_sec = 1
region = "us-central1"
tcp_health_check {
port = "80"
}
}
// Forwarding rule for Internal Load Balancing
resource "google_compute_forwarding_rule" "default" {
name = "website-forwarding-rule"
region = "us-central1"
load_balancing_scheme = "INTERNAL"
backend_service = google_compute_region_backend_service.backend.id
all_ports = true
allow_global_access = true
network = google_compute_network.default.name
subnetwork = google_compute_subnetwork.default.name
}
resource "google_compute_region_backend_service" "backend" {
name = "website-backend"
region = "us-central1"
health_checks = [google_compute_health_check.hc.id]
}
resource "google_compute_health_check" "hc" {
name = "check-website-backend"
check_interval_sec = 1
timeout_sec = 1
tcp_health_check {
port = "80"
}
}
resource "google_compute_network" "default" {
name = "website-net"
auto_create_subnetworks = false
}
resource "google_compute_subnetwork" "default" {
name = "website-net"
ip_cidr_range = "10.0.0.0/16"
region = "us-central1"
network = google_compute_network.default.id
}
resource "google_compute_forwarding_rule" "default" {
name = "website-forwarding-rule"
target = google_compute_target_pool.default.id
port_range = "80"
}
resource "google_compute_target_pool" "default" {
name = "website-target-pool"
}
resource "google_compute_forwarding_rule" "fwd_rule" {
provider = google-beta
name = "l3-forwarding-rule"
backend_service = google_compute_region_backend_service.service.id
ip_protocol = "L3_DEFAULT"
all_ports = true
}
resource "google_compute_region_backend_service" "service" {
provider = google-beta
region = "us-central1"
name = "service"
health_checks = [google_compute_region_health_check.health_check.id]
protocol = "UNSPECIFIED"
load_balancing_scheme = "EXTERNAL"
}
resource "google_compute_region_health_check" "health_check" {
provider = google-beta
name = "health-check"
region = "us-central1"
tcp_health_check {
port = 80
}
}
// Forwarding rule for Internal Load Balancing
resource "google_compute_forwarding_rule" "default" {
name = "website-forwarding-rule"
region = "us-central1"
load_balancing_scheme = "INTERNAL"
backend_service = google_compute_region_backend_service.backend.id
all_ports = true
network = google_compute_network.default.name
subnetwork = google_compute_subnetwork.default.name
ip_version = "IPV4"
}
resource "google_compute_region_backend_service" "backend" {
name = "website-backend"
region = "us-central1"
health_checks = [google_compute_health_check.hc.id]
}
resource "google_compute_health_check" "hc" {
name = "check-website-backend"
check_interval_sec = 1
timeout_sec = 1
tcp_health_check {
port = "80"
}
}
resource "google_compute_network" "default" {
name = "website-net"
auto_create_subnetworks = false
}
resource "google_compute_subnetwork" "default" {
name = "website-net"
ip_cidr_range = "10.0.0.0/16"
region = "us-central1"
network = google_compute_network.default.id
}
// Forwarding rule for Internal Load Balancing
resource "google_compute_forwarding_rule" "default" {
provider = google-beta
depends_on = [google_compute_subnetwork.proxy]
name = "website-forwarding-rule"
region = "us-central1"
ip_protocol = "TCP"
load_balancing_scheme = "INTERNAL_MANAGED"
port_range = "80"
target = google_compute_region_target_http_proxy.default.id
network = google_compute_network.default.id
subnetwork = google_compute_subnetwork.default.id
network_tier = "PREMIUM"
}
resource "google_compute_region_target_http_proxy" "default" {
provider = google-beta
region = "us-central1"
name = "website-proxy"
url_map = google_compute_region_url_map.default.id
}
resource "google_compute_region_url_map" "default" {
provider = google-beta
region = "us-central1"
name = "website-map"
default_service = google_compute_region_backend_service.default.id
}
resource "google_compute_region_backend_service" "default" {
provider = google-beta
load_balancing_scheme = "INTERNAL_MANAGED"
backend {
group = google_compute_region_instance_group_manager.rigm.instance_group
balancing_mode = "UTILIZATION"
capacity_scaler = 1.0
}
region = "us-central1"
name = "website-backend"
protocol = "HTTP"
timeout_sec = 10
health_checks = [google_compute_region_health_check.default.id]
}
data "google_compute_image" "debian_image" {
provider = google-beta
family = "debian-11"
project = "debian-cloud"
}
resource "google_compute_region_instance_group_manager" "rigm" {
provider = google-beta
region = "us-central1"
name = "website-rigm"
version {
instance_template = google_compute_instance_template.instance_template.id
name = "primary"
}
base_instance_name = "internal-glb"
target_size = 1
}
resource "google_compute_instance_template" "instance_template" {
provider = google-beta
name = "template-website-backend"
machine_type = "e2-medium"
network_interface {
network = google_compute_network.default.id
subnetwork = google_compute_subnetwork.default.id
}
disk {
source_image = data.google_compute_image.debian_image.self_link
auto_delete = true
boot = true
}
tags = ["allow-ssh", "load-balanced-backend"]
}
resource "google_compute_region_health_check" "default" {
depends_on = [google_compute_firewall.fw4]
provider = google-beta
region = "us-central1"
name = "website-hc"
http_health_check {
port_specification = "USE_SERVING_PORT"
}
}
resource "google_compute_firewall" "fw1" {
provider = google-beta
name = "website-fw-1"
network = google_compute_network.default.id
source_ranges = ["10.1.2.0/24"]
allow {
protocol = "tcp"
}
allow {
protocol = "udp"
}
allow {
protocol = "icmp"
}
direction = "INGRESS"
}
resource "google_compute_firewall" "fw2" {
depends_on = [google_compute_firewall.fw1]
provider = google-beta
name = "website-fw-2"
network = google_compute_network.default.id
source_ranges = ["0.0.0.0/0"]
allow {
protocol = "tcp"
ports = ["22"]
}
target_tags = ["allow-ssh"]
direction = "INGRESS"
}
resource "google_compute_firewall" "fw3" {
depends_on = [google_compute_firewall.fw2]
provider = google-beta
name = "website-fw-3"
network = google_compute_network.default.id
source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]
allow {
protocol = "tcp"
}
target_tags = ["load-balanced-backend"]
direction = "INGRESS"
}
resource "google_compute_firewall" "fw4" {
depends_on = [google_compute_firewall.fw3]
provider = google-beta
name = "website-fw-4"
network = google_compute_network.default.id
source_ranges = ["10.129.0.0/26"]
target_tags = ["load-balanced-backend"]
allow {
protocol = "tcp"
ports = ["80"]
}
allow {
protocol = "tcp"
ports = ["443"]
}
allow {
protocol = "tcp"
ports = ["8000"]
}
direction = "INGRESS"
}
resource "google_compute_network" "default" {
provider = google-beta
name = "website-net"
auto_create_subnetworks = false
routing_mode = "REGIONAL"
}
resource "google_compute_subnetwork" "default" {
provider = google-beta
name = "website-net-default"
ip_cidr_range = "10.1.2.0/24"
region = "us-central1"
network = google_compute_network.default.id
}
resource "google_compute_subnetwork" "proxy" {
provider = google-beta
name = "website-net-proxy"
ip_cidr_range = "10.129.0.0/26"
region = "us-central1"
network = google_compute_network.default.id
purpose = "REGIONAL_MANAGED_PROXY"
role = "ACTIVE"
}
// Forwarding rule for Regional External Load Balancing
resource "google_compute_forwarding_rule" "default" {
provider = google-beta
depends_on = [google_compute_subnetwork.proxy]
name = "website-forwarding-rule"
region = "us-central1"
ip_protocol = "TCP"
load_balancing_scheme = "EXTERNAL_MANAGED"
port_range = "80"
target = google_compute_region_target_http_proxy.default.id
network = google_compute_network.default.id
ip_address = google_compute_address.default.id
network_tier = "STANDARD"
}
resource "google_compute_region_target_http_proxy" "default" {
provider = google-beta
region = "us-central1"
name = "website-proxy"
url_map = google_compute_region_url_map.default.id
}
resource "google_compute_region_url_map" "default" {
provider = google-beta
region = "us-central1"
name = "website-map"
default_service = google_compute_region_backend_service.default.id
}
resource "google_compute_region_backend_service" "default" {
provider = google-beta
load_balancing_scheme = "EXTERNAL_MANAGED"
backend {
group = google_compute_region_instance_group_manager.rigm.instance_group
balancing_mode = "UTILIZATION"
capacity_scaler = 1.0
}
region = "us-central1"
name = "website-backend"
protocol = "HTTP"
timeout_sec = 10
health_checks = [google_compute_region_health_check.default.id]
}
data "google_compute_image" "debian_image" {
provider = google-beta
family = "debian-11"
project = "debian-cloud"
}
resource "google_compute_region_instance_group_manager" "rigm" {
provider = google-beta
region = "us-central1"
name = "website-rigm"
version {
instance_template = google_compute_instance_template.instance_template.id
name = "primary"
}
base_instance_name = "internal-glb"
target_size = 1
}
resource "google_compute_instance_template" "instance_template" {
provider = google-beta
name = "template-website-backend"
machine_type = "e2-medium"
network_interface {
network = google_compute_network.default.id
subnetwork = google_compute_subnetwork.default.id
}
disk {
source_image = data.google_compute_image.debian_image.self_link
auto_delete = true
boot = true
}
tags = ["allow-ssh", "load-balanced-backend"]
}
resource "google_compute_region_health_check" "default" {
depends_on = [google_compute_firewall.fw4]
provider = google-beta
region = "us-central1"
name = "website-hc"
http_health_check {
port_specification = "USE_SERVING_PORT"
}
}
resource "google_compute_address" "default" {
name = "website-ip-1"
provider = google-beta
region = "us-central1"
network_tier = "STANDARD"
}
resource "google_compute_firewall" "fw1" {
provider = google-beta
name = "website-fw-1"
network = google_compute_network.default.id
source_ranges = ["10.1.2.0/24"]
allow {
protocol = "tcp"
}
allow {
protocol = "udp"
}
allow {
protocol = "icmp"
}
direction = "INGRESS"
}
resource "google_compute_firewall" "fw2" {
depends_on = [google_compute_firewall.fw1]
provider = google-beta
name = "website-fw-2"
network = google_compute_network.default.id
source_ranges = ["0.0.0.0/0"]
allow {
protocol = "tcp"
ports = ["22"]
}
target_tags = ["allow-ssh"]
direction = "INGRESS"
}
resource "google_compute_firewall" "fw3" {
depends_on = [google_compute_firewall.fw2]
provider = google-beta
name = "website-fw-3"
network = google_compute_network.default.id
source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]
allow {
protocol = "tcp"
}
target_tags = ["load-balanced-backend"]
direction = "INGRESS"
}
resource "google_compute_firewall" "fw4" {
depends_on = [google_compute_firewall.fw3]
provider = google-beta
name = "website-fw-4"
network = google_compute_network.default.id
source_ranges = ["10.129.0.0/26"]
target_tags = ["load-balanced-backend"]
allow {
protocol = "tcp"
ports = ["80"]
}
allow {
protocol = "tcp"
ports = ["443"]
}
allow {
protocol = "tcp"
ports = ["8000"]
}
direction = "INGRESS"
}
resource "google_compute_network" "default" {
provider = google-beta
name = "website-net"
auto_create_subnetworks = false
routing_mode = "REGIONAL"
}
resource "google_compute_subnetwork" "default" {
provider = google-beta
name = "website-net-default"
ip_cidr_range = "10.1.2.0/24"
region = "us-central1"
network = google_compute_network.default.id
}
resource "google_compute_subnetwork" "proxy" {
provider = google-beta
name = "website-net-proxy"
ip_cidr_range = "10.129.0.0/26"
region = "us-central1"
network = google_compute_network.default.id
purpose = "REGIONAL_MANAGED_PROXY"
role = "ACTIVE"
}
// Forwarding rule for VPC private service connect
resource "google_compute_forwarding_rule" "default" {
name = "psc-endpoint"
region = "us-central1"
load_balancing_scheme = ""
target = google_compute_service_attachment.producer_service_attachment.id
network = google_compute_network.consumer_net.name
ip_address = google_compute_address.consumer_address.id
allow_psc_global_access = true
}
// Consumer service endpoint
resource "google_compute_network" "consumer_net" {
name = "consumer-net"
auto_create_subnetworks = false
}
resource "google_compute_subnetwork" "consumer_subnet" {
name = "consumer-net"
ip_cidr_range = "10.0.0.0/16"
region = "us-central1"
network = google_compute_network.consumer_net.id
}
resource "google_compute_address" "consumer_address" {
name = "website-ip-1"
region = "us-central1"
subnetwork = google_compute_subnetwork.consumer_subnet.id
address_type = "INTERNAL"
}
// Producer service attachment
resource "google_compute_network" "producer_net" {
name = "producer-net"
auto_create_subnetworks = false
}
resource "google_compute_subnetwork" "producer_subnet" {
name = "producer-net"
ip_cidr_range = "10.0.0.0/16"
region = "us-central1"
network = google_compute_network.producer_net.id
}
resource "google_compute_subnetwork" "psc_producer_subnet" {
name = "producer-psc-net"
ip_cidr_range = "10.1.0.0/16"
region = "us-central1"
purpose = "PRIVATE_SERVICE_CONNECT"
network = google_compute_network.producer_net.id
}
resource "google_compute_service_attachment" "producer_service_attachment" {
name = "producer-service"
region = "us-central1"
description = "A service attachment configured with Terraform"
enable_proxy_protocol = true
connection_preference = "ACCEPT_AUTOMATIC"
nat_subnets = [google_compute_subnetwork.psc_producer_subnet.name]
target_service = google_compute_forwarding_rule.producer_target_service.id
}
resource "google_compute_forwarding_rule" "producer_target_service" {
name = "producer-forwarding-rule"
region = "us-central1"
load_balancing_scheme = "INTERNAL"
backend_service = google_compute_region_backend_service.producer_service_backend.id
all_ports = true
network = google_compute_network.producer_net.name
subnetwork = google_compute_subnetwork.producer_subnet.name
}
resource "google_compute_region_backend_service" "producer_service_backend" {
name = "producer-service-backend"
region = "us-central1"
health_checks = [google_compute_health_check.producer_service_health_check.id]
}
resource "google_compute_health_check" "producer_service_health_check" {
name = "producer-service-health-check"
check_interval_sec = 1
timeout_sec = 1
tcp_health_check {
port = "80"
}
}
resource "google_compute_forwarding_rule" "default" {
name = "psc-endpoint"
region = "us-central1"
load_balancing_scheme = ""
target = google_compute_service_attachment.producer_service_attachment.id
network = google_compute_network.consumer_net.name
ip_address = google_compute_address.consumer_address.id
allow_psc_global_access = true
no_automate_dns_zone = true
}
resource "google_compute_network" "consumer_net" {
name = "consumer-net"
auto_create_subnetworks = false
}
resource "google_compute_subnetwork" "consumer_subnet" {
name = "consumer-net"
ip_cidr_range = "10.0.0.0/16"
region = "us-central1"
network = google_compute_network.consumer_net.id
}
resource "google_compute_address" "consumer_address" {
name = "website-ip-1"
region = "us-central1"
subnetwork = google_compute_subnetwork.consumer_subnet.id
address_type = "INTERNAL"
}
resource "google_compute_network" "producer_net" {
name = "producer-net"
auto_create_subnetworks = false
}
resource "google_compute_subnetwork" "producer_subnet" {
name = "producer-net"
ip_cidr_range = "10.0.0.0/16"
region = "us-central1"
network = google_compute_network.producer_net.id
}
resource "google_compute_subnetwork" "psc_producer_subnet" {
name = "producer-psc-net"
ip_cidr_range = "10.1.0.0/16"
region = "us-central1"
purpose = "PRIVATE_SERVICE_CONNECT"
network = google_compute_network.producer_net.id
}
resource "google_compute_service_attachment" "producer_service_attachment" {
name = "producer-service"
region = "us-central1"
description = "A service attachment configured with Terraform"
enable_proxy_protocol = true
connection_preference = "ACCEPT_AUTOMATIC"
nat_subnets = [google_compute_subnetwork.psc_producer_subnet.name]
target_service = google_compute_forwarding_rule.producer_target_service.id
}
resource "google_compute_forwarding_rule" "producer_target_service" {
name = "producer-forwarding-rule"
region = "us-central1"
load_balancing_scheme = "INTERNAL"
backend_service = google_compute_region_backend_service.producer_service_backend.id
all_ports = true
network = google_compute_network.producer_net.name
subnetwork = google_compute_subnetwork.producer_subnet.name
}
resource "google_compute_region_backend_service" "producer_service_backend" {
name = "producer-service-backend"
region = "us-central1"
health_checks = [google_compute_health_check.producer_service_health_check.id]
}
resource "google_compute_health_check" "producer_service_health_check" {
name = "producer-service-health-check"
check_interval_sec = 1
timeout_sec = 1
tcp_health_check {
port = "80"
}
}
resource "google_compute_forwarding_rule" "steering" {
name = "steering-rule"
region = "us-central1"
ip_address = google_compute_address.basic.self_link
backend_service = google_compute_region_backend_service.external.self_link
load_balancing_scheme = "EXTERNAL"
source_ip_ranges = ["34.121.88.0/24", "35.187.239.137"]
depends_on = [google_compute_forwarding_rule.external]
}
resource "google_compute_address" "basic" {
name = "website-ip"
region = "us-central1"
}
resource "google_compute_region_backend_service" "external" {
name = "service-backend"
region = "us-central1"
load_balancing_scheme = "EXTERNAL"
}
resource "google_compute_forwarding_rule" "external" {
name = "external-forwarding-rule"
region = "us-central1"
ip_address = google_compute_address.basic.self_link
backend_service = google_compute_region_backend_service.external.self_link
load_balancing_scheme = "EXTERNAL"
}
// Forwarding rule for Internal Load Balancing
resource "google_compute_forwarding_rule" "default" {
name = "ilb-ipv6-forwarding-rule"
region = "us-central1"
load_balancing_scheme = "INTERNAL"
backend_service = google_compute_region_backend_service.backend.id
all_ports = true
network = google_compute_network.default.name
subnetwork = google_compute_subnetwork.default.name
ip_version = "IPV6"
}
resource "google_compute_region_backend_service" "backend" {
name = "ilb-ipv6-backend"
region = "us-central1"
health_checks = [google_compute_health_check.hc.id]
}
resource "google_compute_health_check" "hc" {
name = "check-ilb-ipv6-backend"
check_interval_sec = 1
timeout_sec = 1
tcp_health_check {
port = "80"
}
}
resource "google_compute_network" "default" {
name = "net-ipv6"
auto_create_subnetworks = false
enable_ula_internal_ipv6 = true
}
resource "google_compute_subnetwork" "default" {
name = "subnet-internal-ipv6"
ip_cidr_range = "10.0.0.0/16"
region = "us-central1"
stack_type = "IPV4_IPV6"
ipv6_access_type = "INTERNAL"
network = google_compute_network.default.id
}
The following arguments are supported:
name
-
(Required)
Name of the resource; provided by the client when the resource is created.
The name must be 1-63 characters long, and comply with
RFC1035.
Specifically, the name must be 1-63 characters long and match the regular
expression [a-z]([-a-z0-9]*[a-z0-9])?
which means the first
character must be a lowercase letter, and all following characters must
be a dash, lowercase letter, or digit, except the last character, which
cannot be a dash.
For Private Service Connect forwarding rules that forward traffic to Google
APIs, the forwarding rule name must be a 1-20 characters string with
lowercase letters and numbers and must start with a letter.is_mirroring_collector
-
(Optional)
Indicates whether or not this load balancer can be used as a collector for
packet mirroring. To prevent mirroring loops, instances behind this
load balancer will not have their traffic mirrored even if a
PacketMirroring
rule applies to them.
This can only be set to true for load balancers that have their
loadBalancingScheme
set to INTERNAL
.
description
-
(Optional)
An optional description of this resource. Provide this property when
you create the resource.
ip_address
-
(Optional)
IP address for which this forwarding rule accepts traffic. When a client
sends traffic to this IP address, the forwarding rule directs the traffic
to the referenced target
or backendService
.
While creating a forwarding rule, specifying an IPAddress
is
required under the following circumstances:
target
is set to targetGrpcProxy
and
validateForProxyless
is set to true
, the
IPAddress
should be set to 0.0.0.0
.target
is a Private Service Connect Google APIs
bundle, you must specify an IPAddress
.Otherwise, you can optionally specify an IP address that references an existing static (reserved) IP address resource. When omitted, Google Cloud assigns an ephemeral IP address. Use one of the following formats to specify an IP address while creating a forwarding rule:
100.1.2.3
2600:1234::/96
https://www.googleapis.com/compute/v1/projects/project_id/regions/region/addresses/address-name
projects/project_id/regions/region/addresses/address-name
regions/region/addresses/address-name
global/addresses/address-name
address-name
The forwarding rule's target
or backendService
,
and in most cases, also the loadBalancingScheme
, determine the
type of IP address that you can use. For detailed information, see
IP address
specifications.
When reading an IPAddress
, the API always returns the IP
address number.
ip_protocol
-
(Optional)
The IP protocol to which this rule applies.
For protocol forwarding, valid
options are TCP
, UDP
, ESP
,
AH
, SCTP
, ICMP
and
L3_DEFAULT
.
The valid IP protocols are different for different load balancing products
as described in Load balancing
features.
A Forwarding Rule with protocol L3_DEFAULT can attach with target instance or
backend service with UNSPECIFIED protocol.
A forwarding rule with "L3_DEFAULT" IPProtocal cannot be attached to a backend service with TCP or UDP.
Possible values are: TCP
, UDP
, ESP
, AH
, SCTP
, ICMP
, L3_DEFAULT
.
backend_service
-
(Optional)
Identifies the backend service to which the forwarding rule sends traffic.
Required for Internal TCP/UDP Load Balancing and Network Load Balancing;
must be omitted for all other load balancer types.
load_balancing_scheme
-
(Optional)
Specifies the forwarding rule type.
For more information about forwarding rules, refer to
Forwarding rule concepts.
Default value is EXTERNAL
.
Possible values are: EXTERNAL
, EXTERNAL_MANAGED
, INTERNAL
, INTERNAL_MANAGED
.
network
-
(Optional)
This field is not used for external load balancing.
For Internal TCP/UDP Load Balancing, this field identifies the network that
the load balanced IP should belong to for this Forwarding Rule.
If the subnetwork is specified, the network of the subnetwork will be used.
If neither subnetwork nor this field is specified, the default network will
be used.
For Private Service Connect forwarding rules that forward traffic to Google
APIs, a network must be provided.
port_range
-
(Optional)
The ports
, portRange
, and allPorts
fields are mutually exclusive.
Only packets addressed to ports in the specified range will be forwarded
to the backends configured with this forwarding rule.
The portRange
field has the following limitations:
IPProtocol
be TCP, UDP, or SCTP,
and[IPAddress, IPProtocol]
pair, and cannot have overlapping
portRange
s.
For internal forwarding rules within the same VPC network, two or more
forwarding rules cannot use the same [IPAddress, IPProtocol]
pair, and
cannot have overlapping portRange
s.
@pattern: \d+(?:-\d+)?ports
-
(Optional)
The ports
, portRange
, and allPorts
fields are mutually exclusive.
Only packets addressed to ports in the specified range will be forwarded
to the backends configured with this forwarding rule.
The ports
field has the following limitations:
IPProtocol
be TCP, UDP, or SCTP,
and[IPAddress, IPProtocol]
pair if they share at least one port
number.
For internal forwarding rules within the same VPC network, two or more
forwarding rules cannot use the same [IPAddress, IPProtocol]
pair if
they share at least one port number.
@pattern: \d+(?:-\d+)?subnetwork
-
(Optional)
This field identifies the subnetwork that the load balanced IP should
belong to for this Forwarding Rule, used in internal load balancing and
network load balancing with IPv6.
If the network specified is in auto subnet mode, this field is optional.
However, a subnetwork must be specified if the network is in custom subnet
mode or when creating external forwarding rule with IPv6.
target
-
(Optional)
The URL of the target resource to receive the matched traffic. For
regional forwarding rules, this target must be in the same region as the
forwarding rule. For global forwarding rules, this target must be a global
load balancing resource.
The forwarded traffic must be of a type appropriate to the target object.
vpc-sc
- APIs that support VPC Service Controls.all-apis
- All supported Google APIs.For Private Service Connect forwarding rules that forward traffic to managed services, the target must be a service attachment.
allow_global_access
-
(Optional)
This field is used along with the backend_service
field for
internal load balancing or with the target
field for internal
TargetInstance.
If the field is set to TRUE
, clients can access ILB from all
regions.
Otherwise only allows access from clients in the same region as the
internal load balancer.
labels
-
(Optional)
Labels to apply to this forwarding rule. A list of key->value pairs.
Note: This field is non-authoritative, and will only manage the labels present in your configuration.
Please refer to the field effective_labels
for all of the labels present on the resource.
all_ports
-
(Optional)
The ports
, portRange
, and allPorts
fields are mutually exclusive.
Only packets addressed to ports in the specified range will be forwarded
to the backends configured with this forwarding rule.
The allPorts
field has the following limitations:
IPProtocol
be TCP, UDP, SCTP, or
L3_DEFAULT.allPorts
be set to
true.network_tier
-
(Optional)
This signifies the networking tier used for configuring
this load balancer and can only take the following values:
PREMIUM
, STANDARD
.
For regional ForwardingRule, the valid values are PREMIUM
and
STANDARD
. For GlobalForwardingRule, the valid value is
PREMIUM
.
If this field is not specified, it is assumed to be PREMIUM
.
If IPAddress
is specified, this value must be equal to the
networkTier of the Address.
Possible values are: PREMIUM
, STANDARD
.
service_directory_registrations
-
(Optional)
Service Directory resources to register this forwarding rule with.
Currently, only supports a single Service Directory resource.
Structure is documented below.
service_label
-
(Optional)
An optional prefix to the service name for this Forwarding Rule.
If specified, will be the first label of the fully qualified service
name.
The label must be 1-63 characters long, and comply with RFC1035.
Specifically, the label must be 1-63 characters long and match the
regular expression [a-z]([-a-z0-9]*[a-z0-9])?
which means the first
character must be a lowercase letter, and all following characters
must be a dash, lowercase letter, or digit, except the last
character, which cannot be a dash.
This field is only used for INTERNAL load balancing.
source_ip_ranges
-
(Optional)
If not empty, this Forwarding Rule will only forward the traffic when the source IP address matches one of the IP addresses or CIDR ranges set here. Note that a Forwarding Rule can only have up to 64 source IP ranges, and this field can only be used with a regional Forwarding Rule whose scheme is EXTERNAL. Each sourceIpRange entry should be either an IP address (for example, 1.2.3.4) or a CIDR range (for example, 1.2.3.0/24).
allow_psc_global_access
-
(Optional)
This is used in PSC consumer ForwardingRule to control whether the PSC endpoint can be accessed from another region.
no_automate_dns_zone
-
(Optional)
This is used in PSC consumer ForwardingRule to control whether it should try to auto-generate a DNS zone or not. Non-PSC forwarding rules do not use this field.
ip_version
-
(Optional)
The IP address version that will be used by this forwarding rule.
Valid options are IPV4 and IPV6.
If not set, the IPv4 address will be used by default.
Possible values are: IPV4
, IPV6
.
region
-
(Optional)
A reference to the region where the regional forwarding rule resides.
This field is not applicable to global forwarding rules.
project
- (Optional) The ID of the project in which the resource belongs.
If it is not provided, the provider project is used.
recreate_closed_psc
- (Optional) This is used in PSC consumer ForwardingRule to make terraform recreate the ForwardingRule when the status is closed
The service_directory_registrations
block supports:
namespace
-
(Optional)
Service Directory namespace to register the forwarding rule under.
service
-
(Optional)
Service Directory service to register the forwarding rule under.
In addition to the arguments listed above, the following computed attributes are exported:
id
- an identifier for the resource with format projects/{{project}}/regions/{{region}}/forwardingRules/{{name}}
creation_timestamp
-
Creation timestamp in RFC3339 text format.
psc_connection_id
-
The PSC connection id of the PSC Forwarding Rule.
psc_connection_status
-
The PSC connection status of the PSC Forwarding Rule. Possible values: STATUS_UNSPECIFIED
, PENDING
, ACCEPTED
, REJECTED
, CLOSED
label_fingerprint
-
The fingerprint used for optimistic locking of this resource. Used
internally during updates.
service_name
-
The internal fully qualified service name for this Forwarding Rule.
This field is only used for INTERNAL load balancing.
base_forwarding_rule
-
[Output Only] The URL for the corresponding base Forwarding Rule. By base Forwarding Rule, we mean the Forwarding Rule that has the same IP address, protocol, and port settings with the current Forwarding Rule, but without sourceIPRanges specified. Always empty if the current Forwarding Rule does not have sourceIPRanges specified.
terraform_labels
-
The combination of labels configured directly on the resource
and default labels configured on the provider.
effective_labels
-
All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services.
self_link
- The URI of the created resource.This resource provides the following Timeouts configuration options:
create
- Default is 20 minutes.update
- Default is 20 minutes.delete
- Default is 20 minutes.ForwardingRule can be imported using any of these accepted formats:
projects/{{project}}/regions/{{region}}/forwardingRules/{{name}}
{{project}}/{{region}}/{{name}}
{{region}}/{{name}}
{{name}}
In Terraform v1.5.0 and later, use an import
block to import ForwardingRule using one of the formats above. For example:
import {
id = "projects/{{project}}/regions/{{region}}/forwardingRules/{{name}}"
to = google_compute_forwarding_rule.default
}
When using the terraform import
command, ForwardingRule can be imported using one of the formats above. For example:
$ terraform import google_compute_forwarding_rule.default projects/{{project}}/regions/{{region}}/forwardingRules/{{name}}
$ terraform import google_compute_forwarding_rule.default {{project}}/{{region}}/{{name}}
$ terraform import google_compute_forwarding_rule.default {{region}}/{{name}}
$ terraform import google_compute_forwarding_rule.default {{name}}
This resource supports User Project Overrides.