Represents a GlobalForwardingRule resource. Global forwarding rules are used to forward traffic to the correct load balancer for HTTP load balancing. Global forwarding rules can only be used for HTTP load balancing.
For more information, see https://cloud.google.com/compute/docs/load-balancing/http/
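# External SSL proxy load balancer with managed instance group backend
#
# Path of a request: global forwarding rule (TCP/443) -> target SSL proxy ->
# backend service (SSL) -> MIG instances running Apache with the default-ssl
# site on port 443.

# VPC
resource "google_compute_network" "default" {
  name                    = "ssl-proxy-xlb-network"
  provider                = google
  auto_create_subnetworks = false
}

# backend subnet
resource "google_compute_subnetwork" "default" {
  name          = "ssl-proxy-xlb-subnet"
  provider      = google
  ip_cidr_range = "10.0.1.0/24"
  region        = "us-central1"
  network       = google_compute_network.default.id
}

# reserved IP address
resource "google_compute_global_address" "default" {
  name = "ssl-proxy-xlb-ip"
}

# Self-signed SSL certificate for testing only; clients will not trust it.
# Replace it with a CA-issued certificate before serving real traffic.
# The key material generated here lives in Terraform state, so treat the
# state file as sensitive.
resource "tls_private_key" "default" {
  algorithm = "RSA"
  rsa_bits  = 2048
}

resource "tls_self_signed_cert" "default" {
  # NOTE(review): newer releases of the tls provider derive the algorithm from
  # private_key_pem and no longer accept key_algorithm — check your version.
  key_algorithm   = tls_private_key.default.algorithm
  private_key_pem = tls_private_key.default.private_key_pem

  # Certificate expires after 12 hours.
  validity_period_hours = 12

  # Generate a new certificate if Terraform is run within three
  # hours of the certificate's expiration time.
  early_renewal_hours = 3

  # Reasonable set of uses for a server SSL certificate.
  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
  ]

  dns_names = ["example.com"]

  subject {
    common_name  = "example.com"
    organization = "ACME Examples, Inc"
  }
}

# Uploads the private key and certificate to Compute Engine for the proxy.
resource "google_compute_ssl_certificate" "default" {
  name        = "default-cert"
  private_key = tls_private_key.default.private_key_pem
  certificate = tls_self_signed_cert.default.cert_pem
}

# SSL proxy: terminates TLS with the certificate above, then re-encrypts to
# the backend service (protocol = "SSL").
resource "google_compute_target_ssl_proxy" "default" {
  name             = "test-proxy"
  backend_service  = google_compute_backend_service.default.id
  ssl_certificates = [google_compute_ssl_certificate.default.id]
}

# forwarding rule
resource "google_compute_global_forwarding_rule" "default" {
  name                  = "ssl-proxy-xlb-forwarding-rule"
  provider              = google
  ip_protocol           = "TCP"
  load_balancing_scheme = "EXTERNAL"
  port_range            = "443"
  target                = google_compute_target_ssl_proxy.default.id
  ip_address            = google_compute_global_address.default.id
}

# backend service
resource "google_compute_backend_service" "default" {
  name                  = "ssl-proxy-xlb-backend-service"
  protocol              = "SSL"
  # Must match the named_port declared on the MIG below.
  port_name             = "tcp"
  load_balancing_scheme = "EXTERNAL"
  timeout_sec           = 10
  health_checks         = [google_compute_health_check.default.id]

  backend {
    group           = google_compute_instance_group_manager.default.instance_group
    balancing_mode  = "UTILIZATION"
    max_utilization = 1.0
    capacity_scaler = 1.0
  }
}

# TCP check against the same port the backends serve on (443).
resource "google_compute_health_check" "default" {
  name               = "ssl-proxy-health-check"
  timeout_sec        = 1
  check_interval_sec = 1

  tcp_health_check {
    port = "443"
  }
}

# instance template
resource "google_compute_instance_template" "default" {
  name         = "ssl-proxy-xlb-mig-template"
  provider     = google
  machine_type = "e2-small"
  # Selects the instances for the health-check firewall rule below.
  tags         = ["allow-health-check"]

  network_interface {
    network    = google_compute_network.default.id
    subnetwork = google_compute_subnetwork.default.id

    access_config {
      # add external ip to fetch packages
      # (Cloud NAT is the alternative if the instances must stay private.)
    }
  }

  disk {
    source_image = "debian-cloud/debian-10"
    auto_delete  = true
    boot         = true
  }

  # install apache2 with its default-ssl site and serve a simple web page
  #
  # NOTE(review): the page prints every instance metadata attribute except
  # startup-script to anyone who reaches the load balancer. That is fine for
  # a demo, but do not keep secrets in instance metadata and remove this
  # before reusing the template for anything real.
  metadata = {
    startup-script = <<-EOF1
      #! /bin/bash
      set -euo pipefail
      export DEBIAN_FRONTEND=noninteractive
      sudo apt-get update
      sudo apt-get install -y apache2 jq
      sudo a2ensite default-ssl
      sudo a2enmod ssl
      sudo service apache2 restart
      NAME=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/hostname")
      IP=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip")
      METADATA=$(curl -f -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=True" | jq 'del(.["startup-script"])')
      cat <<EOF > /var/www/html/index.html
      <h1>SSL Load Balancer</h1>
      <pre>
      Name: $NAME
      IP: $IP
      Metadata: $METADATA
      </pre>
      EOF
    EOF1
  }

  lifecycle {
    create_before_destroy = true
  }
}

# MIG
resource "google_compute_instance_group_manager" "default" {
  name     = "ssl-proxy-xlb-mig1"
  provider = google
  zone     = "us-central1-c"

  # Referenced by the backend service's port_name.
  named_port {
    name = "tcp"
    port = 443
  }

  version {
    instance_template = google_compute_instance_template.default.id
    name              = "primary"
  }

  base_instance_name = "vm"
  target_size        = 2
}

# allow access from health check ranges
#
# Limited to TCP/443: that is both the health-check port and the MIG's named
# port, so nothing else on the instances is reachable from these ranges.
resource "google_compute_firewall" "default" {
  name          = "ssl-proxy-xlb-fw-allow-hc"
  provider      = google
  direction     = "INGRESS"
  network       = google_compute_network.default.id
  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]

  allow {
    protocol = "tcp"
    ports    = ["443"]
  }

  target_tags = ["allow-health-check"]
}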
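# External TCP proxy load balancer with managed instance group backend
#
# Path of a request: global forwarding rule (TCP/110) -> target TCP proxy ->
# backend service (TCP) -> MIG instances running nginx on port 80.

# VPC
resource "google_compute_network" "default" {
  name                    = "tcp-proxy-xlb-network"
  provider                = google-beta
  auto_create_subnetworks = false
}

# backend subnet
resource "google_compute_subnetwork" "default" {
  name          = "tcp-proxy-xlb-subnet"
  provider      = google-beta
  ip_cidr_range = "10.0.1.0/24"
  region        = "us-central1"
  network       = google_compute_network.default.id
}

# reserved IP address
resource "google_compute_global_address" "default" {
  provider = google-beta
  name     = "tcp-proxy-xlb-ip"
}

# forwarding rule
# Listens on port 110 externally; the proxy delivers to the MIG's named port.
resource "google_compute_global_forwarding_rule" "default" {
  name                  = "tcp-proxy-xlb-forwarding-rule"
  provider              = google-beta
  ip_protocol           = "TCP"
  load_balancing_scheme = "EXTERNAL"
  port_range            = "110"
  target                = google_compute_target_tcp_proxy.default.id
  ip_address            = google_compute_global_address.default.id
}

resource "google_compute_target_tcp_proxy" "default" {
  provider        = google-beta
  name            = "test-proxy-health-check"
  backend_service = google_compute_backend_service.default.id
}

# backend service
resource "google_compute_backend_service" "default" {
  provider              = google-beta
  name                  = "tcp-proxy-xlb-backend-service"
  protocol              = "TCP"
  # Must match the named_port declared on the MIG below.
  port_name             = "tcp"
  load_balancing_scheme = "EXTERNAL"
  timeout_sec           = 10
  health_checks         = [google_compute_health_check.default.id]

  backend {
    group           = google_compute_instance_group_manager.default.instance_group
    balancing_mode  = "UTILIZATION"
    max_utilization = 1.0
    capacity_scaler = 1.0
  }
}

# TCP check against the port nginx listens on.
resource "google_compute_health_check" "default" {
  provider           = google-beta
  name               = "tcp-proxy-health-check"
  timeout_sec        = 1
  check_interval_sec = 1

  tcp_health_check {
    port = "80"
  }
}

# instance template
resource "google_compute_instance_template" "default" {
  name         = "tcp-proxy-xlb-mig-template"
  provider     = google-beta
  machine_type = "e2-small"
  # Selects the instances for the health-check firewall rule below.
  tags         = ["allow-health-check"]

  network_interface {
    network    = google_compute_network.default.id
    subnetwork = google_compute_subnetwork.default.id

    access_config {
      # add external ip to fetch packages
      # (Cloud NAT is the alternative if the instances must stay private.)
    }
  }

  disk {
    source_image = "debian-cloud/debian-10"
    auto_delete  = true
    boot         = true
  }

  # install nginx and serve a simple web page
  #
  # NOTE(review): the page prints every instance metadata attribute except
  # startup-script to anyone who reaches the load balancer. Demo only: keep
  # secrets out of instance metadata and drop this before real use.
  metadata = {
    startup-script = <<-EOF1
      #! /bin/bash
      set -euo pipefail
      export DEBIAN_FRONTEND=noninteractive
      apt-get update
      apt-get install -y nginx-light jq
      NAME=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/hostname")
      IP=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip")
      METADATA=$(curl -f -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=True" | jq 'del(.["startup-script"])')
      cat <<EOF > /var/www/html/index.html
      <pre>
      Name: $NAME
      IP: $IP
      Metadata: $METADATA
      </pre>
      EOF
    EOF1
  }

  lifecycle {
    create_before_destroy = true
  }
}

# MIG
resource "google_compute_instance_group_manager" "default" {
  name     = "tcp-proxy-xlb-mig1"
  provider = google-beta
  zone     = "us-central1-c"

  # Referenced by the backend service's port_name.
  named_port {
    name = "tcp"
    port = 80
  }

  version {
    instance_template = google_compute_instance_template.default.id
    name              = "primary"
  }

  base_instance_name = "vm"
  target_size        = 2
}

# allow access from health check ranges
#
# Limited to TCP/80: that is both the health-check port and the MIG's named
# port, so nothing else on the instances is reachable from these ranges.
resource "google_compute_firewall" "default" {
  name          = "tcp-proxy-xlb-fw-allow-hc"
  provider      = google-beta
  direction     = "INGRESS"
  network       = google_compute_network.default.id
  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]

  allow {
    protocol = "tcp"
    ports    = ["80"]
  }

  target_tags = ["allow-health-check"]
}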
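# External HTTP load balancer with a CDN-enabled managed instance group backend
# and custom request and response headers
#
# Path of a request: global forwarding rule (TCP/80) -> target HTTP proxy ->
# URL map -> backend service (HTTP, CDN on) -> MIG instances running nginx.

# VPC
resource "google_compute_network" "default" {
  name                    = "l7-xlb-network"
  provider                = google-beta
  auto_create_subnetworks = false
}

# backend subnet
resource "google_compute_subnetwork" "default" {
  name          = "l7-xlb-subnet"
  provider      = google-beta
  ip_cidr_range = "10.0.1.0/24"
  region        = "us-central1"
  network       = google_compute_network.default.id
}

# reserved IP address
resource "google_compute_global_address" "default" {
  provider = google-beta
  name     = "l7-xlb-static-ip"
}

# forwarding rule
resource "google_compute_global_forwarding_rule" "default" {
  name                  = "l7-xlb-forwarding-rule"
  provider              = google-beta
  ip_protocol           = "TCP"
  load_balancing_scheme = "EXTERNAL"
  port_range            = "80"
  target                = google_compute_target_http_proxy.default.id
  ip_address            = google_compute_global_address.default.id
}

# http proxy
resource "google_compute_target_http_proxy" "default" {
  name     = "l7-xlb-target-http-proxy"
  provider = google-beta
  url_map  = google_compute_url_map.default.id
}

# url map
resource "google_compute_url_map" "default" {
  name            = "l7-xlb-url-map"
  provider        = google-beta
  default_service = google_compute_backend_service.default.id
}

# backend service with custom request and response headers
resource "google_compute_backend_service" "default" {
  name                  = "l7-xlb-backend-service"
  provider              = google-beta
  protocol              = "HTTP"
  # Must name a named_port that exists on the MIG; the MIG below declares
  # "http" (the original example used "my-port", which nothing defines).
  port_name             = "http"
  load_balancing_scheme = "EXTERNAL"
  timeout_sec           = 10
  # With CDN on, cacheable backend responses — including the demo page below,
  # which prints instance metadata — can be served from the edge.
  enable_cdn            = true
  custom_request_headers  = ["X-Client-Geo-Location: {client_region_subdivision}, {client_city}"]
  custom_response_headers = ["X-Cache-Hit: {cdn_cache_status}"]
  health_checks         = [google_compute_health_check.default.id]

  backend {
    group           = google_compute_instance_group_manager.default.instance_group
    balancing_mode  = "UTILIZATION"
    capacity_scaler = 1.0
  }
}

# instance template
resource "google_compute_instance_template" "default" {
  name         = "l7-xlb-mig-template"
  provider     = google-beta
  machine_type = "e2-small"
  # Selects the instances for the health-check firewall rule below.
  tags         = ["allow-health-check"]

  network_interface {
    network    = google_compute_network.default.id
    subnetwork = google_compute_subnetwork.default.id

    access_config {
      # add external ip to fetch packages
      # (Cloud NAT is the alternative if the instances must stay private.)
    }
  }

  disk {
    source_image = "debian-cloud/debian-10"
    auto_delete  = true
    boot         = true
  }

  # install nginx and serve a simple web page
  #
  # NOTE(review): the page prints every instance metadata attribute except
  # startup-script to anyone who reaches the load balancer. Demo only: keep
  # secrets out of instance metadata and drop this before real use.
  metadata = {
    startup-script = <<-EOF1
      #! /bin/bash
      set -euo pipefail
      export DEBIAN_FRONTEND=noninteractive
      apt-get update
      apt-get install -y nginx-light jq
      NAME=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/hostname")
      IP=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip")
      METADATA=$(curl -f -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=True" | jq 'del(.["startup-script"])')
      cat <<EOF > /var/www/html/index.html
      <pre>
      Name: $NAME
      IP: $IP
      Metadata: $METADATA
      </pre>
      EOF
    EOF1
  }

  lifecycle {
    create_before_destroy = true
  }
}

# health check
# USE_SERVING_PORT resolves to the backend service's port_name -> the MIG's
# "http" named port.
resource "google_compute_health_check" "default" {
  name     = "l7-xlb-hc"
  provider = google-beta

  http_health_check {
    port_specification = "USE_SERVING_PORT"
  }
}

# MIG
resource "google_compute_instance_group_manager" "default" {
  name     = "l7-xlb-mig1"
  provider = google-beta
  zone     = "us-central1-c"

  # Referenced by the backend service's port_name. nginx-light listens on 80
  # and the startup script does not reconfigure it, so the named port is 80
  # (the original example pointed at 8080, where nothing listens).
  named_port {
    name = "http"
    port = 80
  }

  version {
    instance_template = google_compute_instance_template.default.id
    name              = "primary"
  }

  base_instance_name = "vm"
  target_size        = 2
}

# allow access from health check ranges
#
# Limited to TCP/80, the serving port, so nothing else on the instances is
# reachable from these ranges.
resource "google_compute_firewall" "default" {
  name          = "l7-xlb-fw-allow-hc"
  provider      = google-beta
  direction     = "INGRESS"
  network       = google_compute_network.default.id
  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]

  allow {
    protocol = "tcp"
    ports    = ["80"]
  }

  target_tags = ["allow-health-check"]
}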
# Minimal external HTTP example, listed from the backend outwards:
# health check -> backend service -> URL map -> target HTTP proxy ->
# global forwarding rule on port 80.

# Per-protocol HTTP health check; the other examples on this page use the
# protocol-agnostic google_compute_health_check resource instead.
resource "google_compute_http_health_check" "default" {
  name               = "check-backend"
  request_path       = "/"
  check_interval_sec = 1
  timeout_sec        = 1
}

# No backends are attached here; the example only wires the LB front end.
resource "google_compute_backend_service" "default" {
  name          = "backend"
  port_name     = "http"
  protocol      = "HTTP"
  timeout_sec   = 10
  health_checks = [google_compute_http_health_check.default.id]
}

# Every host and path resolves to the single backend service.
resource "google_compute_url_map" "default" {
  name            = "url-map-target-proxy"
  description     = "a description"
  default_service = google_compute_backend_service.default.id

  host_rule {
    hosts        = ["mysite.com"]
    path_matcher = "allpaths"
  }

  path_matcher {
    name            = "allpaths"
    default_service = google_compute_backend_service.default.id

    path_rule {
      paths   = ["/*"]
      service = google_compute_backend_service.default.id
    }
  }
}

resource "google_compute_target_http_proxy" "default" {
  name        = "target-proxy"
  description = "a description"
  url_map     = google_compute_url_map.default.id
}

# load_balancing_scheme is omitted, so the provider default (EXTERNAL) applies.
resource "google_compute_global_forwarding_rule" "default" {
  name       = "global-rule"
  target     = google_compute_target_http_proxy.default.id
  port_range = "80"
}
# INTERNAL_SELF_MANAGED example: the forwarding rule hands routing
# configuration to xDS clients that present matching node metadata.

# Image and instance template for the backend MIG.
data "google_compute_image" "debian_image" {
  provider = google-beta
  family   = "debian-11"
  project  = "debian-cloud"
}

# NOTE(review): this template has no tags and this example defines no
# firewall rule for the health-check ranges; it relies on whatever rules the
# "default" network already has — confirm before reuse.
resource "google_compute_instance_template" "instance_template" {
  provider     = google-beta
  name         = "template-backend"
  machine_type = "e2-medium"

  network_interface {
    network = "default"
  }

  disk {
    source_image = data.google_compute_image.debian_image.self_link
    auto_delete  = true
    boot         = true
  }
}

resource "google_compute_instance_group_manager" "igm" {
  provider = google-beta
  name     = "igm-internal"
  zone     = "us-central1-f"

  version {
    instance_template = google_compute_instance_template.instance_template.id
    name              = "primary"
  }

  base_instance_name = "internal-glb"
  target_size        = 1
}

# TCP check on port 80; nothing in this template installs a listener there,
# so the example as written is a skeleton rather than a serving setup.
resource "google_compute_health_check" "default" {
  provider           = google-beta
  name               = "check-backend"
  check_interval_sec = 1
  timeout_sec        = 1

  tcp_health_check {
    port = "80"
  }
}

resource "google_compute_backend_service" "default" {
  provider              = google-beta
  name                  = "backend"
  port_name             = "http"
  protocol              = "HTTP"
  timeout_sec           = 10
  load_balancing_scheme = "INTERNAL_SELF_MANAGED"
  health_checks         = [google_compute_health_check.default.id]

  backend {
    group                 = google_compute_instance_group_manager.igm.instance_group
    balancing_mode        = "RATE"
    capacity_scaler       = 0.4
    max_rate_per_instance = 50
  }
}

resource "google_compute_url_map" "default" {
  provider        = google-beta
  name            = "url-map-target-proxy"
  description     = "a description"
  default_service = google_compute_backend_service.default.id

  host_rule {
    hosts        = ["mysite.com"]
    path_matcher = "allpaths"
  }

  path_matcher {
    name            = "allpaths"
    default_service = google_compute_backend_service.default.id

    path_rule {
      paths   = ["/*"]
      service = google_compute_backend_service.default.id
    }
  }
}

resource "google_compute_target_http_proxy" "default" {
  provider    = google-beta
  name        = "target-proxy"
  description = "a description"
  url_map     = google_compute_url_map.default.id
}

# ip_address "0.0.0.0" is the wildcard used with INTERNAL_SELF_MANAGED here.
# The metadata filter only releases this rule's routing configuration to
# xDS clients whose node metadata carries PLANET=MARS (MATCH_ANY).
resource "google_compute_global_forwarding_rule" "default" {
  provider              = google-beta
  name                  = "global-rule"
  target                = google_compute_target_http_proxy.default.id
  port_range            = "80"
  load_balancing_scheme = "INTERNAL_SELF_MANAGED"
  ip_address            = "0.0.0.0"

  metadata_filters {
    filter_match_criteria = "MATCH_ANY"

    filter_labels {
      name  = "PLANET"
      value = "MARS"
    }
  }
}
# EXTERNAL_MANAGED example, listed from the backend outwards. The scheme is
# set on both the forwarding rule and the backend service.

# Skeleton backend service: no backends and no health check are attached.
resource "google_compute_backend_service" "default" {
  name                  = "backend"
  port_name             = "http"
  protocol              = "HTTP"
  timeout_sec           = 10
  load_balancing_scheme = "EXTERNAL_MANAGED"
}

resource "google_compute_url_map" "default" {
  name            = "url-map-target-proxy"
  description     = "a description"
  default_service = google_compute_backend_service.default.id

  host_rule {
    hosts        = ["mysite.com"]
    path_matcher = "allpaths"
  }

  path_matcher {
    name            = "allpaths"
    default_service = google_compute_backend_service.default.id

    path_rule {
      paths   = ["/*"]
      service = google_compute_backend_service.default.id
    }
  }
}

resource "google_compute_target_http_proxy" "default" {
  name        = "target-proxy"
  description = "a description"
  url_map     = google_compute_url_map.default.id
}

resource "google_compute_global_forwarding_rule" "default" {
  name                  = "global-rule"
  target                = google_compute_target_http_proxy.default.id
  port_range            = "80"
  load_balancing_scheme = "EXTERNAL_MANAGED"
}
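// Roughly mirrors https://cloud.google.com/load-balancing/docs/https/setting-up-ext-https-hybrid
//
// Two backend services sit behind one URL map: "/hybrid" goes to a hybrid
// connectivity NEG, everything else to a zonal GCE_VM_IP_PORT NEG.

variable "subnetwork_cidr" {
  default = "10.0.0.0/24"
}

// Auto-mode network used by the zonal and hybrid NEGs.
resource "google_compute_network" "default" {
  name = "my-network"
}

resource "google_compute_network" "internal" {
  name                    = "my-internal-network"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "internal" {
  name                     = "my-subnetwork"
  network                  = google_compute_network.internal.id
  ip_cidr_range            = var.subnetwork_cidr
  region                   = "us-central1"
  private_ip_google_access = true
}

// Zonal NEG with GCE_VM_IP_PORT
resource "google_compute_network_endpoint_group" "default" {
  name                  = "default-neg"
  network               = google_compute_network.default.id
  default_port          = "90"
  zone                  = "us-central1-a"
  network_endpoint_type = "GCE_VM_IP_PORT"
}

// Zonal NEG with GCE_VM_IP
// NOTE(review): no backend service in this example references this NEG.
resource "google_compute_network_endpoint_group" "internal" {
  name                  = "internal-neg"
  network               = google_compute_network.internal.id
  subnetwork            = google_compute_subnetwork.internal.id
  zone                  = "us-central1-a"
  network_endpoint_type = "GCE_VM_IP"
}

// Hybrid connectivity NEG
resource "google_compute_network_endpoint_group" "hybrid" {
  name                  = "hybrid-neg"
  network               = google_compute_network.default.id
  default_port          = "90"
  zone                  = "us-central1-a"
  network_endpoint_type = "NON_GCP_PRIVATE_IP_PORT"
}

// 127.0.0.1 is a placeholder; a real deployment registers the private IP of
// the non-GCP endpoint here.
resource "google_compute_network_endpoint" "hybrid-endpoint" {
  network_endpoint_group = google_compute_network_endpoint_group.hybrid.name
  port                   = google_compute_network_endpoint_group.hybrid.default_port
  ip_address             = "127.0.0.1"
}

// Backend service for Zonal NEG
resource "google_compute_backend_service" "default" {
  name        = "backend-default"
  port_name   = "http"
  protocol    = "HTTP"
  timeout_sec = 10

  backend {
    group                 = google_compute_network_endpoint_group.default.id
    balancing_mode        = "RATE"
    max_rate_per_endpoint = 10
  }

  health_checks = [google_compute_health_check.default.id]
}

// Backend service for Hybrid NEG
resource "google_compute_backend_service" "hybrid" {
  name        = "backend-hybrid"
  port_name   = "http"
  protocol    = "HTTP"
  timeout_sec = 10

  backend {
    group                 = google_compute_network_endpoint_group.hybrid.id
    balancing_mode        = "RATE"
    max_rate_per_endpoint = 10
  }

  health_checks = [google_compute_health_check.default.id]
}

// Shared by both backend services.
// NOTE(review): this checks TCP port 80 while both NEGs default to port 90 —
// confirm which port the endpoints actually serve on.
resource "google_compute_health_check" "default" {
  name               = "health-check"
  timeout_sec        = 1
  check_interval_sec = 1

  tcp_health_check {
    port = "80"
  }
}

resource "google_compute_url_map" "default" {
  name            = "url-map-target-proxy"
  description     = "a description"
  default_service = google_compute_backend_service.default.id

  host_rule {
    hosts        = ["mysite.com"]
    path_matcher = "allpaths"
  }

  path_matcher {
    name            = "allpaths"
    default_service = google_compute_backend_service.default.id

    path_rule {
      paths   = ["/*"]
      service = google_compute_backend_service.default.id
    }

    // The more specific /hybrid rule routes to the hybrid backend.
    path_rule {
      paths   = ["/hybrid"]
      service = google_compute_backend_service.hybrid.id
    }
  }
}

resource "google_compute_target_http_proxy" "default" {
  name        = "target-proxy"
  description = "a description"
  url_map     = google_compute_url_map.default.id
}

resource "google_compute_global_forwarding_rule" "default" {
  name       = "global-rule"
  target     = google_compute_target_http_proxy.default.id
  port_range = "80"
}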
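# Global Internal HTTP load balancer with a managed instance group backend
#
# Path of a request: internal forwarding rule (TCP/80, INTERNAL_MANAGED) ->
# target HTTP proxy (Envoy, in the proxy-only subnet) -> URL map -> backend
# service -> MIG instances running nginx. A test VM in the backend subnet is
# provided to exercise the internal address.

# VPC network
resource "google_compute_network" "gilb_network" {
  name                    = "l7-gilb-network"
  provider                = google-beta
  auto_create_subnetworks = false
}

# proxy-only subnet
resource "google_compute_subnetwork" "proxy_subnet" {
  name          = "l7-gilb-proxy-subnet"
  provider      = google-beta
  ip_cidr_range = "10.0.0.0/24"
  region        = "europe-west1"
  purpose       = "GLOBAL_MANAGED_PROXY"
  role          = "ACTIVE"
  network       = google_compute_network.gilb_network.id
}

# backend subnet
resource "google_compute_subnetwork" "gilb_subnet" {
  name          = "l7-gilb-subnet"
  provider      = google-beta
  ip_cidr_range = "10.0.1.0/24"
  region        = "europe-west1"
  network       = google_compute_network.gilb_network.id
}

# forwarding rule
# depends_on forces the proxy-only subnet to exist before the rule is created;
# the rule does not reference it directly.
resource "google_compute_global_forwarding_rule" "google_compute_forwarding_rule" {
  name                  = "l7-gilb-forwarding-rule"
  provider              = google-beta
  depends_on            = [google_compute_subnetwork.proxy_subnet]
  ip_protocol           = "TCP"
  load_balancing_scheme = "INTERNAL_MANAGED"
  port_range            = "80"
  target                = google_compute_target_http_proxy.default.id
  network               = google_compute_network.gilb_network.id
  subnetwork            = google_compute_subnetwork.gilb_subnet.id
}

# HTTP target proxy
resource "google_compute_target_http_proxy" "default" {
  name     = "l7-gilb-target-http-proxy"
  provider = google-beta
  url_map  = google_compute_url_map.default.id
}

# URL map
resource "google_compute_url_map" "default" {
  name            = "l7-gilb-url-map"
  provider        = google-beta
  default_service = google_compute_backend_service.default.id
}

# backend service
resource "google_compute_backend_service" "default" {
  name                  = "l7-gilb-backend-subnet"
  provider              = google-beta
  protocol              = "HTTP"
  load_balancing_scheme = "INTERNAL_MANAGED"
  timeout_sec           = 10
  health_checks         = [google_compute_health_check.default.id]

  backend {
    group           = google_compute_instance_group_manager.mig.instance_group
    balancing_mode  = "UTILIZATION"
    capacity_scaler = 1.0
  }
}

# instance template
resource "google_compute_instance_template" "instance_template" {
  name         = "l7-gilb-mig-template"
  provider     = google-beta
  machine_type = "e2-small"
  # Selects the instances for the proxy-to-backend firewall rule below.
  tags         = ["http-server"]

  network_interface {
    network    = google_compute_network.gilb_network.id
    subnetwork = google_compute_subnetwork.gilb_subnet.id

    access_config {
      # add external ip to fetch packages
      # (Cloud NAT is the alternative if the instances must stay private.)
    }
  }

  disk {
    source_image = "debian-cloud/debian-10"
    auto_delete  = true
    boot         = true
  }

  # install nginx and serve a simple web page
  #
  # NOTE(review): the page prints every instance metadata attribute except
  # startup-script to any client of the load balancer. Demo only: keep
  # secrets out of instance metadata and drop this before real use.
  metadata = {
    startup-script = <<-EOF1
      #! /bin/bash
      set -euo pipefail
      export DEBIAN_FRONTEND=noninteractive
      apt-get update
      apt-get install -y nginx-light jq
      NAME=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/hostname")
      IP=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip")
      METADATA=$(curl -f -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=True" | jq 'del(.["startup-script"])')
      cat <<EOF > /var/www/html/index.html
      <pre>
      Name: $NAME
      IP: $IP
      Metadata: $METADATA
      </pre>
      EOF
    EOF1
  }

  lifecycle {
    create_before_destroy = true
  }
}

# health check
# NOTE(review): USE_SERVING_PORT resolves through the backend service's
# port_name, and neither a port_name nor a MIG named_port is declared here —
# confirm the serving port resolves to 80 (where nginx listens).
resource "google_compute_health_check" "default" {
  name     = "l7-gilb-hc"
  provider = google-beta

  http_health_check {
    port_specification = "USE_SERVING_PORT"
  }
}

# MIG
resource "google_compute_instance_group_manager" "mig" {
  name     = "l7-gilb-mig1"
  provider = google-beta
  zone     = "europe-west1-b"

  version {
    instance_template = google_compute_instance_template.instance_template.id
    name              = "primary"
  }

  base_instance_name = "vm"
  target_size        = 2
}

# allow access from IAP and health check ranges
#
# This rule has no target_tags, so it applies to every instance in the
# network (including the test VM). It is limited to SSH (22, for IAP TCP
# forwarding) and the serving ports the proxy-to-backend rule below already
# permits, instead of every TCP port.
resource "google_compute_firewall" "fw-iap" {
  name          = "l7-gilb-fw-allow-iap-hc"
  provider      = google-beta
  direction     = "INGRESS"
  network       = google_compute_network.gilb_network.id
  source_ranges = ["130.211.0.0/22", "35.191.0.0/16", "35.235.240.0/20"]

  allow {
    protocol = "tcp"
    ports    = ["22", "80", "443", "8080"]
  }
}

# allow http from proxy subnet to backends
resource "google_compute_firewall" "fw-gilb-to-backends" {
  name          = "l7-gilb-fw-allow-gilb-to-backends"
  provider      = google-beta
  direction     = "INGRESS"
  network       = google_compute_network.gilb_network.id
  source_ranges = ["10.0.0.0/24"]
  target_tags   = ["http-server"]

  allow {
    protocol = "tcp"
    ports    = ["80", "443", "8080"]
  }
}

# test instance
# Has no external address; reach it through IAP TCP forwarding (hence the
# 35.235.240.0/20 range above) and curl the internal forwarding rule from it.
resource "google_compute_instance" "vm-test" {
  name         = "l7-gilb-test-vm"
  provider     = google-beta
  zone         = "europe-west1-b"
  machine_type = "e2-small"

  network_interface {
    network    = google_compute_network.gilb_network.id
    subnetwork = google_compute_subnetwork.gilb_subnet.id
  }

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-10"
    }
  }
}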
# Private Service Connect endpoint for Google APIs, registered in Service
# Directory. The forwarding rule targets the "all-apis" bundle rather than a
# load balancer.

# "my-project-name" is a placeholder project id; every resource below
# inherits the project from this network.
resource "google_compute_network" "network" {
  provider                = google-beta
  project                 = "my-project-name"
  name                    = "my-network"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "vpc_subnetwork" {
  provider                 = google-beta
  project                  = google_compute_network.network.project
  name                     = "my-subnetwork"
  ip_cidr_range            = "10.2.0.0/16"
  region                   = "us-central1"
  network                  = google_compute_network.network.id
  private_ip_google_access = true
}

# Internal address the PSC endpoint answers on inside the VPC.
resource "google_compute_global_address" "default" {
  provider     = google-beta
  project      = google_compute_network.network.project
  name         = "global-psconnect-ip"
  address_type = "INTERNAL"
  purpose      = "PRIVATE_SERVICE_CONNECT"
  network      = google_compute_network.network.id
  address      = "100.100.100.106"
}

# Rule names for PSC-to-Google-APIs must be 1-20 lowercase letters/digits
# starting with a letter ("globalrule" qualifies). load_balancing_scheme is
# set to the empty string for this kind of rule, as on the other PSC example.
resource "google_compute_global_forwarding_rule" "default" {
  provider              = google-beta
  project               = google_compute_network.network.project
  name                  = "globalrule"
  target                = "all-apis"
  network               = google_compute_network.network.id
  ip_address            = google_compute_global_address.default.id
  load_balancing_scheme = ""

  service_directory_registrations {
    namespace                = "sd-namespace"
    service_directory_region = "europe-west3"
  }
}
# Private Service Connect endpoint for Google APIs with automatic DNS zone
# creation left enabled (no_automate_dns_zone = false).

# "my-project-name" is a placeholder project id; every resource below
# inherits the project from this network.
resource "google_compute_network" "network" {
  provider                = google-beta
  project                 = "my-project-name"
  name                    = "my-network"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "vpc_subnetwork" {
  provider                 = google-beta
  project                  = google_compute_network.network.project
  name                     = "my-subnetwork"
  ip_cidr_range            = "10.2.0.0/16"
  region                   = "us-central1"
  network                  = google_compute_network.network.id
  private_ip_google_access = true
}

# Internal address the PSC endpoint answers on inside the VPC.
resource "google_compute_global_address" "default" {
  provider     = google-beta
  project      = google_compute_network.network.project
  name         = "global-psconnect-ip"
  address_type = "INTERNAL"
  purpose      = "PRIVATE_SERVICE_CONNECT"
  network      = google_compute_network.network.id
  address      = "100.100.100.106"
}

# Same rule as the Service Directory example, minus the registration block.
# no_automate_dns_zone only matters for PSC consumer rules; false keeps the
# automatic DNS zone behaviour.
resource "google_compute_global_forwarding_rule" "default" {
  provider              = google-beta
  project               = google_compute_network.network.project
  name                  = "globalrule"
  target                = "all-apis"
  network               = google_compute_network.network.id
  ip_address            = google_compute_global_address.default.id
  load_balancing_scheme = ""
  no_automate_dns_zone  = false
}
The following arguments are supported:
name
-
(Required)
Name of the resource; provided by the client when the resource is created.
The name must be 1-63 characters long, and comply with
RFC1035.
Specifically, the name must be 1-63 characters long and match the regular
expression [a-z]([-a-z0-9]*[a-z0-9])?
which means the first
character must be a lowercase letter, and all following characters must
be a dash, lowercase letter, or digit, except the last character, which
cannot be a dash.
For Private Service Connect forwarding rules that forward traffic to Google
APIs, the forwarding rule name must be a 1-20 characters string with
lowercase letters and numbers and must start with a letter.
target
-
(Required)
The URL of the target resource to receive the matched traffic. For
regional forwarding rules, this target must be in the same region as the
forwarding rule. For global forwarding rules, this target must be a global
load balancing resource.
The forwarded traffic must be of a type appropriate to the target object.
vpc-sc - APIs that support VPC Service Controls.
all-apis - All supported Google APIs.
For Private Service Connect forwarding rules that forward traffic to managed services, the target must be a service attachment.
ip_address
-
(Optional)
Otherwise, you can optionally specify an IP address that references an existing static (reserved) IP address resource. When omitted, Google Cloud assigns an ephemeral IP address. Use one of the following formats to specify an IP address while creating a forwarding rule:
100.1.2.3
2600:1234::/96
https://www.googleapis.com/compute/v1/projects/project_id/regions/region/addresses/address-name
projects/project_id/regions/region/addresses/address-name
regions/region/addresses/address-name
global/addresses/address-name
address-name
The forwarding rule's target
,
and in most cases, also the loadBalancingScheme
, determine the
type of IP address that you can use. For detailed information, see
IP address
specifications.
When reading an IPAddress
, the API always returns the IP
address number.
ip_protocol
-
(Optional)
The IP protocol to which this rule applies.
For protocol forwarding, valid
options are TCP
, UDP
, ESP
,
AH
, SCTP
, ICMP
and
L3_DEFAULT
.
The valid IP protocols are different for different load balancing products
as described in Load balancing
features.
Possible values are: TCP
, UDP
, ESP
, AH
, SCTP
, ICMP
.
ip_version
-
(Optional)
The IP Version that will be used by this global forwarding rule.
Possible values are: IPV4
, IPV6
.
labels
-
(Optional)
Labels to apply to this forwarding rule. A list of key->value pairs.
Note: This field is non-authoritative, and will only manage the labels present in your configuration.
Please refer to the field effective_labels
for all of the labels present on the resource.
load_balancing_scheme
-
(Optional)
Specifies the forwarding rule type.
For more information about forwarding rules, refer to
Forwarding rule concepts.
Default value is EXTERNAL
.
Possible values are: EXTERNAL
, EXTERNAL_MANAGED
, INTERNAL_MANAGED
, INTERNAL_SELF_MANAGED
.
metadata_filters
-
(Optional)
Opaque filter criteria used by Loadbalancer to restrict routing
configuration to a limited set xDS compliant clients. In their xDS
requests to Loadbalancer, xDS clients present node metadata. If a
match takes place, the relevant routing configuration is made available
to those proxies.
For each metadataFilter in this list, if its filterMatchCriteria is set
to MATCH_ANY, at least one of the filterLabels must match the
corresponding label provided in the metadata. If its filterMatchCriteria
is set to MATCH_ALL, then all of its filterLabels must match with
corresponding labels in the provided metadata.
metadataFilters specified here can be overridden by those specified in
the UrlMap that this ForwardingRule references.
metadataFilters only applies to Loadbalancers that have their
loadBalancingScheme set to INTERNAL_SELF_MANAGED.
Structure is documented below.
network
-
(Optional)
This field is not used for external load balancing.
For Internal TCP/UDP Load Balancing, this field identifies the network that
the load balanced IP should belong to for this Forwarding Rule.
If the subnetwork is specified, the network of the subnetwork will be used.
If neither subnetwork nor this field is specified, the default network will
be used.
For Private Service Connect forwarding rules that forward traffic to Google
APIs, a network must be provided.
port_range
-
(Optional)
The portRange field has the following limitations: IPProtocol must be TCP, UDP, or SCTP, and two or more forwarding rules cannot use the same [IPAddress, IPProtocol] pair and cannot have overlapping portRanges.
For internal forwarding rules within the same VPC network, two or more forwarding rules cannot use the same [IPAddress, IPProtocol] pair, and cannot have overlapping portRanges.
@pattern: \d+(?:-\d+)?
subnetwork
-
(Optional)
This field identifies the subnetwork that the load balanced IP should
belong to for this Forwarding Rule, used in internal load balancing and
network load balancing with IPv6.
If the network specified is in auto subnet mode, this field is optional.
However, a subnetwork must be specified if the network is in custom subnet
mode or when creating an external forwarding rule with IPv6.
service_directory_registrations
-
(Optional)
Service Directory resources to register this forwarding rule with.
Currently, only supports a single Service Directory resource.
Structure is documented below.
source_ip_ranges
-
(Optional)
If not empty, this Forwarding Rule will only forward the traffic when the source IP address matches one of the IP addresses or CIDR ranges set here. Note that a Forwarding Rule can only have up to 64 source IP ranges, and this field can only be used with a regional Forwarding Rule whose scheme is EXTERNAL. Each sourceIpRange entry should be either an IP address (for example, 1.2.3.4) or a CIDR range (for example, 1.2.3.0/24).
allow_psc_global_access
-
(Optional, Beta)
This is used in a PSC consumer ForwardingRule to control whether the PSC endpoint can be accessed from another region.
no_automate_dns_zone
-
(Optional)
This is used in a PSC consumer ForwardingRule to control whether it should try to auto-generate a DNS zone or not. Non-PSC forwarding rules do not use this field.
project
- (Optional) The ID of the project in which the resource belongs.
If it is not provided, the provider project is used.
The metadata_filters
block supports:
filter_match_criteria
-
(Required)
Specifies how individual filterLabel matches within the list of
filterLabels contribute towards the overall metadataFilter match.
MATCH_ANY - At least one of the filterLabels must have a matching
label in the provided metadata.
MATCH_ALL - All filterLabels must have matching labels in the
provided metadata.
Possible values are: MATCH_ANY, MATCH_ALL.
filter_labels
-
(Required)
The list of label value pairs that must match labels in the
provided metadata based on filterMatchCriteria.
This list must not be empty and can have at most 64 entries.
Structure is documented below.
The filter_labels
block supports:
name
-
(Required)
Name of the metadata label. The length must be between
1 and 1024 characters, inclusive.
value
-
(Required)
The value that the label must match. The value has a maximum
length of 1024 characters.
The service_directory_registrations
block supports:
namespace
-
(Optional)
Service Directory namespace to register the forwarding rule under.
service_directory_region
-
(Optional)
Service Directory region to register this global forwarding rule under.
Defaults to "us-central1". Only used for PSC for Google APIs. All PSC for
Google APIs Forwarding Rules on the same network should use the same Service
Directory region.
In addition to the arguments listed above, the following computed attributes are exported:
id
- an identifier for the resource with format projects/{{project}}/global/forwardingRules/{{name}}
psc_connection_id
-
The PSC connection id of the PSC Forwarding Rule.
psc_connection_status
-
The PSC connection status of the PSC Forwarding Rule. Possible values: STATUS_UNSPECIFIED, PENDING, ACCEPTED, REJECTED, CLOSED.
label_fingerprint
-
The fingerprint used for optimistic locking of this resource. Used
internally during updates.
base_forwarding_rule
-
[Output Only] The URL for the corresponding base Forwarding Rule. By base Forwarding Rule, we mean the Forwarding Rule that has the same IP address, protocol, and port settings with the current Forwarding Rule, but without sourceIPRanges specified. Always empty if the current Forwarding Rule does not have sourceIPRanges specified.
terraform_labels
-
The combination of labels configured directly on the resource
and default labels configured on the provider.
effective_labels
-
All labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services.
self_link
- The URI of the created resource.
This resource provides the following Timeouts configuration options:
create
- Default is 20 minutes.
update
- Default is 20 minutes.
delete
- Default is 20 minutes.
GlobalForwardingRule can be imported using any of these accepted formats:
projects/{{project}}/global/forwardingRules/{{name}}
{{project}}/{{name}}
{{name}}
In Terraform v1.5.0 and later, use an import
block to import GlobalForwardingRule using one of the formats above. For example:
# Import an existing GlobalForwardingRule into state (Terraform v1.5.0+).
# Replace {{project}} and {{name}} with the target project ID and
# forwarding rule name; any of the accepted id formats listed above works.
import {
id = "projects/{{project}}/global/forwardingRules/{{name}}"
# Resource address in configuration that will own the imported object.
to = google_compute_global_forwarding_rule.default
}
When using the terraform import
command, GlobalForwardingRule can be imported using one of the formats above. For example:
$ terraform import google_compute_global_forwarding_rule.default projects/{{project}}/global/forwardingRules/{{name}}
$ terraform import google_compute_global_forwarding_rule.default {{project}}/{{name}}
$ terraform import google_compute_global_forwarding_rule.default {{name}}
This resource supports User Project Overrides.