GCP Network Specialty: Complete Load Balancer Guide

📋 Table of Contents

Introduction & Overview
Load Balancer Decision Tree
Architecture Overview
External Load Balancers
Internal Load Balancers
Advanced Features
Networking Concepts
Monitoring & Troubleshooting
Practical Scenarios
Best Practices

🚀 Introduction: The Traffic Orchestrators of Google Cloud

Load balancers are the unsung heroes of modern cloud architecture. They act as intelligent traffic orchestrators, distributing incoming requests across multiple backend instances to ensure optimal performance, high availability, and seamless scaling. Google Cloud's load balancing portfolio is both comprehensive and sophisticated, offering solutions for every architectural pattern from simple regional deployments to complex global multi-tier applications.

🏗️ Why Load Balancers Matter

🎯 High Availability

Distribute traffic across healthy instances, automatically routing around failures

📈 Scalability

Handle traffic spikes by distributing load across multiple backend resources

🌍 Global Reach

Use Anycast IPs to route users to the nearest healthy backend automatically

🔒 Security

Integrate with Cloud Armor for DDoS protection and WAF capabilities

graph TD A[Internet Users] --> B[GCP Load Balancer] B --> C[Backend Service 1] B --> D[Backend Service 2] B --> E[Backend Service 3] C --> F[Instance Group 1] D --> G[Instance Group 2] E --> H[Instance Group 3] style A fill:#e1f5fe style B fill:#4285f4,color:#fff style C fill:#34a853,color:#fff style D fill:#34a853,color:#fff style E fill:#34a853,color:#fff

🌳 The GCP Load Balancer Decision Tree

The key to mastering GCP load balancers is understanding the decision matrix. Every choice flows from three fundamental questions that determine the optimal load balancer for your specific use case.

graph TD START[Start: Need Load Balancer] --> Q1{Traffic Source?} Q1 -->|Internet| EXT[External Load Balancer] Q1 -->|VPC/Internal| INT[Internal Load Balancer] EXT --> Q2{Global or Regional?} Q2 -->|Global| GLOBAL[Global Load Balancer] Q2 -->|Regional| REGIONAL[Regional Load Balancer] GLOBAL --> Q3{Protocol?} Q3 -->|HTTP/HTTPS| GHTTP[Global External HTTP/S LB] Q3 -->|TCP with SSL| GSSL[External SSL Proxy LB] Q3 -->|TCP without SSL| GTCP[External TCP Proxy LB] REGIONAL --> Q4{Protocol?} Q4 -->|TCP/UDP/Other L4| REXT[Regional External LB] INT --> Q5{Layer 7 or Layer 4?} Q5 -->|Layer 7 HTTP/S| L7INT[Internal HTTP/S LB] Q5 -->|Layer 4 TCP/UDP| L4INT[Internal TCP/UDP LB] L7INT --> Q6{Regional or Cross-Region?} Q6 -->|Regional| RINT[Regional Internal HTTP/S LB] Q6 -->|Cross-Region| CINT[Cross-Region Internal HTTP/S LB] style START fill:#e8f5e8 style GHTTP fill:#4285f4,color:#fff style GSSL fill:#4285f4,color:#fff style GTCP fill:#4285f4,color:#fff style REXT fill:#34a853,color:#fff style RINT fill:#ea4335,color:#fff style CINT fill:#ea4335,color:#fff style L4INT fill:#fbbc04,color:#000

🎯 Quick Decision Guide

1. Is my traffic coming from the Internet OR from within my VPC?
- From the Internet → EXTERNAL Load Balancer
  - 2. Is my application GLOBAL or REGIONAL?
    - Global deployment (backends in multiple regions):
      - 3. What is the protocol?
        
        HTTP or HTTPS → Global External HTTPS Load Balancer
        
        TCP with SSL Offload → External SSL Proxy Load Balancer
        
        TCP without SSL Offload → External TCP Proxy Load Balancer
    - Regional deployment (backends in one region):
      - 3. What is the protocol?
        
        TCP/UDP/ESP/GRE/ICMP (L4 pass-through) → Regional External Load Balancer
- From within my VPC/on-prem → INTERNAL Load Balancer
  - 2. Is my traffic Layer 7 (HTTP/S) or Layer 4 (TCP/UDP)?
    - Layer 7 (HTTP/S):
      - Need to send traffic to backends in one region → Regional Internal HTTP(S) Load Balancer
      - Need to send traffic to backends in multiple regions → Cross-region Internal HTTP(S) Load Balancer
    - Layer 4 (TCP/UDP):
      - All internal L4 traffic is regional → Regional Internal TCP/UDP Load Balancer

🏛️ Architecture Overview

Understanding the architectural patterns behind GCP load balancers is crucial for making informed decisions. Let's explore the fundamental concepts that differentiate each type.

graph TB subgraph "Global Architecture" GU[Global Users] --> GA[Anycast IP] GA --> GR1[Region 1] GA --> GR2[Region 2] GA --> GR3[Region 3] end subgraph "Regional Architecture" RU[Regional Users] --> RA[Regional IP] RA --> RR1[Single Region] RR1 --> RZ1[Zone 1] RR1 --> RZ2[Zone 2] end subgraph "Internal Architecture" IV[VPC Clients] --> ILB[Internal LB] ILB --> IB1[Backend 1] ILB --> IB2[Backend 2] end style GA fill:#4285f4,color:#fff style RA fill:#34a853,color:#fff style ILB fill:#ea4335,color:#fff

🔄 Proxy vs. Pass-through Architecture

🔗 Proxy-based (L7)

How it works: Load balancer terminates the client connection and establishes a new connection to the backend

Benefits: Rich L7 features, SSL offloading, advanced routing, header manipulation

Use cases: HTTP/HTTPS traffic, microservices, API gateways

⚡ Pass-through (L4)

How it works: Load balancer forwards packets directly to backends without terminating connections

Benefits: Lower latency, preserves client IP, supports any protocol

Use cases: Gaming, VoIP, custom protocols, high-performance applications

sequenceDiagram participant C as Client participant P as Proxy LB participant B as Backend Note over C,B: Proxy-based Load Balancer C->>P: HTTPS Request P->>P: SSL Termination P->>P: L7 Processing P->>B: HTTP Request (New Connection) B->>P: Response P->>C: HTTPS Response Note over C,B: Pass-through Load Balancer C->>P: TCP Packet P->>B: Forward Packet (Same Connection) B->>P: Response Packet P->>C: Forward Response

🌐 External Load Balancers Deep Dive

External load balancers handle traffic from the internet and are the front door to your applications. Each type is optimized for specific use cases and protocols.

🏆 Global External HTTPS Load Balancer

The flagship load balancer for global web applications. This is Google's most feature-rich offering, designed for modern web architectures.

graph TB subgraph "Global HTTPS Load Balancer Architecture" U1[User Asia] --> A[Anycast IP
35.x.x.x] U2[User Europe] --> A U3[User Americas] --> A A --> CDN[Cloud CDN
Edge Locations] CDN --> ARM[Cloud Armor
WAF/DDoS Protection] ARM --> URLM[URL Maps
Routing Rules] URLM --> BS1[Backend Service 1
us-central1] URLM --> BS2[Backend Service 2
europe-west1] URLM --> BS3[Backend Service 3
asia-east1] BS1 --> IG1[Instance Group 1] BS2 --> IG2[Instance Group 2] BS3 --> IG3[Instance Group 3] end style A fill:#4285f4,color:#fff style CDN fill:#34a853,color:#fff style ARM fill:#ea4335,color:#fff style URLM fill:#fbbc04,color:#000

🔧 Create Global External HTTPS Load Balancer

# Create instance template
gcloud compute instance-templates create web-server-template \
    --machine-type=e2-medium \
    --network-interface=network-tier=PREMIUM,subnet=default \
    --maintenance-policy=MIGRATE \
    --tags=http-server,https-server \
    --image-family=debian-11 \
    --image-project=debian-cloud \
    --boot-disk-size=20GB \
    --boot-disk-type=pd-standard \
    --metadata=startup-script='#!/bin/bash
apt-get update
apt-get install -y nginx
systemctl start nginx
systemctl enable nginx'

# Create managed instance groups in multiple regions
gcloud compute instance-groups managed create web-servers-us \
    --base-instance-name=web-server-us \
    --template=web-server-template \
    --size=2 \
    --zone=us-central1-a

gcloud compute instance-groups managed create web-servers-eu \
    --base-instance-name=web-server-eu \
    --template=web-server-template \
    --size=2 \
    --zone=europe-west1-b

# Set up autoscaling
gcloud compute instance-groups managed set-autoscaling web-servers-us \
    --zone=us-central1-a \
    --max-num-replicas=10 \
    --min-num-replicas=2 \
    --target-cpu-utilization=0.8

gcloud compute instance-groups managed set-autoscaling web-servers-eu \
    --zone=europe-west1-b \
    --max-num-replicas=10 \
    --min-num-replicas=2 \
    --target-cpu-utilization=0.8

# Create health check
gcloud compute health-checks create http web-health-check \
    --port=80 \
    --request-path=/health \
    --check-interval=30s \
    --healthy-threshold=2 \
    --unhealthy-threshold=3 \
    --timeout=10s

# Create backend service
gcloud compute backend-services create web-backend-service \
    --protocol=HTTP \
    --port-name=http \
    --health-checks=web-health-check \
    --global \
    --enable-cdn \
    --cache-mode=CACHE_ALL_STATIC

# Add backend groups
gcloud compute backend-services add-backend web-backend-service \
    --instance-group=web-servers-us \
    --instance-group-zone=us-central1-a \
    --balancing-mode=UTILIZATION \
    --max-utilization=0.8 \
    --capacity-scaler=1.0 \
    --global

gcloud compute backend-services add-backend web-backend-service \
    --instance-group=web-servers-eu \
    --instance-group-zone=europe-west1-b \
    --balancing-mode=UTILIZATION \
    --max-utilization=0.8 \
    --capacity-scaler=1.0 \
    --global

# Create URL map
gcloud compute url-maps create web-url-map \
    --default-service=web-backend-service

# Create SSL certificate
gcloud compute ssl-certificates create web-ssl-cert \
    --domains=example.com,www.example.com \
    --global

# Create target HTTPS proxy
gcloud compute target-https-proxies create web-https-proxy \
    --ssl-certificates=web-ssl-cert \
    --url-map=web-url-map

# Create global forwarding rule
gcloud compute forwarding-rules create web-https-forwarding-rule \
    --address=web-static-ip \
    --global \
    --target-https-proxy=web-https-proxy \
    --ports=443

# Create HTTP to HTTPS redirect
gcloud compute url-maps create web-redirect-map \
    --default-url-redirect-response-code=301 \
    --default-url-redirect-https-redirect

gcloud compute target-http-proxies create web-http-proxy \
    --url-map=web-redirect-map

gcloud compute forwarding-rules create web-http-forwarding-rule \
    --global \
    --target-http-proxy=web-http-proxy \
    --ports=80

🎯 Key Features

Anycast IP for global availability
SSL/TLS termination and offloading
URL-based routing and path matching
WebSocket support
HTTP/2 and gRPC support

🔗 Integrations

Cloud CDN for content caching
Cloud Armor for WAF and DDoS protection
Identity-Aware Proxy (IAP)
Custom error pages
Traffic splitting for A/B testing

🔐 External SSL Proxy Load Balancer

For global TCP traffic that requires SSL termination but isn't HTTP-based.

graph TB subgraph "SSL Proxy Load Balancer" CL[Global Clients] --> AP[Anycast IP] AP --> SSL[SSL Termination] SSL --> BS[Backend Service] BS --> IG1[Instance Group
us-central1] BS --> IG2[Instance Group
europe-west1] BS --> IG3[Instance Group
asia-east1] end style AP fill:#4285f4,color:#fff style SSL fill:#ea4335,color:#fff style BS fill:#34a853,color:#fff

🔧 Create SSL Proxy Load Balancer

# Create health check for TCP service
gcloud compute health-checks create tcp ssl-health-check \
    --port=443 \
    --check-interval=30s \
    --healthy-threshold=2 \
    --unhealthy-threshold=3 \
    --timeout=10s

# Create backend service for SSL proxy
gcloud compute backend-services create ssl-backend-service \
    --protocol=SSL \
    --health-checks=ssl-health-check \
    --global \
    --port-name=ssl

# Add backends
gcloud compute backend-services add-backend ssl-backend-service \
    --instance-group=ssl-servers-us \
    --instance-group-zone=us-central1-a \
    --global

# Create SSL certificate
gcloud compute ssl-certificates create ssl-proxy-cert \
    --certificate=path/to/cert.pem \
    --private-key=path/to/private-key.pem \
    --global

# Create target SSL proxy
gcloud compute target-ssl-proxies create ssl-proxy \
    --backend-service=ssl-backend-service \
    --ssl-certificates=ssl-proxy-cert

# Create forwarding rule
gcloud compute forwarding-rules create ssl-forwarding-rule \
    --global \
    --target-ssl-proxy=ssl-proxy \
    --ports=443

🌐 External TCP Proxy Load Balancer

For global TCP traffic without SSL requirements.

🔧 Create TCP Proxy Load Balancer

# Create health check for TCP service
gcloud compute health-checks create tcp tcp-health-check \
    --port=80 \
    --check-interval=30s \
    --healthy-threshold=2 \
    --unhealthy-threshold=3 \
    --timeout=10s

# Create backend service for TCP proxy
gcloud compute backend-services create tcp-backend-service \
    --protocol=TCP \
    --health-checks=tcp-health-check \
    --global \
    --port-name=tcp

# Create target TCP proxy
gcloud compute target-tcp-proxies create tcp-proxy \
    --backend-service=tcp-backend-service

# Create forwarding rule
gcloud compute forwarding-rules create tcp-forwarding-rule \
    --global \
    --target-tcp-proxy=tcp-proxy \
    --ports=80

⚡ Regional External Load Balancer

High-performance pass-through load balancer for regional deployments.

graph TB subgraph "Regional External Load Balancer" RC[Regional Clients] --> RIP[Regional IP] RIP --> RBS[Regional Backend Service] RBS --> IG1[Instance Group
Zone A] RBS --> IG2[Instance Group
Zone B] RBS --> IG3[Instance Group
Zone C] end style RIP fill:#34a853,color:#fff style RBS fill:#fbbc04,color:#000

🔧 Create Regional External Load Balancer

# Create health check for regional service
gcloud compute health-checks create tcp regional-health-check \
    --port=80 \
    --region=us-central1 \
    --check-interval=30s \
    --healthy-threshold=2 \
    --unhealthy-threshold=3 \
    --timeout=10s

# Create regional backend service
gcloud compute backend-services create regional-backend-service \
    --protocol=TCP \
    --health-checks=regional-health-check \
    --region=us-central1 \
    --load-balancing-scheme=EXTERNAL

# Add backends to regional service
gcloud compute backend-services add-backend regional-backend-service \
    --instance-group=game-servers-us \
    --instance-group-zone=us-central1-a \
    --region=us-central1

# Create forwarding rule for regional LB
gcloud compute forwarding-rules create regional-forwarding-rule \
    --region=us-central1 \
    --backend-service=regional-backend-service \
    --ports=80-8080 \
    --load-balancing-scheme=EXTERNAL

# For UDP traffic (gaming example)
gcloud compute health-checks create tcp game-health-check \
    --port=7777 \
    --region=us-central1

gcloud compute backend-services create game-backend-service \
    --protocol=UDP \
    --health-checks=game-health-check \
    --region=us-central1 \
    --load-balancing-scheme=EXTERNAL

gcloud compute forwarding-rules create game-forwarding-rule \
    --region=us-central1 \
    --backend-service=game-backend-service \
    --ports=7777 \
    --ip-protocol=UDP

🎮 Perfect for Gaming: Regional External Load Balancers are ideal for gaming applications because they preserve the original client IP address and provide the lowest possible latency through pass-through architecture.

🏠 Internal Load Balancers Deep Dive

Internal load balancers handle traffic within your VPC and are essential for microservices architectures and internal service communication.

🔄 Regional Internal HTTP(S) Load Balancer

The modern choice for internal microservices communication with rich Layer 7 features.

graph TB subgraph "VPC Network" subgraph "Internal HTTP(S) LB" CLIENT[Internal Clients] --> ENVOY[Envoy Proxy] ENVOY --> URL[URL Maps] URL --> BS1[Backend Service 1
Payment API] URL --> BS2[Backend Service 2
User API] BS1 --> IG1[Payment Instances] BS2 --> IG2[User Instances] end end style ENVOY fill:#4285f4,color:#fff style URL fill:#34a853,color:#fff style BS1 fill:#ea4335,color:#fff style BS2 fill:#fbbc04,color:#000

🔧 Create Regional Internal HTTP(S) Load Balancer

# Create health check for internal services
gcloud compute health-checks create http internal-http-health-check \
    --port=8080 \
    --request-path=/health \
    --region=us-central1

# Create backend service for internal LB
gcloud compute backend-services create internal-backend-service \
    --protocol=HTTP \
    --health-checks=internal-http-health-check \
    --region=us-central1 \
    --load-balancing-scheme=INTERNAL_MANAGED

# Add backend instance groups
gcloud compute backend-services add-backend internal-backend-service \
    --instance-group=microservice-group \
    --instance-group-zone=us-central1-a \
    --region=us-central1

# Create URL map for routing
gcloud compute url-maps create internal-url-map \
    --default-service=internal-backend-service \
    --region=us-central1

# Add path-based routing rules
gcloud compute url-maps add-path-matcher internal-url-map \
    --path-matcher-name=api-matcher \
    --default-service=internal-backend-service \
    --path-rules="/api/payments/*=payment-backend-service,/api/users/*=user-backend-service" \
    --region=us-central1

# Create target HTTP proxy
gcloud compute target-http-proxies create internal-http-proxy \
    --url-map=internal-url-map \
    --region=us-central1

# Create forwarding rule with internal IP
gcloud compute forwarding-rules create internal-forwarding-rule \
    --region=us-central1 \
    --load-balancing-scheme=INTERNAL_MANAGED \
    --network=default \
    --subnet=default \
    --address=10.1.0.100 \
    --target-http-proxy=internal-http-proxy \
    --target-http-proxy-region=us-central1 \
    --ports=80

# For HTTPS internal load balancer
gcloud compute ssl-certificates create internal-ssl-cert \
    --certificate=path/to/internal-cert.pem \
    --private-key=path/to/internal-key.pem \
    --region=us-central1

gcloud compute target-https-proxies create internal-https-proxy \
    --ssl-certificates=internal-ssl-cert \
    --url-map=internal-url-map \
    --region=us-central1

🎯 Advanced Routing Features

Path-based routing (/api/v1/* → Service A)
Header-based routing (version: beta → Service B)
Query parameter routing
Traffic splitting for canary deployments
Fault injection for testing

🔒 Security Features

Private internal IP addresses
SSL/TLS termination
Integration with IAP
VPC firewall integration
Client certificate validation

🌍 Cross-region Internal HTTP(S) Load Balancer

For internal services that need to span multiple regions.

graph TB subgraph "Multi-Region Internal LB" CLIENT[Internal Clients] --> CILB[Cross-Region Internal LB] CILB --> R1[us-central1 Backends] CILB --> R2[europe-west1 Backends] CILB --> R3[asia-east1 Backends] R1 --> IG1[Instance Group 1] R2 --> IG2[Instance Group 2] R3 --> IG3[Instance Group 3] end style CILB fill:#4285f4,color:#fff style R1 fill:#34a853,color:#fff style R2 fill:#34a853,color:#fff style R3 fill:#34a853,color:#fff

🔧 Create Cross-region Internal HTTP(S) Load Balancer

# Create global backend service for cross-region
gcloud compute backend-services create cross-region-backend-service \
    --protocol=HTTP \
    --health-checks=global-internal-health-check \
    --global \
    --load-balancing-scheme=INTERNAL_MANAGED

# Add backends from multiple regions
gcloud compute backend-services add-backend cross-region-backend-service \
    --instance-group=service-group-us \
    --instance-group-zone=us-central1-a \
    --global

gcloud compute backend-services add-backend cross-region-backend-service \
    --instance-group=service-group-eu \
    --instance-group-zone=europe-west1-b \
    --global

# Create global URL map
gcloud compute url-maps create cross-region-url-map \
    --default-service=cross-region-backend-service \
    --global

# Create global target HTTP proxy
gcloud compute target-http-proxies create cross-region-http-proxy \
    --url-map=cross-region-url-map \
    --global

# Create forwarding rule in each region where clients exist
gcloud compute forwarding-rules create cross-region-forwarding-rule-us \
    --region=us-central1 \
    --load-balancing-scheme=INTERNAL_MANAGED \
    --network=global-vpc \
    --subnet=us-central1-subnet \
    --target-http-proxy=cross-region-http-proxy \
    --ports=80

gcloud compute forwarding-rules create cross-region-forwarding-rule-eu \
    --region=europe-west1 \
    --load-balancing-scheme=INTERNAL_MANAGED \
    --network=global-vpc \
    --subnet=europe-west1-subnet \
    --target-http-proxy=cross-region-http-proxy \
    --ports=80

⚡ Regional Internal TCP/UDP Load Balancer

High-performance pass-through load balancer for internal Layer 4 traffic.

graph TB subgraph "Internal TCP/UDP LB" ICLIENT[Internal Clients] --> ILB[Internal LB
Pass-through] ILB --> DB1[Database Replica 1] ILB --> DB2[Database Replica 2] ILB --> DB3[Database Replica 3] end style ILB fill:#ea4335,color:#fff style DB1 fill:#fbbc04,color:#000 style DB2 fill:#fbbc04,color:#000 style DB3 fill:#fbbc04,color:#000

🔧 Create Regional Internal TCP/UDP Load Balancer

# Create health check for TCP service
gcloud compute health-checks create tcp internal-tcp-health-check \
    --port=5432 \
    --region=us-central1

# Create regional backend service for internal TCP/UDP
gcloud compute backend-services create internal-tcp-backend-service \
    --protocol=TCP \
    --health-checks=internal-tcp-health-check \
    --region=us-central1 \
    --load-balancing-scheme=INTERNAL

# Add backend instances
gcloud compute backend-services add-backend internal-tcp-backend-service \
    --instance-group=database-replicas \
    --instance-group-zone=us-central1-a \
    --region=us-central1

# Create forwarding rule for internal TCP LB
gcloud compute forwarding-rules create internal-tcp-forwarding-rule \
    --region=us-central1 \
    --load-balancing-scheme=INTERNAL \
    --network=default \
    --subnet=default \
    --address=10.1.0.200 \
    --backend-service=internal-tcp-backend-service \
    --ports=5432 \
    --ip-protocol=TCP

# For UDP traffic (example: internal game server)
gcloud compute health-checks create tcp internal-udp-health-check \
    --port=7777 \
    --region=us-central1

gcloud compute backend-services create internal-udp-backend-service \
    --protocol=UDP \
    --health-checks=internal-udp-health-check \
    --region=us-central1 \
    --load-balancing-scheme=INTERNAL

gcloud compute forwarding-rules create internal-udp-forwarding-rule \
    --region=us-central1 \
    --load-balancing-scheme=INTERNAL \
    --backend-service=internal-udp-backend-service \
    --ports=7777 \
    --ip-protocol=UDP

🔧 Performance Note: Internal TCP/UDP load balancers provide the highest performance for internal traffic because they use pass-through architecture with no proxy overhead.

⚡ Core Load Balancer Creation Commands

These are the actual commands that CREATE the load balancer itself (the forwarding rules). Everything else is supporting infrastructure.

🎯 Important: In GCP, the gcloud compute forwarding-rules create command IS the load balancer creation command. There's no separate "create load balancer" command - the forwarding rule defines the load balancer's IP, ports, and routing target.

🌐 Global External HTTPS Load Balancer

🔧 Create the HTTPS Load Balancer

# This command CREATES the HTTPS load balancer
gcloud compute forwarding-rules create my-https-lb \
    --address=my-static-ip \
    --global \
    --target-https-proxy=my-https-proxy \
    --ports=443

# This command CREATES the HTTP load balancer (for redirects)
gcloud compute forwarding-rules create my-http-lb \
    --address=my-static-ip \
    --global \
    --target-http-proxy=my-http-proxy \
    --ports=80

Prerequisites: You need a target-https-proxy (which needs URL map and SSL cert) and optionally a static IP.

🎮 Regional External Load Balancer

🔧 Create the Regional External Load Balancer

# This command CREATES the regional external load balancer for TCP
gcloud compute forwarding-rules create my-regional-tcp-lb \
    --region=us-central1 \
    --backend-service=my-backend-service \
    --ports=80-8080 \
    --load-balancing-scheme=EXTERNAL

# This command CREATES the regional external load balancer for UDP
gcloud compute forwarding-rules create my-regional-udp-lb \
    --region=us-central1 \
    --backend-service=my-game-backend-service \
    --ports=7777 \
    --ip-protocol=UDP \
    --load-balancing-scheme=EXTERNAL

# With static IP
gcloud compute forwarding-rules create my-regional-lb-with-ip \
    --address=my-regional-static-ip \
    --region=us-central1 \
    --backend-service=my-backend-service \
    --ports=80

Prerequisites: You need a regional backend service and optionally a regional static IP.

🏠 Regional Internal HTTP(S) Load Balancer

🔧 Create the Internal HTTP(S) Load Balancer

# This command CREATES the internal HTTP load balancer
gcloud compute forwarding-rules create my-internal-http-lb \
    --region=us-central1 \
    --load-balancing-scheme=INTERNAL_MANAGED \
    --network=my-vpc \
    --subnet=my-subnet \
    --address=10.1.0.100 \
    --target-http-proxy=my-internal-http-proxy \
    --target-http-proxy-region=us-central1 \
    --ports=80

# This command CREATES the internal HTTPS load balancer
gcloud compute forwarding-rules create my-internal-https-lb \
    --region=us-central1 \
    --load-balancing-scheme=INTERNAL_MANAGED \
    --network=my-vpc \
    --subnet=my-subnet \
    --address=10.1.0.100 \
    --target-https-proxy=my-internal-https-proxy \
    --target-https-proxy-region=us-central1 \
    --ports=443

Prerequisites: You need a regional target-http-proxy (which needs regional URL map and backend service).

🗃️ Regional Internal TCP/UDP Load Balancer

🔧 Create the Internal TCP/UDP Load Balancer

# This command CREATES the internal TCP load balancer
gcloud compute forwarding-rules create my-internal-tcp-lb \
    --region=us-central1 \
    --load-balancing-scheme=INTERNAL \
    --network=my-vpc \
    --subnet=my-subnet \
    --address=10.1.0.200 \
    --backend-service=my-tcp-backend-service \
    --ports=5432 \
    --ip-protocol=TCP

# This command CREATES the internal UDP load balancer
gcloud compute forwarding-rules create my-internal-udp-lb \
    --region=us-central1 \
    --load-balancing-scheme=INTERNAL \
    --backend-service=my-udp-backend-service \
    --ports=53 \
    --ip-protocol=UDP

# For all ports (any port)
gcloud compute forwarding-rules create my-internal-all-ports-lb \
    --region=us-central1 \
    --load-balancing-scheme=INTERNAL \
    --backend-service=my-backend-service \
    --all-ports \
    --ip-protocol=TCP

Prerequisites: You need a regional backend service with INTERNAL load balancing scheme.

🌍 Cross-Region Internal HTTP(S) Load Balancer

🔧 Create the Cross-Region Internal Load Balancer

# This command CREATES cross-region internal load balancer in us-central1
gcloud compute forwarding-rules create my-cross-region-lb-us \
    --region=us-central1 \
    --load-balancing-scheme=INTERNAL_MANAGED \
    --network=my-global-vpc \
    --subnet=my-us-subnet \
    --target-http-proxy=my-global-http-proxy \
    --ports=80

# This command CREATES cross-region internal load balancer in europe-west1
gcloud compute forwarding-rules create my-cross-region-lb-eu \
    --region=europe-west1 \
    --load-balancing-scheme=INTERNAL_MANAGED \
    --network=my-global-vpc \
    --subnet=my-eu-subnet \
    --target-http-proxy=my-global-http-proxy \
    --ports=80

Prerequisites: You need a global target-http-proxy (which needs global URL map and global backend service).

🔐 External SSL Proxy Load Balancer

🔧 Create the SSL Proxy Load Balancer

# This command CREATES the SSL proxy load balancer
gcloud compute forwarding-rules create my-ssl-proxy-lb \
    --address=my-global-static-ip \
    --global \
    --target-ssl-proxy=my-ssl-proxy \
    --ports=443

# For multiple ports
gcloud compute forwarding-rules create my-ssl-proxy-multi-port-lb \
    --global \
    --target-ssl-proxy=my-ssl-proxy \
    --ports=443,8443

Prerequisites: You need a target-ssl-proxy (which needs backend service and SSL certificate).

🌐 External TCP Proxy Load Balancer

🔧 Create the TCP Proxy Load Balancer

# This command CREATES the TCP proxy load balancer
gcloud compute forwarding-rules create my-tcp-proxy-lb \
    --address=my-global-static-ip \
    --global \
    --target-tcp-proxy=my-tcp-proxy \
    --ports=80

# For port range
gcloud compute forwarding-rules create my-tcp-proxy-range-lb \
    --global \
    --target-tcp-proxy=my-tcp-proxy \
    --ports=8000-8100

Prerequisites: You need a target-tcp-proxy (which needs a global backend service).

🎯 Key Points for the Exam

Forwarding Rule = Load Balancer: The gcloud compute forwarding-rules create command creates the actual load balancer
Global vs Regional: Global LBs use --global, Regional LBs use --region=REGION
External vs Internal: Internal LBs require --load-balancing-scheme=INTERNAL or INTERNAL_MANAGED
Proxy vs Pass-through: Proxy LBs use target proxies, Pass-through LBs connect directly to backend services
IP Assignment: Use --address=IP_NAME for static IPs, omit for ephemeral IPs

💡 Pro Tip: You can list all your load balancers with:

# List all forwarding rules (load balancers)
gcloud compute forwarding-rules list

# List global load balancers only
gcloud compute forwarding-rules list --global

# List regional load balancers only
gcloud compute forwarding-rules list --regions=us-central1,europe-west1

🔧 Complete Load Balancer Creation Commands

Here are the complete end-to-end commands to create each type of load balancer from scratch.

🌐 Complete Global External HTTPS Load Balancer

📝 Step-by-Step Complete Creation

# Step 1: Create static IP address
gcloud compute addresses create web-static-ip \
    --global

# Step 2: Create instance template
gcloud compute instance-templates create web-server-template \
    --machine-type=e2-medium \
    --network-interface=network-tier=PREMIUM,subnet=default \
    --tags=http-server,https-server \
    --image-family=debian-11 \
    --image-project=debian-cloud \
    --metadata=startup-script='#!/bin/bash
apt-get update
apt-get install -y nginx
systemctl start nginx
echo "Server: $(hostname)" > /var/www/html/index.html
echo "OK" > /var/www/html/health'

# Step 3: Create managed instance groups
gcloud compute instance-groups managed create web-servers-us \
    --base-instance-name=web-server-us \
    --template=web-server-template \
    --size=2 \
    --zone=us-central1-a

gcloud compute instance-groups managed create web-servers-eu \
    --base-instance-name=web-server-eu \
    --template=web-server-template \
    --size=2 \
    --zone=europe-west1-b

# Step 4: Configure named ports for instance groups
gcloud compute instance-groups managed set-named-ports web-servers-us \
    --named-ports=http:80 \
    --zone=us-central1-a

gcloud compute instance-groups managed set-named-ports web-servers-eu \
    --named-ports=http:80 \
    --zone=europe-west1-b

# Step 5: Create health check
gcloud compute health-checks create http web-health-check \
    --port=80 \
    --request-path=/health \
    --check-interval=30s \
    --healthy-threshold=2 \
    --unhealthy-threshold=3 \
    --timeout=10s

# Step 6: Create backend service
gcloud compute backend-services create web-backend-service \
    --protocol=HTTP \
    --port-name=http \
    --health-checks=web-health-check \
    --global \
    --enable-cdn

# Step 7: Add backends to the service
gcloud compute backend-services add-backend web-backend-service \
    --instance-group=web-servers-us \
    --instance-group-zone=us-central1-a \
    --balancing-mode=UTILIZATION \
    --max-utilization=0.8 \
    --global

gcloud compute backend-services add-backend web-backend-service \
    --instance-group=web-servers-eu \
    --instance-group-zone=europe-west1-b \
    --balancing-mode=UTILIZATION \
    --max-utilization=0.8 \
    --global

# Step 8: Create URL map (this routes requests to backend services)
gcloud compute url-maps create web-url-map \
    --default-service=web-backend-service

# Step 9: Create SSL certificate (managed certificate)
gcloud compute ssl-certificates create web-ssl-cert \
    --domains=example.com,www.example.com \
    --global

# Step 10: Create target HTTPS proxy (connects URL map to SSL cert)
gcloud compute target-https-proxies create web-https-proxy \
    --ssl-certificates=web-ssl-cert \
    --url-map=web-url-map

# Step 11: Create the actual HTTPS load balancer (forwarding rule)
gcloud compute forwarding-rules create web-https-lb \
    --address=web-static-ip \
    --global \
    --target-https-proxy=web-https-proxy \
    --ports=443

# Step 12: Create HTTP to HTTPS redirect
gcloud compute url-maps create web-redirect-map \
    --default-url-redirect-response-code=301 \
    --default-url-redirect-https-redirect

gcloud compute target-http-proxies create web-http-proxy \
    --url-map=web-redirect-map

# Step 13: Create HTTP load balancer for redirect
gcloud compute forwarding-rules create web-http-lb \
    --address=web-static-ip \
    --global \
    --target-http-proxy=web-http-proxy \
    --ports=80

# Step 14: Create firewall rules
gcloud compute firewall-rules create allow-web-traffic \
    --allow tcp:80,tcp:443 \
    --source-ranges 0.0.0.0/0 \
    --target-tags http-server,https-server

gcloud compute firewall-rules create allow-health-check \
    --allow tcp:80 \
    --source-ranges 130.211.0.0/22,35.191.0.0/16 \
    --target-tags http-server

# Verify the load balancer
echo "Load balancer created! IP address:"
gcloud compute addresses describe web-static-ip --global --format="get(address)"

🎮 Complete Regional External Load Balancer (Gaming)

📝 Complete Gaming Load Balancer Creation

# Step 1: Create regional static IP
gcloud compute addresses create game-static-ip \
    --region=us-central1

# Step 2: Create game server instance template
gcloud compute instance-templates create game-server-template \
    --machine-type=c2-standard-4 \
    --network-interface=network-tier=PREMIUM,subnet=default \
    --tags=game-server \
    --image-family=ubuntu-2004-lts \
    --image-project=ubuntu-os-cloud \
    --metadata=startup-script='#!/bin/bash
apt-get update
# Install your game server here
echo "Game server starting on $(hostname)" > /tmp/game.log'

# Step 3: Create managed instance group
gcloud compute instance-groups managed create game-servers \
    --base-instance-name=game-server \
    --template=game-server-template \
    --size=3 \
    --zone=us-central1-a

# Step 4: Configure named ports for UDP
gcloud compute instance-groups managed set-named-ports game-servers \
    --named-ports=gameport:7777 \
    --zone=us-central1-a

# Step 5: Create health check for game servers
gcloud compute health-checks create tcp game-health-check \
    --port=7777 \
    --region=us-central1 \
    --check-interval=10s \
    --healthy-threshold=2 \
    --unhealthy-threshold=3 \
    --timeout=5s

# Step 6: Create regional backend service
gcloud compute backend-services create game-backend-service \
    --protocol=UDP \
    --health-checks=game-health-check \
    --region=us-central1 \
    --load-balancing-scheme=EXTERNAL

# Step 7: Add backend to service
gcloud compute backend-services add-backend game-backend-service \
    --instance-group=game-servers \
    --instance-group-zone=us-central1-a \
    --region=us-central1

# Step 8: Create the regional external load balancer (forwarding rule)
gcloud compute forwarding-rules create game-lb \
    --address=game-static-ip \
    --region=us-central1 \
    --backend-service=game-backend-service \
    --ports=7777 \
    --ip-protocol=UDP

# Step 9: Create firewall rule for game traffic
gcloud compute firewall-rules create allow-game-traffic \
    --allow udp:7777 \
    --source-ranges 0.0.0.0/0 \
    --target-tags game-server

# Step 10: Allow health check traffic
gcloud compute firewall-rules create allow-game-health-check \
    --allow tcp:7777 \
    --source-ranges 130.211.0.0/22,35.191.0.0/16 \
    --target-tags game-server

# Verify the load balancer
echo "Game load balancer created! IP address:"
gcloud compute addresses describe game-static-ip \
    --region=us-central1 --format="get(address)"

🏠 Complete Regional Internal HTTP(S) Load Balancer

📝 Complete Internal Load Balancer Creation

# Step 1: Create custom VPC (optional, can use default)
gcloud compute networks create internal-vpc \
    --subnet-mode=custom

gcloud compute networks subnets create internal-subnet \
    --network=internal-vpc \
    --range=10.0.1.0/24 \
    --region=us-central1

# Step 2: Create instance template for internal services
gcloud compute instance-templates create internal-service-template \
    --machine-type=e2-medium \
    --network-interface=network-tier=PREMIUM,subnet=internal-subnet \
    --no-address \
    --tags=internal-service \
    --image-family=debian-11 \
    --image-project=debian-cloud \
    --metadata=startup-script='#!/bin/bash
apt-get update
apt-get install -y nginx
systemctl start nginx
echo "Internal service on $(hostname)" > /var/www/html/index.html
echo "healthy" > /var/www/html/health'

# Step 3: Create managed instance group
gcloud compute instance-groups managed create internal-services \
    --base-instance-name=internal-service \
    --template=internal-service-template \
    --size=2 \
    --zone=us-central1-a

# Step 4: Configure named ports
gcloud compute instance-groups managed set-named-ports internal-services \
    --named-ports=http:80 \
    --zone=us-central1-a

# Step 5: Create health check for internal services
gcloud compute health-checks create http internal-health-check \
    --port=80 \
    --request-path=/health \
    --region=us-central1

# Step 6: Create regional backend service for internal LB
gcloud compute backend-services create internal-backend-service \
    --protocol=HTTP \
    --port-name=http \
    --health-checks=internal-health-check \
    --region=us-central1 \
    --load-balancing-scheme=INTERNAL_MANAGED

# Step 7: Add backend to service
gcloud compute backend-services add-backend internal-backend-service \
    --instance-group=internal-services \
    --instance-group-zone=us-central1-a \
    --region=us-central1

# Step 8: Create URL map for internal LB
gcloud compute url-maps create internal-url-map \
    --default-service=internal-backend-service \
    --region=us-central1

# Step 9: Create target HTTP proxy for internal LB
gcloud compute target-http-proxies create internal-http-proxy \
    --url-map=internal-url-map \
    --region=us-central1

# Step 10: Create the internal load balancer (forwarding rule)
gcloud compute forwarding-rules create internal-lb \
    --region=us-central1 \
    --load-balancing-scheme=INTERNAL_MANAGED \
    --network=internal-vpc \
    --subnet=internal-subnet \
    --address=10.0.1.100 \
    --target-http-proxy=internal-http-proxy \
    --target-http-proxy-region=us-central1 \
    --ports=80

# Step 11: Create firewall rules for internal traffic
gcloud compute firewall-rules create allow-internal-lb \
    --network=internal-vpc \
    --allow tcp:80 \
    --source-ranges 10.0.1.0/24 \
    --target-tags internal-service

gcloud compute firewall-rules create allow-internal-health-check \
    --network=internal-vpc \
    --allow tcp:80 \
    --source-ranges 130.211.0.0/22,35.191.0.0/16 \
    --target-tags internal-service

# Verify the internal load balancer
echo "Internal load balancer created at: 10.0.1.100"

🗃️ Complete Regional Internal TCP/UDP Load Balancer

📝 Complete Database Load Balancer Creation

# Step 1: Create instance template for database replicas
gcloud compute instance-templates create db-replica-template \
    --machine-type=n1-standard-2 \
    --network-interface=network-tier=PREMIUM,subnet=default \
    --no-address \
    --tags=db-replica \
    --image-family=ubuntu-2004-lts \
    --image-project=ubuntu-os-cloud \
    --metadata=startup-script='#!/bin/bash
apt-get update
apt-get install -y postgresql-12
# Configure PostgreSQL here
systemctl start postgresql
systemctl enable postgresql'

# Step 2: Create managed instance group for DB replicas
gcloud compute instance-groups managed create db-replicas \
    --base-instance-name=db-replica \
    --template=db-replica-template \
    --size=3 \
    --zone=us-central1-a

# Step 3: Configure named ports for database
gcloud compute instance-groups managed set-named-ports db-replicas \
    --named-ports=postgresql:5432 \
    --zone=us-central1-a

# Step 4: Create health check for database
gcloud compute health-checks create tcp db-health-check \
    --port=5432 \
    --region=us-central1 \
    --check-interval=30s \
    --healthy-threshold=1 \
    --unhealthy-threshold=3 \
    --timeout=10s

# Step 5: Create regional backend service for internal TCP LB
gcloud compute backend-services create db-backend-service \
    --protocol=TCP \
    --health-checks=db-health-check \
    --region=us-central1 \
    --load-balancing-scheme=INTERNAL

# Step 6: Add backend to service
gcloud compute backend-services add-backend db-backend-service \
    --instance-group=db-replicas \
    --instance-group-zone=us-central1-a \
    --region=us-central1

# Step 7: Create the internal TCP load balancer (forwarding rule)
gcloud compute forwarding-rules create db-internal-lb \
    --region=us-central1 \
    --load-balancing-scheme=INTERNAL \
    --network=default \
    --subnet=default \
    --address=10.128.0.100 \
    --backend-service=db-backend-service \
    --ports=5432 \
    --ip-protocol=TCP

# Step 8: Create firewall rules for database access
gcloud compute firewall-rules create allow-db-internal \
    --allow tcp:5432 \
    --source-ranges 10.128.0.0/20 \
    --target-tags db-replica

gcloud compute firewall-rules create allow-db-health-check \
    --allow tcp:5432 \
    --source-ranges 130.211.0.0/22,35.191.0.0/16 \
    --target-tags db-replica

# Verify the database load balancer
echo "Database load balancer created at: 10.128.0.100:5432"

🔐 Complete External SSL Proxy Load Balancer

📝 Complete SSL Proxy Creation

# Step 1: Create static IP for SSL proxy
gcloud compute addresses create ssl-proxy-ip \
    --global

# Step 2: Create instance template for SSL services
gcloud compute instance-templates create ssl-service-template \
    --machine-type=e2-medium \
    --network-interface=network-tier=PREMIUM,subnet=default \
    --tags=ssl-service \
    --image-family=debian-11 \
    --image-project=debian-cloud \
    --metadata=startup-script='#!/bin/bash
apt-get update
# Install your SSL service here
nc -l -p 443 &  # Simple listener for demo'

# Step 3: Create managed instance groups
gcloud compute instance-groups managed create ssl-services-us \
    --base-instance-name=ssl-service-us \
    --template=ssl-service-template \
    --size=2 \
    --zone=us-central1-a

gcloud compute instance-groups managed create ssl-services-eu \
    --base-instance-name=ssl-service-eu \
    --template=ssl-service-template \
    --size=2 \
    --zone=europe-west1-b

# Step 4: Configure named ports
gcloud compute instance-groups managed set-named-ports ssl-services-us \
    --named-ports=ssl:443 \
    --zone=us-central1-a

gcloud compute instance-groups managed set-named-ports ssl-services-eu \
    --named-ports=ssl:443 \
    --zone=europe-west1-b

# Step 5: Create health check for SSL services
gcloud compute health-checks create tcp ssl-health-check \
    --port=443 \
    --check-interval=30s \
    --healthy-threshold=2 \
    --unhealthy-threshold=3 \
    --timeout=10s

# Step 6: Create backend service for SSL proxy
gcloud compute backend-services create ssl-backend-service \
    --protocol=SSL \
    --port-name=ssl \
    --health-checks=ssl-health-check \
    --global

# Step 7: Add backends from multiple regions
gcloud compute backend-services add-backend ssl-backend-service \
    --instance-group=ssl-services-us \
    --instance-group-zone=us-central1-a \
    --global

gcloud compute backend-services add-backend ssl-backend-service \
    --instance-group=ssl-services-eu \
    --instance-group-zone=europe-west1-b \
    --global

# Step 8: Create or upload SSL certificate
gcloud compute ssl-certificates create ssl-proxy-cert \
    --certificate=path/to/certificate.pem \
    --private-key=path/to/private-key.pem \
    --global

# Alternative: Create managed certificate
# gcloud compute ssl-certificates create ssl-proxy-cert \
#     --domains=ssl-service.example.com \
#     --global

# Step 9: Create target SSL proxy
gcloud compute target-ssl-proxies create ssl-target-proxy \
    --backend-service=ssl-backend-service \
    --ssl-certificates=ssl-proxy-cert

# Step 10: Create the SSL proxy load balancer (forwarding rule)
gcloud compute forwarding-rules create ssl-proxy-lb \
    --address=ssl-proxy-ip \
    --global \
    --target-ssl-proxy=ssl-target-proxy \
    --ports=443

# Step 11: Create firewall rules
gcloud compute firewall-rules create allow-ssl-proxy \
    --allow tcp:443 \
    --source-ranges 0.0.0.0/0 \
    --target-tags ssl-service

gcloud compute firewall-rules create allow-ssl-health-check \
    --allow tcp:443 \
    --source-ranges 130.211.0.0/22,35.191.0.0/16 \
    --target-tags ssl-service

# Verify the SSL proxy load balancer
echo "SSL Proxy load balancer created! IP address:"
gcloud compute addresses describe ssl-proxy-ip --global --format="get(address)"

🔧 Key Components Explained:

Forwarding Rule: This IS the load balancer! It's the entry point that defines the IP and port.
Target Proxy: Routes requests from forwarding rule to URL map (for HTTP/S) or backend service (for TCP/SSL).
Backend Service: Defines the backend instances and health checking.
Instance Groups: Collections of VM instances that serve your application.
Health Checks: Ensure traffic only goes to healthy instances.

🚀 Advanced Features and Integrations

🛡️ Cloud Armor Integration

Web Application Firewall and DDoS protection for your load balancers.

graph TB subgraph "Cloud Armor Protection" ATT[Attackers] --> CA[Cloud Armor] LEG[Legitimate Users] --> CA CA --> |Block Malicious| BLOCK[❌ Blocked] CA --> |Allow Good Traffic| LB[Load Balancer] LB --> BE[Backend Services] end style CA fill:#ea4335,color:#fff style BLOCK fill:#f44336,color:#fff style LB fill:#4285f4,color:#fff

🔧 Configure Cloud Armor

# Create Cloud Armor security policy
gcloud compute security-policies create web-security-policy \
    --description="Security policy for web application"

# Add rate limiting rule
gcloud compute security-policies rules create 1000 \
    --security-policy=web-security-policy \
    --expression="true" \
    --action=rate-based-ban \
    --rate-limit-threshold-count=100 \
    --rate-limit-threshold-interval-sec=60 \
    --ban-duration-sec=600 \
    --conform-action=allow \
    --exceed-action=deny-403 \
    --enforce-on-key=IP

# Add geo-blocking rule
gcloud compute security-policies rules create 2000 \
    --security-policy=web-security-policy \
    --expression="origin.region_code == 'CN'" \
    --action=deny-403 \
    --description="Block traffic from China"

# Add SQL injection protection
gcloud compute security-policies rules create 3000 \
    --security-policy=web-security-policy \
    --expression="evaluatePreconfiguredExpr('sqli-stable')" \
    --action=deny-403 \
    --description="Block SQL injection attempts"

# Attach policy to backend service
gcloud compute backend-services update web-backend-service \
    --security-policy=web-security-policy \
    --global

# Enable Cloud Armor Adaptive Protection
gcloud compute security-policies update web-security-policy \
    --enable-adaptive-protection

🌐 Cloud CDN Integration

Global content delivery network for faster content delivery.

🔧 Configure Cloud CDN

# Enable CDN on backend service
gcloud compute backend-services update web-backend-service \
    --enable-cdn \
    --cache-mode=CACHE_ALL_STATIC \
    --default-ttl=3600 \
    --max-ttl=86400 \
    --client-ttl=3600 \
    --global

# Configure custom cache keys
gcloud compute backend-services update web-backend-service \
    --cache-key-include-host \
    --cache-key-include-protocol \
    --cache-key-include-query-string \
    --cache-key-query-string-whitelist=version,lang \
    --global

# Set up CDN with custom headers
gcloud compute backend-services update web-backend-service \
    --custom-response-header="X-Cache-Status: {cdn_cache_status}" \
    --custom-response-header="X-Cache-ID: {cdn_cache_id}" \
    --global

# Configure negative caching
gcloud compute backend-services update web-backend-service \
    --negative-caching \
    --negative-caching-policy=404=300,410=300 \
    --global

🔐 Identity-Aware Proxy (IAP)

Zero-trust access control for your applications.

🔧 Configure IAP

# Enable IAP on backend service
gcloud compute backend-services update web-backend-service \
    --iap=enabled \
    --global

# Create OAuth consent screen (manual step in Console required)
# Then create OAuth 2.0 client ID

# Configure IAP settings
gcloud iap web set-iam-policy web-backend-service \
    --resource-type=backend-services \
    policy.json

# Example policy.json content:
cat > policy.json << EOF
{
  "bindings": [
    {
      "role": "roles/iap.httpsResourceAccessor",
      "members": [
        "user:admin@example.com",
        "group:developers@example.com"
      ]
    }
  ]
}
EOF

# Enable IAP for specific paths
gcloud compute url-maps edit web-url-map \
    --global
# Add IAP configuration in the editor

🌐 Critical Networking Concepts

📡 Anycast IP Addresses

Understanding how global load balancers route traffic efficiently.

graph TB subgraph "Anycast Routing" U1[User in Tokyo] --> |Route to closest| A[Anycast IP
203.0.113.1] U2[User in London] --> |Route to closest| A U3[User in New York] --> |Route to closest| A A --> R1[Asia Region
Load Balancer] A --> R2[Europe Region
Load Balancer] A --> R3[Americas Region
Load Balancer] end style A fill:#4285f4,color:#fff style R1 fill:#34a853,color:#fff style R2 fill:#34a853,color:#fff style R3 fill:#34a853,color:#fff

🌍 Anycast Magic: The same IP address (203.0.113.1) is advertised from multiple locations. Internet routing automatically directs users to the nearest healthy location, providing optimal performance and automatic failover.

🏥 Health Checking

Ensuring traffic only goes to healthy backends.

sequenceDiagram participant LB as Load Balancer participant H1 as Healthy Backend participant H2 as Unhealthy Backend LB->>H1: Health Check H1->>LB: 200 OK LB->>H2: Health Check H2->>LB: Timeout/Error Note over LB: Mark H2 as unhealthy LB->>H1: Route Traffic LB--xH2: No Traffic Note over LB: Continue checking H2 LB->>H2: Health Check H2->>LB: 200 OK Note over LB: Mark H2 as healthy again

🔧 Advanced Health Check Configuration

# Create comprehensive HTTP health check
gcloud compute health-checks create http advanced-health-check \
    --port=8080 \
    --request-path=/health \
    --check-interval=10s \
    --timeout=5s \
    --healthy-threshold=2 \
    --unhealthy-threshold=3 \
    --host=health.example.com \
    --proxy-header=PROXY_V1

# Create TCP health check with specific port
gcloud compute health-checks create tcp tcp-health-check \
    --port=5432 \
    --check-interval=15s \
    --timeout=10s \
    --healthy-threshold=1 \
    --unhealthy-threshold=2

# Create gRPC health check
gcloud compute health-checks create grpc grpc-health-check \
    --port=443 \
    --grpc-service-name=my.service.v1.HealthCheck

# Create HTTPS health check with custom headers
gcloud compute health-checks create https https-health-check \
    --port=443 \
    --request-path=/api/health \
    --check-interval=30s \
    --timeout=10s \
    --healthy-threshold=2 \
    --unhealthy-threshold=5 \
    --host=api.example.com

⚖️ Load Balancing Algorithms

Understanding how traffic is distributed across backends.

🔄 Round Robin

Requests are distributed evenly across all healthy backends in order. Simple and effective for similar capacity backends.

📊 Least Connections

Routes to the backend with the fewest active connections. Good for long-lived connections.

🎯 IP Hash

Uses hash of client IP to determine backend. Provides session affinity for stateful applications.

📈 Weighted Round Robin

Like round robin but considers backend capacity. Larger instances get more traffic proportionally.

📊 Monitoring and Troubleshooting

🔍 Key Metrics to Monitor

🔧 Set Up Monitoring and Alerting

# Create alerting policy for high error rate
gcloud alpha monitoring policies create \
    --policy-from-file=high-error-rate-policy.yaml

# Example policy file content:
cat > high-error-rate-policy.yaml << EOF
displayName: "High Error Rate on Load Balancer"
conditions:
  - displayName: "Error rate > 5%"
    conditionThreshold:
      filter: 'resource.type="gce_backend_service"'
      comparison: COMPARISON_GREATER_THAN
      thresholdValue: 0.05
      duration: 300s
      aggregations:
        - alignmentPeriod: 60s
          perSeriesAligner: ALIGN_RATE
          crossSeriesReducer: REDUCE_MEAN
          groupByFields:
            - "resource.label.backend_service_name"
notificationChannels:
  - projects/PROJECT_ID/notificationChannels/CHANNEL_ID
alertStrategy:
  autoClose: 86400s
EOF

# Create custom dashboard for load balancer metrics
gcloud monitoring dashboards create \
    --config-from-file=lb-dashboard.json

# Enable VPC Flow Logs for debugging
gcloud compute networks subnets update default \
    --region=us-central1 \
    --enable-flow-logs \
    --logging-flow-sampling=0.1 \
    --logging-aggregation-interval=interval-10-min

# Set up uptime checks
gcloud monitoring uptime create web-uptime-check \
    --hostname=example.com \
    --path=/health \
    --port=443 \
    --protocol=HTTPS \
    --period=60 \
    --timeout=10 \
    --regions=usa,europe,asia_pacific

🎯 Request Metrics

Request count and rate
Response latency (50th, 95th, 99th percentile)
Error rate by status code
Bytes sent/received

🏥 Backend Health

Healthy vs unhealthy backend ratio
Health check success rate
Backend utilization
Connection counts

🔧 Common Troubleshooting Commands

🛠️ Debugging Load Balancer Issues

# Check load balancer status and configuration
gcloud compute forwarding-rules describe web-https-forwarding-rule \
    --global

# Verify backend service health
gcloud compute backend-services get-health web-backend-service \
    --global

# Check URL map configuration
gcloud compute url-maps describe web-url-map \
    --global

# View backend service details
gcloud compute backend-services describe web-backend-service \
    --global

# Check health check configuration
gcloud compute health-checks describe web-health-check

# Test specific backend health
gcloud compute instance-groups managed list-instances web-servers-us \
    --zone=us-central1-a

# View load balancer logs
gcloud logging read 'resource.type="gce_backend_service"' \
    --limit=50 \
    --format=json

# Check firewall rules
gcloud compute firewall-rules list \
    --filter="name~'.*lb.*'"

# Verify SSL certificate status
gcloud compute ssl-certificates describe web-ssl-cert \
    --global

# Test connectivity from a VM
gcloud compute ssh test-vm --zone=us-central1-a \
    --command="curl -v https://example.com/health"

🎯 Practical Exam Scenarios

💡 Exam Strategy: For each scenario, work through the decision tree systematically. Identify the traffic source, scope, and protocol requirements first.

🛒 Scenario 1: Global E-commerce Platform

Requirements:

Global user base (North America, Europe, Asia)
Need CDN for product images and static content
Require DDoS protection and WAF
SSL termination required
Backend services in multiple regions

Solution: Global External HTTPS Load Balancer

Reasoning: Global scope requirement, HTTP/HTTPS protocol, internet-facing traffic. This LB provides Anycast IP, integrates with Cloud CDN for static content, Cloud Armor for security, and can route to backends in multiple regions.

graph TB U[Global Users] --> ALB[Global External HTTPS LB] ALB --> CDN[Cloud CDN] CDN --> ARM[Cloud Armor] ARM --> US[US Backend] ARM --> EU[EU Backend] ARM --> ASIA[Asia Backend] style ALB fill:#4285f4,color:#fff style CDN fill:#34a853,color:#fff style ARM fill:#ea4335,color:#fff

🎮 Scenario 2: Real-time Gaming Server

Requirements:

UDP protocol for game traffic
Lowest possible latency
Need to preserve client IP for anti-cheat systems
Regional deployment in us-west1
High-performance requirements

Solution: Regional External Load Balancer

Reasoning: Regional scope, UDP protocol (Layer 4), internet-facing traffic. Pass-through architecture preserves client IP and provides minimal latency overhead.

graph TB GP[Game Players] --> RLB[Regional External LB
Pass-through] RLB --> GS1[Game Server 1] RLB --> GS2[Game Server 2] RLB --> GS3[Game Server 3] style RLB fill:#34a853,color:#fff style GS1 fill:#fbbc04,color:#000 style GS2 fill:#fbbc04,color:#000 style GS3 fill:#fbbc04,color:#000

🏢 Scenario 3: Internal Microservices Architecture

Requirements:

Payment service needs to communicate with user service
Both services in us-central1
REST API communication (HTTPS)
Need path-based routing (/api/v1/users, /api/v1/payments)
Internal VPC communication only

Solution: Regional Internal HTTP(S) Load Balancer

Reasoning: Internal VPC traffic, HTTP/HTTPS protocol (Layer 7), regional scope. Envoy-based proxy enables advanced routing features like path-based routing.

graph TB MS[Microservices] --> ILB[Regional Internal HTTPS LB] ILB --> |/api/v1/users| US[User Service] ILB --> |/api/v1/payments| PS[Payment Service] ILB --> |/api/v1/orders| OS[Order Service] style ILB fill:#ea4335,color:#fff style US fill:#4285f4,color:#fff style PS fill:#34a853,color:#fff style OS fill:#fbbc04,color:#000

🗃️ Scenario 4: Database Load Balancing

Requirements:

PostgreSQL database with read replicas
Internal application servers need to connect
TCP protocol on port 5432
High performance and low latency required
Regional deployment

Solution: Regional Internal TCP/UDP Load Balancer

Reasoning: Internal VPC traffic, TCP protocol (Layer 4), regional scope. Pass-through architecture provides highest performance for database connections.

graph TB APP[Application Servers] --> DBLB[Internal TCP LB
Port 5432] DBLB --> DB1[Primary DB] DBLB --> DB2[Read Replica 1] DBLB --> DB3[Read Replica 2] style DBLB fill:#ea4335,color:#fff style DB1 fill:#fbbc04,color:#000 style DB2 fill:#fbbc04,color:#000 style DB3 fill:#fbbc04,color:#000

🌐 Scenario 5: Global API with Multi-region Failover

Requirements:

Global API service
Backends in multiple regions for high availability
HTTPS with custom SSL certificates
Need automatic failover if entire region goes down
Custom domain api.company.com

Solution: Global External HTTPS Load Balancer

Reasoning: Global scope with multi-region backends, HTTPS protocol, internet-facing. Automatic failover through health checking and Anycast routing.

🔧 Implementation Example

# Create the complete solution
gcloud compute backend-services create global-api-service \
    --protocol=HTTPS \
    --health-checks=api-health-check \
    --global \
    --port-name=https

# Add backends from multiple regions
for region in us-central1 europe-west1 asia-east1; do
    gcloud compute backend-services add-backend global-api-service \
        --instance-group=api-servers-${region} \
        --instance-group-zone=${region}-a \
        --global \
        --balancing-mode=UTILIZATION \
        --max-utilization=0.8
done

🏆 Best Practices and Optimization

⚡ Performance Optimization

🎯 Right-size Your Load Balancer

Use regional LBs for single-region deployments
Choose pass-through for highest performance
Enable connection pooling where appropriate
Configure appropriate timeout values

🔄 Health Check Optimization

Use lightweight health check endpoints
Set appropriate check intervals
Consider graceful startup delays
Monitor health check failure patterns

🌐 CDN Integration

Enable Cloud CDN for static content
Configure appropriate cache headers
Use custom cache keys when needed
Implement cache invalidation strategies

🔒 Security Hardening

Enable Cloud Armor for public services
Use IAP for internal applications
Implement proper SSL/TLS configuration
Regular security policy updates

💰 Cost Optimization

📊 Traffic Patterns

Analyze traffic patterns to choose optimal LB type
Use preemptible instances for non-critical workloads
Implement autoscaling to match demand
Consider sustained use discounts

🌍 Regional Strategy

Place backends close to users
Use regional LBs when global isn't needed
Optimize data transfer costs
Consider multi-region for disaster recovery only

📋 Deployment Checklist

✅ Pre-deployment Validation

# Validate configuration before deployment
gcloud compute backend-services describe $BACKEND_SERVICE --global
gcloud compute health-checks describe $HEALTH_CHECK
gcloud compute url-maps validate --source $URL_MAP_FILE
gcloud compute ssl-certificates describe $SSL_CERT --global

# Test health checks
gcloud compute backend-services get-health $BACKEND_SERVICE --global

# Verify firewall rules
gcloud compute firewall-rules list --filter="allowed[].ports:('80' OR '443' OR '8080')"

# Check SSL certificate status
gcloud compute ssl-certificates list --global

# Validate DNS configuration
nslookup your-domain.com
dig your-domain.com A

⚠️ Common Pitfalls to Avoid:

Wrong Load Balancer Type: Using global LB for regional workloads wastes money
Health Check Misconfiguration: Too aggressive checks can mark healthy backends as unhealthy
SSL Certificate Issues: Always verify certificate validity and domain matching
Firewall Rules: Ensure proper tags and rules for health checks and traffic flow
Backend Capacity: Underprovisioned backends will cause high latency

📋 Master Comparison Table

Your ultimate reference for the GCP Network Specialty exam. Master this table!

Load Balancer	Scope	Traffic Type	Protocols	Architecture	SSL Handling	Primary Use Cases	Key Integrations
Global External HTTPS	Global	External (Internet)	HTTP, HTTPS	Proxy (L7)	Terminate & Offload	Global web apps, APIs, SPA	CDN, Armor, IAP
External SSL Proxy	Global	External (Internet)	TCP with SSL	Proxy (L4)	Terminate & Offload	Global TCP services with encryption	Cloud Armor
External TCP Proxy	Global	External (Internet)	TCP	Proxy (L4)	Pass-through	Global TCP services without SSL	Cloud Armor
Regional External	Regional	External (Internet)	TCP, UDP, ESP, GRE, ICMP	Pass-through (L4)	Pass-through	Gaming, VoIP, regional high-performance	None (pure L4)
Cross-region Internal HTTP(S)	Multi-Region	Internal (VPC)	HTTP, HTTPS	Proxy (L7)	Terminate & Offload	Multi-region microservices	IAP, Service Mesh
Regional Internal HTTP(S)	Regional	Internal (VPC)	HTTP, HTTPS	Proxy (L7)	Terminate & Offload	Regional microservices, API gateways	IAP, Istio
Regional Internal TCP/UDP	Regional	Internal (VPC)	TCP, UDP	Pass-through (L4)	Pass-through	Databases, internal high-performance	None (pure L4)

🎓 Final Exam Tips

🎯 Key Decision Points for the Exam

Traffic Source: Internet → External, VPC → Internal
Geographic Scope: Multiple regions → Global, Single region → Regional
Protocol Layer: HTTP/HTTPS → L7 (proxy), TCP/UDP → L4 (can be proxy or pass-through)
Performance vs Features: Highest performance → Pass-through, Rich features → Proxy
Integration Needs: CDN/Armor/IAP → Global External HTTPS

📚 Study Strategy

Memorize the decision tree
Practice with scenario questions
Understand proxy vs pass-through
Know integration capabilities
Practice gcloud commands

⚡ Quick Recall

Global + HTTP = Global External HTTPS
Regional + UDP = Regional External
Internal + HTTP = Internal HTTP(S)
Internal + TCP = Internal TCP/UDP
Need CDN/Armor = Global External HTTPS

🎯 Remember: The exam will test your ability to choose the RIGHT load balancer for specific scenarios. Always work through the decision tree systematically, and don't overthink it. Google has designed each load balancer type for specific use cases, and the decision tree will lead you to the correct answer every time.