---
# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** Type: MMv1 ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in
# .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
subcategory: "Compute Engine"
description: |-
Represents a GlobalForwardingRule resource.
---
# google\_compute\_global\_forwarding\_rule
Represents a GlobalForwardingRule resource. Global forwarding rules are
used to forward traffic to the correct load balancer for HTTP load
balancing. Global forwarding rules can only be used for HTTP load
balancing.
For more information, see
https://cloud.google.com/compute/docs/load-balancing/http/
## Example Usage - External Ssl Proxy Lb Mig Backend
```hcl
# External SSL proxy load balancer with managed instance group backend
# VPC
resource "google_compute_network" "default" {
  name     = "ssl-proxy-xlb-network"
  provider = google
  # Custom-mode VPC: no automatic subnets; the backend subnet is declared explicitly below.
  auto_create_subnetworks = false
}
# backend subnet
resource "google_compute_subnetwork" "default" {
  name     = "ssl-proxy-xlb-subnet"
  provider = google
  # Backend VMs created by the MIG get their addresses from this range.
  ip_cidr_range = "10.0.1.0/24"
  region        = "us-central1"
  network       = google_compute_network.default.id
}
# reserved IP address
resource "google_compute_global_address" "default" {
  # Reserved external IP that the global forwarding rule below listens on.
  name = "ssl-proxy-xlb-ip"
}
# Self-signed SSL certificate for testing
resource "tls_private_key" "default" {
  # Test-only key material. The tls provider keeps the private key in Terraform state in
  # plaintext, so the state for this example must be treated as sensitive.
  algorithm = "RSA"
  rsa_bits  = 2048
}
resource "tls_self_signed_cert" "default" {
  # Self-signed: no client will trust it. It only exercises the TLS data path of the
  # SSL proxy in a test deployment.
  key_algorithm   = tls_private_key.default.algorithm
  private_key_pem = tls_private_key.default.private_key_pem
  # Certificate expires after 12 hours.
  validity_period_hours = 12
  # Generate a new certificate if Terraform is run within three
  # hours of the certificate's expiration time.
  early_renewal_hours = 3
  # Reasonable set of uses for a server SSL certificate.
  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
  ]
  dns_names = ["example.com"]
  subject {
    common_name  = "example.com"
    organization = "ACME Examples, Inc"
  }
}
resource "google_compute_ssl_certificate" "default" {
  # Uploads the test key and certificate as a global Compute SSL certificate
  # (this resource type is global, which is what the global target SSL proxy needs).
  name        = "default-cert"
  private_key = tls_private_key.default.private_key_pem
  certificate = tls_self_signed_cert.default.cert_pem
}
resource "google_compute_target_ssl_proxy" "default" {
  # Terminates client TLS with the certificate above. No ssl_policy is attached, so the
  # proxy negotiates with the project default SSL policy; attach a google_compute_ssl_policy
  # to enforce a minimum TLS version outside of a demo.
  name             = "test-proxy"
  backend_service  = google_compute_backend_service.default.id
  ssl_certificates = [google_compute_ssl_certificate.default.id]
}
# forwarding rule
resource "google_compute_global_forwarding_rule" "default" {
  # Public entry point: TCP/443 on the reserved global address, handed to the SSL proxy.
  name                  = "ssl-proxy-xlb-forwarding-rule"
  provider              = google
  ip_protocol           = "TCP"
  load_balancing_scheme = "EXTERNAL"
  port_range            = "443"
  target                = google_compute_target_ssl_proxy.default.id
  ip_address            = google_compute_global_address.default.id
}
# backend service
resource "google_compute_backend_service" "default" {
  name     = "ssl-proxy-xlb-backend-service"
  # protocol SSL: the proxy re-encrypts to the backends on the MIG's named port "tcp".
  protocol              = "SSL"
  port_name             = "tcp"
  load_balancing_scheme = "EXTERNAL"
  timeout_sec           = 10
  health_checks         = [google_compute_health_check.default.id]
  backend {
    group           = google_compute_instance_group_manager.default.instance_group
    balancing_mode  = "UTILIZATION"
    max_utilization = 1.0
    capacity_scaler = 1.0
  }
}
resource "google_compute_health_check" "default" {
  name = "ssl-proxy-health-check"
  # Plain TCP connect check on 443; the 1s interval/timeout is tuned for a quick demo.
  timeout_sec        = 1
  check_interval_sec = 1
  tcp_health_check {
    port = "443"
  }
}
# instance template
resource "google_compute_instance_template" "default" {
  name         = "ssl-proxy-xlb-mig-template"
  provider     = google
  machine_type = "e2-small"
  # The firewall rule below targets this tag.
  tags = ["allow-health-check"]
  network_interface {
    network    = google_compute_network.default.id
    subnetwork = google_compute_subnetwork.default.id
    access_config {
      # add external ip to fetch packages
      # (this also exposes each backend VM directly to the internet, not only via the LB)
    }
  }
  disk {
    source_image = "debian-cloud/debian-10"
    auto_delete  = true
    boot         = true
  }
  # install apache2 with the default-ssl site enabled and serve a simple web page
  # NOTE(review): the page echoes every instance metadata attribute except startup-script
  # to anyone who can reach the load balancer, and inserts NAME/IP/METADATA into HTML
  # unescaped. Fine for a demo; do not put secrets in instance metadata with this script.
  metadata = {
    startup-script = <<-EOF1
#! /bin/bash
set -euo pipefail
export DEBIAN_FRONTEND=noninteractive
sudo apt-get update
sudo apt-get install -y apache2 jq
sudo a2ensite default-ssl
sudo a2enmod ssl
sudo service apache2 restart
NAME=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/hostname")
IP=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip")
METADATA=$(curl -f -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=True" | jq 'del(.["startup-script"])')
cat <<EOF > /var/www/html/index.html
<h1>SSL Load Balancer</h1>
<pre>
Name: $NAME
IP: $IP
Metadata: $METADATA
</pre>
EOF
EOF1
  }
  lifecycle {
    create_before_destroy = true
  }
}
# MIG
resource "google_compute_instance_group_manager" "default" {
  name     = "ssl-proxy-xlb-mig1"
  provider = google
  zone     = "us-central1-c"
  # Named port "tcp" is what the backend service's port_name resolves against.
  named_port {
    name = "tcp"
    port = 443
  }
  version {
    instance_template = google_compute_instance_template.default.id
    name              = "primary"
  }
  base_instance_name = "vm"
  target_size        = 2
}
# allow access from health check ranges
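resource "google_compute_firewall" "default" {
  name      = "ssl-proxy-xlb-fw-allow-hc"
  provider  = google
  direction = "INGRESS"
  network   = google_compute_network.default.id
  # Google health-check prober ranges.
  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]
  allow {
    protocol = "tcp"
    # Only the port the health check probes (google_compute_health_check.default);
    # without `ports` the rule opened every TCP port to these ranges.
    ports = ["443"]
  }
  # Applies only to instances carrying this tag (set on the instance template).
  target_tags = ["allow-health-check"]
}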
```
<div class = "oics-button" style="float: right; margin: 0 0 -15px">
<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=external_tcp_proxy_lb_mig_backend&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
</a>
</div>
## Example Usage - External Tcp Proxy Lb Mig Backend
```hcl
# External TCP proxy load balancer with managed instance group backend
# VPC
resource "google_compute_network" "default" {
  name     = "tcp-proxy-xlb-network"
  provider = google-beta
  # Custom-mode VPC: the backend subnet is declared explicitly below.
  auto_create_subnetworks = false
}
# backend subnet
resource "google_compute_subnetwork" "default" {
  name     = "tcp-proxy-xlb-subnet"
  provider = google-beta
  # Backend VMs created by the MIG get their addresses from this range.
  ip_cidr_range = "10.0.1.0/24"
  region        = "us-central1"
  network       = google_compute_network.default.id
}
# reserved IP address
resource "google_compute_global_address" "default" {
  provider = google-beta
  # Reserved external IP that the global forwarding rule below listens on.
  name = "tcp-proxy-xlb-ip"
}
# forwarding rule
resource "google_compute_global_forwarding_rule" "default" {
  name     = "tcp-proxy-xlb-forwarding-rule"
  provider = google-beta
  # Listens on TCP/110 externally; the TCP proxy forwards to the backends' named port (80).
  ip_protocol           = "TCP"
  load_balancing_scheme = "EXTERNAL"
  port_range            = "110"
  target                = google_compute_target_tcp_proxy.default.id
  ip_address            = google_compute_global_address.default.id
}
resource "google_compute_target_tcp_proxy" "default" {
  provider = google-beta
  # Plain TCP proxy: no TLS termination, traffic is relayed to the backend service as-is.
  name            = "test-proxy-health-check"
  backend_service = google_compute_backend_service.default.id
}
# backend service
resource "google_compute_backend_service" "default" {
  provider = google-beta
  name     = "tcp-proxy-xlb-backend-service"
  # port_name must match a named_port on the MIG ("tcp" = 80 below).
  protocol              = "TCP"
  port_name             = "tcp"
  load_balancing_scheme = "EXTERNAL"
  timeout_sec           = 10
  health_checks         = [google_compute_health_check.default.id]
  backend {
    group           = google_compute_instance_group_manager.default.instance_group
    balancing_mode  = "UTILIZATION"
    max_utilization = 1.0
    capacity_scaler = 1.0
  }
}
resource "google_compute_health_check" "default" {
  provider = google-beta
  name     = "tcp-proxy-health-check"
  # TCP connect check on 80, where nginx from the startup script listens.
  timeout_sec        = 1
  check_interval_sec = 1
  tcp_health_check {
    port = "80"
  }
}
# instance template
resource "google_compute_instance_template" "default" {
  name         = "tcp-proxy-xlb-mig-template"
  provider     = google-beta
  machine_type = "e2-small"
  # The firewall rule below targets this tag.
  tags = ["allow-health-check"]
  network_interface {
    network    = google_compute_network.default.id
    subnetwork = google_compute_subnetwork.default.id
    access_config {
      # add external ip to fetch packages
      # (this also exposes each backend VM directly to the internet, not only via the LB)
    }
  }
  disk {
    source_image = "debian-cloud/debian-10"
    auto_delete  = true
    boot         = true
  }
  # install nginx and serve a simple web page
  # NOTE(review): the page echoes every instance metadata attribute except startup-script
  # to anyone who can reach the load balancer, and inserts NAME/IP/METADATA into HTML
  # unescaped. Fine for a demo; do not put secrets in instance metadata with this script.
  metadata = {
    startup-script = <<-EOF1
#! /bin/bash
set -euo pipefail
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install -y nginx-light jq
NAME=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/hostname")
IP=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip")
METADATA=$(curl -f -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=True" | jq 'del(.["startup-script"])')
cat <<EOF > /var/www/html/index.html
<pre>
Name: $NAME
IP: $IP
Metadata: $METADATA
</pre>
EOF
EOF1
  }
  lifecycle {
    create_before_destroy = true
  }
}
# MIG
resource "google_compute_instance_group_manager" "default" {
  name     = "tcp-proxy-xlb-mig1"
  provider = google-beta
  zone     = "us-central1-c"
  # Named port "tcp" is what the backend service's port_name resolves against.
  named_port {
    name = "tcp"
    port = 80
  }
  version {
    instance_template = google_compute_instance_template.default.id
    name              = "primary"
  }
  base_instance_name = "vm"
  target_size        = 2
}
# allow access from health check ranges
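resource "google_compute_firewall" "default" {
  name      = "tcp-proxy-xlb-fw-allow-hc"
  provider  = google-beta
  direction = "INGRESS"
  network   = google_compute_network.default.id
  # Google health-check prober ranges.
  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]
  allow {
    protocol = "tcp"
    # Only the port the health check probes (google_compute_health_check.default);
    # without `ports` the rule opened every TCP port to these ranges.
    ports = ["80"]
  }
  # Applies only to instances carrying this tag (set on the instance template).
  target_tags = ["allow-health-check"]
}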
```
<div class = "oics-button" style="float: right; margin: 0 0 -15px">
<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=external_http_lb_mig_backend_custom_header&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
</a>
</div>
## Example Usage - External Http Lb Mig Backend Custom Header
```hcl
# External HTTP load balancer with a CDN-enabled managed instance group backend
# and custom request and response headers
# VPC
resource "google_compute_network" "default" {
  name     = "l7-xlb-network"
  provider = google-beta
  # Custom-mode VPC: the backend subnet is declared explicitly below.
  auto_create_subnetworks = false
}
# backend subnet
resource "google_compute_subnetwork" "default" {
  name     = "l7-xlb-subnet"
  provider = google-beta
  # Backend VMs created by the MIG get their addresses from this range.
  ip_cidr_range = "10.0.1.0/24"
  region        = "us-central1"
  network       = google_compute_network.default.id
}
# reserved IP address
resource "google_compute_global_address" "default" {
  provider = google-beta
  # Reserved external IP that the global forwarding rule below listens on.
  name = "l7-xlb-static-ip"
}
# forwarding rule
resource "google_compute_global_forwarding_rule" "default" {
  name     = "l7-xlb-forwarding-rule"
  provider = google-beta
  # Plain HTTP on port 80 at the edge; there is no HTTPS proxy in this example.
  ip_protocol           = "TCP"
  load_balancing_scheme = "EXTERNAL"
  port_range            = "80"
  target                = google_compute_target_http_proxy.default.id
  ip_address            = google_compute_global_address.default.id
}
# http proxy
resource "google_compute_target_http_proxy" "default" {
  # Routes every request through the URL map below.
  name     = "l7-xlb-target-http-proxy"
  provider = google-beta
  url_map  = google_compute_url_map.default.id
}
# url map
resource "google_compute_url_map" "default" {
  # No host or path rules: everything goes to the single backend service.
  name            = "l7-xlb-url-map"
  provider        = google-beta
  default_service = google_compute_backend_service.default.id
}
# backend service with custom request and response headers
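resource "google_compute_backend_service" "default" {
  name     = "l7-xlb-backend-service"
  provider = google-beta
  protocol = "HTTP"
  # port_name must match a named_port declared on the instance group. The MIG in this
  # example declares "http", so the previous value "my-port" could not be resolved.
  port_name             = "http"
  load_balancing_scheme = "EXTERNAL"
  timeout_sec           = 10
  enable_cdn            = true
  # Header templates are expanded by the load balancer; the client geo fields are derived
  # from the client IP and the cache status from Cloud CDN.
  custom_request_headers  = ["X-Client-Geo-Location: {client_region_subdivision}, {client_city}"]
  custom_response_headers = ["X-Cache-Hit: {cdn_cache_status}"]
  health_checks           = [google_compute_health_check.default.id]
  backend {
    group           = google_compute_instance_group_manager.default.instance_group
    balancing_mode  = "UTILIZATION"
    capacity_scaler = 1.0
  }
}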
# instance template
resource "google_compute_instance_template" "default" {
  name         = "l7-xlb-mig-template"
  provider     = google-beta
  machine_type = "e2-small"
  # The firewall rule below targets this tag.
  tags = ["allow-health-check"]
  network_interface {
    network    = google_compute_network.default.id
    subnetwork = google_compute_subnetwork.default.id
    access_config {
      # add external ip to fetch packages
      # (this also exposes each backend VM directly to the internet, not only via the LB)
    }
  }
  disk {
    source_image = "debian-cloud/debian-10"
    auto_delete  = true
    boot         = true
  }
  # install nginx and serve a simple web page (nginx-light listens on port 80 by default;
  # nothing here configures another port)
  # NOTE(review): the page echoes every instance metadata attribute except startup-script
  # to anyone who can reach the load balancer, and inserts NAME/IP/METADATA into HTML
  # unescaped. Fine for a demo; do not put secrets in instance metadata with this script.
  metadata = {
    startup-script = <<-EOF1
#! /bin/bash
set -euo pipefail
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install -y nginx-light jq
NAME=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/hostname")
IP=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip")
METADATA=$(curl -f -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=True" | jq 'del(.["startup-script"])')
cat <<EOF > /var/www/html/index.html
<pre>
Name: $NAME
IP: $IP
Metadata: $METADATA
</pre>
EOF
EOF1
  }
  lifecycle {
    create_before_destroy = true
  }
}
# health check
resource "google_compute_health_check" "default" {
  name     = "l7-xlb-hc"
  provider = google-beta
  http_health_check {
    # Probes whichever port the backend service's named port resolves to on the MIG.
    port_specification = "USE_SERVING_PORT"
  }
}
# MIG
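resource "google_compute_instance_group_manager" "default" {
  name     = "l7-xlb-mig1"
  provider = google-beta
  zone     = "us-central1-c"
  # Named port the backend service and the USE_SERVING_PORT health check resolve to.
  # The startup script installs nginx-light with its default listener on 80 and never
  # configures 8080, so 8080 would have failed health checks.
  named_port {
    name = "http"
    port = 80
  }
  version {
    instance_template = google_compute_instance_template.default.id
    name              = "primary"
  }
  base_instance_name = "vm"
  target_size        = 2
}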
# allow access from health check ranges
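resource "google_compute_firewall" "default" {
  name      = "l7-xlb-fw-allow-hc"
  provider  = google-beta
  direction = "INGRESS"
  network   = google_compute_network.default.id
  # Google health-check prober ranges.
  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]
  allow {
    protocol = "tcp"
    # The health check uses USE_SERVING_PORT, so open only the candidate serving ports:
    # nginx's default listener (80) and the MIG's declared named port (8080).
    # Without `ports` the rule opened every TCP port to these ranges.
    ports = ["80", "8080"]
  }
  # Applies only to instances carrying this tag (set on the instance template).
  target_tags = ["allow-health-check"]
}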
```
<div class = "oics-button" style="float: right; margin: 0 0 -15px">
<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=global_forwarding_rule_http&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
</a>
</div>
## Example Usage - Global Forwarding Rule Http
```hcl
resource "google_compute_global_forwarding_rule" "default" {
  # Minimal external HTTP rule: no ip_address is reserved, so an ephemeral one is used,
  # and load_balancing_scheme is left at its default.
  name       = "global-rule"
  target     = google_compute_target_http_proxy.default.id
  port_range = "80"
}
resource "google_compute_target_http_proxy" "default" {
  # Routes every request through the URL map below.
  name        = "target-proxy"
  description = "a description"
  url_map     = google_compute_url_map.default.id
}
resource "google_compute_url_map" "default" {
  name            = "url-map-target-proxy"
  description     = "a description"
  default_service = google_compute_backend_service.default.id
  # Requests for mysite.com go through the "allpaths" matcher; every path ends up at the
  # same backend service, so the matcher is illustrative only.
  host_rule {
    hosts        = ["mysite.com"]
    path_matcher = "allpaths"
  }
  path_matcher {
    name            = "allpaths"
    default_service = google_compute_backend_service.default.id
    path_rule {
      paths   = ["/*"]
      service = google_compute_backend_service.default.id
    }
  }
}
resource "google_compute_backend_service" "default" {
  # No backend block: this service has no instance groups attached and only shows wiring.
  name          = "backend"
  port_name     = "http"
  protocol      = "HTTP"
  timeout_sec   = 10
  health_checks = [google_compute_http_health_check.default.id]
}
resource "google_compute_http_health_check" "default" {
  # Legacy HTTP health check type (the other examples use google_compute_health_check).
  name               = "check-backend"
  request_path       = "/"
  check_interval_sec = 1
  timeout_sec        = 1
}
```
<div class = "oics-button" style="float: right; margin: 0 0 -15px">
<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=global_forwarding_rule_internal&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
</a>
</div>
## Example Usage - Global Forwarding Rule Internal
```hcl
resource "google_compute_global_forwarding_rule" "default" {
  provider   = google-beta
  name       = "global-rule"
  target     = google_compute_target_http_proxy.default.id
  port_range = "80"
  # INTERNAL_SELF_MANAGED rules are consumed by service-mesh proxies rather than a VIP;
  # 0.0.0.0 is the address convention for them, and metadata_filters selects which
  # proxies receive this configuration.
  load_balancing_scheme = "INTERNAL_SELF_MANAGED"
  ip_address            = "0.0.0.0"
  metadata_filters {
    filter_match_criteria = "MATCH_ANY"
    filter_labels {
      name  = "PLANET"
      value = "MARS"
    }
  }
}
resource "google_compute_target_http_proxy" "default" {
  provider = google-beta
  # Routes every request through the URL map below.
  name        = "target-proxy"
  description = "a description"
  url_map     = google_compute_url_map.default.id
}
resource "google_compute_url_map" "default" {
  provider        = google-beta
  name            = "url-map-target-proxy"
  description     = "a description"
  default_service = google_compute_backend_service.default.id
  # Every host/path combination resolves to the same backend service; the matcher is
  # illustrative only.
  host_rule {
    hosts        = ["mysite.com"]
    path_matcher = "allpaths"
  }
  path_matcher {
    name            = "allpaths"
    default_service = google_compute_backend_service.default.id
    path_rule {
      paths   = ["/*"]
      service = google_compute_backend_service.default.id
    }
  }
}
resource "google_compute_backend_service" "default" {
  provider    = google-beta
  name        = "backend"
  port_name   = "http"
  protocol    = "HTTP"
  timeout_sec = 10
  # Must match the scheme of the forwarding rule that references this service.
  load_balancing_scheme = "INTERNAL_SELF_MANAGED"
  backend {
    group = google_compute_instance_group_manager.igm.instance_group
    # RATE mode: capacity is expressed as requests per second per instance, then scaled to 40%.
    balancing_mode        = "RATE"
    capacity_scaler       = 0.4
    max_rate_per_instance = 50
  }
  health_checks = [google_compute_health_check.default.id]
}
data "google_compute_image" "debian_image" {
  provider = google-beta
  # Resolves to the latest image in the family at plan time, so the template drifts as
  # new images are published.
  family  = "debian-11"
  project = "debian-cloud"
}
resource "google_compute_instance_group_manager" "igm" {
  provider = google-beta
  name     = "igm-internal"
  version {
    instance_template = google_compute_instance_template.instance_template.id
    name              = "primary"
  }
  base_instance_name = "internal-glb"
  zone               = "us-central1-f"
  # Single instance; no named_port is declared, so the backend service's port_name "http"
  # is not mapped here — NOTE(review): confirm this is intended for the example.
  target_size = 1
}
resource "google_compute_instance_template" "instance_template" {
  provider     = google-beta
  name         = "template-backend"
  machine_type = "e2-medium"
  network_interface {
    # Uses the project's auto-mode "default" network; no access_config, so no external IP.
    network = "default"
  }
  disk {
    source_image = data.google_compute_image.debian_image.self_link
    auto_delete  = true
    boot         = true
  }
}
resource "google_compute_health_check" "default" {
  provider = google-beta
  name     = "check-backend"
  # TCP connect check on 80; the template installs nothing, so backends stay unhealthy
  # until something listens there.
  check_interval_sec = 1
  timeout_sec        = 1
  tcp_health_check {
    port = "80"
  }
}
```
<div class = "oics-button" style="float: right; margin: 0 0 -15px">
<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=global_forwarding_rule_external_managed&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
</a>
</div>
## Example Usage - Global Forwarding Rule External Managed
```hcl
resource "google_compute_global_forwarding_rule" "default" {
  name       = "global-rule"
  target     = google_compute_target_http_proxy.default.id
  port_range = "80"
  # EXTERNAL_MANAGED selects the global external Application Load Balancer; the backend
  # service below must use the same scheme.
  load_balancing_scheme = "EXTERNAL_MANAGED"
}
resource "google_compute_target_http_proxy" "default" {
  # Routes every request through the URL map below.
  name        = "target-proxy"
  description = "a description"
  url_map     = google_compute_url_map.default.id
}
resource "google_compute_url_map" "default" {
  name            = "url-map-target-proxy"
  description     = "a description"
  default_service = google_compute_backend_service.default.id
  # Every host/path combination resolves to the same backend service; the matcher is
  # illustrative only.
  host_rule {
    hosts        = ["mysite.com"]
    path_matcher = "allpaths"
  }
  path_matcher {
    name            = "allpaths"
    default_service = google_compute_backend_service.default.id
    path_rule {
      paths   = ["/*"]
      service = google_compute_backend_service.default.id
    }
  }
}
resource "google_compute_backend_service" "default" {
  # No backend block and no health check: wiring only.
  name        = "backend"
  port_name   = "http"
  protocol    = "HTTP"
  timeout_sec = 10
  # Must match the forwarding rule's scheme.
  load_balancing_scheme = "EXTERNAL_MANAGED"
}
```
<div class = "oics-button" style="float: right; margin: 0 0 -15px">
<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=global_forwarding_rule_hybrid&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
</a>
</div>
## Example Usage - Global Forwarding Rule Hybrid
```hcl
// Roughly mirrors https://cloud.google.com/load-balancing/docs/https/setting-up-ext-https-hybrid
variable "subnetwork_cidr" {
  // Address range for the internal subnetwork that hosts the GCE_VM_IP NEG.
  default = "10.0.0.0/24"
}
resource "google_compute_network" "default" {
  // Auto-mode network (auto_create_subnetworks defaults to true) for the zonal and hybrid NEGs.
  name = "my-network"
}
resource "google_compute_network" "internal" {
  // Custom-mode network; its subnetwork is declared explicitly below.
  name                    = "my-internal-network"
  auto_create_subnetworks = false
}
resource "google_compute_subnetwork" "internal" {
  name          = "my-subnetwork"
  network       = google_compute_network.internal.id
  ip_cidr_range = var.subnetwork_cidr
  region        = "us-central1"
  // Lets VMs without external IPs reach Google APIs.
  private_ip_google_access = true
}
// Zonal NEG with GCE_VM_IP_PORT
resource "google_compute_network_endpoint_group" "default" {
  name    = "default-neg"
  network = google_compute_network.default.id
  // Port used for endpoints added without an explicit port.
  default_port          = "90"
  zone                  = "us-central1-a"
  network_endpoint_type = "GCE_VM_IP_PORT"
}
// Zonal NEG with GCE_VM_IP
resource "google_compute_network_endpoint_group" "internal" {
  name       = "internal-neg"
  network    = google_compute_network.internal.id
  subnetwork = google_compute_subnetwork.internal.id
  zone       = "us-central1-a"
  // GCE_VM_IP endpoints carry no port, so no default_port is set. This NEG is not
  // referenced by any backend service in this example.
  network_endpoint_type = "GCE_VM_IP"
}
// Hybrid connectivity NEG
resource "google_compute_network_endpoint_group" "hybrid" {
  name         = "hybrid-neg"
  network      = google_compute_network.default.id
  default_port = "90"
  zone         = "us-central1-a"
  // Endpoints are IP:port pairs outside Google Cloud, reached over hybrid connectivity.
  network_endpoint_type = "NON_GCP_PRIVATE_IP_PORT"
}
resource "google_compute_network_endpoint" "hybrid-endpoint" {
  network_endpoint_group = google_compute_network_endpoint_group.hybrid.name
  port                   = google_compute_network_endpoint_group.hybrid.default_port
  // Placeholder address; a real deployment points this at the on-premises or
  // other-cloud service reachable over the hybrid connection.
  ip_address = "127.0.0.1"
}
// Backend service for Zonal NEG
resource "google_compute_backend_service" "default" {
  name        = "backend-default"
  port_name   = "http"
  protocol    = "HTTP"
  timeout_sec = 10
  backend {
    group = google_compute_network_endpoint_group.default.id
    // NEG backends use RATE with a per-endpoint limit.
    balancing_mode        = "RATE"
    max_rate_per_endpoint = 10
  }
  health_checks = [google_compute_health_check.default.id]
}
// Backend service for Hybrid NEG
resource "google_compute_backend_service" "hybrid" {
  name        = "backend-hybrid"
  port_name   = "http"
  protocol    = "HTTP"
  timeout_sec = 10
  backend {
    group = google_compute_network_endpoint_group.hybrid.id
    // NEG backends use RATE with a per-endpoint limit.
    balancing_mode        = "RATE"
    max_rate_per_endpoint = 10
  }
  // Shares the TCP/80 health check with the zonal backend service.
  health_checks = [google_compute_health_check.default.id]
}
resource "google_compute_health_check" "default" {
  name = "health-check"
  // TCP connect check on 80, shared by both backend services.
  timeout_sec        = 1
  check_interval_sec = 1
  tcp_health_check {
    port = "80"
  }
}
resource "google_compute_url_map" "default" {
  name            = "url-map-target-proxy"
  description     = "a description"
  default_service = google_compute_backend_service.default.id
  host_rule {
    hosts        = ["mysite.com"]
    path_matcher = "allpaths"
  }
  path_matcher {
    name            = "allpaths"
    default_service = google_compute_backend_service.default.id
    path_rule {
      paths   = ["/*"]
      service = google_compute_backend_service.default.id
    }
    // Only /hybrid is routed to the hybrid NEG; everything else stays on the zonal NEG.
    path_rule {
      paths   = ["/hybrid"]
      service = google_compute_backend_service.hybrid.id
    }
  }
}
resource "google_compute_target_http_proxy" "default" {
  // Routes every request through the URL map above.
  name        = "target-proxy"
  description = "a description"
  url_map     = google_compute_url_map.default.id
}
resource "google_compute_global_forwarding_rule" "default" {
  // Plain HTTP on an ephemeral external address; the linked guide uses HTTPS, this
  // example does not.
  name       = "global-rule"
  target     = google_compute_target_http_proxy.default.id
  port_range = "80"
}
```
<div class = "oics-button" style="float: right; margin: 0 0 -15px">
<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=global_internal_http_lb_with_mig_backend&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
</a>
</div>
## Example Usage - Global Internal Http Lb With Mig Backend
```hcl
# Global Internal HTTP load balancer with a managed instance group backend
# VPC network
resource "google_compute_network" "gilb_network" {
  name     = "l7-gilb-network"
  provider = google-beta
  # Custom-mode VPC: the proxy-only and backend subnets are declared explicitly below.
  auto_create_subnetworks = false
}
# proxy-only subnet
resource "google_compute_subnetwork" "proxy_subnet" {
  name          = "l7-gilb-proxy-subnet"
  provider      = google-beta
  ip_cidr_range = "10.0.0.0/24"
  region        = "europe-west1"
  # Reserved for the managed Envoy proxies of the global internal LB; backends must allow
  # ingress from this range (see fw-gilb-to-backends).
  purpose = "GLOBAL_MANAGED_PROXY"
  role    = "ACTIVE"
  network = google_compute_network.gilb_network.id
}
# backend subnet
resource "google_compute_subnetwork" "gilb_subnet" {
  name     = "l7-gilb-subnet"
  provider = google-beta
  # Backend VMs and the test VM live here; the forwarding rule also takes its internal
  # address from this subnet.
  ip_cidr_range = "10.0.1.0/24"
  region        = "europe-west1"
  network       = google_compute_network.gilb_network.id
}
# forwarding rule
resource "google_compute_global_forwarding_rule" "google_compute_forwarding_rule" {
  name     = "l7-gilb-forwarding-rule"
  provider = google-beta
  # The proxy-only subnet is not referenced by any attribute, so the dependency has to be
  # made explicit for the rule to be created after it.
  depends_on            = [google_compute_subnetwork.proxy_subnet]
  ip_protocol           = "TCP"
  load_balancing_scheme = "INTERNAL_MANAGED"
  port_range            = "80"
  target                = google_compute_target_http_proxy.default.id
  network               = google_compute_network.gilb_network.id
  # No ip_address: an internal address is allocated from this subnet.
  subnetwork = google_compute_subnetwork.gilb_subnet.id
}
# HTTP target proxy
resource "google_compute_target_http_proxy" "default" {
  # Routes every request through the URL map below.
  name     = "l7-gilb-target-http-proxy"
  provider = google-beta
  url_map  = google_compute_url_map.default.id
}
# URL map
resource "google_compute_url_map" "default" {
  # No host or path rules: everything goes to the single backend service.
  name            = "l7-gilb-url-map"
  provider        = google-beta
  default_service = google_compute_backend_service.default.id
}
# backend service
resource "google_compute_backend_service" "default" {
  name     = "l7-gilb-backend-subnet"
  provider = google-beta
  protocol = "HTTP"
  # Must match the forwarding rule's scheme.
  load_balancing_scheme = "INTERNAL_MANAGED"
  timeout_sec           = 10
  health_checks         = [google_compute_health_check.default.id]
  # No port_name is set and the MIG declares no named_port — NOTE(review): the provider
  # default port name is presumably relied on here; confirm against the MIG.
  backend {
    group           = google_compute_instance_group_manager.mig.instance_group
    balancing_mode  = "UTILIZATION"
    capacity_scaler = 1.0
  }
}
# instance template
resource "google_compute_instance_template" "instance_template" {
  name         = "l7-gilb-mig-template"
  provider     = google-beta
  machine_type = "e2-small"
  # fw-gilb-to-backends targets this tag.
  tags = ["http-server"]
  network_interface {
    network    = google_compute_network.gilb_network.id
    subnetwork = google_compute_subnetwork.gilb_subnet.id
    access_config {
      # add external ip to fetch packages
      # (gives each backend of this *internal* LB a public address; a Cloud NAT would avoid that)
    }
  }
  disk {
    source_image = "debian-cloud/debian-10"
    auto_delete  = true
    boot         = true
  }
  # install nginx and serve a simple web page
  # NOTE(review): the page echoes every instance metadata attribute except startup-script
  # and inserts NAME/IP/METADATA into HTML unescaped. Fine for a demo; do not put secrets
  # in instance metadata with this script.
  metadata = {
    startup-script = <<-EOF1
#! /bin/bash
set -euo pipefail
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install -y nginx-light jq
NAME=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/hostname")
IP=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip")
METADATA=$(curl -f -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=True" | jq 'del(.["startup-script"])')
cat <<EOF > /var/www/html/index.html
<pre>
Name: $NAME
IP: $IP
Metadata: $METADATA
</pre>
EOF
EOF1
  }
  lifecycle {
    create_before_destroy = true
  }
}
# health check
resource "google_compute_health_check" "default" {
  name     = "l7-gilb-hc"
  provider = google-beta
  http_health_check {
    # Probes the port the backend service's named port resolves to on the MIG.
    port_specification = "USE_SERVING_PORT"
  }
}
# MIG
resource "google_compute_instance_group_manager" "mig" {
  name     = "l7-gilb-mig1"
  provider = google-beta
  zone     = "europe-west1-b"
  version {
    instance_template = google_compute_instance_template.instance_template.id
    name              = "primary"
  }
  base_instance_name = "vm"
  # Two backends; no named_port is declared here (see the backend service note).
  target_size = 2
}
# allow all access from IAP and health check ranges
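resource "google_compute_firewall" "fw-iap" {
  name      = "l7-gilb-fw-allow-iap-hc"
  provider  = google-beta
  direction = "INGRESS"
  network   = google_compute_network.gilb_network.id
  # Google health-check prober ranges plus the IAP TCP-forwarding range.
  source_ranges = ["130.211.0.0/22", "35.191.0.0/16", "35.235.240.0/20"]
  allow {
    protocol = "tcp"
    # SSH through IAP to the test VM, plus the serving ports the backends expose (the same
    # set fw-gilb-to-backends opens). Without `ports` the rule opened every TCP port on
    # every instance in the network to these ranges.
    ports = ["22", "80", "443", "8080"]
  }
}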
# allow http from proxy subnet to backends
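resource "google_compute_firewall" "fw-gilb-to-backends" {
  name      = "l7-gilb-fw-allow-gilb-to-backends"
  provider  = google-beta
  direction = "INGRESS"
  network   = google_compute_network.gilb_network.id
  # Derived from the proxy-only subnet instead of repeating its CIDR, so the rule cannot
  # silently diverge if that range is changed.
  source_ranges = [google_compute_subnetwork.proxy_subnet.ip_cidr_range]
  # Only instances built from the instance template (tagged http-server).
  target_tags = ["http-server"]
  allow {
    protocol = "tcp"
    ports    = ["80", "443", "8080"]
  }
}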
# test instance
resource "google_compute_instance" "vm-test" {
  # Client VM inside the VPC for exercising the internal LB. No access_config, so it has
  # no external IP; reach it through IAP TCP forwarding (see fw-iap).
  name         = "l7-gilb-test-vm"
  provider     = google-beta
  zone         = "europe-west1-b"
  machine_type = "e2-small"
  network_interface {
    network    = google_compute_network.gilb_network.id
    subnetwork = google_compute_subnetwork.gilb_subnet.id
  }
  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-10"
    }
  }
}
```
## Example Usage - Private Service Connect Google Apis
```hcl
resource "google_compute_network" "network" {
  provider = google-beta
  # Placeholder project id; the other resources inherit it from this network.
  project                 = "my-project-name"
  name                    = "my-network"
  auto_create_subnetworks = false
}
resource "google_compute_subnetwork" "vpc_subnetwork" {
  provider      = google-beta
  project       = google_compute_network.network.project
  name          = "my-subnetwork"
  ip_cidr_range = "10.2.0.0/16"
  region        = "us-central1"
  network       = google_compute_network.network.id
  # Lets VMs without external IPs reach Google APIs.
  private_ip_google_access = true
}
resource "google_compute_global_address" "default" {
  provider = google-beta
  project  = google_compute_network.network.project
  name     = "global-psconnect-ip"
  # Internal address reserved for a Private Service Connect endpoint in this VPC.
  address_type = "INTERNAL"
  purpose      = "PRIVATE_SERVICE_CONNECT"
  network      = google_compute_network.network.id
  # Fixed address chosen from the 100.64.0.0/10 shared address space.
  address = "100.100.100.106"
}
resource "google_compute_global_forwarding_rule" "default" {
  provider = google-beta
  project  = google_compute_network.network.project
  name     = "globalrule"
  # PSC endpoint for the Google APIs bundle: target is the bundle name rather than a proxy,
  # and load_balancing_scheme is left empty.
  target                = "all-apis"
  network               = google_compute_network.network.id
  ip_address            = google_compute_global_address.default.id
  load_balancing_scheme = ""
  # Registers the endpoint in Service Directory in the given namespace and region.
  service_directory_registrations {
    namespace                = "sd-namespace"
    service_directory_region = "europe-west3"
  }
}
```
## Example Usage - Private Service Connect Google Apis No Automate Dns
```hcl
resource "google_compute_network" "network" {
  provider = google-beta
  name     = "my-network"
  project  = "my-project-name"

  # Custom-mode VPC: the subnet is declared explicitly below.
  auto_create_subnetworks = false
}
resource "google_compute_subnetwork" "vpc_subnetwork" {
  provider      = google-beta
  name          = "my-subnetwork"
  project       = google_compute_network.network.project
  region        = "us-central1"
  network       = google_compute_network.network.id
  ip_cidr_range = "10.2.0.0/16"

  # Allows instances with only internal IPs to reach Google APIs privately.
  private_ip_google_access = true
}
resource "google_compute_global_address" "default" {
  provider = google-beta
  name     = "global-psconnect-ip"
  project  = google_compute_network.network.project
  network  = google_compute_network.network.id

  # Internal address reserved for the PSC endpoint; the example literal must
  # not collide with the VPC's subnet ranges.
  address_type = "INTERNAL"
  purpose      = "PRIVATE_SERVICE_CONNECT"
  address      = "100.100.100.106"
}
resource "google_compute_global_forwarding_rule" "default" {
  provider   = google-beta
  name       = "globalrule"
  project    = google_compute_network.network.project
  network    = google_compute_network.network.id
  ip_address = google_compute_global_address.default.id

  # Google API bundle reachable through the endpoint ("vpc-sc" is the
  # narrower alternative).
  target = "all-apis"

  # PSC for Google APIs requires an empty scheme instead of the default EXTERNAL.
  load_balancing_scheme = ""

  # Left false explicitly: automatic DNS zone creation for the endpoint stays
  # enabled; set to true to opt out of it.
  no_automate_dns_zone = false
}
```
## Argument Reference
The following arguments are supported:
* `name` -
(Required)
Name of the resource; provided by the client when the resource is created.
The name must be 1-63 characters long, and comply with
[RFC1035](https://www.ietf.org/rfc/rfc1035.txt).
Specifically, the name must be 1-63 characters long and match the regular
expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first
character must be a lowercase letter, and all following characters must
be a dash, lowercase letter, or digit, except the last character, which
cannot be a dash.
For Private Service Connect forwarding rules that forward traffic to Google
APIs, the forwarding rule name must be a 1-20 characters string with
lowercase letters and numbers and must start with a letter.
* `target` -
(Required)
The URL of the target resource to receive the matched traffic. For
regional forwarding rules, this target must be in the same region as the
forwarding rule. For global forwarding rules, this target must be a global
load balancing resource.
The forwarded traffic must be of a type appropriate to the target object.
* For load balancers, see the "Target" column in [Port specifications](https://cloud.google.com/load-balancing/docs/forwarding-rule-concepts#ip_address_specifications).
* For Private Service Connect forwarding rules that forward traffic to Google APIs, provide the name of a supported Google API bundle:
* `vpc-sc` - [ APIs that support VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/supported-products).
* `all-apis` - [All supported Google APIs](https://cloud.google.com/vpc/docs/private-service-connect#supported-apis).
For Private Service Connect forwarding rules that forward traffic to managed services, the target must be a service attachment.
- - -
* `description` -
(Optional)
An optional description of this resource. Provide this property when
you create the resource.
* `ip_address` -
(Optional)
IP address for which this forwarding rule accepts traffic. When a client
sends traffic to this IP address, the forwarding rule directs the traffic
to the referenced `target`.
While creating a forwarding rule, specifying an `IPAddress` is
required under the following circumstances:
* When the `target` is set to `targetGrpcProxy` and
`validateForProxyless` is set to `true`, the
`IPAddress` should be set to `0.0.0.0`.
* When the `target` is a Private Service Connect Google APIs
bundle, you must specify an `IPAddress`.
Otherwise, you can optionally specify an IP address that references an
existing static (reserved) IP address resource. When omitted, Google Cloud
assigns an ephemeral IP address.
Use one of the following formats to specify an IP address while creating a
forwarding rule:
* IP address number, as in `100.1.2.3`
* IPv6 address range, as in `2600:1234::/96`
* Full resource URL, as in
`https://www.googleapis.com/compute/v1/projects/project_id/regions/region/addresses/address-name`
* Partial URL or by name, as in:
* `projects/project_id/regions/region/addresses/address-name`
* `regions/region/addresses/address-name`
* `global/addresses/address-name`
* `address-name`
The forwarding rule's `target`,
and in most cases, also the `loadBalancingScheme`, determine the
type of IP address that you can use. For detailed information, see
[IP address
specifications](https://cloud.google.com/load-balancing/docs/forwarding-rule-concepts#ip_address_specifications).
When reading an `IPAddress`, the API always returns the IP
address number.
* `ip_protocol` -
(Optional)
The IP protocol to which this rule applies.
For protocol forwarding, valid
options are `TCP`, `UDP`, `ESP`,
`AH`, `SCTP`, `ICMP` and
`L3_DEFAULT`.
The valid IP protocols are different for different load balancing products
as described in [Load balancing
features](https://cloud.google.com/load-balancing/docs/features#protocols_from_the_load_balancer_to_the_backends).
Possible values are: `TCP`, `UDP`, `ESP`, `AH`, `SCTP`, `ICMP`.
* `ip_version` -
(Optional)
The IP Version that will be used by this global forwarding rule.
Possible values are: `IPV4`, `IPV6`.
* `labels` -
(Optional)
Labels to apply to this forwarding rule. A list of key->value pairs.
**Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
Please refer to the field `effective_labels` for all of the labels present on the resource.
* `load_balancing_scheme` -
(Optional)
Specifies the forwarding rule type.
For more information about forwarding rules, refer to
[Forwarding rule concepts](https://cloud.google.com/load-balancing/docs/forwarding-rule-concepts).
Default value is `EXTERNAL`.
Possible values are: `EXTERNAL`, `EXTERNAL_MANAGED`, `INTERNAL_MANAGED`, `INTERNAL_SELF_MANAGED`.
* `metadata_filters` -
(Optional)
Opaque filter criteria used by the load balancer to restrict routing
configuration to a limited set of xDS-compliant clients. In their xDS
requests to the load balancer, xDS clients present node metadata. If a
match takes place, the relevant routing configuration is made available
to those proxies.
For each metadataFilter in this list, if its filterMatchCriteria is set
to MATCH_ANY, at least one of the filterLabels must match the
corresponding label provided in the metadata. If its filterMatchCriteria
is set to MATCH_ALL, then all of its filterLabels must match with
corresponding labels in the provided metadata.
metadataFilters specified here can be overridden by those specified in
the UrlMap that this ForwardingRule references.
metadataFilters only applies to Loadbalancers that have their
loadBalancingScheme set to INTERNAL_SELF_MANAGED.
Structure is [documented below](#nested_metadata_filters).
* `network` -
(Optional)
This field is not used for external load balancing.
For Internal TCP/UDP Load Balancing, this field identifies the network that
the load balanced IP should belong to for this Forwarding Rule.
If the subnetwork is specified, the network of the subnetwork will be used.
If neither subnetwork nor this field is specified, the default network will
be used.
For Private Service Connect forwarding rules that forward traffic to Google
APIs, a network must be provided.
* `port_range` -
(Optional)
The `portRange` field has the following limitations:
* It requires that the forwarding rule `IPProtocol` be TCP, UDP, or SCTP,
and
* It's applicable only to the following products: external passthrough
Network Load Balancers, internal and external proxy Network Load
Balancers, internal and external Application Load Balancers, external
protocol forwarding, and Classic VPN.
* Some products have restrictions on what ports can be used. See
[port specifications](https://cloud.google.com/load-balancing/docs/forwarding-rule-concepts#port_specifications)
for details.
For external forwarding rules, two or more forwarding rules cannot use the
same `[IPAddress, IPProtocol]` pair, and cannot have overlapping
`portRange`s.
For internal forwarding rules within the same VPC network, two or more
forwarding rules cannot use the same `[IPAddress, IPProtocol]` pair, and
cannot have overlapping `portRange`s.
The value must match the pattern `\d+(?:-\d+)?` (a single port or a `low-high` range).
* `subnetwork` -
(Optional)
This field identifies the subnetwork that the load balanced IP should
belong to for this Forwarding Rule, used in internal load balancing and
network load balancing with IPv6.
If the network specified is in auto subnet mode, this field is optional.
However, a subnetwork must be specified if the network is in custom subnet
mode or when creating external forwarding rule with IPv6.
* `service_directory_registrations` -
(Optional)
Service Directory resources to register this forwarding rule with.
Currently only a single Service Directory resource is supported.
Structure is [documented below](#nested_service_directory_registrations).
* `source_ip_ranges` -
(Optional)
If not empty, this Forwarding Rule will only forward the traffic when the source IP address matches one of the IP addresses or CIDR ranges set here. Note that a Forwarding Rule can only have up to 64 source IP ranges, and this field can only be used with a regional Forwarding Rule whose scheme is EXTERNAL. Each sourceIpRange entry should be either an IP address (for example, 1.2.3.4) or a CIDR range (for example, 1.2.3.0/24).
* `allow_psc_global_access` -
(Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html))
Used on a PSC consumer forwarding rule to control whether the PSC endpoint can be accessed from another region; enabling it widens the set of clients that can reach the endpoint beyond its own region.
* `no_automate_dns_zone` -
(Optional)
Used on a PSC consumer forwarding rule to control whether a DNS zone is auto-generated for it. Non-PSC forwarding rules do not use this field.
* `project` - (Optional) The ID of the project in which the resource belongs.
If it is not provided, the provider project is used.
<a name="nested_metadata_filters"></a>The `metadata_filters` block supports:
* `filter_match_criteria` -
(Required)
Specifies how individual filterLabel matches within the list of
filterLabels contribute towards the overall metadataFilter match.
MATCH_ANY - At least one of the filterLabels must have a matching
label in the provided metadata.
MATCH_ALL - All filterLabels must have matching labels in the
provided metadata.
Possible values are: `MATCH_ANY`, `MATCH_ALL`.
* `filter_labels` -
(Required)
The list of label value pairs that must match labels in the
provided metadata based on filterMatchCriteria
This list must not be empty and can have at most 64 entries.
Structure is [documented below](#nested_filter_labels).
<a name="nested_filter_labels"></a>The `filter_labels` block supports:
* `name` -
(Required)
Name of the metadata label. The length must be between
1 and 1024 characters, inclusive.
* `value` -
(Required)
The value that the label must match. The value has a maximum
length of 1024 characters.
<a name="nested_service_directory_registrations"></a>The `service_directory_registrations` block supports:
* `namespace` -
(Optional)
Service Directory namespace to register the forwarding rule under.
* `service_directory_region` -
(Optional)
Service Directory region to register this global forwarding rule under.
Defaults to `us-central1`. Only used for PSC for Google APIs. All PSC for
Google APIs forwarding rules on the same network should use the same Service
Directory region.
## Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
* `id` - an identifier for the resource with format `projects/{{project}}/global/forwardingRules/{{name}}`
* `psc_connection_id` -
The PSC connection id of the PSC Forwarding Rule.
* `psc_connection_status` -
The PSC connection status of the PSC Forwarding Rule. Possible values: `STATUS_UNSPECIFIED`, `PENDING`, `ACCEPTED`, `REJECTED`, `CLOSED`
* `label_fingerprint` -
The fingerprint used for optimistic locking of this resource. Used
internally during updates.
* `base_forwarding_rule` -
[Output Only] The URL for the corresponding base Forwarding Rule. By base Forwarding Rule, we mean the Forwarding Rule that has the same IP address, protocol, and port settings with the current Forwarding Rule, but without sourceIPRanges specified. Always empty if the current Forwarding Rule does not have sourceIPRanges specified.
* `terraform_labels` -
The combination of labels configured directly on the resource
and default labels configured on the provider.
* `effective_labels` -
All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services.
* `self_link` - The URI of the created resource.
## Timeouts
This resource provides the following
[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:
- `create` - Default is 20 minutes.
- `update` - Default is 20 minutes.
- `delete` - Default is 20 minutes.
## Import
GlobalForwardingRule can be imported using any of these accepted formats:
* `projects/{{project}}/global/forwardingRules/{{name}}`
* `{{project}}/{{name}}`
* `{{name}}`
In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import GlobalForwardingRule using one of the formats above. For example:
```tf
import {
  to = google_compute_global_forwarding_rule.default
  # Any of the accepted ID formats listed above may be used here.
  id = "projects/{{project}}/global/forwardingRules/{{name}}"
}
```
When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), GlobalForwardingRule can be imported using one of the formats above. For example:
```
# Each command below identifies the same resource; run only one of them.
$ terraform import google_compute_global_forwarding_rule.default projects/{{project}}/global/forwardingRules/{{name}}
$ terraform import google_compute_global_forwarding_rule.default {{project}}/{{name}}
$ terraform import google_compute_global_forwarding_rule.default {{name}}
```
## User Project Overrides
This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override).