· İLİDYAN YAZILIM HİZMETLERİ LTD. ŞTİ · Cloud Infrastructure  · 6 min read

How to Setup Connection Between Google Cloud Load Balancer and Internal Cloud Run Service

Learn how to configure a Google Cloud Load Balancer to route traffic to an internal Cloud Run service with step-by-step instructions and best practices.

Learn how to configure a Google Cloud Load Balancer to route traffic to an internal Cloud Run service with step-by-step instructions and best practices.

Setting up a connection between a Google Cloud Load Balancer and an internal Cloud Run service is a common requirement for building scalable, secure backend architectures. This configuration allows you to expose your Cloud Run services through a managed load balancer while keeping the services internal and secure.

In this comprehensive guide, we’ll walk through the entire process of configuring this setup, including prerequisites, step-by-step implementation, and best practices.

Prerequisites

Before we begin, ensure you have the following:

  • A Google Cloud Project with billing enabled
  • Cloud Run API enabled
  • Compute Engine API enabled
  • VPC networks configured
  • Appropriate IAM permissions (Cloud Run Admin, Compute Network Admin)
  • Google Cloud SDK installed and configured

Understanding the Architecture

When you configure Cloud Run with “Internal + Load Balancer” ingress, the service becomes accessible only through:

  • VPC networks within your project
  • Connected networks (VPC peering, VPN, Interconnect)
  • Google Cloud Load Balancer

This setup provides several benefits:

  • Enhanced Security: Services are not directly exposed to the internet
  • Better Control: Traffic routing through managed load balancers
  • Scalability: Automatic scaling with Cloud Run
  • Integration: Seamless integration with other Google Cloud services

Step 1: Create a Cloud Run Service with Internal Ingress

First, let’s deploy a Cloud Run service configured for internal access only.

Using Google Cloud Console

  1. Navigate to Cloud Run in the Google Cloud Console
  2. Click “Create Service”
  3. Configure your container image and basic settings
  4. In the “Networking” section:
    • Set Ingress to “Internal and cloud load balancing”
    • Choose your VPC network
    • Select appropriate subnets

Using gcloud CLI

# Deploy a Cloud Run service with internal ingress
gcloud run deploy my-internal-service \
    --image=gcr.io/PROJECT_ID/my-app:latest \
    --platform=managed \
    --region=us-central1 \
    --ingress=internal-and-cloud-load-balancing \
    --vpc-connector=my-vpc-connector \
    --no-allow-unauthenticated

Step 2: Configure VPC Connector (if needed)

If your Cloud Run service needs to access resources in your VPC, you’ll need a VPC connector.

# Create a VPC connector
gcloud compute networks vpc-access connectors create my-vpc-connector \
    --region=us-central1 \
    --subnet=my-subnet \
    --subnet-project=PROJECT_ID \
    --min-instances=2 \
    --max-instances=10

Step 3: Create a Backend Service

The backend service defines how the load balancer distributes traffic to your Cloud Run service.

Using gcloud CLI

# Create a backend service for Cloud Run
gcloud compute backend-services create my-backend-service \
    --global \
    --protocol=HTTPS \
    --port-name=http \
    --health-checks=my-health-check

Add Cloud Run as a backend

# Add your Cloud Run service as a backend
gcloud compute backend-services add-backend my-backend-service \
    --global \
    --network-endpoint-group=my-neg \
    --network-endpoint-group-region=us-central1

Step 4: Create Network Endpoint Group (NEG)

A serverless NEG is required to connect the load balancer to your Cloud Run service.

# Create a serverless NEG for Cloud Run
gcloud compute network-endpoint-groups create my-neg \
    --region=us-central1 \
    --network-endpoint-type=serverless \
    --cloud-run-service=my-internal-service

Step 5: Configure URL Map and HTTP(S) Proxy

Create URL Map

# Create a URL map to route requests
gcloud compute url-maps create my-url-map \
    --default-backend-service=my-backend-service

Create HTTP(S) Proxy

For HTTPS (recommended):

# Create HTTPS proxy
gcloud compute target-https-proxies create my-https-proxy \
    --url-map=my-url-map \
    --ssl-certificates=my-ssl-cert

For HTTP:

# Create HTTP proxy
gcloud compute target-http-proxies create my-http-proxy \
    --url-map=my-url-map

Step 6: Create Global Forwarding Rule

The forwarding rule defines the external IP address and port for your load balancer.

For HTTPS

# Create HTTPS forwarding rule
gcloud compute forwarding-rules create my-https-forwarding-rule \
    --global \
    --target-https-proxy=my-https-proxy \
    --ports=443

For HTTP

# Create HTTP forwarding rule
gcloud compute forwarding-rules create my-http-forwarding-rule \
    --global \
    --target-http-proxy=my-http-proxy \
    --ports=80

Step 7: Configure SSL Certificate (for HTTPS)

Using Google-managed SSL certificates

# Create a managed SSL certificate
gcloud compute ssl-certificates create my-ssl-cert \
    --domains=api.yourdomain.com \
    --global

Using self-managed certificates

# Upload your own certificate
gcloud compute ssl-certificates create my-ssl-cert \
    --certificate=path/to/cert.pem \
    --private-key=path/to/private-key.pem \
    --global

Step 8: Configure Health Checks

Health checks ensure your Cloud Run service is healthy and ready to receive traffic.

# Create a health check
gcloud compute health-checks create https my-health-check \
    --port=443 \
    --request-path=/health \
    --check-interval=30s \
    --timeout=10s \
    --healthy-threshold=2 \
    --unhealthy-threshold=3

Step 9: Configure Firewall Rules

Ensure proper firewall rules are in place to allow traffic from the load balancer to your Cloud Run service.

# Allow traffic from Google Cloud Load Balancer
gcloud compute firewall-rules create allow-lb-to-cloudrun \
    --direction=INGRESS \
    --priority=1000 \
    --network=default \
    --action=ALLOW \
    --rules=tcp:80,tcp:443 \
    --source-ranges=130.211.0.0/22,35.191.0.0/16 \
    --target-tags=cloud-run

Testing the Setup

Once everything is configured, test your setup:

1. Check Load Balancer Status

# Get the external IP of your load balancer
gcloud compute forwarding-rules describe my-https-forwarding-rule \
    --global \
    --format="value(IPAddress)"

2. Test Connectivity

# Test HTTP/HTTPS connectivity
curl -H "Host: api.yourdomain.com" https://LOAD_BALANCER_IP/

3. Monitor Logs

Check Cloud Run logs to ensure requests are being received:

# View Cloud Run logs
gcloud logs read "resource.type=cloud_run_revision" \
    --limit=50 \
    --format="table(timestamp,textPayload)"

Best Practices and Considerations

Security

  • Use HTTPS: Always configure SSL/TLS certificates for production
  • IAM Policies: Implement proper IAM policies for service access
  • VPC Security: Use VPC firewall rules to restrict access
  • Authentication: Consider using Cloud IAM or custom authentication

Performance

  • Regional Deployment: Deploy Cloud Run services in multiple regions for better performance
  • Caching: Implement Cloud CDN for static content
  • Connection Pooling: Configure appropriate connection pooling settings

Monitoring

  • Cloud Monitoring: Set up monitoring and alerting for your services
  • Logging: Enable structured logging for better observability
  • Tracing: Use Cloud Trace for request tracing

Cost Optimization

  • Right-sizing: Configure appropriate CPU and memory limits
  • Concurrency: Optimize concurrency settings for your workload
  • Scaling: Set appropriate min/max instance limits

Troubleshooting Common Issues

1. 502 Bad Gateway Errors

  • Check Cloud Run service health
  • Verify backend service configuration
  • Ensure proper firewall rules

2. SSL Certificate Issues

  • Verify domain ownership
  • Check certificate status
  • Ensure proper DNS configuration

3. Connectivity Issues

  • Verify VPC connector configuration
  • Check network endpoint group status
  • Validate firewall rules

Advanced Configuration

Custom Domains

To use custom domains with your setup:

  1. Configure DNS to point to your load balancer IP
  2. Create SSL certificates for your domains
  3. Update URL maps for domain-specific routing

Multiple Services

For routing to multiple Cloud Run services:

# Create path-based routing
gcloud compute url-maps add-path-matcher my-url-map \
    --path-matcher-name=api-matcher \
    --default-backend-service=my-backend-service \
    --path-rules="/api/v1/*=api-v1-backend,/api/v2/*=api-v2-backend"

Load Balancing Algorithms

Configure different load balancing algorithms based on your needs:

# Configure session affinity
gcloud compute backend-services update my-backend-service \
    --global \
    --session-affinity=CLIENT_IP

Conclusion

Setting up a Google Cloud Load Balancer with internal Cloud Run services provides a robust, scalable, and secure architecture for your backend services. This configuration offers the benefits of serverless computing while maintaining enterprise-grade networking and security features.

Key takeaways:

  • Internal Cloud Run services provide enhanced security
  • Load balancers offer advanced traffic management capabilities
  • Proper monitoring and logging are essential for production deployments
  • Regular testing and validation ensure optimal performance

By following this guide, you’ll have a production-ready setup that can scale with your application needs while maintaining security and performance standards.

Remember to regularly review and update your configuration as your requirements evolve, and always test changes in a staging environment before applying them to production.

Additional Resources

For more advanced configurations and enterprise setups, consider consulting with Google Cloud architects or certified partners to ensure optimal implementation for your specific use case.

Share:
Back to Blog

Related Posts

View All Posts »