Enable HTTPS for Google Cloud Load Balancers

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Load Balancing dashboard at https://console.cloud.google.com/net-services/loadbalancing.

04 On the Load balancing page, select Load balancers to access the list with the Google Cloud load balancers created for the selected project.

05 Choose the load balancer that you want to examine, and check the protocol type configured for the resource, available in the Protocol column. If the protocol type is set to HTTP, the selected Google Cloud load balancer is not using SSL to encrypt web traffic via HTTPS, therefore the communication between the load balancer and its clients is not secure.

06 Repeat steps no. 5 for each GCP load balancer available within the selected project.

07 Repeat steps no. 2 – 6 for each GCP project deployed in your Google Cloud account.

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list
    --format="table(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

PROJECT_ID
cc-project5-stack-123123
cc-bigdata-project-112233

03 Run compute url-maps list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as identifier parameter and custom query filters to describe the name of each load balancer (identified by an URL map) created for the selected project:

gcloud compute url-maps list
    --project cc-project5-stack-123123
    --format="table(name)"

04 The command output should return the name(s) of the existing load balancer(s):

NAME
cc-project5-web-load-balancer
cc-project5-app-load-balancer

05 Run compute target-https-proxies list command (Windows/macOS/Linux) using custom query filters to list the name and the associated URL map for each target HTTPS proxy deployed for the selected GCP project. A target HTTPS proxy is a network component which the load balancer uses to associate its URL map and SSL certificates with the global forwarding rules:

gcloud compute target-https-proxies list
    --project cc-project5-stack-123123
    --format="table(name,urlMap)"

06 The command output should return the requested configuration information. A target HTTPS proxy can be associated only with HTTPS load balancers:

NAME                                    URL_MAP
cc-project5-app-load-balancer-target-proxy   cc-project5-app-load-balancer

07 Repeat steps no. 3 – 6 for each GCP project deployed in your Google Cloud account.

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Cloud Load Balancing dashboard at https://console.cloud.google.com/net-services/loadbalancing.

04 On the Load balancing page, select Load balancers to access the list with the Google Cloud load balancers created for the selected project.

05 Choose the HTTP load balancer that you want to reconfigure (see Audit section part I to identify the right resource), click on the 3-dot button to access the options menu, then select Edit.

06 On the Edit HTTP(S) load balancer page, select Frontend configuration tab, and choose Add Frontend IP and port to create a new, secure frontend configuration for the selected load balancer.

07 On the frontend configuration panel, perform the following:

1. In the Name box, provide a name for your new frontend configuration.
2. Click Add a description to add a short description.
3. Select HTTPS (includes HTTP/2) from the Protocol dropdown list.
4. For Network Service Tier choose the appropriate network service tier for the resource.
5. Select IPv4 from the IP version dropdown list and choose the static IP address configured for the selected load balancer from the IP address dropdown list.
6. Choose 443 from the Port dropdown list to allow HTTPS traffic.
7. Click on the Certificate dropdown list and select your primary SSL certificate if you already have a self-managed SSL certificate resource. An SSL certificate resource contains SSL certificate information that the load balancer uses to terminate SSL/TLS when clients connect to it via HTTPS. If you need to create a new SSL certificate resource, select Create a new certificate and upload your self-managed SSL certificate (i.e. public key certificate, certificate chain, and private key). (Optional) Click on Additional certificates link to add more certificate resources in addition to the primary SSL certificate resource.
8. Select a secure SSL/TLS policy from the SSL policy dropdown list.
9. For QUIC negotiation select one of the following options:
   • Automatic (Default) to allow Google Cloud to control when QUIC is negotiated. QUIC is a UDP-based encrypted transport protocol optimized for HTTPS. Currently, when Automatic is selected QUIC is disabled. By selecting this option, you are allowing GCP to automatically enable QUIC negotiations and HTTP/3 in the future for the selected load balancer.
   • Enabled to allow the load balancer to negotiate QUIC with clients.
   • Disabled to prevent the load balancer from negotiating QUIC with clients.
10. Click Done to create the new frontend configuration.

08 On the Edit HTTP(S) load balancer page, click Update to associate the newly created HTTPS frontend configuration with the selected Google Cloud load balancer.

09 Repeat steps no. 5 – 8 to enable HTTPS for other insecure load balancers deployed for the selected project.

10 Repeat steps no. 2 – 9 for each GCP project available within your Google Cloud account.

01 To create a global SSL certificate resource for your external Google Cloud load balancers, run compute ssl-certificates create command (Windows/macOS/Linux) with the --global parameter. Replace <ssl-certificate-file> and <private-key-file> with your own self-managed certificate files:

gcloud compute ssl-certificates create cc-project5-ssl-certificate
    --global
    --certificate=<ssl-certificate-file>
    --private-key=<private-key-file>

02 The command output should return the URL of the new SSL certificate resource:

Created [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/sslCertificates/cc-project5-ssl-certificate].

03 Run compute target-https-proxies create command (Windows/macOS/Linux) using the name of the GCP load balancer that you want to reconfigure as identifier parameter and the name of the newly created SSL certificate resource as command parameter, to create a target HTTPS proxy that routes requests to the selected load balancer (identified by the URL map). The HTTPS proxy is the component of the load balancer that holds your SSL certificate for secure load balancing:

gcloud compute target-https-proxies create cc-project5-web-load-balancer-target-proxy
    --url-map cc-project5-web-load-balancer
    --ssl-certificates cc-project5-ssl-certificate

04 The command output should return the URL of the newly created HTTPS proxy:

Created [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/targetHttpsProxies/cc-project5-web-load-balancer-target-proxy].

05 Run compute forwarding-rules create command (Windows/macOS/Linux) to create a global forwarding rule that routes incoming requests to the target HTTPS proxy created at the previous steps in order to enable HTTPS for the associated Google Cloud load balancer. Replace <ipv4-address> with the static IPv4 address configured for the selected load balancer:

gcloud compute forwarding-rules create cc-project5-https-frontend-config
    --global
    --address=<ipv4-address>
    --target-https-proxy=cc-project5-web-load-balancer-target-proxy
    --ports=443

06 The command output should return the URL of the new load balancer forwarding rule:

Created [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/forwardingRules/cc-load-balancer-https-frontend-config].

07 Repeat steps no. 1 – 6 to enable HTTPS for other insecure load balancers available within the selected project.

08 Repeat steps no. 1 – 7 for each GCP project deployed in your Google Cloud account.