gcloud alpha compute forwarding-rules create - create a forwarding rule to direct network traffic to a load balancer
gcloud alpha compute forwarding-rules create NAME (--backend-service=BACKEND_SERVICE | --target-google-apis-bundle=TARGET_GOOGLE_APIS_BUNDLE | --target-grpc-proxy=TARGET_GRPC_PROXY | --target-http-proxy=TARGET_HTTP_PROXY | --target-https-proxy=TARGET_HTTPS_PROXY | --target-instance=TARGET_INSTANCE | --target-pool=TARGET_POOL | --target-service-attachment=TARGET_SERVICE_ATTACHMENT | --target-ssl-proxy=TARGET_SSL_PROXY | --target-tcp-proxy=TARGET_TCP_PROXY | --target-vpn-gateway=TARGET_VPN_GATEWAY) [--address=ADDRESS] [--allow-global-access] [--allow-psc-global-access] [--description=DESCRIPTION] [--disable-automate-dns-zone] [--ip-protocol=IP_PROTOCOL] [--ip-version=IP_VERSION] [--is-mirroring-collector] [--load-balancing-scheme=LOAD_BALANCING_SCHEME] [--network=NETWORK] [--network-tier=NETWORK_TIER] [--service-directory-registration=SERVICE_DIRECTORY_REGISTRATION] [--service-label=SERVICE_LABEL] [--source-ip-ranges=SOURCE_IP_RANGE,[...]] [--subnet=SUBNET] [--subnet-region=SUBNET_REGION] [--target-instance-zone=TARGET_INSTANCE_ZONE] [--target-pool-region=TARGET_POOL_REGION] [--target-service-attachment-region=TARGET_SERVICE_ATTACHMENT_REGION] [--target-vpn-gateway-region=TARGET_VPN_GATEWAY_REGION] [--address-region=ADDRESS_REGION | --global-address] [--backend-service-region=BACKEND_SERVICE_REGION | --global-backend-service] [--global | --region=REGION] [--global-target-http-proxy | --target-http-proxy-region=TARGET_HTTP_PROXY_REGION] [--global-target-https-proxy | --target-https-proxy-region=TARGET_HTTPS_PROXY_REGION] [--global-target-tcp-proxy | --target-tcp-proxy-region=TARGET_TCP_PROXY_REGION] [--port-range=[PORT | START_PORT-END_PORT] | --ports=ALL | [PORT | START_PORT-END_PORT],[...]] [GCLOUD_WIDE_FLAG ...]
(ALPHA) gcloud alpha compute forwarding-rules create is used to create a forwarding rule. A forwarding rule directs traffic that matches a destination IP address (and possibly a TCP or UDP port) to a forwarding target (load balancer, VPN gateway or VM instance).
Forwarding rules can be either global or regional, specified with the --global or --region=REGION flags. For more information about the scope of a forwarding rule, refer to https://cloud.google.com/load-balancing/docs/forwarding-rule-concepts.
Forwarding rules can be external, internal, internal managed, or internal self-managed, specified with the --load-balancing-scheme=[EXTERNAL|EXTERNAL_MANAGED|INTERNAL|INTERNAL_MANAGED|INTERNAL_SELF_MANAGED] flag. External forwarding rules are accessible from the internet, while internal forwarding rules are only accessible from within their VPC networks. You can specify a reserved static external or internal IP address with the --address=ADDRESS flag for the forwarding rule. Otherwise, if the flag is unspecified, an ephemeral IP address is automatically assigned (global IP addresses for global forwarding rules and regional IP addresses for regional forwarding rules); an internal forwarding rule is automatically assigned an ephemeral internal IP address from the subnet specified with the --subnet flag. You must provide an IP address for an internal self-managed forwarding rule.
Different types of load balancers work at different layers of the OSI networking model http://en.wikipedia.org/wiki/Network_layer. Layer 3/4 targets include target pools, target SSL proxies, target TCP proxies, and backend services. Layer 7 targets include target HTTP proxies and target HTTPS proxies. For more information, refer to https://cloud.google.com/load-balancing/docs/forwarding-rule-concepts.
When creating a forwarding rule, exactly one of --target-instance, --target-pool, --target-http-proxy, --target-https-proxy, --target-grpc-proxy, --target-ssl-proxy, --target-tcp-proxy, --target-vpn-gateway, --backend-service or --target-google-apis-bundle must be specified.
To create a global forwarding rule that will forward all traffic on port 8080 for IP address ADDRESS to a target http proxy PROXY, run:
$ gcloud alpha compute forwarding-rules create RULE_NAME --global \ --target-http-proxy=PROXY --ports=8080 --address=ADDRESS
To create a regional forwarding rule for the subnet SUBNET_NAME on the default network that will forward all traffic on ports 80-82 to a backend service SERVICE_NAME, run:
$ gcloud alpha compute forwarding-rules create RULE_NAME \ --load-balancing-scheme=INTERNAL \ --backend-service=SERVICE_NAME --subnet=SUBNET_NAME \ --network=default --region=REGION --ports=80-82
- NAME
Name of the forwarding rule to create.
- Exactly one of these must be specified:
- --backend-service=BACKEND_SERVICE
Target backend service that receives the traffic.
- --target-google-apis-bundle=TARGET_GOOGLE_APIS_BUNDLE
Target bundle of Google APIs that will receive forwarded traffic via Private Service Connect. Acceptable values are all-apis, meaning all Google APIs, or vpc-sc, meaning just the APIs that support VPC Service Controls
- --target-grpc-proxy=TARGET_GRPC_PROXY
Target gRPC proxy that receives the traffic.
- --target-http-proxy=TARGET_HTTP_PROXY
Target HTTP proxy that receives the traffic. Acceptable values for --ports flag are: 80, 8080.
- --target-https-proxy=TARGET_HTTPS_PROXY
Target HTTPS proxy that receives the traffic. Acceptable values for --ports flag are: 443.
- --target-instance=TARGET_INSTANCE
Name of the target instance that receives the traffic. The target instance must be in a zone in the forwarding rule's region. Global forwarding rules cannot direct traffic to target instances. If not specified and the compute/zone property isn't set, you might be prompted to select a zone (interactive mode only).
To avoid prompting when this flag is omitted, you can set the compute/zone property:
$ gcloud config set compute/zone ZONE
A list of zones can be fetched by running:
$ gcloud compute zones list
To unset the property, run:
$ gcloud config unset compute/zone
Alternatively, the zone can be stored in the environment variable CLOUDSDK_COMPUTE_ZONE.
- --target-pool=TARGET_POOL
Target pool that receives the traffic. The target pool must be in the same region as the forwarding rule. Global forwarding rules cannot direct traffic to target pools.
- --target-service-attachment=TARGET_SERVICE_ATTACHMENT
Target service attachment that receives the traffic. The target service attachment must be in the same region as the forwarding rule.
- --target-ssl-proxy=TARGET_SSL_PROXY
Target SSL proxy that receives the traffic. For the acceptable ports, see Port specifications https://cloud.google.com/load-balancing/docs/forwarding-rule-concepts#port_specifications.
- --target-tcp-proxy=TARGET_TCP_PROXY
Target TCP proxy that receives the traffic. For the acceptable ports, see Port specifications https://cloud.google.com/load-balancing/docs/forwarding-rule-concepts#port_specifications.
- --target-vpn-gateway=TARGET_VPN_GATEWAY
Target VPN gateway (Cloud VPN Classic gateway) that receives forwarded traffic. Acceptable values for --ports flag are: 500, 4500.
- --address=ADDRESS
The IP address that the forwarding rule serves. When a client sends traffic to this IP address, the forwarding rule directs the traffic to the target that you specify in the forwarding rule.
If you don't specify a reserved IP address, an ephemeral IP address is assigned. You can specify the IP address as a literal IP address or as a reference to an existing Address resource. The following examples are all valid:
- —
100.1.2.3
- —
2600:1901::/96
- —
https://compute.googleapis.com/compute/v1/projects/project-1/regions/us-central1/addresses/address-1
- —
projects/project-1/regions/us-central1/addresses/address-1
- —
regions/us-central1/addresses/address-1
- —
global/addresses/address-1
- —
address-1
The load-balancing-scheme (EXTERNAL, EXTERNAL_MANAGED, INTERNAL, INTERNAL_SELF_MANAGED, INTERNAL_MANAGED) and the target of the forwarding rule determine the type of IP address that you can use. The address type must be external for load-balancing-scheme EXTERNAL or EXTERNAL_MANAGED. For other load-balancing-schemes, the address type must be internal. For detailed information, refer to https://cloud.google.com/load-balancing/docs/forwarding-rule-concepts#ip_address_specifications.
- --allow-global-access
If True, then clients from all regions can access this internal forwarding rule. This can only be specified for forwarding rules with the LOAD_BALANCING_SCHEME set to INTERNAL or INTERNAL_MANAGED. For forwarding rules of type INTERNAL, the target must be either a backend service or a target instance.
- --allow-psc-global-access
If specified, then clients from all regions can access this Private Service Connect forwarding rule. This can only be specified if the forwarding rule's target is a service attachment (--target-service-attachment).
- --description=DESCRIPTION
Optional textual description for the forwarding rule.
- --disable-automate-dns-zone
If specified, then a DNS zone will not be auto-generated for this Private Service Connect forwarding rule. This can only be specified if the forwarding rule's target is a service attachment (--target-service-attachment=SERVICE_ATTACHMENT) or Google APIs bundle (--target-google-apis-bundle=API_BUNDLE)
- --ip-protocol=IP_PROTOCOL
IP protocol that the rule will serve. The default is TCP.
Note that if the load-balancing scheme is INTERNAL, the protocol must be one of: TCP, UDP, ALL, L3_DEFAULT.
For a load-balancing scheme that is EXTERNAL, all IP_PROTOCOL options other than ALL are valid.
IP_PROTOCOL must be one of: AH, ESP, ICMP, SCTP, TCP, UDP, L3_DEFAULT, ALL.
- --ip-version=IP_VERSION
Version of the IP address to be allocated or assigned. The default is IPv4. IP_VERSION must be one of: IPV4, IPV6.
- --is-mirroring-collector
If set, this forwarding rule can be used as a collector for packet mirroring. This can only be specified for forwarding rules with the LOAD_BALANCING_SCHEME set to INTERNAL.
- --load-balancing-scheme=LOAD_BALANCING_SCHEME
This defines the forwarding rule's load balancing scheme. Note that it defaults to EXTERNAL and is not applicable for Private Service Connect forwarding rules. LOAD_BALANCING_SCHEME must be one of:
- EXTERNAL
External load balancing or forwarding, used with one of --target-http-proxy, --target-https-proxy, --target-tcp-proxy, --target-ssl-proxy, --target-pool, --target-vpn-gateway, --target-instance.
- EXTERNAL_MANAGED
Envoy based External HTTP(S) Load Balancing, used with --target-http-proxy, --target-https-proxy.
- INTERNAL
Internal load balancing or forwarding, used with --backend-service.
- INTERNAL_MANAGED
Internal load balancing, used with --target-http-proxy, --target-https-proxy, --target-tcp-proxy.
- INTERNAL_SELF_MANAGED
Traffic Director load balancing or forwarding, used with --target-http-proxy, --target-https-proxy, --target-grpc-proxy, --target-tcp-proxy.
- --network=NETWORK
(Only for --load-balancing-scheme=INTERNAL or --load-balancing-scheme=INTERNAL_SELF_MANAGED or --load-balancing-scheme=EXTERNAL_MANAGED (regional) or --load-balancing-scheme=INTERNAL_MANAGED) Network that this forwarding rule applies to. If this field is not specified, the default network is used. In the absence of the default network, this field must be specified.
- --network-tier=NETWORK_TIER
Network tier to assign to the forwarding rules. NETWORK_TIER must be one of: PREMIUM, STANDARD, FIXED_STANDARD. The default value is PREMIUM.
- --service-directory-registration=SERVICE_DIRECTORY_REGISTRATION
The Service Directory service in which to register this forwarding rule as an endpoint. The Service Directory service must be in the same project and region as the forwarding rule you are creating.
- --service-label=SERVICE_LABEL
(Only for Internal Load Balancing): https://cloud.google.com/load-balancing/docs/dns-names/ The DNS label to use as the prefix of the fully qualified domain name for this forwarding rule. The full name will be internally generated and output as dnsName. If this field is not specified, no DNS record will be generated and no DNS name will be output. You cannot use the --service-label flag if the forwarding rule references an internal IP address that has the --purpose=SHARED_LOADBALANCER_VIP flag set.
- --source-ip-ranges=SOURCE_IP_RANGE,[...]
List of comma-separated IP addresses or IP ranges. If not empty, this Forwarding Rule will only forward the traffic when the source IP address falls into one of the IP ranges set here.
- --subnet=SUBNET
(Only for --load-balancing-scheme=INTERNAL and --load-balancing-scheme=INTERNAL_MANAGED) Subnetwork that this forwarding rule applies to. If the network is auto mode, this flag is optional. If the network is custom mode, this flag is required.
- --subnet-region=SUBNET_REGION
Region of the subnetwork to operate on. If not specified, the region is set to the region of the forwarding rule. Overrides the default compute/region property value for this command invocation.
- --target-instance-zone=TARGET_INSTANCE_ZONE
Zone of the target instance to operate on. Overrides the default compute/zone property value for this command invocation.
- --target-pool-region=TARGET_POOL_REGION
Region of the target pool to operate on. If not specified, the region is set to the region of the forwarding rule. Overrides the default compute/region property value for this command invocation.
- --target-service-attachment-region=TARGET_SERVICE_ATTACHMENT_REGION
Region of the target service attachment to operate on. If not specified, you might be prompted to select a region (interactive mode only).
To avoid prompting when this flag is omitted, you can set the compute/region property:
$ gcloud config set compute/region REGION
A list of regions can be fetched by running:
$ gcloud compute regions list
To unset the property, run:
$ gcloud config unset compute/region
Alternatively, the region can be stored in the environment variable CLOUDSDK_COMPUTE_REGION.
- --target-vpn-gateway-region=TARGET_VPN_GATEWAY_REGION
Region of the VPN gateway to operate on. If not specified, the region is set to the region of the forwarding rule. Overrides the default compute/region property value for this command invocation.
- At most one of these can be specified:
- --address-region=ADDRESS_REGION
Region of the address to operate on. If not specified, you might be prompted to select a region (interactive mode only).
To avoid prompting when this flag is omitted, you can set the compute/region property:
$ gcloud config set compute/region REGION
A list of regions can be fetched by running:
$ gcloud compute regions list
To unset the property, run:
$ gcloud config unset compute/region
Alternatively, the region can be stored in the environment variable CLOUDSDK_COMPUTE_REGION.
- --global-address
If set, the address is global.
- At most one of these can be specified:
- --backend-service-region=BACKEND_SERVICE_REGION
Region of the backend service to operate on. If not specified, the region is set to the region of the forwarding rule. Overrides the default compute/region property value for this command invocation.
- --global-backend-service
If set, the backend service is global.
- At most one of these can be specified:
- --global
If set, the forwarding rule is global.
- --region=REGION
Region of the forwarding rule to create. If not specified, you might be prompted to select a region (interactive mode only).
To avoid prompting when this flag is omitted, you can set the compute/region property:
$ gcloud config set compute/region REGION
A list of regions can be fetched by running:
$ gcloud compute regions list
To unset the property, run:
$ gcloud config unset compute/region
Alternatively, the region can be stored in the environment variable CLOUDSDK_COMPUTE_REGION.
- At most one of these can be specified:
- --global-target-http-proxy
If set, the http proxy is global.
- --target-http-proxy-region=TARGET_HTTP_PROXY_REGION
Region of the http proxy to operate on. If not specified, you might be prompted to select a region (interactive mode only).
To avoid prompting when this flag is omitted, you can set the compute/region property:
$ gcloud config set compute/region REGION
A list of regions can be fetched by running:
$ gcloud compute regions list
To unset the property, run:
$ gcloud config unset compute/region
Alternatively, the region can be stored in the environment variable CLOUDSDK_COMPUTE_REGION.
- At most one of these can be specified:
- --global-target-https-proxy
If set, the https proxy is global.
- --target-https-proxy-region=TARGET_HTTPS_PROXY_REGION
Region of the https proxy to operate on. If not specified, you might be prompted to select a region (interactive mode only).
To avoid prompting when this flag is omitted, you can set the compute/region property:
$ gcloud config set compute/region REGION
A list of regions can be fetched by running:
$ gcloud compute regions list
To unset the property, run:
$ gcloud config unset compute/region
Alternatively, the region can be stored in the environment variable CLOUDSDK_COMPUTE_REGION.
- At most one of these can be specified:
- --global-target-tcp-proxy
If set, the tcp proxy is global.
- --target-tcp-proxy-region=TARGET_TCP_PROXY_REGION
Region of the tcp proxy to operate on. If not specified, you might be prompted to select a region (interactive mode only).
To avoid prompting when this flag is omitted, you can set the compute/region property:
$ gcloud config set compute/region REGION
A list of regions can be fetched by running:
$ gcloud compute regions list
To unset the property, run:
$ gcloud config unset compute/region
Alternatively, the region can be stored in the environment variable CLOUDSDK_COMPUTE_REGION.
- At most one of these can be specified:
- --port-range=[PORT | START_PORT-END_PORT]
DEPRECATED, use --ports. If specified, only packets addressed to ports in the specified range are forwarded. For more information, refer to https://cloud.google.com/load-balancing/docs/forwarding-rule-concepts#port_specifications.
- --ports=ALL | [PORT | START_PORT-END_PORT],[...]
List of comma-separated ports. The forwarding rule forwards packets with matching destination ports. Port specification requirements vary depending on the load-balancing scheme and target. For more information, refer to https://cloud.google.com/load-balancing/docs/forwarding-rule-concepts#port_specifications.
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
This command is currently in alpha and might change without notice. If this command fails with API permission errors despite specifying the correct project, you might be trying to access an API with an invitation-only early access allowlist. These variants are also available:
$ gcloud compute forwarding-rules create
$ gcloud beta compute forwarding-rules create