NAME

gcloud compute forwarding-rules create - create a forwarding rule to direct network traffic to a load balancer

SYNOPSIS

gcloud compute forwarding-rules create NAME (--backend-service=BACKEND_SERVICE | --target-google-apis-bundle=TARGET_GOOGLE_APIS_BUNDLE | --target-grpc-proxy=TARGET_GRPC_PROXY | --target-http-proxy=TARGET_HTTP_PROXY | --target-https-proxy=TARGET_HTTPS_PROXY | --target-instance=TARGET_INSTANCE | --target-pool=TARGET_POOL | --target-service-attachment=TARGET_SERVICE_ATTACHMENT | --target-ssl-proxy=TARGET_SSL_PROXY | --target-tcp-proxy=TARGET_TCP_PROXY | --target-vpn-gateway=TARGET_VPN_GATEWAY) [--address=ADDRESS] [--allow-global-access] [--description=DESCRIPTION] [--disable-automate-dns-zone] [--ip-protocol=IP_PROTOCOL] [--ip-version=IP_VERSION] [--is-mirroring-collector] [--load-balancing-scheme=LOAD_BALANCING_SCHEME] [--network=NETWORK] [--network-tier=NETWORK_TIER] [--service-directory-registration=SERVICE_DIRECTORY_REGISTRATION] [--service-label=SERVICE_LABEL] [--subnet=SUBNET] [--subnet-region=SUBNET_REGION] [--target-instance-zone=TARGET_INSTANCE_ZONE] [--target-pool-region=TARGET_POOL_REGION] [--target-service-attachment-region=TARGET_SERVICE_ATTACHMENT_REGION] [--target-vpn-gateway-region=TARGET_VPN_GATEWAY_REGION] [--address-region=ADDRESS_REGION | --global-address] [--backend-service-region=BACKEND_SERVICE_REGION | --global-backend-service] [--global | --region=REGION] [--global-target-http-proxy | --target-http-proxy-region=TARGET_HTTP_PROXY_REGION] [--global-target-https-proxy | --target-https-proxy-region=TARGET_HTTPS_PROXY_REGION] [--global-target-tcp-proxy | --target-tcp-proxy-region=TARGET_TCP_PROXY_REGION] [--port-range=[PORT | START_PORT-END_PORT] | --ports=ALL | [PORT | START_PORT-END_PORT],[...]] [GCLOUD_WIDE_FLAG ...]

DESCRIPTION

gcloud compute forwarding-rules create is used to create a forwarding rule. A forwarding rule directs traffic that matches a destination IP address (and possibly a TCP or UDP port) to a forwarding target (load balancer, VPN gateway or VM instance).

Forwarding rules can be either global or regional, specified with the --global or --region=REGION flags. For more information about the scope of a forwarding rule, refer to https://cloud.google.com/load-balancing/docs/forwarding-rule-concepts.

Forwarding rules can be external, internal, internal managed, or internal self-managed, specified with the --load-balancing-scheme=[EXTERNAL|EXTERNAL_MANAGED|INTERNAL|INTERNAL_MANAGED|INTERNAL_SELF_MANAGED] flag. External forwarding rules are accessible from the internet, while internal forwarding rules are only accessible from within their VPC networks. You can specify a reserved static external or internal IP address with the --address=ADDRESS flag for the forwarding rule. Otherwise, if the flag is unspecified, an ephemeral IP address is automatically assigned (global IP addresses for global forwarding rules and regional IP addresses for regional forwarding rules); an internal forwarding rule is automatically assigned an ephemeral internal IP address from the subnet specified with the --subnet flag. You must provide an IP address for an internal self-managed forwarding rule.

Different types of load balancers work at different layers of the OSI networking model http://en.wikipedia.org/wiki/Network_layer. Layer 3/4 targets include target pools, target SSL proxies, target TCP proxies, and backend services. Layer 7 targets include target HTTP proxies and target HTTPS proxies. For more information, refer to https://cloud.google.com/load-balancing/docs/forwarding-rule-concepts.

When creating a forwarding rule, exactly one of --target-instance, --target-pool, --target-http-proxy, --target-https-proxy, --target-grpc-proxy, --target-ssl-proxy, --target-tcp-proxy, --target-vpn-gateway, --backend-service or --target-google-apis-bundle must be specified.

EXAMPLES

To create a global forwarding rule that will forward all traffic on port 8080 for IP address ADDRESS to a target http proxy PROXY, run:

$ gcloud compute forwarding-rules create RULE_NAME --global \ --target-http-proxy=PROXY --ports=8080 --address=ADDRESS

To create a regional forwarding rule for the subnet SUBNET_NAME on the default network that will forward all traffic on ports 80-82 to a backend service SERVICE_NAME, run:

$ gcloud compute forwarding-rules create RULE_NAME \ --load-balancing-scheme=INTERNAL \ --backend-service=SERVICE_NAME --subnet=SUBNET_NAME \ --network=default --region=REGION --ports=80-82

POSITIONAL ARGUMENTS

NAME

Name of the forwarding rule to create.

REQUIRED FLAGS

Exactly one of these must be specified:
--backend-service=BACKEND_SERVICE

Target backend service that receives the traffic.

--target-google-apis-bundle=TARGET_GOOGLE_APIS_BUNDLE

Target bundle of Google APIs that will receive forwarded traffic via Private Service Connect. Acceptable values are all-apis, meaning all Google APIs, or vpc-sc, meaning just the APIs that support VPC Service Controls

--target-grpc-proxy=TARGET_GRPC_PROXY

Target gRPC proxy that receives the traffic.

--target-http-proxy=TARGET_HTTP_PROXY

Target HTTP proxy that receives the traffic. Acceptable values for --ports flag are: 80, 8080.

--target-https-proxy=TARGET_HTTPS_PROXY

Target HTTPS proxy that receives the traffic. Acceptable values for --ports flag are: 443.

--target-instance=TARGET_INSTANCE

Name of the target instance that receives the traffic. The target instance must be in a zone in the forwarding rule's region. Global forwarding rules cannot direct traffic to target instances. If not specified and the compute/zone property isn't set, you might be prompted to select a zone (interactive mode only).

To avoid prompting when this flag is omitted, you can set the compute/zone property:

$ gcloud config set compute/zone ZONE

A list of zones can be fetched by running:

$ gcloud compute zones list

To unset the property, run:

$ gcloud config unset compute/zone

Alternatively, the zone can be stored in the environment variable CLOUDSDK_COMPUTE_ZONE.

--target-pool=TARGET_POOL

Target pool that receives the traffic. The target pool must be in the same region as the forwarding rule. Global forwarding rules cannot direct traffic to target pools.

--target-service-attachment=TARGET_SERVICE_ATTACHMENT

Target service attachment that receives the traffic. The target service attachment must be in the same region as the forwarding rule.

--target-ssl-proxy=TARGET_SSL_PROXY

Target SSL proxy that receives the traffic. For the acceptable ports, see Port specifications https://cloud.google.com/load-balancing/docs/forwarding-rule-concepts#port_specifications.

--target-tcp-proxy=TARGET_TCP_PROXY

Target TCP proxy that receives the traffic. For the acceptable ports, see Port specifications https://cloud.google.com/load-balancing/docs/forwarding-rule-concepts#port_specifications.

--target-vpn-gateway=TARGET_VPN_GATEWAY

Target VPN gateway (Cloud VPN Classic gateway) that receives forwarded traffic. Acceptable values for --ports flag are: 500, 4500.

OPTIONAL FLAGS

--address=ADDRESS

The IP address that the forwarding rule serves. When a client sends traffic to this IP address, the forwarding rule directs the traffic to the target that you specify in the forwarding rule.

If you don't specify a reserved IP address, an ephemeral IP address is assigned. You can specify the IP address as a literal IP address or as a reference to an existing Address resource. The following examples are all valid:

100.1.2.3

2600:1901::/96

https://compute.googleapis.com/compute/v1/projects/project-1/regions/us-central1/addresses/address-1

projects/project-1/regions/us-central1/addresses/address-1

regions/us-central1/addresses/address-1

global/addresses/address-1

address-1

The load-balancing-scheme (EXTERNAL, EXTERNAL_MANAGED, INTERNAL, INTERNAL_SELF_MANAGED, INTERNAL_MANAGED) and the target of the forwarding rule determine the type of IP address that you can use. The address type must be external for load-balancing-scheme EXTERNAL or EXTERNAL_MANAGED. For other load-balancing-schemes, the address type must be internal. For detailed information, refer to https://cloud.google.com/load-balancing/docs/forwarding-rule-concepts#ip_address_specifications.

--allow-global-access

If True, then clients from all regions can access this internal forwarding rule. This can only be specified for forwarding rules with the LOAD_BALANCING_SCHEME set to INTERNAL or INTERNAL_MANAGED. For forwarding rules of type INTERNAL, the target must be either a backend service or a target instance.

--description=DESCRIPTION

Optional textual description for the forwarding rule.

--disable-automate-dns-zone

If specified, then a DNS zone will not be auto-generated for this Private Service Connect forwarding rule. This can only be specified if the forwarding rule's target is a service attachment (--target-service-attachment=SERVICE_ATTACHMENT) or Google APIs bundle (--target-google-apis-bundle=API_BUNDLE)

--ip-protocol=IP_PROTOCOL

IP protocol that the rule will serve. The default is TCP.

Note that if the load-balancing scheme is INTERNAL, the protocol must be one of: TCP, UDP, L3_DEFAULT.

For a load-balancing scheme that is EXTERNAL, all IP_PROTOCOL options are valid.

IP_PROTOCOL must be one of: AH, ESP, ICMP, SCTP, TCP, UDP, L3_DEFAULT.

--ip-version=IP_VERSION

Version of the IP address to be allocated or assigned. The default is IPv4. IP_VERSION must be one of: IPV4, IPV6.

--is-mirroring-collector

If set, this forwarding rule can be used as a collector for packet mirroring. This can only be specified for forwarding rules with the LOAD_BALANCING_SCHEME set to INTERNAL.

--load-balancing-scheme=LOAD_BALANCING_SCHEME

This defines the forwarding rule's load balancing scheme. Note that it defaults to EXTERNAL and is not applicable for Private Service Connect forwarding rules. LOAD_BALANCING_SCHEME must be one of:

EXTERNAL

External load balancing or forwarding, used with one of --target-http-proxy, --target-https-proxy, --target-tcp-proxy, --target-ssl-proxy, --target-pool, --target-vpn-gateway, --target-instance.

EXTERNAL_MANAGED

Envoy based External HTTP(S) Load Balancing, used with --target-http-proxy, --target-https-proxy.

INTERNAL

Internal load balancing or forwarding, used with --backend-service.

INTERNAL_MANAGED

Internal load balancing, used with --target-http-proxy, --target-https-proxy, --target-tcp-proxy.

INTERNAL_SELF_MANAGED

Traffic Director load balancing or forwarding, used with --target-http-proxy, --target-https-proxy, --target-grpc-proxy, --target-tcp-proxy.

--network=NETWORK

(Only for --load-balancing-scheme=INTERNAL or --load-balancing-scheme=INTERNAL_SELF_MANAGED or --load-balancing-scheme=EXTERNAL_MANAGED (regional) or --load-balancing-scheme=INTERNAL_MANAGED) Network that this forwarding rule applies to. If this field is not specified, the default network is used. In the absence of the default network, this field must be specified.

--network-tier=NETWORK_TIER

Network tier to assign to the forwarding rules. NETWORK_TIER must be one of: PREMIUM, STANDARD, FIXED_STANDARD. The default value is PREMIUM.

--service-directory-registration=SERVICE_DIRECTORY_REGISTRATION

The Service Directory service in which to register this forwarding rule as an endpoint. The Service Directory service must be in the same project and region as the forwarding rule you are creating.

--service-label=SERVICE_LABEL

(Only for Internal Load Balancing): https://cloud.google.com/load-balancing/docs/dns-names/ The DNS label to use as the prefix of the fully qualified domain name for this forwarding rule. The full name will be internally generated and output as dnsName. If this field is not specified, no DNS record will be generated and no DNS name will be output. You cannot use the --service-label flag if the forwarding rule references an internal IP address that has the --purpose=SHARED_LOADBALANCER_VIP flag set.

--subnet=SUBNET

(Only for --load-balancing-scheme=INTERNAL and --load-balancing-scheme=INTERNAL_MANAGED) Subnetwork that this forwarding rule applies to. If the network is auto mode, this flag is optional. If the network is custom mode, this flag is required.

--subnet-region=SUBNET_REGION

Region of the subnetwork to operate on. If not specified, the region is set to the region of the forwarding rule. Overrides the default compute/region property value for this command invocation.

--target-instance-zone=TARGET_INSTANCE_ZONE

Zone of the target instance to operate on. Overrides the default compute/zone property value for this command invocation.

--target-pool-region=TARGET_POOL_REGION

Region of the target pool to operate on. If not specified, the region is set to the region of the forwarding rule. Overrides the default compute/region property value for this command invocation.

--target-service-attachment-region=TARGET_SERVICE_ATTACHMENT_REGION

Region of the target service attachment to operate on. If not specified, you might be prompted to select a region (interactive mode only).

To avoid prompting when this flag is omitted, you can set the compute/region property:

$ gcloud config set compute/region REGION

A list of regions can be fetched by running:

$ gcloud compute regions list

To unset the property, run:

$ gcloud config unset compute/region

Alternatively, the region can be stored in the environment variable CLOUDSDK_COMPUTE_REGION.

--target-vpn-gateway-region=TARGET_VPN_GATEWAY_REGION

Region of the VPN gateway to operate on. If not specified, the region is set to the region of the forwarding rule. Overrides the default compute/region property value for this command invocation.

At most one of these can be specified:
--address-region=ADDRESS_REGION

Region of the address to operate on. If not specified, you might be prompted to select a region (interactive mode only).

To avoid prompting when this flag is omitted, you can set the compute/region property:

$ gcloud config set compute/region REGION

A list of regions can be fetched by running:

$ gcloud compute regions list

To unset the property, run:

$ gcloud config unset compute/region

Alternatively, the region can be stored in the environment variable CLOUDSDK_COMPUTE_REGION.

--global-address

If set, the address is global.

At most one of these can be specified:
--backend-service-region=BACKEND_SERVICE_REGION

Region of the backend service to operate on. If not specified, the region is set to the region of the forwarding rule. Overrides the default compute/region property value for this command invocation.

--global-backend-service

If set, the backend service is global.

At most one of these can be specified:
--global

If set, the forwarding rule is global.

--region=REGION

Region of the forwarding rule to create. If not specified, you might be prompted to select a region (interactive mode only).

To avoid prompting when this flag is omitted, you can set the compute/region property:

$ gcloud config set compute/region REGION

A list of regions can be fetched by running:

$ gcloud compute regions list

To unset the property, run:

$ gcloud config unset compute/region

Alternatively, the region can be stored in the environment variable CLOUDSDK_COMPUTE_REGION.

At most one of these can be specified:
--global-target-http-proxy

If set, the http proxy is global.

--target-http-proxy-region=TARGET_HTTP_PROXY_REGION

Region of the http proxy to operate on. If not specified, you might be prompted to select a region (interactive mode only).

To avoid prompting when this flag is omitted, you can set the compute/region property:

$ gcloud config set compute/region REGION

A list of regions can be fetched by running:

$ gcloud compute regions list

To unset the property, run:

$ gcloud config unset compute/region

Alternatively, the region can be stored in the environment variable CLOUDSDK_COMPUTE_REGION.

At most one of these can be specified:
--global-target-https-proxy

If set, the https proxy is global.

--target-https-proxy-region=TARGET_HTTPS_PROXY_REGION

Region of the https proxy to operate on. If not specified, you might be prompted to select a region (interactive mode only).

To avoid prompting when this flag is omitted, you can set the compute/region property:

$ gcloud config set compute/region REGION

A list of regions can be fetched by running:

$ gcloud compute regions list

To unset the property, run:

$ gcloud config unset compute/region

Alternatively, the region can be stored in the environment variable CLOUDSDK_COMPUTE_REGION.

At most one of these can be specified:
--global-target-tcp-proxy

If set, the tcp proxy is global.

--target-tcp-proxy-region=TARGET_TCP_PROXY_REGION

Region of the tcp proxy to operate on. If not specified, you might be prompted to select a region (interactive mode only).

To avoid prompting when this flag is omitted, you can set the compute/region property:

$ gcloud config set compute/region REGION

A list of regions can be fetched by running:

$ gcloud compute regions list

To unset the property, run:

$ gcloud config unset compute/region

Alternatively, the region can be stored in the environment variable CLOUDSDK_COMPUTE_REGION.

At most one of these can be specified:
--port-range=[PORT | START_PORT-END_PORT]

DEPRECATED, use --ports. If specified, only packets addressed to ports in the specified range are forwarded. For more information, refer to https://cloud.google.com/load-balancing/docs/forwarding-rule-concepts#port_specifications.

--ports=ALL | [PORT | START_PORT-END_PORT],[...]

List of comma-separated ports. The forwarding rule forwards packets with matching destination ports. Port specification requirements vary depending on the load-balancing scheme and target. For more information, refer to https://cloud.google.com/load-balancing/docs/forwarding-rule-concepts#port_specifications.

GCLOUD WIDE FLAGS

These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

NOTES

These variants are also available:

$ gcloud alpha compute forwarding-rules create

$ gcloud beta compute forwarding-rules create