Using alias IP ranges with load balancing target pools (or something to that effect)


Freark van der Bos

Sep 19, 2018, 3:44:33 AM
to gce-discussion
I have a number of compute instances which have additional internal IP addresses configured using the alias IP feature[1]. I run a number of services on these instances on ports 80 and 443 bound to those different IPs. I have been looking for a way to make a target pool for load balancing[2], but I do not see a method where I can configure a target pool to specifically use an IP from the alias IP ranges.

In short my question is, can I (and if so how) use GCP load balancing features to load balance to specific internal IPs configured using the alias IP feature?

Mohibul (Google Cloud Support)

Sep 20, 2018, 10:12:34 PM
to gce-discussion
My understanding is you would like to know how to use GCP load balancing features to load balance to specific internal IPs configured using the alias IP feature.

First we should note that target pools are only used by network load balancing.  They are not used by any other type of load balancer.  Internal load balancing, TCP Proxy, SSL Proxy, and HTTP(S) load balancing use backend services instead of target pools.

Specific to network load balancing, since the load balancer has an external IP address, and because that type of load balancer is not a proxy, packets are delivered with the destination IP being the external IP of the load balancer itself.  The instances in the target pool are configured to receive those packets by virtue of a NAT mapping performed by the load balancer's forwarding rule. Traffic is then delivered to the primary network interface of the VM.

VMs can only have a single network interface per VPC network, and load balancing only delivers packets to the primary network interface of a VM.

Alias IP is a means by which you can assign additional internal IP addresses to a network interface (including the primary network interface).

But alias IP is irrelevant here since the external IP of the network load balancer is the destination of the packet.  We deliver that packet to the primary network interface of the VM, regardless of what internal IP address that interface has, or whether it has alias IP addresses.

I would like to clarify two things here:
- network interfaces
- IP addresses per interface

Alias IP does not give the VM multiple network interfaces.  It just adds more internal IPs to the primary network interface.  But you don't need an internal IP for network load balancing.  You need an external IP, and that's set up when you create the forwarding rule for the load balancer itself.

To further assist you, could you let us know in detail what you are trying to accomplish?

Freark van der Bos

Sep 21, 2018, 3:30:04 AM
to gce-discussion
Hi Mohibul,

First of all, thank you for elaborating on the intricacies of GCP's load balancing features.

My understanding is you would like to know how to use GCP load balancing features to load balance to specific internal IPs configured using the alias IP feature.

While that understanding is correct, it is also somewhat incomplete. I would like to have multiple external IP addresses map to specific internal IP addresses, where some of those internal IP addresses are on the same instance. Let me give an example:
  • Application 1 runs on both instance A and instance B.
  • Application 2 runs on both instance A and instance B.
  • Internal security requirements demand that application 1 and application 2 may never run on the same IP+port (so I am not allowed to do virtual hosting on an instance itself to split up traffic for application 1 and application 2).
  • Load balancer configuration 1 is responsible for load balancing requests to application 1 and has a unique external IP.
  • Load balancer configuration 2 is responsible for load balancing requests to application 2 and has a unique external IP.
From what I understand, port mapping isn't possible in GCP's load balancing features, so I cannot run the applications on different ports on the same instance. Therefore I will need the applications to bind to a different address (all of these on the primary network interface). Let's say:
  • Application 1 on instance A is bound on primary internal IP 10.x.0.10
  • Application 2 on instance A is bound on internal alias IP 10.x.0.11
  • Application 1 on instance B is bound on primary internal IP 10.x.0.12
  • Application 2 on instance B is bound on internal alias IP 10.x.0.13
So I would like to figure out a load balancing configuration which can load balance to these applications on these IP addresses. I hope this makes the use case a little bit more clear and concrete.
 

First we should note that target pools are only used by network load balancing.  They are not used by any other type of load balancer.  Internal load balancing, TCP Proxy, SSL Proxy, and HTTP(S) load balancing use backend services instead of target pools.

In the mean time since posting the question I have also tried using backend services, but I have not been able to find a solution for my use case there either.
 

Specific to network load balancing, since the load balancer has an external IP address, and because that type of load balancer is not a proxy, packets are delivered with the destination IP being the external IP of the load balancer itself.  The instances in the target pool are configured to receive those packets by virtue of a NAT mapping performed by the load balancer's forwarding rule. Traffic is then delivered to the primary network interface of the VM.

I assume that the NAT mapping translates the external IP address of the load balancer frontend to the primary internal IP address of the primary network interface of the target instance. I would assume that this is similar to the NAT mapping performed when just using the external IP address assigned to an instance.
 

VMs can only have a single network interface per VPC network, and load balancing only delivers packets to the primary network interface of a VM.

That is good to see confirmed. I had also experimented with additional network interfaces but also wasn't able to target those in a load balancing configuration.
 

Alias IP is a means by which you can assign additional internal IP addresses to a network interface (including the primary network interface).

But alias IP is irrelevant here since the external IP of the network load balancer is the destination of the packet.  We deliver that packet to the primary network interface of the VM, regardless of what internal IP address that interface has, or whether it has alias IP addresses.

"regardless of what internal IP address that interface has" This sounds illogical to me. Since you say the external IP is mapped using NAT, there must be an IP used that is different from the external IP address. My assumption is that the logic of GCP's forwarding rule looks at the available instances of the target pool, takes the primary assigned internal IP address of one, and uses that in the network address translation to change the packets it delivers to that specific instance.

So, yeah, in a sense, the packet is delivered regardless of which actual internal IP address is assigned as the primary internal IP address, but which IP that is does have an impact on the content of that packet. Maybe I just interpret that part of your sentence in a different way than you intended. Regardless, could you confirm that my thinking of the logic performed in the forwarding rule is similar to what is actually done?
 

I would like to clarify two things here:
- network interfaces
- IP addresses per interface

Alias IP does not give the VM multiple network interfaces.  It just adds more internal IPs to the primary network interface.  But you don't need an internal IP for network load balancing.  You need an external IP, and that's set up when you create the forwarding rule for the load balancer itself.

Thank you for further clarifying.

Gerrit DeWitt

Sep 21, 2018, 7:13:17 PM
to gce-discussion
Hi Freark, would this be a concrete example of what you're trying to accomplish?

* Application 1 has an external IP address of 198.51.100.2 and is available to external customers on http://198.51.100.2:80.
* Application 2 has an external IP address of 198.51.100.3 and is available to external customers on http://198.51.100.3:80.

VMs in an instance group are running Applications 1 and 2 on internal ports like:
* Application 1 runs on port 8081.
* Application 2 runs on port 8082.

It's true that GCP Network Load Balancing and GCP Internal Load Balancing do not support port mapping because neither of those load balancers are proxies; they're both “pass through” load balancers.  Whatever ports are set on the forwarding rule are used on the instance.

We do have three types of load balancers that act as proxies, and these do support accepting traffic on ports that are different from the ports to which the traffic is delivered on the backend.  Our current proxy based load balancer offerings are:

- HTTP(S) Load Balancing: Forwarding rules accept traffic on ports 80 and 443
- SSL Proxy Load Balancing: Forwarding rules accept traffic on these ports: 25, 43, 110, 143, 195, 443, 465, 587, 700, 993, 995, 1883, 5222
- TCP Proxy Load Balancing: Forwarding rules accept traffic on these ports: 25, 43, 110, 143, 195, 443, 465, 587, 700, 993, 995, 1883, 5222

If you can use those ports as your “inputs,” you can direct traffic to arbitrary TCP ports on the backend instances.  To do this:

- For the instance group, you configure one or more named ports[1].  Each named port maps a name of your choice to a TCP port number.
You could, for example, set two named ports on the same instance group, one named port for each application:
Named Port: app-1, Port: TCP 8081
Named Port: app-2, Port: TCP 8082

- For each backend service (all three of the proxy load balancers listed above use backend services), you “subscribe to” a named port [2].
One backend service on the first load balancer uses the named port app-1.
One backend service on the second load balancer uses the named port app-2.

For HTTP(S) Load Balancing, it's possible to have multiple backend services attached to the same URL map.  The URL map is effectively the main configuration for the load balancer.  For all other types of load balancers that use backend services, including TCP Proxy and SSL Proxy, “the load balancer” is to one and only one backend service, though it might have multiple forwarding rules that point to it.

I hope this helps clarify a few things!

References:
2: --port-name flag:
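The named-port and port-acceptance rules Gerrit lays out above, together with Freark's "never the same IP+port" requirement, can be checked before anything is deployed. The following is an added example, not code from this thread or from Google: a small model in which a pass-through load balancer (network or internal) delivers traffic on exactly the forwarding rule's port, while a proxy load balancer resolves a backend service's named port against its instance group and only accepts the frontend ports quoted in the thread. The instance-group and backend-service names, the 10.0.0.x addresses, and the port lists are constructed from the thread (the accepted-port sets are copied as stated there, not from current documentation).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Frontend ports the proxy load balancers accept, as listed in the thread.
# Constructed for this example; check current documentation before relying on them.
_PROXY_PORTS: Set[int] = {25, 43, 110, 143, 195, 443, 465, 587, 700, 993, 995, 1883, 5222}
ACCEPTED_FRONTEND_PORTS: Dict[str, Set[int]] = {
    "HTTP(S)": {80, 443},
    "SSL_PROXY": set(_PROXY_PORTS),
    "TCP_PROXY": set(_PROXY_PORTS),
}
# Pass-through load balancers: no proxy, so no port mapping is possible.
PASS_THROUGH: Set[str] = {"NETWORK", "INTERNAL"}


@dataclass(frozen=True)
class InstanceGroup:
    name: str
    named_ports: Dict[str, int]  # named port -> TCP port, e.g. {"app-1": 8081}


@dataclass(frozen=True)
class BackendService:
    name: str
    group: InstanceGroup
    port_name: str  # the named port this backend service "subscribes to"

    def backend_port(self) -> int:
        """Resolve the named port against the instance group's mapping."""
        try:
            return self.group.named_ports[self.port_name]
        except KeyError:
            raise ValueError(
                f"{self.name}: instance group {self.group.name} has no named port {self.port_name!r}"
            ) from None


def is_accepted_frontend_port(lb_type: str, port: int) -> bool:
    """True if a forwarding rule of this load balancer type may listen on `port`."""
    if lb_type in PASS_THROUGH:
        return True  # pass-through forwarding rules may carry any port
    return port in ACCEPTED_FRONTEND_PORTS.get(lb_type, set())


def resolve_backend_port(lb_type: str, frontend_port: int,
                         backend: Optional[BackendService] = None) -> int:
    """Return the TCP port the instances must listen on for this forwarding rule."""
    if lb_type not in PASS_THROUGH and lb_type not in ACCEPTED_FRONTEND_PORTS:
        raise ValueError(f"unknown load balancer type {lb_type!r}")
    if not is_accepted_frontend_port(lb_type, frontend_port):
        raise ValueError(f"{lb_type}: forwarding rules cannot accept port {frontend_port}")
    if lb_type in PASS_THROUGH:
        # Whatever port is set on the forwarding rule is used on the instance.
        return frontend_port
    if backend is None:
        raise ValueError(f"{lb_type}: a proxy load balancer delivers to a backend service")
    return backend.backend_port()


def find_shared_bindings(bindings: List[Tuple[str, str, int, str]]) -> List[Tuple[str, int]]:
    """Given (instance, ip, port, application) bindings, return the (ip, port)
    pairs that more than one application would occupy, i.e. violations of the
    'never the same IP+port' requirement."""
    apps_by_socket: Dict[Tuple[str, int], Set[str]] = {}
    for _instance, ip, port, app in bindings:
        apps_by_socket.setdefault((ip, port), set()).add(app)
    return sorted(sock for sock, apps in apps_by_socket.items() if len(apps) > 1)


def plan_two_apps(lb_type: str, frontend_port: int) -> List[Tuple[str, int]]:
    """Plan both applications on instance A behind two forwarding rules of the same
    type and frontend port, and report any IP+port the two apps would have to share."""
    group = InstanceGroup("ig-apps", {"app-1": 8081, "app-2": 8082})
    bs1 = BackendService("bs-app-1", group, "app-1")
    bs2 = BackendService("bs-app-2", group, "app-2")
    port1 = resolve_backend_port(lb_type, frontend_port, bs1)
    port2 = resolve_backend_port(lb_type, frontend_port, bs2)
    primary_ip = "10.0.0.10"  # constructed primary internal IP of instance A
    return find_shared_bindings([
        ("instance-a", primary_ip, port1, "app-1"),
        ("instance-a", primary_ip, port2, "app-2"),
    ])


if __name__ == "__main__":
    # Pass-through on port 80: both apps must bind 10.0.0.10:80, which the requirement forbids.
    print("NETWORK/80 conflicts:", plan_two_apps("NETWORK", 80))
    # TCP proxy on 443: named ports deliver app-1 to 8081 and app-2 to 8082, no conflict.
    print("TCP_PROXY/443 conflicts:", plan_two_apps("TCP_PROXY", 443))
    try:
        plan_two_apps("TCP_PROXY", 80)  # 80 is not in the TCP Proxy list quoted above
    except ValueError as err:
        print("rejected:", err)
```

The point of the model is the split Gerrit describes: with a pass-through load balancer the only way to give two applications different external IPs on port 80 is to have each bind port 80 on its own internal address, whereas with a proxy load balancer the frontend port is decoupled from the backend port through the named port, so both applications can share the primary internal IP on distinct ports.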

Piotr Ziobrzynski

Jul 7, 2021, 9:32:32 AM
to gce-discussion
Mohibul,

I like your description of the task at hand.  I have exactly the same situation with the GCP NetApp VM running internal SVMs (storage virtual machines) using aliased IP on the primary interface.  I need to load balance storage traffic of NFS/CIFS to those internal aliased IPs.  Have you ever figured out the GCP ILB configuration for that?

The task of implementing an ILB like that seems so basic: allocate ILB with the service IP, create a group of IPs to send the traffic to regardless if they are primary IP on the interface or the alias IP.  Adding tcp/udp ports to the IPs would also be good :-)

Best,
Peter

Tariq (Google Cloud Support)

Jul 12, 2021, 11:06:38 AM
to gce-discussion
It is worth mentioning that Google Groups is a place for non-technical how-to questions (where you're likely to find information like service status updates and release notes, and ranging from book recommendations to creative shortcuts) [1].

Therefore, I would recommend that you consider reaching out to Stack Exchange sites [2] (e.g. Server Fault [3] or Stack Overflow [4]), where Google also participates, which can help you find answers and troubleshoot problems.

If you find any indication of a GCP specific issue, you may consider reporting [5] the issue with Issue Tracker with all the details [6] (omitting PII/sensitive information). You may also file a case with the GCP Support [7] and we will be more than happy to help.

[2] Ask Technical Questions on Stack Exchange Sites: https://cloud.google.com/support/docs/stackexchange
[3] Server Fault (A question and answer site for deploying and managing IT platforms): https://serverfault.com/questions/tagged/google-cloud-platform
[4] Stack Overflow (A question and answer site for programmers): https://stackoverflow.com/questions/tagged/google-cloud-platform
[6] Report Issues with Issue Trackers: https://cloud.google.com/support/docs/issue-trackers
