Scenario:
I have a Google Compute Engine instance exposing a web application via HTTP port 80 and I can access it directly using an external IP address.
Then, I added an HTTP load balancer with a health check and afterwards, I could access the web application via the load balancer without any problem.
Now, if I remove the external IP address of the compute instance, the health check of the load balancer starts failing. I read [1] and added a firewall rule to allow health check probes coming from addresses in the ranges 130.211.0.0/22 and 35.191.0.0/16 but still the health check is failing.
If I add the external IP address back to the compute instance, health check becomes active. What I require here is to remove the public IP address of the compute instance and only expose the load balancer IP address to the internet.
Question:
Is it mandatory to have an external IP address on Google Cloud Compute Engine instances for routing traffic via a Google Cloud HTTP load balancer? If not, may I know how to route HTTP traffic to compute instances using an HTTP load balancer without having an external IP address on the compute instances? Appreciate your thoughts on this.
[1] https://cloud.google.com/compute/docs/load-balancing/health-checks
I contacted Google Cloud support team on this matter and found that external IP addresses are required for routing HTTP traffic from the HTTP load balancer to the Compute Engine instances.
The only possible solution here might be to apply firewall rules and block direct access to VMs according to the current design.
As per the public documentation:
HTTP(S) load balancing makes use of the targets' internal IPs, not their external IPs.
Therefore, you do NOT need the external IP.
Actually, that section explains how to remove the external IPs of the backends behind the load balancer while keeping at least one instance in the same network with an external IP. This lets you SSH to the instance with the external IP and then SSH from that instance to the load-balanced instances via their internal IPs.
This scenario should work with the HTTP(S) load balancer (Layer 7). If you are using the network load balancer (Layer 3), then you need the external IP and you need to allow health check probes not only from 35.191.0.0/16 but also from 209.85.152.0/22 and 209.85.204.0/22 as explained here.
The VMs behind the load balancer do not need public IP addresses. I have a setup running without public IP addresses on the backend, and I opened up the firewall rules from the load balancer addresses for health checks.
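A recurring point in the question and the answers above is that once the backends lose their external IPs, the only thing that still has to reach them is the health-check probe traffic, and a firewall rule must admit it from the documented probe ranges (130.211.0.0/22 and 35.191.0.0/16 for the HTTP(S) load balancer; per the network load balancer answer, 35.191.0.0/16 plus 209.85.152.0/22 and 209.85.204.0/22). The script below is an added example, not code from the thread or from Google: it takes a simplified, hypothetical rendering of VPC firewall rules (only the `direction`, `disabled`, `sourceRanges`, `allowed` and `targetTags` fields are modelled, in the shape `gcloud compute firewall-rules describe` uses) and reports which probe ranges are not admitted on the backend port for an instance with a given set of network tags. The sample rules are constructed for the example. It goes slightly beyond the thread by also checking the port, the instance tag match, and disabled rules, which are the usual reasons a rule that "looks right" still leaves the health check failing.

```python
"""Check whether VPC firewall rules admit Google Cloud health-check probes
to a load-balanced backend on a given port.

Added example, not part of the original thread. The rule dicts are a
simplified, hypothetical rendering of the GCP firewall resource; only the
fields used below are modelled.
"""
import ipaddress

# Probe source ranges as quoted in the thread (from the health-check docs).
PROBE_RANGES = {
    "http": ["130.211.0.0/22", "35.191.0.0/16"],
    "network": ["35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22"],
}

# Constructed sample rules: the rule the question describes plus an
# unrelated SSH rule restricted to a (documentation-only) corporate range.
SAMPLE_RULES = [
    {
        "name": "allow-lb-health-checks",
        "direction": "INGRESS",
        "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"],
        "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}],
        "targetTags": ["web-backend"],
    },
    {
        "name": "allow-ssh-corp",
        "direction": "INGRESS",
        "sourceRanges": ["203.0.113.0/24"],
        "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
    },
]


def _rule_allows_port(rule, port, proto="tcp"):
    """True if any 'allowed' entry permits `proto` on `port`.

    An entry without a 'ports' list allows every port of that protocol;
    a port spec may be a single port ("80") or a range ("8000-8080").
    """
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol") not in (proto, "all"):
            continue
        ports = entry.get("ports")
        if not ports:
            return True
        for spec in ports:
            lo, _, hi = spec.partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
    return False


def _rule_applies_to(rule, instance_tags):
    """A rule with no targetTags applies to every instance in the network."""
    tags = rule.get("targetTags")
    return not tags or bool(set(tags) & set(instance_tags))


def uncovered_probe_ranges(rules, instance_tags, port=80, lb_type="http"):
    """Return the probe ranges that no enabled INGRESS rule admits on `port`.

    Simplification: a probe range counts as covered only if a single rule's
    source range contains it entirely (e.g. the range itself or 0.0.0.0/0);
    coverage stitched together from several narrower rules is not detected.
    """
    missing = []
    for probe in PROBE_RANGES[lb_type]:
        probe_net = ipaddress.ip_network(probe)
        covered = False
        for rule in rules:
            if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
                continue
            if not _rule_applies_to(rule, instance_tags):
                continue
            if not _rule_allows_port(rule, port):
                continue
            for src in rule.get("sourceRanges", []):
                if probe_net.subnet_of(ipaddress.ip_network(src)):
                    covered = True
                    break
            if covered:
                break
        if not covered:
            missing.append(probe)
    return missing


if __name__ == "__main__":
    # Backend tagged like the rule: nothing missing for the HTTP(S) LB.
    print("http, tagged:", uncovered_probe_ranges(SAMPLE_RULES, ["web-backend"]))
    # Same rules, but a backend without the tag: every probe range is blocked.
    print("http, untagged:", uncovered_probe_ranges(SAMPLE_RULES, ["db"]))
    # Network LB needs two further ranges that the sample rule does not allow.
    print("network:", uncovered_probe_ranges(SAMPLE_RULES, ["web-backend"], lb_type="network"))
```

An empty list means every probe range for that load balancer type is admitted; anything returned is a range to add to `sourceRanges` (or a tag or port mismatch to fix) before removing the backends' external IPs.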