Google Cloud Networking Services Cheat Sheet

Virtual Private Cloud

  • Virtual Private Cloud (VPC) provides networking functionality for the cloud-based resources and services that is global, scalable, and flexible.
  • VPC networks are global resources, including the associated routes and firewall rules, and are not associated with any particular region or zone.
  • Subnets are regional resources and each subnet defines a range of IP addresses
  • IPv6 Support
    • VPC networks support dual-stack (IPv4 and IPv6) subnets in custom-mode VPC networks.
    • IPv6 functionality is available only in Premium Tier.
    • Supports both external (GUA – Globally Unique Addresses) and internal (ULA – Unique Local Addresses) IPv6 ranges.
    • VMs can have IPv4-only, dual-stack, or IPv6-only interfaces.
  • Cloud NGFW (Next Generation Firewall)
    • replaces legacy VPC firewall rules with network firewall policies.
    • protects workloads by applying controls at Layer 3, Layer 4, and Layer 7 of the network stack.
    • available in three tiers:
      • Essentials – rules based on IP ranges, ports, and protocols
      • Standard – adds FQDN objects, geo-location objects, and threat intelligence
      • Enterprise – adds Intrusion Detection and Prevention Service (IPS) powered by Palo Alto Networks, TLS inspection
    • Google recommends migrating from legacy VPC firewall rules to Cloud NGFW network firewall policies.
    • Network firewall policies can be attached to a single VPC or group of VPCs (unlike legacy VPC firewall rules which apply to a single VPC only).
  • Resources within a VPC network can communicate with one another by using internal IPv4 addresses, subject to applicable network firewall rules.
  • Private access options for services allow instances with internal IP addresses to communicate with Google APIs and services.
  • Private Service Connect (PSC)
    • allows consumers to access managed services privately from inside their VPC network.
    • allows managed service producers to host services in their own separate VPC networks and offer a private connection to consumers.
    • creates service endpoints in consumer VPCs that provide private connectivity and policy enforcement.
  • Shared VPC to keep a VPC network in a common host project shared with service projects. Authorized IAM members from other projects in the same organization can create resources that use subnets of the Shared VPC network
  • VPC Network Peering allows VPC networks to be connected with other VPC networks in different projects or organizations.
  • VPC networks can be securely connected in hybrid environments by using Cloud VPN or Cloud Interconnect.
  • Primary and Secondary IP address cannot overlap with the on-premises CIDR
  • VPC Flow Logs records a sample of network flows sent from and received by VM instances, including instances used as GKE nodes.

Cloud Load Balancing

  • Cloud Load Balancing is a fully distributed, software-defined managed load balancing service
  • distributes user traffic across multiple instances of the applications and reduces the risk of performance issues by spreading the load
  • provides health checking mechanisms that determine if backends, such as instance groups and zonal network endpoint groups (NEGs), are healthy and properly respond to traffic.
  • supports IPv6 clients with Application Load Balancers and proxy Network Load Balancers.
  • Note: Google Cloud has renamed load balancer types. HTTP(S) Load Balancing is now Application Load Balancer, TCP/UDP Load Balancing is now passthrough Network Load Balancer, and SSL Proxy/TCP Proxy are now proxy Network Load Balancer.
  • supports multiple Cloud Load Balancing types
    • Internal Application Load Balancer (formerly Internal HTTP(S) Load Balancing)
      • is a proxy-based, regional Layer 7 load balancer that enables running and scaling services behind an internal IP address.
      • also available as a cross-region internal Application Load Balancer for multi-region backends with automatic failover.
      • supports a regional backend service, which distributes HTTP and HTTPS requests to healthy backends (either instance groups containing CE VMs or NEGs containing GKE containers).
      • supports path based routing
      • preserves the Host header of the original client request and also appends two IP addresses (Client and LB) to the X-Forwarded-For header
      • supports a regional health check that periodically monitors the readiness of the backends.
      • has native support for the WebSocket protocol when using HTTP or HTTPS as the protocol to the backend
    • External Application Load Balancer (formerly External HTTP(S) Load Balancing)
      • is a global, proxy-based Layer 7 load balancer that enables running and scaling the services worldwide behind a single external IP address
      • distributes HTTP and HTTPS traffic to backends hosted on Compute Engine and GKE
      • offers global (cross-regional) and regional load balancing
      • supports content-based load balancing using URL maps
      • preserves the Host header of the original client request and also appends two IP addresses (Client and LB) to the X-Forwarded-For header
      • supports connection draining on backend services
      • has native support for the WebSocket protocol when using HTTP or HTTPS as the protocol to the backend
      • supports mutual TLS (mTLS) authentication for client certificate-based authentication.
    • Internal passthrough Network Load Balancer (formerly Internal TCP/UDP Load Balancing)
      • is a managed, internal, pass-through, regional Layer 4 load balancer that enables running and scaling services behind an internal IP address
      • distributes traffic among VM instances in the same region in a Virtual Private Cloud (VPC) network by using an internal IP address.
      • provides high-performance, pass-through Layer 4 load balancer for TCP or UDP traffic.
      • routes original connections directly from clients to the healthy backends, without any interruption.
      • does not terminate SSL traffic and SSL traffic can be terminated by the backends instead of by the load balancer
      • provides access through VPC Network Peering, Cloud VPN or Cloud Interconnect
      • supports health check that periodically monitors the readiness of the backends.
    • External passthrough Network Load Balancer (formerly External TCP/UDP Network Load Balancing)
      • is a managed, external, pass-through, regional Layer 4 load balancer that distributes TCP or UDP traffic originating from the internet to among VM instances in the same region
      • Load-balanced packets are received by backend VMs with their source IP unchanged.
      • Load-balanced connections are terminated by the backend VMs. Responses from the backend VMs go directly to the clients, not back through the load balancer (direct server return).
      • scope of a network load balancer is regional, not global. A network load balancer cannot span multiple regions. Within a single region, the load balancer services all zones.
      • supports connection tracking table and a configurable consistent hashing algorithm to determine how traffic is distributed to backend VMs.
      • supports additional protocols like UDP, ESP, GRE, ICMP, and ICMPv6.
    • External proxy Network Load Balancer (formerly External SSL Proxy and TCP Proxy Load Balancing)
      • is a reverse proxy load balancer that distributes SSL or TCP traffic coming from the internet to VM instances in the VPC network.
      • with SSL traffic, user SSL (TLS) connections are terminated at the load balancing layer, and then proxied to the closest available backend instances by using either SSL (recommended) or TCP.
      • supports global load balancing service with the Premium Tier and regional load balancing service with the Standard Tier
      • is intended for non-HTTP(S) traffic. For HTTP(S) traffic, use Application Load Balancers.
      • supports proxy protocol header to preserve the original source IP addresses of incoming connections to the load balancer

Cloud CDN

  • Cloud CDN is Google Cloud’s web acceleration solution that caches website and application content closer to the user.
  • uses Google’s global edge network to serve content closer to users, which accelerates the websites and applications.
  • works with the global external Application Load Balancer or the classic Application Load Balancer to deliver content to users
  • Cloud CDN content can be sourced from various types of backends
    • Instance groups
    • Zonal network endpoint groups (NEGs)
    • Serverless NEGs: One or more App Engine, Cloud Run, or Cloud Functions services
    • Internet NEGs, for endpoints that are outside of Google Cloud (also known as custom origins)
    • Buckets in Cloud Storage
  • supports content targeting (GA) — enables device characterization and geo-targeting for responsive websites, language customization, and currency settings.
  • Cloud CDN with Google Cloud Armor enforces security policies only for requests for dynamic content, cache misses, or other requests that are destined for the origin server. Cache hits are served even if the downstream Google Cloud Armor security policy would prevent that request from reaching the origin server.
  • recommends
    • using versioning instead of cache invalidation
    • using custom keys to improve cache hit ratio
    • cache static content
  • Media CDN
    • is Google Cloud’s media delivery solution, complementing Cloud CDN.
    • optimized for high-throughput egress workloads, such as streaming video and large file downloads.
    • uses YouTube’s infrastructure to bring video streams (VoD and live) and large file downloads closer to users.
    • supports Cloud Armor edge security policies for DDoS protection.

Cloud VPN

  • securely connects the peer network to the VPC network or two VPCs through an IPsec VPN connection.
  • encrypts the data as it travels over the internet.
  • only supports site-to-site IPsec VPN connectivity and not client-to-gateway scenarios. Cannot be used to route traffic to the public internet.
  • allows users to access private RFC1918 addresses on resources in the VPC from on-prem computers also using private RFC1918 addresses.
  • can be used with Private Google Access for on-premises hosts
  • HA VPN
    • provides a high-available and secure connection between the on-premises and the VPC network through an IPsec VPN connection in a single region
    • provides an SLA of 99.99% service availability, when configured with two interfaces and two external IP addresses.
    • supports IPv6 (dual-stack) tunnels for both inner and outer IP addresses.
    • supports customizable cipher options for VPN tunnels.
  • Classic VPN
    • provides a 99.9% SLA.
    • Classic VPN dynamic routing (BGP) was deprecated on August 1, 2025. HA VPN is now the only option for BGP connectivity in Cloud VPN. Existing tunnels continue to function but without an availability SLA. If deleted, they cannot be recreated.
    • Does not support IPv6 traffic.
  • HA VPN over Cloud Interconnect
    • allows encrypting traffic traversing Dedicated or Partner Interconnect connections.
    • deploys HA VPN tunnels over VLAN attachments for additional security and compliance.
    • Each HA VPN tunnel has a bandwidth of 3 Gbps.
  • supports up to 3Gbps per tunnel with a maximum of 8 tunnels
  • supports static as well as dynamic routing using Cloud Router
  • supports IKEv1 or IKEv2 using a shared secret

Cloud Interconnect

  • Cloud Interconnect provides options for extending the on-premises network to the VPC networks in Google Cloud.
  • Dedicated Interconnect (Dedicated connection)
    • provides a direct physical connection between the on-premises network and Google’s network
    • requires your network to physically meet Google’s network in a colocation facility with your own routing equipment
    • supports only dynamic routing
    • supports 10 Gbps, 100 Gbps, and 400 Gbps circuits.
  • Partner Interconnect (Use a service provider)
    • provides connectivity between the on-premises and VPC networks through a supported service provider.
    • supports bandwidth from 50 Mbps minimum to 50 Gbps maximum.
    • provides Layer 2 and Layer 3 connectivity
      • For Layer 2 connections, you must configure and establish a BGP session between the Cloud Routers and on-premises routers for each created VLAN attachment
      • For Layer 3 connections, the service provider establishes a BGP session between the Cloud Routers and their edge routers for each VLAN attachment.
  • Cross-Cloud Interconnect
    • provides dedicated, private connectivity between Google Cloud and another cloud provider (AWS, Azure, OCI, Alibaba Cloud).
    • offers 10 Gbps or 100 Gbps managed, encrypted links.
    • supports security options such as IPsec VPN or MACsec.
    • Partner Cross-Cloud Interconnect (for AWS) provides an on-demand method for establishing cross-cloud transport without manually setting up networking components.
  • Cross-Site Interconnect
    • is a transparent, on-demand, Layer 2 connectivity solution between on-premises network sites.
    • leverages Google’s global infrastructure for high-performance and high-bandwidth connectivity.
  • Single Interconnect connection does not offer redundancy or high availability and its recommended to
    • use 2 in the same metropolitan area (city) as the existing one, but in a different edge availability domain (metro availability zone).
    • use 4 with 2 connections in two different metropolitan areas (city), and each connection in a different edge availability domain (metro availability zone)
    • Cloud Routers are required one in each Google Cloud region
  • Cloud Interconnect does not encrypt the connection between your network and Google’s network. For additional security, use HA VPN over Cloud Interconnect or application-level encryption.

Cloud Router

  • is a fully distributed, managed service that provides dynamic routing and scales with the network traffic.
  • works with both legacy networks and VPC networks.
  • isn’t supported for Direct Peering or Carrier Peering connections.
  • helps dynamically exchange routes between the Google Cloud networks and the on-premises network.
  • peers with the on-premises VPN gateway or router to provide dynamic routing and exchanges topology information through BGP.
  • Google Cloud recommends creating two Cloud Routers in each region for a Cloud Interconnect for 99.99% availability.
  • supports following dynamic routing mode
    • Regional routing mode – provides visibility to resources only in the defined region.
    • Global routing mode – provides visibility to resources in all regions
  • is part of the Network Connectivity Center, which provides a hub-and-spoke model for managing connectivity across VPC networks, on-premises, and other clouds.

Network Connectivity Center

  • provides a hub-and-spoke model for managing network connectivity at scale.
  • enables site-to-site data transfer between on-premises locations through Google’s network.
  • supports VPC spokes, hybrid spokes (VPN/Interconnect), and router appliance spokes.
  • solves transitivity challenges through features like producer VPC spoke integration supporting Private Service Access (PSA) and Private Service Connect (PSC) propagation.
  • uses ECMP routing and BGP for route distribution between networks.

Cloud DNS

  • is a high-performance, resilient, reliable, low-latency, global DNS service that publishes the domain names to the global DNS in a cost-effective way.
  • With Shared VPC, Cloud DNS managed private zone, Cloud DNS peering zone, or Cloud DNS forwarding zone must be created in the host project
  • provides Private Zone which supports DNS services for a GCP project. VPCs in the same project can use the same name servers
  • supports DNS Forwarding for Private Zones, which overrides normal DNS resolution for the specified zones. Queries for the specified zones are forwarded to the listed forwarding targets.
  • supports DNS Peering, which allows sending requests for records that come from one zone’s namespace to another VPC network within GCP
  • supports DNS Outbound Policy, which forwards all DNS requests for a VPC network to the specified server targets. It disables internal DNS for the selected networks.
  • DNS Routing Policies
    • supports weighted round robin, geolocation, and failover routing policies.
    • can be configured with health checks for automatic failover.
    • supports internal passthrough Network Load Balancers and internal proxy Network Load Balancers as health checked targets.
  • Cloud DNS VPC Name Resolution Order
    • DNS Outbound Server Policy
    • DNS Forwarding Zone
    • DNS Peering
    • Compute Engine internal DNS
    • Public Zones
  • supports DNSSEC, a feature of DNS, that authenticates responses to domain name lookups and protects the domains from spoofing and cache poisoning attacks

Related Posts

Google Cloud Load Balancing – ALB, NLB & Proxy

Google Cloud Load Balancing

📢 Important Naming Update (2023-2024)

Google Cloud has rebranded all Cloud Load Balancing products. The older names (HTTP(S) Load Balancing, SSL Proxy, TCP Proxy, Network Load Balancing) are now replaced with the new naming convention:

  • Application Load Balancer (formerly HTTP/S Load Balancing) — Layer 7
  • Proxy Network Load Balancer (formerly SSL Proxy & TCP Proxy Load Balancing) — Layer 4 proxy-based
  • Passthrough Network Load Balancer (formerly TCP/UDP Network Load Balancing) — Layer 4 passthrough

The older names may still appear in some documentation and exam questions.

  • Cloud Load Balancing distributes user traffic across multiple instances of applications, reducing the risk of performance issues by spreading the load.
  • Cloud Load Balancing helps serve content as close as possible to users on a system that can respond to over one million queries per second.
  • Cloud Load Balancing is a fully distributed, software-defined managed service. It isn’t hardware-based and there is no need to manage a physical load balancing infrastructure.
  • Google Cloud load balancers are built on the same frontend-serving infrastructure that powers Google’s own services (Search, Gmail, YouTube).

Cloud Load Balancing — Current Product Family (Updated Naming)

Load Balancer Type Previous Name Layer Proxy/Passthrough
Application Load Balancer HTTP(S) Load Balancing Layer 7 Proxy
Proxy Network Load Balancer SSL Proxy / TCP Proxy Load Balancing Layer 4 Proxy
Passthrough Network Load Balancer TCP/UDP Network Load Balancing Layer 4 Passthrough

Cloud Load Balancing Features

External versus Internal Load Balancing

  • External load balancing
    • for internet-facing applications
    • Types
      • External Application Load Balancer (formerly External HTTP/S LB) — Global, Classic, or Regional modes
      • External Proxy Network Load Balancer (formerly SSL Proxy & TCP Proxy LB) — Global, Classic, or Regional modes
      • External Passthrough Network Load Balancer (formerly External TCP/UDP Network LB) — Regional only
  • Internal load balancing
    • for internal clients inside of Google Cloud VPC networks
    • Types
      • Internal Application Load Balancer (formerly Internal HTTP/S LB) — Cross-region or Regional modes
      • Internal Proxy Network Load Balancer (formerly Internal TCP Proxy) — Cross-region or Regional modes
      • Internal Passthrough Network Load Balancer (formerly Internal TCP/UDP Network LB) — Regional only

Global versus Regional Load Balancing

  • Regional load balancing
    • for single-region applications
    • supports IPv4 and IPv6 (Preview for some types)
    • Types
      • Regional External Application Load Balancer
      • Regional Internal Application Load Balancer
      • Regional External Proxy Network Load Balancer
      • Regional Internal Proxy Network Load Balancer
      • External Passthrough Network Load Balancer
      • Internal Passthrough Network Load Balancer
  • Global load balancing
    • for globally distributed applications
    • provides access using a single anycast IP address
    • supports IPv4 and IPv6 termination
    • requires Premium Tier of Network Service Tiers
    • Types
      • Global External Application Load Balancer (Premium Tier)
      • Classic Application Load Balancer (Premium Tier, global; Standard Tier, regional)
      • Global External Proxy Network Load Balancer (Premium Tier)
      • Cross-region Internal Application Load Balancer
      • Cross-region Internal Proxy Network Load Balancer

Passthrough vs Proxy-based Load Balancing

  • Proxy-based load balancing
    • acts as a proxy performing address and port translation and terminating the request before forwarding to the backend service
    • clients and backends interact with the load balancer
    • original client IP, port, and protocol is forwarded using X-Forwarded-For headers
    • automatically all proxy-based external load balancers inherit DDoS protection from Google Front Ends (GFEs)
    • Google Cloud Armor can be configured for Application Load Balancers
    • Types
      • Application Load Balancers (all modes — external and internal)
      • Proxy Network Load Balancers (all modes — external and internal)
  • Passthrough load balancing
    • does not terminate client connections; packets are passed unchanged to the backend
    • preserves client source IP address
    • supports additional protocols like UDP, ESP, and ICMP
    • Types
      • External Passthrough Network Load Balancer
      • Internal Passthrough Network Load Balancer

Layer 4 vs Layer 7

  • Layer 4-based load balancing
    • directs traffic based on data from network and transport layer protocols, such as IP address and TCP or UDP port
    • Types: Proxy Network Load Balancers and Passthrough Network Load Balancers
  • Layer 7-based load balancing
    • adds content-based routing decisions based on attributes, such as the HTTP header, URL path, cookies, and query parameters
    • Types: Application Load Balancers

Traffic type

  • For HTTP and HTTPS traffic, use:
    • External Application Load Balancer
    • Internal Application Load Balancer
  • For TCP traffic (with proxy), use:
    • External Proxy Network Load Balancer
    • Internal Proxy Network Load Balancer
  • For TCP/UDP traffic (passthrough), use:
    • External Passthrough Network Load Balancer
    • Internal Passthrough Network Load Balancer
  • For SSL offload, use:
    • External Proxy Network Load Balancer (with SSL)

Application Load Balancer Modes

  • Global External Application Load Balancer
    • Implemented on Google Front Ends (GFEs) using Envoy proxy
    • Supports advanced traffic management (traffic mirroring, weight-based splitting, header transformations)
    • Uses EXTERNAL_MANAGED load balancing scheme
    • Premium Tier only
    • Supports Cloud CDN, Cloud Armor, and Service Extensions
  • Classic Application Load Balancer
    • The legacy external Application Load Balancer on GFEs
    • Global in Premium Tier, regional in Standard Tier
    • Uses EXTERNAL load balancing scheme
    • Fewer advanced traffic management features than the global variant
    • Google recommends migrating to the Global External Application Load Balancer
  • Regional External Application Load Balancer
    • Implemented on open-source Envoy proxy
    • Supports advanced traffic management
    • Requires proxy-only subnet
    • Uses EXTERNAL_MANAGED load balancing scheme
    • Available in Premium or Standard Tier
  • Cross-region Internal Application Load Balancer
    • Distributes traffic to globally distributed internal backends
    • Supports global access and global backends
  • Regional Internal Application Load Balancer
    • Distributes Layer 7 traffic to backends within a single region in a VPC
    • Requires proxy-only subnet

Google Cloud Load Balancing Types

Refer blog post @ Google Cloud Load Balancing Types

Load Balancing Components

Backend Services

  • A backend service distributes requests to healthy backends.
  • Google Cloud supports several types of backends:
    • Instance groups — managed or unmanaged groups of VM instances
    • Zonal NEGs (GCE_VM_IP_PORT) — network endpoint groups in a single zone
    • Serverless NEGs — Cloud Run, App Engine, or Cloud Run functions
    • Internet NEGs — external endpoints outside Google Cloud
    • Hybrid NEGs — on-premises or other cloud backends via hybrid connectivity
    • Private Service Connect NEGs — access published services
    • Cloud Storage buckets — as backend buckets
  • A backend service is either global or regional in scope.
  • Backend service protocol options: HTTP, HTTPS, HTTP/2, H2C (cleartext HTTP/2), gRPC

Forwarding Rules

  • A forwarding rule and its corresponding IP address represent the frontend configuration of a Google Cloud load balancer.
  • Each forwarding rule provides a single IP address (IPv4 or IPv6) for DNS configuration.
  • Forwarding rules can be global or regional depending on the load balancer type.

Health Checks

  • Google Cloud provides health checking mechanisms that determine if backends are healthy and properly respond to traffic.
  • Health checks are global or regional depending on the load balancer type.
  • Each connection attempt is called a probe, and each health check system is called a prober.
  • Backends that respond successfully for the configured number of times are considered healthy; those that fail are marked unhealthy.
  • Supported health check protocols: HTTP, HTTPS, HTTP/2, TCP, SSL, gRPC

IPv6 Termination

  • Application Load Balancers and Proxy Network Load Balancers support IPv6 clients.
  • The load balancer accepts IPv6 connections from users and proxies those connections to backends.
  • Cross-region, regional external, and regional internal Application Load Balancers support terminating IPv6 traffic (Preview).

SSL Certificates

  • Load balancers that use HTTPS or SSL require SSL certificates.
  • Two configuration methods:
    • Compute Engine SSL certificates — self-managed or Google-managed
    • Certificate Manager — recommended approach for advanced certificate management, supports certificate maps, DNS/LB authorization, and wildcard certificates
  • Certificate Manager (2nd gen) — released in 2024/2025, provides centralized management, deployment, and automation of SSL/TLS certificates across organizations
  • Supports multiple SSL certificates per load balancer for multi-domain serving

SSL Policies

  • SSL policies control the SSL features (versions and ciphers) that the load balancer negotiates with clients.
  • Supported on Application Load Balancers and Proxy Network Load Balancers.
  • Predefined profiles: COMPATIBLE, MODERN, RESTRICTED, or CUSTOM

URL Maps

  • URL maps direct requests to a destination based on defined rules.
  • Supports routing based on host, path, headers, cookies, and query parameters.
  • Advanced traffic management: traffic mirroring, weight-based traffic splitting, URL rewrites, URL redirects, header-based routing.

New Features (2023-2026)

HTTP/3 Support (IETF QUIC)

  • HTTP/3 is supported between external Application Load Balancers and clients.
  • Built on IETF QUIC — provides faster connection initiation, eliminates head-of-line blocking, supports connection migration.
  • Advertised via Alt-Svc HTTP response header.
  • Clients automatically fall back to HTTP/2 or HTTPS if HTTP/3 is unavailable.
  • Supported on Global External ALB, Classic ALB (Premium), and Regional External ALB.

Service Extensions (Plugins and Callouts)

  • Service Extensions lets you insert custom logic into the load balancing data path.
  • Plugins — run custom code (e.g., Rust/Wasm) directly in the request/response path with minimal latency.
  • Callouts — send gRPC callouts from the load balancer to external backend services for custom processing.
  • Use cases: custom authentication, header manipulation, request validation, A/B testing logic.
  • Supported on Application Load Balancers.

Authorization Policies

  • Authorization policies (AuthzPolicy) enforce access control on traffic entering load balancers.
  • Define rules specifying source of incoming traffic and permitted/restricted operations.
  • Applied on the forwarding rule of Application Load Balancers.
  • Can delegate authorization to IAP (Identity-Aware Proxy) and IAM.

Backend mTLS and Managed Workload Identity

  • Frontend mTLS — load balancer requests client certificates for mutual authentication.
  • Backend authenticated TLS — load balancer verifies backend server certificates.
  • Backend mTLS — mutual authentication between load balancer and backends.
  • Managed workload identity — automates certificate provisioning and rotation for backend mTLS.

Post-Quantum TLS

  • Google Cloud load balancers support quantum-safe key exchange (X25519MLKEM768 hybrid).
  • Combines NIST ML-KEM standard with traditional encryption for forward-secure TLS connections.
  • Protects against future quantum computing threats (harvest-now, decrypt-later attacks).

TLS 1.3 Early Data (0-RTT)

  • Reduces latency for resumed TLS connections by allowing clients to send data with the initial handshake.
  • Modes: STRICT (safe methods only, no query params), PERMISSIVE (safe methods with query params), DISABLED, UNRESTRICTED.
  • Supported on Global and Classic External Application Load Balancers.
  • Backends must handle potential replay risks with appropriate checks (HTTP 425 Too Early response).

Advanced Load Balancing Optimizations (Service LB Policy)

  • Auto-capacity draining — quickly drains traffic from unhealthy backends.
  • Failover threshold — configurable threshold to determine when failover triggers.
  • Traffic isolation — prevents cascading failures by limiting cross-region traffic overflow.
  • Load balancing algorithms — Waterfall by Region, Waterfall by Zone, Spray to Region.

Cloud Service Mesh Integration

  • Traffic Director has been rebranded to Cloud Service Mesh (GA June 2024).
  • Provides a managed service mesh with Envoy proxies or proxyless gRPC clients.
  • Integrates with Cloud Load Balancing for advanced traffic management.

GCP Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • GCP services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • GCP exam questions are not updated to keep up the pace with GCP updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.

References:

Google Cloud Load Balancing Types Compared [2026 Guide]

Google Cloud Load Balancing Types – Comparison & Decision Guide [2025]

📢 Important Naming Update (2023)

Google Cloud has rebranded all load balancers with a simplified naming convention:

  • Application Load Balancer — previously “HTTP(S) Load Balancing” (Layer 7, proxy-based)
  • Proxy Network Load Balancer — previously “SSL Proxy” and “TCP Proxy Load Balancing” (Layer 4, proxy-based)
  • Passthrough Network Load Balancer — previously “TCP/UDP Network Load Balancing” (Layer 4, passthrough)

This post uses the current naming with references to previous names for clarity.

Google Cloud Load Balancer Summary

Load Balancer Deployment Mode Traffic Type Network Tier
Application Load Balancer Global external HTTP/HTTPS Premium
Regional external HTTP/HTTPS Premium or Standard
Classic HTTP/HTTPS Global in Premium, Regional in Standard
Regional internal HTTP/HTTPS Premium
Cross-region internal HTTP/HTTPS Premium
Proxy Network Load Balancer Global external TCP with optional SSL offload Premium
Regional external TCP Premium or Standard
Classic TCP with optional SSL offload Global in Premium, Regional in Standard
Regional internal TCP (no SSL offload) Premium
Cross-region internal TCP (no SSL offload) Premium
Passthrough Network Load Balancer External (regional) TCP, UDP, ESP, GRE, ICMP, ICMPv6 Premium or Standard
Internal (regional) TCP, UDP, ICMP, ICMPv6, SCTP, ESP, AH, GRE Premium

Google Cloud Load Balancer Comparison

Application Load Balancer — Internal (Regional)

Previously known as: Internal HTTP(S) Load Balancing

  • is a proxy-based, regional Layer 7 load balancer that enables running and scaling services behind an internal IP address.
  • distributes HTTP and HTTPS traffic to backends hosted on Compute Engine, GKE, and Cloud Run
  • is accessible only in the chosen region of the Virtual Private Cloud (VPC) network on an internal IP address.
  • can be made globally accessible by enabling global access on the forwarding rule, allowing clients from any region to access the load balancer.
  • enables rich traffic control capabilities based on HTTP(S) parameters.
  • is a managed service based on the open source Envoy proxy.
  • needs one proxy-only subnet in each region of a VPC network where the internal Application Load Balancer is used. All load balancers in a region and VPC network share the same proxy-only subnet.
  • supports path-based and host-based routing
  • supports advanced traffic management including traffic mirroring, weight-based traffic splitting, and header transformations
  • preserves the Host header of the original client request and also appends two IP addresses (Client and LB) to the X-Forwarded-For header
  • supports backend services distributing requests to healthy backends (instance groups, zonal NEGs, serverless NEGs for Cloud Run, or hybrid NEGs for on-premises backends).
  • supports health checks that periodically monitor the readiness of the backends.
  • if a backend becomes unhealthy, traffic is automatically redirected to healthy backends within the same region.
  • has native support for the WebSocket protocol
  • supports TLS 1.0, 1.1, 1.2, and 1.3 when terminating client SSL requests.
  • supports mutual TLS (mTLS) for client certificate-based authentication (added 2023)
  • supports IPv6 termination (Preview, expanded May 2026)
  • supports access from connected networks via VPC Network Peering, Cloud VPN, or Cloud Interconnect
  • isn’t compatible with the following features:
    • Cloud CDN
    • Cloud Storage buckets — now supported (GA April 2026)

Application Load Balancer — Internal (Cross-Region)

New deployment mode added in 2023

  • is a proxy-based Layer 7 load balancer that distributes HTTP/HTTPS traffic to backends across multiple regions.
  • provides an internal IP address accessible from any region (global access built-in).
  • enables high availability and cross-region failover — if backends in one region go down, traffic fails over to another region gracefully.
  • uses the open source Envoy proxy and supports advanced traffic management.
  • supports backends hosted on Compute Engine, GKE, Cloud Run (serverless NEGs), Cloud Storage (backend buckets), and hybrid NEGs for on-premises backends.
  • supports mutual TLS (mTLS) for frontend and backend authentication.
  • supports IPv6 termination (Preview).
  • ideal for multi-region internal services requiring automatic failover.

Application Load Balancer — External

Previously known as: External HTTP(S) Load Balancing

Available in three deployment modes:

  • Global external — Premium Tier only, uses Envoy proxy, supports advanced traffic management
  • Regional external — Premium or Standard Tier, uses Envoy proxy, provides jurisdictional compliance
  • Classic — Legacy mode using Google Front Ends (GFEs), global in Premium Tier, regional in Standard Tier

Note: Google recommends migrating from Classic to Global external Application Load Balancer for access to new features.

Key Features

  • is a global (or regional), proxy-based Layer 7 load balancer that enables running and scaling services worldwide behind a single external IP address.
  • distributes HTTP and HTTPS traffic to backends hosted on Compute Engine, GKE, Cloud Run, Cloud Storage, and external backends.
  • Global external mode uses Envoy proxy and supports advanced traffic management (traffic mirroring, weight-based splitting, header transformations).
  • Classic mode is implemented on Google Front Ends (GFEs) distributed globally.
    • In Premium Tier, GFEs offer global load balancing
    • With Standard Tier, the load balancing is handled regionally.
  • provides cross-regional or location-based load balancing, directing traffic to the closest healthy backend.
  • supports content-based load balancing using URL maps to select a backend service based on host name, request path, headers, or query parameters.
  • supports the following backend types:
    • Instance groups (managed and unmanaged)
    • Zonal network endpoint groups (NEGs)
    • Serverless NEGs: Cloud Run, App Engine, or Cloud Run functions services
    • Internet NEGs, for endpoints outside of Google Cloud
    • Hybrid NEGs, for on-premises or other cloud backends via Cloud VPN/Interconnect
    • Buckets in Cloud Storage
  • preserves the Host header of the original client request and appends to the X-Forwarded-For header
  • integrates with Cloud CDN for caching responses at edge locations
  • integrates with Google Cloud Armor for DDoS protection and WAF capabilities
  • supports Cloud Load Balancing Autoscaler for backend instance groups
  • supports connection draining on backend services
  • supports Session affinity:
    • NONE — no session affinity
    • Client IP affinity
    • Generated cookie affinity
    • Header field affinity (global external and regional external only)
    • HTTP cookie affinity (global external and regional external only)
  • if a backend becomes unhealthy, traffic is automatically redirected to healthy backends.
  • has native support for the WebSocket protocol and HTTP/2, gRPC
  • supports TLS 1.0, 1.1, 1.2, and 1.3
  • supports mutual TLS (mTLS) for client certificate-based authentication
  • supports SSL policies to control TLS cipher suites and versions
  • supports IPv6 termination
  • supports QUIC protocol (global external and classic modes)
  • supports Service Extensions to inject custom logic into the load balancing path
  • supports Authorization Policies for fine-grained access control

Passthrough Network Load Balancer — Internal

Previously known as: Internal TCP/UDP Load Balancing

  • is a managed, internal, pass-through, regional Layer 4 load balancer that enables running and scaling services behind an internal IP address.
  • distributes traffic among VM instances in the same region in a VPC network by using an internal IP address.
  • supports TCP, UDP, ICMP, ICMPv6, SCTP, ESP, AH, and GRE protocols.
  • routes original connections directly from clients to the healthy backends, without any interruption.
  • Responses from the healthy backend VMs go directly to the clients, not back through the load balancer. TCP responses use direct server return.
  • does not terminate SSL traffic; SSL traffic can be terminated by the backends.
  • Unlike proxy load balancers, it doesn’t terminate connections from clients and then open new connections to backends.
  • provides access through VPC Network Peering, Cloud VPN, or Cloud Interconnect
  • supports global access — when enabled, clients from any region can access the load balancer.
  • supports zonal NEGs with GCE_VM_IP endpoints as backends
  • supports zonal affinity to prefer routing new connections to backends in the same zone as the client (GA May 2026)
  • can be used as next hops for routes, enabling third-party appliance integration
  • supports Session affinity:
    • None: default, effectively same as Client IP, protocol, and port.
    • Client IP: based on client IP and destination IP.
    • Client IP and protocol: based on client IP, destination IP, and protocol.
    • Client IP, protocol, and port: 5-tuple hash (source IP, source port, destination IP, destination port, protocol).
  • UDP protocol doesn’t support sessions; session affinity doesn’t affect UDP traffic.
  • supports health checks (HTTP, HTTPS, HTTP2, TCP, SSL protocols); does not offer UDP health checks but can use TCP-based health checks.
  • supports failover backends that are only used when healthy VMs in primary backends fall below a configurable threshold.
  • supports multiple forwarding rules sharing a common IP address

Passthrough Network Load Balancer — External

Previously known as: External TCP/UDP Network Load Balancing

  • is a managed, external, pass-through, regional Layer 4 load balancer that distributes TCP or UDP traffic from the internet to VM instances in the same region.
  • supports TCP, UDP, ESP, GRE, ICMP, and ICMPv6 protocols.
  • is not a proxy — packets are pass-through:
    • Load-balanced packets are received by backend VMs with their source IP unchanged.
    • Load-balanced connections are terminated by the backend VMs.
    • Responses from the backend VMs go directly to the clients, not back through the load balancer.
    • TCP responses use direct server return.
  • scope is regional, not global. Within a single region, the load balancer services all zones.
  • supports two architectures:
    • Backend service-based (recommended) — uses instance groups or zonal NEGs with GCE_VM_IP endpoints
    • Target pool-based (legacy) — simpler but fewer features
  • supports zonal NEGs with GCE_VM_IP endpoints, enabling forwarding to any network interface (not just nic0)
  • supports weighted load balancing for gradual traffic migration
  • supports regional health checks (HTTP, HTTPS, HTTP2, TCP, SSL); does not offer UDP health checks.
  • supports connection tracking table and configurable consistent hashing algorithm for traffic distribution.
  • supports Session affinity:
    • None: default, effectively same as Client IP, protocol, and port.
    • Client IP: based on client IP and destination IP.
    • Client IP and protocol: based on client IP, destination IP, and protocol.
    • Client IP, protocol, and port: 5-tuple hash.
  • UDP protocol doesn’t support sessions; session affinity doesn’t affect UDP traffic.
  • supports connection draining for established TCP connections.
  • supports failover configuration for high availability.
  • available in Premium or Standard Network Service Tier.

Proxy Network Load Balancer — External (SSL/TCP Proxy)

Previously known as: External SSL Proxy Load Balancing and External TCP Proxy Load Balancing

Available in three deployment modes:

  • Global external — Premium Tier only, supports SSL offload
  • Regional external — Premium or Standard Tier, TCP only (no SSL offload)
  • Classic — Legacy mode, global in Premium Tier, regional in Standard Tier

Key Features

  • is a reverse proxy, Layer 4 load balancer that distributes SSL/TCP traffic from the internet to VM instances.
  • with SSL traffic, supports SSL offload where SSL (TLS) connections are terminated at the load balancing layer, then proxied to backends using SSL or TCP.
  • is intended for non-HTTP(S) traffic. For HTTP(S) traffic, use Application Load Balancer.
  • Global mode uses a single IP address for all users worldwide and automatically routes traffic to the closest backends.
  • supports proxy protocol header to preserve original source IP addresses.
  • supports two types of balancing mode:
    • CONNECTION: load spread based on concurrent connections the backend can handle.
    • UTILIZATION: load spread based on instance utilization.
  • supports Session Affinity with client IP affinity.
  • does not support mutual TLS (mTLS) authentication.
  • supports SSL policies to control minimum TLS versions and cipher suites.

Proxy Network Load Balancer — Internal

New deployment mode added in 2023

Available in two deployment modes:

  • Regional internal — for TCP traffic within a region
  • Cross-region internal — for TCP traffic across multiple regions

Key Features

  • is a proxy-based, internal, Layer 4 load balancer for TCP traffic.
  • uses Envoy proxy infrastructure.
  • does not support SSL offload (unlike the external proxy Network Load Balancer).
  • supports backends in instance groups, zonal NEGs, and hybrid NEGs.
  • provides access from connected networks via VPC Network Peering, Cloud VPN, or Cloud Interconnect.
  • cross-region mode enables backends distributed globally with automatic failover.

Choosing a Load Balancer

  • Choose an Application Load Balancer for HTTP(S) traffic with flexible Layer 7 features.
  • Choose a Proxy Network Load Balancer for TCP proxy load balancing with SSL offload to backends in one or more regions.
  • Choose a Passthrough Network Load Balancer to preserve client source IP addresses, avoid proxy overhead, and support additional protocols (UDP, ESP, ICMP, GRE).

Global vs. Regional

  • Global/Cross-region — distributed across multiple regions, resilient to both zonal and regional outages. Use when backends are in multiple regions or you need automatic cross-region failover.
  • Regional — distributed across zones within one region. Required for jurisdictional compliance where traffic must stay in a specific region.

Proxy vs. Passthrough

  • Proxy load balancers terminate client connections at the load balancer and open new connections to backends. Client IP is not preserved by default.
  • Passthrough load balancers don’t terminate client connections. Backend VMs receive packets with original source IP unchanged. Use when you need to preserve client IP.

Security Features (2023-2026 Updates)

  • Mutual TLS (mTLS) — Application Load Balancers now support frontend mTLS (client authenticates to LB) and backend mTLS (LB authenticates to backend). Supported on global external, regional external, regional internal, and cross-region internal Application Load Balancers. Backend mTLS is GA for all Application Load Balancer modes (2025-2026).
  • Authorization Policies — Fine-grained access control policies that can be applied to Application Load Balancers to allow or deny requests based on attributes. GA since October 2025. New policy profiles (Preview 2026) support REQUEST_AUTHZ for header-based decisions and CONTENT_AUTHZ for deep payload inspection (blocking prompt injection attacks, preventing data leaks).
  • SSL Policies — Control minimum TLS version and cipher suites. New FIPS_202205 profile (GA January 2026) restricts to FIPS 140-2/140-3 validated cryptographic modules. TLS 1.3 minimum enforcement is now supported.
  • Google Cloud Armor — DDoS protection and WAF for external Application Load Balancers (global, regional, and classic modes) and external proxy Network Load Balancers.
  • Post-Quantum TLS — Support for post-quantum key exchange (X25519MLKEM768) to protect against future quantum computing threats (GA June 2026). Three-phase rollout: opt-in now, default by October 2026, mandatory after October 2027.
  • Service Extensions — Inject custom processing logic into the load balancing data path. Plugins (Preview October 2024, enhanced 2026) let you run WebAssembly (Wasm) code in a fully managed serverless environment directly in the data path.
  • TLS 1.3 Early Data (0-RTT) — Supported on global external and classic Application Load Balancers (GA February 2025). Can improve performance for resumed connections by 30-50%.
  • Large TLS Key Support — RSA-3072, RSA-4096, and ECDSA P-384 keys now supported (GA July 2025) in addition to RSA-2048 and ECDSA P-256.
  • JA4 Fingerprint — Global external Application Load Balancers support JA4 TLS fingerprinting via custom request headers (GA July 2025) for advanced bot detection and traffic analysis.

Advanced Features (2025-2026 Updates)

  • SNI-based Routing (TLS Routes) — Proxy Network Load Balancers support routing TLS traffic based on Server Name Indication (SNI) hostnames without terminating TLS (Preview March 2026). Enables end-to-end mTLS and reduces IPv4 address exhaustion via single PSC endpoints.
  • Custom Metrics — Application Load Balancers support custom metrics-based traffic distribution instead of standard utilization/rate-based metrics (GA June 2025).
  • Traffic Duration & In-Flight Balancing — Configure backends with SHORT or LONG traffic duration settings. In-flight balancing mode distributes traffic when requests take more than a second (GA May 2026).
  • Traffic Isolation — Global/cross-region load balancers can restrict traffic to the nearest region only, with optional STRICT mode preventing overflow entirely (Preview May 2025).
  • Failover for External ALBs — Global, classic, and regional external Application Load Balancers support failover to regional external ALBs in other regions (GA November 2024).
  • Stateful Cookie-Based Session Affinity — All Application Load Balancers (except classic) support persistent cookie-based stickiness (GA October 2024).
  • Cross-VPC Backends — All Application and Proxy Network Load Balancers support backends in different VPC networks without Shared VPC (April 2025).
  • Cloud Storage Backend Buckets — Now available for regional external and regional internal Application Load Balancers (GA April 2026), completing support across the entire ALB portfolio.
  • Classic to Global Migration — Migrate classic Application Load Balancer resources to global external ALB infrastructure with 90-day rollback option (GA May 2025).

GCP Cloud Load Balancing Decision Tree

Google Cloud Load Balancer Decision Tree

GCP Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • GCP services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • GCP exam questions are not updated to keep up the pace with GCP updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. Your development team has asked you to set up an external TCP load balancer with SSL offload. Which load balancer should you use?
    1. External proxy Network Load Balancer (SSL proxy)
    2. Application Load Balancer (HTTP)
    3. External proxy Network Load Balancer (TCP proxy)
    4. Application Load Balancer (HTTPS)
  2. You have an instance group that you want to load balance. You want the load balancer to terminate the client SSL session. The instance group is used to serve a public web application over HTTPS. You want to follow Google-recommended practices. What should you do?
    1. Configure an external Application Load Balancer.
    2. Configure an internal passthrough Network Load Balancer.
    3. Configure an external proxy Network Load Balancer (SSL proxy).
    4. Configure an external proxy Network Load Balancer (TCP proxy).
  3. Your development team has asked you to set up load balancer with SSL termination. The website would be using HTTPS protocol. Which load balancer should you use?
    1. External proxy Network Load Balancer (SSL proxy)
    2. Application Load Balancer (HTTP)
    3. External proxy Network Load Balancer (TCP proxy)
    4. External Application Load Balancer (HTTPS)
  4. You have an application that receives SSL-encrypted TCP traffic on port 443. Clients for this application are located all over the world. You want to minimize latency for the clients. Which load balancing option should you use?
    1. External Application Load Balancer (HTTPS)
    2. External passthrough Network Load Balancer
    3. External proxy Network Load Balancer (SSL Proxy)
    4. Internal passthrough Network Load Balancer. Add a firewall rule allowing ingress traffic from 0.0.0.0/0 on the target instances.
  5. You need to deploy an internal load balancer for HTTP traffic that can automatically failover to backends in another region if the primary region goes down. Which load balancer should you choose?
    1. Regional internal Application Load Balancer
    2. Cross-region internal Application Load Balancer
    3. Internal passthrough Network Load Balancer
    4. Internal proxy Network Load Balancer
  6. Your organization requires that TLS be terminated only within a specific region for compliance. You need an external load balancer for HTTPS traffic. Which deployment mode should you use?
    1. Global external Application Load Balancer
    2. Classic Application Load Balancer (Premium Tier)
    3. Regional external Application Load Balancer
    4. External proxy Network Load Balancer (SSL proxy)
  7. You want to load balance UDP traffic to backend VMs while preserving the client source IP address. Which load balancer type should you use?
    1. External Application Load Balancer
    2. External proxy Network Load Balancer
    3. External passthrough Network Load Balancer
    4. Internal Application Load Balancer
  8. You need to set up mutual TLS (mTLS) authentication where the load balancer verifies client certificates. Which load balancer supports this? (Choose two)
    1. Global external Application Load Balancer
    2. External passthrough Network Load Balancer
    3. Regional internal Application Load Balancer
    4. External proxy Network Load Balancer (SSL proxy)

References