Terraform examples for an internal passthrough Network Load Balancer
You can use the following example to deploy a sample internal passthrough Network Load Balancer.
If you are new to using Terraform for Google Cloud,
see Get started with Terraform.
Internal passthrough Network Load Balancer with no backends
You can use a Terraform
module to bring up a minimal internal passthrough Network Load Balancer with a Virtual Private Cloud network,
subnetwork, and all of the necessary load balancing components, but no
backends. This can be useful if you already have some other script or
process for creating your backends.
For information about this example and to learn how to run it, see the
README
in GitHub.
Internal passthrough Network Load Balancer with managed instance group backend
You can use Terraform resources to bring up an internal passthrough Network Load Balancer with
a managed instance group backend.
Last updated 2025-08-25 UTC.
Module configuration for the internal passthrough Network Load Balancer with no backends, from the minimal example of the [Terraform module](https://github.com/terraform-google-modules/terraform-google-lb-internal/tree/master/examples/minimal) (see the [README](https://github.com/terraform-google-modules/terraform-google-lb-internal/blob/master/examples/minimal/README.md) in GitHub):

```hcl
module "test_ilb" {
  source  = "GoogleCloudPlatform/lb-internal/google"
  version = "~> 7.0"

  project      = var.project_id
  network      = google_compute_network.test.name
  subnetwork   = google_compute_subnetwork.test.name
  region       = var.region
  name         = local.resource_name
  ports        = ["8080"]
  source_tags  = ["source-tag-foo"]
  target_tags  = ["target-tag-bar"]
  backends     = []
  health_check = local.health_check
}
```

[Terraform resources](https://github.com/terraform-google-modules/terraform-docs-samples) for the internal passthrough Network Load Balancer with a managed instance group backend:

```hcl
resource "google_compute_network" "ilb_network" {
  name                    = "l4-ilb-network"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "ilb_subnet" {
  name          = "l4-ilb-subnet"
  ip_cidr_range = "10.0.1.0/24"
  region        = "europe-west1"
  network       = google_compute_network.ilb_network.id
}

resource "google_compute_forwarding_rule" "google_compute_forwarding_rule" {
  name                  = "l4-ilb-forwarding-rule"
  backend_service       = google_compute_region_backend_service.default.id
  region                = "europe-west1"
  ip_protocol           = "TCP"
  load_balancing_scheme = "INTERNAL"
  all_ports             = true
  allow_global_access   = true
  network               = google_compute_network.ilb_network.id
  subnetwork            = google_compute_subnetwork.ilb_subnet.id
}

resource "google_compute_region_backend_service" "default" {
  name                  = "l4-ilb-backend-subnet"
  region                = "europe-west1"
  protocol              = "TCP"
  load_balancing_scheme = "INTERNAL"
  health_checks         = [google_compute_region_health_check.default.id]
  backend {
    group          = google_compute_region_instance_group_manager.mig.instance_group
    balancing_mode = "CONNECTION"
  }
}

resource "google_compute_instance_template" "instance_template" {
  name         = "l4-ilb-mig-template"
  machine_type = "e2-small"
  tags         = ["allow-ssh", "allow-health-check"]

  network_interface {
    network    = google_compute_network.ilb_network.id
    subnetwork = google_compute_subnetwork.ilb_subnet.id
    access_config {
      # add external ip to fetch packages
    }
  }
  disk {
    source_image = "debian-cloud/debian-12"
    auto_delete  = true
    boot         = true
  }

  # install nginx and serve a simple web page
  metadata = {
    startup-script = <<-EOF1
      #! /bin/bash
      set -euo pipefail

      export DEBIAN_FRONTEND=noninteractive
      apt-get update
      apt-get install -y nginx-light jq

      NAME=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/hostname")
      IP=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip")
      METADATA=$(curl -f -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=True" | jq 'del(.["startup-script"])')

      cat <<EOF > /var/www/html/index.html
      <pre>
      Name: $NAME
      IP: $IP
      Metadata: $METADATA
      </pre>
      EOF
    EOF1
  }
  lifecycle {
    create_before_destroy = true
  }
}

resource "google_compute_region_health_check" "default" {
  name   = "l4-ilb-hc"
  region = "europe-west1"
  http_health_check {
    port = "80"
  }
}

resource "google_compute_region_instance_group_manager" "mig" {
  name   = "l4-ilb-mig1"
  region = "europe-west1"
  version {
    instance_template = google_compute_instance_template.instance_template.id
    name              = "primary"
  }
  base_instance_name = "vm"
  target_size        = 2
}

# allow all access from health check ranges
# (130.211.0.0/22 and 35.191.0.0/16 are the Google Cloud health check probe
# ranges; 35.235.240.0/20 is the IAP TCP forwarding range)
resource "google_compute_firewall" "fw_hc" {
  name          = "l4-ilb-fw-allow-hc"
  direction     = "INGRESS"
  network       = google_compute_network.ilb_network.id
  source_ranges = ["130.211.0.0/22", "35.191.0.0/16", "35.235.240.0/20"]
  allow {
    protocol = "tcp"
  }
  target_tags = ["allow-health-check"]
}

# allow communication within the subnet
resource "google_compute_firewall" "fw_ilb_to_backends" {
  name          = "l4-ilb-fw-allow-ilb-to-backends"
  direction     = "INGRESS"
  network       = google_compute_network.ilb_network.id
  source_ranges = ["10.0.1.0/24"]
  allow {
    protocol = "tcp"
  }
  allow {
    protocol = "udp"
  }
  allow {
    protocol = "icmp"
  }
}

# allow SSH
# (any source address can reach port 22 on instances tagged allow-ssh; the
# instance template above also gives those instances an external IP)
resource "google_compute_firewall" "fw_ilb_ssh" {
  name      = "l4-ilb-fw-ssh"
  direction = "INGRESS"
  network   = google_compute_network.ilb_network.id
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
  target_tags   = ["allow-ssh"]
  source_ranges = ["0.0.0.0/0"]
}

resource "google_compute_instance" "vm_test" {
  name         = "l4-ilb-test-vm"
  tags         = ["allow-ssh"]
  zone         = "europe-west1-b"
  machine_type = "e2-small"
  network_interface {
    network    = google_compute_network.ilb_network.id
    subnetwork = google_compute_subnetwork.ilb_subnet.id
  }
  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }
}
```
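A check a reviewer can run over the firewall rules of the managed instance group example before applying them, as an added example that is not part of Google's sample. It assumes the input follows Terraform's JSON plan layout (`resource_changes[].change.after`); `audit_firewalls`, the finding codes and `SAMPLE_PLAN` (constructed by hand from the three `google_compute_firewall` resources in that example) are this example's own names.

```python
import ipaddress
import json
import sys


def _fw(name, **after):
    """Build one resource_changes entry (constructed sample data)."""
    return {"address": "google_compute_firewall." + name,
            "type": "google_compute_firewall",
            "change": {"after": dict(direction="INGRESS", **after)}}


# Constructed sample mirroring fw_hc, fw_ilb_to_backends and fw_ilb_ssh.
SAMPLE_PLAN = {"resource_changes": [
    _fw("fw_hc", target_tags=["allow-health-check"],
        source_ranges=["130.211.0.0/22", "35.191.0.0/16", "35.235.240.0/20"],
        allow=[{"protocol": "tcp", "ports": []}]),
    _fw("fw_ilb_to_backends", target_tags=None, source_ranges=["10.0.1.0/24"],
        allow=[{"protocol": p, "ports": []} for p in ("tcp", "udp", "icmp")]),
    _fw("fw_ilb_ssh", target_tags=["allow-ssh"], source_ranges=["0.0.0.0/0"],
        allow=[{"protocol": "tcp", "ports": ["22"]}]),
]}


def audit_firewalls(plan):
    """Return (address, finding) pairs for broad ingress firewall rules."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "google_compute_firewall":
            continue
        after = (rc.get("change") or {}).get("after") or {}
        if after.get("direction", "INGRESS") != "INGRESS":
            continue
        addr = rc["address"]
        for cidr in after.get("source_ranges") or []:
            # prefix length 0 means 0.0.0.0/0 or ::/0: every source address
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append((addr, "ANY_SOURCE"))
        for rule in after.get("allow") or []:
            # tcp/udp with no ports list opens all 65535 ports
            if rule.get("protocol") in ("tcp", "udp", "all") and not rule.get("ports"):
                findings.append((addr, "ALL_PORTS:" + rule["protocol"]))
        # no target tags or service accounts: applies to every VM in the network
        if not (after.get("target_tags") or after.get("target_service_accounts")):
            findings.append((addr, "ALL_INSTANCES"))
    return findings


if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for address, finding in audit_firewalls(plan):
        print(f"{address}: {finding}")
```

To audit a real plan, save it with `terraform plan -out=plan.out`, convert it with `terraform show -json plan.out > plan.json`, and pass `plan.json` as the first argument.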