Cloud Load Balancing release notes

GRPC_WITH_TLS health checks are used for health checking gRPC backends with TLS enabled. For more information, see the following:

• Success criteria for gRPC
• Create health checks

This feature is in General availability.

The global and classic external Application Load Balancers implemented on Google Front-Ends (GFEs) now reject TLS connections when the client and the load balancer support ALPN (Application-Layer Protocol Negotiation), but don't share common ALPN protocols.

Previously, if a client proposed a list of application protocols during the TLS handshake using the ALPN extension and none were supported by the load balancer, ALPN would be deactivated and the connection would default to using HTTP/1 as the default application protocol. After this update, the GFE instead returns an SSL_TLSEXT_ERR_ALERT_FATAL response which causes the load balancer to terminate the TLS handshake, and the connection to close. This change ensures that an application-layer protocol is always explicitly negotiated between the clients and the load balancers that support ALPN.

You can specify a custom ephemeral /96 IPv6 address range when creating a regional IPv6 forwarding rule. For more information, see the following:

• Internal passthrough Network Load Balancer overview
• Backend service-based external passthrough Network Load Balancer overview
• Protocol forwarding overview

This feature is in General availability.

Application Load Balancers support authorization policies that let you establish access control checks for incoming traffic.

For details, see Authorization policy overview.

This feature is in General availability.

Both internal passthrough Network Load Balancers and external passthrough Network Load Balancers support load balancing to managed instance groups (MIGs) comprised of IPv6-only VM instances.

For more details, see the following pages:

• Set up an external passthrough Network Load Balancer with a backend service
• Set up an internal passthrough Network Load Balancer with VM instance group backends

This feature is in General availability.

Percentage-based request mirroring is now supported for the global and regional external Application Load Balancers (classic is not supported). By default, the mirrored backend service receives all requests, even if the original traffic is being split between multiple weighted backend services. You can now configure the mirrored backend service to receive only a percentage of the requests by using the mirrorPercent flag to specify the percentage of requests to be mirrored, expressed as a value between 0 and 100.0.

For an example, see Set up traffic management for regional external Application Load Balancers.

This feature is available in General availability.

A security fix was made which changes the behavior of requests and responses sent with the Transfer-Encoding: Chunked header to be more RFC 9112 compliant. The RFC states that both the chunked_body and the last-chunk fields must end in CRLF. This is now enforced.

The global and classic external Application Load Balancers implemented on Google Front-Ends (GFEs) now support HTTP/1.0 explicitly as a protocol during ALPN (Application-Layer Protocol Negotiation) negotiation.

Previously, when the GFEs didn't support HTTP/1.0 explicitly, the GFE would return an SSL_TLSEXT_ERR_NOACK response, disable ALPN, and fall back to using HTTP/1 (which includes HTTP/1.0 and HTTP/1.1) as the default application protocol. After this change, GFEs will instead return HTTP/1.0, which provides clients with positive confirmation that their advertised HTTP/1.0 was accepted.

You are not expected to make any changes with this update. If a TLS handshake with HTTP/1.0 is unsuccessful, please contact support.

The internal and external passthrough Network Load Balancers now support load balancing to unmanaged instance groups comprised of IPv6-only VM instances.

Protocol forwarding also supports IPv6-only target instances.

For more details, see the following pages:

• Protocol forwarding overview
• Backend service-based external passthrough Network Load Balancer overview
• Internal passthrough Network Load Balancer overview
• Set up an internal passthrough Network Load Balancer with IPv6-only subnets and backends

This feature is available in General Availability.

Cross-region internal Application Load Balancers can now route requests for static content to Cloud Storage buckets.

For more information, see Set up a cross-region internal Application Load Balancer with Cloud Storage buckets.

This capability is now in General Availability.

Starting October 15, 2025, the global and classic external Application Load Balancers are improving HTTP header handling for headers with obs-fold values to comply with the RFC 9112 standard

Previously, these load balancers would forward HTTP headers with obs-fold values (those split across multiple lines, with subsequent lines starting with a space or a tab) without any changes. Starting October 15, 2025, each obs-fold will be replaced with one or more space characters (SP octets) before forwarding the message upstream. This ensures that the header is correctly interpreted as a single line, as required by the HTTP specification.

What you need to do

Review your current client applications and backend services before October 15, 2025 and ensure that they generate HTTP headers with obs-fold values in a single-line format when communicating with these load balancers.

Because the obs-fold header fields have been deprecated in RFC 9112, compliant clients and servers should already avoid using this format. However, there is a possibility that services that specifically rely on the old, non-compliant multi-line format of headers with obs-fold values might experience unexpected behavior. You should proactively check your backend service logs for any errors originating from your services due to the modified obs-fold headers.

For more information on the HTTP specification regarding headers with obs-fold values, review RFC 9112, Section 5.2: Obsolete Line Folding.

Global external Application Load Balancers now support the JA4 fingerprint. The JA4 fingerprint can be added to a custom request header using the tls_ja4_fingerprint variable.

This capability is now in General Availability.

Application Load Balancers and Proxy Network Load Balancers now support TLS certificates with large key sizes. Previously, these load balancers supported only certificates with RSA-2048 or ECDSA P-256 key types. With this update, you can now use self-managed certificates with RSA-3072, RSA-4096, and ECDSA P-384 keys.

Key details:

• Supported key types (for self-managed certificates): RSA-2048, RSA-3072, RSA-4096, ECDSA P-256, and ECDSA P-384

• Load balancing coverage for self managed certificates:

  • Certificate Manager SSL certificates: Global and regional load balancing

  • Compute Engine SSL Certificates: Regional load balancing

• Pricing: An additional charge of $0.45 per 1 million connections applies with certificates that use RSA-3072 and RSA-4096 key types. There are no per-connection charges for certificates that use RSA-2048, ECDSA P-256, or ECDSA P-384 key types.

For more information, see the documentation for Supported key types.

This capability is now in General Availability.

Zonal affinity, configured on the backend service of an internal passthrough Network Load Balancer, lets you limit cross-zone traffic, reduce latency, and improve performance, all while maintaining the benefits of a multi-zonal architecture.

Internal passthrough Network Load Balancers support three zonal affinity options that offer varying degrees of preference for routing new connections to eligible backends that are in the same zone as a supported client.

For more information, see Zonal affinity for internal passthrough Network Load Balancers.

This feature is in Preview.

Cloud Load Balancing now supports failover for global, classic, and regional external Application Load Balancers. Failover is handled by creating two or more regional external Application Load Balancers in the regions where you want the traffic to failover to. Only regional external Application Load Balancers can be used as failover backup load balancers.

For details, see Failover for external Application Load Balancers.

This feature is available in General availability.

Regional external Application Load Balancers, cross-region internal Application Load Balancers, regional internal Application Load Balancers, regional internal proxy Network Load Balancers, cross-region internal proxy Network Load Balancers, and regional external proxy Network Load Balancers now support IPv4 and IPv6 (dual-stack) backends.

The following backends have dual-stack support:

• VM instance groups
• Zonal NEGs (GCE_VM_IP_PORT endpoints)

You can also convert your existing single-stack load balancers from IPv4-only to dual stack (IPv4 and IPv6) deployments.

For details, see the following pages:

• IPv6 overview
• Convert your existing Application Load Balancer to IPv6
• Convert your existing proxy Network Load Balancer to IPv6

This feature is available in General Availability.

Percentage-based request mirroring is now supported for the cross-region and regional internal Application Load Balancers. By default, the mirrored backend service receives all requests, even if the original traffic is being split between multiple weighted backend services. You can now configure the mirrored backend service to receive only a percentage of the requests by using the mirrorPercent flag to specify the percentage of requests to be mirrored expressed as a value between 0 and 100.0.

For an example, see Set up traffic management for regional internal Application Load Balancers.

This capability is available in Preview.

Cloud Load Balancing resources now let you use custom constraints to define your own restrictions on Google Cloud services. To learn about which load balancing resources support custom constraints, and some sample use cases, see Manage Cloud Load Balancing resources using custom constraints.

For more information about custom constraints, see the following:

• Custom organization policies
• Custom constraint supported services

This feature is available in General Availability.

Percentage-based request mirroring is now supported for the global and regional external Application Load Balancers (classic is not supported). By default, the mirrored backend service receives all requests, even if the original traffic is being split between multiple weighted backend services. You can now configure the mirrored backend service to receive only a percentage of the requests by using the mirrorPercent flag to specify the percentage of requests to be mirrored expressed as a value between 0 and 100.0.

For an example, see Set up traffic management for regional external Application Load Balancers.

This capability is available in Preview.

Support for IPv6 static routes with a next hop internal passthrough Network Load Balancer (next-hop-ilb) is available in Preview.

Service Extensions plugins are available for Google Cloud Application Load Balancers, excluding Classic, in Preview.

Service Extensions plugins help you insert WebAssembly (Wasm) plugins in a fully managed serverless environment directly into the data path of Application Load Balancers.

For details, see Plugins for Cloud Load Balancing.

All the Application Load Balancers, except the classic Application Load Balancer, now support stateful cookie-based session affinity. When you use stateful cookie-based affinity, the load balancer includes an HTTP cookie in the Set-Cookie header in response to the initial HTTP request. With stateful session affinity, customers can preserve stickiness to the selected backend.

For details, see Stateful cookie-based session affinity.

This capability is in General Availability.

To take advantage of the new features of the global external Application Load Balancer, you can now migrate your classic Application Load Balancer resources to the global external Application Load Balancer infrastructure.

To migrate to the global external Application Load Balancer, you change the load balancing scheme of your load balancing resources—specifically, the backend services and forwarding rules—from EXTERNAL to EXTERNAL_MANAGED. You can also rollback resources to the classic Application Load Balancer infrastructure, as long as you do so within 90 days of changing the load balancing scheme.

For more details on the migration process, see the following pages:

• Migration overview
• Migrate resources from classic to global external Application Load Balancer
• Roll back migrated resources to classic Application Load Balancer

This capability is available in Preview.

Global external Application Load Balancers and global external proxy Network Load Balancers can now load balance IPv6 traffic. The following backends have dual-stack support:

• VM instance groups
• Zonal NEGs (GCE_VM_IP_PORT endpoints)

You can also convert your existing single-stack load balancers from IPv4-only to dual stack (IPv4 and IPv6) deployments.

For details, see the following pages:

• IPv6 overview
• Convert your existing Application Load Balancer to IPv6
• Convert your existing proxy Network Load Balancer to IPv6

This feature is available in General Availability.

Internal and external passthrough Network Load Balancers now support connection draining for UDP and other non-TCP protocol traffic.

For details, see Enable connection draining.

This feature is available in Preview.

You can now use the Google Cloud Console to create the following load balancers in Premium Tier:

• Regional external Application Load Balancer
• Regional external proxy Network Load Balancer

Previously, only Standard Tier support was available in the Console.

Previously, the classic external Application Load Balancer had lenient HTTP/2 request parsing that did not reject requests containing certain invalid characters in the request path. The same requests would have been rejected if they had arrived over HTTP/1 or HTTP/3.

Now, all HTTP requests, including HTTP/2 requests, are rejected if the path contains a character that isn't one of the following:

• An allowed ASCII character specified in RFC 3986, sections 3.3 and 3.4.

• One of the following special allowed characters: [ ] { } | ^

All other characters must be properly URL encoded.

You can identify rejected requests in the proxy logs by looking for the following:

• responseCode: 400
• response_code_details: invalid_http2_client_request_path

The regional external Application Load Balancers, cross-region internal Application Load Balancers, regional internal Application Load Balancers, now support a configurable client HTTP keepalive timeout. The client HTTP keepalive timeout represents the maximum amount of time that a TCP connection can be idle between the (downstream) client and the target HTTP(S) proxy.

For details, see

• External Application Load Balancers: Client HTTP keepalive timeout
• Internal Application Load Balancers: Client HTTP keepalive timeout

This capability is available in General Availability.

Envoy-based Application Load Balancers now support authorization policies that let you establish access control checks for incoming traffic. For details, see Authorization policy.

This feature is available in Preview.

The Global external Application Load Balancer and the Classic Application Load Balancer will no longer support TLS sessionID resumption. They continue to support modern forms of TLS resumption.

The TLS protocol supports an optimization which allows a client reconnecting to a server with which it has communicated before to perform a cheaper abbreviated handshake. This optimization is available in several modes, which include the modern PSK and ticket mechanisms, as well as the long-obsolete sessionID mechanism.

The Global external Application Load Balancer and the Classic Application Load Balancer are the only Google Cloud products that currently support the obsolete sessionID mechanism.

This sessionID mechanism is going to be disabled over the next 4-5 weeks. Clients that currently make use of sessionID will transparently fall back to full TLS handshakes. To recover the performance optimization gains, we recommend that you upgrade clients to modern TLS libraries which support the PSK or ticket mechanisms.

Regional external Application Load Balancer, regional internal Application Load Balancer, and cross-region internal Application Load Balancer support mutual TLS (mTLS).

With mTLS, the load balancer requests that the client send a certificate to authenticate itself during the TLS handshake with the load balancer. You can configure a trust store to validate the client certificate's chain of trust.

For details, see the following:

• Mutual TLS authentication
• Set up mutual TLS with user-provided certificates
• Set up mutual TLS with a private CA

This capability is in General Availability.

The global external Application Load Balancer and the classic Application Load Balancer already support frontend mTLS (General Availability).

Cloud Load Balancing now supports failover for global, classic, and regional external Application Load Balancers. Failover is handled by creating two or more regional external Application Load Balancers in the regions where you want the traffic to failover to. Only regional external Application Load Balancers can be used as failover backup load balancers.

For details, see Failover for external Application Load Balancers.

This feature is available in Preview.

All the Application Load Balancers, except the classic Application Load Balancer, now support stateful cookie-based session affinity. When you use stateful cookie-based affinity, the load balancer includes an HTTP cookie in the Set-Cookie response header of the initial HTTP request.

For details, see Stateful cookie-based session affinity.

This capability is in Preview.

Regional external Application Load Balancers, cross-region internal Application Load Balancers, regional internal Application Load Balancers, regional internal proxy Network Load Balancers, cross-region internal proxy Network Load Balancers, and regional external proxy Network Load Balancers support IPv4 and IPv6 (dual-stack) backends.

Ingress IPv4 traffic can now be proxied over an IPv4 or IPv6 connection to the IPv4 and IPv6 (dual-stack) backends.

The following backends support dual stack:

• VM instance group
• Zonal NEGs (GCE_VM_IP_PORT)

You can now convert the load balancers from IPv4 based deployments to dual stack (IPv4 and IPv6) deployments.

For details, see:

• IPv6 overview

• Convert Application Load Balancer to IPv6

• Convert proxy Network Load Balancer to IPv6

This feature is available in Preview.

Cloud Load Balancing introduces advanced cost, latency, and resiliency optimizations for your global external Application Load Balancers. These include the following capabilities:

• You can use a service load balancing policy to customize the parameters that influence how traffic is distributed within the backends associated with a backend service (for example, load balancing algorithm and auto-capacity draining).
• You can designate specific backends as preferred backends.

For details, see Advanced load balancing optimizations.

This feature is in General Availability.

You can now access backend services residing in different projects than the external or internal Application Load Balancers with cross-project service referencing.

For details, see:

• Set up a global external Application Load Balancer with Shared VPC

• Set up regional external Application Load Balancers with Shared VPC

• Set up an internal Application Load Balancer with Shared VPC

This feature is available in General Availability.

Bring your own IP lets you bring your own public IPv6 addresses to Google Cloud. IPv6 BYOIP addresses can be used with external passthrough Network Load Balancers. Bring your own IP for IPv6 addresses is available in General Availability.

Global external Application Load Balancers and global external proxy Network Load Balancers can now load balance IPv6 traffic. The following backends support dual stack:

• VM instance group
• Zonal NEGs (GCE_VM_IP_PORT)

You can now convert the load balancer from IPv4 based deployments to dual stack (IPv4 and IPv6) deployments.

For details, see:

• IPv6

• Convert Application Load Balancer to IPv6

• Convert proxy Network Load Balancer to IPv6

This feature is available in Preview.

Internal passthrough Network Load Balancer now supports load-balancing for TCP, UDP, ICMP, ICMPv6, SCTP, ESP, AH, and GRE protocols. To handle multiple protocol traffic, you set the load balancer's forwarding rule protocol to L3_DEFAULT and set the backend service protocol to UNSPECIFIED.

For details, see:

Set up an internal passthrough Network Load Balancer with VM instance group backends for multiple protocols

This feature is available in General Availability.

Application Load Balancers now support Certificate Manager allowlisted certificates. For more information, see Mutual TLS authentication.

This capability is in General Availability.

The cross-region internal proxy Network Load Balancer supports backends in multiple regions, provides seamless cross-region failover, and is globally accessible by clients from any Google Cloud region, on premise, or other clouds.

For details, see the Internal proxy Network Load Balancer overview.

To set up a cross-region internal proxy Network Load Balancer, see the following pages:

• Instance group backends

• Mixed zonal and hybrid connectivity NEG backends

This capability is in General Availability.

The cross-region internal Application Load Balancer supports backends in multiple regions, provides seamless cross-region failover using Cloud DNS routing policies, and is globally accessible by clients from any Google Cloud region, on premise, or other clouds. Supports Google-managed certificates using Cloud Certificate Manager and Certificate Authority Service.

For details, see the Internal Application Load Balancer overview.

To set up a cross-region internal Application Load Balancer, see the following pages:

• Instance group backends

• Mixed zonal and hybrid connectivity NEG backends

• Cloud Run backends

This capability is in General Availability.

You can now configure advanced traffic management using flexible pattern matching. This feature allows you to use wildcard syntax anywhere in your path matcher configuration. You can use this feature to customize origin routing for different types of traffic and request and response behaviors. In addition, you can now use results from your pattern matching to rewrite the path that is sent to the origin.

Pattern matching with wildcards is now supported for the following products:

• Global external Application Load Balancer (launched previously)
• Regional external Application Load Balancer
• Cross-region internal Application Load Balancer
• Regional internal Application Load Balancer
• Traffic Director

For details, see URL maps overview: Wildcards and pattern matching operators in path templates for route rules.

This capability is available in General availability.

Typically with HTTPS communication, the authentication works only one way: the client verifies the identity of the server. For applications that require the load balancer to authenticate the identity of clients that connect to it, regional external Application Load Balancer, regional internal Application Load Balancer, and cross-region internal Application Load Balancer support mutual TLS (mTLS).

With mTLS, the load balancer requests that the client send a certificate to authenticate itself during the TLS handshake with the load balancer. You can configure a trust store that the load balancer uses to validate the client certificate's chain of trust.

For details, see the following:

• Mutual TLS authentication
• Set up mutual TLS with user-provided certificates
• Set up mutual TLS with a private CA

This capability is in Preview.

Global external Application Load Balancer and global external Application Load Balancer (classic) already support frontend mTLS(General Availability).

The Google Cloud Console has launched a new wizard experience to walk you through the process of selecting a new load balancer. The new wizard walks you through all the available options (internal or internet-facing, proxy or passthrough, global or regional) and guides you to the appropriate load balancer for your use-case.

Try out the new wizard in the Google Cloud Console at Create a load balancer.

Regional external Application Load Balancers and regional internal Application Load Balancers now support Certificate Manager certificates. For more information, see Certificates and Google Cloud load balancers.

This capability is in General Availability.

The global external Proxy Network Load Balancer is implemented on globally distributed GFEs and supports advanced traffic management capabilities. This load balancer can be configured to handle either TCP or SSL traffic by using either a target TCP proxy or a target SSL proxy respectively. Global external proxy Network Load Balancers support backends such as instance groups, hybrid NEGs, and Private Service Connect NEGs. For details, see the External proxy Network Load Balancer overview.

To set up a global external Proxy Network Load Balancer, see the following pages:

• Instance group backends with SSL
• Instance group backends with TCP

This capability is in General Availability.

Global external Application Load Balancers now let you customize your own error responses when an HTTP error status code (4xx and 5xx) is generated. You can customize error responses for errors generated by both the load balancer and the backend instances. You can also customize error responses for error response codes that are generated when traffic is denied by Cloud Armor.

For more information, see the following pages:

• Custom error responses overview
• Configure custom error responses

This feature is available in Preview.

External passthrough Network Load balancers now support zonal NEGs with GCE_VM_IP endpoints. This also lets you add any network interface of a VM as an endpoint for a zonal NEG backend, as long as the network interface belongs to the same subnetwork as the NEG. In comparison, you can only attach the nic0 of a VM to an instance group backend.

For more details, see the following pages:

• External passthrough Network Load Balancer overview: Backends
• Zonal NEGs overview
• Set up an external passthrough Network Load Balancer with a GCE_VM_IP zonal NEG

The following regional load balancers can now be configured in either Premium or Standard Network Service Tier:

• Regional internal Application Load Balancers
• Regional external Application Load Balancers
• Regional internal proxy Network Load Balancers
• Regional external proxy Network Load Balancers

For more information about Network Service Tiers, see the Network Service Tiers overview.

This feature is available in General Availability.

Forwarding rules used with Application Load Balancers now let you specify any single port from1-65535.

For more information, see the following:

• Summary of load balancer types
• External Application Load Balancer overview
• Internal Application Load Balancer overview

This feature is available in General Availability.

Regional Application Load Balancers and regional proxy Network Load Balancers now support load balancing traffic to external backends outside Google Cloud. To define an external backend for a load balancer, you use a regional internet network endpoint group (NEG).

For details, see the following:

• Internet NEG concepts
• Set up a regional external Application Load Balancer with an external backend
• Set up a regional internal Application Load Balancer with an external backend
• Set up a regional internal proxy Network Load Balancer with an external backend
• Set up a regional external proxy Network Load Balancer with an external backend

This capability is in General Availability.

Service Extensions callouts are available for Google Cloud Application Load Balancers, excluding Classic.

By using this feature, you can direct your load balancers to make gRPC calls to user-managed or partner-hosted applications from within the Cloud Load Balancing data processing path. These applications can then apply various policies or functions, such as header or payload manipulation, security screening, or custom logging on the traffic before returning the traffic to the load balancer for further processing.

For details, see the following topics in the Service Extensions documentation:

• Cloud Load Balancing extensions overview
• Configure a callout extension

Service Extensions is in Preview.

Cloud Load Balancing introduces the global external Proxy Network Load Balancer. The global external Proxy Network Load Balancer is implemented on globally distributed GFEs and supports advanced traffic management capabilities. This load balancer can be configured to handle either TCP or SSL traffic by using either a target TCP proxy or a target SSL proxy respectively. Global external proxy Network Load Balancers support backends such as instance groups, hybrid NEGs, and Private Service Connect NEGs.

Load balancers that are already deployed in the classic mode are renamed as classic Proxy Network Load Balancer in the console.

For details, see the External proxy Network Load Balancer overview.

To set up a global external Proxy Network Load Balancer, see the following pages:

• Instance group backends with SSL
• Instance group backends with TCP

This capability is in Preview.

With the launch of global external Proxy Network Load Balancer, we now support three deployment modes with the external Proxy Network Load Balancer—classic (General Availability), Regional (General Availability) and global (Preview). No changes have been made to the API.

For details, see the External proxy Network Load Balancer overview.

Typically with HTTPS communication, the authentication works only one way: the client verifies the identity of the server. For applications that require the load balancer to authenticate the identity of clients that connect to it, both a global external Application Load Balancer and a global external Application Load Balancer (classic) support mutual TLS (mTLS).

With mTLS, the load balancer requests that the client send a certificate to authenticate itself during the TLS handshake with the load balancer. You can configure a trust store that the load balancer uses to validate the client certificate's chain of trust.

For details, see the following:

• Mutual TLS authentication
• Set up mutual TLS with signed certificates
• Set up mutual TLS with a private CA
• Set up mutual TLS for a global external Application Load Balancer (classic)
• Set up mutual TLS for a global external Application Load Balancer

This capability is in General Availability.

Regional external HTTP(S), internal HTTP(S), and the regional internal TCP proxy load balancers now use distributed Envoy health checks instead of Google's centralized health checking mechanism. Envoy health check probes originate from the proxy-only subnet associated with the load balancer.

For more details, see the Hybrid NEG documentation: Distributed Envoy health checks.

This feature is available in General availability.

Cloud Load Balancing is introducing new advanced cost, latency, and resiliency optimizations for your global external Application Load Balancer. These include the following capabilities:

• You can use a service load balancing policy to customize the parameters that influence how traffic is distributed within the backends associated with a backend service (for example, load balancing algorithm and auto-capacity draining).
• You can designate specific backends as preferred backends.

For details, see Advanced load balancing optimizations.

This feature is in Preview.

Internal passthrough Network Load Balancers can now be configured to handle private IPv6 traffic within your VPC. To enable this, you must configure your dual-stack subnet, backend VMs, health checks, and the forwarding rules to handle IPv6 traffic.

For details, see:

• Internal passthrough Network Load Balancer overview

• Set up load balancer with dual-stack subnets

This feature is available in General Availability.

The following changes have been made to the Google Cloud console:

• Firewall rules has moved to Network security > Firewall policies.
• SSL policies has moved to Network services > SSL policies.

Regional Application Load Balancers and regional proxy Network Load Balancers now support load balancing traffic to external backends outside Google Cloud. To define an external backend for a load balancer, you use a regional internet network endpoint group (NEG).

For details, see the following:

• Internet NEG concepts
• Set up a regional internal Application Load Balancer with an external backend
• Set up a regional internal proxy Network Load Balancer with an external backend

This capability is in Preview.

Cloud Load Balancing introduces the cross-region internal Application Load Balancer.

The cross-region internal Application Load Balancer supports backends in multiple regions, provides seamless cross-region failover, and is globally accessible by clients from any Google Cloud region, on premise, or other clouds.

For details, see the Internal Application Load Balancer overview.

To set up a cross-region internal Application Load Balancer, see the following pages:

• Instance group backends

• Mixed zonal and hybrid connectivity NEG backends

This capability is in Preview.

With the launch of cross-region internal Application Load Balancer, we now support two deployment modes with the internal Application Load Balancer—regional (General Availability) and cross-region (Preview). In the regional mode, you configure the Internal Application Load Balancer in a specific region, and associate it with backends only in the load balancer's region. Load balancers deployed in the regional mode are renamed as regional internal Application Load Balancer in the console. No changes have been made to the API.

For details, see the Internal Application Load Balancer overview.

The global external Application Load Balancer now supports a configurable client HTTP keepalive timeout. The client HTTP keepalive timeout represents the maximum amount of time that a TCP connection can be idle between the (downstream) client and the target HTTP/S proxy.

For details, see

• Client HTTP keepalive timeout
• Update client HTTP keepalive timeout

This capability is available in General Availability.

Internal passthrough Network Load Balancer now supports load-balancing for TCP, UDP, ICMP, ICMPv6, SCTP, ESP, AH, and GRE protocols. To handle multiple protocol traffic, you set the load balancer's forwarding rule protocol to L3_DEFAULT and set the backend service protocol to UNSPECIFIED.

For details, see:

Set up an internal passthrough Network Load Balancer with VM instance group backends for multiple protocols

This feature is available in Preview.

The Cloud Load Balancing Console now allows you to see the equivalent API code for actions you take in the Console. When you create or update a load balancer, before you click Create or Update, you can click Equivalent Code to view the load balancer API resources that will be created, updated, or deleted.

This capability is in General Availability.

Network Load Balancing now supports user-specified weights on the backend service. This allows you to manage the backend load distribution of your load balancer and avoid overloading them.

For details, see:

• Weighted load balancing
• Configure weighted load balancing

This feature is in General Availability.

The Cloud Load Balancing Console now allows you to see the equivalent API code for actions you take in the Console. When you create or update a load balancer, before you click Create or Update, you can click Equivalent Code to view the load balancer API resources that will be created, updated, or deleted.

This capability is in Preview.

Network Load Balancing logging and Internal TCP/UDP Load Balancing logging are now available in General availability.

The global external HTTP(S) load balancer now supports advanced traffic management using flexible pattern matching. This allows you to use wildcards anywhere in your path matcher. You can use this to customize origin routing for different types of traffic and request and response behaviors. In addition, you can now use results from your pattern matching to rewrite the path that is sent to the origin.

For details, see URL maps overview: Wildcards and pattern matching operators in path templates for route rules.

This capability is available in Preview.

Internal TCP/UDP load balancers can now be configured to handle private IPv6 traffic within your VPC. To enable this, you must configure your dual-stack subnet, backend VMs, health checks, and the forwarding rules to handle IPv6 traffic.

For details, see:

• Internal TCP/UDP Load Balancing overview

• Set up load balancer with dual-stack subnets

This feature is available in Preview.

Cloud Load Balancing introduces a new version of the external HTTP(S) load balancer. The new global external HTTP(S) load balancer with advanced traffic management capabilities contains many of the features of our existing classic HTTP(S) load balancer, but with an ever-growing list of traffic management capabilities such as weighted traffic splitting, request mirroring, outlier detection, fault injection, and so on.

For details on the new load balancer, see:

• External HTTPS(S) Load Balancing overview
• Load balancer features (External HTTP(S) > Global )
• Setting up a global external HTTP(S) load balancer
• Traffic management for global external HTTP(S) load balancers

This load balancer is available in General Availability.

External TCP/UDP Network Load Balancing now supports load-balancing GRE traffic. To handle GRE protocol traffic, you set the load balancer's forwarding rule protocol to L3_DEFAULT and set the backend service protocol to UNSPECIFIED.

For details, see:

• Backend service-based external TCP/UDP Network Load Balancing overview

This feature is available in General Availability.

Forwarding rules for external TCP/UDP network load balancers can now be configured to direct traffic coming from a specific range of source IP addresses to a specific backend service (or target instance). This is called traffic steering.

For details, see:

• Network load balancer overview: Traffic steering
• Configure traffic steering

This capability is in Preview.

Regional external and regional internal HTTP(S) load balancers now support regional SSL policies. SSL policies give you the ability to control the features of SSL that your Google Cloud load balancers negotiate with clients.

For details, see:

• SSL policies overview
• Using SSL policies

This feature is in Preview.

Regional external and regional internal HTTP(S) load balancers now support using Cloud Run services as backends for the load balancer. This is configured using a serverless network endpoint group (NEG).

For details, see:

• Serverless NEG concepts
• Setting up a regional external HTTP(S) load balancer with a Cloud Run backend
• Setting up an internal HTTP(S) load balancer with a Cloud Run backend

This feature is available in Preview.

Regional external HTTP(S) load balancers now support Shared VPC configurations where the load balancer's forwarding rule, target proxy, and URL map, can be created in a host or service project, while the backend services and backends can be distributed across multiple service projects in the Shared VPC environment. This is referred to as cross-project service referencing. Cross-project backend services can be referenced from a single URL map.

Cross-project service referencing gives service developers and admins autonomy over the exposure of their services through the centrally managed load balancer.

For details, see:

• Shared VPC architectures
• Setting up a regional external HTTP(S) load balancer with Shared VPC

This feature is available in Preview.

Backend subsetting for internal HTTP(S) load balancers improves performance and scalability by assigning a subset of backends to each of the proxy instances.

This feature is in Preview.

TCP Proxy and SSL Proxy load balancers now support Google Cloud Armor. For more information, see the Cloud Armor security policy overview.

This feature is available in Preview.

Starting October 1, 2022, we'll apply an outbound data processing charge of $0.008 - $0.012 per GB (based on region) to all Cloud Load Balancing products in order to maintain consistency and alignment with the variable costs of the services across our Cloud Load Balancing portfolio. The charge will be called Outbound data processed by load balancer and the price will mirror the existing price for the Inbound data processed by load balancer charge.

If you are on an existing contract, your prices will not change for the lifetime of the contract, or until renewal.

The current internal HTTP(S) load balancer pricing already includes this charge, so no changes are being made there.

To learn more about this change, see the Google Cloud Blog post: Unlock more choice with updates to Google Cloud's infrastructure capabilities and pricing.

Backend subsetting for internal TCP/UDP load balancers lets you scale your internal TCP/UDP load balancer to support a larger number of backend VM instances per internal backend service.

This feature is in General availability.

You can now use a combination of zonal NEGs (of type GCE_VM_IP_PORT) and hybrid NEGs (of type NON_GCP_PRIVATE_IP_PORT) as backends for your global external HTTP(S) load balancers. For all supported backend combinations, see the table at Backend services.

Network Load Balancing introduces a new monitoring resource type loadbalancing.googleapis.com/ExternalNetworkLoadBalancerRule that lets you monitor all the supported protocols including TCP, UDP, ESP, and ICMP.

For details, see Monitoring Network Load Balancing.

This feature is available in General Availability.

Internal TCP/UDP Load Balancing now supports source-IP address session affinity (CLIENT_IP_NO_DESTINATION) in Public Preview.

Network Load Balancing now supports load-balancing ESP (Encapsulating Security Payload) and ICMP (Internet Control Message Protocol) traffic. To handle these protocols, you specify the new L3_DEFAULT protocol on the load balancer's forwarding rule.

For details, see:

• Forwarding rule protocols for backend service-based network load balancers
• Setting up Network Load Balancing for multiple protocols

This feature is available in General Availability.

External TCP/UDP Network Load Balancing now allows you to configure a connection tracking policy. A connection tracking policy introduces the following new properties to let you customize your load balancer's connection tracking behavior:

• Tracking mode
• Connection persistence on unhealthy backends

To learn about how connection tracking works, see Backend selection and connection tracking.

To learn how to configure a connection tracking policy, see Configure a connection tracking policy.

This feature is available in General Availability.

Network Load Balancing introduces a new monitoring resource type loadbalancing.googleapis.com/ExternalNetworkLoadBalancerRule that lets you monitor all the supported protocols including TCP, UDP, ESP, and ICMP.

For details, see Monitoring Network Load Balancing.

This feature is available in Preview.

Internal HTTP(S) Load Balancing now supports Shared VPC configurations where the load balancer's frontend and URL map can be created in a host or service project, while the backend services and backends can be distributed across multiple service projects in the Shared VPC environment. This is referred to as cross-project service referencing. Cross-project backend services can be referenced in a single URL map.

Cross-project service referencing gives service developers and admins autonomy over the exposure of their services through the centrally managed load balancer.

For details, see:

• Shared VPC architectures
• Setting up Internal HTTP(S) Load Balancing with Shared VPC

This feature is available in Preview.

The default behavior for HTTP/3 and Google QUIC is changing for global external HTTP(S) load balancers. The default setting of quicOverride=NONE will now advertise support for HTTP/3 to your clients. This change is currently rolling out globally.

If you don't want this behavior to change, you can disable HTTP/3 by setting quicOverride to DISABLE. For instructions, see Configuring HTTP/3.

External HTTP(S) Load Balancing and Cloud CDN now support HTTP/3. HTTP/3 is based on the IETF QUIC transport protocol. Compared to HTTP/2, it reduces request latency, improves throughput, and mitigates head-of-line blocking. HTTP/3 is already supported on most major web browsers.

To learn how to enable HTTP/3 on your external HTTP(S) load balancer, visit the documentation.

Symmetric hashing for internal TCP/UDP load balancers as next hops—When load balancing to multiple NICs on the backends, you no longer need to use source network address translation (SNAT). SNAT isn't required because Google Cloud uses symmetric hashing. This means that when packets belong to the same flow, Google Cloud calculates the same hash. In other words, the hash doesn't change when the source IP address:port is swapped with the destination IP address:port.

This feature is in General Availability.

Network Load Balancing now supports load-balancing ESP (Encapsulating Security Payload) and ICMP (Internet Control Message Protocol) traffic. To handle these protocols, you specify the new L3_DEFAULT protocol on the load balancer's forwarding rule.

For details, see:

• Forwarding rule protocols for backend service-based network load balancers
• Setting up Network Load Balancing for multiple protocols

This feature is available in Preview.

Starting May 15, 2021, a newly-created custom static route using a next hop forwarding rule of an internal TCP/UDP load balancer will forward all protocol traffic, not just TCP and UDP traffic.

If a route created before May 15, 2021 is still in operation on August 14, 2021, it will automatically be migrated to forward all protocol traffic starting August 15, 2021. If you don't want to wait until then, you can enable forwarding of traffic for all protocols by creating new routes and deleting the old ones.

For more information, see Processing of TCP, UDP, and other protocol traffic.

Zonal NEGs (with GCE_VM_IP network endpoints) can now be used as backends for internal TCP/UDP load balancers. For more information on this type of zonal NEG, see Zonal NEGs overview. For instructions on how to set up an internal TCP/UDP load balancer with a zonal NEG backend, see Setting up Internal TCP/UDP Load Balancing with zonal NEGs

This feature is in General Availability.

Internal TCP/UDP Load Balancing now supports session affinity for the UDP protocol. This feature is available in General Availability.

Health check logging is now available in General Availability.

External TCP/UDP Network Load Balancing is now supported with backend services. Compared to the target pool backend, a backend service gives you more fine-grained control over your load balancer, including access to features such as connection draining, failover policies, and support for managed instance groups as backends.

Network load balancers with a backend service can also use health checks that match the traffic (TCP, SSL, HTTP, HTTPS, or HTTP/2) they are distributing.

To get started, see:

• Network Load Balancing with backend services
• Setting up a network load balancer with a backend service
• Transitioning a network load balancer from a target pool to a backend service

This feature is available in Preview.

For HTTP requests, the httpRequest.remoteIp and httpRequest.serverIp fields can include port information. For example 10.0.0.1:80.

External HTTP(S) Load Balancing is now supported for App Engine, Cloud Functions, and Cloud Run services. To configure this, you will need to use a new type of network endpoint group (NEG) called a Serverless NEG.

This feature is now available in General Availability.

Added a new tutorial for delivering HTTP and HTTPS content over the same hostname when using Cloud CDN. While many browsers enforce the use of Transport Layer Security (TLS) and disallow non-secure content delivery, there are still use cases where non-secure delivery and secure delivery must be allowed over the same hostname.

Network endpoint groups (NEGs) now support global, internet endpoints that let you create custom origins for Cloud CDN and deliver content over Google's high performance, distributed edge caching infrastructure when the content is hosted on-premises or in another cloud. This feature is available in General Availability.

Health check logging is now available in Beta.

To help you get started quickly, added two new examples for external HTTP(S) Load Balancing:

• Setting up a simple external HTTP load balancer
• Setting up a simple external HTTPS load balancer

Internal HTTP(S) Load Balancing now supports configurable idle timeouts.

IAM Conditions now supports forwarding rule attributes. You can use these attributes to specify the types of forwarding rules that a member can create. This feature is available in General Availability.

Updated and reorganized documentation for SSL certificates.

Internal HTTP(S) Load Balancing now supports accessing your load balancer from a connected network through VPC Peering, Cloud VPN, and Cloud Interconnect.

For Internal TCP/UDP Load Balancing, load balancing to multiple NICs on a single backend VM instance is now available in General Availability.

Global access for Internal TCP/UDP Load Balancing is now available in General Availability.

Network endpoint groups (NEGs) now support global, internet endpoints that let you create custom origins for Cloud CDN and deliver content over Google's high performance, distributed edge caching infrastructure when the content is hosted on-premises or in another cloud. This feature is available in Beta.

IAM Conditions now supports forwarding rule attributes. You can use these attributes to specify the types of forwarding rules that a member can create. This feature is available in Beta.

Network Load Balancing monitoring is now available in General Availability.

Improved documentation for Adding backend buckets to load balancers.

Added load balancer feature tables.

Internal TCP/UDP Load Balancing as next hop is available in General Availability..

Internal TCP/UDP Load Balancing with global access is available in Beta.

Internal HTTP(S) Load Balancing is available in General Availability.

Multiple domains for Google-managed SSL certificates is now available in Beta.

For Internal TCP/UDP Load Balancing, load balancing to multiple NICs on a single backend VM instance is now available in Beta.

Expanded information about the probe IP ranges for backend health checks.

For the HTTP(S), TCP proxy, and SSL proxy load balancers, the Stackdriver logging timestamp field in the LogEntry now shows the time that requests arrived at the load balancer. Previously, the timestamp showed the time the response was sent by the load balancer back to the client.

Added information about TCP and UDP request and return packets for Internal TCP/UDP Load Balancing.

HTTP(S) Load Balancing logging is now available in Beta.

Documentation update: Creation of new load balancing tutorial that is both content-based and cross-regional.

• The Content-based load balancing tutorial has been modified to include cross-region functionality.
• The Cross-region load balancing tutorial has been removed.
• Links to both original tutorials now redirect to the combined tutorial.
• Modified file Adding a Cloud Storage bucket to content-based load balancing to create two buckets and modify the load balancer accordingly.

Internal TCP/UDP Load Balancing as next hop is available in Beta.

External HTTP(S) load balancers validate protocol selection during ALPN negotiation. For more information, see RFC 7301.

Creating user-defined request headers is published. The information is removed from the backend services documentation

Internal HTTP(S) Load Balancing is available in Beta.

HTTP/2 health checking is available in General Availability.

HTTP/2 between the load balancer and backends is available in General Availability.

The user-defined request header feature is available in General Availability.

Network endpoint groups in load balancing is available in General Availability.

Documentation update: The quotas and limits for load balancing resources are now documented. See Load Balancing Resource Quotas.

Documentation update: The global forwarding rules page (previously at /load-balancing/docs/https/global-forwarding-rules) is combined with Forwarding rule concepts.

Traffic Director is available in Beta.

Internal TCP/UDP Load Balancing with failover groups is available in Beta.

Content-based HTTP(S) health checking is now available in Beta.

HTTP/2 and gRPC to backend VMs is now available in Beta.

QUIC support for HTTPS Load Balancing is now available in General Availability.

SSL Policies configuration for HTTPS and SSL Proxy Load Balancing is now available in General Availability.

QUIC support for HTTPS Load Balancing is now available in Beta.

User-defined request headers for HTTP(S) Load Balancing is now available in Beta.

SSL Policies for HTTPS and SSL Proxy Load Balancing is now available in Beta.

Internal Load Balancing access across VPN or Interconnect is now available in General Availability.

Internal Load Balancing access across VPN or Interconnect is now available in Beta.

IPv6 Termination for HTTP(S), SSL Proxy, and TCP Proxy Load Balancing is now available in General Availability.

Multiple SSL certificate support is now available in General Availability.

Regional instance groups for Internal Load Balancing is now available in General Availability.

TCP Proxy Load Balancing is now available in General Availability.

IPv6 Termination for HTTP(S), SSL Proxy, and TCP Proxy Load Balancing is now available in Beta.

Websocket support for HTTP(S) Load Balancing is now available in General Availability.

TCP Proxy Load Balancing is now available in Beta.

Google Cloud Storage support for HTTP(S) Load Balancing is now available in General Availability.

IPv6 Termination for HTTP(S), SSL Proxy, and TCP Proxy Load Balancing is now available in Alpha.

HTTP(S) Load Balancing is now available in General Availability.

HTTPS Load Balancing is now available in Beta.