- gcloud compute forwarding-rules create - create a forwarding rule to direct network traffic to a load balancer
gcloud compute forwarding-rules create
) [--address
] [--allow-global-access
] [--allow-psc-global-access
] [--description
] [--disable-automate-dns-zone
] [--ip-collection
] [--ip-collection-region
] [--ip-protocol
] [--ip-version
] [--is-mirroring-collector
] [--load-balancing-scheme
] [--network
] [--network-tier
] [--service-directory-registration
] [--service-label
] [--source-ip-ranges
,[…]] [--subnet
] [--subnet-region
] [--target-instance-zone
] [--target-pool-region
] [--target-service-attachment-region
] [--target-vpn-gateway-region
] [--address-region
] [--backend-service-region
] [--global
] [--global-target-http-proxy
] [--global-target-https-proxy
] [--global-target-tcp-proxy
] [--port-range
] |--ports
gcloud compute forwarding-rules create
is used to create a forwarding rule. A forwarding rule directs traffic that matches a destination IP address (and possibly a TCP or UDP port) to a forwarding target (load balancer, VPN gateway or VM instance).Forwarding rules can be either global or regional, specified with the
flags. For more information about the scope of a forwarding rule, refer to https://cloud.google.com/load-balancing/docs/forwarding-rule-concepts.--region=REGION
Forwarding rules can be external, internal, internal managed, or internal self-managed, specified with the
flag. External forwarding rules are accessible from the internet, while internal forwarding rules are only accessible from within their VPC networks. You can specify a reserved static external or internal IP address with the--load-balancing-scheme=[EXTERNAL|EXTERNAL_MANAGED|INTERNAL|INTERNAL_MANAGED|INTERNAL_SELF_MANAGED]
flag for the forwarding rule. Otherwise, if the flag is unspecified, an ephemeral IP address is automatically assigned (global IP addresses for global forwarding rules and regional IP addresses for regional forwarding rules); an internal forwarding rule is automatically assigned an ephemeral internal IP address from the subnet specified with the--address=ADDRESS
flag. You must provide an IP address for an internal self-managed forwarding rule.--subnet
Different types of load balancers work at different layers of the OSI networking model (http://en.wikipedia.org/wiki/Network_layer). Layer 3/4 targets include target pools, target SSL proxies, target TCP proxies, and backend services. Layer 7 targets include target HTTP proxies and target HTTPS proxies. For more information, refer to https://cloud.google.com/load-balancing/docs/forwarding-rule-concepts. When creating a forwarding rule, exactly one of
must be specified.--target-google-apis-bundle
To create a global forwarding rule that will forward all traffic on port 8080
for IP address ADDRESS to a target http proxy PROXY, run:
gcloud compute forwarding-rules create RULE_NAME --global --target-http-proxy=PROXY --ports=8080 --address=ADDRESS
To create a regional forwarding rule for the subnet SUBNET_NAME on the default network that will forward all traffic on ports 80-82 to a backend service SERVICE_NAME, run:
gcloud compute forwarding-rules create RULE_NAME --load-balancing-scheme=INTERNAL --backend-service=SERVICE_NAME --subnet=SUBNET_NAME --network=default --region=REGION --ports=80-82
- Name of the forwarding rule to create.
Exactly one of these must be specified:
- Target backend service that receives the traffic.
- Target bundle of Google APIs that will receive forwarded traffic via Private Service Connect. Acceptable values are all-apis, meaning all Google APIs, or vpc-sc, meaning just the APIs that support VPC Service Controls
- Target gRPC proxy that receives the traffic.
- Target HTTP proxy that receives the traffic. For the acceptable ports, see Port specifications.
- Target HTTPS proxy that receives the traffic. For the acceptable ports, see Port specifications.
Name of the target instance that receives the traffic. The target instance must
be in a zone in the forwarding rule's region. Global forwarding rules cannot
direct traffic to target instances. If not specified and the
property isn't set, you might be prompted to select a zone (interactive mode only).compute/zone
To avoid prompting when this flag is omitted, you can set the
gcloud config set compute/zone ZONE
A list of zones can be fetched by running:
gcloud compute zones list
To unset the property, run:
gcloud config unset compute/zone
Alternatively, the zone can be stored in the environment variable
- Target pool that receives the traffic. The target pool must be in the same region as the forwarding rule. Global forwarding rules cannot direct traffic to target pools.
- Target service attachment that receives the traffic. The target service attachment must be in the same region as the forwarding rule.
- Target SSL proxy that receives the traffic. For the acceptable ports, see Port specifications.
- Target TCP proxy that receives the traffic. For the acceptable ports, see Port specifications.
- Target VPN gateway (Cloud VPN Classic gateway) that receives forwarded traffic. Acceptable values for --ports flag are: 500, 4500.
Exactly one of these must be specified:
The IP address that the forwarding rule serves. When a client sends traffic to
this IP address, the forwarding rule directs the traffic to the target that you
specify in the forwarding rule.
If you don't specify a reserved IP address, an ephemeral IP address is assigned. You can specify the IP address as a literal IP address or as a reference to an existing Address resource. The following examples are all valid:
- 2600:1901::/96
- https://compute.googleapis.com/compute/v1/projects/project-1/regions/us-central1/addresses/address-1
- projects/project-1/regions/us-central1/addresses/address-1
- regions/us-central1/addresses/address-1
- global/addresses/address-1
- address-1
The load-balancing-scheme (EXTERNAL, EXTERNAL_MANAGED, INTERNAL, INTERNAL_SELF_MANAGED, INTERNAL_MANAGED) and the target of the forwarding rule determine the type of IP address that you can use. The address type must be external for load-balancing-scheme EXTERNAL or EXTERNAL_MANAGED. For other load-balancing-schemes, the address type must be internal. For detailed information, refer to https://cloud.google.com/load-balancing/docs/forwarding-rule-concepts#ip_address_specifications.
- If True, then clients from all regions can access this internal forwarding rule. This can only be specified for forwarding rules with the LOAD_BALANCING_SCHEME set to INTERNAL or INTERNAL_MANAGED. For forwarding rules of type INTERNAL, the target must be either a backend service or a target instance.
- If specified, clients from all regions can access this Private Service Connect forwarding rule. This can only be specified if the forwarding rule's target is a service attachment (--target-service-attachment).
- Optional textual description for the forwarding rule.
If specified, then a DNS zone will not be auto-generated for this Private
Service Connect forwarding rule. This can only be specified if the forwarding
rule's target is a service attachment
) or Google APIs bundle (--target-google-apis-bundle=API_BUNDLE
) --ip-collection
- Resource reference to a public delegated prefix. The PublicDelegatedPrefix (PDP) must be a sub-prefix in EXTERNAL_IPV6_FORWARDING_RULE_CREATION mode.
Region of the public delegated prefix to operate on. If not specified, the
region is set to the region of the forwarding rule. Overrides the default
property value for this command invocation. --ip-protocol
IP protocol that the rule will serve. The default is
.Note that if the load-balancing scheme is
, the protocol must be one of:TCP
.For a load-balancing scheme that is
, all IP_PROTOCOL options are valid.IP_PROTOCOL
must be one of:AH
. --ip-version
Version of the IP address to be allocated or assigned. The default is IPv4.
must be one of:IPV4
. --is-mirroring-collector
- If set, this forwarding rule can be used as a collector for packet mirroring. This can only be specified for forwarding rules with the LOAD_BALANCING_SCHEME set to INTERNAL.
This defines the forwarding rule's load balancing scheme. Note that it defaults
to EXTERNAL and is not applicable for Private Service Connect forwarding rules.
must be one of:EXTERNAL
- Classic Application Load Balancers, global external proxy Network Load Balancers, external passthrough Network Load Balancers or protocol forwarding, used with one of --target-http-proxy, --target-https-proxy, --target-tcp-proxy, --target-ssl-proxy, --target-pool, --target-vpn-gateway, --target-instance.
- Global and regional external Application Load Balancers, and regional external proxy Network Load Balancers, used with --target-http-proxy, --target-https-proxy, --target-tcp-proxy.
- Internal passthrough Network Load Balancers or protocol forwarding, used with --backend-service.
- Internal Application Load Balancers and internal proxy Network Load Balancers, used with --target-http-proxy, --target-https-proxy, --target-tcp-proxy.
- Traffic Director, used with --target-http-proxy, --target-https-proxy, --target-grpc-proxy, --target-tcp-proxy.
- (Only for --load-balancing-scheme=INTERNAL or --load-balancing-scheme=INTERNAL_SELF_MANAGED or --load-balancing-scheme=EXTERNAL_MANAGED (regional) or --load-balancing-scheme=INTERNAL_MANAGED) Network that this forwarding rule applies to. If this field is not specified, the default network is used. In the absence of the default network, this field must be specified.
Network tier to assign to the forwarding rules.
must be one of:NETWORK_TIER
. The default value isPREMIUM
. --service-directory-registration
- The Service Directory service in which to register this forwarding rule as an endpoint. The Service Directory service must be in the same project and region as the forwarding rule you are creating.
(Only for Internal Load Balancing): https://cloud.google.com/load-balancing/docs/dns-names/
The DNS label to use as the prefix of the fully qualified domain name for this
forwarding rule. The full name will be internally generated and output as
dnsName. If this field is not specified, no DNS record will be generated and no
DNS name will be output. You cannot use the
flag if the forwarding rule references an internal IP address that has the--purpose=SHARED_LOADBALANCER_VIP
flag set. --source-ip-ranges
,[…]- List of comma-separated IP addresses or IP ranges. If set, this forwarding rule only forwards traffic when the packet's source IP address matches one of the IP ranges set here.
- (Only for --load-balancing-scheme=INTERNAL and --load-balancing-scheme=INTERNAL_MANAGED) Subnetwork that this forwarding rule applies to. If the network is auto mode, this flag is optional. If the network is custom mode, this flag is required.
Region of the subnetwork to operate on. If not specified, the region is set to
the region of the forwarding rule. Overrides the default
property value for this command invocation. --target-instance-zone
Zone of the target instance to operate on. Overrides the default
property value for this command invocation. --target-pool-region
Region of the target pool to operate on. If not specified, the region is set to
the region of the forwarding rule. Overrides the default
property value for this command invocation. --target-service-attachment-region
Region of the target service attachment to operate on. If not specified, you
might be prompted to select a region (interactive mode only).
To avoid prompting when this flag is omitted, you can set the
gcloud config set compute/region REGION
A list of regions can be fetched by running:
gcloud compute regions list
To unset the property, run:
gcloud config unset compute/region
Alternatively, the region can be stored in the environment variable
Region of the VPN gateway to operate on. If not specified, the region is set to
the region of the forwarding rule. Overrides the default
property value for this command invocation. -
At most one of these can be specified:
Region of the address to operate on. If not specified, you might be prompted to
select a region (interactive mode only).
To avoid prompting when this flag is omitted, you can set the
gcloud config set compute/region REGION
A list of regions can be fetched by running:
gcloud compute regions list
To unset the property, run:
gcloud config unset compute/region
Alternatively, the region can be stored in the environment variable
- If set, the address is global.
At most one of these can be specified:
Region of the backend service to operate on. If not specified, the region is set
to the region of the forwarding rule. Overrides the default
property value for this command invocation. --global-backend-service
- If set, the backend service is global.
At most one of these can be specified:
- If set, the forwarding rule is global.
Region of the forwarding rule to create. If not specified, you might be prompted
to select a region (interactive mode only).
To avoid prompting when this flag is omitted, you can set the
gcloud config set compute/region REGION
A list of regions can be fetched by running:
gcloud compute regions list
To unset the property, run:
gcloud config unset compute/region
Alternatively, the region can be stored in the environment variable
At most one of these can be specified:
- If set, the http proxy is global.
Region of the http proxy to operate on. If not specified, you might be prompted
to select a region (interactive mode only).
To avoid prompting when this flag is omitted, you can set the
gcloud config set compute/region REGION
A list of regions can be fetched by running:
gcloud compute regions list
To unset the property, run:
gcloud config unset compute/region
Alternatively, the region can be stored in the environment variable
At most one of these can be specified:
- If set, the https proxy is global.
Region of the https proxy to operate on. If not specified, you might be prompted
to select a region (interactive mode only).
To avoid prompting when this flag is omitted, you can set the
gcloud config set compute/region REGION
A list of regions can be fetched by running:
gcloud compute regions list
To unset the property, run:
gcloud config unset compute/region
Alternatively, the region can be stored in the environment variable
At most one of these can be specified:
- If set, the tcp proxy is global.
Region of the tcp proxy to operate on. If not specified, you might be prompted
to select a region (interactive mode only).
To avoid prompting when this flag is omitted, you can set the
gcloud config set compute/region REGION
A list of regions can be fetched by running:
gcloud compute regions list
To unset the property, run:
gcloud config unset compute/region
Alternatively, the region can be stored in the environment variable
At most one of these can be specified:
]- DEPRECATED, use --ports. If specified, only packets addressed to ports in the specified range are forwarded. For more information, refer to https://cloud.google.com/load-balancing/docs/forwarding-rule-concepts#port_specifications.
],[…]- List of comma-separated ports. The forwarding rule forwards packets with matching destination ports. Port specification requirements vary depending on the load-balancing scheme and target. For more information, refer to https://cloud.google.com/load-balancing/docs/forwarding-rule-concepts#port_specifications.
These flags are available to all commands:
$ gcloud help
for details. - NOTES
These variants are also available:
gcloud alpha compute forwarding-rules create
gcloud beta compute forwarding-rules create
gcloud compute forwarding-rules create
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-07-23 UTC.