Set up some variables first
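# Project that every command below targets, read from the active gcloud
# configuration. Assigned separately from `export` so that a failing gcloud
# call is not masked by export's own (always successful) exit status.
PROJECT_ID=$(gcloud config get-value project)
export PROJECT_ID
# An empty value would be handed straight to --project in the commands below.
# Warn here, and confirm the value is the project you intend to modify.
[ -n "$PROJECT_ID" ] || printf '%s\n' 'warning: PROJECT_ID is empty; run "gcloud config set project <your-project-id>" first' >&2

# Existing resources the load balancer is attached to.
export REGION=europe-west3 # must match the region of your MIG
export MIG_NAME=service-x-mig # or whatever you already have
export VPC_NAME=default # or whatever you already have
export VPC_SUBNET=default # or whatever you already have

# Names for the resources created or referenced by the commands below.
export CERTIFICATE_NAME=my-ssl-certificate
export PUBLIC_IP_NAME=service-x-proxy-ip
export HEALTH_CHECK_NAME=service-x-health-check
export PROXY_BACKEND_NAME=service-x-proxy-backend
export MIG_PROXY_MAP_NAME=service-x-proxy-map
export MIG_HTTPS_PROXY_NAME=service-x-https-proxy
export FORWARDING_RULE_NAME=service-x-forwarding-rule
export FIREWALL_RULE_NAME=service-x-glb-firewall-rule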
Create the health check and the backend service for the load balancer
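# Global HTTPS health check: the load balancer probes each backend on port 443
# at /healthz/ingress. The instances must answer on that path; adjust it to
# whatever path your service actually serves.
# Variables are quoted so an empty or unusual value cannot split into extra
# arguments.
gcloud compute health-checks create https "$HEALTH_CHECK_NAME" \
  --project "$PROJECT_ID" --port 443 --global \
  --request-path /healthz/ingress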
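# Create the global backend service that the load balancer forwards to.
# --protocol HTTPS keeps the hop from the load balancer to the instances
# encrypted.
# NOTE(review): as far as I know the load balancer does not validate the
# backend's certificate by default, so treat this hop as encrypted rather than
# authenticated -- confirm against the current Google Cloud documentation.
# --port-name https refers to a named port on the instance group; the MIG needs
# a named port called "https" (presumably mapped to 443). That step is not
# shown on this page.
# --timeout 302s sits just above the 300s connection-draining timeout.
gcloud compute backend-services create "$PROXY_BACKEND_NAME" \
  --project "$PROJECT_ID" \
  --protocol HTTPS \
  --health-checks "$HEALTH_CHECK_NAME" \
  --port-name https \
  --timeout 302s \
  --connection-draining-timeout 300s \
  --global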
Add the instance group to the backend service
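# Attach the regional MIG to the global backend service.
# Balancing is by instance utilization, with 0.8 as the maximum utilization
# target for this backend.
# REGION must be the region the MIG lives in, otherwise the group is not found.
gcloud compute backend-services add-backend "$PROXY_BACKEND_NAME" \
  --project "$PROJECT_ID" --instance-group "$MIG_NAME" \
  --instance-group-region "$REGION" \
  --balancing-mode UTILIZATION --max-utilization 0.8 --global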
Create the URL map
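# URL map with only a default service: every request that reaches the load
# balancer is routed to the backend service created above, because no host or
# path rules are defined here.
gcloud compute url-maps create "$MIG_PROXY_MAP_NAME" \
  --project "$PROJECT_ID" --default-service "$PROXY_BACKEND_NAME"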
Create the target proxy
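# Target HTTPS proxy: terminates client TLS with the named certificate and
# hands requests to the URL map.
# The certificate resource named by CERTIFICATE_NAME must already exist; no
# command on this page creates it.
# No --ssl-policy is passed, so Google Cloud's default SSL policy applies.
# Attach your own policy with --ssl-policy if you need to enforce a minimum TLS
# version or a restricted cipher profile.
gcloud compute target-https-proxies create "$MIG_HTTPS_PROXY_NAME" \
  --project "$PROJECT_ID" --url-map "$MIG_PROXY_MAP_NAME" \
  --ssl-certificates "$CERTIFICATE_NAME"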
Reserve an IP address for the load balancer
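# Reserve a static global IPv4 address, so the public endpoint stays the same
# if the forwarding rule is later recreated.
gcloud compute addresses create "$PUBLIC_IP_NAME" \
  --project "$PROJECT_ID" \
  --ip-version=IPV4 \
  --global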
(Optional) View the reserved IP address
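# Show the reserved address; this is the IP your DNS record should point at.
gcloud compute addresses describe "$PUBLIC_IP_NAME" \
  --project "$PROJECT_ID" --global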
Create the forwarding rule
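# Global forwarding rule: binds the reserved public IP to the HTTPS proxy.
# Only port 443 is exposed by this rule; nothing on this page listens on
# port 80.
gcloud compute forwarding-rules create "$FORWARDING_RULE_NAME" \
  --project "$PROJECT_ID" --address "$PUBLIC_IP_NAME" --global \
  --target-https-proxy "$MIG_HTTPS_PROXY_NAME" --ports 443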
Allow the load balancer to access the instance group
NOTE: The source ranges shown below are the default ranges used by Google Load Balancers
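# Ingress rule that lets the load balancer and its health checks reach the
# instances on TCP 443.
# --source-ranges is limited to Google's load-balancer / health-check ranges.
# Keep it that narrow: widening it (for example to 0.0.0.0/0) would let clients
# bypass the load balancer and hit the instances directly.
# --target-tags scopes the rule to instances carrying the network tag
# gke-service-x-proxy. Confirm the instances in your MIG have exactly that tag;
# if they do not, the rule matches nothing and health checks will fail.
gcloud compute firewall-rules create "$FIREWALL_RULE_NAME" \
  --description "Allow incoming from GLB on TCP port 443 to service-x Proxy" \
  --project "$PROJECT_ID" --network "$VPC_NAME" --allow=tcp:443 \
  --source-ranges=130.211.0.0/22,35.191.0.0/16 --target-tags=gke-service-x-proxy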