Load Balancing

  1. Respect "X-Forwarded-Proto" header from Cloud Flare / other frontends

    Cloud Flare correctly sets the "X-Forwarded-Proto" to "https" when using their "flexible" option (https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Cloudflare-handle-HTTP-Request-headers-) - this is the same as if we used the GCP load balancer directly to handle HTTPS and proxy via HTTP to our backends.

    I need my backend services, which listen on HTTP, to understand that the request came from a client using HTTPS - but Google Cloud load balancer is overwriting the X-Forward-Proto header to "http", even though the client is actually using HTTPS from our Cloud Flare frontend.

    This is the whole point of the "X-Forwarded-Proto" header, so I'm not sure why…

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  2. Load balancer fault is not informative

    Load balancer has a heartbeat mechanism to moniter the linked instances. In some cases the LB marks an instance as unhealthy but does not provide the reason for marking it as unhealthy. from instance perspective the HB is fine, since port mirroring is not available there is no clue why the LB marks an instance as unhealthy.

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  3. Cloud CDN and Security Policies

    According to the documentation "If you try to associate a Cloud Armor Security Policy for a backend service and Cloud CDN is enabled, the config will be rejected."
    This is a confusing restriction. If I need to block some unwanted traffic from a load balancer, I first need to disable CDN. But disabling CDN is not possible because that would completely overwhelm the backend services with traffic is expected to be served by the CDN. Especially during an attack, this would be extremely inconvenient.
    Why is this restriction in place? It would make more sense to remove it if possible.

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  4. Cloud armor Security Policy Redirect

    Cloud Armor - Security Policy Rules

    It would be very useful to be able to have more informative error messages to end users in case they are inadvertently restricted by a security policy.

    Currently the only available options are to return 403, 404 or 502, with no possible extra message.

    A simple solution to remedy this case would be to add an option redirect traffic to another URL. So adding an option to return a HTTP 307 (Temporary Redirect) code with a possiblilty to define an URL would be great.

    That way end users could be served a more informative…

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  5. Cloud Armor support for TCP load balancers

    Supporting at least a subset of Cloud Armor policies (e.g. Geo-based Access Control) for TCP load balancers would enable, for example, efficient use of Cloud Armor for nginx-ingress on GKE. Thanks!

    12 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  6. Only one loadbalancer for http traffic and https traffic independently to the same backend

    I would like to create one HTTP(S) loadbalancer with one backend (instance group) with port 80 behing forward to port 80 on the backend and port 443 behing forward to port 443 on the backend.

    At the moment we have to create 2 seperate loadbalancers with the same external IP to achieve this.

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  7. Only one loadbalancer for http traffic and https traffic independently to the same backend

    I would like to create one HTTP(S) loadbalancer with one backend (instance group) with port 80 behing forward to port 80 on the backend and port 443 behing forward to port 443 on the backend.

    At the moment we have to create 2 seperate loadbalancers with the same external IP to achieve this.

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  8. Allow multiple health checks on an ILB

    An ILB can provide load balancing on multiple TCP ports. But, when you associate a health check to ILB, you can create only 1 health check on only 1 TCP port. If backend servers are listening on multiple TCP ports, it adds value to provide health check for all those ports

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  9. Load balancer rewrite support

    Please support an apache [1] like mod_rewrite on load balancers.

    For example:
    RewriteRule "^puppy.html" "smalldog.html" [NC]

    1: https://httpd.apache.org/docs/2.4/rewrite/intro.html

    32 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  10. 12 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  11. Set load balancer timeout in k8s deplyment spec

    instead of manually running
    gcloud compute backend-services update --global ${BACKEND_NAME} --timeout=${TIMEOUT}

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  12. Your Geo-IP data is not accurate.

    Hi Google Cloud, regarding your load balance geo-ip feature(https://cloud.google.com/compute/docs/load-balancing/http/backend-service#user-defined-request-headers …), we found it's not accurate and we would like to share our findings, may I have a contact (email)so I can send our findings?

    2 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  13. Add support for App Engine backend

    It is not possible to select App Engine as a backend in the load balancer that means there is no easy way to provide cross-region failover.
    That basically forces you to use Compute Engine instances instead.

    22 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  14. Enable GCLB gzip compression

    Right now, GCLB supports gzip compression only if the backend request comes already compressed. It would be great if GCLB could compress non-compressed backend responses too

    40 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  15. Internal Load Balancer support UDP session affinity

    Internal load balancer doesn't support session affinity when using UDP.
    But Load Balancer does.

    2 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  16. 44 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Flag idea as inappropriate…  ·  Admin →
  17. enable the internal load balancer to use an instance group without an external IP

    if you create an instance group without an external ip when you create an internal load balancer, it creates a health check. Health check uses in external ip address for verification.

    oops. the instances do not have an external IP address.

    Health check should be installed on the load balancer and use the internal IP address of the backend services.

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  18. TCP Proxy Load Balancing support he following ports: 25, 43, 110, 143, 195, 443, 465, 587, 700, 993, 995, 1024-65535

    In https://cloud.google.com/compute/docs/load-balancing/tcp-ssl/tcp-proxy

    TCP Proxy Load Balancing advantages:

    Intelligent routing — the load balancer can route requests to backend locations where there is capacity. In contrast, an L3/L4 load balancer must route to regional backends without paying attention to capacity. Use of smarter routing allows provisioning at N+1 or N+2 instead of x*N.
    Security patching — If vulnerabilities arise in the TCP stack, we will apply patches at the load balancer automatically in order to keep your instances safe.
    TCP Proxy Load Balancing supports the following ports: 25, 43, 110, 143, 195, 443, 465, 587, 700, 993, 995, 1883, 5222

    Now…

    9 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Flag idea as inappropriate…  ·  Admin →
  19. Ingress filter for HTTP(S) Load Balancing

    It would be great if we could filter what kind of traffic is allowed to the Load Balancer.
    Ie. To be able to allow/deny incoming requests by their Host and Path.
    I see too much of these "hacking attempts" in our request logs, requests that just connect with the IP address and try to access paths suchs as /phpmyadmin, /wp-admin, etc.
    It would be much more beneficial to be able to filter these kind of requests in the LB layer than in the application layer.

    5 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  20. Allow RSA and ECC certs per frontend

    It would be great if the load balancer supported both RSA and ECC certs for the same frontend.

    In our experience supporting ECC improves both connection startup time for the client and CPU usage on the server.

    4 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1
  • Don't see your idea?

Load Balancing

Categories

Feedback and Knowledge Base