Google Compute Engine Forwarding Rule

google_compute_forwarding_rule (Terraform)

The Forwarding Rule in Compute Engine can be configured in Terraform with the resource name google_compute_forwarding_rule. The following sections describe 2 examples of how to use the resource and its parameters.

Example Usage from GitHub

dpreno-mcgill/cloudfun-lab

resource "google_compute_forwarding_rule" "proja_fr_esp" {
  provider    = google.proja
  name        = "fr-esp"
  ip_protocol = "ESP"
  ip_address  = google_compute_address.vpc-a-gw-staticip.address
  target      = google_compute_vpn_gateway.vpc-a-vpn-gateway.id

chavo1/terraform_enterprise

resource "google_compute_forwarding_rule" "http" {
  name       = "http-forwarding-rule"
  target     = google_compute_target_pool.default.id
  port_range = "80"
  ip_address = google_compute_address.static.address
}

Parameters

• all_ports optional - bool

For internal TCP/UDP load balancing (i.e. load balancing scheme is INTERNAL and protocol is TCP/UDP), set this to true to allow packets addressed to any ports to be forwarded to the backends configured with this forwarding rule. Used with backend service. Cannot be set if port or portRange are set.

• allow_global_access optional - bool

If true, clients can access ILB from all regions. Otherwise only allows from the local region the ILB is located at.

• backend_service optional - string

A BackendService to receive the matched traffic. This is used only for INTERNAL load balancing.

• creation_timestamp optional computed - string

Creation timestamp in RFC3339 text format.

• description optional - string

An optional description of this resource. Provide this property when you create the resource.

• id optional computed - string
• ip_address optional computed - string

The IP address that this forwarding rule serves. When a client sends traffic to this IP address, the forwarding rule directs the traffic to the target that you specify in the forwarding rule. The loadBalancingScheme and the forwarding rule's target determine the type of IP address that you can use. For detailed information, refer to IP address specifications. An address can be specified either by a literal IP address or a reference to an existing Address resource. If you don't specify a reserved IP address, an ephemeral IP address is assigned. The value must be set to 0.0.0.0 when the target is a targetGrpcProxy that has validateForProxyless field set to true. For Private Service Connect forwarding rules that forward traffic to Google APIs, IP address must be provided.

• ip_protocol optional computed - string

The IP protocol to which this rule applies. When the load balancing scheme is INTERNAL, only TCP and UDP are valid. Possible values: ["TCP", "UDP", "ESP", "AH", "SCTP", "ICMP"]

• is_mirroring_collector optional - bool

Indicates whether or not this load balancer can be used as a collector for packet mirroring. To prevent mirroring loops, instances behind this load balancer will not have their traffic mirrored even if a PacketMirroring rule applies to them. This can only be set to true for load balancers that have their loadBalancingScheme set to INTERNAL.

• load_balancing_scheme optional - string

This signifies what the ForwardingRule will be used for and can be EXTERNAL, INTERNAL, or INTERNAL_MANAGED. EXTERNAL is used for Classic Cloud VPN gateways, protocol forwarding to VMs from an external IP address, and HTTP(S), SSL Proxy, TCP Proxy, and Network TCP/UDP load balancers. INTERNAL is used for protocol forwarding to VMs from an internal IP address, and internal TCP/UDP load balancers. INTERNAL_MANAGED is used for internal HTTP(S) load balancers. Default value: "EXTERNAL" Possible values: ["EXTERNAL", "INTERNAL", "INTERNAL_MANAGED"]

• name required - string

Name of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression 'a-z?' which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.

• network optional computed - string

For internal load balancing, this field identifies the network that the load balanced IP should belong to for this Forwarding Rule. If this field is not specified, the default network will be used. This field is only used for INTERNAL load balancing.

• network_tier optional computed - string

The networking tier used for configuring this address. If this field is not specified, it is assumed to be PREMIUM. Possible values: ["PREMIUM", "STANDARD"]

• port_range optional - string

This field is used along with the target field for TargetHttpProxy, TargetHttpsProxy, TargetSslProxy, TargetTcpProxy, TargetVpnGateway, TargetPool, TargetInstance. Applicable only when IPProtocol is TCP, UDP, or SCTP, only packets addressed to ports in the specified range will be forwarded to target. Forwarding rules with the same [IPAddress, IPProtocol] pair must have disjoint port ranges. Some types of forwarding target have constraints on the acceptable ports: TargetHttpProxy: 80, 8080 TargetHttpsProxy: 443 TargetTcpProxy: 25, 43, 110, 143, 195, 443, 465, 587, 700, 993, 995, 1883, 5222 TargetSslProxy: 25, 43, 110, 143, 195, 443, 465, 587, 700, 993, 995, 1883, 5222 * TargetVpnGateway: 500, 4500

• ports optional - set of string

This field is used along with the backend_service field for internal load balancing. When the load balancing scheme is INTERNAL, a single port or a comma separated list of ports can be configured. Only packets addressed to these ports will be forwarded to the backends configured with this forwarding rule. You may specify a maximum of up to 5 ports.

• project optional computed - string
• region optional computed - string

A reference to the region where the regional forwarding rule resides. This field is not applicable to global forwarding rules.

• self_link optional computed - string
• service_label optional - string

An optional prefix to the service name for this Forwarding Rule. If specified, will be the first label of the fully qualified service name. The label must be 1-63 characters long, and comply with RFC1035. Specifically, the label must be 1-63 characters long and match the regular expression 'a-z?' which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. This field is only used for INTERNAL load balancing.

• service_name optional computed - string

The internal fully qualified service name for this Forwarding Rule. This field is only used for INTERNAL load balancing.

• subnetwork optional computed - string

The subnetwork that the load balanced IP should belong to for this Forwarding Rule. This field is only used for INTERNAL load balancing. If the network specified is in auto subnet mode, this field is optional. However, if the network is in custom subnet mode, a subnetwork must be specified.

• target optional - string

The URL of the target resource to receive the matched traffic. The target must live in the same region as the forwarding rule. The forwarded traffic must be of a type appropriate to the target object.

• timeouts single block
  • create optional - string
  • delete optional - string
  • update optional - string

Explanation in Terraform Registry

A ForwardingRule resource. A ForwardingRule resource specifies which pool of target virtual machines to forward a packet to if it matches the given [IPAddress, IPProtocol, portRange] tuple. To get more information about ForwardingRule, see:

• API documentation
• How-to Guides
  • Official Documentation

Tips: Best Practices for The Other Google Compute Engine Resources

In addition to the google_compute_disk, Google Compute Engine has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

google_compute_disk

Ensure the encryption key for your GCE disk is stored securely

It is better to store the encryption key for your GCE disk securely. Secret Manager could be used instead.

google_compute_firewall

Ensure your VPC firewall blocks unwanted outbound traffic

It is better to block unwanted outbound traffic not to expose resources in the VPC to unwanted attacks.

google_compute_instance

Ensure appropriate service account is assigned to your GCE instance

It is better to create a custom service account for the instance and assign it.

google_compute_project_metadata

Ensure OS login for your GCE instances is enabled at project level

It is better to enable OS login for your GCE instances. Enabling OS login ensures that SSH keys used to connect to instances are mapped with IAM users, allowing centralized and automated SSH key management.

google_compute_ssl_policy

Ensure to use modern TLS protocols

It's better to adopt TLS v1.2+ instead of outdated TLS protocols.

google_compute_subnetwork

Ensure VPC flow logging is enabled

It is better to enable VPC flow logging. VPC flow logging allows us to audit traffic in your network.