Google Compute Engine Global Forwarding Rule

google_compute_global_forwarding_rule (Terraform)

The Global Forwarding Rule in Compute Engine can be configured in Terraform with the resource name google_compute_global_forwarding_rule. The following sections describe 3 examples of how to use the resource and its parameters.

Example Usage from GitHub

BlockBucket/Esplora_Docker

resource "google_compute_global_forwarding_rule" "mainnet-electrs-tls" {
  name        = "explorer-forwarding-rule-mainnet-electrs-tls"
  target      = google_compute_target_ssl_proxy.mainnet-electrs-tls-proxy[0].self_link
  port_range  = "700"
  ip_protocol = "TCP"
  ip_address  = google_compute_global_address.client-lb[0].address

PoWx-Org/obtc-esplora

resource "google_compute_global_forwarding_rule" "mainnet-electrs-tls" {
  name        = "explorer-forwarding-rule-mainnet-electrs-tls"
  target      = google_compute_target_ssl_proxy.mainnet-electrs-tls-proxy[0].self_link
  port_range  = "700"
  ip_protocol = "TCP"
  ip_address  = google_compute_global_address.client-lb[0].address

Blockstream/esplora

resource "google_compute_global_forwarding_rule" "mainnet-electrs-tls" {
  name        = "explorer-forwarding-rule-mainnet-electrs-tls"
  target      = google_compute_target_ssl_proxy.mainnet-electrs-tls-proxy[0].self_link
  port_range  = "700"
  ip_protocol = "TCP"
  ip_address  = google_compute_global_address.client-lb[0].address

Parameters

• description optional - string

An optional description of this resource. Provide this property when you create the resource.

• id optional computed - string
• ip_address optional computed - string

The IP address that this forwarding rule serves. When a client sends traffic to this IP address, the forwarding rule directs the traffic to the target that you specify in the forwarding rule. The loadBalancingScheme and the forwarding rule's target determine the type of IP address that you can use. For detailed information, refer to IP address specifications. An address can be specified either by a literal IP address or a reference to an existing Address resource. If you don't specify a reserved IP address, an ephemeral IP address is assigned. The value must be set to 0.0.0.0 when the target is a targetGrpcProxy that has validateForProxyless field set to true. For Private Service Connect forwarding rules that forward traffic to Google APIs, IP address must be provided.

• ip_protocol optional computed - string

The IP protocol to which this rule applies. When the load balancing scheme is INTERNAL_SELF_MANAGED, only TCP is valid. This field must not be set if the global address is configured as a purpose of PRIVATE_SERVICE_CONNECT and addressType of INTERNAL Possible values: ["TCP", "UDP", "ESP", "AH", "SCTP", "ICMP"]

• ip_version optional - string

The IP Version that will be used by this global forwarding rule. Possible values: ["IPV4", "IPV6"]

• load_balancing_scheme optional - string

This signifies what the GlobalForwardingRule will be used for. The value of INTERNAL_SELF_MANAGED means that this will be used for Internal Global HTTP(S) LB. The value of EXTERNAL means that this will be used for External Global Load Balancing (HTTP(S) LB, External TCP/UDP LB, SSL Proxy) (Beta only) Note: This field must be set "" if the global address is configured as a purpose of PRIVATE_SERVICE_CONNECT and addressType of INTERNAL. Default value: "EXTERNAL" Possible values: ["EXTERNAL", "INTERNAL_SELF_MANAGED"]

• name required - string

Name of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression 'a-z?' which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.

• port_range optional - string

This field is used along with the target field for TargetHttpProxy, TargetHttpsProxy, TargetSslProxy, TargetTcpProxy, TargetVpnGateway, TargetPool, TargetInstance. Applicable only when IPProtocol is TCP, UDP, or SCTP, only packets addressed to ports in the specified range will be forwarded to target. Forwarding rules with the same [IPAddress, IPProtocol] pair must have disjoint port ranges. Some types of forwarding target have constraints on the acceptable ports: TargetHttpProxy: 80, 8080 TargetHttpsProxy: 443 TargetTcpProxy: 25, 43, 110, 143, 195, 443, 465, 587, 700, 993, 995, 1883, 5222 TargetSslProxy: 25, 43, 110, 143, 195, 443, 465, 587, 700, 993, 995, 1883, 5222 * TargetVpnGateway: 500, 4500

• project optional computed - string
• self_link optional computed - string
• target required - string

The URL of the target resource to receive the matched traffic. The forwarded traffic must be of a type appropriate to the target object. For INTERNAL_SELF_MANAGED load balancing, only HTTP and HTTPS targets are valid. (Beta only) For global address with a purpose of PRIVATE_SERVICE_CONNECT and addressType of INTERNAL, only "all-apis" and "vpc-sc" are valid.

• metadata_filters list block
  • filter_match_criteria required - string

  Specifies how individual filterLabel matches within the list of filterLabels contribute towards the overall metadataFilter match. MATCH_ANY - At least one of the filterLabels must have a matching label in the provided metadata. MATCH_ALL - All filterLabels must have matching labels in the provided metadata. Possible values: ["MATCH_ANY", "MATCH_ALL"]

  • filter_labels list block
    • name required - string

    Name of the metadata label. The length must be between 1 and 1024 characters, inclusive.

    • value required - string

    The value that the label must match. The value has a maximum length of 1024 characters.

• timeouts single block
  • create optional - string
  • delete optional - string
  • update optional - string

Explanation in Terraform Registry

Represents a GlobalForwardingRule resource. Global forwarding rules are used to forward traffic to the correct load balancer for HTTP load balancing. Global forwarding rules can only be used for HTTP load balancing. For more information, see https://cloud.google.com/compute/docs/load-balancing/http/

Tips: Best Practices for The Other Google Compute Engine Resources

In addition to the google_compute_disk, Google Compute Engine has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

google_compute_disk

Ensure the encryption key for your GCE disk is stored securely

It is better to store the encryption key for your GCE disk securely. Secret Manager could be used instead.

google_compute_firewall

Ensure your VPC firewall blocks unwanted outbound traffic

It is better to block unwanted outbound traffic not to expose resources in the VPC to unwanted attacks.

google_compute_instance

Ensure appropriate service account is assigned to your GCE instance

It is better to create a custom service account for the instance and assign it.

google_compute_project_metadata

Ensure OS login for your GCE instances is enabled at project level

It is better to enable OS login for your GCE instances. Enabling OS login ensures that SSH keys used to connect to instances are mapped with IAM users, allowing centralized and automated SSH key management.

google_compute_ssl_policy

Ensure to use modern TLS protocols

It's better to adopt TLS v1.2+ instead of outdated TLS protocols.

google_compute_subnetwork

Ensure VPC flow logging is enabled

It is better to enable VPC flow logging. VPC flow logging allows us to audit traffic in your network.