Google Compute Engine Region Health Check

This page shows how to write Terraform for a Compute Engine Region Health Check and how to configure it securely.

google_compute_region_health_check (Terraform)

The Region Health Check in Compute Engine can be configured in Terraform with the resource name google_compute_region_health_check. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

main.tf#L1
resource "google_compute_region_health_check" "automl_health_check" {
  provider = google-beta

  project = var.project_id
  region  = var.region
  name    = var.automl_health_check
  # (remaining attributes are cut off in the source snippet)
}

External-lb.tf#L18
resource "google_compute_region_health_check" "hc" {
  provider    = google
  name        = "http-health-check"
  description = "Health check via http"
  region      = "us-central1"
  timeout_sec = 1
  # (remaining attributes are cut off in the source snippet)
}

main.tf#L1
resource "google_compute_region_health_check" "automl_health_check" {
  provider = google-beta

  project = var.project_id
  region  = var.region
  name    = var.automl_health_check
  # (remaining attributes are cut off in the source snippet)
}

main.tf#L2
resource "google_compute_region_health_check" "default" {
  name   = var.rhc_name   // "l7-ilb-hc"
  region = var.rhc_region // "europe-west1"
  http_health_check {
    port_specification = var.rhc_port_speci // "USE_SERVING_PORT"
  }
}

04-loadbalancer.tf#L18
resource "google_compute_region_health_check" "hc" {
  provider           = google
  name               = "check-website-backend"
  check_interval_sec = 1
  timeout_sec        = 1
  region             = var.region
  # (remaining attributes are cut off in the source snippet)
}

Review your Terraform file for Google best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

  • check_interval_sec optional - number

How often (in seconds) to send a health check. The default value is 5 seconds.

  • creation_timestamp computed - string

Creation timestamp in RFC3339 text format.

  • description optional - string

An optional description of this resource. Provide this property when you create the resource.

  • healthy_threshold optional - number

A so-far unhealthy instance will be marked healthy after this many consecutive successes. The default value is 2.

  • id optional computed - string
  • name required - string

Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression '[a-z]([-a-z0-9]*[a-z0-9])?', which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.

  • region optional computed - string

The Region in which the created health check should reside. If it is not provided, the provider region is used.

  • timeout_sec optional - number

How long (in seconds) to wait before claiming failure. The default value is 5 seconds. It is invalid for timeoutSec to have a greater value than checkIntervalSec.

  • type optional computed - string

The type of the health check. One of HTTP, HTTP2, HTTPS, TCP, or SSL.

  • unhealthy_threshold optional - number

A so-far healthy instance will be marked unhealthy after this many consecutive failures. The default value is 2.

  • grpc_health_check list block

    • grpc_service_name optional - string

    The gRPC service name for the health check. The value of grpcServiceName has the following meanings by convention: an empty serviceName means the overall status of all services at the backend; a non-empty serviceName means the health of that gRPC service, as defined by the owner of the service. The grpcServiceName can only be ASCII.

    • port optional - number

    The port number for the health check request. Must be specified if portName and portSpecification are not set or if port_specification is USE_FIXED_PORT. Valid values are 1 through 65535.

    • port_name optional - string

    Port name as defined in InstanceGroup#NamedPort#name. If both port and port_name are defined, port takes precedence.

    • port_specification optional - string

    Specifies how the port is selected for health checking. Can be one of the following values: 'USE_FIXED_PORT': the port number in 'port' is used for health checking. 'USE_NAMED_PORT': the 'portName' is used for health checking. 'USE_SERVING_PORT': for a NetworkEndpointGroup, the port specified for each network endpoint is used for health checking; for other backends, the port or named port specified in the Backend Service is used for health checking. If not specified, the gRPC health check follows the behavior specified in the 'port' and 'portName' fields. Possible values: ["USE_FIXED_PORT", "USE_NAMED_PORT", "USE_SERVING_PORT"]

  • http2_health_check list block

    • host optional - string

    The value of the host header in the HTTP2 health check request. If left empty (default value), the public IP on behalf of which this health check is performed will be used.

    • port optional - number

    The TCP port number for the HTTP2 health check request. The default value is 443.

    • port_name optional - string

    Port name as defined in InstanceGroup#NamedPort#name. If both port and port_name are defined, port takes precedence.

    • port_specification optional - string

    Specifies how the port is selected for health checking. Can be one of the following values: 'USE_FIXED_PORT': the port number in 'port' is used for health checking. 'USE_NAMED_PORT': the 'portName' is used for health checking. 'USE_SERVING_PORT': for a NetworkEndpointGroup, the port specified for each network endpoint is used for health checking; for other backends, the port or named port specified in the Backend Service is used for health checking. If not specified, the HTTP2 health check follows the behavior specified in the 'port' and 'portName' fields. Possible values: ["USE_FIXED_PORT", "USE_NAMED_PORT", "USE_SERVING_PORT"]

    • proxy_header optional - string

    Specifies the type of proxy header to append before sending data to the backend. Default value: "NONE". Possible values: ["NONE", "PROXY_V1"]

    • request_path optional - string

    The request path of the HTTP2 health check request. The default value is /.

    • response optional - string

    The bytes to match against the beginning of the response data. If left empty (the default value), any response will indicate health. The response data can only be ASCII.

  • http_health_check list block

    • host optional - string

    The value of the host header in the HTTP health check request. If left empty (default value), the public IP on behalf of which this health check is performed will be used.

    • port optional - number

    The TCP port number for the HTTP health check request. The default value is 80.

    • port_name optional - string

    Port name as defined in InstanceGroup#NamedPort#name. If both port and port_name are defined, port takes precedence.

    • port_specification optional - string

    Specifies how the port is selected for health checking. Can be one of the following values: 'USE_FIXED_PORT': the port number in 'port' is used for health checking. 'USE_NAMED_PORT': the 'portName' is used for health checking. 'USE_SERVING_PORT': for a NetworkEndpointGroup, the port specified for each network endpoint is used for health checking; for other backends, the port or named port specified in the Backend Service is used for health checking. If not specified, the HTTP health check follows the behavior specified in the 'port' and 'portName' fields. Possible values: ["USE_FIXED_PORT", "USE_NAMED_PORT", "USE_SERVING_PORT"]

    • proxy_header optional - string

    Specifies the type of proxy header to append before sending data to the backend. Default value: "NONE". Possible values: ["NONE", "PROXY_V1"]

    • request_path optional - string

    The request path of the HTTP health check request. The default value is /.

    • response optional - string

    The bytes to match against the beginning of the response data. If left empty (the default value), any response will indicate health. The response data can only be ASCII.

  • https_health_check list block

    • host optional - string

    The value of the host header in the HTTPS health check request. If left empty (default value), the public IP on behalf of which this health check is performed will be used.

    • port optional - number

    The TCP port number for the HTTPS health check request. The default value is 443.

    • port_name optional - string

    Port name as defined in InstanceGroup#NamedPort#name. If both port and port_name are defined, port takes precedence.

    • port_specification optional - string

    Specifies how the port is selected for health checking. Can be one of the following values: 'USE_FIXED_PORT': the port number in 'port' is used for health checking. 'USE_NAMED_PORT': the 'portName' is used for health checking. 'USE_SERVING_PORT': for a NetworkEndpointGroup, the port specified for each network endpoint is used for health checking; for other backends, the port or named port specified in the Backend Service is used for health checking. If not specified, the HTTPS health check follows the behavior specified in the 'port' and 'portName' fields. Possible values: ["USE_FIXED_PORT", "USE_NAMED_PORT", "USE_SERVING_PORT"]

    • proxy_header optional - string

    Specifies the type of proxy header to append before sending data to the backend. Default value: "NONE". Possible values: ["NONE", "PROXY_V1"]

    • request_path optional - string

    The request path of the HTTPS health check request. The default value is /.

    • response optional - string

    The bytes to match against the beginning of the response data. If left empty (the default value), any response will indicate health. The response data can only be ASCII.

  • ssl_health_check list block

    • port optional - number

    The TCP port number for the SSL health check request. The default value is 443.

    • port_name optional - string

    Port name as defined in InstanceGroup#NamedPort#name. If both port and port_name are defined, port takes precedence.

    • port_specification optional - string

    Specifies how the port is selected for health checking. Can be one of the following values: 'USE_FIXED_PORT': the port number in 'port' is used for health checking. 'USE_NAMED_PORT': the 'portName' is used for health checking. 'USE_SERVING_PORT': for a NetworkEndpointGroup, the port specified for each network endpoint is used for health checking; for other backends, the port or named port specified in the Backend Service is used for health checking. If not specified, the SSL health check follows the behavior specified in the 'port' and 'portName' fields. Possible values: ["USE_FIXED_PORT", "USE_NAMED_PORT", "USE_SERVING_PORT"]

    • proxy_header optional - string

    Specifies the type of proxy header to append before sending data to the backend. Default value: "NONE". Possible values: ["NONE", "PROXY_V1"]

    • request optional - string

    The application data to send once the SSL connection has been established (default value is empty). If both request and response are empty, the connection establishment alone will indicate health. The request data can only be ASCII.

    • response optional - string

    The bytes to match against the beginning of the response data. If left empty (the default value), any response will indicate health. The response data can only be ASCII.

  • tcp_health_check list block

    • port optional - number

    The TCP port number for the TCP health check request. The default value is 80.

    • port_name optional - string

    Port name as defined in InstanceGroup#NamedPort#name. If both port and port_name are defined, port takes precedence.

    • port_specification optional - string

    Specifies how the port is selected for health checking. Can be one of the following values: 'USE_FIXED_PORT': the port number in 'port' is used for health checking. 'USE_NAMED_PORT': the 'portName' is used for health checking. 'USE_SERVING_PORT': for a NetworkEndpointGroup, the port specified for each network endpoint is used for health checking; for other backends, the port or named port specified in the Backend Service is used for health checking. If not specified, the TCP health check follows the behavior specified in the 'port' and 'portName' fields. Possible values: ["USE_FIXED_PORT", "USE_NAMED_PORT", "USE_SERVING_PORT"]

    • proxy_header optional - string

    Specifies the type of proxy header to append before sending data to the backend. Default value: "NONE". Possible values: ["NONE", "PROXY_V1"]

    • request optional - string

    The application data to send once the TCP connection has been established (default value is empty). If both request and response are empty, the connection establishment alone will indicate health. The request data can only be ASCII.

    • response optional - string

    The bytes to match against the beginning of the response data. If left empty (the default value), any response will indicate health. The response data can only be ASCII.

  • timeouts single block
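A complete configuration that exercises the parameters documented above, added here as an example; it is not code from this page or from any of the repositories it cites. The project and region variables, the resource and health check names, the backend hostname, the port numbers and the PING/PONG exchange are assumptions chosen for illustration.

```hcl
# Added example (not from the page or the cited repositories). Names,
# variables, hostname, ports and the request/response strings are assumed.

variable "project_id" { type = string }
variable "region" {
  type    = string
  default = "us-central1"
}

# HTTPS health check on a fixed port with response-prefix matching.
resource "google_compute_region_health_check" "api_https" {
  project = var.project_id
  region  = var.region

  # Must match [a-z]([-a-z0-9]*[a-z0-9])? and be 1-63 characters long.
  name        = "api-https-hc"
  description = "HTTPS health check for the regional API backend"

  # timeout_sec must not be greater than check_interval_sec.
  check_interval_sec = 10
  timeout_sec        = 5

  # A backend changes state only after this many consecutive results,
  # so one slow or failed probe does not flap the backend out of service.
  healthy_threshold   = 2
  unhealthy_threshold = 3

  https_health_check {
    port_specification = "USE_FIXED_PORT"
    port               = 8443
    host               = "api.internal.example" # assumed Host header value
    request_path       = "/healthz"
    # Only a body beginning with these bytes counts as healthy; an empty
    # response would accept any reply, including a default error page.
    response     = "ok"
    proxy_header = "NONE"
  }

  timeouts {
    create = "10m"
    update = "10m"
    delete = "10m"
  }
}

# TCP health check that probes the port configured on the backend service
# and requires an application-level reply rather than just a completed
# connection.
resource "google_compute_region_health_check" "tcp_serving" {
  project = var.project_id
  region  = var.region
  name    = "tcp-serving-hc"

  check_interval_sec  = 5
  timeout_sec         = 5
  healthy_threshold   = 2
  unhealthy_threshold = 2

  tcp_health_check {
    port_specification = "USE_SERVING_PORT"
    request            = "PING\n" # ASCII only; assumed probe protocol
    response           = "PONG"
    proxy_header       = "NONE"
  }
}
```

The two resources cover the two port-selection modes the page documents: a fixed port with response matching, and USE_SERVING_PORT, where the port or named port of the backend service is probed. In both, timeout_sec stays at or below check_interval_sec as the parameter description requires, and a non-empty response means only a backend that actually answers the probe is counted as healthy.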

Explanation in Terraform Registry

Health Checks determine whether instances are responsive and able to do work. They are an important part of a comprehensive load balancing configuration, as they enable monitoring instances behind load balancers. Health Checks poll instances at a specified interval. Instances that do not respond successfully to some number of probes in a row are marked as unhealthy. No new connections are sent to unhealthy instances, though existing connections will continue. The health check will continue to poll unhealthy instances. If an instance later responds successfully to some number of consecutive probes, it is marked healthy again and can receive new connections. To get more information about RegionHealthCheck, see:

Tips: Best Practices for Other Google Compute Engine Resources

In addition to google_compute_region_health_check, Google Compute Engine has other resources that should be configured with security in mind. Please check some examples of those resources and the precautions for each.


google_compute_disk

Ensure the encryption key for your GCE disk is stored securely

It is better to store the encryption key for your GCE disk securely. Secret Manager could be used instead.


google_compute_firewall

Ensure your VPC firewall blocks unwanted outbound traffic

It is better to block unwanted outbound traffic so as not to expose resources in the VPC to unwanted attacks.


google_compute_instance

Ensure appropriate service account is assigned to your GCE instance

It is better to create a custom service account for the instance and assign it, rather than relying on the default service account.


google_compute_project_metadata

Ensure OS login for your GCE instances is enabled at project level

It is better to enable OS login for your GCE instances. Enabling OS login ensures that SSH keys used to connect to instances are mapped with IAM users, allowing centralized and automated SSH key management.


google_compute_ssl_policy

Ensure to use modern TLS protocols

It's better to adopt TLS v1.2+ instead of outdated TLS protocols.


google_compute_subnetwork

Ensure VPC flow logging is enabled

It is better to enable VPC flow logging. VPC flow logging allows you to audit the traffic in your network.

Review your Google Compute Engine settings

In addition to the above, there are other security points you should be aware of when making sure that your .tf files are protected; Shisho Cloud checks them for you.

Frequently asked questions

What is Google Compute Engine Region Health Check?

Google Compute Engine Region Health Check is a resource for Compute Engine of Google Cloud Platform. Its settings can be written in Terraform.

Where can I find the example code for the Google Compute Engine Region Health Check?

For Terraform, the byronwhitlock-google/AutoML-Labeling-Tool, d1nesh12345/Iac-demo and ericprocopio/automl-labeling-tool source code examples are useful. See the Terraform Example section for further details.