Mastering GCP Infrastructure with Terraform: Regional HTTPS Load Balancer with Cloud DNS – Part 4
Introduction
🌟 Welcome to the final installment of our series, “Mastering GCP Infrastructure with Terraform: Regional HTTPS Load Balancer with Cloud DNS.” In Part 3, we built a robust backend infrastructure with Instance Templates, Managed Instance Groups (MIGs), health checks, and autoscaling.
In Part 4, we’ll bring everything together by setting up a Regional HTTPS Load Balancer and integrating Cloud DNS. This ensures secure and reliable routing of traffic to your backend infrastructure. Additionally, we’ll configure HTTP-to-HTTPS redirection and a Cloud NAT for outbound internet access.
By the end of this part, your infrastructure will be fully operational, scalable, and production-ready.
Setting Up the Load Balancer
The load balancer is the heart of our infrastructure. It distributes incoming traffic to backend instances securely and efficiently. Let’s go step by step.
1. Static IP for the Load Balancer
resource "google_compute_address" "mylb" {
name = "${local.name}-mylb-regional-static-ip"
region = var.gcp_region1
} - Purpose: Allocates a static IP for the load balancer, ensuring it has a fixed endpoint for external traffic.
- region: Scopes the IP to the same region (us-central1) as your backend infrastructure.
2. Backend Service and Health Check
resource "google_compute_region_health_check" "mylb" {
name = "${local.name}-mylb-myapp1-health-check"
check_interval_sec = 5
timeout_sec = 5
healthy_threshold = 2
unhealthy_threshold = 2
http_health_check {
request_path = "/index.html"
port = 80
}
}
resource "google_compute_region_backend_service" "mylb" {
name = "${local.name}-myapp1-backend-service"
protocol = "HTTP"
load_balancing_scheme = "EXTERNAL_MANAGED"
health_checks = [google_compute_region_health_check.mylb.self_link]
port_name = "webserver"
backend {
group = google_compute_region_instance_group_manager.myapp1.instance_group
capacity_scaler = 1.0
balancing_mode = "UTILIZATION"
}
} Health Check: Ensures the backend service routes traffic only to healthy instances.
Backend Service:
- Connects the load balancer to the MIG (myapp1).
- Balances traffic based on instance utilization (CPU usage).
3. URL Mapping
resource "google_compute_region_url_map" "mylb" {
name = "${local.name}-mylb-url-map"
default_service = google_compute_region_backend_service.mylb.self_link
} - Purpose: Routes all incoming requests to the default backend service unless specific URL rules are defined.
4. HTTPS Proxy and Forwarding Rule
resource "google_compute_region_target_https_proxy" "mylb" {
name = "${local.name}-mylb-https-proxy"
url_map = google_compute_region_url_map.mylb.self_link
certificate_manager_certificates = [google_certificate_manager_certificate.myapp1.id]
}
resource "google_compute_forwarding_rule" "mylb" {
name = "${local.name}-mylb-forwarding-rule"
target = google_compute_region_target_https_proxy.mylb.self_link
port_range = "443"
ip_protocol = "TCP"
ip_address = google_compute_address.mylb.address
load_balancing_scheme = "EXTERNAL_MANAGED"
} HTTPS Proxy:
- Terminates HTTPS traffic using an SSL certificate from Certificate Manager.
- Routes decrypted traffic to the backend service.
Forwarding Rule:
- Directs incoming HTTPS traffic (port 443) to the HTTPS proxy.
- Uses the static IP (mylb) allocated earlier.
5. HTTP-to-HTTPS Redirection
resource "google_compute_region_url_map" "http" {
name = "${local.name}-myapp1-http-to-https-url-map"
default_url_redirect {
redirect_response_code = "MOVED_PERMANENTLY_DEFAULT"
strip_query = false
https_redirect = true
}
}
resource "google_compute_region_target_http_proxy" "http" {
name = "${local.name}-myapp1-http-to-https-proxy"
url_map = google_compute_region_url_map.http.self_link
}
resource "google_compute_forwarding_rule" "http" {
name = "${local.name}-myapp1-http-to-https-forwarding-rule"
target = google_compute_region_target_http_proxy.http.self_link
port_range = "80"
ip_protocol = "TCP"
ip_address = google_compute_address.mylb.address
load_balancing_scheme = "EXTERNAL_MANAGED"
} URL Map for HTTP:
- Redirects all HTTP traffic to HTTPS.
- Returns a 301 Moved Permanently response.
Forwarding Rule for HTTP:
- Listens on port 80 and redirects requests to the HTTP proxy for redirection.
Adding Cloud DNS
locals {
mydomain = "myapp1.rezaops.com"
dns_managed_zone = "rezaopscom"
}
resource "google_dns_record_set" "a_record" {
managed_zone = local.dns_managed_zone
name = "${local.mydomain}."
type = "A"
ttl = 300
rrdatas = [google_compute_address.mylb.address]
} Cloud DNS:
- Creates an A record mapping myapp1.rezaops.com to the static IP of the load balancer.
- ttl: Sets a time-to-live value of 300 seconds for DNS caching.
Final Outputs
output "mylb_static_ip_address" {
description = "The static IP address of the load balancer."
value = google_compute_address.mylb.address
}
output "mylb_target_https_proxy_self_link" {
description = "The self-link of the target HTTPS proxy."
value = google_compute_region_target_https_proxy.mylb.self_link
} Purpose:
- Exposes critical properties of the load balancer, such as the static IP address and HTTPS proxy.
Why These Steps Matter
- HTTPS Load Balancer: Ensures secure and reliable traffic routing to your backend infrastructure.
- HTTP-to-HTTPS Redirect: Improves security by forcing all traffic to use HTTPS.
- Cloud DNS: Simplifies access to your application using a human-readable domain name.
- Scalability: Supports dynamic scaling through the MIG and autoscaling policies configured earlier.
Conclusion
🎉 Congratulations! You’ve now completed the infrastructure setup for your Regional HTTPS Load Balancer with Cloud DNS in GCP. Let’s recap:
- Configured a load balancer to route secure traffic to your backend.
- Added HTTP-to-HTTPS redirection for improved security.
- Integrated Cloud DNS for seamless domain mapping.
Your infrastructure is now production-ready, scalable, and secure.