setup instance group GCE with HTTPS load balancer that allows custom port

Question

I'm struggling with this setup for 3 days now, most certainly I'm doing something wrong, but from all the docs that I read I have no clue what to is the correct way.

My goal is quite simple. I have a docker image in which I have a rest api that is served on 9090 port. I would like to have access to it over https, the port doesn't matter, best would be to use 443 (default https port) but this is not mandatory.

What I did so far: Setup an instance-group with instance-template that uses docker image published on Google Container Registry. This instance-group is behind an HTTPS Load Balancer. I have tried a number of different configuration options of the LB to enable access to my instance. With instanced created from templates I no longer can setup custom firewall configurations associated with instances, in such way I was able to make a connection to a single VM over HTTP.

Guys, can you help in any way ?

--30.09.2019--------- Configuration Update:

I have engine group setup with named ports: http: 9090 https: 9090

the template is set with both http & https network allowed, but I don't have the possibility to add any rule that would enable 9090 over http or https, or that does not matter?

No the Load Balancer: Frontend: I have two endpoints: 80 for http and 443 for https. The backend uses the named port http(which should point to 9090).

--- Update 1/10/2019 Firewall rull:

Health check

Edit your question with the following. What are the load balancer frontend and backend configurations? How did you expose the container's port to be accessible outside the container host? There is a lot of information missing from your question. Be as detailed as possible. I would test first with an Unmanaged Instance Group with an existing VM instance. Once you have that working, go to the next steps with a Managed Instance Group. Also, start with HTTP (port 80) then worry about HTTPS (port 443). Normally the Load Balancer handles HTTPS and your backend handles only HTTP. — John Hanley
1) Your problem is caused by the health check. The health check is going to port 8080. Do you have a service listening on port 8080? 2) You have two named ports http->9090 and https->9090. Don't create two named ports going to the same destination port. Unless you are using both ports, this is not your problem, but I would delete the https definition. 3) Is your backend (container) supporting HTTP, HTTPS or both? Normally you just need HTTP. 4) Your configuration exposes three container ports (80, 8080, 9090). Which one is your service listening on? Delete the others. — John Hanley
5) Once you figure out question #4, enable the correct port in the VPC firewall to allow traffic in on that port. — John Hanley
yep, I think the health check is the reason, I found out that HC makes the instance-group and lb in verified state. I have now the backend lb and named port pointing to port 9090 thro http protocol. I have set the template to expose only port 9090. Still the only question is if I need to enforce some firewall rull on the vm instance to open the 9090 port or it is ok if I have it in the default netowork ? — Sniady

Kunal Deo Kunal Deo · Accepted Answer · 2019-09-30T03:48:53

You should use Named port to achieve this.

In the instance group, set port name and port in Port Mapping option.

Then in the load balancer configuration, select a backend then select a named port when prompted. Thats all you need to do.

setup instance group GCE with HTTPS load balancer that allows custom port

2 Answers