Mastering GCP Infrastructure with Terraform: Regional HTTPS Load Balancer with Cloud DNS - Part 4

Introduction

?? Welcome to the final installment of our series, "Mastering GCP Infrastructure with Terraform: Regional HTTPS Load Balancer with Cloud DNS." In Part 3, we built a robust backend infrastructure with Instance Templates, Managed Instance Groups (MIGs), health checks, and autoscaling.

In Part 4, we’ll bring everything together by setting up a Regional HTTPS Load Balancer and integrating Cloud DNS. This ensures secure and reliable routing of traffic to your backend infrastructure. Additionally, we’ll configure HTTP-to-HTTPS redirection and a Cloud NAT for outbound internet access.

By the end of this part, your infrastructure will be fully operational, scalable, and production-ready.

Setting Up the Load Balancer

The load balancer is the heart of our infrastructure. It distributes incoming traffic to backend instances securely and efficiently. Let’s go step by step.

1. Static IP for the Load Balancer

resource "google_compute_address" "mylb" {
    name   = "${local.name}-mylb-regional-static-ip"
    region = var.gcp_region1
}
        

• Purpose: Allocates a static IP for the load balancer, ensuring it has a fixed endpoint for external traffic.
• region: Scopes the IP to the same region (us-central1) as your backend infrastructure.

2. Backend Service and Health Check

resource "google_compute_region_health_check" "mylb" {
    name                = "${local.name}-mylb-myapp1-health-check"
    check_interval_sec  = 5
    timeout_sec         = 5
    healthy_threshold   = 2
    unhealthy_threshold = 2
    http_health_check {
        request_path = "/index.html"
        port         = 80
    }
}

resource "google_compute_region_backend_service" "mylb" {
    name                    = "${local.name}-myapp1-backend-service"
    protocol                = "HTTP"
    load_balancing_scheme   = "EXTERNAL_MANAGED"
    health_checks           = [google_compute_region_health_check.mylb.self_link]
    port_name               = "webserver"
    backend {
        group              = google_compute_region_instance_group_manager.myapp1.instance_group
        capacity_scaler    = 1.0
        balancing_mode     = "UTILIZATION"
    }
}
        

Health Check: Ensures the backend service routes traffic only to healthy instances.

Backend Service:

• Connects the load balancer to the MIG (myapp1).
• Balances traffic based on instance utilization (CPU usage).

3. URL Mapping

resource "google_compute_region_url_map" "mylb" {
    name            = "${local.name}-mylb-url-map"
    default_service = google_compute_region_backend_service.mylb.self_link
}
        

• Purpose: Routes all incoming requests to the default backend service unless specific URL rules are defined.

4. HTTPS Proxy and Forwarding Rule

resource "google_compute_region_target_https_proxy" "mylb" {
    name                          = "${local.name}-mylb-https-proxy"
    url_map                       = google_compute_region_url_map.mylb.self_link
    certificate_manager_certificates = [google_certificate_manager_certificate.myapp1.id]
}

resource "google_compute_forwarding_rule" "mylb" {
    name                    = "${local.name}-mylb-forwarding-rule"
    target                  = google_compute_region_target_https_proxy.mylb.self_link
    port_range              = "443"
    ip_protocol             = "TCP"
    ip_address              = google_compute_address.mylb.address
    load_balancing_scheme   = "EXTERNAL_MANAGED"
}
        

HTTPS Proxy:

• Terminates HTTPS traffic using an SSL certificate from Certificate Manager.
• Routes decrypted traffic to the backend service.

Forwarding Rule:

• Directs incoming HTTPS traffic (port 443) to the HTTPS proxy.
• Uses the static IP (mylb) allocated earlier.

5. HTTP-to-HTTPS Redirection

resource "google_compute_region_url_map" "http" {
  name = "${local.name}-myapp1-http-to-https-url-map"
  default_url_redirect {
    redirect_response_code = "MOVED_PERMANENTLY_DEFAULT"
    strip_query            = false
    https_redirect         = true
  }
}

resource "google_compute_region_target_http_proxy" "http" {
  name   = "${local.name}-myapp1-http-to-https-proxy"
  url_map = google_compute_region_url_map.http.self_link
}

resource "google_compute_forwarding_rule" "http" {
  name        = "${local.name}-myapp1-http-to-https-forwarding-rule"
  target      = google_compute_region_target_http_proxy.http.self_link
  port_range  = "80"
  ip_protocol = "TCP"
  ip_address  = google_compute_address.mylb.address
  load_balancing_scheme = "EXTERNAL_MANAGED"
}
        

URL Map for HTTP:

• Redirects all HTTP traffic to HTTPS.
• Returns a 301 Moved Permanently response.

Forwarding Rule for HTTP:

• Listens on port 80 and redirects requests to the HTTP proxy for redirection.

Adding Cloud DNS

locals {
  mydomain       = "myapp1.rezaops.com"
  dns_managed_zone = "rezaopscom"
}

resource "google_dns_record_set" "a_record" {
  managed_zone = local.dns_managed_zone
  name         = "${local.mydomain}."
  type         = "A"
  ttl          = 300
  rrdatas      = [google_compute_address.mylb.address]
}
        

Cloud DNS:

• Creates an A record mapping myapp1.rezaops.com to the static IP of the load balancer.
• ttl: Sets a time-to-live value of 300 seconds for DNS caching.

Final Outputs

output "mylb_static_ip_address" {
  description = "The static IP address of the load balancer."
  value       = google_compute_address.mylb.address
}

output "mylb_target_https_proxy_self_link" {
  description = "The self-link of the target HTTPS proxy."
  value       = google_compute_region_target_https_proxy.mylb.self_link
}
        

Purpose:

• Exposes critical properties of the load balancer, such as the static IP address and HTTPS proxy.

Why These Steps Matter

1. HTTPS Load Balancer: Ensures secure and reliable traffic routing to your backend infrastructure.
2. HTTP-to-HTTPS Redirect: Improves security by forcing all traffic to use HTTPS.
3. Cloud DNS: Simplifies access to your application using a human-readable domain name.
4. Scalability: Supports dynamic scaling through the MIG and autoscaling policies configured earlier.

Conclusion

?? Congratulations! You’ve now completed the infrastructure setup for your Regional HTTPS Load Balancer with Cloud DNS in GCP. Let’s recap:

• Configured a load balancer to route secure traffic to your backend.
• Added HTTP-to-HTTPS redirection for improved security.
• Integrated Cloud DNS for seamless domain mapping.

Your infrastructure is now production-ready, scalable, and secure.