Reputation: 131
I would like to run a webserver on a Google Compute Engine, being available both via HTTP and HTTPS and also being available via IPv6. Google Cloud only supports IPv6 in the load balancer, so I'll need to set it up in there. I also need to take care of my own SSL (I have very good reasons for this), so I can't use SSL offloading.
Since I'm not using SSL offloading, I need to use "TCP (proxy)" for HTTPS/port 443 (according to https://cloud.google.com/load-balancing/docs/choosing-load-balancer and also because I couldn't get it working any other way).
I've got port 443 working, now I need to add HTTP/port 80. I'm currently trying to configure this using the web interface. I tried:
How can I get both HTTPS and HTTP to work on an IPv6 without using SSL offloading?
Upvotes: 2
Views: 1194
Reputation: 134
Yes, I reproduced the issue at my end, and it doesn't give any option to select IPv6.
What I figured out, after doing some research and confirming with my team, is that external IP addresses assigned to GCP VM instances are regional external IP addresses, which can only be IPv4, not IPv6. We support IPv6 only for global external IP addresses, and global external IP addresses can only be used with one of the following load balancers in Premium Tier:
- HTTP(S)
- SSL Proxy
- TCP Proxy
So you should be able to partially accomplish what you are trying to achieve - an external IPv6 address for a VM - by putting that VM behind a TCP Proxy load balancer, but only for HTTPS. As you know, TCP 80 is not in the list of supported ports for TCP Proxy load balancing. But it does support TCP 443, and it only terminates the TCP session, which should allow them to terminate HTTPS on the backend VM itself.
The same issue applies to SSL Proxy load balancing, as it does not support port 80. The problem in using the HTTPS load balancer is that HTTPS has to be terminated at the load balancer. The load balancer could still communicate with backend VMs via HTTPS, but the load balancer still does the public-facing HTTPS termination. And this is also not suitable for you, as you don't want to do SSL offloading. So the conclusion is that it is not completely possible to get HTTPS and HTTP to work on an IPv6 without using SSL offloading.
Upvotes: 2
Reputation: 134
Actually, there is a limitation on the use of port 80 in the TCP Proxy load balancer. With that being said, the TCP Proxy LB has only the following ports available as Target Proxy: 25, 43, 110, 143, 195, 443, 465, 587, 700, 993, 995, 1883, 5222.
So we couldn't use a target TCP proxy for port 80.
This information comes from this page, where it also provides an overview and concepts about this type of load balancer. Please note that port 443 can be used in this case.
Did you try using a Network Load Balancer? It might help you; see the attached link for more details.
Upvotes: 0