Scaling Out Secure Dedicated Ingress on GCP

close up photography of yellow green red and brown plastic cones on white lined surface
Photo by Pixabay on

Proposed Architecture

The architecture presented below satisfies GCP customers requirements to use third party compute instance based appliances in their flows.

The design considers HTTP(S) load balancers due its advanced capabilities.


  • HTTP(S) supports port 80, 8080, and 443.
  • The combination instance (responsible for SNAT/DNAT ingress traffic) and port (back end port) can be used a single time
  • An instance may belong to at most one load-balanced instance group

GCP Load Balancers Decision Chart

Chart from

Update DNS

  • Add the second app to Cloud DNS for proper name resolution
  • Create a second instance group and health check.

How to Scale Scenario 1

  • add a new external load balancer
  • add a new set of compute instances

How to Scale Scenario 2

  • add a second back end using another set of compute instances
  • Use Routing Rules to forward traffic to the new back end

How to Scale Scenario 3

  • add a new external HTTP(S) load balancer
  • create a new back end using the same instance group as before but using different ports
  • this step requires the creation of a new named port in the instance group
  • this step also requires proper secure firewall rules proper configured
  • compute instance DNAT using SRC:DST port 81 and DST:DST port 80

How to Scale Scenario 4

  • this scenario is a hybrid of scenarios 2 and 3
  • a new BE is created using port 82

The HC as before is the same as we are checking the health of the compute instances:

  • routing rules
  • compute instance DNAT config:


Leave a Reply