Feat: support for internal cross-regional load balancer (#490)

Author: pawan1210

build/int.cloudbuild.yaml

@@ -127,6 +127,22 @@ steps:
     - verify lb-http-separate-frontend-and-backend
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run TestSeparateFrontendAndBackend --stage teardown --verbose']
+  # Internal cross regional http load balancer with cloud-run
+- id: apply internal-lb-http
+  waitFor:
+    - create
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestInternalLbCloudRun --stage apply --verbose']
+- id: verify internal-lb-http
+  waitFor:
+    - apply internal-lb-http
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'sleep 360 && cft test run TestInternalLbCloudRun --stage verify --verbose']
+- id: teardown internal-lb-http
+  waitFor:
+    - verify internal-lb-http
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestInternalLbCloudRun --stage teardown --verbose']
 tags:
 - 'ci'
 - 'integration'

examples/internal-lb-cloud-run/main.tf

@@ -0,0 +1,175 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+provider "google" {
+  project = var.project_id
+}
+
+provider "google-beta" {
+  project = var.project_id
+}
+
+module "internal-lb-network" {
+  source                  = "terraform-google-modules/network/google//modules/vpc"
+  version                 = "~> 10.0.0"
+  project_id              = var.project_id
+  network_name            = "int-lb-network"
+  auto_create_subnetworks = false
+}
+
+module "internal-lb-subnet" {
+  source  = "terraform-google-modules/network/google//modules/subnets"
+  version = "~> 10.0.0"
+
+  subnets = [
+    {
+      subnet_name   = "int-lb-subnet-a"
+      subnet_ip     = "10.1.2.0/24"
+      subnet_region = "us-east1"
+    },
+    {
+      subnet_name   = "int-lb-proxy-only-subnet-a"
+      subnet_ip     = "10.129.0.0/23"
+      subnet_region = "us-east1"
+      purpose       = "GLOBAL_MANAGED_PROXY"
+      role          = "ACTIVE"
+    },
+    {
+      subnet_name   = "int-lb-subnet-b"
+      subnet_ip     = "10.1.3.0/24"
+      subnet_region = "us-south1"
+    },
+    {
+      subnet_name   = "int-lb-proxy-only-subnet-b",
+      subnet_ip     = "10.130.0.0/23"
+      subnet_region = "us-south1"
+      purpose       = "GLOBAL_MANAGED_PROXY"
+      role          = "ACTIVE"
+    }
+  ]
+
+  network_name = module.internal-lb-network.network_name
+  project_id   = var.project_id
+  depends_on   = [module.internal-lb-network]
+}
+
+module "backend-service-region-a" {
+  source                        = "GoogleCloudPlatform/cloud-run/google//modules/v2"
+  version                       = "~> 0.16.3"
+  project_id                    = var.project_id
+  location                      = "us-central1"
+  service_name                  = "bs-a"
+  containers                    = [{ "container_name" = "", "container_image" = "gcr.io/cloudrun/hello" }]
+  members                       = ["allUsers"]
+  ingress                       = "INGRESS_TRAFFIC_INTERNAL_ONLY"
+  cloud_run_deletion_protection = false
+  enable_prometheus_sidecar     = false
+}
+
+module "backend-service-region-b" {
+  source                        = "GoogleCloudPlatform/cloud-run/google//modules/v2"
+  version                       = "~> 0.16.3"
+  project_id                    = var.project_id
+  location                      = "us-west1"
+  service_name                  = "bs-b"
+  containers                    = [{ "container_name" = "", "container_image" = "gcr.io/cloudrun/hello" }]
+  members                       = ["allUsers"]
+  ingress                       = "INGRESS_TRAFFIC_INTERNAL_ONLY"
+  cloud_run_deletion_protection = false
+  enable_prometheus_sidecar     = false
+}
+
+module "internal-lb-http-backend" {
+  source  = "terraform-google-modules/lb-http/google//modules/backend"
+  version = "~> 12.0"
+
+  project_id            = var.project_id
+  name                  = "int-lb-http-backend"
+  enable_cdn            = false
+  load_balancing_scheme = "INTERNAL_MANAGED"
+  locality_lb_policy    = "RANDOM"
+  serverless_neg_backends = [
+    { region : "us-central1", type : "cloud-run", service_name : module.backend-service-region-a.service_name },
+    { region : "us-west1", type : "cloud-run", service_name : module.backend-service-region-b.service_name }
+  ]
+}
+
+module "internal-lb-http-frontend" {
+  source  = "terraform-google-modules/lb-http/google//modules/frontend"
+  version = "~> 12.0"
+
+  project_id            = var.project_id
+  name                  = "int-lb-http-frontend"
+  url_map_input         = module.internal-lb-http-backend.backend_service_info
+  network               = module.internal-lb-network.network_name
+  load_balancing_scheme = "INTERNAL_MANAGED"
+  internal_forwarding_rules_config = [
+    {
+      "region" : "us-east1",
+      "subnetwork" : module.internal-lb-subnet.subnets["us-east1/int-lb-subnet-a"].id
+    },
+    {
+      "region" : "us-south1",
+      "subnetwork" : module.internal-lb-subnet.subnets["us-south1/int-lb-subnet-b"].id
+    }
+  ]
+}
+
+resource "google_vpc_access_connector" "internal_lb_vpc_connector" {
+  provider       = google-beta
+  project        = var.project_id
+  name           = "int-lb-vpc-connector"
+  region         = "us-east1"
+  ip_cidr_range  = "10.8.0.0/28"
+  network        = module.internal-lb-network.network_name
+  max_throughput = 500
+  min_throughput = 300
+}
+
+module "frontend-service-a" {
+  source       = "GoogleCloudPlatform/cloud-run/google//modules/v2"
+  version      = "~> 0.16.3"
+  project_id   = var.project_id
+  location     = "us-east1"
+  service_name = "fs-a"
+  containers   = [{ "env_vars" : { "TARGET_IP" : module.internal-lb-http-frontend.ip_address_internal_managed_http[0] }, "ports" = { "container_port" = 80, "name" = "http1" }, "container_name" = "", "container_image" = "gcr.io/design-center-container-repo/redirect-traffic:latest-2002" }]
+  members      = ["allUsers"]
+  vpc_access = {
+    connector = google_vpc_access_connector.internal_lb_vpc_connector.id
+    egress    = "ALL_TRAFFIC"
+  }
+  ingress                       = "INGRESS_TRAFFIC_ALL"
+  cloud_run_deletion_protection = false
+  enable_prometheus_sidecar     = false
+  depends_on                    = [google_vpc_access_connector.internal_lb_vpc_connector]
+}
+
+module "frontend-service-b" {
+  source       = "GoogleCloudPlatform/cloud-run/google//modules/v2"
+  version      = "~> 0.16.3"
+  project_id   = var.project_id
+  location     = "us-east1"
+  service_name = "fs-b"
+  containers   = [{ "env_vars" : { "TARGET_IP" : module.internal-lb-http-frontend.ip_address_internal_managed_http[1] }, "ports" = { "container_port" = 80, "name" = "http1" }, "container_name" = "", "container_image" = "gcr.io/design-center-container-repo/redirect-traffic:latest-2002" }]
+  members      = ["allUsers"]
+  vpc_access = {
+    connector = google_vpc_access_connector.internal_lb_vpc_connector.id
+    egress    = "ALL_TRAFFIC"
+  }
+  ingress                       = "INGRESS_TRAFFIC_ALL"
+  cloud_run_deletion_protection = false
+  enable_prometheus_sidecar     = false
+}

examples/internal-lb-cloud-run/outputs.tf

@@ -0,0 +1,20 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "external_cloudrun_uris" {
+  description = "List of URIs for the frontend Cloud Run services"
+  value       = [module.frontend-service-a.service_uri, module.frontend-service-b.service_uri]
+}

examples/internal-lb-cloud-run/readme.md

@@ -0,0 +1,20 @@
+# HTTP Internal Regional Load Balancer Example
+
+This example creates a simple application with below components.
+
+* *Frontend Service*: Two cloud-run services to send request to internal cross-regional load balancers. The cloud-run service uses VPC access connector to send the request to the internal load balancer.
+* *Internal Load Balancer*: An internal cross-regional load balancer to distribute traffic to internal cloud run services.
+* *Backend Service*: Two cloud-run services to run the actual application code. These can be accessed within internal traffic. The internal Application Load Balancer is considered internal traffic.
+
+
+The `google_compute_backend_service` and its dependencies are created as part of `backend` module.
+The forwarding rules and its dependecies are created as part of `frontend` module.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| project\_id | n/a | `string` | n/a | yes |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/internal-lb-cloud-run/variables.tf

@@ -0,0 +1,19 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  type = string
+}

metadata.yaml

@@ -58,6 +58,8 @@ spec:
         location: examples/https-gke
       - name: https-redirect
         location: examples/https-redirect
+      - name: internal-lb-cloud-run
+        location: examples/internal-lb-cloud-run
       - name: lb-http-separate-frontend-and-backend
         location: examples/lb-http-separate-frontend-and-backend
       - name: mig-nat-http-lb
@@ -338,6 +340,8 @@ spec:
           - roles/run.admin
           - roles/iam.serviceAccountUser
           - roles/certificatemanager.owner
+          - roles/vpcaccess.admin
+          - roles/iam.serviceAccountAdmin
     services:
       - cloudresourcemanager.googleapis.com
       - storage-api.googleapis.com
@@ -346,6 +350,7 @@ spec:
       - run.googleapis.com
       - iam.googleapis.com
       - certificatemanager.googleapis.com
+      - vpcaccess.googleapis.com
     providerVersions:
       - source: hashicorp/google
         version: ">= 6.0, < 7"

modules/backend/README.md

@@ -21,7 +21,7 @@ This module creates `google_compute_backend_service` resource and its dependenci
 | health\_check | Input for creating HttpHealthCheck or HttpsHealthCheck resource for health checking this BackendService. A health check must be specified unless the backend service uses an internet or serverless NEG as a backend. | <pre>object({<br>    host                = optional(string, null)<br>    request_path        = optional(string, null)<br>    request             = optional(string, null)<br>    response            = optional(string, null)<br>    port                = optional(number, null)<br>    port_name           = optional(string, null)<br>    proxy_header        = optional(string, null)<br>    port_specification  = optional(string, null)<br>    protocol            = optional(string, null)<br>    check_interval_sec  = optional(number, 5)<br>    timeout_sec         = optional(number, 5)<br>    healthy_threshold   = optional(number, 2)<br>    unhealthy_threshold = optional(number, 2)<br>    logging             = optional(bool, false)<br>  })</pre> | `null` | no |
 | host\_path\_mappings | The list of host/path for which traffic could be sent to the backend service | <pre>list(object({<br>    host = string<br>    path = string<br>  }))</pre> | <pre>[<br>  {<br>    "host": "*",<br>    "path": "/*"<br>  }<br>]</pre> | no |
 | iap\_config | Settings for enabling Cloud Identity Aware Proxy Structure. | <pre>object({<br>    enable               = bool<br>    oauth2_client_id     = optional(string)<br>    oauth2_client_secret = optional(string)<br>  })</pre> | <pre>{<br>  "enable": false<br>}</pre> | no |
-| load\_balancing\_scheme | Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL\_MANAGED for Envoy-based load balancer, and INTERNAL\_SELF\_MANAGED for traffic director). | `string` | `"EXTERNAL_MANAGED"` | no |
+| load\_balancing\_scheme | Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL\_MANAGED for Envoy-based load balancer, INTERNAL\_MANAGED for internal load balancer and INTERNAL\_SELF\_MANAGED for traffic director) | `string` | `"EXTERNAL_MANAGED"` | no |
 | locality\_lb\_policy | The load balancing algorithm used within the scope of the locality. | `string` | `null` | no |
 | log\_config | This field denotes the logging options for the load balancer traffic served by this backend service. If logging is enabled, logs will be exported to Stackdriver. | <pre>object({<br>    enable      = bool<br>    sample_rate = number<br>  })</pre> | <pre>{<br>  "enable": true,<br>  "sample_rate": 1<br>}</pre> | no |
 | name | Name for the backend service. | `string` | n/a | yes |

modules/backend/main.tf

@@ -28,7 +28,7 @@ resource "google_compute_backend_service" "default" {
   description                     = var.description
   connection_draining_timeout_sec = var.connection_draining_timeout_sec
   enable_cdn                      = var.enable_cdn
-  compression_mode                = var.compression_mode
+  compression_mode                = var.load_balancing_scheme == "INTERNAL_SELF_MANAGED" || var.load_balancing_scheme == "INTERNAL_MANAGED" ? null : var.compression_mode
   custom_request_headers          = var.custom_request_headers
   custom_response_headers         = var.custom_response_headers
   session_affinity                = var.session_affinity

modules/backend/metadata.display.yaml

@@ -77,6 +77,11 @@ spec:
         load_balancing_scheme:
           name: load_balancing_scheme
           title: Load Balancing Scheme
+          enumValueLabels:
+            - label: EXTERNAL_MANAGED
+              value: EXTERNAL_MANAGED
+            - label: INTERNAL_MANAGED
+              value: INTERNAL_MANAGED
         locality_lb_policy:
           name: locality_lb_policy
           title: Locality Lb Policy

modules/backend/metadata.yaml

@@ -50,6 +50,8 @@ spec:
         location: examples/https-gke
       - name: https-redirect
         location: examples/https-redirect
+      - name: internal-lb-cloud-run
+        location: examples/internal-lb-cloud-run
       - name: lb-http-separate-frontend-and-backend
         location: examples/lb-http-separate-frontend-and-backend
       - name: mig-nat-http-lb
@@ -77,7 +79,7 @@ spec:
         varType: string
         required: true
       - name: load_balancing_scheme
-        description: Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL_MANAGED for Envoy-based load balancer, and INTERNAL_SELF_MANAGED for traffic director).
+        description: Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL_MANAGED for Envoy-based load balancer, INTERNAL_MANAGED for internal load balancer and INTERNAL_SELF_MANAGED for traffic director)
         varType: string
         defaultValue: EXTERNAL_MANAGED
       - name: protocol
@@ -305,6 +307,8 @@ spec:
           - roles/run.admin
           - roles/iam.serviceAccountUser
           - roles/certificatemanager.owner
+          - roles/vpcaccess.admin
+          - roles/iam.serviceAccountAdmin
     services:
       - cloudresourcemanager.googleapis.com
       - storage-api.googleapis.com
@@ -313,6 +317,7 @@ spec:
       - run.googleapis.com
       - iam.googleapis.com
       - certificatemanager.googleapis.com
+      - vpcaccess.googleapis.com
     providerVersions:
       - source: hashicorp/google
         version: ">= 6.0, < 7"