Create one backend service per application, selecting that application's named port and health check (the health checks referenced below, `app1` and `app2`, must already exist — the commands do not create them). Then attach the VM-Series instance group as the backend of each service.
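#!/usr/bin/env bash
# Publish app1 and app2 through one global external HTTP load balancer whose
# only backend is the VM-Series regional instance group "vmseries".
#
# Prerequisites that this script does NOT create: the regional instance group
# "vmseries" in us-central1, and health checks named "app1" and "app2" that
# probe the matching named ports (1000 and 2000). "backend-services create"
# fails if the referenced health check does not exist, which is why the
# script runs in strict mode and stops at the first failing command.
#
# SECURITY NOTE: despite the "global-https-lb" name, this builds a cleartext
# HTTP front end (target-http-proxy on port 80), so client traffic to the
# load balancer is unencrypted. To terminate TLS at the load balancer, create
# a target-https-proxy with a certificate and front it with a port-443
# forwarding rule; keep port 80 only for an HTTP->HTTPS redirect, or drop it.
set -euo pipefail

readonly REGION="us-central1"
readonly INSTANCE_GROUP="vmseries"
readonly URL_MAP="global-https-lb"
readonly TARGET_PROXY="global-https-lb-target-proxy"
readonly DRAIN_SECONDS=300          # time for in-flight requests to finish on backend removal
readonly MAX_RPS_PER_INSTANCE=10000 # RATE balancing: requests/second per VM-Series instance

# Named ports tell the load balancer which port on each instance serves an
# application. This call REPLACES the group's whole named-port list, so every
# application must be listed here (format: name:port,...).
gcloud compute instance-groups set-named-ports "${INSTANCE_GROUP}" \
  --region="${REGION}" \
  --named-ports=app1:1000,app2:2000

# One backend service per application, bound to its named port and health
# check, with the VM-Series group attached as the only backend.
for app in app1 app2; do
  gcloud compute backend-services create "${app}" \
    --load-balancing-scheme=EXTERNAL_MANAGED \
    --protocol=HTTP \
    --port-name="${app}" \
    --health-checks="${app}" \
    --connection-draining-timeout="${DRAIN_SECONDS}" \
    --global
  gcloud compute backend-services add-backend "${app}" \
    --instance-group="${INSTANCE_GROUP}" \
    --instance-group-region="${REGION}" \
    --balancing-mode=RATE \
    --max-rate-per-instance="${MAX_RPS_PER_INSTANCE}" \
    --global
done

# URL map: app1 is the default service, i.e. any request whose Host does not
# match a host rule lands on app1. The per-application host rules are added
# in the routing-rules step that follows this script.
gcloud compute url-maps create "${URL_MAP}" \
  --default-service app1 \
  --global

gcloud compute target-http-proxies create "${TARGET_PROXY}" \
  --url-map="${URL_MAP}" \
  --global-url-map \
  --global

# One forwarding rule (one public IP) per application. Both listen on TCP/80
# and point at the same proxy; the URL map's host rules tell them apart.
for app in app1 app2; do
  gcloud compute forwarding-rules create "${app}" \
    --load-balancing-scheme=EXTERNAL_MANAGED \
    --network-tier=PREMIUM \
    --target-http-proxy="${TARGET_PROXY}" \
    --ports=80 \
    --global
done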
Configure the URL map's routing (host) rules: use each forwarding rule's frontend IP address as the host value so that requests arriving at that address are directed to the matching backend service. Requests whose host matches no rule fall through to the URL map's default service (`app1` above).
On the VM-Series firewall web interface, create two NAT policies that map each named port (1000 for app1, 2000 for app2) to the corresponding application's destination address.
Automation Example:
Here is a Terraform example that onboards a new backend service (`app2`) to an existing HTTP(S) load balancer. The Google provider registers the named port, health check, backend service and forwarding rule; the PAN-OS Terraform provider creates the matching service object and NAT policy on the firewall. The existing instance group and target proxy are passed in as input variables.
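# Register app2's named port on the instance group so the backend service can
# reference it by name. This resource takes a zone, i.e. it is for a zonal
# instance group; the gcloud steps above use a REGIONAL group, where the named
# port would instead be declared on the region instance group manager — confirm
# which kind of group var.instance_group refers to.
resource "google_compute_instance_group_named_port" "main" {
  group = var.instance_group
  # Straight quotes: the original used typographic quotes, which HCL rejects.
  zone = "us-central1-a"
  name = "app2"
  port = 2000
}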
# Health check used by the app2 backend service. It is a TCP-level check:
# an instance counts as healthy when a connection to port 2000 completes;
# no HTTP request is sent and no response body or status is validated.
resource "google_compute_health_check" "main" {
  name = "app2"

  tcp_health_check {
    port = 2000
  }
}
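# Backend service for app2: routes to the named port "app2" on the VM-Series
# instance group, gated by the TCP health check above. Settings mirror the
# gcloud steps (HTTP, EXTERNAL_MANAGED, RATE balancing, 300 s connection
# draining), which the original omitted for protocol and draining.
#
# SECURITY NOTE: protocol "HTTP" means the load balancer -> VM-Series hop is
# cleartext on port 2000. If end-to-end encryption is required, switch the
# backend protocol and health check to HTTPS with a matching port.
resource "google_compute_backend_service" "main" {
  name                  = "app2"
  port_name             = "app2"
  protocol              = "HTTP"
  load_balancing_scheme = "EXTERNAL_MANAGED"
  health_checks         = [google_compute_health_check.main.self_link]
  # Give in-flight requests time to finish when an instance is removed,
  # matching --connection-draining-timeout=300 in the gcloud steps.
  connection_draining_timeout_sec = 300

  backend {
    group                 = var.instance_group
    balancing_mode        = "RATE"
    max_rate_per_instance = 10000
    capacity_scaler       = 1
  }
}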
# Public frontend for app2 on TCP/80 (cleartext HTTP; see the gcloud steps for
# the TLS caveat). It shares the existing proxy with app1, so the URL map's
# host rules — not a separate proxy — decide which backend a request reaches.
# NOTE(review): var.global_lb_self_link is presumably the HTTP target proxy's
# self link (the gcloud equivalent is --target-http-proxy) — confirm.
resource "google_compute_global_forwarding_rule" "main" {
  name                  = "app2"
  target                = var.global_lb_self_link
  port_range            = "80"
  load_balancing_scheme = "EXTERNAL_MANAGED"
}
# PAN-OS service object for TCP/2000, the port the load balancer sends app2
# traffic to (the named port registered above). The NAT rule below matches
# on this object, so the port here must stay in sync with the named port.
resource "panos_service_object" "main" {
  vsys             = "vsys1"
  name             = "app2"
  protocol         = "tcp"
  destination_port = "2000"
}
# PAN-OS destination NAT for app2. Matches traffic entering ethernet1/1 in the
# untrust zone from ANY source to ANY destination address on tcp/2000 and
# rewrites the destination to the application's address; the source is also
# rewritten to the ethernet1/2 interface address (presumably so the
# application's replies return through the firewall).
#
# NOTE(review): with source_addresses and destination_addresses both "any",
# the service port is the only thing separating this rule from other apps
# published on the same interface. Consider narrowing source_addresses to
# the load balancer's proxy/health-check source ranges and
# destination_addresses to the ethernet1/1 address.
# NOTE(review): dynamic_translation is used with a single literal address —
# confirm this is intended over static_translation, which can also rewrite
# the destination port if the application does not listen on 2000.
resource "panos_nat_rule_group" "main" {
  provider         = panos
  position_keyword = "bottom"

  rule {
    name = "app2"

    original_packet {
      source_zones          = ["untrust"]
      destination_zone      = "untrust"
      destination_interface = "ethernet1/1"
      service               = panos_service_object.main.name
      source_addresses      = ["any"]
      destination_addresses = ["any"]
    }

    translated_packet {
      source {
        dynamic_ip_and_port {
          interface_address {
            interface = "ethernet1/2"
          }
        }
      }

      destination {
        dynamic_translation {
          address = "<ip-address>" # replace with the application's address
        }
      }
    }
  }
}