The gcp:compute/regionTargetHttpsProxy:RegionTargetHttpsProxy resource, part of the Pulumi GCP provider, defines the HTTPS termination layer for regional load balancers: SSL certificates, URL routing, and optional mTLS validation. This guide focuses on four capabilities: SSL certificate attachment, connection timeout configuration, mutual TLS enforcement, and Certificate Manager integration.
HTTPS proxies sit between forwarding rules and URL maps, terminating SSL and routing requests to backend services. The examples are intentionally small. Combine them with your own VPC configuration, health checks, and forwarding rules.
Route HTTPS traffic to backend services
Regional load balancers terminate SSL at the proxy layer, then route requests to backend services based on hostname and path rules.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as std from "@pulumi/std";
const defaultRegionSslCertificate = new gcp.compute.RegionSslCertificate("default", {
region: "us-central1",
name: "my-certificate",
privateKey: std.file({
input: "path/to/private.key",
}).then(invoke => invoke.result),
certificate: std.file({
input: "path/to/certificate.crt",
}).then(invoke => invoke.result),
});
const defaultRegionHealthCheck = new gcp.compute.RegionHealthCheck("default", {
region: "us-central1",
name: "http-health-check",
httpHealthCheck: {
port: 80,
},
});
const defaultRegionBackendService = new gcp.compute.RegionBackendService("default", {
region: "us-central1",
name: "backend-service",
protocol: "HTTP",
loadBalancingScheme: "INTERNAL_MANAGED",
timeoutSec: 10,
healthChecks: defaultRegionHealthCheck.id,
});
const defaultRegionUrlMap = new gcp.compute.RegionUrlMap("default", {
region: "us-central1",
name: "url-map",
description: "a description",
defaultService: defaultRegionBackendService.id,
hostRules: [{
hosts: ["mysite.com"],
pathMatcher: "allpaths",
}],
pathMatchers: [{
name: "allpaths",
defaultService: defaultRegionBackendService.id,
pathRules: [{
paths: ["/*"],
service: defaultRegionBackendService.id,
}],
}],
});
const _default = new gcp.compute.RegionTargetHttpsProxy("default", {
region: "us-central1",
name: "test-proxy",
urlMap: defaultRegionUrlMap.id,
sslCertificates: [defaultRegionSslCertificate.id],
});
import pulumi
import pulumi_gcp as gcp
import pulumi_std as std
default_region_ssl_certificate = gcp.compute.RegionSslCertificate("default",
region="us-central1",
name="my-certificate",
private_key=std.file(input="path/to/private.key").result,
certificate=std.file(input="path/to/certificate.crt").result)
default_region_health_check = gcp.compute.RegionHealthCheck("default",
region="us-central1",
name="http-health-check",
http_health_check={
"port": 80,
})
default_region_backend_service = gcp.compute.RegionBackendService("default",
region="us-central1",
name="backend-service",
protocol="HTTP",
load_balancing_scheme="INTERNAL_MANAGED",
timeout_sec=10,
health_checks=default_region_health_check.id)
default_region_url_map = gcp.compute.RegionUrlMap("default",
region="us-central1",
name="url-map",
description="a description",
default_service=default_region_backend_service.id,
host_rules=[{
"hosts": ["mysite.com"],
"path_matcher": "allpaths",
}],
path_matchers=[{
"name": "allpaths",
"default_service": default_region_backend_service.id,
"path_rules": [{
"paths": ["/*"],
"service": default_region_backend_service.id,
}],
}])
default = gcp.compute.RegionTargetHttpsProxy("default",
region="us-central1",
name="test-proxy",
url_map=default_region_url_map.id,
ssl_certificates=[default_region_ssl_certificate.id])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "path/to/private.key",
}, nil)
if err != nil {
return err
}
invokeFile1, err := std.File(ctx, &std.FileArgs{
Input: "path/to/certificate.crt",
}, nil)
if err != nil {
return err
}
defaultRegionSslCertificate, err := compute.NewRegionSslCertificate(ctx, "default", &compute.RegionSslCertificateArgs{
Region: pulumi.String("us-central1"),
Name: pulumi.String("my-certificate"),
PrivateKey: pulumi.String(invokeFile.Result),
Certificate: pulumi.String(invokeFile1.Result),
})
if err != nil {
return err
}
defaultRegionHealthCheck, err := compute.NewRegionHealthCheck(ctx, "default", &compute.RegionHealthCheckArgs{
Region: pulumi.String("us-central1"),
Name: pulumi.String("http-health-check"),
HttpHealthCheck: &compute.RegionHealthCheckHttpHealthCheckArgs{
Port: pulumi.Int(80),
},
})
if err != nil {
return err
}
defaultRegionBackendService, err := compute.NewRegionBackendService(ctx, "default", &compute.RegionBackendServiceArgs{
Region: pulumi.String("us-central1"),
Name: pulumi.String("backend-service"),
Protocol: pulumi.String("HTTP"),
LoadBalancingScheme: pulumi.String("INTERNAL_MANAGED"),
TimeoutSec: pulumi.Int(10),
HealthChecks: defaultRegionHealthCheck.ID(),
})
if err != nil {
return err
}
defaultRegionUrlMap, err := compute.NewRegionUrlMap(ctx, "default", &compute.RegionUrlMapArgs{
Region: pulumi.String("us-central1"),
Name: pulumi.String("url-map"),
Description: pulumi.String("a description"),
DefaultService: defaultRegionBackendService.ID(),
HostRules: compute.RegionUrlMapHostRuleArray{
&compute.RegionUrlMapHostRuleArgs{
Hosts: pulumi.StringArray{
pulumi.String("mysite.com"),
},
PathMatcher: pulumi.String("allpaths"),
},
},
PathMatchers: compute.RegionUrlMapPathMatcherArray{
&compute.RegionUrlMapPathMatcherArgs{
Name: pulumi.String("allpaths"),
DefaultService: defaultRegionBackendService.ID(),
PathRules: compute.RegionUrlMapPathMatcherPathRuleArray{
&compute.RegionUrlMapPathMatcherPathRuleArgs{
Paths: pulumi.StringArray{
pulumi.String("/*"),
},
Service: defaultRegionBackendService.ID(),
},
},
},
},
})
if err != nil {
return err
}
_, err = compute.NewRegionTargetHttpsProxy(ctx, "default", &compute.RegionTargetHttpsProxyArgs{
Region: pulumi.String("us-central1"),
Name: pulumi.String("test-proxy"),
UrlMap: defaultRegionUrlMap.ID(),
SslCertificates: pulumi.StringArray{
defaultRegionSslCertificate.ID(),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Std = Pulumi.Std;
return await Deployment.RunAsync(() =>
{
var defaultRegionSslCertificate = new Gcp.Compute.RegionSslCertificate("default", new()
{
Region = "us-central1",
Name = "my-certificate",
PrivateKey = Std.File.Invoke(new()
{
Input = "path/to/private.key",
}).Apply(invoke => invoke.Result),
Certificate = Std.File.Invoke(new()
{
Input = "path/to/certificate.crt",
}).Apply(invoke => invoke.Result),
});
var defaultRegionHealthCheck = new Gcp.Compute.RegionHealthCheck("default", new()
{
Region = "us-central1",
Name = "http-health-check",
HttpHealthCheck = new Gcp.Compute.Inputs.RegionHealthCheckHttpHealthCheckArgs
{
Port = 80,
},
});
var defaultRegionBackendService = new Gcp.Compute.RegionBackendService("default", new()
{
Region = "us-central1",
Name = "backend-service",
Protocol = "HTTP",
LoadBalancingScheme = "INTERNAL_MANAGED",
TimeoutSec = 10,
HealthChecks = defaultRegionHealthCheck.Id,
});
var defaultRegionUrlMap = new Gcp.Compute.RegionUrlMap("default", new()
{
Region = "us-central1",
Name = "url-map",
Description = "a description",
DefaultService = defaultRegionBackendService.Id,
HostRules = new[]
{
new Gcp.Compute.Inputs.RegionUrlMapHostRuleArgs
{
Hosts = new[]
{
"mysite.com",
},
PathMatcher = "allpaths",
},
},
PathMatchers = new[]
{
new Gcp.Compute.Inputs.RegionUrlMapPathMatcherArgs
{
Name = "allpaths",
DefaultService = defaultRegionBackendService.Id,
PathRules = new[]
{
new Gcp.Compute.Inputs.RegionUrlMapPathMatcherPathRuleArgs
{
Paths = new[]
{
"/*",
},
Service = defaultRegionBackendService.Id,
},
},
},
},
});
var @default = new Gcp.Compute.RegionTargetHttpsProxy("default", new()
{
Region = "us-central1",
Name = "test-proxy",
UrlMap = defaultRegionUrlMap.Id,
SslCertificates = new[]
{
defaultRegionSslCertificate.Id,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.RegionSslCertificate;
import com.pulumi.gcp.compute.RegionSslCertificateArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import com.pulumi.gcp.compute.RegionHealthCheck;
import com.pulumi.gcp.compute.RegionHealthCheckArgs;
import com.pulumi.gcp.compute.inputs.RegionHealthCheckHttpHealthCheckArgs;
import com.pulumi.gcp.compute.RegionBackendService;
import com.pulumi.gcp.compute.RegionBackendServiceArgs;
import com.pulumi.gcp.compute.RegionUrlMap;
import com.pulumi.gcp.compute.RegionUrlMapArgs;
import com.pulumi.gcp.compute.inputs.RegionUrlMapHostRuleArgs;
import com.pulumi.gcp.compute.inputs.RegionUrlMapPathMatcherArgs;
import com.pulumi.gcp.compute.RegionTargetHttpsProxy;
import com.pulumi.gcp.compute.RegionTargetHttpsProxyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var defaultRegionSslCertificate = new RegionSslCertificate("defaultRegionSslCertificate", RegionSslCertificateArgs.builder()
.region("us-central1")
.name("my-certificate")
.privateKey(StdFunctions.file(FileArgs.builder()
.input("path/to/private.key")
.build()).result())
.certificate(StdFunctions.file(FileArgs.builder()
.input("path/to/certificate.crt")
.build()).result())
.build());
var defaultRegionHealthCheck = new RegionHealthCheck("defaultRegionHealthCheck", RegionHealthCheckArgs.builder()
.region("us-central1")
.name("http-health-check")
.httpHealthCheck(RegionHealthCheckHttpHealthCheckArgs.builder()
.port(80)
.build())
.build());
var defaultRegionBackendService = new RegionBackendService("defaultRegionBackendService", RegionBackendServiceArgs.builder()
.region("us-central1")
.name("backend-service")
.protocol("HTTP")
.loadBalancingScheme("INTERNAL_MANAGED")
.timeoutSec(10)
.healthChecks(defaultRegionHealthCheck.id())
.build());
var defaultRegionUrlMap = new RegionUrlMap("defaultRegionUrlMap", RegionUrlMapArgs.builder()
.region("us-central1")
.name("url-map")
.description("a description")
.defaultService(defaultRegionBackendService.id())
.hostRules(RegionUrlMapHostRuleArgs.builder()
.hosts("mysite.com")
.pathMatcher("allpaths")
.build())
.pathMatchers(RegionUrlMapPathMatcherArgs.builder()
.name("allpaths")
.defaultService(defaultRegionBackendService.id())
.pathRules(RegionUrlMapPathMatcherPathRuleArgs.builder()
.paths("/*")
.service(defaultRegionBackendService.id())
.build())
.build())
.build());
var default_ = new RegionTargetHttpsProxy("default", RegionTargetHttpsProxyArgs.builder()
.region("us-central1")
.name("test-proxy")
.urlMap(defaultRegionUrlMap.id())
.sslCertificates(defaultRegionSslCertificate.id())
.build());
}
}
resources:
default:
type: gcp:compute:RegionTargetHttpsProxy
properties:
region: us-central1
name: test-proxy
urlMap: ${defaultRegionUrlMap.id}
sslCertificates:
- ${defaultRegionSslCertificate.id}
defaultRegionSslCertificate:
type: gcp:compute:RegionSslCertificate
name: default
properties:
region: us-central1
name: my-certificate
privateKey:
fn::invoke:
function: std:file
arguments:
input: path/to/private.key
return: result
certificate:
fn::invoke:
function: std:file
arguments:
input: path/to/certificate.crt
return: result
defaultRegionUrlMap:
type: gcp:compute:RegionUrlMap
name: default
properties:
region: us-central1
name: url-map
description: a description
defaultService: ${defaultRegionBackendService.id}
hostRules:
- hosts:
- mysite.com
pathMatcher: allpaths
pathMatchers:
- name: allpaths
defaultService: ${defaultRegionBackendService.id}
pathRules:
- paths:
- /*
service: ${defaultRegionBackendService.id}
defaultRegionBackendService:
type: gcp:compute:RegionBackendService
name: default
properties:
region: us-central1
name: backend-service
protocol: HTTP
loadBalancingScheme: INTERNAL_MANAGED
timeoutSec: 10
healthChecks: ${defaultRegionHealthCheck.id}
defaultRegionHealthCheck:
type: gcp:compute:RegionHealthCheck
name: default
properties:
region: us-central1
name: http-health-check
httpHealthCheck:
port: 80
The proxy receives encrypted traffic, decrypts it using the certificate from sslCertificates, then consults the urlMap to determine which backend service handles the request. The URL map defines host rules and path matchers that route traffic based on the request URL. This example uses INTERNAL_MANAGED load balancing, which requires VPC configuration.
Configure connection keep-alive timeouts
Applications with long-polling clients or WebSocket-style connections need extended idle timeouts to prevent premature connection closure.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as std from "@pulumi/std";
const defaultRegionSslCertificate = new gcp.compute.RegionSslCertificate("default", {
region: "us-central1",
name: "my-certificate",
privateKey: std.file({
input: "path/to/private.key",
}).then(invoke => invoke.result),
certificate: std.file({
input: "path/to/certificate.crt",
}).then(invoke => invoke.result),
});
const defaultRegionHealthCheck = new gcp.compute.RegionHealthCheck("default", {
region: "us-central1",
name: "http-health-check",
httpHealthCheck: {
port: 80,
},
});
const defaultRegionBackendService = new gcp.compute.RegionBackendService("default", {
region: "us-central1",
name: "backend-service",
portName: "http",
protocol: "HTTP",
timeoutSec: 10,
loadBalancingScheme: "INTERNAL_MANAGED",
healthChecks: defaultRegionHealthCheck.id,
});
const defaultRegionUrlMap = new gcp.compute.RegionUrlMap("default", {
region: "us-central1",
name: "url-map",
description: "a description",
defaultService: defaultRegionBackendService.id,
hostRules: [{
hosts: ["mysite.com"],
pathMatcher: "allpaths",
}],
pathMatchers: [{
name: "allpaths",
defaultService: defaultRegionBackendService.id,
pathRules: [{
paths: ["/*"],
service: defaultRegionBackendService.id,
}],
}],
});
const _default = new gcp.compute.RegionTargetHttpsProxy("default", {
region: "us-central1",
name: "test-http-keep-alive-timeout-proxy",
httpKeepAliveTimeoutSec: 600,
urlMap: defaultRegionUrlMap.id,
sslCertificates: [defaultRegionSslCertificate.id],
});
import pulumi
import pulumi_gcp as gcp
import pulumi_std as std
default_region_ssl_certificate = gcp.compute.RegionSslCertificate("default",
region="us-central1",
name="my-certificate",
private_key=std.file(input="path/to/private.key").result,
certificate=std.file(input="path/to/certificate.crt").result)
default_region_health_check = gcp.compute.RegionHealthCheck("default",
region="us-central1",
name="http-health-check",
http_health_check={
"port": 80,
})
default_region_backend_service = gcp.compute.RegionBackendService("default",
region="us-central1",
name="backend-service",
port_name="http",
protocol="HTTP",
timeout_sec=10,
load_balancing_scheme="INTERNAL_MANAGED",
health_checks=default_region_health_check.id)
default_region_url_map = gcp.compute.RegionUrlMap("default",
region="us-central1",
name="url-map",
description="a description",
default_service=default_region_backend_service.id,
host_rules=[{
"hosts": ["mysite.com"],
"path_matcher": "allpaths",
}],
path_matchers=[{
"name": "allpaths",
"default_service": default_region_backend_service.id,
"path_rules": [{
"paths": ["/*"],
"service": default_region_backend_service.id,
}],
}])
default = gcp.compute.RegionTargetHttpsProxy("default",
region="us-central1",
name="test-http-keep-alive-timeout-proxy",
http_keep_alive_timeout_sec=600,
url_map=default_region_url_map.id,
ssl_certificates=[default_region_ssl_certificate.id])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "path/to/private.key",
}, nil)
if err != nil {
return err
}
invokeFile1, err := std.File(ctx, &std.FileArgs{
Input: "path/to/certificate.crt",
}, nil)
if err != nil {
return err
}
defaultRegionSslCertificate, err := compute.NewRegionSslCertificate(ctx, "default", &compute.RegionSslCertificateArgs{
Region: pulumi.String("us-central1"),
Name: pulumi.String("my-certificate"),
PrivateKey: pulumi.String(invokeFile.Result),
Certificate: pulumi.String(invokeFile1.Result),
})
if err != nil {
return err
}
defaultRegionHealthCheck, err := compute.NewRegionHealthCheck(ctx, "default", &compute.RegionHealthCheckArgs{
Region: pulumi.String("us-central1"),
Name: pulumi.String("http-health-check"),
HttpHealthCheck: &compute.RegionHealthCheckHttpHealthCheckArgs{
Port: pulumi.Int(80),
},
})
if err != nil {
return err
}
defaultRegionBackendService, err := compute.NewRegionBackendService(ctx, "default", &compute.RegionBackendServiceArgs{
Region: pulumi.String("us-central1"),
Name: pulumi.String("backend-service"),
PortName: pulumi.String("http"),
Protocol: pulumi.String("HTTP"),
TimeoutSec: pulumi.Int(10),
LoadBalancingScheme: pulumi.String("INTERNAL_MANAGED"),
HealthChecks: defaultRegionHealthCheck.ID(),
})
if err != nil {
return err
}
defaultRegionUrlMap, err := compute.NewRegionUrlMap(ctx, "default", &compute.RegionUrlMapArgs{
Region: pulumi.String("us-central1"),
Name: pulumi.String("url-map"),
Description: pulumi.String("a description"),
DefaultService: defaultRegionBackendService.ID(),
HostRules: compute.RegionUrlMapHostRuleArray{
&compute.RegionUrlMapHostRuleArgs{
Hosts: pulumi.StringArray{
pulumi.String("mysite.com"),
},
PathMatcher: pulumi.String("allpaths"),
},
},
PathMatchers: compute.RegionUrlMapPathMatcherArray{
&compute.RegionUrlMapPathMatcherArgs{
Name: pulumi.String("allpaths"),
DefaultService: defaultRegionBackendService.ID(),
PathRules: compute.RegionUrlMapPathMatcherPathRuleArray{
&compute.RegionUrlMapPathMatcherPathRuleArgs{
Paths: pulumi.StringArray{
pulumi.String("/*"),
},
Service: defaultRegionBackendService.ID(),
},
},
},
},
})
if err != nil {
return err
}
_, err = compute.NewRegionTargetHttpsProxy(ctx, "default", &compute.RegionTargetHttpsProxyArgs{
Region: pulumi.String("us-central1"),
Name: pulumi.String("test-http-keep-alive-timeout-proxy"),
HttpKeepAliveTimeoutSec: pulumi.Int(600),
UrlMap: defaultRegionUrlMap.ID(),
SslCertificates: pulumi.StringArray{
defaultRegionSslCertificate.ID(),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Std = Pulumi.Std;
return await Deployment.RunAsync(() =>
{
var defaultRegionSslCertificate = new Gcp.Compute.RegionSslCertificate("default", new()
{
Region = "us-central1",
Name = "my-certificate",
PrivateKey = Std.File.Invoke(new()
{
Input = "path/to/private.key",
}).Apply(invoke => invoke.Result),
Certificate = Std.File.Invoke(new()
{
Input = "path/to/certificate.crt",
}).Apply(invoke => invoke.Result),
});
var defaultRegionHealthCheck = new Gcp.Compute.RegionHealthCheck("default", new()
{
Region = "us-central1",
Name = "http-health-check",
HttpHealthCheck = new Gcp.Compute.Inputs.RegionHealthCheckHttpHealthCheckArgs
{
Port = 80,
},
});
var defaultRegionBackendService = new Gcp.Compute.RegionBackendService("default", new()
{
Region = "us-central1",
Name = "backend-service",
PortName = "http",
Protocol = "HTTP",
TimeoutSec = 10,
LoadBalancingScheme = "INTERNAL_MANAGED",
HealthChecks = defaultRegionHealthCheck.Id,
});
var defaultRegionUrlMap = new Gcp.Compute.RegionUrlMap("default", new()
{
Region = "us-central1",
Name = "url-map",
Description = "a description",
DefaultService = defaultRegionBackendService.Id,
HostRules = new[]
{
new Gcp.Compute.Inputs.RegionUrlMapHostRuleArgs
{
Hosts = new[]
{
"mysite.com",
},
PathMatcher = "allpaths",
},
},
PathMatchers = new[]
{
new Gcp.Compute.Inputs.RegionUrlMapPathMatcherArgs
{
Name = "allpaths",
DefaultService = defaultRegionBackendService.Id,
PathRules = new[]
{
new Gcp.Compute.Inputs.RegionUrlMapPathMatcherPathRuleArgs
{
Paths = new[]
{
"/*",
},
Service = defaultRegionBackendService.Id,
},
},
},
},
});
var @default = new Gcp.Compute.RegionTargetHttpsProxy("default", new()
{
Region = "us-central1",
Name = "test-http-keep-alive-timeout-proxy",
HttpKeepAliveTimeoutSec = 600,
UrlMap = defaultRegionUrlMap.Id,
SslCertificates = new[]
{
defaultRegionSslCertificate.Id,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.RegionSslCertificate;
import com.pulumi.gcp.compute.RegionSslCertificateArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import com.pulumi.gcp.compute.RegionHealthCheck;
import com.pulumi.gcp.compute.RegionHealthCheckArgs;
import com.pulumi.gcp.compute.inputs.RegionHealthCheckHttpHealthCheckArgs;
import com.pulumi.gcp.compute.RegionBackendService;
import com.pulumi.gcp.compute.RegionBackendServiceArgs;
import com.pulumi.gcp.compute.RegionUrlMap;
import com.pulumi.gcp.compute.RegionUrlMapArgs;
import com.pulumi.gcp.compute.inputs.RegionUrlMapHostRuleArgs;
import com.pulumi.gcp.compute.inputs.RegionUrlMapPathMatcherArgs;
import com.pulumi.gcp.compute.RegionTargetHttpsProxy;
import com.pulumi.gcp.compute.RegionTargetHttpsProxyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var defaultRegionSslCertificate = new RegionSslCertificate("defaultRegionSslCertificate", RegionSslCertificateArgs.builder()
.region("us-central1")
.name("my-certificate")
.privateKey(StdFunctions.file(FileArgs.builder()
.input("path/to/private.key")
.build()).result())
.certificate(StdFunctions.file(FileArgs.builder()
.input("path/to/certificate.crt")
.build()).result())
.build());
var defaultRegionHealthCheck = new RegionHealthCheck("defaultRegionHealthCheck", RegionHealthCheckArgs.builder()
.region("us-central1")
.name("http-health-check")
.httpHealthCheck(RegionHealthCheckHttpHealthCheckArgs.builder()
.port(80)
.build())
.build());
var defaultRegionBackendService = new RegionBackendService("defaultRegionBackendService", RegionBackendServiceArgs.builder()
.region("us-central1")
.name("backend-service")
.portName("http")
.protocol("HTTP")
.timeoutSec(10)
.loadBalancingScheme("INTERNAL_MANAGED")
.healthChecks(defaultRegionHealthCheck.id())
.build());
var defaultRegionUrlMap = new RegionUrlMap("defaultRegionUrlMap", RegionUrlMapArgs.builder()
.region("us-central1")
.name("url-map")
.description("a description")
.defaultService(defaultRegionBackendService.id())
.hostRules(RegionUrlMapHostRuleArgs.builder()
.hosts("mysite.com")
.pathMatcher("allpaths")
.build())
.pathMatchers(RegionUrlMapPathMatcherArgs.builder()
.name("allpaths")
.defaultService(defaultRegionBackendService.id())
.pathRules(RegionUrlMapPathMatcherPathRuleArgs.builder()
.paths("/*")
.service(defaultRegionBackendService.id())
.build())
.build())
.build());
var default_ = new RegionTargetHttpsProxy("default", RegionTargetHttpsProxyArgs.builder()
.region("us-central1")
.name("test-http-keep-alive-timeout-proxy")
.httpKeepAliveTimeoutSec(600)
.urlMap(defaultRegionUrlMap.id())
.sslCertificates(defaultRegionSslCertificate.id())
.build());
}
}
resources:
default:
type: gcp:compute:RegionTargetHttpsProxy
properties:
region: us-central1
name: test-http-keep-alive-timeout-proxy
httpKeepAliveTimeoutSec: 600
urlMap: ${defaultRegionUrlMap.id}
sslCertificates:
- ${defaultRegionSslCertificate.id}
defaultRegionSslCertificate:
type: gcp:compute:RegionSslCertificate
name: default
properties:
region: us-central1
name: my-certificate
privateKey:
fn::invoke:
function: std:file
arguments:
input: path/to/private.key
return: result
certificate:
fn::invoke:
function: std:file
arguments:
input: path/to/certificate.crt
return: result
defaultRegionUrlMap:
type: gcp:compute:RegionUrlMap
name: default
properties:
region: us-central1
name: url-map
description: a description
defaultService: ${defaultRegionBackendService.id}
hostRules:
- hosts:
- mysite.com
pathMatcher: allpaths
pathMatchers:
- name: allpaths
defaultService: ${defaultRegionBackendService.id}
pathRules:
- paths:
- /*
service: ${defaultRegionBackendService.id}
defaultRegionBackendService:
type: gcp:compute:RegionBackendService
name: default
properties:
region: us-central1
name: backend-service
portName: http
protocol: HTTP
timeoutSec: 10
loadBalancingScheme: INTERNAL_MANAGED
healthChecks: ${defaultRegionHealthCheck.id}
defaultRegionHealthCheck:
type: gcp:compute:RegionHealthCheck
name: default
properties:
region: us-central1
name: http-health-check
httpHealthCheck:
port: 80
The httpKeepAliveTimeoutSec property controls how long the proxy keeps idle connections open after completing a response. The default is 600 seconds; this example maintains that value explicitly. Regional HTTPS proxies accept values between 5 and 600 seconds.
Enforce mutual TLS authentication
Zero-trust architectures validate both server and client certificates, ensuring only authorized clients can connect.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as std from "@pulumi/std";
const project = gcp.organizations.getProject({});
const defaultTrustConfig = new gcp.certificatemanager.TrustConfig("default", {
location: "us-central1",
name: "my-trust-config",
description: "sample description for trust config",
trustStores: [{
trustAnchors: [{
pemCertificate: std.file({
input: "test-fixtures/ca_cert.pem",
}).then(invoke => invoke.result),
}],
intermediateCas: [{
pemCertificate: std.file({
input: "test-fixtures/ca_cert.pem",
}).then(invoke => invoke.result),
}],
}],
labels: {
foo: "bar",
},
});
const defaultServerTlsPolicy = new gcp.networksecurity.ServerTlsPolicy("default", {
location: "us-central1",
name: "my-tls-policy",
description: "my description",
allowOpen: false,
mtlsPolicy: {
clientValidationMode: "REJECT_INVALID",
clientValidationTrustConfig: pulumi.all([project, defaultTrustConfig.name]).apply(([project, name]) => `projects/${project.number}/locations/us-central1/trustConfigs/${name}`),
},
});
const defaultRegionSslCertificate = new gcp.compute.RegionSslCertificate("default", {
region: "us-central1",
name: "my-certificate",
privateKey: std.file({
input: "path/to/private.key",
}).then(invoke => invoke.result),
certificate: std.file({
input: "path/to/certificate.crt",
}).then(invoke => invoke.result),
});
const defaultRegionHealthCheck = new gcp.compute.RegionHealthCheck("default", {
region: "us-central1",
name: "http-health-check",
checkIntervalSec: 1,
timeoutSec: 1,
httpHealthCheck: {
port: 80,
},
});
const defaultRegionBackendService = new gcp.compute.RegionBackendService("default", {
region: "us-central1",
name: "backend-service",
portName: "http",
protocol: "HTTP",
timeoutSec: 10,
loadBalancingScheme: "INTERNAL_MANAGED",
healthChecks: defaultRegionHealthCheck.id,
});
const defaultRegionUrlMap = new gcp.compute.RegionUrlMap("default", {
region: "us-central1",
name: "url-map",
description: "a description",
defaultService: defaultRegionBackendService.id,
hostRules: [{
hosts: ["mysite.com"],
pathMatcher: "allpaths",
}],
pathMatchers: [{
name: "allpaths",
defaultService: defaultRegionBackendService.id,
pathRules: [{
paths: ["/*"],
service: defaultRegionBackendService.id,
}],
}],
});
const _default = new gcp.compute.RegionTargetHttpsProxy("default", {
region: "us-central1",
name: "test-mtls-proxy",
urlMap: defaultRegionUrlMap.id,
sslCertificates: [defaultRegionSslCertificate.id],
serverTlsPolicy: defaultServerTlsPolicy.id,
});
import pulumi
import pulumi_gcp as gcp
import pulumi_std as std
project = gcp.organizations.get_project()
default_trust_config = gcp.certificatemanager.TrustConfig("default",
location="us-central1",
name="my-trust-config",
description="sample description for trust config",
trust_stores=[{
"trust_anchors": [{
"pem_certificate": std.file(input="test-fixtures/ca_cert.pem").result,
}],
"intermediate_cas": [{
"pem_certificate": std.file(input="test-fixtures/ca_cert.pem").result,
}],
}],
labels={
"foo": "bar",
})
default_server_tls_policy = gcp.networksecurity.ServerTlsPolicy("default",
location="us-central1",
name="my-tls-policy",
description="my description",
allow_open=False,
mtls_policy={
"client_validation_mode": "REJECT_INVALID",
"client_validation_trust_config": default_trust_config.name.apply(lambda name: f"projects/{project.number}/locations/us-central1/trustConfigs/{name}"),
})
default_region_ssl_certificate = gcp.compute.RegionSslCertificate("default",
region="us-central1",
name="my-certificate",
private_key=std.file(input="path/to/private.key").result,
certificate=std.file(input="path/to/certificate.crt").result)
default_region_health_check = gcp.compute.RegionHealthCheck("default",
region="us-central1",
name="http-health-check",
check_interval_sec=1,
timeout_sec=1,
http_health_check={
"port": 80,
})
default_region_backend_service = gcp.compute.RegionBackendService("default",
region="us-central1",
name="backend-service",
port_name="http",
protocol="HTTP",
timeout_sec=10,
load_balancing_scheme="INTERNAL_MANAGED",
health_checks=default_region_health_check.id)
default_region_url_map = gcp.compute.RegionUrlMap("default",
region="us-central1",
name="url-map",
description="a description",
default_service=default_region_backend_service.id,
host_rules=[{
"hosts": ["mysite.com"],
"path_matcher": "allpaths",
}],
path_matchers=[{
"name": "allpaths",
"default_service": default_region_backend_service.id,
"path_rules": [{
"paths": ["/*"],
"service": default_region_backend_service.id,
}],
}])
default = gcp.compute.RegionTargetHttpsProxy("default",
region="us-central1",
name="test-mtls-proxy",
url_map=default_region_url_map.id,
ssl_certificates=[default_region_ssl_certificate.id],
server_tls_policy=default_server_tls_policy.id)
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/certificatemanager"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/networksecurity"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
project, err := organizations.LookupProject(ctx, &organizations.LookupProjectArgs{}, nil)
if err != nil {
return err
}
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "test-fixtures/ca_cert.pem",
}, nil)
if err != nil {
return err
}
invokeFile1, err := std.File(ctx, &std.FileArgs{
Input: "test-fixtures/ca_cert.pem",
}, nil)
if err != nil {
return err
}
defaultTrustConfig, err := certificatemanager.NewTrustConfig(ctx, "default", &certificatemanager.TrustConfigArgs{
Location: pulumi.String("us-central1"),
Name: pulumi.String("my-trust-config"),
Description: pulumi.String("sample description for trust config"),
TrustStores: certificatemanager.TrustConfigTrustStoreArray{
&certificatemanager.TrustConfigTrustStoreArgs{
TrustAnchors: certificatemanager.TrustConfigTrustStoreTrustAnchorArray{
&certificatemanager.TrustConfigTrustStoreTrustAnchorArgs{
PemCertificate: pulumi.String(invokeFile.Result),
},
},
IntermediateCas: certificatemanager.TrustConfigTrustStoreIntermediateCaArray{
&certificatemanager.TrustConfigTrustStoreIntermediateCaArgs{
PemCertificate: pulumi.String(invokeFile1.Result),
},
},
},
},
Labels: pulumi.StringMap{
"foo": pulumi.String("bar"),
},
})
if err != nil {
return err
}
defaultServerTlsPolicy, err := networksecurity.NewServerTlsPolicy(ctx, "default", &networksecurity.ServerTlsPolicyArgs{
Location: pulumi.String("us-central1"),
Name: pulumi.String("my-tls-policy"),
Description: pulumi.String("my description"),
AllowOpen: pulumi.Bool(false),
MtlsPolicy: &networksecurity.ServerTlsPolicyMtlsPolicyArgs{
ClientValidationMode: pulumi.String("REJECT_INVALID"),
ClientValidationTrustConfig: defaultTrustConfig.Name.ApplyT(func(name string) (string, error) {
return fmt.Sprintf("projects/%v/locations/us-central1/trustConfigs/%v", project.Number, name), nil
}).(pulumi.StringOutput),
},
})
if err != nil {
return err
}
invokeFile2, err := std.File(ctx, &std.FileArgs{
Input: "path/to/private.key",
}, nil)
if err != nil {
return err
}
invokeFile3, err := std.File(ctx, &std.FileArgs{
Input: "path/to/certificate.crt",
}, nil)
if err != nil {
return err
}
defaultRegionSslCertificate, err := compute.NewRegionSslCertificate(ctx, "default", &compute.RegionSslCertificateArgs{
Region: pulumi.String("us-central1"),
Name: pulumi.String("my-certificate"),
PrivateKey: pulumi.String(invokeFile2.Result),
Certificate: pulumi.String(invokeFile3.Result),
})
if err != nil {
return err
}
defaultRegionHealthCheck, err := compute.NewRegionHealthCheck(ctx, "default", &compute.RegionHealthCheckArgs{
Region: pulumi.String("us-central1"),
Name: pulumi.String("http-health-check"),
CheckIntervalSec: pulumi.Int(1),
TimeoutSec: pulumi.Int(1),
HttpHealthCheck: &compute.RegionHealthCheckHttpHealthCheckArgs{
Port: pulumi.Int(80),
},
})
if err != nil {
return err
}
defaultRegionBackendService, err := compute.NewRegionBackendService(ctx, "default", &compute.RegionBackendServiceArgs{
Region: pulumi.String("us-central1"),
Name: pulumi.String("backend-service"),
PortName: pulumi.String("http"),
Protocol: pulumi.String("HTTP"),
TimeoutSec: pulumi.Int(10),
LoadBalancingScheme: pulumi.String("INTERNAL_MANAGED"),
HealthChecks: defaultRegionHealthCheck.ID(),
})
if err != nil {
return err
}
defaultRegionUrlMap, err := compute.NewRegionUrlMap(ctx, "default", &compute.RegionUrlMapArgs{
Region: pulumi.String("us-central1"),
Name: pulumi.String("url-map"),
Description: pulumi.String("a description"),
DefaultService: defaultRegionBackendService.ID(),
HostRules: compute.RegionUrlMapHostRuleArray{
&compute.RegionUrlMapHostRuleArgs{
Hosts: pulumi.StringArray{
pulumi.String("mysite.com"),
},
PathMatcher: pulumi.String("allpaths"),
},
},
PathMatchers: compute.RegionUrlMapPathMatcherArray{
&compute.RegionUrlMapPathMatcherArgs{
Name: pulumi.String("allpaths"),
DefaultService: defaultRegionBackendService.ID(),
PathRules: compute.RegionUrlMapPathMatcherPathRuleArray{
&compute.RegionUrlMapPathMatcherPathRuleArgs{
Paths: pulumi.StringArray{
pulumi.String("/*"),
},
Service: defaultRegionBackendService.ID(),
},
},
},
},
})
if err != nil {
return err
}
_, err = compute.NewRegionTargetHttpsProxy(ctx, "default", &compute.RegionTargetHttpsProxyArgs{
Region: pulumi.String("us-central1"),
Name: pulumi.String("test-mtls-proxy"),
UrlMap: defaultRegionUrlMap.ID(),
SslCertificates: pulumi.StringArray{
defaultRegionSslCertificate.ID(),
},
ServerTlsPolicy: defaultServerTlsPolicy.ID(),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Std = Pulumi.Std;
return await Deployment.RunAsync(() =>
{
var project = Gcp.Organizations.GetProject.Invoke();
var defaultTrustConfig = new Gcp.CertificateManager.TrustConfig("default", new()
{
Location = "us-central1",
Name = "my-trust-config",
Description = "sample description for trust config",
TrustStores = new[]
{
new Gcp.CertificateManager.Inputs.TrustConfigTrustStoreArgs
{
TrustAnchors = new[]
{
new Gcp.CertificateManager.Inputs.TrustConfigTrustStoreTrustAnchorArgs
{
PemCertificate = Std.File.Invoke(new()
{
Input = "test-fixtures/ca_cert.pem",
}).Apply(invoke => invoke.Result),
},
},
IntermediateCas = new[]
{
new Gcp.CertificateManager.Inputs.TrustConfigTrustStoreIntermediateCaArgs
{
PemCertificate = Std.File.Invoke(new()
{
Input = "test-fixtures/ca_cert.pem",
}).Apply(invoke => invoke.Result),
},
},
},
},
Labels =
{
{ "foo", "bar" },
},
});
var defaultServerTlsPolicy = new Gcp.NetworkSecurity.ServerTlsPolicy("default", new()
{
Location = "us-central1",
Name = "my-tls-policy",
Description = "my description",
AllowOpen = false,
MtlsPolicy = new Gcp.NetworkSecurity.Inputs.ServerTlsPolicyMtlsPolicyArgs
{
ClientValidationMode = "REJECT_INVALID",
ClientValidationTrustConfig = Output.Tuple(project, defaultTrustConfig.Name).Apply(values =>
{
var project = values.Item1;
var name = values.Item2;
return $"projects/{project.Apply(getProjectResult => getProjectResult.Number)}/locations/us-central1/trustConfigs/{name}";
}),
},
});
var defaultRegionSslCertificate = new Gcp.Compute.RegionSslCertificate("default", new()
{
Region = "us-central1",
Name = "my-certificate",
PrivateKey = Std.File.Invoke(new()
{
Input = "path/to/private.key",
}).Apply(invoke => invoke.Result),
Certificate = Std.File.Invoke(new()
{
Input = "path/to/certificate.crt",
}).Apply(invoke => invoke.Result),
});
var defaultRegionHealthCheck = new Gcp.Compute.RegionHealthCheck("default", new()
{
Region = "us-central1",
Name = "http-health-check",
CheckIntervalSec = 1,
TimeoutSec = 1,
HttpHealthCheck = new Gcp.Compute.Inputs.RegionHealthCheckHttpHealthCheckArgs
{
Port = 80,
},
});
var defaultRegionBackendService = new Gcp.Compute.RegionBackendService("default", new()
{
Region = "us-central1",
Name = "backend-service",
PortName = "http",
Protocol = "HTTP",
TimeoutSec = 10,
LoadBalancingScheme = "INTERNAL_MANAGED",
HealthChecks = defaultRegionHealthCheck.Id,
});
var defaultRegionUrlMap = new Gcp.Compute.RegionUrlMap("default", new()
{
Region = "us-central1",
Name = "url-map",
Description = "a description",
DefaultService = defaultRegionBackendService.Id,
HostRules = new[]
{
new Gcp.Compute.Inputs.RegionUrlMapHostRuleArgs
{
Hosts = new[]
{
"mysite.com",
},
PathMatcher = "allpaths",
},
},
PathMatchers = new[]
{
new Gcp.Compute.Inputs.RegionUrlMapPathMatcherArgs
{
Name = "allpaths",
DefaultService = defaultRegionBackendService.Id,
PathRules = new[]
{
new Gcp.Compute.Inputs.RegionUrlMapPathMatcherPathRuleArgs
{
Paths = new[]
{
"/*",
},
Service = defaultRegionBackendService.Id,
},
},
},
},
});
var @default = new Gcp.Compute.RegionTargetHttpsProxy("default", new()
{
Region = "us-central1",
Name = "test-mtls-proxy",
UrlMap = defaultRegionUrlMap.Id,
SslCertificates = new[]
{
defaultRegionSslCertificate.Id,
},
ServerTlsPolicy = defaultServerTlsPolicy.Id,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetProjectArgs;
import com.pulumi.gcp.certificatemanager.TrustConfig;
import com.pulumi.gcp.certificatemanager.TrustConfigArgs;
import com.pulumi.gcp.certificatemanager.inputs.TrustConfigTrustStoreArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import com.pulumi.gcp.networksecurity.ServerTlsPolicy;
import com.pulumi.gcp.networksecurity.ServerTlsPolicyArgs;
import com.pulumi.gcp.networksecurity.inputs.ServerTlsPolicyMtlsPolicyArgs;
import com.pulumi.gcp.compute.RegionSslCertificate;
import com.pulumi.gcp.compute.RegionSslCertificateArgs;
import com.pulumi.gcp.compute.RegionHealthCheck;
import com.pulumi.gcp.compute.RegionHealthCheckArgs;
import com.pulumi.gcp.compute.inputs.RegionHealthCheckHttpHealthCheckArgs;
import com.pulumi.gcp.compute.RegionBackendService;
import com.pulumi.gcp.compute.RegionBackendServiceArgs;
import com.pulumi.gcp.compute.RegionUrlMap;
import com.pulumi.gcp.compute.RegionUrlMapArgs;
import com.pulumi.gcp.compute.inputs.RegionUrlMapHostRuleArgs;
import com.pulumi.gcp.compute.inputs.RegionUrlMapPathMatcherArgs;
import com.pulumi.gcp.compute.RegionTargetHttpsProxy;
import com.pulumi.gcp.compute.RegionTargetHttpsProxyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var project = OrganizationsFunctions.getProject(GetProjectArgs.builder()
.build());
var defaultTrustConfig = new TrustConfig("defaultTrustConfig", TrustConfigArgs.builder()
.location("us-central1")
.name("my-trust-config")
.description("sample description for trust config")
.trustStores(TrustConfigTrustStoreArgs.builder()
.trustAnchors(TrustConfigTrustStoreTrustAnchorArgs.builder()
.pemCertificate(StdFunctions.file(FileArgs.builder()
.input("test-fixtures/ca_cert.pem")
.build()).result())
.build())
.intermediateCas(TrustConfigTrustStoreIntermediateCaArgs.builder()
.pemCertificate(StdFunctions.file(FileArgs.builder()
.input("test-fixtures/ca_cert.pem")
.build()).result())
.build())
.build())
.labels(Map.of("foo", "bar"))
.build());
var defaultServerTlsPolicy = new ServerTlsPolicy("defaultServerTlsPolicy", ServerTlsPolicyArgs.builder()
.location("us-central1")
.name("my-tls-policy")
.description("my description")
.allowOpen(false)
.mtlsPolicy(ServerTlsPolicyMtlsPolicyArgs.builder()
.clientValidationMode("REJECT_INVALID")
.clientValidationTrustConfig(defaultTrustConfig.name().applyValue(_name -> String.format("projects/%s/locations/us-central1/trustConfigs/%s", project.number(),_name)))
.build())
.build());
var defaultRegionSslCertificate = new RegionSslCertificate("defaultRegionSslCertificate", RegionSslCertificateArgs.builder()
.region("us-central1")
.name("my-certificate")
.privateKey(StdFunctions.file(FileArgs.builder()
.input("path/to/private.key")
.build()).result())
.certificate(StdFunctions.file(FileArgs.builder()
.input("path/to/certificate.crt")
.build()).result())
.build());
var defaultRegionHealthCheck = new RegionHealthCheck("defaultRegionHealthCheck", RegionHealthCheckArgs.builder()
.region("us-central1")
.name("http-health-check")
.checkIntervalSec(1)
.timeoutSec(1)
.httpHealthCheck(RegionHealthCheckHttpHealthCheckArgs.builder()
.port(80)
.build())
.build());
var defaultRegionBackendService = new RegionBackendService("defaultRegionBackendService", RegionBackendServiceArgs.builder()
.region("us-central1")
.name("backend-service")
.portName("http")
.protocol("HTTP")
.timeoutSec(10)
.loadBalancingScheme("INTERNAL_MANAGED")
.healthChecks(defaultRegionHealthCheck.id())
.build());
var defaultRegionUrlMap = new RegionUrlMap("defaultRegionUrlMap", RegionUrlMapArgs.builder()
.region("us-central1")
.name("url-map")
.description("a description")
.defaultService(defaultRegionBackendService.id())
.hostRules(RegionUrlMapHostRuleArgs.builder()
.hosts("mysite.com")
.pathMatcher("allpaths")
.build())
.pathMatchers(RegionUrlMapPathMatcherArgs.builder()
.name("allpaths")
.defaultService(defaultRegionBackendService.id())
.pathRules(RegionUrlMapPathMatcherPathRuleArgs.builder()
.paths("/*")
.service(defaultRegionBackendService.id())
.build())
.build())
.build());
var default_ = new RegionTargetHttpsProxy("default", RegionTargetHttpsProxyArgs.builder()
.region("us-central1")
.name("test-mtls-proxy")
.urlMap(defaultRegionUrlMap.id())
.sslCertificates(defaultRegionSslCertificate.id())
.serverTlsPolicy(defaultServerTlsPolicy.id())
.build());
}
}
resources:
default:
type: gcp:compute:RegionTargetHttpsProxy
properties:
region: us-central1
name: test-mtls-proxy
urlMap: ${defaultRegionUrlMap.id}
sslCertificates:
- ${defaultRegionSslCertificate.id}
serverTlsPolicy: ${defaultServerTlsPolicy.id}
defaultTrustConfig:
type: gcp:certificatemanager:TrustConfig
name: default
properties:
location: us-central1
name: my-trust-config
description: sample description for trust config
trustStores:
- trustAnchors:
- pemCertificate:
fn::invoke:
function: std:file
arguments:
input: test-fixtures/ca_cert.pem
return: result
intermediateCas:
- pemCertificate:
fn::invoke:
function: std:file
arguments:
input: test-fixtures/ca_cert.pem
return: result
labels:
foo: bar
defaultServerTlsPolicy:
type: gcp:networksecurity:ServerTlsPolicy
name: default
properties:
location: us-central1
name: my-tls-policy
description: my description
allowOpen: 'false'
mtlsPolicy:
clientValidationMode: REJECT_INVALID
clientValidationTrustConfig: projects/${project.number}/locations/us-central1/trustConfigs/${defaultTrustConfig.name}
defaultRegionSslCertificate:
type: gcp:compute:RegionSslCertificate
name: default
properties:
region: us-central1
name: my-certificate
privateKey:
fn::invoke:
function: std:file
arguments:
input: path/to/private.key
return: result
certificate:
fn::invoke:
function: std:file
arguments:
input: path/to/certificate.crt
return: result
defaultRegionUrlMap:
type: gcp:compute:RegionUrlMap
name: default
properties:
region: us-central1
name: url-map
description: a description
defaultService: ${defaultRegionBackendService.id}
hostRules:
- hosts:
- mysite.com
pathMatcher: allpaths
pathMatchers:
- name: allpaths
defaultService: ${defaultRegionBackendService.id}
pathRules:
- paths:
- /*
service: ${defaultRegionBackendService.id}
defaultRegionBackendService:
type: gcp:compute:RegionBackendService
name: default
properties:
region: us-central1
name: backend-service
portName: http
protocol: HTTP
timeoutSec: 10
loadBalancingScheme: INTERNAL_MANAGED
healthChecks: ${defaultRegionHealthCheck.id}
defaultRegionHealthCheck:
type: gcp:compute:RegionHealthCheck
name: default
properties:
region: us-central1
name: http-health-check
checkIntervalSec: 1
timeoutSec: 1
httpHealthCheck:
port: 80
variables:
project:
fn::invoke:
function: gcp:organizations:getProject
arguments: {}
The serverTlsPolicy references a ServerTlsPolicy resource that defines client certificate validation rules. The TrustConfig specifies which certificate authorities are trusted for client validation. When clientValidationMode is set to REJECT_INVALID, the proxy rejects connections from clients without valid certificates.
Use Certificate Manager for certificate lifecycle
Certificate Manager centralizes certificate provisioning and renewal, eliminating manual certificate file management.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as std from "@pulumi/std";
const defaultCertificate = new gcp.certificatemanager.Certificate("default", {
name: "my-certificate",
location: "us-central1",
selfManaged: {
pemCertificate: std.file({
input: "test-fixtures/cert.pem",
}).then(invoke => invoke.result),
pemPrivateKey: std.file({
input: "test-fixtures/private-key.pem",
}).then(invoke => invoke.result),
},
});
const defaultRegionBackendService = new gcp.compute.RegionBackendService("default", {
name: "backend-service",
region: "us-central1",
protocol: "HTTPS",
timeoutSec: 30,
loadBalancingScheme: "INTERNAL_MANAGED",
});
const defaultRegionUrlMap = new gcp.compute.RegionUrlMap("default", {
name: "url-map",
defaultService: defaultRegionBackendService.id,
region: "us-central1",
});
const _default = new gcp.compute.RegionTargetHttpsProxy("default", {
name: "target-http-proxy",
urlMap: defaultRegionUrlMap.id,
certificateManagerCertificates: [pulumi.interpolate`//certificatemanager.googleapis.com/${defaultCertificate.id}`],
});
import pulumi
import pulumi_gcp as gcp
import pulumi_std as std
default_certificate = gcp.certificatemanager.Certificate("default",
name="my-certificate",
location="us-central1",
self_managed={
"pem_certificate": std.file(input="test-fixtures/cert.pem").result,
"pem_private_key": std.file(input="test-fixtures/private-key.pem").result,
})
default_region_backend_service = gcp.compute.RegionBackendService("default",
name="backend-service",
region="us-central1",
protocol="HTTPS",
timeout_sec=30,
load_balancing_scheme="INTERNAL_MANAGED")
default_region_url_map = gcp.compute.RegionUrlMap("default",
name="url-map",
default_service=default_region_backend_service.id,
region="us-central1")
default = gcp.compute.RegionTargetHttpsProxy("default",
name="target-http-proxy",
url_map=default_region_url_map.id,
certificate_manager_certificates=[default_certificate.id.apply(lambda id: f"//certificatemanager.googleapis.com/{id}")])
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/certificatemanager"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "test-fixtures/cert.pem",
}, nil)
if err != nil {
return err
}
invokeFile1, err := std.File(ctx, &std.FileArgs{
Input: "test-fixtures/private-key.pem",
}, nil)
if err != nil {
return err
}
defaultCertificate, err := certificatemanager.NewCertificate(ctx, "default", &certificatemanager.CertificateArgs{
Name: pulumi.String("my-certificate"),
Location: pulumi.String("us-central1"),
SelfManaged: &certificatemanager.CertificateSelfManagedArgs{
PemCertificate: pulumi.String(invokeFile.Result),
PemPrivateKey: pulumi.String(invokeFile1.Result),
},
})
if err != nil {
return err
}
defaultRegionBackendService, err := compute.NewRegionBackendService(ctx, "default", &compute.RegionBackendServiceArgs{
Name: pulumi.String("backend-service"),
Region: pulumi.String("us-central1"),
Protocol: pulumi.String("HTTPS"),
TimeoutSec: pulumi.Int(30),
LoadBalancingScheme: pulumi.String("INTERNAL_MANAGED"),
})
if err != nil {
return err
}
defaultRegionUrlMap, err := compute.NewRegionUrlMap(ctx, "default", &compute.RegionUrlMapArgs{
Name: pulumi.String("url-map"),
DefaultService: defaultRegionBackendService.ID(),
Region: pulumi.String("us-central1"),
})
if err != nil {
return err
}
_, err = compute.NewRegionTargetHttpsProxy(ctx, "default", &compute.RegionTargetHttpsProxyArgs{
Name: pulumi.String("target-http-proxy"),
UrlMap: defaultRegionUrlMap.ID(),
CertificateManagerCertificates: pulumi.StringArray{
defaultCertificate.ID().ApplyT(func(id string) (string, error) {
return fmt.Sprintf("//certificatemanager.googleapis.com/%v", id), nil
}).(pulumi.StringOutput),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Std = Pulumi.Std;
return await Deployment.RunAsync(() =>
{
var defaultCertificate = new Gcp.CertificateManager.Certificate("default", new()
{
Name = "my-certificate",
Location = "us-central1",
SelfManaged = new Gcp.CertificateManager.Inputs.CertificateSelfManagedArgs
{
PemCertificate = Std.File.Invoke(new()
{
Input = "test-fixtures/cert.pem",
}).Apply(invoke => invoke.Result),
PemPrivateKey = Std.File.Invoke(new()
{
Input = "test-fixtures/private-key.pem",
}).Apply(invoke => invoke.Result),
},
});
var defaultRegionBackendService = new Gcp.Compute.RegionBackendService("default", new()
{
Name = "backend-service",
Region = "us-central1",
Protocol = "HTTPS",
TimeoutSec = 30,
LoadBalancingScheme = "INTERNAL_MANAGED",
});
var defaultRegionUrlMap = new Gcp.Compute.RegionUrlMap("default", new()
{
Name = "url-map",
DefaultService = defaultRegionBackendService.Id,
Region = "us-central1",
});
var @default = new Gcp.Compute.RegionTargetHttpsProxy("default", new()
{
Name = "target-http-proxy",
UrlMap = defaultRegionUrlMap.Id,
CertificateManagerCertificates = new[]
{
defaultCertificate.Id.Apply(id => $"//certificatemanager.googleapis.com/{id}"),
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificatemanager.Certificate;
import com.pulumi.gcp.certificatemanager.CertificateArgs;
import com.pulumi.gcp.certificatemanager.inputs.CertificateSelfManagedArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import com.pulumi.gcp.compute.RegionBackendService;
import com.pulumi.gcp.compute.RegionBackendServiceArgs;
import com.pulumi.gcp.compute.RegionUrlMap;
import com.pulumi.gcp.compute.RegionUrlMapArgs;
import com.pulumi.gcp.compute.RegionTargetHttpsProxy;
import com.pulumi.gcp.compute.RegionTargetHttpsProxyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var defaultCertificate = new Certificate("defaultCertificate", CertificateArgs.builder()
.name("my-certificate")
.location("us-central1")
.selfManaged(CertificateSelfManagedArgs.builder()
.pemCertificate(StdFunctions.file(FileArgs.builder()
.input("test-fixtures/cert.pem")
.build()).result())
.pemPrivateKey(StdFunctions.file(FileArgs.builder()
.input("test-fixtures/private-key.pem")
.build()).result())
.build())
.build());
var defaultRegionBackendService = new RegionBackendService("defaultRegionBackendService", RegionBackendServiceArgs.builder()
.name("backend-service")
.region("us-central1")
.protocol("HTTPS")
.timeoutSec(30)
.loadBalancingScheme("INTERNAL_MANAGED")
.build());
var defaultRegionUrlMap = new RegionUrlMap("defaultRegionUrlMap", RegionUrlMapArgs.builder()
.name("url-map")
.defaultService(defaultRegionBackendService.id())
.region("us-central1")
.build());
var default_ = new RegionTargetHttpsProxy("default", RegionTargetHttpsProxyArgs.builder()
.name("target-http-proxy")
.urlMap(defaultRegionUrlMap.id())
.certificateManagerCertificates(defaultCertificate.id().applyValue(_id -> String.format("//certificatemanager.googleapis.com/%s", _id)))
.build());
}
}
resources:
default:
type: gcp:compute:RegionTargetHttpsProxy
properties:
name: target-http-proxy
urlMap: ${defaultRegionUrlMap.id}
certificateManagerCertificates: # [google_certificate_manager_certificate.default.id] is also acceptable
- //certificatemanager.googleapis.com/${defaultCertificate.id}
defaultCertificate:
type: gcp:certificatemanager:Certificate
name: default
properties:
name: my-certificate
location: us-central1
selfManaged:
pemCertificate:
fn::invoke:
function: std:file
arguments:
input: test-fixtures/cert.pem
return: result
pemPrivateKey:
fn::invoke:
function: std:file
arguments:
input: test-fixtures/private-key.pem
return: result
defaultRegionUrlMap:
type: gcp:compute:RegionUrlMap
name: default
properties:
name: url-map
defaultService: ${defaultRegionBackendService.id}
region: us-central1
defaultRegionBackendService:
type: gcp:compute:RegionBackendService
name: default
properties:
name: backend-service
region: us-central1
protocol: HTTPS
timeoutSec: 30
loadBalancingScheme: INTERNAL_MANAGED
The certificateManagerCertificates property accepts Certificate Manager resource URLs instead of direct certificate files. Certificate Manager handles renewal and rotation automatically. You cannot use both certificateManagerCertificates and sslCertificates on the same proxy.
Beyond these examples
These snippets focus on specific proxy-level features: SSL termination with certificates, connection timeout tuning, and mutual TLS authentication. They’re intentionally minimal rather than full load balancer deployments.
The examples rely on pre-existing infrastructure such as RegionUrlMap resources for routing logic, RegionBackendService resources as traffic destinations, certificate files in PEM format, and VPC configuration for INTERNAL_MANAGED load balancing. They focus on configuring the HTTPS proxy rather than provisioning the complete load balancing stack.
To keep things focused, common proxy patterns are omitted, including:
- SSL policy configuration (sslPolicy)
- Multiple certificate rotation (up to 15 certificates)
- Integration with forwarding rules
- Health check configuration details
These omissions are intentional: the goal is to illustrate how each proxy feature is wired, not provide drop-in load balancer modules. See the RegionTargetHttpsProxy resource reference for all available configuration options.
Let's configure GCP Region Target HTTPS Proxies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
SSL Certificates & Authentication
Why am I getting a resourceInUseByAnotherResource error when removing serverTlsPolicy?
This error occurs when you remove
serverTlsPolicy from your configuration while simultaneously deleting or recreating the referenced ServerTlsPolicy resource. Use lifecycle.create_before_destroy within the ServerTlsPolicy resource to avoid this.Can I use both sslCertificates and certificateManagerCertificates?
No,
sslCertificates and certificateManagerCertificates are mutually exclusive and cannot be defined together on the same proxy.How many SSL certificates can I attach to a regional HTTPS proxy?
At least one SSL certificate is required, with a maximum of 15 certificates supported.
When do sslCertificates not apply to my proxy?
The
sslCertificates property has no effect when the load balancing scheme is set to INTERNAL_SELF_MANAGED.How do I configure mTLS authentication for my proxy?
Set the
serverTlsPolicy property to reference a networksecurity.ServerTlsPolicy resource that defines client validation rules and trust configuration.What format does certificateManagerCertificates accept?
Use either the full format
//certificatemanager.googleapis.com/projects/{project}/locations/{location}/certificates/{resourceName} or the short format projects/{project}/locations/{location}/certificates/{resourceName}.Configuration & Timeouts
What are the HTTP keep-alive timeout limits?
The default is 600 seconds. For Regional HTTP(S) load balancers, the minimum is 5 seconds and the maximum is 600 seconds.
Resource Properties & Immutability
What properties can't I change after creating the proxy?
The
name, project, region, description, and httpKeepAliveTimeoutSec properties are immutable after creation.Using a different cloud?
Explore networking guides for other cloud providers: