The gcp:compute/regionTargetHttpsProxy:RegionTargetHttpsProxy resource, part of the Pulumi GCP provider, defines a regional HTTPS proxy that terminates SSL connections and routes requests to URL maps. This guide focuses on four capabilities: SSL certificate attachment, connection keep-alive configuration, mutual TLS client authentication, and Certificate Manager integration.
HTTPS proxies require SSL certificates (either inline RegionSslCertificate or Certificate Manager resources), URL maps for routing, and backend services to handle requests. The examples are intentionally small. Combine them with your own forwarding rules and backend infrastructure.
Route HTTPS traffic to backend services
Regional load balancers begin by creating an HTTPS proxy that connects SSL certificates to a URL map, which then routes requests to backend services based on hostname and path.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as std from "@pulumi/std";
const defaultRegionSslCertificate = new gcp.compute.RegionSslCertificate("default", {
region: "us-central1",
name: "my-certificate",
privateKey: std.file({
input: "path/to/private.key",
}).then(invoke => invoke.result),
certificate: std.file({
input: "path/to/certificate.crt",
}).then(invoke => invoke.result),
});
const defaultRegionHealthCheck = new gcp.compute.RegionHealthCheck("default", {
region: "us-central1",
name: "http-health-check",
httpHealthCheck: {
port: 80,
},
});
const defaultRegionBackendService = new gcp.compute.RegionBackendService("default", {
region: "us-central1",
name: "backend-service",
protocol: "HTTP",
loadBalancingScheme: "INTERNAL_MANAGED",
timeoutSec: 10,
healthChecks: defaultRegionHealthCheck.id,
});
const defaultRegionUrlMap = new gcp.compute.RegionUrlMap("default", {
region: "us-central1",
name: "url-map",
description: "a description",
defaultService: defaultRegionBackendService.id,
hostRules: [{
hosts: ["mysite.com"],
pathMatcher: "allpaths",
}],
pathMatchers: [{
name: "allpaths",
defaultService: defaultRegionBackendService.id,
pathRules: [{
paths: ["/*"],
service: defaultRegionBackendService.id,
}],
}],
});
const _default = new gcp.compute.RegionTargetHttpsProxy("default", {
region: "us-central1",
name: "test-proxy",
urlMap: defaultRegionUrlMap.id,
sslCertificates: [defaultRegionSslCertificate.id],
});
import pulumi
import pulumi_gcp as gcp
import pulumi_std as std
default_region_ssl_certificate = gcp.compute.RegionSslCertificate("default",
region="us-central1",
name="my-certificate",
private_key=std.file(input="path/to/private.key").result,
certificate=std.file(input="path/to/certificate.crt").result)
default_region_health_check = gcp.compute.RegionHealthCheck("default",
region="us-central1",
name="http-health-check",
http_health_check={
"port": 80,
})
default_region_backend_service = gcp.compute.RegionBackendService("default",
region="us-central1",
name="backend-service",
protocol="HTTP",
load_balancing_scheme="INTERNAL_MANAGED",
timeout_sec=10,
health_checks=default_region_health_check.id)
default_region_url_map = gcp.compute.RegionUrlMap("default",
region="us-central1",
name="url-map",
description="a description",
default_service=default_region_backend_service.id,
host_rules=[{
"hosts": ["mysite.com"],
"path_matcher": "allpaths",
}],
path_matchers=[{
"name": "allpaths",
"default_service": default_region_backend_service.id,
"path_rules": [{
"paths": ["/*"],
"service": default_region_backend_service.id,
}],
}])
default = gcp.compute.RegionTargetHttpsProxy("default",
region="us-central1",
name="test-proxy",
url_map=default_region_url_map.id,
ssl_certificates=[default_region_ssl_certificate.id])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "path/to/private.key",
}, nil)
if err != nil {
return err
}
invokeFile1, err := std.File(ctx, &std.FileArgs{
Input: "path/to/certificate.crt",
}, nil)
if err != nil {
return err
}
defaultRegionSslCertificate, err := compute.NewRegionSslCertificate(ctx, "default", &compute.RegionSslCertificateArgs{
Region: pulumi.String("us-central1"),
Name: pulumi.String("my-certificate"),
PrivateKey: pulumi.String(invokeFile.Result),
Certificate: pulumi.String(invokeFile1.Result),
})
if err != nil {
return err
}
defaultRegionHealthCheck, err := compute.NewRegionHealthCheck(ctx, "default", &compute.RegionHealthCheckArgs{
Region: pulumi.String("us-central1"),
Name: pulumi.String("http-health-check"),
HttpHealthCheck: &compute.RegionHealthCheckHttpHealthCheckArgs{
Port: pulumi.Int(80),
},
})
if err != nil {
return err
}
defaultRegionBackendService, err := compute.NewRegionBackendService(ctx, "default", &compute.RegionBackendServiceArgs{
Region: pulumi.String("us-central1"),
Name: pulumi.String("backend-service"),
Protocol: pulumi.String("HTTP"),
LoadBalancingScheme: pulumi.String("INTERNAL_MANAGED"),
TimeoutSec: pulumi.Int(10),
HealthChecks: defaultRegionHealthCheck.ID(),
})
if err != nil {
return err
}
defaultRegionUrlMap, err := compute.NewRegionUrlMap(ctx, "default", &compute.RegionUrlMapArgs{
Region: pulumi.String("us-central1"),
Name: pulumi.String("url-map"),
Description: pulumi.String("a description"),
DefaultService: defaultRegionBackendService.ID(),
HostRules: compute.RegionUrlMapHostRuleArray{
&compute.RegionUrlMapHostRuleArgs{
Hosts: pulumi.StringArray{
pulumi.String("mysite.com"),
},
PathMatcher: pulumi.String("allpaths"),
},
},
PathMatchers: compute.RegionUrlMapPathMatcherArray{
&compute.RegionUrlMapPathMatcherArgs{
Name: pulumi.String("allpaths"),
DefaultService: defaultRegionBackendService.ID(),
PathRules: compute.RegionUrlMapPathMatcherPathRuleArray{
&compute.RegionUrlMapPathMatcherPathRuleArgs{
Paths: pulumi.StringArray{
pulumi.String("/*"),
},
Service: defaultRegionBackendService.ID(),
},
},
},
},
})
if err != nil {
return err
}
_, err = compute.NewRegionTargetHttpsProxy(ctx, "default", &compute.RegionTargetHttpsProxyArgs{
Region: pulumi.String("us-central1"),
Name: pulumi.String("test-proxy"),
UrlMap: defaultRegionUrlMap.ID(),
SslCertificates: pulumi.StringArray{
defaultRegionSslCertificate.ID(),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Std = Pulumi.Std;
return await Deployment.RunAsync(() =>
{
var defaultRegionSslCertificate = new Gcp.Compute.RegionSslCertificate("default", new()
{
Region = "us-central1",
Name = "my-certificate",
PrivateKey = Std.File.Invoke(new()
{
Input = "path/to/private.key",
}).Apply(invoke => invoke.Result),
Certificate = Std.File.Invoke(new()
{
Input = "path/to/certificate.crt",
}).Apply(invoke => invoke.Result),
});
var defaultRegionHealthCheck = new Gcp.Compute.RegionHealthCheck("default", new()
{
Region = "us-central1",
Name = "http-health-check",
HttpHealthCheck = new Gcp.Compute.Inputs.RegionHealthCheckHttpHealthCheckArgs
{
Port = 80,
},
});
var defaultRegionBackendService = new Gcp.Compute.RegionBackendService("default", new()
{
Region = "us-central1",
Name = "backend-service",
Protocol = "HTTP",
LoadBalancingScheme = "INTERNAL_MANAGED",
TimeoutSec = 10,
HealthChecks = defaultRegionHealthCheck.Id,
});
var defaultRegionUrlMap = new Gcp.Compute.RegionUrlMap("default", new()
{
Region = "us-central1",
Name = "url-map",
Description = "a description",
DefaultService = defaultRegionBackendService.Id,
HostRules = new[]
{
new Gcp.Compute.Inputs.RegionUrlMapHostRuleArgs
{
Hosts = new[]
{
"mysite.com",
},
PathMatcher = "allpaths",
},
},
PathMatchers = new[]
{
new Gcp.Compute.Inputs.RegionUrlMapPathMatcherArgs
{
Name = "allpaths",
DefaultService = defaultRegionBackendService.Id,
PathRules = new[]
{
new Gcp.Compute.Inputs.RegionUrlMapPathMatcherPathRuleArgs
{
Paths = new[]
{
"/*",
},
Service = defaultRegionBackendService.Id,
},
},
},
},
});
var @default = new Gcp.Compute.RegionTargetHttpsProxy("default", new()
{
Region = "us-central1",
Name = "test-proxy",
UrlMap = defaultRegionUrlMap.Id,
SslCertificates = new[]
{
defaultRegionSslCertificate.Id,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.RegionSslCertificate;
import com.pulumi.gcp.compute.RegionSslCertificateArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import com.pulumi.gcp.compute.RegionHealthCheck;
import com.pulumi.gcp.compute.RegionHealthCheckArgs;
import com.pulumi.gcp.compute.inputs.RegionHealthCheckHttpHealthCheckArgs;
import com.pulumi.gcp.compute.RegionBackendService;
import com.pulumi.gcp.compute.RegionBackendServiceArgs;
import com.pulumi.gcp.compute.RegionUrlMap;
import com.pulumi.gcp.compute.RegionUrlMapArgs;
import com.pulumi.gcp.compute.inputs.RegionUrlMapHostRuleArgs;
import com.pulumi.gcp.compute.inputs.RegionUrlMapPathMatcherArgs;
import com.pulumi.gcp.compute.RegionTargetHttpsProxy;
import com.pulumi.gcp.compute.RegionTargetHttpsProxyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var defaultRegionSslCertificate = new RegionSslCertificate("defaultRegionSslCertificate", RegionSslCertificateArgs.builder()
.region("us-central1")
.name("my-certificate")
.privateKey(StdFunctions.file(FileArgs.builder()
.input("path/to/private.key")
.build()).result())
.certificate(StdFunctions.file(FileArgs.builder()
.input("path/to/certificate.crt")
.build()).result())
.build());
var defaultRegionHealthCheck = new RegionHealthCheck("defaultRegionHealthCheck", RegionHealthCheckArgs.builder()
.region("us-central1")
.name("http-health-check")
.httpHealthCheck(RegionHealthCheckHttpHealthCheckArgs.builder()
.port(80)
.build())
.build());
var defaultRegionBackendService = new RegionBackendService("defaultRegionBackendService", RegionBackendServiceArgs.builder()
.region("us-central1")
.name("backend-service")
.protocol("HTTP")
.loadBalancingScheme("INTERNAL_MANAGED")
.timeoutSec(10)
.healthChecks(defaultRegionHealthCheck.id())
.build());
var defaultRegionUrlMap = new RegionUrlMap("defaultRegionUrlMap", RegionUrlMapArgs.builder()
.region("us-central1")
.name("url-map")
.description("a description")
.defaultService(defaultRegionBackendService.id())
.hostRules(RegionUrlMapHostRuleArgs.builder()
.hosts("mysite.com")
.pathMatcher("allpaths")
.build())
.pathMatchers(RegionUrlMapPathMatcherArgs.builder()
.name("allpaths")
.defaultService(defaultRegionBackendService.id())
.pathRules(RegionUrlMapPathMatcherPathRuleArgs.builder()
.paths("/*")
.service(defaultRegionBackendService.id())
.build())
.build())
.build());
var default_ = new RegionTargetHttpsProxy("default", RegionTargetHttpsProxyArgs.builder()
.region("us-central1")
.name("test-proxy")
.urlMap(defaultRegionUrlMap.id())
.sslCertificates(defaultRegionSslCertificate.id())
.build());
}
}
resources:
default:
type: gcp:compute:RegionTargetHttpsProxy
properties:
region: us-central1
name: test-proxy
urlMap: ${defaultRegionUrlMap.id}
sslCertificates:
- ${defaultRegionSslCertificate.id}
defaultRegionSslCertificate:
type: gcp:compute:RegionSslCertificate
name: default
properties:
region: us-central1
name: my-certificate
privateKey:
fn::invoke:
function: std:file
arguments:
input: path/to/private.key
return: result
certificate:
fn::invoke:
function: std:file
arguments:
input: path/to/certificate.crt
return: result
defaultRegionUrlMap:
type: gcp:compute:RegionUrlMap
name: default
properties:
region: us-central1
name: url-map
description: a description
defaultService: ${defaultRegionBackendService.id}
hostRules:
- hosts:
- mysite.com
pathMatcher: allpaths
pathMatchers:
- name: allpaths
defaultService: ${defaultRegionBackendService.id}
pathRules:
- paths:
- /*
service: ${defaultRegionBackendService.id}
defaultRegionBackendService:
type: gcp:compute:RegionBackendService
name: default
properties:
region: us-central1
name: backend-service
protocol: HTTP
loadBalancingScheme: INTERNAL_MANAGED
timeoutSec: 10
healthChecks: ${defaultRegionHealthCheck.id}
defaultRegionHealthCheck:
type: gcp:compute:RegionHealthCheck
name: default
properties:
region: us-central1
name: http-health-check
httpHealthCheck:
port: 80
The proxy terminates SSL using the certificate specified in sslCertificates, then forwards decrypted requests according to the urlMap. The URL map matches hostnames and paths to backend services. In this configuration, all traffic to mysite.com routes to the same backend service with INTERNAL_MANAGED load balancing for VPC-internal traffic.
Control connection reuse with keep-alive timeouts
Applications with specific connection pooling requirements can tune how long the proxy keeps idle connections open between completing a response and closing the socket.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as std from "@pulumi/std";
const defaultRegionSslCertificate = new gcp.compute.RegionSslCertificate("default", {
region: "us-central1",
name: "my-certificate",
privateKey: std.file({
input: "path/to/private.key",
}).then(invoke => invoke.result),
certificate: std.file({
input: "path/to/certificate.crt",
}).then(invoke => invoke.result),
});
const defaultRegionHealthCheck = new gcp.compute.RegionHealthCheck("default", {
region: "us-central1",
name: "http-health-check",
httpHealthCheck: {
port: 80,
},
});
const defaultRegionBackendService = new gcp.compute.RegionBackendService("default", {
region: "us-central1",
name: "backend-service",
portName: "http",
protocol: "HTTP",
timeoutSec: 10,
loadBalancingScheme: "INTERNAL_MANAGED",
healthChecks: defaultRegionHealthCheck.id,
});
const defaultRegionUrlMap = new gcp.compute.RegionUrlMap("default", {
region: "us-central1",
name: "url-map",
description: "a description",
defaultService: defaultRegionBackendService.id,
hostRules: [{
hosts: ["mysite.com"],
pathMatcher: "allpaths",
}],
pathMatchers: [{
name: "allpaths",
defaultService: defaultRegionBackendService.id,
pathRules: [{
paths: ["/*"],
service: defaultRegionBackendService.id,
}],
}],
});
const _default = new gcp.compute.RegionTargetHttpsProxy("default", {
region: "us-central1",
name: "test-http-keep-alive-timeout-proxy",
httpKeepAliveTimeoutSec: 600,
urlMap: defaultRegionUrlMap.id,
sslCertificates: [defaultRegionSslCertificate.id],
});
import pulumi
import pulumi_gcp as gcp
import pulumi_std as std
default_region_ssl_certificate = gcp.compute.RegionSslCertificate("default",
region="us-central1",
name="my-certificate",
private_key=std.file(input="path/to/private.key").result,
certificate=std.file(input="path/to/certificate.crt").result)
default_region_health_check = gcp.compute.RegionHealthCheck("default",
region="us-central1",
name="http-health-check",
http_health_check={
"port": 80,
})
default_region_backend_service = gcp.compute.RegionBackendService("default",
region="us-central1",
name="backend-service",
port_name="http",
protocol="HTTP",
timeout_sec=10,
load_balancing_scheme="INTERNAL_MANAGED",
health_checks=default_region_health_check.id)
default_region_url_map = gcp.compute.RegionUrlMap("default",
region="us-central1",
name="url-map",
description="a description",
default_service=default_region_backend_service.id,
host_rules=[{
"hosts": ["mysite.com"],
"path_matcher": "allpaths",
}],
path_matchers=[{
"name": "allpaths",
"default_service": default_region_backend_service.id,
"path_rules": [{
"paths": ["/*"],
"service": default_region_backend_service.id,
}],
}])
default = gcp.compute.RegionTargetHttpsProxy("default",
region="us-central1",
name="test-http-keep-alive-timeout-proxy",
http_keep_alive_timeout_sec=600,
url_map=default_region_url_map.id,
ssl_certificates=[default_region_ssl_certificate.id])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "path/to/private.key",
}, nil)
if err != nil {
return err
}
invokeFile1, err := std.File(ctx, &std.FileArgs{
Input: "path/to/certificate.crt",
}, nil)
if err != nil {
return err
}
defaultRegionSslCertificate, err := compute.NewRegionSslCertificate(ctx, "default", &compute.RegionSslCertificateArgs{
Region: pulumi.String("us-central1"),
Name: pulumi.String("my-certificate"),
PrivateKey: pulumi.String(invokeFile.Result),
Certificate: pulumi.String(invokeFile1.Result),
})
if err != nil {
return err
}
defaultRegionHealthCheck, err := compute.NewRegionHealthCheck(ctx, "default", &compute.RegionHealthCheckArgs{
Region: pulumi.String("us-central1"),
Name: pulumi.String("http-health-check"),
HttpHealthCheck: &compute.RegionHealthCheckHttpHealthCheckArgs{
Port: pulumi.Int(80),
},
})
if err != nil {
return err
}
defaultRegionBackendService, err := compute.NewRegionBackendService(ctx, "default", &compute.RegionBackendServiceArgs{
Region: pulumi.String("us-central1"),
Name: pulumi.String("backend-service"),
PortName: pulumi.String("http"),
Protocol: pulumi.String("HTTP"),
TimeoutSec: pulumi.Int(10),
LoadBalancingScheme: pulumi.String("INTERNAL_MANAGED"),
HealthChecks: defaultRegionHealthCheck.ID(),
})
if err != nil {
return err
}
defaultRegionUrlMap, err := compute.NewRegionUrlMap(ctx, "default", &compute.RegionUrlMapArgs{
Region: pulumi.String("us-central1"),
Name: pulumi.String("url-map"),
Description: pulumi.String("a description"),
DefaultService: defaultRegionBackendService.ID(),
HostRules: compute.RegionUrlMapHostRuleArray{
&compute.RegionUrlMapHostRuleArgs{
Hosts: pulumi.StringArray{
pulumi.String("mysite.com"),
},
PathMatcher: pulumi.String("allpaths"),
},
},
PathMatchers: compute.RegionUrlMapPathMatcherArray{
&compute.RegionUrlMapPathMatcherArgs{
Name: pulumi.String("allpaths"),
DefaultService: defaultRegionBackendService.ID(),
PathRules: compute.RegionUrlMapPathMatcherPathRuleArray{
&compute.RegionUrlMapPathMatcherPathRuleArgs{
Paths: pulumi.StringArray{
pulumi.String("/*"),
},
Service: defaultRegionBackendService.ID(),
},
},
},
},
})
if err != nil {
return err
}
_, err = compute.NewRegionTargetHttpsProxy(ctx, "default", &compute.RegionTargetHttpsProxyArgs{
Region: pulumi.String("us-central1"),
Name: pulumi.String("test-http-keep-alive-timeout-proxy"),
HttpKeepAliveTimeoutSec: pulumi.Int(600),
UrlMap: defaultRegionUrlMap.ID(),
SslCertificates: pulumi.StringArray{
defaultRegionSslCertificate.ID(),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Std = Pulumi.Std;
return await Deployment.RunAsync(() =>
{
var defaultRegionSslCertificate = new Gcp.Compute.RegionSslCertificate("default", new()
{
Region = "us-central1",
Name = "my-certificate",
PrivateKey = Std.File.Invoke(new()
{
Input = "path/to/private.key",
}).Apply(invoke => invoke.Result),
Certificate = Std.File.Invoke(new()
{
Input = "path/to/certificate.crt",
}).Apply(invoke => invoke.Result),
});
var defaultRegionHealthCheck = new Gcp.Compute.RegionHealthCheck("default", new()
{
Region = "us-central1",
Name = "http-health-check",
HttpHealthCheck = new Gcp.Compute.Inputs.RegionHealthCheckHttpHealthCheckArgs
{
Port = 80,
},
});
var defaultRegionBackendService = new Gcp.Compute.RegionBackendService("default", new()
{
Region = "us-central1",
Name = "backend-service",
PortName = "http",
Protocol = "HTTP",
TimeoutSec = 10,
LoadBalancingScheme = "INTERNAL_MANAGED",
HealthChecks = defaultRegionHealthCheck.Id,
});
var defaultRegionUrlMap = new Gcp.Compute.RegionUrlMap("default", new()
{
Region = "us-central1",
Name = "url-map",
Description = "a description",
DefaultService = defaultRegionBackendService.Id,
HostRules = new[]
{
new Gcp.Compute.Inputs.RegionUrlMapHostRuleArgs
{
Hosts = new[]
{
"mysite.com",
},
PathMatcher = "allpaths",
},
},
PathMatchers = new[]
{
new Gcp.Compute.Inputs.RegionUrlMapPathMatcherArgs
{
Name = "allpaths",
DefaultService = defaultRegionBackendService.Id,
PathRules = new[]
{
new Gcp.Compute.Inputs.RegionUrlMapPathMatcherPathRuleArgs
{
Paths = new[]
{
"/*",
},
Service = defaultRegionBackendService.Id,
},
},
},
},
});
var @default = new Gcp.Compute.RegionTargetHttpsProxy("default", new()
{
Region = "us-central1",
Name = "test-http-keep-alive-timeout-proxy",
HttpKeepAliveTimeoutSec = 600,
UrlMap = defaultRegionUrlMap.Id,
SslCertificates = new[]
{
defaultRegionSslCertificate.Id,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.RegionSslCertificate;
import com.pulumi.gcp.compute.RegionSslCertificateArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import com.pulumi.gcp.compute.RegionHealthCheck;
import com.pulumi.gcp.compute.RegionHealthCheckArgs;
import com.pulumi.gcp.compute.inputs.RegionHealthCheckHttpHealthCheckArgs;
import com.pulumi.gcp.compute.RegionBackendService;
import com.pulumi.gcp.compute.RegionBackendServiceArgs;
import com.pulumi.gcp.compute.RegionUrlMap;
import com.pulumi.gcp.compute.RegionUrlMapArgs;
import com.pulumi.gcp.compute.inputs.RegionUrlMapHostRuleArgs;
import com.pulumi.gcp.compute.inputs.RegionUrlMapPathMatcherArgs;
import com.pulumi.gcp.compute.RegionTargetHttpsProxy;
import com.pulumi.gcp.compute.RegionTargetHttpsProxyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var defaultRegionSslCertificate = new RegionSslCertificate("defaultRegionSslCertificate", RegionSslCertificateArgs.builder()
.region("us-central1")
.name("my-certificate")
.privateKey(StdFunctions.file(FileArgs.builder()
.input("path/to/private.key")
.build()).result())
.certificate(StdFunctions.file(FileArgs.builder()
.input("path/to/certificate.crt")
.build()).result())
.build());
var defaultRegionHealthCheck = new RegionHealthCheck("defaultRegionHealthCheck", RegionHealthCheckArgs.builder()
.region("us-central1")
.name("http-health-check")
.httpHealthCheck(RegionHealthCheckHttpHealthCheckArgs.builder()
.port(80)
.build())
.build());
var defaultRegionBackendService = new RegionBackendService("defaultRegionBackendService", RegionBackendServiceArgs.builder()
.region("us-central1")
.name("backend-service")
.portName("http")
.protocol("HTTP")
.timeoutSec(10)
.loadBalancingScheme("INTERNAL_MANAGED")
.healthChecks(defaultRegionHealthCheck.id())
.build());
var defaultRegionUrlMap = new RegionUrlMap("defaultRegionUrlMap", RegionUrlMapArgs.builder()
.region("us-central1")
.name("url-map")
.description("a description")
.defaultService(defaultRegionBackendService.id())
.hostRules(RegionUrlMapHostRuleArgs.builder()
.hosts("mysite.com")
.pathMatcher("allpaths")
.build())
.pathMatchers(RegionUrlMapPathMatcherArgs.builder()
.name("allpaths")
.defaultService(defaultRegionBackendService.id())
.pathRules(RegionUrlMapPathMatcherPathRuleArgs.builder()
.paths("/*")
.service(defaultRegionBackendService.id())
.build())
.build())
.build());
var default_ = new RegionTargetHttpsProxy("default", RegionTargetHttpsProxyArgs.builder()
.region("us-central1")
.name("test-http-keep-alive-timeout-proxy")
.httpKeepAliveTimeoutSec(600)
.urlMap(defaultRegionUrlMap.id())
.sslCertificates(defaultRegionSslCertificate.id())
.build());
}
}
resources:
default:
type: gcp:compute:RegionTargetHttpsProxy
properties:
region: us-central1
name: test-http-keep-alive-timeout-proxy
httpKeepAliveTimeoutSec: 600
urlMap: ${defaultRegionUrlMap.id}
sslCertificates:
- ${defaultRegionSslCertificate.id}
defaultRegionSslCertificate:
type: gcp:compute:RegionSslCertificate
name: default
properties:
region: us-central1
name: my-certificate
privateKey:
fn::invoke:
function: std:file
arguments:
input: path/to/private.key
return: result
certificate:
fn::invoke:
function: std:file
arguments:
input: path/to/certificate.crt
return: result
defaultRegionUrlMap:
type: gcp:compute:RegionUrlMap
name: default
properties:
region: us-central1
name: url-map
description: a description
defaultService: ${defaultRegionBackendService.id}
hostRules:
- hosts:
- mysite.com
pathMatcher: allpaths
pathMatchers:
- name: allpaths
defaultService: ${defaultRegionBackendService.id}
pathRules:
- paths:
- /*
service: ${defaultRegionBackendService.id}
defaultRegionBackendService:
type: gcp:compute:RegionBackendService
name: default
properties:
region: us-central1
name: backend-service
portName: http
protocol: HTTP
timeoutSec: 10
loadBalancingScheme: INTERNAL_MANAGED
healthChecks: ${defaultRegionHealthCheck.id}
defaultRegionHealthCheck:
type: gcp:compute:RegionHealthCheck
name: default
properties:
region: us-central1
name: http-health-check
httpHealthCheck:
port: 80
The httpKeepAliveTimeoutSec property sets how long (in seconds) the proxy maintains idle connections. The default is 600 seconds; this example extends it to match client connection pool behavior. Regional HTTPS load balancers accept values between 5 and 600 seconds.
Require client certificates with mutual TLS
Zero-trust architectures often require clients to present certificates for authentication, not just the server. Mutual TLS validates both sides of the connection.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as std from "@pulumi/std";
const project = gcp.organizations.getProject({});
const defaultTrustConfig = new gcp.certificatemanager.TrustConfig("default", {
location: "us-central1",
name: "my-trust-config",
description: "sample description for trust config",
trustStores: [{
trustAnchors: [{
pemCertificate: std.file({
input: "test-fixtures/ca_cert.pem",
}).then(invoke => invoke.result),
}],
intermediateCas: [{
pemCertificate: std.file({
input: "test-fixtures/ca_cert.pem",
}).then(invoke => invoke.result),
}],
}],
labels: {
foo: "bar",
},
});
const defaultServerTlsPolicy = new gcp.networksecurity.ServerTlsPolicy("default", {
location: "us-central1",
name: "my-tls-policy",
description: "my description",
allowOpen: false,
mtlsPolicy: {
clientValidationMode: "REJECT_INVALID",
clientValidationTrustConfig: pulumi.all([project, defaultTrustConfig.name]).apply(([project, name]) => `projects/${project.number}/locations/us-central1/trustConfigs/${name}`),
},
});
const defaultRegionSslCertificate = new gcp.compute.RegionSslCertificate("default", {
region: "us-central1",
name: "my-certificate",
privateKey: std.file({
input: "path/to/private.key",
}).then(invoke => invoke.result),
certificate: std.file({
input: "path/to/certificate.crt",
}).then(invoke => invoke.result),
});
const defaultRegionHealthCheck = new gcp.compute.RegionHealthCheck("default", {
region: "us-central1",
name: "http-health-check",
checkIntervalSec: 1,
timeoutSec: 1,
httpHealthCheck: {
port: 80,
},
});
const defaultRegionBackendService = new gcp.compute.RegionBackendService("default", {
region: "us-central1",
name: "backend-service",
portName: "http",
protocol: "HTTP",
timeoutSec: 10,
loadBalancingScheme: "INTERNAL_MANAGED",
healthChecks: defaultRegionHealthCheck.id,
});
const defaultRegionUrlMap = new gcp.compute.RegionUrlMap("default", {
region: "us-central1",
name: "url-map",
description: "a description",
defaultService: defaultRegionBackendService.id,
hostRules: [{
hosts: ["mysite.com"],
pathMatcher: "allpaths",
}],
pathMatchers: [{
name: "allpaths",
defaultService: defaultRegionBackendService.id,
pathRules: [{
paths: ["/*"],
service: defaultRegionBackendService.id,
}],
}],
});
const _default = new gcp.compute.RegionTargetHttpsProxy("default", {
region: "us-central1",
name: "test-mtls-proxy",
urlMap: defaultRegionUrlMap.id,
sslCertificates: [defaultRegionSslCertificate.id],
serverTlsPolicy: defaultServerTlsPolicy.id,
});
import pulumi
import pulumi_gcp as gcp
import pulumi_std as std
project = gcp.organizations.get_project()
default_trust_config = gcp.certificatemanager.TrustConfig("default",
location="us-central1",
name="my-trust-config",
description="sample description for trust config",
trust_stores=[{
"trust_anchors": [{
"pem_certificate": std.file(input="test-fixtures/ca_cert.pem").result,
}],
"intermediate_cas": [{
"pem_certificate": std.file(input="test-fixtures/ca_cert.pem").result,
}],
}],
labels={
"foo": "bar",
})
default_server_tls_policy = gcp.networksecurity.ServerTlsPolicy("default",
location="us-central1",
name="my-tls-policy",
description="my description",
allow_open=False,
mtls_policy={
"client_validation_mode": "REJECT_INVALID",
"client_validation_trust_config": default_trust_config.name.apply(lambda name: f"projects/{project.number}/locations/us-central1/trustConfigs/{name}"),
})
default_region_ssl_certificate = gcp.compute.RegionSslCertificate("default",
region="us-central1",
name="my-certificate",
private_key=std.file(input="path/to/private.key").result,
certificate=std.file(input="path/to/certificate.crt").result)
default_region_health_check = gcp.compute.RegionHealthCheck("default",
region="us-central1",
name="http-health-check",
check_interval_sec=1,
timeout_sec=1,
http_health_check={
"port": 80,
})
default_region_backend_service = gcp.compute.RegionBackendService("default",
region="us-central1",
name="backend-service",
port_name="http",
protocol="HTTP",
timeout_sec=10,
load_balancing_scheme="INTERNAL_MANAGED",
health_checks=default_region_health_check.id)
default_region_url_map = gcp.compute.RegionUrlMap("default",
region="us-central1",
name="url-map",
description="a description",
default_service=default_region_backend_service.id,
host_rules=[{
"hosts": ["mysite.com"],
"path_matcher": "allpaths",
}],
path_matchers=[{
"name": "allpaths",
"default_service": default_region_backend_service.id,
"path_rules": [{
"paths": ["/*"],
"service": default_region_backend_service.id,
}],
}])
default = gcp.compute.RegionTargetHttpsProxy("default",
region="us-central1",
name="test-mtls-proxy",
url_map=default_region_url_map.id,
ssl_certificates=[default_region_ssl_certificate.id],
server_tls_policy=default_server_tls_policy.id)
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/certificatemanager"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/networksecurity"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
project, err := organizations.LookupProject(ctx, &organizations.LookupProjectArgs{}, nil)
if err != nil {
return err
}
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "test-fixtures/ca_cert.pem",
}, nil)
if err != nil {
return err
}
invokeFile1, err := std.File(ctx, &std.FileArgs{
Input: "test-fixtures/ca_cert.pem",
}, nil)
if err != nil {
return err
}
defaultTrustConfig, err := certificatemanager.NewTrustConfig(ctx, "default", &certificatemanager.TrustConfigArgs{
Location: pulumi.String("us-central1"),
Name: pulumi.String("my-trust-config"),
Description: pulumi.String("sample description for trust config"),
TrustStores: certificatemanager.TrustConfigTrustStoreArray{
&certificatemanager.TrustConfigTrustStoreArgs{
TrustAnchors: certificatemanager.TrustConfigTrustStoreTrustAnchorArray{
&certificatemanager.TrustConfigTrustStoreTrustAnchorArgs{
PemCertificate: pulumi.String(invokeFile.Result),
},
},
IntermediateCas: certificatemanager.TrustConfigTrustStoreIntermediateCaArray{
&certificatemanager.TrustConfigTrustStoreIntermediateCaArgs{
PemCertificate: pulumi.String(invokeFile1.Result),
},
},
},
},
Labels: pulumi.StringMap{
"foo": pulumi.String("bar"),
},
})
if err != nil {
return err
}
defaultServerTlsPolicy, err := networksecurity.NewServerTlsPolicy(ctx, "default", &networksecurity.ServerTlsPolicyArgs{
Location: pulumi.String("us-central1"),
Name: pulumi.String("my-tls-policy"),
Description: pulumi.String("my description"),
AllowOpen: pulumi.Bool(false),
MtlsPolicy: &networksecurity.ServerTlsPolicyMtlsPolicyArgs{
ClientValidationMode: pulumi.String("REJECT_INVALID"),
ClientValidationTrustConfig: defaultTrustConfig.Name.ApplyT(func(name string) (string, error) {
return fmt.Sprintf("projects/%v/locations/us-central1/trustConfigs/%v", project.Number, name), nil
}).(pulumi.StringOutput),
},
})
if err != nil {
return err
}
invokeFile2, err := std.File(ctx, &std.FileArgs{
Input: "path/to/private.key",
}, nil)
if err != nil {
return err
}
invokeFile3, err := std.File(ctx, &std.FileArgs{
Input: "path/to/certificate.crt",
}, nil)
if err != nil {
return err
}
defaultRegionSslCertificate, err := compute.NewRegionSslCertificate(ctx, "default", &compute.RegionSslCertificateArgs{
Region: pulumi.String("us-central1"),
Name: pulumi.String("my-certificate"),
PrivateKey: pulumi.String(invokeFile2.Result),
Certificate: pulumi.String(invokeFile3.Result),
})
if err != nil {
return err
}
defaultRegionHealthCheck, err := compute.NewRegionHealthCheck(ctx, "default", &compute.RegionHealthCheckArgs{
Region: pulumi.String("us-central1"),
Name: pulumi.String("http-health-check"),
CheckIntervalSec: pulumi.Int(1),
TimeoutSec: pulumi.Int(1),
HttpHealthCheck: &compute.RegionHealthCheckHttpHealthCheckArgs{
Port: pulumi.Int(80),
},
})
if err != nil {
return err
}
defaultRegionBackendService, err := compute.NewRegionBackendService(ctx, "default", &compute.RegionBackendServiceArgs{
Region: pulumi.String("us-central1"),
Name: pulumi.String("backend-service"),
PortName: pulumi.String("http"),
Protocol: pulumi.String("HTTP"),
TimeoutSec: pulumi.Int(10),
LoadBalancingScheme: pulumi.String("INTERNAL_MANAGED"),
HealthChecks: defaultRegionHealthCheck.ID(),
})
if err != nil {
return err
}
defaultRegionUrlMap, err := compute.NewRegionUrlMap(ctx, "default", &compute.RegionUrlMapArgs{
Region: pulumi.String("us-central1"),
Name: pulumi.String("url-map"),
Description: pulumi.String("a description"),
DefaultService: defaultRegionBackendService.ID(),
HostRules: compute.RegionUrlMapHostRuleArray{
&compute.RegionUrlMapHostRuleArgs{
Hosts: pulumi.StringArray{
pulumi.String("mysite.com"),
},
PathMatcher: pulumi.String("allpaths"),
},
},
PathMatchers: compute.RegionUrlMapPathMatcherArray{
&compute.RegionUrlMapPathMatcherArgs{
Name: pulumi.String("allpaths"),
DefaultService: defaultRegionBackendService.ID(),
PathRules: compute.RegionUrlMapPathMatcherPathRuleArray{
&compute.RegionUrlMapPathMatcherPathRuleArgs{
Paths: pulumi.StringArray{
pulumi.String("/*"),
},
Service: defaultRegionBackendService.ID(),
},
},
},
},
})
if err != nil {
return err
}
_, err = compute.NewRegionTargetHttpsProxy(ctx, "default", &compute.RegionTargetHttpsProxyArgs{
Region: pulumi.String("us-central1"),
Name: pulumi.String("test-mtls-proxy"),
UrlMap: defaultRegionUrlMap.ID(),
SslCertificates: pulumi.StringArray{
defaultRegionSslCertificate.ID(),
},
ServerTlsPolicy: defaultServerTlsPolicy.ID(),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Std = Pulumi.Std;
return await Deployment.RunAsync(() =>
{
var project = Gcp.Organizations.GetProject.Invoke();
var defaultTrustConfig = new Gcp.CertificateManager.TrustConfig("default", new()
{
Location = "us-central1",
Name = "my-trust-config",
Description = "sample description for trust config",
TrustStores = new[]
{
new Gcp.CertificateManager.Inputs.TrustConfigTrustStoreArgs
{
TrustAnchors = new[]
{
new Gcp.CertificateManager.Inputs.TrustConfigTrustStoreTrustAnchorArgs
{
PemCertificate = Std.File.Invoke(new()
{
Input = "test-fixtures/ca_cert.pem",
}).Apply(invoke => invoke.Result),
},
},
IntermediateCas = new[]
{
new Gcp.CertificateManager.Inputs.TrustConfigTrustStoreIntermediateCaArgs
{
PemCertificate = Std.File.Invoke(new()
{
Input = "test-fixtures/ca_cert.pem",
}).Apply(invoke => invoke.Result),
},
},
},
},
Labels =
{
{ "foo", "bar" },
},
});
var defaultServerTlsPolicy = new Gcp.NetworkSecurity.ServerTlsPolicy("default", new()
{
Location = "us-central1",
Name = "my-tls-policy",
Description = "my description",
AllowOpen = false,
MtlsPolicy = new Gcp.NetworkSecurity.Inputs.ServerTlsPolicyMtlsPolicyArgs
{
ClientValidationMode = "REJECT_INVALID",
ClientValidationTrustConfig = Output.Tuple(project, defaultTrustConfig.Name).Apply(values =>
{
var project = values.Item1;
var name = values.Item2;
return $"projects/{project.Apply(getProjectResult => getProjectResult.Number)}/locations/us-central1/trustConfigs/{name}";
}),
},
});
var defaultRegionSslCertificate = new Gcp.Compute.RegionSslCertificate("default", new()
{
Region = "us-central1",
Name = "my-certificate",
PrivateKey = Std.File.Invoke(new()
{
Input = "path/to/private.key",
}).Apply(invoke => invoke.Result),
Certificate = Std.File.Invoke(new()
{
Input = "path/to/certificate.crt",
}).Apply(invoke => invoke.Result),
});
var defaultRegionHealthCheck = new Gcp.Compute.RegionHealthCheck("default", new()
{
Region = "us-central1",
Name = "http-health-check",
CheckIntervalSec = 1,
TimeoutSec = 1,
HttpHealthCheck = new Gcp.Compute.Inputs.RegionHealthCheckHttpHealthCheckArgs
{
Port = 80,
},
});
var defaultRegionBackendService = new Gcp.Compute.RegionBackendService("default", new()
{
Region = "us-central1",
Name = "backend-service",
PortName = "http",
Protocol = "HTTP",
TimeoutSec = 10,
LoadBalancingScheme = "INTERNAL_MANAGED",
HealthChecks = defaultRegionHealthCheck.Id,
});
var defaultRegionUrlMap = new Gcp.Compute.RegionUrlMap("default", new()
{
Region = "us-central1",
Name = "url-map",
Description = "a description",
DefaultService = defaultRegionBackendService.Id,
HostRules = new[]
{
new Gcp.Compute.Inputs.RegionUrlMapHostRuleArgs
{
Hosts = new[]
{
"mysite.com",
},
PathMatcher = "allpaths",
},
},
PathMatchers = new[]
{
new Gcp.Compute.Inputs.RegionUrlMapPathMatcherArgs
{
Name = "allpaths",
DefaultService = defaultRegionBackendService.Id,
PathRules = new[]
{
new Gcp.Compute.Inputs.RegionUrlMapPathMatcherPathRuleArgs
{
Paths = new[]
{
"/*",
},
Service = defaultRegionBackendService.Id,
},
},
},
},
});
var @default = new Gcp.Compute.RegionTargetHttpsProxy("default", new()
{
Region = "us-central1",
Name = "test-mtls-proxy",
UrlMap = defaultRegionUrlMap.Id,
SslCertificates = new[]
{
defaultRegionSslCertificate.Id,
},
ServerTlsPolicy = defaultServerTlsPolicy.Id,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetProjectArgs;
import com.pulumi.gcp.certificatemanager.TrustConfig;
import com.pulumi.gcp.certificatemanager.TrustConfigArgs;
import com.pulumi.gcp.certificatemanager.inputs.TrustConfigTrustStoreArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import com.pulumi.gcp.networksecurity.ServerTlsPolicy;
import com.pulumi.gcp.networksecurity.ServerTlsPolicyArgs;
import com.pulumi.gcp.networksecurity.inputs.ServerTlsPolicyMtlsPolicyArgs;
import com.pulumi.gcp.compute.RegionSslCertificate;
import com.pulumi.gcp.compute.RegionSslCertificateArgs;
import com.pulumi.gcp.compute.RegionHealthCheck;
import com.pulumi.gcp.compute.RegionHealthCheckArgs;
import com.pulumi.gcp.compute.inputs.RegionHealthCheckHttpHealthCheckArgs;
import com.pulumi.gcp.compute.RegionBackendService;
import com.pulumi.gcp.compute.RegionBackendServiceArgs;
import com.pulumi.gcp.compute.RegionUrlMap;
import com.pulumi.gcp.compute.RegionUrlMapArgs;
import com.pulumi.gcp.compute.inputs.RegionUrlMapHostRuleArgs;
import com.pulumi.gcp.compute.inputs.RegionUrlMapPathMatcherArgs;
import com.pulumi.gcp.compute.RegionTargetHttpsProxy;
import com.pulumi.gcp.compute.RegionTargetHttpsProxyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var project = OrganizationsFunctions.getProject(GetProjectArgs.builder()
.build());
var defaultTrustConfig = new TrustConfig("defaultTrustConfig", TrustConfigArgs.builder()
.location("us-central1")
.name("my-trust-config")
.description("sample description for trust config")
.trustStores(TrustConfigTrustStoreArgs.builder()
.trustAnchors(TrustConfigTrustStoreTrustAnchorArgs.builder()
.pemCertificate(StdFunctions.file(FileArgs.builder()
.input("test-fixtures/ca_cert.pem")
.build()).result())
.build())
.intermediateCas(TrustConfigTrustStoreIntermediateCaArgs.builder()
.pemCertificate(StdFunctions.file(FileArgs.builder()
.input("test-fixtures/ca_cert.pem")
.build()).result())
.build())
.build())
.labels(Map.of("foo", "bar"))
.build());
var defaultServerTlsPolicy = new ServerTlsPolicy("defaultServerTlsPolicy", ServerTlsPolicyArgs.builder()
.location("us-central1")
.name("my-tls-policy")
.description("my description")
.allowOpen(false)
.mtlsPolicy(ServerTlsPolicyMtlsPolicyArgs.builder()
.clientValidationMode("REJECT_INVALID")
.clientValidationTrustConfig(defaultTrustConfig.name().applyValue(_name -> String.format("projects/%s/locations/us-central1/trustConfigs/%s", project.number(),_name)))
.build())
.build());
var defaultRegionSslCertificate = new RegionSslCertificate("defaultRegionSslCertificate", RegionSslCertificateArgs.builder()
.region("us-central1")
.name("my-certificate")
.privateKey(StdFunctions.file(FileArgs.builder()
.input("path/to/private.key")
.build()).result())
.certificate(StdFunctions.file(FileArgs.builder()
.input("path/to/certificate.crt")
.build()).result())
.build());
var defaultRegionHealthCheck = new RegionHealthCheck("defaultRegionHealthCheck", RegionHealthCheckArgs.builder()
.region("us-central1")
.name("http-health-check")
.checkIntervalSec(1)
.timeoutSec(1)
.httpHealthCheck(RegionHealthCheckHttpHealthCheckArgs.builder()
.port(80)
.build())
.build());
var defaultRegionBackendService = new RegionBackendService("defaultRegionBackendService", RegionBackendServiceArgs.builder()
.region("us-central1")
.name("backend-service")
.portName("http")
.protocol("HTTP")
.timeoutSec(10)
.loadBalancingScheme("INTERNAL_MANAGED")
.healthChecks(defaultRegionHealthCheck.id())
.build());
var defaultRegionUrlMap = new RegionUrlMap("defaultRegionUrlMap", RegionUrlMapArgs.builder()
.region("us-central1")
.name("url-map")
.description("a description")
.defaultService(defaultRegionBackendService.id())
.hostRules(RegionUrlMapHostRuleArgs.builder()
.hosts("mysite.com")
.pathMatcher("allpaths")
.build())
.pathMatchers(RegionUrlMapPathMatcherArgs.builder()
.name("allpaths")
.defaultService(defaultRegionBackendService.id())
.pathRules(RegionUrlMapPathMatcherPathRuleArgs.builder()
.paths("/*")
.service(defaultRegionBackendService.id())
.build())
.build())
.build());
var default_ = new RegionTargetHttpsProxy("default", RegionTargetHttpsProxyArgs.builder()
.region("us-central1")
.name("test-mtls-proxy")
.urlMap(defaultRegionUrlMap.id())
.sslCertificates(defaultRegionSslCertificate.id())
.serverTlsPolicy(defaultServerTlsPolicy.id())
.build());
}
}
resources:
default:
type: gcp:compute:RegionTargetHttpsProxy
properties:
region: us-central1
name: test-mtls-proxy
urlMap: ${defaultRegionUrlMap.id}
sslCertificates:
- ${defaultRegionSslCertificate.id}
serverTlsPolicy: ${defaultServerTlsPolicy.id}
defaultTrustConfig:
type: gcp:certificatemanager:TrustConfig
name: default
properties:
location: us-central1
name: my-trust-config
description: sample description for trust config
trustStores:
- trustAnchors:
- pemCertificate:
fn::invoke:
function: std:file
arguments:
input: test-fixtures/ca_cert.pem
return: result
intermediateCas:
- pemCertificate:
fn::invoke:
function: std:file
arguments:
input: test-fixtures/ca_cert.pem
return: result
labels:
foo: bar
defaultServerTlsPolicy:
type: gcp:networksecurity:ServerTlsPolicy
name: default
properties:
location: us-central1
name: my-tls-policy
description: my description
allowOpen: 'false'
mtlsPolicy:
clientValidationMode: REJECT_INVALID
clientValidationTrustConfig: projects/${project.number}/locations/us-central1/trustConfigs/${defaultTrustConfig.name}
defaultRegionSslCertificate:
type: gcp:compute:RegionSslCertificate
name: default
properties:
region: us-central1
name: my-certificate
privateKey:
fn::invoke:
function: std:file
arguments:
input: path/to/private.key
return: result
certificate:
fn::invoke:
function: std:file
arguments:
input: path/to/certificate.crt
return: result
defaultRegionUrlMap:
type: gcp:compute:RegionUrlMap
name: default
properties:
region: us-central1
name: url-map
description: a description
defaultService: ${defaultRegionBackendService.id}
hostRules:
- hosts:
- mysite.com
pathMatcher: allpaths
pathMatchers:
- name: allpaths
defaultService: ${defaultRegionBackendService.id}
pathRules:
- paths:
- /*
service: ${defaultRegionBackendService.id}
defaultRegionBackendService:
type: gcp:compute:RegionBackendService
name: default
properties:
region: us-central1
name: backend-service
portName: http
protocol: HTTP
timeoutSec: 10
loadBalancingScheme: INTERNAL_MANAGED
healthChecks: ${defaultRegionHealthCheck.id}
defaultRegionHealthCheck:
type: gcp:compute:RegionHealthCheck
name: default
properties:
region: us-central1
name: http-health-check
checkIntervalSec: 1
timeoutSec: 1
httpHealthCheck:
port: 80
variables:
project:
fn::invoke:
function: gcp:organizations:getProject
arguments: {}
The serverTlsPolicy property references a ServerTlsPolicy resource that defines client validation rules. The TrustConfig specifies which certificate authorities to trust for client certificates. When clientValidationMode is set to REJECT_INVALID, the proxy rejects connections from clients without valid certificates.
Use Certificate Manager for centralized certificate lifecycle
Certificate Manager provides centralized certificate provisioning and renewal, separating certificate lifecycle from proxy configuration.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as std from "@pulumi/std";
const defaultCertificate = new gcp.certificatemanager.Certificate("default", {
name: "my-certificate",
location: "us-central1",
selfManaged: {
pemCertificate: std.file({
input: "test-fixtures/cert.pem",
}).then(invoke => invoke.result),
pemPrivateKey: std.file({
input: "test-fixtures/private-key.pem",
}).then(invoke => invoke.result),
},
});
const defaultRegionBackendService = new gcp.compute.RegionBackendService("default", {
name: "backend-service",
region: "us-central1",
protocol: "HTTPS",
timeoutSec: 30,
loadBalancingScheme: "INTERNAL_MANAGED",
});
const defaultRegionUrlMap = new gcp.compute.RegionUrlMap("default", {
name: "url-map",
defaultService: defaultRegionBackendService.id,
region: "us-central1",
});
const _default = new gcp.compute.RegionTargetHttpsProxy("default", {
name: "target-http-proxy",
urlMap: defaultRegionUrlMap.id,
certificateManagerCertificates: [pulumi.interpolate`//certificatemanager.googleapis.com/${defaultCertificate.id}`],
});
import pulumi
import pulumi_gcp as gcp
import pulumi_std as std
default_certificate = gcp.certificatemanager.Certificate("default",
name="my-certificate",
location="us-central1",
self_managed={
"pem_certificate": std.file(input="test-fixtures/cert.pem").result,
"pem_private_key": std.file(input="test-fixtures/private-key.pem").result,
})
default_region_backend_service = gcp.compute.RegionBackendService("default",
name="backend-service",
region="us-central1",
protocol="HTTPS",
timeout_sec=30,
load_balancing_scheme="INTERNAL_MANAGED")
default_region_url_map = gcp.compute.RegionUrlMap("default",
name="url-map",
default_service=default_region_backend_service.id,
region="us-central1")
default = gcp.compute.RegionTargetHttpsProxy("default",
name="target-http-proxy",
url_map=default_region_url_map.id,
certificate_manager_certificates=[default_certificate.id.apply(lambda id: f"//certificatemanager.googleapis.com/{id}")])
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/certificatemanager"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "test-fixtures/cert.pem",
}, nil)
if err != nil {
return err
}
invokeFile1, err := std.File(ctx, &std.FileArgs{
Input: "test-fixtures/private-key.pem",
}, nil)
if err != nil {
return err
}
defaultCertificate, err := certificatemanager.NewCertificate(ctx, "default", &certificatemanager.CertificateArgs{
Name: pulumi.String("my-certificate"),
Location: pulumi.String("us-central1"),
SelfManaged: &certificatemanager.CertificateSelfManagedArgs{
PemCertificate: pulumi.String(invokeFile.Result),
PemPrivateKey: pulumi.String(invokeFile1.Result),
},
})
if err != nil {
return err
}
defaultRegionBackendService, err := compute.NewRegionBackendService(ctx, "default", &compute.RegionBackendServiceArgs{
Name: pulumi.String("backend-service"),
Region: pulumi.String("us-central1"),
Protocol: pulumi.String("HTTPS"),
TimeoutSec: pulumi.Int(30),
LoadBalancingScheme: pulumi.String("INTERNAL_MANAGED"),
})
if err != nil {
return err
}
defaultRegionUrlMap, err := compute.NewRegionUrlMap(ctx, "default", &compute.RegionUrlMapArgs{
Name: pulumi.String("url-map"),
DefaultService: defaultRegionBackendService.ID(),
Region: pulumi.String("us-central1"),
})
if err != nil {
return err
}
_, err = compute.NewRegionTargetHttpsProxy(ctx, "default", &compute.RegionTargetHttpsProxyArgs{
Name: pulumi.String("target-http-proxy"),
UrlMap: defaultRegionUrlMap.ID(),
CertificateManagerCertificates: pulumi.StringArray{
defaultCertificate.ID().ApplyT(func(id string) (string, error) {
return fmt.Sprintf("//certificatemanager.googleapis.com/%v", id), nil
}).(pulumi.StringOutput),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Std = Pulumi.Std;
return await Deployment.RunAsync(() =>
{
var defaultCertificate = new Gcp.CertificateManager.Certificate("default", new()
{
Name = "my-certificate",
Location = "us-central1",
SelfManaged = new Gcp.CertificateManager.Inputs.CertificateSelfManagedArgs
{
PemCertificate = Std.File.Invoke(new()
{
Input = "test-fixtures/cert.pem",
}).Apply(invoke => invoke.Result),
PemPrivateKey = Std.File.Invoke(new()
{
Input = "test-fixtures/private-key.pem",
}).Apply(invoke => invoke.Result),
},
});
var defaultRegionBackendService = new Gcp.Compute.RegionBackendService("default", new()
{
Name = "backend-service",
Region = "us-central1",
Protocol = "HTTPS",
TimeoutSec = 30,
LoadBalancingScheme = "INTERNAL_MANAGED",
});
var defaultRegionUrlMap = new Gcp.Compute.RegionUrlMap("default", new()
{
Name = "url-map",
DefaultService = defaultRegionBackendService.Id,
Region = "us-central1",
});
var @default = new Gcp.Compute.RegionTargetHttpsProxy("default", new()
{
Name = "target-http-proxy",
UrlMap = defaultRegionUrlMap.Id,
CertificateManagerCertificates = new[]
{
defaultCertificate.Id.Apply(id => $"//certificatemanager.googleapis.com/{id}"),
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificatemanager.Certificate;
import com.pulumi.gcp.certificatemanager.CertificateArgs;
import com.pulumi.gcp.certificatemanager.inputs.CertificateSelfManagedArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import com.pulumi.gcp.compute.RegionBackendService;
import com.pulumi.gcp.compute.RegionBackendServiceArgs;
import com.pulumi.gcp.compute.RegionUrlMap;
import com.pulumi.gcp.compute.RegionUrlMapArgs;
import com.pulumi.gcp.compute.RegionTargetHttpsProxy;
import com.pulumi.gcp.compute.RegionTargetHttpsProxyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var defaultCertificate = new Certificate("defaultCertificate", CertificateArgs.builder()
.name("my-certificate")
.location("us-central1")
.selfManaged(CertificateSelfManagedArgs.builder()
.pemCertificate(StdFunctions.file(FileArgs.builder()
.input("test-fixtures/cert.pem")
.build()).result())
.pemPrivateKey(StdFunctions.file(FileArgs.builder()
.input("test-fixtures/private-key.pem")
.build()).result())
.build())
.build());
var defaultRegionBackendService = new RegionBackendService("defaultRegionBackendService", RegionBackendServiceArgs.builder()
.name("backend-service")
.region("us-central1")
.protocol("HTTPS")
.timeoutSec(30)
.loadBalancingScheme("INTERNAL_MANAGED")
.build());
var defaultRegionUrlMap = new RegionUrlMap("defaultRegionUrlMap", RegionUrlMapArgs.builder()
.name("url-map")
.defaultService(defaultRegionBackendService.id())
.region("us-central1")
.build());
var default_ = new RegionTargetHttpsProxy("default", RegionTargetHttpsProxyArgs.builder()
.name("target-http-proxy")
.urlMap(defaultRegionUrlMap.id())
.certificateManagerCertificates(defaultCertificate.id().applyValue(_id -> String.format("//certificatemanager.googleapis.com/%s", _id)))
.build());
}
}
resources:
default:
type: gcp:compute:RegionTargetHttpsProxy
properties:
name: target-http-proxy
urlMap: ${defaultRegionUrlMap.id}
certificateManagerCertificates: # [google_certificate_manager_certificate.default.id] is also acceptable
- //certificatemanager.googleapis.com/${defaultCertificate.id}
defaultCertificate:
type: gcp:certificatemanager:Certificate
name: default
properties:
name: my-certificate
location: us-central1
selfManaged:
pemCertificate:
fn::invoke:
function: std:file
arguments:
input: test-fixtures/cert.pem
return: result
pemPrivateKey:
fn::invoke:
function: std:file
arguments:
input: test-fixtures/private-key.pem
return: result
defaultRegionUrlMap:
type: gcp:compute:RegionUrlMap
name: default
properties:
name: url-map
defaultService: ${defaultRegionBackendService.id}
region: us-central1
defaultRegionBackendService:
type: gcp:compute:RegionBackendService
name: default
properties:
name: backend-service
region: us-central1
protocol: HTTPS
timeoutSec: 30
loadBalancingScheme: INTERNAL_MANAGED
The certificateManagerCertificates property accepts Certificate Manager resource references instead of inline RegionSslCertificate resources. This approach centralizes certificate management across multiple proxies and automates renewal workflows. You cannot use both sslCertificates and certificateManagerCertificates on the same proxy.
Beyond these examples
These snippets focus on specific proxy-level features: SSL certificate attachment (inline and Certificate Manager), connection keep-alive tuning, and mutual TLS with client validation. They’re intentionally minimal rather than full load balancer deployments.
The examples may reference pre-existing infrastructure such as certificate files (private keys and PEM certificates), and backend services, health checks, and URL maps. They focus on configuring the HTTPS proxy rather than provisioning the complete load balancing stack.
To keep things focused, common proxy patterns are omitted, including:
- SSL policy configuration (sslPolicy)
- Multiple certificate attachment (up to 15 certificates)
- Forwarding rule integration
- Certificate rotation and renewal workflows
These omissions are intentional: the goal is to illustrate how each proxy feature is wired, not provide drop-in load balancer modules. See the RegionTargetHttpsProxy resource reference for all available configuration options.
Let's configure GCP Region Target HTTPS Proxies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
SSL Certificates & TLS
Why am I getting a resourceInUseByAnotherResource error when updating serverTlsPolicy?
Removing
serverTlsPolicy while simultaneously deleting or recreating the referenced ServerTlsPolicy resource causes this error. Use lifecycle.create_before_destroy within the ServerTlsPolicy resource to avoid it.Can I use both sslCertificates and certificateManagerCertificates?
No,
sslCertificates and certificateManagerCertificates are mutually exclusive. Choose one certificate type for your proxy.Do sslCertificates work with INTERNAL_SELF_MANAGED load balancing?
No,
sslCertificates do not apply when the load balancing scheme is set to INTERNAL_SELF_MANAGED. Use certificateManagerCertificates or a different load balancing scheme instead.How many SSL certificates can I attach to a regional HTTPS proxy?
At least one SSL certificate is required, with a maximum of 15 certificates allowed.
What format does certificateManagerCertificates accept?
Accepts either the full URL format
//certificatemanager.googleapis.com/projects/{project}/locations/{location}/certificates/{resourceName} or just the self_link projects/{project}/locations/{location}/certificates/{resourceName}.How do I configure mTLS authentication for my HTTPS proxy?
Set
serverTlsPolicy to reference a networksecurity.ServerTlsPolicy resource with clientValidationMode and clientValidationTrustConfig configured.Configuration & Limits
What are the HTTP keep-alive timeout limits?
The default is 600 seconds. For Regional HTTP(S) load balancers, the minimum is 5 seconds and the maximum is 600 seconds.
What are the naming requirements for a regional HTTPS proxy?
Names must be 1-63 characters long and match the regex
[a-z][-a-z0-9]*[a-z0-9]. The first character must be a lowercase letter, followed by dashes, lowercase letters, or digits, with the last character being a letter or digit (not a dash).Resource Lifecycle
What properties can't be changed after creating the proxy?
The following properties are immutable:
name, project, region, description, and httpKeepAliveTimeoutSec. Changing these requires recreating the resource.Using a different cloud?
Explore networking guides for other cloud providers: