This page illustrates how to deploy a global external Application Load Balancer to load balance traffic to network endpoints that are on-premises or in other public clouds and are reachable via hybrid connectivity.
After you complete these tasks, you can optionally explore enabling additional services (such as Cloud CDN and Google Cloud Armor) and advanced traffic management features.
If you haven't already done so, review the Hybrid connectivity NEGs overview to understand the network requirements to set up hybrid load balancing.
Setup overview
The example on this page sets up the following sample deployment:
You must configure hybrid connectivity before you attempt to set up a hybrid load balancing deployment. This document does not include the hybrid connectivity setup.
Depending on your choice of hybrid connectivity product (either Cloud VPN or Cloud Interconnect (Dedicated or Partner)), use the relevant product documentation to configure this.
Permissions
To set up hybrid load balancing, you must have the following permissions:
- On Google Cloud - Permissions to establish hybrid connectivity between Google Cloud and your on-premises environment or other cloud environments. For the list of permissions needed, see the relevant Network Connectivity product documentation.
- Permissions to create a hybrid connectivity NEG and the load balancer.
The Compute Load Balancer Admin
role
(roles/compute.loadBalancerAdmin) contains the permissions required to perform the tasks described in this guide.
 
- On your on-premises environment or other non-Google Cloud cloud environment - Permissions to configure network endpoints that allow services on your
on-premises environment or other cloud environments to be reachable from
Google Cloud by using an IP:Portcombination. For more information, contact your environment's network administrator.
- Permissions to create firewall rules on your on-premises environment or other cloud environments to allow Google's health check probes to reach the endpoints.
 
- Permissions to configure network endpoints that allow services on your
on-premises environment or other cloud environments to be reachable from
Google Cloud by using an 
Additionally, to complete the instructions on this page, you need to create a hybrid connectivity NEG, a load balancer, and zonal NEGs (and their endpoints) to serve as Google Cloud-based backends for the load balancer.
You should be either a project Owner or Editor, or you should have the following Compute Engine IAM roles.
| Task | Required role | 
|---|---|
| Create networks, subnets, and load balancer components | Compute Network Admin
       ( roles/compute.networkAdmin) | 
| Add and remove firewall rules | Compute Security Admin
       ( roles/compute.securityAdmin) | 
| Create instances | Compute Instance Admin
       ( roles/compute.instanceAdmin) | 
Establish hybrid connectivity
Your Google Cloud and on-premises environment or other cloud environments must be connected through hybrid connectivity by using either Cloud Interconnect VLAN attachments or Cloud VPN tunnels with Cloud Router or Router appliance VMs. We recommend that you use a high availability connection.
A Cloud Router enabled with global dynamic routing learns about the specific endpoint through Border Gateway Protocol (BGP) and programs it into your Google Cloud VPC network. Regional dynamic routing is not supported. Static routes are also not supported.
You can use either the same network or a different VPC network within the same project to configure both hybrid networking (Cloud Interconnect or Cloud VPN or a Router appliance VM) and the load balancer. Note the following:
- If you use different VPC networks, the two networks must be connected using either VPC Network Peering or they must be VPC spokes on the same Network Connectivity Center hub. 
- If you use the same VPC network, ensure that your VPC network's subnet CIDR ranges don't conflict with your remote CIDR ranges. When IP addresses overlap, subnet routes are prioritized over remote connectivity. 
For instructions, see the following documentation:
Set up your environment that is outside Google Cloud
Perform the following steps to set up your on-premises environment or other cloud environment for hybrid load balancing:
- Configure network endpoints to expose on-premises services to
Google Cloud (IP:Port).
- Configure firewall rules on your on-premises environment or other cloud environment.
- Configure Cloud Router to advertise certain required routes to your private environment.
Set up network endpoints
After you set up hybrid connectivity, you configure one or more network
endpoints within your on-premises environment or other cloud environments that
are reachable through Cloud Interconnect or Cloud VPN or
Router appliance by using an IP:port combination. This IP:port
combination is configured as one or more endpoints for the hybrid connectivity
NEG that is created in Google Cloud later on in this process.
If there are multiple paths to the IP endpoint, routing follows the behavior described in the Cloud Router overview.
Set up firewall rules
The following firewall rules must be created on your on-premises environment or other cloud environment:
- Create an ingress allow firewall rule to allow traffic from Google's health-checking probes to your endpoints. The source IP address ranges to be allowed are - 35.191.0.0/16and- 130.211.0.0/22. For more information, see Probe IP ranges and firewall rules.
Advertise routes
Configure Cloud Router to advertise the following custom IP ranges to your on-premises environment or other cloud environment:
- The ranges used by Google's health check probes: 35.191.0.0/16and130.211.0.0/22.
Set up the Google Cloud environment
For the following steps, make sure you use the same VPC network (called NETWORK in this procedure) that was used to configure hybrid connectivity between the environments.
Create the subnet for the backends
This subnet is used to create the load balancer's zonal NEG backends, the frontend, and the internal IP address.
Create this subnet in the NETWORK network that was used to configure hybrid connectivity between the environments.
Console
To support both IPv4 and IPv6 traffic, use the following steps:
- In the Google Cloud console, go to the VPC networks page. 
- Go to the network that was used to configure hybrid connectivity between the environments. - Click Edit.
- For the Subnet creation mode, choose Custom.
- Click Save.
 
- Optional: If you want to configure internal IPv6 address ranges on subnets in this network, complete these steps: - For VPC network ULA internal IPv6 range, select Enabled.
- For Allocate internal IPv6 range, select Automatically or Manually. - If you select Manually, enter a - /48range from within the- fd20::/20range. If the range is in use, you are prompted to provide a different range.
 
- In the Subnets tab, click Add subnet. 
- In the Add a subnet panel, configure the following fields: - In the Name field, provide a name for the subnet.
- In the Region field, select a region.
- In the IP address range field, enter an IP address range.
- For IP stack type, select IPv4 and IPv6 (dual-stack).
- For the IPv6 access type field, select External.
- Click Add.
 
To support IPv4 traffic, use the following steps:
- In the Google Cloud console, go to the VPC networks page. 
- Go to the network that was used to configure hybrid connectivity between the environments. - Click Edit.
- For the Subnet creation mode, choose Custom.
- Click Save.
 
- In the Subnets tab, click Add subnet. 
- In the Add a subnet panel, enter the following information: - In the Name field, provide a name for the subnet.
- In the Region field, select a region.
- In the IP address range field, enter an IP address range.
- For the IP stack type field, select IPv4 (single-stack).
- Click Add.
 
gcloud
Create a subnet in the NETWORK network that was used to configure hybrid connectivity between the environments.
For IPv4 and IPv6 traffic, use the following command:
gcloud compute networks update NETWORK \
    [ --enable-ula-internal-ipv6 [ --internal-ipv6-range=ULA_IPV6_RANGE ]] \
    --switch-to-custom-subnet-mode
gcloud compute networks subnets create LB_SUBNET_NAME \
    --network=NETWORK \
    --range=LB_SUBNET_RANGE \
    --region=REGION \
    --stack-type=IPV4_IPV6 \
    --ipv6-access-type=EXTERNAL
For IPv4 traffic, use the following command:
gcloud compute networks subnets create LB_SUBNET_NAME \
    --network=NETWORK \
    --range=LB_SUBNET_RANGE \
    --region=REGION
Replace the following:
- NETWORK: a name for the VPC network.
- LB_SUBNET_NAME: a name for the subnet.
- REGION: the name of the region.
- ULA_IPV6_RANGE: a- /48prefix from within the- fd20::/20range used by Google for internal IPv6 subnet ranges. If you don't use the- --internal-ipv6-rangeflag, Google selects a- /48prefix for the network.
Create firewall rule
In this example, you create the following firewall rule:
- fw-allow-health-check: An ingress rule, applicable to the Google Cloud instances being load balanced, that allows traffic from the load balancer and Google Cloud health checking systems (- 130.211.0.0/22and- 35.191.0.0/16). This example uses the target tag- allow-health-checkto identify the backend VMs to which it should apply.
Console
- In the Google Cloud console, go to the Firewall policies page. 
- Click Create firewall rule: - Enter a Name of fw-allow-health-check.
- In the Network section, select NETWORK.
- Under Targets, select Specified target tags.
- Populate the Target tags field with allow-health-check.
- Set Source filter to IPv4 ranges.
- Set Source IPv4 ranges to 130.211.0.0/22and35.191.0.0/16.
- Under Protocols and ports, select Specified protocols and ports.
- Select the checkbox next to TCP and type 80for the port numbers.
 
- Enter a Name of 
- Click Create. 
- To allow IPv6 subnet traffic, click Create firewall rule again and enter the following information: - Name: fw-allow-lb-access-ipv6
- Network: NETWORK
- Priority: 1000
- Direction of traffic: ingress
- Targets: Specified target tags
- Target tags field, enter allow-health-check-ipv6
- Source filter: IPv6 ranges
- Source IPv6 ranges: 2600:2d00:1:b029::/64,2600:2d00:1:1::/64
- Protocols and ports: Allow all
 
- Name: 
- Click Create. 
gcloud
- Create the - fw-allow-health-check-and-proxyrule to allow the load balancer and Google Cloud health checks to communicate with backend instances on TCP port- 80.- Replace NETWORK with the name of the VPC network used to configure hybrid connectivity. - gcloud compute firewall-rules create fw-allow-health-check \ --network=NETWORK \ --action=allow \ --direction=ingress \ --target-tags=allow-health-check \ --source-ranges=130.211.0.0/22,35.191.0.0/16 \ --rules=tcp:80
- Create the - fw-allow-health-check-ipv6rule to allow Google Cloud IPv6 health checks.- gcloud compute firewall-rules create fw-allow-health-check-ipv6 \ --network=NETWORK \ --action=allow \ --direction=ingress \ --target-tags=allow-health-check-ipv6 \ --source-ranges=2600:2d00:1:b029::/64,2600:2d00:1:1::/64 \ --rules=tcp,udp,icmp 
Set up the zonal NEG
For Google Cloud-based backends, we recommend you configure multiple zonal NEGs in the same region where you configured hybrid connectivity.
Zonal NEGs with one or moreGCE_VM_IP_PORT type endpoints support dual-stack.
For this example, we set up a zonal NEG (with GCE_VM_IP_PORT type endpoints)
in the REGION region. First create the VMs in
the GCP_NEG_ZONE zone. Then
create a zonal NEG in the same GCP_NEG_ZONE and
add the VMs' network endpoints to the NEG.
Create VMs
Console
- Go to the VM instances page in the Google Cloud console. 
 Go to VM instances
- Click Create instance. 
- Set the Name to - vm-a1.
- For the Region, choose REGION. 
- For the Zone, choose GCP_NEG_ZONE. 
- In the Boot disk section, ensure that Debian GNU/Linux 12 (bookworm) is selected for the boot disk options. Click Choose to change the image if necessary. 
- Click Advanced options and make the following changes: - Click Networking and add the following Network tags:
allow-health-check.
- Click Edit  under
Network interfaces and make the following changes then click
Done:
- Network: NETWORK
- Subnet: LB_SUBNET_NAME
- IP stack type: IPv4 and IPv6 (dual-stack)
 
- Click Management. In the Startup script field, copy and paste the following script contents. The script contents are identical for all four VMs: - #! /bin/bash apt-get update apt-get install apache2 -y a2ensite default-ssl a2enmod ssl vm_hostname="$(curl -H "Metadata-Flavor:Google" \ http://metadata.google.internal/computeMetadata/v1/instance/name)" echo "Page served from: $vm_hostname" | \ tee /var/www/html/index.html systemctl restart apache2 
 
- Click Networking and add the following Network tags:
- Click Create. 
- Repeat the following steps to create a second VM, using the following name and zone combination: - Name: vm-a2, zone: GCP_NEG_ZONE
 
- Name: 
gcloud
Create the VMs by running the following command two times, using these combinations for the name of the VM and its zone. The script contents are identical for both VMs.
- VM_NAME of vm-a1and any GCP_NEG_ZONE zone of your choice
- VM_NAME of - vm-a2and the same GCP_NEG_ZONE zone- To support both IPv4 and IPv6 traffic, run the following command: - gcloud compute instances create VM_NAME \ --zone=GCP_NEG_ZONE \ --image-family=debian-12 \ --image-project=debian-cloud \ --tags=allow-health-check,allow-health-check-ipv6 \ --ipv6-network-tier=PREMIUM \ --stack-type=IPV4_IPV6 \ --subnet=LB_SUBNET_NAME \ --metadata=startup-script='#! /bin/bash apt-get update apt-get install apache2 -y a2ensite default-ssl a2enmod ssl vm_hostname="$(curl -H "Metadata-Flavor:Google" \ http://metadata.google.internal/computeMetadata/v1/instance/name)" echo "Page served from: $vm_hostname" | \ tee /var/www/html/index.html systemctl restart apache2'
Create the zonal NEG
Console
To create a zonal network endpoint group:
- Go to the Network Endpoint Groups page in the Google Cloud console. 
 Go to the Network Endpoint Groups page
- Click Create network endpoint group.
- Enter a Name for the zonal NEG. Referred to as GCP_NEG_NAME in this procedure.
- Select the Network endpoint group type: Network endpoint group (Zonal).
- Select the Network: NETWORK
- Select the Subnet: LB_SUBNET_NAME
- Select the Zone: GCP_NEG_ZONE
- Enter the Default port: 80.
- Click Create.
Add endpoints to the zonal NEG:
- Go to the Network Endpoint Groups page in the Google Cloud console. 
 Go to the Network endpoint groups
- Click the Name of the network endpoint group created in the previous step (GCP_NEG_NAME). You see the Network endpoint group details page.
- In the Network endpoints in this group section, click Add network endpoint. You see the Add network endpoint page.
- Select a VM instance to add its internal IP addresses as network endpoints. In the Network interface section, the name, zone, and subnet of the VM is displayed.
- In the IPv4 address field, enter the IPv4 address of the new network endpoint.
- In the IPv6 address field, enter the IPv6 address of the new network endpoint.
- Select the Port type.
- If you select Default, the endpoint uses the default port 80for all endpoints in the network endpoint group. This is sufficient for our example because the Apache server is serving requests at port80.
- If you select Custom, enter the Port number for the endpoint to use.
 
- If you select Default, the endpoint uses the default port 
- To add more endpoints, click Add network endpoint and repeat the previous steps.
- After you add all the endpoints, click Create.
gcloud
- Create a zonal NEG (with - GCE_VM_IP_PORTendpoints) using the- gcloud compute network-endpoint-groups createcommand:- gcloud compute network-endpoint-groups create GCP_NEG_NAME \ --network-endpoint-type=GCE_VM_IP_PORT \ --zone=GCP_NEG_ZONE \ --network=NETWORK \ --subnet=LB_SUBNET_NAME- You can either specify a - --default-portwhile creating the NEG, or specify a port number for each endpoint as shown in the next step.
- Add dual-stack endpoints to GCP_NEG_NAME. - gcloud compute network-endpoint-groups update GCP_NEG_NAME \ --zone=GCP_NEG_ZONE \ --add-endpoint='instance=vm-a1,ip=IPv4_ADDRESS, \ ipv6=IPv6_ADDRESS,port=80' \ --add-endpoint='instance=vm-a2,ip=IPv4_ADDRESS, \ ipv6=IPv6_ADDRESS,port=80'
Set up the hybrid connectivity NEG
When creating the NEG, use a ZONE that minimizes the geographic
distance between Google Cloud and your on-premises or other cloud
environment. For example, if you are hosting a service in an on-premises
environment in Frankfurt, Germany, you can specify the europe-west3-a
Google Cloud zone when you create the NEG.
Moreover, if you're using Cloud Interconnect, the ZONE used to create the NEG should be in the same region where the hybrid connectivity Cloud Interconnect VLAN attachment was configured.
For the available regions and zones, see the Compute Engine documentation: Available regions and zones.
Console
To create a hybrid connectivity network endpoint group:
- Go to the Network Endpoint Groups page in the Google Cloud console. 
 Go to Network endpoint groups
- Click Create network endpoint group.
- Enter a Name for the hybrid NEG. Referred to as ON_PREM_NEG_NAME in this procedure.
- Select the Network endpoint group type: Hybrid connectivity network endpoint group (Zonal).
- Select the Network: NETWORK
- Select the Subnet: LB_SUBNET_NAME
- Select the Zone: ON_PREM_NEG_ZONE
- Enter the Default port.
- Click Create
Add endpoints to the hybrid connectivity NEG:
- Go to the Network Endpoint Groups page in the Google Cloud console. 
 Go to the Network Endpoint Groups page
- Click the Name of the network endpoint group created in the previous step (ON_PREM_NEG_NAME). You see the Network endpoint group detail page.
- In the Network endpoints in this group section, click Add network endpoint. You see the Add network endpoint page.
- Enter the IP address of the new network endpoint.
- Select the Port type.
- If you select Default, the endpoint uses the default port for all endpoints in the network endpoint group.
- If you select Custom, you can enter a different Port number for the endpoint to use.
 
- To add more endpoints, click Add network endpoint and repeat the previous steps.
- After you add all the non-Google Cloud endpoints, click Create.
gcloud
- Create a hybrid connectivity NEG using the - gcloud compute network-endpoint-groups createcommand.- gcloud compute network-endpoint-groups create ON_PREM_NEG_NAME \ --network-endpoint-type=NON_GCP_PRIVATE_IP_PORT \ --zone=ON_PREM_NEG_ZONE \ --network=NETWORK
- Add the endpoint to - on-prem-neg:- gcloud compute network-endpoint-groups update ON_PREM_NEG_NAME \ --zone=ON_PREM_NEG_ZONE \ --add-endpoint="ip=ON_PREM_IP_ADDRESS_1,port=PORT_1" \ --add-endpoint="ip=ON_PREM_IP_ADDRESS_2,port=PORT_2"
You can use this command to add the network endpoints you previously
configured on-premises or in your cloud environment.
Repeat --add-endpoint as many times as needed.
You can repeat these steps to create multiple hybrid NEGs if needed.
Configure the load balancer
Console
gcloud
- Create a global static external IP address to which external
   clients send traffic.
  
  
  gcloud compute addresses create LB_IP_ADDRESS_NAME \ --network-tier=PREMIUM \ --global
- Create a health check
    for the backends.
  
  
  gcloud compute health-checks create http HTTP_HEALTH_CHECK_NAME \ --use-serving-port
- Create a backend service. You add both the zonal NEG and the hybrid connectivity NEG as backends to this backend service.
- Add the zonal NEG as a backend to the backend service:
  
  
  gcloud beta compute backend-services add-backend BACKEND_SERVICE \ --global \ --balancing-mode=RATE \ --max-rate-per-endpoint=MAX_REQUEST_RATE_PER_ENDPOINT \ --network-endpoint-group=GCP_NEG_NAME \ --network-endpoint-group-zone=GCP_NEG_ZONE--max-rate-per-endpointparameter.
- Add the hybrid NEG as a backend to the backend service:
  
  
  gcloud compute backend-services add-backend BACKEND_SERVICE \ --global \ --balancing-mode=RATE \ --max-rate-per-endpoint=MAX_REQUEST_RATE_PER_ENDPOINT \ --network-endpoint-group=ON_PREM_NEG_NAME \ --network-endpoint-group-zone=ON_PREM_NEG_ZONE
- Create a URL map to route incoming requests to the backend service.
  
  
  gcloud beta compute url-maps create URL_MAP_NAME \ --default-service BACKEND_SERVICE
- Perform this step only if you want to create an HTTPS load
balancer. This is not required for HTTP load balancers.
 To create an HTTPS load balancer, you must have an SSL certificate resource to use in the HTTPS target proxy. You can create an SSL certificate resource using either a Google-managed SSL certificate or a self-managed SSL certificate. Using Google-managed certificates is recommended because Google Cloud obtains, manages, and renews these certificates automatically.
 To create a Google-managed certificate, you must have a domain. If you don't have a domain, you can use a self-signed SSL certificate for testing.
 To create a Google-managed SSL certificate resource:gcloud compute ssl-certificates create SSL_CERTIFICATE_NAME \ --domains DOMAINgcloud compute ssl-certificates create SSL_CERTIFICATE_NAME \ --certificate CRT_FILE_PATH \ --private-key KEY_FILE_PATH
- Create a target HTTP(S) proxy to route requests to your URL map.
 For an HTTP load balancer, create an HTTP target proxy:gcloud beta compute target-http-proxies create TARGET_HTTP_PROXY_NAME \ --http-keep-alive-timeout-sec=HTTP_KEEP_ALIVE_TIMEOUT_SEC \ --url-map=URL_MAP_NAMEgcloud beta compute target-https-proxies create TARGET_HTTPS_PROXY_NAME \ --http-keep-alive-timeout-sec=HTTP_KEEP_ALIVE_TIMEOUT_SEC \ --ssl-certificates=SSL_CERTIFICATE_NAME \ --url-map=URL_MAP_NAMEReplace the following: - TARGET_HTTP_PROXY_NAME: the name of the target HTTP proxy.
- TARGET_HTTPS_PROXY_NAME: the name of the target HTTPS proxy.
- HTTP_KEEP_ALIVE_TIMEOUT_SEC: an optional field used to specify the client HTTP keepalive timeout. The timeout value must be from 5 to 1200 seconds. The default value is 610 seconds.
- SSL_CERTIFICATE_NAME: the name of the SSL certificate.
- URL_MAP_NAME: the name of the URL map.
 
- Create a forwarding rule to route incoming requests to the proxy.
 For an HTTP load balancer:gcloud beta compute forwarding-rules create HTTP_FORWARDING_RULE_NAME \ --load-balancing-scheme=EXTERNAL_MANAGED \ --network-tier=PREMIUM \ --address=LB_IP_ADDRESS_NAME \ --target-http-proxy=TARGET_HTTP_PROXY_NAME \ --global \ --ports=80gcloud beta compute forwarding-rules create HTTPS_FORWARDING_RULE_NAME \ --load-balancing-scheme=EXTERNAL_MANAGED \ --network-tier=PREMIUM \ --address=LB_IP_ADDRESS_NAME \ --target-https-proxy=TARGET_HTTPS_PROXY_NAME \ --global \ --ports=443
  gcloud beta compute backend-services create BACKEND_SERVICE \
      --health-checks=HTTP_HEALTH_CHECK_NAME \
      --load-balancing-scheme=EXTERNAL_MANAGED \
      --ip-address-selection-policy=PREFER_IPV6 \
      --global
  Connect your domain to your load balancer
After the load balancer is created, note the IP address that is associated with
the load balancer—for example, 30.90.80.100. To point your domain to your
load balancer, create an A record by using your domain registration service. If
you added multiple domains to your SSL certificate, you must add an A record
for each one, all pointing to the load balancer's IP address. For example, to
create A records for www.example.com and example.com, use the following:
NAME TYPE DATA www A 30.90.80.100 @ A 30.90.80.100
If you use Cloud DNS as your DNS provider, see Add, modify, and delete records.
Testing the load balancer
Now that you have configured your load balancer, you can start sending traffic to the load balancer's IP address.
- Go to the Load balancing page in the Google Cloud console. 
 Go to the Load balancing page
- Click on the load balancer you just created. 
- Note the IP Address of the load balancer. 
- Send traffic to the load balancer. - If you created an HTTP load balancer, you can test your load balancer using a web browser by going to - http://IP_ADDRESS. Replace- IP_ADDRESSwith the load balancer's IP address. You should be directed to the service you have exposed through the endpoint.
- If you created an HTTPS load balancer, you can test your load balancer by using - curlas follows. Replace- IP_ADDRESSwith the load balancer's IP address. You should be directed to the service you have exposed through the endpoint.- curl -k https://IP_ADDRESS - If that does not work and you are using a Google-managed certificate, confirm that your certificate resource's status is ACTIVE. For more information, see Google-managed SSL certificate resource status. Then test the domain pointing to the load balancer's IP address. For example: - curl -s https://DOMAIN_NAME - Replace DOMAIN_NAME with your application domain name, for example, - test.example.com.
 
- Testing the non-Google Cloud endpoints depends on the service you have exposed through the hybrid NEG endpoint. 
Additional configuration
This section expands on the configuration example to provide alternative and additional configuration options. All of the tasks are optional. You can perform them in any order.
Update client HTTP keepalive timeout
The load balancer created in the previous steps has been configured with a default value for the client HTTP keepalive timeout.To update the client HTTP keepalive timeout, use the following instructions.
Console
- In the Google Cloud console, go to the Load balancing page. 
- Click the name of the load balancer that you want to modify.
- Click Edit.
- Click Frontend configuration.
- Expand Advanced features. For HTTP keepalive timeout, enter a timeout value.
- Click Update.
- To review your changes, click Review and finalize, and then click Update.
gcloud
For an HTTP load balancer, update the target HTTP proxy by using the
    gcloud compute target-http-proxies update command:
      gcloud compute target-http-proxies update TARGET_HTTP_PROXY_NAME \
          --http-keep-alive-timeout-sec=HTTP_KEEP_ALIVE_TIMEOUT_SEC \
          --global
    For an HTTPS load balancer, update the target HTTPS proxy by using the
    gcloud compute target-https-proxies update command:
      gcloud compute target-https-proxies update TARGET_HTTPS_PROXY_NAME \
          --http-keep-alive-timeout-sec=HTTP_KEEP_ALIVE_TIMEOUT_SEC \
          --global
    Replace the following:
- TARGET_HTTP_PROXY_NAME: the name of the target HTTP proxy.
- TARGET_HTTPS_PROXY_NAME: the name of the target HTTPS proxy.
- HTTP_KEEP_ALIVE_TIMEOUT_SEC: the HTTP keepalive timeout value from 5 to 600 seconds.