SSL policies specify a minimum TLS version and a set of TLS capabilities that Cloud Load Balancing uses when negotiating SSL with clients. In this document, the term SSL refers to both the SSL and TLS protocols.
SSL policies are supported with the following load balancers:
- Global SSL policies
  - Global external Application Load Balancer
  - Classic Application Load Balancer
  - External proxy Network Load Balancer (with a target SSL proxy)
  - Cross-region internal Application Load Balancer
- Regional SSL policies
  - Regional external Application Load Balancer
  - Regional internal Application Load Balancer
For more information about how SSL policies work, see SSL policies for SSL and TLS protocols.
You can create and manage SSL policies by using the Google Cloud console or the Google Cloud CLI when you create an HTTPS or SSL load balancer or at any time after you create the load balancer.
Create SSL policies
You can create SSL policies with predefined profiles or with a custom profile.
Create an SSL policy with a predefined profile
Console
Global SSL policy
To create a global SSL policy with a predefined profile, do the following:
In the Google Cloud console, go to the SSL policies page.
Click Create policy.
For Global SSL policy, click the Create button next to it. The Create policy page appears.
Enter a name.
For Minimum TLS Version, select a value.
For Profile, select Compatible, Modern, Restricted, or FIPS_202205.
- SSL policies that use the FIPS_202205 profile must use a minimum TLS version of 1.2.
- If you set the minimum TLS version of an SSL policy to 1.3, the policy must use the RESTRICTED profile.
The Enabled features and Disabled features for the profile are displayed.
If there is a load balancer to which you want to attach the policy, click Apply to targets and select a forwarding rule as the target of the SSL policy. If necessary, add more targets.
Click Create.
Regional SSL policy
To create a regional SSL policy with a predefined profile, do the following:
In the Google Cloud console, go to the SSL policies page.
Click Create policy.
For Regional SSL policy, click the Create button next to it. The Create policy page appears.
Enter a name.
For Region, select a region.
For Minimum TLS Version, select a value.
For Profile, select Compatible, Modern, Restricted, or FIPS_202205.
- SSL policies that use the FIPS_202205 profile must use a minimum TLS version of 1.2.
- If you set the minimum TLS version of an SSL policy to 1.3, the policy must use the RESTRICTED profile.
The Enabled features and Disabled features for the profile are displayed.
If there is a load balancer to which you want to attach the policy, click Apply to targets and select a forwarding rule as the target of the SSL policy. If necessary, add more targets.
Click Create.
gcloud
Global SSL policy
The following is the general syntax for creating a global SSL policy with a predefined profile.
- SSL policies that use the FIPS_202205 profile must use a minimum TLS version of 1.2.
- If you set the minimum TLS version of an SSL policy to 1.3, the policy must use the RESTRICTED profile.
gcloud compute ssl-policies create SSL_POLICY_NAME \
--profile {COMPATIBLE | MODERN | RESTRICTED | FIPS_202205} \
--min-tls-version {1.0 | 1.1 | 1.2 | 1.3}
Replace SSL_POLICY_NAME with the name that you
assigned to the SSL policy that defines the TLS capabilities that
your load balancer uses when negotiating connections with clients.
The following command creates a global SSL policy with the MODERN profile:
gcloud compute ssl-policies create my-ssl-policy \
--profile MODERN \
--min-tls-version 1.0
Regional SSL policy
The following is the general syntax for creating a regional SSL policy with a predefined profile.
- SSL policies that use the FIPS_202205 profile must use a minimum TLS version of 1.2.
- If you set the minimum TLS version of an SSL policy to 1.3, the policy must use the RESTRICTED profile.
gcloud compute ssl-policies create SSL_POLICY_NAME \
--profile {COMPATIBLE | MODERN | RESTRICTED | FIPS_202205} \
--min-tls-version {1.0 | 1.1 | 1.2 | 1.3} \
--region REGION
Replace the following:
- SSL_POLICY_NAME: the name that you assigned to the SSL policy that defines the TLS capabilities that your load balancer uses when negotiating connections with clients
- REGION: the region for the SSL policy
The following command creates a regional SSL policy with the COMPATIBLE profile:
gcloud compute ssl-policies create my-ssl-policy \
--profile COMPATIBLE \
--min-tls-version 1.1 \
--region us-west1
Create an SSL policy with a custom profile
Console
Global SSL policy
To create a global SSL policy with a custom profile, do the following:
In the Google Cloud console, go to the SSL policies page.
Click Create policy.
For Global SSL policy, click the Create button next to it. The Create policy page appears.
Enter a name.
For Minimum TLS Version, select a value.
For Profile, select Custom. All features are shown as Disabled features.
In the list of Features, select each cipher suite that you want to enable. The cipher suites you enable are listed as Enabled features.
If there is a load balancer to which you want to attach the policy, click Apply to targets and select a forwarding rule as the target of the SSL policy. If necessary, add more targets.
Click Create.
Regional SSL policy
To create a regional SSL policy with a custom profile, do the following:
In the Google Cloud console, go to the SSL policies page.
Click Create policy.
For Regional SSL policy, click the Create button next to it. The Create policy page appears.
Enter a name.
For Region, select a region.
For Minimum TLS Version, select a value.
For Profile, select Custom. All features are shown as Disabled features.
In the list of Features, select each cipher suite that you want to enable. The cipher suites you enable are listed as Enabled features.
If there is a load balancer to which you want to attach the policy, click Apply to targets and select a forwarding rule as the target of the SSL policy. If necessary, add more targets.
Click Create.
gcloud
When you create an SSL policy with the CUSTOM profile, only the features
that you specify in the create command are supported. Other features
aren't supported.
Global SSL policy
The following is the general syntax for creating a global SSL policy with a custom profile:
gcloud compute ssl-policies create SSL_POLICY_NAME \
--profile CUSTOM \
--min-tls-version {1.0 | 1.1 | 1.2} \
--custom-features SSL_FEATURE_1[,SSL_FEATURE_2,SSL_FEATURE_3]
Replace the following:
- SSL_POLICY_NAME: the name that you assigned to the SSL policy that defines the TLS capabilities that your load balancer uses when negotiating connections with clients
- SSL_FEATURE_1 | 2 | 3: the custom features to apply
The following example creates a global SSL policy that uses
the CUSTOM profile with a minimum TLS version of 1.2 and features
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 and
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256.
gcloud compute ssl-policies create SSL_POLICY_NAME \
--profile CUSTOM \
--min-tls-version 1.2 \
--custom-features TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Regional SSL policy
The following is the general syntax for creating a regional SSL policy with a custom profile:
gcloud compute ssl-policies create SSL_POLICY_NAME \
--profile CUSTOM \
--min-tls-version {1.0 | 1.1 | 1.2} \
--custom-features SSL_FEATURE_1[,SSL_FEATURE_2,SSL_FEATURE_3] \
--region REGION
Replace the following:
- SSL_POLICY_NAME: the name that you assigned to the SSL policy that defines the TLS capabilities that your load balancer uses when negotiating connections with clients
- SSL_FEATURE_1 | 2 | 3: the custom features to apply
- REGION: the region in which to apply the SSL policy
The following example creates a regional SSL policy that uses
the CUSTOM profile with a minimum TLS version of 1.2 and features
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 and
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256.
gcloud compute ssl-policies create SSL_POLICY_NAME \
--profile CUSTOM \
--min-tls-version 1.2 \
--custom-features TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \
--region us-west1
List SSL policies
Console
In the Google Cloud console, go to the SSL policies page.
You can view a list of all the available SSL policies. The Scope field indicates whether the SSL policy is global or regional.
gcloud
List both global and regional SSL policies:
gcloud compute ssl-policies list
List only global SSL policies:
gcloud compute ssl-policies list --global
List only regional SSL policies:
gcloud compute ssl-policies list --regions REGION
Replace REGION with the region whose SSL policies you want to list.
List features available in an SSL policy
Console
In the Google Cloud console, go to the SSL policies page.
Click the name of the policy whose features you want to see. The enabled and disabled cipher suites are listed.
gcloud
List the features available in global SSL policies:
gcloud compute ssl-policies list-available-features
List the features available in regional SSL policies:
gcloud compute ssl-policies list-available-features \
--region REGION
Replace REGION with the region of the SSL policy whose features you want to list.
Modify SSL policies
Console
To modify a global or a regional SSL policy, do the following:
In the Google Cloud console, go to the SSL policies page.
Click the name of the policy that you want to modify.
Click Edit.
Make any changes you want.
Click Save.
gcloud
To modify an existing SSL policy, pass any or all of the flags corresponding to the fields you want to update. Unspecified fields aren't updated.
If you update the features, previously enabled features are deleted and replaced with the new features you specify.
Global SSL policies
- SSL policies that use the FIPS_202205 profile must use a minimum TLS version of 1.2.
- If you set the minimum TLS version of an SSL policy to 1.3, the policy must use the RESTRICTED profile.
gcloud compute ssl-policies update SSL_POLICY_NAME \
--profile {COMPATIBLE | MODERN | RESTRICTED | CUSTOM | FIPS_202205} \
--min-tls-version {1.0 | 1.1 | 1.2 | 1.3} \
--custom-features FEATURES
Replace the following:
- SSL_POLICY_NAME: the name that you assigned to the SSL policy that defines the TLS capabilities that your load balancer uses when negotiating connections with clients
- FEATURES: the features to apply to the SSL policy
Regional SSL policies
- SSL policies that use the FIPS_202205 profile must use a minimum TLS version of 1.2.
- If you set the minimum TLS version of an SSL policy to 1.3, the policy must use the RESTRICTED profile.
gcloud compute ssl-policies update SSL_POLICY_NAME \
--profile {COMPATIBLE | MODERN | RESTRICTED | CUSTOM | FIPS_202205} \
--min-tls-version {1.0 | 1.1 | 1.2 | 1.3} \
[--custom-features FEATURES \]
--region REGION
Replace the following:
- SSL_POLICY_NAME: the name that you assigned to the SSL policy that defines the TLS capabilities that your load balancer uses when negotiating connections with clients
- FEATURES: the features to apply to the SSL policy
- REGION: the region of the SSL policy whose features you want to update
Create a target proxy with an SSL policy
Console
You can create a target proxy by using the Google Cloud console when you're creating or updating the load balancer as shown in the following documents:
gcloud
To create a target SSL proxy with a global SSL policy:
gcloud compute target-ssl-proxies create TARGET_SSL_PROXY_NAME \
--backend-service BACKEND_SERVICE_NAME \
--ssl-certificate SSL_CERTIFICATE_NAME \
--ssl-policy SSL_POLICY_NAME
Replace the following:
- TARGET_SSL_PROXY_NAME: the name of the target proxy
- BACKEND_SERVICE_NAME: the name of the backend service
- SSL_CERTIFICATE_NAME: the name of the TLS certificate
- SSL_POLICY_NAME: the name that you assigned to the SSL policy that defines the TLS capabilities that your load balancer uses when negotiating connections with clients
To create a global target HTTPS proxy with a global SSL policy:
gcloud compute target-https-proxies create TARGET_HTTPS_PROXY_NAME \
--ssl-certificate SSL_CERTIFICATE_NAME \
--url-map URL_MAP_NAME \
--ssl-policy SSL_POLICY_NAME
Replace the following:
- TARGET_HTTPS_PROXY_NAME: the name of the target proxy
- SSL_CERTIFICATE_NAME: the name of the TLS certificate
- URL_MAP_NAME: the name of the URL map
- SSL_POLICY_NAME: the name that you assigned to the SSL policy that defines the TLS capabilities that your load balancer uses when negotiating connections with clients
To create a regional target HTTPS proxy with a regional SSL policy:
gcloud compute target-https-proxies create REGIONAL_TARGET_HTTPS_PROXY_NAME \
--ssl-certificates SSL_CERTIFICATE_NAME \
--url-map URL_MAP_NAME \
--url-map-region MAP_REGION \
--ssl-policy SSL_POLICY_NAME \
--region REGION
Replace the following:
- REGIONAL_TARGET_HTTPS_PROXY_NAME: the name of the target proxy
- SSL_CERTIFICATE_NAME: the name of the TLS certificate
- URL_MAP_NAME: the name of the URL map
- MAP_REGION: the name of the Google Cloud region where the URL map is located
- SSL_POLICY_NAME: the name that you assigned to the SSL policy that defines the TLS capabilities that your load balancer uses when negotiating connections with clients
- REGION: the region of the SSL policy that you want to create the target HTTPS proxy with
Attach an existing SSL policy to an existing target proxy
Console
Target proxies can't be modified in the Google Cloud console. Use the gcloud CLI or the API instead.
gcloud
Use these commands to attach an existing SSL policy to an SSL proxy or HTTPS proxy.
To find all projects in your organization that have target SSL proxies:
gcloud asset search-all-resources \
--scope=organizations/ORGANIZATION_ID \
--asset-types=compute.googleapis.com/TargetSslProxy
Replace ORGANIZATION_ID with the ID of the organization in which to find target SSL proxies.
To find all projects in your organization that have target HTTPS proxies:
gcloud asset search-all-resources \
--scope=organizations/ORGANIZATION_ID \
--asset-types=compute.googleapis.com/TargetHttpsProxy
Replace ORGANIZATION_ID with the ID of the organization in which to find target HTTPS proxies.
To list all global target SSL proxies in a project, use the targetSslProxies.aggregatedList method. Then, use the filter query parameter to search for target SSL proxies that don't reference an SSL policy.
curl \
'https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetSslProxies?filter=sslPolicy%3D%22%22&key=YOUR_API_KEY' \
--header 'Authorization: Bearer YOUR_ACCESS_TOKEN' \
--header 'Accept: application/json' \
--compressed
Replace the following:
- PROJECT_ID: the project ID
- YOUR_API_KEY: your API key
- YOUR_ACCESS_TOKEN: your access token
To list all global and regional target HTTPS proxies in a project, use the targetHttpsProxies.aggregatedList method with the includeAllScopes query parameter set to true. Then, use the filter query parameter to search for target HTTPS proxies that don't reference an SSL policy.
curl \
'https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/aggregated/targetHttpsProxies?filter=sslPolicy%3D%22%22&includeAllScopes=true&key=YOUR_API_KEY' \
--header 'Authorization: Bearer YOUR_ACCESS_TOKEN' \
--header 'Accept: application/json' \
--compressed
Replace the following:
- PROJECT_ID: the project ID
- YOUR_API_KEY: your API key
- YOUR_ACCESS_TOKEN: your access token
To attach an existing global SSL policy to a target SSL proxy:
gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME \
--ssl-policy SSL_POLICY_NAME
Replace the following:
- TARGET_SSL_PROXY_NAME: the name of the target proxy
- SSL_POLICY_NAME: the name that you assigned to the SSL policy that defines the TLS capabilities that your load balancer uses when negotiating connections with clients
To attach an existing global SSL policy to a global target HTTPS proxy:
gcloud compute target-https-proxies update TARGET_HTTPS_PROXY_NAME \
--ssl-policy SSL_POLICY_NAME
Replace the following:
- TARGET_HTTPS_PROXY_NAME: the name of the target proxy
- SSL_POLICY_NAME: the name that you assigned to the SSL policy that defines the TLS capabilities that your load balancer uses when negotiating connections with clients
To attach an existing regional SSL policy to a regional target HTTPS proxy:
gcloud compute target-https-proxies update REGIONAL_TARGET_HTTPS_PROXY_NAME \
--ssl-policy SSL_POLICY_NAME \
--region REGION
Replace the following:
- REGIONAL_TARGET_HTTPS_PROXY_NAME: the name of the target proxy
- SSL_POLICY_NAME: the name that you assigned to the SSL policy that defines the TLS capabilities that your load balancer uses when negotiating connections with clients
- REGION: the region of the SSL policy that you want to attach to the regional target HTTPS proxy
If you don't provide the --ssl-policy flag or the --clear-ssl-policy flag in a target proxy update (for example, when updating an SSL certificate), the SSL policy is unchanged. The --clear-ssl-policy flag is described in Delete an SSL policy from a target proxy.
API
To set a global SSL policy for a global target proxy, use the
targetHttpsProxies.patch method.
To set a regional SSL policy for a regional target proxy, use the
regionTargetHttpsProxies.patch method.
Delete an SSL policy from a target proxy
Console
Target proxies can't be modified in the Google Cloud console. Use the gcloud CLI or the API instead.
gcloud
Use these commands to remove an SSL policy from an SSL proxy or HTTPS proxy. If you don't attach a different SSL policy to the target proxy, the load balancer uses the default SSL policy. Using the --clear-ssl-policy flag is equivalent to replacing an SSL policy with the default SSL policy.
To remove a global SSL policy from a target SSL proxy:
gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME \
--clear-ssl-policy
Replace TARGET_SSL_PROXY_NAME with the name of the target proxy.
To remove a global SSL policy from a global target HTTPS proxy:
gcloud compute target-https-proxies update TARGET_HTTPS_PROXY_NAME \
--clear-ssl-policy
Replace TARGET_HTTPS_PROXY_NAME with the name of the target proxy.
To remove a regional SSL policy from a regional target HTTPS proxy:
gcloud compute target-https-proxies update REGIONAL_TARGET_HTTPS_PROXY_NAME \
--clear-ssl-policy \
--region REGION
Replace the following:
- REGIONAL_TARGET_HTTPS_PROXY_NAME: the name of the target proxy
- REGION: the region of the SSL policy that is attached to the regional target HTTPS proxy
When you provide the --clear-ssl-policy flag in the update command, the SSL policy is removed from the proxy.
If you don't provide the --clear-ssl-policy flag or the --ssl-policy flag in the target proxy update (for example, when updating an SSL certificate), the SSL policy is unchanged. The --ssl-policy flag is described in Attach an existing SSL policy to an existing target proxy.
Manage SSL policies
If you use custom constraints to restrict TLS capabilities, manually check for TLS compliance in pre-existing SSL policies that are attached to target SSL proxies and target HTTPS proxies.
Use the following sample steps to find and update SSL policies that don't meet your security goals.
To find all projects in your organization that have SSL policy resources:
gcloud asset search-all-resources \
--scope=organizations/ORGANIZATION_ID \
--asset-types=compute.googleapis.com/SslPolicy
Replace ORGANIZATION_ID with the ID of the organization in which to find all projects that have SSL policy resources.
To list all global and regional SSL policies in a project, use the sslPolicies.aggregatedList method with the includeAllScopes query parameter set to true. Then, use the filter query parameter to search for SSL policies that don't align with your security goals.
For example, to find SSL policies with a minimum TLS version lower than 1.2, use the filter minTlsVersion="TLS_1_0" OR minTlsVersion="TLS_1_1":
curl \
'https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/aggregated/sslPolicies?filter=minTlsVersion%3D%22TLS_1_0%22%20OR%20minTlsVersion%3D%22TLS_1_1%22&includeAllScopes=true&key=YOUR_API_KEY' \
--header 'Authorization: Bearer YOUR_ACCESS_TOKEN' \
--header 'Accept: application/json' \
--compressed
Replace the following:
- PROJECT_ID: the project ID
- YOUR_API_KEY: your API key
- YOUR_ACCESS_TOKEN: your access token
To get your API key, see Manage API keys. To get your access token, use the projects.serviceAccounts.generateAccessToken method.
Then update the SSL policies that don't meet your minimum TLS requirement.
To update a global SSL policy, you can use the following command:
gcloud compute ssl-policies update SSL_POLICY_NAME \
--min-tls-version 1.2 \
--global
Replace SSL_POLICY_NAME with the name that you assigned to the SSL policy that defines the TLS capabilities that your load balancer uses when negotiating connections with clients.
To update a regional SSL policy, you can use the following command:
gcloud compute ssl-policies update SSL_POLICY_NAME \
--min-tls-version 1.2 \
--region REGION
Replace the following:
- SSL_POLICY_NAME: the name of the SSL policy
- REGION: the region for the SSL policy
To list all the target SSL proxies in a project that aren't associated with an SSL policy, run the following command:
curl \
'https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetSslProxies?filter=sslPolicy%3D%22%22&key=YOUR_API_KEY' \
--header 'Authorization: Bearer YOUR_ACCESS_TOKEN' \
--header 'Accept: application/json' \
--compressed
Replace the following:
- PROJECT_ID: the project ID
- YOUR_API_KEY: your API key
- YOUR_ACCESS_TOKEN: your access token
To attach an SSL policy to these target proxies, see Attach an existing SSL policy to an existing target proxy.
You can also use either Cloud Asset Inventory or the Google APIs Explorer to find and update resources that don't meet your security requirements.
For example, to look up a list of target SSL proxies that aren't associated with an SSL policy, you can use the following steps in Cloud Asset Inventory:
In the Google Cloud console, go to the Asset inventory page.
Click Asset query.
In the Edit query field, enter the following query and click Run.
select * from `compute_googleapis_com_TargetSslProxy` where resource.data.sslPolicy IS NULL
To attach an SSL policy to these target proxies, see Attach an existing SSL policy to an existing target proxy.
Run the query in Cloud Asset Inventory until you see an empty response.
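The audit loop above (list policies with aggregatedList, flag those below TLS 1.2, list target SSL proxies with no policy, then emit the matching update commands) can be run over the API responses offline. The following is an added example, not Google's code: the JSON bodies are constructed stand-ins for the sslPolicies.aggregatedList and targetSslProxies list responses, and the item key `sslPolicies` under each scope is an assumption to verify against the Compute Engine API reference.

```python
"""Audit SSL policies and target SSL proxies from Compute API list responses."""
import json

# Constructed sample of an aggregatedList body (includeAllScopes=true): two global
# policies, one regional policy, and one region that returns only a warning.
SSL_POLICIES_RESPONSE = json.dumps({
    "items": {
        "global": {"sslPolicies": [
            {"name": "legacy-policy", "profile": "COMPATIBLE", "minTlsVersion": "TLS_1_0"},
            {"name": "modern-policy", "profile": "MODERN", "minTlsVersion": "TLS_1_2"},
        ]},
        "regions/us-west1": {"sslPolicies": [
            {"name": "regional-old", "profile": "CUSTOM", "minTlsVersion": "TLS_1_1",
             "customFeatures": ["TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"]},
        ]},
        "regions/europe-west1": {"warning": {"code": "NO_RESULTS_ON_PAGE"}},
    }
})

# Constructed sample of a targetSslProxies list body: proxy-b has no sslPolicy
# field, so it silently uses the default SSL policy.
TARGET_SSL_PROXIES_RESPONSE = json.dumps({"items": [
    {"name": "proxy-a",
     "sslPolicy": "https://www.googleapis.com/compute/v1/projects/p/global/sslPolicies/modern-policy"},
    {"name": "proxy-b"},
]})

# API enum values ordered so versions can be compared numerically.
TLS_ORDER = {"TLS_1_0": 0, "TLS_1_1": 1, "TLS_1_2": 2, "TLS_1_3": 3}


def scope_flag(scope_key):
    """Map an aggregatedList scope key ("global" or "regions/<name>") to the gcloud flag."""
    if scope_key == "global":
        return "--global"
    return "--region " + scope_key.split("/", 1)[1]


def noncompliant_policies(body, minimum="TLS_1_2"):
    """Return (name, scope_key, minTlsVersion) for every policy below the required floor."""
    found = []
    for scope_key, scoped in json.loads(body).get("items", {}).items():
        # Scopes that carry only a warning have no policy list; skip them.
        for policy in scoped.get("sslPolicies", []):
            if TLS_ORDER[policy["minTlsVersion"]] < TLS_ORDER[minimum]:
                found.append((policy["name"], scope_key, policy["minTlsVersion"]))
    return found


def remediation_commands(body, minimum="TLS_1_2"):
    """Build the gcloud update command for each non-compliant policy, global or regional."""
    version = minimum.replace("TLS_", "").replace("_", ".")  # TLS_1_2 -> 1.2 (gcloud form)
    return ["gcloud compute ssl-policies update %s --min-tls-version %s %s"
            % (name, version, scope_flag(scope))
            for name, scope, _ in noncompliant_policies(body, minimum)]


def proxies_without_policy(body):
    """Target proxies with no sslPolicy reference; these use the default SSL policy."""
    return [p["name"] for p in json.loads(body).get("items", []) if not p.get("sslPolicy")]


if __name__ == "__main__":
    for cmd in remediation_commands(SSL_POLICIES_RESPONSE):
        print(cmd)
    print("proxies on the default policy:", proxies_without_policy(TARGET_SSL_PROXIES_RESPONSE))
```

Feed it the real response bodies from the curl commands above by replacing the constructed strings; the scope keys in the aggregated response are what decide whether the remediation needs --global or --region.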
Limits
See Target proxies.
API reference
For descriptions of the properties and methods available to you when working with SSL policies through the REST API, see the following:
| Product | API documentation |
|---|---|
| Global SSL policies | sslPolicies |
| Regional SSL policies | regionSslPolicies |
gcloud CLI reference
For the Google Cloud CLI reference, see the following:
- gcloud compute ssl-policies
  - Global: --global
  - Regional: --region=REGION
What's next
- For conceptual information about SSL policies, see SSL policies for SSL and TLS protocols.
- For information about external proxy Network Load Balancers, see External proxy Network Load Balancer overview.
- For information about external Application Load Balancers, see External Application Load Balancer overview.