In Cloud Computing Last updated: September 6, 2022

In my previous post, I talked about how to implement an SSL certificate on shared hosting, Cloud/VPS server, Cloudflare, etc., and some of you asked how to do it on a Load Balancer (LB).

It’s a good idea to terminate the SSL handshake at a network edge device for many reasons.

  • It’s faster
  • You can make changes on the fly
  • Easy maintenance
  • SSL/TLS hardening managed by LB

Google Cloud Platform (GCP) is fantastic, and I use it for Geek Flare and just love it. GCP offers many cloud solutions, including the load balancer.

There are three types of load balancer available, and if you are hosting Web-based applications, then HTTP(S) type is recommended.

Let’s take a look at how to implement an SSL certificate on a Google Cloud HTTP(S) load balancer.

For this exercise, I will use my lab domain (techpostal.com) to forward traffic to a Compute Engine VM (Nginx) through the LB.

I assume you already have the following ready.

  • Running web server
  • HTTP(S) LB with port 80

Implementing Certificate on Google Cloud LB

  • Log in to Google Cloud >> Network services >> Load balancing
  • Click edit for the respective LB

  • Go to frontend configuration >> Add Frontend IP and port
  • Select the protocol as HTTPS
  • I’ve left the IP as ephemeral, but in a production system it’s recommended to have a static IP
  • Open the Certificate drop-down and click “Create a new certificate.”

This opens another window where you can enter the private key, the public certificate and the certificate chain.

  • Let’s get the CSR (Certificate Signing Request) created using OpenSSL

    openssl req -out techpostal.csr -newkey rsa:2048 -nodes -keyout techpostal.key

  • Enter the necessary information as prompted
  • You will notice a key & CSR file created

    root@web-server:~# ls -ltr
    -rw-r--r-- 1 root root 1704 Sep  2 06:56 techpostal.key
    -rw-r--r-- 1 root root 1017 Sep  2 06:56 techpostal.csr
    root@web-server:~#

Now you need to send this CSR to a certificate authority to sign it. I am using Let’s Encrypt to sign my certificate and have entered those details and clicked “create.”
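Before the key, certificate and chain go into the “Create a new certificate” window, it helps to confirm that the private key, the CSR and the signed certificate all carry the same public key. The script below is an added example, not part of the original article; the function names and the throwaway files (site.key, site.csr, site.crt, other.key, CN example.test) are constructed for illustration, and a self-signed certificate stands in for the one a CA would return.

```shell
#!/bin/sh
# Added example: confirm key, CSR and certificate belong together before upload.
# Function names and the throwaway files below are constructed for illustration.

# Print the SHA-256 digest of the public key held in a key, CSR or certificate.
pubkey_digest() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    false ;;
    esac || return 1
    # An unreadable file must fail here, not hash as empty input.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Usage: same_key KEYFILE csr|cert FILE ; succeeds only if the public keys match.
same_key() {
    a=$(pubkey_digest key "$1") || return 1
    b=$(pubkey_digest "$2" "$3") || return 1
    [ "$a" = "$b" ]
}

# Runs the checks on constructed files in a temp dir; prints "csr cert other mode".
demo() {
    d=$(mktemp -d) || return 1
    (
        # The article's listing shows the key as -rw-r--r--; umask 077 keeps it owner-only.
        umask 077
        openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
            -keyout "$d/site.key" -out "$d/site.csr" 2>/dev/null
        # Self-signed stand-in for the certificate a CA would return.
        openssl x509 -req -in "$d/site.csr" -signkey "$d/site.key" -days 1 \
            -out "$d/site.crt" 2>/dev/null
        # Unrelated key that the check must reject.
        openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    ) || { rm -rf "$d"; return 1; }
    same_key "$d/site.key"  csr  "$d/site.csr" && r1=0 || r1=1
    same_key "$d/site.key"  cert "$d/site.crt" && r2=0 || r2=1
    same_key "$d/other.key" cert "$d/site.crt" && r3=0 || r3=1
    mode=$(ls -l "$d/site.key" | cut -c1-10)
    rm -rf "$d"
    echo "$r1 $r2 $r3 $mode"
}

demo
```

With the article's files, the equivalent call is `same_key techpostal.key csr techpostal.csr`, followed by the same check against the certificate file returned by the CA.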

There are more FREE SSL certificate providers if you want to explore.

  • Click Done and then Update

Let’s get the frontend IP details by expanding the LB.

Now you need to update your domain’s A record at the domain registrar to point to the load balancer IP. Once done, try to access your URL with https, and it should work.

This confirms that the SSL handshake for techpostal.com is terminated at the load balancer.

Google Cloud takes care of the necessary SSL/TLS hardening so that it’s not exposed to known protocol and cipher vulnerabilities. I did a test at SSL Labs and got an A rating.

I hope this quick guide helps you get SSL enabled on Google LB for your domain.

  • Chandan Kumar
    Author
    As the founder of Geekflare, I’ve helped millions to excel in the digital realm. Passionate about technology, I’m on a mission to explore the world and amplify growth for professionals and businesses alike.