
Chapter 4: Global Distribution - Load Balancing and DNS

Google Cloud Load Balancing (GCLB) is not a set of virtual appliances you manage. It is a distributed, software-defined system built on the same infrastructure that powers Google Search, YouTube, and Gmail. It operates at planet scale, capable of handling millions of requests per second with sub-millisecond overhead. At the heart of GCLB are two foundational technologies: Maglev and GFE (Google Front End). Understanding these is the difference between a cloud “user” and a cloud “engineer.”

1. The Architecture of Planet-Scale Traffic

Maglev: The Distributed L4 Load Balancer

Maglev is Google’s large-scale software load balancer. Unlike traditional hardware load balancers that sit as a bottleneck in a rack, Maglev runs on standard Linux servers across Google’s edge points of presence (PoPs).
  • No Shared State: Maglev instances do not communicate with each other to synchronize connection state. Instead, they use consistent hashing (Maglev Hashing) to ensure that packets from the same connection always end up at the same backend server, even if a Maglev node fails or a new one is added.

Deep Dive: The Maglev Hashing Algorithm

Traditional load balancers often use simple modulo hashing (hash(flow) % N). However, if N changes (a backend goes down), nearly every flow is reassigned, causing a massive “connection storm.” Maglev uses a permutation-based consistent hashing algorithm:
  1. Lookup Table: Maglev maintains a large lookup table (typically 65,537 entries).
  2. Preference Lists: Each backend generates a random-but-deterministic permutation of the lookup table indices.
  3. Filling the Table: Backends take turns filling the lookup table based on their preference lists.
  4. Result: When a backend is added or removed, only a small fraction of the lookup table entries change (roughly 1/N). This maintains connection persistence even during massive scale-out events. A toy sketch of the table-population step follows at the end of this subsection.
  • Connection Tracking: Each Maglev keeps a local connection table for established flows; if a packet misses the table (for example, after it lands on a different Maglev node), the consistent hash recomputes the same backend, so the connection survives.
  • Performance: It handles traffic at line rate, distributing packets across the internal Google network with minimal per-packet overhead.
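
To make the table-population step concrete, here is a toy sketch in bash. Everything in it is illustrative: the tiny table size, the stand-in formulas for offset and skip, and the backend list are invented for the demo (real Maglev derives offset and skip by hashing the backend's name, so each backend's permutation stays stable across membership changes).

# Toy Maglev table population (illustrative only, not Google's implementation)
M=7                      # lookup table size, must be prime; production uses e.g. 65537
backends=(b0 b1 b2)
N=${#backends[@]}

declare -a table next
for ((s=0; s<M; s++)); do table[s]=-1; done    # -1 marks an empty slot
for ((i=0; i<N; i++)); do next[i]=0; done      # walk position in each preference list

filled=0
while (( filled < M )); do
  for ((i=0; i<N && filled<M; i++)); do
    # Stand-in per-backend constants; real Maglev hashes backends[i] instead
    offset=$(( (i*3 + 1) % M ))
    skip=$(( (i*5 + 2) % (M-1) + 1 ))          # any skip in 1..M-1 is coprime with prime M
    # Walk this backend's permutation until it claims an empty slot
    while :; do
      slot=$(( (offset + next[i]*skip) % M ))
      next[i]=$(( next[i] + 1 ))
      if (( table[slot] == -1 )); then
        table[slot]=$i
        filled=$(( filled + 1 ))
        break
      fi
    done
  done
done
echo "lookup table: ${table[*]}"               # index = hash(flow) % M, entry = backend

Because backends claim slots in strict rotation, each ends up with roughly M/N entries, and removing one backend mostly reassigns just the slots it owned: the roughly-1/N disruption described above.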

GFE (Google Front End): The L7 Powerhouse

GFE is the edge proxy that terminates TLS/SSL connections and handles HTTP(S) requests. When a user connects to a Google service, they are actually talking to a GFE.
  • Anycast IP: Every GFE announces the same global anycast IP via BGP. This ensures the user’s request hits the physically closest Google edge PoP.
  • Protocol Optimization: GFEs support the latest protocols, including HTTP/3 (QUIC) and TLS 1.3, reducing the number of round trips (RTT) needed to establish a connection.
  • SSL Termination: By terminating SSL at the edge, GFEs offload heavy cryptographic work from your backend VMs and reduce the latency of the TLS handshake.

2. Load Balancer Taxonomy

GCP offers a variety of load balancers tailored for different use cases. Choosing the right one is critical for performance and cost.

External Load Balancers (Internet-Facing)

Type                            | Layer | Scope    | Key Feature
Global External HTTP(S)         | L7    | Global   | Path-based routing, Cloud CDN, Cloud Armor, gRPC/HTTP2 support
Regional External HTTP(S)       | L7    | Regional | Compliance-friendly (data stays in region), simpler setup for regional apps
Global External Proxy (TCP/SSL) | L4    | Global   | Terminates TCP/SSL at the edge, forwards to backends globally
Regional External Network (NLB) | L4    | Regional | Pass-through (preserves source IP), ultra-high performance UDP/TCP

Internal Load Balancers (VPC-Internal)

Type             | Layer | Scope    | Key Feature
Internal HTTP(S) | L7    | Regional | Service-to-service L7 routing, health checks, Envoy-based
Internal TCP/UDP | L4    | Regional | Low-latency L4 load balancing for internal tiers (e.g., database pools)
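
At the API level, these variants are distinguished mostly by the backend service's scope and load-balancing scheme. A minimal sketch, assuming health checks named hc-web and hc-tcp already exist (all names here are placeholders):

# Global external Application LB backend (Envoy-based managed data plane)
gcloud compute backend-services create web-backend \
    --global \
    --load-balancing-scheme=EXTERNAL_MANAGED \
    --protocol=HTTP \
    --health-checks=hc-web

# Regional internal L4 backend for a database tier
gcloud compute backend-services create db-pool \
    --region=us-east1 \
    --load-balancing-scheme=INTERNAL \
    --protocol=TCP \
    --health-checks=hc-tcp \
    --health-checks-region=us-east1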

3. The Lifecycle of a Request: Internal vs. External

Understanding the packet path is crucial for debugging latency and security.

3.1 External Load Balancing Flow (The “Edge-to-Origin”)

When a user hits a Global External HTTP(S) LB, the traffic undergoes multiple transformations:
  1. Edge Entry: Request hits the nearest Google Edge PoP via Anycast.
  2. GFE Termination: The Google Front End (GFE) terminates TLS. This is where Cloud Armor and Cloud CDN logic is applied.
  3. URL Map Evaluation: The GFE checks the URL Map to see where the request should go (configuration sketched after this list).
  4. Backbone Transit: The request is encapsulated and sent over Google’s private fiber backbone to the destination region.
  5. Andromeda Delivery: Inside the region, the Andromeda SDN delivers the packet to the specific VM or Pod.
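
Step 3, the URL Map, is the piece you configure directly. A minimal sketch, reusing the hypothetical backend names from earlier and peeling off /api/* to its own service:

# Default everything to the web tier
gcloud compute url-maps create web-map \
    --default-service=web-backend

# Route /api/* to a separate backend service
gcloud compute url-maps add-path-matcher web-map \
    --path-matcher-name=api-matcher \
    --default-service=web-backend \
    --path-rules="/api/*=api-backend"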

3.2 Internal Load Balancing Flow (The “Service-to-Service”)

Internal Load Balancers (ILB) operate differently. They are Regional and reside inside your VPC.
  1. Client Request: A VM in your VPC sends a request to the ILB’s internal IP.
  2. Andromeda Redirection:
    • For L4 ILB: The Andromeda SDN redirects the packet directly to a backend instance using Maglev-style consistent hashing.
    • For L7 ILB: Traffic is routed to a pool of Envoy proxies managed by Google. These proxies handle the L7 logic (URL mapping, retries, weighted splits).
  3. Local Backend: The traffic is delivered to a backend in the same region.
Principal Note: External LBs offer Global Anycast, meaning one IP for the whole world. Internal LBs are Regional, meaning you need an ILB in each region where you have clients, even if the backends are the same.
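
For the L4 path in step 2, the ILB is just a regional forwarding rule pointed at an internal backend service. A sketch with hypothetical names (db-pool as created in the taxonomy sketch above):

gcloud compute forwarding-rules create db-ilb \
    --region=us-east1 \
    --load-balancing-scheme=INTERNAL \
    --network=my-vpc \
    --subnet=db-subnet \
    --ip-protocol=TCP \
    --ports=5432 \
    --backend-service=db-pool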

3.3 GKE Gateway API: The Modern Ingress

The Gateway API is the successor to the Kubernetes Ingress resource. It provides a more expressive, extensible, and role-oriented way to manage load balancing in GKE.
  • GatewayClass: Managed by the Cloud Provider. Defines the type of LB (e.g., gke-l7-global-external-managed).
  • Gateway: Managed by the Platform/Network team. Defines the IP and ports.
  • HTTPRoute: Managed by the Application team. Defines the routing rules (paths, headers, weights).
Why use it? It allows for Cross-namespace routing, where one Gateway can route to services in multiple namespaces, which was difficult with standard Ingress.
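
A sketch of the role split in practice: the platform team owns the Gateway, and an application team binds an HTTPRoute to it from another namespace. All names and namespaces below are placeholders:

kubectl apply -f - <<'EOF'
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: store-route
  namespace: store            # app team's namespace
spec:
  parentRefs:
  - name: external-gateway    # Gateway owned by the platform team
    namespace: infra          # cross-namespace attachment
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /store
    backendRefs:              # 90/10 weighted canary split
    - name: store-v1
      port: 8080
      weight: 90
    - name: store-v2
      port: 8080
      weight: 10
EOF

On the Gateway side, spec.listeners[].allowedRoutes controls which namespaces may attach, so the platform team keeps the final say.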

3.4 Multi-Cluster Ingress (MCI)

MCI allows you to use a single Global Load Balancer to distribute traffic across GKE clusters in multiple regions.
  • Global VIP: One IP for all clusters.
  • Failover: If the cluster in us-east1 fails, traffic is automatically routed to europe-west1.
  • Latency: Users are always routed to the cluster closest to them.
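
A sketch of the config-cluster resource, assuming the fleet's Multi Cluster Ingress feature is already enabled and a MultiClusterService named store-mcs exists (both names hypothetical):

kubectl apply -f - <<'EOF'
apiVersion: networking.gke.io/v1
kind: MultiClusterIngress
metadata:
  name: store-mci
  namespace: store
spec:
  template:
    spec:
      backend:
        serviceName: store-mcs   # a MultiClusterService spanning the fleet
        servicePort: 8080
EOF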

4. Cloud CDN: The Global Accelerator

Cloud CDN uses Google’s global edge network to serve content closer to users, reducing latency and backend load.

4.1 How it Works: Cache Keys and Invalidation

A Cache Key is the string used to identify a cached object. By default, it’s the full URL.
  • Optimization: You can include or exclude query strings, protocols, or specific headers from the cache key to improve the hit ratio.
  • Invalidation: Propagates globally in minutes. You invalidate by path (/images/*), optionally scoped to a specific host.
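
Both knobs are one-liners: cache-key settings live on the backend service, while invalidation hangs off the URL map. A sketch reusing the hypothetical names from earlier:

# Ignore everything in the query string except the keys that change the object
gcloud compute backend-services update web-backend \
    --global \
    --cache-key-include-query-string \
    --cache-key-query-string-whitelist=v,lang

# Invalidate every cached object under /images/
gcloud compute url-maps invalidate-cdn-cache web-map \
    --path "/images/*"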

4.2 Signed URLs for Private Content

If you have premium content (e.g., videos), you can use Signed URLs.
  1. The application generates a URL with a cryptographic signature and an expiration time.
  2. Cloud CDN verifies the signature at the edge.
  3. Access is granted without the request ever reaching your backend, provided the signature is valid.
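
gcloud can produce these signatures for you once a signing key is attached to the backend. A sketch, assuming a key named cdn-key whose secret lives in key.txt (both hypothetical):

# Sign a URL that expires in 30 minutes
gcloud compute sign-url "https://cdn.example.com/videos/ep1.mp4" \
    --key-name=cdn-key \
    --key-file=key.txt \
    --expires-in=30m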

5. Security with Identity-Aware Proxy (IAP)

IAP is the “Zero Trust” gateway for Google Cloud.

5.1 Beyond VPNs

Instead of using a VPN to access internal tools (e.g., Jenkins, Grafana), you can use IAP.
  • Context-Aware: IAP checks the user’s identity (IAM) and context (IP, device health).
  • Centralized: No more managing VPN certificates or client software.
  • Header Injection: IAP injects the X-Goog-IAP-JWT-Assertion header, allowing your application to trust the user’s identity without performing its own auth.
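
Turning IAP on for a backend service and granting a user access is a two-step sketch (backend name, OAuth client values, and user are placeholders):

# Enable IAP on the backend service behind the HTTPS LB
gcloud iap web enable \
    --resource-type=backend-services \
    --service=web-backend \
    --oauth2-client-id=CLIENT_ID \
    --oauth2-client-secret=CLIENT_SECRET

# Grant a user the right to pass through IAP
gcloud iap web add-iam-policy-binding \
    --resource-type=backend-services \
    --service=web-backend \
    --member="user:alice@example.com" \
    --role="roles/iap.httpsResourceAccessor"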

6. Cloud Armor: The Distributed Firewall

Cloud Armor is more than a WAF; it is a security policy engine that sits at the very edge of Google’s network.

6.1 How it Integrates with GFE

Cloud Armor rules are pushed to the Google Front Ends (GFEs). This means malicious traffic is dropped before it even enters Google’s internal backbone, saving you bandwidth and compute costs.

6.2 Advanced Security Features

  • WAF Rules (OWASP Top 10): Pre-configured rules for SQLi, XSS, LFI, and RFI.
  • Threat Intelligence: Allow or deny traffic based on curated IP feeds (known malicious sources, Tor exit nodes, search-engine crawlers) using evaluateThreatIntelligence (see the sketch after this list).
  • Adaptive Protection: Uses ML to establish a baseline of “normal” traffic and alerts on anomalies. It can even auto-generate a suggested rule during a DDoS attack.
  • Bot Management: Challenges clients with reCAPTCHA Enterprise if they exhibit bot-like behavior.
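
A sketch of a Threat Intelligence deny rule, assuming the protect-my-app policy from the next example already exists (Threat Intelligence feeds require the paid Cloud Armor tier):

# Deny traffic arriving through Tor exit nodes
gcloud compute security-policies rules create 900 \
    --security-policy=protect-my-app \
    --expression="evaluateThreatIntelligence('iplist-tor-exit-nodes')" \
    --action=deny-403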

6.3 Bot Management Policy Example

# Create a security policy
gcloud compute security-policies create protect-my-app

# Add a rule that challenges clients on the login path with reCAPTCHA
gcloud compute security-policies rules create 1000 \
    --security-policy=protect-my-app \
    --expression="request.path.matches('/login.html')" \
    --action=redirect \
    --redirect-type=google-recaptcha

7. Cloud DNS: The Global Name Server

Cloud DNS is a high-performance, resilient, managed authoritative DNS service. It runs on the same infrastructure as Google’s public DNS (8.8.8.8).

Architectural Highlights

  • 100% Availability SLA: Provided by the massive redundancy of Google’s anycast infrastructure.
  • DNSSEC: Protects your domains from spoofing and cache poisoning attacks.
  • Split-Horizon DNS: Use the same domain name (e.g., app.internal) but resolve it to different IPs depending on whether the query comes from the internet or inside your VPC.
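
Split-horizon is literally two zones with the same DNS name and different visibility. A sketch with hypothetical zone and network names:

# Public view of app.example.com
gcloud dns managed-zones create app-public \
    --dns-name="app.example.com." \
    --description="Internet-facing records"

# Private view of the same name, visible only inside my-vpc
gcloud dns managed-zones create app-private \
    --dns-name="app.example.com." \
    --visibility=private \
    --networks=my-vpc \
    --description="VPC-internal records"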

DNS Policies

  1. Weighted Round Robin: Distribute traffic across multiple IPs based on weights.
  2. Geolocation Routing: Return different IP addresses based on the user’s physical location.
  3. Failover Policy: Automatically switch to a backup IP if the primary health check fails (integrates with Cloud Monitoring).
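
Routing policies are properties of individual record sets. A geolocation sketch (zone name and IPs hypothetical):

# Serve the nearest regional frontend based on where the query originates
gcloud dns record-sets create www.example.com. \
    --zone=prod-zone \
    --type=A \
    --ttl=30 \
    --routing-policy-type=GEO \
    --routing-policy-data="us-east1=203.0.113.10;europe-west1=203.0.113.20"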

8. Advanced Load Balancing: External Proxy (TCP/SSL) and Internal Pass-Through

8.1 External Proxy Load Balancing (TCP/SSL)

For global traffic that isn’t HTTP(S) (e.g., a proprietary database wire protocol or an XMPP chat service), the TCP Proxy and SSL Proxy Load Balancers are the solution. Note there is no UDP proxy variant; UDP traffic (e.g., a gaming server) uses the pass-through Network LB instead.
  • Global Anycast: One IP for the world.
  • TLS Offloading: The SSL Proxy variant can terminate SSL/TLS at the edge even for non-HTTP traffic.
  • Packet Path: Traffic is terminated at the edge GFE and proxied over Google’s backbone to the backend.
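
The moving parts mirror the HTTP(S) LB, with a target TCP proxy standing in for the URL map. A sketch with hypothetical names (hc-tcp as before, port 5222 as an example):

# Global backend service for the TCP workload
gcloud compute backend-services create tcp-backend \
    --global \
    --protocol=TCP \
    --health-checks=hc-tcp

# Proxy plus one global anycast forwarding rule
gcloud compute target-tcp-proxies create tcp-proxy \
    --backend-service=tcp-backend

gcloud compute forwarding-rules create tcp-fr \
    --global \
    --target-tcp-proxy=tcp-proxy \
    --ports=5222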

8.2 Internal Pass-Through Load Balancing (Regional)

Internal pass-through Load Balancers (the L4 ILB) are implemented in the Andromeda SDN layer.
  • No Proxy in the Path: Unlike appliance-based load balancers, the L4 ILB is not a device or a VM. Andromeda intercepts packets at the source VM’s vNIC and delivers them directly to the destination VM’s vNIC.
  • Latency: This results in virtually zero latency overhead compared to direct VM-to-VM communication. (The L7 internal LB, by contrast, does traverse Google-managed Envoy proxies.)

9. Health Checks and High Availability

The Load Balancer is only as good as its health checks.
  • Types: HTTP, HTTPS, TCP, SSL, and HTTP/2.
  • Parameters (each maps to a gcloud flag; see the sketch after this list):
    • Check Interval: How often to check (e.g., every 5 seconds).
    • Timeout: How long to wait for a response (e.g., 5 seconds).
    • Healthy Threshold: Number of consecutive successes to mark as healthy.
    • Unhealthy Threshold: Number of consecutive failures to mark as unhealthy.
  • Auto-Healing: When integrated with a Managed Instance Group (MIG), a failing health check can trigger the deletion and recreation of the VM.
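
A minimal sketch of an HTTP health check using the parameters above (check name and request path are placeholders):

gcloud compute health-checks create http hc-web \
    --port=80 \
    --request-path=/healthz \
    --check-interval=5s \
    --timeout=5s \
    --healthy-threshold=2 \
    --unhealthy-threshold=2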

10. Implementation: The “Perfect” Global Architecture

To build a truly resilient, high-performance system, combine these components:
  1. Cloud DNS with an A record pointing to the Global HTTP(S) LB’s static anycast IP (an IP address cannot be the target of a CNAME).
  2. Cloud Armor policy attached to the LB to block SQLi and Geo-block restricted countries.
  3. Cloud CDN enabled on the Backend Service for static assets (/static/*).
  4. Managed Instance Groups (MIGs) in at least three regions (us-east1, europe-west1, asia-east1).
  5. Internal TCP/UDP LB in each region to handle traffic between the web tier and the database tier.
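
Step 1 deserves emphasis because it is a common mistake: an anycast IP gets an A record, not a CNAME. A sketch (address, zone, and domain names hypothetical):

# Reserve a global static IP for the LB's forwarding rule
gcloud compute addresses create web-ip --global
IP=$(gcloud compute addresses describe web-ip --global --format='value(address)')

# A record (not CNAME) pointing the domain at the anycast IP
gcloud dns record-sets create www.example.com. \
    --zone=prod-zone \
    --type=A \
    --ttl=300 \
    --rrdatas="$IP"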

GFE Header Modification Rules

As the first point of contact, the GFE populates specific headers that are vital for backend logic:
  • X-Forwarded-For: Contains the client’s IP address and the chain of proxies it passed through.
  • X-Cloud-Trace-Context: A unique ID used for end-to-end tracing across services. Essential for SREs using Cloud Trace.
  • X-Forwarded-Proto: Indicates the protocol used by the client (usually https).
  • Via: Set to 1.1 google, indicating the request was proxied by a Google front end.
Custom Header Transformation: You can configure the load balancer to add, remove, or modify headers. For example, you can strip the Server header to hide your backend technology stack (security through obscurity) or add an X-Client-Geo header populated from variables such as {client_region}.
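
Custom headers are configured on the backend service; the load balancer substitutes variables like {client_region} at request time. A sketch, reusing the hypothetical web-backend service:

# Tell the backend which country/region the client connected from
gcloud compute backend-services update web-backend \
    --global \
    --custom-request-header='X-Client-Geo: {client_region}'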

11. Troubleshooting the Traffic Path

  1. Check Health Checks: 90% of “LB not working” issues are due to failing health checks. Ensure your firewall allows the GCP health check ranges (35.191.0.0/16 and 130.211.0.0/22); a matching rule is sketched after this list.
  2. Verify Firewall Rules: Your backend VMs must have an ingress rule allowing traffic from the LB proxies on the service port.
  3. Inspect URL Map: Use the console’s “Traffic Distribution” view to ensure your path rules are actually routing to the correct backend services.
  4. Cloud Trace: Use Cloud Trace to see the end-to-end latency of a request, identifying if the bottleneck is the LB, the network, or the backend application.
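
The firewall rule from item 1 is worth keeping as a snippet, since it is the single most common fix (network name and port are placeholders):

# Allow Google's health check probes to reach backends on port 80
gcloud compute firewall-rules create allow-lb-health-checks \
    --network=my-vpc \
    --allow=tcp:80 \
    --source-ranges=35.191.0.0/16,130.211.0.0/22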

Interview Preparation

Question: How does a Global External HTTP(S) Load Balancer minimize latency for a worldwide user base?
Answer: In GCP, a Global HTTP(S) Load Balancer provides a single Anycast IP address that is announced from every Google edge Point of Presence (PoP) worldwide via BGP.
  • Proximity: When a user sends a request, it is routed to the physically closest Google edge PoP.
  • TCP/SSL Termination: The connection is terminated at the edge GFE (Google Front End). This means the TCP handshake and SSL/TLS negotiation happen very close to the user, significantly reducing the “Time to First Byte” (TTFB).
  • Backbone Transit: After termination, the request travels over Google’s private, high-speed fiber backbone to the backend, bypassing the congested public internet.
Question: What is Maglev, and how does it maintain connection persistence when nodes or backends change?
Answer: Maglev is Google’s distributed L4 software load balancer. It achieves persistence using a unique consistent hashing algorithm (Maglev Hashing).
  • Mechanism: Each Maglev node maintains a large lookup table. It maps incoming flows to backend servers using a permutation-based hash.
  • Statelessness: Because the hashing is deterministic and consistent across all Maglev nodes, any node can receive a packet from an existing connection and route it to the correct backend without needing to query a central state database.
  • Resilience: If a Maglev node fails or a backend is added, the algorithm ensures that only a tiny fraction of existing connections are disrupted, preventing “connection storms.”
Question: When would you choose an L4 Network Load Balancer over an L7 HTTP(S) Load Balancer?
Answer: I would choose a Network Load Balancer (L4) when:
  1. Non-HTTP Traffic: The application uses protocols other than HTTP/S or gRPC (e.g., SMTP, gaming UDP traffic).
  2. Source IP Preservation: You need the backend VM to see the original client IP address without relying on headers (NLB is a “pass-through” load balancer).
  3. Performance: You need ultra-high throughput or very low latency where L7 proxying overhead is unacceptable.
  4. SSL Handling: You want to manage SSL termination directly on your backend VMs rather than at the edge.
Question: How does Cloud Armor protect applications against DDoS and application-layer attacks?
Answer: Cloud Armor is built into the Google Front End (GFE) at the edge of the network.
  • DDoS Protection: It provides always-on L3/L4 volumetric DDoS protection by default.
  • Adaptive Protection: It uses Machine Learning to analyze traffic patterns and automatically detect/suggest rules for L7 attacks (like credential stuffing or scraping).
  • Scale: It can scale to mitigate the largest DDoS attacks in history without you needing to provision extra capacity.
  • Integration: It integrates directly with the Global Load Balancer, allowing you to enforce security policies before traffic ever enters your VPC.
Question: What is Split-Horizon DNS, and how do you implement it in Cloud DNS?
Answer: Split-Horizon DNS allows you to use the same domain name (e.g., api.example.com) to resolve to different IP addresses depending on the source of the query.
  • Internal View: Queries from inside your VPC resolve to private internal IPs (e.g., 10.0.1.5).
  • External View: Queries from the public internet resolve to public IPs (e.g., the Load Balancer IP).
  • Implementation: In Cloud DNS, you create two zones with the same DNS name. One is set to Public and the other to Private (and associated with your VPC). Cloud DNS handles the routing logic automatically.