Create an application from existing resources

This quickstart shows you how to organize existing Google Cloud services into an App Hub application. First, you deploy a sample configuration, which you then use to define a global web application by registering its components as an application in App Hub.

This approach is for users who want to use their existing infrastructure to gain visibility and operational control by grouping resources into logical applications.

Before you begin

Before you start this quickstart, do the following:

Set up App Hub with an app-enabled folder .

Note: This quickstart creates an App Hub application within a single Google Cloud project, the management project located in the app-enabled folder.
Note the project ID of the management project to use throughout this document.
Verify that the following APIs are enabled in the management project. When you configure an app-enabled folder, most of the APIs you need for this quickstart are enabled automatically.
- Compute Engine API ( compute.googleapis.com )
- Infrastructure Manager API ( config.googleapis.com )
Enable APIs

Required roles

To get the permissions that you need to enable required APIs and create a sample application from existing resources, ask your administrator to grant you the following IAM roles on the management project:

To enable required APIs: Service Usage Admin ( roles/serviceusage.serviceUsageAdmin )
To get full access to required services:
- App Hub Admin ( roles/apphub.admin )
- Cloud Run Admin ( roles/run.admin )
- Compute Admin ( roles/compute.admin )
- Cloud Infrastructure Manager Admin ( roles/config.admin )

For more information about granting roles, see Manage access to projects, folders, and organizations .

You might also be able to get the required permissions through custom roles or other predefined roles .

Deploy resources for the application

You must first deploy a set of sample resources that you will later use to define a global application in App Hub:

A Cloud Run service that acts as the application's backend.
A global external Application Load Balancer that directs traffic to the Cloud Run service as a forwarding rule.

Follow these steps to deploy these resources:

gcloud

Set the required environment variables:
```
  export 
  
 PROJECT_ID 
 = 
 " PROJECT_ID 
" 
 export 
  
 REGION 
 = 
 " REGION 
" 
 
```
Replace the following:
- PROJECT_ID : the ID of your management project.
- REGION : your chosen region for resources, for example, us-central1 .

Deploy a sample Cloud Run service named hello-run :

 gcloud  
run  
deploy  
hello-run  
 \ 
  
--image = 
us-docker.pkg.dev/cloudrun/container/hello  
 \ 
  
--allow-unauthenticated  
 \ 
  
--region = 
 ${ 
 REGION 
 } 
  
 \ 
  
--project = 
 ${ 
 PROJECT_ID 
 }

Create the global external Application Load Balancer. This process involves the following steps:

Create a serverless network endpoint group (NEG) called hello-run-neg :

 gcloud  
compute  
network-endpoint-groups  
create  
hello-run-neg  
 \ 
  
--region = 
 ${ 
 REGION 
 } 
  
 \ 
  
--network-endpoint-type = 
serverless  
 \ 
  
--cloud-run-service = 
hello-run  
 \ 
  
--project = 
 ${ 
 PROJECT_ID 
 }

The NEG acts as a backend for the load balancer, pointing to your hello-run service.

Create a backend service to manage how traffic is distributed to the NEG:

 gcloud  
compute  
backend-services  
create  
hello-backend-service  
 \ 
  
--global  
 \ 
  
--load-balancing-scheme = 
EXTERNAL_MANAGED  
 \ 
  
--project = 
 ${ 
 PROJECT_ID 
 }

Add the serverless NEG as a backend to the backend service:

 gcloud  
compute  
backend-services  
add-backend  
hello-backend-service  
 \ 
  
--global  
 \ 
  
--network-endpoint-group = 
hello-run-neg  
 \ 
  
--network-endpoint-group-region = 
 ${ 
 REGION 
 } 
  
 \ 
  
--project = 
 ${ 
 PROJECT_ID 
 }

Create a URL map to route incoming requests to the backend service:

 gcloud  
compute  
url-maps  
create  
hello-url-map  
 \ 
  
--default-service = 
hello-backend-service  
 \ 
  
--project = 
 ${ 
 PROJECT_ID 
 }

Create an HTTP proxy to receive requests and route them using the URL map:

 gcloud  
compute  
target-http-proxies  
create  
hello-http-proxy  
 \ 
  
--url-map = 
hello-url-map  
 \ 
  
--project = 
 ${ 
 PROJECT_ID 
 }

Create a global forwarding rule:

 gcloud  
compute  
forwarding-rules  
create  
hello-forwarding-rule  
 \ 
  
--global  
 \ 
  
--load-balancing-scheme = 
EXTERNAL_MANAGED  
 \ 
  
--target-http-proxy = 
hello-http-proxy  
 \ 
  
--ports = 
 80 
  
 \ 
  
--project = 
 ${ 
 PROJECT_ID 
 }

This forwarding rule provides a public IP address and port to handle incoming user requests and directs them to the proxy.

Terraform

Create a main.tf file and add the following code:

  # Provider configuration 
 provider 
  
 "google" 
  
 { 
  
 project 
  
 = 
  
 " PROJECT_ID 
" 
 } 
 # Cloud Run service 
 resource 
  
 "google_cloud_run_v2_service" 
  
 "default" 
  
 { 
  
 name 
  
 = 
  
 "hello-run" 
  
 location 
  
 = 
  
 " REGION 
" 
  
 template 
  
 { 
  
 containers 
  
 { 
  
 image 
  
 = 
  
 "us-docker.pkg.dev/cloudrun/container/hello" 
  
 } 
  
 } 
 } 
 # Allow unauthenticated access to the Cloud Run service 
 resource 
  
 "google_cloud_run_v2_service_iam_member" 
  
 "noauth" 
  
 { 
  
 project 
  
 = 
  
 google_cloud_run_v2_service.default.project 
  
 location 
  
 = 
  
 google_cloud_run_v2_service.default.location 
  
 name 
  
 = 
  
 google_cloud_run_v2_service.default.name 
  
 role 
  
 = 
  
 "roles/run.invoker" 
  
 member 
  
 = 
  
 "allUsers" 
 }

Replace the following:

PROJECT_ID : the ID of your management project.
REGION : your chosen region for resources, for example, us-central1 .

This block defines the Google Cloud provider and configures a public-facing Cloud Run service using a sample hello-world container image. It also includes an IAM policy binding to allow unauthenticated invocations, making the service publicly accessible.

Add the following code to your main.tf file to create the global external Application Load Balancer:

  # Serverless NEG for the Cloud Run service 
 resource 
  
 "google_compute_region_network_endpoint_group" 
  
 "serverless_neg" 
  
 { 
  
 name 
  
 = 
  
 "hello-run-neg" 
  
 network_endpoint_type 
  
 = 
  
 "SERVERLESS" 
  
 region 
  
 = 
  
 " REGION 
" 
  
 cloud_run 
  
 { 
  
 service 
  
 = 
  
 google_cloud_run_v2_service.default.name 
  
 } 
 } 
 # Global external backend service 
 resource 
  
 "google_compute_backend_service" 
  
 "default" 
  
 { 
  
 name 
  
 = 
  
 "hello-backend-service" 
  
 protocol 
  
 = 
  
 "HTTP" 
  
 load_balancing_scheme 
  
 = 
  
 "EXTERNAL_MANAGED" 
  
 backend 
  
 { 
  
 group 
  
 = 
  
 google_compute_region_network_endpoint_group.serverless_neg.id 
  
 } 
 } 
 # URL map to route requests to the backend service 
 resource 
  
 "google_compute_url_map" 
  
 "default" 
  
 { 
  
 name 
  
 = 
  
 "hello-url-map" 
  
 default_service 
  
 = 
  
 google_compute_backend_service.default.id 
 } 
 # HTTP proxy to route requests to the URL map 
 resource 
  
 "google_compute_target_http_proxy" 
  
 "default" 
  
 { 
  
 name 
  
 = 
  
 "hello-http-proxy" 
  
 url_map 
  
 = 
  
 google_compute_url_map.default.id 
 } 
 # Global forwarding rule to handle incoming requests 
 resource 
  
 "google_compute_global_forwarding_rule" 
  
 "default" 
  
 { 
  
 name 
  
 = 
  
 "hello-forwarding-rule" 
  
 target 
  
 = 
  
 google_compute_target_http_proxy.default.id 
  
 port_range 
  
 = 
  
 "80" 
 }

This block defines the following components:

A serverless network endpoint group (NEG) , which acts as a backend for the load balancer and points to the Cloud Run service.
A backend service that directs traffic to the serverless NEG.
A URL map to route incoming requests to the backend service.
An HTTP proxy to receive requests and route them using the URL map.
A global forwarding rule , which provides a public IP address and port to handle incoming user requests and directs them to the proxy.

Initialize and apply the Terraform configuration:
```
 terraform  
init
terraform  
apply 
```
Terraform deploys the resources to your project.

Define the application in App Hub

After deploying the resources as a forwarding rule and a Cloud Run service, follow these steps to group them into an application in App Hub:

Console

Go to the Applicationspage from App Hub:

Go to Applications
Click Create application.
Select Globalas the application location.
Enter my-global-app for the Application nameand click Continue.
Optionally, add a display name, criticality, environment, and owners.
Click Create.
On the Services and workloadstab, click Register service/workload.
Select the forwarding rule, name it frontend-service , and click Register.
Select the Cloud Run service, name it backend-service , and click Register.

gcloud

Create the application:

 gcloud  
apphub  
applications  
create  
my-global-app  
 \ 
  
--location = 
global  
 \ 
  
--display-name = 
 "My Global Application" 
  
 \ 
  
--project = 
 ${ 
 PROJECT_ID 
 }

Discover the IDs for the forwarding rule and the Cloud Run service in the appropriate region:

 gcloud  
apphub  
discovered-services  
list  
 \ 
  
--location = 
global  
 \ 
  
--project = 
 ${ 
 PROJECT_ID 
 } 
gcloud  
apphub  
discovered-services  
list  
 \ 
  
--location = 
 ${ 
 REGION 
 } 
  
 \ 
  
--project = 
 ${ 
 PROJECT_ID 
 }

Note the ID of the forwarding rule and the Cloud Run service.

 gcloud  
apphub  
applications  
services  
create  
frontend-service  
 \ 
  
--application = 
my-global-app  
 \ 
  
--discovered-service = 
projects/ ${ 
 PROJECT_ID 
 } 
/locations/global/discoveredServices/ FRONTEND_ID 
  
 \ 
  
--display-name = 
 "Frontend Service" 
  
 \ 
  
--location = 
global  
 \ 
  
--project = 
 ${ 
 PROJECT_ID 
 }

Replace FRONTEND_ID with the ID of the forwarding rule.

 gcloud  
apphub  
applications  
services  
create  
backend-service  
 \ 
  
--application = 
my-global-app  
 \ 
  
--discovered-service = 
projects/ ${ 
 PROJECT_ID 
 } 
/locations/ ${ 
 REGION 
 } 
/discoveredServices/ BACKEND_ID 
  
 \ 
  
--display-name = 
 "Backend Service" 
  
 \ 
  
--location = 
global  
 \ 
  
--project = 
 ${ 
 PROJECT_ID 
 }

Replace BACKEND_ID with the ID of the Cloud Run service.

Terraform

Create an application.tf file and add the following code:

  # Application 
 resource 
  
 "google_apphub_application" 
  
 "my_global_app" 
  
 { 
  
 project 
  
 = 
  
 " PROJECT_ID 
" 
  
 location 
  
 = 
  
 "global" 
  
 application_id 
  
 = 
  
 "my-global-app" 
  
 display_name 
  
 = 
  
 "My Global Web App" 
  
 description 
  
 = 
  
 "A sample global web application." 
  
 scope 
  
 { 
  
 type 
  
 = 
  
 "GLOBAL" 
  
 } 
  
 attributes 
  
 { 
  
 criticality 
  
 { 
  
 type 
  
 = 
  
 "MEDIUM" 
  
 } 
  
 environment 
  
 { 
  
 type 
  
 = 
  
 "DEVELOPMENT" 
  
 } 
  
 business_owners 
  
 { 
  
 display_name 
  
 = 
  
 "Example Business Owner" 
  
 email 
  
 = 
  
 "business-owner@example.com" 
  
 } 
  
 developer_owners 
  
 { 
  
 display_name 
  
 = 
  
 "Example Developer" 
  
 email 
  
 = 
  
 "dev-owner@example.com" 
  
 } 
  
 operator_owners 
  
 { 
  
 display_name 
  
 = 
  
 "Example Operator" 
  
 email 
  
 = 
  
 "operator-owner@example.com" 
  
 } 
  
 } 
 }

This block uses the google_apphub_application resource to create a logical grouping for your services and workloads.

This example creates a global application and defines attributes for governance and discoverability, such as criticality, environment, and owners. You can modify those values for your sample configuration.

Add the following code to application.tf to discover your deployed resources:

  # Discover the forwarding rule 
 data 
  
 "google_apphub_discovered_service" 
  
 "frontend_service" 
  
 { 
  
 location 
  
 = 
  
 "global" 
  
 service_uri 
  
 = 
  
 "//compute.googleapis.com/${google_compute_global_forwarding_rule.default.id}" 
 } 
 # Discover the Cloud Run service 
 data 
  
 "google_apphub_discovered_service" 
  
 "backend_service" 
  
 { 
  
 location 
  
 = 
  
 " REGION 
" 
  
 service_uri 
  
 = 
  
 "//run.googleapis.com/${google_cloud_run_v2_service.default.id}" 
 }

The google_apphub_discovered_service data sources find the resource names of your existing infrastructure based on their URIs. This step lets App Hub identify the specific resources you want to register.

Add the following code to application.tf to register the discovered resources:

  # Register the forwarding rule as a service in the application 
 resource 
  
 "google_apphub_service" 
  
 "frontend" 
  
 { 
  
 project 
  
 = 
  
 " PROJECT_ID 
" 
  
 location 
  
 = 
  
 "global" 
  
 application_id 
  
 = 
  
 google_apphub_application.my_global_app.application_id 
  
 service_id 
  
 = 
  
 "frontend-service" 
  
 display_name 
  
 = 
  
 "Frontend Service (LB)" 
  
 discovered_service 
  
 = 
  
 data.google_apphub_discovered_service.frontend_service.name 
 } 
 # Register the Cloud Run service as a service in the application 
 resource 
  
 "google_apphub_service" 
  
 "backend" 
  
 { 
  
 project 
  
 = 
  
 " PROJECT_ID 
" 
  
 location 
  
 = 
  
 "global" 
  
 application_id 
  
 = 
  
 google_apphub_application.my_global_app.application_id 
  
 service_id 
  
 = 
  
 "backend-service" 
  
 display_name 
  
 = 
  
 "Backend Service (Cloud Run)" 
  
 discovered_service 
  
 = 
  
 data.google_apphub_discovered_service.backend_service.name 
 }

The google_apphub_service resources formally register the discovered resources into your application. This step creates the link between your infrastructure and the application you defined in App Hub.

Initialize and apply the Terraform configuration:
```
 terraform  
init
terraform  
apply 
```
Terraform registers the resources to your my-global-app application in App Hub.

Optional: Monitor your new application

After defining your application in App Hub, you can use integrated Google Cloud services to monitor its health and performance:

View operational data in Cloud Hub:
1. Set up Cloud Hub .
2. In the Google Cloud console, go to the Homepage of Cloud Hub.
  
  Go to Home
3. From the application selector, choose your my-global-app application. The page displays a summary of your application's health. For more information, see the Cloud Hub overview .
View detailed dashboards in Application Monitoring:
1. Set up Google Cloud Observability for Application Monitoring .
2. In the Google Cloud console, go to the Application monitoring page:
  
  Go to Application monitoring
  
  If you use the search bar to find this page, then select the result whose subheading is Monitoring .
3. From the project picker of the Google Cloud console, select the management project.
  
  The Application Monitoringpage displays predefined dashboards for your application. For more information, see Monitor application health and performance .
  
  For detailed instructions on how to use the predefined dashboards and explore your telemetry data, see View application telemetry .

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.

Unregister services and workloads .
Delete the global application .
If you used Terraform to deploy your application, run terraform destroy in the directory containing your Terraform files to deprovision all the resources you created.
Optional: If you created a new project for this quickstart, delete the project .

Create an application from existing resources

Before you begin

Required roles

Deploy resources for the application

gcloud

Terraform

Define the application in App Hub

Console

gcloud

Terraform

Optional: Monitor your new application

Clean up

What's next