Logging
You can enable, disable, and view logs for an external Application Load Balancer backend service.
You enable or disable logging for each backend service. You can configure whether to log all requests or a randomly sampled fraction.
You must ensure that you don't have a logs exclusion that applies to external Application Load Balancers. For information about how to verify that Cloud HTTP Load Balancer logs are allowed, see Exclusion filters.
Logs sampling and collection
The requests (and corresponding responses) handled by load balancer backend virtual machine (VM) instances are sampled. These sampled requests are then processed to generate logs. You control the fraction of the requests that are emitted as log entries according to the logConfig.sampleRate parameter.
When logConfig.sampleRate is 1.0 (100%), this means that logs are generated for all of the requests and written to Cloud Logging.
Optional fields
Log records contain required fields and optional fields. The What is logged section lists which fields are optional and which are required. All required fields are always included. You can customize which optional fields you keep.
- If you select include all optional, all optional fields in the log record format are included in the logs. When new optional fields are added to the record format, the logs automatically include the new fields.
- If you select exclude all optional, all optional fields are omitted.
- If you select custom, you can specify the optional fields that you want to include, such as tls.protocol,tls.cipher,orca_load_report.cpu_utilization,orca_load_report.mem_utilization.
For information about customizing optional fields, see Enable logging on a new backend service.
Enabling logging on a new backend service
Console
- In the Google Cloud console, go to the Load Balancing page.
- Click the name of your load balancer.
- Click Edit.
- Click Backend Configuration.
- Select Create a backend service.
- Complete the required backend service fields.
- In the Logging section, select the Enable logging checkbox.
- Set a Sample rate fraction. You can set a number from 0.0 through 1.0, where 0.0 means that no requests are logged and 1.0 means that 100% of the requests are logged. The default value is 1.0.
- Optional: To include all the optional fields in the logs, in the Optional fields section, click Include all optional fields.
  Pro tip: To specify the CUSTOM option, use the gcloud CLI and the REST API.
- To finish editing the backend service, click Update.
- To finish editing the load balancer, click Update.
gcloud: Regional mode
Create a backend service and enable logging by using the gcloud compute backend-services create command.

    gcloud compute backend-services create BACKEND_SERVICE \
        --region=REGION \
        --enable-logging \
        --logging-sample-rate=VALUE \
        --load-balancing-scheme=EXTERNAL_MANAGED \
        --logging-optional=LOGGING_OPTIONAL_MODE \
        --logging-optional-fields=OPTIONAL_FIELDS

where
- --region indicates that the backend service is regional. Use this field for backend services used with regional external Application Load Balancers.
- --enable-logging enables logging for that backend service.
- --logging-sample-rate lets you specify a value from 0.0 through 1.0, where 0.0 means that no requests are logged and 1.0 means that 100% of the requests are logged. This field is only meaningful with the --enable-logging parameter. Enabling logging but setting the sampling rate to 0.0 is equivalent to disabling logging. The default value is 1.0.
- --logging-optional lets you specify the optional fields that you want to include in the logs:
  - INCLUDE_ALL_OPTIONAL to include all optional fields.
  - EXCLUDE_ALL_OPTIONAL (default) to exclude all optional fields.
  - CUSTOM to include a custom list of optional fields that you specify in OPTIONAL_FIELDS.
- --logging-optional-fields lets you specify a comma-separated list of optional fields that you want to include in the logs. For example, tls.protocol,tls.cipher. Can only be set if LOGGING_OPTIONAL_MODE is set to CUSTOM. If you use custom metrics and want to log elements of the ORCA load report, you set LOGGING_OPTIONAL_MODE to CUSTOM and specify which elements must be logged in the OPTIONAL_FIELDS field. For example, orca_load_report.cpu_utilization,orca_load_report.mem_utilization.
Enabling logging on an existing backend service
Console
- In the Google Cloud console, go to the Load Balancing page.
- Click the name of your load balancer.
- Click Edit.
- Click Backend Configuration.
- Click Edit next to your backend service.
- In the Logging section, select the Enable logging checkbox.
- In the Sample rate field, set the sampling probability. You can set a number from 0.0 through 1.0, where 0.0 means that no requests are logged and 1.0 means that 100% of the requests are logged. The default value is 1.0.
- Optional: To include all the optional fields in the logs, in the Optional fields section, click Include all optional fields.
  Pro tip: To specify the CUSTOM option, use the gcloud CLI and the REST API.
- To finish editing the backend service, click Update.
- To finish editing the load balancer, click Update.
gcloud: Regional mode
Enable logging on an existing backend service with the gcloud compute backend-services update command.

    gcloud compute backend-services update BACKEND_SERVICE \
        --region=REGION \
        --enable-logging \
        --logging-sample-rate=VALUE \
        --logging-optional=LOGGING_OPTIONAL_MODE \
        --logging-optional-fields=OPTIONAL_FIELDS

where
- --region indicates that the backend service is regional. Use this field for backend services used with regional external Application Load Balancers.
- --enable-logging enables logging for that backend service.
- --logging-sample-rate lets you specify a value from 0.0 through 1.0, where 0.0 means that no requests are logged and 1.0 means that 100% of the requests are logged. Only meaningful with the --enable-logging parameter. Enabling logging but setting the sampling rate to 0.0 is equivalent to disabling logging. The default value is 1.0.
- --logging-optional lets you specify the optional fields that you want to include in the logs.
  - INCLUDE_ALL_OPTIONAL to include all optional fields.
  - EXCLUDE_ALL_OPTIONAL (default) to exclude all optional fields.
  - CUSTOM to include a custom list of optional fields that you specify in OPTIONAL_FIELDS.
- --logging-optional-fields lets you specify a comma-separated list of optional fields that you want to include in the logs. For example, tls.protocol,tls.cipher. Can only be set if LOGGING_OPTIONAL_MODE is set to CUSTOM.
Disabling or modifying logging on an existing backend service
Console
- In the Google Cloud console, go to the Load Balancing page.
- Click the name of your load balancer.
- Click Edit.
- Click Backend Configuration.
- Click Edit next to your backend service.
- To disable logging entirely, in the Logging section, clear the Enable logging checkbox.
- If you leave logging enabled, you can set a different Sample rate fraction. You can set a number from 0.0 through 1.0, where 0.0 means that no requests are logged and 1.0 means that 100% of the requests are logged. The default value is 1.0. For example, 0.2 means 20% of the sampled requests generate logs.
- To finish editing the backend service, click Update.
- To finish editing the load balancer, click Update.
gcloud: Regional mode
Disable logging on a backend service with the gcloud compute backend-services update command.
Disabling logging entirely

    gcloud compute backend-services update BACKEND_SERVICE \
        --region=REGION \
        --no-enable-logging

where
- --region indicates that the backend service is regional. Use this field for backend services used with regional external Application Load Balancers.
- --no-enable-logging disables logging for that backend service.
Enabling logging optional fields on an existing backend service

    gcloud compute backend-services update BACKEND_SERVICE \
        --global \
        --enable-logging \
        --logging-sample-rate=VALUE \
        --logging-optional=LOGGING_OPTIONAL_MODE \
        --logging-optional-fields=OPTIONAL_FIELDS

where
- --logging-sample-rate lets you specify a value from 0.0 through 1.0, where 0.0 means that no requests are logged and 1.0 means that 100% of the requests are logged. Only meaningful with the --enable-logging parameter. Enabling logging but setting the sampling rate to 0.0 is equivalent to disabling logging. The default value is 1.0.
- --logging-optional lets you specify the optional fields that you want to include in the logs:
  - INCLUDE_ALL_OPTIONAL to include all optional fields.
  - EXCLUDE_ALL_OPTIONAL (default) to exclude all optional fields.
  - CUSTOM to include a custom list of optional fields that you specify in OPTIONAL_FIELDS.
- --logging-optional-fields lets you specify a comma-separated list of optional fields that you want to include in the logs. For example, tls.protocol,tls.cipher. Can only be set if LOGGING_OPTIONAL_MODE is set to CUSTOM. If you use custom metrics and want to log elements of the ORCA load report, you set LOGGING_OPTIONAL_MODE to CUSTOM and specify which elements must be logged in the OPTIONAL_FIELDS field. For example, orca_load_report.cpu_utilization,orca_load_report.mem_utilization.
Updating logging optional mode from CUSTOM to others

    gcloud compute backend-services update BACKEND_SERVICE \
        --global \
        --enable-logging \
        --logging-sample-rate=VALUE \
        --logging-optional=LOGGING_OPTIONAL_MODE \
        --logging-optional-fields=

where
- --logging-optional lets you specify the optional fields that you want to include in the logs:
  - INCLUDE_ALL_OPTIONAL to include all optional fields.
  - EXCLUDE_ALL_OPTIONAL (default) to exclude all optional fields.
- --logging-optional-fields must be explicitly configured as shown to clear any existing CUSTOM fields. The API doesn't let you combine a non-CUSTOM mode with CUSTOM fields.
Modifying the logging sample rate

    gcloud compute backend-services update BACKEND_SERVICE \
        --global | --region=REGION \
        --logging-sample-rate=VALUE

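The rules in the sections above (a sample rate of 0.0 is equivalent to disabling logging, EXCLUDE_ALL_OPTIONAL is the default mode, optional fields are only valid with CUSTOM, and tls cannot be used to select all TLS elements) can be checked against existing backend services. The following Python is an added example, not part of the original documentation. It assumes each backend service is available as a JSON object with a logConfig whose keys are enable, sampleRate, optionalMode and optionalFields; the service names and values are constructed.

```python
"""Audit backend service logConfig settings (added example, constructed data)."""

TLS_FIELDS = {"tls.protocol", "tls.cipher"}

# Constructed sample resources. The logConfig key names other than sampleRate
# are an assumption about the JSON representation of a backend service.
SAMPLE_SERVICES = [
    {"name": "bes-full", "logConfig": {
        "enable": True, "sampleRate": 1.0, "optionalMode": "CUSTOM",
        "optionalFields": ["tls.protocol", "tls.cipher"]}},
    {"name": "bes-zero", "logConfig": {"enable": True, "sampleRate": 0.0}},
    {"name": "bes-partial", "logConfig": {
        "enable": True, "sampleRate": 0.2, "optionalMode": "CUSTOM",
        "optionalFields": ["tls.protocol"]}},
    {"name": "bes-off"},
    {"name": "bes-stale", "logConfig": {
        "enable": True, "optionalMode": "INCLUDE_ALL_OPTIONAL",
        "optionalFields": ["tls.cipher"]}},
]


def audit_log_config(service):
    """Return the list of logging findings for one backend service dict."""
    cfg = service.get("logConfig") or {}
    if not cfg.get("enable", False):
        return ["logging disabled"]

    findings = []
    # The default sample rate is 1.0 when the field is absent.
    rate = float(cfg.get("sampleRate", 1.0))
    if not 0.0 <= rate <= 1.0:
        findings.append(f"sample rate {rate} outside 0.0 through 1.0")
    elif rate == 0.0:
        findings.append("sample rate 0.0 is equivalent to disabling logging")
    elif rate < 1.0:
        findings.append(f"only {rate:.0%} of requests are logged")

    # EXCLUDE_ALL_OPTIONAL is the default optional-fields mode.
    mode = cfg.get("optionalMode", "EXCLUDE_ALL_OPTIONAL")
    fields = set(cfg.get("optionalFields") or [])
    if mode != "CUSTOM" and fields:
        # The API rejects this combination; the list must be cleared first.
        findings.append("optional fields listed with a non-CUSTOM mode")
    if mode == "EXCLUDE_ALL_OPTIONAL":
        findings.append("all optional fields are excluded")
    elif mode == "CUSTOM":
        if "tls" in fields:
            findings.append("'tls' does not select all TLS elements")
        missing = sorted(TLS_FIELDS - fields)
        if missing:
            findings.append("not logged: " + ", ".join(missing))
    return findings


def audit_all(services):
    """Map each backend service name to its findings."""
    return {svc["name"]: audit_log_config(svc) for svc in services}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_SERVICES).items():
        print(name, "->", findings or "ok")
```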
View logs
HTTP(S) logs are indexed first by a forwarding rule, then by a URL map.
To view logs, go to the Logs Explorer page:
- To view all logs, in the Resource filter menu, select Cloud HTTP Load Balancer > All forwarding rules.
- To view logs for one forwarding rule, select a single forwarding rule name.
- To view logs for one URL map, select a forwarding rule, and then select a URL map.
Log fields of type boolean typically only appear if they have a value of true. If a boolean field has a value of false, that field is omitted from the log.
UTF-8 encoding is enforced for log fields. Characters that are not UTF-8 characters are replaced with question marks. For regional external Application Load Balancers, you can export logs-based metrics using resource logs (resource.type="http_external_regional_lb_rule").
What is logged
External Application Load Balancer log entries contain information useful for monitoring and debugging your HTTP(S) traffic. Log records contain required fields, which are the default fields of every log record.
Log records contain optional fields that add additional information about your HTTP(S) traffic. Optional fields can be omitted to save storage costs.
Some log fields are in a multi-field format, with more than one piece of data in a given field. For example, the tls field is of the TlsInfo format, which contains the TLS protocol and TLS cipher in a single field.
These multi-field fields are described in the following record format table.
insertID
timestamp
logName
The MonitoredResource is the resource type associated with a log entry. The MonitoredResourceDescriptor describes the schema of a MonitoredResource object by using a type name and a set of labels. For more information, see Resource labels.
- proxyStatus
- tls
- backendTargetProjectNumber
- mtls
- authzPolicyInfo
- backendNetworkName
- orca_load_report
The proxyStatus field holds a string that specifies why the regional external Application Load Balancer returned the HttpRequest.status. The field isn't logged if the value is an empty string. This can happen if the proxy or backend doesn't return a status code or the status code that is returned isn't 0, 4XX, or 5XX.
The proxyStatus field has two parts:
- proxyStatus error
- Optional: proxyStatus details
The authzPolicyInfo field stores information about the authorization policy result. This information is only available for regional external Application Load Balancers that have enabled authorization policies. For more information, see what is logged for authorization policies.
The tls field holds the TlsInfo field that specifies the TLS metadata for the connection between the client and the load balancer. This field is only available if the client is using TLS/SSL encryption.
Use the --logging-optional-fields parameter to specify which elements must be logged:
- tls.protocol
- tls.cipher
You can't set --logging-optional-fields to tls to specify all elements.
The mtls field holds the MtlsInfo value that specifies the mTLS metadata for the connection between the client and the load balancer. This field is only available if the load balancer uses frontend mutual TLS (mTLS).
The backendNetworkName field specifies the VPC network of the backend.
The orca_load_report field contains some or all elements of the ORCA load report returned by the backend. This field is only present if the backend returns an ORCA load report and you configured the load balancer to log the ORCA load report.
Use the --logging-optional-fields parameter to specify which of the following elements of the ORCA load report must be logged:
- orca_load_report.cpu_utilization
- orca_load_report.mem_utilization
- orca_load_report.request_cost
- orca_load_report.utilization
- orca_load_report.rps_fractional
- orca_load_report.eps
- orca_load_report.named_metrics
- orca_load_report.application_utilization
You can also set --logging-optional-fields to orca_load_report to specify that all elements must be logged.
TlsInfo field format
Field | Field format | Field type: Required or Optional | Description |
---|---|---|---|
protocol | string | Optional | TLS protocol that clients use to establish a connection with the load balancer. Possible values are TLSv1, TLSv1.1, TLSv1.2, TLSv1.3, or QUIC. This value is set to NULL if the client is not using TLS/SSL encryption. |
cipher | string | Optional | TLS cipher that clients use to establish a connection with the load balancer. This value is set to NULL if the client isn't using HTTP(S) or the client isn't using TLS/SSL encryption. |
MtlsInfo field format
Field | Field format | Field type: Required or Optional | Description |
---|---|---|---|
clientCertPresent | bool | Optional | |
clientCertChainVerified | bool | Optional | |
clientCertError | string | Optional | Predefined strings representing the error conditions. For more information about the error strings, see Client validation mode. |
clientCertSha256Fingerprint | string | Optional | Base64-encoded SHA-256 fingerprint of the client certificate. |
clientCertSerialNumber | string | Optional | The serial number of the client certificate. If the serial number is longer than 50 bytes, the string |
clientCertValidStartTime | string | Optional | Timestamp (RFC 3339 date string format) before which the client certificate isn't valid. For example, |
clientCertValidEndTime | string | Optional | Timestamp (RFC 3339 date string format) after which the client certificate isn't valid. For example, |
clientCertSpiffeId | string | Optional | The SPIFFE ID from the subject alternative name (SAN) field. If the value isn't valid or exceeds 2048 bytes, the SPIFFE ID is set to an empty string. If the SPIFFE ID is longer than 2048 bytes, the string |
clientCertUriSans | string | Optional | Comma-separated Base64-encoded list of the SAN extensions of type URI. The SAN extensions are extracted from the client certificate. The SPIFFE ID is not included in the If the |
clientCertDnsnameSans | string | Optional | Comma-separated Base64-encoded list of the SAN extensions of type DNSName. The SAN extensions are extracted from the client certificate. If the |
clientCertIssuerDn | string | Optional | Base64-encoded full Issuer field from the certificate. If the |
clientCertSubjectDn | string | Optional | Base64-encoded full Subject field from the certificate. If the |
clientCertLeaf | string | Optional | The client leaf certificate for an established mTLS connection where the certificate passed validation. Certificate encoding is compliant with RFC 9440: the binary DER certificate is encoded using Base64 (without line breaks, spaces, or other characters outside the Base64 alphabet) and delimited with colons on either side. If |
clientCertChain | string | Optional | The comma-delimited list of certificates, in standard TLS order, of the client certificate chain for an established mTLS connection where the client certificate passed validation, not including the leaf certificate. Certificate encoding is compliant with RFC 9440. If the combined size of |
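The encodings in the MtlsInfo table (colon-delimited Base64 DER for clientCertLeaf and clientCertChain, comma-separated Base64 lists for the SAN fields, a Base64 SHA-256 fingerprint) can be decoded and cross-checked when reviewing mTLS log entries. The following Python is an added example, not part of the original documentation. It assumes the fingerprint is computed over the DER bytes of the leaf certificate and tolerates missing Base64 padding; the sample values are constructed placeholder bytes, not real certificates.

```python
"""Decode and cross-check the mtls object of a log entry (added example)."""
import base64
import hashlib
import hmac


def b64decode_any(text):
    """Strictly decode Base64, tolerating missing '=' padding (assumption)."""
    return base64.b64decode(text + "=" * (-len(text) % 4), validate=True)


def encode_rfc9440_cert(der):
    """Encode DER bytes as an RFC 9440 value: Base64 delimited with colons."""
    return ":" + base64.b64encode(der).decode("ascii") + ":"


def decode_rfc9440_cert(value):
    """Return the DER bytes of one colon-delimited RFC 9440 certificate."""
    value = value.strip()
    if len(value) < 3 or value[0] != ":" or value[-1] != ":":
        raise ValueError("certificate is not delimited with colons")
    return b64decode_any(value[1:-1])


def decode_b64_list(value):
    """Decode a comma-separated Base64 list (URI or DNSName SANs)."""
    return [b64decode_any(item).decode("utf-8")
            for item in value.split(",") if item]


def check_mtls(mtls):
    """Decode the mtls fields and compare the leaf with its fingerprint."""
    chain = mtls.get("clientCertChain", "")
    report = {
        # Boolean log fields are omitted when false, so absence means False.
        "cert_present": bool(mtls.get("clientCertPresent", False)),
        "chain_verified": bool(mtls.get("clientCertChainVerified", False)),
        "error": mtls.get("clientCertError", ""),
        "uri_sans": decode_b64_list(mtls.get("clientCertUriSans", "")),
        "dns_sans": decode_b64_list(mtls.get("clientCertDnsnameSans", "")),
        "chain_length": len([decode_rfc9440_cert(c)
                             for c in chain.split(",") if c.strip()]),
        "fingerprint_matches": None,  # None: not enough data to compare
    }
    leaf = mtls.get("clientCertLeaf")
    logged = mtls.get("clientCertSha256Fingerprint")
    if leaf and logged:
        digest = hashlib.sha256(decode_rfc9440_cert(leaf)).digest()
        report["fingerprint_matches"] = hmac.compare_digest(
            digest, b64decode_any(logged))
    return report


def build_sample():
    """Constructed mtls object; the certificate bytes are placeholders."""
    leaf = b"constructed-leaf-certificate-bytes"
    intermediate = b"constructed-intermediate-bytes"

    def enc(raw):
        return base64.b64encode(raw).decode("ascii")

    return {
        "clientCertPresent": True,
        "clientCertChainVerified": True,
        "clientCertSha256Fingerprint": enc(hashlib.sha256(leaf).digest()),
        "clientCertLeaf": encode_rfc9440_cert(leaf),
        "clientCertChain": encode_rfc9440_cert(intermediate),
        "clientCertUriSans": enc(b"https://client.example.test/id"),
        "clientCertDnsnameSans": ",".join(
            [enc(b"a.example.test"), enc(b"b.example.test")]),
    }


if __name__ == "__main__":
    print(check_mtls(build_sample()))
```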
Resource labels
The following table lists the resource labels for resource.type="http_external_regional_lb_rule".
backend_name
backend_scope
    UNKNOWN whenever backend_name is unknown.
backend_scope_type
    (REGION / ZONE). Might be UNKNOWN whenever backend_name is unknown.
backend_target_name
backend_target_type
    BACKEND_SERVICE, or UNKNOWN is returned if the backend wasn't assigned.
backend_type
    INSTANCE_GROUP, NETWORK_ENDPOINT_GROUP, or UNKNOWN is returned if the backend wasn't assigned.
forwarding_rule_name
matched_url_path_rule
    UNMATCHED or UNKNOWN as fallbacks.
    - UNMATCHED refers to a request that matches no URL path rules, so it uses the default path rule.
    - UNKNOWN indicates an internal error or a failed TLS connection.
network_name
project_id
region
target_proxy_name
url_map_name
    url_map_name is empty.
proxyStatus error field
The proxyStatus field contains a string that specifies why the load balancer returned an error. There are two parts in the proxyStatus field, proxyStatus error and proxyStatus details.
This section describes the strings that are supported in the proxyStatus error field.
The proxyStatus error field is applicable to the following load balancers:
- Regional external Application Load Balancer
- Cross-region internal Application Load Balancer
- Regional internal Application Load Balancer
destination_unavailable
    500, 503
connection_timeout
    504
connection_terminated
    The load balancer's connection to the backend ended before a complete response is received.
    This proxyStatus error is returned during any of the following scenarios:
    - The load balancer's connection to the backend ended before a complete response is received.
    - The TLS connection failed on the SSL handshake, and the client didn't establish a connection with the load balancer.
    0, 502, 503
connection_refused
    502, 503
connection_limit_reached
    The load balancer is configured to limit the number of connections it has to the backend, and that limit has been exceeded.
    This proxyStatus error is returned during any of the following scenarios:
    - If any backend is in maintenance mode, the traffic can't be routed to the backend.
    - If the request is locally rate limited.
    - Envoy is handling error conditions such as running out of memory.
    502, 503
destination_not_found
    500, 404
dns_error
    502, 503
proxy_configuration_error
    500
proxy_internal_error
    0, 500, 502
proxy_internal_response
    410 status code means that the backend is unavailable due to payment delinquency.
http_response_timeout
    504, 408
http_request_error
    400, 403, 405, 406, 408, 411, 413, 414, 415, 416, 417, or 429
http_protocol_error
    502
tls_protocol_error
    0
tls_certificate_error
    0
tls_alert_received
    0
proxyStatus details field
The proxyStatus field contains a string that specifies why the load balancer returned an error. There are two parts in the proxyStatus field, proxyStatus error and proxyStatus details.
The proxyStatus details field is optional and is shown only when additional information is available.
This section describes the strings that are supported in the proxyStatus details field.
The proxyStatus details field is applicable to the following load balancers:
- Regional external Application Load Balancer
- Regional internal Application Load Balancer
- Cross-region internal Application Load Balancer
client_disconnected_before_any_response
backend_connection_closed
    502
failed_to_connect_to_backend
    503
failed_to_pick_backend
    502
response_sent_by_backend
client_timed_out
    The connection between the load balancer and client exceeded the idle timeout.
    For more information about regional external Application Load Balancer, see Client HTTP keepalive timeout. For more information about internal Application Load Balancer, see Client HTTP keepalive timeout.
    0, 408
backend_timeout
    The backend timed out while generating a response.
    502
http_protocol_error_from_backend_response
    501, 502
http_protocol_error_from_request
    400, 503
http_version_not_supported
    400
handled_by_identity_aware_proxy
    200, 302, 400, 401, 403, 500, 502
invalid_request_headers
    The HTTP request headers received from a client contain at least one character that isn't allowed under an applicable HTTP specification.
    For example, header field names that include a double quotation mark (") or any characters outside of the standard ASCII range (that is, any byte >= 0x80) are invalid.
    For more information, see:
    400, 404
ip_detection_failed
    400 to 599.
request_body_too_large
    413, 507
request_header_timeout
    408, 504
denied_by_security_policy
    403
throttled_by_security_policy
    429
client_cert_chain_invalid_eku
    0
client_cert_chain_max_name_constraints_exceeded
    0
client_cert_invalid_rsa_key_size
    0
client_cert_not_provided
    0
client_cert_pki_too_large
    Subject and Subject Public Key Info.
    For more information, see Logged errors for closed connections.
    0
client_cert_unsupported_elliptic_curve_key
    0
client_cert_unsupported_key_algorithm
    0
client_cert_validation_failed
    TrustConfig.
    For more information, see Logged errors for closed connections.
    0
client_cert_validation_not_performed
    TrustConfig.
    For more information, see Logged errors for closed connections.
    0
client_cert_validation_search_limit_exceeded
client_cert_validation_timed_out
    0
tls_version_not_supported
    0
unknown_psk_identity
    0
no_application_protocol
    0
no_certificate
    0
bad_certificate
    0
unsupported_certificate
    0
certificate_revoked
    0
certificate_expired
    0
certificate_unknown
    0
unknown_ca
    0
unexpected_message
    0
bad_record_mac
    0
record_overflow
    TLSCiphertext record was received that has a length more than 2^14+256 bytes, or a record was decrypted to a TLSPlaintext record with more than 2^14 bytes (or some other negotiated limit). The error results in a closed TLS connection.
    0
handshake_failure
    0
illegal_parameter
    0
access_denied
    0
decode_error
    0
decrypt_error
    0
insufficient_security
    0
inappropriate_fallback
    0
user_cancelled
    0
missing_extension
    0
unsupported_extension
    ServerHello or Certificate that was not first offered in the corresponding ClientHello or CertificateRequest. The error results in a closed TLS connection.
    0
unrecognized_name
    0
bad_certificate_status_response
    0
load_balancer_configured_resource_limits_reached
    0
Failed TLS connection log entries
When the TLS connection between the client and the load balancer fails before any backend is selected, log entries record the errors. You can configure the backend services with different log sample rates. When a TLS connection fails, the failed TLS connection log sample rate is the highest sample rate for any backend service. For example, if you have configured two backend services with logging sample rate as 0.3 and 0.5, the failed TLS connection log sample rate is 0.5.
You can identify failed TLS connections by checking for these log entry details:
- proxyStatus error type is tls_alert_received, tls_certificate_error, tls_protocol_error, or connection_terminated.
- There is no backend information.
The following sample shows a failed TLS log entry with the proxyStatus error field:

    json_payload: {
      @type: "type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry"
      proxyStatus: "error="tls_alert_received"; details="server_to_client: handshake_failure""
      log_name: "projects/529254013417/logs/mockservice.googleapis.com%20name"
    }
    http_request {
      latency {
        nanos: 12412000
      }
      protocol: "HTTP/1.0"
      remote_ip: "127.0.0.2"
    }
    resource {
      type: "mock_internal_http_lb_rule"
      labels {
        backend_name: ""
        backend_scope: ""
        backend_scope_type: "UNKNOWN"
        backend_target_name: ""
        backend_target_type: "UNKNOWN"
        backend_type: "UNKNOWN"
        forwarding_rule_name: "l7-ilb-https-forwarding-rule-dev"
        matched_url_path_rule: "UNKNOWN"
        network_name: "lb-network"
        region: "REGION"
        target_proxy_name: "l7-ilb-https-proxy-dev"
        url_map_name: ""
      }
    }
    timestamp: "2023-08-15T16:49:30.850785Z"

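The two criteria above (a TLS-related proxyStatus error and no backend information) can be applied to exported log entries to separate failed TLS handshakes from backend-side connection_terminated errors. The following Python is an added example, not part of the original documentation. It assumes entries are JSON objects with jsonPayload.proxyStatus, httpRequest.remoteIp and resource.labels keys; all sample entries are constructed.

```python
"""Find failed TLS connections in load balancer log entries (added example)."""
import re
from collections import Counter

# proxyStatus error values that the page lists for failed TLS connections.
TLS_FAILURE_ERRORS = {
    "tls_alert_received",
    "tls_certificate_error",
    "tls_protocol_error",
    "connection_terminated",
}
PAIR = re.compile(r'(\w+)="([^"]*)"')


def parse_proxy_status(value):
    """Split a proxyStatus string into (error, details); details may be ''."""
    parts = dict(PAIR.findall(value or ""))
    return parts.get("error", ""), parts.get("details", "")


def has_backend_info(labels):
    """True when the entry names a backend or a backend target."""
    return bool(labels.get("backend_name") or labels.get("backend_target_name"))


def is_failed_tls(entry):
    """Apply both criteria: TLS-related error and no backend information."""
    status = entry.get("jsonPayload", {}).get("proxyStatus")
    error, _details = parse_proxy_status(status)
    labels = entry.get("resource", {}).get("labels", {})
    return error in TLS_FAILURE_ERRORS and not has_backend_info(labels)


def summarize(entries):
    """Count failed TLS connections per (client IP, error, details)."""
    counts = Counter()
    for entry in entries:
        if is_failed_tls(entry):
            error, details = parse_proxy_status(entry["jsonPayload"]["proxyStatus"])
            ip = entry.get("httpRequest", {}).get("remoteIp", "")
            counts[(ip, error, details)] += 1
    return counts


def make_entry(proxy_status, remote_ip, backend_name="", backend_target_name=""):
    """Build one constructed log entry in the assumed JSON layout."""
    payload = {} if proxy_status is None else {"proxyStatus": proxy_status}
    return {
        "jsonPayload": payload,
        "httpRequest": {"remoteIp": remote_ip},
        "resource": {
            "type": "http_external_regional_lb_rule",
            "labels": {
                "backend_name": backend_name,
                "backend_target_name": backend_target_name,
            },
        },
    }


HANDSHAKE = 'error="tls_alert_received"; details="server_to_client: handshake_failure"'
# Constructed sample entries (addresses are documentation ranges).
SAMPLE_ENTRIES = [
    make_entry(HANDSHAKE, "127.0.0.2"),
    # Backend-side termination: same error family, but backend info is present.
    make_entry('error="connection_terminated"; details="backend_connection_closed"',
               "192.0.2.7", "web-ig", "web-bes"),
    make_entry('error="tls_certificate_error"; details="client_cert_validation_failed"',
               "192.0.2.10"),
    # Successful request: proxyStatus is not logged at all.
    make_entry(None, "192.0.2.7", "web-ig", "web-bes"),
    make_entry(HANDSHAKE, "127.0.0.2"),
]

if __name__ == "__main__":
    for key, count in summarize(SAMPLE_ENTRIES).most_common():
        print(count, key)
```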
Authorization policy request logs
The authz_info object in the Load Balancer Log Entry JSON payload contains information about authorization policies. You can configure log-based metrics for traffic allowed or denied by these policies. For more information, see authorization policies log details.
authz_info.policies[]
authz_info.policies[].name
    The name is empty for the following reasons:
    - No ALLOW policy matches the request and the request is denied.
    - No DENY policy matches the request and the request is allowed.
authz_info.policies[].result
    ALLOWED or DENIED.
authz_info.policies[].details
    - allowed_as_no_deny_policies_matched_request
    - denied_as_no_allow_policies_matched_request
    - denied_by_authz_extension
    - denied_by_cloud_iap
authz_info.overall_result
    ALLOWED or DENIED.
Interacting with the logs
You can interact with the external Application Load Balancer logs by using the Cloud Logging API. The Logging API provides ways to interactively filter logs that have specific fields set. It exports matching logs to Cloud Logging, Cloud Storage, BigQuery, or Pub/Sub. For more information about the Logging API, see Logging API overview.
Monitoring
The load balancer exports monitoring data to Monitoring.
You can use monitoring metrics to do the following:
- Evaluate a load balancer's configuration, usage, and performance
- Troubleshoot problems
- Improve resource utilization and user experience
In addition to the predefined dashboards in Monitoring, you can create custom dashboards, set up alerts, and query the metrics through the Cloud Monitoring API.
Defining alerting policies
You can create alerting policies to monitor the values of metrics and to notify you when those metrics violate a condition.
- In the Google Cloud console, go to the Alerting page:
  If you use the search bar to find this page, then select the result whose subheading is Monitoring.
- If you haven't created your notification channels and if you want to be notified, then click Edit Notification Channels and add your notification channels. Return to the Alerting page after you add your channels.
- From the Alerting page, select Create policy.
- To select the metric, expand the Select a metric menu and then do the following:
  - To limit the menu to relevant entries, enter Regional External Application Load Balancer Rule into the filter bar. If there are no results after you filter the menu, then disable the Show only active resources & metrics toggle.
  - For the Resource type, select Regional External Application Load Balancer Rule.
  - Select a Metric category and a Metric, and then select Apply.
- Click Next.
- The settings in the Configure alert trigger page determine when the alert is triggered. Select a condition type and, if necessary, specify a threshold. For more information, see Create metric-threshold alerting policies.
- Click Next.
- Optional: To add notifications to your alerting policy, click Notification channels. In the dialog, select one or more notification channels from the menu, and then click OK.
- Optional: Update the Incident autoclose duration. This field determines when Monitoring closes incidents in the absence of metric data.
- Optional: Click Documentation, and then add any information that you want included in a notification message.
- Click Alert name and enter a name for the alerting policy.
- Click Create Policy.
Defining Cloud Monitoring custom dashboards
You can create custom Cloud Monitoring dashboards for the load balancer's metrics:
- In the Google Cloud console, go to the Monitoring page.
- Select Dashboards > Create Dashboard.
- Click Add Chart, and then give the chart a title.
- To identify the time series to be displayed, choose a resource type and metric type:
  - In the Resource & Metric section, click the chart, and then in the Select a metric section, select from the available options:
    - For a regional external Application Load Balancer, select the resource type Regional External Application Load Balancer Rule.
  - Click Apply.
- To specify monitoring filters, click Filters > Add filter.
- Click Save.
Metric reporting frequency and retention
Metrics for the external Application Load Balancers are exported to Cloud Monitoring in 1-minute granularity batches. Monitoring data is retained for six (6) weeks.
The dashboard provides data analysis in default intervals of 1H (one hour), 6H (six hours), 1D (one day), 1W (one week), and 6W (six weeks). You can manually request analysis in any interval from 6W to 1 minute.
Monitoring metrics
You can monitor the following metrics for external Application Load Balancers.
The following metrics for regional external Application Load Balancers are reported into Cloud Monitoring.
These metrics are prepended with loadbalancing.googleapis.com/.
Metric | Name | Description |
---|---|---|
Request count | https/external/regional/request_count | The number of requests served by the regional external Application Load Balancer. |
Request bytes count | https/external/regional/request_bytes | The number of bytes sent as requests from clients to the regional external Application Load Balancer. |
Response bytes count | https/external/regional/response_bytes | The number of bytes sent as responses from the regional external Application Load Balancer to the client. |
Total latencies | https/external/regional/total_latencies | A distribution of the total latency. Total latency is the time in milliseconds between the first byte of the request received by the proxy and the last byte of the response sent by the proxy. It includes: the time taken by the proxy to process the request, the time taken for the request to be sent from the proxy to the backend, the time taken by the backend to process the request, the time taken for the response to be sent back to the proxy, and the time taken for the proxy to process the response and send the response to the client. It doesn't include the RTT between the client and the proxy. Additionally, pauses between requests on the same connection that use |
Backend latencies | https/external/regional/backend_latencies | A distribution of the backend latency. Backend latency is the time in milliseconds between the last byte of the request sent to the backend and the last byte of the response received by the proxy. It includes the time taken by the backend to process the request and the time taken for the response to be sent back to the proxy. |
Filtering dimensions for metrics
You can apply filters for metrics for external Application Load Balancers.
Metrics are aggregated for each regional external Application Load Balancer. You can filter aggregated metrics by using the following dimensions for resource.type="http_external_regional_lb_rule".
backend_name
backend_scope
    UNKNOWN whenever backend_name is unknown.
backend_scope_type
    (REGION / ZONE). Might be UNKNOWN whenever backend_name is unknown.
backend_target_name
backend_target_type
    BACKEND_SERVICE, or UNKNOWN is returned if the backend wasn't assigned.
backend_type
    INSTANCE_GROUP, NETWORK_ENDPOINT_GROUP, or UNKNOWN is returned if the backend wasn't assigned.
forwarding_rule_name
matched_url_path_rule
    UNMATCHED or UNKNOWN as fallbacks.
    - UNMATCHED refers to a request that doesn't match any URL path rules, so it uses the default path rule.
    - UNKNOWN indicates an internal error.
network_name
project_id
region
target_proxy_name
url_map_name