 

SSL/TLS certificate for internal HTTPS load balancer GCP

We have set up a service on GCE that is meant to serve requests from both the internet and from other services inside of our VPC.

To manage this we've set up two load balancers in parallel, the first is a global HTTPS load balancer and the second an internal HTTPS load balancer. Both load balancers have backend services configured to send traffic to the same instance groups hosting our service.

For the global load balancer, we've created self-managed certs for our domains and set up a small VM to refresh these certs periodically.

We are stuck on how to configure certs for the internal load balancer. From our research it seems like the best options come down to creating self-signed certs and installing/trusting them on each VM that will communicate with the LB. However, it seems like the management of this (or similarly of managing our own local CA) could be costly. Does GCP offer any help in managing certs for internal deployments? Are we stuck with the self-signed cert route? Or, is there another approach that we should be exploring?

Thanks and we appreciate the help!

Matthew Sartori asked Oct 20 '25 01:10


1 Answer

For the global load balancer, we've created self-managed certs for our domains and set up a small VM to refresh these certs periodically.

You can avoid the extra VM for refreshing certs by using Google Cloud managed SSL certificates. However, it comes with certain limitations that might be relevant to you:

  • Domain Validation (DV) certificates only
  • single domain name per certificate
  • wildcard common names or multiple subject alternative names are not supported

We are stuck on how to configure certs for the internal load balancer - which domain should this internal cert be configured for?

For the global HTTPS load balancer, SSL certificates are not required on individual VM instances, because traffic between LB and backend instances is encrypted by default.

If you want to encrypt internal traffic between your VMs (and you really need this extra layer of protection), you have to use self-signed certificates and specify them in the regional HTTP proxy config.

The DNS format the internal load balancer uses is:

[SERVICE_LABEL].[FORWARDING_RULE_NAME].il4.[REGION].lb.[PROJECT_ID].internal

You could create a self-signed wildcard certificate to match different internal services. Keeping your own certificate authority has some drawbacks; read more here: https://security.stackexchange.com/a/121195/52705

Documentation:

  • https://cloud.google.com/load-balancing/docs/ssl-certificates
  • https://cloud.google.com/load-balancing/docs/dns-names
UpCat answered Oct 22 '25 05:10
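As an added example (not part of the original question or answer, and not a GCP tool), the Go program below builds a private CA and a P-256 leaf certificate for the internal load balancer's DNS name, then runs the same chain-and-hostname check a client VM that trusts that CA would perform on connect. The region `us-central1`, project `my-project` and forwarding rule `fr-api` are placeholder values. It also shows a detail the answer's wildcard suggestion hinges on: a wildcard matches exactly one DNS label, so it has to sit in the `[SERVICE_LABEL]` position (`*.fr-api.il4.us-central1.lb.my-project.internal`); a broader `*.il4.us-central1.lb.my-project.internal` would not match `web.fr-api.il4.…` at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// InternalPKI holds the private CA plus the leaf certificate and key that would be
// uploaded as a regional SSL certificate for the internal HTTPS load balancer.
type InternalPKI struct {
	CAPEM, LeafPEM, LeafKeyPEM []byte
}

// LBHostname assembles the internal load balancer DNS name in the format
// [SERVICE_LABEL].[FORWARDING_RULE_NAME].il4.[REGION].lb.[PROJECT_ID].internal
func LBHostname(serviceLabel, forwardingRule, region, projectID string) string {
	return fmt.Sprintf("%s.%s.il4.%s.lb.%s.internal", serviceLabel, forwardingRule, region, projectID)
}

func pemBlock(typ string, der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der})
}

// BuildInternalPKI creates a self-signed CA and a P-256 leaf certificate whose SANs
// are dnsNames. A wildcard in dnsNames matches exactly one DNS label (RFC 6125).
func BuildInternalPKI(dnsNames []string) (*InternalPKI, error) {
	if len(dnsNames) == 0 {
		return nil, errors.New("at least one DNS name is required")
	}
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Internal LB CA (constructed example)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(5, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames, // modern clients ignore the CN; only SANs are matched
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(leafKey)
	if err != nil {
		return nil, err
	}
	return &InternalPKI{
		CAPEM:      pemBlock("CERTIFICATE", caDER),
		LeafPEM:    pemBlock("CERTIFICATE", leafDER),
		LeafKeyPEM: pemBlock("EC PRIVATE KEY", keyDER),
	}, nil
}

// VerifyForHost performs the check a client VM that trusts CAPEM will do when it
// connects to host: build a chain to the private CA and match the hostname against the SANs.
func VerifyForHost(p *InternalPKI, host string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(p.CAPEM) {
		return errors.New("could not parse CA PEM")
	}
	block, _ := pem.Decode(p.LeafPEM)
	if block == nil {
		return errors.New("could not decode leaf PEM")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	// Placeholder identifiers; substitute your own region, project and forwarding rule.
	const region, project, rule = "us-central1", "my-project", "fr-api"
	// One wildcard in the SERVICE_LABEL position covers every service label behind this rule.
	pki, err := BuildInternalPKI([]string{LBHostname("*", rule, region, project)})
	if err != nil {
		panic(err)
	}
	for _, host := range []string{
		LBHostname("web", rule, region, project),       // same forwarding rule: matches
		LBHostname("web", "fr-other", region, project), // other forwarding rule: rejected
	} {
		fmt.Printf("%-60s -> %v\n", host, VerifyForHost(pki, host))
	}
	fmt.Print(string(pki.CAPEM)) // this is what gets installed on the client VMs
}
```

Write `LeafPEM` and `LeafKeyPEM` to files and upload them as a regional certificate with `gcloud compute ssl-certificates create NAME --certificate=leaf.pem --private-key=leaf-key.pem --region=us-central1`, then reference that certificate from the regional target HTTPS proxy; install `CAPEM` in the trust store of each client VM (on Debian/Ubuntu, drop it in `/usr/local/share/ca-certificates/` and run `update-ca-certificates`). The leaf above expires after one year, so the same refresh job the question describes for the global load balancer can rotate it; keep the CA key off the VMs that only need the CA certificate.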


