Load balancer configuration for Cloud Run services

[tbolis-at-mulesoft]

Hi Team,
I think it would be very valuable to include the ability to configure a load balancer for Cloud Run services as part of the deployment/configuration process.

I started drafting a script for this with the help of my “friend” Gemini 3, and I think the result is quite good.

• script/setup_lb.sh
• script/whitelisted_ips.txt
• Makefile

Here is a recap of the resources and configurations the script creates:

Core Backend Infrastructure

Serverless NEG

• Regional Serverless Network Endpoint Group (NEG) in us-central1 targeting the Cloud Run service.

Backend Service

• Global backend service routing traffic to the NEG.

Cloud Run Configuration

• Ingress set to internal-and-cloud-load-balancing so the service only accepts traffic from the Load Balancer or internal VPC.

---

Security (Cloud Armor)

Security Policy

• Cloud Armor policy: default-security-policy-for-cloud-run-backendservice

Rules

• Default Deny: Reject all traffic (403).
• Whitelist Rules: Allow rules for each IP/CIDR listed in whitelisted_ips.txt.

Attachment

• The security policy is attached to the backend service.

---

Load Balancer (URL Map)

URL Map Behavior

• New Load Balancer:

  • Creates a Global External Application Load Balancer.
  • Adds a rewrite rule from /service-name/* → /.

• Existing Load Balancer:

  • Adds a new path matcher for the service, preserving existing routing rules.

---

Frontend & Networking (Only for NEW Load Balancer)

Global Static IP

• Reserves a global IP address.

Target Proxies

• Creates a Target HTTP Proxy.
• Creates a Target HTTPS Proxy (if HTTPS is enabled).

Forwarding Rules

• Port 80 (HTTP).
• Port 443 (HTTPS, if enabled).

SSL Certificate (Optional)

• Provisions a Google-managed SSL certificate for the specified domain.

---

Cloud DNS (Optional)

• Creates a managed DNS zone if none exists.
• Adds an A record pointing the domain to the Load Balancer's global IP.