Google Cloud - What is GFE?
GFE stands for Google Front End.
It is the software-defined distributed system that sits at the "Edge" of Google's network (in Points of Presence, or PoPs, all over the world). It acts as the first point of contact for traffic coming from the internet before it enters Google's private data centers.
If you use a Global External Load Balancer (L7XLB) in GCP, you are actually configuring a GFE.
What does the GFE do?
You can think of the GFE as a "Smart Receptionist" or "Airport Check-in Desk" for Google's network. It handles the messy work at the door so the backend servers don't have to.
- SSL/TLS Termination:
  - When a user connects to your application via HTTPS, the TLS session is actually terminated (decrypted) at the GFE, at the edge, close to the user.
  - The GFE then passes the data to your backend instances (VMs, GKE pods) over Google's private, encrypted internal network. This saves your servers from burning CPU cycles on encryption math.
- Global Load Balancing:
  - Because GFEs are located all over the world, they use Anycast IPs.
  - A user in London connects to the GFE in London; a user in Tokyo connects to the GFE in Tokyo. Both use the same IP address.
  - The GFE then looks at your backend capacity and routes the traffic to the closest healthy server (e.g., routing the London user to your europe-west2 backend).
- DDoS Protection (Google Cloud Armor):
  - The GFE absorbs the impact of Distributed Denial of Service attacks.
  - Because the GFE infrastructure is massive (it powers Gmail, YouTube, and Search), it can swallow huge traffic spikes without crashing, protecting your specific servers behind it.
- Content Delivery (Cloud CDN):
  - If you enable Cloud CDN, the GFE caches your images and static files right there at the edge. It serves them to users instantly without waking up your backend servers.
GFE vs. Your Load Balancer
- The GFE is the massive, physical/software infrastructure Google owns and manages globally.
- The Load Balancer (e.g., Global External Application Load Balancer) is the configuration you push to the GFE.
When you click "Create Load Balancer" in the GCP Console, you are effectively programming the GFE to say: "Hey, if you see traffic for api.myapp.com, please decrypt it and send it to my Instance Group A."
Why it matters
Understanding the GFE explains why GCP Load Balancers are different from traditional hardware load balancers (like F5) or AWS Application Load Balancers (which are regionally isolated). Because the GFE is a global mesh, a single GCP Load Balancer can front-end servers in 5 different regions simultaneously without complex DNS routing.
Does traffic to GCE Instance hit GFE?
Whether traffic to a Google Compute Engine (GCE) instance goes through the Google Front End (GFE) depends entirely on how the traffic reaches that instance.
The short answer is:
- No – if you connect directly to the VM's External IP.
- Yes – if you connect via a Proxy Load Balancer (like an HTTP/S Load Balancer).
1. Direct Connection to VM's External IP (No GFE)
When you SSH into a VM or access a web server using the VM's public IP (e.g., 35.x.x.x), the traffic bypasses the GFE.
- The Path: Internet => Google Edge Router => Maglev (Network Load Balancer/NAT) => Andromeda (SDN) => VM.
- What handles it: The connection is handled by Maglev (Google's software network load balancer), which performs the NAT (translating the public IP to the VM's internal IP).
- Implication: You get no Layer 7 smarts. There is no SSL termination, no DDoS protection from Cloud Armor, and no path-based routing. You are talking "directly" to the server's network stack.
2. Connection via Layer 7 Load Balancer (Yes, GFE)
If you put your VM behind an External Application Load Balancer (HTTP/S) or a Proxy Network Load Balancer, the traffic goes through the GFE.
- The Path: Internet => GFE (Edge PoP) => Google Internal Network => VM.
- What handles it: The GFE terminates the connection (TCP handshake & SSL). It then opens a new connection to your VM.
- Implication: Your VM sees the traffic coming from Google's internal IP ranges (e.g., 130.211.0.0/22), not the original client's IP. This is where you get features like Cloud CDN and Identity-Aware Proxy (IAP).
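Because the GFE is the TCP peer, a backend that needs the real client address (for rate limiting, allowlists or audit logs) must read it from X-Forwarded-For, and must do so carefully: the GFE appends `<client-ip>, <load-balancer-ip>` to whatever the client already sent, so the first entry is attacker-controlled and only the second-to-last entry is what the GFE actually saw. The helper below is an added example, not code from the page or from Google; it assumes 130.211.0.0/22 (quoted above) and 35.191.0.0/16 as the GFE source ranges, which the operator should confirm against Google's current documentation.

```python
import ipaddress
from typing import Optional

# Source ranges the GFE connects from. 130.211.0.0/22 is the range quoted on the
# page; 35.191.0.0/16 is the other range Google documents for its proxies.
# Assumption: keep this list in sync with Google's published ranges.
GFE_RANGES = [ipaddress.ip_network("130.211.0.0/22"),
              ipaddress.ip_network("35.191.0.0/16")]


def is_gfe(addr: str) -> bool:
    """True if the address falls inside one of the trusted GFE ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in GFE_RANGES)


def client_ip(peer_addr: str, xff: Optional[str]) -> Optional[str]:
    """Recover the real client IP on a backend that sits behind the GFE.

    The GFE appends '<client-ip>, <load-balancer-ip>' to X-Forwarded-For, so
    anything the client sent itself sits *before* those two entries and is
    ignored. Returns None when the request did not arrive through the GFE.
    """
    # The TCP peer must be a GFE; otherwise the header is untrusted input.
    if not is_gfe(peer_addr) or not xff:
        return None
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Need at least '<client-ip>, <lb-ip>' and the last hop must be a GFE.
    if len(hops) < 2 or not is_gfe(hops[-1]):
        return None
    candidate = hops[-2]  # second-to-last = the address the GFE saw
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests, not real captures.
    # Honest request through the GFE -> 203.0.113.9
    print(client_ip("130.211.1.7", "203.0.113.9, 130.211.1.7"))
    # Client pre-loaded X-Forwarded-For; the spoofed entry is ignored -> 203.0.113.9
    print(client_ip("130.211.1.7", "10.0.0.1, 203.0.113.9, 130.211.1.7"))
    # Same header, but the TCP peer is not a GFE (direct hit on the VM) -> None
    print(client_ip("198.51.100.4", "203.0.113.9, 130.211.1.7"))
```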
3. Connection via Passthrough Load Balancer (No GFE)
If you use a Network Load Balancer (L4) (TCP/UDP passthrough), the traffic bypasses the GFE.
- The Path: Internet => Maglev => Andromeda => VM.
- What handles it: Maglev distributes the packets to your backend VMs but preserves the source IP address. It does not "proxy" the connection; it just routes the packets.
Summary Table
| Traffic Type | Goes through GFE? | Technology Used | Client IP Visibility |
|---|---|---|---|
| Direct External IP | No | Maglev / Andromeda | Visible to VM |
| HTTP(S) Load Balancer | Yes | GFE | Hidden (Visible in X-Forwarded-For) |
| TCP/SSL Proxy LB | Yes | GFE | Hidden (Visible in Proxy Protocol) |
| Network LB (Passthrough) | No | Maglev | Visible to VM |
| Internal Traffic (VPC) | No | Andromeda | Visible to VM |
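Behind a TCP/SSL Proxy LB there is no HTTP header to carry the client address; the GFE can instead prefix the TCP stream with a PROXY protocol v1 line (`PROXY TCP4 <src> <dst> <srcport> <dstport>\r\n`). The parser below is an added example, not code from the page or from Google; the sample stream is constructed, and a backend should only honour the header when the TCP peer is in the GFE ranges, since anyone hitting the VM's external IP directly could send one too.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple


class ProxyInfo(NamedTuple):
    family: str    # "TCP4" or "TCP6"
    src_ip: str    # original client address as seen by the proxy
    dst_ip: str    # address the client connected to (the LB's VIP)
    src_port: int
    dst_port: int


def parse_proxy_v1(data: bytes) -> Tuple[Optional[ProxyInfo], bytes]:
    """Split a PROXY protocol v1 header off the start of a TCP stream.

    Returns (info, remaining_payload). info is None when the stream carried
    no header (or an UNKNOWN one). Raises ValueError on a malformed header;
    the safe reaction is to drop the connection rather than guess an address.
    """
    if not data.startswith(b"PROXY "):
        return None, data
    # The v1 line is at most 107 bytes including CRLF; do not scan further.
    end = data.find(b"\r\n", 0, 108)
    if end < 0:
        raise ValueError("PROXY line not terminated within 107 bytes")
    fields = data[:end].decode("ascii", "strict").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("bad PROXY v1 header")
    src = ipaddress.ip_address(fields[2])   # raises ValueError if not an IP
    dst = ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match TCP4/TCP6")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return ProxyInfo(fields[1], str(src), str(dst), sport, dport), rest


# Constructed sample: first bytes a backend would read from the LB's connection.
SAMPLE = b"PROXY TCP4 203.0.113.9 198.51.100.4 51234 443\r\nGET / HTTP/1.1\r\n"

if __name__ == "__main__":
    info, payload = parse_proxy_v1(SAMPLE)
    print(info)      # ProxyInfo(family='TCP4', src_ip='203.0.113.9', ...)
    print(payload)   # b'GET / HTTP/1.1\r\n'
```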
What is Maglev?
Maglev is the "gatekeeper" that sits in front of the Google Front End (GFE) at the edge.
Here is the hierarchy of what happens when a packet hits Google's Edge (a Point of Presence or PoP):
- The Router: A physical router receives the packet from the Internet (via BGP).
- Maglev: The router passes the packet to Maglev.
- Maglev is the Layer 4 (Packet level) Load Balancer.
- Its job is to decide which specific GFE server in that building should handle this packet.
- It ensures that all packets for a single TCP connection go to the same GFE server (Connection Tracking).
- GFE: Maglev forwards the packet to the GFE.
- The GFE is the Layer 7 (Application level) Load Balancer.
- It terminates the SSL, looks at the URL path, and decides which backend service to call.
Why Maglev is needed at the Edge
The GFE is just a software application running on a server. Google has thousands of these servers in a single edge location. Maglev is the system that allows those thousands of GFE servers to share a single public IP address (Anycast VIP).
Summary of Locations
- Is GFE at the Edge? Yes. It terminates SSL there.
- Is Maglev at the Edge? Yes. It balances traffic across the GFEs.
- Is Maglev in the Data Center? Yes. It is also used internally to load balance traffic between internal services (like L4 ILB or Passthrough Network Load Balancers).