I am trying to follow Google’s official guide, High availability for regional external Application Load Balancers, but failover isn’t working and health checks are always in an unhealthy state, despite the service appearing to be working externally including over HTTPS. In other words, the health checks themselves are failing, but the geographic load balancing appears to not care.
There is a Cloud DNS RR geographic routing policy with locations in europe-west2 and us-central1 and health checks enabled. Equivalent REST:
{
  "checkIntervalSec": 45,
  "creationTimestamp": "2025-08-28T07:50:05.292-07:00",
  "description": "Health check for api.dev.example.com",
  "healthyThreshold": 2,
  "httpsHealthCheck": {
    "host": "api.dev.example.com",
    "port": 443,
    "requestPath": "/healthcheck",
    "proxyHeader": "NONE"
  },
  "id": "5062345330555474546",
  "kind": "compute#healthCheck",
  "logConfig": {
    "enable": true
  },
  "name": "myhealthcheck",
  "selfLink": "projects/myproject/global/healthChecks/api-dev-pr149-example-com-health-check",
  "sourceRegions": [
    "us-west4",
    "us-east4",
    "europe-west9"
  ],
  "timeoutSec": 5,
  "type": "HTTPS",
  "unhealthyThreshold": 3
}
The logs show that these health checks are consistently failing with a libcurl error.
{
  "insertId": "l47tc7c3ua",
  "jsonPayload": {
    "healthCheckProbeResult": {
      "detailedHealthState": "UNHEALTHY",
      "probeResultText": "Error: libcurl request failed: SSL connect error (TLS connect error: error:00000000:invalid library (0):OPENSSL_internal:invalid library (0))",
      "previousHealthState": "UNHEALTHY",
      "ipAddress": "34.8.155.187",
      "targetIp": "34.8.155.187",
      "targetPort": 443,
      "healthCheckProtocol": "HTTPS",
      "previousDetailedHealthState": "UNKNOWN",
      "probeSourceRegion": "europe-west9",
      "probeRequest": "/healthcheck",
      "probeCompletionTimestamp": "2025-08-28T17:10:39.601273737Z",
      "healthState": "UNHEALTHY"
    }
  },
  "resource": {
    "type": "gce_network_endpoint_group",
    "labels": {
      "network_endpoint_group_id": "676805940311085652",
      "zone": "global"
    }
  },
  "timestamp": "2025-08-28T17:10:41.179052490Z",
  "severity": "INFO",
  "receiveTimestamp": "2025-08-28T17:10:41.910769372Z"
}
To be clear, geographic routing is working, including over HTTPS.
The health check docs say, under "Certificates and health checks":
Google Cloud health check probers don’t perform certificate validation, even for protocols that require that your backends use certificates (SSL, HTTPS, and HTTP/2).
Just in case, I tried redefining the health checks without the host field, to no effect.
All of the IPs in the routing policy have similarly UNHEALTHY health check logs; in fact, I can’t find any logs that show a HEALTHY status. Despite the health check errors, DNS queries from around the world (e.g. https://digger.tools/lookup/example.com/map) show all regions’ IP addresses being served to the appropriate continents, and the Cloud Run services are all handling traffic normally.
The docs say:
Cloud DNS enables automatic failover when the endpoints fail their health checks. When you use geolocation routing policies, the traffic fails over to the next closest geolocation to the source traffic.
But I have not found that to be the case. In fact, I only noticed these errors when investigating why injecting a fault into one region didn’t cause a failover.
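A triage sketch for the probe logs shown in the post, added here as an example and not part of the original question or of any Google tooling: it groups `healthCheckProbeResult` entries by target IP and separates probes that failed during the TLS handshake (before any request for `requestPath` was sent) from other failures. The sample entries are constructed; `203.0.113.10` and the non-TLS result texts are assumptions, not real prober output.

```python
import json
from collections import Counter, defaultdict

TLS_ERR = ("Error: libcurl request failed: SSL connect error (TLS connect error: "
           "error:00000000:invalid library (0):OPENSSL_internal:invalid library (0))")

def _entry(ip, region, state, text):
    # Builds one constructed entry using the field names from the log above.
    return {"jsonPayload": {"healthCheckProbeResult": {
        "targetIp": ip, "probeSourceRegion": region,
        "healthState": state, "probeResultText": text}}}

# Constructed sample input: a JSON array of log entries.
SAMPLE = json.dumps([
    _entry("34.8.155.187", "europe-west9", "UNHEALTHY", TLS_ERR),
    _entry("34.8.155.187", "us-east4", "UNHEALTHY", TLS_ERR),
    _entry("34.8.155.187", "us-west4", "UNHEALTHY", TLS_ERR),
    _entry("203.0.113.10", "us-east4", "UNHEALTHY", "probe timed out (constructed)"),
    _entry("203.0.113.10", "us-east4", "HEALTHY", "ok (constructed)"),
    {"jsonPayload": {"message": "unrelated entry"}},
])

def classify(text):
    """Bucket a probeResultText by the layer at which the probe failed."""
    t = text.lower()
    if "ssl connect error" in t or "tls connect error" in t:
        return "tls_handshake"   # handshake failed, so no HTTP request was sent
    if "timed out" in t or "timeout" in t:
        return "timeout"
    return "other"

def triage(raw_json):
    """Summarise probe results per target IP from a JSON array of log entries."""
    per_ip = defaultdict(lambda: {"states": Counter(), "failures": Counter(), "regions": set()})
    for entry in json.loads(raw_json):
        probe = entry.get("jsonPayload", {}).get("healthCheckProbeResult")
        if not probe:
            continue             # not a health check probe entry
        s = per_ip[probe["targetIp"]]
        s["states"][probe["healthState"]] += 1
        s["regions"].add(probe["probeSourceRegion"])
        if probe["healthState"] != "HEALTHY":
            s["failures"][classify(probe.get("probeResultText", ""))] += 1
    report = {}
    for ip, s in per_ip.items():
        if s["states"]["HEALTHY"]:
            verdict = "has_healthy_probes"
        elif set(s["failures"]) == {"tls_handshake"}:
            verdict = "never_healthy_tls_only"
        else:
            verdict = "never_healthy_mixed"
        report[ip] = {"verdict": verdict, "regions": sorted(s["regions"]),
                      "failures": dict(s["failures"])}
    return report
```

A `never_healthy_tls_only` verdict from every source region means the probes never reached the HTTP layer, so changes to `requestPath` or the expected response cannot affect the result. `triage()` expects a JSON array of entries, the shape that `gcloud logging read` prints with `--format=json`.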