Build SSL policy configurations for load balancers with TLS version requirements and cipher suite profiles.
Last verified: May 2026
The builder constructs an SSL policy resource with a name, a profile (COMPATIBLE/MODERN/RESTRICTED/CUSTOM), a min_tls_version (TLS_1_0/TLS_1_1/TLS_1_2/TLS_1_3), and a custom_features list (CUSTOM profile only). Output is generated as gcloud compute ssl-policies commands and Terraform google_compute_ssl_policy resources, plus the load balancer target proxy binding that attaches the policy.
This tool helps GCP engineers generate valid configurations quickly without consulting documentation, reducing errors and accelerating infrastructure deployment. All processing runs in your browser with no data sent to external servers.
Example scenario: your team's load balancers default to permissive SSL settings, with TLS 1.0 allowed and weak ciphers enabled, and a compliance audit flags this as a finding. The builder generates an SSL policy for each load balancer: RESTRICTED profile with a TLS_1_2 minimum. Apply the policies via Terraform across the load balancer fleet. Before deploying, monitor logs for clients still using TLS 1.0/1.1; this is typically 0.1% of traffic, mostly from old devices. After cutover, those clients fail to connect, which is an acceptable trade-off for compliance. The audit finding is closed within 1 week.
Use the RESTRICTED profile (TLS 1.2+ only, modern ciphers only) for production load balancers. The default profile allows TLS 1.0 and 1.1 plus older ciphers, which fails most modern compliance requirements (PCI-DSS 4.0, NIST). RESTRICTED is the right baseline; tune from there only if specific clients can't meet it.
MIN_TLS_VERSION=TLS_1_2 is mandatory for any compliance-relevant deployment. TLS 1.0 and 1.1 have known vulnerabilities and are deprecated by most security frameworks. The remaining clients still on TLS 1.0/1.1 are typically very old IoT devices or legacy systems — the right answer is often 'upgrade those clients' not 'weaken security policy'.
Custom SSL policies (specifying individual ciphers) are usually a mistake — you'll fall behind security best practices as new ciphers emerge and old ones get deprecated. Use Google's managed profiles (RESTRICTED / MODERN / COMPATIBLE) which Google updates automatically as crypto best practices evolve.
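The rules above (custom_features only with CUSTOM, a TLS_1_2 floor, managed profiles preferred) can be enforced before any command is emitted. The following Python sketch is an added example, not this tool's own code: the function name, the warning wording, and the sample policy and proxy names are assumptions, and it assumes a global policy attached to an HTTPS target proxy.

```python
import json
import re

PROFILES = {"COMPATIBLE", "MODERN", "RESTRICTED", "CUSTOM"}
TLS_VERSIONS = ["TLS_1_0", "TLS_1_1", "TLS_1_2", "TLS_1_3"]  # enum values listed on this page
NAME_RE = re.compile(r"[a-z]([-a-z0-9]{0,61}[a-z0-9])?")  # GCP resource-name rule


def build_ssl_policy(name, profile, min_tls, custom_features=(), proxy=None):
    """Validate one policy; return (gcloud_commands, terraform_hcl, warnings)."""
    for value in [name] + ([proxy] if proxy is not None else []):
        if not NAME_RE.fullmatch(value):  # also keeps shell metacharacters out of the output
            raise ValueError(f"invalid resource name: {value!r}")
    if profile not in PROFILES or min_tls not in TLS_VERSIONS:
        raise ValueError("unknown profile or min_tls_version")
    features = list(custom_features)
    if (profile == "CUSTOM") != bool(features):
        raise ValueError("custom_features is required for CUSTOM and invalid otherwise")
    if any(not re.fullmatch(r"[A-Z0-9_]+", f) for f in features):
        raise ValueError("malformed cipher feature name")

    warnings = []
    if TLS_VERSIONS.index(min_tls) < TLS_VERSIONS.index("TLS_1_2"):
        warnings.append(f"{min_tls} is below the TLS_1_2 compliance baseline")
    if profile == "CUSTOM":
        warnings.append("CUSTOM cipher lists are not updated by Google; review them regularly")

    version = min_tls[len("TLS_"):].replace("_", ".")  # TLS_1_2 -> 1.2 for the gcloud flag
    create = f"gcloud compute ssl-policies create {name} --profile={profile} --min-tls-version={version}"
    if features:
        create += " --custom-features=" + ",".join(features)
    commands = [create]
    if proxy:  # binding step: attach the policy to the HTTPS target proxy
        commands.append(f"gcloud compute target-https-proxies update {proxy} --ssl-policy={name}")

    hcl = [f'resource "google_compute_ssl_policy" "{name}" {{',
           f'  name            = "{name}"',
           f'  profile         = "{profile}"',
           f'  min_tls_version = "{min_tls}"']
    if features:
        hcl.append(f"  custom_features = {json.dumps(features)}")
    hcl.append("}")
    return commands, "\n".join(hcl), warnings


if __name__ == "__main__":  # constructed sample names
    cmds, tf, warns = build_ssl_policy("prod-restricted", "RESTRICTED", "TLS_1_2", proxy="web-https-proxy")
    print("\n".join(cmds), tf, *warns, sep="\n")
```

Warnings are returned rather than raised so that a weaker policy kept for a specific legacy client remains an explicit, reviewable decision.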
The SSL options surface what is currently documented in the Google Cloud reference for that service. When Google adds a new property or value, we add it here after verifying the schema in a real project. If a recently-announced feature is not yet selectable, treat that as a 'not yet supported' signal rather than an opinion that it should not be used.
Most SSL primitives behave the same in standard, Assured Workloads, and sovereign Google Cloud deployments, but available services, regions, and access controls differ. The output is portable in shape; you must verify service availability and any Assured Workloads constraints before applying in a controlled environment.
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.