This ended up being due to SNI getting enabled on our HTTPS binding in IIS when using a Let's Encrypt cert. Apparently, the GCP HTTPS LB does not like SNI.