Mapping custom domains

You can use a custom domain rather than the default address that Cloud Run provide for a deployed service.

To use a custom domain for a service, you map your service to the custom domain, then update your DNS records. You can map a service to a domain, such as example.comor to a subdomain, such as subdomain.example.com.

If you are using HTTPS, the following considerations apply:

  • For Cloud Run, a managed certificate for HTTPS connections is automatically issued when you map a service to a custom domain. Note that provisioning the SSL certificate should take about 15 minutes. You cannot upload and use your own certificates.

  • For Cloud Run for Anthos on Google Cloud, only HTTP is available by default. You can install a wildcard SSL certificate to enable SSL for all services mapped to domains included in the wildcard SSL certificate. For more information see Enabling HTTPS.

You can map multiple custom domains to the same Cloud Run service.

Before you begin

Purchase a new domain, unless you already have one that you want to use. You can use any domain name registrar, but if you use Google Domains, the domain is automatically verified for Cloud Run, so you won't have to go through the domain verification process.

Mapping a custom domain to a service

You can use the gcloud command line to map a custom domain to a service.

Console

  1. Go to the Cloud Run domain mappings page:
    Domain mappings page

    Note that if your display window is too small, if you navigate to the Domain Mappings page from the main Cloud Run page, the Mapping Custom Domains button isn't displayed: you have to click the 3-dot vertical ellipse icon at the right of the page.

  2. In the Domain Mappings page, click Add Mapping.

  3. From the dropdown list in the Add Mapping form, select the service you are mapping the custom domain to:

    Add domain mappings

  4. Enter the domain name.

  5. Click Continue.

  6. For Cloud Run (fully managed), you will need to verify the ownership of a domain before being able to use it, unless you purchased your domain from Google. If you want to map subdomain.example.com, you should verify ownership of example.com. For more information on verifying domain ownership, refer to Webmaster Central help

  7. Update your DNS records at your domain registrar web site using the DNS records displayed in the last step. You can display the records at any time by clicking DNS Records in the "..." action menu for a domain mapping.

  8. Click Done.

Command line

  1. For Cloud Run (fully managed) only, you must verify domain ownership the first time you use that domain in the Google Cloud project, unless you purchased your custom domain from Google. You can determine whether the custom domain you want to use has been verified by using the command

    gcloud beta domains list-user-verified

    If your ownership of the domain needs to be verified, open the Webmaster Central verification page:

    gcloud beta domains verify BASE-DOMAIN

    where BASE-DOMAIN is the base domain you want to verify. For example, if you want to map subdomain.example.com, you should verify the ownership of example.com.

    In Webmaster Central, complete domain ownership verification. For more information, refer to Webmaster Central help.

  2. Map your service to the custom domain:

    gcloud run domain-mappings create --service SERVICE --domain DOMAIN
    • Replace SERVICE with your service name.
    • Replace DOMAIN with your custom domain, for example, example.com or subdomain.example.com
  3. If you are using Cloud Run for Anthos on Google Cloud, reserve the IP address attached to the Load Balancer for the Istio ingress gateway service as a static IP:

    gcloud compute addresses create ADDRESS-NAME --addresses EXTERNAL-IP --region REGION

    Replace

    • ADDRESS-NAME with the name you want to give your static IP.
    • EXTERNAL-IP with the IP address in the A record you obtained. in the previous step using gcloud run domain-mapping describe.
    • REGION with the region you are using. (Not the cluster zone.)

Cloud Run Istio ingress gateway

To get the external IP for the Istio ingress gateway:

kubectl get svc ISTIO-GATEWAY -n NAMESPACE 
Replace ISTIO-GATEWAY and NAMESPACE as follows:
Cluster version ISTIO-GATEWAY NAMESPACE
1.15.3-gke.19 and greater
1.14.3-gke.12 and greater
1.13.10-gke.8 and greater
istio-ingress gke-system
All other versions istio-ingressgateway istio-system

where the resulting output looks something like this:

NAME            TYPE           CLUSTER-IP     EXTERNAL-IP  PORT(S)
ISTIO-GATEWAY    LoadBalancer   XX.XX.XXX.XX   pending     80:32380/TCP,443:32390/TCP,32400:32400/TCP

The EXTERNAL-IP for the Load Balancer is the IP address you must use.

Base path mapping

The term base path refers to the URL path name that is after the domain name. For example, users is the base path of example.com/users. Cloud Run only allows you to map a domain to /, not to a specific base path. So any path routing has to be handled by using a router inside the service's container or by using Firebase Hosting.

Add your DNS records at your domain registrar

After you've mapped your service to a custom domain in Cloud Run, you need to update your DNS records at your domain registrar. As a convenience, Cloud Run generates and displays the DNS records you need to enter. You must add these records that point to the Cloud Run service at your domain registrar for the mapping to go into effect.

  1. Retrieve the DNS record information for your domain mappings using:

    Console

    1. Go to the Cloud Run domain mappings page:
      Domain mappings page

    2. Click the 3-dot vertical ellipse icon to the right of your service, then click DNS RECORDS to display all the DNS records:

    select DNS records

    Command line

    gcloud run domain-mappings describe --domain [DOMAIN]

    Replace [DOMAIN] with your custom domain, for example, example.com or subdomain.example.com.

    You need all of the records returned under the heading resourceRecords.

  2. Log in to your account at your domain registrar and then open the DNS configuration page.

  3. Locate the host records section of your domain's configuration page and then add each of the resource records that you received when you mapped your domain to your Cloud Run service.

  4. When you add each of the above DNS records to the account at the DNS provider:

    • Select the type returned in the DNS record in the previous step: A, or AAAA, or CNAME.
    • Use the name www to map to www.example.com.
    • Use the name @ to map example.com.
  5. Save your changes in the DNS configuration page of your domain's account. In most cases, it takes only a few minutes for these changes to take effect, but in some cases it can take up several hours, depending on the registrar, and on the Time-To-Live (TTL) of any previous DNS records for your domain. You can use a dig tool, such as this online dig version) to confirm the DNS records have been successfully updated.

  6. Test for success by browsing to your service at its new URL, for example https://www.example.com. Note that it can take several minutes for the automatic SSL certificate to be issued.

Adding verified domain owners users or service accounts

When a user verifies a domain, that domain is only verified to that user's account. This means that only that user can add more domain mappings that use that domain. So, to enable other users to add mappings that use that domain, you must add them as verified owners.

If you need to add verified owners of your domain to other users or service accounts, you can add permission through the Webmaster Central page:

  1. Navigate to this address in your web browser:

    https://www.google.com/webmasters/verification/home

  2. Under Properties, click the domain for which you want to add a user or service account.

  3. Scroll down to the Verified owners list, click Add an owner, and then enter a Google Account email address or service account ID.

    To view a list of your service accounts, open the Service Accounts page in the Cloud Console:

    Go to Service Accounts page

Was this page helpful? Let us know how we did:

Send feedback about...

Cloud Run Documentation