You can set up a custom domain rather than the default address that Cloud Run provides for a deployed service.
There are a few ways to set up a custom domain for a Cloud Run service:
- Use a global external Application Load Balancer (Recommended)
- Use Firebase Hosting
- Use Cloud Run domain mapping (Limited availability and Preview)
You can map multiple custom domains to the same Cloud Run service.
Before you begin
Purchase a new domain, unless you already have one that you want to use. You can use any domain name registrar.
Map a custom domain using a global external Application Load Balancer
With this option, you add a global external Application Load Balancer in front of your Cloud Run service and configure a custom domain at the load balancer level.
One advantage of using a global external Application Load Balancer is that it gives you a lot of control around your custom domain setup. For example, it lets you use your own TLS certificate or route specific URL paths to the Cloud Run service. It also lets you configure Cloud CDN for caching and Google Cloud Armor for additional security.
You can also map multiple services to a dynamic hostname or
path in your custom domain URL pattern for a single load balancer, for example, <service>.example.com
,
using URL masks.
Refer to the documentation on setting up a global external Application Load Balancer with Cloud Run.
Map a custom domain using Firebase Hosting
With this option, you configure Firebase Hosting in front of your Cloud Run service and connect a domain to Firebase Hosting.
Using Firebase Hosting has a low price and optionally lets you host and serve static content alongside the dynamic content served by your Cloud Run service.
To map a custom domain using Firebase Hosting:
- Add Firebase to your Google Cloud project.
- Install the Firebase CLI.
In a folder different from the source code of your service, create a
firebase.json
file with the following content:{ "hosting": { "rewrites": [{ "source": "**", "run": { "serviceId": "SERVICE_NAME", "region": "REGION" } }] } }
Replace SERVICE_NAME and REGION with the name and region of your Cloud Run service.
Deploy the Firebase Hosting configuration:
firebase deploy --only hosting --project PROJECT_ID
Read more about Firebase Hosting and Cloud Run.
Map a custom domain using Cloud Run domain mapping (Limited availability and Preview)
Cloud Run domain mapping limitations
The following considerations apply to Cloud Run domain mappings:
- Cloud Run domain mappings are in the preview launch stage. Due to latency issues, they are not production-ready and are not supported at General Availability. At the moment, this option is not recommended for production services.
- A Google-managed certificate for HTTPS connections is automatically issued and renewed when you map a service to a custom domain.
- Provisioning the SSL certificate usually takes about 15 minutes but can take up to 24 hours.
- You cannot disable TLS 1.0 and 1.1. If this is an issue, you can use Firebase Hosting or Cloud Load Balancing to enable TLS 1.2-only traffic.
- You cannot upload and use your own (self-managed) certificates.
- Cloud Run domain mappings are limited to 64 characters.
- Domain mapping is available in the following regions:
asia-east1
asia-northeast1
asia-southeast1
europe-north1
europe-west1
europe-west4
us-central1
us-east1
us-east4
us-west1
- To map custom domains in other regions, you must use one of the other mapping options.
- When you use Cloud Run domain mappings, you map a custom domain to your service, then update your DNS records.
- You can map a domain, such as
example.com
or a subdomain, such assubdomain.example.com
. - You can only map a domain to
/
, not to a specific URL path like/users
. - You cannot use wildcard certificates with this feature.
Map a custom domain to a service
You can use the Google Cloud console, gcloud CLI, or Terraform to map a custom domain to a service.
Console
Open the domain mappings page in the Google Cloud console:
Domain mappings pageClick Add Mapping.
If your display window is too small, the Add Mapping button isn't displayed and you must click the three-dot vertical ellipse icon in the corner of the page.
From the drop-down list, select the service you are mapping the custom domain to.
Select Cloud Run Domain Mappings.
In the Add mapping form, select Verify a new domain.
In the Base domain to verify field, you must verify the ownership of a domain before you can use it, unless you purchased your domain from Google.
If you want to map
subdomain.example.com
orsubdomain1.subdomain2.example.com
, you must verify ownership ofexample.com
. For more information on verifying domain ownership, refer to Search Console helpClick Continue.
After domain verification is finished, click Continue verification and close.
Update your DNS records at your domain registrar website using the DNS records displayed in the last step. You can display the records at any time by clicking DNS Records in the "..." action menu for a domain mapping.
Click Done.
gcloud
You must verify domain ownership the first time you use that domain in the Google Cloud project, unless you purchased your custom domain from Google. You can determine whether the custom domain you want to use has been verified by running the following command:
gcloud domains list-user-verified
If your ownership of the domain needs to be verified, open the Search Console verification page:
gcloud domains verify BASE-DOMAIN
where
BASE-DOMAIN
is the base domain you want to verify. For example, if you want to mapsubdomain.example.com
, you must verify the ownership ofexample.com
.In Search Console, complete domain ownership verification. For more information, refer to Search Console help.
Map your service to the custom domain:
gcloud beta run domain-mappings create --service SERVICE --domain DOMAIN
- Replace
SERVICE
with your service name. - Replace
DOMAIN
with your custom domain, for example,example.com
orsubdomain.example.com
- Replace
Terraform
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.
To create a Cloud Run service, add the following to your existing main.tf
file:
Replace the value for name
with your own service name.
Map your Cloud Run service to the custom domain:
Replace verified-domain.com
with your custom verified domain, for example, example.com
or subdomain.example.com
.
Add your DNS records at your domain registrar
After you've mapped your service to a custom domain in Cloud Run, you must update your DNS records at your domain registrar. As a convenience, Cloud Run generates and displays the DNS records you must enter. You must add these records that point to the Cloud Run service at your domain registrar for the mapping to go into effect.
If you're using Cloud DNS as your DNS provider, see Adding a record.
Retrieve the DNS record information for your domain mappings using the following:
Console
Go to the Cloud Run domain mappings page:
Domain mappings pageClick the three-dot vertical ellipse icon to the right of your service, then click DNS RECORDS to display all the DNS records:
gcloud
gcloud beta run domain-mappings describe --domain [DOMAIN]
Replace
[DOMAIN]
with your custom domain, for example,example.com
orsubdomain.example.com
.You need all of the records returned under the heading
resourceRecords
.Sign in to your account at your domain registrar and then open the DNS configuration page.
Locate the host records section of your domain's configuration page and then add each of the resource records that you received when you mapped your domain to your Cloud Run service.
When you add each of the previous DNS records to the account at the DNS provider:
- Select the type returned in the DNS record in the previous step:
A
, orAAAA
, orCNAME
. - Use the name
www
to map towww.example.com
. - Use the name
@
to mapexample.com
.
- Select the type returned in the DNS record in the previous step:
Save your changes in the DNS configuration page of your domain's account. In most cases, it takes only a few minutes for these changes to take effect, but in some cases it can take up to several hours, depending on the registrar and the Time-To-Live (TTL) of any previous DNS records for your domain. You can use a
dig
tool, such as the onlinedig
version, to confirm the DNS records have been successfully updated.Test for success by browsing to your service at its new URL, for example,
https://www.example.com
. It can take several minutes for the managed SSL certificate to be issued.
Add verified domain owners to other users or service accounts
When a user verifies a domain, that domain is only verified to that user's account. This means that only that user can add more domain mappings that use that domain. So, to enable other users to add mappings that use that domain, you must add them as verified owners.
If you need to add verified owners of your domain to other users or service accounts, you can add permission through the Search Console page:
Navigate to the following address in your web browser:
Under Properties, click the domain that you want to add a user or service account to.
Go to the Verified owners list, click Add an owner, and then enter a Google Account email address or service account ID.
To view a list of your service accounts, open the Service Accounts page in the Google Cloud console:
Delete a Cloud Run domain mapping
You can use the Google Cloud console or the gcloud CLI to delete a domain mapping.
Console
Open the Domain mappings page in the Google Cloud console:
Domain mappings pageIn the Domain mappings page, select the domain mapping that you want to delete and click Delete.
gcloud
Delete the domain mapping:
gcloud beta run domain-mappings delete --domain DOMAIN
- Replace
DOMAIN
with your custom domain, for example,example.com
orsubdomain.example.com
.
- Replace
Using custom domains with authenticated services
Authenticated services are protected by IAM. Such Cloud Run services require client authentication that declares the intended recipient of a request at credential-generation time (the audience).
Audience is usually the full URL of the target service, which by default for Cloud Run
services is a generated URL ending in run.app
. However, if you use a custom domain,
you must avoid using that automatically generated run.app
URL as the audience.
Instead, configure the service for a custom audience
so that it accepts your custom domain as a valid authentication audience.
What's next
- To set up a custom domain for Cloud Run by using a global external Application Load Balancer with Terraform, explore the sample code.