You return faster responses to your users around the world by deploying services in multiple regions and routing your users to the nearest region. Deploying across multiple regions delivers low latency and higher availability in case of regional outages.
Because Cloud Run services deploy into individual regions, you need to deploy your service to multiple regions and then configure global load balancing for the service.
Deploy the service to multiple regions
You can deploy the same service to multiple regions using one of the following methods:
- Repeat the steps to deploy to a single region.
- Deploy a multi-region service.
Deploy a multi-region service
This section shows you how to deploy and configure a multi-region service from a single gcloud CLI command or a YAML file.
gcloud
To create and deploy a multi-region service, run the
gcloud beta run deploy
command using the--regions
flag:gcloud beta run deploy
SERVICE_NAME
\ --image=IMAGE_URL
\ --regions=REGIONS
Replace the following:
SERVICE_NAME
: The name of the multi-region service that you want to deploy.IMAGE_URL
: A reference to the container image, for example,us-docker.pkg.dev/cloudrun/container/hello:latest
.REGIONS
: The list of multiple regions that you want to deploy to. For example,us-central1,asia-east1
.
YAML
Create the YAML file for your service, using the
run.googleapis.com/regions
attribute to set the multiple regions that you want to deploy your service to:apiVersion: serving.knative.dev/v1 kind: Service metadata: name:
SERVICE_NAME
annotations: run.googleapis.com/launch-stage: BETA run.googleapis.com/regions:REGIONS
spec: template: spec: containers: - image:IMAGE_URL
Replace the following:
SERVICE_NAME
: The name of the multi-region service that you want to deploy to.REGIONS
: The list of multiple regions that you want to update. For example,us-central1,asia-east1
.IMAGE_URL
: A reference to the container image, for example,us-docker.pkg.dev/cloudrun/container/hello:latest
.
Create the service using the following command:
gcloud beta run multi-region-services replace service.yaml
Update a multi-region service
This section shows you how to add or remove regions from a multi-region service from a single gcloud CLI command or a YAML file.
gcloud
To add or remove regions from a multi-region service, run the
gcloud beta run multi-region-services update
command.
To add the multi-region service to an additional region or regions, use the
--add-regions
flag:gcloud beta run multi-region-services update
SERVICE_NAME
\ --add-regions=REGIONS
To remove the multi-region service from a region or regions, use the
--remove-regions
flag:gcloud beta run multi-region-services update
SERVICE_NAME
\ --remove-regions=REGIONS
Replace the following:
SERVICE_NAME
: The name of the multi-region service that you want to update.REGIONS
: The region or regions that you want to add your service to or remove your service from. For example,us-central1,asia-east1
.
YAML
To update an existing multi-region service, download its YAML configuration:
gcloud beta run multi-region-services describe SERVICE_NAME --format export > service.yaml
Update the
run.googleapis.com/regions
attribute to add or remove the list of regions that you want the service to deploy to:apiVersion: serving.knative.dev/v1 kind: Service metadata: name:
SERVICE_NAME
annotations: run.googleapis.com/launch-stage: BETA run.googleapis.com/regions:REGIONS
Replace the following:
SERVICE_NAME
: The name of the multi-region service that you want to deploy to.REGIONS
: The new list of multiple regions that you want the service revision to deploy to.
Update the service using the following command:
gcloud beta run multi-region-services replace service.yaml
Delete a multi-region service
To delete a multi-region service, run the
gcloud beta run multi-region-services delete
command:gcloud beta run multi-region-services delete
SERVICE_NAME
Replace
SERVICE_NAME
with the name of the multi-region service that you want to delete.
Configure global load balancing
This section shows you how to configure an external Application Load Balancer with a domain secured with a managed TLS certificate pointing to a global anycast IP address, which routes users to the nearest Google data center that deploys your service.
The architecture described in the following sections does not automatically route requests to a different region when a regional Cloud Run service becomes unresponsive or returns errors. To increase the availability of your multi-regional service, you can configure outlier detection to identify unhealthy Cloud Run services based on their HTTP error rate and diverge some requests to another region.
Create a load balancer
Creating an external load balancer involves creating various networking resources and connecting them together:
gcloud CLI
- Reserve a static IP address so you don't have to update your DNS records
when you recreate your load balancer.
In the command above, replace SERVICE_IP with a name for the IP address resource (e.g.gcloud compute addresses create --global SERVICE_IP
myservice-ip
).This IP address is a global anycast IPv4 address that routes to the Google datacenter or point of presence closest to your visitors.
-
Create a backend service.
gcloud compute backend-services create --global BACKEND_NAME
In the command above, replace BACKEND_NAME with a name you want to give to the backend service (e.g.
myservice-backend
). - Create a URL map.
gcloud compute url-maps create URLMAP_NAME --default-service=BACKEND_NAME
Replace URLMAP_NAME with a name you want to give to the URL map (e.g.
myservice-urlmap
). - Create a managed TLS certificate for your domain to serve HTTPS
traffic. (Replace example.com with your domain name.)
gcloud compute ssl-certificates create CERT_NAME \ --domains=example.com
Replace CERT_NAME with the name you want the managed SSL certificate to have (e.g.
myservice-cert
). - Create a target HTTPS proxy.
gcloud compute target-https-proxies create HTTPS_PROXY_NAME \ --ssl-certificates=CERT_NAME \ --url-map=URLMAP_NAME
Replace HTTPS_PROXY_NAME with the name you want to give to the target HTTPS proxy (e.g.
myservice-https
). - Create a forwarding rule connecting the networking resources you created
to the IP address.
gcloud compute forwarding-rules create --global FORWARDING_RULE_NAME \ --target-https-proxy=HTTPS_PROXY_NAME \ --address=SERVICE_IP \ --ports=443
Replace FORWARDING_RULE_NAME with the name of the forwarding rule resource you want to create (e.g.
myservice-lb
).
Terraform
Alternatively to the steps described in this section, you can use the Global HTTP Load Balancer Terraform Module.
Add the following to your Terraform file (for example main.tf
):
-
Configure the IP address:
Configures your IP address resource name to be
myservice-service-ip
. You can change this to your own value. This IP address is a global anycast IPv4 address that routes to the Google data center or point of presence closest to your visitors. -
Create and configure the backend service:
This resource configures the backend service to be named
myservice-backend
. You can change this to your own value. -
Configure the URL map:
Connects the backend service resource (
myservice-backend
) to the new URL map resource (myservice-lb-urlmap
). You can change these to your own values. -
Create a managed TLS certificate for your domain to serve HTTPS traffic. Replace
example.com
with your domain name in thegoogle_compute_managed_ssl_certificate
resource: -
Configure the HTTPS proxy:
Creates
google_compute_target_https_proxy
resource with target namemyservice-https-proxy
and connects previously created TLS certificate (myservice-ssl-cert
) and URL mapping resources (myservice-lb-urlmap
). You can change these to your own values. -
Configure the forwarding rule:
Creates
google_compute_global_forwarding_rule
resource with target namemyservice-https-proxy
and connects previously created HTTPS proxy target (myservice-https-proxy
) and IP address resource (myservice-service-ip
). You can change these to your own values. -
Apply this config:
To apply your Terraform configuration in a Google Cloud project, complete the steps in the following sections.
Prepare Cloud Shell
- Launch Cloud Shell.
-
Set the default Google Cloud project where you want to apply your Terraform configurations.
You only need to run this command once per project, and you can run it in any directory.
export GOOGLE_CLOUD_PROJECT=PROJECT_ID
Environment variables are overridden if you set explicit values in the Terraform configuration file.
Prepare the directory
Each Terraform configuration file must have its own directory (also called a root module).
-
In Cloud Shell, create a directory and a new
file within that directory. The filename must have the
.tf
extension—for examplemain.tf
. In this tutorial, the file is referred to asmain.tf
.mkdir DIRECTORY && cd DIRECTORY && touch main.tf
-
If you are following a tutorial, you can copy the sample code in each section or step.
Copy the sample code into the newly created
main.tf
.Optionally, copy the code from GitHub. This is recommended when the Terraform snippet is part of an end-to-end solution.
- Review and modify the sample parameters to apply to your environment.
- Save your changes.
-
Initialize Terraform. You only need to do this once per directory.
terraform init
Optionally, to use the latest Google provider version, include the
-upgrade
option:terraform init -upgrade
Apply the changes
-
Review the configuration and verify that the resources that Terraform is going to create or
update match your expectations:
terraform plan
Make corrections to the configuration as necessary.
-
Apply the Terraform configuration by running the following command and entering
yes
at the prompt:terraform apply
Wait until Terraform displays the "Apply complete!" message.
- Open your Google Cloud project to view the results. In the Google Cloud console, navigate to your resources in the UI to make sure that Terraform has created or updated them.
Configure regional network endpoint groups
For each region you deployed to in the previous step, you must create serverless network endpoint groups (NEGs) and add them to the backend service using the following instructions:
gcloud CLI
-
Create a network endpoint group for the Cloud Run service in
REGION
:gcloud compute network-endpoint-groups create NEG_NAME \ --region=REGION \ --network-endpoint-type=SERVERLESS \ --cloud-run-service=SERVICE_NAME
Replace the following:
- NEG_NAME with the name of the network endpoint group resource. (e.g. `myservice-neg-uscentral1`)
- REGION with the [region][loc] your service is deployed in.
- SERVICE_NAME with the name of your service.
-
Add the network endpoint group to the backend service:
gcloud compute backend-services add-backend --global BACKEND_NAME \ --network-endpoint-group-region=REGION \ --network-endpoint-group=NEG_NAME
Specify the NEG_NAME you created in the previous step for the region.
-
Repeat the preceding steps for each region.
Terraform
-
Configure a network endpoint group with name
myservice-neg
for the Cloud Run service for each region specified inrun_regions
variable: -
Configure a backend service to attach the network endpoint group (
myservice-neg
):
Configure DNS records on your domain
To point your domain name to the forwarding rule you created, update its DNS records with the IP address that you created.
Find the reserved IP address of the load balancer by running the following command:
gcloud compute addresses describe \ --global SERVICE_IP \ --format='value(address)'
Replace SERVICE_IP with the name of the IP address you created previously. This command prints the IP address to the output.
Update your domain's DNS records by adding an
A
record with this IP address.
Configure custom audience if using authenticated services
Authenticated services are protected by IAM. Such Cloud Run services require client authentication that declares the intended recipient of a request at credential generation time (the audience).
Audience is usually the full URL of the target service, which by default for Cloud Run
services is a generated URL ending in run.app
. However, in a multi-region deployment,
a client cannot know in advance which regional service a request will be routed to.
So, for a multi-region deployment, configure your service to use
custom audiences.
Wait for load balancer to provision
After configuring the domain with the load balancer IP address, wait for DNS records to propagate. Similarly, wait for the managed TLS certificate to be issued for your domain and to be ready to start serving HTTPS traffic globally.
It might take up to 30 minutes for your load balancer to start serving traffic.
After it is ready, visit your website's URL with https://
prefix to try it out.
Verify status
To check the status of your DNS record propagation, use the
dig
command-line utility:dig A +short example.com
The output shows the IP address that you configured in your DNS records.
Check the status of your managed certificate issuance by running the following command:
gcloud compute ssl-certificates describe CERT_NAME
Replace CERT_NAME with the name you previously chose for the SSL certificate resource.
The output shows a line containing
status: ACTIVE
.
Set up HTTP-to-HTTPS redirect
By default, a forwarding rule only handles a single protocol and therefore
requests to your http://
endpoints respond with "404 Not Found". If you
need requests to your http://
URLs to redirect to the https://
protocol, create an additional URL map and a forwarding rule using the following instructions:
gcloud CLI
-
Create a URL map with a redirect rule.
gcloud compute url-maps import HTTP_URLMAP_NAME \ --global \ --source /dev/stdin <<EOF name: HTTP_URLMAP_NAME defaultUrlRedirect: redirectResponseCode: MOVED_PERMANENTLY_DEFAULT httpsRedirect: True EOF
Replace the HTTP_URLMAP_NAME with the name of the URL map resource you will create (for example,
myservice-httpredirect
). -
Create a target HTTP proxy with the URL map.
gcloud compute target-http-proxies create HTTP_PROXY_NAME \ --url-map=HTTP_URLMAP_NAME
Replace HTTP_PROXY_NAME with the name of the target HTTP proxy you will create (for example,
myservice-http
). -
Create a forwarding rule on port
80
with the same reserved IP address.gcloud compute forwarding-rules create --global HTTP_FORWARDING_RULE_NAME \ --target-http-proxy=HTTP_PROXY_NAME \ --address=SERVICE_IP \ --ports=80
Replace HTTP_FORWARDING_RULE_NAME with the name of the new forwarding rule you will create (for example,
myservice-httplb
).
Terraform
-
Create a URL map resource with a redirect rule:
-
Create a target HTTP proxy with the newly created URL map resource (
myservice-https-urlmap
): -
Create a forwarding rule on port
80
with the same reserved IP address resource (myservice-http-proxy
):
Use authenticated Pub/Sub push subscriptions with multi-region deployment
A Pub/Sub service by default delivers messages to push endpoints in the same Google Cloud region where the Pub/Sub service stores the messages. For a workaround to this behavior, refer to Using an authenticated Pub/Sub push subscription with a multi-region Cloud Rundeployment.