You can set up a custom domain rather than the default address thatCloud Run provides for a deployed service.

There are a few ways to set up a custom domain for a Cloud Runservice:

• Use aglobal external Application Load Balancer (Recommended)
• UseFirebase Hosting
• UseCloud Run domain mapping (Limited availability and Preview)

You can map multiple custom domains to the same Cloud Run service.

Before you begin

Purchase a new domain, unless you already have one that you want to use. Youcan use any domain name registrar.

Map a custom domain using a global external Application Load Balancer

With this option, you add aglobal external Application Load Balancerin front of your Cloud Run service and configure a custom domain atthe load balancer level.

One advantage of using a global external Application Load Balancer is that it gives you a lot ofcontrol around your custom domain setup.For example, it lets you use your own TLS certificate or routespecific URL paths to the Cloud Run service.It also lets you configureCloud CDN for caching andGoogle Cloud Armorfor additional security.

You can also map multiple services to a dynamic hostname orpath in your custom domain URL pattern for a single load balancer, for example,<service>.example.com,usingURL masks.

Refer to the documentation onsetting up a global external Application Load Balancer with Cloud Run.

Map a custom domain using Firebase Hosting

With this option, you configureFirebase Hostingin front of your Cloud Run service and connect a domain to FirebaseHosting.

Using Firebase Hosting has a low price and optionally lets you host andserve static content alongside the dynamic content served by yourCloud Run service.

To map a custom domain using Firebase Hosting:

1. Add Firebase to your Google Cloud project.
2. Install the Firebase CLI.

3. In a folder different from the source code of your service, create afirebase.json file with the following content:

   {"hosting":{"rewrites":[{"source":"**","run":{"serviceId":"SERVICE_NAME","region":"REGION"}}]}}

   ReplaceSERVICE_NAME andREGION with the name andregion of your Cloud Run service.

4. Deploy the Firebase Hosting configuration:

   firebasedeploy--onlyhosting--projectPROJECT_ID

5. Connect a custom domain to Firebase Hosting.

Read more aboutFirebase Hosting and Cloud Run.

Map a custom domain using Cloud Run domain mapping (Limited availability and Preview)

This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of theService Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see thelaunch stage descriptions.

Cloud Run domain mapping limitations

The following considerations apply to Cloud Run domain mappings:

• Cloud Run domain mappings are in thepreview launch stage.Due tolatency issues, they are notproduction-ready and are not supported at General Availability. At the moment,this option is not recommended for production services.
• A Google-managed certificate for HTTPS connections is automatically issued andrenewed when you map a service to a custom domain.
• Provisioning the SSL certificate usually takes about 15 minutes but can takeup to 24 hours.
• You cannot disable TLS 1.0 and 1.1. If this is an issue, you can use FirebaseHosting or Cloud Load Balancing to enable TLS 1.2-only traffic.
• You cannot upload and use your own (self-managed) certificates.
• Cloud Run domain mappings are limited to 64 characters.
• Domain mapping is available in the following regions:
  • asia-east1
  • asia-northeast1
  • asia-southeast1
  • europe-north1
  • europe-west1
  • europe-west4
  • us-central1
  • us-east1
  • us-east4
  • us-west1
• To map custom domains in other regions, you must use one of theother mapping options.
• When you use Cloud Run domain mappings, you map a custom domain to yourservice, then update your DNS records.
• You can map a domain, such asexample.com or a subdomain, such assubdomain.example.com.
• You can only map a domain to/, not to a specific URL path like/users.
• You cannot use wildcard certificates with this feature.

Map a custom domain to a service

You can use the Google Cloud console, gcloud CLI, or Terraform to map acustom domain to a service.

resource"google_cloud_run_v2_service""default"{name="custom-domain" # Replace with your service namelocation="us-central1"deletion_protection=false # set to true to prevent destruction of the resourcetemplate{containers{image="us-docker.pkg.dev/cloudrun/container/hello" # Replace with your container image}}}

data"google_project""project"{}resource"google_cloud_run_domain_mapping""default"{name="verified-domain.com"location=google_cloud_run_v2_service.default.locationmetadata{namespace=data.google_project.project.project_id}spec{route_name=google_cloud_run_v2_service.default.name}}

Add your DNS records at your domain registrar

After you've mapped your service to a custom domain in Cloud Run,you must update your DNS records at your domain registrar. As a convenience,Cloud Run generates and displays the DNS records you must enter. Youmust add these records that point to the Cloud Run service at yourdomain registrar for the mapping to go into effect.

If you're using Cloud DNS as your DNS provider, seeAdding arecord.

1. Retrieve the DNS record information for your domain mappings using the following:

   Console

   1. Go to the Cloud Run domain mappings page:
      Domain mappings page

   2. Click the three-dot vertical ellipse icon to the right of your service,then clickDNS RECORDS to display all the DNS records:

   

   gcloud

   gcloudbetarundomain-mappingsdescribe--domain[DOMAIN]

   Replace[DOMAIN] with your custom domain, for example,example.com orsubdomain.example.com.

   You need all of the records returned under the headingresourceRecords.

2. Sign in to your account at your domain registrar and then open the DNSconfiguration page.

3. Locate the host records section of your domain's configuration page andthen add each of the resource records that you received when you mappedyour domain to your Cloud Run service.

4. When you add each of the previous DNS records to the account at the DNS provider:

   • Select the type returned in the DNS record in the previous step:A, orAAAA,orCNAME.
   • Use the namewww to map towww.example.com.
   • Use the name@ to mapexample.com.

5. Save your changes in the DNS configuration page of your domain's account.In most cases, it takes only a few minutes for these changes to take effect, butin some cases it can take up to several hours, depending on the registrar andtheTime-To-Live (TTL) of anyprevious DNS records for your domain. You can use adig tool, such astheonlinedig version,to confirm the DNS records have been successfully updated.

6. Test for success by browsing to your service at its new URL, forexample,https://www.example.com. It can take several minutes forthe managed SSL certificate to be issued.

Add verified domain owners to other users or service accounts

When a user verifies a domain, that domain is only verifiedto that user's account. This means that only that user can add more domainmappings that use that domain. So, to enable other users to add mappings thatuse that domain, you must add them as verified owners.

1. Navigate to the following address in your web browser:

   https://search.google.com/search-console/welcome

2. UnderProperties, click the domain that you want to add a user or serviceaccount to.

3. Go to theVerified owners list, clickAdd an owner, and then enter a Google Account email address or service account ID.

   To view a list of your service accounts, open the Service Accounts page in the Google Cloud console:

   Go to Service Accounts page

Delete a Cloud Run domain mapping

You can use the Google Cloud console or the gcloud CLI to deletea domain mapping.

Using custom domains with authenticated services

Authenticated services areprotected by IAM.Such Cloud Run services require client authentication thatdeclares the intended recipient of a request at credential-generation time (theaudience).

Audience is usually the full URL of the target service, which by default forCloud Run services is a generated URL ending inrun.app.

If you use a custom domain, however, you canconfigure a custom audienceso that your service accepts your custom domain as a valid audience.

What's next

• Learn how tosecure your Cloud Run services.
• To set up a custom domain for Cloud Run by using a global external Application Load Balancer,seeSet up a global external Application Load Balancer with Cloud Run.