gcloud compute target-https-proxies update

NAME
gcloud compute target-https-proxies update - update a target HTTPS proxy
SYNOPSIS
gcloud compute target-https-proxies updateNAME[--quic-override=QUIC_OVERRIDE][--tls-early-data=TLS_EARLY_DATA][--url-map=URL_MAP][--certificate-manager-certificates=[CERTIFICATE_MANAGER_CERTIFICATES,…]    |--clear-ssl-certificates    |--ssl-certificates=SSL_CERTIFICATE,[…]--global-ssl-certificates    |--ssl-certificates-region=SSL_CERTIFICATES_REGION    |--certificate-map=CERTIFICATE_MAP    |--clear-certificate-map][--clear-http-keep-alive-timeout-sec    |--http-keep-alive-timeout-sec=HTTP_KEEP_ALIVE_TIMEOUT_SEC][--clear-server-tls-policy    |--server-tls-policy=SERVER_TLS_POLICY][--clear-ssl-policy    |--ssl-policy=SSL_POLICY--global-ssl-policy    |--ssl-policy-region=SSL_POLICY_REGION][--global    |--region=REGION][--global-url-map    |--url-map-region=URL_MAP_REGION][GCLOUD_WIDE_FLAG]
DESCRIPTION
gcloud compute target-https-proxies update is used to change theSSL certificate and/or URL map of existing target HTTPS proxies. A target HTTPSproxy is referenced by one or more forwarding rules which specify the networktraffic that the proxy is responsible for routing. The target HTTPS proxy inturn points to a URL map that defines the rules for routing the requests. TheURL map's job is to map URLs to backend services which handle the actualrequests. The target HTTPS proxy also points to at most 15 SSL certificates usedfor server-side authentication. The target HTTPS proxy can be associated with atmost one SSL policy.
EXAMPLES
Update the URL map of a global target HTTPS proxy by running:
gcloudcomputetarget-https-proxiesupdatePROXY_NAME--url-map=URL_MAP

Update the SSL certificate of a global target HTTPS proxy by running:

gcloudcomputetarget-https-proxiesupdatePROXY_NAME--ssl-certificates=SSL_CERTIFIFCATE

Update the URL map of a global target HTTPS proxy by running:

gcloudcomputetarget-https-proxiesupdatePROXY_NAME--url-map=URL_MAP--region=REGION_NAME

Update the SSL certificate of a global target HTTPS proxy by running:

gcloudcomputetarget-https-proxiesupdatePROXY_NAME--ssl-certificates=SSL_CERTIFIFCATE--region=REGION_NAME
POSITIONAL ARGUMENTS
NAME
Name of the target HTTPS proxy to update.
FLAGS
--quic-override=QUIC_OVERRIDE
Controls whether load balancer may negotiate QUIC with clients. QUIC is a newtransport which reduces latency compared to that of TCP. Seehttps://www.chromium.org/quic for moredetails.QUIC_OVERRIDE must be one of:
DISABLE
Disallows load balancer to negotiate QUIC with clients.
ENABLE
Allows load balancer to negotiate QUIC with clients.
NONE
Allows Google to control when QUIC is rolled out.
--tls-early-data=TLS_EARLY_DATA
TLS 1.3 Early Data ("0-RTT" or "zero round trip") allows clients to include HTTPrequest data alongside a TLS handshake. This can improve applicationperformance, especially on networks where connection interruptions may becommon, such as on mobile. This applies to both HTTP over TCP (ie: HTTP/1.1 andHTTP/2) and HTTP/3 over QUIC.TLS_EARLY_DATA must be oneof:
DISABLED
TLS 1.3 Early Data is not advertised, and any (invalid) attempts to send EarlyData will be rejected.
PERMISSIVE
Enables TLS 1.3 Early Data for requests with safe HTTP methods (GET, HEAD,OPTIONS, TRACE). This mode does not enforce any other limitations for requestswith Early Data. The application owner should validate that Early Data isacceptable for a given request path.
STRICT
Enables TLS 1.3 Early Data for requests with safe HTTP methods, and HTTPrequests that do not have query parameters. Requests that send Early Datacontaining non-idempotent HTTP methods or with query parameters will be rejectedwith a HTTP 425.
--url-map=URL_MAP
A reference to a URL map resource. A URL map defines the mapping of URLs tobackend services. Before you can refer to a URL map, you must create the URLmap. To delete a URL map that a target proxy is referring to, you must firstdelete the target HTTPS proxy.
At most one of these can be specified:
At most one of these can be specified:
Certificate resource - certificate-manager-certificates to attach. Thisrepresents a Cloud resource. (NOTE) Some attributes are not given arguments inthis group but can be set in other ways.

To set theproject attribute:

  • provide the argument--certificate-manager-certificates on thecommand line with a fully specified name;
  • provide the argument--project on the command line;
  • set the propertycore/project.

To set thelocation attribute:

  • provide the argument--certificate-manager-certificates on thecommand line with a fully specified name;
  • default value of location is [global].
--certificate-manager-certificates=[CERTIFICATE_MANAGER_CERTIFICATES,…]
IDs of the certificates or fully qualified identifiers for the certificates.

To set thecertificate attribute:

  • provide the argument--certificate-manager-certificates on thecommand line.
  • --clear-ssl-certificates
    Remove any attached SSL certificates from the HTTPS proxy.
    --ssl-certificates=SSL_CERTIFICATE,[…]
    References to at most 15 SSL certificate resources that are used for server-sideauthentication. The first SSL certificate in this list is considered the primarySSL certificate associated with the load balancer. The SSL certificates mustexist and cannot be deleted while referenced by a target HTTPS proxy.
    At most one of these can be specified:
    --global-ssl-certificates
    If set, the ssl certificates are global.
    --ssl-certificates-region=SSL_CERTIFICATES_REGION
    Region of the ssl certificates to operate on. If not specified, you might beprompted to select a region (interactive mode only).

    To avoid prompting when this flag is omitted, you can set thecompute/region property:

    gcloudconfigsetcompute/regionREGION

    A list of regions can be fetched by running:

    gcloudcomputeregionslist

    To unset the property, run:

    gcloudconfigunsetcompute/region

    Alternatively, the region can be stored in the environment variableCLOUDSDK_COMPUTE_REGION.

    At most one of these can be specified:
    Certificate map resource - The certificate map to attach. This represents aCloud resource. (NOTE) Some attributes are not given arguments in this group butcan be set in other ways.

    To set theproject attribute:

  • provide the argument--certificate-map on the command line with afully specified name;
  • provide the argument--project on the command line;
  • set the propertycore/project.
  • To set thelocation attribute:

    • provide the argument--certificate-map on the command line with afully specified name;
    • default value of location is [global].
    --certificate-map=CERTIFICATE_MAP
    ID of the certificate map or fully qualified identifier for the certificate map.

    To set themap attribute:

  • provide the argument--certificate-map on the command line.
  • --clear-certificate-map
    Removes any attached certificate map from the HTTPS proxy.
    At most one of these can be specified:
    --clear-http-keep-alive-timeout-sec
    Clears the previously configured HTTP keepalive timeout.
    --http-keep-alive-timeout-sec=HTTP_KEEP_ALIVE_TIMEOUT_SEC
    Represents the maximum amount of time that a TCP connection can be idle betweenthe (downstream) client and the target HTTP proxy. If an HTTP keepalive timeoutis not specified, the default value is 610 seconds. For global externalApplication Load Balancers, the minimum allowed value is 5 seconds and themaximum allowed value is 1200 seconds.
    At most one of these can be specified:
    --clear-server-tls-policy
    Removes any attached Server TLS policy.
    Or at least one of these can be specified:
    Server tls policy resource - The server TLS policy to attach. This represents aCloud resource. (NOTE) Some attributes are not given arguments in this group butcan be set in other ways.

    To set theproject attribute:

  • provide the argument--server-tls-policy on the command line with afully specified name;
  • provide the argument--project on the command line;
  • set the propertycore/project.
  • To set thelocation attribute:

    • provide the argument--server-tls-policy on the command line with afully specified name;
    • provide the argument--region on the command line;
    • default value of location is [global].
    --server-tls-policy=SERVER_TLS_POLICY
    ID of the server_tls_policy or fully qualified identifier for theserver_tls_policy.

    To set theserver_tls_policy attribute:

  • provide the argument--server-tls-policy on the command line.
  • At most one of these can be specified:
    --clear-ssl-policy
    Removes any attached SSL policy from the HTTPS proxy.
    Or at least one of these can be specified:
    --ssl-policy=SSL_POLICY
    A reference to an SSL policy resource that defines the server-side support forSSL features and affects the connections between clients and load balancers thatare using the HTTPS proxy. The SSL policy must exist and cannot be deleted whilereferenced by a target HTTPS proxy.
    At most one of these can be specified:
    --global-ssl-policy
    If set, the SSL policy is global.
    --ssl-policy-region=SSL_POLICY_REGION
    Region of the SSL policy to operate on. Overrides the defaultcompute/region property value for this command invocation.
    At most one of these can be specified:
    --global
    If set, the target HTTPS proxy is global.
    --region=REGION
    Region of the target HTTPS proxy to update. If not specified, you might beprompted to select a region (interactive mode only).

    To avoid prompting when this flag is omitted, you can set thecompute/region property:

    gcloudconfigsetcompute/regionREGION

    A list of regions can be fetched by running:

    gcloudcomputeregionslist

    To unset the property, run:

    gcloudconfigunsetcompute/region

    Alternatively, the region can be stored in the environment variableCLOUDSDK_COMPUTE_REGION.

    At most one of these can be specified:
    --global-url-map
    If set, the URL map is global.
    --url-map-region=URL_MAP_REGION
    Region of the URL map to operate on. Overrides the defaultcompute/region property value for this command invocation.
    GCLOUD WIDE FLAGS
    These flags are available to all commands:--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.

    Run$gcloud help for details.

    NOTES
    These variants are also available:
    gcloudalphacomputetarget-https-proxiesupdate
    gcloudbetacomputetarget-https-proxiesupdate

    Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

    Last updated 2026-01-21 UTC.