Deliver secure and non-secure content over the same hostname

It is common to deliver HTTP and HTTPS content over the same hostname when using Cloud CDN. While many browsers now enforce the use of Transport Layer Security (TLS) and block non-secure content, there are still use cases where non-secure and secure delivery must both be allowed over the same hostname. This article describes how to achieve this with Cloud CDN.

Challenge

When a client establishes a connection with a CDN edge server, the end-user delivery protocol is negotiated. Most conventional CDN platforms direct traffic to their respective delivery footprint by:

  1. Pointing to a domain name belonging to the CDN, using a DNS CNAME record.
  2. Routing traffic to a subset of servers that support TLS negotiation for that domain name.

Because Cloud CDN integrates with Cloud Load Balancing, its approach differs from that of conventional CDNs. Cloud CDN uses the anycast IP address of the external Application Load Balancer, so when you configure Cloud CDN you have a specific IP address to direct traffic to. This requires an A record (for IPv4) and/or an AAAA record (for IPv6) in your DNS zone, rather than a CNAME record that points at a hostname.

By default, when you configure the frontend of the load balancer, Google Cloud assigns an ephemeral IP address. Because the HTTP and HTTPS frontends are configured separately, you can end up with two different IP addresses for your Cloud CDN deployment. DNS has no notion of protocol or port: an A or AAAA record returns the same address whether the client intends to connect on port 80 or on port 443, so a single hostname cannot be pointed at one address for HTTP and a different address for HTTPS.

Solution

When delivering both secure and non-secure content over the same hostname, the client must be directed to an edge that can serve either HTTP or HTTPS. To make this work with Cloud CDN, reserve a static IP address and bind that reserved address to both the HTTP and the HTTPS frontend configuration of the external Application Load Balancer.

Diagram: HTTP and HTTPS over the same domain

In the diagram:

  • Incoming requests for www.example.com come from clients using HTTP/2, HTTPS, and HTTP.
  • Two IP addresses are reserved, one for IPv4 and one for IPv6:

    • 34.95.111.204
    • [2600:1901:0:b13e::]
  • These two IP addresses are bound to www.example.com in Cloud DNS.

  • When configuring the external Application Load Balancer, the frontend configuration includes four forwarding rules that use the reserved IP addresses:

    Name         Protocol   IP:Port
    ipv4-http    HTTP       34.95.111.204:80
    ipv4-https   HTTPS      34.95.111.204:443
    ipv6-http    HTTP       [2600:1901:0:b13e::]:80
    ipv6-https   HTTPS      [2600:1901:0:b13e::]:443
  • For Cloud CDN cache misses, the load balancer distributes requests to the backend origins, based on the settings defined in the load balancer's URL map.
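
The script below is an added example and is not part of the original article. It audits a deployment for the failure mode described in the Challenge section: it takes the frontend inventory in the format printed by `gcloud compute forwarding-rules list --global --format="csv[no-heading](name,IPAddress,portRange,networkTier)"` and the hostname's `dig +short` A and AAAA answers, and checks that every frontend address carries both a :80 rule and a :443 rule on Premium Tier, and that DNS only points at addresses that do. The inventory and DNS answers are constructed inline (the article's two reserved addresses, plus two made-up ephemeral addresses for the broken case); the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): audit a load balancer
# frontend for the "two ephemeral IPs" problem. Every address that appears
# in a global forwarding rule must have BOTH an HTTP (:80) and an HTTPS
# (:443) rule on PREMIUM tier, and the hostname's DNS answers must point
# only at such addresses.
set -eu

# Constructed sample of:
#   gcloud compute forwarding-rules list --global \
#     --format="csv[no-heading](name,IPAddress,portRange,networkTier)"
# This is the configuration the article describes (one IPv4 and one IPv6
# reserved address, each bound to an HTTP and an HTTPS rule).
GOOD_RULES='ipv4-http,34.95.111.204,80-80,PREMIUM
ipv4-https,34.95.111.204,443-443,PREMIUM
ipv6-http,2600:1901:0:b13e::,80-80,PREMIUM
ipv6-https,2600:1901:0:b13e::,443-443,PREMIUM'

# Constructed sample of the misconfiguration from the Challenge section:
# the HTTP and HTTPS frontends were created separately and each received
# its own ephemeral address (both addresses are made up).
BAD_RULES='ipv4-http,34.120.10.9,80-80,PREMIUM
ipv4-https,35.186.200.17,443-443,PREMIUM'

# Constructed `dig +short www.example.com A` / `AAAA` answers, one per line.
GOOD_DNS='34.95.111.204
2600:1901:0:b13e::'

# audit_frontends RULES_CSV
# Prints one finding per address (OK, MISSING_HTTP, MISSING_HTTPS,
# NOT_PREMIUM). Exit status is 0 only when every address is complete.
audit_frontends() {
  printf '%s\n' "$1" | awk -F, '
    NF >= 4 {
      addr = $2; port = $3; tier = $4
      sub(/-.*/, "", port)                  # "443-443" -> "443"
      seen[addr] = 1
      if (port == "80")  http[addr] = 1
      if (port == "443") https[addr] = 1
      if (tier != "PREMIUM") badtier[addr] = tier
    }
    END {
      bad = 0
      for (a in seen) {
        ok = 1
        if (!(a in http))   { print "MISSING_HTTP " a;  ok = 0 }
        if (!(a in https))  { print "MISSING_HTTPS " a; ok = 0 }
        if (a in badtier)   { print "NOT_PREMIUM " a " " badtier[a]; ok = 0 }
        if (ok) print "OK " a; else bad++
      }
      exit (bad > 0)
    }'
}

# audit_dns RULES_CSV DNS_ANSWERS
# Every A/AAAA answer must be an address that audit_frontends rated OK;
# anything else (a stale ephemeral IP, a half-configured address) means some
# clients will resolve to a frontend that cannot serve one of the protocols.
audit_dns() {
  complete=$(audit_frontends "$1" | awk '$1 == "OK" { print $2 }')
  printf '%s\n' "$2" | awk -v ok="$complete" '
    BEGIN { n = split(ok, list, "\n"); for (i = 1; i <= n; i++) good[list[i]] = 1 }
    NF { if ($1 in good) print "OK " $1; else { print "BAD_DNS_TARGET " $1; bad++ } }
    END { exit (bad > 0) }'
}

echo "== article configuration =="
audit_frontends "$GOOD_RULES"
audit_dns "$GOOD_RULES" "$GOOD_DNS"
echo "== separate ephemeral addresses (the problem the article solves) =="
audit_frontends "$BAD_RULES" || echo "audit failed with status $?"
```

Run it against live output by replacing the constructed strings with `$(gcloud compute forwarding-rules list ...)` and `$(dig +short www.example.com A; dig +short www.example.com AAAA)`; a non-zero exit from either function is the signal that a hostname will resolve to a frontend missing one protocol.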

Step 1: Reserve a global external IP address

Create an IPv4 address, an IPv6 address, or both. To support both IPv4 and IPv6 clients, you must reserve one IPv4 address and one IPv6 address.

In your DNS zone, create an A (or AAAA) record that points your hostname at this reserved IP address (see Step 3).

Console

Note: For global external Application Load Balancers, the Google Cloud console isn't supported.
  1. In the Google Cloud console, go to the External IP addresses page.
  2. Click Reserve static address to reserve an IPv4 address.
  3. Assign a Name of ipv4-address.
  4. Set the Network tier to Premium.
  5. Set the IP version to IPv4.
  6. Set the Type to Global.
  7. Click Reserve.

The load balancer uses Premium Tier networking, as required when Cloud CDN is enabled.

gcloud

gcloud compute addresses create ipv4-address \
    --network-tier=PREMIUM \
    --ip-version=IPV4 \
    --global

Note the IPv4 address that was reserved:

gcloud compute addresses describe ipv4-address \
    --format="get(address)" \
    --global

Repeat this step for IPv6.

For more information, see Reserving a new static external IP address.

Step 2: Bind the reserved IP address to the load balancer

This section shows how to assign the IP address(es) to your load balancer. End-to-end instructions for setting up the load balancer are beyond the scope of this article. For an example setup, see Creating an HTTPS load balancer.

The frontend configuration section allows you to select the protocol usedbetween the client and the load balancer.

In this example, you use both HTTP and HTTPS between the client and the load balancer, so the HTTPS frontend needs one or more SSL certificate resources to configure its target proxy.

Console

Note: For global external Application Load Balancers, the Google Cloud console isn't supported.

Configuring the HTTP forwarding rule

  1. In the Google Cloud console, go to the Load balancing page.
  2. Select your load balancer and click Edit.
  3. In the left panel, click Frontend configuration.
  4. In the Name field, enter ipv4-http.
  5. In the Protocol field, select HTTP.
  6. Set IP version to IPv4.
  7. In IP address, select ipv4-address, which you created earlier.
  8. Ensure that the Port is set to 80, to allow HTTP traffic.
  9. Click Done.

Configuring the HTTPS forwarding rule

  1. In the Google Cloud console, go to the Load balancing page.
  2. Select your load balancer and click Edit.
  3. In the left panel, click Frontend configuration.
  4. In the Name field, enter ipv4-https.
  5. In the Protocol field, select HTTPS.
  6. Set IP version to IPv4.
  7. In IP address, select ipv4-address, which you created earlier.
  8. Ensure that the Port is set to 443, to allow HTTPS traffic.
  9. Click the Certificate drop-down list.
    1. If you already have a self-managed SSL certificate resource you want to use as the primary SSL certificate, select it from the drop-down menu.
    2. Otherwise, select Create a new certificate.
    3. Select Upload my certificate or Create Google managed certificate.
    4. If you selected Upload my certificate, complete these steps.
      1. Fill in a Name of www-ssl-cert.
      2. In the appropriate fields, upload your Public key certificate (.crt file), Certificate chain (.crt or .pem file containing the intermediate certificates; a .csr file is a signing request, not a chain), and Private key (.key file).
      3. Click Create.
    5. If you chose Create Google managed certificate, enter a Domain.
    6. To add certificate resources in addition to the primary SSL certificate resource:
      1. Click Add certificate.
      2. Select a certificate from the Certificates list or click Create a new certificate and follow the instructions above.
  10. Click Done.

Repeat these steps for IPv6.

Review and finalize

  1. In the left panel, clickReview and finalize.
  2. Compare your settings to what you intended to create.
  3. If everything looks correct, clickUpdate.

gcloud

  1. Create a target HTTP proxy to route requests to your URL map.

    gcloud compute target-http-proxies create http-lb-proxy \
        --url-map=web-map
  2. Create a target HTTPS proxy to route requests to your URL map. The proxy is the portion of the load balancer that holds the SSL certificate for HTTPS load balancing, so you also attach your certificate in this step.

    gcloud compute target-https-proxies create https-lb-proxy \
        --url-map=web-map \
        --ssl-certificates=www-ssl-cert
  3. Create two global forwarding rules for each reserved IP address, one for HTTP on port 80 and one for HTTPS on port 443, both bound to the same address. The commands below bind the IPv4 address; repeat them for the reserved IPv6 address, naming the rules ipv6-http and ipv6-https as in the diagram.

    • For a global external Application Load Balancer, use the gcloud CLI command with --load-balancing-scheme=EXTERNAL_MANAGED. This setting offers advanced traffic management capability.
    • For a classic Application Load Balancer, use --load-balancing-scheme=EXTERNAL.

    gcloud compute forwarding-rules create ipv4-http \
        --load-balancing-scheme=LOAD_BALANCING_SCHEME \
        --network-tier=PREMIUM \
        --address=ipv4-address \
        --global \
        --target-http-proxy=http-lb-proxy \
        --ports=80

    gcloud compute forwarding-rules create ipv4-https \
        --load-balancing-scheme=LOAD_BALANCING_SCHEME \
        --network-tier=PREMIUM \
        --address=ipv4-address \
        --global \
        --target-https-proxy=https-lb-proxy \
        --ports=443

After creating the global forwarding rules, it can take several minutes foryour configuration to propagate worldwide.

Step 3: Create an A or AAAA record in your DNS zone file

The last step is to create an A and/or AAAA record in your DNS zone so that your hostname answers with the reserved IP address(es) you bound to the load balancer. Clients resolving the hostname then reach Cloud CDN over either protocol at the same address.

Now, you can serve both HTTP and HTTPS over the same hostname through Cloud CDN.
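
The whole procedure from Step 1 to Step 3, as one script. This is an added example and is not taken from the article: it reserves both addresses, creates the two target proxies, binds each address to both proxies (the four forwarding rules from the diagram) and publishes the A and AAAA records with Cloud DNS. The URL map web-map and certificate www-ssl-cert are the names used on this page and are assumed to exist already; the Cloud DNS managed zone name example-zone, the hostname, the DRY_RUN switch and the function names are assumptions. By default it only prints the gcloud commands it would run; set DRY_RUN=0 with an authenticated gcloud to apply them. The `create` commands fail if a resource already exists, so treat it as a one-shot script.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): Steps 1 to 3 as one script.
# Reserve an IPv4 and an IPv6 address, create the HTTP and HTTPS target
# proxies, bind EACH address to BOTH proxies (the four forwarding rules of
# the diagram), then publish A and AAAA records for the hostname in Cloud DNS.
# Assumptions: URL map "web-map" and certificate "www-ssl-cert" already exist
# (as in the article); the Cloud DNS managed zone name, the hostname and the
# DRY_RUN switch are made up for this example.
set -eu

HOST_FQDN=${HOST_FQDN:-www.example.com.}   # absolute name (trailing dot) for Cloud DNS
DNS_ZONE=${DNS_ZONE:-example-zone}         # assumed Cloud DNS managed zone name
URL_MAP=${URL_MAP:-web-map}
SSL_CERT=${SSL_CERT:-www-ssl-cert}
SCHEME=${SCHEME:-EXTERNAL_MANAGED}         # use EXTERNAL for the classic Application Load Balancer
DRY_RUN=${DRY_RUN:-1}                      # 1: print the gcloud commands; 0: execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'gcloud %s\n' "$*"
  else
    gcloud "$@"
  fi
}

# Step 1: reserve a global, Premium Tier address (Cloud CDN requires Premium Tier).
reserve_address() {   # $1 resource name, $2 IPV4 or IPV6
  run compute addresses create "$1" --network-tier=PREMIUM --ip-version="$2" --global
}

# Literal address of a reserved resource; a placeholder in dry-run mode.
address_of() {        # $1 resource name
  if [ "$DRY_RUN" = 1 ]; then
    echo "<$1>"
  else
    gcloud compute addresses describe "$1" --global --format='get(address)'
  fi
}

# Step 2a: one target proxy per protocol; only the HTTPS proxy carries a certificate.
create_proxies() {
  run compute target-http-proxies create http-lb-proxy --url-map="$URL_MAP"
  run compute target-https-proxies create https-lb-proxy --url-map="$URL_MAP" \
      --ssl-certificates="$SSL_CERT"
}

# Step 2b: bind ONE reserved address to BOTH proxies. This is what lets a
# single A or AAAA record serve HTTP and HTTPS.
bind_address() {      # $1 address resource name, $2 rule name prefix (ipv4 or ipv6)
  run compute forwarding-rules create "$2-http" --load-balancing-scheme="$SCHEME" \
      --network-tier=PREMIUM --address="$1" --global \
      --target-http-proxy=http-lb-proxy --ports=80
  run compute forwarding-rules create "$2-https" --load-balancing-scheme="$SCHEME" \
      --network-tier=PREMIUM --address="$1" --global \
      --target-https-proxy=https-lb-proxy --ports=443
}

# Step 3: publish the record so the hostname answers with the reserved address.
publish_dns() {       # $1 A or AAAA, $2 literal address
  run dns record-sets create "$HOST_FQDN" --zone="$DNS_ZONE" --type="$1" --ttl=300 --rrdatas="$2"
}

plan() {
  reserve_address ipv4-address IPV4
  reserve_address ipv6-address IPV6
  create_proxies
  bind_address ipv4-address ipv4
  bind_address ipv6-address ipv6
  publish_dns A    "$(address_of ipv4-address)"
  publish_dns AAAA "$(address_of ipv6-address)"
}

plan
```

Review the dry-run output before applying it: each reserved address must appear in exactly two forwarding-rule commands (ports 80 and 443), and each DNS record must carry the address of a resource that those rules bind. If an address shows up in only one rule, you have recreated the two-IP problem from the Challenge section.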

Optional: Redirecting HTTP to HTTPS

If you want to redirect HTTP requests to your HTTPS load balancer, you must add a partial HTTP load balancer that has a frontend but no backends. The frontend receives requests and then redirects them to the HTTPS load balancer. It does this by using the following:

Getting support

If you have questions about Google Cloud and Cloud CDN, contact your Google Cloud Sales team or reach out via the Google Cloud Community Slack channel and post a note in the #cloud-cdn channel.

What's next?

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.