Domain Setup
DNS configuration and domain verification for Cloud Run
This guide covers configuring custom domains for Cloud Run services using a Global Load Balancer.
Domain Strategy
| Service | Environment | Domain |
|---|---|---|
| HRMS Docs | Production | docs.hrms.bluewoo.com |
| HRMS Docs | Staging | docs-staging.hrms.bluewoo.com |
| HRMS App | Production | app.hrms.bluewoo.com |
| HRMS API | Production | api.hrms.bluewoo.com |
Overview
Since Cloud Run domain mapping isn't available in all regions (e.g., europe-west6), we use a Global Load Balancer for custom domains. This requires:
- Domain verification in Google Search Console
- Load Balancer setup (see Load Balancer Setup)
- DNS A record pointing to Load Balancer IP
Step 1: Verify Domain Ownership
1.1 Start Verification
```bash
gcloud domains verify bluewoo.com
```

This opens Google Search Console in your browser.
1.2 Choose Domain Verification
- Select "Domain" (left option)
- Enter: `bluewoo.com`
- Click Continue
1.3 Add TXT Record
Google will show a TXT record to add. In your DNS provider (GoDaddy):
| Type | Name | Value | TTL |
|---|---|---|---|
| TXT | @ | google-site-verification=XXXXXX | 1 Hour |
1.4 Complete Verification
- Add the TXT record in GoDaddy
- Return to Search Console
- Click Verify
- Wait for confirmation
1.5 Add Work Account (If Using Organization)
If you verified with a personal account but use a work account for GCP:
- In Search Console, go to Settings → Users and permissions
- Click Add user
- Enter your work email (e.g., `you@company.com`)
- Set permission to Owner
- Click Add
Step 2: Set Up Load Balancer
Follow the complete Load Balancer Setup Guide.
After completion, you'll have a static IP address (e.g., 34.8.128.20).
Step 3: Configure DNS (GoDaddy)
3.1 Add A Record
- Log into GoDaddy
- Go to My Products → DNS
- Select your domain (`bluewoo.com`)
- Click Add New Record
| Type | Name | Value | TTL |
|---|---|---|---|
| A | docs.hrms | 34.8.128.20 | 1 Hour |
3.2 Verify DNS
```bash
# Check DNS propagation
dig docs.hrms.bluewoo.com
# Should return:
# docs.hrms.bluewoo.com. 3600 IN A 34.8.128.20
```

DNS propagation typically takes 5-30 minutes, but can take up to 48 hours.
Step 4: Verify SSL Certificate
```bash
gcloud compute ssl-certificates describe hrms-docs-cert \
  --global \
  --project=bluewoo-hrms \
  --format="table(name,managed.status,managed.domainStatus)"
```

Expected output:

```
NAME STATUS DOMAIN_STATUS
hrms-docs-cert ACTIVE {'docs.hrms.bluewoo.com': 'ACTIVE'}
```

Step 5: Test Access
```bash
# Test HTTPS
curl -sI https://docs.hrms.bluewoo.com | head -5
# Expected:
# HTTP/2 200
# ...
```

Clean Up Old DNS Records
After migration, remove any old/unused DNS records:
Delete these if they exist:
- Old A records pointing to deprecated IPs
- Test subdomains (e.g., `test`, `auth.test`)
- Unused CNAME records
Keep these:
- `@` (root domain A record)
- `www` (CNAME to root)
- Your new subdomain (e.g., `docs.hrms`)
- NS records (required)
- SOA record (required)
Adding More Domains
To add another domain (e.g., app.hrms.bluewoo.com):
Option A: Same Load Balancer (Recommended)
- Update SSL certificate to include new domain:

  ```bash
  # Create new certificate with multiple domains
  gcloud compute ssl-certificates create hrms-multi-cert \
    --domains="docs.hrms.bluewoo.com,app.hrms.bluewoo.com" \
    --global

  # Update HTTPS proxy to use new certificate
  gcloud compute target-https-proxies update hrms-docs-https-proxy \
    --ssl-certificates=hrms-multi-cert \
    --global
  ```

- Add DNS A record for new subdomain pointing to same IP
Option B: Separate Load Balancer
Follow Load Balancer Setup to create a new LB for each service.
Customer Domains (Multi-Tenant)
For customer deployments like hrms.customer.com:
Customer Steps
- Customer adds A record in their DNS:
  - Type: `A`
  - Name: `hrms`
  - Value: `34.8.128.20` (your Load Balancer IP)
Your Steps
- Add domain to SSL certificate:

  ```bash
  gcloud compute ssl-certificates create customer-cert \
    --domains="hrms.customer.com" \
    --global
  ```

- Update backend or create new URL map rule
Troubleshooting
ERR_NAME_NOT_RESOLVED
- DNS record not propagated yet
- Wait 5-30 minutes and retry
- Check with `dig` command
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
- SSL certificate still provisioning
- Wait up to 24 hours after DNS is configured
403 Forbidden
- The Cloud Run service doesn't allow public (unauthenticated) access
- Run:

  ```bash
  gcloud run services add-iam-policy-binding hrms-docs \
    --region=europe-west6 \
    --member="allUsers" \
    --role="roles/run.invoker"
  ```
Certificate Stuck in PROVISIONING
- Verify DNS A record is correct
- Ensure no CAA records are blocking Google
- Wait up to 24 hours
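
One way to run the CAA check from the list above, as an added example that is not part of the original guide: `caa_verdict` judges a CAA record set in `dig +short CAA` form, and `check_host` walks live DNS from the hostname up to the first record set it finds. The issuer name `pki.goog` is an assumption to confirm against Google's current documentation; the function names and the sample record are constructed for illustration.

```bash
#!/bin/sh
# Added example, not part of the original guide.
# Assumption: "pki.goog" is the CAA issuer name for Google-managed certificates.
CA_ID="pki.goog"

# caa_verdict ISSUER: reads CAA records on stdin in `dig +short CAA` form
# (flags tag "value") and prints none (no records), allowed (no "issue"
# record restricts issuance, or ISSUER is listed) or blocked.
caa_verdict() {
  awk -v ca="$1" '
    NF < 3 { next }
    {
      seen = 1
      val = $0
      sub(/^[ \t]*[0-9]+[ \t]+[^ \t]+[ \t]+/, "", val)  # keep only the value
      gsub(/"/, "", val)
      sub(/;.*$/, "", val)                               # drop parameters
      gsub(/[ \t]/, "", val)
      if (tolower($2) == "issue") { restricted = 1; if (tolower(val) == ca) ok = 1 }
    }
    END {
      if (!seen) print "none"
      else if (!restricted || ok) print "allowed"
      else print "blocked"
    }'
}

# check_host NAME: needs dig and network access. Walks from NAME towards the
# root and judges the first CAA record set found (the one RFC 8659 applies).
check_host() {
  caa_name="${1%.}"
  while [ -n "$caa_name" ]; do
    caa_rrset="$(dig +short CAA "$caa_name" | grep -E '^[0-9]+ ' || true)"
    if [ -n "$caa_rrset" ]; then
      echo "$1: $(printf '%s\n' "$caa_rrset" | caa_verdict "$CA_ID") (CAA at $caa_name)"
      return 0
    fi
    case "$caa_name" in *.*) caa_name="${caa_name#*.}" ;; *) caa_name="" ;; esac
  done
  echo "$1: none (no CAA records on the name or its parents)"
}

# Constructed sample: a zone that authorizes only another CA -> prints "blocked".
SAMPLE_RRSET='0 issue "letsencrypt.org"'
echo "sample: $(printf '%s\n' "$SAMPLE_RRSET" | caa_verdict "$CA_ID")"

# Usage: sh caa-check.sh docs.hrms.bluewoo.com
for caa_host in "$@"; do check_host "$caa_host"; done
```

A `blocked` verdict on the hostname or any parent zone means the CAA record set has to list the issuer before the certificate can leave PROVISIONING; `none` and `allowed` rule CAA out as the cause.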
Quick Reference
DNS Records for hrms-docs
| Type | Name | Value |
|---|---|---|
| A | docs.hrms | 34.8.128.20 |
Commands
```bash
# Check DNS
dig docs.hrms.bluewoo.com
# Check SSL status
gcloud compute ssl-certificates describe hrms-docs-cert --global
# Test site
curl -sI https://docs.hrms.bluewoo.com | head -5
```

Status: Verified and deployed to production