Ensure that your external Application Load Balancers (ALBs) are configured to use Google-managed SSL certificates instead of self-signed certificates, so that users visiting your site do not see browser warnings that erode their trust.
Google-managed SSL certificates offer several advantages over self-signed ones for external Application Load Balancers. They provide automatic renewal, eliminate the need for manual management, and are trusted by most modern browsers, ensuring better compatibility and security. Additionally, they offer built-in support for advanced features like HTTP/2 and QUIC, enhancing performance and user experience. Overall, Google-managed SSL certificates offer a more secure, automated, and user-friendly approach.
Audit
Case A: To determine if your external Application Load Balancers are using classic Google-managed SSL certificates, perform the following operations:
Case B: To determine if your external Application Load Balancers are using Google-managed SSL certificates (via certificate maps), perform the following operations:
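The audit decision for Case A can be scripted over the JSON printed by gcloud compute target-https-proxies list --format=json and gcloud compute ssl-certificates list --format=json. The following is an added example, not code from the original page: it classifies each target HTTPS proxy by the `type` of its classic certificates and flags proxies that use a certificate map for the separate Case B check. The project, proxy and certificate names are constructed sample data, and `SELF_MANAGED` means a user-uploaded certificate, which includes self-signed ones.

```python
import json

# Constructed sample data, shaped like the JSON printed by
#   gcloud compute target-https-proxies list --format=json
#   gcloud compute ssl-certificates list --format=json
# Project, proxy and certificate names are made up for illustration.
PROXIES_JSON = """[
  {"name": "web-proxy", "sslCertificates": [
     "https://www.googleapis.com/compute/v1/projects/demo/global/sslCertificates/managed-cert"]},
  {"name": "legacy-proxy", "sslCertificates": [
     "https://www.googleapis.com/compute/v1/projects/demo/global/sslCertificates/managed-cert",
     "https://www.googleapis.com/compute/v1/projects/demo/global/sslCertificates/uploaded-cert"]},
  {"name": "map-proxy",
   "certificateMap": "//certificatemanager.googleapis.com/projects/demo/locations/global/certificateMaps/demo-map"}
]"""
CERTS_JSON = """[
  {"name": "managed-cert", "type": "MANAGED"},
  {"name": "uploaded-cert", "type": "SELF_MANAGED"}
]"""


def audit_proxies(proxies, certs):
    """Return {proxy name: (status, detail)} for each target HTTPS proxy."""
    cert_type = {c["name"]: c.get("type", "UNKNOWN") for c in certs}
    report = {}
    for proxy in proxies:
        if proxy.get("certificateMap"):
            # Case B: a certificate map takes precedence over sslCertificates,
            # so its entries must be checked with the certificate-manager commands.
            report[proxy["name"]] = ("CHECK_CERTIFICATE_MAP", proxy["certificateMap"].rsplit("/", 1)[-1])
            continue
        # Case A: classic certificates are referenced by URL; the last path
        # segment is the certificate name.
        names = [url.rsplit("/", 1)[-1] for url in proxy.get("sslCertificates", [])]
        bad = sorted(n for n in names if cert_type.get(n, "UNKNOWN") != "MANAGED")
        if not names:
            report[proxy["name"]] = ("NO_CERTIFICATE", "")
        elif bad:
            report[proxy["name"]] = ("NOT_GOOGLE_MANAGED", ",".join(bad))
        else:
            report[proxy["name"]] = ("GOOGLE_MANAGED", ",".join(names))
    return report


if __name__ == "__main__":
    for name, (status, detail) in audit_proxies(json.loads(PROXIES_JSON), json.loads(CERTS_JSON)).items():
        print(f"{name}: {status} {detail}")
```

A proxy is reported as NOT_GOOGLE_MANAGED as soon as one attached certificate is not of type MANAGED, including a certificate name that is missing from the certificate listing.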
Remediation / Resolution
Case A: To apply classic Google-managed SSL certificates to your external Application Load Balancers (ALBs), perform the following operations:
Case B: To apply Google-managed SSL certificates to your external Application Load Balancers (ALBs) via certificate maps, perform the following operations:
Configuring Google-managed SSL certificates for external Application Load Balancers via certificate maps is not currently supported using the Google Cloud console.
References
- Google Cloud Platform (GCP) Documentation
  - SSL certificates overview
  - Use Google-managed SSL certificates
  - Encryption from the load balancer to the backends
  - External Application Load Balancer overview
  - Request routing to a multi-region classic Application Load Balancer
  - Set up a classic Application Load Balancer with a managed instance group backend
  - Manage certificate maps
- GCP Command Line Interface (CLI) Documentation
  - gcloud projects list
  - gcloud compute url-maps list
  - gcloud compute target-https-proxies list
  - gcloud certificate-manager certificates describe
  - gcloud compute ssl-certificates create
  - gcloud compute target-https-proxies update
  - gcloud certificate-manager maps entries list
  - gcloud certificate-manager certificates create
  - gcloud certificate-manager maps entries create
  - gcloud certificate-manager maps entries delete