- Knowledge Base
- Google Cloud Platform
- GCP Cloud Load Balancing
- Use Google-Managed SSL Certificates for Application Load Balancers
Ensure that your external Application Load Balancers (ALBs) are configured to Google-managed SSL certificates instead of self-signed certificates in order to avoid triggering browser warnings and adding distrust for users visiting your site.
Security Google-managed SSL certificates offer several advantages over self-signed ones for external Application Load Balancers. They provide automatic renewal, eliminate the need for manual management, and are trusted by most modern browsers, ensuring better compatibility and security. Additionally, they offer built-in support for advanced features like HTTP/2 and QUIC, enhancing performance and user experience. Google-managed SSL certificates offer a more secure, automated, and user-friendly approach.
Audit
Case A: To determine if your external Application Load Balancers are using classic Google-managed SSL certificates, perform the following operations:
Using GCP Console
01 Sign in to the Google Cloud Management Console.
02 Select the GCP project that you want to examine from the console top navigation bar.
03 Navigate to Network Services console available at https://console.cloud.google.com/net-services/.
04 In the left navigation panel, choose Load balancing, and select the Load balancers tab to list all the load balancers created for the selected GCP project.
05 Click inside the Filter box, select Load balancer type and Application, choose Access type and External, and select Protocols and HTTPS, to list only the HTTPS-ready external Application Load Balancers (ALBs) available in your GCP project.
06 Click on the name (link) of the Application Load Balancer that you want to examine and select the Details tab to access the configuration information available for the selected ALB.
07 In the Frontend section, click on the name (link) of the SSL certificate configured for the target HTTPS proxy, listed in the Certificate column.
08 On the Certificate Details page, check the type of the SSL certificate used by your load balancer, listed under the certificate name. If the certificate type is self-signed (i.e., the GCP console displays Self-signed certificate for \<load-balancer-name\>), the selected Application Load Balancer (ALB) is not configured to use a Google-managed SSL certificate.
09 Repeat steps no. 6 - 8 for each external Application Load Balancer available in the selected GCP project.
10 Repeat steps no. 2 – 9 for each project deployed within your Google Cloud Platform (GCP) account.
Using GCP CLI
01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each GCP project available within your Google Cloud account:
gcloud projects list --format="table(projectId)"
02 The command output should return the requested GCP project identifier(s):
PROJECT_ID cc-web-app-project-112233 cc-bigdata-project-123123
03 Run compute url-maps list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom filtering to list the name of each load balancer provisioned for the selected project:
gcloud compute url-maps list --project cc-web-app-project-112233 --format="table(name)"
04 The command output should return the requested identification information:
NAME: tm-project5-load-balancer
05 Run compute target-https-proxies list command (Windows/macOS/Linux) to list all the Google Compute Engine target HTTPS proxies available within the selected GCP project in order to identify the target HTTPS proxy used by your load balancer and the classic SSL certificate configured for the associated HTTPS proxy:
gcloud compute target-https-proxies list --project cc-web-app-project-112233 --global --format="table(name,urlMap,sslCertificates)"
06 The command output should return the requested configuration information:
NAME: tm-project5-load-balancer-target-proxy URL_MAP: tm-project5-load-balancer SSL_CERTIFICATES: tm-alb-classic-certificate
07 Run certificate-manager certificates describe command (Windows/macOS/Linux) to display all the information associated with the specified SSL certificate:
gcloud certificate-manager certificates describe tm-alb-classic-certificate --project cc-web-app-project-112233
08 The command output should return the requested configuration information:
ERROR: (gcloud.certificate-manager.certificates.describe) NOT_FOUND: Resource 'projects/cc-web-app-project-112233/locations/global/certificates/tm-alb-classic-certificate' was not found - '@type': type.googleapis.com/google.rpc.ResourceInfo resourceName: projects/cc-web-app-project-112233/locations/global/certificates/tm-alb-classic-certificate
If the certificate-manager certificates describe command output returns a 404 (not found) error message, as the one shown in the output example above, the certificate configured for your target HTTPS proxy is self-signed, therefore, the selected Application Load Balancer (ALB) is not configured to use a Google-managed SSL certificate.
09 Repeat steps no. 5 - 8 for each external Application Load Balancer available in the selected GCP project.
10 Repeat steps no. 3 – 9 for each project deployed within your Google Cloud Platform (GCP) account.
Case B: To determine if your external Application Load Balancers are using Google-managed SSL certificates (via certificate maps), perform the following operations:
Using GCP Console
01 Sign in to the Google Cloud Management Console.
02 Select the GCP project that you want to examine from the console top navigation bar.
03 Navigate to Network Services console available at https://console.cloud.google.com/net-services/.
04 In the left navigation panel, choose Load balancing, and select the Load balancers tab to list all the load balancers created for the selected GCP project.
05 Click inside the Filter box, select Load balancer type and Application, choose Access type and External, and select Protocols and HTTPS, to list only the HTTPS-ready external Application Load Balancers (ALBs) available in your GCP project.
06 Click on the name (link) of the Application Load Balancer that you want to examine and select the Details tab to access the configuration information available for the selected ALB.
07 In the Frontend section, click on the name (link) of the certificate map configured for the target HTTPS proxy, listed in the Certificate Map column. A certificate map is a resource that acts as a routing table, associating one or more certificates with specific hostnames.
08 On the Certificate Map Details page, click on the name (link) of the SSL certificate configured for the associated certificate map, listed in the Associated certificates column.
09 On the Certificate Details page, check the type of the SSL certificate used by your load balancer, listed next to Certificate type. If the certificate type is self-signed (i.e., the Certificate type is set to Self-managed), the selected Application Load Balancer (ALB) is not configured to use a Google-managed SSL certificate.
10 Repeat steps no. 6 - 9 for each external Application Load Balancer available in the selected GCP project.
11 Repeat steps no. 2 – 10 for each project deployed within your Google Cloud Platform (GCP) account.
Using GCP CLI
01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each GCP project available within your Google Cloud account:
gcloud projects list --format="table(projectId)"
02 The command output should return the requested GCP project identifier(s):
PROJECT_ID cc-web-app-project-112233 cc-bigdata-project-123123
03 Run compute url-maps list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom filtering to list the name of each load balancer provisioned for the selected project:
gcloud compute url-maps list --project cc-web-app-project-112233 --format="table(name)"
04 The command output should return the requested identification information:
NAME: tm-project5-load-balancer
05 Run compute target-https-proxies list command (Windows/macOS/Linux) to list all the Google Compute Engine target HTTPS proxies available within the selected GCP project in order to identify the target HTTPS proxy used by your load balancer and the certificate map configured for the associated HTTPS proxy. A certificate map is a resource that acts as a routing table, associating one or more certificates with specific hostnames:
gcloud compute target-https-proxies list --project cc-web-app-project-112233 --global --format="table(name,urlMap,certificateMap)"
06 The command output should return the requested configuration information:
NAME: tm-project5-load-balancer-target-proxy URL_MAP: tm-project5-load-balancer CERTIFICATE_MAP: tm-alb-certificate-map
07 Run certificate-manager maps entries list command (Windows/macOS/Linux) to list all the SSL certificates created for the certificate map associated with your load balancer:
gcloud certificate-manager maps entries list --map=tm-alb-certificate-map --format="value(certificates)"
08 The command output should return the name(s) of the associated SSL certificate(s):
tm-alb-ssl-certificate
If the certificate-manager certificates describe command output returns a 404 (not found) error message, as the one shown in the output example above, the certificate configured for your target HTTPS proxy is self-signed, therefore, the selected Application Load Balancer (ALB) is not configured to use a Google-managed SSL certificate.
09 Run certificate-manager certificates describe command (Windows/macOS/Linux) to determine if the specified SSL certificate is self-signed or Google-managed:
gcloud certificate-manager certificates describe tm-alb-ssl-certificate --format="yaml(selfManaged)"
10 The command output should return the requested configuration information:
selfManaged: {}
If the selfManaged attribute value is set to {}, as shown in the output example above, the certificate configured for your target HTTPS proxy is self-signed, therefore, the selected Application Load Balancer (ALB) is not configured to use a Google-managed SSL certificate.
11 Repeat steps no. 5 - 10 for each external Application Load Balancer available in the selected GCP project.
12 Repeat steps no. 3 – 11 for each project deployed within your Google Cloud Platform (GCP) account.
Remediation / Resolution
Case A: To apply classic Google-managed SSL certificates to your external Application Load Balancers (ALBs), perform the following operations:
Using GCP Console
01 Sign in to the Google Cloud Management Console.
02 Select the GCP project that you want to examine from the console top navigation bar.
03 Navigate to Network Services console available at https://console.cloud.google.com/net-services/.
04 In the left navigation panel, choose Load balancing, and select the Load balancers tab to list all the load balancers created for the selected GCP project.
05 Click inside the Filter box, select Load balancer type and Application, choose Access type and External, and select Protocols and HTTPS, to list only the HTTPS-ready external Application Load Balancers (ALBs) available in your GCP project.
06 Choose the Application Load Balancer that you want to configure, click on the Actions button (i.e., 3-dot icon), and select Edit.
07 Choose Frontend configuration, select the frontend configuration defined for your load balancer, click inside the Certificate box, and choose Create a new certificate to deploy a new Google-managed SSL certificate.
08 On the Create a Certificate setup panel, enter a unique name and a short description for the new certificate, select Create Google-managed certificate under Create mode, provide your domain name under Domains, and choose Create to create your new Google-managed SSL certificate.
09 Select the new SSL certificate, choose OK, and select Done to save the frontend configuration changes.
10 Choose Update to apply the changes and assign the new Google-managed SSL certificate to the selected Application Load Balancer (ALB).
11 Repeat steps no. 6 - 10 for each external Application Load Balancer that you want to configure, available in the selected GCP project.
12 Repeat steps no. 2 – 11 for each project deployed within your Google Cloud Platform (GCP) account.
Using GCP CLI
01 To create a new classic Google-managed SSL certificate for your external Application Load Balancer (ALB), run compute ssl-certificates create command (Windows/macOS/Linux) with the --global parameter:
gcloud compute ssl-certificates create tm-classic-managed-certificate --global --description="Google-managed SSL certificate for external Application Load Balancer" --domains="domain.com"
02 The command output should return the URL of the new Google-managed SSL certificate:
Created [https://www.googleapis.com/compute/v1/projects/cc-web-app-project-112233/global/sslCertificates/tm-classic-managed-certificate].
03 Once the SSL certificate is active, run compute target-https-proxies update command (Windows/macOS/Linux) to associate the new classic Google-managed SSL certificate with the target HTTPS proxy configured for your Application Load Balancer (ALB):
gcloud compute target-https-proxies update tm-project5-load-balancer-target-proxy --ssl-certificates tm-classic-managed-certificate --global-ssl-certificates --global
04 The command output should return the URL of the updated HTTPS proxy:
Created [https://www.googleapis.com/compute/v1/projects/cc-web-app-project-112233/global/targetHttpsProxies/tm-project5-load-balancer-target-proxy].
05 Repeat steps no. 1 - 4 for each external Application Load Balancer that you want to configure, available in the selected GCP project.
06 Repeat steps no. 1 – 5 for each project deployed within your Google Cloud Platform (GCP) account.
Case B: To apply Google-managed SSL certificates to your external Application Load Balancers (ALBs) via certificate maps, perform the following operations:
Configuring Google-managed SSL certificates for external Application Load Balancers via certificate maps is not currently supported using Google Cloud console.Using GCP CLI
01 To create a new Google-managed SSL certificate for your external Application Load Balancer (ALB), run the certificate-manager certificates create command (Windows/macOS/Linux):
gcloud certificate-manager certificates create tm-managed-ssl-certificate --domains="domain.com"
02 The command output should return the deployment status of the new Google-managed SSL certificate:
Create request issued for: [tm-managed-ssl-certificate] Waiting for operation [projects/cc-web-app-project-112233/locations/global/operations/operation-abcd1234abcd-abcd1234abcd-abcd1234-abcd1234] to complete...done. Created certificate [tm-managed-ssl-certificate].
03 To create a new entry for the certificate map associated with your external Application Load Balancer (ALB), run certificate-manager maps entries create command (Windows/macOS/Linux), as shown in the example below. For the --certificates parameter, specify the name of the managed SSL certificate created in the previous steps:
gcloud certificate-manager maps entries create tm-alb-certificate-map --map="tm-alb-certificate-map" --certificates="tm-managed-ssl-certificate" --hostname="domain.com"
04 The command output should return the deployment status of the new certificate map entry:
Waiting for 'operation-abcd1234abcd-abcd1234abcd-abcd1234-abcd1234' to complete... done. Created certificate map entry [tm-alb-certificate-map].
05 Run certificate-manager maps entries delete command (Windows/macOS/Linux) to remove the certificate map entry created for the self-signed SSL certificate:
gcloud certificate-manager maps entries delete tm-self-signed-cert-entry --map="tm-alb-certificate-map"
06 Type Y and press Enter for removal confirmation:
You are about to delete certificate map entry 'tm-self-signed-cert-entry' from certificate map 'tm-alb-certificate-map' Do you want to continue (Y/n)? Y Waiting for 'operation-abcd1234abcd-abcd1234abcd-abcd1234-abcd1234' to complete... done. Deleted map entry [tm-self-signed-cert-entry].
07 Repeat steps no. 1 - 6 for each external Application Load Balancer that you want to configure, available in the selected GCP project.
08 Repeat steps no. 1 – 7 for each project deployed within your Google Cloud Platform (GCP) account.
References
- Google Cloud Platform (GCP) Documentation
- SSL certificates overview
- Use Google-managed SSL certificates
- Encryption from the load balancer to the backends
- External Application Load Balancer overview
- Request routing to a multi-region classic Application Load Balancer
- Set up a classic Application Load Balancer with a managed instance group backend
- Manage certificate maps
- GCP Command Line Interface (CLI) Documentation
- gcloud projects list
- gcloud compute url-maps list
- gcloud compute target-https-proxies list
- gcloud certificate-manager certificates describe
- gcloud compute ssl-certificates create
- gcloud compute target-https-proxies update
- gcloud certificate-manager maps entries list
- gcloud certificate-manager certificates create
- gcloud certificate-manager maps entries create
- gcloud certificate-manager maps entries delete