How to install a free SSL certificate on GCP load balancer (GCLB)
*Moeyo Mensuke (Osaka Fukushima)
Hello!
My name is Hide, the ramen king of Beyond Osaka Office.
This is my 7th post.
Last time, I wrote about monitoring specific strings on your server with CloudWatch Logs! It covers sending notifications with a useful tool called CloudWatch Logs, so if you're interested, please take a look!
● Monitor specific strings with CloudWatch Logs!
https://beyondjapan.com/blog/2022/07/cloudwatchlogs_word_monitoring/
About Google Managed SSL Certificates, which are free SSL certificates
A Google managed SSL certificate is a free SSL certificate that can be installed on Google Cloud Load Balancing (GCLB).
The types of GCLB on which it can be installed are as follows.
- Global external HTTP(S) load balancer
- Global external HTTP(S) load balancer (legacy)
- External SSL proxy load balancer
*Not supported for regional external HTTP(S) load balancers and internal HTTP(S) load balancers.
Also, GCP renews the certificate automatically, which is very convenient. Additionally, multiple domains can be specified in the subject alternative name of a single certificate.
Installation can be done from either the "console" or the "gcloud command". This time we will install it from the console, so if you want to install it using the gcloud command, please refer to the article below!
● Try setting a free SSL certificate on the GCP load balancer using the gcloud command
*Official document: Using Google managed SSL certificates
Installation procedure
*This explanation assumes that the compute instances and instance groups have already been built.
① Network Services > Load Balancing > Click [Create Load Balancer]
② Click [Start configuration] in the HTTP(S) load balancing column
③ Select the following and click [Continue]
④ Enter the name of the load balancer (LB)
⑤ Set the following
● Name: Please set an appropriate name
● Protocol: HTTPS (including HTTP/2)
● IP version: IPv4
● IP address: *Set a static external IP address using the following steps
● Port: 443
⑥ Click [Create IP address] in the IP address field.
⑦ Fill in the name and description and click [Reserve]
*If creation is successful, the following settings will be automatically set.
⑧ Register the created static external IP address in DNS
*The IP address is written in the black part of the image below.
⑨ Click Certificate > [Create new certificate]
⑩ Enter the following and click [Create]
● Name: Please enter a suitable name
● Creation mode: Create a Google managed certificate
● Domain: Please specify the domain registered in DNS
*After creation, it is complete when it is displayed as below.
⑪ Set the following
*If you want to set up redirection to https, please check [Enable redirection from HTTP to HTTPS].
⑫ Set up the backend
*If HTTPS communication is terminated at the LB, the front end handles the HTTPS communication, so please configure the back end to use HTTP communication.
⑬ Set the routing rule and click [Create]
⑭ Load Balancing > LB Name > Front End > Certificate > Click on certificate name
*Please perform this task after the LB update is complete.
⑮ Check whether the SSL certificate has been created
*If the status is ACTIVE, the SSL certificate can be used.
*To make it ACTIVE, you need to point the DNS of the specified domain to the LB.
*If the status is [PROVISIONING (certifying)] as shown below, the SSL certificate is in the process of being created.
*If multiple domains are included in the subject alternative name, HTTPS communication using this certificate will not be possible until all domains have been authenticated.
*It can take up to 24 hours to complete the authentication.
⑯ Operation confirmation
・test
・test2
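The status check in step ⑮, as an added example that is not part of the original article: this Python script reads the JSON shape printed by `gcloud compute ssl-certificates describe NAME --global --format=json` and reports which domains keep the certificate from becoming ACTIVE. The certificate name, domains and IP addresses are constructed placeholders, and the DNS answers are passed in as sample data so it runs offline.

```python
import socket

# Constructed sample in the shape of the describe output (placeholder values,
# not taken from the article). One domain is validated, one is not.
SAMPLE_CERT = {
    "name": "example-managed-cert",
    "type": "MANAGED",
    "managed": {
        "status": "PROVISIONING",
        "domains": ["test.example.com", "test2.example.com"],
        "domainStatus": {"test.example.com": "ACTIVE", "test2.example.com": "FAILED_NOT_VISIBLE"},
    },
}
# Constructed DNS answers: test2 still points somewhere other than the LB.
FAKE_DNS = {"test.example.com": ["203.0.113.10"], "test2.example.com": ["198.51.100.7"]}


def resolve_a(domain):
    """Live IPv4 lookup for real use; the sample run below uses FAKE_DNS instead."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(domain, 443, socket.AF_INET)})
    except socket.gaierror:
        return []


def blocking_domains(cert, lb_ip, resolver=resolve_a):
    """Return {domain: reason} for every listed domain that is not yet validated."""
    managed = cert.get("managed", {})
    statuses = managed.get("domainStatus", {})
    problems = {}
    for domain in managed.get("domains", []):
        addrs = resolver(domain)
        if lb_ip not in addrs:
            problems[domain] = f"DNS points to {addrs or 'nothing'}, not the LB address {lb_ip}"
        elif statuses.get(domain) != "ACTIVE":
            problems[domain] = f"DNS is correct, domain status is {statuses.get(domain, 'UNKNOWN')}"
    return problems


def certificate_usable(cert, lb_ip, resolver=resolve_a):
    """Usable only when the certificate and every domain in it are ACTIVE."""
    status = cert.get("managed", {}).get("status")
    return status == "ACTIVE" and not blocking_domains(cert, lb_ip, resolver)


if __name__ == "__main__":
    found = blocking_domains(SAMPLE_CERT, "203.0.113.10", lambda d: FAKE_DNS.get(d, []))
    for name, why in found.items():
        print(f"{name}: {why}")
```

For a real check, save the describe output to a file, load it with `json.load`, and pass the reserved static IP from step ⑦ as `lb_ip` with the default resolver.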
Summary
What do you think? I think it was very easy to issue and install an SSL certificate from the console, like AWS's ACM.
Managing SSL certificates is often very troublesome, so if you can meet the security requirements, please use Google Managed SSL Certificates, which can be created once and then automatically updated!
Also, next time I will write an article about setting up URL redirects with LB.