Domain names, certificates, and resolution: hands-on with GCP Cloud DNS and free Google-managed SSL certificates

cloud 2026-05-30 Views 19

Most people who have bought a domain name and put up a website have been tormented at some point by DNS records, SSL certificates and HTTPS handshake errors.

The traditional way of building a site goes like this: you buy the domain from registrar A, host its DNS at provider B, and apply at provider C for a free 90-day SSL certificate. Every three months you have to renew that certificate by hand. Forget it once and visitors are greeted by a blood-red security warning, "Your connection is not private", and the site's traffic collapses on the spot.

In the Google Cloud (GCP) ecosystem there is an elegant answer to this: use Cloud DNS for domain name resolution together with Google-managed SSL certificates.

No theory and no reciting of the official documentation today. This walkthrough configures the whole chain end to end, giving you DNS changes that take effect worldwide within seconds, automatic certificate issuance, and permanently free, automatic renewal: the gold-standard foundation for a web presence.

Stage 1: A close look at the unwritten rules of DNS resolution and SSL certificates

Before you touch the console, build a clear mental model of how domain name, resolution and certificate relate to each other; otherwise the configuration steps later will leave you dizzy.

A web request goes through two phases:

Path-finding phase (DNS resolution): the user types www.yourcompany.com into the browser. The computer cannot do anything with the letters themselves, so it asks (through its resolver) the authoritative Cloud DNS servers: "Which server IP belongs to this domain name?" DNS looks it up in its ledger and returns an IP (for example 34.x.x.x). With that IP, the computer has found the server's front door.

Identity-verification phase (SSL certificate): having found the door, the computer does not dare hand passwords and credit card numbers straight to whoever answers. The server presents an SSL certificate to prove "I really am yourcompany, not an impostor". Once both sides agree, they bring up an HTTPS-encrypted tunnel that protects the data in transit.

In the past these two phases were handled by separate parties. The trick we use today is to let the Google Cloud Load Balancer talk directly to Google's Certificate Authority (CA), so that the two steps are welded together automatically on your behalf.

Stage 2: Hands-on part 1: hand domain resolution over to GCP Cloud DNS

Whether you bought the domain at GoDaddy, Namecheap or Aliyun, to get the seconds-level propagation of Google's global backbone we delegate resolution to Google.

1. Create a DNS zone in GCP (Managed Zone)

Log in to the GCP console and, from the menu in the upper left, navigate to Network Services -> Cloud DNS.

Click "Create Zone" at the top.

Parameters: Zone type: select "Public". Zone name: a name you will recognise (for example my-company-zone). DNS name: exactly the apex domain you bought (for example yourcompany.com, without www).

Click Create.

2. Hand over the baton at the registrar (the NS records)

After the zone is created, GCP places an NS record in its record list by default. It contains four Google name server addresses (for example ns-cloud-a1.googledomains.com. through ns-cloud-a4.googledomains.com.).

Copy these four addresses.

Log in to the control panel of the registrar where you bought the domain and find "Custom DNS servers (Custom Nameservers)" or "Modify DNS".

Delete the name servers the registrar gave you, paste in the four addresses from Google, and save.

A note from large-scale operations: this step is called "delegating resolution". From now on, whenever a user anywhere in the world queries your domain, the query goes straight to Google's DNS edge nodes, and record changes take effect in seconds instead of hours. The NS change itself still has to age out of the old name servers' TTL, so allow some time before everyone sees the delegation.

Stage 3: Hands-on part 2: a one-click request for a free Google-managed SSL certificate

With resolution in place, we request the SSL certificate that lights up the green padlock. In large-scale architecture practice we never install the certificate directly on a VM; it is mounted centrally on the front-end load balancer (Load Balancer).

Go to the load-balancing section of the console and configure the front door of an external HTTP(S) load balancer:

Open the Load Balancing page and create or edit your external Application Load Balancer.

Switch to the Frontend Configuration tab.

Protocol: select HTTPS without hesitation (note: only an HTTPS front end can carry a certificate).

IP address: use a static external IP that you reserved in advance.

Certificate: open the drop-down and select "Create a new certificate".

Core parameters: Name: google-managed-ssl-cert. Create mode: select "Create Google-managed certificate". Domains: the names to bind to the certificate; to cover both the apex and the www host, add them one per line, yourcompany.com on the first line and www.yourcompany.com on the second.

Click Create and save the frontend configuration.

Stage 4: Bringing it together: the A record and the certificate "activation"

At this point the load balancer exists and has been assigned a global static IP (say 35.201.x.x), and the certificate request has been submitted. But when you look at the certificate, its status shows the painful PROVISIONING (being configured / awaiting validation).

The reason is that before Google's Certificate Authority (CA) issues the certificate, it performs an ownership challenge validation: it checks on the public internet whether www.yourcompany.com currently points to the Google Cloud IP. If it does not, the CA refuses to issue.

So we go straight back to the Cloud DNS zone from stage 2 and close the routing path:

Back in Cloud DNS, open the zone you created earlier.

Click "Add standard record set", once for each name on the certificate: DNS name: leave it blank for the apex domain, or enter www for the www host. Resource record type: A. IPv4 address: the global static IP (35.201.x.x) the load balancer just received.

Click Create.

The anxious wait for the green light

As soon as the record exists in Cloud DNS, the CA's validation nodes around the world pick it up.

Because the whole chain stays inside Google's own network, validation is fast. Wait about 10 to 20 minutes, refresh the load balancer's frontend page, and the certificate status changes from yellow PROVISIONING to green ACTIVE.

Type https://www.yourcompany.com into the browser: the page opens in seconds and the padlock appears on the left of the address bar. In the certificate details, the issuer clearly reads Google Trust Services.
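The console steps of stages 2 to 4 as a gcloud script (an added example, not code from the original post). All names (zone, domain, reserved IP, certificate) are placeholders set through environment variables; the script assumes the load balancer's backend, URL map, target HTTPS proxy and forwarding rule are built as in stage 3 and reference the same certificate and IP, because the CA only turns the certificate ACTIVE once traffic to that IP reaches the proxy carrying it.

```shell
#!/usr/bin/env bash
# Added example, not from the post: stages 2-4 as gcloud commands. Names are placeholders (override via env).
set -eu

ZONE="${ZONE:-my-company-zone}"
DOMAIN="${DOMAIN:-yourcompany.com}"
LB_IP_NAME="${LB_IP_NAME:-lb-static-ip}"
CERT_NAME="${CERT_NAME:-google-managed-ssl-cert}"

# Refuse inputs a Google-managed certificate cannot take: wildcard names, or more than 100 names.
validate_cert_domains() {
  count=0
  for d in "$@"; do
    case "$d" in
      \*.*) echo "wildcard not supported by Google-managed certificates: $d" >&2; return 1 ;;
    esac
    count=$((count + 1))
  done
  [ "$count" -le 100 ] || { echo "too many domains for one certificate: $count > 100" >&2; return 1; }
}

# Stage 2: public managed zone. The printed name servers go into the registrar's NS settings.
create_zone() {
  gcloud dns managed-zones create "$ZONE" --dns-name="${DOMAIN}." --visibility=public --description="zone for ${DOMAIN}"
  gcloud dns managed-zones describe "$ZONE" --format="value(nameServers)"
}

# Stage 3: reserve the global static IP for the HTTPS front end, then request the certificate.
create_cert() {
  validate_cert_domains "$DOMAIN" "www.${DOMAIN}"
  gcloud compute addresses create "$LB_IP_NAME" --global --ip-version=IPV4
  gcloud compute ssl-certificates create "$CERT_NAME" --global \
    --domains="${DOMAIN},www.${DOMAIN}"
}

# Stage 4: A records for apex and www pointing at that IP, then poll until the CA marks it ACTIVE.
create_a_records_and_wait() {
  ip=$(gcloud compute addresses describe "$LB_IP_NAME" --global --format="value(address)")
  gcloud dns record-sets create "${DOMAIN}." --zone="$ZONE" --type=A --ttl=300 --rrdatas="$ip"
  gcloud dns record-sets create "www.${DOMAIN}." --zone="$ZONE" --type=A --ttl=300 --rrdatas="$ip"
  until [ "$(gcloud compute ssl-certificates describe "$CERT_NAME" --global \
              --format='value(managed.status)')" = "ACTIVE" ]; do
    echo "certificate still PROVISIONING, waiting..."; sleep 60
  done
}

# The gcloud calls run only when invoked as "./setup.sh apply"; sourcing the file just loads the helpers.
if [ "${1:-}" = "apply" ]; then
  create_zone; create_cert; create_a_records_and_wait
fi
```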

Stage 5: Pitfalls (and the tears behind them) in an enterprise setup

Once this is configured you can be completely hands-off, because Google manages the certificate: 30 days before expiry it renews automatically in the background, using the same validation path, without you noticing. As long as the load balancer and the Cloud DNS records are not deleted, the certificate effectively never expires.

In a real enterprise production environment, however, the operations architect usually adds two more hardening configurations before calling the job done:

1. Force a global HTTP-to-HTTPS redirect (don't let users take the wrong road)

Even though you have HTTPS, careless users and old links will still reach your site over http://yourcompany.com (without the s). If this is not handled, the user either sees an insecure plaintext page or an error straight from the load balancer.

Standard practice: in the GCP load balancer configuration, create a separate front end that listens only on HTTP port 80, enable "advanced host, path and redirect rules" in the routing rules, and configure a "301 permanent redirect to HTTPS". Any traffic that takes the wrong road is immediately forced back onto the encrypted track.
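The same port-80 redirect front end expressed with gcloud (an added example, not code from the original post). The resource names are placeholders, and the script assumes the HTTPS front end already uses the reserved global IP named in LB_IP_NAME, so both port 80 and port 443 answer on the same address.

```shell
#!/usr/bin/env bash
# Added example, not from the post: the port-80 redirect front end as gcloud commands.
# Assumes the HTTPS forwarding rule already uses the reserved global IP named in LB_IP_NAME.
set -eu
LB_IP_NAME="${LB_IP_NAME:-lb-static-ip}"

# URL map with no backend at all: every request it receives is answered with a 301 to the https:// URL.
render_redirect_urlmap() {
  cat <<EOF
kind: compute#urlMap
name: $1
defaultUrlRedirect:
  redirectResponseCode: MOVED_PERMANENTLY_DEFAULT
  httpsRedirect: true
EOF
}

create_http_redirect_frontend() {
  tmp=$(mktemp)
  render_redirect_urlmap http-redirect-map > "$tmp"
  gcloud compute url-maps import http-redirect-map --global --source="$tmp"
  rm -f "$tmp"
  gcloud compute target-http-proxies create http-redirect-proxy --global --url-map=http-redirect-map
  # Same IP as the HTTPS rule, but port 80: this is the separate HTTP front end described above.
  gcloud compute forwarding-rules create http-redirect-rule --global \
    --address="$LB_IP_NAME" --ports=80 --target-http-proxy=http-redirect-proxy
}

# The gcloud calls run only when invoked as "./redirect.sh apply".
if [ "${1:-}" = "apply" ]; then create_http_redirect_frontend; fi
```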

2. Beware of the wildcard certificate pit

Google-managed certificates have one small limitation: they currently do not support wildcard domains (such as *.yourcompany.com). This applies to the managed certificates attached directly to the load balancer front end as described above.

That means if your business grows and you later open 50 different subdomains (blog., shop., mail., api. and so on), you cannot cover them all with a single certificate.

Workaround: a single Google-managed certificate can bind up to 100 domain names, so you can list all 50 subdomains explicitly in the same certificate. Or, if that is too much hassle, obtain a wildcard certificate elsewhere (for example with Let's Encrypt) and upload it to the front end as a custom certificate, but then you have to script its renewal yourself. For the vast majority of companies, the 100 slots on a Google-managed certificate are more than enough.

Summary

The essence of building a site on GCP Cloud DNS and Google-managed certificates comes down to one line: keep resolution in a closed loop and let Google hold the certificate. With very low DNS fees, completely free certificates, and Google's distributed edge nodes for the global load balancer, a single afternoon is enough to say goodbye to the anxiety of manually renewing certificates every quarter. Whether you face a strict compliance audit or a flood of concurrent users, you can sit back in front of the screen, steady as Mount Tai.
