Built for Google Cloud agencies — 14-day free trial

Google-managed certs sit in PROVISIONING state forever when DNS hasn't propagated to the LB's anycast IP.
gcloud describe misleadingly shows ACTIVE before it fully provisions. Your client's LB serves a Google default cert.

Google Cloud agencies running HTTPS Load Balancer with Google-managed SSL, Cloud Run with direct custom-domain mapping, and multi-tier LB + backend mTLS deployments deal with Google-managed certs that hang in PROVISIONING state when DNS hasn't propagated to the LB's anycast IP, Cloud Run domain mappings that silently fail renewal when only A (not AAAA) is present, and frontend-vs-backend cert lifecycle splits where the backend mTLS cert expires and causes 502s. Merlonix monitors every GCP-attached subdomain so the silent cert provisioning hangs and renewal failures surface before clients see broken sites.

Start free for 14 days How it works

No credit card for the trial. Cancel any time.

Check cadence (Agency): 5 min
SSL pre-expiry alert: 30 days
Independent DNS resolvers: 3
Vendors watched: 11

Where GCP agencies get caught out

Three failure modes specific to Google Cloud deployments with Google-managed HTTPS Load Balancer certs, Cloud Run custom-domain mappings, and HTTPS LB + backend mTLS for compliance.

GCP agencies deal with Google-managed certs that hang in PROVISIONING state when DNS hasn't propagated globally to the LB's anycast IP (gcloud describe misleadingly shows ACTIVE before it fully provisions per-region), Cloud Run custom domain mappings that silently fail renewal validation when the AAAA record is missing (the cert serves from cache until the 90-day expiry, then fails dramatically), and frontend-vs-backend mTLS cert lifecycle splits where the visible Google-managed frontend cert auto-renews but the self-managed backend cert expires and causes 502 Bad Gateway failures because GKE pods fail mTLS health checks and the LB removes them from rotation.

Google-managed SSL certificates for the HTTPS Load Balancer require global DNS propagation pointing at the LB's anycast IP BEFORE provisioning completes. Agencies provision the cert resource via Terraform or gcloud, attach it to the LB, and assume it'll issue — but the cert needs ongoing global DNS validation. If the agency provisions the cert before DNS cutover (or DNS hasn't propagated to all of Google's validation regions yet), the cert sits in PROVISIONING state. The LB falls back to a Google default cert with browser cert-mismatch warnings. Agencies don't notice for hours because gcloud describe output shows the cert as ACTIVE before it fully provisions across regions

A GCP agency provisions a new client product with a global HTTPS Load Balancer at api.client.com. Terraform creates the cert resource (google_compute_managed_ssl_certificate) and attaches it to the LB's HTTPS target proxy in the same apply. The agency engineer reads the gcloud describe output, sees status: ACTIVE on the cert resource, and assumes the cert is issued. But the cert resource shows ACTIVE before it has fully provisioned — the per-region status is FAILED_NOT_VISIBLE or PROVISIONING for hours. The LB serves a Google default cert. Browsers throw cert-mismatch warnings on the first request

A GCP agency builds a client B2B SaaS with a global HTTPS Load Balancer at api.client.com pointing at a Cloud Run service in us-central1. The Terraform module creates the LB, the URL map, the HTTPS target proxy, the global forwarding rule, AND a google_compute_managed_ssl_certificate resource. The agency runs terraform apply, the cert resource appears in the project. gcloud compute ssl-certificates describe api-client-cert --format="get(managed.status)" returns ACTIVE. The agency engineer confirms with their lead, marks the launch as ready, and the client begins routing production traffic. Browser requests to api.client.com return a Google default cert (the LB's certificate-binding hash, which doesn't match api.client.com). NET::ERR_CERT_COMMON_NAME_INVALID warnings appear. The agency engineer assumes a DNS propagation issue and waits — but the actual problem is that the Google-managed cert needs ongoing global DNS validation across multiple regions, and the agency provisioned the cert before DNS had propagated to all regions. The cert sits in PROVISIONING state from the per-region perspective even though the resource-level status shows ACTIVE. Discovery requires gcloud compute ssl-certificates describe --format=json and inspecting the managed.domainStatus map — most agencies don't look there. The fix is waiting for DNS propagation to complete, which can take hours; the LB serves the wrong cert the entire time.

Cloud Run custom domain mappings require BOTH an A record AND an AAAA record on the apex (or CNAMEs on subdomains). Most agencies set up the A record from the gcloud output but skip the AAAA record because "IPv6 isn't important." Browsers that resolve AAAA first (modern Chrome/Firefox on dual-stack networks) hit a no-route response, fall back to A, succeed — but Cloud Run's cert renewal validates against BOTH records and silently fails when only one is present. The cert continues to serve from cache until the 90-day expiry, then fails dramatically

A GCP agency maps a custom domain app.client.com directly to a Cloud Run service via gcloud run domain-mappings create. The gcloud output displays both an A record value and an AAAA record value that need to be set in DNS. The agency engineer adds the A record at the client's DNS provider but skips the AAAA record because the engineer assumed IPv6 isn't important for the client's users. The initial cert provisioning succeeds because Cloud Run accepts the partial DNS configuration. 90 days later, the cert renewal validation runs, queries for the AAAA record, finds nothing, and silently fails

A GCP agency operates a client marketing site at app.client.com deployed as a Cloud Run service with a direct custom-domain mapping (not fronted by an HTTPS Load Balancer). The gcloud run domain-mappings create app.client.com --service=marketing-app --region=us-central1 command outputs four DNS records to add: an A record pointing at a Cloud Run IPv4, an AAAA record pointing at a Cloud Run IPv6, and one additional CNAME for cert validation. The agency engineer adds the A record and the CNAME at the client's DNS provider but skips the AAAA record because the project plan doesn't mention IPv6 traffic. The cert is issued because Cloud Run accepts partial DNS configurations at provisioning time; the mapping enters READY state. The site works for browsers that resolve A first (older systems, IPv4-only networks). Modern Chrome and Firefox on dual-stack home/office networks resolve AAAA first, hit a no-route response, fall back to A, and succeed — the user experiences a slight latency hit on first request but the site works. 90 days later, Cloud Run's cert renewal validation runs. The renewal flow checks BOTH the A record AND the AAAA record (because both were configured at mapping-creation time). The AAAA record query returns NXDOMAIN; the validation step fails. Cloud Run logs the failure to Cloud Logging but doesn't generate an alert (cert provisioning failures don't default-route to ops paging). The cert continues to serve from cache for the remaining ~30 days of validity. Then the cert expires. The site starts serving an expired cert. Browsers throw cert errors. The agency engineer doesn't know what changed (the configuration hasn't been touched in 5 months); tracing the failure to the missing AAAA record requires gcloud run domain-mappings describe app.client.com --format=json and inspecting the spec.certificateMode and status.conditions fields.

GCP HTTPS Load Balancer with backend mTLS for compliance (PCI, HIPAA, financial APIs) means the frontend cert and the backend cert have independent lifecycles. The frontend cert is auto-renewed by Google; the backend cert is provisioned manually because mTLS requires a specific cert chain that the agency owns. Agencies focus on the frontend cert (most visible — Cloud Console highlights it) and forget the backend cert. The LB shows healthy; backend services start failing health checks once the backend cert expires; LB removes them from rotation; suddenly 502s appear for users

A GCP agency builds a client payment platform with an HTTPS Load Balancer at api.client.com routing to GKE backends that require mTLS for PCI compliance. The frontend cert (terminating user TLS at the LB) is a Google-managed cert that auto-renews. The backend cert (used for mTLS between the LB and the GKE Service) is a self-managed cert provisioned manually because the PCI rules require a specific CA. The agency engineer renews the frontend cert when Cloud Monitoring fires an expiry alert at month 11 but forgets the backend cert — there's no Cloud Monitoring alert for self-managed certs by default. The backend cert expires; GKE health checks fail; LB removes the backend; 502s appear

A GCP agency builds a client payment platform on GCP with a regional HTTPS Load Balancer at api.client.com in us-central1, routing to a GKE-hosted backend service. The backend service is a payment-processing API that requires mutual TLS between the LB and the Service for PCI compliance — the LB authenticates itself to the GKE backend using a client cert (the backend cert from the LB's perspective). The frontend cert (the LB's public-facing cert for api.client.com) is a Google-managed certificate that auto-renews. The backend cert is a self-managed cert issued by the client's private CA (as required by PCI rules for compliance audits). Both certs are provisioned at launch with 12-month expiry windows. Cloud Monitoring fires an alert at month 11 on the frontend cert; the agency engineer renews via the Google-managed cert flow (gcloud compute ssl-certificates create). The renewed cert is attached to the HTTPS target proxy; the LB serves the new cert. Cloud Monitoring doesn't alert on the backend cert because self-managed certs don't have a Cloud Monitoring metric by default — the agency would have needed to provision a custom log-based metric that reads the cert's notAfter field. At month 12, the backend cert expires. GKE's readiness probe (which presents the backend cert during mTLS handshake) starts failing. Pods are marked NotReady; the GKE Service removes them from the endpoint slice; the LB removes the backend from rotation. The LB returns 502 Bad Gateway for all api.client.com requests. The agency engineer sees the 502s in Cloud Logging, traces through the LB to the backend service, and only discovers the expired backend cert by manually inspecting the pod logs. The customer-visible incident lasts ~2 hours before the renewal cert is generated, deployed to the cluster, and pods come back to Ready.

How it works

SSL and DNS monitoring for GCP agencies across Google-managed HTTPS Load Balancer cert provisioning, Cloud Run custom-domain AAAA record dependencies, and HTTPS LB + backend mTLS cert lifecycle splits.

Merlonix monitors SSL expiry and DNS integrity across every GCP-attached subdomain — app.* (Cloud Run direct mapping or HTTPS LB frontend), api.* (HTTPS LB with GKE backend), and per-region Cloud Run service endpoints — and catches Google-managed cert provisioning hangs where gcloud describe shows ACTIVE but the per-region domainStatus is FAILED_NOT_VISIBLE, Cloud Run cert renewal failures caused by a missing AAAA record (the silent failure mode that surfaces 120 days later when the cert expires), and HTTPS LB + backend mTLS cert lifecycle splits where the visible frontend cert renews on schedule but the self-managed backend cert expires and causes 502s — before GKE pods fail health checks and the LB starts removing them from rotation.

Add GCP application domains — apex, www., app., api.*, plus Cloud Run service endpoints and HTTPS Load Balancer frontend domains — with DNS TXT verification that catches Google-managed cert provisioning hangs and Cloud Run AAAA record omissions

Verify ownership with a DNS TXT record on the apex domain. All subdomains under that apex — app.* (Cloud Run direct mapping or HTTPS Load Balancer frontend), api.* (HTTPS Load Balancer with GKE backend), plus per-region Cloud Run service endpoints — are added without additional verification. Monitoring every GCP-attached subdomain catches the Google-managed cert provisioning hang where the resource-level status shows ACTIVE but the per-region domainStatus is FAILED_NOT_VISIBLE (the served cert won't match the configured hostname) and the Cloud Run AAAA record omission (a forward DNS check confirms both A and AAAA records are present before the cert renewal validation runs). Under two minutes per client.

A, AAAA, and CNAME record monitoring across Cloud DNS, third-party DNS, and Cloud Run cert-validation records — surfacing the partial DNS configurations that break the 90-day renewal cycle silently

Three independent DNS resolvers check every A record, AAAA record, and CNAME delegation on every monitoring interval. Cloud Run custom domain mappings that omit the AAAA record are surfaced immediately as a drift event — not when the cert renewal silently fails 90 days later and the cert expires 30 days after that. When an HTTPS Load Balancer's anycast IP changes (rare but possible during Google's regional rebalancing), the A record drift is logged immediately and the agency knows to update the client's DNS before the next renewal cycle.

SSL monitoring 30 days before expiry across Google-managed HTTPS Load Balancer certs (auto-renew), Cloud Run domain-mapping certs (auto-renew but renewal-validation-dependent), and self-managed backend mTLS certs (manual renewal — the silent failure mode)

Full SSL chain validation on every GCP-attached subdomain — apex, app.*, api.*. Independent checks per-tier catch the frontend-vs-backend mTLS cert lifecycle split where the visible Google-managed frontend cert auto-renews but the self-managed backend cert expires and causes 502s because GKE pods fail mTLS health checks. Self-managed backend certs are checked by validating the cert presented during the LB's health-check probe — the same way the LB sees the backend, so the alert fires before the LB starts removing pods from rotation. An expiry alert fires 30 days before any cert expires, with separate alerts per cert resource so the frontend cert and the backend mTLS cert can't mask each other.

Vendor status for GCP (per-region status pages — us-central1, us-east1, europe-west1), HTTPS Load Balancer, Cloud Run, Cloud DNS, and GKE to distinguish GCP regional incidents from per-tenant SSL configuration failures

Merlonix monitors GCP's per-region status pages, HTTPS Load Balancer, Cloud Run, Cloud DNS, and GKE alongside client SSL and DNS. When a us-central1 HTTPS Load Balancer regional incident causes cert provisioning failures across multiple client tenants simultaneously, you see the vendor event — not a cluster of individual SSL alerts that each require separate investigation to determine whether the root cause is a GCP regional outage, a Google-managed cert provisioning hang from a recent custom-domain addition, or a Cloud Run AAAA record omission breaking the renewal cycle.

What the numbers mean for GCP agencies

Monitoring built for GCP agencies where one client product means a Cloud Run service at app.* (Google-managed cert via domain-mapping), an HTTPS Load Balancer at api.* (Google-managed cert auto-renewed), and a GKE backend behind it (self-managed mTLS cert for compliance) — each with independent cert lifecycles and independent failure modes.

GCP agencies managing Google-managed cert provisioning across multi-region HTTPS Load Balancer deployments, Cloud Run custom-domain mappings across multi-service frontends, and frontend-vs-backend mTLS cert lifecycle splits across PCI-compliant multi-cluster GKE backends need monitoring that covers every GCP-attached subdomain — because a Google-managed cert provisioning hang is silent (the gcloud describe output shows ACTIVE before it fully provisions), and the frontend-vs- backend mTLS lifecycle split only surfaces when GKE pods fail health checks and the LB starts returning 502s.

< 10 min

Time from DNS change to alert — catches Cloud Run custom-domain AAAA record omissions that break the 90-day renewal cycle, HTTPS Load Balancer anycast IP changes during Google's regional rebalancing, and Cloud DNS to Cloudflare migrations that strip the cert-validation CNAMEs the Google-managed cert resource expects

30 days

SSL expiry warning lead time — enough time to identify a frontend-vs-backend mTLS cert lifecycle split (the visible Google-managed frontend cert renewed on schedule but the self-managed backend cert is days from expiry and GKE pods are about to fail health checks), a Cloud Run cert renewal failure caused by a missing AAAA record, or a Google-managed cert stuck in PROVISIONING state because DNS hasn't propagated to the LB's anycast IP — and correct it before 502s appear for users

11 vendors

Upstream services monitored — GCP per-region status pages (us-central1, us-east1, europe-west1), HTTPS Load Balancer, Cloud Run, Cloud DNS, and GKE included to distinguish GCP regional incidents from per-tenant SSL configuration failures

200 assets

Maximum monitored domains on the Agency plan — covers GCP app.* (Cloud Run or HTTPS LB frontend), api.* (HTTPS LB + GKE backend), plus per-region Cloud Run service endpoints across a full GCP client portfolio

Pricing

Flat monthly fee. Every GCP region, every Cloud Run service endpoint, every HTTPS Load Balancer included.

No per-region charges. No per-service fees. Pick the tier that fits your GCP client and per-tier cert count and monitor every Cloud Run, HTTPS Load Balancer, and backend mTLS SSL surface without billing surprises.

See full feature comparison →

Starter

For individual GCP developers managing a small client portfolio with single-region Cloud Run services and HTTPS Load Balancer frontends.

$29/ month

10 monitored assets
1 seat
15-min check cadence
SSL + DNS + vendor monitoring
Email + Slack alerts

Start with Starter

Most chosen

Team

For GCP agencies managing multi-region Cloud Run deployments with separate Google-managed certs, HTTPS Load Balancer frontends, and self-managed backend mTLS certs for compliance.

$79/ month

50 monitored assets
5 seats
10-min check cadence
SSL + DNS + vendor monitoring
Email + Slack alerts

Start with Team

Agency

For agencies with a full GCP client roster including multi-region HTTPS Load Balancer frontends, multi-cluster GKE backends with mTLS, and per-tenant Cloud Run subdomain mappings.

$199/ month

200 monitored assets
15 seats
5-min check cadence
SSL + DNS + vendor monitoring
Email + Slack alerts

Start with Agency

Know when a Google-managed cert is hanging in PROVISIONING state because DNS hasn't propagated to the LB's anycast IP before a customer reports the broken site.

Add your first GCP client domain in under two minutes. Cloud Run, HTTPS Load Balancer, and backend mTLS SSL across every region for that client are monitored from the same dashboard. 14-day trial, no card required.

Start free for 14 days Read the agency SSL checklist →

Google-managed certs sit in PROVISIONING state forever when DNS hasn't propagated to the LB's anycast IP.gcloud describe misleadingly shows ACTIVE before it fully provisions. Your client's LB serves a Google default cert.