Built for Google Cloud agencies — 14-day free trial

Google-managed certs hang in PROVISIONING.
gcloud describe shows ACTIVE while the LB serves a default cert.

Google Cloud agencies running HTTPS Load Balancer with Google-managed SSL, Cloud Run with direct custom-domain mapping, and multi-tier LB + backend mTLS deployments deal with Google-managed certs that hang in PROVISIONING state when DNS hasn't propagated to the LB's anycast IP, Cloud Run domain mappings that silently fail renewal when only A (not AAAA) is present, and frontend-vs-backend cert lifecycle splits where the backend mTLS cert expires and causes 502s. Merlonix monitors every GCP-attached subdomain so the silent cert provisioning hangs and renewal failures surface before clients see broken sites.

Start free for 14 days Or start free — $0, no card How it works

No credit card either way — start free, or trial the full workspace.

Check cadence (Agency): 1 min
SSL pre-expiry alert: 30 days
Independent DNS resolvers: 3
Vendors watched: 11

Where GCP agencies get caught out

Three failure modes specific to Google Cloud deployments with Google-managed HTTPS Load Balancer certs, Cloud Run custom-domain mappings, and HTTPS LB + backend mTLS for compliance.

GCP agencies deal with Google-managed certs that hang in PROVISIONING state when DNS hasn't propagated globally to the LB's anycast IP (gcloud describe misleadingly shows ACTIVE before it fully provisions per-region), Cloud Run custom domain mappings that silently fail renewal validation when the AAAA record is missing (the cert serves from cache until the 90-day expiry, then fails dramatically), and frontend-vs-backend mTLS cert lifecycle splits where the visible Google-managed frontend cert auto-renews but the self-managed backend cert expires and causes 502 Bad Gateway failures because GKE pods fail mTLS health checks and the LB removes them from rotation.

Google-managed cert provisioning hang

A Google-managed cert hangs in PROVISIONING when DNS hasn't propagated to the LB's anycast IP

A GCP agency builds a client B2B SaaS with a global HTTPS Load Balancer at api.client.com pointing at a Cloud Run service in us-central1. The Terraform module creates the LB, the URL map, the HTTPS target proxy, the global forwarding rule, AND a google_compute_managed_ssl_certificate resource. The agency runs terraform apply, the cert resource appears in the project. gcloud compute ssl-certificates describe api-client-cert --format="get(managed.status)" returns ACTIVE. The agency engineer confirms with their lead, marks the launch as ready, and the client begins routing production traffic. Browser requests to api.client.com return a Google default cert (the LB's certificate-binding hash, which doesn't match api.client.com). NET::ERR_CERT_COMMON_NAME_INVALID warnings appear. The agency engineer assumes a DNS propagation issue and waits — but the actual problem is that the Google-managed cert needs ongoing global DNS validation across multiple regions, and the agency provisioned the cert before DNS had propagated to all regions. The cert sits in PROVISIONING state from the per-region perspective even though the resource-level status shows ACTIVE. Discovery requires gcloud compute ssl-certificates describe --format=json and inspecting the managed.domainStatus map — most agencies don't look there. The fix is waiting for DNS propagation to complete, which can take hours; the LB serves the wrong cert the entire time.

Cloud Run missing AAAA record

A Cloud Run custom domain mapping with the AAAA record skipped silently fails its cert renewal

A GCP agency operates a client marketing site at app.client.com deployed as a Cloud Run service with a direct custom-domain mapping (not fronted by an HTTPS Load Balancer). The gcloud run domain-mappings create app.client.com --service=marketing-app --region=us-central1 command outputs four DNS records to add: an A record pointing at a Cloud Run IPv4, an AAAA record pointing at a Cloud Run IPv6, and one additional CNAME for cert validation. The agency engineer adds the A record and the CNAME at the client's DNS provider but skips the AAAA record because the project plan doesn't mention IPv6 traffic. The cert is issued because Cloud Run accepts partial DNS configurations at provisioning time; the mapping enters READY state. The site works for browsers that resolve A first (older systems, IPv4-only networks). Modern Chrome and Firefox on dual-stack home/office networks resolve AAAA first, hit a no-route response, fall back to A, and succeed — the user experiences a slight latency hit on first request but the site works. 90 days later, Cloud Run's cert renewal validation runs. The renewal flow checks BOTH the A record AND the AAAA record (because both were configured at mapping-creation time). The AAAA record query returns NXDOMAIN; the validation step fails. Cloud Run logs the failure to Cloud Logging but doesn't generate an alert (cert provisioning failures don't default-route to ops paging). The cert continues to serve from cache for the remaining ~30 days of validity. Then the cert expires. The site starts serving an expired cert. Browsers throw cert errors. The agency engineer doesn't know what changed (the configuration hasn't been touched in 5 months); tracing the failure to the missing AAAA record requires gcloud run domain-mappings describe app.client.com --format=json and inspecting the spec.certificateMode and status.conditions fields.

Frontend vs backend mTLS cert split

The Google-managed frontend cert auto-renews while the self-managed backend mTLS cert expires unwatched

A GCP agency builds a client payment platform on GCP with a regional HTTPS Load Balancer at api.client.com in us-central1, routing to a GKE-hosted backend service. The backend service is a payment-processing API that requires mutual TLS between the LB and the Service for PCI compliance — the LB authenticates itself to the GKE backend using a client cert (the backend cert from the LB's perspective). The frontend cert (the LB's public-facing cert for api.client.com) is a Google-managed certificate that auto-renews. The backend cert is a self-managed cert issued by the client's private CA (as required by PCI rules for compliance audits). Both certs are provisioned at launch with 12-month expiry windows. Cloud Monitoring fires an alert at month 11 on the frontend cert; the agency engineer renews via the Google-managed cert flow (gcloud compute ssl-certificates create). The renewed cert is attached to the HTTPS target proxy; the LB serves the new cert. Cloud Monitoring doesn't alert on the backend cert because self-managed certs don't have a Cloud Monitoring metric by default — the agency would have needed to provision a custom log-based metric that reads the cert's notAfter field. At month 12, the backend cert expires. GKE's readiness probe (which presents the backend cert during mTLS handshake) starts failing. Pods are marked NotReady; the GKE Service removes them from the endpoint slice; the LB removes the backend from rotation. The LB returns 502 Bad Gateway for all api.client.com requests. The agency engineer sees the 502s in Cloud Logging, traces through the LB to the backend service, and only discovers the expired backend cert by manually inspecting the pod logs. The customer-visible incident lasts ~2 hours before the renewal cert is generated, deployed to the cluster, and pods come back to Ready.

How it works

SSL and DNS monitoring for GCP agencies across Google-managed HTTPS Load Balancer cert provisioning, Cloud Run custom-domain AAAA record dependencies, and HTTPS LB + backend mTLS cert lifecycle splits.

Merlonix monitors SSL expiry and DNS integrity across every GCP-attached subdomain — app.* (Cloud Run direct mapping or HTTPS LB frontend), api.* (HTTPS LB with GKE backend), and per-region Cloud Run service endpoints — and catches Google-managed cert provisioning hangs where gcloud describe shows ACTIVE but the per-region domainStatus is FAILED_NOT_VISIBLE, Cloud Run cert renewal failures caused by a missing AAAA record (the silent failure mode that surfaces 120 days later when the cert expires), and HTTPS LB + backend mTLS cert lifecycle splits where the visible frontend cert renews on schedule but the self-managed backend cert expires and causes 502s — before GKE pods fail health checks and the LB starts removing them from rotation.

Add GCP application domains — apex, www., app., api.*, plus Cloud Run service endpoints and HTTPS Load Balancer frontend domains — with DNS TXT verification that catches Google-managed cert provisioning hangs and Cloud Run AAAA record omissions

Verify ownership with a DNS TXT record on the apex domain. All subdomains under that apex — app.* (Cloud Run direct mapping or HTTPS Load Balancer frontend), api.* (HTTPS Load Balancer with GKE backend), plus per-region Cloud Run service endpoints — are added without additional verification. Monitoring every GCP-attached subdomain catches the Google-managed cert provisioning hang where the resource-level status shows ACTIVE but the per-region domainStatus is FAILED_NOT_VISIBLE (the served cert won't match the configured hostname) and the Cloud Run AAAA record omission (a forward DNS check confirms both A and AAAA records are present before the cert renewal validation runs). Under two minutes per client.

A, AAAA, and CNAME record monitoring across Cloud DNS, third-party DNS, and Cloud Run cert-validation records — surfacing the partial DNS configurations that break the 90-day renewal cycle silently

Three independent DNS resolvers check every A record, AAAA record, and CNAME delegation on every monitoring interval. Cloud Run custom domain mappings that omit the AAAA record are surfaced immediately as a drift event — not when the cert renewal silently fails 90 days later and the cert expires 30 days after that. When an HTTPS Load Balancer's anycast IP changes (rare but possible during Google's regional rebalancing), the A record drift is logged immediately and the agency knows to update the client's DNS before the next renewal cycle.

SSL monitoring 30 days before expiry across Google-managed HTTPS Load Balancer certs (auto-renew), Cloud Run domain-mapping certs (auto-renew but renewal-validation-dependent), and self-managed backend mTLS certs (manual renewal — the silent failure mode)

Full SSL chain validation on every GCP-attached subdomain — apex, app.*, api.*. Independent checks per-tier catch the frontend-vs-backend mTLS cert lifecycle split where the visible Google-managed frontend cert auto-renews but the self-managed backend cert expires and causes 502s because GKE pods fail mTLS health checks. Self-managed backend certs are checked by validating the cert presented during the LB's health-check probe — the same way the LB sees the backend, so the alert fires before the LB starts removing pods from rotation. An expiry alert fires 30 days before any cert expires, with separate alerts per cert resource so the frontend cert and the backend mTLS cert can't mask each other.

Vendor status for GCP (per-region status pages — us-central1, us-east1, europe-west1), HTTPS Load Balancer, Cloud Run, Cloud DNS, and GKE to distinguish GCP regional incidents from per-tenant SSL configuration failures

Merlonix monitors GCP's per-region status pages, HTTPS Load Balancer, Cloud Run, Cloud DNS, and GKE alongside client SSL and DNS. When a us-central1 HTTPS Load Balancer regional incident causes cert provisioning failures across multiple client tenants simultaneously, you see the vendor event — not a cluster of individual SSL alerts that each require separate investigation to determine whether the root cause is a GCP regional outage, a Google-managed cert provisioning hang from a recent custom-domain addition, or a Cloud Run AAAA record omission breaking the renewal cycle.

What the numbers mean for GCP agencies

Monitoring built for GCP agencies where one client product means a Cloud Run service at app.* (Google-managed cert via domain-mapping), an HTTPS Load Balancer at api.* (Google-managed cert auto-renewed), and a GKE backend behind it (self-managed mTLS cert for compliance) — each with independent cert lifecycles and independent failure modes.

GCP agencies managing Google-managed cert provisioning across multi-region HTTPS Load Balancer deployments, Cloud Run custom-domain mappings across multi-service frontends, and frontend-vs-backend mTLS cert lifecycle splits across PCI-compliant multi-cluster GKE backends need monitoring that covers every GCP-attached subdomain — because a Google-managed cert provisioning hang is silent (the gcloud describe output shows ACTIVE before it fully provisions), and the frontend-vs- backend mTLS lifecycle split only surfaces when GKE pods fail health checks and the LB starts returning 502s.

< 10 min

Time from DNS change to alert — catches Cloud Run custom-domain AAAA record omissions that break the 90-day renewal cycle, HTTPS Load Balancer anycast IP changes during Google's regional rebalancing, and Cloud DNS to Cloudflare migrations that strip the cert-validation CNAMEs the Google-managed cert resource expects

30 days

SSL expiry warning lead time — enough time to identify a frontend-vs-backend mTLS cert lifecycle split (the visible Google-managed frontend cert renewed on schedule but the self-managed backend cert is days from expiry and GKE pods are about to fail health checks), a Cloud Run cert renewal failure caused by a missing AAAA record, or a Google-managed cert stuck in PROVISIONING state because DNS hasn't propagated to the LB's anycast IP — and correct it before 502s appear for users

11 vendors

Upstream services monitored — GCP per-region status pages (us-central1, us-east1, europe-west1), HTTPS Load Balancer, Cloud Run, Cloud DNS, and GKE included to distinguish GCP regional incidents from per-tenant SSL configuration failures

250 assets

Maximum monitored domains on the Agency plan — covers GCP app.* (Cloud Run or HTTPS LB frontend), api.* (HTTPS LB + GKE backend), plus per-region Cloud Run service endpoints across a full GCP client portfolio

Pricing

Flat monthly fee. Every GCP region, every Cloud Run service endpoint, every HTTPS Load Balancer included.

No per-region charges. No per-service fees. Pick the tier that fits your GCP client and per-tier cert count and monitor every Cloud Run, HTTPS Load Balancer, and backend mTLS SSL surface without billing surprises.

See full feature comparison →

Starter

For individual GCP developers managing a small client portfolio with single-region Cloud Run services and HTTPS Load Balancer frontends.

$19/ month

15 monitored assets
3 seats
5 min check cadence
SSL + DNS + vendor monitoring
Email + Slack alerts

Start with Starter

Most chosen

Team

For GCP agencies managing multi-region Cloud Run deployments with separate Google-managed certs, HTTPS Load Balancer frontends, and self-managed backend mTLS certs for compliance.

$79/ month

60 monitored assets
10 seats
1 min check cadence
SSL + DNS + vendor monitoring
Email + Slack alerts

Start with Team

Agency

For agencies with a full GCP client roster including multi-region HTTPS Load Balancer frontends, multi-cluster GKE backends with mTLS, and per-tenant Cloud Run subdomain mappings.

$199/ month

250 monitored assets
Unlimited seats
1 min check cadence
SSL + DNS + vendor monitoring
Email + Slack alerts

Start with Agency

Compliance

For regulated-vertical teams that need continuous, audit-ready evidence.

$699/ month

500 monitored assets
Unlimited seats
1 min check cadence
SSL + DNS + vendor monitoring
Email + Slack alerts

Start with Compliance

Know when a Google-managed cert is hanging in PROVISIONING state because DNS hasn't propagated to the LB's anycast IP before a customer reports the broken site.

Add your first GCP client domain in under two minutes. Cloud Run, HTTPS Load Balancer, and backend mTLS SSL across every region for that client are monitored from the same dashboard. 14-day trial, no card required.

Start free for 14 days Or start free — $0 Read the agency SSL checklist →

Google-managed certs hang in PROVISIONING.gcloud describe shows ACTIVE while the LB serves a default cert.