GCP Certificate, DNS & Traffic Consolidation
A platform-engineering walk-through: consolidate per-service GCP certs and load balancers onto wildcard + Certificate Maps, isolate regulated workloads on Private CA, and drive it all with Terraform and ArgoCD.

- Part 1 of 11: Audit GCP Certificate Sprawl on Per-Service ManagedCertificate
  Reproduce the per-service ManagedCertificate sprawl pattern on GKE Autopilot with three live services, real cost math, and the exact evidence platform teams use to justify consolidation.
  11 min read · Apr 2026
- Part 2 of 11: Configure Cloud DNS DNSSEC and CAA on GCP (Terraform)
  Cert sprawl starts with DNS. If the zone you issue certs against isn’t locked down first, every cert you automate sits on a soft foundation: a…
  11 min read · Apr 2026
- Part 3 of 11: Issue GCP Wildcard Certs with DNS Authorization (Terraform)
  A single wildcard cert covering every service on a shared LB is what turns cert sprawl from a standing problem into a thing you barely think…
  9 min read · Apr 2026
- Part 4 of 11: Consolidate GCP Certs on a Shared LB with Cert Maps
  Per-service ManagedCertificate attached to a per-service target HTTPS proxy is why you have 120 forwarding rules across 4 environments. Certificate Maps are the mechanism that collapses…
  13 min read · Apr 2026
- Part 5 of 11: Migrate GKE Ingress to Gateway API with Cert Manager
  On GKE, per-service Ingress plus per-service ManagedCertificate is the path of least resistance. It also scales badly: every service is its own LB, its own IP,…
  10 min read · Apr 2026
- Part 6 of 11: Choose GCP Regional vs Global External ALB
  The default advice for new HTTPS services on GCP is “use a Global External ALB.” It’s usually right. Anycast means the same IP serves traffic from…
  10 min read · Apr 2026
- Part 7 of 11: Deploy GCP Private CA for Financial Service Certs
  The whole consolidation story so far collapses toward one wildcard cert on a shared LB. For most services that’s the right answer. For financial workloads (payments,…
  11 min read · Apr 2026
- Part 8 of 11: Implement SPKI Cert Pinning for GCP Private CA
  SPKI pinning is one of the few certificate-layer controls where the public-CA wildcard pattern from the rest of this series would be a liability rather than…
  10 min read · Apr 2026
- Part 9 of 11: Enforce GCP Cert Consolidation with Terraform and ArgoCD
  Consolidation patterns that depend on good intentions decay fast. One PR at 5pm on a Friday that adds a google_compute_managed_ssl_certificate in a new project, and the…
  9 min read · Apr 2026
- Part 10 of 11: Build a Zero-Incident Cert Rotation Demo on GCP
  Every article in this series has delivered one piece: the DNSSEC-signed delegated zone, the wildcard cert, the shared LB with a cert map, the Gateway API…
  9 min read · Apr 2026
- Part 11 of 11: Monitor GCP Cert Rotations with Cloud Monitoring Runbooks
  A cert rotation that you can’t see coming is a cert rotation that will page you at 3am when something breaks. Every consolidation outcome from this…
  10 min read · Apr 2026