
GCP Cloud CDN

Deploys a Google Cloud CDN endpoint backed by a Global Application Load Balancer, with support for GCS bucket, Compute Engine, Cloud Run, and external origin backends. The component provisions the backend resource, URL map, global IP address, forwarding rules, and optionally Google-managed SSL certificates, HTTP-to-HTTPS redirect, and Cloud Armor integration.

What Gets Created

When you deploy a GcpCloudCdn resource, OpenMCF provisions:

  • Global IP Address — a static anycast IP for the load balancer frontend
  • Backend Bucket or Backend Service — one of the following, depending on the configured backend type:
    • Backend Bucket with CDN enabled (for GCS bucket origins)
    • Backend Service with CDN enabled and a Serverless NEG (for Cloud Run origins)
    • Backend Service with CDN enabled and an Internet NEG (for external origins)
    • Backend Service with CDN enabled (for Compute Engine instance group origins)
  • Health Check — HTTP health check for Compute Engine backends (when healthCheck is configured)
  • URL Map — routing configuration that directs all traffic to the backend
  • HTTPS Proxy + Forwarding Rule — TLS termination and port-443 forwarding (when frontendConfig is specified)
  • Google-managed SSL Certificate — automatic certificate provisioning and renewal (when frontendConfig.sslCertificate.googleManaged is specified)
  • HTTP Proxy + Forwarding Rule — port-80 forwarding (when no frontendConfig is specified, or for HTTP-to-HTTPS redirect)
  • HTTP-to-HTTPS Redirect — 301 redirect URL map, HTTP proxy, and forwarding rule (enabled by default when frontendConfig is specified)

Prerequisites

  • GCP credentials configured via environment variables or OpenMCF provider config
  • An existing GCP project — referenced via gcpProjectId
  • IAM permissions to create Compute Engine load balancer resources in the target project
  • An existing origin — depending on backend type:
    • A GCS bucket (for gcsBucket backend)
    • A Managed Instance Group (for computeService backend)
    • A deployed Cloud Run service (for cloudRunService backend)
    • A reachable external hostname (for externalOrigin backend)
  • DNS configuration (optional) — if using custom domains, the ability to create DNS records pointing to the global IP

Quick Start

Create a file cdn.yaml:

apiVersion: gcp.openmcf.org/v1
kind: GcpCloudCdn
metadata:
  name: my-cdn
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: dev.GcpCloudCdn.my-cdn
spec:
  gcpProjectId:
    value: my-gcp-project-123
  backend:
    gcsBucket:
      bucketName: my-static-site-bucket

Deploy:

openmcf apply -f cdn.yaml

This creates a Cloud CDN endpoint backed by a GCS bucket, using the default CACHE_ALL_STATIC cache mode with a 1-hour default TTL and a 1-day max TTL. Because no frontendConfig is given, the endpoint is served over plain HTTP on port 80 at the global IP; add a frontendConfig to get TLS termination with a Google-managed certificate and the HTTP-to-HTTPS redirect.

Configuration Reference

Required Fields

| Field | Type | Description | Validation |
|---|---|---|---|
| gcpProjectId | StringValueOrRef | GCP project ID. Can reference a GcpProject resource via valueFrom. | Required |
| backend | object | Backend origin configuration. Exactly one backend type must be specified. | Required |

Backend Types (one of):

| Field | Type | Description |
|---|---|---|
| backend.gcsBucket.bucketName | string | Name of the GCS bucket to use as origin. |
| backend.computeService.instanceGroupName | string | Name of the Managed Instance Group to use as backend. |
| backend.cloudRunService.serviceName | string | Name of the Cloud Run service to use as backend. |
| backend.cloudRunService.region | string | GCP region where the Cloud Run service is deployed. |
| backend.externalOrigin.hostname | string | FQDN or IP address of the external origin. |

Optional Fields

| Field | Type | Default | Description |
|---|---|---|---|
| cacheMode | enum | CACHE_ALL_STATIC | Caching strategy: CACHE_ALL_STATIC, USE_ORIGIN_HEADERS, or FORCE_CACHE_ALL. |
| defaultTtlSeconds | int32 | 3600 | Default TTL in seconds when origin does not specify Cache-Control. Range: 0-31536000. |
| maxTtlSeconds | int32 | 86400 | Maximum TTL in seconds. Hard ceiling that overrides origin headers. Range: 0-31536000. |
| clientTtlSeconds | int32 | value of maxTtlSeconds | Client-facing TTL in seconds. Overrides max-age for browser caches. Range: 0-31536000. |
| enableNegativeCaching | bool | false | Cache HTTP 4xx/5xx error responses to reduce origin load during failures. |
| advancedConfig | object | — | Advanced CDN configuration (cache keys, signed URLs, negative caching policies). |
| advancedConfig.cacheKeyPolicy | object | — | Controls which request attributes are included in the cache key. |
| advancedConfig.cacheKeyPolicy.includeQueryString | bool | true | Include URL query string in cache key. |
| advancedConfig.cacheKeyPolicy.queryStringWhitelist | string[] | [] | Whitelist of query parameters to include in cache key (all others ignored). |
| advancedConfig.cacheKeyPolicy.includeProtocol | bool | true | Include request protocol (HTTP vs HTTPS) in cache key. |
| advancedConfig.cacheKeyPolicy.includeHost | bool | true | Include Host header in cache key. |
| advancedConfig.cacheKeyPolicy.includedHeaders | string[] | [] | Request headers to include in cache key. Supported: Accept, Accept-Encoding, Origin. |
| advancedConfig.signedUrlConfig.enabled | bool | — | Enable signed URL validation for private content delivery. |
| advancedConfig.signedUrlConfig.keys | SignedUrlKey[] | — | Signing keys for URL validation. Each key requires keyName and keyValue. |
| advancedConfig.negativeCachingPolicies | NegativeCachingPolicy[] | [] | Per-status-code caching policies. Each entry requires code (400-599) and ttlSeconds (0-86400). |
| advancedConfig.serveWhileStaleSeconds | int32 | 0 | Serve stale content while revalidating with origin. Range: 0-604800. |
| advancedConfig.enableRequestCoalescing | bool | true | Combine multiple identical requests into one origin fetch. |
| frontendConfig | object | — | Load balancer frontend configuration (SSL, domains, Cloud Armor). |
| frontendConfig.customDomains | string[] | [] | Custom domains for the CDN endpoint. |
| frontendConfig.sslCertificate.googleManaged.domains | string[] | — | Domains for Google-managed SSL certificate (auto-provisioned via Let's Encrypt). |
| frontendConfig.sslCertificate.selfManaged.certificatePem | string | — | PEM-encoded SSL certificate chain (bring your own certificate). |
| frontendConfig.sslCertificate.selfManaged.privateKeyPem | string | — | PEM-encoded private key for self-managed certificate. |
| frontendConfig.cloudArmor.enabled | bool | — | Enable Cloud Armor WAF/DDoS protection. |
| frontendConfig.cloudArmor.securityPolicyName | string | — | Name of existing Cloud Armor security policy to attach. |
| frontendConfig.enableHttpsRedirect | bool | true | Create an HTTP-to-HTTPS 301 redirect. |
| backend.gcsBucket.enableUniformAccess | bool | true | Use uniform bucket-level IAM access (no legacy ACLs). |
| backend.computeService.healthCheck | object | — | Health check config for Compute Engine backends. |
| backend.computeService.protocol | enum | HTTP | Backend protocol: HTTP or HTTPS. |
| backend.computeService.port | int32 | 80/443 | Port where backend instances serve traffic. |
| backend.externalOrigin.port | int32 | 443/80 | Port for the external origin. |
| backend.externalOrigin.protocol | enum | HTTPS | Protocol for connecting to external origin: HTTP or HTTPS. |
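The constraints in the two tables above (exactly one backend, the TTL ranges, the 400-599 status codes for negative caching, the supported cache-key headers, the fields each backend and feature requires) can be checked before `openmcf apply` is ever run. The validator below is an added example, not OpenMCF's own validation code; it takes the `spec:` mapping as an already-loaded Python dict rather than parsing YAML, and the two sample specs at the bottom are constructed here (GOOD_SPEC mirrors the full-featured example further down this page). It also emits warnings, not errors, for settings that are valid but change what the endpoint exposes: FORCE_CACHE_ALL ignoring origin Cache-Control, a missing frontendConfig (plain HTTP only), and a disabled HTTPS redirect.

```python
"""Pre-apply validation of a GcpCloudCdn spec against the documented constraints.
Added example; not OpenMCF's own validator. Takes the spec as a loaded dict."""

BACKEND_TYPES = ("gcsBucket", "computeService", "cloudRunService", "externalOrigin")
REQUIRED_BACKEND_FIELDS = {"gcsBucket": ("bucketName",), "computeService": ("instanceGroupName",),
                           "cloudRunService": ("serviceName", "region"), "externalOrigin": ("hostname",)}
CACHE_MODES = ("CACHE_ALL_STATIC", "USE_ORIGIN_HEADERS", "FORCE_CACHE_ALL")
CACHE_KEY_HEADERS = {"Accept", "Accept-Encoding", "Origin"}
TTL_MAX = 31_536_000  # documented upper bound for the *TtlSeconds fields


def _check_range(name, value, lo, hi, errors):
    """Integer range check; bool is rejected explicitly because it subclasses int."""
    if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
        errors.append(f"{name} must be an integer in [{lo}, {hi}], got {value!r}")


def validate_spec(spec):
    """Return (errors, warnings): errors break a documented constraint,
    warnings are valid settings that widen what the endpoint exposes."""
    errors, warnings = [], []
    if not ({"value", "valueFrom"} & set(spec.get("gcpProjectId") or {})):
        errors.append("gcpProjectId is required (value or valueFrom)")
    backend = spec.get("backend") or {}
    chosen = [b for b in BACKEND_TYPES if b in backend]
    if len(chosen) != 1:
        errors.append(f"exactly one backend type must be set, got {chosen or 'none'}")
    else:
        for field in REQUIRED_BACKEND_FIELDS[chosen[0]]:
            if not (backend[chosen[0]] or {}).get(field):
                errors.append(f"backend.{chosen[0]}.{field} is required")
    mode = spec.get("cacheMode", "CACHE_ALL_STATIC")
    if mode not in CACHE_MODES:
        errors.append(f"cacheMode must be one of {CACHE_MODES}, got {mode!r}")
    elif mode == "FORCE_CACHE_ALL":
        warnings.append("FORCE_CACHE_ALL caches responses regardless of origin Cache-Control "
                        "(private/no-store included); use only for content safe to share between clients")
    for field in ("defaultTtlSeconds", "maxTtlSeconds", "clientTtlSeconds"):
        if field in spec:
            _check_range(field, spec[field], 0, TTL_MAX, errors)
    adv = spec.get("advancedConfig") or {}
    for header in (adv.get("cacheKeyPolicy") or {}).get("includedHeaders") or []:
        if header not in CACHE_KEY_HEADERS:
            errors.append(f"cacheKeyPolicy.includedHeaders: {header!r} is not supported")
    for i, policy in enumerate(adv.get("negativeCachingPolicies") or []):
        _check_range(f"negativeCachingPolicies[{i}].code", policy.get("code"), 400, 599, errors)
        _check_range(f"negativeCachingPolicies[{i}].ttlSeconds", policy.get("ttlSeconds"), 0, 86_400, errors)
    if "serveWhileStaleSeconds" in adv:
        _check_range("serveWhileStaleSeconds", adv["serveWhileStaleSeconds"], 0, 604_800, errors)
    signed = adv.get("signedUrlConfig") or {}
    if signed.get("enabled"):
        keys = signed.get("keys") or []
        if not keys:
            errors.append("signedUrlConfig.enabled requires at least one key")
        for i, key in enumerate(keys):
            if not (key.get("keyName") and key.get("keyValue")):
                errors.append(f"signedUrlConfig.keys[{i}] needs keyName and keyValue")
    frontend = spec.get("frontendConfig")
    if frontend is None:
        warnings.append("no frontendConfig: the endpoint is served over plain HTTP on port 80 only")
    else:
        self_managed = (frontend.get("sslCertificate") or {}).get("selfManaged") or {}
        if self_managed and not (self_managed.get("certificatePem") and self_managed.get("privateKeyPem")):
            errors.append("sslCertificate.selfManaged needs both certificatePem and privateKeyPem")
        if frontend.get("enableHttpsRedirect", True) is False:
            warnings.append("enableHttpsRedirect is false: http:// requests are not redirected to HTTPS")
        armor = frontend.get("cloudArmor") or {}
        if armor.get("enabled") and not armor.get("securityPolicyName"):
            errors.append("cloudArmor.enabled requires securityPolicyName")
    return errors, warnings


# Constructed specs: GOOD_SPEC mirrors this page's full-featured example,
# BAD_SPEC breaks several documented constraints at once.
GOOD_SPEC = {
    "gcpProjectId": {"valueFrom": {"kind": "GcpProject", "name": "my-project",
                                   "field": "status.outputs.project_id"}},
    "backend": {"gcsBucket": {"bucketName": "media-assets-bucket", "enableUniformAccess": True}},
    "cacheMode": "FORCE_CACHE_ALL", "defaultTtlSeconds": 86400, "maxTtlSeconds": 604800,
    "clientTtlSeconds": 3600, "enableNegativeCaching": True,
    "advancedConfig": {
        "cacheKeyPolicy": {"includeQueryString": True, "queryStringWhitelist": ["version", "lang"]},
        "signedUrlConfig": {"enabled": True, "keys": [
            {"keyName": "primary-key", "keyValue": "dGhpcy1pcy1hLXNhbXBsZS1rZXk="},
            {"keyName": "rotation-key", "keyValue": "cm90YXRpb24ta2V5LXZhbHVl"}]},
        "negativeCachingPolicies": [{"code": 404, "ttlSeconds": 600}, {"code": 503, "ttlSeconds": 60}],
        "serveWhileStaleSeconds": 86400, "enableRequestCoalescing": True},
    "frontendConfig": {"customDomains": ["media.example.com", "cdn.example.com"],
                       "sslCertificate": {"googleManaged": {"domains": ["media.example.com", "cdn.example.com"]}},
                       "cloudArmor": {"enabled": True, "securityPolicyName": "media-waf-policy"},
                       "enableHttpsRedirect": True},
}
BAD_SPEC = {
    "gcpProjectId": {},
    "backend": {"gcsBucket": {"bucketName": "b"}, "externalOrigin": {"hostname": "origin.example.com"}},
    "cacheMode": "CACHE_EVERYTHING", "maxTtlSeconds": 40_000_000,
    "advancedConfig": {"negativeCachingPolicies": [{"code": 200, "ttlSeconds": 60}],
                       "signedUrlConfig": {"enabled": True}},
    "frontendConfig": {"cloudArmor": {"enabled": True}},
}

if __name__ == "__main__":
    for label, candidate in (("good", GOOD_SPEC), ("bad", BAD_SPEC)):
        errs, warns = validate_spec(candidate)
        print(f"{label}: {len(errs)} error(s) {errs}; {len(warns)} warning(s) {warns}")
```

Run it against the `spec:` mapping of any manifest on this page; GOOD_SPEC passes with only the FORCE_CACHE_ALL warning, while BAD_SPEC reports seven distinct errors. The warning on FORCE_CACHE_ALL is the one to read carefully: that mode is right for immutable media behind signed URLs, and wrong for any origin that returns per-user responses.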

Examples

Static Website with GCS Bucket Backend

Serve a static site from a GCS bucket with default caching settings:

apiVersion: gcp.openmcf.org/v1
kind: GcpCloudCdn
metadata:
  name: static-site-cdn
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: prod.GcpCloudCdn.static-site-cdn
spec:
  gcpProjectId:
    value: my-prod-project
  backend:
    gcsBucket:
      bucketName: my-static-site-bucket
  cacheMode: CACHE_ALL_STATIC
  defaultTtlSeconds: 3600
  maxTtlSeconds: 86400
  enableNegativeCaching: true

Cloud Run Backend with Custom Domain and HTTPS

Cache a Cloud Run service behind a custom domain with a Google-managed SSL certificate:

apiVersion: gcp.openmcf.org/v1
kind: GcpCloudCdn
metadata:
  name: api-cdn
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: prod.GcpCloudCdn.api-cdn
spec:
  gcpProjectId:
    value: my-prod-project
  backend:
    cloudRunService:
      serviceName: my-api-service
      region: us-central1
  cacheMode: USE_ORIGIN_HEADERS
  defaultTtlSeconds: 300
  maxTtlSeconds: 3600
  frontendConfig:
    customDomains:
      - cdn.example.com
    sslCertificate:
      googleManaged:
        domains:
          - cdn.example.com
    enableHttpsRedirect: true

Full-Featured with Advanced Caching and Cloud Armor

Production deployment with tuned cache keys, negative caching policies, stale-while-revalidate, signed URLs, and Cloud Armor protection:

apiVersion: gcp.openmcf.org/v1
kind: GcpCloudCdn
metadata:
  name: media-cdn
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: prod.GcpCloudCdn.media-cdn
spec:
  gcpProjectId:
    valueFrom:
      kind: GcpProject
      name: my-project
      field: status.outputs.project_id
  backend:
    gcsBucket:
      bucketName: media-assets-bucket
      enableUniformAccess: true
  cacheMode: FORCE_CACHE_ALL
  defaultTtlSeconds: 86400
  maxTtlSeconds: 604800
  clientTtlSeconds: 3600
  enableNegativeCaching: true
  advancedConfig:
    cacheKeyPolicy:
      includeQueryString: true
      queryStringWhitelist:
        - version
        - lang
      includeProtocol: false
      includeHost: true
    signedUrlConfig:
      enabled: true
      keys:
        - keyName: primary-key
          keyValue: "dGhpcy1pcy1hLXNhbXBsZS1rZXk="
        - keyName: rotation-key
          keyValue: "cm90YXRpb24ta2V5LXZhbHVl"
    negativeCachingPolicies:
      - code: 404
        ttlSeconds: 600
      - code: 503
        ttlSeconds: 60
    serveWhileStaleSeconds: 86400
    enableRequestCoalescing: true
  frontendConfig:
    customDomains:
      - media.example.com
      - cdn.example.com
    sslCertificate:
      googleManaged:
        domains:
          - media.example.com
          - cdn.example.com
    cloudArmor:
      enabled: true
      securityPolicyName: media-waf-policy
    enableHttpsRedirect: true

External Origin Backend

Cache content from an origin server outside GCP (multi-cloud or on-premises):

apiVersion: gcp.openmcf.org/v1
kind: GcpCloudCdn
metadata:
  name: hybrid-cdn
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: staging.GcpCloudCdn.hybrid-cdn
spec:
  gcpProjectId:
    value: my-staging-project
  backend:
    externalOrigin:
      hostname: origin.example.com
      port: 443
      protocol: HTTPS
  cacheMode: USE_ORIGIN_HEADERS
  defaultTtlSeconds: 1800
  maxTtlSeconds: 7200

Stack Outputs

After deployment, the following outputs are available in status.outputs:

| Output | Type | Description |
|---|---|---|
| cdnUrl | string | Public URL of the Cloud CDN endpoint (e.g., https://<ip-address>) |
| globalIpAddress | string | Static global anycast IP address assigned to the load balancer. Use for DNS records. |
| backendName | string | Name of the backend resource (BackendBucket or BackendService) |
| backendId | string | Full resource ID of the backend (e.g., projects/{project}/global/backendBuckets/{name}) |
| cdnEnabled | string | Whether Cloud CDN is enabled on the backend |
| cacheMode | string | Cache mode configured for this CDN (CACHE_ALL_STATIC, USE_ORIGIN_HEADERS, FORCE_CACHE_ALL) |
| urlMapName | string | URL map name for load balancer routing configuration |
| httpsProxyName | string | Target HTTPS proxy name (set when frontendConfig is specified) |
| sslCertificateName | string | SSL certificate name or ID (set when frontendConfig is specified) |
| cloudArmorPolicyName | string | Cloud Armor security policy name (empty if Cloud Armor is not configured) |
| backendType | string | Backend type: GCS_BUCKET, COMPUTE_SERVICE, CLOUD_RUN, or EXTERNAL |
| gcsBucketName | string | GCS bucket name (only set when backendType is GCS_BUCKET) |
| instanceGroupName | string | Compute Engine instance group name (only set when backendType is COMPUTE_SERVICE) |
| cloudRunServiceName | string | Cloud Run service name (only set when backendType is CLOUD_RUN) |
| cloudRunRegion | string | Cloud Run service region (only set when backendType is CLOUD_RUN) |
| externalHostname | string | External origin hostname (only set when backendType is EXTERNAL) |
| customDomains | string[] | Custom domains configured for this CDN |
| healthCheckUrl | string | Health check URL (set when health check is configured for Compute Engine backends) |
| monitoringDashboardUrl | string | Cloud Console link to view CDN cache hit ratio, bandwidth, and request metrics |

Related Components

  • GcpProject — provides the GCP project for CDN resource creation
  • GcpGcsBucket — provisions a GCS bucket that can serve as the CDN origin
  • GcpGkeCluster — container orchestration that can be fronted by Cloud CDN
  • GcpDnsRecord — creates DNS records pointing custom domains to the CDN global IP
  • GcpDnsZone — manages the DNS zone for custom domain configuration
