Custom domains

By default, your application will be accessible via a subdomain of app.cloud.gov. To make your application accessible via your own domain, you need to create entries in your DNS system and configure cloud.gov.

How to set up a custom domain

To make your app accessible via your custom domain name, use the CDN service. That page provides instructions for the DNS entries you need to create in your DNS system.

Addressing federal requirements and recommendations

  • IPv6: cloud.gov ensures all applications are accessible over IPv6. You don’t have to take any action.
  • HTTPS: cloud.gov ensures all applications are accessible only over HTTPS with HTTP Strict Transport Security (HSTS) headers in accordance with the HTTPS-Only Standard. You don’t have to take any action.
  • DNSSEC: cloud.gov can’t configure DNSSEC in your DNS system, because cloud.gov does not have access to your DNS system. If you need DNSSEC for your domain, you are responsible for configuring DNSSEC in your DNS system. cloud.gov supports your ability to map that domain to your application that is hosted on cloud.gov.

Additional details are available in the cloud.gov FedRAMP P-ATO documentation package, including in System Security Plan controls SC-20, SC-21, SC-22, and SC-23.
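An added example, not part of cloud.gov's documentation or tooling: a POSIX shell check that collects evidence for the IPv6, HTTPS/HSTS and DNSSEC items above once a custom domain is live. It assumes curl and dig are installed and that your resolver validates DNSSEC; the function names are illustrative, and appB.agency.gov is the example hostname used elsewhere on this page.

```shell
#!/bin/sh
# Added example, not cloud.gov tooling. Parsers read captured tool output on
# stdin so they can be exercised offline; check_domain wires them to curl/dig.

# Print the HSTS max-age (seconds) from raw HTTP response headers.
# Returns 1 when the header or its max-age directive is missing.
hsts_max_age() {
  age=$(tr -d '\r' | awk 'tolower($0) ~ /^strict-transport-security:/ {
    if (match(tolower($0), /max-age="?[0-9]+/)) {
      v = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", v); print v
    }
    exit
  }')
  [ -n "$age" ] || return 1
  printf '%s\n' "$age"
}

# Succeed if `dig +short AAAA` output holds an IPv6 address. CNAME targets
# that +short also prints contain no colon, so they are ignored.
has_aaaa() { grep -q ':'; }

# Succeed if full dig output carries the AD (authenticated data) flag, which
# a validating resolver sets once the DNSSEC chain checks out.
dnssec_validated() { grep -Eq '^;; flags:[^;]* ad[ ;]'; }

# Live check. Assumes curl and dig are installed and that the configured
# resolver validates DNSSEC. The CNAME type is queried so the answer stays
# inside your own zone; following the chain into an unsigned zone clears AD.
check_domain() {
  host=$1
  if max=$(curl -sI "https://$host/" | hsts_max_age); then
    echo "HSTS:   max-age=$max"
  else
    echo "HSTS:   header missing"
  fi
  if dig +short AAAA "$host" | has_aaaa; then
    echo "IPv6:   AAAA record present"
  else
    echo "IPv6:   no AAAA record"
  fi
  if dig +dnssec "$host" CNAME | dnssec_validated; then
    echo "DNSSEC: validated (AD flag set)"
  else
    echo "DNSSEC: not validated by this resolver"
  fi
}

# Run only when a hostname is passed, e.g. sh check-domain.sh appB.agency.gov
[ "$#" -eq 0 ] || check_domain "$1"
```

A "not validated" DNSSEC result from a non-validating resolver says nothing about your zone, so repeat the query against a resolver you know validates before treating it as a finding.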

Comparison of default domains and custom domains

Here’s an example of the difference between a default *.app.cloud.gov domain and a custom domain. In this example, an agency’s application App A is using a default domain, and their application App B is using a custom domain.

graph TD
  subgraph Amazon Web Services
    subgraph cloud.gov
      CDN
      CG-DNS
      Router[App router]
      subgraph Org: agency-org
        subgraph App A space
          AppA[App A]
        end
        subgraph App B space
          AppB[App B]
        end
      end
    end
  end
  Public((Public user)) -->|HTTPS| A-DNS(Agency DNS: appB.agency.gov)
  Public((Public user)) -->|HTTPS| CG-DNS(DNS: appA_agency.app.cloud.gov)
  A-DNS -->|HTTPS| CDN(CDN)
  CG-DNS -->Router
  CDN -->Router
  Router -->AppA
  Router -->AppB

Figure 1. domain comparison

How domains and routes work in cloud.gov

A “route” is a domain with an optional subdomain and path that maps client requests to a particular application, such as:

  • myapp.app.cloud.gov
  • myapp.app.cloud.gov/test
  • app.example.gov
  • example.gov

Cloud Foundry’s Routes and Domains documentation explains the overall model and terminology that cloud.gov uses.

Find the org, space, and app for a route

If you know a route is mapped to an application on cloud.gov, but you’re not sure which application it is, you can install and use cf-route-lookup. This is a CF CLI plugin.

You need to log into the CF CLI to use this tool, and it will only show you information from orgs and spaces that you have permission to view.

> cf lookup-route example.gov
Bound to:
example-org/example-space/example-app

If you look up a route mapped to an application in an org or space that you can’t access, you’ll see Error retrieving apps: Route not found.

If you look up a route that isn’t mapped to any application on cloud.gov, you’ll see Error retrieving apps: Could not find matching domain.