Custom domains

By default, your application will be accessible via a subdomain of To make your application accessible via your own domain, you need to create entries in your DNS system and configure

How to set up a custom domain

To make your app accessible via your custom domain name, use the CDN service. That page provides instructions for the DNS entries you need to create in your DNS system.

Addressing federal requirements and recommendations

  • IPv6: ensures all applications are accessible over IPv6. You don’t have to take any action.
  • HTTPS: ensures all applications are accessible only over HTTPS with HTTP Strict Transport Security (HSTS) headers in accordance with the HTTPS-Only Standard. You don’t have to take any action.
  • DNSSEC: can’t configure DNSSEC in your DNS system, because does not have access to your DNS system. If you need DNSSEC for your domain, you are responsible for configuring DNSSEC in your DNS system. supports your ability to map that domain to your application that is hosted on

Additional details are available in the FedRAMP P-ATO documentation package, including in System Security Plan controls SC-20, SC-21, SC-22, and SC-23.
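To confirm the HTTPS and HSTS behaviour from the list above on your own custom domain, you can run captured response headers through a check like the following. This is an added example, not code from this documentation or the platform; the sample captures and hostname are constructed, and the one-year `max-age` threshold is an assumption to adjust to your policy.

```python
import re
MIN_MAX_AGE = 31536000  # one year, in seconds; assumed threshold for this check

def parse_hsts(value):
    """Parse one Strict-Transport-Security value (RFC 6797 section 6.1).
    Returns lower-cased directives, or None if the header is invalid."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if not name:
            continue  # empty directive, e.g. a trailing ';'
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]  # max-age may be sent as a quoted-string
        if name in directives:
            return None  # a repeated directive invalidates the whole header
        directives[name] = arg
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None  # max-age is required and must be a number of seconds
    directives["max-age"] = int(directives["max-age"])
    return directives

def check_response(scheme, headers, min_age=MIN_MAX_AGE):
    """Return findings for one captured response; an empty list means pass."""
    get = lambda n: [v for k, v in headers if k.lower() == n]
    if scheme != "https":
        # HSTS sent over plain HTTP is ignored, so only a redirect to HTTPS passes.
        loc = (get("location") or [""])[0]
        return [] if loc.lower().startswith("https://") else ["no redirect to https"]
    sts = get("strict-transport-security")
    if not sts:
        return ["no Strict-Transport-Security header"]
    policy = parse_hsts(sts[0])  # user agents process only the first STS header
    if policy is None:
        return ["invalid Strict-Transport-Security header"]
    if policy["max-age"] < min_age:
        return ["max-age %d is below %d" % (policy["max-age"], min_age)]
    return []

# Constructed sample captures (the hostname is a placeholder, not a real route).
SAMPLES = [
    ("https", [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]),
    ("https", [("strict-transport-security", "max-age=600")]),
    ("http", [("Location", "https://app.agency.example/")]),
]
if __name__ == "__main__":
    for scheme, headers in SAMPLES:
        print(scheme, check_response(scheme, headers) or "ok")
```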

Comparison of default domains and custom domains

Here’s an example of the difference between a default * domain and a custom domain. In this example, an agency’s application App A is using a default domain, and their application App B is using a custom domain.

graph TD subgraph Amazon Web Services subgraph CDN CG-DNS Router[App router] subgraph Org: agency-org subgraph App A space AppA[App A] end subgraph App B space AppB[App B] end end end end Public((Public user)) -->|HTTPS| A-DNS(Agency DNS: Public((Public user)) -->|HTTPS| CG-DNS(DNS: A-DNS -->|HTTPS| CDN(CDN) CG-DNS -->Router CDN -->Router Router -->AppA Router -->AppB

Figure 1. domain comparison

How domains and routes work in

A “route” is a domain with an optional subdomain and path that maps client requests to a particular application, such as:


Cloud Foundry’s Routes and Domains documentation explains the overall model and terminology that uses.

Find the org, space, and app for a route

If you know a route is mapped to an application on, but you’re not sure which application it is, you can install and use cf-route-lookup. This is a CF CLI plugin.

You need to log into the CF CLI to use this tool, and it will only show you information from orgs and spaces that you have permission to view.

> cf lookup-route
Bound to:

If you look up a route mapped to an application in an org or space that you can’t access, you’ll see Error retrieving apps: Route not found.

If you look up a route that isn’t mapped to any application on, you’ll see Error retrieving apps: Could not find matching domain.