Terminating mTLS at the Cloud Run service level behind an External HTTPS Load Balancer

Hi everyone,

We are designing an architecture where we need to enforce mutual TLS (mTLS) for specific services. However, due to some organizational constraints, we are not able to configure the mTLS policy directly on our Global External HTTPS Load Balancer.

Our goal is to find a way to terminate mTLS at the application level, specifically within our Cloud Run service, which sits behind the load balancer.

Our proposed flow is:

  1. The External HTTPS Load Balancer receives the TLS connection from the client.

  2. The load balancer forwards the client certificate information (passthrough) to the backend Cloud Run service via HTTP headers.

  3. Our application code within the Cloud Run service inspects these headers, validates the client certificate, and then decides whether to accept or reject the request.

My questions are:

  • Is this a supported and recommended pattern for achieving application-level mTLS with Cloud Run?

  • What is the correct configuration on the External HTTPS Load Balancer to enable this client certificate passthrough?

  • Are there any best practices or potential pitfalls we should be aware of when implementing the certificate validation logic within the Cloud Run service itself?

Any guidance, examples, or insights from the community would be greatly appreciated.

Kind Regards,

Subhajit


Hi Subhajit, I am not sure if you have a solution to your use case above; however, based on what you have explained, "Set up backend authenticated TLS | Cloud Load Balancing | Google Cloud Documentation" should work with trust config stores as certificate validation with Cloud Run. Hope this helps.

Hi @subhajit2022, this is not a secure or supported way to implement mTLS. With an External HTTPS Load Balancer, TLS terminates at the load balancer and Cloud Run cannot receive the real client certificate. There is no true certificate passthrough to Cloud Run. Validating headers in the app is unsafe unless the load balancer performs mTLS and injects verified identity. The correct approach is to configure mTLS on the load balancer or use a proxy like Envoy in front of Cloud Run.
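Added example, not part of any of the posts above and not Google's code: a Go sketch of the application-side check from step 3 of the original question, written to make the last reply's point concrete. The header name `X-Forwarded-Client-Cert`, its URL-escaped PEM encoding, the `Verifier` type and the in-process test CA are all assumptions for the example. The app re-validates the forwarded leaf (trusted CA, validity period, client-auth EKU, fingerprint allowlist) and rejects the request otherwise. What the code cannot do is tell a certificate presented in a real handshake from a copy of the same public certificate pasted into the header by anyone else; that proof of possession happens only in the TLS handshake the proxy performed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"net/url"
	"time"
)

// Header the proxy is assumed to fill with the URL-escaped PEM leaf (hypothetical name and encoding).
const clientCertHeader = "X-Forwarded-Client-Cert"
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert makes a P-256 key and a certificate: a self-signed CA when parent is nil, else a client-auth leaf. Fixture only.
func newCert(cn string, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed root
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// fingerprint is the SHA-256 of the DER certificate, the usual allowlist key.
func fingerprint(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.Raw))
}

// EncodeHeader renders a certificate the way the proxy is assumed to forward it (constructed encoding).
func EncodeHeader(c *x509.Certificate) string {
	return url.QueryEscape(string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})))
}

// Verifier holds what the app can check on its own: a trusted CA and an allowlist of leaf fingerprints.
type Verifier struct {
	Roots   *x509.CertPool
	Allowed map[string]bool
}

// VerifyForwardedCert validates a forwarded leaf and returns its CN. It proves the certificate is genuine,
// current and authorized; it cannot prove the sender holds the private key (only the proxy's handshake can).
func (v Verifier) VerifyForwardedCert(headerValue string) (string, error) {
	raw, err := url.QueryUnescape(headerValue)
	block, _ := pem.Decode([]byte(raw))
	if err != nil || block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("header does not carry a URL-escaped PEM certificate")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", fmt.Errorf("parse: %w", err)
	}
	opts := x509.VerifyOptions{Roots: v.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("chain: %w", err)
	}
	if !v.Allowed[fingerprint(leaf)] {
		return "", fmt.Errorf("certificate for %q is not on the allowlist", leaf.Subject.CommonName)
	}
	return leaf.Subject.CommonName, nil
}

// RequireClientCert returns 401 unless the forwarded certificate verifies. Only meaningful when the
// service is reachable solely through a proxy that did the mTLS handshake and overwrites this header.
func (v Verifier) RequireClientCert(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := v.VerifyForwardedCert(r.Header.Get(clientCertHeader)); err != nil {
			http.Error(w, "client certificate rejected: "+err.Error(), http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	ca, caKey := newCert("Example Client CA", nil, nil)
	alice, _ := newCert("alice", ca, caKey)
	v := Verifier{Roots: x509.NewCertPool(), Allowed: map[string]bool{fingerprint(alice): true}}
	v.Roots.AddCert(ca)
	fmt.Println(v.VerifyForwardedCert(EncodeHeader(alice))) // same result whoever replays these bytes
}
```

Wire it as `v.RequireClientCert(yourHandler)`; the wrapper answers 401 for a missing, garbage, untrusted or non-allowlisted certificate. The check only carries weight if the Cloud Run service accepts traffic solely from the load balancer (the ingress setting that restricts it to internal traffic and Cloud Load Balancing) and the load balancer sets the header itself after a real mTLS handshake, discarding any copy the client sent. Without that, a replay of a legitimate public certificate passes exactly as the genuine presentation does, which is the gap the last reply is pointing at.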