# Manage resources across zones

This document describes how to manage resources across multiple zones
in a Google Distributed Cloud (GDC) air-gapped universe. Each surface, whether
the GDC console, gdcloud CLI, APIs, or Terraform, provides
mechanisms to manage your resources in a designated zone for zonal
resources, or globally for resources supported for global provisioning. In a
multi-zone universe, you must manage your zonal and global resources for high
availability.

This document is for IT administrators within the platform administrator group
who are responsible for developing disaster recovery workflows, and application
developers within the application operator group who are responsible for
developing and maintaining applications in a GDC
universe.

For more information, see
[Audiences for GDC air-gapped documentation](/distributed-cloud/hosted/docs/latest/gdch/resources/audiences).

Switch to the global context
----------------------------

Manage your resources globally by switching to the global context.

### GDC console

The global context is set by navigating to the global URL, which follows
this syntax:

    https://console.ORG_NAME.SUFFIX

Navigate to the global URL to have a global view of your resources across
zones.

### gdcloud

The global URL is set with the `organization_console_url` parameter when
initializing the
[gdcloud CLI default configuration](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-install#init-default-config).
The global context is assumed unless you have explicitly
set a zonal context.

To revert to the global URL, complete the following steps:

1. Set your default organization console URL to the global URL:

       gdcloud config set core/organization_console_url GLOBAL_URL

2. Sign in to the global context:

       gdcloud auth login --login-config-cert=CA_CERT

   Replace CA_CERT with the certificate authority (CA)
   certificate installed in the system's trusted certificates store. For more
   information, see
   [Web TLS certificate configuration](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/pki/web-tls-cert-config).

**Note:** If you set your zonal context with the `gdcloud config set core/zone` command, you must [reinitialize your gdcloud CLI instance](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-install#init-default-config) to reset back to the global context.

### API

You must explicitly define the kubeconfig file for the global management API
server in your kubectl commands when managing or provisioning global KRM API
custom resources. For example:

    kubectl apply -f resource.yaml --kubeconfig GLOBAL_API_SERVER

You can set the global context for your API calls automatically by setting
your kubectl context to the global API server. See
[Sign in](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/sign-in#cli) for details.

### Terraform

You must explicitly define the global management API server in your
Terraform module and initialize it:

1. Define the kubeconfig file for the global management API server in a
   Terraform file within your module, such as the `main.tf` file:

       provider "kubernetes" {
         config_path = "GLOBAL_API_SERVER"
       }

   See [Sign in](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/sign-in#cli) for details
   on how to acquire the kubeconfig file of the global management API server.

2. Apply the new global context for your Terraform module:

       terraform apply

All subsequent Terraform actions are called in the global context.

Switch to a zonal context
-------------------------

Manage the resources of a particular zone by switching to a zonal context.

### GDC console

The zonal context is set by navigating to the zonal URL, which follows this
syntax:

    https://console.ORG_NAME.ZONE.SUFFIX

Navigate to the zonal URL to view the resources that are hosted within the
single zone.

Many resource pages also offer zone scope pickers, which let you switch
between zonal contexts from within the GDC console page.

Select your zonal context from the provided mechanisms to view and manage
your zonal resources.

### gdcloud

Because the global context is configured by default when using the
gdcloud CLI, you must explicitly set your zonal context to
manipulate zonal resources. You can perform this action in one of the
following three ways, depending on your preferred workflow:

- **Set the default zone configuration**: Recommended if you primarily work in zonal contexts.
- **Set the zonal URL configuration**: Recommended if you plan to frequently switch between global and zonal contexts.
- **Apply the `--zone` flag**: Recommended if you want flexibility to directly apply a zonal context without any gdcloud CLI configuration updates.

Complete the following steps to apply one of these approaches:

**Set the default zone configuration**

- Set the zone configuration for your gdcloud CLI instance:

      gdcloud config set core/zone ZONE_NAME

  Replace ZONE_NAME with the name of the zone to set for
  your context. See List zones in a universe for
  instructions on finding a zone name.

  **Note:** The gdcloud CLI does not support unsetting a configuration. Therefore, to remove the zonal context configuration and revert back to the global context, you must [reinitialize your gdcloud CLI instance](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-install#init-default-config).

**Set the zonal URL configuration**

1. Set your default organization console URL to the zonal URL:

       gdcloud config set core/organization_console_url ZONAL_URL

2. Sign in to the zone:

       gdcloud auth login --login-config-cert=CA_CERT

   Replace CA_CERT with the certificate authority (CA)
   certificate installed in the system's trusted certificates store. For
   more information, see
   [Web TLS certificate configuration](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/pki/web-tls-cert-config).

**Apply the `--zone` flag**

- Run your gdcloud CLI command with the `--zone` flag included.
  For example:

      gdcloud auth print-identity-token --zone=ZONE_NAME

  You can set the `--zone` flag for any command that supports it. View
  the [gdcloud CLI reference documentation](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-reference/gdcloud)
  for your specific command to confirm the `--zone` flag is available.

  You can use the `--zone` flag from any global or zonal context.

### API

You must explicitly define the kubeconfig file for the zonal management API
server in your kubectl commands when managing or provisioning zonal KRM API
custom resources. For example:

    kubectl apply -f resource.yaml --kubeconfig ZONAL_API_SERVER

You can set the zonal context for your API calls automatically by setting
your kubectl context to the zone's management API server. See
[Sign in](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/sign-in#cli) for details.

### Terraform

You must explicitly define the zonal management API server in your Terraform
module and initialize it:

1. Define the kubeconfig file for the zonal management API server in a
   Terraform file within your module, such as the `main.tf` file:

       provider "kubernetes" {
         config_path = "ZONAL_API_SERVER"
       }

   See [Sign in](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/sign-in#cli) for details
   on how to acquire the kubeconfig file of the zonal management API server.

2. Apply the new zonal context for your Terraform module:

       terraform apply

All subsequent Terraform actions are called in the context of the zone you
configured.

List zones in a universe
------------------------

To list all zones in your universe, run:

    gdcloud zones list

The output looks similar to the following:

    METADATA.NAME
    us-east1-a
    us-east1-b
    us-east1-c

What's next
-----------

- Learn about the [global and zonal API servers](/distributed-cloud/hosted/docs/latest/gdch/resources/multi-zone/api-servers) available in a GDC universe.
- Explore the [High availability guide](/distributed-cloud/hosted/docs/latest/gdch/platform-application/pa-ao-operations/ha-apps/overview) to ensure your application is resilient to local zone failures.
- Visit the [gdcloud CLI reference pages](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-reference/gdcloud) for a comprehensive list of gdcloud CLI commands that are available.
- To configure Terraform, see the [Terraform overview](/distributed-cloud/hosted/docs/latest/gdch/resources/terraform).

Last updated 2025-08-29 UTC.
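
The following shell check is an added example, not part of the GDC documentation or tooling. It classifies a console URL as global or zonal before the URL is passed to `gdcloud config set core/organization_console_url`, using the two URL syntaxes and the `gdcloud zones list` output format shown on this page. The organization `org-1`, the suffix `gdc.example`, the helper names `parse_zones` and `classify_console_url`, and the embedded zone list are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not GDC code). org-1, gdc.example and the zone list are constructed.

# Constructed sample of `gdcloud zones list` output, in the format shown on this page.
SAMPLE_ZONES_OUTPUT='METADATA.NAME
us-east1-a
us-east1-b
us-east1-c'

# parse_zones: read `gdcloud zones list` output on stdin, print one zone per line.
# Drops the METADATA.NAME header and blank lines, trims surrounding whitespace.
parse_zones() {
  awk '{ gsub(/^[ \t]+|[ \t]+$/, "") }
       $0 != "" && $0 != "METADATA.NAME" { print }'
}

# classify_console_url URL ORG SUFFIX ZONES
# Prints "global", "zonal:<zone>" or "invalid"; returns non-zero for "invalid".
# SUFFIX may contain dots, so counting labels cannot tell the two forms apart:
# the zone label is accepted only when it exactly matches a listed zone name.
classify_console_url() {
  local url="$1" org="$2" suffix="$3" zones="$4" host zone
  case "$url" in
    https://*) host="${url#https://}" ;;
    *) echo invalid; return 1 ;;            # only the https form from the page
  esac
  host="${host%/}"                          # tolerate one trailing slash
  case "$host" in
    */*|*:*|*@*) echo invalid; return 1 ;;  # no path, port or userinfo expected
  esac
  if [ "$host" = "console.$org.$suffix" ]; then
    echo global; return 0
  fi
  case "$host" in
    "console.$org."*".$suffix")
      zone="${host#"console.$org."}"
      zone="${zone%".$suffix"}"
      if [ -n "$zone" ] && printf '%s\n' "$zones" | grep -Fxq -- "$zone"; then
        echo "zonal:$zone"; return 0
      fi ;;
  esac
  echo invalid; return 1
}

ZONES="$(printf '%s\n' "$SAMPLE_ZONES_OUTPUT" | parse_zones)"
classify_console_url "https://console.org-1.us-east1-b.gdc.example" org-1 gdc.example "$ZONES"
```

In real use, feed `parse_zones` from `gdcloud zones list` and run the classifier on the URL you intend to set, so a mistyped zone or a non-HTTPS URL is caught before `gdcloud auth login` runs against it.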