How to Configure SSL for Your Intercom Help Center Custom Domain with Google Cloud

Recently we migrated our help docs over to Intercom Articles so we could take advantage of the very slick integrations it has with Intercom Messenger (which we absolutely love, and have been using to support our customers via chat / email for over 2 years now).

We had 3 main technical requirements for our Help Center:

1. We wanted to use a custom domain (learn.gqueues.com).
2. It needed to be served over a secure connection (HTTPS)
3. We wanted to use Google Cloud for any SSL configuration. (GQueues is built on Google Cloud and we didn’t want another account on a different platform with all the extra administrative tasks that would entail.)

Intercom has a great help doc on how to set up custom domains for Articles.  It’s a pretty straight-forward process to add your domain and create a CNAME record in your DNS provider. But, this process doesn’t support HTTPS.

Intercom also explains how to configure SSL using Cloudflare and AWS (CloudFront). Super helpful if you’re already on those platforms, but this didn’t meet our third requirement of using Google Cloud.

I scoured the internet for steps on how to set this up and found nothing. So I set about to figure it out myself!

The biggest challenge was figuring out which Google Cloud product to use, because, well, Google Cloud’s product naming strategy is a bit convoluted. Once I determined we should use a global external HTTPS load balancer with an Internet NEG as an external backend, I was well on my way!

Architecture

The architecture is just complicated enough that I found it useful to map out the flow through the various components.

6 steps to secure your Intercom Help Center with Google Cloud

You can follow these 6 quick steps to set up the system for your own Help Center.

(Okay - it’s actually a very involved process with many sub-steps, but we’ll walk you through every detail 😊 )

1. Create an Internet Network Endpoint Group (NEG)

The Internet NEG connects the load balancer to Intercom Articles. Start by going to Network endpoint groups in your Google Cloud Console and click CREATE NETWORK ENDPOINT GROUP.

‍

Fill in the fields as shown in the example below. The important detail is using “custom.intercom.help” as the fully qualified domain name (which I determined from Intercom’s CloudFront article).

Google Cloud Help Doc: Creating the NEG and internet endpoint

2. Create an external HTTP(S) load balancer

There are lots of steps to setting up a load balancer, and fortunately Google Cloud provides a decent “wizard” to walk you through the process.  We’ll break down each step with all the details needed for proper configuration.

2.1 Choose the load balancer type and start configuring

Go to Load balancing in your Google Cloud Console and click CREATE LOAD BALANCER.

‍
In the box for HTTP(S) Load Balancing click START CONFIGURATION.

Choose From Internet to my VMS or serverless services and Classic HTTP(S) Load Balancer and click CONTINUE.

Enter a name for the load balancer. I standardized how I named everything to help keep things straight: “intercom-help-” followed by the name of the particular object.

2.2 Create a Backend Service

In the Backend configuration panel choose CREATE A BACKEND SERVICE.

Give the backend service a name, choose Internet network endpoint group as the type, and select intercom-help-neg (the NEG you created in step 1).

Make your choices for the remaining optional settings. I chose to Enable Cloud CDN, which noticeably decreased the load time of articles in our Help Center. After choosing your desired options click CREATE.

2.3 Set host and path rules

You can use the default settings (Simple host and path rule) for this section because you want all traffic that goes to the load balancer to be served by the backend service you just created.

2.4 Create and configure a frontend

Name the frontend and choose HTTPS as the protocol.

In the IP address field, choose CREATE IP ADDRESS.

Note: An Ephemeral IP will not work, because later you will enter the IP address in your DNS provider, so it needs to be permanent to properly map your subdomain to the load balancer.

Name the IP address and click RESERVE.

In the Certificate field choose to CREATE A NEW CERTIFICATE.

You can choose to upload a certificate if you’ve already purchased one somewhere else, or create a Google-managed certificate. I went with the managed option, because it’s free (included in the cost of the load balancer) and requires no effort on my part to set it up and keep it current. Either way, you’ll want to make sure the certificate is for the subdomain you plan to use for your Intercom Help Center.

Name your certificate, enter the domain, and click CREATE.

Check Enable HTTP to HTTPS redirect, which automatically creates an additional partial HTTP load balancer consisting of a URL map, a forwarding rule, and a target HTTP proxy. This partial HTTP load balancer uses the same IP address as your HTTPS load balancer and redirects HTTP requests to your load balancer's HTTPS frontend. It uses 301 Moved Permanently as the default redirect response code.

If you don’t check this box, then you can still manually set it up later.

2.5. Review load balancer settings and create

Review everything you’ve set up and then click CREATE. It will take a few minutes for the load balancer to activate.

3. Review the HTTP to HTTPS Redirect

On the load balancer page you will notice a partial HTTP load balancer was automatically created for you that redirects traffic from HTTP to HTTPS. If you did not enable this option earlier, you can create the redirect yourself following these steps.

4. Review the load balancer and IP address

The load balancer you configured appears in the list now.

Click on it to review the settings, and copy the static IP address that was created.

5. Create an A record with your DNS provider

Now you can connect your subdomain to the load balancer by creating an A record. Go to your DNS provider and create a new A record with your subdomain and the IP address you copied earlier.

It will probably take several minutes for the A record to propagate and become active.  After it’s active, it will take another 10 minutes or so for the Google-managed SSL certificate to be provisioned (note: provisioning only starts once the A record has been set).

You can check the status of your SSL certificate in the Google Cloud Console.

Once it’s provisioned the status will turn to Active.

6. Configure Intercom Articles and test

Finally, go to your Intercom account -> Articles -> Settings and click on Set up the basics.

Here you can enter your custom subdomain and click Close.

Now test your custom domain and it should show your Intercom Help Center, served over HTTPS with a Google-managed SSL certificate.

Here’s what our Help Center at learn.gqueues.com looks like, with the certificate details:

Costs

At the time of this writing, Google Cloud charges 2.5 cents per hour for the Load Balancer, which comes to about $18 per month. You can view the latest pricing here to estimate your own costs.

Final thoughts

It definitely takes some effort to set up and configure a load balancer on Google Cloud and connect it to Intercom. We’re very happy with the result though -- everything is managed in Google Cloud, the charges are added to our existing bill, and the CDN makes our help articles load faster!

Hopefully these steps save you the hours (days!) of effort it took me to figure it all out 😊