When you integrate with VGS, traffic passes by default through a VGS proxy hostname of the form tntdcjppp6x.sandbox.verygoodproxy.com or tntdcjppp6x.live.verygoodproxy.com, where tntdcjppp6x is your tenant identifier. Custom Hostnames make a Vault accessible at a non-VGS domain name (for example, www.customdomain.com), so requests made through VGS reflect your domain alias.

Custom Hostnames are available for all customers. When you add a CNAME, VGS provisions a TLS certificate for it. Each TLS certificate for a Custom Hostname costs $40 per month.

Custom Hostnames provide several benefits:

  • Branded visitor experience. Your site visitors will seamlessly transition between VGS and Client without recognizing that the content exists on two separate domains.
  • Automated provisioning and management of the entire TLS certificate lifecycle by VGS.
  • Ability to configure multiple inbound routes.


CNAME: a canonical name, an entry within the Domain Name System (DNS) that specifies where someone can find your web pages.

Default hostname: VGS term for the default domain with the form {{environment}}.verygoodsecurity.com

Domain alias: term for additional custom domains assigned to a site.

DNS provider: a company that maintains the DNS servers that translate a domain name to a destination.

TLS certificate: TLS stands for Transport Layer Security. TLS and its now-deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network.

Add a Custom Hostname

Add a new CNAME, and VGS will issue a TLS certificate for it.

Dedicated TLS certificates are automatically generated and propagated through our global content delivery network, providing robust encryption, along with lightning-fast performance and compatibility.

Add a Custom Hostname on the dashboard:

  1. Log in to the VGS dashboard.
  2. Go to the Vault Settings > Custom Hostnames
  3. Click Add
  4. Enter the domain alias (CNAME domain), for example, payments.customdomain.com
  5. Click Save

The validation and deployment process completes in ~90 seconds. After adding the Custom Hostname, view the provisioning status under the Status column in the CNAMEs section. Provisioning takes up to 30 minutes. VGS defaults to auto-renewal of the TLS certificate.

If the provisioning was successful, the status will change from ‘Provisioning’ to ‘Valid’.

If the hostname is invalid:

  • Visit your DNS provider
  • Add a CNAME record for mydomain pointing to either <tenant_id>.sandbox.verygoodproxy.com or <tenant_id>.live.verygoodproxy.com

If you’ve already done this, allow up to 24 hours for the changes to propagate. Once issued, certificates are valid for one (1) year, and renew automatically 30 days before expiration. Renewals require no action from your side.

Add Custom Hostname to inbound route

To assign a custom hostname to an inbound route:

  1. Go to Routes and click Manage

  2. Click the + icon in the Custom Hostnames section

  3. Select a custom hostname from the list or add a new CNAME

  4. Save the route

The default CNAME is the VGS hostname used by your service(s). The default CNAME can be used only once. To change it, choose one of the CNAMEs from the list and then remove the default one.

Removing a CNAME

  1. Go to the Vault Settings > Custom Hostnames
  2. Press the ‘delete’ icon next to the custom hostname that needs to be removed.

CNAMEs Errors

A CNAME can become invalid. If, for instance, the CNAME value points to the incorrect domain, the status field on the Custom Hostnames tab changes from ‘Valid’ to ‘Invalid’.
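
One way to check from your side that a custom hostname's CNAME ends at your vault's proxy hostname, as an added example that is not VGS code: it follows the CNAME chain and flags a record that points at a different verygoodproxy.com name or away from VGS entirely. The verdict labels, MAX_HOPS, the dig-based lookup and the sample records are assumptions of this example.

```python
import subprocess

VGS_SUFFIX = ".verygoodproxy.com"  # proxy domain named on this page
MAX_HOPS = 8                       # assumption: cap on CNAME chain length

# Constructed sample records (not real DNS data). tntdcjppp6x is the page's
# example tenant id; tntaaaaaaaa is a made-up second tenant.
SAMPLE = {
    "payments.customdomain.com": "tntdcjppp6x.live.verygoodproxy.com.",
    "pay.customdomain.com": "edge.customdomain.com.",
    "edge.customdomain.com": "TNTDCJPPP6X.sandbox.verygoodproxy.com.",
    "old.customdomain.com": "tntaaaaaaaa.live.verygoodproxy.com.",
    "shop.customdomain.com": "shop.example.net.",
}

def norm(name):
    """Lowercase and drop the trailing root dot so names compare equal."""
    return name.strip().rstrip(".").lower()

def dig_lookup(name):
    """CNAME target of `name` via dig, or None when it has no CNAME record."""
    out = subprocess.run(["dig", "+short", name, "CNAME"],
                         capture_output=True, text=True, timeout=10).stdout
    answers = out.split()
    return answers[0] if answers else None

def check_cname(hostname, tenant_id, lookup=dig_lookup):
    """Follow the CNAME chain and return (verdict, chain).

    Verdicts are this example's own labels, not dashboard statuses.
    """
    expected = {norm(f"{tenant_id}.{env}{VGS_SUFFIX}") for env in ("sandbox", "live")}
    chain = [norm(hostname)]
    for _ in range(MAX_HOPS):
        target = lookup(chain[-1])
        if target is None:
            break
        target = norm(target)
        if target in chain:                  # record chain points back at itself
            return "loop", chain + [target]
        chain.append(target)
        if target in expected:               # reached this tenant's proxy hostname
            return "ok", chain
        if target.endswith(VGS_SUFFIX):      # a VGS name, but not this tenant's
            return "wrong-vgs-target", chain
    return ("no-cname" if len(chain) == 1 else "not-vgs"), chain

if __name__ == "__main__":
    for host in SAMPLE:
        print(host, *check_cname(host, "tntdcjppp6x", SAMPLE.get))
```

Called without the third argument, check_cname queries live DNS through dig; pass any callable that maps a name to its CNAME target to test against fixed records.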