diff --git a/src/app_charts/base/cloud/domain-redirect.yaml b/src/app_charts/base/cloud/domain-redirect.yaml
index c1c3c36e..168cd770 100644
--- a/src/app_charts/base/cloud/domain-redirect.yaml
+++ b/src/app_charts/base/cloud/domain-redirect.yaml
@@ -20,4 +20,23 @@ spec:
 name: dummy
 port:
 number: 80
-{{ end }}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: domain-redirect
+spec:
+ hostnames:
+ - "www.endpoints.{{ .Values.project }}.cloud.goog"
+ parentRefs:
+ - name: crc-gateway
+ namespace: default
+ sectionName: https
+ rules:
+ - filters:
+ - type: RequestRedirect
+ requestRedirect:
+ scheme: https
+ hostname: {{ .Values.domain }}
+ statusCode: 301
+{{- end }}
diff --git a/src/app_charts/base/cloud/kubernetes-api.yaml b/src/app_charts/base/cloud/kubernetes-api.yaml
index e14d911b..315775b3 100644
--- a/src/app_charts/base/cloud/kubernetes-api.yaml
+++ b/src/app_charts/base/cloud/kubernetes-api.yaml
@@ -1,4 +1,4 @@
-{{ if eq .Values.onprem_federation "true" }}
+{{- if eq .Values.onprem_federation "true" }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
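Review bot: In the `domain-redirect` HTTPRoute added to domain-redirect.yaml, `hostname: {{ .Values.domain }}` is rendered unquoted, although the `hostnames` entry a few lines above it is quoted. If `domain` is ever empty the field renders as YAML null, and Gateway API then keeps the request's own host for the redirect, which would send the `www.endpoints…` name back to itself. I would write `hostname: {{ .Values.domain | quote }}`, or use `required` if an empty domain should fail the render. The same unquoted `- {{ $.Values.domain }}` form appears in the `hostnames` lists of the kubernetes-api, oauth2-proxy, k8s-relay, grafana, prometheus and prometheus-relay hunks. The enclosing `{{ if }}` opens outside this hunk.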
@@ -23,4 +23,46 @@ spec:
 name: kubernetes
 port:
 number: 443
-{{ end }}
\ No newline at end of file
+---
+{{- range list "" "-auth" }}
+{{- $sectionName := "https" }}{{ if eq . "-auth" }}{{ $sectionName = "http" }}{{ end }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: kubernetes-api{{ . }}
+spec:
+ hostnames:
+ - {{ $.Values.domain }}
+ parentRefs:
+ - name: crc{{ . }}-gateway
+ namespace: default
+ sectionName: {{ $sectionName }}
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /apis/core.kubernetes
+{{- if eq . "-auth" }}
+ filters:
+ - type: URLRewrite
+ urlRewrite:
+ path:
+ type: ReplaceFullPath
+ replaceFullPath: /auth
+ backendRefs:
+ - name: cr-syncer-auth-webhook
+ port: 80
+{{- else }}
+ filters:
+ - type: URLRewrite
+ urlRewrite:
+ path:
+ type: ReplacePrefixMatch
+ replacePrefixMatch: /
+ backendRefs:
+ - name: kubernetes
+ port: 443
+{{- end }}
+---
+{{- end }}
+{{- end }}
diff --git a/src/app_charts/base/cloud/oauth2-proxy.yaml b/src/app_charts/base/cloud/oauth2-proxy.yaml
index e5c92a9b..9b907a40 100644
--- a/src/app_charts/base/cloud/oauth2-proxy.yaml
+++ b/src/app_charts/base/cloud/oauth2-proxy.yaml
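Review bot: The non-auth rule in kubernetes-api.yaml forwards to `kubernetes` on port 443, but nothing in this hunk tells the gateway to speak TLS to that backend. Gateway API treats an HTTPRoute backend as plain HTTP unless a BackendTLSPolicy (or an implementation-specific equivalent) targets the Service, so these requests either fail at the API server or depend on configuration outside this diff. If such a policy exists elsewhere, name it in a comment above `backendRefs`, e.g. `# TLS to the API server is configured by <policy name>`. A second comment should state that the `kubernetes-api-auth` route on `crc-auth-gateway` is the authorization check for this path, because the two rendered routes are independent objects and nothing in this file ties the public one to its check.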
@@ -99,4 +99,50 @@ spec:
 name: oauth2-proxy
 port:
 name: http
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: oauth2-proxy
+spec:
+ hostnames:
+ - {{ .Values.domain }}
+ parentRefs:
+ - name: crc-gateway
+ namespace: default
+ sectionName: https
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /web-apis
+ filters:
+ - type: URLRewrite
+ urlRewrite:
+ path:
+ type: ReplacePrefixMatch
+ replacePrefixMatch: /apis
+ backendRefs:
+ - name: oauth2-proxy
+ port: 80
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: oauth2-proxy-interactive
+spec:
+ hostnames:
+ - {{ .Values.domain }}
+ parentRefs:
+ - name: crc-gateway
+ namespace: default
+ sectionName: https
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /oauth2
+ backendRefs:
+ - name: oauth2-proxy
+ port: 80
 {{ end }}
diff --git a/src/app_charts/k8s-relay/cloud/http-route.yaml b/src/app_charts/k8s-relay/cloud/http-route.yaml
new file mode 100644
index 00000000..1c22f541
--- /dev/null
+++ b/src/app_charts/k8s-relay/cloud/http-route.yaml
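Review bot: The `oauth2-proxy` and `oauth2-proxy-interactive` routes in oauth2-proxy.yaml have no `crc-auth-gateway` counterpart and no comment explaining why, unlike the kubernetes-api, relay, grafana and prometheus routes in this change. Presumably oauth2-proxy authenticates `/web-apis` and `/oauth2` itself, but anyone auditing which paths are reachable without a prior check has to guess. A one-line comment above each `metadata`, such as `# no -auth route: oauth2-proxy authenticates this path itself`, would settle it. Separately, the Ingress context above addresses the Service port by name (`http`) while the new `backendRefs` hard-code `port: 80`, so confirm the Service exposes that number.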
@@ -0,0 +1,81 @@
+{{- range list "" "-auth" }}
+{{- $sectionName := "https" }}{{ if eq . "-auth" }}{{ $sectionName = "http" }}{{ end }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: kubernetes-relay-client{{ . }}
+spec:
+ hostnames:
+ - {{ $.Values.domain }}
+ parentRefs:
+ - name: crc{{ . }}-gateway
+ namespace: default
+ sectionName: {{ $sectionName }}
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /apis/core.kubernetes-relay/client
+{{- if eq . "-auth" }}
+ filters:
+ - type: URLRewrite
+ urlRewrite:
+ path:
+ type: ReplaceFullPath
+ replaceFullPath: /apis/core.token-vendor/v1/token.verify
+ backendRefs:
+ - name: token-vendor
+ namespace: app-token-vendor
+ port: 80
+{{- else }}
+ filters:
+ - type: URLRewrite
+ urlRewrite:
+ path:
+ type: ReplacePrefixMatch
+ replacePrefixMatch: /client
+ backendRefs:
+ - name: kubernetes-relay-server
+ port: 80
+{{- end }}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: kubernetes-relay-server{{ . }}
+spec:
+ hostnames:
+ - {{ $.Values.domain }}
+ parentRefs:
+ - name: crc{{ . }}-gateway
+ namespace: default
+ sectionName: {{ $sectionName }}
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /apis/core.kubernetes-relay/server
+{{- if eq . "-auth" }}
+ filters:
+ - type: URLRewrite
+ urlRewrite:
+ path:
+ type: ReplaceFullPath
+ replaceFullPath: /apis/core.token-vendor/v1/token.verify?robots=true
+ backendRefs:
+ - name: token-vendor
+ namespace: app-token-vendor
+ port: 80
+{{- else }}
+ filters:
+ - type: URLRewrite
+ urlRewrite:
+ path:
+ type: ReplacePrefixMatch
+ replacePrefixMatch: /server
+ backendRefs:
+ - name: kubernetes-relay-server
+ port: 80
+{{- end }}
+---
+{{- end }}
diff --git a/src/app_charts/prometheus/cloud/grafana-http-route.yaml b/src/app_charts/prometheus/cloud/grafana-http-route.yaml
new file mode 100644
index 00000000..164923cc
--- /dev/null
+++ b/src/app_charts/prometheus/cloud/grafana-http-route.yaml
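Review bot: Both `-auth` rules in k8s-relay/cloud/http-route.yaml reference `token-vendor` in `namespace: app-token-vendor`, and a cross-namespace `backendRefs` entry is only honoured when a ReferenceGrant in the target namespace permits it; none is added in this diff. Without the grant the route resolves to no backend and the verification call fails, so it is worth confirming the grant exists and that the main gateway denies the request when the check errors. A comment above the entry, such as `# requires a ReferenceGrant in app-token-vendor for HTTPRoutes from this namespace`, would record the dependency. In the server route, `replaceFullPath: /apis/core.token-vendor/v1/token.verify?robots=true` puts a query string into a field defined as a path; whether `?robots=true` reaches token-vendor as a query parameter is implementation-dependent and should be tested. The prometheus-relay hunk uses the same value.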
@@ -0,0 +1,43 @@
+{{- range list "" "-auth" }}
+{{- $sectionName := "https" }}{{ if eq . "-auth" }}{{ $sectionName = "http" }}{{ end }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: grafana{{ . }}
+ labels:
+ app.kubernetes.io/name: {{ $.Chart.Name }}
+spec:
+ hostnames:
+ - {{ $.Values.domain }}
+ parentRefs:
+ - name: crc{{ . }}-gateway
+ namespace: default
+ sectionName: {{ $sectionName }}
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /grafana
+{{- if eq . "-auth" }}
+ filters:
+ - type: URLRewrite
+ urlRewrite:
+ path:
+ type: ReplaceFullPath
+ replaceFullPath: {{ tpl $.Values.gf_ingress_auth_url $ }}
+ backendRefs:
+ - name: oauth2-proxy
+ port: 80
+{{- else }}
+ filters:
+ - type: URLRewrite
+ urlRewrite:
+ path:
+ type: ReplacePrefixMatch
+ replacePrefixMatch: /
+ backendRefs:
+ - name: prom-grafana
+ port: 80
+{{- end }}
+---
+{{- end }}
diff --git a/src/app_charts/prometheus/cloud/prometheus-http-route.yaml b/src/app_charts/prometheus/cloud/prometheus-http-route.yaml
new file mode 100644
index 00000000..f8613699
--- /dev/null
+++ b/src/app_charts/prometheus/cloud/prometheus-http-route.yaml
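Review bot: In the `-auth` rule of grafana-http-route.yaml, `replaceFullPath: {{ tpl $.Values.gf_ingress_auth_url $ }}` feeds a value whose name suggests a full auth URL into a field that accepts only an absolute path. If the value still carries a scheme and host, the rendered route is invalid or rewrites to an unintended path, and the auth check for `/grafana` would not behave as intended. I would render it as `replaceFullPath: {{ tpl $.Values.gf_ingress_auth_url $ | quote }}` and document in the values file that it must be a path starting with `/`. The `oauth2-proxy` backend is referenced without a namespace, so it resolves in the route's own namespace; if oauth2-proxy is deployed by the base chart elsewhere, a `namespace:` and a matching ReferenceGrant are needed. The prometheus-http-route.yaml hunk has the same two issues with `prom_ingress_auth_url`.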
@@ -0,0 +1,43 @@
+{{- range list "" "-auth" }}
+{{- $sectionName := "https" }}{{ if eq . "-auth" }}{{ $sectionName = "http" }}{{ end }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: prometheus{{ . }}
+ labels:
+ app.kubernetes.io/name: {{ $.Chart.Name }}
+spec:
+ hostnames:
+ - {{ $.Values.domain }}
+ parentRefs:
+ - name: crc{{ . }}-gateway
+ namespace: default
+ sectionName: {{ $sectionName }}
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /prometheus
+{{- if eq . "-auth" }}
+ filters:
+ - type: URLRewrite
+ urlRewrite:
+ path:
+ type: ReplaceFullPath
+ replaceFullPath: {{ tpl $.Values.prom_ingress_auth_url $ }}
+ backendRefs:
+ - name: oauth2-proxy
+ port: 80
+{{- else }}
+ filters:
+ - type: URLRewrite
+ urlRewrite:
+ path:
+ type: ReplacePrefixMatch
+ replacePrefixMatch: /
+ backendRefs:
+ - name: kube-prometheus
+ port: 9090
+{{- end }}
+---
+{{- end }}
diff --git a/src/app_charts/prometheus/cloud/prometheus-relay.yaml b/src/app_charts/prometheus/cloud/prometheus-relay.yaml
index 5048ce9f..cc9ae0be 100644
--- a/src/app_charts/prometheus/cloud/prometheus-relay.yaml
+++ b/src/app_charts/prometheus/cloud/prometheus-relay.yaml
@@ -102,3 +102,47 @@ spec:
 selector:
 matchLabels:
 app: prometheus-relay-server
+---
+{{- range list "" "-auth" }}
+{{- $sectionName := "https" }}{{ if eq . "-auth" }}{{ $sectionName = "http" }}{{ end }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: prometheus-relay-server{{ . }}
+ labels:
+ app.kubernetes.io/name: {{ $.Chart.Name }}
+spec:
+ hostnames:
+ - {{ $.Values.domain }}
+ parentRefs:
+ - name: crc{{ . }}-gateway
+ namespace: default
+ sectionName: {{ $sectionName }}
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /apis/core.prometheus-relay/server
+{{- if eq . "-auth" }}
+ filters:
+ - type: URLRewrite
+ urlRewrite:
+ path:
+ type: ReplaceFullPath
+ replaceFullPath: /apis/core.token-vendor/v1/token.verify?robots=true
+ backendRefs:
+ - name: token-vendor
+ port: 80
+{{- else }}
+ filters:
+ - type: URLRewrite
+ urlRewrite:
+ path:
+ type: ReplacePrefixMatch
+ replacePrefixMatch: /server
+ backendRefs:
+ - name: prometheus-relay-server
+ port: 80
+{{- end }}
+---
+{{- end }}
diff --git a/src/app_charts/token-vendor/cloud/http-route.yaml b/src/app_charts/token-vendor/cloud/http-route.yaml
index 6458be1c..bf38bcd4 100644
--- a/src/app_charts/token-vendor/cloud/http-route.yaml
+++ b/src/app_charts/token-vendor/cloud/http-route.yaml
@@ -1,5 +1,5 @@
 {{- range list "" "-auth" }}
-{{- $sectionName := "https" }}{{ if eq . "-auth" }}{{ $sectionName = "http" }}{{ end -}}
+{{- $sectionName := "https" }}{{ if eq . "-auth" }}{{ $sectionName = "http" }}{{ end }}
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
diff --git a/src/bootstrap/cloud/terraform/.terraform.lock.hcl b/src/bootstrap/cloud/terraform/.terraform.lock.hcl
new file mode 100644
index 00000000..2fb94548
--- /dev/null
+++ b/src/bootstrap/cloud/terraform/.terraform.lock.hcl
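Review bot: The `-auth` rule in prometheus-relay.yaml references `token-vendor` with no `namespace`, whereas the k8s-relay routes in this same change use `namespace: app-token-vendor` for that backend. A `backendRefs` entry without a namespace resolves in the route's own namespace, so unless a `token-vendor` Service also exists in the prometheus chart's namespace the verification route for `/apis/core.prometheus-relay/server` has no backend. I would add `namespace: app-token-vendor` under `- name: token-vendor` and make sure a ReferenceGrant covers this namespace. It is also worth confirming that the main gateway rejects requests when the auth route cannot be resolved.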
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.30.0"
+ hashes = [
+ "h1:1WM1iHQdoYqqx2LWOgWGQ83JbKwgTwAefdBNZA4tt4I=",
+ "zh:0cda2cc03f7bf000d9bc66bc0fab621de4c104b329cab348e0ceb6146ab27251",
+ "zh:2c75a1ea53b21646681e49fbdf0a599817c2f400f1e73d7779f0e3e1d230e6f3",
+ "zh:34ab9dab67230adaee6a9cd6861cba969555777ca6eb0ae1d2ac7b1f3cb73832",
+ "zh:45d5d7ee38fb7bf58dd19b774dd637f3cb9caef1d1930dde594467dde7fdea50",
+ "zh:651ffd36697d8268471d50d0fae664549b7f1e627c03d6e90f80172947f7b1d4",
+ "zh:8557db0beb201ba8ba70a7a38ba8d1ce9ffb9e98c616b89f6e3c2203e0528803",
+ "zh:b6a2e53809e0827cb7c47b1279c3511223898f7e3c1536f74ba057d99c72c2e9",
+ "zh:bf4aea9d1eb663df9d458c974d2e3f9ca7f724280a103706d0a2b1597593c7af",
+ "zh:c5f0160e0658d75b4a339b18f7a544e721f3750e26b97fc4887e98b8e085ffff",
+ "zh:e41a215491c64b535eda5585139dab0a32836e631b470cc520ceef4aa9ce7748",
+ "zh:e490061ab15c6053c651a7996a9c77cacdb83528ed49d0460c9621e93ad7d0cf",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}