Skip to main content
GetInlytics.
Blog/Google Tag Gateway
Tracking Guide

Google Tag Gateway Setup: Every Option Explained (Cloudflare, GCP, CDN, and Server-Side GTM)

Google Tag Gateway lets your site serve Google tags and route measurement hits through your own domain instead of googletagmanager.com - making analytics traffic look first-party to ad blockers, Safari ITP, and corporate privacy filters. Google reports a median 11% improvement in measurement signal for advertisers who turn it on, and it is free. The catch is that "set up Google Tag Gateway" means four different things depending on your infrastructure. This guide covers all four, plus how to verify it is actually working.

By GetInlytics·11 min read·June 2026
Abstract illustration of website traffic and analytics tags routing through a gateway to cloud servers, representing Google Tag Gateway first-party measurement routing

How Google Tag Gateway works

In a standard setup, your page requests gtm.js from googletagmanager.com, and when tags fire, hits go straight from the browser to google-analytics.com or googleadservices.com. Every one of those cross-origin requests is visible to - and blockable by - privacy tooling.

With Google Tag Gateway, two things change:

Script serving

Your page requests the Google tag from a path on your own domain, for example yourdomain.com/a8x2/gtm.js. Your CDN receives that request, fetches the actual script from Google's gateway endpoint ([TAG-ID].fps.goog), and serves it back as if it were your own file.

Measurement routing

When tags fire, hits are sent to that same first-party path on your domain, and your CDN forwards them on to the correct Google product.

The measurement path defaults to a random four-character string, so it does not collide with anything on your site and is not easily fingerprinted by blocklists. Two things are worth clarifying up front:

GTG is a proxy, not a processing layer. It forwards requests; it does not let you inspect, transform, or filter data in transit. That is what server-side GTM does - the two are complementary, not interchangeable.
GTG does not bypass consent. Consent Mode v2 signals are respected exactly as before. What GTG recovers is the consented measurement that was being lost to technical blocking.

Setup option 1: Cloudflare (the 15-minute path)

If your site is already behind Cloudflare, this is the path Google built for you. The integration is native, free on both sides, and gateway-routed requests do not count toward Cloudflare usage or billing - including on the free plan.

What you need: a GTM container (or Google tag) live on your site, your domain on Cloudflare, and a Cloudflare user with Super Administrator, Administrator, or Zaraz Admin role.

The setup, end to end:

1In Google Tag Manager, go to Admin → Google tag gateway (the same flow exists in GA4 Admin and Google Ads).
2Review the measurement path. The default is a random 4-character path, customisable (for example /metrics) as long as it is not already used on your site.
3Click Sign into Cloudflare and authorise Google's access - this lets Google read your zones and create the routing automatically.
4Click Manage domains, select the domains to enable, and click Done. Closing the panel without clicking Done resets your selections.
5Click Save. Google creates all routing rules in Cloudflare's backend automatically - no DNS edits, no page rules, no code changes.

Domains then appear with one of four statuses: First-party (active), Not started, Paused, or Pending (enabled, no diagnostic data yet - normal in the first few hours).

Who this is for: any site already on Cloudflare. If you are on Cloudflare, there is essentially no reason to do this manually.

Setup option 2: Google Cloud Load Balancer (for GCP-hosted sites)

If your infrastructure runs on Google Cloud behind an external Application Load Balancer, there is a parallel in-UI flow driven from Google Ads.

What you need: the Google Tag Gateway Admin IAM role in your Google Cloud project, an existing external Application Load Balancer, and publish permissions on the relevant GTM containers.

The flow walks you through selecting your project, confirming the load balancer, customising the pre-selected domains, and completing setup. Behind the scenes, it provisions a backend service that handles geolocation lookup and forwards measurement traffic to Google, with a path rule (for example /metrics/*) prioritised above default routing.

Who this is for: companies hosting on GCP with load balancer infrastructure - typically larger, engineering-led organisations.

Setup option 3: Manual setup on other CDNs (Akamai, Fastly, CloudFront, Cloudflare manual)

Google publishes official self-service guides for Cloudflare (manual), Akamai, Fastly, and Google Cloud, and the same pattern extends to AWS CloudFront and any CDN that can forward requests to an external endpoint.

The pattern is always the same three jobs:

1Route the measurement path - requests to yourdomain.com/[path]/* are forwarded to [TAG-ID].fps.goog.
2Do not cache, and allow POST - tag scripts must not be cached at the edge, and measurement hits arrive as POST requests.
3Forward geolocation headers, or your GA4 geo reports degrade into (not set).

Per provider:

Akamai - in Property Manager, add the Google Tag Gateway behavior with your tag ID and serving path, plus a child rule matching /[path]/* that allows POST and disables the Edge Redirector Cloudlet. One rule per Google tag ID.
Fastly - the most technical option: a condition matching your measurement path, a host pointing at fps.goog, and VCL snippets (vcl_miss and vcl_pass) that inject the tag ID and geolocation headers.
AWS CloudFront - a new origin pointing to [TAG-ID].fps.goog, a new behavior with the CachingDisabled cache policy and the AllViewerExceptHostHeader origin request policy, with precedence above your other behaviors.
Cloudflare (manual) - a CNAME record for routing, an Origin Rule to forward requests, and Add Visitor Location Headers enabled in Transform Rules.

Budget around two hours if you already know your CDN. DNS-level changes can take up to 72 hours to propagate.

Not for: Shopify and similar hosted platforms where you have no CDN control - currently Google Tag Gateway's most significant structural limitation.

Setup option 4: GTG + CDN + server-side GTM (Google's recommended architecture)

GTG alone gets your scripts and hits onto first-party rails, but the data still flows to Google exactly as the browser produced it. Server-side GTM alone gives you a processing layer, but gtm.js is typically still served from Google's domain. Combining the two closes both gaps:

A CDN with GTG serves Google scripts from your domain - fast, first-party, with static-asset serving offloaded from your tagging server.
Measurement hits go to a same-origin path (for example yourdomain.com/metrics) routed to your server-side GTM container.
Server-side GTM processes the data - cleansing, enriching, consent-gating, and controlling exactly what gets forwarded to GA4, Google Ads, and Meta CAPI - before it ever leaves your infrastructure.

The requirement that trips people up: the combined setup needs same-origin paths. A server-side GTM endpoint on a subdomain like sgtm.yourdomain.com does not qualify for the recommended configuration - script serving and data collection should both live on paths of your main domain. If your server-side GTM is on a subdomain, migrating it should be part of the GTG project.

Who this is for: organisations spending meaningfully on paid media, or already running (or planning) server-side tagging. GetInlytics implements the full GTG plus server-side GTM architecture as a service - CDN configuration, server-side GTM deployment, same-origin routing, consent wiring, and post-launch verification.

How to verify your setup is actually working

1Script origin. Open DevTools → Network, reload, and search for gtm.js. It should load from yourdomain.com/[path]/..., not googletagmanager.com.
2Hit routing in Tag Assistant. Preview your container, trigger events, and check Summary → Output → Hits Sent. Hits should route through your measurement path.
3Gateway status. In GTM Admin → Google tag gateway, domains should read First-party. Still showing Pending after a day usually means a routing problem.
4Geo data. After 24 to 48 hours, check your GA4 geography reports. A spike in (not set) city data means geolocation headers are not being forwarded.
5Data continuity. Compare event and conversion volumes week-over-week. Flat or modestly up (recovered signal) is success. A drop means requests are routed but dropped - check that POST is allowed and caching is disabled.

FAQ

Is Google Tag Gateway the same as server-side GTM?

No. Google Tag Gateway is a forwarding proxy - it changes where tags load from and where hits are sent, but it does not process anything. Server-side GTM is a processing layer. Google's recommended architecture uses both together.

Does Google Tag Gateway cost anything?

No. It is free from Google, and on Cloudflare, gateway-routed requests do not count toward usage or billing for any Cloudflare product, including the free plan.

Does Google Tag Gateway let me track users who declined consent?

No. Consent Mode v2 behaves exactly as before - Google Tag Gateway does not override or bypass it. What it recovers is measurement from consented users whose requests were being blocked by ad blockers and Safari ITP.

Which Google Tag Gateway setup option should I choose?

If you are on Cloudflare, use the automatic in-UI setup. If you are on Google Cloud with an external Application Load Balancer, use the Google Ads flow. On Akamai, Fastly, or CloudFront, follow Google's manual setup guide for your provider. If you are running or planning server-side tagging, use the combined GTG plus CDN plus server-side GTM architecture. On Shopify or other closed platforms, GTG is not currently possible because you do not control the CDN.

My GA4 city data went to (not set) after enabling Google Tag Gateway. What happened?

Your CDN is not forwarding visitor geolocation headers. On Cloudflare manual setups, enable "Add Visitor Location Headers" in Transform Rules. On CloudFront, check that your Origin Request Policy forwards viewer headers. On Fastly, add geolocation injection in your VCL snippets. This is the most commonly reported post-setup issue.

Will ad blockers eventually block the Google Tag Gateway measurement path too?

Some blocklists attempt path-based detection, which is why Google defaults to a random four-character path. First-party, randomised paths are categorically harder to block than known third-party domains without breaking site functionality.

Can I run Google Tag Gateway with multiple Google tag IDs?

Yes, but manual setups need a separate forwarding configuration per tag ID - for example, Akamai requires a separate rule with the GTG behavior for each tag. The Cloudflare automatic flow handles multiple tags within the managed setup.

Conclusion

Google Tag Gateway is rare among Google measurement launches: free, genuinely effective, and on at least one path, almost effortless. On Cloudflare, it is fifteen minutes for a median 11% signal improvement.

If your stack is more complex - an enterprise CDN, GCP load balancing, or a full first-party architecture with server-side GTM - the value is bigger, and so is the implementation. Same-origin requirements, geolocation forwarding, consent wiring, and server-side GTM transport configuration all have to land together correctly.

Related articles and resources

Which Google Tag Gateway Setup Is Right for You? A Decision Guide (With Flowchart)How to Monitor GTM Tags - The Complete Guide for Analytics TeamsHow to Audit Consent Mode in GTM - GDPR Compliance ChecklistHow GTM Tags Affect Core Web Vitals - LCP, INP, CLS Impact Guide

Need Google Tag Gateway or server-side GTM implemented properly?

GetInlytics designs and deploys GTG, CDN routing, and server-side GTM architectures end to end - CDN configuration, consent wiring, and post-launch verification included.

Server-Side Tracking serviceFree GA4 & GTM audit