Blog
Both work. One forces you to redo DNS when the upstream IP changes. Pick the one that survives.
When pointing a subdomain at your tagging server, you have two DNS choices: CNAME or A record. The right answer is almost always CNAME. A records exist for cases where CNAME is not allowed (apex domains, mostly), and they introduce a maintenance burden that catches teams off guard later.
A CNAME record maps your subdomain to a hostname (like tagging-xxx.run.app). The DNS resolver follows the CNAME, then resolves the target hostname to whatever IP it points to today. If the upstream IP changes (it does, often), your DNS keeps working without intervention.
An A record maps your subdomain directly to an IP address. If the upstream IP changes, your tagging URL breaks until you update the record. SprTags and similar managed services do change underlying IPs on rare occasions for maintenance and scaling. You will not get advance notice; the service is responsible for keeping the hostname stable, not the IP.
DNS standards do not allow a CNAME on the apex of a domain. If you are trying to point example.com directly (no subdomain), the apex restriction kicks in. Two workarounds:
data.example.com works as well as example.com for tagging purposes.Cloudflare lets you proxy CNAME records (orange cloud), but for tagging URLs the proxy breaks the upstream SSL handshake. Set the proxy status to grey-cloud (DNS only). The tagging server will provision its own SSL certificate, which is what you want.
If you want Cloudflare in front of the tagging server for caching or WAF, that is a different setup that requires uploading your own certificate to the upstream container. Most teams skip this, because the tagging server already runs on a CDN-like infrastructure and an extra layer adds latency without obvious benefit.
Once the DNS resolves, follow up with the loader update steps to actually start using the new hostname.