Create DNS zones

This page guides you through configuring DNS resolution for a new domain in Google Distributed Cloud (GDC) air-gapped through the use of DNS zones.

The intended audience for this page is platform administrators and application operators responsible for managing DNS resolution for their organization.

You can create public or private DNS zones in your GDC environment to match the visibility and access requirements of your services:

  • For services that require external network visibility and access: Set up a public DNS zone to allow users and systems outside your network access to your service. If you have a website, a public-facing API, or any service that needs to be reachable from outside your GDC Cloud environment, you need a public DNS zone to map your domain name to the appropriate IP addresses.
  • For services that require secure and restricted access to internal systems: Set up a private DNS zone to hide your internal domain name and restrict access to your internal services. If you have an internal application, database, or microservice that needs to communicate with other internal services using only secure protocols and private IP addresses, you need a private DNS zone to map your domain name to the appropriate IP addresses. A private DNS zone ensures that these services can find each other using internal domain names without exposing their existence or IP addresses to the external network. This enhances security and simplifies internal networking.

For more information about the difference between public and private DNS zones, see Zone types for Cloud DNS.

Before you begin

To configure DNS zones in GDC and add records, you must have the following:

Create a public DNS zone

Use the Kubernetes API in GDC to create a public DNS zone:

  1. Create and apply a ManagedDNSZone resource to create a DNS zone accessible from outside of GDC:

    kubectl --kubeconfig GLOBAL_API_SERVER apply -f - <<EOF
    apiVersion: networking.global.gdc.goog/v1
    kind: ManagedDNSZone
    metadata:
      name: DNS_ZONE_NAME
      namespace: PROJECT_NAMESPACE
    spec:
      dnsName: DOMAIN_NAME
      description: DESCRIPTION
      visibility: PUBLIC
    EOF

    Replace the following:

    • GLOBAL_API_SERVER: the global API server's kubeconfig path. For more information, see Global and zonal API servers. If you have not yet generated a kubeconfig file for the API server, see Sign in for details.
    • DNS_ZONE_NAME: the name of your DNS zone.
    • PROJECT_NAMESPACE: the namespace of your project.
    • DOMAIN_NAME: the domain name for your public DNS zone, such as example.com.
    • DESCRIPTION: a description for your DNS zone. For example, Public DNS zone for example.com. This field is optional.
  2. For a public DNS zone, you must configure the DNS resolver in your network to forward DNS requests for that zone to the GDC name servers that host it. The name servers are listed in the status of the ManagedDNSZone custom resource:

    apiVersion: networking.global.gdc.goog/v1
    kind: ManagedDNSZone
    metadata:
      name: public-example-com
      namespace: PROJECT_NAMESPACE
    spec:
      dnsName: example.com
      description: "Public DNS zone for example.com"
      visibility: PUBLIC
    status:
      nameServers:
        - ns.managed-dns-public.gdc1.staging.gpcdemolabs.com

    For this example, the DNS resolver needs to be updated to forward requests for example.com to ns.managed-dns-public.gdc1.staging.gpcdemolabs.com. This configuration assumes that the resolver already has the configuration needed to appropriately forward DNS requests for GDC's infrastructure DNS zone gdc1.staging.gpcdemolabs.com.
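The following added example (not part of the GDC documentation) turns the resolver-forwarding step above into a check: it reads the name servers from the ManagedDNSZone status, refuses zones that are not ready, confirms each name server sits under the infrastructure zone gdc1.staging.gpcdemolabs.com that the resolver is assumed to forward already, and renders an Unbound forward-zone stanza. Unbound as the resolver, the JSON sample and the project namespace my-project are assumptions.

```python
import json

# Constructed sample of `kubectl get managednszone -o json` output, modelled on the
# ManagedDNSZone resource shown on this page (not captured from a real cluster).
SAMPLE_ZONE_JSON = """
{
  "kind": "ManagedDNSZone",
  "metadata": {"name": "public-example-com", "namespace": "my-project"},
  "spec": {"dnsName": "example.com", "visibility": "PUBLIC"},
  "status": {"nameServers": ["ns.managed-dns-public.gdc1.staging.gpcdemolabs.com"]}
}
"""
SAMPLE_ZONE = json.loads(SAMPLE_ZONE_JSON)

# GDC infrastructure DNS zone from this page; the resolver is assumed to forward it already.
INFRA_ZONE = "gdc1.staging.gpcdemolabs.com"


def zone_name_servers(zone):
    """Return status.nameServers of a PUBLIC zone; an empty status means not ready."""
    if zone.get("kind") != "ManagedDNSZone":
        raise ValueError("not a ManagedDNSZone resource")
    if zone["spec"].get("visibility") != "PUBLIC":
        raise ValueError("resolver forwarding on this page applies to PUBLIC zones only")
    servers = [s.rstrip(".") for s in zone.get("status", {}).get("nameServers", [])]
    if not servers:
        raise ValueError("status.nameServers is empty; the zone is not ready yet")
    return servers


def under_infra_zone(host, infra_zone=INFRA_ZONE):
    """True if host lies inside the infrastructure zone the resolver can already reach."""
    host = host.rstrip(".").lower()
    return host == infra_zone or host.endswith("." + infra_zone)


def unbound_forward_zone(zone):
    """Render an Unbound forward-zone stanza (Unbound is an assumed resolver choice).

    forward-host names are resolved by Unbound itself, so each name server must sit
    under INFRA_ZONE, which the existing forwarding can resolve; others are rejected.
    """
    servers = zone_name_servers(zone)
    outside = [s for s in servers if not under_infra_zone(s)]
    if outside:
        raise ValueError(f"name servers not resolvable via {INFRA_ZONE}: {outside}")
    lines = ["forward-zone:", f'    name: "{zone["spec"]["dnsName"]}."']
    lines += [f"    forward-host: {s}" for s in servers]
    return "\n".join(lines) + "\n"
```

Calling unbound_forward_zone(SAMPLE_ZONE) yields a stanza that can be dropped into unbound.conf; a resolver such as BIND or CoreDNS that accepts only IP addresses as forwarders would need the name-server addresses resolved first.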

Create a private DNS zone

Use the Kubernetes API to create a private DNS zone:

  • Create and apply a ManagedDNSZone resource to create a DNS zone accessible only from within the default customer VPC:

    kubectl --kubeconfig GLOBAL_API_SERVER apply -f - <<EOF
    apiVersion: networking.global.gdc.goog/v1
    kind: ManagedDNSZone
    metadata:
      name: DNS_ZONE_NAME
      namespace: PROJECT_NAMESPACE
    spec:
      dnsName: DOMAIN_NAME
      description: DESCRIPTION
      visibility: PRIVATE
    EOF

    Replace the following:

    • GLOBAL_API_SERVER: the global API server's kubeconfig path. For more information, see Global and zonal API servers. If you have not yet generated a kubeconfig file for the API server, see Sign in for details.
    • DNS_ZONE_NAME: the name of your DNS zone.
    • PROJECT_NAMESPACE: the namespace of your project.
    • DOMAIN_NAME: the domain name for your private DNS zone, such as example.com.
    • DESCRIPTION: a description for your DNS zone. For example, Private DNS zone for example.com. This field is optional.

What's next