Stay organized with collections
Save and categorize content based on your preferences.
This page provides instructions about how to create a zone with cross-project
binding enabled.
For detailed background information, see Cross-project
binding.
Permissions required for this task
To perform this task, you must have been granted the following permissions
or the following IAM roles.
Permissions
dns.networks.bindPrivateDNSZone on the project that owns the VPC network
dns.managedZones.create on the project that owns the DNS zone
Roles
roles/dns.admin
Limitations
Your projects need to be in the same organization.
You cannot associate a zone to a VPC network in a project
outside the organization.
Set up cross-project binding
You can create a managed private zone that can be bound to a network that is
owned by a different project within the same organization. Instead of
specifying the network in the same project, specify the URL of the network in
another project under the same organization.
Example: Suppose that you have two projects, project A and project B. The
VPC network is in project A. To make sure that all
the VMs in that VPC network are able to resolve the DNS zones
in project B, follow these steps.
Create a private zone by running the dns managed-zones create
command in project B,
where you want to create or manage the DNS zone:
gcloud dns managed-zones create NAME \
--dns-name=DNS_SUFFIX \
--description="Cross Project Binding" \
--visibility=private \
--networks=VPC_NETWORK
Replace the following:
NAME: a name for your zone
DNS_SUFFIX: the DNS suffix for your zone, such as
example.private
VPC_NETWORK: the shared VPC URL
that is authorized to query the zone from project A, such as
https://www.googleapis.com/compute/v1/projects/project-a/global/networks/default.
This creates a private zone in project B where you want to create and manage
the DNS zone. Your output is similar to the following:
Created
[https://dns.googleapis.com/dns/v1/projects/project-b/managedZones/my-zone].
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eThis guide outlines the process of creating a managed private zone with cross-project binding enabled, allowing it to be associated with a network in a different project within the same organization.\u003c/p\u003e\n"],["\u003cp\u003eTo perform this task, users need \u003ccode\u003edns.networks.bindPrivateDNSZone\u003c/code\u003e permission on the VPC network's project and \u003ccode\u003edns.managedZones.create\u003c/code\u003e permission on the DNS zone's project, or the \u003ccode\u003eroles/dns.admin\u003c/code\u003e role.\u003c/p\u003e\n"],["\u003cp\u003eThe projects involved must be within the same organization, and zones cannot be linked to VPC networks outside this organizational boundary.\u003c/p\u003e\n"],["\u003cp\u003eThe process involves obtaining the VPC network's URL from the first project using the \u003ccode\u003egcloud compute networks describe\u003c/code\u003e command and then using that URL when creating the private zone in the second project with the \u003ccode\u003egcloud dns managed-zones create\u003c/code\u003e command.\u003c/p\u003e\n"],["\u003cp\u003eThe VPC Network will be associated with a DNS zone in a different project within the organization so that all the VMs in that VPC network can resolve the DNS zones.\u003c/p\u003e\n"]]],[],null,["# Create a zone with cross-project binding\n\nThis page provides instructions about how to create a zone with cross-project\nbinding enabled.\nFor detailed background information, see [Cross-project\nbinding](/dns/docs/zones/zones-overview#cross-project_binding).\n\n#### Permissions required for this task\n\nTo perform this task, you must have been granted the following permissions\n*or* the following IAM roles.\n\n**Permissions**\n\n- `dns.networks.bindPrivateDNSZone` on the project that owns the VPC network\n- `dns.managedZones.create` on the project that owns the DNS zone\n\n**Roles**\n\n- `roles/dns.admin`\n\nLimitations\n-----------\n\n- Your projects need to be in the same organization.\n- You cannot associate a zone to a VPC network in a project outside the organization.\n\nSet up cross-project binding\n----------------------------\n\nYou can create a managed private zone that can be bound to a network that is\nowned by a different project within the same organization. Instead of\nspecifying the network in the *same* project, specify the URL of the network in\n*another* project under the same organization.\n\nExample: Suppose that you have two projects, *project A* and *project B* . The\nVPC network is in *project A* . To make sure that all\nthe VMs in that VPC network are able to resolve the DNS zones\nin *project B*, follow these steps.\n\n1. To get the network URL, use the [`gcloud compute networks\n describe` command](/sdk/gcloud/reference/compute/networks/describe) in\n *project A*:\n\n ```\n gcloud compute networks describe NETWORK_NAME\n ```\n\n Replace \u003cvar translate=\"no\"\u003eNETWORK_NAME\u003c/var\u003e with the name of the\n VPC network in *project A*.\n\n Your output lists the network URL as `SelfLink`, which is the URL that you need.\n The output looks similar to the following: \n\n ```\n autoCreateSubnetworks: true\n creationTimestamp: '2021-08-11T14:07:16.454-07:00'\n description: Default network for the project\n id: '2485375699124847339'\n kind: compute#network\n name: default\n routingConfig:\n routingMode: REGIONAL\n selfLink: https://www.googleapis.com/compute/v1/projects/project-a/global/networks/default\n subnetworks:\n ```\n2. Create a private zone by running the [`dns managed-zones create`\n command](/sdk/gcloud/reference/dns/managed-zones/create) in *project B*,\n where you want to create or manage the DNS zone:\n\n ```\n gcloud dns managed-zones create NAME \\\n --dns-name=DNS_SUFFIX \\\n --description=\"Cross Project Binding\" \\\n --visibility=private \\\n --networks=VPC_NETWORK\n ```\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eNAME\u003c/var\u003e: a name for your zone\n - \u003cvar translate=\"no\"\u003eDNS_SUFFIX\u003c/var\u003e: the DNS suffix for your zone, such as `example.private`\n - \u003cvar translate=\"no\"\u003eVPC_NETWORK\u003c/var\u003e: the shared VPC URL that is authorized to query the zone from *project A*, such as https://www.googleapis.com/compute/v1/projects/project-a/global/networks/default.\n\n This creates a private zone in *project B* where you want to create and manage\n the DNS zone. Your output is similar to the following: \n\n ```\n Created\n [https://dns.googleapis.com/dns/v1/projects/project-b/managedZones/my-zone].\n ```\n\nWhat's next\n-----------\n\n- To work with managed zones, see [Create, modify, and delete zones](/dns/docs/zones).\n- To find solutions for common issues that you might encounter when using Cloud DNS, see [Troubleshooting](/dns/docs/troubleshooting).\n- To get an overview of Cloud DNS, see [Cloud DNS overview](/dns/docs/overview)."]]
