Create a peering zone

This page provides instructions about how to create a peering zone. For detailed background information, see Peering zones.

To create a new managed private peering zone when you need one VPC network (the consumer network) to query the VPC name resolution order of another VPC network (the producer network), follow these steps.

Console

  1. In the Google Cloud console, go to the Create a DNS zone page.

    Go to Create a DNS zone

  2. For the Zone type, select Private.

  3. Enter a Zone name such as my-new-zone.

  4. Enter a DNS name suffix for the private zone. All records in the zone share this suffix, for example: example.private.

  5. Optional: Add a description.

  6. Under Options, select DNS peering.

  7. Select the networks to which the private zone must be visible.

  8. In Peer project, select a peer project.

  9. In Peer network, select a peer network.

  10. Click Create.

gcloud

  1. In the project that contains the consumer VPC network, identify or create a service account.

  2. Grant the DNS Peer role to the service account (from the previous step) in the project that contains the producer VPC network.

    gcloud projects add-iam-policy-binding PRODUCER_PROJECT_ID \
   --member=SERVICE_ACCOUNT \
   --role=roles/dns.peer

    Replace the following:

    • PRODUCER_PROJECT_ID: the ID of the project that contains the producer VPC network
    • SERVICE_ACCOUNT: the service account in the project that contains the consumer VPC network that was identified or created in step 1

  3. In the project that contains the consumer VPC network, grant the DNS Administrator role to the service account and create a new managed private peering zone by running the dns managed-zones create command:

    gcloud dns managed-zones create NAME \
  --description=DESCRIPTION \
  --dns-name=DNS_SUFFIX \
  --networks=CONSUMER_VPC_NETWORK \
  --account=SERVICE_ACCOUNT \
  --target-network=PRODUCER_VPC_NETWORK \
  --target-project=PRODUCER_PROJECT_ID \
  --visibility=private

    Replace the following:

    • NAME: a name for your zone
    • DESCRIPTION: a description for your zone
    • DNS_SUFFIX: the DNS suffix for your zone, such as example.com
    • CONSUMER_VPC_NETWORK: the name of the consumer VPC network
    • SERVICE_ACCOUNT: the service account in the project that contains the consumer VPC network, identified in step 1
    • PRODUCER_VPC_NETWORK: the name of the producer VPC network
    • PRODUCER_PROJECT_ID: the ID of the project that contains the producer VPC network

Terraform 

resource "random_id" "zone_suffix" {
  byte_length = 8
}

resource "google_dns_managed_zone" "peering_zone" {
  name        = "peering-zone-${random_id.zone_suffix.hex}"
  dns_name    = "peering.example.com."
  description = "Example private DNS peering zone"

  visibility = "private"

  private_visibility_config {
    networks {
      network_url = google_compute_network.network_source.id
    }
  }

  peering_config {
    target_network {
      network_url = google_compute_network.network_target.id
    }
  }
}

resource "google_compute_network" "network_source" {
  name                    = "network-source"
  auto_create_subnetworks = false
}

resource "google_compute_network" "network_target" {
  name                    = "network-target"
  auto_create_subnetworks = false
}

What's next