# Create a peering zone

This page provides instructions about how to create a peering zone. For detailed
background information, see [Peering zones](/dns/docs/zones/zones-overview#peering_zones).

#### Permissions required for this task

To perform this task, you must have been granted the following permissions
*or* the following IAM roles.

**Permissions**

- `dns.managedZones.create` to create a managed zone
- `dns.networks.targetWithPeeringZone` to create a peering zone
- `dns.activePeeringZones.getZoneInfo` to get information about a peering zone
- `dns.activePeeringZones.list` to list peering zones
- `dns.activePeeringZones.deactivate` to deactivate a peering zone

**Roles**

- `roles/dns.admin` in the project that contains the consumer VPC network (where the zone is created)
- `roles/dns.peer` in the project that contains the producer VPC network (the network the zone targets)

The trust boundary is the producer project: its administrators decide which identities may target its
network with a peering zone by granting `roles/dns.peer` there. Grant that role only to the specific
identity that creates the zone.

To create a new managed private peering zone when you need one VPC
network (the *consumer network*) to query the VPC name
resolution order of another VPC network (the *producer
network*), follow these steps.

### Console

**Note:** You must be signed in to the Google Cloud console as an Identity and Access Management (IAM) member who has the [DNS Peer role](/dns/docs/access-control#roles) (`roles/dns.peer`) to the project that contains the producer VPC network. If you follow the `gcloud` directions instead, you can use a service account with this role.

1. In the Google Cloud console, go to the **Create a DNS zone** page.

   [Go to Create a DNS zone](https://console.cloud.google.com/net-services/dns/zones/new/create)
2. For the **Zone type**, select **Private**.
3. Enter a **Zone name** such as `my-new-zone`.
4. Enter a **DNS name** suffix for the private zone. All records in the
   zone share this suffix, for example: `example.private`.
5. Optional: Add a description.
6. Under **Options**, select **DNS peering**.
7. Select the networks to which the private zone must be visible.
8. In **Peer project**, select a peer project.
9. In **Peer network**, select a peer network.
10. Click **Create**.

### gcloud

**Note:** If the IAM member is signed in to the Google Cloud CLI, or is signed in to the service account selected in step 1, you can skip steps 1 and 2. This service account must have at least the [DNS Peer role](/dns/docs/access-control#roles) (`roles/dns.peer`) to the project that contains the producer VPC network.

1. In the project that contains the consumer VPC network,
   identify or [create a service account](/iam/docs/creating-managing-service-accounts#creating).

2. Grant the [DNS Peer role](/dns/docs/access-control#roles) to the service
   account (from the previous step) in the project that contains the
   producer VPC network:

   ```
   gcloud projects add-iam-policy-binding PRODUCER_PROJECT_ID \
       --member=SERVICE_ACCOUNT \
       --role=roles/dns.peer
   ```

   Replace the following:
   - PRODUCER_PROJECT_ID: the ID of the project that
     contains the producer VPC network
   - SERVICE_ACCOUNT: the service account in the project
     that contains the consumer VPC network that was
     identified or created in step 1, written as an IAM member in the form
     `serviceAccount:EMAIL`

3. In the project that contains the consumer VPC network,
   grant the [DNS Administrator role](/dns/docs/access-control#roles) to the
   service account and create a new managed private peering zone by running the
   [`dns managed-zones create`](/sdk/gcloud/reference/dns/managed-zones/create)
   command:

   ```
   gcloud dns managed-zones create NAME \
       --description=DESCRIPTION \
       --dns-name=DNS_SUFFIX \
       --networks=CONSUMER_VPC_NETWORK \
       --account=SERVICE_ACCOUNT \
       --target-network=PRODUCER_VPC_NETWORK \
       --target-project=PRODUCER_PROJECT_ID \
       --visibility=private
   ```

   Replace the following:
   - NAME: a name for your zone
   - DESCRIPTION: a description for your zone
   - DNS_SUFFIX: the DNS suffix for your zone, such as
     `example.com`
   - CONSUMER_VPC_NETWORK: the name of the consumer
     VPC network
   - SERVICE_ACCOUNT: the email address of the service account in the project
     that contains the consumer VPC network, identified in
     step 1. **Note:** If you omit `--account`, the gcloud CLI uses the
     currently active IAM member, as indicated by `gcloud auth list`; make sure
     that member holds `roles/dns.peer` in the producer project, or the
     command fails.
   - PRODUCER_VPC_NETWORK: the name of the producer
     VPC network
   - PRODUCER_PROJECT_ID: the ID of the project that
     contains the producer VPC network
### Terraform

```
resource "random_id" "zone_suffix" {
  byte_length = 8
}

resource "google_dns_managed_zone" "peering_zone" {
  name        = "peering-zone-${random_id.zone_suffix.hex}"
  dns_name    = "peering.example.com."
  description = "Example private DNS peering zone"

  visibility = "private"

  private_visibility_config {
    networks {
      network_url = google_compute_network.network_source.id
    }
  }

  peering_config {
    target_network {
      network_url = google_compute_network.network_target.id
    }
  }
}

resource "google_compute_network" "network_source" {
  name                    = "network-source"
  auto_create_subnetworks = false
}

resource "google_compute_network" "network_target" {
  name                    = "network-target"
  auto_create_subnetworks = false
}
```

This example creates both networks in the same project. When the target network belongs to a different
project, the identity that Terraform runs as needs the DNS Peer role (`roles/dns.peer`) in that project, as
described for `gcloud`, and `dns_name` must be an absolute name with a trailing dot.

**Note:** You cannot add records to a peering zone directly; the data comes from the producer VPC network according to its [VPC name resolution order](/dns/docs/vpc-name-res-order).

What's next
-----------

- To work with managed zones, see [Create, modify, and delete zones](/dns/docs/zones).
- To find solutions for common issues that you might encounter when using Cloud DNS, see [Troubleshooting](/dns/docs/troubleshooting).
- To get an overview of Cloud DNS, see [Cloud DNS overview](/dns/docs/overview).

Last updated 2025-08-25 UTC.