Create a peering zone

This page provides instructions about how to create a peering zone. For detailed background information, see Peering zones.

Permissions required for this task

To perform this task, you must have been granted the following permissions or the following IAM roles.

Permissions

dns.managedZones.create to create a managed zone
dns.networks.targetWithPeeringZone to create a peering zone
dns.activePeeringZones.getZoneInfo to get information about a peering zone
dns.activePeeringZones.list to list peering zones
dns.activePeeringZones.deactivate to deactivate a peering zone

Roles

roles/dns.admin
roles/dns.peer

To create a new managed private peering zone when you need one VPC network (the consumer network) to query the VPC name resolution order of another VPC network (the producer network), follow these steps.

Console

In the Google Cloud console, go to the Create a DNS zone page.

Go to Create a DNS zone
For the Zone type, select Private.
Enter a Zone name such as my-new-zone.
Enter a DNS name suffix for the private zone. All records in the zone share this suffix, for example: example.private.
Optional: Add a description.
Under Options, select DNS peering.
Select the networks to which the private zone must be visible.
In Peer project, select a peer project.
In Peer network, select a peer network.
Click Create.

gcloud

In the project that contains the consumer VPC network, identify or create a service account.
Grant the DNS Peer role to the service account (from the previous step) in the project that contains the producer VPC network.
```
gcloud projects add-iam-policy-binding PRODUCER_PROJECT_ID \
   --member=SERVICE_ACCOUNT \
   --role=roles/dns.peer
```
Replace the following:
- PRODUCER_PROJECT_ID: the ID of the project that contains the producer VPC network
- SERVICE_ACCOUNT: the service account in the project that contains the consumer VPC network that was identified or created in step 1
In the project that contains the consumer VPC network, grant the DNS Administrator role to the service account and create a new managed private peering zone by running the dns managed-zones create command:
```
gcloud dns managed-zones create NAME \
  --description=DESCRIPTION \
  --dns-name=DNS_SUFFIX \
  --networks=CONSUMER_VPC_NETWORK \
  --account=SERVICE_ACCOUNT \
  --target-network=PRODUCER_VPC_NETWORK \
  --target-project=PRODUCER_PROJECT_ID \
  --visibility=private
```
Replace the following:
- NAME: a name for your zone
- DESCRIPTION: a description for your zone
- DNS_SUFFIX: the DNS suffix for your zone, such as example.com
- CONSUMER_VPC_NETWORK: the name of the consumer VPC network
- SERVICE_ACCOUNT: the service account in the project that contains the consumer VPC network, identified in step 1
  Note: If you do not add the the service account in the project that contains the consumer VPC network, the gcloud CLI uses the currently active IAM member, as indicated by gcloud auth list.
- PRODUCER_VPC_NETWORK: the name of the producer VPC network
- PRODUCER_PROJECT_ID: the ID of the project that contains the producer VPC network

Terraform

resource "random_id" "zone_suffix" {
  byte_length = 8
}

resource "google_dns_managed_zone" "peering_zone" {
  name        = "peering-zone-${random_id.zone_suffix.hex}"
  dns_name    = "peering.example.com."
  description = "Example private DNS peering zone"

  visibility = "private"

  private_visibility_config {
    networks {
      network_url = google_compute_network.network_source.id
    }
  }

  peering_config {
    target_network {
      network_url = google_compute_network.network_target.id
    }
  }
}

resource "google_compute_network" "network_source" {
  name                    = "network-source"
  auto_create_subnetworks = false
}

resource "google_compute_network" "network_target" {
  name                    = "network-target"
  auto_create_subnetworks = false
}

What's next

To work with managed zones, see Create, modify, and delete zones.
To find solutions for common issues that you might encounter when using Cloud DNS, see Troubleshooting.
To get an overview of Cloud DNS, see Cloud DNS overview.