이 페이지에서는 Google Distributed Cloud (GDC) 에어 갭에서 새 도메인의 DNS 확인을 구성하는 방법을 안내합니다.
DNS 영역을 사용하여 GDC에서
이 페이지의 대상은 조직의 DNS 확인을 관리하는 플랫폼 관리자 및 애플리케이션 운영자입니다.
GDC 환경에서 서비스의 공개 상태 및 액세스 요구사항에 맞게 공개 또는 비공개 DNS 영역을 만들 수 있습니다.
외부 네트워크 공개 상태 및 액세스가 필요한 서비스: 네트워크 외부의 사용자 및 시스템이 서비스에 액세스할 수 있도록 공개 DNS 영역을 설정합니다. 웹사이트, 공개 API 또는 GDC Cloud 환경 외부에서 연결할 수 있어야 하는 서비스가 있는 경우 도메인 이름을 적절한 IP 주소에 매핑하는 공개 DNS 영역이 필요합니다.
내부 시스템에 대한 보안 및 제한된 액세스가 필요한 서비스의 경우: 비공개 DNS 영역을 설정하여 내부 도메인 이름을 숨기고 내부 서비스에 대한 액세스를 제한합니다. 보안 프로토콜과 비공개 IP 주소만 사용하여 다른 내부 서비스와 통신해야 하는 내부 애플리케이션, 데이터베이스 또는 마이크로서비스가 있는 경우 도메인 이름을 적절한 IP 주소에 매핑하는 비공개 DNS 영역이 필요합니다. 비공개 DNS 영역을 사용하면 이러한 서비스가 외부 네트워크에 존재 또는 IP 주소를 노출하지 않고 내부 도메인 이름을 사용하여 서로를 찾을 수 있습니다. 이렇게 하면 보안이 강화되고 내부 네트워킹이 간소화됩니다.
공개 DNS 영역과 비공개 DNS 영역의 차이점에 대한 자세한 내용은 Cloud DNS 영역 유형을 참고하세요.
이 예시에서는 example.com에 대한 요청을 ns.managed-dns-public.gdc1.staging.gpcdemolabs.com로 전달하도록 DNS 확인자를 업데이트해야 합니다. 이 구성에서는 리졸버에 이미 GDC의 인프라 DNS 영역 gdc1.staging.gpcdemolabs.com의 DNS 요청을 적절하게 전달하는 데 필요한 구성이 있다고 가정합니다.
비공개 DNS 영역 만들기
Kubernetes API를 사용하여 비공개 DNS 영역을 만듭니다.
기본 고객 VPC 내에서만 액세스할 수 있는 DNS 영역을 만들려면 ManagedDNSZone 리소스를 만들어 적용하세요.
[[["이해하기 쉬움","easyToUnderstand","thumb-up"],["문제가 해결됨","solvedMyProblem","thumb-up"],["기타","otherUp","thumb-up"]],[["이해하기 어려움","hardToUnderstand","thumb-down"],["잘못된 정보 또는 샘플 코드","incorrectInformationOrSampleCode","thumb-down"],["필요한 정보/샘플이 없음","missingTheInformationSamplesINeed","thumb-down"],["번역 문제","translationIssue","thumb-down"],["기타","otherDown","thumb-down"]],["최종 업데이트: 2025-09-04(UTC)"],[],[],null,["# Create DNS zones\n\n| **Preview:** This is a Preview feature that is available as-is and is not recommended for production environments. Google provides no Service-Level agreements (SLA) or technical support commitments for Preview features. For more information, see GDC's [feature stages](/distributed-cloud/hosted/docs/latest/gdch/resources/feature-stages).\n\nThis page guides you through how to configure DNS resolution for a new domain in Google Distributed Cloud (GDC) air-gapped.\nIn GDC through the use of DNS zones.\n\nThe intended audience for this page is platform administrators and application operators\nresponsible for managing DNS resolution for their organization.\n\nYou can create public or private DNS zones in your GDC environment to match the visibility and access requirements of your services:\n\n- **For services that require external network visibility and access:** Set up a public DNS zone to allow users and systems outside your network access to your service. If you have a website, a public-facing API, or any service that needs to be reachable from outside your GDC Cloud environment, you need a public DNS zone to map your domain name to the appropriate IP addresses.\n- **For services that require secure and restricted access to internal\n systems:** Set up a private DNS zone to hide your internal domain name and restrict access to your internal services. If you have an internal application, database, or microservice that needs to communicate with other internal services using only secure protocols and private IP addresses, you need a private DNS zone to map your domain name to the appropriate IP addresses A private DNS zone ensures that these services can find each other using internal domain names without exposing their existence or IP addresses to the external network. This enhances security and simplifies internal networking.\n\nFor more information about the difference between public and private DNS zones, see [Zone types for Cloud DNS](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/dns/dns-overview#zone-types).\n\nBefore you begin\n----------------\n\nTo configure DNS zones in GDC and add records, you must\nhave the following:\n\n- An existing project. For more information, see [Create a\n project](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/create-a-project).\n- The necessary identity and access roles. For more information, see [Prepare IAM permissions](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/dns/dns-permissions).\n\nCreate a public DNS zone\n------------------------\n\nUse the Kubernetes API in GDC to create a public DNS zone:\n\n1. Create and apply a `ManagedDNSZone` resource to create a DNS zone\n accessible from outside of GDC:\n\n kubectl --kubeconfig \u003cvar translate=\"no\"\u003eGLOBAL_API_SERVER\u003c/var\u003e apply -f - \u003c\u003cEOF\n apiVersion: networking.global.gdc.goog/v1\n kind: ManagedDNSZone\n metadata:\n name: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eDNS_ZONE_NAME\u003c/span\u003e\u003c/var\u003e\n namespace: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003ePROJECT_NAMESPACE\u003c/span\u003e\u003c/var\u003e\n spec:\n dnsName: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eDOMAIN_NAME\u003c/span\u003e\u003c/var\u003e\n description: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eDESCRIPTION\u003c/span\u003e\u003c/var\u003e\n visibility: PUBLIC\n EOF\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eGLOBAL_API_SERVER\u003c/var\u003e: the global API server's kubeconfig path. For more information, see [Global and zonal API servers](/distributed-cloud/hosted/docs/latest/gdch/resources/multi-zone/api-servers). If you have not yet generated a kubeconfig file for the API server, see [Sign in](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/sign-in) for details.\n - \u003cvar translate=\"no\"\u003eDNS_ZONE_NAME\u003c/var\u003e: the name of your DNS zone.\n - \u003cvar translate=\"no\"\u003ePROJECT_NAMESPACE\u003c/var\u003e: the namespace of your project.\n - \u003cvar translate=\"no\"\u003eDOMAIN_NAME\u003c/var\u003e: the domain name for your public DNS zone, such as `example.com`.\n - \u003cvar translate=\"no\"\u003eDESCRIPTION\u003c/var\u003e: a description for your DNS zone. For example, `Public DNS zone for example.com`. This field is optional.\n2. For a public DNS zone, you must configure the DNS resolver in your network to forward\n DNS requests for that DNS zone to the name servers in GDC that host that\n DNS zone. The name servers are listed in the status of a `ManagedDNSZone` custom resource:\n\n apiVersion: networking.global.gdc.goog/v1\n kind: ManagedDNSZone\n metadata:\n name: public-example-com\n namespace: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003ePROJECT_NAMESPACE\u003c/span\u003e\u003c/var\u003e\n spec:\n dnsName: example.com\n description: \"Public DNS zone for example.com\"\n visibility: PUBLIC\n status:\n ...\n nameServers:\n - ns.managed-dns-public.gdc1.staging.gpcdemolabs.com\n\n For this example, the DNS resolver needs to be updated to forward\n requests for `example.com` to\n `ns.managed-dns-public.gdc1.staging.gpcdemolabs.com`. This configuration assumes that the resolver already has the configuration needed to appropriately forward DNS requests for GDC's infrastructure DNS zone `gdc1.staging.gpcdemolabs.com`.\n\nCreate a private DNS zone\n-------------------------\n\nUse the Kubernetes API to create a private DNS zone:\n\n- Create and apply a `ManagedDNSZone` resource to create a DNS zone\n accessible only from within the default customer VPC:\n\n kubectl --kubeconfig \u003cvar translate=\"no\"\u003eGLOBAL_API_SERVER\u003c/var\u003e apply -f - \u003c\u003cEOF\n apiVersion: networking.global.gdc.goog/v1\n kind: ManagedDNSZone\n metadata:\n name: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eDNS_ZONE_NAME\u003c/span\u003e\u003c/var\u003e\n namespace: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003ePROJECT_NAMESPACE\u003c/span\u003e\u003c/var\u003e\n spec:\n dnsName: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eDOMAIN_NAME\u003c/span\u003e\u003c/var\u003e\n description: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eDESCRIPTION\u003c/span\u003e\u003c/var\u003e\n visibility: PRIVATE\n EOF\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eGLOBAL_API_SERVER\u003c/var\u003e: the global API server's kubeconfig path. For more information, see [Global and zonal API servers](/distributed-cloud/hosted/docs/latest/gdch/resources/multi-zone/api-servers). If you have not yet generated a kubeconfig file for the API server, see [Sign in](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/sign-in) for details.\n - \u003cvar translate=\"no\"\u003eDNS_ZONE_NAME\u003c/var\u003e: the name of your DNS zone.\n - \u003cvar translate=\"no\"\u003ePROJECT_NAMESPACE\u003c/var\u003e: the namespace of your project.\n - \u003cvar translate=\"no\"\u003eDOMAIN_NAME\u003c/var\u003e: the domain name for your private DNS zone, such as `example.com`.\n - \u003cvar translate=\"no\"\u003eDESCRIPTION\u003c/var\u003e: a description for your DNS zone. For example, `Private DNS zone for example.com`. This field is optional.\n\nWhat's next\n-----------\n\n- [Create a DNS record](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/dns/create-dns-records)"]]