Scopes and hierarchies

Cloud DNS scopes are a flexible way of attaching private DNS resources to Google Cloud objects. Originally, you could only attach private DNS resources such as private DNS zones, policies, and peering zones to Virtual Private Cloud (VPC) networks. By using DNS scopes, you can attach resources not only to multiple Google Cloud networks, but also to a smaller grouping, such as a Google Kubernetes Engine (GKE) cluster. Instead of attaching private DNS resources to networks, you can attach private DNS resources to scopes.

Cloud DNS scopes let you attach a private DNS resource to a VPC network and a GKE cluster. Within the boundaries of a particular scope, like in a network, you can create a custom view of DNS. For example, multiple GKE clusters in a single network can have their own cluster.local DNS hierarchy.

You can create a VPC-scoped or a GKE cluster-scoped DNS zone depending on whether you want DNS names to be visible to the entire VPC network or limit them to a GKE cluster:

  • VPC scope. Use this scope when DNS names have to be resolved VPC network-wide. A VPC-scoped DNS zone lets DNS names be available globally to the entire VPC network.

  • GKE cluster scope. Cloud DNS lets you create a scope for a single GKE cluster. You can then create one or more private managed zones for each cluster, just like you can for networks. Queries from within that cluster first check to see if the query can be answered by a resource scoped to that specific GKE cluster. If not, queries fall back to normal matching, which starts by checking if the query can be answered by any network-scoped resources.

Scopes hierarchy

DNS resolution occurs at the most specific scope available, walking up the hierarchy when a zone is not found in a lower scope. The cluster is the most specific scope, and Cloud DNS checks it first for a match.

Scopes also let managed zones and response policies bind to one or more selectors within the same scope (when applicable). You can configure a network and a scope to bind in the following ways:

  • Between multiple networks
  • Between a GKE cluster and a network
  • Between multiple networks and multiple GKE clusters

After you bind a managed zone or response policy to a selector, it is visible to clients within the scope.

To learn how to configure a cluster-scoped Cloud DNS zone, see Configuring a GKE cluster scope.

What's next