Create a zone with cross-project binding

This page provides instructions about how to create a zone with cross-project binding enabled. For detailed background information, see Cross-project binding.

Permissions required for this task

To perform this task, you must have been granted the following permissions or the following IAM roles.

Permissions

dns.networks.bindPrivateDNSZone on the project that owns the VPC network
dns.managedZones.create on the project that owns the DNS zone

Roles

roles/dns.admin

Limitations

Your projects need to be in the same organization.
You cannot associate a zone to a VPC network in a project outside the organization.

Set up cross-project binding

You can create a managed private zone that can be bound to a network that is owned by a different project within the same organization. Instead of specifying the network in the same project, specify the URL of the network in another project under the same organization.

Example: Suppose that you have two projects, project A and project B. The VPC network is in project A. To make sure that all the VMs in that VPC network are able to resolve the DNS zones in project B, follow these steps.

To get the network URL, use the gcloud compute networks describe command in project A:

gcloud compute networks describe NETWORK_NAME

Replace NETWORK_NAME with the name of the VPC network in project A.

Your output lists the network URL as SelfLink, which is the URL that you need. The output looks similar to the following:

autoCreateSubnetworks: true
creationTimestamp: '2021-08-11T14:07:16.454-07:00'
description: Default network for the project
id: '2485375699124847339'
kind: compute#network
name: default
routingConfig:
 routingMode: REGIONAL
selfLink: https://www.googleapis.com/compute/v1/projects/project-a/global/networks/default
subnetworks:

Create a private zone by running the dns managed-zones create command in project B, where you want to create or manage the DNS zone:
```
gcloud dns managed-zones create NAME \
 --dns-name=DNS_SUFFIX \
 --description="Cross Project Binding" \
 --visibility=private \
 --networks=VPC_NETWORK
```
Replace the following:
- NAME: a name for your zone
- DNS_SUFFIX: the DNS suffix for your zone, such as example.private
- VPC_NETWORK: the shared VPC URL that is authorized to query the zone from project A, such as https://www.googleapis.com/compute/v1/projects/project-a/global/networks/default.
This creates a private zone in project B where you want to create and manage the DNS zone. Your output is similar to the following:
```
Created
[https://dns.googleapis.com/dns/v1/projects/project-b/managedZones/my-zone].
```

What's next

To work with managed zones, see Create, modify, and delete zones.
To find solutions for common issues that you might encounter when using Cloud DNS, see Troubleshooting.
To get an overview of Cloud DNS, see Cloud DNS overview.