Cross-project binding zones

This page provides an overview of cross-project binding and instructions about how to create a cross-project binding zone.

A typical Shared VPC setup has service projects that take ownership of a virtual machine (VM) application or services, while the host project takes ownership of the VPC network and network infrastructure. Often, a DNS namespace is carved out from the VPC network's namespace to match the service project's resources. For such a setup, it can be easier to delegate the administration of each service project's DNS namespace to the administrators of each service project (which are often different departments or businesses). Cross-project binding lets you separate the ownership of the DNS namespace of the service project from the ownership of the DNS namespace of the entire VPC network.

The following figure shows a typical Shared VPC setup with DNS peering.

A Shared VPC setup with DNS peering.

The following figure shows a setup using cross-project binding. Cloud DNS lets each service project create and own its DNS zones while binding them to the shared network that the host project owns. Service projects gain more autonomy, and the permission boundary for DNS zone administration follows the project boundary instead of the network boundary.

A setup with cross-project binding.

Cross-project binding provides the following:

  • Service project administrators and users can create and manage their own DNS zones.
  • You don't need to create a placeholder VPC network.
  • Host project administrators don't have to manage the service project.
  • IAM roles still apply at the project level.
  • All the DNS zones are directly associated with the Shared VPC network.
  • Any-to-any DNS resolution is readily available. Any VM in the Shared VPC network can resolve associated zones.
  • There is no transitive hop limit. Because each zone is bound directly to the Shared VPC network rather than reached through a peering hop, the design works for hub-and-spoke networks.

Create a cross-project binding zone

To create a managed private zone that can be bound to a network that is owned by a different project within the same organization, do the following:

  1. Follow the instructions to create a private zone.

  2. Instead of specifying a network in the same project, specify the full URL of the network in the other project under the same organization (for example, `https://www.googleapis.com/compute/v1/projects/HOST_PROJECT/global/networks/NETWORK`). The zone is created in, and owned by, the service project; only the network binding points at the host project.
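The two steps above, as an added example that is not part of the original page: a shell helper that builds the host project's network URL and runs the `gcloud dns managed-zones create` call from the service project. The project IDs, network name, zone name and DNS name are placeholders; the `DNS_DRY_RUN` switch is an assumption of this example, not a gcloud flag, and exists so the command can be inspected before anything is created.

```shell
#!/usr/bin/env sh
# Added example, not code from the Cloud DNS documentation.
# Creates a private zone in a service project and binds it to a Shared VPC
# network owned by a different (host) project in the same organization.
set -eu

# Full self-link Cloud DNS expects for a network that lives in another project.
network_url() {
  host_project="$1"
  network="$2"
  printf 'https://www.googleapis.com/compute/v1/projects/%s/global/networks/%s\n' \
    "$host_project" "$network"
}

# create_cross_project_zone SERVICE_PROJECT HOST_PROJECT NETWORK ZONE_NAME DNS_NAME
# With DNS_DRY_RUN=1 (an assumption of this example) the gcloud command is
# printed, one single-quoted argument each, instead of being executed.
create_cross_project_zone() {
  service_project="$1"
  host_project="$2"
  network="$3"
  zone="$4"
  dns_name="$5"

  # The whole point is a cross-project binding: a zone bound to a network in
  # its own project is an ordinary private zone, so refuse that by mistake.
  if [ "$service_project" = "$host_project" ]; then
    echo "service project and host project must differ" >&2
    return 1
  fi

  # Cloud DNS requires an absolute, dot-terminated DNS name.
  case "$dns_name" in
    *.) ;;
    *) echo "DNS name must end with a dot: $dns_name" >&2; return 1 ;;
  esac

  url=$(network_url "$host_project" "$network")

  # The zone is created with --project=SERVICE_PROJECT (the zone owner);
  # --networks carries the host project's network URL (the binding).
  set -- gcloud dns managed-zones create "$zone" \
    --project="$service_project" \
    --dns-name="$dns_name" \
    --description="Private zone owned by $service_project, bound to $host_project" \
    --visibility=private \
    --networks="$url"

  if [ "${DNS_DRY_RUN:-0}" = "1" ]; then
    printf "'%s' " "$@"
    printf '\n'
  else
    "$@"
  fi
}

# Example invocation (placeholder IDs); run without DNS_DRY_RUN to create the zone.
# DNS_DRY_RUN=1 create_cross_project_zone svc-proj host-proj shared-vpc app-zone app.example.internal.
```

Before running it for real, check the identity on both sides of the boundary: the caller needs permission to create managed zones in the service project and, separately, permission to bind a private zone to the host project's network (the Cloud DNS IAM reference names this `dns.networks.bindPrivateDNSZone` on the host project; this page does not state it, so verify against the current reference). Granting only the host-project binding permission, not a host-wide DNS admin role, is what keeps the permission boundary the page describes.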

What's next

  • To create, update, list, and delete managed zones, see Manage zones.
  • To find solutions for common issues that you might encounter when using Cloud DNS, see Troubleshoot.
  • To get an overview of Cloud DNS, see Cloud DNS overview.