Create a forwarding zone

This page provides instructions about how to create a forwarding zone. For detailed background information, see Forwarding zones.

To create a new managed private forwarding zone, complete the following steps.

Before you begin, ensure that you understand the following:

The differences between standard and private routing as shown in Forwarding targets and routing methods
The network requirements for forwarding targets
The best practices for Cloud DNS forwarding zones

Console

In the Google Cloud console, go to the Create a DNS zone page.

Go to Create a DNS zone
For the Zone type, select Private.
Enter a Zone name such as my-new-zone.
Enter a DNS name suffix for the private zone. All records in the zone share this suffix. For example, example.private.
Optional: Add a description.
Under Options, select Forward queries to another server.
Select the networks to which the private zone must be visible.
To add the IPv4 addresses of a forwarding target, click Add item. You can add multiple IP addresses.
To force private routing to the forwarding target, under Private forwarding, select the Enable checkbox.
Click Create.

gcloud

Run the dns managed-zones create command:

gcloud dns managed-zones create NAME \
    --description=DESCRIPTION \
    --dns-name=DNS_SUFFIX \
    --networks=VPC_NETWORK_LIST \
    --forwarding-targets=FORWARDING_TARGETS_LIST \
    --private-forwarding-targets=PRIVATE_FORWARDING_TARGETS_LIST \
    --visibility=private

Replace the following:

NAME: a name for your zone
DESCRIPTION: a description for your zone
DNS_SUFFIX: the DNS suffix for your zone, such as example.private
VPC_NETWORK_LIST: a comma-delimited list of VPC networks that are authorized to query the zone
FORWARDING_TARGETS_LIST: a comma-delimited list of IP addresses to which queries are sent. RFC 1918 IP addresses specified with this flag must be located in your VPC network or in an on-premises network connected to Google Cloud using Cloud VPN or Cloud Interconnect. Non-RFC 1918 IP addresses specified with this flag must be internet accessible.
PRIVATE_FORWARDING_TARGETS_LIST: a comma-delimited list of IP addresses to which queries are sent. Any IP address specified with this flag must be located in your VPC network or in an on-premises network connected to Google Cloud using Cloud VPN or Cloud Interconnect.

API

Send a POST request using the managedZones.create method:

POST https://dns.googleapis.com/dns/v1/projects/PROJECT_ID/managedZones
{

    "name": "NAME",
    "description": "DESCRIPTION",
    "dnsName": "DNS_NAME",
    "visibility": "private"
    "privateVisibilityConfig": {
        "kind": "dns#managedZonePrivateVisibilityConfig",
        "networks": [{
                "kind": "dns#managedZonePrivateVisibilityConfigNetwork",
                "networkUrl": VPC_NETWORK_1
            },
            {
                "kind": "dns#managedZonePrivateVisibilityConfigNetwork",
                "networkUrl": VPC_NETWORK_2
            },
            ....
        ]
    },
    "forwardingConfig": {
        "kind": "dns#managedZoneForwardingConfig",
        "targetNameServers": [{
                "kind": "dns#managedZoneForwardingConfigNameServerTarget",
                "ipv4Address": FORWARDING_TARGET_1
            },
            {
                "kind": "dns#managedZoneForwardingConfigNameServerTarget",
                "ipv4Address": FORWARDING_TARGET_2
            },
            ....
        ]
    },
}

Replace the following:

PROJECT_ID: the ID of the project where the managed zone is created
NAME: a name for your zone
DESCRIPTION: a description for your zone
DNS_NAME: the DNS suffix for your zone, such as example.private
VPC_NETWORK_1 and VPC_NETWORK_2: URLs for VPC networks in the same project that are able to query records in this zone. You can add multiple VPC networks as indicated. To determine the URL for a VPC network, describe the network with the following gcloud command, replacing VPC_NETWORK_NAME with the network's name:
```
gcloud compute networks describe VPC_NETWORK_NAME 

   --format="get(selfLink)"
```
FORWARDING_TARGET_1 and FORWARDING_TARGET_2: IP addresses of forwarding target name servers. You can add multiple forwarding targets as indicated. RFC 1918 IP addresses specified here must be located in your VPC network or in an on-premises network connected to Google Cloud using Cloud VPN or Cloud Interconnect. Non-RFC 1918 IP addresses specified with this flag must be internet accessible.

Terraform

dns_managed_zone_private_forwarding/main.tf

View on GitHub

resource "google_dns_managed_zone" "private-zone" {
  name        = "private-zone"
  dns_name    = "private.example.com."
  description = "Example private DNS zone"
  labels = {
    foo = "bar"
  }

  visibility = "private"

  private_visibility_config {
    networks {
      network_url = google_compute_network.network-1.id
    }
    networks {
      network_url = google_compute_network.network-2.id
    }
  }

  forwarding_config {
    target_name_servers {
      ipv4_address = "172.16.1.10"
    }
    target_name_servers {
      ipv4_address = "172.16.1.20"
    }
  }
}

resource "google_compute_network" "network-1" {
  name                    = "network-1"
  auto_create_subnetworks = false
}

resource "google_compute_network" "network-2" {
  name                    = "network-2"
  auto_create_subnetworks = false
}

What's next

To create, update, list, and delete managed zones, see Manage zones.
To find solutions for common issues that you might encounter when using Cloud DNS, see Troubleshoot.
To get an overview of Cloud DNS, see Cloud DNS overview.