Configure DNS bindings
This page describes how to configure DNS bindings for Standard VMware Engine Networks.
Each private cloud deploys a Cloud DNS server that resolves names for all of the management appliances. You can make this server the DNS server for all VMware workloads by setting up DNS bindings. To do so, you need to:
- Get the IP address of the Private Cloud's DNS server
- Set up DNS bind permissions to allow a user principal to bind to the intranet VPC
- Configure DNS for your VMware workloads or NSX-T segment DHCP DNS setting
Before you begin
You can only configure DNS bindings using the gcloud tool or the API.
gcloud and API requirements
To use the gcloud command line tool or the API to manage your VMware Engine resources, we recommend configuring the tools as described below.
gcloud
Set your default project ID:
gcloud config set project PROJECT_ID
Set a default region and zone:
gcloud config set compute/region REGION
gcloud config set compute/zone ZONE
For more information on the gcloud vmware tool, see the Cloud SDK reference docs.
API
API examples in this documentation set use the cURL command-line tool to query the API. A valid access token is required as part of the cURL request. There are many ways to get a valid access token; the following steps use the gcloud tool to generate an access token:
Login to Google Cloud:
gcloud auth login
Generate access token and export to TOKEN:
export TOKEN=$(gcloud auth print-access-token)
Verify that TOKEN is set properly:
echo $TOKEN
Now, use the authorization token in your requests to the API. For example:
curl -X GET -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json; charset=utf-8" https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations
Python
Python code samples in this documentation use the VMware Engine library to communicate with the API. To be able to use this approach, the library needs to be installed and the Application Default Credentials should be configured.
Download and install the Python library:
pip install google-cloud-vmwareengine
Configure the Application Default Credentials by running the following command in your shell:
gcloud auth application-default login
Or, use a Service Account key file:
export GOOGLE_APPLICATION_CREDENTIALS="FILE_PATH"
For more information about the library, visit the reference page or view code samples on GitHub.
Get a private cloud workload DNS server IP
Console
To get the IP address of your private cloud's DNS server, follow these steps.
In the Google Cloud console, go to the Private clouds page.
Click the name of the private cloud you want to connect to.
On the Summary page for the private cloud, under Private Cloud DNS servers, click Copy to copy the private Cloud DNS server IP address.
gcloud
To get the IP address of your private cloud's DNS server using the Google Cloud CLI, use the gcloud vmware private-clouds describe command:
gcloud vmware private-clouds describe PRIVATE_CLOUD_ID \
    --project=PROJECT_ID \
    --location=REGION
Replace the following:
PRIVATE_CLOUD_ID: the private cloud name for this request
PROJECT_ID: the project ID for this request
REGION: the region of the private cloud; if this is a stretched private cloud, specify the zone for this private cloud
API
To get the IP address of your private cloud's DNS server using the VMware Engine API, make a GET request:
curl -X GET -H "Authorization: Bearer TOKEN" -H "Content-Type: application/json; charset=utf-8" "https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/REGION/privateClouds/PRIVATE_CLOUD_ID"
Replace the following:
PROJECT_ID: the project ID for this request
REGION: the region of the private cloud; if this is a stretched private cloud, specify the zone for this private cloud
PRIVATE_CLOUD_ID: the private cloud name for this request
Set up DNS bind permissions
You can only set up and manage DNS bind permissions using the gcloud tool or directly using the REST API. It is not possible to set up bindings through the console.
Grant DNS bind permission
In order for a user to configure DNS bindings, you must grant a user principal the permission to bind to the intranet VPC. In this case, a user principal is the email address of the user who will bind the private DNS zone with the intranet VPC.
gcloud
gcloud vmware dns-bind-permission grant \
    --user=USER
Replace USER with the email of the user who is going to bind the private DNS zone with the intranet VPC. For example, example1@gmail.com.
API
Make a POST request to the dnsBindPermission:grant method and provide the user email address in the request body.
curl -X POST -H "Authorization: Bearer TOKEN" -H "Content-Type: application/json; charset=utf-8" https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/global/dnsBindPermission:grant -d '{ "principal": { "user": "USER" } }'
Replace the following:
PROJECT_ID: the project for this request
USER: the email of the user to whom you want to grant permissions. For example, example1@gmail.com.
Revoke DNS Bind Permission
Revokes the DNS Bind Permission that was previously granted to the user.
gcloud
gcloud vmware dns-bind-permission revoke \
    --user=USER
Replace USER with the email of the user for whom you want to revoke permissions. For example, example1@gmail.com.
API
Make a POST request to the dnsBindPermission:revoke method and provide the user email address in the request body.
curl -X POST -H "Authorization: Bearer TOKEN" -H "Content-Type: application/json; charset=utf-8" https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/global/dnsBindPermission:revoke -d '{ "principal": { "user": "USER" } }'
Replace the following:
PROJECT_ID: the project for this request
USER: the email of the user for whom you want to revoke permissions. For example, example1@gmail.com.
Describe DNS bind Permission
Describes DNS bind permissions for a project and which user principal has access to configure DNS bindings.
gcloud
gcloud vmware dns-bind-permission describe
API
Make a GET request to the dnsBindPermission resource.
curl -X GET -H "Authorization: Bearer TOKEN" -H "Content-Type: application/json; charset=utf-8" https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/global/dnsBindPermission
Replace PROJECT_ID with the project for this request.
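The describe output above is the place to periodically check that only the intended principals can bind Cloud DNS zones to the intranet VPC. The following script is an added example, not code from the Google Cloud documentation: it reads the JSON that gcloud vmware dns-bind-permission describe --format=json (or the GET request above) returns, compares the listed principals against an allow-list, and prints the documented revoke command for any user principal that should not be there. The response shape (name plus a permissions list of {"user": ...} or {"serviceAccount": ...} entries) is assumed from the API's DnsBindPermission resource, and the sample response and allow-list are constructed.

```python
"""Audit which principals hold the VMware Engine DNS bind permission.

Added example, not from the Google Cloud docs. Feed it the JSON from
`gcloud vmware dns-bind-permission describe --format=json` on stdin, with the
allowed identities as arguments; without stdin it runs on a constructed sample.
"""
import json
import sys

# Constructed sample, shaped like the dnsBindPermission resource (assumed shape).
SAMPLE_DESCRIBE = json.dumps({
    "name": "projects/example-project/locations/global/dnsBindPermission",
    "permissions": [
        {"user": "example1@gmail.com"},
        {"serviceAccount": "dns-automation@example-project.iam.gserviceaccount.com"},
        {"user": "contractor@example.org"},
    ],
})


def principals(describe_json):
    """Return (kind, identity) pairs in the order the API lists them."""
    doc = json.loads(describe_json)
    found = []
    for entry in doc.get("permissions", []):
        if "user" in entry:
            found.append(("user", entry["user"]))
        elif "serviceAccount" in entry:
            found.append(("serviceAccount", entry["serviceAccount"]))
        else:
            # Unknown principal type: surface it instead of silently skipping it.
            found.append(("unknown", json.dumps(entry, sort_keys=True)))
    return found


def unexpected_principals(describe_json, allowed):
    """Principals present in the response but absent from the allow-list.

    Comparison is case-insensitive because e-mail addresses are.
    """
    allowed_lc = {a.strip().lower() for a in allowed}
    return [(kind, ident) for kind, ident in principals(describe_json)
            if ident.lower() not in allowed_lc]


def revoke_commands(unexpected):
    """Build the documented revoke command for each unexpected user principal.

    The page documents only the --user flag, so other principal kinds are
    returned separately for manual review rather than guessing a flag.
    """
    commands, manual = [], []
    for kind, ident in unexpected:
        if kind == "user":
            commands.append(f"gcloud vmware dns-bind-permission revoke --user={ident}")
        else:
            manual.append((kind, ident))
    return commands, manual


if __name__ == "__main__":
    allow = sys.argv[1:] or [
        "example1@gmail.com",
        "dns-automation@example-project.iam.gserviceaccount.com",
    ]
    data = SAMPLE_DESCRIBE if sys.stdin.isatty() else sys.stdin.read()
    extra = unexpected_principals(data, allow)
    cmds, manual = revoke_commands(extra)
    for kind, ident in principals(data):
        print(f"{kind:15} {ident}")
    for cmd in cmds:
        print("REVOKE:", cmd)
    for kind, ident in manual:
        print("REVIEW MANUALLY:", kind, ident)
```

Because the permission lets its holder change name resolution for every workload in the private cloud, treating the allow-list as a reviewed configuration file and running this check from a scheduled job gives an early signal when a principal is added outside the normal change process.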
Binding Private Cloud DNS Zone with the VMware Engine network intranet VPC
Once you grant a user principal the permissions to configure DNS bindings, the user can create a binding between the private DNS zone in Cloud DNS and the intranet VPC of the VMware Engine Network. VMware Engine uses DNS peering to facilitate Cloud DNS resolution.
Locating the Intranet VPC URL
You need the network intranet VPC URL to create the new binding. The VMware Engine network intranet VPC can be found by listing the details of the VMware Engine network.
Console
To locate the Intranet VPC URL using the Google Cloud console, follow these steps:
In the Google Cloud console, go to the VMware Engine networks page.
Locate the VMware Engine Network, click the Action option and select Copy Intranet VPC network URL.
gcloud
gcloud vmware networks describe VMWARE_ENGINE_NETWORK
Replace VMWARE_ENGINE_NETWORK with the network to describe. As part of the response, gcloud returns the details of the network, which contain the intranet VPC URL.
API
Make a GET request to the vmwareEngineNetworks resource and provide the name of the network:
curl -X GET -H "Authorization: Bearer TOKEN" -H "Content-Type: application/json; charset=utf-8" https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/global/vmwareEngineNetworks/NETWORK_ID
Replace the following:
PROJECT_ID: the project for this request
NETWORK_ID: the network to describe
Binding
Once bind permissions are configured, the intended workflow is to add, for each zone, a DNS peering zone that targets the VMware Engine network intranet VPC as part of your standard Cloud DNS zone management process.
gcloud
gcloud dns managed-zones create peering-DOMAIN \
    --dns-name="DOMAIN" \
    --visibility="private" \
    --networks="INTRANET_VPC_URL" \
    --target-project="PROJECT_ID" \
    --target-network="EXISTING_VPC" \
    --description="DESCRIPTION"
Replace the following:
DOMAIN: the domain to extend, for example zone1.example.com
INTRANET_VPC_URL: the intranet VPC URL for the VMware Engine network
EXISTING_VPC: the URL of the existing VPC network that the DOMAIN is already bound to
PROJECT_ID: the project ID for this request
API
Make a POST request to the managedZones resource and provide the name of the zone:
curl -X POST -H "Authorization: Bearer TOKEN" -H "Content-Type: application/json; charset=utf-8" https://dns.googleapis.com/v1/projects/PROJECT_ID/managedZones -d '{ "name": "peering-DOMAIN", "description": "", "dnsName": "DOMAIN", "visibility": "private", "peeringConfig": { "targetNetwork": { "networkUrl": "EXISTING_VPC" } }, "privateVisibilityConfig": { "networks": [ { "networkUrl": "INTRANET_VPC_URL" } ] } }'
Replace the following:
PROJECT_ID: the project ID for this request
DOMAIN: the domain to extend, for example zone1.example.com
INTRANET_VPC_URL: the intranet VPC URL for the VMware Engine network
EXISTING_VPC: the URL of the existing VPC network that the DOMAIN is already bound to
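The two request forms above are easy to get subtly wrong: a dnsName without its trailing dot, a bare network name where Cloud DNS wants a full VPC URL, or the intranet VPC accidentally used as the peering target. The script below is an added example, not code from the Google Cloud documentation or the Cloud DNS project; it assembles the managedZones create body shown above, rejects those mistakes before anything is sent, and renders the equivalent gcloud command. Field and flag names follow the Cloud DNS v1 API and gcloud as shown on this page; the zone-name and label rules are the standard Cloud DNS limits, and all project, network and zone values are constructed.

```python
"""Build and sanity-check a Cloud DNS peering zone that binds a private zone to
the VMware Engine intranet VPC.

Added example, not from the Google Cloud docs. The body it returns is the
managedZones.create payload; to_gcloud_command renders the same binding as a
`gcloud dns managed-zones create` invocation.
"""
import json
import re

# Fully qualified VPC URL form that Cloud DNS expects in networkUrl.
_FULL_VPC_URL = re.compile(
    r"^https://www\.googleapis\.com/compute/v1/projects/[^/]+/global/networks/[^/]+$"
)
# Relative reference, the form describe output commonly returns.
_RELATIVE_VPC_REF = re.compile(r"^projects/[^/]+/global/networks/[^/]+$")
# Managed zone names: lowercase letter first, then letters/digits/hyphens, max 63.
_ZONE_NAME = re.compile(r"^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$")
# One DNS label of the zone's dnsName (the root "." is handled separately).
_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")


def normalize_vpc_url(ref):
    """Return the fully qualified VPC URL, accepting a relative projects/... reference."""
    ref = ref.strip()
    if _FULL_VPC_URL.match(ref):
        return ref
    if _RELATIVE_VPC_REF.match(ref):
        return "https://www.googleapis.com/compute/v1/" + ref
    raise ValueError(f"not a VPC network URL: {ref!r}")


def validate_dns_name(domain):
    """Require an absolute DNS name such as 'zone1.example.com.' or '.'."""
    domain = domain.strip().lower()
    if domain == ".":
        return domain
    if not domain.endswith("."):
        raise ValueError(f"dnsName must end with a trailing dot: {domain!r}")
    if any(not _LABEL.match(label) for label in domain[:-1].split(".")):
        raise ValueError(f"invalid DNS label in {domain!r}")
    return domain


def build_peering_zone(zone_name, domain, intranet_vpc_url, existing_vpc, description=""):
    """Return the managedZones.create body for the peering zone.

    The zone is visible only from the intranet VPC and peers to existing_vpc,
    where the authoritative or forwarding zone for `domain` already lives.
    """
    if not _ZONE_NAME.match(zone_name):
        raise ValueError(f"invalid managed zone name: {zone_name!r}")
    intranet = normalize_vpc_url(intranet_vpc_url)
    target = normalize_vpc_url(existing_vpc)
    if intranet == target:
        raise ValueError("intranet VPC and target VPC must differ: "
                         "a zone cannot peer to the network it is visible from")
    return {
        "name": zone_name,
        "description": description,
        "dnsName": validate_dns_name(domain),
        "visibility": "private",
        "peeringConfig": {"targetNetwork": {"networkUrl": target}},
        "privateVisibilityConfig": {"networks": [{"networkUrl": intranet}]},
    }


def to_gcloud_command(body):
    """Render the equivalent gcloud command; --target-project is the project that owns the target VPC."""
    target = body["peeringConfig"]["targetNetwork"]["networkUrl"]
    target_project = target.split("/projects/")[1].split("/")[0]
    networks = ",".join(n["networkUrl"] for n in body["privateVisibilityConfig"]["networks"])
    return (
        f'gcloud dns managed-zones create {body["name"]} '
        f'--dns-name="{body["dnsName"]}" --visibility="private" '
        f'--networks="{networks}" --target-project="{target_project}" '
        f'--target-network="{target}" --description="{body["description"]}"'
    )


if __name__ == "__main__":
    # Constructed sample values; replace with your own project, networks and zone.
    body = build_peering_zone(
        "peering-zone1", "zone1.example.com.",
        "projects/example-project/global/networks/vmw-intranet-vpc",
        "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/corp-vpc",
        description="peer zone1 into the VMware Engine intranet VPC",
    )
    print(json.dumps(body, indent=2))
    print(to_gcloud_command(body))
```

Running the validation in a pipeline before the POST keeps a malformed binding from being created with a missing visibility setting or a wrong target, which would otherwise only show up later as workloads resolving the zone against the wrong network.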
Example DNS Bindings
The following are some example DNS bindings you might use.
Authoritative
gcloud dns managed-zones create zone1 \
    --dns-name="zone1.example.com." \
    --visibility="private" \
    --description="DESCRIPTION" \
    --networks="EXISTING_VPC"
gcloud dns managed-zones create peering-zone1 \
    --dns-name="zone1.example.com." \
    --visibility="private" \
    --networks="INTRANET_VPC_URL" \
    --target-project="PROJECT_ID" \
    --target-network="EXISTING_VPC" \
    --description="DESCRIPTION"
Conditional Forwarding
gcloud dns managed-zones create zone1 \
    --description="DESCRIPTION" \
    --dns-name="zone1.example.com." \
    --visibility="private" \
    --networks="EXISTING_VPC" \
    --forwarding-targets="DNS_SERVER_IP1","DNS_SERVER_IP2"
gcloud dns managed-zones create peering-zone1 \
    --dns-name="zone1.example.com." \
    --visibility="private" \
    --networks="INTRANET_VPC_URL" \
    --target-project="PROJECT_ID" \
    --target-network="EXISTING_VPC" \
    --description="DESCRIPTION"
Forwarding All
gcloud dns managed-zones create forward-all \
    --description="" \
    --dns-name="." \
    --visibility="private" \
    --networks="EXISTING_VPC" \
    --forwarding-targets="DNS_SERVER_IP1","DNS_SERVER_IP2"
gcloud dns managed-zones create peering-forward-all \
    --dns-name="." \
    --visibility="private" \
    --networks="INTRANET_VPC_URL" \
    --target-project="PROJECT_ID" \
    --target-network="EXISTING_VPC" \
    --description="DESCRIPTION"
Google API Private
gcloud dns managed-zones create googleapis \
    --dns-name="googleapis.com." \
    --visibility="private" \
    --description="Direct GCVE traffic to Private IPs for Google API Access" \
    --networks="EXISTING_VPC"
gcloud dns managed-zones create peering-googleapis \
    --dns-name="googleapis.com." \
    --visibility="private" \
    --networks="INTRANET_VPC_URL" \
    --target-project="PROJECT_ID" \
    --target-network="EXISTING_VPC" \
    --description="DESCRIPTION"
gcloud dns record-sets create private.googleapis.com. \
    --zone="googleapis" \
    --type="A" \
    --ttl="300" \
    --rrdatas="199.36.153.8,199.36.153.9,199.36.153.10,199.36.153.11"
gcloud dns record-sets create "*.googleapis.com." \
    --zone="googleapis" \
    --type="CNAME" \
    --ttl="300" \
    --rrdatas="private.googleapis.com."
Google API Restricted
gcloud dns managed-zones create googleapis \
    --dns-name="googleapis.com." \
    --visibility="private" \
    --description="Direct GCVE traffic to Private IPs for Google API Access" \
    --networks="EXISTING_VPC"
gcloud dns managed-zones create peering-googleapis \
    --dns-name="googleapis.com." \
    --visibility="private" \
    --networks="INTRANET_VPC_URL" \
    --target-project="PROJECT_ID" \
    --target-network="EXISTING_VPC" \
    --description="DESCRIPTION"
gcloud dns record-sets create restricted.googleapis.com. \
    --zone="googleapis" \
    --type="A" \
    --ttl="300" \
    --rrdatas="199.36.153.4,199.36.153.5,199.36.153.6,199.36.153.7"
gcloud dns record-sets create "*.googleapis.com." \
    --zone="googleapis" \
    --type="CNAME" \
    --ttl="300" \
    --rrdatas="restricted.googleapis.com."