DNS configuration for published services
Service producers can publish services by using Private Service Connect. The service producer can optionally configure a DNS domain name to associate with the service. If a domain name is configured, and a service consumer creates an endpoint that targets that service, Private Service Connect and Service Directory automatically create DNS entries for the service in a private DNS zone in the service consumer's VPC network.
DNS configuration for service producers
When you publish a service (create a service attachment), you can optionally configure a DNS domain name.
You must own the domain name that you are configuring. If you specify a domain name, but you don't own the domain, publishing the service fails. To verify ownership, go to the Google Search Console. For more information about verifying domains, see Add a website
The domain name that you specify in the service attachment can be a subdomain
of the domain that you verify. For example, you can register
then create a service attachment with a domain name of
If you configure a domain name for a service, when a Private Service Connect endpoint is created that connects to that service, the following configurations are made in the service consumer's VPC network:
A Service Directory DNS zone is created for the specified domain.
A DNS entry for each Private Service Connect endpoint is created in the zone.
The recommended format for the domain name is REGION.p.DOMAIN. Because this domain name is used to create DNS entries in the service consumer's VPC network, it's important to use a name that doesn't conflict with any existing DNS domain names. Using this format reduces the risk of conflicts.
For example, if the service is configured with domain name us-west1.p.example.com, and the service consumer creates a Private Service Connect endpoint with the name analytics, a DNS entry for analytics.us-west1.p.example.com is automatically created.
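The naming rule and the conflict concern above, as an added example (not Google's code): a Python check that validates a proposed service domain against the REGION.p.DOMAIN format and reports names already used in a consumer VPC network that would collide with the zone or the endpoint entry. The region pattern, the sample inventory, the function names and the definition of a conflict are assumptions made for illustration.

```python
import re

# Assumed shape of a region label such as "us-west1" (illustration only).
REGION_RE = re.compile(r"^[a-z]+-[a-z]+[0-9]+$")
# Generic DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def norm(name):
    """Lower-case a DNS name and drop the trailing dot."""
    return name.strip().lower().rstrip(".")


def follows_recommended_format(domain):
    """True if domain looks like REGION.p.DOMAIN with valid labels."""
    labels = norm(domain).split(".")
    # Region, the literal "p", then DOMAIN (assumed to have at least 2 labels).
    if len(labels) < 4 or labels[1] != "p":
        return False
    return bool(REGION_RE.match(labels[0])) and all(LABEL_RE.match(l) for l in labels)


def endpoint_fqdn(endpoint, domain):
    """DNS name created for an endpoint: ENDPOINT.<service domain>."""
    return f"{norm(endpoint)}.{norm(domain)}"


def find_conflicts(endpoint, domain, existing_names):
    """Return (name, reason) for existing names that collide with the new zone."""
    zone, fqdn = norm(domain), endpoint_fqdn(endpoint, domain)
    hits = []
    for raw in existing_names:
        name = norm(raw)
        if name == fqdn:
            hits.append((raw, "same name as the endpoint entry"))
        elif name == zone or name.endswith("." + zone):
            hits.append((raw, "inside the new zone's namespace"))
    return hits


# Constructed inventory of names already used in a consumer VPC network.
EXISTING = ["db.internal.example.com.", "analytics.us-west1.p.example.com.",
            "legacy.us-west1.p.example.com.", "us-west1.example.com."]

if __name__ == "__main__":
    print(follows_recommended_format("us-west1.p.example.com"))
    for name, why in find_conflicts("analytics", "us-west1.p.example.com", EXISTING):
        print(f"{name}: {why}")
```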
The load balancer that is hosting the service must be able to accept requests directed to this domain name. If you are using an internal HTTP(S) load balancer, you might need to update the load balancer configuration to reflect the domain names that you want service consumers to use. For example, update certificates or URL maps.
Automatic DNS configuration for service consumers
If the following configurations are present, DNS entries are automatically created for Private Service Connect endpoints:
The service producer has configured a domain name for the service.
The Private Service Connect endpoint is registered with a Service Directory namespace.
All new endpoints are automatically registered with Service Directory, but older endpoints might not be registered.
If both configurations are present, when the Private Service Connect endpoint is created, a Service Directory DNS zone is created with the name:
This private zone stores DNS entries for services found in the Service Directory namespace
After you create the Private Service Connect endpoint, you can verify if a Service Directory DNS zone is created. If the Service Directory DNS zone is not created, you can manually create a similar configuration. For more information, see View Service Directory DNS zones.
If you don't want these DNS entries to be created, do one of the following:
If you're not using Cloud DNS for another purpose, disable the Cloud DNS API, or remove the permissions that are required for Cloud DNS.
Wait for the DNS zone to be created, then delete the DNS zone manually.
If you want to manually configure DNS, see Configure DNS manually.