DNS configuration for published services

Service producers can publish services by using Private Service Connect. The service producer can optionally configure a DNS domain name to associate with the service. If a domain name is configured, and a service consumer creates an endpoint that targets that service, Private Service Connect and Service Directory automatically create DNS entries for the service in a private DNS zone in the service consumer's VPC network.

DNS configuration for service producers

When you publish a service (create a service attachment), you can optionally configure a DNS domain name.

You must own the domain name that you are configuring. If you specify a domain name, but you don't own the domain, publishing the service fails. To verify ownership, go to the Google Search Console. For more information about verifying domains, see Add a website property. The domain name that you specify in the service attachment can be a subdomain of the domain that you verify. For example, you can register example.com and then create a service attachment with a domain name of us-west1.p.example.com.

If you configure a domain name for a service, then when a Private Service Connect endpoint is created that connects to that service, DNS entries for the endpoint are automatically created in the service consumer's VPC network (see Automatic DNS configuration for service consumers).

The recommended format for the domain name is REGION.p.DOMAIN. Because this domain name is used to create DNS entries in the service consumer's VPC network, it's important to use a name that doesn't conflict with any existing DNS domain names. Using this format reduces the risk of conflicts.

For example, if the service is configured with the domain name us-west1.p.example.com, and the service consumer creates an endpoint with the name analytics, a DNS record for analytics.us-west1.p.example.com is automatically created.

The load balancer that is hosting the service must be able to accept requests directed to this domain name. If you are using an internal Application Load Balancer, you might need to update the load balancer configuration to reflect the domain names that you want service consumers to use. For example, update certificates or URL maps.

Automatic DNS configuration for service consumers

If the following configurations are present, DNS entries are automatically created for endpoints:

  • The service producer has configured a domain name for the service.

  • The endpoint is registered with a Service Directory namespace.

    All new endpoints are automatically registered with Service Directory, but older endpoints might not be registered.

If both configurations are present, then when the endpoint is created, a Service Directory DNS zone is created with the name NAMESPACE--REGION. This private zone stores DNS entries for services found in the Service Directory namespace NAMESPACE in the region REGION. The full zone name NAMESPACE--REGION must be 63 characters or fewer.
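As an added illustration (not code from the Google Cloud documentation or any Google library), the following Python helper derives the names described above and under DNS configuration for service producers: the record name ENDPOINT.DOMAIN, the zone name NAMESPACE--REGION with its 63-character limit, a warning when the domain does not follow the recommended REGION.p.DOMAIN format, and an overlap check against a list of existing zone names in the consumer VPC network, which is the conflict the recommendation is meant to avoid. The function names and the sample zone list are assumptions.

```python
import re

# DNS label rule: lowercase letters, digits and hyphens, 1-63 chars,
# no leading or trailing hyphen (assumed validation, not Google's).
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def psc_dns_plan(domain, endpoint, namespace, region):
    """Return the record FQDN and zone name that Private Service Connect
    would create for an endpoint, plus any warnings (hypothetical helper).

    domain    -- domain name on the service attachment, e.g. us-west1.p.example.com
    endpoint  -- consumer endpoint name, e.g. analytics
    namespace -- Service Directory namespace the endpoint is registered in
    region    -- region of the endpoint
    """
    warnings = []
    domain = domain.rstrip(".").lower()
    labels = domain.split(".")
    for label in labels + [endpoint]:
        if not _LABEL.match(label):
            raise ValueError(f"invalid DNS label: {label!r}")
    # Recommended format is REGION.p.DOMAIN; anything else raises the
    # chance of colliding with a zone that already exists in the consumer VPC.
    if len(labels) < 3 or labels[0] != region or labels[1] != "p":
        warnings.append(
            f"{domain!r} does not follow the recommended {region}.p.DOMAIN format"
        )
    zone = f"{namespace}--{region}"
    if len(zone) > 63:  # limit stated on this page for NAMESPACE--REGION
        raise ValueError(f"zone name {zone!r} exceeds 63 characters")
    return {"fqdn": f"{endpoint}.{domain}", "zone": zone, "warnings": warnings}


def conflicts_with(domain, existing_zone_dns_names):
    """Return existing zone names that equal, contain, or sit under domain."""
    d = domain.rstrip(".").lower()
    hits = []
    for name in existing_zone_dns_names:
        z = name.rstrip(".").lower()
        if d == z or d.endswith("." + z) or z.endswith("." + d):
            hits.append(z)
    return hits


# Constructed sample of private zones already present in a consumer VPC.
EXISTING_ZONES = ["corp.example.net.", "example.com."]

if __name__ == "__main__":
    plan = psc_dns_plan("us-west1.p.example.com", "analytics", "ns1", "us-west1")
    print(plan, conflicts_with("us-west1.p.example.com", EXISTING_ZONES))
```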

Figure 1. Automatic DNS configuration for endpoints using Service Directory

After you create the endpoint, you can verify whether a Service Directory DNS zone was created. If the Service Directory DNS zone was not created, you can manually create a similar configuration. For more information, see View Service Directory DNS zones.

If you don't want these DNS entries to be created, do one of the following:

  • If you're not using Cloud DNS for another purpose, disable the Cloud DNS API, or remove the permissions that are required for Cloud DNS.

  • Wait for the DNS zone to be created, then delete the DNS zone manually.

    If you want to manually configure DNS, see Configure DNS manually.