Create a zone with cross-project binding

This page provides instructions about how to create a zone with cross-project binding enabled. For detailed background information, see Cross-project binding .

Permissions required for this task

To perform this task, you must have been granted the following permissions or the following IAM roles.

Permissions

• dns.networks.bindPrivateDNSZone on the project that owns the VPC network
• dns.managedZones.create on the project that owns the DNS zone

Roles

• roles/dns.admin

Limitations

• Your projects need to be in the same organization.
• You cannot associate a zone to a VPC network in a project outside the organization.

Set up cross-project binding

You can create a managed private zone that can be bound to a network that is owned by a different project within the same organization. Instead of specifying the network in the same project, specify the URL of the network in another project under the same organization.

Example: Suppose that you have two projects, project A and project B . The VPC network is in project A . To make sure that all the VMs in that VPC network are able to resolve the DNS zones in project B , follow these steps.

1. To get the network URL, use the gcloud compute networks describe command in project A :

   gcloud compute networks describe NETWORK_NAME 
   

   Replace NETWORK_NAME with the name of the VPC network in project A .

   Your output lists the network URL as SelfLink , which is the URL that you need. The output looks similar to the following:

   autoCreateSubnetworks: true
   creationTimestamp: '2021-08-11T14:07:16.454-07:00'
   description: Default network for the project
   id: '2485375699124847339'
   kind: compute#network
   name: default
   routingConfig:
    routingMode: REGIONAL
   selfLink: https://www.googleapis.com/compute/v1/projects/project-a/global/networks/default
   subnetworks:

2. Create a private zone by running the dns managed-zones create command in project B , where you want to create or manage the DNS zone:

   gcloud dns managed-zones create NAME 
   \
    --dns-name= DNS_SUFFIX 
   \
    --description="Cross Project Binding" \
    --visibility=private \
    --networks= VPC_NETWORK 
   

   Replace the following:

   • NAME : a name for your zone
   • DNS_SUFFIX : the DNS suffix for your zone, such as example.private
   • VPC_NETWORK : the shared VPC URL that is authorized to query the zone from project A , such as https://www.googleapis.com/compute/v1/projects/project-a/global/networks/default.

   This creates a private zone in project B where you want to create and manage the DNS zone. Your output is similar to the following:

   Created
   [https://dns.googleapis.com/dns/v1/projects/project-b/managedZones/my-zone].

What's next

• To work with managed zones, see Create, modify, and delete zones .
• To find solutions for common issues that you might encounter when using Cloud DNS, see Troubleshooting .
• To get an overview of Cloud DNS, see Cloud DNS overview .