Submitted URL: https://cloud.google.com/dns/docs/policies#creating
Effective URL: https://cloud.google.com/dns/docs/policies
Submission: On August 04 via api from US — Scanned from US

CONFIGURE CLOUD DNS SERVER POLICIES


 * On this page
 * Before you begin
 * Create DNS server policies
   * Create an inbound server policy
   * Create an outbound server policy
   * Create a server policy for both
   * List inbound forwarder entry points
 * Update DNS policies
   * Change VPC networks
   * Enable or disable inbound forwarding
 * List DNS policies
 * Delete a DNS policy
 * What's next

This page describes how to configure Cloud DNS server policies and use them with
Virtual Private Cloud (VPC) networks. Before you use this page, review the DNS
server policies overview.


BEFORE YOU BEGIN

The Cloud DNS API requires that you create a Google Cloud project and enable the
Cloud DNS API.

If you are creating an application that uses the REST API, you must also create
an OAuth 2.0 client ID.



 1. If you don't already have one, sign up for a Google Account.
 2. Enable the Cloud DNS API in the Google Cloud console. You can choose an
    existing Compute Engine or App Engine project, or you can create a new
    project.
 3. If you need to make requests to the REST API, create an OAuth 2.0 client
    ID; see Setting up OAuth 2.0.
 4. In the project, note the following information that you will need to input
    in later steps:
    * The client ID (xxxxxx.apps.googleusercontent.com).
    * The project ID that you want to use. You can find the ID at the top of the
      Overview page in the Google Cloud console. You could also ask your user to
      provide the project name that they want to use in your app.



If you have not run the Google Cloud CLI previously, you must run the following
command to specify the project name and authenticate with the Google Cloud
console:


gcloud auth login


To choose a different project than one you have chosen previously, specify the
--project option at the command line.


CREATE DNS SERVER POLICIES

Each DNS server policy object can define any of the following server policies:

 * An inbound server policy, enabling inbound forwarding
 * An outbound server policy, specifying one or more alternative name servers
 * Both an inbound and an outbound server policy

Each VPC network can reference no more than one DNS server policy. If you need
to define both inbound and outbound forwarding for a VPC network, create one
policy that defines both an inbound and an outbound policy.


CREATE AN INBOUND SERVER POLICY

To create an inbound server policy, follow these instructions. Cloud DNS creates
a set of inbound forwarder IP addresses from the primary IPv4 address ranges of
subnets in each VPC network to which the policy applies. After you create your
policy, you can list the entry points that Cloud DNS creates.

Important: For details about how inbound server entry points associate DNS
queries with a VPC network and region, review the Inbound server policies
section of the "DNS server policies" page.


To create an inbound server policy, run the dns policies create command:


gcloud dns policies create NAME \
    --description=DESCRIPTION \
    --networks=VPC_NETWORK_LIST \
    --enable-inbound-forwarding


Replace the following:

 * NAME: a name for the policy
 * DESCRIPTION: a description for the policy
 * VPC_NETWORK_LIST: a comma-delimited list of VPC networks where inbound
   forwarding addresses must be created

The equivalent Terraform configuration:

resource "google_dns_policy" "default" {
  name                      = "example-inbound-policy"
  enable_inbound_forwarding = true

  networks {
    network_url = google_compute_network.default.id
  }
}

resource "google_compute_network" "default" {
  name                    = "network"
  auto_create_subnetworks = false
}


CREATE AN OUTBOUND SERVER POLICY

To specify a list of alternative name servers for a VPC network, you can create
an outbound server policy.

Important: For details about how the use of alternative name servers affects
VPC network-scoped response policies, VPC network-scoped private zones, and
Compute Engine internal DNS, review the Outbound server policies section of the
"DNS server policies overview" page. Also review Alternative name server types,
routing methods, and addresses and Alternative name server network
requirements.


To create an outbound server policy, run the dns policies create command:

gcloud dns policies create NAME \
    --description=DESCRIPTION \
    --networks=VPC_NETWORK_LIST \
    --alternative-name-servers=ALTERNATIVE_NAMESERVER_LIST \
    --private-alternative-name-servers=PRIVATE_ALTERNATIVE_NAMESERVER_LIST


Replace the following:

 * NAME: a name for the policy
 * DESCRIPTION: a description for the policy
 * VPC_NETWORK_LIST: a comma-delimited list of VPC networks that query the
   alternative name servers
 * ALTERNATIVE_NAMESERVER_LIST: a comma-delimited list of IP addresses that you
   can use as alternative name servers; private routing is only used for
   alternative name servers that have RFC 1918 addresses
 * PRIVATE_ALTERNATIVE_NAMESERVER_LIST: a comma-delimited list of IP addresses
   that you can use as alternative name servers, accessed by using private
   routing

The equivalent Terraform configuration (the first target name server is reached
by private routing, the second by standard routing):

resource "google_dns_policy" "default" {
  name = "example-outbound-policy"

  alternative_name_server_config {
    target_name_servers {
      ipv4_address    = "172.16.1.10"
      forwarding_path = "private"
    }
    target_name_servers {
      ipv4_address = "172.16.1.20"
    }
  }

  networks {
    network_url = google_compute_network.default.id
  }
}

resource "google_compute_network" "default" {
  name                    = "network"
  auto_create_subnetworks = false
}


CREATE A SERVER POLICY FOR BOTH



To create a DNS server policy for both inbound and outbound forwarding, run the
dns policies create command:

gcloud dns policies create NAME \
    --description=DESCRIPTION \
    --networks=VPC_NETWORK_LIST \
    --alternative-name-servers=ALTERNATIVE_NAMESERVER_LIST \
    --private-alternative-name-servers=PRIVATE_ALTERNATIVE_NAMESERVER_LIST \
    --enable-inbound-forwarding


Replace the following:

 * NAME: a name for the policy
 * DESCRIPTION: a description for the policy
 * VPC_NETWORK_LIST: a comma-delimited list of VPC networks where inbound
   forwarding addresses must be created and that must query the alternative name
   servers
 * ALTERNATIVE_NAMESERVER_LIST: a comma-delimited list of IP addresses that you
   can use as alternative name servers. Private routing is only used for
   alternative name servers that have RFC 1918 addresses.
 * PRIVATE_ALTERNATIVE_NAMESERVER_LIST: a comma-delimited list of IP addresses
   that you can use as alternative name servers, accessed by using private
   routing.

The equivalent Terraform configuration, applied to two VPC networks with query
logging enabled:

resource "google_dns_policy" "example_policy" {
  name                      = "example-policy"
  enable_inbound_forwarding = true

  enable_logging = true

  alternative_name_server_config {
    target_name_servers {
      ipv4_address    = "172.16.1.10"
      forwarding_path = "private"
    }
    target_name_servers {
      ipv4_address = "172.16.1.20"
    }
  }

  networks {
    network_url = google_compute_network.network_1.id
  }
  networks {
    network_url = google_compute_network.network_2.id
  }
}

resource "google_compute_network" "network_1" {
  name                    = "network-1"
  auto_create_subnetworks = false
}

resource "google_compute_network" "network_2" {
  name                    = "network-2"
  auto_create_subnetworks = false
}
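The outbound and combined policies above both depend on one rule that is easy to get wrong: an address in ALTERNATIVE_NAMESERVER_LIST gets private routing only if it is an RFC 1918 address, while anything in PRIVATE_ALTERNATIVE_NAMESERVER_LIST always gets private routing. The following pre-flight helper is an added example, not code from the Cloud DNS documentation; it reports the path each name server will receive and assembles the matching gcloud invocation. Policy name, network names and addresses are constructed sample values.

```python
# Added example, not from the Cloud DNS documentation: show which forwarding
# path each alternative name server will get and build the matching
# `gcloud dns policies create` argv. Names and addresses are constructed.
import ipaddress

# Private routing is applied automatically only to alternative name servers
# with RFC 1918 addresses; other addresses in --alternative-name-servers use
# standard (public) routing.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    # ipaddress.is_private() also matches loopback and link-local space, so the
    # three RFC 1918 blocks are checked explicitly.
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def _split(csv: str) -> list:
    return [s.strip() for s in csv.split(",") if s.strip()]


def plan_forwarding(alt_list: str, private_alt_list: str = "") -> dict:
    """Map each address to the forwarding path Cloud DNS will use for it."""
    plan = {}
    for addr in _split(alt_list):
        plan[addr] = "private" if is_rfc1918(addr) else "standard"
    for addr in _split(private_alt_list):
        if addr in plan:
            raise ValueError(f"{addr} appears in both flags")
        plan[addr] = "private"
    return plan


def build_create_command(name, description, networks, alt_list="",
                         private_alt_list="", inbound=False) -> list:
    """Return the gcloud argv for an inbound, outbound or combined policy."""
    if not (alt_list or private_alt_list or inbound):
        raise ValueError("policy must define inbound and/or outbound forwarding")
    argv = ["gcloud", "dns", "policies", "create", name,
            f"--description={description}", f"--networks={networks}"]
    if alt_list:
        argv.append(f"--alternative-name-servers={alt_list}")
    if private_alt_list:
        argv.append(f"--private-alternative-name-servers={private_alt_list}")
    if inbound:
        argv.append("--enable-inbound-forwarding")
    return argv


if __name__ == "__main__":
    plan = plan_forwarding("172.16.1.10,203.0.113.5", "203.0.113.9")
    for addr, path in plan.items():
        print(f"{addr:>14}  {path}")
    print(" ".join(build_create_command(
        "example-policy", "inbound and outbound", "network-1,network-2",
        "172.16.1.10,203.0.113.5", "203.0.113.9", inbound=True)))
```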


LIST INBOUND FORWARDER ENTRY POINTS

When an inbound server policy applies to a VPC network, Cloud DNS creates a set
of regional internal IP addresses that serve as destinations to which your
on-premises systems or name resolvers can send DNS queries. These addresses
serve as entry points to the name resolution order of your VPC network.

Note: If you disable and then re-enable inbound forwarding or if you delete and
recreate a VPC network, the entry point IP addresses change.

Google Cloud firewall rules do not apply to the regional internal addresses that
act as entry points for inbound forwarders. Cloud DNS accepts TCP and UDP
traffic on port 53 automatically.

Each inbound forwarder accepts and receives queries from Cloud VPN tunnels or
Cloud Interconnect attachments (VLANs) in the same region as the regional
internal IP address. VM instances can access the inbound forwarder through any
of the internal IP addresses in the same VPC network. To access inbound
forwarding, either the network interface must have an external IP address or a
subnet of the NIC must have Private Google Access enabled.



To list the set of regional internal IP addresses that serve as entry points for
inbound forwarding, run the compute addresses list command:

gcloud compute addresses list \
    --filter='purpose = "DNS_RESOLVER"' \
    --format='csv(address, region, subnetwork)'
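Because the entry-point addresses change whenever inbound forwarding is disabled and re-enabled or a VPC network is recreated, on-premises resolvers that forward to a stale address silently lose resolution. The following helper is an added example, not code from the Cloud DNS documentation: it parses the CSV printed by the command above, groups entry points by region, and reports drift against a previous inventory and against the targets configured on on-premises forwarders. The CSV text, project name and on-premises target list are constructed sample data.

```python
# Added example, not from the Cloud DNS documentation: detect inbound
# entry-point drift from `gcloud compute addresses list` CSV output.
import csv
import io
from collections import defaultdict

# Constructed sample of --format='csv(address, region, subnetwork)' output.
SAMPLE_CSV = """address,region,subnetwork
10.10.0.2,us-central1,https://www.googleapis.com/compute/v1/projects/example-project/regions/us-central1/subnetworks/subnet-a
10.20.0.2,europe-west1,https://www.googleapis.com/compute/v1/projects/example-project/regions/europe-west1/subnetworks/subnet-b
"""


def parse_entry_points(text: str) -> dict:
    """Return {region: {address, ...}} from the CSV the list command prints."""
    by_region = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        by_region[row["region"]].add(row["address"])
    return dict(by_region)


def entry_point_drift(previous: dict, current: dict) -> dict:
    """Per region, which entry points disappeared and which appeared."""
    drift = {}
    for region in sorted(set(previous) | set(current)):
        old, new = previous.get(region, set()), current.get(region, set())
        if old != new:
            drift[region] = {"removed": sorted(old - new),
                             "added": sorted(new - old)}
    return drift


def stale_forwarder_targets(onprem_targets, current: dict) -> list:
    """On-premises forwarder targets that are no longer live entry points.

    Queries must arrive via VPN or Interconnect in the entry point's own
    region, so a target is also worth re-checking after a region move.
    """
    live = set().union(*current.values()) if current else set()
    return sorted(t for t in onprem_targets if t not in live)


if __name__ == "__main__":
    inventory = parse_entry_points(SAMPLE_CSV)     # saved from an earlier run
    # Constructed "current" state after inbound forwarding was re-enabled.
    current = {"us-central1": {"10.10.0.3"}, "europe-west1": {"10.20.0.2"}}
    print("drift:", entry_point_drift(inventory, current))
    print("stale targets:", stale_forwarder_targets(["10.10.0.2", "10.20.0.2"],
                                                    current))
```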



UPDATE DNS POLICIES

The following sections provide information about changing VPC networks and
enabling or disabling inbound forwarding.


CHANGE VPC NETWORKS

The following list describes what happens when you change the list of VPC
networks to which a DNS policy applies:

 * If the policy specifies an inbound policy, entry points for inbound
   forwarders are created in VPC networks as needed.

 * If the policy specifies an outbound policy, the name resolution order of each
   VPC network is updated to include the specified alternative name servers.



To modify the list of networks to which a DNS server policy applies, run the dns
policies update command:

gcloud dns policies update NAME \
    --networks=VPC_NETWORK_LIST


Replace the following:

 * NAME: a name for the policy
 * VPC_NETWORK_LIST: a comma-delimited list of VPC networks to which the policy
   applies; the list of VPC networks that you specify replaces the previous list


ENABLE OR DISABLE INBOUND FORWARDING

You can enable inbound forwarding for a DNS server policy that defines only an
outbound policy (alternative name server). You can also disable inbound
forwarding for an existing DNS policy.



To enable inbound forwarding for a DNS server policy, run the dns policies
update command:

gcloud dns policies update NAME \
    --enable-inbound-forwarding


To disable inbound forwarding for a DNS server policy, run the dns policies
update command:

gcloud dns policies update NAME \
    --no-enable-inbound-forwarding


Replace NAME with the name of the policy.


LIST DNS POLICIES



To list DNS server policies in your project, run the dns policies list command:

gcloud dns policies list



DELETE A DNS POLICY



To delete a server policy, run the dns policies delete command:

gcloud dns policies delete NAME


Replace NAME with the name of the policy to delete.


WHAT'S NEXT

 * To find solutions for common issues that you might encounter when using Cloud
   DNS, see Troubleshooting.
 * To get an overview of Cloud DNS, see Cloud DNS overview.

Except as otherwise noted, the content of this page is licensed under the
Creative Commons Attribution 4.0 License, and code samples are licensed under
the Apache 2.0 License. For details, see the Google Developers Site Policies.
Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2024-07-31 UTC.
