Google Cloud VPC – DNS Not Shared in Network Peering?

Tags: google-cloud-platform, google-compute-engine, vpc-peering

I've got two VPC Networks:

  • A
  • B

They are linked with each other through VPC network peering. Machines from network A can reach machines from network B just fine via IP.

However, they are not capable of accessing each other through their internal DNS names (machinea.c.gc-project.internal).

According to the Google Cloud documentation, it is not possible to do this; it states:

Compute Engine internal DNS names created in a network are not accessible to peered networks. The IP address of the VM should be used to reach the VM instances in peered network.

How can I resolve this so they in fact are capable of using the DNS names?

Right now I just placed the IPs in each other's hosts files, but there should be some better way, right?

Best Answer

To a degree you have already answered your own question. You are right: as per the documentation you reference, the internal DNS scheme is not available across VPC peering on GCP today.

You have three options.

  1. Use hosts files, as you have been. This is simple to set up, but can be complex to maintain as your environment grows, though you could look to configuration management tools to help there - e.g. Ansible - to automatically distribute and maintain updates.

  2. You could deploy a new DNS zone on Google Cloud DNS. More details of that service here: Cloud DNS Overview. This service is for public zones only at this time, though, so you would need to register a domain or use one already owned. And as a public zone the names would be resolvable on the internet, which may or may not be desirable. You could also use an external public DNS provider.

  3. Deploy your own DNS servers. You could set up BIND or similar on virtual machines to act as a DNS server. You would need to update the DNS settings on the VMs to use these new servers, and I would suggest deploying at least two, for example one in each of your VPCs, for resilience. The main advantage would be that the zone can be private, so you would not need to buy a domain name or expose the records on the internet. Of course you would need to maintain the DNS servers, which may or may not be desirable. You could also run remote private DNS servers, for example over a VPN, but I wouldn't recommend that per se, as then you create a hard dependency on the VPN connection.

Worth adding that both AWS and Azure support private zones as part of their own DNS services, so it's not inconceivable that Google will add support for similar in the future.

Hope that helps.
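As an added illustration of option 1 (not part of the answer above): a small POSIX shell script that keeps a clearly marked, managed block of peered-VPC entries in /etc/hosts, so the entries can be regenerated from the peered project's instance listing instead of being edited by hand. The `c.gc-project.internal` suffix and the sample instance names/IPs are assumptions modelled on the question; the input format matches the output of `gcloud compute instances list --format='value(name,networkInterfaces[0].networkIP)'`.

```shell
#!/bin/sh
# Added example (not from the original answer): keep a managed block of
# peered-VPC host entries in /etc/hosts so the hosts-file option stays
# maintainable. Input is "name<TAB>ip" per line, the shape produced by
#   gcloud compute instances list --format='value(name,networkInterfaces[0].networkIP)'
# run against the peered project/VPC. The suffix below is an assumption that
# mirrors the questioner's "machinea.c.gc-project.internal" naming.
set -eu

DNS_SUFFIX="${DNS_SUFFIX:-c.gc-project.internal}"
BEGIN_MARK="# BEGIN peered-vpc-hosts (managed, do not edit)"
END_MARK="# END peered-vpc-hosts"

# Constructed sample of the peered VPC's instance listing (not real hosts).
SAMPLE_INSTANCES=$(printf 'machineb\t10.1.0.5\nmachinec\t10.1.0.6\n')

# render_hosts_block: stdin "name<TAB>ip" -> "ip<TAB>fqdn shortname" lines.
# Lines whose IP is not a dotted quad are dropped, so a malformed or
# unexpected entry in the listing cannot end up in the hosts file.
render_hosts_block() {
    awk -F'\t' -v suffix="$DNS_SUFFIX" '
        NF == 2 && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            printf "%s\t%s.%s %s\n", $2, $1, suffix, $1
        }'
}

# merge_hosts_block FILE: replace (or append) the managed block in FILE with
# the block read from stdin. Entries outside the markers are left untouched,
# and running it twice with the same input yields the same file.
merge_hosts_block() {
    file="$1"
    new_block=$(cat)
    tmp="$file.tmp.$$"
    {
        awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
            $0 == b { skip = 1; next }
            $0 == e { skip = 0; next }
            !skip' "$file"
        printf '%s\n' "$BEGIN_MARK"
        [ -n "$new_block" ] && printf '%s\n' "$new_block"
        printf '%s\n' "$END_MARK"
    } > "$tmp"
    mv "$tmp" "$file"
}

# Real use on a VM in network A (needs gcloud credentials; not run here):
#   gcloud compute instances list --project "$PEER_PROJECT" \
#     --format='value(name,networkInterfaces[0].networkIP)' \
#     | render_hosts_block | merge_hosts_block /etc/hosts
```

Distributing this via a configuration management tool (Ansible, as the answer suggests) gives every VM the same managed block, and the markers make it obvious which entries are generated and which were added by hand.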
