Cloud DNS FQDN outbound DNS forwarding

About this codelab
14 minutes
Last updated June 26, 2025
Written by Wonje Kang


This codelab will guide you through setting up Cloud DNS outbound forwarding zones using a Fully Qualified Domain Name (FQDN) as a forwarding target. This feature lets you direct DNS traffic to IP addresses resolved from a DNS name, rather than hard-coding IP addresses in your forwarding zone's configuration. This is particularly useful when your backend DNS resolver IP addresses change, as you can update the DNS record for the FQDN, and Cloud DNS automatically picks up the changes.

By the end of this codelab, you will be able to configure Cloud DNS forwarding zones that use the following:

  • An FQDN target that matches a private zone with A/AAAA records.
  • An FQDN target backed by Cloud DNS routing policies (geolocation or weighted round robin) for regional affinity or traffic distribution.

Overview of FQDN forwarding

Cloud DNS forwarding allows you to resolve private DNS names hosted outside of Google Cloud Platform (for example, on-premises or other clouds) from Google Cloud Platform resources. Traditionally, this supported forwarding to a list of target IP addresses. FQDN forwarding extends this by allowing you to specify an FQDN as a forwarding target in a forwarding zone.

When an FQDN is specified, Cloud DNS resolves it to IP addresses using an internal lookup, which uses the resolution logic of the source network. This means the FQDN target can match a private zone, a DNS routing policy (geolocation or weighted round robin), or even an Internet public domain name. Cloud DNS then forwards the query to the resolved destination IP.

What you'll build

Regional FQDN forwarding with a new private zone

You will build a setup that achieves regional affinity for DNS traffic. This involves creating a private DNS zone and configuring a geolocation routing policy within it, then linking a forwarding zone to this FQDN target. This ensures that traffic from a specific region (for example, us-east1) is forwarded to a corresponding regional DNS server.

FQDN forwarding with an existing private zone

You will learn to create a forwarding zone that targets an FQDN backed by an A/AAAA record within an existing private DNS zone. This demonstrates forwarding queries to statically defined IP addresses resolved using an FQDN forwarding target.

What you'll learn

The concept of FQDN forwarding

You will understand that FQDN forwarding extends DNS forwarding by allowing you to specify an FQDN forwarding target instead of just IP addresses as forwarding targets for outbound queries.

Benefits of FQDN forwarding

You will learn that this feature eliminates the need for manual updates when backend DNS resolver IP addresses change, as Cloud DNS automatically picks up changes from the FQDN's DNS record. It also enables more flexible scaling of DNS infrastructure by allowing DNS servers to be behind a shared name or scale dynamically.

Integration with Cloud DNS routing policies

You will learn how FQDN forwarding can be combined with Cloud DNS routing policies (geolocation or weighted round robin) to achieve regional affinity, optimize performance for geographically diverse deployments, and distribute traffic based on configured weights.

Google Cloud CLI command syntax

You will become familiar with the gcloud dns managed-zones create command and its relevant flags (--forwarding-targets, --private-forwarding-targets) for setting up FQDN forwarding zones.

Prerequisites

To complete this codelab, you need the following:

2. Getting set up

Understanding FQDN forwarding scenarios

Cloud DNS FQDN forwarding supports several usage scenarios:

  • Private zone with A/AAAA record: If the FQDN matches an A/AAAA record in a private zone, the resolved IP addresses are added to the forwarding list, and the behavior is identical to forwarding to target IP addresses directly.
  • Private zone with geolocation policy: Geolocation policies let you specify a source geolocation and the answer to return for it, so that traffic is distributed based on geography. This is key for regional DNS forwarding and affinity.
  • Private zone with weighted round robin (WRR) policy: WRR policies let you assign different weights to the IP addresses of a DNS name, so that traffic is distributed according to the configured weights.
  • Public zone with A/AAAA record: If the FQDN does not match any private name visible to the same network, Cloud DNS attempts to resolve it using the public internet.
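The last bullet is the one to watch from a security standpoint: a forwarding zone whose FQDN target is no longer covered by a private zone on its network (for example, after that private zone or record is deleted) quietly resolves the target on the public internet instead. As an added example that is not part of this codelab, the following Python audits the JSON that gcloud dns managed-zones list --format=json emits and reports such targets; the ManagedZone field names (forwardingConfig.targetNameServers[].domainName, privateVisibilityConfig.networks[].networkUrl) are assumed from the Cloud DNS API, and the sample data is constructed.

```python
import json

# Constructed sample shaped like `gcloud dns managed-zones list --format=json`; field
# names follow the Cloud DNS ManagedZone resource (an assumption), PROJECT is a placeholder.
NET = "https://www.googleapis.com/compute/v1/projects/PROJECT/global/networks/default"
SAMPLE_ZONES_JSON = json.dumps([
    {"name": "my-zone", "dnsName": "foo.com.", "visibility": "private",
     "privateVisibilityConfig": {"networks": [{"networkUrl": NET}]}},
    {"name": "my-geo-fwd-zone", "dnsName": "geo.test.com.", "visibility": "private",
     "privateVisibilityConfig": {"networks": [{"networkUrl": NET}]},
     "forwardingConfig": {"targetNameServers": [
         {"domainName": "geo.foo.com.", "forwardingPath": "private"}]}},
    # Hypothetical zone whose FQDN target is covered by no private zone on this network.
    {"name": "orphan-fwd-zone", "dnsName": "b.test.com.", "visibility": "private",
     "privateVisibilityConfig": {"networks": [{"networkUrl": NET}]},
     "forwardingConfig": {"targetNameServers": [
         {"domainName": "resolver.example.net.", "forwardingPath": "default"},
         {"ipv4Address": "10.0.0.53", "forwardingPath": "private"}]}},
])

def load_sample():
    return json.loads(SAMPLE_ZONES_JSON)

def zone_networks(zone):
    cfg = zone.get("privateVisibilityConfig") or {}
    return {n["networkUrl"] for n in cfg.get("networks", [])}

def in_zone(fqdn, dns_name):
    # Both names carry a trailing dot, as Cloud DNS stores them.
    return fqdn == dns_name or fqdn.endswith("." + dns_name)

def audit_fqdn_targets(zones):
    """(forwarding zone, FQDN target) pairs that no authoritative private zone on a
    shared VPC network covers, i.e. targets Cloud DNS would resolve via the public internet."""
    authoritative = [z for z in zones if z.get("visibility") == "private"
                     and "forwardingConfig" not in z and "peeringConfig" not in z]
    findings = []
    for z in zones:
        for t in (z.get("forwardingConfig") or {}).get("targetNameServers", []):
            fqdn = t.get("domainName")
            if not fqdn:
                continue  # plain IP target: nothing to resolve
            covered = any(in_zone(fqdn, p["dnsName"]) and zone_networks(p) & zone_networks(z)
                          for p in authoritative)
            if not covered:
                findings.append((z["name"], fqdn))
    return findings

if __name__ == "__main__":
    for zone, fqdn in audit_fqdn_targets(load_sample()):
        print(f"{zone}: target {fqdn} not covered by a private zone; would use public DNS")
```

Run it against real output by replacing load_sample() with json.load() over the file that gcloud wrote; a finding means the forwarding target now depends on whoever controls that name on the public internet.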

Understanding Google Cloud CLI command for FQDN forwarding

To create a forwarding zone with an FQDN forwarding target using gcloud CLI commands, you use the gcloud dns managed-zones create command. The key flags for specifying an FQDN target are --forwarding-targets and --private-forwarding-targets. See the Cloud DNS documentation for details about the standard and private routing methods.

  • --forwarding-targets: List of IPv4/IPv6 addresses or one domain name of the target name server that the zone will forward queries to. Ignored for public visibility. Non-RFC1918 addresses will forward to the target through the Internet. RFC1918 addresses will forward through the VPC.
  • --private-forwarding-targets: List of IPv4/IPv6 addresses or one domain name of the target name server that the zone will forward queries to. Ignored for public visibility. All addresses specified for this parameter will be reached through the VPC.

Sample syntax:

gcloud dns managed-zones create NAME \
    --description=DESCRIPTION \
    --dns-name=DNS_SUFFIX \
    --networks=VPC_NETWORK_LIST \
    --forwarding-targets=DEFAULT_FQDN_TARGET \
    --visibility=private

Note that you can specify --private-forwarding-targets instead of --forwarding-targets.

Set up your Google Cloud Platform project

Log in to the gcloud CLI.

gcloud auth login

Create a project.

gcloud projects create my-codelab-project

Enable the Cloud DNS API. It may take a few minutes for this to take effect.

gcloud services enable dns.googleapis.com

This codelab uses the default VPC network that is created with a new project. You may also create a new network to use instead.

3. Set up regional FQDN forwarding (with new private zone)

This scenario demonstrates how to achieve regional DNS forwarding, ensuring traffic from a specific region is forwarded to a DNS server within that same region.

Create a private DNS zone

First, create a private DNS zone (for example, foo.com.) that will host your FQDN and its associated geolocation routing policy. This zone must be visible to your default network.

gcloud dns managed-zones create my-zone \
    --description="Private Zone for FQDN outbound DNS forwarding." \
    --dns-name=foo.com. \
    --networks=default \
    --visibility=private

Create a geolocation routing policy record set within the private zone

Next, create a record set (for example, geo.foo.com.) within my-zone and apply a geolocation routing policy. This example configures one IP address for asia-east1 and one for us-central1.

gcloud dns record-sets create geo.foo.com. \
    --ttl="30" \
    --type="A" \
    --zone="my-zone" \
    --routing-policy-type="GEO" \
    --routing-policy-data="asia-east1=192.168.0.1;us-central1=192.168.0.2"

Note: If geofencing is disabled (default and recommended), queries will be directed to the nearest healthy region if a target in the original region is unhealthy.

Create a forwarding zone with the FQDN target

Create a forwarding zone (geo.test.com.) visible in the same default network, and set geo.foo.com. (the FQDN with the geolocation routing policy) as its forwarding target.

gcloud dns managed-zones create my-geo-fwd-zone \
    --description="Forwarding zone for FQDN outbound DNS forwarding for routing policy." \
    --dns-name=geo.test.com. \
    --networks=default \
    --private-forwarding-targets=geo.foo.com. \
    --visibility=private

Any DNS query matching geo.test.com. is now forwarded to the IP address that geo.foo.com. resolves to (for example, 192.168.0.1 or 192.168.0.2), selected according to the source region of the query.

4. Set up FQDN forwarding (with existing private zone)

Have an existing private DNS zone

Assume you already have a private DNS zone named my-zone (foo.com.) visible to the default network.

Create a DNS resource record within this private zone

Create an A type record for a.foo.com. within your existing my-zone.

gcloud dns record-sets create a.foo.com. \
    --ttl="30" \
    --type="A" \
    --zone="my-zone" \
    --rrdatas=1.2.3.4

Create a forwarding zone and specify the FQDN target

Similar to the regional FQDN scenario, create a forwarding zone and specify a.foo.com. as the forwarding target.

gcloud dns managed-zones create my-a-fwd-zone \
    --description="Forwarding zone for FQDN outbound DNS forwarding for A record." \
    --dns-name=a.test.com. \
    --networks=default \
    --private-forwarding-targets=a.foo.com. \
    --visibility=private

Any DNS query matching a.test.com. is forwarded to 1.2.3.4, the IP address that a.foo.com. resolves to.

5. Clean up

Before a private zone can be deleted, all ResourceRecordSets within the private zone must first be deleted (with the exception of NS and SOA records, which are automatically generated and must always exist in the private zone).

Delete the geolocation routing policy in the private zone.

gcloud dns record-sets delete "geo.foo.com." --type="A" --zone="my-zone"

Delete the A record in the private zone.

gcloud dns record-sets delete "a.foo.com." --type="A" --zone="my-zone"

Delete the private zone.

gcloud dns managed-zones delete "my-zone"

Delete the forwarding zone for the geolocation routing policy.

gcloud dns managed-zones delete "my-geo-fwd-zone"

Delete the forwarding zone for the A record.

gcloud dns managed-zones delete "my-a-fwd-zone"

6. Congratulations

Congratulations, you've successfully learned to use FQDN outbound DNS forwarding!

Further reading

Reference docs