parent
d0e2f0d59a
commit
7b2a82a7d6
|
@ -172,6 +172,13 @@ DNS configuration is further centralized by leveraging peering zones, so that
|
|||
|
||||
- the hub/landing Cloud DNS hosts configurations for on-prem forwarding, Google API domains, and the top-level private zone/s (e.g. gcp.example.com)
|
||||
- the spokes Cloud DNS host configurations for the environment-specific domains (e.g. prod.gcp.example.com), which are bound to the hub/landing leveraging [cross-project binding](https://cloud.google.com/dns/docs/zones/zones-overview#cross-project_binding); a peering zone for the `.` (root) zone is then created on each spoke, delegating all DNS resolution to hub/landing.
|
||||
- Private Google Access is enabled for a selection of the [supported domains](https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options), namely
|
||||
- `private.googleapis.com`
|
||||
- `restricted.googleapis.com`
|
||||
- `gcr.io`
|
||||
- `packages.cloud.google.com`
|
||||
- `pkg.dev`
|
||||
- `pki.goog`
|
||||
|
||||
To complete the configuration, the 35.199.192.0/19 range should be routed to the VPN tunnels from on-premises, and the following names should be configured for DNS forwarding to cloud:
|
||||
|
||||
|
|
|
@ -59,7 +59,7 @@ module "gcp-example-dns-private-zone" {
|
|||
}
|
||||
}
|
||||
|
||||
# Google API zone to trigger Private Access
|
||||
# Google APIs
|
||||
|
||||
module "googleapis-private-zone" {
|
||||
source = "../../../modules/dns"
|
||||
|
@ -81,3 +81,75 @@ module "googleapis-private-zone" {
|
|||
"CNAME *" = { records = ["private.googleapis.com."] }
|
||||
}
|
||||
}
|
||||
|
||||
module "gcrio-private-zone" {
|
||||
source = "../../../modules/dns"
|
||||
project_id = module.landing-project.project_id
|
||||
type = "private"
|
||||
name = "gcr-io"
|
||||
domain = "gcr.io."
|
||||
client_networks = [
|
||||
module.landing-untrusted-vpc.self_link,
|
||||
module.landing-trusted-vpc.self_link
|
||||
]
|
||||
recordsets = {
|
||||
"A gcr.io." = { ttl = 300, records = [
|
||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
||||
] }
|
||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
||||
}
|
||||
}
|
||||
|
||||
module "packages-private-zone" {
|
||||
source = "../../../modules/dns"
|
||||
project_id = module.landing-project.project_id
|
||||
type = "private"
|
||||
name = "packages-cloud"
|
||||
domain = "packages.cloud.google.com."
|
||||
client_networks = [
|
||||
module.landing-untrusted-vpc.self_link,
|
||||
module.landing-trusted-vpc.self_link
|
||||
]
|
||||
recordsets = {
|
||||
"A packages.cloud.google.com." = { ttl = 300, records = [
|
||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
||||
] }
|
||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
||||
}
|
||||
}
|
||||
|
||||
module "pkgdev-private-zone" {
|
||||
source = "../../../modules/dns"
|
||||
project_id = module.landing-project.project_id
|
||||
type = "private"
|
||||
name = "pkg-dev"
|
||||
domain = "pkg.dev."
|
||||
client_networks = [
|
||||
module.landing-untrusted-vpc.self_link,
|
||||
module.landing-trusted-vpc.self_link
|
||||
]
|
||||
recordsets = {
|
||||
"A pkg.dev." = { ttl = 300, records = [
|
||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
||||
] }
|
||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
||||
}
|
||||
}
|
||||
|
||||
module "pkigoog-private-zone" {
|
||||
source = "../../../modules/dns"
|
||||
project_id = module.landing-project.project_id
|
||||
type = "private"
|
||||
name = "pki-goog"
|
||||
domain = "pki.goog."
|
||||
client_networks = [
|
||||
module.landing-untrusted-vpc.self_link,
|
||||
module.landing-trusted-vpc.self_link
|
||||
]
|
||||
recordsets = {
|
||||
"A pki.goog." = { ttl = 300, records = [
|
||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
||||
] }
|
||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
||||
}
|
||||
}
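Review bot: The four new zone modules at L88–L295 repeat the same VIP list `"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"`, the same `private.googleapis.com.` CNAME target and the same client_networks list verbatim, and the identical set is copied again in the sections at L369–L557, L628–L816, L842–L1030 and L1101–L1289, so any later change has to be made in every copy. The VIP choice is the security-relevant decision here: the README in this commit lists `restricted.googleapis.com` next to `private.googleapis.com`, but every apex A record points at the private VIPs, which do not enforce a VPC Service Controls perimeter, so the list deserves one commented `locals` definition rather than an inline literal. If the stage's Terraform constraint allows module `for_each` (0.13 or later; the constraint is not in the hunk) the four modules collapse into one keyed by domain, as sketched below; otherwise at least hoist the record list and CNAME target into `locals`. The new records also set `ttl = 300` while the existing `"CNAME *"` in googleapis-private-zone (L77) sets no ttl, so the same target gets different cache behaviour depending on the zone.
```hcl
locals {
  # private.googleapis.com VIPs (no VPC-SC enforcement); change here, once,
  # if the restricted.googleapis.com range is required instead
  googleapis_vip_records = [
    "199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
  ]
  googleapis_private_zones = {
    "gcr-io"         = "gcr.io."
    "packages-cloud" = "packages.cloud.google.com."
    "pkg-dev"        = "pkg.dev."
    "pki-goog"       = "pki.goog."
  }
}

module "googleapis-domains-private-zone" {
  for_each   = local.googleapis_private_zones
  source     = "../../../modules/dns"
  project_id = module.landing-project.project_id
  type       = "private"
  name       = each.key
  domain     = each.value
  client_networks = [
    module.landing-untrusted-vpc.self_link,
    module.landing-trusted-vpc.self_link
  ]
  recordsets = {
    "A ${each.value}" = { ttl = 300, records = local.googleapis_vip_records }
    "CNAME *"         = { ttl = 300, records = ["private.googleapis.com."] }
  }
}
```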
|
||||
|
|
|
@ -102,6 +102,13 @@ DNS configuration is further centralized by leveraging peering zones, so that
|
|||
|
||||
- the hub/landing Cloud DNS hosts configurations for on-prem forwarding, Google API domains, and the top-level private zone/s (e.g. gcp.example.com)
|
||||
- the spokes Cloud DNS host configurations for the environment-specific domains (e.g. prod.gcp.example.com), which are bound to the hub/landing leveraging [cross-project binding](https://cloud.google.com/dns/docs/zones/zones-overview#cross-project_binding); a peering zone for the `.` (root) zone is then created on each spoke, delegating all DNS resolution to hub/landing.
|
||||
- Private Google Access is enabled for a selection of the [supported domains](https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options), namely
|
||||
- `private.googleapis.com`
|
||||
- `restricted.googleapis.com`
|
||||
- `gcr.io`
|
||||
- `packages.cloud.google.com`
|
||||
- `pkg.dev`
|
||||
- `pki.goog`
|
||||
|
||||
To complete the configuration, the 35.199.192.0/19 range should be routed on the VPN tunnels from on-prem, and the following names configured for DNS forwarding to cloud:
|
||||
|
||||
|
|
|
@ -50,7 +50,7 @@ module "gcp-example-dns-private-zone" {
|
|||
}
|
||||
}
|
||||
|
||||
# Google API zone to trigger Private Access
|
||||
# Google APIs
|
||||
|
||||
module "googleapis-private-zone" {
|
||||
source = "../../../modules/dns"
|
||||
|
@ -69,3 +69,63 @@ module "googleapis-private-zone" {
|
|||
"CNAME *" = { records = ["private.googleapis.com."] }
|
||||
}
|
||||
}
|
||||
|
||||
module "gcrio-private-zone" {
|
||||
source = "../../../modules/dns"
|
||||
project_id = module.landing-project.project_id
|
||||
type = "private"
|
||||
name = "gcr-io"
|
||||
domain = "gcr.io."
|
||||
client_networks = [module.landing-vpc.self_link]
|
||||
recordsets = {
|
||||
"A gcr.io." = { ttl = 300, records = [
|
||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
||||
] }
|
||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
||||
}
|
||||
}
|
||||
|
||||
module "packages-private-zone" {
|
||||
source = "../../../modules/dns"
|
||||
project_id = module.landing-project.project_id
|
||||
type = "private"
|
||||
name = "packages-cloud"
|
||||
domain = "packages.cloud.google.com."
|
||||
client_networks = [module.landing-vpc.self_link]
|
||||
recordsets = {
|
||||
"A packages.cloud.google.com." = { ttl = 300, records = [
|
||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
||||
] }
|
||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
||||
}
|
||||
}
|
||||
|
||||
module "pkgdev-private-zone" {
|
||||
source = "../../../modules/dns"
|
||||
project_id = module.landing-project.project_id
|
||||
type = "private"
|
||||
name = "pkg-dev"
|
||||
domain = "pkg.dev."
|
||||
client_networks = [module.landing-vpc.self_link]
|
||||
recordsets = {
|
||||
"A pkg.dev." = { ttl = 300, records = [
|
||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
||||
] }
|
||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
||||
}
|
||||
}
|
||||
|
||||
module "pkigoog-private-zone" {
|
||||
source = "../../../modules/dns"
|
||||
project_id = module.landing-project.project_id
|
||||
type = "private"
|
||||
name = "pki-goog"
|
||||
domain = "pki.goog."
|
||||
client_networks = [module.landing-vpc.self_link]
|
||||
recordsets = {
|
||||
"A pki.goog." = { ttl = 300, records = [
|
||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
||||
] }
|
||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
||||
}
|
||||
}
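Review bot: The heading `# Google API zone to trigger Private Access` (L354) is replaced by the bare `# Google APIs` (L357), which drops the only explanation of why these private zones exist; the same rename is made at L59→L62 and L1086→L1089. Since the block now covers five zones whose only purpose is to pin Google domains to the Private Google Access VIPs, a one-line why-comment is worth keeping, e.g. `# Google APIs: private zones resolving the Private Google Access domains to the private.googleapis.com VIPs so API traffic stays on the VPC`. The googleapis-private-zone module that follows this comment continues outside the hunk.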
|
||||
|
|
|
@ -69,6 +69,13 @@ DNS often goes hand in hand with networking, especially on GCP where Cloud DNS z
|
|||
|
||||
- on-prem to cloud via private zones for cloud-managed domains, and an [inbound policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) used as forwarding target or via delegation (requires some extra configuration) from on-prem DNS resolvers
|
||||
- cloud to on-prem via forwarding zones for the on-prem managed domains
|
||||
- Private Google Access is enabled for a selection of the [supported domains](https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options), namely
|
||||
- `private.googleapis.com`
|
||||
- `restricted.googleapis.com`
|
||||
- `gcr.io`
|
||||
- `packages.cloud.google.com`
|
||||
- `pkg.dev`
|
||||
- `pki.goog`
|
||||
|
||||
To complete the configuration, the 35.199.192.0/19 range should be routed on the VPN tunnels from on-prem, and the following names configured for DNS forwarding to cloud:
|
||||
|
||||
|
|
|
@ -50,6 +50,8 @@ module "dev-reverse-10-dns-forwarding" {
|
|||
forwarders = { for ip in var.dns.dev : ip => null }
|
||||
}
|
||||
|
||||
# Google APIs
|
||||
|
||||
module "dev-googleapis-private-zone" {
|
||||
source = "../../../modules/dns"
|
||||
project_id = module.dev-spoke-project.project_id
|
||||
|
@ -67,3 +69,63 @@ module "dev-googleapis-private-zone" {
|
|||
"CNAME *" = { records = ["private.googleapis.com."] }
|
||||
}
|
||||
}
|
||||
|
||||
module "dev-gcrio-private-zone" {
|
||||
source = "../../../modules/dns"
|
||||
project_id = module.dev-spoke-project.project_id
|
||||
type = "private"
|
||||
name = "gcr-io"
|
||||
domain = "gcr.io."
|
||||
client_networks = [module.dev-spoke-vpc.self_link]
|
||||
recordsets = {
|
||||
"A gcr.io." = { ttl = 300, records = [
|
||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
||||
] }
|
||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
||||
}
|
||||
}
|
||||
|
||||
module "dev-packages-private-zone" {
|
||||
source = "../../../modules/dns"
|
||||
project_id = module.dev-spoke-project.project_id
|
||||
type = "private"
|
||||
name = "packages-cloud"
|
||||
domain = "packages.cloud.google.com."
|
||||
client_networks = [module.dev-spoke-vpc.self_link]
|
||||
recordsets = {
|
||||
"A packages.cloud.google.com." = { ttl = 300, records = [
|
||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
||||
] }
|
||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
||||
}
|
||||
}
|
||||
|
||||
module "dev-pkgdev-private-zone" {
|
||||
source = "../../../modules/dns"
|
||||
project_id = module.dev-spoke-project.project_id
|
||||
type = "private"
|
||||
name = "pkg-dev"
|
||||
domain = "pkg.dev."
|
||||
client_networks = [module.dev-spoke-vpc.self_link]
|
||||
recordsets = {
|
||||
"A pkg.dev." = { ttl = 300, records = [
|
||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
||||
] }
|
||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
||||
}
|
||||
}
|
||||
|
||||
module "dev-pkigoog-private-zone" {
|
||||
source = "../../../modules/dns"
|
||||
project_id = module.dev-spoke-project.project_id
|
||||
type = "private"
|
||||
name = "pki-goog"
|
||||
domain = "pki.goog."
|
||||
client_networks = [module.dev-spoke-vpc.self_link]
|
||||
recordsets = {
|
||||
"A pki.goog." = { ttl = 300, records = [
|
||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
||||
] }
|
||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
||||
}
|
||||
}
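Review bot: The new zones are bound only to `module.dev-spoke-vpc` (L660, L704, L748, L792), so the VIP answers reach workloads in the spoke, while on-prem clients get them only if these domains are also forwarded to the inbound policy the README hunk at L565 describes; the forwarding list referred to at L594 is not visible here, so I cannot tell whether it was extended with `gcr.io`, `packages.cloud.google.com`, `pkg.dev` and `pki.goog`. The VIP range itself also needs a route in the spoke VPC, which I assume the VPC module provides, since the README only mentions routing `35.199.192.0/19` from on-prem. The prod copy at L842–L1030 has the same gap. A short comment on the block would make the scope explicit, e.g. `# resolves inside the spoke VPC only; add these domains to the on-prem forwarding list to extend to on-prem clients`.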
|
||||
|
|
|
@ -50,6 +50,7 @@ module "prod-reverse-10-dns-forwarding" {
|
|||
forwarders = { for ip in var.dns.prod : ip => null }
|
||||
}
|
||||
|
||||
# Google APIs
|
||||
|
||||
module "prod-googleapis-private-zone" {
|
||||
source = "../../../modules/dns"
|
||||
|
@ -68,3 +69,63 @@ module "prod-googleapis-private-zone" {
|
|||
"CNAME *" = { records = ["private.googleapis.com."] }
|
||||
}
|
||||
}
|
||||
|
||||
module "prod-gcrio-private-zone" {
|
||||
source = "../../../modules/dns"
|
||||
project_id = module.prod-spoke-project.project_id
|
||||
type = "private"
|
||||
name = "gcr-io"
|
||||
domain = "gcr.io."
|
||||
client_networks = [module.prod-spoke-vpc.self_link]
|
||||
recordsets = {
|
||||
"A gcr.io." = { ttl = 300, records = [
|
||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
||||
] }
|
||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
||||
}
|
||||
}
|
||||
|
||||
module "prod-packages-private-zone" {
|
||||
source = "../../../modules/dns"
|
||||
project_id = module.prod-spoke-project.project_id
|
||||
type = "private"
|
||||
name = "packages-cloud"
|
||||
domain = "packages.cloud.google.com."
|
||||
client_networks = [module.prod-spoke-vpc.self_link]
|
||||
recordsets = {
|
||||
"A packages.cloud.google.com." = { ttl = 300, records = [
|
||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
||||
] }
|
||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
||||
}
|
||||
}
|
||||
|
||||
module "prod-pkgdev-private-zone" {
|
||||
source = "../../../modules/dns"
|
||||
project_id = module.prod-spoke-project.project_id
|
||||
type = "private"
|
||||
name = "pkg-dev"
|
||||
domain = "pkg.dev."
|
||||
client_networks = [module.prod-spoke-vpc.self_link]
|
||||
recordsets = {
|
||||
"A pkg.dev." = { ttl = 300, records = [
|
||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
||||
] }
|
||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
||||
}
|
||||
}
|
||||
|
||||
module "prod-pkigoog-private-zone" {
|
||||
source = "../../../modules/dns"
|
||||
project_id = module.prod-spoke-project.project_id
|
||||
type = "private"
|
||||
name = "pki-goog"
|
||||
domain = "pki.goog."
|
||||
client_networks = [module.prod-spoke-vpc.self_link]
|
||||
recordsets = {
|
||||
"A pki.goog." = { ttl = 300, records = [
|
||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
||||
] }
|
||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
||||
}
|
||||
}
|
||||
|
|
|
@ -108,6 +108,13 @@ DNS configuration is further centralized by leveraging peering zones, so that
|
|||
|
||||
- the hub/landing Cloud DNS hosts configurations for on-prem forwarding, Google API domains, and the top-level private zone/s (e.g. gcp.example.com)
|
||||
- the spokes Cloud DNS host configurations for the environment-specific domains (e.g. prod.gcp.example.com), which are bound to the hub/landing leveraging [cross-project binding](https://cloud.google.com/dns/docs/zones/zones-overview#cross-project_binding); a peering zone for the `.` (root) zone is then created on each spoke, delegating all DNS resolution to hub/landing.
|
||||
- Private Google Access is enabled for a selection of the [supported domains](https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options), namely
|
||||
- `private.googleapis.com`
|
||||
- `restricted.googleapis.com`
|
||||
- `gcr.io`
|
||||
- `packages.cloud.google.com`
|
||||
- `pkg.dev`
|
||||
- `pki.goog`
|
||||
|
||||
To complete the configuration, the 35.199.192.0/19 range should be routed on the VPN tunnels from on-prem, and the following names configured for DNS forwarding to cloud:
|
||||
|
||||
|
|
|
@ -50,7 +50,7 @@ module "gcp-example-dns-private-zone" {
|
|||
}
|
||||
}
|
||||
|
||||
# Google API zone to trigger Private Access
|
||||
# Google APIs
|
||||
|
||||
module "googleapis-private-zone" {
|
||||
source = "../../../modules/dns"
|
||||
|
@ -69,3 +69,63 @@ module "googleapis-private-zone" {
|
|||
"CNAME *" = { records = ["private.googleapis.com."] }
|
||||
}
|
||||
}
|
||||
|
||||
module "gcrio-private-zone" {
|
||||
source = "../../../modules/dns"
|
||||
project_id = module.landing-project.project_id
|
||||
type = "private"
|
||||
name = "gcr-io"
|
||||
domain = "gcr.io."
|
||||
client_networks = [module.landing-vpc.self_link]
|
||||
recordsets = {
|
||||
"A gcr.io." = { ttl = 300, records = [
|
||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
||||
] }
|
||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
||||
}
|
||||
}
|
||||
|
||||
module "packages-private-zone" {
|
||||
source = "../../../modules/dns"
|
||||
project_id = module.landing-project.project_id
|
||||
type = "private"
|
||||
name = "packages-cloud"
|
||||
domain = "packages.cloud.google.com."
|
||||
client_networks = [module.landing-vpc.self_link]
|
||||
recordsets = {
|
||||
"A packages.cloud.google.com." = { ttl = 300, records = [
|
||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
||||
] }
|
||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
||||
}
|
||||
}
|
||||
|
||||
module "pkgdev-private-zone" {
|
||||
source = "../../../modules/dns"
|
||||
project_id = module.landing-project.project_id
|
||||
type = "private"
|
||||
name = "pkg-dev"
|
||||
domain = "pkg.dev."
|
||||
client_networks = [module.landing-vpc.self_link]
|
||||
recordsets = {
|
||||
"A pkg.dev." = { ttl = 300, records = [
|
||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
||||
] }
|
||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
||||
}
|
||||
}
|
||||
|
||||
module "pkigoog-private-zone" {
|
||||
source = "../../../modules/dns"
|
||||
project_id = module.landing-project.project_id
|
||||
type = "private"
|
||||
name = "pki-goog"
|
||||
domain = "pki.goog."
|
||||
client_networks = [module.landing-vpc.self_link]
|
||||
recordsets = {
|
||||
"A pki.goog." = { ttl = 300, records = [
|
||||
"199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
|
||||
] }
|
||||
"CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
|
||||
}
|
||||
}
|
||||
|
|