This chapter covers Cloud DNS Private Zones and Forwarding — two critical features for hybrid cloud networking and name resolution within Google Cloud. On the ACE exam, approximately 10-15% of networking questions touch on these topics, often testing your ability to configure private zones for internal name resolution and set up forwarding to on-premises DNS servers. You will learn the exact mechanisms, default behaviors, and configuration steps needed to pass exam scenarios involving split-horizon DNS, hybrid connectivity, and custom name resolution policies.
Jump to a section
Imagine a large company with multiple office buildings. Each building has its own internal mailroom that knows the names and locations of all employees within that building. When an employee wants to send a letter to someone in a different building, they drop it in their local mailroom. That mailroom checks its directory: if the recipient is not in this building, it forwards the letter to the company's central mail processing hub. The hub maintains a directory of all buildings and their mailrooms. If the hub also doesn't know the recipient, it forwards the letter to the public postal service (the internet). The hub can also be configured to send certain letters directly to a specific external courier (like a hybrid worker's home office) instead of the public service. In Cloud DNS, private zones are like building-specific directories — they only resolve names for VMs within that VPC network. Forwarding rules are like the hub's special courier routes — they send queries for specific domains to a custom target (e.g., on-premises DNS). And inbound server policies are like allowing external mailrooms to send letters to your internal employees by providing a public-facing address for your mail hub.
What Are Cloud DNS Private Zones?
Cloud DNS private zones are DNS zones that are only accessible from within one or more Google Cloud VPC networks. Unlike public zones, which are globally resolvable over the internet, private zones are invisible to the internet and only respond to queries originating from authorized VPC networks. This is essential for internal service discovery, such as resolving a backend service by its internal hostname (e.g., db.internal.example.com) without exposing that name to the public internet.
Private zones are associated with one or more VPC networks at creation time. A single private zone can be attached to multiple VPC networks, enabling cross-network name resolution. However, the zone is not automatically visible to peered networks — you must explicitly attach the zone to each VPC network that needs to resolve names in that zone.
How Private Zones Work Internally
When a VM in a VPC network sends a DNS query for a name that matches a private zone attached to that network, Cloud DNS intercepts the query and returns the authoritative answer from the zone. The resolution hierarchy is:
The VM's DNS resolver (typically the metadata server at 169.254.169.254) receives the query.
The metadata server forwards the query to Cloud DNS.
Cloud DNS checks if the query matches a private zone attached to the VM's VPC network.
If yes, it returns the record from the private zone.
If no, it falls back to the default resolution path (public internet or forwarding configuration).
Private zones support standard DNS record types: A, AAAA, CNAME, MX, NS, PTR, SOA, SPF, SRV, and TXT. They also support wildcard records.
Key Components and Defaults
Zone Name: A user-defined label (e.g., my-private-zone).
DNS Name: The domain suffix (e.g., internal.example.com.). Must end with a trailing dot.
VPC Networks: A list of VPC networks that can query this zone. You can attach up to 25 VPC networks per private zone.
Record TTL: Default is 300 seconds (5 minutes). You can override per record.
Visibility: Private zones are not visible to the internet; they only respond to queries from authorized VPC networks.
Peering: Private zones do not automatically propagate to peered VPC networks. You must either attach the zone to the peered network or use DNS peering (covered later).
DNS Forwarding: Outbound and Inbound
Forwarding allows you to redirect DNS queries for specific domains to a custom DNS server (e.g., an on-premises DNS server) instead of using the public internet. There are two types:
#### Outbound DNS Forwarding (DNS Server Policy)
An outbound DNS server policy tells Cloud DNS to forward queries for certain domains to one or more target DNS servers. This is typically used when you have a hybrid cloud environment where on-premises DNS servers are authoritative for internal domains (e.g., corp.example.com).
Policy Name: A user-defined name for the policy.
Networks: The VPC networks to which the policy applies. All VMs in these networks will have their DNS queries intercepted.
Target Name Servers: A list of DNS server IP addresses (IPv4 or IPv6) that will receive forwarded queries. You can specify up to 4 target name servers per policy.
Forwarding Path: Queries are forwarded over the VPC network's default egress path. If the target is on-premises, you must have a VPN or Interconnect connection.
Private Zone Priority: Private zones take precedence over forwarding policies. If a query matches a private zone attached to the network, it is answered locally and not forwarded.
#### Inbound DNS Forwarding (Inbound Server Policy)
An inbound DNS server policy allows DNS queries from external networks (e.g., on-premises) to be resolved by Cloud DNS private zones. This is achieved by creating a VPC-internal IP address that acts as a DNS forwarding endpoint. On-premises DNS servers can then send queries to this IP, and Cloud DNS will resolve them using the private zones attached to the VPC network.
Inbound Endpoint: A dedicated IP address from a subnet in the VPC network. This IP is the target for on-premises DNS queries.
Subnet: You must specify a subnet from which the endpoint IP is allocated. The subnet must have private IP addresses available.
Security: You must configure firewall rules to allow inbound DNS traffic (UDP/TCP port 53) from the on-premises network to the endpoint IP.
Configuration Commands
#### Create a Private Zone using gcloud:
gcloud dns managed-zones create my-private-zone \
--dns-name=internal.example.com. \
--description="Private zone for internal services" \
--visibility=private \
--networks=my-vpc-network#### Add a DNS Record:
gcloud dns record-sets create db.internal.example.com. \
--zone=my-private-zone \
--type=A \
--ttl=300 \
--rrdatas=10.0.0.5#### Create an Outbound DNS Server Policy:
gcloud dns policies create my-forwarding-policy \
--description="Forward corp.example.com to on-prem" \
--networks=my-vpc-network \
--alternative-name-servers=10.1.0.1,10.1.0.2Note: The --alternative-name-servers flag specifies the target DNS servers. This policy will forward all queries that do not match a private zone to these servers. To forward only specific domains, you need to create a routing policy (see below).
#### Create a Routing Policy for Domain-Specific Forwarding:
gcloud dns policies create my-routing-policy \
--description="Forward only corp.example.com" \
--networks=my-vpc-network \
--enable-logging \
--alternative-name-servers=10.1.0.1 \
--private-alternative-name-servers=10.2.0.1 \
--dns-name=corp.example.com.Note: The --dns-name flag restricts forwarding to that specific domain. If omitted, the policy forwards all unresolved queries.
#### Create an Inbound Server Policy:
gcloud dns inbound-server-policies create my-inbound-policy \
--description="Inbound endpoint for on-prem" \
--network=my-vpc-networkThen create an endpoint:
gcloud dns inbound-server-policies endpoints create my-endpoint \
--policy=my-inbound-policy \
--subnet=my-subnetInteraction with Related Technologies
VPC Peering: Private zones do not automatically propagate to peered VPCs. To enable resolution across peers, you must either attach the zone to both networks or use DNS peering (a separate feature that allows a zone to be shared with a peered network without attaching it).
Cloud VPN / Interconnect: Required for forwarding to on-premises DNS servers. The forwarding path uses the VPC's external IP or private IP (depending on configuration). For private forwarding (using private Google Access), you can use --private-alternative-name-servers to force forwarding over private IP.
Firewall Rules: For inbound forwarding, you must create firewall rules allowing UDP/TCP 53 from the on-premises CIDR to the inbound endpoint IP. For outbound, no special rules are needed if the target is reachable via the VPC's default routes.
Cloud Logging: You can enable DNS logging for private zones and forwarding policies to troubleshoot resolution issues. Logs capture query names, types, and responses.
Defaults and Limits
Maximum number of private zones per project: 1000
Maximum number of VPC networks attached to a private zone: 25
Maximum number of target name servers per outbound policy: 4
Maximum number of inbound endpoints per project: 50
Default TTL for records: 300 seconds
DNS query timeout for forwarding: 5 seconds (configurable via --timeout on the policy)
Step-by-Step Mechanism for a Forwarded Query
VM sends DNS query for app.corp.example.com.
Metadata server (169.254.169.254) receives query.
Cloud DNS checks private zones attached to the VM's VPC network. No match for corp.example.com.
Cloud DNS checks outbound DNS server policies attached to the network. A policy matches with dns-name=corp.example.com. and target name servers 10.1.0.1, 10.1.0.2.
Cloud DNS forwards the query to 10.1.0.1 over the VPC's network path (via VPN/Interconnect).
On-premises DNS server responds with 10.0.1.50.
Cloud DNS returns the answer to the VM.
If the on-premises server is unreachable, Cloud DNS returns a SERVFAIL error after the timeout (default 5 seconds).
Identify Resolution Requirements
Determine which domains need private resolution (e.g., internal.example.com) and which need forwarding to on-premises (e.g., corp.example.com). Also identify the VPC networks involved. This step is critical because private zones take precedence over forwarding — if a domain overlaps, the private zone wins. Ensure no conflicting zone names exist.
Create Private Zones
Using gcloud or Console, create a private zone for each internal domain. Specify the DNS name (e.g., internal.example.com.) and attach the VPC networks that should be able to resolve names in that zone. You can attach up to 25 networks per zone. For cross-network resolution, attach all necessary networks. Record the zone's name server set (NS records) — these are internal Google Cloud nameservers.
Add DNS Records to Private Zones
Add A, AAAA, CNAME, or other records to the private zone. For example, create an A record for db.internal.example.com pointing to 10.0.0.5. Use gcloud dns record-sets create. The TTL defaults to 300 seconds. Ensure records are accurate — misconfigured records can cause resolution failures that are hard to debug.
Configure Outbound Forwarding Policy
If on-premises DNS servers are authoritative for certain domains, create an outbound DNS server policy. Use gcloud dns policies create with --alternative-name-servers. To forward only specific domains, add --dns-name=corp.example.com. Otherwise, all non-private-zone queries are forwarded. Attach the policy to the VPC network(s). Verify that the target DNS servers are reachable via VPN/Interconnect.
Configure Inbound Forwarding (Optional)
If on-premises needs to resolve private zone names, create an inbound server policy. Use gcloud dns inbound-server-policies create. Then create an endpoint with a subnet. Note the allocated IP address. Configure on-premises DNS servers to forward queries for your private domain (e.g., internal.example.com) to this IP. Add firewall rules to allow UDP/TCP 53 from on-premises CIDR to the endpoint IP.
Test and Validate Resolution
From a VM in the VPC, use nslookup or dig to test resolution of private zone names (e.g., nslookup db.internal.example.com). For forwarded domains, test app.corp.example.com — it should return the on-premises answer. For inbound, test from on-premises: dig @<endpoint-ip> db.internal.example.com. Enable Cloud DNS logging to capture query logs for troubleshooting.
Enterprise Scenario 1: Hybrid Cloud with On-Premises Active Directory
A large enterprise runs Active Directory on-premises with DNS zone corp.example.com. They have migrated some workloads to Google Cloud VPCs. They need Google Cloud VMs to resolve on-premises hostnames (e.g., fileserver.corp.example.com) and on-premises clients to resolve Google Cloud VM hostnames (e.g., app.internal.example.com).
Solution: Create a private zone internal.example.com attached to the VPC. Add A records for all Google Cloud VMs. Create an outbound DNS server policy that forwards corp.example.com to the on-premises AD DNS servers (IPs 10.1.0.1, 10.1.0.2). Create an inbound server policy with an endpoint IP from a subnet. Configure on-premises DNS to forward internal.example.com to that endpoint IP. Ensure VPN or Interconnect connectivity.
Common Pitfall: Forgetting to attach the private zone to all VPCs that need it. If the zone is only attached to the production VPC, the development VPC cannot resolve internal.example.com even if they are peered.
Scale Considerations: With thousands of records, Cloud DNS handles it seamlessly. However, forwarding policies have a limit of 4 target name servers. For large on-premises environments, use a load balancer or DNS forwarder as the target.
Enterprise Scenario 2: Multi-VPC Service Discovery
A SaaS company has separate VPCs for different environments (prod, staging, dev) and wants each environment to resolve internal service names like api.prod.internal only within that environment. They also want to share a common zone global.example.com across all VPCs.
Solution: Create a private zone prod.internal attached to the prod VPC, staging.internal attached to staging VPC, etc. Create a private zone global.example.com attached to all three VPCs. This allows each environment to have its own internal names while sharing common names.
Common Pitfall: Overlapping DNS names. If prod.internal and global.example.com both have a record for api, the more specific zone wins (longest suffix match). Ensure no unintended overlaps.
Performance: Cloud DNS provides low-latency resolution (typically <10ms) for private zones. No additional cost for queries within the same region.
Enterprise Scenario 3: DNS Forwarding for Third-Party SaaS
A company uses a third-party SaaS platform that requires DNS resolution of a custom domain saas.mycompany.com to a set of external IPs. They want all VMs in their VPC to use a specific external DNS server (e.g., 8.8.8.8) for that domain, but use Google's public DNS for everything else.
Solution: Create an outbound DNS server policy with --dns-name=saas.mycompany.com. and --alternative-name-servers=8.8.8.8. Attach to the VPC. This ensures only queries for that domain are forwarded; all other queries go to Google's public DNS.
Common Pitfall: If the policy does not specify a --dns-name, it forwards ALL unresolved queries, which may break resolution for other domains. Always use domain-specific policies unless you intend to forward everything.
What the ACE Exam Tests (Objective 2.1)
The exam objectives for this area include: "Planning and configuring DNS for hybrid environments" and "Configuring private zones and forwarding." Specific topics tested:
Creating private zones and attaching VPC networks.
Understanding that private zones are not automatically available to peered VPCs.
Configuring outbound DNS server policies with target name servers.
Configuring inbound DNS server policies and endpoints.
Understanding the precedence: private zones > forwarding policies > public DNS.
Knowing that forwarding policies can be domain-specific or catch-all.
Recognizing the need for network connectivity (VPN/Interconnect) for forwarding to on-premises.
Common Wrong Answers and Why
1. "Private zones are automatically shared with all VPCs in the project." WRONG. Private zones must be explicitly attached to each VPC network. They are not project-wide.
2. "To resolve on-premises names, you must use an inbound server policy." WRONG. Inbound is for on-premises to resolve Cloud private zones. Outbound is for Cloud to resolve on-premises names.
3. "Forwarding policies apply to all queries regardless of private zones." WRONG. Private zones take precedence. If a query matches a private zone, it is answered locally and not forwarded.
4. "You can attach a private zone to up to 100 VPC networks." WRONG. The limit is 25 networks per private zone.
Specific Numbers and Terms
25: Maximum VPC networks per private zone.
4: Maximum target name servers per outbound policy.
5 seconds: Default DNS query timeout for forwarding.
300 seconds: Default TTL for records.
169.254.169.254: Metadata server used as DNS resolver.
UDP/TCP 53: DNS port for inbound forwarding.
--alternative-name-servers: Flag to specify target DNS servers.
--dns-name: Flag to restrict forwarding to a specific domain.
Edge Cases the Exam Loves
Peered VPCs: If VPC A is peered with VPC B, and a private zone is attached to A but not B, VMs in B cannot resolve names in that zone unless the zone is also attached to B or DNS peering is used.
Overlapping Zones: If two private zones have overlapping DNS names (e.g., example.com and sub.example.com), the more specific zone (longer suffix) takes precedence for names within its domain.
Forwarding with No Connectivity: If the target name servers are unreachable, Cloud DNS returns SERVFAIL. The exam may test that you need VPN/Interconnect for on-premises targets.
Inbound Endpoint Subnet: The subnet used for the inbound endpoint must have available IPs. If the subnet is full, the endpoint creation fails.
How to Eliminate Wrong Answers
If a question mentions "on-premises DNS resolution for Cloud VMs," the answer involves outbound forwarding.
If a question mentions "Cloud private zone resolution from on-premises," the answer involves inbound forwarding.
If a question mentions "multiple VPCs needing the same private zone," look for attaching the zone to each VPC or using DNS peering.
If a question mentions "forwarding all queries to a custom DNS," ensure the policy does not have a --dns-name filter (catch-all).
Private zones are authoritative only within explicitly attached VPC networks.
Forwarding policies are outbound (Cloud to on-prem) or inbound (on-prem to Cloud).
Private zones take precedence over forwarding policies.
Maximum 25 VPC networks per private zone.
Maximum 4 target name servers per outbound policy.
Default TTL for DNS records is 300 seconds.
Forwarding to on-premises requires VPN or Interconnect.
Inbound endpoints require a subnet with available IPs and firewall rules for UDP/TCP 53.
DNS peering is an alternative to attaching zones to multiple VPCs.
Use --dns-name to restrict forwarding to specific domains; omit for catch-all.
These come up on the exam all the time. Here's how to tell them apart.
Private Zone
Authoritative for a domain within VPC networks
Requires explicit attachment to VPC networks
Answers queries with local records
Supports standard DNS record types
Maximum 25 VPC networks per zone
Forwarding Policy (Outbound)
Forwards queries to external DNS servers
Attached to VPC networks via policies
Does not store records; relays queries
Forwards all unresolved queries or specific domains
Maximum 4 target name servers per policy
Mistake
Private zones are automatically visible to all VPCs in the same project.
Correct
Private zones must be explicitly attached to each VPC network. They are not project-wide. You attach networks at zone creation or later via update.
Mistake
Forwarding policies apply to all DNS queries, including those matching private zones.
Correct
Private zones take precedence. If a query matches a private zone attached to the VPC, it is answered locally and not forwarded. Forwarding only applies to queries that do not match any private zone.
Mistake
Inbound server policies allow Cloud VMs to resolve on-premises DNS names.
Correct
Inbound server policies allow on-premises DNS servers to resolve Cloud private zone names. For Cloud VMs to resolve on-premises names, you need an outbound server policy.
Mistake
You can attach a private zone to any number of VPC networks.
Correct
The maximum is 25 VPC networks per private zone. If you need more, consider using DNS peering or multiple zones.
Mistake
DNS forwarding works over the internet without VPN or Interconnect.
Correct
For on-premises targets, you must have a VPN tunnel or Cloud Interconnect. Forwarding uses the VPC's network path, which is private only if you use private Google Access or dedicated interconnect.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Use the gcloud command: `gcloud dns managed-zones create ZONE_NAME --dns-name=DOMAIN. --visibility=private --networks=VPC_NETWORK`. Or use the Cloud Console under Network Services > Cloud DNS. You must specify at least one VPC network at creation, but you can add more later.
Outbound forwarding (DNS server policy) allows Cloud VMs to resolve DNS names by forwarding queries to an external DNS server (e.g., on-premises). Inbound forwarding (inbound server policy) allows external DNS servers (e.g., on-premises) to resolve Cloud private zone names by sending queries to a VPC-internal endpoint IP.
Yes, you can attach a private zone to up to 25 VPC networks. However, the zone is not automatically available to peered VPCs unless you also attach the zone to the peered network or use DNS peering.
Yes, for outbound forwarding to on-premises DNS servers, you must have a VPN tunnel or Cloud Interconnect connection between the VPC and the on-premises network. The forwarding path uses the VPC's network routes.
The private zone takes precedence. The query is answered from the private zone's records and is not forwarded. This is by design to ensure local resolution overrides external forwarding.
Enable Cloud DNS logging for the zone or policy. Use `gcloud dns managed-zones describe` to verify network attachments. Test resolution from a VM using `nslookup` or `dig`. Check firewall rules for inbound endpoints. Verify VPN/Interconnect connectivity for forwarding.
The default timeout is 5 seconds. You can configure it using the `--timeout` flag when creating the DNS server policy. If the target server does not respond within the timeout, Cloud DNS returns SERVFAIL.
You've just covered Cloud DNS Private Zones and Forwarding — now see how well it sticks with free ACE practice questions. Full explanations included, no account needed.
Done with this chapter?