Google Cloud Private Service Connect DNS Zone Configuration


Scope

The scope of this document is to provide guidance on how to configure an additional DNS zone, which is required for the Private Service Connect (PSC) service integration to work with the Nasuni Edge Appliance.

Out of Scope

This document assumes that the customer has a Google Cloud Subscription and has pre-configured Private Service Connect.
Therefore, this document DOES NOT cover the following:

  • Installation of Nasuni Edge Appliance

  • Google account registration

  • Private Service Connect configuration

  • On-premises connectivity to Google Cloud Network:

    • Cloud Interconnect attachments (VLANs)

    • Cloud VPN tunnels

Overview

Private Service Connect allows access to Google services via API, without traffic traveling over the public Internet. By default, if you have an application that uses a Google service, such as Cloud Storage, your application connects to the default DNS name for that service, such as storage.googleapis.com (default target endpoint within the Nasuni Cloud Credentials).

Since Private Service Connect is a Google-managed service, Nasuni customers utilizing this service do not have to worry about scaling or resilience, but they should be aware of quota availability. For example, the main quota used by Private Service Connect is the maximum number of forwarding rules that can be created to connect to services.

In addition, you can create private endpoints using internal IP addresses, and you can then assign DNS names to those internal IP addresses with meaningful names like storage-prodpoc.p.googleapis.com or storage-nonprodpoc.p.googleapis.com. These names and IP addresses are internal to your VPC network, any VPC-peered network, and any on-premises networks that are connected to it using Cloud VPN tunnels or Cloud Interconnect attachments (VLANs). For more details, refer to Private Service Connect.

The prerequisites for using Private Service Connect from an on-premises network are as follows:

  1. The on-premises network needs to be connected to a VPC network using either Cloud VPN tunnels or Cloud Interconnect attachments (VLANs).

  2. The Private Service Connect endpoint belongs to the VPC network to be attached to the on-premises network.

  3. The on-premises network needs to have appropriate routes for the Private Service Connect endpoint.

  4. You must configure the on-premises systems so that queries to your private DNS zones can be made.

Additional information regarding prerequisites and configuration can be found at Access Google APIs using Private Service Connect.

Note: Creating a new Private Service Connect endpoint allows access to all API services available through that endpoint. It is the Nasuni customer’s responsibility to have the appropriate firewall rules in place to ensure that only specific hosts or services are accessible.

Configuration Steps

Configuration includes creating a DNS zone, adding a DNS A record, and testing.

Creating a DNS zone

To create a DNS zone, follow these steps:

  1. Log in to console.cloud.google.com.

  2. In the top left corner, click “Select a project”, and select the appropriate project.

  3. In the Navigation menu, locate “Network services” under Networking, and select Cloud DNS.

  4. In the Cloud DNS window, click CREATE ZONE.

  5. For the Zone Type, select Private.

  6. Enter a zone Name.

  7. In the DNS Name field, add googleapis.com.

  8. Leave the DNSSEC field as the default (Off).

  9. (Optional) Enter a Description.

  10. Leave the Cloud Logging field as the default (Off).

  11. Click CREATE.

The DNS zone is created.

Adding a DNS A record

To add a DNS A record, follow these steps:

  1. In the Cloud DNS window, click the newly created Cloud DNS zone.

  2. Click ADD RECORD SET.

    Note: By default, SOA and NS records are created automatically when a new Cloud DNS zone is created.

  3. In the “Create record set” window, leave the DNS Name blank.

  4. For the Resource Record Type, select A, and leave both TTL and TTL Unit as the defaults.

  5. Select the Default record type.

  6. In the IPv4 Address field, add the Private Service Connect endpoint IPv4 address (See prerequisites).

  7. Repeat steps 1-6 to add a second A record; however, in step 3, enter the wildcard name so that the record is *.googleapis.com.

This adds the DNS A record.

Testing Private Service Connect connectivity

To test Private Service Connect connectivity, follow these steps:

  1. In the Navigation menu, locate Network Intelligence under Networking, and select Connectivity Tests.

  2. In the Connectivity Tests window, click CREATE CONNECTIVITY TEST.

  3. Enter a Test name.

  4. Select the appropriate protocol to test.

  5. In the Source endpoint field, enter the client host IP address. This is the Nasuni Edge Appliance private IP address.

  6. Leave ‘This is an IP address used in Google Cloud’ checked.

  7. Ensure that the appropriate Project is selected.

  8. In the Source network endpoint field, select the appropriate VPC.

  9. In the Destination endpoint field, enter the Private Service Connect endpoint host IP address.

  10. Ensure that the appropriate Project is selected.

  11. Set the Destination port to 80.

  12. Click SAVE.

Note: Keep in mind that, by design, ICMP is not enabled within the Private Service Connect service. Therefore, do not rely on PING commands when testing the end-to-end connectivity. Instead, utilize the above GCP Connectivity Tests tool.
It is also IMPERATIVE to ensure that the Nasuni Edge Appliance client DOES NOT have an ephemeral public IP address attached. This ensures that traffic between Nasuni and the Cloud Storage service remains within Google’s Network.
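The Connectivity Test above confirms that a path exists, but it does not confirm that the two A records (the apex googleapis.com record and the *.googleapis.com wildcard) are actually what the client resolves. The following script is an added example, not part of the Nasuni document or Google's tooling: run from a host on the VPC, such as the Edge Appliance's subnet, it resolves a few Google API names and fails any name whose answer is a public address (meaning the private zone is not in effect for that client and the request would leave Google's network) or a private address other than the endpoint. It then performs a TCP connect rather than a ping, since ICMP is not available on Private Service Connect. The endpoint address 10.10.0.5 is a constructed placeholder; the port defaults to 443 (HTTPS, which Google APIs are served on) and can be changed to 80 to mirror the Connectivity Test setting.

```python
"""Check that Google API hostnames resolve to the Private Service Connect
endpoint from a client on the VPC.

Added example; not part of the Nasuni document. The endpoint IP below is a
constructed placeholder and must be replaced with the real PSC endpoint
address used in the A records.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Constructed placeholder for the PSC endpoint's internal IPv4 address.
PSC_ENDPOINT = "10.10.0.5"

# The apex name is covered by the first A record; the other two names are
# covered by the *.googleapis.com wildcard record.
HOSTNAMES = ["googleapis.com", "storage.googleapis.com", "oauth2.googleapis.com"]

Resolver = Callable[[str], List[str]]


def system_resolver(hostname: str) -> List[str]:
    """Resolve a name to its IPv4 addresses via the host's configured resolver."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_hostname(hostname: str, answers: Iterable[str],
                   endpoint: str = PSC_ENDPOINT) -> Dict[str, object]:
    """Classify one hostname's answers against the expected endpoint.

    ok is True only when there is at least one answer and every answer is the
    PSC endpoint. A public (globally routable) answer means the private zone is
    not being used by this client; a different private answer usually means a
    stale or mistyped record.
    """
    endpoint_ip = ipaddress.ip_address(endpoint)
    answers = list(answers)
    public = [a for a in answers if ipaddress.ip_address(a).is_global]
    unexpected_private = [a for a in answers
                          if a not in public and ipaddress.ip_address(a) != endpoint_ip]
    return {
        "hostname": hostname,
        "answers": answers,
        "ok": bool(answers) and not public and not unexpected_private,
        "public": public,
        "unexpected_private": unexpected_private,
    }


def audit(resolver: Resolver = system_resolver, hostnames: Iterable[str] = HOSTNAMES,
          endpoint: str = PSC_ENDPOINT) -> List[Dict[str, object]]:
    """Resolve every hostname with the given resolver and classify the answers."""
    results = []
    for name in hostnames:
        try:
            answers = resolver(name)
        except socket.gaierror:
            answers = []  # NXDOMAIN / SERVFAIL: reported as a failure below
        results.append(check_hostname(name, answers, endpoint))
    return results


def tcp_reachable(host: str, port: int = 443, timeout: float = 3.0) -> bool:
    """TCP connect check; ICMP is not available on PSC, so ping is not used."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for r in audit():
        status = "OK  " if r["ok"] else "FAIL"
        print(f"{status} {r['hostname']:<26} -> {', '.join(r['answers']) or '(no answer)'}")
        if r["public"]:
            print(f"      public answer(s) {r['public']}: traffic would leave Google's network")
        if r["unexpected_private"]:
            print(f"      unexpected private answer(s) {r['unexpected_private']}")
    print("TCP/443 to endpoint:", "reachable" if tcp_reachable(PSC_ENDPOINT) else "unreachable")
```

Run it on the client host after the zone has been attached to the VPC; a FAIL with a public answer on the wildcard names but OK on the apex name is the typical sign that the second (*.googleapis.com) record was skipped. Because the resolver is injectable, the classification logic can be exercised offline against a constructed answer set.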

Links: https://cloud.google.com/vpc/docs/private-service-connect