---
title: "Google Cloud Private Service Connect DNS Zone Configuration"
slug: "google-cloud-private-service-connect-dns-zone-configuration"
updated: 2025-01-06T14:05:38Z
published: 2025-01-06T14:05:38Z
---

# Google Cloud Private Service Connect DNS Zone Configuration

## Scope

The scope of this document is to provide guidance on how to configure an additional DNS zone, which is required for the Private Service Connect (PSC) service integration to work with the Nasuni Edge Appliance.

## Out of Scope

This document assumes that the customer has a Google Cloud Subscription and has pre-configured Private Service Connect. Therefore, this document DOES NOT cover the following:

- Installation of Nasuni Edge Appliance
- Google account registration
- Private Service Connect configuration
- On-premises connectivity to Google Cloud Network:
  - Cloud Interconnect attachments (VLANs)
  - Cloud VPN tunnels

## Overview

Private Service Connect allows access to Google services via API, without traffic traveling over the public Internet. By default, if you have an application that uses a Google service, such as Cloud Storage, your application connects to the *default DNS* name for that service, such as [storage.googleapis.com](https://storage.googleapis.com/) (default target endpoint within the Nasuni Cloud Credentials).

Since Private Service Connect is a Google-managed service, Nasuni customers utilizing this service do not have to worry about scaling or resilience, but they should be aware of [quota availability](https://cloud.google.com/vpc/docs/quota#quotas). For example, the main quota used by Private Service Connect is the maximum number of forwarding rules that can be created to connect to services.

In addition, you can create private endpoints using internal IP addresses, and you can then assign DNS names to this internal IP address with meaningful names like *storage-prodpoc.p.googleapis.com* or *storage-nonprodpoc.p.googleapis.com*. These names and IP addresses are internal to your VPC network, VPC-peered network, and any on-premises networks that are connected to it using Cloud VPN tunnels or Cloud Interconnect attachments (VLANs). For more details, refer to [Private Service Connect](https://cloud.google.com/vpc/docs/private-service-connect#benefits-apis).

The prerequisites for using Private Service Connect from an on-premises network are as follows:

1. The on-premises network needs to be connected to a VPC network using either Cloud VPN tunnels or Cloud Interconnect attachments (VLANs).
2. The Private Service Connect endpoint belongs to the VPC network to be attached to the on-premises network.
3. The on-premises network needs to have appropriate routes for the Private Service Connect endpoint.
4. You must configure the on-premises systems so that queries to your private DNS zones can be made.

Additional information regarding prerequisites and configuration can be found at [Access Google APIs using Private Service Connect](https://cloud.google.com/vpc/docs/configure-private-service-connect-apis#on-premises).

***Note:*** *Creating a new Private Service Connect endpoint allows access to all API services available for this endpoint. It is the Nasuni customer’s responsibility to have the appropriate firewall rules in place to ensure that only specific hosts or services are accessible.*

## Configuration Steps

Configuration includes creating a DNS zone, adding a DNS A record, and testing.

#### Creating a DNS zone

To create a DNS zone, follow these steps:

1. **Log in** to [console.cloud.google.com](https://console.cloud.google.com/).
2. In the top left corner, click “**Select a project**”, and select the appropriate project.
3. In the **Navigation** menu, locate “**Network services**” under **Networking**, and select **Cloud DNS**.
4. In the **Cloud DNS** window, click **CREATE ZONE**.
5. For the **Zone Type**, select **Private**.
6. Enter a zone **Name**.
7. In the **DNS Name** field, add googleapis.com.
8. Leave the **DNSSEC** field as the default (**Off**).
9. (Optional) Enter a **Description**.
10. Leave the **Cloud Logging** field as the default (**Off**).
11. Click **CREATE**.

The DNS zone is created.

#### Adding a DNS A record

To add a DNS A record, follow these steps:

1. In the **Cloud DNS** window, click the newly created **Cloud DNS zone**.
2. Click “**ADD RECORD SET**”.

   ***Note:*** *By default, SOA and NS records are created automatically when a new Cloud DNS zone is created.*
3. In the “**Create record set**” window, leave the **DNS Name** blank.
4. For the **Resource Record Type**, select **A**, and leave both **TTL** and **TTL Unit** as the defaults.
5. Select the **Default** record type.
6. In the **IPv4 Address** field, add the Private Service Connect endpoint IPv4 address (See prerequisites).
7. Repeat steps 1-6. However, in step 3, add \*.googleapis.com.

This adds the DNS A record.

#### Testing Private Service Connect connectivity

To test Private Service Connect connectivity, follow these steps:

1. In the **Navigation** menu, locate **Network Intelligence** under **Networking**, and select **Connectivity Tests**.
2. In the **Connectivity Tests** window, click **CREATE CONNECTIVITY TEST**.
3. Enter a **Test name**.
4. Select the appropriate protocol to test.
5. In the **Source endpoint** field, enter the client host IP address. This is the Nasuni Edge Appliance private IP address.
6. Leave ‘**This is an IP address used in Google Cloud**’ checked.
7. Ensure that the appropriate **Project** is selected.
8. In the **Source network endpoint** field, select the appropriate VPC.
9. In the **Destination endpoint** field, enter the Private Service Connect endpoint host IP address.
10. Ensure that the appropriate Project is selected.
11. Set the **Destination port** to 80.
12. Click **SAVE**.

***Note:*** *Keep in mind that, by design, ICMP is not enabled within the Private Service Connect service. Therefore, do not rely on PING commands when testing the end-to-end connectivity. Instead, utilize the above GCP Connectivity Tests tool. It is also IMPERATIVE to ensure that the Nasuni Edge Appliance client DOES NOT have an ephemeral public IP address attached. This ensures that traffic between Nasuni and the Cloud Storage service remains within Google’s Network.*
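
The Connectivity Test checks the network path to the endpoint IP, but not that clients actually resolve Google API names to it. The following is an added example, not part of the Nasuni or Google documentation: a Python check that the apex and wildcard A records from the steps above take effect, flagging any name that still resolves to a public address. The endpoint IP `10.10.0.5`, the helper names, and the sample answers are constructed assumptions; replace the constructed resolver with `system_resolver` when running on a host that uses the private zone.

```python
import ipaddress
import socket

def system_resolver(name):
    """Resolve a name to IPv4 addresses using the host's configured DNS."""
    infos = socket.getaddrinfo(name, None, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def classify(addresses, endpoint_ip):
    """Classify the answers for one name against the PSC endpoint address."""
    if not addresses:
        return "unresolved"
    endpoint = ipaddress.ip_address(endpoint_ip)
    parsed = [ipaddress.ip_address(a) for a in addresses]
    if all(a == endpoint for a in parsed):
        return "ok"        # answered by the private zone's A record
    if any(a.is_global for a in parsed):
        return "public"    # private zone not consulted; path is not via PSC
    return "mismatch"      # internal address, but not the expected endpoint

def audit(names, endpoint_ip, resolver=system_resolver):
    """Return {name: status} for every name checked."""
    results = {}
    for name in names:
        try:
            addresses = resolver(name)
        except socket.gaierror:
            addresses = []
        results[name] = classify(addresses, endpoint_ip)
    return results

# Constructed sample data (assumptions, not values from the page).
ENDPOINT_IP = "10.10.0.5"  # placeholder for the PSC endpoint IPv4 address
CONSTRUCTED_ANSWERS = {
    "googleapis.com": ["10.10.0.5"],          # apex A record
    "storage.googleapis.com": ["10.10.0.5"],  # matched by the wildcard record
    "pubsub.googleapis.com": ["8.8.8.8"],     # stand-in for a public answer
    "bigquery.googleapis.com": ["10.10.0.9"], # stale or wrong internal record
}

def constructed_resolver(name):
    return CONSTRUCTED_ANSWERS.get(name, [])

if __name__ == "__main__":
    report = audit(CONSTRUCTED_ANSWERS, ENDPOINT_IP, constructed_resolver)
    for name, status in report.items():
        print(f"{status:10} {name}")
```

A `public` result from the on-premises side usually means the on-premises resolvers are not forwarding queries for the private zone, which is prerequisite 4 in the Overview.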

Links: [https://cloud.google.com/vpc/docs/private-service-connect](https://cloud.google.com/vpc/docs/private-service-connect#benefits-apis)
