Set up a GCP private DNS for Dedicated Cloud Gateway
Create a private DNS in Konnect using the Create Private DNS endpoint, then create a private DNS zone in GCP and give Konnect access to it.
Prerequisites
Dedicated Cloud Gateway
This is a Konnect tutorial that requires Dedicated Cloud Gateways access.
If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.
- The following Konnect items are required to complete this tutorial:
  - Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
  - Dedicated Cloud Gateway control plane: You can use an existing Dedicated Cloud Gateway or create a new one to use for this tutorial.
  - Network ID: The default Dedicated Cloud Gateway network ID can be found in API Gateway > Network.
- Set these values as environment variables:
export KONNECT_TOKEN='YOUR KONNECT TOKEN'
export KONNECT_NETWORK_ID='KONNECT NETWORK ID'
GCP permissions
This tutorial requires a GCP account with the DNS Peer (roles/dns.peer) and DNS Administrator (roles/dns.admin) roles, and the following custom permissions:
dns.managedZones.create
dns.managedZones.list
dns.networks.bindPrivateDNSZone
dns.networks.targetWithPeeringZone
dns.gkeClusters.bindPrivateDNSZone
dns.managedZones.update
dns.managedZones.patch
dns.activePeeringZones.getZoneInfo
dns.activePeeringZones.list
dns.activePeeringZones.deactivate
GCP project and VPC network
This tutorial requires a GCP project and a VPC network.
You will need the project ID and VPC name to configure the private DNS. Save these as environment variables to use them in Konnect API requests:
export GCP_PROJECT_ID='my-gcp-vpc-project'
export GCP_VPC_NAME='my-gcp-vpc-name'
Create a private DNS zone in GCP
If you’re using the Konnect UI, you can run the commands provided and click Connect. If you’re using the Konnect Cloud Gateways API, follow these steps:
- Run this command on your project to create a private DNS zone:
gcloud dns \
  --project=$GCP_PROJECT_ID \
  managed-zones create $DNS_NAME \
  --description="Konnect private DNS" \
  --dns-name=$DOMAIN_NAME \
  --visibility="private" \
  --networks=$GCP_VPC_NAME
This step is only required if you don’t already have a private DNS zone in your GCP project.
- Run this command to give permission to Konnect’s service principal to access the project:
gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
  --member="principal://iam.googleapis.com/projects/133260365532/locations/global/workloadIdentityPools/aws-hdp-prod/subject/system:serviceaccount:network-peering-controller:network-peering-controller" \
  --role="roles/dns.peer"
If needed, you can also give Konnect access to your whole GCP organization using your organization ID:
gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
  --member="principal://iam.googleapis.com/projects/133260365532/locations/global/workloadIdentityPools/aws-hdp-prod/subject/system:serviceaccount:network-peering-controller:network-peering-controller" \
  --role="roles/dns.peer"
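The two gcloud commands above grant a Konnect workload-identity principal roles/dns.peer and attach a private zone to your VPC. The following script is an added example, not part of this tutorial or of Kong's tooling: it audits the resulting state from the JSON that `gcloud projects get-iam-policy "$GCP_PROJECT_ID" --format=json` and `gcloud dns managed-zones describe "$DNS_NAME" --project="$GCP_PROJECT_ID" --format=json` print, confirming that the Konnect principal holds exactly roles/dns.peer (and nothing broader) and that the zone is private and bound only to the VPC you intended. The principal string is the one from the commands above; the sample policy and zone documents are constructed for this example and the project and VPC names are the placeholders used earlier on this page.

```python
"""Audit the GCP side of a Konnect private DNS setup (added example).

Checks:
  1. The Konnect principal is granted roles/dns.peer and no other role.
  2. The managed zone is private and attached only to the expected VPC.

Inputs are the JSON documents printed by:
  gcloud projects get-iam-policy "$GCP_PROJECT_ID" --format=json
  gcloud dns managed-zones describe "$DNS_NAME" --project="$GCP_PROJECT_ID" --format=json
"""
import json

# Workload-identity principal from the add-iam-policy-binding command on this page.
KONNECT_PRINCIPAL = (
    "principal://iam.googleapis.com/projects/133260365532/locations/global/"
    "workloadIdentityPools/aws-hdp-prod/subject/system:serviceaccount:"
    "network-peering-controller:network-peering-controller"
)
EXPECTED_ROLE = "roles/dns.peer"


def roles_for_member(policy: dict, member: str) -> set:
    """Return every role the IAM policy grants to `member`."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit_iam_policy(policy: dict) -> dict:
    """Report whether the Konnect principal has dns.peer and list any extra roles."""
    granted = roles_for_member(policy, KONNECT_PRINCIPAL)
    return {
        "has_dns_peer": EXPECTED_ROLE in granted,
        "extra_roles": sorted(granted - {EXPECTED_ROLE}),
    }


def audit_managed_zone(zone: dict, project_id: str, vpc_name: str) -> dict:
    """Check that the zone is private and bound only to the expected VPC network."""
    expected_url = (
        f"https://www.googleapis.com/compute/v1/projects/{project_id}"
        f"/global/networks/{vpc_name}"
    )
    networks = [
        n.get("networkUrl", "")
        for n in zone.get("privateVisibilityConfig", {}).get("networks", [])
    ]
    return {
        "is_private": zone.get("visibility") == "private",
        "bound_to_expected_vpc": expected_url in networks,
        "unexpected_networks": sorted(n for n in networks if n != expected_url),
    }


# --- Constructed sample documents (shape of the gcloud JSON output) ---------
SAMPLE_POLICY = json.loads(json.dumps({
    "version": 1,
    "etag": "BwX-example",
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": EXPECTED_ROLE, "members": [KONNECT_PRINCIPAL]},
    ],
}))

# Same policy, but someone also handed the Konnect principal dns.admin.
OVERLY_BROAD_POLICY = json.loads(json.dumps({
    "version": 1,
    "etag": "BwX-example",
    "bindings": [
        {"role": EXPECTED_ROLE, "members": [KONNECT_PRINCIPAL]},
        {"role": "roles/dns.admin", "members": [KONNECT_PRINCIPAL]},
    ],
}))

SAMPLE_ZONE = {
    "name": "konnect-private",
    "dnsName": "internal.example.com.",
    "visibility": "private",
    "privateVisibilityConfig": {
        "networks": [
            {"networkUrl": "https://www.googleapis.com/compute/v1/projects/"
                           "my-gcp-vpc-project/global/networks/my-gcp-vpc-name"}
        ]
    },
}

if __name__ == "__main__":
    print(audit_iam_policy(SAMPLE_POLICY))
    print(audit_iam_policy(OVERLY_BROAD_POLICY))
    print(audit_managed_zone(SAMPLE_ZONE, "my-gcp-vpc-project", "my-gcp-vpc-name"))
```

Replace the sample dictionaries with `json.load()` of the real gcloud output to run it against your project. If you chose the organization-level binding, run the IAM check against `gcloud organizations get-iam-policy` output instead, keeping in mind that it grants the principal the role across every project in the organization rather than just the one hosting the zone.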
Validate
To validate that everything was configured correctly, send a GET request to the /private-dns endpoint to retrieve private DNS information:
curl -X GET "https://global.api.konghq.com/v2/cloud-gateways/networks/$KONNECT_NETWORK_ID/private-dns" \
-H "Authorization: Bearer $KONNECT_TOKEN"