Google Cloud DNS
You can integrate Google Cloud's Private Zone/Private DNS feature with the Harmony SASE gateway. This lets you use the capabilities of private DNS zones, which allow resolution of external records.
Prerequisites
- Google Cloud Platform (GCP) project
- VPC Network (you can create one or use Google's predefined subnets)
- Site-to-Site VPN tunnel to the VPC from Harmony SASE
Enabling Private DNS with Harmony SASE Gateway
To expose Google Cloud DNS through a private IP on one or more networks defined in your VPC using the GUI/Web Interface, do this:
- Log in to Google Cloud Platform.
- Go to Networking > Network services > Cloud DNS.
- Click the DNS Server Policies tab.
- Click Create Policy.
The Create a DNS policy page appears.
- In the Name field, enter a name for the DNS policy. Use lowercase letters and no spaces.
- In the Description field, add a description.
- In the Logs section, select one of these:
  - On
  - Off
- In the Inbound query forwarding section, select On.
- In the Alternate DNS servers section, from the Networks list, select all desired networks.
- Click Create.
The system generates a private IP address that you can use to configure Private DNS in the Harmony SASE Administrator Portal.
- To authenticate or initialize your gcloud CLI environment, run:
gcloud auth login
- To create an inbound server policy for DNS, run:
gcloud dns policies create {{NAME}} --description={{DESCRIPTION}} --networks={{VPC_NETWORK_LIST}} --enable-inbound-forwarding
where {{NAME}} is the name for the policy, {{DESCRIPTION}} is the description of the policy, and {{VPC_NETWORK_LIST}} is the comma-separated list of VPC networks (not subnets).
For example:
ops-vlad:~ vbekker$ gcloud dns policies create inbounddnsvlad --description=inboundDNSVlad --networks=vladvpc --enable-inbound-forwarding
Created Policy [https://dns.googleapis.com/dns/v1/projects/vladgcp/policies/inbounddnsvlad].
{
"description": "inboundDNSVlad",
"enableInboundForwarding": true,
"enableLogging": false,
"id": "8199820556025819315",
"kind": "dns#policy",
"name": "inbounddnsvlad",
"networks": [
{
"kind": "dns#policyNetwork",
"networkUrl": "https://compute.googleapis.com/compute/v1/projects/vladgcp/global/networks/vladvpc"
}
]
}
- Validate the setup by performing a successful DNS lookup from the gateway, both directly against the name server and through the local DNS forwarder.
For example:
  - Directly querying the name server:
vlad@vodFpGngx3:~$ dig www.vpcdnszone.com @192.168.128.2
; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> www.vpcdnszone.com @192.168.128.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51251
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.vpcdnszone.com. IN A
;; ANSWER SECTION:
www.vpcdnszone.com. 300 IN A 192.168.128.50
;; Query time: 161 msec
;; SERVER: 192.168.128.2#53(192.168.128.2)
;; WHEN: Fri Mar 05 00:11:01 UTC 2021
;; MSG SIZE rcvd: 63
  - Through the local forwarder:
vlad@vodFpGngx3:~$ dig www.vpcdnszone.com
; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> www.vpcdnszone.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46053
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.vpcdnszone.com. IN A
;; ANSWER SECTION:
www.vpcdnszone.com. 300 IN A 192.168.128.50
;; Query time: 156 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Mar 05 01:38:15 UTC 2021
;; MSG SIZE rcvd: 70
- Enable Private DNS on the network in Harmony SASE. For more information on how to enable it, see Private DNS in the Harmony SASE Administration Guide.
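As an added example (not part of the Harmony SASE guide or of the gcloud tooling), the two checks an administrator would script after the steps above: validating the policy JSON that gcloud prints, and confirming that the direct and forwarder dig lookups agree on the same record. The JSON and dig samples are constructed from the output shown on this page and abbreviated; the finding that logging is off is added as a defender's check, since forwarded queries are otherwise not auditable.

```python
import json
import re

# Constructed sample (values taken from this page): the JSON gcloud prints after creating the policy.
POLICY_JSON = """{"description": "inboundDNSVlad", "enableInboundForwarding": true,
 "enableLogging": false, "name": "inbounddnsvlad", "networks": [{"kind": "dns#policyNetwork",
 "networkUrl": "https://compute.googleapis.com/compute/v1/projects/vladgcp/global/networks/vladvpc"}]}"""

# Constructed, abbreviated dig output for the two validation queries (direct and via the local forwarder).
DIG_DIRECT = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51251
www.vpcdnszone.com. 300 IN A 192.168.128.50
;; SERVER: 192.168.128.2#53(192.168.128.2)"""
DIG_FORWARDER = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46053
www.vpcdnszone.com. 300 IN A 192.168.128.50
;; SERVER: 127.0.0.1#53(127.0.0.1)"""

def check_policy(policy_json, expected_networks):
    """Return findings for the inbound policy; an empty list means it matches the guide."""
    policy = json.loads(policy_json)
    findings = []
    if not policy.get("enableInboundForwarding"):
        findings.append("inbound forwarding is off: no private forwarding IP is issued")
    if not policy.get("enableLogging"):
        findings.append("query logging is off: forwarded queries leave no audit trail")
    # The policy lists networks by URL; compare on the trailing VPC network name.
    attached = {n["networkUrl"].rsplit("/", 1)[-1] for n in policy.get("networks", [])}
    missing = sorted(set(expected_networks) - attached)
    if missing:
        findings.append("policy not attached to VPC(s): " + ", ".join(missing))
    return findings

DIG_STATUS = re.compile(r"status: (\w+)")
DIG_SERVER = re.compile(r";; SERVER: (\S+)#53")
DIG_A_RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\S+)$", re.MULTILINE)

def parse_dig(output):
    """Extract status, answering server and A records from dig's text output."""
    status, server = DIG_STATUS.search(output), DIG_SERVER.search(output)
    records = {name.rstrip("."): ip for name, ip in DIG_A_RR.findall(output)}
    return {"status": status.group(1) if status else None,
            "server": server.group(1) if server else None, "records": records}

def lookups_agree(direct_output, forwarder_output, name):
    """True when both paths answered NOERROR with the same A record for name."""
    direct, fwd = parse_dig(direct_output), parse_dig(forwarder_output)
    return (direct["status"] == fwd["status"] == "NOERROR"
            and name in direct["records"]
            and direct["records"][name] == fwd["records"].get(name))
```

In practice, feed `parse_dig` the captured output of the two dig commands shown above and `check_policy` the JSON from `gcloud dns policies create` (or `gcloud dns policies describe`).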