Commit

update

badra001 committed Oct 10, 2025
1 parent 86a6a9b commit 4bceca2
Showing 5 changed files with 624 additions and 787 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
# Conversion

```script
pandoc --extract-media=images/dns GCP\ Cloud\ DNS\ Service\ Architecture.docx -o dns.md
pandoc --extract-media=images/networking GCP\ Networking\ Solution\ Architecture.docx -o networking.md
pandoc --extract-media=images/private-service GCP\ Private\ Service\ Connect\ Service\ Design.docx -o private-service.md
pandoc --to gfm --extract-media=images/dns GCP\ Cloud\ DNS\ Service\ Architecture.docx -o dns.md
pandoc --to gfm --extract-media=images/networking GCP\ Networking\ Solution\ Architecture.docx -o networking.md
pandoc --to gfm --extract-media=images/private-service GCP\ Private\ Service\ Connect\ Service\ Design.docx -o private-service.md
```
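Review bot: the README now repeats the same three pandoc invocations that the new shell script in this commit carries, so the two will drift the next time a document is added or a flag changes; keep the script as the single source of truth and have the README say to run it instead of listing the commands. Adding `--to gfm` is the right fix, since pandoc's default markdown writer emits `{width="6.5in" ...}` attribute blocks and `{=html}` raw blocks that GitHub does not render. Minor: the fence is tagged ```` ```script ````, which is not a recognised highlighter name; ```` ```bash ```` will highlight the commands.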
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
#!/bin/bash

pandoc --to gfm --extract-media=images/dns GCP\ Cloud\ DNS\ Service\ Architecture.docx -o dns.md
pandoc --to gfm --extract-media=images/networking GCP\ Networking\ Solution\ Architecture.docx -o networking.md
pandoc --to gfm --extract-media=images/private-service GCP\ Private\ Service\ Connect\ Service\ Design.docx -o private-service.md

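Review bot: the script has no `set -euo pipefail`, so if one `.docx` is missing or renamed the corresponding pandoc call fails, the stale `.md` is left in place, and the script still exits 0 and looks successful; add `set -euo pipefail` directly after the `#!/bin/bash` line. The input and `--extract-media` paths are all relative, so the script only works when invoked from the directory that holds the `.docx` files; a `cd "$(dirname "$0")"` at the top (or absolute paths) makes it safe to run from anywhere.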
Original file line number Diff line number Diff line change
Expand Up @@ -6,11 +6,11 @@

**Service Architecture**

**\
**
GCP Cloud DNS**

![](images/dns/media/image1.png){width="6.5in"
height="1.6979166666666667in"}
<img src="images/dns/media/image1.png"
style="width:6.5in;height:1.69792in" />

1 Revision History [1](#revision-history)

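Review bot: GitHub's Markdown sanitizer strips the `style` attribute from raw HTML, so the `<img src="images/dns/media/image1.png" style="width:6.5in;height:1.69792in" />` that replaced the old `{width="6.5in" height="..."}` form will render at the image's native pixel size rather than 6.5in; if the sizing matters, use the `width="..."` attribute on `<img>`, which GitHub keeps. The unchanged context line `1 Revision History [1](#revision-history)` is a Word table-of-contents entry with its page number still attached; GitHub generates its own heading anchors, so this block can be dropped from the export.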
Expand Down Expand Up @@ -94,23 +94,15 @@ List of Table

# Revision History

[]{#_Toc157520309 .anchor}Table 1 Revision History
<span id="_Toc157520309" class="anchor"></span>Table 1 Revision History

-----------------------------------------------------------------------------
Version Date Author Description
--------- ------------ ------------ -----------------------------------------
0.01 8/3/2023 Ethan Rowe Initial template draft

0.02 10/11/2023 Michael Draft content
Willetts

0.03 12/13/2023 Ethan Rowe Updated DNS Suffix to csp3 and best
practices link.

1.00 1/30/2024 Ethan Rowe Baseline inf/core #426

-----------------------------------------------------------------------------
| Version | Date | Author | Description |
|---------|------------|------------------|-----------------------------------------------------|
| 0.01 | 8/3/2023 | Ethan Rowe | Initial template draft |
| 0.02 | 10/11/2023 | Michael Willetts | Draft content |
| 0.03 | 12/13/2023 | Ethan Rowe | Updated DNS Suffix to csp3 and best practices link. |
| 1.00 | 1/30/2024 | Ethan Rowe | Baseline inf/core \#426 |
| | | | |

# Overview

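Review bot: the regenerated revision-history table ends with an all-empty row, `| | | | |`, carried over from a blank row in the Word table; delete it (or the blank row in the source document), otherwise it renders as an empty line inside the table. The rest of the hunk is a correct conversion of the old fixed-width table, and the `\#426` escape is harmless in GFM.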
Expand Down Expand Up @@ -180,7 +172,7 @@ the DNS server.

## Value

GCP's Cloud DNS provides highly available DNS services. Cloud DNS is a
GCPs Cloud DNS provides highly available DNS services. Cloud DNS is a
managed service and simplifies the cost and complexity of managing an
equivalent server footprint. Cloud DNS permits name registration and
resolution of census.gov assets from within GCP.
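Review bot: this hunk is a regression, not a reformat: "GCP's Cloud DNS provides" became "GCPs Cloud DNS provides", dropping the possessive apostrophe. The other changed lines keep their punctuation, so the source document most likely has a non-standard apostrophe character here that the conversion discarded; fix the character in the `.docx` (or simply write "Cloud DNS provides") so the exported text does not carry the typo.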
Expand All @@ -194,71 +186,68 @@ web service. You can use Cloud DNS to perform three main functions in
any combination: domain registration, DNS resolution & routing, and
health checking.

- **Highly Reliable:** Cloud DNS is provided as a managed service from
GCP. There is no management of servers or activities other than
configuration necessary to utilize Cloud DNS.
- **Highly Reliable:** Cloud DNS is provided as a managed service from
GCP. There is no management of servers or activities other than
configuration necessary to utilize Cloud DNS.

- **Scalable:** Cloud DNS automatically scales to handle large traffic
spikes and can be configured to handle DNS for GCP assets, as well
as on-prem and even public if need.
- **Scalable:** Cloud DNS automatically scales to handle large traffic
spikes and can be configured to handle DNS for GCP assets, as well as
on-prem and even public if need.

- **Secure:** Cloud DNS is integrated with IAM, the access to Cloud
DNS is secured by giving its permissions to only the authorized
users.
- **Secure:** Cloud DNS is integrated with IAM, the access to Cloud DNS
is secured by giving its permissions to only the authorized users.

- **Integrated:** Cloud DNS can be used to map domain names to GCP
resources including Cloud Storage Buckets, load balancers, and
virtual machines.
- **Integrated:** Cloud DNS can be used to map domain names to GCP
resources including Cloud Storage Buckets, load balancers, and virtual
machines.

```{=html}
<!-- -->
```
- **Hybrid DNS:** Supports private DNS that spans on-prem and other
cloud environments.

- **Traffic Routing:** According to the geolocation, latency, health,
and other factors, directs traffic to the optimal endpoint
available.
- **Hybrid DNS:** Supports private DNS that spans on-prem and other
cloud environments.

- **Traffic Routing:** According to the geolocation, latency, health,
and other factors, directs traffic to the optimal endpoint available.

### Requirements

- All Cloud DNS Zones forwards requests to Census Enterprise On-Prem
Infoblox for name resolution of resources in the applicable domain.
- All Cloud DNS Zones forwards requests to Census Enterprise On-Prem
Infoblox for name resolution of resources in the applicable domain.

- VPC Cloud DNS resolves the local VPC domain and the Shared Service
VPC Prod domain.
- VPC Cloud DNS resolves the local VPC domain and the Shared Service VPC
Prod domain.

- Cloud DNS resolves DNS queries of GCP domains from Census on-prem
and AWS networks.
- Cloud DNS resolves DNS queries of GCP domains from Census on-prem and
AWS networks.

- Route tables must advertise the Cloud DNS source range through the
VPN link for hybrid DNS to function correctly.
- Route tables must advertise the Cloud DNS source range through the VPN
link for hybrid DNS to function correctly.

- Cloud DNS endpoints must register in the Census Enterprise Infoblox.
- Cloud DNS endpoints must register in the Census Enterprise Infoblox.

## Assumptions

- DNS domain for GCP is approved.
- DNS domain for GCP is approved.

- DNS subdomain of GCP is approved for each VPC.
- DNS subdomain of GCP is approved for each VPC.

## Constraints

- Route tables must advertise the Cloud DNS source range through the
VPN link for hybrid DNS to function correctly.
- Route tables must advertise the Cloud DNS source range through the VPN
link for hybrid DNS to function correctly.

- Full DNS resolution among all Cloud DNS managed domains require a
full mesh implementation of peering zones. A design decision was
made to only peer with VPC's to provide routing from an originating
VPC. This design was reviewed by Google.
- Full DNS resolution among all Cloud DNS managed domains require a full
mesh implementation of peering zones. A design decision was made to
only peer with VPCs to provide routing from an originating VPC. This
design was reviewed by Google.

## Hybrid DNS

![Diagram Description automatically
generated](images/dns/media/image2.png){width="6.5in"
height="3.077777777777778in"}
<img src="images/dns/media/image2.png"
style="width:6.5in;height:3.07778in"
alt="Diagram Description automatically generated" />

[]{#_Toc157520308 .anchor}Figure DNS logical design
<span id="_Toc157520308" class="anchor"></span>Figure DNS logical design

The GCP Design leverages a custom domain name, \*.csp3.census.gov, with
subdomains managed for each VPC. The GCP Cloud DNS design centralizes
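Review bot: the change here is only a reflow of the bullets plus removal of the `{=html}` / `<!-- -->` separators, which is correct for GFM. Two pre-existing defects survive the re-export and, because this file is generated, have to be fixed in the `.docx` rather than here: the "Route tables must advertise the Cloud DNS source range through the VPN link for hybrid DNS to function correctly." bullet appears verbatim under both Requirements and Constraints, and "All Cloud DNS Zones forwards requests" should be "forward".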
Expand All @@ -278,22 +267,20 @@ each VPC to handle outbound queries to on-prem.
The following points cover the traffic flow for how DNS resolution is
achieved for inbound and outbound queries to on-prem/ Infoblox.

- **Outbound DNS Resolution** --- GCP Cloud DNS utilizes forwarding
zones registered in each VPC to register the DNS servers used for
external resolution.
- **Outbound DNS Resolution** GCP Cloud DNS utilizes forwarding zones
registered in each VPC to register the DNS servers used for external
resolution.

```{=html}
<!-- -->
```
- **Inbound DNS resolution** -- An inbound server policy created in
the Prod Hub VPC to receive inbound DNS resolution requests. Each
GCP VPC Cloud DNS zone has a peering zone created in the Prod Hub
account to allow for resolution of any GCP resource from external
requests.

- **GCP VPC DNS resolution** -- Services utilize the standard GCP
metadata DNS resolution order to query Cloud DNS. Forwarding Zones
are created to direct queries for zones external to Cloud DNS.
- **Inbound DNS resolution** – An inbound server policy created in the
Prod Hub VPC to receive inbound DNS resolution requests. Each GCP VPC
Cloud DNS zone has a peering zone created in the Prod Hub account to
allow for resolution of any GCP resource from external requests.

- **GCP VPC DNS resolution** – Services utilize the standard GCP
metadata DNS resolution order to query Cloud DNS. Forwarding Zones are
created to direct queries for zones external to Cloud DNS.

## Interfaces

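Review bot: the separator after the first bullet's lead-in was dropped: "**Outbound DNS Resolution** GCP Cloud DNS utilizes" lost the `---` the old text had, while the next two bullets kept their "–" ("**Inbound DNS resolution** – An inbound server policy", "**GCP VPC DNS resolution** – Services utilize"). Restore the dash on the Outbound bullet so the three entries read consistently; the inconsistency suggests the source document uses different dash characters on the three lines, which is worth normalising there.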
Expand Down Expand Up @@ -333,12 +320,11 @@ customer.

## *Roles and Responsibilities*

- GCP (Cloud Service Provider) -- Maintain, patch, and update Cloud
DNS.
- GCP (Cloud Service Provider) – Maintain, patch, and update Cloud DNS.

- Cloud Engineering Team -- Develop and maintain the DNS Design and
IaC to leverage Cloud DNS. Utilize Infrastructure as Code to
provision DNS records for GCP resources.
- Cloud Engineering Team Develop and maintain the DNS Design and IaC
to leverage Cloud DNS. Utilize Infrastructure as Code to provision DNS
records for GCP resources.

## Service Limits & Capacity Planning

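Review bot: same dropped separator as in the DNS resolution bullets: "- Cloud Engineering Team Develop and maintain the DNS Design" lost the `--` of the old line, whereas "- GCP (Cloud Service Provider) – Maintain, patch, and update Cloud DNS." kept its dash. Restore it for the Cloud Engineering Team entry. The heading `## *Roles and Responsibilities*` also carries italics from the Word heading style that none of the other `##` headings have; stripping it keeps the heading style uniform.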
Expand All @@ -360,29 +346,21 @@ number of queries and the number of managed zones maintained. Pricing
should always be checked against GCP documentation for the latest. As of
this writing, pricing and examples are provided in the tables below.

[]{#_Toc157520310 .anchor}Table Query Pricing

-----------------------------------------------------------------------
Number of Queries Regular Queries Routing Policy Queries
----------------------- ----------------------- -----------------------
0-1 Billion \$0.40/million per \$0.70/million per
month month

Over 1 Billion \$0.20/million per \$0.35/million per
month month
-----------------------------------------------------------------------

[]{#_Toc157520311 .anchor}Table Managed Zone Pricing
<span id="_Toc157520310" class="anchor"></span>Table Query Pricing

-----------------------------------------------------------------------
Managed Zones Price
----------------------------------- -----------------------------------
0-25 \$0.20/zone per month
| Number of Queries | Regular Queries | Routing Policy Queries |
|-------------------|--------------------------|--------------------------|
| 0-1 Billion | \$0.40/million per month | \$0.70/million per month |
| Over 1 Billion | \$0.20/million per month | \$0.35/million per month |

26-10,000 \$0.10/zone per month
<span id="_Toc157520311" class="anchor"></span>Table Managed Zone
Pricing

Over 10,000 \$0.03/zone per month
-----------------------------------------------------------------------
| Managed Zones | Price |
|---------------|-----------------------|
| 0-25 | \$0.20/zone per month |
| 26-10,000 | \$0.10/zone per month |
| Over 10,000 | \$0.03/zone per month |

# Backup and Recovery

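Review bot: the caption for the second table is hard-wrapped across two lines ("Table Managed Zone" / "Pricing") because pandoc wraps output at 72 columns by default; pass `--wrap=none` in the conversion commands so captions and bullets stay on one line, which also keeps future diffs to the sentences that actually changed instead of reflowing whole paragraphs as this commit does. The two pipe tables themselves convert the old fixed-width pricing tables correctly, and the `\$` escapes render as plain `$` in GFM.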
Expand Down Expand Up @@ -423,17 +401,16 @@ Standards](https://uscensus.sharepoint.com/:f:/s/DITDSIRS/EpbVeuUQbE1Ftjo-SJpUjj

## Links

- [Google Cloud DNS SLA](https://cloud.google.com/dns/sla)
- [Google Cloud DNS SLA](https://cloud.google.com/dns/sla)

- [Current Cloud DNS Pricing](https://cloud.google.com/dns/pricing)
- [Current Cloud DNS Pricing](https://cloud.google.com/dns/pricing)

- [Cloud DNS Best
Practices](https://cloud.google.com/dns/docs/best-practices#reference_architectures_for_hybrid_dns)
- [Cloud DNS Best
Practices](https://cloud.google.com/dns/docs/best-practices#reference_architectures_for_hybrid_dns)

- [GCP Cloud DNS Quotas and
Limits](https://cloud.google.com/dns/quotas)
- [GCP Cloud DNS Quotas and Limits](https://cloud.google.com/dns/quotas)

- [GCP Operations
Plan](https://uscensus.sharepoint.com/:w:/s/DITDSIRS/EfHiSwwk1mFCtyuXFnCKGoMBjV158-8VEfxVUCVI37D3lQ?e=qordeA)
- [GCP Operations
Plan](https://uscensus.sharepoint.com/:w:/s/DITDSIRS/EfHiSwwk1mFCtyuXFnCKGoMBjV158-8VEfxVUCVI37D3lQ?e=qordeA)

[^1]: GCP Block from Cloud DNS.
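Review bot: only link bullets are reflowed here, but the two SharePoint URLs (`.../EpbVeuUQbE1Ftjo-SJpUjj...` and `...?e=qordeA`) are share links that carry a share token; confirm those links are scoped to signed-in organisation users before they stay in repository history, because an "anyone with the link" token committed to a repo is effectively a credential and cannot be rotated out of the git history later.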