Cloud DNS private zone forwarding over VPN doesn't work?

I’m either completely missing something (probably very likely), or Cloud DNS private zone forwarding is bonkers.

I have DNS servers in AWS that serve internal domains, and a VPN connection to a GCP VPC with an instance running. I’m trying to set up zone forwarding so that the GCP instance can make private zone queries, directing the queries via the internal IP of the DNS servers over the VPN.

I can query the DNS servers directly from the GCP instance - so all the firewall rules work in general.

However, when I set up Cloud DNS, with either an outbound forwarding policy or a zone forwarder, I never get a response from the internal resolver. It seems that although the query is kept on private networks, the IP address trying to query my DNS servers is in 35.199.192.0/19. And even if I allow that inbound, the response goes out to the internet.

Do I have to explicitly route 35.199.192.0/19 from AWS through the VPN tunnel? Could that cause other problems, like access to services in that space that should be over the internet?

Yes, you do have to route that subnet. That subnet is not used by any other production system, and is rejected unless it comes from an internal address space in your VPC.

Check the third bullet in this link.

Agreed, this is the right answer: the on-prem side needs a static route back to the /19 over the same link.

Huh…it just seems…so…ick. :slight_smile: I’ll give it a try tomorrow.

I was able to get back to it today, and confirm that adding the route to the VPN tunnel on the AWS side makes all this work. Thanks!
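An added example (not code from anyone in the thread) modelling why the resolver's reply leaks to the internet: AWS VPC route tables use longest-prefix match, so a DNS reply to a 35.199.192.0/19 source falls through to the default route unless a more specific route points at the VPN gateway. The route table, CIDRs and `vgw-`/`igw-` IDs below are constructed placeholders; the check also catches a route that only covers part of the /19.

```python
"""Longest-prefix-match check for the Cloud DNS forwarding return path."""
import ipaddress

# Source range Cloud DNS uses for forwarded queries (stated in the thread).
CLOUD_DNS_FORWARDING_RANGE = ipaddress.ip_network("35.199.192.0/19")

# Constructed sample route table for the AWS subnet hosting the resolvers.
# Targets are placeholder IDs, not real resources.
ROUTES_BEFORE = {
    "10.20.0.0/16": "local",
    "10.50.0.0/16": "vgw-PLACEHOLDER",   # GCP VPC CIDR reachable over the VPN
    "0.0.0.0/0": "igw-PLACEHOLDER",      # default route to the internet
}
# Same table after adding the return route the answer recommends.
ROUTES_AFTER = dict(ROUTES_BEFORE, **{"35.199.192.0/19": "vgw-PLACEHOLDER"})


def select_route(routes, dst_ip):
    """Return (prefix, target) the VPC router picks: the most specific match."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, target in routes.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return (str(best[0]), best[1]) if best else None


def reply_path_ok(routes, src_ip, vpn_target_prefix="vgw-"):
    """True if a DNS reply to src_ip would leave via the VPN gateway."""
    route = select_route(routes, src_ip)
    return route is not None and route[1].startswith(vpn_target_prefix)


def audit_return_path(routes):
    """Every address in the Cloud DNS range must map to the VPN target.

    Checks the first and last address and requires the selected prefix to
    cover the whole /19, so a partial route (e.g. a /20) is reported as broken.
    """
    first = str(CLOUD_DNS_FORWARDING_RANGE[0])
    last = str(CLOUD_DNS_FORWARDING_RANGE[-1])
    r_first, r_last = select_route(routes, first), select_route(routes, last)
    covers = (r_first == r_last and
              CLOUD_DNS_FORWARDING_RANGE.subnet_of(ipaddress.ip_network(r_first[0])))
    return covers and reply_path_ok(routes, first)


if __name__ == "__main__":
    for name, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(name, select_route(table, "35.199.192.10"), audit_return_path(table))
```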