IBM Cloud Docs

Create a DNS resolution binding between a VPC and a DNS hub VPC so that the DNS hub VPC can resolve the DNS hostnames of Virtual Private Endpoint (VPE) gateways residing on the DNS-shared VPC. Keep in mind that VPE gateways bound to the DNS-shared VPCs must also be enabled for resolution binding (the default setting).

Before you begin

Before you create a DNS resolution binding, review the following prerequisites:

Review Planning considerations and Known issues and limitations.
Ensure a VPC enabled as a DNS hub already exists.
The hub VPC administrator must create an IAM service-to-service authorization policy that allows this DNS-shared VPC to have DNSBindingConnector permission on the hub VPC. This DNSBindingConnector role on the hub VPC is required regardless of whether the DNS-shared VPC is in the same or a different account. For more information, see Establishing service-to-service authorization.

You can create a DNS resolution binding with the UI, CLI, API, or Terraform.

Creating a DNS resolution binding in the UI

To create a DNS resolution binding in the IBM Cloud console, follow these steps:

From your browser, open the IBM Cloud console and log in to your account.
Select the Navigation Menu , then click Infrastructure > Network > VPCs.
Click the Virtual Private Cloud in which you want to share DNS records with the DNS hub VPC.
Scroll to the Optional DNS settings section, then expand the DNS resolution binding section and click Create.
In the Create side panel, enter a name for the resolution binding.
Enter the cloud resource name (CRN) of the DNS hub VPC, or use the menu to select a hub VPC within the same account.
Click Create to create the DNS resolution binding.

The VPC with the DNS resolution binding now shows a DNS-Shared tag next to its name.

Deleting a DNS resolution binding in the UI

To delete a DNS resolution binding in the IBM Cloud console, follow these steps:

From your browser, open the IBM Cloud console and log in to your account.
Select the Navigation Menu , then click Infrastructure > Network > VPCs.
Click the Virtual Private Cloud in which you want to delete the DNS resolution binding.
Scroll to the Optional DNS settings section, then expand the DNS resolution binding section.
Click Delete. If there is more than one binding, click the Actions icon , then click Delete.

Creating a DNS resolution binding from the CLI

To create a DNS resolution binding with the CLI, follow these steps:

Set up your CLI environment.
Log in to your account with the CLI. After you enter the password, the system prompts which account and region that you want to use:
```
ibmcloud login --sso
```

Enable the following feature flag:

export IBMCLOUD_IS_FEATURE_VPC_DNS_SHARING=true

To create a DNS resolution binding, enter the following command:

ibmcloud is vpc-dns-resolution-binding-create VPC --target-vpc TARGET_VPC [--name NAME] [--output JSON] [-q, --quiet]

Where:

VPC: Specifies the ID or name of the VPC.
--target-vpc TARGET_VPC: Specifies the ID or name of another VPC to bind this VPC to, for DNS resolution.
-name NAME: Specifies the name for this DNS resolution binding.
--output JSON: Specifies the output format, only JSON is supported. One of: JSON.
--q, --quiet: Suppresses verbose output.

Command examples

ibmcloud is vpc-dns-resolution-binding-create my-vpc --name my-dns-res-binding --target-vpc my-dns-binding-vpc --output JSON
ibmcloud is vpc-dns-resolution-binding-create 72251a2e-d6c5-42b4-97b0-b5f8e8d1f479 --name my-dns-res-binding --target-vpc my-dns-binding-vpc --output JSON

Deleting a DNS resolution binding from the CLI

To delete one or more resolution bindings with the CLI, follow these steps:

ibmcloud is vpc-dns-resolution-binding-delete VPC (DNS_RESOLUTION_BINDING1 DNS_RESOLUTION_BINDING2 ...) [--output JSON] [-f, --force] [-q, --quiet]

Where:

VPC: Specifies the ID or name of the VPC.
DNS_RESOLUTION_BINDING1: Specifies the ID or name of the DNS resolution binding.
DNS_RESOLUTION_BINDING2: Specifies the ID or name of the DNS resolution binding.
--output JSON: Specifies the output format, only JSON is supported. One of: JSON.
--f, --force: Forces the operation without confirmation.
--q, --quiet: Suppresses verbose output.

Command example

ibmcloud is vpc-dns-resolution-binding-delete r006-e5b9726b-c975-46bd-b713-c8aea55d51d8 r006-75ccea7b-c705-4b50-934d-2152f9eab4ec --name my-dns-resolution --output JSON

Creating a DNS resolution binding with the API

To create a resolution binding with the API, follow these steps:

Set up your API environment.
Store the following values in variables to be used in the API commands:
```
export hub_vpc_id=<hub_vpc_id>
export spoke_vpc_id=<spoke_vpc_id>
```

To create a DNS resolution binding, run the following command:

curl -sX POST "$vpc_api_endpoint/v1/vpcs/$spoke_vpc_id/dns_resolution_bindings?version=$version&generation=2" -H "Authorization: Bearer ${iam_token}" -d '{"vpc": {"id": "'$hub_vpc_id'"}}'

Sample output:

{
  "created_at": "2023-08-22T23:23:37Z",
  "endpoint_gateways": [],
  "href": "https://us-south.iaas.cloud.ibm.com/v1/vpcs/r006-955c4b01-006f-4630-8a6a-f57e30354974/dns_resolution_bindings/r006-f95df674-74af-47ea-91d9-0aec39972ae7",
  "id": "r006-f95df674-74af-47ea-91d9-0aec39972ae7",
  "lifecycle_state": "pending",
  "name": "my-binding",
  "resource_type": "vpc_dns_resolution_binding",
  "vpc": {
    "crn": "crn:[...]",
    "href": "https://us-south.iaas.cloud.ibm.com/v1/vpcs/r006-c6c9d533-a43b-488c-a4f5-b532f4ddd3e0",
    "id": "r006-c6c9d533-a43b-488c-a4f5-b532f4ddd3e0",
    "name": "hub-vpc",
    "remote": {},
    "resource_type": "vpc"
  }
}

Deleting a DNS resolution binding with the API

To delete a DNS resolution binding with the API, follow these steps:

Set up your API environment.
Store the following values in variables to be used in the API commands:
```
export dns_binding_id=<spoke_vpc_dns_binding_id>
```

To delete a DNS resolution binding, run the following command:

curl -sX DELETE "$vpc_api_endpoint/v1/vpcs/$spoke_vpc_id/dns_resolution_bindings/$dns_binding_id?version=$version&generation=2" -H "Authorization: Bearer ${iam_token}"

Creating a DNS resolution binding with Terraform

You can use Terraform to create a DNS resolution binding.

To use Terraform, download the Terraform CLI and configure the IBM Cloud Provider plug-in. For more information, see Getting started with Terraform.

VPC infrastructure services use a regional specific endpoint, which targets to us-south by default. If your VPC is created in another region, make sure to target the appropriate region in the provider block in the provider.tf file.

See the following example of targeting a region other than the default us-south.

provider "ibm" {
  region = "eu-de"
}

To create a DNS resolution binding:

resource "ibm_is_vpc_dns_resolution_binding" "my_dns_resolution_binding" {
	name = "example-dns"
	vpc_id = "vpc_id"
	vpc {
		id = "<target_vpc_id">
	}
}
resource "ibm_is_vpc_dns_resolution_binding" "my_dns_resolution_binding" {
	name = "example-dns"
	vpc_id = "vpc_id"
	vpc {
		crn = "<target_vpc_crn">
	}
}
resource "ibm_is_vpc_dns_resolution_binding" "my_dns_resolution_binding" {
	name = "example-dns"
	vpc_id = "vpc_id"
	vpc {
		href = "<target_vpc_href">
	}
}

Deleting a DNS resolution binding with Terraform

To delete a DNS resolution binding with Terraform, see the following example:

terraform destroy --target ibm_is_vpc_dns_resolution_binding.my_dns_resolution_binding

Next step

Configure a DNS custom resolver on the DNS hub VPC to be responsible for resolving DNS queries from hub and DNS-shared VPCs, as well as those from on-prem networks.

Creating and deleting a DNS resolution binding