DNS uses UDP port 53 for most of it operations but relies on TCP for operations that requires the transmission of packets exceeding 512 bytes. When the message size exceeds 512 bytes, it triggers a ‘TC’ bit (Truncation) in DNS to inform the client that the message length has exceeded the allowed size. The client needs then to re-transmit over TCP (size limit is 64000 bytes).
Back End Configuration
- 35.191.0.0/16 and 130.211.0.0/22 are the GCP reserved ranges for NLB HC
- 35.199.192.0/19 is the GCP reserved range for Cloud DNS type 1 source addresses
If you happen to run the HC across a device like routers or firewall you will need to configure DNAT for those devices to properly reply back to the HC of the LB:
- Source CIDR: 35.191.0.0/16 and 130.211.0.0/22
- Destination CIDR: LB Front End IP (with mask)
- Destination IP: router or firewall interface IP address
You will probably need also to create a DNAT for your backend service:
- Source CIDR: 35.199.192.0/19
- Destination CIDR: LB Front End IP (with mask)
- Destination IP: DNS server IP address
and a SNAT:
- Source CIDR: 35.199.192.0/19
- Destination CIDR: DNS server IP address (with mask)
- Destination IP: router or firewall interface IP address
TCP Load Balancer
We reserve a static IP to be shared between both LBs:
UDP Load Balancer
We have to select the previously reserved Internal IP for this design deployment to be successful:
The end result is two LBs, one TCP and another UDP sharing the front end VIP:
Cloud DNS Configuration
We create a dns-policy with a rule to forward all queries to the IP of NLB:
We also need to attach the networks that will utilize that policy:
References
https://cloud.google.com/load-balancing/docs/forwarding-rule-concepts
https://cloud.google.com/load-balancing/docs/internal/internal-tcp-udp-lb-and-other-networks
https://cloud.google.com/load-balancing/docs/health-check-concepts
