// Module included in the following assemblies:
//
// * cloud_experts_osd_tutorials/cloud-experts-osd-limit-egress-ngfw.adoc

:_mod-docs-content-type: PROCEDURE
[id="cloud-experts-osd-limit-egress-ngfw-create-private-DNS_{context}"]
= Creating private Domain Name System records for Private Google Access

The private Domain Name System (DNS) zone optimizes how your resources connect to Google APIs by ensuring traffic never travels over the public internet. It functions by intercepting DNS requests for Google services and resolving them to private IP addresses, forcing the connection onto Google's internal network for a faster, more secure data exchange.

. Create a private DNS zone for the googleapis.com domain by running the following command:
+
[source,terminal]
----
$ gcloud dns managed-zones create ${prefix}-googleapis \
    --visibility=private \
    --networks=https://www.googleapis.com/compute/v1/projects/${project_id}/global/networks/${prefix}-vpc \
    --description="Private Google Access" \
    --dns-name=googleapis.com
----

. Begin a record set transaction by running the following command:
+
[source,terminal]
----
$ gcloud dns record-sets transaction start \
    --zone=${prefix}-googleapis
----

. Stage the DNS records for Google APIs under the googleapis.com domain by running the following commands:
+
[source,terminal]
----
$ gcloud dns record-sets transaction add --name="*.googleapis.com." \
    --type=CNAME restricted.googleapis.com. \
    --zone=${prefix}-googleapis \
    --ttl=300
----
+
[source,terminal]
----
$ gcloud dns record-sets transaction add 199.36.153.4 199.36.153.5 199.36.153.6 199.36.153.7 \
    --name=restricted.googleapis.com. \
    --type=A \
    --zone=${prefix}-googleapis \
    --ttl=300
----

. Apply the staged record set transaction you started above by running the following command:
+
[source,terminal]
----
$ gcloud dns record-sets transaction execute \
    --zone=${prefix}-googleapis
----
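
The following check is an added example, not part of the original procedure: it reads DNS answers, one per line, and confirms that every address is one of the four `restricted.googleapis.com` A records staged above, so an answer that resolves outside the private zone is flagged. The function names and the sample answers are constructed for illustration, and treating any CNAME target other than `restricted.googleapis.com.` as a failure is an assumption based on the wildcard record in this procedure.

```shell
#!/bin/sh
# Added example: verify that DNS answers for a Google API hostname stay on the
# restricted.googleapis.com addresses staged in the private zone.

# The four A-record values from the procedure above.
RESTRICTED_VIPS="199.36.153.4 199.36.153.5 199.36.153.6 199.36.153.7"

# is_restricted_vip ADDR: exit 0 if ADDR is one of the staged addresses.
is_restricted_vip() {
  for vip in $RESTRICTED_VIPS; do
    [ "$1" = "$vip" ] && return 0
  done
  return 1
}

# check_answers: read `dig +short`-style answers on stdin (CNAME targets end
# in ".", everything else is treated as an address). Prints one verdict per
# line; exit 0 only if at least one address was seen and nothing failed.
check_answers() {
  seen=0 bad=0
  while IFS= read -r answer; do
    case "$answer" in
      "") continue ;;
      *.) # CNAME hop: assumed to be the target of the wildcard record
          if [ "$answer" = "restricted.googleapis.com." ]; then
            echo "ok    cname $answer"
          else
            echo "FAIL  cname $answer"; bad=$((bad + 1))
          fi ;;
      *)  seen=$((seen + 1))
          if is_restricted_vip "$answer"; then
            echo "ok    a     $answer"
          else
            echo "FAIL  a     $answer"; bad=$((bad + 1))
          fi ;;
    esac
  done
  [ "$seen" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Constructed sample answers (not captured output). 203.0.113.10 is a
# documentation address standing in for a public, non-restricted answer.
sample_private() { printf '%s\n' restricted.googleapis.com. $RESTRICTED_VIPS; }
sample_public()  { printf '%s\n' 203.0.113.10; }

# Demo on the samples. On a VM in the VPC, pipe real answers instead:
#   dig +short storage.googleapis.com | check_answers
sample_private | check_answers && echo "private zone in effect"
sample_public  | check_answers || echo "answer left the restricted range"
```

An empty answer set also fails the check, which catches the case where the zone is not attached to the network the query came from.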