Hybrid DNS with GCP Network Connectivity Center and Enterprise IPAM

I recently worked through a hybrid DNS design for a Google Cloud environment with some interesting constraints that I think are worth writing up. The setup involved implementing a company-wide on-premises DNS system built on enterprise IPAM platforms (Infoblox, EfficientIP, or BlueCat) with two critical requirements: Security policies prohibit DNS queries originating from Google's public IP ranges The IPAM must remain the authoritative source for all DNS records, including GCP-hosted zones The solution involved deploying virtual machines within GCP to bridge these constraints. How DNS Works in Google Cloud By default, Compute Engine instances use the VPC-internal DNS resolver at 169.254.169.254 , handled by Cloud DNS based on the VPC network configuration. Cloud DNS Zone Types Private zones: Cloud DNS hosts records directly and is authoritative Forwarding zones: Cloud DNS forwards queries to target name servers; with private routing, source IPs originate from 35.199.192.0/19 Peering zo