This page describes how domain peering works in Managed Service for Microsoft Active Directory (Managed Microsoft AD).
Managed Microsoft AD offers highly available and hardened Microsoft Active Directory domains hosted by Google Cloud. Authorized networks make Managed Microsoft AD available on your VPC in the domain resource project. Domain peering makes Managed Microsoft AD available to non-domain-resource projects, such as VPC resource projects, as well.
How domain peering works
Managed Microsoft AD creates a domain peering resource in both the domain resource project and the VPC resource project. This ensures that both projects have visibility into the peering and that the appropriate operators in each project have given their consent before the networks are connected.
After you have successfully configured a domain peering, the Managed Microsoft AD VPC peers with your VPC networks and creates a Cloud DNS peering zone to provide seamless domain discovery from the peered networks.
You can configure domain peering only after you create the domain. If a domain already exists, you must configure the peering in both projects.
How domain peering differs from authorized network
A Managed Microsoft AD domain supports up to 5 authorized networks from the domain resource project. In addition, domain peering lets you add up to 10 networks from other projects to the Managed Microsoft AD domain.
With Managed Microsoft AD domain peering, the authorized network originates from a project other than the domain resource project. This lets you share a single Managed Microsoft AD domain with multiple projects and networks outside the domain resource project, which makes deployment models such as hub and spoke possible.