diff --git a/modules/gke-cluster/main.tf b/modules/gke-cluster/main.tf
index 67e95dd3c..4b98acd54 100644
--- a/modules/gke-cluster/main.tf
+++ b/modules/gke-cluster/main.tf
@@ -14,6 +14,16 @@
 * limitations under the License.
 */
+locals {
+ # The Google provider is unable to validate certain configurations of
+ # private_cluster_config when enable_private_nodes is false (provider docs)
+ is_private = try(var.private_cluster_config.enable_private_nodes, false)
+ peering = try(
+ google_container_cluster.cluster.private_cluster_config.0.peering_name,
+ null
+ )
+}
+
 resource "google_container_cluster" "cluster" {
 provider = google-beta
 project = var.project_id
@@ -36,8 +46,12 @@ resource "google_container_cluster" "cluster" {
 remove_default_node_pool = true # node_config
+ # TODO(ludomagno): compute addons map in locals and use a single dynamic block
 addons_config {
+ dns_cache_config {
+ enabled = var.addons.dns_cache_config
+ }
 http_load_balancing {
 disabled = ! var.addons.http_load_balancing
 }
@@ -106,7 +120,7 @@ resource "google_container_cluster" "cluster" {
 }
 dynamic private_cluster_config {
- for_each = var.private_cluster_config != null ? [var.private_cluster_config] : []
+ for_each = local.is_private ? [var.private_cluster_config] : []
 iterator = config
 content {
 enable_private_nodes = config.value.enable_private_nodes
@@ -195,3 +209,12 @@ resource "google_container_cluster" "cluster" {
 }
 }
+
+resource "google_compute_network_peering_routes_config" "gke_master" {
+ count = local.is_private && var.peering_config != null ? 1 : 0
+ project = var.project_id
+ peering = local.peering
+ network = element(reverse(split("/", var.network)), 0)
+ import_custom_routes = var.peering_config.import_routes
+ export_custom_routes = var.peering_config.export_routes
+}
diff --git a/modules/gke-cluster/variables.tf b/modules/gke-cluster/variables.tf
index e39667711..270a20f2a 100644
--- a/modules/gke-cluster/variables.tf
+++ b/modules/gke-cluster/variables.tf
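Review bot: The new `for_each = local.is_private ? [var.private_cluster_config] : []` in the private_cluster_config hunk drops the whole block, without any plan-time error, when a caller passes a config with `enable_private_nodes = false` but other attributes such as `enable_private_endpoint` set, so the cluster is created with the default public control-plane endpoint and the caller is only told so by the wording in the variable description. The locals comment explains why the block must be skipped, but the silent downgrade deserves a comment at the point where it happens, e.g. `# skipped entirely unless enable_private_nodes is true; all other private_cluster_config attributes are ignored in that case`. If the module targets Terraform 0.13 or later (I cannot tell from the hunk), a `validation` block on `private_cluster_config` that rejects a non-null value with `enable_private_nodes = false` would turn this into a plan failure instead. The dynamic block's content continues outside the hunk.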
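Review bot: In the new `google_compute_network_peering_routes_config` resource, `project = var.project_id` assumes the peered network belongs to the cluster project while `network` is taken from the tail of the `var.network` self link; if `var.network` can point at a Shared VPC host network, the routes config has to be created in that network's project and this would fail or target the wrong project, so deriving the project from the same self link (or adding an explicit variable) would be safer — I cannot tell from the hunk whether the module supports that layout, so confirm before changing it. Enabling `export_custom_routes` also widens what the Google-managed control plane VPC can route to, which is the kind of decision the resource should document; a header comment such as `# Custom route exchange on the control plane peering; only created for private clusters when peering_config is set` would make both the gating in `count` and the intent explicit.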
@@ -17,24 +17,26 @@ variable "addons" {
 description = "Addons enabled in the cluster (true means enabled)."
 type = object({
+ cloudrun_config = bool
+ dns_cache_config = bool
 horizontal_pod_autoscaling = bool
 http_load_balancing = bool
- network_policy_config = bool
- cloudrun_config = bool
 istio_config = object({
 enabled = bool
 tls = bool
 })
+ network_policy_config = bool
 })
 default = {
+ cloudrun_config = false
+ dns_cache_config = false
 horizontal_pod_autoscaling = true
 http_load_balancing = true
- network_policy_config = false
- cloudrun_config = false
 istio_config = {
 enabled = false
 tls = false
 }
+ network_policy_config = false
 }
 }
@@ -169,6 +171,15 @@ variable "node_locations" {
 default = []
 }
+variable "peering_config" {
+ description = "Configure peering with the master VPC for private clusters."
+ type = object({
+ export_routes = bool
+ import_routes = bool
+ })
+ default = null
+}
+
 variable "pod_security_policy" {
 description = "Enable the PodSecurityPolicy feature."
 type = bool
@@ -176,7 +187,7 @@ variable "pod_security_policy" {
 }
 variable "private_cluster_config" {
- description = "Enable and configure private cluster."
+ description = "Enable and configure private cluster, private nodes must be true if used."
 type = object({
 enable_private_nodes = bool
 enable_private_endpoint = bool
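Review bot: The description of the new `peering_config` variable does not say that it is ignored unless the cluster is private: main.tf gates the peering routes resource on `local.is_private && var.peering_config != null`, so setting it on a cluster without private nodes silently does nothing. Suggest `description = "Configure custom route import/export on the control plane VPC peering; only applied to private clusters, ignored when enable_private_nodes is false."`. Naming the direction of `export_routes` and `import_routes` (custom routes exported to, or imported from, the control plane VPC) would also help readers map them to the `export_custom_routes`/`import_custom_routes` attributes they drive.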