- EC2 Image Builder: Build your golden VM images on AWS - Wed, Jan 19 2022
- Configuring DFS Namespaces for Amazon FSx for Windows file servers - Fri, Jan 7 2022
- AWS Systems Manager Session Manager: Securely connect EC2 instances - Wed, Dec 22 2021
Resolver endpoints come in two flavors:
- Inbound endpoints: This would enable your resources in the on-prem network to resolve AWS resource domain names or records in a Route 53 private hosted zone by allowing your on-prem network DNS resolvers to forward queries to Route 53 Resolver.
- Outbound endpoints: This would enable your AWS resources to resolve the domain names of your on-prem network resources using resolver rules, which would forward selected queries to the on-prem network DNS resolvers.
Before we get started, make sure you have the following prerequisites in place:
- Ensure that there's network connectivity between your on-prem network and AWS via a VPN connection or Direct Connect.
- Enable DNS host names and resolutions in the DNS support attributes in the VPC in which you would create the endpoint.
- There's at least a private hosted zone with the records you would like to resolve created there and attached to the VPCs with the resources that the records point to.
- For the inbound endpoint, you would need a security group with inbound rules that allow incoming traffic from the on-prem network IP addresses via the following port:
- TCP/UDP 53
- For the outbound endpoint, you would need a security group with outbound rules that allow outgoing TCP/UDP traffic to the on-prem network IP addresses via the ports used by the on-prem network DNS servers. By default this is 53, but if other ports are used, configure them accordingly.
Note: Unlike Route 53 hosted zones, Route 53 Resolver endpoints are regional resources, not global.
Resolve domain names in AWS from your on-prem network ^
To be able to resolve AWS resource domain names from your on-prem network, do the following:
Create a Resolver inbound endpoint
Navigate to the Route 53 console and click Inbound endpoints.
Click Create inbound endpoint.
Then enter a name for the endpoint and select a VPC through which all the inbound DNS queries will flow on the way to the Resolver. Then set the security group, which is mentioned in the prerequisites.
Note: The VPC in which you would create the endpoint should be attached to the private hosted zone.
Afterward, specify the IP addresses of the endpoint. To improve reliability, Resolver requires that you specify two IP addresses for DNS queries. It is recommended to span them across different availability zones.
Note: You can add more than two IPs if you wish.
Finally, you can set the tags and click Submit to start the endpoint creation.
Create a conditional forwarder
Now, you need to allow your on-prem network DNS server to conditionally forward DNS queries for the private hosted zone and private AWS resources to the IP addresses of the inbound endpoint created earlier.
Navigate to your on-prem network DNS server and create a conditional forwarder.
In the DNS Domain field, enter the domain name of the private hosted zone and the IP addresses of the endpoints created earlier. Then select the Store this conditional forwarder in Active Directory option to get the conditional forwarder replicated with other DNS servers in the forest.
If you would like to resolve private Amazon resources, domain names such as EC2 instances, EFS, etc., which are not publicly exposed, you can create another conditional forwarder. In this case, the DNS domain you specify should be amazonaws.com.
Once the endpoint and the conditional forwarder are created, you can start resolving domain names from your on-prem network against the records in the private hosted zone.
Resolve domain names in your on-prem network from AWS ^
To be able to resolve your on-prem network resource domain names from AWS, do the following:
Create an outbound endpoint
Navigate to the Route 53 console and click Outbound endpoints.
Click Create outbound endpoint.
Follow the same steps you followed in creating an inbound endpoint, but for the security group, select the security group you created earlier for the outbound endpoint.
Create a Resolver rule
Navigate to the Route 53 Console and click Rules.
Click Create rule.
Then enter a friendly name for the Resolver rule. Select the Forward rule type, specify the domain name of the on-prem network and the VPCs to which this rule will be associated, the outbound endpoint you created earlier, and the Target IP addresses, which are the IP addresses of the on-prem network DNS servers.
Once the configurations are submitted and the rule is created, you can test resolving domain names from the AWS VPCs you specified in the rule configuration against the on-prem network.
Subscribe to 4sysops newsletter!
In this article, we've gone through how to create a hybrid DNS between AWS and on-prem using AWS Resolver endpoints. If you've got any further questions, please mention them in the comments.