Resolving DNS for Hybrid Cloud using Route 53 Resolver via Terraform
Updated: Jan 24
Route 53 Resolver is an AWS solution to enterprises who are looking to use an existing DNS configuration in a hybrid network by bridging the data center and public cloud.
On a high level, Route 53 resolver:
1) Is a managed DNS resolver service from Route 53
2) Helps to create conditional forwarding rules to redirect query traffic
3) Enables hybrid connectivity over AWS Direct Connect and Managed VPN
Now, we will be working on creating a route 53 resolver inbound and outbound endpoints, and then share the rule with target VPCs in multi AWS accounts. (Note: All the VPCs used here are from multi account architecture and are associated via Transit Gateway and all the subnets used here have routes to On Premise Infrastructure using Direct Connect.)
The following diagram shows the path of a DNS query from a DNS resolver on your network to Route 53 Resolver:
The following diagram shows the path of a DNS query from an EC2 instance in one of your VPCs to a DNS resolver on your network.
To know more about how the DNS queries are resolved, you can visit the following documentation: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html
Step 1: Create inbound endpoint
Step 2: Create outbound endpoint
Step 3: Create a resolver forward rule
Step 4: Rule association
Now that we have setup the inbound/outbound endpoints and associated with a rule, this rule can be shared with multiple VPCs in different accounts using Resource Access Manager (RAM).
Step 1: Create resource share
Step 2: Route 53 resolver rule association with RAM
Step 3: Send share invite to target accounts
Step 4: Route53 Resolver rule association to VPC
Now the invite is sent to the target AWS accounts. After that, we need to accept the RAM invite and associate the shared Route 53 resolver rule with the target VPC. Run the following code into the target AWS account:
We have learnt how to create inbound and outbound endpoints and how to share rules with multiple accounts. This will enable the resources from VPCs to resolve DNS to on premise and vice versa. Note that you will have to create a private hosted zone for inbound rules.
Lets see how we can test the outbound connection:
1) SSH into one of the Linux EC2 instance
2) Enter the following command - Format: dig “record name” “record type”
Verify if the DNS record is resolving to the correct IP address in the ANSWER SECTION.