BLOGS

 
  • Subhas Patil

Resolving DNS for Hybrid Cloud using Route 53 Resolver via Terraform

Updated: Jan 24

Route 53 Resolver is an AWS solution to enterprises who are looking to use an existing DNS configuration in a hybrid network by bridging the data center and public cloud.



On a high level, Route 53 resolver:

1) Is a managed DNS resolver service from Route 53

2) Helps to create conditional forwarding rules to redirect query traffic

3) Enables hybrid connectivity over AWS Direct Connect and Managed VPN


Now, we will be working on creating a route 53 resolver inbound and outbound endpoints, and then share the rule with target VPCs in multi AWS accounts. (Note: All the VPCs used here are from multi account architecture and are associated via Transit Gateway and all the subnets used here have routes to On Premise Infrastructure using Direct Connect.)



The following diagram shows the path of a DNS query from a DNS resolver on your network to Route 53 Resolver:


The following diagram shows the path of a DNS query from an EC2 instance in one of your VPCs to a DNS resolver on your network.


To know more about how the DNS queries are resolved, you can visit the following documentation: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html


Step 1: Create inbound endpoint


Step 2: Create outbound endpoint


Step 3: Create a resolver forward rule


Step 4: Rule association


Now that we have setup the inbound/outbound endpoints and associated with a rule, this rule can be shared with multiple VPCs in different accounts using Resource Access Manager (RAM).


Step 1: Create resource share


Step 2: Route 53 resolver rule association with RAM


Step 3: Send share invite to target accounts


Step 4: Route53 Resolver rule association to VPC


Now the invite is sent to the target AWS accounts. After that, we need to accept the RAM invite and associate the shared Route 53 resolver rule with the target VPC. Run the following code into the target AWS account:


We have learnt how to create inbound and outbound endpoints and how to share rules with multiple accounts. This will enable the resources from VPCs to resolve DNS to on premise and vice versa. Note that you will have to create a private hosted zone for inbound rules.


Lets see how we can test the outbound connection:

1) SSH into one of the Linux EC2 instance

2) Enter the following command - Format: dig “record name” “record type”


Verify if the DNS record is resolving to the correct IP address in the ANSWER SECTION.










15 views0 comments

Recent Posts

See All