AVX and AWS DNS

AWS DNS Design Options (from reference #1)

Option 1: Inbound and Outbound endpoints deployed in the hub vpc

  • Aviatrix spoke gateways see DNS traffic towards the hub vpc Route 53 Resolver Inbound endpoints
  • Aviatrix “sees” traffic from Route 53 Resolver Outbound endpoints towards the on-prem DNS resolver

Option 2: Inbound and Outbound endpoints deployed in the hub vpc for forwarding

  • Aviatrix does not see DNS traffic

Option 3: VPC sharing

This option will not be investigated as it does not fit a scalable and secure hub and spoke topology.

Option 4: Shared Private Zones and Forwarded Rules (AWS recommended)

  • Aviatrix sees Route 53 Resolver Outbound Endpoint DNS traffic towards the on-prem DNS resolver

Testing

Configuration Information

  • Route 53 Private Zone: kccd-lab-private.xyz
  • Bind Server Private Zone: kccd-lab.xyz

Hosted Private Zone:

Outbound Config:

Rule:

Inbound config:

Design Option 1

Create a DHCP option set pointing to the inbound endpoints:

and associate it with the VPC:

Servers will then have their /etc/resolv.conf updated to:
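Under this option the point of the DHCP option set is that workloads send their queries to the inbound endpoints, where the Aviatrix spoke gateways can see the traffic, rather than to the VPC's default AmazonProvidedDNS address. The following is an added example (not part of this write-up or of Aviatrix/AWS tooling) that parses a host's /etc/resolv.conf and classifies each nameserver; the endpoint IPs, VPC CIDR and the resolv.conf contents are constructed sample values.

```python
# Added example, not part of the original write-up: check a host's
# /etc/resolv.conf after the DHCP option set from design option 1 has
# been applied. Workloads should query the Route 53 Resolver inbound
# endpoints rather than the VPC's default AmazonProvidedDNS address,
# which is the VPC CIDR base address + 2 (169.254.169.253 is its
# link-local alias).
import ipaddress

# Constructed sample values: these inbound endpoint IPs and this VPC CIDR
# are assumptions for illustration, not the lab's real addresses.
INBOUND_ENDPOINTS = {"10.0.1.10", "10.0.2.10"}
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")

# Constructed resolv.conf as a DHCP client would write it.
SAMPLE_RESOLV_CONF = """\
# Generated by the DHCP client
search ec2.internal
nameserver 10.0.1.10
nameserver 10.0.2.10
options timeout:2 attempts:5
"""


def parse_resolv_conf(text):
    """Return (nameservers, search_domains) found in resolv.conf text."""
    nameservers, search = [], []
    for raw in text.splitlines():
        # '#' and ';' both start comments in resolv.conf
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            nameservers.append(parts[1])
        elif parts[0] == "search":
            search = parts[1:]  # a later 'search' line replaces an earlier one
    return nameservers, search


def classify_nameservers(text, expected=INBOUND_ENDPOINTS, vpc_cidr=VPC_CIDR):
    """Map each nameserver to 'inbound-endpoint', 'amazon-provided-dns' or 'unexpected'."""
    amazon_dns = {
        ipaddress.ip_address(int(vpc_cidr.network_address) + 2),
        ipaddress.ip_address("169.254.169.253"),
    }
    result = {}
    nameservers, _ = parse_resolv_conf(text)
    for ns in nameservers:
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            result[ns] = "unexpected"  # not even a valid IP address
            continue
        if ns in expected:
            result[ns] = "inbound-endpoint"
        elif addr in amazon_dns:
            result[ns] = "amazon-provided-dns"
        else:
            result[ns] = "unexpected"
    return result


def uses_only_inbound_endpoints(text, expected=INBOUND_ENDPOINTS, vpc_cidr=VPC_CIDR):
    """True when every configured nameserver is one of the inbound endpoints."""
    classes = classify_nameservers(text, expected, vpc_cidr)
    return bool(classes) and all(v == "inbound-endpoint" for v in classes.values())


if __name__ == "__main__":
    print(classify_nameservers(SAMPLE_RESOLV_CONF))
    print(uses_only_inbound_endpoints(SAMPLE_RESOLV_CONF))
```

A host that still lists the .2 address means the DHCP option set did not take effect (or the host overrides DHCP-provided resolvers), and its queries bypass the path the Aviatrix gateways inspect.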

Design Option 2

This option configuration is covered in parts in design option 4.

Design Option 3

This option will not be investigated as it does not fit a scalable and secure hub and spoke topology.

Design Option 4

VPC with hosted private zone and forward rule attached:

VPC with no hosted private zone and no forward rule attached:

VPC with no hosted private zone and forward rule shared/attached:

That traffic rides the AWS backbone: it enters the Route 53 Resolver at .2, leaves through the outbound endpoint at .142 and reaches the DNS server at .14:

VPC with hosted private zone shared/attached and forward rule shared/attached:

The association can be done using Route 53 Profiles. Once a Profile is created in the hub account, it is shared with the other accounts and the VPCs are then associated with the Profile:

Once the association is complete, both domains resolve properly:
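The four VPC states tested above (zone and rule attached, nothing attached, rule shared only, both shared through a Profile) each give a predictable outcome for the two lab domains. The following is an added example, not part of this write-up and not AWS code, that models that decision for the lab's zones so the expected result of each state can be written down before looking at captures. It assumes, following the Resolver rules documentation in the references, that a matching forwarding rule is checked before the VPC's associated private hosted zones and that the most specific matching rule wins; system rules are not modeled. Only the last octets .2, .142 and .14 come from the write-up; the network prefix is a constructed placeholder, as is the `Vpc`/`ForwardRule` model itself.

```python
# Added example, not part of the original write-up: a small model of how
# a query from a spoke VPC is answered under design option 4, using the
# lab's two zones and the four VPC states tested in the write-up.
# Assumption (modeled on the AWS Resolver rules documentation in the
# references): a matching forwarding rule is checked before the VPC's
# associated private hosted zones, and among several matching rules the
# most specific domain wins; system rules are not modeled.
from dataclasses import dataclass, field

# Only the last octets (.2, .142, .14) come from the write-up; the
# network prefix is a constructed placeholder.
VPC_RESOLVER = "x.x.x.2"         # Route 53 Resolver address in the VPC
OUTBOUND_ENDPOINT = "x.x.x.142"  # outbound endpoint ENI in the hub VPC
BIND_SERVER = "x.x.x.14"         # BIND server reached across the Aviatrix transit

ROUTE53_PRIVATE_ZONE = "kccd-lab-private.xyz"
BIND_ZONE = "kccd-lab.xyz"


@dataclass
class ForwardRule:
    domain: str      # domain the rule matches, e.g. "kccd-lab.xyz"
    target_ip: str   # resolver the outbound endpoint forwards to


@dataclass
class Vpc:
    name: str
    private_zones: set = field(default_factory=set)   # associated hosted zones
    rules: list = field(default_factory=list)         # attached or shared rules


def _in_domain(qname, domain):
    """True when qname equals domain or is a subdomain of it."""
    q, d = qname.rstrip(".").lower(), domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)


def resolve_path(vpc, qname):
    """Return (outcome, hops) for a query sent to the VPC resolver from vpc."""
    hops = [VPC_RESOLVER]
    matching = [r for r in vpc.rules if _in_domain(qname, r.domain)]
    if matching:
        # Longest domain = most specific rule; this is the forwarded path
        # that Aviatrix sees leaving the outbound endpoint.
        rule = max(matching, key=lambda r: len(r.domain))
        hops += [OUTBOUND_ENDPOINT, rule.target_ip]
        return "forwarded", hops
    for zone in vpc.private_zones:
        if _in_domain(qname, zone):
            return "private-zone", hops   # answered inside Route 53, never leaves AWS
    # No private data for this name in this VPC: only public DNS could answer.
    return "public-only", hops


def lab_scenarios():
    """The four VPC states from the option 4 test, in the order listed above."""
    rule = ForwardRule(BIND_ZONE, BIND_SERVER)
    return [
        Vpc("zone+rule attached", {ROUTE53_PRIVATE_ZONE}, [rule]),
        Vpc("nothing attached"),
        Vpc("rule shared only", rules=[rule]),
        Vpc("zone+rule shared via Profile", {ROUTE53_PRIVATE_ZONE}, [rule]),
    ]


def outcomes(qname):
    """Outcome per lab VPC for one query name."""
    return {v.name: resolve_path(v, qname)[0] for v in lab_scenarios()}


if __name__ == "__main__":
    for name in ("host." + BIND_ZONE, "host." + ROUTE53_PRIVATE_ZONE):
        print(name, outcomes(name))
```

The model makes the operational difference between the two zones explicit: names in kccd-lab.xyz only resolve where the forwarding rule is associated, and that is the only traffic that reaches the outbound endpoint and the Aviatrix gateways; names in kccd-lab-private.xyz are answered inside Route 53 and produce no traffic to inspect.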

References

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-overview-DSN-queries-to-vpc.html#resolver-overview-forward-vpc-to-network-domain-name-matches

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall.html

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/best-practices.html

Resolver Rules

Route 53 and AD Reference Architecture
