Using Route 53 Resolver Endpoints in Hybrid and AWS Architectures – Domain Name Services – ANS-C01 Study Guide

Using Route 53 Resolver Endpoints in Hybrid and AWS Architectures

Resolvers in a VPC can be configured as inbound, outbound, or both. Inbound allows queries from your internal DNS deployment to the DNS server in your VPC; outbound enables VPC DNS queries to your on-premises DNS; and both enables queries in both directions. When configuring an outbound endpoint, one or more forwarding rules are created that specify which domain names have their DNS queries routed to the on-premises network. The outbound endpoint specifies the VPC used for the queries. Figure 2.23 shows a Route 53 Resolver interconnected with an on-premises data center.

Outbound resolver endpoints require the following values:

  • The name of the endpoint, which can be any name you choose that makes the endpoint easy to identify in the AWS console.
  • The VPC used for outbound DNS queries, which is the VPC that connects to your network.
  • A security group for the endpoint that defines access control to the VPC. Specify an inbound rule that opens DNS on UDP and TCP port 53. Outbound rules enable access to your on-premises DNS server from the VPC; it is common to use UDP and TCP port 53, which is the standard port number for DNS. More than one security group can be applied.
  • IP addresses inside your VPC from which the resolver forwards DNS queries in order to reach your internal DNS resolvers. For redundancy, specify an IP address in two or more availability zones.
  • When the IP addresses are defined, a VPC Elastic Network Interface (ENI) is created in the availability zone of the subnet you specified. If you are using multiple IP addresses for an endpoint, their order is not important; for forwarded queries, the resolver picks any IP address from the list.
  • The availability zone that DNS queries traverse in transit to your network.
  • The subnet in which the originating IP address resides.
  • The IP address that the DNS queries originate from; this can be selected for you from the subnet pool of the availability zone or statically configured.

FIGURE 2.23 Resolver endpoints

There can be four resolver endpoints per region, and each endpoint can be assigned six IP addresses. There is a maximum of 1,000 rules per region, and each endpoint can service up to 10,000 queries per second.
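The outbound configuration described above, as an added Terraform example that is not code from the study guide: it assumes an existing VPC, two subnets in different availability zones, and constructed on-premises resolver addresses (192.168.10.53 and 192.168.11.53 in 192.168.10.0/23), and it scopes the security group's DNS egress to that on-premises range rather than to the whole Internet.

```hcl
# Added example (Terraform, not from the guide): outbound Route 53 Resolver
# endpoint with a forwarding rule for an on-premises zone. Assumed inputs:
# the VPC, two subnets in different AZs, constructed on-premises resolvers.
variable "vpc_id"          { type = string }
variable "subnet_id_az_a"  { type = string }
variable "subnet_id_az_b"  { type = string }
variable "onprem_dns_cidr" { default = "192.168.10.0/23" }

# Security group scoped to the on-premises resolver range, not 0.0.0.0/0,
# on both UDP and TCP 53 (TCP carries truncated or large responses).
resource "aws_security_group" "resolver_outbound" {
  name   = "r53-resolver-outbound"
  vpc_id = var.vpc_id
  egress {
    from_port   = 53
    to_port     = 53
    protocol    = "udp"
    cidr_blocks = [var.onprem_dns_cidr]
  }
  egress {
    from_port   = 53
    to_port     = 53
    protocol    = "tcp"
    cidr_blocks = [var.onprem_dns_cidr]
  }
}

# One ENI in each of two AZs for redundancy; with "ip" omitted, the source
# address is taken from the subnet's pool.
resource "aws_route53_resolver_endpoint" "outbound" {
  name               = "corp-outbound"
  direction          = "OUTBOUND"
  security_group_ids = [aws_security_group.resolver_outbound.id]
  ip_address { subnet_id = var.subnet_id_az_a }
  ip_address { subnet_id = var.subnet_id_az_b }
}

# Forward corp.example.com through the endpoint to two on-premises
# resolvers, then bind the rule to the VPC whose queries should use it.
resource "aws_route53_resolver_rule" "corp" {
  name                 = "forward-corp-example-com"
  domain_name          = "corp.example.com"
  rule_type            = "FORWARD"
  resolver_endpoint_id = aws_route53_resolver_endpoint.outbound.id
  target_ip { ip = "192.168.10.53" }
  target_ip { ip = "192.168.11.53" }
}
resource "aws_route53_resolver_rule_association" "corp" {
  resolver_rule_id = aws_route53_resolver_rule.corp.id
  vpc_id           = var.vpc_id
}
```

Adding a second `ip_address` block in a third availability zone, or a second `target_ip`, stays within the six-address and rule limits quoted above while improving failover for forwarded queries.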

Using Route 53 for Global Traffic Management

DNS can be used in high-availability architectures for your AWS deployment. Multiregional failover can be achieved with the proper Route 53 configuration, which detects a failure and reroutes traffic to an operational region or availability zone. To keep your applications available through natural disasters or planned outages at the regional or availability zone level, and to enable cross-region replication, the advanced features of Route 53 can help you maintain your uptime metrics.