In today's budget-conscious world, finding ways to reduce costs in your AWS Landing Zone is more important than ever. Here, I'll share some practical tips on how to efficiently direct on-premise DNS queries using AWS Route 53, helping you save money.
In this guide, we'll explore how to use outbound endpoints and rules from the Route 53 resolver to effectively manage traffic from all your AWS accounts to your private (on-premise) managed domains, all while keeping expenses low.
In a hybrid DNS setup, you need to query your private (on-premise) DNS servers to get the IP addresses for your private domains. AWS offers a way to set up a Route 53 resolver outbound endpoint along with DNS forwarding rules for each of your private domains.
The outbound endpoint is part of the Route 53 DNS resolver that creates network interfaces inside your VPC. These interfaces help forward queries to your on-premise DNS based on the rules you set.
A Route 53 resolver rule allows you to specify the IP addresses of your on-premise DNS servers, which will respond with the IPs of your private domains.
While this setup might seem straightforward, its cost implications are often overlooked. In the console, the sharing status shown in the rule details (top-right of the rule page) reads "Not shared" by default.
Imagine most of your AWS accounts in the landing zone need access to the same private domains. Creating a separate resolver rule in each account, which means a separate outbound endpoint with its own network interfaces in each account, could lead to a hefty bill.
Here's a cost-saving trick: use the Resource Access Manager service. Create a resource share by selecting the Route 53 Resolver Rules type and add your AWS account IDs in the Shared Principals configuration. This way, all AWS accounts listed can use the same Route 53 rule for your on-premise domain, and you'll only have charges for the network interfaces created in your central account.
The final step is to log into the AWS accounts you added in the Shared Principals configuration, go to Route 53 resolver rules, select the shared rule and attach it to your local VPC.
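The whole procedure above (outbound endpoint, forwarding rule, RAM share, and the association in a member account) expressed in Terraform, as an added example that is not code from this article. Every VPC ID, subnet ID, account ID, role name, CIDR and domain name is a placeholder; the member-account association runs under a second provider that assumes a role into that account (an assumption about how your landing zone grants cross-account access).

```hcl
# Added example (not from the original article). All IDs, addresses and
# domain names are placeholders; replace them with your own values.

# ---- Central (shared-services) account ---------------------------------
provider "aws" {
  region = "eu-west-1"
}

# Member account: the rule association must be created *in* that account,
# here through an assumed role (placeholder role name).
provider "aws" {
  alias  = "member"
  region = "eu-west-1"
  assume_role {
    role_arn = "arn:aws:iam::222222222222:role/OrganizationAccountAccessRole"
  }
}

variable "onprem_dns" {
  default = ["10.10.0.53", "10.10.1.53"] # placeholder on-premise resolvers
}

# Security group for the outbound endpoint ENIs. The resolver initiates all
# traffic, so egress is limited to DNS towards the on-premise resolvers only.
resource "aws_security_group" "resolver_out" {
  name   = "r53-resolver-outbound"
  vpc_id = "vpc-0central00000000" # placeholder central VPC

  dynamic "egress" {
    for_each = toset(["tcp", "udp"])
    content {
      from_port   = 53
      to_port     = 53
      protocol    = egress.value
      cidr_blocks = [for ip in var.onprem_dns : "${ip}/32"]
    }
  }
}

# One outbound endpoint for the whole landing zone. Route 53 requires at
# least two IP addresses (two ENIs, ideally in different AZs); these ENIs
# are the per-hour charge and exist only in this account.
resource "aws_route53_resolver_endpoint" "outbound" {
  name               = "central-outbound"
  direction          = "OUTBOUND"
  security_group_ids = [aws_security_group.resolver_out.id]

  ip_address { subnet_id = "subnet-0aaaa00000000000" } # placeholder, AZ a
  ip_address { subnet_id = "subnet-0bbbb00000000000" } # placeholder, AZ b
}

# Forwarding rule for one private domain: queries for corp.example (and its
# subdomains) are sent to the on-premise resolvers through the endpoint above.
resource "aws_route53_resolver_rule" "corp" {
  domain_name          = "corp.example"
  name                 = "forward-corp-example"
  rule_type            = "FORWARD"
  resolver_endpoint_id = aws_route53_resolver_endpoint.outbound.id

  dynamic "target_ip" {
    for_each = var.onprem_dns
    content {
      ip   = target_ip.value
      port = 53
    }
  }
}

# Share the rule (not the endpoint) with the member accounts via RAM.
resource "aws_ram_resource_share" "resolver_rules" {
  name                      = "r53-resolver-rules"
  allow_external_principals = false # only principals inside the Organization
}

resource "aws_ram_resource_association" "corp" {
  resource_arn       = aws_route53_resolver_rule.corp.arn
  resource_share_arn = aws_ram_resource_share.resolver_rules.arn
}

resource "aws_ram_principal_association" "member" {
  for_each           = toset(["222222222222", "333333333333"]) # placeholder account IDs
  principal          = each.value
  resource_share_arn = aws_ram_resource_share.resolver_rules.arn
}

# ---- Member account ------------------------------------------------------
# Attach the shared rule to the member account's VPC. The rule keeps the same
# ID in every account it is shared with; no endpoint or ENI is created here.
resource "aws_route53_resolver_rule_association" "corp_member" {
  provider         = aws.member
  resolver_rule_id = aws_route53_resolver_rule.corp.id
  vpc_id           = "vpc-0member000000000" # placeholder member VPC
  depends_on       = [aws_ram_principal_association.member]
}
```

Two things to check before applying this: the central VPC must already have a route to the on-premise resolvers (VPN or Direct Connect), because the endpoint's network interfaces are where the forwarded queries leave AWS; and if the member accounts are not in the same AWS Organization with RAM sharing enabled, each account has to accept the RAM invitation before the rule association will succeed. The restrictive security group is deliberate: the endpoint only ever needs to reach port 53 on the resolvers you listed, so anything wider is unnecessary exposure.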
What strategies do you use to keep costs down in your AWS Landing Zone?
In another article, I discuss how to avoid inbound endpoints from the Route 53 resolver and forward traffic from your on-premise DNS to your Route 53 private hosted zones at no cost.