In this article, we explore a clever way to bypass Route 53 Resolver inbound endpoints, offering a cost-effective way to forward queries from your on-premises DNS to your Route 53 private hosted zones.
Before the release of AWS Verified Access, the norm was to keep resources private unless public access was absolutely necessary. Since AWS Verified Access has not yet become an industry standard, let's focus on a VPN or intranet scenario in which you need access to private domains within your VPC.
In a hybrid DNS setup, AWS lets you configure a Route 53 Resolver inbound endpoint and create a forwarding rule on your on-premises DNS server for each private domain.
The inbound endpoint is a Route 53 Resolver configuration that creates the necessary elastic network interfaces in your VPC so that queries from your on-premises DNS can be forwarded into your AWS account.
To forward queries to your VPC, you need a forwarding rule on your on-premises DNS server for the specific domain, pointing at the IP addresses of the Route 53 inbound endpoint. Setting up inbound endpoints in every AWS account of a large organization can become costly.
Here's a cost-saving trick: point the on-premises DNS forwarding rule at the VPC resolver IP, which is the base address of your VPC CIDR plus two (the address ending in .2). For example, if your VPC CIDR is 172.10.10.0/24, the VPC resolver IP would be 172.10.10.2.
Whenever you need to access a private domain hosted in a Route 53 private hosted zone, simply create a forwarding rule for that domain on your on-premises DNS, directing it to the VPC resolver IP (the .2 address).
This approach avoids having Route 53 create network interfaces for each inbound endpoint, which reduces costs.
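As an added verification step (example code, not from the original article), this Python script derives the .2 resolver address from a VPC CIDR and sends one minimal raw UDP DNS query with a timeout, so you can run it from the on-premises DNS host against both the .2 address and an inbound endpoint IP before committing the forwarding rules; a timeout means that resolver is not reachable over your VPN or Direct Connect path and the rule must keep pointing at the inbound endpoint. The domain name and response bytes used in testing are constructed samples.

```python
import ipaddress
import socket
import struct

def vpc_resolver_ip(vpc_cidr: str) -> str:
    """Route 53 Resolver listens at the VPC base address plus two (the .2 address)."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    return str(net.network_address + 2)

def build_query(name: str) -> bytes:
    """Minimal DNS A query (id 0x1234, recursion desired) for `name`."""
    header = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_answer(resp: bytes):
    """Return (rcode, [A records]) from a response, handling name compression pointers."""
    _id, flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])

    def skip_name(off: int) -> int:
        while True:
            length = resp[off]
            if length == 0:
                return off + 1
            if length & 0xC0 == 0xC0:  # compression pointer occupies two bytes
                return off + 2
            off += length + 1

    off = 12
    for _ in range(qd):
        off = skip_name(off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return flags & 0x0F, addrs

def check_resolver(server: str, name: str, timeout: float = 2.0):
    """Query `server` once; None means no reply within `timeout` (resolver unreachable)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_answer(data)
```

Call `check_resolver(vpc_resolver_ip("172.10.10.0/24"), "app.corp.internal")` and then the same name against an inbound endpoint IP; compare the two results from the on-premises DNS host.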
What strategies do you use to keep costs down in your AWS Landing Zone?
In a previous article, I discussed how to use outbound endpoints and rules from the Route 53 resolver to efficiently direct traffic from all AWS accounts to private managed domains, keeping expenses low.