DEV Community

Lucian Patian for AWS Community Builders


Smart DNS Forwarding: Cost-Effective Strategies for Your AWS Landing Zone

In this article, we look at a way to avoid deploying Route 53 Resolver inbound endpoints, giving you a cost-effective way to forward queries from your on-premises DNS to your Route 53 private hosted zones.

Before the release of AWS Verified Access, the norm was to keep resources private unless public access was absolutely necessary. Since AWS Verified Access hasn't become an industry standard yet, let's focus on a scenario involving a VPN or intranet setup, where you need to resolve private domains hosted within your VPC.

In a hybrid DNS setup, AWS lets you configure a Route 53 Resolver inbound endpoint and then create a conditional forwarding rule on your on-premises DNS server for each private domain.

The inbound endpoint is a Route 53 Resolver configuration that creates elastic network interfaces in your VPC; your on-premises DNS forwards queries to those interface IPs, and the Resolver answers them from your AWS account.


To send queries for a specific domain to your VPC, you need a forwarding rule on your on-premises DNS server that points at the IP addresses of the Route 53 inbound endpoint. In a large organization, setting up an inbound endpoint in every AWS account quickly becomes costly.

Here's a cost-saving trick: point the on-premises DNS forwarding rule at the VPC resolver IP instead, which is the base address of your VPC CIDR plus 2 (the address ending in .2). For example, if your VPC CIDR is 172.10.10.0/24, the VPC resolver IP would be 172.10.10.2.

Whenever you need to resolve a private domain configured in a Route 53 hosted zone, simply create a forwarding rule for that domain on your on-premises DNS, directing it to the VPC resolver IP ending in .2.

This approach avoids having Route 53 create network interfaces for an inbound endpoint in each VPC, which reduces costs.
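As an added example (not code from the original post), the helper below derives the VPC resolver address from a VPC CIDR the way the article describes (base address plus 2), rejects CIDRs that cannot be a VPC, and renders the matching conditional-forwarder rule for a few common on-premises DNS servers. The domain names and the BIND, dnsmasq and Windows DNS output formats are assumptions for illustration, not part of the article.

```python
import ipaddress
from typing import Iterable

# AWS allows VPC IPv4 CIDR blocks between /16 and /28 (assumption documented here, not in the article).
MIN_PREFIX, MAX_PREFIX = 16, 28


def route53_resolver_ip(vpc_cidr: str) -> str:
    """Return the Amazon-provided DNS resolver address for a VPC.

    AWS reserves the first address of the block for the network, +1 for the
    VPC router and +2 for the Route 53 Resolver, so 172.10.10.0/24 -> 172.10.10.2.
    """
    net = ipaddress.ip_network(vpc_cidr, strict=True)  # rejects a CIDR with host bits set
    if net.version != 4:
        raise ValueError("the resolver address is derived from the IPv4 CIDR")
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"{vpc_cidr}: AWS VPC CIDRs must be between /16 and /28")
    return str(net.network_address + 2)


def forwarder_config(domains: Iterable[str], vpc_cidr: str, flavor: str = "bind") -> str:
    """Render conditional-forwarder rules sending each private zone to the VPC resolver.

    flavor: "bind" (named.conf zone stanzas), "dnsmasq" (server= lines) or
    "windows" (Windows Server DNS, PowerShell cmdlet). The on-premises server
    must be able to route to the VPC resolver over the VPN or Direct Connect link.
    """
    resolver = route53_resolver_ip(vpc_cidr)
    lines = []
    for domain in domains:
        name = domain.strip().rstrip(".").lower()  # normalise "App.Internal." -> "app.internal"
        if not name:
            raise ValueError("empty domain name")
        if flavor == "bind":
            lines.append(
                f'zone "{name}" {{\n    type forward;\n    forward only;\n'
                f"    forwarders {{ {resolver}; }};\n}};"
            )
        elif flavor == "dnsmasq":
            lines.append(f"server=/{name}/{resolver}")
        elif flavor == "windows":
            lines.append(f'Add-DnsServerConditionalForwarderZone -Name "{name}" -MasterServers {resolver}')
        else:
            raise ValueError(f"unknown flavor {flavor!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: the article's VPC CIDR and two hypothetical private zones.
    print(forwarder_config(["app.internal", "db.internal."], "172.10.10.0/24"))
```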

What strategies do you use to keep costs down in your AWS Landing Zone?

In a previous article, I discussed how to use Route 53 Resolver outbound endpoints and rules to efficiently direct queries from all AWS accounts to privately managed domains, keeping expenses low.
