Lucian Patian for AWS Community Builders

Smart DNS Forwarding: Cost-Effective Strategies for Your AWS Landing Zone

In this article, we explore a clever way to bypass Route 53 Resolver inbound endpoints, offering a cost-effective way to direct queries from your on-premise DNS to the private hosted zones (zone files) in your Route 53 account.

Before the release of AWS Verified Access, the norm was to keep resources private unless public access was absolutely necessary. Since AWS Verified Access hasn't become an industry standard yet, let's focus on a scenario involving a VPN or intranet setup, where you need access to private domains within your VPC.

In a hybrid DNS setup, AWS allows you to configure a Route 53 resolver inbound endpoint and create forwarding rules on your on-premise DNS server for each private domain.

The inbound endpoint is a configuration within the Route 53 Resolver that creates the necessary network interfaces in your VPC so that your on-premise DNS server has IP addresses to forward queries to inside your AWS account.


To route queries to your VPC, you'll need a forwarding rule on your on-premise DNS server for each specific domain, using the IPs of the Route 53 inbound endpoint's network interfaces as the forwarders. Setting up inbound endpoints in each AWS account of a large organization can become costly.

Here's a cost-saving trick: point the on-premise DNS forwarding rule at the VPC resolver IP instead. The VPC resolver (the Amazon-provided DNS) listens at the VPC's base network address plus two, which is the address in your VPC CIDR ending in .2. For example, if your VPC CIDR is 172.10.10.0/24, the VPC resolver IP would be 172.10.10.2.

Whenever you need to access a private domain configured in a Route 53 private hosted zone, simply create a forwarding rule for that domain on your on-premise DNS, directing it to the VPC resolver IP ending in .2.
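As an added example (not code from the original article), the script below turns the procedure above into a small helper: it derives the VPC resolver address from any VPC CIDR (network address plus two, so it also handles CIDRs that do not end in .0), renders the matching conditional-forwarder configuration for a BIND server and for a Windows DNS server, and gives you a `dig`-based check to confirm from an on-premise host that the address actually answers for the private domain before you rely on it. The CIDRs and the domain name `corp.internal` are constructed sample values; `check_resolution` needs `dig` installed and network reachability, so it is only run from the `__main__` block.

```python
"""Helper for forwarding private-domain queries to a VPC's Route 53 Resolver.

Added example, not part of the original article. CIDRs and domain names
below are constructed sample values.
"""
import ipaddress
import shutil
import subprocess


def vpc_resolver_ip(cidr: str) -> str:
    """Return the Amazon-provided DNS (Route 53 Resolver) address for a VPC.

    The resolver sits at the VPC's base network address plus two, so
    172.10.10.0/24 gives 172.10.10.2 and 10.1.128.0/20 gives 10.1.128.2.
    A host address inside the CIDR is normalised to the network first.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("the .2 resolver address is defined for IPv4 VPC CIDRs")
    # AWS only allows VPC CIDR blocks between /16 and /28.
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: VPC CIDR blocks must be between /16 and /28")
    return str(net.network_address + 2)


def bind_forward_zone(domain: str, forwarder_ips) -> str:
    """Render a BIND named.conf stanza that forwards one private domain."""
    ips = "; ".join(forwarder_ips) + ";"
    return (
        f'zone "{domain}" {{\n'
        f"    type forward;\n"
        f"    forward only;\n"
        f"    forwarders {{ {ips} }};\n"
        f"}};\n"
    )


def windows_forwarder_cmd(domain: str, forwarder_ips) -> str:
    """Render the equivalent Windows DNS Server PowerShell command."""
    return (
        f'Add-DnsServerConditionalForwarderZone -Name "{domain}" '
        f"-MasterServers {','.join(forwarder_ips)}"
    )


def forwarding_plan(vpcs: dict) -> str:
    """Build BIND stanzas for every private domain hosted behind each VPC.

    `vpcs` maps a VPC label to (cidr, [private domains served from it]).
    """
    stanzas = []
    for label, (cidr, domains) in vpcs.items():
        resolver = vpc_resolver_ip(cidr)
        stanzas.append(f"// {label}: VPC resolver {resolver}\n")
        for domain in domains:
            stanzas.append(bind_forward_zone(domain, [resolver]))
    return "".join(stanzas)


def check_resolution(name: str, resolver_ip: str, timeout: int = 3) -> bool:
    """Return True if `dig` on this host gets a non-empty A answer from resolver_ip.

    Run this from the on-premise DNS server itself: an empty result means the
    forwarding path to that resolver address does not work from where you are.
    """
    dig = shutil.which("dig")
    if dig is None:
        raise RuntimeError("dig is not installed on this host")
    cmd = [dig, f"@{resolver_ip}", name, "A", "+short",
           f"+time={timeout}", "+tries=1"]
    result = subprocess.run(cmd, capture_output=True, text=True)
    return result.returncode == 0 and result.stdout.strip() != ""


if __name__ == "__main__":
    # Constructed sample landing-zone layout.
    sample = {
        "shared-services": ("172.10.10.0/24", ["corp.internal"]),
        "workloads-prod": ("10.1.128.0/20", ["prod.internal", "db.internal"]),
    }
    print(forwarding_plan(sample))
    print(windows_forwarder_cmd("corp.internal", [vpc_resolver_ip("172.10.10.0/24")]))
    print("resolves:", check_resolution("app.corp.internal", vpc_resolver_ip("172.10.10.0/24")))
```

The `/16` to `/28` bound mirrors the VPC CIDR sizes AWS accepts, so a typo such as a `/29` is caught before it produces a forwarder that can never answer.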

This approach eliminates the need for Route 53 to create network interfaces for an inbound endpoint in each account, reducing costs.

What strategies do you use to keep costs down in your AWS Landing Zone?

In a previous article, I discussed how to use outbound endpoints and rules from the Route 53 resolver to efficiently direct traffic from all AWS accounts to private managed domains, keeping expenses low.
