DEV Community

Wakeup Flower

Route 53 Resolver outbound endpoint

🔹 What an outbound endpoint does

A Route 53 Resolver outbound endpoint allows DNS queries that originate inside your VPC (for example, from EC2 instances or AWS services) to be forwarded to external DNS servers — typically, on-premises DNS resolvers — through a VPN or AWS Direct Connect.


🔹 When to use an outbound endpoint

You use it whenever your workloads in AWS need to resolve private DNS names hosted outside AWS, such as:

  • On-premises Active Directory domains
    ◦ e.g., AWS EC2 instances need to resolve server1.corp.local.
  • Hybrid environments where part of your application runs in AWS and part on-prem, and they share internal DNS zones.
  • Multi-VPC or multi-region setups where one environment needs to query DNS zones owned by another that isn’t accessible directly via Route 53 Private Hosted Zones.
  • Custom DNS servers running in another network (for example, a security appliance or custom name-resolution logic).


🔹 Typical architecture

  1. Your AWS VPC has resources (like EC2 instances or ECS tasks).
  2. Those resources need to resolve names that live on-premises.
  3. You create a Route 53 Resolver outbound endpoint in the VPC (requires two or more ENIs in different subnets for high availability).
  4. You create a resolver rule, e.g.:
     • Domain: corp.local
     • Forwarding target: 10.0.1.10 (on-prem DNS server)
  5. Associate that rule with the VPC.
  6. DNS queries for corp.local are automatically forwarded securely over the VPN/Direct Connect link to the on-prem resolver.
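As an added example (not part of the original post), here is the architecture above expressed in Terraform: an outbound endpoint with one ENI per subnet, a security group whose egress is restricted to DNS traffic towards the on-prem resolver, the corp.local forwarding rule, and its association with the VPC. The VPC and subnet IDs are placeholders; 10.0.1.10 is the forwarding target used in the post.

```hcl
# Placeholder IDs (assumed): replace with your own VPC and two subnets in different AZs.
variable "vpc_id"     { default = "vpc-0123456789abcdef0" }
variable "subnet_ids" { default = ["subnet-0aaaaaaaaaaaaaaaa", "subnet-0bbbbbbbbbbbbbbbb"] }
variable "onprem_dns" { default = "10.0.1.10" } # on-prem DNS server from the post

# Least-privilege security group for the endpoint ENIs: only DNS (UDP/TCP 53)
# to the on-prem resolver is allowed out; no other egress.
resource "aws_security_group" "resolver_outbound" {
  name   = "r53-resolver-outbound"
  vpc_id = var.vpc_id

  egress {
    from_port   = 53
    to_port     = 53
    protocol    = "udp"
    cidr_blocks = ["${var.onprem_dns}/32"]
  }
  egress {
    from_port   = 53
    to_port     = 53
    protocol    = "tcp"
    cidr_blocks = ["${var.onprem_dns}/32"]
  }
}

# Outbound endpoint: one ENI in each listed subnet for high availability.
resource "aws_route53_resolver_endpoint" "outbound" {
  name               = "corp-outbound"
  direction          = "OUTBOUND"
  security_group_ids = [aws_security_group.resolver_outbound.id]

  dynamic "ip_address" {
    for_each = toset(var.subnet_ids)
    content {
      subnet_id = ip_address.value
    }
  }
}

# Forwarding rule: queries for corp.local go to the on-prem DNS server via the endpoint.
resource "aws_route53_resolver_rule" "corp_local" {
  domain_name          = "corp.local"
  rule_type            = "FORWARD"
  resolver_endpoint_id = aws_route53_resolver_endpoint.outbound.id

  target_ip {
    ip = var.onprem_dns
  }
}

# Associating the rule with the VPC is what actually turns forwarding on for it.
resource "aws_route53_resolver_rule_association" "corp_local" {
  resolver_rule_id = aws_route53_resolver_rule.corp_local.id
  vpc_id           = var.vpc_id
}
```

Once applied, `dig server1.corp.local` from an instance in the VPC should be answered by the on-prem resolver; the security group keeps the endpoint ENIs from being used for any traffic other than DNS to that one address.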

🔹 When not to use it

You don’t need an outbound endpoint if:

  • All your private zones are hosted in Route 53 Private Hosted Zones and don’t depend on on-prem DNS.
  • You only need on-prem → AWS resolution (then you’d use an inbound endpoint instead).
  • You’re using a centralized DNS design where one VPC acts as the shared resolver for others (those VPCs can use Resolver rules and peering instead).

🔹 Summary Table

| Use case | Resolver type | Direction | Example |
|---|---|---|---|
| AWS needs to resolve on-prem/private DNS | Outbound endpoint | AWS → on-prem | ec2 → server.corp.local |
| On-prem needs to resolve AWS private DNS | Inbound endpoint | On-prem → AWS | onprem → app.internal.aws |

✅ In short:
Use a Route 53 Resolver outbound endpoint whenever AWS resources need to resolve DNS names that live outside of AWS (e.g., on-prem or external private zones) securely and automatically.
