Resolving DNS for Hybrid Cloud using Route 53 Resolver via terraform
Route 53 Resolver is an AWS service for enterprises that want to keep using an existing DNS configuration in a hybrid network, bridging the data center and the public cloud.
At a high level, Route 53 Resolver:
- is a managed DNS resolver service from Route 53
- lets you create conditional forwarding rules to redirect query traffic for chosen domains
- enables hybrid DNS connectivity over AWS Direct Connect and managed VPN
Now we will create Route 53 Resolver inbound and outbound endpoints, create a forwarding rule, and then share that rule with target VPCs across multiple AWS accounts.
[Note: All the VPCs used here belong to a multi-account architecture and are connected via Transit Gateway, and all the subnets used here have routes to the on-prem infrastructure over Direct Connect.]
The following diagram shows the path of a DNS query from a DNS resolver on your network to Route 53 Resolver.
The following diagram shows the path of a DNS query from an EC2 instance in one of your VPCs to a DNS resolver on your network.
To know more about how the DNS queries are resolved, you can visit the following documentation: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html
Step 1: Create Inbound Endpoint
resource "aws_route53_resolver_endpoint" "inbound" {
  name      = var.r53_inbound
  direction = "INBOUND"
  # The security group must allow UDP and TCP 53 from the on-prem resolvers
  security_group_ids = [aws_security_group.app.id]
  # One IP per subnet, in two AZs for resiliency; on-prem DNS servers
  # forward queries for your private zones to these addresses
  ip_address {
    subnet_id = aws_subnet.app-1a.id
  }
  ip_address {
    subnet_id = aws_subnet.app-1b.id
  }
}
Step 2: Create Outbound Endpoint
resource "aws_route53_resolver_endpoint" "outbound" {
  name      = var.r53_outbound
  direction = "OUTBOUND"
  # The security group must allow egress on UDP and TCP 53 to the on-prem DNS IPs
  security_group_ids = [aws_security_group.app.id]
  # Queries matching a forwarding rule leave the VPC from these addresses
  ip_address {
    subnet_id = aws_subnet.app-1a.id
  }
  ip_address {
    subnet_id = aws_subnet.app-1b.id
  }
}
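Both endpoints above reuse the application security group, aws_security_group.app, which is wider than the endpoints need. The following is an added example (not code from the original post) of a dedicated security group that permits only DNS: ingress on UDP/TCP 53 from the on-prem resolver ranges for the inbound endpoint, and egress on UDP/TCP 53 only to the on-prem DNS servers for the outbound endpoint. The variables onprem_dns_cidrs and onprem_dns_ips are assumptions introduced here; the second should hold the same addresses you put in the forwarding rule's target_ip blocks.

```hcl
# Added example, not part of the original post. Assumed inputs:
#   var.onprem_dns_cidrs - CIDRs of the on-prem resolvers that forward to the inbound endpoint
#   var.onprem_dns_ips   - on-prem DNS server IPs used as target_ip in the outbound rule
variable "onprem_dns_cidrs" {
  type = list(string)
}

variable "onprem_dns_ips" {
  type = list(string)
}

resource "aws_security_group" "resolver" {
  name        = "route53-resolver-endpoints"
  description = "DNS (UDP/TCP 53) to and from on-prem resolvers only"
  vpc_id      = aws_vpc.main.id
}

# Inbound endpoint: accept queries only from the on-prem resolver ranges.
# Route 53 Resolver endpoints serve both UDP and TCP on port 53.
resource "aws_security_group_rule" "resolver_ingress" {
  for_each          = toset(["udp", "tcp"])
  type              = "ingress"
  security_group_id = aws_security_group.resolver.id
  protocol          = each.key
  from_port         = 53
  to_port           = 53
  cidr_blocks       = var.onprem_dns_cidrs
}

# Outbound endpoint: forward only to the on-prem DNS servers named in the rule.
# Because egress is managed with explicit rule resources, the default
# allow-all egress rule is not present on this group.
resource "aws_security_group_rule" "resolver_egress" {
  for_each          = toset(["udp", "tcp"])
  type              = "egress"
  security_group_id = aws_security_group.resolver.id
  protocol          = each.key
  from_port         = 53
  to_port           = 53
  cidr_blocks       = [for ip in var.onprem_dns_ips : "${ip}/32"]
}
```

To use it, set security_group_ids = [aws_security_group.resolver.id] on both endpoint resources. One group is shared by both endpoints here to mirror the post; if you want the inbound endpoint to have no egress rule at all and the outbound endpoint no ingress rule, split it into two groups along the same lines.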
Step 3: Create a resolver forward rule
resource "aws_route53_resolver_rule" "fwd" {
  domain_name = "abc.com" # Add your domain name here; queries for this domain and its subdomains are forwarded
  name        = var.r53_rule
  rule_type   = "FORWARD"
  # Forwarded queries leave through the outbound endpoint created above
  resolver_endpoint_id = aws_route53_resolver_endpoint.outbound.id
  target_ip {
    ip = "1.2.3.4" # Add the on-prem DNS IP here
  }
  target_ip {
    ip = "5.6.7.8" # Add the second on-prem DNS IP here
  }
}
Step 4: Rule association
resource "aws_route53_resolver_rule_association" "vpc" {
  resolver_rule_id = aws_route53_resolver_rule.fwd.id
  vpc_id           = aws_vpc.main.id
}
Now that we have set up the inbound/outbound endpoints and associated a forwarding rule with the outbound endpoint, this rule can be shared with VPCs in different accounts using Resource Access Manager (RAM).
Let's see how to do that.
Sharing the Route 53 Resolver rule with VPCs in different accounts:
Step 1: Create resource share
resource "aws_ram_resource_share" "route53rslvr" {
  name = var.ram_vpc
}
Step 2: Route 53 resolver rule association with RAM
resource "aws_ram_resource_association" "route53rslvr" {
  resource_arn       = aws_route53_resolver_rule.fwd.arn
  resource_share_arn = aws_ram_resource_share.route53rslvr.arn
}
Step 3: Send share invite to target accounts
resource "aws_ram_principal_association" "prod-vpcs" {
  # One principal association per target account ID
  count              = length(var.prod-acct-ids)
  principal          = element(var.prod-acct-ids, count.index)
  resource_share_arn = aws_ram_resource_share.route53rslvr.arn
}
Now the share invitation is sent to the target AWS accounts.
Next, in each target account, we need to accept the RAM invitation and associate the shared Route 53 Resolver rule with the target VPC.
Step 4: Route 53 Resolver rule association to VPC
Run the following code in the target AWS account:
resource "aws_route53_resolver_rule_association" "vpc" {
  # The rule lives in the sharing account, so reference its ID (rslvr-rr-...)
  # rather than a resource in this account's state
  resolver_rule_id = var.shared_resolver_rule_id # rule id here
  vpc_id           = aws_vpc.main.id
}
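The text says the invitation must be accepted before the association, but the snippet shows only the association. The following is an added example (not code from the original post) for the target account that accepts the share, looks up the shared rule by its domain instead of hard-coding an ID, and orders the association after the acceptance. It assumes a variable share_arn carrying the resource share ARN from the owning account; the domain "abc.com" is the one used in the rule above. If both accounts are in the same AWS Organization with RAM sharing enabled, the share is accepted automatically and the accepter resource is a no-op.

```hcl
# Added example, not part of the original post. Assumes var.share_arn holds the
# ARN of aws_ram_resource_share.route53rslvr from the sharing account.
variable "share_arn" {
  type = string
}

# Accept the RAM invitation in this (target) account
resource "aws_ram_resource_share_accepter" "route53rslvr" {
  share_arn = var.share_arn
}

# Find the shared FORWARD rule for abc.com; it only becomes visible
# once the share has been accepted, hence the depends_on
data "aws_route53_resolver_rule" "shared" {
  domain_name = "abc.com"
  rule_type   = "FORWARD"

  depends_on = [aws_ram_resource_share_accepter.route53rslvr]
}

# Associate the shared rule with this account's VPC
resource "aws_route53_resolver_rule_association" "vpc" {
  resolver_rule_id = data.aws_route53_resolver_rule.shared.id
  vpc_id           = aws_vpc.main.id
}
```

Looking the rule up by domain_name and rule_type avoids copying rule IDs between accounts by hand, and the association will fail loudly at plan time if the share has not reached this account.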
We have learnt how to create inbound and outbound endpoints and how to share rules across multiple accounts. This enables resources in the VPCs to resolve on-prem DNS names and vice versa.
Note that for the inbound direction, the names that on-prem resolvers will query must exist in a Route 53 private hosted zone associated with the VPC; the inbound endpoint can only answer what the VPC's resolver can see.
Let's see how we can test the outbound connection:
- SSH into one of the Linux EC2 instances in the VPC.
- Run the following command (format: dig "record name" "record type"):
dig abc.com A
Verify that the DNS record resolves to the correct on-prem IP address in the ANSWER SECTION. The SERVER line at the end of the dig output should show the VPC's Amazon-provided resolver (the VPC CIDR base address +2), which confirms the query went through the forwarding rule rather than directly to the on-prem server.