Lab: Implementing Hybrid and Multi-Account DNS with Route 53 Resolver
Implement complex hybrid and multi-account DNS architectures
This lab guides you through the process of building a complex DNS architecture. You will configure a Centralized DNS Hub that manages resolution for multiple VPCs and simulates a hybrid connection using Route 53 Resolver Endpoints and AWS Resource Access Manager (RAM).
Prerequisites
- AWS Account: An active AWS account with permissions to manage Route 53, VPC, and RAM.
- AWS CLI: Configured with the latest version.
- Region: We will use us-east-1 (N. Virginia) for this lab.
- Key Pairs: An existing EC2 Key Pair for testing connectivity.
Learning Objectives
- Provision Route 53 Private Hosted Zones (PHZ) and associate them across multiple accounts/VPCs.
- Configure AWS RAM to share DNS resources across account boundaries.
- Implement Route 53 Resolver Inbound and Outbound endpoints for hybrid DNS resolution.
- Validate DNS resolution between isolated network segments.
Architecture Overview
[!NOTE] In this architecture, the Hub VPC acts as the DNS service provider, while the Spoke VPC acts as the consumer.
Step-by-Step Instructions
Step 1: Create the Network Foundation
You need two VPCs: one for the "Hub" and one for the "Spoke."
CLI Instructions:

```bash
# Create Hub VPC
aws ec2 create-vpc --cidr-block 10.10.0.0/16 --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=brainybee-hub-vpc}]'
# Create Spoke VPC
aws ec2 create-vpc --cidr-block 10.20.0.0/16 --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=brainybee-spoke-vpc}]'
```

Console alternative:
- Navigate to VPC Console > Your VPCs.
- Click Create VPC.
- Name: brainybee-hub-vpc, CIDR: 10.10.0.0/16.
- Repeat for brainybee-spoke-vpc with CIDR 10.20.0.0/16.
Step 2: Create and Share a Private Hosted Zone (PHZ)
Create a zone for corp.internal and share it with the Spoke VPC.
CLI Instructions:

```bash
# Create PHZ and associate with Hub VPC
aws route53 create-hosted-zone --name corp.internal --vpc VPCRegion=us-east-1,VPCId=<HUB_VPC_ID> --caller-reference $(date +%s) --hosted-zone-config PrivateZone=true
```

[!IMPORTANT] To share this zone across accounts, you must use AWS Resource Access Manager (RAM) or the Route 53 associate-vpc-with-hosted-zone command with cross-account authorization.
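The cross-account authorization the note above refers to is a three-step handshake: the zone owner authorizes one specific VPC, the VPC owner performs the association, and the zone owner then removes the authorization so it cannot be reused. The following is an added example, not part of the lab material: it uses the real boto3 Route 53 method names but takes the two clients as parameters, so it can be exercised offline with the recording stand-in defined in the block. In real use you would pass `boto3.client("route53")` objects created with hub-account and spoke-account credentials; the zone and VPC IDs are constructed placeholders.

```python
"""Cross-account private hosted zone association (added example)."""


def associate_spoke_vpc(hub_r53, spoke_r53, zone_id, spoke_vpc_id, region):
    """Associate a spoke-account VPC with a hub-account private hosted zone.

    hub_r53   - Route 53 client authenticated in the zone-owning (hub) account
    spoke_r53 - Route 53 client authenticated in the VPC-owning (spoke) account
    Returns the change status reported by the association call.
    """
    vpc = {"VPCRegion": region, "VPCId": spoke_vpc_id}

    # 1. Hub account: authorize exactly this VPC. There is no wildcard form,
    #    so the grant is scoped to one VPC in one region (least privilege).
    hub_r53.create_vpc_association_authorization(HostedZoneId=zone_id, VPC=vpc)

    # 2. Spoke account: the VPC owner performs the association.
    resp = spoke_r53.associate_vpc_with_hosted_zone(
        HostedZoneId=zone_id, VPC=vpc, Comment="lab: spoke VPC association"
    )

    # 3. Hub account: the authorization has done its job; revoke it so a
    #    leaked spoke credential cannot re-associate later.
    hub_r53.delete_vpc_association_authorization(HostedZoneId=zone_id, VPC=vpc)

    return resp["ChangeInfo"]["Status"]


class RecordingRoute53:
    """Constructed stand-in for a boto3 Route 53 client.

    It records every call into a shared log (account label, method, kwargs)
    and answers with the minimal response shape the code above reads.
    """

    def __init__(self, label, log):
        self.label = label
        self.log = log

    def __getattr__(self, method_name):
        def call(**kwargs):
            self.log.append((self.label, method_name, kwargs))
            return {"ChangeInfo": {"Status": "PENDING"}}
        return call


def demo():
    """Run the handshake against the stand-ins and return (status, call sequence)."""
    log = []
    hub = RecordingRoute53("hub", log)
    spoke = RecordingRoute53("spoke", log)
    status = associate_spoke_vpc(hub, spoke, "Z0000000EXAMPLE", "vpc-0spokeexample", "us-east-1")
    return status, [(account, method) for account, method, _ in log]


if __name__ == "__main__":
    print(demo())
```

The order of calls is the point: if step 3 is skipped, the authorization stays valid for that VPC until it is deleted explicitly, which is worth checking with `list-vpc-association-authorizations` on zones you own.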
Step 3: Configure Resolver Endpoints
To allow external or on-premises networks to resolve names in AWS, we create an Inbound Endpoint.
CLI Instructions:

```bash
# Create Inbound Endpoint (requires at least 2 IP addresses in different AZs)
aws route53resolver create-resolver-endpoint --name hub-inbound --direction INBOUND --security-group-ids <SG_ID> --ip-addresses SubnetId=<SUBNET_A_ID> SubnetId=<SUBNET_B_ID>
```

Console alternative:
- Go to Route 53 > Resolver > Inbound endpoints.
- Click Create inbound endpoint.
- Select Hub VPC and two subnets in different Availability Zones.
- Attach a security group allowing UDP/TCP port 53.
Checkpoints
- Zone Association: Verify that corp.internal lists both VPC IDs in its configuration.
- Endpoint Status: Run aws route53resolver list-resolver-endpoints and ensure the status is OPERATIONAL.
- DNS Resolution: From a Spoke VPC instance, run dig web.corp.internal. It should return the IP defined in your PHZ.
Conceptual DNS Flow
This diagram represents the logical flow of a query traversing the Resolver architecture.
```latex
\begin{tikzpicture}[scale=0.8]
  \draw[thick, rounded corners, fill=blue!5]   (0,0)  rectangle (4,2)  node[midway] {Client VPC};
  \draw[thick, rounded corners, fill=green!5]  (6,0)  rectangle (10,2) node[midway] {Resolver Hub};
  \draw[thick, rounded corners, fill=orange!5] (12,0) rectangle (16,2) node[midway] {Target Resource};
  \draw[->, thick] (4,1)  -- node[above] {Forward Rule} (6,1);
  \draw[->, thick] (10,1) -- node[above] {Lookup} (12,1);
  \draw[dashed] (8,-0.5) node {AWS Internal Network};
\end{tikzpicture}
```
Troubleshooting
| Problem | Potential Cause | Fix |
|---|---|---|
| DNS Query Timeout | Security Group blocking port 53 | Allow inbound TCP/UDP 53 from VPC CIDR on Endpoint SGs. |
| Name Not Found | VPC DNS attributes disabled | Ensure enableDnsHostnames and enableDnsSupport are set to true. |
| Cross-Account Error | Missing RAM permissions | Accept the resource share invitation in the consumer account. |
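The Checkpoints list and the first two Troubleshooting rows are all things you can verify from CLI output before running `dig`. The following is an added example, not part of the lab: it checks constructed JSON in the shape of `aws route53resolver list-resolver-endpoints`, `aws ec2 describe-security-groups` and `aws ec2 describe-vpc-attribute` for the endpoint status and IP count, for TCP and UDP 53 being reachable from each lab VPC CIDR (and flags a rule open to 0.0.0.0/0, which is wider than the fix in the table calls for), and for both VPC DNS attributes. All IDs are placeholders and the sample values are chosen so that each check produces a finding.

```python
import ipaddress
import json

# Constructed sample output (placeholder IDs), shaped like the three CLI calls named above.
ENDPOINTS_JSON = json.dumps({"ResolverEndpoints": [
    {"Id": "rslvr-in-example1", "Name": "hub-inbound", "Direction": "INBOUND",
     "Status": "OPERATIONAL", "IpAddressCount": 2, "SecurityGroupIds": ["sg-0hubdns"]},
    {"Id": "rslvr-out-example2", "Name": "hub-outbound", "Direction": "OUTBOUND",
     "Status": "CREATING", "IpAddressCount": 1, "SecurityGroupIds": ["sg-0hubdns"]},
]})
SECURITY_GROUPS_JSON = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0hubdns", "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},          # Hub CIDR missing
        {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},             # too wide
    ]},
]})
VPC_ATTRIBUTES = {  # one describe-vpc-attribute result per attribute name
    "enableDnsSupport": {"VpcId": "vpc-0spoke", "EnableDnsSupport": {"Value": True}},
    "enableDnsHostnames": {"VpcId": "vpc-0spoke", "EnableDnsHostnames": {"Value": False}},
}

# Networks that legitimately send DNS to the hub endpoints: the lab's two VPC CIDRs.
EXPECTED_SOURCES = [ipaddress.ip_network(c) for c in ("10.10.0.0/16", "10.20.0.0/16")]


def check_endpoints(endpoints_json):
    """'Endpoint Status' checkpoint: every endpoint OPERATIONAL with >= 2 IPs."""
    findings = []
    for ep in json.loads(endpoints_json)["ResolverEndpoints"]:
        if ep["Status"] != "OPERATIONAL":
            findings.append(f"{ep['Name']}: status is {ep['Status']}, not OPERATIONAL")
        if ep["IpAddressCount"] < 2:
            findings.append(f"{ep['Name']}: {ep['IpAddressCount']} IP address(es); "
                            "endpoints need two in different AZs")
    return findings


def _port53_sources(sg):
    """Source networks allowed to reach port 53, keyed by protocol."""
    allowed = {"tcp": [], "udp": []}
    for perm in sg["IpPermissions"]:
        proto = perm["IpProtocol"]
        if proto not in ("tcp", "udp", "-1"):
            continue
        if proto != "-1" and not (perm["FromPort"] <= 53 <= perm["ToPort"]):
            continue
        nets = [ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])]
        for p in (("tcp", "udp") if proto == "-1" else (proto,)):
            allowed[p].extend(nets)
    return allowed


def check_dns_security_groups(sg_json, expected_sources):
    """'DNS Query Timeout' row: TCP and UDP 53 allowed from each expected source,
    and no rule for port 53 open to the whole internet."""
    findings = []
    for sg in json.loads(sg_json)["SecurityGroups"]:
        allowed = _port53_sources(sg)
        for proto in ("tcp", "udp"):
            for src in expected_sources:
                if not any(src.subnet_of(net) for net in allowed[proto]):
                    findings.append(f"{sg['GroupId']}: {proto}/53 not allowed from {src}")
            for net in allowed[proto]:
                if net.prefixlen == 0:
                    findings.append(f"{sg['GroupId']}: {proto}/53 open to {net}; "
                                    "restrict to VPC and on-prem CIDRs")
    return findings


def check_vpc_dns_attributes(attrs):
    """'Name Not Found' row: enableDnsSupport and enableDnsHostnames must both be true."""
    findings = []
    for attr, key in (("enableDnsSupport", "EnableDnsSupport"),
                      ("enableDnsHostnames", "EnableDnsHostnames")):
        if not attrs[attr][key]["Value"]:
            findings.append(f"{attrs[attr]['VpcId']}: {attr} is false")
    return findings


if __name__ == "__main__":
    for f in (check_endpoints(ENDPOINTS_JSON)
              + check_dns_security_groups(SECURITY_GROUPS_JSON, EXPECTED_SOURCES)
              + check_vpc_dns_attributes(VPC_ATTRIBUTES)):
        print("FINDING:", f)
```

To run it against a live account, replace the constructed strings with the output of the corresponding `aws ... --output json` commands; the check functions read only the fields shown.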
Stretch Challenge
Scenario: Your on-premises network uses the domain legacy.local (CIDR 192.168.0.0/16).
Goal: Create a Resolver Outbound Endpoint and a Forwarding Rule that directs all traffic for legacy.local to a dummy IP (e.g., 192.168.1.10). Verify that the Hub VPC tries to route these requests via the endpoint.
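Before creating the forwarding rule for the stretch challenge, it is worth validating what the rule will forward and where, because a forward rule applies to every VPC it is associated with. The following is an added example, not part of the lab: it checks that the domain does not collide with the lab's corp.internal private hosted zone, that every target IP lies inside the stated on-premises range (192.168.0.0/16) and not inside a VPC CIDR, and then emits the `create-resolver-rule` parameters (real boto3/CLI parameter names) plus the matching CLI lines. The endpoint ID, rule name and request ID are constructed placeholders.

```python
import ipaddress

# Values from the lab and the stretch challenge; placeholders are marked.
ON_PREM_CIDR = ipaddress.ip_network("192.168.0.0/16")
VPC_CIDRS = [ipaddress.ip_network(c) for c in ("10.10.0.0/16", "10.20.0.0/16")]
PRIVATE_ZONES = ["corp.internal"]


def _overlaps(domain, zone):
    """True if one name is the other or a subdomain of it (case-insensitive)."""
    d, z = domain.rstrip(".").lower(), zone.rstrip(".").lower()
    return d == z or d.endswith("." + z) or z.endswith("." + d)


def build_forward_rule(domain, target_ips, endpoint_id,
                       on_prem_cidr=ON_PREM_CIDR, vpc_cidrs=VPC_CIDRS,
                       private_zones=PRIVATE_ZONES):
    """Validate a FORWARD rule and return its create-resolver-rule parameters.

    Raises ValueError listing every problem found, so nothing is created
    from a rule that would forward the wrong names or to the wrong place.
    """
    problems = []
    for zone in private_zones:
        if _overlaps(domain, zone):
            problems.append(f"domain {domain} overlaps private hosted zone {zone}; review before forwarding")

    targets = []
    for ip in target_ips:
        addr = ipaddress.ip_address(ip)
        if addr not in on_prem_cidr:
            problems.append(f"target {ip} is outside the on-premises range {on_prem_cidr}")
        if any(addr in cidr for cidr in vpc_cidrs):
            problems.append(f"target {ip} is inside a VPC CIDR; on-premises resolvers are expected")
        targets.append({"Ip": str(addr), "Port": 53})

    if problems:
        raise ValueError("; ".join(problems))

    name = domain.rstrip(".").lower()
    return {
        "CreatorRequestId": f"lab-fwd-{name}",      # placeholder idempotency token
        "Name": f"fwd-{name.replace('.', '-')}",
        "RuleType": "FORWARD",
        "DomainName": name + ".",
        "TargetIps": targets,
        "ResolverEndpointId": endpoint_id,          # OUTBOUND endpoint ID
    }


def as_cli(params, vpc_id):
    """Render the equivalent CLI commands: create the rule, then associate it
    with the VPC whose queries for the domain should be forwarded."""
    targets = " ".join(f"Ip={t['Ip']},Port={t['Port']}" for t in params["TargetIps"])
    return [
        "aws route53resolver create-resolver-rule"
        f" --creator-request-id {params['CreatorRequestId']} --name {params['Name']}"
        f" --rule-type {params['RuleType']} --domain-name {params['DomainName']}"
        f" --resolver-endpoint-id {params['ResolverEndpointId']} --target-ips {targets}",
        # <RULE_ID> comes from the Id field in the output of the command above.
        f"aws route53resolver associate-resolver-rule --resolver-rule-id <RULE_ID> --vpc-id {vpc_id}",
    ]


if __name__ == "__main__":
    rule = build_forward_rule("legacy.local", ["192.168.1.10"], "rslvr-out-EXAMPLE")
    for line in as_cli(rule, "<HUB_VPC_ID>"):
        print(line)
```

The outbound endpoint itself is created like the inbound one in Step 3 with `--direction OUTBOUND`, and its security group needs outbound UDP/TCP 53 toward the on-premises range rather than inbound rules.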
Cost Estimate
[!WARNING] Remember to run the teardown commands to avoid ongoing charges.
- Resolver Endpoints: ~$0.125 per ENI per hour. (2 IPs = $0.25/hr).
- Private Hosted Zone: $0.50 per month (pro-rated).
- Queries: $0.40 per million queries (first 1 Billion).
Clean-Up / Teardown
To avoid unexpected costs, delete resources in this order:
```bash
# 1. Delete Resolver Rules
aws route53resolver delete-resolver-rule --resolver-rule-id <RULE_ID>
# 2. Delete Resolver Endpoints
aws route53resolver delete-resolver-endpoint --resolver-endpoint-id <ENDPOINT_ID>
# 3. Delete Private Hosted Zone
aws route53 delete-hosted-zone --id <ZONE_ID>
# 4. Delete VPCs
aws ec2 delete-vpc --vpc-id <SPOKE_VPC_ID>
aws ec2 delete-vpc --vpc-id <HUB_VPC_ID>
```

Concept Review
| Feature | Private Hosted Zone | Resolver Endpoint |
|---|---|---|
| Primary Use | Authoritative answers for VPC internal names. | Bridging DNS between AWS and external networks. |
| Directionality | N/A | Inbound (External -> AWS) or Outbound (AWS -> External). |
| Mechanism | Integrated with VPC DNS (.2 resolver). | Uses ENIs (Elastic Network Interfaces) in your VPC. |
| Sharing | Associated via API or shared via RAM. | Rules shared via RAM; Endpoints are regional resources. |