
Study Guide: Route 53 Resolver Inbound and Outbound Endpoints

Requirements and implementation options for outbound and inbound endpoints

Route 53 Resolver: Inbound and Outbound Endpoints

This study guide covers the architectural requirements and implementation patterns for AWS Route 53 Resolver endpoints, which are essential in hybrid DNS environments where AWS VPCs and on-premises networks must resolve each other's domain names.

Learning Objectives

By the end of this guide, you should be able to:

  • Differentiate between Inbound and Outbound resolver endpoints.
  • List the technical requirements (VPC, IP addresses, Security Groups) for endpoint creation.
  • Configure Forwarding Rules for outbound DNS resolution.
  • Design a highly available hybrid DNS architecture using Direct Connect (DX) or VPN.

Key Terms & Glossary

  • Route 53 Resolver: The regional service that provides DNS resolution for VPCs.
  • Inbound Endpoint: A set of IP addresses in your VPC that receive DNS queries from your on-premises network or other VPCs.
  • Outbound Endpoint: A set of resources that forward DNS queries from your VPC to external DNS resolvers (e.g., on-premises DNS).
  • Forwarding Rule: A configuration associated with an outbound endpoint that defines which domain names should be forwarded to which target IP addresses.
  • Conditional Forwarding: The process of sending specific DNS queries (like internal.corp) to a specific resolver while letting others go to the default public DNS.

The "Big Idea"

In a hybrid cloud environment, the "Big Idea" is DNS Seamlessness. Without endpoints, your AWS resources can't see your on-premises servers by name, and your on-premises employees can't access AWS private hosted zones. Resolver Endpoints act as the bridge, allowing DNS traffic to flow across VPN or Direct Connect links, making the hybrid network feel like one cohesive unit.

Formula / Concept Box

| Requirement | Inbound Endpoint | Outbound Endpoint |
|---|---|---|
| Initiator | On-premises / External | EC2 / AWS Resources |
| Target | Route 53 Resolver | On-premises DNS Server |
| Connectivity | VPN or Direct Connect | VPN or Direct Connect |
| Security Group (Inbound) | Allow UDP/TCP 53 from On-prem | N/A (Response traffic only) |
| Security Group (Outbound) | N/A | Allow UDP/TCP 53 to On-prem |
| High Availability | Min 2 IP addresses in 2 AZs | Min 2 IP addresses in 2 AZs |

Hierarchical Outline

  • I. Inbound Endpoints (The "Receiver")
    • Purpose: Allows external clients to query Route 53 Private Hosted Zones.
    • Components: Elastic Network Interfaces (ENIs) with private IPs.
    • Traffic Flow: On-prem DNS → VPN/DX → Inbound Endpoint IP → Route 53 Resolver.
  • II. Outbound Endpoints (The "Sender")
    • Purpose: Allows VPC resources to query on-premises domains (e.g., corp.local).
    • Configuration: Requires Forwarding Rules to trigger the endpoint.
    • Traffic Flow: EC2 → Route 53 Resolver → Outbound Endpoint → VPN/DX → On-prem DNS.
  • III. Shared Requirements
    • VPC Association: Must be created within a specific VPC.
    • Subnet Selection: Recommended to use multiple Availability Zones for redundancy.
    • Security Groups: Must allow DNS traffic (Port 53) on both UDP and TCP.

Visual Anchors

Hybrid DNS Query Flow (Outbound): diagram not reproduced here.

Network Architecture

\begin{tikzpicture}[node distance=2cm, every node/.style={rectangle, draw, rounded corners, minimum width=2.5cm, minimum height=1cm, align=center}]
  \node (vpc) [fill=blue!10] {AWS VPC\\(10.0.0.0/16)};
  \node (endpoint) [below of=vpc, fill=orange!20] {Resolver Endpoint\\(ENIs)};
  \node (vpngw) [below of=endpoint, fill=gray!20] {VPN / Direct Connect};
  \node (onprem) [below of=vpngw, fill=green!10] {Corporate Data Center\\DNS Resolver};
  \draw [<->, thick] (vpc) -- (endpoint);
  \draw [<->, thick] (endpoint) -- (vpngw);
  \draw [<->, thick] (vpngw) -- (onprem);
  \node at (4, -1) [draw=none] {\small \textbf{Inbound:} On-prem $\rightarrow$ AWS};
  \node at (4, -2) [draw=none] {\small \textbf{Outbound:} AWS $\rightarrow$ On-prem};
\end{tikzpicture}

Definition-Example Pairs

  • Forwarding Rule: A logic set that tells the resolver which queries go where.
    • Example: Create a rule for *.internal that points to 172.16.0.10 (on-prem DNS) via the outbound endpoint.
  • Recursive Query: A query in which the DNS client expects the server to find the complete answer on its behalf.
    • Example: An EC2 instance asks Route 53 for google.com; Route 53 performs the recursion and returns the IP.
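The rule-matching behaviour behind the Forwarding Rule example above, as an added illustration that is not part of the original guide: Route 53 Resolver picks the most specific rule whose domain matches the query (a rule for a domain covers that domain and its subdomains), and a query with no matching FORWARD rule is answered by the default resolver. The rule set and IPs are constructed sample data; the SYSTEM-rule override is modelled as a simplification.

```python
from __future__ import annotations
from typing import Optional

# Constructed sample forwarding rules (not from a real account). Each FORWARD rule
# sends matching queries through the outbound endpoint to the listed on-prem IPs.
# A SYSTEM rule for a more specific name tells Resolver to answer that name itself,
# carving it out of a broader FORWARD rule.
FORWARDING_RULES = [
    {"domain": "internal", "type": "FORWARD", "targets": ["172.16.0.10"]},
    {"domain": "corp.local", "type": "FORWARD", "targets": ["172.16.0.10", "172.16.0.11"]},
    {"domain": "aws.corp.local", "type": "SYSTEM", "targets": []},
]


def _labels(name: str) -> list[str]:
    # Normalise a DNS name into lower-case labels, ignoring a trailing dot.
    return name.rstrip(".").lower().split(".")


def _matches(rule_domain: str, qname: str) -> bool:
    # A rule matches when its labels are a whole-label suffix of the query name,
    # so "internal" covers "db.internal" but not "notinternal".
    rl, ql = _labels(rule_domain), _labels(qname)
    return len(ql) >= len(rl) and ql[-len(rl):] == rl


def select_target(qname: str, rules=FORWARDING_RULES) -> Optional[list[str]]:
    """Return the on-prem target IPs for qname, or None when Route 53 Resolver
    answers the query itself (no matching rule, or the best match is a SYSTEM rule)."""
    candidates = [r for r in rules if _matches(r["domain"], qname)]
    if not candidates:
        return None  # no rule matched: falls through to the default resolver
    # Most specific rule wins: the one with the most labels in its domain.
    best = max(candidates, key=lambda r: len(_labels(r["domain"])))
    return best["targets"] if best["type"] == "FORWARD" else None
```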

Worked Examples

Problem: Setting up High Availability

Scenario: A network engineer is deploying an Inbound Endpoint. To ensure it survives an AZ failure, how should the IP addresses be allocated?

Step-by-Step Solution:

  1. Identify AZs: Choose at least two Availability Zones (e.g., us-east-1a and us-east-1b).
  2. Select Subnets: Select a private subnet in each of those AZs.
  3. Assign IPs: Route 53 Resolver will assign one IP per subnet/AZ.
  4. Update On-Prem: Configure the on-premises DNS forwarder to use both IP addresses as targets. If one AZ goes down, the on-premises server will fail over to the second IP.

Checkpoint Questions

  1. Which port must be open in the Security Group for both Inbound and Outbound endpoints?
  2. True or False: Outbound endpoints require a VPN or Direct Connect to reach on-premises servers.
  3. What happens if a VPC query does not match any Forwarding Rules?
  4. Can a single endpoint be both Inbound and Outbound at the same time?

[!TIP] Answers: 1. Port 53 (UDP and TCP). 2. True. 3. It is resolved using the default Route 53 public resolver. 4. No, they are separate logical resources, though you can configure both in the same VPC.

Muddy Points & Cross-Refs

  • Port 53 Protocol: Many forget that modern DNS uses both UDP and TCP. Ensure your security groups allow both.
  • Circular Lookups: Be careful not to point an AWS Forwarding Rule to an on-premises server that forwards that same query back to AWS. This creates a loop.
  • Cross-Ref: For more on sharing these rules across multiple accounts, see AWS Resource Access Manager (RAM).
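A pre-deployment check that enforces the requirements from the worked example and the muddy points above (two IPs in two AZs, port 53 on both UDP and TCP in the direction the endpoint needs, and no circular lookup between an AWS Forwarding Rule and an on-prem forwarder). This is an added example, not AWS tooling or the guide's own material; the endpoint plan, IPs and rules are constructed sample data.

```python
# Constructed endpoint plan (sample data, not a real account).
ENDPOINT = {
    "direction": "OUTBOUND",
    "ip_addresses": [
        {"subnet_az": "us-east-1a", "ip": "10.0.1.10"},
        {"subnet_az": "us-east-1b", "ip": "10.0.2.10"},
    ],
    # Security group rules as (protocol, port) tuples.
    "security_group": {"ingress": [], "egress": [("udp", 53), ("tcp", 53)]},
}
INBOUND_ENDPOINT_IPS = {"10.0.1.53", "10.0.2.53"}    # inbound endpoint IPs in the VPC
AWS_RULES = {"corp.local": ["172.16.0.10"]}          # domain -> on-prem targets
ONPREM_FORWARDERS = {"corp.local": ["10.0.1.53"]}    # on-prem conditional forwarders


def check_endpoint(ep, aws_rules, onprem_forwarders, inbound_ips):
    """Return a list of findings; an empty list means the plan meets the guide's requirements."""
    findings = []
    ips = ep["ip_addresses"]
    azs = {i["subnet_az"] for i in ips}
    # High availability: an AZ failure must leave at least one working IP.
    if len(ips) < 2 or len(azs) < 2:
        findings.append("HA: need at least 2 IP addresses in 2 different AZs")
    # Inbound endpoints receive queries (ingress rules); outbound endpoints send them (egress).
    side = "ingress" if ep["direction"] == "INBOUND" else "egress"
    allowed = set(ep["security_group"][side])
    for proto in ("udp", "tcp"):
        if (proto, 53) not in allowed:
            findings.append(f"SG: {side} must allow {proto}/53")
    # Circular lookup: AWS forwards a domain to on-prem, and the on-prem forwarder
    # for the same domain points back at an inbound endpoint IP.
    for domain, targets in aws_rules.items():
        back = set(onprem_forwarders.get(domain, [])) & inbound_ips
        if back:
            findings.append(f"Loop: {domain} -> {targets} -> {sorted(back)} -> Route 53 Resolver")
    return findings
```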

Comparison Tables

Endpoints vs. Private Hosted Zones

| Feature | Private Hosted Zone | Resolver Endpoint |
|---|---|---|
| Function | Stores DNS records (A, CNAME, etc.) | Routes DNS queries to/from VPC |
| Scope | Local to VPC/Account | Hybrid Connectivity |
| Cost | Per zone per month | Per ENI per hour + Query cost |
| Requirement | VPC Association | VPN or Direct Connect |
