Cost effective strategies for AWS Landing Zone: on-premise DNS forwarding optimization

lp

Lucian Patian

Posted on January 14, 2024

Cost effective strategies for AWS Landing Zone: on-premise DNS forwarding optimization

This article covers the bypass of inbound endpoints from the Route53 resolver, describing a cost-effective method to redirect traffic from your on-premise DNS to your Route53 private zone files.

Before AWS Verified Access was released, the standard security practice was to keep resources private unless public access was absolutely necessary.

Since AWS Verified Access is not yet an industry standard, we'll discuss the scenario of a VPN or intranet setup, focusing on accessing private (sub)domains deployed within our VPC.

In a hybrid DNS scenario, AWS provides the option to configure a Route53 resolver inbound endpoint, followed by the creation of forward rules on the on-premise DNS server for each private (sub)domain.

The inbound endpoint, a Route53 DNS resolver configuration, establishes necessary network interfaces within your VPC for forwarding queries from the on-premise DNS to your AWS account.

Image description

To direct traffic to your VPC, a forwarding rule on the on-premise DNS server is required for a specific (sub)domain, with the IPs of the Route53 inbound resolver added. Implementing inbound endpoints in each AWS account in a large organization could significantly impact overall costs.

The trick to cost savings lies in the on-premise DNS forwarding rule, where you utilize the VPC resolver IP, represented by the CIDR of your VPC ending in .2. For instance, if your VPC CIDR is 172.10.10.0/24, the VPC resolver IP would be 172.10.10.2.

Whenever you need to access a private domain configured in a Route53 zone file, simply create a forwarding rule for the (sub)domain on the on-premise DNS, directing it towards the VPC resolver IP ending in .2.

This method removes the need for Route53 to create network interfaces for each inbound resolver, eliminating associated costs.

What tips & tricks do you have for keeping the costs low in your AWS landingzone?

In a previous article, I wrote about using outbound endpoints and rules from the Route53 resolver to guide traffic from all AWS accounts towards private (on-premise) managed (sub)domains, keeping the costs low.

💖 💪 🙅 🚩
lp
Lucian Patian

Posted on January 14, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related