Lab Objective: Create two conditional forwarding rules: 1) a default (catch-all) forward rule, 2) an amazonaws.com rule of type System, so that amazonaws.com names are never forwarded

Prerequisites:
* Route 53 Resolver endpoints (inbound and outbound, created in the previous lab)
* AWS Organizations
* A dedicated DNS account (a network or shared-services account can be used instead)
* Access to Resource Access Manager (RAM) with permission to create a new resource share
What are Route 53 Resolver conditional forwarding rules?
As per this announcement:

> Route 53 Resolver rules allow customers to conditionally forward DNS requests from your VPC to an on-premises DNS resolver.

A rule can be associated with a single VPC or with many VPCs. The same announcement further elaborates:

> Rules are applied directly to your Amazon VPC and can be shared across multiple accounts. These rules will allow you to forward names like “example.com” across AWS Direct Connect and AWS Managed VPN so that it can resolve DNS names that are served from your data center.

Combined with inbound endpoints, Resolver can also accept DNS queries coming from on-premises:

> Conversely, you can create a Route 53 Resolver endpoint that serves as a forwarding target for your on-premises DNS server. This way workloads in your data center can resolve DNS names from services such as Route 53 Private DNS, AWS Private Link, Amazon Elastic File System, AWS Active Directory Service, and more.
Step-by-step guide

Create the amazonaws.com System rule:
1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/.
2. In the navigation pane, choose Rules.
3. On the navigation bar, choose the Region where you want to create the rule. Resolver rules are Regional, so pick the Region of the endpoints created in the previous lab.
4. Choose Create rule.
5. Specify these values:
   * Name: amazon-aws
   * Rule type: System
   * Domain name: amazonaws.com
   * VPCs that use this rule: select the VPC(s) that will use this rule. For the lab, select all VPCs that have been created.
Once all values are filled out, the screen should look like this:
A System rule tells Resolver to answer the matching names itself, from the querying VPC's own point of view, instead of forwarding them. Because Resolver applies the most specific matching rule, this rule takes precedence over the catch-all forward rule created next for every name under amazonaws.com, so those queries never leave the VPC. This matters for two reasons. First, resources such as Elastic Load Balancers return addresses that change over time and must always be resolved fresh from Amazon's own DNS. Second, the private DNS name of an interface VPC endpoint resolves to the endpoint's network interfaces in the VPC that owns the endpoint; if a spoke VPC forwarded such a name to the DNS VPC, it would get back that VPC's endpoint addresses rather than its own (or a public address, if the DNS VPC has no such endpoint), and traffic meant for the local private path would be sent elsewhere.
Create the default (catch-all) forward rule to handle all other domains:
1. In the navigation pane, choose Rules.
2. On the navigation bar, choose the same Region as above.
3. Choose Create rule.
4. Specify these values:
   * Name: default-resolution
   * Rule type: Forward
   * Domain name: . (a single dot, which matches every name not covered by a more specific rule)
   * VPCs that use this rule: select the VPC(s) that will use this rule. For the lab, select all VPCs that have been created.
   * Outbound endpoint: open the drop-down list and choose the outbound endpoint created in the previous lab.
   * Target IP addresses: enter the IP addresses of the inbound endpoints created in the previous lab.

Caution: if one of the selected VPCs is the VPC that hosts the inbound endpoint whose addresses you entered as targets, leave it out of this rule. A query from that VPC would go out through the outbound endpoint, arrive at the inbound endpoint in the same VPC, be handed back to Resolver for that VPC, match this rule again and loop. The catch-all rule belongs on the spoke VPCs only.
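The two rules interact through Resolver's precedence: the matching rule with the most specific domain wins, so the amazonaws.com System rule shadows the "." forward rule for every amazonaws.com name. The script below is an added example written for this page, not code from the lab or from AWS. It models that selection for a query and checks a rule set for the two mistakes that matter here: forwarding amazonaws.com names out of the VPC, and attaching the catch-all forward rule to the VPC that contains its own target inbound endpoint. The VPC IDs, CIDRs, inbound endpoint IPs and query names are constructed for illustration.

```python
"""Model of how Route 53 Resolver chooses between the two rules built in this lab.

Added example for this lab page, not AWS code. Rule names, VPC IDs, CIDRs, the
inbound endpoint IPs and the query names are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class ResolverRule:
    name: str
    domain: str                       # "." is the catch-all used by the default rule
    rule_type: str                    # "SYSTEM" or "FORWARD"
    vpc_ids: FrozenSet[str]           # VPCs the rule is associated with
    target_ips: Tuple[str, ...] = ()  # FORWARD rules only


@dataclass(frozen=True)
class Vpc:
    vpc_id: str
    cidr: str


def _labels(name: str) -> List[str]:
    """Split a DNS name into labels, ignoring case and a trailing dot."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def rule_matches(rule: ResolverRule, qname: str) -> bool:
    """A rule matches a query when its domain is the name itself or a parent of it."""
    if rule.domain == ".":
        return True
    dom, q = _labels(rule.domain), _labels(qname)
    return len(q) >= len(dom) and q[-len(dom):] == dom


def select_rule(rules, vpc_id: str, qname: str) -> Optional[ResolverRule]:
    """Resolver applies the matching rule with the most specific domain among the
    rules associated with the querying VPC. None means no rule applies."""
    candidates = [r for r in rules if vpc_id in r.vpc_ids and rule_matches(r, qname)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: len(_labels(r.domain)))


def resolution_path(rules, vpc_id: str, qname: str) -> Tuple[str, Tuple[str, ...]]:
    """("SYSTEM", ()) when Resolver answers inside the VPC (a SYSTEM rule or no rule
    at all), ("FORWARD", targets) when the query leaves via the outbound endpoint."""
    rule = select_rule(rules, vpc_id, qname)
    if rule is None or rule.rule_type == "SYSTEM":
        return ("SYSTEM", ())
    return ("FORWARD", rule.target_ips)


# Constructed lab topology: a DNS-account VPC hosting the endpoints and two spokes.
LAB_VPCS = [Vpc("vpc-0dnshub", "10.0.0.0/16"),
            Vpc("vpc-0spokea", "10.1.0.0/16"),
            Vpc("vpc-0spokeb", "10.2.0.0/16")]
INBOUND_ENDPOINT_IPS = ("10.0.10.10", "10.0.11.10")   # assumed inbound endpoint ENIs
SPOKES = frozenset({"vpc-0spokea", "vpc-0spokeb"})
ALL_VPCS = SPOKES | {"vpc-0dnshub"}

# The two rules from this lab, associated the safe way.
LAB_RULES = [
    ResolverRule("amazon-aws", "amazonaws.com", "SYSTEM", ALL_VPCS),
    ResolverRule("default-resolution", ".", "FORWARD", SPOKES, INBOUND_ENDPOINT_IPS),
]
# Two mistakes the checker should flag: the catch-all rule is also attached to the
# VPC that contains its target IPs, and there is no SYSTEM rule for amazonaws.com.
BAD_RULES = [
    ResolverRule("default-resolution", ".", "FORWARD", ALL_VPCS, INBOUND_ENDPOINT_IPS),
]

# A constructed interface-endpoint private DNS name; it must never be forwarded.
ENDPOINT_NAME = "vpce-0123456789abcdef0-s3.us-east-1.vpce.amazonaws.com"


def check_rules(rules, vpcs) -> List[str]:
    """Findings for a rule set: forwarding loops and amazonaws.com names that would
    leave the VPC."""
    findings = []
    cidr_of = {v.vpc_id: ip_network(v.cidr) for v in vpcs}
    for rule in rules:
        if rule.rule_type != "FORWARD":
            continue
        for vpc_id in sorted(rule.vpc_ids):
            inside = [ip for ip in rule.target_ips if ip_address(ip) in cidr_of[vpc_id]]
            if inside:  # target is the inbound endpoint in this same VPC -> loop
                findings.append(f"{rule.name}: {vpc_id} contains target(s) {inside}, queries would loop")
            if rule.domain == "." and resolution_path(rules, vpc_id, ENDPOINT_NAME)[0] != "SYSTEM":
                findings.append(f"{rule.name}: {vpc_id} would forward amazonaws.com names out of the VPC")
    return findings


if __name__ == "__main__":
    for vpc, q in [("vpc-0spokea", ENDPOINT_NAME), ("vpc-0spokea", "db.corp.example"),
                   ("vpc-0dnshub", "db.corp.example")]:
        print(vpc, q, "->", resolution_path(LAB_RULES, vpc, q))
    print("lab rules:", check_rules(LAB_RULES, LAB_VPCS) or "no findings")
    print("bad rules:", *check_rules(BAD_RULES, LAB_VPCS), sep="\n  ")
```

Run it as-is to see the endpoint name stay on the SYSTEM path in a spoke while an on-premises name is forwarded to the inbound endpoint addresses; the DNS VPC, which has no forward rule, resolves everything itself. The loop check is deliberately narrow: it flags a forward target inside the associated VPC's CIDR, which for this lab means the inbound endpoint, so a rule pointing at a self-managed DNS server inside the same VPC would also be flagged and should be reviewed rather than treated as an error.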
Share the rules via Resource Access Manager:
1. Sign in to the AWS Management Console and open the Resource Access Manager console at https://console.aws.amazon.com/ram/.
2. Click "Create resource share".
3. Specify these values:
   * Name: Route 53 rule share
   * Resources: open the drop-down list, select "Resolver Rules", then select the two rules created above.
   * Principals: check "Allow external accounts" and type in the AWS Organizations ID (it starts with o-). If you do not know it, open the AWS Organizations console to retrieve the Organizations ID.
4. Click "Create resource share".

Sharing with an organization ID requires that sharing with AWS Organizations has been enabled in the RAM settings of the organization's management account. Because the principal is your own organization, the rules stay inside it; the external-accounts option only matters if you later add account IDs that are outside the organization. Once the share is accepted (automatic within an organization), the rules appear in the other accounts' Route 53 Resolver console, where they still have to be associated with each account's VPCs before they take effect.

For testing and validation, turn to the next lab.