I have purchased a domain company.com and created a public sub-domain sales.company.com (a public hosted zone in Route 53). I mapped (created an A record for) the sub-domain to an internal application load balancer (ALB), i.e. this ALB can only be accessed within my company network. My understanding was that a public sub-domain can be mapped to a private internal ALB, but when I try to access this public sub-domain it is not reachable from the internet and I get "This site can’t be reached".
Does the ALB have to be a public ALB, or is there anything else I need to fix here to make it publicly accessible?
Since you are using a "public hosted zone in Route 53", any A, CNAME or ALIAS record must point to a public endpoint available over the internet. From the docs:
A public hosted zone is a container that holds information about how you want to route traffic on the internet for a specific domain.
Thus your ALB must be publicly available. If you want to keep it as an internal ALB (private), you have to create a private hosted zone. This way you can access it only from within a VPC, not over the internet unless you are using a VPN.
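As an added example (not code from the original posts), the check the answer describes, written as a small Python helper: it builds the Route 53 alias record for an ALB and refuses the combination from the question, an internal ALB behind a public hosted zone. The field names `Scheme`, `DNSName` and `CanonicalHostedZoneId` are those of the ELBv2 `describe-load-balancers` output; the sample ALB values are constructed.

```python
# Constructed sample: what describe-load-balancers returns for an internal ALB.
INTERNAL_ALB = {
    "DNSName": "internal-sales-123456.eu-west-1.elb.amazonaws.com",
    "CanonicalHostedZoneId": "Z00000000EXAMPLE",  # placeholder id
    "Scheme": "internal",  # the other value is "internet-facing"
}


def check_zone_target(zone_is_private: bool, alb: dict) -> str:
    """Return 'ok', or raise ValueError explaining why clients will fail.

    A public hosted zone answers queries from the internet, so its records
    must point at something reachable from the internet. An internal ALB has
    only private IPs: the name resolves, but the connection never completes
    ("This site can't be reached"). A private hosted zone may target either.
    """
    if not zone_is_private and alb["Scheme"] != "internet-facing":
        raise ValueError(
            "a public hosted zone must target an internet-facing ALB; "
            f"{alb['DNSName']} is {alb['Scheme']}. Either make the ALB "
            "internet-facing or put the record in a private hosted zone."
        )
    return "ok"


def alias_change_batch(record_name: str, alb: dict, zone_is_private: bool) -> dict:
    """Build the ChangeBatch for change-resource-record-sets: an alias A
    record whose target hosted zone id is the ALB's own canonical zone id."""
    check_zone_target(zone_is_private, alb)
    return {
        "Comment": f"alias {record_name} -> {alb['DNSName']}",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": record_name,
                "Type": "A",
                "AliasTarget": {
                    "HostedZoneId": alb["CanonicalHostedZoneId"],
                    "DNSName": alb["DNSName"],
                    "EvaluateTargetHealth": False,
                },
            },
        }],
    }


def apply_batch(hosted_zone_id: str, batch: dict) -> dict:
    """Submit the batch with boto3 (assumed installed, with credentials)."""
    import boto3  # imported here so the checks above run without it
    client = boto3.client("route53")
    return client.change_resource_record_sets(
        HostedZoneId=hosted_zone_id, ChangeBatch=batch)
```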
Private Route 53 has a nameserver. To use private Route 53, do I have to purchase the domain directly and connect it to the name server?
There is a CNAME in public Route 53 but not in private Route 53. I don't know whether you create a domain yourself, or how applying for the domain and the name server works.
Neither a new domain acquisition nor the setup of new name servers is necessary in order to use Private Route 53. Domain name resolution on the public internet cannot be done using Private Route 53; it can only be done inside your VPC.
In Route 53, construct a private hosted zone that will let you utilize unique domain names for your internal resources. A domain name specific to your business, such as mycompany.local, is often created and linked to the private hosted zone to accomplish this. With the creation of the private hosted zone, you can construct DNS records that point to internal resources, including EC2 instances, RDS databases, and other resources in your VPC.
For my case, I have a Route 53 public DNS record, let's say abc.com. This abc.com has an A record pointing to an ALB which routes to an EC2 instance (let's name it EC2 A).
Normally, there are requests from the internet calling this abc.com which will then be routed to EC2 A. But in some cases, an EC2 instance in the same VPC as EC2 A will call abc.com as well. In this case, it will still go through the external path to reach EC2 A. But as both EC2 instances are in the same VPC, is there any way calling abc.com can be routed internally instead of going through the external path?
Consider creating a private hosted zone as well for your domain in AWS Route 53.
The domain abc.com uses a public hosted zone so it will always be routed through the internet.
I'm using Route-53 as a DNS management service.
I have a problem that I'm not really sure how to solve. I've come here to seek ideas.
I have a partner who wants an IP address of the DNS server, so that they can integrate their on-prem DNS server with what I'm using (Route-53). This is not possible, as Route-53 doesn't give an IP address for accessing the DNS servers, because it's a managed service. How can I get an IP address for the Route-53 DNS servers so that my integrating partner can use it to integrate their DNS server with mine (Route-53)?
I appreciate your advice.
Taken from AWS docs:
10.0.0.2: Reserved by AWS. The IP address of the DNS server is the base of the VPC network range plus two. For VPCs with multiple CIDR blocks, the IP address of the DNS server is located in the primary CIDR. We also reserve the base of each subnet range plus two for all CIDR blocks in the VPC. For more information, see Amazon DNS server.
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html
I'm assuming your hosted zone is private, as if it was public, your partner wouldn't need to do any special configuration (unless they don't allow querying public DNS in their network).
If this is a private DNS, I think what you want is to setup a Route 53 Resolver. Specifically, you would want an inbound endpoint setup in your VPC. This will give you a specific IP address that you can provide to your partner. If you haven't already, you'd then need to configure network routing between your VPC and your partner's network (via a tunnel or peering).
AWS has a couple of user guides for this, see below:
Route 53 Resolver Developer Guide
Route 53 Resolver announcement
I registered a domain name with AWS Route 53 as mydomain.com. Is there any way that I can assign e.g. ns1.mydomain.com as a public hostname to an EC2 instance which does NOT have an Elastic IP?
Thanks
You can assign the domain name to any IP address of an instance. However, be aware of the following limitations:
If a domain name is assigned to a private IP, it will not be connectable without network access to that IP.
If the domain is assigned to a non-elastic public IP, then if the instance stops and starts you would lose the public IP, so you would need to update the DNS resolution.
If you have a public facing application, but want to keep network traffic that directly connects to the instance private you should look at using an ELB in front of the application to provide a security boundary between the internet and your application.
Utilize a load balancer in front of the instance and assign the public hostname to the load balancer.
Use S3 webpage redirect and assign the hostname to the S3 URI.
If the problem is that you don't have any Elastic IPs left, you can request more. This should be resolved within about 15 minutes.
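As an added example (not code from the original posts), the "update the DNS resolution" step from the answer: a Python script run at boot that reads the instance's current public IPv4 through IMDSv2 and builds an UPSERT for the A record, refusing RFC 1918 and link-local addresses because, as the answer notes, a name pointing at a private IP only works for clients with network access to it. The IMDS endpoint and token header are AWS's; the record name, hosted zone id and sample IPs are constructed.

```python
import ipaddress
import urllib.request

IMDS = "http://169.254.169.254/latest"  # EC2 instance metadata service

# Ranges that are only reachable from inside the network (constructed list:
# RFC 1918 plus the link-local block that carries IMDS itself).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def current_public_ip() -> str:
    """Read the instance's current public IPv4 via IMDSv2 (token first)."""
    req = urllib.request.Request(
        f"{IMDS}/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    token = urllib.request.urlopen(req, timeout=2).read().decode()
    req = urllib.request.Request(
        f"{IMDS}/meta-data/public-ipv4",
        headers={"X-aws-ec2-metadata-token": token})
    return urllib.request.urlopen(req, timeout=2).read().decode()


def a_record_upsert(name: str, ip: str, ttl: int = 60) -> dict:
    """Build the ChangeBatch for a plain A record; short TTL because the
    address changes on every stop/start without an Elastic IP."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage input
    if any(addr in net for net in NON_PUBLIC):
        raise ValueError(
            f"{ip} is not reachable from the internet; a public hostname "
            "pointing at it only works for clients inside that network")
    return {
        "Comment": f"refresh {name} after stop/start",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": name,
                "Type": "A",
                "TTL": ttl,
                "ResourceRecords": [{"Value": str(addr)}],
            },
        }],
    }


def refresh(hosted_zone_id: str, name: str) -> dict:
    """Apply the refreshed record with boto3 (assumed installed, instance
    role allowed route53:ChangeResourceRecordSets on this zone)."""
    import boto3  # imported here so the builder above runs without it
    batch = a_record_upsert(name, current_public_ip())
    return boto3.client("route53").change_resource_record_sets(
        HostedZoneId=hosted_zone_id, ChangeBatch=batch)
```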
We can connect to our AWS EC2 only from within the company VPN. I made a request to create DNS names for the servers. This would be made using AWS Route 53.
The operations team says that having a DNS name is a security risk and the explanation is
"Names are easy to guess compared to IP addresses"
"Setting up DNS for a server in the public zone directly exposes the server's origin IP and opens up the potential for DDoS attacks as well as subnet vulnerability"
The servers are not exposed outside our VPN. We have separate AWS accounts for different teams and public zone here refers to a different team.
Does the operations team have a valid argument?
You should create a Route 53 Private Hosted Zone so the DNS name can't be resolved publicly.
You then need to configure the DNS server in the office to incorporate DNS responses from Route 53 by using a forwarder.
I don't know the full details, but here are some articles that should help:
Resolving DNS Queries Between VPCs and Your Network - Amazon Route 53
Resolve a Private Hosted Zone over VPN with Directory Service
Use an Inbound Endpoint to Resolve Records in a Private Hosted Zone From a Remote Network