I have a GCP VPC and it is connected to on-prem using Public Cloud Interconnect.
Traffic flow between on-prem and the VPC is ok. All routes and firewalls are configured correctly.
Now I would like to have the company DNS servers available for VMs in my VPC.
My 3 DNS servers are
10.17.121.30 dns-01.net.company.corp
10.17.122.10 dns-02.net.company.corp
10.17.122.170 dns-03.net.company.corp
Now I have done the below config in Cloud DNS in GCP.
The DNS name is company.corp
The "In use by" is referring my VPC.
The IPs 10.17.121.30, 10.17.122.10 and 10.17.122.170 are on-prem and are accessible from the VPC over port 53.
But after having done all the above, if I try to connect to any on-prem machine using its name, I get
telnet: could not resolve example-server.corp.sap/443: No address associated with hostname
The above request is being made from a VM inside the VPC.
Which leads me to believe that my DNS servers might not be correctly configured. What have I missed here?
If you are intending to have your VMs able to resolve hostnames within your on-premises network, then you will need to make use of DNS forwarding. You would need to configure your private zone as a forwarding zone. Once this is done you can use your forwarding zone to query on-premises servers.
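The forwarding zone described in the answer, written out as an added Terraform example (it is not the asker's or the answerer's configuration). It assumes an existing VPC named `prod-vpc` and a project already set in the `google` provider; the three forwarding targets are the on-prem servers listed in the question.

```hcl
# Added example, not from the original post. Assumptions: the VPC "prod-vpc"
# already exists and the project is configured on the google provider.

data "google_compute_network" "vpc" {
  name = "prod-vpc"
}

# Forwarding zone: every query for a name under company.corp coming from a VM
# in prod-vpc is sent by Cloud DNS to the on-prem servers instead of being
# answered from Cloud DNS itself.
resource "google_dns_managed_zone" "company_corp_fwd" {
  name        = "company-corp-forwarding"
  dns_name    = "company.corp." # trailing dot is required
  description = "Forward company.corp to on-prem DNS over Interconnect"
  visibility  = "private"

  private_visibility_config {
    networks {
      network_url = data.google_compute_network.vpc.id
    }
  }

  forwarding_config {
    # RFC 1918 targets are reached through the VPC (and so over the
    # Interconnect) by default; forwarding_path = "private" makes that explicit.
    target_name_servers {
      ipv4_address    = "10.17.121.30"
      forwarding_path = "private"
    }
    target_name_servers {
      ipv4_address    = "10.17.122.10"
      forwarding_path = "private"
    }
    target_name_servers {
      ipv4_address    = "10.17.122.170"
      forwarding_path = "private"
    }
  }
}
```

Two checks worth doing once this is applied. First, Cloud DNS does not send forwarded queries from a VM address: they arrive at the on-prem servers with a source in 35.199.192.0/19, so the on-prem firewall and the DNS servers' query ACLs must allow that range on 53/udp and 53/tcp, and on-prem must have a return route for it over the Interconnect (Cloud Router custom route advertisement). "Reachable from the VPC on port 53" is not the same test. Second, a forwarding zone only covers names under its `dns_name`; a lookup for a name under a different suffix never reaches the on-prem servers. From a VM in the VPC, `dig dns-01.net.company.corp` (the VM's resolver is already the metadata server) should now return 10.17.121.30.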
I was trying to find the IP address of the DNS server hosted in a private zone in GCP to resolve some traffic routing related issue on the firewall. But I am not able to find it in the Cloud DNS GUI console.
Cloud DNS Private zones require that you use the metadata server for name resolution. Compute Engine instances receive internal DNS resolution information as part of their DHCP leases. By default, the instance's metadata server (169.254.169.254) resolves internal DNS names. If you change the name server configuration for your instance, you cannot resolve records in Compute Engine internal DNS (the .internal zone) or in Cloud DNS managed private zones, forwarding zones, and peering zones unless your replacement DNS server forwards these queries to 169.254.169.254.
I have a site-to-site VPN connection from my on-prem network to the VPC RDS resides in. I am trying to connect to MySQL using the DNS endpoint RDS provides. I am unable to connect to the DNS endpoint but I am able to connect using the private IP that the endpoint resolves to.
I assume that the DNS is internal to AWS and my on prem network can not resolve it.
The RDS instance is publicly accessible.
How could I connect using the DNS endpoint?
Your assumption is right and you need to configure on-premises DNS resolution to internal AWS DNS. I didn't do that before, but Resolving DNS Queries Between VPCs and Your Network - Amazon Route 53 can help you :-)
Also, you can just open RDS to public internet, but it's not safe (and not your case, I assume)
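What the linked Route 53 page boils down to for this case is a Resolver inbound endpoint, shown here as an added Terraform example (not the asker's or answerer's configuration). It assumes a VPC resource `aws_vpc.main` with two private subnets `aws_subnet.private_a` and `aws_subnet.private_b` defined elsewhere, an on-prem range of 10.20.0.0/16 reached over the site-to-site VPN, and RDS endpoint names ending in `us-east-1.rds.amazonaws.com`.

```hcl
# Added example, not from the original post. Assumptions: aws_vpc.main,
# aws_subnet.private_a and aws_subnet.private_b exist; on-prem is 10.20.0.0/16.

variable "onprem_cidr" {
  default = "10.20.0.0/16"
}

# Only the on-prem range may talk to the endpoint; the VPN is the only path
# from there, so nothing on the internet can query it.
resource "aws_security_group" "resolver_inbound" {
  name        = "route53-resolver-inbound"
  description = "DNS from on-prem to the Route 53 Resolver inbound endpoint"
  vpc_id      = aws_vpc.main.id

  ingress {
    description = "DNS over UDP from on-prem only"
    from_port   = 53
    to_port     = 53
    protocol    = "udp"
    cidr_blocks = [var.onprem_cidr]
  }

  ingress {
    description = "DNS over TCP from on-prem only (truncated/large answers)"
    from_port   = 53
    to_port     = 53
    protocol    = "tcp"
    cidr_blocks = [var.onprem_cidr]
  }
}

# Inbound endpoint: ENIs in two subnets that answer exactly what the VPC's own
# resolver answers, so the RDS endpoint name resolves to its private IP.
resource "aws_route53_resolver_endpoint" "inbound" {
  name               = "onprem-inbound"
  direction          = "INBOUND"
  security_group_ids = [aws_security_group.resolver_inbound.id]

  ip_address {
    subnet_id = aws_subnet.private_a.id
  }

  ip_address {
    subnet_id = aws_subnet.private_b.id
  }
}

# These are the addresses the on-prem DNS server forwards to.
output "resolver_inbound_ips" {
  value = [for a in aws_route53_resolver_endpoint.inbound.ip_address : a.ip]
}
```

On the on-prem side, add a conditional forwarder for `us-east-1.rds.amazonaws.com` (or just `rds.amazonaws.com`) pointing at the two output addresses. Because the query is then answered from inside the VPC, the RDS endpoint resolves to the private IP the asker could already reach, and the instance does not need to stay publicly accessible for this to work.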
I have an AWS VPC with Private Hosted Zone (PHZ) setup so all machines launched within the VPC can resolve my console-defined domains, for example a1.mydomain.
I would like for on-site machines at the end of my VPN (not in VPC but connected to a VPN server machine in the VPC) to be able to resolve these PHZ domains as well.
Is this possible?
In order to resolve PHZ, the request must come from the DNS resolver of the VPC:
Set up a DNS server on the VPN instance that forwards queries of a1.mydomain to the VPC DNS resolver which is the third address of your VPC network (.2)
Make sure to set up the DNS server to forward other queries to a public DNS server like Google (8.8.8.8/8.8.4.4) or CloudFlare (1.1.1.1)
Set up the VPN to push its own private IP as a DNS server to users
On-premises machines connected to the VPN will be able to resolve records in PHZ
Using bind9 + OpenVPN works quite well
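The bind9 + OpenVPN setup from this answer, and the GCP rule quoted earlier that a replacement resolver must forward Cloud DNS zones and `.internal` to 169.254.169.254, are the same pattern: a conditional forward zone pointing at the cloud resolver, with everything else going elsewhere. The following is an added example, not the answerer's files. It assumes the OpenVPN instance has VPC private IP 10.0.1.5 in a 10.0.0.0/16 VPC (so the VPC resolver is 10.0.0.2), a VPN client pool of 10.8.0.0/24, and a PHZ named `mydomain`.

```conf
// /etc/bind/named.conf.options on the OpenVPN instance (added example;
// assumed: instance private IP 10.0.1.5, VPC resolver 10.0.0.2, clients 10.8.0.0/24)
options {
    directory "/var/cache/bind";
    listen-on { 127.0.0.1; 10.0.1.5; };
    listen-on-v6 { none; };

    // Only VPN clients and the host itself may query or recurse. Without
    // these ACLs the instance becomes an open recursive resolver.
    allow-query     { 127.0.0.1; 10.8.0.0/24; };
    allow-recursion { 127.0.0.1; 10.8.0.0/24; };
    recursion yes;

    // Anything not matched by a forward zone below goes to a public resolver.
    forwarders { 8.8.8.8; 8.8.4.4; };
    forward only;

    // "mydomain" has no public chain of trust, so a validating resolver would
    // reject the VPC resolver's answers as bogus. Disable validation here (or
    // exempt the zone with validate-except on newer BIND releases).
    dnssec-validation no;
};

// /etc/bind/named.conf.local
// The Private Hosted Zone is only answered by the VPC resolver at base + 2.
zone "mydomain" {
    type forward;
    forward only;
    forwarders { 10.0.0.2; };
};

// GCP variant of the same pattern, for a replacement resolver running on a
// Compute Engine VM: Cloud DNS private/forwarding zones and the .internal
// names are reachable only through the metadata server.
// zone "company.corp" { type forward; forward only; forwarders { 169.254.169.254; }; };
// zone "internal"     { type forward; forward only; forwarders { 169.254.169.254; }; };

# /etc/openvpn/server.conf: hand the resolver and search suffix to VPN clients
push "dhcp-option DNS 10.0.1.5"
push "dhcp-option DOMAIN mydomain"
```

After `rndc reload`, a VPN client should get the private address for `a1.mydomain` from `dig @10.0.1.5 a1.mydomain`, while the same query from outside the VPN is refused by the ACL. The forward zone works because the query to 10.0.0.2 originates from an ENI inside the VPC, which is the condition the answer states.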
Does GCP support an internal DNS service? I don't need my zone to be public but I want my GCE instances to use it for resolving internal services.
I am not very clear on your requirements, but if you just want two VM instances in a project VPC to communicate with each other then you can use internal DNS, instead of using the internal IP address which might change when a VM instance gets recreated.
GCP provides internal DNS that can be used by two VM instances in the same VPC to communicate.
Note that VM instances in two different VPCs cannot communicate with each other across VPCs using this method (unless a VPN or other mechanism is configured to connect the VPCs).
There are two ways to access/configure Internal DNS
Global DNS
Zonal DNS (Default for all organizations or standalone projects that have enabled the Compute Engine API after September 06, 2018.)
An internal fully qualified domain name (FQDN) for an instance has the following formats:
Instances using the default global DNS: [HOST_NAME].c.[PROJECT_ID].internal
Instances enabled for Zonal DNS : [HOST_NAME].[ZONE].c.[PROJECT_ID].internal
You can address instances over the internal VPC network using this FQDN.
For example, if your instances are enabled for Zonal DNS, you can ping from one instance to another instance over the internal VPC network using the zonal fully qualified domain name:
ping example-instance.us-west1-c.c.example-project.internal -c 1
Yes, as of Oct 2018, Google Cloud DNS now supports Private DNS Zones.
You can create domains and DNS entries (pointing to whatever instances, load balancers, services) that will only be visible internally to the VPC networks you allow, and not available over the internet.
Announcement:
https://cloud.google.com/blog/products/networking/introducing-private-dns-zones-resolve-to-keep-internal-networks-concealed
Documentation:
https://cloud.google.com/dns/docs/quickstart#create_a_managed_private_zone
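A private zone of the kind this answer describes, as an added Terraform example (not from the announcement or the docs linked above). It assumes an existing VPC named `prod-vpc` and an internal load balancer at 10.128.0.10.

```hcl
# Added example, not from the original post. Assumptions: VPC "prod-vpc"
# exists; 10.128.0.10 is an internal load balancer in that VPC.

data "google_compute_network" "vpc" {
  name = "prod-vpc"
}

# visibility = "private": the zone gets no public name servers and no NS
# delegation. It is answered only for VMs in the listed networks, through the
# metadata resolver, so these names are invisible from the internet.
resource "google_dns_managed_zone" "corp" {
  name        = "corp-private"
  dns_name    = "corp.example.net."
  description = "Internal service names for prod-vpc"
  visibility  = "private"

  private_visibility_config {
    networks {
      network_url = data.google_compute_network.vpc.id
    }
  }
}

# Stable name for a service whose backend addresses may change.
resource "google_dns_record_set" "api" {
  managed_zone = google_dns_managed_zone.corp.name
  name         = "api.${google_dns_managed_zone.corp.dns_name}"
  type         = "A"
  ttl          = 300
  rrdatas      = ["10.128.0.10"]
}

# Alias that lets clients keep one name while the target moves.
resource "google_dns_record_set" "api_v1" {
  managed_zone = google_dns_managed_zone.corp.name
  name         = "api-v1.${google_dns_managed_zone.corp.dns_name}"
  type         = "CNAME"
  ttl          = 300
  rrdatas      = ["api.${google_dns_managed_zone.corp.dns_name}"]
}
```

From a VM in `prod-vpc`, `dig api.corp.example.net` returns 10.128.0.10 via the metadata server; the same query from outside the VPC, or against a public resolver, gets no answer, because the zone is never published.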
It appears based on this VPC doc that you would need to set up your own DNS server.
DNS server: Each instance's metadata server acts as a DNS server. It stores the DNS entries for all VPC network IP addresses in the local VPC network and calls Google's public DNS server for entries outside the VPC network. You cannot configure this DNS server, but you can set up your own DNS server if you like and configure your instances to use that server instead by editing the /etc/resolv.conf file.
EDIT:
As the more recent answers have pointed out, Cloud DNS now supports private zones.
I've read through all the white papers for Route53, Private Hosted Zones, and Workspaces and I'm at the point of banging my head on the wall. :p
I'm having trouble getting an EC2 instance and an Amazon Workspace within a private cloud to communicate using a Fully Qualified Domain Name. I need them to communicate with a FQDN instead of an IP address so that I can have an encrypted connection with an SSL.
Here is my configuration:
Set up a VPC with two public subnets, a route table, and an internet gateway.
VPC is set up with DNSResolution and DNSHostnames enabled.
Set up a Simple AD for the workspace within the private VPC.
Set up an EC2 instance within the private VPC with a public subnet.
Set up the EC2 instance with a security group that allows ports 80, 443, and 5003 open to 0.0.0.0/0.
Set up a workspace within the private VPC with no security group.
Disabled the firewall within the EC2 instance and Workspace.
Set up a Hosted Zone on Route53 configured for Private and linked to the VPC.
Set up an A Record pointing to the private IP of the EC2 instance.
If I run a ping from the Workspace to the DNS record that was setup in Route53, I get a successful connection.
If I try to reach the EC2 server using a Web browser on Port 80 or Port 443 using the DNS record, it fails.
If I try to reach the Ec2 server using an application that runs on Port 5003 using the DNS record, it fails.
If I try to reach the EC2 server with either web browser or application by referencing the IP, it is successful. So I know that my ports aren't being blocked.
Did I configure the Route53 record incorrectly or am I missing a particular IAM Role permission set?
Thanks and let me know if I need to elaborate on any of the configuration.
SimpleAD DNS is being used instead of Route53. If the zone is the same then only one or the other can be used I'm afraid.
For example, if you have a host.com DNS zone in SimpleAD then the workspace won't use R53 for any *.host.com resolution. Try a different private zone in R53 and therefore a different FQDN for the EC2 instance private IP address.
https://forums.aws.amazon.com/thread.jspa?threadID=215126