DNS management and consistent naming across multiple VPCs and multiple accounts can often be a challenge. In this session, we implement a solution that provides a unified namespace across on-premises and AWS environments. Bring your laptop.

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Centralizing DNS Management in a
Multi-Account Environment
Anuj Dewangan
Senior Solutions Architect
Amazon Web Services, Inc.
N E T 3 2 2

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Introductions
• Name and role
• re:Invent must-dos (past and present)
• Experience with the AWS platform
• What interests you in this session?

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Multiple-accounts, multiple DNS servers
Internal Hosted
Zone
dev-engineering
Internal Hosted
Zone
sandbox-engineering
Internal Hosted
Zone
prod-it
Internal Hosted
Zone
dev-research
Internal Hosted
Zone
business-
intelligence
Internal Hosted
Zone
prod-engineering
Each account/VPC can have multiple
domains and internal hosted zones

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Integrating DNS across accounts—Complex!
Internal Hosted
Zone
prod-engineering
Internal Hosted
Zone
prod-it
Internal Hosted
Zone
dev-engineering
Up to 25 associations for 5 VPCs (5!) !!
How do you integrate on-premises DNS servers?
Internal Hosted
Zone
business-intelligence
Internal Hosted
Zone
sandbox-engineering
How do update existing hosted zones when new VPCs are added?

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Route 53 Resolver (announced November 19, 2018)
Managed DNS Resolver
service from Route 53
Create conditional
forwarding rules to re-direct
query traffic
Enables hybrid connectivity
over AWS Direct Connect
and Managed VPN

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Resolver rules
Current query processing
Example:
Create an instance with in a VPC with
enableDnsSupport &
enableDnsHostnames both set true.
169.254.169.253

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Resolver rules
Add an inbound resolver endpoint
Example:
Provide on-premises data centers
resolution for a private hosted zone.
169.254.169.253

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Resolver rules
Resolver rules allow controlling the
resolution path for a domain
System resolver rule directs queries
down the default resolution path
169.254.169.253

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Centralizing DNS management with Route 53 Resolver
dev.awscloud.example.com
corporate data center
DNS Server
prod.awscloud.example.com sandbox.awscloud.example.com bi.awscloud.example.com it.awscloud.example.com
onprem.example.com
Cross-account Hosted Zone-VPC association
awscloud.example.com
DNS requests
onprem.example.com
(Forwarding rule)
Rules
DNS VPC
Route53 Resolver
Endpoints
Amazon
Route 53
Private
Hosted Zones
VPC
Names
Internet
Domains

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
DNS resolution between accounts
dev.awscloud.example.com
prod.awscloud.example.com
DNS VPC
Amazon
Route 53
Internal Hosted
Zoneprod.awscloud.example.com
DNS request:
server1.prod.awscloud.example.com
server1.prod.awscloud.example.com
server1.dev.awscloud.example.com
Data
Cross-account Hosted
Zone-VPC association
Route53 Resolver
Inbound Endpoint

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
DNS resolution between AWS and on-premises
dev.awscloud.example.com
corporate data center
DNS Server
onprem.example.com
DNS VPC
Amazon
Route 53
dev.awscloud.example.com
server1.dev.awscloud.example.com
DNS request:
server1.onprem.example.com
server1.dev.awscloud.example.com
DNS request:
server1.onprem.example.com
Cross-account Hosted
Zone-VPC association
onprem.example.com
(Forwarding rule – uses
outbound endpoints)
Rules
Route53 Resolver
Endpoints

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Route 53 Resolver walkthrough

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Route 53 Resolver walkthrough

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Route 53 Resolver walkthrough—Inbound endpoint

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Route 53 Resolver walkthrough—Inbound endpoint

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Route 53 Resolver walkthrough—Inbound endpoint

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Route 53 Resolver walkthrough—Outbound endpoint

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Route 53 Resolver walkthrough—Outbound endpoint

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Route 53 Resolver walkthrough—Create forwarding rule

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Lab environment and walkthrough
awscloudx.example.com
(Participant Account)
DNS VPC (AWS account)
Amazon
Route 53
awscloud.example.com
DNS requests:
server1.awscloud.example.com
server1.onprem.example.com
server1.awscloudx.example.com
corporate data center
DNS Server
onprem.example.com
(AWS account)
server1.onprem.example.com
Hosted Zone-VPC
association
Data
Management
client
Cross-account VPC peering
Cross-account VPC peering
DHCP
Options Set
awscloudx.example.com
server1.awscloudy.example.com
Associate hosted zone
awscloud.example.com
awscloudx.example.com
server1.awscloud.example.com
awscloud.example.com
(AWS account)
CDM-AWSCLOUD (AWS account)
onprem.example.com
(Forwarding rule)
Rules
Route53 Resolver
Endpoints

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Pre-requisites
• Need an AWS account with access to Management Console
• Have permissions to launch VPC, Amazon Elastic Compute Cloud
(Amazon EC2) and Route 53 hosted zones. You will also need
permissions to create an IAM role.
• Note that there will be (a small) AWS cost to run an EC2 instance, for
VPC peering and for Route 53 in your account for the lab (please use
the provided lab credits).
• SSH client for connecting to Linux EC2 instance
Please clean-up your lab environment after the lab!

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Lab resources
• Lab guide available here: https://bit.ly/2QmvMGB

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Builder session repeats
Monday, November 26
NET 322-R: Centralizing DNS Management in a Multi-Account Environment
2:30 PM | Mirage, Grand Ballroom D, Table 4
Tuesday, November 27
NET 322-R1: Centralizing DNS Management in a Multi-Account Environment
4:00 PM | Aria West, Level 3, Starvine 3, Table 8
Wednesday, November 28
NET 322-R2: Centralizing DNS Management in a Multi-Account Environment
11:30 AM | Mirage, Grand Ballroom D, Table 7

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Related breakouts
Monday, November 26
NET215: Introduction to Amazon Route 53 Resolver for Hybrid Cloud
1:45 PM – 2:45 PM | Venetian, Level 5, Palazzo O
Monday, November 28
ARC408: Under the Hood of Amazon Route 53
5:30 PM – 6:30 PM | Aria East, Level 2, Mariposa 3
Wednesday, November 28
ARC408: Under the Hood of Amazon Route 53
11:30 AM – 12:30 PM | Venetian, Level 4, Lando 4305

27. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Anuj Dewangan
anujddew@amazon.com

28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Landing Zone