AWS KC Videos: How do I resolve records in a private hosted zone from outside the VPC?

Hello, I am Sujana, a Cloud Support Engineer here at AWS in Northern Virginia. Sometimes customers ask me how they can resolve records in a private hosted zone associated with a VPC from another VPC or from on-premises networks. I tell them they can set up an EC2 instance as a DNS forwarder in the VPC to resolve the records in the private hosted zone for requests that come from outside the VPC. You need to do this because the DNS resolver in the VPC answers only queries that come from within the VPC.

Today we'll test a record created in a private hosted zone associated with a VPC from another VPC, which can be in the same or a different region, or even in a different AWS account. For this video we'll test with two VPCs that belong to the same account but are in different regions. We will test on an existing environment with two VPCs in two different regions; the setup is as follows. The first VPC is in the us-east-2 region and has one public instance, instance A, which we will set up as the forwarder, and one private instance. We have a private hosted zone associated with this VPC. The second VPC is in the ap-northeast-1 region and has one public instance, from which we will test the record in the private hosted zone.

Here are a few things to check: enable DNS hostnames and DNS resolution in the VPC associated with the private hosted zone; in the security group associated with the forwarder, allow TCP and UDP traffic on port 53 from the instances in the second VPC; for this exercise you can leave the network ACLs on all subnets at the default settings.

Now let's create a private hosted zone and associate it with a VPC. After signing in to the AWS Management Console, select the Amazon Route 53 console. Once we are in the Route 53 console, select the Hosted Zones section and click Create Hosted Zone. In the Domain Name field you can provide your domain name; for this video I'm going to use the domain name (inaudible). In the Comment field you could say "test hosted zone", and for the Type field I'm selecting Private Hosted Zone. Once you select the type Private Hosted Zone it gives you an option to select the VPC that you want to share this private hosted zone with; I'll be selecting my VPC in region one, us-east-2. This creates the private hosted zone and automatically provides two records: the NS record and the SOA record.

Inside the hosted zone I'll create a record that maps to the private instance in VPC A in the first region. For this record the name is "private", the type is A (IPv4 address), Alias is No, the TTL is 300 seconds, the value is the private IP address of the private instance in VPC 1, and the routing policy is Simple. Then click Create. Once we do that we'll have a record, private, pointing to the IP address 10.0.21.9. Any instances in the VPC associated with the zone will be able to resolve this record, but to resolve it from outside the VPC we need a forwarder, which we'll set up in the next section.

We will install BIND on the public instance in the first VPC, which will act as the forwarder for instances outside the VPC. Now let's go to the Amazon EC2 console. This is my instance in the first region; we'll use this instance, and we need to connect to it from the terminal, so let me just copy this. I have logged in to my public instance in the first VPC. By default the DNS resolver for a VPC is the VPC base address plus 2; this VPC's CIDR is 10.0.0.0/16, so the default resolver is 10.0.0.2. We can check the current resolver by typing the following command.

Now we can install BIND on this instance. Once BIND is installed we need to do some configuration in named.conf, which is in the /etc directory. Here we add an acl section where we define the hosts that we permit to query this instance: we allow the localhost loopback and our instance in the second VPC. A few changes in the options section: we allow queries only from the permitted hosts that we just defined, and we also allow recursion only from the permitted hosts. Let me give a little spacing here. We forward any query to the DNS resolver for the VPC: in the forwarders section we define 10.0.0.2, and we set this up as forward only. DNSSEC validation we set to no, as AWS doesn't support DNSSEC for its DNS services as of now. The rest we can leave at the defaults. Then save and exit. Now let's check the syntax of the configuration file and restart the service. Once the service has started, we'll test the record in the private hosted zone from the instance in the second VPC.

I have logged in to my instance in the second VPC. We can check the current resolver this instance is using by typing the following command; we can see that it is using the default VPC CIDR plus 2, as the VPC CIDR is 20.0.0.0/16, so the resolver is 20.0.0.2. Now we edit the resolv.conf file to point the nameserver to the IP address of the instance acting as the forwarder in the first VPC, so I'm going to set the nameserver to the IP address of the forwarder in the first VPC. Now we are forwarding our requests to the public instance in the first VPC. At this point we should be able to resolve the record created in the private hosted zone from this instance, since we are forwarding all our requests to the forwarder in the first VPC, which in turn forwards them to the first VPC's DNS resolver. Let's test the record that we created in the private hosted zone, private.(inaudible). Here we can see that we are able to resolve the record, which points to the private IP address of the private instance in the first VPC. Thanks for watching, and happy cloud computing from all of us here at AWS.
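As an added example (not from the video or from AWS), the following Python computes the VPC base-plus-2 resolver address and renders the BIND options the video walks through: an acl of permitted hosts, allow-query and allow-recursion restricted to that acl, forward only to the VPC resolver, and DNSSEC validation off. The VPC CIDRs and the second VPC's instance address are constructed sample values; the function also refuses to render an open resolver (an empty or 0.0.0.0/0 acl), which is what the video's permitted-hosts list avoids.

```python
import ipaddress
from typing import Iterable

# Constructed sample values mirroring the video's setup (not real infrastructure):
VPC_A_CIDR = "10.0.0.0/16"      # first VPC: hosts the private hosted zone and the forwarder
VPC_B_QUERIER = "20.0.1.10/32"  # constructed address of the public instance in the second VPC
LOOPBACK = "127.0.0.1/32"


def vpc_resolver(vpc_cidr: str) -> str:
    """Amazon-provided DNS resolver is the VPC network address plus two (10.0.0.0/16 -> 10.0.0.2)."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    return str(net.network_address + 2)


def render_named_conf(vpc_cidr: str, permitted: Iterable[str], acl_name: str = "permitted") -> str:
    """BIND options for a forward-only forwarder that answers only the hosts in `permitted`.

    Refuses to render an open resolver: an empty or 0.0.0.0/0 acl would let any host that can
    reach port 53 use the instance for recursive queries, so that input is rejected.
    """
    nets = [ipaddress.ip_network(h, strict=False) for h in permitted]
    if not nets or any(n.prefixlen == 0 for n in nets):
        raise ValueError("permitted hosts must be a non-empty list of specific addresses/prefixes")
    acl_body = " ".join(f"{n};" for n in nets)
    return "\n".join([
        f'acl "{acl_name}" {{ {acl_body} }};',
        "options {",
        '    directory "/var/named";',
        f"    allow-query {{ {acl_name}; }};",               # only the permitted hosts may ask
        "    recursion yes;",
        f"    allow-recursion {{ {acl_name}; }};",           # and only they get recursion
        f"    forwarders {{ {vpc_resolver(vpc_cidr)}; }};",  # hand every query to the VPC resolver
        "    forward only;",                                 # never contact other servers directly
        "    dnssec-validation no;",                         # as in the video
        "};",
        "",
    ])


if __name__ == "__main__":
    print(render_named_conf(VPC_A_CIDR, [LOOPBACK, VPC_B_QUERIER]))
```

The forwarder's security group still has to admit TCP and UDP 53 from the same hosts the acl names; the acl is the second layer, not a replacement for it.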


  • Tony Chia

    Great topic. But doesn't this create a single point of failure? If the DNS forwarder is down then everything will be down from the 2nd VPC. Do you also need to set up a VPC peering between the first VPC and the 2nd VPC?

  • Abhijit Zanak

    I have a VPN per region in order to connect to instances in a VPC. Can I connect to instances in multiple VPCs from multiple regions using a single VPN?

  • Yogi Maurya

    Hi Sujana, could you please update: how to use a proxy instead of a NAT Gateway for internet access from a private subnet in AWS VPCs?

  • Naveen Kerati

    Hi there,
    By using the above I am able to resolve the records in private hosted zones from on-premises networks using a forwarder address. But how can I resolve the domain names in an AWS VPC where the name servers are in on-premises networks?

  • Kashu and Pareena

    Nice video, but since in VPC-Zone B I am sending all the requests to the DNS forwarder in VPC-Zone A, what will happen if I need to communicate with the AWS resources in Zone A? How will the DNS resolution happen in that case?

  • Antonio Gomez

    I have everything set up except "a private hosted zone" for my VPC. Why is this required for BIND to work? At the moment I've set up everything as said, but it's not working (my case is for my on-premises hosts to resolve internal VPC records).
