Handling Private Hosted Zones in R53
Part 03 — AWS R53 Series
Background
As you know, there are two types of Hosted Zones available in AWS Route53 (R53).
- Public Hosted Zones
- Private Hosted Zones
In my previous R53 articles (see below links) I discussed Routing policies around a public hosted zone.
AWS Route53 and Routing Policies — Part 01: https://crishantha.medium.com/aws-route-53-and-routing-scenarios-671d12991260
AWS Route53 and Routing Policies — Part 02: https://crishantha.medium.com/aws-route-53-and-routing-policies-b7dc67e74516
In this article, I will be focusing on “Private Hosted Zones”. So lets dive in!
AWS R53 Private Hosted Zones
A private hosted zone is a container that holds information about how you want Amazon Route 53 to respond to DNS queries for a domain and its subdomains within one or more VPCs that you create with the Amazon VPC service [1]
As name suggests, Private Hosted Zones are not public and they are not accessible from the public Internet.
A “Private Hosted Zone” is primarily associated with a Virtual Private Cloud (VPC) and they cannot be queried outside of associated VPCs.
On figure 01, you can see two VPCs and one (the custom VPC) is attached to the private hosted zone and the other one, which is the default VPC is not attached to it.
The R53 resolver was previously names as the “VPC resolver”. It basically does attach an EC2 instance to a private hosted zone.
Lets Try It!
Lets now try to simulate the above (See Figure 01) scenario.
Step 01:
Create two public EC2 instances (one in the Default VPC and one in a Custom VPC)
Step 02:
Attach only the “Custom VPC” to the private hosted zone.
For this you are required to create a private hosted zone attaching the “Custom VPC” to it.
See the above (Figure 02) to see how we can select the “Private Hosted Zone” on the screen. Once you select the “Private Hosted Zone” check box, you will be prompted to select the VPCs, which you can attach to the “Private Hosted Zone”.
P.Note: You can enter any Domain Name here. (e.g.: crish-test.com). It is not required for you to register a Domain Name given here, mainly because this is created under a “Private Hosted Zone”.
On figure 03, you can see we have selected only the “Custom VPC” as an attachment to the Private Hosted Zone.
If all okay, you may click “Create Hosted Zone” button to create.
Step 03:
Once you click the “Create Hosted Zone” button, you will be forwarded to the “Record Sets” page.
Here, you may add an “A” record to test the scenario. I am here using an “A” record which will forward the traffic to a S3 bucket (assume I have already created a S3 bucket mapping the name of the “Domain Name” given under the “Private Hosted Zone” (See Figure 04).
P.Note: You can create any type of an “A” record such as a dummy EC2 instance, etc. Here I have used a S3 bucket for completeness.
Step 04:
Now it is the time to test!
You may SSH into the EC2 instance, which was created under the default VPC. Once you SSH into the EC2 instance, you may PING to the created private hosted zone domain (e.g. crish-test.com).
You can see that, the domain is not recognized as expected. This is due to the non-attachment to the private hosted zone (See Figure 05).
Now lets try the other EC2 instance, which was created within the custom VPC (See Figure 06).
You can clearly see, the EC2 instance, which was attached to the private hosted zone can PING the domain name specified under the private hosted zone.
References
- Working with AWS private hosted zones: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-private.html
- Deep dive on DNS in the hybrid cloud (Re-Invent 2019): https://www.youtube.com/watch?v=_Z5jAs2gvPA
- Resolving DNS queries between VPCs and your network: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html
