Choosing the Right DNS Architecture for VMware Cloud on AWS
By Schneider Larbi, Specialist Solutions Architect at AWS
By James Devine, Sr. Outposts Solutions Architect at AWS
VMware Cloud on AWS customers have many options to implement hybrid DNS solutions, ranging from self-hosted to fully managed native services from Amazon Web Services (AWS).
In this post, we’ll cover DNS architectures that use native AWS services as well as traditional Active Directory designs. We’ll also cover integration with Amazon Route 53 Private Hosted Zones and inbound endpoints, and discuss the configuration of DNS within VMware Cloud on AWS.
DNS name resolution is critical when running workloads on VMware Cloud on AWS. Infrastructures must be able to resolve host names of workloads running on VMware Cloud on AWS, as well as workloads and services running in the connected Amazon Virtual Private Cloud (Amazon VPC).
Overall, the goal is a single view of DNS that’s available for virtual machines (VMs) running on VMware Cloud on AWS, as well as instances running in the connected VPC, or another VPC altogether.
We will highlight some of the most common options to accomplish this hybrid DNS. For more alternatives and approaches, please see the Hybrid Cloud DNS Options Whitepaper.
Many customers use Microsoft DNS for name resolution on-premises, and can continue to do so when they migrate to VMware Cloud on AWS. In fact, there are more options available that include the use of native AWS services.
One way customers can implement their existing DNS infrastructure on VMware Cloud on AWS is to deploy VMs to their VMware Cloud on AWS and configure the Microsoft DNS service. The VMs are connected to a selected logical network within VMware Cloud on AWS.
Note that it’s best practice to use static IP addresses for the DNS servers so that name resolution is not impacted by an IP address change.
All of your servers within the VMware Cloud on AWS environment can use the Microsoft DNS VMs for name resolution. There are also scenarios that require DNS resolution of native AWS services running in the connected Amazon VPC.
We recommend you also deploy additional DNS servers as Amazon Elastic Compute Cloud (Amazon EC2) instances in the connected VPC to optimize DNS queries between resources in VMware Cloud on AWS and resources in the connected VPC. VMs and Amazon EC2 instances should then be configured to use both the DNS VMs and the EC2 DNS instances for name resolution.
Figure 1 – Microsoft DNS service architecture.
The diagram in Figure 1 shows the Microsoft DNS service installed on a VM running within a VMware Cloud on AWS cluster with an extension running on an EC2 instance in the connected VPC.
Managed Microsoft DNS
Customers can also use AWS Directory Services to provide DNS resolution through a managed service. This architecture follows the same pattern of setting up a Managed Active Directory environment in the connected VPC.
The directory service provides IP addresses that can be entered as the DNS server IPs in the DNS configuration on VMware Cloud on AWS.
It’s worth noting that with this architecture, if you exclusively use AWS Managed Microsoft DNS, you are not able to deploy additional DNS servers as VMs within the VMware Cloud on AWS cluster as an extension to the AWS Managed DNS service.
However, you can still use the DNS service from the connected VPC and use the Compute Gateway and Management Gateways as forwarders in the DNS settings for VMware Cloud on AWS.
Figure 2 – Microsoft Managed DNS service architecture.
AWS Managed Microsoft Active Directory (AD) can provide additional DNS forwarding capabilities if customers have requirements for DNS resolution to Amazon Route 53 and even on-premises. Refer to this blog post for additional details.
It’s also possible to use open source DNS servers, such as BIND, in which case similar design considerations apply.
Amazon Route 53 Resolver Inbound Endpoint
Amazon Route 53 service offers another alternative for providing DNS to VMware Cloud on AWS environments through the use of an inbound endpoint, which is a managed service that provides a DNS resolver.
The endpoint has the same view of DNS as the VPC in which it resides. This allows for private hosted zone name resolution, internet name resolution, and fully customizable name resolution through the use of forwarding rules.
An inbound endpoint can be provisioned directly inside the connected VPC. The endpoint can have multiple elastic network interfaces (ENIs), each with their own IP address.
For high availability, at least two ENIs in different availability zones should be used. Each ENI is capable of 10,000 queries per second and more ENIs can be added to scale out.
Figure 3 – Amazon Route 53 Resolver inbound endpoint architecture.
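The sizing and placement rules above (at least two ENIs in different Availability Zones, 10,000 queries per second per ENI) can be turned into a small planning step before the endpoint is created. The following is an added example and not code from the original post or from AWS: the subnet IDs, Availability Zones, security group ID and SDDC CIDR are constructed placeholders. It builds the `create_resolver_endpoint` request for boto3, spreads the ENIs across zones, and generates a least-privilege security group rule set that admits only DNS (UDP and TCP 53) from the networks that will forward to the endpoint. `boto3` is imported only inside the function that talks to AWS, so the planning logic runs offline.

```python
"""Plan and create an Amazon Route 53 Resolver inbound endpoint.

Added example (not from the original post). Subnet IDs, Availability Zones,
security group ID and CIDRs are constructed placeholders.
"""
import math
import uuid

QPS_PER_ENI = 10_000   # per-ENI capacity stated in the post
MIN_ENIS = 2           # at least two ENIs for high availability


def plan_inbound_endpoint(subnets, expected_qps, security_group_id, name):
    """Return the boto3 create_resolver_endpoint request for an inbound endpoint.

    `subnets` maps subnet ID -> Availability Zone. Raises ValueError when the
    plan is not highly available (fewer than two AZs) or cannot carry the
    expected aggregate query rate.
    """
    zones = set(subnets.values())
    if len(zones) < 2:
        raise ValueError("inbound endpoint needs subnets in at least two AZs")
    needed = max(MIN_ENIS, math.ceil(expected_qps / QPS_PER_ENI))
    if needed > len(subnets):
        raise ValueError(
            f"{needed} ENIs needed for {expected_qps} qps, "
            f"but only {len(subnets)} subnets supplied")
    # Round-robin over AZs so the ENIs are spread as evenly as possible.
    by_zone = {}
    for sid, az in sorted(subnets.items()):
        by_zone.setdefault(az, []).append(sid)
    chosen = []
    while len(chosen) < needed:
        for az in sorted(by_zone):
            if by_zone[az] and len(chosen) < needed:
                chosen.append(by_zone[az].pop(0))
    return {
        "CreatorRequestId": str(uuid.uuid4()),  # idempotency token
        "Name": name,
        "SecurityGroupIds": [security_group_id],
        "Direction": "INBOUND",
        "IpAddresses": [{"SubnetId": sid} for sid in chosen],
    }


def inbound_sg_rules(source_cidrs):
    """Least-privilege ingress for the endpoint's security group:
    DNS over UDP and TCP port 53 only, from the given source networks."""
    ranges = [{"CidrIp": cidr} for cidr in source_cidrs]
    return [
        {"IpProtocol": proto, "FromPort": 53, "ToPort": 53, "IpRanges": ranges}
        for proto in ("udp", "tcp")
    ]


def create_inbound_endpoint(request, sg_rules, region="us-east-1"):
    """Apply the plan in AWS. Needs credentials; not exercised offline."""
    import boto3  # lazy import so the planning functions run without boto3
    ec2 = boto3.client("ec2", region_name=region)
    ec2.authorize_security_group_ingress(
        GroupId=request["SecurityGroupIds"][0], IpPermissions=sg_rules)
    r53r = boto3.client("route53resolver", region_name=region)
    return r53r.create_resolver_endpoint(**request)["ResolverEndpoint"]


if __name__ == "__main__":
    # Constructed sample values (placeholders, not real resources).
    subnets = {"subnet-aaa": "us-east-1a", "subnet-bbb": "us-east-1b",
               "subnet-ccc": "us-east-1a"}
    req = plan_inbound_endpoint(subnets, expected_qps=25_000,
                                security_group_id="sg-placeholder",
                                name="vmc-inbound")
    rules = inbound_sg_rules(["10.10.0.0/16"])  # SDDC networks, constructed
    print(req)
    print(rules)
    # create_inbound_endpoint(req, rules)  # uncomment with real credentials
```

With 25,000 expected queries per second the planner asks for three ENIs and places them a, b, a across the two zones; a plan whose subnets all sit in one zone is rejected before anything is created.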
Private Hosted Zones
Amazon Route 53 supports private hosted zones, which provide private domain name resolution to resources within a VPC. Many customers use private hosted zones to support private domain names that are only resolvable from within a VPC.
Customers who have many VPCs, in addition to VMware Cloud on AWS, can use this option for DNS resolution to resolve DNS queries within the VPCs and VMware Cloud on AWS.
When using an inbound endpoint directly for DNS resolution, any private hosted zones associated with the VPC are resolvable. If using Microsoft DNS servers you must add a conditional forwarding rule. An inbound endpoint is still used in this case, as it provides scalable DNS resolution.
Figure 4 – Private hosted zones architecture.
Configuring DNS Options for VMware Cloud on AWS
DNS options for VMware Cloud on AWS are configured through the VMware Cloud Services Console under the Networking and Security section. Within the DNS section, you can enter DNS server IP addresses for the Compute Gateway and Management Gateway.
These gateways serve as forwarders for the DNS service to forward your DNS queries to the specified DNS servers. On each of the gateways, you enter your DNS server IP addresses, and can optionally specify the Fully Qualified Domain Name Zones.
If using private hosted zones with resolver endpoints, you can enter the endpoint IP addresses in the DNS IP section of the DNS setting under the VMware Cloud on AWS Console. Figure 5 shows what the setting looks like when configured on VMware Cloud on AWS.
Figure 5 – Entering endpoint IP addresses in the DNS IP section of the DNS setting.
You can also add specific zones to the DNS configuration to allow your DNS infrastructure to resolve names to the specified zones, as represented below.
Figure 6 – Adding specific zones to the DNS configuration.
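Both the conditional forwarding rule on Microsoft DNS described under Private Hosted Zones and the FQDN Zones entered on the Compute and Management Gateways are longest-suffix matches: the most specific zone that contains the queried name decides where the query is sent, and anything else goes to the default servers. The following is an added example, not code from the original post or from VMware or AWS, that models that decision for a small hybrid layout so you can check which server answers a given name before changing a production configuration. Zone names, server IPs and the private hosted zone are constructed placeholders; the rendered `Add-DnsServerConditionalForwarderZone` command is the Windows DnsServer module cmdlet for the forwarder Microsoft DNS needs, with `-ReplicationScope 'Forest'` assumed for an AD-integrated zone.

```python
"""Trace where a DNS query goes in a hybrid VMware Cloud on AWS design.

Added example (not from the original post). All names, IPs and zones
below are constructed placeholders.
"""
from dataclasses import dataclass, field


def _suffix_match(name, zones):
    """Return the longest zone (as given) that `name` belongs to, or None."""
    n = name.lower().rstrip(".")
    best = None
    for zone in zones:
        z = zone.lower().rstrip(".")
        if n == z or n.endswith("." + z):
            if best is None or len(z) > len(best.lower().rstrip(".")):
                best = zone
    return best


@dataclass
class Gateway:
    """Compute or Management Gateway DNS settings from the VMC console."""
    default_servers: list
    fqdn_zones: dict = field(default_factory=dict)  # zone -> [server IPs]

    def forwarders_for(self, name):
        z = _suffix_match(name, self.fqdn_zones)
        return self.fqdn_zones[z] if z else self.default_servers


@dataclass
class WindowsDns:
    """Microsoft DNS: authoritative zones, conditional forwarders, forwarders."""
    authoritative: list
    conditional: dict   # zone -> [master servers], e.g. inbound endpoint IPs
    forwarders: list    # default forwarders for everything else

    def next_hop(self, name):
        if _suffix_match(name, self.authoritative):
            return ("authoritative", None)
        z = _suffix_match(name, self.conditional)
        if z:
            return ("conditional-forward", self.conditional[z])
        return ("forward", self.forwarders)


@dataclass
class InboundEndpoint:
    """Route 53 Resolver inbound endpoint: sees the PHZs associated with its VPC."""
    private_zones: list

    def resolves(self, name):
        z = _suffix_match(name, self.private_zones)
        return ("private-hosted-zone", z) if z else ("public", None)


def trace(name, gateway, servers, max_hops=6):
    """Follow the primary server at each step; secondaries are HA alternates."""
    targets = gateway.forwarders_for(name)
    path = [("gateway", tuple(targets))]
    ip = targets[0]
    for _ in range(max_hops):
        srv = servers.get(ip)
        if srv is None:
            path.append((ip, "not-modelled"))
            return path
        if isinstance(srv, InboundEndpoint):
            path.append((ip, srv.resolves(name)))
            return path
        kind, nxt = srv.next_hop(name)
        path.append((ip, kind))
        if kind == "authoritative":
            return path
        ip = nxt[0]
    path.append(("loop", "max hops exceeded"))  # forwarding loop guard
    return path


def conditional_forwarder_cmdlet(zone, masters):
    """Render the Windows DNS cmdlet that creates the conditional forwarder."""
    return ("Add-DnsServerConditionalForwarderZone -Name '%s' "
            "-MasterServers %s -ReplicationScope 'Forest'"
            % (zone, ",".join(masters)))


# Constructed sample layout: Windows DNS VMs in the SDDC, inbound endpoint
# ENIs in the connected VPC, one private hosted zone associated with that VPC.
ENDPOINT_IPS = ["10.0.1.5", "10.0.2.5"]
GATEWAY = Gateway(default_servers=["10.10.1.10", "10.10.2.10"])
SERVERS = {
    "10.10.1.10": WindowsDns(authoritative=["corp.example.com"],
                             conditional={"aws.example.internal": ENDPOINT_IPS},
                             forwarders=ENDPOINT_IPS),
    "10.0.1.5": InboundEndpoint(private_zones=["aws.example.internal"]),
}

if __name__ == "__main__":
    for q in ("db01.aws.example.internal", "fs01.corp.example.com", "www.amazon.com"):
        print(q, "->", trace(q, GATEWAY, SERVERS))
    print(conditional_forwarder_cmdlet("aws.example.internal", ENDPOINT_IPS))
```

In the sample layout a name in the private hosted zone is routed by the Windows conditional forwarder to the inbound endpoint and answered from the hosted zone, a name in the on-premises-style zone is answered authoritatively, and everything else is forwarded to the endpoint for public resolution; adding an FQDN Zone on the gateway that points straight at the endpoint IPs short-circuits the Windows hop for that zone.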
There are a number of considerations when implementing DNS, as VMware Cloud on AWS can add complexities. First and foremost is availability. Name resolution is critical in any system, and it’s important to ensure it is configured in a highly available manner.
When running Microsoft DNS servers, be sure to consider the fault domains and availability. For example, you can deploy DNS servers in VMs as well as Amazon EC2 instances for added redundancy. This helps increase availability and reduce the latency of DNS name resolution for your workloads in the VMware Cloud on AWS connected VPC.
Consider using an Amazon Route 53 inbound endpoint for DNS resolution, as it provides a managed DNS service that’s highly available and scalable, and integrates well with VMware Cloud on AWS. It also makes it easy to integrate with a large number of VPCs. Each ENI that makes up an endpoint is capable of 10,000 queries per second, and this can scale by adding additional ENIs.
Within the connected VMware Cloud, there is an Amazon Route 53 resolver that’s meant for DNS resolution from instances. This is also known as Amazon Provided DNS, or the .2 resolver. Do not use this address for DNS resolution within VMware Cloud on AWS.
There is a limit of 1,024 queries per second from an endpoint, and in the case of VMware Cloud on AWS this limit is shared by all the VMs running within the software-defined data center (SDDC). This limit can quickly be surpassed at even a moderate scale and cause DNS queries to intermittently fail.
By default, the VMware Cloud on AWS is configured with public DNS resolver IP addresses of 184.108.40.206 and 220.127.116.11 to allow for public DNS resolution. Depending on your DNS infrastructure, you will likely want to change this setting and use one of the DNS options mentioned in this post.
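The considerations above reduce to a handful of checks that can be run against a planned gateway DNS server list before it is entered in the console: no .2 resolver, the default public resolvers replaced, at least two servers, and, where inbound endpoint IPs are used, ENIs in two Availability Zones with enough aggregate capacity for the expected query rate. The following is an added example and not code from the original post or from AWS. The VPC CIDR, endpoint IPs, Availability Zones and query rates are constructed placeholders; the 1,024 and 10,000 queries-per-second figures and the two default public resolver addresses are the values this post states.

```python
"""Check a planned DNS server list for the VMware Cloud on AWS gateways
against the pitfalls called out in the post.

Added example (not from the original post). CIDRs, IPs, AZs and query
rates are constructed placeholders.
"""
import ipaddress

ENI_QPS = 10_000         # per inbound endpoint ENI, as stated in the post
DOT2_QPS_LIMIT = 1_024   # Amazon Provided DNS limit, shared by the whole SDDC
DEFAULT_PUBLIC = {"184.108.40.206", "220.127.116.11"}  # defaults named in the post


def amazon_provided_dns(vpc_cidr):
    """The Amazon Provided DNS (.2 resolver) address is the VPC base + 2."""
    net = ipaddress.ip_network(vpc_cidr, strict=False)
    return str(net.network_address + 2)


def check_dns_servers(servers, vpc_cidr, endpoint_ips_by_az, expected_qps):
    """Return a list of findings for a gateway's DNS server list.

    servers: IPs to be entered for the Compute or Management Gateway.
    vpc_cidr: CIDR of the connected VPC.
    endpoint_ips_by_az: AZ -> set of inbound endpoint ENI IPs.
    expected_qps: aggregate SDDC query rate that would hit the listed ENIs.
    An empty list means the plan passes.
    """
    findings = []
    dot2 = amazon_provided_dns(vpc_cidr)
    if dot2 in servers:
        findings.append(f"{dot2} is the .2 resolver; its {DOT2_QPS_LIMIT} qps "
                        "limit is shared by every VM in the SDDC")
    public = DEFAULT_PUBLIC & set(servers)
    if public:
        findings.append(f"default public resolvers still configured: {sorted(public)}")
    if len(servers) < 2:
        findings.append("fewer than two DNS servers: no redundancy")
    eni_az = {ip: az for az, ips in endpoint_ips_by_az.items() for ip in ips}
    used = [ip for ip in servers if ip in eni_az]
    if used:
        azs = {eni_az[ip] for ip in used}
        if len(azs) < 2:
            findings.append(f"inbound endpoint ENIs in use are all in {azs.pop()}; "
                            "spread them across two AZs")
        # Aggregate bound: the listed ENIs together must carry the load.
        if expected_qps > len(used) * ENI_QPS:
            findings.append(f"{expected_qps} qps exceeds {len(used)} ENI(s) x "
                            f"{ENI_QPS} qps; add ENIs to the endpoint")
    return findings


if __name__ == "__main__":
    enis = {"us-east-1a": {"10.0.1.5"}, "us-east-1b": {"10.0.2.5"}}  # constructed
    plans = {
        "endpoint, two AZs": ["10.0.1.5", "10.0.2.5"],
        "defaults plus .2": ["10.0.0.2", "184.108.40.206"],
        "single ENI": ["10.0.1.5"],
    }
    for label, plan in plans.items():
        print(label, "->", check_dns_servers(plan, "10.0.0.0/16", enis, 15_000) or "OK")
```

The single-ENI plan is the instructive one: it passes the .2 and public-resolver checks yet still fails on redundancy, zone spread and capacity, which is exactly the "works in testing, fails at moderate scale" pattern the post warns about.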
A number of options for providing DNS resolution for a VMware Cloud on AWS environment are available. You can continue to use the methods you use on-premises, or you can adopt AWS cloud-native services to provide greater availability, scalability, and ease of management.