Networking & Content Delivery
Custom domain names for VPC Lattice resources
Amazon VPC Lattice is a fully managed application networking service that lets you connect, secure, and monitor communication between your services and resources within and across VPCs and accounts. Today, we announce custom domain names for Lattice resources. In this post, we will examine this feature in detail.
Resource owners can now specify a Fully Qualified Domain Name (FQDN) as the custom domain name for a Lattice resource before sharing it with consumers in other VPCs and accounts. Consumers can then access the resource using this FQDN. VPC Lattice manages a private hosted zone in the consumer’s VPC that enables clients to connect to the resource using the custom domain name. Resource owners have the flexibility to either use domains they own or domains they don’t own such as Amazon-provided or third-party domains. Consumers can choose which types of domains they want to allow VPC Lattice to manage private hosted zones for in their VPCs.
In the rest of this post, we will first go over the use cases that this feature enables and then describe how the feature works with examples.
Prerequisites
This guide assumes you understand VPC Lattice fundamentals. If you need background information, review the VPC Lattice User Guide before proceeding.
Key Use Cases
Custom domain names for resources extend VPC Lattice’s capabilities by addressing several important new use cases:
- Cluster-based resources: Customers can now use resource configurations to share and access cluster-based resources across VPC and account boundaries, such as cache clusters, Kafka clusters, etc. To access cluster-based resources, a client needs to know the cluster topology and be able to query specific nodes in the cluster. With this feature, cluster owners can specify a custom domain name for each node in the cluster, thereby enabling clients to identify and query individual nodes directly.
- TLS-based applications: Customers can now use resource configurations to share and access TLS-based applications. In Transport Layer Security (TLS), clients must connect using a domain for which the server can present a valid certificate. With this feature, resource owners can specify the required domain name as the custom domain name in the resource configuration, ensuring seamless TLS connectivity for clients.
- Amazon-provided or third-party owned domains: Customers can now share resources whose domains are provided by Amazon or third parties. AWS-native resources often have endpoints of the form example.amazonaws.com or example.aws. With this feature, a resource owner can share such resources by creating a resource configuration and specifying the Amazon-provided endpoint as the custom domain name. For example, an Amazon MSK cluster might have multiple broker endpoints such as b-1.example-cluster.abc123.c2.kafka.us-east-1.amazonaws.com and b-2.example-cluster.abc123.c2.kafka.us-east-1.amazonaws.com. Resource owners can create resource configurations for each broker endpoint, specifying the MSK-provided domains as custom domain names, enabling consumers to connect to specific Kafka brokers using the AWS-provided endpoints.
- Enhanced security posture: Resource owners can use both verified and unverified custom domains. Verified domains are those whose ownership is verified by AWS, ensuring that a given domain is used only by its legitimate owner. They provide an enhanced security posture to consumers. Unverified domains offer flexibility for development scenarios or when using Amazon/third-party domains. This dual approach maintains strong security controls for production workloads while providing flexibility for development and testing environments.
Now, let’s examine the important VPC Lattice components that enable this functionality.
Introducing Domain Verification
Domain verification is the process of proving ownership of a domain (e.g., example.com) that you want to use as a custom domain name for resource configurations. For instance, if you are part of Example Organization, your resource and application endpoints follow patterns such as abc.example.com or xyz.example.com. You may therefore want to use FQDNs (Fully Qualified Domain Names)—complete domain names that specify the exact location in the DNS hierarchy—ending in ‘example.com’ as custom domain names for your resource configurations. Domain Verification streamlines this process.
A Domain Verification object contains two key properties: the domain and its verification status.
Verification Process: When you initiate verification for a domain, VPC Lattice automatically creates a Domain Verification object in ‘pending’ status and returns a TXT record configuration consisting of a (Name, Value) pair. To prove your ownership of the domain, you must create a TXT record using this pair in your domain’s DNS zone. VPC Lattice checks whether the TXT record matches what was returned. Upon successful validation, the status of the Domain Verification changes to ‘verified’.
Integration with Resource Configuration: A resource configuration reflects its custom domain name’s verification status. When you describe a resource configuration using a verified domain such as example.com, you will see the verification status as a property of the resource configuration.
Subdomain Inheritance: Once you verify a domain, all its subdomains are automatically considered verified. For instance, after verifying example.com, you can immediately use FQDNs such as abc.example.com and def.xyz.example.com as custom domain names for resource configurations in your account with no additional verification required.
Configuration Steps
The example below captures the verification process.
Step 1: Start domain verification
To start domain verification from the AWS Management Console, navigate to the VPC menu, select Domain Verifications and click Start domain verification.
Figure 1: Shows how to start the domain verification process using the AWS Management Console
To check the verification status, navigate to Domain Verification under the Lattice and PrivateLink menu, where you will see the TXT record name and value that need to be added to your DNS zone.
Figure 2: Domain Verification status on AWS Management Console
Step 2: Create TXT record
Add this name-value pair as a TXT record in your domain’s DNS zone to prove ownership. VPC Lattice will then update the Domain Verification to ‘verified’. The status change may take a few hours to complete.
Figure 3: Shows how to create TXT records for Route 53 hosted zones
How It Works
Now that we understand Domain Verification, let us walk through an end-to-end workflow covering three personas: resource owner, consumer (VPC owner), and service network owner.
Resource Owner Experience
Step 1 (Optional): Verify your domain
As a resource owner, you have the flexibility to use a verified or unverified domain. The verification status is visible to consumers with whom you share the resource configuration. For verified domains, you will need a Domain Verification object with ‘verified’ status. Keep the Domain Verification ID ready for the next step.
Step 2: Create Resource Configuration
When creating a resource configuration of type ‘Single’ with a custom domain name:
- For verified domains: Provide the Domain Verification ID in the Resource Configuration.
- For unverified domains: Leave the ID field blank if you are using an Amazon-provided domain, a third-party domain that you do not own, or a domain you have not verified. In this case, the resource configuration will reflect a status of ‘unverified’.
Figure 4: Shows how to specify a custom domain name and verification ID for a resource configuration
Resource Configuration of type ‘Group’ and ‘Child’
A resource configuration of type ‘group’ does not have a custom domain name, but it dictates the custom domain names of its children. You first define a ‘Group Domain’ on the group. Subsequently, for each child you can specify a custom domain name that is a subdomain of the Group Domain.
When using verified domains, you only need to provide the Domain Verification ID corresponding to the Group Domain. This Domain Verification automatically applies to each child.
Step 1: Create the Resource Configuration Group
Begin by creating the group that will contain your child configurations:
- Open the Amazon VPC console
- Navigate to Resource configurations under PrivateLink and Lattice
- Click Create Resource configuration
- Enter a unique name for your group
- Select Resource group as the configuration type
- Enter Group Domain Name for the group
Figure 5: Shows how to create a group resource configuration and specify a Group Domain
Step 2: Specify a custom domain name for the child resource configuration
Figure 6: Creating a child resource configuration and specifying a custom domain name
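The verification lifecycle, subdomain inheritance and the group/child subdomain rule from the sections above, as an added example in Python (not AWS or VPC Lattice code): the DNS lookup is injected as a function so the model runs offline against a constructed zone, and the TXT record name and value, the `DomainVerification` class and the helper names are constructed placeholders, not the real names VPC Lattice returns. Whether a child may reuse the Group Domain itself is not stated on the page; the check below assumes a strict subdomain is required.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# Signature of the injected DNS lookup: record name -> TXT strings served.
TxtLookup = Callable[[str], Iterable[str]]


def normalize(domain: str) -> str:
    """Lower-case and drop a trailing dot so comparisons are consistent."""
    return domain.strip().lower().rstrip(".")


def is_same_or_subdomain(fqdn: str, parent: str) -> bool:
    """True if fqdn equals parent or lies below it on a label boundary.

    A bare suffix test would accept 'notexample.com' for 'example.com';
    requiring the '.' separator keeps look-alike domains out.
    """
    fqdn, parent = normalize(fqdn), normalize(parent)
    return fqdn == parent or fqdn.endswith("." + parent)


@dataclass
class DomainVerification:
    """Model of the Domain Verification object: a domain and its status.

    txt_name / txt_value stand in for the (Name, Value) pair returned when
    verification starts; the format used here is constructed.
    """
    domain: str
    txt_name: str
    txt_value: str
    status: str = "pending"

    def check(self, lookup_txt: TxtLookup) -> str:
        """Re-evaluate the status from what the DNS zone currently serves.

        Expected value present -> 'verified'. A previously verified domain
        whose TXT record has been deleted -> 'unverified' (the periodic
        re-check described under Considerations); otherwise status is kept.
        """
        served = [v.strip('"') for v in lookup_txt(normalize(self.txt_name))]
        if self.txt_value in served:
            self.status = "verified"
        elif self.status == "verified":
            self.status = "unverified"
        return self.status


def effective_status(custom_domain: str, dv: Optional[DomainVerification]) -> str:
    """Status a resource configuration shows for its custom domain name.

    No Domain Verification ID -> 'unverified'. With one, the custom domain
    inherits 'verified' only if it is the verified domain or a subdomain of
    it, and only while that Domain Verification is itself verified.
    """
    if dv is None or dv.status != "verified":
        return "unverified"
    return "verified" if is_same_or_subdomain(custom_domain, dv.domain) else "unverified"


def validate_child_domain(group_domain: str, child_domain: str) -> bool:
    """A child's custom domain name must be a subdomain of the Group Domain.

    Assumption: a strict subdomain is required, so the Group Domain itself
    is rejected as a child name.
    """
    return (is_same_or_subdomain(child_domain, group_domain)
            and normalize(child_domain) != normalize(group_domain))


def demo() -> Dict[str, str]:
    """Walk the lifecycle against a constructed zone for example.com."""
    zone: Dict[str, List[str]] = {}   # constructed zone contents

    def lookup(name: str) -> List[str]:
        return zone.get(name, [])

    dv = DomainVerification(
        domain="example.com",
        txt_name="_verification-placeholder.example.com",   # placeholder name
        txt_value="placeholder-token-abc123",                # placeholder value
    )
    out = {"start": dv.status}               # 'pending' until the record exists
    out["before_txt"] = dv.check(lookup)     # still 'pending'
    zone[dv.txt_name] = ['"placeholder-token-abc123"']   # owner adds the TXT record
    out["after_txt"] = dv.check(lookup)      # 'verified'
    out["subdomain"] = effective_status("abc.example.com", dv)   # inherited
    out["lookalike"] = effective_status("notexample.com", dv)    # not inherited
    zone.clear()                             # owner deletes the TXT record
    out["after_delete"] = dv.check(lookup)   # 'unverified'
    out["subdomain_after_delete"] = effective_status("abc.example.com", dv)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The label-boundary check in `is_same_or_subdomain` is the part worth copying into any tooling that mirrors this logic: a verified `example.com` must confer trust on `abc.example.com`, never on `notexample.com`.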
VPC Owners
As a consumer, you can access resource configurations shared with you from your VPC and/or on-premises network. To do so, you must first connect the resource configuration to your VPC either directly using a Resource Endpoint (RE), or by placing the resource configuration in a service network and connecting the service network to your VPC using a Service Network Endpoint (SN-E) or Service Network Association (SN-A). Refer to the Understanding VPC Lattice Components section to learn more about RE, SN-E, and SN-A.
Regardless of which connection method you choose, you have three controls to configure the types of domains for which you want VPC Lattice to manage private hosted zones in your VPC.
The first control in the console is ‘Enable DNS Names’, which tells VPC Lattice to manage private hosted zones in your VPC. If you do not enable DNS names, no zones will be created. In the CLI and APIs, this control is called ‘private-dns-enabled’.
Once you have enabled DNS names, you can use the second control called ‘Private DNS preferences’ to configure the types of domains for which you want to allow zone creation. You can choose among several options:
- ‘All domains’ (VPC Lattice manages private hosted zones for all custom domain names),
- ‘Verified domains only’ (VPC Lattice manages private hosted zones only for custom domain names that are verified),
- ‘Specified domains only’ (VPC Lattice manages private hosted zones only if the custom domain name is in the list of domains you have allowed), and
- ‘Verified domains and specified domains’ (VPC Lattice manages private hosted zones if the custom domain name is either verified or is in the list of domains you have allowed).
The default is ‘Verified domains only’.
If you select either ‘Specified domains only’ or ‘Verified domains and specified domains’, you can use the third control called ‘Specified domains’ to provide the list of domains you want to allow. You can use wildcards in your specified domains list.
Service Network Owners
As a Service Network Owner, you have an ‘Enable DNS Name’ control that overrides the Enable DNS Names control configured by a VPC owner for their SN-E or SN-A. When creating a service-network-resource-association to add a resource configuration to a service network, you must enable DNS name for the resource configuration. If you do not enable DNS name, VPC Lattice will not manage private hosted zones for that resource configuration in any VPC to which the service network is connected, even if the SN-E or SN-A has enabled DNS names. This creates a hierarchical control structure where the service network setting acts as the top-level control that overrides VPC-level settings.
Step 1: From the VPC console:
- Navigate to Lattice Service networks
- Select your service network
- Go to the Resource associations tab
- Click Create resource association
- Select your resource configuration
- Enable host names
- Create the association.
Figure 7: Service network creation and enabling DNS names
Step 2: From the VPC console:
- Navigate to Endpoints
- Click Create endpoint
- Select VPC Lattice service networks as the service category
- Choose your service network and VPC
- Configure the networking settings
- Create the endpoint.
Figure 8: Shows the three controls when creating a Resource endpoint
Considerations
Domain Verification: Multiple AWS accounts can verify ownership of the same domain. VPC Lattice periodically checks your DNS zone for the TXT record. If the TXT record is deleted, the Domain Verification corresponding to that domain will switch to a status of ‘unverified’. The ‘unverified’ status will be inherited by all its subdomains and resource configurations where the Domain Verification is being used.
Resource Configuration Requirements: Custom domain names and Domain Verification ID must be specified at the time of creation of the resource configuration. A resource configuration cannot be modified after creation to add a custom domain name or Domain Verification ID.
Group Domain: A group domain is required on a group resource configuration if you want VPC Lattice to create private hosted zones in consumer VPCs. If you do not specify a Group Domain, you can still specify custom domain names for each child. The custom domain names will be discoverable by the consumers with whom you share the group resource configuration, but VPC Lattice will not manage private hosted zones for them in the consumer VPC.
Domain Conflicts: Multiple resource configurations can have the same custom domain name. However, two resource configurations with the same custom domain name cannot be added to the same service network or as child resource configurations of the same group. If a VPC already has a hosted zone for a given domain, then VPC Lattice skips private hosted zone creation in that VPC for other resources with the same custom domain name.
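The VPC owner controls, the service network owner's override and the Domain Conflicts rule above, combined into one decision model as an added Python example (not AWS or VPC Lattice code). The preference labels follow the console wording in this post; the wildcard syntax (`*.example.com`), the class and function names, the skip reasons and the non-MSK domain names are assumptions constructed for the example, and the MSK broker endpoint is the one quoted earlier in the post.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# 'Private DNS preferences' options as labelled in the post.
ALL_DOMAINS = "All domains"
VERIFIED_ONLY = "Verified domains only"          # the default
SPECIFIED_ONLY = "Specified domains only"
VERIFIED_OR_SPECIFIED = "Verified domains and specified domains"


def normalize(domain: str) -> str:
    """Lower-case and drop a trailing dot so comparisons are consistent."""
    return domain.strip().lower().rstrip(".")


def domain_matches(pattern: str, domain: str) -> bool:
    """Match one 'Specified domains' entry against a custom domain name.

    Assumed wildcard form: a leading '*.' matches any name below that
    domain, one or more labels deep; any other entry must match exactly.
    Matching is on whole labels, so '*.example.com' does not match
    'notexample.com' or 'example.com' itself.
    """
    pattern, domain = normalize(pattern), normalize(domain)
    if pattern.startswith("*."):
        return domain.endswith(pattern[1:])
    return pattern == domain


@dataclass
class VpcDnsSettings:
    """The VPC owner's three controls on an RE, SN-E or SN-A."""
    private_dns_enabled: bool = False           # 'Enable DNS names'
    preference: str = VERIFIED_ONLY             # 'Private DNS preferences'
    specified_domains: List[str] = field(default_factory=list)
    # Domains that already have a hosted zone in this VPC (conflict rule).
    existing_zones: Set[str] = field(default_factory=set)


@dataclass
class ResourceConfig:
    custom_domain: str
    verified: bool   # verification status shown on the resource configuration


def allowed_by_preference(vpc: VpcDnsSettings, rc: ResourceConfig) -> bool:
    """Apply the 'Private DNS preferences' setting to one resource."""
    specified = any(domain_matches(p, rc.custom_domain) for p in vpc.specified_domains)
    if vpc.preference == ALL_DOMAINS:
        return True
    if vpc.preference == VERIFIED_ONLY:
        return rc.verified
    if vpc.preference == SPECIFIED_ONLY:
        return specified
    if vpc.preference == VERIFIED_OR_SPECIFIED:
        return rc.verified or specified
    raise ValueError(f"unknown preference: {vpc.preference!r}")


def private_hosted_zone_decision(vpc: VpcDnsSettings, rc: ResourceConfig,
                                 sn_dns_enabled: Optional[bool] = None) -> str:
    """Return 'created' or the reason the zone is skipped, in precedence order.

    sn_dns_enabled is the service network owner's 'Enable DNS name' on the
    service-network-resource-association; None means the resource is
    reached directly through a Resource Endpoint, so no override applies.
    """
    if sn_dns_enabled is False:          # top-level control, beats VPC settings
        return "skipped: service network association has DNS names disabled"
    if not vpc.private_dns_enabled:
        return "skipped: DNS names not enabled on the VPC connection"
    if not allowed_by_preference(vpc, rc):
        return f"skipped: preference '{vpc.preference}' excludes {rc.custom_domain}"
    key = normalize(rc.custom_domain)
    if key in vpc.existing_zones:        # Domain Conflicts consideration
        return "skipped: VPC already has a hosted zone for this domain"
    vpc.existing_zones.add(key)
    return "created"


def demo() -> dict:
    """Evaluate a few resource configurations against one consumer VPC."""
    vpc = VpcDnsSettings(
        private_dns_enabled=True,
        preference=VERIFIED_OR_SPECIFIED,
        specified_domains=["*.kafka.us-east-1.amazonaws.com"],   # constructed allow-list
    )
    broker = "b-1.example-cluster.abc123.c2.kafka.us-east-1.amazonaws.com"  # from the post
    return {
        "verified_app": private_hosted_zone_decision(vpc, ResourceConfig("app.example.com", True)),
        "msk_broker": private_hosted_zone_decision(vpc, ResourceConfig(broker, False)),
        "unverified_dev": private_hosted_zone_decision(vpc, ResourceConfig("dev.internal.test", False)),
        "duplicate_app": private_hosted_zone_decision(vpc, ResourceConfig("app.example.com", True)),
        "sn_override": private_hosted_zone_decision(
            vpc, ResourceConfig("other.example.com", True), sn_dns_enabled=False),
    }
```

Run `demo()` to see the precedence: the service network setting is checked first, then the VPC's 'Enable DNS names', then the preference, and only then the conflict rule, which is why a second resource with `app.example.com` is skipped even though it is verified.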
Conclusion
Custom domain names for VPC Lattice resource configurations allow customers to share and access resources in VPC Lattice, such as clusters and TLS applications. By eliminating manual DNS configuration steps, this feature enables you to focus on building and deploying applications rather than managing DNS infrastructure. Domain Verification provides a scalable approach to prove ownership for domains. Automatic private hosted zone creation simplifies accessing resources.
This enhancement reinforces VPC Lattice’s core value proposition of simplifying application networking so that developers can focus on building and deploying applications. Whether you are running databases, clusters, or other resources, custom domain names reduce infrastructure management overhead.
The feature is available in all AWS Regions where VPC Lattice is offered. For more information, visit the VPC Lattice documentation or explore the VPC Lattice Getting Started guide.