How do I resolve a Route 53 private hosted zone over a VPN using AWS Directory Service?
Last updated: 2019-05-30
I have an Amazon Route 53 private hosted zone, and I want to access it over a VPN. How can I use an AWS Directory Service to do this?
A Route 53 private hosted zone answers only queries that arrive through the Amazon-provided DNS resolver of a VPC that the zone is associated with (the address at the base of the VPC CIDR plus two, for example 10.0.0.2 in 10.0.0.0/16). That resolver is not reachable from outside the VPC, so on-premises hosts cannot query the zone directly over the VPN. To resolve private zones from your on-premises infrastructure, consider using Simple Active Directory (Simple AD). The Simple AD domain controllers run inside your VPC and forward any DNS request they are not authoritative for to the Amazon-provided resolver.
That resolver answers with the records in your Route 53 private hosted zones. By pointing your on-premises DNS servers at the Simple AD controllers (a forwarder or conditional forwarder), on-premises clients can resolve names in the private hosted zone of your choice.
Note: Simple AD is supported in the following Regions:
- US East (N. Virginia)
- US West (Oregon)
- Asia Pacific (Singapore)
- Asia Pacific (Sydney)
- Asia Pacific (Tokyo)
- EU (Ireland)
If Simple AD is not available in your region, you can use AWS Managed Microsoft AD to provide the same DNS resolution. For more information, see How to Set Up DNS Resolution Between On-Premises Networks and AWS Using AWS Directory Service and Microsoft Active Directory.
Create a new Simple AD:
- Sign in to the AWS Directory Service console, and then choose Set up directory.
- Choose Simple AD, and then choose Next.
- For Directory size, choose Small or Large.
- For Directory DNS name, enter a fully qualified domain name for the directory (for example, ds.corp.example.com).
Note: Be sure that the directory DNS name is different from the name of your private hosted zone and is not a parent of it. Simple AD is authoritative for its own domain and every subdomain of it, so if the Route 53 zone name equals the Simple AD domain name, or is a subdomain of it (for example, zone app.corp.example.com under directory corp.example.com), Simple AD answers from its own zone instead of forwarding the request to the Amazon-provided resolver, and the private hosted zone records are never returned.
- For Administrator password and Confirm password, enter a password and choose Next.
- For VPC, choose the VPC associated with the private hosted zone, and then choose two subnets in different Availability Zones for the domain controllers. Choose Next, and then choose Create directory.
- When the Status of your new directory is Active, choose the directory ID, and then take note of the two values under DNS address in Directory details. These are the IP addresses of the Simple AD domain controllers; you use them to configure your on-premises DNS resolver.
Directory Service creates a security group on your behalf for the Simple AD controllers.
Be sure that this security group allows traffic from your on-premises IPs:
- Sign in to the Amazon EC2 console, and then choose Security Groups.
- Find the security group named directoryID_controllers, where the directoryID is the directory ID for your Simple AD.
- Open the security group, and then edit the inbound rules to allow TCP and UDP traffic on port 53 from your on-premises CIDR only. Don't use 0.0.0.0/0 as the source; limit the rule to the address ranges that reach the VPC over the VPN.
Be sure that the route table of the subnets that hold the domain controllers has a route for your on-premises CIDR that points to the virtual private gateway (or that route propagation from the virtual private gateway is enabled), and that your on-premises router has a return route for the VPC CIDR over the VPN. Without both routes, DNS queries reach the controllers but the replies never come back.
When configuration is complete, connect clients to the Simple AD in one or both of the following ways. For instances inside the VPC, edit the VPC's DHCP options set and set the domain name servers to the two Simple AD DNS addresses, so that instances use the directory for resolution. For on-premises clients, set up a forwarder or, preferably, a conditional forwarder for the private hosted zone name on your on-premises DNS server that points at the same two addresses.
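The following script is an added example, not part of this article or of any AWS tooling. It scripts the procedure above with the AWS CLI: it refuses a directory DNS name that would shadow the private hosted zone (the note under Directory DNS name), creates the Simple AD, waits for it to become Active, reads the controller DNS addresses, opens TCP/UDP 53 on the directoryID_controllers security group to the on-premises CIDR only, and prints a BIND conditional-forwarder stanza for the on-premises resolver. All names, CIDRs and IP addresses in it are placeholders, and it assumes the administrator password is supplied in the SIMPLE_AD_PASSWORD environment variable rather than typed on the command line. Nothing touches AWS unless the script is invoked with the literal argument apply.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper, not AWS code). Requires the AWS CLI with
# credentials that may call ds:* and ec2:* in the target account.
set -euo pipefail

# Return 0 when the Simple AD domain would shadow the private hosted zone:
# the names are equal, or the zone is a subdomain of the directory domain.
# Case-insensitive; a trailing dot on either name is ignored.
domain_shadows_zone() {
  local dir zone
  dir=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); dir=${dir%.}
  zone=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); zone=${zone%.}
  [ "$zone" = "$dir" ] && return 0
  case "$zone" in
    *".$dir") return 0 ;;
  esac
  return 1
}

# Create the directory and print its ID. $1 directory DNS name, $2 Small|Large,
# $3 VPC ID, $4 and $5 subnet IDs in two different Availability Zones.
create_simple_ad() {
  aws ds create-directory --name "$1" --size "$2" --password "$SIMPLE_AD_PASSWORD" \
    --vpc-settings "VpcId=$3,SubnetIds=$4,$5" --query DirectoryId --output text
}

# Poll until the directory Stage is Active; fail on terminal stages.
wait_active() {
  local stage
  while :; do
    stage=$(aws ds describe-directories --directory-ids "$1" \
      --query 'DirectoryDescriptions[0].Stage' --output text)
    case "$stage" in
      Active) return 0 ;;
      Failed|Deleting|Deleted) echo "directory $1 entered stage $stage" >&2; return 1 ;;
    esac
    sleep 30
  done
}

# Print the controller DNS addresses (two IPs) for the directory.
dns_addresses() {
  aws ds describe-directories --directory-ids "$1" \
    --query 'DirectoryDescriptions[0].DnsIpAddrs' --output text
}

# Allow TCP/UDP 53 from the on-premises CIDR on the <directoryID>_controllers
# security group. $1 directory ID, $2 on-premises CIDR. Refuses an open source.
allow_onprem_dns() {
  local sg
  case "$2" in
    0.0.0.0/0|::/0) echo "refusing to open DNS to $2; use the on-premises CIDR" >&2; return 1 ;;
  esac
  sg=$(aws ec2 describe-security-groups \
    --filters "Name=group-name,Values=${1}_controllers" \
    --query 'SecurityGroups[0].GroupId' --output text)
  aws ec2 authorize-security-group-ingress --group-id "$sg" --ip-permissions \
    "IpProtocol=tcp,FromPort=53,ToPort=53,IpRanges=[{CidrIp=$2}]" \
    "IpProtocol=udp,FromPort=53,ToPort=53,IpRanges=[{CidrIp=$2}]"
}

# Emit a BIND conditional forwarder for the private hosted zone name ($1)
# that sends queries to the controller addresses ($2...).
bind_forward_zone() {
  local zone=$1; shift
  local list="" ip
  for ip in "$@"; do list="$list $ip;"; done
  printf 'zone "%s" {\n    type forward;\n    forward only;\n    forwarders {%s };\n};\n' "$zone" "$list"
}

# End-to-end run; placeholders below are assumptions, replace them.
if [ "${1:-}" = apply ]; then
  DIR_NAME=ds.corp.example.com          # Simple AD directory DNS name
  ZONE_NAME=app.corp.example.com        # Route 53 private hosted zone
  ONPREM_CIDR=192.168.0.0/16            # reachable over the VPN
  if domain_shadows_zone "$DIR_NAME" "$ZONE_NAME"; then
    echo "directory $DIR_NAME would shadow zone $ZONE_NAME; pick another name" >&2
    exit 1
  fi
  dir_id=$(create_simple_ad "$DIR_NAME" Small vpc-0123456789abcdef0 \
             subnet-0123456789abcdef0 subnet-0123456789abcdef1)
  wait_active "$dir_id"
  allow_onprem_dns "$dir_id" "$ONPREM_CIDR"
  # shellcheck disable=SC2046  # the two addresses are intentionally split
  bind_forward_zone "$ZONE_NAME" $(dns_addresses "$dir_id")
fi
```

The shadowing check is the part worth keeping even if you click through the console instead: ds.corp.example.com beside zone app.corp.example.com is fine, whereas corp.example.com as the directory name silently breaks resolution of that zone. The password still appears in the process list of the machine running the script while create-directory executes; run it from an administrative host, not a shared one.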