I have a Route 53 private hosted zone, and I want to access it over a VPN. How can I use an AWS Directory Service to do this?

Route 53 private hosted zones are served only through the Amazon-provided DNS server of the VPC they are associated with, and that resolver accepts queries only from inside the VPC. An on-premises resolver connected over a VPN therefore cannot query it directly. One way to bridge the gap is to create an AWS Directory Service Simple AD directory in that VPC: its domain controllers accept DNS queries from your on-premises network and forward any name they are not authoritative for to the Amazon-provided DNS server.

Because the Amazon-provided DNS server resolves names in your Route 53 private hosted zones, the Simple AD DNS addresses return those records too. By pointing your on-premises DNS server at the Simple AD DNS addresses, on-premises hosts can resolve records in the private hosted zone of your choice.

Start by creating a new Simple AD:

  1. Sign in to the AWS Directory Service console.
  2. Choose Create Simple AD, and fill in these fields with the following (for all other fields, provide values that are meaningful for you):

    For Directory DNS, use a domain name that is different from your private hosted zone's name and is not a parent of it. Simple AD is authoritative for its own directory DNS name and answers for names under it itself rather than forwarding them, so a private hosted zone that is the same as, or a subdomain of, the directory DNS name would never be queried.
    For VPC, choose the VPC associated with the private hosted zone.
    Directory size defaults to Small, which suits most deployments. A Small Simple AD supports up to 500 users; choose Large if you expect more.
  3. Choose Next. Record the Administrator password you set for the Simple AD and store it securely; it is the directory's administrative credential.
  4. Choose Create Simple AD.

When the status of your new directory is Active, choose the Directory ID and note the two IP addresses listed under DNS Address in Details. These are the directory's domain controllers; you use them to configure your on-premises DNS resolver.

Directory Service creates a security group for the directory's domain controllers (along with the controllers' network interfaces). Its inbound rules must allow DNS traffic from your on-premises address range, and should allow nothing broader than that:

  1. Sign in to the Amazon EC2 console, and choose Security Groups.
  2. Find the security group named directoryID_controllers, where directoryID is the directory ID for your Simple AD.
  3. Open the security group and add inbound rules that allow TCP port 53 and UDP port 53 from your on-premises CIDR only. Do not use 0.0.0.0/0 as the source, and do not widen the directory's other ports (LDAP, Kerberos and so on) to the VPN unless on-premises clients genuinely need them; DNS forwarding needs only port 53.

Make sure the route tables for the subnets the directory uses have a route to your on-premises CIDR through the virtual private gateway (VGW), and that the on-premises side routes the VPC CIDR (at least the directory's subnets) back over the VPN; otherwise replies from the domain controllers never reach your resolver.

When configuration is complete, point clients at the directory's DNS addresses. For on-premises hosts, configure a conditional forwarder on your local DNS server that sends queries for the private hosted zone's domain name to the two Simple AD DNS addresses; a plain forwarder also works, but then every query your local server cannot answer itself travels over the VPN. For instances inside the VPC, you can instead edit the VPC's DHCP options set so that the Simple AD addresses are handed out as the DNS servers. Verify the setup from an on-premises host by querying a record in the private hosted zone against one of the Simple AD addresses directly, before changing the forwarder configuration for everyone.
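The two places this procedure is most often got wrong are the Directory DNS name (it must not be the private zone or a parent of it) and the controllers' security group (it must allow port 53 from the on-premises range and not from the world). The following is an added example, not AWS code or part of the original article: a pre-flight check that applies both rules. The security group below is constructed in the shape that boto3's ec2.describe_security_groups() returns, and every CIDR, group name and directory ID in it is an assumption; in a real account you would fetch the "<directoryId>_controllers" group with that call and pass one entry of its "SecurityGroups" list to audit_controllers_sg().

```python
"""Pre-flight checks for a Simple AD used as a DNS forwarder to a Route 53
private hosted zone: the Directory DNS naming rule and the inbound rules of
the "<directoryId>_controllers" security group.

Added example, not AWS code. SAMPLE_SG is constructed to match the shape of
boto3's ec2.describe_security_groups() output; all IDs and CIDRs are assumed.
"""
import ipaddress

WORLD = {"0.0.0.0/0", "::/0"}


def _labels(name):
    """Lowercase DNS labels of a name, root-most first; a trailing dot is ignored."""
    return [lbl for lbl in name.rstrip(".").lower().split(".") if lbl][::-1]


def zone_overlaps_directory(private_zone, directory_dns_name):
    """True when one name equals the other or lies inside it.

    Simple AD answers for its directory DNS name and everything under it
    instead of forwarding, so the private hosted zone must not be that name
    or a child of it. The parent case is flagged too, because names under
    the directory domain would then never reach the hosted zone either.
    """
    a, b = _labels(private_zone), _labels(directory_dns_name)
    if not a or not b:
        raise ValueError("empty DNS name")
    n = min(len(a), len(b))
    return a[:n] == b[:n]


def _sources(perm):
    """CIDR sources of one IpPermissions entry; security-group references are skipped."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def _covers_port(perm, port):
    proto = perm.get("IpProtocol")
    if proto == "-1":                    # "All traffic": no FromPort/ToPort keys
        return True
    if proto not in ("tcp", "udp"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _within(cidr, nets):
    net = ipaddress.ip_network(cidr)
    return any(net.version == n.version and net.subnet_of(n) for n in nets)


def audit_controllers_sg(sg, on_prem_cidr, allowed_cidrs=(), port=53):
    """Report whether TCP/UDP `port` is reachable from the on-prem range and
    list everything in the group that is wider than DNS forwarding needs.

    allowed_cidrs: other ranges that may legitimately reach the controllers
    on any port, typically the VPC CIDR used by domain-joined instances.
    """
    on_prem = ipaddress.ip_network(on_prem_cidr)
    allowed = [on_prem] + [ipaddress.ip_network(c) for c in allowed_cidrs]
    dns_ok = {"tcp": False, "udp": False}
    findings = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        span = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
        for cidr in _sources(perm):
            if cidr in WORLD:
                findings.append(f"{proto}/{span} open to the world ({cidr})")
            elif _covers_port(perm, port):
                if _within(cidr, [on_prem]):
                    for p in (("tcp", "udp") if proto == "-1" else (proto,)):
                        dns_ok[p] = True
                elif not _within(cidr, allowed):
                    findings.append(f"port {port} ({proto}) reachable from unexpected range {cidr}")
            elif not _within(cidr, allowed):
                findings.append(f"{proto}/{span} exposed to {cidr}; not needed for DNS forwarding")
    for p, ok in dns_ok.items():
        if not ok:
            findings.append(f"missing: {p}/{port} from on-prem range {on_prem}")
    return {"dns_from_on_prem": dns_ok, "findings": findings}


# Constructed sample: on-prem is assumed to be 192.168.0.0/16, the VPC 10.0.0.0/16.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "d-1234567890_controllers",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53,          # the rule the procedure asks for
         "IpRanges": [{"CidrIp": "192.168.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,          # same, plus a world-open source by mistake
         "IpRanges": [{"CidrIp": "192.168.0.0/16"}, {"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389,        # LDAP from a range that is neither side
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",                                         # all traffic from the VPC: expected
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    print("zone overlap:", zone_overlaps_directory("internal.example.com", "corp.example.com"))
    report = audit_controllers_sg(SAMPLE_SG, "192.168.0.0/16", allowed_cidrs=["10.0.0.0/16"])
    print("DNS from on-prem:", report["dns_from_on_prem"])
    for finding in report["findings"]:
        print("FINDING:", finding)
```

On the sample group the audit confirms both halves of port 53 are reachable from the on-premises range and raises two findings: the UDP rule that is also open to 0.0.0.0/0, and an LDAP rule exposed to a range that is neither on-premises nor the VPC. Leave allowed_cidrs empty if domain-joined instances in the VPC reach the controllers through a security-group reference rather than a CIDR rule; the check then treats any non-on-premises CIDR on port 53 as unexpected.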

Route 53, private hosted zones, VPN


Published: 2016-08-03