Why can't I resolve domain names over my VPC peering connection?

Last updated: 2022-04-12

I'm not able to resolve domain names over my Amazon Virtual Private Cloud (Amazon VPC) peering connection. How do I troubleshoot this?

Resolution

Note: The following scenarios assume that the VPC is configured with AmazonProvidedDNS. If you're using custom DNS and can't resolve domain names, do the following:

  • Add the records in the custom DNS.
    -or-
  • Configure the DNS to forward certain queries to Amazon-provided DNS. Amazon-provided DNS is the .2 IP address of the VPC CIDR.

Scenario 1: Resolving to the public DNS of an Amazon EC2 instance created in the peered VPC

Amazon Elastic Compute Cloud (Amazon EC2) assigns a private and public DNS name at instance creation. The following domain names are assigned to instances by default:

  • Private DNS: ip-172-31-19-128.ec2.internal (for us-east-1 Region) or ip-172-31-12-97.us-west-2.compute.internal (for other Regions).
  • Public DNS: ec2-54-147-16-116.compute-1.amazonaws.com or ec2-35-88-61-144.us-west-2.compute.amazonaws.com.

If you configure the DHCP option set with a custom domain name, such as "example.com", then the EC2 instance uses that domain name. For example, ip-172-31-12-97.us-west-2.example.com.

Resolving the private DNS name from any instance in AWS returns the private IP address of the instance in the VPC where you created it:

$ dig ip-172-31-12-97.us-west-2.compute.internal +short
172.31.12.97

Resolving the public DNS of the instance from another instance created in the peered VPC resolves to the public IP address of the instance:

$ dig ec2-35-88-61-144.us-west-2.compute.amazonaws.com +short
35.88.61.144

You can resolve the public domain name to the private IP address of the EC2 instance. To do this, turn on one of the following options on the VPC peering connection:

  • Requester DNS resolution
    -or-
  • Accepter DNS resolution

For more information, see Enable DNS resolution for a VPC peering connection.

After turning on DNS resolution, you can resolve the public DNS to the private IP address of the instance, as shown in the following example:

$ dig ec2-35-88-61-144.us-west-2.compute.amazonaws.com +short
172.31.12.97

If the public DNS name still doesn't resolve to the private IP address after you turn on DNS resolution for the VPC peering connection, then use the following steps to troubleshoot the issue.

Troubleshooting steps

1.    Verify the source VPC and the destination VPC ID.

2.    Make sure that there is an active VPC peering connection between the source and destination VPCs.

3.    Make sure that DNS hostnames and DNS resolution are turned on for both of the VPCs used in the peering connection.

4.    Check the DNS configuration for the peering connection, and make sure that the DNS resolution is turned on for both the requester and accepter VPCs.

5.    Verify that the public domain name that you're resolving to exists. Check the destination VPC to make sure that there is an instance with the public IP mentioned in the domain name.

6.    Verify whether the DNS configuration in the VPC is AmazonProvidedDNS or CustomDNS. If you're using custom DNS, then verify that the custom DNS resolves the domain name of the public instance. If the custom DNS can't resolve the domain name, do one of the following:

  • Add a static DNS record.
    -or-
  • Redirect the query to AmazonProvidedDNS.
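The first five checks above can be scripted against EC2 API output. The following Python example was written for this article (it is not an AWS tool and is not part of the original page). It runs offline on constructed sample data shaped like the boto3 responses describe_vpc_peering_connections, describe_vpc_attribute and describe_instances; the VPC, instance and peering IDs are placeholders. It also extracts the IP address that Amazon embeds in an EC2 DNS name, which is what step 5 compares against the instances in the destination VPC.

```python
import re

# Constructed sample, shaped like describe_vpc_peering_connections()["VpcPeeringConnections"][0].
# All IDs are placeholders.
SAMPLE_PEERING = {
    "VpcPeeringConnectionId": "pcx-0123456789abcdef0",
    "Status": {"Code": "active"},
    "RequesterVpcInfo": {
        "VpcId": "vpc-0aaa", "CidrBlock": "10.0.0.0/16",
        "PeeringOptions": {"AllowDnsResolutionFromRemoteVpc": True},
    },
    "AccepterVpcInfo": {
        "VpcId": "vpc-0bbb", "CidrBlock": "172.31.0.0/16",
        "PeeringOptions": {"AllowDnsResolutionFromRemoteVpc": False},
    },
}

# Constructed sample of describe_vpc_attribute() results, flattened and keyed by VPC ID.
SAMPLE_VPC_ATTRS = {
    "vpc-0aaa": {"EnableDnsSupport": True, "EnableDnsHostnames": True},
    "vpc-0bbb": {"EnableDnsSupport": True, "EnableDnsHostnames": False},
}

# Constructed sample of instances, flattened from describe_instances().
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0ccc", "VpcId": "vpc-0bbb",
     "PrivateIpAddress": "172.31.12.97", "PublicIpAddress": "35.88.61.144"},
]

# Amazon-assigned names start with ip-A-B-C-D (private) or ec2-A-B-C-D (public).
_EC2_NAME = re.compile(r"^(?:ec2|ip)-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.")


def ip_from_ec2_dns_name(name):
    """Return the IP address embedded in an Amazon-assigned EC2 DNS name, or None.
    ec2-35-88-61-144.us-west-2.compute.amazonaws.com -> 35.88.61.144
    ip-172-31-12-97.us-west-2.compute.internal      -> 172.31.12.97"""
    m = _EC2_NAME.match(name.strip().lower())
    return ".".join(m.groups()) if m else None


def check_peering_dns(peering, vpc_attrs, source_vpc_id, dest_vpc_id):
    """Steps 1-4: return a list of findings; an empty list means all checks pass."""
    findings = []
    req, acc = peering["RequesterVpcInfo"], peering["AccepterVpcInfo"]
    vpc_ids = [req["VpcId"], acc["VpcId"]]
    # Steps 1 and 2: the connection joins the expected VPCs and is active.
    if {source_vpc_id, dest_vpc_id} != set(vpc_ids):
        findings.append("peering does not join %s and %s" % (source_vpc_id, dest_vpc_id))
    if peering["Status"]["Code"] != "active":
        findings.append("peering status is %r, not active" % peering["Status"]["Code"])
    # Step 3: DNS support and DNS hostnames must be on in both VPCs.
    for vpc_id in vpc_ids:
        for attr in ("EnableDnsSupport", "EnableDnsHostnames"):
            if not vpc_attrs.get(vpc_id, {}).get(attr):
                findings.append("%s: %s is off" % (vpc_id, attr))
    # Step 4: DNS resolution from the remote VPC must be allowed on both sides.
    for side, info in (("requester", req), ("accepter", acc)):
        if not info["PeeringOptions"].get("AllowDnsResolutionFromRemoteVpc"):
            findings.append("%s DNS resolution is off" % side)
    return findings


def check_public_name_target(public_dns_name, instances, dest_vpc_id):
    """Step 5: the public IP in the name must belong to an instance in the destination VPC."""
    ip = ip_from_ec2_dns_name(public_dns_name)
    if ip is None:
        return "not an Amazon-assigned EC2 DNS name: %s" % public_dns_name
    for inst in instances:
        if inst["VpcId"] == dest_vpc_id and inst.get("PublicIpAddress") == ip:
            return "ok: %s is %s (private IP %s)" % (ip, inst["InstanceId"], inst["PrivateIpAddress"])
    return "no instance in %s has public IP %s" % (dest_vpc_id, ip)


if __name__ == "__main__":
    # In real use the dicts come from boto3.client("ec2"); here the constructed samples stand in.
    for finding in check_peering_dns(SAMPLE_PEERING, SAMPLE_VPC_ATTRS, "vpc-0aaa", "vpc-0bbb"):
        print("FINDING:", finding)
    print(check_public_name_target("ec2-35-88-61-144.us-west-2.compute.amazonaws.com",
                                   SAMPLE_INSTANCES, "vpc-0bbb"))
```

With the sample data the script reports two findings, DNS hostnames off in the accepter VPC and accepter DNS resolution off, which is exactly the state in which the public name keeps resolving to the public IP address.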

Scenario 2: Resolving to the domain name of the services created in a peered VPC

When you create a service with a domain name, you can resolve that domain name from an instance in any peered VPC. This is because the domain names created for these services are public records and can be resolved from anywhere. For example, the following domain name records are publicly resolvable:

  • testCLB-520693273.us-east-1.elb.amazonaws.com
  • test-87913728ca9b8a68.elb.us-east-1.amazonaws.com
  • vpce-057d3426e21755b8a-svk1k3tm.ssm.us-east-1.vpce.amazonaws.com

Note: Even if the domain name is for a private load balancer, the record is public and will resolve to the private IP address.

Service endpoint domain names, such as "ssm.us-east-1.amazonaws.com," resolve to the public IP address. This is true even if there is an interface endpoint created in the peered VPC with the private DNS option turned on. You can resolve the domain name of service endpoints to the private IP address of the interface endpoint. To do this, the resource must be part of the VPC where you created the interface endpoint.

Example

The interface VPC endpoint is configured in VPC A. You're trying to resolve the service domain name to the interface VPC endpoint IPs in VPC A from VPC B. In this scenario, you need an Amazon Route 53 outbound Resolver endpoint in VPC B and a Route 53 inbound Resolver endpoint in VPC A.

Note: For information on configuring Route 53 Resolver using the Wizard, see Getting started with Route 53 Resolver.

  1. Create a Route 53 Resolver outbound endpoint in VPC B (where you want to access the endpoint DNS).
  2. Create a Route 53 Resolver inbound endpoint in VPC A (where you created the interface endpoint).
  3. Create a Route 53 Resolver rule for the service domain name whose target IP addresses are the IPs of the inbound endpoint in VPC A, and associate the rule with VPC B.

The outbound endpoint in VPC B forwards the DNS queries for the service domain name to the IPs of the inbound Resolver endpoint in VPC A. The inbound endpoint in VPC A receives the DNS query for the service domain name. The inbound endpoint then forwards the query to the Amazon-provided DNS server in VPC A for resolution.

After the Route 53 Resolver endpoints are active, you can resolve the service domain name from VPC B to the private IP addresses of the interface endpoint in VPC A.

Troubleshooting steps

1.    Verify the source VPC and the destination VPC ID.

2.    Make sure that there is an active peering connection between the source and destination VPC.

3.    Make sure that DNS hostnames and DNS resolution are turned on for both VPCs used in the peering connection.

4.    Check the DNS configuration for the peering connection, and make sure that the DNS resolution is turned on for both the requester and accepter VPCs.

5.    Verify that the public domain name that you're resolving to exists. Check the destination VPC and make sure that there is a VPC interface endpoint created in the VPC with Private DNS option enabled.

6.    Verify whether the DNS configured in the VPC is AmazonProvidedDNS or CustomDNS. If you're using a custom DNS, then verify that the custom DNS can resolve the domain name. If the custom DNS can't resolve the domain name, then add a static DNS record or configure the custom DNS to forward the query to AmazonProvidedDNS.

7.    Verify that the route tables associated with the subnets that contain the Resolver endpoints have a peering route pointing to the source or destination VPC. Do this for all inbound and outbound Resolver endpoints in both VPCs.

8.    Verify that the network ACLs associated with the subnets where the Resolver endpoints are created allow inbound traffic from the peered VPC CIDRs.

9.    Verify that the inbound and outbound resolvers are configured correctly and have the correct rules to forward traffic to the next hop. For more information, see How do I troubleshoot DNS resolution issues with Route 53 Resolver endpoints.
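Steps 7 and 8 above are the ones most often missed, and both can be checked offline against EC2 API output. The following Python example was written for this article (it is not an AWS tool and is not part of the original page). Its sample route table and network ACL are constructed and shaped like the boto3 responses describe_route_tables and describe_network_acls; the CIDRs and IDs are placeholders. The ACL check walks the rules the way the VPC does, lowest rule number first, first match wins, so a low-numbered deny that shadows a later allow is reported.

```python
import ipaddress

PEER_CIDR = "10.0.0.0/16"             # constructed: CIDR of the peered VPC
PCX_ID = "pcx-0123456789abcdef0"      # placeholder peering connection ID

# Constructed sample, shaped like describe_route_tables()["RouteTables"][0].
SAMPLE_ROUTE_TABLE = {
    "RouteTableId": "rtb-0aaa",
    "Routes": [
        {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "10.0.0.0/16", "VpcPeeringConnectionId": PCX_ID, "State": "active"},
    ],
}

# Constructed sample, shaped like describe_network_acls()["NetworkAcls"][0].
# Rule 110 deliberately denies TCP from one /24 of the peer VPC before the allow in rule 120.
SAMPLE_NACL = {
    "NetworkAclId": "acl-0bbb",
    "Entries": [
        {"RuleNumber": 100, "Protocol": "17", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "10.0.0.0/16", "PortRange": {"From": 53, "To": 53}},
        {"RuleNumber": 110, "Protocol": "6", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "10.0.5.0/24", "PortRange": {"From": 0, "To": 65535}},
        {"RuleNumber": 120, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "10.0.0.0/16", "PortRange": {"From": 53, "To": 53}},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0"},
    ],
}


def has_peering_route(route_table, peer_cidr, pcx_id):
    """Step 7: an active route for peer_cidr whose target is the peering connection."""
    for r in route_table["Routes"]:
        if (r.get("DestinationCidrBlock") == peer_cidr
                and r.get("VpcPeeringConnectionId") == pcx_id
                and r.get("State") == "active"):
            return True
    return False


def nacl_decision(nacl, src_ip, protocol, port, egress=False):
    """Evaluate one packet against the ACL: ascending rule number, first match decides.
    protocol is the IANA number as a string ("6" TCP, "17" UDP); "-1" in a rule means all."""
    src = ipaddress.ip_address(src_ip)
    for e in sorted(nacl["Entries"], key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress or "CidrBlock" not in e:
            continue  # wrong direction, or an IPv6 entry (Ipv6CidrBlock), not evaluated here
        if src not in ipaddress.ip_network(e["CidrBlock"], strict=False):
            continue
        if e["Protocol"] not in ("-1", protocol):
            continue
        pr = e.get("PortRange")
        if e["Protocol"] != "-1" and pr and not (pr["From"] <= port <= pr["To"]):
            continue
        return e["RuleAction"]
    return "deny"  # the default rule 32767 denies; also covers an ACL with it stripped


def nacl_allows_dns_from(nacl, peer_cidr):
    """Step 8: DNS (port 53, UDP and TCP) must be admitted from every address in the
    peer CIDR. Rather than testing each host, probe the network's first and last
    address plus the first address of every ACL entry that falls inside the CIDR;
    any shadowing deny starts at one of those addresses."""
    net = ipaddress.ip_network(peer_cidr, strict=False)
    probes = {net.network_address, net.broadcast_address}
    for e in nacl["Entries"]:
        if "CidrBlock" in e:
            first = ipaddress.ip_network(e["CidrBlock"], strict=False).network_address
            if first in net:
                probes.add(first)
    blocked = []
    for ip in sorted(probes):
        for proto in ("17", "6"):
            if nacl_decision(nacl, str(ip), proto, 53) != "allow":
                blocked.append((str(ip), proto))
    return blocked  # empty list means the check passes


if __name__ == "__main__":
    print("peering route present:", has_peering_route(SAMPLE_ROUTE_TABLE, PEER_CIDR, PCX_ID))
    print("blocked DNS probes (ip, protocol):", nacl_allows_dns_from(SAMPLE_NACL, PEER_CIDR))
```

On the sample data the route check passes and the ACL check reports that TCP DNS from 10.0.5.0 is denied, the shadowing rule 110. Security groups on the endpoint network interfaces are a separate, stateful check and are not evaluated here.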

Scenario 3: Custom domain name created in private hosted zone

You created a private hosted zone for a custom domain name and created a record in that zone. VPC A is associated with the private hosted zone. VPC B has a peering connection to VPC A. You want to resolve the custom domain name from VPC B, although only VPC A can currently resolve it.

There are two methods for achieving this:

  • Solution 1: Forward the query from VPC B to the Amazon-provided DNS of VPC A. This setup is similar to Scenario 2.
  • Solution 2: Associate VPC B with the private hosted zone for the custom domain where you created the record. After you make the association, you can resolve the custom domain name in the private hosted zone from resources in both of the peered VPCs.

Troubleshooting steps

Note: For Solution 1, follow the troubleshooting steps mentioned in Scenario 2.

1.    Verify the source VPC and the destination VPC ID.

2.    Verify whether the DNS configured in the VPC is AmazonProvidedDNS or CustomDNS. If you're using custom DNS, then you can't resolve records hosted in private hosted zones. To correct this, add a static domain name record on the custom DNS. Or, configure the custom DNS to forward the query to AmazonProvidedDNS.

3.    If you're using Amazon-provided DNS, then verify the domain that you're trying to resolve and where it's hosted (Amazon Route 53 or on-premises). If on-premises, make sure that the outbound resolver endpoint used to forward the query to on-premises DNS is configured correctly.

4.    If the domain is hosted in a Route 53 private hosted zone, verify that the source VPC is associated with the private hosted zone. The source VPC is the VPC from which you are trying to resolve the custom domain name.

5.    Make sure the FQDN that you're trying to resolve has a record created in the private hosted zone.
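Steps 4 and 5 can be checked offline against Route 53 API output. The following Python example was written for this article (it is not an AWS tool and is not part of the original page). Its sample zone data is constructed and shaped like the boto3 Route 53 responses get_hosted_zone (the VPCs list) and list_resource_record_sets, including the \052 escape that Route 53 uses for a wildcard label; the zone name, VPC IDs and addresses are placeholders. It goes a little beyond step 5 as written: besides an exact name it accepts a wildcard record and follows a CNAME that points inside the same zone.

```python
# Constructed sample: VPC associations of a private hosted zone for corp.example,
# shaped like get_hosted_zone()["VPCs"]. IDs are placeholders.
SAMPLE_ZONE_VPCS = [
    {"VPCRegion": "us-east-1", "VPCId": "vpc-0aaa"},   # VPC A only
]

# Constructed sample, shaped like list_resource_record_sets()["ResourceRecordSets"].
SAMPLE_RECORDS = [
    {"Name": "corp.example.", "Type": "NS", "TTL": 172800,
     "ResourceRecords": [{"Value": "ns-0.awsdns-00.com."}]},
    {"Name": "corp.example.", "Type": "SOA", "TTL": 900,
     "ResourceRecords": [{"Value": "ns-0.awsdns-00.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400"}]},
    {"Name": "db.corp.example.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "172.31.12.97"}]},
    {"Name": "app.corp.example.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "db.corp.example."}]},
    {"Name": "\\052.wild.corp.example.", "Type": "A", "TTL": 300,   # *.wild.corp.example
     "ResourceRecords": [{"Value": "10.0.0.5"}]},
]


def normalize(name):
    """Canonical form for comparison: lowercase, trailing dot, Route 53's \\052 escape -> '*'."""
    n = name.strip().lower().replace("\\052", "*")
    return n if n.endswith(".") else n + "."


def vpc_is_associated(zone_vpcs, vpc_id, region):
    """Step 4: the VPC you resolve from must be associated with the private hosted zone."""
    return any(v["VPCId"] == vpc_id and v["VPCRegion"] == region for v in zone_vpcs)


def _lookup(records, fqdn, rtype):
    """Exact name first; otherwise the wildcard (*.suffix) with the longest suffix covering fqdn."""
    best, best_len = None, -1
    for r in records:
        if r["Type"] != rtype:
            continue
        n = normalize(r["Name"])
        if n == fqdn:
            return r
        if n.startswith("*."):
            suffix = n[2:]
            if fqdn.endswith("." + suffix) and len(suffix) > best_len:
                best, best_len = r, len(suffix)
    return best


def find_record(records, fqdn, rtype="A", max_cname=8):
    """Step 5: return the values the zone holds for fqdn, following CNAMEs that stay
    inside the zone, or None when no record (exact or wildcard) exists."""
    name = normalize(fqdn)
    for _ in range(max_cname):
        rec = _lookup(records, name, rtype) or _lookup(records, name, "CNAME")
        if rec is None:
            return None
        if "AliasTarget" in rec:                      # alias record: value is the target name
            values = [normalize(rec["AliasTarget"]["DNSName"])]
        else:
            values = [rr["Value"] for rr in rec["ResourceRecords"]]
        if rec["Type"] != "CNAME":
            return values
        name = normalize(values[0])                   # chase the CNAME target in this zone
    return None                                       # CNAME loop or chain too long


if __name__ == "__main__":
    # In real use the data comes from boto3.client("route53"); constructed samples stand in here.
    print("VPC B associated:", vpc_is_associated(SAMPLE_ZONE_VPCS, "vpc-0bbb", "us-east-1"))
    for fqdn in ("db.corp.example", "app.corp.example", "x.wild.corp.example", "missing.corp.example"):
        print(fqdn, "->", find_record(SAMPLE_RECORDS, fqdn))
```

A None from find_record means the name would get NXDOMAIN from the Amazon-provided DNS even with the association in place; a False from vpc_is_associated is the Solution 2 gap, VPC B was never associated with the zone.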
