[SEO Subhead]
This Guidance demonstrates an automated approach for creating the DNS resolution required when creating Amazon VPC Lattice services with custom domain names in multi-account environments. It simplifies the configuration process by automating the Amazon Route 53 DNS setup based on Amazon VPC Lattice service creation and removal actions, eliminating the operational effort of creating resources at scale. You can benefit from a simplified way to connect services across multiple AWS accounts, allowing applications to transparently access the required DNS resolution.
Note: [Disclaimer]
Architecture Diagram
[Architecture diagram description]
Step 1
When a new spoke account deploys automation resources, an Amazon EventBridge rule checks that a new Amazon Simple Notification Service (Amazon SNS) topic has been created with the proper tag.
Step 2
The New SNS topic EventBridge rule in the spoke account sends the event to the networking account using a custom event bus to notify the creation of a new SNS topic.
Step 3
The SNS subscription AWS Lambda function is invoked to subscribe the Amazon Simple Queue Service (Amazon SQS) topic in the networking account to the newly created SNS topic in the spoke account.
Step 4
The New VPC Lattice service EventBridge rule checks for a proper tag in Amazon VPC Lattice.
Step 5
The VPC Lattice service info Lambda function is invoked to obtain the DNS information of Amazon VPC Lattice and publish that information to an SNS topic in the spoke account.
Step 6
The SNS topic in the spoke account sends the Amazon VPC Lattice DNS information to the networking account through the Amazon SQS queue.
Step 7
Messages arriving to the Amazon SQS queue will invoke the Create/Update Alias record Lambda function.
Step 8
Unsuccessfully processed messages are stored in an Amazon SQS dead-letter queue (DLQ) for monitoring.
Step 9
The Create/Update Alias record Lambda function will create or update the corresponding alias record in the Amazon Route 53 private hosted zone.
Step 10
AWS Systems Manager and AWS Resource Access Manager (AWS RAM) are used for parameter storage and cross-account data sharing.
Step 1
When a new spoke account deploys automation resources, an Amazon EventBridge rule checks that a new Amazon Simple Notification Service (Amazon SNS) topic has been created with the proper tag.
Step 2
The New SNS topic EventBridge rule in the spoke account sends the event to the networking account using a custom event bus to notify the creation of a new SNS topic.
Step 3
The SNS subscription AWS Lambda function is invoked to subscribe the Amazon Simple Queue Service (Amazon SQS) topic in the networking account to the newly created SNS topic in the spoke account.
Step 4
The New VPC Lattice service EventBridge rule checks for a proper tag in Amazon VPC Lattice.
Step 5
The VPC Lattice service info Lambda function is invoked to obtain the DNS information of Amazon VPC Lattice and publish that information to an SNS topic in the spoke account.
Step 6
The SNS topic in the spoke account sends the Amazon VPC Lattice DNS information to the networking account through the Amazon SQS queue.
Step 7
Messages arriving to the Amazon SQS queue will invoke the Create/Update Alias record Lambda function.
Step 8
Unsuccessfully processed messages are stored in an Amazon SQS dead-letter queue (DLQ) for monitoring.
Step 9
The Create/Update Alias record Lambda function will create or update the corresponding alias record in the Amazon Route 53 private hosted zone.
Step 10
AWS Systems Manager and AWS Resource Access Manager (AWS RAM) are used for parameter storage and cross-account data sharing.
Well-Architected Pillars
The AWS Well-Architected Framework helps you understand the pros and cons of the decisions you make when building systems in the cloud. The six pillars of the Framework allow you to learn architectural best practices for designing and operating reliable, secure, efficient, cost-effective, and sustainable systems. Using the AWS Well-Architected Tool, available at no charge in the AWS Management Console, you can review your workloads against these best practices by answering a set of questions for each pillar.
The architecture diagram above is an example of a Solution created with Well-Architected best practices in mind. To be fully Well-Architected, you should follow as many Well-Architected best practices as possible.
-
Operational ExcellenceRead the Operational Excellence whitepaper
EventBridge automates your Amazon VPC Lattice creation process, invoking a Lambda function to retrieve DNS information and send it to Amazon SNS. In the AWS accounts that own the DNS configuration, Amazon SQS subscribes to the SNS topic cross-account, then invokes a Lambda function to automate the alias record creation. This automation reduces operational overhead, providing a transparent DNS resolution for your consumer services, especially in multi-account environments and at scale.
-
SecurityRead the Security whitepaper
Secure your Amazon SQS and Amazon SNS resources by defining resource policies that grant access only to the specified account, organization, or resource. AWS Identity & Access Management (IAM) roles for your Lambda functions restrict access to the corresponding resources, such as EventBridge, Amazon SQS, and Amazon SNS.
AWS RAM securely shares resources, like the SQS queue and EventBridge bus, with only the AWS accounts within your AWS organization. Implementing the principle of least privilege through minimum permissions helps ensure that access to your Amazon VPC Lattice DNS resolution automation is limited to the necessary configuration resources and involved AWS accounts.
-
ReliabilityRead the Reliability whitepaper
Amazon SQS and Amazon SNS provide durable scaling mechanisms to process Lambda and EventBridge events reliably. A DLQ in Amazon SQS monitors and retries unsuccessfully processed messages to enhance the resilience of your automation. As managed services, Lambda, Amazon SNS, and Amazon SQS reduce the chance of failure, keeping your Amazon VPC Lattice DNS resolution automation running without downtime.
-
Performance EfficiencyRead the Performance Efficiency whitepaper
The real-time event processing capabilities of EventBridge and the regional, serverless nature of Lambda, Amazon SNS, and Amazon SQS, provide optimal performance with minimal operational overhead. The cross-account setup helps ensure the lowest possible processing time, enabling seamless connectivity between a consumer and an Amazon VPC Lattice service as soon as it is created.
-
Cost OptimizationRead the Cost Optimization whitepaper
EventBridge, Lambda, Amazon SNS, and Amazon SQS resources are only used when a new Amazon VPC Lattice service is created, avoiding unnecessary costs for long-running processes. These computing resources follow a serverless paradigm, where the compute capacity is only needed for the specific actions required, resulting in cost-effective operations.
-
SustainabilityRead the Sustainability whitepaper
The fully managed nature of EventBridge, Lambda, Amazon SNS, and Amazon SQS, are used on an event-basis, providing high efficiency and low cost for short-running periods. The use of these short computational services and real-time event processing reduces the overall resource consumption and environmental footprint.
Related Content
[Title]
Disclaimer
The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.
References to third-party services or organizations in this Guidance do not imply an endorsement, sponsorship, or affiliation between Amazon or AWS and the third party. Guidance from AWS is a technical starting point, and you can customize your integration with third-party services when you deploy the architecture.