Task Statement 2.2: Implement routing and connectivity across multiple AWS accounts, Regions, and VPCs to support different connectivity patterns.
📘AWS Certified Advanced Networking – Specialty
1. What is Hybrid DNS?
Hybrid DNS means resolving domain names between:
- On-premises network (data center)
- AWS VPCs (single or multiple accounts/Regions)
This allows systems to communicate using domain names instead of IP addresses.
2. Why DNS is Important in Hybrid Connectivity
In real IT environments:
- Applications use hostnames (e.g., app.internal.company.com)
- IP addresses can change frequently in AWS
- Without proper DNS:
  - Systems cannot find each other
  - Applications may fail
👉 Therefore, DNS ensures seamless communication across environments
3. Key AWS DNS Service: Amazon Route 53
Route 53 is AWS’s DNS service that provides:
- Domain registration
- DNS routing
- Health checks
- Hybrid DNS support
4. Core Components of Hybrid DNS
4.1 VPC DNS Features
Each VPC has built-in DNS:
- AmazonProvidedDNS
  - Located at the VPC base IP + 2 (e.g., 10.0.0.2)
  - Resolves:
    - Internal AWS hostnames
    - Private hosted zones
4.2 Private Hosted Zones (PHZ)
- Used for internal DNS within AWS
- Not visible on the internet
- Can be shared across:
  - Multiple VPCs
  - Multiple accounts (via AWS RAM)
Example:
internal.company.local → resolves to EC2 private IP
4.3 Public Hosted Zones
- Used for internet-facing DNS
- Example: www.company.com → public IP
5. Route 53 Resolver (Very Important for Exam)
This is the key service for hybrid DNS.
It allows DNS queries to flow between:
- AWS → On-premises
- On-premises → AWS
6. Route 53 Resolver Endpoints
There are two types (very important for exam):
6.1 Inbound Endpoint
Purpose:
Allows on-premises DNS servers to query AWS DNS
Flow:
On-prem DNS → Route 53 Inbound Endpoint → Private Hosted Zone
Use Case:
- Resolve AWS private domain names from on-prem
6.2 Outbound Endpoint
Purpose:
Allows AWS resources to query on-prem DNS
Flow:
EC2 → Route 53 Resolver → Outbound Endpoint → On-prem DNS
Use Case:
- Resolve on-prem domain names inside AWS
7. DNS Query Forwarding Rules
To control where DNS queries are sent, use forwarding rules:
- Define where queries for a given domain should go
- Example: company.local → forward to on-prem DNS
Types:
- Conditional forwarding, based on the domain name in the query
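The rule-selection behaviour is worth seeing in code, because it is where exam scenarios hide: when several rules could apply to a query, Resolver uses the rule with the most specific domain name, and a SYSTEM rule for a subdomain is how you keep an AWS-hosted zone such as aws.company.local out of a broader forward to on-prem. The following is an added example, not code from the page or from AWS; the rule set, domain names and target IPs are constructed.

```python
# Added example (not from the page or from AWS): a small simulation of how
# Route 53 Resolver picks a forwarding rule for a query. The rules, domains
# and target IPs below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class ForwardingRule:
    domain: str            # domain suffix the rule applies to
    rule_type: str         # "FORWARD" (send to targets) or "SYSTEM" (let Resolver handle it)
    targets: tuple = ()    # on-prem DNS server IPs, only for FORWARD rules


def _labels(name: str) -> list:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def rule_matches(rule_domain: str, qname: str) -> bool:
    """True when qname equals rule_domain or is a subdomain of it.

    Comparison is label-by-label, so 'notcompany.local' does not match a
    rule for 'company.local' the way a naive endswith() would.
    """
    rd, qn = _labels(rule_domain), _labels(qname)
    return len(rd) <= len(qn) and qn[len(qn) - len(rd):] == rd


def select_rule(rules, qname: str):
    """Return the matching rule with the most specific (longest) domain, or None."""
    candidates = [r for r in rules if rule_matches(r.domain, qname)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: len(_labels(r.domain)))


def route_query(rules, qname: str):
    """Decide where a query goes: ('outbound-endpoint', targets) or ('amazon-provided-dns', ())."""
    rule = select_rule(rules, qname)
    if rule is None or rule.rule_type == "SYSTEM":
        # No forwarding rule applies: Resolver handles it itself (PHZ, AWS names, public DNS)
        return ("amazon-provided-dns", ())
    return ("outbound-endpoint", rule.targets)


# Constructed rule set: everything under company.local goes to two on-prem DNS servers,
# except aws.company.local, which stays in AWS (a Private Hosted Zone) via a SYSTEM rule.
RULES = (
    ForwardingRule("company.local", "FORWARD", ("10.10.0.53", "10.10.1.53")),
    ForwardingRule("aws.company.local", "SYSTEM"),
)

if __name__ == "__main__":
    for name in ("db.company.local", "api.aws.company.local", "www.example.com", "notcompany.local"):
        print(name, "->", route_query(RULES, name))
```

Run it and note the two edge cases: api.aws.company.local stays on AmazonProvidedDNS even though company.local is forwarded, and notcompany.local is not forwarded because matching happens on label boundaries, not on string suffixes.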
8. Hybrid DNS Architecture Patterns
8.1 Centralized DNS (Recommended)
- One shared services VPC
- Contains:
  - Resolver endpoints
  - DNS forwarding rules
Other VPCs:
- Use this centralized DNS
Benefits:
- Easier management
- Scalable
- Secure
8.2 Distributed DNS
- Each VPC has its own DNS setup
Drawbacks:
- Complex
- Hard to manage
- Not scalable
9. Connectivity Requirements (Critical for Exam)
DNS does not work alone. It requires network connectivity:
You must have:
- AWS Site-to-Site VPN
- OR AWS Direct Connect
These provide connectivity between:
- On-prem network
- AWS VPC
Without this:
❌ DNS queries cannot reach the destination
10. Security Considerations
10.1 Security Groups
- Must allow:
  - UDP 53 (DNS)
  - TCP 53 (DNS fallback)
10.2 Network ACLs
- Ensure DNS traffic is allowed
10.3 IAM Policies
- Control access to:
  - Route 53
  - Resolver rules
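A practical way to check the security-group requirement above is to audit the group's rules offline, in the shape the EC2 API returns them, and flag two things: a missing UDP or TCP 53 rule for the on-prem range, and a DNS rule opened to 0.0.0.0/0. The code below is an added example, not from the page or from AWS; the group IDs, CIDRs and rules are constructed, and the dict layout mirrors boto3's describe_security_groups output (IpPermissions for inbound rules, IpPermissionsEgress for outbound rules).

```python
# Added example (not from the page or from AWS): an offline audit of a security
# group, in the shape returned by boto3's describe_security_groups, checking that
# a Route 53 Resolver endpoint allows DNS on UDP 53 and TCP 53 from the on-prem
# network without opening it to the whole internet. Group IDs, CIDRs and rules
# below are constructed for illustration.
import ipaddress

REQUIRED = {("udp", 53), ("tcp", 53)}


def _covers_port(perm: dict, port: int) -> bool:
    """True if the permission's port range (or 'all traffic', protocol -1) includes the port."""
    if perm["IpProtocol"] == "-1":
        return True
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def audit_resolver_sg(sg: dict, onprem_cidr: str, key: str = "IpPermissions") -> dict:
    """Check DNS rules in one direction of a security group.

    key is 'IpPermissions' (inbound rules, for an inbound endpoint) or
    'IpPermissionsEgress' (outbound rules, for an outbound endpoint).
    Returns {'missing': set of (proto, port) not allowed from/to onprem_cidr,
             'too_broad': list of DNS rules open to 0.0.0.0/0}.
    """
    onprem = ipaddress.ip_network(onprem_cidr)
    satisfied = set()
    too_broad = []
    for perm in sg.get(key, []):
        if not _covers_port(perm, 53):
            continue
        protos = ("udp", "tcp") if perm["IpProtocol"] == "-1" else (perm["IpProtocol"],)
        for rng in perm.get("IpRanges", []):
            cidr = ipaddress.ip_network(rng["CidrIp"])
            for proto in protos:
                if proto not in ("udp", "tcp"):
                    continue
                if cidr.prefixlen == 0:
                    too_broad.append(f"{proto}/53 from {rng['CidrIp']}")
                if onprem.subnet_of(cidr):
                    satisfied.add((proto, 53))
    return {"missing": REQUIRED - satisfied, "too_broad": too_broad}


# Constructed inbound-endpoint security groups (IDs are placeholders)
GOOD_SG = {
    "GroupId": "sg-0000000000000good",
    "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "10.10.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "10.10.0.0/16"}]},
    ],
}
BAD_SG = {
    "GroupId": "sg-00000000000000bad",
    "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

if __name__ == "__main__":
    for sg in (GOOD_SG, BAD_SG):
        print(sg["GroupId"], audit_resolver_sg(sg, "10.10.0.0/16"))
```

The same function applied with key="IpPermissionsEgress" checks an outbound endpoint's group, where the requirement is that the endpoint can reach the on-prem DNS servers on UDP and TCP 53. Network ACLs need the equivalent check in both directions, since they are stateless.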
11. Multi-Account and Multi-Region DNS
Important for exam:
Use AWS RAM (Resource Access Manager)
- Share:
  - Resolver rules
  - Private hosted zones
Cross-Region DNS
- Route 53 is global
- A PHZ can be associated with multiple VPCs, in the same Region or in other Regions
12. Split-Horizon DNS (Exam Favorite)
Also called:
👉 Split-view DNS
Concept:
Same domain, different answers depending on location
Example: app.company.com
- From the internet → public IP
- From AWS/on-prem → private IP
Benefit:
- Internal traffic stays private
- External users access public endpoint
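The following simulation makes the split-horizon behaviour concrete, including the caveat practitioners run into: for a VPC associated with a PHZ, the PHZ is authoritative for that domain, so a name that exists only in the public zone gets NXDOMAIN from inside the VPC rather than falling back to the public answer. On-prem clients forwarding to an inbound endpoint see the PHZ view of whichever VPC hosts that endpoint. This is an added example, not code from the page or from AWS; zone data, VPC IDs and IP addresses are constructed.

```python
# Added example (not from the page or from AWS): a simulation of split-horizon
# DNS with a public hosted zone and a Private Hosted Zone (PHZ) for the same
# domain. Zone data, VPC IDs and IP addresses are constructed for illustration.

# Public hosted zone: what internet clients see
PUBLIC_ZONES = {
    "company.com": {"app.company.com": "203.0.113.10", "www.company.com": "203.0.113.20"},
}
# Private hosted zone for the same name: what associated VPCs see
PRIVATE_ZONES = {
    "company.com": {"app.company.com": "10.0.1.25"},
}
# Which PHZs each VPC is associated with (constructed VPC ids)
PHZ_ASSOCIATIONS = {
    "vpc-app": ["company.com"],
    "vpc-shared": ["company.com"],   # shared-services VPC hosting the inbound endpoint
}
# On-prem resolvers forward AWS domains to the inbound endpoint, which queries
# from inside this VPC, so on-prem gets that VPC's PHZ view.
INBOUND_ENDPOINT_VPC = "vpc-shared"


def _in_zone(qname: str, zone: str) -> bool:
    """Label-safe check that qname is the zone apex or a name under it."""
    return qname == zone or qname.endswith("." + zone)


def resolve(qname: str, source: str):
    """Resolve qname as seen from source.

    source is 'internet', 'onprem', or a VPC id.
    Returns (ip_or_None, origin) where origin is 'private', 'public' or an NXDOMAIN marker.
    """
    q = qname.lower().rstrip(".")
    vpc = INBOUND_ENDPOINT_VPC if source == "onprem" else source
    if vpc != "internet":
        # An associated PHZ takes precedence over the public zone for its domain
        for zone in PHZ_ASSOCIATIONS.get(vpc, []):
            if _in_zone(q, zone):
                records = PRIVATE_ZONES[zone]
                if q in records:
                    return records[q], "private"
                # Caveat: the PHZ covers the name but has no record, so Resolver
                # answers NXDOMAIN; it does not fall back to the public zone.
                return None, "NXDOMAIN-private"
    for zone, records in PUBLIC_ZONES.items():
        if _in_zone(q, zone):
            return (records[q], "public") if q in records else (None, "NXDOMAIN-public")
    return None, "NXDOMAIN"


if __name__ == "__main__":
    for name, src in (("app.company.com", "internet"), ("app.company.com", "vpc-app"),
                      ("app.company.com", "onprem"), ("www.company.com", "vpc-app")):
        print(f"{name} from {src}: {resolve(name, src)}")
```

The www.company.com case is the one to remember: if a name must resolve from inside the VPC, it needs a record in the PHZ too, even when the answer is the same public IP.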
13. High Availability Best Practices
For exam:
- Use multiple Resolver endpoints (in different AZs)
- Configure redundant DNS servers on-prem
- Use Route 53 health checks
14. Common Exam Scenarios
Scenario 1:
On-prem cannot resolve AWS private domain
✔ Solution: Inbound endpoint + PHZ
Scenario 2:
AWS cannot resolve on-prem domain
✔ Solution: Outbound endpoint + forwarding rule
Scenario 3:
Multiple VPCs need DNS
✔ Solution: Centralized DNS VPC + shared rules
Scenario 4:
Same domain internal + external
✔ Solution: Split-horizon DNS
15. Step-by-Step Configuration (Simplified)
Step 1: Create Private Hosted Zone
- Define internal domain
Step 2: Associate VPCs
Step 3: Create Resolver Endpoints
- Inbound (for on-prem → AWS)
- Outbound (for AWS → on-prem)
Step 4: Configure Forwarding Rules
- Domain-based routing
Step 5: Configure On-Prem DNS
- Forward AWS domains to inbound endpoint
Step 6: Ensure Network Connectivity
- VPN or Direct Connect
16. Key Exam Tips (Very Important)
- Inbound endpoint = on-prem → AWS
- Outbound endpoint = AWS → on-prem
- Private Hosted Zone = internal DNS
- Route 53 Resolver = hybrid DNS bridge
- Forwarding rules = control query direction
- Connectivity (VPN/DX) is mandatory
- Centralized DNS is best practice
17. Summary
Hybrid DNS in AWS allows seamless name resolution between:
- On-premises systems
- AWS VPCs (single or multiple accounts/Regions)
This is achieved using:
- Amazon Route 53
- Private Hosted Zones
- Route 53 Resolver endpoints
- DNS forwarding rules
When configured correctly, applications can communicate using domain names across environments, which is essential for modern cloud networking.
