Task Statement 2.1: Implement routing and connectivity between on-premises networks and the AWS Cloud.
📘AWS Certified Advanced Networking – Specialty
🔹 What is DNS?
DNS (Domain Name System) translates human-readable names into IP addresses.
- Example:
app.company.com → 10.1.2.50
- Without DNS, users and systems would need to remember IP addresses.
In AWS networking, DNS is critical for:
- Connecting on-premises systems to AWS resources
- Resolving private and public domain names
- Enabling hybrid cloud communication
🔹 Key AWS DNS Service
✅ Amazon Route 53
Amazon Route 53 is AWS’s managed DNS service.
Core Functions:
- Domain registration
- DNS routing
- Health checking
🔹 DNS Components You MUST Know for the Exam
1️⃣ Hosted Zones
A hosted zone is a container for DNS records.
Types:
🔸 Public Hosted Zone
- Used for internet-facing DNS
- Example:
www.company.com → public IP
🔸 Private Hosted Zone
- Used inside VPCs only
- Not accessible from the internet
- Example:
db.internal.company.com → private IP
Key Exam Points:
- A private hosted zone can be associated with many VPCs, including VPCs in other Regions and (after an association authorization) VPCs in other accounts
- Each associated VPC must have both enableDnsSupport and enableDnsHostnames set to true, or the zone is silently ignored
- Names in a private hosted zone are never visible to the internet, regardless of whether the same domain also has a public hosted zone
2️⃣ DNS Records
DNS records define how names resolve.
Common Types:
- A Record → maps to IPv4
- AAAA Record → maps to IPv6
- CNAME → maps one name to another
- MX → mail servers
- TXT → verification/security
AWS-Specific:
- Alias Record
- Maps a name directly to an AWS resource instead of to an IP address
- Example targets:
- Elastic Load Balancer
- CloudFront distribution
- S3 static website endpoint
- Another record in the same hosted zone
- Benefits:
- No charge for queries to alias records that point at AWS resources
- Works at the zone apex (root domain), where a CNAME is not allowed by the DNS standard
- Route 53 follows the target's IP changes automatically, so you never hard-code an ELB or CloudFront IP
3️⃣ Route 53 Resolver
This is the DNS service every VPC gets by default (also called the Amazon-provided DNS server or AmazonProvidedDNS).
Key IPs:
- VPC CIDR base + 2 (for 10.0.0.0/16 this is 10.0.0.2)
- 169.254.169.253 (link-local address that reaches the same resolver from any VPC)
- fd00:ec2::253 for IPv6-only workloads
Functions:
- Resolves:
- Private hosted zones associated with the VPC
- Public domains (via recursion to the internet)
- Names forwarded to on-premises DNS through Resolver rules
🔹 Hybrid DNS (VERY IMPORTANT FOR EXAM)
This is the core topic for on-premises + AWS integration.
4️⃣ Resolver Endpoints
Used to connect on-premises DNS with AWS DNS.
🔸 Inbound Endpoint
- Allows on-premises → AWS DNS queries
📌 Use case:
- On-prem server resolves:
app.aws.internal
🔸 Outbound Endpoint
- Allows AWS → on-prem DNS queries
📌 Use case:
- EC2 resolves:
db.corporate.local
Key Exam Points:
- Each endpoint is a set of ENIs in your subnets; you attach a security group that must allow DNS (UDP and TCP 53) from on-prem resolvers (inbound endpoint) or to on-prem DNS servers (outbound endpoint)
- Each endpoint needs IP addresses in at least two subnets, ideally in different AZs, so resolution survives an AZ failure
- The endpoint IPs must be reachable over Site-to-Site VPN or Direct Connect: check route tables, network ACLs and the on-prem firewall in both directions
- Endpoints and rules are Regional; a second Region needs its own endpoints
🔹 DNS Resolution Flow (Hybrid)
Example Flow:
- On-prem DNS receives query for:
app.aws.internal
- It forwards request to:
- Route 53 inbound endpoint
- Resolver checks:
- Private hosted zone
- Returns private IP
🔹 Conditional Forwarding
What is it?
Conditional forwarding sends DNS queries for specific domains to a specific DNS server.
Example:
| Domain | Forward To |
|---|---|
| aws.internal | Route 53 inbound endpoint |
| corp.local | On-prem DNS |
Where Used:
- On-prem DNS servers
- Route 53 Resolver rules
In AWS:
You configure Resolver Rules:
Types:
- Forwarding Rule
- Sends queries for a domain to target IPs (normally on-prem DNS) through an outbound endpoint
- System Rule
- Overrides a forwarding rule for a subdomain so Resolver answers it itself (for example, forward corp.local to on-prem but keep aws.corp.local in a private hosted zone)
- Recursive Rule
- The autodefined "Internet Resolver" rule that resolves any name no other rule matches
Key Exam Points:
- Rules are associated with VPCs; an unassociated rule does nothing
- One rule per domain; when several rules match a name, the most specific (longest) domain wins
- Forwarding rules need an outbound endpoint; system rules do not
- Rules can be shared to other accounts with AWS Resource Access Manager
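The on-premises half of the hybrid setup is a conditional forwarder pointing at the inbound endpoint's IP addresses. The following added example (not part of the original notes and not AWS code) renders that forwarder for BIND and for Windows DNS from an endpoint description, and checks the endpoint spans two AZs as the HA scenario requires. The endpoint entries are constructed in the shape returned by `aws route53resolver list-resolver-endpoint-ip-addresses`; the IPs, subnet IDs, AZ names and the `aws.internal` domain are assumptions.

```python
"""Render the on-premises conditional forwarder for a Route 53 inbound endpoint.

Added example, not from the original notes or from AWS. Endpoint data is
constructed; IPs, subnet IDs and AZ names are assumptions.
"""
from ipaddress import ip_address

# Constructed: IP addresses of an INBOUND endpoint, one per subnet/AZ.
INBOUND_ENDPOINT_IPS = [
    {"Ip": "10.0.1.10", "SubnetId": "subnet-0aaa", "Status": "ATTACHED"},
    {"Ip": "10.0.2.10", "SubnetId": "subnet-0bbb", "Status": "ATTACHED"},
]

# Constructed: which AZ each subnet lives in (what describe-subnets would show).
SUBNET_AZ = {"subnet-0aaa": "us-east-1a", "subnet-0bbb": "us-east-1b"}


def attached_ips(endpoint_ips):
    """Return only IPs whose ENI is ATTACHED; the others will not answer queries."""
    ips = [e["Ip"] for e in endpoint_ips if e.get("Status") == "ATTACHED"]
    for ip in ips:
        ip_address(ip)  # raises ValueError on a malformed address
    return ips


def spans_multiple_azs(endpoint_ips, subnet_az):
    """True when attached endpoint IPs sit in at least two different AZs.

    A single-AZ endpoint is a single point of failure for all on-prem -> AWS
    name resolution, which is what the HA exam scenario is about.
    """
    azs = {subnet_az[e["SubnetId"]] for e in endpoint_ips if e.get("Status") == "ATTACHED"}
    return len(azs) >= 2


def bind_forward_zone(domain, forwarders):
    """Render a BIND 'forward only' zone stanza for conditional forwarding."""
    if not forwarders:
        raise ValueError("no forwarders; refusing to render a zone that cannot resolve")
    fwd = " ".join(f"{ip};" for ip in forwarders)
    return (
        f'zone "{domain}" {{\n'
        f"    type forward;\n"
        f"    forward only;\n"
        f"    forwarders {{ {fwd} }};\n"
        f"}};\n"
    )


def windows_dns_forwarder(domain, forwarders):
    """Render the equivalent Windows DNS conditional forwarder command."""
    if not forwarders:
        raise ValueError("no forwarders")
    ips = ",".join(f'"{ip}"' for ip in forwarders)
    return f'Add-DnsServerConditionalForwarderZone -Name "{domain}" -MasterServers {ips}'


if __name__ == "__main__":
    ips = attached_ips(INBOUND_ENDPOINT_IPS)
    print("multi-AZ:", spans_multiple_azs(INBOUND_ENDPOINT_IPS, SUBNET_AZ))
    print(bind_forward_zone("aws.internal", ips))
    print(windows_dns_forwarder("aws.internal", ips))
```

`forward only` matters: with `forward first`, a timeout to the endpoint would make BIND try public recursion for a private name and leak internal queries to the internet.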
🔹 Split-Horizon DNS (Important Concept)
Also called Split-View DNS
Definition:
Same domain name → different IPs depending on source.
Example:
| Source | Result |
|---|---|
| Internet | Public IP |
| VPC | Private IP |
Implementation:
- Public hosted zone + Private hosted zone (same domain name), with the private zone associated with the VPCs that need internal answers
Exam Tip:
- Resolver automatically chooses:
- Private hosted zone for queries from an associated VPC
- Public hosted zone for everything else
- Caveat: if a VPC is associated with a private hosted zone for company.com and the queried name does not exist in that private zone, Resolver returns NXDOMAIN; it does not fall through to the public zone. Every name the VPC needs under that domain must also be in the private zone
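To make the rule-selection and split-horizon behaviour concrete, here is an added example (not from the original notes and not AWS code) that models how Resolver picks an answer for a query from a VPC: custom rules are evaluated first with the most specific domain winning, a FORWARD rule sends the query to on-prem targets, a SYSTEM rule hands the subdomain back to Resolver (which is the documented reason SYSTEM rules exist), and an associated private hosted zone then shadows the public zone, including the NXDOMAIN case. Autodefined rules and the exact precedence between a forwarding rule and a private hosted zone for the identical domain are not modelled. All zone records, rules, VPC IDs and IPs are constructed.

```python
"""Model of Route 53 Resolver answer selection for queries from a VPC.

Added example, not from the original notes or from AWS. Zone data, rules,
VPC IDs and IPs are constructed assumptions.
"""


def _under(name, domain):
    """True if name equals domain or is a subdomain of it (case-insensitive)."""
    n, d = name.lower().rstrip("."), domain.lower().rstrip(".")
    return n == d or n.endswith("." + d)


# Constructed split-horizon zones for company.com: same names, different answers.
PUBLIC_ZONE = {"www.company.com": "203.0.113.10", "api.company.com": "203.0.113.20"}
PRIVATE_ZONE = {"www.company.com": "10.1.2.50", "db.company.com": "10.1.3.7"}

# Constructed: VPC -> private hosted zones associated with it.
VPC_ASSOCIATIONS = {
    "vpc-0abc": {
        "company.com": PRIVATE_ZONE,
        "aws.corp.local": {"app.aws.corp.local": "10.1.4.9"},
    }
}

# Constructed Resolver rules associated with vpc-0abc.
# FORWARD: send to target IPs through the outbound endpoint.
# SYSTEM : let Resolver answer this subdomain instead of forwarding it.
RULES = [
    {"Domain": "corp.local", "RuleType": "FORWARD",
     "TargetIps": ["192.168.10.53", "192.168.11.53"]},
    {"Domain": "aws.corp.local", "RuleType": "SYSTEM"},
]


def resolve_from_internet(name):
    """A public resolver only ever sees the public hosted zone."""
    return ("PUBLIC", PUBLIC_ZONE.get(name, "NXDOMAIN"))


def resolve_from_vpc(vpc_id, name, rules=RULES, associations=VPC_ASSOCIATIONS):
    """Return (source, answer) for a query that originates in vpc_id."""
    # 1. Custom rules first; when several match, the longest domain wins.
    matches = [r for r in rules if _under(name, r["Domain"])]
    rule = max(matches, key=lambda r: len(r["Domain"])) if matches else None
    if rule and rule["RuleType"] == "FORWARD":
        return ("FORWARD:" + ",".join(rule["TargetIps"]), "forwarded")
    # 2. SYSTEM rule or no rule: Resolver answers itself. An associated
    #    private hosted zone covering the name shadows the public zone, and
    #    a missing record yields NXDOMAIN rather than a public lookup.
    for zone_name, records in associations.get(vpc_id, {}).items():
        if _under(name, zone_name):
            return ("PRIVATE_HOSTED_ZONE", records.get(name, "NXDOMAIN"))
    # 3. Nothing matched: the autodefined recursive rule resolves publicly.
    return ("RECURSIVE", PUBLIC_ZONE.get(name, "NXDOMAIN"))


if __name__ == "__main__":
    for q in ("www.company.com", "api.company.com", "db.corp.local", "app.aws.corp.local"):
        print(q, "internet ->", resolve_from_internet(q), "| vpc-0abc ->", resolve_from_vpc("vpc-0abc", q))
```

The `api.company.com` case is the one that bites in practice: the record exists publicly, but an associated VPC gets NXDOMAIN because the private zone for the same domain is authoritative there. Dropping the SYSTEM rule from `RULES` shows the other trap: `app.aws.corp.local` is then forwarded to on-prem DNS, which knows nothing about the AWS-side private hosted zone.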
🔹 DNS and VPC Settings
To use DNS properly in AWS, enable both VPC attributes:
- enableDnsSupport → must be true; without it the Resolver at VPC base + 2 does not answer
- enableDnsHostnames → must be true for instances to get public DNS hostnames, and together with enableDnsSupport it is required for private hosted zones and Resolver endpoints
Default DNS Behavior:
- EC2 instances use:
- VPC Resolver automatically
🔹 DNS with Hybrid Connectivity
Works with:
- Site-to-Site VPN
- AWS Direct Connect
Requirements:
- Proper routing
- Security group rules
- Resolver endpoints
🔹 DNS Failover & Routing Policies (Exam Bonus)
Route 53 supports:
- Simple routing
- Weighted routing
- Latency-based routing
- Failover routing
- Geolocation routing
- Geoproximity routing
- IP-based routing
- Multivalue answer routing
Health Checks:
- Route 53 stops returning a record whose health check fails; with failover routing it answers with the secondary record instead
- Health checkers reach the target from the internet, so an endpoint must be publicly reachable (or use a CloudWatch-alarm-based check for private resources)
🔹 Common Exam Scenarios
✅ Scenario 1:
On-prem needs to resolve AWS private domain
✔ Solution:
- Create inbound endpoint
- Configure conditional forwarding
✅ Scenario 2:
EC2 needs to resolve on-prem domain
✔ Solution:
- Create outbound endpoint
- Create forwarding rule
✅ Scenario 3:
Same domain for internal & external users
✔ Solution:
- Use split-horizon DNS
✅ Scenario 4:
Highly available DNS resolution
✔ Solution:
- Give each resolver endpoint IP addresses in at least two subnets in different AZs, and configure on-prem forwarders with all endpoint IPs so a single AZ or ENI failure does not stop resolution
🔹 Security Considerations
- Use security groups on resolver endpoints: allow UDP and TCP 53 on an inbound endpoint only from on-prem resolver ranges, and allow an outbound endpoint to reach only the on-prem DNS servers listed as rule targets
- Never allow 0.0.0.0/0 to an inbound endpoint; a reachable open resolver becomes an amplification reflector and leaks internal names
- Keep on-prem forwarders in "forward only" mode for AWS domains so internal queries are not retried against public resolvers
- Use private hosted zones for internal services so their names and addresses never appear in public DNS
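A quick way to enforce the security-group point above is to audit the inbound endpoint's group before it goes live. The following added example (not from the original notes and not AWS code) checks an ingress rule set against the allowed on-prem resolver ranges, flags an open-resolver exposure and any rule wider than port 53, and warns when TCP 53 is missing, since Resolver falls back to TCP for large answers. The rule dictionaries are constructed in the shape of the `IpPermissions` list returned by `aws ec2 describe-security-groups`; all CIDRs are assumptions.

```python
"""Audit the security group on a Route 53 Resolver inbound endpoint.

Added example, not from the original notes or from AWS. Rules are constructed
in the shape of EC2 IpPermissions; CIDRs are assumptions.
"""
from ipaddress import ip_network

# Constructed: on-prem resolver ranges allowed to query the inbound endpoint.
ONPREM_RESOLVER_CIDRS = ["192.168.10.0/24", "192.168.11.0/24"]

# Constructed: the over-permissive group (the "open resolver" mistake).
OPEN_SG = [
    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

# Constructed: the hardened group, scoped to on-prem resolvers only.
SCOPED_SG = [
    {"IpProtocol": proto, "FromPort": 53, "ToPort": 53,
     "IpRanges": [{"CidrIp": c} for c in ONPREM_RESOLVER_CIDRS]}
    for proto in ("udp", "tcp")
]


def _covers_dns(perm):
    """True if the permission includes port 53 ('-1' means all traffic)."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] not in ("udp", "tcp"):
        return False
    return perm["FromPort"] <= 53 <= perm["ToPort"]


def audit_inbound_sg(permissions, allowed_cidrs):
    """Return a list of findings; an empty list means the group is acceptable."""
    allowed = [ip_network(c) for c in allowed_cidrs]
    findings = []
    seen_protocols = set()
    for perm in permissions:
        if not _covers_dns(perm):
            continue
        proto = perm["IpProtocol"]
        seen_protocols.add(proto)
        for rng in perm.get("IpRanges", []):
            src = ip_network(rng["CidrIp"])
            inside = any(a.version == src.version and src.subnet_of(a) for a in allowed)
            if not inside:
                findings.append(f"{proto}/53 open to {src} (not an on-prem resolver range)")
        if proto in ("udp", "tcp") and (perm["FromPort"], perm["ToPort"]) != (53, 53):
            findings.append(f"{proto} rule spans ports {perm['FromPort']}-{perm['ToPort']}, not just 53")
    # Resolver falls back to TCP for answers that do not fit in UDP; both are needed.
    if "-1" not in seen_protocols:
        for proto in ("udp", "tcp"):
            if proto not in seen_protocols:
                findings.append(f"no {proto}/53 rule: queries over {proto} will be dropped")
    return findings


if __name__ == "__main__":
    for label, sg in (("open", OPEN_SG), ("scoped", SCOPED_SG)):
        print(label, audit_inbound_sg(sg, ONPREM_RESOLVER_CIDRS) or "OK")
```

Run it against the real group by feeding in `describe-security-groups` output for the endpoint's group; the same logic, with the direction flipped, applies to an outbound endpoint's egress rules, which should reach only the rule target IPs.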
🔹 Key Exam Tips (VERY IMPORTANT)
- Route 53 Resolver endpoints and rules are Regional; hosted zones are global
- Resolver endpoints are ENIs inside your subnets, so they consume subnet IPs and are governed by security groups, route tables and network ACLs like any other ENI
- DNS queries use:
- UDP 53 (primary)
- TCP 53 (fallback)
- Private hosted zones:
- Only work inside associated VPCs
- Conditional forwarding = Resolver rules in AWS
🧠 Final Summary
To pass the exam, you must understand:
- Hosted Zones (Public vs Private)
- Route 53 Resolver
- Inbound & Outbound Endpoints
- Conditional Forwarding (Resolver Rules)
- Hybrid DNS architecture
- Split-horizon DNS
- DNS flow between on-prem and AWS
