Task Statement 2.3: Implement complex hybrid and multi-account DNS architectures.

📘AWS Certified Advanced Networking – Specialty

1. What Are Route 53 Resolver Endpoints?

In AWS, DNS resolution inside a VPC is handled by Route 53 Resolver.

However, by default:

VPCs can resolve public domains
VPCs can resolve private hosted zones (PHZs) attached to them

But they cannot directly communicate with external DNS systems (such as on-premises DNS servers or DNS in other environments).

👉 To solve this, AWS provides Resolver Endpoints:

Inbound Endpoints
Outbound Endpoints

These endpoints allow DNS queries to flow between AWS and external networks.

2. Inbound vs Outbound Endpoints (Core Concept)

Inbound Endpoint

Allows external systems → query DNS inside AWS
Example: On-premises → Route 53 Private Hosted Zone

Outbound Endpoint

Allows AWS resources → query external DNS
Example: EC2 → On-premises DNS server

3. Inbound Resolver Endpoint (Detailed)

3.1 Purpose

Inbound endpoints allow DNS queries coming from outside AWS to be resolved by Route 53.

👉 Used when:

External systems need to resolve AWS private domain names
Accessing private hosted zones from outside AWS

3.2 How It Works

You create an Inbound Endpoint in a VPC
AWS assigns private IP addresses (ENIs in subnets)
External DNS servers send queries to these IPs
Route 53 Resolver answers using:
- Private Hosted Zones
- VPC DNS

3.3 Key Requirements

1. Network Connectivity

Required:
- VPN (Site-to-Site VPN)
- AWS Direct Connect

👉 Without connectivity, inbound queries cannot reach AWS

2. Security Groups

Must allow:
- UDP 53 (DNS)
- TCP 53 (DNS fallback)

3. IP Address Planning

You must specify:
- At least 2 IP addresses
- In different Availability Zones

👉 Ensures high availability

4. DNS Configuration (External Side)

On-prem DNS must:
- Use conditional forwarding
- Forward specific domains to inbound endpoint IPs

3.4 Common Use Case (IT Example)

A company has:
- Internal DNS server in data center
- AWS private hosted zone: internal.aws.local

👉 Configuration:

On-prem DNS forwards internal.aws.local → inbound endpoint
Route 53 resolves and returns private IPs

3.5 Exam Tips (Inbound)

Used for external → AWS DNS resolution
Requires:
- Hybrid connectivity (VPN/Direct Connect)
- Security group rules for port 53
Uses Private Hosted Zones
Needs multi-AZ IPs

4. Outbound Resolver Endpoint (Detailed)

4.1 Purpose

Outbound endpoints allow AWS resources to resolve DNS names outside AWS.

👉 Used when:

AWS needs to resolve:
- On-premises domain names
- External private DNS systems

4.2 How It Works

Create Outbound Endpoint in a VPC
Define Resolver Rules
Route 53 forwards queries to:
- External DNS servers

4.3 Key Requirements

1. Network Connectivity

Required:
- VPN or Direct Connect

2. Resolver Rules (Very Important)

You must define:

Domain name to forward
Target DNS server IPs

👉 Types of rules:

Forwarding rules
System rules (default AWS)

4.4 Rule Types

a) Forwarding Rule

Sends DNS queries for a domain to external DNS

Example:

Domain: corp.local
Forward to: on-prem DNS

b) System Rule

Default AWS DNS resolution
No forwarding required

4.5 Rule Sharing (Multi-Account)

Rules can be shared using AWS RAM
Allows centralized DNS architecture

4.6 Security Requirements

Security group must allow:
- Outbound UDP/TCP 53

4.7 High Availability

Deploy endpoints in:
- Multiple subnets
- Different AZs

4.8 Common Use Case (IT Example)

EC2 instance needs to resolve:
- db.corp.local (on-prem database)

👉 Flow:

EC2 sends query
Route 53 checks rules
Forward rule matches
Query sent via outbound endpoint to on-prem DNS
Response returned

4.9 Exam Tips (Outbound)

Used for AWS → external DNS resolution
Requires:
- Resolver rules
- Target DNS IPs
Supports:
- Conditional forwarding
Can be shared across accounts

5. Key Differences (Very Important for Exam)

Feature	Inbound Endpoint	Outbound Endpoint
Direction	External → AWS	AWS → External
Purpose	Resolve AWS private domains externally	Resolve external domains from AWS
Requires Rules	No	Yes (forwarding rules)
Uses PHZ	Yes	No (for forwarding)
DNS Flow	External DNS → Route 53	Route 53 → External DNS

6. Architecture Patterns (Exam Critical)

6.1 Hybrid DNS Architecture

Both endpoints used together:

Inbound → resolve AWS domains from on-prem
Outbound → resolve on-prem domains from AWS

👉 This enables bi-directional DNS resolution

6.2 Centralized DNS (Multi-Account)

One VPC hosts:
- Inbound endpoint
- Outbound endpoint
Shared via:
- AWS RAM

👉 Other accounts:

Use shared rules/endpoints

6.3 Split-Horizon DNS

Same domain name:
- Different answers inside/outside AWS

7. Limitations and Considerations

7.1 Cost

Charged per:
- Endpoint hour
- IP address

7.2 Scaling

Each endpoint has:
- Query per second (QPS) limits

7.3 No Internet Access

Endpoints are:
- Private only
Not exposed publicly

7.4 Logging

Use:
- Route 53 Resolver query logging

7.5 Failover

Use:
- Multiple IPs across AZs
External DNS should:
- Retry queries

8. Step-by-Step Implementation (Simplified)

8.1 Inbound Endpoint

Create endpoint in VPC
Choose subnets (multi-AZ)
Assign IP addresses
Configure security group (port 53)
Update on-prem DNS:
- Add conditional forwarder

8.2 Outbound Endpoint

Create outbound endpoint
Select subnets and IPs
Configure security group
Create resolver rule:
- Domain name
- Target DNS IP
Associate rule with VPC

9. Common Exam Scenarios

Scenario 1

On-prem needs to resolve AWS private domain
✅ Use Inbound Endpoint

Scenario 2

EC2 needs to resolve on-prem domain
✅ Use Outbound Endpoint + Forwarding Rule

Scenario 3

Multi-account DNS centralization
✅ Use:
Shared outbound rules (AWS RAM)
Central DNS VPC

Scenario 4

Full hybrid DNS
✅ Use:
Both inbound and outbound endpoints

10. Final Exam Summary (Must Remember)

Inbound endpoint
→ External systems resolve AWS private DNS
Outbound endpoint
→ AWS resolves external DNS
Forwarding rules
→ Required for outbound only
Connectivity (VPN/DC)
→ Required for both
High availability
→ Multi-AZ endpoints required
Security
→ Allow TCP/UDP port 53