Why can't I resolve domain names over my VPC peering connection?


I can't resolve domain names over my Amazon Virtual Private Cloud (Amazon VPC) peering connection.

Resolution

Note: The following scenarios assume that the VPC is configured with AmazonProvidedDNS. If you're using custom DNS and can't resolve domain names, then do the following:

  • Add the records in the custom DNS.
    -or-
  • Configure the DNS to forward certain queries to Amazon-provided DNS. Amazon-provided DNS listens at the base address of the VPC CIDR plus two (the .2 address; for example, 10.0.0.2 for a 10.0.0.0/16 VPC).

Scenario 1: Resolving to the public DNS of an Amazon EC2 instance created in the peered VPC

Amazon Elastic Compute Cloud (Amazon EC2) assigns a private and public DNS name at instance creation. The following domain names are assigned to instances by default:

  • Private DNS: ip-172-31-19-128.ec2.internal (for us-east-1 Region) or ip-172-31-12-97.us-west-2.compute.internal (for other Regions).
  • Public DNS: ec2-54-147-16-116.compute-1.amazonaws.com or ec2-35-88-61-144.us-west-2.compute.amazonaws.com.

If you configure the DHCP option set with a custom domain name, such as "example.com", then the EC2 instance uses that domain name. For example, ip-172-31-12-97.us-west-2.example.com.

Resolving the private DNS name from any instance in AWS returns the private IP address of the instance in the VPC where you created it:

$ dig ip-172-31-12-97.us-west-2.compute.internal +short
172.31.12.97

By default, resolving the public DNS name of the instance from an instance in the peered VPC returns the public IP address of the instance:

$ dig ec2-35-88-61-144.us-west-2.compute.amazonaws.com +short
35.88.61.144

You can instead resolve the public DNS name to the private IP address of the EC2 instance, so that traffic between the peered VPCs stays on the peering connection instead of leaving through the internet gateway. To do this, turn on one of the following options on the VPC peering connection:

  • Requester DNS resolution
    -or-
  • Accepter DNS resolution

For more information, see Turn on DNS resolution for a VPC peering connection.

After you turn on DNS resolution, the public DNS name resolves to the private IP address of the instance. For example:

$ dig ec2-35-88-61-144.us-west-2.compute.amazonaws.com +short
172.31.12.97

If the public DNS name still doesn't resolve to the private IP address after you turn on DNS resolution on the VPC peering connection, then use the following steps to troubleshoot the issue.

Troubleshooting steps

  1. Verify the IDs of the source VPC and the destination VPC.
  2. Make sure that there is an active VPC peering connection between the source and destination VPCs.
  3. Check the DNS settings of the peering connection. Make sure that DNS resolution is turned on for both the requester and accepter VPCs.
  4. Verify that the public domain name that you're resolving exists. Check the destination VPC to make sure that there's an instance with the public IP address that's encoded in the domain name.
  5. Verify whether the DNS configuration in the VPC is AmazonProvidedDNS or CustomDNS. If you're using custom DNS, then verify that the custom DNS resolves the domain name of the public instance. If the custom DNS can't resolve the domain name, then do one of the following:
     • Add a static DNS record.
       -or-
     • Forward the query to AmazonProvidedDNS.
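The troubleshooting steps above can be run as a checklist against the JSON that the AWS CLI returns. The following script is an added example (not AWS code and not part of the original article): it takes responses shaped like `aws ec2 describe-vpc-peering-connections`, `describe-instances`, `describe-vpcs` and `describe-dhcp-options`, and reports which of steps 1 to 5 fails. The sample responses, VPC IDs, peering ID and instance ID are constructed placeholders; the field names (`Status.Code`, `PeeringOptions.AllowDnsResolutionFromRemoteVpc`, `DhcpConfigurations`) are the real ones from those API responses.

```python
import ipaddress
import re

# Constructed sample API responses (placeholders, not real AWS data). The shapes
# follow the JSON output of describe-vpc-peering-connections, describe-instances,
# describe-vpcs and describe-dhcp-options.
PEERING = {"VpcPeeringConnections": [{
    "VpcPeeringConnectionId": "pcx-0123456789abcdef0",
    "Status": {"Code": "active"},
    "RequesterVpcInfo": {"VpcId": "vpc-aaaa1111", "CidrBlock": "10.0.0.0/16",
                         "PeeringOptions": {"AllowDnsResolutionFromRemoteVpc": True}},
    "AccepterVpcInfo": {"VpcId": "vpc-bbbb2222", "CidrBlock": "172.31.0.0/16",
                        "PeeringOptions": {"AllowDnsResolutionFromRemoteVpc": False}},
}]}
INSTANCES = {"Reservations": [{"Instances": [{
    "InstanceId": "i-0abc0123", "VpcId": "vpc-bbbb2222",
    "PublicIpAddress": "35.88.61.144", "PrivateIpAddress": "172.31.12.97"}]}]}
VPCS = {"Vpcs": [
    {"VpcId": "vpc-aaaa1111", "CidrBlock": "10.0.0.0/16", "DhcpOptionsId": "dopt-1"},
    {"VpcId": "vpc-bbbb2222", "CidrBlock": "172.31.0.0/16", "DhcpOptionsId": "dopt-2"}]}
DHCP = {"DhcpOptions": [
    {"DhcpOptionsId": "dopt-1", "DhcpConfigurations": [
        {"Key": "domain-name-servers", "Values": [{"Value": "AmazonProvidedDNS"}]}]},
    {"DhcpOptionsId": "dopt-2", "DhcpConfigurations": [
        {"Key": "domain-name-servers", "Values": [{"Value": "10.10.0.53"}]}]}]}

# EC2 public DNS names embed the public IPv4 address: ec2-35-88-61-144.<region>...
PUBLIC_DNS = re.compile(r"^ec2-(\d+)-(\d+)-(\d+)-(\d+)\.")


def public_ip_from_dns(name):
    """Return the public IPv4 address encoded in an EC2 public DNS name, or None."""
    m = PUBLIC_DNS.match(name)
    return ".".join(m.groups()) if m else None


def amazon_dns_address(cidr):
    """Amazon-provided DNS listens at the VPC CIDR base address plus two."""
    return str(ipaddress.ip_network(cidr).network_address + 2)


def check_peering_dns(source_vpc, dest_vpc, name, peering, instances, vpcs, dhcp):
    """Return a list of findings that explain why `name` may not resolve privately."""
    findings = []
    # Steps 1 and 2: find an active peering connection that joins the two VPCs.
    link = None
    for pcx in peering["VpcPeeringConnections"]:
        ids = {pcx["RequesterVpcInfo"]["VpcId"], pcx["AccepterVpcInfo"]["VpcId"]}
        if ids == {source_vpc, dest_vpc}:
            link = pcx
            break
    if link is None:
        return ["no peering connection between %s and %s" % (source_vpc, dest_vpc)]
    if link["Status"]["Code"] != "active":
        findings.append("peering %s is %s, not active"
                        % (link["VpcPeeringConnectionId"], link["Status"]["Code"]))
    # Step 3: the article asks for DNS resolution to be on for both requester and accepter.
    for side in ("RequesterVpcInfo", "AccepterVpcInfo"):
        if not link[side]["PeeringOptions"].get("AllowDnsResolutionFromRemoteVpc"):
            findings.append("DNS resolution from remote VPC is off for %s (%s)"
                            % (side, link[side]["VpcId"]))
    # Step 4: the public IP in the name must belong to an instance in the destination VPC.
    ip = public_ip_from_dns(name)
    if ip is None:
        findings.append("%s is not an EC2 public DNS name" % name)
    else:
        owners = [i for r in instances["Reservations"] for i in r["Instances"]
                  if i.get("PublicIpAddress") == ip]
        if not owners:
            findings.append("no instance has public IP %s" % ip)
        elif owners[0]["VpcId"] != dest_vpc:
            findings.append("instance with %s is in %s, not %s"
                            % (ip, owners[0]["VpcId"], dest_vpc))
    # Step 5: the source VPC must use AmazonProvidedDNS, or forward to the .2 resolver.
    vpc = next(v for v in vpcs["Vpcs"] if v["VpcId"] == source_vpc)
    opts = next(d for d in dhcp["DhcpOptions"] if d["DhcpOptionsId"] == vpc["DhcpOptionsId"])
    servers = [v["Value"] for c in opts["DhcpConfigurations"]
               if c["Key"] == "domain-name-servers" for v in c["Values"]]
    if "AmazonProvidedDNS" not in servers:
        findings.append("%s uses custom DNS %s; add a record or forward to %s"
                        % (source_vpc, servers, amazon_dns_address(vpc["CidrBlock"])))
    return findings


if __name__ == "__main__":
    for finding in check_peering_dns("vpc-aaaa1111", "vpc-bbbb2222",
                                     "ec2-35-88-61-144.us-west-2.compute.amazonaws.com",
                                     PEERING, INSTANCES, VPCS, DHCP):
        print("finding:", finding)
```

With the constructed data, the script reports only that the accepter side (the VPC that owns the instance) has DNS resolution from the remote VPC turned off, which is exactly the setting step 3 tells you to check. To run it against a real account, replace the constants with the parsed output of the four CLI commands named in the lead-in.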

Scenario 2: Resolving to the domain name of the services created in a peered VPC

If you create a service with a domain name, then you can resolve that domain name from an instance in any peered VPC. Domain names created for these services are public records and can be resolved from anywhere.

For example, the following domain name records are publicly resolvable:

  • testCLB-520693273.us-east-1.elb.amazonaws.com
  • test-87913728ca9b8a68.elb.us-east-1.amazonaws.com
  • vpce-057d3426e21755b8a-svk1k3tm.ssm.us-east-1.vpce.amazonaws.com

Note: Even if the domain name is for a private load balancer, the record is public and resolves to the private IP address.

Service endpoint domain names, such as ssm.us-east-1.amazonaws.com, resolve to the public IP addresses of the service. This is true even if an interface endpoint with the private DNS option turned on exists in the peered VPC, because private DNS names resolve to the endpoint's private IP addresses only when they're queried from within the VPC where you created the interface endpoint. To resolve the endpoint domain name to the endpoint's private IP addresses from a peered VPC, you must create the correct DNS architecture.

In the following example, the interface VPC endpoint is configured on VPC A. To resolve the service domain name to the interface VPC endpoint IP addresses in VPC A from VPC B:

  1. Create an interface endpoint for the service with private DNS turned off. In the next step you create a private hosted zone for the service name that you control, so that it can be associated with VPC B.
  2. Create a private hosted zone using the service domain name (for example, ssm.us-east-1.amazonaws.com) from the account where the interface endpoint is created.
  3. Make sure that DNS hostnames and DNS resolution are turned on for both VPCs in the peering connection.
  4. Create an Alias record pointing the service domain name to the Regional DNS name of the interface endpoint: vpce-057d3426e21755b8a-svk1k3tm.ssm.us-east-1.vpce.amazonaws.com. Or, create a record pointing the service domain name to the private IP addresses of the interface VPC endpoint created in VPC A.
  5. Associate the private hosted zone that you created with the peered VPC (VPC B). If VPC B is in a different account, see How do I associate a Route 53 private hosted zone with a VPC on a different AWS account?
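Steps 2, 4 and 5 above can be prepared from the endpoint's `DnsEntries` list. The following script is an added example (not AWS code and not part of the original article): it picks the Regional entry out of a `describe-vpc-endpoints` `DnsEntries` list (skipping the zonal entries that carry an Availability Zone suffix), builds the Route 53 change batch for the Alias record (or, as the alternative the article mentions, a plain A record with the endpoint's private IP addresses), and lists the CLI commands that create the private hosted zone, apply the record and associate VPC B. The endpoint name is the one quoted in the article; the hosted zone ID, VPC IDs and caller reference are placeholders that you replace with your own values.

```python
import json
import re

# Constructed sample (placeholders, not real AWS output): the DnsEntries list of one
# interface endpoint, shaped like `aws ec2 describe-vpc-endpoints` output.
VPCE_DNS_ENTRIES = [
    {"DnsName": "vpce-057d3426e21755b8a-svk1k3tm.ssm.us-east-1.vpce.amazonaws.com",
     "HostedZoneId": "Z0000EXAMPLE"},
    {"DnsName": "vpce-057d3426e21755b8a-svk1k3tm-us-east-1a.ssm.us-east-1.vpce.amazonaws.com",
     "HostedZoneId": "Z0000EXAMPLE"},
    {"DnsName": "vpce-057d3426e21755b8a-svk1k3tm-us-east-1b.ssm.us-east-1.vpce.amazonaws.com",
     "HostedZoneId": "Z0000EXAMPLE"},
]
SERVICE_NAME = "ssm.us-east-1.amazonaws.com"
VPC_A, VPC_B, REGION = "vpc-aaaa1111", "vpc-bbbb2222", "us-east-1"   # placeholders

# Zonal entries end their first label with "-<az>", for example "-us-east-1a".
ZONAL_SUFFIX = re.compile(r"-[a-z]{2}(-[a-z]+)+-\d+[a-z]$")


def regional_dns_entry(entries):
    """Pick the Regional endpoint name: the entry whose first label has no AZ suffix."""
    for entry in entries:
        first_label = entry["DnsName"].split(".")[0]
        if not ZONAL_SUFFIX.search(first_label):
            return entry
    raise ValueError("no Regional DNS entry found")


def alias_change_batch(service_name, entry):
    """Route 53 ChangeBatch that aliases the service name to the endpoint (step 4)."""
    return {"Changes": [{"Action": "UPSERT", "ResourceRecordSet": {
        "Name": service_name, "Type": "A",
        "AliasTarget": {"HostedZoneId": entry["HostedZoneId"],
                        "DNSName": entry["DnsName"],
                        "EvaluateTargetHealth": False}}}]}


def a_record_change_batch(service_name, private_ips, ttl=60):
    """The alternative in step 4: a plain A record with the endpoint's private IPs."""
    return {"Changes": [{"Action": "UPSERT", "ResourceRecordSet": {
        "Name": service_name, "Type": "A", "TTL": ttl,
        "ResourceRecords": [{"Value": ip} for ip in private_ips]}}]}


def cli_plan(service_name, region, vpc_a, vpc_b, batch,
             zone_id="<ZONE-ID-RETURNED-BY-CREATE-HOSTED-ZONE>",
             caller_reference="<UNIQUE-CALLER-REFERENCE>"):
    """AWS CLI commands for steps 2, 4 and 5, in order (zone id and caller reference are placeholders)."""
    return [
        "aws route53 create-hosted-zone --name %s --caller-reference %s "
        "--hosted-zone-config PrivateZone=true --vpc VPCRegion=%s,VPCId=%s"
        % (service_name, caller_reference, region, vpc_a),
        "aws route53 change-resource-record-sets --hosted-zone-id %s --change-batch '%s'"
        % (zone_id, json.dumps(batch)),
        "aws route53 associate-vpc-with-hosted-zone --hosted-zone-id %s --vpc VPCRegion=%s,VPCId=%s"
        % (zone_id, region, vpc_b),
    ]


if __name__ == "__main__":
    batch = alias_change_batch(SERVICE_NAME, regional_dns_entry(VPCE_DNS_ENTRIES))
    for cmd in cli_plan(SERVICE_NAME, REGION, VPC_A, VPC_B, batch):
        print(cmd)
```

The Alias record carries no TTL and points at the Regional endpoint name, so the answer follows the endpoint's own health and AZ set; the plain A record alternative freezes the private IP addresses in the zone and has to be updated if the endpoint is recreated. If VPC B belongs to another account, the final `associate-vpc-with-hosted-zone` call has to be preceded by an authorization from the zone owner, as the article's cross-account link describes.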

Troubleshooting steps

  1. Verify the IDs of the source VPC and the destination VPC.
  2. Make sure that there is an active peering connection between the source and destination VPCs.
  3. Make sure that DNS hostnames and DNS resolution are turned on for both VPCs in the peering connection.
  4. Verify whether the DNS configured in the VPC is AmazonProvidedDNS or CustomDNS. If you're using a custom DNS, then verify that the custom DNS can resolve the domain name. If the custom DNS can't resolve the domain name, then add a static DNS record or configure the custom DNS to forward the query to AmazonProvidedDNS.
  5. Verify that both peered VPCs are associated with the same private hosted zone where the domain name record is created.
  6. Make sure that the records point to the correct Regional domain name of the VPC endpoint or to the interface endpoint's IP addresses.

Scenario 3: Custom domain name created in private hosted zone

You created a private hosted zone for a custom domain name and added a record for that domain in the zone. VPC A is associated with the private hosted zone, and VPC B has a peering connection to VPC A. You want to resolve the custom domain name from VPC B.

To resolve it, associate VPC B with the private hosted zone that contains the record. After the association, resources in both of the peered VPCs can resolve the custom domain name in the private hosted zone.

Troubleshooting steps

  1. Verify the IDs of the source VPC and the destination VPC.
  2. Verify whether the DNS configured in the VPC is AmazonProvidedDNS or CustomDNS. If you're using custom DNS, then you can't resolve records hosted in private hosted zones. To correct this, add a static domain name record on the custom DNS. Or, configure the custom DNS to forward the query to AmazonProvidedDNS.
  3. If you're using Amazon-provided DNS, then verify the domain that you're trying to resolve and where it's hosted (Amazon Route 53 or on-premises). If it's hosted on-premises, then make sure that the outbound resolver endpoint that forwards the query to the on-premises DNS is configured correctly.
  4. If it's hosted in a Route 53 private hosted zone, then verify that the source VPC is associated with the private hosted zone. The source VPC is the VPC from which you're trying to resolve the custom domain name.
  5. Make sure that the FQDN that you're trying to resolve has a record in the private hosted zone.
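Steps 4 and 5 above, and step 5 of Scenario 2, come down to two questions about a private hosted zone: is the source VPC associated with it, and does the zone contain a record for the name? The following script is an added example (not AWS code and not part of the original article) that answers both from responses shaped like `aws route53 get-hosted-zone` (whose `VPCs` list holds the associations) and `aws route53 list-resource-record-sets`. The zone name corp.example, the zone ID and the VPC IDs are constructed placeholders.

```python
# Constructed sample responses (placeholders, not real AWS output), shaped like the
# JSON of `aws route53 get-hosted-zone` and `aws route53 list-resource-record-sets`.
HOSTED_ZONE = {
    "HostedZone": {"Id": "/hostedzone/Z0000EXAMPLE", "Name": "corp.example.",
                   "Config": {"PrivateZone": True}},
    "VPCs": [{"VPCRegion": "us-east-1", "VPCId": "vpc-aaaa1111"}],
}
RECORD_SETS = {"ResourceRecordSets": [
    {"Name": "db.corp.example.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "10.0.1.25"}]},
    {"Name": "api.corp.example.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "db.corp.example."}]},
]}


def canonical(name):
    """Route 53 returns names with a trailing dot; compare everything in that form."""
    return name.rstrip(".").lower() + "."


def in_zone(zone_name, name):
    """True if `name` is the zone apex or lies under the zone."""
    zone, name = canonical(zone_name), canonical(name)
    return name == zone or name.endswith("." + zone)


def find_records(record_sets, name):
    """All record sets whose name matches `name` exactly (wildcards are not expanded)."""
    return [r for r in record_sets["ResourceRecordSets"]
            if canonical(r["Name"]) == canonical(name)]


def check_private_zone(hosted_zone, record_sets, source_vpc, region, name):
    """Findings for the association check (step 4) and the record check (step 5)."""
    findings = []
    zone = hosted_zone["HostedZone"]
    if not zone.get("Config", {}).get("PrivateZone"):
        findings.append("%s is a public zone; VPC association does not apply" % zone["Name"])
    if not in_zone(zone["Name"], name):
        findings.append("%s is not inside zone %s" % (canonical(name), zone["Name"]))
    # A private hosted zone is associated per (Region, VPC) pair; the source VPC
    # is the VPC from which the query is made.
    associated = {(v["VPCRegion"], v["VPCId"]) for v in hosted_zone["VPCs"]}
    if (region, source_vpc) not in associated:
        findings.append("source VPC %s (%s) is not associated with zone %s; associate it"
                        % (source_vpc, region, zone["Name"]))
    if not find_records(record_sets, name):
        findings.append("no record for %s in zone %s" % (canonical(name), zone["Name"]))
    return findings


if __name__ == "__main__":
    # VPC B (vpc-bbbb2222) peers with VPC A but is not associated with the zone yet.
    for finding in check_private_zone(HOSTED_ZONE, RECORD_SETS,
                                      "vpc-bbbb2222", "us-east-1", "db.corp.example"):
        print("finding:", finding)
```

With the constructed data the query from VPC B produces a single finding, the missing association, which is the fix the scenario describes; the same check with vpc-aaaa1111 as the source VPC returns no findings. On a real account, `aws route53 list-hosted-zones-by-vpc --vpc-id <id> --vpc-region <region>` gives the same association information from the VPC's side.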


AWS OFFICIAL
Updated a year ago