Increase security and reduce costs through VPN connections between AWS and GCP step by step — (4) Use AWS Route53 from GCP

Derek.Kim
Aug 6, 2023


  1. How to connect to VPNs
  2. GCP Private Service Connect and other GCP Private Access methods
  3. Use GCP Cloud DNS from AWS
  4. Use AWS Route53 from GCP

This is the fourth story in the series listed above.

Domain Query from GCP to AWS Route53

A GCP server needs private access to an AWS API that is reachable only from inside the AWS VPC. In a previous post I explained, step by step, how to link AWS and GCP with VPN connections, so please read that post first. This article describes how to query DNS names hosted in Route53 from a GCP server.

Query domain from GCP to AWS Route53

Since a hosted zone registered in Route53 may be either a public zone or a private zone, I will explain how to query it from GCP in both cases.

  • Scenario 1: Query a domain (‘private.aws.zone.com’) registered in an AWS Route53 private hosted zone from GCP.
  • Scenario 2: Query a domain (‘it-is-public-zone.com’) registered in an AWS Route53 public hosted zone from GCP.

Domain Query from GCP to AWS Route53 Private Zone

AWS Route53 Private Zone
  • By default, an AWS Route53 private hosted zone can only be queried from the AWS VPCs associated with it.
  • A Route53 private hosted zone therefore cannot be queried from the external Internet or from the GCP network.
  • However, if you create a Forwarding Zone in Cloud DNS (GCP’s DNS service) that forwards to AWS Route53, GCP can query the domains in the AWS Route53 private hosted zone.

Setup

1. Create Inbound endpoints in AWS Route53

  • Route53 > Resolver > Inbound endpoints
Create Resolver Inbound endpoints
  • Create the inbound endpoints that GCP will use when querying Route53.
  • The inbound endpoints’ network interfaces are assigned addresses from subnets of the VPC linked by the VPN.
Security Group for Inbound endpoints
  • Register the SG that the endpoints will use.
  • This SG should allow TCP and UDP port 53 from 35.199.192.0/19, which is the CIDR that GCP Cloud DNS sends forwarded queries from.

2. Create DNS Forwarding zone in GCP Cloud DNS & register inbound endpoints

  • GCP Cloud DNS > CREATE ZONE
GCP Cloud DNS Forwarding Zone
  • Create a Forwarding Zone in GCP Cloud DNS.
  • For DNS name, enter the domain (private.aws.zone.com) that is registered in the AWS Route53 private hosted zone.
  • Register the IPs of the AWS inbound endpoints you just created as the Destination DNS servers.

3. Advertise GCP Cloud DNS CIDR on GCP Cloud Router

Custom advertising of the GCP Cloud DNS IP range on the GCP Cloud Router
  • Advertise the Cloud DNS CIDR (35.199.192.0/19) on the Cloud Router used for the VPN connection.
  • The Cloud Router must advertise the GCP Cloud DNS CIDR because AWS needs a routing path back to GCP Cloud DNS.

4. Route the GCP Cloud DNS CIDR to the TGW in the route table of the AWS subnets where the inbound endpoints were created

  • VPC > Route tables > Create route table
  • Create a route to the TGW, which already knows the GCP Cloud DNS CIDR.
Static route for the GCP Cloud DNS IP range in the subnets of the inbound endpoints

If you add a route (35.199.192.0/19 -> TGW) to the route table of the subnets where the Route53 inbound endpoints are located, the TGW already has a route for 35.199.192.0/19 advertised by the Cloud Router, so the endpoints can return the queried records to GCP Cloud DNS.
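The four setup steps above, expressed as Terraform so the whole query and return path can be reviewed in one place. This is an added example, not configuration from the original post; the variables (var.aws_vpc_id, var.endpoint_subnet_a, var.endpoint_subnet_b, var.endpoint_route_table_id, var.tgw_id, var.gcp_network, var.vpn_region), the ASN and the resource names are assumptions, and the AWS and Google providers are assumed to be configured in the same root module.

```hcl
resource "aws_security_group" "r53_inbound" { # Step 1: SG for the inbound endpoints
  vpc_id = var.aws_vpc_id
}
resource "aws_vpc_security_group_ingress_rule" "dns" { # port 53 from Cloud DNS only
  for_each          = toset(["tcp", "udp"])
  security_group_id = aws_security_group.r53_inbound.id
  ip_protocol       = each.value
  from_port         = 53
  to_port           = 53
  cidr_ipv4         = "35.199.192.0/19" # Cloud DNS source range, never 0.0.0.0/0
}
resource "aws_route53_resolver_endpoint" "inbound" {
  direction          = "INBOUND"
  security_group_ids = [aws_security_group.r53_inbound.id]
  ip_address { subnet_id = var.endpoint_subnet_a } # two subnets in two AZs
  ip_address { subnet_id = var.endpoint_subnet_b }
}
resource "aws_route" "to_cloud_dns" { # Step 4: return route to Cloud DNS via the TGW
  route_table_id         = var.endpoint_route_table_id
  destination_cidr_block = "35.199.192.0/19"
  transit_gateway_id     = var.tgw_id
}
resource "google_dns_managed_zone" "aws_private" { # Step 2: Cloud DNS forwarding zone
  name       = "aws-private-zone"
  dns_name   = "private.aws.zone.com."
  visibility = "private"
  private_visibility_config {
    networks { network_url = var.gcp_network }
  }
  forwarding_config {
    dynamic "target_name_servers" {
      for_each = aws_route53_resolver_endpoint.inbound.ip_address[*].ip
      content {
        ipv4_address    = target_name_servers.value
        forwarding_path = "private" # via the VPC/VPN, never the public internet
      }
    }
  }
}
resource "google_compute_router" "vpn" { # Step 3: advertise the Cloud DNS range
  name    = "vpn-router"
  network = var.gcp_network
  region  = var.vpn_region
  bgp {
    asn               = 65001 # assumed private ASN of the Cloud Router
    advertise_mode    = "CUSTOM"
    advertised_groups = ["ALL_SUBNETS"] # keep advertising the VPC subnets too
    advertised_ip_ranges { range = "35.199.192.0/19" }
  }
}
```

After apply, a lookup of a name under private.aws.zone.com from a GCP VM should be answered by the Route53 inbound endpoints; if it times out, check the SG rule and the 35.199.192.0/19 route and advertisement first.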

Architecture & Domain Query Scenario

GCP -> AWS Route53 Private Zone Domain Query Architecture

The architecture above allows resources (VMs) within GCP to query the AWS Route53 private zone. Let me explain the domain query scenario, assuming that the VPN is already linked.

  1. A GCP VM looks up hi.private.aws.zone.com.
  2. Cloud DNS forwards the query to the Destination DNS server IPs (the AWS inbound endpoints) registered in the Forwarding Zone.
  3. The AWS inbound endpoints query the Route53 private hosted zone private.aws.zone.com.
  4. The returned record is passed back to the GCP VM.
  5. The GCP VM that sent the request now knows the IP for the requested domain and starts IP-based communication.

Domain Query from GCP to AWS Route53 Public Zone

You can also query a public zone of AWS Route53, not only a private zone. A public zone can be queried from anywhere on the Internet, so no specific settings are needed; the GCP VM can query the domain without creating a separate forwarding zone.

  • However, although you can query from anywhere, you cannot necessarily reach the IP in the returned record from anywhere. (If the queried IP is a private IP rather than a public IP, there must be a network path to that IP.)
  • The networks must be connected to each other to reach the IP you have queried and received.
GCP -> AWS Route53 Public Zone Domain Query Architecture
  • 169.254.169.254 is the metadata server address that GCP VMs use for DNS queries.
  • When a GCP VM makes a DNS query, whether for an internal or an external name, it goes through the metadata server (169.254.169.254). (Note)
Internal resolver in a GCP VM
  • If the DNS query sent to the metadata server is for an external name (such as it-is-public-zone.com), the request is forwarded to Google’s public name servers, while requests for internal DNS are handled by Cloud DNS. (Note)
  • Of course, public DNS zones can also be configured to be queried through the VPN and the AWS Route53 endpoints by creating a forwarding zone in Cloud DNS, but there is no reason to reach public DNS domains that way. For the following three reasons, we decided that there is no need to create a separate forwarding zone for the public DNS zone.
  • Relying on numerous external NS servers is less likely to cause problems than relying on only two endpoints (both are, of course, secure).
  • Since public DNS can be queried from the external Internet anyway, there is no need to reach it over the VPN connection between the private endpoints and GCP.
  • And since there are more zones in public DNS than in private DNS, registering each of them as a forwarding zone in Cloud DNS can be tedious.

In this way, GCP can query domains in AWS Route53 private and public hosted zones, enabling secure private communication over VPN tunnels between different cloud environments.
