Resolve AWS RDS And Other DNS Names On VPN Networks using R53 Resolvers

If you are dealing with AWS RDS or Aurora then you are familiar with RDS Endpoints. Its a random string that points to the underlying host where your database server is hosted. The reason why AWS provides this endpoint is, during the failover the Host IP of the database server will change. Instead of using Virtual/Floating IP address they are using this kind of DNS names. So during the failover, they’ll update the new master’s IP address in the DNS server. And these endpoints are resolve by both internal and external networks.

Earlier days, we used to set up some Replica from RDS to On-Prem or cross-cloud platforms like Azure and GCP. But the replication connectivity is done via the public internet. Because the endpoint should not resolve the Private IP. But we had a couple of solutions to make this possible.

  1. Use Unbound to perform as a DNS forwarder.
  2. Use AWS Directory service (Simple AD).
  3. Use AWS Directory Service (Microsoft AD).
  4. Centralized DNS management.

But the effort for configuring this is not less and more time consuming one. Recently I had a chance to set up replication between Aurora to GCP VM. Instead of configuring the above mentioned solution I used R53.

AWS recently announced that, we can use Route53 for Hybrid DNS solutions via Managed VPN and Direct Connect. Its just a 5mins of work to set up this.

Before starting, this tutorial, make sure you have configured the VPN between AWS and GCP.

From AWS:

AWS Tunnels are up

From GCP:

GCP Tunnels are up

Then I have launched an RDS instance and tried to ping from the GCP VM.

root@bhuvi:/home# ping myfirstdb.XXXXXXXXXXX.us-east-1.rds.amazonaws.com
PING ec2-52-7-5-183.compute-1.amazonaws.com (52.7.5.183) 56(84) bytes of data.

It returns the Public IP of the Host 52.7.5.183. If you didn’t enable pubically accessible then it won’t return anything.

  1. Now lets setup the Route53 Resolver. You should choose the region where your RDS is launched. In my case its us-east-1.

2. Go to R53 → Resolver → Inbound Endpoint.

I just need my GCP VM should resolve the RDS endpoint, I don’t want to any other things with that. So for me its just an Inbound connection to RDS. So I selected Inbound Endpoint.

3. Click On Create Inbound Endpoint.

4. Under the VPC in Region, select the VPC where your RDS instance is launched.

5. And then this R53 endpoint will not automatically allow all the traffic. We can restrict who can use this Resolver to resolve DNS names. So I have created a security group and allowed my GCP VM to port 53.

6. AWS will deploy this endpoint on 2 availability zone to make sure its high availability. So in IP Address #1, provide the AZ and subnet for the first DNS endpoint. For #2 choose different AZ and subnet.

Make sure that the 2 subnets which you selected must be associated with the Route table where VGW is attached. Else it not work.

7. Click on Submit button.

Lets wait for the deployment. Then use the DNS resolvers IP address on your VM.

vi /etc/resolv.conf
#Add these lines
nameserver 172.31.26.33
nameserver 172.31.45.77

Now, lets test the connectivity.

root@bhuvi:/home/# ping myfirstdb.XXXXXXXX.us-east-1.rds.amazonaws.com
PING ec2-52-7-5-183.compute-1.amazonaws.com (172.31.40.43) 56(84) bytes of data.

Want to play more?

  • From this setup, I have manually added the resolver to the VM. You can use a startup script to add these lines while launching instances.
  • Or find out a way to use this for existing instances without adding manually.
  • Check what are all the things can be resolved, like ElasticSearch endpoint, Internal load balancers endpoint or S3.