Lately I was playing with Docker and the AWS EFS file systems and I realized that I couldn't access my new NFS file system because of DNS resolution. The reason is that I use a DNS server that's at home, and this DNS has no clue about any AWS resources. This is how my setup looks.
I have two domain controllers, DC01 and DC02. The first one is at home/on-prem and the other one is in AWS. They are on different subnets. I also have a site-to-site VPN connection between the two. All of my resources use the DNS servers that I provide. This means that the AWS DNS that comes as the default when you create a new VPC was never used. I have a specific DHCP Option Set in AWS that I use to provide my DNS servers to all of my AWS resources.
And here is the problem. When I created a new EFS file system, I tried to mount it, but my DNS had no clue where this resource is. The hostname for the EFS is not publicly resolvable. On top of that, you can't resolve this hostname from on-prem over VPN or Direct Connect even if you use the provided AWS DNS as a forwarder. The solution before was to build a DNS server in the cloud and use it as a forwarder. As of November 2018, AWS expanded the Route 53 DNS and now you can create inbound and outbound endpoints that do this for you. In my case, I needed amazonaws.com to be resolved by my DNS. All I have to do is create an inbound endpoint in Route 53 and tell my DNS servers to use the IPs provided by Route 53.
Here is what I did.
In Route 53, click on Inbound endpoints. Click on Create inbound endpoint. Fill out the values by specifying a name for the inbound endpoint, the VPC where your resources reside and a security group that allows access. I am not quite sure what security group rules are needed here, I assume TCP/UDP 53, so I assigned a security group that gives my on-prem resources access to all of my AWS resources. Try with TCP/UDP 53 first and see if it works.
Specify two subnets and let AWS choose the IPs. These are the actual DNS server IPs that AWS will provide for you.
Click Submit. Once completed, you'll see your inbound endpoint ready.
If you click on the endpoint, you’ll see the IPs that AWS provides to you.
Now, go back to your on-prem DNS and create a conditional forwarder for amazonaws.com.
Specify the domain amazonaws.com and enter the two IPs that were provided to you.
I made sure that they are stored in AD, so both DCs can get the settings. By default, a conditional forwarder is not stored in AD, which means it won’t replicate.
Now that everything is configured, I can resolve my EFS filesystem from my on-prem server.
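To script the forwarder step and check the endpoint before touching DNS, here is an added PowerShell example (not from the original post). It assumes it runs on DC01 as a DNS administrator with the DnsServer module installed; the endpoint IPs, the EFS hostname and the 10.0.0.0/8 VPC range are placeholders to replace with the values from your Route 53 console and VPC.

```powershell
# Added example, not from the original post. Placeholders: replace the endpoint
# IPs and the EFS hostname with the values shown in the Route 53 console.
$EndpointIps = @('10.10.1.53', '10.10.2.53')              # placeholder inbound endpoint IPs
$EfsHost     = 'fs-EXAMPLE.efs.us-east-1.amazonaws.com'   # placeholder EFS DNS name
$VpcPrefix   = '^10\.'                                    # assumed private VPC range (10.0.0.0/8)

# 1. Confirm each endpoint answers on both UDP 53 (-DnsOnly) and TCP 53 (-TcpOnly).
#    A failure here points at the security group on the endpoint, not at the DC.
foreach ($ip in $EndpointIps) {
    Resolve-DnsName -Name $EfsHost -Server $ip -DnsOnly -ErrorAction Stop | Out-Null
    Resolve-DnsName -Name $EfsHost -Server $ip -TcpOnly -ErrorAction Stop | Out-Null
    Write-Host "Endpoint $ip answers on UDP and TCP 53"
}

# 2. Create the conditional forwarder for amazonaws.com, stored in AD and
#    replicated forest-wide so DC02 in AWS receives it too. The default when
#    created by hand is not AD-integrated, so it would not replicate.
if (-not (Get-DnsServerZone -Name 'amazonaws.com' -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name 'amazonaws.com' `
        -MasterServers $EndpointIps `
        -ReplicationScope 'Forest' `
        -ForwarderTimeout 3
}

# 3. Verify from the DC that the EFS name now resolves to a private VPC address
#    rather than failing or leaking out to public resolvers.
$answers = Resolve-DnsName -Name $EfsHost -Type A -DnsOnly -ErrorAction Stop |
           Where-Object { $_.IPAddress }
foreach ($a in $answers) {
    if ($a.IPAddress -notmatch $VpcPrefix) {
        throw "Unexpected answer for ${EfsHost}: $($a.IPAddress)"
    }
    Write-Host "OK: $EfsHost -> $($a.IPAddress)"
}
```

Run the same `Resolve-DnsName` check against DC02 with `-Server` once replication has completed to confirm the forwarder reached both DCs.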