0

I have two VPCs:

  • Inbound VPC with CIDR 10.0.0.0/16 (2 public subnets)
  • Private VPC with CIDR 10.1.0.0/16 (Private endpoints)

Both are connected with a Transit Gateway and I can resolve the DNS and the private APIs from the inbound VPC to the private VPC using a curl command from an EC2 instance.

However, I have created an ALB in the Inbound VPC that forwards to the private DNS only accessible from the inbound VPC with the Transit Gateway, and it cannot resolve it.

I think it's trying to resolve the forward DNS outside the VPC. The only solution I see is to create an EC2 instance with a proxy (Nginx/Apache) and redirect the traffic from it.

Is there any other solution for this? For example, using Route 53 Resolver?

Thanks

user1911
  • 133
  • 1
  • 1
  • 4

1 Answer

0

To achieve what you're trying to do generally you associate the R53 private hosted zone with the VPC that your ALB is in, plus the VPC that the resources it controls are in. You do this in the console like this, or with the API / CLI like this (key parts copied below, but read the link).

# Run in the account that owns the private hosted zone: authorize the other VPC to be associated
aws route53 create-vpc-association-authorization --hosted-zone-id <hosted-zone-id> --vpc VPCRegion=<region>,VPCId=<vpc-id> --region us-east-1
# Run in the account that owns the VPC: perform the association (same-account VPCs can run this directly, without the authorization step)
aws route53 associate-vpc-with-hosted-zone --hosted-zone-id <hosted-zone-id> --vpc VPCRegion=<region>,VPCId=<vpc-id> --region us-east-1

Another common pattern is to have internet ingress on a per-VPC basis, rather than shared. That avoids the cost of sending all ingress traffic over the transit gateway, which can be significant for large systems.

Egress via a shared VPC is also quite common, even while ingress is direct. The AWS Landing Zone Accelerator framework sets it up well, can optionally include AWS Network Firewall (beware the cost) and can also set up shared VPC endpoints. In an enterprise landing zone the cost of VPC endpoints in each VPC adds up very quickly, so sharing them can save quite a bit of money.

Tim
  • 31,888
  • 7
  • 52
  • 78
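An added example, not part of the answer above, that turns its advice into a check: given a private hosted zone's current VPC associations (in the shape `aws route53 get-hosted-zone` returns) and the VPCs that must resolve it, it reports which VPC is missing and which CLI steps, in which account, are needed. The zone id, account ids and VPC ids are constructed sample values, and the two VPCs are assumed to live in different accounts so the cross-account authorization step is exercised.

```python
"""Plan the Route 53 private hosted zone (PHZ) associations needed so a name
resolves from every VPC that must reach it. Input shapes mirror the output of
`aws route53 get-hosted-zone`; all ids below are constructed sample values."""

# Constructed sample: PHZ owned by the "private" account, associated only with
# the private VPC, so an ALB in the inbound VPC cannot resolve names in it.
PHZ = {
    "Id": "/hostedzone/ZEXAMPLE123",           # constructed zone id
    "Account": "111111111111",                 # constructed account owning the zone
    "VPCs": [{"VPCRegion": "us-east-1", "VPCId": "vpc-0aaaa111122223333"}],
}

# VPCs that must resolve the zone: the private VPC (endpoints) and the inbound VPC (ALB).
REQUIRED_VPCS = [
    {"VPCRegion": "us-east-1", "VPCId": "vpc-0aaaa111122223333", "Account": "111111111111"},
    {"VPCRegion": "us-east-1", "VPCId": "vpc-0bbbb111122223333", "Account": "222222222222"},
]


def is_associated(zone, vpc_id):
    """True if the PHZ is already associated with the VPC; this is the first thing to check."""
    return any(v["VPCId"] == vpc_id for v in zone["VPCs"])


def plan_associations(zone, required_vpcs):
    """Return (account_to_run_in, aws cli command) steps for every missing association.
    A VPC in another account needs the zone owner to authorize it first; a VPC in the
    zone owner's own account can be associated directly."""
    zone_id = zone["Id"].split("/")[-1]
    steps = []
    for vpc in required_vpcs:
        if is_associated(zone, vpc["VPCId"]):
            continue
        vpc_arg = f"--vpc VPCRegion={vpc['VPCRegion']},VPCId={vpc['VPCId']}"
        if vpc["Account"] != zone["Account"]:
            steps.append((zone["Account"],
                          f"aws route53 create-vpc-association-authorization "
                          f"--hosted-zone-id {zone_id} {vpc_arg}"))
        steps.append((vpc["Account"],
                      f"aws route53 associate-vpc-with-hosted-zone "
                      f"--hosted-zone-id {zone_id} {vpc_arg}"))
    return steps


if __name__ == "__main__":
    for account, cmd in plan_associations(PHZ, REQUIRED_VPCS):
        print(f"[run in account {account}] {cmd}")
```

After applying the steps, the ALB's VPC should appear in the zone's VPC list, and a resolver query from an instance in that VPC is the confirming check.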