
I have successfully built a VPN connection between GCP and AWS using the following guide (https://cloud.google.com/solutions/automated-network-deployment-multicloud).

I can currently ping the resources on the other cloud provider by private IP. However, I would like to use DNS resolution that resolves the AWS resource DNS names to their private IPs. Can someone please help me with this? Using a DNS server policy may not be the best option for me, as it points to the alternative name server only and not to GCP's internal name servers anymore. So how can I use forwarding zones in GCP for DNS names such as database-test.c34fdgt1ascxz.us-west-1.rds.amazonaws.com so that they resolve to a private IP? The above example is for a database which I have not made public. Has someone done this already? Or does anyone have any idea on how to go about this? Any help is much appreciated, thank you so much.

Suhas Chikkanna

2 Answers


It is possible.

If your goal is to configure outbound forwarding to AWS, then you should remove this policy; you just need a Cloud DNS managed zone to accomplish this. The DNS queries that are forwarded from GCP to AWS will come from the 35.199.192.0/19 address block.

The 35.199.192.0/19 traffic can be routed over a dynamic (BGP) VPN tunnel, so you would just need to modify your AWS VPN gateway or router by adding a route to reach 35.199.192.0/19.

It looks like a public address block, but Google uses this block only for forwarding, and does not announce it on the public Internet. And finally, AWS needs to be configured so that responses to DNS queries from 35.199.192.0/19 are routed back to GCP using the VPN tunnel configured between AWS and GCP.

In other words, this traffic needs to go through the VPN tunnel. To debug it you can use Stackdriver logging and also check network captures on both endpoints.

Check these documentation guides: Creating forwarding zones and DNS forwarding.


Lozano
  • Yes, that does make sense to me. And this piece of information from your answer, "It looks like a public address block, but Google uses this block only for forwarding", is quite crucial and I didn't find it elsewhere. Thank you so much for that. – Suhas Chikkanna Aug 13 '19 at 16:15
  • Your answer includes "network captures on both endpoints". How is that set up in GCP and AWS and where do you download the captures from? – John Hanley Aug 13 '19 at 17:39
  • @john-hanley By capturing packets in the routers which deal with the VPN gateway. Also by capturing packets from a virtual machine behind them to ensure the correct resolution. It's also recommended to contact support since they have other tools to check the connectivity. – Lozano Aug 14 '19 at 11:45
  • I cannot find any "settings" that will enable capturing packets as you describe. Can you be more specific on an actual command or document link for capturing packets? – John Hanley Aug 14 '19 at 14:29
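As an added example (not from the original post or the linked guide), here is the setup Lozano describes as a Terraform fragment: a Cloud DNS private forwarding zone for the RDS domain, a Cloud Router custom advertisement so AWS learns 35.199.192.0/19 over the BGP session, and route propagation plus a security group on the AWS side so the query and its reply both traverse the VPN. The forwarding target is assumed to be a Route 53 Resolver inbound endpoint, because the VPC's built-in .2 resolver only answers queries that originate inside the VPC, so a query arriving over the VPN needs an inbound endpoint. Every network, router, subnet and VPC reference, and the endpoint addresses 10.0.1.53 and 10.0.2.53, are placeholders.

```hcl
# Added example, not code from the original post. Resource references
# (google_compute_network.gcp, aws_vpc.main, aws_subnet.private_*,
# aws_vpn_gateway.main, aws_route_table.private) and the addresses
# 10.0.1.53 / 10.0.2.53 are assumptions for illustration.

# 1. GCP: private forwarding zone. Queries from the VPC for anything under
#    us-west-1.rds.amazonaws.com go to the AWS resolver instead of the public
#    internet, sourced from 35.199.192.0/19.
resource "google_dns_managed_zone" "aws_rds" {
  name       = "aws-rds-forwarding"
  dns_name   = "us-west-1.rds.amazonaws.com."
  visibility = "private"

  private_visibility_config {
    networks {
      network_url = google_compute_network.gcp.id
    }
  }

  forwarding_config {
    target_name_servers {
      ipv4_address    = "10.0.1.53"  # Route 53 Resolver inbound endpoint, AZ a
      forwarding_path = "private"    # always route via the VPC/VPN, never the internet
    }
    target_name_servers {
      ipv4_address    = "10.0.2.53"  # second inbound endpoint address, AZ b
      forwarding_path = "private"
    }
  }
}

# 2. GCP: advertise the Cloud DNS forwarding source range to AWS over BGP in
#    addition to the VPC subnets, so AWS has a return route through the tunnel.
resource "google_compute_router" "gcp" {
  name    = "gcp-to-aws-router"
  network = google_compute_network.gcp.name
  region  = "us-west1"

  bgp {
    asn               = 65001
    advertise_mode    = "CUSTOM"
    advertised_groups = ["ALL_SUBNETS"]
    advertised_ip_ranges {
      range       = "35.199.192.0/19"
      description = "Cloud DNS forwarding source range"
    }
  }
}

# 3. AWS: let the VGW install routes learned over BGP (35.199.192.0/19 among
#    them) into the route table used by the resolver endpoint's subnets.
resource "aws_vpn_gateway_route_propagation" "from_gcp" {
  vpn_gateway_id = aws_vpn_gateway.main.id
  route_table_id = aws_route_table.private.id
}

# 4. AWS: the inbound endpoint is a set of ENIs guarded by a security group;
#    without an ingress rule for the Google range the queries are dropped.
resource "aws_security_group" "dns_inbound" {
  name   = "route53-inbound-from-gcp"
  vpc_id = aws_vpc.main.id

  ingress {
    from_port   = 53
    to_port     = 53
    protocol    = "udp"
    cidr_blocks = ["35.199.192.0/19"]
  }
  ingress {
    from_port   = 53
    to_port     = 53
    protocol    = "tcp"
    cidr_blocks = ["35.199.192.0/19"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_route53_resolver_endpoint" "inbound" {
  name               = "gcp-inbound"
  direction          = "INBOUND"
  security_group_ids = [aws_security_group.dns_inbound.id]

  ip_address {
    subnet_id = aws_subnet.private_a.id
    ip        = "10.0.1.53"
  }
  ip_address {
    subnet_id = aws_subnet.private_b.id
    ip        = "10.0.2.53"
  }
}
```

After applying, `dig database-test.c34fdgt1ascxz.us-west-1.rds.amazonaws.com` from a VM on the GCP network should return the RDS instance's VPC-private address. If it returns SERVFAIL, the two things to check first are that the AWS route table shows 35.199.192.0/19 via the virtual private gateway and that the endpoint's security group admits UDP and TCP 53 from that range; a zone that forwards to a target without a return route fails in exactly this way.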

You can't resolve AWS private IP addresses by submitting the AWS public endpoint to GCP's DNS. That just won't work.

AWS uses a service called Route 53 Resolver that will forward requests that can't be resolved internally to an external DNS server that you specify. We use this in our environments to resolve on-prem corporate IPs that are not part of Route 53. I have not tried this, but it's possible you can use that to point to GCP DNS.

Michael Quale
  • Thank you, I wanted to know, if something similar is possible from the GCP side. That is, requests that can't be resolved internally by GCP being forwarded to AWS for resolution. – Suhas Chikkanna Aug 13 '19 at 14:18
  • If that was possible you would not get the private IP addresses. You could do that with publicly exposed endpoints. – Michael Quale Aug 13 '19 at 23:56
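For the reverse direction this answer describes, AWS hosts resolving names held by GCP's internal resolver, here is an added example that is not from the original post: a Cloud DNS inbound server policy on the GCP network, and a Route 53 Resolver outbound endpoint with a forwarding rule that sends only the GCP project's internal domain to it. The inbound forwarder address (10.10.0.2 below) is allocated by Cloud DNS from the VPC's subnets when the policy is created and has to be read back afterwards with `gcloud compute addresses list --filter='purpose = "DNS_RESOLVER"'`; it, the project ID my-gcp-project, the GCP range 10.10.0.0/16 and all resource references are placeholders.

```hcl
# Added example, not code from the original post. The project ID, the GCP VPC
# range 10.10.0.0/16, the forwarder address 10.10.0.2 and all resource
# references (google_compute_network.gcp, aws_vpc.main, aws_subnet.private_*)
# are assumptions for illustration.

# 1. GCP: inbound server policy. Cloud DNS allocates a forwarder address in
#    each region from the VPC's subnets; resolvers on the other side of the VPN
#    send queries there and get answers from the VPC's internal and private zones.
resource "google_dns_policy" "inbound" {
  name                      = "allow-inbound-from-aws"
  enable_inbound_forwarding = true

  networks {
    network_url = google_compute_network.gcp.id
  }
}

# 2. AWS: outbound endpoint, the ENIs from which Route 53 Resolver sends the
#    forwarded queries. Their subnet addresses reach GCP through the VPN like
#    any other VPC traffic; the security group only needs egress on port 53.
resource "aws_security_group" "dns_outbound" {
  name   = "route53-outbound-to-gcp"
  vpc_id = aws_vpc.main.id

  egress {
    from_port   = 53
    to_port     = 53
    protocol    = "udp"
    cidr_blocks = ["10.10.0.0/16"]  # GCP VPC range
  }
  egress {
    from_port   = 53
    to_port     = 53
    protocol    = "tcp"
    cidr_blocks = ["10.10.0.0/16"]
  }
}

resource "aws_route53_resolver_endpoint" "outbound" {
  name               = "to-gcp"
  direction          = "OUTBOUND"
  security_group_ids = [aws_security_group.dns_outbound.id]

  ip_address {
    subnet_id = aws_subnet.private_a.id
  }
  ip_address {
    subnet_id = aws_subnet.private_b.id
  }
}

# 3. AWS: forwarding rule scoped to the GCP project's internal DNS suffix
#    (VM names are <vm>.c.<project-id>.internal). Do not forward the bare
#    "internal" suffix: that would also capture AWS's own *.compute.internal
#    names and break resolution inside the VPC.
resource "aws_route53_resolver_rule" "gcp_internal" {
  domain_name          = "c.my-gcp-project.internal"
  name                 = "gcp-project-internal"
  rule_type            = "FORWARD"
  resolver_endpoint_id = aws_route53_resolver_endpoint.outbound.id

  target_ip {
    ip = "10.10.0.2"  # Cloud DNS inbound forwarder address, read back after apply
  }
}

# 4. AWS: attach the rule to the VPC whose hosts should use it.
resource "aws_route53_resolver_rule_association" "gcp_internal" {
  resolver_rule_id = aws_route53_resolver_rule.gcp_internal.id
  vpc_id           = aws_vpc.main.id
}
```

As Michael Quale's comment notes, this gives AWS hosts the private addresses of GCP resources, not the other way round; the two directions are independent and each needs its own forwarding configuration and its own route over the tunnel.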