How do I resolve a Route 53 private hosted zone over a VPN using AWS Directory Service?


I have an Amazon Route 53 private hosted zone, and I want to access it over a VPN using AWS Directory Service.

Short Description

Route 53 private hosted zone name servers respond to queries only from AWS DNS servers. To directly resolve private zones from your on-premises infrastructure, use Simple Active Directory (Simple AD). Use a Simple AD directory to forward the DNS requests from your VPC to the IP address of AWS DNS servers.

These DNS servers resolve the names configured in your Amazon Route 53 private hosted zones. To resolve DNS requests for the private hosted zone of your choice, point your on-premises DNS resolver at your Simple AD DNS addresses.

Note: Simple AD is supported in the following AWS Regions:

  • US East (N. Virginia)
  • US West (Oregon)
  • Asia Pacific (Singapore)
  • Asia Pacific (Sydney)
  • Asia Pacific (Tokyo)
  • EU (Ireland)

If Simple AD isn't available in your Region, then you can use AWS Managed Microsoft AD to provide the same DNS resolution. For more information, see How to set up DNS resolution between on-premises networks and AWS using AWS Directory Service and Microsoft Active Directory.
Create a new Simple AD

  1. Sign in to the AWS Directory Service console, and then choose Set up directory.
  2. Choose Simple AD, and then choose Next.
  3. For Directory size, choose Small or Large.
  4. For Directory DNS name, enter a domain name.
    Note: Confirm that the domain name is different from your private hosted zone and Route 53 domain name. If the Route 53 and Simple AD domain names are the same, Simple AD can't forward the request to the private hosted zone. Simple AD also can't forward the request if the Route 53 domain is a subdomain of the Simple AD domain.
  5. For Administrator password and Confirm password, enter a password, and then choose Next.
  6. For VPC, add the VPC associated with the private hosted zone, and then choose Next. Then, choose Create directory.
  7. When the Status of your new directory is Active, choose the Directory ID. Then, note the DNS addresses under Directory details. Use these IP addresses to configure your local DNS resolver.

Directory Service creates a security group on your behalf for the Simple AD controllers.

Confirm that security groups allow traffic

To confirm that the correct security group allows traffic from your on-premises IP addresses, complete the following steps:

  1. Sign in to the Amazon EC2 console, and then choose Security Groups.
  2. Find the security group named directoryID_controllers, where the directoryID is the directory ID for your Simple AD.
  3. Open the security group, and then edit the inbound traffic rules to allow TCP/UDP traffic on port 53 from your on-premises CIDR.

Confirm that the route table on the VPC has proper entries for your on-premises virtual gateway.

When configuration is complete, you can point your VPC at the Simple AD by editing the DHCP options set: set the Simple AD DNS addresses as the DNS servers in the DHCP options set. For on-premises clients, you can also set up a forwarder or a conditional forwarder for the private hosted zone on your local DNS server that points to the Simple AD DNS addresses.
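The following is an added example, not part of the AWS article, of the on-premises conditional forwarder step with BIND9 as the local DNS server. It also applies the naming rule from step 4 (the hosted zone must not equal the Simple AD domain or be a subdomain of it) before it emits the stanza. The zone name corp.example, the Simple AD domain ad.example, and the DNS addresses 10.0.0.10 and 10.0.1.10 are assumed values.

```shell
#!/bin/sh
# Added example (not from the AWS article). Builds a BIND9 conditional
# forwarder stanza for a Route 53 private hosted zone that forwards to the
# Simple AD DNS addresses noted in step 7. All names and IPs are assumed.

# Normalise a DNS name: lowercase and drop any trailing dot.
norm_name() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Return 0 (true) if $1 equals $2 or is a subdomain of $2.
# This is the step 4 constraint: Simple AD cannot forward such a zone.
same_or_subdomain() {
  z=$(norm_name "$1"); d=$(norm_name "$2")
  [ "$z" = "$d" ] && return 0
  case "$z" in
    *."$d") return 0 ;;
  esac
  return 1
}

# Print a BIND9 "type forward" zone stanza for the private hosted zone.
# Usage: bind_forward_zone <hosted zone> <simple ad domain> <dns ip>...
# Fails (exit 1) when the hosted zone violates the naming rule.
bind_forward_zone() {
  zone=$1; ad_domain=$2; shift 2
  if same_or_subdomain "$zone" "$ad_domain"; then
    echo "error: $zone must not equal or be a subdomain of $ad_domain" >&2
    return 1
  fi
  ips=""
  for ip in "$@"; do ips="$ips $ip;"; done
  printf 'zone "%s" {\n  type forward;\n  forward only;\n  forwarders {%s };\n};\n' "$zone" "$ips"
}

# From an on-premises host, query one Simple AD DNS address directly to
# confirm that port 53 is reachable and the record resolves (needs dig).
check_resolution() {
  dig +short @"$2" "$1"
}

# Emit the stanza for the assumed zone; paste it into named.conf.local.
bind_forward_zone corp.example ad.example 10.0.0.10 10.0.1.10
```

If `check_resolution db.corp.example 10.0.0.10` times out, revisit the directoryID_controllers security group rules and the VPC route table entries for your on-premises gateway.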

Related information

What is AWS Directory Service?

AWS Managed Microsoft AD

Getting started with AWS Managed Microsoft AD

AWS OFFICIAL. Updated a year ago.