Private Hosted Zone pointing to public ALB

0

Hello,

I'm exploring DNS configuration within AWS and have a specific question regarding DNS resolution behavior in a private hosted zone. Is it possible to create a CNAME record within a private hosted zone that points to a public Application Load Balancer (ALB), such that DNS queries to this CNAME record resolve to the ALB's private IP addresses instead of its public IP addresses? My current understanding is that querying a public ALB's DNS name typically resolves to its public IP addresses, even when the query originates from within the same VPC.

Thank you for your assistance.

2 Answers
2
Accepted Answer

Hello.

In the case of a public ALB, even if you create a CNAME record in a private hosted zone, the name will be resolved to the public IP address.
I tried it with my AWS account, and you can check it as follows.

# ALB DNS name
dig test-25675857.ap-northeast-1.elb.amazonaws.com

; <<>> DiG 9.18.28 <<>> test-25675857.ap-northeast-1.elb.amazonaws.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31239
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test-25675857.ap-northeast-1.elb.amazonaws.com.        IN A

;; ANSWER SECTION:
test-25675857.ap-northeast-1.elb.amazonaws.com. 60 IN A 52.68.6.50

;; Query time: 0 msec
;; SERVER: 172.31.0.2#53(172.31.0.2) (UDP)
;; WHEN: Tue Sep 17 11:17:16 UTC 2024
;; MSG SIZE  rcvd: 91

# Alias ​​record created in private hosted zone
dig testkobayashi.com

; <<>> DiG 9.18.28 <<>> testkobayashi.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25020
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;testkobayashi.com.             IN      A

;; ANSWER SECTION:
testkobayashi.com.      60      IN      A       52.68.6.50

;; Query time: 0 msec
;; SERVER: 172.31.0.2#53(172.31.0.2) (UDP)
;; WHEN: Tue Sep 17 11:17:40 UTC 2024
;; MSG SIZE  rcvd: 62

# CNAME record created in private hosted zone
dig test.testkobayashi.com

; <<>> DiG 9.18.28 <<>> test.testkobayashi.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 880
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.testkobayashi.com.                IN      A

;; ANSWER SECTION:
test.testkobayashi.com. 300     IN      CNAME   test-25675857.ap-northeast-1.elb.amazonaws.com.
test-25675857.ap-northeast-1.elb.amazonaws.com. 60 IN A 52.68.6.50

;; Query time: 0 msec
;; SERVER: 172.31.0.2#53(172.31.0.2) (UDP)
;; WHEN: Tue Sep 17 11:18:44 UTC 2024
;; MSG SIZE  rcvd: 124
profile picture
EXPERT
answered a month ago
profile picture
EXPERT
reviewed a month ago
profile picture
EXPERT
reviewed a month ago
  • Is there a way of redirecting the petitions originated from within the VPC, for instance to abc.com, to the public ALB without traversing the internet?

  • Public ALBs are resolved to public IP addresses, so communication using private IP addresses is not possible. If you want to access a public ALB from a VPC, you need to enable communication by going through a NAT Gateway or attaching a public IP address to EC2. By the way, strictly speaking, communication between AWS services is not carried out over the Internet, but within a network managed by AWS called the AWS Private Network. https://aws.amazon.com/vpc/faqs/?nc1=h_ls

    Does traffic go over the internet when two instances communicate using public IP addresses, or when instances communicate with a public AWS service endpoint? No. When using public IP addresses, all communication between instances and services hosted in AWS use AWS's private network. Packets that originate from the AWS network with a destination on the AWS network stay on the AWS global network, except traffic to or from AWS China Regions.

  • Thanks for the explanation! Here's another doubt:

    If you connect to your VPC using a VPN endpoint, and then ask for resolution of abc.com to Route53, it would return always the public IP of the ALB. Wouldn't the ALB be directly accessible if the security group of the ALB has an inbound rule for the SG of the VPN endpoint? I remember having problems to connect when I was using the VPN endpoint, returning the public IP of the ALB.

  • I've tried connectivity to the public ALB using the VPN endpoint, security group's are well configured. Nevertheless, there's no connection to the ALB. Is there any explanation of why?

  • In the case of communication using a public IP address, connection will not be possible even if the security group is allowed in the security group's inbound rules. In other words, to access a public ALB that returns a public IP address, you need to go through a NAT Gateway, etc. https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html#security-group-referencing

    When you specify a security group as the source or destination for a rule, the rule affects all instances that are associated with the security groups. The instances can communicate in the specified direction, using the private IP addresses of the instances, over the specified protocol and port.

0

Adding to the extended discussion, the reason you can't connect to any of the public IPs that appear to be inside your VPC is that they aren't actually inside the VPC. Instead, traffic to a public IP address is translated when, and only when, a packet sent to one passes through an Internet Gateway (IGW) attached to the VPC hosting the elastic network interface (ENI) to which the public IP address is attached.

For inbound traffic from the internet (including traffic from other AWS resources in the same region reaching out to your IGW through their own IGWs), incoming connections have their destination IP translated to the primary private IP address of the ENI to which the public IP belongs.

For outbound traffic, connections to the other side of the IGW have the source IPs belonging to the ENI to which the public IP belongs translated to the public IP.

This is documented in this article: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-igw-internet-access.html#ip-addresses-and-nat

Traffic inside a VPC doesn't pass through its attached IGW in either direction. Routing traffic through a NAT gateway is possible, but it only translates the source IP address of the connection, not the public IP that is the destination. There are complex workarounds, such as using multiple VPCs and possibly attaching some of the EC2 instances to both VPCs, but they tend to get complicated and may involve overlapping costs.

Usually, the simplest solution is to set up a separate internal ALB inside the same VPC and configure it otherwise identically. Then create a private hosted zone (PHZ) in Route 53 for the public name (not the entire parent domain, only the public hostname of the ALB) and attach it to the VPC. Create an alias A record with an empty name (because the zone name is the same as the ALB's name) and point it to the internal ALB. This way, when the name of the ALB is queried from inside the VPC, the attached PHZ will return the private IPs of the internal ALB and not the public one.

If having a second ALB is problematic, perhaps because of an automation or IaC construct that only supports associating target resources with one ALB target group at a time, another alternative is to create an internal-only Network Load Balancer (NLB) that uses the target group type of ALB to point to the public ALB. The principle with the PHZ is the same, now just pointed to the internal NLB instead of a second ALB. The immediate benefit is that the ALB-level configuration of listener rules, certificates, logging, etc. is only configured once on the public ALB, and the NLB only passes through the raw TCP connections from internal users to the ALB, without knowing or caring about any specifics, such as TLS certificates or URL paths. In some cases, some of the other added features of an NLB may provide added value, such as the NLB's IP addresses remaining static, as opposed to an ALB's IPs changing at arbitrary intervals, and the NLB being possible to publish as a VPC endpoint service to share with other VPCs and accounts.

Whether the second load balancer is an ALB or NLB, the PHZ will have no effect on name resolution for DNS queries from outside the VPC with which the PHZ is associated. External users will continue to have the DNS name resolve to the public IPs of the existing ALB.

Note that for the public ALB, if you're using a public Route 53 hosted zone for your public DNS, you shouldn't use a CNAME record. You should instead create an A type (for IPv4) or AAAA (for IPv6) alias record and configure the destination as the DNS name of the ALB in the appropriate region. The difference is that Route 53 will not charge you for queries for alias records pointing to AWS resources, while the intermediate CNAME queries are chargeable. The additional CNAME query will also incur an additional round-trip by users connecting to the ALB, reducing performance. Finally, the CNAME will expose the native, immutable name of your ALB, which will allow malicious or suspect actors on the internet to track your resources by their native IDs, while an alias record only returns the constantly changing, ephemeral public IPs of an ALB that looks like every other.

Alias records for Route 53 are discussed in more detail in this documentation article: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html

EXPERT
Leo K
answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions