Amazon Route 53
Developer Guide (API Version 2013-04-01)

Forwarding Outbound DNS Queries to Your Network

To forward DNS queries that originate on Amazon EC2 instances in one or more VPCs to your network, you create an outbound endpoint and one or more rules:

Outbound endpoint

An outbound endpoint determines the VPC that queries pass through and the IP addresses in the VPC that Resolver forwards queries to on their way to your network. You can use the same outbound endpoint for multiple VPCs in the same Region, or you can create multiple outbound endpoints. For each outbound endpoint, you need either an AWS Direct Connect connection to your network or a VPN connection.

Rules

To specify the domain names of the queries that you want to forward to DNS resolvers on your network, you create one or more rules. Each rule specifies one domain name. You then associate rules with the VPCs for which you want to forward queries to your network.

Configuring Outbound Forwarding

To configure Resolver to forward DNS queries that originate in your VPC to your network, perform the following procedures.

Important

After you create an outbound endpoint, you must create one or more rules and associate them with one or more VPCs. Rules specify the domain names of the DNS queries that you want to forward to your network.

To create an outbound endpoint

  1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/.

  2. In the navigation pane, choose Outbound endpoints.

  3. On the navigation bar, choose the Region where you want to create an outbound endpoint.

  4. Choose Create outbound endpoint.

  5. Enter the applicable values. For more information, see Values That You Specify When You Create or Edit Outbound Endpoints.

  6. Choose Create.

    Note

    Creating an outbound endpoint takes a minute or two. You can't create another outbound endpoint until the first one is created.

  7. Create one or more rules to specify the domain names of the DNS queries that you want to forward to your network. For more information, see the next procedure.

To create one or more forwarding rules, perform the following procedure.

To create forwarding rules and associate the rules with one or more VPCs

  1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/.

  2. In the navigation pane, choose Rules.

  3. On the navigation bar, choose the Region where you want to create the rule.

  4. Choose Create rule.

  5. Enter the applicable values. For more information, see Values That You Specify When You Create or Edit Rules.

  6. Choose Save.

  7. To add another rule, repeat steps 4 through 6.

Values That You Specify When You Create or Edit Outbound Endpoints

When you create or edit an outbound endpoint, you specify the following values:

Endpoint name

A friendly name that lets you easily find an outbound endpoint on the dashboard.

VPC in the region-name Region

All outbound DNS queries will flow through this VPC on the way to your network.

Security group for this endpoint

The ID of one or more security groups that you want to use to control access to this VPC. The security group that you specify must include one or more outbound rules. Outbound rules must allow TCP and UDP access on the port that you're using for DNS queries on your network.

For more information, see Security Groups for Your VPC in the Amazon VPC User Guide.

IP addresses

The IP addresses in your VPC that you want Resolver to forward DNS queries to on the way to resolvers on your network. These are not the IP addresses of the DNS resolvers on your network; you specify resolver IP addresses when you create the rules that you associate with one or more VPCs.

Important

We recommend that you specify IP addresses in at least two Availability Zones. You can optionally specify additional IP addresses in those or other Availability Zones.

For each IP address, specify the following values. Each IP address must be in an Availability Zone in the VPC that you specified in VPC in the region-name Region.

Availability Zone

The Availability Zone that you want DNS queries to pass through on the way to your network. The Availability Zone that you specify must be configured with a subnet.

Subnet

The subnet that contains the IP address that you want DNS queries to pass through on the way to your network. The subnet must have an available IP address.

Specify the subnet for an IPv4 address. IPv6 is not supported.

IP address

The IP address that you want DNS queries to pass through on the way to your network.

Choose whether you want Resolver to choose an IP address for you from among the available IP addresses in the specified subnet, or you want to specify the IP address yourself.

If you choose to specify the IP address yourself, enter an IPv4 address. IPv6 is not supported.
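The constraints above (IPv4 only, addresses in at least two Availability Zones, each address inside the chosen subnet, and security group outbound rules that allow TCP and UDP on the DNS port) are easy to get wrong and are only reported after the endpoint creation call fails or, worse, after queries silently time out. The following Python script is an added example, not AWS code, that encodes those constraints as pre-flight checks and then builds the request parameters for the Route 53 Resolver CreateResolverEndpoint API. The subnet, security group and address data is constructed sample data; in a real deployment it would be read from the VPC API, and DNS_PORT is an assumption about the port your on-premises resolvers listen on.

```python
"""Pre-flight checks for a Route 53 Resolver outbound endpoint specification (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

DNS_PORT = 53  # assumption: the port used for DNS on the on-premises network


@dataclass
class Subnet:
    subnet_id: str
    availability_zone: str
    cidr: str


@dataclass
class SecurityGroupRule:
    protocol: str      # "tcp", "udp" or "-1" (all protocols), as the VPC API reports them
    from_port: int
    to_port: int


@dataclass
class EndpointIp:
    subnet_id: str
    ip: Optional[str] = None   # None lets Resolver pick an address from the subnet


def _rule_allows(rule: SecurityGroupRule, protocol: str, port: int) -> bool:
    if rule.protocol == "-1":
        return True
    return rule.protocol == protocol and rule.from_port <= port <= rule.to_port


def validate_outbound_endpoint(ip_addresses: List[EndpointIp], subnets: List[Subnet],
                               sg_egress_rules: List[SecurityGroupRule],
                               dns_port: int = DNS_PORT) -> List[str]:
    """Return a list of problems; an empty list means the spec passes every check."""
    problems = []
    subnet_by_id = {s.subnet_id: s for s in subnets}
    zones = set()
    for entry in ip_addresses:
        subnet = subnet_by_id.get(entry.subnet_id)
        if subnet is None:
            problems.append(f"{entry.subnet_id}: subnet not found in the endpoint VPC")
            continue
        zones.add(subnet.availability_zone)
        if entry.ip is not None:
            addr = ipaddress.ip_address(entry.ip)
            if addr.version != 4:
                problems.append(f"{entry.ip}: IPv6 is not supported; specify an IPv4 address")
            elif addr not in ipaddress.ip_network(subnet.cidr):
                problems.append(f"{entry.ip}: not inside {subnet.subnet_id} ({subnet.cidr})")
    # Recommendation from the guide: addresses in at least two Availability Zones.
    if len(zones) < 2:
        problems.append("IP addresses span fewer than two Availability Zones")
    # The security group must allow both TCP and UDP to the DNS port.
    for proto in ("tcp", "udp"):
        if not any(_rule_allows(r, proto, dns_port) for r in sg_egress_rules):
            problems.append(f"security group has no outbound rule allowing {proto}/{dns_port}")
    return problems


def build_create_endpoint_request(name: str, security_group_ids: List[str],
                                  ip_addresses: List[EndpointIp], creator_request_id: str) -> dict:
    """Parameter dict in the shape of the CreateResolverEndpoint API request."""
    return {
        "CreatorRequestId": creator_request_id,
        "Name": name,
        "SecurityGroupIds": list(security_group_ids),
        "Direction": "OUTBOUND",
        "IpAddresses": [
            {"SubnetId": e.subnet_id, **({"Ip": e.ip} if e.ip else {})} for e in ip_addresses
        ],
    }


# Constructed sample data standing in for describe-subnets / describe-security-groups output.
SAMPLE_SUBNETS = [
    Subnet("subnet-aaaa1111", "us-east-1a", "10.0.1.0/24"),
    Subnet("subnet-bbbb2222", "us-east-1b", "10.0.2.0/24"),
]
SAMPLE_EGRESS = [SecurityGroupRule("tcp", 53, 53), SecurityGroupRule("udp", 53, 53)]

if __name__ == "__main__":
    good = [EndpointIp("subnet-aaaa1111", "10.0.1.10"), EndpointIp("subnet-bbbb2222")]
    bad = [EndpointIp("subnet-aaaa1111", "10.0.9.10"), EndpointIp("subnet-aaaa1111", "2001:db8::1")]
    print("good spec problems:", validate_outbound_endpoint(good, SAMPLE_SUBNETS, SAMPLE_EGRESS))
    for p in validate_outbound_endpoint(bad, SAMPLE_SUBNETS, [SecurityGroupRule("tcp", 53, 53)]):
        print("problem:", p)
    print(build_create_endpoint_request("onprem-fwd", ["sg-0123"], good, "req-001"))
```

Run the checks against the real subnet and security group data before calling the API; a passing spec can then be handed to `boto3`'s `route53resolver` client as `create_resolver_endpoint(**request)`.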

Tags

Specify one or more keys and the corresponding values. For example, you might specify Cost center for Key and specify 456 for Value.

These are the tags that AWS Billing and Cost Management provides for organizing your AWS bill. For more information about using tags for cost allocation, see Use Cost Allocation Tags for Custom Billing Reports in the AWS Billing and Cost Management User Guide.

Values That You Specify When You Create or Edit Rules

When you create or edit a forwarding rule, you specify the following values:

Rule name

A friendly name that lets you easily find a rule on the dashboard.

Rule type

When you want to forward DNS queries for a specified domain name to resolvers on your network, choose Forward.

When you have a forwarding rule to forward DNS queries for a domain to your network and you want Resolver to process queries for a subdomain of that domain, choose System.

For example, to forward DNS queries for example.com to resolvers on your network, you create a rule and specify Forward for Rule type. To then have Resolver process queries for apex.example.com, you create a rule and specify System for Rule type.

VPCs that use this rule

The VPCs that use this rule to forward DNS queries for the specified domain name or names. You can apply a rule to as many VPCs as you want.

Domain name

DNS queries for this domain name are forwarded to the IP addresses that you specify in Target IP addresses. For more information, see How Resolver Determines Whether the Domain Name in a Query Matches Any Rules.
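The Rule type and Domain name descriptions above rely on how Resolver picks a rule for a query: among the rules associated with the VPC whose domain name is the queried name or one of its parent domains, the most specific (longest) match wins, so a System rule for apex.example.com overrides a Forward rule for example.com only for that subtree. The following Python script is an added example, not AWS code, that implements that selection over constructed sample rules and also shows the edge case a naive string-suffix comparison gets wrong (notexample.com is not a subdomain of example.com). The target addresses are documentation-range sample values, and the assumption that a query matching no rule is answered by Resolver itself is stated in the code.

```python
"""Most-specific-match selection of Route 53 Resolver forwarding rules (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ForwardingRule:
    domain_name: str
    rule_type: str                       # "FORWARD" or "SYSTEM"
    target_ips: Tuple[str, ...] = ()     # on-premises resolver addresses; FORWARD rules only


def _labels(name: str) -> List[str]:
    """Split a DNS name into labels, ignoring case and a trailing dot."""
    return name.rstrip(".").lower().split(".")


def rule_matches(rule: ForwardingRule, qname: str) -> bool:
    """True if qname equals the rule's domain name or is a subdomain of it.

    Comparing whole labels (not string suffixes) is what keeps a rule for
    example.com from matching notexample.com.
    """
    r, q = _labels(rule.domain_name), _labels(qname)
    return len(q) >= len(r) and q[-len(r):] == r


def select_rule(rules: List[ForwardingRule], qname: str) -> Optional[ForwardingRule]:
    """Return the matching rule with the most labels, i.e. the most specific domain."""
    candidates = [r for r in rules if rule_matches(r, qname)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: len(_labels(r.domain_name)))


def resolve_action(rules: List[ForwardingRule], qname: str) -> Tuple[str, Tuple[str, ...]]:
    """Describe what happens to the query: ("FORWARD", targets) or ("RESOLVER", ()).

    Assumption: with no matching rule, or a SYSTEM rule, Resolver answers the
    query itself instead of forwarding it to your network.
    """
    rule = select_rule(rules, qname)
    if rule is None or rule.rule_type == "SYSTEM":
        return ("RESOLVER", ())
    return ("FORWARD", rule.target_ips)


# Constructed sample rules, mirroring the example.com / apex.example.com case in the guide.
SAMPLE_RULES = [
    ForwardingRule("example.com", "FORWARD", ("192.0.2.53", "192.0.2.54")),
    ForwardingRule("apex.example.com", "SYSTEM"),
]

if __name__ == "__main__":
    for qname in ("www.example.com", "apex.example.com", "host.apex.example.com",
                  "notexample.com", "example.org"):
        action, targets = resolve_action(SAMPLE_RULES, qname)
        print(f"{qname:28} -> {action} {targets}")
```

Queries under example.com are forwarded to the two on-premises resolvers, while anything at or under apex.example.com stays with Resolver because the longer System rule wins; names that merely end in the string "example.com" are untouched.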

Outbound endpoint

Resolver forwards DNS queries through the outbound endpoint that you specify here to the IP addresses that you specify in Target IP addresses.

Target IP addresses

When a DNS query matches the name that you specify in Domain name, the outbound endpoint forwards the query to the IP addresses that you specify here. These are typically the IP addresses for DNS resolvers on your network.

Target IP addresses is available only when the value of Rule type is Forward.

Specify IPv4 addresses. IPv6 is not supported.

Tags

Specify one or more keys and the corresponding values. For example, you might specify Cost center for Key and specify 456 for Value.

These are the tags that AWS Billing and Cost Management provides for organizing your AWS bill. For more information about using tags for cost allocation, see Use Cost Allocation Tags for Custom Billing Reports in the AWS Billing and Cost Management User Guide.