In this article, we will explore effective Domain Name System (DNS) migration strategies for transitioning your applications to Amazon VPC Lattice through a phased approach. These strategies help minimize downtime, lower overhead, and ensure consistent DNS resolution for your applications and clients on AWS.
VPC Lattice is a fully managed, end-to-end application networking service designed to modernize applications and enhance network connectivity on AWS. It simplifies the onboarding process for developers by eliminating the need for custom application code or proxies alongside each workload, while also providing network administrators with the tools they need to secure and audit their environments. Seamless integration of VPC Lattice into existing AWS environments is crucial for taking advantage of its features without disrupting production. VPC Lattice utilizes DNS for service discovery, allowing each service to be identified by its service-managed or custom DNS name.
To migrate an existing service to VPC Lattice, you must update your DNS records so that clients resolve the service name to the IP addresses that VPC Lattice serves. This article covers DNS migration strategies for two common ways of managing DNS: Amazon Route 53 public hosted zones and Route 53 private hosted zones.
Prerequisites
We assume that you’re familiar with the fundamental concepts of VPC Lattice, as well as services like Amazon Virtual Private Clouds (Amazon VPCs), route tables, Route 53 Resolver, and both public and private hosted zones in Route 53. You can find detailed guidance on setting up VPC Lattice in multi-account and multi-VPC environments in this Amazon networking post and VPC Lattice documentation.
Before diving into the migration scenarios, let’s discuss how VPC Lattice utilizes DNS for service discovery.
VPC Lattice DNS
When you create a VPC Lattice service, it generates a unique Fully Qualified Domain Name (FQDN) of the form "service_name-service_id.partition_id.vpc-lattice-svcs.region.on.aws". Each generated name is globally unique and publicly resolvable, but it resolves to IPv4 and IPv6 link-local addresses (169.254.171.0/24 and fd00:ec2:80::/64) that are only reachable from clients in VPCs associated with the VPC Lattice service network; a client elsewhere can resolve the name but cannot reach the address. Applications, however, usually prefer more intuitive custom DNS names, such as "service123.example.com".
VPC Lattice also allows you to set a custom domain name for your service when you create it. For clients in a VPC to resolve that custom name, you must create an Alias or CNAME record that points the custom domain at the VPC Lattice generated FQDN. When a client in the VPC queries the custom name, the VPC's Route 53 Resolver follows the record recursively and returns a VPC Lattice IP address. VPC Lattice then makes its routing decision from the HTTP Host header or, for TLS, the Server Name Indication (SNI) in the ClientHello, and forwards the request to the target group of the matching service. This is why the custom domain name configured on the service must match the name clients actually use; a request for a name VPC Lattice does not know about is not routed.
Baseline Architecture
The baseline architecture consists of three Amazon VPCs, A, B, and C, each with its own Route 53 Resolver. VPCs B and C are interconnected through an AWS Transit Gateway. VPC A hosts an application called "Foo," fronted by an internet-facing Application Load Balancer (ALB) named "public-ALB-foo." VPC C hosts a service called "Bar," fronted by an internal ALB named "private-ALB-bar." In VPCs B and C we deployed "Client-1" and "Client-2" respectively to test connectivity. This article demonstrates how to adopt VPC Lattice without disrupting connectivity between these test clients and the services.
We focus on two scenarios: DNS managed in Route 53 public hosted zones and DNS managed in Route 53 private hosted zones. For each scenario we review two migration options to VPC Lattice: per-VPC per-domain and per-VPC per-service.
Migrating to VPC Lattice Services Using DNS Managed in Route 53 Public Hosted Zones
Assuming the DNS setup depicted, DNS is managed in a public hosted zone named example.com. The zone contains two records: foo.example.com, an Alias to the "public-ALB-foo" FQDN, and bar.example.com, an Alias to the "private-ALB-bar" FQDN. Clients on the internet resolve foo.example.com to the public ALB's IP addresses (bar.example.com resolves to the internal ALB's private addresses, which are not reachable from the internet), while VPC-based clients resolve both records through their VPC's Route 53 Resolver.
We aim to make Foo accessible in VPC Lattice for Client-1 without affecting Client-2, internet clients, or other clients in different VPCs. Below, we outline the step-by-step configuration.
Pre-Configuration Steps
Begin by creating a VPC Lattice service network for your clients and services. Repeat the following pre-configuration steps for each VPC and service you want to migrate; none of them changes an existing traffic flow.
- Create the Foo VPC Lattice service with the custom domain name "foo.example.com" and associate it with the service network. VPC Lattice assigns the service a generated FQDN, managed in a public hosted zone that VPC Lattice owns.
- Associate VPC B with the VPC Lattice service network. At this point Client-1 can already reach Foo through the generated VPC Lattice FQDN, but foo.example.com still resolves to the ALB.
Changing what Client-1 resolves by editing the foo.example.com record in the public hosted zone would also change the answer for internet clients and Client-2, disrupting their traffic. Instead, we need a separate DNS view for the clients that are moving to VPC Lattice. There are two ways to achieve this:
1. Per-VPC per-Domain Migration Using a Private Hosted Zone
Create a private hosted zone for the domain name "example.com." Because a private hosted zone with the same name as a public zone gives split-horizon resolution, you control how the VPCs associated with it resolve example.com without touching public resolution. The private hosted zone must contain a copy of every record from the public hosted zone (apart from the apex NS and SOA records, which Route 53 creates for the private zone itself): once a VPC is associated, its Route 53 Resolver answers all queries under example.com from the private zone, so any name you forget to copy becomes unresolvable for that VPC. The VPC also needs the enableDnsHostnames and enableDnsSupport attributes enabled for private hosted zones to take effect.
In the private hosted zone, replace the record for "foo.example.com" so that it points at the VPC Lattice service FQDN (Alias or CNAME) instead of "public-ALB-foo"; keep the TTL short so that pointing it back at the ALB takes effect quickly if you need to roll back. Before associating the zone with anything, validate that Client-1 can reach Foo directly by its VPC Lattice FQDN, which confirms that security groups, network ACLs, and the VPC Lattice auth policy allow the traffic. Only after connectivity is confirmed, associate the private hosted zone with VPC B. From then on, whenever Client-1 resolves any name in the "example.com" zone, its Route 53 Resolver uses the private hosted zone, while Client-2 and internet clients continue to receive the public answers.
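The two things a practitioner most wants to get right in this step are that the private hosted zone really contains everything from the public zone except the migrated name, and that a client's answers really come from VPC Lattice before the zone is associated. The script below, an added example that is not part of the original post or of AWS tooling, builds the Route 53 change batch for the per-VPC per-domain migration from a (constructed) listing of the public zone's records, rewriting only the migrated names as CNAMEs to the VPC Lattice FQDN, and classifies resolved addresses using the VPC Lattice link-local ranges described in the VPC Lattice DNS section. The zone name, hosted zone IDs, ALB names and Lattice FQDN are all constructed placeholders.

```python
"""Per-VPC per-domain migration helpers for VPC Lattice (added example).

Zone names, record sets, hosted zone IDs and the Lattice FQDN below are
constructed for illustration; replace them with your own.
"""
import ipaddress
import json
import socket

# VPC Lattice answers with link-local addresses from these ranges; an
# answer outside them did not come from VPC Lattice (e.g. it is the ALB).
LATTICE_V4 = ipaddress.ip_network("169.254.171.0/24")
LATTICE_V6 = ipaddress.ip_network("fd00:ec2:80::/64")

# Constructed: what VPC Lattice might assign to the Foo service.
LATTICE_FQDN = "foo-0123456789abcdef0.7d67968.vpc-lattice-svcs.us-east-1.on.aws"

# Constructed: list_resource_record_sets output for the public zone.
PUBLIC_RECORDS = [
    {"Name": "example.com.", "Type": "NS", "TTL": 172800,
     "ResourceRecords": [{"Value": "ns-1.awsdns-00.org."}]},
    {"Name": "example.com.", "Type": "SOA", "TTL": 900,
     "ResourceRecords": [{"Value": "ns-1.awsdns-00.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400"}]},
    {"Name": "foo.example.com.", "Type": "A",
     "AliasTarget": {"HostedZoneId": "Z0000000000EXAMPLE",
                     "DNSName": "public-alb-foo-123456789.us-east-1.elb.amazonaws.com.",
                     "EvaluateTargetHealth": False}},
    {"Name": "bar.example.com.", "Type": "A",
     "AliasTarget": {"HostedZoneId": "Z0000000000EXAMPLE",
                     "DNSName": "internal-private-alb-bar-987654321.us-east-1.elb.amazonaws.com.",
                     "EvaluateTargetHealth": False}},
]


def is_lattice_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return ip in LATTICE_V4 or ip in LATTICE_V6


def classify_answers(addrs):
    """'lattice' if every answer is a Lattice address, 'other' if none is,
    'mixed' otherwise (mixed usually means a record was only half updated)."""
    flags = [is_lattice_address(a) for a in addrs]
    if all(flags):
        return "lattice"
    if not any(flags):
        return "other"
    return "mixed"


def resolve(name: str):
    """Network call: run this on Client-1 to see which DNS view it gets."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, 443)})


def build_private_zone_changes(zone_name, public_records, migrated, ttl=60):
    """Return a Route 53 ChangeBatch that copies every public record into
    the private zone, except the apex NS/SOA (Route 53 creates those) and
    the names in `migrated`, which become short-TTL CNAMEs to their
    VPC Lattice FQDN. Copying everything else matters: after association,
    the public zone is no longer consulted for any name under zone_name."""
    apex = zone_name.rstrip(".") + "."
    wanted = {n.rstrip(".") + ".": fqdn for n, fqdn in migrated.items()}
    seen = set()
    changes = []
    for rrset in public_records:
        name = rrset["Name"]
        if name == apex and rrset["Type"] in ("NS", "SOA"):
            continue
        if name in wanted:
            seen.add(name)
            rrset = {"Name": name, "Type": "CNAME", "TTL": ttl,
                     "ResourceRecords": [{"Value": wanted[name]}]}
        changes.append({"Action": "UPSERT", "ResourceRecordSet": rrset})
    missing = set(wanted) - seen
    if missing:  # refuse to migrate a name the public zone does not serve
        raise ValueError(f"not present in public zone: {sorted(missing)}")
    return {"Comment": "per-VPC per-domain migration to VPC Lattice",
            "Changes": changes}


if __name__ == "__main__":
    batch = build_private_zone_changes("example.com", PUBLIC_RECORDS,
                                       {"foo.example.com": LATTICE_FQDN})
    print(json.dumps(batch, indent=2))
    # Apply with: boto3.client("route53").change_resource_record_sets(
    #     HostedZoneId=PRIVATE_ZONE_ID, ChangeBatch=batch)
    # then, from Client-1, check resolve("foo.example.com") classifies
    # as "lattice" before you associate the zone with any other VPC.
```

The builder refuses a migrated name that does not exist in the public zone, since that would silently create a record visible only from VPC B. Run `classify_answers(resolve("foo.example.com"))` from Client-1 after the association and from Client-2 before and after: the former should report "lattice", the latter "other" both times.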