Setup Your Private Domain Name System in AWS

During my work, I have several times encountered the need to architect and develop internal systems which require access from specific people inside the company. In terms of visibility and security, you probably don’t want these systems to be reachable from the internet, and therefore you must find a solution.

On AWS, you have the option to create private subnets inside your VPC and access the application through a VPN. That seems like a nice solution, right? But when you want to publish the application internally, you probably don’t want to deliver it with an internal IP address such as 10.0.0.79.

In the solution offered in this post, we’ll learn how to use AWS Route 53 Private Hosted Zones alongside AWS Directory Service (Simple AD) in order to make the domain ec2.localhost resolvable for the people residing inside your VPC, with the help of the VPN connection.

Prerequisites:

  1. Make sure you’re in a region that supports Directory Service Simple AD. We’ll be creating our infrastructure in Ireland for the purposes of this guide. For a full list of regions supporting Simple AD, visit reference [3] and search for Simple AD.

VPC

  1. Create two subnets in two different availability zones. If you accidentally create both subnets in the same availability zone, you’ll have to recreate one of them, which means removing all instances in the unneeded availability zone.
    For example:
    First subnet CIDR: 10.0.0.0/24
    Second subnet CIDR: 10.0.1.0/24
  2. Create a route table and make sure you associate at least the first subnet with it, so the instances we’ll want to access are available for local access (communication between instances) and internet access (software updates, VPN).
  3. Create an Internet Gateway (IGW) and attach it to your VPC. Update the route table you created earlier with a route to the IGW you just created. You want the IGW to reach the whole internet, so your VPN server will be able to operate normally with computers anywhere in the world. For that reason, you’d probably want to specify 0.0.0.0/0 as your destination CIDR.
  4. Create a Virtual Private Gateway (VGW) and attach it to your VPC.
    Update your route table so the VGW will be able to reach all the instances inside the VPC (CIDR 10.0.0.0/8).

EC2

Route 53

  1. Create a new A record in your newly created private hosted zone. Name it whatever you want (you can leave the name empty so that ec2.localhost itself resolves). Point the A record to the IP address of the EC2 instance you created earlier.

Directory Service

  1. Take note of the DNS addresses you got from Simple AD. You’ll need to specify them on your local network adapter so you’ll have access to the private hosted zone on Route 53 that you created earlier.

VPN and DNS routing

  1. Configure your OpenVPN server. Using the configuration file /etc/openvpn/server.conf, configure the server to push a route to your VPC by uncommenting the following line: push "route 10.0.0.0 255.255.255.0". Next, you’ll need to configure the server to point DNS requests to the DNS server from the Simple AD you configured in the Directory Service step. Uncomment and edit the following line: push "redirect-gateway def1". Then define the addresses by adding push "dhcp-option DNS 10.0.x.x" twice, using the DNS addresses you noted.
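As an added example (not part of the original post), the following script checks the push lines in a server.conf for the mistakes that are easy to make in this step: it flags a push line with a missing closing quote, verifies that each subnet from the VPC section is covered by a pushed route, and confirms that the pushed DNS servers lie inside the VPC. The sample configuration and the DNS addresses 10.0.0.10 and 10.0.1.10 are constructed values, not taken from a real deployment.

```python
import ipaddress
import re

# Constructed sample of the push lines from /etc/openvpn/server.conf; the DNS
# addresses are assumed stand-ins for the ones Simple AD hands out.
SAMPLE_SERVER_CONF = """
push "route 10.0.0.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 10.0.0.10"
push "dhcp-option DNS 10.0.1.10"
"""
VPC_SUBNETS = ["10.0.0.0/24", "10.0.1.0/24"]  # the two subnets from the VPC section
PUSH_RE = re.compile(r'^push\s+"(?P<body>[^"]*)"$')


def parse_push_directives(conf_text):
    """Split push lines into well-formed quoted bodies and malformed leftovers."""
    pushes, malformed = [], []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped.startswith("push"):
            continue
        match = PUSH_RE.match(stripped)
        if match:
            pushes.append(match.group("body"))
        else:
            malformed.append(stripped)  # e.g. a missing closing quote
    return pushes, malformed


def audit_vpn_push(conf_text, vpc_subnets, expected_dns_count=2):
    """Return a list of findings; an empty list means the push lines are consistent."""
    pushes, malformed = parse_push_directives(conf_text)
    findings = [f"malformed push line: {line}" for line in malformed]
    subnets = [ipaddress.ip_network(s) for s in vpc_subnets]
    routes, dns_servers = [], []
    for body in pushes:
        parts = body.split()
        if len(parts) >= 3 and parts[0] == "route":  # OpenVPN uses dotted netmasks
            routes.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
        elif parts[:2] == ["dhcp-option", "DNS"] and len(parts) == 3:
            dns_servers.append(ipaddress.ip_address(parts[2]))
    for subnet in subnets:  # every VPC subnet must be reachable through the tunnel
        if not any(subnet.subnet_of(route) for route in routes):
            findings.append(f"subnet {subnet} is not covered by any pushed route")
    if len(dns_servers) != expected_dns_count:
        findings.append(f"expected {expected_dns_count} DNS servers, found {len(dns_servers)}")
    for server in dns_servers:  # resolvers must be the Simple AD ones inside the VPC
        if not any(server in subnet for subnet in subnets):
            findings.append(f"DNS server {server} is outside the VPC")
    return findings
```

Run against the sample, the audit reports that the second subnet (10.0.1.0/24) is not reachable through the pushed /24 route, which is the kind of gap you only notice when a host in that subnet stops resolving.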

References

Cloud Security Expert at CyberArk. https://www.cyberark.com @avishayil