Split-view/Split-horizon DNS with AWS Managed Active Directory possible?

0

Hi all, I have a bit of a quandary I'm trying to work out. Is it possible for me to utilize split-view/split-horizon DNS in my environment given the following?

  1. Using AWS' Managed Active Directory (AD domain is corp.example.loc)
  2. Would like to use the same domain name to resolve both public and private resources across multiple AWS accounts in our AWS Organization (separate environments and resources like dev.example.com, qa.example.com, test.example.com, security.example.com, and main example.com domain).
  3. Desired domain name for use is in the Production account as both Public and Private Hosted Zones.

As an example, we have some web-based apps that internal users connect to, but today, they go out over the internet and come back in through the public IP of the ALB they sit behind. This causes poor performance for internal users. Instead, I'd like to route the internal users either directly to the private IP of the instance or, if better, an internal-facing application load balancer.

I whipped up a quick diagram that I hope helps illustrate what I'm working with. All of the accounts are connected via a Transit Gateway.


1 answer
0

I do not see why this wouldn’t work. I’d recommend though moving your VPN to a central network account and making that the central egress.

Then I would move all route53 zones to the central network account. Then share the private zones to the corresponding accounts.

I would take the internal load balancer approach, though make sure you are aware you can't use the same target groups across different load balancers. You'd have to have separate TGs for each ELB.

Expert
Answered 3 months ago
  • Hey Gary,

    Thanks for your reply. I think I understand your last point about the internal load balancer, but could you elaborate on what you mean when you say, "you can't use the same target groups across different load balancers"?

  • If you have EC2s registered in a target group, that target group can only be associated with 1 ALB. You would need to create a 2nd target group to associate the EC2s with another ALB. So you need a target group for the external ALB and another target group for the internal ALB. If using ECS, then you will need to configure the Service for 2 target groups.
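One way to lay out what the answer and the follow-up comment describe, written as an added Terraform example (it is not from the original thread and not AWS-provided code): a public and a private hosted zone with the same name owned by a central network account, the private zone shared to a spoke VPC in another account, an external and an internal ALB in the production account that each get their own target group for the same instances, and one record name that resolves to a different ALB depending on which zone answers. It assumes three provider aliases (`aws.network`, `aws.prod`, `aws.dev`) are already configured, and every VPC, subnet, instance and certificate identifier is a placeholder supplied by the reader.

```hcl
# Added example, not from the thread. Assumes provider aliases aws.network
# (owns the zones), aws.prod (runs the app and ALBs) and aws.dev (a spoke VPC
# that should see the private view). Every ID below is a placeholder.

locals {
  zone_name      = "example.com"
  network_vpc_id = "vpc-0000000000network" # placeholder
  dev_vpc_id     = "vpc-0000000000000dev"  # placeholder
  prod_vpc_id    = "vpc-000000000000prod"  # placeholder
}

variable "public_subnet_ids"  { type = list(string) }
variable "private_subnet_ids" { type = list(string) }
variable "app_instance_ids"   { type = list(string) }
variable "certificate_arn"    { type = string }

# ---- Central network account: public and private zone with the same name ----
resource "aws_route53_zone" "public" {
  provider = aws.network
  name     = local.zone_name
}

resource "aws_route53_zone" "private" {
  provider = aws.network
  name     = local.zone_name
  vpc { vpc_id = local.network_vpc_id }
  # Cross-account associations are managed by the resources below.
  lifecycle { ignore_changes = [vpc] }
}

# Share the private zone: authorize the spoke VPC from the zone owner, then
# complete the association from the spoke account.
resource "aws_route53_vpc_association_authorization" "dev" {
  provider = aws.network
  zone_id  = aws_route53_zone.private.zone_id
  vpc_id   = local.dev_vpc_id
}

resource "aws_route53_zone_association" "dev" {
  provider = aws.dev
  zone_id  = aws_route53_vpc_association_authorization.dev.zone_id
  vpc_id   = local.dev_vpc_id
}

# ---- Production account: external and internal ALB ----
resource "aws_lb" "lb" {
  for_each           = { external = false, internal = true }
  provider           = aws.prod
  name               = "app-${each.key}"
  internal           = each.value
  load_balancer_type = "application"
  subnets            = each.value ? var.private_subnet_ids : var.public_subnet_ids
}

# A target group belongs to exactly one load balancer, so the same instances
# are registered twice: one target group per ALB.
resource "aws_lb_target_group" "tg" {
  for_each = aws_lb.lb
  provider = aws.prod
  name     = "app-${each.key}"
  port     = 8080
  protocol = "HTTP"
  vpc_id   = local.prod_vpc_id
}

resource "aws_lb_target_group_attachment" "members" {
  for_each = { for pair in setproduct(keys(aws_lb.lb), var.app_instance_ids) :
               "${pair[0]}-${pair[1]}" => pair }
  provider         = aws.prod
  target_group_arn = aws_lb_target_group.tg[each.value[0]].arn
  target_id        = each.value[1]
  port             = 8080
}

resource "aws_lb_listener" "https" {
  for_each          = aws_lb.lb
  provider          = aws.prod
  load_balancer_arn = each.value.arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = var.certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.tg[each.key].arn
  }
}

# ---- Split horizon: same name, a different alias target in each zone ----
resource "aws_route53_record" "app" {
  for_each = { public = "external", private = "internal" }
  provider = aws.network
  zone_id  = each.key == "public" ? aws_route53_zone.public.zone_id : aws_route53_zone.private.zone_id
  name     = "app.${local.zone_name}"
  type     = "A"
  alias {
    name                   = aws_lb.lb[each.value].dns_name
    zone_id                = aws_lb.lb[each.value].zone_id
    evaluate_target_health = true
  }
}
```

The private zone only answers for resolvers inside VPCs that are associated with it, so every spoke VPC that should reach the internal ALB needs its own authorization/association pair like the `dev` one above; clients whose queries arrive from anywhere else get the public record and the external ALB, which is why the answer suggests landing the VPN in the central network account.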
