Hey all,
We have a vendor which requires us to use a VPCE svc (so, we create a VPC i/f endpoint) to reach their service. We enable private DNS on the i/f endpoint, and as expected, `svc.my.vendor.com` pops up on the connection shortly thereafter. We then add an inbound resolver endpoint into our central networking account, point to it with a conditional forwarding zone from our on-prem DNS for `*.my.vendor.com`, then RAM share the i/f endpoint out to the customer account. All is well with this approach, but as more and more vendors are giving us VPCE svcs to connect to, we fear the cost of all of these ENIs we have to provision (2 for the i/f endpoint, and 2 for the inbound resolver endpoint).
From what I have read, with an AWS service (but I've not been able to find any guidance yet on PrivateLink partners/vendors), we should be able to disable private DNS on an i/f endpoint and create a PHZ stub zone of, say, `.our.internal.domain` which has a wildcard record ALIAS'd to `*.my.vendor.com`, so that we can have some internal consistency in our naming. What's more, we can then use our shared inbound resolver endpoint instead of creating one for each vendor which asks us to use VPCE. This way, we only take 2 ENIs on the chin for the i/f endpoint itself. Additionally, our on-prem DNS team do not have to do extra work with new conditional forwarding zones, as adding another subdomain on an existing forwarding rule is almost a NOOP. However, as briefly mentioned in parentheses above, I've found this guidance only in the context of AWS services. Before going down the rabbit hole of trying to prove this out, I wanted to field some opinions.
Put another way:
- Original private DNS name on the i/f endpoint: `svc.my.vendor.com`
- We want to use our already-existing attached/associated PHZ so that we can hit `svc.our.internal.domain` and have it be forwarded by our on-prem DNS through the shared inbound rslvr endpoint, and then "route" to the VPCE i/f endpoint which hitherto has been known as `svc.my.vendor.com` (but now probably isn't, due to it having private DNS disabled in order to make this solution possible..?)
Any ideas welcome,
Thanks!
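A concrete shape for the "private DNS off, friendly name in our own PHZ" variant described in the post above, written as an added Terraform example; it is not from the original post or any reply. Every ID, the vendor service name and the zone name are placeholders. One point worth noting: a Route 53 alias record can only target an AWS resource's DNS name, so the alias here points at the endpoint's own regional DNS entry (the `vpce-...vpce.amazonaws.com` name AWS assigns), not at a `*.my.vendor.com` name, which no longer resolves to the endpoint once private DNS is disabled.

```hcl
# Added example, not code from the original post. All IDs, names and the
# vendor service name are placeholders; substitute your own.

variable "vendor_service_name" {
  description = "PrivateLink service name handed to you by the vendor (placeholder)"
  type        = string
  default     = "com.amazonaws.vpce.eu-west-1.vpce-svc-0123456789abcdef0"
}

# Interface endpoint to the vendor's PrivateLink service. Private DNS is
# switched off, so the only ENIs created are the endpoint's own (one per
# subnet) and AWS does not create a vendor-specific PHZ in the VPC.
resource "aws_vpc_endpoint" "vendor" {
  vpc_id              = "vpc-0123456789abcdef0"                              # placeholder
  service_name        = var.vendor_service_name
  vpc_endpoint_type   = "Interface"
  subnet_ids          = ["subnet-0123456789abcdef0", "subnet-0fedcba987654321"] # placeholders: two AZs, two ENIs
  security_group_ids  = ["sg-0123456789abcdef0"]                              # placeholder
  private_dns_enabled = false
}

# The already-existing, shared private hosted zone, referenced by ID rather
# than created here. It must be associated with the VPC that hosts the shared
# inbound resolver endpoint, or queries arriving there will not see the record.
data "aws_route53_zone" "internal" {
  zone_id = "Z0123456789ABCDEFGHIJ" # placeholder
}

# Friendly internal name aliased to the endpoint's regional DNS name.
# dns_entry[0] is the regional (non-zonal) entry, which the API lists first;
# Route 53 needs both that name and the hosted zone ID AWS publishes it from.
resource "aws_route53_record" "vendor_alias" {
  zone_id = data.aws_route53_zone.internal.zone_id
  name    = "svc.${data.aws_route53_zone.internal.name}"
  type    = "A"

  alias {
    name                   = aws_vpc_endpoint.vendor.dns_entry[0].dns_name
    zone_id                = aws_vpc_endpoint.vendor.dns_entry[0].hosted_zone_id
    evaluate_target_health = false
  }
}
```

After `terraform apply`, a `dig svc.our.internal.domain` from an on-prem host should return the endpoint ENIs' private IPs via the existing forwarding rule and the shared inbound resolver endpoint. Two things to prove out before relying on this: if the PHZ lives in a different account from the VPC hosting the inbound resolver endpoint, the association needs a cross-account authorization (`create-vpc-association-authorization` on the zone owner's side) before the association succeeds; and the vendor's TLS certificate is almost certainly issued for `svc.my.vendor.com`, so a client connecting to `svc.our.internal.domain` will fail hostname validation unless it is configured to send the vendor name as the SNI/verified host, which is a per-client setting rather than something DNS can fix.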
Thanks Steve, helpful stuff. The linked James Devine article added the additional colour I needed on top of your quality post. Cheers.