Split-view/Split-horizon DNS with AWS Managed Active Directory possible?

0

Hi all, I have a bit of a quandary I'm trying to work out. Is it possible for me to utilize split-view/split-horizon DNS in my environment given the following?

  1. Using AWS' Managed Active Directory (AD domain is corp.example.loc)
  2. Would like to use the same domain name to resolve both public and private resources across multiple AWS accounts in our AWS Organization (separate environments and resources like dev.example.com, qa.example.com, test.example.com, security.example.com, and main example.com domain).
  3. Desired domain name for use is in the Production account as both Public and Private Hosted Zones.

As an example, we have some web-based apps that internal users connect to, but today, they go out over the internet and come back in through the public IP of the ALB they sit behind. This causes poor performance for internal users. Instead, I'd like to route the internal users either directly to the private IP of the instance or, if better, an internal-facing application load balancer.

I whipped up a quick diagram that I hope helps illustrate what I'm working with. All of the accounts are connected via a Transit Gateway.


1 Answer
0

I do not see why this wouldn’t work. I’d recommend though moving your VPN to a central network account and making that the central egress.

Then I would move all route53 zones to the central network account. Then share the private zones to the corresponding accounts.

I would take the internal load balancer approach, though make sure you are aware you can't use the same target groups across different load balancers. You'd have to have separate TGs for each ELB.

answered 3 months ago
  • Hey Gary,

    Thanks for your reply. I think I understand your last point about the internal load balancer but could you elaborate what you mean when you say, "you can't use the same target groups across different load balancers" ?

  • If you have EC2s registered in a target group, that target group can only be associated with 1 ALB. You would need to create a 2nd target group to associate the EC2s to another ALB. So you need a target group for the external ALB and another target group for the internal ALB. If using ECS then you will need to configure the Service for 2 target groups.
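Added example (not code from the question or from the answer above) of the split-horizon layout the answer describes in Terraform: the private hosted zone for example.com lives in the central network account, is shared to another account's VPC through the two-step authorization/association, and answers app.example.com with an internal ALB while the public zone keeps the internet-facing record. Assumed: provider `aws` is the network account, provider alias `aws.dev` is the dev account, and the `var.*` values are placeholders for your VPC IDs and the internal ALB's DNS name and hosted zone ID.

```hcl
# Private zone with the same name as the public zone, owned by the network account.
# Domain-joined clients resolve through the Managed AD DNS servers, so those servers
# are assumed to forward example.com to the VPC resolver (configured outside this file).
resource "aws_route53_zone" "private" {
  name = "example.com"
  vpc {
    vpc_id = var.network_vpc_id  # placeholder: VPC in the network account
  }
  # Associations from other accounts are managed below, not in this block.
  lifecycle {
    ignore_changes = [vpc]
  }
}

# Step 1 (zone-owning account): authorize the dev account's VPC to associate.
resource "aws_route53_vpc_association_authorization" "dev" {
  zone_id = aws_route53_zone.private.zone_id
  vpc_id  = var.dev_vpc_id  # placeholder: VPC in the dev account
}

# Step 2 (dev account): complete the association so that VPC resolves the private view.
resource "aws_route53_zone_association" "dev" {
  provider = aws.dev
  zone_id  = aws_route53_vpc_association_authorization.dev.zone_id
  vpc_id   = aws_route53_vpc_association_authorization.dev.vpc_id
}

# Private view of app.example.com: an alias to the internal ALB (internal = true,
# private subnets, security group limited to internal CIDRs). The public zone's
# app.example.com record, pointing at the internet-facing ALB, is unchanged and not shown.
resource "aws_route53_record" "app_private" {
  zone_id = aws_route53_zone.private.zone_id
  name    = "app.example.com"
  type    = "A"
  alias {
    name                   = var.internal_alb_dns_name  # placeholder
    zone_id                = var.internal_alb_zone_id   # placeholder: ALB's hosted zone ID
    evaluate_target_health = true
  }
}
```

The internal ALB needs its own target group, as the answer notes; only the external ALB's target group can remain on the external ALB.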
