Amazon DNS server and VPC Primary CIDR block


In the documentation[1][2] it says "For VPCs with multiple CIDR blocks, the IP address of the DNS server is located in the primary CIDR."

I had planned out a network topology, but when I read that sentence it now has me wondering if I need to treat that first subnet in the primary CIDR block differently than any other subnet.

I'm trying to understand what that means in relation to the IP address at the network base+2 that's reserved for the AWS DNS server on each subnet. As I understand it, a Subnet can have only one IPv4 CIDR block, so does this mean that if a Subnet is given a CIDR block from a non-primary VPC CIDR then while the network base+2 address is reserved for AWS DNS, there won't be anything there?

Another possible way I can interpret that statement is that if I allocate 10.32.0.0/16 to a VPC, and then create only one Subnet with CIDR 10.32.16.0/20 that there might be issues with AWS DNS because there's no subnet containing 10.32.0.2? Or that there might be issues if there was a network containing that IP but access to it from some other subnets is blocked by ACL?

1 Answer
Accepted Answer

Your subnet design is independent of AWS VPC DNS; see the statement below:

The Amazon DNS server does not reside within a specific subnet or Availability Zone in a VPC. It's located at the address 169.254.169.253 (and the reserved IP address at the base of the VPC IPv4 network range, plus two) and fd00:ec2::253. For example, the Amazon DNS Server on a 10.0.0.0/16 network is located at 10.0.0.2. For VPCs with multiple IPv4 CIDR blocks, the DNS server IP address is located in the primary CIDR block.

Reference: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html

AWS EXPERT, answered a year ago
  • Just mentioning for clarity that this does mean that the subnet containing VPC Primary CIDR base+2 is special, and this should be taken into account with network design.

    For example, with the topology shown at https://aws-quickstart.github.io/quickstart-aws-vpc/ the VPC is 10.0.0.0/16, so the DNS server will use the IP 10.0.0.2, which is located within "Availability Zone 1" / "Private subnet A". If there were ACLs that prevented any of the other subnets from communicating with that subnet then systems on those subnets could only use the 169.254.169.253 IP for the AWS DNS service.
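A worked example, added here and not taken from the thread or from AWS, that encodes the rule quoted in the accepted answer: the resolver is reachable at 169.254.169.253 and at primary-CIDR base + 2, while every subnet (primary or secondary block) still has its own base + 2 held back as a reserved address. The VPC blocks and subnet names below are constructed for the illustration; the per-subnet reserved addresses (network, VPC router, DNS, future use, broadcast) and the /16 to /28 size limit are as documented in the VPC user guide.

```python
"""Where the Amazon DNS resolver sits relative to a VPC's CIDR blocks.

Constructed example (not code from the re:Post thread or from AWS).
All VPC CIDRs and subnet names are made up for the illustration.
"""
from ipaddress import IPv4Address, ip_network

# Link-local address of the resolver, reachable from every subnet regardless
# of which VPC block the subnet was carved from.
LINK_LOCAL_DNS = IPv4Address("169.254.169.253")


def amazon_dns_address(vpc_cidrs):
    """Return primary-CIDR base + 2.

    vpc_cidrs[0] must be the primary block (the one the VPC was created
    with); secondary blocks never host the resolver address.
    """
    if not vpc_cidrs:
        raise ValueError("a VPC has at least one IPv4 CIDR block")
    primary = ip_network(vpc_cidrs[0], strict=True)
    return primary.network_address + 2


def reserved_addresses(subnet_cidr):
    """The five addresses AWS reserves in every IPv4 subnet, labelled."""
    net = ip_network(subnet_cidr, strict=True)  # strict: host bits must be 0
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{net}: subnets must be between /16 and /28")
    base = net.network_address
    return {
        "network": base,
        "vpc_router": base + 1,
        "dns": base + 2,  # reserved in every subnet, resolver only in primary
        "future_use": base + 3,
        "broadcast": net.broadcast_address,
    }


def describe_subnet(vpc_cidrs, subnet_cidr):
    """Classify one subnet: which VPC block it came from, whether that block
    is the primary, and whether primary base + 2 actually lies inside it."""
    net = ip_network(subnet_cidr, strict=True)
    parent = None
    for index, cidr in enumerate(vpc_cidrs):
        block = ip_network(cidr, strict=True)
        if net.subnet_of(block):
            parent = (index, block)
            break
    if parent is None:
        raise ValueError(f"{net} is not inside any CIDR block of this VPC")
    index, block = parent
    return {
        "subnet": net,
        "vpc_block": block,
        "in_primary_block": index == 0,
        "reserved": reserved_addresses(str(net)),
        "contains_dns_resolver": amazon_dns_address(vpc_cidrs) in net,
    }


def subnet_hosting_dns(vpc_cidrs, subnets):
    """Return (name, network) of the subnet containing primary base + 2,
    or None when no subnet has been carved out over that address (the
    questioner's 10.32.16.0/20-only case)."""
    dns = amazon_dns_address(vpc_cidrs)
    for name, cidr in subnets.items():
        net = ip_network(cidr, strict=True)
        if dns in net:
            return name, net
    return None


if __name__ == "__main__":
    # Constructed VPC: primary block first, then one secondary block.
    vpc = ["10.32.0.0/16", "10.33.0.0/16"]
    subnets = {"app-a": "10.32.16.0/20", "app-b": "10.33.0.0/20"}
    print("resolver:", amazon_dns_address(vpc), "and", LINK_LOCAL_DNS)
    for name, cidr in subnets.items():
        info = describe_subnet(vpc, cidr)
        print(name, info["vpc_block"],
              "primary" if info["in_primary_block"] else "secondary",
              "reserved +2:", info["reserved"]["dns"],
              "hosts resolver:", info["contains_dns_resolver"])
    print("subnet hosting resolver:", subnet_hosting_dns(vpc, subnets))
```

Running it on the constructed VPC shows that app-b, carved from the secondary block, still has 10.33.0.2 reserved but does not contain the resolver, and that with only 10.32.16.0/20 allocated no subnet contains 10.32.0.2 at all; the link-local address remains reachable either way.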
