Private DNS name for cross-account request to application load balancer routing via PrivateLink

0

Hi, we're exploring using PrivateLink to access a cross-account endpoint service backed by an internal NLB with an internal ALB as target. Currently we have multiple services in an EKS cluster hosted in private subnets, and the ALB is configured with host-based routing (using DNS from a private hosted zone) and HTTPS auto-redirect for internal use. I'm wondering, when a consumer VPC accesses it via PrivateLink through its interface endpoint, is there a way to easily apply the DNS hostname from the request so that the forwarded traffic to the ALB can still be recognized and routed properly?

Thanks!

1 Answer
3
Accepted Answer

Hello,

Please see this Knowledge Center article which explains Provider and Consumer side of the configurations for enabling custom Private DNS names:

https://aws.amazon.com/premiumsupport/knowledge-center/vpc-private-dns-name-endpoint-service/

The PrivateLink and NLB are pass-through for HTTPS, and the actual SSL offloading or termination is likely on the ALB. As such, the PL as well as the NLB are not going to look at or modify anything in the HTTP header. As long as the Clients on the Consumer side use the correct HTTP hostnames in their request, the ALB will do the host-based routing just fine.

As for the DNS resolution, the Client (Consumer) side will have no visibility of the NLB/ALB/EKS; they would connect to the VPC endpoint IPs in the consumer VPC. In the example below the PL is set up for 2 AZs, and DNS will round-robin between the 2 VPC endpoint private IPs to which Clients connect to consume the service.

Reference: https://d1.awsstatic.com/whitepapers/aws-privatelink.pdf

Just an Example showing how a Client connects to a PL:

[Image: example of a Client connecting to a PL]

Hope this helps

AWS
EXPERT
answered 2 years ago
  • Thanks Tushar_J, please help me understand a bit more. I see that by enabling the private DNS name from the provider, the consumer can use that name while setting up the interface endpoint in place of the generated Endpoint-Specific Regional DNS Hostname. What I am still a bit unclear about is: say we have sharedservice.company.com as the shared endpoint service, is the consumer able to call service1.sharedservice.company.com right away? Or does it require them to set up a private hosted zone and add that as a record? Would you recommend doing a private hosted zone association across VPCs?

  • Hi Tushar_j, thanks for the info. From what I understand, enabling private DNS requires owning a public domain, which is additional to our current setting as everything is internal. In addition, this only creates the private DNS name as one record in the consumer's PHZ (automatically, I suppose); in the case of multiple rules set up on the ALB for host-based routing, we still need a mechanism to add all the DNS records required, such as s1.myservice.com, s2.myservice.com etc., which both map to the endpoint DNS for downstream routing. Is that the correct understanding?
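As an added example (not code from the thread or from AWS), the record-generation mechanism the last comment asks about, combined with the host-header check the answer relies on: every hostname the consumer publishes in its private hosted zone must be one an ALB host-header rule will actually route, since PrivateLink and the NLB forward the TLS stream untouched. The ALB rules, hostnames, endpoint DNS name and hosted zone id are constructed placeholders.

```python
"""Consumer-side Route 53 records for an ALB reached through PrivateLink.

Constructed example: hostnames that no ALB host-header rule matches are
reported instead of published, so clients never resolve a name that the
ALB would send to its default action. Names and ids are placeholders.
"""
import re

# Constructed inputs: provider-side ALB host-header rule patterns and the
# consumer's interface-endpoint DNS name (both placeholders).
ALB_HOST_RULES = ["s1.myservice.com", "s2.myservice.com", "*.api.myservice.com"]
ENDPOINT_DNS = "vpce-PLACEHOLDER.vpce-svc-PLACEHOLDER.us-east-1.vpce.amazonaws.com"
CONSUMER_ZONE_ID = "ZPLACEHOLDER"  # consumer private hosted zone id


def alb_host_matches(pattern: str, host: str) -> bool:
    """ALB host-header semantics: case-insensitive, '*' = 0+ chars, '?' = 1 char."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, host, flags=re.IGNORECASE) is not None


def routable_hostnames(requested: list[str], rules: list[str]) -> tuple[list[str], list[str]]:
    """Split requested hostnames into those an ALB rule routes and those none does."""
    ok = [h for h in requested if any(alb_host_matches(r, h) for r in rules)]
    return ok, [h for h in requested if h not in ok]


def route53_change_batch(hostnames: list[str], endpoint_dns: str, ttl: int = 60) -> dict:
    """ChangeBatch for route53.change_resource_record_sets: one CNAME per host -> endpoint DNS."""
    return {
        "Comment": "PrivateLink consumer records for ALB host-based routing",
        "Changes": [
            {"Action": "UPSERT",
             "ResourceRecordSet": {"Name": f"{h}.", "Type": "CNAME", "TTL": ttl,
                                   "ResourceRecords": [{"Value": endpoint_dns}]}}
            for h in hostnames
        ],
    }


if __name__ == "__main__":
    wanted = ["s1.myservice.com", "s2.myservice.com", "v2.api.myservice.com", "s3.myservice.com"]
    ok, unrouted = routable_hostnames(wanted, ALB_HOST_RULES)
    batch = route53_change_batch(ok, ENDPOINT_DNS)
    print(f"{len(batch['Changes'])} CNAME record(s) -> {ENDPOINT_DNS}")
    for h in unrouted:
        print(f"skipped {h}: no ALB host-header rule would route it")
    # To apply: boto3.client("route53").change_resource_record_sets(
    #     HostedZoneId=CONSUMER_ZONE_ID, ChangeBatch=batch)
```

The ALB's certificate must also cover each published hostname, because the client's TLS SNI and Host header carry the service name, not the endpoint's generated DNS name.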
