
Using same private DNS for multiple service endpoints

0

I wanted to check if it's possible to use the same private DNS for multiple endpoint services.

If a request comes from the service consumer VPC, the private DNS servers resolve the DNS name to the IP addresses of the endpoint network interfaces. Otherwise, the public DNS servers resolve the DNS name to the public endpoint.

My expectation was no, but I was surprised that is not the case. I was able to successfully create 2 endpoint services using the same private DNS name. How is this possible?

cf.: https://repost.aws/questions/QUHMBPJekTR_yRCfCeBptI8g/point-2-endpoints-to-the-same-private-dns-name

  • Please supply more details about the endpoints n

asked a year ago · 117 views
1 Answer
0

You said you created two VPC endpoint services (as opposed to two VPC endpoints) with the same name. There's nothing stopping you from doing so, since that's the service provider side of the equation. It simply means that you're offering multiple services associated with the same DNS name, without anyone using any of them yet.

When the consumer of your service creates a VPC endpoint for your VPC endpoint service, and they've enabled the DNS resolution options for both their VPC and the VPC endpoint, Amazon EC2 will automatically create and associate with the VPC a hidden, AWS-managed Route 53 Private Hosted Zone (PHZ) for the DNS name, containing records that point the name to the IP addresses of the endpoint created in the consumer's VPC.

It's at this point, while creating the second VPC endpoint (and not a VPC endpoint service), that the confusion would arise over which service's endpoints the single DNS name would point to. I haven't tested this rare special case, but given that the VPC endpoint DNS resolution option is based on the creation and association of a PHZ with your VPC, combined with Route 53's built-in restriction of a PHZ only being able to be associated if a PHZ with the same name isn't already associated with the VPC, the attempt to create the second endpoint with the PrivateDnsEnabled option should fail. The underlying error should be ConflictingDomainExists (https://docs.aws.amazon.com/Route53/latest/APIReference/API_CreateHostedZone.html#API_CreateHostedZone_Errors), although I'm not sure if the process would reach that point or expose that exact error code, when the attempt would be made by the EC2 service on your behalf.

In any case, the conclusion should be that you can't create two endpoints in the same VPC having the same DNS name, if the private DNS resolution option is enabled for both. You'd have to disable the PrivateDnsEnabled option for the second VPC endpoint, and the DNS name would continue to point to the first VPC endpoint to claim the name.

EXPERT
answered a year ago
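The two situations the answer distinguishes (several endpoint services claiming one private DNS name on the provider side, versus more than one PrivateDnsEnabled endpoint for that name inside a single consumer VPC) are easy to audit from CLI output. The following is an added example, not code from the thread or from AWS: it parses constructed JSON shaped like the output of `aws ec2 describe-vpc-endpoint-service-configurations` and `aws ec2 describe-vpc-endpoints` (the field names `ServiceConfigurations`, `ServiceName`, `PrivateDnsName`, `VpcEndpoints`, `VpcEndpointId`, `VpcId`, `VpcEndpointType`, `PrivateDnsEnabled` are assumed to match those responses), and reports both kinds of collision. The sample IDs and names are made up.

```python
"""Audit VPC endpoint services and consumer VPC endpoints for private DNS
name collisions.

Added example, not from the re:Post thread or from AWS. The input below is
constructed to mirror the shape of `aws ec2 describe-vpc-endpoint-service-
configurations` and `aws ec2 describe-vpc-endpoints` JSON (field names are
assumed to match those CLI responses; service/endpoint IDs are invented).
"""
import json
from collections import defaultdict

# Constructed sample: two endpoint services on the provider side both claim
# the same private DNS name, which is the situation the question describes.
SERVICE_CONFIGS_JSON = json.dumps({
    "ServiceConfigurations": [
        {"ServiceId": "vpce-svc-0aaa",
         "ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0aaa",
         "PrivateDnsName": "api.example.internal"},
        {"ServiceId": "vpce-svc-0bbb",
         "ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0bbb",
         "PrivateDnsName": "api.example.internal"},
        {"ServiceId": "vpce-svc-0ccc",
         "ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0ccc",
         "PrivateDnsName": "other.example.internal"},
    ]
})

# Constructed sample: consumer-side endpoints. In vpc-1 the second endpoint
# was created with PrivateDnsEnabled=false, as the answer recommends, so only
# the first endpoint holds the name. In vpc-2 both have it enabled.
VPC_ENDPOINTS_JSON = json.dumps({
    "VpcEndpoints": [
        {"VpcEndpointId": "vpce-111", "VpcId": "vpc-1", "VpcEndpointType": "Interface",
         "ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0aaa", "PrivateDnsEnabled": True},
        {"VpcEndpointId": "vpce-222", "VpcId": "vpc-1", "VpcEndpointType": "Interface",
         "ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0bbb", "PrivateDnsEnabled": False},
        {"VpcEndpointId": "vpce-333", "VpcId": "vpc-2", "VpcEndpointType": "Interface",
         "ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0aaa", "PrivateDnsEnabled": True},
        {"VpcEndpointId": "vpce-444", "VpcId": "vpc-2", "VpcEndpointType": "Interface",
         "ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0bbb", "PrivateDnsEnabled": True},
    ]
})


def services_sharing_private_dns(service_configs_json):
    """Return {private_dns_name: [service names]} for every name claimed by
    more than one endpoint service. Allowed on the provider side, but worth
    flagging: in any given consumer VPC the name can resolve to only one."""
    by_name = defaultdict(list)
    for svc in json.loads(service_configs_json)["ServiceConfigurations"]:
        name = svc.get("PrivateDnsName")
        if name:
            by_name[name].append(svc["ServiceName"])
    return {n: s for n, s in by_name.items() if len(s) > 1}


def conflicting_consumer_endpoints(service_configs_json, vpc_endpoints_json):
    """Return {(vpc_id, private_dns_name): [endpoint ids]} where more than one
    interface endpoint in the same VPC has PrivateDnsEnabled for the same
    private DNS name. Per the answer, Route 53's one-PHZ-per-name-per-VPC
    rule should reject the second such endpoint; anything this reports is an
    ambiguous name resolution that needs one endpoint's private DNS turned off."""
    name_of_service = {
        svc["ServiceName"]: svc.get("PrivateDnsName")
        for svc in json.loads(service_configs_json)["ServiceConfigurations"]
    }
    claims = defaultdict(list)
    for ep in json.loads(vpc_endpoints_json)["VpcEndpoints"]:
        if ep.get("VpcEndpointType") != "Interface" or not ep.get("PrivateDnsEnabled"):
            continue
        name = name_of_service.get(ep["ServiceName"])
        if name:
            claims[(ep["VpcId"], name)].append(ep["VpcEndpointId"])
    return {k: v for k, v in claims.items() if len(v) > 1}


if __name__ == "__main__":
    print("services sharing a private DNS name:",
          services_sharing_private_dns(SERVICE_CONFIGS_JSON))
    print("consumer VPCs with ambiguous private DNS:",
          conflicting_consumer_endpoints(SERVICE_CONFIGS_JSON, VPC_ENDPOINTS_JSON))
```

Against real accounts, feed the two functions the JSON captured from the corresponding `aws ec2 describe-...` calls for the provider and consumer accounts respectively; only the consumer-side result represents a state the answer says should not be reachable, so a non-empty result there is the thing to investigate.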
