
Alibaba Cloud DNS: Inbound endpoint

Last Updated: Oct 23, 2025

To use your private IP addresses for a private zone within a Virtual Private Cloud (VPC), you can create an inbound endpoint to allocate custom service addresses. These addresses are created on demand and use the pay-as-you-go billing method. This topic describes how to create an inbound endpoint to customize private Domain Name System (DNS) service addresses.

Overview

An inbound endpoint is the nameserver address for a private zone. You can configure it as the DNS service address for cloud-based clients, such as Elastic Compute Service (ECS) instances or containers. You can also configure it as the target IP address for external clients, such as on-premises hosts or external DNS servers, to access the private zone. There are two types of inbound endpoints: system-assigned and custom. The default system-assigned private zone addresses are 100.100.2.136 and 100.100.2.138. These addresses use anycast to provide DNS resolution services for all VPCs in all regions free of charge.

Available regions

This feature is available in the following regions:

  • Public cloud regions: South Korea (Seoul), Singapore, China (Hong Kong), China (Shanghai), China (Beijing), China (Hangzhou), China (Ulanqab), China (Shenzhen), Philippines (Manila), US (Virginia), Malaysia (Kuala Lumpur), Germany (Frankfurt), Indonesia (Jakarta), and Japan (Tokyo).

  • Finance Cloud regions: China (Hangzhou), China (Beijing), and China (Shanghai).

Limits

| Limit | Threshold | Description |
| --- | --- | --- |
| Maximum requests for a single inbound service IP address (Standard Edition) | 5,000 queries per second | A single inbound service IP address supports a peak query rate of 5,000 queries per second. DNS requests that exceed this peak are randomly discarded. The Service-Level Agreement (SLA) is not guaranteed. |
| Maximum requests from a single client source IP address | 5,000 queries per second | A single client IP address has a total request threshold of 5,000 queries per second and an external recursive resolution request threshold of 600 queries per second. Each inbound VPC has an unlimited total request threshold and an external recursive resolution request threshold of 5,000 queries per second. Note: All inbound endpoint IP addresses in the same VPC are subject to this global constraint. |
| Maximum external recursive resolution requests from a single client source IP address | 600 queries per second | |
| Number of service IP addresses for a single inbound endpoint | A minimum of 2 and a maximum of 6 | To ensure high availability (HA), a single inbound endpoint must have at least two service IP addresses and can have a maximum of six. |

Usage rules

The usage rules for inbound endpoints vary depending on the source of DNS query traffic:

Internal DNS query traffic (from ECS instances and containers)

| Effective scope | Custom inbound endpoint (custom IP address within a VPC) | System-assigned inbound endpoint (100.100.2.136/100.100.2.138) |
| --- | --- | --- |
| Inbound service IP addresses | The inbound VPC. Other VPCs that require access must establish network connectivity with the inbound VPC through Express Connect or Cloud Enterprise Network (CEN). | All VPCs. |
| Set by associated VPCs (for example, for private authoritative domain names, cached domain names, or forwarding rules) | Supported. However, the domain name's effective scope must be the inbound VPC for the resolution settings to take effect. | Supported. The effective scope can be set to the inbound VPC or other VPCs. The resolution settings take effect within the associated VPC. |
| Implementation of ACL-based intelligent resolution | Configure custom ACL-based resolution | Configure a custom access control list (ACL) or set the domain name's effective scope. |

External DNS query traffic (traffic entering through an inbound VPC)

| Effective scope | Custom inbound endpoint (custom IP address within a VPC) | System-assigned inbound endpoint (100.100.2.136/100.100.2.138) |
| --- | --- | --- |
| Inbound service IP addresses | The inbound VPC. Data centers that require access must establish network connectivity with the inbound VPC through a leased line, VPN, or Smart Access Gateway (SAG). | The inbound VPC. Data centers that require access must establish network connectivity with the inbound VPC through a leased line, VPN, or SAG. |
| Set by associated VPCs (for example, for private authoritative domain names, cached domain names, or forwarding rules) | Supported. However, the domain name's effective scope must be the inbound VPC for the resolution settings to take effect. | Supported. However, the domain name's effective scope must be the inbound VPC for the resolution settings to take effect. |
| Implementation of ACL-based intelligent resolution | Configure custom ACL-based resolution | Configure a custom ACL. |

Create an inbound endpoint

  1. Go to Alibaba Cloud DNS - Private DNS.

  2. On the Inbound Endpoint tab, click Create Inbound Endpoint. In the Create Inbound Endpoint dialog box, set the Edition, Endpoint Name, Inbound VPC, Security Group, and Inbound Service IP Address.

  • Edition: The edition of the inbound endpoint. The only option is Standard Edition.

  • Endpoint Name: A custom name for the endpoint.

  • Inbound VPC: The VPC that routes all inbound DNS query traffic.

    Important
    • You cannot change the inbound VPC after an inbound endpoint is created. This prevents accidental traffic interruptions.

    • For more information about the regions where this feature is available, see the "Available regions" section. We are collecting feedback to prioritize the release in other regions. To request this feature in a specific region, you can submit a ticket and specify the region.

  • Security Group: The rules in the security group control inbound traffic to the VPC. For more information, see Create a security group.

    Important
    • In the security group of the inbound VPC, allow inbound traffic on port 53 from the source CIDR block for DNS queries.

    • If inbound traffic originates from other VPCs within Alibaba Cloud, allow outbound traffic on port 53 in the security groups of those VPCs.

  • Inbound Service IP Address: The IP addresses for the service. Select available IP addresses from the vSwitch in the selected zone. Do not use IP addresses that are already assigned to other resources, such as ECS instances. To ensure high availability (HA), add at least two service IP addresses and distribute them across different zones. An inbound endpoint supports a maximum of six service IP addresses.

    Important
    • You cannot add or modify a service IP address if it is the same as the target IP address of a forwarding rule and the outbound endpoint for that rule is in the same VPC as the inbound endpoint. This restriction does not apply if the endpoints are in different VPCs. If a resolution loop occurs because VPCs are connected through CEN, a SERVFAIL error is returned.

    • If you do not specify IP addresses, the system automatically assigns them.

  3. Click OK to create the inbound endpoint.

  4. The inbound endpoint list displays the newly created endpoint and any existing endpoints. The status of an inbound endpoint can be Normal, Creating, Creation Failed, Modifying, Modification Failed, or Abnormal.

    Important
    • Creating an inbound endpoint takes 5 to 10 minutes. If the status is Creating, wait for the process to complete.

    • You cannot modify or delete endpoints with a status of Creating or Modifying. If an endpoint's status is Abnormal or Modification Failed, submit a ticket to request an investigation.
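
The constraints stated in this procedure (two to six service IP addresses spread across zones, no service IP address that is also a forwarding-rule target in the same VPC, and port 53 allowed from the DNS client CIDR block) can be checked before the endpoint is created. The following Python check is an added example, not Alibaba Cloud code; the dictionary layout, names, and sample addresses are assumptions made for illustration, and it requires both UDP and TCP rules because DNS uses both on port 53.

```python
import ipaddress

def check_endpoint(plan, forward_rules, sg_rules, client_cidr):
    """Return findings for a planned inbound endpoint; [] means it passes."""
    findings = []
    ips = plan["service_ips"]
    if not 2 <= len(ips) <= 6:  # page: minimum 2, maximum 6 service IPs
        findings.append(f"service IP count {len(ips)} is outside 2-6")
    if len({e["zone"] for e in ips}) < 2:  # page: distribute across zones
        findings.append("service IPs are not spread across zones")
    for e in ips:
        addr = ipaddress.ip_address(e["ip"])
        if addr not in ipaddress.ip_network(e["vswitch_cidr"]):
            findings.append(f"{addr} is outside vSwitch {e['vswitch_cidr']}")
        # page: a service IP must not equal a forwarding-rule target whose
        # outbound endpoint sits in the same VPC as the inbound endpoint
        for r in forward_rules:
            if r["outbound_vpc"] == plan["vpc"] and r["target_ip"] == e["ip"]:
                findings.append(f"{addr} is a forwarding target in {plan['vpc']}")
    clients = ipaddress.ip_network(client_cidr)
    # DNS runs over UDP and TCP; the page itself only says "port 53"
    for proto in ("udp", "tcp"):
        covered = any(
            r["proto"] == proto and r["port"] == 53
            and clients.subnet_of(ipaddress.ip_network(r["source"]))
            for r in sg_rules)
        if not covered:
            findings.append(f"no {proto}/53 ingress rule covers {client_cidr}")
    return findings

# Constructed sample data; the VPC name, zones and addresses are placeholders.
BAD_PLAN = {"vpc": "vpc-example", "service_ips": [
    {"ip": "10.0.1.10", "zone": "zone-a", "vswitch_cidr": "10.0.1.0/24"},
    {"ip": "10.0.1.11", "zone": "zone-a", "vswitch_cidr": "10.0.1.0/24"}]}
GOOD_PLAN = {"vpc": "vpc-example", "service_ips": [
    {"ip": "10.0.1.10", "zone": "zone-a", "vswitch_cidr": "10.0.1.0/24"},
    {"ip": "10.0.2.10", "zone": "zone-b", "vswitch_cidr": "10.0.2.0/24"}]}
FORWARD_RULES = [{"outbound_vpc": "vpc-example", "target_ip": "10.0.1.11"}]
UDP_ONLY = [{"proto": "udp", "port": 53, "source": "192.168.0.0/16"}]
UDP_TCP = UDP_ONLY + [{"proto": "tcp", "port": 53, "source": "192.168.0.0/16"}]

if __name__ == "__main__":
    clients = "192.168.10.0/24"
    for finding in check_endpoint(BAD_PLAN, FORWARD_RULES, UDP_ONLY, clients):
        print("FAIL:", finding)
    print("good plan:", check_endpoint(GOOD_PLAN, FORWARD_RULES, UDP_TCP, clients))
```
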

Modify an inbound endpoint

  1. Go to Alibaba Cloud DNS - Private DNS.

  2. On the Inbound Endpoint tab, find the endpoint that you want to modify and click Modify in the Actions column.

  3. In the Modify Inbound Endpoint dialog box, you can modify the Endpoint Name and Inbound Service IP Address.

  4. After you click OK, the endpoint status changes to Modifying. While the endpoint is in this state, you cannot perform Modify or Delete operations.

Delete an inbound endpoint

Delete a single inbound endpoint

  1. Go to Alibaba Cloud DNS - Private DNS.

  2. On the Inbound Endpoint tab, find the endpoint to delete and click Delete in the Actions column. In the Delete Prompt dialog box, click OK.

Batch delete inbound endpoints

  1. Go to Alibaba Cloud DNS - Private DNS.

  2. On the Inbound Endpoint tab, select the inbound endpoints that you want to delete, click Batch Delete at the bottom of the page, and then click OK in the Batch Delete Prompt dialog box.