
Alibaba Cloud DNS:Use Private DNS to enable mutual access between an ECS instance in a VPC and an on-premises data center

Last Updated:Dec 05, 2024

Scenarios

In a multi-cloud or hybrid cloud architecture, the services in an on-premises data center and the services in an Alibaba Cloud Virtual Private Cloud (VPC) need to reach each other by using Domain Name System (DNS) resolution. If the two isolated network environments are already connected through a Virtual Private Network (VPN) or a leased line, you can follow this topic to enable the services deployed in the two environments to resolve each other's domain names and access each other.

Prerequisites

Two isolated network environments have been connected through VPNs or leased lines. For more information, see IPsec-VPN.

Schematic diagram

[Figure: schematic diagram]

Expected results

  • If you use an ECS instance in an Alibaba Cloud VPC to query the domain name app.example.com, the request is forwarded to the external DNS server through the outbound endpoint.

  • If you use an Internet Data Center (IDC) or an ECS instance on Alibaba Cloud to query the domain name test.oss-cn-hangzhou-internal.aliyuncs.com, the local DNS server forwards the request to Alibaba Cloud DNS PrivateZone through the inbound endpoint.

    Note

    In this example, test.oss-cn-hangzhou-internal.aliyuncs.com is an OSS internal endpoint. Change the endpoint based on your business requirements.

Procedure

Scenario 1: Use a VPC to access an on-premises DNS

  1. Create an outbound endpoint. In this example, 192.168.100.74 and 192.168.192.219 are created. For more information, see Create an outbound endpoint.

  2. Create a forwarding rule: In this example, example.com serves as the forward zone. The IP addresses and ports of the external DNS servers are not provided by Alibaba Cloud DNS; they are the addresses of your on-premises DNS servers. In this example, 192.168.100.100 and 192.168.100.200 are used. For more information, see Create a forwarding rule.

    Important

    If example.com has been set as a built-in authoritative zone, be sure to enable subdomain recursive resolution proxy.

  3. Specify an effective range for the forwarding rule: The forwarding rule must take effect in the VPCs where ECS instances are located. For more information, see Specify an effective scope for a forwarding rule.

  4. Run the dig app.example.com command on an ECS instance in the VPC for verification.

Scenario 2: Use an on-premises server to access Alibaba Cloud DNS

  1. Create an inbound endpoint on the Service Address tab of Alibaba Cloud Private DNS. In this example, 192.168.0.176 and 192.168.100.163 are used as the inbound service IP addresses.

    Warning

    The forwarding rule must take effect in the inbound VPC within the effective scope of the built-in authoritative zone oss-cn-hangzhou-internal.aliyuncs.com. Otherwise, domain name resolution does not take effect.

    Important
    • On the Service Address tab, you can customize an IP address for an Alibaba Cloud Private DNS server within a specific VPC in Alibaba Cloud. This feature applies to scenarios where the CIDR block of your local DNS server conflicts with the default IP addresses of Alibaba Cloud Private DNS, and where Alibaba Cloud DNS is only effective within a specific VPC. In this example, 100.100.2.136 and 100.100.2.138 are used as the default IP addresses.

    • If the CIDR block of your on-premises network does not conflict with the default IP addresses of Private DNS, the default IP address can be used for DNS resolution.

  2. Add a forwarding rule on the local DNS servers to forward all requests matching oss-cn-hangzhou-internal.aliyuncs.com to the IP addresses of the inbound endpoint.

  3. Run the command dig test.oss-cn-hangzhou-internal.aliyuncs.com on your local DNS server for verification.
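The forwarding rule from step 2 written out as a BIND 9 named.conf fragment for the on-premises DNS server. This is an added example, not configuration from the Alibaba Cloud documentation; the inbound endpoint addresses are the ones from step 1, while the client CIDR block 192.168.0.0/16 and the ACL name are assumptions.

```conf
// Added example (not from the Alibaba Cloud documentation): BIND 9 named.conf
// fragment for the on-premises DNS server in Scenario 2, step 2.
// Assumptions: BIND 9 runs on the local DNS server and on-premises clients sit
// in 192.168.0.0/16 (placeholder range; replace with your own).

acl "onprem-clients" { 192.168.0.0/16; };   // placeholder client range

options {
    directory "/var/cache/bind";
    recursion yes;
    // Only on-premises clients may use this server as a recursive resolver.
    allow-query     { "onprem-clients"; localhost; };
    allow-recursion { "onprem-clients"; localhost; };
    // Names not matched by a forward zone below are resolved as usual.
};

// Conditional forwarder: only names under the OSS internal endpoint domain are
// sent to the Private DNS inbound endpoint IP addresses created in step 1.
zone "oss-cn-hangzhou-internal.aliyuncs.com" {
    type forward;
    // "forward only": if both inbound endpoints are unreachable the query
    // fails instead of falling back to ordinary recursion, so queries for the
    // internal endpoint domain never leave the VPN/leased-line path.
    forward only;
    forwarders {
        192.168.0.176;      // inbound endpoint address 1 (from step 1)
        192.168.100.163;    // inbound endpoint address 2 (from step 1)
    };
};
```

Validate the file with named-checkconf and reload the service, then run the dig command from step 3 against this server to confirm that the answer comes back with status NOERROR.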