Elastic Compute Service: Private DNS resolution for ECS instances

Last Updated: Mar 27, 2026

Within a virtual private cloud (VPC), you can use private domain names for communication. This allows you to access services on ECS instances without using IP addresses, which enhances security and isolation from the public internet. This feature lets you easily assign private domain names to your instances and automatically manages their DNS resolution records, eliminating manual updates.

Private domain names for ECS instances

A private domain name for an ECS instance is an internal domain name assigned to the instance within a VPC. It is used to identify and access the instance within the VPC. A DNS resolution service generates these domain names and resolves them to IP addresses. This feature relies on Alibaba Cloud's Private DNS. The service addresses for Private DNS are assigned by the system and are 100.100.2.136 and 100.100.2.138.

Use cases

  • Hostname management: By using the private DNS resolution service and configuring the hostname type of an ECS instance to be IP address-based or instance ID-based, you can access the instance by its hostname within a specific VPC. This simplifies routine host management.

  • Service instantiation in the cloud: Services in the cloud often communicate with each other. By using private DNS resolution, you can generate an authoritative domain name within the VPC for each cloud service and resolve it to the private IP address of a specific ECS instance. This process allows you to reference services by a consistent name rather than a changing IP address.

Note

If you require more advanced DNS configurations, such as DNS forwarding or recursion, you can use Private DNS. If you need public DNS resolution, Alibaba Cloud offers Alibaba Cloud DNS, a secure, fast, and stable authoritative DNS service.

Private domain name structure

A private domain name for an ECS instance is a four-level domain, with each level separated by a period (.). Examples: i-8ps2h6dsc74cuktb****.ap-southeast-3.ecs.internal or ip-172-16-0-89.ap-southeast-3.ecs.internal. The structure consists of the following parts:

  • Top-level domain (.internal): The internal domain for ECS, used within the private network.

  • Second-level domain (.ecs): The product identifier for ECS.

  • Subdomain (.[regionID]): The ID of the region where the instance is located. For example, if you select the Malaysia (Kuala Lumpur) region, the region ID is ap-southeast-3. For more information about region IDs, see Regions and zones.

  • Host identifier: Points to a specific ECS instance. ECS supports IP address-based and instance ID-based hostnames:

    • IP address-based hostname: A hostname based on the primary private IPv4 address of the ECS instance. For example, ip-172-16-0-89 (where the instance's primary private IPv4 address is 172.16.0.89).

    • Instance ID-based hostname: A hostname based on the instance ID of the ECS instance. For example, i-8ps2h6dsc74cuktb**** (where the instance ID is i-8ps2h6dsc74cuktb****). If you use IPv6 for communication, you can choose the instance ID-based hostname.
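
An added example, not part of the original documentation: a Python parser that validates the four-level layout described above and recovers the embedded IPv4 address from an IP address-based name, which helps when these names appear as PTR answers in logs. The function name and the instance ID pattern (i- followed by lowercase letters and digits) are assumptions.

```python
import ipaddress
import re

# Four-level layout described above: <host>.<regionID>.ecs.internal
# (a trailing dot, as printed by DNS tools, is tolerated).
_NAME_RE = re.compile(
    r"(?P<host>[a-z0-9-]+)\.(?P<region>[a-z0-9-]+)\.ecs\.internal\.?"
)
_IP_HOST_RE = re.compile(r"ip-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})")
# Assumption: instance IDs are "i-" followed by lowercase letters and digits.
_ID_HOST_RE = re.compile(r"i-[a-z0-9]+")


def parse_ecs_private_name(name):
    """Split an ECS private domain name into its parts.

    Returns a dict with keys kind ("ip" or "instance-id"), host, region and
    ipv4 (an IPv4Address for IP address-based names, otherwise None).
    Raises ValueError for anything that does not match the documented layout,
    for example extra labels appended after .ecs.internal.
    """
    m = _NAME_RE.fullmatch(name.strip().lower())
    if not m:
        raise ValueError(f"not a <host>.<regionID>.ecs.internal name: {name!r}")
    host, region = m.group("host"), m.group("region")

    ip_match = _IP_HOST_RE.fullmatch(host)
    if ip_match:
        dotted = ".".join(ip_match.groups())
        try:
            ipv4 = ipaddress.IPv4Address(dotted)
        except ipaddress.AddressValueError:
            raise ValueError(f"host label is not a valid IPv4 address: {host!r}") from None
        return {"kind": "ip", "host": host, "region": region, "ipv4": ipv4}

    if _ID_HOST_RE.fullmatch(host):
        return {"kind": "instance-id", "host": host, "region": region, "ipv4": None}
    raise ValueError(f"unrecognised host identifier: {host!r}")
```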

Private DNS record types

ECS instance private domain names support the following four types of DNS resolution:

  • DNS resolution (A record) from an IP address-based hostname to the primary private IPv4 address

    • Description: Maps the generated IP address-based private domain name to the instance's primary private IPv4 address.

    • Generated domain name: ip-[primary-private-ipv4-string].[regionID].ecs.internal

    • Example: ip-192-168-1-1.region-name.ecs.internal resolves to 192.168.1.1

    • Use cases: Service access testing: By mapping the instance's IP address-based hostname to its corresponding IPv4 address, the IP address is visibly included in the domain name. This is suitable for testing scenarios.

  • DNS resolution (A record) from an instance ID-based hostname to the primary private IPv4 address

    • Description: Maps the generated instance ID-based private domain name to the instance's primary private IPv4 address.

    • Generated domain name: [instanceID].[regionID].ecs.internal

    • Example: i-bp1hs9xdprd7xq4p****.region-name.ecs.internal resolves to 192.168.XX.XX

    • Use cases: Automated deployment and management: An ECS instance's IP address may change due to frequent operations. Using an instance ID-based hostname for DNS resolution automatically binds the latest IP address to the hostname, which simplifies configuration management and operations.

  • DNS resolution (AAAA record) from an instance ID-based hostname to the primary private IPv6 address

    Note: This option is available only if an IPv6 address is assigned to the instance.

    • Description: Maps the generated instance ID-based private domain name to the instance's IPv6 address.

    • Generated domain name: [instanceID].[regionID].ecs.internal

    • Example: i-bp1hs9xdprd7xq4p****.region-name.ecs.internal resolves to 2408:XXXX:17:8aff:7833:3724:XXXX:XXXX

    • Use cases: IPv6 network connectivity: When a host or service supports both IPv4 and IPv6, an AAAA record allows IPv6-capable clients to establish connections by using IPv6 addresses. This takes advantage of the larger address space and improved communication efficiency of the IPv6 network.

  • Reverse DNS resolution (PTR record) from a primary private IPv4 address to an IP address-based hostname

    • Description: Maps the instance's primary private IPv4 address to the generated IP address-based private domain name.

    • Generated domain name: ip-[primary-private-ipv4-string].[regionID].ecs.internal

    • Example: 192.168.0.1 resolves to ip-192-168-0-1.cn-hangzhou.ecs.internal

    • Use cases:

      • Spam filtering: Many email servers use reverse DNS resolution to verify the legitimacy of the sending server. If an IP address does not correctly resolve back to a domain name, the email may be flagged as potential spam or rejected.

      • Log analysis and tracking: In network security and system management, reverse DNS lookups can convert IP addresses into more understandable domain names, making it easier to analyze and track sources in log files.

Limitations

  • Private domain names for ECS instances are system-generated. You cannot configure custom domain names.

  • Private domain names are effective only within a single VPC. Cross-VPC communication using private domain names is not supported.

  • Private domain names can be resolved only to the primary private IP address of the primary elastic network interface. Secondary private IP addresses are not supported.

  • The maximum number of DNS queries for each ECS instance in a VPC is 5,000 per second. If the peak number of DNS requests per second exceeds this limit, throttling may be triggered, and the 99.99% availability service level agreement (SLA) is not guaranteed.

Use private domain names for communication

Step 1: Enable the DNS hostname feature

Enabling the DNS hostname feature for a VPC is the primary control for private DNS resolution. Private domain names for ECS instances in the VPC become active only after you enable this feature. When you enable the DNS hostname feature, the DNS resolution service creates a built-in authoritative zone in the format [regionID].ecs.internal. For example, if you create a VPC in the Malaysia (Kuala Lumpur) region and enable this feature, a zone named ap-southeast-3.ecs.internal is created. This domain is effective only within that VPC. For more information, see Private domain names in VPCs.

Important

The private DNS resolution settings that you configure for an ECS instance take effect only after you enable the DNS hostname feature for the VPC.

  1. Log on to the VPC console.

  2. In the top navigation bar, select the region where the target VPC is located.

  3. On the VPC page, click the ID of the target VPC. In the Basic Information section, enable DNS hostname.

Step 2: Configure private DNS resolution

The mapping between an ECS instance's private domain name and its IP address, which is a DNS record, must be configured for the instance. You can configure these mappings when you create an instance or modify it later. The following sections demonstrate these operations.

On instance creation

Note

You can also specify the PrivateDnsNameOptions-related parameters when you call the RunInstances API operation to create multiple instances and configure their private domain name resolution.

Procedure

  1. Go to the ECS instance buy page.

  2. Click the Custom Launch tab.

  3. Configure parameters, such as Billing Method, Region, Instance Type, and Image.

    For information about each parameter on the Custom Launch tab, see Parameters.

  4. At the bottom of the page, expand advanced settings (Optional) and configure Private DNS Records.

    Based on your scenario, select the desired mappings between private domain names and IP addresses. You can select multiple options. For more information about the record types, see Private DNS record types.

On instance modification

Note

You can also specify the PrivateDnsNameOptions-related parameters when you call the ModifyInstanceAttribute API operation to modify instance attributes.

Procedure

  1. Go to ECS console - Instances.

  2. In the top navigation bar, select the region and resource group of the resource that you want to manage.

  3. Find the target ECS instance and click its ID to go to the instance details page. In the All Operations column, choose ... Instance Properties > Modify Instance Properties. The Modify instance attributes dialog box appears.

  4. Based on your scenario, select the desired mappings between private domain names and IP addresses. You can select multiple options. For more information about the record types, see Private DNS record types.

  5. Click OK to save the configuration.

Step 3: Verify configuration

You can verify that private DNS resolution is working correctly by running commands on the ECS instance itself, or on another ECS instance that can communicate with it over the internal network within the same VPC. The commands to query DNS information vary depending on the operating system.

Linux instances

The host command is a utility in Linux for querying Domain Name System (DNS) information. The command allows you to query the mapping between domain names and IP addresses, and to perform a reverse lookup to find the domain name that corresponds to a given IP address.

  • Installing the host command: The host command is not installed on Linux instances by default. To install it, run sudo yum install bind-utils.

  • Query example:

    Note

    This example uses an instance with the following details. Replace the IP addresses and instance ID with your actual values.

    Instance ID: i-8psi44j4o4yqoh2b****

    Region ID: ap-southeast-3

    IPv4 address: 172.16.0.89

    IPv6 address: 240b:XXXX:41:b200:1ca9:f9bb:ae4:1ea0

    1. Connect to the Linux instance.

      For more information, see Connect to a Linux instance by using a password or key.

    2. Based on the enabled private domain name resolution records, run the host command to query DNS information.

      • To look up the IP address for the IP address-based domain name (A record):

        host ip-172-16-0-89.ap-southeast-3.ecs.internal

      • To look up the IP address for the instance ID-based domain name (A record):

        host i-8psi44j4o4yqoh2b****.ap-southeast-3.ecs.internal

      • To look up the IPv6 address for the domain name (AAAA record):

        host -t AAAA i-8psi44j4o4yqoh2b****.ap-southeast-3.ecs.internal

      • To perform a reverse DNS lookup and find the domain name associated with an IP address (PTR record):

        host 172.16.0.89

Windows instances

nslookup is a tool that is pre-installed in Windows. You can use it to query DNS records.

  • Query example:

    Note

    This example uses an instance with the following details. Replace the IP addresses and instance ID with your actual values.

    Instance ID: i-8ps2h6dsc74cfy02****

    Region ID: ap-southeast-3

    IPv4 address: 172.16.0.91

    IPv6 address: 240b:XXXX:41:b200:1ca9:f9bb:ae4:1e9a

    1. Connect to the Windows instance.

      For more information, see Connect to a Windows instance by using a password or key.

    2. Run the appropriate nslookup command based on the private DNS resolution record that you enabled.

      • To look up the IP address for the IP address-based domain name (A record):

        nslookup ip-172-16-0-91.ap-southeast-3.ecs.internal

      • To look up the IP address for the instance ID-based domain name (A record):

        nslookup i-8ps2h6dsc74cfy02****.ap-southeast-3.ecs.internal

      • To look up the IPv6 address for the domain name (AAAA record):

        nslookup -type=AAAA i-8ps2h6dsc74cfy02****.ap-southeast-3.ecs.internal

      • To perform a reverse DNS lookup and find the domain name associated with an IP address (PTR record):

        nslookup 172.16.0.91

After the verification is successful, the ECS instance that is configured for private domain name resolution can be accessed by other ECS instances in the same VPC. You can run the ping <private domain name> command on these instances to test the connection. For example, run ping ip-172-16-0-91.ap-southeast-3.ecs.internal.

Important

To test IPv6 connectivity, you must assign an IPv6 address to both the source and destination instances. For more information, see IPv6 communication.
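
The checks from Step 3 as one script that runs on both Linux and Windows instances, added here as an example rather than taken from the Alibaba Cloud documentation. It builds the expected names from the instance details and compares the A, AAAA and PTR answers against them; verify_private_dns and its parameters are hypothetical names, and a False result means that record type is either not enabled for the instance or does not match.

```python
import ipaddress
import socket


def _resolve(name, family):
    """Return the set of addresses the system resolver gives for name."""
    try:
        infos = socket.getaddrinfo(name, None, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def _reverse(ip):
    """Return the reverse-lookup name for ip without a trailing dot, or None."""
    try:
        return socket.gethostbyaddr(ip)[0].rstrip(".").lower()
    except (socket.herror, socket.gaierror):
        return None


def _has(addresses, wanted):
    """True if wanted is among addresses, comparing parsed IP values."""
    want = ipaddress.ip_address(wanted)
    return any(ipaddress.ip_address(a) == want for a in addresses)


def verify_private_dns(instance_id, region, ipv4, ipv6=None,
                       resolve=_resolve, reverse=_reverse):
    """Check the record types from this page; return {check: True/False}.

    ipv6=None skips the AAAA check (no IPv6 address assigned). resolve and
    reverse can be replaced, for example to test against recorded answers.
    """
    zone = f"{region}.ecs.internal"
    ip_name = "ip-" + ipv4.replace(".", "-") + "." + zone
    id_name = f"{instance_id}.{zone}"
    results = {
        "A ip-name": _has(resolve(ip_name, socket.AF_INET), ipv4),
        "A id-name": _has(resolve(id_name, socket.AF_INET), ipv4),
        "PTR": reverse(ipv4) == ip_name,
    }
    if ipv6 is not None:
        results["AAAA id-name"] = _has(resolve(id_name, socket.AF_INET6), ipv6)
    return results
```

The default reverse lookup goes through the operating system resolver, so an entry in the local hosts file can mask the PTR answer from Private DNS.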

Other operations

Impact of operations

  • Change the VPC for an instance

    If private DNS resolution is enabled for the ECS instance, you must ensure that the DNS hostname feature is also enabled for the destination VPC. For more information, see Change the VPC of an ECS instance.

  • Change the primary private IP address of an instance

    Automatic remapping: When the primary private IPv4 or IPv6 address of your instance changes (for example, when you change the primary private IPv4 address), the private DNS resolution service automatically deletes the old record and creates a new record mapping the IP address-based hostname to the new IP address.

  • Release an instance

    After an instance is released, all related DNS records in the built-in authoritative zone of the instance's VPC are deleted. The instance and its services can no longer be accessed by using the private domain name.

View private DNS settings

To view the private DNS settings of an ECS instance in the ECS console, perform the following steps:

Note

You can also call the DescribeInstances API operation to query detailed information about an instance. The PrivateDnsNameOptions parameter in the response contains the private DNS resolution settings.

  1. Go to ECS console - Instances.

  2. In the top navigation bar, select the region and resource group of the resource that you want to manage.

  3. In the instance list, find the target ECS instance and click its ID to go to the instance details page. The Private DNS Records field shows the number of configured private DNS records.

  4. Hover over the number to view the instance's current mappings between private domain names and IP addresses.

Disable private DNS resolution

To disable private DNS resolution for a specific ECS instance, you can deselect the configured options in the ECS console. For more information, see Step 2: Configure private DNS resolution.

If you want to disable private DNS resolution for all ECS instances in a VPC, you can disable the DNS hostname feature for the VPC. After this feature is disabled, the built-in authoritative zone associated with the VPC is deleted. As a result, the private domain names of all ECS instances in the VPC become invalid and can no longer be resolved to their corresponding IP addresses. For more information, see Private domain names in VPCs.

Important

If your applications use private domain names instead of IP addresses to access resources, disabling the DNS hostname feature may cause access errors.
