
Alibaba Cloud DNS PrivateZone:Resolver

Last Updated: Feb 06, 2023

Overview

The Resolver feature of Alibaba Cloud DNS PrivateZone allows you to create domain name-based forwarding rules and Domain Name System (DNS) outbound endpoints. For DNS requests that are sent within private zones associated with virtual private clouds (VPCs), you can use the created rules and endpoints to forward the requests to a third-party DNS or an on-premises DNS. This ensures that services deployed in a data center, an Alibaba Cloud VPC, and a hybrid cloud environment can access each other by using domain names.

Supported regions

The Resolver feature is available in the following regions: a total of 8 public cloud regions, including China (Beijing), China (Shenzhen), China (Shanghai), China (Hangzhou), China (Zhangjiakou), China (Huhehaote), China (Hong Kong), and USA (Virginia); and 2 financial cloud regions in Shanghai and Shenzhen.

Procedure


Manage outbound endpoints

1. Create an outbound endpoint

  1. Log on to the Alibaba Cloud DNS console. In the left-side navigation pane, click PrivateZone.

  2. On the PrivateZone page, click the Resolver tab. On the Resolver tab, click Outbound Endpoints. Then, click Create Outbound Endpoint.

  3. Configure the outbound endpoint.

    • Endpoint Name

      The name of the outbound endpoint. Name the endpoint based on business requirements.

    • Outbound VPC

      The VPC where the outbound endpoint resides. The Resolver forwards all the outbound DNS requests for the specified VPC.

      Important

      (1) You cannot change the specified VPC after an outbound endpoint is created. This avoids the interruption of forwarding DNS requests caused by misoperations.

      (2) See "Supported regions" above for the regions that are currently available. The Alibaba Cloud DNS team will provide more available regions in the future based on their priorities. If you need to deploy outbound endpoints in other regions, submit a ticket with a description of the required region.

    • Security Group

      The security group that is associated with the VPC. The forwarding rules of the security group will be applied to the VPC.

      Note

      Only security groups not in managed mode are supported.

    • Source IP Address of Outbound Traffic

      The IP addresses from which DNS requests are forwarded. Available IP addresses are those in subnets in the zones of the specified region. The IP addresses must not be occupied by Elastic Compute Service (ECS) instances. You must specify two to six IP addresses for the outbound endpoint to guarantee high availability. We recommend that you specify the IP addresses in different zones.

      Important

      If you do not specify IP addresses, the system automatically allocates IP addresses for the outbound endpoint.

  4. Click Confirm. If the PrivateZone feature assumes no RAM role, a RAM role will be created for the feature.

    The following message appears each time you create an outbound endpoint. If the RAM role exists, no RAM role will be created for PrivateZone.

  5. View the created outbound endpoint on the Outbound Endpoints page. You can view the status of each endpoint on this page. An endpoint may be in the following states: Normal, Creating, Failed, Being Modified, Modification Failed, and Abnormal.

    Important

    (1) It takes about 5 to 10 minutes to create an endpoint. If the status is Creating, wait patiently.

    (2) You cannot modify or delete an outbound endpoint that is in the Creating state. If the status is Abnormal or Modification Failed, submit a ticket to troubleshoot the issue.

2. Modify an outbound endpoint

  1. Log on to the Alibaba Cloud DNS console. In the left-side navigation pane, click PrivateZone.

  2. On the PrivateZone page, click the Resolver tab. On the Resolver tab, click Outbound Endpoints. On the page that appears, find the outbound endpoint and click Edit. Modify the Endpoint Name and Source IP Address of Outbound Traffic parameters.

  3. Click Confirm. After you modify an outbound endpoint, the endpoint enters the Being Modified state. You cannot modify or delete the endpoint while it is in this state.

3. Delete an outbound endpoint

    2. On the PrivateZone page, click the Resolver tab. On the Resolver tab, click Outbound Endpoints. On the page that appears, find the outbound endpoint and click Delete.

    Important

    If a forwarding rule is associated with the outbound endpoint, you must delete the forwarding rule before you delete the endpoint. For more information, see the "Delete a forwarding rule" section.

Manage forwarding rules

1. Create a forwarding rule.

  1. Log on to the Alibaba Cloud DNS console. In the left-side navigation pane, click PrivateZone.

  2. On the PrivateZone page, click the Resolver tab. On the Resolver tab, click Forwarding Rules. Then, click Create Forwarding Rule.

  3. In the Create Forwarding Rule pane, configure the forwarding rule.

  • Rule Name

    Specify a rule name based on your business requirements.

  • Rule Type

    You can set this parameter only to Forward to External DNS.

  • Forwarding Zone

    The domain name that requires DNS request forwarding.

  • Outbound Endpoint

    The outbound endpoint used to forward DNS requests to the specified IP addresses.

  • IP Address and Port of External DNS

    The IP address and port of the third-party DNS to which DNS requests are forwarded. You can specify up to six pairs of IP addresses and ports.

Note

The IP addresses in the following Classless Inter-Domain Routing (CIDR) blocks are reserved by the system. You cannot specify these IP addresses for the third-party DNS: 100.100.2.136-100.100.2.138, 100.100.2.116-100.100.2.118

4. Click OK. The created forwarding rule appears on the Forwarding Rules page.

Important

You cannot change the rule type, domain name, and outbound endpoint of a created forwarding rule. If rule modification is required, you can create a forwarding rule that meets your requirements and delete the original rule.

2. Modify a forwarding rule

  1. Log on to the Alibaba Cloud DNS console. In the left-side navigation pane, click PrivateZone.

  2. On the PrivateZone page, click the Resolver tab. On the Resolver tab, click Forwarding Rules. On the page that appears, find the forwarding rule and click Edit.

  3. In the Edit Forwarding Rule pane, modify the Rule Name and IP Address and Port of External DNS parameters as required.

3. Delete a forwarding rule

  1. Log on to the Alibaba Cloud DNS console. In the left-side navigation pane, click PrivateZone.

  2. On the PrivateZone page, click the Resolver tab. On the Resolver tab, click Forwarding Rules. On the page that appears, find the forwarding rule and click Delete.

    Important

    If a forwarding rule is associated with a VPC, the rule is in the Bind state. In this case, you must disassociate the rule from the VPC before you delete the rule. For more information, see the "Associate a forwarding rule with a VPC" section.

  • You cannot delete a forwarding rule that is associated with a VPC.

Associate a forwarding rule with a VPC

After you create a forwarding rule, you must associate the forwarding rule with a VPC to enable the rule in the VPC.

  1. Log on to the Alibaba Cloud DNS console. In the left-side navigation pane, click PrivateZone.

  2. On the PrivateZone page, click the Resolver tab. On the Resolver tab, click Forwarding Rules. On the page that appears, find the forwarding rule and click Bind VPC in the Actions column. Select a VPC and click Confirm.

    Associate VPC across accounts

Important
    • You can associate a forwarding rule only with a VPC that is in the same region as the outbound endpoint specified for the rule.

    • If different forwarding rules are associated with the same VPC, you must specify different domain names for these rules.

    • If a forwarding rule is associated with the same VPC as the private zone, the domain name specified for the forwarding rule can be the same as the private domain name. PrivateZone preferentially processes the DNS requests that are sent within the associated VPC.

Perform these steps to disassociate a forwarding rule from a VPC:

  1. In the Forwarding Rule list, find the forwarding rule and click Bind VPC in the Actions column.

  2. In the Bind VPC pane, remove the VPC from the associated VPC list and click Confirm.
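
The constraints stated in the sections above (two to six source IP addresses per outbound endpoint, up to six external DNS targets outside the reserved ranges, a VPC in the same region as the endpoint, and distinct forwarding zones per VPC) can be checked against a planned configuration before it is entered in the console. The following Python check is an added example, not Alibaba Cloud code; the plan layout, names, region strings and addresses are assumptions made for illustration.

```python
import ipaddress

# Inclusive ranges the page lists as reserved by the system.
RESERVED = [("100.100.2.136", "100.100.2.138"), ("100.100.2.116", "100.100.2.118")]

def is_reserved(ip):
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(
        ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
        for lo, hi in RESERVED)

def check_plan(endpoints, rules):
    """Return findings for a planned Resolver configuration (hypothetical schema)."""
    findings = []
    for name, ep in endpoints.items():
        ips = ep["source_ips"]
        # An empty list is allowed: the system then allocates the addresses.
        if ips and not 2 <= len(ips) <= 6:
            findings.append(f"{name}: needs two to six source IPs, has {len(ips)}")
    zones_by_vpc = {}
    for rule in rules:
        ep = endpoints[rule["endpoint"]]
        if len(rule["targets"]) > 6:
            findings.append(f"{rule['name']}: more than six external DNS targets")
        for ip, _port in rule["targets"]:
            if is_reserved(ip):
                findings.append(f"{rule['name']}: target {ip} is in a reserved range")
        zone = rule["zone"].rstrip(".").lower()  # compare zones case-insensitively
        for vpc_id, vpc_region in rule["vpcs"]:
            if vpc_region != ep["region"]:
                findings.append(f"{rule['name']}: {vpc_id} is not in endpoint region {ep['region']}")
            if zone in zones_by_vpc.setdefault(vpc_id, set()):
                findings.append(f"{rule['name']}: zone {zone} already forwarded for {vpc_id}")
            zones_by_vpc[vpc_id].add(zone)
    return findings

# Constructed sample plan; all names, IDs and addresses are made up.
SAMPLE_ENDPOINTS = {
    "ep-hz": {"region": "cn-hangzhou", "source_ips": ["10.0.1.10", "10.0.2.10"]},
    "ep-bj": {"region": "cn-beijing", "source_ips": ["10.1.1.10"]},
}
SAMPLE_RULES = [
    {"name": "corp", "zone": "corp.example.", "endpoint": "ep-hz",
     "targets": [("192.0.2.53", 53)], "vpcs": [("vpc-a", "cn-hangzhou")]},
    {"name": "corp-dup", "zone": "CORP.example", "endpoint": "ep-hz",
     "targets": [("100.100.2.137", 53)],
     "vpcs": [("vpc-a", "cn-hangzhou"), ("vpc-b", "cn-beijing")]},
]

if __name__ == "__main__":
    print("\n".join(check_plan(SAMPLE_ENDPOINTS, SAMPLE_RULES)))
```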