Overview
The resolver feature of Alibaba Cloud DNS PrivateZone allows you to create domain name-based forwarding rules and DNS outbound endpoints. For DNS requests that are sent within private zones associated with virtual private clouds (VPCs), you can use the rules and endpoints that you created to forward the requests to a third-party DNS. This ensures that services deployed in a data center, an Alibaba Cloud VPC, and a hybrid cloud environment can access each other by using domain names.
Supported regions
The resolver feature is available in the following regions:
Regions in the public cloud: China (Beijing), China (Shenzhen), China (Shanghai), China (Hangzhou), China (Zhangjiakou), China (Hohhot), China (Qingdao), China (Guangzhou), China (Chengdu), Indonesia (Jakarta), Germany (Frankfurt), UK (London), India (Mumbai), Singapore, China (Ulanqab), China (Hong Kong), US (Virginia), Philippines, and Japan (Tokyo).
Regions in the Finance Cloud: China (Beijing), China (Shanghai), China (Shenzhen), China (Hangzhou).
Process
Outbound endpoints
Create an outbound endpoint.
Log on to the Alibaba Cloud DNS console. In the left-side navigation pane, click PrivateZone.
On the PrivateZone page, click Resolver. On the Resolver tab, click Outbound Endpoints. Then, click Create Outbound Endpoint.
Configure the outbound endpoint.
Endpoint Name
The name of the outbound endpoint. Specify a name for the outbound endpoint based on your business requirements.
Outbound VPC
The VPC where the outbound endpoint resides. The Resolver feature helps you forward all the outbound DNS requests over the specified VPC.
Important: After you create an outbound endpoint, you cannot change the specified VPC of the endpoint. This prevents the forwarding of DNS requests from being interrupted due to misoperations.
For more information about the regions that support the resolver feature, see the "Supported regions" section of this topic. Alibaba Cloud continuously updates the feature to support more regions. If you need to deploy outbound endpoints in other regions, submit a ticket with a description of the required region.
Select Security Group
The security group that is associated with the VPC. The forwarding rules of the security group are applied to the VPC.
Note: Only security groups that are not in managed mode are supported.
Source IP Address of Outbound Traffic
The IP addresses from which DNS requests are forwarded. Available IP addresses are the IP addresses in subnets in the zones of the specified region. The IP addresses must not be occupied by Elastic Compute Service (ECS) instances. You must specify two to six IP addresses for the outbound endpoint to ensure high availability. We recommend that you specify the IP addresses in different zones.
Important: If you do not specify IP addresses, the system automatically allocates IP addresses to the outbound endpoint.
Click OK. If no role exists, Alibaba Cloud DNS PrivateZone creates a service-linked role.
Note: The following message appears each time you create an outbound endpoint. If a role exists, no role is created.
View the outbound endpoint on the Outbound Endpoints page. An endpoint can be in one of the following states: Normal, Creating, Failed, Being Modified, Modification Failed, and Abnormal.
Important: The system requires 5 to 10 minutes to create an outbound endpoint. If an outbound endpoint is in the Creating state, wait for a few minutes.
You cannot modify or delete an outbound endpoint that is in the Creating state. If an outbound endpoint is in the Abnormal or Modification Failed state, submit a ticket to troubleshoot and resolve the issue.
Modify the outbound endpoint
Log on to the Alibaba Cloud DNS console. In the left-side navigation pane, click PrivateZone.
On the PrivateZone page, click Resolver. On the Resolver tab, click Outbound Endpoints. On the page that appears, find the outbound endpoint and click Modify. Modify the Endpoint Name and Source IP Address of Outbound Traffic parameters.
Click OK. After you modify an outbound endpoint, the endpoint enters the Being Modified state. You cannot modify or delete an endpoint that is in the Being Modified state.
Delete the outbound endpoint
Log on to the Alibaba Cloud DNS console. In the left-side navigation pane, click PrivateZone.
On the PrivateZone page, click Resolver. On the Resolver tab, click Outbound Endpoints. On the page that appears, find the outbound endpoint and click Delete.
Note: If a forwarding rule is associated with the outbound endpoint, you must delete the forwarding rule before you delete the endpoint. For more information, see Delete a forwarding rule.
Forwarding rules
Create a forwarding rule
Log on to the Alibaba Cloud DNS console. In the left-side navigation pane, click PrivateZone.
On the PrivateZone page, click Resolver. On the Resolver tab, click Forwarding Rules. Then, click Create Forwarding Rule.
In the Create Forwarding Rule panel, configure the following parameters:
Rule Name
Specify a rule name based on your business requirements.
Rule Type
Set the value to Forward to External DNS.
Forwarding Zone
The domain name for which you want to forward DNS requests.
Outbound Endpoint
The outbound endpoint that you want to use to forward DNS requests to the specified IP addresses.
IP Address and Port of External DNS
The IP address and port number of the third-party DNS to which DNS requests are forwarded. You can create up to six entries.
Important: The following IP addresses are reserved by the system and cannot be specified for this parameter: 100.100.2.136 to 100.100.2.138 and 100.100.2.116 to 100.100.2.118.
Click OK. The forwarding rule appears on the Forwarding Rules page.
Important: After you create a forwarding rule, you cannot change the rule type, domain name, or outbound endpoint of the rule. If you need to change any of these, create a forwarding rule that meets your requirements and delete the original rule.
Modify the forwarding rule
Log on to the Alibaba Cloud DNS console. In the left-side navigation pane, click PrivateZone.
On the PrivateZone page, click Resolver. On the Resolver tab, click Forwarding Rules. On the page that appears, find the forwarding rule and click Modify.
In the Modify Forwarding Rule panel, modify the Rule Name and IP Address and Port of External DNS parameters based on your business requirements.
Delete the forwarding rule
Log on to the Alibaba Cloud DNS console. In the left-side navigation pane, click PrivateZone.
On the PrivateZone page, click Resolver. On the Resolver tab, click Forwarding Rules. On the page that appears, find the forwarding rule and click Delete.
Important: If a forwarding rule is associated with a VPC, the rule is in the Associated state. In this case, you must disassociate the rule from the VPC before you delete the rule. For more information, see Disassociate a forwarding rule from a VPC.
If you attempt to delete a forwarding rule that is associated with a VPC, an error message appears, as shown in the following figure.
Associate the forwarding rule with a VPC
After the forwarding rule is created, you must associate the forwarding rule with a VPC to enable the rule for the VPC.
Log on to the Alibaba Cloud DNS console. In the left-side navigation pane, click PrivateZone.
On the PrivateZone page, click Resolver. On the Resolver tab, click Forwarding Rules. On the page that appears, find the forwarding rule and click Associate VPC in the Actions column. In the Associate VPC panel, select a VPC that you want to associate with the forwarding rule and click OK. You can associate a forwarding rule with a VPC that belongs to a different account.
Important: You can associate a forwarding rule only with a VPC that is in the same region as the outbound endpoint specified for the rule.
If you associate different forwarding rules with the same VPC, you must specify different domain names for the rules.
If you associate a forwarding rule and a private zone with the same VPC, the domain name that is specified for the forwarding rule can be the same as the private domain name. Alibaba Cloud DNS PrivateZone preferentially processes the DNS requests that are sent within the associated VPC.
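The constraints stated on this page (two to six source IP addresses, at most six external DNS entries, the reserved 100.100.2.x ranges, same-region association, and distinct forwarding zones per VPC) can be checked before the values are entered in the console. The following Python check is an added example, not Alibaba Cloud code; the Rule model, the function names, and the sample VPC IDs, regions and addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Reserved ranges quoted on this page; not allowed as external DNS addresses.
RESERVED = [("100.100.2.116", "100.100.2.118"), ("100.100.2.136", "100.100.2.138")]

@dataclass
class Rule:  # hypothetical model of one forwarding rule, not an Alibaba Cloud API type
    name: str
    zone: str             # Forwarding Zone
    endpoint_region: str  # region of the rule's outbound endpoint
    targets: list         # (ip, port) entries for the external DNS
    vpcs: list            # (vpc_id, region) pairs the rule will be associated with

def is_reserved(ip):
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(
        ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi) for lo, hi in RESERVED)

def check_source_ips(ips):
    # An empty list is fine: the system then allocates the addresses itself.
    if ips and not 2 <= len(ips) <= 6:
        return [f"specify two to six source IP addresses, got {len(ips)}"]
    return []

def check_rules(rules):
    errs, owner = [], {}
    for r in rules:
        if len(r.targets) > 6:
            errs.append(f"{r.name}: more than six external DNS entries")
        errs += [f"{r.name}: {ip} is reserved by the system"
                 for ip, _port in r.targets if is_reserved(ip)]
        zone = r.zone.rstrip(".").lower()  # DNS names compare case-insensitively
        for vpc_id, region in r.vpcs:
            if region != r.endpoint_region:
                errs.append(f"{r.name}: {vpc_id} is not in endpoint region {r.endpoint_region}")
            first = owner.setdefault((vpc_id, zone), r.name)
            if first != r.name:
                errs.append(f"{r.name}: {zone} is already forwarded for {vpc_id} by {first}")
    return errs

def demo():
    # Constructed sample rules; names, VPC IDs and addresses are made up.
    rules = [
        Rule("corp", "corp.example.com", "cn-hangzhou",
             [("10.0.0.53", 53), ("100.100.2.137", 53)], [("vpc-a", "cn-hangzhou")]),
        Rule("corp-dup", "Corp.Example.com.", "cn-hangzhou",
             [("10.0.1.53", 53)], [("vpc-a", "cn-hangzhou"), ("vpc-b", "cn-beijing")]),
    ]
    return check_rules(rules)

if __name__ == "__main__":
    print("\n".join(demo()))
```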
Disassociate the forwarding rule from the VPC
To disassociate the forwarding rule from the VPC, perform the following steps:
In the forwarding rule list, find the forwarding rule and click Associate VPC in the Actions column.
In the Associate VPC panel, clear the VPC and click OK.