All Products
Search
Document Center

Use Alibaba Cloud DNS PrivateZone and VPN Gateway to allow ECS instances in a VPC to access an on-premises DNS

Last Updated: Oct 09, 2021

Scenario

An enterprise runs services in two isolated network environments, including a self-managed data center and an Alibaba Cloud virtual private cloud (VPC). The enterprise needs to access services between the data center and VPC by using Domain Name System (DNS) resolution. If operations and maintenance (O&M) engineers of the enterprise manage a separate set of DNS data for each network environment, they must perform a lot of repetitive work and face the high risk of data inconsistency and service instability. Therefore, O&M engineers need to share DNS data between the data center and VPC to allow real-time access between services. This topic describes how to use Alibaba Cloud DNS PrivateZone and VPN Gateway to allow Elastic Compute Service (ECS) instances in a VPC to access an on-premises DNS.

1

Solutions

In this topic, three solutions are provided to allow ECS instances in a VPC to access an on-premises DNS. This topic describes the configuration procedure and verification method of Solution 1 in detail.

Solution 1: Use the Resolver feature of Alibaba Cloud DNS PrivateZone to allow ECS instances in a VPC to access an on-premises DNS

1. Connect the VPC to the data center by using a Smart Access Gateway (SAG) device, an Express Connect circuit, or a VPN. For example, you can use an IPsec-VPN connection to connect the VPC to the data center.

Solution 2: Modify the DNS server information on ECS instances in a VPC to allow the ECS instances to access an on-premises DNS

1. Connect the VPC to the data center by using an SAG device, an Express Connect circuit, or a VPN. For example, you can use an IPsec-VPN connection to connect the VPC to the data center.

2. Modify the DNS server information on ECS instances in the VPC. Then, the ECS instances can send DNS requests to the on-premises DNS.

[centos]# vim /etc/resolv.conf

# Change the nameserver values to the IP addresses of the on-premises DNS.
nameserver 2.2.XX.XX
nameserver 3.3.XX.XX

Solution 3: Use the secondary DNS feature of Alibaba Cloud DNS PrivateZone to allow ECS instances in a VPC to access an on-premises DNS

1. Connect the VPC to the data center by using an SAG device, an Express Connect circuit, or a VPN. For example, you can use an IPsec-VPN connection to connect the VPC to the data center.

2. . You can synchronize DNS data from the on-premises DNS to the secondary DNS to resolve domain names.

Notice

We recommend that you use Berkeley Internet Name Domain (BIND) to build the on-premises DNS. The secondary DNS feature does not provide full support for the Windows DNS server.

Use the Resolver feature of Alibaba Cloud DNS PrivateZone to allow ECS instances in a VPC to access an on-premises DNS

What is Resolver?

The Resolver feature of Alibaba Cloud DNS PrivateZone allows you to create domain name-based forwarding rules and DNS outbound endpoints. For DNS requests that are sent within private zones associated with VPCs, you can use the created rules and endpoints to forward the requests to a third-party DNS. This ensures that services deployed in a data center, an Alibaba Cloud VPC, and a hybrid cloud environment can access each other by using domain names.

Preparations

1. Use Alibaba Cloud ECS instances to simulate a data center. Then, use BIND to build an on-premises DNS.

2. Create a VPC.

3. Activate Alibaba Cloud DNS PrivateZone.

References

Procedure

3

Step 1: Create a VPN gateway

Perform the following operations to create a VPN gateway:

  1. Log on to the VPC console.
  2. In the Interconnections section of the left-side navigation pane, choose VPN > VPN Gateways.
  3. On the VPN Gateways page, click Create VPN Gateway.
  4. On the buy page, set the parameters of the VPN gateway, click Buy Now, and then complete the payment.
  5. Go to the VPN Gateways page to view the created VPN gateway. In this example, the public IP address of the VPN gateway that is associated with the VPC is x.x.x.217.

The VPN gateway is in the Preparing state after it is created and enters the Normal state after about 2 minutes. The Normal state indicates that the VPN gateway is initialized and ready for use.

Step 2: Create a customer gateway

Perform the following operations to create a customer gateway.

  1. In the Interconnections section of the left-side navigation pane, choose VPN > Customer Gateways.
  2. In the top navigation bar, select the region where you want to create the customer gateway.

  3. On the Customer Gateways page, click Create Customer Gateway.
  4. In the Create Customer Gateway panel, set the parameters for the customer gateway and click OK.
    • Name: Enter a name for the customer gateway.

    • IP Address: Enter the public IP address of the gateway device in the data center that you want to connect to the VPC. In this example, the public IP address of the gateway device deployed in the data center is x.x.x.44.

    • Description: Enter a description for the customer gateway.

Step 3: Create an IPsec-VPN connection

Perform the following operations to create an IPsec-VPN connection:

  1. In the Interconnections section of the left-side navigation pane, choose VPN > IPsec Connections.
  2. In the top navigation bar, select the region where you want to create an IPsec-VPN connection.

  3. On the IPsec Connections page, click Create IPsec Connection.
  4. On the Create IPsec Connection page, set the parameters for the IPsec-VPN connection, and click OK.
    • Name: Enter a name for the IPsec-VPN connection.

    • VPN Gateway: Select the VPN gateway that you created.

    • Customer Gateway: Select the customer gateway that you created.

    • Local Network: Enter the CIDR block of the VPC with which the selected VPN gateway is associated. In this example, enter 172.25.0.0/16.

    • Remote Network: Enter the CIDR block of the data center. In this example, enter 172.28.0.0/16.

    • Effective Immediately: Specify whether to immediately start connection negotiations. Valid values:

      • Yes: starts negotiations immediately after you complete the configuration.

      • No: starts negotiations when traffic is detected.

    • Pre-Shared Key: Enter the pre-shared key. The pre-shared key must be the same as that of the gateway device deployed in the data center. Use the default settings for other parameters.

    • Advanced configurations:

      • IKE configurations:

        • Encryption Algorithm: Set this parameter based on your business requirements. In this example, select 3des.

        • Authentication Algorithm: Set this parameter based on your business requirements. In this example, select md5.

      • IPsec configurations:

        • Encryption Algorithm: Set this parameter based on your business requirements. In this example, select 3des.

        • Authentication Algorithm: Set this parameter based on your business requirements. In this example, select md5.

        • DH Group: Set this parameter based on your business requirements. In this example, select disabled.

Step 4: Load the configurations of the IPsec-VPN connection to the gateway device in the data center

Perform the following operations to load the configurations of the IPsec-VPN connection to the gateway device in the data center:

  1. In the Interconnections section of the left-side navigation pane, choose VPN > IPsec Connections.
  2. In the top navigation bar, select the region where the IPsec-VPC connection resides.

  3. On the IPsec Connections page, find the IPsec-VPN connection, click the More icon in the Actions column, and then select Download Configuration.
  4. Load the configurations of the IPsec-VPN connection to the gateway device in the data center. For more information, see

    Create SNAT entries to translate source private IP addresses.

  5. Perform the following operations to deploy strongSwan, which is used to establish the IPsec-VPN connection in this example:

    1. Run the yum install strongswan -y command to install strongSwan.

    2. Configure strongSwan. The configurations in this example are for reference only.

(1). [centos ~]# vim /etc/strongswan/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file
# basic configuration

config setup
    # strictcrlpolicy=yes
    uniqueids = never

conn %default
        ikelifetime=1440m   
        keylife=60m
        rekeymargin=3m
        keyingtries=0
        keyexchange=ikev1   # The IKE version.
        authby=psk

conn toMyIdc
      left=%defaultroute
      leftid=x.x.x.44    # The public IP address of the gateway device deployed in the data center.
      leftsubnet=172.28.0.0/16    # The CIDR block of the data center. To ensure that the IPsec-VPN connection is available to all devices in the data center, you must specify the CIDR block of the data center with this parameter.
      right=x.x.x.152      # The public IP address of the VPN gateway.
      rightid=x.x.x.152    # The public IP address of the VPN gateway.
      rightsubnet=172.17.0.0/16     # The CIDR block of the VPC with which the VPN gateway is associated.
      auto=start   # Immediately load the connection at the IPsec startup.
      type=tunnel
      ike=3des-md5-modp1024
      esp=3des-md5

(2). Configure the ipsec.secrets file. The configurations in this example are for reference only.

[centos ~]# vi /etc/strongswan/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file
x.x.x.44 x.x.x.152 : PSK 1234567

(3). Configure the ./etc/sysctl.conf file. The configurations in this example are for reference only.

[centos ~]# vim /etc/sysctl.conf

# Specify whether to enable the forwarding of IPv4 packets. Default value: 0.
net.ipv4.ip_forward = 1
# Specify whether to disable the accepting and sending of IPv4 redirected packets. If the values are set to 0, malicious users cannot modify the route table on a remote host by using IP redirects.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

# Make the configurations take effect.
[centos ~]# sysctl -p

c. Start strongSwan.

[centos ~]# systemctl start strongswan.service

d. Add a route. In this example, the route is added on the GUI.

On the GUI of the gateway device deployed in the data center, add the route for sending traffic to 172.17.0.0/16. The next-hop address is set to the strongSwan IP address 172.28.0.7.

Step 5: Configure routes for the VPN gateway

Perform the following operations to configure routes for the VPN gateway:

  1. In the Interconnections section of the left-side navigation pane, choose VPN > VPN Gateways.
  2. In the top navigation bar, select the region where the VPN gateway resides.

  3. On the VPN Gateways page, find the VPN gateway and click the gateway ID in the Instance ID/Name column.
  4. On the Destination-based routing tab, click Add Route Entry.
  5. In the Add Route Entry panel, set the parameters as required and click OK.
    • Destination CIDR Block: Enter the CIDR block of the data center. In this example, enter 172.28.0.0/16.

    • Next Hop: Select the IPsec-VPN connection that you created.

    • Publish to VPC: Specify whether to automatically advertise new routes to the VPC route table. In this example, select Yes.

    • Weight: Select a weight. In this example, select 100.

Step 6: Test the connectivity

Log on to an ECS instance that is not assigned a public IP address in the VPC. Run the ping command to ping the private IP address of a server in the data center to test the connectivity.

Step 7: Build the on-premises DNS

1. Run the yum install -y *bind command to install BIND.

2. Run the vim /etc/named.conf command to open the named.conf file and configure the file. The configurations in this example are for reference only.

zone "alidns-example.com" IN {
        type master;
        file "alidns-example.com.zone";
        allow-update {127.0.0.1; };
};

3. Run the vim /var/name d/alidns-example.com.zone command to open the alidns-example.com.zone file and configure the file. The configurations in this example are for reference only.

$TTL 3600
@       IN SOA  172.28.0.7. admin.alidns-example.com. (
                                        8       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@       IN      NS      172.28.0.7.
@       IN      A       15.15.15.15

4. Run the systemctl start named.service command to start BIND.

Step 8: Configure Resolver

For more information about Resolver, see:

Resolver

1. Create an outbound endpoint.

Perform the following operations to create an outbound endpoint:

a. Log on to the Alibaba Cloud DNS console. In the left-side navigation pane, click PrivateZone. On the PrivateZone page, click the Resolver tab. On the Resolver tab, click Outbound Endpoints on the left. On the page that appears, click Create Outbound Endpoint.

b. In the Create Outbound Endpoint panel, set the parameters as required and click Confirm.

  • Endpoint Name: Enter a name for the outbound endpoint. In this example, enter Test.

  • Outbound VPC: Select the VPC where the outbound endpoint resides. Resolver forwards all the outbound DNS requests for the specified VPC. In this example, select a VPC in the China (Beijing) region.

  • Security Group: Select a security group that is associated with the VPC. The forwarding rules of the security group apply to the VPC. In this example, inbound and outbound traffic through TCP or UDP port 53 is allowed.

    Note

    Only security groups not in managed mode are supported. For more information, see Security groups in managed mode.

  • Source IP Address of Outbound Traffic: Set the IP addresses from which DNS requests are forwarded. Available IP addresses are those in subnets in the zones of the specified region. The IP addresses must not be occupied by ECS instances.

2. Create a forwarding rule.

a. On the Resolver tab, click Forwarding Rules on the left. On the page that appears, click Create Forwarding Rule. In the Create Forwarding Rule panel, set the parameters as required and click Confirm.

  • Rule Name: Enter a name for the forwarding rule. In this example, enter Test.

  • Rule Type: Set the type of the forwarding rule. You can set this parameter only to Forward to External DNS.

  • Forwarding Zone: Enter the domain name for which DNS requests need to be forwarded. In this example, enter alidns-example.com.

  • Outbound Endpoint: Select the outbound endpoint used to forward DNS requests. In this example, select the outbound endpoint Test that is created in the previous step.

  • IP Address and Port of External DNS: Enter the IP address and port number of the DNS server in the data center to which DNS requests are forwarded. In this example, set the IP address to 172.28.0.7 and port number to 53.

    Note

    If you enter a public IP address, but no public IP addresses are assigned to the ECS instances in the VPC where the outbound endpoint resides, you must activate

    NAT Gateway and configure the SNAT feature.

3. Associate the forwarding rule with the VPC where the outbound endpoint resides.

a. Find the forwarding rule and click Bind VPC in the Actions column. Select the VPC where the outbound endpoint resides and click Confirm. Resolver allows you to associate a forwarding rule with a VPC that belongs to another Alibaba Cloud account. For more information, see Associate VPC across accounts.

Step 9: Verify DNS resolution

a. Log on to an ECS instance in the VPC, run the following command, and then check whether the domain name is resolved as expected:

[centos ~]# dig alidns-example.com