Centralize DNS resolution by using AWS Managed Microsoft AD and on-premises Microsoft Active Directory
Created by Brian Westmoreland (AWS)
Summary
This pattern provides guidance for centralizing Domain Name System (DNS) resolution within an AWS multi-account environment by using AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD). In this pattern the AWS DNS namespace is a subdomain of the on-premises DNS namespace. This pattern also provides guidance on how to configure the on-premises DNS servers to forward queries to AWS when the on-premises DNS solution uses Microsoft Active Directory.
Prerequisites and limitations
Prerequisites
An AWS multi-account environment set up by using AWS Organizations.
Network connectivity established between AWS accounts.
Network connectivity established between AWS and the on-premises environment (by using AWS Direct Connect or any type of VPN connection).
AWS Command Line Interface (AWS CLI) configured on a local workstation.
AWS Resource Access Manager (AWS RAM) is used to share Amazon Route 53 rules between accounts, so resource sharing must be enabled within the AWS Organizations environment, as described in the Epics section.
Limitations
AWS Managed Microsoft AD Standard Edition has a limit of 5 shares.
AWS Managed Microsoft AD Enterprise Edition has a limit of 125 shares.
The solution in this pattern is limited to AWS Regions that support sharing through AWS RAM.
Product versions
Microsoft Active Directory running on Windows Server 2008, 2012, 2012 R2, or 2016
Architecture
Target architecture
In this design, AWS Managed Microsoft AD is installed in the shared services AWS account. Although this is not a requirement, this pattern assumes this configuration. If you configure AWS Managed Microsoft AD in a different AWS account, you might have to modify the steps in the Epics section accordingly.
This design uses Route 53 Resolvers to support name resolution through the use of Route 53 rules. If the on-premises DNS solution uses Microsoft DNS, creating a conditional forwarding rule for the AWS namespace (aws.company.com), which is a subdomain of the company DNS namespace (company.com), is not straightforward. If you try to create a traditional conditional forwarder, it will result in an error. This is because Microsoft Active Directory is already considered authoritative for any subdomain of company.com. To get around this error, you must first create a delegation for aws.company.com to delegate authority of that namespace. You can then create the conditional forwarder.
The virtual private cloud (VPC) for each spoke account can have its own unique DNS namespace based on the root AWS namespace. In this design, each spoke account appends an abbreviation of the account name to the base AWS namespace. After the private hosted zones in the spoke account have been created, the zones are associated with the VPC in the spoke account as well as with the VPC in the central AWS network account. This enables the central AWS network account to answer DNS queries related to the spoke accounts.
Automation and scale
This design makes use of Route 53 Resolver endpoints to scale DNS queries between AWS and your on-premises environment. Each Route 53 Resolver endpoint comprises multiple elastic network interfaces (spread across multiple Availability Zones), and each network interface can handle up to 10,000 queries per second. Route 53 Resolver supports up to 6 IP addresses per endpoint, so altogether this design supports up to 60,000 DNS queries per second spread across multiple Availability Zones for high availability.
Additionally, this pattern automatically accounts for future growth within AWS. The DNS forwarding rules configured on premises do not have to be modified to support new VPCs and their associated private hosted zones that are added to AWS.
Tools
AWS services
AWS Directory Service for Microsoft Active Directory enables your directory-aware workloads and AWS resources to use Microsoft Active Directory in the AWS Cloud.
AWS Organizations is an account management service that helps you consolidate multiple AWS accounts into an organization that you create and centrally manage.
AWS Resource Access Manager (AWS RAM) helps you securely share your resources across AWS accounts to reduce operational overhead and provide visibility and auditability.
Amazon Route 53 is a highly available and scalable DNS web service.
Tools
AWS Command Line Interface (AWS CLI) is an open-source tool that helps you interact with AWS services through commands in your command-line shell. In this pattern, the AWS CLI is used to configure Route 53 authorizations.
Epics
Task | Description | Skills required |
---|---|---|
Deploy AWS Managed Microsoft AD. | | AWS administrator |
Share the directory. | After the directory has been built, share it with other AWS accounts in the AWS organization. For instructions, see Share your directory in the AWS Directory Service Administration Guide. Note: AWS Managed Microsoft AD Standard Edition has a limit of 5 shares. Enterprise Edition has a limit of 125 shares. | AWS administrator |
Task | Description | Skills required |
---|---|---|
Create Route 53 Resolvers. | Route 53 Resolvers facilitate DNS query resolution between AWS and the on-premises data center. Note: Although using the central AWS network account VPC isn't a requirement, the remaining steps assume this configuration. | AWS administrator |
Create Route 53 rules. | Your specific use case might require a large number of Route 53 rules, but you will need to configure the following rules as a baseline: For more information, see Managing forwarding rules in the Route 53 Developer Guide. | AWS administrator |
Task | Description | Skills required |
---|---|---|
Create the delegation. | Use the Microsoft DNS snap-in ( | Active Directory |
Create the conditional forwarder. | Use the Microsoft DNS snap-in ( | Active Directory |
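The delegation-then-forwarder sequence described in the Architecture section and in the two rows above, as an added example that is not part of this pattern: the same two changes made with the DnsServer PowerShell module instead of the snap-in, followed by a check that the forwarder zone exists and that a query for the AWS namespace is answered. The parent zone name, the domain controller name, the name-server label and the Route 53 Resolver inbound endpoint IP addresses are placeholders you replace with your own values.

```powershell
# Added example, not part of the AWS pattern: create the delegation for the AWS
# sub-namespace on an on-premises Microsoft DNS server, then the conditional
# forwarder that the delegation makes possible. Requires the DnsServer module
# (RSAT DNS Server tools) and DNS Admins rights. All names and IPs are placeholders.
Import-Module DnsServer

$ParentZone         = 'company.com'                    # on-premises AD-integrated zone
$ChildLabel         = 'aws'                            # yields aws.company.com
$AwsZone            = "$ChildLabel.$ParentZone"
$OnPremDnsServer    = 'dc01.company.com'               # a domain controller running Microsoft DNS
$InboundEndpointIps = @('10.100.0.53', '10.100.1.53')  # Route 53 Resolver inbound endpoint IPs (two AZs)

# Step 1: delegate aws.company.com so the parent zone no longer claims authority
# for it. Without this, creating the conditional forwarder fails because the AD
# zone is already authoritative for every child of company.com. The NS name is a
# glue record; it points at the inbound endpoint addresses.
Add-DnsServerZoneDelegation -ComputerName $OnPremDnsServer `
    -Name $ParentZone -ChildZoneName $ChildLabel `
    -NameServer "ns1.$AwsZone" -IPAddress $InboundEndpointIps

# Confirm the NS records now exist in the parent zone.
Get-DnsServerZoneDelegation -ComputerName $OnPremDnsServer `
    -Name $ParentZone -ChildZoneName $ChildLabel

# Step 2: the conditional forwarder now succeeds. Forest-wide replication means
# every DC running DNS forwards aws.company.com to the inbound endpoint, so no
# per-server configuration is needed when DCs are added.
Add-DnsServerConditionalForwarderZone -ComputerName $OnPremDnsServer `
    -Name $AwsZone -MasterServers $InboundEndpointIps -ReplicationScope 'Forest'

# Step 3: verify the forwarder zone and that a query for the AWS namespace is
# answered through the on-premises server (the host name is a placeholder).
Get-DnsServerZone -ComputerName $OnPremDnsServer -Name $AwsZone |
    Select-Object ZoneName, ZoneType, MasterServers
Resolve-DnsName -Name "ec2-host.$AwsZone" -Server $OnPremDnsServer -DnsOnly
```

Because the forwarder is the component that actually sends queries to AWS, the delegation only has to remove the authority conflict; it does not need to list every inbound endpoint address, although doing so keeps the glue records accurate if a client ever follows the delegation directly.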
Task | Description | Skills required |
---|---|---|
Create the Route 53 private hosted zones. | Create a Route 53 private hosted zone in each spoke account. Associate this private hosted zone with the spoke account VPC. For detailed steps, see Creating a private hosted zone in the Route 53 Developer Guide. | AWS administrator |
Create authorizations. | Use the AWS CLI to create an authorization for the central AWS network account VPC. Run this command from the context of each spoke AWS account: where: | AWS administrator |
Create associations. | Create the Route 53 private hosted zone association for the central AWS network account VPC by using the AWS CLI. Run this command from the context of the central AWS network account: where: | AWS administrator |
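The authorization and association steps above, as an added example that is not from this pattern: the AWS CLI calls issued from PowerShell through a small wrapper that stops on the first failure, so a rejected authorization is never silently followed by a failed association. The hosted zone ID, VPC ID, Region and the two named CLI profiles are placeholders. The final step removes the authorization after use, which the Route 53 documentation recommends because the authorization is only needed once.

```powershell
# Added example, not part of the AWS pattern: authorize and then associate a
# spoke account's private hosted zone with the central network account VPC.
# The hosted zone belongs to the spoke account, the VPC to the central account,
# so the two calls must run under different credentials. All IDs are placeholders.
$HostedZoneId   = 'Z0PLACEHOLDERSPOKE'    # private hosted zone created in the spoke account
$CentralVpcId   = 'vpc-0placeholder1234'  # VPC in the central AWS network account
$Region         = 'us-east-1'             # Region of that VPC
$SpokeProfile   = 'spoke-account'         # AWS CLI named profile with spoke-account credentials
$CentralProfile = 'central-network'       # AWS CLI named profile with central-account credentials
$Vpc            = "VPCRegion=$Region,VPCId=$CentralVpcId"

function Invoke-AwsCli {
    # Runs the AWS CLI and throws on a non-zero exit code so the sequence
    # stops instead of continuing with a missing authorization.
    param([string[]]$Arguments)
    $output = & aws @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "aws $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
    $output
}

# Step 1 (spoke account): only the hosted zone owner can authorize a foreign VPC.
Invoke-AwsCli @('route53', 'create-vpc-association-authorization',
    '--hosted-zone-id', $HostedZoneId, '--vpc', $Vpc, '--profile', $SpokeProfile)

# Step 2 (central account): the VPC owner completes the association.
Invoke-AwsCli @('route53', 'associate-vpc-with-hosted-zone',
    '--hosted-zone-id', $HostedZoneId, '--vpc', $Vpc, '--profile', $CentralProfile)

# Step 3 (spoke account): confirm both the spoke VPC and the central VPC are listed.
Invoke-AwsCli @('route53', 'get-hosted-zone', '--id', $HostedZoneId,
    '--query', 'VPCs', '--output', 'table', '--profile', $SpokeProfile)

# Step 4 (spoke account): the authorization is not consumed by the association,
# so delete it to leave no standing permission for a later re-association.
Invoke-AwsCli @('route53', 'delete-vpc-association-authorization',
    '--hosted-zone-id', $HostedZoneId, '--vpc', $Vpc, '--profile', $SpokeProfile)
```

Repeat steps 1 through 4 once per spoke account; only the hosted zone ID and the spoke profile change, while the central VPC and its profile stay the same.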
Related resources
Simplify DNS management in a multi-account environment with Route 53 Resolver (AWS blog post by Mahmoud Matouk)
Creating a directory with AWS Managed Microsoft AD (AWS Directory Service documentation)
Sharing an AWS Managed Microsoft AD directory (AWS Directory Service documentation)
Installing a Route 53 Resolver (Amazon Route 53 documentation)
Creating a Route 53 private hosted zone (Amazon Route 53 documentation)