Centralize DNS resolution by using AWS Managed Microsoft AD and on-premises Microsoft Active Directory - AWS Prescriptive Guidance

Centralize DNS resolution by using AWS Managed Microsoft AD and on-premises Microsoft Active Directory

Created by Brian Westmoreland (AWS)

Summary

This pattern provides guidance for centralizing Domain Name System (DNS) resolution within an AWS multi-account environment by using AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD). In this pattern the AWS DNS namespace is a subdomain of the on-premises DNS namespace. This pattern also provides guidance on how to configure the on-premises DNS servers to forward queries to AWS when the on-premises DNS solution uses Microsoft Active Directory.  

Prerequisites and limitations

Prerequisites 

  • An AWS multi-account environment set up by using AWS Organizations.

  • Network connectivity established between AWS accounts.

  • Network connectivity established between AWS and the on-premises environment (by using AWS Direct Connect or any type of VPN connection).

  • AWS Command Line Interface (AWS CLI) configured on a local workstation.

  • AWS Resource Access Manager (AWS RAM) used to share Amazon Route 53 rules between accounts. Therefore, sharing must be enabled within the AWS Organizations environment, as described in the Epics section.

Limitations 

  • AWS Managed Microsoft AD Standard Edition has a limit of 5 shares.

  • AWS Managed Microsoft AD Enterprise Edition has a limit of 125 shares.

  • This solution in this pattern is limited to AWS Regions that support sharing through AWS RAM.

Product versions

  • Microsoft Active Directory running on Windows Server 2008, 2012, 2012 R2, or 2016

Architecture

Target architecture 

Architecture for centralized DNS resolution on AWS

In this design, AWS Managed Microsoft AD is installed in the shared services AWS account. Although this is not a requirement, this pattern assumes this configuration. If you configure AWS Managed Microsoft AD in a different AWS account, you might have to modify the steps in the Epics section accordingly.

This design uses Route 53 Resolvers to support name resolution through the use of Route 53 rules. If the on-premises DNS solution uses Microsoft DNS, creating a conditional forwarding rule for the AWS namespace (aws.company.com), which is a subdomain of the company DNS namespace (company.com), is not straightforward. If you try to create a traditional conditional forwarder, it will result in an error. This is because Microsoft Active Directory is already considered authoritative for any subdomain of company.com. To get around this error, you must first create a delegation for aws.company.com to delegate authority of that namespace. You can then create the conditional forwarder.

The virtual private cloud (VPC) for each spoke account can have its own unique DNS namespace based on the root AWS namespace. In this design, each spoke account appends an abbreviation of the account name to the base AWS namespace. After the private hosted zones in the spoke account have been created, the zones are associated with the VPC in the spoke account as well as with the VPC in the central AWS network account. This enables the central AWS network account to answer DNS queries related to the spoke accounts.

Automation and scale

This design makes use of Route 53 Resolver endpoints to scale DNS queries between AWS and your on-premises environment.  Each Route 53 Resolver endpoint comprises multiple elastic network interfaces (spread across multiple Availability Zones), and each network interface can handle up to 10,000 queries per second.  Route 53 Resolver supports up to 6 IP addresses per endpoint, so altogether this design supports up to 60,000 DNS queries per second spread across multiple Availability Zones for high availability.  

Additionally, this pattern automatically accounts for future growth within AWS. The DNS forwarding rules configured on premises do not have to be modified to support new VPCs and their associated private hosted zones that are added to AWS. 

Tools

AWS services

Tools

  • AWS Command Line Interface (AWS CLI) is an open-source tool that helps you interact with AWS services through commands in your command-line shell. In this pattern, the AWS CLI is used to configure Route 53 authorizations.

Epics

TaskDescriptionSkills required

Deploy AWS Managed Microsoft AD.

  1. Create and configure a new directory. For detailed steps, see Create your AWS Managed Microsoft AD directory in the AWS Directory Service Administration Guide.  

  2. Record the IP addresses of the AWS Managed Microsoft AD domain controllers.  These will be referenced in a later step.

AWS administrator

Share the directory.

After the directory has been built, share it with other AWS accounts in the AWS organization. For instructions, see Share your directory in the AWS Directory Service Administration Guide.  

Note

AWS Managed Microsoft AD Standard Edition has a limit of 5 shares. Enterprise Edition has a limit of 125 shares.

AWS administrator
TaskDescriptionSkills required

Create Route 53 Resolvers.

Route 53 Resolvers facilitate DNS query resolution between AWS and the on-premises data center.  

  1. Install Route 53 Resolvers by following the instructions in the Route 53 Developer Guide

  2. Configure Route 53 Resolvers in private subnets in at least two Availability Zones within the central AWS network account VPC for high availability.

Note

Although using the central AWS network account VPC isn’t a requirement, the remaining steps assume this configuration.

AWS administrator

Create Route 53 rules.

Your specific use case might require a large number of Route 53 rules, but you will need to configure the following rules as a baseline:

  • An outgoing rule for the on-premises namespace (company.com) by using the outbound Route 53 Resolvers.

    • Share this rule with spoke AWS accounts.

    • Associate this rule with spoke account VPCs.

  • An outgoing rule for the AWS namespace (aws.company.com) that points to the central network account Route 53 inbound Resolvers.

    • Share this rule with spoke AWS accounts.

    • Associate the rule with spoke account VPCs.

    • Do not associate this rule with the central AWS network account VPC (which houses the Route 53 Resolvers).

  • A second outgoing rule for the AWS namespace (aws.company.com) that points to the AWS Managed Microsoft AD domain controllers (use the IPs from the previous epic).

    • Associate this rule with the central AWS network account VPC (which houses the Route 53 Resolvers).

    • Do not share or associate this rule with other AWS accounts.

For more information, see Managing forwarding rules in the Route 53 Developer Guide.

AWS administrator
TaskDescriptionSkills required

Create the delegation.

Use the Microsoft DNS snap-in (dnsmgmt.msc) to create a new delegation for the company.com namespace within Active Directory. The name of the delegated domain should be aws. This makes the fully qualified domain name (FQDN) of the delegation aws.company.com. For the name servers, use the IP addresses of the AWS inbound Route 53 Resolvers in the central DNS AWS account for the IP values, and use server.aws.company.com for the name.

Active Directory

Create the conditional forwarder.

Use the Microsoft DNS snap-in (dnsmgmt.msc) to create a new conditional forwarder for aws.company.com.  Use the IP addresses of the AWS Managed Microsoft AD domain controllers for the target of the conditional forwarder.  

Active Directory
TaskDescriptionSkills required

Create the Route 53 private hosted zones.

Create a Route 53 private hosted zone in each spoke account.  Associate this private hosted zone with the spoke account VPC.  For detailed steps, see Creating a private hosted zone in the Route 53 Developer Guide.

AWS administrator

Create authorizations.

Use the AWS CLI to create an authorization for the central AWS network account VPC. Run this command from the context of each spoke AWS account:

aws route53 create-vpc-association-authorization --hosted-zone-id <hosted-zone-id> \ --vpc VPCRegion=<region>,VPCId=<vpc-id>

where:

  • <hosted-zone-id> is the Route 53 private hosted zone in the spoke account.

  • <region> and <vpc-id> are the AWS Region and VPC ID of the central AWS network account VPC.

AWS administrator

Create associations.

Create the Route 53 private hosted zone association for the central AWS network account VPC by using the AWS CLI. Run this command from the context of the central AWS network account:

aws route53 associate-vpc-with-hosted-zone --hosted-zone-id <hosted-zone-id> \ --vpc VPCRegion=<region>,VPCId=<vpc-id>

where:

  • <hosted-zone-id> is the Route 53 private hosted zone in the spoke account.

  • <region> and <vpc-id> are the AWS Region and VPC ID of the central AWS network account.

AWS administrator

Related resources