- HTTP. HTTPS, TCP
- Can monitor:
§ Endpoint
§ Status of other health checks (calculated health check)
§ State of CloudWatch alarm
- Can define an address or an IP for R53 health check to monitor
- The IP monitored must be internet accessible, non-private/internal
- R53 can notify CloudWatch of unhealthy instances. An alarm will be set, SNS will trigger
- For Alias record – say Yes for Evaluate Target Health
- Can configure checks for specified endpoint (ex on a webserver), or another health check (ex: I have 3 webservers, heed two know only when 2 of those fail)
- Firewalls, SecGroups, NACLs need to be configured to allow R53 requests to the endpoint
Routing policies
Latency vs Geolocation
- Latency: Measure latency to each endpoint from user’s DNS resolver, pick lowest
- Geolocation: good when regulation control content to in-region
Weighted
- Weighted routing of DNS requests
- Good for load balancing (ex: server on premises stage-migrating onto cloud) or testing new versions of software
- Assign weight to each resource: ex weights 1-255. Assign 1 to a resource – gets 1/255th of the traffic. Assign 10 to another – gets 10/255th.
Multivalue
- Return up to 8 healthy IP’s to the requester
- If all are unhealthy – return up to 8 unhealthy ones
- Not a method of load balancing (can load balance on the client if want w the IP's returned)
Route53 Resolver
- https://aws.amazon.com/blogs/security/simplify-dns-management-in-a-multiaccount-environment-with-route-53-resolver/
- https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html
Failover & Geolocation
- Simple routing policy – single resource performs domain function
- Failover routing policy – primary/standby
- Geolocation routing policy – routing based on user location (ex: user public IP location detail)
Can specify by continent/country/state. If two regions are defined (North Am and Canada), the more precise (Canada) is preferred. If source region can’t be identified – can create a default DNS record. If no default exists – “no answer” is returned
- Latency routing policy – resource in multiple locations, route to resource providing best latency
- Weighted routing policy – route to multiple resources based on proportions you specify
- Geoproximity routing policy – route based on location of resources; optionally shift traffic from resource in one location to resource in another
- Multivalue answer routing policy – return up to 8 random healthy records – let the user decide which to use
Failover & Geolocation
- Simple routing policy – single resource performs domain function
- Failover routing policy – primary/standby
- Geolocation routing policy – routing based on user location (ex: user public IP location detail)
Can specify by continent/country/state. If two regions are defined (North Am and Canada), the more precise (Canada) is preferred. If source region can’t be identified – can create a default DNS record. If no default exists – “no answer” is returned
- Latency routing policy – resource in multiple locations, route to resource providing best latency
- Weighted routing policy – route to multiple resources based on proportions you specify
- Geoproximity routing policy – route based on location of resources; optionally shift traffic from resource in one location to resource in another
- Multivalue answer routing policy – return up to 8 random healthy records – let the user decide which to use
- Latency: Measure latency to each endpoint from user’s DNS resolver, pick lowest
- Geolocation: good when regulation control content to in-region
- Weighted routing of DNS requests
- Good for load balancing (ex: server on premises stage-migrating onto cloud) or testing new versions of software
- Assign weight to each resource: ex weights 1-255. Assign 1 to a resource – gets 1/255th of the traffic. Assign 10 to another – gets 10/255th.
- Return up to 8 healthy IP’s to the requester
- If all are unhealthy – return up to 8 unhealthy ones
- Not a method of load balancing (can load balance on the client if want w the IP's returned)
Route53 Resolver
- https://aws.amazon.com/blogs/security/simplify-dns-management-in-a-multiaccount-environment-with-route-53-resolver/
- Route 53 Resolver makes hybrid cloud easier for enterprise customers by enabling seamless DNS query resolution across your entire hybrid cloud. Create DNS endpoints and conditional forwarding rules to allow resolution of DNS namespaces between your on-premises data center and Amazon Virtual Private Cloud (VPC)
-
Route 53 Resolver automatically answers DNS queries for local VPC
domain names for EC2 instances (ec2-192-0-2-44.compute-1.amazonaws.com) and
records in private hosted zones (acme.example.com). For all other domain names,
Resolver performs recursive lookups against public name servers
- REGIONAL – since it resolves DNS queries in or out-of VPC. And VPC is a regional resource.
- You can integrate DNS resolution between Resolver and DNS resolvers on your network by configuring forwarding rules. Your network can include any network that is reachable from your VPC, such as the following:
§ The VPC itself
§ Another peered VPC
§ An on-premises network that is connected to AWS with AWS Direct Connect, a VPN, or a network address translation (NAT) gateway
- Before you start to forward queries, you create Resolver inbound and/or outbound endpoints in the connected VPC. These endpoints provide a path for inbound or outbound queries:
§ Inbound endpoint – one or more ENI in VPC; each ENI with at least 2 IPs in different subnets and different AZs
§ Outbound endpoint – an ENI in VPC with IP; defines where the queries will be sent to
§ Security Rule needs to allow port 53 on inbound or outbound
§ Rules – used by Resolver to determine which requests should go out from VPC to an external (on-premise) network. Can be Auto-defined or Custom
§ Conditional Forwarding
§ System Rules
§ Recursive Rules
§ Rules can be shared across accounts – and the outbound endpoint gets shared along the way as well
Resolver Billing
- billed for full month on the 1st of the month per zone per number of queries (in millions) even if started mid-month
- pricing goes up w every zone routing policy (Simple, Latency based, Geolocation, etc.)
- queries to aliases pointed to AWS services are free
- REGIONAL – since it resolves DNS queries in or out-of VPC. And VPC is a regional resource.
- You can integrate DNS resolution between Resolver and DNS resolvers on your network by configuring forwarding rules. Your network can include any network that is reachable from your VPC, such as the following:
§ The VPC itself
§ Another peered VPC
§ An on-premises network that is connected to AWS with AWS Direct Connect, a VPN, or a network address translation (NAT) gateway
- Before you start to forward queries, you create Resolver inbound and/or outbound endpoints in the connected VPC. These endpoints provide a path for inbound or outbound queries:
§ Inbound endpoint – one or more ENI in VPC; each ENI with at least 2 IPs in different subnets and different AZs
§ Outbound endpoint – an ENI in VPC with IP; defines where the queries will be sent to
§ Security Rule needs to allow port 53 on inbound or outbound
§ Rules – used by Resolver to determine which requests should go out from VPC to an external (on-premise) network. Can be Auto-defined or Custom
§ Conditional Forwarding
§ System Rules
§ Recursive Rules
§ Rules can be shared across accounts – and the outbound endpoint gets shared along the way as well
Resolver Billing
- billed for full month on the 1st of the month per zone per number of queries (in millions) even if started mid-month
- pricing goes up w every zone routing policy (Simple, Latency based, Geolocation, etc.)
- queries to aliases pointed to AWS services are free
-
Health checks – 50% more expensive
for checking on non AWS endpoints
No comments:
Post a Comment