amazon-web-services amazon-route53 aws-vpn

DNS Record for EC2 in private subnet accessible via Client VPN


We have an EC2 in our private subnet hosting a Jenkins server. We have a Client VPN Endpoint to connect to this private subnet. Our EC2 SG allows Inbound HTTP requests from the VPN SG and this VPN SG allows Outbound HTTP requests to our EC2 SG. So while connected to the VPN, we can connect to the EC2 using its Private IP address.

We now want to add a DNS Record on top of this Private IP address.

We already have a private Hosted Zone associated with the right VPN. Our VPN Endpoint references the two DNS server IP addresses, meaning that we've filled the DNS servers field of the Client VPN Endpoint with the two IP addresses of our Route 53 Resolver Inbound Endpoint. "DNS resolution" and "DNS hostnames" are enabled in our VPC. Finally, we have a simple A Record whose value is the EC2 Private IP.

When logged into our VPN, the DNS Record is still not working. What are we missing?

Complementary information:

Queries run on my laptop that could help

❯ dig my.dns.internal

;; communications error to 127.0.0.53#53: timed out

; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> my.dns.internal
;; global options: +cmd
;; no servers could be reached

❯ cat /etc/resolv.conf

nameserver 127.0.0.53
options edns0 trust-ad
search .

❯ resolvectl status
...
Link 4 (tun0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: resolverIp1
       DNS Servers: resolverIp1 resolverIp2

Doc checked on this topic:


Solution

  • Quick solution

    The issue was that my Resolver Inbound Endpoint IP addresses, meaning its Network Interface's Security Group, were closed to my VPN. To fix this, you have to:

    If it still doesn't work

    To be checked

    Debug tools
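The security-group check behind the quick solution, as an added example that is not part of the original question or answer: given a security group in the shape returned by `aws ec2 describe-security-groups`, it reports whether UDP and TCP port 53 are admitted from the Client VPN endpoint's security group (or from a CIDR covering the subnet the endpoint is associated with). The group IDs and CIDRs are constructed placeholders.

```python
import ipaddress

DNS_PORT = 53

def permission_covers_port(perm, proto):
    """True if one IpPermissions entry admits port 53 for the given protocol."""
    if perm["IpProtocol"] == "-1":  # "all traffic" rule
        return True
    if perm["IpProtocol"] != proto:
        return False
    return perm.get("FromPort", 0) <= DNS_PORT <= perm.get("ToPort", 65535)

def permission_covers_source(perm, vpn_sg_id, vpn_subnet_cidr):
    """True if the entry's source is the Client VPN endpoint's SG, or a CIDR
    containing the subnet the endpoint is associated with (Client VPN source-NATs
    users to its ENI there, so the client address pool is not what the SG sees)."""
    if any(p.get("GroupId") == vpn_sg_id for p in perm.get("UserIdGroupPairs", [])):
        return True
    subnet = ipaddress.ip_network(vpn_subnet_cidr)
    return any(subnet.subnet_of(ipaddress.ip_network(r["CidrIp"]))
               for r in perm.get("IpRanges", []))

def missing_dns_ingress(sg, vpn_sg_id, vpn_subnet_cidr):
    """Protocols ('udp', 'tcp') the resolver endpoint's SG does NOT accept on
    port 53 from the VPN; an empty list means DNS from the VPN is allowed."""
    return [proto for proto in ("udp", "tcp")
            if not any(permission_covers_port(p, proto)
                       and permission_covers_source(p, vpn_sg_id, vpn_subnet_cidr)
                       for p in sg["IpPermissions"])]

# Constructed sample: the "closed" SG only admits HTTP from the VPN SG, which is
# the misconfiguration the answer describes (no DNS rule at all).
VPN_SG = "sg-0vpnexample"  # placeholder id
RESOLVER_SG_CLOSED = {
    "GroupId": "sg-0resolverexample",  # placeholder id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "UserIdGroupPairs": [{"GroupId": VPN_SG}]},
    ],
}
# The same SG after the fix: UDP and TCP 53 are admitted from the VPN.
RESOLVER_SG_FIXED = {
    "GroupId": "sg-0resolverexample",
    "IpPermissions": RESOLVER_SG_CLOSED["IpPermissions"] + [
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
         "UserIdGroupPairs": [{"GroupId": VPN_SG}]},
        {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
}
```

Pass it the `SecurityGroups[0]` object of the security group attached to the inbound endpoint's network interfaces. From a connected client, `dig @resolverIp1 my.dns.internal` sends the query straight to the endpoint and bypasses the local stub resolver, which separates a closed security group from a resolvectl or split-DNS problem.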