Tags: amazon-web-services, google-cloud-platform, amazon-route53, google-cloud-dns

Not able to access AWS Route 53 private zone records from a GCP instance


I have a VPN set up between an AWS VPC and a GCP VPC, with a transit gateway on the AWS side, a cloud router on the GCP side, and BGP sessions set up. I can ping a GCP instance from the AWS side and vice versa using private IPs. However, I want to dial over an FQDN by querying the private zones, resolving into private IPs, rather than using private zones directly. I am able to successfully access the GCP private zone from an AWS instance using Route 53 resolver rules and outbound endpoints. Now when I try to set up the other way round, i.e. trying to access the AWS Route 53 private zone from the GCP VPC, it is not resolving into private IPs. These are the steps I've followed:

  1. Create an inbound endpoint on the AWS Route 53 resolver for my AWS VPC. Allow port 53 UDP/TCP on the security group used for 35.199.192.0/19.
  2. Create a forwarding zone for my GCP VPC in GCP Cloud DNS with "private forwarding" enabled and forwarding target to the two IPs that step (1) provides.
  3. I have custom advertised 35.199.192.0/19 through the GCP cloud router.
  4. I have a route table entry in AWS to route the source 35.199.192.0/19 to the transit gateway of the VPN.

Along with the official docs, the two articles that I followed were https://blog.searce.com/multi-cloud-private-dns-forwarding-a77718e2a3f9 and https://medium.com/@derek10cloud/the-gcp-server-requires-private-access-to-aws-api-which-is-available-only-in-the-aws-vpc-9f969260e79d. I am not sure what I am doing wrong. I suspect my DNS queries are not being forwarded. If someone has successfully done it before or someone who knows how to do it right, please help me.


Solution

  • The issue was that I had the "DNS hostname" setting for the VPC disabled. Both "DNS resolution" and "DNS hostname" need to be enabled, as mentioned here: https://docs.aws.amazon.com/vpc/latest/userguide/AmazonDNS-concepts.html#vpc-dns-support

    If you use custom DNS domain names defined in a private hosted zone in Amazon Route 53, or use private DNS with interface VPC endpoints (AWS PrivateLink), you must set both the enableDnsHostnames and enableDnsSupport attributes to true.
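An added pre-flight checker (not from the question or the answer) that evaluates the two prerequisites this thread turns on: the VPC attributes named in the solution and the inbound endpoint's security group rule for the GCP forwarder range from step 1. It reads the JSON shapes returned by `aws ec2 describe-vpc-attribute` and `aws ec2 describe-security-groups`; the VPC and security group ids and the sample responses are constructed.

```python
import ipaddress

# Range GCP Cloud DNS forwards queries from, as given in the question.
GCP_DNS_FORWARDER_RANGE = ipaddress.ip_network("35.199.192.0/19")

def check_vpc_dns_attributes(hostnames_attr, support_attr):
    """Takes the two `aws ec2 describe-vpc-attribute` responses; both
    enableDnsHostnames and enableDnsSupport must be true for names in a
    private hosted zone to resolve via the Resolver inbound endpoint."""
    findings = []
    if not hostnames_attr.get("EnableDnsHostnames", {}).get("Value", False):
        findings.append("enableDnsHostnames is false")
    if not support_attr.get("EnableDnsSupport", {}).get("Value", False):
        findings.append("enableDnsSupport is false")
    return findings

def _permission_allows(perm, proto, port, src):
    """True if one IpPermissions entry admits proto/port from all of src."""
    if perm["IpProtocol"] not in (proto, "-1"):
        return False
    if perm["IpProtocol"] != "-1" and not (perm["FromPort"] <= port <= perm["ToPort"]):
        return False
    for r in perm.get("IpRanges", []):
        allowed = ipaddress.ip_network(r["CidrIp"])
        if allowed.version == src.version and src.subnet_of(allowed):
            return True
    return False

def check_inbound_endpoint_sg(sg):
    """sg: one entry of SecurityGroups[] from `aws ec2 describe-security-groups`,
    the group attached to the Route 53 Resolver inbound endpoint."""
    findings = []
    for proto in ("udp", "tcp"):
        if not any(_permission_allows(p, proto, 53, GCP_DNS_FORWARDER_RANGE)
                   for p in sg.get("IpPermissions", [])):
            findings.append(f"{sg['GroupId']} lacks {proto}/53 from {GCP_DNS_FORWARDER_RANGE}")
    return findings

def audit(hostnames_attr, support_attr, sg):
    """All misconfigurations that would stop GCP -> Route 53 private zone lookups."""
    return check_vpc_dns_attributes(hostnames_attr, support_attr) + check_inbound_endpoint_sg(sg)

# Constructed sample mirroring the asker's state: hostnames off, SG rules correct.
SAMPLE_HOSTNAMES = {"VpcId": "vpc-0example", "EnableDnsHostnames": {"Value": False}}
SAMPLE_SUPPORT = {"VpcId": "vpc-0example", "EnableDnsSupport": {"Value": True}}
SAMPLE_SG = {"GroupId": "sg-0example", "IpPermissions": [
    {"IpProtocol": p, "FromPort": 53, "ToPort": 53,
     "IpRanges": [{"CidrIp": "35.199.192.0/19"}]} for p in ("udp", "tcp")]}
```

Running `audit(SAMPLE_HOSTNAMES, SAMPLE_SUPPORT, SAMPLE_SG)` on the sample reports only the enableDnsHostnames finding, the same root cause the solution identifies; a security group that covers only part of 35.199.192.0/19, or only one of UDP/TCP, is reported as well.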