Amazon VPC Lattice DNS Migration Strategies and Best Practices


In this article, we examine the prevalent Domain Name System (DNS) strategies for transitioning your applications to Amazon VPC Lattice through a phased method. These strategies enable you to minimize downtime, alleviate overhead, and ensure consistent DNS resolution for your clients and applications hosted on AWS.

VPC Lattice is a fully managed, comprehensive application networking service designed to facilitate the modernization of applications and network connectivity within AWS. It enhances the onboarding experience for developers by eliminating the necessity to implement custom application code or operate proxies alongside every workload while providing network administrators the tools and controls needed for auditing and securing their environments. A smooth adoption process is contingent on the ability to integrate VPC Lattice into existing AWS environments without disrupting production. VPC Lattice employs DNS for service discovery, with each service identifiable via its service-managed or custom DNS name.

You can migrate your existing services to VPC Lattice by updating your DNS to allow clients to resolve service names to VPC Lattice IP addresses. Throughout this discussion, we present DNS migration strategies for two common DNS management options: utilizing Amazon Route 53 public and private hosted zones.

Prerequisites

We assume familiarity with foundational VPC Lattice concepts and services such as Amazon Virtual Private Clouds (Amazon VPCs), route tables, Route 53 Resolver, and Route 53 private and public hosted zones. Details on setting up VPC Lattice in multi-account and multi-VPC environments are available in this Amazon networking post and the VPC Lattice documentation.

Before we delve into migration scenarios, let’s review how VPC Lattice employs DNS for service discovery.

VPC Lattice DNS

When you create a VPC Lattice service, it generates a unique Fully Qualified Domain Name (FQDN) formatted as “service_name-service_id.partition_id.vpc-lattice-svcs.region.on.aws.” Each service name is globally unique and can be resolved externally to a series of IPv4 and IPv6 addresses in the ranges 169.254.x.x/16 and fd00:ec2:80::/64 respectively. These IP addresses are publicly resolvable but accessible only to clients in VPCs connected to a VPC Lattice service network. However, applications typically rely on more intuitive custom DNS names like “service123.example.com.”

VPC Lattice allows the configuration of a custom DNS name for your service upon creation. To enable clients in VPCs to resolve the custom domain name, you must create an Alias or Canonical Name (CNAME) record that points your custom domain name to the VPC Lattice-generated domain name. When a client in a VPC makes a request using the custom DNS name, the Route 53 Resolver recursively resolves it to a VPC Lattice IP address. Once the request reaches the VPC Lattice service network, routing decisions are made based on the request host header or the Transport Layer Security (TLS) Server Name Indication (SNI) information, directing traffic to the service target.

Baseline Architecture

The baseline architecture comprises three Amazon VPCs—A, B, and C—each with their respective VPC Resolvers. VPCs B and C are interconnected through an AWS Transit Gateway, while VPC A hosts an application named “Foo,” which is fronted by an internet-facing Application Load Balancer (ALB) called “public-ALB-foo.” VPC C hosts a service named Bar, accessed via a private ALB “private-ALB-bar.” In VPCs B and C, we deployed “Client-1” and “Client-2” respectively to test connectivity. This article illustrates how to adopt VPC Lattice without disrupting connectivity between the test clients and services.

We focus on two scenarios: DNS management using Route 53 public hosted zones and DNS management using Route 53 private hosted zones. For each scenario, we will discuss two migration options to VPC Lattice: per VPC per DNS domain and per VPC per service.

Migrating to VPC Lattice Services Using DNS Names Managed in Route 53 Public Hosted Zones

Assume a DNS setup where we manage DNS using a public hosted zone named example.com. The public hosted zone includes two DNS records: foo.example.com as an Alias for “public-ALB-foo” FQDN and bar.example.com as an Alias for “private-ALB-bar” FQDN. Internet clients can access Foo by resolving the public DNS record of foo.example.com to the public ALB’s IPs, while VPC clients (Client-1 and Client-2) can use the local Route 53 resolver to access Foo and Bar by resolving the public DNS records for “foo.example.com” and “bar.example.com” to their respective ALB IPs.

Our goal is to make Foo accessible in VPC Lattice for Client-1, without affecting Client-2, internet clients, or other clients in other VPCs. Let’s review the step-by-step configuration.

Pre-Configuration Steps

Begin by creating a VPC Lattice service network for our clients and services. The pre-configuration steps can be repeated for VPC Lattice services and client VPCs that you want to migrate without impacting existing traffic flows.

  1. Create the Foo VPC Lattice service with a custom domain name “foo.example.com” and associate it with the service network. The Foo VPC Lattice service receives an FQDN managed by VPC Lattice in a public hosted zone.
  2. Associate VPC B with the VPC Lattice service network.

Altering Client-1’s traffic resolution to use VPC Lattice by modifying the public hosted zone record for foo.example.com would disrupt internet clients and Client-2. Only VPCs associated with a service network can access VPC Lattice IPs. To migrate Client-1 to VPC Lattice without disrupting communication for existing clients, we need to maintain a separate DNS view for clients that start using VPC Lattice. We explore two options to achieve this:

Per-VPC Per-Domain Migration Using a Private Hosted Zone

  1. Create a new private hosted zone for the domain name “example.com.” This private hosted zone offers split-horizon DNS resolution, allowing you to control how associated VPCs resolve DNS without interrupting public DNS resolution. This private hosted zone should contain all resource records from the public hosted zone.
  2. In the private hosted zone, update the resource record for “foo.example.com” from the “public-ALB-foo” to the VPC Lattice service FQDN. Validate that Client-1 can access Foo using the VPC Lattice FQDN, ensuring that security groups, Network Access Control Lists (ACLs), and VPC Lattice authentication policies are correctly configured.
  3. Once connectivity is validated, associate the private hosted zone with VPC B. When Client-1 resolves any domain name in the “example.com” zone, the Route 53 Resolver will utilize the private hosted zone.
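The following is an added model of the per-VPC per-domain migration above (and of the VPC Lattice DNS naming it relies on); it is not code from the article or from AWS. The ALB and VPC Lattice names and the 169.254.171.32 address are constructed placeholders in the formats the article describes, and the resolver logic mimics how a private hosted zone associated with a VPC shadows the public zone for that VPC only.

```python
"""Model of the split-horizon migration walkthrough (constructed example, not AWS or article code)."""
import ipaddress

# Constructed placeholders that follow the name formats the article describes.
PUBLIC_ALB_FOO = "public-alb-foo-123.us-east-1.elb.amazonaws.com."
PRIVATE_ALB_BAR = "internal-private-alb-bar-456.us-east-1.elb.amazonaws.com."
LATTICE_FOO_FQDN = "foo-0123456789abcdef.7d67968.vpc-lattice-svcs.us-east-1.on.aws."
LATTICE_FOO_IP = "169.254.171.32"

# example.com public hosted zone: record name -> (type, target)
PUBLIC_ZONE = {
    "foo.example.com.": ("CNAME", PUBLIC_ALB_FOO),
    "bar.example.com.": ("CNAME", PRIVATE_ALB_BAR),
}

def build_private_zone(public_zone, migrated_name, lattice_fqdn):
    """Steps 1-2: clone every public record, then repoint only the migrated service."""
    private = dict(public_zone)
    private[migrated_name] = ("CNAME", lattice_fqdn)
    return private

def missing_records(public_zone, private_zone):
    """Check before step 3: a public name absent from the private zone turns into
    NXDOMAIN for the associated VPC, since the private zone shadows all of example.com there."""
    return sorted(set(public_zone) - set(private_zone))

def change_batch(private_zone):
    """Route 53 ChangeResourceRecordSets payload that writes the private zone records."""
    return {"Changes": [
        {"Action": "UPSERT", "ResourceRecordSet": {
            "Name": name, "Type": rtype, "TTL": 60,
            "ResourceRecords": [{"Value": target}]}}
        for name, (rtype, target) in private_zone.items()]}

def resolve(name, client_vpc, private_zone, associated_vpcs, public_zone):
    """Resolver view per client: a private zone associated with the client's VPC wins;
    other VPCs and internet clients (client_vpc=None) keep seeing the public records."""
    zone = private_zone if client_vpc in associated_vpcs else public_zone
    return zone[name][1]

def is_lattice_address(addr):
    """True if addr is inside the ranges the article gives for VPC Lattice service IPs."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in ("169.254.0.0/16", "fd00:ec2:80::/64"))

if __name__ == "__main__":
    private = build_private_zone(PUBLIC_ZONE, "foo.example.com.", LATTICE_FOO_FQDN)
    assert not missing_records(PUBLIC_ZONE, private)  # safe to associate with VPC B
    for who, vpc in (("Client-1", "vpc-b"), ("Client-2", "vpc-c"), ("internet", None)):
        print(who, "foo.example.com ->", resolve("foo.example.com.", vpc, private, {"vpc-b"}, PUBLIC_ZONE))
```

Running it shows only Client-1 (VPC B) resolving foo.example.com to the VPC Lattice FQDN while Client-2 and internet clients still get the public ALB, and the `missing_records` check is the guard to run before associating the private zone with a VPC.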
