DNS resolution for AWS resource DNS names after establishing VPN connection (between GCP and AWS)


Suhas Chikkanna

Aug 13, 2019, 2:45:56 PM8/13/19
to cloud-dns-discuss
Hi,

I have successfully built a VPN connection between GCP and AWS using the following guide (https://cloud.google.com/solutions/automated-network-deployment-multicloud). I can currently ping the resources on the other cloud provider based on the private IP. However, I would like to use DNS resolution that resolves AWS resource DNS names to their private IPs. Can someone please help me with this? Using a DNS server policy may not be the best of options for me, as it points to an alternative name server only and not to GCP's internal name servers anymore. So how can I use forwarding zones in GCP for DNS names such as database-test.c34fdgt1ascxz.us-west-1.rds.amazonaws.com so that they resolve to the private IP? The above example is for a database which I have not made public. Has someone done this already? Or does anyone have any idea on how to go about this? Any help is much appreciated, thank you so much.


José Atencio

Aug 13, 2019, 9:54:55 PM8/13/19
to cloud-dns-discuss
Hello Suhas,

Thank you for reaching Google Cloud Platform. If I understand correctly, you have set up a VPN connection between your GCP and AWS projects and would like to be able to resolve the DNS names of your AWS resources from within GCP.

This is indeed possible to do with Private DNS Zones [1], and it is definitely much easier than you think.  The setup would look like this:

GCP VM >>> GCP Cloud DNS >>>>>> <VPN Tunnel> >>>>>> AWS Forwarding DNS server (BIND server managed by you) >>> AWS internal DNS

Let me explain:

1. Set up a Forwarding DNS instance (BIND server) inside your AWS infrastructure, which will, in turn, forward requests coming from GCP's Cloud DNS to AWS internal DNS. This is a crucial step, as the AWS internal DNS might reject requests coming from IPs outside AWS (to check with AWS support).

2. The first step on the GCP side would be to set up a Private DNS forwarding zone [2] for rds.amazonaws.com, or any other subdomain as needed, in your GCP project by means of Cloud DNS.

3. Under Options, make sure to select "Forward queries to another server".

4. Select the VPC network to which this private zone will be visible.

5. Add the IPv4 address of the Forwarding DNS server you have setup.

Once this is setup on GCP, you will need to do the following on AWS:

1. Add a Firewall rule to allow traffic whose sources are in 35.199.192.0/19.

2. Create a route that directs traffic destined to 35.199.192.0/19 back to GCP, through your Cloud VPN tunnel.

DNS queries forwarded from GCP have 35.199.192.0/19 as source. This is the range used by Cloud DNS.

Replies to DNS queries from your DNS forwarder must be sent back to 35.199.192.0/19, but they cannot be sent over the Internet. The 35.199.192.0/19 address range is only reachable from within your VPC network or on-premises network connected to your VPC network. If your on-premises network (AWS) routes packets destined to 35.199.192.0/19 via the Internet, they will be dropped.

Also, GCP requires that the on-premises name server (BIND DNS Forwarder) that receives the request be the one that sends the reply to 35.199.192.0/19. If your name server sends the request to a different name server, and that other name server responds to 35.199.192.0/19, the response will be ignored.

Please see the Requirements section on [2] for all details.

As you can see, this is the main reason why I suggested the creation of a Forwarding DNS server on one of your AWS instances, as I don't think you can get AWS internal DNS to accept incoming requests from 35.199.192.0/19.

I hope you find this information useful! We are here to help.
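A worked setup for the two sides described in the answer above, added here as an example and not code from the thread or from Google: it renders the BIND forwarder configuration for the AWS instance, prints the Cloud DNS and AWS CLI commands that wire it up, and checks whether an address sits inside a CIDR range (useful for the 35.199.192.0/19 rule and for confirming the forwarder lives inside the AWS VPC). The VPC CIDR, resolver address, forwarder address, GCP network name and AWS resource IDs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed assumptions: AWS VPC 10.0.0.0/16
# whose resolver is 10.0.0.2 (VPC base + 2), BIND forwarder instance at 10.0.1.10,
# GCP VPC named gcp-vpc, and placeholder AWS IDs (rtb-/vgw-/sg-PLACEHOLDER).
CLOUD_DNS_RANGE=35.199.192.0/19   # source range of queries forwarded by Cloud DNS

ip_to_int() {  # dotted quad -> integer
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

in_cidr() {  # in_cidr IP CIDR: succeeds when IP falls inside CIDR
  ip=$(ip_to_int "$1"); net=$(ip_to_int "${2%/*}"); bits=${2#*/}
  mask=$(( 4294967296 - (1 << (32 - bits)) ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# The forwarder must sit inside the AWS VPC so its replies to 35.199.192.0/19
# ride the VPN tunnel rather than the Internet, where they would be dropped.
forwarder_in_vpc() { in_cidr "$1" "$2"; }

# named.conf.options for the BIND forwarder: only Cloud DNS and the local VPC may
# query it, and "forward only" keeps this instance as the server that answers
# Cloud DNS, which is what GCP requires.
render_named_conf() {  # render_named_conf VPC_CIDR VPC_RESOLVER
cat <<EOF
acl trusted { $CLOUD_DNS_RANGE; $1; };
options {
  directory "/var/cache/bind";
  recursion yes;
  allow-query { trusted; };
  allow-recursion { trusted; };
  forward only;
  forwarders { $2; };
};
EOF
}

# Commands for both sides, printed rather than executed so the script runs offline.
render_commands() {  # render_commands FORWARDER_IP GCP_NETWORK ROUTE_TABLE VGW SG
cat <<EOF
gcloud dns managed-zones create aws-rds --dns-name=rds.amazonaws.com. --description="forward to AWS" --visibility=private --networks=$2 --forwarding-targets=$1
aws ec2 authorize-security-group-ingress --group-id $5 --protocol udp --port 53 --cidr $CLOUD_DNS_RANGE
aws ec2 authorize-security-group-ingress --group-id $5 --protocol tcp --port 53 --cidr $CLOUD_DNS_RANGE
aws ec2 create-route --route-table-id $3 --destination-cidr-block $CLOUD_DNS_RANGE --gateway-id $4
EOF
}

forwarder_in_vpc 10.0.1.10 10.0.0.0/16 || echo "forwarder is outside the AWS VPC" >&2
render_named_conf 10.0.0.0/16 10.0.0.2
render_commands 10.0.1.10 gcp-vpc rtb-PLACEHOLDER vgw-PLACEHOLDER sg-PLACEHOLDER
```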


