
Lucian Patian for AWS Community Builders


Cost effective strategies for AWS Landing Zone: streamlining on-premise DNS queries

This year seems to be in the frugality zodiac sign so I decided to share a few best practices for reducing costs within your landing zone.

In this article, I will cover the use of outbound endpoints and rules from the Route53 resolver to efficiently direct traffic from all your AWS accounts towards private (on-premise) managed (sub)domains, ultimately keeping your expenses in check.

In a hybrid DNS scenario, you want to query the private (on-premise) DNS servers for the IPs of your private (sub)domains. AWS provides the option to configure a Route53 resolver outbound endpoint and DNS forward rules for each of your private (sub)domains.

The outbound endpoint is a configuration of the Route53 DNS resolver that creates network interfaces inside your VPC, facilitating the forwarding of queries towards the on-premise DNS based on the defined rules.

(Screenshot: Route53 resolver outbound endpoint configuration)

A Route53 resolver rule is a setting for a private domain where you declare the IPs of your on-premise DNS servers, which will reply with the IPs of the private (sub)domains.

(Screenshot: Route53 resolver rule configuration)

Up until now everything might sound quite standard and there's no mention of costs. However, if you check the upper right part of the above picture, you'll notice that the sharing status of this rule is marked as "not shared."

Now, let's assume that most of your AWS accounts within the landing zone need access to the same private (sub)domains. Creating Route53 resolver rules for each account could significantly increase your organization's bill.

The trick is to use the Resource Access Manager service. Create a resource share by selecting the Route53 Resolver Rules type and add the AWS account IDs from your organization in the Shared Principals configuration. This way, all AWS accounts listed in the Shared Principals configuration can use the same Route53 rule for your on-premise domain, and you'll only be charged for the network interfaces created in your central account.

The last step is to log in to each of the AWS accounts you added to the Shared Principals configuration, go to Route53 resolver rules, select the shared rule and attach it to the local VPC.
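The whole procedure (outbound endpoint, forward rule, RAM share, association in a member account) expressed as Terraform, added here as an example and not taken from the article; every VPC, subnet, security group, account ID, domain and DNS server address is a placeholder, and the `aws.member` provider alias is assumed to carry credentials for one member account.

```hcl
provider "aws" {
  region = "eu-central-1"                    # central (network) account
}
provider "aws" {
  alias  = "member"                          # assumed: credentials for a member account
  region = "eu-central-1"
}

# Outbound endpoint: the per-ENI charge exists only here, in the central account
resource "aws_route53_resolver_endpoint" "outbound" {
  name               = "onprem-outbound"
  direction          = "OUTBOUND"
  security_group_ids = ["sg-0123456789abcdef0"]        # placeholder; allow only TCP/UDP 53 out to on-prem
  ip_address { subnet_id = "subnet-0aaaaaaaaaaaaaaaa" } # placeholder, first AZ
  ip_address { subnet_id = "subnet-0bbbbbbbbbbbbbbbb" } # placeholder, second AZ
}

# Forward rule: queries for the private domain go to the on-premise DNS servers
resource "aws_route53_resolver_rule" "onprem" {
  domain_name          = "corp.example.internal"      # placeholder private domain
  name                 = "onprem-corp"
  rule_type            = "FORWARD"
  resolver_endpoint_id = aws_route53_resolver_endpoint.outbound.id
  target_ip { ip = "10.10.0.10" }                     # placeholder on-prem DNS
  target_ip { ip = "10.10.0.11" }
}

# Share the rule once through RAM instead of creating a rule and endpoint per account
resource "aws_ram_resource_share" "resolver_rules" {
  name                      = "route53-resolver-rules"
  allow_external_principals = false                   # organization accounts only
}
resource "aws_ram_resource_association" "onprem_rule" {
  resource_arn       = aws_route53_resolver_rule.onprem.arn
  resource_share_arn = aws_ram_resource_share.resolver_rules.arn
}
resource "aws_ram_principal_association" "member" {
  principal          = "111111111111"                 # placeholder member account ID
  resource_share_arn = aws_ram_resource_share.resolver_rules.arn
}

# In the member account: attach the shared rule to its local VPC
resource "aws_route53_resolver_rule_association" "member_vpc" {
  provider         = aws.member
  resolver_rule_id = aws_route53_resolver_rule.onprem.id
  vpc_id           = "vpc-0fedcba9876543210"          # placeholder member VPC
  depends_on       = [aws_ram_principal_association.member]
}
```

Sharing with organization account IDs is accepted automatically only when RAM sharing with AWS Organizations is enabled in the management account; otherwise the member account has to accept the share before the association succeeds.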

What tips & tricks do you have for keeping the costs low in your AWS landing zone?

In a separate article I described how to bypass inbound endpoints of the Route53 resolver and forward traffic from your on-premise DNS to your Route53 private hosted zones at no cost.
