When you start working on a Multi-Account Organization in AWS, there are two things that you will think about most of the time :
- Security
- Cost Optimization
So, to secure connections between your VPC and AWS Services you can do so by using the VPC interface endpoints, they will allow your resources to connect to AWS Services without the need of an Internet Gateway, NAT device, VPN or a AWS Direct Connect connection.
Instances in your VPC won’t use public IP addresses to communicate with AWS services, instead it uses VPC Endpoint for that.
But when you start thinking about using them, the first thing that comes to your mind is :
VPC Interface Endpoints Pricing :
Below you can find and example of how much 5 VPC Interface endpoints will cost you for 10 GB of total data processed by all VPCE Interface endpoints in the AWS region.
Actually too much money, specially if your going to use them in each account of your AWS Organization
So, there is a way to share them from one Account with other Accounts ?
Yes, there are multiple ways to do so and today I’m going to share with you one of the ways we’ve already used in our AWS Organization.
Let’s get to work
We can say that you have an Architecture similar to the one shown below, one Network/Shared Services Account, multiple Application Accounts where you’ve most of your workload, multiple VPCs, multiple VPC Interface endpoints in each VPC per Account and everything is connected together using a Transit Gateway.
What we are going to do ?
We are going to keep the VPC Interface endpoints in our Shared Services/Network Account, working on sharing them with the other accounts in our Organization and then remove the interface endpoints from the other accounts.
Which AWS Services will help us to do so ?
- Route53
- Resource Access Manager
So, let’s move to our account from where we want to share the interface endpoints.
When you create an Interface endpoint (for example for : EC2 Service), AWS automtically enables the Private DNS Name for this endpoint “ec2.eu-west-3.amazonaws.com” as shown below :
to be able to share this endpoint with the other accounts we need to disable the Private DNS Name so we can create a private hosted zone on Route53 for it.
to do so, just select the interface endpoint and go to Actions and then select Modify private DNS Name and disable it
Now, let’s go to Route53 to create a private hosted zone for our interface endpoint with it’s Private DNS Name, associate it to the VPC where we’ve already created the interface endpoint and then create a DNS record which will target our VPC endpoint as show below :
What are going to do next ?
In our centralized account we need setup some other few things :
- Inbound Resolver : The inbound resolver will receive queries forwarded from other VPCs’ DNS servers and from workloads running in participating AWS accounts. The Inbound resolver should be created on the same VPC where we’ve created the interface endpoint and associated to the Route53 Private hosted zone.
DNS queries reaches the default DNS server of our VPC and because the VPC is associated with the private hosted zone ec2.eu-west-3.amazonaws.com, the default DNS server will be able to resolve this domain.
- Outbound Resolver : The Outbound Resolver will forward the DNS queries coming from the other VPCs to the IP addresses of the Inbound Resolver.
- Resolver Rules : indicates that queries for ec2.eu-west-3.amazonaws.com should be forwarded through the Outbound Resolver.
I’ve created a rule called “ec2 rule” for the VPC interface endpoint Private DNS Name “ec2.eu-west-3.amazonaws.com” and targeting the IP Addresses of our Inbound Resolver
Resolver rules is what we are going to share with the other accounts in our organization.
Using Resource Access Manager, you can create a resource share and then share the resolver rule/rules with all the accounts in your organization
Final Step :
Now move to the other accounts, delete the EC2 VPC Interface endpoint and then switch to Route53.
Under Rules section, you can find the resolver rule already shared with you from the centeralized account, what you need to do now is just to associate your VPCs in this account with the resolver rule so that they will be able to resolve the ec2.eu-west-3.amazonaws.com using the DNS Server of the centeralized VPC in the Shared Services/Network Account.
IMPORTANT:
VPC interface endpoints, resolver rules, inbound & outbuond resolvers are all regional services, so if you want to share VPC interface endpoints in multiple regions, then you’ve to replicate everything.
In this case you will need to create multiple interface endpoints in different regions in the centeralized account, multiple private hosted zones (for example: ec2.eu-west-3.amazonaws.com & ec2.eu-central-1.amazonaws.com) targeting the endpoint in that region and multiple resolver rules one for each domain name.
This blog Post helped us during the setup of this solution : https://aws.amazon.com/blogs/security/simplify-dns-management-in-a-multiaccount-environment-with-route-53-resolver/
Hope this will help you to save some money on AWS 💰
Thanks
Peter
Top comments (0)