A-EC2-15

DNS Resolution Unshared Across VPCs

Risk:
Low
CWE:
346

DNS resolution should be shared across peered VPCs to ensure that each VPC routes privately to endpoints in the peered VPC network.


Details

When peering VPC networks, the networks become joined across the peered VPCs. This means that each VPC now has network access and routing to the other VPC's network unless blocked by Security Groups or Network Access Control Lists. Any active AWS VPC utilises DNS services provided by AWS, which offer DNS resolution for AWS resources as well as private Hosted Zone records. However, because this DNS service is tied to each VPC individually and is managed directly by AWS, the DNS records for each VPC are not naturally shared with the other peered VPC unless specifically configured to do so.

When VPCs are peered, there is an option to configure the DNS service for each VPC to share DNS names with the other peered VPC. This allows resources in one VPC to resolve the AWS or private DNS records originating from the other VPC through their own VPC's DNS service. If DNS records are not explicitly shared, the VPC will not have access to the private DNS records for resources in the peered VPC. Consequently, without these DNS records, you would need to rely on AWS private IP addresses, which will not update if the IP addresses of those resources change, or your VPC's DNS will attempt to resolve to public DNS records, possibly sending the traffic over the public internet rather than over the privately peered network.

Without sharing DNS records when peering VPCs, you lose the ability to resolve private records, which makes much of the peering pointless. To gain the full value of peering, private DNS records should be shared so that all services are aware of the private addresses available to them via DNS.

Remediation

To resolve this issue, enable DNS resolution from the remote VPC on both sides (requester and accepter) of your VPC peering connection. This makes each VPC's DNS service able to answer queries for the peered VPC's records, ensuring proper DNS resolution across the peered networks.
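An added example, not part of this page or of SkySiege's own tooling: a Python check over the JSON that `aws ec2 describe-vpc-peering-connections` returns (a constructed sample is embedded inline), flagging active peerings where either side has AllowDnsResolutionFromRemoteVpc disabled and building the `modify-vpc-peering-connection-options` call that enables it. It assumes both VPCs already have enableDnsSupport and enableDnsHostnames turned on, which AWS requires before cross-VPC resolution works.

```python
"""Flag active VPC peering connections that do not share DNS resolution.

Input shape: the "VpcPeeringConnections" list from
`aws ec2 describe-vpc-peering-connections` (boto3 returns the same keys).
The sample below is constructed for this example; IDs are placeholders.
"""

SAMPLE_PEERINGS = [
    {   # Both sides share DNS: compliant.
        "VpcPeeringConnectionId": "pcx-0aaa111122223333a",
        "Status": {"Code": "active"},
        "RequesterVpcInfo": {"VpcId": "vpc-0a1", "PeeringOptions": {"AllowDnsResolutionFromRemoteVpc": True}},
        "AccepterVpcInfo": {"VpcId": "vpc-0b2", "PeeringOptions": {"AllowDnsResolutionFromRemoteVpc": True}},
    },
    {   # Accepter side never enabled it: finding.
        "VpcPeeringConnectionId": "pcx-0bbb111122223333b",
        "Status": {"Code": "active"},
        "RequesterVpcInfo": {"VpcId": "vpc-0a1", "PeeringOptions": {"AllowDnsResolutionFromRemoteVpc": True}},
        "AccepterVpcInfo": {"VpcId": "vpc-0c3", "PeeringOptions": {"AllowDnsResolutionFromRemoteVpc": False}},
    },
    {   # Not yet accepted: options cannot be set, so skip rather than flag.
        "VpcPeeringConnectionId": "pcx-0ccc111122223333c",
        "Status": {"Code": "pending-acceptance"},
        "RequesterVpcInfo": {"VpcId": "vpc-0a1"},
        "AccepterVpcInfo": {"VpcId": "vpc-0d4"},
    },
]

SIDES = {"RequesterVpcInfo": "requester", "AccepterVpcInfo": "accepter"}

def dns_unshared_sides(pcx):
    """Return the sides that do not allow DNS resolution from the remote VPC.
    A missing PeeringOptions key is treated as disabled (the API omits it in some states)."""
    return [name for key, name in SIDES.items()
            if not pcx.get(key, {}).get("PeeringOptions", {}).get("AllowDnsResolutionFromRemoteVpc", False)]

def find_findings(peerings):
    """Only active peerings count; returns {peering_id: [unshared sides]}."""
    findings = {}
    for pcx in peerings:
        if pcx.get("Status", {}).get("Code") != "active":
            continue
        sides = dns_unshared_sides(pcx)
        if sides:
            findings[pcx["VpcPeeringConnectionId"]] = sides
    return findings

def remediation_command(pcx_id, sides):
    """Build the CLI call that enables DNS resolution on the flagged side(s).
    Each VPC owner can only modify its own side, so a cross-account peering needs one call per account."""
    flags = " ".join(f"--{s}-peering-connection-options AllowDnsResolutionFromRemoteVpc=true" for s in sides)
    return f"aws ec2 modify-vpc-peering-connection-options --vpc-peering-connection-id {pcx_id} {flags}"

if __name__ == "__main__":
    for pcx_id, sides in find_findings(SAMPLE_PEERINGS).items():
        print(f"{pcx_id}: DNS resolution not shared on {', '.join(sides)} side")
        print("  fix:", remediation_command(pcx_id, sides))
```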

Discover if you're vulnerable

SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.

Related Tests