How to Use Custom Domain Names inside AWS VPCs

Today I want to talk about how we can use our company-specific domain names for the hostnames that are assigned to our EC2 instances inside our VPCs, rather than the default region-specific domain name that AWS uses by default when assigning hostnames to the EC2 instances.

Scenario

Imagine that you have an existing corporate network on-premise that you now want to extend to AWS. You create a VPC in the region closest to your user base. You then connect your corporate network with your AWS VPC using VPN / Direct Connect. All your connected devices on your corporate network use a specific domain name, say the name of the company is ‘XYZ enterprise’ and so the company domain could be something like ‘xyz.com’. A connected computer that belongs to an employee named Andrew could have a hostname like ‘andrew-pc.xyz.com’.

Now, you want to reuse this same domain name for the EC2 instances that you are going to provision inside the AWS VPC. But, by default AWS VPCs use region-specific domain names for assigning the hostnames for the EC2 instances that are provisioned inside that VPC. How can you change this behaviour to assign the EC2 instance hostname using your own companies domain name? Continue reading to figure it out!

Default AWS VPC Domain Names

By default when we launch EC2 instances inside the default VPC or custom VPCs in our AWS accounts, they get assigned public DNS hostnames (if the ‘enableDnsHostname’ setting is turned on inside the VPC) and also private DNS hostnames which specifically are based on the default DHCP option sets that are assigned to the VPCs.

The public DNS name resolves to the public IP address of the EC2 instances when it is used from outside the VPC and the private DNS hostname resolves to the private IP address of the EC2 instance when used from inside the VPC. Inside the VPCs we need to turn on ‘enableDnsSupport’ and ‘enableDnsHostname’ settings for the domain names to get assigned to EC2 instances. By default, the EC2 instances are assigned private and public hostnames using the following pattern:

Internal:

External:

AWS DNS Server

Every AWS VPC has 5 private IP addresses reserved for internal use, out of the full VPC CIDR block range - The first 4 IP addresses and the last IP address in that range. Out of these 5 reserved IP addresses, the base VPC IP address + 2 is reserved for the AWS DNS Server also called Route 53 DNS resolver.

When the AWS DNS Server receives any DNS lookup requests it first tries to resolve those requests using the public or private hosted zones inside the Route 53 services associated with the VPC. If it is not able to resolve the DNS lookup requests from those hosted zones it then forwards the requests to a public DNS server on the internet.

DHCP Option Sets

Now, how do the EC2 instances know what DNS server they are supposed to forward the name resolve requests to? They get to know this information, in addition to other related information, from something called the DHCP option sets. These DHCP option sets are assigned at each VPC.

The default DHCP option set that gets assigned to a newly created VPC looks something like the one in the below screenshot. It points to the Domain name server ‘AmazonProvidedDNS’ which points to the DNS server running at base VPC IP address + 2. As we can see in the above screenshot, if the base IP address of the VPC is 10.0.0.0 then the DNS Server IP address should be 10.0.0.2).

Also, as we can see in the below screenshot of the default DHCP option set that gets assigned to a VPC created inside the us-east-1 region, the default domain name for EC2 instances is ‘ec2.internal’.

DHCP option sets are immutable, so if we want to have a custom domain name or a DNS server for our VPCs, we will need to create a new DHCP options set and assign it to our VPCs.

At a high level, the steps to follow to assign custom domain names for the EC2 instances inside a VPC are as follows:

• Create a new DHCP option set that includes the custom domain name.
• Associate the newly created DHCP option set with the VPC. At any point in time, only a single DHCP option set can be associated with any VPC.
• Make sure that the ‘enableDnsSupport’ and ‘enableDnsHostname’ settings are turned on inside the VPC. The ‘enableDnsHostname’ setting ensures that newly created EC2 instances inside the VPC get public hostnames in addition to public IP addresses.
• Launch an EC2 instance inside the VPC and check the private DNS hostnames allocated to the EC2 instances. It should use the custom domain name that was included in the custom DHCP option set associated with the VPC.
• Create a new private hosted zone inside the Route 53 service, with the same domain name that was included in the DHCP option set and associate the hosted zone with our VPC.
• Create ‘A’ records inside the private hosted zone for each of the EC2 instances and associate the two ‘A’ records with the private IP address of the EC2 instances.
• Now try doing a name lookup for an EC2 instance from inside another EC2 instance using its private hostname that includes the custom domain name. We should be able to get back the private IP address of that EC2 instance.

Demo: VPC with Custom Domain Names

Now, let’s see a demo of the complete process of creating a new VPC and associate it with our company domain name which in our case is ‘sanjaypsachdev.com’.

• Let’s log in to the AWS account and create a new VPC using the ‘Launch VPC Wizard’ inside the VPC console. c

• Let’s put in a CIDR block for the new VPC, select ‘No IPv6 CIDR block’, give a name to the VPC (VPC-1 in our case) and select an availability zone for the single public subnet that will be created inside this VPC. Click on ‘Create VPC’ to create the VPC. This will create a new VPC, a single subnet inside that VPC, create a route table, associate it with the subnet and also create an internet gateway and attach it to the VPC.

• Now, let’s create a new DHCP option set that will have our corporate domain name inside it and associate this DHCP option set with our newly created VPC. Let’s click on the ‘DHCP options Sets’ in the left menu inside the VPC dashboard.

• Let’s click on ‘Create DHCP option sets’ and inside the resulting dialogue box let’s put in our company domain name inside the ‘Domain name’ field. Also, let’s associate the newly created DHCP option set with our default DNS Server running inside the VPC (AmazonProvidedDNS).

• After saving the newly created DHCP option set, it should show up in the list of DHCP options sets.

• Now let’s go back to our newly created VPC and click on ‘Edit DHCP option set’ in the Actions menu with the VPC selected.

• Select the newly created DHCP option set in the ‘DHCP option set’ dropdown and click on ‘Save changes’. This will associate the newly created DHCP option set containing our corporate domain name with the VPC.

• Now, let’s create an EC2 instance inside our newly created VPC. Let’s auto-assign a public IP address to the instance so that we can log in and do some name lookups from inside it. Assign a private IP address to the EC2 instance from the VPC CIDR range. In our case, we assign an IP address 10.0.0.5 to it.

• Let’s create a new security group with SSH allowed from the internet so that we can log in to it and also allow ICMP inside the VPC so that we can ping the other instances inside the VPC for our test.

• Let’s create another EC2 instance inside the VPC. Let’s again auto-assign a public IP address to the instance so that we can log in and do some name lookups from inside it. Assign a private IP address to the EC2 instance from the VPC CIDR range. In our case, we assign an IP address 10.0.0.6 to it.

• Now, let’s go to the Route 53 Service dashboard inside the AWS console and let’s create a new private hosted zone, by clicking on the ‘Create hosted zone’ button.

• Enter the domain name the same as what was used inside the custom DHCP option set. This should be our company domain name. Select the ‘Private hosted zone’ type and associate the hosted zone with our newly created VPC.

• The newly created private hosted zone should show up as below.

• Now, let’s click on the ‘Create Record’ button and create two ‘A’ records for our EC2 instances inside our newly created VPC. The ‘Record name’ should be the name of the EC2 instances (EC2–1 and EC2–2) and the value should be the private IP addresses of those instances.

• Now, let’s log in to the first EC2 instance and check the hostname and the content of the ‘/etc/resolv.conf’ file.

As we can see in the above screenshot the hostname follows the desired pattern:

Also, the search domain inside the ‘/etc/resolv.conf’ file is ‘sanjaypsachdev.com’ due to the custom DHCP option set that we have assigned to the VPC.

Now let's try pinging the other EC2 instance (EC2–2) from inside the first EC2 instance (EC2–1). As we can see in the below screenshots, we can use the fully qualified domain name of the EC2 instance (EC2.sanjaypsachdev.com) or just the hostname (EC2) to ping the other EC2 instance. In the second case, it automatically appends the search domain to the EC2 instance hostname. The IP address that is used in both cases is the private IP address of that EC2 instance.

Now, let’s try to run the nslookup command using the hostname of the other EC2 instance.

As we can see in the above screenshot the DNS Server is located at the IP address that is the base VPC IP address + 2. Also, the IP address of ‘EC2–2' returned is the private IP address of that instance.

Conclusion

As we can see in the above demonstration, we can extend our corporate networks to AWS and reuse our corporate domain names for our EC2 instance hostnames, by creating custom DHCP option sets and also creating Route 53 hosted zones and associating them both with our VPCs. I hope this article has been useful and in case of any questions please reach out in the comments section. Thanks for reading.