Route53

  • Resolver Conditional forward rules
  • R53 Resolver endpoint - a single endpoint that can serve multiple VPCs in multiple accounts in the same region. Made of one or more ENIs. Available in each AZ.
  • The Resolver checks its Private Hosted Zone first (highest priority), then VPC DNS, and then Public DNS.
  • Inbound endpoints - Traffic from on-premise will reach R53 resolver through the inbound endpoint.
    • The IEP lives in the central VPC; it need not exist in every other VPC.
    • Each individual VPC has its own R53 PHZ; associate all those private hosted zones with the central VPC.
  • Outbound endpoints
    • We may have zones on-premises that our EC2 instances have to resolve.
    • On-prem has its own DNS server.
    • OEP - lets the R53 resolver query your on-premises DNS resolvers.
    • We need to create resolver rules that tell the Resolver how to resolve those names.
      • Forward and System - 2 types of rule
      • Forward has precedence over System rules.
    • Create the OEP in the central VPC and just share the rules with all the individual VPCs (you don't need an OEP in each VPC).
    • For VPC in other accounts the resolver rules can be shared through Resource access manager. 
  • Route 53 (https://github.com/Ernyoke/certified-aws-solutions-architect-professional/blob/main/02-networking/route53.md)
    1. If you want to map your instances to a custom domain name, you can use Amazon Route 53 to create a custom DNS-to-IP-mapping record. 
    2. An Amazon Route 53 hosted zone is a container that holds information about how you want Amazon Route 53 to respond to DNS queries for a domain and its subdomains. 
    3. Public Hosted Zones contain DNS information that is resolvable over the public internet while Private Hosted Zones are a specific implementation that only presents information to VPCs that have been attached to the specific private hosted zone. 
    4. In a Landing Zone setup where you have multiple VPCs/accounts, you can associate a single private hosted zone with multiple VPCs across AWS accounts and across Regions. The end hosts in the VPCs use their respective Route 53 Resolver IP (the VPC CIDR base address +2) as the name server for DNS queries. The Route 53 Resolver in a VPC accepts DNS queries only from resources within that VPC. 
    5. For inbound queries from on-premises to Route 53 hosted zones, DNS servers on your network can forward queries to inbound Resolver endpoints in a specified VPC. It is not recommended to create Route 53 Resolver endpoints in every VPC of the Landing Zone. Centralize them in a central egress VPC (in the Network services account). Using Resource Access Manager (RAM), share these Route 53 Resolver rules with multiple accounts (and associate with VPCs in the accounts). 
    6. DNSSEC is primarily used to protect your domain from DNS spoofing or man-in-the-middle attacks.
    7. Whether an endpoint is healthy depends on the type of health check:
      1. HTTP health check - the endpoint must respond with an HTTP status code of 2xx or 3xx within two seconds after connecting.
      2. TCP health check - Route 53 must be able to establish a TCP connection with the endpoint within ten seconds.
      3. HTTP with string matching - the string must appear entirely in the first 5,120 bytes of the response body, or the endpoint fails the health check.
      4. The health check that does the monitoring is the parent health check, and the health checks that are monitored are child health checks. One parent health check can monitor the health of up to 255 child health checks.
      5. If you set Evaluate Target Health to No, Route 53 continues to route traffic to the records that an alias record refers to even if health checks for those records are failing.
      6. For an individual EC2 instance you cannot create an Alias record. Alias records are meant for ELB.
      7. How you configure Route 53 to check the health of your resources depends on whether you're creating alias records or non-alias records:
        1. Alias records - specify Yes for Evaluate Target Health.
        2. Non-alias records - associate the health checks that you created with the corresponding records.
    8. To configure weighted routing, you create records that have the same name and type for each of your resources. You assign each record a relative weight that corresponds with how much traffic you want to send to each resource (for example, weights of 1 and 255).
    9. For weighted records, Route 53 chooses a record based on the weight that you specify for each record. If you add health checks to all the records in a group of weighted records, but you give nonzero weights to some records and zero weights to others, Route 53 initially considers only the nonzero-weighted records; only when all of them are unhealthy does it choose the zero-weighted records.
    10. By setting a higher TTL on a Route 53 record, you reduce the number of calls that DNS recursive resolvers must make to Route 53 to get the latest information in that record. This has the effect of reducing latency and reducing your bill for the Route 53 service. 
    11. Attackers sometimes hijack traffic to internet endpoints such as web servers by intercepting DNS queries and returning their own IP addresses to DNS resolvers in place of the actual IP addresses for those endpoints. Users are then routed to the IP addresses provided by the attackers in the spoofed response, for example, to fake websites. You can protect your domain from this type of attack, known as DNS spoofing or a man-in-the-middle attack, by configuring Domain Name System Security Extensions (DNSSEC), a protocol for securing DNS traffic.
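The following is an added example (not from the linked notes or from AWS) that models items 7 and 9 above: the HTTP and string-matching health-check rules, and the weighted-record selection with its zero-weight fallback. The fail-open behaviour when nothing is healthy is an assumption of this example, and all record data is constructed.

```python
"""Model of Route 53 weighted routing driven by health checks (added example)."""
import random

# Route 53 record weights are integers in 0..255.
MAX_WEIGHT = 255


def http_check_healthy(status, elapsed_s, body=b"", search_string=None):
    """HTTP (optionally string-matching) health check as described in item 7.

    Healthy when the endpoint answers 2xx/3xx within two seconds; with string
    matching the string must also appear in the first 5,120 bytes of the body.
    """
    if elapsed_s > 2.0 or not 200 <= status < 400:
        return False
    if search_string is not None:
        return search_string.encode() in body[:5120]
    return True


def selection_probabilities(records):
    """records: list of (name, weight, healthy). Returns {name: probability}.

    Only healthy nonzero-weight records are considered first; if all of them are
    unhealthy, healthy zero-weight records are used with equal probability.
    If nothing is healthy, this example assumes Route 53 answers as if every
    record were healthy (fail-open), which is an assumption, not page content.
    """
    if not records:
        return {}
    for name, weight, _ in records:
        if not 0 <= weight <= MAX_WEIGHT:
            raise ValueError(f"{name}: weight {weight} outside 0..{MAX_WEIGHT}")
    nonzero = [r for r in records if r[1] > 0 and r[2]]
    zero = [r for r in records if r[1] == 0 and r[2]]
    if nonzero:
        total = sum(w for _, w, _ in nonzero)
        return {n: w / total for n, w, _ in nonzero}
    if zero:
        return {n: 1 / len(zero) for n, _, _ in zero}
    # Fail-open: re-evaluate as if all records were healthy.
    return selection_probabilities([(n, w, True) for n, w, _ in records])


def choose_record(records, rng=random):
    """Pick one record name according to selection_probabilities()."""
    probs = selection_probabilities(records)
    names = list(probs)
    return rng.choices(names, weights=[probs[n] for n in names], k=1)[0]
```

Running `selection_probabilities` on the page's 1-and-255 example shows the 255 record taking 255/256 of answers while a zero-weight standby receives none until both weighted records fail.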
