Answer the question
In order to leave comments, you need to log in
What are the best practices for using private zones in AWS Route53?
There is an EC2 fleet that must talk to each other inside the infrastructure and some basins also respond to requests from the outside. Question: do I need to configure private zone(aws.local) and chain services to subdomains(ubuntu1.aws.local) to address messages within the network? How then to bind an SSL certificate in this case so that everything is secure?
Or is it enough to use Elastic IP for each machine + AWS Certificate manager + route53(public zone) and close all this with security groups?
Answer the question
In order to leave comments, you need to log in
1.
it's not entirely clear how your infrastructure is organized
Judging by the fact that you have the option "assign public IPs and manage public DNS names" - everything is located in the default vpc and this is not best practice.
It is recommended that you place instances that do not need internet access (those that host your services, that only serve your other services in the same VPC) on private VPC subnets.
In general, it is recommended to place ALL services on private subnets and organize access from the Internet to them using a proxy. AWS provides ALB(ELB\NLB depending on your needs), or you can set up your proxy (HAProxy, NGINX or others) on ec2 instance located in public subnet
2.
Route53 private zone
If your services are in a private subnet and you need to work with them by DNS names: you can register instances in the Route53 private zone or raise your private DNS on any software that you know how (in this case, you need to reconfigure the VPC settings in which you work in order to all services could work with your DNS)
You can also use service discovery software that provides DNS name resolution (for example, consul, but this will require raising a separate service on ec2 \ ecs to serve service discovery), or use the service discovery offered by AWS: Cloud Map - it uses route53 private zone for service registration and name resolution.
3.
Certificates
For services that are available publicly - nothing complicated: use Certificate Manager to issue certificates on ALB or
LetsEncrypt
if you use your own proxy software
to protect or not to protect communication between services in a private subnet depends on the level of your paranoia.
- ACM Private CA that you already know about
- If you use service discovery software, you can use the functionality offered by service mesh solutions, for example, consul connect service mesh: your application communicates with the consul proxy, which, providing TLS between nodes, directs application traffic to desired service
PS It is completely unclear why Mikrotik is in the tags
Or is it enough to use Elastic IP for each machine
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question