Resolve Private DNS Hostnames Across Cross-Tenancy Peered OCI VCNs
In the previous article, we created private connectivity
between two OCI tenancies using cross-tenancy VCN peering through DRG.
We used this setup to allow an Autonomous Database in one tenancy to
communicate privately with a VM database in another tenancy.
In this article, we will extend that setup and configure private
DNS resolution across the peered VCNs. Private network connectivity allows
resources to communicate using private IP addresses, but hostname resolution
across VCNs or tenancies does not always work automatically. For applications
and database connections, using hostnames is often better than using hardcoded
private IP addresses.
In this setup, the instances are in different tenancies, in two VCNs connected
using cross-tenancy VCN peering through DRG. The details are as below.
Component               | Value
------------------------|-------------------------------------------------------
Source VCN              | DBSource
Source VCN CIDR         | 192.168.0.0/16
Source hostname         | windows-instance.sub05070237210.dbsource.oraclevcn.com
Source private IP       | 192.168.0.213
Destination VCN         | DBVCN
Destination VCN CIDR    | 10.0.0.0/16
Destination hostname    | db19c.sub05052324220.dbvcn.oraclevcn.com
Destination private IP  | 10.0.0.169
Connectivity            | Cross-tenancy VCN peering through DRG
The requirement is:
windows-instance.sub05070237210.dbsource.oraclevcn.com
should be able to resolve:
db19c.sub05052324220.dbvcn.oraclevcn.com
to:
10.0.0.169
High-Level Architecture
The private DNS resolution flow will look like this:

Windows instance in DBSource VCN
        |
        | DNS query for db19c.sub05052324220.dbvcn.oraclevcn.com
        v
DBSource VCN Resolver
        |
        | Resolver rule forwards dbvcn.oraclevcn.com queries
        v
DBSource Forwarding Endpoint
        |
        | Cross-tenancy DRG peering
        v
DBVCN Listening Endpoint
        |
        | Resolves using DBVCN private DNS view
        v
db19c.sub05052324220.dbvcn.oraclevcn.com → 10.0.0.169
Prerequisites
Before configuring Private DNS, we need to make sure the following are already in place:
- Cross-tenancy VCN peering through DRG is configured between DBSource and DBVCN.
- Route tables allow traffic from 192.168.0.0/16 to 10.0.0.0/16.
- Route tables allow return traffic from 10.0.0.0/16 to 192.168.0.0/16.
- Security lists or NSGs allow DNS traffic between the resolver endpoint subnets.
For DNS communication it is enough to allow only UDP port 53 and TCP port 53, and both protocols are required.
Step 1: Confirm Private Hostnames and Private IP Addresses
First, confirm the private hostnames and private IP addresses.
Source Instance
Source instance details:
VCN: DBSource
Hostname: windows-instance.sub05070237210.dbsource.oraclevcn.com
Private IP: 192.168.0.213
Destination Instance
Destination VM database details:
VCN: DBVCN
Hostname: db19c.sub05052324220.dbvcn.oraclevcn.com
Private IP: 10.0.0.169
Before Private DNS forwarding is configured, we may be able
to reach the destination private IP if routing and security are correct:
Test-NetConnection 10.0.0.169 -Port 1521
But hostname resolution may fail:
nslookup db19c.sub05052324220.dbvcn.oraclevcn.com
Step 2: Create a Listening Endpoint in Destination VCN DBVCN
Since the hostname belongs to the destination VCN, create a listening
endpoint in DBVCN.
Go to:
OCI Console
→ Networking
→ Virtual Cloud Networks
→ DBVCN
→ DNS Resolver
→ Endpoints
→ Create Endpoint
Select:
Endpoint type: Listening
VCN: DBVCN
Subnet: Select a private subnet in DBVCN
Endpoint IP: Auto-assigned or manually selected
After the endpoint is created, note the listening endpoint IP address. This IP
address will be used as the destination in the resolver rule in the source VCN.
Choose DBVCN as the Private view and click Save changes.
Step 3: Create a Forwarding Endpoint in Source VCN DBSource
Now create a forwarding endpoint in the source VCN DBSource.
Go to:
OCI Console
→ Networking
→ Virtual Cloud Networks
→ DBSource
→ DNS Resolver
→ Endpoints
→ Create Endpoint
Select:
Endpoint type: Forwarding
VCN: DBSource
Subnet: Select a private subnet in DBSource
Endpoint IP: Auto-assigned or manually selected
Click the Create Endpoint button.
Next, create the resolver rule.
Step 4: Create a Resolver Rule in DBSource
Now create a resolver rule in the source VCN resolver. This
rule forwards DNS queries for the destination VCN domain to the DBVCN listening
endpoint.
Go to:
OCI Console
→ Networking
→ Virtual Cloud Networks
→ DBSource
→ DNS Resolver
→ Rules
→ Create Rule
Create a forwarding rule:
Click the Add Rule button.
Match condition:
Rule Condition: Domains
Domain: dbvcn.oraclevcn.com
Rule:
Action: Forward
Source Endpoint: the forwarding endpoint created in the previous step
Destination IP: the IP address of the listening endpoint created in the destination VCN (DBVCN)
Click Save Changes.
Step 5: Validate DNS Resolution from Source Windows Instance
Log in to the source Windows instance:
windows-instance.sub05070237210.dbsource.oraclevcn.com
Run:
nslookup db19c.sub05052324220.dbvcn.oraclevcn.com
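As an added example (not part of the original article), the following PowerShell script runs the Step 5 check on the source Windows instance and narrows down where resolution breaks when it fails. It assumes the OCI VCN resolver address 169.254.169.254 and uses a placeholder for the DBVCN listening endpoint IP noted in Step 2.

```powershell
# Added validation script, not from the original article. Run on the DBSource
# Windows instance after Step 4. All values are from the article except
# $ListenerIp, which is a placeholder for the listening endpoint IP from Step 2.
$DestHost    = 'db19c.sub05052324220.dbvcn.oraclevcn.com'
$ExpectedIp  = '10.0.0.169'
$ListenerIp  = '10.0.X.X'          # placeholder: DBVCN listening endpoint IP
$VcnResolver = '169.254.169.254'   # OCI VCN resolver used by instances

function Test-PrivateDnsForwarding {
    # 1. Query the VCN resolver and bypass the local cache, so the answer must
    #    travel the forwarding rule -> forwarding endpoint -> listener path.
    try {
        $a = Resolve-DnsName -Name $DestHost -Type A -Server $VcnResolver -DnsOnly -ErrorAction Stop |
             Where-Object { $_.QueryType -eq 'A' }
    } catch {
        Write-Warning "VCN resolver returned no answer: $($_.Exception.Message)"
        # 2. Query the listener directly (only works if security rules let this
        #    subnet reach the listener on port 53). Success here means the DBVCN
        #    view is fine and the DBSource rule or forwarding endpoint is the
        #    problem; failure points at the listener, its view, or port 53 rules.
        try {
            $d = Resolve-DnsName -Name $DestHost -Type A -Server $ListenerIp -DnsOnly -ErrorAction Stop
            Write-Warning "Listener answers directly ($($d.IPAddress -join ', ')); check the rule for dbvcn.oraclevcn.com"
        } catch {
            Write-Warning "Listener $ListenerIp does not answer either: $($_.Exception.Message)"
        }
        return $false
    }

    if ($a.IPAddress -notcontains $ExpectedIp) {
        Write-Warning "Resolved to $($a.IPAddress -join ', ') but expected $ExpectedIp; check the DBVCN private view"
        return $false
    }
    Write-Host "OK: $DestHost -> $($a.IPAddress -join ', ') via $VcnResolver"

    # 3. Resolution is only useful if the routed path works too: test the VM
    #    database listener port by hostname rather than by hardcoded IP.
    $tnc = Test-NetConnection -ComputerName $DestHost -Port 1521 -WarningAction SilentlyContinue
    if (-not $tnc.TcpTestSucceeded) {
        Write-Warning "TCP 1521 to $DestHost ($($tnc.RemoteAddress)) failed; check route tables and security lists"
        return $false
    }
    Write-Host "OK: TCP 1521 reachable at $($tnc.RemoteAddress)"
    return $true
}

Test-PrivateDnsForwarding
```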
If hostname resolution is also needed in the reverse direction, create a
listening endpoint in the source VCN and a forwarding endpoint in the destination VCN.