Configuring DNS records for AWS
Prerequisites
- The AWS CLI.
- Necessary AWS permissions for DNS administration.
You may also choose to use kubectl to find your Yellowbrick IP address in the example below.
Instructions
Step 1: Create a ‘child’ hosted zone for your Yellowbrick environment and retrieve its NS records. Run this in the AWS account of your Yellowbrick deployment.
```bash
export AWS_PAGER=""
export AWS_PROFILE=$YOURPROFILE
aws sts get-caller-identity
## Update childZoneDnsName to your environment
childZoneDnsName=""
## Example: childZoneDnsName="xyz.dev.yellowbrickcloud.com"
## Create the hosted zone
aws route53 create-hosted-zone --name $childZoneDnsName --caller-reference $(date +%Y%m%dT%H%M%SZ)
## Example:
## aws route53 create-hosted-zone --name xyz.dev.yellowbrickcloud.com --caller-reference $(date +%Y%m%dT%H%M%SZ)
## Save the NS records of the child zone for reference in step 2.
childZoneId=$(aws route53 list-hosted-zones --query "HostedZones[?Name == '${childZoneDnsName}.'].Id | [0]" --output text | cut -d'/' -f3) && echo $childZoneId
aws route53 list-resource-record-sets --hosted-zone-id $childZoneId --query "ResourceRecordSets[?Type == 'NS'].ResourceRecords[].Value" --output text | tr '\t' '\n' > /tmp/nsrecords
## Confirm the file holds the four nameservers of the child zone
cat /tmp/nsrecords
```
Step 2: In the account of your root DNS zone, delegate the child zone by adding its NS (nameserver) records to your domain. You will need access to the account of your root DNS zone.
```bash
## Turn off the cli pager and ensure you are pointing to the correct aws account (root dns zone account) if not already.
export AWS_PAGER=""
export AWS_PROFILE=""
## Example: export AWS_PROFILE=yb-dns
aws sts get-caller-identity
rootZoneDnsName=""
## Example: rootZoneDnsName=dev.yellowbrickcloud.com
childZoneDnsName=""
## Example: childZoneDnsName=xyz.dev.yellowbrickcloud.com
## The four NS values saved in step 1 (Route 53 prints them with a trailing ".")
cat /tmp/nsrecords
## Load the four values into variables. The trailing "." is stripped here and added back by the template below.
nsRecord1=$(sed -n 1p /tmp/nsrecords | sed 's/\.$//')
nsRecord2=$(sed -n 2p /tmp/nsrecords | sed 's/\.$//')
nsRecord3=$(sed -n 3p /tmp/nsrecords | sed 's/\.$//')
nsRecord4=$(sed -n 4p /tmp/nsrecords | sed 's/\.$//')
## Write the change batch. The "Name" and every "Value" must end with ".":
cat >/tmp/ns.json <<EOF
{
  "Comment": "Add NS records",
  "Changes": [
    {
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "${childZoneDnsName}.",
        "Type": "NS",
        "TTL": 60,
        "ResourceRecords": [
          { "Value": "${nsRecord1}." },
          { "Value": "${nsRecord2}." },
          { "Value": "${nsRecord3}." },
          { "Value": "${nsRecord4}." }
        ]
      }
    }
  ]
}
EOF
cat /tmp/ns.json
## Example:
# {
#   "Comment": "Add NS records",
#   "Changes": [
#     {
#       "Action": "UPSERT",
#       "ResourceRecordSet": {
#         "Name": "xyz.dev.yellowbrickcloud.com.",
#         "Type": "NS",
#         "TTL": 60,
#         "ResourceRecords": [
#           { "Value": "ns-852.awsdns-42.net." },
#           { "Value": "ns-174.awsdns-21.com." },
#           { "Value": "ns-1857.awsdns-40.co.uk." },
#           { "Value": "ns-1384.awsdns-45.org." }
#         ]
#       }
#     }
#   ]
# }
## Add the NS records of your child zone to your root zone
rootZoneId=$(aws route53 list-hosted-zones --query "HostedZones[?Name == '${rootZoneDnsName}.'].Id | [0]" --output text | cut -d'/' -f3)
echo "${rootZoneId}"
aws route53 change-resource-record-sets --hosted-zone-id $rootZoneId --change-batch file:///tmp/ns.json
## Example output:
# {
#   "ChangeInfo": {
#     "Id": "/change/C08335323T0L071YY3EW9",
#     "Status": "PENDING",
#     "SubmittedAt": "2024-09-05T00:39:24.469000+00:00",
#     "Comment": "Add NS records"
#   }
# }
## Confirm the child zone NS records were added to the root zone:
aws route53 list-resource-record-sets \
  --hosted-zone-id $rootZoneId \
  --query "ResourceRecordSets[?Name == '${childZoneDnsName}.' && Type == 'NS']" \
  --output json
## Example output:
# [
#   {
#     "Name": "xyz.dev.yellowbrickcloud.com.",
#     "Type": "NS",
#     "TTL": 60,
#     "ResourceRecords": [
#       { "Value": "ns-2029.awsdns-61.co.uk." },
#       { "Value": "ns-562.awsdns-06.net." },
#       { "Value": "ns-190.awsdns-23.com." },
#       { "Value": "ns-1322.awsdns-37.org." }
#     ]
#   }
# ]
```
Step 3: Test DNS resolution of the child hosted zone with dig or nslookup.
```bash
dig -t NS $childZoneDnsName
## Example: dig -t NS mysubdomain.dev.mydomain.com
## You should see an ANSWER section listing the four nameservers of the child zone
# ;; ANSWER SECTION:
# mysubdomain.dev.mydomain.com. 172800 IN NS ns-1241.awsdns-27.org.
# mysubdomain.dev.mydomain.com. 172800 IN NS ns-1703.awsdns-20.co.uk.
# mysubdomain.dev.mydomain.com. 172800 IN NS ns-490.awsdns-61.com.
# mysubdomain.dev.mydomain.com. 172800 IN NS ns-527.awsdns-01.net.
nslookup -type=ns $childZoneDnsName
```
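A consistency check for the delegation set up in steps 2 and 3, added here as an example and not part of the original Yellowbrick docs: it normalizes NS values (case, stray whitespace, and the trailing dot the page warns about), parses the dig answer from step 3, and reports any nameserver that is delegated in the root zone but not authoritative in the child zone, or vice versa. The sample NS values and dig output below are constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the Yellowbrick docs: check that the NS records
# delegated in the root zone (step 2) match the NS set the child zone itself
# returns (steps 1 and 3). A mismatch sends resolvers to nameservers that are
# not authoritative for the child zone, so nothing under it resolves reliably.
# Read names on stdin; lowercase, drop blanks, force exactly one trailing dot
# (Route 53 wants the dot; dig prints it, hand-typed values often omit it).
normalize_ns_list() {
    tr '[:upper:]' '[:lower:]' | tr -d '[:blank:]' \
        | sed -e '/^$/d' -e 's/\.*$/./' | sort -u
}

# Pull the NS values out of "dig -t NS <zone>" output (ANSWER section lines
# look like "zone. 172800 IN NS ns-1.awsdns-1.org.").
extract_ns_from_dig() {
    awk '$3 == "IN" && $4 == "NS" { print $5 }'
}

# Compare two newline-separated NS lists (child-authoritative, root-delegated).
# Returns 0 when the sets are identical, 1 otherwise, listing each difference.
compare_ns_sets() {
    local tc tp rc=0
    tc=$(mktemp) && tp=$(mktemp)
    printf '%s\n' "$1" | normalize_ns_list > "$tc"
    printf '%s\n' "$2" | normalize_ns_list > "$tp"
    if ! cmp -s "$tc" "$tp"; then
        echo "authoritative in child but not delegated in root:"
        comm -23 "$tc" "$tp"
        echo "delegated in root but not authoritative in child:"
        comm -13 "$tc" "$tp"
        rc=1
    fi
    rm -f "$tc" "$tp"
    return "$rc"
}

# Constructed sample data, shaped like the awsdns names shown on this page:
# what /tmp/nsrecords holds after step 1, and a dig answer from step 3.
CHILD_NS='ns-852.awsdns-42.net.
ns-174.awsdns-21.com.
ns-1857.awsdns-40.co.uk.
ns-1384.awsdns-45.org.'
DIG_SAMPLE=';; ANSWER SECTION:
xyz.dev.yellowbrickcloud.com. 172800 IN NS NS-852.awsdns-42.net.
xyz.dev.yellowbrickcloud.com. 172800 IN NS ns-174.awsdns-21.com.
xyz.dev.yellowbrickcloud.com. 172800 IN NS ns-1857.awsdns-40.co.uk.
xyz.dev.yellowbrickcloud.com. 172800 IN NS ns-1384.awsdns-45.org'

compare_ns_sets "$CHILD_NS" "$(printf '%s\n' "$DIG_SAMPLE" | extract_ns_from_dig)" && echo "delegation matches"
```

In practice, pass the contents of /tmp/nsrecords as the first argument and the output of `dig -t NS $childZoneDnsName` piped through extract_ns_from_dig as the second.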
Step 4: In the account of your Yellowbrick deployment, add an A record for the Yellowbrick Manager to your child hosted zone.
You will need to retrieve the NLB DNS name of the Yellowbrick Manager and set the 'dnsName' variable. The record name can be anything you desire (manager, mgr, yb-manager, etc.). We will create a simple alias A record that points a name of your choosing at the Manager (Example: 142.250.65.110 referenced by manager.yellowbrick.com).
```bash
## Ensure aws cli is pointed to the correct aws account of the Yellowbrick install (the account where the child zone is located)
export AWS_PAGER=""
export AWS_PROFILE=$YOURPROFILE
## Update dnsName to the NLB DNS name of your Yellowbrick Manager
dnsName=""
## Example: dnsName=afc7bd334fd5d4c5cbd2e7b2533e0e4b-e1f916f82bad35e7.elb.us-east-1.amazonaws.com
## You can also retrieve the dns via kubectl:
## dnsName=$(kubectl -n $NAMESPACE get service yb-manager-service -o json | jq -r '.status.loadBalancer.ingress[].hostname') && echo $dnsName
## The NLB name is the part of its DNS name before the first "-"
nlbName=$(echo "$dnsName" | awk -F'-' '{print $1}') && echo $nlbName
nlbZoneId=$(aws elbv2 describe-load-balancers --names $nlbName --query 'LoadBalancers[0].CanonicalHostedZoneId' --output text) && echo $nlbZoneId
childZoneId=$(aws route53 list-hosted-zones --query "HostedZones[?Name == '${childZoneDnsName}.'].Id | [0]" --output text | cut -d'/' -f3) && echo $childZoneId
## The heredoc below substitutes 'recordNameYm', 'childZoneDnsName', 'nlbZoneId', and 'dnsName', so all four must be set. The value for recordNameYm can be any string (Ex. "manager", "ym", "yb-manager", etc.)
recordNameYm=""
## Example: recordNameYm="manager"
cat >/tmp/ym.json <<EOF
{
  "Comment": "Add A record for Yellowbrick Manager",
  "Changes": [
    {
      "Action": "CREATE",
      "ResourceRecordSet": {
        "Name": "${recordNameYm}.${childZoneDnsName}.",
        "Type": "A",
        "AliasTarget": {
          "HostedZoneId": "${nlbZoneId}",
          "DNSName": "${dnsName}.",
          "EvaluateTargetHealth": true
        }
      }
    }
  ]
}
EOF
cat /tmp/ym.json
## Example json: the HostedZoneId is not the zone id of your child zone. It's the zone id of the NLB.
# {
#   "Comment": "Add A record for Yellowbrick Manager",
#   "Changes": [
#     {
#       "Action": "CREATE",
#       "ResourceRecordSet": {
#         "Name": "manager.xyz.dev.yellowbrickcloud.com.",
#         "Type": "A",
#         "AliasTarget": {
#           "HostedZoneId": "Z26RNL4JYFTOTI",
#           "DNSName": "a5b093499a6cf43f08c56afb7dbcaf78-62235f00c1f799a3.elb.us-east-1.amazonaws.com.",
#           "EvaluateTargetHealth": true
#         }
#       }
#     }
#   ]
# }
```
Step 5: Apply the record for Yellowbrick Manager
```bash
aws route53 change-resource-record-sets --hosted-zone-id $childZoneId --change-batch file:///tmp/ym.json
```
Step 6: Check DNS resolution for the Yellowbrick Manager
```bash
dig -t A "${recordNameYm}.${childZoneDnsName}"
## Example: dig -t A manager.xyz.dev.yellowbrickcloud.com
## Example output:
# ;; ANSWER SECTION:
# manager.xyz.dev.yellowbrickcloud.com. 55 IN A **.**.54.6
```
Step 7: Add the Yellowbrick instance IP(s) or the DNS name of the instance NLB to your child hosted zone.
You will need to retrieve the address associated with each instance. This can be found in the Yellowbrick Manager under "Instances". Repeat this step to create a DNS record for each instance.
```bash
## Ensure aws cli is pointed to the correct aws account of the Yellowbrick install (the account where the child zone is located)
export AWS_PAGER=""
export AWS_PROFILE=$YOURPROFILE
## Retrieve the NLB DNS name of the instance from the Yellowbrick Manager under 'Instances' > 'Host/Port'.
## IMPORTANT: perform the remaining steps for each instance to create its entry in Route 53.
dnsName=""
## Example: dnsName=afc7bd334fd5d4c5cbd2e7b2533e0e4b-e1f916f82bad35e7.elb.us-east-1.amazonaws.com
## You can also retrieve the dns via kubectl (instanceName is the name of the instance):
## dnsName=$(kubectl -n $NAMESPACE get service ybinst-${instanceName} -o json | jq -r '.status.loadBalancer.ingress[].hostname') && echo $dnsName
## The NLB name is the part of its DNS name before the first "-"
nlbName=$(echo "$dnsName" | awk -F'-' '{print $1}') && echo $nlbName
nlbZoneId=$(aws elbv2 describe-load-balancers --names $nlbName --query 'LoadBalancers[0].CanonicalHostedZoneId' --output text) && echo $nlbZoneId
childZoneId=$(aws route53 list-hosted-zones --query "HostedZones[?Name == '${childZoneDnsName}.'].Id | [0]" --output text | cut -d'/' -f3) && echo $childZoneId
## Create the json for Route 53. The heredoc substitutes 'recordNameDw', 'childZoneDnsName', 'nlbZoneId', and 'dnsName', so all four must be set. The value for recordNameDw can be any string (Ex. "dw", "myinstance", "dw-dev", etc.).
recordNameDw=""
## Example: recordNameDw="dw"
cat >/tmp/dw.json <<EOF
{
  "Comment": "Add A record for Yellowbrick instance",
  "Changes": [
    {
      "Action": "CREATE",
      "ResourceRecordSet": {
        "Name": "${recordNameDw}.${childZoneDnsName}.",
        "Type": "A",
        "AliasTarget": {
          "HostedZoneId": "${nlbZoneId}",
          "DNSName": "${dnsName}.",
          "EvaluateTargetHealth": true
        }
      }
    }
  ]
}
EOF
cat /tmp/dw.json
## Example output: all of the parameters should be set from the previous commands. The HostedZoneId is not the zone id of your child zone. It's the zone id of the NLB associated with the instance.
# {
#   "Comment": "Add A record for Yellowbrick instance",
#   "Changes": [
#     {
#       "Action": "CREATE",
#       "ResourceRecordSet": {
#         "Name": "dw.xyz.dev.yellowbrickcloud.com.",
#         "Type": "A",
#         "AliasTarget": {
#           "HostedZoneId": "***TOTI",
#           "DNSName": "***********99a3.elb.us-east-1.amazonaws.com.",
#           "EvaluateTargetHealth": true
#         }
#       }
#     }
#   ]
# }
```
Step 8: Apply the record for the instance
```bash
aws route53 change-resource-record-sets --hosted-zone-id $childZoneId --change-batch file:///tmp/dw.json
```
Step 9: Check DNS resolution for the instance
```bash
dig -t A "${recordNameDw}.${childZoneDnsName}"
## Example: dig -t A dw.xyz.dev.yellowbrickcloud.com
```