Configure access to PrivateZone


Alibaba Cloud DNS PrivateZone is a service for private domain name resolution and management within a Virtual Private Cloud (VPC). After you connect a virtual border router (VBR) instance, an IPsec-VPN connection, or a Cloud Connect Network (CCN) instance to a transit router (TR), the on-premises network can access Alibaba Cloud DNS PrivateZone for DNS resolution by using the transit router.


Limitations

  • An on-premises network connected through an IPsec-VPN connection can access Alibaba Cloud DNS PrivateZone only through an Enterprise Edition transit router.

  • If a VBR instance is connected to a Basic Edition transit router, the on-premises network can access Alibaba Cloud DNS PrivateZone only through the Basic Edition transit router and a VPC in the same region. The on-premises network cannot access Alibaba Cloud DNS PrivateZone by using a transit router and a VPC in a different region.

    For example, if a VBR instance is in the China (Beijing) region, the on-premises network can access Alibaba Cloud DNS PrivateZone only through the Basic Edition transit router and a VPC in the China (Beijing) region.

Prerequisites

  • Ensure that you have deployed Alibaba Cloud DNS PrivateZone. For more information, see Alibaba Cloud DNS PrivateZone Quick Start.

  • Ensure that the VPC associated with Alibaba Cloud DNS PrivateZone and the VBR instance, IPsec-VPN connection, or CCN instance associated with the on-premises network are connected to a transit router. For more information, see Create a VPC connection, Create a VBR connection, Create a VPN connection, or Create a CCN connection.

    If the on-premises network needs to access Alibaba Cloud DNS PrivateZone across regions, ensure that you have created an inter-region connection between the transit routers. For more information, see Create an inter-region connection.

  • If your on-premises network uses a CCN instance to connect to Alibaba Cloud and the account that owns the CCN instance is different from the accounts that own the VPC and the transit router, you must grant permissions to the CCN instance before you proceed. For more information, see Authorize a CCN instance.

Configure PrivateZone in an Enterprise Edition transit router

Add PrivateZone configuration

  1. Log on to the CEN console.

  2. On the CEN Instance page, click the ID of the CEN instance that you want to manage.

  3. On the Basic Settings > Transit Router tab, find the transit router in the same region as the VPC associated with Alibaba Cloud DNS PrivateZone and click its ID.

  4. On the details page of the transit router, click the Route Table tab.

  5. On the Route Table tab, select the route table from the left-side list. In the Route Table Details section, click the Route Entry tab and then click Add Route Entry.

  6. In the Add Route Entry dialog box, set the parameters and click OK.

    • Route Table: The system selects the current route table by default.

    • Transit Router ID: The system selects the current transit router by default.

    • Name: Enter a name for the route entry.

    • Destination CIDR: Enter the service IP addresses of Alibaba Cloud DNS PrivateZone. Alibaba Cloud DNS PrivateZone provides services by using 100.100.2.136/32 and 100.100.2.138/32. Repeat this step to add a route for each of the two CIDR blocks to the route table.

    • Blackhole Route: Select whether this is a blackhole route. Valid values: Yes (this is a blackhole route; all traffic destined for this route is dropped) and No (this is not a blackhole route; you must specify a next hop). In this example, select No.

    • Next Hop: Select the next hop for the route. Select the connection ID of the VPC that is attached to the transit router.

    • Description: Enter a description for the route entry.

Delete PrivateZone configuration

  1. Log on to the CEN console.

  2. On the CEN Instance page, click the ID of the CEN instance that you want to manage.

  3. On the Basic Settings > Transit Router tab, find the transit router in the same region as the VPC associated with Alibaba Cloud DNS PrivateZone and click its ID.

  4. On the details page of the transit router, click the Route Table tab.

  5. On the Route Table tab, select the route table from the left-side list. On the Route Entry tab of the Route Table Details section, find the route entry for Alibaba Cloud DNS PrivateZone.

  6. In the Actions column of the route entry, click Delete. In the Delete Route Entry dialog box, click OK.

Configure PrivateZone by using APIs

You can call API operations using tools such as Alibaba Cloud SDK (recommended), Alibaba Cloud CLI, Terraform, and Resource Orchestration Service (ROS) to add and manage routes for Alibaba Cloud DNS PrivateZone in the route table of an Enterprise Edition transit router. For more information about the API operations, see the following topics:
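The following Terraform configuration is an added example, not part of the Alibaba Cloud documentation, showing the Enterprise Edition procedure above as code: one route entry per PrivateZone service address, with the VPC attachment as the next hop. It assumes the transit router route table and the VPC attachment already exist and that their IDs are passed in as the two variables.

```hcl
# Added example (not from the Alibaba Cloud documentation). Assumes an existing
# Enterprise Edition transit router route table and an existing VPC attachment
# in the PrivateZone host region; both IDs are supplied as variables.

variable "transit_router_route_table_id" {
  description = "Route table of the transit router in the PrivateZone host region (assumed, e.g. vtb-xxx)"
  type        = string
}

variable "privatezone_vpc_attachment_id" {
  description = "Attachment ID of the VPC associated with PrivateZone (assumed, e.g. tr-attach-xxx)"
  type        = string
}

locals {
  # Service addresses of Alibaba Cloud DNS PrivateZone, as stated on the page.
  privatezone_service_cidrs = toset(["100.100.2.136/32", "100.100.2.138/32"])
}

# One route entry per service address. Both point at the VPC attachment, which
# matches the console settings "Blackhole Route = No, Next Hop = VPC connection".
resource "alicloud_cen_transit_router_route_entry" "privatezone" {
  for_each = local.privatezone_service_cidrs

  transit_router_route_table_id                     = var.transit_router_route_table_id
  transit_router_route_entry_destination_cidr_block = each.value
  # "BlackHole" would silently drop all DNS traffic to this address instead.
  transit_router_route_entry_next_hop_type          = "Attachment"
  transit_router_route_entry_next_hop_id            = var.privatezone_vpc_attachment_id
  transit_router_route_entry_name                   = "privatezone-${replace(each.value, "/", "-")}"
  transit_router_route_entry_description            = "Route PrivateZone DNS traffic from on-premises to the host VPC"
}

# Map of CIDR block to the created route entry resource ID, for auditing.
output "privatezone_route_entry_ids" {
  value = { for cidr, entry in alicloud_cen_transit_router_route_entry.privatezone : cidr => entry.id }
}
```

Run `terraform plan` before applying and confirm that exactly two route entries are created and that neither has a next hop type of `BlackHole`.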

Configure PrivateZone in a Basic Edition transit router

Add PrivateZone configuration

  1. Log on to the CEN console.

  2. On the CEN Instance page, click the ID of the CEN instance that you want to manage.

  3. On the Basic Settings > Transit Router tab, find the transit router in the same region as the VPC associated with Alibaba Cloud DNS PrivateZone and click its ID.

  4. If you are configuring Alibaba Cloud DNS PrivateZone for the first time, click the Access Private Zone tab on the details page of the transit router. Then, click Authorization. On the RAM Quick Authorization page, click Agree to Authorization.


    After the authorization is complete, the on-premises network connected through the CCN instance, a component of Smart Access Gateway (SAG), can access Alibaba Cloud DNS PrivateZone.

  5. Return to the Access Private Zone tab and click Configure PrivateZone. In the Configure PrivateZone dialog box, set the following parameters and click OK.

    PrivateZone

    • Host Region: The region where Alibaba Cloud DNS PrivateZone is deployed.

    • Host VPC: The VPC associated with Alibaba Cloud DNS PrivateZone.

    • Access Region: The region where the VBR instance, IPsec-VPN connection, or CCN instance that needs to access Alibaba Cloud DNS PrivateZone is deployed.

Delete PrivateZone configuration

  1. Log on to the CEN console.

  2. On the CEN Instance page, click the ID of the CEN instance that you want to manage.

  3. On the Basic Settings > Transit Router tab, find the transit router in the region where Alibaba Cloud DNS PrivateZone is deployed and click its ID.

  4. On the details page of the transit router, click the Access Private Zone tab. Find the configuration that you want to delete and click Delete in the Actions column.

  5. In the Delete PrivateZone dialog box, click OK.

Configure PrivateZone by using APIs

You can call API operations using tools such as Alibaba Cloud SDK (recommended), Alibaba Cloud CLI, Terraform, and Resource Orchestration Service (ROS) to configure access to Alibaba Cloud DNS PrivateZone in a Basic Edition transit router. For more information about the API operations, see the following topics:
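The following Terraform configuration is an added example, not part of the Alibaba Cloud documentation, showing the Basic Edition PrivateZone access settings (host region, host VPC, access region) as code, with the two limitations from the top of the page encoded as checks. It assumes the RAM authorization from step 4 of the console procedure has already been granted and that the CEN and VPC IDs are passed in as variables.

```hcl
# Added example (not from the Alibaba Cloud documentation). Assumes the RAM
# authorization for PrivateZone access has already been granted in the console
# and that the CEN instance and host VPC already exist (IDs passed as variables).

variable "cen_id" {
  description = "CEN instance that the Basic Edition transit router belongs to (assumed, e.g. cen-xxx)"
  type        = string
}

variable "host_region_id" {
  description = "Region where PrivateZone and its associated VPC are deployed"
  type        = string
  default     = "cn-beijing" # constructed sample value; the page's example region
}

variable "host_vpc_id" {
  description = "VPC associated with Alibaba Cloud DNS PrivateZone (assumed, e.g. vpc-xxx)"
  type        = string
}

variable "access_region_id" {
  description = "Region of the VBR or CCN instance that connects the on-premises network"
  type        = string
}

variable "on_premises_connection_type" {
  description = "How the on-premises network reaches Alibaba Cloud: VBR or CCN"
  type        = string

  # The page states that an IPsec-VPN connection can use PrivateZone only
  # through an Enterprise Edition transit router, so it is rejected here.
  validation {
    condition     = contains(["VBR", "CCN"], var.on_premises_connection_type)
    error_message = "Basic Edition transit routers support PrivateZone access for VBR and CCN only."
  }
}

resource "alicloud_cen_private_zone" "on_premises_access" {
  cen_id           = var.cen_id
  host_region_id   = var.host_region_id
  host_vpc_id      = var.host_vpc_id
  access_region_id = var.access_region_id

  lifecycle {
    # A VBR behind a Basic Edition transit router cannot reach PrivateZone
    # through a VPC in another region (see Limitations).
    precondition {
      condition     = var.on_premises_connection_type != "VBR" || var.access_region_id == var.host_region_id
      error_message = "With a VBR, access_region_id must equal host_region_id on a Basic Edition transit router."
    }
  }
}
```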