Forwarding Management


The Forward Zone feature forwards DNS queries from an Alibaba Cloud VPC to an external DNS system by using a Forward Rule together with an Outbound Endpoint. It resolves the names used in service calls across hybrid cloud environments that span Alibaba Cloud and on-premises networks.

Available regions

This feature is available in the following regions:

Public cloud regions: China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Chengdu), China (Hong Kong), Singapore, UK (London), US (Virginia), Germany (Frankfurt), Japan (Tokyo), Indonesia (Jakarta), China (Ulanqab), China (Guangzhou), China (Heyuan), Philippines (Manila), South Korea (Seoul), Saudi Arabia (Riyadh) - Partner Operated, and Malaysia (Kuala Lumpur).

Finance Cloud regions: China (Shanghai) Finance and China (Shenzhen) Finance.

Procedure


Outbound Endpoint

Add Outbound Endpoint

  1. Go to the Alibaba Cloud DNS PrivateZone console.

  2. On the Forward Zone page, click the Outbound Endpoint tab, and then click Add Outbound Endpoint.

  3. Configure the parameters and submit the form.

    • Endpoint Name: Enter a name for the endpoint based on your business requirements.

    • Outbound VPC: Select the VPC through which all outbound DNS queries will be forwarded.

      Important
      • To prevent service disruptions, you cannot change the Outbound VPC after the endpoint is created.

      • For the list of supported regions, see the Available regions section. To request this feature in other regions, submit a ticket and specify the desired region.

    • Security Group: Select a security group whose rules will apply to the outbound VPC.

      Important
      • Ensure that the security group allows outbound traffic on port 53. DNS uses UDP port 53 and falls back to TCP port 53 for large responses, so allow both protocols. Inbound rules do not affect the forwarding feature.

      • Currently, you can only select unmanaged security groups.

    • Source IP Addresses of Outbound Traffic: Specify available IP addresses from a subnet within a zone. These IP addresses must not be used by ECS instances. For high availability, you must add at least two source IP addresses. We recommend placing them in different zones. You can add a maximum of six source IP addresses.

      Important

      If you do not specify any IP addresses, the system automatically assigns them.

  4. If a service-linked role does not exist, Alibaba Cloud DNS PrivateZone creates one for you.

    Note

    A prompt is displayed each time you create an Outbound Endpoint, but the role is created only if it does not already exist.

  5. The newly created endpoint appears in the Outbound Endpoint list. The status of an Outbound Endpoint can be Normal, Creating, Modifying, Modify Failed, or Abnormal.

    Important

    The creation process takes approximately 5 to 10 minutes. If the status is Creating, wait for the process to complete.
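The two settings in this procedure that most often cause a silent failure are the source IP list and the security group. The following is an added example, not Alibaba Cloud's code: it validates a proposed source IP list against the rules stated above (2 to 6 addresses, each inside a vSwitch subnet of the outbound VPC, none held by an ECS instance, ideally spread across zones) and checks that a security group's egress rules admit DNS. The vSwitch inventory, ECS address set and security-group rule dicts are constructed sample data in a shape chosen for this example; they are not the ECS API's response format.

```python
import ipaddress

# Constructed sample inventory: two vSwitches in different zones of the outbound
# VPC, plus the private IPs that ECS instances already hold (not real account data).
VSWITCHES = [
    {"vswitch_id": "vsw-zone-a", "zone": "cn-hangzhou-h", "cidr": "10.0.1.0/24"},
    {"vswitch_id": "vsw-zone-b", "zone": "cn-hangzhou-i", "cidr": "10.0.2.0/24"},
]
ECS_IN_USE = {"10.0.1.5", "10.0.2.5"}


def check_source_ips(requested, vswitches=VSWITCHES, ecs_in_use=ECS_IN_USE):
    """Validate a proposed 'Source IP Addresses of Outbound Traffic' list.

    Returns (problems, warnings): problems violate the rules the page states,
    warnings are high-availability advice (all IPs in a single zone).
    """
    problems, warnings, zones = [], [], set()
    if not 2 <= len(requested) <= 6:
        problems.append(f"need 2 to 6 source IPs, got {len(requested)}")
    if len(set(requested)) != len(requested):
        problems.append("duplicate source IP in the list")
    for ip in requested:
        addr = ipaddress.ip_address(ip)
        home = next((v for v in vswitches
                     if addr in ipaddress.ip_network(v["cidr"])), None)
        if home is None:
            problems.append(f"{ip} is not inside any vSwitch subnet of the outbound VPC")
        else:
            zones.add(home["zone"])
        if ip in ecs_in_use:
            problems.append(f"{ip} is already used by an ECS instance")
    if len(requested) >= 2 and len(zones) == 1:
        warnings.append("all source IPs sit in one zone; spread them across zones for high availability")
    return problems, warnings


def egress_allows_dns(rules):
    """True if the security group's egress rules accept port 53 over both UDP and TCP.

    Rule dicts use a constructed shape: direction (egress/ingress), protocol
    (tcp/udp/all), port_range "lo/hi" where "-1/-1" means every port, and
    policy (accept/drop). Ingress rules are ignored, as the page says they
    do not affect forwarding.
    """
    allowed = set()
    for r in rules:
        if r["direction"] != "egress" or r["policy"] != "accept":
            continue
        lo, hi = (int(x) for x in r["port_range"].split("/"))
        if lo == -1 or lo <= 53 <= hi:
            allowed.add(r["protocol"].lower())
    return "all" in allowed or {"udp", "tcp"} <= allowed


# Constructed security groups: one that only opens UDP egress (and an
# irrelevant ingress rule), and one that opens both UDP and TCP egress.
SG_UDP_ONLY = [
    {"direction": "egress", "protocol": "udp", "port_range": "53/53", "policy": "accept"},
    {"direction": "ingress", "protocol": "tcp", "port_range": "53/53", "policy": "accept"},
]
SG_OK = SG_UDP_ONLY + [
    {"direction": "egress", "protocol": "tcp", "port_range": "53/53", "policy": "accept"},
]

if __name__ == "__main__":
    print(check_source_ips(["10.0.1.10", "10.0.2.10"]))   # ([], [])
    print(check_source_ips(["10.0.1.10", "10.0.1.11"]))   # ([], [one zone warning])
    print(egress_allows_dns(SG_UDP_ONLY), egress_allows_dns(SG_OK))  # False True
```

Run the checks before submitting the console form: the endpoint takes 5 to 10 minutes to create, and the Outbound VPC cannot be changed afterwards, so a bad source IP choice costs a delete-and-recreate.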

Modify an Outbound Endpoint

  1. Go to the Alibaba Cloud DNS PrivateZone console.

  2. On the Forward Zone page, select the Outbound Endpoint tab, and then click Edit in the Actions column of the target Outbound Endpoint.

  3. Modify the settings and submit the form.

    On the Edit Outbound Endpoint page, you can modify the Endpoint Name, Security Group, and Source IP Addresses of Outbound Traffic. You can add or remove IP address entries by specifying the zone, vSwitch, and subnet. The Outbound VPC field is read-only and cannot be changed.

  4. After you submit the changes, the endpoint's status changes to Modifying. During this time, you cannot modify or delete the endpoint.

Delete an Outbound Endpoint

  1. Go to the Alibaba Cloud DNS PrivateZone console.

  2. On the Forward Zone page, select the Outbound Endpoint tab, and click Delete in the Actions column of the target outbound endpoint.

  3. In the confirmation dialog box that appears, confirm the deletion of the Outbound Endpoint.

Note

If the Outbound Endpoint is associated with a Forward Rule, you must first delete the corresponding Forward Rule before deleting the Outbound Endpoint. For more information, see Delete a forwarding rule.

Forward Rule

Create a Forward Rule

  1. Go to the Alibaba Cloud DNS PrivateZone console.

  2. On the Forward Zone page, select the Forward Rule tab, and click Add Forward Rule.

  3. Configure the parameters and submit the form.

    • Forward Zone: Enter the domain name (zone) for which you want to forward DNS queries.

      Important
      • To forward queries for all domains (the root domain), enter a period (.).

      • Top-level domain (TLD) forwarding is supported. For example, you can enter com, cn, or top.

      • If a query matches multiple forwarding domains, such as example.com, com, and ., the rule for the most specific domain (example.com) takes precedence based on the longest-match principle.

    • Rule Name: Enter a name for the rule based on your business requirements.

    • Forward to Address: Specify the IP addresses and ports of the destination DNS servers. You can add up to six servers. Both private and public IP addresses are supported.

      Important
      • If the outbound VPC and the inbound VPC are the same VPC, a Forward Rule associated with the Outbound Endpoint cannot use the Inbound Endpoint's service IP address as the external DNS system address.

      • The following IP address ranges are reserved by the system and cannot be used as destination IP addresses for an external DNS system: 100.100.2.136 to 100.100.2.138, and 100.100.2.116 to 100.100.2.118.

      • If your external DNS server uses a public IP address and the ECS instances in the Outbound Endpoint VPC do not have public IP addresses, you must enable a NAT Gateway and configure SNAT entries for the VPC NAT gateway.

    • Outbound Endpoint: Select the Outbound Endpoint that will forward DNS queries to the specified destination IP addresses.

      Note
      • If the effective scope of the forwarding domain is an Alibaba Cloud VPC, you must configure an Outbound Endpoint.

      • If the effective scope of the forwarding domain is a self-managed DNS cluster, you do not need to configure an Outbound Endpoint.

  4. After you configure the settings, click OK. The new Forward Rule appears in the Forward Rule list.

    Important

    After a Forward Rule is created, you cannot modify its rule type or its Outbound Endpoint. To make these changes, you must delete the current rule and create a new one.

Modify a Forward Rule

  1. Go to the Alibaba Cloud DNS PrivateZone console.

  2. On the Forward Zone page, click the Forward Rule tab, and then for the target Forward Rule, click the Modify button in the Actions column.

  3. Modify the settings and submit the form.

Delete a Forward Rule

  1. Go to the Alibaba Cloud DNS PrivateZone console.

  2. On the Forward Zone page, select the Forward Rule tab, and click the Delete button in the Actions column of the target Forward Rule.

  3. In the confirmation dialog box that appears, confirm the deletion.

    Important

    If the current Forward Rule is associated with a VPC, you must first disassociate it from the VPC before you can delete the rule.

Effective Scope

You must configure the Effective Scope to apply a Forward Rule to specific VPCs.

  1. Go to the Alibaba Cloud DNS PrivateZone console.

  2. On the Forward Zone page, select the Forward Rule tab, and then for the target Forward Rule in the Actions column, click the Effective Scope button.

  3. Select the VPCs to apply the Forward Rule to, and then click OK. You can also associate VPCs that belong to other accounts.

    Select the outbound endpoint. The outbound endpoint must be in the same region as the associated VPCs. Otherwise, the forwarding rule will fail. To apply the rule to a self-managed DNS cluster, select the desired cluster in the Effective in Self-managed DNS Cluster section.

Important
  • The VPCs that you associate with a Forward Rule must be in the same region as the rule's Outbound Endpoint.

  • A VPC cannot be associated with multiple Forward Rules for the same forwarding domain.

  • A Forward Rule and a Private Zone can be configured with the same effective scope and the same domain name. In that case, Private Zone takes precedence for DNS requests from the associated VPCs.

  • You can configure the Effective Scope to include both Alibaba Cloud VPCs and self-managed DNS clusters simultaneously.
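The rule-selection and effective-scope constraints above (longest match across `.`, a TLD and a specific zone; the reserved destination ranges; one rule per VPC and forwarding domain; endpoint and VPC in the same region; Private Zone precedence) are easy to get wrong when several rules overlap. The following is an added example, not Alibaba Cloud's code: it models those constraints as a validator and a small resolver-decision function over a constructed configuration. It assumes that Private Zone precedence applies to any name under the Private Zone's domain, not only the apex, and the `inbound_service_ips` parameter is an assumption for how a caller would supply the Inbound Endpoint IPs when the inbound and outbound VPC are the same.

```python
import ipaddress
from dataclasses import dataclass

# Destination ranges the page lists as system-reserved (inclusive bounds).
RESERVED_DESTINATIONS = [("100.100.2.136", "100.100.2.138"),
                         ("100.100.2.116", "100.100.2.118")]


def is_reserved_destination(ip):
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in RESERVED_DESTINATIONS)


def labels(name):
    """'www.Example.COM.' -> ['www', 'example', 'com']; '.' (root) -> []."""
    name = name.strip().lower().rstrip(".")
    return name.split(".") if name else []


def zone_matches(zone, qname):
    """True if qname is the zone apex or lies under it; the root zone matches everything."""
    z, q = labels(zone), labels(qname)
    return len(z) <= len(q) and q[len(q) - len(z):] == z


@dataclass
class OutboundEndpoint:
    endpoint_id: str
    region: str


@dataclass
class ForwardRule:
    rule_id: str
    zone: str                  # 'corp.example.com', 'com', or '.' for the root
    targets: list              # [(ip, port), ...], at most six
    endpoint: OutboundEndpoint
    vpcs: list                 # effective scope: [(vpc_id, region), ...]


@dataclass
class PrivateZone:
    zone: str
    vpcs: list                 # vpc_ids in the Private Zone's effective scope


def validate_rules(rules, inbound_service_ips=frozenset()):
    """Apply the page's constraints; returns a list of human-readable problems."""
    problems, bound = [], {}
    for r in rules:
        if not 1 <= len(r.targets) <= 6:
            problems.append(f"{r.rule_id}: a rule needs 1 to 6 forward targets")
        for ip, _port in r.targets:
            if is_reserved_destination(ip):
                problems.append(f"{r.rule_id}: {ip} is in a system-reserved range")
            if ip in inbound_service_ips:  # same-VPC Inbound Endpoint IP is not allowed
                problems.append(f"{r.rule_id}: {ip} is an Inbound Endpoint service IP")
        for vpc_id, region in r.vpcs:
            if region != r.endpoint.region:
                problems.append(f"{r.rule_id}: VPC {vpc_id} ({region}) is not in the "
                                f"endpoint's region {r.endpoint.region}")
            key = (vpc_id, tuple(labels(r.zone)))
            if key in bound:               # one rule per (VPC, forwarding domain)
                problems.append(f"{r.rule_id}: {vpc_id} is already bound to {bound[key]} "
                                f"for zone '{r.zone}'")
            else:
                bound[key] = r.rule_id
    return problems


def resolve(qname, vpc_id, rules, private_zones):
    """Decide who answers a query from vpc_id: Private Zone first, then the
    longest-matching Forward Rule whose scope includes the VPC, else default."""
    in_pz = [z for z in private_zones if vpc_id in z.vpcs and zone_matches(z.zone, qname)]
    if in_pz:
        return ("private_zone", max(in_pz, key=lambda z: len(labels(z.zone))).zone)
    in_scope = [r for r in rules
                if any(v == vpc_id for v, _ in r.vpcs) and zone_matches(r.zone, qname)]
    if not in_scope:
        return ("default", None)
    return ("forward", max(in_scope, key=lambda r: len(labels(r.zone))).rule_id)


# Constructed sample configuration (not real account data): a root rule, a TLD
# rule and a specific zone rule, all scoped to vpc-a, plus one Private Zone.
ENDPOINT = OutboundEndpoint("ep-hz", "cn-hangzhou")
SCOPE = [("vpc-a", "cn-hangzhou")]
RULES = [
    ForwardRule("r-root", ".", [("10.10.0.53", 53)], ENDPOINT, SCOPE),
    ForwardRule("r-com", "com", [("10.10.0.54", 53)], ENDPOINT, SCOPE),
    ForwardRule("r-corp", "corp.example.com",
                [("192.168.10.53", 53), ("192.168.11.53", 53)], ENDPOINT, SCOPE),
]
PRIVATE_ZONES = [PrivateZone("db.example.com", ["vpc-a"])]
# Breaks three constraints at once: reserved target, wrong region, duplicate binding.
BAD_RULE = ForwardRule("r-bad", "com", [("100.100.2.137", 53)], ENDPOINT,
                       [("vpc-a", "cn-beijing")])

if __name__ == "__main__":
    for q in ["app.corp.example.com", "www.example.com",
              "host.example.net", "primary.db.example.com"]:
        print(q, "->", resolve(q, "vpc-a", RULES, PRIVATE_ZONES))
    print(validate_rules(RULES + [BAD_RULE]))
```

The longest-match decision is taken per query name, so a single VPC can carry a catch-all `.` rule for an on-premises resolver while more specific zones go elsewhere; the validator is what catches the cases the console rejects only after you submit.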