To use custom private IP addresses within a VPC for internal DNS resolution, create an Inbound Endpoint to allocate custom service addresses for your private zones. These addresses are created on demand and billed on a pay-as-you-go basis. This topic describes how to create an Inbound Endpoint to use custom service addresses for your private zones.
Overview
An Inbound Endpoint provides service IP addresses that act as nameservers for DNS resolution within Alibaba Cloud. You can configure these addresses as the DNS servers of clients inside your cloud network, such as ECS instances or containers, or as the forwarding targets of clients outside your cloud network, such as hosts in an on-premises data center or external DNS servers, so that those clients can reach the internal DNS resolution service. Service addresses come in two types: system-assigned and custom. The system-assigned addresses are 100.100.2.136 and 100.100.2.138; they use anycast to serve all VPCs in all regions and are free of charge. Custom addresses are private IP addresses that you allocate from vSwitches in the inbound VPC by creating an Inbound Endpoint, as described in this topic.
Available regions
This feature is available in the following regions:
Public cloud regions: South Korea (Seoul), Singapore, China (Hong Kong), China (Shanghai), China (Beijing), China (Hangzhou), China (Ulanqab), China (Shenzhen), Philippines (Manila), US (Virginia), Malaysia (Kuala Lumpur), Germany (Frankfurt), Indonesia (Jakarta), and Japan (Tokyo).
Finance Cloud regions: China (Hangzhou), China (Beijing), and China (Shanghai).
Limitations
Limit | Threshold | Description |
Maximum query volume per service IP address of an Inbound Endpoint (Standard Edition) | 5,000 queries per second | Each inbound service IP address supports a peak query volume of up to 5,000 queries per second. DNS requests that exceed this limit are randomly dropped, and the service-level agreement (SLA) is not guaranteed. |
Maximum query volume per client source IP address | 5,000 queries per second | |
Maximum external recursive query volume per client source IP address | 600 queries per second | |
Number of service IP addresses per Inbound Endpoint | Minimum: 2; Maximum: 6 | To ensure high availability, you must add at least two service IP addresses to a single Inbound Endpoint. A maximum of six service IP addresses can be added. |
Usage rules
The usage rules for an Inbound Endpoint vary based on the source of DNS query traffic.
DNS queries from internal clients
Rule scope | Custom service addresses (Inbound Endpoint) | System-assigned service addresses (100.100.2.136 and 100.100.2.138) |
Scope of service IP addresses | The inbound VPC. To allow access from other VPCs, you must connect them to the inbound VPC by using Express Connect or Cloud Enterprise Network (CEN). | Accessible from all VPCs. |
Resolution scope defined by associated VPCs (for example, for Private Zone records, cache persistence records, and forwarding rules) | Supported. The resolution settings take effect only if the resolution scope of the domain name is the inbound VPC. | Supported. The resolution scope of the domain name can be the inbound VPC or other VPCs. The resolution settings take effect in the associated VPC. |
Implementation of split-line intelligent resolution | Configure a custom resolution line. | Configure a custom resolution line or set the resolution scope of the domain name. |
DNS queries from external clients
Rule scope | Custom service addresses (Inbound Endpoint) | System-assigned service addresses (100.100.2.136 and 100.100.2.138) |
Scope of service IP addresses | The inbound VPC. To allow access from an on-premises data center, you must connect it to the inbound VPC by using a leased line, VPN, or SWAN. | The inbound VPC. To allow access from an on-premises data center, you must connect it to the inbound VPC by using a leased line, VPN, or SWAN. |
Resolution scope defined by associated VPCs (for example, for Private Zone records, cache persistence records, and forwarding rules) | Supported. The resolution settings take effect only if the resolution scope of the domain name is the inbound VPC. | Supported. The resolution settings take effect only if the resolution scope of the domain name is the inbound VPC. |
Implementation of split-line intelligent resolution | Configure a custom resolution line. | Configure a custom resolution line. |
Add Inbound Endpoint
Go to the Alibaba Cloud DNS - Private DNS console.
On the Inbound Endpoint tab, click Add Inbound Endpoint and configure the parameters.
Parameter | Description |
Edition | The edition of the Inbound Endpoint. Only Standard Edition is available. |
Endpoint Name | Enter a name for the endpoint based on your business requirements. |
Inbound VPC | All inbound DNS queries are routed through this VPC. Important: To prevent service interruptions, you cannot change the inbound VPC after the Inbound Endpoint is created. For a list of supported regions, see the "Available regions" section. To request this feature in another region, submit a ticket and specify the region. |
Security Group | The security group whose rules are applied to the service IP addresses in the inbound VPC. For more information about how to create a security group, see Create a security group. Important: In the inbound rules of this security group, you must allow traffic on port 53 over both UDP and TCP (DNS falls back to TCP for responses that do not fit in a UDP message) from the source CIDR blocks of your DNS clients; restrict the source to those CIDR blocks rather than 0.0.0.0/0. If the DNS queries originate from ECS instances in other VPCs in Alibaba Cloud, the security groups of those instances must also allow outbound traffic on port 53. |
Inbound service IP addresses | Specify at least two unused IP addresses from vSwitches in the inbound VPC; for each address, select an availability zone, a vSwitch, and an IP address. These IP addresses must not be in use by ECS instances. For high availability, we recommend that you distribute them across different availability zones. An Inbound Endpoint supports a maximum of six inbound service IP addresses. Important: You cannot add or modify a service IP address if it is the same as the destination IP address of a forwarding rule whose outbound endpoint is in the same VPC as the Inbound Endpoint. This restriction does not apply if the endpoints are in different VPCs; however, if those VPCs are connected through CEN, the forwarding rule creates a resolution loop and queries return SERVFAIL. If you do not specify IP addresses, the system automatically assigns them. |
Submit the form to create the Inbound Endpoint.
The newly created endpoint and existing endpoints appear in the Inbound Endpoint list. The status of an Inbound Endpoint can be Normal, Creating, Create failed, Modifying, Modify failed, or Abnormal.
Important: Creating an Inbound Endpoint takes about 5 to 10 minutes. If the status is Creating, wait for the process to complete.
You cannot modify or delete an endpoint that is in the Creating or Modifying state. If the status is Abnormal or Modify failed, submit a ticket for assistance.
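The checks behind the parameters above (two to six service IP addresses spread across zones, no resolution loop with a forwarding rule, and port-53 security group rules scoped to the DNS clients) can be run before you submit the form. The following Python script is an added example written for this page, not Alibaba Cloud's own code or API: the VPC IDs, rule IDs, CIDR blocks and the dictionary layouts for forwarding rules and security group rules are hypothetical inputs constructed here (only the 53/53 port-range notation follows ECS security group conventions). It also goes one step beyond the console, which only rejects same-VPC collisions, by walking CEN attachments to find the loops that would otherwise surface as SERVFAIL at query time.

```python
"""Preflight checks for an Alibaba Cloud Private DNS Inbound Endpoint (added example)."""
import ipaddress
from collections import defaultdict

DNS_PORT_RANGE = "53/53"  # ECS security group PortRange notation for port 53


def check_service_ips(service_ips):
    """service_ips: list of (zone_id, ip) tuples chosen from the inbound VPC's vSwitches."""
    findings = []
    if len(service_ips) < 2:
        findings.append("FAIL: at least two service IP addresses are required")
    if len(service_ips) > 6:
        findings.append("FAIL: at most six service IP addresses are allowed")
    if len(service_ips) >= 2 and len({zone for zone, _ in service_ips}) < 2:
        findings.append("WARN: all service IP addresses are in one zone; spread them across zones")
    return findings


def reachable_vpcs(vpc_id, cen_links):
    """VPCs reachable from vpc_id over CEN attachments (treated as undirected), itself included."""
    adjacency = defaultdict(set)
    for a, b in cen_links:
        adjacency[a].add(b)
        adjacency[b].add(a)
    seen, stack = {vpc_id}, [vpc_id]
    while stack:
        for neighbour in adjacency[stack.pop()]:
            if neighbour not in seen:
                seen.add(neighbour)
                stack.append(neighbour)
    return seen


def check_resolution_loops(inbound_vpc, service_ips, forwarding_rules, cen_links):
    """Flag forwarding rules that send queries back to one of our own service IPs.

    Same-VPC collisions are rejected by the console; collisions reachable over CEN
    are accepted but loop at query time and answer SERVFAIL.
    forwarding_rules: list of dicts {rule_id, outbound_vpc, destination_ip} (hypothetical shape).
    """
    findings = []
    reachable = reachable_vpcs(inbound_vpc, cen_links)
    ours = {ip for _, ip in service_ips}
    for rule in forwarding_rules:
        if rule["destination_ip"] not in ours:
            continue
        where = f"rule {rule['rule_id']} forwards to service IP {rule['destination_ip']}"
        if rule["outbound_vpc"] == inbound_vpc:
            findings.append(f"FAIL: {where} from the inbound VPC; the console rejects this address")
        elif rule["outbound_vpc"] in reachable:
            findings.append(f"FAIL: {where} from VPC {rule['outbound_vpc']} connected via CEN; queries loop and return SERVFAIL")
    return findings


def check_security_group(sg_rules, client_cidrs):
    """Every DNS client CIDR must be covered by an ingress accept rule on UDP and TCP 53,
    and no such rule should be wider than the clients it serves (least privilege).
    sg_rules: list of dicts {direction, protocol, port_range, source_cidr, policy} (hypothetical shape).
    """
    findings = []
    clients = [ipaddress.ip_network(c) for c in client_cidrs]
    accepts = [r for r in sg_rules if r["direction"] == "ingress"
               and r["policy"] == "accept" and r["port_range"] == DNS_PORT_RANGE]
    for proto in ("udp", "tcp"):  # DNS needs both: UDP for normal queries, TCP for truncated responses
        allowed = [ipaddress.ip_network(r["source_cidr"]) for r in accepts if r["protocol"] == proto]
        for client in clients:
            if not any(client.subnet_of(net) for net in allowed):
                findings.append(f"FAIL: no {proto}/53 accept rule covers client CIDR {client}")
        for net in allowed:
            if not any(net.subnet_of(client) for client in clients):
                findings.append(f"WARN: {proto}/53 accept rule from {net} is wider than any client CIDR")
    return findings


def run_preflight(config):
    """Run all checks; returns (ok, findings), with ok False if any finding is a FAIL."""
    findings = (check_service_ips(config["service_ips"])
                + check_resolution_loops(config["inbound_vpc"], config["service_ips"],
                                         config["forwarding_rules"], config["cen_links"])
                + check_security_group(config["sg_rules"], config["client_cidrs"]))
    return not any(f.startswith("FAIL") for f in findings), findings


# Constructed sample input: hypothetical IDs and addresses, not real resources.
SAMPLE = {
    "inbound_vpc": "vpc-inbound",
    "service_ips": [("zone-a", "10.0.1.10"), ("zone-b", "10.0.2.10")],
    "cen_links": [("vpc-inbound", "vpc-app"), ("vpc-app", "vpc-data")],
    "forwarding_rules": [
        # Outbound endpoint two CEN hops away: the console accepts it, but it loops.
        {"rule_id": "fr-loop", "outbound_vpc": "vpc-data", "destination_ip": "10.0.2.10"},
        # Outbound endpoint in an unconnected VPC: harmless.
        {"rule_id": "fr-ok", "outbound_vpc": "vpc-isolated", "destination_ip": "10.0.1.10"},
    ],
    "client_cidrs": ["10.0.0.0/16", "192.168.10.0/24"],  # ECS subnets plus an on-premises range
    "sg_rules": [
        {"direction": "ingress", "protocol": "udp", "port_range": "53/53", "source_cidr": "0.0.0.0/0", "policy": "accept"},
        {"direction": "ingress", "protocol": "tcp", "port_range": "53/53", "source_cidr": "10.0.0.0/16", "policy": "accept"},
    ],
}

if __name__ == "__main__":
    ok, findings = run_preflight(SAMPLE)
    print("\n".join(findings) or "no findings")
    raise SystemExit(0 if ok else 1)
```

On the sample input the script reports the CEN-reachable forwarding loop, the over-broad 0.0.0.0/0 UDP rule, and the missing TCP/53 rule for the on-premises range, and exits non-zero; feed it your real service addresses, forwarding rules and security group rules to get the same checks before the endpoint is created.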
Modify an Inbound Endpoint
Go to the Alibaba Cloud DNS - Private DNS console.
On the Inbound Endpoint tab, find the target endpoint and click Edit in the Actions column.
In the Modify Inbound Endpoint dialog box, you can change the Endpoint Name, the Inbound service IP addresses, and the Edition. The Inbound VPC and Security Group cannot be changed after the endpoint is created. An endpoint must keep a minimum of two and a maximum of six inbound service IP addresses, and for each address you select an availability zone, a vSwitch, and an IP address. Before you modify or delete a service IP address, point the clients that use it to the other active service IP addresses; queries sent to a removed address are no longer answered.
After you submit the form, the status of the endpoint changes to Modifying. You cannot perform other operations on the endpoint while it is in this state.
Delete an Inbound Endpoint
Delete a single Inbound Endpoint
Go to the Alibaba Cloud DNS - Private DNS console.
On the Inbound Endpoint tab, find the endpoint that you want to delete and click Delete in the Actions column. Confirm the action in the dialog box that appears.
Delete Inbound Endpoints in batches
Go to the Alibaba Cloud DNS - Private DNS console.
On the Inbound Endpoint tab, select the Inbound Endpoints that you want to delete and click Batch Delete at the bottom of the page. Confirm the action in the dialog box that appears.