Route VPC DNS Traffic to BloxOne Threat Defense

This portion of the Deployment guide explains how to forward DNS traffic from an AWS VPC to the BloxOne Threat Defense Cloud.

Prerequisites

The following are prerequisites to route VPC DNS Traffic to BloxOne Threat Defense:

  • BloxOne:

    • BloxOne Threat Defense Business Cloud or Advanced subscription

    • A CSP user account with BloxOne Threat Defense administrator permissions

  • AWS:

    • A VPC with one of the following:

      • NAT Gateway

      • VPN

      • Direct Connect connection

    • An AWS Security Group and network ACL that allow DNS traffic (UDP and TCP port 53) from the VPC to the BloxOne Anycast IPs

      • For a full list of these Anycast IPs please see the Infoblox Documentation portal here

Note: this guide only covers how to configure a NAT Gateway and does not cover the configuration of an AWS VPN or Direct Connect Connection.

Known Limitations

When forwarding AWS VPC DNS traffic to BloxOne Threat Defense, do not enable Route 53 Resolver DNSSEC validation on the VPC: it breaks BloxOne's redirect functionality, because the answers that steer blocked lookups to the redirect page are not signed by the queried domain and a validating Route 53 Resolver rejects them. BloxOne performs DNSSEC validation itself, so leaving Route 53 validation disabled does not remove DNSSEC protection.

Workflow

This guide covers how to create and configure an AWS Virtual Private Cloud or VPC with a NAT Gateway. For detailed information on how to configure an AWS VPC please follow the AWS guide located here: Plan your VPC - Amazon Virtual Private Cloud

To forward DNS traffic to BloxOne, your VPC must be able to reach BloxOne's anycast IPs; the full list of the BloxOne anycast IPs is located here. The Route 53 outbound endpoint reaches them through a NAT Gateway, a VPN, or a Direct Connect connection. You also need to know the public source IP that your forwarded queries arrive from, because BloxOne uses it to recognize your VPC. This guide describes a basic topology for each option, links to the AWS guides on how to configure them, shows where to find the public IP(s) needed for the BloxOne configuration, and walks through deploying a VPC with a NAT Gateway as the worked example.

Note: You may skip steps 1 and 1a of this workflow if you already have a VPC with a NAT Gateway, a VPN, or a Direct Connect connection.

  1. Create or identify VPC to use

    1. (Optional) Create a NAT Gateway

  2. Locate the required IP for BloxOne from one of the following:

    1. VPN connection

    2. NAT Gateway (its Elastic IP)

    3. AWS Direct Connect connection

  3. Create a Route 53 Outbound Endpoint

  4. Create a Route 53 Resolver rule

  5. Create an External Network that represents your VPC(s) in the Infoblox CSP
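Steps 2 through 4 above (and the security group prerequisite) can be driven through the Route 53 Resolver and EC2 APIs rather than the console. The following is an added example written for this guide; it is not Infoblox's or AWS's own code. It assumes the VPC, two private subnets, the security group and the NAT Gateway already exist, and the anycast addresses it ships with are RFC 5737 TEST-NET placeholders that must be replaced with the BloxOne anycast IPs from the Infoblox documentation portal. The function names, the SYSTEM-rule exception for an internal domain, and the DNSSEC pre-check are this example's own additions, not steps taken from the page.

```python
"""Forward VPC DNS to BloxOne Threat Defense via a Route 53 Resolver outbound
endpoint (added example; hypothetical helper names, not Infoblox/AWS code)."""
from typing import Dict, List

try:
    import boto3  # only needed by deploy(); the builders below run without it
except ImportError:  # pragma: no cover
    boto3 = None

DNS_PORT = 53
# Assumption: TEST-NET placeholders. Replace with the BloxOne anycast IP list.
PLACEHOLDER_ANYCAST = ["192.0.2.1", "192.0.2.2"]


def security_group_egress(anycast_ips: List[str]) -> List[Dict]:
    """Prerequisite: egress for UDP *and* TCP 53, restricted to the anycast IPs.
    TCP is needed because truncated UDP answers (large DNSSEC records) retry over TCP."""
    ranges = [{"CidrIp": f"{ip}/32", "Description": "BloxOne anycast"} for ip in anycast_ips]
    return [{"IpProtocol": p, "FromPort": DNS_PORT, "ToPort": DNS_PORT, "IpRanges": ranges}
            for p in ("udp", "tcp")]


def outbound_endpoint_params(name: str, sg_id: str, subnet_ids: List[str]) -> Dict:
    """Step 3: an outbound endpoint needs at least two subnets (two AZs)."""
    if len(subnet_ids) < 2:
        raise ValueError("Route 53 outbound endpoints require at least two subnets")
    return {"CreatorRequestId": f"{name}-endpoint", "Name": name,
            "SecurityGroupIds": [sg_id], "Direction": "OUTBOUND",
            "IpAddresses": [{"SubnetId": s} for s in subnet_ids]}


def forward_rule_params(name: str, endpoint_id: str, anycast_ips: List[str], domain: str = ".") -> Dict:
    """Step 4: a FORWARD rule for '.' sends every query not matched by a more
    specific rule out of the endpoint to BloxOne (port 53 on each anycast IP)."""
    return {"CreatorRequestId": f"{name}-rule-{domain}", "Name": name,
            "RuleType": "FORWARD", "DomainName": domain,
            "TargetIps": [{"Ip": ip, "Port": DNS_PORT} for ip in anycast_ips],
            "ResolverEndpointId": endpoint_id}


def system_rule_params(name: str, domain: str) -> Dict:
    """Exception: a SYSTEM rule hands a domain (e.g. one served by a private
    hosted zone) back to Route 53 instead of forwarding it to BloxOne."""
    return {"CreatorRequestId": f"{name}-system-{domain}", "Name": f"{name}-{domain}",
            "RuleType": "SYSTEM", "DomainName": domain}


def dnssec_validation_blocks_deploy(dnssec_config: Dict) -> bool:
    """Known limitation: Route 53 DNSSEC validation on the VPC breaks redirects.
    Takes the ResolverDNSSECConfig dict returned by get_resolver_dnssec_config."""
    return dnssec_config.get("ValidationStatus", "DISABLED") != "DISABLED"


def deploy(region: str, vpc_id: str, sg_id: str, subnet_ids: List[str],
           anycast_ips: List[str], nat_gateway_id: str, internal_domains=()) -> List[str]:
    """Apply the steps against AWS. Returns the NAT Gateway public IP(s): the
    source address BloxOne sees, registered as the External Network in the CSP (step 5)."""
    if boto3 is None:
        raise RuntimeError("boto3 is required to deploy against AWS")
    ec2 = boto3.client("ec2", region_name=region)
    r53 = boto3.client("route53resolver", region_name=region)

    cfg = r53.get_resolver_dnssec_config(ResourceId=vpc_id)["ResolverDNSSECConfig"]
    if dnssec_validation_blocks_deploy(cfg):
        raise RuntimeError("Disable Route 53 Resolver DNSSEC validation on this VPC first")

    ec2.authorize_security_group_egress(GroupId=sg_id, IpPermissions=security_group_egress(anycast_ips))
    ep = r53.create_resolver_endpoint(**outbound_endpoint_params("bloxone-out", sg_id, subnet_ids))
    ep_id = ep["ResolverEndpoint"]["Id"]
    rule = r53.create_resolver_rule(**forward_rule_params("bloxone-forward", ep_id, anycast_ips))
    r53.associate_resolver_rule(ResolverRuleId=rule["ResolverRule"]["Id"], VPCId=vpc_id)
    for dom in internal_domains:  # keep internal zones resolving inside AWS
        sysrule = r53.create_resolver_rule(**system_rule_params("bloxone-keep", dom))
        r53.associate_resolver_rule(ResolverRuleId=sysrule["ResolverRule"]["Id"], VPCId=vpc_id)

    # Step 2: the Elastic IP of the NAT Gateway is the public IP BloxOne sees.
    nat = ec2.describe_nat_gateways(NatGatewayIds=[nat_gateway_id])["NatGateways"][0]
    return [a["PublicIp"] for a in nat["NatGatewayAddresses"]]


if __name__ == "__main__":  # offline dry run: show the requests that would be sent
    print(outbound_endpoint_params("bloxone-out", "sg-0123", ["subnet-a", "subnet-b"]))
    print(forward_rule_params("bloxone-forward", "rslvr-out-example", PLACEHOLDER_ANYCAST))
```

Two points to note when adapting this: the "." forwarding rule catches every name not covered by a more specific rule, so any domain you serve from a private hosted zone needs its own SYSTEM rule (passed in `internal_domains`), and the public IP returned at the end must match what you enter as the External Network in the CSP, or BloxOne will not associate the forwarded queries with your VPC's policy.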
