
Configuring Amazon Route 53 Integration

To import a zone’s DNS data from Amazon Route 53 to NIOS, complete the prerequisites and follow the steps described in this topic. You can set up synchronization of DNS data from a single AWS account to a NIOS admin account or from multiple AWS accounts (belonging to an AWS organization) to a NIOS admin account.

Note

From NIOS 9.0.4 onwards, the following UI labels in Grid Manager have been changed:

  • The Grid > Amazon tab changed to Cloud DNS tab.

  • The Cloud DNS Sync service changed to Cloud Sync service.

Configuring Amazon Route 53 in NIOS

To configure Amazon Route 53 integration, complete the following:

  1. Create an Amazon Route 53 sync group and add sync tasks to the sync group, as described in the Configuring Amazon Route 53 Sync Groups section.

  2. Optionally, if you want NIOS to serve DNS for the hosted zones synchronized from Amazon Route 53, configure the primary and secondary servers accordingly. For information about how to configure the servers, refer to the Infoblox NIOS Documentation.

After you set up the Amazon Route 53 integration, you can do the following:

  • View all configured Amazon Route 53 sync groups.

  • View detailed information about the configured sync groups.

  • Modify sync groups and their sync tasks.

  • View the DNS data imported from Route 53.

Note

  • If you configure a Grid member with both vDiscovery and Route 53 synchronization, the tasks are run sequentially (not simultaneously) depending on the order of task execution.

  • The AWS Route 53 job can freeze during its run due to the following reasons:

    • Loss of network connectivity with the member node. To prevent this scenario, ensure that the member node is connected to the network.

    • RabbitMQ queue overflow. This can be confirmed with the error message "error:The AMQP connection was closed" found in Administration -> Logs -> Syslog in Grid Manager. To fix this scenario, restart all NIOS services or reboot the NIOS node.

Configuring Amazon Route 53 Sync Groups

You can configure an Amazon Route 53 sync group to include multiple synchronization tasks for different hosted zones in the same Route 53 end point. Before you create a sync group, ensure that you have configured the AWS user accounts (on the NIOS appliance) you want to use for configuring sync tasks. Note that all sync tasks in a sync group are performed for the same AWS user account. If the AWS user account is a management account that has member accounts in its AWS organization, the sync tasks are performed on member accounts only if Multiple Account Sync is enabled. When you disable individual sync tasks, the appliance skips those sync tasks during synchronization with Amazon Route 53.

When you configure a sync group, you can define a network view in which synchronized data resides. You cannot change the network view for the sync group once you save the configuration. If you want to change the network view for subsequent synchronization, create a new sync group. If you want to remove stale DNS data in a specific network view, you can search for the data by using the extensible attribute "DNS Source" = "AWS Route 53" in that network view and then remove the data accordingly. You can also use the CSV Import feature to export this data for removal. For more information about extensible attributes and CSV Import, refer to the Infoblox NIOS Documentation.

You can also select a specific DNS view to synchronize Route 53 zones and records from AWS to NIOS. This way, you can serve all those zones in a consolidated way from NIOS by querying a single Grid member. Depending on which network view you have selected, you may or may not be able to select a specific DNS view for consolidating your Route 53 zones and records. Ensure that you understand the various scenarios about how the appliance handles the consolidated data before you configure the Consolidate zone data into this DNS view option while adding or modifying a Route 53 sync group, as described in the section below.

Creating Route 53 Sync Groups

Note

  • Ensure that you have installed the Cloud Network Automation license on the Grid Master. For information about licenses, refer to the Infoblox NIOS Documentation.

  • After creating a sync group, wait for a few minutes for the necessary processes to start in the background before starting a sync task.

To create a Route 53 sync group and add sync tasks, complete the following steps:

  1. Log in to Grid Manager (the Infoblox GUI).

  2. From the Grid tab, click the Cloud DNS tab.

  3. Expand the Toolbar and click Add.
    The Cloud DNS Sync Wizard is displayed.

  4. In Step 1 of 4 of the Cloud DNS Sync Wizard, complete the following, and then click Next:

    • Sync Group Name: Enter the name of the Amazon Route 53 sync group.

    • Disable Synchronization: Select this to disable synchronization for this sync group. This allows you to keep the current configuration including all sync tasks in the group, and enable them at a later time.

    • Member: Click Select to choose the Grid member that will pull DNS data from Amazon Route 53. Infoblox suggests that you select a member that is not running other services and can handle the synchronization load for this feature. If you have only one Grid member in the Grid, the appliance automatically displays the member's name here. Select Clear if you want to remove the current member. You can also specify a proxy server to pull data from Amazon Route 53. For information about how to set up a proxy server, refer to the Infoblox NIOS Documentation.

    • Comment: Enter additional information about this sync group.
      Note that all sync tasks in the same sync group are performed for the same AWS user account. Create a new sync group if you want to synchronize data using another AWS user account.

  5. In Step 2 of 4 of the Cloud DNS Sync Wizard, complete the following, and then click Next:

    • Cloud Service Provider: Select AWS as the cloud platform that hosts the DNS data to be synchronized.

    • Credentials: Select the method you want to use to authenticate the connection between the Grid member and AWS for this sync group. You can select one of the following:

      • Use instance profile: An instance profile is a container for an IAM role that you use to pass role information to an EC2 instance when the instance is up and running. Select this option if you want to collect information from AWS by waiving a user's credentials and using configuration of a predefined IAM role to get a temporary token that allows cloud API calls. When this option is enabled, you do not need to provide user credentials.

        • Single account Route 53 Synchronization: If you are synchronizing data from a single AWS account, then before selecting this authentication method, you must first configure the instance profile in AWS, define an IAM role in the instance profile, and then grant the following AWS IAM permissions to this role; otherwise, this option remains disabled:

          • iam:GetUser

          • route53:ListHostedZones

          • route53:GetHostedZone

          • route53:ListResourceRecordSets

        • Multi-account Route 53 Synchronization: If you are synchronizing data from multiple AWS accounts of an AWS organization, ensure that the EC2 instance is running in the parent account and the parent account has the org admin permissions in AWS. For more information, see Setting up the AWS Environment for Multi-Account Synchronization.

      • Use IAM credential: Select this if you want to authenticate by using IAM roles to grant secure access to AWS resources from your EC2 instances. Click Select to choose the IAM role and use its credentials to access AWS resources from your EC2 instances when they are up and running. For more information about instance profiles and IAM roles, refer to the AWS documentation.

    • Multiple Account Sync: Select this check box to enable multi-account support for Route 53 integration on the selected member. For more information, see the Enabling Multi-Account Route 53 Synchronization on a Sync Group section.

  6. In Step 3 of 4 of the Cloud DNS Sync Wizard, complete the following, and then click Next:

    1. Under Synchronize DNS data into, select the network view to which you want the appliance to add synchronized data.

      • This network view: From the drop-down list, select the NIOS network view to which you want to add the synchronized data. The default network view is displayed by default. When you select this option, you can choose to consolidate zone data into a specified DNS view by enabling the Consolidate zone data into this DNS view option and selecting a specific DNS view.
        When you synchronize Route 53 data from two or more different AWS endpoints, you must assign each AWS endpoint to a different network view.

      • The tenant's network view (if it does not exist, create a new one): This option is recommended. When you select this option, the synchronized data is saved to the tenant's network view. If the network view does not exist, the appliance creates it (only if a cloud license is installed in the Grid). The appliance uses tenant information to create a new NIOS network view for the synchronized data. For example, AWS tenants by default are associated with the 12-digit user account number (such as 2233441247523), which is the identifier for all objects that are created by that account in AWS. This tenant value becomes the identifier for the new network view as its data is synchronized.
        Note that you cannot modify the network view selection once you save the configuration. Create a new sync group if you want to change the network view. When you remove an old sync task from a sync group, the data remains in the database, and you can manually remove the old data by searching for all Route 53 zones that are associated with a particular network view; or you can use CSV import and export the stale data that you want to remove from the database.

    2. Consolidate zone data into this DNS view: Depending on which network view you have selected to synchronize Route 53 zone data, you may or may not be able to select a specific DNS view to which the zone data is being synchronized and consolidated. When this option is enabled, there is no restriction on the number of VPCs that a private hosted zone can have in AWS.
      Note that when Consolidate zone data into this DNS view is not enabled for a private hosted zone, if the number of characters in the zone’s VPC ID is more than 255 characters, Route 53 will not synchronize that specific DNS zone. This is due to the restriction that the value of an extensible attribute in NIOS cannot exceed 255 characters.
      Consider the following scenarios before selecting or clearing the selection on this option:

      • If you have selected a NIOS network view to add synchronized DNS data, you can select a specific DNS view to which you can add the synchronized Route 53 zone data. When you select this option, all zone data will be synchronized into the selected DNS view. If there are duplicate zones, the appliance places them in an order based on their VPC names and adds the first duplicate zone to the corresponding DNS view (depending on your configuration). It then creates new DNS views for subsequent zones that have the same zone name. For example, if your DNS view is "corp100view", the first duplicate zone is added to "corp100view", the second duplicate zone to "corp100view_1", and so on until all duplicate zones are added to their corresponding DNS views.
        If you choose to synchronize Route 53 data into a NIOS network view but you do not select this option, you are not allowed to select a specific DNS view and the appliance synchronizes all private zones into a newly created DNS view using the name "private%", where % stands for the key of the DNS view. A new DNS view is created for each VPC in which the zones reside. On the other hand, all public zones are synchronized into the default DNS view, and all duplicate zones are ignored.

      • If you have selected to add synchronized DNS data to a tenant's network view, you are not allowed to select a specific DNS view for the synchronized data. In this case, the appliance synchronizes all private zones into a newly created DNS view using the name "private%" where % stands for the key of the DNS view. A new DNS view is created for each VPC in which the zones reside. On the other hand, all public zones are synchronized into the default DNS view, and all duplicate zones are ignored.
        Note that you must not perform a Route 53 sync on multiple DNS views that reside in the same network view. Performing a Route 53 sync in more than one DNS view deletes the data from the other DNS views in which synchronization has taken place. To prevent this, create multiple network views each having a single DNS view and perform Route 53 sync on each of the DNS views.

  7. In Step 4 of 4 of the Cloud DNS Sync Wizard, complete the following:
    Under Sync Tasks, click the Add icon to add a sync task to this group. Grid Manager displays the Add Sync Task panel. Complete the following steps in the panel, and then click Add to add the task to the Sync Tasks table:

    • Name: Enter the name of the sync task. Use a name that best represents the task so that you can differentiate it from the other tasks.

    • Public Hosted Zone: Select this if you want to synchronize data from the Route 53 public hosted zones. In Amazon Route 53, a public hosted zone contains the routing information and resource record sets for a domain and its subdomains, for queries that come from the public Internet and are resolved within the AWS infrastructure.

    • Private Hosted Zone: Select this if you want to synchronize data from the Route 53 private hosted zones. In Amazon Route 53, a private hosted zone contains the routing information and resource record sets for a domain and its subdomains, for queries that come from instances and resources in the associated AWS VPCs and are resolved within one or more of those VPCs.

    • Filter: You can add a filter to select a specific zone or zones for synchronization purposes. To specify multiple zones, use commas to separate the values. You can also use wildcard characters in the filter. For example, you can enter “*abc*, ab?c.com, [a-z].com” in this field.

    • Interval: Define how often you want the synchronization to happen by entering the time interval and selecting the interval unit from the drop-down list.

    • Disable Synchronization: Select this to disable synchronization for this specific task. This allows you to keep the current configuration for the task and enable it at a later time.

    • Click the Add icon again to add more tasks. Grid Manager displays the following information for each saved task in the Sync Tasks table:

      • Name: The sync task name.

      • Interval: The synchronization interval.

      • Filter: The filter that you entered for synchronizing data from the specified zones.

  8. Save the configuration.
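As an added example (not Infoblox or AWS code), the following Python checks a role policy document against the four IAM permissions listed under Single account Route 53 Synchronization in Step 2 of 4. It reports both missing actions, which leave the instance-profile option disabled in the wizard, and over-broad grants such as route53:* that a least-privilege sync role does not need. The policy documents it tests are constructed samples; Resource scoping and Deny statements are outside what it evaluates.

```python
"""Check an IAM policy against the four actions NIOS needs on the instance-profile
role for single-account Route 53 synchronization. Added example, not Infoblox or
AWS code; the sample policies below are constructed for illustration."""
import fnmatch
import json

REQUIRED_ACTIONS = (
    "iam:GetUser",
    "route53:ListHostedZones",
    "route53:GetHostedZone",
    "route53:ListResourceRecordSets",
)


def allowed_action_patterns(policy_json):
    """Action patterns of every Allow statement (Statement may be an object or a
    list; Action a string or a list). Deny and NotAction are not evaluated."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    patterns = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.update([actions] if isinstance(actions, str) else actions)
    return patterns


def check_policy(policy_json):
    """Return (missing, overbroad): required actions that no Allow pattern covers,
    and Allow patterns reaching beyond the four required actions (wildcards such
    as route53:*, or unrelated actions). IAM action matching is case-insensitive
    with * and ? wildcards, which fnmatchcase reproduces on lowercased strings."""
    patterns = allowed_action_patterns(policy_json)
    required = {a.lower() for a in REQUIRED_ACTIONS}
    missing = [a for a in REQUIRED_ACTIONS
               if not any(fnmatch.fnmatchcase(a.lower(), p.lower()) for p in patterns)]
    overbroad = sorted(p for p in patterns
                       if "*" in p or "?" in p or p.lower() not in required)
    return missing, overbroad


def sample_policy(actions):
    """Constructed single-statement policy document granting the given actions."""
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": list(actions), "Resource": "*"}]})


# Least-privilege role as the page lists it: exactly the four required actions.
MINIMAL_POLICY = sample_policy(REQUIRED_ACTIONS)
# Syncs fine, but also lets the sync member change records in every hosted zone.
BROAD_POLICY = sample_policy(["iam:GetUser", "route53:*"])
# One action short: the wizard keeps the instance-profile option disabled.
INCOMPLETE_POLICY = sample_policy(REQUIRED_ACTIONS[:3])
```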
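As an added example (not NIOS code), this Python previews which hosted zones the Filter syntax from Step 4 of 4 selects, running the page's own sample filter against a constructed list of zone names, and flags patterns that select nothing. The case-insensitive, trailing-dot-stripped matching is an assumption about the appliance, not documented behaviour.

```python
"""Preview which hosted zones a sync task's Filter selects before enabling the task.
The Filter field is a comma-separated list of zone names with wildcards (* ? [a-z]),
e.g. "*abc*, ab?c.com, [a-z].com". Added example, not NIOS code; it assumes the
appliance matches case-insensitively against the zone name without its trailing dot."""
import fnmatch

# Constructed hosted zone names, written as Route 53 returns them (with a trailing dot).
SAMPLE_ZONES = ["abc.example.", "xyzabc.net.", "abxc.com.", "abdc.com.",
                "a.com.", "ab.com.", "corp.internal."]


def parse_filter(filter_text):
    """Split the Filter value on commas and drop surrounding whitespace and empties."""
    return [part.strip() for part in filter_text.split(",") if part.strip()]


def normalize(name):
    """Strip the DNS root dot and fold case so '*ABC*' and 'xyzabc.net.' compare."""
    return name.rstrip(".").lower()


def select_zones(filter_text, zones):
    """Return the zones that match at least one pattern; an empty Filter selects all."""
    patterns = [normalize(p) for p in parse_filter(filter_text)]
    if not patterns:
        return list(zones)
    return [z for z in zones
            if any(fnmatch.fnmatchcase(normalize(z), p) for p in patterns)]


def unmatched_patterns(filter_text, zones):
    """Patterns that select no zone at all: usually a typo in the Filter field."""
    names = [normalize(z) for z in zones]
    return [p for p in parse_filter(filter_text)
            if not any(fnmatch.fnmatchcase(n, normalize(p)) for n in names)]
```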

Enabling Multi-Account Route 53 Synchronization on a Sync Group

When configuring Route 53 integration in NIOS, you can enable the multi-account synchronization option on an existing or a new sync group. The option enables NIOS to discover multiple AWS accounts in an AWS organization and synchronize the DNS data using the Route 53 service. You can configure the multi-account synchronization option to synchronize DNS data from all or, starting from NIOS 9.0.4, from specific accounts (children) in an AWS organization (parent).

To enable the multi-account support, complete the following:

  1. Log in to Grid Manager (the Infoblox GUI).

  2. From the Grid tab, click the Cloud DNS tab.

  3. According to the Route 53 sync group, do one of the following:

    • For an existing Route 53 sync group:

      1. Select the sync group, and then click the Actions icon > Edit.
        The Cloud DNS Sync Group Properties window is displayed.

      2. Click the Account Details tab.

    • For a new Route 53 sync group: start the Cloud DNS Sync Wizard as described in the Creating Route 53 Sync Groups section and proceed to Step 2 of 4, where the Multiple Account Sync check box is located.

  4. Select Multiple Account Sync and configure the following settings:

    • Role ARN: Enter the ARN (Amazon Resource Name) of the role that you configured in your AWS management account.

    • Multi Account Options (introduced in NIOS 9.0.4): You can set the DNS data of all child accounts of an AWS organization to be synchronized or specify the accounts from which data must be synchronized.
      Select one of the following options:

      • Discover Child Accounts: Select this option if you want a sync task to discover and synchronize DNS data from all child accounts of an AWS organization to which the specified role ARN belongs.

      • Add or Upload Child Accounts: Select this option to specify the list of child accounts that a sync task must discover and synchronize DNS data from.
        Note: The multi-account sync option synchronizes DNS data from the specified child accounts and also their parent account for which you specified the role ARN.
        Additionally, you can do the following:
        • Export the added data to a .csv file by clicking the Export icon.
        • Delete an account by selecting the check box next to the account to be removed and clicking the Delete icon.

        To add child accounts, do one of the following:

        • Upload a CSV file:

          1. Click the CSV Import icon.

          2. In the Upload dialog box, click Select to browse for the CSV file containing the list of account IDs of child accounts you want to add.

          3. Select the file and click Open.

          4. Click Upload to upload the file, and then click Close.

        • Manually specify the account IDs of child accounts for which DNS data must be synchronized:

          1. Click the Add icon to add a row in the Account IDs table.

          2. Click the new row and specify the account ID of a child account.

          3. Repeat steps 1 and 2 for every child account that you want to add.

  5. Click Next and perform the remaining steps explained in the Creating Route 53 Sync Groups section.

  6. Save the configuration.