Using VPC/VNet DNS Server
All Aviatrix Gateways use a well-known public DNS server for their hostname resolutions. This is necessary as the gateways must access services such as AWS SQS to retrieve messages from the Aviatrix Controller and the accessibility cannot depend on the underline connectivity. This is true even when a VPC has private DNS configured via its DHCP options, that is, while all EC2 instances use the private DNS to resolve hostnames, Aviatrix gateways use a well known public DNS for its own hostname resolution needs.
Aviatrix also provides the feature Use VPC/VNet DNS Server, which allows you to force the Aviatrix gateways to use a private DNS server.
When enabled, this feature removes the default DNS server for the Aviatrix Gateway and instructs the gateway to use the VPC/VNet DNS server configured in VPC/VNet DHCP option.
When disabled, the Aviatrix Gateway will revert to use its built-in (default) DNS server.
Here is one example use case to enable this feature:
If you enable Logging on the Aviatrix Controller, all Aviatrix Gateways forward their log information to the configured log server. But if the log server is deployed on-prem with a private DNS name, the Aviatrix gateway’s default DNS server cannot resolve the domain name of the private log server. By enabling the VPC/VNet DNS server, the gateway will start to use the VPC/VNet DNS server which should resolve the private DNS name of the log server.
Another use case is when Aviatrix Egress FQDN is enabled for non-HTTP/HTTPS ports, the Aviatrix gateway must use the VPC/VNet’s DHCP option to accurately obtain the IP address of a given hostname.
When enabling this feature, Controller checks to make sure the gateway can indeed reach the VPC/VNet DNS server; if not, an error is returned. |
There is a caveat when the "Use VPC/VNet DNS Server" is enabled on a Spoke gateway where the custom DNS server is on-prem or is only reachable through the IPsec tunnels.
If the Spoke gateway has high-availability (HA) enabled, it will have an issue when the "Use VPC/VNet DNS Server" feature is applied to the primary Spoke Gateway. After the initial configuration, the system should work as intended. However, if a primary Spoke Gateway fails over to the backup gateway, and the system attempts to fail back again, it will have a problem.
The reason is that the Aviatrix primary gateway, after the first failover, has lost connectivity to the private DNS since the tunnel is down. However, the primary gateway must first obtain messages from the AWS SQS sent by the Controller to execute and re-establish the tunnel. Therefore, the Spoke Gateway will be stuck and the tunnel will remain down. The situation can be resolved by disabling the "Use VPC/VNet DNS Server" on the Spoke Gateway.
In a Transit network, if you want the Aviatrix Gateways to use a private DNS server, this DNS server must be reachable regardless of the network tunnel status. |