Amazon Route 53 Resolver – Inbound & Outbound Endpoints

Purpose

The Route 53 Resolver extends DNS resolution between AWS and on-premises networks when using hybrid connectivity (Direct Connect or Site-to-Site VPN).

Inbound Endpoint

  • Lets on-premises systems resolve private DNS records in an AWS VPC.
  • Essentially, on-prem → AWS DNS.
  • You create an inbound endpoint in a VPC, associate it with one or more IP addresses in subnets, and point your on-prem DNS servers to these IPs as forwarders.
  • Example: On-premises client queries db.internal.example.com → forwarded to inbound endpoint → resolved by VPC's private hosted zone.

Outbound Endpoint

  • Lets AWS resources resolve on-premises DNS names or DNS in other networks.
  • Essentially, AWS → on-prem DNS.
  • You create an outbound endpoint in a VPC and define forwarding rules (rule type: Forward) to send certain domain queries to on-prem DNS servers over your hybrid connection.
  • Example: EC2 queries corp.local → matched by outbound rule → sent via VPN/DX to on-premises DNS server.
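Rule selection decides whether a query from the VPC stays with the VPC resolver or is forwarded over the hybrid link, so it is worth seeing how it plays out. The following is an added example, not code from the page or from AWS: it models the documented Resolver behaviour (a query is matched label-wise against the rules associated with the VPC, the most specific matching domain wins, and a SYSTEM rule keeps resolution inside the VPC) using a hypothetical `ResolverRule` type and constructed rule data and IP addresses.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

@dataclass(frozen=True)
class ResolverRule:
    """A Route 53 Resolver rule associated with a VPC (hypothetical model)."""
    domain_name: str                  # e.g. "corp.local"
    rule_type: str                    # "FORWARD" (to target_ips) or "SYSTEM" (VPC resolver)
    target_ips: Tuple[str, ...] = ()  # on-prem DNS servers; only meaningful for FORWARD

def _labels(name: str) -> list:
    """Split a DNS name into labels, ignoring case and a trailing dot."""
    name = name.strip().lower().rstrip(".")
    return name.split(".") if name else []

def domain_matches(rule_domain: str, qname: str) -> bool:
    """True if qname equals rule_domain or is a subdomain of it (label-wise, not substring)."""
    rl, ql = _labels(rule_domain), _labels(qname)
    if not rl:                        # a rule for "." matches every name
        return True
    return len(ql) >= len(rl) and ql[-len(rl):] == rl

def select_rule(rules: Sequence[ResolverRule], qname: str) -> Optional[ResolverRule]:
    """Most specific rule wins: among matching rules, the one with the most labels."""
    candidates = [r for r in rules if domain_matches(r.domain_name, qname)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: len(_labels(r.domain_name)))

def resolve_path(rules: Sequence[ResolverRule], qname: str) -> Tuple[str, Tuple[str, ...]]:
    """Where a VPC query goes: ("FORWARD", on-prem IPs) or ("VPC_RESOLVER", ())."""
    rule = select_rule(rules, qname)
    if rule is None or rule.rule_type == "SYSTEM":
        return ("VPC_RESOLVER", ())
    return ("FORWARD", rule.target_ips)

# Constructed sample rule set; the addresses are made up for this example.
ONPREM_DNS = ("10.10.0.53", "10.10.1.53")
SAMPLE_RULES = (
    ResolverRule("corp.local", "FORWARD", ONPREM_DNS),
    ResolverRule("example.com", "FORWARD", ONPREM_DNS),
    # Carve-out: keep the private hosted zone's subdomain inside the VPC.
    ResolverRule("internal.example.com", "SYSTEM"),
)

if __name__ == "__main__":
    for q in ("fs01.corp.local", "db.internal.example.com", "www.example.com", "corp.localhost"):
        print(q, "->", resolve_path(SAMPLE_RULES, q))
```

Note that `corp.localhost` is not forwarded: matching is per label, so a rule for `corp.local` does not capture names that merely share a string suffix.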

Key Points

  • Endpoints are regional, but can be used across VPCs by sharing Route 53 Resolver rules through AWS Resource Access Manager (RAM).
  • Endpoints support IPv4 (IPv6 is not currently supported for endpoints).
  • Security is enforced by VPC Security Groups attached to the endpoint ENIs.
  • Pricing is per endpoint ENI/hour + per query.

Typical Architecture

  • Hybrid DNS:
    • Inbound endpoint for on-prem → AWS DNS queries.
    • Outbound endpoint for AWS → on-prem DNS queries.
  • Works seamlessly with private hosted zones and conditional forwarding rules.
  • Often paired with AWS Direct Connect or Site-to-Site VPN for secure DNS traffic.