I am looking to resolve addresses in a private hosted zone network using customised forwarding rules configured in an on-prem DNS service. The forwarding rule would effectively say, "for my private domain xyz, forward queries to 10.1.1.2" where 10.1.1.2 is an AWS private IP address in a VPC corresponding to a resolver endpoint.
I am looking to understand the differences between forwarding the queries to the standard .2 address in the VPC associated with the private zone, or setting up an inbound Route 53 resolver endpoint to receive and resolve queries.
Apart from a difference in price, they both seem to do the same thing. I have confirmed using dig that I can use the .2 address to resolve private hosted zone records from outside the VPC (via transit gateway).
So technically, why would I want to use an inbound resolver endpoint, when I can resolve the queries more cheaply using the .2 address? What am I missing here?
I found some AWS doco that indicates .2 addresses are not usable outside the VPC, but I have confirmed this is incorrect.
Turns out that AWS Transit Gateway service does not support DNS query resolution against ".2" resolvers across attached VPCs. You may see DNS queries working in some availability zone(s) in some region(s), as well as from on-premise but this feature is not supported on AWS Transit Gateway and is not a recommended configuration in terms of security. To implement Centralized DNS management using AWS Transit Gateway, please follow this blog post:
Centralized DNS management of hybrid cloud with Amazon Route 53 and AWS Transit Gateway
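As an added example (not part of the original thread or the linked blog post), the following Terraform shows what the supported alternative to the .2 address looks like: an inbound Route 53 Resolver endpoint whose ENIs the on-prem forwarding rule for the private zone points at, fronted by a security group that only admits DNS from the on-prem forwarders. The VPC ID, subnet IDs and the on-prem CIDR are placeholders; the resource names and attributes are the real `aws_route53_resolver_endpoint` and `aws_security_group` schema from the AWS provider.

```hcl
# Added example, not the original poster's configuration. All IDs and the
# on-prem CIDR below are placeholders to be replaced with real values.

variable "vpc_id"          { default = "vpc-PLACEHOLDER" }
variable "subnet_ids"      { default = ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"] }
variable "onprem_dns_cidr" { default = "192.0.2.0/24" }   # constructed: on-prem forwarder range

# Security group on the endpoint ENIs: unlike the .2 address, an inbound
# endpoint can be restricted so that only the on-prem forwarders may query it.
resource "aws_security_group" "resolver_inbound" {
  name   = "route53-resolver-inbound"
  vpc_id = var.vpc_id

  ingress {
    description = "DNS over UDP from on-prem forwarders"
    from_port   = 53
    to_port     = 53
    protocol    = "udp"
    cidr_blocks = [var.onprem_dns_cidr]
  }

  ingress {
    description = "DNS over TCP from on-prem forwarders (large answers, zone data)"
    from_port   = 53
    to_port     = 53
    protocol    = "tcp"
    cidr_blocks = [var.onprem_dns_cidr]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Inbound endpoint: one ENI per subnet (spread across AZs for availability).
# The ENI IPs are stable, so the on-prem rule "for zone xyz, forward to <ip>"
# can target them directly instead of the VPC's .2 address.
resource "aws_route53_resolver_endpoint" "inbound" {
  name               = "onprem-to-vpc"
  direction          = "INBOUND"
  security_group_ids = [aws_security_group.resolver_inbound.id]

  dynamic "ip_address" {
    for_each = toset(var.subnet_ids)
    content {
      subnet_id = ip_address.value
    }
  }
}

# These are the addresses to put in the on-prem forwarding rule.
output "inbound_resolver_ips" {
  description = "Point the on-prem forwarding rule for the private zone at these IPs"
  value       = [for a in aws_route53_resolver_endpoint.inbound.ip_address : a.ip]
}
```

After `terraform apply`, the same `dig @<endpoint-ip> host.xyz` check used against the .2 address confirms resolution through the endpoint. The practical differences this buys over the .2 address are the ones the answer alludes to: reachability over Transit Gateway and VPN is a supported path rather than incidental behaviour, the security group limits who can query the endpoint, and queries arriving through the inbound endpoint are covered by Route 53 Resolver query logging, which gives the on-prem-to-VPC lookups an audit trail.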