I'm trying to make my small business network a bit more robust by adding a fallback ISP. What I can't figure out is how to manage the DNS for inbound connections. A simplified view of my network looks like this:
+-------+         +-------+
| ISP 1 |         | ISP 2 |
+-------+         +-------+
    |                 |
    +-----------------+
    | Dual WAN Router |
    +-----------------+
             |
        +----------+
        |  Server  |
        +----------+
When I just had 1 ISP, I only had one WAN IP address to worry about and I simply updated my DNS A record anytime my dynamic IP changed. I'm using AWS (Route 53) for DNS, so it's pretty easy to write a script to get your current IP and then use their CLI tools to update your DNS records accordingly.
Now that I have two WAN IP addresses, I'm not exactly sure how to proceed. I have two main issues:
1. I want ISP 1 to be the primary (it has a better connection), but I want to fall back to ISP 2 if 1 is not available. I use the server for VoIP as well as HTTP and SSH. The VoIP needs to have pretty high availability (hence the redundant ISP). But, I don't know how to achieve failover like this.
2. How can I keep both DNS records up to date? With just one ISP, I can reliably determine the WAN IP from the Server with a command like this:
dig +short myip.opendns.com @resolver1.opendns.com
With two ISPs, I can't imagine how I would get the IPs for both from the Server.
Ideas for #1
I have read about DNS round robin with multiple A records, but everywhere I find it mentioned it's recommended against. Another option seems to be BGP, but I don't understand it, and I kind of feel like I don't have what I need to implement it (this post seems to apply).
Another solution for #1 could be having a load balancer with a single IP that the domains point to. Then, that load balancer chooses which ISP to route traffic to based on some health check. The issue is that this needs to be protocol agnostic (i.e. work seamlessly with VoIP traffic as well as HTTP, etc.). That's why a DNS level solution seemed appealing.
I stumbled on this AWS blog post which looked promising, but my head exploded when I tried to figure out how I would keep the dynamic IPs up to date in the health checks and the various corresponding DNS records.
After reading this post, the "right" way to do this at my level seems to be a link balancer like this, but the cheapest model in that line is around $1,200 which is a bit more than I was looking for. Plus, I'm still a bit foggy on how to point the Name Servers for my domains to my link balancer when it's getting dynamic IPs from the ISPs.
Ideas for #2
I think I can configure my Dual WAN Router to call a webhook when IPs change, but that would be kind of complicated to implement.
Is there some magic bullet solution that I'm missing?
I use AWS Route53 health checks for inbound DNS resolution and internet failover.
1. Create a health check.
2. Create a public DNS entry for each service.
3. Associate the health check with the DNS entry.
It depends on your dual WAN router's features, but I believe the most straightforward solution could be to make the router use ISP/WAN 2 only when it detects that ISP/WAN 1 is down. This way you could have the server and its dynamic DNS script as is; it will update the same record to resolve to the public IP of WAN2 when WAN1 fails.
Of course this will take up to the TTL seconds until it's effective, but with a short TTL like 300 that shouldn't cause too long a downtime, percentage-wise.
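The updater the second answer relies on (one A record for the server, re-pointed with a 300 s TTL to whichever WAN the router is currently using), as an added example that is not part of the question or either answer. The hosted zone ID, record name and state-file path are placeholders, and it assumes the aws CLI and dig are installed with credentials configured; it validates dig's output before anything is written to the zone.

```shell
#!/bin/sh
# Added example, not from the original post: keep a single Route 53 A record
# pointed at the WAN address the server currently sits behind.  Placeholders:
# HOSTED_ZONE_ID, RECORD_NAME, STATE_FILE.  Assumes `aws` and `dig` are installed.
set -eu
HOSTED_ZONE_ID="${HOSTED_ZONE_ID:-ZPLACEHOLDER}"  # not a real zone id
RECORD_NAME="${RECORD_NAME:-voip.example.com.}"   # trailing dot = fully qualified
TTL="${TTL:-300}"                                 # short TTL bounds the failover delay
STATE_FILE="${STATE_FILE:-/var/tmp/ddns-last-ip}" # last address we pushed
# Accept only a dotted-quad IPv4.  On a flapping link dig can print nothing or
# resolver error text, and that must never be written into the zone.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for octet in $(echo "$1" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1
  done
}
# Update only when the address is valid and differs from the last one pushed,
# so a once-a-minute cron job does not hit the Route 53 API needlessly.
needs_update() {   # $1 = current WAN ip, $2 = last pushed ip (may be empty)
  is_ipv4 "$1" || return 1
  [ "$1" != "$2" ]
}
# Change batch in the shape `aws route53 change-resource-record-sets` expects.
change_batch() {   # $1 = record name, $2 = ip, $3 = ttl
  printf '{"Comment":"ddns","Changes":[{"Action":"UPSERT","ResourceRecordSet":'
  printf '{"Name":"%s","Type":"A","TTL":%s,"ResourceRecords":[{"Value":"%s"}]}}]}\n' "$1" "$3" "$2"
}
# Same probe the question uses; the answer reflects whichever WAN the router
# is currently sending the server's traffic out of.
current_wan_ip() {
  dig +short myip.opendns.com @resolver1.opendns.com 2>/dev/null | head -n1
}
main() {
  ip=$(current_wan_ip)
  last=$(cat "$STATE_FILE" 2>/dev/null || echo "")
  if needs_update "$ip" "$last"; then
    batch=$(mktemp)
    change_batch "$RECORD_NAME" "$ip" "$TTL" > "$batch"
    aws route53 change-resource-record-sets --hosted-zone-id "$HOSTED_ZONE_ID" \
        --change-batch "file://$batch" && printf '%s\n' "$ip" > "$STATE_FILE"
    rm -f "$batch"
  fi
}
# Run from cron with DDNS_RUN=1; sourcing the file only defines the functions.
if [ "${DDNS_RUN:-0}" = 1 ]; then main; fi
```

Because the router itself moves traffic to WAN 2 on failure, the same record serves both links; the TTL of 300 is what caps how long stale answers are cached.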