Hi,
I have the following Pritunl configuration:
- Multiple AWS accounts, each with its own set of public and private Route53 zones. For example account1 - .client1.company.co with api.client1.company.co in the public zone and admin.client1.company.co in the private zone. Same for another account - api.client2.company.co and admin.client2.company.co;
- Each AWS account has its own Pritunl instance, there are no peering connections between accounts;
- Each Pritunl instance uses the built-in DNS from AWS (DNS attributes for your VPC - Amazon Virtual Private Cloud) followed by 8.8.8.8;
This setup works fine as long as a user connects to a single VPN at a time. However, if the user connects to both VPNs, only the second connection will be able to resolve private zone addresses.
Could you please advise about best practices with AWS split-view DNS and Pritunl? Are there any settings that could help in this case?
Here are the options that I have considered, each with its set of downsides:
- Associating all VPCs with all private zones. This works, but does not scale, as it requires a quadratic count of associations;
- Create a special infra VPC, and associate it with all private zones. Set up DNS there and use this DNS in all VPNs. Unfortunately, it seems that it's impossible to attach a public IP to a Route53 inbound endpoint, so maybe a self-hosted DNS server is still an option;
- Create peering and use Route53 rules to forward DNS queries between accounts. I would like to avoid peering between accounts for security reasons. In this case, it looks like the schema with multiple VPN servers becomes redundant. If there is peering, a shared VPN should work fine.
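Added example (not from the original post or from Pritunl) that models the failure described above: when the second tunnel's pushed resolver replaces the system resolver, the first account's private zone stops resolving, whereas per-zone (split) routing of queries keeps both private zones resolvable. Tunnel names, resolver addresses and zone ownership are constructed assumptions.

```python
from typing import Dict, List, Optional

# Constructed sample values (not from the post): one Pritunl tunnel per account,
# each pushing its VPC resolver and owning one private Route53 zone.
TUNNELS: Dict[str, dict] = {
    "vpn-account1": {"dns": "10.1.0.2", "private_zones": ["admin.client1.company.co"]},
    "vpn-account2": {"dns": "10.2.0.2", "private_zones": ["admin.client2.company.co"]},
}
PUBLIC_DNS = "8.8.8.8"


def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or a subdomain of it."""
    return name == zone or name.endswith("." + zone)


def global_resolver(connected: List[str]) -> str:
    """Last-writer-wins: the most recently connected tunnel's pushed DNS replaces
    the system resolver, which is the behaviour the post describes."""
    return TUNNELS[connected[-1]]["dns"] if connected else PUBLIC_DNS


def split_resolver(name: str, connected: List[str]) -> str:
    """Per-zone routing: send the query to the tunnel whose private zone is the
    longest matching suffix; everything else goes to the public resolver."""
    best: Optional[tuple] = None
    for tunnel in connected:
        for zone in TUNNELS[tunnel]["private_zones"]:
            if in_zone(name, zone) and (best is None or len(zone) > len(best[0])):
                best = (zone, TUNNELS[tunnel]["dns"])
    return best[1] if best else PUBLIC_DNS


def private_name_resolves(name: str, resolver: str, connected: List[str]) -> bool:
    """A private zone answers only from the resolver inside the VPC that hosts it;
    any other resolver (public, or the other account's VPC) returns NXDOMAIN."""
    return any(
        TUNNELS[t]["dns"] == resolver
        and any(in_zone(name, z) for z in TUNNELS[t]["private_zones"])
        for t in connected
    )
```

With both tunnels up, `global_resolver` points at 10.2.0.2 and admin.client1.company.co fails, while `split_resolver` still sends it to 10.1.0.2.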