Use private DNS in interconnected VCNs and On-premises
Use your own private domain names in Oracle Cloud Infrastructure (OCI).
When you use the private DNS service, you also get DNS resolution between virtual cloud networks (VCNs) and between VCNs and on-premises networks. Private DNS allows the following capabilities:
- Create private DNS zones with your own, non-public, names and create records for the private resources.
- Private DNS resolver for DNS resolution to and from other private networks.
- Support for DNS views for split-horizon environments.
This architecture demonstrates the use of Private DNS in Oracle Cloud Infrastructure.
A private DNS resolver allows resolution of local, internal resources that have custom domain names. The domain names do not need to be sub-domains of oraclevcn.com, as with the default Internet and VCN Resolver. The private DNS resolves your custom domain names, and forwards requests for other domains to the Internet and VCN Resolver. For example, in the architecture described here the private DNS resolver on the spoke VCN resolves a query for a hostname on the example.com domain. Also, a query originating from the on-premises network can be forwarded to the private resolver of the hub.example.com VCN to resolve addresses in the spoke.example.com domain.
The following diagram illustrates this reference architecture.
Description of the illustration architecture-deploy-private-dns.png
The architecture has the following components:
An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).
- Availability domains
Availability domains are standalone, independent data centers within a region. The physical resources in each availability domain are isolated from the resources in the other availability domains, which provides fault tolerance. Availability domains don’t share infrastructure such as power or cooling, or the internal availability domain network. So, a failure at one availability domain is unlikely to affect the other availability domains in the region.
- Virtual cloud network (VCN) and subnets
A VCN is a customizable, private network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you complete control over your network environment. You can segment VCNs into subnets, which can be scoped to a region or to an availability domain. Both regional subnets and availability domain-specific subnets can coexist in the same VCN. A subnet can be public or private.
- Private DNS Resolver
A Private DNS Resolver provides full control of naming and record management in a private DNS zone. The listening, or ingress, interface receives queries from another VCN or from your on-premises DNS server for name resolution. The forwarding, or egress, interface forwards queries to another VCN or to your on-premises DNS server for name resolution.
Your requirements might differ from the architecture described here. Use the following recommendations as a starting point.
When you create a VCN, determine the number of CIDR blocks required and the size of each block based on the number of resources that you plan to attach to subnets in the VCN. Use CIDR blocks that are within the standard private IP address space.
Select CIDR blocks that don't overlap with any other network (in Oracle Cloud Infrastructure, your on-premises data center, or another cloud provider) to which you intend to set up private connections.
After you create a VCN, you can change, add, and remove its CIDR blocks.
When you design the subnets, consider your traffic flow and security requirements. Attach all the resources within a specific tier or role to the same subnet, which can serve as a security boundary.
- DNS resolver
VCNs always have resolvers, but you need to enable DNS on subnets if you want to use the internal resolver and OCI system-generated zone within the subnet.
Consider the following points when deploying this reference architecture.
There are no performance considerations. The service is offered as a managed platform, requiring no intervention for operation.
The security is integrated with OCI Identity and Access Management (IAM).
There are no availability considerations. The DNS service is a platform service and fully redundant.
Private DNS has no cost and is provided with Oracle Cloud Infrastructure.
To learn more about DNS in Oracle Cloud Infrastructure, see the following resources: