CONTROLLED DATA
Leidos Proprietary - US Citizens ONLY
The information contained herein is proprietary to Leidos, Inc. It may not be used, reproduced, disclosed, or exported without the written approval of Leidos.

ECM is capable of configuring domains and subdomains that can be routed and resolved by the internal corporate DNS using Route 53 Private Hosted Zones.

There are two pieces to configure before this works. First, set up the domain in the on-premises DNS system (BlueCat) as a forwarding zone that sends queries for it to the Route 53 Resolver inbound endpoints.

Those endpoints are:

Commercial:

  • 10.102.5.172 (ns1.awsdev.leidos.com)
  • 10.102.7.1 (ns2.awsdev.leidos.com)

GovCloud:

  • 10.102.133.53 (ns1.awsdevgov.leidos.com)
  • 10.102.135.53 (ns1.awsdevgov.leidos.com)

Second, on the AWS side: if the Private Hosted Zone is created so that it is not associated with the Shared Services VPC (for example, created in an application account), you need to associate it with that VPC manually. The AWS Console cannot do this across accounts (currently); it has to be done through the API or CLI, with the zone-owning account first authorizing the association. Associating the Private Hosted Zone with the Shared Services VPC is what allows queries arriving at the inbound resolver endpoints listed above to be answered from that zone.

With the forwarder in place and the private hosted zone associated with the Shared Services VPC, you can add records to the hosted zone and they will resolve from the corporate network for that subdomain.
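The cross-account association described above, as an added example (not the page's or ECM's own tooling). It runs the three AWS CLI calls the console does not offer across accounts, then checks resolution directly against the inbound endpoints. The zone ID, the two CLI profile names and the test hostname are assumptions and must be replaced; the VPC ID, region and endpoint IPs are the Commercial values from this page, overridable by environment variables for GovCloud.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page. Associates a Private Hosted Zone
# owned by an application account with the Shared Services VPC, then verifies
# that the inbound endpoints answer for a record in that zone.
set -eu

ZONE_ID="${ZONE_ID:-Z0123456789EXAMPLE}"        # assumed: hosted zone ID in the application account
ZONE_PROFILE="${ZONE_PROFILE:-app-account}"     # assumed: CLI profile for the account that owns the zone
SS_PROFILE="${SS_PROFILE:-shared-services}"     # assumed: CLI profile for the Shared Services account
SS_VPC="${SS_VPC:-vpc-49bd3e31}"                # Commercial Shared Services VPC (from the page)
SS_REGION="${SS_REGION:-us-east-1}"             # GovCloud: vpc-d2b23eb7 / us-gov-west-1
INBOUND_ENDPOINTS="${INBOUND_ENDPOINTS:-10.102.5.172 10.102.7.1}"  # GovCloud: 10.102.133.53 10.102.135.53

vpc_arg() {
    # Build the --vpc shorthand value the route53 commands expect
    printf 'VPCRegion=%s,VPCId=%s' "$1" "$2"
}

authorize_association() {
    # Step 1, run as the zone owner: allow this specific VPC to be associated
    aws route53 create-vpc-association-authorization \
        --profile "$ZONE_PROFILE" --hosted-zone-id "$ZONE_ID" \
        --vpc "$(vpc_arg "$SS_REGION" "$SS_VPC")"
}

associate_zone() {
    # Step 2, run as the VPC owner: perform the association from Shared Services
    aws route53 associate-vpc-with-hosted-zone \
        --profile "$SS_PROFILE" --hosted-zone-id "$ZONE_ID" \
        --vpc "$(vpc_arg "$SS_REGION" "$SS_VPC")"
}

revoke_authorization() {
    # Step 3, run as the zone owner: the authorization is only needed until the
    # association exists, so remove it rather than leave a standing grant
    aws route53 delete-vpc-association-authorization \
        --profile "$ZONE_PROFILE" --hosted-zone-id "$ZONE_ID" \
        --vpc "$(vpc_arg "$SS_REGION" "$SS_VPC")"
}

verify_resolution() {
    # Ask each inbound endpoint directly, the same path BlueCat takes after forwarding.
    # Succeeds if at least one endpoint returns an answer.
    local name="$1" ip ok=0
    command -v dig >/dev/null 2>&1 || { echo "dig not found" >&2; return 2; }
    for ip in $INBOUND_ENDPOINTS; do
        if dig +short +time=2 +tries=1 "@$ip" "$name" | grep -q .; then
            echo "OK   $name via $ip"; ok=1
        else
            echo "FAIL $name via $ip"
        fi
    done
    [ "$ok" -eq 1 ]
}

if [ "${1:-}" = "run" ]; then
    authorize_association
    associate_zone
    revoke_authorization
    verify_resolution "${2:-app1.awsdev.leidos.com}"   # assumed test record in the zone
fi
```

Run it as `./associate.sh run host.sub.awsdev.leidos.com` with the two profiles configured; a final `dig host.sub.awsdev.leidos.com` from a corporate client then confirms the BlueCat forwarding zone as well. If the zone ID is wrong or the authorization was not created first, the associate call fails with NotAuthorizedException.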


DNS Resolver Endpoints and Rules

To allow DNS queries to flow between a VPC and an on-premises network you need to create Resolver Endpoints and then Resolver Rules that define which domains are forwarded, and where.

Outbound Endpoints

Creating an outbound endpoint allows the VPC's resolver (AmazonProvidedDNS, aka the .2 address) to forward queries to an external DNS system.

You also need to create a "Forward" rule that points at the IP address(es) of the external DNS system and names the domain to be forwarded; the rule must then be associated with the VPCs whose queries should use it. In this environment the rule forwards queries for leidos.com and everything under it (*.leidos.com) to the on-premises DNS.

Here is the data flow for outbound endpoints:


The current outbound endpoint IPs are set up in the Shared Services accounts:

Commercial (vpc-49bd3e31, us-east-1)

  • 10.102.4.58
  • 10.102.7.59

GovCloud (vpc-d2b23eb7, us-gov-west-1)

  • 10.102.133.121
  • 10.102.134.193


Inbound Endpoints

Creating an inbound endpoint allows an external DNS system to forward queries to AWS for Route 53 Private Hosted Zones.

On the AWS side you also need a "System" resolver rule for the domain served from the hosted zone, here awsdev.leidos.com. Without it, the Forward rule for leidos.com above would match queries for awsdev.leidos.com arriving at the inbound endpoint and send them back to the on-premises DNS, which forwards them to AWS again. A System rule for the more specific domain takes precedence over the Forward rule and tells Resolver to answer those queries itself, from the Private Hosted Zones associated with the Shared Services VPC.
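To make the two failure modes concrete (a missing System rule, and a hosted zone not associated with the Shared Services VPC), here is a small model of how Resolver picks a rule and where a query ends up. This is an added example, not the page's or AWS's code: rule selection is longest-matching-domain wins and a Forward rule beats a hosted zone, as Route 53 Resolver does; the Shared Services VPC ID and zone name are from the page, while the application VPC ID, the BlueCat address and the sample record are constructed.

```python
from dataclasses import dataclass, field

SHARED_SERVICES_VPC = "vpc-49bd3e31"   # Commercial Shared Services VPC (from the page)
APP_VPC = "vpc-0app0example"            # constructed: an application VPC in another account
ONPREM_DNS = ["192.0.2.53"]             # constructed placeholder for the BlueCat servers


@dataclass
class PrivateHostedZone:
    name: str
    records: dict                       # fqdn -> address (constructed sample data)
    associated_vpcs: set = field(default_factory=set)


@dataclass
class ResolverRule:
    domain: str
    kind: str                           # "FORWARD" or "SYSTEM"
    targets: list = field(default_factory=list)   # target IPs, FORWARD rules only


def _under(domain, qname):
    """True if qname equals domain or is a subdomain of it (case and trailing dot ignored)."""
    d, q = domain.rstrip(".").lower(), qname.rstrip(".").lower()
    return q == d or q.endswith("." + d)


def pick_rule(rules, qname):
    """The rule with the most specific (longest) matching domain wins, as in Route 53 Resolver."""
    hits = [r for r in rules if _under(r.domain, qname)]
    return max(hits, key=lambda r: len(r.domain.rstrip(".")), default=None)


def resolve(qname, vpc_id, zones, rules):
    """Decide what Resolver does with a query evaluated in the context of vpc_id.

    Returns one of:
      ("forward", targets)   sent to the FORWARD rule's targets
      ("answer", address)    answered from a Private Hosted Zone associated with vpc_id
      ("nxdomain", None)     an associated zone matched but holds no such record
      ("recursive", None)    no associated zone matched; normal public resolution
    """
    rule = pick_rule(rules, qname)
    if rule is not None and rule.kind == "FORWARD":
        return ("forward", rule.targets)
    # A SYSTEM rule (or no rule) means Resolver answers the query itself, which
    # includes the Private Hosted Zones associated with this VPC.
    for zone in zones:
        if _under(zone.name, qname) and vpc_id in zone.associated_vpcs:
            address = zone.records.get(qname.rstrip(".").lower())
            return ("answer", address) if address else ("nxdomain", None)
    return ("recursive", None)


# The page's setup: leidos.com forwarded to BlueCat, awsdev.leidos.com overridden
# by a SYSTEM rule, hosted zone associated with Shared Services and the app VPC.
RULES = [
    ResolverRule("leidos.com", "FORWARD", ONPREM_DNS),
    ResolverRule("awsdev.leidos.com", "SYSTEM"),
]
ZONE = PrivateHostedZone(
    "awsdev.leidos.com",
    {"app1.awsdev.leidos.com": "10.102.5.10"},     # constructed sample record
    {SHARED_SERVICES_VPC, APP_VPC},
)


def inbound_query(qname, zones=(ZONE,), rules=RULES):
    """A query forwarded by BlueCat to an inbound endpoint is resolved in the
    Shared Services VPC, so only that VPC's associations and rules count."""
    return resolve(qname, SHARED_SERVICES_VPC, list(zones), list(rules))


def without_system_rule(qname):
    """Same query with the SYSTEM rule omitted: the leidos.com FORWARD rule
    catches it and sends it straight back on-prem, which forwards it to AWS again."""
    return inbound_query(qname, rules=[r for r in RULES if r.kind != "SYSTEM"])


def without_shared_services_association(qname):
    """Same query, but the zone is associated only with the application VPC."""
    zone = PrivateHostedZone(ZONE.name, ZONE.records, {APP_VPC})
    return inbound_query(qname, zones=[zone])


if __name__ == "__main__":
    cases = [("correct setup", inbound_query),
             ("no SYSTEM rule", without_system_rule),
             ("zone not associated with Shared Services", without_shared_services_association)]
    for label, fn in cases:
        print(f"{label:42} app1.awsdev.leidos.com -> {fn('app1.awsdev.leidos.com')}")
    print(f"{'correct setup':42} intranet.leidos.com    -> {inbound_query('intranet.leidos.com')}")
```

The correct setup answers app1.awsdev.leidos.com from the zone and still forwards intranet.leidos.com on-prem; dropping the System rule turns the awsdev query into a forward back to BlueCat (the loop), and dropping the Shared Services association leaves Resolver with nothing local to answer from.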

Here is the data flow for inbound endpoints:


The current inbound endpoint IPs are set up in the Shared Services accounts:

Commercial (vpc-49bd3e31, us-east-1)

  • 10.102.5.172
  • 10.102.7.1

GovCloud (vpc-d2b23eb7, us-gov-west-1)

  • 10.102.133.53
  • 10.102.135.53

