This submit is Half 2 of our two-part collection on hybrid multi-account entry patterns for Amazon OpenSearch Serverless. In Half 1, we explored a centralized structure the place a single account hosts a number of OpenSearch Serverless collections and a shared VPC endpoint. This strategy works nicely when a single enterprise unit or workforce manages collections on behalf of the group.
Nonetheless, many enterprises have a number of enterprise models that want unbiased possession of their OpenSearch Serverless infrastructure. When every enterprise unit desires to handle their very own collections, safety insurance policies, and VPC endpoints inside their very own AWS accounts, the centralized mannequin from Half 1 now not matches.
On this submit, we deal with this multi-business unit situation by introducing a sample the place the central networking account manages a customized personal hosted zone (PHZ) with CNAME information pointing to every enterprise unit’s VPC endpoint. This strategy maintains centralized DNS administration and connectivity whereas giving every enterprise unit full autonomy over their collections and infrastructure.
The problem with a number of enterprise models
When a number of enterprise models independently handle their very own OpenSearch Serverless collections in separate AWS accounts, every account has its personal VPC endpoint with its personal personal hosted zones. These personal hosted zones solely work inside their respective VPCs, creating DNS fragmentation throughout the group. Customers in spoke accounts and on-premises environments can’t resolve assortment endpoints in different accounts with out extra DNS configuration.
Managing particular person PHZ associations for every shopper VPC doesn’t scale, and asking every enterprise unit to coordinate DNS with each shopper creates operational overhead. You want a community structure that offers every workforce autonomy whereas retaining DNS administration and connectivity centralized.
Answer overview
This structure solves the issue by centralizing DNS administration within the networking account whereas leaving assortment and VPC endpoint possession with every enterprise unit. The networking account maintains a customized PHZ with CNAME information that map every assortment endpoint to the regional DNS title of its corresponding VPC endpoint. This practice PHZ is related to a Route 53 Profile and shared by means of AWS Useful resource Entry Supervisor (AWS RAM) to spoke accounts. On-premises DNS decision flows by means of the Route 53 Resolver inbound endpoint within the central networking VPC, which makes use of the identical customized PHZ.
We cowl two complementary patterns: Sample 1 for on-premises entry to collections throughout a number of enterprise unit accounts, and Sample 2 for spoke account entry to those self same collections. Each patterns depend on the centralized customized PHZ managed by your networking workforce.
Sample 1: On-premises entry to OpenSearch Serverless collections throughout a number of enterprise unit accounts
With this sample, your on-premises shoppers can privately entry OpenSearch Serverless collections hosted throughout a number of enterprise unit accounts, every with its personal VPC endpoint. The next diagram illustrates this multi-business-unit structure. It exhibits how on-premises DNS queries are resolved by means of the customized PHZ within the central networking account and routed to the proper enterprise unit’s VPC endpoint by means of AWS PrivateLink.
(A) The Route 53 Profiles are created within the central networking account and shared by means of AWS Useful resource Entry Supervisor (AWS RAM) with the central OpenSearch Serverless account.
(B) The central networking account has a customized PHZ with area us-east-1.aoss.amazonaws.com and related to central networking account VPC and with Route 53 Profiles.
(C) This PHZ accommodates CNAME information pointing to every enterprise unit’s VPC endpoints.
(D) Every enterprise unit account has Personal DNS enabled on its VPC endpoint.
(E) This routinely creates the next PHZs throughout VPC endpoint creation and associates them with the enterprise unit’s VPC, so DNS decision works regionally inside that VPC with out relying on the Route 53 Profiles.
us-east-1.aoss.amazonaws.comus-east-1.opensearch.amazonaws.comus-east-1.aoss-fips.amazonaws.comprivatelink.c0X.sgw.iad.prod.aoss.searchservices.aws.dev
DNS decision stream
- Your on-premises consumer initiates a request to
bu-1-collection-id-1.us-east-1.aoss.amazonaws.com. - The on-premises DNS resolver has a conditional forwarder for
us-east-1.aoss.amazonaws.comand forwards the question over AWS Direct Join or AWS Web site-to-Web site VPN to the Route 53 Resolver inbound endpoint IPs within the central networking VPC. - The inbound Resolver endpoint passes the question to the Route 53 VPC Resolver within the central networking VPC.
- The VPC Resolver finds the customized PHZ (
bu-1-collection-id-1.us-east-1.aoss.amazonaws.com) related to the central networking VPC. The CNAME file forbu-1-collection-id-1.us-east-1.aoss.amazonaws.comresolves to the regional DNS title of BU1’s VPC endpoint (for instance,vpce-1234567890abcdefghi.a2oselk.vpce-svc-0c3ebf9a1a3ad247b.us-east-1.vpce.amazonaws.com). - The VPC Resolver then resolves the VPC endpoint regional DNS title to its elastic community interfaces (ENIs) personal IP addresses.
- The visitors reaches BU1’s VPC endpoint elastic community interfaces (ENIs) by means of personal community connectivity as a result of the on-premises consumer connects over AWS Direct Join or AWS Web site-to-Web site VPN by means of AWS Transit Gateway or AWS Cloud WAN.
Knowledge stream
- Your on-premises consumer sends an HTTPS request to the resolved IP deal with with the TLS Server Title Indication (SNI) header set to
bu-1-collection-id-1.us-east-1.aoss.amazonaws.com, over AWS Direct Join or AWS Web site-to-Web site VPN by means of AWS Transit Gateway or AWS Cloud WAN. - Visitors reaches the VPC endpoint ENIs in BU1’s OpenSearch Serverless VPC.
- The VPC endpoint forwards the request to the OpenSearch Serverless service, which inspects the hostname and routes to BU1 Assortment 1.
To entry a set in BU2, your consumer follows the identical stream utilizing bu-2-collection-id-1.us-east-1.aoss.amazonaws.com. The customized PHZ accommodates a separate CNAME file pointing to BU2’s VPC endpoint, and the OpenSearch Serverless service routes to the proper assortment based mostly on the hostname.
Sample 2: Spoke account entry to OpenSearch Serverless collections throughout a number of enterprise unit accounts
Whereas Sample 1 addresses on-premises entry, you may additionally want to supply entry from compute assets and distributed functions in spoke accounts to OpenSearch Serverless collections throughout a number of enterprise unit accounts. With this sample, compute assets in spoke account VPCs can privately entry OpenSearch Serverless collections throughout a number of enterprise unit accounts by means of the centralized personal hosted zone (PHZ) within the networking account.
Within the following instance, we use an Amazon Elastic Compute Cloud (Amazon EC2) occasion as a compute useful resource as an example the sample. Nonetheless, the identical strategy applies to any compute useful resource inside the spoke VPC. The next diagram illustrates this multi-business-unit, multi-spoke structure, exhibiting how spoke VPCs resolve DNS by means of the shared Route 53 Profile and customized PHZ, then route visitors to the proper enterprise unit’s OpenSearch Serverless collections by means of AWS PrivateLink.
(A) The Route 53 Profiles, created within the central networking account, are shared by means of AWS RAM with all spoke accounts and with the central OpenSearch Serverless account.
(B) The central networking account has a customized PHZ with area us-east-1.aoss.amazonaws.com and related to central networking account VPC and with Route 53 Profiles.
(C) This PHZ accommodates CNAME information pointing to every enterprise unit’s VPC endpoints.
(D) Every enterprise unit account has Personal DNS enabled on its VPC endpoint.
(E) This routinely creates the next PHZs throughout VPC endpoint creation and associates them with the enterprise unit’s VPC, so DNS decision works regionally inside that VPC with out relying on the Route 53 Profiles.
us-east-1.aoss.amazonaws.comus-east-1.opensearch.amazonaws.comus-east-1.aoss-fips.amazonaws.comprivatelink.c0X.sgw.iad.prod.aoss.searchservices.aws.dev
DNS decision stream
- An Amazon EC2 occasion in BU1 Spoke VPC 1 initiates a request to
bu-1-collection-id-1.us-east-1.aoss.amazonaws.comand sends a DNS question to the Route 53 VPC Resolver. - The VPC Resolver finds the Route 53 Profiles related to the spoke VPC.
- The Profiles reference the customized PHZ (
us-east-1.aoss.amazonaws.com) managed within the central networking account. The CNAME file forbu-1-collection-id-1.us-east-1.aoss.amazonaws.comresolves to the regional DNS title of BU1’s VPC endpoint. - The VPC Resolver then resolves the VPC endpoint regional DNS title to its elastic community interfaces (ENIs) personal IP addresses.
- Visitors reaches the VPC endpoint ENIs by means of personal community connectivity as a result of the spoke VPC connects to BU1’s VPC by means of AWS Transit Gateway or AWS Cloud WAN.
Knowledge stream
- Your Amazon EC2 occasion sends an HTTPS request to the resolved IP deal with with the TLS SNI header set to
bu-1-collection-id-1.us-east-1.aoss.amazonaws.com, routed by means of AWS Transit Gateway or AWS Cloud WAN to BU1’s OpenSearch Serverless VPC. - The request arrives on the VPC endpoint ENIs in BU1’s OpenSearch Serverless VPC.
- The VPC endpoint forwards the request to the OpenSearch Serverless service, which inspects the hostname and routes to BU1 Assortment 1.
To entry a set in BU2, the identical stream applies utilizing bu-2-collection-id-1.us-east-1.aoss.amazonaws.com. The customized PHZ resolves to BU2’s VPC endpoint, and routes visitors by means of the transit gateway to BU2’s VPC. The identical applies to assets in different spoke accounts with the Route 53 Profiles related.
Customized PHZ file construction
The customized PHZ within the central networking account makes use of the area us-east-1.aoss.amazonaws.com and accommodates CNAME information that map every assortment endpoint to the regional DNS title of its corresponding VPC endpoint. Be aware that collections inside the identical enterprise unit account share the identical VPC endpoint, so their CNAME information level to the identical regional DNS title. Collections in numerous enterprise unit accounts level to completely different VPC endpoints.
Customized PHZ administration
In contrast to Half 1, the place the auto-created PHZs from the VPC endpoint deal with DNS decision, this sample requires your networking workforce to manually preserve the customized PHZ. When a enterprise unit provides a brand new assortment, the networking workforce should add a corresponding CNAME file to the customized PHZ.
Value issues
The structure patterns described on this submit use a number of AWS companies that may contribute to your total prices, together with Amazon Route 53 (hosted zones, DNS queries, and Resolver endpoints), and Route 53 Profiles. We advocate reviewing the official AWS pricing pages for essentially the most present charges:
For a full value estimate tailor-made to your workload, use the AWS Pricing Calculator.
Conclusion
On this submit, we confirmed how one can give on-premises shoppers and spoke account assets personal entry to OpenSearch Serverless collections distributed throughout a number of enterprise unit accounts. By centralizing DNS administration by means of a customized PHZ within the networking account and sharing it by means of Route 53 Profiles, you keep away from coordinating PHZ associations throughout accounts whereas giving every enterprise unit full possession of their collections and VPC endpoints.
Mixed with Half 1, you now have two architectural approaches for hybrid multi-account entry to OpenSearch Serverless: a centralized mannequin the place one account owns all collections and a shared VPC endpoint, and a distributed mannequin the place a number of enterprise models every handle their very own collections and VPC endpoints. Select the centralized mannequin when a single workforce manages collections on behalf of the group. Select the distributed mannequin when enterprise models want unbiased possession of their OpenSearch Serverless infrastructure.
For extra particulars, discuss with the Amazon OpenSearch Serverless VPC endpoint documentation and Route 53 Profiles documentation.
Concerning the authors
