Setting up DNS
Requirements
Before deploying DNS, first purchase your chosen vanity and service domains in the core-dns
account or in your chosen registrar. Refer back to the Decide on Vanity (Branded) Domain and Decide on Service Discovery Domain design decisions for more information.
When registering a new domain, we have the option of using Route53’s built-in registrar or using an existing registrar. Many enterprise-scale organizations use MarkMonitor to manage their domain portfolio. Our convention is to use the core-dns
account as the registrar. This allows us to use AWS IAM roles and policies to manage access to the registered domains and to centralized DNS management.
Registering domain names using Amazon Route 53 - Amazon Route 53
We recommend checking with your legal department on where they want to consolidate domain ownership. It has larger ramifications as to IP/trademark defense.
1 Deploy DNS Components
The DNS stacks are broken up into primary and delegated deployments. Primary DNS zones only start with an NS
record
among other defaults and expect the the owner of their associated domain to add these NS
records to whatever console manages the respective domain.
Consult the dns-primary component documentation for more information.
The delegated DNS zones insert their NS
records into the primary DNS zone; thus they are mostly automated.
Consult the dns-delegated component documentation for more information.
To start the dns setup, run the following. This will go through creating primaries, and then follow up with establishing the delegates.
- Commands
- Atmos Workflow
deploy/dns
workflow in the examples/snippets/stacks/workflows/network.yaml
file:- No commands found
atmos workflow deploy/dns -f network
2 Configure Registrar NS
Records for Domain (Click Ops)
In order to connect the newly provisioned Hosted Zone to the purchased domains, add the NS
records to the chosen
Domain Registrar. Retrieve these with the output of dns-primary
. These will need to be manually added to the
registered domain.
-
Delegate Shared Service Domain,
acme-svc.com
atmos terraform output dns-primary -s core-gbl-dns
-
Delegate Platform Sandbox Vanity Domain,
acme-sandbox.com
atmos terraform output dns-primary -s plat-gbl-sandbox
-
Delegate Platform Dev Vanity Domain,
acme-dev.com
atmos terraform output dns-primary -s plat-gbl-dev
-
Delegate Platform Staging Vanity Domain,
acme-stage.com
atmos terraform output dns-primary -s plat-gbl-staging
-
Delegate Platform Prod Vanity Domain,
acme-prod.com
atmos terraform output dns-primary -s plat-gbl-prod
ACM
Each domain managed by the dns-primary
component will create its own ACM certificate. However, we need additional ACM certificates to validate delegated domains.
We use a separate instance of the acm
component to provision each service domain certificate.
We can deploy all required ACM certificates with the following command:
- Commands
- Atmos Workflow
deploy/acm
workflow in the examples/snippets/stacks/workflows/network.yaml
file:- No commands found
atmos workflow deploy/acm -f network