
AWS Landscape 17: DNS

Centralized DNS with EC2-based servers and Route 53 Resolver provides consistent name resolution across hybrid SAP environments. Redundant DNS servers in private subnets, integrated with corporate AD and AWS private resources (ELBs, hosted zones), ensure high availability and seamless hybrid connectivity for SAP HANA, application servers, and supporting infrastructure.

Key Benefits
Automatic DNS configuration via DHCP for all EC2 instances.
Hybrid resolution: AWS private + on-premises AD + internet.
HA across AZs with Route 53 Resolver integration.
SAP-specific endpoints (ELBs, HANA clusters) always resolvable.

Objective
Deploy redundant DNS infrastructure ensuring:
Centralized name resolution for SAP workloads.
Route 53 Resolver integration for AWS private resources.
On-premises AD hybrid connectivity.
Automatic EC2 configuration via DHCP options.

Deployment Architecture

Technical Implementation Steps

Step 1: Launch DNS Server EC2 Instances
Configuration:
Parameter   Value
AMI         Windows Server 2022 / Amazon Linux 2
Type        t3.medium
Subnets     Private subnets (2+ AZs)
IPs         Static: 10.0.1.10 (AZ1), 10.0.3.10 (AZ2)
IAM Role    AmazonSSMManagedInstanceCore

Step 2: Install & Configure DNS Role (Windows Server)
# Install DNS role
Install-WindowsFeature DNS -IncludeManagementTools
# Configure forwarders
Add-DnsServerForwarder -IPAddress "169.254.169.253"  # Amazon-provided DNS (Route 53 Resolver), reachable at this link-local address from any VPC

Step 3: VPC DHCP Option Set
VPC Console → DHCP options sets → Create:
Domain name: yourcorp.local
DNS resolution: Enabled
DNS servers: 10.0.1.10,10.0.3.10,AWS-provided-DNS
NTP servers: AmazonTimeSyncService
Domain search list: yourcorp.local,internal

CLI:
aws ec2 create-dhcp-options --dhcp-configurations \
  "Key=domain-name-servers,Values=10.0.1.10,10.0.3.10" \
  "Key=domain-name,Values=yourcorp.local" \
  --tag-specifications 'ResourceType=dhcp-options,Tags=[{Key=Name,Value=SAP-DNS-DHCP}]'
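Before creating the option set it is worth checking the addressing from Steps 1 and 3 against the VPC's own rules. The following Python is an added example written for this page, not code from the original post or from AWS: it assumes the page's sample subnets and DNS server addresses, rejects a DNS server placed on one of the five addresses AWS reserves in every subnet (the first four and the broadcast address, which a VPC never hands out), requires the servers to span two AZs and stay within the four-server limit of a DHCP option set, and emits the DhcpConfigurations list in the shape boto3's ec2.create_dhcp_options() takes.

```python
import ipaddress
from typing import Dict, List, Optional, Set

# Constructed inputs using the page's sample values: one private subnet per AZ
# (Step 4) and the two static DNS server addresses (Step 1).
PRIVATE_SUBNETS: Dict[str, str] = {"AZ1": "10.0.1.0/24", "AZ2": "10.0.3.0/24"}
DNS_SERVERS: List[str] = ["10.0.1.10", "10.0.3.10"]
DOMAIN_NAME = "yourcorp.local"
MAX_DNS_SERVERS = 4  # a DHCP option set accepts at most four domain-name-servers


def reserved_addresses(subnet: ipaddress.IPv4Network) -> Set[ipaddress.IPv4Address]:
    """AWS reserves the first four addresses of every subnet (network, VPC router,
    Amazon-provided DNS at +2, future use) plus the broadcast address."""
    base = int(subnet.network_address)
    first_four = {ipaddress.IPv4Address(base + i) for i in range(4)}
    return first_four | {subnet.broadcast_address}


def locate(ip: str, subnets: Dict[str, str] = PRIVATE_SUBNETS) -> Optional[str]:
    """Return the AZ whose subnet contains ip, or None if no listed subnet does.
    Raises ValueError when ip sits on an AWS-reserved address."""
    addr = ipaddress.IPv4Address(ip)
    for az, cidr in subnets.items():
        net = ipaddress.IPv4Network(cidr)
        if addr in net:
            if addr in reserved_addresses(net):
                raise ValueError(f"{ip} is an AWS-reserved address in {cidr}")
            return az
    return None


def validate_dns_servers(servers: List[str],
                         subnets: Dict[str, str] = PRIVATE_SUBNETS) -> Set[str]:
    """Raise ValueError on any layout problem; return the set of AZs covered."""
    if not 1 <= len(servers) <= MAX_DNS_SERVERS:
        raise ValueError(f"a DHCP option set takes 1..{MAX_DNS_SERVERS} DNS servers")
    if len(set(servers)) != len(servers):
        raise ValueError("duplicate DNS server address")
    azs: Set[str] = set()
    for ip in servers:
        az = locate(ip, subnets)
        if az is None:
            raise ValueError(f"{ip} is not inside any private subnet")
        azs.add(az)
    if len(azs) < 2:
        raise ValueError("DNS servers must span at least two AZs for HA")
    return azs


def dhcp_configurations(servers: List[str], domain: str) -> List[Dict[str, object]]:
    """Validate the addresses, then build the DhcpConfigurations argument in the
    shape boto3's ec2.create_dhcp_options() expects."""
    validate_dns_servers(servers)
    return [
        {"Key": "domain-name-servers", "Values": list(servers)},
        {"Key": "domain-name", "Values": [domain]},
    ]


if __name__ == "__main__":
    print(dhcp_configurations(DNS_SERVERS, DOMAIN_NAME))
```

Run it before the CLI call above; a ValueError names the offending address, and the printed list can be passed straight to boto3 or compared with the --dhcp-configurations arguments.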

Step 4: Route 53 Resolver Endpoints
Inbound Endpoint (On-prem → AWS):
Name: onprem-to-aws-resolver
Direction: Inbound
VPC: VPC-Prod
Private subnets: 10.0.1.0/24 (AZ1), 10.0.3.0/24 (AZ2)
Security Group: TCP/UDP 53
Outbound Endpoint (AWS → On-prem):
Name: aws-to-onprem-resolver
Targets: On-prem DNS (10.0.0.10:53 via VPN)

Step 5: DNS Forwarder Configuration (Windows DNS Manager)
Forwarders:
├── *.yourcorp.local → 10.0.0.10 (On-prem AD)
├── *.internal → 169.254.169.253 (Route 53)
├── * → 10.0.0.20 (Firewall/NAT for internet)

Step 6: Private Hosted Zone Integration
Route 53 → Hosted zones → Create private hosted zone:
Domain: sap.yourcorp.local
VPC: VPC-Prod
Records:
├── sap-app-elb → prod-app-elb-1234567890.ap-southeast-1.elb.amazonaws.com
├── sap-hana-db → 10.0.4.15

Step 7: Validation Tests (from SAP App Server)
# Corporate AD resolution
nslookup dc1.yourcorp.local 10.0.1.10
# 10.0.1.10 (DNS1)
# AWS ELB resolution
nslookup prod-app-elb.ap-southeast-1.elb.amazonaws.com 10.0.1.10
# Dualstack ELB IPs
# SAP internal
nslookup sap-hana-db.yourcorp.local
# 10.0.4.15 (HANA)
# Failover test
sudo systemctl stop named  # On DNS1
nslookup sap-hana-db.yourcorp.local 10.0.3.10  # DNS2 works
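The nslookup checks above can be scripted so they run after every change and after each failover drill. This Python is an added example, not code from the page: it builds a raw A query, sends it over UDP to each DNS server directly (the equivalent of naming the server on the nslookup command line), refuses a reply whose transaction id does not match or whose rcode is non-zero before trusting it, and reports per name whether DNS1 and DNS2 agree. The server and name lists are the page's sample values; the compare() verdict labels are chosen for this example.

```python
import socket
import struct
from typing import Dict, List, Optional, Tuple

# The page's sample servers (Step 1) and test names (Step 7).
DNS_SERVERS = ["10.0.1.10", "10.0.3.10"]
NAMES = ["dc1.yourcorp.local", "sap-hana-db.yourcorp.local"]


def build_query(name: str, txid: int) -> bytes:
    """Minimal DNS query: 12-byte header with RD set and one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumps, end = [], 0, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            jumps += 1
            if jumps > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                     # resume after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_answers(msg: bytes, txid: int) -> List[str]:
    """IPv4 addresses from the answer section; reject wrong ids and error rcodes."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: reply is not for our query")
    if flags & 0x000F:
        raise ValueError(f"rcode {flags & 0x000F}")
    off = 12
    for _ in range(qd):                           # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    ips: List[str] = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips


def query(server: str, name: str, txid: int = 0x1234, timeout: float = 2.0) -> List[str]:
    """Ask one server directly, like 'nslookup <name> <server>'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_answers(data, txid)


def compare(results: Dict[str, Dict[str, Optional[List[str]]]]) -> Dict[str, str]:
    """Verdict per name across servers. results[server][name] is the IP list, or
    None when that server failed to answer (timeout, bad id, error rcode)."""
    verdicts: Dict[str, str] = {}
    for name in {n for per_server in results.values() for n in per_server}:
        answers = [per_server.get(name) for per_server in results.values()]
        good = [sorted(a) for a in answers if a is not None]
        if not good:
            verdicts[name] = "unavailable"        # every server failed
        elif len(good) < len(answers):
            verdicts[name] = "degraded"           # one server down: the failover case
        elif all(a == good[0] for a in good):
            verdicts[name] = "consistent"
        else:
            verdicts[name] = "divergent"          # servers disagree: investigate
    return verdicts


def run_checks(servers=DNS_SERVERS, names=NAMES) -> Dict[str, str]:
    results: Dict[str, Dict[str, Optional[List[str]]]] = {}
    for server in servers:
        results[server] = {}
        for name in names:
            try:
                results[server][name] = query(server, name)
            except (OSError, ValueError):
                results[server][name] = None
    return compare(results)


if __name__ == "__main__":
    for name, verdict in run_checks().items():
        print(f"{name}: {verdict}")
```

During the failover test above, every name should report "degraded" while DNS1 is stopped and return to "consistent" once it is back; "divergent" means the two servers hold different data and is worth a closer look before SAP clients notice it.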

Monitoring & Health Checks
CloudWatch Agent on DNS servers (JSON):
{
  "metrics": {
    "metrics_collected": {
      "DNS": {"queries": true, "responses": true}
    }
  }
}

Alarms:
Metric                     Threshold            Action
DNS query failures         >5%                  Critical
DNS server CPU             >80%                 Warning
Resolver endpoint health   Non-zero failures    Alert
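How the two server-side alarms in the table can be evaluated from a query log and a CPU sample. This is an added example for this page, not the page's code and not a CloudWatch agent feature: the log line format '<timestamp> <server> <qname> <qtype> <rcode>' is constructed for the example, and a real deployment would feed Windows DNS analytic events or BIND query logs through the same logic. It counts SERVFAIL, REFUSED and timeouts as failures but not NXDOMAIN, which is a valid negative answer, and adds one alarm that is not in the table: a server that logs no queries at all, since a silent server also shows a 0% failure rate.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

FAILURE_RATE_CRITICAL = 0.05   # table: DNS query failures > 5%  -> Critical
CPU_WARNING = 80.0             # table: DNS server CPU    > 80% -> Warning

# Outcomes counted as failures. NXDOMAIN is deliberately absent: it is a valid
# negative answer, and alarming on it would page on every mistyped hostname.
FAILURE_RCODES = {"SERVFAIL", "REFUSED", "TIMEOUT"}

# Constructed query log, format '<timestamp> <server> <qname> <qtype> <rcode>'.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z dns1 sap-hana-db.yourcorp.local A NOERROR
2024-05-01T10:00:02Z dns1 dc1.yourcorp.local A NOERROR
2024-05-01T10:00:03Z dns1 sap-app-elb.sap.yourcorp.local A SERVFAIL
2024-05-01T10:00:04Z dns1 sap-ascs.yourcorp.local A NOERROR
2024-05-01T10:00:05Z dns1 sap-app-01.yourcorp.local A NOERROR
2024-05-01T10:00:06Z dns1 sap-app-02.yourcorp.local A NOERROR
2024-05-01T10:00:07Z dns2 sap-hana-db.yourcorp.local A NOERROR
2024-05-01T10:00:08Z dns2 typo.yourcorp.local A NXDOMAIN
2024-05-01T10:00:09Z dns2 dc1.yourcorp.local A NOERROR
2024-05-01T10:00:10Z dns2 sap-hana-secondary.yourcorp.local A NOERROR
2024-05-01T10:00:11Z dns2 sap-app-03.yourcorp.local A NOERROR
this line is malformed and must be skipped
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its fields; None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, server, qname, qtype, rcode = parts
    return {"ts": ts, "server": server, "qname": qname, "qtype": qtype, "rcode": rcode}


def query_stats(log: str) -> Dict[str, Dict[str, int]]:
    """Per-server counts of queries, failures and NXDOMAIN answers."""
    stats: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"queries": 0, "failures": 0, "nxdomain": 0})
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["server"]]
        s["queries"] += 1
        if rec["rcode"] in FAILURE_RCODES:
            s["failures"] += 1
        elif rec["rcode"] == "NXDOMAIN":
            s["nxdomain"] += 1
    return dict(stats)


def failure_rate(stat: Dict[str, int]) -> float:
    return stat["failures"] / stat["queries"] if stat["queries"] else 0.0


def evaluate(stats: Dict[str, Dict[str, int]],
             cpu_percent: Dict[str, float]) -> Dict[str, Dict[str, object]]:
    """Apply the table's thresholds; alarms are (severity, reason) pairs."""
    report: Dict[str, Dict[str, object]] = {}
    for server in sorted(set(stats) | set(cpu_percent)):
        stat = stats.get(server, {"queries": 0, "failures": 0, "nxdomain": 0})
        rate = failure_rate(stat)
        alarms: List[Tuple[str, str]] = []
        if rate > FAILURE_RATE_CRITICAL:
            alarms.append(("Critical",
                           f"query failure rate {rate:.1%} > {FAILURE_RATE_CRITICAL:.0%}"))
        if cpu_percent.get(server, 0.0) > CPU_WARNING:
            alarms.append(("Warning", f"CPU {cpu_percent[server]:.0f}% > {CPU_WARNING:.0f}%"))
        if stat["queries"] == 0:
            # Added check: a silent server has a perfect failure rate and no load.
            alarms.append(("Alert", "no queries logged (server silent or log pipeline broken)"))
        report[server] = {"failure_rate": rate, "alarms": alarms}
    return report


if __name__ == "__main__":
    # Constructed CPU samples for the two servers from Step 1.
    for server, row in evaluate(query_stats(SAMPLE_LOG), {"dns1": 35.0, "dns2": 91.5}).items():
        print(server, f"{row['failure_rate']:.1%}", row["alarms"])
```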

Resolution Flow

SAP App Server → DHCP → DNS1(10.0.1.10)
         ↓
   sap-hana-db.yourcorp.local?
         ↓
   1. Check local zones → No
   2. Forward yourcorp.local → On-prem AD
   3. On-prem returns 10.0.4.15 → SUCCESS
         ↓
SAP HANA connection: 10.0.4.15:30015
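The numbered steps above, together with the Step 5 forwarders and the Step 6 private hosted zone, as an added example written for this page (not the page's own code): it models the decision DNS1 makes for a query, checking locally hosted zones first and then picking the most specific conditional forwarder, which is how both Windows DNS conditional forwarders and Route 53 Resolver rules select a target. Two things in it go beyond the page: the local zone aws.yourcorp.local and its two records are constructed, and a forwarder for sap.yourcorp.local → 169.254.169.253 is added to the Step 5 list, because a private hosted zone is only answered by the Route 53 Resolver, and without that rule the broader yourcorp.local rule would send those queries to on-prem AD, which cannot answer them. The upstream answers are stand-ins built from the page's sample records.

```python
from typing import Dict, List, Tuple

# Constructed: a zone hosted directly on DNS1/DNS2 (not on the page).
LOCAL_ZONES: Dict[str, Dict[str, List[str]]] = {
    "aws.yourcorp.local": {
        "dns1.aws.yourcorp.local": ["10.0.1.10"],
        "dns2.aws.yourcorp.local": ["10.0.3.10"],
    },
}

# Step 5 forwarders; "" stands for the catch-all "*". The sap.yourcorp.local
# rule is added here: private hosted zones are only answered by the Route 53
# Resolver, so their queries must not fall under the yourcorp.local rule.
FORWARDERS: Dict[str, str] = {
    "yourcorp.local": "10.0.0.10",            # on-prem AD
    "sap.yourcorp.local": "169.254.169.253",  # added: Route 53 private hosted zone
    "internal": "169.254.169.253",            # Route 53
    "": "10.0.0.20",                          # firewall/NAT for the internet
}

# Constructed stand-ins for what each upstream would answer.
UPSTREAM: Dict[str, Dict[str, List[str]]] = {
    "10.0.0.10": {
        "dc1.yourcorp.local": ["10.0.0.10"],
        "sap-hana-db.yourcorp.local": ["10.0.4.15"],
    },
    "169.254.169.253": {
        "sap-hana-db.sap.yourcorp.local": ["10.0.4.15"],
        "sap-app-elb.sap.yourcorp.local": [
            "prod-app-elb-1234567890.ap-southeast-1.elb.amazonaws.com"],
    },
    "10.0.0.20": {},
}


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def in_zone(qname: str, zone: str) -> bool:
    """True if qname is the zone apex or lies beneath it; "" matches everything."""
    return zone == "" or qname == zone or qname.endswith("." + zone)


def choose_forwarder(qname: str,
                     forwarders: Dict[str, str] = FORWARDERS) -> Tuple[str, str]:
    """Pick the most specific matching rule (most labels wins); returns (rule, target)."""
    qname = _norm(qname)
    matches = [z for z in forwarders if in_zone(qname, z)]
    best = max(matches, key=lambda z: z.count(".") + 1 if z else 0)
    return best, forwarders[best]


def resolve(qname: str) -> Tuple[List[str], List[str]]:
    """Return (trace, answers) following the page's Resolution Flow."""
    qname = _norm(qname)
    trace: List[str] = []
    for zone, records in LOCAL_ZONES.items():
        if in_zone(qname, zone):
            # Authoritative zone: a miss is NXDOMAIN here and is never forwarded.
            trace.append(f"local zone {zone}")
            return trace, records.get(qname, [])
    trace.append("local zones: no match")
    rule, target = choose_forwarder(qname)
    trace.append(f"forward {rule or '*'} -> {target}")
    answers = UPSTREAM.get(target, {}).get(qname, [])
    trace.append("SUCCESS" if answers else "no answer")
    return trace, answers


if __name__ == "__main__":
    for name in ("sap-hana-db.yourcorp.local", "sap-app-elb.sap.yourcorp.local",
                 "dns1.aws.yourcorp.local", "www.example.com"):
        print(name, *resolve(name))
```

The point to keep in mind when editing the forwarder list is the second tier: rules are matched by longest suffix, so a narrower zone always wins over a broader one, and a missing narrow rule silently turns into a broad-rule forward to the wrong side of the VPN.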

SAP-Specific DNS Records
# ASCS
sap-ascs.yourcorp.local → 10.0.1.50:3600

# Application Servers (round-robin)
sap-app-01.yourcorp.local → 10.0.1.101
sap-app-02.yourcorp.local → 10.0.1.102
sap-app-03.yourcorp.local → 10.0.3.101  # AZ2

# HANA Cluster
sap-hana-primary.yourcorp.local → 10.0.4.15
sap-hana-secondary.yourcorp.local → 10.0.4.16

Best Practices
Static IPs: DNS servers outside DHCP range.
Split DNS: Corporate zones → On-prem, AWS zones → Route 53.
Health Checks: Route 53 health checks on DNS servers.
Automation: ASG + UserData for DNS server replacement.
Backup: Regular dnsmgmt.msc exports to S3.

Multi-Account Extension
Security OU → Central DNS servers
Prod OU → Prod-specific zones
Dev OU → Separate DNS (dev.yourcorp.local)
