Cross account name resolution failing - despite network connectivity #25

Open
liamraeAL opened this issue Aug 2, 2022 · 1 comment

liamraeAL commented Aug 2, 2022

We have deployed a standard hub and spoke architecture using this repository, and the example-spoke-vpc code.

Everything has run smoothly, and we can communicate via ICMP from an application in our dev spoke to another EC2 instance in our test account (via the TGW).

However, name resolution is failing. For example, from the DEVELOPMENT account: ping instance.test.network.internal (a Route 53 A record in the TEST account, in the PHZ test.network.internal). The above command returns: ping: instance.test.network.internal: Name or service not known

We have a top-level domain in the networking account, network.internal, but we get NXDOMAIN when we try to resolve that from any of the spoke accounts.

Any idea what we might be missing? We haven't changed any of the code from this repository, apart from non-consequential variables such as tags and IPAM CIDR ranges.

@liamraeAL liamraeAL changed the title Cross account network resolution Cross account network resolution failing - despite network connectivity Aug 2, 2022
@liamraeAL liamraeAL changed the title Cross account network resolution failing - despite network connectivity Cross account name resolution failing - despite network connectivity Aug 2, 2022
liamraeAL (Author) commented

The fix for this was amending the target of the forward rule to point to the aws_route53_resolver_endpoint.inbound.ip_address rather than the outbound resolver endpoint IPs.

Our use-case is purely internal AWS traffic, and name resolution. No external/on-prem outbound resolvers required.

# Forward queries for the private root domain (e.g. network.internal) out of
# the outbound endpoint and into the inbound endpoint, which answers on behalf
# of the private hosted zones associated with the hub VPC.
resource "aws_route53_resolver_rule" "fwd" {
  domain_name          = var.private_root_domain
  name                 = "network-internal"
  rule_type            = "FORWARD"
  resolver_endpoint_id = aws_route53_resolver_endpoint.outbound.id

  # One target_ip block per inbound endpoint address. ip_address is exported
  # as a set of objects with ip, ip_id and subnet_id attributes.
  dynamic "target_ip" {
    for_each = aws_route53_resolver_endpoint.inbound.ip_address

    content {
      ip = target_ip.value.ip
    }
  }
}

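The rule above only works when the rest of the resolver topology is in place, which the comment does not show. The following is an added example written for this page, not code from the repository or from the issue author, of the pieces a practitioner would check when a forward rule returns NXDOMAIN: both endpoints in the hub VPC, a security group that admits DNS from the spokes, the forward rule targeting the inbound (not outbound) endpoint addresses, and a RAM share so each spoke can associate the rule with its own VPC. Names such as var.private_root_domain, var.spoke_vpc_cidrs, var.spoke_account_ids, aws_vpc.hub and aws_subnet.hub_private are assumptions. It also assumes every private hosted zone under the root domain, including zones owned by other accounts such as test.network.internal, has been associated with the hub VPC; the inbound endpoint can only answer for zones its own VPC can see.

```hcl
# Added example, not the repository's own code. Assumed inputs:
# var.private_root_domain, var.spoke_vpc_cidrs, var.spoke_account_ids,
# aws_vpc.hub, and aws_subnet.hub_private (subnets in at least two AZs,
# which Resolver endpoints require).

# Allow DNS (TCP and UDP 53) into the endpoints from the spoke CIDRs only.
# An inbound endpoint open to 0.0.0.0/0 would answer any client that can
# route to it, so keep the source list to known resolver clients.
resource "aws_security_group" "resolver" {
  name   = "route53-resolver-endpoints"
  vpc_id = aws_vpc.hub.id

  dynamic "ingress" {
    for_each = ["tcp", "udp"]
    content {
      protocol    = ingress.value
      from_port   = 53
      to_port     = 53
      cidr_blocks = var.spoke_vpc_cidrs
    }
  }

  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# The inbound endpoint answers queries for the PHZs associated with the hub
# VPC; it is the only valid forward target for the spokes.
resource "aws_route53_resolver_endpoint" "inbound" {
  name               = "hub-inbound"
  direction          = "INBOUND"
  security_group_ids = [aws_security_group.resolver.id]

  dynamic "ip_address" {
    for_each = aws_subnet.hub_private
    content {
      subnet_id = ip_address.value.id
    }
  }
}

# The outbound endpoint only sends queries; it does not answer them.
# Targeting its addresses in the rule below yields the NXDOMAIN from the issue.
resource "aws_route53_resolver_endpoint" "outbound" {
  name               = "hub-outbound"
  direction          = "OUTBOUND"
  security_group_ids = [aws_security_group.resolver.id]

  dynamic "ip_address" {
    for_each = aws_subnet.hub_private
    content {
      subnet_id = ip_address.value.id
    }
  }
}

resource "aws_route53_resolver_rule" "fwd" {
  domain_name          = var.private_root_domain
  name                 = "network-internal"
  rule_type            = "FORWARD"
  resolver_endpoint_id = aws_route53_resolver_endpoint.outbound.id

  dynamic "target_ip" {
    for_each = aws_route53_resolver_endpoint.inbound.ip_address
    content {
      ip   = target_ip.value.ip
      port = 53
    }
  }
}

# Share the rule with the spoke accounts. A rule that is shared but never
# associated with the spoke VPC has no effect on queries from that VPC.
resource "aws_ram_resource_share" "fwd" {
  name                      = "network-internal-resolver-rule"
  allow_external_principals = false # spoke accounts are in the same org
}

resource "aws_ram_resource_association" "fwd" {
  resource_arn       = aws_route53_resolver_rule.fwd.arn
  resource_share_arn = aws_ram_resource_share.fwd.arn
}

resource "aws_ram_principal_association" "spokes" {
  for_each           = toset(var.spoke_account_ids)
  principal          = each.value
  resource_share_arn = aws_ram_resource_share.fwd.arn
}

# In each spoke account, after the share is accepted (assumed variable
# var.shared_resolver_rule_id and resource aws_vpc.spoke):
# resource "aws_route53_resolver_rule_association" "fwd" {
#   resolver_rule_id = var.shared_resolver_rule_id
#   vpc_id           = aws_vpc.spoke.id
# }
```

To verify the chain from a spoke instance, query the inbound endpoint addresses directly (for example dig @<inbound-ip> instance.test.network.internal) before relying on the VPC's .2 resolver; if the direct query answers but the normal query returns NXDOMAIN, the rule association or RAM share is what is missing, whereas a timeout on the direct query points at the security group or the TGW route.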