My Rancher cluster on AWS is using the Rancher DNS service to sync internal load balancers with AWS Route 53. By default, the Rancher DNS service is using the host’s EC2 public IP to populate Route 53. This is causing issues because we have a peered VPC that would like to use the same DNS name and have it resolve to the internal IP. Note that the Docker containers in the peered VPC may not be running Rancher.
For example, there is a Route 53 entry for a Rancher load balancer that is set to an A record with the public IP 54.xxxx.xxxx.xxxx by the Rancher DNS service. When a peered VPC attempts to use the DNS name, the peer receives the public IP which sends traffic out of and then back into the Amazon cloud. Due to this network path, inbound security rules are lost.
What I would like is an option to tell Rancher DNS that, for certain services, it should use a CNAME in Route 53 with the host’s public DNS name instead of an A record with the public IP. In this case, a CNAME with the value ec2-54-xxxx-xxxx-xxxx.compute-1.amazonaws.com. Public callers will resolve from the public DNS name to the public IP (54.xxxx.xxxx.xxxx) and peered callers will resolve to the private IP (172.xxxx.xxxx.xxxx). By using the private IP and calling directly, peered callers can utilize inbound security rules.
Otherwise, if all traffic to the load balancer goes through the Internet then inbound security rules lose most of their value. I would prefer not to open up certain ports to 0.0.0.0 or hard-coded EC2 IPs from the peered VPC (which are dynamic). Please let me know if this makes sense.
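Added example (not the poster's code and not part of Rancher): a small Python model of the change being requested. It builds the Route 53 ChangeBatch that swaps the A record for a CNAME to the host's EC2 public hostname, applies it to an in-memory copy of the zone with the same validation rules Route 53 enforces (a DELETE must match exactly, a CNAME cannot coexist with other record types at the same name, the batch is all-or-nothing), and then resolves the load balancer name as an Internet caller and as a peered-VPC caller. The IPs, hostnames, zone contents and the "public IP from outside, private IP from inside" behaviour of EC2 hostnames are all constructed or assumed here; the batch shape is the one boto3's route53.change_resource_record_sets(HostedZoneId=..., ChangeBatch=...) accepts, but nothing below talks to AWS.

```python
"""Model of: replace Rancher DNS's A record (public IP) with a CNAME to the
EC2 public hostname, then compare what each kind of caller resolves.
Added example; all records, IPs and hostnames are constructed sample values."""
import copy
import ipaddress
import re

# Constructed stand-ins for the post's 54.xxxx / 172.xxxx / ec2-54-... values.
PUBLIC_IP = "203.0.113.10"
PRIVATE_IP = "172.31.5.20"
EC2_PUBLIC_DNS = "ec2-203-0-113-10.compute-1.amazonaws.com"   # us-east-1 naming pattern
LB_NAME = "lb.rancher.example.com."

# What Rancher DNS writes today, per the post: an A record with the public IP.
CURRENT_RECORD = {"Name": LB_NAME, "Type": "A", "TTL": 60,
                  "ResourceRecords": [{"Value": PUBLIC_IP}]}
CURRENT_ZONE = {(LB_NAME, "A"): CURRENT_RECORD}

# Assumed split-horizon behaviour of AWS DNS for EC2 public hostnames: the
# Internet sees the public IP, a (peered) VPC with DNS resolution enabled sees
# the private IP.  Constructed mapping, not a live lookup.
EC2_HOSTS = {EC2_PUBLIC_DNS: {"internet": PUBLIC_IP, "peered_vpc": PRIVATE_IP}}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_EC2_DNS_RE = re.compile(
    r"^ec2-\d{1,3}(?:-\d{1,3}){3}\.(?:[a-z0-9-]+\.)?compute(?:-1)?\.amazonaws\.com$")


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def is_ec2_public_dns(name):
    """True for EC2-style public hostnames (compute-1 and <region>.compute forms)."""
    return bool(_EC2_DNS_RE.match(name))


def needs_cname(record):
    """Flag A records carrying a non-RFC1918 IP: these send a peered-VPC caller
    out to the Internet, where the inbound security rules no longer apply."""
    return record["Type"] == "A" and any(
        not is_rfc1918(rr["Value"]) for rr in record["ResourceRecords"])


def cname_change_batch(record, ec2_public_dns, comment="Rancher DNS: CNAME to EC2 hostname"):
    """Route 53 ChangeBatch that swaps the A record for a CNAME.  Route 53 rejects
    a CNAME beside any other record of the same name, so the A record is deleted
    in the same batch; batches are atomic, so there is no window without a record."""
    if not is_ec2_public_dns(ec2_public_dns):
        raise ValueError("not an EC2 public hostname: %s" % ec2_public_dns)
    cname = {"Name": record["Name"], "Type": "CNAME", "TTL": record.get("TTL", 60),
             "ResourceRecords": [{"Value": ec2_public_dns}]}
    return {"Comment": comment,
            "Changes": [{"Action": "DELETE", "ResourceRecordSet": record},
                        {"Action": "CREATE", "ResourceRecordSet": cname}]}


def apply_change_batch(zone, batch):
    """Apply a batch to an in-memory zone with Route 53's validation rules:
    DELETE must match the existing set exactly, CREATE must not collide, and a
    CNAME cannot coexist with other types at the same name."""
    zone = copy.deepcopy(zone)
    for change in batch["Changes"]:
        rrset = change["ResourceRecordSet"]
        key = (rrset["Name"], rrset["Type"])
        if change["Action"] == "DELETE":
            if zone.get(key) != rrset:
                raise ValueError("DELETE does not match existing record: %s" % (key,))
            del zone[key]
        elif change["Action"] in ("CREATE", "UPSERT"):
            if change["Action"] == "CREATE" and key in zone:
                raise ValueError("record already exists: %s" % (key,))
            if rrset["Type"] == "CNAME" and any(
                    n == rrset["Name"] and t != "CNAME" for n, t in zone):
                raise ValueError("CNAME conflicts with other records at %s" % rrset["Name"])
            zone[key] = rrset
        else:
            raise ValueError("unknown action %s" % change["Action"])
    return zone


def resolve(name, zone, caller):
    """Toy resolver: an A record answers directly; a CNAME to an EC2 hostname is
    answered from the assumed split-horizon table; any other CNAME recurses."""
    if (name, "A") in zone:
        return zone[(name, "A")]["ResourceRecords"][0]["Value"]
    if (name, "CNAME") in zone:
        target = zone[(name, "CNAME")]["ResourceRecords"][0]["Value"]
        if target in EC2_HOSTS:
            return EC2_HOSTS[target][caller]
        return resolve(target, zone, caller)
    raise LookupError("no answer for %s" % name)


def path_for(ip):
    """RFC1918 answers keep the traffic on the peering link, where security group
    and ACL rules keyed on the peer's CIDR apply; anything else leaves via the Internet."""
    return "inside-aws" if is_rfc1918(ip) else "via-internet"


def compare(zone=CURRENT_ZONE):
    """Resolve the LB name before and after the change for both kinds of caller."""
    new_zone = apply_change_batch(zone, cname_change_batch(zone[(LB_NAME, "A")], EC2_PUBLIC_DNS))
    out = {}
    for label, z in (("before", zone), ("after", new_zone)):
        for caller in ("internet", "peered_vpc"):
            ip = resolve(LB_NAME, z, caller)
            out[(label, caller)] = (ip, path_for(ip))
    return out


if __name__ == "__main__":
    for key, value in sorted(compare().items()):
        print(key, value)
```

Two caveats when doing this for real: the peered VPC only gets the private answer if DNS resolution is enabled on the peering connection (the "allow DNS resolution from the remote VPC" option on the peering connection, which is off by default), and a CNAME cannot sit at a zone apex, so the load balancer name has to be a subdomain of the hosted zone.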