DNS Configuration using Amazon Route 53

Cloud Native Service Add-on Pack Deployment Guide (Latest Version)

A wildcard DNS A record must be created for the cluster in addition to the DNS A record for the cluster itself. Reverse lookup PTR records should also exist for both entries when possible. An example wildcard FDQN may look like the following: *.my-cluster.my-domain.com. Make a note of this FQDN for later use.

This wildcard domain will be used in the installer to configure access to some of the built-in services if they are installed:

  • Keycloak will be available at: auth.my-cluster.my-domain.com

  • Grafana will be available at: dashboards.my-cluster.my-domain.com

  • Other ingress rules may be configured to provide access to other services.


The DNS entries must be resolvable by the clients and the cluster


If the cluster contains multiple nodes, a load balancer must be created to balance requests across the cluster nodes. The DNS entries should point to the load balancer, not to the cluster nodes.

The below steps assume that you have a created a Route 53 domain, for more information please refer to https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-register.html#domain-register-procedure

  • Once you have the domain, create a hosted zone.


The following steps should be performed to create a DNS record pointing directly to the system that was created. This should be used for single node VMIs for development purposes only.

  • Within the hosted zone, create an A record with wildcard as per below with the public IP address of the system.


  • The public IP address can be retrieved from the console as shown below.


The following steps should be performed to create a DNS record pointing to the load balancer instance for the cluster. This should be used with EKS, or multi-node K8S clusters.

These steps should be performed in place of the steps above.

  • Create a Target group for the EC2 instance(s) by navigating to the EC2 Dashboard page, selecting Target groups, then clicking on Create target group as shown below.


  • Select the target type as Instances and define the target group name as shown below.


  • Select the protocol as TCP and port as 443, then select the appropriate EKS VPC for your cluster. Select TCP for the health check protocol, then click Next as shown below.


  • You should then see the Registered target page with a list of available instances as shown below. Select the appropriate instance and click on Include as pending below as shown below. You should then see the instances under the Review targets section.


  • Next, click on Create target group as shown below.


  • You should then see the target group which you have created under the Target group section of the EC2 Dashboard.


  • Once you have created the Target group, now navigate to the Load Balancer section on the EC2 Dashboard. Click Create load balancer.


  • Choose Network Load Balancer as a type, and click the Create button.


  • Next, define the Load Balancer name and IP address type as IPv4 as shown below.


  • Next, select the appropriate EKS VPC and availability zones. Set the Listener protocol as TCP port 443, with Mappings to Public Subnet and the target group you’ve created earlier as shown below.


  • Verify the information under the Summary section, then click on Create load balancer as shown below.


  • Navigate back to the Load balancers page on the EC2 as shown below, it should show the network load balancer that you have created. Wait for a few minutes for the state to change to Active before proceeding.


  • Once the load balancer is running, within the hosted zone in Route 53 created from the previous section, create an A record with wildcard as shown below.

    Select Alias as the type, and select the appropriate region and load balancer that was previously created.


To access the application dashboards (for Keycloak, Grafana, etc), enable port 443 to access the application following the steps below.

  • Navigate to the EC2 console dashboard and select the Security tab. Select the security group for your cluster as per below


  • Once the security group is selected, click on Edit Inbound Rule.


  • First Click on Add rule then add the HTTPS (Port 443) rule as shown below. Save the rules once completed.


© Copyright 2022-2023, NVIDIA. Last updated on May 23, 2023.