405. VPC With Custom Domain Name - qyjohn/AWS_Tutorials GitHub Wiki
- Create a new VPC with CIDR range 192.168.0.0/16. Create a DHCP option set with the custom domain name "example.net" and AmazonProvidedDNS as the domain name server. Update the VPC to use the newly created DHCP option set. Also update the VPC to enable DNS resolution and DNS hostnames.
- Create 3 subnets with CIDR ranges 192.168.0.0/24, 192.168.1.0/24 and 192.168.2.0/24. Create an Internet Gateway (IGW) and modify the route table so that the three subnets become public subnets.
- Create the 1st private hosted zone for the VPC. The domain name is example.net. Use the following bash script to generate the A records. In the Route 53 console, use "Import Zone File" to import the generated records.

```bash
#!/bin/bash
# One A record per address in the three /24 subnets. Owner names end with a
# dot so they are fully qualified rather than relative to the hosted zone.
for i in `seq 0 2`; do
  for j in `seq 0 255`; do
    echo "ip-192-168-$i-$j.example.net. 3600 A 192.168.$i.$j"
  done
done
```
- Create the 2nd private hosted zone for the VPC. The domain name is in-addr.arpa. Use the following bash script to generate the PTR records. In the Route 53 console, use "Import Zone File" to import the generated records.

```bash
#!/bin/bash
# One PTR record per address, pointing back at the A record created above.
for i in `seq 0 2`; do
  for j in `seq 0 255`; do
    echo "$j.$i.168.192.in-addr.arpa. 3600 PTR ip-192-168-$i-$j.example.net."
  done
done
```
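The two scripts above produce the forward and reverse zones separately, and nothing on the page checks that they agree before import. The following script is an added example (not code from the original wiki page): it generalizes both generators to any list of /24 prefixes and adds a consistency check that every A record has a PTR pointing back to it and vice versa. Owner names are always written with a trailing dot so that a zone-file importer cannot append the hosted-zone name to them. The function names and the prefix list are assumptions of this example.

```shell
#!/bin/sh
# Added example (not code from the original wiki page): one generator for both
# zone files of the tutorial, forward (A) and reverse (PTR), plus a check that
# the two zones agree before they are imported into Route 53. Every owner name
# is written fully qualified with a trailing dot so that an importer cannot
# append the hosted-zone name to it. The function names and the prefix list are
# assumptions of this example.

DOMAIN=example.net
TTL=3600
# Constructed input: the three /24 prefixes of the tutorial's VPC.
PREFIXES="192.168.0 192.168.1 192.168.2"

# Emit one A record per address of each /24 prefix given as an argument:
#   ip-192-168-0-7.example.net. 3600 A 192.168.0.7
gen_forward() {
  for prefix in "$@"; do
    a=${prefix%%.*}; rest=${prefix#*.}; b=${rest%%.*}; c=${rest#*.}
    for host in $(seq 0 255); do
      printf 'ip-%s-%s-%s-%s.%s. %s A %s.%s\n' \
        "$a" "$b" "$c" "$host" "$DOMAIN" "$TTL" "$prefix" "$host"
    done
  done
}

# Emit the matching PTR record for every address:
#   7.0.168.192.in-addr.arpa. 3600 PTR ip-192-168-0-7.example.net.
gen_reverse() {
  for prefix in "$@"; do
    a=${prefix%%.*}; rest=${prefix#*.}; b=${rest%%.*}; c=${rest#*.}
    for host in $(seq 0 255); do
      printf '%s.%s.%s.%s.in-addr.arpa. %s PTR ip-%s-%s-%s-%s.%s.\n' \
        "$host" "$c" "$b" "$a" "$TTL" "$a" "$b" "$c" "$host" "$DOMAIN"
    done
  done
}

# Verify that every A record in the forward file ($1) has a PTR in the reverse
# file ($2) pointing back to it, and vice versa. Both files are reduced to
# sorted "ip name" pairs and diffed; returns 0 only when the zones agree.
check_consistency() {
  fwd_pairs=$(mktemp); rev_pairs=$(mktemp)
  awk '$3 == "A" { print $4, $1 }' "$1" | sort > "$fwd_pairs"
  # reverse owner name 7.0.168.192.in-addr.arpa. -> 192.168.0.7
  awk '$3 == "PTR" { split($1, o, "."); print o[4] "." o[3] "." o[2] "." o[1], $4 }' "$2" \
    | sort > "$rev_pairs"
  if diff "$fwd_pairs" "$rev_pairs" >&2; then rc=0; else rc=1; fi
  rm -f "$fwd_pairs" "$rev_pairs"
  return $rc
}

# Stand-alone use: write both zone files and check them.
if [ "${1:-}" = "generate" ]; then
  gen_forward $PREFIXES > forward.zone
  gen_reverse $PREFIXES > reverse.zone
  check_consistency forward.zone reverse.zone && echo "forward and reverse zones agree"
fi
```

Run it as `sh zones.sh generate` to get `forward.zone` and `reverse.zone` for import; any address that appears in one zone but not the other is printed by `diff` and the script exits non-zero, which is the moment to fix the files rather than after the EMR cluster is up.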
- At this point you should have both DNS resolution and reverse DNS resolution for your VPC. You can verify this by launching an EMR cluster into the VPC and running the following DNS lookup and reverse lookup tests.

```
[hadoop@ip-192-168-2-8 ~]$ nslookup 192.168.2.8
Server: 127.0.0.1
Address: 127.0.0.1#53

8.2.168.192.in-addr.arpa name = ip-192-168-2-8.example.net.

[hadoop@ip-192-168-2-8 ~]$ nslookup ip-192-168-2-8.example.net
Server: 127.0.0.1
Address: 127.0.0.1#53

Name: ip-192-168-2-8.example.net
Address: 192.168.2.8
```
- Install and configure FreeIPA for Kerberos authentication using this Quick Start Guide.

First configure the hostname:

```bash
sudo hostnamectl set-hostname ipa.example.net
```

Add the following line to /etc/hosts:

```
192.168.1.166 ipa.example.net ipa
```

Also update your private hosted zones so that both DNS resolution and reverse DNS resolution work for ipa.example.net (ipa-server-install checks that the server's hostname resolves forward and reverse):

```
ipa.example.net. 360 A 192.168.1.166
166.1.168.192.in-addr.arpa. 360 PTR ipa.example.net.
```
Install and configure the FreeIPA server:

```bash
sudo yum install freeipa-server
sudo ipa-server-install
```
Please remember to add the necessary DNS records to the private hosted zone for example.net. Then perform some tests:

```bash
kinit admin
klist
ipa user-add
ipa passwd <user>
kinit <user>
klist
```
RDP into an EC2 Windows instance in the same VPC and access the admin UI:

```
https://ipa.example.net/ipa/ui/
```
Launch another EC2 instance with RHEL:

```bash
sudo yum install krb5-workstation pam_krb5
```

Copy /etc/krb5.conf from the FreeIPA server and comment out the following two lines:

```
#includedir /etc/krb5.conf.d/
#includedir /var/lib/sss/pubconf/krb5.include.d/
```
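Commenting the includedir lines out by hand is easy to get wrong, and a client that still references the server-only include directories will fail to initialize Kerberos before kinit can even prompt. The script below is an added example (not code from the original wiki page): it disables every active includedir directive in a copied krb5.conf and checks that the result still names a default realm with a matching [realms] entry before the file replaces the client's /etc/krb5.conf. The function names and the sample krb5.conf it constructs are assumptions of this example.

```shell
#!/bin/sh
# Added example (not code from the original wiki page): prepare the copy of the
# server's /etc/krb5.conf for a client that has only krb5-workstation
# installed, by commenting out the includedir directives, and check the result
# before it replaces the client's /etc/krb5.conf. Function names and the
# sample file are assumptions of this example.

# Comment out every active "includedir" line in the file given as $1.
disable_includedirs() {
  sed 's/^[[:space:]]*includedir[[:space:]]/#&/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Return 0 when the file has no active includedir line, sets a default_realm,
# and has a [realms] entry for that realm; report the first problem otherwise.
check_client_krb5() {
  if grep -q '^[[:space:]]*includedir' "$1"; then
    echo "active includedir directive remains" >&2; return 1
  fi
  realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
  if [ -z "$realm" ]; then
    echo "no default_realm set" >&2; return 1
  fi
  if ! grep -q "^[[:space:]]*$realm[[:space:]]*=[[:space:]]*{" "$1"; then
    echo "no [realms] entry for $realm" >&2; return 1
  fi
  return 0
}

# Constructed sample with the shape ipa-server-install leaves on the server:
# realm and hostname are the tutorial's, the other values are illustrative.
write_sample_krb5() {
  cat > "$1" <<'EOF'
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = EXAMPLE.NET
  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false

[realms]
  EXAMPLE.NET = {
    kdc = ipa.example.net:88
    admin_server = ipa.example.net:749
    default_domain = example.net
  }

[domain_realm]
  .example.net = EXAMPLE.NET
  example.net = EXAMPLE.NET
EOF
}

# Stand-alone use: sanitize and check a copy, e.g. sh krb5-client.sh krb5.conf.server
if [ -n "${1:-}" ]; then
  disable_includedirs "$1" && check_client_krb5 "$1" && echo "$1 is ready for /etc/krb5.conf"
fi
```

The check deliberately keeps the realm-to-KDC mapping from the server copy intact: the client needs the [realms] and [domain_realm] stanzas to find ipa.example.net, and only the two include directives are server-specific.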
Then do a test from the client. As we can see, Kerberos authentication is now working.

```bash
kinit <user>
klist
```