Before IBM® Cloud Sync can synchronize DNS data from IBM NS1 Connect® to Amazon Route 53, you must configure the DNS data flow.
Before you begin
Make sure that you have:
- A Cloud Sync subscription
- NS1 Connect as your primary DNS provider
- Route 53 as your secondary DNS provider
- An Amazon Web Services (AWS) account with permissions to create policies and roles
About this task
Configuring a DNS data flow from NS1 Connect to Route 53 is a multi-step process that you complete partly in NS1 Connect and partly in AWS. If you need help using AWS, refer to the AWS documentation.
First you establish the connection to a Route 53 network that NS1 Connect sends DNS data through. Then you enter the account ID that Cloud Sync connects to.
Finally, you enable cross-account access so that NS1 Connect can perform DNS actions in your AWS account. To do so, you create an identity and access management (IAM) policy and role in your AWS account for the NS1 Connect Cloud Sync services. The policy limits the role to specific actions on specific objects, and the trust policy allows only the NS1 Connect account to assume the role. In this way, NS1 Connect validates that the AWS account ID that you provide belongs to an account that you control, and can then verify that it is able to perform the required actions in your AWS account.
If you initially configure the DNS data flow and you cannot validate the network connection, you can validate it later. Only when the network connection is validated can Cloud Sync synchronize DNS data from NS1 Connect to Route 53.
Configuring a DNS data flow from NS1 Connect to Route 53 is a one-time setup for each network and account ID that you want to connect.
You can configure the DNS data flow from NS1 Connect in either of the following instances:
- If you are configuring NS1 Connect as your primary DNS provider for the first time
- If NS1 Connect is already configured as your primary DNS provider through authoritative zone transfer (AXFR) and you want to take advantage of synchronizing authoritative DNS data through Cloud Sync
Procedure
1. Click .
   The Networks page opens.
2. Under Outbound networks, click Connect network.
   The Connect an external DNS network page opens.
3. Under 1. Select an external DNS service, select the Amazon Route 53 checkbox.
4. Click Next.
   The 2. Configure the connection page opens.
5. In AWS network name, enter a unique name for the Route 53 network that you're connecting to.
   This name is displayed in the networks list in NS1 Connect and for each zone that is managed through this network.
6. In AWS account ID, enter your account ID.
   Enter a number up to 12 digits long.
7. Click Next.
   The network connection is created. The 3. Prepare policy page shows the code blocks that contain the policy and role definitions that you need to create policies and roles in AWS so that NS1 Connect can perform DNS actions in Route 53.
8. In Are you using AWS organizations, select Yes or No to indicate whether you use AWS organization services.
   If you use AWS organization services, you might have AWS service control policies in place. Review the policies to make sure that the actions that NS1 Connect must perform aren't denied.
9. If you selected No to using organizations, go to Step 11 to create a new IAM policy.
10. If you selected Yes to using AWS organizations, review the service control policies and, if needed, exempt the NS1 Connect Cloud Sync role:
    a. In AWS, locate your service control policies.
    b. In NS1 Connect, expand 2. Review AWS service control policies and compare your service control policies to the actions shown in the code block.
       Cloud Sync performs the actions that are listed in the code block to synchronize data from NS1 Connect to Route 53.
    c. If any of the actions that are shown in the code block are denied in your service control policies, expand the 3. Edit conditions for policies denying required action(s) row of the 3. Prepare policy page.
       A condition that exempts the NS1 Connect Cloud Sync role from the AWS service control policies is displayed.
    d. Click the Copy icon in the condition block.
    e. In AWS, paste the condition under the Conditions block in every service control policy that denies any of the actions that the NS1 Connect Cloud Sync role requires.
11. In AWS, create an IAM policy to define the actions that the NS1 Connect Cloud Sync role can perform.
    Create an inline policy. Use a name that best reflects the purpose of the policy. You assign this policy to the role in the next step.
    The policy keys that you need to add to the policy are shown in the 4. Create a new IAM policy row on the 3. Prepare policy page in NS1 Connect.
    a. Click the Copy icon in the code block that contains the policy keys.
    b. Paste the code block in the Policy editor of your IAM policy.
    c. Specify the permissions:
       - To give the NS1 Connect Cloud Sync role permission to perform the actions for all DNS resources, enter an asterisk (*) in the Resource policy key.
       - To give the NS1 Connect Cloud Sync role permission to perform the actions for specific DNS resources only, enter the zone IDs in the Resource policy key.
12. In AWS, create a custom trust policy IAM role for the NS1 Connect Cloud Sync account.
    The parameters that you need to add to the role are shown in the 5. Configure a new IAM role row of the 3. Prepare policy page in NS1 Connect.
    a. Copy the code block that contains the role name and paste it in the Role name field in AWS.
    b. Copy the code block that contains the trust policy and paste it in the Custom trust policy statement in AWS.
    c. Add the policy that you created in Step 11 to this role.
13. If you don't want to validate the network connection now, you can close the Connect an external DNS network page and validate the network connection later.
14. If you want to validate the network connection now, click Validate connection.
    NS1 Connect makes calls to AWS to validate the account and verify the user. NS1 Connect also checks that a DNS action can be performed. The validation might take a few minutes.
15. Click Next.
    The Summary page opens and shows whether the connection was validated.
16. Click Done.
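Two of the steps above benefit from a repeatable check: comparing your service control policies against the actions the sync role needs, and scoping the permissions policy's Resource key to hosted zones rather than an asterisk. The Python script below is an added example, not part of this IBM documentation and not NS1 Connect product code. It assumes a placeholder list of Route 53 actions (the real list is the one NS1 Connect displays in the 2. Review AWS service control policies code block), a constructed account ID and role name, and a constructed sample service control policy. It also goes slightly beyond the page by keeping Resource set to `*` for actions that AWS documents without a resource type (ListHostedZones is one), since scoping those to zone ARNs would deny them.

```python
"""Review helper for the AWS side of an NS1 Connect to Route 53 data flow.

Added example; not from the IBM documentation or the NS1 Connect product.
Assumed values (not on the page): REQUIRED_ACTIONS stands in for the action
list NS1 Connect displays; the account ID and role name are constructed.
"""
import fnmatch
import json

# Constructed placeholders; substitute the actions NS1 Connect shows you.
REQUIRED_ACTIONS = [
    "route53:ListHostedZones",
    "route53:GetHostedZone",
    "route53:ListResourceRecordSets",
    "route53:ChangeResourceRecordSets",
]
# Constructed placeholder role ARN (account ID and role name are not real).
SYNC_ROLE_ARN = "arn:aws:iam::123456789012:role/ns1-cloud-sync-role"
# Actions that AWS documents without a resource type must keep Resource "*".
ACCOUNT_LEVEL_ACTIONS = {"route53:ListHostedZones"}


def _as_list(value):
    """IAM accepts either a string or a list in Action, Resource and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM wildcard match: '*' and '?' glob characters, case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _role_is_exempt(statement, role_arn):
    """True if a Deny statement carves out role_arn through a negated-match
    condition on aws:PrincipalArn (the shape of an SCP exemption)."""
    for operator, keys in statement.get("Condition", {}).items():
        if operator not in ("ArnNotLike", "ArnNotEquals", "StringNotLike", "StringNotEquals"):
            continue
        for key, patterns in keys.items():
            if key.lower() == "aws:principalarn" and any(
                _matches(p, role_arn) for p in _as_list(patterns)
            ):
                return True
    return False


def denied_required_actions(scp, required_actions, role_arn):
    """Return sorted (Sid, action) pairs for required actions that the SCP
    still denies to role_arn. Handles both Action and NotAction Deny forms."""
    denied = set()
    for index, stmt in enumerate(_as_list(scp.get("Statement"))):
        if stmt.get("Effect") != "Deny" or _role_is_exempt(stmt, role_arn):
            continue
        sid = stmt.get("Sid", f"Statement{index}")
        for action in required_actions:
            if "NotAction" in stmt:
                hit = not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
            else:
                hit = any(_matches(p, action) for p in _as_list(stmt.get("Action")))
            if hit:
                denied.add((sid, action))
    return sorted(denied)


def hosted_zone_arns(zone_ids):
    """Resource entries that limit the policy to named hosted zones (Route 53 ARN format)."""
    return [f"arn:aws:route53:::hostedzone/{zone_id}" for zone_id in zone_ids]


def build_permissions_policy(actions, zone_ids=None):
    """Permissions policy for the sync role. Zone-level actions are scoped to
    the given hosted zones; '*' is used only when no zone IDs are supplied or
    for actions that have no resource type."""
    zone_scoped = [a for a in actions if a not in ACCOUNT_LEVEL_ACTIONS]
    account_level = [a for a in actions if a in ACCOUNT_LEVEL_ACTIONS]
    resource = hosted_zone_arns(zone_ids) if zone_ids else "*"
    statements = [{"Effect": "Allow", "Action": zone_scoped, "Resource": resource}]
    if account_level:
        statements.append({"Effect": "Allow", "Action": account_level, "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


# Constructed sample SCP: the first statement denies record changes to every
# principal; the second denies listing but already exempts the sync role.
SAMPLE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyRecordChanges", "Effect": "Deny",
         "Action": ["route53:Change*", "route53:Delete*"], "Resource": "*"},
        {"Sid": "DenyListing", "Effect": "Deny",
         "Action": "route53:List*", "Resource": "*",
         "Condition": {"ArnNotLike": {"aws:PrincipalArn": SYNC_ROLE_ARN}}},
    ],
}

if __name__ == "__main__":
    for sid, action in denied_required_actions(SAMPLE_SCP, REQUIRED_ACTIONS, SYNC_ROLE_ARN):
        print(f"SCP statement {sid} still denies {action} to the sync role")
    print(json.dumps(build_permissions_policy(REQUIRED_ACTIONS, ["Z0EXAMPLE1"]), indent=2))
```

Run against the constructed sample, the report names only the DenyRecordChanges statement, because DenyListing already carries an exemption for the role; that is the kind of statement that needs the condition NS1 Connect displays pasted into it. The generated permissions policy shows the least-privilege shape to aim for when you fill in the Resource key: hosted-zone ARNs for the zones Cloud Sync should manage, with `*` reserved for the account-level list call.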
Results
If the network connection for the Route 53 network was not validated, a Needs validation tag shows for that network on the Networks page.
What to do next
If the Connection validated section of the Summary page showed an error, you must validate the connection. Otherwise, the DNS data isn't synchronized from NS1 Connect to Route 53 even if you publish a zone to this network in NS1 Connect.
If the connection was validated successfully:
- Publish the zones that you want to synchronize from NS1 Connect to the Route 53 network.
- In NS1 Connect, update zone NS records to include NS1 Connect and Route 53 as authoritative providers.
- In the domain registrar, update the nameservers to include NS1 Connect and Route 53.