How do I use internal Amazon addresses with DNS?

The Problem:

When you spin-up a new Amazon EC2 server instance, a public IP is automatically assigned to it. If you want to assign a more “permanent” IP to it, you can use Elastic IP’s.

Either way, you end up with an “internal” (10.x.x.x or 172.16.x.x) IP address and a “public” Internet-routable IP address for each instance.

If you use VPC, the situation is similar, except that you can specify which “internal” IP to use for an instance, within your the VPC subnet, and you can opt to NOT have a public IP address.

If you DO have a public IP for your server (perhaps only to make it easier to access via SSH), you will need a convenient way to refer to both it’s “internal” and “public” addresses via DNS.

If your EC2 or VPC servers communicate among themselves using their public IP’s, you will be charged for the network bandwidth, and you’ll lose the benefit of being able to filter traffic (via Security Groups) differently for external access (via the public Elastic IP) and for internal access (to be accessed by other servers within the subnet).

You will probably want, for example, your webserver to access your MySQL server using the internal IP (10.x.x.x), while YOU will want to use the Elastic IP (such as when you SSH into the MySQL server.

The Solution:

Amazon gives us a handy solution to this problem. They have added a special feature to their DNS servers that makes it such that if you look up your instance by it’s “public DNS name”, such as:

..the Amazon DNS servers will answer the DNS query DIFFERENTLY when asked internally, or externally.

“Internal” users (other EC2/VPC instances) that query the DNS server will receive the “internal IP” associated with the instance that’s associated with that PUBLIC IP, or something like:

“External” (from the Internet) users that query the Amazon DNS server will receive the “public” or “Elastic IP” address, such as:, when you add you instance to DNS, you should¬†use a CNAME to the “public DNS name” instead of an “A” record that points directly as the Elastic IP, as such:



…you’ll get the benefit that when a lookup for “” is processed, it will respond based on whether the query was internal or from the Internet.

NOTE:¬†this functionality WILL NOT WORK FOR VPC unless the VPC in question has “VPC DNS hostnames” set to “yes” (otherwise it will always resolve to the public IP). You can change the setting at any time from the Amazon panel:

VPC settings

Look for “DNS hostnames” in the lower right:

VPC DNS hostnames

Test it:

From the EC2 instance:

eric@web1:~$ dig +short

From outside:

eric@homecomputer:~$ dig +short

See also:

Share: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Twitter
  • Facebook
  • Google Bookmarks
  • LinkedIn
  • Reddit
  • StumbleUpon

Leave a Reply

Your email address will not be published. Required fields are marked *