Fargate Linux Github Runner cannot find specific URL (nslookup) from private network over VPN

I run the Worker container (Fargate Worker: https://docs.gitlab.com/runner/configuration/runner_autoscale_aws_fargate/).

My problem is that the container (Gitlab-runner) is running on Fargate (‘awsvpc’ network mode), but ‘nslookup’ cannot find the private DNS server in the other part of the VPN site-to-site point.

I did the same thing on EC2. On EC2, when I updated resolved.conf like below:

sudo sed -i 's/#DNS=/DNS=192.168.x.x/g' /etc/systemd/resolved.conf
sudo sed -i 's/#Domains=/Domains=privateurl.net/g' /etc/systemd/resolved.conf
sudo systemctl restart systemd-resolved

From EC2, ‘nslookup subdomain.privateurl.net’ returned positively; it found the name, address, and IP.

But, when I did the same thing on the container that runs on Fargate, ‘nslookup subdomain.privateurl.net’ couldn’t find the name, address, and IP.

From the container, ‘ping ’ succeeds. It shows that there is a connection between the container on Fargate and the server (subdomain.privateurl.net) on the other side of the VPN. But ‘ping <subdomain.privateurl.net>’ and ‘nslookup <subdomain.privateurl.net>’ are not working properly. By the way, I mapped container port 53 to host port 53 for DNS requests (nslookup).

I am suspecting that the container on Fargate (‘awsvpc’ network mode) is behaving differently than EC2.

CloudWatch Log:

nslookup subdomain.privateurl.net  # on ECS container
** server can't find subdomain.privateurl.net: NXDOMAIN

PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=1 ttl=63 time=15.8 ms
Asked By: Ömer Sezer


I found the solution: use the Route 53 Resolver.

# Outbound Resolver endpoint: the VPC resolver hands forwarded queries to these
# ENIs, so their security group must allow DNS (UDP/TCP 53) out to the
# private DNS server across the VPN.
resource "aws_route53_resolver_endpoint" "dns" {
  name               = "resolver"
  direction          = "OUTBOUND"
  security_group_ids = [data.aws_security_group.selected_sg.id]

  # At least two IP addresses are required for an endpoint.
  ip_address {
    subnet_id = data.aws_subnet.selected_subnet.id
    ip        = "172.x.x.x" # ip from vpc subnet
  }

  ip_address {
    subnet_id = data.aws_subnet.selected_subnet.id
    ip        = "172.x.x.x" # ip from vpc subnet
  }
}

# Forward every query under privateurl.net to the private DNS server behind the VPN.
resource "aws_route53_resolver_rule" "local" {
  domain_name          = "privateurl.net"
  name                 = "local"
  rule_type            = "FORWARD"
  resolver_endpoint_id = aws_route53_resolver_endpoint.dns.id

  target_ip {
    ip   = "PrivateDNSIP"
    port = 53
  }
}

# The rule only takes effect for the VPCs it is associated with.
resource "aws_route53_resolver_rule_association" "local" {
  resolver_rule_id = aws_route53_resolver_rule.local.id
  vpc_id           = data.aws_vpc.selected.id
}
Answered By: Ömer Sezer
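As an added example (not part of the question or the answer), a POSIX shell diagnostic to run inside the Fargate task once the resolver rule is associated: it reports which nameserver the task actually uses, then queries the private domain both through the VPC resolver and directly against the on-premises DNS server, so a timeout (VPN route or security group) can be told apart from the NXDOMAIN seen in the question (rule missing or not associated). It assumes dig is present in the image and takes the private domain, the on-premises DNS IP and the VPC CIDR as arguments.

```shell
#!/bin/sh
# Added example, not from the original post: DNS diagnostics for a Fargate
# (awsvpc) task after the Route 53 Resolver rule is associated with the VPC.
# Assumes dig is in the image. Usage: sh diag.sh privateurl.net 192.168.x.x 172.31.0.0/16

# AmazonProvidedDNS (the nameserver the task ENI receives) is always the VPC
# CIDR's network address plus two.
vpc_resolver_ip() {
  base="${1%/*}"
  o1="${base%%.*}"; rest="${base#*.}"
  o2="${rest%%.*}"; rest="${rest#*.}"
  o3="${rest%%.*}"; o4="${rest#*.}"
  echo "$o1.$o2.$o3.$((o4 + 2))"
}

# The nameserver in the task's /etc/resolv.conf comes from the ENI, not from
# systemd-resolved, which is why the EC2 sed edits change nothing on Fargate.
configured_nameserver() {
  awk '/^nameserver/ { print $2; exit }' "${1:-/etc/resolv.conf}"
}

# Reduce dig output to the condition a defender acts on:
#   timeout  -> server unreachable (VPN route or security group, port 53)
#   nxdomain -> server answered but has no such name (rule missing or not
#               associated when the answer comes from the VPC resolver)
#   ok       -> answer received
classify_dig_output() {
  case "$1" in
    *"connection timed out"*|*"no servers could be reached"*) echo "timeout" ;;
    *"status: NXDOMAIN"*) echo "nxdomain" ;;
    *"status: NOERROR"*)  echo "ok" ;;
    *) echo "unknown" ;;
  esac
}

diagnose() {
  domain="$1"; onprem_dns="$2"; resolver="$(vpc_resolver_ip "$3")"
  echo "nameserver in /etc/resolv.conf: $(configured_nameserver)"
  echo "expected VPC resolver (CIDR+2):  $resolver"
  # Path the runner really uses: VPC resolver -> forwarding rule -> on-prem DNS
  r="$(dig +time=3 +tries=1 "$domain" @"$resolver" 2>&1)"
  echo "via VPC resolver:       $(classify_dig_output "$r")"
  # Direct query across the VPN isolates connectivity from the Route 53 rule
  r="$(dig +time=3 +tries=1 "$domain" @"$onprem_dns" 2>&1)"
  echo "direct to on-prem DNS:  $(classify_dig_output "$r")"
}

if [ $# -eq 3 ]; then diagnose "$@"; fi
```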