nanog mailing list archives
Re: AWS S3 DNS load balancer
From: Karl Auer <kauer () biplane com au>
Date: Wed, 16 Jun 2021 01:14:58 +1000
On Tue, 2021-06-15 at 10:33 -0400, Christopher Morrow wrote:
Maybe Deepak means: "When I ask for an S3 endpoint I get 1 answer, which is 1 of a set of N. Why would the 'loadbalancer' send me all N?"
I've just taken a squiz at an S3-based website we have, and via the S3 URL it is a CNAME with a 60-second TTL pointing at a set of A records with 5-second TTLs. Any one dig returns the CNAME and a single IP address:

   dig our-domain.s3-website-ap-southeast-2.amazonaws.com.

   our-domain.s3-website-ap-southeast-2.amazonaws.com. 14 IN CNAME s3-website-ap-southeast-2.amazonaws.com.
   s3-website-ap-southeast-2.amazonaws.com. 5 IN A 52.95.134.145

If the query is multiply repeated, the returned IP address changes, roughly every five seconds.

What's interesting is the name attached to the A records, which does not include "our-domain". It seems to be a record pointing to ALL S3 websites in the region. And all of the addresses I saw reverse-resolve to that one name. So there is definitely some under-the-bonnet magic discrimination going on.

In Route53 the picture is very different, with the published website host name (think "our-domain.com.au") resolving to four IP addresses that are all returned in the response to a single dig query. There is an A-ALIAS (a non-standard AWS record type) that points to a CloudFront distribution that has the relevant S3 bucket as its origin.

Using the CNAME bypasses the CloudFront distribution unless steps are taken to forbid direct access to the bucket. It would be usual to use (and enforce) access via CloudFront, if for no other reason than to provide for HTTPS access.

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer () biplane com au)
http://www.biplane.com.au/kauer
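Added example, not part of the message above and not AWS's own code: one way to check a bucket policy for the direct-access bypass the message mentions. It assumes the distribution reads the bucket through CloudFront origin access control (the service-principal grant scoped by AWS:SourceArn, which applies to the bucket's REST endpoint rather than the website endpoint); the account ID, distribution ID, bucket name and function names are constructed for illustration.

```python
import fnmatch

# Constructed sample: account ID, distribution ID and bucket name are placeholders.
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ViaCloudFront", "Effect": "Allow",
     "Principal": {"Service": "cloudfront.amazonaws.com"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"AWS:SourceArn": DIST_ARN}}},
    {"Sid": "LeftoverPublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:Get*"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "UnscopedCloudFront", "Effect": "Allow",
     "Principal": {"Service": "cloudfront.amazonaws.com"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]}

def _listify(value):
    """Policy fields may hold a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _allows_get_object(stmt):
    """True if an Allow statement's Action patterns cover s3:GetObject."""
    return stmt.get("Effect") == "Allow" and any(
        fnmatch.fnmatchcase("s3:getobject", a.lower())
        for a in _listify(stmt.get("Action")))

def _source_arns(stmt):
    """AWS:SourceArn values under StringEquals/ArnEquals (compared case-insensitively)."""
    return [arn for op, keys in stmt.get("Condition", {}).items()
            if op.lower() in ("stringequals", "arnequals")
            for key, val in keys.items() if key.lower() == "aws:sourcearn"
            for arn in _listify(val)]

def classify(stmt, distribution_arn):
    """Label how objects can be read under one statement (NotAction/NotPrincipal not handled)."""
    if not _allows_get_object(stmt):
        return "not-a-read-grant"
    principal = stmt.get("Principal")
    if principal == "*" or (isinstance(principal, dict) and "*" in _listify(principal.get("AWS"))):
        return "review-condition" if stmt.get("Condition") else "public-direct-read"
    if isinstance(principal, dict) and "cloudfront.amazonaws.com" in _listify(principal.get("Service")):
        arns = _source_arns(stmt)
        return "cloudfront-only" if arns and all(a == distribution_arn for a in arns) else "any-distribution"
    return "other-principal"

def audit(policy, distribution_arn):
    return {s.get("Sid", f"stmt{i}"): classify(s, distribution_arn)
            for i, s in enumerate(_listify(policy.get("Statement")))}
```

Calling `audit(SAMPLE_POLICY, DIST_ARN)` labels each statement by Sid; anything other than "cloudfront-only" or "not-a-read-grant" is a path to the objects that does not depend on the one intended distribution.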