What is ExternalDNS and Why Use It?<\/h2>\n
When you work on EKS projects, you will have to expose services using Route 53 DNS (private or public). Normally, this is done manually by the DevOps or network team.<\/p>\n
ExternalDNS<\/strong> automates this process. It manages DNS records for you and keeps them in sync with your Kubernetes resources.<\/p>\n Here is how it works.<\/p>\n In short, it removes manual DNS management when deploying applications on EKS. Also, it gives you a GitOps-friendly workflow for DNS management.<\/p>\n Now, let’s understand how ExternalDNS works with EKS.<\/p>\n The following workflow explains how the ExternalDNS works on the EKS cluster<\/p>\n Here is how the ExternalDNS works in the EKS cluster.<\/p>\n Now, we can start the setup of the ExternalDNS on the EKS cluster.<\/p>\n To set up the ExternalDNS, we need the following requirements.<\/p>\n Once the prerequisites are ready, we can start the installation.<\/p>\n Before we install the ExternalDNS, we need to create an IAM Role for the External DNS to access Route53.<\/p>\n First, we need to give ExternalDNS permissions to manage Route53 records. We will do this by creating an IAM Policy using the following JSON.<\/p>\n Now, we can create the IAM Policy using the following command.<\/p>\n Export Policy ARN<\/a> for the upcoming configuration<\/p>\n At this point, you have created an IAM Policy that allows ExternalDNS to manage Route53 records (create, update, list).<\/p>\n Before creating the role, we need a Trust Policy<\/strong> that is suitable for the Pod Identity Agent<\/strong> to identify the role.<\/p>\n Next, we need an IAM Role that the ExternalDNS pods can assume. This role will be linked with our Service Account later.<\/p>\n Store the Role name and ARN as environment variables for the upcoming configurations.<\/p>\n Now, we have our IAM Role and Policy, so we need to attach the IAM Policy to the Role.<\/p>\n Now, the permission for the ExternalDNS is ready, so we need to attach this permission to the ExternalDNS Service Account.<\/p>\n We are deploying the ExternalDNS on a dedicated namespace on Kubernetes<\/a>, so we need to create a namespace.<\/p>\n Since ExternalDNS will run inside Kubernetes, we need a Service Account. It will later be associated with our IAM Role so the pods can use AWS permissions.<\/p>\n To apply the manifest, use the following command.<\/p>\n The Service Account in the Note: Assuming you already have the Pod Identity Agent Plugin on your EKS cluster.<\/p><\/blockquote>\n Create the necessary environment variables for the association.<\/p>\n Now, we can use the following command to perform the Pod Identity Association.<\/p>\n If you want to ensure that the Pod Identity Association is properly done, you can use the following command.<\/p>\n At this point, your Service Account and IAM Role are connected through Pod Identity. ExternalDNS pods running with this Service Account will have permissions to update Route53.<\/p>\n Now, we need to create a Deployment manifest to deploy the ExternalDNS.<\/p>\n To the major changes that you need to make to the following configuration.<\/p>\n Here,<\/p>\n The To deploy the manifest, use the following command.<\/p>\n Once the deployment is completed, use the following command to list them to ensure that the ExternalDNS is running without any issues.<\/p>\n The output ensures that the deployment is running without any issues. It is now watching Services and Ingress resources, ready to sync DNS records in Route53 automatically.<\/p>\n We can not test whether the External DNS automatically manages the DNS records on Route53.<\/p>\n ExternalDNS will create records for both the Kubernetes Service<\/strong><\/a> object and the Ingress<\/strong> object.<\/p>\n We can test both, but for that, we need a demo deployment.<\/p>\n To deploy this application, use the following command.<\/p>\n To create a DNS record for a service, we need to add an annotation ( Now, we need to create a service for this application with the mentioned annotation.<\/p>\n The External DNS works with both service types, such as NodePort<\/strong> and LoadBalancer<\/strong>.<\/p>\n We will start with a NodePort Service and add a DNS annotation. ExternalDNS should automatically create the record in Route53.<\/p>\n Here is the service YAML.<\/p>\n To deploy this, use the following command.<\/p>\n Once your service is created, ExternalDNS will create “A<\/strong>” and “TXT<\/strong>” DNS records for your service.<\/p>\n In this NodePort method, the ExternalDNS will map the IP address<\/strong> of the EKS worker nodes to the hostname, which you can check from the Route53 console.<\/p>\n The output confirms that the DNS records were automatically created in Route53.<\/p>\n Now, we can try to access our deployed application using this domain name.<\/p>\n For that, <\/p>\n Open the terminal on your local machine and run the Since this is a NodePort<\/strong> service, we need to add the NodePort number Now, we get the following output.<\/p>\n This ensures that the mapping is working correctly, so we can access the web page.<\/p>\n Next, we will test with the other service type, so delete this service using the following command.<\/p>\n Also, remove the DNS records from Route53.<\/p>\n Note: Since we use the policy as To create a LoadBalancer service for the same deployment, use the following contents.<\/p>\n To apply this service, use the following command.<\/p>\n In this service, an AWS Load Balancer<\/strong> is created to route the external traffic to the Kubernetes workload.<\/p>\n So the mapping will be done with the Load Balancer’s DNS name instead of the worker nodes IP. <\/p>\n Here, you can see one more record along with the “A” record, which is the “AAAA” record.<\/p>\n “AAAA” record is nothing but mapping the IPv6 address with the domain name. But you can see that both values are the same for both of the records.<\/p>\n Now, we can access the application using the domain name, and this time we do not have to use the nodeport number because it is a Load balancer service.<\/p>\n The output ensures that we can access the web page.<\/p>\n Next, we will try ExternalDNS with the Ingress object.<\/p>\n To delete this service, use the following command.<\/p>\n Delete the related Route53 records as well from the console.<\/p>\n External DNS not only works with services but also with the Ingress. You can use any method for the ingress (Nginx ingress<\/a> or AWS Load Balancer controller)<\/p>\n Here, I am showing an example with the AWS Load Balancer controller. <\/p>\n Assuming, you already have the AWS Load Balancer controller on the EKS cluster, if you don’t use the blog –> AWS Load Balancer Controller on EKS<\/a><\/p>\n Before creating an Ingress object, we need a service with type ClusterIP.<\/p>\n To apply this service.<\/p>\n Now, we can create an Ingress object for the deployment.<\/p>\n To apply this, use the following command.<\/p>\n This is also the same as the above one, but the difference is that here, the ALB controller provisions the Load Balancer in AWS.<\/p>\n Since the ALB<\/a> controller creates an Application Load Balancer for the Ingress object, we can use the AWS ACM TLS certificates with configuration.<\/p>\n If you want to safeguard your application by encrypting it using the TLS certificate<\/a>, we can use the certificates from the ACM service.<\/p>\n Assuming, you already have a TLS created on the AWS Certificate Manager<\/a>. If not, please refer to this blog –> Setup SSL\/TLS With AWS Certificate Manager<\/a><\/p>\n Now, we can configure this existing certificate on the Ingress object.<\/p>\n Here, you need to change the ARN of your ACM certificate.<\/p>\n To replace the existing ingress, use the following command.<\/p>\n Now, if you check over a browser, you can see that the validation of the certificate, which ensures that our connection is now secured.<\/p>\n This is how we secure our connection over the internet to the application in Kubernetes.<\/p>\n We can even automate the certificate creation using the Certificate Manager, for that you can refer to this blog<\/a>.<\/p>\n Let’s clean up the resources we created so you don’t leave extra DNS records or workloads running.<\/p>\n First, delete the ingress.<\/p>\n Now, we can delete the deployment and the service.<\/p>\n Before we endup the blog, we can have a look at how to actually use ExternalDNS in a hybrid DNS method.<\/p>\n Here are some of the best practices of the ExternalDNS.<\/p>\n This is the high-level overview of the External DNS, and it really simplifies the DNS Record creation and management of the Kubernetes resources.<\/p>\n Explore all the deployment fields so that you can choose the required parameters and values as per your requirements.<\/p>\n\n
ExternalDNS Workflow in AWK EKS<\/h2>\n
![\"\"](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/09\/image-8.png\")
\n
external-dns.alpha.kubernetes.io\/hostname: app.devopscube.com<\/code><\/li>\nSetup Prerequisites <\/strong><\/h2>\n
\n
Step-by-Step Setup Guide<\/h2>\n
Step 1: Create an IAM Policy for External DNS<\/h3>\n
cat << EOF > eks_route53_policy.json\n{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"route53:ChangeResourceRecordSets\"\n ],\n \"Resource\": [\n \"arn:aws:route53:::hostedzone\/*\"\n ]\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"route53:ListHostedZones\",\n \"route53:ListResourceRecordSets\",\n \"route53:ListTagsForResource\"\n ],\n \"Resource\": [\n \"*\"\n ]\n }\n ]\n}\nEOF<\/code><\/pre>\naws iam create-policy \\\n --policy-name AllowExternalDNSUpdates \\\n --policy-document file:\/\/eks_route53_policy.json<\/code><\/pre>\nexport POLICY_NAME=\"AllowExternalDNSUpdates\"<\/code><\/pre>\nexport POLICY_ARN=$(aws iam list-policies --query \"Policies[?PolicyName=='${POLICY_NAME}'].Arn\" --output text)\n<\/code><\/pre>\nStep 2: Create an IAM Role for ExternalDNS<\/h3>\n
cat <<EOF > trust-policy.json\n{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Service\": \"pods.eks.amazonaws.com\"\n },\n \"Action\": [\n \"sts:AssumeRole\",\n \"sts:TagSession\"\n ]\n }\n ]\n}\nEOF<\/code><\/pre>\naws iam create-role \\\n --role-name externalDNSRole \\\n --assume-role-policy-document file:\/\/\"trust-policy.json\"<\/code><\/pre>\nexport ROLE_NAME=externalDNSRole<\/code><\/pre>\nexport ROLE_ARN=$(aws iam get-role --role-name $ROLE_NAME --query \"Role.Arn\" --output text)\n<\/code><\/pre>\naws iam attach-role-policy \\\n --policy-arn ${POLICY_ARN} \\\n --role-name ${ROLE_NAME}\n<\/code><\/pre>\nStep 3: Create a Service Account for the External DNS<\/h3>\n
export NAMESPACE=external-dns<\/code><\/pre>\nkubectl create ns ${NAMESPACE}<\/code><\/pre>\ncat << EOF > externaldns-sa.yaml\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: external-dns\n namespace: external-dns\n labels:\n app.kubernetes.io\/name: external-dns\nEOF<\/code><\/pre>\nkubectl apply -f externaldns-sa.yaml<\/code><\/pre>\nexternal-dns<\/code> namespace is now ready. This has to be mapped to the IAM Role through Pod Identity.<\/p>\nStep 4: Pod Identity Association<\/h3>\n
export CLUSTER_NAME=eks-spot-cluster\nexport SERVICE_ACCOUNT=external-dns<\/code><\/pre>\neksctl create podidentityassociation \\\n --cluster $CLUSTER_NAME \\\n --namespace $NAMESPACE \\\n --service-account-name $SERVICE_ACCOUNT \\\n --role-arn $ROLE_ARN<\/code><\/pre>\neksctl get podidentityassociations --cluster $CLUSTER_NAME<\/code><\/pre>\nStep 5: Install ExternalDNS <\/h3>\n
\n
--domain-filter<\/code> should be your Route53 hosted zone <\/a>name.<\/li>\nenv.value<\/code> should be the region where your EKS cluster is.<\/li>\n<\/ul>\ncat << EOF > external-dns.yaml\napiVersion: rbac.authorization.k8s.io\/v1\nkind: ClusterRole\nmetadata:\n name: external-dns\n labels:\n app.kubernetes.io\/name: external-dns\nrules:\n- apiGroups: [\"\"]\n resources: [\"services\",\"endpoints\",\"nodes\",\"pods\"]\n verbs: [\"get\",\"list\",\"watch\"]\n- apiGroups: [\"discovery.k8s.io\"]\n resources: [\"endpointslices\"]\n verbs: [\"get\",\"list\",\"watch\"]\n- apiGroups: [\"networking.k8s.io\"]\n resources: [\"ingresses\",\"ingressclasses\"]\n verbs: [\"get\",\"list\",\"watch\"]\n- apiGroups: [\"gateway.networking.k8s.io\"]\n resources: [\"gateways\",\"httproutes\",\"grpcroutes\",\"tcproutes\",\"udproutes\",\"tlsroutes\"]\n verbs: [\"get\",\"list\",\"watch\"]\n---\napiVersion: rbac.authorization.k8s.io\/v1\nkind: ClusterRoleBinding\nmetadata:\n name: external-dns-viewer\n labels:\n app.kubernetes.io\/name: external-dns\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: external-dns\nsubjects:\n - kind: ServiceAccount\n name: external-dns\n namespace: external-dns \n---\n\napiVersion: apps\/v1\nkind: Deployment\nmetadata:\n name: external-dns\n namespace: external-dns\n labels:\n app.kubernetes.io\/name: external-dns\nspec:\n strategy:\n type: Recreate\n selector:\n matchLabels:\n app.kubernetes.io\/name: external-dns\n template:\n metadata:\n labels:\n app.kubernetes.io\/name: external-dns\n spec:\n serviceAccountName: external-dns\n containers:\n - name: external-dns\n image: registry.k8s.io\/external-dns\/external-dns:v0.18.0\n args:\n - --source=service\n - --source=ingress\n - --domain-filter=devopsproject.dev \n - --provider=aws\n - --policy=upsert-only \n - --aws-zone-type=public \n - --registry=txt\n - --txt-owner-id=external-dns\n env:\n - name: AWS_DEFAULT_REGION\n value: us-west-2\nEOF<\/code><\/pre>\n\n
--source<\/code> – Defines what Kubernetes objects should watch.<\/li>\n--domain-fiter<\/code> – Defines which hosted zone should use.<\/li>\n--provider<\/code> – Which DNS provider should choose (e.g., Route53, CloudFlare, CoreDNS, etc). To view all available providers, refer to this official documentation<\/a>.<\/li>\n--aws-zone-type<\/code> – Option to choose private or public hosted zone.<\/li>\n--registry<\/code> – This will create a record with the metadata of the DNS record creation, like who created this. <\/li>\n--txt-owner-id<\/code> – Defines the owner name of the DNS records.\n\n
--policy<\/code> parameters is an important one. It fefines whether the created records should be deleted or not. <\/p>\nupsert-only<\/code> will create\/update but will not delete. <\/p>\nsync<\/code> policy allows full synchronization. That means ExternalDNS will create, update, and <\/em><\/i>delete DNS records. It ensures the DNS zone matches the current cluster resource state.<\/div>\n<\/div>\nkubectl apply -f external-dns.yaml<\/code><\/pre>\nkubectl -n external-dns get deploy<\/code><\/pre>\n![\"the](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/08\/image-113.png\")
<\/figure>\nTesting with Services (NodePort & LoadBalancer)<\/h2>\n
cat <<EOF > test-deployment.yaml\napiVersion: apps\/v1\nkind: Deployment\nmetadata:\n name: nginx\nspec:\n selector:\n matchLabels:\n app: nginx\n template:\n metadata:\n labels:\n app: nginx\n spec:\n containers:\n - image: nginx\n name: nginx\n ports:\n - containerPort: 80\n name: http\n - containerPort: 443\n name: https\nEOF<\/code><\/pre>\nkubectl apply -f test-deployment.yaml<\/code><\/pre>\nmetadata.annotations.external-dns.alpha.kubernetes.io\/hostname<\/code>) with the domain name on the service configuration.<\/p>\nService with Type NodePort<\/h3>\n
cat <<EOF > np-svc.yaml\napiVersion: v1\nkind: Service\nmetadata:\n name: nginx\n annotations:\n external-dns.alpha.kubernetes.io\/hostname: nginx.devopsproject.dev\nspec:\n type: NodePort\n selector:\n app: nginx\n ports:\n - name: http\n port: 80\n targetPort: 80\n nodePort: 32000\n - name: https\n port: 443\n targetPort: 443\n nodePort: 32443\nEOF<\/code><\/pre>\nkubectl apply -f np-svc.yaml<\/code><\/pre>\n\n
![\"the](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/08\/image-114.png\")
<\/figure>\ncurl<\/code> command with the hostname.<\/p>\n32000<\/code> to the URL.<\/p>\ncurl nginx.devopsproject.dev:32000<\/code><\/pre>\n![\"the](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/08\/image-116.png\")
<\/figure>\nkubectl delete -f np-svc.yaml<\/code><\/pre>\n--policy=upsert-only<\/code>, the created DNS records won’t be deleted automatically so we need to clean them up manually.<\/p><\/blockquote>\nService with Type Load Balancer<\/h3>\n
cat <<EOF > lb-svc.yaml\napiVersion: v1\nkind: Service\nmetadata:\n name: nginx\n annotations:\n external-dns.alpha.kubernetes.io\/hostname: nginx.devopsproject.dev\nspec:\n type: LoadBalancer\n selector:\n app: nginx\n ports:\n - name: http\n port: 80\n targetPort: 80\nEOF<\/code><\/pre>\nkubectl apply -f lb-svc.yaml<\/code><\/pre>\n![\"the](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/08\/image-117.png\")
<\/figure>\ncurl nginx.devopsproject.dev<\/code><\/pre>\n![\"the](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/08\/image-118.png\")
<\/figure>\nkubectl delete -f lb-svc.yaml<\/code><\/pre>\nTesting with Ingress & TLS (ACM Integration)<\/h2>\n
cat <<EOF > svc.yaml\napiVersion: v1\nkind: Service\nmetadata:\n name: nginx\nspec:\n type: ClusterIP\n selector:\n app: nginx\n ports:\n - name: http\n port: 80\n targetPort: 80\n - name: https\n port: 443\n targetPort: 443\nEOF<\/code><\/pre>\nkubectl apply -f svc.yaml<\/code><\/pre>\ncat << EOF > ingress.yaml\napiVersion: networking.k8s.io\/v1\nkind: Ingress\nmetadata:\n name: nginx-ingress\n namespace: default\n annotations:\n alb.ingress.kubernetes.io\/scheme: internet-facing\n alb.ingress.kubernetes.io\/healthcheck-path: \/\n alb.ingress.kubernetes.io\/target-type: 'ip'\n external-dns.alpha.kubernetes.io\/hostname: nginx.devopsproject.dev\nspec:\n ingressClassName: alb\n rules:\n - host: nginx.devopsproject.dev\n http:\n paths:\n - path: \/\n pathType: Prefix\n backend:\n service:\n name: nginx\n port:\n number: 80\nEOF<\/code><\/pre>\nkubectl apply -f ingress.yaml<\/code><\/pre>\nAWS Certificate Manager integration (Optional)<\/h3>\n
cat << EOF > ingress.yaml\napiVersion: networking.k8s.io\/v1\nkind: Ingress\nmetadata:\n name: nginx-ingress\n namespace: default\n annotations:\n alb.ingress.kubernetes.io\/scheme: internet-facing\n alb.ingress.kubernetes.io\/certificate-arn: arn:aws:acm:us-west-2:<AWS ACCOUNT ID>:certificate\/b7a364de-72e2-4a36-bb98-258e8d11a224\n alb.ingress.kubernetes.io\/ssl-policy: ELBSecurityPolicy-2016-08\n alb.ingress.kubernetes.io\/backend-protocol: HTTPS\n alb.ingress.kubernetes.io\/healthcheck-path: \/\n alb.ingress.kubernetes.io\/target-type: 'ip'\n alb.ingress.kubernetes.io\/listen-ports: '[{\"HTTP\":80,\"HTTPS\": 443}]'\n alb.ingress.kubernetes.io\/actions.ssl-redirect: '{\"Type\": \"redirect\", \"RedirectConfig\": { \"Protocol\": \"HTTPS\", \"Port\": \"443\", \"StatusCode\": \"HTTP_301\"}}'\n external-dns.alpha.kubernetes.io\/hostname: nginx.devopsproject.dev\nspec:\n ingressClassName: alb\n rules:\n - host: nginx.devopsproject.dev\n http:\n paths:\n - path: \/\n pathType: Prefix\n backend:\n service:\n name: nginx\n port:\n number: 443\nEOF<\/code><\/pre>\nkubectl replace -f ingress.yaml --force<\/code><\/pre>\n![\"the](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/08\/image-120.png\")
<\/figure>\nCleanup<\/h2>\n
kubectl delete -f ingress.yaml<\/code><\/pre>\nkubectl delete -f svc.yaml \nkubectl delete -f test-deploy.yaml<\/code><\/pre>\nBest Practices<\/h2>\n
\n
--log-level=<\/code> to generate logs so that we can identify if any issues occurred.<\/li>\n<\/ol>\nConclusion<\/h2>\n
\n