![\"Figure](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/delivering-anycast-dns-in-aws-with-infoblox-universal-ddi-and-aws-cloud-wan.jpg?resize=640%2C774&ssl=1\")
<\/p>\nOver the past few months, in conversations I\u2019ve had with enterprises running workloads across multiple regions and hybrid clouds, one theme kept coming up: DNS keeps biting them. Everyone wants the same thing: consistent, resilient DNS services that \u201cjust work\u201d everywhere. But when you start layering in multi-cloud topologies, global reach and the need for fast failover, Anycast DNS quickly shifts from \u201cnice to have\u201d to \u201chard to manage.\u201d <\/p>\n
That\u2019s where this story begins. In this blog, we\u2019ll walk through how Infoblox Universal DDI\u2122 and NIOS-X can be deployed natively in AWS, integrated with Cloud WAN and extended with Anycast DNS to provide global reachability. The magic is in combining Infoblox\u2019s centralized management and automation with AWS\u2019s global networking fabric so you can onboard apps faster, reduce operational overhead and deliver a DNS fabric that\u2019s both highly available and cloud ready. <\/p>\n
The lab we built demonstrates a practical design with two AWS regions, Frankfurt and Paris. Each region has Shared Services and Production virtual private clouds (VPCs), with Infoblox NIOS-X appliances delivering Anycast DNS. AWS Cloud WAN ties the regions together, optimizing routing and ensuring DNS requests seamlessly fail over when needed. <\/p>\n
<\/p>\n
Figure 1. High-level topology across Frankfurt (eu-central-1) and Paris (eu-west-3) interconnected by AWS Cloud WAN<\/p>\n
The foundation of the design is the deployment of Infoblox NIOS-X appliances in the Shared Services VPCs across regions. These appliances act as the DNS engines for the environment and are centrally managed through the Universal DDI portal. Deployment leverages standard AWS EC2 workflows together with Infoblox join tokens for seamless onboarding. <\/p>\n
Deployment steps: <\/p>\n
While this blog keeps the focus on architecture, the lab that follows goes further. There we\u2019ll show how the same deployment workflow can be integrated into a continuous integration (CI)\/continuous delivery (CD) pipeline so that NIOS-X appliances can be spun up, registered and configured automatically as part of your infrastructure-as-code process.<\/p>\n
![\"Figure](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/delivering-anycast-dns-in-aws-with-infoblox-universal-ddi-and-aws-cloud-wan.png?resize=640%2C424&ssl=1\")
<\/p>\n
Figure 2. Universal DDI portal showing NIOS-X appliances registered and online (Configure \u2192 Servers<\/em>) <\/p>\n Why This Matters:<\/strong> This automated onboarding workflow eliminates manual registration steps and ensures new appliances are consistently visible in Universal DDI across regions, reducing deployment time and human error. <\/p>\n In each AWS region, we provisioned two distinct VPCs: <\/p>\n This separation is not new. It\u2019s a classic networking design principle. In the data center, we always carved out a shared infrastructure domain: DNS, DHCP, Active Directory, logging, PKI, monitoring and other core services ran there, decoupled from individual app environments. Connectivity was enforced through virtual routing and forwarding (VRF) separation and route leaking, ensuring reachability while keeping lifecycles cleanly isolated. <\/p>\n In the cloud, the same logic applies, only the mechanics change. Instead of VRFs and firewalls, you use VPCs, peering, Transit Gateway, Cloud WAN and security constructs provided by the cloud service provider (CSP). The architectural pattern stays the same: shared infrastructure delivers consistency while application environments consume those services over well-defined, secure pathways. <\/p>\n As networking architects, we need to recognize that the move to cloud doesn\u2019t eliminate these design rules, it just translates them into new constructs. And at the global level, AWS Cloud WAN stitches those shared infrastructures together, providing the backbone that makes services like Anycast DNS available everywhere. <\/p>\n Figure 3. Create AWS global network in network manager <\/p>\n Figure 4. Create core network and select regions\/edge\/segments <\/p>\n Why This Matters:<\/strong> Defining edge locations and segments early provides a structured backbone that scales across multiple regions and simplifies traffic separation.<\/p>\n With the Cloud WAN backbone in place, the next step is to attach the regional resources so that traffic can actually flow across the global fabric. Attachments act as the integration points between VPCs, appliances and the Cloud WAN core network, enabling routing consistency and policy enforcement end-to-end. <\/p>\n Steps performed: <\/p>\n Design Callout: Why tunnel-less BGP? <\/p>\n By using tunnel-less mode, routing is simplified\u2014there\u2019s no Generic Routing Encapsulation (GRE) or IPsec encapsulation overhead, fewer moving parts and less operational complexity. Troubleshooting is more straightforward, since routes exchanged over Cloud WAN are visible as native BGP sessions without additional encapsulation layers. The result is a cleaner design that\u2019s easier to scale and operate. <\/p>\n Figure 5. VPC attachment creation with DNS support enabled <\/p>\n Figure 6. Connect attachment creation (NO_ENCAP\/tunnel-less) <\/p>\n Figure 7. Connect attachment BGP peer\u2019s configuration (peer IPs, ASNs)<\/p>\n Figure 7. Connect attachment BGP peers configuration details (BGP would show down since we didn\u2019t yet configure the NIOS-X side, but the screenshot here is when all is configured, hence it shows BGP Status UP)<\/p>\n Figure 8. VPC route tables (updated) <\/p>\n Why This Matters:<\/strong> Using both VPC and Connect attachments allows application VPCs and DNS infrastructure to be integrated consistently while enabling NIOS-X to advertise Anycast IPs into Cloud WAN through BGP. <\/p>\n Once VPCs and Connect attachments are in place, the next step is to apply Cloud WAN policies. Policies are the control plane logic that determine: <\/p>\n Think of Cloud WAN policies as the \u201cintent file\u201d for your global network\u2014they abstract away per-VPC routing complexity and instead let you describe connectivity in terms of segments and sharing rules. <\/p>\n Below is the full policy applied in our lab: <\/p>\n Core Configuration:<\/strong> Defines ASN ranges, inside CIDR blocks for Connect peers, edge locations and two segments (Shared Services, PROD). <\/p>\n Segment Actions:<\/strong> Allow Shared Services and PROD to exchange routes for reachability. <\/p>\n Rule 100:<\/strong> Associates Shared Services VPCs (vpc-024743b1d00009219, vpc-02add70a8637c5acf). <\/p>\n Rule 110:<\/strong> Associates PROD VPCs (vpc-098ea96bb41ecbfa7, vpc-0fb8ce0b7277bcaec). <\/p>\n Rule 120:<\/strong> Maps Frankfurt NIOS-X Connect attachment (attachment-060212557d5e7d06b) to Shared Services. <\/p>\n Rule 125:<\/strong> Maps Paris NIOS-X Connect attachment (attachment-00a26092ee329caeb) to Shared Services. <\/p>\n Why This Matters:<\/strong> VPCs are dynamically associated with the right segments, DNS appliances are always anchored in Shared Services and segments share routes for seamless DNS resolution. <\/p>\n Figure 9. AWS network manager policy view showing applied policy\/version <\/p>\n With connectivity in place, we enabled Anycast DNS in Universal DDI. <\/p>\n Steps performed for all NIOS-X appliances in the Infoblox Portal:<\/p>\n Figure 10. Universal DDI\u2014Enable DNS service (Configure \u2192 Service Deployment \u2192 Protocol Service \u2192 Create Service \u2192 DNS<\/em>)<\/p>\n Figure 11. Universal DDI\u2014Anycast configuration (Networking \u2192 Anycast \u2192 Create Anycast Configuration<\/em>) <\/p>\n Figure 12. Universal DDI\u2014Anycast service creation (Configure \u2192 Service Deployment \u2192 Protocol Service \u2192 Create Service \u2192 Anycast<\/em>) <\/p>\n Figure 13. Universal DDI\u2014BGP peer configuration for Anycast service<\/p>\n Figure 14. Universal DDI\u2014Anycast IP shows green\/active<\/p>\n We didn\u2019t cover it in this blog, but the hands-on lab that follows goes deeper. There, you\u2019ll see how to make Anycast DNS failover much faster, without being stuck with default BGP control-plane timers. In the lab, we show how you can use AWS Lambda to listen for events like a BGP session flapping or a route disappearing from the routing table\u2014and react in real time.<\/p>\n We validated the design end to end across both regions. <\/p>\n Checks performed:<\/p>\n Figure 15. Routes learned from Cloud WAN visible in the Cloud WAN route tables <\/p>\n Figure 16. AWS\u2014Connect peer\u2019s status shows UP (per region) <\/p>\n Figure 17. EC2 in PROD (Frankfurt)\u2014dig output resolving via Anycast IP <\/p>\n Figure 18. EC2 in PROD (Paris)\u2014dig output resolving via Anycast IP<\/p>\n Why This Matters:<\/strong> Validation proves Anycast DNS works seamlessly across regions\u2014routing handled by Cloud WAN, resiliency provided by BGP. <\/p>\n This lab showcases how Universal DDI and NIOS-X can be deployed in AWS to deliver a resilient, Anycast-based DNS fabric across multiple regions. By integrating with AWS Cloud WAN, enterprises gain a single policy-driven backbone that makes DNS highly available, globally reachable and easier to operate at scale. <\/p>\n What you get is more than just DNS resolution\u2014it is a cloud-native architecture that aligns with enterprise requirements for agility, security and reach while preserving the design principles you already know from on-prem networking. <\/p>\n And this is only the beginning. The hands-on lab that follows goes further, showing how to speed up failover beyond default BGP timers, how to use Lambda functions to react to routing events and even how to tie these deployments into a CI\/CD pipeline for full automation.<\/p>\n If you\u2019d like to explore this design in action, we\u2019ve created an on-demand lab where you can walk through deploying Infoblox Universal DDI with Anycast DNS on AWS Cloud WAN step by step. <\/p>\n Infoblox UDDI – DNS Anycast AWS with Cloud WAN Lab <\/a><\/p>\n This lab will give you hands-on experience with: <\/p>\n If you\u2019re interested in the Terraform code used to automate the setup, you can find it in the CloudWAN Terraform repository<\/a>. <\/p>\n We\u2019re just getting started. In my next blog, we\u2019ll explore how Infoblox Universal DDI and Anycast DNS can be deployed in Microsoft Azure using vWAN. The same principles apply, but the mechanics differ, and we\u2019ll dive into how Cloud WAN concepts translate into the Azure ecosystem. <\/p>\n Stay tuned for Part 2 in this series. <\/p>\nAWS Infrastructure Setup<\/h3>\n
\n
![\"Figure](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/delivering-anycast-dns-in-aws-with-infoblox-universal-ddi-and-aws-cloud-wan-1.png?resize=640%2C280&ssl=1\")
<\/p>\n![\"Figure](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/delivering-anycast-dns-in-aws-with-infoblox-universal-ddi-and-aws-cloud-wan-2.png?resize=640%2C285&ssl=1\")
<\/p>\nAttaching VPCs and Connect Attachments<\/h3>\n
\n
![\"Figure](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/delivering-anycast-dns-in-aws-with-infoblox-universal-ddi-and-aws-cloud-wan-3.png?resize=640%2C285&ssl=1\")
![\"Figure](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/delivering-anycast-dns-in-aws-with-infoblox-universal-ddi-and-aws-cloud-wan-4.png?resize=640%2C283&ssl=1\")
<\/p>\n![\"Figure](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/delivering-anycast-dns-in-aws-with-infoblox-universal-ddi-and-aws-cloud-wan-5.png?resize=640%2C286&ssl=1\")
<\/p>\n![\"Figure](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/delivering-anycast-dns-in-aws-with-infoblox-universal-ddi-and-aws-cloud-wan-6.png?resize=640%2C287&ssl=1\")
<\/p>\n![\"Figure](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/delivering-anycast-dns-in-aws-with-infoblox-universal-ddi-and-aws-cloud-wan-7.png?resize=640%2C164&ssl=1\")
<\/p>\n![\"Figure](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/delivering-anycast-dns-in-aws-with-infoblox-universal-ddi-and-aws-cloud-wan-8.png?resize=640%2C258&ssl=1\")
<\/p>\nDefining AWS Cloud WAN Policies<\/h3>\n
\n
\n{ \"version\": \"2021.12\", \"core-network-configuration\": { \"vpn-ecmp-support\": true, \"dns-support\": true, \"security-group-referencing-support\": false, \"inside-cidr-blocks\": [ \"172.16.222.0\/24\", \"172.16.223.0\/24\" ], \"asn-ranges\": [ \"65400-65500\" ], \"edge-locations\": [ { \"location\": \"eu-central-1\", \"asn\": 65400, \"inside-cidr-blocks\": [ \"172.16.222.0\/24\" ] }, { \"location\": \"eu-west-3\", \"asn\": 65402, \"inside-cidr-blocks\": [ \"172.16.223.0\/24\" ] } ] }, \"segments\": [ { \"name\": \"SharedServices\", \"edge-locations\": [ \"eu-central-1\", \"eu-west-3\" ], \"require-attachment-acceptance\": false }, { \"name\": \"PROD\", \"edge-locations\": [ \"eu-central-1\", \"eu-west-3\" ], \"require-attachment-acceptance\": false } ], \"network-function-groups\": [], \"segment-actions\": [ { \"action\": \"share\", \"mode\": \"attachment-route\", \"segment\": \"SharedServices\", \"share-with\": [ \"PROD\" ] }, { \"action\": \"share\", \"mode\": \"attachment-route\", \"segment\": \"PROD\", \"share-with\": [ \"SharedServices\" ] } ], \"attachment-policies\": [ { \"rule-number\": 100, \"description\": \"Attach SharedServices VPCs to SharedServices segment\", \"condition-logic\": \"or\", \"conditions\": [ { \"type\": \"resource-id\", \"operator\": \"equals\", \"value\": \"vpc-024743b1d00009219\" }, { \"type\": \"resource-id\", \"operator\": \"equals\", \"value\": \"vpc-02add70a8637c5acf\" } ], \"action\": { \"association-method\": \"constant\", \"segment\": \"SharedServices\" } }, { \"rule-number\": 110, \"description\": \"Attach PROD VPCs to PROD segment\", \"condition-logic\": \"or\", \"conditions\": [ { \"type\": \"resource-id\", \"operator\": \"equals\", \"value\": \"vpc-098ea96bb41ecbfa7\" }, { \"type\": \"resource-id\", \"operator\": \"equals\", \"value\": \"vpc-0fb8ce0b7277bcaec\" } ], \"action\": { \"association-method\": \"constant\", \"segment\": \"PROD\" } }, { \"rule-number\": 120, \"description\": \"Place CONNECT attachment for niosx01aws\/niosx02aws (eu-central-1) into SharedServices\", \"condition-logic\": \"or\", \"conditions\": [ { \"type\": \"resource-id\", \"operator\": \"equals\", \"value\": \"attachment-060212557d5e7d06b\" } ], \"action\": { \"association-method\": \"constant\", \"segment\": \"SharedServices\" } }, { \"rule-number\": 125, \"description\": \"Place CONNECT attachment for niosx03aws\/niosx04aws (eu-west-3) into SharedServices\", \"condition-logic\": \"or\", \"conditions\": [ { \"type\": \"resource-id\", \"operator\": \"equals\", \"value\": \"attachment-00a26092ee329caeb\" } ], \"action\": { \"association-method\": \"constant\", \"segment\": \"SharedServices\" } } ] } <\/code><\/pre>\nPolicy Breakdown:<\/h3>\n
![\"Figure](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/delivering-anycast-dns-in-aws-with-infoblox-universal-ddi-and-aws-cloud-wan-9.png?resize=640%2C202&ssl=1\")
<\/p>\nConfiguring Anycast DNS in Infoblox<\/h3>\n
\n
![\"Figure](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/delivering-anycast-dns-in-aws-with-infoblox-universal-ddi-and-aws-cloud-wan-10.png?resize=640%2C277&ssl=1\")
<\/p>\n![\"Figure](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/delivering-anycast-dns-in-aws-with-infoblox-universal-ddi-and-aws-cloud-wan-11.png?resize=640%2C279&ssl=1\")
<\/p>\n![\"Figure](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/delivering-anycast-dns-in-aws-with-infoblox-universal-ddi-and-aws-cloud-wan-12.png?resize=640%2C278&ssl=1\")
<\/p>\n![\"Figure](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/delivering-anycast-dns-in-aws-with-infoblox-universal-ddi-and-aws-cloud-wan-13.png?resize=640%2C276&ssl=1\")
![\"Figure](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/delivering-anycast-dns-in-aws-with-infoblox-universal-ddi-and-aws-cloud-wan-14.png?resize=640%2C276&ssl=1\")
<\/p>\n![\"Figure](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/delivering-anycast-dns-in-aws-with-infoblox-universal-ddi-and-aws-cloud-wan-15.png?resize=640%2C248&ssl=1\")
<\/p>\nValidation<\/h3>\n
\n
![\"Figure](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/delivering-anycast-dns-in-aws-with-infoblox-universal-ddi-and-aws-cloud-wan-16.png?resize=640%2C275&ssl=1\")
<\/p>\n![\"Figure](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/delivering-anycast-dns-in-aws-with-infoblox-universal-ddi-and-aws-cloud-wan-17.png?resize=640%2C277&ssl=1\")
![\"Figure](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/delivering-anycast-dns-in-aws-with-infoblox-universal-ddi-and-aws-cloud-wan-18.png?resize=640%2C278&ssl=1\")
<\/p>\n![\"Figure](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/delivering-anycast-dns-in-aws-with-infoblox-universal-ddi-and-aws-cloud-wan-19.png?resize=640%2C142&ssl=1\")
<\/p>\n![\"Figure](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/delivering-anycast-dns-in-aws-with-infoblox-universal-ddi-and-aws-cloud-wan-20.png?resize=640%2C143&ssl=1\")
<\/p>\nConclusion<\/h3>\n
Try It Yourself: Hands-On Lab<\/h3>\n
\n
Coming Next: Anycast on Azure<\/h3>\n