
CONCEPT Cited by 1 source

VPC resolver packet rate limit

The AWS VPC resolver (AmazonProvidedDNS, also called Route 53 Resolver; reachable at the VPC base address + 2, e.g. 10.0.0.2 for a VPC whose CIDR starts at 10.0.0.0, and at the link-local address 169.254.169.253) accepts at most 1,024 packets per second per elastic network interface (ENI). The limit is counted on packets leaving the ENI toward the resolver, and it is a hard quota that cannot be raised. Note that it counts packets, not queries: a query carried over TCP, or a truncated response, costs several packets against the same budget. Above the cap AWS drops the excess at the VPC level without any signal; from the client's side a dropped query is a timeout, which the stub resolver (glibc's resolv.conf `attempts`/`timeout`, for example) answers by retrying, so the retries add yet more packets to an already saturated stream.

AWS documentation: VPC DNS quotas and considerations.

Architectural implication

The limit is per-ENI, not per-VPC or per-host. This has two practical consequences:

  1. Concentrated DNS routing creates a choke point. Running a central DNS server cluster (a small number of ENIs) that forwards to the VPC resolver on behalf of the whole fleet turns those ENIs into the saturation target. Any DNS workload whose upstream traffic exceeds 1,024 × N pps (N = number of forwarding ENIs) has its excess silently dropped rather than queued, and the client retries that follow push the stream even further over the cap.
  2. The fix is topological, not rate-negotiated. The quota cannot be raised, but it is counted per ENI and every instance has at least one; forwarding to the VPC resolver from each host's local resolver instead of from a central cluster therefore makes the aggregate ceiling scale linearly with instance count. See patterns/distribute-dns-load-to-host-resolver.
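The check a practitioner wants when this limit is suspected is a per-second count of packets to and from the resolver on one ENI, compared against the cap. The following is an added example, not code from the Stripe post or from AWS: it derives the resolver address from a VPC CIDR (base + 2), parses lines in the shape produced by `tcpdump -tt -n`, and flags seconds whose outbound rate exceeds 1,024 pps. The capture it runs on is constructed inside the block, shaped like the Stripe numbers (about 4,290 queries out and 1,023 replies back in one second); the names `vpc_resolver_address`, `saturation_report` and `synth_capture` are chosen here and the exact tcpdump field layout is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# AWS quota: packets per second, per ENI, toward the VPC resolver (hard limit).
VPC_RESOLVER_PPS_CAP = 1024


def vpc_resolver_address(vpc_cidr):
    """AmazonProvidedDNS lives at the VPC's network base address + 2."""
    net = ipaddress.ip_network(vpc_cidr, strict=False)
    return str(net.network_address + 2)


# Assumed line shape of `tcpdump -tt -n udp port 53`:
#   "<epoch.usec> IP <src>.<sport> > <dst>.<dport>: ..."
_PKT = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def per_second_counts(lines, resolver_ip):
    """Count packets toward and from the resolver, bucketed by whole second."""
    sent = defaultdict(int)
    replies = defaultdict(int)
    for line in lines:
        m = _PKT.match(line)
        if not m:
            continue  # non-DNS or malformed line; ignore
        sec = int(float(m["ts"]))
        if m["dst"] == resolver_ip and m["dport"] == "53":
            sent[sec] += 1
        elif m["src"] == resolver_ip and m["sport"] == "53":
            replies[sec] += 1
    return sent, replies


def saturation_report(lines, resolver_ip, cap=VPC_RESOLVER_PPS_CAP):
    """One row per second with outbound traffic; flags seconds over the cap.

    'unanswered' is sent minus replies in that second: a floor on what the VPC
    dropped, since a late reply or a client retry lands in the next bucket.
    """
    sent, replies = per_second_counts(lines, resolver_ip)
    return [
        {
            "second": sec,
            "sent": sent[sec],
            "replies": replies.get(sec, 0),
            "over_cap": sent[sec] > cap,
            "unanswered": max(sent[sec] - replies.get(sec, 0), 0),
        }
        for sec in sorted(sent)
    ]


def synth_capture(second, host, resolver_ip, queries, answered):
    """Constructed capture: `queries` A lookups from `host`, of which `answered` get a reply."""
    lines = []
    for i in range(queries):
        sport = 40000 + i % 20000
        lines.append(f"{second}.{i:06d} IP {host}.{sport} > {resolver_ip}.53: {i}+ A? svc{i}.internal. (30)")
        if i < answered:
            lines.append(f"{second}.{i:06d} IP {resolver_ip}.53 > {host}.{sport}: {i} 1/0/0 A 10.1.2.3 (46)")
    return lines


RESOLVER = vpc_resolver_address("10.0.0.0/16")  # "10.0.0.2"
HOST = "10.0.1.15"
# Constructed sample: one quiet second, then one second shaped like the Stripe
# measurement (257,430 / 60 ≈ 4,290 queries out, ~1,023 replies back).
SAMPLE_CAPTURE = (
    synth_capture(1700000000, HOST, RESOLVER, queries=800, answered=800)
    + synth_capture(1700000001, HOST, RESOLVER, queries=4290, answered=1023)
)

if __name__ == "__main__":
    for row in saturation_report(SAMPLE_CAPTURE, RESOLVER):
        flag = "OVER CAP" if row["over_cap"] else "ok"
        print(f"{row['second']}: sent={row['sent']} replies={row['replies']} "
              f"unanswered={row['unanswered']} {flag}")
```

On a real host the input would be the output of `tcpdump -tt -n -i <eni> udp port 53` on the forwarding ENI, passed as `saturation_report(open("dns.txt"), RESOLVER)`. Run it per ENI, not per host: an instance with several ENIs has a separate budget on each, which is exactly why the distributed-forwarding pattern works. A second of traffic with `over_cap` true and a reply count pinned near 1,023 is the signature described above; a high unanswered count with outbound traffic under the cap points somewhere else (upstream resolver, security groups, conntrack).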

Seen in

  • Stripe — The secret life of DNS packets (2024-12-12). Canonical wiki disclosure. Measured: ~1,023 pps average reply rate from the VPC resolver during saturation events, almost exactly the AWS cap. 60-second tcpdump: 257,430 outbound packets to the resolver (~4,290 pps), 61,385 inbound replies (61,385 / 60 ≈ 1,023 pps), i.e. roughly three in four queries went unanswered. The 2024-12-12 post identifies the VPC-resolver cap as the root-cause constraint.