Chapter 11: DNS, PKI, and Ingress

Word target: 3,500
Primary deliverable: Naming and TLS operating model
Key diagrams: Split DNS and certificate lifecycle

Learning Goals

  • Design internal/external DNS strategy.
  • Automate TLS issuance and renewal.
  • Standardize ingress/reverse proxy patterns.

MVP Lab Worksheet

  • Objective: Publish one internal TLS service.
  • Starting state: DNS authority selected.
  • Steps:
    1. Configure internal domain and records.
    2. Issue certificate for service endpoint.
    3. Validate HTTPS and cert renewal path.
  • Evidence: DNS records + TLS test output.
  • Exit criteria: Service reachable with valid cert chain.
  • Rollback: Revert to previous ingress config.

Advanced Lab Worksheet

  • Objective: Dual ingress model.
  • Starting state: Internal ingress running.
  • Steps:
    1. Add external endpoint with restricted exposure.
    2. Enforce authentication and rate controls.
    3. Test cert renewal and fail-safe behavior.
  • Evidence: Security test checklist.
  • Exit criteria: Internal and external ingress policies verified.
  • Rollback: Disable external path and retain internal access.
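
The check script below is an added example, not material from the chapter. It covers the MVP lab's step 3 (validate the cert chain) and the advanced lab's step 3 (test the renewal path) by building a throwaway internal CA plus a leaf certificate for the constructed hostname app.lab.internal, then running the three checks whose output would serve as lab evidence: chain validity, SAN hostname match, and renewal headroom. It assumes openssl is installed, as it is on Ubuntu by default; the DNS records themselves are not exercised.

```shell
#!/bin/sh
# Added example (not the chapter's own code). Builds a throwaway internal CA and
# a leaf cert for a constructed hostname, then runs chain, hostname and renewal
# checks. Assumes the openssl CLI is present (default on Ubuntu).

SERVICE_HOST="app.lab.internal"   # constructed example name
RENEW_DAYS=30                      # renew when fewer than this many days remain

# make_test_pki DIR DAYS: writes ca.crt, svc.key and svc.crt into DIR with the
# leaf valid for DAYS days. Stand-in for the real issuance step in the lab.
make_test_pki() {
  dir="$1"; days="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Lab Internal CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$SERVICE_HOST" \
    -keyout "$dir/svc.key" -out "$dir/svc.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$SERVICE_HOST" > "$dir/san.ext"
  openssl x509 -req -in "$dir/svc.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days "$days" -extfile "$dir/san.ext" -out "$dir/svc.crt" 2>/dev/null
}

# check_cert CERT CAFILE HOST: prints OK, RENEW or FAIL:<reason>.
# Exit 0 = healthy, 2 = valid but inside the renewal window, 1 = broken.
check_cert() {
  cert="$1"; ca="$2"; host="$3"
  # 1. The chain must validate against the internal CA
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "FAIL:chain"; return 1; }
  # 2. The hostname must match a SAN entry (clients ignore the CN)
  openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match" \
    || { echo "FAIL:hostname"; return 1; }
  # 3. Renewal headroom: -checkend exits non-zero if expiry is within N seconds
  openssl x509 -in "$cert" -noout -checkend $((RENEW_DAYS * 86400)) >/dev/null \
    || { echo "RENEW"; return 2; }
  echo "OK"
}

# Demo: a healthy cert, then one already inside the renewal window
d1=$(mktemp -d); make_test_pki "$d1" 365
echo "365-day cert: $(check_cert "$d1/svc.crt" "$d1/ca.crt" "$SERVICE_HOST")"
d2=$(mktemp -d); make_test_pki "$d2" 10
echo "10-day cert:  $(check_cert "$d2/svc.crt" "$d2/ca.crt" "$SERVICE_HOST")"
rm -rf "$d1" "$d2"
```

Point check_cert at the service's real certificate and your internal CA file to produce the "TLS test output" evidence line, and run it from cron or a systemd timer so a RENEW result surfaces before the fail-safe path is needed.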

Ubuntu Focus

Note where certificates and service configs live on the Ubuntu filesystem.