
How do I resolve private route53 domains in the Reference Architecture?

Answer

On route53 private, every different environment will be using the same internal services domain name according to [common.hcl](https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/188d19e4c378da9adb2a05cdcf6e02ecf0fec034/examples/for-production/infrastructure-live/common.hcl#L95). I've broken those out into different subdomains before, calling out the env in the subdomain, like `product.{$ENV}.company.com`, which allows me to resolve the domains per environment. But instead, with this model, it's not called out and everything is `gruntworks.aws`. How do I differentiate the environments in this model?

A private hosted zone can only be resolved from within the VPC(s) it is associated with. In the Reference Architecture, each environment has its own VPC, and each VPC has its own OpenVPN server, so you must first VPN into the VPC via that environment's OpenVPN server before you can resolve its private domains at all. Routing to an environment therefore happens first at the OpenVPN layer: you decide which environment to connect to, and from there you resolve the domain for that environment. The same name (`gruntworks.aws`) can exist once per environment precisely because each copy of the private zone is only visible inside its own VPC.

Note that the private domains are intended for services that are only accessible within the VPC (not publicly exposed), which is why the Reference Architecture uses private Route 53 domains to manage them.

If you have an alternative networking scenario where a central network peers into all of the VPCs (e.g., a single VPC with its own OpenVPN server that peers into each environment's network), it may make more sense to set up the service domains as public domains so that they are resolvable from anywhere. In the Reference Architecture, you can point the Route 53 domain/hosted zone for each service to the public hosted zone instead of the private one to create the records there.
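The two models described in the answer, written out as an added example in plain Terraform (this is not code from the Reference Architecture or from the Gruntwork service catalog modules; it uses the `aws_route53_zone` and `aws_route53_record` resources directly). The variable names, the `company.com` public zone, the VPC ID and the `10.0.1.10` service address are assumptions for illustration. The first block is the per-environment private zone that every environment creates under the identical name; the second is the public-zone alternative, which has to encode the environment in the record name because only one public zone can be authoritative for a given name:

```hcl
# Added example, not Reference Architecture code. Inputs below are assumed.

variable "env" {
  description = "Environment this stack is deployed into, e.g. dev, stage, prod"
  type        = string
}

variable "vpc_id" {
  description = "ID of this environment's VPC (assumed input)"
  type        = string
}

# Model used by the Reference Architecture: every environment creates its own
# private hosted zone with the same name. Route 53 allows this because a private
# zone is only visible from the VPCs it is associated with, so the dev copy of
# gruntworks.aws never collides with the prod copy. Which copy you resolve is
# decided by which environment's VPC (and OpenVPN server) you are connected to.
resource "aws_route53_zone" "internal" {
  name    = "gruntworks.aws"
  comment = "Private services zone for ${var.env}"

  vpc {
    vpc_id = var.vpc_id # the only VPC that can resolve this copy of the zone
  }
}

resource "aws_route53_record" "product" {
  zone_id = aws_route53_zone.internal.zone_id
  name    = "product.gruntworks.aws"
  type    = "A"
  ttl     = 60
  records = ["10.0.1.10"] # assumed internal address of the service in this env
}

# Alternative for a hub-and-spoke network (one central VPC peering into every
# environment): records in a public hosted zone resolve from anywhere, but the
# public zone exists once (assumed to be created elsewhere and looked up here),
# so the environment must be part of the record name. Reusing a bare
# product.gruntworks.aws in each environment would not work here: the last
# environment to write the record would win.
data "aws_route53_zone" "public" {
  name         = "company.com." # assumed registered domain, created once
  private_zone = false
}

resource "aws_route53_record" "product_public" {
  zone_id = data.aws_route53_zone.public.zone_id
  name    = "product.${var.env}.company.com"
  type    = "A"
  ttl     = 60
  # Publishing a private address in public DNS is allowed, but it discloses
  # internal addressing to anyone who can query the zone; the answer's point
  # that private zones exist for services that are not publicly exposed is
  # the reason the Reference Architecture defaults to the private model.
  records = ["10.0.1.10"]
}
```

Two checks worth doing when the private model "does not resolve": the VPC that the zone is associated with must have both `enable_dns_support` and `enable_dns_hostnames` set to true, otherwise private hosted zones are ignored for that VPC; and the VPN client must actually send its queries to the VPC resolver (the VPC CIDR base address plus two, reachable as `169.254.169.253` from inside the VPC). If `dig +short product.gruntworks.aws` returns nothing while you are connected to an environment's OpenVPN server, check which resolver the VPN pushed to the client before suspecting the zone itself.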