Route53

PreviousPrivateLink NextVPC

Last updated 4 years ago

Was this helpful?

Route53

Introduction

A regional, managed DNS services for:
- Domain Registration
- DNS Routing
- Health Checking
Not useful in resolving on-premise dependency

Feature

Routing policies
- Simple
  - Maps a hostname to a single resouce
  - Can't attach health checks
  - If multiple values are returned, a random one is chosen by client.
- Weighted
  - Control the % of the requests that go to specific endpoint.
  - Helpful to test 1% of traffic on new app version for example
  - Helpful to split traffic between two regions
  - Can be associated with health checks
  - Note: The weight don't need to sum up to 100.
- Latency
  - Redirect to the server that has the least latency close to users
  - Helpful when latency of users is a priority
  - Latency is evaluated in terms of user to designated AWS region
  - Has a failover capability if you enable health checks
- Failover
  - Monitoring endpoint by sending health check
- Geolocation
  - Based on user location
  - Should create a default policy in case not matched
Route53 only supports DNSSEC for domain registration. However, it doesn't support DNSSEC for DNS service. You must either:
- Use another DNS service provider
- Run a custom EC2 with DNS Server (ex: Bind, dnsmasq, KnotDNS, PowerDNS)
Complex Routing example
- Monitor endpoint (application, server, other AWS resource)
- Monitor other health checks (calculated health checks)
- Monitor CloudWatch alarms. Ex. throttling DynamoDB, alarms on RDS, other custom metrics.
- Health checks can be setup based on:
  - HTTP status code
  - Text in the first 5120 bytes of the response
  - Calculated health checks
    Create separate individual health checks
    Specify how many of the health checks need to pass to make the parent pass
- Health Checks for Private Hosted Zones
  - Health Checks are in AWS Cloud, cannot check your resources in private Subnet. Options:
    Create a CloudWatch Metric and alarm, then create a health check for the alarm.
    Assign a public IP to the resource
    Check dependent external resource instead. Ex. DB server.
Multi Value Routing Policy (Query)
- Used when routing traffic to multiple resouces
- Can associate a Route53 health checks with records
- Up to 8 healthy records are returned to clients for each query and let clients to choose which resource to access
- Multi Value is not a substitute for having an ELB.
Public DNS query logging
- Can configure a CloudWatch Logs log group in the US East Region only.

Reference

DNS Record types:
- SOA
  - Start of Authority, contains important management information about the zone, especially regarding the zone transfer
- A
  - hostname to IPv4
- AAAA
  - hostname to IPv6
- CNAME
  - hostname to hostname
    used for: RDS
  - Canonical name record, An alias of one name to another
  - Being chrage when doing query in Route53
  - Cannot set as Zone apex (Ex: A Zone Apex domain "example.com" can have multiple sub-domains like "www.example.com", "mail.example.com", etc.)
- ALIAS
  - hostname to AWS resource
    Used for: ELB, CloudFront, S3, Elastic Beanstalk, API Gateway
    Can set as Zone apex
  - Not being charged when doing query in Route53
- NS
  - Delegate a subdomain to a set of name servers
- MX record
  - Specifies a mail server responsible for accepting email messages on behalf of a recipient's domain
TTL (time to live): The time for which a DNS resolver caches a response
- Use HTTPS always
- - Use another DNS service provider
  - Run a custom EC2 with DNS Server (ex: Bind, dnsmasq, KnotDNS, PowerDNS)
Sharing Hosted Zone
- A container for records, and records contain information about how you want to route traffic for a specific domain, and its subdomains.
- - Enable the VPC setting: enableDnsHostNames, enableDnsSupport.
  - Create an A or AAAA record for resources (even to a database)
  - Establish VPC Peering (between central account VPC and other accounts' VPC)
    Programmatically (CLI) create the association between the private hosted zone to other VPC.
- Scenario: direct traffic according to geolocation
  - Create a public hosted zone for the domain in Route 53.
  - Update the DNS entries in the registrars database to use AWS DNS Servers as defined in the NS record on Route 53.
  - Create A-type records for all EC2 instances. Configure CNAME records for the main FQDN (A fully qualified domain name) that point to regional A records using a Geolocation routing policy. Create another CNAME record as a default route.

PreviousPrivateLink NextVPC

Last updated 4 years ago

Was this helpful?

Introduction

A regional, managed DNS services for:
- Domain Registration
- DNS Routing
- Health Checking
Not useful in resolving on-premise dependency

Feature

Routing policies
- Simple
  - Maps a hostname to a single resouce
  - Can't attach health checks
  - If multiple values are returned, a random one is chosen by client.
- Weighted
  - Control the % of the requests that go to specific endpoint.
  - Helpful to test 1% of traffic on new app version for example
  - Helpful to split traffic between two regions
  - Can be associated with health checks
  - Note: The weight don't need to sum up to 100.
- Latency
  - Redirect to the server that has the least latency close to users
  - Helpful when latency of users is a priority
  - Latency is evaluated in terms of user to designated AWS region
  - Has a failover capability if you enable health checks
- Failover
  - Monitoring endpoint by sending health check
- Geolocation
  - Based on user location
  - Should create a default policy in case not matched
Route53 only supports DNSSEC for domain registration. However, it doesn't support DNSSEC for DNS service. You must either:
- Use another DNS service provider
- Run a custom EC2 with DNS Server (ex: Bind, dnsmasq, KnotDNS, PowerDNS)
Complex Routing example
- Monitor endpoint (application, server, other AWS resource)
- Monitor other health checks (calculated health checks)
- Monitor CloudWatch alarms. Ex. throttling DynamoDB, alarms on RDS, other custom metrics.
- Health checks can be setup based on:
  - HTTP status code
  - Text in the first 5120 bytes of the response
  - Calculated health checks
    Create separate individual health checks
    Specify how many of the health checks need to pass to make the parent pass
- Health Checks for Private Hosted Zones
  - Health Checks are in AWS Cloud, cannot check your resources in private Subnet. Options:
    Create a CloudWatch Metric and alarm, then create a health check for the alarm.
    Assign a public IP to the resource
    Check dependent external resource instead. Ex. DB server.
Multi Value Routing Policy (Query)
- Used when routing traffic to multiple resouces
- Can associate a Route53 health checks with records
- Up to 8 healthy records are returned to clients for each query and let clients to choose which resource to access
- Multi Value is not a substitute for having an ELB.
Public DNS query logging
- Can configure a CloudWatch Logs log group in the US East Region only.

Reference

DNS Record types:
- SOA
  - Start of Authority, contains important management information about the zone, especially regarding the zone transfer
- A
  - hostname to IPv4
- AAAA
  - hostname to IPv6
- CNAME
  - hostname to hostname
    used for: RDS
  - Canonical name record, An alias of one name to another
  - Being chrage when doing query in Route53
  - Cannot set as Zone apex (Ex: A Zone Apex domain "example.com" can have multiple sub-domains like "www.example.com", "mail.example.com", etc.)
- ALIAS
  - hostname to AWS resource
    Used for: ELB, CloudFront, S3, Elastic Beanstalk, API Gateway
    Can set as Zone apex
  - Not being charged when doing query in Route53
- NS
  - Delegate a subdomain to a set of name servers
- MX record
  - Specifies a mail server responsible for accepting email messages on behalf of a recipient's domain
TTL (time to live): The time for which a DNS resolver caches a response
How to avoid :
- Use HTTPS always
- Use a DNS that has (asymmetric encryption to verify DNS data), can be:
  - Use another DNS service provider
  - Run a custom EC2 with DNS Server (ex: Bind, dnsmasq, KnotDNS, PowerDNS)
Sharing Hosted Zone
- A container for records, and records contain information about how you want to route traffic for a specific domain, and its subdomains.
- (on Internet)
- (within VPC(s), not for on-premise.)
  - Enable the VPC setting: enableDnsHostNames, enableDnsSupport.
  - Create an A or AAAA record for resources (even to a database)
  - Establish VPC Peering (between central account VPC and other accounts' VPC)
    Programmatically (CLI) create the association between the private hosted zone to other VPC.
- Scenario: direct traffic according to geolocation
  - Create a public hosted zone for the domain in Route 53.
  - Update the DNS entries in the registrars database to use AWS DNS Servers as defined in the NS record on Route 53.
  - Create A-type records for all EC2 instances. Configure CNAME records for the main FQDN (A fully qualified domain name) that point to regional A records using a Geolocation routing policy. Create another CNAME record as a default route.