
AWS Route 53: Mastering Public and Private Hosted Zones

When to use private hosted zones and public hosted zones


This study guide covers the architectural decision-making process for Amazon Route 53 hosted zones, specifically focusing on when to utilize public versus private zones and how they integrate into hybrid cloud environments.

Learning Objectives

After studying this guide, you should be able to:

  • Differentiate between the use cases for Route 53 public and private hosted zones.
  • Explain how private hosted zones are associated with Amazon VPCs.
  • Identify the role of Route 53 Resolver endpoints in hybrid DNS architectures.
  • Configure appropriate resource records for both internal and external name resolution.

Key Terms & Glossary

  • Hosted Zone: A container for records that define how you want to route traffic for a domain (e.g., example.com) and its subdomains.
  • Public Hosted Zone: A container that holds records for a domain that you want to route traffic for on the internet.
  • Private Hosted Zone: A container that holds records for a domain that you want to route traffic for within one or more VPCs without exposing the records to the internet.
  • Route 53 Resolver: The set of features that provides recursive DNS lookups for your VPC and enables hybrid DNS integration via endpoints.
  • Split-Horizon DNS: A configuration where you use the same domain name for both internal and external resources, but the DNS queries return different IP addresses depending on the source.

The "Big Idea"

Think of Route 53 Hosted Zones as the Global and Private Address Books of your cloud infrastructure. While a Public Hosted Zone is like a listing in a public directory accessible to anyone on the street (the internet), a Private Hosted Zone is like an internal corporate directory accessible only to those inside the building (the VPC). Mastering the distinction allows you to maintain high security for internal services while providing seamless access for your external customers.

Formula / Concept Box

Feature             | Public Hosted Zone                   | Private Hosted Zone
--------------------|--------------------------------------|-------------------------------
Reachability        | Public Internet                      | Internal VPC(s) only
IP Address Types    | Public IPs (Elastic IPs, ALBs)       | Private IPs (RFC 1918)
Mandatory Records   | NS and SOA (auto-created)            | NS and SOA (auto-created)
Domain Registration | Required (via Route 53 or 3rd party) | Not required to be registered
VPC Association     | None                                 | Required (1 or more VPCs)

Hierarchical Outline

  1. Public Hosted Zones
    • Internet Routing: Used for customer-facing applications and websites.
    • Record Management: Contains A, AAAA, CNAME, and Alias records pointing to public endpoints.
    • Authority: Automatically creates Name Server (NS) and Start of Authority (SOA) records upon creation.
  2. Private Hosted Zones
    • Internal Routing: Routes traffic to EC2 instances, ELBs, or other services via private IP addresses.
    • VPC Scoping: Records are only visible to resources inside the associated VPCs.
    • Non-Internet Hosts: Ideal for microservices, database clusters, and internal APIs.
  3. Hybrid Connectivity (Route 53 Resolver)
    • Inbound Endpoints: Allows on-premises DNS servers to query Route 53 Private Hosted Zones.
    • Outbound Endpoints: Allows AWS resources to query on-premises DNS servers using forwarding rules.

Visual Anchors

Decision Tree: Public vs. Private (diagram not reproduced in this text)

Private Hosted Zone Architecture

\begin{tikzpicture}[node distance=2cm, every node/.style={draw, rectangle, align=center, rounded corners}]
  % VPC boundary
  \draw[dashed, blue, thick] (-1,-1) rectangle (6,3);
  \node[draw=none, text=blue] at (2.5, 2.7) {Amazon VPC (10.0.0.0/16)};
  % Elements inside the VPC
  \node (EC2) at (1,1) {EC2 Instance\\(Private IP)};
  \node (R53) at (4,1) {Route 53\\Private Zone\\(db.internal)};
  % External requester, outside the VPC boundary
  \node (Internet) at (2.5,-2) {Internet\\(Blocked)};
  % Arrows: internal query succeeds, external query gets NXDOMAIN
  \draw[<->, thick] (EC2) -- (R53) node[midway, above, draw=none] {DNS Query};
  \draw[->, red, thick] (Internet) -- (2.5,-1) node[midway, right, draw=none] {NXDOMAIN};
\end{tikzpicture}

Definition-Example Pairs

  • Split-Horizon DNS: Providing different DNS responses for the same domain based on the requester's location.
    • Example: Querying api.example.com from the internet returns the public IP of a WAF, while querying from a VPC returns the private IP of an internal Load Balancer.
  • Outbound Resolver Endpoint: A resource that forwards DNS queries from your VPC to an external (on-premises) network.
    • Example: An EC2 instance tries to reach server.corp.local; the Outbound Endpoint forwards this to the data center DNS server via Direct Connect.

Worked Examples

Scenario: Configuring Hybrid DNS for a Migrated Application

Goal: Allow a VPC-hosted application to resolve the hostname of a legacy database still residing in an on-premises data center.

  1. Requirement: The VPC must know that queries for *.corp.local should go to the on-premises DNS server at 192.168.1.50.
  2. Step 1, create the Outbound Endpoint: specify the VPC and the subnets where the endpoint interfaces will reside.
  3. Step 2, create the Forwarding Rule:
    • Domain Name: corp.local
    • Rule Type: Forward
    • Target IP: 192.168.1.50
  4. Step 3, associate the Rule: link the rule to the application's VPC.
  5. Result: When the EC2 instance queries db.corp.local, Route 53 Resolver sees the rule, sends the query through the outbound endpoint, and returns the on-premises IP.
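The three steps above as one Terraform configuration, added here as an example and not part of the study guide. It assumes the variables `app_vpc_id` and `endpoint_subnet_ids` (two subnets in different AZs) and adds the least-privilege security group the endpoint interfaces need; 192.168.1.50 is the on-premises DNS server from the scenario.

```hcl
# Assumed inputs (not on the page): the application VPC and two subnets in
# different AZs for the endpoint ENIs. 192.168.1.50 is the page's on-prem DNS.
variable "app_vpc_id"         { type = string }
variable "endpoint_subnet_ids" { type = list(string) }

# Least-privilege SG for the endpoint ENIs: DNS to the on-prem resolver only.
resource "aws_security_group" "resolver_outbound" {
  name   = "r53-resolver-outbound"
  vpc_id = var.app_vpc_id
  dynamic "egress" {
    for_each = ["udp", "tcp"]
    content {
      from_port   = 53
      to_port     = 53
      protocol    = egress.value
      cidr_blocks = ["192.168.1.50/32"]
    }
  }
}

# Step 1: outbound endpoint (AWS requires IPs in at least two subnets).
resource "aws_route53_resolver_endpoint" "outbound" {
  name               = "corp-local-outbound"
  direction          = "OUTBOUND"
  security_group_ids = [aws_security_group.resolver_outbound.id]
  dynamic "ip_address" {
    for_each = toset(var.endpoint_subnet_ids)
    content {
      subnet_id = ip_address.value
    }
  }
}

# Step 2: forward corp.local (and every name under it) to 192.168.1.50.
resource "aws_route53_resolver_rule" "corp_local" {
  name                 = "corp-local-forward"
  domain_name          = "corp.local"
  rule_type            = "FORWARD"
  resolver_endpoint_id = aws_route53_resolver_endpoint.outbound.id
  target_ip {
    ip   = "192.168.1.50"
    port = 53
  }
}
# Step 3: the rule only takes effect in VPCs it is associated with.
resource "aws_route53_resolver_rule_association" "app_vpc" {
  resolver_rule_id = aws_route53_resolver_rule.corp_local.id
  vpc_id           = var.app_vpc_id
}
```

Because the rule is defined once and associated per VPC, the same outbound endpoint can serve several VPCs by adding one association resource each.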

Checkpoint Questions

  1. What two records are automatically created by Route 53 when you create a new hosted zone?
  2. True or False: A private hosted zone can be associated with VPCs in different AWS accounts.
  3. Which Route 53 Resolver component is required to allow on-premises users to resolve names defined in a Private Hosted Zone?
  4. Can you use a domain name in a Private Hosted Zone that you do not own or haven't registered publicly?

[!TIP] Answers: 1. NS and SOA. 2. True (using cross-account authorization). 3. Inbound Resolver Endpoint. 4. Yes, private zones do not require registration.

Muddy Points & Cross-Refs

  • Overlapping Namespaces: If you have a private and public zone with the exact same name (e.g., example.com), the Resolver will prioritize the private zone for resources inside the VPC. If a record exists in the public zone but NOT the private zone, the Resolver will not "failover" to the public zone; it will return NXDOMAIN.
  • DNSSEC: Note that DNSSEC is supported for public hosted zones but is NOT supported for private hosted zones.
  • Logging: To troubleshoot resolution issues, use Route 53 Resolver Query Logging to see exactly which rules were matched and what IPs were returned.
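The split-horizon setup from the Definition-Example Pairs (api.example.com) together with the overlapping-namespace pitfall above, as an added Terraform example that is not from the study guide. It assumes a variable `app_vpc_id`; the addresses are constructed (203.0.113.10 from TEST-NET-3 stands in for the public WAF front end, 10.0.1.25 for the internal load balancer).

```hcl
# Assumed input (not on the page): the VPC to associate. Addresses are
# constructed: 203.0.113.10 (TEST-NET-3) plays the public WAF front end,
# 10.0.1.25 the internal load balancer.
variable "app_vpc_id" { type = string }

# Public zone: answers for the internet.
resource "aws_route53_zone" "public" {
  name = "example.com"
}
resource "aws_route53_record" "api_public" {
  zone_id = aws_route53_zone.public.zone_id
  name    = "api.example.com"
  type    = "A"
  ttl     = 300
  records = ["203.0.113.10"]
}
resource "aws_route53_record" "www_public" {
  zone_id = aws_route53_zone.public.zone_id
  name    = "www.example.com"
  type    = "A"
  ttl     = 300
  records = ["203.0.113.10"]
}

# Private zone with the same name: answers only inside the associated VPC.
resource "aws_route53_zone" "private" {
  name = "example.com"
  vpc {
    vpc_id = var.app_vpc_id
  }
}
resource "aws_route53_record" "api_private" {
  zone_id = aws_route53_zone.private.zone_id
  name    = "api.example.com"
  type    = "A"
  ttl     = 60
  records = ["10.0.1.25"]
}

# Pitfall: without this record, www.example.com is NXDOMAIN from inside the
# VPC, because the private zone owns example.com there and Resolver never
# falls back to the public zone. Duplicate every name VPC workloads need.
resource "aws_route53_record" "www_private" {
  zone_id = aws_route53_zone.private.zone_id
  name    = "www.example.com"
  type    = "A"
  ttl     = 300
  records = ["203.0.113.10"]
}
```

To confirm the behaviour after applying, compare the answer for www.example.com from an instance in the VPC with the answer from outside it, and turn on Resolver Query Logging for the VPC if the two disagree unexpectedly.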

Comparison Tables

Resolver Endpoints vs. Forwarding Rules

Component         | Function                                                  | Direction
------------------|-----------------------------------------------------------|------------------------
Inbound Endpoint  | Allows queries into AWS from on-premises                  | On-Prem → VPC
Outbound Endpoint | Allows queries out of AWS to on-premises                  | VPC → On-Prem
Forwarding Rule   | Logic that defines which domains go to Outbound Endpoints | Defined per domain name
System Rule       | Default behavior (queries Route 53 public/private zones)  | Internal AWS
