Using Route 53 private hosted zones

Task Statement 1.2: Design DNS solutions that meet public, private, and hybrid requirements.

📘AWS Certified Advanced Networking – Specialty


1. What is DNS and Route 53?

DNS (Domain Name System) is like the internet’s address book. It translates human-readable names (like server.example.com) into IP addresses (like 192.0.2.10) that computers use to talk to each other.

AWS Route 53 is AWS’s scalable DNS service. It can manage both public DNS (accessible from the internet) and private DNS (accessible only within your private networks).


2. What is a Private Hosted Zone?

A Private Hosted Zone (PHZ) is a DNS zone in Route 53 that is only accessible within one or more specified VPCs (Virtual Private Clouds).

Key points:

  • Unlike public hosted zones, a PHZ's records are not resolvable from the internet.
  • PHZ is used to manage internal DNS names for resources inside AWS, such as EC2 instances, RDS databases, or internal load balancers.
  • You can create multiple PHZs if you have multiple internal environments or networks.

3. Why use Private Hosted Zones?

Private hosted zones are used in IT environments when you want internal services to have DNS names that only internal systems can resolve.

Examples in IT context:

  • Internal API endpoints: api.internal.example.com used by your internal applications.
  • Internal databases: db.internal.example.com that is only reachable from your VPC.
  • Multi-tier architectures: Internal load balancers that route traffic between app servers but are not public.

4. How Private Hosted Zones Work

Step 1: Create a Private Hosted Zone

  • In Route 53, you define the domain name (for example: internal.example.com).
  • You specify which VPC(s) the zone is associated with.
  • Only resources in those VPCs can resolve names in this zone.

Step 2: Add DNS Records

  • You can create records such as:
    • A record → Maps a hostname to an IPv4 address
    • AAAA record → Maps a hostname to an IPv6 address
    • CNAME record → Alias for another domain name
    • MX record → Mail server
  • Example: app.internal.example.com → 10.0.1.15

Step 3: Query the Private DNS

  • Only instances in the associated VPC(s) can query the private DNS.
  • If you try to query app.internal.example.com from outside the VPC, it will not resolve.
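The three steps above as an AWS CLI script, added here as an example that is not part of the original notes. REGION, VPC_ID and the 10.0.1.15 address are placeholders to replace with your own values. Beyond the steps themselves, the script checks the two VPC attributes a private hosted zone depends on (enableDnsSupport and enableDnsHostnames) before creating the zone, and refuses to publish a non-RFC 1918 address into the private zone, which is the usual sign of a record copied from the public zone by mistake. Run it with --apply to execute the AWS calls; without that flag it only defines the helper functions.

```shell
#!/bin/sh
# Added example (not from the original notes): create a Route 53 private hosted
# zone for internal.example.com, associate it with one VPC, add an A record and
# show how to verify resolution from inside the VPC.
# REGION, VPC_ID and the 10.0.1.15 address are constructed placeholders.

REGION="${REGION:-us-east-1}"
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"   # placeholder VPC id
ZONE_NAME="internal.example.com"

# Build the JSON change batch for an UPSERT of one A record.
# Pure shell, so it can be inspected without calling AWS.
change_batch_a() {
  name="$1"; ip="$2"; ttl="${3:-300}"
  printf '{"Comment":"added example","Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"A","TTL":%s,"ResourceRecords":[{"Value":"%s"}]}}]}\n' \
    "$name" "$ttl" "$ip"
}

# Accept only RFC 1918 address space for records in the private zone.
is_rfc1918() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# A private hosted zone is only consulted when the VPC has enableDnsSupport
# and enableDnsHostnames set to true. This parses describe-vpc-attribute
# output such as {"VpcId": "vpc-1", "EnableDnsSupport": {"Value": true}}.
vpc_attr_enabled() {
  printf '%s' "$1" | grep -q '"Value": *true'
}

apply() {
  for attr in enableDnsSupport enableDnsHostnames; do
    out=$(aws ec2 describe-vpc-attribute --region "$REGION" \
            --vpc-id "$VPC_ID" --attribute "$attr")
    vpc_attr_enabled "$out" || {
      echo "VPC $VPC_ID has $attr disabled; the PHZ would never be used" >&2
      exit 1
    }
  done

  # Step 1: PrivateZone=true plus --vpc creates the zone already associated.
  zone_id=$(aws route53 create-hosted-zone \
    --name "$ZONE_NAME" \
    --caller-reference "phz-$(date +%s)" \
    --hosted-zone-config PrivateZone=true,Comment=internal-names \
    --vpc "VPCRegion=$REGION,VPCId=$VPC_ID" \
    --query 'HostedZone.Id' --output text)

  # Step 2: add app.internal.example.com -> 10.0.1.15 (constructed address).
  ip="10.0.1.15"
  is_rfc1918 "$ip" || {
    echo "refusing to publish non-private address $ip in a PHZ" >&2
    exit 1
  }
  aws route53 change-resource-record-sets --hosted-zone-id "$zone_id" \
    --change-batch "$(change_batch_a "app.$ZONE_NAME" "$ip")"

  # Step 3: from an instance inside the VPC, ask the VPC resolver:
  #   dig +short app.internal.example.com @169.254.169.253   -> 10.0.1.15
  # The same query from outside the VPC gets NXDOMAIN: the zone is not published.
}

if [ "${1:-}" = "--apply" ]; then apply; fi
```

The attribute check is the one that bites in practice: a VPC created with enableDnsHostnames left at false will happily be associated with the zone, and every lookup will still go unanswered.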

5. Key Features for Exam

  1. VPC Association
    • PHZ must be associated with one or more VPCs.
    • You can share PHZ across accounts using AWS Resource Access Manager (RAM).
  2. Split-Horizon DNS
    • You can have the same domain name for public and private hosted zones.
    • Example:
      • Public: example.com → resolves to public website
      • Private: example.com → resolves to internal apps
    • Route 53 uses the VPC association to decide which zone answers: queries from an associated VPC get the private records, all other queries get the public ones.
  3. Private DNS for AWS Services
    • Some AWS services, such as PrivateLink endpoints, RDS instances, or internal ELBs, can be given private DNS names by placing their records in a PHZ.
  4. Route 53 Resolver
    • Used to forward DNS queries between on-premises networks and AWS VPCs.
    • Allows hybrid environments (on-prem + AWS) to resolve internal AWS names.
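Features 1 and 4 above as an AWS CLI script, added here as an example that is not part of the original notes. It associates an existing PHZ with a second VPC in the same account, then builds the hybrid piece: an outbound Route 53 Resolver endpoint with forwarding rules for the on-premises suffixes, and an inbound endpoint that on-premises DNS can forward internal.example.com to. PHZ_ID, the VPC, subnet and security group ids, the rule table and the 192.168.x.53 on-premises DNS servers are all constructed placeholders. The resolver_for helper mirrors how Resolver picks the most specific matching rule and falls back to the VPC resolver when no rule matches; it runs without AWS credentials, and the AWS calls only run with --apply.

```shell
#!/bin/sh
# Added example (not from the original notes): multi-VPC association of a PHZ
# plus Route 53 Resolver endpoints and forwarding rules for hybrid DNS.
# Every id, subnet, security group and on-prem DNS address is a placeholder.

REGION="${REGION:-us-east-1}"
PHZ_ID="${PHZ_ID:-Z0000000EXAMPLE}"               # placeholder hosted zone id
SECOND_VPC="${SECOND_VPC:-vpc-0fedcba9876543210}"
SG_ID="${SG_ID:-sg-0123456789abcdef0}"           # must allow TCP/UDP 53
SUBNET_A="${SUBNET_A:-subnet-0aaaaaaaaaaaaaaaa}"  # two subnets in two AZs
SUBNET_B="${SUBNET_B:-subnet-0bbbbbbbbbbbbbbbb}"

# Constructed rule table: "<on-prem domain> <on-prem DNS server>", one per line.
RULES='corp.example.com 192.168.10.53
lab.corp.example.com 192.168.20.53'

# Build the --ip-addresses shorthand: one entry per subnet, so the endpoint
# gets an ENI in each AZ and survives a single-AZ failure.
endpoint_ips() {
  out=""
  for s in "$@"; do out="$out SubnetId=$s"; done
  printf '%s\n' "${out# }"
}

# Which resolver will answer a name: the longest matching rule suffix wins,
# as in Route 53 Resolver; with no match the query stays with the VPC
# resolver, which is where PHZ names such as app.internal.example.com live.
resolver_for() {
  name="$1"
  match=$(printf '%s\n' "$RULES" | while read -r dom target; do
    case "$name" in
      "$dom"|*".$dom") printf '%s %s\n' "${#dom}" "$target" ;;
    esac
  done | sort -rn | head -n 1)
  if [ -n "$match" ]; then echo "forward:${match#* }"; else echo "vpc-resolver"; fi
}

apply() {
  # Feature 1: the same PHZ answers from a second VPC once it is associated.
  aws route53 associate-vpc-with-hosted-zone --hosted-zone-id "$PHZ_ID" \
    --vpc "VPCRegion=$REGION,VPCId=$SECOND_VPC"

  # Feature 4, outbound (VPC -> on-prem): endpoint, then one rule per suffix.
  out_id=$(aws route53resolver create-resolver-endpoint --region "$REGION" \
    --creator-request-id "out-$(date +%s)" --direction OUTBOUND \
    --security-group-ids "$SG_ID" \
    --ip-addresses $(endpoint_ips "$SUBNET_A" "$SUBNET_B") \
    --query 'ResolverEndpoint.Id' --output text)

  printf '%s\n' "$RULES" | while read -r dom target; do
    rule_id=$(aws route53resolver create-resolver-rule --region "$REGION" \
      --creator-request-id "rule-$dom-$(date +%s)" --rule-type FORWARD \
      --domain-name "$dom" --target-ips "Ip=$target,Port=53" \
      --resolver-endpoint-id "$out_id" \
      --query 'ResolverRule.Id' --output text)
    aws route53resolver associate-resolver-rule --region "$REGION" \
      --resolver-rule-id "$rule_id" --vpc-id "$SECOND_VPC"
  done

  # Feature 4, inbound (on-prem -> VPC): on-prem DNS forwards internal.example.com
  # to this endpoint's IPs, which answer from the PHZ of their VPC.
  aws route53resolver create-resolver-endpoint --region "$REGION" \
    --creator-request-id "in-$(date +%s)" --direction INBOUND \
    --security-group-ids "$SG_ID" \
    --ip-addresses $(endpoint_ips "$SUBNET_A" "$SUBNET_B") \
    --query 'ResolverEndpoint.IpAddressCount' --output text
}

if [ "${1:-}" = "--apply" ]; then apply; fi
```

Keep the forwarding rules as narrow as the on-premises namespace: a rule for a broad suffix sends every matching query, including ones you expected the PHZ to answer, to the on-premises servers.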

6. Common Exam Scenarios

Here’s what the exam might ask about PHZ:

  1. Internal service name resolution
    • “You have an internal EC2 instance that needs to resolve db.internal.example.com. Which Route 53 solution do you use?”
      Answer: Private Hosted Zone associated with the VPC.
  2. Multiple VPCs needing same internal DNS
    • Use PHZ associated with multiple VPCs (or via RAM across accounts).
  3. Split-horizon DNS
    • “You have example.com publicly accessible, but internal apps use the same domain.”
      Answer: Use both public and private hosted zones for the same domain.
  4. Hybrid DNS with on-premises
    • Use Route 53 Resolver endpoints to forward queries between AWS VPC and on-premises network.

7. Exam Tips for PHZ

  • Always check VPC associations: a PHZ is useless until it is associated with a VPC.
  • Understand the difference between public and private hosted zones.
  • Know how split-horizon DNS works.
  • Remember that a PHZ does not expose records to the internet.
  • Know Route 53 Resolver for hybrid environments.

8. Summary Table

Feature        | Private Hosted Zone                    | Public Hosted Zone
Visibility     | Only inside associated VPC(s)          | Internet-wide
Records        | Internal services, internal ELBs, EC2  | Public websites, APIs
Split-horizon  | Yes, can have same domain as public    | Not applicable
VPC Required   | Yes                                    | No
Hybrid DNS     | Works with Route 53 Resolver           | Not applicable

Key Takeaways for the Exam

  • PHZ = internal DNS for VPC
  • Must associate with VPC(s)
  • Supports split-horizon DNS
  • Works with Route 53 Resolver for hybrid
  • Records can be A, AAAA, CNAME, MX, etc.