Task Statement 2.3: Implement complex hybrid and multi-account DNS architectures.
📘 AWS Certified Advanced Networking – Specialty
1. Basic Concept: Hosted Zones in AWS
In Amazon Route 53, a hosted zone is a container for DNS records (like A, CNAME, MX, etc.) for a domain.
There are two main types:
1. Public Hosted Zone (PHZ – Public)
- Used for internet-facing DNS
- Resolves domain names for users anywhere on the internet
2. Private Hosted Zone (PHZ – Private)
- Used for internal DNS inside AWS
- Resolves domain names only within VPCs
2. Public Hosted Zones (Detailed Explanation)
What is a Public Hosted Zone?
A Public Hosted Zone stores DNS records for a domain that should be accessible from the internet.
Key Characteristics
- DNS queries come from anywhere (internet)
- Used for public applications
- Requires domain delegation from registrar (NS records)
When to Use Public Hosted Zones
Use a Public Hosted Zone when:
1. You Need Internet Access
- Your application must be reachable by users worldwide
- Example:
- Website: www.example.com
- API: api.example.com
2. Hosting Public Services
- Web servers (EC2 + ALB)
- Public APIs
- SaaS applications
3. Domain Registered with a Registrar
- You connect your domain to Route 53
- Use NS records to point to Route 53 name servers
4. External DNS Resolution Required
- Any client outside AWS must resolve the domain
Example (IT Scenario)
- A company hosts a public website using:
- EC2 instances
- Application Load Balancer
- DNS:
www.company.com → ALB DNS
- This must be accessible globally → Public Hosted Zone
3. Private Hosted Zones (Detailed Explanation)
What is a Private Hosted Zone?
A Private Hosted Zone allows DNS resolution only within one or more VPCs.
Key Characteristics
- Not visible on the internet
- Works only inside associated VPCs
- Uses Amazon-provided DNS resolver
When to Use Private Hosted Zones
Use a Private Hosted Zone when:
1. Internal Services (Very Important for Exam)
- Applications communicating inside a VPC
- Microservices architecture
Example:
db.internal.local
api.service.local
2. Backend Resources
- Databases (RDS, Aurora)
- Internal APIs
- Internal load balancers
3. Security Requirement (No Internet Exposure)
- You do NOT want public DNS resolution
- Only internal users should resolve names
4. Multi-VPC Architectures
- Centralized DNS across multiple VPCs
- Using:
- VPC association
- Shared services VPC
5. Hybrid Environments (On-Premises + AWS)
- Private Hosted Zones integrated with:
- On-prem DNS via:
- Route 53 Resolver inbound endpoints
- Conditional forwarding
Example (IT Scenario)
- Internal application architecture:
- App server → app.internal
- Database → db.internal
- Only accessible within VPC → Private Hosted Zone
4. Key Differences (Very Important for Exam)
| Feature | Public Hosted Zone | Private Hosted Zone |
|---|---|---|
| Visibility | Internet | Only VPCs |
| Use Case | Public apps | Internal services |
| DNS Queries | Global users | Internal resources |
| Security | Public | Private |
| VPC Association | Not required | Required |
| Hybrid Support | Limited | Strong (with Resolver) |
5. Using Both Together (Common Exam Scenario)
You can use both Public and Private Hosted Zones for the same domain name.
This is called:
👉 Split-horizon DNS (or split-view DNS)
How It Works
Example domain: example.com
Public Hosted Zone:
www.example.com → Public ALB
Private Hosted Zone:
www.example.com → Internal ALB (different IP)
Behavior
- Inside VPC → resolves private IP
- Outside AWS → resolves public IP
Exam Tip
If the question says:
- “Same domain name, different responses inside vs outside”
👉 Answer: Split-horizon DNS using Public + Private Hosted Zones
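Added example (not from these notes): a small Python model of the split-horizon behaviour above. It also shows two edge cases an exam question may probe: a private zone that is not associated with the querying VPC is simply invisible to it, and once an associated private zone covers a name, a record missing from that zone answers NXDOMAIN instead of falling through to the public zone (the documented Route 53 behaviour for overlapping public/private namespaces). Zone names, VPC ids and addresses are constructed.

```python
# Added example: model of Route 53 split-horizon resolution (constructed data).
from dataclasses import dataclass, field


@dataclass
class HostedZone:
    name: str                   # zone apex, e.g. "example.com"
    private: bool               # True for a Private Hosted Zone
    records: dict               # FQDN -> A record value (or alias target)
    vpcs: set = field(default_factory=set)   # associated VPC ids (private only)

    def covers(self, fqdn):
        """True if this zone's namespace contains fqdn."""
        return fqdn == self.name or fqdn.endswith("." + self.name)


def resolve(fqdn, zones, source_vpc=None):
    """Return (answer, source) for fqdn as seen from source_vpc.

    source_vpc=None models a client on the public internet, which only ever
    sees public hosted zones.  Inside a VPC, the most specific private zone
    associated with that VPC is authoritative: a name missing from it yields
    NXDOMAIN rather than falling through to the public zone.  A private zone
    that is not associated with the VPC is invisible to that VPC.
    """
    if source_vpc is not None:
        candidates = [z for z in zones
                      if z.private and source_vpc in z.vpcs and z.covers(fqdn)]
        if candidates:
            zone = max(candidates, key=lambda z: len(z.name))   # most specific
            answer = zone.records.get(fqdn)
            return (answer, "private:" + zone.name) if answer else (None, "NXDOMAIN")
    for zone in zones:
        if not zone.private and zone.covers(fqdn):
            answer = zone.records.get(fqdn)
            if answer:
                return answer, "public:" + zone.name
    return None, "NXDOMAIN"


# Constructed zones: www.example.com exists in both the public and the private zone.
ZONES = [
    HostedZone("example.com", private=False,
               records={"www.example.com": "203.0.113.10",   # public ALB
                        "api.example.com": "203.0.113.20"}),
    HostedZone("example.com", private=True,
               records={"www.example.com": "10.0.1.10"},     # internal ALB
               vpcs={"vpc-app"}),
]

if __name__ == "__main__":
    for client in (None, "vpc-app", "vpc-other"):
        print(client or "internet", resolve("www.example.com", ZONES, client))
    # api.example.com only exists in the public zone, so from vpc-app it is NXDOMAIN
    print("vpc-app", resolve("api.example.com", ZONES, "vpc-app"))
```

The "vpc-other" case is the "forgetting VPC association" trap: the query silently gets the public answer, which is usually not what the architect intended.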
6. Multi-Account Considerations (Exam Focus)
In multi-account environments:
Private Hosted Zones
- Can be shared using:
- AWS RAM (Resource Access Manager)
- Centralized DNS architecture:
- Shared services account hosts DNS
Public Hosted Zones
- Typically managed in:
- Central DNS account
- Delegation used for subdomains:
dev.example.com
prod.example.com
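Added example (not from these notes): a delegation consistency check for the multi-account public-zone pattern above, where a central DNS account owns the parent zone example.com and workload accounts own the dev/prod subdomain zones. The check compares the NS records in the parent with each child zone's current delegation set, which catches the common operational failure of recreating a child zone (new name servers) without updating the parent. All zone data, account ids and name server names are constructed.

```python
# Added example: cross-account subdomain delegation check (constructed data).

# Parent public zone in the central DNS account: record name -> (type, values)
PARENT_ZONE = {
    "example.com":      ("NS", {"ns-1.awsdns-00.com", "ns-2.awsdns-01.net"}),
    "dev.example.com":  ("NS", {"ns-10.awsdns-02.org", "ns-11.awsdns-03.co.uk"}),
    "prod.example.com": ("NS", {"ns-20.awsdns-04.com", "ns-21.awsdns-05.net"}),
    "old.example.com":  ("NS", {"ns-50.awsdns-10.com", "ns-51.awsdns-11.net"}),
}

# Child public zones, one per workload account: zone name -> delegation set
CHILD_ZONES = {
    "dev.example.com":  {"account": "111111111111",
                         "name_servers": {"ns-10.awsdns-02.org", "ns-11.awsdns-03.co.uk"}},
    # prod zone was recreated and got a new delegation set; parent was not updated
    "prod.example.com": {"account": "222222222222",
                         "name_servers": {"ns-30.awsdns-06.org", "ns-31.awsdns-07.co.uk"}},
    # test zone exists but nobody added NS records to the parent yet
    "test.example.com": {"account": "333333333333",
                         "name_servers": {"ns-40.awsdns-08.com", "ns-41.awsdns-09.net"}},
}


def check_delegations(parent, children, apex="example.com"):
    """Return {subdomain: status} by comparing parent NS records with child zones.

    ok                  parent NS set equals the child's delegation set
    missing-delegation  child zone exists but parent has no NS record for it
    stale-delegation    parent NS record points at servers the child no longer uses
    dangling-delegation parent delegates a name that no child zone serves
    """
    report = {}
    for name, child in children.items():
        rec = parent.get(name)
        if rec is None or rec[0] != "NS":
            report[name] = "missing-delegation"
        elif rec[1] != child["name_servers"]:
            report[name] = "stale-delegation"
        else:
            report[name] = "ok"
    for name, (rtype, _) in parent.items():
        if rtype == "NS" and name != apex and name not in children:
            report[name] = "dangling-delegation"
    return report


if __name__ == "__main__":
    for sub, status in sorted(check_delegations(PARENT_ZONE, CHILD_ZONES).items()):
        print(f"{sub:20} {status}")
```

In a real account the parent's records would come from the central account's hosted zone and each child's delegation set from the owning account's hosted zone; only the comparison logic is shown here.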
7. Hybrid DNS (Very Important)
Private Hosted Zones are heavily used in hybrid environments.
Integration with On-Premises:
Using:
- Route 53 Resolver inbound endpoints
- Route 53 Resolver outbound endpoints
Flow Example:
- On-prem DNS → conditional forward → Route 53 Resolver inbound endpoint → Private Hosted Zone
Exam Tip
If the question mentions:
- “On-premises needs to resolve AWS private domains”
👉 Use: Private Hosted Zone + Resolver endpoints
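Added example (not from these notes): a Python model of both hybrid resolution paths described in this section. On-prem to AWS goes through an on-prem conditional forwarder pointed at the inbound endpoint IPs and ends in the private hosted zone; AWS to on-prem goes through a Resolver forwarding rule (type FORWARD) attached to an outbound endpoint, while a SYSTEM rule keeps the AWS-owned domain inside Route 53. Each call returns the answer plus the hop list, so the path can be checked. The domains, endpoint IPs and rules are constructed.

```python
# Added example: model of Route 53 Resolver hybrid DNS flows (constructed data).

# AWS side --------------------------------------------------------------------
PRIVATE_HOSTED_ZONE = {            # zone internal.local, associated with the VPC
    "db.internal.local": "10.0.2.25",
    "api.internal.local": "10.0.3.40",
}
INBOUND_ENDPOINT_IPS = ["10.0.0.10", "10.0.1.10"]   # ENIs in two subnets
RESOLVER_RULES = [                 # Resolver rules; the longest matching suffix wins
    {"domain": "corp.local", "type": "FORWARD", "targets": ["192.168.10.53"]},
    {"domain": "internal.local", "type": "SYSTEM", "targets": []},   # stay in AWS
]

# On-premises side ------------------------------------------------------------
ONPREM_ZONE = {"ldap.corp.local": "192.168.10.5"}
ONPREM_FORWARDERS = {"internal.local": INBOUND_ENDPOINT_IPS}   # conditional forwarder


def _suffix_match(fqdn, domain):
    return fqdn == domain or fqdn.endswith("." + domain)


def route53_resolver(fqdn, path):
    """Resolve fqdn as Route 53 Resolver would for a query arriving in the VPC."""
    path.append("route53-resolver")
    matching = [r for r in RESOLVER_RULES if _suffix_match(fqdn, r["domain"])]
    if matching:
        rule = max(matching, key=lambda r: len(r["domain"]))
        if rule["type"] == "FORWARD":
            path.append("outbound-endpoint -> " + rule["targets"][0])
            return onprem_dns(fqdn, path, forwarded_from_aws=True)
    # SYSTEM rule or no rule at all: answer from the private hosted zone
    # (public DNS resolution is left out of this model)
    path.append("private-hosted-zone")
    return PRIVATE_HOSTED_ZONE.get(fqdn)


def onprem_dns(fqdn, path, forwarded_from_aws=False):
    """Resolve fqdn as the on-premises DNS server would."""
    path.append("onprem-dns")
    if fqdn in ONPREM_ZONE:
        return ONPREM_ZONE[fqdn]
    if forwarded_from_aws:
        return None     # never bounce an AWS-originated query back to AWS (loop guard)
    for domain, targets in ONPREM_FORWARDERS.items():
        if _suffix_match(fqdn, domain):
            path.append("inbound-endpoint -> " + targets[0])
            return route53_resolver(fqdn, path)
    return None


def resolve_from(origin, fqdn):
    """Return (answer, path) for a query that starts 'onprem' or in the 'vpc'."""
    path = []
    start = onprem_dns if origin == "onprem" else route53_resolver
    return start(fqdn, path), path


if __name__ == "__main__":
    for origin, name in [("onprem", "db.internal.local"), ("vpc", "ldap.corp.local"),
                         ("vpc", "db.internal.local"), ("onprem", "missing.corp.local")]:
        print(origin, name, resolve_from(origin, name))
```

The FORWARD/SYSTEM rule types are the real Route 53 Resolver rule types; the SYSTEM rule for internal.local is what prevents the AWS-owned domain from being forwarded back out to on-prem and looping.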
8. Common Mistakes (Exam Traps)
❌ Mistake 1:
Using Public Hosted Zone for internal services
✔ Correct: Use Private Hosted Zone
❌ Mistake 2:
Expecting Private Hosted Zone to work from internet
✔ Correct: It only works inside VPC
❌ Mistake 3:
Forgetting VPC association
✔ Private hosted zones must be associated with VPCs
❌ Mistake 4:
Not using split-horizon when required
✔ Use both hosted zones for same domain
9. Quick Decision Guide (Exam Shortcut)
Use this mental rule:
If DNS needs to be:
- 🌍 Accessible from internet → Public Hosted Zone
- 🔒 Internal only → Private Hosted Zone
- 🔄 Both (internal + external with different answers) → Both (Split DNS)
10. Final Exam Summary
To pass the exam, remember:
- Public Hosted Zone
- Internet-facing DNS
- Used for websites, APIs
- Private Hosted Zone
- Internal DNS inside VPC
- Used for backend, microservices, databases
- Both Together
- Split-horizon DNS
- Same domain, different resolution
- Hybrid DNS
- Private hosted zones + Route 53 Resolver
- Multi-account
- Share private zones via AWS RAM
- Delegate public zones
