AWS Networking & CDN
Route 53
Highly available DNS service with traffic routing policies and health checking
Amazon Route 53 is a highly available, scalable DNS service that also provides domain registration and health checking. It is deeply integrated with AWS services and supports advanced traffic routing policies that enable architectures like blue/green deployments, latency-based routing, and failover - making it essential knowledge for any AWS architect.
DNS Record Types and Alias Records
Route 53 supports all standard DNS record types and adds a proprietary Alias record type that eliminates the need for CNAME at zone apex (root domain).
| Record Type | Purpose | Example |
|---|---|---|
| A | IPv4 address | api.example.com -> 52.10.20.30 |
| AAAA | IPv6 address | api.example.com -> 2001:db8::1 |
| CNAME | Canonical name alias | www.example.com -> example.com (not at zone apex) |
| Alias | AWS-specific alias (free queries, works at apex) | example.com -> ALB or CloudFront domain |
| MX | Mail server routing | example.com -> mail.example.com with priority |
| TXT | Text records for verification | SPF, DKIM, domain ownership verification |
| NS | Nameserver delegation | Delegates a subdomain to another hosted zone |
| PTR | Reverse DNS lookup | IP -> hostname for email reputation |
| SRV | Service location records | Used by some SaaS discovery protocols |
Use Alias records instead of CNAMEs whenever pointing to AWS resources (ALB, CloudFront, S3 website, API Gateway). Alias records are free, work at the zone apex, and respond with the actual IP addresses of the target.
Routing Policies Compared
Route 53 routing policies control which record values are returned to DNS queries. They can be combined with health checks for automatic failover.
| Policy | How It Works | Use Case |
|---|---|---|
| Simple | Returns all values; client chooses | Single resource; no health checks |
| Weighted | Returns records proportionally by weight (0-255) | A/B testing; gradual deployments (10/90 split) |
| Latency | Returns the region with lowest measured latency for the user | Multi-region apps; improves user experience |
| Failover | Returns primary unless health check fails, then secondary | Active-passive DR; regional failover |
| Geolocation | Routes by user's country or continent | Data sovereignty; localized content |
| Geoproximity | Routes by geographic distance with bias adjustment | Fine-grained regional control; Traffic Flow only |
| Multi-value | Returns up to 8 healthy records randomly | Client-side load balancing; basic HA without ALB |
| IP-based | Routes by CIDR block of the resolver | ISP-specific routing; known IP ranges |
Geolocation routes by the location of the user's DNS resolver, not the user's own IP address (unless the resolver passes the EDNS Client Subnet extension, which Route 53 honors). Users behind corporate or public resolvers (such as 8.8.8.8) may therefore be geolocated incorrectly. Always create a default record for geolocation - queries that match no configured location would otherwise return NXDOMAIN.
Health Checks and DNS Failover
Route 53 health checks monitor endpoints and can automatically remove unhealthy records from DNS responses. They work across all routing policies.
| Health Check Type | What It Monitors | Key Setting |
|---|---|---|
| Endpoint | HTTP/HTTPS/TCP to a specific IP or domain | Interval: 10s (fast) or 30s; threshold: 3 failures |
| Calculated | Combines multiple child health checks with AND/OR logic | Good for service-level composite status |
| CloudWatch Alarm | Health is based on a CloudWatch alarm state | For resources Route 53 cannot reach directly (private) |
For resources in private VPCs, Route 53 health checkers cannot reach them directly because they operate from public IP ranges. Use a CloudWatch alarm health check instead - create a CloudWatch alarm on a metric (e.g., ALB HealthyHostCount), then link the Route 53 health check to that alarm.
```bash
# Create a health check for an HTTP endpoint (caller-reference must be unique per request)
aws route53 create-health-check \
  --caller-reference 2024-01-01 \
  --health-check-config \
  "Type=HTTP,FullyQualifiedDomainName=api.example.com,Port=80,RequestInterval=30,FailureThreshold=3"

# Create a failover record set (primary). SetIdentifier is required for failover
# records; the secondary uses the same Name with "Failover": "SECONDARY".
aws route53 change-resource-record-sets \
  --hosted-zone-id Z1234 \
  --change-batch '{
    "Changes": [{
      "Action": "CREATE",
      "ResourceRecordSet": {
        "Name": "api.example.com",
        "Type": "A",
        "SetIdentifier": "primary",
        "Failover": "PRIMARY",
        "HealthCheckId": "abc-123",
        "AliasTarget": {
          "DNSName": "my-alb.us-east-1.elb.amazonaws.com",
          "EvaluateTargetHealth": true,
          "HostedZoneId": "ZALBHOSTEDZONEID"
        }
      }
    }]
  }'
```

Private Hosted Zones and DNS Resolution
Private hosted zones let you resolve custom domain names within VPCs without exposing them to the internet. They are essential for service discovery in multi-VPC architectures.
| Feature | Public Hosted Zone | Private Hosted Zone |
|---|---|---|
| Resolvable from | Anywhere on the internet | Only within associated VPCs |
| Requires | Domain registration or NS delegation | Associated VPCs with enableDnsSupport and enableDnsHostnames enabled |
| Split-horizon DNS | N/A | Same name with different values per zone (internal vs external) |
| Cost | $0.50/month + $0.40 per million queries | $0.10/month + $0.40 per million queries |
For on-premises DNS resolution of Route 53 private zones, use Route 53 Resolver endpoints. An inbound endpoint allows on-premises DNS servers to forward queries to Route 53. An outbound endpoint lets Route 53 forward queries for on-premises domains to your on-premises DNS.
When associating a private hosted zone with VPCs in other accounts, you must use the AWS CLI or SDK - the console only shows VPCs in the same account.
Route 53 Pricing
| Component | Price | Notes |
|---|---|---|
| Hosted zone | $0.50/month (public), $0.10/month (private) | First 25 zones discounted |
| Standard queries | $0.40 per million | Most record types |
| Latency routing queries | $0.60 per million | Additional cost for latency measurement |
| Geo DNS queries | $0.70 per million | Geolocation and geoproximity |
| Health checks (AWS endpoint) | $0.50/month per check | Fast (10s interval): $1.00/month |
| Health checks (non-AWS) | $0.75/month per check | External endpoints cost more |
| Domain registration | $9-$400/year | Depends on TLD |
Interview Focus Points
1. What is the difference between an Alias record and a CNAME? Why can't you use CNAME at the zone apex?
2. Explain how you would implement a blue/green deployment using Route 53 weighted routing.
3. How does Route 53 health checking work for resources in a private VPC?
4. Walk through how you would set up active-passive failover between two regions using Route 53.
5. What is the difference between Geolocation and Latency routing? When would you use each?
6. How would you configure split-horizon DNS with Route 53 for internal vs external resolution?
7. Explain Route 53 Resolver endpoints and when you need inbound vs outbound endpoints.
8. What happens to Route 53 DNS resolution if you have overlapping records in a public and private hosted zone?
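Added example (not code from this page or from AWS) that builds the complete active-passive pair the CLI snippet above only starts, and the weighted blue/green shift asked about in focus points 2 and 4. Every domain, zone ID and health-check ID is a constructed placeholder, and boto3 is only needed by the final submit function.

```python
"""Change-batch builders for Route 53 failover and blue/green weighted routing.
Added example; all names, zone IDs and health-check IDs are placeholders."""

def alias_record(name, dns_name, target_zone_id, set_id, **policy):
    """One A alias record; policy carries Failover/Weight/HealthCheckId fields."""
    rec = {
        "Name": name, "Type": "A",
        "SetIdentifier": set_id,  # required for failover and weighted sets
        "AliasTarget": {"DNSName": dns_name, "HostedZoneId": target_zone_id,
                        "EvaluateTargetHealth": True},
    }
    rec.update(policy)
    return rec

def failover_batch(name, primary, secondary, health_check_id):
    """PRIMARY carries the endpoint health check; SECONDARY is answered only
    while the primary is unhealthy. UPSERT keeps the call idempotent."""
    return {"Comment": f"failover for {name}", "Changes": [
        {"Action": "UPSERT", "ResourceRecordSet": alias_record(
            name, primary["dns"], primary["zone"], "primary",
            Failover="PRIMARY", HealthCheckId=health_check_id)},
        {"Action": "UPSERT", "ResourceRecordSet": alias_record(
            name, secondary["dns"], secondary["zone"], "secondary",
            Failover="SECONDARY")},
    ]}

def weights_for(green_percent):
    """Blue/green weights as (blue, green). Percent maps directly onto the
    0-255 weight range; weight 0 means the record is never returned."""
    if not isinstance(green_percent, int) or not 0 <= green_percent <= 100:
        raise ValueError("green_percent must be an integer 0-100")
    return 100 - green_percent, green_percent

def blue_green_batch(name, blue, green, green_percent):
    """Weighted pair for a gradual cutover; re-run with a higher percent
    (10 -> 50 -> 100) to shift traffic, then delete the blue record."""
    blue_w, green_w = weights_for(green_percent)
    return {"Comment": f"{green_percent}% green", "Changes": [
        {"Action": "UPSERT", "ResourceRecordSet": alias_record(
            name, blue["dns"], blue["zone"], "blue", Weight=blue_w)},
        {"Action": "UPSERT", "ResourceRecordSet": alias_record(
            name, green["dns"], green["zone"], "green", Weight=green_w)},
    ]}

def apply_change_batch(hosted_zone_id, batch):
    """Submit the batch to Route 53 (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the builders above work offline
    resp = boto3.client("route53").change_resource_record_sets(
        HostedZoneId=hosted_zone_id, ChangeBatch=batch)
    return resp["ChangeInfo"]["Id"]
```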