Amazon Route 53¶

What Is Amazon Route 53?¶

Amazon Route 53 is AWS’s managed DNS and intelligent traffic routing service.

It provides:

domain registration
DNS resolution
health checks
intelligent routing
failover

Route 53 translates:

app.example.com
↓
Destination Endpoint

Think of Route 53 as:

Global DNS and intelligent routing for AWS applications.

Why It Matters for Security¶

Route 53 helps organizations:

improve availability
reduce outage impact
control application routing
support disaster recovery
secure DNS architectures

Security teams use Route 53 for:

resilient applications
endpoint failover
DNS protection
controlled application exposure

Core Concepts¶

authoritative DNS
intelligent routing
health checks
failover
hosted zones
DNS resolution
domain registration

Important Integrations¶

Amazon CloudFront¶

Common pattern:

User
↓
Route 53
↓
CloudFront

Elastic Load Balancing (ALB/NLB)¶

Common routing target.

Used for:

application availability
multi-AZ architectures

Amazon S3¶

Supports:

static website routing

AWS Global Accelerator¶

Supports:

global application routing

Route 53 Resolver¶

Supports:

hybrid DNS
recursive DNS resolution

Very important distinction.

Route 53 Resolver DNS Firewall¶

Supports:

DNS filtering
malicious domain protection

AWS Certificate Manager¶

Supports:

TLS-enabled endpoints

Security Features¶

Health Checks¶

Route 53 monitors:

endpoints
applications
availability

Supports:

automated failover

DNS Failover¶

Pattern:

Primary
↓
Failure
↓
Secondary

Very important resilience capability.

Private Hosted Zones¶

Restrict DNS visibility to:

VPC environments

Useful for:

private applications
internal services

DNS Query Logging¶

Supports:

CloudWatch Logs
S3

Useful for:

auditing
investigations

DNS Firewall¶

Blocks:

malicious lookups
unauthorized domains

Very important security capability.

Advanced Security and Operational Concepts¶

DNSSEC¶

Route 53 supports:

DNSSEC signing

for:

public hosted zones

Protects against:

DNS spoofing
cache poisoning
DNS hijacking

Pattern:

User
↓
Route 53
↓
Signed Response

Very important DNS security capability.

Alias vs CNAME (Classic Trap)¶

Alias:

AWS resources
supports root domain

Examples:

ALB
CloudFront
S3

CNAME:

hostname mapping
not supported at root domain

Example:

example.com
→ Alias

www.example.com
→ CNAME

Very important distinction.

Route 53 Resolver Endpoints¶

Supports hybrid DNS.

Inbound Endpoint¶

Allows:

On-Premises
↓
Resolve
↓
AWS Private DNS

Example:

db.internal.aws

Outbound Endpoint¶

Allows:

AWS
↓
Resolve
↓
On-Premises DNS

Example:

corp.company.local

Very important networking distinction.

Advanced Health Check Types¶

Endpoint Health Checks¶

Monitors:

IP
URL
TCP

Calculated Health Checks¶

Combines multiple checks.

Example:

5 checks
↓
Threshold
↓
Healthy/Unhealthy

CloudWatch Alarm Health Checks¶

Very important exam trap.

Route 53 cannot directly check:

private endpoints
internal ALBs
databases

Pattern:

Private Resource
↓
Metric
↓
CloudWatch Alarm
↓
Route 53

Routing Policies¶

Simple¶

Single endpoint.

Weighted¶

Traffic distribution.

Latency¶

Lowest latency region.

Failover¶

Health-based routing.

Geolocation¶

Region-based routing.

Geoproximity¶

Distance-based routing.

Multi-Value¶

Returns healthy endpoints.

Route 53 Traffic Flow¶

Provides:

visual routing builder
routing combinations
versioning
rollback

Pattern:

Geo
↓
Latency
↓
Weighted

Very important enterprise feature.

Architecture Example¶

Secure Global DNS Architecture¶

flowchart LR

USER[Users]

R53[Route 53]

DNSSEC[DNSSEC]

HC[Health Checks]

CF[CloudFront]

APP1[Primary]

APP2[Secondary]

USER --> R53

DNSSEC --> R53

HC --> R53

R53 --> CF

CF --> APP1

CF -. Failover .-> APP2

classDef dns fill:#e3f2fd,stroke:#1565c0,color:#0d47a1;
classDef security fill:#e8f5e9,stroke:#2e7d32,color:#1b5e20;

class USER,R53,CF dns;
class DNSSEC,HC,APP1,APP2 security;

Use case: secure global routing with DNS failover.

DNS Resolution Workflow¶

sequenceDiagram

autonumber

participant USER

participant DNS

participant R53

participant TARGET

USER->>DNS: Resolve domain

DNS->>R53: Query hosted zone

R53->>TARGET: Determine endpoint

TARGET-->>R53: Return address

R53-->>USER: DNS response

DNS Failover Workflow¶

sequenceDiagram

autonumber

participant USER

participant R53

participant HC

participant PRIMARY

participant SECONDARY

USER->>R53: Resolve request

R53->>HC: Check health

alt Healthy

R53->>PRIMARY: Route traffic

PRIMARY-->>USER: Response

else Failed

R53->>SECONDARY: Failover

SECONDARY-->>USER: Response

end

Route 53 vs CloudFront¶

Route 53	CloudFront
DNS	CDN
routing	delivery
no caching	edge caching

Route 53 vs Global Accelerator¶

Route 53	Global Accelerator
DNS routing	Anycast routing
endpoint selection	traffic acceleration

Route 53 vs Resolver¶

Route 53	Resolver
authoritative	recursive
hosted zones	hybrid DNS

Very important distinction.

Common Exam Traps¶

Trap 1 — Alias vs CNAME¶

Need root domain?

→ Alias

Trap 2 — Forgetting DNSSEC¶

Need DNS integrity?

→ DNSSEC

Trap 3 — Forgetting Health Checks¶

Failover requires:

→ Health Checks

Trap 4 — Confusing Resolver Direction¶

Inbound:

→ On-prem → AWS

Outbound:

→ AWS → On-prem

Trap 5 — Private Health Monitoring¶

Private resources:

→ CloudWatch Alarm

Trap 6 — Confusing Resolver¶

Resolver:

hybrid DNS

Route 53:

hosted zones

Trap 7 — Assuming DNS Firewall Filters Traffic¶

DNS Firewall:

filters lookups

Not:

network traffic

5-Second Recall¶

Identity¶

Route 53 = global DNS and intelligent routing

Keywords¶

If the scenario mentions:

DNS
health checks
failover
hosted zones
routing policies

Answer:

→ Amazon Route 53

Need CDN?¶

→ CloudFront

Need Global Traffic Acceleration?¶

→ Global Accelerator

Need Internal DNS?¶

→ Private Hosted Zone

Need Hybrid DNS?¶

→ Resolver

Need DNS Integrity?¶

→ DNSSEC

Need Private Health Checks?¶

→ CloudWatch Alarm

Quick Revision Notes¶

managed DNS
health checks
DNSSEC
alias records
hosted zones
Resolver
DNS Firewall
Traffic Flow
failover support
routing policies
CloudFront integration
global availability