# aws-cdk-lib.aws_route53 module

| Language | Package |
|---|---|
| .NET | Amazon.CDK.AWS.Route53 |
| Go | github.com/aws/aws-cdk-go/awscdk/v2/awsroute53 |
| Java | software.amazon.awscdk.services.route53 |
| Python | aws_cdk.aws_route53 |
| TypeScript | aws-cdk-lib » aws_route53 |
## Amazon Route53 Construct Library

To add a public hosted zone:

```ts
new route53.PublicHostedZone(this, 'HostedZone', {
  zoneName: 'fully.qualified.domain.com',
});
```

To add a private hosted zone, use `PrivateHostedZone`. Note that
`enableDnsHostnames` and `enableDnsSupport` must have been enabled for the
VPC you're configuring for private hosted zones.

```ts
declare const vpc: ec2.Vpc;

const zone = new route53.PrivateHostedZone(this, 'HostedZone', {
  zoneName: 'fully.qualified.domain.com',
  vpc, // At least one VPC has to be added to a Private Hosted Zone.
});
```

Additional VPCs can be added with `zone.addVpc()`.
### Adding Records

To add a TXT record to your zone:

```ts
declare const myZone: route53.HostedZone;

new route53.TxtRecord(this, 'TXTRecord', {
  zone: myZone,
  recordName: '_foo', // If the name ends with a ".", it will be used as-is;
  // if it ends with a "." followed by the zone name, a trailing "." will be added automatically;
  // otherwise, a ".", the zone name, and a trailing "." will be added automatically.
  // Defaults to zone root if not specified.
  values: [ // Will be quoted for you, and " will be escaped automatically.
    'Bar!',
    'Baz?',
  ],
  ttl: Duration.minutes(90), // Optional - default is 30 minutes
});
```
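The record-name and TXT-quoting rules from the comments above, as an added stand-alone example (not CDK's own code; the function names are assumptions). `qualifyRecordName` applies the three `recordName` cases plus the zone-root default, and `formatTxtValue` quotes a value and escapes embedded `"`, additionally splitting values longer than 255 characters into several quoted strings, which is the per-string limit Route 53 enforces for TXT records.

```typescript
// Added example: re-implements the naming and quoting rules documented for
// TxtRecord so they can be checked locally. Not CDK's own code.

/** Return the fully qualified name that the recordName rules would produce. */
function qualifyRecordName(zoneName: string, recordName?: string): string {
  // Compare against the zone name without its trailing dot, whichever form was given.
  const zone = zoneName.endsWith('.') ? zoneName.slice(0, -1) : zoneName;
  if (recordName === undefined || recordName === '') {
    return `${zone}.`;                       // not specified: the zone root
  }
  if (recordName.endsWith('.')) {
    return recordName;                       // ends with ".": used as-is
  }
  if (recordName === zone || recordName.endsWith(`.${zone}`)) {
    return `${recordName}.`;                 // already ends with the zone name: add only "."
  }
  return `${recordName}.${zone}.`;           // otherwise append ".", the zone name and "."
}

/** Quote a TXT value as Route 53 stores it: one or more "..." strings, " escaped as \". */
function formatTxtValue(value: string): string {
  const MAX_STRING = 255; // a single quoted TXT string holds at most 255 characters
  const chunks: string[] = [];
  for (let i = 0; i < value.length; i += MAX_STRING) {
    chunks.push(value.slice(i, i + MAX_STRING));
  }
  if (chunks.length === 0) {
    chunks.push(''); // an empty value is still a single (empty) quoted string
  }
  return chunks.map(c => `"${c.replace(/"/g, '\\"')}"`).join(' ');
}

// Constructed sample, matching the TxtRecord snippet above:
const sampleName = qualifyRecordName('fully.qualified.domain.com', '_foo');
const sampleValues = ['Bar!', 'Baz?', 'v=spf1 include:"quoted" -all'].map(formatTxtValue);
console.log(sampleName, sampleValues);
```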
To add an NS record to your zone:

```ts
declare const myZone: route53.HostedZone;

new route53.NsRecord(this, 'NSRecord', {
  zone: myZone,
  recordName: 'foo',
  values: [
    'ns-1.awsdns.co.uk.',
    'ns-2.awsdns.com.',
  ],
  ttl: Duration.minutes(90), // Optional - default is 30 minutes
});
```

To add a DS record to your zone:

```ts
declare const myZone: route53.HostedZone;

new route53.DsRecord(this, 'DSRecord', {
  zone: myZone,
  recordName: 'foo',
  values: [
    '12345 3 1 123456789abcdef67890123456789abcdef67890',
  ],
  ttl: Duration.minutes(90), // Optional - default is 30 minutes
});
```

To add an A record to your zone:

```ts
declare const myZone: route53.HostedZone;

new route53.ARecord(this, 'ARecord', {
  zone: myZone,
  target: route53.RecordTarget.fromIpAddresses('1.2.3.4', '5.6.7.8'),
});
```

To add an A record for an EC2 instance with an Elastic IP (EIP) to your zone:

```ts
declare const instance: ec2.Instance;

const elasticIp = new ec2.CfnEIP(this, 'EIP', {
  domain: 'vpc',
  instanceId: instance.instanceId,
});

declare const myZone: route53.HostedZone;
new route53.ARecord(this, 'ARecord', {
  zone: myZone,
  target: route53.RecordTarget.fromIpAddresses(elasticIp.ref),
});
```
To create an A record of type alias with target set to another record created outside CDK:

This function registers the given input, i.e. the DNS name (a string) of an existing record, as an `AliasTarget` of the new `ARecord`. To register a target that is created as part of CDK, use `RecordTarget.fromAlias` instead (see the CloudFront examples below).
Detailed information can be found in the documentation.

```ts
declare const myZone: route53.HostedZone;

const targetRecord = 'existing.record.cdk.local';
const record = route53.ARecord.fromARecordAttributes(this, 'A', {
  zone: myZone,
  recordName: 'test',
  targetDNS: targetRecord,
});
```
To add an AAAA record pointing to a CloudFront distribution:

```ts
import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
import * as targets from 'aws-cdk-lib/aws-route53-targets';

declare const myZone: route53.HostedZone;
declare const distribution: cloudfront.CloudFrontWebDistribution;

new route53.AaaaRecord(this, 'Alias', {
  zone: myZone,
  target: route53.RecordTarget.fromAlias(new targets.CloudFrontTarget(distribution)),
});
```

To add an HTTPS record:

```ts
import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
import * as targets from 'aws-cdk-lib/aws-route53-targets';

declare const myZone: route53.HostedZone;
declare const distribution: cloudfront.CloudFrontWebDistribution;

// Alias to CloudFront target
new route53.HttpsRecord(this, 'HttpsRecord-CloudFrontAlias', {
  zone: myZone,
  target: route53.RecordTarget.fromAlias(new targets.CloudFrontTarget(distribution)),
});

// ServiceMode (priority >= 1)
new route53.HttpsRecord(this, 'HttpsRecord-ServiceMode', {
  zone: myZone,
  values: [route53.HttpsRecordValue.service({ alpn: [route53.Alpn.H3, route53.Alpn.H2] })],
});

// AliasMode (priority = 0)
new route53.HttpsRecord(this, 'HttpsRecord-AliasMode', {
  zone: myZone,
  values: [route53.HttpsRecordValue.alias('service.example.com')],
});
```
Geolocation routing can be enabled for continent, country or subdivision:

```ts
declare const myZone: route53.HostedZone;

// continent
new route53.ARecord(this, 'ARecordGeoLocationContinent', {
  zone: myZone,
  target: route53.RecordTarget.fromIpAddresses('1.2.3.0', '5.6.7.0'),
  geoLocation: route53.GeoLocation.continent(route53.Continent.EUROPE),
});

// country
new route53.ARecord(this, 'ARecordGeoLocationCountry', {
  zone: myZone,
  target: route53.RecordTarget.fromIpAddresses('1.2.3.1', '5.6.7.1'),
  geoLocation: route53.GeoLocation.country('DE'), // Germany
});

// subdivision
new route53.ARecord(this, 'ARecordGeoLocationSubDivision', {
  zone: myZone,
  target: route53.RecordTarget.fromIpAddresses('1.2.3.2', '5.6.7.2'),
  geoLocation: route53.GeoLocation.subdivision('WA'), // Washington
});

// default (wildcard record if no specific record is found)
new route53.ARecord(this, 'ARecordGeoLocationDefault', {
  zone: myZone,
  target: route53.RecordTarget.fromIpAddresses('1.2.3.3', '5.6.7.3'),
  geoLocation: route53.GeoLocation.default(),
});
```
To enable weighted routing, use the `weight` parameter:

```ts
declare const myZone: route53.HostedZone;

new route53.ARecord(this, 'ARecordWeighted1', {
  zone: myZone,
  target: route53.RecordTarget.fromIpAddresses('1.2.3.4'),
  weight: 10,
});
```

To enable latency based routing, use the `region` parameter:

```ts
declare const myZone: route53.HostedZone;

new route53.ARecord(this, 'ARecordLatency1', {
  zone: myZone,
  target: route53.RecordTarget.fromIpAddresses('1.2.3.4'),
  region: 'us-east-1',
});
```

To enable multivalue answer routing, use the `multiValueAnswer` parameter:

```ts
declare const myZone: route53.HostedZone;

new route53.ARecord(this, 'ARecordMultiValue1', {
  zone: myZone,
  target: route53.RecordTarget.fromIpAddresses('1.2.3.4'),
  multiValueAnswer: true,
});
```
To enable IP-based routing, use the `cidrRoutingConfig` parameter. The `locationName` given to the record must be one of the locations defined in the CIDR collection:

```ts
declare const myZone: route53.HostedZone;

const cidrCollection = new route53.CfnCidrCollection(this, 'CidrCollection', {
  name: 'test-collection',
  locations: [{
    cidrList: ['192.168.1.0/24'],
    locationName: 'my_location',
  }],
});

new route53.ARecord(this, 'CidrRoutingConfig', {
  zone: myZone,
  target: route53.RecordTarget.fromIpAddresses('1.2.3.4'),
  setIdentifier: 'test',
  cidrRoutingConfig: route53.CidrRoutingConfig.create({
    collectionId: cidrCollection.attrId,
    locationName: 'my_location', // must match a location in the collection above
  }),
});
```

To use the default CIDR record, call `route53.CidrRoutingConfig.withDefaultLocationName`. This sets the `locationName` to `*`. The `collectionId` is still required.

```ts
declare const myZone: route53.HostedZone;

const cidrCollection = new route53.CfnCidrCollection(this, 'CidrCollection', {
  name: 'test-collection',
  locations: [{
    cidrList: ['192.168.1.0/24'],
    locationName: 'my_location',
  }],
});

new route53.ARecord(this, 'DefaultCidrRoutingConfig', {
  zone: myZone,
  target: route53.RecordTarget.fromIpAddresses('5.6.7.8'),
  setIdentifier: 'default',
  cidrRoutingConfig: route53.CidrRoutingConfig.withDefaultLocationName(cidrCollection.attrId),
});
```

To specify a unique identifier to differentiate among multiple resource record sets that have the same combination of name and type, use the `setIdentifier` parameter:

```ts
declare const myZone: route53.HostedZone;

new route53.ARecord(this, 'ARecordWeighted1', {
  zone: myZone,
  target: route53.RecordTarget.fromIpAddresses('1.2.3.4'),
  weight: 10,
  setIdentifier: 'weighted-record-id',
});
```

> **Warning** It is not possible to specify `setIdentifier` for a simple routing policy.

Constructs are available for A, AAAA, CAA, CNAME, MX, NS, SRV and TXT records.

Use the `CaaAmazonRecord` construct to easily restrict certificate authorities
allowed to issue certificates for a domain to Amazon only.
### Health Checks

See the Route 53 Health Checks documentation for possible types of health checks.

Route 53 has the ability to monitor the health of your application and only return records for healthy endpoints.
This is done using a `HealthCheck` construct.

In the following example, the `ARecord` will be returned by Route 53 in response to DNS queries only if HTTP requests to the `example.com/health` endpoint return a 2XX or 3XX status code.
When that endpoint is not healthy, `ARecord2` will be returned by Route 53 in response to DNS queries instead.

```ts
declare const myZone: route53.HostedZone;

const healthCheck = new route53.HealthCheck(this, 'HealthCheck', {
  type: route53.HealthCheckType.HTTP,
  fqdn: 'example.com',
  port: 80,
  resourcePath: '/health',
  failureThreshold: 3,
  requestInterval: Duration.seconds(30),
});

new route53.ARecord(this, 'ARecord', {
  zone: myZone,
  target: route53.RecordTarget.fromIpAddresses('1.2.3.4'),
  healthCheck,
  weight: 100,
});

new route53.ARecord(this, 'ARecord2', {
  zone: myZone,
  target: route53.RecordTarget.fromIpAddresses('5.6.7.8'),
  weight: 0,
});
```
### Replacing existing record sets (dangerous!)

Use the `deleteExisting` prop to delete an existing record set before deploying the new one.
This is useful if you want to minimize downtime and avoid "manual" actions while deploying a
stack with a record set that already exists. This is typically the case for record sets that
are not already "owned" by CloudFormation, or that are "owned" by another stack or construct that is
going to be deleted (migration).

N.B.: this feature is dangerous, use with caution! It can only be used safely when
`deleteExisting` is set to `true` as soon as the resource is added to the stack. Changing an existing Record Set's `deleteExisting` property from `false -> true` after deployment will delete the record!

```ts
declare const myZone: route53.HostedZone;

new route53.ARecord(this, 'ARecord', {
  zone: myZone,
  target: route53.RecordTarget.fromIpAddresses('1.2.3.4', '5.6.7.8'),
  deleteExisting: true,
});
```
### Cross Account Zone Delegation

If you want to have your root domain hosted zone in one account and your subdomain hosted
zone in a different one, you can use `CrossAccountZoneDelegationRecord` to set up delegation
between them.

In the account containing the parent hosted zone:

```ts
const parentZone = new route53.PublicHostedZone(this, 'HostedZone', {
  zoneName: 'someexample.com',
});

const crossAccountRole = new iam.Role(this, 'CrossAccountRole', {
  // The role name must be predictable
  roleName: 'MyDelegationRole',
  // The other account
  assumedBy: new iam.AccountPrincipal('12345678901'),
});

parentZone.grantDelegation(crossAccountRole);
```

To restrict the records that can be created with the delegation IAM role, use the optional `delegatedZoneNames` property in the delegation options,
which enforces the `route53:ChangeResourceRecordSetsNormalizedRecordNames` condition key for record names that match those hosted zone names.
The `delegatedZoneNames` list may only consist of hosted zone names that are subzones of the parent hosted zone.

If a delegated zone name contains an unresolved token, it must resolve to a zone name that satisfies the requirements described in the documentation: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/specifying-conditions-route53.html#route53_rrset_conditionkeys_normalization

All letters must be lowercase. The DNS name must be without the trailing dot. Characters other than a–z, 0–9, - (hyphen), _ (underscore), and . (period, as a delimiter between labels) must use escape codes in the format `\three-digit octal code`. For example, `\052` is the octal code for the character `*`.

This feature allows you to better follow the principle of least privilege:

```ts
const parentZone = new route53.PublicHostedZone(this, 'HostedZone', {
  zoneName: 'someexample.com',
});

declare const betaCrossAccountRole: iam.Role;
parentZone.grantDelegation(betaCrossAccountRole, {
  delegatedZoneNames: ['beta.someexample.com'],
});

declare const prodCrossAccountRole: iam.Role;
parentZone.grantDelegation(prodCrossAccountRole, {
  delegatedZoneNames: ['prod.someexample.com'],
});
```
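The normalisation and subzone rules above, as an added stand-alone example that is not CDK's own code: it reproduces the condition-key normalisation (lowercase, trailing dot removed, other characters as three-digit octal escapes) and the "must be a subzone of the parent" check, so that a `delegatedZoneNames` list can be validated before `grantDelegation` bakes it into the IAM policy. The function names are assumptions; non-ASCII labels are rejected because Route 53 expects their punycode form.

```typescript
// Added example: local validation of delegatedZoneNames against the rules for
// route53:ChangeResourceRecordSetsNormalizedRecordNames. Not CDK's own code.

/** Normalise a DNS name the way the condition key expects it. */
function normalizeRecordName(name: string): string {
  const withoutDot = name.endsWith('.') ? name.slice(0, -1) : name; // no trailing dot
  const lower = withoutDot.toLowerCase();                            // all letters lowercase
  let out = '';
  for (let i = 0; i < lower.length; i++) {
    const ch = lower.charAt(i);
    const code = lower.charCodeAt(i);
    if (code > 127) {
      // Route 53 stores internationalised labels in punycode; convert before normalising.
      throw new Error(`non-ASCII character in "${name}": use the punycode form`);
    }
    if (/[a-z0-9._-]/.test(ch)) {
      out += ch;
    } else {
      // Any other character becomes "\" plus its three-digit octal code, e.g. "*" -> "\052".
      out += '\\' + ('00' + code.toString(8)).slice(-3);
    }
  }
  return out;
}

/** True when `child` is a strict subzone of `parent` (label-aligned suffix, not just a string suffix). */
function isSubzoneOf(child: string, parent: string): boolean {
  const c = normalizeRecordName(child);
  const p = normalizeRecordName(parent);
  return c.length > p.length && c.endsWith(`.${p}`);
}

/**
 * Normalised condition values for a delegatedZoneNames list. Throws on any name that is
 * not a subzone of the parent, mirroring the restriction stated for grantDelegation.
 */
function delegatedZoneConditionValues(parentZoneName: string, delegatedZoneNames: string[]): string[] {
  return delegatedZoneNames.map(zone => {
    if (!isSubzoneOf(zone, parentZoneName)) {
      throw new Error(`"${zone}" is not a subzone of "${parentZoneName}"`);
    }
    return normalizeRecordName(zone);
  });
}

// Constructed sample, matching the beta/prod split shown above:
console.log(delegatedZoneConditionValues('someexample.com', ['Beta.someexample.com', 'prod.someexample.com.']));
```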
In the account containing the child zone to be delegated:

```ts
const subZone = new route53.PublicHostedZone(this, 'SubZone', {
  zoneName: 'sub.someexample.com',
});

// import the delegation role by constructing the roleArn
const delegationRoleArn = Stack.of(this).formatArn({
  region: '', // IAM is global in each partition
  service: 'iam',
  account: 'parent-account-id',
  resource: 'role',
  resourceName: 'MyDelegationRole',
});
const delegationRole = iam.Role.fromRoleArn(this, 'DelegationRole', delegationRoleArn);

// create the record
new route53.CrossAccountZoneDelegationRecord(this, 'delegate', {
  delegatedZone: subZone,
  parentHostedZoneName: 'someexample.com', // or you can use parentHostedZoneId
  delegationRole,
});
```

Delegating the hosted zone requires assuming a role in the parent hosted zone's account.
In order for the assumed credentials to be valid, the resource must assume the role using
an STS endpoint in a region where both the subdomain's account and the parent's account
are opted-in. By default, this region is determined automatically, but if you need to
change the region used for the `AssumeRole` call, specify `assumeRoleRegion`:

```ts
const subZone = new route53.PublicHostedZone(this, 'SubZone', {
  zoneName: 'sub.someexample.com',
});

// import the delegation role by constructing the roleArn
const delegationRoleArn = Stack.of(this).formatArn({
  region: '', // IAM is global in each partition
  service: 'iam',
  account: 'parent-account-id',
  resource: 'role',
  resourceName: 'MyDelegationRole',
});
const delegationRole = iam.Role.fromRoleArn(this, 'DelegationRole', delegationRoleArn);

new route53.CrossAccountZoneDelegationRecord(this, 'delegate', {
  delegatedZone: subZone,
  parentHostedZoneName: 'someexample.com', // or you can use parentHostedZoneId
  delegationRole,
  assumeRoleRegion: 'us-east-1',
});
```
### Add Trailing Dot to Domain Names

In order to continue managing existing domain names with trailing dots using CDK, you can set `addTrailingDot: false` to prevent the construct from adding a dot at the end of the domain name.

```ts
new route53.PublicHostedZone(this, 'HostedZone', {
  zoneName: 'fully.qualified.domain.com.',
  addTrailingDot: false,
});
```
### Enabling DNSSEC

DNSSEC can be enabled for Hosted Zones. For detailed information, see Configuring DNSSEC signing in Amazon Route 53.

Enabling DNSSEC requires an asymmetric KMS Customer-Managed Key using the `ECC_NIST_P256` key spec.
Additionally, that KMS key must be in `us-east-1`.

```ts
const kmsKey = new kms.Key(this, 'KmsCMK', {
  keySpec: kms.KeySpec.ECC_NIST_P256,
  keyUsage: kms.KeyUsage.SIGN_VERIFY,
});
const hostedZone = new route53.HostedZone(this, 'HostedZone', {
  zoneName: 'example.com',
});
// Enable DNSSEC signing for the zone
hostedZone.enableDnssec({ kmsKey });
```

The necessary permissions for Route 53 to use the key will automatically be added when using
this configuration. If it is necessary to create a key signing key manually, that can be done
using the `KeySigningKey` construct:

```ts
declare const hostedZone: route53.HostedZone;
declare const kmsKey: kms.Key;

new route53.KeySigningKey(this, 'KeySigningKey', {
  hostedZone,
  kmsKey,
  keySigningKeyName: 'ksk',
  status: route53.KeySigningKeyStatus.ACTIVE,
});
```

When directly constructing the `KeySigningKey` resource, enabling DNSSEC signing for the hosted
zone will need to be done explicitly (either using the `CfnDNSSEC` construct or via another
means).
### Imports

If you don't know the ID of the Hosted Zone to import, you can use
`HostedZone.fromLookup`:

```ts
route53.HostedZone.fromLookup(this, 'MyZone', {
  domainName: 'example.com',
});
```

`HostedZone.fromLookup` requires an environment to be configured. Check
out the documentation for more details and examples. CDK
automatically looks into your `~/.aws/config` file for the `[default]` profile.
If you want to specify a different account, run `cdk deploy --profile [profile]`.

```ts
new MyDevStack(app, 'dev', {
  env: {
    account: process.env.CDK_DEFAULT_ACCOUNT,
    region: process.env.CDK_DEFAULT_REGION,
  },
});
```

If you know the ID and Name of a Hosted Zone, you can import it directly:

```ts
const zone = route53.HostedZone.fromHostedZoneAttributes(this, 'MyZone', {
  zoneName: 'example.com',
  hostedZoneId: 'ZOJJZC49E0EPZ',
});
```

Alternatively, use `HostedZone.fromHostedZoneId` to import hosted zones if
you know the ID and the retrieval of the `zoneName` is undesirable.
Note that any records created with a hosted zone obtained this way must have a fully qualified name.

```ts
const zone = route53.HostedZone.fromHostedZoneId(this, 'MyZone', 'ZOJJZC49E0EPZ');
```

You can import a Public Hosted Zone as well with the similar `PublicHostedZone.fromPublicHostedZoneId` and `PublicHostedZone.fromPublicHostedZoneAttributes` methods:

```ts
const zoneFromAttributes = route53.PublicHostedZone.fromPublicHostedZoneAttributes(this, 'MyZone', {
  zoneName: 'example.com',
  hostedZoneId: 'ZOJJZC49E0EPZ',
});

// Does not know zoneName
const zoneFromId = route53.PublicHostedZone.fromPublicHostedZoneId(this, 'MyZone', 'ZOJJZC49E0EPZ');
```

You can import a Private Hosted Zone with the `PrivateHostedZone.fromPrivateHostedZoneId` and `PrivateHostedZone.fromPrivateHostedZoneAttributes` methods:

```ts
const privateZoneFromAttributes = route53.PrivateHostedZone.fromPrivateHostedZoneAttributes(this, 'MyPrivateZone', {
  zoneName: 'example.local',
  hostedZoneId: 'ZOJJZC49E0EPZ',
});

// Does not know zoneName
const privateZoneFromId = route53.PrivateHostedZone.fromPrivateHostedZoneId(this, 'MyPrivateZone', 'ZOJJZC49E0EPZ');
```

You can use `CrossAccountZoneDelegationRecord` on imported Hosted Zones with the `grantDelegation` method:

```ts
const crossAccountRole = new iam.Role(this, 'CrossAccountRole', {
  // The role name must be predictable
  roleName: 'MyDelegationRole',
  // The other account
  assumedBy: new iam.AccountPrincipal('12345678901'),
});

const zoneFromId = route53.HostedZone.fromHostedZoneId(this, 'MyZone', 'zone-id');
zoneFromId.grantDelegation(crossAccountRole);

const publicZoneFromId = route53.PublicHostedZone.fromPublicHostedZoneId(this, 'MyPublicZone', 'public-zone-id');
publicZoneFromId.grantDelegation(crossAccountRole);

const privateZoneFromId = route53.PrivateHostedZone.fromPrivateHostedZoneId(this, 'MyPrivateZone', 'private-zone-id');
privateZoneFromId.grantDelegation(crossAccountRole);
```
### VPC Endpoint Service Private DNS

When you create a VPC endpoint service, AWS generates endpoint-specific DNS hostnames that consumers use to communicate with the service. For example, `vpce-1234-abcdev-us-east-1.vpce-svc-123345.us-east-1.vpce.amazonaws.com`. By default, your consumers access the service with that DNS name. This can cause problems with HTTPS traffic because the DNS name will not match the backend certificate:

```
curl: (60) SSL: no alternative certificate subject name matches target host name 'vpce-abcdefghijklmnopq-rstuvwx.vpce-svc-abcdefghijklmnopq.us-east-1.vpce.amazonaws.com'
```

Effectively, the endpoint appears untrustworthy. To mitigate this, clients have to create an alias for this DNS name in Route53.

Private DNS for an endpoint service lets you configure a private DNS name so consumers can access the service using an existing DNS name without creating this Route53 DNS alias. This DNS name can also be guaranteed to match up with the backend certificate.

Before consumers can use the private DNS name, you must verify that you have control of the domain/subdomain.

Assuming your account has ownership of the particular domain/subdomain, this construct sets up the private DNS configuration on the endpoint service, creates all the necessary Route53 entries, and verifies domain ownership.

```ts
import { NetworkLoadBalancer } from 'aws-cdk-lib/aws-elasticloadbalancingv2';

const vpc = new ec2.Vpc(this, 'VPC');
const nlb = new NetworkLoadBalancer(this, 'NLB', {
  vpc,
});
const vpces = new ec2.VpcEndpointService(this, 'VPCES', {
  vpcEndpointServiceLoadBalancers: [nlb],
});
// You must use a public hosted zone so domain ownership can be verified
const zone = new route53.PublicHostedZone(this, 'PHZ', {
  zoneName: 'aws-cdk.dev',
});
new route53.VpcEndpointServiceDomainName(this, 'EndpointDomain', {
  endpointService: vpces,
  domainName: 'my-stuff.aws-cdk.dev',
  publicHostedZone: zone,
});
```