

# Enable secure web access with custom domains in Lightsail

Enable custom domains for your Amazon Lightsail container service to use your registered domain names with your service. Before you enable custom domains, your container service accepts traffic only for the default domain that is associated with your service when you first create it (e.g., `containerservicename.123456abcdef.us-west-2.cs.amazonlightsail.com`). When you enable custom domains, you choose the Lightsail SSL/TLS certificate that you created for the domains that you want to use with your container service, and then you choose the domains you want to use from that certificate. After you enable custom domains, your container service accepts traffic for all of the domains that are associated with the certificate that you chose.

**Important**  
If you choose a Lightsail container service as the origin of your distribution, Lightsail automatically adds the default domain name of your distribution as a custom domain on your container service. This enables traffic to be routed between your distribution and your container service. However, there are some circumstances in which you might need to manually add the default domain name of your distribution to your container service. For more information, see [Add the default domain of a distribution to a container service](amazon-lightsail-adding-distribution-default-domain-to-container-service.md).

**Contents**
+ [Container service custom domain limits](#container-service-custom-domains-limits)
+ [Prerequisites](#container-service-custom-domains-prerequisites)
+ [View custom domains for a container service](#container-service-view-custom-domains)
+ [Enable custom domains for a container service](#container-service-enable-custom-domains)
+ [Disable custom domains for a container service](#container-service-disable-custom-domains)

## Container service custom domain limits


The following limits apply to container service custom domains:
+ You can use up to 4 custom domains with each of your Lightsail container services, and you cannot use the same domains on more than one service.
+ If you use a Lightsail DNS zone to manage the DNS of your domain, then you can route traffic for the apex of your domain (e.g., `example.com`) and for subdomains (e.g., `www.example.com`) to your container services.

## Prerequisites


Before you get started, you need to create a Lightsail container service. For more information, see [Creating Amazon Lightsail container services](amazon-lightsail-creating-container-services.md).

You also should have created and validated an SSL/TLS certificate for your container service. For more information, see [Create container service SSL/TLS certificates](amazon-lightsail-creating-container-services-certificates.md) and [Validate container service SSL/TLS certificates](amazon-lightsail-validating-container-services-certificates.md).

## View custom domains for a container service


Complete the following procedure to view the custom domains that are currently enabled for your container service.

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. In the left navigation pane, choose **Containers**.

1. Choose the name of the container service for which you want to view the enabled custom domains.

1. Locate the custom domain values in the heading of the container service management page, as shown in the following example. These are the custom domains that are currently enabled for the container service.  
![\[Custom domains for a container service in the Lightsail console\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/container-service-custom-domains-heading.png)

1. On the container service management page, choose the **Custom domains** tab.

   The custom domains in use under each attached certificate are listed in the **Custom domain SSL/TLS certificates** section of the page. The certificates currently attached to your container service are listed in the **Attached certificates** section.

## Enable custom domains for a container service


Complete the following procedure to enable custom domains for your Lightsail container service by attaching a certificate to your service.

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. In the left navigation pane, choose **Containers**.

1. Choose the name of the container service for which you want to enable custom domains.

1. On the container service management page, choose the **Custom domains** tab.

   The **Custom domains** page displays the SSL/TLS certificates currently attached to your container service, if any.

1. Choose **Attach certificate**.

   If you have no certificates, then you must first create and validate an SSL/TLS certificate for your domains before you can attach it to your container service. For more information, see [Create container service SSL/TLS certificates](amazon-lightsail-creating-container-services-certificates.md).

1. In the dropdown menu that appears, select a valid certificate for the domain(s) that you want to use with your container service.

1. Verify the certificate information is correct, then choose **Attach**.

1. The container service's **Status** will change to **Updating**. After the status changes to **Ready**, the certificate's domain will appear in the **Custom domains** section.

1. Choose **Add domain assignment** to point the domain to your container service.

1. Verify the certificate and DNS information are correct, then choose **Add assignment**. After a few moments, traffic for the domain that you selected will begin to be accepted by your container service.

1. After you've added the domain assignment, open a new browser window and browse to the custom domain that you enabled for your container service. The application that is running on your container service, if any, should load.

## Disable custom domains for a container service


Complete the following procedure to disable custom domains for your Lightsail container service by detaching a certificate from your service, or by deselecting a previously selected domain.

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. In the left navigation pane, choose **Containers**.

1. Choose the name of the container service for which you want to disable custom domains.

1. On the container service management page, choose the **Custom domains** tab.

   The **Custom domains** page displays the SSL/TLS certificates currently attached to your container service, if any.

1. Choose one of the following options:

   1. Choose **Configure container service domains** to either deselect domains that were previously selected, or to select more domains that are associated with the container service.

   1. Choose **Detach** to detach the certificate from the container service, and remove all of its associated domains from the service.

**Important**  
If you haven't already done so, modify the DNS records of your domain so that traffic stops routing to your container service and instead routes to another resource.
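
To confirm that no record was left behind after detaching, the following added example (not part of the original guide) lists DNS records that still point at a container service default domain that no longer accepts traffic for that name. The record and inventory shapes, the sample values, and the function names are constructed for illustration; fill them from your own DNS zone export and from the **Custom domains** tab of each service.

```python
CS_SUFFIX = ".cs.amazonlightsail.com"

# Constructed sample: records exported from your own DNS zone.
SAMPLE_RECORDS = [
    {"name": "www.example.com.", "type": "CNAME",
     "target": "container-service-1.q8cexampleljs.us-west-2.cs.amazonlightsail.com."},
    {"name": "shop.example.com", "type": "CNAME",
     "target": "container-service-1.q8cexampleljs.us-west-2.cs.amazonlightsail.com"},
    {"name": "old.example.com", "type": "CNAME",
     "target": "retired-service.abc123example.us-west-2.cs.amazonlightsail.com"},
    {"name": "mail.example.com", "type": "MX", "target": "mail.example.net"},
]

# Constructed sample: default domain of each service you still run, mapped to
# the custom domains currently enabled on it.
SAMPLE_INVENTORY = {
    "container-service-1.q8cexampleljs.us-west-2.cs.amazonlightsail.com":
        {"www.example.com"},
}


def normalize(name):
    """Lower-case a DNS name and drop surrounding space and the trailing dot."""
    return name.strip().lower().rstrip(".")


def audit_zone(records, inventory):
    """Return (record name, reason) for each record that targets a container
    service default domain which does not accept traffic for that name."""
    services = {normalize(k): {normalize(d) for d in v}
                for k, v in inventory.items()}
    findings = []
    for rec in records:
        if rec["type"] not in ("A", "AAAA", "CNAME"):
            continue
        target = normalize(rec["target"])
        if not target.endswith(CS_SUFFIX):
            continue  # points somewhere other than a container service
        name = normalize(rec["name"])
        if target not in services:
            findings.append((name, "target service not in inventory"))
        elif name not in services[target]:
            findings.append((name, "domain not enabled on target service"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_zone(SAMPLE_RECORDS, SAMPLE_INVENTORY):
        print(f"{name}: {reason}")
```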

**Topics**
+ [Point Lightsail domain to container](amazon-lightsail-point-domain-to-container-service.md)
+ [Point Route 53 domain to container](amazon-lightsail-route-53-alias-record-for-container-service.md)

# Route domain traffic to a Lightsail container service

You must point your registered domain names to your Amazon Lightsail container service after you enable custom domains for your service. You do this by adding an alias record to the DNS zone of each of the domains specified on the certificates that you're using with your container service. All of the records that you add should point to the default domain (e.g., `https://<ServiceName>.<RandomGUID>.<AWSRegion>.cs.amazonlightsail.com`) of your container service.

In this guide, we provide you with the procedure to point your domains to your container service using a Lightsail DNS zone. For more information about Lightsail DNS zones, see [DNS in Amazon Lightsail](understanding-dns-in-amazon-lightsail.md).

For more information about container services, see [Container services](amazon-lightsail-container-services.md).

**Note**  
If you're using Route 53 to host the DNS of your domain, then you should add the alias record to the hosted zone of your domain in Route 53. For more information, see [Routing traffic for a domain in Route 53 to an Amazon Lightsail container service](amazon-lightsail-route-53-alias-record-for-container-service.md).

## Prerequisite


Before you get started, you should enable custom domains for your Lightsail container service. For more information, see [Enabling and managing custom domains for your Amazon Lightsail container services](amazon-lightsail-enabling-container-services-custom-domains.md).

## Get the default domain of your container service


Complete the following procedure to get the default domain name of your container service, which you specify when you add an alias record to the DNS of your domain.

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. In the left navigation pane, choose **Containers**.

1. Choose the name of the container service for which you want to get the default domain name.

1. In the header section of your container service management page, make note of your default domain name. Your container service default domain name is similar to `<ServiceName>.<RandomGUID>.<AWSRegion>.cs.amazonlightsail.com`.

   You must add this value as part of a canonical name (CNAME) record in the DNS of your domains. We recommend that you copy and paste this value into a text file that you can refer to later. For more information, see the following [Add the CNAME records to your domain's DNS zone](#add-container-service-default-domain-record) section of this guide.

## Add a record to your domain's DNS zone


Complete the following procedure to add an address (A for IPv4 or AAAA for IPv6) record, or canonical (CNAME) record to your domain's DNS zone.

1. In the left navigation pane, choose **Domains & DNS**.

1. Under the **DNS zones** section of the page, choose the domain name to which you want to add the record that will direct traffic for your domain to your container service.

1. Choose the **DNS records** tab.

1. Complete one of the following steps depending on the current state of your DNS zone:
   + If you haven't added an A, AAAA, or CNAME record, choose **Add record**.
   + If you previously added an A, AAAA, or CNAME record, choose the edit icon next to the existing A, AAAA, or CNAME record listed on the page, and then skip to step 5 of this procedure.

1. Choose **A record**, **AAAA record**, or **CNAME record** in the **Record type** dropdown menu.
   + Add an A record to map the apex of your domain (e.g., `example.com`) or a subdomain (e.g., `www.example.com`) to your container service under the IPv4 network.
   + Add an AAAA record to map the apex of your domain (e.g., `example.com`) or a subdomain (e.g., `www.example.com`) to your container service under the IPv6 network.
   + Add a CNAME record to map a subdomain (e.g., `www.example.com`) to the public domain (default DNS) of your container service.

1. In the **Record name** text box, enter one of the following options:
   + For an A record or AAAA record, enter `@` to route traffic for the apex of your domain (e.g., `example.com`) to your container service, or enter a subdomain (e.g., `www`) to route traffic for a subdomain (e.g., `www.example.com`) to your container service.
   + For a CNAME record, enter a subdomain (e.g., `www`) to route traffic for a subdomain (e.g., `www.example.com`) to your container service.

1. Complete one of the following steps depending on the record you're adding:
   + For an A record or AAAA record, choose the name of your container service in the **Resolves to** text box.
   + For a CNAME record, enter the default domain name of your container service into the **Maps to** text box.

1. Choose the save icon to save the record to your DNS zone.

   Repeat these steps to add DNS records for the other domains on the certificate that you are using with your container service. Allow time for changes to propagate through the internet's DNS. After a few minutes, check whether your domain is pointing to your container service.

# Route domain traffic to a Lightsail container service using Route 53

You can route traffic for a registered domain, such as `example.com`, to the applications running on an Amazon Lightsail container service. You do this by adding an alias record to the hosted zone of your domain that points to the default domain of your Lightsail container service.

In this tutorial, we show you how to add an alias record for your Lightsail container service to a hosted zone in Route 53. You can do this only by using the AWS Command Line Interface (AWS CLI). It cannot be done using the Route 53 console.

**Note**  
If you're using Lightsail to host the DNS of your domain, then you should add the alias record to the DNS zone of your domain in Lightsail. For more information, see [Routing traffic for a domain in Amazon Lightsail to a Lightsail container service](amazon-lightsail-point-domain-to-container-service.md).

**Contents**
+ [Step 1: Complete the prerequisites](#route-53-container-service-prerequisites)
+ [Step 2: Get the hosted zone IDs for Lightsail container services](#route-53-container-service-hosted-zone-ids)
+ [Step 3: Create a record set JSON file](#route-53-container-service-create-record-set-json)
+ [Step 4: Add a record to the hosted zone of your domain in Route 53](#route-53-container-service-add-record-to-hosted-zone)

## Step 1: Complete the prerequisites


Complete the following prerequisites if you haven't already:
+ Register a domain name in Route 53, or make Route 53 the DNS service for your registered (existing) domain name. For more information, see [Registering domain names using Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/registrar.html) or [Making Amazon Route 53 the DNS service for an existing domain](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/MigratingDNS.html) in the *Amazon Route 53 Developer Guide*.
+ Deploy your applications to your Lightsail container service. For more information, see [Create and manage container service deployments](amazon-lightsail-container-services-deployments.md).
+ Enable your registered domain name on your Lightsail container service. For more information, see [Enable and manage custom domains](amazon-lightsail-enabling-container-services-custom-domains.md).
+ Configure the AWS CLI with your account. For more information, see [Configure the AWS CLI to work with Lightsail](lightsail-how-to-set-up-and-configure-aws-cli.md).

## Step 2: Get the hosted zone IDs for Lightsail container services


You must specify a hosted zone ID for your Lightsail container service when you add an alias record to a hosted zone in Route 53. For example, if your Lightsail container service is in the US West (Oregon) (us-west-2) AWS Region, then you must specify hosted zone ID `Z0959753D43BBB908BAV` when adding an alias record for your Lightsail container service to a hosted zone in Route 53.

Following are the hosted zone IDs for each AWS Region in which you can create a Lightsail container service.

**EU (London) (eu-west-2)**: Z0624918ZXDYQZLOXA66

**US East (N. Virginia) (us-east-1)**: Z06246771KYU0IRHI74W4

**Asia Pacific (Singapore) (ap-southeast-1)**: Z0625921354DRJH4EY9V0

**EU (Ireland) (eu-west-1)**: Z0624732FELAMMKW3Y21

**Asia Pacific (Tokyo) (ap-northeast-1)**: Z0626125UAU4JWQ9JSKN

**Asia Pacific (Seoul) (ap-northeast-2)**: Z06260262XZM84B2WPLHH

**Asia Pacific (Jakarta) (ap-southeast-3)**: Z03072883T5HFTY4T7CDL

**Asia Pacific (Malaysia) (ap-southeast-5)**: Z09430204C5DXNNO314Y

**Asia Pacific (Mumbai) (ap-south-1)**: Z10460781IQMISS0I0VVY

**Asia Pacific (Sydney) (ap-southeast-2)**: Z09597943PQQZATPFE96E

**Canada (Central) (ca-central-1)**: Z10450993RIRIJJUUMA5W

**Europe (Frankfurt) (eu-central-1)**: Z06137433FV04OY4EC6L0

**Europe (Stockholm) (eu-north-1)**: Z016970523TDG2TZMUXKK

**Europe (Paris) (eu-west-3)**: Z09594631DSW2QUR7CFGO

**US East (Ohio) (us-east-2)**: Z10362273VJ548563IY84

**US West (Oregon) (us-west-2)**: Z0959753D43BBB908BAV

## Step 3: Create a record set JSON file


When you add a DNS record to the hosted zone of your domain in Route 53 using the AWS CLI, you must specify a set of configuration parameters for the record. The easiest way to do this is by creating a JSON (.json) file that contains all of the parameters, and then referencing the JSON file in your AWS CLI request.

Complete the following procedure to create a JSON file with the record set parameters for the alias record:

1. Open a text editor, such as Notepad on Windows or Nano on Linux.

1. Copy and paste the following text into the text editor:

   ```
   {
     "Comment": "Comment",
     "Changes": [
       {
         "Action": "CREATE",
         "ResourceRecordSet": {
           "Name": "Domain.",
           "Type": "A",
           "AliasTarget": {
             "HostedZoneId": "LightsailContainerServiceHostedZoneID",
             "DNSName": "LightsailContainerServiceAddress.",
             "EvaluateTargetHealth": true
           }
         }
       }
     ]
   }
   ```

   In your file, replace the following example text with your own:
   + *Comment* with a personal note or comment about the record set.
   + *Domain* with the registered domain name that you want to use with your Lightsail container service (for example, `example.com` or `www.example.com`). To use the root of your domain with your Lightsail container service, you must specify an `@` symbol in the subdomain space of your domain (for example, `@.example.com`).
   + *LightsailContainerServiceHostedZoneID* with the hosted zone ID for the AWS Region in which you created your Lightsail container service. For more information, see [Step 2: Get the hosted zone IDs for Lightsail container services](#route-53-container-service-hosted-zone-ids) earlier in this guide.
   + *LightsailContainerServiceAddress* with the public domain name of your Lightsail container service. You can get this by signing in to the Lightsail console, browsing to your container service, and copying the **Public domain** listed in the header section of the container service management page (for example, `container-service-1.q8cexampleljs.us-west-2.cs.amazonlightsail.com`).

   Example:

   ```
   {
     "Comment": "Alias record for Lightsail container service",
     "Changes": [
       {
         "Action": "CREATE",
         "ResourceRecordSet": {
           "Name": "@.example.com.",
           "Type": "A",
           "AliasTarget": {
             "HostedZoneId": "Z0959753D43BBB908BAV",
             "DNSName": "container-service-1.q8cexampleljs.us-west-2.cs.amazonlightsail.com.",
             "EvaluateTargetHealth": true
           }
         }
       }
     ]
   }
   ```

1. Save the file to your local directory as `change-resource-record-sets.json`.
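
A hosted zone ID that does not match the Region of the container service is easy to introduce when editing the file by hand. The following added example (not part of the original guide) builds the same change batch and derives the hosted zone ID from the Region in the service's default domain, using the Step 2 list; `build_change_batch`, `ZONE_IDS` and `DEFAULT_DOMAIN_RE` are names introduced here.

```python
import json
import re

# Hosted zone IDs for Lightsail container services, copied from the Step 2 list.
ZONE_IDS = {
    "eu-west-2": "Z0624918ZXDYQZLOXA66",
    "us-east-1": "Z06246771KYU0IRHI74W4",
    "ap-southeast-1": "Z0625921354DRJH4EY9V0",
    "eu-west-1": "Z0624732FELAMMKW3Y21",
    "ap-northeast-1": "Z0626125UAU4JWQ9JSKN",
    "ap-northeast-2": "Z06260262XZM84B2WPLHH",
    "ap-southeast-3": "Z03072883T5HFTY4T7CDL",
    "ap-southeast-5": "Z09430204C5DXNNO314Y",
    "ap-south-1": "Z10460781IQMISS0I0VVY",
    "ap-southeast-2": "Z09597943PQQZATPFE96E",
    "ca-central-1": "Z10450993RIRIJJUUMA5W",
    "eu-central-1": "Z06137433FV04OY4EC6L0",
    "eu-north-1": "Z016970523TDG2TZMUXKK",
    "eu-west-3": "Z09594631DSW2QUR7CFGO",
    "us-east-2": "Z10362273VJ548563IY84",
    "us-west-2": "Z0959753D43BBB908BAV",
}

# <ServiceName>.<RandomGUID>.<AWSRegion>.cs.amazonlightsail.com
DEFAULT_DOMAIN_RE = re.compile(
    r"^[a-z0-9-]+\.[a-z0-9]+\.([a-z0-9-]+)\.cs\.amazonlightsail\.com$")


def build_change_batch(domain, default_domain, comment="Alias record"):
    """Return the Step 3 change batch as a dict; raise ValueError on bad input."""
    # Accept the value as pasted from the console: optional scheme, stray
    # whitespace, trailing slash or dot.
    target = re.sub(r"^https?://", "", default_domain.strip().lower()).rstrip("/.")
    match = DEFAULT_DOMAIN_RE.match(target)
    if not match:
        raise ValueError(f"not a container service default domain: {default_domain!r}")
    region = match.group(1)
    if region not in ZONE_IDS:
        raise ValueError(f"no hosted zone ID listed for Region {region!r}")
    name = domain.strip().lower().rstrip(".")
    if not name or "." not in name or any(c.isspace() for c in name):
        raise ValueError(f"not a usable record name: {domain!r}")
    return {
        "Comment": comment,
        "Changes": [{
            "Action": "CREATE",
            "ResourceRecordSet": {
                "Name": name + ".",
                "Type": "A",
                "AliasTarget": {
                    # Derived from the target, so zone ID and Region cannot disagree.
                    "HostedZoneId": ZONE_IDS[region],
                    "DNSName": target + ".",
                    "EvaluateTargetHealth": True,
                },
            },
        }],
    }


if __name__ == "__main__":
    print(json.dumps(build_change_batch(
        "www.example.com",
        "container-service-1.q8cexampleljs.us-west-2.cs.amazonlightsail.com"), indent=2))
```

Redirect the printed JSON to `change-resource-record-sets.json` to use it in Step 4.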

## Step 4: Add a record to the hosted zone of your domain in Route 53


Complete the following procedure to add a record to the hosted zone of your domain in Route 53 using the AWS CLI. You do this by using the `change-resource-record-sets` command. For more information, see [change-resource-record-sets](https://docs.aws.amazon.com/cli/latest/reference/route53/change-resource-record-sets.html) in the *AWS CLI Command Reference*.

**Note**  
You must install the AWS CLI and configure it for Lightsail and Route 53 before continuing with this procedure. For more information, see [Configure the AWS CLI to work with Lightsail](lightsail-how-to-set-up-and-configure-aws-cli.md).

1. Open a Command Prompt or Terminal window.

1. Enter the following command to add a record to the hosted zone of your domain in Route 53.

   ```
   aws route53 change-resource-record-sets --hosted-zone-id HostedZoneID --change-batch PathToJsonFile
   ```

   In the command, replace the following example text with your own:
   + *HostedZoneID* with the ID of the hosted zone for your registered domain in Route 53. Use the [list-hosted-zones](https://docs.aws.amazon.com/cli/latest/reference/route53/list-hosted-zones.html) command to get a list of IDs for the hosted zones in your Route 53 account.
   + *PathToJsonFile* with the path on your computer to the .json file that contains the record parameters, prefixed with `file://`. For more information, see the [Step 3: Create a record set JSON file](#route-53-container-service-create-record-set-json) section earlier in this guide.

   Examples:

   On a Linux or Unix computer:

   ```
   aws route53 change-resource-record-sets --hosted-zone-id Z123456789ABCDEFGHIJ --change-batch file:///home/user/awscli/route53/change-resource-record-sets.json
   ```

   On a Windows computer:

   ```
   aws route53 change-resource-record-sets --hosted-zone-id Z123456789ABCDEFGHIJ --change-batch file://C:\awscli\route53\change-resource-record-sets.json
   ```

   You should see a result similar to the following example:  
![\[Result of the change resource record sets request\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-route-53-record-set.png)

   Allow time for the change to propagate through the internet's DNS, which might take several hours. After that is completed, internet traffic for your registered domain in Route 53 should begin routing to your Lightsail container service.