Monday 11/1/21 AWS/Cloud Study Update

Adrian Cantrill's SAA-C02 study course, 80 minutes:

‘R53 Global DNS’ section: ‘R53 Public Hosted Zones’, ‘R53 Private Hosted Zones’, ‘Cname VS R53 Alias’, ‘Simple Routing’, ‘Health Checks’, ‘Failover Routing’

PUBLIC HOSTED ZONES: A hosted zone is a DNS database for a given section of the global DNS database, specifically for a domain, and in R53 it is globally resilient. It hosts DNS records (A, AAAA (the IPv6 equivalent of A), CNAME, MX, TXT). There are two kinds of hosted zones in AWS, public and private. Public hosted zones are created automatically when domains are registered, and they can also be created separately. Hosted zone databases are referenced via delegation using name server (NS) records, and are authoritative for a domain. Public hosted zones are accessible from the public internet and from VPCs, are hosted on 4 R53 name servers, and use NS records to point at those name servers (for integration with the public DNS tree). Resource records are created within the hosted zone. Externally registered domains can point at an R53 public zone via the VPC+2 address (the VPC resolver); the root servers are queried by that resolver.

PRIVATE HOSTED ZONES: These are operationally similar to public hosted zones but are not public: they are associated with VPCs and are only accessible from the VPCs they are associated with. You can associate a VPC with a private hosted zone using the CLI, the console UI or the API; associating VPCs from different accounts is supported via the CLI/API. You can also create split-view (public and private) hosted zones with the same zone name, for public and internal use. VPCs that use the resolver associated with the private hosted zone have access. For this to work, the hosted zone needs to be running inside a VPC and the VPC needs to be associated with that hosted zone.

CNAME VS R53 ALIAS: In DNS, an 'A' record maps a name to an IP address, while a 'CNAME' record maps a name to another name. A CNAME is invalid for apex/naked domains. Many AWS services don't provide an IP address, only a DNS name. An ALIAS record maps a name to an AWS resource, and can be used both for the naked/apex domain and for normal subdomains. For AWS resources AWS encourages you to use ALIAS records, and there is no charge for ALIAS queries that point at AWS resources. You can have an 'A record' alias and a 'CNAME record' alias; the record type needs to match the type of record you're pointing at. ALIAS is implemented by AWS outside the DNS standard, and is only usable if R53 is hosting your domains.
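The CNAME and ALIAS rules above can be turned into a small validator that runs before a record change is submitted. This is an added example written for these notes, not code from the course or from AWS; the `Record`/`HostedZone` shapes and the `target_type` field are assumptions made for the example, not the Route 53 API.

```python
from dataclasses import dataclass
from typing import List, Optional

# Record types mentioned in the notes; the alias rule here only matters for A and CNAME.
STANDARD_TYPES = {"A", "AAAA", "CNAME", "MX", "TXT", "NS"}


@dataclass
class Record:
    name: str                           # fully-qualified name, e.g. "example.com."
    rtype: str                          # "A", "CNAME", ...
    alias: bool = False                 # True = R53 ALIAS pointing at an AWS resource
    target_type: Optional[str] = None   # record type exposed by the alias target (assumed field)


@dataclass
class HostedZone:
    name: str                           # zone apex, e.g. "example.com."
    hosted_by_r53: bool = True          # ALIAS only works when R53 hosts the zone


def is_apex(zone: HostedZone, record: Record) -> bool:
    """True when the record name is the naked/apex domain of the zone."""
    return record.name.rstrip(".").lower() == zone.name.rstrip(".").lower()


def validate_record(zone: HostedZone, record: Record) -> List[str]:
    """Return the list of rule violations; an empty list means the record is acceptable."""
    problems = []
    if record.rtype not in STANDARD_TYPES:
        problems.append(f"unknown record type {record.rtype}")
    if record.alias:
        # ALIAS is an R53 extension, so it needs an R53-hosted zone, and its type
        # must match the type of the record it points at (A -> A, CNAME -> CNAME).
        if not zone.hosted_by_r53:
            problems.append("ALIAS records only work in zones hosted by Route 53")
        if record.target_type is None or record.target_type != record.rtype:
            problems.append("ALIAS record type must match the type of the target it points at")
    elif record.rtype == "CNAME" and is_apex(zone, record):
        # Plain DNS rule: a CNAME cannot live at the apex; an ALIAS A record can.
        problems.append("a CNAME is not valid at the zone apex; use an ALIAS A record instead")
    return problems


if __name__ == "__main__":
    zone = HostedZone("example.com.")
    for rec in (Record("example.com.", "CNAME"),
                Record("www.example.com.", "CNAME"),
                Record("example.com.", "A", alias=True, target_type="A")):
        print(rec.name, rec.rtype, "alias" if rec.alias else "", validate_record(zone, rec) or "ok")
```

The first record (CNAME at the apex) is rejected, the CNAME on `www` and the ALIAS A record at the apex pass, which is exactly the distinction the notes draw.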

SIMPLE ROUTING: Simple routing starts with a hosted zone and creates one record per name. Each record using simple routing can have multiple values, and all values are returned in the resolution of a request (for example www) in random order. This routing is best for routing requests to one service, and doesn't support health checks.

HEALTH CHECKS: This feature supports many of the advanced architectures of R53. Health checks exist separately from records but are used by records inside R53: you don't create health checks within records, they are created and configured separately. They are used to evaluate the health of something. Health checks are performed by a fleet of health checkers, located globally. If you are checking the health of systems hosted on the public internet, you must allow traffic from these health checkers. Targets are not limited to AWS resources: the health check just needs an IP address. Checks occur every 30 seconds by default (every 10 s is also available but costs extra), and are available for HTTP/HTTPS, TCP, and HTTP/HTTPS with string matching. R53 must be able to establish a connection with the endpoint within 4 seconds, and the endpoint must respond with an HTTP status code in the 200 to 300 range within 2 seconds. After the R53 health checker receives the status code, it must receive the response body from the endpoint within 2 seconds. R53 searches the response body for the string you specified, and the string must appear entirely in the first 5,120 bytes or the endpoint fails the health check. There are three types of health checks: endpoint, CloudWatch, or calculated checks (checks of checks).
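The timing and matching rules above are precise enough to model. The following is an added example for these notes, not code from the course or from AWS: it applies the connect, status, body and string-match limits to a constructed observation of one probe, and adds a calculated ("check of checks") evaluation over child results. The `Observation` shape and the status rule read as "any 2xx or 3xx code" are assumptions of the example; the "checks of checks" threshold is likewise a parameter I chose, not something the notes specify.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Limits taken from the notes above.
CONNECT_TIMEOUT_S = 4.0      # TCP connection must be established within 4 s
STATUS_TIMEOUT_S = 2.0       # HTTP status line must arrive within 2 s
BODY_TIMEOUT_S = 2.0         # response body must arrive within 2 s of the status
MATCH_WINDOW_BYTES = 5120    # the match string must appear entirely in the first 5,120 bytes


@dataclass
class Observation:
    """What one health checker observed for a single probe (constructed for this example)."""
    connect_seconds: Optional[float]     # None = TCP connect never completed
    status_code: Optional[int] = None    # None = no HTTP status line received
    status_seconds: float = 0.0          # time from connect to status line
    body: bytes = b""
    body_seconds: float = 0.0            # time from status line to end of body


def evaluate_tcp_check(obs: Observation) -> bool:
    """TCP check: healthy if the connection came up within the connect limit."""
    return obs.connect_seconds is not None and obs.connect_seconds <= CONNECT_TIMEOUT_S


def evaluate_http_check(obs: Observation, match_string: Optional[str] = None) -> bool:
    """HTTP/HTTPS check, optionally with string matching."""
    if not evaluate_tcp_check(obs):
        return False
    if obs.status_code is None or obs.status_seconds > STATUS_TIMEOUT_S:
        return False
    # "200 to 300 range" in the notes, read here as any 2xx or 3xx status (assumption).
    if not 200 <= obs.status_code <= 399:
        return False
    if match_string is None:
        return True                      # plain HTTP check: status alone decides
    if obs.body_seconds > BODY_TIMEOUT_S:
        return False
    # Slicing first guarantees the whole string sits inside the 5,120-byte window.
    return match_string.encode() in obs.body[:MATCH_WINDOW_BYTES]


def evaluate_calculated_check(child_results: Iterable[bool], healthy_threshold: int) -> bool:
    """Calculated check: healthy when at least `healthy_threshold` child checks are healthy."""
    return sum(1 for healthy in child_results if healthy) >= healthy_threshold


if __name__ == "__main__":
    probe = Observation(connect_seconds=0.4, status_code=200, status_seconds=0.3,
                        body=b"status: service up", body_seconds=0.1)
    print("http+string:", evaluate_http_check(probe, "service up"))
    print("calculated :", evaluate_calculated_check([True, False, True], 2))
```

Note the "far" case: a body whose match string only begins after byte 5,120 fails even though the string is present, which is why a status page used for matching should put its marker near the top.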

FAILOVER ROUTING: This feature lets you route traffic to a primary resource if that resource is healthy, or to a different resource if the primary resource is unhealthy. This starts with a hosted zone and a name (for example www) inside the hosted zone. With failover routing you can add multiple records of the same name; they are referred to as primary and secondary records, and each of these records points at a resource. The key element of failover routing is the inclusion of a health check, and health checks generally occur on primary records. If the health check on the primary value is healthy, traffic is routed to the primary; if it is unhealthy, traffic is routed to the secondary.

Published by pauldparadis

Working towards cloud networking security as a profession.
