
Routing internal and external traffic using the same public subdomain name


I have a Windows 2019 server running a database application that is accessible by public users and private users from another Windows 2019 instance. I wish to use the same subdomain name for external and internal access, but find that traffic between the 2 AWS instances gets routed externally, which is less secure and slower, when I use the subdomain name for the connection. How do I configure VPC/Route 53 to ensure that traffic between instances remains private while public traffic is directed correctly using the same subdomain name?

3 Answers

The answer from AC is good; I'd add (based on the further response):

If your web users are connecting to and your database users are connecting to then it's easy to have different IP addresses for those different records - particularly where the web users go to a public IP and database goes to a private IP.

But: If the hostname is the same for both then it's far more difficult because the DNS server has to look at where the query is coming from (private or public) and return a different IP address based on that. And then it's even more difficult because the DNS server doesn't know whether the query is coming from the database application or the web browser - there's no way to tell. So it can only return a single IP address.

Therefore: If you are using the same hostname for both purposes (web/database) then you can't do what you want. Instead, use two hostnames and the PHZ as AC suggests above.

answered 8 months ago

Hi, you can create a Private Hosted Zone (PHZ) in Route 53, add the corresponding internal entries (A/AAAA), and associate this PHZ with the said VPC. Here's the landing page that explains the steps/considerations:

answered 8 months ago

Thanks, AC. I was able to create a private zone as indicated and it worked for the database apps. It led me to a new problem. While I want the database traffic to go to the other instance, I need the browser traffic to go to the external website. When the hosted zone is active, the browser is unable to resolve DNS. Is there a setting to resolve that?

answered 8 months ago
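The failure described in the follow-up above (browser in the VPC can no longer resolve the public site once a Private Hosted Zone with the same name exists) and the two-hostname fix from the first answer can be reproduced with a small model of how Route 53 Resolver picks a zone. This is an added example, not code from the thread or from AWS; the zone names, record names and IP addresses are constructed, and the rules it models are the documented ones: a query from inside the VPC that falls within an associated PHZ's namespace is answered only from that PHZ, so a name missing from the PHZ returns NXDOMAIN instead of falling through to the public zone.

```python
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str                                    # zone apex, e.g. "example.com"
    records: dict = field(default_factory=dict)  # fqdn -> IPv4 (constructed values)


def _best_match(fqdn, zones):
    """Pick the zone whose name is the longest suffix of fqdn (most specific wins)."""
    hits = [z for z in zones if fqdn == z.name or fqdn.endswith("." + z.name)]
    return max(hits, key=lambda z: len(z.name)) if hits else None


def resolve(fqdn, public_zones, private_zones, from_vpc):
    """Return ("answer", ip) or ("NXDOMAIN", None) for one query.

    Inside the VPC an associated PHZ shadows the public zone of the same name:
    once a PHZ matches, the answer comes only from it, even when that means
    NXDOMAIN for a name the public zone does hold."""
    fqdn = fqdn.rstrip(".").lower()
    zone = _best_match(fqdn, private_zones) if from_vpc else None
    if zone is None:
        zone = _best_match(fqdn, public_zones)
    if zone is None or fqdn not in zone.records:
        return ("NXDOMAIN", None)
    return ("answer", zone.records[fqdn])


# Constructed zones: one public zone and a PHZ with the same name (split-horizon).
PUBLIC = [Zone("example.com", {"www.example.com": "203.0.113.10",
                               "db.example.com": "203.0.113.20"})]
# The asker's first attempt: PHZ holds only the database record.
PHZ_DB_ONLY = [Zone("example.com", {"db.example.com": "10.0.1.20"})]
# The fix: keep the PHZ, but give it every name clients in the VPC still need.
PHZ_FIXED = [Zone("example.com", {"db.example.com": "10.0.1.20",
                                  "www.example.com": "203.0.113.10"})]


def scenario():
    return {
        "db_from_vpc": resolve("db.example.com", PUBLIC, PHZ_DB_ONLY, True),
        "www_from_vpc": resolve("www.example.com", PUBLIC, PHZ_DB_ONLY, True),  # breaks
        "www_from_internet": resolve("www.example.com", PUBLIC, PHZ_DB_ONLY, False),
        "www_from_vpc_fixed": resolve("www.example.com", PUBLIC, PHZ_FIXED, True),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(name, result)
```

The `www_from_vpc` case is the browser failure from the follow-up; `www_from_vpc_fixed` shows that a PHZ with the public site's record added resolves again while `db` stays on the private address.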
