Private-Zone Route53 Health Checks

1

My customer is interested in monitoring and creating alerts for private-zone Route53 health checks. Their goal is to verify that internal DNS resolution remains available and working in AWS.

Looking at the documentation, we would need to have exposed instance (Public IP for the Route53 health checkers).

  • Is there a way to monitor Private-Zone Route53 health checks?
  • Does the SLA below include private-zone Route53 as well?
  • Is there a way to monitor/alert with CloudWatch on private-zone Route53 within a VPC?

https://aws.amazon.com/route53/sla/

AWS
asked 4 years ago3470 views
1 Answer
1
Accepted Answer

My customer is interested in monitoring and creating alerts for private-zone Route53 health checks. Their goal is to verify that internal DNS resolution remains available and working in AWS.

I think you perhaps misunderstand what Route 53 Health Checks are for. They do not verify that DNS resolution is available. They verify that tcp/http/https endpoints (usually IPs) are answering. In many cases, this allows Route 53 DNS records to be dynamically updated to include health endpoints only.

Is there a way to monitor Private-Zone Route53 health checks?

Health checks do not monitor DNS zones, they monitor tcp/http/https service endpoints.

If you mean to ask "is there is a way to health check endpoints privately inside a VPC?", the answer is "not directly today, but there are workarounds". Some customers do this by giving their VPC service a public IP and restricting connectivity to it exclusively to the health checker's public IPs (which are published). You can then use that health check to dynamically update a DNS entry in a private hosted zone.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-route53-healthcheck.html

"Route 53 health checkers are outside the VPC. To check the health of an endpoint within a VPC by IP address, you must assign a public IP address to the instance in the VPC."

There are other ways this can be done indirectly also, e.g.:

https://aws.amazon.com/blogs/networking-and-content-delivery/performing-route-53-health-checks-on-private-resources-in-a-vpc-with-aws-lambda-and-amazon-cloudwatch/

All health checks get CloudWatch metrics, so you can set alarms on them.

Does the SLA below include private-zone Route53 as well? https://aws.amazon.com/route53/sla/

The SLA explicitly includes Private DNS. "This Amazon Route 53 Service Level Agreement (“SLA”) is a policy governing the use of Amazon Route 53 (including Private DNS) "

AWS
EXPERT
gavinmc
answered 4 years ago
  • Is private zone health-checks a feature being developed for the future?

  • I failed to create the stack because failure to access the lambda code on S3. Any idea? Thanks.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions