How can I make the same Route 53 domain name resolve to an internal load balancer within the VPC and an external load balancer outside it?

0

We have an API hosted on ECS Fargate that can be called from the internet, and is also used by other services internally.

We expose a public facing load balancer for external traffic, with WAF rules, API gateway etc. We want to migrate to using an internal load balancer for the internal traffic so it is not affected by WAF, API gateway etc.

We would like to use the same name - call it api.example.com. - internally and externally.[1]

Things we have tried so far:

  1. Create a private hosted zone example.com. alongside the public hosted zone example.com., and create different records for api in each.
  2. Use IP-based routing

1 fails because we now have to duplicate all other records in both, otherwise they do not resolve inside the VPC, which is error prone and dangerous. At some point someone's going to forget and be deeply confused by things not resolving. As far as I can tell there is no way to configure the resolver to fall back on the public zone when no match is found in the private zone.

I think 2 fails because the VPC resolver doesn't support EDNS Client Subnet. At any rate our VPC has CIDR 10.0.0.0/16 and my IP based record has a specific entry for 10.0.0.0/16, but queries inside the VPC still resolve to the default entry. And dig TXT o-o.myaddr.google.com -4 inside a container in the VPC does not return o-o.myaddr.google.com. 60 IN TXT "edns0-client-subnet 92.236.229.0/24", which is the test suggested in How do I troubleshoot issues with IP-based routing in Route 53?.

AWS already resolves EC2 names differently internally and externally; ec2-3-4-5-6.compute-1.amazonaws.com. resolves to 3.4.5.6 from outside the VPC, but to 10.0.1.2 from inside the VPC, yet can also correctly resolve an EC2 name from another VPC to its public name. I just want to do the same thing!

[1] Obviously an answer is "don't do that, create api.internal.example.com.", and we are considering it, but a) it does reduce cognitive load if it's the same name everywhere, and b) for reasons it would be tedious to go into, changing the configuration of all the services that call it is going to be more painful than is ideal[2]

[2] Yes, yes, we should fix that.

asked 6 months ago, 524 views
2 Answers
0

I have done this several times across clients.

You are correct, you need a public and private hosted zone (split horizon). The private hosted zone attached to a VPC will take precedence over the public. There is NO fallback to the public zone if records do not exist.

You are also correct, you need an internal load balancer which your private hosted zone points to for its records.

What you also need to do is create new target groups and create the new rules on the internal load balancer directing the traffic to these new target groups.

You also then have to DUAL register the ECS services to the 2nd target group. You can't do this in the GUI, however you can do this via CLI or code as follows: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/register-multiple-targetgroups.html

This means the external ALB will use one set of TGs and the internal ALB will use the 2nd set of target groups. Then create your DNS records in your internal Route 53 zone and job's a good 'un. The link above talks about the exact issue you wish to resolve with internal and external load balancers.

This will resolve your issues.

EXPERT, answered 6 months ago
EXPERT, reviewed 6 months ago
0

How about creating a private hosted zone with the name api.example.com that includes an alias record for the zone apex that points to the internal load balancer?

answered 2 months ago
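The two answers combine into one design: the split-horizon zone from the first answer, scoped as the second answer suggests so that the private zone is named after the API record itself and shadows nothing else in example.com inside the VPC, plus the internal ALB alias and the dual target-group registration of the ECS service. The script below is an added example, not code from the thread or from AWS. Every name, ID and ARN in it is a constructed placeholder; the request shapes follow boto3's route53, elbv2 and ecs clients, and shadowed_names/check_zone_scope encode the "no fallback to the public zone" rule so you can see up front which public records a given private zone name would break.

```python
"""Split-horizon DNS for api.example.com on AWS (added example, placeholders only).

A private hosted zone named api.example.com. (not example.com.) is associated with
the VPC, its apex is an alias A record to the internal ALB, and the ECS service is
created with one target group per load balancer. The VPC must have
enableDnsSupport and enableDnsHostnames set or private zones are never consulted.
"""
import json


def _canon(name):
    return name.lower().rstrip(".")


def shadowed_names(private_zone_name, public_record_names):
    """Public record names that stop resolving inside the VPC once a private
    hosted zone named private_zone_name is attached to it. Route 53 answers a
    VPC query from the matching private zone (the most specific if several
    match) and never falls back to the public zone, so every public name at or
    below the private apex is NXDOMAIN in the VPC unless recreated there."""
    apex = _canon(private_zone_name)
    return [n for n in public_record_names
            if _canon(n) == apex or _canon(n).endswith("." + apex)]


def check_zone_scope(private_zone_name, public_record_names):
    """Refuse a private zone that would shadow anything except its own apex.
    A private example.com. zone fails this (the asker's option 1); a private
    api.example.com. zone passes unless the public zone also holds names under
    api.example.com, which would then need duplicating in the private zone."""
    extra = [n for n in shadowed_names(private_zone_name, public_record_names)
             if _canon(n) != _canon(private_zone_name)]
    if extra:
        raise ValueError("private zone %s would also shadow %s" % (private_zone_name, extra))
    return True


def private_zone_request(zone_name, vpc_id, vpc_region, caller_reference):
    """Parameters for route53.create_hosted_zone: a private zone tied to one VPC."""
    return {"Name": zone_name, "CallerReference": caller_reference,
            "VPC": {"VPCRegion": vpc_region, "VPCId": vpc_id},
            "HostedZoneConfig": {"PrivateZone": True,
                                 "Comment": "split horizon for " + zone_name}}


def alias_change_batch(record_name, alb_dns_name, alb_canonical_zone_id):
    """ChangeBatch for route53.change_resource_record_sets: the zone apex as an
    alias A record to the internal ALB. alb_canonical_zone_id is the ALB's
    CanonicalHostedZoneId from elbv2.describe_load_balancers, not the Route 53
    hosted zone ID of the zone the record lives in."""
    return {"Comment": "apex alias to internal ALB",
            "Changes": [{"Action": "UPSERT",
                         "ResourceRecordSet": {
                             "Name": record_name, "Type": "A",
                             "AliasTarget": {"HostedZoneId": alb_canonical_zone_id,
                                             "DNSName": alb_dns_name,
                                             "EvaluateTargetHealth": True}}}]}


def ecs_service_request(cluster, service_name, task_definition, container_name,
                        container_port, target_group_arns, subnets, security_groups):
    """Parameters for ecs.create_service with one loadBalancers entry per target
    group: the public ALB's group and the internal ALB's group both point at the
    same container port, so every task is registered with both ALBs."""
    if len(set(target_group_arns)) != len(target_group_arns):
        raise ValueError("each load balancer needs its own target group")
    return {"cluster": cluster, "serviceName": service_name,
            "taskDefinition": task_definition, "desiredCount": 2,
            "launchType": "FARGATE",
            "loadBalancers": [{"targetGroupArn": arn, "containerName": container_name,
                               "containerPort": container_port} for arn in target_group_arns],
            "networkConfiguration": {"awsvpcConfiguration": {
                "subnets": subnets, "securityGroups": security_groups}}}


def apply(cfg, public_record_names, session):
    """Run the three calls with a boto3 session (needs AWS access; the dry run in
    __main__ only builds the requests)."""
    check_zone_scope(cfg["zone_name"], public_record_names)
    r53, ecs = session.client("route53"), session.client("ecs")
    zone = r53.create_hosted_zone(**private_zone_request(
        cfg["zone_name"], cfg["vpc_id"], cfg["region"], cfg["caller_reference"]))
    r53.change_resource_record_sets(
        HostedZoneId=zone["HostedZone"]["Id"],
        ChangeBatch=alias_change_batch(cfg["zone_name"], cfg["internal_alb_dns"],
                                       cfg["internal_alb_zone_id"]))
    return ecs.create_service(**ecs_service_request(
        cfg["cluster"], cfg["service"], cfg["task_definition"], cfg["container"],
        cfg["port"], [cfg["public_tg_arn"], cfg["internal_tg_arn"]],
        cfg["subnets"], cfg["security_groups"]))


SAMPLE_CFG = {  # constructed placeholders, not real resources
    "zone_name": "api.example.com.", "vpc_id": "vpc-0123456789abcdef0",
    "region": "eu-west-1", "caller_reference": "api-split-horizon-1",
    "internal_alb_dns": "internal-api-0123456789.eu-west-1.elb.amazonaws.com",
    "internal_alb_zone_id": "Z0000000EXAMPLE", "cluster": "prod", "service": "api",
    "task_definition": "api:42", "container": "api", "port": 8080,
    "public_tg_arn": "arn:aws:elasticloadbalancing:eu-west-1:123456789012:targetgroup/api-public/1111",
    "internal_tg_arn": "arn:aws:elasticloadbalancing:eu-west-1:123456789012:targetgroup/api-internal/2222",
    "subnets": ["subnet-0aaaaaaa", "subnet-0bbbbbbb"], "security_groups": ["sg-0ccccccc"],
}
PUBLIC_RECORDS = ["example.com.", "www.example.com.", "api.example.com.", "mail.example.com."]

if __name__ == "__main__":
    print("private example.com. would shadow:", shadowed_names("example.com.", PUBLIC_RECORDS))
    check_zone_scope(SAMPLE_CFG["zone_name"], PUBLIC_RECORDS)
    print(json.dumps(alias_change_batch(SAMPLE_CFG["zone_name"], SAMPLE_CFG["internal_alb_dns"],
                                        SAMPLE_CFG["internal_alb_zone_id"]), indent=2))
```

Two things the script deliberately does not do for you: the internal ALB still needs its own HTTPS listener with a certificate covering api.example.com (clients inside the VPC use the same hostname, so TLS validation is unchanged), and the task security group must admit traffic from the internal ALB as well as the public one. To confirm the split horizon, run dig api.example.com from a task or instance in the VPC and check that it returns the internal ALB's private addresses while the same query from outside still returns the public ALB.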
