
How to create a Route 53 private hosted zone without causing NXDOMAIN for existing public subdomain records?

-1

We have a public hosted zone with an A record at apigateway.example.com pointing to an API Gateway custom domain. We need to create a private hosted zone for the parent domain example.com in our VPC to route traffic to an internal service.

The problem is that Route 53 requires a VPC association at creation time for private hosted zones, and the moment the zone is associated with our VPC, it takes over DNS resolution for all queries under example.com, including apigateway.example.com. Since the private zone doesn't have that record yet, queries return NXDOMAIN and our API Gateway calls break.

We tried adding the record immediately after creating the zone, but NXDOMAIN responses get negatively cached and we still see temporary errors.

The only workaround we've found is creating the private hosted zone with a placeholder VPC, adding all required records, and then associating it with our real VPC. This works but requires creating and cleaning up a throwaway VPC.

Is there a supported way to create a private hosted zone and populate it with records before it takes effect on a VPC? The CreateHostedZone API docs show VPC as Required: No, but the API rejects the request for private zones without a VPC.

2 Answers
0
Accepted Answer

Hello.

While the AWS re:Post Agent response shares a method for creating a private hosted zone without specifying a VPC, a VPC must be associated with the private hosted zone during creation.
Therefore, I believe the safest approach is to associate an empty VPC with the private hosted zone, then create a record and associate the necessary VPC, as you have already tried.

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-creating.html

When you create a private hosted zone, you must associate a VPC with the hosted zone, and the VPC that you specify must have been created by using the same account that you're using to create the hosted zone. After you create the hosted zone, you can associate additional VPCs with it, including VPCs that you created by using a different AWS account.
To associate VPCs that you created by using one account with a private hosted zone that you created by using a different account, you must authorize the association and then make the association programmatically. For more information, see Associating an Amazon VPC and a private hosted zone that you created with different AWS accounts.

If you don't associate a VPC when creating a private hosted zone, you will get the following error even when using the AWS CLI.

~ $ aws route53 create-hosted-zone \
>   --name example.internal \
>   --hosted-zone-config Comment="Private hosted zone",PrivateZone=true \
>   --caller-reference $(date +%s)

aws: [ERROR]: An error occurred (InvalidInput) when calling the CreateHostedZone operation: When you're creating a private hosted zone (when you specify true for PrivateZone), you must also specify values for VPCId and VPCRegion.
EXPERT
answered a month ago
EXPERT
reviewed a month ago
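The procedure in the question and in the accepted answer (placeholder VPC, populate records, associate the real VPC) has one step that is easy to get wrong: confirming that the private zone really answers every name in-VPC clients currently get from the public zone before the association flips resolution. The script below is an added example, not code from the thread or from AWS. It compares the two zones' record sets in pure Python (so the check itself runs offline against constructed sample data) and only reaches for boto3 inside `associate_when_ready()`, which performs the association and then drops the placeholder VPC. The function names, the sample records and the assumption that the placeholder VPC is in the same region as the real one are mine.

```python
"""Pre-association check for a Route 53 private hosted zone (added example)."""
import sys

# Constructed sample data, not from the thread: what a public zone and a
# freshly created private zone for the same name might contain.
SAMPLE_ZONE = "example.com"
SAMPLE_PUBLIC = [
    {"Name": "example.com.", "Type": "SOA"},
    {"Name": "example.com.", "Type": "NS"},
    {"Name": "apigateway.example.com.", "Type": "A"},   # alias to API Gateway
    {"Name": "www.example.com.", "Type": "CNAME"},
    {"Name": "api.example.com.", "Type": "AAAA"},
]
SAMPLE_PRIVATE = [
    {"Name": "example.com.", "Type": "SOA"},
    {"Name": "example.com.", "Type": "NS"},
    {"Name": "api.example.com.", "Type": "CNAME"},      # also answers A/AAAA queries for api.
]


def _norm(name):
    """Normalise a DNS name the way Route 53 returns it: lowercase, trailing dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def zone_keys(record_sets, zone_name):
    """(name, type) pairs a zone serves, minus the apex SOA/NS, which are
    zone-specific and must never be copied between zones."""
    apex = _norm(zone_name)
    keys = set()
    for rr in record_sets:
        name, rtype = _norm(rr["Name"]), rr["Type"].upper()
        if name == apex and rtype in ("SOA", "NS"):
            continue
        keys.add((name, rtype))
    return keys


def missing_in_private(public_rrs, private_rrs, zone_name, needed_names=None):
    """Public (name, type) pairs the private zone does not yet answer.
    An empty list means the association will not produce NXDOMAIN for them.
    needed_names restricts the check to the names in-VPC clients actually use."""
    pub = zone_keys(public_rrs, zone_name)
    priv = zone_keys(private_rrs, zone_name)
    if needed_names is not None:
        wanted = {_norm(n) for n in needed_names}
        pub = {k for k in pub if k[0] in wanted}
    # A CNAME in the private zone satisfies A/AAAA lookups for that name.
    cname_names = {n for (n, t) in priv if t == "CNAME"}
    return sorted(k for k in pub
                  if k not in priv
                  and not (k[1] in ("A", "AAAA") and k[0] in cname_names))


def _all_records(r53, zone_id):
    """Page through every record set in a hosted zone (live AWS call)."""
    out = []
    paginator = r53.get_paginator("list_resource_record_sets")
    for page in paginator.paginate(HostedZoneId=zone_id):
        out.extend(page["ResourceRecordSets"])
    return out


def associate_when_ready(public_zone_id, private_zone_id, vpc_id, vpc_region,
                         placeholder_vpc_id=None, needed_names=None):
    """Live version of the thread's procedure: refuse to associate the real VPC
    while the private zone has gaps, then remove the placeholder association.
    Needs boto3 and AWS credentials; assumes the placeholder VPC is in vpc_region."""
    import boto3  # imported here so the offline check above needs no AWS SDK
    r53 = boto3.client("route53")
    zone_name = r53.get_hosted_zone(Id=private_zone_id)["HostedZone"]["Name"]
    gaps = missing_in_private(_all_records(r53, public_zone_id),
                              _all_records(r53, private_zone_id),
                              zone_name, needed_names)
    if gaps:
        raise SystemExit("refusing to associate; private zone lacks: "
                         + ", ".join(f"{n} {t}" for n, t in gaps))
    vpc = {"VPCRegion": vpc_region, "VPCId": vpc_id}
    r53.associate_vpc_with_hosted_zone(HostedZoneId=private_zone_id, VPC=vpc)
    if placeholder_vpc_id:  # the zone now has the real VPC, so the placeholder can go
        r53.disassociate_vpc_from_hosted_zone(
            HostedZoneId=private_zone_id,
            VPC={"VPCRegion": vpc_region, "VPCId": placeholder_vpc_id})
    return gaps


if __name__ == "__main__":
    if len(sys.argv) >= 5:
        associate_when_ready(*sys.argv[1:6])
    else:  # offline demo on the constructed sample zones
        for name, rtype in missing_in_private(SAMPLE_PUBLIC, SAMPLE_PRIVATE, SAMPLE_ZONE):
            print(f"missing in private zone: {name} {rtype}")
```

Run without arguments to see the offline comparison; run as `script.py PUBLIC_ZONE_ID PRIVATE_ZONE_ID VPC_ID REGION [PLACEHOLDER_VPC_ID]` for the live path. Passing `needed_names` keeps the check to the handful of names VPC workloads really resolve, since a private zone for the parent domain does not have to mirror the whole public zone.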
-2

You're correct that the API documentation can be misleading here. While the VPC parameter shows as "Required: No" in the API documentation, you can actually use the CreateHostedZone API operation to create a private hosted zone without initially specifying a VPC association. This allows you to populate the zone with all necessary records before associating it with your VPC.

Here's the recommended approach:

  1. Create the private hosted zone without VPC association: Use the CreateHostedZone API (not the console) to create your private hosted zone for example.com. Skip entering a VPC value during creation.

  2. Add all required DNS records: Before associating the zone with any VPC, add all the records you need, including the apigateway.example.com A record that points to your API Gateway custom domain. This ensures that when the zone becomes active in your VPC, all records are already in place.

  3. Associate with your VPC: Once all records are configured, associate the private hosted zone with your production VPC. At this point, DNS resolution will switch to the private zone, but since all records are already present, there will be no NXDOMAIN responses.

This approach eliminates the need for a placeholder VPC and prevents the negative caching issue you've been experiencing. The key is using the API rather than the console for the initial zone creation, as the console requires a VPC association but the API does not.

By pre-populating all records before the VPC association takes effect, you ensure a seamless transition without any DNS resolution failures or service interruptions.
Sources
Manage private hosted zone associations with Route 53 Global Resolver - Amazon Route 53
Considerations when working with a private hosted zone - Amazon Route 53

answered a month ago
  • There's no way to create a private hosted zone without a VPC.
