Route 53: Setting up Private Hosted Zones (PHZ)

06 Jul 2015, by Navjot Singh

It’s been a while since Amazon extended its Route53 service with a new feature called Private Hosted Zone, which works within a VPC. We recently started exploring it and thought of sharing our learning through this blog.

Introduction: This feature enables us to route traffic between the various resources inside a VPC using custom DNS domains and their subdomains, while keeping those names and resources masked from the Internet.

Scenario: We will host a custom DNS domain name (say in Route53 as a private hosted zone and use it to point to the private IP of a web server running inside the VPC.

Let’s get started by first launching an ec2 instance inside a VPC.

1. Install any web server on the instance (say Nginx).
2. To create the private hosted zone in Route53, go to the Route53 console and click “Create Hosted Zones”. A pane appears on the right side; fill in the details as follows.
   – Provide a domain name of your choice in the “Domain Name” field.
   – Populate descriptive text in the “Comment” field. This field is optional.
   – In the “Type” field, select “Private Hosted Zone for Amazon VPC” from the drop-down list. Once it is selected, a “VPC ID” field appears.
   – In the “VPC ID” field, select the VPC in which we launched the web server from the drop-down list and click “Create”.
   – At the bottom of the pane, a highlighted block advises us to enable the DNSHostname and DNSSupport options for the selected VPC to make things work.
   – If DNSHostname is set, the EC2 instances get DNS hostnames; otherwise they do not.
   – If DNSSupport is set, the AWS DNS service inside the VPC is enabled; otherwise no DNS hostname would be resolved in the VPC. These options can be set in the AWS VPC console: go to both options and click “Yes” when a dialog box appears to enable them.
   Note: The DNSHostname and DNSSupport options are already enabled for the default VPC and for VPCs created using the wizard.
3. Go to the record sets of the “” hosted zone.
4. Click “Create Record Set” to create a new record set; a pane appears on the right side. Fill in the details as follows.
   – Provide a domain name for this record set in the “Name” field.
   – Since we will be using the private IP address of the web server, select an A type record in the “Type” field.
   – In the “Value” field, provide the private IP address of the web server and click “Create”.
5. To test whether it is working, log in to the web server or any other instance in the VPC and try to resolve the subdomain using “nslookup” or any other utility. Below is the output of the “nslookup” command; it worked.

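The same five steps driven through the API instead of the console, as an added example that is not part of the original post: it checks and enables the two VPC DNS attributes the console warns about, creates the private zone bound to the VPC, and publishes the web server's private IP as an A record while refusing a public address. The boto3 clients are passed in as parameters; the domain, VPC id, region and IP address are constructed placeholders.

```python
import ipaddress
import uuid

# Both VPC DNS attributes must be on for names in a private hosted zone to resolve.
# Request keys are camelCase, response/modify keys are CamelCase.
DNS_ATTRS = {"enableDnsSupport": "EnableDnsSupport", "enableDnsHostnames": "EnableDnsHostnames"}

def missing_dns_attributes(ec2, vpc_id):
    """Return the VPC DNS attributes that are still disabled."""
    return [attr for attr, key in DNS_ATTRS.items()
            if not ec2.describe_vpc_attribute(VpcId=vpc_id, Attribute=attr)[key]["Value"]]

def enable_dns_attributes(ec2, vpc_id):
    """Turn on whichever attributes are off (the API takes one attribute per call)."""
    for attr in missing_dns_attributes(ec2, vpc_id):
        ec2.modify_vpc_attribute(VpcId=vpc_id, **{DNS_ATTRS[attr]: {"Value": True}})

def create_private_zone(route53, domain, vpc_id, region, comment="internal zone"):
    """Create a zone visible only from the given VPC; returns the hosted zone id."""
    resp = route53.create_hosted_zone(
        Name=domain,
        CallerReference=str(uuid.uuid4()),  # must be unique per request
        HostedZoneConfig={"Comment": comment, "PrivateZone": True},
        VPC={"VPCRegion": region, "VPCId": vpc_id},
    )
    return resp["HostedZone"]["Id"]

def a_record_change(name, private_ip, ttl=60, action="CREATE"):
    """ChangeBatch for one A record; refuses anything but a private IPv4 address so a
    public address never lands in the internal zone by mistake."""
    addr = ipaddress.ip_address(private_ip)
    if addr.version != 4 or not addr.is_private:
        raise ValueError(f"{private_ip} is not a private IPv4 address")
    rrset = {"Name": name, "Type": "A", "TTL": ttl, "ResourceRecords": [{"Value": str(addr)}]}
    return {"Changes": [{"Action": action, "ResourceRecordSet": rrset}]}

def point_name_at_instance(route53, zone_id, name, private_ip):
    """Publish the web server's private IP under the chosen name; returns PENDING or INSYNC."""
    resp = route53.change_resource_record_sets(
        HostedZoneId=zone_id, ChangeBatch=a_record_change(name, private_ip))
    return resp["ChangeInfo"]["Status"]

if __name__ == "__main__":  # real run: every value below is a placeholder to replace
    import boto3
    ec2, r53 = boto3.client("ec2", region_name="us-east-1"), boto3.client("route53")
    enable_dns_attributes(ec2, "vpc-PLACEHOLDER")
    zone = create_private_zone(r53, "corp.example.", "vpc-PLACEHOLDER", "us-east-1")
    print(point_name_at_instance(r53, zone, "web.corp.example.", "10.0.1.25"))
```

Resolution is then verified exactly as in step 5, with nslookup from an instance inside the same VPC; the names do not resolve from anywhere else.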
AWS Route53 health checks cannot be associated with resource record sets in private hosted zones.

Use cases of Private Hosted Zones(PHZ):

1. Public and private hosted zones can have the same domain name and can contain the same subdomains. Using this flexibility, an internal version of our website can be maintained for testing code changes before making them public.
2. Failover could be implemented using PHZs for any component of the application. For example, say we have an application connected to a database. Instead of providing the database's IP or endpoint in the application, a PHZ record for the database can be created and used in the application. We can write a script that keeps pinging the database and, if anything goes wrong with it, changes the PHZ record to the standby database endpoint.
3. Instead of creating a separate public sub-domain for load testing, PHZs could be used to perform load tests.
4. For intra-application communication, subdomains defined in PHZs could be used instead of hard-coding server IPs.
5. This feature relieves us of the headache of managing our own internal DNS servers.
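The failover script from use case 2, as an added example that is not code from the original post: a watcher that probes the primary database's TCP port and UPSERTs the PHZ record to the standby address only after several consecutive failures, since Route53 health checks cannot be attached to records in a private zone. The zone id, record name and addresses are constructed placeholders; the route53 argument is a boto3 Route53 client supplied by the caller.

```python
import socket

def tcp_reachable(host, port, timeout=2.0):
    """Cheap liveness probe: can we complete a TCP handshake with the database port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

class FailoverWatcher:
    """Flips the PHZ A record from primary to standby after `threshold` consecutive
    failed probes. Fail-back is deliberately manual: flapping between databases is
    worse than a short outage, so a human decides when the primary is trusted again."""

    def __init__(self, route53, zone_id, record_name, primary_ip, standby_ip,
                 threshold=3, ttl=30):
        self.route53, self.zone_id, self.record_name = route53, zone_id, record_name
        self.primary_ip, self.standby_ip = primary_ip, standby_ip
        self.threshold, self.ttl = threshold, ttl
        self.failures = 0
        self.active_ip = primary_ip

    def _upsert(self, ip):
        # UPSERT creates or replaces the record in one call; the low TTL bounds how long
        # clients keep resolving the dead primary after the switch.
        self.route53.change_resource_record_sets(
            HostedZoneId=self.zone_id,
            ChangeBatch={"Comment": "failover watcher", "Changes": [{
                "Action": "UPSERT",
                "ResourceRecordSet": {"Name": self.record_name, "Type": "A",
                                      "TTL": self.ttl, "ResourceRecords": [{"Value": ip}]}}]})
        self.active_ip = ip

    def observe(self, primary_healthy):
        """Feed one probe result; returns the address the record now points at."""
        if primary_healthy:
            self.failures = 0          # a single blip must not trigger a switch
        else:
            self.failures += 1
            if self.failures >= self.threshold and self.active_ip != self.standby_ip:
                self._upsert(self.standby_ip)
        return self.active_ip

    def tick(self, port=3306):
        """One scheduler iteration: probe the primary and apply the result."""
        return self.observe(tcp_reachable(self.primary_ip, port))
```

Run `FailoverWatcher(boto3.client("route53"), "ZONEID-PLACEHOLDER", "db.corp.example.", "10.0.2.10", "10.0.3.10").tick()` from a scheduler every few seconds; the watcher only calls Route53 when it actually flips the record.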


comments (4)

  1. NAm

    Hello, please explain the use case of it in more detail. I don’t understand how PHZ helps us maintain code for testing before going public. I mean, if we change any code of the website running inside an EC2 instance, that would affect our website right away, right?

    In my understanding, PHZ is just used for easier lookup. For example, I have 10 instances in a VPC with 10 private IPs and I want to manage them with human-readable names, so I use PHZ so I don’t need to remember their private IPs.

    1. Navjot Singh

      We usually have a QA/UAT environment on AWS for testing. We can use the same endpoints in the code that would work on QA/UAT and prod as well, where both environments are running in different VPCs.

      1. NAm

        So for example, I have a web app running in 3 instances (which are 3 different environments) called development, staging and production.
        Only the production instance goes public because that’s for production.

        So I create a public hosted zone with the domain and give the value: public IP of the production instance.
        Then I create a private hosted zone for dev and staging with the same domain and give the value: private IP of the dev, staging instance.

        So if a request comes from the Internet to that production instance, they can access my web app.

        But since dev and stage are in the private hosted zone, only requests coming from inside the VPC work.

        I don’t know how they’re related to each other.
        If we maintain, change code in the dev, staging instance, well, it doesn’t have any effect on the production instance, right? Why do they even have a domain name?

