Skip navigation links

Package software.amazon.awscdk.services.route53

Amazon Route53 Construct Library

See: Description

Package software.amazon.awscdk.services.route53 Description

Amazon Route53 Construct Library

---

cfn-resources: Stable

cdk-constructs: Stable

To add a public hosted zone: 

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 import software.amazon.awscdk.aws_route53;
 
 
 new PublicHostedZone(this, "HostedZone", new PublicHostedZoneProps()
         .zoneName("fully.qualified.domain.com"));

To add a private hosted zone, use PrivateHostedZone. Note that enableDnsHostnames and enableDnsSupport must have been enabled for the VPC you're configuring for private hosted zones. 

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 import software.amazon.awscdk.aws_ec2;
 import software.amazon.awscdk.aws_route53;
 
 
 Vpc vpc = new Vpc(this, "VPC");
 
 PrivateHostedZone zone = new PrivateHostedZone(this, "HostedZone", new PrivateHostedZoneProps()
         .zoneName("fully.qualified.domain.com")
         .vpc(vpc));

Additional VPCs can be added with zone.addVpc().

Adding Records

To add a TXT record to your zone: 

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 import software.amazon.awscdk.aws_route53;
 
 
 new TxtRecord(this, "TXTRecord", new TxtRecordProps()
         .zone(myZone)
         .recordName("_foo")// If the name ends with a ".", it will be used as-is;
         // if it ends with a "." followed by the zone name, a trailing "." will be added automatically;
         // otherwise, a ".", the zone name, and a trailing "." will be added automatically.
         // Defaults to zone root if not specified.
         .values(asList("Bar!", "Baz?"))
         .ttl(Duration.minutes(90)));

To add a NS record to your zone: 

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 import software.amazon.awscdk.aws_route53;
 
 
 new NsRecord(this, "NSRecord", new NsRecordProps()
         .zone(myZone)
         .recordName("foo")
         .values(asList("ns-1.awsdns.co.uk.", "ns-2.awsdns.com."))
         .ttl(Duration.minutes(90)));

To add an A record to your zone: 

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 import software.amazon.awscdk.aws_route53;
 
 
 new ARecord(this, "ARecord", new ARecordProps()
         .zone(myZone)
         .target(route53.RecordTarget.fromIpAddresses("1.2.3.4", "5.6.7.8")));

To add an A record for an EC2 instance with an Elastic IP (EIP) to your zone: 

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 import software.amazon.awscdk.aws_ec2;
 import software.amazon.awscdk.aws_route53;
 
 
 Instance instance = Instance.Builder.create(this, "Instance")Map.of();
 
 CfnEIP elasticIp = new CfnEIP(this, "EIP", new CfnEIPProps()
         .domain("vpc")
         .instanceId(instance.getInstanceId()));
 
 new ARecord(this, "ARecord", new ARecordProps()
         .zone(myZone)
         .target(route53.RecordTarget.fromIpAddresses(elasticIp.getRef())));

To add an AAAA record pointing to a CloudFront distribution: 

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 import software.amazon.awscdk.aws_route53;
 import software.amazon.awscdk.aws_route53_targets;
 
 
 new AaaaRecord(this, "Alias", new AaaaRecordProps()
         .zone(myZone)
         .target(route53.RecordTarget.fromAlias(new CloudFrontTarget(distribution))));

Constructs are available for A, AAAA, CAA, CNAME, MX, NS, SRV and TXT records.

Use the CaaAmazonRecord construct to easily restrict certificate authorities allowed to issue certificates for a domain to Amazon only.

To add a NS record to a HostedZone in different account you can do the following:

In the account containing the parent hosted zone: 

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 import software.amazon.awscdk.aws_route53;
 
 
 PublicHostedZone parentZone = new PublicHostedZone(this, "HostedZone", new PublicHostedZoneProps()
         .zoneName("someexample.com")
         .crossAccountZoneDelegationPrincipal(new AccountPrincipal("12345678901"))
         .crossAccountZoneDelegationRoleName("MyDelegationRole"));

In the account containing the child zone to be delegated: 

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 import software.amazon.awscdk.aws_iam;
 import software.amazon.awscdk.aws_route53;
 
 
 PublicHostedZone subZone = new PublicHostedZone(this, "SubZone", new PublicHostedZoneProps()
         .zoneName("sub.someexample.com"));
 
 // import the delegation role by constructing the roleArn
 String delegationRoleArn = Stack.of(this).formatArn(new ArnComponents()
         .region("")// IAM is global in each partition
         .service("iam")
         .account("parent-account-id")
         .resource("role")
         .resourceName("MyDelegationRole"));
 IRole delegationRole = iam.Role.fromRoleArn(this, "DelegationRole", delegationRoleArn);
 
 // create the record
 // create the record
 new CrossAccountZoneDelegationRecord(this, "delegate", new CrossAccountZoneDelegationRecordProps()
         .delegatedZone(subZone)
         .parentHostedZoneName("someexample.com")// or you can use parentHostedZoneId
         .delegationRole(delegationRole));

Imports

If you don't know the ID of the Hosted Zone to import, you can use the HostedZone.fromLookup: 

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 HostedZone.fromLookup(this, "MyZone", Map.of(
         "domainName", "example.com"));

HostedZone.fromLookup requires an environment to be configured. Check out the documentation for more documentation and examples. CDK automatically looks into your ~/.aws/config file for the [default] profile. If you want to specify a different account run cdk deploy --profile [profile]. 

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 MyDevStack.Builder.create(app, "dev")
         .env(Map.of(
                 "account", process.env.getCDK_DEFAULT_ACCOUNT(),
                 "region", process.env.getCDK_DEFAULT_REGION()))
         .build();

If you know the ID and Name of a Hosted Zone, you can import it directly: 

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object zone = HostedZone.fromHostedZoneAttributes(this, "MyZone", Map.of(
         "zoneName", "example.com",
         "hostedZoneId", "ZOJJZC49E0EPZ"));

Alternatively, use the HostedZone.fromHostedZoneId to import hosted zones if you know the ID and the retrieval for the zoneName is undesirable. 

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object zone = HostedZone.fromHostedZoneId(this, "MyZone", "ZOJJZC49E0EPZ");

VPC Endpoint Service Private DNS

When you create a VPC endpoint service, AWS generates endpoint-specific DNS hostnames that consumers use to communicate with the service. For example, vpce-1234-abcdev-us-east-1.vpce-svc-123345.us-east-1.vpce.amazonaws.com. By default, your consumers access the service with that DNS name. This can cause problems with HTTPS traffic because the DNS will not match the backend certificate: 

 curl: (60) SSL: no alternative certificate subject name matches target host name 'vpce-abcdefghijklmnopq-rstuvwx.vpce-svc-abcdefghijklmnopq.us-east-1.vpce.amazonaws.com'

Effectively, the endpoint appears untrustworthy. To mitigate this, clients have to create an alias for this DNS name in Route53.

Private DNS for an endpoint service lets you configure a private DNS name so consumers can access the service using an existing DNS name without creating this Route53 DNS alias This DNS name can also be guaranteed to match up with the backend certificate.

Before consumers can use the private DNS name, you must verify that you have control of the domain/subdomain.

Assuming your account has ownership of the particular domain/subdomain, this construct sets up the private DNS configuration on the endpoint service, creates all the necessary Route53 entries, and verifies domain ownership. 

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 import software.amazon.awscdk.Stack;
 import aws.cdk.lib.aws.ec2.Vpc;
 import aws.cdk.lib.aws.ec2.VpcEndpointService;
 import aws.cdk.lib.aws.elasticloadbalancingv2.NetworkLoadBalancer;
 import aws.cdk.lib.aws.route53.PublicHostedZone;
 
 
 stack = new Stack();
 vpc = new Vpc(stack, "VPC");
 nlb = new NetworkLoadBalancer(stack, "NLB", new NetworkLoadBalancerProps()
         .vpc(vpc));
 vpces = new VpcEndpointService(stack, "VPCES", new VpcEndpointServiceProps()
         .vpcEndpointServiceLoadBalancers(asList(nlb)));
 // You must use a public hosted zone so domain ownership can be verified
 zone = new PublicHostedZone(stack, "PHZ", new PublicHostedZoneProps()
         .zoneName("aws-cdk.dev"));
 VpcEndpointServiceDomainName.Builder.create(stack, "EndpointDomain")
         .endpointService(vpces)
         .domainName("my-stuff.aws-cdk.dev")
         .publicHostedZone(zone)
         .build();
Skip navigation links

Copyright © 2021. All rights reserved.