
Private Hosted Zones



This course has been replaced with a new course that you can find here


Amazon's Route 53 provides three services: record creation (which registers the human-readable names you'd like associated with your web domains), request handling (to direct web traffic to the right servers), and health checks (to ensure that traffic isn't being directed to servers that can't handle the load).

Very few web-facing AWS deployments can really be considered complete without applying the tools Route 53 makes available, so cloud expert David Robinson will guide you through some of the more common - and useful - domain-related tasks, including:

If you'd rather focus on AWS cloud computing basics, try our AWS introductory courses.

If you have thoughts or suggestions for this course, please contact Cloud Academy at support@cloudacademy.com.


In this lesson, we will create a Private Hosted Zone for our domain. So what is a Private Hosted Zone and why do I need one? This is a very good question. A Private Hosted Zone is a DNS zone for your domain that is associated with one or more of your Virtual Private Clouds (VPCs) for internal routing. If you create a public and a private hosted zone with the same domain name, you have created what is called Split-Horizon DNS, which is also known as Split-View DNS, Split-Brain DNS, or just Split DNS.

Split-Horizon DNS is designed to provide different authoritative answers to an identical query. So if I queried www.cloudacademylabs1.com, I would get a different response depending on whether the query came from inside the VPC or from outside it. There are a few things to be aware of with Route 53 Private Hosted Zones. To use Private Hosted Zones, you must set "enableDnsHostnames" and "enableDnsSupport" to true in your VPC.

Please refer to course AWS 261, Virtual Private Cloud, for more information on setting up your VPC. You can't associate Route 53 Health Checks with resource record sets in a Private Hosted Zone.

Private Hosted Zones take precedence over Public Hosted Zones. For example, if you have www.cloudacademylabs1.com in a Public Hosted Zone and you don't have a corresponding entry in the Private Hosted Zone when you are in an associated VPC, you won't be able to access this site as it only appears in the Public Hosted Zone.

You can't create name server records in a Private Hosted Zone to delegate responsibility for a subdomain.

The IP address for the Amazon-provided DNS servers for your VPC is the base VPC address range plus two. For example, if our VPC is, then our DNS server is Before we create our Private Hosted Zone in our VPC, we need to ensure that "enableDnsHostnames" and "enableDnsSupport" are both set to true.

If you're using the default VPC that AWS created, these are both set to true by default. Once we have met the prerequisites of our VPC, the next thing we need to do is to create our Public Hosted Zone. Go to the Amazon Route 53 console. Click create hosted zone. In the create hosted zone pane, enter a domain name and, optionally, a comment.

In the Type drop-down menu, select Private Hosted Zone for Amazon VPC. In the VPC ID drop-down menu, select the VPC you wish to associate this zone with. Click create. At present, we have associated this zone with a single VPC. To associate it with additional VPCs from the hosted zones view, select the radio button for the zone we just created, then in the right-hand menu select Associate New VPC from the drop-down, click associate, and repeat as necessary. If you inadvertently add the wrong VPC, or want to remove one in the future, click the X to the right of the VPC ID and then select disassociate to remove it. Next we will create a resource record set for www.cloudacademylabs1.com with an internal IP address, or some other value that differs from the Public Hosted Zone, and then show that a query from my computer returns one set of IP addresses while the same query from within the VPC returns a different result.

We will now create a resource record for www.cloudacademylabs1.com with a different IP address from the one in our Public Hosted Zone. You will notice that when I run a dig query from my local machine, it returns the public hosted entry. But if I SSH into an EC2 instance and run the same query, you will see that it returns a different value, because Private Hosted Zones take precedence over Public Hosted Zones for instances running in the VPC.
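The same procedure done with the AWS CLI instead of the console, as an added example that is not part of the course material or AWS's own code: it enables the two VPC DNS attributes, creates the private zone associated with one VPC, associates a second VPC, upserts the internal A record, and runs the dig comparison from the workstation and from an instance inside the VPC. The VPC ids, region, internal address and the ssh target are placeholders or constructed values; the domain is the one used in the lesson. The `vpc_resolver` helper only reproduces the "base address plus two" rule for the Amazon-provided resolver on a CIDR you pass it.

```shell
#!/bin/sh
# Added example (not Cloud Academy's or AWS's code): the lesson's console steps via the AWS CLI.
# VPC ids, region, internal IP and ssh target are placeholders; replace them before running.
set -eu

DOMAIN="cloudacademylabs1.com"
REGION="${AWS_REGION:-us-east-1}"          # assumption: the region your VPCs live in
PRIMARY_VPC="vpc-0123456789abcdef0"        # placeholder VPC id
EXTRA_VPC="vpc-0fedcba9876543210"          # placeholder second VPC id
INTERNAL_IP="10.0.1.25"                    # constructed private address for the record

# Amazon-provided resolver = VPC base address + 2 (pure arithmetic, no API call).
vpc_resolver() {
  base="${1%%/*}"
  oldifs=$IFS; IFS=.; set -- $base; IFS=$oldifs
  echo "$1.$2.$3.$(( $4 + 2 ))"
}

# Prerequisite from the lesson: enableDnsSupport and enableDnsHostnames must both be true.
# Support is set first because hostnames depend on it; the reads confirm the result.
ensure_vpc_dns() {
  vpc="$1"
  aws ec2 modify-vpc-attribute --vpc-id "$vpc" --enable-dns-support '{"Value":true}'
  aws ec2 modify-vpc-attribute --vpc-id "$vpc" --enable-dns-hostnames '{"Value":true}'
  aws ec2 describe-vpc-attribute --vpc-id "$vpc" --attribute enableDnsSupport \
      --query 'EnableDnsSupport.Value' --output text
  aws ec2 describe-vpc-attribute --vpc-id "$vpc" --attribute enableDnsHostnames \
      --query 'EnableDnsHostnames.Value' --output text
}

# Create the private zone associated with the first VPC; prints the hosted zone id.
create_private_zone() {
  aws route53 create-hosted-zone --name "$DOMAIN" \
      --caller-reference "phz-$(date +%s)" \
      --hosted-zone-config PrivateZone=true \
      --vpc "VPCRegion=$REGION,VPCId=$PRIMARY_VPC" \
      --query 'HostedZone.Id' --output text
}

# The console's "Associate New VPC"; call once per additional VPC.
associate_vpc() {
  aws route53 associate-vpc-with-hosted-zone --hosted-zone-id "$1" \
      --vpc "VPCRegion=$REGION,VPCId=$2"
}

# Change batch for an A record (pure; JSON on stdout), so it can be inspected before use.
change_batch() {
  printf '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"A","TTL":60,"ResourceRecords":[{"Value":"%s"}]}}]}' "$1" "$2"
}

upsert_record() {
  aws route53 change-resource-record-sets --hosted-zone-id "$1" \
      --change-batch "$(change_batch "$2" "$3")"
}

# Split-horizon check: identical query from the workstation and from an instance in the VPC.
show_split_horizon() {
  name="$1"; instance="$2"   # instance: ssh target inside the VPC, e.g. ec2-user@<address>
  echo "from workstation (public view):";  dig +short "$name"
  echo "from inside the VPC (private view):"; ssh "$instance" dig +short "$name"
}

# Guarded so that sourcing the file defines the helpers without making any API calls.
if [ "${RUN_AWS:-0}" = "1" ]; then
  ensure_vpc_dns "$PRIMARY_VPC"
  ZONE=$(create_private_zone)
  associate_vpc "$ZONE" "$EXTRA_VPC"
  upsert_record "$ZONE" "www.$DOMAIN" "$INTERNAL_IP"
  show_split_horizon "www.$DOMAIN" "${INSTANCE:?set INSTANCE=user@host inside the VPC}"
fi
```

Run with `RUN_AWS=1 INSTANCE=ec2-user@<instance address> sh phz.sh` after replacing the placeholders. The public zone's www record is left untouched, so the workstation keeps resolving the public address while instances in the associated VPCs resolve the internal one.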

About the Author
David Robinson
Systems Architect

David's acknowledged hands-on experience in the IT industry has seen him speak at international conferences, operate in pre-sales environments and conduct actual design and delivery services.

David also has extensive experience in delivery operations. David has worked in the financial, mining, state government, federal government and public sectors across Asia Pacific and the US.