Creating Amazon RouteĀ 53 and Route 53 VPC Resolver resources with AWS CloudFormation (original) (raw)
Amazon Route 53 and Route 53 VPC Resolver are integrated with AWS CloudFormation, a service that helps you to model and set up your AWS resources so that you can spend less time creating and managing your resources and infrastructure. You create a template that describes all the AWS resources that you want, and CloudFormation provisions and configures those resources for you.
When you use CloudFormation, you can reuse your template to set up your Route 53 and VPC Resolver resources consistently and repeatedly. Describe your resources once, and then provision the same resources over and over in multiple AWS accounts and Regions.
Route 53, VPC Resolver, and CloudFormation templates
To provision and configure resources for Route 53, VPC Resolver, and related services, you must understand CloudFormation templates. Templates are formatted text files in JSON or YAML. These templates describe the resources that you want to provision in your CloudFormation stacks. If you're unfamiliar with JSON or YAML, you can use CloudFormation Designer to help you get started with CloudFormation templates. For more information, see What is CloudFormation Designer? in the_AWS CloudFormation User Guide_.
Route 53 supports creating the following resource types in CloudFormation:
AWS::Route53::DNSSECAWS::Route53::HealthCheckAWS::Route53::HostedZoneAWS::Route53::KeySigningKeyAWS::Route53::RecordSetAWS::Route53::RecordSetGroup
For more information, including examples of JSON and YAML templates for Route 53 resources, see the Amazon Route 53 resource type reference in the AWS CloudFormation User Guide.
VPC Resolver supports creating the following resource types in CloudFormation:
AWS::Route53Resolver::FirewallDomainListAWS::Route53Resolver::FirewallDomainListAWS::Route53Resolver::FirewallRuleGroupAssociationAWS::Route53Resolver::ResolverDNSSECConfigAWS::Route53Resolver::ResolverEndpointAWS::Route53Resolver::ResolverQueryLoggingConfigAWS::Route53Resolver::ResolverQueryLoggingConfigAssociationAWS::Route53Resolver::ResolverRuleAWS::Route53Resolver::ResolverRuleAssociation
For more information, including examples of JSON and YAML templates for VPC Resolver resources, see the Route 53 VPC Resolver resource type reference in the AWS CloudFormation User Guide.
Best practices for Route 53 and CloudFormation
When using CloudFormation to manage Route 53 resources, follow these best practices to avoid common issues and ensure reliable deployments.
Understanding eventual consistency
Route 53 uses an eventually consistent model for DNS changes. This can affect CloudFormation operations, particularly during rollbacks and rapid successive changes.
Important
When CloudFormation attempts to roll back DNS record changes, the rollback might fail due to the Route 53 eventual consistency model. If CloudFormation tries to recreate a record that was recently deleted but still appears to exist due to eventual consistency, you might encounter InvalidChangeBatch errors that leave your DNS in a broken state.
To minimize issues related to eventual consistency:
- Plan changes carefully - Avoid making rapid successive changes to the same DNS records
- Test in non-production first - Always test DNS changes in development environments before applying to production
- Monitor deployments - Watch CloudFormation stack events closely during DNS-related deployments. For monitoring guidance, seeMonitoring Amazon Route 53.
- Have rollback procedures ready - Prepare manual recovery procedures in case automatic rollbacks fail
DNS record ordering and logical IDs
When creating multiple DNS records in CloudFormation, be careful about record ordering and logical ID assignment.
Warning
If you define DNS records in arrays or lists within your CloudFormation template, inserting new records in the middle of the list can cause CloudFormation to reassign logical IDs to existing records. This triggers record replacements that can lead to service disruptions and rollback failures.
Best practices for DNS record management:
- Use explicit logical IDs - Always assign explicit, meaningful logical IDs to DNS records rather than relying on array indices. For more information about CloudFormation logical IDs, see Resources section structure in the_AWS CloudFormation User Guide_
- Append new records - When adding new DNS records to existing lists, append them to the end rather than inserting them in the middle
- Group related records - Consider using
AWS::Route53::RecordSetGroupfor managing related records together. For more information, see AWS::Route53::RecordSetGroup in the_AWS CloudFormation User Guide_. - Review change sets - Always review CloudFormation change sets before deployment to identify unexpected record replacements. For more information, see Updating stacks using change sets in the_AWS CloudFormation User Guide_.
Handling rollback failures
If a CloudFormation rollback fails due to DNS-related issues, you might need to perform manual recovery.
To perform manual recovery from failed DNS rollbacks
- Identify the failed DNS records by reviewing CloudFormation stack events and Route 53 hosted zone records
- Manually create or update the missing DNS records through the Route 53 console or API. For information about creating records, see Working with records.
- Once DNS is restored, update your CloudFormation template to match the current state
- Deploy the corrected template to bring CloudFormation back in sync with the actual resources
To prevent rollback failures:
- Avoid making changes that could trigger DNS record replacements during high-traffic periods
- Implement health checks and monitoring to detect DNS issues quickly. For information about health checks, see Creating and updating health checks.
- Consider using blue-green deployment strategies for critical DNS changes. For more information about deployment best practices, see Best practices for Amazon Route 53.
- Document emergency procedures for manual DNS recovery
Learn more about CloudFormation
To learn more about CloudFormation, see the following resources: