Amazon Route 53 is AWS's managed DNS, domain registration, and health-checking service. It combines authoritative DNS hosting with traffic policies that let you route users based on geography, latency, weighted distribution, or the health of your endpoints.
Creating a public hosted zone, an alias record to a CloudFront distribution, and a failover record set with a health check via boto3:
import boto3

r53 = boto3.client("route53")

# 1) Create the public hosted zone. The response's DelegationSet lists the
#    four NS records to configure at the registrar. CallerReference must be
#    unique per request so that a retried call cannot create a second zone.
zone = r53.create_hosted_zone(
    Name="example.com",
    CallerReference="example-2026-04-25",
    HostedZoneConfig={"Comment": "Production zone", "PrivateZone": False},
)
zone_id = zone["HostedZone"]["Id"].split("/")[-1]   # "/hostedzone/Z..." -> "Z..."

# 2) Alias A record at the zone apex pointing to CloudFront. Alias records
#    carry no TTL or ResourceRecords: Route 53 resolves the target itself.
r53.change_resource_record_sets(
    HostedZoneId=zone_id,
    ChangeBatch={"Changes": [{
        "Action": "UPSERT",
        "ResourceRecordSet": {
            "Name": "example.com",
            "Type": "A",
            "AliasTarget": {
                "HostedZoneId": "Z2FDTNDATAQYW2",  # CloudFront's fixed zone ID
                "DNSName": "d111111abcdef8.cloudfront.net.",
                "EvaluateTargetHealth": False,     # not supported for CloudFront targets
            },
        },
    }]},
)

# 3) Health check + active-passive failover pair. An HTTPS check passes only if
#    the TLS handshake succeeds and /health answers with a 2xx or 3xx status.
hc = r53.create_health_check(
    CallerReference="api-primary-2026-04-25",
    HealthCheckConfig={
        "Type": "HTTPS",
        "FullyQualifiedDomainName": "api-primary.example.com",
        "Port": 443,
        "ResourcePath": "/health",
        "RequestInterval": 30,   # seconds between probes from each checker location
        "FailureThreshold": 3,   # consecutive failures before a checker reports unhealthy
    },
)["HealthCheck"]["Id"]

# The secondary has no health check, so Route 53 always treats it as healthy
# and answers with it whenever the primary's check fails.
for set_id, target, hc_id in [
    ("primary", "api-primary.example.com.", hc),
    ("secondary", "api-dr.example.com.", None),
]:
    rrset = {
        "Name": "api.example.com",
        "Type": "CNAME",
        "SetIdentifier": set_id,
        "Failover": "PRIMARY" if set_id == "primary" else "SECONDARY",
        "TTL": 60,
        "ResourceRecords": [{"Value": target}],
    }
    if hc_id:
        rrset["HealthCheckId"] = hc_id
    r53.change_resource_record_sets(
        HostedZoneId=zone_id,
        ChangeBatch={"Changes": [{"Action": "UPSERT",
                                  "ResourceRecordSet": rrset}]},
    )
CNAME is standard DNS. It cannot sit at the zone apex (example.com itself), because RFC 1034 forbids a CNAME from coexisting with any other record at the same name and the apex always carries SOA and NS records; CNAME queries are billed per million like any other record. Alias is an AWS-specific record type that exists only inside Route 53: Route 53 resolves the alias target itself (ALB/NLB, CloudFront, API Gateway, Elastic Beanstalk, Global Accelerator, S3 website endpoint, or another record in the same hosted zone) and answers with the target's current IP addresses, so the client never sees the intermediate name and never has to follow a chain. Aliases work at the apex, queries for aliases to AWS resources are not billed, and EvaluateTargetHealth lets the alias inherit the target's health instead of needing a separate health check (not supported for CloudFront targets, which is why the example above sets it to False). Aliases also stay current when the target's IPs change; a CNAME to a deleted resource keeps answering with a name nobody controls.
Use latency-based routing: create one record per region pointing at that region's endpoint, each with a health check (or an alias with EvaluateTargetHealth), and Route 53 answers with the lowest-latency healthy region. Note that latency is measured from the resolver that sends the query, not from the end user, so users behind a distant public resolver can be routed to the wrong region unless that resolver sends EDNS Client Subnet (which Route 53 honours). Combine with weighted records inside each region for finer control: the latency record for a region aliases a per-region name in the same hosted zone, and that name holds the weighted records. For runbook-driven failover (regulated environments), use Application Recovery Controller routing controls, which are explicit on/off switches evaluated independently of automated health checks.
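The record rules above (no CNAME at the apex, alias records without TTL or values, EvaluateTargetHealth unsupported for CloudFront) and the latency-over-weighted layering are easy to get wrong in a change batch, and Route 53 only tells you at request time. The following is an added example, not code from the page or from AWS: it builds the UPSERT batch for a latency-routed name whose per-region targets are weighted A records, linking the two layers with an alias to a record in the same hosted zone, and runs a preflight validator over the batch before it would be handed to change_resource_record_sets. The zone ID, names, regions, IP addresses and health check IDs are made-up sample values.

```python
"""Builder and preflight validator for Route 53 change batches (added example)."""

CLOUDFRONT_ALIAS_ZONE = "Z2FDTNDATAQYW2"   # fixed zone ID for CloudFront alias targets
POLICY_KEYS = ("Region", "Weight", "Failover")   # the routing policies used on this page


class ChangeBatchError(ValueError):
    """Raised for a record Route 53 would reject or that is mis-built."""


def fqdn(name):
    return name if name.endswith(".") else name + "."


def alias_rrset(name, rtype, alias_zone_id, dns_name, evaluate_target_health=False, **policy):
    rrset = {"Name": fqdn(name), "Type": rtype,
             "AliasTarget": {"HostedZoneId": alias_zone_id, "DNSName": fqdn(dns_name),
                             "EvaluateTargetHealth": evaluate_target_health}}
    rrset.update(policy)
    return rrset


def simple_rrset(name, rtype, values, ttl=60, **policy):
    rrset = {"Name": fqdn(name), "Type": rtype, "TTL": ttl,
             "ResourceRecords": [{"Value": v} for v in values]}
    rrset.update(policy)
    return rrset


def validate_rrset(rrset, zone_name):
    name, rtype, apex = rrset["Name"], rrset["Type"], fqdn(zone_name)
    if name != apex and not name.endswith("." + apex):
        raise ChangeBatchError(f"{name} is outside zone {apex}")
    if rtype == "CNAME" and name == apex:
        # RFC 1034: a CNAME cannot share a name with other data; the apex has SOA and NS
        raise ChangeBatchError("CNAME is not permitted at the zone apex; use an alias record")
    if "AliasTarget" in rrset:
        if "TTL" in rrset or "ResourceRecords" in rrset:
            raise ChangeBatchError(f"{name}: alias records carry no TTL or ResourceRecords")
        target = rrset["AliasTarget"]
        if target["HostedZoneId"] == CLOUDFRONT_ALIAS_ZONE and target["EvaluateTargetHealth"]:
            raise ChangeBatchError(f"{name}: EvaluateTargetHealth is not supported for CloudFront")
    elif "TTL" not in rrset or not rrset.get("ResourceRecords"):
        raise ChangeBatchError(f"{name}: non-alias records need a TTL and at least one value")
    policies = [k for k in POLICY_KEYS if k in rrset]
    if len(policies) > 1:
        raise ChangeBatchError(f"{name}: one routing policy per record, got {policies}")
    if policies and "SetIdentifier" not in rrset:
        raise ChangeBatchError(f"{name}: {policies[0]} routing requires SetIdentifier")
    if "Failover" in rrset and rrset["Failover"] not in ("PRIMARY", "SECONDARY"):
        raise ChangeBatchError(f"{name}: Failover must be PRIMARY or SECONDARY")
    if "Weight" in rrset and not 0 <= rrset["Weight"] <= 255:
        raise ChangeBatchError(f"{name}: Weight must be between 0 and 255")


def validate_change_batch(batch, zone_name):
    """Validate every record and reject duplicate (Name, Type, SetIdentifier) entries."""
    seen = set()
    for change in batch["Changes"]:
        rr = change["ResourceRecordSet"]
        validate_rrset(rr, zone_name)
        key = (rr["Name"], rr["Type"], rr.get("SetIdentifier"))
        if key in seen:
            raise ChangeBatchError(f"duplicate record in batch: {key}")
        seen.add(key)
    return True


def latency_with_weighted_batch(zone_id, zone_name, name, regions, ttl=60):
    """regions: {aws_region: [(set_id, ip, weight, health_check_id_or_None), ...]}.

    Layer 1: weighted A records at <region>.<name>, each with its own health check.
    Layer 2: latency alias A records at <name> pointing at the layer-1 name in this
    same zone (HostedZoneId is the zone's own ID), with EvaluateTargetHealth so the
    region drops out of latency routing when all of its targets fail.
    """
    changes = []
    for region, targets in regions.items():
        region_name = f"{region}.{name}"
        for set_id, ip, weight, hc_id in targets:
            rr = simple_rrset(region_name, "A", [ip], ttl, SetIdentifier=set_id, Weight=weight)
            if hc_id:
                rr["HealthCheckId"] = hc_id
            changes.append({"Action": "UPSERT", "ResourceRecordSet": rr})
        rr = alias_rrset(name, "A", zone_id, region_name, evaluate_target_health=True,
                         SetIdentifier=region, Region=region)
        changes.append({"Action": "UPSERT", "ResourceRecordSet": rr})
    batch = {"Comment": f"latency + weighted routing for {name}", "Changes": changes}
    validate_change_batch(batch, zone_name)
    return batch


# Constructed sample input. To apply for real:
#   boto3.client("route53").change_resource_record_sets(HostedZoneId=ZONE_ID, ChangeBatch=SAMPLE_BATCH)
ZONE_ID, ZONE = "Z0123456789EXAMPLE", "example.com"
SAMPLE_REGIONS = {
    "us-east-1": [("use1-a", "198.51.100.10", 70, "11111111-aaaa-bbbb-cccc-000000000001"),
                  ("use1-b", "198.51.100.11", 30, "11111111-aaaa-bbbb-cccc-000000000002")],
    "eu-west-1": [("euw1-a", "203.0.113.10", 100, "11111111-aaaa-bbbb-cccc-000000000003")],
}
SAMPLE_BATCH = latency_with_weighted_batch(ZONE_ID, ZONE, "api.example.com", SAMPLE_REGIONS)
```

Running the validator before the API call turns the generic InvalidChangeBatch error into a message naming the offending record, and the same checks can run in CI over the batch a deploy pipeline generates.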
Geolocation routes by the client's location in discrete buckets (continent, country, or US state), matching the most specific record first. Always create a default geolocation record (location "*"); without one, queries from locations that match no record get a "no answer" response rather than falling back. Geoproximity routes by the geographic distance between the client and an AWS region (or a custom latitude/longitude you supply), with a bias from -99 to +99 that expands or shrinks a location's effective service area. Geoproximity is available only through Traffic Flow (an extra paid feature); geolocation is part of standard Route 53. Both locate the client by the resolver's address or by EDNS Client Subnet when the resolver sends it.
Public hosted zones serve queries from anywhere on the internet. Private hosted zones are associated with one or more VPCs and resolve only from inside those VPCs (the VPC needs enableDnsSupport and enableDnsHostnames turned on), which makes them the right place for internal service discovery (db.internal.example.com) without exposing names publicly. You can have a public and a private zone for the same domain ("split-horizon DNS") returning different answers internally vs. externally. One caveat: once a private zone for example.com is associated with a VPC, the Resolver treats it as authoritative for the whole domain from that VPC, so a name that exists only in the public zone stops resolving from inside the VPC unless the private zone also defines it.
ELB health checks decide whether to send traffic to a target inside a load balancer's target group: fast, granular, AZ-aware. Route 53 health checks decide whether to return a record in DNS responses: coarser and slower, since failover time is the detection time (RequestInterval times FailureThreshold) plus however long resolvers keep caching the old answer (the record TTL), and the probes come from globally distributed checkers whose published IP ranges (the ROUTE53_HEALTHCHECKS entries in AWS's ip-ranges.json) must be allowed through the endpoint's security groups. An endpoint counts as healthy when more than 18% of checkers report it healthy, and if every record in a failover or latency group is unhealthy, Route 53 treats them all as healthy and answers as if no checks existed. The two complement each other: ELB handles per-instance failover within a region; Route 53 handles cross-region failover via DNS.
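How Route 53 turns checker reports into an answer, as an added example that is not code from the page or from AWS. It models the Route 53 rules above as the example author understands them: the checker quorum (an endpoint is healthy when strictly more than 18% of checkers report it healthy), active-passive failover (PRIMARY while healthy, else a healthy SECONDARY, and PRIMARY again when both are unhealthy because an all-unhealthy group is answered as if all were healthy), latency routing among healthy regions with the same all-unhealthy fallback, and the worst-case failover time implied by the page's 30 s interval, threshold of 3 and 60 s TTL. The checker reports, record values and latencies are constructed sample data.

```python
"""Simulation of Route 53 health aggregation and record selection (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

HEALTHY_QUORUM = 0.18  # healthy if strictly more than 18% of checker locations agree


@dataclass
class Record:
    value: str
    health_check_id: Optional[str] = None   # None: no health check, always treated as healthy
    failover: Optional[str] = None          # "PRIMARY" / "SECONDARY" in a failover group


def endpoint_healthy(reports: List[bool]) -> bool:
    """Aggregate one boolean per checker location into the endpoint's overall status."""
    if not reports:
        raise ValueError("no checker reports")
    return sum(reports) / len(reports) > HEALTHY_QUORUM


def record_healthy(record: Record, checks: Dict[str, List[bool]]) -> bool:
    if record.health_check_id is None:
        return True
    return endpoint_healthy(checks[record.health_check_id])


def answer_failover(records: List[Record], checks: Dict[str, List[bool]]) -> str:
    """Active-passive failover: PRIMARY while healthy, else a healthy SECONDARY,
    else PRIMARY again (an all-unhealthy group is answered as if all were healthy)."""
    primary = next(r for r in records if r.failover == "PRIMARY")
    secondary = next(r for r in records if r.failover == "SECONDARY")
    if record_healthy(primary, checks) or not record_healthy(secondary, checks):
        return primary.value
    return secondary.value


def answer_latency(regions: Dict[str, Record], resolver_latency_ms: Dict[str, int],
                   checks: Dict[str, List[bool]]) -> str:
    """Latency routing: lowest measured latency among healthy regions. The latency is
    measured from the querying resolver's network, not from the end user."""
    healthy = {r: rec for r, rec in regions.items() if record_healthy(rec, checks)} or regions
    best = min(healthy, key=lambda r: resolver_latency_ms[r])
    return healthy[best].value


def worst_case_failover_seconds(request_interval: int, failure_threshold: int, ttl: int) -> int:
    """Upper bound from first failure to clients following the new answer: each checker
    needs failure_threshold consecutive failures request_interval apart, then resolvers
    keep serving the cached answer until the TTL expires."""
    return request_interval * failure_threshold + ttl


# Constructed sample data: 16 checker locations per health check.
CHECKS = {
    "hc-primary": [False] * 14 + [True] * 2,   # 12.5% healthy -> unhealthy
    "hc-dr":      [True] * 3 + [False] * 13,   # 18.75% healthy -> still healthy
    "hc-use1":    [True] * 16,
    "hc-euw1":    [False] * 16,
}
FAILOVER_PAIR = [
    Record("api-primary.example.com.", "hc-primary", "PRIMARY"),
    Record("api-dr.example.com.", "hc-dr", "SECONDARY"),
]
LATENCY_REGIONS = {
    "us-east-1": Record("198.51.100.10", "hc-use1"),
    "eu-west-1": Record("203.0.113.10", "hc-euw1"),
}
RESOLVER_LATENCY_MS = {"us-east-1": 80, "eu-west-1": 20}

if __name__ == "__main__":
    print(answer_failover(FAILOVER_PAIR, CHECKS))                        # api-dr.example.com.
    print(answer_latency(LATENCY_REGIONS, RESOLVER_LATENCY_MS, CHECKS))  # 198.51.100.10
    print(worst_case_failover_seconds(30, 3, 60))                        # 150
```

The two edge cases worth noticing: a target reachable from only 3 of 16 checker locations still counts as healthy, so partial network partitions rarely trigger DNS failover, and when both sides of a failover pair fail their checks the answer snaps back to the primary rather than going dark.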
Every VPC has the Amazon-provided resolver at the VPC's base address plus two (10.0.0.2 for 10.0.0.0/16; it is also reachable at 169.254.169.253). Route 53 Resolver endpoints extend it: outbound endpoints, paired with forwarding rules for specific domains, send queries from the VPC to on-prem DNS (so your apps can resolve corporate domains), and inbound endpoints are ENIs in your subnets that accept queries from on-prem over VPN or Direct Connect and resolve VPC private hosted zones. Each endpoint needs at least two IP addresses, ideally in subnets in different AZs, and sits behind a security group: allow UDP and TCP 53 only from the on-prem resolver ranges (inbound) or to the on-prem DNS servers (outbound). This is the bridge for hybrid DNS in AWS-on-prem architectures.
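The hybrid wiring above, as an added example that is not code from the page or from AWS. The calls it issues on the "route53resolver" client (create_resolver_endpoint, create_resolver_rule, associate_resolver_rule) and their parameter shapes are the real boto3 API, but the client is passed in so the block runs offline against FakeResolverClient, a constructed stand-in that only records the calls and returns responses shaped like the real ones. The VPC, subnet and security group IDs, CIDRs and on-prem DNS addresses are made-up sample values, and the "two distinct subnets" rule is this builder's own availability policy; the API itself requires only two addresses.

```python
"""Route 53 Resolver hybrid DNS wiring, runnable offline (added example)."""
import ipaddress


def amazon_dns_for(vpc_cidr: str) -> str:
    """The Amazon-provided resolver sits at the VPC's base network address plus two."""
    return str(ipaddress.ip_network(vpc_cidr).network_address + 2)


def dns_sg_rules(peer_cidrs):
    """Least-privilege rules for an endpoint's security group: UDP and TCP 53 only,
    restricted to the on-prem ranges. Use as IpPermissions for ec2
    authorize_security_group_ingress (inbound endpoint) or _egress (outbound)."""
    return [{"IpProtocol": proto, "FromPort": 53, "ToPort": 53,
             "IpRanges": [{"CidrIp": c} for c in peer_cidrs]}
            for proto in ("udp", "tcp")]


def endpoint_ip_addresses(subnet_ids):
    if len(subnet_ids) < 2:
        raise ValueError("a Resolver endpoint needs at least two IP addresses")
    if len(set(subnet_ids)) < 2:
        raise ValueError("spread endpoint IPs over two subnets in different AZs (builder policy)")
    return [{"SubnetId": s} for s in subnet_ids]   # AWS picks a free address in each subnet


def create_hybrid_dns(client, vpc_id, subnet_ids, sg_id, onprem_domain, onprem_dns_ips):
    """Outbound endpoint + FORWARD rule for onprem_domain, plus an inbound endpoint."""
    ips = endpoint_ip_addresses(subnet_ids)
    outbound_id = client.create_resolver_endpoint(
        CreatorRequestId=f"outbound-{vpc_id}", Name="vpc-to-onprem",
        SecurityGroupIds=[sg_id], Direction="OUTBOUND", IpAddresses=ips,
    )["ResolverEndpoint"]["Id"]
    # A FORWARD rule must reference an OUTBOUND endpoint and only fires for
    # names under onprem_domain; everything else still uses the VPC resolver.
    rule_id = client.create_resolver_rule(
        CreatorRequestId=f"forward-{onprem_domain}", Name=f"forward-{onprem_domain}",
        RuleType="FORWARD", DomainName=onprem_domain,
        TargetIps=[{"Ip": ip, "Port": 53} for ip in onprem_dns_ips],
        ResolverEndpointId=outbound_id,
    )["ResolverRule"]["Id"]
    # A rule does nothing until it is associated with a VPC.
    client.associate_resolver_rule(ResolverRuleId=rule_id,
                                   Name=f"{onprem_domain}-{vpc_id}", VPCId=vpc_id)
    inbound_id = client.create_resolver_endpoint(
        CreatorRequestId=f"inbound-{vpc_id}", Name="onprem-to-vpc",
        SecurityGroupIds=[sg_id], Direction="INBOUND", IpAddresses=ips,
    )["ResolverEndpoint"]["Id"]
    return {"outbound": outbound_id, "rule": rule_id, "inbound": inbound_id}


class FakeResolverClient:
    """Constructed stand-in for boto3.client("route53resolver"): records each call
    and returns responses shaped like the real ones."""

    def __init__(self):
        self.calls = []

    def create_resolver_endpoint(self, **kw):
        self.calls.append(("create_resolver_endpoint", kw))
        return {"ResolverEndpoint": {"Id": f"rslvr-{kw['Direction'].lower()}-{len(self.calls)}"}}

    def create_resolver_rule(self, **kw):
        self.calls.append(("create_resolver_rule", kw))
        return {"ResolverRule": {"Id": f"rslvr-rr-{len(self.calls)}"}}

    def associate_resolver_rule(self, **kw):
        self.calls.append(("associate_resolver_rule", kw))
        return {"ResolverRuleAssociation": {"Id": f"rslvr-rrassoc-{len(self.calls)}"}}


if __name__ == "__main__":
    # Swap FakeResolverClient() for boto3.client("route53resolver") to run for real.
    fake = FakeResolverClient()
    ids = create_hybrid_dns(fake, "vpc-0abc123", ["subnet-0aaa", "subnet-0bbb"], "sg-0dns",
                            "corp.example", ["10.200.0.10", "10.200.0.11"])
    print(ids, amazon_dns_for("10.0.0.0/16"), dns_sg_rules(["10.200.0.0/16"]))
```

Injecting the client is what makes the call sequence testable without AWS credentials; the same function runs unchanged against the real client, and the on-prem side only needs conditional forwarders for your private zone names pointing at the two inbound endpoint addresses.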