This chapter covers Amazon Route 53 Private Hosted Zones, a critical component for DNS resolution within Amazon Virtual Private Clouds (VPCs). For the SAA-C03 exam, you must understand how private hosted zones enable internal DNS for resources like EC2 instances, RDS databases, and ELBs using private IP addresses, and how they interact with public hosted zones for split-brain DNS. Approximately 5-8% of exam questions directly test your knowledge of Route 53 private hosted zones, often in the context of hybrid networking, multi-tier application architectures, or VPC peering. Mastering this topic is essential for designing resilient and secure architectures.
Imagine a large corporation with 10,000 employees, each with a desk phone and a direct internal extension (e.g., extension 1234). The company also has a public phone number for external callers. When an employee wants to call another employee, they dial the internal extension. The corporate phone system has an internal directory that maps every employee name to their extension. This directory is only accessible from phones inside the company's private network; external callers cannot query it. If an external caller dials the company's public number and asks for 'John Doe', the receptionist looks up John's extension in the internal directory, then transfers the call. The receptionist is the only bridge between the public and private worlds. Now, the company also has a public website, www.example.com, which is hosted on public servers. External customers can reach it via public DNS. But internally, the company uses the same domain name 'example.com' for internal resources like 'hr.example.com' (an internal HR portal). The internal DNS server holds records for 'hr.example.com' pointing to a private IP address (10.0.1.5). When an employee types 'hr.example.com' in their browser, the internal DNS resolves it to 10.0.1.5, not the public IP. This is exactly how Route 53 Private Hosted Zones work: they provide DNS resolution within one or more VPCs for internal resources using private IP addresses, and they can optionally be associated with a public hosted zone for the same domain, allowing split-brain DNS. The private hosted zone is like the internal phone directory, the public hosted zone is like the public phone book, and the VPC is the corporate network where internal directories are accessible.
What is a Route 53 Private Hosted Zone?
A Route 53 private hosted zone is a container for DNS records that are resolvable only from within one or more specified Amazon VPCs. It allows you to use custom domain names (e.g., example.com) for internal resources without exposing those names to the public internet. The private hosted zone is associated with VPCs via a simple association; you can associate up to 100 VPCs per private hosted zone by default (this limit can be increased). The VPCs must be in the same AWS account unless you use cross-account association (supported via Route 53 Resolver).
Why Private Hosted Zones Exist
Before private hosted zones, you had to either:
Run your own DNS server on an EC2 instance (e.g., BIND) inside the VPC, which required maintenance, scaling, and high availability.
Use public hosted zones and rely on security groups or NACLs to restrict access, which is insecure and complex.
Use custom host files or internal DNS solutions that don't integrate with AWS services.
Private hosted zones solve these problems by providing a fully managed, highly available, and scalable DNS service that natively integrates with VPCs and AWS services. They automatically register private IP addresses for resources like EC2 instances (when you enable DNS hostnames) and allow you to create alias records pointing to AWS resources (e.g., ELB, RDS, CloudFront) using private IPs.
How It Works Internally
When a DNS query is made from an EC2 instance inside a VPC associated with a private hosted zone, the following sequence occurs:
The instance's stub resolver sends a DNS query to the VPC's DNS resolver (the Amazon-provided DNS server at the VPC+2 IP address, e.g., 10.0.0.2).
The VPC DNS resolver first checks its cache. If not cached, it forwards the query to the Route 53 DNS service.
Route 53 checks the private hosted zones associated with the VPC. If the domain name matches a private hosted zone, it returns the record from that zone (e.g., an A record with a private IP).
If no associated private hosted zone covers the queried name, Route 53 falls back to the public hosted zone for that domain (if it exists) or performs standard public DNS resolution.
This fallback mechanism is the basis for split-brain DNS: you can have the same domain name (e.g., example.com) defined in both a public hosted zone (for external users) and a private hosted zone (for internal users). Internal queries resolve to private IPs, external queries resolve to public IPs.
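As an added example (not code from this page or from AWS), the following Python script models the zone-selection sequence above with constructed zones, VPC ids and addresses, including the case where a name exists only in the public zone and therefore gets NXDOMAIN from an associated VPC:

```python
"""Toy model of the zone-selection sequence described above.

Added example, not AWS code: an in-memory model of how the VPC resolver picks
an answer. A private hosted zone associated with the querying VPC wins (most
specific name first); a name missing from that zone is NXDOMAIN with no
fallback to the public zone; only names that no associated private zone
covers reach the public zone or ordinary public recursion.
Zone names, VPC ids and addresses are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class HostedZone:
    name: str                  # zone apex, e.g. "example.com"
    private: bool
    vpc_ids: set = field(default_factory=set)    # associated VPCs (private zones only)
    records: dict = field(default_factory=dict)  # fqdn -> IPv4 address (A records)


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def _covers(zone: HostedZone, qname: str) -> bool:
    """True if the normalised qname is the zone apex or lies beneath it."""
    z = _norm(zone.name)
    return qname == z or qname.endswith("." + z)


def _most_specific(zones):
    return max(zones, key=lambda z: len(_norm(z.name)))


def resolve(qname: str, vpc_id: str, zones):
    """Return (source, answer): source is "private", "public" or "recursion";
    answer is an IP, "NXDOMAIN", or None when the query leaves Route 53."""
    q = _norm(qname)
    # Step 1: private zones associated with the querying VPC take precedence.
    private = [z for z in zones if z.private and vpc_id in z.vpc_ids and _covers(z, q)]
    if private:
        zone = _most_specific(private)
        # No record in the matching private zone -> NXDOMAIN; the public zone
        # for the same name is never consulted (split-brain needs duplicates).
        return ("private", zone.records.get(q, "NXDOMAIN"))
    # Step 2: no associated private zone covers the name. Public recursion
    # follows normal delegation and lands in the public hosted zone when the
    # domain is delegated to Route 53 (modelled here as a direct lookup).
    public = [z for z in zones if not z.private and _covers(z, q)]
    if public:
        return ("public", _most_specific(public).records.get(q, "NXDOMAIN"))
    # Step 3: nothing of ours matches; ordinary public DNS resolution.
    return ("recursion", None)


def sample_zones():
    """Split-brain setup: example.com in both a public and a private zone,
    plus a more specific private zone internal.example.com."""
    public = HostedZone("example.com", private=False, records={
        "www.example.com": "203.0.113.10",   # public web site
        "hr.example.com": "203.0.113.20",    # public address of the HR portal
    })
    private = HostedZone("example.com", private=True, vpc_ids={"vpc-aaaa1111"},
                         records={"hr.example.com": "10.0.1.5"})
    internal = HostedZone("internal.example.com", private=True,
                          vpc_ids={"vpc-aaaa1111", "vpc-bbbb2222"},
                          records={"payments.internal.example.com": "10.0.2.7"})
    return [public, private, internal]


if __name__ == "__main__":
    zones = sample_zones()
    for name, vpc in [("hr.example.com", "vpc-aaaa1111"),   # private IP
                      ("www.example.com", "vpc-aaaa1111"),  # NXDOMAIN: not duplicated
                      ("hr.example.com", "vpc-bbbb2222"),   # unassociated VPC: public IP
                      ("payments.internal.example.com", "vpc-bbbb2222")]:
        print(f"{name:32} from {vpc}: {resolve(name, vpc, zones)}")
```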
Key Components, Defaults, and Limits
Private hosted zone: A DNS zone that is not publicly accessible. You create one per domain you want to resolve privately.
VPC association: Each private hosted zone is associated with one or more VPCs. By default, you can associate up to 100 VPCs per zone. The VPCs must have DNS resolution enabled (the enableDnsSupport attribute must be true).
DNS records: Supports standard record types (A, AAAA, CNAME, MX, TXT, etc.) plus Route 53-specific alias records. Alias records can point to AWS resources like ELB, CloudFront, S3, and RDS, and they are free (no charge for alias queries).
Split-brain DNS: When the same domain exists in both public and private hosted zones, private queries use the private zone, public queries use the public zone. This is enabled by associating the private zone with VPCs.
TTL: Default TTL for records is 300 seconds (5 minutes) for most record types, but you can set custom TTLs. Alias records have a TTL of 60 seconds by default.
Reverse DNS: Private hosted zones support reverse DNS (PTR records) for custom IP ranges within your VPC CIDR. To set up reverse DNS, you create a private hosted zone with a name like 0.0.10.in-addr.arpa for a 10.0.0.0/24 range.
Resolver endpoints: For hybrid environments, you can use Route 53 Resolver endpoints to forward DNS queries between your on-premises network and VPCs. Outbound endpoints forward queries from VPC to on-premises; inbound endpoints accept queries from on-premises. Resolver rules can conditionally forward queries to specific DNS servers.
Configuration and Verification
To create a private hosted zone:
aws route53 create-hosted-zone --name example.com --caller-reference my-unique-string --vpc VPCRegion=us-east-1,VPCId=vpc-12345678
To associate an additional VPC:
aws route53 associate-vpc-with-hosted-zone --hosted-zone-id Z1234567890 --vpc VPCRegion=us-east-1,VPCId=vpc-87654321
Verification: From an EC2 instance in the associated VPC, use dig or nslookup:
dig example.com @169.254.169.253
The Amazon DNS server IP is 169.254.169.253 (link-local address) or the VPC+2 IP. If the query returns a private IP, the private hosted zone is working.
Interaction with Related Technologies
VPC Peering: Private hosted zones are NOT automatically shared across peered VPCs. You must explicitly associate the private hosted zone with each VPC that needs to resolve the domain. However, you can use Route 53 Resolver to forward queries across peering connections.
Transit Gateway: Similarly, private hosted zones do not propagate across transit gateway attachments. You need to associate the zone with each VPC or use Resolver endpoints.
AWS Direct Connect and VPN: For hybrid DNS, you can use Resolver endpoints to forward queries between on-premises and VPCs. Private hosted zones can be used to resolve on-premises hostnames if you configure conditional forwarding.
AWS PrivateLink: You can use private hosted zones to resolve interface VPC endpoint DNS names to private IPs, enabling access to AWS services via PrivateLink without traversing the internet.
Important Exam Considerations
The private hosted zone must be associated with the VPC for queries to resolve. Simply creating the zone without associating VPCs will result in no resolution.
The VPC must have DNS resolution enabled (enableDnsSupport=true) and DNS hostnames enabled (enableDnsHostnames=true) for EC2 instances to receive private DNS names.
Alias records in private hosted zones can point to AWS resources but only if those resources are accessible from the VPC. For example, an alias to an internet-facing ELB will resolve to the ELB's public IP, not a private IP, unless the ELB is internal.
You can use private hosted zones with overlapping CIDRs as long as the VPCs are in the same account and the zone is associated with each VPC. However, DNS resolution may be ambiguous if two VPCs have the same IP range; Route 53 returns the record as stored (no location-based routing).
The create-hosted-zone API with a VPC ID creates the zone and associates it in one step. If the VPC is in a different account, you must use the create-vpc-association-authorization and associate-vpc-with-hosted-zone APIs.
Common Exam Scenarios
Split-brain DNS: An organization uses example.com for both public website and internal applications. They create a public hosted zone for example.com with records pointing to public IPs, and a private hosted zone for example.com associated with their VPC, with records pointing to private IPs. Internal EC2 instances get private IPs, external users get public IPs.
Multi-tier application: A web tier ELB is accessed via app.example.com. The private hosted zone has an alias record pointing to the internal ELB's DNS name. The application tier resolves db.example.com to an RDS instance's private IP via a CNAME record.
Hybrid DNS: On-premises network uses Active Directory DNS. An outbound Resolver endpoint forwards queries for corp.example.com to on-premises DNS servers. A private hosted zone for aws.example.com resolves internal AWS resources.
Create Private Hosted Zone
Using the AWS Management Console, CLI, or SDK, you create a private hosted zone for a domain (e.g., internal.example.com). You must specify the domain name and optionally associate one or more VPCs at creation time. The zone is automatically assigned a delegation set of four Route 53 name servers (e.g., ns-123.awsdns-45.com). However, unlike public hosted zones, you do not need to update the domain registrar's NS records because the zone is only used within VPCs. The zone's SOA record is automatically created with a default TTL of 900 seconds (15 minutes).
Associate VPCs
Associate the private hosted zone with the VPC(s) where you want DNS resolution to occur. You can associate up to 100 VPCs by default. The VPC must have DNS resolution enabled (enableDnsSupport=true). If the VPC is in a different AWS account, you must first authorize the association using create-vpc-association-authorization, then the owning account associates the VPC. The association is regional: a VPC in us-east-1 can only be associated with a private hosted zone in us-east-1. Cross-region association is not supported. Once associated, the VPC's DNS resolver (at 169.254.169.253) will query the private hosted zone for matching domains.
Create DNS Records
Add DNS records to the private hosted zone. Supported record types include A, AAAA, CNAME, MX, TXT, SRV, NS, SOA, PTR, and alias records. Alias records are particularly powerful because they can point to AWS resources (ELB, CloudFront, S3, RDS, etc.) and are free of charge. When creating an alias record, you specify the resource's DNS name (e.g., my-load-balancer-1234567890.us-east-1.elb.amazonaws.com). Route 53 automatically resolves the alias to the resource's IP address(es). For non-alias records, you specify the value (e.g., an IP address or another domain name). TTL values can be set per record; default is 300 seconds.
Test Resolution from EC2 Instance
Launch an EC2 instance in the associated VPC (ensure DNS hostnames are enabled). SSH into the instance and use dig or nslookup to query the domain. For example: dig internal.example.com @169.254.169.253. The response should return the private IP address from the private hosted zone. If the query fails, check that the VPC is associated, DNS resolution is enabled, and the instance's security group allows outbound DNS traffic (UDP and TCP port 53). Also verify that the instance's resolver configuration uses the VPC DNS server (default).
Configure Split-Brain DNS (Optional)
If you also have a public hosted zone for the same domain (e.g., example.com), internal queries will resolve to private IPs, and external queries will resolve to public IPs. This is split-brain DNS. To achieve this, simply create both a public and a private hosted zone for example.com. Associate the private zone with your VPC. No additional configuration is needed because Route 53 automatically prioritizes the private zone for queries originating from associated VPCs. Note that the private zone does not inherit records from the public zone; you must duplicate any records you want to be available internally.
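As an added example (not from this page or from AWS), this Python script wraps the dig check from the steps above, classifies the answer against the VPC CIDR so that a fall-through to public resolution or a missing record is caught, and derives the in-addr.arpa names used for reverse DNS; the VPC CIDR and the dig output embedded in it are constructed sample data, and run_dig assumes dig is installed on the instance.

```python
"""Classify a dig answer: did the private hosted zone answer, or did the query
fall through to public resolution?

Added example, not AWS or page code. Outcomes: "private-ok" (address inside
the VPC CIDR), "public-fallthrough" (VPC not associated, or record only in
the public zone), "missing-record" (NXDOMAIN: a private zone matched but has
no record; there is no public fallback). The reverse-DNS helpers derive the
in-addr.arpa zone and PTR owner names. CIDRs and dig output are constructed.
"""
import ipaddress
import re
import subprocess

VPC_DNS = "169.254.169.253"  # Amazon-provided resolver, link-local address
RFC1918 = [ipaddress.ip_network(c) for c in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def run_dig(name: str, server: str = VPC_DNS) -> str:
    """Run `dig <name> @<server>` on the instance and return its text output."""
    proc = subprocess.run(["dig", name, f"@{server}"],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def parse_dig_answers(output: str):
    """Return (status, [A-record addresses]) parsed from dig's text output."""
    m = re.search(r"status: ([A-Z]+)", output)
    status = m.group(1) if m else "UNKNOWN"
    ips = re.findall(r"^\S+\s+\d+\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)", output, re.M)
    return status, ips


def classify(status: str, ips, vpc_cidr: str) -> str:
    """Map a dig result onto the troubleshooting outcomes listed above."""
    vpc = ipaddress.ip_network(vpc_cidr)
    if status == "NXDOMAIN":
        return "missing-record"       # zone matched, record absent; no fallback
    if not ips:
        return "no-answer"            # e.g. SERVFAIL, or no A record returned
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    if all(a in vpc for a in addrs):
        return "private-ok"           # the private hosted zone answered
    if all(any(a in n for n in RFC1918) for a in addrs):
        return "private-outside-vpc"  # private, but not this VPC's range
    return "public-fallthrough"       # public answer: check the VPC association


def check(name: str, vpc_cidr: str, output: str = None) -> str:
    """Resolve `name` via the VPC resolver (or use supplied dig output) and classify."""
    if output is None:
        output = run_dig(name)
    return classify(*parse_dig_answers(output), vpc_cidr)


def reverse_zone_name(cidr: str) -> str:
    """in-addr.arpa zone for a /8, /16 or /24: 10.0.0.0/24 -> 0.0.10.in-addr.arpa."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("reverse zone names need an octet-aligned prefix")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner_name(ip: str) -> str:
    """Owner name of the PTR record for ip: 10.0.0.5 -> 5.0.0.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


# Constructed sample of what dig prints when the private zone answers.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.16.1 <<>> hr.example.com @169.254.169.253
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; QUESTION SECTION:
;hr.example.com.\t\t\tIN\tA

;; ANSWER SECTION:
hr.example.com.\t\t300\tIN\tA\t10.0.1.5
"""

if __name__ == "__main__":
    print("sample ->", check("hr.example.com", "10.0.0.0/16", SAMPLE_DIG_OUTPUT))
    print(reverse_zone_name("10.0.0.0/24"), ptr_owner_name("10.0.0.5"))
```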
Enterprise Scenario 1: Internal Application Discovery
A large financial services company runs hundreds of microservices across multiple VPCs in a single AWS account. Each microservice is fronted by an internal Application Load Balancer (ALB). Developers need to discover services by name (e.g., payments.internal.example.com) without hardcoding IPs. The company creates a private hosted zone for internal.example.com and associates it with all VPCs via a script that loops through VPC IDs. They create alias records for each internal ALB, pointing to the ALB's DNS name. This allows any service to resolve payments.internal.example.com to the ALB's private IP. The alias records automatically update if the ALB's IP changes. The main challenge is managing record updates as services are added or removed. They use Infrastructure as Code (Terraform) to maintain the records. Misconfiguration example: forgetting to associate a new VPC with the private hosted zone causes DNS failures for services in that VPC, leading to application errors that are hard to debug because the DNS query falls back to public resolution and returns a public IP (if a public zone exists) or NXDOMAIN.
Enterprise Scenario 2: Hybrid DNS with On-Premises
A multinational corporation has an on-premises data center running Active Directory DNS. They want to extend their internal domain corp.example.com to AWS. They set up a Direct Connect connection and deploy Route 53 Resolver inbound and outbound endpoints. On-premises DNS servers are configured to forward queries for aws.corp.example.com to the inbound Resolver endpoint IPs. In AWS, they create a private hosted zone for aws.corp.example.com and associate it with their VPCs. They also create Resolver rules that forward queries for corp.example.com to the on-premises DNS servers via the outbound endpoint. This allows EC2 instances to resolve on-premises hostnames (e.g., fileserver.corp.example.com) and on-premises servers to resolve AWS hostnames (e.g., app.aws.corp.example.com). The traffic flows over Direct Connect, ensuring low latency and security. A common pitfall is not configuring the Resolver rules correctly—if the rule is missing, queries for corp.example.com will be forwarded to the public internet (if no private zone exists) or fail. Also, the forward rule must have the correct target IP addresses (on-premises DNS servers).
Scenario 3: Multi-Account DNS
A SaaS provider uses a multi-account strategy with a central networking account and multiple workload accounts. Each workload account has its own VPC. They want all VPCs to resolve a common set of internal DNS names (e.g., db.internal.example.com pointing to a central RDS instance). They create a private hosted zone in the networking account and use cross-account VPC association to associate it with VPCs in workload accounts. The workload account VPCs must authorize the association. The central zone is updated when the RDS instance is replaced. The challenge is managing cross-account permissions and ensuring that the private hosted zone is associated with every new VPC. They use AWS Organizations and Service Catalog to automate VPC creation and association. Misconfiguration: if the cross-account association authorization expires or is revoked, DNS resolution breaks silently.
What SAA-C03 Tests on Private Hosted Zones
The SAA-C03 exam focuses on the following aspects of Route 53 private hosted zones, aligned with Objective 2.5 (Design Resilient Architectures) and Domain 2 (Resilient Architectures):
Split-brain DNS: You must understand that a private hosted zone for the same domain as a public hosted zone allows internal resources to resolve to private IPs while external users get public IPs. The exam often presents a scenario where an organization wants internal and external DNS for the same domain, and the correct answer is to create a private hosted zone and associate it with the VPC.
VPC association: The private hosted zone must be explicitly associated with VPCs. A common wrong answer is that private hosted zones automatically resolve in all VPCs in the account. The exam tests that you must associate each VPC individually.
Alias records: Alias records are free and can point to AWS resources. The exam may ask which record type to use for pointing to an ELB within a private hosted zone—the answer is an alias record, not a CNAME (CNAME cannot be used at the zone apex).
Hybrid DNS: Using Route 53 Resolver endpoints to forward queries between on-premises and VPCs. The exam may ask how to enable on-premises servers to resolve private hosted zone names—the answer is to use an inbound Resolver endpoint.
Limits: Default limit of 100 VPCs per private hosted zone, and VPCs must be in the same region as the zone.
Common Wrong Answers and Why
"Create a public hosted zone and restrict access with security groups": This is wrong because security groups cannot filter DNS queries; they operate at the network interface level. DNS queries are UDP-based and come from random ports. The correct approach is a private hosted zone.
"Private hosted zones automatically resolve in all VPCs in the account": This is false. You must associate each VPC. A candidate might think that because public hosted zones are globally accessible, private ones are too.
"Use a CNAME record to point to an internal ELB": CNAME records cannot be used at the zone apex (e.g., example.com). Also, alias records are preferred because they are free and update automatically when the ELB's IP changes.
"Private hosted zones support geolocation routing": False. Private hosted zones only support simple routing (essentially static records). Geolocation, latency, weighted, and failover routing are only available in public hosted zones.
Specific Numbers and Terms
Default VPC association limit: 100 VPCs per private hosted zone.
VPC DNS server IP: 169.254.169.253 (link-local) or VPC+2 (e.g., 10.0.0.2).
Alias record TTL: 60 seconds default.
SOA record TTL: 900 seconds default.
Record types supported: A, AAAA, CNAME, MX, TXT, SRV, NS, SOA, PTR, alias.
Cross-account association: Requires authorization via create-vpc-association-authorization.
Edge Cases
Overlapping VPC CIDRs: If two VPCs have the same IP range, a private hosted zone can still be associated with both, but DNS resolution may return the same IP for both, which could be incorrect if the resource exists in only one VPC.
Private hosted zone with no records: The zone still exists and will return NXDOMAIN for any query. The VPC DNS resolver will not fall back to public DNS for that domain if a private zone exists (even empty).
Deleting a VPC: If you delete a VPC that is associated with a private hosted zone, the association is automatically removed. The zone remains.
Eliminating Wrong Answers
When you see a question about internal DNS resolution, immediately ask: "Does the scenario require resolution within VPCs?" If yes, the answer must involve a private hosted zone. If the question mentions hybrid DNS (on-premises to VPC), look for Route 53 Resolver endpoints. If the question mentions the same domain for internal and external, it's split-brain DNS. Eliminate answers that use public hosted zones only, or that suggest using security groups to restrict DNS.
Private hosted zones provide DNS resolution within VPCs using private IPs; they are not publicly accessible.
You must explicitly associate each VPC with a private hosted zone; automatic association does not occur.
Split-brain DNS is achieved by creating both a public and private hosted zone for the same domain.
Alias records in private hosted zones can point to AWS resources and are free; they update automatically when the resource's IP changes.
Private hosted zones only support simple routing; routing policies like latency and geolocation are not available.
Cross-account VPC association requires authorization via create-vpc-association-authorization.
Default limit: 100 VPCs per private hosted zone (can be increased).
VPC must have DNS resolution enabled (enableDnsSupport=true) for private hosted zones to work.
These come up on the exam all the time. Here's how to tell them apart.
Route 53 Private Hosted Zone
DNS resolution only within associated VPCs.
Cannot be accessed from the internet.
Supports simple routing only (no latency, geolocation, failover, weighted).
Must be associated with VPCs explicitly.
Alias records can point to internal AWS resources (e.g., internal ELB).
Route 53 Public Hosted Zone
DNS resolution globally from the internet.
Accessible by anyone on the internet.
Supports all routing policies (simple, latency, geolocation, failover, weighted).
No VPC association required.
Alias records can point to public AWS resources (e.g., internet-facing ELB, CloudFront).
Mistake
Private hosted zones are automatically associated with all VPCs in the account.
Correct
Private hosted zones must be explicitly associated with each VPC. You cannot associate a private hosted zone with all VPCs in an account in a single action; you must associate them individually or via automation.
Mistake
You can use a CNAME record at the apex of a private hosted zone.
Correct
CNAME records cannot be used at the zone apex (e.g., example.com). This is a DNS standard (RFC 1034). For the apex, you must use an A, AAAA, or alias record.
Mistake
Private hosted zones support latency-based routing.
Correct
Private hosted zones only support simple routing (essentially static records). Routing policies like latency, geolocation, failover, and weighted are only available in public hosted zones.
Mistake
If a private hosted zone does not have a record for a query, Route 53 falls back to the public hosted zone for the same domain.
Correct
If a private hosted zone exists for the domain, Route 53 will respond with NXDOMAIN if the record is not found. It does NOT fall back to the public zone. To achieve split-brain DNS, you must duplicate records in both zones.
Mistake
Private hosted zones can be associated with VPCs in different regions.
Correct
Private hosted zones are regional. You can only associate VPCs from the same region as the hosted zone. Cross-region association is not supported.
Create both a public hosted zone and a private hosted zone for the same domain (e.g., example.com). In the public zone, add records with public IPs. In the private zone, add records with private IPs. Associate the private zone with your VPC. When a query comes from within the VPC, Route 53 returns the private zone record. External queries use the public zone. Note that the private zone does not inherit records from the public zone; you must duplicate any records you need internally.
Yes, but you must use cross-account VPC association. First, the VPC owner creates a VPC association authorization (via create-vpc-association-authorization). Then, the private hosted zone owner associates the VPC using the authorization ID. This is done via the AWS CLI, SDK, or console. The VPC must be in the same region as the private hosted zone.
A private hosted zone is a container for DNS records that are resolved within VPCs. A Resolver rule is used to forward DNS queries to specific DNS servers (e.g., on-premises DNS) for a given domain. Resolver rules are used for hybrid DNS scenarios, while private hosted zones are for pure AWS internal DNS. They can work together: a private hosted zone can resolve AWS resources, and Resolver rules can forward queries for on-premises domains.
Common causes: (1) The VPC is not associated with the private hosted zone. (2) The VPC does not have DNS resolution enabled (enableDnsSupport=true). (3) The instance's resolver is not using the VPC DNS server (check /etc/resolv.conf). (4) The record does not exist in the private zone. (5) The instance is in a subnet without a route to the DNS server (should be default). Verify using dig @169.254.169.253 from the instance.
Yes, you can associate a private hosted zone with multiple VPCs even if they have overlapping CIDRs. However, DNS resolution will return the same IP address for a given record regardless of which VPC the query originates from. This can cause issues if the same IP is used in multiple VPCs for different resources. You would need separate zones or different domain names to avoid ambiguity.
Yes, standard Route 53 pricing applies to DNS queries in private hosted zones. However, alias records are free (no charge for queries to alias records). There is also a monthly charge per hosted zone (same as public hosted zones). Queries to non-alias records incur a per-query fee.
Create a private hosted zone for the reverse DNS domain corresponding to your VPC CIDR. For example, for CIDR 10.0.0.0/24, create a zone named '0.0.10.in-addr.arpa'. Then add PTR records mapping IPs to hostnames. Associate the zone with the VPC. Queries for reverse lookups (e.g., dig -x 10.0.0.5) will resolve to the PTR record.