AWS Zone Apex challenge with older DNS server

0

The University that I work for has its own DNS servers. They are older and need an IP address to point to for the zone apex record. DNS migration is not an option. We have a site in AWS Amplify. We want to use the Amplify website for our root domain, "example.edu". RFC 1034 says that the zone apex must be an A record, not a CNAME.

According to the article at https://aws.amazon.com/blogs/networking-and-content-delivery/solving-dns-zone-apex-challenges-with-third-party-dns-providers-using-aws/, there are three options: Route53, Elastic IPs with EC2 instances, and Global Accelerator.

Since we are using AWS Amplify, we can't do the EC2 option. The Route53 option won't work with our old DNS server, which only works with IP addresses. The third option is to use AWS Global Accelerator and an Application Load Balancer (ALB) which does a 301 redirect to our CloudFront distribution that has the custom SSL cert for our Amplify instance.

When we point our DNS at the IP associated with AWS Global Accelerator, the redirect is working, but the URL is showing the CloudFront distribution instead of example.com. I was told that whitelisting the Host header would fix this, but it just returns a 403 error saying that the request could not be satisfied.

I am not sure if I am on the right track and need some adjustment somewhere, or if I need to do something completely different.
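As an added illustration of the rule the question cites (this is example code written for this page, not part of the question or of any AWS tooling), the check below parses a small constructed zone for a hypothetical example.edu and reports every owner name that holds a CNAME next to other data. The apex always carries SOA and NS, so a CNAME there is always flagged, which is exactly why a plain authoritative server needs an IP address at the apex. The hostnames and addresses are placeholders, and the parser handles only the simple `owner [ttl] [class] type rdata` line shape used in the sample.

```python
"""Zone-apex CNAME check for the rule the question cites (added example, constructed data)."""

# Constructed zone for a hypothetical example.edu. The CNAME at "@" is what both the RFCs
# and an older authoritative server reject: SOA and NS already live at the apex.
SAMPLE_ZONE = """
$ORIGIN example.edu.
@     3600 IN SOA   ns1.example.edu. hostmaster.example.edu. 2024010101 7200 900 1209600 300
@     3600 IN NS    ns1.example.edu.
@     3600 IN NS    ns2.example.edu.
@      300 IN CNAME main.d111111abcdef8.amplifyapp.com.  ; illegal: CNAME next to SOA/NS
www    300 IN CNAME main.d111111abcdef8.amplifyapp.com.  ; fine: the CNAME is alone here
ns1   3600 IN A     192.0.2.10
"""


def parse_zone(text):
    """Parse 'owner [ttl] [class] type rdata' lines into (owner, type, rdata) tuples.

    Handles $ORIGIN, '@', relative names and ';' comments; enough for the check below,
    not a full RFC 1035 master-file parser (no parentheses, no $TTL, no blank owners).
    """
    origin, records = None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        fields = line.split()
        owner = fields.pop(0)
        if fields and fields[0].isdigit():        # optional TTL
            fields.pop(0)
        if fields and fields[0].upper() == "IN":  # optional class
            fields.pop(0)
        rtype = fields.pop(0).upper()
        if owner == "@":
            owner = origin
        elif owner.endswith("."):
            owner = owner.rstrip(".")
        else:
            owner = f"{owner}.{origin}"
        records.append((owner, rtype, " ".join(fields)))
    return records


def cname_conflicts(records):
    """Owners holding a CNAME next to any other type, which RFC 1034 section 3.6.2 forbids.

    The apex always carries SOA and NS, so a CNAME there always shows up here; that is
    why the apex has to be an A/AAAA record (an IP address) on a plain authoritative server.
    """
    types_by_owner = {}
    for owner, rtype, _ in records:
        types_by_owner.setdefault(owner, set()).add(rtype)
    return sorted(o for o, t in types_by_owner.items() if "CNAME" in t and len(t) > 1)


def apex_targets(records, origin):
    """IP addresses published at the apex: the A/AAAA data that has to stand in for a CNAME."""
    return [rdata for owner, rtype, rdata in records if owner == origin and rtype in ("A", "AAAA")]


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    print("CNAME-and-other-data conflicts:", cname_conflicts(recs))  # ['example.edu']
    print("IP addresses at the apex:", apex_targets(recs, "example.edu"))  # []
```

Running the check on the sample reports only `example.edu`: `www` is allowed to be a CNAME because nothing else lives at that name, while the apex is not, so the fix on such a server is an A/AAAA record at `@` pointing at an address the site can be reached on.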

2 Answers
0

Whatever Global Accelerator points to needs to be a proxy that fetches the Amplify content to preserve the apex URL. Maybe an ALB in front of a couple of EC2 proxies or a Lambda function.

AWS
EXPERT
kentrad
answered 2 years ago
0

Like @kentrad said above, if you need to host the application in Amplify then you would need something in the middle to handle rewriting the domain. Given the requirements you outlined, I’m not sure that Amplify is the best choice. There are other hosting options besides Amplify that can still help with the management/overhead of the AWS infrastructure involved, like Elastic Beanstalk for example. Another alternative would be running your application on EC2 instances. You would still have the ability to integrate your CI/CD process with hooks into your source code repositories that would allow you to automate builds/deployments using AWS Code* services. Using Global Accelerator with an ALB endpoint that targets one or more EC2 instances would solve the redirect/rewrite issue you are experiencing and allow you to point the apex record to the IPs provided by the Global Accelerator.

AWS
answered 2 years ago
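Both answers describe the same missing piece: whatever sits behind the ALB must fetch the content itself rather than redirect, so the browser's URL stays on the apex. The sketch below is an added example written for this page (not code from either answer, from AWS, or from Amplify) of such a proxy, using only the Python standard library. `example.edu` and the CloudFront hostname are placeholders. Two details matter beyond "fetch and return": the proxy must send the origin its own hostname in `Host` (forwarding the apex `Host` to a distribution that is not configured for that name is consistent with the 403 "request could not be satisfied" the question reports), and any `Location` header the origin returns pointing at itself has to be rewritten back to the apex, or the browser escapes on the first redirect. In the deployment described in the question this would run on the EC2 instances (or a Lambda) behind the ALB that Global Accelerator targets, with the ALB terminating TLS for the apex. Absolute links inside HTML bodies are not rewritten here.

```python
"""Sketch of the apex reverse proxy both answers describe (added example, not AWS code)."""
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
import urllib.error
import urllib.request

APEX_HOST = "example.edu"                      # hypothetical apex the proxy serves
ORIGIN_HOST = "d111111abcdef8.cloudfront.net"  # placeholder for the distribution hostname

# Hop-by-hop headers are never forwarded (RFC 7230 section 6.1); Host is handled explicitly.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailers", "transfer-encoding", "upgrade", "host"}


def upstream_headers(client_headers, origin_host=ORIGIN_HOST, apex_host=APEX_HOST):
    """Headers for the request the proxy sends to the origin.

    The client's Host (the apex) is deliberately replaced by the origin's own name:
    forwarding the apex Host to a distribution that does not list it is what produces
    the 403 in the question. The apex is preserved in X-Forwarded-Host instead.
    """
    out = {k: v for k, v in client_headers.items() if k.lower() not in HOP_BY_HOP}
    out["Host"] = origin_host
    out["X-Forwarded-Host"] = apex_host
    out["X-Forwarded-Proto"] = "https"
    return out


def rewrite_location(value, origin_host=ORIGIN_HOST, apex_host=APEX_HOST):
    """Keep the browser on the apex when the origin redirects to its own hostname."""
    for scheme in ("https://", "http://"):
        prefix = scheme + origin_host
        if value.startswith(prefix):
            return "https://" + apex_host + value[len(prefix):]
    return value


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand origin redirects back to the client instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


NO_REDIRECT_OPENER = urllib.request.build_opener(_NoRedirect)


class ApexProxyHandler(BaseHTTPRequestHandler):
    """GET/HEAD proxy: the browser URL stays https://example.edu/..., content comes from the origin."""

    def do_GET(self):
        self._proxy()

    do_HEAD = do_GET

    def _proxy(self):
        req = urllib.request.Request(f"https://{ORIGIN_HOST}{self.path}",
                                     headers=upstream_headers(self.headers),
                                     method=self.command)
        try:
            resp = NO_REDIRECT_OPENER.open(req, timeout=10)
        except urllib.error.HTTPError as err:
            resp = err  # 3xx/4xx/5xx from the origin are still complete responses
        body = resp.read()
        self.send_response(resp.code)
        for name, value in resp.headers.items():
            lname = name.lower()
            if lname in HOP_BY_HOP or lname == "content-length":
                continue
            if lname == "location":
                value = rewrite_location(value)
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)


if __name__ == "__main__":
    # In the setup from the question this would sit behind the ALB that Global Accelerator
    # targets; the ALB terminates TLS for the apex and forwards plain HTTP to this port.
    ThreadingHTTPServer(("127.0.0.1", 8080), ApexProxyHandler).serve_forever()
```

The header functions are kept separate from the handler so the two behaviours that distinguish this from the 301 setup can be exercised on their own: the outgoing `Host` is always the origin's name, and a redirect to `https://d111111abcdef8.cloudfront.net/about/` comes back to the browser as `https://example.edu/about/`.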
