Redis deployments in AWS environments often run in private VPCs without public IP addresses due to security requirements. In these architectures, standard public DNS record configurations in AWS Route 53 are not applicable. Instead, DNS resolution must be handled using private hosted zones and Route 53 Resolver endpoints.
This article explains how to configure AWS Route 53 when your Redis cluster nodes or endpoints do not have public IP addresses. It covers the required AWS components, network prerequisites, step-by-step configuration, and troubleshooting guidance.
Key sections include Prerequisites, Step-by-Step Configuration, and Troubleshooting.
Prerequisites
Before configuring Route 53 for a private Redis deployment:
- Redis cluster or database endpoints exist inside a private VPC
- No public IP addresses are assigned to cluster nodes
- You have AWS IAM permissions to manage:
  - Route 53 hosted zones
  - Route 53 Resolver endpoints
  - VPC associations
- Network connectivity exists between:
  - Client VPCs and the Redis VPC
  - On-premises networks (if applicable) and AWS, via VPN or Direct Connect
Step-by-Step Configuration
1. Create a Private Hosted Zone
- In the AWS Console, go to Route 53 → Hosted Zones
- Choose Create Hosted Zone
- Select:
  - Type: Private Hosted Zone
  - Domain name: your internal domain (for example, redis.internal)
- Associate the hosted zone with the VPC where Redis is deployed
This ensures DNS records are only resolvable inside the associated VPC(s).
2. Create DNS Records for Redis Endpoints
- Open the newly created private hosted zone
- Create a new record:
  - Record type: A record (or CNAME if applicable)
  - Value: private IP address or internal hostname of the Redis endpoint
- Save the record
Use internal IP addresses only. Public IPs are not required.
3. Configure Route 53 Resolver (Cross-VPC or Hybrid Environments)
If clients exist in a different VPC or on-premises network, configure Route 53 Resolver.
Create an Inbound Resolver Endpoint
- Go to Route 53 → Resolver → Inbound Endpoints
- Create an inbound endpoint in the Redis VPC
- Assign at least two IP addresses in different subnets for high availability
This allows external networks (VPN, Direct Connect, peered VPCs) to resolve private DNS names.
Create an Outbound Resolver Endpoint (If Needed)
If Redis nodes need to resolve external domains, create an outbound endpoint and configure forwarding rules.
4. Associate Additional VPCs (If Required)
If multiple VPCs need DNS resolution:
- Open the Private Hosted Zone
- Choose Associate VPC
- Add additional VPCs manually
Alternatively, use Route 53 Resolver rules for cross-account or complex routing.
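As an added example that is not part of the original article, the following Python builds the change batch for the `aws route53 change-resource-record-sets` call behind step 2 and the `--ip-addresses` list for the inbound Resolver endpoint in step 3, enforcing the two constraints those steps rely on: record values must be internal IPs, and the inbound endpoint must span at least two subnets. The hostname, IPs and subnet IDs are constructed placeholders, and the RFC 1918 check assumes the Redis VPC uses those ranges.

```python
import ipaddress
import json

# Assumption: the Redis VPC uses RFC 1918 CIDRs, so "internal IP" means one of these ranges.
RFC1918_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal_ipv4(ip):
    """True only for an IPv4 address inside an RFC 1918 range."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918_NETWORKS)

def redis_record_change_batch(record_name, endpoint_ips, ttl=60):
    """ChangeBatch for `aws route53 change-resource-record-sets --change-batch file://...`.

    A public IP in a private hosted zone would send clients to an endpoint this
    architecture is meant to keep unexposed, so anything non-internal is rejected.
    """
    if not endpoint_ips:
        raise ValueError("at least one Redis endpoint IP is required")
    bad = [ip for ip in endpoint_ips if not is_internal_ipv4(ip)]
    if bad:
        raise ValueError(f"not internal (RFC 1918) IPv4 addresses: {bad}")
    return {
        "Comment": "Redis endpoint in private hosted zone",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": record_name.rstrip(".") + ".",  # Route 53 stores names as FQDNs with a trailing dot
                "Type": "A",
                "TTL": ttl,
                "ResourceRecords": [{"Value": ip} for ip in endpoint_ips],
            },
        }],
    }

def inbound_endpoint_ip_addresses(subnet_to_ip):
    """--ip-addresses list for `aws route53resolver create-resolver-endpoint --direction INBOUND`.

    subnet_to_ip maps subnet ID -> fixed IP, or None to let AWS pick one. Keys are
    unique, so two entries are two distinct subnets, which is the HA requirement in step 3.
    """
    if len(subnet_to_ip) < 2:
        raise ValueError("inbound endpoint needs IPs in at least two subnets for HA")
    return [{"SubnetId": s, **({"Ip": ip} if ip else {})} for s, ip in subnet_to_ip.items()]

if __name__ == "__main__":
    # Constructed placeholders: hostname, private IPs and subnet IDs are not real resources.
    print(json.dumps(redis_record_change_batch("redis-primary.redis.internal", ["10.20.1.15"]), indent=2))
    print(json.dumps(inbound_endpoint_ip_addresses({"subnet-0aaa111": None, "subnet-0bbb222": None})))
```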
Troubleshooting
Below are common issues encountered when configuring Route 53 without public IPs.
| Issue | Resolution |
|---|---|
| DNS name does not resolve | Verify the hosted zone is private and associated with the correct VPC |
| DNS works in one VPC but not another | Confirm VPC association or configure Resolver endpoints |
| On-prem clients cannot resolve | Verify inbound Resolver endpoint configuration and security group rules |
| Timeouts instead of NXDOMAIN | Check VPC security groups and NACLs for UDP/TCP 53 access |
| Record resolves to wrong IP | Confirm record type (A vs CNAME) and verify private IP value |
Security Considerations
- Ensure Resolver endpoints are protected by restrictive security groups
- Use least-privilege IAM policies for DNS management
- Avoid exposing internal Redis endpoints publicly unless explicitly required
- Regularly audit hosted zone associations
When to Use This Architecture
Use private Route 53 DNS when:
- Security policy prohibits public IPs
- Redis runs in private subnets
- Hybrid or multi-VPC DNS resolution is required
- You need internal service discovery for Redis clusters
If DNS resolution continues to fail after validating hosted zones, VPC associations, and resolver endpoints, collect:
- nslookup or dig output from a client host
- VPC ID and hosted zone ID
- Resolver endpoint configuration
- Relevant security group rules
This information helps isolate routing versus DNS-layer issues quickly.