Implementing Application: Private Route53 Hosted Zone and TLS Certificate from AWS Certificate Manager

Sid Malani Posted 26 August 2021

The Problem

At major mining company has an application stack with a number of internal web applications hosted on AWS. These should only be accessible via the internal networks via Virtual Private Network over the internet or Direct Connect fibre link. Since these services/applications are used across teams, friendly names are desirable. The services should be accessible via secure protocols (followed by authentication at a future date Cognito with AD auth etc) as they may contain critical information. 

Modis Cloud team at this customer was tasked with architecting, testing and implementing a solution to this issue in 2021.

The Solution

1.     Internal hosted zone for the subdomain 

An internal hosted zone xxx.$ was created. DNS A records with alias pointing to Application Load Balancer (ALB) records were created. This would allow DNS queries to the subdomains in that Virtual Private Cloud (VPC) to point to the required services. 

2.     Inbound Resolver Endpoints 

The services need to be accessible for users on premises with friendly names. To do this we needed the customers DNS servers to forward queries made for the xxx.$ domain to be forwarded to the Route 53 service. 

A Route 53 Resolver Inbound Endpoint was created for domain resolution for this subdomain in the shared account. A rule was requested to be created in ‘the customers DNS / AD to forward all DNS queries for xxx.$ to the Resolver endpoints. Security groups were set correctly on the 2 inbound endpoints to allow queries from the customers internal DNS servers. 

Further the internal hosted zone created for xxx.$ was shared to the “shared account” so any queries coming into the Route 53 in shared account could resolve the addresses. 

Now application subdomains such as $ and $ were easy to create and manage in the application account and the infrastructure supporting these services were tied together with some proper Infrastructure as Code (IaC) automation. 

3.     SSL Certificates 

With the DNS bit sorted the last bit of the puzzle was SSL certificates. We got certs issued for xxx.$ and *.xxx.$ issued via the Certificate Manager. The wildcard certificate was requested so that it could be used for any application subdomains within xxx.$ such as$ and$ 

Email validation was selected, as this is an internal hosted zone and only accessible from within the private corporate network, it cannot be domain validated. Issued certificates were applied to the ALBs and security groups were updated to allow 443 so all services are now accessible via HTTPS.

The Outcome

The solution now has effective security in all environments, meeting the customer’s security requirements and using commodity managed services, across both production and non-production environments.

About Modis

At Modis we connect people, technology and businesses to the opportunities they need to thrive in a rapidly advancing world. With 1,300+ technology professionals across six locations (Sydney, Melbourne, Brisbane, Adelaide, Canberra and Perth), we work with our clients to deliver solutions and talent to transform technology portfolios, streamline business functions, drive innovation or enhance organisational capability.

Find out how Modis can provide you with innovative AWS cloud based solutions and servicesModis has been an AWS Advanced Tier Partner since 2014. Modis' AWS Cloud Consulting services encompasses fundamentals of cyber security, fault tolerant digital system architecture, modernisation, traditional virtual machine or through to modern Serverless approaches, commercial off-the-shelf software operation to bespoke software development, delivered with high throughput, repeatable DevOps approaches to operations. With over half a decade of running critical authoritative government data sets that affects the lives of millions of citizens and the economies of the state, Modis has one of the most mature, experienced and recognised consulting service providers in the world. More importantly, we like to work very closely with our customers, not providing something to purchase, but taking a deep understanding of their business, and providing the recommendations and implementations to ensure a modern, efficient, reliable and secure environment for digital business systems.Contact us
Modis Australia | Animated map showing global locations
We operate around the world. Would you like to find out more about your local office?Find out about Modis