AWS Route 53 DNS - Health Checks

- aws networking dns

This post is part of my note taking while studying for the AWS Certified Advanced Networking - Specialty certification.

Route 53 Health Checks

Route 53 health checks monitor a resource so that Route 53 can stop answering with a record whose endpoint is down (failover, weighted, latency and other routing policies all consult the health check attached to a record). If no health check is attached, the record is always presumed healthy. There are three types of health checks: endpoint, calculated, and CloudWatch alarm.

Endpoint Health Checks

These checks test an endpoint over HTTP, HTTPS, or TCP. The probes come from AWS's public Route 53 health-checker fleet in several regions, not from your VPC, so the endpoint must be reachable from the internet, and your security groups and NACLs should allow the published health-checker address ranges (service ROUTE53_HEALTHCHECKS in ip-ranges.json) rather than opening the port to everyone. An endpoint is reported healthy only when more than 18% of the checkers agree, so a single checker region losing reachability does not flip the status. The health check can target a different endpoint (IP address or domain name) than the one the DNS record points to. You cannot change the protocol type after you create a health check; delete it and create a new one. HTTP and HTTPS checks need a TCP connection within four seconds and a 2xx or 3xx response within two seconds of connecting; TCP checks only need the connection, within ten seconds. By default, Route 53 probes every 30 seconds; the fast interval is every 10 seconds. The HTTP_STR_MATCH and HTTPS_STR_MATCH types additionally require a search string to appear in the first 5,120 bytes of the response body, which catches an application that returns 200 on an error page. Latency can be measured and graphed, any check can be inverted, and notifications go through a CloudWatch alarm on the health check's HealthCheckStatus metric (published in us-east-1 regardless of where the endpoint is), which can publish to an SNS topic.
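Because the probes originate from AWS's checker fleet, the least-privilege answer is to allow only the ROUTE53_HEALTHCHECKS prefixes AWS publishes, not 0.0.0.0/0. The following is an added example, not code from the original post or from AWS: it parses an excerpt in the shape of ip-ranges.json, extracts the health-checker CIDRs, renders the matching security-group rules, and offers a lookup you can use in the health endpoint itself to decide whether a caller is a legitimate checker. The embedded JSON is constructed with documentation ranges (not the real checker addresses), and the security-group ID and port are made-up placeholders.

```python
"""Derive least-privilege ingress rules for Route 53 endpoint health checks.

Added example, not part of the original post. Replace SAMPLE_IP_RANGES with
the real file from https://ip-ranges.amazonaws.com/ip-ranges.json before use.
"""
import ipaddress
import json

# Constructed excerpt mirroring the structure of ip-ranges.json (not real data).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/26", "region": "us-east-1",
         "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.64/26", "region": "eu-west-1",
         "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "eu-west-1"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1",
         "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1",
         "service": "EC2", "network_border_group": "us-east-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:53::/48", "region": "ap-southeast-1",
         "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "ap-southeast-1"},
    ],
})


def health_checker_prefixes(ip_ranges_json: str) -> dict:
    """Return {"ipv4": [...], "ipv6": [...]} for the ROUTE53_HEALTHCHECKS service,
    de-duplicated, sorted, and validated as CIDRs (a typo in the file raises)."""
    data = json.loads(ip_ranges_json)
    v4 = {ipaddress.ip_network(p["ip_prefix"])
          for p in data.get("prefixes", []) if p["service"] == "ROUTE53_HEALTHCHECKS"}
    v6 = {ipaddress.ip_network(p["ipv6_prefix"])
          for p in data.get("ipv6_prefixes", []) if p["service"] == "ROUTE53_HEALTHCHECKS"}
    return {"ipv4": [str(n) for n in sorted(v4)], "ipv6": [str(n) for n in sorted(v6)]}


def security_group_commands(prefixes: dict, group_id: str, port: int) -> list:
    """Render one `aws ec2 authorize-security-group-ingress` call per CIDR.
    group_id and port are placeholders for the example; substitute your own."""
    cmds = []
    for cidr in prefixes["ipv4"]:
        cmds.append(f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
                    f"--protocol tcp --port {port} --cidr {cidr}")
    for cidr in prefixes["ipv6"]:
        # --cidr only takes IPv4; IPv6 ranges go through the --ip-permissions form.
        cmds.append(f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
                    f"--ip-permissions IpProtocol=tcp,FromPort={port},ToPort={port},"
                    f"Ipv6Ranges='[{{CidrIpv6={cidr}}}]'")
    return cmds


def is_health_checker(ip: str, prefixes: dict) -> bool:
    """True if `ip` is inside a published health-checker range. Useful in the
    /health handler to log (or refuse) probes that do not come from AWS."""
    addr = ipaddress.ip_address(ip)
    key = "ipv4" if addr.version == 4 else "ipv6"
    return any(addr in ipaddress.ip_network(c) for c in prefixes[key])


if __name__ == "__main__":
    found = health_checker_prefixes(SAMPLE_IP_RANGES)
    for cmd in security_group_commands(found, "sg-0123456789abcdef0", 443):
        print(cmd)
```

Two operational notes: the prefix list changes over time, so re-run this against the current ip-ranges.json (AWS publishes the AmazonIpSpaceChanged SNS topic for exactly that) and revoke rules for prefixes that disappear; and because NACLs are stateless, allowing the inbound probe is not enough, the outbound ephemeral-port range back to the same prefixes must be allowed as well.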

Calculated Health Checks

A calculated health check aggregates other (child) health checks, which is useful for a service with many dependencies. The rule is a threshold over the children: all of them must be healthy (AND), at least n of them must be healthy, or at least one must be healthy (OR). Any health check can be inverted, meaning a successful check returns an unhealthy status. Combining inversion with calculated checks is useful in complicated DR and failover scenarios, for example making a DR record report healthy only while the primary's checks are failing.

CloudWatch Alarms

These derive healthy/unhealthy from the state of a CloudWatch alarm: OK maps to healthy and ALARM to unhealthy. What INSUFFICIENT_DATA maps to is configured per health check (healthy, unhealthy, or the last known status), so choose it deliberately; a metric that silently stops being reported should usually not read as healthy. These checks can be inverted as well. They are the way to health-check hosts in private subnets that the public health checkers cannot reach: alarm on a metric the instance already emits, or on one your own monitoring publishes.
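The evaluation rules for calculated and CloudWatch-alarm checks, including inversion and the INSUFFICIENT_DATA choice, are small enough to write down and reason about. The following is an added example, not code from the original post or from AWS: it encodes those rules as described above (a CALCULATED check is healthy when at least HealthThreshold children are healthy, with 0 meaning always healthy and a threshold above the child count meaning never healthy; a CLOUDWATCH_METRIC check maps OK to healthy, ALARM to unhealthy and INSUFFICIENT_DATA per InsufficientDataHealthStatus; Inverted flips the final result) and then runs a constructed DR-gate scenario through them. The child statuses, alarm states and health-check IDs are made up.

```python
"""Evaluate calculated and CloudWatch-alarm health checks the way Route 53 does.

Added example, not from the original post or from AWS; inputs are constructed.
"""

HEALTHY, UNHEALTHY = "healthy", "unhealthy"


def invert(status):
    """Inverted=true: a healthy result is reported as unhealthy and vice versa."""
    return UNHEALTHY if status == HEALTHY else HEALTHY


def calculated_status(child_statuses, health_threshold, inverted=False):
    """Status of a CALCULATED check from its children's statuses.

    child_statuses: {child_health_check_id: "healthy" | "unhealthy"}
    health_threshold: HealthThreshold from the CALCULATED config.
      len(children) -> AND (all must be healthy); 1 -> OR (any); n -> at least n.
      0 is always healthy; more than len(children) is never healthy.
    """
    healthy_children = sum(1 for s in child_statuses.values() if s == HEALTHY)
    result = HEALTHY if healthy_children >= health_threshold else UNHEALTHY
    return invert(result) if inverted else result


def alarm_status(alarm_state, insufficient_data_health_status="LastKnownStatus",
                 last_known=None, inverted=False):
    """Status of a CLOUDWATCH_METRIC check from a CloudWatch alarm state.

    alarm_state: "OK" | "ALARM" | "INSUFFICIENT_DATA"
    insufficient_data_health_status: "Healthy" | "Unhealthy" | "LastKnownStatus"
    last_known: status from the last time the alarm had data; a check with no
      history yet defaults to healthy.
    """
    if alarm_state == "OK":
        result = HEALTHY
    elif alarm_state == "ALARM":
        result = UNHEALTHY
    elif alarm_state == "INSUFFICIENT_DATA":
        if insufficient_data_health_status == "Healthy":
            result = HEALTHY
        elif insufficient_data_health_status == "Unhealthy":
            result = UNHEALTHY
        elif insufficient_data_health_status == "LastKnownStatus":
            result = last_known if last_known is not None else HEALTHY
        else:
            raise ValueError(f"unknown InsufficientDataHealthStatus "
                             f"{insufficient_data_health_status!r}")
    else:
        raise ValueError(f"unknown alarm state {alarm_state!r}")
    return invert(result) if inverted else result


def dr_gate_status(primary_children, primary_threshold):
    """One failover pattern: a calculated check over the primary site's checks,
    plus the same check inverted and attached to the DR record, so DR reads
    healthy only while the primary is failing. Returns (primary, dr_gate)."""
    primary = calculated_status(primary_children, primary_threshold)
    gate = calculated_status(primary_children, primary_threshold, inverted=True)
    return primary, gate


if __name__ == "__main__":
    # Constructed scenario: the primary counts as up only if its web endpoint
    # check and a CloudWatch-based database check are both healthy (2 of 2).
    # The database metric has gone quiet; InsufficientDataHealthStatus=Unhealthy
    # makes that count as down rather than silently healthy.
    db = alarm_status("INSUFFICIENT_DATA", "Unhealthy")
    children = {"hc-web-primary": HEALTHY, "hc-db-alarm": db}
    print(dr_gate_status(children, 2))  # ('unhealthy', 'healthy')
```

The scenario is the trap the prose warns about: had the database check been created with InsufficientDataHealthStatus=Healthy, a reporting outage on the metric would keep the primary looking healthy and the DR gate closed.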

Create a Health Check with the AWS CLI

$ aws route53 create-health-check --caller-reference 2014-04-01-18:47 --health-check-config file://health-check.json

The --caller-reference is an arbitrary string that must be unique per health check: retrying with the same reference and the same config returns the existing check instead of creating a duplicate, while reusing it with a different config is rejected. A health-check.json for a plain HTTP check looks like this (field notes follow; the values are placeholders):

{
  "IPAddress": "203.0.113.10",
  "Type": "HTTP",
  "ResourcePath": "/health",
  "FullyQualifiedDomainName": "www.example.com",
  "RequestInterval": 30,
  "FailureThreshold": 3
}

- IPAddress: IP address of the endpoint to check. If omitted, Route 53 resolves FullyQualifiedDomainName and checks the address it returns.
- Type: HTTP, HTTPS, HTTP_STR_MATCH, HTTPS_STR_MATCH, TCP, CALCULATED or CLOUDWATCH_METRIC. It cannot be changed after creation.
- ResourcePath: path that you want Route 53 to request; all Types except TCP.
- FullyQualifiedDomainName: domain name of the endpoint to check, also sent as the Host header when IPAddress is set; all Types except TCP.
- SearchString: only when Type is HTTP_STR_MATCH or HTTPS_STR_MATCH; the string that must appear in the response body (Route 53 searches the first 5,120 bytes).
- RequestInterval: 10 or 30 (seconds).
- FailureThreshold: integer between 1 and 10; the number of consecutive failed probes before the endpoint is marked unhealthy.
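The constraints on that file (interval 10 or 30, threshold 1 to 10, SearchString only for the string-match types, no path for TCP, a publicly routable IP address) are only reported once the API rejects the request. The following is an added example, not code from the original post or from AWS: it builds the same HealthCheckConfig in Python and enforces those constraints locally before the file is handed to `aws route53 create-health-check`. The host names, IPs and paths are made up, and the non-routable address list is a representative subset of the ranges the API refuses, not its full list.

```python
"""Build and validate health-check.json for a Route 53 endpoint health check.

Added example, not from the original post or from AWS; sample values are made up.
"""
import ipaddress
import json

ENDPOINT_TYPES = {"HTTP", "HTTPS", "HTTP_STR_MATCH", "HTTPS_STR_MATCH", "TCP"}
STR_MATCH_TYPES = {"HTTP_STR_MATCH", "HTTPS_STR_MATCH"}
DEFAULT_PORTS = {"HTTP": 80, "HTTP_STR_MATCH": 80, "HTTPS": 443, "HTTPS_STR_MATCH": 443}
# Assumption: a subset of the private/loopback/link-local/CGNAT/multicast ranges
# the API refuses for IPAddress (an internet-based checker cannot reach them).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]


class HealthCheckConfigError(ValueError):
    """Raised when the requested settings would be rejected or are meaningless."""


def build_endpoint_config(check_type, ip_address=None, fqdn=None, port=None,
                          resource_path=None, search_string=None,
                          request_interval=30, failure_threshold=3,
                          measure_latency=False, inverted=False, enable_sni=None):
    """Return the HealthCheckConfig dict for `--health-check-config file://...`."""
    if check_type not in ENDPOINT_TYPES:
        raise HealthCheckConfigError(f"not an endpoint health check type: {check_type!r}")
    if request_interval not in (10, 30):
        raise HealthCheckConfigError("RequestInterval must be 10 or 30 seconds")
    if not 1 <= failure_threshold <= 10:
        raise HealthCheckConfigError("FailureThreshold must be between 1 and 10")
    if port is not None and not 1 <= port <= 65535:
        raise HealthCheckConfigError("Port must be between 1 and 65535")
    if ip_address is None and fqdn is None:
        raise HealthCheckConfigError("IPAddress or FullyQualifiedDomainName is required")
    if ip_address is not None:
        addr = ipaddress.ip_address(ip_address)  # raises on a malformed address
        if any(addr in net for net in NON_ROUTABLE):
            raise HealthCheckConfigError(f"IPAddress {ip_address} is not publicly routable")
    if check_type == "TCP":
        if port is None:
            raise HealthCheckConfigError("TCP checks require an explicit Port")
        if resource_path is not None or search_string is not None:
            raise HealthCheckConfigError("ResourcePath and SearchString are not valid for TCP")
    if check_type in STR_MATCH_TYPES:
        if not search_string:
            raise HealthCheckConfigError(f"{check_type} requires SearchString")
        if len(search_string) > 255:
            raise HealthCheckConfigError("SearchString is limited to 255 characters")
    elif search_string is not None:
        raise HealthCheckConfigError("SearchString is only valid for *_STR_MATCH types")
    if enable_sni is not None and not check_type.startswith("HTTPS"):
        raise HealthCheckConfigError("EnableSNI is only valid for HTTPS types")

    config = {
        "Type": check_type,
        "Port": port if port is not None else DEFAULT_PORTS[check_type],
        "RequestInterval": request_interval,
        "FailureThreshold": failure_threshold,
        "MeasureLatency": measure_latency,
        "Inverted": inverted,
    }
    if ip_address is not None:
        config["IPAddress"] = ip_address
    if fqdn is not None:
        # With IPAddress also set, the FQDN is what goes in the Host header.
        config["FullyQualifiedDomainName"] = fqdn
    if resource_path is not None:
        config["ResourcePath"] = resource_path
    if search_string is not None:
        config["SearchString"] = search_string
    if enable_sni is not None:
        config["EnableSNI"] = enable_sni
    return config


def config_error(*args, **kwargs):
    """Return the validation message for the given settings, or None if valid."""
    try:
        build_endpoint_config(*args, **kwargs)
    except HealthCheckConfigError as exc:
        return str(exc)
    return None


def write_config(config, path="health-check.json"):
    """Write the config as JSON; the CLI reads it back via file://health-check.json."""
    with open(path, "w") as fh:
        json.dump(config, fh, indent=2)


if __name__ == "__main__":
    cfg = build_endpoint_config("HTTPS_STR_MATCH", ip_address="203.0.113.10",
                                fqdn="www.example.com", resource_path="/health",
                                search_string="status=ok", measure_latency=True)
    print(json.dumps(cfg, indent=2))
```

Prefer the string-match types with a string that only a working application can produce; a bare HTTPS check is satisfied by any 2xx or 3xx, including a load balancer's default page or a redirect to a login form.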