Do you have an API hosted on AWS API Gateway? Do you wonder how you can deploy that API into multiple regions around the globe and have automatic fail-over protection in case one region goes offline so that your API keeps on working without any intervention? Well, you came to the right blog post. In this post, I will show you how to set up and configure your AWS Route53 DNS entries, health checks, and AWS API Gateway APIs in order to have that automatic multi-region DNS fail-over protection you’re looking for.
Initial Multi-Region DNS Fail-over Configuration
The first thing we need is a domain set up in AWS Route 53. Once you have a domain, you also need a hosted zone in Route 53 for that domain; that hosted zone is where we will add the DNS records that make up the automatic DNS fail-over configuration. With a domain name and hosted zone in place, let’s get going on configuring automatic DNS fail-over!
First things first, the API must be deployed to AWS API Gateway in each of the AWS regions you want in the setup. If you do not have that yet, you can follow this guide as an example of how to create an API with an HTTP front end and AWS Lambda as the back end that processes the requests. The API needs an endpoint that responds to GET requests with a 2XX status code, so that the health checks can tell that the API is healthy in each region.
Creating An SSL/TLS Certificate
Once you have that, create an SSL/TLS certificate for your domain in AWS Certificate Manager in each of those same regions; we will attach it to the custom domain name in the next step. You will need to validate the domain names you add to the certificate. If you are using Route 53 as discussed in this article, you can expand each domain name listing and add the validation record to Route 53. Then wait for validation to complete before moving on to the next step.
Now that you have your API deployed to AWS API Gateway and we have an SSL certificate for our domain, we need to set up a custom domain name in AWS API Gateway in each of our AWS regions. Go to the AWS API Gateway console and click Create Custom Domain Name. It will open up a form to create a new custom domain which you should fill out as follows:
- Domain Name: fill in your desired domain for this API (e.g. examplecorp.com)
- Choose HTTP Protocol
- Security Policy: TLS 1.2 (1.2 is the latest and most secure as of this writing. If there is a newer version as you’re reading this, choose it instead)
- Endpoint Configuration: Regional (this selection is important: only a Regional endpoint gives each region its own Target Domain Name for the latency records we create later)
- Choose the SSL certificate you created in the previous steps, then click Save
Cool. Now we have everything configured in API Gateway. Let’s move on to Route 53 to finish up our automatic multi-region DNS fail-over!
Configuring Health Checks
We now need to set up the health checks that let Route 53 automatically determine when a region is unavailable, so that traffic can be routed accordingly. Visit the AWS Route 53 Console, click Health Checks in the left-hand menu, then click Create health check.
Under the first section, Configure health check, give the health check a name that specifies the region, service, and environment it is used for, so things stay organized and it is easy to know which health check monitors what. A good name may be something like Production — US-East-1 — API. For What to monitor, select Endpoint.
Monitor Endpoint Configuration
Now, in the Monitor an endpoint section, use the following configuration:
- Specify endpoint by: Domain Name
- Protocol: HTTPS (this has to be HTTPS because the API stage URLs generated by API Gateway are HTTPS only)
- Domain Name: the Invoke URL generated for the API stage (dev, prod, etc.) in API Gateway after deploying the API. You can find it at a URL of the form https://console.aws.amazon.com/apigateway/home?region=us-east-1#/apis/{{API_ID}}/stages/dev; an example value is dk0bnnfwn2.execute-api.us-east-1.amazonaws.com
- Port: leave the default, since it is determined by the protocol you selected
- Path: the stage name from the URL you copied above (e.g. dev, production, etc.) followed by the endpoint path you want the health check to monitor (the one mentioned earlier that must accept GET and return a 2XX status code). For example, a valid path could be dev/health
You can expand the Advanced Configuration section and change some of the options if you wish. The one I would seriously consider modifying is the list of Health Checker Regions. You have to choose at least 3 regions; I choose 3 for development APIs and more for my production APIs.
CloudWatch Alarms
Click Next. On the next screen you can set up CloudWatch alarms that fire when the health check fails the number of consecutive times specified in the Advanced Configuration section on the first page. Continue on and create the health check.
Repeat the above steps for each of the regions you wish to deploy your API to, remembering to grab the correct Invoke URL for the API in each region. Now you should have all of your health checks in place. Let’s move on to the last piece of the puzzle, the DNS entries in your hosted zone for your domain.
Creating Route53 Record Sets
Let’s get the last piece configured now. Head over to the AWS Route 53 Console once again, click Hosted Zones in the left menu, then click the hosted zone for your domain. Click Create Record Set and enter the following details:
- Name: the domain/subdomain you want mapped to this API (e.g. api.examplecorp.com)
- Record type: CNAME
- Alias: No
- TTL: 300 (5m)
- Value: the Target Domain Name generated when you created the custom domain in API Gateway. Copy that value and paste it here
- Routing Policy: Latency
- Region: select the region that matches the custom domain Target Domain Name you just pasted, then give this routing policy a name that distinguishes it from the other regions and environments you may use
- Associate With Health Check: Yes, then select the health check for the same region and environment as the other values in this CNAME record
- Click Create
- Follow the same steps for all other regions you deployed your API to
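The health check and record set steps above are console clicks; as an added example (not the post’s own code) here is the same per-region wiring expressed as the boto3 request bodies, so it can be repeated for every region without mistakes. The Invoke URL host comes from the post; the Target Domain Name, hosted zone id and health checker regions are constructed assumptions.

```python
# Added example, not the post's own code: builds the request bodies that the
# console steps above produce, so each region's health check and latency CNAME
# can be created with boto3 (needed only by deploy(); the builders are pure).
import uuid

# Route 53 health checkers run from a fixed set of regions; choose at least 3.
HEALTH_CHECKER_REGIONS = ["us-east-1", "us-west-2", "eu-west-1"]

def health_check_config(invoke_host, stage, path, failure_threshold=3):
    """HealthCheckConfig for route53.create_health_check(). It must target the
    per-region execute-api Invoke URL host, never the fail-over domain itself:
    a check aimed at api.examplecorp.com would follow whatever Route 53 answers
    right now and could never single out one failing region."""
    if ".execute-api." not in invoke_host:
        raise ValueError("health check must target the regional Invoke URL host")
    return {"Type": "HTTPS",  # stage Invoke URLs are HTTPS only
            "FullyQualifiedDomainName": invoke_host, "Port": 443,
            "ResourcePath": "/%s/%s" % (stage, path.strip("/")),
            "RequestInterval": 30,
            "FailureThreshold": failure_threshold,  # consecutive failures
            "Regions": HEALTH_CHECKER_REGIONS,
            "EnableSNI": True}  # execute-api needs SNI to present the right cert

def latency_record_change(record_name, region, target_domain, health_check_id):
    """One UPSERT for route53.change_resource_record_sets(): a latency-routed
    CNAME for this region, answered only while its health check passes."""
    return {"Action": "UPSERT", "ResourceRecordSet": {
        "Name": record_name, "Type": "CNAME", "TTL": 300,
        "SetIdentifier": "%s-%s" % (record_name, region), "Region": region,
        "ResourceRecords": [{"Value": target_domain}],
        "HealthCheckId": health_check_id}}

def deploy(hosted_zone_id, record_name, stage, path, regions):
    """regions maps each AWS region to its stage Invoke URL host and the custom
    domain's Target Domain Name, e.g. (constructed values):
    {"us-east-1": {"invoke_host": "dk0bnnfwn2.execute-api.us-east-1.amazonaws.com",
                   "target_domain": "d-example.execute-api.us-east-1.amazonaws.com"}}"""
    import boto3  # needs AWS credentials; the builders above do not
    r53 = boto3.client("route53")
    changes = []
    for region, cfg in regions.items():
        hc = r53.create_health_check(CallerReference=str(uuid.uuid4()),
            HealthCheckConfig=health_check_config(cfg["invoke_host"], stage, path))
        hc_id = hc["HealthCheck"]["Id"]
        r53.change_tags_for_resource(  # the console's "name" is really a Name tag
            ResourceType="healthcheck", ResourceId=hc_id,
            AddTags=[{"Key": "Name", "Value": "Production - %s - API" % region}])
        changes.append(latency_record_change(record_name, region, cfg["target_domain"], hc_id))
    r53.change_resource_record_sets(HostedZoneId=hosted_zone_id, ChangeBatch={"Changes": changes})
```

All health checks for a record name end up in one ChangeBatch, so a typo in one region fails the whole change instead of leaving a half-configured fail-over set.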
Conclusion
That’s it! Now whenever one of your regions becomes unavailable for whatever reason, it takes only a few minutes (<5 minutes) for your other regions to pick up the load. Response times may be a little slower than from the preferred region, since these are latency-based routing rules, but your application keeps working once the health checks have failed the specified number of times and fail-over occurs! Congratulations! You have now set up automatic multi-region DNS fail-over using AWS Route53 and API Gateway!