22

Currently, I am using Route53 to manage my domains, subdomains etc. But I want to add DDoS protection to my endpoints. So I want to use Cloudflare also. But I couldn't find a way to use two of them at the same time, can I put Cloudflare dos protection in front of the AWS r53?

PaulG
  • 13,871
  • 9
  • 56
  • 78
bilal
  • 223
  • 1
  • 2
  • 4

1 Answers1

37

You cannot use both Route53 and CloudFlare at the same time for your domain root DNS zone.

If you want to use Route53, you can:

  • Use CloudFront to serve your entire website and then use the AWS DDoS protection (+ Amazon WAF for advanced ACLs).
  • If you are using ELB w/ some EC2 instances, you can enable VPC Flow Logs and use Kinesis + Lambda to dynamically recognise DoS attacks and then ban the attacker IPs.

If you want to use Cloudflare to only protect a subdomain, you can delegate the management of a specific DNS "sub-"zone to CloudFlare.

For example:

  • foobar.com is managed using a DNS zone of Route53
  • attacked-subdomain.foobar.com is a subdomain that you want to protect with CloudFlare.

You can add the following records to your Route53 zone:

  • attacked-subdomain.foobar.com NS nsXX.cloudflare.com
  • attacked-subdomain.foobar.com NS nsYY.cloudflare.com

Then you can manage "attacked-subdomain.foobar.com" from your CloudFlare control panel.

It's not possible to help you more without having more details about you current infrastructure and the (D)Dos you're receiving. I hope I answered your question!

PS: I'd suggest to you to read the following whitepaper https://d0.awsstatic.com/whitepapers/DDoS_White_Paper_June2015.pdf

Antonio
  • 1,565
  • 3
  • 20
  • 33