Enabling Route 53 Resolver DNS Firewall protections for your VPC

You enable DNS Firewall protections for your VPC by associating one or more rule groups with the VPC. Whenever a VPC is associated with a DNS Firewall rule group, Route 53 Resolver provides the following DNS Firewall protections:

Resolver routes the VPC's outbound DNS queries through DNS Firewall, and DNS Firewall filters the queries using the associated rule groups.
Resolver enforces the settings in the VPC's DNS Firewall configuration.

To provide DNS Firewall protections to your VPC, you do the following:

Create and manage associations between your DNS Firewall rule groups and your VPC. For information about rule groups, see DNS Firewall rule groups and rules.
Configure how you want Resolver to handle DNS queries for the VPC during a failure, for example if DNS Firewall doesn't provide a response for a DNS query.

To remove an association between a rule group and a VPC

Locate the rule group's VPC associations by following the instructions in the preceding procedure To view a rule group's VPC associations.
Select the VPC that you want to remove from the list, then choose Disassociate. Verify, and then confirm the action.

On the rule group page, your VPC is listed in the Associated VPCs tab with the status of Disassociating. When the operation completes, DNS Firewall updates the list to remove the VPC.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Sharing rule groups between accounts

Managing associations between your VPC and firewall rule groups