

# Enabling Resolver DNS Firewall protections for your VPC
<a name="resolver-dns-firewall-vpc-protections"></a>

You enable DNS Firewall protections for your VPC by associating one or more rule groups with the VPC. Whenever a VPC is associated with a DNS Firewall rule group, Route 53 VPC Resolver provides the following DNS Firewall protections: 
+ VPC Resolver routes the VPC's outbound DNS queries through DNS Firewall, and DNS Firewall filters the queries using the associated rule groups. 
+ VPC Resolver enforces the settings in the VPC's DNS Firewall configuration. 

To provide DNS Firewall protections to your VPC, you do the following: 
+ Create and manage associations between your DNS Firewall rule groups and your VPC. For information about rule groups, see [DNS Firewall rule groups and rules](resolver-dns-firewall-rule-groups.md).
+ Configure how you want VPC Resolver to handle DNS queries for the VPC during a failure, for example if DNS Firewall doesn't provide a response for a DNS query.

# Managing associations between your VPC and Resolver DNS Firewall rule groups
<a name="resolver-dns-firewall-vpc-associating-rule-group"></a>

**To view a rule group's VPC associations**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

   Choose **DNS Firewall** in the navigation pane to open the DNS Firewall **Rule groups** page on the Amazon VPC console.

   - OR - 

   Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **DNS Firewall**, choose **Rule groups**.

1. On the navigation bar, choose the Region for the rule group. 

1. Select the rule group whose VPC associations you want to view.

1. Choose **View details**. The rule group page displays. 

1. Toward the bottom of the page, a tabbed details area lists the rule group's rules and its associated VPCs. Choose the **Associated VPCs** tab.

**To associate a rule group with a VPC**

1. Locate the rule group's VPC associations by following the instructions in [the preceding procedure](#resolver-dns-firewall-vpc-associating-rule-group), **To view a rule group's VPC associations**. 

1. In the **Associated VPCs** tab, choose **Associate VPC**.

1. Locate the VPC that you want to associate with the rule group in the dropdown. Select it, then choose **Associate**.

In the rule group page, your VPC is listed in the **Associated VPCs** tab. At first, the association's **Status** reports **Updating**. When the association is complete, the status changes to **Complete**. 

**To remove an association between a rule group and a VPC**

1. Locate the rule group's VPC associations by following the instructions in [the preceding procedure](#resolver-dns-firewall-vpc-associating-rule-group), **To view a rule group's VPC associations**. 

1. Select the VPC that you want to remove from the list, then choose **Disassociate**. Verify, and then confirm the action. 

On the rule group page, your VPC is listed in the **Associated VPCs** tab with the status of **Disassociating**. When the operation completes, DNS Firewall updates the list to remove the VPC. 
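The same associate and disassociate operations, driven through the Route 53 Resolver API instead of the console, as an added example that is not part of the original page or of the AWS documentation. The functions take any client that exposes the boto3 `route53resolver` method names (`associate_firewall_rule_group`, `get_firewall_rule_group_association`, `disassociate_firewall_rule_group`); `FakeResolverClient` is a constructed stand-in that reproduces the status progression described above (**Updating** to **Complete**, **Disassociating** until the VPC disappears from the list) so the example runs offline. The rule group and VPC IDs are made up.

```python
import time
import uuid


class FakeResolverClient:
    """Constructed stand-in for boto3.client("route53resolver") so this example runs
    offline. It mimics the response shape of the real API: an association goes
    UPDATING -> COMPLETE on the first Get, and a DELETING association disappears
    (ResourceNotFoundException) on the first Get after Disassociate."""

    class exceptions:  # boto3 exposes service errors under client.exceptions
        class ResourceNotFoundException(Exception):
            pass

    def __init__(self):
        self._assocs = {}

    def associate_firewall_rule_group(self, **kw):
        record = {
            "Id": "rslvr-frgassoc-" + uuid.uuid4().hex[:17],
            "FirewallRuleGroupId": kw["FirewallRuleGroupId"],
            "VpcId": kw["VpcId"],
            "Name": kw.get("Name", ""),
            "Priority": kw["Priority"],
            "MutationProtection": kw.get("MutationProtection", "DISABLED"),
            "Status": "UPDATING",
        }
        self._assocs[record["Id"]] = record
        return {"FirewallRuleGroupAssociation": dict(record)}

    def get_firewall_rule_group_association(self, **kw):
        record = self._assocs.get(kw["FirewallRuleGroupAssociationId"])
        if record is None:
            raise self.exceptions.ResourceNotFoundException("no such association")
        if record["Status"] == "UPDATING":
            record["Status"] = "COMPLETE"
        elif record["Status"] == "DELETING":
            del self._assocs[record["Id"]]
            raise self.exceptions.ResourceNotFoundException("association removed")
        return {"FirewallRuleGroupAssociation": dict(record)}

    def disassociate_firewall_rule_group(self, **kw):
        record = self._assocs[kw["FirewallRuleGroupAssociationId"]]
        record["Status"] = "DELETING"
        return {"FirewallRuleGroupAssociation": dict(record)}


def associate_rule_group(client, rule_group_id, vpc_id, priority, name,
                         sleep=time.sleep, max_polls=60):
    """Associate a rule group with a VPC and block until the association is COMPLETE.

    Lower Priority values are evaluated first; leave gaps (100, 200, ...) so another
    rule group can be inserted later without renumbering. CreatorRequestId is an
    idempotency token, so a retried call cannot create a duplicate association."""
    assoc = client.associate_firewall_rule_group(
        CreatorRequestId=str(uuid.uuid4()),
        FirewallRuleGroupId=rule_group_id,
        VpcId=vpc_id,
        Priority=priority,
        Name=name,
    )["FirewallRuleGroupAssociation"]
    for _ in range(max_polls):
        if assoc["Status"] == "COMPLETE":
            return assoc
        sleep(2)
        assoc = client.get_firewall_rule_group_association(
            FirewallRuleGroupAssociationId=assoc["Id"]
        )["FirewallRuleGroupAssociation"]
    raise TimeoutError(f"association {assoc['Id']} still {assoc['Status']}")


def disassociate_rule_group(client, association_id, sleep=time.sleep, max_polls=60):
    """Remove an association and block until DNS Firewall no longer lists it."""
    client.disassociate_firewall_rule_group(FirewallRuleGroupAssociationId=association_id)
    for _ in range(max_polls):
        sleep(2)
        try:
            status = client.get_firewall_rule_group_association(
                FirewallRuleGroupAssociationId=association_id
            )["FirewallRuleGroupAssociation"]["Status"]
        except client.exceptions.ResourceNotFoundException:
            return True  # gone: this rule group no longer filters the VPC's queries
        if status != "DELETING":
            raise RuntimeError(f"unexpected status {status} while disassociating")
    raise TimeoutError(f"association {association_id} still deleting")


if __name__ == "__main__":
    # Real use: client = boto3.client("route53resolver", region_name="us-east-1")
    client = FakeResolverClient()
    assoc = associate_rule_group(client, "rslvr-frg-example", "vpc-0123456789abcdef0",
                                 priority=100, name="block-malware-domains",
                                 sleep=lambda s: None)
    print(assoc["Id"], assoc["Status"])
    print("removed:", disassociate_rule_group(client, assoc["Id"], sleep=lambda s: None))
```

Polling the association until it reports COMPLETE matters when the association is created by a deployment pipeline: until then the rule group is not yet filtering the VPC's queries, so a smoke test that queries a blocked domain right after the call can pass for the wrong reason.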

# DNS Firewall VPC configuration
<a name="resolver-dns-firewall-vpc-configuration"></a>

The DNS Firewall configuration for your VPC determines whether Route 53 VPC Resolver allows queries through or blocks them during failures, for example when DNS Firewall is impaired, unresponsive, or not available in the Availability Zone. VPC Resolver enforces a VPC's firewall configuration whenever you have one or more DNS Firewall rule groups associated with the VPC.

You can configure a VPC to fail open or fail closed. 
+ By default, the failure mode is closed, which means that VPC Resolver blocks any query for which it doesn't receive a reply from DNS Firewall and returns a `SERVFAIL` DNS response to the client. This approach favors security over availability. 
+ If you enable fail open, VPC Resolver allows queries through if it doesn't receive a reply from DNS Firewall. This approach favors availability over security. 

Fail open only governs queries for which DNS Firewall gives no reply. While it is in effect, those queries are resolved without any rule group being evaluated, so a domain that your rules would block can resolve until DNS Firewall recovers. If you turn fail open on for a VPC, treat it as a deliberate exception and review it periodically rather than leaving it as a permanent setting.

**To change the DNS Firewall configuration for a VPC (console)**

1. Sign in to the AWS Management Console and open the VPC Resolver console at [https://console.aws.amazon.com/route53resolver/](https://console.aws.amazon.com/route53resolver/).

1. In the navigation pane under **Resolvers**, choose **VPCs**. 

1. On the **VPCs** page, locate the VPC and edit it. Change the DNS Firewall configuration to fail open or fail closed as needed. 

**To change the DNS Firewall behavior for a VPC (API)**
+ Update your VPC firewall configuration by calling [UpdateFirewallConfig](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_UpdateFirewallConfig.html) with the VPC ID as `ResourceId` and `FirewallFailOpen` set to `ENABLED` (fail open) or `DISABLED` (fail closed, the default). 

You can retrieve a list of your VPC firewall configurations in the current Region through the API by calling [ListFirewallConfigs](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_ListFirewallConfigs.html); the results are paginated, so follow `NextToken` until it is absent. 
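An audit built on `ListFirewallConfigs` and `UpdateFirewallConfig`, as an added example that is not part of the original page or of the AWS documentation: it pages through every VPC firewall configuration in a Region, reports the VPCs that are set to fail open, and resets any that are not on an explicit allow-list to the fail-closed default. The functions take any client with the boto3 `route53resolver` method names (`list_firewall_configs`, `update_firewall_config`); `FakeResolverClient` is a constructed stand-in with a made-up inventory of three VPCs so the example runs offline, and it only models the two `FirewallFailOpen` values the page describes.

```python
class FakeResolverClient:
    """Constructed stand-in for boto3.client("route53resolver") so the example runs
    offline. Holds one FirewallConfig per VPC in the response shape of the real
    ListFirewallConfigs / UpdateFirewallConfig calls, and paginates with NextToken.
    page_size caps the page so pagination can be exercised with a small inventory."""

    def __init__(self, configs, page_size=100):
        self._configs = {c["ResourceId"]: dict(c) for c in configs}
        self._page_size = page_size

    def list_firewall_configs(self, MaxResults=100, NextToken=None):
        items = sorted(self._configs.values(), key=lambda c: c["ResourceId"])
        limit = min(MaxResults, self._page_size)
        start = int(NextToken) if NextToken else 0
        resp = {"FirewallConfigs": [dict(c) for c in items[start:start + limit]]}
        if start + limit < len(items):
            resp["NextToken"] = str(start + limit)
        return resp

    def update_firewall_config(self, ResourceId, FirewallFailOpen):
        if FirewallFailOpen not in ("ENABLED", "DISABLED"):
            raise ValueError("FirewallFailOpen must be ENABLED or DISABLED")
        cfg = self._configs[ResourceId]
        cfg["FirewallFailOpen"] = FirewallFailOpen
        return {"FirewallConfig": dict(cfg)}


def iter_firewall_configs(client):
    """Yield every VPC firewall config in the Region, following NextToken to the end."""
    token = None
    while True:
        kwargs = {"MaxResults": 100}
        if token:
            kwargs["NextToken"] = token
        resp = client.list_firewall_configs(**kwargs)
        yield from resp["FirewallConfigs"]
        token = resp.get("NextToken")
        if not token:
            return


def find_fail_open_vpcs(client):
    """Return the sorted IDs of VPCs whose DNS Firewall is set to fail open."""
    return sorted(c["ResourceId"] for c in iter_firewall_configs(client)
                  if c["FirewallFailOpen"] == "ENABLED")


def set_fail_closed(client, vpc_id):
    """Put a VPC back in the default fail-closed mode; returns the stored setting."""
    return client.update_firewall_config(
        ResourceId=vpc_id, FirewallFailOpen="DISABLED"
    )["FirewallConfig"]["FirewallFailOpen"]


def enforce_fail_closed(client, allowed_fail_open=()):
    """Audit the Region: flip every fail-open VPC not on the allow-list to fail closed.
    Returns the IDs of the VPCs that were changed."""
    changed = []
    for vpc_id in find_fail_open_vpcs(client):
        if vpc_id in allowed_fail_open:
            continue  # documented exception, leave it alone but it still shows in the audit
        set_fail_closed(client, vpc_id)
        changed.append(vpc_id)
    return changed


# Constructed sample inventory: three VPCs, two of them left fail open.
SAMPLE_CONFIGS = [
    {"Id": "rslvr-fc-1", "ResourceId": "vpc-0aaaaaaaaaaaaaaaa",
     "OwnerId": "111122223333", "FirewallFailOpen": "DISABLED"},
    {"Id": "rslvr-fc-2", "ResourceId": "vpc-0bbbbbbbbbbbbbbbb",
     "OwnerId": "111122223333", "FirewallFailOpen": "ENABLED"},
    {"Id": "rslvr-fc-3", "ResourceId": "vpc-0ccccccccccccccccc",
     "OwnerId": "111122223333", "FirewallFailOpen": "ENABLED"},
]

if __name__ == "__main__":
    # Real use: client = boto3.client("route53resolver", region_name="us-east-1")
    client = FakeResolverClient(SAMPLE_CONFIGS)
    print("fail open before:", find_fail_open_vpcs(client))
    print("changed:", enforce_fail_closed(client, allowed_fail_open={"vpc-0ccccccccccccccccc"}))
    print("fail open after:", find_fail_open_vpcs(client))
```

Run this per Region, because firewall configurations and rule group associations are Regional. Keeping the allow-list explicit in code (or in a parameter store the job reads) gives the audit a record of which VPCs are deliberately fail open, which is what a reviewer will ask for when a fail-open VPC resolves a domain the rules should have blocked.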