AWS CLI version 2, the latest major version of AWS CLI, is now stable and recommended for general use. To view this page for the AWS CLI version 2, click here. For more information see the AWS CLI version 2 installation instructions and migration guide.
[ aws . route53resolver ]
Creates a Resolver endpoint. There are two types of Resolver endpoints, inbound and outbound:
See also: AWS API Documentation
create-resolver-endpoint
--creator-request-id <value>
[--name <value>]
--security-group-ids <value>
--direction <value>
--ip-addresses <value>
[--outpost-arn <value>]
[--preferred-instance-type <value>]
[--tags <value>]
[--resolver-endpoint-type <value>]
[--protocols <value>]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
--creator-request-id
(string)
A unique string that identifies the request and that allows failed requests to be retried without the risk of running the operation twice.CreatorRequestId
can be any unique string, for example, a date/time stamp.
--name
(string)
A friendly name that lets you easily find a configuration in the Resolver dashboard in the Route 53 console.
--security-group-ids
(list)
The ID of one or more security groups that you want to use to control access to this VPC. The security group that you specify must include one or more inbound rules (for inbound Resolver endpoints) or outbound rules (for outbound Resolver endpoints). Inbound and outbound rules must allow TCP and UDP access. For inbound access, open port 53. For outbound access, open the port that you're using for DNS queries on your network.
Some security group rules will cause your connection to be tracked. For outbound resolver endpoint, it can potentially impact the maximum queries per second from outbound endpoint to your target name server. For inbound resolver endpoint, it can bring down the overall maximum queries per second per IP address to as low as 1500. To avoid connection tracking caused by security group, see Untracked connections .
(string)
Syntax:
"string" "string" ...
--direction
(string)
Specify the applicable value:
INBOUND
: Resolver forwards DNS queries to the DNS service for a VPC from your networkOUTBOUND
: Resolver forwards DNS queries from the DNS service for a VPC to your networkPossible values:
INBOUND
OUTBOUND
--ip-addresses
(list)
The subnets and IP addresses in your VPC that DNS queries originate from (for outbound endpoints) or that you forward DNS queries to (for inbound endpoints). The subnet ID uniquely identifies a VPC.
Note
Even though the minimum is 1, Route 53 requires that you create at least two.(structure)
In a CreateResolverEndpoint request, the IP address that DNS queries originate from (for outbound endpoints) or that you forward DNS queries to (for inbound endpoints).
IpAddressRequest
also includes the ID of the subnet that contains the IP address.SubnetId -> (string)
The ID of the subnet that contains the IP address.Ip -> (string)
The IPv4 address that you want to use for DNS queries.Ipv6 -> (string)
The IPv6 address that you want to use for DNS queries.
Shorthand Syntax:
SubnetId=string,Ip=string,Ipv6=string ...
JSON Syntax:
[
{
"SubnetId": "string",
"Ip": "string",
"Ipv6": "string"
}
...
]
--outpost-arn
(string)
The Amazon Resource Name (ARN) of the Outpost. If you specify this, you must also specify a value for thePreferredInstanceType
.
--preferred-instance-type
(string)
The instance type. If you specify this, you must also specify a value for theOutpostArn
.
--tags
(list)
A list of the tag keys and values that you want to associate with the endpoint.
(structure)
One tag that you want to add to the specified resource. A tag consists of a
Key
(a name for the tag) and aValue
.Key -> (string)
The name for the tag. For example, if you want to associate Resolver resources with the account IDs of your customers for billing purposes, the value ofKey
might beaccount-id
.Value -> (string)
The value for the tag. For example, ifKey
isaccount-id
, thenValue
might be the ID of the customer account that you're creating the resource for.
Shorthand Syntax:
Key=string,Value=string ...
JSON Syntax:
[
{
"Key": "string",
"Value": "string"
}
...
]
--resolver-endpoint-type
(string)
For the endpoint type you can choose either IPv4, IPv6, or dual-stack. A dual-stack endpoint means that it will resolve via both IPv4 and IPv6. This endpoint type is applied to all IP addresses.
Possible values:
IPV6
IPV4
DUALSTACK
--protocols
(list)
The protocols you want to use for the endpoint. DoH-FIPS is applicable for inbound endpoints only.
For an inbound endpoint you can apply the protocols as follows:
- Do53 and DoH in combination.
- Do53 and DoH-FIPS in combination.
- Do53 alone.
- DoH alone.
- DoH-FIPS alone.
- None, which is treated as Do53.
For an outbound endpoint you can apply the protocols as follows:
- Do53 and DoH in combination.
- Do53 alone.
- DoH alone.
- None, which is treated as Do53.
(string)
Syntax:
"string" "string" ...
Where valid values are:
DoH
Do53
DoH-FIPS
--cli-input-json
(string)
Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton
. If other arguments are provided on the command line, the CLI values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally.
--generate-cli-skeleton
(string)
Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input
, prints a sample input JSON that can be used as an argument for --cli-input-json
. If provided with the value output
, it validates the command inputs and returns a sample output JSON for that command.
--debug
(boolean)
Turn on debug logging.
--endpoint-url
(string)
Override command's default URL with the given URL.
--no-verify-ssl
(boolean)
By default, the AWS CLI uses SSL when communicating with AWS services. For each SSL connection, the AWS CLI will verify SSL certificates. This option overrides the default behavior of verifying SSL certificates.
--no-paginate
(boolean)
Disable automatic pagination. If automatic pagination is disabled, the AWS CLI will only make one call, for the first page of results.
--output
(string)
The formatting style for command output.
--query
(string)
A JMESPath query to use in filtering the response data.
--profile
(string)
Use a specific profile from your credential file.
--region
(string)
The region to use. Overrides config/env settings.
--version
(string)
Display the version of this tool.
--color
(string)
Turn on/off color output.
--no-sign-request
(boolean)
Do not sign requests. Credentials will not be loaded if this argument is provided.
--ca-bundle
(string)
The CA certificate bundle to use when verifying SSL certificates. Overrides config/env settings.
--cli-read-timeout
(int)
The maximum socket read time in seconds. If the value is set to 0, the socket read will be blocking and not timeout. The default value is 60 seconds.
--cli-connect-timeout
(int)
The maximum socket connect time in seconds. If the value is set to 0, the socket connect will be blocking and not timeout. The default value is 60 seconds.
To use the following examples, you must have the AWS CLI installed and configured. See the Getting started guide in the AWS CLI User Guide for more information.
Unless otherwise stated, all examples have unix-like quotation rules. These examples will need to be adapted to your terminal's quoting rules. See Using quotation marks with strings in the AWS CLI User Guide .
To create an inbound Resolver endpoint
The following create-resolver-endpoint
example creates an inbound Resolver endpoint. You can use the same command to create both inbound and outbound endpoints.
- aws route53resolver create-resolver-endpoint
- --name my-inbound-endpoint --creator-request-id 2020-01-01-18:47 --security-group-ids "sg-f62bexam" --direction INBOUND --ip-addresses SubnetId=subnet-ba47exam,Ip=192.0.2.255 SubnetId=subnet-12d8exam,Ip=192.0.2.254
Output:
{
"ResolverEndpoint": {
"Id": "rslvr-in-f9ab8a03f1example",
"CreatorRequestId": "2020-01-01-18:47",
"Arn": "arn:aws:route53resolver:us-west-2:111122223333:resolver-endpoint/rslvr-in-f9ab8a03f1example",
"Name": "my-inbound-endpoint",
"SecurityGroupIds": [
"sg-f62bexam"
],
"Direction": "INBOUND",
"IpAddressCount": 2,
"HostVPCId": "vpc-304examp",
"Status": "CREATING",
"StatusMessage": "[Trace id: 1-5dc1ff84-f3477826e4a190025example] Creating the Resolver Endpoint",
"CreationTime": "2020-01-01T23:02:29.583Z",
"ModificationTime": "2020-01-01T23:02:29.583Z"
}
}
To create an outbound Resolver endpoint
The following create-resolver-endpoint
example creates an outbound resolver endpoint using the values in the JSON-formatted document create-outbound-resolver-endpoint.json
.
aws route53resolver create-resolver-endpoint \
--cli-input-json file://c:\temp\create-outbound-resolver-endpoint.json
Contents of create-outbound-resolver-endpoint.json
:
{
"CreatorRequestId": "2020-01-01-18:47",
"Direction": "OUTBOUND",
"IpAddresses": [
{
"Ip": "192.0.2.255",
"SubnetId": "subnet-ba47exam"
},
{
"Ip": "192.0.2.254",
"SubnetId": "subnet-12d8exam"
}
],
"Name": "my-outbound-endpoint",
"SecurityGroupIds": [ "sg-05cd7b25d6example" ],
"Tags": [
{
"Key": "my-key-name",
"Value": "my-key-value"
}
]
}
For more information, see Resolving DNS Queries Between VPCs and Your Network in the Amazon Route 53 Developer Guide.
ResolverEndpoint -> (structure)
Information about the
CreateResolverEndpoint
request, including the status of the request.Id -> (string)
The ID of the Resolver endpoint.CreatorRequestId -> (string)
A unique string that identifies the request that created the Resolver endpoint. TheCreatorRequestId
allows failed requests to be retried without the risk of running the operation twice.Arn -> (string)
The ARN (Amazon Resource Name) for the Resolver endpoint.Name -> (string)
The name that you assigned to the Resolver endpoint when you submitted a CreateResolverEndpoint request.SecurityGroupIds -> (list)
The ID of one or more security groups that control access to this VPC. The security group must include one or more inbound rules (for inbound endpoints) or outbound rules (for outbound endpoints). Inbound and outbound rules must allow TCP and UDP access. For inbound access, open port 53. For outbound access, open the port that you're using for DNS queries on your network.
(string)
Direction -> (string)
Indicates whether the Resolver endpoint allows inbound or outbound DNS queries:
INBOUND
: allows DNS queries to your VPC from your networkOUTBOUND
: allows DNS queries from your VPC to your networkIpAddressCount -> (integer)
The number of IP addresses that the Resolver endpoint can use for DNS queries.HostVPCId -> (string)
The ID of the VPC that you want to create the Resolver endpoint in.Status -> (string)
A code that specifies the current status of the Resolver endpoint. Valid values include the following:
CREATING
: Resolver is creating and configuring one or more Amazon VPC network interfaces for this endpoint.OPERATIONAL
: The Amazon VPC network interfaces for this endpoint are correctly configured and able to pass inbound or outbound DNS queries between your network and Resolver.UPDATING
: Resolver is associating or disassociating one or more network interfaces with this endpoint.AUTO_RECOVERING
: Resolver is trying to recover one or more of the network interfaces that are associated with this endpoint. During the recovery process, the endpoint functions with limited capacity because of the limit on the number of DNS queries per IP address (per network interface). For the current limit, see Limits on Route 53 Resolver .ACTION_NEEDED
: This endpoint is unhealthy, and Resolver can't automatically recover it. To resolve the problem, we recommend that you check each IP address that you associated with the endpoint. For each IP address that isn't available, add another IP address and then delete the IP address that isn't available. (An endpoint must always include at least two IP addresses.) A status ofACTION_NEEDED
can have a variety of causes. Here are two common causes:
- One or more of the network interfaces that are associated with the endpoint were deleted using Amazon VPC.
- The network interface couldn't be created for some reason that's outside the control of Resolver.
DELETING
: Resolver is deleting this endpoint and the associated network interfaces.StatusMessage -> (string)
A detailed description of the status of the Resolver endpoint.CreationTime -> (string)
The date and time that the endpoint was created, in Unix time format and Coordinated Universal Time (UTC).ModificationTime -> (string)
The date and time that the endpoint was last modified, in Unix time format and Coordinated Universal Time (UTC).OutpostArn -> (string)
The ARN (Amazon Resource Name) for the Outpost.PreferredInstanceType -> (string)
The Amazon EC2 instance type.ResolverEndpointType -> (string)
The Resolver endpoint IP address type.Protocols -> (list)
Protocols used for the endpoint. DoH-FIPS is applicable for inbound endpoints only.
For an inbound endpoint you can apply the protocols as follows:
- Do53 and DoH in combination.
- Do53 and DoH-FIPS in combination.
- Do53 alone.
- DoH alone.
- DoH-FIPS alone.
- None, which is treated as Do53.
For an outbound endpoint you can apply the protocols as follows:
- Do53 and DoH in combination.
- Do53 alone.
- DoH alone.
- None, which is treated as Do53.
(string)