🚀 Powered by 8 AWS Services

Global Content Delivery.
Edge Security.

This application is hosted on S3, delivered globally via CloudFront CDN, protected by AWS WAF, secured with ACM SSL, routed through Route 53 DNS, load-balanced by ALB, and backed by API Gateway + Lambda.


How It Works

Follow the request from a user's browser to the backend and back

  1. User types URL: Route 53 resolves streamflix.com → nearest CloudFront edge IP
  2. WAF Inspection: AWS WAF checks for SQL injection, XSS, rate limits, and geo-blocks
  3. TLS Handshake: ACM Certificate establishes the encrypted HTTPS connection
  4. Edge Cache: CloudFront serves from cache or fetches from the S3 origin via OAC
  5. API Request: API Gateway routes dynamic requests to Lambda functions

AWS Services In This Stack


Amazon S3: Static File Storage
  • Stores index.html, styles.css, app.js
  • All public access blocked (zero-trust)
  • Only CloudFront can read via OAC
  • 99.999999999% (11 nines) durability

CloudFront CDN: Global Content Delivery
  • 450+ Points of Presence worldwide
  • Origin Access Control (OAC) to S3
  • HTTP → HTTPS redirect enforced
  • Cache invalidation on redeploy

AWS WAF: Edge Firewall
  • Rate limiting (100 req / 5 min)
  • SQL Injection protection
  • Cross-Site Scripting (XSS) blocking
  • Geo-restriction capable

Route 53: DNS Management
  • Alias A-Record → CloudFront (free!)
  • CNAME for ACM DNS validation
  • Health checks & failover routing
  • 100% uptime SLA

ACM Certificate: SSL/TLS Encryption
  • Free public SSL certificate
  • Must be in us-east-1 for CloudFront
  • Auto-renews before expiry
  • Wildcard support (*.domain.com)

API Gateway: Backend Router
  • HTTP API (low-cost, low-latency)
  • Routes GET /hello → Lambda
  • Built-in CORS configuration
  • Auto-deploy to prod stage

Application Load Balancer: Layer 7 Load Balancing
  • Distributes traffic across targets (EC2, Lambda, IP)
  • Path-based routing (/api/*, /images/*)
  • Health checks on backend targets
  • Route 53 Alias record → ALB DNS name

AWS Lambda: Serverless Compute
  • Runs code without managing servers
  • Pay only for compute time used
  • Triggered by API Gateway or ALB
  • Auto-scales from 0 to thousands


WAF Attack Simulation

See how AWS WAF protects your application from common attacks

  • SQL Injection: simulates ?id=1' OR '1'='1
  • Cross-Site Scripting: simulates <script>alert('xss')</script>
  • Rate Limiting: simulates 50 rapid requests in 3 seconds
  • Geo-Blocking: simulates a request from a blocked country
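The four simulated checks above, as an added example that is not the page's demo code or AWS code: a small Python model of the edge inspection the WAF card describes, with a sliding-window rate rule (100 requests per client IP per 5 minutes, the limit listed on the WAF card), signature matches written for the two payloads shown here, and a geo-block list. The blocked-country set, client IPs and request timings are constructed; real AWS managed rule groups match far more than these two patterns, so the signatures are illustrations of the check, not a substitute for them.

```python
import re
from collections import defaultdict, deque
from urllib.parse import unquote_plus

WINDOW_SECONDS, RATE_LIMIT = 300, 100   # the "100 req / 5 min" rule from the WAF card
BLOCKED_COUNTRIES = {"KP"}              # constructed example list (ISO country codes)

# Signatures written for the two simulated payloads on the page; AWS managed
# rule groups cover far more variants, so treat these as illustrations only.
SQLI_SIGNATURE = re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.IGNORECASE)
XSS_SIGNATURE = re.compile(r"<\s*script\b|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)


class EdgeInspector:
    """Evaluates one request in the order the page's flow describes: geo-block,
    then rate limit, then SQLi and XSS signatures. Returns the name of the
    rule that blocked the request, or "ALLOW" when every check passes."""

    def __init__(self) -> None:
        self.recent = defaultdict(deque)   # client IP -> request timestamps inside the window

    def inspect(self, client_ip: str, country: str, query: str, now: float) -> str:
        if country in BLOCKED_COUNTRIES:
            return "GEO_BLOCK"
        window = self.recent[client_ip]
        while window and now - window[0] >= WINDOW_SECONDS:   # slide the 5-minute window
            window.popleft()
        window.append(now)
        if len(window) > RATE_LIMIT:
            return "RATE_LIMIT"
        # Match on the URL-decoded query string, as a WAF text transformation would.
        decoded = unquote_plus(query)
        if SQLI_SIGNATURE.search(decoded):
            return "SQLI"
        if XSS_SIGNATURE.search(decoded):
            return "XSS"
        return "ALLOW"


def simulate_burst(count: int, spacing: float = 0.06) -> list:
    """Constructed traffic: `count` requests from one client IP, `spacing` seconds apart."""
    inspector = EdgeInspector()
    return [inspector.inspect("203.0.113.9", "US", "id=1", i * spacing) for i in range(count)]
```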

📡 Route 53 Deep Dive

Understanding DNS record types, IP ↔ DNS mapping, and routing policies

Record Types: IP → DNS vs DNS → DNS

A Record: Domain → IP Address
Maps a domain name directly to an IPv4 address. Used when you know the exact IP of your server (e.g., an EC2 instance with an Elastic IP).
streamflix.com → A → 54.230.10.42

AAAA Record: Domain → IPv6 Address
Same as an A record but for IPv6 addresses. Modern infrastructure increasingly uses IPv6.
streamflix.com → AAAA → 2600:1f18:2551:8a00::1

CNAME Record: DNS Name → DNS Name
Maps one domain name to another. Cannot be used at the zone apex (the root domain, like streamflix.com). Use for subdomains only!
www.streamflix.com → CNAME → streamflix.com
⚠️ A CNAME replaces ALL records at that name. It cannot coexist with other record types.

ALIAS Record ⭐: DNS → AWS Resource (Free!)
AWS-specific! Works at the zone apex. Points to AWS resources (CloudFront, ALB, S3, etc.). Free of charge: no Route 53 query fees. This is the preferred way!
streamflix.com → ALIAS (A) → d3abc.cloudfront.net

Other Important Record Types

  • MX (Mail Exchange): routes email to mail servers
    streamflix.com → MX 10 → mail.google.com
  • TXT (Text Record): domain verification, SPF, DKIM for email
    streamflix.com → TXT → "v=spf1 include:_spf.google.com"
  • NS (Name Server): delegates a hosted zone to specific DNS servers
    streamflix.com → NS → ns-1234.awsdns-12.org
  • SOA (Start of Authority): zone metadata such as primary NS, admin email and serial number; auto-created with every hosted zone
  • CAA (Certificate Authority Authorization): controls which CAs can issue SSL certs for your domain
    streamflix.com → CAA → 0 issue "amazon.com"
  • SRV (Service Locator): specifies host/port for services (SIP, LDAP, etc.)
    _sip._tcp.streamflix.com → SRV → 10 5 5060 sip.example.com

Routing Policies — How Route 53 Decides Where to Send Traffic

Simple (Default · No Intelligence)

The most basic routing. Maps a domain name to one or more resources. If you specify multiple IPs, Route 53 returns them all and the client picks one randomly. No health checks.

Traffic Flow: User → Server A

📋 How It Works
  1. User queries streamflix.com
  2. Route 53 returns the IP(s) you configured
  3. If multiple IPs → client picks randomly

🏢 Real-World Example
A small company blog hosted on a single EC2 instance with an Elastic IP. No need for complex routing.

⚙️ AWS Console Config
Record name: streamflix.com | Type: A | Value: 54.230.10.42 | Routing policy: Simple
⚠️ No health checks! If the server dies, DNS still points to it.
Weighted (Traffic Splitting · A/B Testing)

Distributes traffic based on weights you assign. Route 53 calculates each record's share as weight / total_weight. Setting a weight to 0 stops all traffic to that record.

Traffic Flow (70/30 Split): User → v2.0 (new) 70% | v1.0 (old) 30%

📋 How It Works
  1. Create 2+ records with the same name
  2. Assign weights: v2 = 70, v1 = 30
  3. 70% of queries → v2, 30% → v1
  4. Set v1 weight = 0 to finish migration

🏢 Real-World Example
Canary deployment: Netflix deploys a new version to 5% of users. If no errors after 1 hour, increase to 50%, then 100%.

⚙️ AWS Console Config
Record 1: A | Value: 10.0.1.10 | Weight: 70 | Set ID: "v2-prod"
Record 2: A | Value: 10.0.2.20 | Weight: 30 | Set ID: "v1-prod"
💡 Supports health checks. If a weighted target fails, Route 53 removes it from rotation automatically.
Latency (Fastest Region · Global Performance)

Routes each user to the AWS region with the lowest network latency to them. AWS maintains a global latency database; latency is not measured live per request.

User in Mumbai → Nearest Region: India 🇮🇳 → Mumbai 12ms ✓ | Virginia 210ms | Ireland 180ms

📋 How It Works
  1. Deploy app in multiple AWS regions
  2. Create latency records for each region
  3. User's DNS resolver asks Route 53
  4. Route 53 checks the latency table → picks the lowest

🏢 Real-World Example
Amazon.com uses this! Users in India get routed to ap-south-1 (Mumbai), US users to us-east-1. Reduces page load time by 200ms+.

⚙️ AWS Console Config
Record 1: A | Value: 13.235.x.x | Region: ap-south-1 | Set ID: "mumbai"
Record 2: A | Value: 54.230.x.x | Region: us-east-1 | Set ID: "virginia"
🔍 vs Geolocation: Latency = which server responds fastest. Geolocation = where the user physically is. A user in India might get the fastest response from Singapore, not Mumbai.
Failover (Disaster Recovery · Active-Passive)

Creates an active-passive pair. Route 53 health-checks the primary. If the primary fails 3 times in a row, traffic automatically switches to the secondary. No manual intervention.

Primary fails → Auto-switch to standby: User → Primary (us-east-1) ❌ | Standby (eu-west-1) ✅

📋 How It Works
  1. Create a health check for the primary endpoint
  2. Primary record → Failover type = PRIMARY
  3. Secondary record → Failover type = SECONDARY
  4. Health check fails 3x → Route 53 switches to secondary
  5. Primary recovers → Route 53 switches back

🏢 Real-World Example
Banking website: primary in us-east-1, standby in eu-west-1. If Virginia goes down (like the 2017 S3 outage), customers automatically hit Ireland. Zero downtime.

⚙️ AWS Console Config
Record 1: A | Value: ALB-Primary | Failover: Primary | Health Check: hc-xyz
Record 2: A | Value: ALB-Standby | Failover: Secondary
💡 The secondary can be a static S3 website showing "We're experiencing issues, please wait"; this is a common pattern!
Geolocation (Country-Based · Content Licensing)

Routes based on where the user physically is (country, continent, or US state). NOT about speed: this is about showing different content based on location.

Different countries → Different servers
🇯🇵 Japan → jp.streamflix.com
🇩🇪 Germany → eu.streamflix.com
🌎 Default → us.streamflix.com

📋 How It Works
  1. Create records with location rules:
    • Country = Japan → Tokyo ALB
    • Continent = Europe → Ireland ALB
    • Default → Virginia ALB
  2. Route 53 determines the user's country from the DNS resolver's IP (or from the EDNS Client Subnet, when the resolver sends it)
  3. Matches the most specific rule first

🏢 Real-World Example
Netflix content licensing: "Squid Game" is available in Korea but not in the US. Geo-routing ensures Korean users see the Korean content library and US users see the US library.

GDPR compliance: EU users are routed to EU-based servers that comply with European data laws.

⚙️ AWS Console Config
Record 1: A | Value: 13.112.x.x | Location: Asia - Japan | Set ID: "japan"
Record 2: A | Value: 34.245.x.x | Location: Europe | Set ID: "europe"
Record 3: A | Value: 54.230.x.x | Location: Default | Set ID: "default"
⚠️ Always create a Default record! Without it, users from unlisted locations get NO response (NXDOMAIN error).
🔍 vs Latency: Geolocation = "You ARE in India → go to the India server." Latency = "You GET the fastest response from Singapore → go there." Geolocation is legal/content-driven, Latency is performance-driven.
Multivalue (DNS Load Balancing · Health-Aware)

Returns up to 8 healthy IP addresses in response to a DNS query. The client randomly picks one. Like Simple routing BUT with health checks, so dead servers are excluded.

Returns only healthy IPs: User → 10.0.1.10 ✅ | 10.0.2.20 ✅ | 10.0.3.30 ❌

📋 How It Works
  1. Create 8 A records, each with its own health check
  2. Route 53 checks the health of all 8
  3. Returns only the healthy ones (up to 8)
  4. Client picks one randomly

🏢 Real-World Example
Small startup with 4 web servers and no budget for an ALB ($16/month). Use Multivalue to spread traffic and auto-remove bad servers from DNS.

⚙️ AWS Console Config
Record 1: A | Value: 10.0.1.10 | Set ID: "web-1" | Health Check: hc-1
Record 2: A | Value: 10.0.2.20 | Set ID: "web-2" | Health Check: hc-2
Record 3: A | Value: 10.0.3.30 | Set ID: "web-3" | Health Check: hc-3
🔍 vs Simple: Simple returns ALL IPs (including dead ones). Multivalue only returns healthy IPs. vs ALB: ALB is true load balancing (Layer 7, sticky sessions, path routing). Multivalue is basic DNS-level distribution.
Geoproximity (Distance + Bias · Traffic Flow Required)

Routes based on the geographic distance between user and resource, with a configurable bias to expand or shrink a region's "catchment area." Available only in Route 53 Traffic Flow (visual editor).

Bias expands Mumbai's coverage area
Mumbai (bias: +25) ← attracts more traffic
Virginia (bias: 0) ← normal area
Ireland (bias: -10) ← shrinks area

📋 How It Works
  1. Open Route 53 → Traffic Flow → Create policy
  2. Add resources with lat/long or AWS region
  3. Adjust bias (−99 to +99)
  4. Positive bias = larger area = more traffic
  5. Negative bias = smaller area = less traffic

🏢 Real-World Example
Expanding into a new market: you launch Mumbai servers but want to gradually shift Middle East traffic from Ireland → Mumbai. Increase the Mumbai bias from 0 → +25 → +50 over weeks.

⚙️ AWS Console Config
This policy is ONLY available via Route 53 Traffic Flow (visual editor).
Costs: $50/month per Traffic Flow policy.
🔍 vs Geolocation: Geolocation = hard country boundaries. Geoproximity = flexible, distance-based, with adjustable bias. You can "steal" traffic from nearby regions.
IP-Based (CIDR Routing · ISP Optimization)

Routes based on the client's IP address range (CIDR blocks). You define which IP ranges should go to which endpoints. Useful for ISP-specific or enterprise network optimization.

Different IP ranges → Different endpoints
203.0.113.0/24 → ISP-A endpoint
198.51.100.0/24 → ISP-B endpoint
Default → General endpoint

📋 How It Works
  1. Create a CIDR collection in Route 53
  2. Add CIDR blocks (e.g., 203.0.113.0/24)
  3. Associate CIDR blocks with DNS records
  4. Route 53 matches the client IP → routes to the matched record

🏢 Real-World Example
Telecom company: Jio users (specific IP ranges) are routed to the Mumbai CDN, Airtel users to a different CDN. Optimizes peering and reduces inter-ISP transit costs.

⚙️ AWS Console Config
Step 1: Create CIDR collection → Add CIDR locations
Step 2: Create record → Routing: IP-based → Select CIDR location
💡 Newest routing policy (added 2022). Rarely asked in interviews but very useful for ISPs and large enterprises.
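The routing policies above, as an added example that is not the page's simulator or AWS code: a Python model of weighted, failover, geolocation and multivalue resolution over constructed records, with a health check that trips after 3 consecutive failed probes (the count the Failover section cites) and recovers after 3 consecutive successes, which is an assumption about the recovery threshold. The names Record, HealthCheck and the "*" marker for the Default location are this example's own, and the values returned are answer lists, not real DNS packets.

```python
import random
from dataclasses import dataclass
from typing import List, Optional

class HealthCheck:
    """Unhealthy after `threshold` consecutive failed probes; healthy again after as many successes."""
    def __init__(self, threshold: int = 3) -> None:
        self.threshold, self.healthy, self._streak = threshold, True, 0

    def observe(self, ok: bool) -> bool:
        self._streak = 0 if ok == self.healthy else self._streak + 1  # streak of probes disagreeing with state
        if self._streak >= self.threshold:
            self.healthy, self._streak = not self.healthy, 0
        return self.healthy

@dataclass
class Record:
    value: str
    weight: int = 0
    failover: Optional[str] = None     # "PRIMARY" or "SECONDARY"
    location: Optional[str] = None     # country code, continent code, or "*" for Default
    check: Optional[HealthCheck] = None

def _live(records: List[Record]) -> List[Record]:
    return [r for r in records if r.check is None or r.check.healthy]  # no health check = assumed healthy

def resolve_weighted(records: List[Record], rng=random) -> List[str]:
    live = _live(records)
    weights = [r.weight for r in live]
    if live and sum(weights) == 0:                    # all-zero weights behave as equal weights
        weights = [1] * len(live)
    return rng.choices([r.value for r in live], weights=weights, k=1) if live else []

def _first_match(records: List[Record], keys, attr: str) -> List[str]:
    for key in keys:                                  # keys are in priority order
        hit = [r.value for r in _live(records) if getattr(r, attr) == key]
        if hit:
            return hit
    return []                                         # nothing matched: empty answer

def resolve_failover(records: List[Record]) -> List[str]:
    return _first_match(records, ("PRIMARY", "SECONDARY"), "failover")   # standby only while primary is down

def resolve_geolocation(records: List[Record], country: str, continent: str) -> List[str]:
    return _first_match(records, (country, continent, "*"), "location")  # most specific first, Default last

def resolve_multivalue(records: List[Record], rng=random) -> List[str]:
    live = [r.value for r in _live(records)]
    return rng.sample(live, k=min(8, len(live)))      # at most 8 healthy values per answer
```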


โš–๏ธ Application Load Balancer

Distributing traffic across multiple targets with health checks

๐ŸŒ
Users
โ†’
๐Ÿ“ก
Route 53
api.streamflix.com
ALIAS โ†’ ALB
โ†’
โš–๏ธ
ALB
Listener :443 (HTTPS)
ACM cert attached
โ†’
Target Group: /api/*
EC2-A โœ…
EC2-B โœ…
EC2-C โŒ
Target Group: /static/*
Lambda โœ…

🔀 Path-Based Routing

/api/* → EC2 instances
/static/* → Lambda function
/* → Default target group

๐Ÿฅ Health Checks

ALB pings /health every 30s.
If 3 consecutive failures โ†’ target = unhealthy โ†’ traffic diverted

📡 DNS Mapping

ALB provides a DNS name: my-alb-1234.us-east-1.elb.amazonaws.com
A Route 53 ALIAS record maps api.streamflix.com → the ALB DNS name

🔒 SSL Termination

ACM certificate attached to the ALB listener on port 443. Backend targets can run on HTTP (port 80), reducing compute overhead; the ALB-to-target hop then crosses the VPC in plaintext, so use HTTPS target groups when that hop must also be encrypted (end-to-end TLS).