Implementing dynamic subdomains in AWS requires coordination between DNS routing and TLS certificate validation: a wildcard DNS record so that every label resolves, a wildcard certificate so that every label passes certificate validation, and a backend that checks the Host header it receives, because once the wildcard is in place any name under example.com will reach it. The key components are:
First, create a wildcard DNS record in Route 53:
# Route 53 Wildcard Record Example (CLI)
# Z2FDTNDATAQYW2 is the fixed hosted zone ID used for every CloudFront alias target;
# Z1D633PEXAMPLE is a placeholder for your own hosted zone.
aws route53 change-resource-record-sets \
--hosted-zone-id Z1D633PEXAMPLE \
--change-batch '{
"Changes": [{
"Action": "UPSERT",
"ResourceRecordSet": {
"Name": "*.example.com",
"Type": "A",
"AliasTarget": {
"HostedZoneId": "Z2FDTNDATAQYW2",
"DNSName": "d1234abcdef.cloudfront.net",
"EvaluateTargetHealth": false
}
}
}]
}'
Request a wildcard certificate via AWS Certificate Manager (ACM). The certificate's region must match its consumer: us-east-1 for CloudFront, the load balancer's region for an ALB. Note that *.example.com covers exactly one label (foo.example.com, but neither a.b.example.com nor the apex example.com), so add the apex as a subject alternative name if it must be served too:
# Request ACM Certificate (CloudFormation snippet)
# Issue in us-east-1 for CloudFront, or in the ALB's region for an ALB.
Resources:
  WildcardCert:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: "*.example.com"
      SubjectAlternativeNames:
        - "example.com"      # the wildcard alone does not cover the apex
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: "*.example.com"
          HostedZoneId: Z1D633PEXAMPLE   # lets CloudFormation create the validation CNAME itself
Configure CloudFront to handle all subdomains. The distribution itself does most of the work: add *.example.com as an alternate domain name (CNAME), attach the wildcard certificate from us-east-1, point the default behaviour at the ALB origin, and use an origin request policy that forwards the Host header (the managed AllViewer policy does) so the backend can tell tenants apart. An edge function is only needed when the origin must be chosen per request, and that requires Lambda@Edge on the origin-request event: CloudFront Functions cannot change request.origin, even though the field names below are often mistaken for their API.
// Lambda@Edge origin-request handler (Node.js) for subdomain routing.
// CloudFront Functions cannot modify request.origin; origin selection needs
// Lambda@Edge, whose event shape is used here (Records[0].cf.request,
// header values as arrays). Deploy in us-east-1 as a published version.
'use strict';

exports.handler = async (event) => {
  const request = event.Records[0].cf.request;
  const host = request.headers.host[0].value.toLowerCase();

  // Route every <label>.example.com subdomain to the same ALB origin.
  // Exactly one label is accepted; anything else keeps the origin that is
  // configured on the distribution's cache behaviour.
  if (/^[a-z0-9-]+\.example\.com$/.test(host)) {
    request.origin = {
      custom: {
        domainName: 'your-alb-1234567890.us-west-2.elb.amazonaws.com',
        port: 443,
        protocol: 'https',
        path: '',
        sslProtocols: ['TLSv1.2'],
        readTimeout: 30,
        keepaliveTimeout: 5,
        customHeaders: {}
      }
    };
  }
  return request;
};
Your EC2/ALB needs to:
- Accept the Host header for any *.example.com name and treat it as untrusted input: derive the tenant from the first label only, and refuse names that do not match (the Nginx configuration below does this with a default server that drops the connection).
- Configure web server (Nginx example):
# Nginx server block for wildcard
upstream backend {
    server 127.0.0.1:3000;   # assumed application port
}
# Default server: any name that is not <label>.example.com gets no response.
# It still needs the certificate, because the TLS handshake happens before Host is known.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate /path/to/wildcard.crt;
    ssl_certificate_key /path/to/wildcard.key;
    return 444;
}
server {
    listen 443 ssl;
    # Named capture of the tenant label: exactly one DNS label in front of example.com
    server_name ~^(?<subdomain>[a-z0-9-]+)\.example\.com$;
    ssl_certificate /path/to/wildcard.crt;
    ssl_certificate_key /path/to/wildcard.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_pass http://backend;
        proxy_set_header Host $host;
    }
}
For serverless solutions, API Gateway supports a wildcard custom domain name. The REST API itself is ordinary; the wildcard lives on the DomainName resource, whose certificate must be the ACM wildcard (in us-east-1 for an EDGE endpoint), and the Route 53 alias target then becomes that domain name's distribution rather than an ALB:
# Serverless Framework configuration
resources:
  Resources:
    ApiGatewayRestApi:
      Type: AWS::ApiGateway::RestApi
      Properties:
        Name: wildcard-api
        EndpointConfiguration:
          Types:
            - EDGE
    WildcardDomain:
      Type: AWS::ApiGateway::DomainName
      Properties:
        DomainName: "*.example.com"
        # ARN of the ACM wildcard certificate in us-east-1; placeholder variable name
        CertificateArn: ${self:custom.wildcardCertArn}
        EndpointConfiguration:
          Types:
            - EDGE
        SecurityPolicy: TLS_1_2
When architecting multi-tenant SaaS applications or dynamic content platforms, developers often need to handle unlimited subdomains pointing to the same infrastructure. This requires two key AWS components working in tandem:
- DNS resolution through Route 53
- SSL termination with wildcard certificates
Create a wildcard DNS record in Route 53 that captures all subdomains. The alias target here is an ALB, so HostedZoneId must be the load balancer's canonical hosted zone ID (reported by aws elbv2 describe-load-balancers as CanonicalHostedZoneId); it differs per region and is not the CloudFront zone ID Z2FDTNDATAQYW2. The value below is a placeholder:
{
  "Comment": "Wildcard subdomain record",
  "Changes": [{
    "Action": "CREATE",
    "ResourceRecordSet": {
      "Name": "*.example.com",
      "Type": "A",
      "AliasTarget": {
        "HostedZoneId": "ZALBHOSTEDZONEID",
        "DNSName": "dualstack.my-alb-123456789.us-west-2.elb.amazonaws.com",
        "EvaluateTargetHealth": false
      }
    }
  }]
}
Request a wildcard certificate through AWS Certificate Manager (ACM) in the region of the load balancer that will use it (us-west-2 for the ALB above); only a CloudFront distribution needs its certificate in us-east-1. The command returns the CertificateArn; aws acm describe-certificate then shows the CNAME to add for DNS validation:
aws acm request-certificate \
  --domain-name "*.example.com" \
  --subject-alternative-names "example.com" \
  --validation-method DNS \
  --idempotency-token 12345 \
  --region us-west-2
For EC2 instances running Nginx, configure the server block. ACM certificates are consumed by AWS-managed endpoints (ALB, CloudFront, API Gateway); a standard ACM public certificate cannot be exported to an instance, so either terminate TLS on the ALB or issue the wildcard yourself, for example with Let's Encrypt using the DNS-01 challenge (wildcards require it), as the paths below assume. Guard that private key: it is valid for every subdomain at once.
server {
    listen 443 ssl;
    # Named capture of the tenant label: exactly one DNS label in front of example.com
    server_name ~^(?<subdomain>[a-z0-9-]+)\.example\.com$;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Tenant $subdomain;   # tenant label for the application
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
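Whatever terminates TLS, the application behind it still has to decide what the Host header means: with wildcard DNS and a wildcard certificate, every name under example.com arrives looking legitimate. The following Node.js handler is an added example, not code from the original page; it shows the tenant resolution that the Nginx blocks above (and the "accept Host header *.example.com" requirement) leave to the backend on port 3000. The base domain is the page's example.com; the reserved-label list and the tenant table are constructed for the example.

```javascript
'use strict';

const BASE_DOMAIN = 'example.com';
// Labels that must never become a tenant: with wildcard DNS, anyone who can
// pick a tenant name could otherwise squat login.example.com (constructed list).
const RESERVED = new Set(['www', 'api', 'admin', 'login', 'mail', 'static']);
// Tenants known to the application (constructed sample data).
const TENANTS = new Map([
  ['acme', { plan: 'enterprise' }],
  ['globex', { plan: 'free' }],
]);

// Return the tenant label for a Host header, or null when the header is not
// exactly one DNS label in front of the base domain. A :port suffix and a
// trailing dot are tolerated; nested labels, the apex, and look-alike suffixes
// such as acme.example.com.attacker.net are rejected.
function tenantFromHost(hostHeader) {
  if (typeof hostHeader !== 'string') return null;
  let host = hostHeader.trim().toLowerCase();
  host = host.replace(/:\d+$/, '').replace(/\.$/, ''); // strip :port and FQDN dot
  const suffix = '.' + BASE_DOMAIN;
  if (!host.endsWith(suffix)) return null;
  const label = host.slice(0, -suffix.length);
  // RFC 1123 label: 1-63 chars of [a-z0-9-], no leading/trailing hyphen, no dots
  if (!/^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/.test(label)) return null;
  if (RESERVED.has(label)) return null;
  return label;
}

// Decide the response for a Host header: 421 Misdirected Request for names the
// wildcard lets through but this application does not serve, 404 for a
// well-formed label that is not a known tenant, 200 otherwise.
function routeRequest(hostHeader) {
  const label = tenantFromHost(hostHeader);
  if (label === null) return { status: 421, tenant: null };
  const tenant = TENANTS.get(label);
  if (!tenant) return { status: 404, tenant: label };
  return { status: 200, tenant: label, plan: tenant.plan };
}

// Request handler for http.createServer; Nginx forwards the original Host
// header to this process, so req.headers.host is the viewer's name.
function requestHandler(req, res) {
  const result = routeRequest(req.headers.host);
  res.writeHead(result.status, { 'Content-Type': 'application/json' });
  res.end(JSON.stringify(result));
}
```

Start it behind the Nginx block above with require('http').createServer(requestHandler).listen(3000, '127.0.0.1'). Responding 421 rather than serving a default tenant matters: a default tenant turns every unclaimed name into a working phishing host on your certificate.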
For more scalable solutions, use ALB with ACM:
- Create a target group pointing to your EC2 instances
- Configure a listener on port 443 with the ACM wildcard certificate (it must live in the ALB's region) and a TLS 1.2 or later security policy; redirect port 80 to 443
- Set the default action to forward to the target group
Verify using dig and curl commands:
dig anytest.example.com +short                 # Should return your ALB/EC2 IP
curl -I https://randomsubdomain.example.com    # Should return 200 OK with a valid certificate
Approximate costs (check current pricing for your region):
- Route 53 hosted zone: $0.50/month per zone
- ALB: ~$0.0225/hour + $0.008 per LCU-hour (load balancer capacity units, not GB)
- ACM wildcard certificates: Free
# Check DNS propagation
dig +trace anytest.example.com
# Verify certificate installation and the SAN list (-servername sends SNI; </dev/null ends the session)
openssl s_client -connect anytest.example.com:443 -servername anytest.example.com </dev/null 2>/dev/null | openssl x509 -noout -text
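The openssl command above leaves the actual question to the reader: does the served certificate cover the name you typed? The following Node.js snippet is an added example, not code from the original page. It implements the one-label wildcard matching that TLS clients apply (RFC 6125: *.example.com matches foo.example.com but neither a.b.example.com nor the apex), and fetches the subject alternative names from a live endpoint the same way the openssl command does. The SAN strings are constructed for the example, in the format Node's getPeerCertificate() returns; the hostnames are the page's.

```javascript
'use strict';

// Constructed SAN strings in the "DNS:..., DNS:..." format that Node's
// socket.getPeerCertificate().subjectaltname uses.
const SAMPLE_SAN = 'DNS:*.example.com, DNS:example.com';
const WILDCARD_ONLY_SAN = 'DNS:*.example.com';

// Extract DNS names from a subjectaltname string; IP and email entries are ignored.
function dnsNamesFromSubjectAltName(subjectaltname) {
  return subjectaltname
    .split(/,\s*/)
    .filter((entry) => entry.startsWith('DNS:'))
    .map((entry) => entry.slice(4));
}

// RFC 6125 style matching: case-insensitive, a trailing dot is ignored, and a
// wildcard is honoured only when it is the whole leftmost label and at least
// two labels follow it (so "*.com" never matches). Partial wildcards such as
// "f*.example.com" are treated as literals, which public CAs no longer issue.
function dnsNameMatches(hostname, pattern) {
  const h = hostname.toLowerCase().replace(/\.$/, '').split('.');
  const p = pattern.toLowerCase().replace(/\.$/, '').split('.');
  if (h.length !== p.length) return false; // a wildcard covers exactly one label
  for (let i = 1; i < p.length; i++) {
    if (h[i] !== p[i]) return false;
  }
  if (p[0] === '*') return p.length >= 3 && h[0].length > 0;
  return h[0] === p[0];
}

// True when any SAN DNS name covers the hostname.
function certCovers(hostname, sanDnsNames) {
  return sanDnsNames.some((name) => dnsNameMatches(hostname, name));
}

// Live check: connect with SNI set to the hostname (as openssl -servername does)
// and return the DNS SANs of whatever certificate the endpoint serves.
// rejectUnauthorized is disabled on purpose: this is a diagnostic that wants
// to see a wrong certificate rather than fail before reporting it.
function fetchDnsNames(host, port = 443) {
  const tls = require('tls'); // loaded here so the offline functions need no modules
  return new Promise((resolve, reject) => {
    const socket = tls.connect({ host, port, servername: host, rejectUnauthorized: false }, () => {
      const cert = socket.getPeerCertificate();
      socket.end();
      resolve(dnsNamesFromSubjectAltName(cert.subjectaltname || ''));
    });
    socket.on('error', reject);
  });
}
```

Usage against a deployed endpoint: fetchDnsNames('anytest.example.com').then((names) => console.log(certCovers('anytest.example.com', names), names)). Run it once for a random subdomain and once for the apex; the second call is the one that exposes a wildcard certificate issued without example.com as a SAN.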