This documentation is for Version 1 of the Amazon CLI only. For documentation related to Version 2 of the Amazon CLI, see the Version 2 User Guide.
Route 53 Resolver examples using Amazon CLI
The following code examples show you how to perform actions and implement common scenarios by using the Amazon Command Line Interface with Route 53 Resolver.
Actions are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios.
Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context.
Topics
Actions
The following code example shows how to use associate-firewall-rule-group
.
- Amazon CLI
-
To associate a firewall rule group with a VPC
The following
associate-firewall-rule-group
example associates a DNS Firewall rule group with an Amazon VPC.aws route53resolver associate-firewall-rule-group \ --name
test-association
\ --firewall-rule-group-idrslvr-frg-47f93271fexample
\ --vpc-idvpc-31e92222
\ --priority101
Output:
{ "FirewallRuleGroupAssociation": { "Id": "rslvr-frgassoc-57e8873d7example", "Arn": "arn:aws:route53resolver:us-west-2:123456789012:firewall-rule-group-association/rslvr-frgassoc-57e8873d7example", "FirewallRuleGroupId": "rslvr-frg-47f93271fexample", "VpcId": "vpc-31e92222", "Name": "test-association", "Priority": 101, "MutationProtection": "DISABLED", "Status": "UPDATING", "StatusMessage": "Creating Firewall Rule Group Association", "CreatorRequestId": "2ca1a304-32b3-4f5f-bc4c-EXAMPLE11111", "CreationTime": "2021-05-25T21:47:48.755768Z", "ModificationTime": "2021-05-25T21:47:48.755768Z" } }
For more information, see Managing associations between your VPC and Route 53 Resolver DNS Firewall rule groups
in the Amazon Route 53 Developer Guide. -
For API details, see AssociateFirewallRuleGroup
in Amazon CLI Command Reference.
-
The following code example shows how to use associate-resolver-endpoint-ip-address
.
- Amazon CLI
-
To associate another IP address with a Resolver endpoint
The following
associate-resolver-endpoint-ip-address
example associates another IP address with an inbound Resolver endpoint. If you specify only a subnet ID and omit the IP address from the--ip-address
parameter, Resolver chooses an IP address for you from among the available IP addresses in the specified subnet.aws route53resolver associate-resolver-endpoint-ip-address \ --resolver-endpoint-id
rslvr-in-497098ad5example
\ --ip-address="SubnetId=subnet-12d8exam,Ip=192.0.2.118"Output:
{ "ResolverEndpoint": { "Id": "rslvr-in-497098ad5example", "CreatorRequestId": "AWSConsole.25.0123456789", "Arn": "arn:aws:route53resolver:us-west-2:111122223333:resolver-endpoint/rslvr-in-497098ad5example", "Name": "my-inbound-endpoint", "SecurityGroupIds": [ "sg-05cd7b25d6example" ], "Direction": "INBOUND", "IpAddressCount": 3, "HostVPCId": "vpc-304bexam", "Status": "UPDATING", "StatusMessage": "Updating the Resolver Endpoint", "CreationTime": "2020-01-02T23:25:45.538Z", "ModificationTime": "2020-01-02T23:25:45.538Z" } }
For more information, see Values That You Specify When You Create or Edit Inbound Endpoints
in the Amazon Route 53 Developer Guide. -
For API details, see AssociateResolverEndpointIpAddress
in Amazon CLI Command Reference.
-
The following code example shows how to use associate-resolver-rule
.
- Amazon CLI
-
To associate a Resolver rule with a VPC
The following
associate-resolver-rule
example associates a Resolver rule with an Amazon VPC. After you run the command, Resolver starts to forward DNS queries to your network based on the settings in the rule, such as the domain name of the queries that are forwarded.aws route53resolver associate-resolver-rule \ --name
my-resolver-rule-association
\ --resolver-rule-idrslvr-rr-42b60677c0example
\ --vpc-idvpc-304bexam
Output:
{ "ResolverRuleAssociation": { "Id": "rslvr-rrassoc-d61cbb2c8bexample", "ResolverRuleId": "rslvr-rr-42b60677c0example", "Name": "my-resolver-rule-association", "VPCId": "vpc-304bexam", "Status": "CREATING", "StatusMessage": "[Trace id: 1-5dc5a8fa-ec2cc480d2ef07617example] Creating the association." } }
For more information, see Forwarding Outbound DNS Queries to Your Network
in the Amazon Route 53 Developer Guide. -
For API details, see AssociateResolverRule
in Amazon CLI Command Reference.
-
The following code example shows how to use create-firewall-domain-list
.
- Amazon CLI
-
To create a Route 53 Resolver DNS Firewall domain list
The following
create-firewall-domain-list
example creates a Route 53 Resolver DNS Firewall domain list, named test, in your Amazon account.aws route53resolver create-firewall-domain-list \ --creator-request-id
my-request-id
\ --nametest
Output:
{ "FirewallDomainList": { "Id": "rslvr-fdl-d61cbb2cbexample", "Arn": "arn:aws:route53resolver:us-west-2:123456789012:firewall-domain-list/rslvr-fdl-d61cbb2cbexample", "Name": "test", "DomainCount": 0, "Status": "COMPLETE", "StatusMessage": "Created Firewall Domain List", "CreatorRequestId": "my-request-id", "CreationTime": "2021-05-25T15:55:51.115365Z", "ModificationTime": "2021-05-25T15:55:51.115365Z" } }
For more information, see Managing your own domain lists
in the Amazon Route 53 Developer Guide. -
For API details, see CreateFirewallDomainList
in Amazon CLI Command Reference.
-
The following code example shows how to use create-firewall-rule-group
.
- Amazon CLI
-
To create a Firewall rule group
The following
create-firewall-rule-group
example creates a DNS Firewall rule group.aws route53resolver create-firewall-rule-group \ --creator-request-id
my-request-id
\ --nametest
Output:
{ "FirewallRuleGroup": { "Id": "rslvr-frg-47f93271fexample", "Arn": "arn:aws:route53resolver:us-west-2:123456789012:firewall-rule-group/rslvr-frg-47f93271fexample", "Name": "test", "RuleCount": 0, "Status": "COMPLETE", "StatusMessage": "Created Firewall Rule Group", "OwnerId": "123456789012", "CreatorRequestId": "my-request-id", "ShareStatus": "NOT_SHARED", "CreationTime": "2021-05-25T18:59:26.490017Z", "ModificationTime": "2021-05-25T18:59:26.490017Z" } }
For more information, see Managing rule groups and rules in DNS Firewall
in the Amazon Route 53 Developer Guide. -
For API details, see CreateFirewallRuleGroup
in Amazon CLI Command Reference.
-
The following code example shows how to use create-firewall-rule
.
- Amazon CLI
-
To create a firewall rule
The following
create-firewall-rule
example creates a firewall rule in a DNS Firewall rule for domains listed in a DNS Firewall domain list.aws route53resolver create-firewall-rule \ --name
allow-rule
\ --firewall-rule-group-idrslvr-frg-47f93271fexample
\ --firewall-domain-list-idrslvr-fdl-9e956e9ffexample
\ --priority101
\ --actionALLOW
Output:
{ "FirewallRule": { "FirewallRuleGroupId": "rslvr-frg-47f93271fexample", "FirewallDomainListId": "rslvr-fdl-9e956e9ffexample", "Name": "allow-rule", "Priority": 101, "Action": "ALLOW", "CreatorRequestId": "d81e3fb7-020b-415e-939f-EXAMPLE11111", "CreationTime": "2021-05-25T21:44:00.346093Z", "ModificationTime": "2021-05-25T21:44:00.346093Z" } }
For more information, see Managing rule groups and rules in DNS Firewall
in the Amazon Route 53 Developer Guide. -
For API details, see CreateFirewallRule
in Amazon CLI Command Reference.
-
The following code example shows how to use create-resolver-endpoint
.
- Amazon CLI
-
To create an inbound Resolver endpoint
The following
create-resolver-endpoint
example creates an inbound Resolver endpoint. You can use the same command to create both inbound and outbound endpoints.aws route53resolver create-resolver-endpoint --name my-inbound-endpoint --creator-request-id 2020-01-01-18:47 --security-group-ids "sg-f62bexam" --direction INBOUND --ip-addresses SubnetId=subnet-ba47exam,Ip=192.0.2.255 SubnetId=subnet-12d8exam,Ip=192.0.2.254
Output:
{ "ResolverEndpoint": { "Id": "rslvr-in-f9ab8a03f1example", "CreatorRequestId": "2020-01-01-18:47", "Arn": "arn:aws:route53resolver:us-west-2:111122223333:resolver-endpoint/rslvr-in-f9ab8a03f1example", "Name": "my-inbound-endpoint", "SecurityGroupIds": [ "sg-f62bexam" ], "Direction": "INBOUND", "IpAddressCount": 2, "HostVPCId": "vpc-304examp", "Status": "CREATING", "StatusMessage": "[Trace id: 1-5dc1ff84-f3477826e4a190025example] Creating the Resolver Endpoint", "CreationTime": "2020-01-01T23:02:29.583Z", "ModificationTime": "2020-01-01T23:02:29.583Z" } }
To create an outbound Resolver endpoint
The following
create-resolver-endpoint
example creates an outbound resolver endpoint using the values in the JSON-formatted documentcreate-outbound-resolver-endpoint.json
.aws route53resolver create-resolver-endpoint \ --cli-input-json file://c:\temp\create-outbound-resolver-endpoint.json
Contents of
create-outbound-resolver-endpoint.json
:{ "CreatorRequestId": "2020-01-01-18:47", "Direction": "OUTBOUND", "IpAddresses": [ { "Ip": "192.0.2.255", "SubnetId": "subnet-ba47exam" }, { "Ip": "192.0.2.254", "SubnetId": "subnet-12d8exam" } ], "Name": "my-outbound-endpoint", "SecurityGroupIds": [ "sg-05cd7b25d6example" ], "Tags": [ { "Key": "my-key-name", "Value": "my-key-value" } ] }
For more information, see Resolving DNS Queries Between VPCs and Your Network
in the Amazon Route 53 Developer Guide. -
For API details, see CreateResolverEndpoint
in Amazon CLI Command Reference.
-
The following code example shows how to use create-resolver-rule
.
- Amazon CLI
-
To create a Resolver rule
The following
create-resolver-rule
example creates a Resolver forwarding rule. The rule uses the outbound endpoint rslvr-out-d5e5920e37example to forward DNS queries forexample.com
to the IP addresses 10.24.8.75 and 10.24.8.156.aws route53resolver create-resolver-rule \ --creator-request-id
2020-01-02-18:47
\ --domain-nameexample.com
\ --namemy-rule
\ --resolver-endpoint-idrslvr-out-d5e5920e37example
\ --rule-typeFORWARD
\ --target-ips"Ip=10.24.8.75"
"Ip=10.24.8.156"
Output:
{ "ResolverRule": { "Status": "COMPLETE", "RuleType": "FORWARD", "ResolverEndpointId": "rslvr-out-d5e5920e37example", "Name": "my-rule", "DomainName": "example.com.", "CreationTime": "2022-05-10T21:35:30.923187Z", "TargetIps": [ { "Ip": "10.24.8.75", "Port": 53 }, { "Ip": "10.24.8.156", "Port": 53 } ], "CreatorRequestId": "2022-05-10-16:33", "ModificationTime": "2022-05-10T21:35:30.923187Z", "ShareStatus": "NOT_SHARED", "Arn": "arn:aws:route53resolver:us-east-1:111117012054:resolver-rule/rslvr-rr-b1e0b905e93611111", "OwnerId": "111111111111", "Id": "rslvr-rr-rslvr-rr-b1e0b905e93611111", "StatusMessage": "[Trace id: 1-22222222-3e56afcc71a3724664f22e24] Successfully created Resolver Rule." } }
-
For API details, see CreateResolverRule
in Amazon CLI Command Reference.
-
The following code example shows how to use delete-firewall-domain-list
.
- Amazon CLI
-
To delete a Route 53 Resolver DNS Firewall domain list
The following
delete-firewall-domain-list
example deletes a Route 53 Resolver DNS Firewall domain list, named test, in your Amazon account.aws route53resolver delete-firewall-domain-list \ --firewall-domain-list-id
rslvr-fdl-9e956e9ffexample
Output:
{ "FirewallDomainList": { "Id": "rslvr-fdl-9e956e9ffexample", "Arn": "arn:aws:route53resolver:us-west-2:123456789012:firewall-domain-list/rslvr-fdl-9e956e9ffexample", "Name": "test", "DomainCount": 6, "Status": "DELETING", "StatusMessage": "Deleting the Firewall Domain List", "CreatorRequestId": "my-request-id", "CreationTime": "2021-05-25T15:55:51.115365Z", "ModificationTime": "2021-05-25T18:58:05.588024Z" } }
For more information, see Managing your own domain lists
in the Amazon Route 53 Developer Guide. -
For API details, see DeleteFirewallDomainList
in Amazon CLI Command Reference.
-
The following code example shows how to use delete-firewall-rule-group
.
- Amazon CLI
-
To delete a firewall rule group
The following
delete-firewall-rule-group
example deletes a firewall rule group.aws route53resolver delete-firewall-rule-group \ --firewall-rule-group-id
rslvr-frg-47f93271fexample
Output:
{ "FirewallRuleGroup": { "Id": "rslvr-frg-47f93271fexample", "Arn": "arn:aws:route53resolver:us-west-2:123456789012:firewall-rule-group/rslvr-frg-47f93271fexample", "Name": "test", "RuleCount": 0, "Status": "UPDATING", "StatusMessage": "Updating Firewall Rule Group", "OwnerId": "123456789012", "CreatorRequestId": "my-request-id", "ShareStatus": "NOT_SHARED", "CreationTime": "2021-05-25T18:59:26.490017Z", "ModificationTime": "2021-05-25T21:51:53.028688Z" } }
For more information, see Managing rule groups and rules in DNS Firewall
in the Amazon Route 53 Developer Guide. -
For API details, see DeleteFirewallRuleGroup
in Amazon CLI Command Reference.
-
The following code example shows how to use delete-firewall-rule
.
- Amazon CLI
-
To delete a firewall rule
The following
delete-firewall-rule
example deletes a specified firewall rule.aws route53resolver delete-firewall-rule \ --firewall-rule-group-id
rslvr-frg-47f93271fexample
\ --firewall-domain-list-idrslvr-fdl-9e956e9ffexample
Output:
{ "FirewallRule": { "FirewallRuleGroupId": "rslvr-frg-47f93271fexample", "FirewallDomainListId": "rslvr-fdl-9e956e9ffexample", "Name": "allow-rule", "Priority": 102, "Action": "ALLOW", "CreatorRequestId": "d81e3fb7-020b-415e-939f-EXAMPLE11111", "CreationTime": "2021-05-25T21:44:00.346093Z", "ModificationTime": "2021-05-25T21:45:59.611600Z" } }
For more information, see Managing rule groups and rules in DNS Firewall
in the Amazon Route 53 Developer Guide. -
For API details, see DeleteFirewallRule
in Amazon CLI Command Reference.
-
The following code example shows how to use delete-resolver-endpoint
.
- Amazon CLI
-
To delete a Resolver endpoint
The following
delete-resolver-endpoint
example deletes the specified endpoint.Important If you delete an inbound endpoint, DNS queries from your network are no longer forwarded to Resolver in the VPC that you specified in the endpoint. If you delete an outbound endpoint, Resolver stops forwarding DNS queries from your VPC to your network for rules that specify the deleted outbound endpoint.
aws route53resolver delete-resolver-endpoint \ --resolver-endpoint-id
rslvr-in-497098ad59example
Output:
{ "ResolverEndpoint": { "Id": "rslvr-in-497098ad59example", "CreatorRequestId": "AWSConsole.25.157290example", "Arn": "arn:aws:route53resolver:us-west-2:111122223333:resolver-endpoint/rslvr-in-497098ad59example", "Name": "my-inbound-endpoint", "SecurityGroupIds": [ "sg-05cd7b25d6example" ], "Direction": "INBOUND", "IpAddressCount": 5, "HostVPCId": "vpc-304bexam", "Status": "DELETING", "StatusMessage": "[Trace id: 1-5dc5b658-811b5be0922bbc382example] Deleting ResolverEndpoint.", "CreationTime": "2020-01-01T23:25:45.538Z", "ModificationTime": "2020-01-02T23:25:45.538Z" } }
-
For API details, see DeleteResolverEndpoint
in Amazon CLI Command Reference.
-
The following code example shows how to use delete-resolver-rule
.
- Amazon CLI
-
To delete a Resolver rule
The following
delete-resolver-rule
example deletes the specified rule.Note If a rule is associated with any VPCs, you must first disassociate the rule from the VPCs before you can delete it.
aws route53resolver delete-resolver-rule \ --resolver-rule-id
rslvr-rr-5b3809426bexample
Output:
{ "ResolverRule": { "Id": "rslvr-rr-5b3809426bexample", "CreatorRequestId": "2020-01-03-18:47", "Arn": "arn:aws:route53resolver:us-west-2:111122223333:resolver-rule/rslvr-rr-5b3809426bexample", "DomainName": "zenith.example.com.", "Status": "DELETING", "StatusMessage": "[Trace id: 1-5dc5e05b-602e67b052cb74f05example] Deleting Resolver Rule.", "RuleType": "FORWARD", "Name": "my-resolver-rule", "TargetIps": [ { "Ip": "192.0.2.50", "Port": 53 } ], "ResolverEndpointId": "rslvr-out-d5e5920e3example", "OwnerId": "111122223333", "ShareStatus": "NOT_SHARED" } }
-
For API details, see DeleteResolverRule
in Amazon CLI Command Reference.
-
The following code example shows how to use disassociate-firewall-rule-group
.
- Amazon CLI
-
To disassociate a firewall rule group from a VPC
The following
disassociate-firewall-rule-group
example disassociates a DNS Firewall rule group from an Amazon VPC.aws route53resolver disassociate-firewall-rule-group \ --firewall-rule-group-association-id
rslvr-frgassoc-57e8873d7example
Output:
{ "FirewallRuleGroupAssociation": { "Id": "rslvr-frgassoc-57e8873d7example", "Arn": "arn:aws:route53resolver:us-west-2:123456789012:firewall-rule-group-association/rslvr-frgassoc-57e8873d7example", "FirewallRuleGroupId": "rslvr-frg-47f93271fexample", "VpcId": "vpc-31e92222", "Name": "test-association", "Priority": 103, "MutationProtection": "DISABLED", "Status": "DELETING", "StatusMessage": "Deleting the Firewall Rule Group Association", "CreatorRequestId": "2ca1a304-32b3-4f5f-bc4c-EXAMPLE11111", "CreationTime": "2021-05-25T21:47:48.755768Z", "ModificationTime": "2021-05-25T21:51:02.377887Z" } }
For more information, see Managing associations between your VPC and Route 53 Resolver DNS Firewall rule groups
in the Amazon Route 53 Developer Guide. -
For API details, see DisassociateFirewallRuleGroup
in Amazon CLI Command Reference.
-
The following code example shows how to use disassociate-resolver-endpoint-ip-address
.
- Amazon CLI
-
To disassociate an IP address from a Resolver endpoint
The following
disassociate-resolver-endpoint-ip-address
example removes an IP address from a specified Resolver inbound or outbound endpoint.Note An endpoint must have at least two IP addresses. If an endpoint currently has only two IP addresses and you want to replace one address with another address, you must first use associate-resolver-endpoint-ip-address
to associate the new IP address. Then you can disassociate one of the original IP addresses from the endpoint. aws route53resolver disassociate-resolver-endpoint-ip-address \ --resolver-endpoint-id
rslvr-in-f9ab8a03f1example
\ --ip-address="SubnetId=subnet-12d8a459,Ip=172.31.40.121"Output:
{ "ResolverEndpoint": { "Id": "rslvr-in-f9ab8a03f1example", "CreatorRequestId": "2020-01-01-18:47", "Arn": "arn:aws:route53resolver:us-west-2:111122223333:resolver-endpoint/rslvr-in-f9ab8a03f1example", "Name": "my-inbound-endpoint", "SecurityGroupIds": [ "sg-f62bexam" ], "Direction": "INBOUND", "IpAddressCount": 3, "HostVPCId": "vpc-304bexam", "Status": "UPDATING", "StatusMessage": "Updating the Resolver Endpoint", "CreationTime": "2020-01-01T23:02:29.583Z", "ModificationTime": "2020-01-05T23:02:29.583Z" } }
-
For API details, see DisassociateResolverEndpointIpAddress
in Amazon CLI Command Reference.
-
The following code example shows how to use disassociate-resolver-rule
.
- Amazon CLI
-
To disassociate a Resolver rule from an Amazon VPC
The following
disassociate-resolver-rule
example removes the association between the specified Resolver rule and the specified VPC. You can disassociate a rule from a VPC in the following circumstances:For DNS queries that originate in this VPC, you want Resolver to stop forwarding queries to your network for the domain name that is specified in the rule.You want to delete the forwarding rule. If a rule is currently associated with one or more VPCs, you must disassociate the rule from all VPCs before you can delete it.
aws route53resolver disassociate-resolver-rule \ --resolver-rule-id rslvr-rr-4955cb98ceexample \ --vpc-id vpc-304bexam
Output:
{ "ResolverRuleAssociation": { "Id": "rslvr-rrassoc-322f4e8b9cexample", "ResolverRuleId": "rslvr-rr-4955cb98ceexample", "Name": "my-resolver-rule-association", "VPCId": "vpc-304bexam", "Status": "DELETING", "StatusMessage": "[Trace id: 1-5dc5ffa2-a26c38004c1f94006example] Deleting Association" } }
-
For API details, see DisassociateResolverRule
in Amazon CLI Command Reference.
-
The following code example shows how to use get-firewall-config
.
- Amazon CLI
-
To get a firewall config for a VPC
The following
get-firewall-config
example retrieves the DNS Firewall behavior for the specified VPC.aws route53resolver get-firewall-config \ --resource-id
vpc-31e92222
Output:
{ "FirewallConfig": { "Id": "rslvr-fc-86016850cexample", "ResourceId": "vpc-31e9222", "OwnerId": "123456789012", "FirewallFailOpen": "DISABLED" } }
For more information, see DNS Firewall VPC configuration
in the Amazon Route 53 Developer Guide. -
For API details, see GetFirewallConfig
in Amazon CLI Command Reference.
-
The following code example shows how to use get-firewall-domain-list
.
- Amazon CLI
-
To get a Route 53 Resolver DNS Firewall domain list
The following
get-firewall-domain-list
example retrieves the domain list with the ID you specify.aws route53resolver get-firewall-domain-list \ --firewall-domain-list-id
rslvr-fdl-42b60677cexample
Output:
{ "FirewallDomainList": { "Id": "rslvr-fdl-9e956e9ffexample", "Arn": "arn:aws:route53resolver:us-west-2:123457689012:firewall-domain-list/rslvr-fdl-42b60677cexample", "Name": "test", "DomainCount": 0, "Status": "COMPLETE", "StatusMessage": "Created Firewall Domain List", "CreatorRequestId": "my-request-id", "CreationTime": "2021-05-25T15:55:51.115365Z", "ModificationTime": "2021-05-25T15:55:51.115365Z" } }
For more information, see Managing your own domain lists
in the Amazon Route 53 Developer Guide. -
For API details, see GetFirewallDomainList
in Amazon CLI Command Reference.
-
The following code example shows how to use get-firewall-rule-group-association
.
- Amazon CLI
-
To get a firewall rule group association
The following
get-firewall-rule-group-association
example retrieves a firewall rule group association.aws route53resolver get-firewall-rule-group-association \ --firewall-rule-group-association-id
rslvr-frgassoc-57e8873d7example
Output:
{ "FirewallRuleGroupAssociation": { "Id": "rslvr-frgassoc-57e8873d7example", "Arn": "arn:aws:route53resolver:us-west-2:123456789012:firewall-rule-group-association/rslvr-frgassoc-57e8873d7example", "FirewallRuleGroupId": "rslvr-frg-47f93271fexample", "VpcId": "vpc-31e92222", "Name": "test-association", "Priority": 101, "MutationProtection": "DISABLED", "Status": "COMPLETE", "StatusMessage": "Finished rule group association update", "CreatorRequestId": "2ca1a304-32b3-4f5f-bc4c-EXAMPLE11111", "CreationTime": "2021-05-25T21:47:48.755768Z", "ModificationTime": "2021-05-25T21:47:48.755768Z" } }
For more information, see Managing associations between your VPC and Route 53 Resolver DNS Firewall rule groups
in the Amazon Route 53 Developer Guide. -
For API details, see GetFirewallRuleGroupAssociation
in Amazon CLI Command Reference.
-
The following code example shows how to use get-firewall-rule-group-policy
.
- Amazon CLI
-
To get an Amazon IAM policy
The following
get-firewall-rule-group-policy
example gets the Amazon Identity and Access Management (Amazon IAM) policy for sharing the specified rule group.aws route53resolver get-firewall-rule-group-policy \ --arn
arn:aws:route53resolver:us-west-2:AWS_ACCOUNT_ID:firewall-rule-group/rslvr-frg-47f93271fexample
Output:
{ "FirewallRuleGroupPolicy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"test\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::AWS_ACCOUNT_ID:root\"},\"Action\":[\"route53resolver:GetFirewallRuleGroup\",\"route53resolver:ListFirewallRuleGroups\"],\"Resource\":\"arn:aws:route53resolver:us-east-1:AWS_ACCOUNT_ID:firewall-rule-group/rslvr-frg-47f93271fexample\"}]}" }
For more information, see Managing rule groups and rules in DNS Firewall
in the Amazon Route 53 Developer Guide. -
For API details, see GetFirewallRuleGroupPolicy
in Amazon CLI Command Reference.
-
The following code example shows how to use get-firewall-rule-group
.
- Amazon CLI
-
To get a Firewall rule group
The following
get-firewall-rule-group
example retrieves information about a DNS Firewall rule group with the ID you provide.aws route53resolver get-firewall-rule-group \ --firewall-rule-group-id
rslvr-frg-47f93271fexample
Output:
{ "FirewallRuleGroup": { "Id": "rslvr-frg-47f93271fexample", "Arn": "arn:aws:route53resolver:us-west-2:123456789012:firewall-rule-group/rslvr-frg-47f93271fexample", "Name": "test", "RuleCount": 0, "Status": "COMPLETE", "StatusMessage": "Created Firewall Rule Group", "OwnerId": "123456789012", "CreatorRequestId": "my-request-id", "ShareStatus": "NOT_SHARED", "CreationTime": "2021-05-25T18:59:26.490017Z", "ModificationTime": "2021-05-25T18:59:26.490017Z" } }
For more information, see Managing rule groups and rules in DNS Firewall
in the Amazon Route 53 Developer Guide. -
For API details, see GetFirewallRuleGroup
in Amazon CLI Command Reference.
-
The following code example shows how to use get-resolver-endpoint
.
- Amazon CLI
-
To get information about a Resolver endpoint
The following
get-resolver-endpoint
example displays details for the outbound specified endpoint. You can useget-resolver-endpoint
for both inbound and outbound endpoints by specifying the applicable endpoint ID.aws route53resolver get-resolver-endpoint \ --resolver-endpoint-id
rslvr-out-d5e5920e37example
Output:
{ "ResolverEndpoint": { "Id": "rslvr-out-d5e5920e37example", "CreatorRequestId": "2020-01-01-18:47", "Arn": "arn:aws:route53resolver:us-west-2:111122223333:resolver-endpoint/rslvr-out-d5e5920e37example", "Name": "my-outbound-endpoint", "SecurityGroupIds": [ "sg-05cd7b25d6example" ], "Direction": "OUTBOUND", "IpAddressCount": 2, "HostVPCId": "vpc-304bexam", "Status": "OPERATIONAL", "StatusMessage": "This Resolver Endpoint is operational.", "CreationTime": "2020-01-01T23:50:50.979Z", "ModificationTime": "2020-01-02T23:50:50.979Z" } }
For more information, see Values That You Specify When You Create or Edit Inbound Endpoints
in the Amazon Route 53 Developer Guide. -
For API details, see GetResolverEndpoint
in Amazon CLI Command Reference.
-
The following code example shows how to use get-resolver-rule-association
.
- Amazon CLI
-
To get information about the association between a Resolver rule and a VPC
The following
get-resolver-rule-association
example displays details about the association between a specified Resolver rule and a VPC. You associate a resolver rule and a VPC using associate-resolver-rule. aws route53resolver get-resolver-rule-association \ --resolver-rule-association-id
rslvr-rrassoc-d61cbb2c8bexample
Output:
{ "ResolverRuleAssociation": { "Id": "rslvr-rrassoc-d61cbb2c8bexample", "ResolverRuleId": "rslvr-rr-42b60677c0example", "Name": "my-resolver-rule-association", "VPCId": "vpc-304bexam", "Status": "COMPLETE", "StatusMessage": "" } }
-
For API details, see GetResolverRuleAssociation
in Amazon CLI Command Reference.
-
The following code example shows how to use get-resolver-rule
.
- Amazon CLI
-
To get information about a Resolver rule
The following
get-resolver-rule
example displays details about the specified Resolver rule, such as the domain name that the rule forwards DNS queries for and the ID of the outbound resolver endpoint that the rule is associated with.aws route53resolver get-resolver-rule \ --resolver-rule-id
rslvr-rr-42b60677c0example
Output:
{ "ResolverRule": { "Id": "rslvr-rr-42b60677c0example", "CreatorRequestId": "2020-01-01-18:47", "Arn": "arn:aws:route53resolver:us-west-2:111122223333:resolver-rule/rslvr-rr-42b60677c0example", "DomainName": "example.com.", "Status": "COMPLETE", "StatusMessage": "[Trace id: 1-5dc4b177-ff1d9d001a0f80005example] Successfully created Resolver Rule.", "RuleType": "FORWARD", "Name": "my-rule", "TargetIps": [ { "Ip": "192.0.2.45", "Port": 53 } ], "ResolverEndpointId": "rslvr-out-d5e5920e37example", "OwnerId": "111122223333", "ShareStatus": "NOT_SHARED" } }
For more information, see Values That You Specify When You Create or Edit Rules
in the Amazon Route 53 Developer Guide. -
For API details, see GetResolverRule
in Amazon CLI Command Reference.
-
The following code example shows how to use import-firewall-domains
.
- Amazon CLI
-
To import domains into a domain list
The following
import-firewall-domains
example imports a set of domains from a file into a DNS Firewall domain list that you specify.aws route53resolver import-firewall-domains \ --firewall-domain-list-id
rslvr-fdl-d61cbb2cbexample
\ --operationREPLACE
\ --domain-file-urls3://PATH/TO/YOUR/FILE
Output:
{ "Id": "rslvr-fdl-d61cbb2cbexample", "Name": "test", "Status": "IMPORTING", "StatusMessage": "Importing domains from provided file." }
For more information, see Managing your own domain lists
in the Amazon Route 53 Developer Guide. -
For API details, see ImportFirewallDomains
in Amazon CLI Command Reference.
-
The following code example shows how to use list-firewall-configs
.
- Amazon CLI
-
To list firewall configs
The following
list-firewall-configs
example lists your DNS Firewall configurations.aws route53resolver list-firewall-configs
Output:
{ "FirewallConfigs": [ { "Id": "rslvr-fc-86016850cexample", "ResourceId": "vpc-31e92222", "OwnerId": "123456789012", "FirewallFailOpen": "DISABLED" } ] }
For more information, see DNS Firewall VPC configuration
in the Amazon Route 53 Developer Guide. -
For API details, see ListFirewallConfigs
in Amazon CLI Command Reference.
-
The following code example shows how to use list-firewall-domain-lists
.
- Amazon CLI
-
To list all of Route 53 Resolver DNS Firewall domain lists
The following
list-firewall-domain-lists
example lists all the domain lists.aws route53resolver list-firewall-domain-lists
Output:
{ "FirewallDomainLists": [ { "Id": "rslvr-fdl-2c46f2ecfexample", "Arn": "arn:aws:route53resolver:us-west-2:123456789012:firewall-domain-list/rslvr-fdl-2c46f2ecfexample", "Name": "AWSManagedDomainsMalwareDomainList", "CreatorRequestId": "AWSManagedDomainsMalwareDomainList", "ManagedOwnerName": "Route 53 Resolver DNS Firewall" }, { "Id": "rslvr-fdl-aa970e9e1example", "Arn": "arn:aws:route53resolver:us-west-2:123456789012:firewall-domain-list/rslvr-fdl-aa970e9e1example", "Name": "AWSManagedDomainsBotnetCommandandControl", "CreatorRequestId": "AWSManagedDomainsBotnetCommandandControl", "ManagedOwnerName": "Route 53 Resolver DNS Firewall" }, { "Id": "rslvr-fdl-42b60677cexample", "Arn": "arn:aws:route53resolver:us-west-2:123456789111:firewall-domain-list/rslvr-fdl-42b60677cexample", "Name": "test", "CreatorRequestId": "my-request-id" } ] }
For more information, see Route 53 Resolver DNS Firewall domain lists
in the Amazon Route 53 Developer Guide. -
For API details, see ListFirewallDomainLists
in Amazon CLI Command Reference.
-
The following code example shows how to use list-firewall-domains
.
- Amazon CLI
-
To list domains in a domain list
The following
list-firewall-domains
example lists the domains in a DNS Firewall domain list that you specify.aws route53resolver list-firewall-domains \ --firewall-domain-list-id
rslvr-fdl-d61cbb2cbexample
Output:
{ "Domains": [ "test1.com.", "test2.com.", "test3.com." ] }
For more information, see Managing your own domain lists
in the Amazon Route 53 Developer Guide. -
For API details, see ListFirewallDomains
in Amazon CLI Command Reference.
-
The following code example shows how to use list-firewall-rule-group-associations
.
- Amazon CLI
-
To list DNS Firewall rule group associations
The following
list-firewall-rule-group-associations
example lists your DNS Firewall rule group associations with Amazon VPCs.aws route53resolver list-firewall-rule-group-associations
Output:
{ "FirewallRuleGroupAssociations": [ { "Id": "rslvr-frgassoc-57e8873d7example", "Arn": "arn:aws:route53resolver:us-west-2:123456789012:firewall-rule-group-association/rslvr-frgassoc-57e8873d7example", "FirewallRuleGroupId": "rslvr-frg-47f93271fexample", "VpcId": "vpc-31e92222", "Name": "test-association", "Priority": 101, "MutationProtection": "DISABLED", "Status": "UPDATING", "StatusMessage": "Creating Firewall Rule Group Association", "CreatorRequestId": "2ca1a304-32b3-4f5f-bc4c-EXAMPLE11111", "CreationTime": "2021-05-25T21:47:48.755768Z", "ModificationTime": "2021-05-25T21:47:48.755768Z" } ] }
For more information, see Managing associations between your VPC and Route 53 Resolver DNS Firewall rule group
in the Amazon Route 53 Developer Guide. -
For API details, see ListFirewallRuleGroupAssociations
in Amazon CLI Command Reference.
-
The following code example shows how to use list-firewall-rule-groups
.
- Amazon CLI
-
To get a list of your Firewall rule groups
The following
list-firewall-rule-groups
example lists your DNS Firewall rule groups.aws route53resolver list-firewall-rule-groups
Output:
{ "FirewallRuleGroups": [ { "Id": "rslvr-frg-47f93271fexample", "Arn": "arn:aws:route53resolver:us-west-2:123456789012:firewall-rule-group/rslvr-frg-47f93271fexample", "Name": "test", "OwnerId": "123456789012", "CreatorRequestId": "my-request-id", "ShareStatus": "NOT_SHARED" } ] }
For more information, see Managing rule groups and rules in DNS Firewall
in the Amazon Route 53 Developer Guide. -
For API details, see ListFirewallRuleGroups
in Amazon CLI Command Reference.
-
The following code example shows how to use list-firewall-rules
.
- Amazon CLI
-
To list firewall rules
The following
list-firewall-rules
example list all of your DNS Firewall rules within a firewall rule group.aws route53resolver list-firewall-rules \ --firewall-rule-group-id
rslvr-frg-47f93271fexample
Output:
{ "FirewallRules": [ { "FirewallRuleGroupId": "rslvr-frg-47f93271fexample", "FirewallDomainListId": "rslvr-fdl-9e956e9ffexample", "Name": "allow-rule", "Priority": 101, "Action": "ALLOW", "CreatorRequestId": "d81e3fb7-020b-415e-939f-EXAMPLE11111", "CreationTime": "2021-05-25T21:44:00.346093Z", "ModificationTime": "2021-05-25T21:44:00.346093Z" } ] }
For more information, see Managing rule groups and rules in DNS Firewall
in the Amazon Route 53 Developer Guide. -
For API details, see ListFirewallRules
in Amazon CLI Command Reference.
-
The following code example shows how to use list-resolver-endpoint-ip-addresses
.
- Amazon CLI
-
To list IP addresses for a specified inbound or outbound endpoint
The following
list-resolver-endpoint-ip-addresses
example lists information about the IP addresses that are associated with the inbound endpointrslvr-in-f9ab8a03f1example
. You can also uselist-resolver-endpoint-ip-addresses
for outbound endpoints by specifying the applicable endpoint ID.aws route53resolver list-resolver-endpoint-ip-addresses \ --resolver-endpoint-id
rslvr-in-f9ab8a03f1example
Output:
{ "MaxResults": 10, "IpAddresses": [ { "IpId": "rni-1de60cdbfeexample", "SubnetId": "subnet-ba47exam", "Ip": "192.0.2.44", "Status": "ATTACHED", "StatusMessage": "This IP address is operational.", "CreationTime": "2020-01-03T23:02:29.587Z", "ModificationTime": "2020-01-03T23:03:05.555Z" }, { "IpId": "rni-aac7085e38example", "SubnetId": "subnet-12d8exam", "Ip": "192.0.2.45", "Status": "ATTACHED", "StatusMessage": "This IP address is operational.", "CreationTime": "2020-01-03T23:02:29.593Z", "ModificationTime": "2020-01-03T23:02:55.060Z" } ] }
For more information about the values in the output, see Values That You Specify When You Create or Edit Inbound Endpoints
, and Values That You Specify When You Create or Edit Outbound Endpoints , both in the Amazon Route 53 Developer Guide. -
For API details, see ListResolverEndpointIpAddresses
in Amazon CLI Command Reference.
-
The following code example shows how to use list-resolver-endpoints
.
- Amazon CLI
-
To list Resolver endpoints in an Amazon Region
The following
list-resolver-endpoints
example lists the inbound and outbound Resolver endpoints that exist in the current account.aws route53resolver list-resolver-endpoints
Output:
{ "MaxResults": 10, "ResolverEndpoints": [ { "Id": "rslvr-in-497098ad59example", "CreatorRequestId": "2020-01-01-18:47", "Arn": "arn:aws:route53resolver:us-west-2:111122223333:resolver-endpoint/rslvr-in-497098ad59example", "Name": "my-inbound-endpoint", "SecurityGroupIds": [ "sg-05cd7b25d6example" ], "Direction": "INBOUND", "IpAddressCount": 2, "HostVPCId": "vpc-304bexam", "Status": "OPERATIONAL", "StatusMessage": "This Resolver Endpoint is operational.", "CreationTime": "2020-01-01T23:25:45.538Z", "ModificationTime": "2020-01-01T23:25:45.538Z" }, { "Id": "rslvr-out-d5e5920e37example", "CreatorRequestId": "2020-01-01-18:48", "Arn": "arn:aws:route53resolver:us-west-2:111122223333:resolver-endpoint/rslvr-out-d5e5920e37example", "Name": "my-outbound-endpoint", "SecurityGroupIds": [ "sg-05cd7b25d6example" ], "Direction": "OUTBOUND", "IpAddressCount": 2, "HostVPCId": "vpc-304bexam", "Status": "OPERATIONAL", "StatusMessage": "This Resolver Endpoint is operational.", "CreationTime": "2020-01-01T23:50:50.979Z", "ModificationTime": "2020-01-01T23:50:50.979Z" } ] }
-
For API details, see ListResolverEndpoints
in Amazon CLI Command Reference.
-
The following code example shows how to use list-resolver-rule-associations
.
- Amazon CLI
-
To list associations between Resolver rules and VPCs
The following
list-resolver-rule-associations
example lists the associations between resolver rules and VPCs in the current Amazon account.aws route53resolver list-resolver-rule-associations
Output:
{ "MaxResults": 30, "ResolverRuleAssociations": [ { "Id": "rslvr-autodefined-assoc-vpc-304bexam-internet-resolver", "ResolverRuleId": "rslvr-autodefined-rr-internet-resolver", "Name": "System Rule Association", "VPCId": "vpc-304bexam", "Status": "COMPLETE", "StatusMessage": "" }, { "Id": "rslvr-rrassoc-d61cbb2c8bexample", "ResolverRuleId": "rslvr-rr-42b60677c0example", "Name": "my-resolver-rule-association", "VPCId": "vpc-304bexam", "Status": "COMPLETE", "StatusMessage": "" } ] }
For more information, see How Route 53 Resolver Forwards DNS Queries from Your VPCs to Your Network
in the Amazon Route 53 Developer Guide. -
For API details, see ListResolverRuleAssociations
in Amazon CLI Command Reference.
-
The following code example shows how to use list-resolver-rules
.
- Amazon CLI
-
To list Resolver rules
The following
list-resolver-rules
example lists all the Resolver rules in the current Amazon account.aws route53resolver list-resolver-rules
Output:
{ "MaxResults": 30, "ResolverRules": [ { "Id": "rslvr-autodefined-rr-internet-resolver", "CreatorRequestId": "", "Arn": "arn:aws:route53resolver:us-west-2::autodefined-rule/rslvr-autodefined-rr-internet-resolver", "DomainName": ".", "Status": "COMPLETE", "RuleType": "RECURSIVE", "Name": "Internet Resolver", "OwnerId": "Route 53 Resolver", "ShareStatus": "NOT_SHARED" }, { "Id": "rslvr-rr-42b60677c0example", "CreatorRequestId": "2020-01-01-18:47", "Arn": "arn:aws:route53resolver:us-west-2:111122223333:resolver-rule/rslvr-rr-42b60677c0bc4e299", "DomainName": "example.com.", "Status": "COMPLETE", "StatusMessage": "[Trace id: 1-5dc4b177-ff1d9d001a0f80005example] Successfully created Resolver Rule.", "RuleType": "FORWARD", "Name": "my-rule", "TargetIps": [ { "Ip": "192.0.2.45", "Port": 53 } ], "ResolverEndpointId": "rslvr-out-d5e5920e37example", "OwnerId": "111122223333", "ShareStatus": "NOT_SHARED" } ] }
For more information, see How Route 53 Resolver Forwards DNS Queries from Your VPCs to Your Network
in the Amazon Route 53 Developer Guide. -
For API details, see ListResolverRules
in Amazon CLI Command Reference.
-
The following code example shows how to use list-tags-for-resource
.
- Amazon CLI
-
To list the tags for a Resolver resource
The following
list-tags-for-resource
example lists the tags that are assigned to the specified Resolver rule.aws route53resolver list-tags-for-resource \ --resource-arn
"arn:aws:route53resolver:us-west-2:111122223333:resolver-rule/rslvr-rr-42b60677c0example"
Output:
{ "Tags": [ { "Key": "my-key-1", "Value": "my-value-1" }, { "Key": "my-key-2", "Value": "my-value-2" } ] }
For information about using tags for cost allocation, see Using Cost Allocation Tags
in the Amazon Billing and Cost Management User Guide. -
For API details, see ListTagsForResource
in Amazon CLI Command Reference.
-
The following code example shows how to use put-firewall-rule-group-policy
.
- Amazon CLI
-
To attach an Amazon IAM policy to share a Firewall rule group policy
The following
put-firewall-rule-group-policy
example attaches an Amazon Identity and Access Management (Amazon IAM) policy for sharing the rule group.aws route53resolver put-firewall-rule-group-policy \ --firewall-rule-group-policy "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"test\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::AWS_ACCOUNT_ID:root\"},\"Action\":[\"route53resolver:GetFirewallRuleGroup\",\"route53resolver:ListFirewallRuleGroups\"],\"Resource\":\"arn:aws:route53resolver:us-east-1:AWS_ACCOUNT_ID:firewall-rule-group/rslvr-frg-47f93271fexample\"}]}"
Output:
{ "ReturnValue": true }
For more information, see Managing rule groups and rules in DNS Firewall
in the Amazon Route 53 Developer Guide. -
For API details, see PutFirewallRuleGroupPolicy
in Amazon CLI Command Reference.
-
The following code example shows how to use put-resolver-rule-policy
.
- Amazon CLI
-
To share a Resolver rule with another Amazon account
The following
put-resolver-rule-policy
example specifies a Resolver rule that you want to share with another Amazon account, the account that you want to share the rule with, and the rule-related operations that you want the account to be able to perform on the rules.Note You must run this command using credentials from the same account that created the rule.
aws route53resolver put-resolver-rule-policy \ --region
us-east-1
\ --arn"arn:aws:route53resolver:us-east-1:111122223333:resolver-rule/rslvr-rr-42b60677c0example"
\ --resolver-rule-policy "{\"Version\": \"2012-10-17\", \ \"Statement\": [ { \ \"Effect\" : \"Allow\", \ \"Principal\" : {\"AWS\" : \"444455556666\" }, \ \"Action\" : [ \ \"route53resolver:GetResolverRule\", \ \"route53resolver:AssociateResolverRule\", \ \"route53resolver:DisassociateResolverRule\", \ \"route53resolver:ListResolverRules\", \ \"route53resolver:ListResolverRuleAssociations\" ], \ \"Resource\" : [ \"arn:aws:route53resolver:us-east-1:111122223333:resolver-rule/rslvr-rr-42b60677c0example\" ] } ] }"Output:
{ "ReturnValue": true }
After you run
put-resolver-rule-policy
, you can run the following two Resource Access Manager (RAM) commands. You must use the account that you want to share the rule with:get-resource-share-invitations
returns the valueresourceShareInvitationArn
. You need this value to accept the invitation to use the shared rule.accept-resource-share-invitation
accepts the invitation to use the shared rule.For more information, see the following documentation:
get-resource-share-invitations
accept-resource-share-invitations Sharing Forwarding Rules with Other Amazon Accounts and Using Shared Rules in the Amazon Route 53 Developer Guide -
For API details, see PutResolverRulePolicy
in Amazon CLI Command Reference.
-
The following code example shows how to use tag-resource
.
- Amazon CLI
-
To associate tags with a Resolver resource
The following
tag-resource
example associates two tag key/value pairs with the specified Resolver rule.aws route53resolver tag-resource \ --resource-arn
"arn:aws:route53resolver:us-west-2:111122223333:resolver-rule/rslvr-rr-42b60677c0example"
\ --tags"Key=my-key-1,Value=my-value-1"
"Key=my-key-2,Value=my-value-2"
This command produces no output.
For information about using tags for cost allocation, see Using Cost Allocation Tags
in the Amazon Billing and Cost Management User Guide. -
For API details, see TagResource
in Amazon CLI Command Reference.
-
The following code example shows how to use untag-resource
.
- Amazon CLI
-
To remove tags from a Resolver resource
The following
untag-resource
example removes two tags from the specified Resolver rule.aws route53resolver untag-resource \ --resource-arn
"arn:aws:route53resolver:us-west-2:111122223333:resolver-rule/rslvr-rr-42b60677c0example"
\ --tag-keysmy-key-1
my-key-2
This command produces no output. To confirm that the tags were removed, you can use list-tags-for-resource
. For information about using tags for cost allocation, see Using Cost Allocation Tags
in the Amazon Billing and Cost Management User Guide. -
For API details, see UntagResource
in Amazon CLI Command Reference.
-
The following code example shows how to use update-firewall-config
.
- Amazon CLI
-
To update a firewall config
The following
update-firewall-config
example updates DNS Firewall configuration.aws route53resolver update-firewall-config \ --resource-id
vpc-31e92222
\ --firewall-fail-openDISABLED
Output:
{ "FirewallConfig": { "Id": "rslvr-fc-86016850cexample", "ResourceId": "vpc-31e92222", "OwnerId": "123456789012", "FirewallFailOpen": "DISABLED" } }
For more information, see DNS Firewall VPC configuration
in the Amazon Route 53 Developer Guide. -
For API details, see UpdateFirewallConfig
in Amazon CLI Command Reference.
-
The following code example shows how to use update-firewall-domains
.
- Amazon CLI
-
To update a domain list
The following
update-firewall-domains
example adds the domains to a domain list with the ID you provide.aws route53resolver update-firewall-domains \ --firewall-domain-list-id
rslvr-fdl-42b60677cexampleb
\ --operationADD
\ --domainstest1.com
test2.com
test3.com
Output:
{ "Id": "rslvr-fdl-42b60677cexample", "Name": "test", "Status": "UPDATING", "StatusMessage": "Updating the Firewall Domain List" }
For more information, see Managing your own domain lists
in the Amazon Route 53 Developer Guide. -
For API details, see UpdateFirewallDomains
in Amazon CLI Command Reference.
-
The following code example shows how to use update-firewall-rule-group-association
.
- Amazon CLI
-
To update a firewall rule group association
The following
update-firewall-rule-group-association
example updates a firewall rule group association.aws route53resolver update-firewall-rule-group-association \ --firewall-rule-group-association-id
rslvr-frgassoc-57e8873d7example
\ --priority103
Output:
{ "FirewallRuleGroupAssociation": { "Id": "rslvr-frgassoc-57e8873d7example", "Arn": "arn:aws:route53resolver:us-west-2:123456789012:firewall-rule-group-association/rslvr-frgassoc-57e8873d7example", "FirewallRuleGroupId": "rslvr-frg-47f93271fexample", "VpcId": "vpc-31e92222", "Name": "test-association", "Priority": 103, "MutationProtection": "DISABLED", "Status": "UPDATING", "StatusMessage": "Updating the Firewall Rule Group Association Attributes", "CreatorRequestId": "2ca1a304-32b3-4f5f-bc4c-EXAMPLE11111", "CreationTime": "2021-05-25T21:47:48.755768Z", "ModificationTime": "2021-05-25T21:50:09.272569Z" } }
For more information, see Managing associations between your VPC and Route 53 Resolver DNS Firewall rule group
in the Amazon Route 53 Developer Guide. -
For API details, see UpdateFirewallRuleGroupAssociation
in Amazon CLI Command Reference.
-
The following code example shows how to use update-firewall-rule
.
- Amazon CLI
-
To update a firewall rule
The following
update-firewall-rule
example updates a firewall rule with the parameters you specify.aws route53resolver update-firewall-rule \ --firewall-rule-group-id
rslvr-frg-47f93271fexample
\ --firewall-domain-list-idrslvr-fdl-9e956e9ffexample
\ --priority102
Output:
{ "FirewallRule": { "FirewallRuleGroupId": "rslvr-frg-47f93271fexample", "FirewallDomainListId": "rslvr-fdl-9e956e9ffexample", "Name": "allow-rule", "Priority": 102, "Action": "ALLOW", "CreatorRequestId": "d81e3fb7-020b-415e-939f-EXAMPLE11111", "CreationTime": "2021-05-25T21:44:00.346093Z", "ModificationTime": "2021-05-25T21:45:59.611600Z" } }
For more information, see Managing rule groups and rules in DNS Firewall
in the Amazon Route 53 Developer Guide. -
For API details, see UpdateFirewallRule
in Amazon CLI Command Reference.
-
The following code example shows how to use update-resolver-endpoint
.
- Amazon CLI
-
To update the name of a Resolver endpoint
The following
update-resolver-endpoint
example updates the name of a Resolver endpoint. Updating other values isn't supported.aws route53resolver update-resolver-endpoint \ --resolver-endpoint-id
rslvr-in-b5d45e32bdc445f09
\ --namemy-renamed-inbound-endpoint
Output:
{ "ResolverEndpoint": { "Id": "rslvr-in-b5d45e32bdexample", "CreatorRequestId": "2020-01-02-18:48", "Arn": "arn:aws:route53resolver:us-west-2:111122223333:resolver-endpoint/rslvr-in-b5d45e32bdexample", "Name": "my-renamed-inbound-endpoint", "SecurityGroupIds": [ "sg-f62bexam" ], "Direction": "INBOUND", "IpAddressCount": 2, "HostVPCId": "vpc-304bexam", "Status": "OPERATIONAL", "StatusMessage": "This Resolver Endpoint is operational.", "CreationTime": "2020-01-01T18:33:59.265Z", "ModificationTime": "2020-01-08T18:33:59.265Z" } }
-
For API details, see UpdateResolverEndpoint
in Amazon CLI Command Reference.
-
The following code example shows how to use update-resolver-rule
.
- Amazon CLI
-
Example 1: To update settings Resolver endpoint
The following
update-resolver-rule
example updates the name of the rule, the IP addresses on your on-premises network that DNS queries are forwarded to, and the ID of the outbound Resolver endpoint that you're using to forward queries to your network.Note Existing values for
TargetIps
are overwritten, so you must specify all the IP addresses that you want the rule to have after the update.aws route53resolver update-resolver-rule \ --resolver-rule-id
rslvr-rr-1247fa64f3example
\ --config Name="my-2nd-rule",TargetIps=[{Ip=192.0.2.45,Port=53},{Ip=192.0.2.46,Port=53}],ResolverEndpointId=rslvr-out-7b89ed0d25exampleOutput:
{ "ResolverRule": { "Id": "rslvr-rr-1247fa64f3example", "CreatorRequestId": "2020-01-02-18:47", "Arn": "arn:aws:route53resolver:us-west-2:111122223333:resolver-rule/rslvr-rr-1247fa64f3example", "DomainName": "www.example.com.", "Status": "COMPLETE", "StatusMessage": "[Trace id: 1-5dcc90b9-8a8ee860aba1ebd89example] Successfully updated Resolver Rule.", "RuleType": "FORWARD", "Name": "my-2nd-rule", "TargetIps": [ { "Ip": "192.0.2.45", "Port": 53 }, { "Ip": "192.0.2.46", "Port": 53 } ], "ResolverEndpointId": "rslvr-out-7b89ed0d25example", "OwnerId": "111122223333", "ShareStatus": "NOT_SHARED" } }
Example 2: To update settings Resolver endpoint using a file for ``config`` settings
You can alternatively include the
config
settings in a JSON file and then specify that file when you callupdate-resolver-rule
.aws route53resolver update-resolver-rule \ --resolver-rule-id
rslvr-rr-1247fa64f3example
\ --config file://c:\temp\update-resolver-rule.jsonContents of
update-resolver-rule.json
.{ "Name": "my-2nd-rule", "TargetIps": [ { "Ip": "192.0.2.45", "Port": 53 }, { "Ip": "192.0.2.46", "Port": 53 } ], "ResolverEndpointId": "rslvr-out-7b89ed0d25example" }
For more information, see Values That You Specify When You Create or Edit Rules
in the Amazon Route 53 Developer Guide. -
For API details, see UpdateResolverRule
in Amazon CLI Command Reference.
-