user1172579

Reputation: 575

How to perform health check on local/private IPs (on Prem) in Amazon Route 53?

We have a VPN connected from an AWS VPC to an on-prem server farm. We would like to create health checks for the servers from Amazon Route 53 to the endpoint (on-prem IP via VPN) to enable DNS failover.

Upvotes: 2

Views: 8364

Answers (2)

helloV

Reputation: 52393

Since your endpoints are on-prem and most likely have private IP addresses, they are not reachable by AWS health checkers from AWS data centers around the world.

So HTTP/HTTPS based health checks are not possible:

  • HTTP and HTTPS health checks - Amazon Route 53 must be able to establish a TCP connection with the endpoint within four seconds

But it is possible to have CloudWatch alarm-based health checks:

  • Health checks based on the state of CloudWatch alarms – If the state of a CloudWatch alarm is OK, the health check is considered healthy. If the state is Alarm, the health check is considered unhealthy. If CloudWatch doesn't have sufficient data to determine whether the state is OK or Alarm, the health check status depends on the setting for Health check status: healthy, unhealthy, or last known status.

Send a custom metric to CloudWatch from your endpoints. It could be a simple value (like sending 1 periodically) to a custom metric with dimension as Count. Set the alarm to OK state if there is data; insufficient data is considered ALARM state. Then configure a health check based on CloudWatch alarm state.

See: Publish Custom Metrics.


Upvotes: 6
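The heartbeat approach from the answer above, sketched with boto3 as an added example (not code from the original answer). The namespace, metric name, `Server` dimension, alarm naming scheme, region and one-minute period are assumptions; missing data is treated as breaching so that a dead server or a dropped VPN/uplink fails the health check instead of leaving it in its last state.

```python
"""Heartbeat metric -> CloudWatch alarm -> Route 53 health check (added example)."""
import uuid

# Assumed names for illustration; none come from the original answer.
NAMESPACE, METRIC, REGION = "OnPrem/Heartbeat", "Alive", "us-east-1"

def _dims(server_id):
    return [{"Name": "Server", "Value": server_id}]

def heartbeat_request(server_id):
    """Arguments for put_metric_data; each on-prem server sends this once a minute."""
    return {"Namespace": NAMESPACE, "MetricData": [{
        "MetricName": METRIC, "Dimensions": _dims(server_id),
        "Value": 1.0, "Unit": "Count"}]}

def alarm_request(server_id, missed_minutes=3):
    """Arguments for put_metric_alarm: OK while heartbeats arrive, ALARM once they stop."""
    return {
        "AlarmName": f"heartbeat-{server_id}",
        "Namespace": NAMESPACE, "MetricName": METRIC,
        "Dimensions": _dims(server_id),
        "Statistic": "Sum", "Period": 60,
        "EvaluationPeriods": missed_minutes,
        "Threshold": 1.0, "ComparisonOperator": "LessThanThreshold",
        "TreatMissingData": "breaching",  # silent server => ALARM, not INSUFFICIENT_DATA
    }

def health_check_request(server_id):
    """Arguments for create_health_check, bound to the alarm defined above."""
    return {
        "CallerReference": str(uuid.uuid4()),  # must be unique per request
        "HealthCheckConfig": {
            "Type": "CLOUDWATCH_METRIC",
            "AlarmIdentifier": {"Region": REGION, "Name": f"heartbeat-{server_id}"},
            "InsufficientDataHealthStatus": "Unhealthy",  # fail closed on unknown state
        }}

def send_heartbeat(server_id):
    """Run on the on-prem server (cron/systemd timer); needs outbound HTTPS to CloudWatch."""
    import boto3  # imported lazily so the request builders work without AWS access
    boto3.client("cloudwatch", region_name=REGION).put_metric_data(**heartbeat_request(server_id))

def provision(server_id):
    """Run once per server from an admin host; returns the new health check ID."""
    import boto3
    boto3.client("cloudwatch", region_name=REGION).put_metric_alarm(**alarm_request(server_id))
    resp = boto3.client("route53").create_health_check(**health_check_request(server_id))
    return resp["HealthCheck"]["Id"]
```

The on-prem credentials used by `send_heartbeat` only need `cloudwatch:PutMetricData`; the returned health check ID is what a failover record set references.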

John Rotenstein

Reputation: 269330

Amazon Route 53 cannot perform Health Checks via a VPN connection.

From How Amazon Route 53 Determines Whether an Endpoint Is Healthy:

Amazon Route 53 propagates the health check configuration to the servers that perform health checks in AWS data centers around the world. A health-checking application (a health checker) in each data center sends a request to the endpoint that you specify at the request interval that you specify: every 10 seconds or every 30 seconds.

The Health Checkers are located on the public Internet and would not have access to your VPN connection.

Upvotes: 3
