Using Route53 Instead of Cloudflare
Learn how to setup portr with AWS Route53 for DNS management
If you prefer to use AWS Route53 instead of Cloudflare for DNS management, you can configure Portr to work with Route53 for SSL certificate provisioning.
The Caddy base image used by Portr is built with both Cloudflare and Route53 plugins.
Setup Process
Create an IAM Policy
Create an IAM policy using the template provided in libdns/route53.
Make sure you replace the hosted zone in the template with your actual hosted zone ID:
- arn:aws:route53:::hostedzone/ZABCD1EFGHIL
+ arn:aws:route53:::hostedzone/<your-hosted-zone-id>
Here's the complete IAM policy template:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"route53:GetChange"
],
"Resource": [
"arn:aws:route53:::change/*"
]
},
{
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets"
],
"Resource": [
"arn:aws:route53:::hostedzone/<your-hosted-zone-id>"
]
}
]
}
Create an IAM User
- Create a new IAM user in the AWS console
- Attach the policy created in step 1 to this user
- Note down the username for reference
Generate Access Keys
- Go to the user → Security credentials
- Click Create access key
- Choose Command Line Interface (CLI) as the use case
- Download or copy the access key ID and secret access key
Update Environment Variables
Add the Route53 credentials to your .env
file:
- CLOUDFLARE_API_TOKEN=
+ ROUTE53_ACCESS_KEY=<access-key-id>
+ ROUTE53_SECRET_ACCESS_KEY=<secret-access-key>
Update Docker Compose Configuration
Modify the Caddy labels in the tunnel service to use Route53 instead of Cloudflare:
labels:
caddy_1: "*.$PORTR_DOMAIN"
caddy_1.reverse_proxy: "{{upstreams http 8001}}"
- caddy_1.tls.dns: "cloudflare $CLOUDFLARE_API_TOKEN"
+ caddy_1.tls.dns: "route53"
+ caddy_1.tls.dns.access_key_id: "$ROUTE53_ACCESS_KEY"
+ caddy_1.tls.dns.secret_access_key: "$ROUTE53_SECRET_ACCESS_KEY"
caddy_1.encode: gzip
Start the Services
Start your Portr services:
docker compose up -d
Navigate to your domain to verify the tunnel is working correctly.
DNS Configuration
Make sure your Route53 hosted zone has the required DNS records:
Type | Name | Value |
---|---|---|
A | @ | your-server-ipv4 |
A | * | your-server-ipv4 |
Security Considerations
- Minimal permissions: The IAM policy grants only the necessary permissions for DNS management
- Dedicated user: Use a dedicated IAM user for Portr, not your root AWS account
- Key rotation: Regularly rotate your access keys for enhanced security
- Environment variables: Never commit AWS credentials to version control
Troubleshooting
Certificate Issues
If SSL certificates aren't being issued:
- Verify permissions: Ensure the IAM user has the correct permissions
- Check hosted zone: Confirm the hosted zone ID is correct
- DNS propagation: Wait for DNS changes to propagate (can take up to 48 hours)
- Review logs: Check Caddy logs for detailed error messages
Testing Your Setup
Verify your Route53 configuration:
# Check if DNS records are accessible
dig your-domain.com
# Test wildcard subdomain resolution
dig test.your-domain.com
# Verify SSL certificate
openssl s_client -connect your-domain.com:443 -servername your-domain.com
Cost Considerations
AWS Route 53 uses a tiered pricing structure as of 2025:
Hosted Zone Pricing
- First 25 hosted zones: $0.50 per hosted zone per month
- Additional hosted zones: $0.10 per hosted zone per month (zones 26+)
- Record sets: No additional charge for the first 10,000 record sets per hosted zone
- Additional record sets: $0.50 per 10,000 record sets per month
- Deletion policy: No charge for deleting hosted zones, but billing continues until end of billing period
DNS Query Pricing
Query Type | Volume | Price per Million Queries |
---|---|---|
Standard queries | First 1 billion/month | $0.40 |
Standard queries | Over 1 billion/month | $0.20 |
Latency-based routing | First 1 billion/month | $0.60 |
Latency-based routing | Over 1 billion/month | $0.30 |
Geo DNS queries | First 1 billion/month | $0.70 |
Geo DNS queries | Over 1 billion/month | $0.35 |
Alias queries | All volumes | Free |
Private hosted zone queries | All volumes | Free |
Additional Services
- Health checks: $0.50 per health check per month
- Application Recovery Controller: Additional costs apply
- DNS Firewall: Additional costs for rules and query volume
- Resolver: Additional costs for inbound/outbound endpoints
For most Portr deployments, the DNS costs will be minimal, typically under $1-2 per month for standard usage.
Last updated: July 2025
For the most current pricing information, visit the official AWS Route 53 pricing page.