Skip to main content

How to configure DNS for public services

Introduction

In order for users to access public facing services with a URL (Uniform Resource Locator), DNS (Domain Name System) records must be created, and associated with a valid certificate.

This will enable users to securely access services over HTTPS (Hypertext Transfer Protocol Secure).

There are two main ways to use certificates for DNS on the Modernisation Platform; ACM (Amazon Certificate Manager) public certificates, and Gandi.net certificates imported into ACM.

Unless there is a good reason, ACM public certificates should be used as they are automatically managed and renewed. Gandi.net certificates cost more and require manual renewal.

DNS with ACM certificate

DNS with ACM

Non production environments

Non production environments should use the Modernisation Platform domain naming standards.

The following resources need to be created in different AWS accounts (see diagram above), the table details the resources and the AWS provider required for them.

Resource Terraform Resource Terraform Provider Description
ACM Public Certificate aws_acm_certificate default ACM Public certificate created in the application account. The domain name should equal the main modernisation-platform domain, “modernisation-platform.service.justice.gov.uk”, the SAN (subject alternative name) should equal the DNS record name entry, eg “my-application.hmpps-test.modernisation-platform.service.justice.gov.uk”
Route53 DNS record for certificate validation aws_route53_record aws.core-network-services Created in the modernisation-platform hosted zone, this record validates the public certificate.
Route53 DNS record for directing traffic to the service aws_route53_record aws.core-vpc Created in the hosted zone for the environment and business unit, eg “my-application.hmpps-test.modernisation-platform.service.justice.gov.uk”.

Production environments

Production environments should use a service.justice.gov.uk domain as per MoJ naming domains guidance.

The Modernisation Platform will need to request the delegation of the application domain (eg my-application.service.justice.gov.uk) from the Operations Engineering team via an email to the domains mailbox with the details of the records to be added to the service.justice.gov.uk domain and to discuss if the subdomain name meets the MoJ naming domains standard. Please contact the Modernisation Platform team in the #ask-modernisation-platform Slack channel to do this.

The Modernisation Platform team will then create a hosted zone for your domain. Once this has been completed the following resources need to be created in different AWS accounts (see diagram above), the table details the resources and the AWS provider required for them.

Resource Terraform Resource Terraform Provider Description
ACM Public Certificate aws_acm_certificate default ACM Public certificate created in the application account. The domain name should equal the application domain, “my-application.service.justice.gov.uk”
Route53 DNS record for certificate validation aws_route53_record aws.core-network-services Created in the application hosted zone, this record validates the public certificate.
Route53 DNS record for directing traffic to the service aws_route53_record aws.core-network-services Created in the application hosted zone, eg “my-application.service.justice.gov.uk”.

DNS with Gandi.net certificate

DNS with Gandi

Gandi.net certificates should only be used if it is not possible to use ACM, for example some applications require the certificate to be installed on the server if HTTPS terminates on the server rather than the load balancer.

Non production environments

Non production environments should use ACM public certificate as detailed above unless necessary.

Production environments

The Modernisation Platform will need to request the delegation of the application domain (eg my-application.service.justice.gov.uk) from the Operations Engineering team, along with a new Gandi.net certificate. Please contact the Modernisation Platform team in the #ask-modernisation-platform Slack channel to do this; to send an email to the domains mailbox with the details of the records to be added to the service.justice.gov.uk domain and to discuss if the subdomain name meets the MoJ naming domains standard.

The Modernisation Platform team will then create a hosted zone for your domain and a validation record for the Gandi.net certificate. Once this has been completed the following resources need to be created in different AWS accounts (see diagram above), the table details the resources and the AWS provider required for them.

Resource Terraform Resource Terraform Provider Description
Gandi.net certificate in ACM N/A N/A The new certificate should be imported into ACM in the application production account.
Data look up for the certificate in ACM aws_acm_certificate (data) default Data source to enable to imported certificate to be used by AWS services such as an elastic load balancer.
Route53 DNS record for directing traffic to the service aws_route53_record aws.core-network-services Created in the application hosted zone, eg “my-application.service.justice.gov.uk”.

The certificate should also be installed in the application as needed.

This page was last reviewed on 6 December 2024. It needs to be reviewed again on 6 June 2025 by the page owner #modernisation-platform .
This page was set to be reviewed before 6 June 2025 by the page owner #modernisation-platform. This might mean the content is out of date.