Introduction
Route 53 health checks run from multiple AWS checker locations and can trigger DNS failover even when your application still serves normal traffic. False positives usually happen when the probe is stricter than the real client path: the health check hits the wrong hostname, a WAF blocks checker IPs, or a response-string match breaks after a harmless page change.
Symptoms
- Route 53 marks an endpoint unhealthy while browser and API traffic still succeeds
- Failover records switch traffic to a secondary region unexpectedly
- Some checker regions report failure while others report success
- CloudWatch alarms fire even though the origin's own monitoring looks normal
Common Causes
- The health check uses an aggressive failure threshold or interval
- HTTPS checks target a multi-certificate endpoint without SNI enabled
- WAF, firewall, or rate limiting blocks Route 53 checker source IPs
- A response string match depends on HTML or JSON that changed for non-failure reasons
Step-by-Step Fix
1. Inspect the health check configuration and status by checker location

The first goal is to see whether all checkers fail or only a subset. Partial regional failure usually points to network controls rather than an origin outage.

```bash
aws route53 get-health-check \
  --health-check-id hc-abc123 \
  --query "HealthCheck.HealthCheckConfig"

aws route53 get-health-check-status \
  --health-check-id hc-abc123 \
  --query "HealthCheckObservations[*].[IPAddress,Region,StatusReport.Status]"
```

2. Re-test the exact hostname, path, and TLS behavior manually

Verify the same URL and host header the Route 53 probe uses, especially for HTTPS endpoints behind ALB, CloudFront, or shared reverse proxies.

```bash
curl -Iv https://example.com/health
curl -sS --resolve example.com:443:203.0.113.10 https://example.com/health
```

3. Enable SNI and simplify the probe to a dedicated health path

If the endpoint serves multiple certificates or dynamic content, give Route 53 a stable path and make sure the TLS handshake uses the expected host name.

```bash
aws route53 update-health-check \
  --health-check-id hc-abc123 \
  --enable-sni \
  --failure-threshold 3
```

4. Whitelist Route 53 checker IPs and remove brittle response matching

A dedicated /health endpoint with a minimal 200 response is more reliable than checking a home page protected by WAF, redirects, or application middleware.

```bash
curl -s https://ip-ranges.amazonaws.com/ip-ranges.json
```

Prevention
- Use a small dedicated health endpoint instead of the full application landing page
- Keep the failure threshold at a production-safe value rather than 1
- Enable SNI on every HTTPS Route 53 health check that targets a named virtual host
- Review WAF and firewall policy whenever new Route 53 health checks are introduced
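As an added example that is not part of this article, the following Python script applies the checks from steps 1 and 4 above: it classifies a get-health-check-status result as a total or partial (regional) failure, and matches source IPs that a WAF log reports as blocked against the ROUTE53_HEALTHCHECKS prefixes in ip-ranges.json. The two JSON documents and the blocked-IP list are constructed samples using RFC 5737 documentation ranges, and the function names are my own.

```python
import ipaddress
import json

# Constructed excerpt shaped like https://ip-ranges.amazonaws.com/ip-ranges.json.
# Prefixes are RFC 5737 documentation ranges, not real AWS checker ranges.
IP_RANGES_JSON = """{"prefixes": [
  {"ip_prefix": "203.0.113.0/25", "region": "us-east-1", "service": "ROUTE53_HEALTHCHECKS"},
  {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "ROUTE53_HEALTHCHECKS"},
  {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON"}
]}"""

# Constructed sample shaped like raw `aws route53 get-health-check-status` output.
STATUS_JSON = """{"HealthCheckObservations": [
  {"Region": "us-east-1", "IPAddress": "203.0.113.10",
   "StatusReport": {"Status": "Success: HTTP Status Code 200, OK"}},
  {"Region": "us-east-1", "IPAddress": "203.0.113.11",
   "StatusReport": {"Status": "Success: HTTP Status Code 200, OK"}},
  {"Region": "eu-west-1", "IPAddress": "198.51.100.7",
   "StatusReport": {"Status": "Failure: Connection timed out"}}
]}"""

# Constructed list of source IPs that a WAF or firewall log reports as blocked.
BLOCKED_SOURCE_IPS = ["198.51.100.7", "192.0.2.5", "198.51.100.99"]


def checker_networks(ip_ranges_json):
    """Networks tagged ROUTE53_HEALTHCHECKS in an ip-ranges.json document."""
    prefixes = json.loads(ip_ranges_json)["prefixes"]
    return [ipaddress.ip_network(p["ip_prefix"])
            for p in prefixes if p["service"] == "ROUTE53_HEALTHCHECKS"]


def blocked_checkers(blocked_ips, networks):
    """Blocked source IPs that fall inside a Route 53 checker range."""
    return [ip for ip in blocked_ips
            if any(ipaddress.ip_address(ip) in net for net in networks)]


def classify_observations(status_json):
    """Return ('healthy' | 'partial' | 'total', sorted failing regions).

    Partial failure (some checker regions fail while others succeed) points at
    network controls such as WAF rules; total failure points at the origin.
    """
    obs = json.loads(status_json)["HealthCheckObservations"]
    regions = {o["Region"] for o in obs}
    failing = {o["Region"] for o in obs
               if not o["StatusReport"]["Status"].startswith("Success")}
    if not failing:
        return "healthy", []
    return ("total" if failing == regions else "partial"), sorted(failing)
```

Feed the script the real ip-ranges.json and your own get-health-check-status output; a "partial" verdict whose failing regions line up with blocked checker IPs is the WAF or firewall case from step 4.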