AWS Cloudfront 403 Error When Using Netlify DNS as NS for Domain on Route53


Recently I purchased a new domain on Route53 and wanted to serve the website for that domain on Netlfy. In order to connect Netlify with my domain, I used the host name custom DNS entries as my NS record on AWS Route53 (I did it this way since I have my A and AAAA records for my Cloudfront distribution). The issue which occurs is that often and randomly, I see an AWS issue on the page presenting a 403 when trying to load the webpage. Sometimes the site works perfectly with no issues, and other times this issue occurs. Additionally, sometimes I see a 404 ‘Page not found’ error by Netlify in API requests responses which are supposed to hit my AWS endpoints. I have successfully done this before but with subdomains which did not present any of these issues for me (also given that I configured the DNS differently) I am unsure if I am doing anything wrong, is this a Netlify configuration issue or AWS? There isn’t much online to help me out with this so any help would be much appreciated!

Could you share the domain?

Now I am receiving 502/403 errors. I have the NS for netlify on AWS route53 domain but this is happening. Now there is no traffic to the site at all.

Hey @Mwpereira

NS is (supposedly) pointing to Netlify

$ dig NS		4261	IN	NS		4261	IN	NS		4261	IN	NS		4261	IN	NS

however whois says otherwise

$ whois | grep 'Name Server'
Name Server:
Name Server:
Name Server:
Name Server:

and SOA agrees

$ dig SOA		933	IN	SOA 1 7200 900 1209600 86400

A records are not showing Netlify IPs either

$ dig A		77	IN	A		77	IN	A		77	IN	A		77	IN	A

compared to what Netlify provides

$ dig A		20	IN	A		20	IN	A

Have you followed in advice in [Support Guide] I changed my name servers / DNS on AWS Route53 but I’m still having issues?


Thank you for responding. I have looked over those instructions but unfortunately have had no luck. I see I have a set SOA record in Route53 which is related to the SOA snapshot you posted. Should I delete that record? Just to clarify, right now I have NS record pointed to Netlify’s DNS and I have A & AAAA records pointing to my cloudfront URL. I also have additional CNAMEs which point to other required resources.


Where are these records? Are you using Route53 to manage your DNS, or are you wanting to do it in Netlify?

If you are wanting to use Route53 to manage DNS, then you configure the custom domain as per the external DNS documentation

If you are using Netlify DNS, this is when you change nameservers to Netlify and configure all records pointing to non-Netlify resources as required (Netlify handles the configuration of records when you assign a domain to a site with special NETLIFY and NETLIFYv6 records.)

Sorry for explaining this poorly, but ultimately I am looking to just connect Netlify with my Route53 domain so I can have the client/website deployed on Netlify, and route traffic back to my Cloudfront resources (which is one I have the A & AAAA records pointing towards my Cloudfront). These records I’m modifying/setting at the moment are on Route53.

Recently tried adding a CNAME record for www following for apex -

I see

$ dig CNAME		377	IN	CNAME

however, this is not what the documentation instructs.

For the www (or other) subdomain, you add a CNAME record pointing to your Netlify site URL e.g. is used (as per the documentation) when adding an ALIAS, ANAME or flattened CNAME for the apex domain i.e.

So if using external DNS you would have

$ dig A		20	IN	A


$ dig CNAME		377	IN	CNAME	<your-site-name>

You would not have NS records for pointing to Netlify, nor would you add it to the domains ( as this is when you are using Netlify DNS to manage all DNS for your domain.

1 Like

Thank you for your continuous help. That A record IP -, is that to point towards Netlify? I require A and AAAA records to point towards Cloudfront.

I just tried your suggestion and now the site loads which is great, but I don’t believe I can make my API requests through Cloudfront since the A record is for Netlify and not Cloudfront.


The what content is served by Netlify? If the A record for is pointed to Cloudfront, content is not served by Netlify.

Is your API running on the apex domain? Perhaps put the API on a separate subdomain e.g.

1 Like

Currently, my apis run through Is it recommended to do this method instead of what I currently do?

It would be ideal for me to run everything through the root-level domain, but I can always split the apis to go through the subdomain.

If you want and served by Netlify, you will need to have both configured as previously outlined.

You could still do this (potentially) using a proxy to Cloudfront. You would need a URL (either a Cloudfront or custom) to use as and endpoint. E.G.

/*    200

Much is up to personal preference, and the system(s) used to run everything. If you where hosting everything on Cloudfront, that would work. But if you want to host the frontend on Netlify, and the backend on Cloudfront, it won’t (or at least not as easily.)

Thank you so much for all of your support.

One last question, would you think revealing the Cloufront domain name is safe? Say if I were to use redirects for API calls, I would redirect it to the Cloudfront domain.

If you are using a proxy as per the documentation, then the Cloudfront URL is not (AFAIK) exposed.

Wouldn’t it appear in the request/response? I could be wrong, just taking a guess here.

Have a look here: The route /api points to a Cloudflare Worker (it only returns Hello World.)

Awesome, thanks for all of the help!