September 11, 2019

Setting up Incapsula on a Sub-Domain in Route 53

We had an instance where we wanted to host an application behind Incapsula that was on a sub-domain (i.e., portal.domain.com).

The DNS hosting was done completely in Amazon Route53. The procedure to get it set up was a bit tricky, since Incapsula only provides you a CNAME record if you are just hosting a sub-domain. Since a hosted sub-domain record set cannot contain a CNAME at its own root (portal.domain.com), there is a bit of a DNS shuffle that needs to occur to get this to work.

1.) First you need to set up your sub-domain as a separate record set in Route53. This will allow you to create a TXT record for this sub-domain. This TXT record is going to be required to pass the “domain authentication” challenge when setting up a new SSL cert for your domain in Incapsula.

2.) So create the new record set with the domain name (i.e., portal.domain.com). After you do that, Route53 will automatically create nameserver records in this record set (e.g., ns-1088.awsdns-08.org, ns-491.awsdns-61.com, etc.).

You are going to need to copy these over and put them as nameserver records in your root domain, FOR this new sub-domain.

So in the root domain (domain.com), you’ll create a new nameserver record for “portal.domain.com” and add the nameserver records to it (e.g., ns-1088.awsdns-08.org, ns-491.awsdns-61.com).

3.) Go back to your sub-domain record set (portal.domain.com) and add an A record going to the IP address of your webserver. We do this so we can test to make sure your sub-domain record DNS lookups are working properly.

From a local workstation, ping your sub-domain (portal.domain.com) and your ping should go to the IP address you configured above.

If it is working, we are all set for the next step of Incapsula setup.

4.) Add your sub-domain to your Incapsula account and configure it. When you get to the SSL configuration, it will provide you a TXT record you need to add to your sub-domain record set in Route53. Add it and continue.

5.) When everything is configured and your SSL is confirmed, Incapsula will provide you with a new CNAME that will route traffic to your webserver. This is where the tricky part comes in.

Go into your root domain (domain.com) and DELETE the nameserver records for your sub-domain. This will effectively cut off the sub-domain record set you created earlier. Now, still in the root domain (domain.com), simply create a CNAME record for the sub-domain (portal.domain.com) and point it to your Incapsula CNAME.

We recommend keeping the sub-domain record set in case you need to set up a new SSL or something again. (You would need to remove the CNAME to Incapsula and re-add the sub-domain NS records. After the verification is over, you’ll repeat step 5.)
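The root-zone changes in steps 2 and 5 can also be applied with `aws route53 change-resource-record-sets` instead of the console. The following is an added example, not part of the original post: it builds the change batches for the delegation, the cutover to the CNAME, and the reverse swap for re-verification. The function names, the 300-second TTL and the CNAME target are assumptions; the CNAME target is a placeholder for the value Incapsula gives you.

```python
import json

def _fqdn(host):
    return host.rstrip(".") + "."

def _rrset(name, rtype, values, ttl):
    # Shape of a ResourceRecordSet in a Route 53 change batch.
    return {"Name": _fqdn(name), "Type": rtype, "TTL": ttl,
            "ResourceRecords": [{"Value": _fqdn(v)} for v in values]}

def delegate_batch(sub, nameservers, ttl=300):
    """Step 2: NS records for the sub-domain, applied to the ROOT zone."""
    return {"Comment": f"delegate {sub} to its own hosted zone",
            "Changes": [{"Action": "CREATE",
                         "ResourceRecordSet": _rrset(sub, "NS", nameservers, ttl)}]}

def cutover_batch(sub, nameservers, waf_cname, ttl=300, rollback=False):
    """Step 5: swap the delegation for the CNAME, applied to the ROOT zone.

    A CNAME cannot share a name with NS records, so the DELETE and CREATE go
    in one batch; Route 53 applies a batch all-or-nothing. rollback=True
    builds the reverse swap for a later re-verification.
    """
    ns = _rrset(sub, "NS", nameservers, ttl)
    cname = _rrset(sub, "CNAME", [waf_cname], ttl)
    old, new = (cname, ns) if rollback else (ns, cname)
    # DELETE must match the live record set exactly (values and TTL).
    return {"Comment": f"{'restore delegation for' if rollback else 'cut over'} {sub}",
            "Changes": [{"Action": "DELETE", "ResourceRecordSet": old},
                        {"Action": "CREATE", "ResourceRecordSet": new}]}

# Name servers as shown in the post; the CNAME target is a placeholder.
SUB = "portal.domain.com"
NAMESERVERS = ["ns-1088.awsdns-08.org", "ns-491.awsdns-61.com"]
WAF_CNAME = "placeholder-cname.example.net"

if __name__ == "__main__":
    # Save as JSON and pass with --change-batch file://... to the aws CLI.
    print(json.dumps(cutover_batch(SUB, NAMESERVERS, WAF_CNAME), indent=2))
```

Each batch is applied against the hosted zone of the root domain (domain.com), not the sub-domain's own zone.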

Hope this helps!