Private Hosted Zone DNS

Open the Amazon VPC console.
Create an inbound endpoint.
Select
Services
Route 53
Resolver
Inbound Endpoints
.
Click
Create inbound endpoint
.
Enter a descriptive
Name
.
Select the VPC for the endpoint.
Attach a security group for this endpoint.
Set the
Endpoint Type
to IPv4.

Select the availability zone.
Select the subnet you created above.
If you have more than one availability zone, you must specify the availability zone and subnet for each.

Click
Create inbound endpoint
.
Note the IP address associated with each subnet attached to your inbound endpoint. Use these IP addresses when configuring your
DHCP option sets
in the following steps.
Select
VPC
DHCP option sets
.
You can create a new DHCP option set and add the IP address for each availability zone. If you have more than one availability zone, enter each IP address as a comma-separated list.

Select
VPC
and choose the VPC to secure.
From the
Actions
drop-down, select
Edit VPC settings
.
Under
DHCP settings
, choose the DHCP option set with you created above from the
DHCP option set
drop-down.

Click
Save changes
.
Edit your subnet route table.
Select
VPC
Route Tables
.
Select the route table for the subnet you want to secure.
Add a route and set the destination to the IP address of your DNS server and set the target to the Cloud NGFW endpoint.

Click
Save changes
.
Any DNS traffic from the protected subnet is routed through the Cloud NGFW endpoint and on to the Cloud NGFW for inspection and enforcement.