Using Route53 and CloudFlare for specific websites

Hi there,

I want to set up only a specific website to be protected by Cloud Flare in its DNS, while I leave/keep the rest of my websites on Route 53 (Both websites are under a single root domain). I’m currently using Route 53, but I only want to migrate one subdomain (production website) in my root domain to Cloud Flare, so I can use its firewall capabilities. How do I go about doing this?

You’ll find more information here. Note that this requires a Business or Enterprise plan. The Free plan requires you to use Cloudflare name servers for the entire domain.


Hi Svanlund,

I followed this article here. I tried doing it and it works I think. But the problem here is that my root domain still needs to be confirmed and its name servers to be changed. I have only created a record in my cloudflare dns for this specific subdomain, and create a record in route 53 for this specific subdomain to point to cloudflare’s name servers. This way you don’t have to change the Name server for the root domain. But then, I won’t be able to access the features in cloudflare since the root domain’s name server needs to be updated. Is there any way I can bypass this confirmation just for the subdomain I created?

Nope. Eventually, Cloudflare will catch on that you’re not using the proper name servers and drop that zone from your account.

Is there any way I can get a free trial on the Business Plan so I can make use of this?

Are you planning on spending $200/month just for this?

Is there any alternative? We just want to use our production site on cloudflare.

The alternative would be to use Cloudflare DNS for the entire domain and copy all your Route 53 DNS records over here. Then only :orange: Proxy that one subdomain.

We have our root domain But we only want to use our production site for cloudflare.

I see, so all records in our route 53 needs to be in the CloudFlare DNS, but only proxy (orange cloud) our live

So I can’t just only copy the subdomain to CloudFlare, it has to be the whole DNS Route 53 records?

Will there be any downtime to the other records that are not proxied when I export it to CloudFlare? E.g. when I change the nameservers on Route 53 to point to CloudFlare.

If all DNS records are perfectly matched, there will be no downtime. It’ll be a gradual transition from one identical set of DNS records to the other identical set. It’d be best to make sure they’re all set to :grey: DNS Only as you verify that the transition worked.

How long does it usually take for the migration from route 53 to CloudFlare to take effect? And what happens if my website is still down and I have to revert the NameServer to route53 in case it happens?

Name server changes can take up to 48 hours to fully propagate.

What if my websites are still down after the name server change, so I need to revert the Name servers on route 53 to the original one. Then this will take 48 hours again to propagate to make my website available again. Will this be the case?

Are your websites down now?

Changing nameservers should be completely hitless provided you don’t make a mistake. But changing nameservers again and again will always cause more problems than it solves.

  1. If you currently have DNSSEC enabled, remove the DS records at your registrar, and wait 24 hours.
  2. Export your current DNS records from Route53 to a BIND formatted text file.
  3. Add your domain to Cloudflare, and import the records from the BIND file
  4. Make sure all DNS records are :grey:
  5. Manually verify that all the records have been created and are correct.
  6. Repeat step 5, properly this time.
  7. Change nameservers with your registrar.

At this point the name server change will be propagating, but both Route53 and Cloudflare are serving the exact same data, so nobody will notice that anything has changed.

Make sure your MX records do not point to a hostname that is also used as a webserver. Similarly, make sure you don’t use the webserver DNS entries for things like FTP. If they do, the next step will cause them to break.

Verify that your Origin webserver has a valid certificate for your webserver, and that the SSL mode is set to “Full (Strict)”. This will ensure you don’t end up with a mismatch when you start enabling the Cloudflare proxy.

Once you have confirmed that the name server change has completed, you can start to change your website DNS entries to :orange: and start using Cloudflare features.


Hi Michael,

Thanks for the detailed explanation, I understand now. So only records with the orange cloud in Flare’s DNS record will only use Cloudflare features. Just a follow up question, does this mean that every new record I create in route 53 after this name server change must also be propagated in CloudFlare’s DNS even if the orange cloud is toggled or not? Or will it still work even if the dns record is not added in cloudflare’s DNS.

Once you change nameservers Route53 does not have anything to do with your DNS, only the records in Cloudflare will matter.


Thanks, Michael and team, for your responses :grinning: