DNS Setup Guide: Cloudflare → AWS

Complete guide for linking reelog.app (Cloudflare) to AWS services.

📚 Understanding DNS Basics

DNS (Domain Name System) translates human-readable domain names to IP addresses.

User types: api.reelog.app
    ↓
Cloudflare DNS looks up: Where does api.reelog.app point?
    ↓
Returns: AWS IP address or CNAME
    ↓
User's browser connects to AWS server

🎯 What You'll Need to Configure

Based on your setup, you'll need DNS records for:

  1. Main Website (reelog.app or www.reelog.app)
  2. API Endpoint (api.reelog.app)
  3. Admin Panel (admin.reelog.app)
  4. AWS Cognito (if using custom domain)
  5. S3 Buckets (for images/media)
  6. Email (hello@reelog.app, etc.)

📋 Step 1: Access Cloudflare DNS

  1. Log into Cloudflare: https://dash.cloudflare.com
  2. Click on your domain: reelog.app
  3. Go to DNS in the left sidebar
  4. You'll see the DNS records table

🔧 Step 2: DNS Record Types Explained

A Record

  • Points domain to an IP address
  • Use for: Direct server connections
  • Example: api.reelog.app → 54.123.45.67

CNAME Record

  • Points domain to another domain name
  • Use for: AWS services (S3, CloudFront, API Gateway, etc.)
  • Example: api.reelog.app → your-api.us-east-2.elb.amazonaws.com

MX Record

  • Points to mail servers
  • Use for: Email routing
  • Example: reelog.app → route1.mx.cloudflare.net

TXT Record

  • Stores text data
  • Use for: Email verification, SPF, DKIM, domain verification

🚀 Step 3: Configure DNS Records

3.1 Main Domain (Root Domain)

For your main website (when you deploy frontend):

Type: A
Name: @ (or reelog.app)
Content: [Your AWS IP address]
Proxy: ✅ Proxied (orange cloud)
TTL: Auto

OR if using CloudFront/S3:

Type: CNAME
Name: @
Target: [Your CloudFront distribution].cloudfront.net
Proxy: ✅ Proxied
TTL: Auto

Note: Cloudflare doesn't allow CNAME on root domain. Use:

  • A record with IP address, OR
  • CNAME Flattening (Cloudflare Pro feature), OR
  • Use www.reelog.app as CNAME and redirect root

3.2 Admin Panel

For your admin panel frontend:

Option A: Separate Deployment (Recommended)

Type: CNAME
Name: admin
Target: [Your admin CloudFront distribution].cloudfront.net
Proxy: ✅ Proxied (orange cloud)
TTL: Auto

Option B: Same Deployment as Main Site

Type: CNAME
Name: admin
Target: reelog.app (or your main CloudFront)
Proxy: ✅ Proxied
TTL: Auto

Option C: Direct to S3/Static Hosting

Type: CNAME
Name: admin
Target: [admin-bucket].s3-website-us-east-2.amazonaws.com
Proxy: ✅ Proxied
TTL: Auto

Security Considerations:

  • ✅ Use Cloudflare Access (optional) for extra protection
  • ✅ Set up IP allowlist if needed (Cloudflare Firewall Rules)
  • ✅ Use separate SSL certificate
  • ✅ Consider rate limiting for admin subdomain

Note: Admin panel connects to same API (api.reelog.app) but uses /api/admin/* endpoints.

3.3 API Endpoint

When your API is deployed on AWS:

Option A: EC2/ECS with Load Balancer

Type: CNAME
Name: api
Target: your-load-balancer.us-east-2.elb.amazonaws.com
Proxy: ❌ DNS only (gray cloud) - for API, don't proxy
TTL: Auto

Option B: API Gateway

Type: CNAME
Name: api
Target: [api-id].execute-api.us-east-2.amazonaws.com
Proxy: ❌ DNS only
TTL: Auto

Option C: CloudFront (Recommended)

Type: CNAME
Name: api
Target: [cloudfront-distribution].cloudfront.net
Proxy: ❌ DNS only
TTL: Auto

For now (development):

Type: A
Name: api
Content: [Your local/public IP] (if testing)
Proxy: ❌ DNS only
TTL: Auto

3.4 WWW Subdomain

Type: CNAME
Name: www
Target: reelog.app (or your CloudFront)
Proxy: ✅ Proxied
TTL: Auto

3.5 AWS Cognito Custom Domain (Optional)

If you want auth.reelog.app for Cognito:

First, set up custom domain in AWS Cognito:

  1. Go to AWS Cognito → User Pools → Your Pool
  2. App integration → Domain → Create custom domain
  3. Enter: auth.reelog.app
  4. AWS will provide a CloudFront distribution

Then in Cloudflare:

Type: CNAME
Name: auth
Target: [cognito-cloudfront].cloudfront.net
Proxy: ❌ DNS only
TTL: Auto

3.6 S3 Bucket for Images

For static assets/images:

Option A: S3 Website Endpoint

Type: CNAME
Name: images (or cdn)
Target: [bucket-name].s3-website-us-east-2.amazonaws.com
Proxy: ✅ Proxied
TTL: Auto

Option B: CloudFront + S3 (Recommended)

Type: CNAME
Name: images
Target: [cloudfront-distribution].cloudfront.net
Proxy: ✅ Proxied
TTL: Auto

📧 Step 4: Email Setup

4.1 Enable Email Routing in Cloudflare

  1. Go to Email Routing in Cloudflare sidebar
  2. Click Get started
  3. Cloudflare will create MX records automatically

4.2 Create Email Addresses

  1. In Email Routing, click Create address
  2. Create: hello@reelog.app
  3. Forward to: your-personal-email@gmail.com
  4. Repeat for: support@reelog.app, admin@reelog.app, etc.

MX Records (Auto-created by Cloudflare):

Type: MX
Name: @
Priority: 10
Target: route1.mx.cloudflare.net
TTL: Auto

4.3 SPF Record (Email Authentication)

Cloudflare auto-creates this, but verify:

Type: TXT
Name: @
Content: v=spf1 include:_spf.mx.cloudflare.net ~all
TTL: Auto

🔒 Step 5: SSL/HTTPS Setup

Cloudflare SSL (Automatic)

Cloudflare provides free SSL certificates automatically:

  1. Go to SSL/TLS in Cloudflare sidebar
  2. Set encryption mode: Full (strict)
  3. Cloudflare handles SSL between:
    • User ↔ Cloudflare (HTTPS)
    • Cloudflare ↔ AWS (HTTPS)

AWS SSL Certificate

For direct AWS connections (without Cloudflare proxy):

  1. Request certificate in AWS Certificate Manager (ACM)
  2. Domain: *.reelog.app and reelog.app
  3. Use with: CloudFront, API Gateway, Load Balancer

📝 Complete DNS Configuration Example

Here's what your Cloudflare DNS might look like:

Type    Name    Content/Target                                Proxy   TTL
-----   ------  --------------------------------------------  -----   ----
A       @       54.123.45.67                                  ✅      Auto
CNAME   www     reelog.app                                    ✅      Auto
CNAME   api     your-api.us-east-2.elb.amazonaws.com          ❌      Auto
CNAME   admin   admin-cloudfront.cloudfront.net               ✅      Auto
CNAME   auth    cognito-cloudfront.cloudfront.net             ❌      Auto
CNAME   images  images-cloudfront.cloudfront.net              ✅      Auto
MX      @       route1.mx.cloudflare.net (Priority: 10)       -       Auto
TXT     @       v=spf1 include:_spf.mx.cloudflare.net ~all    -       Auto
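
The rules this guide sets per record (no CNAME on the root, api and auth stay DNS only, web and asset hosts are proxied, one SPF record beside the MX) can be checked mechanically before anything is entered in the dashboard. The following is an added example, not part of the original guide or of any Cloudflare tooling; the one-line-per-record plan format and the sample rows are constructed for illustration.

```python
# Added example: lint a planned record set against this guide's rules.
# Line format "TYPE NAME PROXY CONTENT" is an assumption made for this sketch.
DNS_ONLY = {"api", "auth"}                  # gray cloud per steps 3.3 and 3.5
PROXIED = {"@", "www", "admin", "images"}   # orange cloud per steps 3.1 to 3.6

def parse(plan):
    """Return (type, name, proxy, content) tuples, skipping blanks and comments."""
    rows = []
    for line in plan.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rtype, name, proxy, content = line.split(None, 3)
            rows.append((rtype.upper(), name, proxy.lower(), content))
    return rows

def lint(plan):
    """Return a list of human-readable findings; an empty list means the plan is clean."""
    rows, findings = parse(plan), []
    for rtype, name, proxy, content in rows:
        if rtype == "CNAME" and name == "@":
            findings.append("@: CNAME on root domain; use an A record, flattening, or www")
        if name in DNS_ONLY and proxy != "dns-only":
            findings.append(f"{name}: guide expects DNS only (gray cloud)")
        if name in PROXIED and rtype in ("A", "CNAME") and proxy != "proxied":
            findings.append(f"{name}: guide expects Proxied (orange cloud)")
        if "[" in content:
            findings.append(f"{name}: placeholder target not filled in")
    # Mail: an MX at the root should be accompanied by exactly one SPF TXT record.
    spf = [c for t, n, _, c in rows if t == "TXT" and n == "@" and c.startswith("v=spf1")]
    has_mx = any(t == "MX" and n == "@" for t, n, _, _ in rows)
    if has_mx and len(spf) != 1:
        findings.append(f"@: expected exactly one SPF TXT record, found {len(spf)}")
    for c in spf:
        if c.split()[-1] not in ("~all", "-all"):
            findings.append("@: SPF record does not end in ~all or -all")
    return findings

# Constructed sample plan with deliberate mistakes (proxied api, unproxied
# admin with an unfilled placeholder, MX without SPF).
SAMPLE_PLAN = """
A     @      proxied   54.123.45.67
CNAME www    proxied   reelog.app
CNAME api    proxied   your-api.us-east-2.elb.amazonaws.com
CNAME admin  dns-only  [Your admin CloudFront distribution].cloudfront.net
MX    @      -         10 route1.mx.cloudflare.net
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_PLAN):
        print(finding)
```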

🧪 Step 6: Testing Your DNS

Test DNS Propagation

# Check A record
dig reelog.app
nslookup reelog.app

# Check CNAME
dig api.reelog.app
nslookup api.reelog.app

# Check MX (email)
dig MX reelog.app

Test Email

  1. Send test email to hello@reelog.app
  2. Check if it forwards to your Gmail
  3. Reply from Gmail (if Cloudflare Email Routing supports it)

🎯 Step 7: AWS-Specific Configurations

7.1 EC2/ECS Deployment

If deploying API on EC2/ECS:

  1. Get your Load Balancer DNS name:

    • AWS Console → EC2 → Load Balancers
    • Copy DNS name: your-lb.us-east-2.elb.amazonaws.com
  2. Create CNAME in Cloudflare:

    api.reelog.app → your-lb.us-east-2.elb.amazonaws.com
  3. Update Load Balancer:

    • Add SSL certificate (ACM)
    • Configure health checks
    • Set up security groups

7.2 API Gateway Deployment

If using API Gateway:

  1. Create custom domain in API Gateway:

    • API Gateway → Custom domain names
    • Domain: api.reelog.app
    • Certificate: Request in ACM (us-east-2)
    • API mapping: Map to your API
  2. Get API Gateway domain:

    • Copy: [api-id].execute-api.us-east-2.amazonaws.com
  3. Create CNAME in Cloudflare:

    api.reelog.app → [api-id].execute-api.us-east-2.amazonaws.com

7.3 S3 + CloudFront Setup

For images/media:

  1. Create S3 bucket:

    • Name: reelog-images (or similar)
    • Region: us-east-2
    • Block public access: Configure as needed
  2. Create CloudFront distribution:

    • Origin: Your S3 bucket
    • Domain: images.reelog.app
    • SSL certificate: Request in ACM (us-east-1 for CloudFront)
    • Caching: Configure as needed
  3. Create CNAME in Cloudflare:

    images.reelog.app → [cloudfront-id].cloudfront.net

7.4 AWS Cognito Custom Domain

For custom auth domain:

  1. In AWS Cognito:

    • User Pools → Your Pool → App integration
    • Domain → Create custom domain
    • Domain prefix: auth
    • Certificate: AWS managed (or upload your own)
  2. Get Cognito CloudFront domain:

    • Copy: auth-[random].auth.us-east-2.amazoncognito.com
  3. Create CNAME in Cloudflare:

    auth.reelog.app → auth-[random].auth.us-east-2.amazoncognito.com

⚙️ Step 8: Cloudflare Settings

Proxy Settings (Orange vs Gray Cloud)

✅ Orange Cloud (Proxied):

  • Traffic goes through Cloudflare
  • DDoS protection
  • CDN caching
  • Use for: Websites, static assets

❌ Gray Cloud (DNS only):

  • Direct connection to AWS
  • No Cloudflare caching
  • Use for: APIs (to avoid caching issues)

SSL/TLS Settings

  1. Go to SSL/TLS → Overview
  2. Set to: Full (strict)
  3. This ensures HTTPS between Cloudflare and AWS

Page Rules (Optional)

Create rules for specific behavior:

Rule 1: api.reelog.app/*
- SSL: Full
- Cache Level: Bypass
- Disable Performance

Rule 2: images.reelog.app/*
- Cache Level: Cache Everything
- Edge Cache TTL: 1 month

🔍 Step 9: Verification Checklist

  • Root domain (reelog.app) resolves
  • www.reelog.app resolves
  • api.reelog.app points to AWS
  • SSL certificate works (HTTPS)
  • Email forwarding works (hello@reelog.app)
  • S3/CloudFront for images works
  • AWS Cognito custom domain works (if configured)
  • DNS propagation complete (check with dnschecker.org)

🚨 Common Issues & Solutions

Issue: "CNAME cannot be used on root domain"

Solution:

  • Use A record with IP address, OR
  • Use Cloudflare CNAME Flattening (Pro feature), OR
  • Use www subdomain and redirect root

Issue: "SSL certificate error"

Solution:

  • Ensure Cloudflare SSL is set to "Full (strict)"
  • Verify AWS certificate is valid
  • Check certificate region matches service region

Issue: "Email not forwarding"

Solution:

  • Verify MX records are correct
  • Check Email Routing is enabled
  • Verify forwarding address is correct
  • Check spam folder

Issue: "API returns 502/503"

Solution:

  • Check AWS service is running
  • Verify security groups allow Cloudflare IPs
  • Check load balancer health checks
  • Verify DNS is pointing to correct endpoint


🎯 Quick Reference: Your Current Setup

Based on your codebase:

AWS Services:

  • Cognito User Pool: us-east-2_TZtGx1T3X
  • Region: us-east-2
  • API: To be deployed (EC2/ECS/API Gateway)

Recommended DNS Setup:

reelog.app → [Main website/CloudFront]
www.reelog.app → [Main website/CloudFront]
api.reelog.app → [Your AWS API endpoint]
admin.reelog.app → [Admin panel/CloudFront]
auth.reelog.app → [AWS Cognito custom domain] (optional)
images.reelog.app → [S3/CloudFront] (when ready)

Next Steps:

  1. Deploy your API to AWS
  2. Get the endpoint URL
  3. Create CNAME record in Cloudflare
  4. Test connectivity

Last Updated: [Current Date]
Domain: reelog.app
Registrar: Cloudflare
DNS Provider: Cloudflare