DNS - docs

Synthetiq serves the apps built on it through your domain of choice. You’ll add five DNS records, each created once: two to validate the certificates from the previous step, and three to serve the apps.

#	Record	Type	Points to
1	`_<token-a>.apps.yourcompany.com`	CNAME	`_<token-b>.<id>.acm-validations.aws.`
2	`_<token-c>.api.apps.yourcompany.com`	CNAME	`_<token-d>.<id>.acm-validations.aws.`
3	`*.api.apps.yourcompany.com`	CNAME	the load balancer’s DNS name
4	`*.apps.yourcompany.com`	CNAME	the CloudFront domain
5	`apps.yourcompany.com` (apex)	CNAME / ALIAS	the CloudFront domain

The names and values for records 1–2 are provided verbatim by ACM when you create the certificates in the previous step — every token is distinct, so copy each field exactly. Create these records before provisioning. Records 3–5 come after provisioning — synthetiq infra provision prints the exact values to point to.

Provider notes

Proxying providers (Cloudflare, etc.): create all five as DNS-only (proxy off). A proxied validation record will not validate.
Apex record (5): use your provider’s flattened CNAME / ALIAS / ANAME support. Cloudflare flattens apex CNAMEs automatically; in Route 53 use an ALIAS.

Permanence

Records 1–2 stay in place permanently — ACM uses them to auto-renew the certificates.
Records 3–5 are static: their targets only change if the load balancer or CloudFront distribution is replaced — an extremely rare event (e.g. you tore down and re-provisioned your infrastructure), and one the changeset diff flags before you apply.

Certificates

Service Account

⌘I

​Provider notes

​Permanence

Provider notes

Permanence