
DNS & Routing

DNS Architecture

Cloudflare is the authoritative DNS provider for novavirtual.site. Every subdomain is a CNAME to an AWS ALB hostname (or, for docs, to GitLab Pages). The Proxied column decides where clients actually connect: a proxied record (orange cloud) sends clients to Cloudflare's edge, which terminates TLS and forwards to the ALB; a DNS-only record (gray cloud) makes Cloudflare answer the query and nothing more, so clients connect straight to the ALB.

DNS Records

| Subdomain | Type | Target | Proxied | Service |
|---|---|---|---|---|
| staging-django-api | CNAME | Django ALB | ❌ DNS only | Django API |
| staging-portals | CNAME | Django ALB | ❌ DNS only | Nova Portal |
| staging-wp-cms | CNAME | WordPress ALB | ✅ Proxied | WordPress CMS |
| staging-gatsby | CNAME | WordPress ALB | ✅ Proxied | Gatsby Frontend |
| staging-caringforyou | CNAME | Foursites ALB | ✅ Proxied | Caring For You |
| staging-essential | CNAME | Foursites ALB | ✅ Proxied | Essential |
| staging-vital | CNAME | Foursites ALB | ✅ Proxied | Vital |
| staging-ashur | CNAME | Foursites ALB | ✅ Proxied | Ashur |
| staging-foursites | CNAME | Foursites ALB | ✅ Proxied | Fixed 404 (nothing for search engines to index) |
| docs | CNAME | nova-infra.gitlab.io | ❌ DNS only | Docs (GitLab Pages) |

HIPAA — No Cloudflare Proxy for PHI

The Django API and Portal subdomains are DNS only (gray cloud) because PHI must NOT transit Cloudflare. With the proxy on, Cloudflare's edge is the TLS endpoint and request and response bodies are in the clear there; with DNS only, clients connect directly to the ALB, which terminates TLS with AWS ACM certificates, so no system outside AWS sees plaintext.

Two things to keep checking. First, the records must keep resolving to the ALB's own addresses: `dig +short staging-django-api.novavirtual.site` should return the ALB CNAME and AWS addresses, not Cloudflare ones, because a single flipped orange cloud silently re-routes PHI through the proxy. Second, the trade-off is that these two hosts get none of Cloudflare's edge protection, which makes the AWS WAF on the Django ALB (see WAF below) their only edge filtering. The proxied hosts carry the inverse caveat: Cloudflare's protections only hold if the origin ALB is not reachable directly, so its security group should admit HTTPS only from Cloudflare's published IP ranges.
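The resolver check above, as an added example rather than any tooling from this project: it classifies each PHI hostname as DNS-only or proxied by testing its IPv4 answers against Cloudflare's published edge ranges. The range list is copied from https://www.cloudflare.com/ips-v4 at the time of writing and is an assumption that must be refreshed; the hostnames come from the DNS table, and the `resolver` parameter exists so the logic can be exercised offline with constructed answers.

```python
"""Verify that the PHI hostnames are DNS-only: their A records must point at the ALB,
never at Cloudflare's edge. Added example, not the page's own tooling."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips-v4), copied at the
# time of writing (assumption). Refresh from that URL on a schedule; a stale list gives false negatives.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# The two PHI-carrying hostnames from the DNS table.
PHI_HOSTS = ("staging-django-api.novavirtual.site", "staging-portals.novavirtual.site")


def is_cloudflare(ip: str) -> bool:
    """True if the address falls inside any published Cloudflare IPv4 range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def classify(answers: Iterable[str]) -> str:
    """Verdict for one hostname from its resolved IPv4 answers."""
    flags = [is_cloudflare(a) for a in answers]
    if not flags:
        return "unresolved"
    if all(flags):
        return "proxied"       # orange cloud: Cloudflare terminates TLS and sees plaintext
    if not any(flags):
        return "dns-only"      # gray cloud: the client talks straight to the ALB
    return "mixed"             # should not happen; treat as proxied until explained


def resolve_v4(host: str) -> List[str]:
    """Live resolver: IPv4 answers for the host (ALBs publish A records; AAAA is ignored here)."""
    try:
        infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def audit(hosts: Iterable[str],
          resolver: Callable[[str], List[str]] = resolve_v4) -> Dict[str, str]:
    """Map each host to its verdict; anything other than 'dns-only' is a PHI routing violation."""
    return {h: classify(resolver(h)) for h in hosts}


if __name__ == "__main__":
    import sys
    results = audit(PHI_HOSTS)
    for host, verdict in results.items():
        print(f"{host:45} {verdict}")
    # Non-zero exit so the check can gate a pipeline or page an on-call rotation.
    sys.exit(0 if all(v == "dns-only" for v in results.values()) else 1)
```

Run it from a cron job or a pipeline stage; a `proxied` or `mixed` verdict on either host is the condition the HIPAA note forbids. The `mixed` branch is deliberately not treated as a pass: partial proxying still sends some PHI through Cloudflare.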

ALB Routing

Django ALB (prod-nhc-django)

Path-based routing on the HTTPS listener, evaluated lowest priority number first; the default action catches anything no rule matched:

| Priority | Condition | Target | Port |
|---|---|---|---|
| 10 | Path is `/api/*`, `/auth/*`, `/admin/*` or `/ping/*` | Django API TG | 8000 |
| Default | Everything else | Portal TG | 3000 |

Two consequences of this rule set are easy to miss. ALB path patterns are case-sensitive and `*` matches zero or more characters, so `/admin/` and `/admin/users` reach Django, while a bare `/admin` (no trailing slash) and `/API/...` fall through to the portal. And the rules carry no host condition, so both hostnames on this ALB (staging-django-api and staging-portals) are routed purely by path: `/admin/` on the portal hostname reaches Django admin, and a non-API path on the API hostname reaches the portal.

WordPress ALB (prod-nhc-wordpress)

Host-based routing:

| Priority | Condition | Target | Port |
|---|---|---|---|
| 10 | Host is staging-gatsby.novavirtual.site | Gatsby TG | 3006 |
| Default | Everything else | WordPress TG | 80 |

Foursites ALB (prod-nhc-foursites)

Host-based routing:

| Priority | Condition | Target | Port |
|---|---|---|---|
| 5 | Host is staging-foursites.novavirtual.site | Fixed-response 404 (no target group) | n/a |
| 10 | Host is staging-essential.novavirtual.site | Essential TG | 3002 |
| 20 | Host is staging-vital.novavirtual.site | Vital TG | 3003 |
| 30 | Host is staging-ashur.novavirtual.site | Ashur TG | 3004 |
| Default | Everything else | Caring For You TG | 3001 |

Because the default forwards to Caring For You, any other name that points at this ALB (including anything covered by the wildcard certificate) is served that site; the priority-5 rule exists precisely so the bare staging-foursites host answers 404 instead.
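To see how the Django and Foursites rule tables above behave on real requests, here is an added example (not the project's code) that replays them with the documented ALB semantics: rules are tried in ascending priority, `*` matches zero or more characters and `?` exactly one, path patterns are case-sensitive, host-header matching is case-insensitive, and the listener default catches the rest. The rule tables are transcribed from this page; the sample requests are constructed.

```python
"""Replay the ALB listener rules from the tables above against sample requests.
Added example; it mirrors the rule semantics as documented by AWS, not the project's code."""
import re
from typing import Dict, List, Sequence, Tuple

Rule = Tuple[int, Dict[str, List[str]], str]   # (priority, conditions, action)


def _to_regex(pattern: str, ignore_case: bool) -> "re.Pattern[str]":
    # ALB wildcards: '*' matches zero or more characters, '?' exactly one; the rest is literal.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE if ignore_case else 0)


def path_matches(pattern: str, path: str) -> bool:
    # Path patterns are case-sensitive and compared against the path only (no query string).
    return bool(_to_regex(pattern, ignore_case=False).match(path))


def host_matches(pattern: str, host: str) -> bool:
    # Host-header matching is case-insensitive, like DNS names.
    return bool(_to_regex(pattern, ignore_case=True).match(host))


def route(rules: Sequence[Rule], default: str, host: str, path: str) -> str:
    """First matching rule in ascending priority wins; the listener default catches the rest."""
    for _prio, cond, action in sorted(rules, key=lambda r: r[0]):
        # Different condition types on one rule are ANDed; values within one type are ORed.
        host_ok = "host" not in cond or any(host_matches(p, host) for p in cond["host"])
        path_ok = "path" not in cond or any(path_matches(p, path) for p in cond["path"])
        if host_ok and path_ok:
            return action
    return default


# Transcribed from the Django ALB table: one path rule, no host condition.
DJANGO_RULES: List[Rule] = [
    (10, {"path": ["/api/*", "/auth/*", "/admin/*", "/ping/*"]}, "Django API TG :8000"),
]
DJANGO_DEFAULT = "Portal TG :3000"

# Transcribed from the Foursites ALB table: host rules, fixed 404 first.
FOURSITES_RULES: List[Rule] = [
    (5,  {"host": ["staging-foursites.novavirtual.site"]}, "fixed-response 404"),
    (10, {"host": ["staging-essential.novavirtual.site"]}, "Essential TG :3002"),
    (20, {"host": ["staging-vital.novavirtual.site"]}, "Vital TG :3003"),
    (30, {"host": ["staging-ashur.novavirtual.site"]}, "Ashur TG :3004"),
]
FOURSITES_DEFAULT = "Caring For You TG :3001"


if __name__ == "__main__":
    # Constructed sample requests chosen to hit the edge cases called out in the text.
    samples = [
        (DJANGO_RULES, DJANGO_DEFAULT, "staging-portals.novavirtual.site", "/admin/"),
        (DJANGO_RULES, DJANGO_DEFAULT, "staging-portals.novavirtual.site", "/admin"),
        (DJANGO_RULES, DJANGO_DEFAULT, "staging-django-api.novavirtual.site", "/API/patients"),
        (FOURSITES_RULES, FOURSITES_DEFAULT, "staging-foursites.novavirtual.site", "/"),
        (FOURSITES_RULES, FOURSITES_DEFAULT, "unknown.novavirtual.site", "/"),
    ]
    for rules, default, host, path in samples:
        print(f"{host:40} {path:16} -> {route(rules, default, host, path)}")
```

The sample set is the regression test worth keeping next to any listener change: `/admin` without a trailing slash landing on the portal, and an unknown host on the Foursites ALB landing on Caring For You, are both behaviours the tables imply but do not spell out.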

ACM Certificates

| Certificate | Covers | ALB |
|---|---|---|
| Django cert | staging-django-api.novavirtual.site, staging-portals.novavirtual.site | Django ALB |
| WordPress cert | staging-wp-cms.novavirtual.site | WordPress ALB |
| Wildcard cert | *.novavirtual.site | Foursites ALB, and WordPress ALB as an additional listener certificate selected by SNI |

The wildcard matches exactly one label: it covers staging-gatsby.novavirtual.site but neither the apex novavirtual.site nor any deeper name.

WAF

The Django and Foursites ALBs each have an AWS WAF v2 web ACL with a rate-based rule that blocks a source exceeding 2,000 requests in a 5-minute window; the WordPress ALB has no web ACL. WAF logs go to CloudWatch Logs with 90-day retention for Django and 30-day retention for Foursites (a CloudWatch log group used as a WAF destination must be named with the aws-waf-logs- prefix).

One point to verify on the Foursites ACL: its hosts are proxied, so the connection source address WAF sees is a Cloudflare edge IP shared by many clients. A rate rule aggregating on that source IP would count all Cloudflare-fronted traffic together and block the edge address for everyone behind it, while never isolating the abusive client. The rule should aggregate on the forwarded client address instead (forwarded IP config on X-Forwarded-For or CF-Connecting-IP), which in turn is only trustworthy when the ALB accepts traffic from Cloudflare's ranges alone, since a direct client can set those headers to anything. The Django ALB is DNS-only, so per-source-IP aggregation is correct there.
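The aggregation-key problem described above, shown with an added simulation (not the project's WAF configuration): a 2,000-per-5-minute sliding window is counted once keyed on the connection source IP and once keyed on the first X-Forwarded-For address, over constructed traffic in which an abusive client and a legitimate client both arrive through the same Cloudflare edge address. The edge address, client addresses and request timings are constructed, and the counter is an exact, synchronous simplification of AWS WAF's own approximate rate evaluation.

```python
"""Simulate a WAF v2 rate-based rule (2000 requests per 5-minute window) under the two
aggregation keys, on constructed traffic arriving through a Cloudflare proxy.
Added example, not the project's WAF configuration; counting is simplified."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional

LIMIT = 2000    # requests per window, as stated in the WAF section
WINDOW = 300    # seconds (5 minutes)

# Constructed addresses: one placeholder Cloudflare edge IP (inside Cloudflare's
# 172.64.0.0/13 range) fronting two clients, one abusive and one legitimate.
EDGE_IP = "172.64.0.10"
ABUSER = "203.0.113.7"
LEGIT = "198.51.100.5"


class RateBasedRule:
    """Sliding-window counter keyed on the connection source IP ("IP") or on the first
    address in X-Forwarded-For ("FORWARDED_IP", the key forwarded_ip_config selects)."""

    def __init__(self, limit: int, window: int, aggregate_key: str):
        self.limit, self.window, self.aggregate_key = limit, window, aggregate_key
        self.hits: Dict[str, Deque[float]] = defaultdict(deque)

    def key_for(self, req: dict) -> Optional[str]:
        if self.aggregate_key == "FORWARDED_IP":
            xff = req["headers"].get("X-Forwarded-For", "")
            # Fallback behaviour NO_MATCH: a request without the header is not counted.
            return xff.split(",")[0].strip() or None
        return req["src_ip"]

    def evaluate(self, req: dict) -> str:
        key = self.key_for(req)
        if key is None:
            return "ALLOW"
        window = self.hits[key]
        window.append(req["t"])
        while window and window[0] <= req["t"] - self.window:   # drop hits outside the window
            window.popleft()
        return "BLOCK" if len(window) > self.limit else "ALLOW"


def constructed_traffic() -> List[dict]:
    """2500 requests from ABUSER then 50 from LEGIT, all inside one window, all via EDGE_IP."""
    reqs, t = [], 0.0
    for client, count in ((ABUSER, 2500), (LEGIT, 50)):
        for _ in range(count):
            reqs.append({"t": t, "src_ip": EDGE_IP, "headers": {"X-Forwarded-For": client}})
            t += 0.1
    return reqs


def simulate(aggregate_key: str) -> Dict[str, int]:
    """Blocked-request count per real client under the given aggregation key."""
    rule = RateBasedRule(LIMIT, WINDOW, aggregate_key)
    blocked = {ABUSER: 0, LEGIT: 0}
    for req in constructed_traffic():
        if rule.evaluate(req) == "BLOCK":
            blocked[req["headers"]["X-Forwarded-For"]] += 1
    return blocked


if __name__ == "__main__":
    for key in ("IP", "FORWARDED_IP"):
        print(key, simulate(key))
```

Keyed on the source IP, the legitimate client's 50 requests are all blocked because the shared edge address had already exceeded the limit; keyed on the forwarded address, only the abuser's excess 500 are blocked. The forwarded key is the right one for the proxied Foursites hosts, on the condition stated above that the ALB does not accept direct connections whose headers an attacker controls.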