6.1 Set Up DNS Zones
This page covers adding the RCIIS domain to Cloudflare, configuring nameserver delegation, and creating the DNS records that point to the Cloudflare Load Balancers configured in Configure Geo Load Balancing.
Add Domain to Cloudflare
- Log in to the Cloudflare dashboard and select Add a Site.
- Enter the domain (e.g., rciis.africa) and select the appropriate plan.
- Cloudflare scans the existing public DNS records and imports them. Review the imported records before proceeding, and confirm that the proxy status of each imported record matches the policy in Proxied vs DNS-Only Records below.
Nameserver Delegation
After the domain is added, Cloudflare assigns two nameservers to the zone; the pair is shown on the zone's Overview page. Change the nameservers at the domain registrar to these two. The registrar writes the delegation (NS records) into the parent zone; the NS records inside the Cloudflare zone itself are managed by Cloudflare.
Note
Nameserver propagation can take up to 24–48 hours, though it typically completes within a few hours. Until it completes, some resolvers still answer from the previous nameservers, so do not cut over services on the strength of a single lookup. Cloudflare sends a confirmation email once the zone is active; before relying on the zone, verify from a resolver outside the RCIIS network that an NS query for the domain returns only the two Cloudflare nameservers.
DNS Records
RCIIS uses Cloudflare Load Balancers for all service endpoints rather than static DNS records. Each load balancer manages failover between the on-premises (EAC DC) and AWS origin pools. When you create a load balancer for a hostname, Cloudflare automatically creates the corresponding DNS record for that hostname; you do not need to create separate A or CNAME records for it.
Service Endpoints
Each service hostname has its own Cloudflare Load Balancer. All load balancers reference the same two origin pools (EAC DC and AWS) but route traffic based on pool health.
| Hostname | Service | Description |
|---|---|---|
| auth.rciis.africa | Keycloak (public) | OpenID Connect / OAuth2 authentication endpoint |
| keycloak.rciis.africa | Keycloak (admin) | Keycloak administration console |
| grafana.rciis.africa | Grafana | Observability dashboards |
| kafka.rciis.africa | Kafka UI | Kafka topic browser and management |
| gateway.rciis.africa | APISIX Dashboard | API gateway management UI |
| api.gateway.rciis.africa | APISIX Gateway | API gateway data plane (partner state API traffic) |
| flux.rciis.africa | Flux Operator UI | GitOps deployment status dashboard |
| esb.rciis.africa | Nucleus ESB | Enterprise Service Bus API endpoint |
Tip
All hostnames point to the same underlying infrastructure — the Cilium Gateway on each cluster routes requests to the correct backend service based on the Host HTTP header.
Infrastructure Endpoints
These are direct DNS records (not load balanced) used for cluster management:
| Type | Name | Content | Proxy Status | Notes |
|---|---|---|---|---|
| A | dc.rciis.africa | <EAC DC public IP> | DNS only | Direct access to EAC DC Talos API / K8s API |
Warning
Infrastructure endpoints must be set to DNS only (grey cloud) so that traffic bypasses Cloudflare's proxy. A DNS-only record publishes the EAC DC public IP to anyone who resolves the name, so the firewall in front of the data centre is the only control limiting who can reach the Talos API and the Kubernetes API: restrict those ports to the management source addresses and keep the rule set under review.
Proxied vs DNS-Only Records
| Mode | Icon | Behaviour | Use Case |
|---|---|---|---|
| Proxied | Orange cloud | Traffic passes through Cloudflare (WAF, CDN, DDoS protection); Cloudflare terminates TLS at the edge | Application endpoints accessed by partner states |
| DNS only | Grey cloud | Cloudflare only provides DNS resolution; traffic goes directly to the origin | Management endpoints, Talos API, direct NLB access |
For RCIIS:
- DNS only (via Load Balancer): All service endpoints use Cloudflare Load Balancers with proxy status set to DNS only. TLS is terminated inside the cluster on the Cilium Gateway, with Let's Encrypt certificates issued by cert-manager for the *.rciis.africa hostnames, not at Cloudflare. With the proxy enabled, clients would instead negotiate TLS with a Cloudflare-managed edge certificate, the cluster's certificate would cover only the Cloudflare-to-origin leg, and unless the zone's SSL mode were Full (strict) that second leg would not even be verified. Either way the end-to-end TLS the design requires would be lost.
- DNS only (static): Management and infrastructure endpoints (dc.rciis.africa) use standard DNS records with the proxy switched off.
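The policy above (every service hostname a DNS-only load balancer, every infrastructure hostname a DNS-only static record) can be checked against the live zone rather than by eye. The script below is an added example and not part of the RCIIS project; it assumes the Cloudflare v4 API endpoints `/zones/{zone_id}/dns_records` and `/zones/{zone_id}/load_balancers`, an API token with read access to DNS records and load balancers on the zone, and environment variable names chosen here (`CLOUDFLARE_ZONE_ID`, `CLOUDFLARE_API_TOKEN`). The `audit` function is pure, so it can also be run over saved API output.

```python
"""Audit the RCIIS zone's proxy status through the Cloudflare API.

Added example, not RCIIS project code. Assumes the Cloudflare v4 API, an API
token with DNS and Load Balancer read permission on the zone, and the
environment variable names CLOUDFLARE_ZONE_ID / CLOUDFLARE_API_TOKEN (chosen
here, not by the project).
"""
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"

# Service hostnames on this page: each must be a DNS-only load balancer.
LB_HOSTS = frozenset({
    "auth.rciis.africa", "keycloak.rciis.africa", "grafana.rciis.africa",
    "kafka.rciis.africa", "gateway.rciis.africa", "api.gateway.rciis.africa",
    "flux.rciis.africa", "esb.rciis.africa",
})
# Infrastructure hostnames on this page: a static, DNS-only record each.
STATIC_HOSTS = frozenset({"dc.rciis.africa"})
ADDRESS_TYPES = {"A", "AAAA", "CNAME"}


def cf_get(path, token):
    """Fetch every page of a Cloudflare API collection (page/per_page pagination)."""
    results, page = [], 1
    while True:
        req = urllib.request.Request(
            f"{API}/{path}?page={page}&per_page=100",
            headers={"Authorization": f"Bearer {token}"},
        )
        with urllib.request.urlopen(req, timeout=15) as resp:
            body = json.load(resp)
        if not body.get("success"):
            raise RuntimeError(body.get("errors"))
        results.extend(body["result"])
        total_pages = (body.get("result_info") or {}).get("total_pages", 1)
        if page >= total_pages:
            return results
        page += 1


def audit(records, load_balancers):
    """Compare the zone with this page's policy; returns (hostname, finding) pairs.

    records and load_balancers are the `result` arrays of
    GET /zones/{zone_id}/dns_records and GET /zones/{zone_id}/load_balancers.
    An empty list means the zone matches the documented design.
    """
    findings = []
    lbs = {lb["name"]: lb for lb in load_balancers}
    by_name = {}
    for rec in records:
        by_name.setdefault(rec["name"], []).append(rec)

    for host in sorted(LB_HOSTS):
        lb = lbs.get(host)
        if lb is None:
            findings.append((host, "no load balancer configured"))
        elif lb.get("proxied"):
            findings.append((host, "load balancer is proxied (orange cloud): "
                                   "TLS would terminate at Cloudflare, not on the Cilium Gateway"))
        for rec in by_name.get(host, []):
            if rec.get("type") in ADDRESS_TYPES:
                findings.append((host, f"static {rec['type']} record exists alongside the load balancer"))

    for host in sorted(STATIC_HOSTS):
        recs = [r for r in by_name.get(host, []) if r.get("type") in ADDRESS_TYPES]
        if not recs:
            findings.append((host, "static record missing"))
        for rec in recs:
            if rec.get("proxied"):
                findings.append((host, f"{rec['type']} record is proxied: the proxy only carries "
                                       "HTTP(S), so the Talos and Kubernetes APIs would be unreachable"))

    # Anything proxied that this page does not document deserves a second look.
    documented = LB_HOSTS | STATIC_HOSTS
    for rec in records:
        if rec.get("proxied") and rec["name"] not in documented:
            findings.append((rec["name"], "proxied record not covered by this page; confirm it is intended"))
    for lb in load_balancers:
        if lb.get("proxied") and lb["name"] not in documented:
            findings.append((lb["name"], "proxied load balancer not covered by this page; confirm it is intended"))
    return findings


def main():
    token = os.environ["CLOUDFLARE_API_TOKEN"]
    zone = os.environ["CLOUDFLARE_ZONE_ID"]
    findings = audit(
        cf_get(f"zones/{zone}/dns_records", token),
        cf_get(f"zones/{zone}/load_balancers", token),
    )
    for host, message in findings:
        print(f"{host}: {message}")
    raise SystemExit(1 if findings else 0)


if __name__ == "__main__":
    main()
```

Run it after every change to the zone, or from CI with a read-only token; a non-zero exit means the zone has drifted from the design on this page.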
Why DNS only for Load Balancers?
The RCIIS clusters use cert-manager with a Cloudflare DNS-01 solver to obtain Let's Encrypt TLS certificates. The solver only writes _acme-challenge TXT records through the Cloudflare API, so issuance does not depend on the proxy status. The certificates are installed on the Cilium Gateway inside the cluster. If Cloudflare's proxy were enabled, Cloudflare would terminate TLS at the edge with its own certificate (a Cloudflare-issued Universal SSL certificate or an uploaded custom certificate) and open a second TLS session from the edge to the cluster. Using DNS only gives end-to-end TLS from the client directly to the cluster's Cilium Gateway, with certificates renewed automatically by cert-manager. Two consequences follow from this choice. First, a DNS-only load balancer steers traffic through its DNS answers rather than at the edge, so failover between the EAC DC and AWS pools only takes effect once the record TTL expires and clients re-resolve. Second, none of Cloudflare's WAF, rate limiting or DDoS mitigation applies to these endpoints, so those controls have to be provided by the cluster itself.
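The end-to-end TLS property described above can be verified from outside the network without any Cloudflare API access. The script below is an added example and not RCIIS project code; it assumes the hostnames listed on this page, HTTPS on port 443 for the service endpoints, and a snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4) that should be refreshed before use. An answer inside those ranges means the orange cloud has been switched on for that name; the certificate issuer alone cannot tell you that, because Cloudflare's Universal SSL also issues Let's Encrypt certificates, so the address check is the discriminator and the handshake confirms that the certificate the client actually sees is valid for the hostname.

```python
"""External check that RCIIS hostnames are DNS-only and that TLS terminates
at the cluster's Cilium Gateway.

Added example, not RCIIS project code. Assumptions: the hostnames are the
ones listed on this page; CLOUDFLARE_V4 is a snapshot of
https://www.cloudflare.com/ips-v4 that must be refreshed before use.
"""
import ipaddress
import socket
import ssl

SERVICE_HOSTS = (
    "auth.rciis.africa", "keycloak.rciis.africa", "grafana.rciis.africa",
    "kafka.rciis.africa", "gateway.rciis.africa", "api.gateway.rciis.africa",
    "flux.rciis.africa", "esb.rciis.africa",
)
INFRA_HOSTS = ("dc.rciis.africa",)

# Snapshot of Cloudflare's published IPv4 edge ranges (assumed current).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare_edge(ip):
    """True if ip lies in Cloudflare's anycast ranges, i.e. the name is proxied."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def resolve_v4(host):
    """IPv4 addresses the local resolver returns for host."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, 443, socket.AF_INET)})


def check_dns_only(host, resolver=resolve_v4):
    """Problems found for host; an empty list means the grey cloud is in effect.

    A DNS-only hostname resolves straight to an origin (the EAC DC public IP or
    the AWS NLB). An answer inside Cloudflare's ranges means someone turned the
    proxy on and clients are no longer negotiating TLS with the cluster.
    """
    problems = []
    addrs = resolver(host)
    if not addrs:
        problems.append(f"{host}: no A record returned")
    for ip in addrs:
        if is_cloudflare_edge(ip):
            problems.append(f"{host} -> {ip} is a Cloudflare edge address (proxied)")
    return problems


def peer_certificate(host, port=443):
    """Complete a verified TLS handshake with host and return the leaf certificate.

    create_default_context() validates the chain against the system trust store
    and checks the hostname against the certificate's SANs, so a certificate that
    is not valid for host raises ssl.SSLCertVerificationError.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def name_fields(rdn_sequence):
    """Flatten the issuer/subject tuples returned by getpeercert() into a dict."""
    return {key: value for rdn in rdn_sequence for key, value in rdn}


def main():
    failures = 0
    for host in SERVICE_HOSTS + INFRA_HOSTS:
        for problem in check_dns_only(host):
            print(problem)
            failures += 1
    for host in SERVICE_HOSTS:
        try:
            cert = peer_certificate(host)
        except (OSError, ssl.SSLError) as exc:
            print(f"{host}: TLS handshake failed: {exc}")
            failures += 1
            continue
        issuer = name_fields(cert["issuer"])
        # The issuer alone does not prove origin termination: Cloudflare's
        # Universal SSL also issues Let's Encrypt certificates. The address
        # check above is what distinguishes the two.
        print(f"{host}: certificate issued by {issuer.get('organizationName')}, "
              f"expires {cert['notAfter']}")
    raise SystemExit(1 if failures else 0)


if __name__ == "__main__":
    main()
```

The infrastructure endpoint is only checked for its proxy status, since the Talos and Kubernetes APIs do not answer on 443 and should not be reachable from an arbitrary network at all.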
DNS Record Types Used
| Record Type | Purpose in RCIIS |
|---|---|
| A | Points a hostname to the EAC DC public IPv4 address |
| CNAME | Points a hostname to another hostname (e.g., the AWS NLB DNS name); used by the Cloudflare Load Balancer's AWS origin pool rather than as a standalone record |
| NS | Delegates the zone to Cloudflare's nameservers (set at the registrar) |
| TXT | Created and removed automatically by cert-manager's Cloudflare DNS-01 solver for Let's Encrypt domain validation (_acme-challenge.*) |
Related Pages
- Configure Geo Load Balancing: origin pools, health checks, session affinity, and failover configuration