Why does the internal ALB example bind to a public Route 53 hosted zone?
The internal ALB [example](https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/v0.84.3/examples/for-production/infrastructure-live/_envcommon/networking/alb-internal.hcl#L94) binds the domain record to the public hosted zone. Isn't the internal ALB supposed to be private?
All network connections to an internal ALB are indeed private. An internal ALB is given only private IP addresses in the VPC subnets, so there is no network route that allows traffic to reach it from outside the VPC. The Security Groups attached to the internal ALB further restrict which resources within the VPC can reach it. Note that this setup does leak the DNS name of the internal ALB publicly: anyone who queries the public record learns the ALB's hostname (and, since AWS resolves internal load balancer hostnames from public DNS, the private IP addresses behind it), even though they cannot connect to it. Depending on your risk tolerance, you could instead bind the record to a private Route 53 hosted zone to keep the ALB's name out of public DNS while still using an easy to remember, permanent address for the service. However, this adds some overhead: ACM DNS validation records still have to live in a public zone, and clients reaching the service over a VPC peering connection can only resolve the name once their VPC has been associated with the private zone. This is why in our Reference Architecture (from which that example is derived) we balance this security risk against the operational simplicity of using a public Route 53 hosted zone.
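The private-zone alternative described above, as an added Terraform example (this is not the Reference Architecture's or the service catalog's own code). It assumes an existing internal ALB `aws_lb.internal`, an application VPC `aws_vpc.app`, an input variable `var.peer_vpc_id` for a peered VPC, and the hypothetical domain `internal.example.com` under a public zone `example.com`; all of those names are assumptions. It shows both pieces of overhead the answer mentions: the zone association a peered VPC needs, and the ACM validation records that still have to go into the public zone.

```hcl
# Added example, not project code. Assumed names: aws_lb.internal, aws_vpc.app,
# var.peer_vpc_id, internal.example.com / example.com.

# A private hosted zone only answers queries from VPCs associated with it, so the
# internal ALB's hostname never appears in public DNS.
resource "aws_route53_zone" "private" {
  name = "internal.example.com"

  vpc {
    vpc_id = aws_vpc.app.id
  }

  # Additional VPCs are attached with aws_route53_zone_association below;
  # ignore_changes stops Terraform from trying to detach them again.
  lifecycle {
    ignore_changes = [vpc]
  }
}

# Clients in a peered VPC cannot resolve names in the private zone until their
# VPC is associated with it. This is the "accessing the service over peering
# connections" overhead: one association per consuming VPC.
resource "aws_route53_zone_association" "peer" {
  zone_id = aws_route53_zone.private.zone_id
  vpc_id  = var.peer_vpc_id
}

# The service record itself: an alias to the internal ALB, in the private zone.
resource "aws_route53_record" "api" {
  zone_id = aws_route53_zone.private.zone_id
  name    = "api.internal.example.com"
  type    = "A"

  alias {
    name                   = aws_lb.internal.dns_name
    zone_id                = aws_lb.internal.zone_id
    evaluate_target_health = true
  }
}

# ACM proves domain ownership through public DNS, so the validation CNAMEs must
# be created in a public zone for the parent domain even though the service
# record is private. This is the ACM overhead the answer refers to.
data "aws_route53_zone" "public" {
  name         = "example.com"
  private_zone = false
}

resource "aws_acm_certificate" "api" {
  domain_name       = "api.internal.example.com"
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_route53_record" "acm_validation" {
  for_each = {
    for dvo in aws_acm_certificate.api.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      type   = dvo.resource_record_type
      record = dvo.resource_record_value
    }
  }

  zone_id         = data.aws_route53_zone.public.zone_id
  name            = each.value.name
  type            = each.value.type
  ttl             = 60
  records         = [each.value.record]
  allow_overwrite = true
}

# Blocks until ACM has seen the validation records, so the certificate ARN can
# safely be attached to the ALB's HTTPS listener afterwards.
resource "aws_acm_certificate_validation" "api" {
  certificate_arn         = aws_acm_certificate.api.arn
  validation_record_fqdns = [for r in aws_route53_record.acm_validation : r.fqdn]
}
```

To confirm the name is no longer exposed, resolve `api.internal.example.com` from a host outside the VPC (for example with `dig`): it should return no answer, while the same query from an instance in `aws_vpc.app` or the peered VPC returns the ALB's private IP addresses. Only the `_acm-challenge`-style validation CNAMEs remain visible in the public zone, and those reveal nothing about the ALB.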