Jeff Dickman - Blog There's something to this...

Sharing Private DNS between VPCs with Route53

I recently ran into a configuration that had multiple accounts and VPCs that needed to share Route53 Private Hosted Zone records between them. Each account had its own Route53 private DNS, but in some cases services in each account needed to access hosts by name in other accounts/VPCs.

Currently, the ability to authorize private hosted zones to a VPC in another AWS account is not available in the Console. You have to use the AWS CLI to accomplish this. So let’s assume we have two accounts with the following setup:

Account 1

Private Hosted Zone:  account1.mydomain.com
Private Hosted Zone ID:  ZZZZZZZZZZZZZZ
VPC ID:  vpc-aaaa1234

Account 2

Private Hosted Zone:  account2.mydomain.com
Private Hosted Zone ID:  ZYYYYYYYYYYYYY
VPC ID:  vpc-bbbb5678

Let’s assume I want to share the private DNS between these accounts. You’ll need to have API keys for each of the accounts, or run the commands from Linux instances that have a role with the appropriate Route53 policy permissions. We’re going to have to switch between the accounts a couple of times.

First we’re going to create an authorization to share Account 1’s Private Hosted Zone with Account 2’s VPC:

Account 1

aws route53 create-vpc-association-authorization \
--hosted-zone-id ZZZZZZZZZZZZZZ \
--vpc VPCRegion=us-west-2,VPCId=vpc-bbbb5678

We’ll then switch to Account 2 and associate the VPC with Private Hosted Zone:

Account 2

aws route53 associate-vpc-with-hosted-zone \
--hosted-zone-id ZZZZZZZZZZZZZZ \
--vpc VPCRegion=us-west-2,VPCId=vpc-bbbb5678

While we’re here, let’s create the authorization to share Account 2’s Private Hosted Zone with Account 1’s VPC:

aws route53 create-vpc-association-authorization \
--hosted-zone-id ZYYYYYYYYYYYYY \
--vpc VPCRegion=us-west-2,VPCId=vpc-aaaa1234

Back to Account 1 to complete the association:

Account 1

aws route53 associate-vpc-with-hosted-zone \
--hosted-zone-id ZYYYYYYYYYYYYY \
--vpc VPCRegion=us-west-2,VPCId=vpc-aaaa1234

AWS recommends that you delete the authorization once the association has been completed, so that no standing permission to associate the VPC is left behind:

Account 1

aws route53 delete-vpc-association-authorization \
--hosted-zone-id ZZZZZZZZZZZZZZ \
--vpc VPCRegion=us-west-2,VPCId=vpc-bbbb5678

Account 2

aws route53 delete-vpc-association-authorization \
--hosted-zone-id ZYYYYYYYYYYYYY \
--vpc VPCRegion=us-west-2,VPCId=vpc-aaaa1234

According to the Route53 documentation, deleting the authorization does not affect an association that has already been completed. You can confirm that no authorizations remain open by listing them in each account:

Account 1

aws route53 list-vpc-association-authorizations \
--hosted-zone-id ZZZZZZZZZZZZZZ

Account 2

aws route53 list-vpc-association-authorizations \
--hosted-zone-id ZYYYYYYYYYYYYY
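The following script is an added example, not code from the original post. It wraps the authorize, associate and revoke steps above into one function run in both directions, then verifies that each guest VPC is associated and that no authorization was left open. It assumes two AWS CLI named profiles, "account1" and "account2" (names chosen for the example), and uses the zone and VPC IDs from the post. The JSON parsing is done with grep/sed so the verification works without jq, and a constructed sample response lets the parsing be exercised offline.

```shell
#!/bin/sh
# Added example: cross-account Route53 private hosted zone sharing.
# Profile names "account1"/"account2" are assumptions for this example.

REGION=us-west-2
ZONE1=ZZZZZZZZZZZZZZ; VPC1=vpc-aaaa1234   # Account 1 (IDs from the post)
ZONE2=ZYYYYYYYYYYYYY; VPC2=vpc-bbbb5678   # Account 2 (IDs from the post)

# Build the --vpc argument string that the Route53 CLI expects.
vpc_arg() {
  printf 'VPCRegion=%s,VPCId=%s' "$1" "$2"
}

# Print the VPC IDs found in the JSON returned by either
# list-vpc-association-authorizations or get-hosted-zone (both carry
# "VPCId" entries), one per line. grep/sed only, so jq is not required.
vpc_ids_in() {
  printf '%s\n' "$1" | grep -o '"VPCId": *"[^"]*"' | sed 's/.*"\([^"]*\)"$/\1/'
}

# Exit status 0 when VPC $2 appears in JSON $1, 1 otherwise.
contains_vpc() {
  vpc_ids_in "$1" | grep -qx "$2"
}

# share_zone OWNER_PROFILE ZONE_ID GUEST_PROFILE GUEST_VPC
# Owner authorizes, guest associates, owner revokes the now-unneeded
# authorization (the association itself survives the revocation).
share_zone() {
  owner=$1; zone=$2; guest=$3; guest_vpc=$4
  arg=$(vpc_arg "$REGION" "$guest_vpc")
  aws --profile "$owner" route53 create-vpc-association-authorization \
      --hosted-zone-id "$zone" --vpc "$arg" >/dev/null
  aws --profile "$guest" route53 associate-vpc-with-hosted-zone \
      --hosted-zone-id "$zone" --vpc "$arg" >/dev/null
  aws --profile "$owner" route53 delete-vpc-association-authorization \
      --hosted-zone-id "$zone" --vpc "$arg"
}

# verify_share OWNER_PROFILE ZONE_ID GUEST_VPC
# Fails unless the guest VPC is associated with the zone AND no
# authorization for it is still pending.
verify_share() {
  owner=$1; zone=$2; guest_vpc=$3
  zone_json=$(aws --profile "$owner" route53 get-hosted-zone --id "$zone")
  auth_json=$(aws --profile "$owner" route53 list-vpc-association-authorizations \
                --hosted-zone-id "$zone")
  if ! contains_vpc "$zone_json" "$guest_vpc"; then
    echo "$guest_vpc is not associated with $zone" >&2; return 1
  fi
  if contains_vpc "$auth_json" "$guest_vpc"; then
    echo "authorization for $guest_vpc is still open on $zone" >&2; return 1
  fi
  echo "$zone: $guest_vpc associated, no pending authorization"
}

# Constructed sample of a list-vpc-association-authorizations response
# (same field layout as the real output) for offline exercise of the parser.
SAMPLE_AUTH_JSON='{
    "HostedZoneId": "ZZZZZZZZZZZZZZ",
    "VPCs": [
        { "VPCRegion": "us-west-2", "VPCId": "vpc-bbbb5678" }
    ]
}'

# Only call AWS when explicitly requested (RUN_SHARE=1); otherwise just
# demonstrate the parsing on the constructed sample.
if [ "${RUN_SHARE:-0}" = 1 ]; then
  share_zone account1 "$ZONE1" account2 "$VPC2"
  share_zone account2 "$ZONE2" account1 "$VPC1"
  verify_share account1 "$ZONE1" "$VPC2"
  verify_share account2 "$ZONE2" "$VPC1"
else
  contains_vpc "$SAMPLE_AUTH_JSON" "$VPC2" && \
    echo "offline check: $VPC2 found in sample authorization list"
fi
```

Run it with RUN_SHARE=1 once the two profiles have the Route53 permissions described above; without that variable it only exercises the parsing on the sample response. The verify step is the part worth keeping around: an authorization that was created but never revoked is a standing permission for the other account to associate that VPC, and listing the authorizations after the fact is the only way to see it.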