I recently ran into a configuration that had multiple accounts and VPCs that needed to share Route53 Private Private Hosted Zone records between them. Each account had it’s own Route53 private DNS, but in some cases services in each account needed to access hosts by name in other Accounts/VPCs.
Currently, the ability to authorize private hosted zones to a VPC in another AWS account is not available in the Console. You have to use the AWS CLI to accomplish this. So let’s assume we have two accounts with the following setup:
Account 1
Private Hosted Zone: account1.mydomaion.comPrivate Hosted Zone ID: ZZZZZZZZZZZZZZVPC ID: vpc-aaaa1234
Account 2
Private Hosted Zone: account2.mydomain.comPrivate Hosted Zone ID: ZYYYYYYYYYYYYYVPC ID: vpc-bbbb5678
Let’s assume I wan to share the private DNS between these accounts. You’ll need to have API keys for each of the accounts or run the commands from linux instances that have a role with the appropriate Route53 policy permissions. We’re going to have to switch between the accounts a couple times.
First we’re going to create an authorization to share Account 1 Private Hosted Zone w/ Account 2’s VPC:
Account 1
aws route53 create-vpc-association-authorization \
--hosted-zone-id ZZZZZZZZZZZZZZ \
--vpc VPCRegion=us-west-2,VPCId=vpc-bbbb5678
We’ll then switch to Account 2 and associate the VPC with Private Hosted Zone:
Account 2
aws route53 associate-vpc-with-hosted-zone \
--hosted-zone-id ZZZZZZZZZZZZZZ \
--vpc VPCRegion=us-west-2,VPCId=vpc-bbbb5678~~~~
Account 1
aws route53 create-vpc-association-authorization \
--hosted-zone-id ZZZZZZZZZZZZZZ \
--vpc VPCRegion=us-west-2,VPCId=vpc-bbbb5678
We’ll then switch to Account 2 and associate the VPC with Private Hosted Zone:
Account 2
aws route53 associate-vpc-with-hosted-zone \
--hosted-zone-id ZZZZZZZZZZZZZZ \
--vpc VPCRegion=us-west-2,VPCId=vpc-bbbb5678
While we’re here, lets create the authorization to shared Account 2’s Private Hosted Zone with Account 1:
aws route53 create-vpc-association-authorization \
--hosted-zone-id ZYYYYYYYYYYYYY \
--vpc VPCRegion=us-west-2,VPCId=vpc-aaaa1234
Back to Account 1 to complete the association:
Account 1
aws route53 associate-vpc-with-hosted-zone \
--hosted-zone-id ZYYYYYYYYYYYYY \
--vpc VPCRegion=us-west-2,VPCId=vpc-aaaa1234
AWS Recommends that you delete the authorization after you have completed the association:
Account 1
aws route53 delete-vpc-association-authorization \
--hosted-zone-id ZZZZZZZZZZZZZZ \
--vpc VPCRegion=us-west-2,VPCId=vpc-bbbb5678
Account 2
aws route53 delete-vpc-association-authorization \
--hosted-zone-id ZYYYYYYYYYYYYY \
--vpc VPCRegion=us-west-2,VPCId=vpc-aaaa1234
According to Route53 documentation, deleting the authorization does not affect authorizations you have accepted.
Account 1
aws route53 list-vpc-association-authorizations \
--hosted-zone-id ZZZZZZZZZZZZZZ
Account 2
aws route53 list-vpc-association-authorizations \
--hosted-zone-id ZYYYYYYYYYYYYY