Enabling Cross Region Access to VPC Lattice Services using VPC Resource Gateway

Content level: Advanced

This article shows how to reach a VPC Lattice service in one region from a VPC Lattice service network in another region, using a VPC Lattice service network endpoint and a VPC Resource Gateway.

For this we will assume you have a service network in us-east-1 and a service network in us-west-2, and a service in us-east-1 with the custom DNS name service.example.com that you want to reach from the service network in us-west-2 under the same name. We will also assume you have registered the public domain example.com and can create publicly resolvable records for service.example.com.


Step 1. Create the VPC Lattice service networks in us-east-1 and us-west-2 and associate each with the VPCs that need to reach that service network.

Step 2. Create the VPC Lattice service in us-east-1 with the custom domain service.example.com and associate it with the us-east-1 service network created in step 1.

Step 3. Create a Route 53 private hosted zone for example.com and create an alias record for service.example.com that points to the Lattice service, using the DNS name and hosted zone ID that Lattice provides for the service. Associate this private hosted zone with every VPC the Lattice service network is associated with in us-east-1. Do not associate it with any VPC in us-west-2.

Step 4. Create a dedicated VPC in us-east-1, create a VPC Lattice service network endpoint (powered by PrivateLink) in this dedicated VPC, and ensure the VPC is associated with the service network from step 1.

Step 5. Create a dedicated VPC in us-west-2 and create a Resource Gateway in that VPC.

Step 6. Peer the us-east-1 VPC from step 4 with the us-west-2 VPC from step 5 using VPC peering, and create the routes on both sides so that traffic traverses the peering connection.

Step 7. In the Route 53 public hosted zone for example.com, create an alias record that points service.example.com to the service association listed on the service network endpoint for service.example.com. Note: each service you create has its own service network association DNS name on the service network endpoint.

Step 8. Create a resource configuration in us-west-2 that points to the DNS name service.example.com through the resource gateway created in step 5. Then associate this resource configuration with the us-west-2 service network created in step 1.

Step 9. Create a second Route 53 private hosted zone for example.com and create an alias record for service.example.com that points to the service network association DNS name and hosted zone ID that Lattice provides for the resource configuration created in step 8. Then associate this private hosted zone with every VPC the Lattice service network is associated with in us-west-2. Do not associate it with any VPC in us-east-1.


Notes:

  • Clearly label the two private hosted zones for example.com so you know which one to associate with us-east-1 and which one with us-west-2. Crossing these zones will cause DNS to resolve to the wrong IP address and may cause client communication failures.
  • Make sure to use alias records in the public hosted zone, as the Resource Gateway cannot resolve the VPC Lattice default service name (ending in .on.aws), even through CNAME recursion. The private hosted zones should also use alias records, which improves performance by removing a step of recursion from the DNS query, but CNAMEs will work there if needed for some reason.
  • You will need to create a resource configuration and all 3 associated DNS records (2 private and 1 public) for any new service.
  • Consider using Route 53 profiles to share and associate the private hosted zones in each region.
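The nine steps above as an AWS CLI walkthrough, added here as an example; it is not code from the original article. The VPC, subnet, route table and public hosted zone IDs and the CIDRs at the top are placeholders to replace with your own. The `describe-vpc-endpoint-associations` fields used in step 7 and the `get-service-network-resource-association` read-back in step 8 are assumed from the API shape; confirm them against your CLI version. The `alias_change_batch` helper encodes note 2 (alias records, never CNAMEs) and the hosted zone comment encodes note 1 (label each private zone with its region).

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Placeholder IDs and CIDRs below are
# assumptions: replace them with your own, then run "./cross-region-lattice.sh apply".
set -eu

EAST=us-east-1; WEST=us-west-2
DOMAIN=example.com; SVC_FQDN=service.example.com
EAST_APP_VPC=vpc-0aaaa0east    # us-east-1 VPC hosting the service's clients (placeholder)
EAST_EP_VPC=vpc-0bbbb0east     # dedicated VPC for the service network endpoint (step 4)
EAST_EP_SUBNETS="subnet-0e1 subnet-0e2"; EAST_EP_RTB=rtb-0east; EAST_EP_CIDR=10.10.0.0/24
WEST_APP_VPC=vpc-0cccc0west    # us-west-2 VPC that will call service.example.com
WEST_RGW_VPC=vpc-0dddd0west    # dedicated VPC for the resource gateway (step 5)
WEST_RGW_SUBNETS="subnet-0w1 subnet-0w2"; WEST_RGW_RTB=rtb-0west; WEST_RGW_CIDR=10.20.0.0/24
PUBLIC_ZONE_ID=Z0PUBLICPLACEHOLDER   # public hosted zone for example.com

# Route 53 UPSERT change batch for an alias A record. Alias (not CNAME) is required
# for the public record (note 2) and preferred for the private ones. Pure shell, so
# it can be checked without AWS credentials.
alias_change_batch() { # $1 record name, $2 target DNS name, $3 target hosted zone ID
  printf '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"A","AliasTarget":{"DNSName":"%s","HostedZoneId":"%s","EvaluateTargetHealth":false}}}]}' "$1" "$2" "$3"
}

# Private hosted zone for $DOMAIN bound to one VPC in one region. The comment names
# the region so the two zones are not mixed up (note 1). Prints the hosted zone ID.
create_phz() { # $1 region, $2 VPC ID
  aws route53 create-hosted-zone --name "$DOMAIN" --caller-reference "phz-$1-$(date +%s)" \
    --hosted-zone-config "Comment=$DOMAIN private zone: associate ONLY with $1 VPCs,PrivateZone=true" \
    --vpc "VPCRegion=$1,VPCId=$2" --query HostedZone.Id --output text
}

apply() {
  # Step 1: a service network per region, each associated with its client VPC
  set -- $(aws vpc-lattice create-service-network --region $EAST --name sn-east --query '[id,arn]' --output text)
  SN_EAST=$1; SN_EAST_ARN=$2
  SN_WEST=$(aws vpc-lattice create-service-network --region $WEST --name sn-west --query id --output text)
  aws vpc-lattice create-service-network-vpc-association --region $EAST --service-network-identifier "$SN_EAST" --vpc-identifier $EAST_APP_VPC
  aws vpc-lattice create-service-network-vpc-association --region $WEST --service-network-identifier "$SN_WEST" --vpc-identifier $WEST_APP_VPC

  # Step 2: the service with its custom domain; create-service returns the Lattice DNS
  # name and hosted zone ID that the alias record in step 3 targets
  set -- $(aws vpc-lattice create-service --region $EAST --name svc --custom-domain-name $SVC_FQDN \
    --query '[id,dnsEntry.domainName,dnsEntry.hostedZoneId]' --output text)
  SVC_ID=$1; SVC_DNS=$2; SVC_HZ=$3
  aws vpc-lattice create-service-network-service-association --region $EAST --service-identifier "$SVC_ID" --service-network-identifier "$SN_EAST"

  # Step 3: us-east-1 private zone, alias to the service, never associated with us-west-2 VPCs
  PHZ_EAST=$(create_phz $EAST $EAST_APP_VPC)
  aws route53 change-resource-record-sets --hosted-zone-id "$PHZ_EAST" --change-batch "$(alias_change_batch $SVC_FQDN "$SVC_DNS" "$SVC_HZ")"

  # Step 4: the dedicated us-east-1 VPC joins the service network and hosts a service network endpoint
  aws vpc-lattice create-service-network-vpc-association --region $EAST --service-network-identifier "$SN_EAST" --vpc-identifier $EAST_EP_VPC
  VPCE=$(aws ec2 create-vpc-endpoint --region $EAST --vpc-id $EAST_EP_VPC --vpc-endpoint-type ServiceNetwork \
    --service-network-arn "$SN_EAST_ARN" --subnet-ids $EAST_EP_SUBNETS --query VpcEndpoint.VpcEndpointId --output text)

  # Step 5: resource gateway in the dedicated us-west-2 VPC
  RGW=$(aws vpc-lattice create-resource-gateway --region $WEST --name rgw-west --vpc-identifier $WEST_RGW_VPC \
    --subnet-ids $WEST_RGW_SUBNETS --query id --output text)

  # Step 6: inter-region peering between the two dedicated VPCs plus a route on each side
  PCX=$(aws ec2 create-vpc-peering-connection --region $EAST --vpc-id $EAST_EP_VPC --peer-vpc-id $WEST_RGW_VPC \
    --peer-region $WEST --query VpcPeeringConnection.VpcPeeringConnectionId --output text)
  aws ec2 accept-vpc-peering-connection --region $WEST --vpc-peering-connection-id "$PCX"
  aws ec2 create-route --region $EAST --route-table-id $EAST_EP_RTB --destination-cidr-block $WEST_RGW_CIDR --vpc-peering-connection-id "$PCX"
  aws ec2 create-route --region $WEST --route-table-id $WEST_RGW_RTB --destination-cidr-block $EAST_EP_CIDR --vpc-peering-connection-id "$PCX"

  # Step 7: public alias record pointing at the endpoint's association DNS name for this service.
  # Assumption: describe-vpc-endpoint-associations exposes AssociatedResourceArn and DnsEntry as used here.
  set -- $(aws ec2 describe-vpc-endpoint-associations --region $EAST --vpc-endpoint-ids "$VPCE" \
    --query "VpcEndpointAssociations[?contains(AssociatedResourceArn, '$SVC_ID')].[DnsEntry.DnsName,DnsEntry.HostedZoneId] | [0]" --output text)
  aws route53 change-resource-record-sets --hosted-zone-id $PUBLIC_ZONE_ID --change-batch "$(alias_change_batch $SVC_FQDN "$1" "$2")"

  # Step 8: DNS resource configuration in us-west-2 through the gateway, associated with sn-west
  RCFG=$(aws vpc-lattice create-resource-configuration --region $WEST --name rc-service --type SINGLE \
    --resource-gateway-identifier "$RGW" --protocol TCP --port-ranges 443 \
    --resource-configuration-definition "dnsResource={domainName=$SVC_FQDN,ipAddressType=IPV4}" --query id --output text)
  ASSOC=$(aws vpc-lattice create-service-network-resource-association --region $WEST \
    --resource-configuration-identifier "$RCFG" --service-network-identifier "$SN_WEST" --query id --output text)
  # Assumption: the association's Lattice DNS name and zone are read back with get-service-network-resource-association
  set -- $(aws vpc-lattice get-service-network-resource-association --region $WEST \
    --service-network-resource-association-identifier "$ASSOC" --query '[dnsEntry.domainName,dnsEntry.hostedZoneId]' --output text)

  # Step 9: us-west-2 private zone, alias to the resource association, never associated with us-east-1 VPCs
  PHZ_WEST=$(create_phz $WEST $WEST_APP_VPC)
  aws route53 change-resource-record-sets --hosted-zone-id "$PHZ_WEST" --change-batch "$(alias_change_batch $SVC_FQDN "$1" "$2")"
}

if [ "${1:-}" = "apply" ]; then apply; fi
```

Run it with the single argument `apply` under credentials that can act in both regions; with no argument it only defines the functions, which is how `alias_change_batch` can be inspected offline. For a new service, repeat steps 2, 3, 7, 8 and 9 (note 3): the service networks, endpoint, gateway and peering are shared. The service network endpoint also accepts `--security-group-ids`; allowing only the resource gateway VPC's CIDR on the service port confines the cross-region path to the two dedicated VPCs.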

[Architecture diagram depicting the architecture built in the steps above]

Author: AWS (Expert). Published a month ago.