Route 53 - configuring Private Zone association and Route 53 Resolver to resolve private zones across multiple accounts


Hello,

I am trying to build a simple network to interconnect three accounts: DEV, PROD, and Shared. The Shared account has the VPN endpoint, and from there I want to connect to all other accounts. The problem is the DNS resolution of Private Zones.

I have followed the manual on https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-associate-vpcs-different-accounts.html.

1. aws route53 create-vpc-association-authorization --hosted-zone-id {} --vpc {} ...

2. aws route53 associate-vpc-with-hosted-zone --hosted-zone-id {} --vpc {} ..

but still I do not see the Private Zone from the other accounts in the Shared account.
I can only tell that the association was successful when I try to add one of the associated domain names to the Shared account, at which point I get:

(ConflictingDomainExists 400: The VPC ... in the region ... has already been associated with the hosted zone ... with the same domain name.)

I have also tried to set up Route 53 Resolver: an inbound endpoint in one account, and a rule plus an outbound endpoint in the Shared account, but I am still not able to resolve private DNS names from the other accounts. I get the response for the DNS records from the inbound IP addresses when I specifically pass one of them as the DNS server in the dig command. The outbound addresses in the SHARED account subnets are reachable on any TCP/UDP port.

The accounts are interconnected through Transit Gateway.

Could you please advise what I am doing wrong?

Thank you!

jsima
Asked 2 years ago, 1109 views
1 answer

Hi, you can use this CLI command to see PHZs that have been shared with a VPC in your account from another account:

aws route53 list-hosted-zones-by-vpc --vpc-id vpc-xxxxxxxx --vpc-region xxxxxx

What are you using the PHZ for? Note that a PHZ is an override of resolution for the specified domain; it and its subdomains will be resolved as per records in the PHZ instead of via the usual DNS servers. So an EC2 instance in your DEV VPC for example should see that domain resolved as defined in the PHZ.

Resolver Endpoints are a bit different in that you're delegating a domain to be resolved somewhere rather than overriding its resolution with specific records. The two are for different use cases; I saw you mention VPN so you might want Resolver Endpoints for hybrid DNS resolution across on-prem and AWS.

If you happen to be using PHZs for sharing VPC Endpoints, this article might help - https://www.linkedin.com/pulse/how-share-interface-vpc-endpoints-across-aws-accounts-steve-kinsman/ .

Expert
Answered 2 years ago
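The two-step cross-account flow from the question (owner account authorizes, consumer account associates), followed by the listing check from the answer, as an added example; this is not code from the original post or from the AWS documentation. Profile names, the hosted zone ID, the VPC ID and the region are placeholder assumptions. Setting DRY_RUN=1 prints the aws commands instead of running them, so the script can be read and exercised without credentials; the zone_in_ids helper works on the text output of list-hosted-zones-by-vpc and is what an automated check of "is my PHZ visible from this VPC" would assert on.

```shell
#!/usr/bin/env sh
# Added example: cross-account private hosted zone association and verification.
# All identifiers below are placeholders (assumptions), override via environment.
set -eu

OWNER_PROFILE="${OWNER_PROFILE:-dev}"          # assumed: CLI profile for the account that owns the PHZ
CONSUMER_PROFILE="${CONSUMER_PROFILE:-shared}" # assumed: CLI profile for the account that owns the VPC
ZONE_ID="${ZONE_ID:-Z0123456789EXAMPLE}"       # assumed placeholder hosted zone ID
VPC_ID="${VPC_ID:-vpc-0abc1234}"               # assumed placeholder VPC ID
VPC_REGION="${VPC_REGION:-eu-west-1}"          # assumed placeholder region
DRY_RUN="${DRY_RUN:-0}"                        # 1 = print commands instead of executing them

# Execute the command given as arguments, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1, owner account: authorize the foreign VPC to be associated with the zone.
authorize_vpc() {
  run aws route53 create-vpc-association-authorization \
    --profile "$OWNER_PROFILE" \
    --hosted-zone-id "$ZONE_ID" \
    --vpc "VPCRegion=$VPC_REGION,VPCId=$VPC_ID"
}

# Step 2, consumer account: perform the association from the VPC's own account.
associate_vpc() {
  run aws route53 associate-vpc-with-hosted-zone \
    --profile "$CONSUMER_PROFILE" \
    --hosted-zone-id "$ZONE_ID" \
    --vpc "VPCRegion=$VPC_REGION,VPCId=$VPC_ID"
}

# Step 3, owner account (hygiene): the authorization is no longer needed once
# the association exists, so remove it rather than leaving it standing.
revoke_authorization() {
  run aws route53 delete-vpc-association-authorization \
    --profile "$OWNER_PROFILE" \
    --hosted-zone-id "$ZONE_ID" \
    --vpc "VPCRegion=$VPC_REGION,VPCId=$VPC_ID"
}

# Step 4, consumer account: list the hosted zone IDs visible from the VPC as
# whitespace-separated text (same call as the answer, with a --query projection).
list_zone_ids_for_vpc() {
  run aws route53 list-hosted-zones-by-vpc \
    --profile "$CONSUMER_PROFILE" \
    --vpc-id "$VPC_ID" \
    --vpc-region "$VPC_REGION" \
    --query 'HostedZoneSummaries[].HostedZoneId' \
    --output text
}

# Return 0 if zone ID $2 appears in the whitespace-separated ID list $1.
zone_in_ids() {
  for id in $1; do
    [ "$id" = "$2" ] && return 0
  done
  return 1
}

# Convenience: full flow, then verify and resolve a name through the VPC's
# default resolver (no @server, so this must run from an instance in the VPC).
associate_and_verify() {
  authorize_vpc
  associate_vpc
  revoke_authorization
  ids="$(list_zone_ids_for_vpc)"
  if zone_in_ids "$ids" "$ZONE_ID"; then
    printf 'zone %s is associated with %s\n' "$ZONE_ID" "$VPC_ID"
    [ $# -ge 1 ] && run dig +short "$1"
  else
    printf 'zone %s is NOT visible from %s\n' "$ZONE_ID" "$VPC_ID" >&2
    return 1
  fi
}
```

Run steps 1 and 3 with credentials of the account that owns the hosted zone and steps 2 and 4 with credentials of the account that owns the VPC; the association itself must be made from the VPC's account, which is why the two profiles are separate. The `dig` at the end deliberately names no server: the point of the check is that the VPC's default resolver, not an inbound endpoint IP, answers for the private zone.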
