How do I associate a Route 53 private hosted zone with a VPC on a different AWS account?
I want to associate my Amazon Route 53 private hosted zone with a virtual private cloud (VPC) that belongs to a different AWS account.
In the following resolution, use one of these options to run the commands:
Option 1: AWS Command Line Interface (AWS CLI). The resolution uses two example Amazon Elastic Compute Cloud (Amazon EC2) instances, one in Account A and the other in Account B. If you don't have two Amazon EC2 instances or don't have access to launch new EC2 instances, then use the AWS CLI on your local machine. Use the correct AWS Identity and Access Management (IAM) credentials from both accounts. For more information, see Using an IAM Identity Center activated named profile. Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.
2. If you're using the AWS CLI, then run the following command to update it to the latest version. Then configure the AWS CLI to use the credentials of an IAM user that has Route 53 access.
pip3 install awscli --upgrade --user
3. In the EC2 instance in Account A, run the following command to list the available hosted zones. Note the hosted zone ID in Account A that you want to associate with Account B.
aws route53 list-hosted-zones
4. In the EC2 instance in Account A, run the following command. The command output lists the VPCs from other accounts that you can associate with your private hosted zone. The accounts listed in the command output are those accounts that you submitted one or more CreateVPCAssociationAuthorization requests for.
Note: If the VPC in Account B doesn't appear in the VPC association authorizations list, then proceed to step 5. If it does appear in the list, then proceed to step 6.
5. In the EC2 instance in Account A, run the following command. This command authorizes the association between the private hosted zone in Account A and the VPC in Account B. In the following command, use the hosted zone ID that you obtained in the previous step. Use the AWS Region and ID of the VPC in Account B.
Note: If either of the following scenarios is true, then include the --region option in the command:
You're running the command from an EC2 instance in a different Region.
The user's credentials are associated with a Region other than us-east-1.
7. In the EC2 instance in Account B, run the following command. This command creates the association between the private hosted zone in Account A and the VPC in Account B. Use the hosted zone ID from step 3. Use the Region and ID of the VPC in Account B.
Note: The sample output might show a status of PENDING. This occurs because the VPC can't yet use the private hosted zone to perform DNS resolution. It might take a few minutes for the private hosted zone to associate with the VPC and for the changes to propagate.
8. It's a best practice to delete the association authorization after you create the association. This step prevents you from recreating the same association later. To delete the authorization, reconnect to the EC2 instance in Account A. Then, run the following command:
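Steps 4 through 8 as one script, added here as an example that is not part of this article. It assumes two locally configured AWS CLI profiles, account-a (owns the private hosted zone) and account-b (owns the VPC); both profile names are hypothetical, and the hosted zone ID, VPC Region and VPC ID are the values from steps 3 and 5.

```shell
#!/usr/bin/env bash
# Added example, not from the AWS article. Assumed: two local CLI profiles,
# "account-a" (owns the private hosted zone) and "account-b" (owns the VPC);
# both profile names are hypothetical.
set -eu
AWS_CMD="${AWS_CMD:-aws}"   # overridable, so the flow can be dry-run offline
# Route 53 is global; an explicit --region us-east-1 covers the note in step 5.
A_OPTS="--profile account-a --region us-east-1"   # zone owner
B_OPTS="--profile account-b --region us-east-1"   # VPC owner

# Step 4: is Account B's VPC already in the zone's authorization list?
is_authorized() {
  local zone_id="$1" vpc_id="$2"
  "$AWS_CMD" route53 list-vpc-association-authorizations \
    --hosted-zone-id "$zone_id" --query 'VPCs[].VPCId' --output text $A_OPTS \
    | tr '\t' '\n' | grep -qx "$vpc_id"
}

# Step 5 (Account A): authorize the association with the VPC in Account B.
authorize_association() {
  local zone_id="$1" vpc_region="$2" vpc_id="$3"
  "$AWS_CMD" route53 create-vpc-association-authorization \
    --hosted-zone-id "$zone_id" --vpc "VPCRegion=$vpc_region,VPCId=$vpc_id" $A_OPTS
}

# Step 7 (Account B): create the association; status may read PENDING at first.
associate_vpc() {
  local zone_id="$1" vpc_region="$2" vpc_id="$3"
  "$AWS_CMD" route53 associate-vpc-with-hosted-zone \
    --hosted-zone-id "$zone_id" --vpc "VPCRegion=$vpc_region,VPCId=$vpc_id" $B_OPTS
}

# Step 8 (Account A): remove the authorization once the association exists.
delete_authorization() {
  local zone_id="$1" vpc_region="$2" vpc_id="$3"
  "$AWS_CMD" route53 delete-vpc-association-authorization \
    --hosted-zone-id "$zone_id" --vpc "VPCRegion=$vpc_region,VPCId=$vpc_id" $A_OPTS
}
# Steps 4 to 8 for one zone/VPC pair; step 5 is skipped if already authorized.
run_association() {
  local zone_id="$1" vpc_region="$2" vpc_id="$3"
  if is_authorized "$zone_id" "$vpc_id"; then
    echo "authorization for $vpc_id already present, skipping step 5"
  else
    authorize_association "$zone_id" "$vpc_region" "$vpc_id"
  fi
  associate_vpc "$zone_id" "$vpc_region" "$vpc_id"
  delete_authorization "$zone_id" "$vpc_region" "$vpc_id"
}
```

Source the file and call run_association with the hosted zone ID, VPC Region and VPC ID; to preview the commands first, set AWS_CMD to a wrapper that only echoes its arguments.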