Route 53 - configuring Private Zone association and Route53 resolver to resolve private zones across multiple accounts



I am trying to build a simple network to interconnect three accounts DEV, PROD, and Shared. The shared account has the VPN endpoint and from there I want to connect to all other accounts. The problem is the DNS resolution of Private Zones.

I have followed the manual on

1. aws route53 create-vpc-association-authorization --hosted-zone-id {} --vpc {} ...

2. aws route53 associate-vpc-with-hosted-zone --hosted-zone-id {} --vpc {} ..

but still, I do not see the Private Zone from other accounts in the Shared account.
I can see that the association was successful only when I try to add one of the associated domain names to the shared account, at which point I get:

(ConflictingDomainExists 400: The VPC ... in the region ... has already been associated with the hosted zone ... with the same domain name.)

I have also tried to prepare Route53 resolver - inbound on one account and rule and outbound on the shared account, but still not able to resolve private DNS names from other accounts. I get the response from the inbound IP addresses on the DNS records when I specifically add it into the dig command as a DNS server. The outbound addresses on the SHARED account subnets are reachable under any TCP/UDP port.

The accounts are interconnected through Transit Gateway.

Could you please advise what I am doing wrong?

Thank you!

Asked 2 years ago, 1107 views
1 answer

Hi, you can use this CLI command to see PHZs that have been shared with a VPC in your account from another account:

aws route53 list-hosted-zones-by-vpc --vpc-id vpc-xxxxxxxx --vpc-region xxxxxx

What are you using the PHZ for? Note that a PHZ is an override of resolution for the specified domain; it and its subdomains will be resolved as per records in the PHZ instead of via the usual DNS servers. So an EC2 instance in your DEV VPC for example should see that domain resolved as defined in the PHZ.

Resolver Endpoints are a bit different in that you're delegating a domain to be resolved somewhere rather than overriding its resolution with specific records. The two are for different use cases; I saw you mention VPN so you might want Resolver Endpoints for hybrid DNS resolution across on-prem and AWS.

If you happen to be using PHZs for sharing VPC Endpoints, this article might help - .

Answered 2 years ago
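The cross-account association and the verification step from the answer, as an added shell example (not the answerer's or AWS's own code). It assumes two CLI profiles (dev for the zone-owning account, shared for the VPC-owning account) and placeholder zone, VPC and region values; the list-hosted-zones-by-vpc check is the only view that shows a foreign zone, since it never appears in the Shared account's own hosted-zone list.

```shell
# Placeholder identifiers: replace with your own profiles and IDs.
ZONE_PROFILE="${ZONE_PROFILE:-dev}"        # account that owns the PHZ
VPC_PROFILE="${VPC_PROFILE:-shared}"       # account that owns the VPC
ZONE_ID="${ZONE_ID:-ZEXAMPLEZONE}"         # placeholder hosted zone id
VPC_ID="${VPC_ID:-vpc-0example}"           # placeholder VPC id
VPC_REGION="${VPC_REGION:-eu-west-1}"      # placeholder region

# Step 1 (zone owner): authorise the foreign VPC for this zone.
authorize_association() {
  aws --profile "$ZONE_PROFILE" route53 create-vpc-association-authorization \
    --hosted-zone-id "$ZONE_ID" --vpc "VPCRegion=$VPC_REGION,VPCId=$VPC_ID"
}

# Step 2 (VPC owner): perform the association; must run from the VPC's account.
associate_vpc() {
  aws --profile "$VPC_PROFILE" route53 associate-vpc-with-hosted-zone \
    --hosted-zone-id "$ZONE_ID" --vpc "VPCRegion=$VPC_REGION,VPCId=$VPC_ID"
}

# Step 3 (zone owner): drop the standing authorisation once the association exists,
# so no other principal can reuse it later.
revoke_authorization() {
  aws --profile "$ZONE_PROFILE" route53 delete-vpc-association-authorization \
    --hosted-zone-id "$ZONE_ID" --vpc "VPCRegion=$VPC_REGION,VPCId=$VPC_ID"
}

# Verification from the VPC account: returns 0 if ZONE_ID is associated with VPC_ID.
# Text output lists zone ids tab-separated on one line, so split before matching.
is_zone_associated() {
  aws --profile "$VPC_PROFILE" route53 list-hosted-zones-by-vpc \
    --vpc-id "$VPC_ID" --vpc-region "$VPC_REGION" \
    --query 'HostedZoneSummaries[].HostedZoneId' --output text \
    | tr '\t' '\n' | grep -qx "$ZONE_ID"
}

# Resolution prerequisite: both VPC DNS attributes must be enabled, or the VPC
# resolver will not answer from associated PHZ records at all.
vpc_dns_enabled() {
  aws --profile "$VPC_PROFILE" ec2 describe-vpc-attribute --vpc-id "$VPC_ID" \
    --attribute enableDnsSupport --query 'EnableDnsSupport.Value' \
    --output text | grep -qi '^true$' || return 1
  aws --profile "$VPC_PROFILE" ec2 describe-vpc-attribute --vpc-id "$VPC_ID" \
    --attribute enableDnsHostnames --query 'EnableDnsHostnames.Value' \
    --output text | grep -qi '^true$'
}
```

Run authorize_association, then associate_vpc, then revoke_authorization, and confirm with is_zone_associated and vpc_dns_enabled before testing resolution from an instance in the Shared VPC.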
