- Newest
- Most votes
- Most comments
The difference in that blog post is that there is resolution of the "root" DNS name set up in the Application accounts. If someone wants to resolve "aws.customer.local" from within one of those accounts then there are forwarding rules in there for "customer.local" to be resolved on-prem, and then forwarding rules on-prem to resolve "aws.customer.local" in the Networking account.
Your setup currently doesn't have anything allowing resolution of "name.local" from your "dev" vpc. The simplest solution is probably to associate the name.local PHZ with the "dev" VPC.
Looking at this with a fresh set of eyes, I noticed a consideration at the bottom of the blog post - "If Application 1 needs to communicate to Application 2, then the PHZ from Account A must be shared with Account B. DNS queries can then be routed efficiently for those VPCs in different accounts." This is what I'm trying to do.
This led met to find this statement in another of their blog posts - "When a Route 53 private hosted zone needs to be resolved in multiple VPCs and AWS accounts as described earlier, the most reliable pattern is to share the private hosted zone between accounts and associate it to each VPC that needs it."
"associate it to each VPC that needs it" - in a cross account scenario, you must create an authorization (manual step, CLI or API) from one account and then an association (also manual, CLI or API) from the other account. So If you have five accounts/vpcs with their own overlapped PHZ that need to communicate, that's twenty auths and twenty associations you have to setup. Add one more account in the future, that's 10 more auths and 10 more assoc you need to add. You want to do VPC endpoints in a shared services account? that's even more PHZs you need to deal with.
This feels like a significant gap in functionality compared to how Transit Gateway provides routing between a large number of accounts. That routing is going to be of limited usefulness if you don't have a DNS solution to go with it, that is just as scalable as the transit gateway.
These are real concerns. Have a look at https://www.linkedin.com/pulse/how-share-interface-vpc-endpoints-across-aws-accounts-steve-kinsman which talks about how to do this at scale. With appropriate CloudFormation templates and a helper script for authorisations, it's manageable. BTW did this work? - "The simplest solution is probably to associate the name.local PHZ with the dev VPC".
Relevant content
- Accepted Answerasked 2 years ago
- asked 2 years ago
- asked a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 10 months ago
- AWS OFFICIALUpdated 2 months ago
I see what you're saying, but I can't imagine AWS would suggest routing VPC/account to VPC/account name resolution through an on-prem dns server as a recommended architecture.