I want to configure and manage access across AWS accounts for Amazon Route 53 resources, such as private hosted zones and Resolver endpoints.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
To set up cross-account access, create a central DNS account and at least one member account. The central DNS account hosts your primary Amazon Route 53 configuration, manages private hosted zones, and controls Route 53 Resolver endpoints. Member accounts contain resources that require access to DNS services from the central account. For example, a resource in a member account might require DNS resolution for records in a private hosted zone in a central account.
Set up the accounts
Complete the following steps in the central and member accounts to set up forwarding:
- In the central account, run the following create-hosted-zone command to create a private hosted zone (add records to it afterwards with change-resource-record-sets):
aws route53 create-hosted-zone \
--name example.internal \
--vpc VPCRegion=us-east-1,VPCId=vpc-xxxxx \
--caller-reference $(date +%s)
Note: Replace example.internal with your hosted zone name and replace vpc-xxxxx with your VPCId.
- In the central account, run the following create-resolver-endpoint command to create an inbound endpoint:
aws route53resolver create-resolver-endpoint \
--creator-request-id inbound-endpoint \
--direction INBOUND \
--ip-addresses \
SubnetId=subnet-xxxxx,Ip=10.0.0.10 \
SubnetId=subnet-yyyyy,Ip=10.0.1.10 \
--security-group-ids sg-xxxxx
Note: Replace subnet-xxxxx and subnet-yyyyy with your SubnetIDs, replace 10.0.0.10 and 10.0.1.10 with your IP addresses, and replace sg-xxxxx with your security-group-id.
- In the member account, run the following create-resolver-endpoint command to create an outbound endpoint:
aws route53resolver create-resolver-endpoint \
--creator-request-id outbound-endpoint \
--direction OUTBOUND \
--ip-addresses \
SubnetId=subnet-xxxxx \
SubnetId=subnet-yyyyy \
--security-group-ids sg-yyyyy
Note: Replace subnet-xxxxx and subnet-yyyyy with your SubnetIDs in the member account's VPC and replace sg-yyyyy with your security-group-id.
- In the member account, run the following create-resolver-rule command to create an outbound Resolver rule:
aws route53resolver create-resolver-rule \
--creator-request-id rule1 \
--domain-name example.internal \
--rule-type FORWARD \
--resolver-endpoint-id rslvr-endpoint-id \
--target-ips Ip=10.0.0.10
Note: Replace rule1 with a unique creator request ID (add --name to give the rule a display name), replace example.internal with your hosted zone name, replace rslvr-endpoint-id with the ID of the outbound endpoint that you created in the previous step, and replace 10.0.0.10 with the IP address of the inbound endpoint in the central account. List every inbound endpoint IP address as a target so that resolution doesn't depend on a single subnet. The member VPC also needs a network path (for example, VPC peering or a transit gateway) to the inbound endpoint subnets, and the inbound endpoint's security group must allow UDP and TCP port 53 from the outbound endpoint's IP addresses.
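The following script is an added example; it isn't from the original page or from AWS. It covers the two things the commands above leave to the reader: restricting the inbound endpoint's security group to DNS traffic from the member VPC only, and creating the forwarding rule with both inbound endpoint addresses as targets. The AWS CLI profile names central and member, the CIDR 10.1.0.0/16, and the IDs passed as arguments are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page). Assumed placeholders: the CLI
# profiles "central" and "member", and every ID or CIDR passed as an argument.
set -eu

# Central account: allow DNS (UDP and TCP 53) into the inbound endpoint's
# security group only from the member VPC's CIDR, not from 0.0.0.0/0.
# Usage: allow_dns_from_member <sg-id> <member-vpc-cidr>
allow_dns_from_member() {
  sg="$1"; cidr="$2"
  for proto in udp tcp; do
    aws --profile central ec2 authorize-security-group-ingress \
      --group-id "$sg" --protocol "$proto" --port 53 --cidr "$cidr"
  done
}

# Member account: create the FORWARD rule with every inbound endpoint
# address as a target, so resolution survives the loss of one subnet.
# Usage: create_forward_rule <domain> <outbound-endpoint-id> <ip> [ip...]
create_forward_rule() {
  domain="$1"; endpoint="$2"; shift 2
  targets=""
  for ip in "$@"; do
    targets="$targets Ip=$ip,Port=53"
  done
  # $targets is intentionally unquoted: it is a space-separated list of
  # shorthand values for --target-ips.
  aws --profile member route53resolver create-resolver-rule \
    --creator-request-id "fwd-$domain-$(date +%s)" \
    --name "forward-$domain" \
    --domain-name "$domain" \
    --rule-type FORWARD \
    --resolver-endpoint-id "$endpoint" \
    --target-ips $targets
}

# Run from an instance in the member VPC after the rule is associated:
# confirms that a name in the central zone actually resolves. Needs dig.
# Usage: check_resolution <name>
check_resolution() {
  name="$1"
  command -v dig >/dev/null || { echo "dig not installed" >&2; return 2; }
  answer=$(dig +short "$name")
  [ -n "$answer" ] && echo "$name -> $answer"
}
```

Run allow_dns_from_member in the central account before the member account's rule goes live; if the inbound endpoint's group already allows 0.0.0.0/0 on port 53, revoke that rule rather than adding a narrower one beside it.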
Use an Amazon Route 53 Profile to share resources
You can also use an Amazon Route 53 Profile to share your private hosted zone or outbound Resolver rules.
Complete the following steps:
- Create a Route 53 Profile in the central account.
- Associate your private hosted zone or Resolver rule with your Route 53 Profile.
- Use AWS Resource Access Manager (AWS RAM) to share the Route 53 Profile with your member account.
- In the member account, associate your Amazon VPC with the Route 53 Profile that was shared with you.
Use Amazon VPC to share resources
You can allow Amazon Virtual Private Cloud (Amazon VPC) resources in a member account to access private hosted zone records in your central account.
Complete the following steps:
- Create a private hosted zone in the central account.
- In the central account, authorize the association for the specific VPC in the member account (create-vpc-association-authorization).
- In the member account, associate the private hosted zone with that Amazon VPC (associate-vpc-with-hosted-zone). Then, in the central account, delete the authorization so that it can't be reused.
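The following script is an added example, not from the original page or from AWS, showing the authorize, associate and revoke sequence from both accounts, plus a check for authorizations that were never revoked. The CLI profile names central and member and the IDs passed as arguments are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page). Assumed placeholders: the CLI
# profiles "central" and "member", and the zone, Region and VPC arguments.
set -eu

# Usage: associate_phz_cross_account <hosted-zone-id> <region> <member-vpc-id>
associate_phz_cross_account() {
  zone="$1"; region="$2"; vpc="$3"
  vpcspec="VPCRegion=$region,VPCId=$vpc"

  # 1. Central account: authorize exactly this VPC. The authorization is a
  #    standing grant until it is deleted, so never scope it wider than one VPC.
  aws --profile central route53 create-vpc-association-authorization \
    --hosted-zone-id "$zone" --vpc "$vpcspec"

  # 2. Member account: perform the association. Route 53 accepts it only
  #    if an outstanding authorization names this Region and VPC.
  aws --profile member route53 associate-vpc-with-hosted-zone \
    --hosted-zone-id "$zone" --vpc "$vpcspec"

  # 3. Central account: revoke the grant. The association stays in place;
  #    only the ability to create it again is removed.
  aws --profile central route53 delete-vpc-association-authorization \
    --hosted-zone-id "$zone" --vpc "$vpcspec"
}

# Audit helper for the central account: VPC IDs with an authorization that
# was never revoked. Usage: list_open_authorizations <hosted-zone-id>
list_open_authorizations() {
  aws --profile central route53 list-vpc-association-authorizations \
    --hosted-zone-id "$1" --query 'VPCs[].VPCId' --output text
}
```

The member VPC must have enableDnsSupport and enableDnsHostnames set to true, or the association succeeds but the VPC's resolver never consults the private hosted zone.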
Use AWS RAM to share Resolver rules and AWS resources
You can use AWS RAM to share Resolver rules and AWS resources from your central account.
You can also share Resolver rules with multiple accounts that are part of AWS Organizations or of an organizational unit (OU). Instead of enumerating each account, use AWS RAM to share an outbound Resolver rule with the organization or OU.
Complete the following steps in your central account:
- Run the following enable-sharing-with-aws-organization command to allow AWS RAM to share with your organization. This command must be run from the organization's management account:
aws ram enable-sharing-with-aws-organization
- Run the following create-resource-share command to create a resource share for your Resolver rule:
aws ram create-resource-share \
--name "dns-share" \
--resource-arns arn:aws:route53resolver:region:account-id:resolver-rule/resolver-rule \
--principals arn:aws:organizations::account-id:organization/o-xxxxxxxxxx
Note: Replace dns-share with your resource share name, replace region with your Region, replace account-id with your account ID, replace resolver-rule with the ID of your Resolver rule, and replace o-xxxxxxxxxx with your organization ID. To share with a single OU instead of the whole organization, use the OU's ARN (arn:aws:organizations::account-id:ou/o-xxxxxxxxxx/ou-xxxx-xxxxxxxx) as the principal.
Associate an outbound Resolver rule with a VPC in your member account
Complete the following steps:
- Open the Route 53 console.
- In the navigation pane, choose Rules.
- Choose the AWS Region where you created the rule.
- Select the rule that you want to associate with a VPC.
- Choose Associate VPC.
- Under VPCs that use this rule, select the VPC.
- Choose Add.
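The following script is an added example, not from the original page or from AWS: the CLI equivalent of the console steps above, for rules that arrived through the AWS RAM share described earlier. It finds every rule shared into the member account and associates each one with a VPC, skipping rules that are already associated so it is safe to rerun. The CLI profile name member and the Region and VPC arguments are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page). Assumed placeholders: the CLI
# profile "member", and the Region and VPC ID passed as arguments.
set -eu

# Rules shared into this account report ShareStatus SHARED_WITH_ME; rules
# created locally report NOT_SHARED or SHARED_BY_ME. The filter is applied
# client-side with --query. Usage: list_shared_rule_ids <region>
list_shared_rule_ids() {
  aws --profile member --region "$1" route53resolver list-resolver-rules \
    --query "ResolverRules[?ShareStatus=='SHARED_WITH_ME'].Id" --output text
}

# Associate one rule with one VPC. Usage: associate_rule <region> <rule-id> <vpc-id>
associate_rule() {
  aws --profile member --region "$1" route53resolver associate-resolver-rule \
    --resolver-rule-id "$2" --vpc-id "$3" --name "shared-rule-$2"
}

# Associate every shared rule with the VPC, skipping ones already attached.
# Usage: associate_all_shared <region> <vpc-id>
associate_all_shared() {
  region="$1"; vpc="$2"
  # Rule IDs already associated with this VPC, normalised to one line of
  # space-separated words (text output is tab-separated).
  existing=$(aws --profile member --region "$region" route53resolver \
    list-resolver-rule-associations \
    --filters Name=VPCId,Values="$vpc" \
    --query 'ResolverRuleAssociations[].ResolverRuleId' --output text \
    | tr '\t\n' '  ')
  for rule in $(list_shared_rule_ids "$region"); do
    case " $existing " in
      *" $rule "*) echo "skip $rule (already associated with $vpc)" ;;
      *) associate_rule "$region" "$rule" "$vpc" ;;
    esac
  done
}
```

Resolver rules are Regional, so run associate_all_shared once per Region in which the central account created and shared rules.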