I want to associate my Amazon Route 53 private hosted zone with an Amazon Virtual Private Cloud (Amazon VPC) that belongs to a different AWS account.
Short description
To associate a Route 53 private hosted zone with an Amazon VPC in another account, authorize the association from the account that owns the hosted zone. Then, create the association from the account that owns the Amazon VPC.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Prerequisites:
- Access to both accounts.
- Either an Amazon Elastic Compute Cloud (Amazon EC2) instance in each account or the AWS CLI on your local machine with credentials for both accounts.
- AWS Identity and Access Management (IAM) permissions to manage Route 53 in Account A and associate VPCs with hosted zones in Account B.
The following resolution uses an EC2 instance in Account A and one in Account B. Account A is the account that has the hosted zone, and Account B is the account that has the VPC.
Authorize the association in Account A
Complete the following steps:
- Connect to the instance, or configure AWS CLI credentials for Account A.
- Configure the AWS CLI to use the credentials of an IAM user that has Route 53 access.
- In the instance, run the list-hosted-zones command to list your hosted zones:
aws route53 list-hosted-zones
Note: From the command's output, note the hosted zone ID that you want to associate.
- In the instance, run the list-vpc-association-authorizations command to check existing Amazon VPC association authorizations:
aws route53 list-vpc-association-authorizations --hosted-zone-id hosted-zone-id
Note: The preceding command's output lists the VPCs from other accounts that you can associate with your private hosted zone. The listed accounts are the accounts that you submitted CreateVPCAssociationAuthorization requests for.
- If the VPC that's in Account B isn't listed, then run the create-vpc-association-authorization command to create an authorization in Account A:
aws route53 create-vpc-association-authorization --hosted-zone-id hosted-zone-id --vpc VPCRegion=region,VPCId=vpc-id --region us-east-1
Note: Replace hosted-zone-id with your hosted zone's ID, region with the AWS Region that your VPC is in, and vpc-id with your VPC's ID. If you're working in a Region other than us-east-1, or your credentials are associated with a Region that isn't us-east-1, then include --region us-east-1.
Create the association in Account B
Complete the following steps:
- Connect to the instance, or configure AWS CLI credentials for Account B.
- To create the association, run the associate-vpc-with-hosted-zone command:
aws route53 associate-vpc-with-hosted-zone --hosted-zone-id hosted-zone-id --vpc VPCRegion=region,VPCId=vpc-id --region us-east-1
Note: To run the preceding command, use an IAM user or role that has the AssociateVPCWithHostedZone and DescribeVpcs API permissions. Also, replace hosted-zone-id with your hosted zone's ID, region with the AWS Region that your VPC is in, and vpc-id with your VPC's ID. If you're working in a Region other than us-east-1, or your credentials are associated with a Region that isn't us-east-1, then include --region us-east-1.
The association status might show as PENDING. While the status is PENDING, the VPC can't yet use the private hosted zone for DNS resolution. It can take a few minutes for the association to complete and the changes to propagate.
Delete the association authorization
After you create the association, it's a best practice to delete the association authorization so that it can't be reused to create the same association again.
To delete the authorization, reconnect to the instance in Account A, and then run the delete-vpc-association-authorization command:
aws route53 delete-vpc-association-authorization --hosted-zone-id hosted-zone-id --vpc VPCRegion=region,VPCId=vpc-id --region us-east-1
Note: Replace hosted-zone-id with your hosted zone's ID, region with the AWS Region that your VPC is in, and vpc-id with your VPC's ID. If you're working in a Region other than us-east-1, or your credentials are associated with a Region that isn't us-east-1, then include --region us-east-1.
Verify the association
To confirm that the VPC is associated with the private hosted zone, complete the following steps:
- Open the Route 53 console.
- Select your private hosted zone domain.
- In the Hosted zone details section, verify that the ID for Account B's VPC appears.
After you complete the association, instances in Account B's VPC can resolve records in Account A's private hosted zone.
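The whole procedure (authorize in Account A, associate in Account B, delete the authorization, verify) as a set of shell functions, added here as an example; it is not part of the AWS article. It assumes two AWS CLI named profiles, account-a (owns the hosted zone) and account-b (owns the VPC), instead of the article's two EC2 instances, and the HOSTED_ZONE_ID, VPC_REGION and VPC_ID values are placeholders you replace. The only thing it adds beyond the article is the vpc_in_list helper, which reads the --query/--output text rows of list-vpc-association-authorizations or get-hosted-zone so the script can skip an authorization that already exists and verify the association from the CLI instead of the console.

```shell
#!/bin/sh
# Added example (not from the AWS article). Assumes CLI profiles "account-a"
# (hosted-zone owner) and "account-b" (VPC owner); IDs below are placeholders.

HOSTED_ZONE_ID="${HOSTED_ZONE_ID:-REPLACE-WITH-HOSTED-ZONE-ID}"
VPC_REGION="${VPC_REGION:-REPLACE-WITH-VPC-REGION}"
VPC_ID="${VPC_ID:-REPLACE-WITH-VPC-ID}"
PROFILE_A="${PROFILE_A:-account-a}"   # assumed profile name: hosted-zone owner
PROFILE_B="${PROFILE_B:-account-b}"   # assumed profile name: VPC owner

# Route 53 is a global service; the article passes --region us-east-1 so that
# credentials bound to another Region still reach the Route 53 endpoint.
R53_REGION=us-east-1

# Pure helper: $1 is the text output of a --query 'VPCs[].[VPCRegion,VPCId]'
# --output text call (one "region<TAB>vpc-id" row per line); returns 0 when
# the pair $2 (Region) / $3 (VPC ID) is present, 1 otherwise.
vpc_in_list() {
  printf '%s\n' "$1" | awk -v r="$2" -v v="$3" \
    '$1 == r && $2 == v { found = 1 } END { exit !found }'
}

# Account A: authorizations already granted for this hosted zone.
list_authorizations() {
  aws route53 list-vpc-association-authorizations \
    --hosted-zone-id "$HOSTED_ZONE_ID" \
    --profile "$PROFILE_A" --region "$R53_REGION" \
    --query 'VPCs[].[VPCRegion,VPCId]' --output text
}

# Account A: create the authorization unless it already exists.
authorize_in_account_a() {
  if vpc_in_list "$(list_authorizations)" "$VPC_REGION" "$VPC_ID"; then
    echo "authorization for $VPC_ID already exists"
    return 0
  fi
  aws route53 create-vpc-association-authorization \
    --hosted-zone-id "$HOSTED_ZONE_ID" \
    --vpc "VPCRegion=$VPC_REGION,VPCId=$VPC_ID" \
    --profile "$PROFILE_A" --region "$R53_REGION"
}

# Account B: create the association; prints the ChangeInfo status, which is
# expected to be PENDING until the change propagates.
associate_in_account_b() {
  aws route53 associate-vpc-with-hosted-zone \
    --hosted-zone-id "$HOSTED_ZONE_ID" \
    --vpc "VPCRegion=$VPC_REGION,VPCId=$VPC_ID" \
    --profile "$PROFILE_B" --region "$R53_REGION" \
    --query 'ChangeInfo.Status' --output text
}

# Account A: remove the standing authorization now that it has been used.
delete_authorization_in_account_a() {
  aws route53 delete-vpc-association-authorization \
    --hosted-zone-id "$HOSTED_ZONE_ID" \
    --vpc "VPCRegion=$VPC_REGION,VPCId=$VPC_ID" \
    --profile "$PROFILE_A" --region "$R53_REGION"
}

# CLI equivalent of checking "Hosted zone details" in the console:
# get-hosted-zone lists the VPCs associated with a private hosted zone.
verify_association() {
  associated="$(aws route53 get-hosted-zone --id "$HOSTED_ZONE_ID" \
    --profile "$PROFILE_A" --region "$R53_REGION" \
    --query 'VPCs[].[VPCRegion,VPCId]' --output text)"
  vpc_in_list "$associated" "$VPC_REGION" "$VPC_ID"
}

main() {
  authorize_in_account_a
  echo "association status: $(associate_in_account_b)"
  delete_authorization_in_account_a
  if verify_association; then
    echo "$VPC_ID is associated with $HOSTED_ZONE_ID"
  else
    echo "$VPC_ID is not listed on $HOSTED_ZONE_ID yet" >&2
    return 1
  fi
}

# Only touch AWS when explicitly asked; otherwise run an offline self-check of
# the helper on constructed rows (not real AWS data).
if [ "${RUN_ROUTE53_ASSOCIATION:-0}" = "1" ]; then
  main
else
  SAMPLE_ROWS="$(printf 'us-east-1\tvpc-0aaa111\nus-west-2\tvpc-0bbb222')"
  if vpc_in_list "$SAMPLE_ROWS" us-west-2 vpc-0bbb222; then
    echo "offline check: vpc-0bbb222 found in constructed authorization list"
  fi
fi
```

Run it with RUN_ROUTE53_ASSOCIATION=1 and the three IDs set in the environment; without that variable it only exercises the parsing helper. Deleting the authorization after the association has been created does not remove the association itself, which is why the verification step still succeeds afterwards.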
Related information
Working with private hosted zones
Using identity-based policies (IAM policies) for Amazon Route 53