To share Snowflake connectivity from your central networking account to other VPCs in member accounts, you can follow these steps:
- Share the private hosted zone: You can use the AWS CLI, SDK, or R53 API to share the private hosted zone with the member accounts. This will allow the consumer VPCs to associate the private hosted zone and ultimately resolve the DNS names to the VPC endpoint (VPCE).
- Enable connectivity to the VPCE: Since you already have a Transit Gateway (TGW) in place connecting the central networking account and the member account VPCs, you likely already have connectivity to the VPCE from the member account. If not, it is just a matter of updating the routing.
- Configure security groups: Ensure that the security group associated with the VPCE in the central account allows inbound traffic from the CIDR ranges of the member account VPCs, or from more specific sources based on your requirements.
- Update DNS settings in member VPCs: In each member account VPC, make sure that DNS hostnames and DNS resolution are enabled to allow proper resolution of the Snowflake endpoints.
By implementing these steps, you'll enable the member account VPCs to resolve the Snowflake endpoints using the shared private hosted zone and route their traffic through the Transit Gateway to reach the VPCE in the central networking account.
This approach allows you to centralize and manage the Snowflake connectivity in one place while securely sharing it with other VPCs across your organization. It leverages your existing Transit Gateway setup for network connectivity, making efficient use of your current architecture.
Sources
Connecting to a private endpoint from a different VPC (including cross-account) - Neptune Analytics
AWS PrivateLink - Building a Scalable and Secure Multi-VPC AWS Network Infrastructure
Centralized access to VPC private endpoints - Building a Scalable and Secure Multi-VPC AWS Network Infrastructure
There was a mistake in the original form of the generated response. You aren't able to leverage RAM to share the private hosted zone across accounts. The correct procedure can be seen here: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-associate-vpcs-different-accounts.html. Route 53 Resolver Profiles can also be useful for managing this at scale: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/profiles.html
Haha I was just about to come back and post this but you were already here.
To see if I'm understanding correctly:
So Route 53 Profiles provide an easy way to share my private hosted zone? And the alternative would be associating to the VPCs directly cross-account? And they would probably have to accept or something like that? I'm sure there's a Terraform module for it.
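The direct cross-account association described in the correction above, as an added AWS CLI example that is not part of this thread or of the AWS documentation it links: the zone owner authorizes the member VPC, the member account then associates its VPC (that association is the "accept" step asked about), the authorization is revoked, and the member VPC's DNS settings and the resulting association are checked. The zone id, VPC id, region and the `central`/`member` profile names are placeholders; the security-group and Transit Gateway routing steps from the answer are not covered here.

```shell
# Added example (not from the thread): cross-account association of a Route 53 private
# hosted zone (PHZ) with a member VPC, per the AWS procedure linked above. Every id and
# profile name here is a placeholder to replace; set AWS=echo to print instead of execute.
set -eu
AWS="${AWS:-aws}"

# route53 <subcommand> --hosted-zone-id <zone> --vpc VPCRegion=<region>,VPCId=<vpc> --profile <p>
r53_vpc_call() {
  "$AWS" route53 "$1" --hosted-zone-id "$2" \
    --vpc "VPCRegion=$4,VPCId=$3" --profile "$5"
}

# Step 1 (zone-owner / central networking account): authorize the member VPC.
authorize_vpc()        { r53_vpc_call create-vpc-association-authorization "$@"; }
# Step 2 (member account): associate the VPC with the PHZ; this is the "accept" step.
associate_vpc()        { r53_vpc_call associate-vpc-with-hosted-zone "$@"; }
# Step 3 (zone-owner account): delete the authorization afterwards so it cannot be
# reused later; the existing association is unaffected.
revoke_authorization() { r53_vpc_call delete-vpc-association-authorization "$@"; }

# Step 4 (member account): without DNS resolution and DNS hostnames enabled on the VPC,
# the shared PHZ is never consulted for the Snowflake names.
enable_vpc_dns() {
  for attr in enable-dns-support enable-dns-hostnames; do
    "$AWS" ec2 modify-vpc-attribute --vpc-id "$1" --"$attr" '{"Value":true}' \
      --region "$2" --profile "$3"
  done
}

# Check (member account): prints the zone id once the PHZ is associated with the VPC.
verify_association() {
  "$AWS" route53 list-hosted-zones-by-vpc --vpc-id "$2" --vpc-region "$3" \
    --query "HostedZoneSummaries[?HostedZoneId=='$1'].HostedZoneId" \
    --output text --profile "$4"
}

# Usage: sh share_phz.sh <zone-id> <member-vpc-id> <region> <owner-profile> <member-profile>
if [ "$#" -eq 5 ]; then
  authorize_vpc "$1" "$2" "$3" "$4"
  associate_vpc "$1" "$2" "$3" "$5"
  revoke_authorization "$1" "$2" "$3" "$4"
  enable_vpc_dns "$2" "$3" "$5"
  verify_association "$1" "$2" "$3" "$5"
fi
```

Run the owner-side calls with credentials for the zone-owning account and the member-side calls with the member account's credentials; the VPC region must match the region the member VPC lives in.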
Okay, so what I'm getting is the following:
Am I missing something then? Or does this seem about right?