Route 53 - configuring Private Zone association and Route 53 Resolver to resolve private zones across multiple accounts



I am trying to build a simple network to interconnect three accounts DEV, PROD, and Shared. The shared account has the VPN endpoint and from there I want to connect to all other accounts. The problem is the DNS resolution of Private Zones.

I have followed the manual on

1. aws route53 create-vpc-association-authorization --hosted-zone-id {} --vpc {} ...

2. aws route53 associate-vpc-with-hosted-zone --hosted-zone-id {} --vpc {} ..

but still, I do not see the Private Zone from the other accounts in the Shared account.
I can only see that the association was successful when I try to add one of the associated domain names to the Shared account, at which point I get:

(ConflictingDomainExists 400: The VPC ... in the region ... has already been associated with the hosted zone ... with the same domain name.)

I have also tried to set up Route 53 Resolver: an inbound endpoint in one account, and a rule plus an outbound endpoint in the Shared account, but I am still not able to resolve private DNS names from the other accounts. I do get a response for the DNS records from the inbound IP addresses when I specifically pass one of them to the dig command as the DNS server. The outbound addresses in the SHARED account subnets are reachable on any TCP/UDP port.

The accounts are interconnected through Transit Gateway.

Could you please advise what I am doing wrong?

Thank you!

asked 2 years ago, 1335 views
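Added example, not part of the original post: the two commands from the question plus the checks that tell whether the association actually took, written as a dry-run shell script. The `--vpc` argument uses the CLI's `VPCRegion=...,VPCId=...` shorthand, which the question elides. The profile names `dev` and `shared`, the zone and VPC IDs, the domain `dev.internal`, and the `10.0.0.2` resolver address (the Shared VPC's CIDR base plus two, assuming 10.0.0.0/16) are all placeholders.

```shell
#!/usr/bin/env sh
# Added example: cross-account Private Hosted Zone (PHZ) association as a
# checklist. Steps 1 and 3 run with credentials for the account that OWNS the
# hosted zone (DEV or PROD); step 2 and the checks run with credentials for the
# account that OWNS the VPC (Shared). All IDs, profiles and addresses below are
# placeholders, not values from the original post.
set -eu

# DRY_RUN=1 (the default) prints each command instead of running it, so the
# whole sequence can be reviewed before it touches real accounts.
DRY_RUN="${DRY_RUN:-1}"
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1, zone-owner account: authorize the other account's VPC for this zone.
authorize_vpc() { # zone_id vpc_id vpc_region zone_owner_profile
  run aws route53 create-vpc-association-authorization \
    --hosted-zone-id "$1" --vpc "VPCRegion=$3,VPCId=$2" --profile "$4"
}

# Step 2, VPC-owner account: the association itself is made from the VPC's side.
associate_vpc() { # zone_id vpc_id vpc_region vpc_owner_profile
  run aws route53 associate-vpc-with-hosted-zone \
    --hosted-zone-id "$1" --vpc "VPCRegion=$3,VPCId=$2" --profile "$4"
}

# Step 3, zone-owner account: the authorization is only needed until step 2 has
# run; AWS recommends deleting it once the association exists.
revoke_authorization() { # zone_id vpc_id vpc_region zone_owner_profile
  run aws route53 delete-vpc-association-authorization \
    --hosted-zone-id "$1" --vpc "VPCRegion=$3,VPCId=$2" --profile "$4"
}

# Check, VPC-owner account: every zone associated with the VPC, including zones
# owned by other accounts. A zone that does not show up here is not associated.
zones_for_vpc() { # vpc_id vpc_region vpc_owner_profile
  run aws route53 list-hosted-zones-by-vpc \
    --vpc-id "$1" --vpc-region "$2" --profile "$3"
}

# Check from a host inside the Shared VPC: ask the VPC's own Route 53 Resolver
# (VPC CIDR base address plus two), which is the resolver that applies
# associated PHZs. A name that resolves here but not from the VPN client points
# at the client's DNS server setting rather than at the association.
resolve_via_vpc_resolver() { # vpc_resolver_ip name
  run dig +short "@$1" "$2"
}

# Walk the sequence for one zone when invoked as: ./phz-assoc.sh demo
if [ "$#" -ge 1 ] && [ "$1" = "demo" ]; then
  ZONE=Z0123456789EXAMPLE      # PHZ for dev.internal owned by DEV (placeholder)
  VPC=vpc-0123456789abcdef0    # VPC in the Shared account (placeholder)
  REGION=eu-west-1
  authorize_vpc "$ZONE" "$VPC" "$REGION" dev
  associate_vpc "$ZONE" "$VPC" "$REGION" shared
  revoke_authorization "$ZONE" "$VPC" "$REGION" dev
  zones_for_vpc "$VPC" "$REGION" shared
  resolve_via_vpc_resolver 10.0.0.2 db.dev.internal   # assumes Shared VPC is 10.0.0.0/16
fi
```

Run with `DRY_RUN=0 ./phz-assoc.sh demo` to execute for real; the `--profile` on each call is what enforces that step 1 and step 2 are issued from different accounts, which is the part that is easy to get wrong when both are run from one terminal.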
1 Answer

Hi, you can use this CLI command to see PHZs that have been shared with a VPC in your account from another account:

aws route53 list-hosted-zones-by-vpc --vpc-id vpc-xxxxxxxx --vpc-region xxxxxx

What are you using the PHZ for? Note that a PHZ is an override of resolution for the specified domain; it and its subdomains will be resolved as per records in the PHZ instead of via the usual DNS servers. So an EC2 instance in your DEV VPC for example should see that domain resolved as defined in the PHZ.

Resolver Endpoints are a bit different in that you're delegating a domain to be resolved somewhere rather than overriding its resolution with specific records. The two are for different use cases; I saw you mention VPN so you might want Resolver Endpoints for hybrid DNS resolution across on-prem and AWS.

If you happen to be using PHZs for sharing VPC Endpoints, this article might help - .

answered 2 years ago
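Added example, not part of the answer above: the forwarding half of the setup the question describes, which is what the answer calls delegating a domain to be resolved elsewhere rather than overriding it with a PHZ. A FORWARD rule in the Shared account sends queries for `dev.internal` through the outbound endpoint to the inbound endpoint in a DEV VPC; that inbound endpoint answers from the PHZ only because its own VPC is associated with the zone. The endpoint IDs, rule ID, inbound ENI addresses, domain and profile name are placeholders.

```shell
#!/usr/bin/env sh
# Added example: Route 53 Resolver forwarding rule for a domain owned by
# another account's PHZ. Runs in the Shared account. IDs, IPs, the domain and
# the profile are placeholders, not values from the original thread.
set -eu

DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# A FORWARD rule sends queries for the domain and its subdomains out through the
# outbound endpoint to the inbound endpoint's ENI addresses on port 53.
# --creator-request-id is an idempotency token; pass a fixed value per rule so a
# retried run does not create a second, identical rule.
create_forward_rule() { # request_id domain outbound_endpoint_id inbound_ip1 inbound_ip2 profile
  run aws route53resolver create-resolver-rule \
    --creator-request-id "$1" --name "fwd-$2" --rule-type FORWARD \
    --domain-name "$2" --resolver-endpoint-id "$3" \
    --target-ips "Ip=$4,Port=53" "Ip=$5,Port=53" --profile "$6"
}

# A rule does nothing until it is associated with the VPC whose resolver should
# apply it; a rule that exists but is associated with no VPC is a common gap.
associate_rule() { # rule_id vpc_id profile
  run aws route53resolver associate-resolver-rule \
    --resolver-rule-id "$1" --vpc-id "$2" --profile "$3"
}

# Two queries that separate "the inbound side can answer" from "the rule is in
# use". Asking an inbound ENI directly (the dig from the question) proves the
# DEV VPC is associated with the PHZ and port 53 is open from this host. Asking
# the Shared VPC's own resolver proves the rule is associated with this VPC and
# the outbound endpoint can reach the inbound ENIs, which also requires the
# inbound endpoint's security group to allow UDP and TCP 53 from the outbound
# endpoint's ENIs across the Transit Gateway.
query_dns() { # server_ip name
  run dig +short "@$1" "$2"
}

if [ "$#" -ge 1 ] && [ "$1" = "demo" ]; then
  create_forward_rule fwd-dev-internal-1 dev.internal rslvr-out-0123456789abcdef0 \
    10.1.0.10 10.1.1.10 shared
  associate_rule rslvr-rr-0123456789abcdef0 vpc-0123456789abcdef0 shared
  query_dns 10.1.0.10 db.dev.internal   # inbound ENI in DEV, direct
  query_dns 10.0.0.2  db.dev.internal   # Shared VPC resolver, through the rule
fi
```

Run with `DRY_RUN=0` to execute; `create-resolver-rule` returns the rule ID that `associate_rule` needs, so in a real run read it from the first command's JSON output before calling the second.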
