We have about 30 AWS accounts at this point (application, development, devops, shared services, sandboxes) and we are using AWS Control Towers tied into AWS SSO. We have recently created a designated networking account where we host the STNO solution and have decided this will be our centralized network traffic solution for all of our business needs.
We are trying to figure out what the best practices are for managing DNS, private DNS zones in particular at scale. With using a central networking account, we can see the appeal of having all private zones in a single account so that we can get a complete picture of and monitor/manage the entire organization, but is this the current best practice?
Will centralizing our private zones create problems for individual teams? For example, we want to give our Devs the ability to manage their private zone (dev.company.com) without allowing them to edit other zones. Is this possible with cross-account, centralized, private zones?
Should we even allow our dev teams to manage their own private zone? If not, what is the current best practice for managing private zones within an org?
Just hoping to get an idea of how other companies are managing this, what worked for previous clients, what didn't.