Access Route53 private zones cross account

Using Route53 private zones can be a great way to maintain a private internal zone for your server infrastructure. However sometimes you may need to share this zone with another VPC in the same or in another AWS account.

The first situation is easy – a Route53 zone can be associated with any number of VPCs within a single AWS account using the AWS console.

The second is more tricky but is doable by creating a VPC association authorization request in the account with the zone, then accepting it from the other account.

# Run against the account with the zone to be shared.
aws route53 \
create-vpc-association-authorization \
--hosted-zone-id abc123 \
--vpc VPCRegion=us-east-1,VPCId=vpc-xyz123 

# Run against the account that needs access to the private zone.
aws route53 \
associate-vpc-with-hosted-zone \
--hosted-zone-id abc123 \
--vpc VPCRegion=us-east-1,VPCId=vpc-xyz123 \
--comment "Example Internal DNS Zone"

# List authori(z|s)ations once done
aws route53 \
list-vpc-association-authorizations \
--hosted-zone-id abc123

This doesn’t even require VPC peering, since the association works behind the scenes: the zone becomes resolvable via the default VPC DNS resolver in each VPC that has been associated with it.
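As an added example (not part of the original post), the following script runs the two-account procedure above end to end using named CLI profiles, confirms from the zone-owning account that the VPC now shows up on the zone, and then deletes the standing authorization, which AWS documents as not affecting an association that has already been made. The profile names, hosted zone id and VPC id are placeholders.

```bash
#!/usr/bin/env bash
# Added example: cross-account private zone association with verification and cleanup.
# Profile names, zone id and VPC id below are placeholders (assumptions), not real values.
set -euo pipefail

ZONE_ACCOUNT_PROFILE="${ZONE_ACCOUNT_PROFILE:-zone-owner}"  # account that owns the hosted zone
VPC_ACCOUNT_PROFILE="${VPC_ACCOUNT_PROFILE:-vpc-owner}"     # account that owns the VPC
HOSTED_ZONE_ID="${HOSTED_ZONE_ID:-ZPLACEHOLDER}"
VPC_REGION="${VPC_REGION:-us-east-1}"
VPC_ID="${VPC_ID:-vpc-placeholder}"

# Reads a whitespace-separated list of VPC ids on stdin (the shape produced by
# `aws route53 get-hosted-zone --query 'VPCs[].VPCId' --output text`) and
# returns 0 only if the requested id is present as an exact match.
vpc_is_associated() {
  local vpc_id="$1"
  tr '[:space:]' '\n' | grep -qx "$vpc_id"
}

share_zone() {
  local vpc_arg="VPCRegion=${VPC_REGION},VPCId=${VPC_ID}"

  # 1. Zone account grants authorization for this one specific VPC.
  aws --profile "$ZONE_ACCOUNT_PROFILE" route53 create-vpc-association-authorization \
    --hosted-zone-id "$HOSTED_ZONE_ID" --vpc "$vpc_arg" >/dev/null

  # 2. VPC account accepts by associating its VPC with the zone.
  aws --profile "$VPC_ACCOUNT_PROFILE" route53 associate-vpc-with-hosted-zone \
    --hosted-zone-id "$HOSTED_ZONE_ID" --vpc "$vpc_arg" \
    --comment "Cross-account association of ${VPC_ID}" >/dev/null

  # 3. Verify from the zone account that the VPC is now listed on the zone.
  if ! aws --profile "$ZONE_ACCOUNT_PROFILE" route53 get-hosted-zone \
        --id "$HOSTED_ZONE_ID" --query 'VPCs[].VPCId' --output text \
      | vpc_is_associated "$VPC_ID"; then
    echo "association of ${VPC_ID} not visible on zone ${HOSTED_ZONE_ID}" >&2
    return 1
  fi

  # 4. Remove the standing authorization. The existing association is kept, but
  #    the other account can no longer re-associate this VPC without a new grant.
  aws --profile "$ZONE_ACCOUNT_PROFILE" route53 delete-vpc-association-authorization \
    --hosted-zone-id "$HOSTED_ZONE_ID" --vpc "$vpc_arg"
}

# Only perform the AWS calls when invoked as `./share-zone.sh run`; sourcing the
# file just defines the functions.
if [ "${1:-}" = "run" ]; then
  share_zone
fi
```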

The one catch is that this does not help you if you’re linking to a non-AWS VPC environment, such as an on-prem data centre via IPSec VPN or Direct Connect. Even though you can route to the VPC and the systems inside it, the AWS DNS resolver for the VPC will refuse requests from IP space outside of the VPC itself.

So the only option is to have an EC2 instance acting as a DNS forwarder inside the VPC: it is reachable from the linked data centre and, because it sits inside the VPC, it can use the VPC resolver.


3 Responses to Access Route53 private zones cross account

  1. hanzhimeng says:

    Speaking of AWS, I’ve been trying to use CodePipeline and CodeDeploy to deploy a new version on an EC2 server.

    But I am having problems with existing files. I searched around for a bit and found there’s this --file-exists-behavior option I can use with the CLI or console. Is there any way I can set this option using CodePipeline?

  2. Dino Vitale says:

    Curious if another approach is a more centralized model (instead of associations) where all the private hosted zones are created in one account (Acct X) and cross-account permission is then granted to a role/user in the other account so that additional records can be added by Acct Y. Is this feasible?

    • Jethro Carr says:

      The association stuff in this blog post relates only to being able to do DNS queries against a private zone. The model you propose would still require this for each account that needs to be able to resolve the private DNS records, but you’d also need (as you suggest) cross account permissions to allow users/roles in another account to manage the private zones.
