AWS/Route53 private zone associate with other account

From Ever changing code

If EC2 instances in a VPC that belongs to a different AWS account need to resolve records in a private hosted zone, the zone owner (account 'A') must first authorize that specific VPC, and the VPC owner (account 'B') must then perform the association itself; neither account can do both steps, and the cross-account steps are only available through the CLI, API or SDKs, not the console. The VPC in account 'B' also needs enableDnsSupport and enableDnsHostnames enabled, otherwise the private zone is not consulted at all. Once associated, every record in the zone is resolvable from that VPC, so authorize only the VPCs that really need it.

```bash
# In account 'A', where the private zone is hosted
aws route53 list-hosted-zones
    {
      "Id": "/hostedzone/Z01111111RWDJEEXAMPLE",
      "Name": "acme.private.",
      "CallerReference": "PrivateDN-HostedZo-S11QC11ELX11",
      "Config": {
        "Comment": "acme.private - private DNS zone not accessible from the internet",
        "PrivateZone": true
      },

# Still in account 'A': authorize account B's VPC (one VPC per call; region and id must both match)
VPCID_ACCOUNT_B=vpc-11111111
aws route53 create-vpc-association-authorization --hosted-zone-id <hosted-zone-id> --vpc VPCRegion=<region>,VPCId=<vpc-id>
aws route53 create-vpc-association-authorization --hosted-zone-id Z01111111RWDJEEXAMPLE --vpc VPCRegion=eu-west-1,VPCId=$VPCID_ACCOUNT_B
{
    "HostedZoneId": "Z01111111RWDJEEXAMPLE",
    "VPC": {
        "VPCRegion": "eu-west-1",
        "VPCId": "vpc-11111111"
    }
}

# In account 'B', which owns the VPC whose EC2 instances need to resolve the zone.
# This call must be made with account B credentials; account A cannot associate a VPC it does not own.
aws route53 associate-vpc-with-hosted-zone --hosted-zone-id <hosted-zone-id> --vpc VPCRegion=<region>,VPCId=<vpc-id>
aws route53 associate-vpc-with-hosted-zone --hosted-zone-id Z01111111RWDJEEXAMPLE --vpc VPCRegion=eu-west-1,VPCId=vpc-11111111
{
    "ChangeInfo": {
        "Id": "/change/C011111111XJESOAZRMKM",
        "Status": "PENDING",
        "SubmittedAt": "2020-09-11T13:59:34.280Z",
        "Comment": ""
    }
}

# In account 'A', delete the association authorization once the association exists.
# Optional but good practice: the existing association keeps working, and account B
# can no longer re-associate the VPC later (e.g. after a disassociation) without a fresh authorization.
aws route53 list-vpc-association-authorizations --hosted-zone-id Z01111111RWDJEEXAMPLE --output text
Z01111111RWDJEEXAMPLE
VPCS	vpc-11111111	eu-west-1

aws route53 delete-vpc-association-authorization --hosted-zone-id Z01111111RWDJEEXAMPLE --vpc VPCRegion=eu-west-1,VPCId=vpc-11111111
# -> no output
```
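The same three steps as one script, added here as an example and not code from the original page. It assumes two AWS CLI profiles that are invented for the example, zone-owner (account 'A') and vpc-owner (account 'B'), and adds what the manual steps above skip: a format check on the VPC id before authorizing it, a check that the VPC in account B has both DNS attributes enabled, a skip of the authorization when it already exists, and polling of the change until it is INSYNC before the authorization is revoked. The two parsing helpers work on text like the output shown above, so they can be exercised without AWS access.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). Profile names are assumptions.
set -eu

ZONE_ID="${ZONE_ID:-Z01111111RWDJEEXAMPLE}"
VPC_ID="${VPC_ID:-vpc-11111111}"
VPC_REGION="${VPC_REGION:-eu-west-1}"
PROFILE_A="${PROFILE_A:-zone-owner}"   # account A: owns the hosted zone (assumed profile name)
PROFILE_B="${PROFILE_B:-vpc-owner}"    # account B: owns the VPC (assumed profile name)

# Accept only the two VPC id formats (8 or 17 hex digits), so a typo or a
# pasted "vpc-id region" string cannot authorize something unintended.
valid_vpc_id() {
  printf '%s' "$1" | grep -Eq '^vpc-([0-9a-f]{8}|[0-9a-f]{17})$'
}

# Parse the --output text form of list-vpc-association-authorizations
# (one "VPCS<TAB>vpc-id<TAB>region" line per authorized VPC, as shown above)
# and succeed only if the exact VPC/region pair is present.
vpc_authorized() {  # $1 = listing text, $2 = vpc id, $3 = region
  printf '%s\n' "$1" | awk -F'\t' -v id="$2" -v reg="$3" \
    '$1 == "VPCS" && $2 == id && $3 == reg { found = 1 } END { exit !found }'
}

# Account B: a private hosted zone is only consulted when both VPC DNS
# attributes are enabled, so fail early instead of debugging NXDOMAIN later.
vpc_attr_enabled() {  # $1 = attribute name, $2 = its key in the response
  [ "$(aws ec2 describe-vpc-attribute --profile "$PROFILE_B" --region "$VPC_REGION" \
        --vpc-id "$VPC_ID" --attribute "$1" --query "$2.Value" --output text)" = "True" ]
}
check_vpc_dns() {
  vpc_attr_enabled enableDnsSupport EnableDnsSupport &&
  vpc_attr_enabled enableDnsHostnames EnableDnsHostnames
}

# Account A: is this VPC already authorized for the zone?
already_authorized() {
  vpc_authorized "$(aws route53 list-vpc-association-authorizations --profile "$PROFILE_A" \
    --hosted-zone-id "$ZONE_ID" --output text)" "$VPC_ID" "$VPC_REGION"
}

# Account A: authorize exactly this VPC in exactly this region.
authorize_vpc() {
  aws route53 create-vpc-association-authorization --profile "$PROFILE_A" \
    --hosted-zone-id "$ZONE_ID" --vpc "VPCRegion=$VPC_REGION,VPCId=$VPC_ID" >/dev/null
}

# Account B: associate the VPC; prints the change id to poll.
associate_vpc() {
  aws route53 associate-vpc-with-hosted-zone --profile "$PROFILE_B" \
    --hosted-zone-id "$ZONE_ID" --vpc "VPCRegion=$VPC_REGION,VPCId=$VPC_ID" \
    --query 'ChangeInfo.Id' --output text
}

# Poll the change (with the credentials that submitted it) until INSYNC.
wait_insync() {  # $1 = change id
  i=0
  while [ "$i" -lt 30 ]; do
    status=$(aws route53 get-change --profile "$PROFILE_B" --id "$1" \
      --query 'ChangeInfo.Status' --output text)
    [ "$status" = "INSYNC" ] && return 0
    i=$((i + 1)); sleep 10
  done
  echo "change $1 still PENDING after 5 minutes" >&2
  return 1
}

# Account A: revoke the authorization. The association survives; a future
# re-association of the same VPC would need a new authorization.
revoke_authorization() {
  aws route53 delete-vpc-association-authorization --profile "$PROFILE_A" \
    --hosted-zone-id "$ZONE_ID" --vpc "VPCRegion=$VPC_REGION,VPCId=$VPC_ID"
}

main() {
  valid_vpc_id "$VPC_ID" || { echo "refusing malformed VPC id '$VPC_ID'" >&2; return 2; }
  check_vpc_dns || { echo "$VPC_ID needs enableDnsSupport and enableDnsHostnames" >&2; return 2; }
  already_authorized || authorize_vpc
  change=$(associate_vpc)
  wait_insync "$change"
  revoke_authorization
  # Show which VPCs the zone is now associated with (account A's view).
  aws route53 get-hosted-zone --profile "$PROFILE_A" --id "$ZONE_ID" --query 'VPCs' --output text
}

# Touches AWS only when invoked as: ./share-zone.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `./share-zone.sh run` with both profiles configured. The order matters: revoking the authorization before the association is INSYNC would leave account B unable to retry, which is why the script waits first.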
