Cross-Account Route 53 Private Hosted Zone Implementation Guide

Prerequisites

  • Credentials in both accounts with Route 53 permissions on the hosted zone (full admin is not required; see Security Considerations)

  • VPC ID and region of the VPC in Account B (the VPC must have DNS resolution and DNS hostnames enabled)

  • ID of the private hosted zone in Account A

  • AWS CLI configured with a profile for each account

Implementation Steps

1. Account A - Create Authorization

# Get Hosted Zone ID
aws route53 list-hosted-zones --profile account-a

# Create Authorization
aws route53 create-vpc-association-authorization \
    --hosted-zone-id <HOSTED_ZONE_ID> \
    --vpc VPCRegion=us-east-1,VPCId=<VPC_ID> \
    --profile account-a

2. Account B - Create Association

# Associate VPC with Hosted Zone
aws route53 associate-vpc-with-hosted-zone \
    --hosted-zone-id <HOSTED_ZONE_ID> \
    --vpc VPCRegion=us-east-1,VPCId=<VPC_ID> \
    --profile account-b

3. Account A - Clean Up Authorization

Once the association in Account B succeeds, delete the authorization with delete-vpc-association-authorization (same --hosted-zone-id and --vpc arguments, run with the account-a profile). The association itself is unaffected; the authorization is only needed to create it, and leaving it in place lets Account B re-associate the VPC at any time.
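The three steps above as one script, added here as a worked example; it is not code from the original guide. It assumes AWS CLI profiles named account-a (zone owner) and account-b (VPC owner), as in the commands above, and takes the hosted zone ID, VPC ID and VPC region as arguments. It also covers the "Check VPC Associations" verification by querying the zone's VPC list before declaring success, and revokes the authorization on the failure path as well, so an open authorization never outlives the operation.

```shell
#!/bin/sh
# Cross-account Route 53 private hosted zone association, end to end.
# Added example, not code from the original guide. Assumes AWS CLI profiles
# "account-a" (owns the private hosted zone) and "account-b" (owns the VPC).
set -eu

ZONE_PROFILE="${ZONE_PROFILE:-account-a}"
VPC_PROFILE="${VPC_PROFILE:-account-b}"

# Step 1 (Account A): authorize the VPC in Account B to associate with the zone.
# Arguments: hosted zone ID, VPC ID, VPC region.
authorize_vpc() {
  aws route53 create-vpc-association-authorization \
    --hosted-zone-id "$1" \
    --vpc "VPCRegion=$3,VPCId=$2" \
    --profile "$ZONE_PROFILE" --output text >/dev/null
}

# Step 2 (Account B): perform the association from the VPC owner's side.
associate_vpc() {
  aws route53 associate-vpc-with-hosted-zone \
    --hosted-zone-id "$1" \
    --vpc "VPCRegion=$3,VPCId=$2" \
    --profile "$VPC_PROFILE" --output text >/dev/null
}

# Check (Account A): the zone's VPC list must now contain the VPC.
# The JMESPath filter prints the matching VPC ID; empty or "None" means absent.
vpc_is_associated() {
  out=$(aws route53 get-hosted-zone \
    --hosted-zone-id "$1" \
    --query "VPCs[?VPCId=='$2'].VPCId" \
    --output text \
    --profile "$ZONE_PROFILE")
  [ -n "$out" ] && [ "$out" != "None" ]
}

# Step 3 (Account A): delete the authorization. The association survives this;
# only the standing permission to create new associations is removed.
revoke_authorization() {
  aws route53 delete-vpc-association-authorization \
    --hosted-zone-id "$1" \
    --vpc "VPCRegion=$3,VPCId=$2" \
    --profile "$ZONE_PROFILE" --output text >/dev/null
}

# Whole procedure. The authorization is revoked on every path, including a
# failed association. Returns 0 only if the VPC is listed on the zone afterwards.
associate_cross_account() {
  zone="$1"; vpc="$2"; region="$3"
  authorize_vpc "$zone" "$vpc" "$region"
  if ! associate_vpc "$zone" "$vpc" "$region"; then
    revoke_authorization "$zone" "$vpc" "$region"
    echo "associate-vpc-with-hosted-zone failed; authorization revoked" >&2
    return 1
  fi
  revoke_authorization "$zone" "$vpc" "$region"
  if ! vpc_is_associated "$zone" "$vpc"; then
    echo "$vpc is not listed on $zone after association" >&2
    return 1
  fi
  echo "associated $vpc ($region) with $zone; authorization removed"
}

# Usage (file name is illustrative):
#   sh cross-account-phz.sh <HOSTED_ZONE_ID> <VPC_ID> <VPC_REGION>
if [ "$#" -eq 3 ]; then
  associate_cross_account "$1" "$2" "$3"
fi
```

The authorization is revoked before the association is verified, so even a verification failure cannot leave Account B with a standing permission to associate; re-running the script simply re-authorizes for the duration of the next attempt.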

CloudFormation Implementation

Account A Template

Account B Template

Verification Steps

  1. Test DNS Resolution: from an instance in the Account B VPC, query a name that exists only in the private hosted zone (with dig or nslookup) against the VPC's default resolver. An answer from the zone confirms the association is in effect; NXDOMAIN or a public answer means it is not, or the VPC's DNS attributes are off.

  2. Check VPC Associations: in Account A, get-hosted-zone for the zone lists every associated VPC with its region; in Account B, list-hosted-zones-by-vpc with the VPC ID and region shows the zone from the VPC side.

Troubleshooting

  1. DNS Resolution Issues:

    • Verify the DHCP options set: clients must use the VPC resolver (AmazonProvidedDNS); a custom DNS server only sees the private zone if it forwards to the VPC resolver

    • Security groups and NACLs are only involved when the DHCP options set points clients at a custom DNS server instead of the VPC resolver

    • Confirm the VPC attributes enableDnsSupport and enableDnsHostnames are both true; private hosted zones require both

  2. Authorization Issues:

    • Verify IAM permissions: Account A needs route53:CreateVPCAssociationAuthorization on the hosted zone, Account B needs route53:AssociateVPCWithHostedZone on the same zone plus ec2:DescribeVpcs

    • Check that the profiles are not swapped: the authorization is created in the zone owner's account and the association is made from the VPC owner's account

    • Confirm the VPC ID and region in the association match the authorization exactly; a mismatch is reported as not authorized

  3. Association Issues:

    • Service quotas on VPC associations per hosted zone and on hosted zones per VPC; check the current Route 53 quotas before adding many associations

    • Region: the VPCRegion value must be the region the VPC actually lives in; the hosted zone itself is global and can be associated with VPCs in any region

    • VPC DNS settings: the association call fails if enableDnsSupport or enableDnsHostnames is false

    • ConflictingDomainExists: a VPC cannot be associated with two private hosted zones that have the same name

Security Considerations

  1. IAM Policies: scope both sides to the single hosted zone ARN (arn:aws:route53:::hostedzone/<HOSTED_ZONE_ID>) instead of granting route53:* on *, and keep the delete-authorization permission with the zone owner only
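Least-privilege policies for the two sides, added here as an example (not from the original guide). The two policies are wrapped in one JSON document for reading; each value is a complete policy. <HOSTED_ZONE_ID> is a placeholder. The Describe/List actions cannot be scoped to a resource, so they use "*"; if the operator also needs the list-hosted-zones lookup from step 1, add route53:ListHostedZones on "*" to the Account A policy.

```json
{
  "AccountA_ZoneOwner": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AuthorizationsOnOneZoneOnly",
        "Effect": "Allow",
        "Action": [
          "route53:CreateVPCAssociationAuthorization",
          "route53:DeleteVPCAssociationAuthorization",
          "route53:ListVPCAssociationAuthorizations",
          "route53:GetHostedZone"
        ],
        "Resource": "arn:aws:route53:::hostedzone/<HOSTED_ZONE_ID>"
      }
    ]
  },
  "AccountB_VpcOwner": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AssociateWithOneZoneOnly",
        "Effect": "Allow",
        "Action": "route53:AssociateVPCWithHostedZone",
        "Resource": "arn:aws:route53:::hostedzone/<HOSTED_ZONE_ID>"
      },
      {
        "Sid": "DescribeAndListNeededByAssociate",
        "Effect": "Allow",
        "Action": [
          "ec2:DescribeVpcs",
          "route53:ListHostedZonesByVPC"
        ],
        "Resource": "*"
      }
    ]
  }
}
```

The Account B policy deliberately omits the authorization actions: the VPC owner can only associate with zones whose owner has explicitly authorized that VPC, and only with the one zone named in the policy.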

  2. Network Access

    • Enable DNS resolution (enableDnsSupport) on the Account B VPC

    • Enable DNS hostnames (enableDnsHostnames) on the Account B VPC; private hosted zones require both attributes

    • NACL and security group rules matter only if the DHCP options set points clients at a custom DNS server rather than the VPC resolver; in that case allow UDP and TCP 53 to that server

Monitoring

  1. CloudWatch and Resolver query logging

    • DNS queries: enable Route 53 Resolver query logging for the Account B VPC (to CloudWatch Logs, S3 or Kinesis Data Firehose); each record shows the query name, source address and which private hosted zone answered, which is the only per-query view of a private zone

    • Resolution success rates: derive from the rcode field of those logs (NOERROR versus NXDOMAIN/SERVFAIL), for example with a CloudWatch Logs Insights query

  2. CloudTrail Logs

    • API activity: CreateVPCAssociationAuthorization and DeleteVPCAssociationAuthorization appear in Account A's trail, AssociateVPCWithHostedZone in Account B's

    • Authorization changes: alert on CreateVPCAssociationAuthorization events that are not followed by a DeleteVPCAssociationAuthorization, since an open authorization lets the other account associate at will

Cost Considerations

  • Route 53 hosted zone charges

  • DNS query charges

  • Data transfer costs

Best Practices

  1. Clean up authorizations as soon as the association succeeds; an open authorization lets the VPC owner re-associate at any time

  2. Use infrastructure as code so the authorization, association and cleanup are repeatable and reviewed as one change

  3. Implement proper monitoring: alert on the Route 53 authorization and association API calls in CloudTrail

  4. Document VPC associations, including which account owns each VPC, so stale associations can be removed with disassociate-vpc-from-hosted-zone

  5. Test regularly, from inside the associated VPC, that names in the zone still resolve
