How do I associate a Route 53 private hosted zone with a VPC on a different AWS account?

4 minute read
1

I want to associate my Amazon Route 53 private hosted zone with a virtual private cloud (VPC) that belongs to a different AWS account.

Resolution

In the following resolution, use one of these options to run the commands:

Note: You can also use the AWS SDK or Route 53 API for this process.

1.    Connect to an EC2 instance in Account A.

2.    If using the AWS CLI, then run the following command to update the AWS CLI version. Configure the AWS CLI to use the credentials of an AWS Identity and Access Management (IAM) user that has Route 53 access.

pip3 install awscli --upgrade --user

3.    In the EC2 instance in Account A, run the following command to list the available hosted zones. Note the hosted zone ID in Account A that you want to associate with Account B.

aws route53 list-hosted-zones

4.    In the EC2 instance in Account A, run the following command. The command output lists the VPCs from other accounts that you can associate with your private hosted zone. The accounts listed in the command output are those accounts that you submitted one or more CreateVPCAssociationAuthorization requests for.

aws route53 list-vpc-association-authorizations --hosted-zone-id <hosted-zone-id>

Note: If the VPC in Account B doesn't appear in the VPC association authorizations list, then proceed to step 5. If it does appear in the list, then proceed to step 6.

5.    In the EC2 instance in Account A, run the following command. This command authorizes the association between the private hosted zone in Account A and the VPC in Account B. In the following command, use the hosted zone ID that you obtained in the previous step. Use the AWS Region and ID of the VPC in Account B.

Note: If one of the following scenarios is true, then use the --region in the command:

  • You're running the command from an EC2 instances in a different Region.
  • The user's credentials are associated with a Region other than us-east-1.
aws route53 create-vpc-association-authorization --hosted-zone-id <hosted-zone-id> --vpc VPCRegion=<region>,VPCId=<vpc-id> --region us-east-1

6.    Connect to an EC2 instance in Account B.

7.    In the EC2 instance in Account B, run the following command. This command creates the association between the private hosted zone in Account A and the VPC in Account B. Use the hosted zone ID from step 3. Use the Region and ID of the VPC in Account B.

Note: Use an IAM user or role that has AssociateVPCWithHostedZone and DescribeVpcs API permissions to run the following command in Account B.

aws route53 associate-vpc-with-hosted-zone --hosted-zone-id <hosted-zone-id> --vpc VPCRegion=<region>,VPCId=<vpc-id> --region us-east-1

Note: The sample output might show a status of PENDING. This occurs because the VPC can't use the private hosted zone to perform DNS resolution. It might take a few minutes for the private hosted zone to associate with the VPC and for the changes to propagate./p>

8.    It's a best practice to delete the association authorization after you create the association. This step prevents you from recreating the same association later. To delete the authorization, reconnect to the EC2 instance in Account A. Then, run the following command:

aws route53 delete-vpc-association-authorization --hosted-zone-id <hosted-zone-id>  --vpc VPCRegion=<region>,VPCId=<vpc-id> --region us-east-1

9.    Complete the following steps to confirm VPC association to the private hosted zone:

Open the Route 53 console.

Select the private hosted zone domain name.

Verify the VPC ID of Account B Hosted zone details.

EC2 instances in the VPC from Account B can now resolve records in the private hosted zone in Account A.

Related information

Working with private hosted zones

AWS OFFICIAL
AWS OFFICIALUpdated a year ago