How do I associate a Route 53 private hosted zone with a VPC on a different AWS account?

Last updated: 2019-09-24

I want to associate my Amazon Route 53 private hosted zone with a virtual private cloud that belongs to a different AWS account. How can I do this?

Resolution

To associate a Route 53 private hosted zone in one AWS account (Account A) with a virtual private cloud that belongs to another AWS account (Account B), follow these steps using the AWS Command Line Interface (AWS CLI):

Note: You can also use the AWS SDK or Route 53 API for this procedure.

1.    Connect to an EC2 instance in Account A (or any host that has AWS CLI credentials for Account A).

2.    Run the following command to update the AWS CLI version. Be sure that the AWS CLI is configured to use the credentials of an IAM user or role in Account A that is allowed to call route53:ListHostedZones, route53:CreateVPCAssociationAuthorization and route53:DeleteVPCAssociationAuthorization on the hosted zone.

pip3 install awscli --upgrade --user

3.    Run this command to list the available hosted zones in Account A. Note the hosted zone ID in Account A that you will associate with Account B.

aws route53 list-hosted-zones

4.    Run the following command to authorize the association between the private hosted zone in Account A and the virtual private cloud in Account B. Use the hosted zone ID from the previous step, as well as the Region and ID of the virtual private cloud in Account B.

aws route53 create-vpc-association-authorization --hosted-zone-id <hosted-zone-id> --vpc VPCRegion=<region>,VPCId=<vpc-id>

5.    Connect to an EC2 instance in Account B (or any host that has AWS CLI credentials for Account B). The IAM user or role must be allowed to call route53:AssociateVPCWithHostedZone and ec2:DescribeVpcs, which Route 53 uses to look up the VPC.

6.    Run the following command to create the association between the private hosted zone in Account A and the virtual private cloud in Account B. Use the hosted zone ID from step #3, as well as the Region and ID of the virtual private cloud in Account B.

aws route53 associate-vpc-with-hosted-zone --hosted-zone-id <hosted-zone-id> --vpc VPCRegion=<region>,VPCId=<vpc-id>

7.    It's a best practice to delete the association authorization after the association is created. The authorization is a standing grant: as long as it exists, any principal in Account B that can call AssociateVPCWithHostedZone can re-create the association, for example after it has been deliberately removed. Deleting the authorization does not remove the association that already exists. To delete the authorization, reconnect to an EC2 instance in Account A. Then, run this command:

aws route53 delete-vpc-association-authorization --hosted-zone-id <hosted-zone-id> --vpc VPCRegion=<region>,VPCId=<vpc-id>

EC2 instances in the virtual private cloud from Account B can now resolve records in the private hosted zone in Account A, provided the VPC has the enableDnsSupport and enableDnsHostnames attributes set to true. To confirm the association, run aws route53 get-hosted-zone --id <hosted-zone-id> in Account A and check that the VPC from Account B appears in the VPCs list.
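The whole procedure above, driven from one shell using two named AWS CLI profiles instead of two EC2 instances, as an added example that is not part of the AWS article. It authorizes from the hosted-zone owner, associates from the VPC owner, verifies that the association is visible on the hosted zone before revoking the authorization, and refuses to revoke if the association cannot be seen. The profile names, the hosted zone ID, the VPC ID and the AWS variable (which lets you point the script at a wrapper or a stub) are assumptions.

```shell
#!/usr/bin/env bash
# Added example: cross-account private hosted zone association end to end.
# Assumes two CLI profiles (one for the zone owner, Account A, one for the VPC
# owner, Account B) are already configured. Not the AWS article's own code.
set -euo pipefail

# Command used for every call; override with AWS=... to wrap or stub the CLI.
AWS=${AWS:-aws}

# Account A: grant Account B's VPC permission to be associated with the zone.
phz_authorize() {
  local profile=$1 zone=$2 region=$3 vpc=$4
  "$AWS" --profile "$profile" route53 create-vpc-association-authorization \
    --hosted-zone-id "$zone" --vpc "VPCRegion=$region,VPCId=$vpc" >/dev/null
}

# Account B: consume the authorization and create the association.
phz_associate() {
  local profile=$1 zone=$2 region=$3 vpc=$4
  "$AWS" --profile "$profile" route53 associate-vpc-with-hosted-zone \
    --hosted-zone-id "$zone" --vpc "VPCRegion=$region,VPCId=$vpc" >/dev/null
}

# Account A: remove the standing grant so the VPC cannot be re-associated later.
phz_revoke() {
  local profile=$1 zone=$2 region=$3 vpc=$4
  "$AWS" --profile "$profile" route53 delete-vpc-association-authorization \
    --hosted-zone-id "$zone" --vpc "VPCRegion=$region,VPCId=$vpc" >/dev/null
}

# Prints the number of times (0 or 1) the VPC appears in the zone's VPC list.
# get-hosted-zone returns a VPCs array of {VPCRegion, VPCId} objects.
phz_is_associated() {
  local profile=$1 zone=$2 region=$3 vpc=$4
  "$AWS" --profile "$profile" route53 get-hosted-zone --id "$zone" \
    --query "VPCs[?VPCRegion=='$region' && VPCId=='$vpc'] | length(@)" \
    --output text
}

# Full sequence: authorize (A) -> associate (B) -> verify (A) -> revoke (A).
# Returns non-zero, and leaves the authorization in place, if the association
# is not visible on the zone after the associate call.
phz_cross_account_associate() {
  local owner_profile=$1 vpc_profile=$2 zone=$3 region=$4 vpc=$5
  phz_authorize "$owner_profile" "$zone" "$region" "$vpc"
  phz_associate "$vpc_profile" "$zone" "$region" "$vpc"
  if [ "$(phz_is_associated "$owner_profile" "$zone" "$region" "$vpc")" != "1" ]; then
    echo "VPC $vpc is not listed on hosted zone $zone; authorization kept" >&2
    return 1
  fi
  phz_revoke "$owner_profile" "$zone" "$region" "$vpc"
}

# Usage: ./phz-associate.sh <owner-profile> <vpc-profile> <hosted-zone-id> <region> <vpc-id>
if [ $# -eq 5 ]; then
  phz_cross_account_associate "$@"
fi
```

Running the verification under the owner profile before revoking matters because delete-vpc-association-authorization succeeds whether or not the association was ever created; checking first avoids silently ending up with neither an association nor a grant.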