Introduction
Amazon Web Services (AWS) provides a robust environment for building and managing cloud infrastructure. However, certain scenarios require the association of resources across different AWS accounts. One such scenario involves associating a Virtual Private Cloud (VPC) located in one AWS account with a Route 53 private hosted zone located in another AWS account. The AWS Management Console only offers VPCs from the same account when you associate a VPC with a hosted zone, so a cross-account association has to be made through the API, in this article via AWS Command Line Interface (CLI) commands.
Use-case
Associating a VPC in one AWS account with a private hosted zone in another account lets resources inside that VPC resolve the DNS records defined in the zone, even though the zone is owned and managed by a different account. This is the common pattern where one account owns the private DNS names and other accounts' workloads need to resolve them.
For the purpose of illustration, consider the following scenario where Account_B requires DNS resolution for the private hosted zone in Account_A.
Two AWS accounts, referred to as Account_A and Account_B, with corresponding account numbers 11111111 and 22222222, respectively.
A Private Hosted Zone has been established in Account_A, with the Hosted Zone ID being Z458514111102.
In Account_B, there exists a VPC identified by the VPC ID vpc-1458522bhuf.
You’ve configured two AWS profiles on your local computer, each assuming the corresponding AWS role with Route 53 permissions in the respective target accounts. The profiles are as follows:
- Account_A is represented by profile-A, and Account_B is represented by profile-B.
Profile_A Access Permissions (Account_A, owner of the hosted zone):
- List and get hosted zones in Route 53: route53:Get*, route53:List*
- Create and manage hosted zones in Route 53: route53:*HostedZone*
- Create and manage VPC association authorizations: route53:*VPCAssociationAuthorization*
Profile_B Access Permissions (Account_B, owner of the VPC):
- Associate a VPC with a hosted zone: route53:AssociateVPCWithHostedZone
- List and describe VPCs in Account_B: ec2:DescribeVpcs (AssociateVPCWithHostedZone and ListHostedZonesByVPC both depend on it)
- List the hosted zones a VPC is associated with, used in the verification step below: route53:ListHostedZonesByVPC
The wildcards above are convenient but broader than this procedure needs. Steps 1 and 3 only call the Create, List and Delete VPCAssociationAuthorization actions, and route53:*HostedZone* also matches DeleteHostedZone. For a role used only for this procedure, grant the named actions and scope them to the zone's ARN (arn:aws:route53:::hostedzone/Z458514111102).
Let’s examine the steps required to associate the VPC in Account_B with the hosted zone in Account_A.
Step 1: Create an association-authorization request in Account_A, the account where the hosted zone resides.
The following command is executed in the account that owns the zone being shared, Account_A in our scenario. VPCRegion is the region of the VPC in Account_B (ap-southeast-2 in this example), not the region you run the command from; Route 53 itself is a global service.
aws route53 create-vpc-association-authorization --hosted-zone-id Z458514111102 --vpc VPCRegion=ap-southeast-2,VPCId=vpc-1458522bhuf --profile profile-A
This AWS CLI command initiates the process of creating an association-authorization request in Account_A. This request allows the VPC (vpc-1458522bhuf) from Account_B to be associated with the hosted zone specified by its ID (Z458514111102) in Account_A. The action is performed using the profile-A credentials for authentication.
Step 2: Associate the VPC in Account_B with the hosted zone in Account_A
The following command is executed in the account that needs to resolve the private zone, Account_B in our scenario.
aws route53 associate-vpc-with-hosted-zone --hosted-zone-id Z458514111102 --vpc VPCRegion=ap-southeast-2,VPCId=vpc-1458522bhuf --profile profile-B
This command associates the specified VPC (vpc-1458522bhuf) in Account_B with the hosted zone identified by its ID (Z458514111102) in Account_A. It uses the profile-B credentials for authentication, and it succeeds only because the authorization from Step 1 exists for exactly this region and VPC ID.
Upon completing the aforementioned two steps, the VPC located in Account_B has been effectively associated with the private hosted zone in Account_A.
Let's confirm the above by executing the following command:
aws route53 list-hosted-zones-by-vpc --vpc-id vpc-1458522bhuf --vpc-region ap-southeast-2 --profile profile-B
This command lists all the private hosted zones that the VPC in Account_B (vpc-1458522bhuf) is associated with; Z458514111102 should now appear among them.
This can also be confirmed in the Route 53 console in Account_A, where the VPC is listed against the hosted zone.
What is the outcome of the above?
The outcome is an association between the VPC in Account_B and the private hosted zone in Account_A: DNS queries from resources inside the VPC in Account_B now resolve the records defined in that private hosted zone, even though the zone lives in another account. Two caveats: the VPC must have both enableDnsSupport and enableDnsHostnames enabled, otherwise queries for the private zone are not answered from inside it; and the association provides name resolution only. It does not create network connectivity between the accounts, so reaching the resolved addresses still needs VPC peering, AWS Transit Gateway or another network path.
Step 3: Delete association-authorization request initiated in Step 1 (recommended).
The following commands are executed in the account where the association authorization was created, Account_A in our scenario.
List the authorizations created in Account_A
aws route53 list-vpc-association-authorizations --hosted-zone-id Z458514111102 --profile profile-A
Delete the VPC Authorization Association request
aws route53 delete-vpc-association-authorization --hosted-zone-id Z458514111102 --vpc VPCRegion=ap-southeast-2,VPCId=vpc-1458522bhuf --profile profile-A
This command removes the association-authorization request in Account_A that allowed the VPC (vpc-1458522bhuf) from Account_B to be associated with the hosted zone specified by its ID (Z458514111102) in Account_A. The action is performed using the profile-A credentials for authentication.
Deleting the authorization once the association exists is more than tidiness: an authorization is a standing grant, and as long as it exists any principal in Account_B holding route53:AssociateVPCWithHostedZone can associate (or, after a disassociation, re-associate) that VPC with the zone without anyone in Account_A being involved again. Removing it means a future association has to be explicitly re-authorized by the zone owner.
Deleting the authorization does not affect the existing association between the VPC and the hosted zone; it only prevents new associations of that VPC. Do it only after Step 2 has succeeded: if the authorization is deleted first, the association request from Account_B is rejected.
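The three steps wired together, as an added example that is not part of the original article: the script below uses the article's zone ID, VPC ID, region and profile names (all overridable through environment variables), checks the VPC's DNS attributes before touching Route 53, skips the work if the association already exists, and revokes the authorization only once the association is visible from Account_B. The `--query` expressions are standard AWS CLI JMESPath; the script name and the `run` argument are this example's own convention.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article. Wires the three CLI steps
# together with the checks around them. Values below are the article's:
# zone Z458514111102 owned by Account_A (profile-A), VPC vpc-1458522bhuf in
# ap-southeast-2 owned by Account_B (profile-B). All are overridable via env.
set -eu

HOSTED_ZONE_ID="${HOSTED_ZONE_ID:-Z458514111102}"
VPC_ID="${VPC_ID:-vpc-1458522bhuf}"
VPC_REGION="${VPC_REGION:-ap-southeast-2}"   # region of the VPC, not of the caller
ZONE_PROFILE="${ZONE_PROFILE:-profile-A}"    # account that owns the hosted zone
VPC_PROFILE="${VPC_PROFILE:-profile-B}"      # account that owns the VPC
AWS="${AWS:-aws}"                            # CLI to run; point at a stub for dry runs

# A private hosted zone is only resolvable inside a VPC that has both
# enableDnsSupport and enableDnsHostnames set; check them from the VPC account.
vpc_dns_enabled() {
  local attr field value
  for attr in enableDnsSupport enableDnsHostnames; do
    case "$attr" in
      enableDnsSupport)   field=EnableDnsSupport ;;
      enableDnsHostnames) field=EnableDnsHostnames ;;
    esac
    value=$("$AWS" ec2 describe-vpc-attribute --vpc-id "$VPC_ID" --region "$VPC_REGION" \
      --attribute "$attr" --query "$field.Value" --output text --profile "$VPC_PROFILE")
    if [ "$value" != "True" ]; then
      echo "VPC $VPC_ID has $attr=$value; the private zone will not resolve" >&2
      return 1
    fi
  done
}

# Exit 0 when the zone ID is among the private zones the VPC is associated
# with, as seen from the VPC account (the article's verification command with
# a --query added so the output can be tested).
zone_associated() {
  "$AWS" route53 list-hosted-zones-by-vpc --vpc-id "$VPC_ID" --vpc-region "$VPC_REGION" \
    --query 'HostedZoneSummaries[].HostedZoneId' --output text --profile "$VPC_PROFILE" \
    | tr '\t' '\n' | grep -qx "$HOSTED_ZONE_ID"
}

# Step 1 (zone account): authorize this VPC. The grant stands until deleted.
authorize_vpc() {
  "$AWS" route53 create-vpc-association-authorization --hosted-zone-id "$HOSTED_ZONE_ID" \
    --vpc "VPCRegion=$VPC_REGION,VPCId=$VPC_ID" --profile "$ZONE_PROFILE" >/dev/null
}

# Step 2 (VPC account): consume the authorization.
associate_vpc() {
  "$AWS" route53 associate-vpc-with-hosted-zone --hosted-zone-id "$HOSTED_ZONE_ID" \
    --vpc "VPCRegion=$VPC_REGION,VPCId=$VPC_ID" --profile "$VPC_PROFILE" >/dev/null
}

# Step 3 (zone account): revoke the grant. Only safe after step 2 succeeded:
# an existing association survives this, a not-yet-made one can no longer be made.
revoke_authorization() {
  "$AWS" route53 delete-vpc-association-authorization --hosted-zone-id "$HOSTED_ZONE_ID" \
    --vpc "VPCRegion=$VPC_REGION,VPCId=$VPC_ID" --profile "$ZONE_PROFILE" >/dev/null
}

# Whole procedure. Safe to re-run: it checks for an existing association first
# and never deletes the authorization until the association is visible from
# the VPC account. Prints one word per action taken so a caller can audit it.
cross_account_associate() {
  vpc_dns_enabled || return 1
  if zone_associated; then
    echo "already-associated"
    return 0
  fi
  authorize_vpc || return 1
  echo "authorized"
  associate_vpc || return 1
  echo "associated"
  if ! zone_associated; then
    echo "association not visible from $VPC_PROFILE; leaving authorization in place" >&2
    return 1
  fi
  revoke_authorization || return 1
  echo "revoked"
}

# Run the procedure only when invoked as "./script run"; otherwise the file just
# defines the functions, so it can be sourced or exercised with a stubbed AWS.
if [ "${1:-}" = "run" ]; then
  cross_account_associate
fi
```

Run it as `./associate.sh run` (file name assumed) on a machine where both profiles are configured. Because the authorization is deleted last and only after `list-hosted-zones-by-vpc` shows the zone from Account_B, a failed or partial run leaves the authorization in place for a retry rather than a half-done state, and a second run after success is a no-op.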
Conclusion
While the AWS Management Console provides an intuitive interface for many AWS tasks, certain scenarios, such as associating a VPC from one account with a Route 53 private hosted zone in another account, require the AWS CLI (or the API and SDKs) rather than the console. By following this guide you can accomplish cross-account VPC associations and, by removing the authorization once the association is in place, avoid leaving a standing cross-account grant behind.