
Achieving Cross-Account DNS Resolution on AWS Using Route 53

By Khushi Carpenter, Piyush Jalan / Sep 23, 2024

Introduction

In today’s complex AWS environments, where multiple accounts are used to segregate development, testing, and production workloads, managing DNS efficiently becomes crucial. With each account potentially using its own Private Hosted Zones (PHZs), resolving DNS queries across these accounts can become a challenging task. This fragmentation often leads to difficulties in maintaining seamless DNS resolution and managing configurations effectively.

To address these challenges, this guide presents a practical approach for achieving cross-account DNS resolution using AWS Route 53 profiles. By leveraging Route 53 profiles, you can streamline DNS management across different AWS accounts, ensuring that your DNS queries are resolved accurately and securely while simplifying administration and enhancing overall manageability.

Solution Overview

The following architecture will be implemented for the solution:

AWS Route 53 Resolver profiles can be used to enable cross-account DNS resolution. Here’s a step-by-step guide to setting up this architecture.

Prerequisite:

The accounts configured for cross-account DNS query resolution must have network connectivity between their VPCs.

Step 1: Create a Route 53 Profile in the Shared-Services Account

  1. Log in to the AWS Management Console and navigate to the Route 53 dashboard.
  2. Go to the Route 53 Profiles section and create a new Profile in the Shared-Services account. This profile will be used to manage DNS resolution across multiple accounts.
    • Name: Shared-Services-Resolver-Profile

Step 2: Associate the Shared-Services VPC

  1. In the Shared-Services account, navigate to the VPC section.
  2. Select the VPC you want to associate with the Profile.
  3. Associate this VPC with the Route 53 Profile created in Step 1. This configuration allows DNS queries from other VPCs to be resolved through this shared profile.

Step 3: Associate the Shared-Services Private Hosted Zone

  1. In the Shared-Services account, navigate to the Private Hosted Zone section.
  2. Select the Private Hosted Zone you want to associate with the Profile.
  3. Associate the Private Hosted Zone with the Route 53 Profile created in Step 1. This configuration allows DNS queries of the Private Hosted Zone to be resolved through this shared profile.

Step 4: Share the Route 53 Profile with Other Accounts

  1. Navigate to AWS Resource Access Manager (RAM) in the Shared-Services account.
  2. Create a resource share and include the Route 53 Resolver Profile.
  3. Share the profile with the AWS workload accounts that need DNS resolution capabilities.

Step 5: Associate Private Hosted Zones (PHZs) with the Route 53 Profile

  1. In each workload account, go to the Route 53 dashboard and open the Hosted Zones section and the VPC section.
  2. For each account, associate the private hosted zones (PHZs) and respective VPC with the Route 53 Resolver Profile shared from the Shared-Services account. This ensures DNS records are available to all associated VPCs.
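The five steps above as AWS CLI calls, added here as an example (not code from the original post). Every account, VPC and hosted-zone ID is a constructed placeholder, and `AWS=echo` prints the commands instead of running them:

```shell
# Added example, not code from the original post: the console steps above
# as AWS CLI calls. Every ID below is a constructed placeholder.
set -eu
AWS="${AWS:-aws}"   # set AWS=echo to print the commands instead of running them

# Step 1: create the profile in the Shared-Services account; prints its ID.
create_profile() {   # $1 profile name
  "$AWS" route53profiles create-profile --name "$1" \
    --query 'Profile.Id' --output text
}

profile_arn() {      # $1 profile id -> ARN, as returned by the API
  "$AWS" route53profiles get-profile --profile-id "$1" \
    --query 'Profile.Arn' --output text
}

# Steps 2 and 5 (VPC side): associate a VPC with the profile.
associate_vpc() {    # $1 profile id, $2 vpc id, $3 association name
  "$AWS" route53profiles associate-profile --profile-id "$1" \
    --resource-id "$2" --name "$3"
}

# Steps 3 and 5 (PHZ side): associate a private hosted zone with the profile.
associate_phz() {    # $1 profile id, $2 hosted zone id, $3 association name
  "$AWS" route53profiles associate-resource-to-profile --profile-id "$1" \
    --resource-arn "arn:aws:route53:::hostedzone/$2" --name "$3"
}

# Step 4: share the profile via RAM with the listed account IDs only; external
# principals stay disabled, and a workload account outside an Organization with
# RAM sharing enabled must accept the invitation before it can use the profile.
share_profile() {    # $1 profile arn, $2... account ids
  arn="$1"; shift
  "$AWS" ram create-resource-share --name "route53-profile-share" \
    --resource-arns "$arn" --principals "$@" --no-allow-external-principals
}

# Check: list the PHZs attached to the profile so a missing association is
# caught before anyone relies on cross-account resolution.
list_profile_resources() {   # $1 profile id
  "$AWS" route53profiles list-profile-resource-associations --profile-id "$1"
}
if [ "${RUN:-0}" = 1 ]; then   # run only when asked, in the Shared-Services account
  pid=$(create_profile "Shared-Services-Resolver-Profile")
  associate_vpc "$pid" "vpc-0aaaaaaaaaaaaaaaa" "shared-services-vpc"
  associate_phz "$pid" "Z0PLACEHOLDERPHZ" "shared-services-phz"
  share_profile "$(profile_arn "$pid")" "222222222222"   # workload account id
  list_profile_resources "$pid"
fi
```

In each workload account, the same `associate_vpc` and `associate_phz` calls are run against the shared profile ID once the RAM share is visible there.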

Use Case Example

Consider the scenario where host1.finops.com in Account A needs to resolve host2.devops.com in Account B:

  1. DNS Query Initiation: host1.finops.com sends a DNS query to resolve host2.devops.com.
  2. PHZ Association: The FinOps VPC and the devops.com PHZ (from Account B) are both associated with the shared Route 53 profile.
  3. DNS Resolution: The Route 53 Resolver in the FinOps VPC looks up the devops.com PHZ and returns the IP address for host2.devops.com to host1.finops.com.

Results

Benefits:

  • Streamlined DNS Management: Simplifies DNS configuration and reduces administrative overhead.
  • Consistent Configuration: Ensures DNS changes are automatically propagated across all accounts.
  • Unified Integration: Maintains consistency with on-premises DNS setups.
  • Scalability: Easily scales with additional accounts or VPCs.
  • High Availability: Ensures robust DNS resolution with high availability.

Conclusion

By implementing a cross-account DNS resolution architecture using AWS Route 53 profiles, organizations can achieve a scalable, manageable, and secure DNS system. This setup not only simplifies DNS management across multiple AWS accounts but also ensures continuity with existing on-premises DNS configurations.
