When you have multiple AWS accounts and a private DNS name that you want to resolve from a VPC in a different account, you need to allow the private hosted zone to be associated with a VPC in that other account. For example, you have a private hosted zone in account A with several types of records and you want DNS queries for that zone to be resolved from a specific VPC in account B. To let the account B VPC resolve the hosted zone of account A, you need to do the following:
- Authorize the association of account B's VPC from account A (the account that owns the hosted zone)
- Associate the hosted zone with the VPC from account B (the account that owns the VPC)
Step 1: Take note of the VPC IDs and the hosted zone ID.
- VPC ID in account A: vpc-0xxxxxx22 (already associated with the hosted zone; it is not used in the commands below)
- VPC ID in account B: vpc-0xxxxxx23 (the VPC that should resolve the zone; this is the one you authorize and associate)
- Hosted zone ID in account A: VXXXXXXXXMV
Step 2: Authorization
Using credentials for account A, the account that owns the hosted zone (for example from an Amazon Elastic Compute Cloud (Amazon EC2) instance in account A), authorize the account B VPC to be associated with the zone. Note that the VPC in this command is account B's VPC, not account A's: account A's own VPC is already associated, and the authorization must name the VPC that will be attached in the next step.
aws route53 create-vpc-association-authorization --hosted-zone-id VXXXXXXXXMV --vpc VPCRegion=eu-west-1,VPCId=vpc-0xxxxxx23 --region eu-west-1
Step 3: Association
Log in to account B (make sure you are using the right account profile) and run the command below. The hosted zone ID is the one from account A, and VPCRegion must be the region the account B VPC actually lives in.
aws route53 associate-vpc-with-hosted-zone --hosted-zone-id VXXXXXXXXMV --vpc VPCRegion=eu-west-1,VPCId=vpc-0xxxxxx23 --region eu-west-1
Step 4: Delete the association authorization
The authorization is only needed until the association has been created, and deleting it does not remove the association, so revoke it as soon as step 3 has succeeded rather than leaving a standing grant behind. Connect to account A and run the command below (again naming the account B VPC):
aws route53 delete-vpc-association-authorization --hosted-zone-id VXXXXXXXXMV --vpc VPCRegion=eu-west-1,VPCId=vpc-0xxxxxx23 --region eu-west-1
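The four steps above as one script, with the checks a practitioner would want around them. This is an added example, not code from the AWS knowledge-center article: it assumes two named CLI profiles, accountA (owns the hosted zone) and accountB (owns the VPC), and uses the placeholder IDs from step 1; all of these are assumptions and can be overridden through the environment. Before touching Route 53 it checks that the account B VPC has enableDnsSupport and enableDnsHostnames enabled (private hosted zones do not resolve in a VPC without them), and after the association it confirms from account B, via list-hosted-zones-by-vpc, that the zone is now attached before the authorization is revoked.

```shell
#!/bin/sh
# Added example (not from the AWS knowledge-center article): cross-account private
# hosted zone association, steps 2 to 4 above, with pre- and post-checks.
# Assumptions: CLI profiles "accountA" (zone owner) and "accountB" (VPC owner);
# the IDs are the placeholders from step 1. Override any of them via the environment.
set -eu

HOSTED_ZONE_ID="${HOSTED_ZONE_ID:-VXXXXXXXXMV}"   # private hosted zone in account A
VPC_B="${VPC_B:-vpc-0xxxxxx23}"                  # VPC in account B: the one to authorize and associate
REGION="${REGION:-eu-west-1}"
PROFILE_A="${PROFILE_A:-accountA}"
PROFILE_B="${PROFILE_B:-accountB}"
AWS="${AWS:-aws}"                                # CLI entry point; point it at a wrapper for a dry run

vpc_arg() { printf 'VPCRegion=%s,VPCId=%s' "$REGION" "$VPC_B"; }

# Private hosted zones only resolve in a VPC whose enableDnsSupport and
# enableDnsHostnames attributes are both true, so check them in account B first.
check_vpc_dns() {
  for pair in enableDnsSupport:EnableDnsSupport enableDnsHostnames:EnableDnsHostnames; do
    attr=${pair%%:*}; key=${pair##*:}
    v=$($AWS ec2 describe-vpc-attribute --profile "$PROFILE_B" --region "$REGION" \
          --vpc-id "$VPC_B" --attribute "$attr" --query "$key.Value" --output text)
    [ "$v" = "True" ] || { echo "$VPC_B: $attr is $v; private zones will not resolve" >&2; return 1; }
  done
}

# Step 2, run as account A: authorize the *account B* VPC (not account A's own VPC).
authorize() {
  $AWS route53 create-vpc-association-authorization --profile "$PROFILE_A" --region "$REGION" \
    --hosted-zone-id "$HOSTED_ZONE_ID" --vpc "$(vpc_arg)"
}

# Step 3, run as account B: attach the zone to the VPC.
associate() {
  $AWS route53 associate-vpc-with-hosted-zone --profile "$PROFILE_B" --region "$REGION" \
    --hosted-zone-id "$HOSTED_ZONE_ID" --vpc "$(vpc_arg)"
}

# Confirm from account B that the zone is now attached. list-hosted-zones-by-vpc
# also returns zones owned by other accounts, so no account A credentials are needed.
verify() {
  found=$($AWS route53 list-hosted-zones-by-vpc --profile "$PROFILE_B" --region "$REGION" \
            --vpc-id "$VPC_B" --vpc-region "$REGION" \
            --query "HostedZoneSummaries[?HostedZoneId=='$HOSTED_ZONE_ID'].HostedZoneId" --output text)
  [ "$found" = "$HOSTED_ZONE_ID" ]
}

# Step 4, run as account A: the authorization is a one-shot grant and revoking it does
# not undo the association that already exists, so do not leave it in place.
revoke() {
  $AWS route53 delete-vpc-association-authorization --profile "$PROFILE_A" --region "$REGION" \
    --hosted-zone-id "$HOSTED_ZONE_ID" --vpc "$(vpc_arg)"
}

# Stops at the first failing step, so a failed association never reaches revoke().
run_all() { check_vpc_dns && authorize && associate && verify && revoke; }

if [ "${1:-}" = "run" ]; then run_all; fi
```

Invoke it as `./associate-zone.sh run` with the profiles configured; the principal used as accountA needs route53:CreateVPCAssociationAuthorization and route53:DeleteVPCAssociationAuthorization on the zone, and the one used as accountB needs route53:AssociateVPCWithHostedZone plus read access to the VPC. Setting AWS to a shell function or wrapper that records its arguments gives a dry run that shows exactly which account each call is made from.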
Ref: https://aws.amazon.com/premiumsupport/knowledge-center/private-hosted-zone-different-account/