When you have multiple AWS accounts and a specific private DNS name that you want resolved from a VPC in a different account, you need to allow the hosted zone to be resolved from that other account. For example, you have a hosted zone in account A with several types of records and you want DNS queries for that zone to be resolved from a specific VPC in account B. To allow the account B VPC to resolve the hosted zone of account A, you need to do the following:
- Authorize the zone association from account A
- Associate the zone with the VPC of account B from account B
Step 1: Take note of the VPC ID and the hosted zone ID.
- VPC ID in account B: vpc-087cb371
- Hosted zone ID in account A: Z07969891FB4C978V4WOV
Step 2: Authorization
Connect to an Amazon Elastic Compute Cloud (Amazon EC2) instance in account A and run:
aws route53 create-vpc-association-authorization --hosted-zone-id Z07969891FB4C978V4WOV --vpc VPCRegion=eu-west-1,VPCId=vpc-087cb371 --region eu-west-1
Step 3: Association
Log in to account B and run the command below; make sure you use the right account profile.
aws route53 associate-vpc-with-hosted-zone --hosted-zone-id Z07969891FB4C978V4WOV --vpc VPCRegion=eu-west-1,VPCId=vpc-087cb371 --region eu-west-1
Step 4: Delete the association authorization
Once the association is in place, the authorization is no longer needed. Deleting it does not remove the association; it only prevents the VPC from being associated with the zone again. Connect to account A and run the command below:
aws route53 delete-vpc-association-authorization --hosted-zone-id Z07969891FB4C978V4WOV --vpc VPCRegion=eu-west-1,VPCId=vpc-087cb371 --region eu-west-1
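The four steps above as one script, added here as an example and not taken from the original post or from AWS. It assumes two AWS CLI named profiles, "acct-a" (owns the hosted zone) and "acct-b" (owns the VPC), checks that they really are two different accounts before doing anything, and verifies from account B that the zone is visible from the VPC before the authorization is revoked.

```shell
# Added example. Assumed profile names: acct-a (account A), acct-b (account B);
# zone, VPC and region values are the ones from the post.
set -eu
HOSTED_ZONE_ID="${HOSTED_ZONE_ID:-Z07969891FB4C978V4WOV}"
VPC_ID="${VPC_ID:-vpc-087cb371}"
VPC_REGION="${VPC_REGION:-eu-west-1}"
PROFILE_A="${PROFILE_A:-acct-a}"   # assumed profile for account A (zone owner)
PROFILE_B="${PROFILE_B:-acct-b}"   # assumed profile for account B (VPC owner)

# Refuse obviously malformed IDs before touching either account.
validate_ids() {
  case "$1" in Z*) ;; *) echo "bad hosted zone id: $1" >&2; return 1 ;; esac
  case "$2" in vpc-*) ;; *) echo "bad VPC id: $2" >&2; return 1 ;; esac
}
# Guard against running both sides under the same credentials: the two
# profiles must resolve to two different account IDs.
check_profiles() {
  a=$(aws sts get-caller-identity --profile "$PROFILE_A" --query Account --output text)
  b=$(aws sts get-caller-identity --profile "$PROFILE_B" --query Account --output text)
  [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ]
}
# Step 2, as account A: authorize the association for exactly this VPC.
authorize() {
  aws route53 create-vpc-association-authorization --profile "$PROFILE_A" \
    --hosted-zone-id "$1" --vpc "VPCRegion=$3,VPCId=$2" --region "$3" >/dev/null
}
# Step 3, as account B: associate, then confirm the zone is now listed for the VPC.
associate_and_verify() {
  aws route53 associate-vpc-with-hosted-zone --profile "$PROFILE_B" \
    --hosted-zone-id "$1" --vpc "VPCRegion=$3,VPCId=$2" --region "$3" >/dev/null
  aws route53 list-hosted-zones-by-vpc --profile "$PROFILE_B" --vpc-id "$2" \
    --vpc-region "$3" --query 'HostedZoneSummaries[].HostedZoneId' --output text \
    | tr '\t' '\n' | grep -qx "$1"
}
# Step 4, as account A: remove the authorization so the VPC cannot be re-associated later.
revoke() {
  aws route53 delete-vpc-association-authorization --profile "$PROFILE_A" \
    --hosted-zone-id "$1" --vpc "VPCRegion=$3,VPCId=$2" --region "$3" >/dev/null
}
run_all() {
  validate_ids "$1" "$2" && check_profiles && authorize "$@" \
    && associate_and_verify "$@" && revoke "$@" && echo "associated $1 with $2"
}
# Sourcing this file only defines the functions; pass "run" to execute the procedure.
if [ "${1:-}" = "run" ]; then run_all "$HOSTED_ZONE_ID" "$VPC_ID" "$VPC_REGION"; fi
```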
Ref: https://aws.amazon.com/premiumsupport/knowledge-center/private-hosted-zone-different-account/