With the best practices found in the Well Architected framework design, the infrastructure is distributed across multiple accounts. One of the challenges in distributed infrastructure is maintaining coherent name resolution across accounts. Cross-account Route 53 solves this challenge.

1. ©Practical Code, LLC 2019
Route 53
for Multi-Account Environments
Jason E. Robinson
Cloud Solutions Architect
1.28.2019

2. ©Practical Code, LLC 2019
Practical Code, LLC
Our Mission: To Enable Those Solving the World’s Hardest
Problems
“There is an elegant solution to every problem.”
“Unmanageable esoteric code has twice the cost of maintainable
code.”
“Automation is achieved by addressing one workflow at a time.”

3. ©Practical Code, LLC 2019
Overview
With the best practices found in the Well Architected framework
design, the infrastructure is distributed across multiple accounts.
One of the challenges in distributed infrastructure is maintaining
coherent name resolution across accounts.
Cross-account Route 53 solves this challenge.

4. ©Practical Code, LLC 2019

5. ©Practical Code, LLC 2019
Setting Up Centralized Route 53
1. Set up central account for Route 53/DNS
2. Set up participating accounts
3. Create Route 53 associations
4. Configure on-premises DNS (if applicable)

6. ©Practical Code, LLC 2019
Create a private hosted zone using the Route 53 console
1. For each VPC that you want to associate with the Route 53 hosted zone, change the
following VPC settings to true:
– enableDnsHostnames
– enableDnsSupport
2. Sign in to the AWS Management Console and open the Route 53 console
at https://console.aws.amazon.com/route53/
3. If you're new to Route 53, choose Get Started Now under DNS Management. If you're
already using Route 53, choose Hosted Zones in the navigation pane
4. Choose Create Hosted Zone
5. In the Create Private Hosted Zone pane, enter a domain name and, optionally, a comment
6. For information about how to specify characters other than a-z, 0-9, and - (hyphen) and how to
specify internationalized domain names, see DNS Domain Name Format
7. In the Type list, choose Private Hosted Zone for Amazon VPC

7. ©Practical Code, LLC 2019
Private Hosted Zone in Route 53
Hosted zone domain names must be unique across all accounts
• When you create a private hosted zone, you must associate a VPC with
the hosted zone, and the VPC that you specify must have been created
by using the same account that you're using to create the hosted zone.
After you create the hosted zone, you may associate it with additional
VPCs, including VPCs you created by using a different AWS account
• To associate VPCs that you created by using one account with a private
hosted zone that you created by using a different account, you must
authorize the association and then make the association
programmatically

8. ©Practical Code, LLC 2019
Set Up Participating Accounts
Each of these steps should be applied individually in each application
account that’s participating in central DNS resolution:
• Create the VPC(s) that will host your resources in participating account
• Create VPC Peering between local VPC(s) in each participating account
and DNS-VPC
• Create a private hosted zone in Route 53. Hosted zone domain names
must be unique across all accounts
• Associate VPC(s) in each participating account with the local private
hosted zone
• Change the default DNS servers on each VPC using DHCP option set
• Assign the DHCP option set to your VPC(s) in participating account

9. ©Practical Code, LLC 2019
Associating More VPCs with a Private Hosted Zone
To associate additional VPCs with a private hosted zone using the Route 53
console:
1. Sign in to the AWS Management Console and open the Route 53 console
2. In the navigation pane, choose Hosted Zones
3. Choose the radio button for the private hosted zone that you want to associate
more VPCs with
4. In the right pane, in VPC ID, choose the ID of the VPC that you want to
associate with this hosted zone
5. Choose Associate New VPC

10. ©Practical Code, LLC 2019
Associate a Route 53 zone with a VPC on a different account
To associate a Route 53 private hosted zone in one AWS account (Account A) with a VPC that belongs to another AWS
account (Account B), follow these steps using the AWS Command Line Interface (AWS CLI):
1. Connect to an EC2 instance in Account A
2. Run this command to list the available hosted zones in Account A. Note the hosted zone ID in Account A that you will associate
with Account B
aws route53 list-hosted-zones
3. Run the following command to authorize the association between the private hosted zone in Account A and the VPC in Account
B
aws route53 create-vpc-association-authorization --hosted-zone-id <hosted-zone-id> --vpc
VPCRegion=<region>,VPCId=<vpc-id>

11. ©Practical Code, LLC 2019
Associate a Route 53 zone with a VPC on a different account
Continued:
4. Connect to an EC2 instance in Account B
5. Run the following command to create the association between the private hosted zone in Account A and the VPC
in Account B. Note: Use the hosted zone ID from step #3, as well as the region and ID of the VPC in Account B
aws route53 associate-vpc-with-hosted-zone --hosted-zone-id <hosted-zone-id> --
vpc VPCRegion=<region>,VPCId=<vpc-id>
6. It is recommended that you delete the association authorization after the association is created. Doing this prevents
you from recreating the same association later. To delete the authorization, reconnect to an EC2 instance in Account A.
Then, run this command:
aws route53 delete-vpc-association-authorization --hosted-zone-id <hosted-zone-id> --
vpc VPCRegion=<region>,VPCId=<vpc-id>
EC2 instances in the VPC from Account B can now resolve records in the private hosted zone in Account A

12. ©Practical Code, LLC 2019
Creating a DHCP Options Set
1. Open the Amazon VPC console
2. In the navigation pane, choose DHCP Options Sets, and then choose Create DHCP
options set
3. In the dialog box, enter values for the options that you want to use, and then
choose Yes, Create
4. The new set of DHCP options appears in your list of DHCP options
5. Make a note of the ID of the new set of DHCP options (dopt-xxxxxxxx). You will need it
to associate the new set of options with your VPC
6. Although you've created a set of DHCP options, you must associate it with your VPC
for the options to take effect. You can create multiple sets of DHCP options, but you can
associate only one set of DHCP options with your VPC at a time
Important: If your VPC has an Internet gateway, make sure to specify your own DNS
server or Amazon's DNS for the Domain name servers value. Otherwise, the instances
that need to communicate with the Internet won't have access to DNS.

13. ©Practical Code, LLC 2019
Changing the Set of DHCP Options a VPC Uses
To change the DHCP options set associated with a VPC
1. Open the Amazon VPC console
2. In the navigation pane, choose Your VPCs
3. Select the VPC, and select Edit DHCP Options Set from the Actions list
4. In the DHCP Options Set list, select a set of options from the list, and then choose Save
5. After you associate a new set of DHCP options with the VPC, any existing instances and all
new instances that you launch in that VPC use the options. They automatically pick up the
changes within a few hours, depending on how frequently the instance renews its DHCP
lease. If you want, you can explicitly renew the lease using the operating system on the
instance
You can set up your VPC to use no set of DHCP options.
1. Open the Amazon VPC console
2. In the navigation pane, choose Your VPCs
3. Select the VPC, and select Edit DHCP Options Set from the Actions list
4. In the DHCP Options Set list, select No DHCP Options Set from the list, and then
choose Save
5. The instances automatically pick up the changes within a few hours, depending on how
frequently the instance renews its DHCP lease. If you want, you can explicitly renew the lease
using the operating system on the instance

14. ©Practical Code, LLC 2019
Change the default DNS Servers on each VPC using DHCP option set

15. ©Practical Code, LLC 2019
Setting up on-premises DNS servers
• Only necessary if you would like to resolve AWS private domains from on-
premises servers and this task comes down to configuring forwarders on-
premise to forward DNS queries to AWS Managed Microsoft AD in DNS-
VPC for all domains
• The steps to implement conditional forwarders vary by DNS product. Follow
your product’s documentation to complete this configuration

16. ©Practical Code, LLC 2019
References
• How to centralize DNS management in a multi-account environment - https://aws.amazon.com/blogs/security/how-to-centralize-dns-management-in-a-
multi-account-environment
• Associate a Route 53 private hosted zone across accounts - https://aws.amazon.com/premiumsupport/knowledge-center/private-hosted-zone-different-
account/
• How to Set Up DNS Resolution Between On-Premises Networks and AWS Using AWS Directory Service and Microsoft Active Directory -
https://aws.amazon.com/blogs/security/how-to-set-up-dns-resolution-between-on-premises-networks-and-aws-using-aws-directory-service-and-
microsoft-active-directory
• Well-Architected Framework - https://aws.amazon.com/architecture/well-architected/
• VPC Creation- https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenarios.html
• VPC Peering Connetion - https://docs.aws.amazon.com/vpc/latest/peering/create-vpc-peering-connection.html
• Creating a Private Hosted Zone - https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-creating.html
• DHCP Option Sets - https://docs.aws.amazon.com/vpc/latest/userguide/VPC_DHCP_Options.html#ChangingDHCPOptionsofaVPC

17. Thank you!
Jason Robinson
jason.robinson@practicalcode.us
540-860-0772
https://practicalcode.us