I'm trying to figure out the best way to organize our company's accounts for various environments—live, UAT, and development—while also handling internal stuff like documentation and email. My concern is how this setup affects our DNS configuration. Basically, I need to manage the following:
- example.com for our main website
- auth.example.com for authentication related to the main site
- uat.example.com for our UAT environment
- auth.uat.example.com for the UAT authentication
- docs.example.com for internal resources
- [email protected] for company emails
Here are the options I'm considering:
1. Keep the main website, example.com, and internal resources in the management account, while separate accounts manage UAT and development with their own hosted zones.
2. Place example.com in its own account, but I'm unsure how to manage the email and internal subdomains this way.
3. Do all DNS setup in the management account, but can I point a Route 53 record to a distribution in another account? This might complicate certificate creation if I have to manually set up validation records.
4. Use live.example.com as the primary domain instead, which would make DNS delegation more straightforward and allow the sub-account to manage its own records easily.
5. Still weighing my options!
What's the usual approach for structuring this kind of setup?
4 Answers
Option 3 is definitely doable! You can point an alias record to a distribution from another account, which simplifies things a lot. But as a best practice, it's often easier to have the UAT hosted zone in the UAT account with an NS record in the parent zone.
Be careful with option 4; using a CNAME at the apex isn't supported! Instead, you might want to consider managing everything in the management account to keep it streamlined.
I typically keep my domain ownership in the production account and create hosted zones in the lower environments like dev or test. For example, example.com is managed in production with dev.example.com in the dev account. This way, each environment can manage its subdomains without conflicts.
Here's my setup: I keep absolutely nothing in the management account. If it's non-public, it goes in its own account for stuff like internal resources. For DNS records, you can point them to any service, even across different accounts, and managing validation records can be automated.
Related Questions
Cloudflare Origin SSL Certificate Setup Guide
How To Effectively Monetize A Site With Ads