Hey everyone! I'm currently working on a project at my job where we are separating our primary AWS account into multiple sub-accounts. I want to implement private DNS zones for each sub-account, allowing workloads to resolve private IP addresses through these zones, even across different accounts. All the accounts are interconnected. I'm uncertain about the best approach to achieve this. Can anyone provide some guidance?
5 Answers
You can manage multiple accounts without profiles, but it might get a bit tricky. It's doable, just kind of annoying to maintain.
You meant that the VPCs are interconnected, right? The best way to handle this is by setting up RAM-based Route 53 rules and resolvers so that resolution works correctly across your network within the VPCs that the private hosted zones are linked to. We've effectively been using this model for over five years across more than 250 VPCs with thousands of private hosted zones across two regions.
Check out this guide: [AWS Route 53 Resolver Cookbook](https://aws.amazon.com/blogs/security/simplify-dns-management-in-a-multiaccount-environment-with-route-53-resolver/). The key here is to associate your DNS zones with the VPC and share your rules effectively. It's pretty straightforward once you set everything up.
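The hub-and-spoke layout this reply points at (private zone owned by one account, a Route 53 Resolver forwarding rule shared through RAM, each spoke associating that rule with its own VPC), written out as an added Terraform example that is not from this thread or from AWS. Account IDs, VPC, subnet and endpoint IDs, IP addresses and the domain are placeholders, and the hub's inbound and outbound resolver endpoints are assumed to already exist.

```hcl
provider "aws" {
  alias = "hub"    # account that owns the zone and the resolver endpoints
}
provider "aws" {
  alias = "spoke"  # one workload sub-account
}

# 1. Private hosted zone, associated only with the hub VPC.
resource "aws_route53_zone" "internal" {
  provider = aws.hub
  name     = "corp.internal"              # placeholder internal domain
  vpc { vpc_id = "vpc-0hub00000000000" }  # placeholder hub VPC
}

# 2. Forwarding rule: queries for the zone leave through the hub's OUTBOUND
#    endpoint and land on its INBOUND endpoint (both assumed to exist), so the
#    hub VPC's resolver answers them from the zone above.
resource "aws_route53_resolver_rule" "internal" {
  provider             = aws.hub
  domain_name          = "corp.internal"
  rule_type            = "FORWARD"
  resolver_endpoint_id = "rslvr-out-0placeholder0"  # placeholder outbound endpoint
  target_ip { ip = "10.0.0.10" }                   # placeholder inbound endpoint IP
  target_ip { ip = "10.0.1.10" }                   # placeholder inbound endpoint IP
}
# 3. Share the rule with the organization through RAM; no external principals.
resource "aws_ram_resource_share" "dns" {
  provider                  = aws.hub
  name                      = "route53-resolver-rules"
  allow_external_principals = false
}
resource "aws_ram_resource_association" "rule" {
  provider           = aws.hub
  resource_arn       = aws_route53_resolver_rule.internal.arn
  resource_share_arn = aws_ram_resource_share.dns.arn
}
resource "aws_ram_principal_association" "org" {
  provider           = aws.hub
  principal          = "arn:aws:organizations::111111111111:organization/o-placeholder"
  resource_share_arn = aws_ram_resource_share.dns.arn
}

# 4. Spoke side: attach the shared rule to the spoke VPC (same rule ID in every account).
resource "aws_route53_resolver_rule_association" "spoke" {
  provider         = aws.spoke
  resolver_rule_id = aws_route53_resolver_rule.internal.id
  vpc_id           = "vpc-0spoke000000000"  # placeholder spoke VPC
  depends_on       = [aws_ram_principal_association.org]
}
```

The security group on the hub's inbound endpoint must allow UDP and TCP 53 from the spoke VPC CIDRs, and the spoke VPCs still need a network path (peering or Transit Gateway) to the hub subnets, otherwise the forwarded queries time out.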
In our experience, we've used public DNS zones since connecting to resolved internal services wasn't an option. While it's generally not ideal—since internal lookups shouldn't resolve publicly unless absolutely necessary—if you’re not running Active Directory on Route 53, the risk is lower.
Private hosted zones are specific to each VPC and are tied to the account unless you use features like VPC subnet sharing with Resource Access Manager (RAM). If your goal is hybrid DNS resolution, Route 53 Resolver Endpoints can help forward DNS queries to other private hosted zones, provided the VPCs are properly routed together (like through VPC peering).
However, if you're dealing with private services that need to be discovered across VPCs, consider using VPC Lattice; it might be more suitable for your use case. If you only need to share a small number of services, PrivateLink is a simpler choice without needing to implement a service mesh. Both solutions allow you to define private CNAMEs in your VPC's private hosted zone.
VPC Lattice sounds expensive!