Hybrid Route 53 setup - multi-account

Lab Objective: Create and manage central rules for resolving Privately Hosted names in two separate AWS accounts. This is the DNS query data flow we are seeking to achieve through this lab. Courtesy of AWS DNS blog - Simplify DNS management in a multi-account environment with Route 53 Resolver

Lab Prerequisite:

* Completion of the previous three labs (resolvers, conditional forwarders and "hybrid strategy - simple")
* Two new AWS accounts
* A Route 53 Private Hosted Zone set up in each of the new AWS accounts (i.e. acc1.awscloud.private and acc2.awscloud.private)

Lab Setup - two new accounts: (objective: create two independent PHZs and authorize the DNS VPC's association)

1. In each new AWS account, create a new Route 53 Private Hosted Zone (PHZ):
   * Account A should host acc1.awscloud.private
   * Account B should host acc2.awscloud.private
2. In each account, go to the Route 53 console (https://console.aws.amazon.com/route53) and click on the PHZ created
3. Select Create record and create an A record for host1.acc1.awscloud.private (in account A) and host2.acc2.awscloud.private (in account B). NOTE: assign any IP address belonging to the VPC CIDR
4. Write down the VPC ID of the DNS VPC
5. Use the awscli tool and the awscli credentials of each new account to authorize the association of the DNS VPC with that account's PHZ:

   ```bash
   # you can get the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN values from the AWS SSO interface
   # Run the export commands before the authorization command, once per account, with that account's credentials
   export AWS_ACCESS_KEY_ID="..................."
   export AWS_SECRET_ACCESS_KEY=".............................."
   export AWS_SESSION_TOKEN="....................................."
   aws route53 create-vpc-association-authorization --hosted-zone-id <hosted-zone-id> --vpc VPCRegion=<region>,VPCId=<vpc-id>
   ```

   NOTE: hosted-zone-id can be obtained from the Route 53 PHZ console; VPCRegion is the region of operation; VPCId is the VPC ID of the DNS VPC

Lab Setup - DNS VPC: (objective: create the VPC associations with the PHZs and create a new conditional forwarding rule for the domain awscloud.private)

NOTE: The procedure for VPC association with a PHZ is documented here. Once the authorization command above has been run once in each account, the DNS VPC can be associated with the PHZs.

1. Run these commands for the account that hosts the DNS VPC, once per PHZ:

   ```bash
   # you can get the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN values from the AWS SSO interface
   # Run the export commands before the association command, this time with the credentials of the account that owns the DNS VPC
   export AWS_ACCESS_KEY_ID="..................."
   export AWS_SECRET_ACCESS_KEY=".............................."
   export AWS_SESSION_TOKEN="....................................."
   aws route53 associate-vpc-with-hosted-zone --hosted-zone-id <hosted-zone-id> --vpc VPCRegion=<region>,VPCId=<vpc-id>
   ```

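The authorization and association commands above as one added script, not part of the original lab, with the two follow-up steps a practitioner wants once the association exists: listing the VPCs now associated with the zone, and deleting the authorization, which is no longer needed once the association is in place (deleting it does not undo the association). Each function must run under the credentials of the account named in its comment, exactly as the lab does with the exported SSO keys. AWS_BIN is an assumed override variable so the script can be dry-run with AWS_BIN=echo; the ID format checks are my own, and every ID in the usage lines is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the original lab): cross-account PHZ association as
# three explicit steps, each run under the credentials of the right account.
# AWS_BIN is a hypothetical override so the script can be dry-run (AWS_BIN=echo).
set -eu
AWS_BIN="${AWS_BIN:-aws}"

# Route 53 hosted zone IDs are bare upper-case alphanumerics starting with "Z"
# (no /hostedzone/ prefix); VPC IDs look like vpc-0123456789abcdef0.
# Rejecting a typo here is cheaper than decoding a rejected API call.
is_hosted_zone_id() { case "$1" in Z[A-Z0-9]*) return 0 ;; *) return 1 ;; esac; }
is_vpc_id()         { case "$1" in vpc-[0-9a-f]*) return 0 ;; *) return 1 ;; esac; }

# Step 1 (run in the PHZ-owning account, A or B): grant the DNS VPC permission to
# associate with this zone. Nothing resolves yet; this is only a standing grant.
authorize_dns_vpc() {   # <hosted-zone-id> <region> <dns-vpc-id>
  is_hosted_zone_id "$1" || { echo "bad hosted zone id: $1" >&2; return 1; }
  is_vpc_id "$3"         || { echo "bad vpc id: $3" >&2; return 1; }
  "$AWS_BIN" route53 create-vpc-association-authorization \
    --hosted-zone-id "$1" --vpc "VPCRegion=$2,VPCId=$3"
}

# Step 2 (run in the account that owns the DNS VPC): consume the grant.
associate_dns_vpc() {   # <hosted-zone-id> <region> <dns-vpc-id>
  is_hosted_zone_id "$1" || { echo "bad hosted zone id: $1" >&2; return 1; }
  is_vpc_id "$3"         || { echo "bad vpc id: $3" >&2; return 1; }
  "$AWS_BIN" route53 associate-vpc-with-hosted-zone \
    --hosted-zone-id "$1" --vpc "VPCRegion=$2,VPCId=$3"
}

# Step 3 (back in the PHZ-owning account): the authorization has done its job once
# the association exists, so remove it rather than leave a reusable grant behind.
revoke_authorization() {   # <hosted-zone-id> <region> <dns-vpc-id>
  "$AWS_BIN" route53 delete-vpc-association-authorization \
    --hosted-zone-id "$1" --vpc "VPCRegion=$2,VPCId=$3"
}

# Check (either account): list the VPCs currently associated with the zone.
list_associated_vpcs() {   # <hosted-zone-id>
  "$AWS_BIN" route53 get-hosted-zone --id "$1" --query 'VPCs' --output table
}

# Usage after sourcing this file (placeholder IDs; real ones come from the PHZ
# console and the DNS VPC), run under the profile of the account named above:
#   AWS_PROFILE=account-a authorize_dns_vpc   Z0PLACEHOLDERZONE us-east-1 vpc-0placeholder
#   AWS_PROFILE=dns-vpc   associate_dns_vpc   Z0PLACEHOLDERZONE us-east-1 vpc-0placeholder
#   AWS_PROFILE=account-a revoke_authorization Z0PLACEHOLDERZONE us-east-1 vpc-0placeholder
#   AWS_PROFILE=account-a list_associated_vpcs Z0PLACEHOLDERZONE
```

Repeat the three steps for the second PHZ (account B) with that zone's ID. A dry run with AWS_BIN=echo prints each command instead of calling AWS, which is a convenient way to review the exact API calls before they are made with real credentials.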
   Once the association is created, the DNS VPC is able to resolve DNS records in the associated PHZs.

2. Add the conditional forwarder rule for awscloud.private: go to the Route 53 Resolver console (https://console.aws.amazon.com/route53resolver) and select Rules
3. Select Create rule and fill in the following:

Name: awscloud-private
Rule type: Forward
Domain name: awscloud.private
VPCs that use this rule: [local VPC]
Outbound endpoint: [select the outbound endpoint]
Target IP addresses: specify the Inbound endpoint IP addresses
4. Click Submit
5. Go to the Resource Access Manager console and share the new rule with the Organization (the steps are documented in the previous labs)

Lab Setup - two new accounts - one more time: (objective: now that the new rule has been created, we need to associate the new accounts' VPCs with the new rule)

1. Go to the Route 53 Resolver console (https://console.aws.amazon.com/route53resolver)
2. Click on the rule that has been shared
3. In the new window, locate the Associate VPC button and click it
4. Click on the Choose VPC drop-down list and select the VPC
5. Click Add
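The console steps for the forwarding rule (create it in the DNS VPC account, share it through RAM, associate it with each new account's VPC, then check the associations) as CLI calls, added here as an example and not part of the original lab. Every endpoint, rule, organization and account ID is a placeholder, AWS_BIN is an assumed dry-run override, and the deterministic creator-request-id and the input checks are my choices rather than anything the lab specifies.

```shell
#!/bin/sh
# Added example (not part of the original lab): the forwarding-rule console steps as
# CLI calls, in the order the lab performs them. Every ID below is a placeholder;
# AWS_BIN is a hypothetical override so the script can be dry-run with AWS_BIN=echo.
set -eu
AWS_BIN="${AWS_BIN:-aws}"

# Step 1 (DNS VPC account): a FORWARD rule for the domain, sent through the outbound
# endpoint to the inbound endpoint IPs on port 53. The creator-request-id is derived
# from name and domain so a retry re-uses the rule instead of creating a duplicate.
create_forwarding_rule() {   # <rule-name> <domain> <outbound-endpoint-id> <inbound-ip>...
  [ "$#" -ge 4 ] || { echo "usage: create_forwarding_rule name domain endpoint ip..." >&2; return 2; }
  local name="$1" domain="$2" endpoint="$3" targets="" ip
  shift 3
  for ip in "$@"; do
    case "$ip" in
      *[!0-9.]*|"") echo "not an IPv4 address: $ip" >&2; return 1 ;;
    esac
    targets="$targets Ip=$ip,Port=53"
  done
  # $targets is intentionally unquoted: it holds one Ip=...,Port=53 word per target.
  "$AWS_BIN" route53resolver create-resolver-rule \
    --creator-request-id "$name-$domain" \
    --name "$name" --rule-type FORWARD --domain-name "$domain" \
    --resolver-endpoint-id "$endpoint" --target-ips $targets
}

# Step 2 (DNS VPC account): share the rule with the organization through RAM,
# restricted to principals inside the organization.
share_rule_with_org() {   # <resolver-rule-arn> <organization-arn>
  "$AWS_BIN" ram create-resource-share --name awscloud-private-rule \
    --resource-arns "$1" --principals "$2" --no-allow-external-principals
}

# Step 3 (each new account, A and B): attach the shared rule to that account's VPC.
# This is the CLI form of the lab's "Associate VPC" button.
associate_rule_with_vpc() {   # <resolver-rule-id> <vpc-id>
  case "$2" in vpc-*) ;; *) echo "not a VPC id: $2" >&2; return 1 ;; esac
  "$AWS_BIN" route53resolver associate-resolver-rule --resolver-rule-id "$1" --vpc-id "$2"
}

# Check (any account that can see the rule): which VPCs are associated with it.
list_rule_associations() {   # <resolver-rule-id>
  "$AWS_BIN" route53resolver list-resolver-rule-associations \
    --filters "Name=ResolverRuleId,Values=$1"
}

# Usage after sourcing this file (placeholder values; run each step under the
# profile of the account named in its comment):
#   AWS_PROFILE=dns-vpc   create_forwarding_rule awscloud-private awscloud.private rslvr-out-PLACEHOLDER 10.0.1.10 10.0.2.10
#   AWS_PROFILE=dns-vpc   share_rule_with_org arn:aws:route53resolver:REGION:ACCOUNT:resolver-rule/rslvr-rr-PLACEHOLDER arn:aws:organizations::ACCOUNT:organization/o-PLACEHOLDER
#   AWS_PROFILE=account-a associate_rule_with_vpc rslvr-rr-PLACEHOLDER vpc-PLACEHOLDER
#   AWS_PROFILE=account-a list_rule_associations rslvr-rr-PLACEHOLDER
```

The target IPs are the inbound endpoint addresses from the lab's rule form. The final listing is the check to run before the nslookup test: if the VPC of account A or B is missing from the rule's associations, queries for awscloud.private from that VPC never reach the outbound endpoint, whatever the PHZ association state.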

Test:

1. Launch an EC2 instance in the VPC of account A
2. From the EC2 instance, execute the following command: nslookup acc2.awscloud.private
3. Launch an EC2 instance in the VPC of account B
4. From the EC2 instance, execute the following command: nslookup acc1.awscloud.private

If the names resolve, the Route 53 setup is working.