4 minute read | Content level: Intermediate
AWS re:Post – How do I share a Route 53 profile with a VPC in a different account?
I want to associate my Amazon Route 53 profiles with an Amazon Virtual Private Cloud (Amazon VPC) that belongs to a different AWS account.
Short description
To associate a Route 53 Profile that Account A owns with an Amazon VPC in Account B, share the profile from the account that owns it (Account A) through AWS Resource Access Manager (AWS RAM). Then, in the account that you shared with (Account B), accept the resource share invitation and associate the VPC with the profile.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you’re using the most recent AWS CLI version.
Prerequisites:
- Access to both accounts.
- Route 53 Profiles is a service that manages DNS settings for multiple VPCs. When you update a profile, the settings propagate to all VPCs that are associated with the profile.
- Route 53 Profiles is a Regional service. You can share a profile, and associate VPCs with it, only in the same AWS Region where you created the profile and its rules.
Route 53 profiles owner account (Account A)
Before you begin, consider the following:
Resources managed by Profiles include:
- Private hosted zones
- Route 53 Resolver rules
- DNS Firewall rule groups
VPC configurations managed by Profiles include:
- Reverse DNS lookup configuration for Resolver rules
- DNS Firewall failure mode configuration
- DNSSEC validation configuration
Complete the following steps:
Create the Route 53 Profile (if you don't already have one)
1. Run the create-profile command in the AWS CLI to create the profile:
aws route53profiles create-profile --name [name]
Note: Replace [name] with your profile name.
2. Run the list-profiles command to verify the created profile:
aws route53profiles list-profiles
Note: From the command's output, note the ARN (Arn) of the profile that you want to share.
Share the Route 53 Profile with AWS RAM
3. Share the created profile with another AWS account by running the create-resource-share command:
aws ram create-resource-share --name [name] --resource-arns arn:aws:route53profiles:[region]:[account-a-id]:profile/[rp-profile-id] --principals [account-b-id]
Note: Replace [name] with your specified profile name, resource-arns with the profile ARN from the step 2 output, and principals with the ID of the account that you want to share with (Account B).
In the console, the Share status of the shared profile changes from "Not shared" to "Shared by me".
Note: To limit the resource share to member accounts of your AWS Organization, add --no-allow-external-principals to the command:
aws ram create-resource-share --name [name] --resource-arns arn:aws:route53profiles:[region]:[account-a-id]:profile/[rp-profile-id] --principals [account-b-id] --no-allow-external-principals
When you share resources within an organization, principals in the organization can access the shared resources without exchanging invitations.
Route 53 profiles shared account (Account B)
Accept the resource share invitation
1. Run the get-resource-share-invitations command to check the invitation information:
aws ram get-resource-share-invitations
Note: From the command's output, note the invitation ARN (resourceShareInvitationArn). If the share was created within your AWS Organization, there is no invitation to accept; skip to the association steps.
2. Run the accept-resource-share-invitation command to accept the invitation:
aws ram accept-resource-share-invitation --resource-share-invitation-arn arn:aws:ram:[region]:[account-a-id]:resource-share-invitation/[invitation-id]
Note: Replace resource-share-invitation-arn with the ARN from the step 1 output.
Associate the Route 53 Profile with the VPC
3. Run the list-profiles command to verify that the shared profile is visible and to find the profile to associate:
aws route53profiles list-profiles
Note: From the command's output, note the profile ID (Id).
4. Run the associate-profile command to associate the VPC with the profile:
aws route53profiles associate-profile --name [name] --profile-id [rp-profile-id] --resource-id [vpc-id]
Note: Replace [name] with a name for the association, profile-id with the Id from the step 3 output, and resource-id with the ID of the VPC that you want to associate. The VPC must be in the same Region as the profile.
5. Run the list-profile-associations command to check the association status:
aws route53profiles list-profile-associations --profile-id [rp-profile-id]
Note: Replace profile-id with the Id from the step 3 output, and verify that the associated VPC appears in ResourceId.
DNS queries from this VPC now follow the settings of the Route 53 Profile.
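The Account A and Account B steps above, scripted end to end, as an added example that is not part of the re:Post article. It assumes two AWS CLI named profiles, account-a (owner) and account-b (consumer), a Route 53 Profile name of shared-dns-profile, and the VPC ID in VPC_ID; all of these are placeholders. Instead of copying ARNs and IDs out of command output by hand, it extracts them with --query, checks that the profile's ARN is in the same Region as the VPC before associating (Profiles is Regional), and skips the invitation step when the share was created inside an organization. Nothing calls AWS until the script is run with --run, so the helper functions can be checked without credentials.

```shell
#!/usr/bin/env bash
# Added example (not from the re:Post article). Assumed names: CLI named profiles
# "account-a" (owner) and "account-b" (consumer), Route 53 Profile "shared-dns-profile",
# and a placeholder VPC ID. Nothing below calls AWS unless invoked with --run.
set -euo pipefail

REGION="${REGION:-us-east-1}"
OWNER_CLI_PROFILE="${OWNER_CLI_PROFILE:-account-a}"    # AWS CLI named profile for Account A
MEMBER_CLI_PROFILE="${MEMBER_CLI_PROFILE:-account-b}"  # AWS CLI named profile for Account B
PROFILE_NAME="${PROFILE_NAME:-shared-dns-profile}"     # Route 53 Profile name (assumed)
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"              # VPC in Account B (placeholder)

# ARN helpers. Layout: arn:partition:service:region:account:resource
arn_region()      { printf '%s' "$1" | cut -d: -f4; }
arn_account()     { printf '%s' "$1" | cut -d: -f5; }
arn_resource_id() { printf '%s' "${1##*/}"; }   # text after the last "/", e.g. rp-...

# Route 53 Profiles is Regional: a profile can only be associated with a VPC in
# the Region of the profile's ARN. Returns 0 when the Regions match.
check_same_region() {
  local profile_arn="$1" vpc_region="$2"
  [ "$(arn_region "$profile_arn")" = "$vpc_region" ]
}

# Run one AWS CLI call with the Region, the right credentials, and text output
# so that --query results can be captured directly into shell variables.
aws_as() {
  local cli_profile="$1"; shift
  aws --region "$REGION" --profile "$cli_profile" --output text "$@"
}

main() {
  # --- Account A: create the profile and share it through AWS RAM ---
  local profile_arn member_account share_arn
  profile_arn=$(aws_as "$OWNER_CLI_PROFILE" route53profiles create-profile \
      --name "$PROFILE_NAME" --query 'Profile.Arn')
  check_same_region "$profile_arn" "$REGION" \
      || { echo "profile $profile_arn is not in $REGION" >&2; exit 1; }

  member_account=$(aws_as "$MEMBER_CLI_PROFILE" sts get-caller-identity --query 'Account')
  # --no-allow-external-principals keeps the share inside the AWS Organization;
  # remove it if Account B is not a member of the same organization.
  share_arn=$(aws_as "$OWNER_CLI_PROFILE" ram create-resource-share \
      --name "$PROFILE_NAME" --resource-arns "$profile_arn" \
      --principals "$member_account" --no-allow-external-principals \
      --query 'resourceShare.resourceShareArn')

  # --- Account B: accept the invitation (only sent for shares outside an organization) ---
  local invitation_arn
  invitation_arn=$(aws_as "$MEMBER_CLI_PROFILE" ram get-resource-share-invitations \
      --query "resourceShareInvitations[?resourceShareArn=='$share_arn' && status=='PENDING'].resourceShareInvitationArn | [0]")
  if [ -n "$invitation_arn" ] && [ "$invitation_arn" != "None" ]; then
    aws_as "$MEMBER_CLI_PROFILE" ram accept-resource-share-invitation \
        --resource-share-invitation-arn "$invitation_arn" \
        --query 'resourceShareInvitation.status'
  fi

  # --- Account B: associate the VPC and verify the association ---
  local profile_id status
  profile_id=$(arn_resource_id "$profile_arn")   # the Id that list-profiles shows for the shared profile
  aws_as "$MEMBER_CLI_PROFILE" route53profiles associate-profile \
      --name "$PROFILE_NAME" --profile-id "$profile_id" --resource-id "$VPC_ID" >/dev/null
  status=$(aws_as "$MEMBER_CLI_PROFILE" route53profiles list-profile-associations \
      --profile-id "$profile_id" \
      --query "ProfileAssociations[?ResourceId=='$VPC_ID'].Status | [0]")
  echo "association of $VPC_ID with profile $profile_id: $status"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `REGION=eu-west-1 VPC_ID=vpc-... ./share-profile.sh --run` after configuring the two CLI named profiles. The `--profile` flag in `aws_as` selects CLI credentials and is unrelated to the Route 53 Profile; keeping the two meanings apart is the most common source of confusion when scripting this procedure.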
Related information
[1] Documentation > Amazon Route 53 > Working with shared Route 53 Profiles
[2] Documentation > AWS Command Line Interface > AWS RAM examples using AWS CLI
[3] Documentation > AWS RAM > Sharing your AWS resources