Hands-on lab: Implementing Multi-Account Private DNS Management with AWS CLI and Route 53

Objective: In this lab, students will learn how to set up a shared private DNS solution across multiple AWS accounts, simplifying DNS management and providing centralized control over domains and subdomains. They will use AWS CLI to create a shared services VPC, establish VPC peering connections, configure a private hosted zone in Amazon Route 53, and programmatically associate VPCs from other accounts with the hosted zone.

Prerequisites:

  • AWS CLI installed and configured with the necessary credentials.
  • Multiple AWS accounts (at least two) with appropriate permissions for VPC and Route 53 management.

Lab Tasks:

Task 1: Set Up a Shared Services VPC

  1. Use AWS CLI to create a shared services VPC in your central AWS account.
  2. Take note of the VPC ID generated during VPC creation.

Task 2: Establish VPC Peering Connections

  1. Use AWS CLI to create VPC peering connections from the shared services VPC to VPCs in other AWS accounts.
  2. Repeat this step for each VPC in different AWS accounts.

Task 3: Create a Private Hosted Zone in Route 53

  1. Use AWS CLI to create a private hosted zone in Amazon Route 53 associated with the shared services VPC.
  2. Note the hosted zone ID for the next task.

Task 4: Programmatically Associate VPCs with the Hosted Zone

  1. Use AWS CLI to programmatically associate VPCs from other accounts with the hosted zone.
  2. Repeat this step for each VPC that needs to be associated with the hosted zone.

Task 5: Verification

  1. From one of the AWS accounts, create an EC2 instance.
  2. Attempt to resolve the domain name within the private hosted zone using the EC2 instance.
  3. Verify that it successfully resolves to the internal IP address.

Conclusion:

  • Discuss the importance of a shared private DNS solution in multi-account environments.
  • Highlight the significance of centralizing DNS management for organizational domains and subdomains.
  • Encourage students to explore more advanced DNS configurations and network architecture for larger-scale multi-account AWS environments.

This lab will help students gain hands-on experience in setting up a shared private DNS solution, which is a valuable skill for managing AWS networking in real-world scenarios.

To implement the solution described, which involves setting up a shared private DNS for multiple AWS accounts, we can use AWS CLI (Command Line Interface) for various tasks, such as creating a shared services VPC, establishing VPC peering connections, configuring Amazon Route 53 private hosted zones, and programmatically associating VPCs from other accounts with the hosted zone. Let’s break down these steps and explain the relevant AWS CLI commands in detail.

Step 1: Set up a Shared Services VPC

In your central AWS account, you need to create a shared services VPC. This VPC will be used for managing the private DNS. Use the following AWS CLI command to create the shared services VPC:

aws ec2 create-vpc --cidr-block <CIDR_block>
  • <CIDR_block>: Replace this with the desired CIDR block for your VPC.

This command creates a new VPC and returns the VPC ID.

Step 2: Set Up VPC Peering Connections

You’ll need to establish VPC peering connections from the shared services VPC to each VPC in the other accounts. For each VPC peering connection, you can use the following AWS CLI command:

aws ec2 create-vpc-peering-connection --vpc-id <shared_services_vpc_id> --peer-vpc-id <other_vpc_id> --peer-owner-id <other_account_id>
  • <shared_services_vpc_id>: Replace with the VPC ID of the shared services VPC in your central account.
  • <other_vpc_id>: Replace with the VPC ID of one of the other VPCs in a different AWS account.
  • <other_account_id>: The AWS account ID that owns the peer VPC. Without this option the CLI looks for the peer VPC in your own account. Add --peer-region <region> if the peer VPC lives in a different region.

This command only creates a pending peering request; the owner of the peer VPC must accept it in their account (aws ec2 accept-vpc-peering-connection) before the connection becomes active. Repeat this step for each of the VPCs in the other AWS accounts.

Step 3: Create a Private Hosted Zone in Route 53

Now, you need to create a private hosted zone in Amazon Route 53 associated with the shared services VPC. Here’s the AWS CLI command to do that:

aws route53 create-hosted-zone --name <zone_name> --vpc VPCRegion=<region>,VPCId=<vpc_id> --caller-reference <caller_reference> --hosted-zone-config Comment="<zone_comment>",PrivateZone=true
  • <zone_name>: Replace with the name of your private hosted zone (e.g., example.com).
  • <region>: The AWS region of the shared services VPC.
  • <vpc_id>: Replace with the VPC ID of the shared services VPC.
  • <caller_reference>: A unique string that makes the request idempotent (retrying with the same reference does not create a second zone). A timestamp or UUID works.
  • <zone_comment>: An optional comment for the hosted zone.

This command creates a private hosted zone associated with your shared services VPC.

Step 4: Programmatically Associate VPCs with the Hosted Zone

To programmatically associate the VPCs from other accounts with the hosted zone, you can use the following AWS CLI command:

aws route53 associate-vpc-with-hosted-zone --hosted-zone-id <hosted_zone_id> --vpc VPCRegion=<region>,VPCId=<other_vpc_id>
  • <hosted_zone_id>: Replace with the ID of the hosted zone created in Step 3.
  • <region>: The AWS region where the other VPC is located.
  • <other_vpc_id>: The VPC ID of one of the other VPCs in a different AWS account.

Repeat this command for each VPC that needs to be associated with the hosted zone. For a VPC owned by another account this is a two-party operation: first, with the central account's credentials, authorize that specific VPC using aws route53 create-vpc-association-authorization (same --hosted-zone-id and --vpc arguments), then run the command above with the credentials of the account that owns the VPC. Once the association exists, delete the authorization so it cannot be reused later.
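The cross-account flow of Step 4, scripted end to end as an added example (not part of the original lab): the zone owner authorizes the VPC, the VPC owner associates it, the authorization is revoked, and the member account lists the zones its VPC is linked to. It assumes the central account is reachable through the CLI profile named in CENTRAL_PROFILE, each member account through its own profile, and that AWS_CMD can be pointed at "echo" for a dry run.

```shell
#!/bin/sh
# Added example, not from the original lab: cross-account association of a
# Route 53 private hosted zone in the order AWS requires. Assumed: the zone
# owner (central account) uses the CLI profile in CENTRAL_PROFILE, each member
# account its own profile; AWS_CMD may be set to "echo" for a dry run.
set -eu
AWS_CMD="${AWS_CMD:-aws}"
CENTRAL_PROFILE="${CENTRAL_PROFILE:-central}"

# 1. Zone owner authorizes the member VPC (central account credentials).
authorize_vpc() {          # $1 zone id, $2 region, $3 vpc id
  "$AWS_CMD" route53 create-vpc-association-authorization \
    --profile "$CENTRAL_PROFILE" --hosted-zone-id "$1" \
    --vpc "VPCRegion=$2,VPCId=$3"
}
# 2. VPC owner performs the association (member account credentials).
associate_vpc() {          # $1 zone id, $2 region, $3 vpc id, $4 profile
  "$AWS_CMD" route53 associate-vpc-with-hosted-zone \
    --profile "$4" --hosted-zone-id "$1" \
    --vpc "VPCRegion=$2,VPCId=$3"
}
# 3. Zone owner deletes the standing authorization once the association
#    exists, so it cannot be reused later.
revoke_authorization() {   # $1 zone id, $2 region, $3 vpc id
  "$AWS_CMD" route53 delete-vpc-association-authorization \
    --profile "$CENTRAL_PROFILE" --hosted-zone-id "$1" \
    --vpc "VPCRegion=$2,VPCId=$3"
}
# 4. Member-side check: which private zones is this VPC linked to?
list_zones_for_vpc() {     # $1 region, $2 vpc id, $3 profile
  "$AWS_CMD" route53 list-hosted-zones-by-vpc \
    --profile "$3" --vpc-region "$1" --vpc-id "$2"
}
# Full flow for one member VPC.
associate_member_vpc() {   # $1 zone id, $2 region, $3 vpc id, $4 profile
  authorize_vpc "$1" "$2" "$3"
  associate_vpc "$1" "$2" "$3" "$4"
  revoke_authorization "$1" "$2" "$3"
  list_zones_for_vpc "$2" "$3" "$4"
}
# Driver: MEMBER_VPCS lists "region,vpc-id,profile" entries, one per line
# (the default below is a constructed placeholder). Nothing runs unless
# HOSTED_ZONE_ID is set, so the functions can be sourced and dry-run.
if [ -n "${HOSTED_ZONE_ID:-}" ]; then
  printf '%s\n' "${MEMBER_VPCS:-us-east-1,vpc-0example1,member-a}" |
    while IFS=, read -r region vpc profile; do
      associate_member_vpc "$HOSTED_ZONE_ID" "$region" "$vpc" "$profile"
    done
fi
```

Run it as HOSTED_ZONE_ID=<hosted_zone_id> MEMBER_VPCS="<region>,<vpc_id>,<profile>" sh associate.sh, or prefix AWS_CMD=echo to print the exact commands without calling AWS.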

Summary

By following these steps and using the provided AWS CLI commands, you can set up a shared private DNS solution across multiple AWS accounts. This approach simplifies DNS management for your organization while providing centralized control over domains and subdomains. Be sure to replace the placeholders with your specific values when executing these commands.
