How to share DNS services between accounts (for example, AWS RAM)

Task Statement 2.3: Implement complex hybrid and multi-account DNS architectures.

📘 AWS Certified Advanced Networking – Specialty


1. What Does “Sharing DNS Services Between Accounts” Mean?

In AWS, large organizations usually have multiple AWS accounts (for security, billing, or environment separation like dev/test/prod).

Instead of creating separate DNS configurations in every account, you can:

👉 Centralize DNS in one account
👉 Share it with other accounts

This avoids duplication and ensures consistency.


2. Key Service Used: AWS RAM

AWS RAM (Resource Access Manager) allows you to share AWS resources across accounts.

For DNS, RAM is mainly used to share:

  • Route 53 Private Hosted Zones
  • (Indirectly) DNS resolution resources like Resolver rules

3. Why Share DNS Across Accounts?

Benefits (Important for Exam)

  • ✅ Centralized DNS management
  • ✅ Avoid duplicate hosted zones
  • ✅ Consistent naming across environments
  • ✅ Easier hybrid (on-premises + cloud) integration
  • ✅ Reduced operational overhead

4. Core Components You Must Know

4.1 Route 53 Private Hosted Zone (PHZ)

A Private Hosted Zone is used for:

  • Internal DNS (inside VPCs)
  • Resolving domain names like: app.internal.company.local

👉 PHZ can be shared across accounts using AWS RAM


4.2 VPC Association

A Private Hosted Zone works only when it is associated with a VPC.

  • Normally: PHZ → 1 account → 1 or more VPCs
  • With sharing: PHZ → multiple accounts → multiple VPCs

5. How DNS Sharing Works (Step-by-Step)

Step 1: Create Private Hosted Zone

In a central DNS account:

  • Create a Private Hosted Zone
  • Add DNS records (A, CNAME, etc.)

Step 2: Share PHZ via AWS RAM

  • Create a Resource Share
  • Select:
    • Resource type: Private Hosted Zone
  • Choose:
    • Target accounts or AWS Organization

Step 3: Accept Share (If Required)

  • Target account must accept the shared resource
    (auto-accepted if using AWS Organizations)

Step 4: Associate VPCs from Other Accounts

In the target account:

  • Associate its VPC with the shared PHZ

Final Result

All associated VPCs, across every participating account, can now resolve the same DNS names from the shared zone.

6. Example (IT-Based Scenario)

You have:

  • Account A (Networking Account)
    • Hosts central DNS (Private Hosted Zone)
  • Account B (Application Account)
    • Runs EC2 applications

Flow:

  1. PHZ created in Account A: internal.company.local
  2. Share PHZ using AWS RAM
  3. Account B associates its VPC
  4. EC2 instances in Account B can resolve: db.internal.company.local

7. Sharing Route 53 Resolver Rules (Important)

Besides the PHZ, the other key component is Route 53 Resolver.

Route 53 Resolver is used for:

  • Hybrid DNS (AWS ↔ on-premises)
  • Conditional forwarding

Resolver Rule Sharing

Using AWS RAM, you can share:

  • Outbound Resolver Rules
  • Inbound Resolver Rules


Example Use Case:

  • Forward all queries for onprem.local to on-premises DNS servers
  • Share this rule with multiple accounts
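The steps of sections 5 and 7, written out as AWS CLI invocations. This is an added example, not part of the original notes, and every account, zone, VPC, endpoint and rule identifier in it is a constructed placeholder. It also carries the detail the step list compresses: what goes into the RAM resource share is the Resolver rule ARN, while the cross-account VPC association of the private hosted zone itself is completed with a pair of Route 53 calls (the zone-owning account authorizes the specific target VPC, the target account then associates it, and the owner deletes the authorization so it cannot be used for a later association). The owning account therefore also needs route53:CreateVPCAssociationAuthorization alongside the permissions listed in section 8. The convention in `execute` that a CLI profile is named after each account id is an assumption of this helper.

```python
"""Added example, not part of the original notes: the DNS-sharing steps of
sections 5 and 7 as AWS CLI invocations, planned first and executed only on
request. All account, zone, VPC, endpoint and rule identifiers are constructed
placeholders."""
import re
import shlex
import subprocess
from typing import List, Optional, Tuple

Step = Tuple[str, List[str]]  # (account the command must run in, argv)

# Constructed placeholders (not real resources).
CENTRAL_ACCOUNT = "111111111111"   # Account A, networking: owns the PHZ and the rules
TARGET_ACCOUNT = "222222222222"    # Account B, application
REGION = "us-east-1"
PHZ_ID = "Z0123456789ABCDEFGHIJ"   # internal.company.local, already created (step 1)
TARGET_VPC = "vpc-0f9e8d7c6b5a41928"
RULE_ID = "rslvr-rr-0123456789abcdef0"
OUTBOUND_ENDPOINT = "rslvr-out-0123456789abcdef0"
ONPREM_DNS = ["10.10.0.2", "10.10.0.3"]

# Identifier shapes, checked at plan time so a typo fails before any API call.
SHAPES = {
    "account": re.compile(r"^\d{12}$"),
    "hosted_zone": re.compile(r"^Z[A-Z0-9]{8,32}$"),
    "vpc": re.compile(r"^vpc-[0-9a-f]{8,17}$"),
    "resolver_rule": re.compile(r"^rslvr-rr-[0-9a-f]+$"),
}

def check(kind: str, value: str) -> str:
    if not SHAPES[kind].match(value):
        raise ValueError(f"{value!r} is not a well-formed {kind} id")
    return value

def resolver_rule_arn(region: str, account: str, rule_id: str) -> str:
    """RAM shares resources by ARN; this is the ARN form of a Resolver rule."""
    return (f"arn:aws:route53resolver:{region}:{check('account', account)}"
            f":resolver-rule/{check('resolver_rule', rule_id)}")

def plan_phz_sharing(zone_id: str, target_vpc: str, region: str = REGION) -> List[Step]:
    """Cross-account VPC association of a private hosted zone (steps 2 to 4).

    The zone owner authorizes one specific VPC (route53:CreateVPCAssociationAuthorization),
    the target account associates it (route53:AssociateVPCWithHostedZone), and the owner
    then deletes the authorization so it cannot be used for a later association."""
    zone = check("hosted_zone", zone_id)
    vpc = f"VPCRegion={region},VPCId={check('vpc', target_vpc)}"
    return [
        (CENTRAL_ACCOUNT, ["aws", "route53", "create-vpc-association-authorization",
                           "--hosted-zone-id", zone, "--vpc", vpc]),
        (TARGET_ACCOUNT, ["aws", "route53", "associate-vpc-with-hosted-zone",
                          "--hosted-zone-id", zone, "--vpc", vpc]),
        (CENTRAL_ACCOUNT, ["aws", "route53", "delete-vpc-association-authorization",
                           "--hosted-zone-id", zone, "--vpc", vpc]),
    ]

def plan_rule_sharing(rule_id: str, target_vpc: str, invitation_arn: Optional[str] = None,
                      region: str = REGION) -> List[Step]:
    """Share a FORWARD rule for onprem.local through RAM and attach it in the target VPC."""
    steps: List[Step] = [
        # Creates the rule; in a real run the id in the response replaces RULE_ID below.
        (CENTRAL_ACCOUNT, ["aws", "--region", region, "route53resolver", "create-resolver-rule",
                           "--creator-request-id", "onprem-forward-001",
                           "--rule-type", "FORWARD", "--domain-name", "onprem.local",
                           "--resolver-endpoint-id", OUTBOUND_ENDPOINT,
                           "--target-ips", *[f"Ip={ip},Port=53" for ip in ONPREM_DNS]]),
        (CENTRAL_ACCOUNT, ["aws", "--region", region, "ram", "create-resource-share",
                           "--name", "shared-dns-rules",
                           "--resource-arns", resolver_rule_arn(region, CENTRAL_ACCOUNT, rule_id),
                           "--principals", TARGET_ACCOUNT,
                           # Keep the share inside the organization.
                           "--no-allow-external-principals"]),
    ]
    if invitation_arn:  # Not needed when AWS Organizations sharing auto-accepts (step 3).
        steps.append((TARGET_ACCOUNT, ["aws", "--region", region, "ram",
                                       "accept-resource-share-invitation",
                                       "--resource-share-invitation-arn", invitation_arn]))
    steps.append((TARGET_ACCOUNT, ["aws", "--region", region, "route53resolver",
                                   "associate-resolver-rule",
                                   "--resolver-rule-id", check("resolver_rule", rule_id),
                                   "--vpc-id", check("vpc", target_vpc)]))
    return steps

def render(steps: List[Step]) -> List[str]:
    """Dry-run form: one shell line per step, prefixed with the account it belongs to."""
    return [f"[{account}] {shlex.join(argv)}" for account, argv in steps]

def execute(steps: List[Step]) -> None:
    """Run the plan; assumes a CLI profile named after each account id exists."""
    for account, argv in steps:
        subprocess.run([argv[0], "--profile", account, *argv[1:]], check=True)

if __name__ == "__main__":
    for line in render(plan_phz_sharing(PHZ_ID, TARGET_VPC) + plan_rule_sharing(RULE_ID, TARGET_VPC)):
        print(line)
```

Running the module prints the plan without touching any account; `execute` performs it. Each line is tagged with the account whose credentials it needs, which makes the two-sided nature of the procedure visible: the zone owner and the RAM share owner act in Account A, the association and the acceptance happen in Account B. The Resolver steps carry `--region` because rules and resource shares are regional, which is the same point section 9 makes about Resolver endpoints.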

8. Permissions and Access Control

IAM Permissions Required

  • ram:CreateResourceShare
  • route53:AssociateVPCWithHostedZone
  • ec2:DescribeVpcs

Organization-Level Sharing

If using AWS Organizations:

  • Enable RAM sharing with the organization
  • Resources are then shared automatically across member accounts

9. Important Limitations (Exam Critical)

Private Hosted Zones only

  • You cannot share public hosted zones

VPC Association Required

  • DNS works only if VPC is associated with PHZ

Same Region Constraint

  • PHZ is global, but VPC association is region-specific

One PHZ, Multiple VPCs

  • Supported across accounts

No Cross-Region Resolver Endpoints Sharing

  • Resolver endpoints must exist in each region

10. Common Architectures (Exam Scenarios)

10.1 Centralized DNS Account

  • One account manages:
    • Private Hosted Zones
    • Resolver rules
  • Shared with all application accounts

10.2 Hybrid DNS Architecture

  • On-premises DNS integrated with AWS
  • Use:
    • Resolver inbound/outbound endpoints
    • Shared rules across accounts

10.3 Multi-Environment Setup

  • Dev, Test, Prod accounts
  • All use same internal domain via shared PHZ

11. Best Practices

✔ Use a central networking account for DNS
✔ Share PHZ using AWS RAM instead of duplicating
✔ Use consistent domain naming
✔ Use Resolver rules for hybrid DNS
✔ Enable AWS Organizations integration
✔ Monitor using Route 53 query logging


12. Common Exam Traps

⚠️ Trying to share public hosted zones → Not supported
⚠️ Forgetting VPC association → DNS won’t work
⚠️ Confusing RAM with IAM → RAM is for resource sharing
⚠️ Not using Resolver rules for hybrid DNS
⚠️ Assuming automatic cross-account resolution without sharing
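The monitoring best practice (Route 53 query logging) and the "forgetting VPC association" trap above can be turned into a concrete check. The following is an added example, not from the original notes: it reads constructed log lines in the Resolver query log JSON shape (account_id, vpc_id, query_name, rcode, answers, and so on) and flags three conditions: a VPC outside the planned set that queries the shared zone and gets NXDOMAIN (the missing-association symptom), a VPC outside the planned set that receives private answers for the zone (an association nobody planned, which points back to the authorizations the zone owner has issued), and SERVFAIL on the on-premises forwarding domain. The identifiers and the `EXPECTED_ASSOCIATIONS` set are constructed placeholders. One operational detail: query logging is configured per VPC, and the Resolver query log configuration is itself a RAM-shareable resource, so the central account can share one configuration to the application accounts.

```python
"""Added example, not part of the original notes: checks over Route 53 Resolver
query logs for the failure modes described in sections 9, 11 and 12. The log
lines below are constructed in the Resolver query log JSON shape; account and
VPC identifiers are placeholders."""
import json
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

INTERNAL_ZONE = "internal.company.local."   # shared PHZ (query_name carries a trailing dot)
ONPREM_ZONE = "onprem.local."               # forwarded on-premises via a shared Resolver rule

# (account_id, vpc_id) pairs that were intentionally associated with the shared PHZ.
EXPECTED_ASSOCIATIONS: Set[Tuple[str, str]] = {
    ("111111111111", "vpc-0a1b2c3d4e5f60718"),  # Account A, networking VPC
    ("222222222222", "vpc-0f9e8d7c6b5a41928"),  # Account B, application VPC
}

# Constructed sample: one JSON record per query, as Resolver query logging writes them.
SAMPLE_LOG = """\
{"version":"1.100000","account_id":"222222222222","region":"us-east-1","vpc_id":"vpc-0f9e8d7c6b5a41928","query_timestamp":"2024-05-01T10:00:00Z","query_name":"db.internal.company.local.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"10.20.1.15","Type":"A","Class":"IN"}],"srcaddr":"10.20.0.12","srcport":"53214","transport":"UDP","srcids":{"instance":"i-0123456789abcdef0"}}
{"version":"1.100000","account_id":"333333333333","region":"us-east-1","vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2024-05-01T10:00:02Z","query_name":"db.internal.company.local.","query_type":"A","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"10.30.0.7","srcport":"41002","transport":"UDP","srcids":{"instance":"i-0fedcba9876543210"}}
{"version":"1.100000","account_id":"444444444444","region":"us-east-1","vpc_id":"vpc-00000000000000aaa","query_timestamp":"2024-05-01T10:00:05Z","query_name":"db.internal.company.local.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"10.20.1.15","Type":"A","Class":"IN"}],"srcaddr":"10.40.0.9","srcport":"50001","transport":"UDP","srcids":{"instance":"i-0aaaaaaaaaaaaaaaa"}}
{"version":"1.100000","account_id":"222222222222","region":"us-east-1","vpc_id":"vpc-0f9e8d7c6b5a41928","query_timestamp":"2024-05-01T10:00:07Z","query_name":"erp.onprem.local.","query_type":"A","query_class":"IN","rcode":"SERVFAIL","answers":[],"srcaddr":"10.20.0.12","srcport":"53215","transport":"UDP","srcids":{"instance":"i-0123456789abcdef0"}}
{"version":"1.100000","account_id":"222222222222","region":"us-east-1","vpc_id":"vpc-0f9e8d7c6b5a41928","query_timestamp":"2024-05-01T10:00:09Z","query_name":"www.example.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"192.0.2.1","Type":"A","Class":"IN"}],"srcaddr":"10.20.0.12","srcport":"53216","transport":"UDP","srcids":{"instance":"i-0123456789abcdef0"}}
"""

def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone itself or a label beneath it (never a lookalike suffix)."""
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)

def finding(kind: str, rec: Dict) -> Dict[str, str]:
    keys = ("account_id", "vpc_id", "query_name", "rcode", "query_timestamp", "srcaddr")
    out = {k: rec.get(k, "") for k in keys}
    out["kind"] = kind
    return out

def analyze(lines: Iterable[str], expected=EXPECTED_ASSOCIATIONS) -> List[Dict[str, str]]:
    findings: List[Dict[str, str]] = []
    for raw in lines:
        if not raw.strip():
            continue
        rec = json.loads(raw)
        key = (rec["account_id"], rec["vpc_id"])
        name, rcode = rec["query_name"], rec["rcode"]
        if in_zone(name, INTERNAL_ZONE):
            if key in expected:
                continue  # planned association; NXDOMAIN here is just a missing record
            if rcode == "NXDOMAIN":
                # Unassociated VPC: the name fell through to public resolution and failed.
                findings.append(finding("missing_association", rec))
            elif rcode == "NOERROR" and rec.get("answers"):
                # A private answer came back, so this VPC *is* associated, but nobody planned
                # it: review the association authorizations the zone owner has issued.
                findings.append(finding("unexpected_association", rec))
        elif in_zone(name, ONPREM_ZONE) and rcode == "SERVFAIL":
            # Forwarding to on-premises failed: rule not associated with this VPC, outbound
            # endpoint unhealthy, or the on-premises servers unreachable.
            findings.append(finding("onprem_forwarding_failure", rec))
    return findings

def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per kind, the shape a dashboard or alert threshold would consume."""
    return dict(Counter(f["kind"] for f in findings))

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f['kind']:28} {f['account_id']} {f['vpc_id']} {f['query_name']} {f['rcode']}")
```

The planned-association set is the control here: the same log line is benign or a finding depending only on whether the (account, VPC) pair was meant to see the zone, so the set should come from the same source of truth that drives the association authorizations. Queries that resolve public names are ignored, and the zone match insists on a label boundary so a lookalike suffix such as internal.company.local.example. is not mistaken for the shared zone.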


13. Quick Summary (Revision)

  • AWS RAM is used to share DNS resources
  • Private Hosted Zones can be shared across accounts
  • VPC association is required for DNS resolution
  • Resolver rules can also be shared
  • Centralized DNS architecture is recommended
  • Public hosted zones cannot be shared