Tagged: #vpcpeering, ram
-
Question on shared services VPC
JR-TutorialsDojo updated 2 weeks, 4 days ago 2 Members · 6 Posts
-
Hi,
My topic is about this question:
A company wants to implement a multi-account strategy that will be distributed across its several research facilities. There will be approximately 50 teams in total that will need their own AWS accounts. A solution is needed to simplify the DNS management as there is only one team that manages all the domains and subdomains for the whole organization. This means that the solution should allow private DNS to be shared among virtual private clouds (VPCs) in different AWS accounts.
Which of the following solutions has the LEAST complex DNS architecture and allows all VPCs to resolve the needed domain names?
In the correct answer you mention:
Set up VPC peering from this VPC to each VPC on the other accounts.
In the linked AWS blog entry at https://aws.amazon.com/blogs/security/simplify-dns-management-in-a-multiaccount-environment-with-route-53-resolver/ it’s mentioned:
Note: This solution doesn’t require VPC-peering or connectivity between the source/destination VPCs and the DNS-VPC.
Is this not exactly the opposite to your statement?
The solution provided in the blog is basically similar to yours, right?
Thanks and best regards,
Chris
-
Hello ch34,
Thank you for your feedback!
The link provided emphasizes Route 53 Resolver, which simplifies DNS management without requiring VPC peering or direct connectivity between the VPCs and the DNS VPC. This is a valid solution, particularly when you don’t want to establish VPC peering or other network connections between the VPCs in a multi-account setup.
However, VPC peering was mentioned in the correct solution because the question explicitly requires a solution to share DNS among VPCs in different AWS accounts. This typically implies the need for direct connectivity between VPCs to resolve domain names across accounts. In this case, VPC peering allows DNS to be shared directly between VPCs in different accounts, which aligns with the requirement stated in the question.
So, while both approaches can be used to manage DNS in a multi-account environment, the question’s focus on direct DNS resolution across VPCs leads to VPC peering as the best solution for this particular scenario.
I hope this helps! Let us know if you need further assistance.
Regards,
JR @ Tutorials Dojo
-
Thanks for your answer.
I agree, there is a difference between the blog entry and your question. This is fine for me now.
But I still have one question:
One of the possible answers is very similar to the correct one except the last part:
On each of the other AWS Accounts, create a Route 53 private hosted zone and configure the Name Server entry to use the DNS of the central account
This is technically possible and would work, right?
If yes, is the difference to the correct answer just about easier maintenance, because you don’t need to maintain DNS entries in each subaccount?
-
Hello ch34,
Thank you for your question!
I think you are referring to this option: On AWS Resource Access Manager (RAM), set up a shared services VPC on your central account. Create a peering from this VPC to each VPC on the other accounts. On Amazon Route 53, create a private hosted zone associated with the shared services VPC. Manage all domains and subdomains on this hosted zone. On each of the other AWS Accounts, create a Route 53 private hosted zone and configure the Name Server entry to use the DNS of the central account. – While this option uses AWS RAM to share the private hosted zone, it is still incomplete. The subaccount VPCs must be explicitly associated with the central hosted zone through RAM for DNS resolution to work. Configuring NS records does not automatically associate the VPCs, and without the association, DNS queries will fail.
This solution adds unnecessary complexity by requiring each subaccount to create its own private hosted zone and configure NS records to point to the central account’s DNS servers. This extra step creates more maintenance overhead and increases the risk of misconfiguration.
I hope this helps!
Regards,
JR @ Tutorials Dojo
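The explicit cross-account association step that the answer above says is missing, shown as an added example with the Route 53 CLI (this is not code from the thread or from Tutorials Dojo). It assumes two AWS CLI profiles, "central" (owns the private hosted zone) and "team" (owns the VPC); the zone id, VPC id and region in the usage line are placeholders.

```shell
#!/bin/sh
# Associate a VPC from a team account with the central account's private hosted zone.
# Assumed profiles: "central" owns the zone, "team" owns the VPC. Ids are placeholders.
set -eu

# The CLI binary can be overridden (e.g. for a dry run); defaults to the real aws CLI.
AWS_CLI="${AWS_CLI:-aws}"

# share_zone_with_vpc ZONE_ID VPC_ID REGION CENTRAL_PROFILE TEAM_PROFILE
# Step 1 (central account): authorize the team VPC to associate with the zone.
# Step 2 (team account):    perform the association from the VPC owner's side.
# Step 3 (central account): remove the now-consumed authorization.
share_zone_with_vpc() {
  zone="$1"; vpc="$2"; region="$3"; central="$4"; team="$5"
  vpc_arg="VPCRegion=${region},VPCId=${vpc}"

  "$AWS_CLI" route53 create-vpc-association-authorization \
    --profile "$central" --hosted-zone-id "$zone" --vpc "$vpc_arg" >/dev/null

  "$AWS_CLI" route53 associate-vpc-with-hosted-zone \
    --profile "$team" --hosted-zone-id "$zone" --vpc "$vpc_arg" >/dev/null

  "$AWS_CLI" route53 delete-vpc-association-authorization \
    --profile "$central" --hosted-zone-id "$zone" --vpc "$vpc_arg" >/dev/null
}

# zone_associated_with_vpc VPC_ID REGION ZONE_ID TEAM_PROFILE
# Verification from the team account: list the hosted zones this VPC resolves
# against and check that the central zone is among them. Returns 0 if associated.
zone_associated_with_vpc() {
  vpc="$1"; region="$2"; zone="$3"; team="$4"
  "$AWS_CLI" route53 list-hosted-zones-by-vpc --profile "$team" \
    --vpc-id "$vpc" --vpc-region "$region" \
    --query 'HostedZoneSummaries[].HostedZoneId' --output text \
    | tr '\t' '\n' | grep -qx "$zone"
}

# Usage (runs only when all five arguments are supplied):
#   sh share_zone.sh Z0123456789EXAMPLE vpc-0abc123 us-east-1 central team
if [ "$#" -eq 5 ]; then
  share_zone_with_vpc "$1" "$2" "$3" "$4" "$5"
  zone_associated_with_vpc "$2" "$3" "$1" "$5" && echo "associated"
fi
```

Without the authorize/associate pair, a private hosted zone created in the team account with NS records pointing at the central zone does not make the team VPC resolve the central zone's names, which is the failure mode described in the answer.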
-
Exactly, this was the answer I was referring to.
So my impression was right, this would lead to extra work and yes, misconfiguration can happen more easily.
Thanks!
-
No worries, ch34! If you have any more questions, feel free to ask.
-