Connect API Gateway custom domain to hostedZone in separate account - amazon-web-services

If I have 3 AWS accounts (A, B, and C), can I create a Route53 HostedZone (example.com) in account A, and route traffic to API gateways in accounts B and C (equally or based on health check) from the hostedZone in account A?
I've tried the following:
1. Create child hosted zone in account B and C (b.example.com)
2. Create ACM Certificate and API Gateway Custom Domain in account B and C (apigw.b.example.com)
3. Add Alias RecordSet type A to account A HostedZone pointing to API gateway's domain name and hosted zone ID.
Doing this results in example.com routing to the execute-api endpoint of API gateway, which is what I want, but access is restricted because example.com isn't included in the certificate's protected domains. I'm guessing this is because the ACM certificate is local to the child account and its hosted zone (b.example.com).

Changes made to get it working:
1. Get rid of child hosted zones in the API Gateway accounts.
2. Create the same domain name for every API Gateway (this works because they're regional).
3. Do cross-account validation of ACM certificates.
So in short, yes you can do this and split everything by account. It just requires some cross-account wiring for the CNAME records that validate the ACM certificates and the Alias A records that connect the API gateways to the cross-account hosted zone.
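The cross-account wiring described in this answer is two Route 53 change sets owned by account A: the ACM validation CNAMEs that accounts B and C hand over, and the alias A records that fan apigw.example.com out to each account's regional API Gateway domain. The following is an added example (not code from the original post) that builds both change batches from constructed stand-ins for `aws acm describe-certificate` and `aws apigateway get-domain-name` output; the zone, hosted-zone IDs and execute-api names are placeholders. The validation-record half is the same step the CloudFront answer further down this page describes.

```python
"""Build Route 53 change batches for a cross-account API Gateway layout.

Added example, not code from the original post. Assumes:
  * account A owns the public hosted zone for example.com;
  * accounts B and C each have a regional API Gateway custom domain
    named apigw.example.com and a DNS-validated ACM certificate;
  * the caller in account A may call route53:ChangeResourceRecordSets.
All identifiers below are constructed placeholders.
"""
from typing import Dict, List, Optional

# Constructed stand-in for `aws acm describe-certificate` output from
# account B: the validation CNAME that account A must create in its zone.
SAMPLE_DESCRIBE_CERTIFICATE = {
    "Certificate": {
        "DomainName": "apigw.example.com",
        "DomainValidationOptions": [
            {
                "DomainName": "apigw.example.com",
                "ValidationMethod": "DNS",
                "ResourceRecord": {
                    "Name": "_abc123.apigw.example.com.",
                    "Type": "CNAME",
                    "Value": "_def456.acm-validations.aws.",
                },
            }
        ],
    }
}

# Constructed stand-in for `aws apigateway get-domain-name` output from
# accounts B and C. Only regional endpoints expose a regional hosted zone.
SAMPLE_REGIONAL_DOMAINS = [
    {"account": "B", "regionalDomainName": "d-bbbb.execute-api.eu-west-1.amazonaws.com",
     "regionalHostedZoneId": "ZPLACEHOLDERB"},
    {"account": "C", "regionalDomainName": "d-cccc.execute-api.us-east-1.amazonaws.com",
     "regionalHostedZoneId": "ZPLACEHOLDERC"},
]


def validation_changes(describe_cert: Dict) -> List[Dict]:
    """Turn ACM's DomainValidationOptions into UPSERT CNAME changes.

    Record names are already FQDNs (trailing dot), so the zone owner can
    apply them as-is; one change is emitted per DNS-validated domain name.
    """
    changes = []
    for opt in describe_cert["Certificate"]["DomainValidationOptions"]:
        rr = opt.get("ResourceRecord")
        if not rr or opt.get("ValidationMethod") != "DNS":
            continue  # e-mail validation has no record to create
        changes.append({
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": rr["Name"],
                "Type": rr["Type"],
                "TTL": 300,
                "ResourceRecords": [{"Value": rr["Value"]}],
            },
        })
    return changes


def alias_changes(record_name: str, domains: List[Dict],
                  weights: Optional[Dict[str, int]] = None,
                  health_checks: Optional[Dict[str, str]] = None) -> List[Dict]:
    """Weighted alias A records that fan one name out across accounts.

    Each account's custom domain becomes a separate record set under the
    same name, distinguished by SetIdentifier. Equal weights split traffic
    evenly; an optional Route 53 HealthCheckId per account lets Route 53
    stop answering with an account whose API Gateway endpoint is failing.
    EvaluateTargetHealth is left False so failover depends only on the
    explicit health check.
    """
    changes = []
    for d in domains:
        rrset = {
            "Name": record_name,
            "Type": "A",
            "SetIdentifier": f"apigw-account-{d['account']}",
            "Weight": (weights or {}).get(d["account"], 1),
            "AliasTarget": {
                "HostedZoneId": d["regionalHostedZoneId"],
                "DNSName": d["regionalDomainName"],
                "EvaluateTargetHealth": False,
            },
        }
        if health_checks and d["account"] in health_checks:
            rrset["HealthCheckId"] = health_checks[d["account"]]
        changes.append({"Action": "UPSERT", "ResourceRecordSet": rrset})
    return changes


def change_batch(changes: List[Dict], comment: str) -> Dict:
    """Wrap changes in the ChangeBatch shape ChangeResourceRecordSets expects."""
    return {"Comment": comment, "Changes": changes}


if __name__ == "__main__":
    import json
    # With boto3 this batch would be submitted from account A as:
    #   boto3.client("route53").change_resource_record_sets(
    #       HostedZoneId="<zone id in account A>", ChangeBatch=batch)
    batch = change_batch(
        validation_changes(SAMPLE_DESCRIBE_CERTIFICATE)
        + alias_changes("apigw.example.com.", SAMPLE_REGIONAL_DOMAINS),
        "cross-account ACM validation + API Gateway aliases",
    )
    print(json.dumps(batch, indent=2))
```

The validation CNAME only proves to ACM that whoever controls the zone consents to the certificate; it says nothing about which account later serves traffic, which is why the alias records must point at the regional domain name and regional hosted zone ID of each API Gateway rather than at example.com itself.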

Related

aws certificate manager for google domain with route 53

I added my name servers to my Google domain and then added my Google domain to my Route 53 hosted zone. I then requested a certificate through AWS Certificate Manager and added a record for it to the Route 53 hosted zone. My site is still loading as an insecure connection. What steps did I miss? Thank you for any help.
I have listed above the details of my question.
I then requested a certificate through aws certificate manager and added a record for it to route 53 hosted zone.
It seems like you created an ACM certificate and added the required record to the Route53 Zone.
However, that is not enough to provide an HTTPS connection. You need to make use of that ACM certificate in your service (EC2, Amplify, API Gateway, ...).
In other words, your server needs to handle the TLS/SSL handshake to have a secure connection.
See Services integrated with AWS Certificate Manager for a list of services and how you can use the certificate.

Certificate generation by ACM for Cloud front in another account

I have a question related to Cloud Front.
If I have CF enabled with an S3 origin in Account A, and then I create Route 53 DNS records in Account B and point them to the CF.
I will need to add an alternate domain name in CF, which is in Account A, and a certificate as well. Will ACM generate a certificate in Account A when the DNS entry hello.example.com is in another account?
Yes, ACM will be happy to generate any certificate you ask it to, but to verify the certificate to complete the creation process you will have to create a DNS entry in whatever DNS service you are using. You don't even need to be using Amazon's Route53 DNS service; you can use ACM with any DNS service.
You can do the following steps:
1. Create ACM in the us-east-1 region of Account A.
2. Once step 1 is done, you will copy the CNAME record of that ACM and go to Account B to create the DNS record for that CNAME value and use DNS validation. Please keep in mind, e.g. hello.example.com is your public domain and hosted in Route53.
3. Back in Account A, wait a few seconds, then you will see the status of the ACM is issued and you can attach that ACM to your CF in Account A.

How create a CNAME mapping in Amazon Route 53 for custom endpoint elasticsearch in aws?

To make the custom endpoint work, on Route 53, which resource in AWS do I alias? And what kind of route? And if I use a CNAME, do I have to use a subdomain?
"After you enable a custom endpoint for your OpenSearch Service domain, you must create a CNAME mapping in Amazon Route 53 (or your preferred DNS service provider) to route traffic to the custom endpoint and its subdomains. Create the CNAME from the custom endpoint (the name of the record) to the auto-generated endpoint (the value of the record). Without this mapping, your custom endpoint won't work. For steps to create this mapping in Route 53, see Configuring DNS routing for a new domain and Creating a hosted zone for a subdomain. For other providers, consult their documentation." (AWS documentation)
This works for me.
I created a CNAME with the same name as the custom endpoint and pointed it to the auto-generated endpoint.

Manage Subdomain Zone with AWS Route 53

I have a domain example.tld that is registered with one company and hosted with another. That website uses HTTPS and has a Let's Encrypt certificate set up by the hosting company through an automated script. I'm trying to make an S3 bucket accessible from sub.example.tld.
I currently have a public S3 bucket and a CNAME set up with my hosting company to point sub to my bucket. I'm able to access the contents of my bucket from the http and https protocols using an Amazon-generated domain, and from http only from sub.example.tld.
I know I can set up S3 with CloudFront and use a CNAME with HTTPS there; however, since my domain name isn't hosted with AWS I have to import a certificate, which I do not have.
What I'm thinking of doing is to create a hosted zone in Route 53 for sub.example.tld. Then I can delete the current CNAME registration with my hosting company to the bucket and instead create some kind of DNS record with my hosting company to point sub to the hosted zone with Amazon.
I'm able to create the following DNS records: A, CNAME, MX, NS, TXT, SRV, AAAA, DNAME, and CAA.
Does my idea of creating a hosted zone for the subdomain make sense? And if so, what type of DNS record would I create with my host to allow me to have a subdomain managed elsewhere?

Will Route53 private hosted zone work over AWS VPC Peering in two accounts

I have a similar question as Will Route53 private hosted zone work over AWS VPC Peering but with one difference.
Is it possible to set up the same scenario when these two VPCs are in different accounts? So the hosted zone is in one account with one VPC and there is a second VPC but in a different account (connected via VPC Peering).
Yes, it is possible to share a private Route53 hosted zone with a different account.
If you want to associate a VPC that you created with one AWS account with a private hosted zone that you created with a different account, perform the following procedure:
To associate an Amazon VPC and a private hosted zone that you created with different AWS accounts
1. Using the account that created the hosted zone, authorize the association of the VPC with the private hosted zone by using one of the following methods:
- AWS SDK or AWS Tools for Windows PowerShell – See the applicable documentation on the AWS Documentation page
- AWS CLI – See the route53 page in the AWS Command Line Interface Reference
- Amazon Route 53 API – See CreateVPCAssociationAuthorization in the Amazon Route 53 API Reference
Note the following:
- If you want to associate multiple VPCs that you created with one account with a hosted zone that you created with a different account, you must submit one authorization request for each VPC.
- When you authorize the association, you must specify the hosted zone ID, so the private hosted zone must already exist.
- You can't use the Amazon Route 53 console either to authorize the association of a VPC with a private hosted zone or to make the association.
2. Using the account that created the VPC, associate the VPC with the hosted zone. As with authorizing the association, you can use the AWS SDK, Tools for Windows PowerShell, the AWS CLI, or the Amazon Route 53 API. If you're using the API, use the AssociateVPCWithHostedZone action.
3. Optional but recommended – Delete the authorization to associate the VPC with the hosted zone. Deleting the authorization does not affect the association; it just prevents you from reassociating the VPC with the hosted zone in the future. If you want to reassociate the VPC with the hosted zone, you'll need to repeat steps 1 and 2 of this procedure.
Note: For the limit on the number of authorizations that you can create, see Limits on Entities.
Source: http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-associate-vpcs-different-accounts.html
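The three steps in the quoted procedure have to run from two different sets of credentials, and the third step is the one people skip. The following added example (not code from the original answer or from AWS) drives the sequence through two boto3-style Route 53 clients, one per account, which are passed in so the flow can be exercised offline against a constructed stub that refuses an association nobody authorized. The boto3 method names and their `HostedZoneId`/`VPC` arguments are the real ones for CreateVPCAssociationAuthorization, AssociateVPCWithHostedZone and DeleteVPCAssociationAuthorization; the zone and VPC identifiers are placeholders.

```python
"""Cross-account private hosted zone association, steps 1 to 3 above.

Added example, not code from the original answer. It assumes two boto3
Route 53 clients: one built from credentials for the account that owns
the hosted zone, one for the account that owns the VPC. The clients are
injected so the sequence can be checked against a stub without AWS access.
Zone and VPC identifiers are placeholders.
"""
from typing import Dict, List, Tuple


def associate_cross_account_vpc(zone_owner, vpc_owner, hosted_zone_id: str,
                                vpc_region: str, vpc_id: str,
                                revoke_authorization: bool = True) -> List[str]:
    """Authorize in the zone owner's account, associate from the VPC owner's,
    then (recommended) delete the authorization so it cannot be reused.

    Returns the ordered list of API actions performed, usable as an audit
    trail. The `VPC` argument uses the shape the Route 53 API expects.
    """
    vpc = {"VPCRegion": vpc_region, "VPCId": vpc_id}
    performed = []

    # Step 1: only the account that created the hosted zone may authorize,
    # and the zone must already exist because its ID is required here.
    zone_owner.create_vpc_association_authorization(HostedZoneId=hosted_zone_id, VPC=vpc)
    performed.append("CreateVPCAssociationAuthorization")

    # Step 2: the account that owns the VPC completes the association.
    vpc_owner.associate_vpc_with_hosted_zone(
        HostedZoneId=hosted_zone_id, VPC=vpc,
        Comment=f"cross-account association of {vpc_id}")
    performed.append("AssociateVPCWithHostedZone")

    # Step 3: revoke the standing authorization. The association survives;
    # a later re-association needs a fresh authorization from the zone owner.
    if revoke_authorization:
        zone_owner.delete_vpc_association_authorization(HostedZoneId=hosted_zone_id, VPC=vpc)
        performed.append("DeleteVPCAssociationAuthorization")
    return performed


class RecordingRoute53:
    """Constructed stand-in for a boto3 Route 53 client: records the calls it
    receives and, like the real service, rejects an unauthorized association."""

    def __init__(self, name: str, authorizations: Dict):
        self.name = name
        self.calls: List[str] = []
        self.authorizations = authorizations  # shared, models Route 53's state

    def create_vpc_association_authorization(self, HostedZoneId, VPC):
        self.calls.append("CreateVPCAssociationAuthorization")
        self.authorizations[(HostedZoneId, VPC["VPCId"])] = True
        return {"HostedZoneId": HostedZoneId, "VPC": VPC}

    def associate_vpc_with_hosted_zone(self, HostedZoneId, VPC, Comment=""):
        self.calls.append("AssociateVPCWithHostedZone")
        if not self.authorizations.get((HostedZoneId, VPC["VPCId"])):
            raise PermissionError("NotAuthorizedException: no association authorization")
        return {"ChangeInfo": {"Status": "PENDING", "Comment": Comment}}

    def delete_vpc_association_authorization(self, HostedZoneId, VPC):
        self.calls.append("DeleteVPCAssociationAuthorization")
        self.authorizations.pop((HostedZoneId, VPC["VPCId"]), None)
        return {}


def run_with_stub(revoke: bool = True) -> Tuple[List[str], List[str], List[str], Dict]:
    """Run the procedure against the stub and return the evidence of what happened."""
    shared: Dict = {}
    zone_owner = RecordingRoute53("account-with-zone", shared)
    vpc_owner = RecordingRoute53("account-with-vpc", shared)
    performed = associate_cross_account_vpc(
        zone_owner, vpc_owner, "ZPLACEHOLDER", "us-east-1", "vpc-placeholder",
        revoke_authorization=revoke)
    return performed, zone_owner.calls, vpc_owner.calls, shared


if __name__ == "__main__":
    # Real use, with two named profiles (placeholders):
    #   zone_owner = boto3.Session(profile_name="zone-account").client("route53")
    #   vpc_owner  = boto3.Session(profile_name="vpc-account").client("route53")
    print(run_with_stub())
```

Leaving the authorization in place after the association is a standing grant that lets the VPC-owning account re-attach that VPC to the zone at any time without the zone owner's involvement; deleting it (step 3) keeps the association but returns control of future changes to the zone owner.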