A route 53 private hosted zone is a container that holds information about how you want Amazon Route 53 to respond to DNS queries for a domain and its subdomains within one or more VPCs that you create with the Amazon VPC service.
Private zones are convenient when you want to register services for DNS, but then don’t want to make the DNS records available publicly.
Here is an example:
An application in account 987654321 wants to call a service in account 123456789. A DNS record exists in account 123456789 with the name of api.application-dev.domain.com, but since this is private, it is shared only with its own VPC.
This post only describes how to allow the zone to be associated with multiple VPCs, it is not intended to go over how to peer or connect the vpcs using a transit gateway, that is intended for another post.
How to associate the private zone with another VPC?
As far as I am aware, this can only be done via the CLI, and not within the AWS console.
First you need to create a vpc association authorisation, to allow the hosted zone to be shared with the management account. This command is run against the applications-dev account, and the vpc needs to be the management vpc.
AWS_PROFILE=applications-dev aws route53 create-vpc-association-authorization --hosted-zone-id=Z1234 --vpc VPCRegion=eu-west-2,VPCId=vpc-5678
Next, you need to associate the vpc with the hosted zone. This command is run against the management account, and the vpc needs to be the management vpc.
AWS_PROFILE=shared aws route53 associate-vpc-with-hosted-zone --hosted-zone-id=Z1234 --vpc VPCRegion=eu-west-2,VPCId=vpc-5678
You will notice now on your zone, that multiple VPCs are now included in the list
If you perform an NSlookup from VPC2, you will resolve the records you expected, from VPC1’s private zone.