
We're implementing an AWS serverless stack with multiple environments. Trying to follow best practices, we created multiple accounts for different purposes.

There's a DNS account, which is supposed to contain all hosted zones related to this project. It has a hosted zone for example.org.

We have multiple environments and a corresponding account for each. For now I'll focus on dev and prod.

This is how the host configuration should look:

DEVELOPMENT

  • app.dev.example.org (CloudFront distribution in dev account)
  • login.dev.example.org (CloudFront distribution for Cognito Hosted UI in dev account)
  • api.dev.example.org (API Gateway in dev account)
  • cdn.dev.example.org (CloudFront distribution in dev account)

PRODUCTION

  • example.org (CloudFront distribution in prod account)
  • login.example.org (CloudFront distribution for Cognito Hosted UI in prod account)
  • api.example.org (API Gateway in prod account)
  • cdn.example.org (CloudFront distribution in prod account)

dev is straightforward: set up NS records for the subdomain dev.example.org using the name servers from the hosted zone dev.example.org in the dev account, and it's done.

prod is tricky, as we'd like to use the APEX record of example.org. Additionally, login.example.org, api.example.org and cdn.example.org don't have a common subdomain.

Searching for possible solutions, I came up with the following options:

  1. Create the hosted zone for example.org in the production account instead. Delegate subdomains to other accounts (i.e. dev) from there.
  2. (Not sure): Create a reusable delegation set. This way two hosted zones could be created (if I understood correctly), one in DNS account and one in prod account. They'd be sharing the same nameservers. I couldn't find out if this works cross-account though and didn't test it yet.
  3. (Not sure): Set up hosted zones in prod for each of login.example.org, api.example.org and cdn.example.org. This would allow setting the subdomains' APEX records from within the prod account. This is not a solution for the APEX record of example.org. Besides, it's 3 additional hosted zones (just for accomplishing a workaround).

I wanted to see if I'm missing anything fundamental here and/or if anyone out there had a similar situation and an alternative/better solution. That use case shouldn't be too exotic?

Henry
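The dev delegation described above, and the reason the same trick does not work for the example.org apex, as an added example that is not part of the original post. Hosted zone ids, the account id and the four name servers are constructed placeholders; the ChangeBatch shape is the one Route 53's ChangeResourceRecordSets API accepts.

```python
"""Planner for the NS delegation of dev.example.org from the DNS account's
example.org zone to the dev account's zone, plus a drift check for an
existing delegation. Added example; ids and name servers are constructed."""

# Constructed sample: the child zone dev.example.org created in the dev account.
# In practice you read these names from the child zone's own NS record.
DEV_ZONE = {
    "name": "dev.example.org.",
    "account": "222222222222",            # constructed account id
    "name_servers": [
        "ns-101.awsdns-12.com.",          # constructed, not real AWS servers
        "ns-502.awsdns-49.net.",
        "ns-1234.awsdns-26.org.",
        "ns-1900.awsdns-45.co.uk.",
    ],
}
PARENT_ZONE_NAME = "example.org."         # hosted zone in the DNS account


def fqdn(name):
    """Normalise to Route 53's stored form: lowercase, exactly one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def is_proper_subdomain(child, parent):
    """True only if child is strictly below parent (a zone is not below itself)."""
    child, parent = fqdn(child), fqdn(parent)
    return child != parent and child.endswith("." + parent)


def ns_delegation_change(parent_zone, child_zone, child_name_servers, ttl=172800):
    """Build the change batch the DNS account applies to the parent zone so that
    queries for child_zone are referred to the child zone's own name servers.

    Raises ValueError for the apex case: the NS set at a zone's own name is that
    zone's delegation set, so the apex cannot be handed to a zone in another
    account with an NS record. That is why prod needs a different option."""
    if not is_proper_subdomain(child_zone, parent_zone):
        raise ValueError(
            f"{fqdn(child_zone)} is not a proper subdomain of {fqdn(parent_zone)}; "
            "an apex cannot be delegated with NS records"
        )
    if not child_name_servers:
        raise ValueError("child zone has no name servers")
    return {
        "Comment": f"delegate {fqdn(child_zone)} to its own hosted zone",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": fqdn(child_zone),
                "Type": "NS",
                "TTL": ttl,
                "ResourceRecords": [{"Value": fqdn(ns)} for ns in child_name_servers],
            },
        }],
    }


def delegation_matches(parent_ns_rrset, child_name_servers):
    """Drift check: the NS values in the parent must equal the child zone's current
    delegation set. Deleting and recreating the child zone assigns new name
    servers, and a stale parent NS set then leaves a lame delegation."""
    parent = {fqdn(r["Value"]) for r in parent_ns_rrset.get("ResourceRecords", [])}
    child = {fqdn(ns) for ns in child_name_servers}
    return parent == child


if __name__ == "__main__":
    import json
    batch = ns_delegation_change(PARENT_ZONE_NAME, DEV_ZONE["name"], DEV_ZONE["name_servers"])
    print(json.dumps(batch, indent=2))
    try:
        ns_delegation_change(PARENT_ZONE_NAME, PARENT_ZONE_NAME, DEV_ZONE["name_servers"])
    except ValueError as err:
        print("apex:", err)
```

Run `delegation_matches` periodically against the parent zone's NS record for dev.example.org: it is the check that catches a recreated child zone before the subdomain goes dark.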

1 Answer


Choose 1 - that's the easiest.

Or 4 - Use a cross-account access to insert records into the zone in "dns" account from "prod" account.

Also note that the ALIAS records can point to resources in other accounts, they don't have to be in the same one.

Hope that helps :)

MLu
  • Thanks a lot! Also thought about cross account access (from **prod** to **DNS**) but I guess you wouldn't be able to restrict access on a per-record basis. That'd almost be the same as having the hosted zone in **prod**. However, ALIAS records could be the way to go. I wasn't aware that you could point them to resources in other accounts. Only need to find out if destination records need to exist when creating an ALIAS. If not, this would be perfect for our needs. – Henry Aug 18 '20 at 06:05
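Option 4 from the answer, set up with least privilege, together with the ALIAS records the answer mentions, as an added example that is neither the answer's code nor AWS's. Account ids, the hosted zone id and the distribution domain are constructed placeholders. The CloudFront hosted zone id is the fixed value AWS documents for alias records to any distribution. The `route53:ChangeResourceRecordSets*` condition keys are IAM condition keys that AWS added to Route 53 after this thread; the example assumes they are available to you, and the `preflight` function is a local approximation of what they enforce, not the IAM evaluator itself.

```python
"""A role in the DNS account that the prod account assumes to write only the
production names into the example.org zone, CloudFront alias records for those
names, and an offline pre-flight check run before the batch is sent.
Added example; account ids, zone id and distribution domain are constructed."""

DNS_ACCOUNT = "111111111111"               # constructed
PROD_ACCOUNT = "222222222222"              # constructed
DNS_ZONE_ID = "Z0000000EXAMPLEORG"         # placeholder hosted zone id
CLOUDFRONT_ZONE_ID = "Z2FDTNDATAQYW2"      # fixed hosted zone id for CloudFront aliases
PROD_NAMES = ["example.org", "login.example.org", "api.example.org", "cdn.example.org"]


def normalized(name):
    """Form the NormalizedRecordNames condition key uses: lowercase, no trailing dot."""
    return name.strip().lower().rstrip(".")


def trust_policy(trusted_account):
    """Trust policy of the role in the DNS account: only the prod account may assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }]}


def permission_policy(zone_id, allowed_names, allowed_types=("A", "AAAA")):
    """Permissions of that role: one zone, only the listed names and record types.
    Assumed condition keys; without them the role could rewrite any record."""
    return {"Version": "2012-10-17", "Statement": [
        {
            "Sid": "ChangeOnlyProdNames",
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": f"arn:aws:route53:::hostedzone/{zone_id}",
            "Condition": {"ForAllValues:StringEquals": {
                "route53:ChangeResourceRecordSetsNormalizedRecordNames":
                    [normalized(n) for n in allowed_names],
                "route53:ChangeResourceRecordSetsRecordTypes": list(allowed_types),
            }},
        },
        {
            "Sid": "ReadBack",
            "Effect": "Allow",
            "Action": ["route53:ListResourceRecordSets", "route53:GetChange"],
            "Resource": [f"arn:aws:route53:::hostedzone/{zone_id}",
                         "arn:aws:route53:::change/*"],
        },
    ]}


def alias_to_cloudfront(name, distribution_domain, record_type="A"):
    """ALIAS record for a CloudFront distribution. The distribution can live in
    another account: the alias is resolved by the target's DNS name, not by ownership."""
    return {
        "Name": normalized(name) + ".",
        "Type": record_type,
        "AliasTarget": {
            "HostedZoneId": CLOUDFRONT_ZONE_ID,
            "DNSName": normalized(distribution_domain) + ".",
            "EvaluateTargetHealth": False,
        },
    }


def prod_change_batch(distribution_domain):
    """Apex, login and cdn as A and AAAA aliases. One sample domain stands in for
    the three distributions. api.example.org is omitted: an API Gateway custom
    domain is also an alias, but its hosted zone id comes from API Gateway."""
    changes = []
    for name in ("example.org", "login.example.org", "cdn.example.org"):
        for rtype in ("A", "AAAA"):
            changes.append({"Action": "UPSERT",
                            "ResourceRecordSet": alias_to_cloudfront(name, distribution_domain, rtype)})
    return {"Comment": "prod CloudFront aliases", "Changes": changes}


def preflight(change_batch, policy):
    """Local approximation of the condition keys: return the (name, type) pairs
    in the batch that the policy does not allow, so a pipeline fails early
    instead of getting an AccessDenied from Route 53 after assuming the role."""
    allowed_names, allowed_types = set(), set()
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {}).get("ForAllValues:StringEquals", {})
        allowed_names.update(cond.get("route53:ChangeResourceRecordSetsNormalizedRecordNames", []))
        allowed_types.update(cond.get("route53:ChangeResourceRecordSetsRecordTypes", []))
    rejected = []
    for change in change_batch["Changes"]:
        rrset = change["ResourceRecordSet"]
        pair = (normalized(rrset["Name"]), rrset["Type"])
        if pair[0] not in allowed_names or pair[1] not in allowed_types:
            rejected.append(pair)
    return rejected
```

Attach `trust_policy(PROD_ACCOUNT)` and `permission_policy(DNS_ZONE_ID, PROD_NAMES)` to the role in the DNS account; the prod deployment assumes that role and sends `prod_change_batch(...)` only when `preflight` returns an empty list. The NS record for dev.example.org and the zone's own apex NS/SOA records are outside the allowed names and types, so the prod role cannot touch the delegation even though it writes into the same zone.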