When you associate a Route 53 private hosted zone with a VPC in a different AWS account, the system is designed to trust the VPC owner to manage DNS resolution for that VPC, but it’s the hosted zone owner who ultimately controls the DNS records.
Let’s see this in action. Imagine Account A owns a private hosted zone my-internal-zone.com and Account B owns a VPC vpc-0123456789abcdef0.
First, in Account A (the Route 53 owner):
```bash
aws route53 associate-vpc-with-hosted-zone \
  --hosted-zone-id Z0123456789ABCDEF \
  --vpc VPCRegion=us-east-1,VPCId=vpc-0123456789abcdef0
```
This command tells Route 53 in Account A that vpc-0123456789abcdef0 should now be able to resolve records within my-internal-zone.com.
Next, in Account B (the VPC owner):
You don’t run a specific command to "accept" the association from the VPC side. Instead, you ensure your VPC’s DNS settings are configured to use the associated private hosted zone. This is typically handled by Route 53 itself when the association is made, but you can verify it by looking at your VPC’s DNS settings.
Now, if you were to launch an EC2 instance in vpc-0123456789abcdef0 with the private IP 10.0.1.50 and create a record in my-internal-zone.com in Account A:
In Account A:
```bash
aws route53 change-resource-record-sets \
  --hosted-zone-id Z0123456789ABCDEF \
  --change-batch '{"Changes":[{"Action":"CREATE","ResourceRecordSet":{"Name":"app.my-internal-zone.com.","Type":"A","TTL":300,"ResourceRecords":[{"Value":"10.0.1.50"}]}}]}'
```
From an EC2 instance within vpc-0123456789abcdef0 in Account B, you can now dig app.my-internal-zone.com and expect to get 10.0.1.50. The magic here is that the VPC’s DNS resolver, managed by AWS within the VPC, is configured by Route 53 to forward queries for my-internal-zone.com to the Route 53 service in Account A.
The problem this solves is enabling private DNS resolution for resources spread across different AWS accounts, without exposing those private zones to the entire internet or requiring complex network peering for DNS alone. It allows a central team (Account A) to manage the authoritative DNS for internal services, while individual teams (Account B) can consume those DNS records for their VPCs.
Internally, when a DNS query for app.my-internal-zone.com originates from an instance in vpc-0123456789abcdef0, the VPC’s DNS resolver checks its configuration. Because the VPC is associated with my-internal-zone.com, the resolver knows to send this query to the Route 53 service endpoint for that hosted zone. Route 53 in Account A then looks up app.my-internal-zone.com within its zone data and returns the A record value (10.0.1.50) back to the VPC’s resolver, which finally returns it to the requesting instance.
The exact levers you control are:
- Hosted Zone Owner (Account A): creates, modifies, and deletes DNS records within the private hosted zone. They control the Name, Type, TTL, and Value of records.
- VPC Owner (Account B): associates or disassociates the VPC with the hosted zone. They control whether their VPC can resolve names in that hosted zone. They cannot modify records in the hosted zone.
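Because each side only controls its own lever, both sides should periodically check what the other side has done. The zone owner can see every associated VPC in the `VPCs` list of `aws route53 get-hosted-zone`, and the VPC owner can see every private zone their VPC resolves, with the owning account, in `aws route53 list-hosted-zones-by-vpc`. The following script is an added example, not code from the original article; it runs offline over constructed responses in the shape those two commands return (the VPC IDs, zone IDs and account numbers are made up), and flags associations that fall outside an allowlist on either side.

```python
"""Audit Route 53 private hosted zone associations from both sides.

Added example. Input is the JSON that two real CLI calls return:
  aws route53 get-hosted-zone --id Z...                       (zone owner)
  aws route53 list-hosted-zones-by-vpc --vpc-id ... --vpc-region ...  (VPC owner)
Both responses below are constructed samples, not captured from an account.
"""
import json
from typing import Dict, List

# Constructed sample: what the zone owner (Account A) sees for its zone.
GET_HOSTED_ZONE_RESPONSE = json.dumps({
    "HostedZone": {
        "Id": "/hostedzone/Z0123456789ABCDEF",
        "Name": "my-internal-zone.com.",
        "Config": {"PrivateZone": True},
    },
    "VPCs": [
        {"VPCRegion": "us-east-1", "VPCId": "vpc-0aaaaaaaaaaaaaaaa"},  # Account A's own VPC
        {"VPCRegion": "us-east-1", "VPCId": "vpc-0123456789abcdef0"},  # Account B's VPC
        {"VPCRegion": "eu-west-1", "VPCId": "vpc-0deadbeefdeadbeef"},  # not on anyone's list
    ],
})

# Constructed sample: what the VPC owner (Account B) sees for vpc-0123456789abcdef0.
LIST_ZONES_BY_VPC_RESPONSE = json.dumps({
    "HostedZoneSummaries": [
        {"HostedZoneId": "Z0123456789ABCDEF", "Name": "my-internal-zone.com.",
         "Owner": {"OwningAccount": "111111111111"}},
        {"HostedZoneId": "ZFFFFFFFFFFFFFFFF", "Name": "corp.example.",
         "Owner": {"OwningAccount": "999999999999"}},
        {"HostedZoneId": "ZSSSSSSSSSSSSSSSS", "Name": "vpce.example.",
         "Owner": {"OwningService": "efs.amazonaws.com"}},
    ],
})


def unexpected_vpc_associations(get_hosted_zone_json: str,
                                allowed_vpc_ids: List[str]) -> List[str]:
    """Zone owner's check: VPC IDs that can resolve this zone but are not allowlisted."""
    data = json.loads(get_hosted_zone_json)
    allowed = set(allowed_vpc_ids)
    return sorted(v["VPCId"] for v in data.get("VPCs", []) if v["VPCId"] not in allowed)


def missing_vpc_associations(get_hosted_zone_json: str,
                             expected_vpc_ids: List[str]) -> List[str]:
    """Zone owner's check: allowlisted VPCs whose association has been removed."""
    data = json.loads(get_hosted_zone_json)
    present = {v["VPCId"] for v in data.get("VPCs", [])}
    return sorted(v for v in expected_vpc_ids if v not in present)


def zones_from_unknown_accounts(list_by_vpc_json: str,
                                trusted_accounts: List[str]) -> List[Dict[str, str]]:
    """VPC owner's check: private zones this VPC resolves that belong to an
    account outside the trusted set. Zones created by an AWS service carry
    OwningService instead of OwningAccount and are not account-owned, so
    they are skipped here."""
    data = json.loads(list_by_vpc_json)
    trusted = set(trusted_accounts)
    findings = []
    for z in data.get("HostedZoneSummaries", []):
        account = z.get("Owner", {}).get("OwningAccount")
        if account is not None and account not in trusted:
            findings.append({"zone": z["Name"], "id": z["HostedZoneId"], "account": account})
    return findings


if __name__ == "__main__":
    print("extra VPCs:", unexpected_vpc_associations(
        GET_HOSTED_ZONE_RESPONSE, ["vpc-0aaaaaaaaaaaaaaaa", "vpc-0123456789abcdef0"]))
    print("missing VPCs:", missing_vpc_associations(
        GET_HOSTED_ZONE_RESPONSE, ["vpc-0123456789abcdef0", "vpc-0bbbbbbbbbbbbbbbb"]))
    print("foreign zones:", zones_from_unknown_accounts(
        LIST_ZONES_BY_VPC_RESPONSE, ["111111111111"]))
```

In practice you would feed the script the live output of the two CLI commands instead of the constructed constants; the VPC-side check is the one that matters most, since a VPC that quietly resolves a private zone owned by an account you do not recognise means someone else can answer internal names for your workloads.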
Crucially, the AssociateVPC call is idempotent and creates an entry in the VPC’s DNS resolver configuration, but it doesn’t force the VPC to use that zone if other, more specific private zones (or public zones) have been configured to handle the same domain name. Route 53’s resolution order is hierarchical: if a VPC is associated with multiple private zones, or has custom DNS servers configured, the most specific match or the custom server takes precedence.
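The "most specific match" rule above is a longest-suffix match on whole DNS labels across the private zones a VPC is associated with: a query for a name is answered by the associated zone whose name is the longest suffix of it, and a name that falls under no associated private zone leaves the private path entirely. The function below is an added example, not code from the original article, and it models only that zone-selection step with constructed zone names; it does not model custom DNS servers set through DHCP options, which bypass this selection altogether.

```python
"""Model of Route 53 private zone selection: longest matching zone wins.

Added example with constructed zone names. Matching is done on whole labels,
so a zone named internal-zone.com does not match my-internal-zone.com.
"""
from typing import List, Optional


def _canonical(name: str) -> str:
    """Lower-case the name and give it exactly one trailing dot."""
    return name.strip().rstrip(".").lower() + "."


def _in_zone(query: str, zone: str) -> bool:
    """True if query is the zone apex or a name below it (label-aligned)."""
    return query == zone or query.endswith("." + zone)


def matching_private_zone(query_name: str, associated_zones: List[str]) -> Optional[str]:
    """Return the associated private zone that answers query_name, or None
    when no associated zone covers it (the query then leaves the private path).
    Among overlapping zones the longest, i.e. most specific, one is chosen."""
    query = _canonical(query_name)
    best: Optional[str] = None
    for zone_name in associated_zones:
        zone = _canonical(zone_name)
        if _in_zone(query, zone) and (best is None or len(zone) > len(best)):
            best = zone
    return best


if __name__ == "__main__":
    # Constructed set of zones associated with one VPC.
    zones = ["my-internal-zone.com", "dev.my-internal-zone.com", "internal-zone.com"]
    for q in ["app.my-internal-zone.com", "db.dev.my-internal-zone.com",
              "app.internal-zone.com", "example.org"]:
        print(f"{q:32} -> {matching_private_zone(q, zones)}")
```

Two consequences follow for the operators in the text: a team that adds a more specific private zone (dev.my-internal-zone.com) and associates it with the VPC silently takes over every name under that subtree from the central zone, and a name with no matching private zone is resolved publicly, so a typo in an internal hostname can leave the VPC without anyone noticing.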
The most surprising true thing about this cross-account association is that the VPC owner doesn’t explicitly "grant permission" for their VPC to resolve names in the hosted zone; rather, the hosted zone owner enables the association, and the VPC owner implicitly accepts it by having their VPC’s DNS configured to allow resolution from associated private zones. It’s a one-way enablement from the hosted zone’s perspective.
The next challenge you’ll likely encounter is managing multiple VPCs associated with the same private hosted zone, or conversely, associating a single VPC with multiple private hosted zones, and understanding the resolution order when domain names overlap.