Amazon Route 53 Profiles - A Deeper look into Centralized DNS Configuration and Governance Solution

Amazon Route 53 Profiles are designed to help customers apply and manage a central DNS configuration across many VPCs in different accounts within the same AWS Region. A single configuration change on a Profile rolls DNS changes out to every VPC associated with it. The resources that can be centralized with Amazon Route 53 Profiles include private hosted zones, Resolver rules, DNS Firewall failure-mode configuration, DNS Firewall rule groups, and DNSSEC validation settings.

Published May 5, 2024
Last Modified May 8, 2024

Background

Gone are the days when we kept all resources for every environment in a single account. After the introduction of AWS Control Tower, following a multi-account strategy became the new normal. Although this new normal helped greatly with account governance, centrally managing differing DNS configurations across accounts remained a challenge for many network administrators and engineers. With Amazon Route 53 Profiles, AWS aims to ease the overhead of centrally managing those DNS configurations.

Features

Let us take a deeper look at the Amazon Route 53 Profiles feature and understand what it means in practice.
Amazon Route 53 Profiles group DNS configurations, such as Amazon Route 53 private hosted zone associations, Resolver forwarding rules, and DNS Firewall rules, into a single container. A Profile can be shared across accounts or across the whole Organization. It is a regional feature, so a Profile can be used in different accounts but only within the same Region. The default permission for consumers of a shared Profile is read-only: they can see the associated resources and associate the Profile with their VPCs, but they cannot manage the resource associations.
Amazon Route 53 Profiles give you the ability to centrally manage an Organization's DNS architecture by creating and sharing Profiles from a single central account. This central account (the resource owner) creates the DNS resources and private hosted zones and adds them to any number of Profiles in the current Region. It then shares those Profiles with all accounts in the Organization, or shares each Profile with designated accounts, for example Dev accounts, QA accounts, and Production accounts. Those accounts then associate the necessary VPCs with the Route 53 Profile shared with them by the central DNS/networking account.

Assessment

In the context of AWS architecture, the question often arises: "Do I need to create an Amazon Route 53 Profile in each account?" The answer might surprise you. No, you don't necessarily need to. Once you've shared the Profile via AWS Resource Access Manager (RAM), other accounts can use it too. It's like extending an invitation to a party – everyone gets to join in the DNS management fun! Just remember that both RAM and Amazon Route 53 Profiles are regional, so keep that in mind as you navigate your AWS landscape. Of course, nothing stops you from creating a Profile in any account you fancy. However, for streamlined central DNS management, it is usually recommended to designate one account as the central hub. And yes, here's a little tip: a VPC can only be associated with one Profile at a time, so choose wisely!
How does central Amazon Route 53 DNS control work using Route 53 Profiles? A central DNS account (the resource owner) creates the DNS resources and private hosted zones and adds them to any number of Profiles it creates in the current Region. It then shares these Profiles with all accounts in the Organization, or shares each Profile with designated accounts, for example Dev accounts, Research accounts, and Production accounts. Those accounts then associate the necessary VPCs with the Amazon Route 53 Profiles shared with them by the central DNS/networking account.
From the central networking account, the account admin can then change hosted zones, DNS Firewall rules and configuration, DNSSEC VPC settings, and so on. These changes propagate to every account the Profile is shared with and apply to every VPC associated with the Profile, all from one account.

Usage for Enterprise Account

If I have 100+ AWS accounts, and each of those accounts has a few private hosted zones, VPCs, and so on, what is the right way to manage the record sets using Amazon Route 53 Profiles?
Managing private hosted zones (PHZs) created by other accounts, which are not owned by the account that shares the Amazon Route 53 Profile, is not supported; those resources still belong to their owning account. The owner of the Amazon Route 53 Profile can manage and change the record sets only for the PHZs that it owns and has shared.
Unless you own a hosted zone, you cannot manage its records through Amazon Route 53 Profiles; the feature does not give you that ability. If you have one or a handful of hosted zones that you have shared across your Organization, then from Amazon Route 53 you can make changes to those hosted zones, and the changes propagate to all accounts the resource is shared with.
Do we need to deploy Amazon Route 53 Profiles in every account across the Organization (if we have multiple accounts and each account has its own private hosted zones)?
If you have an AWS Organization, then once you create your Amazon Route 53 Profile in your networking account, you can share its Resolver rules and hosted zones with accounts in your Organization. There is no need to create a Profile in each account.
Once you create the Profile in the networking account (the Profile owner), if a PHZ already exists and is associated with the Profile, it will be shared and associated with the VPCs you have listed. If no PHZ exists yet, you can create one in the networking account that owns the Profile, update the Profile, and it then becomes accessible to all Organization accounts the Profile is shared with; those accounts can decide which of their VPCs will use the Profile configuration.
You can create a central DNS architecture that all of your Organization's VPCs can use.
But you cannot manage existing hosted zones created by those accounts through the Amazon Route 53 Profile. The feature is meant for a centrally managed DNS account where all Amazon Route 53 changes are made and shared. So one networking account creates all of the hosted zones, DNS Firewall rules, and so on, shares them with the Organization, and Organization accounts then associate the VPCs that will use that Profile.
Consider a scenario where you have multiple accounts deployed with AWS Control Tower, and each account has its own VPC private hosted zone for the DNS resolution of that account's resources. In that case, the controlling account can share the Profile with individual (child) accounts, or with your entire Organization, organizational units, or AWS accounts, roles, and users in that Organization. There are two types of permission for the child account.
- Permissions for owners
Profile owners can create, manage, and delete resources and manage VPC associations. The owner can view the VPC associations and resource associations made by the consumer.
- Permissions for consumers
The default permission for consumers of a shared Profile is read-only. With read-only permission, they can see the associated resources and associate the Profile with their VPCs, but they cannot manage the resource associations.
Approach to managing Amazon Route 53 Profiles for accounts that are managed using Control Tower.
When should you decide whether your organization needs this feature?
The answer is not straightforward, as every organization is different and has its own complexity of DNS requirements. Your team should assess whether Amazon Route 53 Profiles would be a good fit for your organization, how migrating to a Profile-based structure would impact production, and the added cost of using the new feature. These are all points that would and should involve your team and development testing for suitability.

Creation Steps (Using Console)

To create an Amazon Route 53 Profile:
  • Open the Amazon Route 53 console.
  • In the navigation pane, choose Profiles.
  • On the navigation bar, choose the Region where you want to create the Profile.
  • Enter a name for the Profile, optionally add tags, and choose Create Profile.
  • This creates an empty Profile with default configurations to which you can associate resources. After you associate resources with the Profile, you can associate it with VPCs and edit how some of the Resolver configurations apply to those VPCs.

Creation Steps (Using CloudFormation Template)

The above CloudFormation snippet sets up an Amazon Route 53 Profile and associates it with a specific VPC. You can name the Profile and choose which VPC it is linked to. Once deployed, the Profile and the VPC are associated. The snippet also returns two pieces of information after deployment: the unique ID of the Profile and the ID of the association between the Profile and the VPC. These details make it easy to find and manage the resources later on.
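Because the template itself is not reproduced on this page, the following is an added example, written for this article and not the author's snippet, that does what the paragraph describes and also covers the central-account sharing flow discussed under Assessment. It assumes the stack is deployed in the networking (Profile owner) account, that the hosted zone ID and Organization ARN supplied as parameters are placeholders to be replaced, and that the VPC, the Profile and the stack are all in the same Region (Profiles and RAM are regional). The hosted zone association and the RAM share are optional additions beyond what the text's snippet does.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Example only (not the article's own template): create a Route 53 Profile,
  attach a private hosted zone the owner account controls, associate the
  Profile with one VPC, and share the Profile with the Organization via RAM.

Parameters:
  ProfileName:
    Type: String
    Default: central-dns-profile
    Description: Name of the Route 53 Profile to create.
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC (same Region as this stack) to associate with the Profile.
  HostedZoneId:
    Type: String
    Default: ZPLACEHOLDER000
    Description: Placeholder. ID of a private hosted zone owned by this account.
  OrganizationArn:
    Type: String
    Default: arn:aws:organizations::111111111111:organization/o-placeholder
    Description: Placeholder. ARN of the AWS Organization to share the Profile with.

Resources:
  # The empty container; resources and VPCs are attached to it below.
  DnsProfile:
    Type: AWS::Route53Profiles::Profile
    Properties:
      Name: !Ref ProfileName
      Tags:
        - Key: ManagedBy
          Value: central-networking

  # Attach a private hosted zone that THIS account owns. Hosted zones owned
  # by other accounts cannot be managed through the Profile, as the text notes.
  HostedZoneAssociation:
    Type: AWS::Route53Profiles::ProfileResourceAssociation
    Properties:
      Name: central-phz
      ProfileId: !GetAtt DnsProfile.Id
      ResourceArn: !Sub arn:aws:route53:::hostedzone/${HostedZoneId}

  # Associate the Profile with one VPC. A VPC can belong to only one Profile,
  # so this association fails if the VPC is already attached elsewhere.
  VpcAssociation:
    Type: AWS::Route53Profiles::ProfileAssociation
    Properties:
      Name: !Sub ${ProfileName}-${VpcId}
      ProfileId: !GetAtt DnsProfile.Id
      ResourceId: !Ref VpcId

  # Share the Profile with the whole Organization. Consumers get the default
  # read-only permission: they can associate their own VPCs but cannot change
  # the resource associations. AllowExternalPrincipals is kept false so the
  # share cannot be extended to accounts outside the Organization.
  ProfileShare:
    Type: AWS::RAM::ResourceShare
    Properties:
      Name: !Sub ${ProfileName}-share
      ResourceArns:
        - !GetAtt DnsProfile.Arn
      Principals:
        - !Ref OrganizationArn
      AllowExternalPrincipals: false

Outputs:
  ProfileId:
    Description: Unique ID of the Route 53 Profile.
    Value: !GetAtt DnsProfile.Id
  ProfileVpcAssociationId:
    Description: ID of the association between the Profile and the VPC.
    Value: !GetAtt VpcAssociation.Id
```

Consumer accounts still perform their own step: after accepting the RAM share (automatic when sharing within an Organization that has RAM sharing enabled), they create an `AWS::Route53Profiles::ProfileAssociation` in their account pointing at the shared Profile ID and their own VPC. Keeping `AllowExternalPrincipals` false and scoping `Principals` to the Organization or specific OUs is the least-privilege choice, since whoever can associate a VPC with the Profile inherits its resolver rules and firewall behaviour.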

Pricing

For Amazon Route 53 Profiles, the hourly rate is $0.75 per AWS account for up to 100 Profile-VPC associations across the Profiles created by that account. Beyond the first 100 associations, there is a charge of $0.0014 per Profile-VPC association per hour. The base-tier hourly rate for the first 100 Profile-VPC associations covers associations across all Profiles owned by the AWS account.
Let us consider an example where an AWS account creates an Amazon Route 53 Profile in the US East (N. Virginia) Region and associates it with 200 VPCs in its account.
Total Profile-VPC associations = 200
At the end of a 30-day month, the AWS account would incur the following cost for Route 53 Profiles:
[$0.75 per hour (for the first 100 associations) + (associations beyond 100) × $0.0014 per hour] × [24 hours × 30 days] = [$0.75 + 100 × $0.0014] × 720 = $0.89 × 720 = $640.80

Conclusion

The overall assessment of this service suggests it offers an efficient way to manage DNS configuration across accounts with minimal management overhead. However, pricing may pose a challenge for smaller enterprises. Despite its benefits, there are limitations to consider. While an Amazon Route 53 Profile can be shared across accounts, each VPC can be attached to only one Profile (so choose your Profile wisely). Additionally, while Amazon Route 53 Profiles facilitate resource sharing from a centralized account to others, they are not designed to centralize the management of private hosted zones owned by multiple accounts.