In this post, we’ll explore a case study of how an organization streamlined their DNS management by using AWS CLI, focusing on the delegation of NS records.

Background

Acme Corp, a fictitious company, has a centralized AWS environment (the Shared Network Account) and several other AWS accounts for different development stages and teams (e.g., Development, Staging, and Production). Each team has autonomy over their own AWS resources but needs to integrate closely with services hosted in other accounts. Acme Corp registered the domain acmecorp.com in their Shared Network Account and wanted each team to manage their own subdomains like dev.acmecorp.com for the Development team.

The DevOps team faced a challenge: they needed to delegate DNS management for each subdomain to the respective accounts without manual intervention, so that each team could manage its own DNS independently while the root domain stayed under centralized control. Manual DNS updates through the AWS Management Console were error-prone and did not scale, and the option to create an NS record was grayed out in the console.

Solution

Step 1: Install and Configure the AWS CLI

Ensure that the AWS CLI is installed on your machine. If not, you can download and install it from the AWS CLI official website. Configure it using:

aws configure

You’ll need to enter your AWS Access Key ID, Secret Access Key, region, and output format.

Step 2: Create the NS Record

To create an NS record in the Shared Network Account’s Route 53 hosted zone (make sure the CLI credentials you configured belong to that account, not to the Dev account), follow these steps:

  • Retrieve the Hosted Zone ID for acmecorp.com:
aws route53 list-hosted-zones-by-name --dns-name "acmecorp.com"

Look for the HostedZoneId in the output:

{
    "HostedZones": [
        {
            "Id": "/hostedzone/Z1A2BC3D4EFGH5",
            "Name": "acmecorp.com.",
            "CallerReference": "R2D2C3PO-0425-4680-9512-example",
            "Config": {
                "Comment": "Primary DNS for Acme Corp",
                "PrivateZone": false
            },
            "ResourceRecordSetCount": 17
        }
    ],
    "DNSName": "acmecorp.com.",
    "IsTruncated": false,
    "MaxItems": "1"
}
  • Prepare the NS Record Data in JSON format. You’ll need the NS records from your Dev account’s private hosted zone for dev.acmecorp.com.

Here’s an example of the JSON file (change-batch.json) for creating the NS record:

{
    "Comment": "Creating NS record for dev.acmecorp.com",
    "Changes": [
        {
            "Action": "CREATE",
            "ResourceRecordSet": {
                "Name": "dev.acmecorp.com.",
                "Type": "NS",
                "TTL": 300,
                "ResourceRecords": [
                    {"Value": "ns-2048.awsdns-64.com"},
                    {"Value": "ns-2049.awsdns-65.net"},
                    {"Value": "ns-2050.awsdns-66.org"},
                    {"Value": "ns-2051.awsdns-67.co.uk"}
                ]
            }
        }
    ]
}

Note: Replace the Value fields with the actual name servers of your Dev account’s hosted zone. For the delegation to resolve from the internet, that child zone must be a public hosted zone: a private hosted zone’s name servers only answer inside the VPCs associated with it.

  • Create the NS Record using the change-resource-record-sets command:
aws route53 change-resource-record-sets --hosted-zone-id Z1A2BC3D4EFGH5 --change-batch file://change-batch.json

Replace Z1A2BC3D4EFGH5 with the actual Hosted Zone ID of acmecorp.com from your shared-network account.

Step 3: Verify the Record Creation

After creating the NS record, you can verify that it has been added correctly by listing the records in the hosted zone:

aws route53 list-resource-record-sets --hosted-zone-id Z1A2BC3D4EFGH5

Look through the output to see the newly created NS record.
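The checks behind Steps 2 and 3, as an added example that is not part of the original post: it builds the change batch from the child zone’s delegation set and confirms the NS record in the parent zone matches it. The inputs are constructed JSON in the shape returned by aws route53 get-hosted-zone (for the Dev zone) and aws route53 list-resource-record-sets (for acmecorp.com); the zone id ZDEVEXAMPLE is a placeholder.

```python
import json

# Constructed sample of `aws route53 get-hosted-zone` output from the Dev account (not real data).
CHILD_ZONE = {
    "HostedZone": {"Id": "/hostedzone/ZDEVEXAMPLE", "Name": "dev.acmecorp.com."},
    "DelegationSet": {"NameServers": ["ns-2048.awsdns-64.com", "ns-2049.awsdns-65.net",
                                      "ns-2050.awsdns-66.org", "ns-2051.awsdns-67.co.uk"]},
}

def child_name_servers(get_hosted_zone_output):
    """Return the child zone's delegation set. A private hosted zone has no DelegationSet,
    so delegating a public parent to it would never resolve; refuse instead of writing junk."""
    servers = get_hosted_zone_output.get("DelegationSet", {}).get("NameServers", [])
    if not servers:
        raise ValueError("hosted zone has no public delegation set (private zone?)")
    return servers

def build_ns_change_batch(parent_zone, subdomain, name_servers, ttl=300):
    """Build the change-batch.json document for delegating `subdomain` from `parent_zone`."""
    parent = parent_zone.rstrip(".").lower()
    child = subdomain.rstrip(".").lower()
    if not child.endswith("." + parent):  # never write a delegation for a name outside our zone
        raise ValueError(f"{child} is not below {parent}")
    return {
        "Comment": f"Creating NS record for {child}",
        "Changes": [{
            "Action": "CREATE",  # CREATE fails if a delegation already exists instead of overwriting it
            "ResourceRecordSet": {
                "Name": child + ".",
                "Type": "NS",
                "TTL": ttl,
                "ResourceRecords": [{"Value": ns.rstrip(".") + "."} for ns in name_servers],
            },
        }],
    }

def delegation_matches(list_rrsets_output, subdomain, name_servers):
    """Step 3 check: the parent's NS set for `subdomain` equals the child's delegation set exactly."""
    want = {ns.rstrip(".").lower() for ns in name_servers}
    name = subdomain.rstrip(".").lower() + "."
    for rrset in list_rrsets_output.get("ResourceRecordSets", []):
        if rrset["Type"] == "NS" and rrset["Name"].lower() == name:
            got = {r["Value"].rstrip(".").lower() for r in rrset["ResourceRecords"]}
            return got == want
    return False

if __name__ == "__main__":
    batch = build_ns_change_batch("acmecorp.com", "dev.acmecorp.com", child_name_servers(CHILD_ZONE))
    with open("change-batch.json", "w") as fh:  # feed this to change-resource-record-sets
        json.dump(batch, fh, indent=2)
```

Run it in place of hand-editing change-batch.json, then pipe the list-resource-record-sets output into delegation_matches to confirm the record before closing the change.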

Using the AWS CLI for DNS management in a multi-account AWS environment proved to be a robust solution for Acme Corp. They were able to add NS records to the shared hosted zone without the issue they had experienced in the AWS Console.

About

With more than 20 years of experience in the technology sector, Mario has dedicated the last decade to offering consultancy, support, and strategic guidance to clients across various cloud platforms.