- You can assign a DNS resolution binding to a hub VPC either by selecting it from a list of VPCs (if the hub VPC exists in the same account), or by entering the hub VPC cloud resource name (CRN) (if the hub VPC exists in another account).
- If a DNS-shared VPC contains VPE gateways that conflict with the DNS hub's VPEs, or with any of the VPEs shared by the hub's existing DNS-shared VPCs, the DNS-shared VPC must disable DNS sharing on the conflicting VPE before the DNS resolution binding is created. The same conflict arises if you try to create a conflicting VPE after the DNS resolution binding already exists.
- When the resolver for a DNS-shared VPC is delegated to the DNS hub VPC's custom resolver, disabling DNS sharing on an individual endpoint gateway in the DNS-shared VPC might cause DNS resolution failure on the DNS-shared VPC for this endpoint gateway.
- You cannot create more than one DNS resolution binding for a DNS-shared VPC.
- You can view the DNS resolution binding details to get information about the hub VPC, as well as which endpoint gateways in the DNS-shared VPC have DNS sharing enabled.
- You cannot delete the DNS resolution binding on a DNS-shared VPC if the DNS resolver type is set to Delegated. You must first update the DNS resolver type to System or Manual, and then delete the DNS resolution binding.
- For the DNS-shared VPC to use the delegated DNS server on the hub VPC, the hub VPC must run the custom resolver on its networks.
- You can enable or disable DNS sharing on each individual endpoint gateway in the DNS-shared VPC.
- You can configure the DNS resolver of the DNS-shared VPC to use the custom resolver on the hub VPC.
- A DNS-shared VPC authorized user is able to change its DNS resolver to the custom resolver on the hub VPC. This is essential when the DNS-shared VPC attempts to connect to endpoint gateways on the hub VPC or on any other DNS-shared VPCs sharing their DNS network with the same hub.
- A DNS-shared VPC authorized user can create or delete a DNS resolution binding. The DNS-shared authorized user must have the appropriate permission level on both VPCs:
  - The user must have binding-create permissions on the DNS-shared VPC.
  - The user must have binding-connect and read permissions on the DNS hub VPC.

  Regardless of whether the DNS hub VPC and DNS-shared VPC are in different accounts, a delegation process is required to create a service-to-service policy that allows the DNSBinding service role from the DNS-shared VPC to the DNS hub VPC.

  To change a DNS-shared VPC's DNS resolver to the custom resolver, the authorized user must have an Operator role (minimum) on the DNS-shared VPC and a Viewer role on the DNS hub VPC.
- Custom resolver authorized users on the hub VPC can operate the custom resolver independently. As a result, if the IP addresses of the custom resolver are updated, the change automatically propagates to all delegated DNS-shared VPCs.

You are responsible for designing and managing your own architecture among multiple VPCs and accounts.
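The VPE-conflict, single-binding and Delegated-resolver rules above can be checked before you touch the binding. The following pre-flight checker is an added example written for this page, not IBM Cloud code or its API: the `Vpc` and `EndpointGateway` records, the `service_dns_name` field and the sample hub and spoke VPCs are all constructed, and a "conflict" is modelled as two DNS-sharing VPEs answering for the same service DNS name.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class EndpointGateway:
    name: str
    service_dns_name: str     # service hostname this VPE answers for (constructed model)
    dns_sharing: bool = True  # DNS sharing enabled on this endpoint gateway

@dataclass
class Vpc:
    name: str
    resolver_type: str = "system"  # "system" | "manual" | "delegated"
    endpoint_gateways: list = field(default_factory=list)
    has_binding: bool = False      # a DNS-shared VPC may hold at most one binding

def shared_names(vpc):
    """Service DNS names a VPC exposes to the hub via DNS sharing."""
    return {eg.service_dns_name for eg in vpc.endpoint_gateways if eg.dns_sharing}

def conflicting_vpes(spoke, hub, existing_spokes):
    """VPEs on the candidate spoke that must have DNS sharing disabled before
    the binding is created: they answer for a name the hub already serves,
    or a name another DNS-shared VPC already shares with that hub."""
    taken = {eg.service_dns_name for eg in hub.endpoint_gateways}
    for other in existing_spokes:
        taken |= shared_names(other)
    return sorted(eg.name for eg in spoke.endpoint_gateways
                  if eg.dns_sharing and eg.service_dns_name in taken)

def binding_create_blockers(spoke, hub, existing_spokes):
    problems = []
    if spoke.has_binding:
        problems.append("spoke already has a DNS resolution binding (max one)")
    for name in conflicting_vpes(spoke, hub, existing_spokes):
        problems.append(f"disable DNS sharing on endpoint gateway {name} first")
    return problems

def binding_delete_blockers(spoke):
    """Deletion is refused while the spoke resolver is delegated to the hub."""
    if spoke.resolver_type == "delegated":
        return ["resolver type is delegated; set it to system or manual first"]
    return []

# Constructed sample topology: one hub, one existing spoke, one candidate spoke.
HUB = Vpc("hub", endpoint_gateways=[EndpointGateway("hub-cos", "cos.example.internal")])
SPOKE_A = Vpc("spoke-a", "delegated", [EndpointGateway("a-kms", "kms.example.internal")], True)
SPOKE_B = Vpc("spoke-b", endpoint_gateways=[
    EndpointGateway("b-cos", "cos.example.internal"),          # clashes with the hub
    EndpointGateway("b-kms", "kms.example.internal"),          # clashes with spoke-a
    EndpointGateway("b-db", "db.example.internal"),            # fine
    EndpointGateway("b-cos-local", "cos.example.internal", False)])  # sharing off: fine

if __name__ == "__main__":
    print(binding_create_blockers(SPOKE_B, HUB, [SPOKE_A]))
    print(binding_delete_blockers(SPOKE_A))
```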