Fail over applications with resources in different Amazon accounts in Route 53 ARC - Amazon Route 53 Application Recovery Controller

Fail over applications with resources in different Amazon accounts in Route 53 ARC

You can use routing controls in one cluster in Amazon Route 53 Application Recovery Controller to support failover for applications with resources in a different Amazon account. Start by creating the routing controls in a cluster, and then create Route 53 ARC health checks with associated health check IDs. Then, add those health check IDs to the failover policies in the DNS record set of another Amazon account. Now, when you update the routing controls in Route 53 ARC that are associated with the health checks, failovers will act on the DNS record set of the second Amazon account.

To make sure that only authorized users can make these changes, create IAM policies scoped at the control panel and routing control level and attach them to users or roles. These policies allow access to specific resources in an account only for authorized users or roles from different accounts.

Use the following guidance to step through the process.

Step 1. Create a routing control and health check

On the Route 53 ARC console, create a routing control and corresponding Route 53 ARC health check. For more information, see Creating a routing control in Route 53 ARC and Creating a routing control health check in Route 53 ARC.

Copy and save the health check ID for the health check.

Step 2. Create DNS failover records

In Amazon Route 53, create DNS failover records that reroute traffic by associating the health check ID with the records.

  • For cross-account routing, add the health check ID from the routing control that you saved in Step 1 to the record set of another account by doing one of the following:

    • On the Amazon Web Services Management Console, copy the health check ID for the routing control, and paste it in your failover DNS records in Route 53.

    • Use the Amazon Command Line Interface by using the steps in the following Amazon Web Services Support article: Route 53 cross account health checks.

Step 3. Create or modify IAM policies for secure access

Create or modify IAM policies to attach to users or roles to make sure that only authorized users can access the resources. For example, in the IAM console, create IAM policies for Route 53 Recovery Cluster (route53-routing-control) and Route 53 Recovery Controls (route53-recovery-control-config) that restrict Read/Write access to the specific control panels that host the routing controls, or that restrict access to each routing control resource ARN. For more information, see Amazon managed policies for Amazon Route 53 Application Recovery Controller.
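
The following is an added example, not part of the original documentation: it builds a policy scoped to individual routing control ARNs, as Step 3 describes, and checks a policy document for statements that allow state changes on wildcard resources. The account ID and resource IDs are constructed placeholders, and the `route53-recovery-cluster` action names are the Recovery Cluster API actions, which this page does not list.

```python
import json
from fnmatch import fnmatchcase

# Constructed placeholders: account ID and resource IDs are not from the page.
# In the China Regions the ARN partition is "aws-cn" rather than "aws".
PANEL_ARN = "arn:aws:route53-recovery-control::111122223333:controlpanel/EXAMPLEPANEL"
CONTROL_ARN = PANEL_ARN + "/routingcontrol/EXAMPLECONTROL"

# Recovery Cluster data-plane actions that change routing control state,
# which is what moves DNS in the second account.
WRITE_ACTIONS = ("route53-recovery-cluster:UpdateRoutingControlState",
                 "route53-recovery-cluster:UpdateRoutingControlStates")

def scoped_policy(control_arns):
    """Build a policy that can read and flip only the listed routing controls."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "FlipListedRoutingControlsOnly",
        "Effect": "Allow",
        "Action": ["route53-recovery-cluster:GetRoutingControlState", *WRITE_ACTIONS],
        "Resource": sorted(control_arns)}]}

def _listify(value):
    # IAM accepts a single string/object or a list for these fields.
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def broad_write_statements(policy):
    """Return the Sid (or index) of every Allow statement that grants a
    state-changing action on a Resource pattern containing a wildcard."""
    findings = []
    for index, stmt in enumerate(_listify(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in _listify(stmt.get("Action"))]
        grants_write = any(fnmatchcase(w.lower(), p)
                           for w in WRITE_ACTIONS for p in patterns)
        wildcard = any("*" in r or "?" in r for r in _listify(stmt.get("Resource")))
        if grants_write and wildcard:
            findings.append(stmt.get("Sid", f"statement[{index}]"))
    return findings

# Constructed "before" policy: a principal holding it can flip every
# routing control the account owns, not just the intended ones.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": {
    "Sid": "TooBroad", "Effect": "Allow",
    "Action": "route53-recovery-cluster:*", "Resource": "*"}}

if __name__ == "__main__":
    print("weak  :", broad_write_statements(WEAK_POLICY))
    print("scoped:", broad_write_statements(scoped_policy([CONTROL_ARN])))
    print(json.dumps(scoped_policy([CONTROL_ARN]), indent=2))
```

The checker looks only at `Action` and `Resource` in `Allow` statements; statements that use `NotAction` or `NotResource` need a manual review.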