Lucian Patian for AWS Community Builders

Route 53 Resolver Rules: the AWS bill that multiplied when nobody was looking

Picture this: you're setting up your AWS Landing Zone like the responsible cloud engineer you are. Multiple accounts, clean separation of concerns, everything by the book. You set up your first Route 53 resolver rule to handle private domain queries. Works like a charm.

Fast forward three months and fifteen AWS accounts later. Each account has its own resolver rule pointing to the same on-premise DNS servers. Everything looks consistent and well-organized.

Then the AWS bill arrives.

Your first reaction: "There must be some mistake in the billing calculation."

Your second reaction (after checking twice): "Oh no... I've been paying for the same DNS forwarding 15 different times."

Welcome to the Route 53 resolver cost multiplication trap, where good practices collide with your budget.

When reality hits

You dig into your AWS accounts and confirm what you suspected: every single account has its own Route 53 resolver rule pointing to the same on-premise DNS servers. Each rule sits on its own outbound endpoint, and each endpoint creates its own network interfaces. Each interface costs money.

So naturally, you do what any rational person would do: you start questioning whether AWS is just expensive or if you're missing something obvious.

Understanding the problem

Being the careful engineer you are, you decide to understand exactly what's happening. You discover that Route 53 resolver rules work like this:

  • Outbound endpoints: Create network interfaces in your VPC that forward DNS queries to your on-premise servers based on rules you define.
  • Resolver rules: Tell those network interfaces which domains should be forwarded to which DNS servers.

The setup works beautifully. But here's the costly part: each account creates its own resolver rule backed by its own outbound endpoint, and therefore its own network interfaces. Those interfaces add up fast when you multiply them across multiple AWS accounts.

The real issue

Here's what's actually happening (and why it's both wasteful and fixable):

  • Your current setup: each account has its own resolver rule to maintain separation
  • AWS billing: each resolver rule comes with its own outbound endpoint and network interfaces, each charged separately
  • Your finance team: "why does our DNS cost more than our compute?"

This is where things get interesting. You start researching and discover that AWS Resource Access Manager exists specifically to solve this problem.

Here's what you can actually do (and why AWS built it this way):

  • AWS Resource Access Manager: "You can share resolver rules across accounts"
  • Route 53 Resolver: "Shared rules use the same network interfaces, so you only pay once"
  • Your AWS bill: "Finally, some sanity"

Want to fix your DNS cost explosion? Here's what you actually need to do:

  • Create a resource share in AWS Resource Access Manager.
  • Select Route 53 Resolver Rules as your resource type.
  • Add your AWS account IDs to the shared principals.
  • Watch your costs drop as all accounts use the same network interfaces.

Then in each target account:

  • Navigate to Route 53 resolver rules
  • Find your shared rule (it'll be there, marked as "shared")
  • Connect it with your VPC

Result: One set of network interfaces, multiple accounts using them, much lower costs.
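The same procedure as Terraform, added here as an illustration and not code from the original post: the resource names, domain, target IPs, account ID, variables and the `aws.workload` provider alias are placeholders, and it assumes both accounts are in the same AWS Organization with RAM sharing enabled, so the share needs no manual acceptance.

```hcl
# Shared-services account: the single outbound endpoint and the forwarding rule
resource "aws_route53_resolver_endpoint" "outbound" {
  name               = "onprem-forwarder"
  direction          = "OUTBOUND"
  security_group_ids = [aws_security_group.resolver.id] # assumed: allows TCP/UDP 53 to on-prem

  ip_address { subnet_id = var.subnet_a } # one network interface per subnet
  ip_address { subnet_id = var.subnet_b } # an outbound endpoint needs at least two
}

resource "aws_route53_resolver_rule" "onprem" {
  name                 = "corp-example-com"
  domain_name          = "corp.example.com" # placeholder private domain
  rule_type            = "FORWARD"
  resolver_endpoint_id = aws_route53_resolver_endpoint.outbound.id

  target_ip { ip = "10.10.0.53" } # placeholder on-prem DNS servers
  target_ip { ip = "10.10.1.53" }
}

# One RAM resource share containing the rule, offered to the workload account
resource "aws_ram_resource_share" "resolver_rules" {
  name                      = "shared-resolver-rules"
  allow_external_principals = false # keep the share inside your Organization
}

resource "aws_ram_resource_association" "onprem_rule" {
  resource_share_arn = aws_ram_resource_share.resolver_rules.arn
  resource_arn       = aws_route53_resolver_rule.onprem.arn
}

resource "aws_ram_principal_association" "workload" {
  resource_share_arn = aws_ram_resource_share.resolver_rules.arn
  principal          = "111122223333" # placeholder workload account ID
}

# Workload account (provider alias assumed): attach the shared rule to its VPC.
# The rule ID is identical in the consuming account, and no endpoint, and so no
# extra network interface, is created on this side.
resource "aws_route53_resolver_rule_association" "workload_vpc" {
  provider         = aws.workload
  resolver_rule_id = aws_route53_resolver_rule.onprem.id
  vpc_id           = var.workload_vpc_id
  depends_on       = [aws_ram_principal_association.workload]
}
```

Every additional account only needs another `aws_ram_principal_association` and its own `aws_route53_resolver_rule_association`; the endpoint and its interfaces stay in the one owning account.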

Think about it this way: running a separate resolver rule in every account is like buying individual gym memberships for each family member instead of a family plan: technically works, financially questionable, and definitely not something you want to explain to your CFO.

Use AWS Resource Access Manager to share resolver rules: it takes a few minutes of setup and prevents uncomfortable budget conversations.

In another article, I discuss how to skip Route 53 Resolver inbound endpoints entirely and forward traffic from your on-premise DNS to your Route 53 private hosted zones at no cost.
