After a lot of replies I see that using VPN tunnels to reach the servers is the best option.
But there is a DNS issue as well.
I see two options with a private zone (both are unwanted for us):
- set up DNS forwarding to our private DNS server in each AWS account (using bind9, for example);
- create a Route53 zone with the exact same domain name and populate it with the actual SRV records (this one is pretty ugly).
So, what about using a public DNS domain in FreeIPA (say, ipa.example.com)?