AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A company's networking account hosts a SharedServices VPC that already contains an outbound Amazon Route 53 Resolver endpoint deployed in two Availability Zones. The endpoint forwards DNS queries to the on-premises name servers at 192.168.0.10 and 192.168.0.11 over an AWS Direct Connect link. Several application VPCs that belong to different AWS accounts are attached to the same AWS Transit Gateway in the Region. All application workloads must resolve host names in the corp.example.com domain that are hosted on-premises. The architects want to avoid creating additional Resolver endpoints or custom DHCP option sets in each application account and want to minimize ongoing operational effort.
Which approach meets these requirements with the LEAST operational overhead?
Share the existing outbound Resolver endpoint with the application accounts by using AWS Resource Access Manager and update each application VPC's DHCP options set to use the endpoint's IP addresses as DNS servers.
Deploy a new inbound Route 53 Resolver endpoint in the SharedServices VPC and configure each application VPC to forward corp.example.com queries to the inbound endpoint's IP addresses.
Create a private hosted zone named corp.example.com in every application account and add NS records that point directly to the on-premises DNS servers.
Create a Route 53 Resolver forwarding rule for corp.example.com that targets the outbound endpoint, share the rule with the application accounts by using AWS Resource Access Manager, and associate it with every application VPC.
Creating a Route 53 Resolver forwarding rule for corp.example.com that targets the existing outbound endpoint makes Route 53 forward only queries for that domain and its subdomains to the on-premises DNS servers at 192.168.0.10 and 192.168.0.11; everything else is still answered by the VPC resolver. Once the rule is shared through AWS Resource Access Manager (RAM) and associated with each application VPC, the Route 53 Resolver in those VPCs (reachable at the VPC CIDR +2 address and at 169.254.169.253) checks its associated rules before deciding where to send a query, so the default DHCP options set stays in place and nothing changes on the instances. The application VPCs need no network path of their own to the outbound endpoint: Resolver hands matching queries to the endpoint internally, and the endpoint's network interfaces in the SharedServices VPC send them on to the on-premises servers over the Direct Connect link that is already in use. The only connectivity requirements are the ones the endpoint already meets, namely that its security group allows outbound UDP and TCP port 53 to 192.168.0.10 and 192.168.0.11 and that the on-premises servers can reply to the endpoint's interface addresses. The Transit Gateway carries the application traffic to the on-premises hosts once their names resolve; it plays no part in the DNS forwarding itself.
Resolver endpoints themselves cannot be shared via RAM, and an outbound endpoint does not listen for DNS queries, so sharing the endpoint and pointing each VPC's DHCP options set at its IP addresses would not work even before counting the per-VPC DHCP change the architects want to avoid. An inbound Resolver endpoint is intended for on-premises systems to query names hosted in AWS, not for VPC-to-on-premises resolution, and forwarding to it from each application VPC would still require forwarding rules and an outbound endpoint, or a DHCP change, in every account. Creating a private hosted zone with NS records in every account would make Route 53 authoritative for corp.example.com instead of forwarding queries to the existing on-premises servers, and it duplicates configuration in each account. Therefore, sharing a forwarding rule is the only option that meets the requirements with minimal overhead.
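The correct option expressed as infrastructure as code, as an added example that is not part of the original page. Two CloudFormation templates follow in one block: the first is deployed in the networking account and creates the forwarding rule and the RAM share, the second is deployed in each application account and associates the shared rule with that account's VPC. The account IDs, the endpoint ID, the VPC ID, and the resource names are placeholders; only the domain name and the two on-premises resolver addresses come from the question.

```yaml
# ---- File 1: networking (SharedServices) account --------------------------
# Creates the corp.example.com forwarding rule on the EXISTING outbound
# endpoint and shares it with the application accounts through RAM.
AWSTemplateFormatVersion: "2010-09-09"
Description: Forward corp.example.com to on-premises DNS and share the rule via RAM
Parameters:
  OutboundEndpointId:
    Type: String
    Description: ID of the existing outbound Resolver endpoint (placeholder value)
    Default: rslvr-out-0123456789abcdef0
  ApplicationAccountIds:
    Type: CommaDelimitedList
    Description: Accounts that receive the rule (placeholder account IDs)
    Default: "111122223333,444455556666"
Resources:
  CorpForwardRule:
    Type: AWS::Route53Resolver::ResolverRule
    Properties:
      Name: corp-example-com-to-onprem
      RuleType: FORWARD
      DomainName: corp.example.com          # only this domain and its subdomains are forwarded
      ResolverEndpointId: !Ref OutboundEndpointId
      TargetIps:                            # on-premises name servers from the scenario
        - Ip: 192.168.0.10
          Port: "53"
        - Ip: 192.168.0.11
          Port: "53"
  # The outbound endpoint's security group must already allow egress UDP/TCP 53
  # to 192.168.0.10 and 192.168.0.11; no inbound rule from the application VPCs
  # is needed because Resolver delivers matching queries to the endpoint internally.
  CorpRuleShare:
    Type: AWS::RAM::ResourceShare
    Properties:
      Name: corp-example-com-resolver-rule
      ResourceArns:
        - !GetAtt CorpForwardRule.Arn
      Principals: !Ref ApplicationAccountIds
      AllowExternalPrincipals: false        # share only inside the organization
Outputs:
  SharedRuleId:
    Description: Pass this rule ID to the application-account stacks
    Value: !GetAtt CorpForwardRule.ResolverRuleId

# ---- File 2: each application account ------------------------------------
# Associates the shared rule with the local VPC. The VPC keeps its default
# DHCP options set; it only needs DNS resolution (enableDnsSupport) enabled.
AWSTemplateFormatVersion: "2010-09-09"
Description: Associate the shared corp.example.com rule with this account's VPC
Parameters:
  SharedRuleId:
    Type: String
    Description: SharedRuleId output from the networking account (placeholder value)
    Default: rslvr-rr-0123456789abcdef0
  ApplicationVpcId:
    Type: AWS::EC2::VPC::Id
    Description: Application VPC attached to the Transit Gateway
Resources:
  CorpRuleAssociation:
    Type: AWS::Route53Resolver::ResolverRuleAssociation
    Properties:
      Name: corp-example-com
      ResolverRuleId: !Ref SharedRuleId
      VPCId: !Ref ApplicationVpcId
```

Save the two documents as separate template files; CloudFormation accepts one template per stack. If RAM sharing with AWS Organizations is enabled, the application accounts receive the rule with no invitation to accept; otherwise the share invitation must be accepted in each application account before the second stack can create the association. To check the result, run `aws route53resolver list-resolver-rule-associations` in an application account and then, from an instance in that VPC, resolve a corp.example.com name against the VPC resolver (for example with `dig @169.254.169.253`); the query should be answered by the on-premises servers with no DHCP change on the instance.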
Design Solutions for Organizational Complexity