AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A financial-services company is building a hybrid-cloud architecture that connects its on-premises data center to multiple AWS VPCs over AWS Direct Connect. The company requires seamless, bidirectional DNS resolution: on-premises applications must resolve private hostnames for Amazon EC2 instances in the VPCs (for example, app-server.prod.vpc.example.com), and EC2 instances must resolve hostnames that live only in the on-premises namespace (for example, db.corp.internal). The solution must be highly available, scalable, and centrally manageable, and it must not require custom DNS server software on EC2 instances.
Which solution meets these requirements most effectively?
Create a Route 53 inbound endpoint in each VPC. Configure the on-premises DNS servers with conditional forwarders that send all AWS-related DNS queries to the IP addresses of the inbound endpoints.
Deploy a pair of highly available EC2 instances running BIND in a central VPC. Configure on-premises DNS servers to forward queries to these instances, and configure the BIND servers to forward queries for the on-premises domain back to the on-premises DNS servers.
Create a private hosted zone for the on-premises domain (corp.internal) and associate it with all VPCs. Create a Route 53 outbound endpoint and a rule to forward all queries from the VPCs to the on-premises DNS servers.
Create Route 53 Resolver inbound and outbound endpoints. Configure conditional forwarding on the on-premises DNS servers to send queries for the VPC domain to the inbound endpoint. Create Resolver rules to forward queries for the on-premises domain to the on-premises DNS servers via the outbound endpoint.
The most effective design is to use Amazon Route 53 Resolver endpoints and conditional-forwarding rules:
Create an inbound endpoint in a shared or hub VPC. This endpoint exposes two or more IP addresses (in different Availability Zones) that on-premises DNS servers forward queries to, allowing on-premises hosts to resolve records stored in Route 53 private hosted zones.
Create an outbound endpoint in the same VPC and configure Resolver rules (for example, *.corp.internal) that forward VPC-originated queries to the on-premises DNS servers. The outbound endpoint sends the traffic across Direct Connect or the site-to-site VPN link.
Because each endpoint requires at least two IP addresses in different AZs, the solution is highly available by design and fully managed: no EC2-hosted DNS servers need to be deployed or patched.
Self-managed BIND servers on EC2 can work but introduce operational overhead for scaling, patching, and failure handling, so they do not best satisfy the requirements.
Deploying only inbound endpoints enables on-premises-to-AWS lookups but provides no path for VPC-originated queries to reach on-premises DNS, so bidirectional resolution is not achieved.
Creating a private hosted zone for corp.internal plus an outbound endpoint still lacks an inbound endpoint, so on-premises resolvers cannot query AWS records. In addition, the private hosted zone would be redundant because a forwarding rule for the same domain would take precedence and send the queries to the on-premises DNS servers anyway.
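The correct design expressed as Terraform, added here as an illustration rather than code from the question page or from AWS. It assumes a hub VPC with subnets in two Availability Zones (aws_subnet.hub_az_a, aws_subnet.hub_az_b), a spoke VPC (aws_vpc.prod), an existing security group (aws_security_group.resolver) that permits DNS on 53/udp and 53/tcp between the endpoints and the corporate network, and placeholder on-premises DNS addresses.

```hcl
# Added example, not the page's own code. Subnet, VPC and security-group
# references and the on-premises DNS addresses are placeholders.

# Inbound endpoint: on-premises DNS servers conditionally forward queries
# for the VPC domain to these addresses. Two subnets in different AZs meet
# the two-IP minimum and make the endpoint highly available.
resource "aws_route53_resolver_endpoint" "inbound" {
  name               = "onprem-to-aws"
  direction          = "INBOUND"
  security_group_ids = [aws_security_group.resolver.id]

  ip_address {
    subnet_id = aws_subnet.hub_az_a.id
  }
  ip_address {
    subnet_id = aws_subnet.hub_az_b.id
  }
}

# Outbound endpoint: the source of queries Resolver forwards to on-premises
# DNS over Direct Connect; same two-AZ layout.
resource "aws_route53_resolver_endpoint" "outbound" {
  name               = "aws-to-onprem"
  direction          = "OUTBOUND"
  security_group_ids = [aws_security_group.resolver.id]

  ip_address {
    subnet_id = aws_subnet.hub_az_a.id
  }
  ip_address {
    subnet_id = aws_subnet.hub_az_b.id
  }
}

# Forwarding rule: corp.internal and its subdomains are sent to the
# on-premises DNS servers through the outbound endpoint.
resource "aws_route53_resolver_rule" "corp_internal" {
  domain_name          = "corp.internal"
  name                 = "forward-corp-internal"
  rule_type            = "FORWARD"
  resolver_endpoint_id = aws_route53_resolver_endpoint.outbound.id

  target_ip {
    ip = "10.10.0.10" # placeholder: primary on-premises DNS server
  }
  target_ip {
    ip = "10.10.0.11" # placeholder: secondary on-premises DNS server
  }
}

# A rule only takes effect in VPCs it is associated with; repeat per VPC.
resource "aws_route53_resolver_rule_association" "prod" {
  resolver_rule_id = aws_route53_resolver_rule.corp_internal.id
  vpc_id           = aws_vpc.prod.id
}
```

For on-premises-to-AWS resolution the complementary step is outside Terraform: configure the corporate DNS servers with a conditional forwarder for prod.vpc.example.com pointing at the two inbound endpoint addresses.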