AWS Certified Solutions Architect Professional SAP-C02 Practice Question

The correct solution for enabling bidirectional DNS resolution in a hybrid environment is to use both inbound and outbound Route 53 Resolver endpoints.

• To resolve on-premises domains from AWS (e.g., database.corp.local): An outbound endpoint is created in the VPC. A forwarding rule is associated with it, instructing the resolver to forward queries for the corp.local domain to the on-premises DNS servers. This handles the egress query flow from the VPC.

• To resolve AWS domains from on-premises (e.g., app-server.aws.corp.local): An inbound endpoint is created in the VPC. This provides IP addresses that act as DNS targets. The on-premises DNS servers are then configured with a conditional forwarder for the aws.corp.local domain, pointing to the IP addresses of the inbound endpoint. This handles the ingress query flow into the VPC.

Incorrect options explained:

• An option that swaps the roles of the endpoints is incorrect. Outbound endpoints send queries out from a VPC and do not have IP addresses that can be targeted by external forwarders. Inbound endpoints receive queries into a VPC.
• Using only an outbound endpoint is insufficient because it only facilitates one-way resolution (from VPC to on-premises) and does not provide a mechanism for on-premises servers to send queries to Route 53.
• Launching EC2 instances to run DNS forwarding software is an outdated pattern that adds operational overhead and complexity. The AWS-native, managed Route 53 Resolver service is the modern, highly available, and scalable solution for this use case, making it the superior choice.