AWS Certified Solutions Architect Professional SAP-C02 Practice Question
Your company is migrating a multi-tier finance application to AWS in several waves. Some application servers will remain in the on-premises data center while others move into multiple AWS accounts. The application components communicate by using the existing private FQDN finance.internal.example.com.
During the migration, the solution must provide bidirectional resolution for AWS-hosted and on-premises hostnames without sending DNS traffic over the public internet. The design must also centralize DNS management to reduce operational overhead and scale to support dozens of workload VPCs in different accounts within the same Region.
Which approach meets these requirements with the LEAST management effort?
Launch BIND DNS servers on EC2 instances in every workload VPC, replicate the on-premises zone by zone transfer, and manually update the records for AWS resources.
Enable EC2 ClassicLink in each workload VPC and update the DHCP option set so that VPC DNS queries are forwarded directly to the on-premises DNS servers.
Create a Route 53 private hosted zone for internal.example.com in every workload VPC and configure the on-premises DNS server with conditional forwarders that point to each VPC's .2 resolver address.
In a shared-services account, create Route 53 Resolver inbound and outbound endpoints in a centralized DNS VPC that is connected to the data center by AWS Direct Connect. Host the private hosted zone there, create outbound Resolver rules for on-premises domains, share those rules and the private hosted zone associations with workload VPCs by using AWS Resource Access Manager (RAM), and configure a conditional forwarder on the on-premises DNS server that targets the inbound endpoint IP addresses.
Using centralized Route 53 Resolver endpoints in a shared-services VPC satisfies all requirements:
Bidirectional, private DNS traffic: Inbound endpoints let on-premises DNS servers forward queries for AWS-hosted names over the private Direct Connect link, and outbound endpoints let AWS resources resolve on-premises domains without traversing the internet.
Centralized and scalable: One set of highly-available endpoints can serve many VPCs. Resolver forwarding rules that use the outbound endpoint, and private hosted zone associations, can be shared to other accounts through AWS RAM, so additional VPCs need no extra infrastructure.
Least operational overhead: DNS is managed in a single place; no extra EC2-based DNS servers or per-VPC hosted zones are required.
The other options each fail to meet one or more requirements:
Creating separate private hosted zones in every VPC fragments DNS management and forces the on-premises DNS to maintain many forwarders.
Using EC2-ClassicLink is not a viable solution, as it is a retired legacy service for EC2-Classic networking and does not solve cross-account private DNS resolution.
Running BIND servers on EC2 instances in every VPC meets the technical need but adds significant cost and administration compared with the managed Route 53 Resolver service.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is AWS Route 53 Resolver, and how does it enable private DNS resolution?
Open an interactive chat with Bash
What is AWS Direct Connect, and why is it critical for private DNS traffic in this solution?
Open an interactive chat with Bash
What is AWS Resource Access Manager (RAM), and how does it simplify DNS management in multi-account environments?
Open an interactive chat with Bash
AWS Certified Solutions Architect Professional SAP-C02
Accelerate Workload Migration and Modernization
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
IT & Cybersecurity Package Join Premium for Full Access