AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
An organization has a Direct Connect link between its on-premises data center and an AWS VPC. EC2 instances in the VPC must resolve host names in the on-premises corp.example.com domain by using the existing on-premises DNS server at 10.0.0.2. The operations team wants a scalable solution that requires no per-instance configuration changes or manual record maintenance. According to AWS best practices, which action will meet these requirements?
Enable DNS resolution and DNS hostnames in the VPC; the Amazon-provided DNS server will automatically forward corp.example.com queries across Direct Connect.
Create a private hosted zone for corp.example.com in Route 53 and manually populate A and CNAME records for all on-premises hosts.
Update the VPC's DHCP options set to hand out 10.0.0.2 as the primary DNS server, then restart networking on every EC2 instance.
Create a Route 53 Resolver outbound endpoint in two private subnets. Add a rule that forwards queries for corp.example.com to 10.0.0.2 and associate the rule with the VPC.
Route 53 Resolver can forward DNS queries that originate in a VPC to external DNS servers through an outbound endpoint. Creating the endpoint in at least two subnets (in different Availability Zones) provides high availability, and a forwarding rule that targets the on-premises DNS IP ensures that any query for corp.example.com (and its subdomains) leaves the VPC and is answered by the data-center resolver. No changes are needed on the EC2 instances because they continue to use the Amazon-provided resolver (the VPC network address plus two, the ".2" resolver), which automatically consults the forwarding rule before answering.
Creating a private hosted zone would require manually adding and updating records for every on-premises host, which is operationally heavy and error-prone. Relying on the Amazon-provided DNS alone will not work because, without a Resolver rule, it never forwards queries to on-premises networks. Pointing instances directly to the on-premises DNS server through the VPC's DHCP options removes the benefit of the Amazon-provided resolver (for internal AWS zones such as private hosted zones and EC2 hostnames), requires every instance to pick up the new lease, and introduces a single point of failure without providing Route 53-level visibility or query logging.
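As an added illustration (not part of the original question), the following Python models the two pieces the correct answer relies on: a pre-deployment check that the outbound endpoint spans two subnets and the rule forwards only to a private target, and the most-specific-domain match that Route 53 Resolver applies before falling back to the Amazon-provided resolver. The subnet and security-group IDs are constructed placeholders; only 10.0.0.2 and corp.example.com come from the scenario.

```python
from ipaddress import ip_address

ONPREM_DNS = "10.0.0.2"                 # on-premises resolver from the scenario
AMAZON_DNS = "AmazonProvidedDNS"        # the VPC ".2" resolver instances already use

# Outbound endpoint: two subnets so one AZ failure does not stop forwarding.
# IDs below are constructed placeholders, not real resources.
OUTBOUND_ENDPOINT = {
    "Direction": "OUTBOUND",
    "SecurityGroupIds": ["sg-0123456789abcdef0"],
    "IpAddresses": [{"SubnetId": "subnet-0aaaaaaaaaaaaaaaa"},   # AZ a
                    {"SubnetId": "subnet-0bbbbbbbbbbbbbbbb"}],  # AZ b
}

# Forwarding rule that is associated with the VPC.
FORWARD_RULE = {
    "RuleType": "FORWARD",
    "DomainName": "corp.example.com",
    "TargetIps": [{"Ip": ONPREM_DNS, "Port": 53}],
}

def validate_endpoint(endpoint: dict) -> list:
    """Return the problems a reviewer would flag; an empty list means OK."""
    problems = []
    if endpoint.get("Direction") != "OUTBOUND":
        problems.append("direction must be OUTBOUND to forward queries out of the VPC")
    subnets = {ip["SubnetId"] for ip in endpoint.get("IpAddresses", [])}
    if len(subnets) < 2:
        problems.append("outbound endpoint needs IPs in at least two subnets for HA")
    return problems

def validate_rule(rule: dict) -> list:
    """Forwarding must go to the on-premises (private) resolver, not the internet."""
    problems = []
    if rule.get("RuleType") != "FORWARD":
        problems.append("rule must be FORWARD to send queries to on-premises DNS")
    for target in rule.get("TargetIps", []):
        if not ip_address(target["Ip"]).is_private:
            problems.append(f"target {target['Ip']} is not a private address")
    return problems

def matches(rule_domain: str, qname: str) -> bool:
    """A rule for corp.example.com covers that name and every subdomain of it."""
    q, d = qname.rstrip(".").lower(), rule_domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)

def choose_target(qname: str, rules: list) -> str:
    """Most specific matching FORWARD rule wins; otherwise the Amazon resolver answers."""
    best = max((r for r in rules if matches(r["DomainName"], qname)),
               key=lambda r: len(r["DomainName"]), default=None)
    return best["TargetIps"][0]["Ip"] if best else AMAZON_DNS
```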