AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
An organization has a Direct Connect link between its on-premises data center and an AWS VPC. EC2 instances in the VPC must resolve host names in the on-premises corp.example.com domain by using the existing on-premises DNS server at 10.0.0.2. The operations team wants a scalable solution that requires no per-instance configuration changes or manual record maintenance. According to AWS best practices, which action will meet these requirements?
Create a private hosted zone for corp.example.com in Route 53 and manually populate A and CNAME records for all on-premises hosts.
Enable DNS resolution and DNS hostnames in the VPC; the Amazon-provided DNS server will automatically forward corp.example.com queries across Direct Connect.
Update the VPC's DHCP options set to hand out 10.0.0.2 as the primary DNS server, then restart networking on every EC2 instance.
Create a Route 53 Resolver outbound endpoint in two private subnets. Add a rule that forwards queries for corp.example.com to 10.0.0.2 and associate the rule with the VPC.
Route 53 Resolver can forward DNS queries that originate in a VPC to external DNS servers through an outbound endpoint. Creating the endpoint in at least two subnets provides high availability, and a forwarding rule that targets the on-premises DNS IP ensures that any query for corp.example.com leaves the VPC and is answered by the data-center resolver. No changes are needed on the EC2 instances because they continue to use the Amazon-provided .2 resolver, which automatically consults the forwarding rule.
Creating a private hosted zone would require manually adding and updating records for every on-premises host, which is operationally heavy and error-prone. Relying on the Amazon-provided DNS alone will not work because it never forwards queries to on-premises networks. Pointing instances directly to the on-premises DNS server through the VPC's DHCP options removes the benefit of the Amazon-provided resolver (for internal AWS zones) and introduces a single point of failure without providing Route 53-level visibility or logging.
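The outbound-endpoint design described above, written as a CloudFormation template. This is an added example, not part of the original question. The parameters VpcId, SubnetA and SubnetB and all resource names are assumptions. It also restricts the endpoint's security group so that it can send DNS traffic only to 10.0.0.2.

```yaml
# Added example (constructed). VpcId, SubnetA, SubnetB and the logical
# resource names are hypothetical; only corp.example.com and 10.0.0.2
# come from the question.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetA:                      # private subnet in the first AZ
    Type: AWS::EC2::Subnet::Id
  SubnetB:                      # private subnet in a second AZ
    Type: AWS::EC2::Subnet::Id
Resources:
  ResolverEgressSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Outbound endpoint may reach only the on-premises DNS server
      VpcId: !Ref VpcId
      SecurityGroupEgress:      # declaring egress replaces the default allow-all rule
        - { IpProtocol: udp, FromPort: 53, ToPort: 53, CidrIp: 10.0.0.2/32 }
        - { IpProtocol: tcp, FromPort: 53, ToPort: 53, CidrIp: 10.0.0.2/32 }
  OutboundEndpoint:
    Type: AWS::Route53Resolver::ResolverEndpoint
    Properties:
      Name: corp-outbound
      Direction: OUTBOUND
      SecurityGroupIds:
        - !GetAtt ResolverEgressSg.GroupId
      IpAddresses:              # one endpoint IP per subnet, two subnets for availability
        - SubnetId: !Ref SubnetA
        - SubnetId: !Ref SubnetB
  CorpForwardRule:
    Type: AWS::Route53Resolver::ResolverRule
    Properties:
      Name: forward-corp-example-com
      RuleType: FORWARD
      DomainName: corp.example.com
      ResolverEndpointId: !GetAtt OutboundEndpoint.ResolverEndpointId
      TargetIps:
        - Ip: 10.0.0.2
          Port: "53"
  CorpRuleAssociation:          # without this association the VPC never uses the rule
    Type: AWS::Route53Resolver::ResolverRuleAssociation
    Properties:
      Name: corp-rule-to-vpc
      ResolverRuleId: !GetAtt CorpForwardRule.ResolverRuleId
      VPCId: !Ref VpcId
```

The on-premises firewall must also accept DNS over UDP and TCP port 53 from the two endpoint IP addresses, which arrive across the Direct Connect link.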
AWS Certified CloudOps Engineer Associate SOA-C03
Networking and Content Delivery