Question 23
Domain 1: Design Solutions for Organizational Complexity
A financial-services company is building a hybrid-cloud architecture that connects its on-premises data center to multiple AWS VPCs over AWS Direct Connect. The company requires seamless, bidirectional DNS resolution: on-premises applications must resolve private hostnames for Amazon EC2 instances in the VPCs (for example, app-server.prod.vpc.example.com), and EC2 instances must resolve hostnames that live only in the on-premises namespace (for example, db.corp.internal). The solution must be highly available, scalable, and centrally manageable, and it must not require custom DNS server software on EC2 instances. Which solution meets these requirements most effectively?
Correct answer: D
Explanation
Route 53 Resolver is the AWS-managed hybrid DNS service that integrates VPC name resolution with on-premises DNS. Inbound and outbound endpoints, combined with conditional forwarding on both sides, provide bidirectional resolution across Direct Connect without custom DNS software, meeting the need for centralized, scalable, highly available hybrid DNS.
Why each option is right or wrong
A. Create a private hosted zone for the on-premises domain (corp.internal) and associate it with all VPCs. Create a Route 53 outbound endpoint and a rule to forward all queries from the VPCs to the on-premises DNS servers.
An outbound endpoint does forward VPC queries to on-premises DNS, but a private hosted zone for corp.internal does not represent the on-premises namespace: it makes Route 53 authoritative for that domain inside the VPCs instead of forwarding to the servers that actually hold the records. The option also provides no inbound path, so on-premises applications still cannot resolve VPC hostnames.
B. Create a Route 53 inbound endpoint in each VPC. Configure the on-premises DNS servers with conditional forwarders that send all AWS-related DNS queries to the IP addresses of the inbound endpoints.
Inbound endpoints only receive DNS queries from on-premises clients, which covers the on-premises-to-VPC direction. Without an outbound endpoint and forwarding rules, EC2 instances still have no way to resolve names in the on-premises namespace.
C. Deploy a pair of highly available EC2 instances running BIND in a central VPC. Configure on-premises DNS servers to forward queries to these instances, and configure the BIND servers to forward queries for the on-premises domain back to the on-premises DNS servers.
BIND on EC2 is exactly the custom DNS software the requirements exclude, and it adds patching, scaling, and failover overhead that the managed Route 53 Resolver endpoints remove.
D. Create Route 53 Resolver inbound and outbound endpoints. Configure conditional forwarding on the on-premises DNS servers to send queries for the VPC domain to the inbound endpoint. Create Resolver rules to forward queries for the on-premises domain to the on-premises DNS servers via the outbound endpoint.
AWS Route 53 Resolver is the managed hybrid-DNS service for VPCs, and its inbound and outbound endpoints are the supported mechanism for bidirectional name resolution across Direct Connect without installing DNS software on EC2. Inbound endpoints let on-premises DNS servers query private hosted-zone names in the VPC, while outbound endpoints plus Resolver rules forward VPC-originated queries for the on-premises namespace to the corporate DNS servers. The design is centrally managed (rules are defined once and associated with each VPC), scalable, and highly available because each endpoint places IP addresses in multiple subnets across Availability Zones.