Question 9
Domain 1: Design Solutions for Organizational Complexity

A company needs to architect a hybrid DNS solution. This solution will use an Amazon Route 53 private hosted zone for the domain cloud.example.com for the resources stored within VPCs. The company has the following DNS resolution requirements:

• On-premises systems should be able to resolve and connect to cloud.example.com.
• All VPCs should be able to resolve cloud.example.com.

There is already an AWS Direct Connect connection between the on-premises corporate network and AWS Transit Gateway. Which architecture should the company use to meet these requirements with the HIGHEST performance?
Correct answer: A
Explanation
Route 53 Resolver is the AWS-managed hybrid DNS service for on-premises DNS integration, and an inbound resolver endpoint lets the corporate DNS servers query the private hosted zone over the existing Direct Connect/Transit Gateway path. Associating the private hosted zone with all VPCs lets every VPC resolve cloud.example.com locally through its own VPC resolver, which gives the highest performance by avoiding extra DNS forwarding hops.
Why each option is right or wrong
A. Associate the private hosted zone to all the VPCs. Create a Route 53 inbound resolver in the shared services VP
Route 53 private hosted zones are only resolvable from associated VPCs, so attaching the zone to every VPC is what makes in-VPC lookups for cloud.example.com work without any forwarding path or extra hop. For on-premises resolution, Route 53 Resolver inbound endpoints are the supported hybrid DNS entry point; they are queried over the existing Direct Connect/TGW path and use standard DNS on port 53, which preserves the lowest-latency design compared with chaining through additional resolvers.
B. Attach all VPCs to the transit gateway and create forwarding rules in the on-premises DNS server for cloud.example.com that point to the inbound resolver.
Transit Gateway attachment does not replace Route 53 Resolver forwarding for hybrid DNS resolution.
C. Associate the private hosted zone to all the VPCs. Deploy an Amazon EC2 conditional forwarder in the shared services VP
An EC2 conditional forwarder is not the AWS-managed hybrid DNS endpoint for private hosted zones.
D. Attach all VPCs to the transit gateway and create forwarding rules in the on-premises DNS server for cloud.example.com that point to the conditional forwarder.
Forwarding to a conditional forwarder adds an unnecessary hop instead of using Route 53 Resolver.
E. Associate the private hosted zone to the shared services VP
A private hosted zone must be associated with every VPC that needs to resolve it.
F. Create a Route 53 outbound resolver in the shared services VP
Outbound resolvers send VPC DNS queries to external destinations; they do not accept on-premises queries.