AWS Certified Solutions Architect – Associate (SAA-C03) — Question 671
A company is designing a web application on AWS. The application will use a VPN connection between the company’s existing data centers and the company's VPCs.
The company uses Amazon Route 53 as its DNS service. The application must use private DNS records to communicate with the on-premises services from a VPC.
Which solution will meet these requirements in the MOST secure manner?
Answer options
- A. Create a Route 53 Resolver outbound endpoint. Create a resolver rule. Associate the resolver rule with the VPC.
- B. Create a Route 53 Resolver inbound endpoint. Create a resolver rule. Associate the resolver rule with the VPC.
- C. Create a Route 53 private hosted zone. Associate the private hosted zone with the VPC.
- D. Create a Route 53 public hosted zone. Create a record for each service to allow service communication.
Correct answer: A
Explanation
To resolve on-premises private DNS records from resources inside an AWS VPC, a Route 53 Resolver outbound endpoint is required: a forwarding resolver rule for the on-premises domain sends matching queries through the endpoint, over the VPN connection, to the on-premises DNS servers, and associating that rule with the VPC makes its resources use it. An inbound endpoint serves the reverse scenario, in which on-premises resources need to resolve records hosted in AWS. A public hosted zone is insecure because it would expose internal infrastructure names to the public internet, and a private hosted zone cannot natively forward queries to on-premises DNS servers.
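As an added illustration of option A (not part of the original question or its explanation), the following Terraform configuration creates the outbound endpoint, a FORWARD rule for the on-premises domain, and the VPC association, with a security group that limits the endpoint to DNS traffic towards the data center. The VPC and subnet IDs, the on-premises CIDR and resolver addresses, and the domain name `corp.example.internal` are placeholder assumptions.

```hcl
# Added example, not from the original page. Every ID, CIDR, address and
# domain name below is a placeholder assumption.

variable "vpc_id"      { default = "vpc-0123456789abcdef0" }                          # placeholder
variable "subnet_ids"  { default = ["subnet-0aaaaaaaaaaaaaaaa", "subnet-0bbbbbbbbbbbbbbbb"] } # two AZs, placeholders
variable "onprem_cidr" { default = "10.10.0.0/16" }                                   # data-center range, placeholder
variable "onprem_dns"  { default = ["10.10.0.10", "10.10.0.11"] }                     # on-prem resolvers reachable over the VPN, placeholders

# Least-privilege security group: an outbound endpoint only needs to send
# DNS (UDP and TCP 53) to the on-premises resolvers, so no ingress rules
# are defined and egress is restricted to the data-center CIDR.
resource "aws_security_group" "resolver_outbound" {
  name   = "route53-resolver-outbound"
  vpc_id = var.vpc_id

  egress {
    from_port   = 53
    to_port     = 53
    protocol    = "udp"
    cidr_blocks = [var.onprem_cidr]
  }
  egress {
    from_port   = 53
    to_port     = 53
    protocol    = "tcp"
    cidr_blocks = [var.onprem_cidr]
  }
}

# Outbound endpoint: one ENI per subnet (two subnets in different AZs for
# availability) from which Resolver forwards queries towards the data center.
resource "aws_route53_resolver_endpoint" "outbound" {
  name               = "to-onprem"
  direction          = "OUTBOUND"
  security_group_ids = [aws_security_group.resolver_outbound.id]

  dynamic "ip_address" {
    for_each = var.subnet_ids
    content {
      subnet_id = ip_address.value
    }
  }
}

# Forwarding rule: only queries for the on-premises domain leave the VPC;
# every other name is still answered by the VPC's default resolver.
resource "aws_route53_resolver_rule" "onprem" {
  name                 = "forward-corp-to-onprem"
  domain_name          = "corp.example.internal" # placeholder
  rule_type            = "FORWARD"
  resolver_endpoint_id = aws_route53_resolver_endpoint.outbound.id

  dynamic "target_ip" {
    for_each = var.onprem_dns
    content {
      ip   = target_ip.value
      port = 53
    }
  }
}

# Associate the rule with the VPC so that resources in it use the rule.
resource "aws_route53_resolver_rule_association" "onprem" {
  resolver_rule_id = aws_route53_resolver_rule.onprem.id
  vpc_id           = var.vpc_id
}
```

Two things to check after applying this: the VPN route tables must cover the on-premises CIDR from the endpoint subnets, and the data-center firewall and DNS servers should accept port 53 only from the endpoint ENI addresses (visible on the endpoint after creation), which keeps the trust relationship as narrow on the on-premises side as the security group makes it on the AWS side. Because the rule matches only the forwarded domain, nothing about the AWS environment's internal names is published and no public hosted zone is involved.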