AWS Certified Solutions Architect – Professional (SAP-C02) — Question 305

A company is migrating mobile banking applications to run on Amazon EC2 instances in a VPC. Backend service applications run in an on-premises data center. The data center has an AWS Direct Connect connection into AWS. The applications that run in the VPC need to resolve DNS requests to an on-premises Active Directory domain that runs in the data center.

Which solution will meet these requirements with the LEAST administrative overhead?

Answer options

• A. Provision a set of EC2 instances across two Availability Zones in the VPC as caching DNS servers to resolve DNS queries from the application servers within the VPC.
• B. Provision an Amazon Route 53 private hosted zone. Configure NS records that point to on-premises DNS servers.
• C. Create DNS endpoints by using Amazon Route 53 Resolver. Add conditional forwarding rules to resolve DNS namespaces between the on-premises data center and the VPC.
• D. Provision a new Active Directory domain controller in the VPC with a bidirectional trust between this new domain and the on-premises Active Directory domain.

Correct answer: C

Explanation

Amazon Route 53 Resolver endpoints and conditional forwarding rules provide a fully managed, highly available solution to resolve DNS queries between a VPC and an on-premises environment with minimal operational overhead. Deploying self-managed EC2 DNS servers (Option A) or setting up a new domain controller with trusts (Option D) introduces significant administrative and maintenance overhead. Option B is incorrect because Route 53 private hosted zones do not support routing queries to on-premises DNS servers via NS records in this manner.