AWS Certified Solutions Architect – Professional (SAP-C02) — Question 489

A company requires that all internal application connectivity use private IP addresses. To facilitate this policy, a solutions architect has created interface endpoints to connect to AWS Public services. Upon testing, the solutions architect notices that the service names are resolving to public IP addresses, and that internal services cannot connect to the interface endpoints.

Which step should the solutions architect take to resolve this issue?

Answer options

• A. Update the subnet route table with a route to the interface endpoint.
• B. Enable the private DNS option on the VPC attributes.
• C. Configure the security group on the interface endpoint to allow connectivity to the AWS services.
• D. Configure an Amazon Route 53 private hosted zone with a conditional forwarder for the internal application.

Correct answer: B

Explanation

Enabling private DNS on the interface endpoint ensures that the standard AWS public service hostnames automatically resolve to the private IP addresses of the endpoint within the VPC. Without this VPC attribute enabled, name resolution will continue to return the public IP addresses of the AWS services, causing the traffic to bypass the private endpoint. Modifying subnet route tables or configuring Route 53 conditional forwarders is not the correct mechanism to resolve standard AWS service endpoint DNS names.