AWS Certified Solutions Architect – Professional — Question 306

A company is using multiple AWS accounts. The DNS records are stored in a private hosted zone for Amazon Route 53 in Account A. The company's applications and databases are running in Account B.
A solutions architect will deploy a two-tier application in a new VPC. To simplify the configuration, the db.example.com CNAME record set for the Amazon RDS endpoint was created in a private hosted zone for Amazon Route 53.
During deployment, the application failed to start. Troubleshooting revealed that db.example.com is not resolvable on the Amazon EC2 instance. The solutions architect confirmed that the record set was created correctly in Route 53.
Which combination of steps should the solutions architect take to resolve this issue? (Choose two.)

Answer options

• A. Deploy the database on a separate EC2 instance in the new VPC. Create a record set for the instance's private IP in the private hosted zone.
• B. Use SSH to connect to the application tier EC2 instance. Add an RDS endpoint IP address to the /etc/resolv.conf file.
• C. Create an authorization to associate the private hosted zone in Account A with the new VPC in Account B.
• D. Create a private hosted zone for the example com domain in Account B. Configure Route 53 replication between AWS accounts.
• E. Associate a new VPC in Account B with a hosted zone in Account A. Delete the association authorization in Account A.

Correct answer: C, E

Explanation

To resolve DNS queries for a private hosted zone in one AWS account from a VPC in another AWS account, you must perform a cross-account VPC association. First, the owner of the private hosted zone (Account A) must authorize the association with the VPC in Account B. Then, the owner of the VPC (Account B) must associate the VPC with the hosted zone, after which the temporary association authorization in Account A can be safely deleted.