AWS Certified Solutions Architect – Professional — Question 469

A company requires that all internal application connectivity use private IP addresses. To facilitate this policy, a solutions architect has created interface endpoints to connect to AWS public services. Upon testing, the solutions architect notices that the service names are resolving to public IP addresses, and that internal services cannot connect to the interface endpoints.
Which step should the solutions architect take to resolve this issue?

Answer options

Correct answer: B

Explanation

Private DNS for an interface endpoint depends on two settings working together. The VPC attributes enableDnsSupport and enableDnsHostnames must both be enabled, and the endpoint itself must have private DNS enabled. With both in place, AWS creates a Route 53 private hosted zone for the VPC that resolves the service's public DNS name (for example ec2.us-east-1.amazonaws.com) to the private IP addresses of the endpoint's elastic network interfaces. If the VPC attributes are not enabled, the endpoint's private DNS option cannot take effect: queries for the service name keep returning public IP addresses, so internal services never send traffic toward the endpoint. Modifying route tables does not help, because the fault is in name resolution rather than routing (an interface endpoint is reached through its ENIs in the subnet, not through a route table entry), and a conditional forwarder does not create the private hosted zone that the endpoint relies on.
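The following script is an added example and not part of the exam page or of any AWS tooling. It shows how a practitioner would confirm the diagnosis from inside the VPC and then apply the fix with the AWS CLI. The resolver check is pure POSIX shell so it can be run offline on captured `dig` output; the VPC ID, endpoint ID, CIDR, service name and the sample resolved addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: diagnose and fix interface-endpoint private DNS.
# All identifiers below (vpc-0123, vpce-0abc, 10.0.0.0/16, the sample
# addresses) are constructed placeholders, not values from the page.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR CIDR : exit 0 if ADDR lies inside CIDR, 1 otherwise.
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# all_private VPC_CIDR ADDR... : exit 0 only if every resolved address is a
# private address inside the VPC, i.e. one of the endpoint ENI addresses.
# Any public answer means the private hosted zone is not in effect.
all_private() {
    cidr=$1; shift
    rc=0
    for ip in "$@"; do
        if in_cidr "$ip" "$cidr"; then
            echo "$ip: private (inside $cidr), endpoint DNS is working"
        else
            echo "$ip: PUBLIC, private DNS is not taking effect"
            rc=1
        fi
    done
    return $rc
}

# check_resolution VPC_CIDR SERVICE_FQDN : run from an instance in the VPC.
# Queries must go through the VPC's Route 53 Resolver (the .2 address of
# the VPC CIDR) for the endpoint's private hosted zone to apply.
check_resolution() {
    all_private "$1" $(dig +short "$2" | grep -E '^[0-9.]+$')
}

# show_settings VPC_ID VPCE_ID : print the three settings that must all be true.
show_settings() {
    aws ec2 describe-vpc-attribute --vpc-id "$1" --attribute enableDnsSupport \
        --query 'EnableDnsSupport.Value' --output text
    aws ec2 describe-vpc-attribute --vpc-id "$1" --attribute enableDnsHostnames \
        --query 'EnableDnsHostnames.Value' --output text
    aws ec2 describe-vpc-endpoints --vpc-endpoint-ids "$2" \
        --query 'VpcEndpoints[0].PrivateDnsEnabled' --output text
}

# fix_settings VPC_ID VPCE_ID : enable the VPC DNS attributes first, then
# private DNS on the endpoint (the endpoint change is rejected otherwise).
fix_settings() {
    aws ec2 modify-vpc-attribute --vpc-id "$1" --enable-dns-support '{"Value":true}'
    aws ec2 modify-vpc-attribute --vpc-id "$1" --enable-dns-hostnames '{"Value":true}'
    aws ec2 modify-vpc-endpoint --vpc-endpoint-id "$2" --private-dns-enabled
}

# Offline demonstration on constructed resolver answers: the first set is
# what a working endpoint returns, the second reproduces the symptom.
if all_private 10.0.0.0/16 10.0.1.23 10.0.2.45; then
    echo "constructed healthy case: OK"
fi
if ! all_private 10.0.0.0/16 203.0.113.7; then
    echo "constructed broken case: run fix_settings vpc-0123 vpce-0abc"
fi
```

Usage: from an instance in the VPC, `check_resolution 10.0.0.0/16 ec2.us-east-1.amazonaws.com` tells you whether the default service name now lands on the endpoint; `show_settings` and `fix_settings` need AWS credentials and the real IDs. Two caveats worth keeping in mind: the endpoint-specific name of the form vpce-...vpce.amazonaws.com resolves to the ENI addresses regardless of the private DNS setting, so it is a useful control test, and if the VPC's DHCP option set points instances at an on-premises resolver instead of the VPC resolver, the private hosted zone is bypassed even when every setting above is correct.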