AWS Certified Solutions Architect – Professional — Question 673

A company is migrating mobile banking applications to run on Amazon EC2 instances in a VPC. Backend service applications run in an on-premises data center.
The data center has an AWS Direct Connect connection into AWS. The applications that run in the VPC need to resolve DNS requests to an on-premises Active
Directory domain that runs in the data center.
Which solution will meet these requirements with the LEAST administrative overhead?

Answer options

• A. Provision a set of EC2 instances across two Availability Zones in the VPC as caching DNS servers to resolve DNS queries from the application servers within the VPC.
• B. Provision an Amazon Route 53 private hosted zone. Configure NS records that point to on-premises DNS servers.
• C. Create DNS endpoints by using Amazon Route 53 Resolver Add conditional forwarding rules to resolve DNS namespaces between the on-premises data center and the VPC.
• D. Provision a new Active Directory domain controller in the VPC with a bidirectional trust between this new domain and the on-premises Active Directory domain.

Correct answer: C

Explanation

Amazon Route 53 Resolver endpoints with conditional forwarding rules provide a fully managed solution to forward DNS queries from a VPC to on-premises DNS servers over AWS Direct Connect. This approach requires minimal administrative effort compared to deploying, patching, and maintaining self-managed DNS servers on EC2 instances. Other options, such as setting up a new Active Directory domain controller with bidirectional trusts, add unnecessary operational complexity and overhead.