Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 75 discussion

https://aws.amazon.com/es/blogs/networking-and-content-delivery/centralized-dns-management-of-hybrid-cloud-with-amazon-route-53-and-aws-transit-gateway/ see Sharing PrivateLink endpoints between VPCs point

for me creating hundreds of zone associations to the VPC is the definition of operational overhead

C and D should work, and D has the least operational overhead. There is no reason to turn off private DNS unless the question requires more control.

C is the correct answer. Shared, central VPC + interface endpoint for the required services Disable private DNS, create private hosted zone and associated it with all VPC's Connect all VPC through TGW.

https://aws.amazon.com/jp/blogs/news/introducing-private-dns-support-for-amazon-s3-with-aws-privatelink/

I would also vote for C at first, but is there anything wrong with D as the answer with less operational overhead?

I think that it's correct answer is C according to SPOTO products.

This option uses interface VPC endpoints to centralize access to Amazon S3 and Systems Manager in a shared services VPC, eliminating the need for public endpoints. Private DNS is turned off to ensure that the fully qualified domain names (FQDNs) of the services are resolved to their public IP addresses. The use of Amazon Route 53 private hosted zones provides a centralized and scalable DNS solution, and alias records are created to point to the interface VPC endpoints in the shared services VPC. AWS Transit Gateway is used to connect all the VPCs to the central shared services VPC, reducing the operational overhead of managing direct VPC-to-VPC connections. Options A, B, and D either have higher operational overhead or do not provide an optimal solution for centralizing access to Amazon S3 and Systems Manager.

Check Amazon Feature interoperability for TGW DNS support On https://aws.amazon.com/transit-gateway/features/ Check https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html For DNS support, select this option if you need the VPC to resolve public IPv4 DNS host names to private IPv4 addresses when queried from instances in another VPC attached to the transit gateway. Check https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-support If you use custom DNS domain names defined in a private hosted zone in Amazon Route 53, or use private DNS with interface VPC endpoints (AWS PrivateLink), you must set both the enableDnsHostnames and enableDnsSupport attributes to true.

Not D. "When you create a VPC endpoint to an AWS service or AWS PrivateLink SaaS, you can enable Private DNS. When enabled, the setting creates an AWS managed Route 53 private hosted zone (PHZ) for you. The managed PHZ works great for resolving the DNS name within a VPC however, it does not work outside of the VPC. This is where PHZ sharing and Route 53 Resolver come into play to help us get unified name resolution for shared VPC endpoints" https://aws.amazon.com/blogs/networking-and-content-delivery/integrating-aws-transit-gateway-with-aws-privatelink-and-amazon-route-53-resolver/

When you create a VPC endpoint to an AWS service, you can enable private DNS. When enabled, the setting creates an AWS managed Route 53 private hosted zone (PHZ) which enables the resolution of public AWS service endpoint to the private IP of the interface endpoint. The managed PHZ only works within the VPC with the interface endpoint. In our setup, when we want spoke VPCs to be able to resolve VPC endpoint DNS hosted in a centralized VPC, the managed PHZ won’t work. To overcome this, disable the option that automatically creates the private DNS when an interface endpoint is created. Next, manually create a Route 53 PHZ and add an Alias record with the full AWS service endpoint name pointing to the interface endpoint, as shown in the following figure.

Enable private DNS option is ok. In this case, the DNS queries for S3 originating will be resolved to the private IPs of S3 interface endpoints I vote D

Why not B? What's the main difference for you to Choose C over B?

Private DNS needs to be turned off. Hence, D cannot be the answer.

how is Option C LEAST operational overhead?!

https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-access-to-vpc-private-endpoints.html

Private DNS turned on will only allow DNS resolution for interface endpoint within that VPC & not from other VPCs. Option C) is correct.