
Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 490 discussion

A company requires that all internal application connectivity use private IP addresses. To facilitate this policy, a solutions architect has created interface endpoints to connect to AWS Public services. Upon testing, the solutions architect notices that the service names are resolving to public IP addresses, and that internal services cannot connect to the interface endpoints.

Which step should the solutions architect take to resolve this issue?

  • A. Update the subnet route table with a route to the interface endpoint.
  • B. Enable the private DNS option on the VPC attributes.
  • C. Configure the security group on the interface endpoint to allow connectivity to the AWS services.
  • D. Configure an Amazon Route 53 private hosted zone with a conditional forwarder for the internal application.
Suggested Answer: B

Comments

ebbff63
Highly Voted 5 months ago
Selected Answer: B
Ensures proper DNS resolution for VPC endpoints.
upvoted 6 times
...
AzureDP900
Most Recent 1 week, 1 day ago
By choosing option B, the solutions architect can enable private DNS on the VPC attributes, which will resolve service names to private IP addresses, allowing internal applications to connect to interface endpoints without issues.
upvoted 1 times
...
0b43291
1 week, 2 days ago
Selected Answer: B
The correct step the solutions architect should take to resolve the issue of service names resolving to public IP addresses and internal services not being able to connect to the interface endpoints is Option B: Enable the private DNS option on the VPC attributes. When you create an interface endpoint, AWS automatically creates a private DNS name for the service that resolves to the private IP addresses of the interface endpoint. However, by default, the private DNS option is disabled on the VPC, which means that DNS queries for the service name will be resolved using the public DNS instead of the private DNS provided by the interface endpoint. By enabling the private DNS option on the VPC attributes, you instruct the VPC to use the private DNS names provided by the interface endpoints for the specified AWS services. This ensures that the service names resolve to the private IP addresses of the interface endpoints, allowing internal services within the VPC to connect to the AWS services using private IP addresses, as per the company's policy.
upvoted 2 times
...
chris_spencer
1 month, 1 week ago
Selected Answer: B
B... because we had exactly this problem once. C would be right if the name resolved to a private IP, but as described it does not; it resolves to the public IP, so B.
upvoted 1 times
...
backbencher2022
3 months ago
Selected Answer: B
Sorry, ignore my previous comment. Private DNS would solve the issue. Option B is correct.
upvoted 1 times
...
backbencher2022
3 months ago
Selected Answer: C
C (security group) is correct. Private DNS resolution is neither a mandatory prerequisite to use interface endpoints nor a requirement in this question. If you read the question again, resolving to a public IP is a distractor which makes us think that private DNS (option B) is the correct option. The real problem is the 2nd issue of the question, not being able to connect, which is a security group configuration issue. Even if you don't want to use private DNS, your interface endpoint will still work; however, without a security group rule configured, you can't use the interface endpoint at all. Check this document for a list of prerequisites - https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html - and the 2nd point says "To use private DNS...", which implies you may or may not want to use private DNS; however, the 4th prerequisite, "Create a security group....", is mandatory.
upvoted 1 times
...
dzidis
3 months, 4 weeks ago
Here in prerequisites for interface endpoint: To use private DNS, you must enable DNS hostnames and DNS resolution for your VPC. For more information, see View and update DNS attributes in the Amazon VPC User Guide. https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html
upvoted 1 times
...
mifune
5 months ago
Selected Answer: B
Private DNS for Interface Endpoints. Answer B.
upvoted 1 times
...
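A triage sketch for the two failure modes argued over in this thread (the service name resolving to a public address, versus resolving privately while the connection is still refused), added here as an example and not part of any comment. The keys mirror the EC2 `enableDnsSupport`/`enableDnsHostnames` VPC attributes and the endpoint's `PrivateDnsEnabled` field; the addresses, the simplified `(from_port, to_port, cidr)` rule tuples and the assumption that clients reach the endpoint over TCP 443 are constructed for illustration.

```python
import ipaddress

def diagnose(resolved_ips, vpc_cidr, vpc_attrs, endpoint, sg_ingress, client_ip):
    """Return (kind, message) findings; kind is 'dns' or 'security-group'."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    # Prerequisite quoted in the thread: both VPC DNS attributes must be on.
    for attr in ("enableDnsSupport", "enableDnsHostnames"):
        if not vpc_attrs.get(attr):
            findings.append(("dns", f"VPC attribute {attr} is disabled"))
    if not endpoint.get("PrivateDnsEnabled"):
        findings.append(("dns", "PrivateDnsEnabled is false on the endpoint"))
    # The symptom in the question: the service name resolves outside the VPC.
    outside = [ip for ip in resolved_ips if ipaddress.ip_address(ip) not in vpc]
    if outside:
        findings.append(("dns", f"service name resolves outside the VPC: {outside}"))
    # Assumption: clients reach the endpoint over TCP 443 (HTTPS).
    client = ipaddress.ip_address(client_ip)
    admitted = any(lo <= 443 <= hi and client in ipaddress.ip_network(cidr)
                   for lo, hi, cidr in sg_ingress)
    if not admitted:
        findings.append(("security-group",
                         f"no ingress rule admits {client_ip} on TCP 443"))
    return findings

def root_cause(findings):
    """Report DNS first: a name that resolves publicly never reaches the endpoint."""
    kinds = {kind for kind, _ in findings}
    for kind in ("dns", "security-group"):
        if kind in kinds:
            return kind
    return "ok"

# Constructed inputs (not real resources); 203.0.113.0/24 is a documentation range.
HEALTHY = dict(resolved_ips=["10.0.1.57", "10.0.2.91"], vpc_cidr="10.0.0.0/16",
               vpc_attrs={"enableDnsSupport": True, "enableDnsHostnames": True},
               endpoint={"PrivateDnsEnabled": True},
               sg_ingress=[(443, 443, "10.0.0.0/16")], client_ip="10.0.1.25")
AS_IN_QUESTION = dict(HEALTHY, resolved_ips=["203.0.113.10"],
                      endpoint={"PrivateDnsEnabled": False})
SG_ONLY = dict(HEALTHY, sg_ingress=[])

if __name__ == "__main__":
    for name, case in [("healthy", HEALTHY), ("as in question", AS_IN_QUESTION),
                       ("security group only", SG_ONLY)]:
        print(name, "->", root_cause(diagnose(**case)), diagnose(**case))
```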