Exam AWS Certified Solutions Architect - Professional topic 1 question 718 discussion

A company requires that all internal application connectivity use private IP addresses. To facilitate this policy, a solutions architect has created interface endpoints to connect to AWS public services. Upon testing, the solutions architect notices that the service names are resolving to public IP addresses, and that internal services cannot connect to the interface endpoints.
Which step should the solutions architect take to resolve this issue?

  • A. Update the subnet route table with a route to the interface endpoint
  • B. Enable the private DNS option on the VPC attributes
  • C. Configure the security group on the interface endpoint to allow connectivity to the AWS services
  • D. Configure an Amazon Route 53 private hosted zone with a conditional forwarder for the internal application
Suggested Answer: B

Comments

oxfordsolutions
Highly Voted 3 years, 2 months ago
Yup, it's B: https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html#vpce-private-dns
upvoted 19 times
pablobairat
Highly Voted 3 years, 1 month ago
It is C. Private DNS is turned on by default for endpoints created for AWS services and AWS Marketplace Partner services, so B is ruled out of the question. Source: https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html
upvoted 10 times
tgv
3 years, 1 month ago
Good catch!
upvoted 1 times
sashsz
2 years, 8 months ago
Learn some more about the security group's purpose for the EP interface. It's B.
upvoted 3 times
hilft
Most Recent 2 years, 4 months ago
I think it's B
upvoted 2 times
dkp
2 years, 4 months ago
Ans is B: https://aws.amazon.com/premiumsupport/knowledge-center/vpc-interface-configure-dns/
upvoted 1 times
asfsdfsdf
2 years, 4 months ago
Selected Answer: B
I will go with B. For everyone saying it's C: if this was an SG issue, the address would be resolved to the private IP but not accessible. You can see proof here: https://aws.amazon.com/premiumsupport/knowledge-center/vpc-interface-configure-dns/ "For the interface VPC endpoint, verify that private DNS names is turned on. If private DNS names isn't turned on, the service domain name or endpoint domain name resolves to regional public IPs. For steps to turn on private DNS names, see Modify an interface endpoint."
upvoted 1 times
Chitty9
2 years, 5 months ago
Option C is appropriate. Option B would also be correct if this point were not highlighted: internal services are unable to connect to the interface endpoints.
upvoted 1 times
dev10
2 years, 8 months ago
Ans B: even though the private DNS option is enabled, we still need to ensure the VPC attributes are set to true. To use private DNS, you must set the following VPC attributes to true: enableDnsHostnames and enableDnsSupport. There is a possibility that the private DNS option was turned off when the interface endpoint was created inside the VPC.
upvoted 2 times
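A triage script for the two failure modes the comments above argue over (asfsdfsdf: a name that resolves to a public IP is a DNS problem, while a privately resolved but unreachable endpoint points at the security group; dev10: private DNS also needs the VPC attributes enableDnsHostnames and enableDnsSupport). This is an added example, not code from any commenter or from AWS; it assumes the AWS CLI and dig are installed, and VPC_ID, ENDPOINT_ID and SERVICE_HOST are placeholders you substitute.

```shell
#!/bin/sh
# Added example: decide which layer to fix when an interface endpoint's service
# name resolves to a public IP. Placeholders: VPC_ID, ENDPOINT_ID, SERVICE_HOST.

# is_private_ip IP -> exit 0 for an RFC 1918 address, 1 otherwise
is_private_ip() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# diagnose PRIVATE_DNS DNS_HOSTNAMES DNS_SUPPORT RESOLVED_IP
# Booleans arrive as the CLI's text output prints them (True/False).
diagnose() {
  pd=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  dh=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  ds=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
  if [ "$ds" != "true" ] || [ "$dh" != "true" ]; then
    echo "vpc-attributes"        # enableDnsSupport and enableDnsHostnames must both be true
  elif [ "$pd" != "true" ]; then
    echo "endpoint-private-dns"  # name resolves to regional public IPs (answer B)
  elif ! is_private_ip "$4"; then
    echo "resolver"              # settings are right; client likely bypasses the VPC resolver
  else
    echo "security-group"        # resolves privately, so reachability is an SG question (C)
  fi
}

# gather VPC_ID ENDPOINT_ID SERVICE_HOST -> runs the real checks, prints the diagnosis
gather() {
  pd=$(aws ec2 describe-vpc-endpoints --vpc-endpoint-ids "$2" \
        --query 'VpcEndpoints[0].PrivateDnsEnabled' --output text)
  dh=$(aws ec2 describe-vpc-attribute --vpc-id "$1" --attribute enableDnsHostnames \
        --query 'EnableDnsHostnames.Value' --output text)
  ds=$(aws ec2 describe-vpc-attribute --vpc-id "$1" --attribute enableDnsSupport \
        --query 'EnableDnsSupport.Value' --output text)
  ip=$(dig +short A "$3" | grep -E '^[0-9]+\.' | head -n 1)   # skip CNAME lines
  diagnose "$pd" "$dh" "$ds" "$ip"
}

# Remediation for the two DNS findings:
#   aws ec2 modify-vpc-attribute --vpc-id VPC_ID --enable-dns-support '{"Value":true}'
#   aws ec2 modify-vpc-attribute --vpc-id VPC_ID --enable-dns-hostnames '{"Value":true}'
#   aws ec2 modify-vpc-endpoint --vpc-endpoint-id ENDPOINT_ID --private-dns-enabled

# Only hits the API when all three arguments are given:
#   sh triage.sh VPC_ID ENDPOINT_ID SERVICE_HOST
if [ $# -eq 3 ]; then gather "$@"; fi
```

Run it from an instance inside the VPC so that dig uses the same resolver the failing application does.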
Bigbearcn
2 years, 9 months ago
Selected Answer: B
The service names are resolved to public IP addresses, so the application is using the default DNS name, not the endpoint hostname. So you need to enable the private DNS option to resolve it to a private address. Read the "Private DNS for interface endpoints" section in the link https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html.
upvoted 2 times
HellGate
2 years, 10 months ago
My answer is C. You don't need to check private DNS because it's turned on by default, while you do need to configure the SG. https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html
upvoted 1 times
saeidp
2 years, 10 months ago
"Private DNS option on the VPC attributes" is a bit confusing. Private DNS is enabled by default on private endpoints, not on the VPC. It appears the answer is pointing to the VPC attributes DNS hostnames and DNS resolution. Yes, without the above attributes enabled, PrivateLink will not work. Answer is B.
upvoted 2 times
saeidp
2 years, 10 months ago
I change my answer. Private DNS is enabled by default. In this case C is correct.
upvoted 1 times
tkanmani76
2 years, 10 months ago
C: https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html
upvoted 1 times
vbal
2 years, 11 months ago
Enable private DNS for the endpoint so you can make requests to the service using its default DNS hostname; if you don't enable it, the default DNS hostname resolves to the public IP of the service. B.
upvoted 1 times
AzureDP900
2 years, 12 months ago
C is right: configure the security group on the interface endpoint to allow connectivity to the AWS services. Interface endpoints need security groups. Look at gateway endpoint vs. interface endpoint. Neal Davis has a similar question.
upvoted 3 times
ByomkeshDas
3 years ago
The security group issue is far beyond the question requirement. It is just like a firewall, which can allow some traffic. The question clearly said that "the service names resolve to public IP addresses". So it is a DNS resolution related issue, not an ACL related issue. So option B is correct.
upvoted 3 times
andylogan
3 years, 1 month ago
It's C
upvoted 2 times
Cotter
3 years, 1 month ago
B for sure. https://www.examtopics.com/user/student22/
upvoted 1 times
student22
3 years, 1 month ago
B. You have to enable the private DNS option. Otherwise it will resolve to the public address.
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%)