Exam AWS Certified Solutions Architect - Professional topic 1 question 724 discussion

A is the answer, based on https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-dns-management-of-hybrid-cloud-with-amazon-route-53-and-aws-transit-gateway/ "When a Route 53 private hosted zone needs to be resolved in multiple VPCs and AWS accounts as described earlier, the most reliable pattern is to share the private hosted zone between accounts and associate it to each VPC that needs it."

"Although it is possible to use forwarding rules to resolve private hosted zones in other VPCs, we do not recommend that. The most reliable, performant and low-cost approach is to share and associate private hosted zones directly to all VPCs that need them." https://aws.amazon.com/vi/blogs/networking-and-content-delivery/centralized-dns-management-of-hybrid-cloud-with-amazon-route-53-and-aws-transit-gateway/ So answer is A!!!!

The key difference lies in the centralized resolution vs. distributed resolution trade-off. Option D prioritizes performance by centralizing queries on the inbound resolver, leveraging Direct Connect and Transit Gateway. Option A, on the other hand, simplifies management but could introduce additional query hops and potential latency, especially if VPCs are geographically dispersed. Therefore, the optimal choice depends on various factors beyond just sharing the hosted zone. In this specific scenario: High performance is crucial. AWS Direct Connect connection exists. All VPCs need to resolve cloud.example.com. Option D with the Route 53 inbound resolver offers significant performance benefits over option A. However, if managing individual VPC associations is a higher priority and latency concerns are minimal, option A could be a viable alternative.

How can the answer not be A? In D they dont associate the zone with other VPCs, they also have don;t attach the other VPCs to transit gatweay, essentially the outcome would mean that the other vpcs have no dns resolution for the private zone and also no connectivity. If you want to add other VPCs to your private hosted zone you must associate those VPCs, this would solve the issues for resolving the DNS zone, attaching all zones to the transit gateway would then allow the connectivity.

Do smb know why HIGHEST performance is highlighted? I may reveal the difference between A and D

D https://aws.amazon.com/blogs/networking-and-content-delivery/integrating-aws-transit-gateway-with-aws-privatelink-and-amazon-route-53-resolver/

AAA - Well explain here: https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-dns-management-of-hybrid-cloud-with-amazon-route-53-and-aws-transit-gateway/ -"When a Route 53 private hosted zone needs to be resolved in multiple VPCs and AWS accounts as described earlier, the most reliable pattern is to share the private hosted zone between accounts and associate it to each VPC that needs it. "

The key point is : the resources stored within VPCs, no were mentioned shared VPC

I will go with D there is a blog for this - there is no need to associate the private zone with all VPCs only with the shared one. the shared one will be already associated with others. https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-dns-management-of-hybrid-cloud-with-amazon-route-53-and-aws-transit-gateway/

D, after reading https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-dns-management-of-hybrid-cloud-with-amazon-route-53-and-aws-transit-gateway/

First criteria, On-premises systems should be able to resolve and connect to cloud.example.com which rules out outbound, must be inbound from DC. So that leaves us with A and D, both work but based on best practice, using shared VPC is more efficient, so answer must be D

A is the answer

D - We dont need to attach all the VPCs to TGW, only the Shared VPC. Private Hosted Zones and Forwarding Rules can be in shared VPC and shared using RAM to all the VPC (doesnt need Peering or TGW between VPCs for that, so A is incorrect)

When a Route 53 private hosted zone needs to be resolved in multiple VPCs and AWS accounts as described earlier, the most reliable pattern is to share the private hosted zone between accounts and associate it to each VPC that needs it from-> https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-dns-management-of-hybrid-cloud-with-amazon-route-53-and-aws-transit-gateway/

A or D? I am so confused...

D is the Answer. Read the link below. Don't blindly assume anything. https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-dns-management-of-hybrid-cloud-with-amazon-route-53-and-aws-transit-gateway/

The answer to the recent dump is marked with D. Is the answer A still valid?