Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 1 discussion

A. Correct answer. Source: https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-dns-management-of-hybrid-cloud-with-amazon-route-53-and-aws-transit-gateway/ NOT B. EC2 conditional forwarder will not meet Highest performance requirement. NOT C. Missing: Need to associate private hosted zone to all VPC. "All VPC’s will need to associate their private hosted zones to all other VPC’s if required to." Source: https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-dns-management-of-hybrid-cloud-with-amazon-route-53-and-aws-transit-gateway/ NOT D. Missing: Need to associate private hosted zone to all VPC. "All VPC’s will need to associate their private hosted zones to all other VPC’s if required to." Source: https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-dns-management-of-hybrid-cloud-with-amazon-route-53-and-aws-transit-gateway/

A because it requires all VPC can resolve the example.com. All VPCs must be associated with private hosted zone

On-premises systems should be able to resolve and connect to cloud.example.com, it is inbound resolver, C is incorrect. All VPCS will need to associate their private zones to the Transit Gateway, associated only the shared VPC with TGW forces all the DNS query from other VPCS forward to shared VPC, add the latency. d is incorrect

When a Route 53 private hosted zone needs to be resolved in multiple VPCs and AWS accounts as described earlier, the most reliable pattern is to share the private hosted zone between accounts and associate it to each VPC that needs it.

A. Correct answer. Source: https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-dns-management-of-hybrid-cloud-with-amazon-route-53-and-aws-transit-gateway/

Associate the private hosted zone to all the VPCs. Create a Route 53 inbound resolver in the shared services VPC. Attach all VPCs to the transit gateway and create forwarding rules in the on-premises DNS server for cloud.example.com that point to the inbound resolver.

1-1. Private hosted zone One Account -> 2 Account PHZ is not Equals. 1-2. VPCs in Private hosted zone 2. On-Premise -> AWS Domain Name Query [ Route 53 Resolver ] 3. Private hosted zone - Route 53 Resolver

"All VPCs and only need inbound Resolver"

Answer is A: Please see link below for the solution: https://docs.aws.amazon.com/whitepapers/latest/hybrid-cloud-dns-options-for-vpc/route-53-resolver-endpoints-and-forwarding-rules.html

The correct option would be option A: Associate the private hosted zone to all the VPCs. Create a Route 53 inbound resolver in the shared services VPC. Attach all VPCs to the transit gateway and create forwarding rules in the on-premises DNS server for cloud.example.com that point to the inbound resolver. This option will allow the on-premises systems to resolve and connect to cloud.example.com by forwarding the DNS queries to the inbound resolver in the shared services VPC, which will then forward the queries to the private hosted zone. All VPCs will be able to resolve cloud.example.com by resolving the queries through the private hosted zone associated to all VPCs. Additionally, this option takes advantage of the already existing AWS Direct Connect connection between the on-premises corporate network and AWS Transit Gateway, which will provide the highest performance.

The best architecture to meet the given requirements with the HIGHEST performance would be Option A: A. Associate the private hosted zone to all the VPCs. Create a Route 53 inbound resolver in the shared services VPC. Attach all VPCs to the transit gateway and create forwarding rules in the on-premises DNS server for cloud.example.com that point to the inbound resolver. This architecture ensures that all VPCs can resolve the cloud.example.com domain using the private hosted zone. Additionally, it creates a Route 53 inbound resolver in the shared services VPC that can handle DNS resolution requests from on-premises systems through the transit gateway. This setup allows for fast and efficient DNS resolution with minimal latency.

All options mention a Shared Services VPC that is not in the question. This is used for Route 53 for cloud.example.com. Option A - Associating all VPCs with the private hosted zone allows resolution of cloud.example.com; an inbound resolves allows on-premise resource to resolve to cloud.example.com; the final bit of connectivity allows on-premise to connect and resolve to cloud.example.com Option B - An Amazon EC2 Conditional Forwarder does not apply in this situation because an Active Directory is not in play in this situation Option C - Would not work because it is relying on an Outbound resolver (from cloud to on-premise) Option D - Would not work because the other VPCs are not connected to the private zone. Moreover, connectivity is not complete because only the Shared Services VPC is connected to the Transit Gateway

To achieve the highest performance hybrid DNS solution, the company should associate a Route 53 private hosted zone with "cloud.example.com" to all VPCs, then create a Route 53 inbound resolver in a shared services VPC. This inbound resolver is connected to the on-premises network via AWS Direct Connect and Transit Gateway, allowing on-premises systems to resolve the private hosted zone. Forwarding rules on the on-premises DNS server direct queries for "cloud.example.com" to the inbound resolver, ensuring seamless resolution for both on-premises and cloud resources.

A. Associate the private hosted zone to all the VPCs. Create a Route 53 inbound resolver in the shared services VPC. Attach all VPCs to the transit gateway and create forwarding rules in the on-premises DNS server for cloud.example.com that point to the inbound resolver.

"Inbound DNS resolution – Create Route 53 Resolver inbound endpoints in a centralized VPC and associate all the private hosted zones in your Landing Zone with this centralized VPC." Source: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/dns.html

Inbound resolver + private zone

Correct the answer: A