Exam AWS Certified Solutions Architect - Professional topic 1 question 445 discussion

A company is implementing a multi-account strategy; however, the Management team has expressed concerns that services like DNS may become overly complex. The company needs a solution that allows private DNS to be shared among virtual private clouds (VPCs) in different accounts. The company will have approximately 50 accounts in total.
What solution would create the LEAST complex DNS architecture and ensure that each VPC can resolve all AWS resources?

  • A. Create a shared services VPC in a central account, and create a VPC peering connection from the shared services VPC to each of the VPCs in the other accounts. Within Amazon Route 53, create a privately hosted zone in the shared services VPC and resource record sets for the domain and subdomains. Programmatically associate other VPCs with the hosted zone.
  • B. Create a VPC peering connection among the VPCs in all accounts. Set the VPC attributes enableDnsHostnames and enableDnsSupport to "true" for each VPC. Create an Amazon Route 53 private zone for each VPC. Create resource record sets for the domain and subdomains. Programmatically associate the hosted zones in each VPC with the other VPCs.
  • C. Create a shared services VPC in a central account. Create a VPC peering connection from the VPCs in other accounts to the shared services VPC. Create an Amazon Route 53 privately hosted zone in the shared services VPC with resource record sets for the domain and subdomains. Allow UDP and TCP port 53 over the VPC peering connections.
  • D. Set the VPC attributes enableDnsHostnames and enableDnsSupport to "false" in every VPC. Create an AWS Direct Connect connection with a private virtual interface. Allow UDP and TCP port 53 over the virtual interface. Use the on-premises DNS servers to resolve the IP addresses in each VPC on AWS.
Suggested Answer: A

Comments

donathon
Highly Voted 3 years, 9 months ago
A. B: enableDnsHostnames: Indicates whether instances with public IP addresses get corresponding public DNS hostnames. If this attribute is true, instances in the VPC get public DNS hostnames, but only if the enableDnsSupport attribute is also set to true. enableDnsSupport: Indicates whether the DNS resolution is supported. This is not needed. C: Doing it from the central account is less complex and faster. D: This is not recommended and not the least complex solution. This will be difficult to maintain too. I don't think it's even possible.
upvoted 27 times
Moon
3 years, 9 months ago
good analysis. I do support "A" also.
upvoted 1 times
Smart
3 years, 9 months ago
On side note: enableDnsHostnames & enableDnsSupport is required for Private Hosted Zone
upvoted 4 times
donathon
3 years, 9 months ago
In this setup you want to query Route 53 private hosted zone resolution across multiple accounts and VPCs from your resources on-premises. In this design setup you will use a shared services VPC to accomplish this. At the same time, you also want to conditionally forward queries for on-premises domains from the VPCs to the on-premises DNS resolver. These VPCs are inter-connected using a hub and spoke topology. Each of the spoke VPCs belongs to a different account, and they are managed by their respective accounts. When a Route 53 private hosted zone needs to be resolved in multiple VPCs and AWS accounts as described earlier, the most reliable pattern is to share the private hosted zone between accounts and associate it to each VPC that needs it. Although it's possible to use Route 53 Resolver forwarding to solve this use case, this introduces additional costs, possible inter-Availability Zone dependencies, and complexity, which directly associating zones avoids. https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-dns-management-of-hybrid-cloud-with-amazon-route-53-and-aws-transit-gateway/
upvoted 18 times
virtual
3 years, 9 months ago
Thanks for your explanation.
upvoted 2 times
DashL
3 years, 8 months ago
First of all, the solution doesn't need hybrid architecture. A much better solution is available using DNS Resolver (which doesn't even need VPC peering): https://aws.amazon.com/blogs/security/simplify-dns-management-in-a-multiaccount-environment-with-route-53-resolver/ However, with the given options, the most logical answer is A
upvoted 2 times
SkyZeroZx
Most Recent 2 years ago
Selected Answer: A
Doing it from the central account is less complex and faster, so A.
upvoted 1 times
unknownUser22952
2 years, 5 months ago
C is incorrect, because the other VPCs are not associated with the central hosted zone, and just because the VPC is peered to the other VPC which is associated with the hosted zone, it cannot send requests to the hosted zone which doesn't have VPC attachment. We need to explicitly mention the Route53 Resolver IP while making the request. Hence I go with option A
upvoted 2 times
evargasbrz
2 years, 6 months ago
Selected Answer: A
You can use AWS CLI – See create-vpc-association-authorization in the AWS CLI Command Reference https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-associate-vpcs-different-accounts.html
upvoted 1 times
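As an added, runnable illustration of the cross-account association evargasbrz's link describes (example code written for this page; it is not code from the thread, from AWS, or from the linked documentation): a POSIX shell script that shares one private hosted zone owned by a central shared-services account with VPCs in spoke accounts. It first checks the point Smart raised, that enableDnsSupport and enableDnsHostnames must both be true on the spoke VPC, then runs the three-step sequence: create-vpc-association-authorization in the zone-owning account, associate-vpc-with-hosted-zone in the VPC-owning account, and delete-vpc-association-authorization afterwards so the standing authorisation cannot be reused. The hosted-zone ID, VPC IDs, region, profile names and the SPOKES inventory are assumed placeholders; AWS_CMD can be pointed at a stub for a dry run.

```shell
#!/bin/sh
# Added example, not code from the thread or from AWS: share one Route 53 private
# hosted zone owned by a central "shared services" account with VPCs in spoke accounts.
# The zone ID, VPC IDs, region and CLI profile names below are assumed placeholders.
set -eu

AWS_CMD="${AWS_CMD:-aws}"                               # swap in a stub for dry runs
CENTRAL_PROFILE="${CENTRAL_PROFILE:-shared-services}"   # assumed: owns the hosted zone
HOSTED_ZONE_ID="${HOSTED_ZONE_ID:-Z0123456789EXAMPLE}"  # assumed private hosted zone ID
REGION="${REGION:-us-east-1}"                           # assumed region of the spoke VPCs

# A private hosted zone only answers queries from a VPC whose Resolver is switched on,
# so refuse to associate a VPC that has enableDnsSupport or enableDnsHostnames off.
# Arguments: spoke profile, spoke VPC ID. Returns 0 only when both attributes are true.
spoke_vpc_dns_ready() {
  _profile=$1; _vpc=$2
  _support=$("$AWS_CMD" ec2 describe-vpc-attribute --profile "$_profile" --region "$REGION" \
      --vpc-id "$_vpc" --attribute enableDnsSupport \
      --query 'EnableDnsSupport.Value' --output text)
  _hostnames=$("$AWS_CMD" ec2 describe-vpc-attribute --profile "$_profile" --region "$REGION" \
      --vpc-id "$_vpc" --attribute enableDnsHostnames \
      --query 'EnableDnsHostnames.Value' --output text)
  [ "$_support" = "True" ] && [ "$_hostnames" = "True" ]
}

# Cross-account association is a two-party handshake: the zone owner must first
# authorise exactly this VPC, then the VPC owner performs the association, and the
# zone owner finally deletes the authorisation (as AWS recommends) so it cannot be
# reused later to attach some other workload to the shared zone.
# Arguments: spoke profile, spoke VPC ID.
share_zone_with_spoke() {
  _profile=$1; _vpc=$2
  if ! spoke_vpc_dns_ready "$_profile" "$_vpc"; then
    echo "refusing $_vpc: enableDnsSupport and enableDnsHostnames must both be true" >&2
    return 1
  fi
  # Step 1 (central account): authorise this one spoke VPC.
  "$AWS_CMD" route53 create-vpc-association-authorization --profile "$CENTRAL_PROFILE" \
      --hosted-zone-id "$HOSTED_ZONE_ID" --vpc "VPCRegion=$REGION,VPCId=$_vpc"
  # Step 2 (spoke account): associate the VPC with the shared zone.
  "$AWS_CMD" route53 associate-vpc-with-hosted-zone --profile "$_profile" \
      --hosted-zone-id "$HOSTED_ZONE_ID" --vpc "VPCRegion=$REGION,VPCId=$_vpc"
  # Step 3 (central account): revoke the standing authorisation.
  "$AWS_CMD" route53 delete-vpc-association-authorization --profile "$CENTRAL_PROFILE" \
      --hosted-zone-id "$HOSTED_ZONE_ID" --vpc "VPCRegion=$REGION,VPCId=$_vpc"
}

# Usage: ./share-zone.sh --run   (reads "profile vpc-id" pairs, one per line, from SPOKES)
# Constructed inventory for the example; in practice generate it from your account list.
SPOKES="${SPOKES:-spoke-account vpc-0123456789abcdef0
spoke-account-2 vpc-0fedcba9876543210}"

if [ "${1:-}" = "--run" ]; then
  printf '%s\n' "$SPOKES" | while read -r _p _v; do
    if [ -n "$_v" ]; then share_zone_with_spoke "$_p" "$_v"; fi
  done
fi
```

Note what the script does not touch: no VPC peering and no port 53 security-group rules, since, as student2020 points out further down, peering is not required to share a private hosted zone with another account. The zone owner's authorisation step is the control point; keeping it scoped to one VPC ID and deleting it immediately after the association is what stops a spoke account from attaching additional VPCs later.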
hobokabobo
2 years, 7 months ago
Selected Answer: C
A) You cannot programmatically associate VPCs in a simple way. They are AWS resources. B) same C) sure this is how it works. DNS in the central account listens on port 53 UDP. Create a peering and allow access. Go with the subnet IP of the DNS server (network IP plus 2) will resolve. D) Direct Connect: even more nonsense.
upvoted 1 times
dmscountera
2 years, 9 months ago
Selected Answer: A
Based on all comments
upvoted 1 times
AzureDP900
3 years, 7 months ago
A is perfect based on https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-dns-management-of-hybrid-cloud-with-amazon-route-53-and-aws-transit-gateway/ provided by donathon
upvoted 1 times
andylogan
3 years, 8 months ago
It's A
upvoted 1 times
WhyIronMan
3 years, 8 months ago
I'll go with A
upvoted 3 times
Waiweng
3 years, 8 months ago
A is correct
upvoted 2 times
gpark
3 years, 8 months ago
A --- B would be correct if there were a limited number of VPCs, like 2. Scenarios with more than 3 VPCs will need Transit Gateway. It would be a burden to VPC-peer all the VPCs.
upvoted 1 times
student2020
3 years, 8 months ago
VPC peering/TGW is not even required to share a PHZ with different AWS accounts
upvoted 1 times
Kian1
3 years, 8 months ago
going with A
upvoted 2 times
Ebi
3 years, 9 months ago
My answer is A
upvoted 3 times
T14102020
3 years, 9 months ago
Correct answer is A. Use shared VPC services
upvoted 1 times
jackdryan
3 years, 9 months ago
I'll go with A
upvoted 3 times
Bulti
3 years, 9 months ago
Answer is A. You need to programmatically associate the VPC in another account to the private hosted zone in a central account. https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-associate-vpcs-different-accounts.html C is similar to A in terms of how VPCs are peered, but the association of the VPC in each account to the Route 53 private hosted zone is incorrectly described.
upvoted 4 times
fullaws
3 years, 9 months ago
A is correct
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other