Exam ANS-C01
Question 79

A company has a hybrid cloud environment. The company’s data center is connected to the AWS Cloud by an AWS Direct Connect connection. The AWS environment includes VPCs that are connected together in a hub-and-spoke model by a transit gateway. The AWS environment has a transit VIF with a Direct Connect gateway for on-premises connectivity.

The company has a hybrid DNS model. The company has configured Amazon Route 53 Resolver endpoints in the hub VPC to allow bidirectional DNS traffic flow. The company is running a backend application in one of the VPCs.

The company uses a message-oriented architecture and employs Amazon Simple Queue Service (Amazon SQS) to receive messages from other applications over a private network. A network engineer wants to use an interface VPC endpoint for Amazon SQS for this architecture. Client services must be able to access the endpoint service from on premises and from multiple VPCs within the company's AWS infrastructure.

Which combination of steps should the network engineer take to ensure that the client applications can resolve DNS for the interface endpoint? (Choose three.)

    Correct Answer: A, C, F

    To ensure that client applications can resolve DNS for the interface endpoint, the network engineer should first create the interface endpoint for Amazon SQS with the option for private DNS names turned on. This will allow the interface endpoint to use the private DNS within the VPCs. Then, a private hosted zone for the SQS service (e.g., sqs.us-east-1.amazonaws.com) should be manually created and the necessary records added to point to the interface endpoint. This private hosted zone should be associated with other VPCs to ensure DNS resolution across VPCs. Finally, to access the SQS endpoint, client applications within VPCs and on-premises should use the private DNS name of the interface endpoint (e.g., <vpc endpoint name>.sqs.us-east-1.vpce.amazonaws.com), ensuring private connectivity and avoiding public internet traversal.
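As an added illustration of the layout the explanation above describes (interface endpoint with private DNS names turned on, a manually created private hosted zone with an alias record, association of that zone with the spoke VPCs, and a Route 53 Resolver inbound endpoint in the hub VPC so on-premises resolvers can forward the name), here is a Terraform sketch. It is not from the exam page or from AWS; every VPC, subnet and CIDR value is an assumed placeholder, and the security group and local names are invented for the example.

```terraform
# Added example, not from the exam page or AWS. All IDs and CIDRs are assumed.
variable "region"         { default = "us-east-1" }
variable "hub_vpc_id"     { default = "vpc-0hub0000000000000" }          # hub VPC with the endpoint
variable "hub_subnet_ids" { default = ["subnet-0hub0000a", "subnet-0hub0000b"] }
variable "spoke_vpc_ids"  { default = ["vpc-0spoke00000000001", "vpc-0spoke00000000002"] }
variable "private_cidrs"  { default = ["10.0.0.0/8"] }                   # VPC + on-prem ranges (assumed)

# One security group for the endpoint ENIs (HTTPS) and the inbound resolver (DNS).
# Only the private address space is allowed in; no 0.0.0.0/0.
resource "aws_security_group" "hub_endpoints" {
  name   = "hub-endpoints-sg"
  vpc_id = var.hub_vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = var.private_cidrs
  }
  dynamic "ingress" {
    for_each = ["tcp", "udp"]
    content {
      from_port   = 53
      to_port     = 53
      protocol    = ingress.value
      cidr_blocks = var.private_cidrs
    }
  }
}

# Interface endpoint for SQS in the hub VPC with private DNS names turned on, so the
# hub VPC itself resolves sqs.<region>.amazonaws.com to the endpoint.
resource "aws_vpc_endpoint" "sqs" {
  vpc_id              = var.hub_vpc_id
  service_name        = "com.amazonaws.${var.region}.sqs"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.hub_subnet_ids
  security_group_ids  = [aws_security_group.hub_endpoints.id]
  private_dns_enabled = true
}

locals {
  # Regional endpoint name (vpce-...sqs.<region>.vpce.amazonaws.com); skips the per-AZ
  # names and the service name entry that appears when private DNS is enabled.
  vpce_regional = [
    for e in aws_vpc_endpoint.sqs.dns_entry : e
    if startswith(e.dns_name, "vpce-") && !can(regex("-${var.region}[a-z]\\.", e.dns_name))
  ][0]
}

# Manually created private hosted zone named after the service endpoint, associated
# with the spoke VPCs (the hub VPC already resolves the name via the endpoint's private DNS).
resource "aws_route53_zone" "sqs" {
  name = "sqs.${var.region}.amazonaws.com"
  vpc {
    vpc_id = var.spoke_vpc_ids[0]
  }
  lifecycle {
    ignore_changes = [vpc] # remaining associations are managed below
  }
}

resource "aws_route53_zone_association" "spokes" {
  for_each = toset(slice(var.spoke_vpc_ids, 1, length(var.spoke_vpc_ids)))
  zone_id  = aws_route53_zone.sqs.zone_id
  vpc_id   = each.value
}

# Zone apex alias record pointing at the endpoint's regional DNS name; one record covers
# every AZ because the regional name resolves to all endpoint ENI addresses.
resource "aws_route53_record" "sqs_alias" {
  zone_id = aws_route53_zone.sqs.zone_id
  name    = "sqs.${var.region}.amazonaws.com"
  type    = "A"
  alias {
    name                   = local.vpce_regional.dns_name
    zone_id                = local.vpce_regional.hosted_zone_id
    evaluate_target_health = false
  }
}

# Inbound Resolver endpoint in the hub VPC. On-premises DNS forwards the SQS name here,
# and the query is answered as if it came from inside the hub VPC.
resource "aws_route53_resolver_endpoint" "inbound" {
  name               = "hub-inbound"
  direction          = "INBOUND"
  security_group_ids = [aws_security_group.hub_endpoints.id]
  dynamic "ip_address" {
    for_each = toset(var.hub_subnet_ids)
    content {
      subnet_id = ip_address.value
    }
  }
}
```

Two checks worth doing after `terraform apply`: every VPC involved needs `enableDnsSupport` and `enableDnsHostnames` set, or neither the endpoint's private DNS nor the private hosted zone association will take effect; and the on-premises resolver must be configured to forward only the `sqs.us-east-1.amazonaws.com` name (or a conditional forwarder for it) to the inbound endpoint addresses, so unrelated queries do not traverse Direct Connect.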

Discussion
Fati_2022 (Options: BCF)

It's internal and the access should be private, which makes F correct.

trap

That's correct aws.amazon.com/blogs/networking-and-content-delivery/centralize-access-using-vpc-interface-endpoints/

[Removed]

It should be BCE according to the article. Because we create the private hosted zone in "C" and the required records which point to the interface DNS name, we then can resolve the interface endpoint via the public endpoint URL.

6e5b127

BCE. The public DNS name will finally be resolved to the interface endpoint's private IP. Also, options B and F are indeed in conflict: if we turn off private DNS names (option B), the interface endpoint won't have a private DNS name to use, making option F impossible.

study_aws1

To access interface endpoints through other VPCs, we need to:
1. Disable private DNS for VPC endpoints
2. Create a PHZ, e.g. sqs.us-east-1.amazonaws.com
3. Create an Alias record pointing to the VPC endpoint DNS
4. Associate the PHZ with all the spoke VPCs
Hence, the answer is B), C) & E).

MarcosSantos

Hello, does option E speak about public DNS? But in this case wouldn't it be correct to use private DNS? So option F instead of E?

Certified101 (Options: BCE)

The combination of options B, C, and F would not be a correct solution to ensure that the client applications can resolve DNS for the interface endpoint. This is because option F suggests accessing the SQS endpoint by using the private DNS name of the interface endpoint .sqs.us-east-1.vpce.amazonaws.com in VPCs and on premises, which would not work if the private DNS names option is turned off (as suggested by option B). Instead, the correct combination of steps would be options B, C, and E.

FayeG (Options: ACF)

As stated in https://aws.amazon.com/blogs/networking-and-content-delivery/centralize-access-using-vpc-interface-endpoints/ To quote: snip--- We can enable the Private DNS for an interface endpoint and with that we can resolve the AWS service endpoint DNS from within the same VPC (for example, sqs.us-east-1.amazonaws.com) [this is A]. However, the AWS service endpoint does not resolve from the peered VPCs. For this, we can create a Private Hosted Zone (for example, sqs.us-east-1.amazonaws.com) [this is C] and associate it with the peered VPCs [this is F]. snip--- Hence ACF is the correct answer.

Wiss7 (Options: BCE)

Notice that in F you access via the URL record. This is only doable in the same VPC, not across VPCs and DX.

Arad (Options: BCE)

I think BCE is correct.

evargasbrz (Options: BCE)

1. Disable private DNS for VPC endpoints
2. Create a PHZ, e.g. sqs.us-east-1.amazonaws.com
3. Create an Alias record pointing to the VPC endpoint DNS
4. Associate the PHZ with all the spoke VPCs

MohamedSherif1 (Options: BCF)

Create private hosted zones if you want to access the interface endpoint sqs.us-east-1.amazonaws.com in the shared services VPC from spoke VPCs and on-premises servers.

Neo00 (Options: BCE)

Based on this post: https://aws.amazon.com/es/blogs/networking-and-content-delivery/centralized-dns-management-of-hybrid-cloud-with-amazon-route-53-and-aws-transit-gateway/

Raphaello (Options: BCF)

BCF are the correct answers. If you chose B & C, you cannot select E as the 3rd option. They do not work together. It's private access, and therefore use the private DNS name of the interface endpoint.

kyuhuck (Options: ACF)

A. This allows the interface endpoint to use the Amazon SQS private DNS name within the VPCs. It automatically creates a private hosted zone and the necessary DNS records that resolve the Amazon SQS service endpoint to the interface endpoint's IP addresses.
C. This step is necessary if you need to extend the DNS resolution to VPCs that do not have the interface endpoint created directly.
F. This ensures that all traffic to Amazon SQS from client applications, both in AWS VPCs and on premises, is routed through the interface endpoint using its private DNS name, ensuring private connectivity and not traversing the public internet.

yaaraaab1233

Public endpoint URL.

kaush4u

Option E: This is very tricky. You need an inbound endpoint set up to resolve sqs.us-east-1.amazonaws.com from on premises. From the VPC, sqs.us-east-1.amazonaws.com will resolve to the interface endpoint.

Suresh108

BCEEEEEE (why it can't have F): https://medium.com/@satyajit.samantaray/centralize-access-using-vpc-interface-endpoints-to-access-aws-services-across-multiple-vpcs-using-a586c846b48
E. Access the SQS endpoint by using the public DNS name sqs.us-east-1.amazonaws.com in VPCs and on premises. Correct, this is how other VPCs can resolve the endpoint.
F. Access the SQS endpoint by using the private DNS name of the interface endpoint .sqs.us-east-1.vpce.amazonaws.com in VPCs and on premises. It can't be resolved outside the hub VPC; the hosted zone does not have vpce.amazonaws.com, it has sqs.us-east-1.amazonaws.com.

Vogd (Options: ACF)

A. In order to get the DNS name resolvable by other VPCs' resolvers you need to have DNS names turned on.
C. There is no private zone created in the account once you create the endpoint. Go and check it out. When you create an interface endpoint you need to create the private hosted zone manually, and you would need to set up a separate ALIAS record per separate AZ.
F. If you want to access applications over a private network as stated in the task, you need to use the private hosted zone.

siiiww (Options: ACF)

Go with ACF.

johnconnor

Guys, it is BCF: "How do we resolve the DNS for AWS service endpoint from the spoke VPCs? We can enable the Private DNS for an interface endpoint and with that we can resolve the AWS service endpoint DNS from within the same VPC (for example, sqs.us-east-1.amazonaws.com). However, the AWS service endpoint does not resolve from the peered VPCs. For this, we can create a Private Hosted Zone (for example, sqs.us-east-1.amazonaws.com) and associate it with the peered VPCs."