
AWS SOA-C02 Drill: Route 53 Resolver Endpoints - Inbound vs Outbound for Hybrid DNS

Jeff Taakey
Author
21+ Year Enterprise Architect | AWS SAA/SAP & Multi-Cloud Expert.

Jeff’s Note

Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Site Reliability Engineer (SRE).

For SOA-C02 candidates, the confusion often lies in when to use inbound vs outbound Route 53 Resolver endpoints. In production, this is about knowing exactly how VPC DNS queries interact with on-premises DNS namespaces and how to securely and reliably route them. Let’s drill down.

The Certification Drill (Simulated Question)

Scenario

DiveTech Solutions runs a critical web application in a VPC configured with the default DHCP option set. The app needs to connect to an on-premises Microsoft SQL Server database identified by the DNS name sqlcorp.local. However, the application fails to resolve this DNS name to an IP address.

The Requirement:

Enable DNS resolution in the VPC so that queries for the on-premises domain sqlcorp.local resolve correctly.

The Options

  • A) Create an Amazon Route 53 Resolver inbound endpoint and add a forwarding rule for sqlcorp.local. Associate the rule with the VPC.
  • B) Create an Amazon Route 53 Resolver inbound endpoint and add a system rule for sqlcorp.local. Associate the rule with the VPC.
  • C) Create an Amazon Route 53 Resolver outbound endpoint and add a forwarding rule for sqlcorp.local. Associate the rule with the VPC.
  • D) Create an Amazon Route 53 Resolver outbound endpoint and add a system rule for sqlcorp.local. Associate the rule with the VPC.


Correct Answer

C

Quick Insight: The SysOps Imperative

  • This exam question tests your understanding that Route 53 Resolver outbound endpoints are used to forward DNS queries from a VPC to external DNS servers (such as on-premises).
  • Inbound endpoints are used for DNS queries that originate on-premises but need to be resolved in the VPC (opposite flow).
  • System rules are AWS-managed public suffix rules and are not relevant here; forwarding rules for private domains must be created.


The Expert’s Analysis

Correct Answer

Option C

The Winning Logic

This scenario requires the VPC’s DNS resolver to forward queries for the on-premises domain (sqlcorp.local) to the corporate on-prem DNS servers. This outgoing DNS query flow from AWS to on-premises requires a Route 53 Resolver outbound endpoint configured in the VPC. The forwarding rule for the private on-prem domain (sqlcorp.local) is associated with this outbound endpoint and the VPC, thus enabling resolution of on-prem DNS names from AWS.

  • Inbound endpoints serve the opposite purpose: allowing DNS queries from your on-premises network to be answered by AWS Route 53 Resolver inside a VPC (such as for AWS private hosted zones). This is not the direction required for this application resolving an on-prem name from inside the VPC.
  • System rules are predefined AWS public DNS rules, which do not apply to a private on-prem domain and cannot be customized.
  • Forwarding rules must be created here to route the queries properly to on-prem DNS servers via the outbound endpoint.

The Trap (Distractor Analysis):

  • Why not A or B? Both create inbound endpoints, wrongly assuming the DNS queries originate externally and need to be resolved by AWS inside the VPC. Here the queries originate inside the VPC and must be resolved externally, so inbound endpoints do not solve the issue.
  • Why not D? System rules do not allow custom routing for private domains like sqlcorp.local, so the rule has no effect. Whether system rules are paired with inbound or outbound endpoints depending on direction, they do not help for this use case.
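To make the rule-selection logic behind the four options concrete, here is an added Python model (it is not code from the original post or from AWS). It implements the documented precedence Route 53 Resolver applies to the rules associated with a VPC: the rule whose domain name is the longest suffix match of the query name wins; a FORWARD rule sends the query to its target IPs through an OUTBOUND endpoint, while a SYSTEM rule makes Resolver answer the name itself (private hosted zones, then public DNS) instead of forwarding. The endpoint and rule IDs are constructed placeholders; the on-prem DNS targets are the ones used in this note.

```python
"""Rule selection as Route 53 Resolver applies it to queries leaving a VPC.

Added study example; not code from the original post or from AWS.
Endpoint and rule IDs are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Endpoint:
    endpoint_id: str
    direction: str  # "INBOUND" or "OUTBOUND"


@dataclass
class Rule:
    rule_id: str
    domain_name: str
    rule_type: str  # "FORWARD" or "SYSTEM"
    target_ips: List[str] = field(default_factory=list)
    endpoint_id: Optional[str] = None  # only meaningful for FORWARD rules


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def rule_matches(rule_domain: str, qname: str) -> bool:
    """True when rule_domain equals qname or is a label-wise parent of it."""
    rd, qn = _labels(rule_domain), _labels(qname)
    return len(rd) <= len(qn) and qn[-len(rd):] == rd


def select_rule(rules: List[Rule], qname: str) -> Optional[Rule]:
    """The most specific (longest) matching domain name wins, as in Resolver."""
    candidates = [r for r in rules if rule_matches(r.domain_name, qname)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: len(_labels(r.domain_name)))


def resolve_path(qname: str, rules: List[Rule], endpoints: Dict[str, Endpoint]) -> dict:
    """Describe where a query from the VPC goes under the given rules."""
    rule = select_rule(rules, qname)
    if rule is None or rule.rule_type == "SYSTEM":
        # No forwarding: Resolver answers from private hosted zones / public DNS.
        # For an on-prem-only name such as sqlcorp.local that ends in NXDOMAIN.
        return {"action": "RESOLVER_DEFAULT", "rule": rule.rule_id if rule else None, "targets": []}
    endpoint = endpoints.get(rule.endpoint_id or "")
    if endpoint is None or endpoint.direction != "OUTBOUND":
        # The real API rejects a FORWARD rule that names an inbound endpoint;
        # modelled here as a misconfiguration so Options A/B can be compared.
        return {"action": "MISCONFIGURED", "rule": rule.rule_id, "targets": []}
    return {"action": "FORWARD", "rule": rule.rule_id, "endpoint": endpoint.endpoint_id,
            "targets": list(rule.target_ips)}


# Constructed endpoints (placeholder IDs) and the on-prem DNS targets from the note.
ENDPOINTS = {
    "rslvr-in-EXAMPLE": Endpoint("rslvr-in-EXAMPLE", "INBOUND"),
    "rslvr-out-EXAMPLE": Endpoint("rslvr-out-EXAMPLE", "OUTBOUND"),
}
ONPREM_DNS = ["10.0.10.5", "10.0.10.6"]


def option_rules(option: str) -> List[Rule]:
    """Rule set each answer option (A-D) would leave associated with the VPC."""
    endpoint_id = "rslvr-in-EXAMPLE" if option in ("A", "B") else "rslvr-out-EXAMPLE"
    if option in ("A", "C"):
        return [Rule("rslvr-rr-fwd", "sqlcorp.local", "FORWARD", ONPREM_DNS, endpoint_id)]
    return [Rule("rslvr-rr-sys", "sqlcorp.local", "SYSTEM")]


def evaluate_option(option: str, qname: str = "sqlcorp.local") -> str:
    """Outcome of a VPC query for qname under the option's configuration."""
    return resolve_path(qname, option_rules(option), ENDPOINTS)["action"]


if __name__ == "__main__":
    for opt in "ABCD":
        print(opt, evaluate_option(opt))
    # Precedence: a SYSTEM rule for a subdomain carves it out of a broader FORWARD rule.
    mixed = option_rules("C") + [Rule("rslvr-rr-carve", "lab.sqlcorp.local", "SYSTEM")]
    print(resolve_path("db01.sqlcorp.local", mixed, ENDPOINTS)["action"])
    print(resolve_path("host.lab.sqlcorp.local", mixed, ENDPOINTS)["action"])
```

Running it prints FORWARD only for Option C; Options B and D fall through to Resolver's default behaviour, and Option A is a misconfiguration the real API would refuse at rule-creation time. The last two lines show the precedence rule in the other direction: a system rule for lab.sqlcorp.local wins over the forwarding rule for sqlcorp.local, so that subdomain is answered by Resolver itself while everything else under sqlcorp.local is still forwarded on-prem.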

The Technical Blueprint

# Example AWS CLI snippet to create an outbound endpoint.
# create-resolver-endpoint has no --vpc-id parameter: the VPC is implied by the
# subnets listed in --ip-addresses. Resolver requires at least two IP addresses,
# ideally in subnets in different Availability Zones (placeholder subnet IDs).
# --creator-request-id is required and makes the call idempotent on retry.
# The security group must allow egress on UDP/53 and TCP/53 to the on-prem DNS IPs.
aws route53resolver create-resolver-endpoint \
    --creator-request-id outbound-endpoint-1 \
    --name OutboundEndpointToOnPrem \
    --direction OUTBOUND \
    --security-group-ids sg-12345678 \
    --ip-addresses SubnetId=subnet-abcde1234 SubnetId=subnet-abcde5678
# The response carries the endpoint Id (rslvr-out-...), which the rule below needs.

# Create a forwarding rule for sqlcorp.local pointing to on-prem DNS IPs.
# A FORWARD rule must reference the outbound endpoint that carries the queries
# (placeholder endpoint ID). Port defaults to 53 for each target.
aws route53resolver create-resolver-rule \
    --creator-request-id unique-string-1 \
    --domain-name sqlcorp.local \
    --rule-type FORWARD \
    --name OnPremForwardingRule \
    --resolver-endpoint-id rslvr-out-abcdefgh \
    --target-ips Ip=10.0.10.5 Ip=10.0.10.6

# Associate the rule with the VPC (rule Id comes from the create-resolver-rule response)
aws route53resolver associate-resolver-rule \
    --resolver-rule-id rslvr-rr-abcdefgh \
    --vpc-id vpc-12345678

The Comparative Analysis

Option | Operational Overhead | Automation Level | Impact on DNS Resolution
------ | -------------------- | ---------------- | ------------------------
A      | Medium               | Moderate         | No effect; inbound endpoint not used for outgoing queries
B      | Medium               | Moderate         | No effect; system rules cannot forward private domain queries
C      | Low                  | High             | Correct: forwards VPC DNS queries to on-prem DNS
D      | Low                  | Moderate         | No effect; system rules irrelevant here

Real-World Application (Practitioner Insight)

Exam Rule

For the exam, always pick a Route 53 Resolver outbound endpoint with forwarding rules when you need your VPC to resolve on-premises or external private DNS domains.

Real World

Sometimes hybrid DNS setups involve VPN or Direct Connect and require additional VPC DHCP option set customizations or firewall changes to allow DNS flow. But the fundamental DNS resolver endpoint direction and rules remain as shown here.
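The Technical Blueprint creates the endpoint, rule and association; the items this section mentions (DHCP option set, firewall and VPN/Direct Connect routing) are what usually breaks resolution once those exist. The following added pre-flight checker is an example written for this note, not code from the original post or from AWS. It takes a simplified, constructed snapshot of the VPC DNS attribute, DHCP option set, endpoint security group, subnet route table, endpoint and forwarding rule, and reports the misconfigurations that leave sqlcorp.local unresolvable. The dict layout, IDs and CIDRs are this example's own assumptions, not boto3 response shapes; the VPC CIDR is chosen as 172.16.0.0/16 so that it does not overlap the on-prem 10.0.10.x DNS servers.

```python
"""Pre-flight checks for an outbound-endpoint hybrid DNS setup.

Added study example; not code from the original post or from AWS.
The config dicts are constructed stand-ins with this example's own field
names, not AWS API response shapes. All IDs are placeholders.
"""
import copy
import ipaddress
from typing import List


def _covers(cidr: str, ip: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _egress_allows_dns(sg_rules: List[dict], target: str) -> bool:
    """The outbound endpoint must reach each target on both UDP/53 and TCP/53."""
    allowed = set()
    for r in sg_rules:
        if not (r["from_port"] <= 53 <= r["to_port"]):
            continue
        if not any(_covers(c, target) for c in r["cidrs"]):
            continue
        allowed.update(("udp", "tcp") if r["protocol"] == "-1" else (r["protocol"],))
    return {"udp", "tcp"} <= allowed


def check_hybrid_dns(cfg: dict) -> List[str]:
    """Return a list of findings; an empty list means the setup looks sound."""
    findings = []
    if not cfg["vpc"]["enable_dns_support"]:
        findings.append("enableDnsSupport is false: the Amazon-provided resolver is disabled")
    # Custom DHCP options that point instances straight at other DNS servers make
    # them bypass Route 53 Resolver, so endpoints and rules are never consulted.
    if "AmazonProvidedDNS" not in cfg["dhcp_options"]["domain_name_servers"]:
        findings.append("DHCP option set does not hand out AmazonProvidedDNS: "
                        "instances bypass Route 53 Resolver and its rules")
    ep = cfg["endpoint"]
    if ep["direction"] != "OUTBOUND":
        findings.append("endpoint direction is %s; VPC-to-on-prem forwarding needs OUTBOUND" % ep["direction"])
    if len(ep["ip_addresses"]) < 2:
        findings.append("endpoint has fewer than two IP addresses (Resolver requires two)")
    elif len({ip["az"] for ip in ep["ip_addresses"]}) < 2:
        findings.append("endpoint IPs share one Availability Zone; spread them for resilience")
    rule = cfg["rule"]
    if rule["rule_type"] != "FORWARD":
        findings.append("rule type %s cannot forward a private domain; use FORWARD" % rule["rule_type"])
    if rule["resolver_endpoint_id"] != ep["id"]:
        findings.append("rule references endpoint %s, not %s" % (rule["resolver_endpoint_id"], ep["id"]))
    if cfg["vpc"]["id"] not in rule["associated_vpcs"]:
        findings.append("rule is not associated with VPC %s" % cfg["vpc"]["id"])
    for target in rule["target_ips"]:
        if not _egress_allows_dns(cfg["security_group"]["egress"], target):
            findings.append("security group egress does not allow UDP+TCP 53 to %s" % target)
        if not any(_covers(r["destination"], target) for r in cfg["route_table"]["routes"]):
            findings.append("no route to on-prem DNS %s (VPN/Direct Connect route missing)" % target)
    return findings


# Constructed, known-good snapshot (placeholder IDs; VPC CIDR chosen not to overlap on-prem).
GOOD_CONFIG = {
    "vpc": {"id": "vpc-12345678", "cidr": "172.16.0.0/16", "enable_dns_support": True},
    "dhcp_options": {"domain_name_servers": ["AmazonProvidedDNS"]},
    "endpoint": {"id": "rslvr-out-EXAMPLE", "direction": "OUTBOUND",
                 "ip_addresses": [{"subnet": "subnet-a", "az": "us-east-1a", "ip": "172.16.1.10"},
                                  {"subnet": "subnet-b", "az": "us-east-1b", "ip": "172.16.2.10"}]},
    "security_group": {"egress": [
        {"protocol": "udp", "from_port": 53, "to_port": 53, "cidrs": ["10.0.10.0/24"]},
        {"protocol": "tcp", "from_port": 53, "to_port": 53, "cidrs": ["10.0.10.0/24"]},
    ]},
    "route_table": {"routes": [{"destination": "172.16.0.0/16", "target": "local"},
                               {"destination": "10.0.0.0/8", "target": "vgw-EXAMPLE"}]},
    "rule": {"id": "rslvr-rr-EXAMPLE", "domain_name": "sqlcorp.local", "rule_type": "FORWARD",
             "resolver_endpoint_id": "rslvr-out-EXAMPLE", "target_ips": ["10.0.10.5", "10.0.10.6"],
             "associated_vpcs": ["vpc-12345678"]},
}


def broken_config() -> dict:
    """The same setup with two common real-world mistakes introduced."""
    cfg = copy.deepcopy(GOOD_CONFIG)
    cfg["dhcp_options"]["domain_name_servers"] = ["10.0.10.5"]        # custom DHCP options, bypassing Resolver
    cfg["security_group"]["egress"] = [cfg["security_group"]["egress"][0]]  # TCP/53 egress dropped
    return cfg


if __name__ == "__main__":
    print("good:", check_hybrid_dns(GOOD_CONFIG))
    for f in check_hybrid_dns(broken_config()):
        print("broken:", f)
```

The broken variant shows why "the endpoint and rule exist" is not the end of the troubleshooting: a DHCP option set that points instances directly at on-prem resolvers takes Route 53 Resolver out of the path entirely, and a security group that forgets TCP/53 makes large responses (and zone transfers or DNSSEC-sized answers that fall back to TCP) fail while small UDP lookups still work.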



Disclaimer

This is a study note based on simulated scenarios for the SOA-C02 exam.

The DevPro Network: Mission and Founder

A 21-Year Tech Leadership Journey

Jeff Taakey has driven complex systems for over two decades, serving in pivotal roles as an Architect, Technical Director, and startup Co-founder/CTO.

He holds both an MBA degree and a Computer Science Master's degree from an English-speaking university in Hong Kong. His expertise is further backed by multiple international certifications including TOGAF, PMP, ITIL, and AWS SAA.

His experience spans diverse sectors and includes leading large, multidisciplinary teams (up to 86 people). He has also served as a Development Team Lead while cooperating with global teams spanning North America, Europe, and Asia-Pacific. He has spearheaded the design of an industry cloud platform. This work was often conducted within global Fortune 500 environments like IBM, Citi and Panasonic.

Following a recent Master’s degree from an English-speaking university in Hong Kong, he launched this platform to share advanced, practical technical knowledge with the global developer community.


About This Site: AWS.CertDevPro.com


AWS.CertDevPro.com focuses exclusively on mastering the Amazon Web Services ecosystem. We transform raw practice questions into strategic Decision Matrices. Led by Jeff Taakey (MBA & 21-year veteran of IBM/Citi), we provide the exclusive SAA and SAP Master Packs designed to move your cloud expertise from certification-ready to project-ready.