Inbound | Outbound Resolver Answer
Kenneth-Samonte-Tutorials-Dojo updated 3 years, 1 month ago · 3 Members · 4 Posts
Hi, I was doing the final test directly and got 5 questions wrong. One of the questions is attached below. My understanding is that to get instances in your VPC to query an AD directory which is outside the VPC, you need an outbound forwarding rule; the explanation is clearly documented here: https://aws.amazon.com/premiumsupport/knowledge-center/route53-resolve-with-outbound-endpoint/. It’s not an on-premises AD here, but an AD deployed outside the VPC vs. the VPC that has the resources. Can you please clarify? I still think what I selected is correct.
-
The answer is definitely Outbound Resolver instead of Inbound Resolver, as this scenario states that EC2 instances within the VPC are unable to resolve the private endpoint addresses.
-
Hello kiran-ballari,
Thank you for your feedback.
We can see the difference between an inbound endpoint and an outbound endpoint in this AWS doc: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html
Inbound endpoint: DNS resolvers on your network can forward DNS queries to Route 53 Resolver via this endpoint
This allows your DNS resolvers to easily resolve domain names for AWS resources such as EC2 instances or records in a Route 53 private hosted zone.
Outbound endpoint: Resolver conditionally forwards queries to resolvers on your network via this endpoint
To forward selected queries, you create Resolver rules that specify the domain names for the DNS queries that you want to forward (such as example.com), and the IP addresses of the DNS resolvers on your network that you want to forward the queries to. If a query matches multiple rules (example.com, acme.example.com), Resolver chooses the rule with the most specific match (acme.example.com) and forwards the query to the IP addresses that you specified in that rule.
In this scenario, EC2 instances within the VPC are unable to resolve the private endpoint addresses.
Let’s investigate the scenario further, starting with this statement in the question: The Solutions Architect configured the two domain controllers as the DHCP options set associated with the VPC.
We can conclude that the solutions architect is configuring a custom AD server / DNS server inside the VPC on AWS. Usually, when you deploy your own AD server/DHCP server, there will be two servers for redundancy.
Since the solutions architect is planning to use their own custom DNS server (and not AWS), you will not be able to resolve internal AWS domains such as names for EC2 instances (ec2-192-0-2-44.compute-1.amazonaws.com) or RDS endpoints (myexampledb.a1b2c3d4wxyz.us-west-2.rds.amazonaws.com).
Therefore, in this scenario, all clients should just forward all DNS queries to the AD server. Then the AD server will forward any non-authoritative DNS queries to the VPC resolver.
First, the AD server will try to resolve all DNS queries by itself. Then if it encounters anything that it is not familiar with, like names for EC2 instances (ec2-192-0-2-44.compute-1.amazonaws.com) or RDS endpoints (myexampledb.a1b2c3d4wxyz.us-west-2.rds.amazonaws.com), it will send it to the R53 resolver.
This situation, in essence, feels like an on-premises AD, but the instances are just inside the VPC.
Hope this helps.
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!
Regards,
Kenneth Samonte @ Tutorials Dojo
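As an added illustration (not code from the thread, AWS, or Tutorials Dojo), the following Python model shows the two behaviours the reply above relies on: Resolver rules are matched as DNS suffixes with the most specific rule winning, and any query that matches no forwarding rule falls through to the VPC's own Route 53 Resolver. The rule domains, the domain-controller addresses (10.0.1.10, 10.0.2.10, 10.0.3.10) and the VPC resolver address (10.0.0.2) are constructed sample values; the function names are this example's own.

```python
"""Toy model of Route 53 Resolver rule selection (added example, not AWS code).

Assumptions (labelled): a rule matches a query when the rule's domain is a
label-wise suffix of the query name, the matching rule with the most labels
wins, and a query matching no rule is answered by the VPC's Route 53 Resolver
(the ".2" address of the VPC CIDR).  All addresses below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

VPC_RESOLVER = "10.0.0.2"  # constructed: VPC CIDR 10.0.0.0/16, base + 2


@dataclass(frozen=True)
class ForwardingRule:
    domain: str               # e.g. "example.com"
    targets: Tuple[str, ...]  # DNS servers the query is forwarded to


# Constructed sample rules: the two domain controllers serve example.com,
# while a more specific rule sends acme.example.com to a third server.
RULES: List[ForwardingRule] = [
    ForwardingRule("example.com", ("10.0.1.10", "10.0.2.10")),
    ForwardingRule("acme.example.com", ("10.0.3.10",)),
]


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def rule_matches(rule: ForwardingRule, query: str) -> bool:
    """True if the rule domain is a label-wise suffix of the query.

    Comparing whole labels (not raw string suffixes) is the edge case that
    matters: "notexample.com" must NOT match a rule for "example.com".
    """
    q, d = _labels(query), _labels(rule.domain)
    return len(q) >= len(d) and q[-len(d):] == d


def select_rule(rules: List[ForwardingRule], query: str) -> Optional[ForwardingRule]:
    """Return the most specific matching rule, or None if nothing matches."""
    matching = [r for r in rules if rule_matches(r, query)]
    if not matching:
        return None
    return max(matching, key=lambda r: len(_labels(r.domain)))


def resolve_target(rules: List[ForwardingRule], query: str) -> Tuple[str, Tuple[str, ...]]:
    """Decide where a query goes: a forwarding rule, or the VPC resolver."""
    rule = select_rule(rules, query)
    if rule is None:
        return ("route53-resolver", (VPC_RESOLVER,))
    return ("forward:" + rule.domain, rule.targets)


if __name__ == "__main__":
    for name in [
        "acme.example.com",
        "host.example.com",
        "notexample.com",
        "ec2-192-0-2-44.compute-1.amazonaws.com",
    ]:
        where, ips = resolve_target(RULES, name)
        print(f"{name:45} -> {where} {ips}")
```

Running the block shows acme.example.com going to the more specific rule, host.example.com to the two domain controllers, and the EC2 hostname (as well as the look-alike notexample.com) falling through to the VPC resolver, which is exactly the "AD first, then Route 53 Resolver for anything it does not own" flow described in the reply.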