Reply To: Route 53 resolve endpoints (AWS Certified Solutions Architect Professional forum)
Hello khawaja,
Thank you for your feedback.
We can see the difference between an inbound endpoint and an outbound endpoint in this AWS doc: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html
Inbound endpoint: DNS resolvers on your network can forward DNS queries to Route 53 Resolver via this endpoint
This allows your DNS resolvers to easily resolve domain names for AWS resources such as EC2 instances or records in a Route 53 private hosted zone.
Outbound endpoint: Resolver conditionally forwards queries to resolvers on your network via this endpoint
To forward selected queries, you create Resolver rules that specify the domain names for the DNS queries that you want to forward (such as example.com), and the IP addresses of the DNS resolvers on your network that you want to forward the queries to. If a query matches multiple rules (example.com, acme.example.com), Resolver chooses the rule with the most specific match (acme.example.com) and forwards the query to the IP addresses that you specified in that rule.
In this scenario, EC2 instances within the VPC are unable to resolve the private endpoint addresses.
Let's further investigate the scenario. Consider this statement in the question: The Solutions Architect configured the two domain controllers as the DHCP options set associated with the VPC.
– we can conclude that the solutions architect is configuring a custom AD server / DNS server inside the VPC on AWS. Usually, when you deploy your own AD server/DHCP server, there will be two servers for redundancy.
Since the solutions architect is planning to use their own custom DNS server (and not AWS's), you will not be able to resolve internal AWS domains such as names for EC2 instances (ec2-192-0-2-44.compute-1.amazonaws.com) or RDS endpoints (myexampledb.a1b2c3d4wxyz.us-west-2.rds.amazonaws.com).
Therefore, in this scenario, all clients should just forward all DNS queries to the AD server. Then the AD server will forward any non-authoritative DNS queries to the VPC resolver.
First, the AD server will try to resolve all DNS queries by itself. Then if it encounters anything that it is not familiar with, like names for EC2 instances (ec2-192-0-2-44.compute-1.amazonaws.com) or RDS endpoints (myexampledb.a1b2c3d4wxyz.us-west-2.rds.amazonaws.com), it will send it to the R53 resolver.
Therefore, we will be using an Inbound Endpoint.
Hope this helps.
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!
Regards,
Kenneth Samonte @ Tutorials Dojo