A company has an Amazon VPC with a CIDR block of 10.0.0.0/16 and an AWS Site-to-Site VPN connection to an on-premises data center. The on-premises DNS servers host a private domain 'corp.example.com'. The SysOps administrator needs to enable EC2 instances in the VPC to resolve DNS names for 'corp.example.com' using the on-premises DNS servers. Which Route 53 feature should be configured?
Route 53 Resolver outbound endpoints, with a forwarding rule for the specified domain name, forward DNS queries from the VPC to the on-premises DNS servers.
Why this answer
Option B is correct because Route 53 Resolver outbound endpoints allow EC2 instances in a VPC to forward DNS queries for a specific domain (e.g., corp.example.com) to on-premises DNS servers via the Site-to-Site VPN connection. By creating a forwarding rule on the outbound endpoint, DNS queries for corp.example.com are sent to the on-premises DNS resolvers, enabling resolution of private DNS names without exposing the VPC to inbound traffic.
Exam trap
The trap here is that candidates often confuse inbound and outbound endpoints. Inbound endpoints let on-premises resolvers query AWS DNS; outbound endpoints let AWS resolve names through on-premises DNS. The question specifically requires EC2 instances to resolve on-premises names, which is an outbound scenario.
How to eliminate wrong answers
Option A is wrong because Route 53 Resolver inbound endpoints are used to allow on-premises DNS resolvers to forward queries to Route 53 Resolver in the VPC, not for EC2 instances to query on-premises DNS servers. Option C is wrong because VPC peering is used to connect VPCs within AWS, not to connect a VPC to an on-premises network; the VPN connection already provides the network path, and peering does not enable DNS resolution across the VPN. Option D is wrong because a Route 53 private hosted zone for corp.example.com would require the domain to be hosted in Route 53, but the question states the domain is hosted on on-premises DNS servers; a private hosted zone would not forward queries to on-premises resolvers.