Exam Cram Sheet
AWS ANS-C01 Cram Sheet: Hybrid & Multi-Account DNS
Implement complex hybrid and multi-account DNS architectures
AWS Certified Advanced Networking Specialty (ANS-C01): Hybrid & Multi-Account DNS
This cram sheet focuses on the implementation of complex DNS architectures, specifically focusing on Route 53 Resolver, cross-account Private Hosted Zone (PHZ) sharing, and DNSSEC.
Topic Weighting
| Domain | Task | Exam Weight (Approx) |
|---|---|---|
| Domain 2: Network Implementation | 2.3 Implement complex hybrid/multi-account DNS | 8-10% of total exam |
> [!IMPORTANT]
> This topic is high-yield. You must understand the directionality of traffic for Resolver Endpoints and the specific CLI/Console steps for cross-account PHZ association.
Key Concepts Summary
1. Route 53 Resolver Endpoints
- Inbound Endpoints: Allow on-premises DNS servers to resolve names in AWS PHZs. They provide IP addresses in your VPC that on-premises forwarders target.
- Outbound Endpoints: Allow EC2 instances/AWS resources to resolve on-premises DNS names. They use Resolver Rules to forward queries to on-premises DNS IPs.
- Rules: Defined at the Region level and associated with VPCs. Use AWS RAM to share these rules across accounts.
2. Private Hosted Zones (PHZ) & Cross-Account Sharing
- A PHZ is associated with one or more VPCs.
- To share a PHZ with a VPC in Account B from Account A:
  - Account A: Create a VPC association authorization for Account B's VPC (CLI: `create-vpc-association-authorization`).
  - Account B: Associate its VPC with the hosted zone (CLI: `associate-vpc-with-hosted-zone`).
3. DNSSEC
- Provides origin authentication and integrity. Does NOT provide confidentiality (encryption).
- Key Records:
  - RRSIG: Cryptographic signature for a record set.
  - DNSKEY: The public key used to verify the RRSIG.
  - DS (Delegation Signer): Record in the parent zone to verify the child's DNSKEY.
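To make the RRSIG/DNSKEY/DS relationship concrete, here is an added example (not from the cram sheet) that builds the DS record a parent zone publishes for a child's DNSKEY and then performs the check a validating resolver makes: key tag per RFC 4034 Appendix B, and DS digest = hash(owner name in wire form | DNSKEY RDATA) with SHA-256 (digest type 2, RFC 4509). The owner name, flags and the four-byte "public key" are constructed placeholders, not a real key.

```python
"""DNSSEC key tag and DS record computation (added example, not from the cram sheet).

Shows how the DS record in the parent zone is derived from the child's DNSKEY
(RFC 4034 Appendix B key tag; DS digest = hash(owner wire name | DNSKEY RDATA),
RFC 4034 s5.1.4 with SHA-256 per RFC 4509). The key bytes below are constructed
and are not a real key.
"""
import hashlib
import struct

DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: the key tag is a 16-bit checksum over the DNSKEY RDATA."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest over the owner name (wire form) followed by the DNSKEY RDATA."""
    return DIGEST_ALGOS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner, flags, protocol, algorithm, public_key, digest_type=2) -> dict:
    """Build the DS record fields a parent zone would publish for this child DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}


def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, public_key) -> bool:
    """Validator's check: does the parent's DS vouch for this DNSKEY? A swapped key fails here."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return (ds["key_tag"] == key_tag(rdata)
            and ds["algorithm"] == algorithm
            and ds["digest"] == ds_digest(owner, rdata, ds["digest_type"]))


# Constructed demo values: a KSK (flags 257 = ZONE + SEP), protocol 3, algorithm 13
# (ECDSAP256SHA256), with a placeholder 4-byte "public key" that is not a real key.
DEMO_OWNER = "example.com."
DEMO_FLAGS, DEMO_PROTOCOL, DEMO_ALGORITHM = 257, 3, 13
DEMO_PUBLIC_KEY = bytes.fromhex("01020304")
DEMO_DS = make_ds(DEMO_OWNER, DEMO_FLAGS, DEMO_PROTOCOL, DEMO_ALGORITHM, DEMO_PUBLIC_KEY)

if __name__ == "__main__":
    print("DS record: key_tag=%(key_tag)d alg=%(algorithm)d digest_type=%(digest_type)d %(digest)s" % DEMO_DS)
    print("matches real key:", ds_matches_dnskey(DEMO_DS, DEMO_OWNER, 257, 3, 13, DEMO_PUBLIC_KEY))
    print("matches swapped key:", ds_matches_dnskey(DEMO_DS, DEMO_OWNER, 257, 3, 13, bytes.fromhex("01020305")))
```

The point for the exam: the DS gives the parent a way to vouch for the child's key (integrity and origin), but nothing in this chain is encrypted, which is why DNSSEC provides no confidentiality. Changing a single byte of the DNSKEY changes both the key tag and the digest, so the parent's DS no longer matches.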
Visual Anchors
- Hybrid DNS Flow (diagram)
- Multi-Account PHZ Association Logic (diagram)
Formula / Equation Sheet
| Component | Requirement / Constraint |
|---|---|
| Endpoint IPs | Minimum of 2 IPs in different Availability Zones for HA. |
| Recursive Queries | Route 53 Resolver handles up to 10,000 queries per second per IP. |
| Security Groups | Inbound/Outbound Endpoints require SG rules allowing UDP/TCP port 53. |
| Resolver Rules | Maximum of 1,000 rules per VPC. |
Common Pitfalls
- ❌ The "Double NAT" Trap: Don't assume Transit Gateway (TGW) handles DNS by default. TGW provides the path, but Resolver Endpoints provide the logic.
- ❌ PHZ vs Public: If a PHZ and Public zone have the same name (split-view), the VPC will always prioritize the PHZ record if it exists.
- ❌ RAM Sharing: Sharing a VPC via RAM does NOT automatically share its PHZ associations. You must perform the CLI association steps separately.
- ❌ DNSSEC Limitation: DNSSEC signing is supported for Public Hosted Zones, but as of now Private Hosted Zones have only limited support, and there is no external chain of trust to validate a private zone against.
Mnemonics / Memory Triggers
- R.O.I. (Resolver Outbound/Inbound):
- Outbound = Out to On-prem.
- Inbound = In from On-prem.
- R.A.M. (Resource Access Manager): Use it to Reach Across Multi-accounts for Resolver Rules.
- A-A (Authorize-Associate): The two-step dance for cross-account PHZs.
Worked Examples
Scenario: Configuring Hybrid Resolution for corp.internal
Goal: Instances in AWS VPC (10.0.0.0/16) must resolve db.corp.internal hosted on-premises (172.16.0.10).
- Create Outbound Endpoint: In the AWS Console, navigate to Route 53 > Outbound Endpoints. Assign it to the VPC and select two subnets/AZs.
- Configure Security Group: Ensure the Endpoint's SG allows outbound traffic to `172.16.0.10` on port 53 (UDP/TCP).
- Create Resolver Rule:
  - Rule Type: Forward.
  - Domain Name: `corp.internal`.
  - Target IPs: `172.16.0.10`.
  - VPC Association: Associate this rule with your application VPC.
- Verification: Run `dig db.corp.internal` from an EC2 instance. The query travels: EC2 → Resolver → Outbound Endpoint → Direct Connect/VPN → On-prem DNS.
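The rule-selection step in the scenario above, and the Resolver Rules and Endpoint HA constraints from the Key Concepts and Formula sheet, modelled as an added example (this is not AWS code and not part of the cram sheet). It assumes Resolver picks the most specific rule by whole-label suffix match, that the autodefined "." Internet Resolver rule and any SYSTEM rule hand the query back to Route 53 Resolver itself (PHZ first, then public DNS), and that the rule set and IPs are constructed for the demo. It goes one step beyond the scenario by adding a SYSTEM rule for a sub-domain, the standard way to keep `aws.corp.internal` inside a PHZ while `corp.internal` is forwarded on-premises.

```python
"""Model of how Route 53 Resolver picks a rule for a query (added example, not AWS code).

Assumptions: rule selection is by most-specific (longest) whole-label suffix match;
the autodefined "." rule and SYSTEM rules return the query to Route 53 Resolver
(PHZs, then public DNS); rules and IPs below are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ResolverRule:
    domain: str                       # rule domain, e.g. "corp.internal", or "." for the default rule
    rule_type: str                    # "FORWARD" (to target_ips via the Outbound Endpoint), "SYSTEM", "RECURSIVE"
    target_ips: Tuple[str, ...] = ()  # on-premises DNS servers; only meaningful for FORWARD rules


def labels(name: str) -> List[str]:
    """Split a DNS name into lowercase labels; the root "." yields no labels."""
    return [l for l in name.rstrip(".").lower().split(".") if l]


def rule_matches(rule: ResolverRule, qname: str) -> bool:
    """A rule matches when its labels are a whole-label suffix of the query name
    ("corp.internal" matches "db.corp.internal" but not "notcorp.internal")."""
    r, q = labels(rule.domain), labels(qname)
    return len(q) >= len(r) and q[len(q) - len(r):] == r


def select_rule(rules: Iterable[ResolverRule], qname: str) -> Optional[ResolverRule]:
    """The most specific matching rule wins (more labels = more specific)."""
    matching = [r for r in rules if rule_matches(r, qname)]
    return max(matching, key=lambda r: len(labels(r.domain)), default=None)


def resolve_path(rules: Iterable[ResolverRule], qname: str) -> Tuple[str, Tuple[str, ...]]:
    """("FORWARD", target_ips) when a forward rule wins, else ("RESOLVER", ())
    meaning Route 53 Resolver answers itself (PHZ if one matches, otherwise public DNS)."""
    rule = select_rule(rules, qname)
    if rule is None or rule.rule_type != "FORWARD":
        return ("RESOLVER", ())
    return ("FORWARD", rule.target_ips)


def endpoint_is_ha(endpoint_ips) -> bool:
    """Cram-sheet constraint: at least two endpoint IPs, spread over at least two AZs.
    endpoint_ips is a list of (availability_zone, ip) pairs."""
    azs = {az for az, _ip in endpoint_ips}
    return len(endpoint_ips) >= 2 and len(azs) >= 2


# Constructed rule set for the worked scenario: corp.internal is forwarded to the
# on-premises server, except the aws.corp.internal sub-domain, which a SYSTEM rule
# keeps inside Route 53 (e.g. a PHZ associated with the VPC). "." is the autodefined
# Internet Resolver rule that every VPC has.
RULES = (
    ResolverRule(".", "RECURSIVE"),
    ResolverRule("corp.internal", "FORWARD", ("172.16.0.10",)),
    ResolverRule("aws.corp.internal", "SYSTEM"),
)

if __name__ == "__main__":
    for q in ("db.corp.internal", "app.aws.corp.internal", "example.com", "notcorp.internal"):
        print(f"{q:24} -> {resolve_path(RULES, q)}")
    print("endpoint HA:", endpoint_is_ha([("us-east-1a", "10.0.1.10"), ("us-east-1b", "10.0.2.10")]))
```

Two things to take from running it: a forward rule only matches on label boundaries, so a lookalike such as `notcorp.internal` falls through to the "." rule and goes to public DNS rather than on-premises; and the more specific SYSTEM rule beats the broader FORWARD rule, which is the mechanism behind keeping an AWS-hosted sub-domain out of the on-premises forwarding path.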
Practice Set
- Scenario: You have 50 AWS accounts. You want all VPCs to use a centralized set of DNS forwarding rules to your on-premises data center. What is the most operationally efficient way to achieve this?
- Answer: Create the Resolver Outbound Endpoint and Rules in a Central Network Account, then use AWS RAM to share the Rules with the AWS Organization.
- Scenario: An on-premises client cannot resolve `service.internal` (a PHZ in AWS). You have an Inbound Endpoint. What should you check first?
- Answer: Check if the on-premises DNS server has a conditional forwarder for `service.internal` pointing to the Inbound Endpoint IP addresses.
- Scenario: You are using the CLI to associate a PHZ in Account A with a VPC in Account B. Account A has issued the authorization. What is the specific CLI command Account B must run?
- Answer: `aws route53 associate-vpc-with-hosted-zone --hosted-zone-id <ID> --vpc VPCRegion=<Region>,VPCId=<ID>`
Fact Recall Blanks
- To share Route 53 Resolver Rules across accounts, use the service ________.
- A(n) ________ endpoint allows on-premises servers to query Route 53.
- The ________ record in DNSSEC is used to link a parent zone to a child zone's public key.
- Route 53 Resolver Endpoints require at least ________ (number) IP addresses for high availability.
- The default VPC DNS service IP is always the base of the VPC CIDR plus ________.
Answers
- AWS Resource Access Manager (RAM)
- Inbound
- DS (Delegation Signer)
- Two (2)
- Two (2) (e.g., 10.0.0.2 for a 10.0.0.0/16 VPC)