
Are AWS Certifications worth it? : AWS SA-Professional

Written by Minhyeok Cha



Today, I have worked through AWS Solutions Architect - Professional (SAP) certification exam questions with reference to the real-world console settings and architectures behind them.

 

Question 1.

A company needs to design a hybrid DNS solution. This solution uses an Amazon Route 53 private hosted zone for the cloud.example.com domain for resources in a VPC.


The company has the following DNS resolution requirements:

  • On-premises systems must be able to resolve and connect to cloud.example.com.

  • All VPCs should be able to resolve cloud.example.com.

  • There is already an AWS Direct Connect connection between the on-premises corporate network and the AWS Transit Gateway.

What architecture should the company use to meet these requirements with the best performance?



ⓐ Associate the private hosted zone with all VPCs. Create a Route 53 inbound resolver in a shared services VPC. Attach all VPCs to the transit gateway and create forwarding rules on the on-premises DNS server for cloud.example.com pointing to the inbound resolver.


ⓑ Associate the private hosted zone with all VPCs. Deploy Amazon EC2 conditional forwarders in a shared services VPC. Attach all VPCs to the transit gateway and create forwarding rules on the on-premises DNS server for cloud.example.com pointing to the conditional forwarders.


ⓒ Associate the private hosted zone with the shared services VPC. Create a Route 53 outbound resolver in the shared services VPC. Attach all VPCs to the transit gateway and create forwarding rules on the on-premises DNS server for cloud.example.com pointing to the outbound resolver.


ⓓ Associate the private hosted zone with the shared services VPC. Create a Route 53 inbound resolver in the shared services VPC. Attach the shared services VPC to the transit gateway and create forwarding rules on the on-premises DNS server for cloud.example.com pointing to the inbound resolver.



Solutions

The key to this question is how to centrally manage DNS for a hybrid cloud using AWS services. Combining the company's requirements, the answer is A. Let's examine this one by one.


Answer: A


Breaking down the DNS requirements in the question:

First, associating the private hosted zone with all VPCs is configured as follows.

[Figure: associating the private hosted zone with VPCs]

This setting lets the associated VPCs resolve names in the zone, because the private hosted zone is associated with them directly.

As shown in the blue box in the figure, to use this feature you need to set enableDnsHostnames and enableDnsSupport to true in the settings of each VPC.


Second, connect to the IP addresses of the inbound resolver endpoint over Direct Connect or VPN. This lets on-premises systems resolve and connect to cloud.example.com.


Assuming DX and VPN are already set up, implementing the Route 53 Resolver endpoint results in the following architecture.

[Figure: architecture with the Route 53 Resolver endpoint implemented, assuming DX and VPN are already in place]

In this architecture, you create inbound and outbound Resolver endpoints (each placed in a specified VPC) and, using the first method above, associate the Route 53 private hosted zone with the VPCs those endpoints serve.


Once this is done, you can verify that all VPCs (each of which must be associated separately) and the on-premises network can resolve the domain through the AWS Transit Gateway and DX (or VPN).
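As an added example that is not part of the original post, here is a CloudFormation template for the answer-A building blocks: the private hosted zone associated with the VPCs, and an inbound Resolver endpoint in the shared services VPC whose security group only accepts DNS from the on-premises range. The VPC and subnet IDs, the on-premises CIDR and the security-group rules are assumptions; the VPCs themselves must already have enableDnsSupport and enableDnsHostnames set to true.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Question 1 answer A - private hosted zone plus Route 53 inbound resolver endpoint
Parameters:
  SharedServicesVpcId:
    Type: AWS::EC2::VPC::Id          # enableDnsSupport and enableDnsHostnames must be true
  WorkloadVpcId:
    Type: AWS::EC2::VPC::Id          # same attributes required; repeat for every VPC
  ResolverSubnetIds:
    Type: List<AWS::EC2::Subnet::Id> # two subnets in the shared services VPC, different AZs
  OnPremCidr:
    Type: String
    Default: 192.0.2.0/24            # placeholder: replace with the corporate network range
Resources:
  # Only on-premises resolvers reachable over DX / Transit Gateway may query the endpoint
  ResolverSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: DNS from on-premises to the inbound resolver endpoint
      VpcId: !Ref SharedServicesVpcId
      SecurityGroupIngress:
        - IpProtocol: udp
          FromPort: 53
          ToPort: 53
          CidrIp: !Ref OnPremCidr
        - IpProtocol: tcp
          FromPort: 53
          ToPort: 53
          CidrIp: !Ref OnPremCidr
  # Private hosted zone, associated with every VPC that must resolve cloud.example.com
  CloudZone:
    Type: AWS::Route53::HostedZone
    Properties:
      Name: cloud.example.com
      VPCs:
        - VPCId: !Ref SharedServicesVpcId
          VPCRegion: !Ref AWS::Region
        - VPCId: !Ref WorkloadVpcId
          VPCRegion: !Ref AWS::Region
  # Inbound endpoint: the on-premises DNS server forwards cloud.example.com queries here
  InboundEndpoint:
    Type: AWS::Route53Resolver::ResolverEndpoint
    Properties:
      Direction: INBOUND
      Name: shared-services-inbound
      SecurityGroupIds: [!Ref ResolverSg]
      IpAddresses:
        - SubnetId: !Select [0, !Ref ResolverSubnetIds]
        - SubnetId: !Select [1, !Ref ResolverSubnetIds]
Outputs:
  InboundEndpointId:
    Value: !Ref InboundEndpoint   # its IPs: aws route53resolver list-resolver-endpoint-ip-addresses
```

The endpoint IP addresses in the output are the targets for the conditional forwarding rule on the on-premises DNS server.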



※ cf.

You can check the connection and the domain resolution with the following commands.

Confirm TCP connectivity on port 53 from the on-premises side to the inbound endpoint resolver IP address:

  • telnet <inbound endpoint resolver IP address> 53

To verify that the domain resolves, look up the domain name from the on-premises DNS server or a local host:

  • For Windows: nslookup <private hosted zone domain name>

  • For Linux or macOS: dig <private hosted zone domain name>

If the previous command returns no records, bypass the on-premises DNS server and send the query directly to the inbound resolver endpoint IP address (nslookup takes the server as a plain second argument, dig takes it after @):

  • For Windows: nslookup <private hosted zone domain name> <inbound endpoint IP address>

  • For Linux or macOS: dig <private hosted zone domain name> @<inbound endpoint IP address>

 

Question 2

A company provides weather data to multiple customers through a REST-based API. The API is hosted in Amazon API Gateway and integrates with various AWS Lambda functions for each API operation. The company uses Amazon Route 53 for DNS and has created a resource record for Weather.example.com. The company stores data for the API in an Amazon DynamoDB table. The company needs a solution to provide failover capability for the API to another AWS region.


Which solution meets these requirements?



ⓐ Deploy a new set of Lambda functions in a new region. Update the API Gateway API to use an edge-optimized API endpoint targeting Lambda functions in both regions. Convert the DynamoDB table into a global table.


ⓑ Deploy a new API Gateway API and Lambda functions in a different region. Change the Route 53 DNS record to multi-value answer. Add both API Gateway APIs to the response. Enable health check monitoring. Convert the DynamoDB table into a global table.


ⓒ Deploy a new API Gateway API and Lambda functions in a different region. Change the Route 53 DNS record to a failover record. Enable health check monitoring. Convert the DynamoDB table into a global table.


ⓓ Deploy a new API Gateway API in a new region. Change Lambda functions to global functions. Change the Route 53 DNS record to multi-value answer. Add both API Gateway APIs to the response. Enable health check monitoring. Convert the DynamoDB table into a global table.



Solutions

Question 2 combines frequently used AWS services: API Gateway, Lambda and DynamoDB, with DNS handled by Route 53 records.

The question asks for the combination that can fail the API over to another region in case of an outage.

Many might pick C just by focusing on the “Change the Route 53 DNS record to a failover record” option.


And, in fact, the answer is indeed C.

Answer: C


To fail the DNS name over to another region during an outage, the following configuration is needed:

  1. Create API resources in the main region (domain).

  2. Create API resources in the sub-region (domain).

  3. Map the created APIs to a custom domain.

  4. Create a Route 53 DNS failover record.

Reading further in the question, you will also find health-check monitoring and the DynamoDB global table.

Completing these steps results in the following architecture.

This question is mainly about building a disaster-recovery solution, but this time we will also go through the API setup.


1. Create APIs in both the main and sub-regions. (Configure each region separately.)

Creating an API Gateway API is easy, but we also need a domain name. API Gateway has a custom domain name feature.

[Figure: API Gateway custom domain names]

It is easy to create, but note that a TLS certificate, i.e. an ACM certificate, is required.

Perform the same task in the sub-region as well.


2. Create a Route 53 health check.

[Figure: creating a Route 53 health check]

Point it at the domain of the main-region API created above.

This health check is what triggers the switch to the sub-region when there is an outage.


3. Routing policy - configure failover.

Route 53 offers several routing policies for records.

[Figure: routing policy - configure failover]

Among them, we need the failover policy.

Add two records of the same name and type: a primary record (main region) pointing to the main-region API domain and a secondary record (sub-region) pointing to the sub-region API domain, each created above.


4. DynamoDB global table

[Figure: creating a DynamoDB global table replica]

There is a separate section for creating global table replicas, so it is easy to find.
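As an added example that is not part of the original post, here is the Route 53 part of steps 2 and 3 as a CloudFormation template: one health check on the main-region API and a primary/secondary failover pair for weather.example.com aliased to the two regional custom domains. The parameter values, the /prod stage and the /health path are assumptions; the custom domains and the DynamoDB global table are not included.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  HostedZoneId:
    Type: AWS::Route53::HostedZone::Id   # public zone for example.com
  PrimaryInvokeHost:       # placeholder: <api-id>.execute-api.<main-region>.amazonaws.com
    Type: String
  PrimaryDomainTarget:     # regional domain name of the main-region custom domain (placeholder)
    Type: String
  PrimaryDomainZoneId:     # its regional hosted zone ID (placeholder)
    Type: String
  SecondaryDomainTarget:   # same two values for the sub-region custom domain (placeholders)
    Type: String
  SecondaryDomainZoneId:
    Type: String
Resources:
  # Probes the main-region API itself; three failed probes move DNS to the secondary record
  PrimaryHealthCheck:
    Type: AWS::Route53::HealthCheck
    Properties:
      HealthCheckConfig:
        Type: HTTPS
        FullyQualifiedDomainName: !Ref PrimaryInvokeHost
        Port: 443
        ResourcePath: /prod/health   # assumed: unauthenticated GET on the deployed stage
        RequestInterval: 30
        FailureThreshold: 3
  PrimaryRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: weather.example.com
      Type: A
      Failover: PRIMARY
      SetIdentifier: weather-primary
      HealthCheckId: !Ref PrimaryHealthCheck   # without this the primary never fails over
      AliasTarget:
        DNSName: !Ref PrimaryDomainTarget
        HostedZoneId: !Ref PrimaryDomainZoneId
        EvaluateTargetHealth: false
  SecondaryRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: weather.example.com
      Type: A
      Failover: SECONDARY
      SetIdentifier: weather-secondary
      AliasTarget:
        DNSName: !Ref SecondaryDomainTarget
        HostedZoneId: !Ref SecondaryDomainZoneId
        EvaluateTargetHealth: false
```

The two records share a name and type and differ only in SetIdentifier and Failover; Route 53 answers with the secondary only while the primary's health check is failing.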



Conclusion

I hope the problems solved today help you with your certification preparation.

Look forward to more in-depth problem explanations and key strategies in the next post!
