
Answer-first summary for fast verification
Answer: Create an S3 interface endpoint in the VPC. Update the on-premises application configuration to use the Regional VPC endpoint DNS hostname that is mapped to the S3 interface endpoint.
To access Amazon S3 without using the public IP address space in a hybrid architecture, the company can use an S3 interface endpoint or an S3 gateway endpoint within the VPC. However, the key difference between these options lies in how DNS resolution is handled for on-premises applications. Option A suggests creating an S3 interface endpoint and updating the on-premises application configuration to use the Regional VPC endpoint DNS hostname. This approach directly leverages the private connectivity provided by the interface endpoint without requiring additional DNS forwarding configurations. Option B, while also suggesting the creation of an S3 interface endpoint, complicates the solution by introducing a Route 53 Resolver inbound endpoint and DNS forwarding, which is not necessary for this scenario. Options C and D suggest using an S3 gateway endpoint, which is not suitable for this scenario because gateway endpoints do not support access from on-premises networks over AWS Direct Connect or VPN. Therefore, the most straightforward and correct solution is provided by option A.
Author: LeetQuiz Editorial Team
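A check for option A, added here as an example and not part of the original answer: it derives the bucket URL the on-premises application is configured with from the interface endpoint's Regional DNS name, then flags any resolved address outside RFC 1918. The endpoint ID and IP addresses are constructed sample values, and the function names are hypothetical.

```python
import ipaddress
import socket

# RFC 1918 ranges: the private address space the VPC in the question uses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: wildcard Regional DNS name of an S3 interface endpoint.
SAMPLE_DNS = "*.vpce-0123456789abcdef0-abcd1234.s3.us-west-2.vpce.amazonaws.com"


def bucket_endpoint_url(endpoint_dns_name):
    """Turn the wildcard Regional DNS name into the endpoint URL that the
    on-premises S3 client is pointed at for bucket operations."""
    name = endpoint_dns_name.strip().lower().rstrip(".")
    if not (name.startswith("*.vpce-") and name.endswith(".vpce.amazonaws.com")):
        raise ValueError(f"not an interface endpoint DNS name: {endpoint_dns_name!r}")
    if ".s3." not in name:
        raise ValueError("endpoint is not for the S3 service")
    return "https://bucket." + name[2:]  # replace the leading '*' label


def is_rfc1918(addr):
    """True only for IPv4 addresses inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def public_addresses(addresses):
    """Addresses that are not RFC 1918. An empty list means every resolved
    address is private, so traffic stays on Direct Connect and the VPC."""
    return [a for a in addresses if not is_rfc1918(a)]


def resolve(hostname):
    """Resolve with the local (on-premises) DNS servers. Needs network access,
    so it is only called when this file is run directly."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    url = bucket_endpoint_url(SAMPLE_DNS)
    print("configure the S3 client with endpoint:", url)
    # With a real endpoint name, run from the data center:
    #   print(public_addresses(resolve(url.removeprefix("https://"))))
    print(public_addresses(["10.0.1.25", "203.0.113.10"]))  # constructed IPs
```

Run from a host in the data center with the real endpoint name, a non-empty result from `public_addresses` means the application is still being steered to a public address.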
A global company is designing a hybrid architecture to privately access AWS resources in the us-west-2 Region. Their existing setup includes a VPC with RFC 1918 IP address space, connected to an on-premises data center via AWS Direct Connect. Amazon Route 53 handles name resolution within the VPC, while on-premises DNS services are managed by local DNS servers in the data center. Applications in the data center require access to download objects from an Amazon S3 bucket in us-west-2.
What solution can the company implement to access Amazon S3 without utilizing public IP address space?
A
Create an S3 interface endpoint in the VPC. Update the on-premises application configuration to use the Regional VPC endpoint DNS hostname that is mapped to the S3 interface endpoint.
B
Create an S3 interface endpoint in the VPC. Configure a Route 53 Resolver inbound endpoint in the VPC. Set up the data center DNS servers to forward DNS queries for the S3 domain from on premises to the inbound endpoint.
C
Create an S3 gateway endpoint in the VPC. Update the on-premises application configuration to use the hostname that is mapped to the S3 gateway endpoint.
D
Create an S3 gateway endpoint in the VPC. Configure a Route 53 Resolver inbound endpoint in the VPC. Set up the data center DNS servers to forward DNS queries for the S3 domain from on premises to the inbound endpoint.