🗺️ Amazon Route 53 - SOA-C03 Practice Questions

Review hosted zones, routing policies, health checks, failover routing, resolver endpoints, private hosted zones, and DNS troubleshooting.

26 Questions Available
2 Exam Domains


SOA-C03 Route 53 Question Bank (26 Questions)

Browse all 26 practice questions covering Amazon Route 53 for the SOA-C03 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

  1. Question 1 - Networking & Content Delivery

    A company has a hybrid DNS architecture. AWS workloads need to resolve on-premises DNS names (e.g., `db.corp.internal`), and on-premises servers need to resolve AWS Route 53 Private Hosted Zone names (e.g., `app.aws.internal`). The environments are connected via Direct Connect. Which Route 53 Resolver configuration is required?

    A. An outbound endpoint only — for forwarding AWS DNS queries to on-premises DNS servers.
    B. An inbound endpoint only — for on-premises DNS servers to forward queries to AWS.
    C. Both an outbound endpoint (for AWS-to-on-premises resolution) AND an inbound endpoint (for on-premises-to-AWS resolution).
    D. Associate the Route 53 Private Hosted Zone with the on-premises network, which eliminates the need for resolver endpoints.

  2. Question 2 - Networking and Content Delivery

    A SysOps administrator uses Route 53 resolver and wants DNS queries from on-premises to resolve private hosted zone records. Which component routes these queries to Route 53?

    A. Route 53 inbound resolver endpoint
    B. Route 53 outbound resolver endpoint
    C. Route 53 private hosted zone association
    D. Direct Connect private VIF

  3. Question 3 - Reliability & Business Continuity

    A SysOps Administrator has configured Route 53 failover routing with a primary record pointing to an ALB in us-east-1 and a secondary record pointing to a static S3 website in us-west-2. The Route 53 health check for the primary ALB fails, but DNS is not failing over. What is the MOST likely cause?

    A. The health check interval is set to 30 seconds, which is too slow to detect the failure.
    B. The primary alias record does not have "Evaluate Target Health" enabled, so Route 53 does not consider the health check status.
    C. The secondary record has a higher TTL than the primary, causing DNS resolvers to cache the primary record.
    D. Route 53 failover routing requires that both records be in the same hosted zone, and they are in different hosted zones.

  4. Question 4 - Networking & Content Delivery

    A company has on-premises DNS servers and uses Amazon Route 53 for public DNS. The company needs instances in their VPC to resolve on-premises domain names, and on-premises servers need to resolve private hosted zone records in Route 53. Which solution should the administrator implement?

    A. Create Route 53 Resolver inbound and outbound endpoints with appropriate forwarding rules
    B. Configure DHCP options sets in the VPC to point to on-premises DNS servers
    C. Create a Route 53 public hosted zone with all on-premises DNS records
    D. Use a Transit Gateway to enable DNS resolution between on-premises and VPC

  5. Question 5 - Networking and Content Delivery

    A SysOps administrator needs to enable communication between an on-premises DNS server and a Route 53 private hosted zone. Which component needs to be created?

    A. Route 53 outbound resolver endpoint
    B. Route 53 inbound resolver endpoint in the VPC
    C. Direct Connect private VIF
    D. Route 53 public hosted zone

  6. Question 6 - Reliability & Business Continuity

    A SysOps Administrator configures Route 53 health checks for a multi-region active-passive failover setup. The primary region runs an ALB, and the secondary is an S3 static website. The administrator needs a health check that evaluates the primary ALB and fails over to S3 only when both the ALB endpoint AND a CloudWatch alarm for backend health are in a failure state. Which Route 53 health check type should be used?

    A. An HTTP health check against the ALB endpoint.
    B. A TCP health check against the ALB on port 443.
    C. A calculated health check that combines an HTTP health check for the ALB and a CloudWatch alarm health check, treating the endpoint as unhealthy only when both child checks fail.
    D. A CloudWatch alarm health check only, which monitors the ALB's `HealthyHostCount` metric.

  7. Question 7 - Reliability & Business Continuity

    A company has Route 53 health checks configured for a primary ALB in us-east-1 and a failover record pointing to a secondary ALB in us-west-2. During a simulated failure, Route 53 does not failover because the health check still reports healthy. The ALB returns HTTP 200 from its default health check path, but the application behind it is not functioning. What should the administrator change?

    A. Configure the Route 53 health check to monitor a dedicated deep health check endpoint that validates application dependencies
    B. Switch from an alias record to a CNAME record so Route 53 health checks can evaluate the ALB directly
    C. Enable Route 53 latency-based routing instead of failover routing
    D. Configure the ALB target group health check to use TCP instead of HTTP

  8. Question 8 - Reliability and Business Continuity

    A SysOps administrator configured a Route 53 failover routing record. The health check is using HTTPS on port 443, but the primary endpoint is showing as unhealthy even though the website is functioning. What should be checked?

    A. The website's SSL certificate is expired
    B. Route 53 health checker IP ranges are blocked by the origin's security group or WAF
    C. Route 53 health checks only support HTTP, not HTTPS
    D. The health check interval is too short

  9. Question 9 - Networking & Content Delivery

    A company hosts a public zone in Route 53 and needs to enable DNSSEC signing to protect against DNS spoofing and man-in-the-middle attacks. Which steps must the SysOps Administrator perform to enable DNSSEC for the hosted zone?

    A. Enable DNSSEC signing in the Route 53 hosted zone, which creates a KSK (Key Signing Key) backed by a KMS key in us-east-1. Then establish a chain of trust by adding a DS (Delegation Signer) record to the parent zone (domain registrar).
    B. Create DKIM records in the hosted zone and enable DNSSEC in the domain registrar.
    C. Enable DNSSEC on the VPC resolver and it automatically applies to all public hosted zones.
    D. Import a third-party SSL certificate into Route 53 for zone signing.

  10. Question 10 - Networking & Content Delivery

    A company has an on-premises DNS server that needs to resolve private hosted zone records in an AWS VPC. The administrator needs to configure DNS resolution from on-premises to AWS. What should be set up?

    A. Create a Route 53 Resolver inbound endpoint in the VPC, configure the on-premises DNS server to forward queries for the private hosted zone domain to the endpoint IP addresses
    B. Create a Route 53 Resolver outbound endpoint and a forwarding rule to send queries to the on-premises DNS server
    C. Enable DNS forwarding on the VPC's DHCP options set to include the on-premises DNS server IP
    D. Create a public hosted zone with the same domain and allow on-premises servers to resolve through public DNS

  11. Question 11 - Networking & Content Delivery

    A SysOps administrator is setting up DNS resolution for a hybrid environment. On-premises servers need to resolve AWS private hosted zone records, and EC2 instances need to resolve on-premises DNS domains. Which configuration supports bidirectional DNS resolution?

    A. Configure the VPC DHCP options set with the on-premises DNS server addresses and forward all DNS traffic through a VPN connection
    B. Create Route 53 Resolver inbound endpoints (for on-premises to resolve AWS records) and outbound endpoints with forwarding rules (for AWS to resolve on-premises records)
    C. Enable DNS hostnames and DNS resolution on the VPC and configure the on-premises DNS server to forward queries to the VPC's .2 resolver IP address
    D. Deploy a custom BIND DNS server in the VPC that conditionally forwards to both Route 53 and the on-premises DNS server

  12. Question 12 - Networking & Content Delivery

    A SysOps administrator wants to monitor and log all DNS queries made by EC2 instances within a VPC, including queries to private hosted zones and external domains. Which service should be used?

    A. Enable VPC Flow Logs with a custom format that includes DNS fields
    B. Enable Route 53 Resolver query logging for the VPC, which logs all DNS queries to CloudWatch Logs, S3, or Kinesis Data Firehose
    C. Configure CloudTrail to capture Route 53 DNS query events
    D. Install the CloudWatch agent on all EC2 instances and configure it to capture DNS query logs from the local resolver

  13. Question 13 - Networking and Content Delivery

    A SysOps administrator wants to enable DNS resolution for private hosted zones in a VPC that is peered with another VPC. What must be configured?

    A. Enable DNS resolution in the VPC peering connection for both VPCs
    B. Share the private hosted zone via Route 53 resolver
    C. Create a Route 53 inbound endpoint in each VPC
    D. Both A and B work

  14. Question 14 - Networking and Content Delivery

    A SysOps administrator uses Amazon Route 53 Resolver DNS Firewall. What does it protect against?

    A. DDoS attacks on DNS infrastructure
    B. DNS-based threats such as DNS exfiltration, C2 communication via DNS, and access to malicious domains from within the VPC
    C. Unauthorized zone transfers
    D. DNS spoofing attacks

  15. Question 15 - Networking and Content Delivery

    A SysOps administrator wants to improve DNS query resilience for a VPC using Route 53 Resolver. Which feature improves resolver availability?

    A. Route 53 Resolver supports multiple endpoints per AZ for redundancy
    B. The Route 53 Resolver at the VPC+2 address is managed by AWS and automatically highly available
    C. Deploy custom BIND DNS servers in each AZ
    D. Enable Route 53 DNS failover for the resolver

  16. Question 16 - Reliability & Business Continuity

    A company uses Route 53 with a failover routing policy for a web application. The primary endpoint is in us-east-1 and the secondary endpoint is in eu-west-1. The SysOps administrator notices that Route 53 is not failing over even though the primary endpoint is unhealthy. What is the most likely cause?

    A. The Route 53 health check for the primary endpoint is configured to check the wrong IP address or URL path.
    B. The health check evaluation interval is set to 30 seconds, which is too slow to detect the failure.
    C. The secondary record does not have a health check associated with it, and Route 53 requires both records to have health checks.
    D. The TTL on the primary DNS record is set too high, causing resolvers to cache the old record beyond the failover time.

  17. Question 17 - Reliability & Business Continuity

    A company runs a web application across two AWS Regions for disaster recovery. During Region failover, traffic should gradually shift to the secondary Region rather than switching 100% at once to validate stability. Which Route 53 routing policy should the administrator use?

    A. Failover routing policy with health checks
    B. Weighted routing policy with health checks, gradually adjusting weights
    C. Latency-based routing policy
    D. Geolocation routing policy

  18. Question 18 - Reliability & Business Continuity

    A company uses Amazon Route 53 with an alias record pointing to an Application Load Balancer. The team wants Route 53 to stop routing traffic to the ALB if all targets behind it become unhealthy. How does Route 53 alias health checking work in this scenario?

    A. Route 53 automatically evaluates the health of the alias target (ALB). If all ALB targets are unhealthy, Route 53 considers the alias record unhealthy and stops returning it in DNS responses (if other records exist in a failover or weighted policy).
    B. An explicit Route 53 health check must be created for the ALB's DNS name and associated with the alias record.
    C. Route 53 alias records do not support health checking; the administrator must use a CNAME record instead.
    D. Route 53 queries the ALB's `/health` path directly to determine health status.

  19. Question 19 - Reliability & Business Continuity

    A SysOps administrator is configuring Amazon Route 53 health checks for a multi-region application. The primary region endpoint sometimes takes 8 seconds to respond, causing Route 53 health checks to fail. What should the administrator adjust?

    A. Increase the Route 53 health check request interval from 10 seconds to 30 seconds
    B. Increase the health check failure threshold from 3 to 5
    C. Change the health check type from HTTP to TCP
    D. Configure a calculated health check that requires 2 out of 3 child checks to be healthy

  20. Question 20 - Reliability & Business Continuity

    A SysOps administrator manages Route 53 health checks for a multi-region application. There are individual health checks for endpoints in four regions. The team wants a single health check that reports unhealthy only when health checks in two or more regions fail simultaneously. Which Route 53 feature should be used?

    A. Create a Route 53 failover routing policy with the four health checks as primary and secondary
    B. Create a calculated health check that monitors the four child health checks and set the threshold to report unhealthy when 2 or more child checks are unhealthy
    C. Create a CloudWatch composite alarm that monitors the four health check metrics and configure Route 53 to use the composite alarm
    D. Create an EventBridge rule that evaluates Route 53 health check events and triggers a Lambda function to update a custom health check

  21. Question 21 - Networking & Content Delivery

    A company with offices in multiple countries wants to route users to the AWS Region closest to them, but also wants the ability to shift a percentage of traffic from one Region to another for gradual regional failover. Which Route 53 routing policy should be used?

    A. Geolocation routing policy
    B. Geoproximity routing policy with bias values to shift traffic toward or away from specific Regions
    C. Latency-based routing policy
    D. Weighted routing policy with weights proportional to regional capacity

  22. Question 22 - Reliability and Business Continuity

    A SysOps administrator uses Amazon Route 53 for DR. They want automatic failover from a primary region to a secondary region. Which routing policy achieves this?

    A. Weighted routing
    B. Failover routing with health checks on the primary endpoint
    C. Latency routing
    D. Geolocation routing

  23. Question 23 - Reliability and Business Continuity

    A SysOps administrator configures Route 53 health checks. The health check uses HTTP. What does Route 53 check by default?

    A. Returns any HTTP response (including 5xx errors)
    B. Returns HTTP 2xx or 3xx status code within the timeout
    C. Returns exactly HTTP 200 only
    D. Only checks that the TCP connection is established

  24. Question 24 - Networking & Content Delivery

    A SysOps Administrator configures Route 53 with multiple IP addresses for a single domain name. The administrator wants Route 53 to return all healthy IP addresses in response to each DNS query, and clients should pick one. Which routing policy should be used?

    A. Simple routing policy with multiple values in a single record.
    B. Multivalue answer routing policy with health checks associated with each record.
    C. Weighted routing policy with equal weights for each IP.
    D. Latency-based routing policy to return the closest IP.

  25. Question 25 - Select All That Apply - Networking & Content Delivery

    A company uses Route 53 to host a public DNS zone. The security team wants to protect the zone against DNS spoofing and cache poisoning attacks by enabling cryptographic signing of DNS records. Which TWO steps must the SysOps administrator perform? (Select TWO.)

    A. Enable DNSSEC signing on the Route 53 hosted zone
    B. Create a KMS customer-managed key (asymmetric, ECC_NIST_P256) in us-east-1 for DNSSEC signing
    C. Import a self-signed SSL certificate into ACM for the hosted zone
    D. Configure the domain registrar to add a DS record to the parent zone
    E. Enable DNSSEC validation on the VPC DNS resolver

  26. Question 26 - Reliability and Business Continuity

    A SysOps administrator uses Amazon RDS Multi-AZ for high availability. During a Multi-AZ failover, what happens to the DNS endpoint?

    A. The endpoint changes to the standby instance's new DNS name
    B. The DNS endpoint remains the same but resolves to the standby instance's IP after failover
    C. Applications must manually update their connection strings
    D. The primary instance's IP address is reassigned to the standby


Key Route 53 Concepts for SOA-C03

route 53, route53, dns, hosted zone, health check, failover, resolver, private hosted zone

SOA-C03 Route 53 Exam Tips

Amazon Route 53 questions in SOA-C03 are typically scenario-based. Focus on operations, observability, incident response, and automated remediation. Priority concepts: route 53, route53, dns, hosted zone, health check, failover.

What SOA-C03 Expects

  • Anchor your answer in operational visibility and repeatable, runbook-ready automation.
  • Route 53 scenarios for SOA-C03 are frequently mapped to Domain 2 (22%) and Domain 5 (18%), so read the objective carefully before picking controls or architecture.
  • Expect multi-topic scenarios where Route 53 interacts with IAM, networking, storage, or observability patterns rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Associate) and vendor best practices.

High-Value Route 53 Concepts

  • Know the core Route 53 building blocks cold: route 53, route53, dns, hosted zone.
  • Review the edge-case features and limits for health check, failover; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how Route 53 pairs with VPC, CloudFront, Direct Connect in real deployment patterns.
  • For SOA-C03, explain why the chosen Route 53 design meets reliability, security, and cost expectations better than the alternatives.

Common SOA-C03 Traps

  • Watch for answers that deploy quickly but are hard to monitor or recover.
  • Questions in Reliability and Business Continuity often include distractors that look correct for Route 53 but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two Route 53 implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Reliability and Business Continuity (22%) outcomes for SOA-C03?
  • Can you explain security and access boundaries for Route 53 without relying on default-open assumptions?
  • Can you describe how Route 53 integrates with VPC and CloudFront during failure, scaling, and monitoring events?
