Open in app

Sign in

Write

Sign in

AWS Virtual Private Cloud (VPC) Interview Questions and Answers

Sanjay Kumar PhD
6 min readDec 24, 2024

--

Image generated by DALL E

AWS Virtual Private Cloud (VPC)

AWS Virtual Private Cloud (VPC) is an essential service in AWS that allows you to create a logically isolated virtual network within the AWS Cloud. This network gives you full control over your networking environment, enabling you to define IP address ranges, create subnets, and configure route tables and gateways.

Q: What is a VPC?

Amazon Virtual Private Cloud (VPC) is a service that enables you to launch AWS resources into a customizable virtual network. This network simulates a traditional data center environment, while leveraging the scalability and flexibility of AWS infrastructure. You can manage the networking settings, such as IP address ranges, subnets, route tables, and network gateways, to tailor the environment to your needs.

Q: What are subnets?

A subnet in AWS is a segment of your VPC’s IP address range. Subnets are used to isolate and organize resources within a VPC:

  • Public subnets: For resources that need internet access.
  • Private subnets: For resources that do not require direct internet access.
    Each subnet is confined to a single Availability Zone, ensuring high availability and fault isolation.

Q: Explain the difference between a Security Group and a Network Access Control List (NACL).

Security Group:

  • Acts as a virtual firewall for EC2 instances.
  • Operates at the instance level.
  • Supports allow rules only.
  • Stateful: If inbound traffic is allowed, the response traffic is automatically allowed outbound.

Network Access Control List (NACL):

  • Acts as a firewall for one or more subnets.
  • Operates at the subnet level.
  • Supports both allow and deny rules.
  • Stateless: Each traffic direction (inbound/outbound) is evaluated separately according to its rules.

Q: What is an Internet Gateway, and why is it used?

An Internet Gateway (IGW) is a component that connects instances in a VPC to the internet. It serves as:

  • A target for internet-routable traffic in route tables.
  • A translator for public IPv4 addresses, enabling communication between the VPC and the internet.

Q: How can you securely connect your on-premises network to a VPC?

You can securely connect your on-premises network to your VPC using:

  1. AWS Direct Connect:
  • A private, dedicated connection that bypasses the public internet.
  • Offers reduced latency, increased bandwidth, and a consistent network experience.
  1. VPN Connection:
  • Uses the public internet to establish a secure, encrypted connection.
  • Requires setting up a VPN gateway in your AWS environment for high availability.

Q: What is a NAT Gateway, and why would you use it?

A NAT Gateway (Network Address Translation Gateway) allows instances in a private subnet to initiate outbound internet connections, while preventing inbound internet connections.

  • Use cases: Software updates, secure data processing tasks requiring internet access.

Q: Describe how routing works in a VPC.

Each VPC has a route table that defines the rules for directing network traffic. Key points:

  • Subnets must be associated with a route table, which determines the traffic flow for that subnet.
  • Default route tables include local routes for internal VPC communication.
  • Additional routes can direct traffic to destinations like Internet Gateways, NAT Gateways, VPN connections, or AWS Direct Connect.

Q: What are VPC Endpoints?

VPC Endpoints enable private connectivity between a VPC and supported AWS services or PrivateLink-powered services without requiring an internet gateway, NAT device, VPN connection, or Direct Connect.

  • Benefits:
  • Traffic remains within the AWS network.
  • Instances do not need public IP addresses to access these services.

What are the key components of a VPC?

  1. Subnets: Divide the VPC into smaller network sections.
  2. Route Tables: Define the rules for directing traffic within the VPC.
  3. Internet Gateway (IGW): Enables internet access for public subnets.
  4. NAT Gateway: Provides internet access for private subnets without exposing them to inbound connections.
  5. Security Groups: Virtual firewalls for EC2 instances.
  6. Network Access Control Lists (NACLs): Subnet-level firewalls for traffic control.
  7. Elastic IPs: Static IP addresses for AWS resources.
  8. VPC Peering: Connects two VPCs for private communication.
  9. VPC Endpoints: Private connectivity to AWS services

Q: What are the differences between public and private subnets?

Public Subnet:

  • Contains resources that need direct internet access.
  • Associated with a route table that routes traffic to an Internet Gateway.

Private Subnet:

  • Contains resources without direct internet access.
  • Often uses a NAT Gateway for outbound internet traffic.

How do you assign IP addresses in a VPC?

You can assign IP addresses in a VPC by specifying the CIDR (Classless Inter-Domain Routing) block. Examples:

  • Private IPs are assigned to instances automatically or manually from the CIDR range.
  • Public IPs can be assigned dynamically or via Elastic IPs for static allocation.

What is the difference between Elastic IP and Public IP?

Elastic IP:

  • A static, public IPv4 address.
  • Stays assigned to your account until explicitly released.
  • Useful for associating a fixed IP with an instance.

Public IP:

  • A dynamic IPv4 address assigned to an instance during launch.
  • Released when the instance is stopped or terminated.

Q: What is VPC Peering?

VPC Peering enables communication between two VPCs in the same or different AWS accounts and regions.

  • Traffic remains private and does not traverse the internet.
  • Use cases: Sharing resources between environments or teams.

What are Transit Gateways?

A Transit Gateway acts as a hub for connecting multiple VPCs and on-premises networks through a single connection.

  • Supports centralized routing.
  • Simplifies network architecture for multi-VPC environments.

What are the differences between VPC and Classic EC2?

VPC:

  • Default network for all new AWS accounts.
  • Offers complete control over IP ranges, subnets, and routing.
  • Supports advanced networking features like NAT, VPN, and VPC endpoints.

Classic EC2 (deprecated):

  • No longer available for new accounts.
  • Resources were launched in a flat, non-isolated network.

How do you monitor and troubleshoot VPCs?

  1. VPC Flow Logs: Capture detailed information about IP traffic within your VPC.
  2. CloudWatch: Monitor VPC metrics and set alarms for unusual activity.
  3. CloudTrail: Track API calls and configuration changes.
  4. Reachability Analyzer: Diagnose connectivity issues between resources.

What is the purpose of a VPN Gateway?

A VPN Gateway establishes a secure, encrypted connection between your on-premises network and a VPC.

  • Useful for hybrid cloud environments.
  • Two types:
  • Site-to-Site VPN: For permanent connections.
  • Client VPN: For individual users accessing AWS resources securely.

What are default and custom VPCs?

Default VPC:

  • Automatically created in each AWS region.
  • Comes with a predefined CIDR block, subnets, route tables, and an Internet Gateway.
  • Simplified setup for beginner users.

Custom VPC:

  • Fully customizable networking setup.
  • Allows specific configurations for advanced use cases.

Q: What is an Elastic Network Interface (ENI)?

An ENI is a virtual network card attached to an EC2 instance.

  • Provides multiple private/public IPs for an instance.
  • Useful for applications requiring dual-homed network configurations or redundancy.

Q: What is the role of a bastion host?

A bastion host provides secure access to private instances in a VPC.

  • Acts as a jump server.
  • Typically placed in a public subnet with restricted access.

Q: How does AWS PrivateLink work?

AWS PrivateLink enables private access to AWS services or your own services hosted in a VPC, without exposing traffic to the internet.

  • Traffic is routed through VPC endpoints.
  • Enhances security for sensitive data.

Q: Can you explain VPC flow log use cases?

  1. Security Analysis: Identify malicious traffic patterns.
  2. Troubleshooting: Diagnose connectivity issues.
  3. Compliance: Maintain logs for audits.
  4. Monitoring Traffic: Gain insights into traffic patterns.

Q: How do you handle inter-region connectivity between VPCs?

  1. VPC Peering (Inter-region): Allows private communication between VPCs in different regions.
  2. AWS Transit Gateway: Connects multiple VPCs and on-premises networks globally.
  3. VPN or Direct Connect: For secure communication over the internet or private connections.

Q: What are the benefits of using VPC Endpoints over an Internet Gateway?

  • Keeps traffic private and secure within the AWS network.
  • Eliminates the need for public IP addresses.
  • Reduces data transfer costs compared to internet-based traffic.
AWS
Data Engineering
Data Science
Machine Learning
Vpc

--

--

Sanjay Kumar PhD
Sanjay Kumar PhD

Written by Sanjay Kumar PhD

222 Followers
433 Following

AI Product | Data Science| GenAI | Machine Learning | LLM | AI Agents | NLP| Data Analytics | Data Engineering | Deep Learning | Statistics

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams