VPC Basics
What is a Virtual Private Cloud (VPC) in AWS?
A Virtual Private Cloud (VPC) is a logically isolated section of the AWS cloud that you control. It acts like your own private data center within AWS, where you can define networking components such as IP address ranges, subnets, route tables, and gateways. This isolation ensures that your resources are secure and operate independently from other AWS customers. You can also configure connectivity to on-premises networks using VPN or Direct Connect.
Why would you use a VPC in AWS?
A VPC provides network isolation, security, and flexibility. Key benefits include:
- Security: Control inbound and outbound traffic using Security Groups and NACLs.
- Customization: Define IP ranges, create subnets, and configure routing.
- Hybrid Connectivity: Connect AWS resources to on-premises environments securely.
- Compliance: Meet regulatory requirements by isolating workloads.
Example: Hosting a multi-tier application where the web tier is in a public subnet and the database tier is in a private subnet.
Can you have multiple VPCs within a single AWS account?
Yes. AWS allows multiple VPCs per region within a single account. This is useful for:
- Environment Separation: Development, staging, and production environments.
- Business Unit Isolation: Different teams or projects can have their own VPCs.
- Security: Isolate workloads to reduce blast radius in case of a breach.
What is the default VPC?
AWS creates a default VPC in each region for new accounts. It includes:
- One subnet per Availability Zone.
- An Internet Gateway attached.
- Preconfigured route tables and security groups.
This makes it easy to launch resources without manual setup.
Can you delete the default VPC?
Yes, you can delete it. However, AWS recommends creating custom VPCs for production workloads because they offer better control over IP addressing, subnetting, and security.
CIDR Ranges
What is a CIDR range in the context of VPC?
CIDR (Classless Inter-Domain Routing) notation defines the IP address range for your VPC. For example:
- 10.0.0.0/16 → 65,536 IP addresses.
- 192.168.0.0/24 → 256 IP addresses.
This determines how many IPs you can assign to resources.
How do you select an appropriate CIDR block for a VPC?
Consider:
- Current Needs: Number of EC2 instances, load balancers, etc.
- Future Growth: Avoid running out of IPs.
- Avoid Overlap: Ensure no overlap with on-premises networks or other VPCs for peering or VPN.
Example: For a large environment, choose /16. For small workloads, /24 may suffice.
What is the smallest and largest VPC CIDR block you can create?
- Smallest: /28 → 16 IP addresses (11 usable after AWS reserves 5).
- Largest: /16 → 65,536 IP addresses (65,531 usable).
AWS reserves 5 IPs per subnet:
- Network address.
- VPC router.
- DNS.
- Future use.
- Broadcast address.
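The CIDR sizing rules above (the /16 to /28 range for a VPC block, the 5 addresses AWS reserves per subnet, and the need to avoid overlap with on-premises or peered ranges) can be checked before anything is created. The following Python is an added example written for this page, not AWS tooling; it uses only the standard library, and the on-premises ranges in it are constructed sample input.

```python
import ipaddress

# AWS reserves five addresses in every subnet
# (network, VPC router, DNS, future use, broadcast), as listed above.
AWS_RESERVED_PER_SUBNET = 5


def usable_addresses(cidr):
    """Addresses in `cidr` that can actually be assigned once AWS's 5 are set aside."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def is_valid_vpc_cidr(cidr):
    """AWS accepts IPv4 VPC blocks with a prefix length between /16 and /28."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:  # malformed, or host bits set (e.g. 10.0.0.1/24)
        return False
    return net.version == 4 and 16 <= net.prefixlen <= 28


def find_overlaps(candidate, existing):
    """Return every existing range (on-premises networks, peer VPCs) that overlaps
    `candidate`. Any hit means VPN or peering routes to that range would be ambiguous."""
    cand = ipaddress.ip_network(candidate, strict=True)
    return [c for c in existing if ipaddress.ip_network(c).overlaps(cand)]


def carve_subnets(vpc_cidr, new_prefix):
    """Split the VPC block into equal-sized subnets of `new_prefix` length."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def plan_vpc(candidate, existing, subnet_prefix):
    """Validate a proposed VPC block against the rules above and report the plan."""
    if not is_valid_vpc_cidr(candidate):
        return {"ok": False, "reason": "prefix length must be /16 to /28"}
    clashes = find_overlaps(candidate, existing)
    if clashes:
        return {"ok": False, "reason": "overlaps " + ", ".join(clashes)}
    subnets = carve_subnets(candidate, subnet_prefix)
    return {"ok": True, "subnets": len(subnets),
            "usable_per_subnet": usable_addresses(subnets[0])}


if __name__ == "__main__":
    # Constructed example: the on-premises side already uses 10.0.0.0/16 and 172.16.0.0/12.
    on_prem = ["10.0.0.0/16", "172.16.0.0/12"]
    print(plan_vpc("10.0.0.0/16", on_prem, 24))   # rejected: overlaps on-prem
    print(plan_vpc("10.50.0.0/16", on_prem, 24))  # accepted: 256 subnets, 251 usable each
```

`strict=True` rejects a block whose host bits are set, which is how a typo such as 10.0.0.1/24 gets caught before it reaches a console or Terraform plan.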
Public and Private Subnets
What is the difference between a public subnet and a private subnet in a VPC?
- Public Subnet: Has a route to the Internet Gateway. Instances can have public IPs and be accessed from the internet.
- Private Subnet: No direct route to the internet. Instances rely on NAT Gateway or NAT Instance for outbound traffic.
How are internet-facing resources placed in a VPC?
Internet-facing resources (e.g., web servers) are placed in public subnets with public IPs. Alternatively, they can be in private subnets and access the internet through a NAT Gateway for outbound traffic only.
How do private subnets communicate with the internet?
Through a NAT Gateway or NAT Instance, which allows outbound traffic while blocking inbound traffic from the internet.
Network ACLs
What is a Network Access Control List (NACL) in a VPC?
A NACL is a stateless firewall at the subnet level that controls inbound and outbound traffic using numbered rules (allow/deny). Each rule specifies protocol, port range, and source/destination IP.
How does a NACL differ from a security group?
- NACL: Stateless, subnet-level, explicit allow/deny rules.
- Security Group: Stateful, instance-level, only allow rules.
Example: NACL can block traffic from a specific IP range, while Security Groups cannot deny traffic explicitly.
Can a NACL block traffic based on protocol and port number?
Yes. NACL rules can filter traffic by protocol (TCP, UDP, ICMP) and port numbers.
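The stateless/stateful distinction is easiest to see by simulating both evaluators on the same packets. The Python below is an added example for this page (not AWS code); the rule sets are constructed, 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for real clients, and the dataclass layout is this example's own. It shows ordered NACL evaluation with the implicit final deny, the fact that a security group has nothing to deny with, and the classic NACL mistake of allowing the service port inbound but forgetting the ephemeral port range outbound, which silently drops every reply.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated lowest number first; the implicit final "*" rule denies
    protocol: str    # "tcp", "udp", "icmp", or "-1" for all traffic
    port_from: int   # inclusive port range (ignored for icmp and "-1")
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound rules
    action: str      # "allow" or "deny"


def evaluate_nacl(rules, protocol, port, ip):
    """Stateless evaluation of one packet: first matching rule by number wins."""
    addr = ipaddress.ip_address(ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("-1", protocol):
            continue
        if rule.protocol in ("tcp", "udp") and not rule.port_from <= port <= rule.port_to:
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action
    return "deny"  # nothing matched: the default "*" rule


def evaluate_sg(allow_rules, protocol, port, ip):
    """Security group: allow rules only, no ordering; unmatched traffic is dropped.
    Each rule is (protocol, port_from, port_to, cidr)."""
    addr = ipaddress.ip_address(ip)
    return any(
        proto in ("-1", protocol)
        and (proto not in ("tcp", "udp") or lo <= port <= hi)
        and addr in ipaddress.ip_network(cidr)
        for proto, lo, hi, cidr in allow_rules
    )


def nacl_connection_allowed(inbound, outbound, client_ip, client_port, service_port):
    """Because a NACL is stateless, a TCP connection from a client needs BOTH an
    inbound match (client -> service_port) and an outbound match for the reply
    (service -> the client's ephemeral port)."""
    request = evaluate_nacl(inbound, "tcp", service_port, client_ip) == "allow"
    reply = evaluate_nacl(outbound, "tcp", client_port, client_ip) == "allow"
    return request and reply


# Constructed rule sets for a web subnet. Rule 90 blocks one range explicitly,
# something only a NACL can express.
WEB_INBOUND = [
    NaclRule(90, "tcp", 0, 65535, "203.0.113.0/24", "deny"),
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
]
# Mistake: only the service port is allowed outbound, so replies are dropped.
WEB_OUTBOUND_MISSING_EPHEMERAL = [NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
# Corrected: also allow the ephemeral range clients use for return traffic.
WEB_OUTBOUND_FIXED = WEB_OUTBOUND_MISSING_EPHEMERAL + [
    NaclRule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
]
WEB_SG = [("tcp", 443, 443, "0.0.0.0/0")]


if __name__ == "__main__":
    client = "198.51.100.7"
    print(nacl_connection_allowed(WEB_INBOUND, WEB_OUTBOUND_MISSING_EPHEMERAL, client, 51234, 443))  # False
    print(nacl_connection_allowed(WEB_INBOUND, WEB_OUTBOUND_FIXED, client, 51234, 443))             # True
    print(evaluate_nacl(WEB_INBOUND, "tcp", 443, "203.0.113.9"))  # deny: rule 90 wins
    print(evaluate_sg(WEB_SG, "tcp", 443, "203.0.113.9"))         # True: a SG cannot deny
```

Note that rule numbering, not list order, decides precedence: the deny at 90 is evaluated before the allow at 100 even though a broader allow exists.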
VPC Peering
What is VPC peering and when would you use it?
VPC peering connects two VPCs so resources can communicate privately as if on the same network. Use cases:
- Sharing resources between environments.
- Multi-tier applications across VPCs.
Can you peer VPCs in different AWS accounts?
Yes, cross-account peering is supported with mutual acceptance of the peering request.
What are the limitations of VPC peering?
- Peering is not transitive: if VPC A is peered with B and B with C, A cannot reach C through B.
- Limited to the same region unless using inter-region peering.
Transit Gateway Basics
What is an AWS Transit Gateway?
A Transit Gateway acts as a central hub to connect multiple VPCs, VPNs, and Direct Connect links, simplifying network architecture.
How does a Transit Gateway simplify connectivity?
It eliminates complex peering meshes by providing a single point for routing traffic between networks.
Can a Transit Gateway span multiple AWS regions?
Yes, Transit Gateway supports inter-region peering.
Site-to-Site VPN Connection
What is a Site-to-Site VPN connection in AWS?
It securely connects your on-premises network to your AWS VPC over an encrypted tunnel using a Virtual Private Gateway.
When would you use a Site-to-Site VPN connection?
When you need secure connectivity without exposing resources to the public internet.
What information is needed to establish a Site-to-Site VPN connection?
- Customer Gateway public IP
- Pre-shared key
- BGP ASN (if using dynamic routing)
VPC Endpoints
What is a VPC endpoint?
A VPC endpoint enables private connectivity between your VPC and AWS services without traversing the public internet.
How does a VPC endpoint enhance security?
Traffic stays within the AWS network, reducing exposure to external threats.
Types of VPC endpoints:
- Interface Endpoint: For most AWS services (powered by PrivateLink).
- Gateway Endpoint: For S3 and DynamoDB.
Routing in a VPC
How does routing work within a VPC?
Each subnet uses a route table to determine traffic flow. Routes can point to Internet Gateway, NAT Gateway, VPN, or VPC peering.
What is the purpose of a route table?
It defines the next hop for traffic based on destination IP.
Can you associate multiple route tables with a subnet?
No. A subnet is associated with exactly one route table at a time, but one route table can be shared by many subnets, and you can create separate route tables for subnets that need different routing.
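The route lookup these answers describe is a longest-prefix match over the subnet's table, and the public/private distinction from the subnet section is just a question of where 0.0.0.0/0 points. The Python below is an added example for this page, not AWS code; the route tables are constructed and the igw-/nat-/pcx- identifiers are placeholders, not real resource IDs. It also shows the peering point above: a table that only has a local route has no path to a destination in another VPC, so the packet is dropped.

```python
import ipaddress


def lookup_route(route_table, destination):
    """Return the target of the most specific route (longest prefix) for `destination`,
    or None when no route matches, in which case the packet is dropped."""
    dst = ipaddress.ip_address(destination)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def subnet_is_public(route_table):
    """A subnet is public when its route table sends 0.0.0.0/0 to an Internet Gateway."""
    return any(cidr == "0.0.0.0/0" and target.startswith("igw-")
               for cidr, target in route_table)


# Constructed route tables; the resource IDs are placeholders, not real AWS identifiers.
VPC_CIDR = "10.0.0.0/16"
PUBLIC_RT = [
    (VPC_CIDR, "local"),                 # every VPC route table carries the local route
    ("0.0.0.0/0", "igw-PLACEHOLDER"),    # default route to the Internet Gateway
]
PRIVATE_RT = [
    (VPC_CIDR, "local"),
    ("10.1.0.0/16", "pcx-PLACEHOLDER"),  # peering connection to VPC B only
    ("0.0.0.0/0", "nat-PLACEHOLDER"),    # outbound-only internet via NAT Gateway
]
ISOLATED_RT = [(VPC_CIDR, "local")]      # no default route and no peering route at all


if __name__ == "__main__":
    print(lookup_route(PUBLIC_RT, "10.0.3.4"))        # local
    print(lookup_route(PUBLIC_RT, "198.51.100.7"))    # igw-PLACEHOLDER
    print(lookup_route(PRIVATE_RT, "10.1.2.3"))       # pcx-PLACEHOLDER
    print(lookup_route(ISOLATED_RT, "10.2.0.5"))      # None: VPC C is not peered with us
    print(subnet_is_public(PUBLIC_RT), subnet_is_public(PRIVATE_RT))  # True False
```

The local route always wins for in-VPC destinations because /16 is longer than the /0 default; that is why a default route to an Internet Gateway never hijacks traffic between your own subnets.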
Elastic IP Addresses
What is an Elastic IP (EIP)?
A static public IPv4 address that remains associated with your account, even if the instance stops or terminates.
How do you associate an Elastic IP with an EC2 instance?
Via AWS Console, CLI, or SDK. Once associated, it becomes the instance’s public IP.
Direct Connect
What is AWS Direct Connect?
A dedicated network link between your on-premises data center and AWS for private, high-bandwidth, low-latency connectivity.
When would you use Direct Connect instead of a VPN?
For higher performance, reliability, and when transferring large volumes of data.
Flow Logs
What are VPC Flow Logs?
Logs capturing IP traffic details for network interfaces in your VPC, useful for monitoring and troubleshooting.
How are Flow Logs useful?
They help analyze traffic patterns, detect anomalies, and troubleshoot connectivity issues.
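Flow Logs only become useful once something reads them. The Python below is an added example for this page, not AWS tooling: it parses records in the default flow log field order (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), skips NODATA records whose address fields are "-", and summarises rejected traffic per source, flagging a source whose rejected traffic touched several distinct destination ports. The log lines are constructed sample input; the account ID and ENI ID are placeholders.

```python
from collections import Counter, defaultdict

# Default flow log record format (space separated), in field order.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]

# Constructed sample records; the account id and ENI id are placeholders.
SAMPLE_LOG = """\
2 123456789012 eni-PLACEHOLDER 203.0.113.5 10.0.1.10 44321 22 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-PLACEHOLDER 203.0.113.5 10.0.1.10 44322 23 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-PLACEHOLDER 203.0.113.5 10.0.1.10 44323 3389 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-PLACEHOLDER 203.0.113.5 10.0.1.10 44324 445 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-PLACEHOLDER 198.51.100.7 10.0.1.10 50123 443 6 20 8000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-PLACEHOLDER 198.51.100.7 10.0.1.10 50124 8080 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-PLACEHOLDER - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format records into dicts, skipping records whose log-status
    is not OK (NODATA/SKIPDATA) because their address and port fields are '-'."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line or a custom-format record
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejected_by_source(records):
    """Count REJECT records per source address."""
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")


def sources_probing_many_ports(records, min_ports=3):
    """Flag sources whose rejected traffic touched at least `min_ports` distinct
    destination ports: a pattern worth reviewing against the subnet's NACL and
    security group rules, and a candidate for an explicit NACL deny."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(rejected_by_source(recs))          # 203.0.113.5: 4, 198.51.100.7: 1
    print(sources_probing_many_ports(recs))  # {'203.0.113.5': [22, 23, 445, 3389]}
```

A single REJECT from an otherwise legitimate client (198.51.100.7 hitting 8080 above) is usually a misconfiguration to troubleshoot; four rejects from one source across four unrelated ports is the anomaly worth alerting on.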
NAT Gateways vs NAT Instances
Purpose of NAT Gateway:
Allows private subnet resources to access the internet without exposing them to inbound traffic.
Difference from NAT Instance:
NAT Gateway is managed, scalable, and highly available. NAT Instance requires manual setup and maintenance.
VPC Endpoints for S3 & DynamoDB
What is a VPC endpoint for S3/DynamoDB?
Provides private connectivity to S3/DynamoDB without using the public internet, improving security and performance.
VPC Security Best Practices
- Use Security Groups and NACLs effectively.
- Minimize public exposure by using private subnets.
- Enable Flow Logs for monitoring.
- Encrypt data in transit and at rest.
VPC Limits
AWS imposes quotas on VPC resources (e.g., number of VPCs per region, subnets per VPC, Elastic IPs per account). These limits are documented in AWS service quotas.