In this post we answer frequently asked AWS VPC interview questions for both experienced candidates and freshers. We share our own experience and aim to help you make progress in your career.
AWS VPC Interview Questions:
Q1. What is VPC in AWS?
Q2. What are the components of Amazon VPC?
Q3. What are Internet Gateways in VPC?
Q4. What is a NAT device?
Q5. What do you understand by default VPC?
Q6. What are the advantages of a default VPC?
Q7. How will you differentiate between VPC security groups and VPC network ACLs?
Q8. What is ELB (Elastic Load Balancing) and how does it affect VPC?
Q9. What do you know about VPC peering?
Q10. Why should you use Amazon VPC? What are the advantages of using AWS VPC?
Q11. Can Amazon EC2 instances within a VPC communicate with Amazon EC2 instances not within a VPC?
Q12. Can you monitor the network traffic in your VPC?
Q13. Within which Amazon EC2 region(s) is Amazon VPC available?
Q14. Can a VPC span multiple Availability Zones?
Q15. How do you specify which Availability Zone your Amazon EC2 instances are launched in?
Q16. How do you secure Amazon EC2 instances running within your VPC?
Q17. What are security groups in VPC?
Q18. What do you mean by network ACLs (Access Control Lists) in VPC?
Q19. What are the differences between security groups in a VPC and network ACLs in a VPC?
Q20. What are the functions of an Amazon VPC router?
Q21. What is PrivateLink from AWS?
Q22. What is ClassicLink in VPC?
Q23. What is a VPS?
Q24. What is the IP range of a default VPC?
Q25. How many default VPCs can you have?
Q26. Can you create other VPCs and use them in addition to your default VPC?
Q27. What is a subnet in VPC?
Q28. What are the steps to build a custom VPC?
Q29. What is the difference between stateful and stateless filtering?
Q30. How many Amazon EC2 instances can you use within a VPC?
Q31. Can you delete a default VPC?
Q32. If you peer VPC A to VPC B and peer VPC B to VPC C, does that mean VPCs A and C are peered?
Q33. Can you create a peering connection to a VPC in a different region?
Q34. Can you peer two VPCs with matching IP address ranges?
Q35. Can you use the AWS Management Console to control and manage Amazon VPC?
Q36. How many VPCs, subnets, Elastic IP addresses, Internet gateways, customer gateways, virtual private gateways, and VPN connections can you create?
Q37. How do instances in a VPC access the Internet?
Q38. How do instances without public IP addresses access the Internet?
Q39. What is IPsec?
Q40. Which customer gateway devices can you use to connect to Amazon VPC?
Q41. How many subnets can you create per VPC?
Q42. How do you disable NAT-T on your connection?
Q43. What are the features available in AWS VPC?
Q44. What is the difference between VPC and VPN?
Q45. How many VPCs can be created in an AWS zone?
Q46. Tell me about the advantages of AWS VPC.
Q47. What is AWS VPN CloudHub?
Q48. What are Direct Connect and Direct Connect Gateway?
Q49. What is a Transit Gateway?
Q50. Explain Transit Gateway with site-to-site VPN ECMP.
Q51. What is VPC Traffic Mirroring?
Q52. What is an Egress-Only Internet Gateway?
Q53. What is AWS Network Firewall?
Q54. What are the different network protections on AWS?
Q1. What is VPC in AWS?
Amazon VPC (Amazon Virtual Private Cloud) is a service that lets you launch AWS resources in a logically isolated virtual network that you define. Most services in your virtual private cloud can use both IPv4 and IPv6, giving safe and convenient access to resources and applications.
Q2. What are the components of Amazon VPC?
The Amazon VPC contains various elements:
- A Virtual Private Cloud: A logically isolated virtual network in the AWS cloud. You define a VPC’s IP address space from ranges you select.
- Subnet: A segment of a VPC’s IP address range where you can place groups of isolated resources.
- Internet Gateway: The Amazon VPC side of a connection to the public Internet.
- NAT Gateway: A highly available, managed Network Address Translation (NAT) service for your resources in a private subnet to access the Internet.
- Hardware VPN Connection: A hardware-based VPN connection between your Amazon VPC and your datacenter, home network, or co-location facility.
- Virtual Private Gateway: The Amazon VPC side of a VPN connection.
- Customer Gateway: Your side of a VPN connection.
- Router: Routers interconnect subnets and direct traffic between Internet gateways, virtual private gateways, NAT gateways, and subnets.
- Peering Connection: A peering connection enables you to route traffic via private IP addresses between two peered VPCs.
- VPC Endpoint: Enables private connectivity to services hosted in AWS from within your VPC, without using an Internet gateway, VPN, Network Address Translation (NAT) devices, or firewall proxies.
- Egress-only Internet Gateway: A stateful gateway to provide egress only access for IPv6 traffic from the VPC to the Internet.
Q3. What are Internet Gateways in VPC?
An Internet gateway is a highly available, horizontally scaled VPC component that provides a connection between your Amazon VPC network and the Internet. Only one Internet gateway can be associated with each VPC. The gateway performs NAT (Network Address Translation) for instances that have been assigned public IP addresses, and it serves as the target in your VPC route tables for Internet-routable traffic.
Q4. What is a NAT device?
A NAT device in your VPC lets instances in a private subnet initiate outbound IPv4 traffic to the Internet or other AWS services while preventing connections initiated from the Internet. When traffic goes out to the Internet, the instance's source IP address is replaced by the NAT device's address; when the response comes back, the device translates the address back to the instance's private IP address. AWS has two types of NAT device: the NAT instance and the NAT gateway. Linux AMIs are configured to run as NAT instances. NAT devices do not support IPv6.
Q5. What do you understand by default VPC?
When you use Amazon EC2 resources for the first time, a logically isolated virtual network (the default VPC) is created automatically in the AWS cloud for your AWS account. If an instance is launched without specifying a subnet ID, it is automatically launched in the default VPC.
Q6. What are the advantages of a default VPC?
A default VPC has several advantages. First, if a resource is launched in the default VPC, you get the advanced networking features of Amazon VPC together with the ease of use of Amazon EC2.
Second, without creating a VPC or launching instances into it, you can still use several features, such as multiple IP addresses, changing security group membership, egress filtering in security groups, and multiple network interfaces.
Q7. How will you differentiate between VPC security groups and VPC network ACLs?
A VPC security group specifies which traffic is allowed to and from an EC2 instance; only explicitly allowed traffic passes. VPC network ACLs are quite different: they operate at the subnet level, evaluating traffic entering or leaving the subnet. Network ACLs cannot filter traffic between instances inside the same subnet, they perform stateless filtering, and they are used to set both Allow and Deny rules. Security groups, on the other hand, perform stateful filtering.
Q8. What is ELB (Elastic Load Balancing) and how does it affect VPC?
As the name implies, ELB is a load balancing service for AWS deployments. A load balancer spreads the work one computer would have to do across several computers so it gets done faster. In the same way, ELB distributes incoming application traffic across multiple targets such as EC2 instances.
There are three types of ELB, which provide scalability, availability, and security so that your applications are fault tolerant: the Classic, Network, and Application Load Balancers. Network and Application Load Balancers can be used with VPC and route traffic to targets within VPCs.
Q9. What do you know about VPC peering?
You may be asked about AWS VPC peering bandwidth in an AWS VPC interview. VPC peering is simply a networking connection between two VPCs. You can create a VPC peering connection between your own VPCs, or between your VPC and a VPC in another AWS account, within the same region. AWS does not need to change the existing VPC infrastructure to enable peering, no special hardware is required, and peering does not create a VPN connection or network gateway within AWS.
The main purpose of such a connection is to enable data transfer across multiple VPCs spanning different AWS accounts. Peering is a one-to-one relationship; transitive connections are not supported. And as for AWS VPC peering bandwidth, there are no bandwidth limitations on peering connections.
Q10. Why should you use Amazon VPC? What are the advantages of using AWS VPC?
Amazon VPC enables you to build a virtual network in the AWS cloud with no VPNs, hardware, or physical datacenters required. You can define your own network space and control how your network, and the Amazon EC2 resources inside it, are exposed to the Internet. You can also use the greatly enhanced security options in Amazon VPC to provide more granular access both to and from the Amazon EC2 instances in your virtual network.
Q11. Can Amazon EC2 instances within a VPC communicate with Amazon EC2 instances not within a VPC?
Yes. If an Internet gateway has been configured, Amazon VPC traffic bound for Amazon EC2 instances not within a VPC traverses the Internet gateway and then enters the public AWS network to reach the EC2 instance. If an Internet gateway has not been configured, or if the instance is in a subnet configured to route through the virtual private gateway, the traffic traverses the VPN connection, egresses from your datacenter, and then re-enters the public AWS network.
Q12. Can you monitor the network traffic in your VPC?
Yes. You can use the Amazon VPC Flow Logs feature to monitor the network traffic in your VPC.
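As an added example (not from the post or from AWS), the following Python parses VPC Flow Log records in the default format that Flow Logs write (version 2 fields: version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status) and summarises REJECTed flows per source address, which is the kind of check a defender runs over Flow Logs to notice one host being refused on many different ports of a subnet. The log lines, the account ID, the ENI ID and the addresses are constructed, and the three-port threshold is an assumption to tune.

```python
"""Parse VPC Flow Log records (default format, version 2) and summarise
REJECTed flows per source address.

Added example for this post, not AWS code: the log lines, account ID, ENI ID
and addresses below are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Field order of the default flow log format (version 2), as documented by AWS.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


@dataclass
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    bytes: int
    action: str


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one default-format line. NODATA / SKIPDATA records carry '-' in
    most fields and describe no traffic, so they are returned as None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(
        srcaddr=rec["srcaddr"], dstaddr=rec["dstaddr"],
        srcport=int(rec["srcport"]), dstport=int(rec["dstport"]),
        protocol=int(rec["protocol"]), packets=int(rec["packets"]),
        bytes=int(rec["bytes"]), action=rec["action"],
    )


def action_counts(lines) -> dict:
    """Number of ACCEPT and REJECT records, ignoring NODATA/SKIPDATA."""
    counts = Counter(r.action for r in map(parse_record, lines) if r)
    return dict(counts)


def rejected_ports_by_source(lines, min_ports: int = 3) -> dict:
    """{srcaddr: sorted distinct destination ports} for sources whose REJECTed
    flows hit at least `min_ports` distinct ports. One source being rejected
    on many different ports in a short window is the usual signature of a
    port sweep against the subnet; the threshold is an assumption to tune."""
    ports = defaultdict(set)
    for rec in map(parse_record, lines):
        if rec and rec.action == "REJECT":
            ports[rec.srcaddr].add(rec.dstport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


# Constructed sample: 123456789012 / eni-0a1b2c3d are placeholders; the
# 203.0.113.0/24 and 198.51.100.0/24 sources are documentation ranges.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.2.10 44321 443 6 12 3480 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.2.10 51000 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.2.10 51001 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.2.10 51002 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.4 10.0.2.10 40000 80 6 8 2200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.4 10.0.2.10 40001 8080 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
""".splitlines()

if __name__ == "__main__":
    print(action_counts(SAMPLE_LOG))             # {'ACCEPT': 2, 'REJECT': 4}
    print(rejected_ports_by_source(SAMPLE_LOG))  # {'203.0.113.7': [22, 23, 3389]}
```

Flow Logs are delivered to CloudWatch Logs or S3; the parser works on the plain text lines, so feed it whatever export you have. A single REJECT from 198.51.100.4 stays below the threshold, while 203.0.113.7, refused on 22, 23 and 3389, is reported.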
Q13. Within which Amazon EC2 region(s) is Amazon VPC available?
Amazon VPC is currently available in multiple Availability Zones in all Amazon EC2 regions.
Q14. Can a VPC span multiple Availability Zones?
Yes, a VPC spans multiple Availability Zones.
Q15. How do you specify which Availability Zone your Amazon EC2 instances are launched in?
When you launch an Amazon EC2 instance you must specify the subnet in which to launch it. The instance is launched in the Availability Zone associated with the specified subnet.
Q16. How do you secure Amazon EC2 instances running within your VPC?
Amazon EC2 security groups can be used to help secure instances within an Amazon VPC. Security groups in a VPC enable you to specify both inbound and outbound network traffic that is allowed to or from each Amazon EC2 instance. Traffic which is not explicitly allowed to or from an instance is automatically denied.
In addition to security groups, network traffic entering and exiting each subnet can be allowed or denied via network Access Control Lists (ACLs).
Q17. What are security groups in VPC?
In a VPC, a security group's function is to manage traffic for one or more instances. It acts as a virtual firewall that controls inbound and outbound traffic for the EC2 instances associated with it. You add rules to each security group to control the traffic to and from the associated instances.
Q18. What do you mean by network ACLs (Access Control Lists) in VPC?
A network ACL performs a function similar to that of a security group in a VPC, i.e. controlling inbound and outbound traffic. The main difference is that a security group acts as a firewall for associated EC2 instances, whereas a network ACL acts as a firewall for associated subnets. Your VPC automatically gets a default network ACL, which you can modify. Unlike a security group, this default network ACL allows all inbound and outbound traffic. A network ACL can be associated with multiple subnets, but each subnet can be associated with only one network ACL at a time.
Q19. What are the differences between security groups in a VPC and network ACLs in a VPC?
Security groups in a VPC specify which traffic is allowed to or from an Amazon EC2 instance.
Network ACLs operate at the subnet level and evaluate traffic entering and exiting a subnet.
Network ACLs can be used to set both Allow and Deny rules. Network ACLs do not filter traffic between instances in the same subnet. In addition, network ACLs perform stateless filtering while security groups perform stateful filtering.
Q20. What are the functions of an Amazon VPC router?
The VPC router allows Amazon EC2 instances in one subnet to communicate with Amazon EC2 instances in other subnets of the same VPC. Virtual private gateways, subnets, Internet gateways, and so on also communicate with each other by means of the VPC router.
Q21. What is PrivateLink from AWS?
PrivateLink gives AWS customers highly available and scalable access to services while keeping the traffic within the AWS network. It provides private, secure connections between VPCs, on-premises applications, and other resources over the Amazon network.
Q22. What is ClassicLink in VPC?
If you want to connect Amazon EC2-Classic instances to a VPC, you use ClassicLink. It works only within the same region and uses private IP addresses. Setting it up is simple: enable ClassicLink on your VPC, then associate a security group from the VPC with the EC2-Classic instance.
These are additional AWS VPC interview questions you shouldn't miss, so prepare your answers.
Q23. What is a VPS?
Beginners trying AWS VPC interview questions for the first time often get confused by this question, since the two terms look similar. It is asked to trick you.
A VPS, or Virtual Private Server, is simply a hosted server offered by web hosting companies such as BlueHost and GoDaddy (these companies also provide shared hosting, where a server is shared by several users). A single host is divided into multiple virtual units, each functioning independently. Each of these units is a virtual private server that works without depending on the others, and you get access to the complete server, including root access.
A VPC serves a similar purpose to a VPS, but its servers do not have to be located in a single place.
Q24. What is the IP range of a default VPC?
The default VPC CIDR is 172.31.0.0/16. Default subnets use /20 CIDRs within the default VPC CIDR.
Q25. How many default VPCs can you have?
You can have one default VPC in each AWS region.
Q26. Can you create other VPCs and use them in addition to your default VPC?
Yes. To launch an instance into a non-default VPC you must specify a subnet ID during instance launch.
Q27. What is a subnet in VPC?
A subnetwork, or subnet, is a logical subdivision of an IP network; dividing a network into two or more networks is called subnetting. AWS provides two types of subnet: public subnets, which allow the Internet to reach the machines in them, and private subnets, which are hidden from the Internet.
Q28. What are the steps to build a custom VPC?
Below are the steps to build a custom VPC:
- Create a VPC
- Create subnets
- Create an Internet gateway (IGW)
- Attach the new IGW to your VPC
- Create a new route table (RT)
- Add the IGW as a route in the new RT
- Add a subnet to the RT's subnet associations
- Create web server (public subnet) and database server instances
- Create a new security group for the NAT instance
- Add HTTP and HTTPS inbound rules that allow traffic from the private subnet's IP range
- Create a NAT instance (choose the first image under Community AMIs)
- Disable Auto-assign Public IP
- Add it to the NAT security group
- Create an Elastic IP
- Associate the Elastic IP with the NAT instance
- Disable source/destination checks for the NAT instance
- Add the NAT instance as a route in the initial VPC RT
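As an added example (not the post's own code and not an AWS-provided template), the following Python assembles a CloudFormation template that carries out the steps above: VPC, public and private subnets, Internet gateway and attachment, a public route table with the IGW as default route, and a NAT for the private subnet. It substitutes a managed NAT gateway for the post's NAT instance, so the community AMI, NAT security group and source/destination-check steps are not needed, and it leaves out the web and database server instances. The CIDRs and the Availability Zone are placeholder values; the two check functions catch the usual authoring mistakes (a dangling Ref, a route pointing at the wrong gateway) before the template is ever deployed.

```python
"""Build a CloudFormation template for the custom VPC described in Q28.

Added example, not the post's or AWS's own code. It follows the post's step
order but uses a managed NAT gateway instead of a NAT instance; the CIDRs
and the Availability Zone are constructed placeholders.
"""
import json


def build_custom_vpc_template(vpc_cidr="10.0.0.0/16", public_cidr="10.0.1.0/24",
                              private_cidr="10.0.2.0/24", az="us-east-1a"):
    r = {}
    # Step 1: create a VPC (DNS support so instances can resolve names)
    r["Vpc"] = {"Type": "AWS::EC2::VPC", "Properties": {
        "CidrBlock": vpc_cidr, "EnableDnsSupport": True, "EnableDnsHostnames": True}}
    # Step 2: create subnets; only the public one auto-assigns public IPs
    r["PublicSubnet"] = {"Type": "AWS::EC2::Subnet", "Properties": {
        "VpcId": {"Ref": "Vpc"}, "CidrBlock": public_cidr,
        "AvailabilityZone": az, "MapPublicIpOnLaunch": True}}
    r["PrivateSubnet"] = {"Type": "AWS::EC2::Subnet", "Properties": {
        "VpcId": {"Ref": "Vpc"}, "CidrBlock": private_cidr,
        "AvailabilityZone": az, "MapPublicIpOnLaunch": False}}
    # Steps 3-4: create an Internet gateway and attach it to the VPC
    r["Igw"] = {"Type": "AWS::EC2::InternetGateway"}
    r["IgwAttachment"] = {"Type": "AWS::EC2::VPCGatewayAttachment", "Properties": {
        "VpcId": {"Ref": "Vpc"}, "InternetGatewayId": {"Ref": "Igw"}}}
    # Steps 5-7: public route table, IGW as default route, associate public subnet.
    # The route must wait for the attachment or stack creation fails.
    r["PublicRouteTable"] = {"Type": "AWS::EC2::RouteTable",
                             "Properties": {"VpcId": {"Ref": "Vpc"}}}
    r["PublicDefaultRoute"] = {"Type": "AWS::EC2::Route", "DependsOn": "IgwAttachment",
                               "Properties": {"RouteTableId": {"Ref": "PublicRouteTable"},
                                              "DestinationCidrBlock": "0.0.0.0/0",
                                              "GatewayId": {"Ref": "Igw"}}}
    r["PublicAssoc"] = {"Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": {
        "SubnetId": {"Ref": "PublicSubnet"}, "RouteTableId": {"Ref": "PublicRouteTable"}}}
    # NAT steps, managed variant: Elastic IP + NAT gateway in the public subnet,
    # then a private route table whose default route is the NAT gateway.
    r["NatEip"] = {"Type": "AWS::EC2::EIP", "Properties": {"Domain": "vpc"}}
    r["NatGateway"] = {"Type": "AWS::EC2::NatGateway", "Properties": {
        "AllocationId": {"Fn::GetAtt": ["NatEip", "AllocationId"]},
        "SubnetId": {"Ref": "PublicSubnet"}}}
    r["PrivateRouteTable"] = {"Type": "AWS::EC2::RouteTable",
                              "Properties": {"VpcId": {"Ref": "Vpc"}}}
    r["PrivateDefaultRoute"] = {"Type": "AWS::EC2::Route", "Properties": {
        "RouteTableId": {"Ref": "PrivateRouteTable"},
        "DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": {"Ref": "NatGateway"}}}
    r["PrivateAssoc"] = {"Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": {
        "SubnetId": {"Ref": "PrivateSubnet"}, "RouteTableId": {"Ref": "PrivateRouteTable"}}}
    return {"AWSTemplateFormatVersion": "2010-09-09",
            "Description": "Custom VPC: public + private subnet, IGW, NAT gateway",
            "Resources": r}


def check_references(template):
    """Return the names used in Ref / Fn::GetAtt that are not resources of the
    template (empty list means the template is internally consistent)."""
    names = set(template["Resources"])
    dangling = []

    def walk(node):
        if isinstance(node, dict):
            if "Ref" in node and node["Ref"] not in names:
                dangling.append(node["Ref"])
            if "Fn::GetAtt" in node and node["Fn::GetAtt"][0] not in names:
                dangling.append(node["Fn::GetAtt"][0])
            for v in node.values():
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)

    walk(template["Resources"])
    return dangling


def default_route_target(template, route_table):
    """Logical name of the gateway the 0.0.0.0/0 route of `route_table` uses."""
    for res in template["Resources"].values():
        p = res.get("Properties", {})
        if (res["Type"] == "AWS::EC2::Route"
                and p.get("RouteTableId", {}).get("Ref") == route_table
                and p.get("DestinationCidrBlock") == "0.0.0.0/0"):
            return (p.get("GatewayId") or p.get("NatGatewayId"))["Ref"]
    return None


if __name__ == "__main__":
    print(json.dumps(build_custom_vpc_template(), indent=2))
```

Running the block prints the JSON template ready for `aws cloudformation create-stack --template-body file://...`. The private subnet's route goes to the NAT gateway and the public subnet's to the IGW, which is exactly the asymmetry the post's step list builds by hand.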
Q29. What is the difference between stateful and stateless filtering?
Stateful filtering tracks the origin of a request and can automatically allow the reply to that request to return to the originating computer. For example, a stateful filter that allows inbound traffic to TCP port 80 on a web server will also allow the return traffic, usually on a high-numbered port (e.g., destination TCP port 63912), to pass between the client and the web server. The filtering device maintains a state table that tracks the origin and destination port numbers and IP addresses. Only one rule is required on the filtering device: allow traffic inbound to the web server on TCP port 80.
Stateless filtering, on the other hand, only examines the source or destination IP address and the destination port, ignoring whether the traffic is a new request or a reply to a request. In the above example, two rules would need to be implemented on the filtering device: one rule to allow traffic inbound to the web server on TCP port 80, and another rule to allow outbound traffic from the web server (TCP port range 49152 through 65535).
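To make the distinction concrete, here is an added Python simulation (not the post's or AWS's code) of the two models described in Q7, Q19 and this question: a security group that has only allow rules and tracks flows, and a network ACL that evaluates numbered allow/deny rules in ascending order with no state. The addresses, rule numbers and the client port 63912 are constructed from the web-server example above.

```python
"""Simulate stateful (security group) vs stateless (network ACL) filtering.

Added example for this post, not AWS code; the addresses and rules are
constructed to reproduce the web-server scenario in Q29.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (toward the instance/subnet) or "out"
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str = "tcp"


@dataclass(frozen=True)
class Rule:
    direction: str
    protocol: str
    port_from: int
    port_to: int
    cidr: str           # remote CIDR: source for "in", destination for "out"
    action: str = "allow"
    number: int = 0     # NACL rule number; ignored by security groups

    def matches(self, pkt: Packet) -> bool:
        remote = pkt.src_ip if pkt.direction == "in" else pkt.dst_ip
        # Both AWS constructs match on the packet's destination port.
        return (self.direction == pkt.direction
                and self.protocol == pkt.protocol
                and self.port_from <= pkt.dst_port <= self.port_to
                and ip_address(remote) in ip_network(self.cidr))


class SecurityGroup:
    """Allow-only rules plus a connection table: the reply to an allowed flow
    is permitted even though no rule matches the reply itself."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()   # 5-tuples of flows admitted by a rule

    def evaluate(self, pkt: Packet) -> str:
        # Reverse direction with swapped endpoints identifies the original flow.
        reverse = ("out" if pkt.direction == "in" else "in",
                   pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port, pkt.protocol)
        if reverse in self.state:
            return "allow"                       # reply to a tracked flow
        if any(r.matches(pkt) for r in self.rules):
            self.state.add((pkt.direction, pkt.src_ip, pkt.dst_ip,
                            pkt.src_port, pkt.dst_port, pkt.protocol))
            return "allow"
        return "deny"                            # implicit deny


class NetworkAcl:
    """Numbered allow/deny rules, lowest number first, first match wins,
    implicit deny at the end; no state, so replies need their own rule."""
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, pkt: Packet) -> str:
        for r in self.rules:
            if r.matches(pkt):
                return r.action
        return "deny"


WEB, CLIENT = "10.0.1.10", "203.0.113.5"          # constructed addresses
REQUEST = Packet("in", CLIENT, WEB, 63912, 80)    # client -> web server :80
REPLY = Packet("out", WEB, CLIENT, 80, 63912)     # web server -> client ephemeral port


def security_group_demo():
    """One inbound rule is enough: the reply rides on the tracked flow."""
    sg = SecurityGroup([Rule("in", "tcp", 80, 80, "0.0.0.0/0")])
    return sg.evaluate(REQUEST), sg.evaluate(REPLY)


def nacl_without_return_rule():
    """Same single rule on a NACL: the request passes, the reply is dropped."""
    acl = NetworkAcl([Rule("in", "tcp", 80, 80, "0.0.0.0/0", number=100)])
    return acl.evaluate(REQUEST), acl.evaluate(REPLY)


def nacl_with_return_rule():
    """The second, outbound ephemeral-port rule the text says a NACL needs."""
    acl = NetworkAcl([Rule("in", "tcp", 80, 80, "0.0.0.0/0", number=100),
                      Rule("out", "tcp", 1024, 65535, "0.0.0.0/0", number=100)])
    return acl.evaluate(REQUEST), acl.evaluate(REPLY)


def nacl_with_deny_rule():
    """A lower-numbered deny wins over the later allow: NACLs can block a range."""
    acl = NetworkAcl([Rule("in", "tcp", 0, 65535, "203.0.113.0/24", action="deny", number=90),
                      Rule("in", "tcp", 80, 80, "0.0.0.0/0", number=100)])
    return acl.evaluate(REQUEST)
```

The four demo functions return ('allow', 'allow'), ('allow', 'deny'), ('allow', 'allow') and 'deny' respectively: the security group needs one rule, the NACL needs two, and only the NACL can express an explicit Deny.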
Q30. How many Amazon EC2 instances can you use within a VPC?
You can run any number of Amazon EC2 instances within a VPC, as long as the VPC is sized so that an IP address can be assigned to each instance. You are initially limited to launching 20 Amazon EC2 instances at any one time and to a maximum VPC size of /16 (65,536 IPs). If you would like to increase these limits, submit a limit increase request to AWS.
Q31. Can you delete a default VPC?
Yes. Contact AWS Support if you've deleted your default VPC and want to have it reset.
Q32. If you peer VPC A to VPC B and peer VPC B to VPC C, does that mean VPCs A and C are peered?
No. Transitive peering relationships are not supported.
Q33. Can you create a peering connection to a VPC in a different region?
No. Peering connections are only available between VPCs in the same region.
Q34. Can you peer two VPCs with matching IP address ranges?
No. Peered VPCs must have non-overlapping IP ranges.
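The CIDR questions above (Q24, Q27, Q30 and Q34) come down to arithmetic on address ranges. Here is an added Python example, not the post's or AWS's own code, that carves the default VPC's 172.31.0.0/16 into /20 subnets, counts the addresses instances can actually take, and checks candidate peering pairs for overlap. It assumes, from the AWS documentation rather than from this post, that AWS reserves five addresses in every subnet; the VPC names in the sample are placeholders.

```python
"""Plan VPC and subnet CIDRs and check peering compatibility.

Added example, not AWS code. Uses the default VPC numbers from this post
(172.31.0.0/16 carved into /20 subnets). RESERVED_PER_SUBNET is an
assumption taken from the AWS documentation, not from the post.
"""
from ipaddress import IPv4Network

# AWS reserves the first four addresses and the last one of every subnet
# (network, VPC router, DNS, future use, broadcast).
RESERVED_PER_SUBNET = 5


def carve_subnets(vpc_cidr: str, prefix: int, count: int):
    """The first `count` /prefix subnets inside the VPC CIDR, as strings."""
    vpc = IPv4Network(vpc_cidr)
    if prefix < vpc.prefixlen:
        raise ValueError("subnet prefix must be at least as long as the VPC prefix")
    subnets = list(vpc.subnets(new_prefix=prefix))
    if count > len(subnets):
        raise ValueError(f"{vpc_cidr} only holds {len(subnets)} /{prefix} subnets")
    return [str(s) for s in subnets[:count]]


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses an instance can actually be given in a subnet."""
    return IPv4Network(subnet_cidr).num_addresses - RESERVED_PER_SUBNET


def instances_fit(vpc_cidr: str, prefix: int, count: int, instances: int) -> bool:
    """Q30: does the chosen subnet layout leave an address for every instance?"""
    return sum(usable_hosts(s) for s in carve_subnets(vpc_cidr, prefix, count)) >= instances


def can_peer(cidr_a: str, cidr_b: str) -> bool:
    """Q34: peering requires non-overlapping address ranges."""
    return not IPv4Network(cidr_a).overlaps(IPv4Network(cidr_b))


def peering_conflicts(vpcs: dict):
    """All pairs of named VPCs whose CIDRs overlap, e.g. two default VPCs in
    different regions that both use 172.31.0.0/16 and therefore cannot peer."""
    names = sorted(vpcs)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if not can_peer(vpcs[a], vpcs[b])]


if __name__ == "__main__":
    print(carve_subnets("172.31.0.0/16", 20, 3))   # first three default-style subnets
    print(usable_hosts("172.31.0.0/20"))           # 4096 - 5 = 4091
    print(peering_conflicts({"default-us-east-1": "172.31.0.0/16",     # placeholder names
                             "default-eu-west-1": "172.31.0.0/16",
                             "custom": "10.0.0.0/16"}))
```

The conflict check is worth running before requesting a peering connection: the two default VPCs in the sample share 172.31.0.0/16, so they can never be peered with each other, while the 10.0.0.0/16 VPC can peer with either.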
Q35. Can you use the AWS Management Console to control and manage Amazon VPC?
Yes. You can use the AWS Management Console to manage Amazon VPC objects such as VPCs, subnets, route tables, Internet gateways, and IPsec VPN connections. Additionally, you can use a simple wizard to create a VPC.
Q36. How many VPCs, subnets, Elastic IP addresses, Internet gateways, customer gateways, virtual private gateways, and VPN connections can you create?
You can create:
- Five Amazon VPCs per AWS account per region
- Two hundred subnets per Amazon VPC
- Five Amazon VPC Elastic IP addresses per AWS account per region
- One Internet gateway per VPC
- Five virtual private gateways per AWS account per region
- Fifty customer gateways per AWS account per region
- Ten IPsec VPN Connections per virtual private gateway
Q37. How do instances in a VPC access the Internet?
You can use public IP addresses, including Elastic IP addresses (EIPs), to give instances in the VPC the ability to both directly communicate outbound to the Internet and to receive unsolicited inbound traffic from the Internet (e.g., web servers).
Q38. How do instances without public IP addresses access the Internet?
Instances without public IP addresses can access the Internet in one of two ways:
Instances without public IP addresses can route their traffic through a NAT gateway or a NAT instance to access the Internet. These instances use the public IP address of the NAT gateway or NAT instance to traverse the Internet. The NAT gateway or NAT instance allows outbound communication but doesn’t allow machines on the Internet to initiate a connection to the privately addressed instances.
For VPCs with a hardware VPN connection or Direct Connect connection, instances can route their Internet traffic down the virtual private gateway to your existing datacenter. From there, it can access the Internet via your existing egress points and network security/monitoring devices.
Q39. What is IPsec?
IPsec is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream.
Q40. Which customer gateway devices can you use to connect to Amazon VPC?
There are two types of VPN connection that you can create: statically routed VPN connections and dynamically routed VPN connections.
Customer gateway devices supporting statically routed VPN connections must be able to:
- Use AES 128-bit or 256-bit encryption
- Use the SHA-1 or SHA-2 (256) hashing function
- Establish IKE Security Associations using pre-shared keys
- Establish IPsec Security Associations in tunnel mode
- Use Diffie-Hellman (DH) Perfect Forward Secrecy in "Group 2" mode, or one of the additional DH groups AWS supports
- Perform packet fragmentation prior to encryption
In addition to the above capabilities, devices supporting dynamically routed VPN connections must be able to:
- Establish Border Gateway Protocol (BGP) peerings
- Bind tunnels to logical interfaces (route-based VPN)
- Use IPsec Dead Peer Detection
Q41. How many subnets can you create per VPC?
Currently you can create 200 subnets per VPC. If you would like to create more, please submit a case at the support center.
Q42. How do you disable NAT-T on your connection?
You need to disable NAT-T on your customer gateway device. If you don't plan on using NAT-T and it is not disabled on your device, AWS will attempt to establish a tunnel over UDP port 4500. If that port is not open, the tunnel will not be established.
Q43. What are the features available in AWS VPC?
AWS VPC provides the following features:
- IPv4 and IPv6 addressing.
- Internet connectivity.
- Subnet creation.
- Route tables.
- Elastic IP addresses.
- Network/ Subnet security.
- Additional networking services.
Q44. What is the difference between VPC and VPN?
A VPC is an Amazon Web Services construct. It is created per zone to give clients access to resources, and it is built from multiple subnets. A VPN, on the other hand, is really a gateway: it is the access point to the VPN network.
Q45. How many VPCs can be created in an AWS zone?
By default you can create only 5 VPCs in a single AWS zone.
Q46. Tell me about the advantages of AWS VPC.
There are several advantages:
- Provides a complete process for building a virtual network.
- No need for hardware, a physical data center, or a VPN.
- Full access to and control over your network.
- EC2 instances can connect to the Internet.
- Enhanced security for EC2 instances within the VPC.
Q47. What is AWS VPN CloudHub?
AWS VPN CloudHub provides secure connectivity between multiple sites when you have multiple VPN connections. It is a low-cost hub-and-spoke model for primary and secondary networks. To set it up, connect multiple VPN connections to the same virtual private gateway.
Q48. What are Direct Connect and Direct Connect Gateway?
Direct Connect (DX) provides dedicated private connections from a remote network to your VPC. The dedicated connection must be set up between your data center and an AWS Direct Connect location. It supports both IPv4 and IPv6. It takes around one month to set up.
Direct Connect Gateway: if you need Direct Connect to one or more VPCs in many different regions, you must use a Direct Connect Gateway.
Direct Connect connection types:
- Dedicated Connections: 1 Gbps, 10 Gbps and 100 Gbps. A physical Ethernet port. The request is made to AWS and then completed by AWS Direct Connect partners.
- Hosted Connections: 50 Mbps, 500 Mbps and 10 Gbps. Connection requests are made via AWS Direct Connect Partners. Capacity can be added or removed.
Q49. What is a Transit Gateway?
Transit Gateway is used for transitive peering between thousands of VPCs and on-premises networks, in a hub-and-spoke topology. It supports IP multicast and works with Direct Connect Gateway and VPN connections. Route tables limit which VPCs can talk to which other VPCs. It can be shared across accounts using RAM (Resource Access Manager).
Q50. Explain Transit Gateway with site-to-site VPN ECMP.
ECMP (Equal-cost multi-path routing) is a routing strategy that allows packets to be forwarded over multiple best paths at the same time.
Q51. What is VPC Traffic Mirroring?
VPC Traffic Mirroring allows you to capture and inspect network traffic in your VPC. It captures traffic from an ENI and sends it to an ENI or an NLB.
Q52. What is an Egress-Only Internet Gateway?
An Egress-Only Internet Gateway is used only for IPv6. It is similar to a NAT gateway but for IPv6 only: it allows instances in your VPC to make outbound connections over IPv6. You must update the route table to use it.
Q53. What is AWS Network Firewall?
AWS Network Firewall protects your entire Amazon VPC with layer 3 to layer 7 protection. Internally, AWS Network Firewall uses AWS Gateway Load Balancers. Rules can be centrally managed across accounts with AWS Firewall Manager and applied to many VPCs. It offers fine-grained controls and supports thousands of rules.
Traffic filtering: allow, drop or alert on traffic that matches rules.
Active flow inspection: protects against network threats with intrusion-prevention capabilities.
Q54. What are the different network protections on AWS?
- Network ACLs (NACLs)
- VPC security groups
- AWS WAF
- AWS Shield Standard and Advanced
- AWS Firewall Manager
- AWS Network Firewall
Final Words
It is important to prepare with the latest AWS VPC interview questions before going to an AWS interview if you want to crack it. Holding an AWS certification also increases your chance of being selected. So start preparing for the AWS certifications to add a credential to your resume and get a better job.
It is really important to stay up to date. We keep updating these AWS VPC interview questions as new questions come up in interviews.
We hope we have covered most of the AWS VPC interview questions frequently asked by companies that use AWS services. You can even get placed at Amazon itself if you are competent enough, with the necessary skills and a valid AWS certification in hand. We will try to update this guide regularly to keep you competitive in this highly sought-after career. If you have any doubts, feel free to check our extensive collection of AWS resources.
Good Luck with AWS Learning 🙂