Interview Questions on AWS Networking: VPC, Subnets, and Security Groups

1. What is a Virtual Private Cloud (VPC) in AWS?

Answer:

A Virtual Private Cloud (VPC) is a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define. You have control over IP address ranges, subnets, route tables, and security settings.

Example Explanation:

Imagine you are setting up a web application. You can create a VPC with both public subnets for the web servers and private subnets for the database servers, ensuring isolation and security.

2. What are subnets, and why are they used in a VPC?

Answer:

Subnets are subdivisions of a VPC's IP address range. They allow you to organize and isolate resources within a VPC. Subnets can be:

• Public Subnets: Accessible from the internet.
• Private Subnets: Not accessible from the internet.

Example Explanation:

In a multi-tier application, the public subnet can host a web server while the private subnet hosts a database server. This setup ensures that the database server is not exposed to the internet.

3. What is an Internet Gateway, and how is it used?

Answer:

An Internet Gateway (IGW) is a component that allows resources in a VPC to communicate with the Internet. It connects your VPC to the internet and supports bidirectional traffic.

Example Explanation:

If you deploy an EC2 instance in a public subnet and associate it with an IGW, the instance can receive HTTP requests from the internet and send responses back.

4. What is the difference between a Route Table and a Network ACL?

Answer:

• Route Table: Determines the path that network traffic follows within a VPC.
• Network ACL (NACL): Acts as a firewall for subnets, controlling inbound and outbound traffic at the subnet level.

Example Explanation:

If you want traffic from a public subnet to access the internet, update the route table with a route to the IGW. Use a network ACL to restrict specific IP ranges from accessing the subnet.

5. What is a Security Group, and how is it different from a Network ACL?

Answer:

A Security Group is a virtual firewall for an instance to control inbound and outbound traffic. Key differences include:

• Security Groups are stateful, meaning return traffic is automatically allowed.
• NACLs are stateless, requiring explicit rules for inbound and outbound traffic.

Example Explanation:

To allow HTTP access to a web server, you add a rule in the security group to allow inbound traffic on port 80. The return traffic is automatically permitted.

6. What are the key components of a VPC?

Answer:

Key components of a VPC include:

1. Subnets: Public and private subnets within the VPC.
2. Route Tables: Determine traffic flow within the VPC.
3. Internet Gateway (IGW): Connects the VPC to the internet.
4. NAT Gateway: Allows instances in private subnets to access the internet.
5. Security Groups: Instance-level firewalls.
6. Network ACLs: Subnet-level firewalls.

Example Explanation:

In a three-tier architecture:

• Subnets separate web, application, and database layers.
• A NAT Gateway in the public subnet enables private instances to fetch software updates.

7. What is a NAT Gateway, and why is it used?

Answer:

A NAT Gateway enables instances in a private subnet to connect to the internet while preventing inbound connections from the internet.

Example Explanation:

A private EC2 instance hosting a database can use a NAT Gateway to download security updates without exposing the instance to the internet.

8. What is the difference between a Public IP and an Elastic IP in AWS?

Answer:

• Public IP: Assigned automatically to instances in a public subnet. It changes if the instance is stopped and restarted.
• Elastic IP: A static, public IP address that you can allocate to your AWS account and associate with an instance.

Example Explanation:

Use an Elastic IP for a web server if you want its IP address to remain the same, even if you stop and start the instance.

9. What are VPC Peering Connections, and when would you use them?

Answer:

VPC Peering enables direct network connectivity between two VPCs in the same or different AWS accounts without traversing the public internet.

Example Explanation:

If your organization has two VPCs—one for development and another for production—you can use VPC Peering to allow the development VPC to access resources in the production VPC securely.

10. How does a Load Balancer work in AWS?

Answer:

A Load Balancer distributes incoming application traffic across multiple targets (like EC2 instances) to improve availability and fault tolerance. AWS offers:

• Application Load Balancer (ALB): For HTTP/HTTPS traffic.
• Network Load Balancer (NLB): For TCP/UDP traffic.
• Classic Load Balancer: For legacy applications.

Example Explanation:

For a web application, use an ALB to distribute incoming traffic to multiple EC2 instances in a public subnet.

11. What is an Endpoint in AWS VPC?

Answer:

A VPC Endpoint allows you to privately connect your VPC to supported AWS services without needing an IGW, NAT Gateway, or public IP.

Example Explanation:

To access S3 from a private subnet, create an S3 VPC Endpoint. This avoids exposing traffic to the public internet.

12. How do you secure VPC resources?

Answer:

1. Use Security Groups and NACLs to control traffic.
2. Enable VPC Flow Logs to monitor network traffic.
3. Use IAM policies to restrict access to resources.
4. Employ encryption for data in transit and at rest.

Example Explanation:

Enable VPC Flow Logs to analyze traffic patterns and identify unauthorized access attempts.

13. What is an Availability Zone, and how does it relate to VPC?

Answer:

An Availability Zone (AZ) is an isolated data center within a region. VPC subnets are created in specific AZs, enabling you to design fault-tolerant architectures.

Example Explanation:

Deploy EC2 instances in multiple AZs to ensure high availability. If one AZ fails, traffic can be routed to instances in another AZ.

14. How do you troubleshoot connectivity issues in a VPC?

Answer:

1. Check the route tables for correct entries.
2. Verify Security Group and NACL rules.
3. Use VPC Reachability Analyzer to simulate and identify connectivity issues.
4. Review VPC Flow Logs for traffic patterns.

Example Explanation:

If an instance in a private subnet cannot connect to the internet, ensure that the route table includes a NAT Gateway route.

15. What is AWS Transit Gateway, and how does it differ from VPC Peering?

Answer:

AWS Transit Gateway is a network transit hub that connects multiple VPCs and on-premises networks. Unlike VPC Peering, it supports large-scale architectures with centralized management.

Example Explanation:

If you have multiple VPCs across regions and an on-premises data centre, use a Transit Gateway for simplified connectivity and routing.

16. How do you monitor VPC traffic?

Answer:

1. Enable VPC Flow Logs to capture IP traffic going to and from network interfaces.
2. Use CloudWatch to analyze logs.
3. Integrate with third-party tools for advanced monitoring.

Example Explanation:

Analyze VPC Flow Logs to detect unauthorized access attempts or unexpected traffic spikes.

Conclusion and What's Next?

These AWS Networking questions and answers will prepare you for interviews involving VPC, subnets, and security groups.

From the next article, we will be going back to our technical article covering AWS VPC Peering vs Transit Gateway and exploring the benefits, challenges, and use cases for each with detailed examples and explanations.