Here are some of the most common questions about AWS VPC (Virtual Private Cloud) presented in Q&A style for easy reference.
VPC Basics
Q1. What is a Virtual Private Cloud (VPC) in AWS?
A VPC (Virtual Private Cloud) is a logically isolated section of the AWS cloud where you can launch and manage your AWS resources with complete control over networking, IP ranges, and security.
It provides full control over network configuration, including IP address range, subnets, routing tables, and security settings.
Q2. Why would you use a VPC in AWS?
“I would use a VPC in AWS to have complete control over my networking environment. It allows me to define IP ranges, create subnets, configure route tables, and set up security through NACLs and Security Groups. Basically, it provides isolation, security, and flexibility for hosting resources securely in the cloud.”
Q3. Can you have multiple VPCs in one AWS account?
Yes. Multiple VPCs can exist per account per region.
Q4. What is the default VPC?
A ready-to-use VPC created in every region with default subnets, route tables, and security groups.
Q5. Can you delete the default VPC?
Yes. But best practice → create custom VPCs for production use.
CIDR Ranges
Q6. What is a CIDR range in a VPC?
CIDR (Classless Inter-Domain Routing) defines the IP address range of a VPC. Example: 10.0.0.0/16.
Q7. How do you select an appropriate CIDR block?
- Size it for current + future needs
- Avoid overlap with on-premises or peered networks
Q8. What is the smallest and largest CIDR block allowed?
- Smallest: /28 (16 IPs, 11 usable)
- Largest: /16 (65,536 IPs, 65,531 usable → AWS reserves 5 per subnet)
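The sizing, reservation and overlap rules from Q6 to Q8 can be checked with the standard library before a VPC is ever created. The following is an added example written for this page (not code from AWS or any project), using Python's ipaddress module; the candidate VPC range and the on-prem/peered ranges it is compared against are constructed values.

```python
import ipaddress

# AWS reserves 5 addresses in every subnet: the network address, the VPC router,
# the DNS resolver, one held for future use, and the broadcast address.
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(cidr: str) -> int:
    """Addresses you can actually assign in a subnet of this size."""
    net = ipaddress.ip_network(cidr, strict=True)
    # VPC and subnet CIDRs must be between /16 and /28 inclusive
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: prefix must be between /16 and /28")
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def overlapping(cidr: str, existing: list[str]) -> list[str]:
    """Members of `existing` (on-prem or peered ranges) that collide with `cidr`."""
    net = ipaddress.ip_network(cidr)
    return [other for other in existing if net.overlaps(ipaddress.ip_network(other))]


def carve_subnets(vpc_cidr: str, new_prefix: int) -> list[str]:
    """Split a VPC CIDR into equal-sized subnets, e.g. a /16 into /24s."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [str(s) for s in vpc.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    # constructed example: a new VPC checked against an on-prem range and a peered VPC
    candidate = "10.0.0.0/16"
    print(usable_hosts("10.0.0.0/28"), usable_hosts(candidate))      # 11 65531
    print(overlapping(candidate, ["10.0.5.0/24", "192.168.0.0/16"]))  # ['10.0.5.0/24']
    print(carve_subnets(candidate, 24)[:3])
```

The overlap check is the one worth running early: a VPC CIDR that collides with a peered VPC or an on-prem range cannot be peered or routed to later without re-addressing.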
Public & Private Subnets
Q9. Difference between a public and private subnet?
- Public subnet → route to Internet Gateway
- Private subnet → no direct internet route
Q10. How are internet-facing resources placed in a VPC?
In public subnets with Elastic IPs/public IPs
Private subnets can access internet via NAT Gateway/Instance
Q11. How do private subnets access the internet?
Through a NAT Gateway (recommended) or NAT instance.
Network ACLs
Q12. What is a NACL?
A Network ACL is a stateless firewall that controls inbound and outbound traffic at the subnet level.
Q13. NACL vs Security Group?
- NACL: Subnet-level, stateless, explicit allow/deny
- SG: Instance-level, stateful, only allow rules
Q14. Can NACLs filter by protocol/port?
Yes → rules can allow/deny based on protocols & ports.
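The stateless/stateful difference in Q12 to Q14 is easiest to see by evaluating one TCP connection against both kinds of filter. The block below is an added example for this page (not AWS code): a NACL evaluates the request and the reply as two independent packets, lowest rule number first, so an outbound rule set that forgets the client's ephemeral ports silently breaks replies; a security group only needs the inbound allow. Rule sets are constructed, and the ephemeral range is simplified to 1024-65535.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number; lowest matching number wins
    proto: str       # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str        # remote CIDR (source for inbound, destination for outbound)
    action: str      # "allow" or "deny" (security groups only ever use "allow")


@dataclass(frozen=True)
class Connection:
    client_ip: str
    client_port: int   # ephemeral port the client picked, e.g. 51234
    server_port: int   # service port, e.g. 443
    proto: str = "tcp"


def _matches(rule: Rule, proto: str, port: int, remote_ip: str) -> bool:
    return (rule.proto in ("all", proto)
            and rule.port_from <= port <= rule.port_to
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr))


def nacl_decision(rules: list[Rule], proto: str, port: int, remote_ip: str) -> str:
    """Stateless: the lowest-numbered matching rule wins; no match is an implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, proto, port, remote_ip):
            return rule.action
    return "deny"


def nacl_connection(inbound: list[Rule], outbound: list[Rule], conn: Connection) -> tuple[str, str]:
    """A NACL sees the request and the reply as two unrelated packets."""
    request = nacl_decision(inbound, conn.proto, conn.server_port, conn.client_ip)
    # the reply leaves the subnet toward the client's ephemeral port
    reply = nacl_decision(outbound, conn.proto, conn.client_port, conn.client_ip)
    return request, reply


def sg_connection(inbound: list[Rule], conn: Connection) -> tuple[str, str]:
    """A security group is stateful: if the request is allowed, the reply is allowed too."""
    request = "allow" if any(_matches(r, conn.proto, conn.server_port, conn.client_ip)
                             for r in inbound) else "deny"
    return request, request


ANY = "0.0.0.0/0"
# constructed rule sets
NACL_IN = [Rule(100, "tcp", 443, 443, ANY, "allow")]
NACL_OUT_TOO_STRICT = [Rule(100, "tcp", 443, 443, ANY, "allow")]   # forgets return traffic
NACL_OUT_FIXED = NACL_OUT_TOO_STRICT + [Rule(110, "tcp", 1024, 65535, ANY, "allow")]
SG_IN = [Rule(0, "tcp", 443, 443, ANY, "allow")]

if __name__ == "__main__":
    conn = Connection("198.51.100.7", 51234, 443)
    print(nacl_connection(NACL_IN, NACL_OUT_TOO_STRICT, conn))  # ('allow', 'deny')
    print(nacl_connection(NACL_IN, NACL_OUT_FIXED, conn))       # ('allow', 'allow')
    print(sg_connection(SG_IN, conn))                           # ('allow', 'allow')
```

Rule ordering matters for NACLs in the same way: a deny for one CIDR only takes effect if its number is lower than the broad allow it is meant to override.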
VPC Peering
Q15. What is VPC peering?
VPC Peering is a way to connect two VPCs so that they can communicate with each other using private IP addresses, just like they are part of the same network.
Q16. Can you peer across AWS accounts?
Yes, cross-account VPC peering is supported.
Q17. What are limitations of VPC peering?
- Non-transitive → Can’t route through a 3rd VPC.
- No overlapping CIDR ranges allowed.
- Service access limited → Can’t use another VPC to reach S3/DynamoDB.
- One-to-one only → No hub-and-spoke topology.
- Region restrictions → Some features not available cross-region.
Transit Gateway
Q18. What is AWS Transit Gateway?
“AWS Transit Gateway is like a central hub that connects multiple VPCs and on-prem networks. Unlike VPC peering, it supports transitive routing and makes management easier at scale.”
Q19. How does it simplify connectivity?
“Transit Gateway simplifies connectivity by acting as a single hub. Instead of creating many point-to-point VPC peering links, all VPCs and on-prem networks connect to the Transit Gateway once, and it handles the routing. This reduces complexity and makes the network easier to scale.”
Q20. Can Transit Gateway span regions?
Yes, it supports inter-region attachments.
Site-to-Site VPN
Q21. What is a Site-to-Site VPN?
“A Site-to-Site VPN is a secure connection between an on-premises network and an AWS VPC over the internet. It allows private data to travel securely as if the networks were directly connected.”
Q22. When would you use it?
“You use a Site-to-Site VPN when you want to securely connect your on-premises network to AWS VPCs, for example, to access cloud resources from your office or data center.”
Q23. What information is needed to establish a VPN?
“To establish a Site-to-Site VPN, you need the on-premises public IP, the AWS Virtual Private Gateway or Transit Gateway, and shared authentication info like a pre-shared key.”
VPC Endpoints
Q24. What is a VPC endpoint?
“A VPC Endpoint allows private connections between your VPC and AWS services without using the internet. It keeps traffic secure and stays within the AWS network.”
Q25. How do endpoints improve security?
"Endpoints improve security by controlling who and what can access the network. They run security tools to detect and block threats, protect data with encryption, enforce policies, and can isolate compromised devices to stop attacks from spreading. In short, endpoints act as a first line of defense for the network."
Q26. What are types of VPC endpoints?
- Interface Endpoint (AWS PrivateLink): Uses Elastic Network Interfaces (ENIs) with private IPs in your VPC. Connects your VPC privately to supported AWS services or your own services.
- Gateway Endpoint: Works at the route table level. Allows private access from your VPC to Amazon S3 and DynamoDB without using the internet or NAT.
Routing in VPC
Q27. How does routing work in VPC?
"Routing in a VPC is handled through route tables, which determine where network traffic is directed. Each subnet in a VPC is associated with a route table. The routes in the table specify destinations (CIDR blocks) and targets such as:
- Internet Gateway (IGW) – for internet traffic
- NAT Gateway/Instance – for private subnets to access the internet
- VPC Peering Connection – for traffic to another VPC
- Virtual Private Gateway – for VPN connections
- Local – for traffic within the same VPC
When an instance sends traffic, the VPC checks the subnet’s route table and forwards the traffic to the appropriate target based on the destination IP."
Q28. Purpose of a route table?
"A route table in a VPC defines how network traffic is directed. It contains a set of rules, called routes, that specify the destination CIDR blocks and the targets (like Internet Gateway, NAT Gateway, VPC Peering, or local subnets). Each subnet is associated with a route table, so it knows where to send traffic both inside and outside the VPC. Essentially, a route table controls the flow of traffic in and out of a subnet."
Q29. Can you associate multiple route tables to a subnet?
No → only one active route table per subnet (main or custom).
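Q9 to Q11 and Q27 to Q29 describe the same mechanism from two sides: the subnet's single route table, matched by longest prefix, decides whether a destination is local, peered, on-prem, or reached through an IGW or NAT. The following is an added example for this page (not AWS code) that performs that lookup over two constructed route tables; the igw-/nat-/pcx-/vgw- ids are placeholders, not real resource ids.

```python
import ipaddress
from typing import NamedTuple


class Route(NamedTuple):
    destination: str   # CIDR the route covers
    target: str        # "local", or an IGW / NAT / peering / VGW id


def lookup(route_table: list[Route], dst_ip: str) -> str:
    """Longest-prefix match: the most specific matching route decides the target."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for route in route_table:
        net = ipaddress.ip_network(route.destination)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, route.target)
    return best[1] if best else "drop"   # no matching route: the VPC drops the packet


def is_public_subnet(route_table: list[Route]) -> bool:
    """A subnet is public when its default route points at an Internet Gateway."""
    return any(r.destination == "0.0.0.0/0" and r.target.startswith("igw-")
               for r in route_table)


# constructed route tables; resource ids are placeholders, not real AWS ids
PUBLIC_RT = [
    Route("10.0.0.0/16", "local"),
    Route("0.0.0.0/0", "igw-0placeholder"),
]
PRIVATE_RT = [
    Route("10.0.0.0/16", "local"),
    Route("172.16.0.0/16", "pcx-0placeholder"),   # peered VPC
    Route("192.168.0.0/16", "vgw-0placeholder"),  # on-prem via Site-to-Site VPN
    Route("0.0.0.0/0", "nat-0placeholder"),       # internet egress only, via NAT
]

if __name__ == "__main__":
    for dst in ("10.0.3.4", "172.16.9.9", "192.168.1.1", "8.8.8.8"):
        print(dst, "->", lookup(PRIVATE_RT, dst))
    print(is_public_subnet(PUBLIC_RT), is_public_subnet(PRIVATE_RT))   # True False
```

The is_public_subnet check is the same test a reviewer applies when auditing which subnets may host internet-facing resources: the route table, not the subnet name, is what makes a subnet public.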
Elastic IPs
Q30. What is an Elastic IP?
"An Elastic IP (EIP) is a static, public IPv4 address provided by AWS that you can associate with an instance or a network interface. It allows your instance to have a fixed public IP, even if you stop, start, or replace the instance, making it ideal for hosting servers that need consistent external access."
Q31. How do you associate it with an EC2 instance?
Via console, CLI, or SDK → assign to instance or ENI.
Direct Connect
Q32. What is AWS Direct Connect?
"AWS Direct Connect is a service that establishes a dedicated, private network connection between your on-premises data center and AWS. It provides more reliable, lower-latency, and secure connectivity compared to standard internet connections, and can help reduce bandwidth costs for transferring large amounts of data."
Q33. When would you use Direct Connect vs VPN?
"You use AWS Direct Connect when you need a dedicated, high-speed, low-latency, and secure connection between your on-premises network and AWS, especially for large-scale data transfer or enterprise workloads.
You use a VPN when you need a quick, secure, and cost-effective connection over the public internet, usually for smaller workloads, temporary setups, or backup connectivity.
In short: Direct Connect = performance & reliability, VPN = convenience & cost-efficiency."
Flow Logs
Q34. What are VPC Flow Logs?
"VPC Flow Logs capture information about the IP traffic going to and from network interfaces in your VPC. They help you monitor, troubleshoot, and analyze network traffic for security, auditing, or performance purposes. The logs can be sent to CloudWatch Logs or S3 for further analysis."
Q35. How are they useful?
- Troubleshooting network issues
- Security monitoring (suspicious traffic)
- Compliance auditing
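The security-monitoring use in Q34 and Q35 comes down to parsing the default flow log record and asking questions of the action field. The block below is an added example for this page (not AWS tooling): it parses default-format (version 2) records, treats the "-" fields of NODATA records as missing, and flags any source whose REJECTed flows touched many distinct destination ports on an interface. The account id, ENI id and records are constructed sample data.

```python
from collections import defaultdict

# Field order of the default (version 2) VPC Flow Log format
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
NUMERIC = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}


def parse_line(line: str) -> dict:
    """Parse one default-format record; '-' (NODATA/SKIPDATA records) becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in NUMERIC:
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec


def load(text: str) -> list[dict]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def rejected_port_sweeps(records: list[dict], min_ports: int = 5) -> dict[str, list[int]]:
    """Sources whose REJECTed flows touched at least `min_ports` distinct destination ports."""
    ports = defaultdict(set)
    for rec in records:
        if rec["log_status"] == "OK" and rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def accepted_bytes_by_pair(records: list[dict]) -> dict[tuple[str, str], int]:
    """Bytes carried by ACCEPTed flows per (src, dst) pair; useful for spotting unusual egress."""
    totals = defaultdict(int)
    for rec in records:
        if rec["log_status"] == "OK" and rec["action"] == "ACCEPT":
            totals[(rec["srcaddr"], rec["dstaddr"])] += rec["bytes"]
    return dict(totals)


# constructed sample records (placeholder account and ENI ids), not real log data
SAMPLE = """\
2 111111111111 eni-0placeholder 198.51.100.7 10.0.1.10 40101 22 6 1 44 1700000000 1700000060 REJECT OK
2 111111111111 eni-0placeholder 198.51.100.7 10.0.1.10 40102 23 6 1 44 1700000000 1700000060 REJECT OK
2 111111111111 eni-0placeholder 198.51.100.7 10.0.1.10 40103 445 6 1 44 1700000000 1700000060 REJECT OK
2 111111111111 eni-0placeholder 198.51.100.7 10.0.1.10 40104 3389 6 1 44 1700000000 1700000060 REJECT OK
2 111111111111 eni-0placeholder 198.51.100.7 10.0.1.10 40105 8080 6 1 44 1700000000 1700000060 REJECT OK
2 111111111111 eni-0placeholder 10.0.2.20 10.0.1.10 52000 443 6 12 6600 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0placeholder - - - - - - - 1700000000 1700000060 - NODATA
"""

if __name__ == "__main__":
    records = load(SAMPLE)
    print(rejected_port_sweeps(records))     # {'198.51.100.7': [22, 23, 445, 3389, 8080]}
    print(accepted_bytes_by_pair(records))   # {('10.0.2.20', '10.0.1.10'): 6600}
```

Two caveats a practitioner should keep in mind: a REJECT records a security group or NACL decision, not an attack verdict, so a threshold like min_ports is a triage filter rather than a detection on its own; and flow logs are aggregated over a capture window, so a single record can summarise many packets.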
NAT Gateway & NAT Instance
Q36. Purpose of a NAT Gateway?
NAT stands for Network Address Translation.
It allows instances in a private subnet to access the internet (e.g., for updates, downloading packages), without exposing them to the internet.
Q37. NAT Gateway vs NAT Instance?
| Feature | NAT Gateway 🟢 (Recommended) | NAT Instance ⚠️ (Older method) |
|---|---|---|
| Type | Managed service by AWS | Self-managed EC2 instance |
| Setup | Very easy (few clicks) | Manual setup, more complex |
| Maintenance | No maintenance needed | You manage updates, patches |
| Performance | Scalable, high bandwidth | Limited by EC2 instance type |
| HA (High Availability) | Automatic in multiple AZs | You must configure it manually |
| Cost | Slightly higher | Cheaper but more work |
| Best For | Production use | Learning, testing, small setups |
VPC Endpoints – S3 & DynamoDB
Q38. What is a VPC endpoint for S3?
"A VPC endpoint for S3 is a gateway endpoint that allows your VPC to privately access Amazon S3 without using the internet, NAT devices, or VPN. It adds a route to your subnet’s route table so traffic to S3 stays within the AWS network, improving security, performance, and cost-efficiency."
Q39. How does it work?
"A VPC endpoint for S3 works by creating a gateway in your VPC and updating the subnet’s route table with a route to the S3 service. When an instance in the subnet sends traffic to S3, the request is routed through the endpoint instead of going over the internet. This ensures that traffic stays within the AWS network, making it more secure, faster, and cost-efficient."
Q40. What is a VPC endpoint for DynamoDB?
"A VPC endpoint for DynamoDB is a gateway endpoint that allows instances in a VPC to privately access Amazon DynamoDB without using the internet, NAT devices, or VPN. It works by adding a route to your subnet’s route table so traffic to DynamoDB stays within the AWS network, improving security, performance, and cost-efficiency."
VPC Security & Limits
Q41. Best practices for securing a VPC?
- Use SGs & NACLs properly
- Place sensitive resources in private subnets
- Enable VPC Flow Logs
- Use encryption in transit & at rest
Q42. How to prevent public exposure of resources?
- Use private subnets + NAT
- Restrict SGs & NACLs
- Avoid assigning public IPs unnecessarily
Q43. Are there limits on VPC resources?
Yes. Examples:
- 5 VPCs per region (default, can increase)
- 200 subnets per VPC
- 5 Elastic IPs per account (default quota)