TOP 50 Interview Questions on AWS Cloud Computing Services -VPC

1. What is Amazon Virtual Private Cloud?

Amazon VPC lets you provision a logically isolated section of the AWS cloud where you launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including creating subnets, selecting your own IP address ranges, and configuring route tables and network gateways. You can also create a hardware Virtual Private Network (VPN) connection between your VPC and your corporate data center and use the AWS cloud as an extension of your corporate data center.

You can easily customize the network configuration of your Amazon VPC. For example, you can create a public-facing subnet for your web servers that has access to the Internet, and place backend systems such as databases and application servers in a private-facing subnet with no Internet access. You can use multiple layers of security, including security groups and network access control lists, to help control access to the Amazon EC2 instances in each subnet.

2. What are the connectivity options for my VPC?

You may connect your VPC to:

  • The Internet (via an Internet gateway)
  • Your corporate data center, using a hardware VPN connection (via the virtual private gateway)
  • Both the Internet and your corporate data center (using both an Internet gateway and a virtual private gateway)
  • Other AWS services (via a virtual private gateway, Internet gateway, NAT, or VPC endpoints)
  • Other VPCs (via VPC peering connections)

3. What are Internet Gateways in VPC?

An Internet Gateway is a highly available, horizontally scaled VPC component. It establishes the connection between your Amazon VPC network and the Internet. Only one Internet gateway can be associated with each VPC. The Internet gateway performs NAT (Network Address Translation) for instances that have been assigned public IP addresses, and it provides a target in your VPC route tables for Internet-routable traffic.

4. What is a NAT Device?

A NAT device in your VPC enables instances in a private subnet to initiate outbound IPv4 traffic to the Internet or to other AWS services while preventing inbound connections initiated from the Internet. When traffic goes out to the Internet, the instance's source IP address is replaced with the NAT device's address; when the response comes back, the device translates the address back to the instance's private IP address. AWS offers two types of NAT devices: NAT instances and NAT gateways. NAT instances run on Linux AMIs configured to perform NAT. NAT devices do not support IPv6 traffic.

5. What is a subnet in VPC?

According to the AWS documentation, a subnet is simply a range of IP addresses in your VPC. You can launch AWS resources into the subnet of your choice. Resources that need Internet access go in a public subnet, whereas resources that do not need the Internet can be placed in a private subnet.

The default subnets in your VPC use a netmask of 20 (a /20), which gives up to 4096 addresses per subnet. A subnet is always confined to a single Availability Zone, whereas a VPC can span multiple zones.

6. What is the default VPC? What are its advantages?

It is a logically isolated virtual network that AWS creates automatically for an account when the user makes use of Amazon EC2 resources for the first time.

You can modify the components of the default VPC as needed. The default VPC has several advantages: a user can immediately use high-level features such as multiple IP addresses and network interfaces without creating a separate VPC or launching instances into one.

7. What is ELB and how does it affect VPC?

As the name implies, ELB (Elastic Load Balancing) is a load balancer service for AWS deployments. A load balancer divides the work that one computer would have to do among several computers so that it gets done faster. In the same way, ELB distributes incoming application traffic across multiple targets, such as EC2 instances.

There are three types of ELB, which provide scalability, availability, and security so that your applications are fault tolerant: Classic, Network, and Application Load Balancers. Network and Application Load Balancers can be used with a VPC and can route traffic to targets within VPCs.

8. What do you know about VPC Peering?

It is simply a networking connection between two VPCs. You can create a VPC peering connection between your own VPCs, or between your VPC and a VPC in another AWS account, within the same region. AWS does not need to interrupt the existing VPC infrastructure to enable VPC peering, and no special hardware is required. Peering does not create a VPN connection or a network gateway within AWS.

The main purpose of such a connection is to facilitate data transfer across multiple VPCs spanning different AWS accounts. Peering is a one-to-one relationship; transitive peering is not supported. As for AWS VPC peering bandwidth, there are no bandwidth limitations on peering connections.

9. What are the differences between Private, Public and Elastic IP Addresses?

As the name implies, private IP addresses are not reachable over the Internet. They are used for communication between instances in the same network. At launch, a private IP address from the subnet's range and a DNS hostname are assigned to eth0, the instance's default network interface.

A private IP address associated with a network interface is released only when the instance is terminated, not when it is stopped or restarted. A public IP address, by contrast, is reachable over the Internet.

When you launch a VPC instance, a public IP address is automatically assigned to it; this address is not associated with your AWS account. Every time you stop and restart the instance, AWS allocates a replacement public IP. The major difference between a public IP and an Elastic IP is that an Elastic IP is persistent: it stays associated with your AWS account until you release it. You can detach an Elastic IP from one instance and attach the same IP to a different instance. An Elastic IP is also reachable over the Internet.

10. Is there any limit to the number of VPCs, subnets, gateways, VPNs that I can create?

Yes, there are limits. You can create 5 VPCs per region. If you want to increase this limit, you have to increase the number of Internet gateways by the same number. 200 subnets are allowed per VPC, and 5 Elastic IP addresses are allowed per region. The number of Internet, VPN, and NAT gateways per region is also set to 5.

Customer gateways, however, are allowed up to 50 per region, and you can create 50 VPN connections per region. It is highly recommended to keep the connectivity-related questions in mind while going through these AWS VPC interview questions.

11. Can you illustrate what CIDR Routing is in VPC?

Answer: Questions about IP addressing are common among AWS VPC interview questions, and this CIDR question can be answered as follows. Classless Inter-Domain Routing (CIDR) is a set of Internet Protocol (IP) standards used to allocate IP addresses to networks and individual devices. With CIDR, a single address block can designate many unique IP addresses.


Generally, a CIDR address looks like a normal IP address followed by a slash and a number. This number is called the IP network prefix length. In a VPC, the IPv4 CIDR block size can be from /16 to /28. When you create a VPC, you must specify a range of IP addresses in CIDR form, such as 10.0.0.0/16. This CIDR is the primary CIDR block of your VPC.

12. What are Security Groups in VPC?

In a VPC, a security group manages the traffic for one or more instances. It acts as a virtual firewall that controls inbound and outbound traffic for EC2 instances. You add rules to each security group to control the traffic to and from the associated instances.

In the AWS console, security groups can be found in both the VPC and EC2 sections. By default, a security group allows all outbound traffic, and you define rules to allow inbound traffic. Note that you can only create "allow" rules; a security group cannot contain deny rules. You can change the rules of a security group at any time, and the changes take effect immediately.

13. What do you mean by Network ACLs in VPC?

Network ACLs perform a function similar to that of security groups in a VPC, i.e. controlling inbound and outbound traffic. The main difference is that a security group acts as a firewall for its associated EC2 instances, whereas a network ACL acts as a firewall for its associated subnets. Your VPC automatically comes with a default network ACL, which you can modify. Unlike a security group, this default network ACL allows all inbound and outbound traffic by default. A network ACL can be associated with multiple subnets, but a subnet can be associated with only one network ACL at a time.

You can also create a custom network ACL and associate it with a subnet. A custom ACL denies all inbound and outbound traffic until you add rules to it.

14. What is stateful and stateless filtering?

Stateful filtering tracks the origin of a request and automatically allows the reply back to the originating host. Stateless filtering, on the other hand, only examines the source and destination of each packet and ignores whether it is a new request or a reply to an earlier request.

In a VPC, security groups perform stateful filtering, whereas network ACLs perform stateless filtering.

15. What are the functions of an Amazon VPC router?

The VPC router allows Amazon EC2 instances in one subnet to communicate with Amazon EC2 instances in other subnets of the same VPC. Subnets, Internet gateways, virtual private gateways, and so on also communicate with each other through the VPC router.

16. What are the differences between security groups in a VPC and network ACLs in a VPC?

Security groups in a VPC specify which traffic is allowed to or from an Amazon EC2 instance. Network ACLs operate at the subnet level and evaluate traffic entering and exiting a subnet. Network ACLs can be used to set both Allow and Deny rules. Network ACLs do not filter traffic between instances within the same subnet. In addition, network ACLs perform stateless filtering, while security groups perform stateful filtering.
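The stateful/stateless distinction from questions 14 and 16 is easiest to see by modelling both filters and pushing a request and its reply through them. This is an added example, not code from the original page or from AWS; the rule shapes, rule numbers and the ephemeral port range are constructed for illustration.

```python
# Added example (not from the original page): a minimal model of a security
# group (stateful, allow-only) and a network ACL (stateless, ordered
# allow/deny rules). Addresses, ports and rule numbers are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

@dataclass
class SecurityGroup:
    """Stateful: only allow rules; replies to an allowed flow pass automatically."""
    inbound: list = field(default_factory=list)    # (proto, port, cidr)
    outbound: list = field(default_factory=list)
    flows: set = field(default_factory=set)        # tracked (src, sport, dst, dport)

    def allows(self, pkt, direction):
        # A reply to a tracked flow is allowed regardless of the rules.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True
        rules = self.inbound if direction == "in" else self.outbound
        remote = pkt.src if direction == "in" else pkt.dst
        for proto, port, cidr in rules:
            if proto == pkt.proto and port == pkt.dport and ip_address(remote) in ip_network(cidr):
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
        return False

@dataclass
class NetworkAcl:
    """Stateless: numbered allow/deny rules checked in order; no flow memory."""
    inbound: list = field(default_factory=list)    # (num, action, proto, (lo, hi), cidr)
    outbound: list = field(default_factory=list)

    def allows(self, pkt, direction):
        rules = self.inbound if direction == "in" else self.outbound
        remote = pkt.src if direction == "in" else pkt.dst
        for _num, action, proto, (lo, hi), cidr in sorted(rules):
            if proto == pkt.proto and lo <= pkt.dport <= hi and ip_address(remote) in ip_network(cidr):
                return action == "allow"
        return False   # implicit deny when no rule matches

def simulate():
    """HTTPS request from a client on the Internet to a web server in a subnet, then its reply."""
    request = Packet("203.0.113.5", "10.0.1.10", 51000, 443)
    reply = Packet("10.0.1.10", "203.0.113.5", 443, 51000)
    sg = SecurityGroup(inbound=[("tcp", 443, "0.0.0.0/0")])        # no outbound rule at all
    nacl_bad = NetworkAcl(inbound=[(100, "allow", "tcp", (443, 443), "0.0.0.0/0")])
    nacl_ok = NetworkAcl(inbound=[(100, "allow", "tcp", (443, 443), "0.0.0.0/0")],
                         outbound=[(100, "allow", "tcp", (1024, 65535), "0.0.0.0/0")])
    return {
        "sg_request": sg.allows(request, "in"),
        "sg_reply": sg.allows(reply, "out"),                  # stateful: passes without a rule
        "nacl_request": nacl_bad.allows(request, "in"),
        "nacl_reply_no_ephemeral": nacl_bad.allows(reply, "out"),   # stateless: dropped
        "nacl_reply_with_ephemeral": nacl_ok.allows(reply, "out"),
    }
```

The web server's reply clears the security group with no outbound rule, but the network ACL only lets it out once an outbound rule covers the client's ephemeral port range.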

17. How does a hardware VPN connection work with Amazon VPC?

It connects your VPC to your data center. Amazon supports Internet Protocol security (IPsec) VPN connections. Data transferred between your data center and the VPC is routed over an encrypted VPN connection to help maintain the confidentiality and integrity of data in transit. An Internet gateway is not required to establish a hardware VPN connection.

18. What is ClassicLink in VPC?

To connect Amazon EC2-Classic instances to a VPC, you use ClassicLink. It works only within the same region and uses private IP addresses. Its operation is simple: you enable ClassicLink on your VPC and associate a security group from the VPC with the EC2-Classic instance.

19. What is so special about VPC that stands out from other private clouds?

You do not need dedicated hardware, physical data centers, or virtual private networks to get a private network in the cloud; AWS VPC provides it. The advanced security features of VPC make it almost invulnerable to privacy and security threats.

20. What is a VPS?

Beginners trying AWS VPC interview questions for the first time tend to get confused by this question, since the two terms look similar.

Actually, a VPS, or Virtual Private Server, is nothing other than the host server offered by web hosting companies like BlueHost and GoDaddy (these companies also provide shared hosting, where a server is shared by several users). A single host is divided into multiple virtual units, each with independent functionality. Each of these units is a virtual private server that works independently of the others. You get access to the complete physical server, including root access.

A VPC functions similarly to a VPS, but its servers do not have to be located in a single place.

21. How do I connect a VPC to my corporate datacenter?

Establishing a hardware VPN connection between Amazon VPC and your existing network lets you interact with Amazon EC2 instances in the VPC as if they were in your existing network. AWS does not perform network address translation (NAT) on Amazon EC2 instances in a VPC accessed through a hardware VPN connection.

22. What factors affect the throughput of my VPN connection?

Throughput depends on multiple factors, such as the capability of your Customer Gateway (CGW), the capacity of your connection, the average packet size, the protocol in use (TCP vs. UDP), and the network latency between your CGW and the Virtual Private Gateway (VGW).

23. How do I connect my VPC to the Internet?

By creating an Internet gateway, which Amazon VPC supports. This gateway enables Amazon EC2 instances in the VPC to access the Internet directly.

24. What is the IP range of a default VPC?

The default VPC CIDR is 172.31.0.0/16. Default subnets use /20 CIDRs within the default VPC CIDR.

25. Can you launch Amazon EC2 Cluster Instances in a VPC?

Yes. Cluster instances are supported in Amazon VPC; however, not all instance types are available in all regions and Availability Zones.

26. Can I create other VPCs and use them in addition to my default VPC?

Yes. To launch an instance into a non-default VPC, you must specify a subnet ID during instance launch.

27. Can I create additional subnets in my default VPC, such as private subnets?

Yes. To launch into non-default subnets, you can target your launches using the console or the --subnet option of the CLI, API, or SDK.

28. What are the components of Amazon VPC?

Amazon VPC comprises a variety of objects that will be familiar to customers with existing networks:

A Virtual Private Cloud: A logically isolated virtual network in the AWS cloud. You define a VPC's IP address space from ranges you select.

Subnet: A segment of a VPC's IP address range where you can place groups of isolated resources.

Internet Gateway: The Amazon VPC side of a connection to the public Internet.

NAT Gateway: A highly available, managed Network Address Translation (NAT) service that lets resources in a private subnet access the Internet.

Peering Connection: Enables you to route traffic via private IP addresses between two peered VPCs.

VPC Endpoints: Enable private connectivity to services hosted in AWS from within your VPC without using NAT devices, Internet gateways, VPNs, or firewall proxies.

Egress-only Internet Gateway: A stateful gateway that provides egress-only access for IPv6 traffic from the VPC to the Internet.

29. How do instances in a VPC access the Internet?

You can use public IP addresses, including Elastic IP addresses (EIPs), to give instances in the VPC the ability both to communicate outbound directly to the Internet and to receive unsolicited inbound traffic from the Internet (e.g., web servers). You can also use the solutions in the next question.

30. What IP address ranges can I use within my Amazon VPC?

You can use any IPv4 address range, including RFC 1918 or publicly routable IP ranges, for the primary CIDR block. Certain restrictions apply to secondary CIDR blocks. Publicly routable IP blocks are only reachable via the Virtual Private Gateway and cannot be accessed over the Internet through the Internet gateway. AWS does not advertise customer-owned IP address blocks to the Internet. You can allocate an Amazon-provided IPv6 CIDR block to a VPC by calling the relevant API or via the AWS Management Console.

31. How do I assign IP address ranges to Amazon VPCs?

You assign one Classless Inter-Domain Routing (CIDR) IP address range as the primary CIDR block when you create a VPC, and you can add up to four (4) secondary CIDR blocks after the VPC is created. Subnets within a VPC are addressed from these CIDR ranges. We recommend using non-overlapping IP address ranges for this reason.

32. How large of a VPC can I create?

Currently, Amazon VPC supports five (5) IPv4 address ranges: one (1) primary and four (4) secondary. Each of these ranges can be between /28 and /16 (in CIDR notation) in size. The IP address ranges of your VPC should not overlap with the IP address ranges of your existing network.

For IPv6, the VPC is a fixed size of /56 (in CIDR notation). A VPC can have both IPv4 and IPv6 CIDR blocks associated with it.

33. Can I change the size of a VPC?

Yes. You can expand your existing VPC by adding up to four (4) secondary IPv4 ranges (CIDRs). You can shrink your VPC by deleting the secondary CIDR blocks you have added. You cannot, however, change the size of the IPv6 address range of your VPC.

34. How many subnets can I create per VPC?

Currently you can create 200 subnets per VPC. If you would like to create more, please submit a case at the support center.

35. Is there a limit on how large or small a subnet can be?

The minimum size of a subnet is a /28 (or 14 IP addresses) for IPv4. Subnets cannot be larger than the VPC in which they are created.

For IPv6, the subnet size is fixed at /64. Only one IPv6 CIDR block can be allocated to a subnet.
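The IPv4 sizing rules spread across questions 11, 31, 32 and 35 (VPC blocks from /16 to /28, at most four secondary blocks, subnets no smaller than /28, inside the VPC and non-overlapping) can be checked mechanically before anything is created. This is an added example, not code from the original page or from AWS; the addressing plan it checks is a constructed sample.

```python
# Added example (not from the original page): validates a VPC addressing plan
# against the rules stated in the text above. All CIDRs below are constructed.
from ipaddress import IPv4Network

VPC_LARGEST, VPC_SMALLEST = 16, 28   # VPC IPv4 blocks may be /16 .. /28
SUBNET_SMALLEST = 28                 # smallest IPv4 subnet is a /28
MAX_SECONDARY = 4                    # up to four secondary CIDR blocks

def parse(cidr):
    """Parse in strict mode so a block with host bits set (10.0.0.1/16) is rejected."""
    try:
        return IPv4Network(cidr, strict=True)
    except ValueError as exc:
        raise ValueError(f"{cidr}: {exc}") from None

def address_count(cidr):
    """Total addresses in a block; a /20 gives the 4096 quoted for default subnets."""
    return parse(cidr).num_addresses

def validate_vpc_block(cidr):
    """Return an error string for an out-of-range VPC block, else None."""
    net = parse(cidr)
    if not VPC_LARGEST <= net.prefixlen <= VPC_SMALLEST:
        return f"{cidr}: VPC block must be between /{VPC_LARGEST} and /{VPC_SMALLEST}"
    return None

def check_plan(primary, secondaries, subnets):
    """Return a list of problems with the plan; an empty list means it is consistent."""
    issues = []
    if len(secondaries) > MAX_SECONDARY:
        issues.append(f"more than {MAX_SECONDARY} secondary CIDR blocks")
    blocks = []
    for cidr in [primary, *secondaries]:
        err = validate_vpc_block(cidr)
        if err:
            issues.append(err)
            continue
        net = parse(cidr)
        for other in blocks:                      # VPC blocks must not overlap each other
            if net.overlaps(other):
                issues.append(f"{cidr}: overlaps VPC block {other}")
        blocks.append(net)
    placed = []
    for cidr in subnets:
        net = parse(cidr)
        if net.prefixlen > SUBNET_SMALLEST:
            issues.append(f"{cidr}: subnet smaller than /{SUBNET_SMALLEST}")
        if not any(net.subnet_of(b) for b in blocks):   # must sit inside the VPC
            issues.append(f"{cidr}: not inside any VPC CIDR block")
        for other in placed:                      # subnets must not overlap each other
            if net.overlaps(other):
                issues.append(f"{cidr}: overlaps subnet {other}")
        placed.append(net)
    return issues

def demo():
    """Constructed plan with one bad secondary block and three bad subnets."""
    return check_plan(
        "10.0.0.0/16",
        ["10.1.0.0/16", "10.0.128.0/17"],
        ["10.0.1.0/24", "10.0.1.128/25", "10.0.2.0/29", "192.168.0.0/24"],
    )
```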

36. How do I secure Amazon EC2 instances running within my VPC?

Amazon EC2 security groups can be used to help secure instances within an Amazon VPC. Security groups in a VPC let you specify both the inbound and the outbound network traffic that is allowed to or from each Amazon EC2 instance. Traffic that is not explicitly allowed to or from an instance is automatically denied.

In addition to security groups, network traffic entering and exiting each subnet can be allowed or denied via network Access Control Lists (ACLs).

37. Can Amazon EC2 instances within a VPC communicate with Amazon EC2 instances not within a VPC?

Yes. If an Internet gateway has been configured, Amazon VPC traffic bound for Amazon EC2 instances not within a VPC traverses the Internet gateway and then enters the public AWS network to reach the EC2 instance. If an Internet gateway has not been configured, or if the instance is in a subnet configured to route through the virtual private gateway, the traffic traverses the VPN connection, egresses from your data center, and then re-enters the public AWS network.

38. Can Amazon EC2 instances within a VPC in one region communicate with Amazon EC2 instances within a VPC in another region?

Yes. Instances in one region can communicate with instances in another region using Inter-Region VPC Peering, public IP addresses, NAT gateways, NAT instances, VPN connections, or Direct Connect connections.

39. Can Amazon EC2 instances within a VPC communicate with Amazon S3?

Yes. There are multiple options for resources within a VPC to communicate with Amazon S3. You can use a VPC Endpoint for S3, which lets you apply additional access policies to your Amazon S3 traffic. Alternatively, use an Internet gateway to enable Internet access from your VPC, so that instances in the VPC can communicate with Amazon S3.

40. Can I monitor the network traffic in my VPC?

Yes. You can use the Amazon VPC Traffic Mirroring and Amazon VPC Flow Logs features to monitor the network traffic in your Amazon VPC.
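Flow logs are the cheaper of the two monitoring options and are plain text, so a few lines of parsing turn them into something actionable. This is an added example, not code from the original page or from AWS: it parses records in the default flow log format (version 2) and summarizes which sources had traffic REJECTed by security groups or network ACLs. The account id, ENI id, addresses and timestamps are constructed sample values.

```python
# Added example (not from the original page): parse VPC Flow Log records in the
# default (version 2) format and summarize rejected traffic per source address.
# All values in SAMPLE_LOG are constructed.
from collections import defaultdict

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.10 51000 443 6 10 8400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40000 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40001 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40002 445 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.20 10.0.1.10 53022 5432 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_record(line):
    """Split one space-separated record into a dict; '-' placeholders become None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":
            rec[name] = None      # NODATA / SKIPDATA records carry no flow fields
        elif name in INT_FIELDS:
            rec[name] = int(value)
        else:
            rec[name] = value
    return rec

def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]

def rejects_by_source(records):
    """Map source address -> set of destination ports whose traffic was REJECTed."""
    out = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT" and rec["srcaddr"] is not None:
            out[rec["srcaddr"]].add(rec["dstport"])
    return dict(out)

def flag_port_sweeps(records, min_ports=3):
    """Sources whose rejected traffic touched at least min_ports distinct ports."""
    return sorted(src for src, ports in rejects_by_source(records).items()
                  if len(ports) >= min_ports)
```

On the sample, the external host that was refused on three different ports is flagged, while the single internal reject (a database port blocked by a security group) is reported but not flagged.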

41. What is Amazon VPC traffic mirroring?

Amazon VPC Traffic Mirroring makes it easy to replicate network traffic to and from an Amazon EC2 instance and forward it to out-of-band security and monitoring appliances for use cases such as content inspection, threat monitoring, and troubleshooting. These appliances can be deployed on an individual EC2 instance or on a fleet of instances behind a Network Load Balancer (NLB) with a User Datagram Protocol (UDP) listener.

42. Which resources can be monitored with Amazon VPC traffic mirroring?

It supports network packet captures at the Elastic Network Interface level for EC2 instances. Currently this feature is supported on all virtualized Nitro-based EC2 instances.

43. When I call DescribeInstances(), do I see all of my Amazon EC2 instances, including those in EC2-Classic and EC2-VPC?

Yes. All running Amazon EC2 instances are returned by DescribeInstances(). You can distinguish EC2-Classic instances from EC2-VPC instances by the subnet field: if a subnet ID is listed, the instance is in a VPC.

44. Can I create a peering connection to a VPC in a different region?

Yes. Peering connections can be created with VPCs in different regions. Inter-region VPC peering is available globally in all commercial regions (excluding China).

45. Do I need an Internet Gateway to use peering connections?

No. VPC peering connections do not require an Internet gateway.

46. Is Inter-Region VPC Peering traffic encrypted?

Traffic is encrypted using modern AEAD (Authenticated Encryption with Associated Data) algorithms. Key management and key agreement are handled by AWS.

47. How do DNS translations work with Inter-Region VPC Peering?

By default, a query for the public hostname of an instance in a peered VPC in a different region resolves to a public IP address. Route 53 private DNS can be used to resolve to a private IP address with Inter-Region VPC Peering.

48. Does the EC2-Classic instance become a member of the VPC?

The EC2-Classic instance does not become a member of the VPC. It becomes a member of the VPC security group that was associated with the instance. All the rules and references of that VPC security group apply to communication between EC2-Classic instances and resources within the VPC.

49. How do I use ClassicLink?

To use ClassicLink, you first need to enable at least one VPC in your account for ClassicLink. Then you associate a security group from that VPC with the desired EC2-Classic instance. The EC2-Classic instance is now linked to the VPC and is a member of the chosen security group in the VPC. An EC2-Classic instance can be linked to only one VPC at a time.

50. What is AWS PrivateLink?

AWS PrivateLink enables customers to access services hosted on AWS in a highly available and scalable manner, while keeping all network traffic within the AWS network. Service users can privately access services powered by PrivateLink from their Amazon VPC, without using public IPs and without requiring the traffic to traverse the Internet. Service owners can register their Network Load Balancers with PrivateLink and offer the services to other AWS customers.
