05 VPC - gannurohith/devops-interview-wiki GitHub Wiki

📁 05 - VPC (Virtual Private Cloud) (Basic to Intermediate Q&A)

  1. What is a VPC in AWS? A Virtual Private Cloud is a logically isolated network in the AWS cloud where you can launch AWS resources.

  2. What components make up a VPC?

    • Subnets (public/private)
    • Route tables
    • Internet Gateway (IGW)
    • NAT Gateway
    • Security groups
    • Network ACLs
    • VPC Peering, etc.

  3. What is a CIDR block? It defines the IP range of a VPC, e.g., 10.0.0.0/16.

  4. What is the difference between a public and private subnet?

    • Public: Has a route to the internet via IGW.
    • Private: No direct internet access.

  5. How do you connect a VPC to the internet? Attach an Internet Gateway and update route tables.

  6. What is an Internet Gateway? A horizontally scaled, redundant gateway for internet access to VPC resources.

  7. What is a NAT Gateway? Enables instances in private subnets to access the internet without allowing inbound connections.

  8. What is a route table in VPC? A set of rules (routes) that determine where network traffic is directed.

  9. What are security groups in VPC? Stateful firewalls that control traffic to EC2 instances.

  10. What are NACLs? Network ACLs are stateless firewalls that control traffic to subnets.

  11. How do Security Groups differ from NACLs?

    • SGs are stateful and operate at instance level.
    • NACLs are stateless and operate at subnet level.

  12. Can you have multiple subnets in one AZ? Yes, you can divide an AZ into multiple subnets.

  13. Why would you use a private subnet? To isolate sensitive resources like databases or backend servers from the internet.

  14. What is VPC Peering? Allows network traffic between two VPCs via private IPs without the need for VPN or NAT.

  15. What are the limitations of VPC Peering?

    • Cannot transit through a third VPC.
    • Cannot overlap CIDRs.

  16. What is a Transit Gateway? A scalable hub for connecting multiple VPCs, on-prem networks, or VPNs.

  17. What is the default VPC? A pre-configured VPC that AWS sets up with default subnets and routing.

  18. How do you secure a VPC?

    • Use NACLs and SGs
    • Isolate tiers using subnets
    • Enable flow logs

  19. What are VPC Flow Logs? Logs of IP traffic going to/from network interfaces in your VPC.

  20. What is DNS Hostname support in VPC? Allows instances with public IPs to get public DNS hostnames.

  21. Can you assign multiple CIDR blocks to a VPC? Yes, via VPC CIDR block association (useful for IP range expansion).

  22. What is a VPC endpoint? Enables private connectivity to AWS services without using IGW, NAT, or VPN.

  23. Difference between interface and gateway endpoints?

    • Interface: ENIs for services like SSM, S3
    • Gateway: route table-based, used for S3/DynamoDB

  24. How do you implement high availability in a VPC? Deploy across multiple AZs with public/private subnets, load balancers, and NAT Gateways.

  25. How do you monitor VPC traffic? Use VPC Flow Logs, CloudWatch, and third-party tools like VPC Traffic Mirroring.

  26. What is the maximum number of VPCs per region? Default is 5, but it can be increased via AWS support.

  27. How do you access a private EC2 instance? Through a bastion host or via Systems Manager Session Manager.

  28. How do you enable DNS resolution within VPC? Set enableDnsSupport and enableDnsHostnames to true.

  29. What happens if you delete a VPC? All resources within are deleted, including subnets, IGW, route tables, etc.

  30. Can you create overlapping CIDR blocks in different VPCs? Yes, but VPC Peering or VPN connections won’t work unless CIDRs are unique.


05. VPC – Virtual Private Cloud (Q&A)

  1. What is a VPC in AWS? Why is it important? Answer: VPC is a logically isolated network in AWS where you can launch AWS resources. It gives control over IP range, routing, and security.

  2. How do subnets work within a VPC? Answer: Subnets divide a VPC’s IP range into smaller ranges. Public subnets are for internet-facing resources; private subnets for backend systems.

  3. How do you make a subnet public? Answer: Attach an internet gateway to the VPC, add a route to 0.0.0.0/0 in the subnet’s route table, and ensure the instance has a public IP.

  4. Difference between Internet Gateway and NAT Gateway? Answer: IGW allows inbound/outbound internet access for public subnets. NAT Gateway allows outbound access only for private subnets.

  5. How can you secure a VPC? Answer: Use network ACLs, security groups, flow logs, route table restrictions, no open CIDR blocks, and enforce IAM policies.

  6. Explain the difference between stateful and stateless firewall in AWS. Answer: Security groups are stateful—return traffic is automatically allowed. NACLs are stateless—you must explicitly allow return traffic.
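The stateful/stateless distinction above, as an added Python example (not code from the wiki): a small evaluator that applies NACL first-match semantics to an HTTPS request and its reply, next to the security-group behaviour. The rule tables, client address and ephemeral port are constructed for illustration.

```python
import ipaddress

# Constructed NACL rules for a public web subnet. A NACL evaluates rules in
# ascending rule-number order, the first match wins, and the implicit '*'
# rule denies whatever nothing else matched.
# Each rule: (rule_number, protocol, cidr, port_from, port_to, action)
INBOUND = [
    (100, "tcp", "0.0.0.0/0", 443, 443, "allow"),       # HTTPS requests in
    (110, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),    # replies to our egress
]
# Stateless means the server's reply (src 443 -> client's ephemeral port) is
# a separate packet that needs its own outbound rule. This table forgets it:
OUTBOUND_BROKEN = [
    (100, "tcp", "0.0.0.0/0", 443, 443, "allow"),       # outbound HTTPS only
]
OUTBOUND_FIXED = OUTBOUND_BROKEN + [
    (110, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),    # ephemeral-port replies
]
SG_INBOUND = [(0, "tcp", "0.0.0.0/0", 443, 443, "allow")]  # constructed SG rule


def nacl_decision(rules, proto, addr, dst_port):
    """First-match evaluation. 'addr' is the source for inbound rules and the
    destination for outbound rules; 'dst_port' is the packet's destination port."""
    ip = ipaddress.ip_address(addr)
    for _num, rproto, cidr, lo, hi, action in sorted(rules):
        if rproto in (proto, "all") and ip in ipaddress.ip_network(cidr) and lo <= dst_port <= hi:
            return action
    return "deny"  # the catch-all '*' rule


def nacl_https_round_trip(inbound, outbound, client_ip, client_port):
    """Stateless: both the request (dst port 443) and the reply (dst port =
    client's ephemeral port) must be explicitly allowed."""
    request = nacl_decision(inbound, "tcp", client_ip, 443)
    reply = nacl_decision(outbound, "tcp", client_ip, client_port)
    return request == "allow" and reply == "allow"


def sg_https_round_trip(sg_inbound, client_ip):
    """Stateful: a security group only needs the request allowed; the reply is
    tracked and permitted automatically, whatever the outbound rules say.
    (SG rules are allow-only and unordered, so the same matcher works.)"""
    return nacl_decision(sg_inbound, "tcp", client_ip, 443) == "allow"
```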

  7. What is a route table and how does it affect traffic? Answer: It defines how traffic is routed from subnets. Each subnet must be associated with one route table.

  8. Can a subnet span multiple AZs? Answer: No. A subnet resides entirely in one Availability Zone.

  9. What is VPC Peering and when is it used? Answer: VPC Peering connects two VPCs to route traffic between them privately. Useful for service communication across VPCs without internet.

  10. What is a Transit Gateway? Answer: A scalable hub to connect multiple VPCs and on-premises networks via a central gateway.

  11. How do you troubleshoot connectivity issues in a VPC? Answer: Check security groups, NACLs, route tables, instance network interfaces, DNS resolution, and use VPC Reachability Analyzer.

  12. What are Flow Logs? How are they used? Answer: Flow Logs capture IP traffic going to/from interfaces. Used for troubleshooting, compliance, and monitoring.
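As an added example (not part of the wiki), a Python parser for the default Flow Logs record format with two defender-side checks over it: rejected flows per source and the ports a source was denied on. The six log lines are constructed, with placeholder account and ENI ids.

```python
from collections import Counter

# Constructed sample in the default VPC Flow Logs format (space-separated):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_LOG = """\
2 111111111111 eni-EXAMPLE 203.0.113.5 10.0.1.20 51123 22 6 3 180 1700000000 1700000060 REJECT OK
2 111111111111 eni-EXAMPLE 203.0.113.5 10.0.1.20 51124 3389 6 3 180 1700000000 1700000060 REJECT OK
2 111111111111 eni-EXAMPLE 198.51.100.7 10.0.1.20 44010 443 6 20 4200 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-EXAMPLE 10.0.1.20 198.51.100.7 443 44010 6 18 9000 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-EXAMPLE 203.0.113.5 10.0.1.20 51125 23 6 2 120 1700000000 1700000060 REJECT OK
2 111111111111 eni-EXAMPLE - - - - - - - 1700000000 1700000060 - NODATA
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse_flow_logs(text):
    """Parse default-format records into dicts; skip NODATA/SKIPDATA records,
    which carry no flow information (their fields are '-')."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejected_by_source(records):
    """REJECTed flows per source address: a quick view of who is being blocked
    by a security group or NACL, whether a misconfiguration or unwanted traffic."""
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")


def rejected_ports(records, srcaddr):
    """Distinct destination ports one source was denied on; many distinct ports
    from one address in a short window is worth a closer look."""
    return sorted({r["dstport"] for r in records
                   if r["action"] == "REJECT" and r["srcaddr"] == srcaddr})
```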

  13. Difference between VPC endpoints and NAT? Answer: VPC endpoints enable private access to AWS services without internet. NAT allows outbound internet access for private subnets.

  14. What’s the best practice for subnet sizing? Answer: Plan based on instance count, reserve IPs for AZs, leave room for scaling (e.g., /24 for public, /26 or /28 for private subnets).
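The sizing guidance above, as an added Python example not taken from the wiki: it carves a VPC CIDR into one public (/24) and one private (/26) subnet per AZ without overlap and reports usable addresses after the five AWS-reserved addresses per subnet. The VPC CIDR and AZ names are constructed.

```python
import ipaddress

# AWS reserves the first four and the last address of every subnet
# (network, VPC router, DNS, future use, broadcast).
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(cidr):
    """Usable addresses in an AWS subnet of the given size (/16 to /28)."""
    net = ipaddress.ip_network(cidr)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError("AWS subnets must be between /16 and /28")
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, azs, public_prefix=24, private_prefix=26):
    """Allocate one public and one private subnet per AZ from vpc_cidr,
    sequentially and aligned to each block size so nothing overlaps.
    Returns {(az, tier): IPv4Network}."""
    vpc = ipaddress.ip_network(vpc_cidr)
    cursor = int(vpc.network_address)
    limit = int(vpc.broadcast_address) + 1
    plan = {}
    for tier, prefix in (("public", public_prefix), ("private", private_prefix)):
        size = 2 ** (32 - prefix)
        for az in azs:
            cursor = -(-cursor // size) * size  # round up to the next aligned block
            if cursor + size > limit:
                raise ValueError(f"{vpc_cidr} cannot fit a {tier} /{prefix} for {az}")
            plan[(az, tier)] = ipaddress.IPv4Network((cursor, prefix))
            cursor += size
    return plan


def report(plan):
    """One human-readable line per subnet: AZ, tier, CIDR, usable hosts."""
    return [f"{az} {tier:7} {net}  usable={usable_hosts(str(net))}"
            for (az, tier), net in plan.items()]


if __name__ == "__main__":
    # Constructed VPC and AZ names for illustration.
    for line in report(plan_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b", "us-east-1c"])):
        print(line)
```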

  15. How do you connect an on-premises network to AWS? Answer: Use VPN (IPsec), AWS Direct Connect for dedicated links, or both for hybrid models.

  16. How do you restrict access between subnets? Answer: Use separate security groups and NACLs to explicitly allow or deny communication.

  17. Can you have multiple route tables in a VPC? Answer: Yes. Each subnet must be associated with one route table, but a VPC can have many.

  18. What is the default VPC and how does it differ from custom VPCs? Answer: Default VPC comes pre-configured with public subnets and IGW. Custom VPCs offer full control over IPs, subnets, and routing.

  19. What happens if there’s no route to a destination in the route table? Answer: The traffic is dropped. Explicit routing is required in route tables.
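The "no route means dropped" rule above, together with the earlier public/private subnet and peering questions, as an added Python example (not from the wiki): it models how a route table picks a target by longest-prefix match over constructed route tables. The igw-, nat- and pcx- ids are placeholders, and this models routing only; a public instance still needs a public IP, as the subnet question says.

```python
import ipaddress

VPC_CIDR = "10.0.0.0/16"

# Constructed route tables: (destination CIDR, target). Every table carries the
# 'local' route for the VPC CIDR; the rest is what makes a subnet public,
# private, isolated or peered.
PUBLIC_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-EXAMPLE")]
PRIVATE_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-EXAMPLE")]
ISOLATED_RT = [(VPC_CIDR, "local")]              # no default route at all
PEERED_RT = PUBLIC_RT + [("172.16.0.0/16", "pcx-EXAMPLE")]  # peer VPC CIDR


def lookup(route_table, dst_ip):
    """Return the target for dst_ip using longest-prefix match, or None when
    no route matches (AWS drops such traffic)."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def is_public_subnet(route_table):
    """A subnet counts as public when its route table sends 0.0.0.0/0 to an
    Internet Gateway; a NAT target makes it private (outbound only)."""
    return any(cidr == "0.0.0.0/0" and target.startswith("igw-")
               for cidr, target in route_table)
```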

  20. How do you connect VPCs in different AWS regions? Answer: Use inter-region VPC peering or Transit Gateway with inter-region support.

  21. How do you implement high availability for NAT? Answer: Use one NAT Gateway per AZ and configure subnet route tables accordingly.

  22. Can a VPC have overlapping CIDR ranges? Answer: No. CIDR blocks must be unique across VPCs unless they are isolated (no peering or Transit GW).

  23. How do you prevent IP spoofing in a VPC? Answer: AWS automatically blocks spoofed traffic and enforces source/destination checks.

  24. How do you audit traffic within a VPC? Answer: Use VPC Flow Logs, CloudTrail for API events, GuardDuty for threat detection.

  25. What tools can be used for VPC diagramming and documentation? Answer: Lucidchart, draw.io, Cloudcraft, or AWS Perspective tool.