Amazon Virtual Private Cloud (VPC) Interview Questions and Answers
Q: What is Amazon Virtual Private Cloud (VPC)?
Answer: Amazon Virtual Private Cloud (Amazon VPC) is a logically isolated virtual network in the AWS cloud where you can launch AWS resources. Each VPC that you create is logically isolated from other virtual networks in the AWS cloud. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can easily customize your Amazon VPC's network configuration.
Q: What is a default VPC?
Answer: A default VPC (Virtual Private Cloud) is a pre-configured VPC that is automatically created for each AWS account in every AWS region. When you create a new AWS account, AWS provisions a default VPC to provide you with a basic networking environment.
Q: What are the components of Amazon VPC?
Answer: The main components of an Amazon VPC are:
VPC: The Virtual Private Cloud itself is the main component. It is a logically isolated section of the AWS cloud where you can launch AWS resources.
Subnets: Subnets are subdivisions of the VPC’s IP address range. You can create multiple subnets within a VPC, and they are typically associated with different availability zones.
Route Tables: Route tables control the traffic between subnets within the VPC and between the VPC and the internet. Each subnet must be associated with a route table that specifies the routing rules.
Internet Gateway: An Internet Gateway (IGW) is a horizontally scalable and highly available AWS-managed gateway that allows communication between your VPC and the internet.
NAT Gateway: A Network Address Translation (NAT) Gateway allows instances in your private subnets to communicate with the internet while blocking inbound traffic initiated from the internet. It provides internet access for private instances without exposing their IP addresses to the public.
Security Groups: Security Groups act as virtual firewalls for your instances. They control inbound and outbound traffic based on user-defined rules. Each instance within a VPC is associated with one or more security groups.
Network Access Control Lists (ACLs): Network ACLs are stateless firewalls that control inbound and outbound traffic at the subnet level. They provide an additional layer of security for your VPC by allowing or denying traffic based on rules you define.
VPC Peering: VPC Peering enables you to connect multiple VPCs together, allowing them to communicate as if they were on the same network. It enables the resources in different VPCs to interact with each other using private IP addresses.
VPN Connections: Virtual Private Network (VPN) connections allow you to establish encrypted connections between your VPC and your on-premises network or other remote networks. They provide secure connectivity for resources in your VPC.
Q: Can you explain the use of Route Table?
Answer: A route table contains a set of rules, called routes, that determine where network traffic from your subnet or gateway is directed. When a packet arrives at the VPC router, the router reads the packet's destination IP address and uses the route table to decide where to forward it.
Q: What does an Amazon VPC Router do?
Answer: The Amazon VPC router plays a vital role in providing efficient and secure networking for the Amazon VPC service. It handles internal routing within the VPC, provides internet connectivity for instances within the VPC, supports NAT for outbound traffic, routes traffic over VPN connections, and facilitates communication between peered VPCs.
Q: What are Internet Gateways in VPC?
Answer: An Internet Gateway is a redundant, horizontally scaled, and highly available VPC component. It allows communication between instances in your VPC and the internet, using VPC route tables to direct internet-routable traffic. An Internet Gateway supports IPv4 and IPv6 traffic. It does not cause availability risks or bandwidth constraints on your network traffic. Only one Internet Gateway can be attached per VPC. There is no additional cost for having an Internet Gateway in your account.
Q: What is a NAT Device?
Answer: A NAT (Network Address Translation) device enables your virtual machines (EC2 instances) in a private subnet to connect to the internet or to other AWS services. For example, you can use a NAT device to install or update software on a server that sits in a private subnet and has no direct internet access.
Q: What is a subnet in VPC?
Answer: A subnet or subnetwork is a logical sub-division of an IP network into multiple smaller networks.
In AWS, a subnet is a range of IP addresses within your VPC that provides a logical grouping of resources. A subnet can exist within one and only one Availability Zone (1 Subnet == 1 Availability Zone). You can launch AWS resources into any selected subnet.
Q: How do you determine which Availability Zone your subnets are in?
Answer: You can use the AWS Command Line Interface (CLI) or AWS SDKs to programmatically retrieve the information about your subnets and their associated Availability Zones. You can use the appropriate AWS CLI command or API call to obtain the details of your subnets and extract the Availability Zone information from the response.
Alternatively, you can check this in the AWS Management Console: log in, go to the VPC Dashboard, and click "Subnets" in the navigation pane. The "Availability Zone" column shows the specific Availability Zone where each subnet is located.
Q: What is the maximum number of Amazon EC2 instances you can use within a VPC?
Answer: The maximum number of Amazon EC2 instances you can use within a VPC depends on various factors, including the type of instance, instance limits, available resources, and regional limits set by AWS. These limits can be increased by requesting a limit increase from AWS support.
For example: On-Demand Instances have, by default, a limit of 20 instances per region. Some specific instance families, such as t2.micro and t3.micro, may have a higher default limit of 100 instances per region for new accounts.
Additionally, the VPC itself has a maximum size of /16, which corresponds to 65536 IP addresses. This means that your VPC can accommodate up to 65536 – 5 = 65529 instances, assuming each instance requires only one IP address.
The first four IP addresses and the last IP address in each subnet CIDR block are not available for you to use and cannot be assigned to an instance. For example, in a subnet with CIDR block 10.0.0.0/24, the following five IP addresses are reserved:
- 10.0.0.0 – Network address.
- 10.0.0.1 – Reserved by AWS for the VPC router.
- 10.0.0.2 – Reserved by AWS. The IP address of the DNS server is the base of the VPC network range plus two.
- 10.0.0.3 – Reserved by AWS for future use.
- 10.0.0.255 – Network broadcast address. Broadcast is not supported in a VPC, so this address is reserved.
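As an added illustration (not code from the original page), the following Python generalizes the /24 case above to any IPv4 subnet CIDR: it lists the five reserved addresses, counts the assignable ones, and checks whether a given address may be assigned. It assumes the AWS rule that IPv4 subnets must be between /16 and /28 in size, which the page does not state.

```python
import ipaddress

# Assumption (AWS documented constraint, not stated on this page):
# an IPv4 subnet in a VPC must be between /16 and /28.
AWS_LARGEST_SUBNET_PREFIX = 16
AWS_SMALLEST_SUBNET_PREFIX = 28


def reserved_addresses(cidr):
    """Return the five addresses AWS reserves in the subnet, keyed by address."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
    if net.version != 4:
        raise ValueError("only IPv4 subnets are handled here")
    if not AWS_LARGEST_SUBNET_PREFIX <= net.prefixlen <= AWS_SMALLEST_SUBNET_PREFIX:
        raise ValueError(f"{cidr}: AWS subnets must be between /16 and /28")
    base = int(net.network_address)
    return {
        str(ipaddress.IPv4Address(base)): "network address",
        str(ipaddress.IPv4Address(base + 1)): "VPC router",
        str(ipaddress.IPv4Address(base + 2)): "DNS server (base + 2)",
        str(ipaddress.IPv4Address(base + 3)): "reserved for future use",
        str(net.broadcast_address): "broadcast address (not supported in a VPC)",
    }


def usable_host_count(cidr):
    """Number of addresses that can actually be assigned to instances."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - len(reserved_addresses(cidr))


def is_assignable(cidr, address):
    """True if the address lies in the subnet and is not one of the reserved five."""
    net = ipaddress.ip_network(cidr, strict=True)
    addr = ipaddress.ip_address(address)
    return addr in net and str(addr) not in reserved_addresses(cidr)


if __name__ == "__main__":
    # Constructed sample subnets, one at each AWS size limit plus the page's /24.
    for sample in ("10.0.0.0/24", "10.0.0.16/28", "172.16.0.0/16"):
        print(sample, "usable:", usable_host_count(sample))
        for ip, reason in reserved_addresses(sample).items():
            print("  ", ip, "-", reason)
```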
Q: What is ClassicLink?
Answer: ClassicLink is specifically designed to connect EC2-Classic instances to a VPC. For newer EC2 instances running within a VPC, you do not need to use ClassicLink as they are already integrated into the VPC networking environment.
ClassicLink is a useful feature when you have existing EC2-Classic instances that need to communicate with resources in a VPC, enabling you to leverage the benefits of a VPC while preserving connectivity for older EC2-Classic instances.