Amazon VPC Flashcards

(55 cards)

1
Q

What are the key components of an AWS VPC and their roles?

A

Region / Availability Zone — A Region is a geographic area; an Availability Zone is one or more isolated data centers inside it. A VPC spans all AZs of its Region, while each subnet lives in exactly one AZ.

VPC — Isolated virtual network.

Subnets (Public & Private) — Network segments within a VPC.

Public: Routed to the Internet Gateway

Private: No direct internet routing

Internet Gateway (IGW) — Enables internet access for public subnets.

NAT Gateway — Allows private subnets to reach the internet outbound only.

Route Tables — Control traffic routing for each subnet.

Security Groups — Stateful instance-level firewalls.

Network ACLs (NACLs) — Stateless subnet-level firewalls.

VPC Peering — Private connectivity between VPCs.

VPC Endpoints (S3, DynamoDB, etc.) — Private access to AWS services without IGW/NAT.

VPC Flow Logs — Capture network traffic metadata.

Site-to-Site VPN / Customer Gateway / Virtual Private Gateway — Connect on-prem networks to AWS.

Direct Connect (DX) — Dedicated private network link to AWS.

Transit Gateway — Central hub for connecting multiple VPCs and on-prem networks.

2
Q

What is CIDR notation in IPv4, and how does it define an IP range?

A

CIDR (Classless Inter-Domain Routing) is a method of allocating and representing IP address ranges.

Format: Base IP + /Prefix length (the number of leading bits that are fixed; the remaining 32 − prefix bits vary across the range)

Example: 192.168.0.0/26

The prefix length determines how many IPs are included:

/32 → 1 IP

/31 → 2 IPs

/30 → 4 IPs

/29 → 8 IPs

/28 → 16 IPs

/27 → 32 IPs

/26 → 64 IPs, etc.

Used throughout AWS networking (Security Groups, VPCs, Subnets).

3
Q

What does CIDR notation represent in IPv4, and how does the subnet mask determine the IP range?

A

CIDR = Classless Inter-Domain Routing

Format: Base IP + /Prefix (example: 192.168.0.0/26)

The /Prefix defines how many IPs are included:

/32 → 1 IP

/31 → 2 IPs

/30 → 4 IPs

/29 → 8 IPs

/28 → 16 IPs

/27 → 32 IPs

/26 → 64 IPs

CIDR is used to allocate and describe IP ranges in AWS networking (VPCs, subnets, SG rules).

4
Q

What does the subnet mask do in CIDR, and how does it affect the number of IP addresses?

A

“The Subnet Mask basically allows part of the underlying IP to get additional next values from the base IP.”

In other words, the prefix fixes the leading bits of the base IP, and the remaining (32 − prefix) bits enumerate the addresses in the range:

192.168.0.0/32 → 1 IP

192.168.0.0/31 → 2 IPs

192.168.0.0/30 → 4 IPs

192.168.0.0/29 → 8 IPs

192.168.0.0/28 → 16 IPs

192.168.0.0/27 → 32 IPs

Formula: Total IPs = 2^(32 − prefix). In an AWS subnet, 5 of these are reserved, so usable IPs = 2^(32 − prefix) − 5.

5
Q

What are the differences between public and private IPv4 addresses, and what ranges are reserved for private use?

A

IANA reserves specific IPv4 ranges for private (LAN) use:

10.0.0.0 – 10.255.255.255 (10.0.0.0/8)

172.16.0.0 – 172.31.255.255 (172.16.0.0/12)

192.168.0.0 – 192.168.255.255 (192.168.0.0/16)

Most other IPv4 addresses are public and routable on the Internet. A few further ranges are also non-routable, e.g. loopback 127.0.0.0/8 and link-local 169.254.0.0/16 (which AWS uses for the instance metadata endpoint 169.254.169.254).

Private IPs: internal-only, not globally unique.

Public IPs: internet-visible, must be globally unique.

6
Q

What are the key characteristics of the AWS default VPC?

A

Every AWS account gets a default VPC in each Region automatically.

EC2 instances launch into the default VPC if no subnet is specified.

The default VPC has Internet connectivity by default: an IGW is attached and the main route table sends 0.0.0.0/0 to it.

EC2 instances launched in it receive a public IPv4 address automatically (public IPv4 addresses have been billed hourly since February 2024).

Instances get both public and private DNS hostnames (DNS hostnames are enabled by default).

Because everything in it is Internet-facing by default, production workloads usually belong in a custom VPC with private subnets.

7
Q

What are the key IPv4 rules and limits for an AWS VPC?

A

A VPC = Virtual Private Cloud in AWS.

You can create multiple VPCs per Region (default soft limit: 5).

Each VPC can have up to 5 IPv4 CIDR blocks (default quota, adjustable).

Allowed CIDR block sizes:

Minimum: /28 (16 IPs)

Maximum: /16 (65,536 IPs)

VPCs should use private IPv4 ranges (RFC 1918):

10.0.0.0/8

172.16.0.0/12

192.168.0.0/16

(AWS technically accepts publicly routable CIDRs as well, but they are not advertised to the Internet and AWS recommends against them.)

Do not overlap CIDRs with your other networks (on-prem, peered VPCs); overlapping ranges cannot be routed between later.

8
Q

What IP addresses does AWS reserve inside each IPv4 subnet, and how does this affect usable IP count?

A

AWS reserves 5 IP addresses in every subnet (first 4 + last 1), so they cannot be assigned to EC2 instances.

Example for subnet 10.0.0.0/24:

10.0.0.0 — Network address

10.0.0.1 — Reserved for VPC router

10.0.0.2 — Reserved for Amazon-provided DNS

10.0.0.3 — Reserved for future use

10.0.0.255 — Network broadcast address (AWS doesn’t support broadcast)

Exam Tip:
If you need 29 usable IPs, a /27 subnet won’t work (32 total − 5 reserved = 27 usable).
Choose /26 instead (64 total − 5 reserved = 59 usable).
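As an added worked example (not part of the original flashcards), the following Python script puts the CIDR arithmetic of cards 2 to 4, the VPC CIDR rules of card 7 and the five-reserved-addresses rule of this card into code, using only the standard-library ipaddress module. The function and constant names are my own.

```python
import ipaddress

# The three RFC 1918 ranges listed on the cards.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

AWS_RESERVED_PER_SUBNET = 5   # first four addresses plus the broadcast address


def total_ips(prefix: int) -> int:
    """Addresses in a block: 2^(32 - prefix)."""
    return 2 ** (32 - prefix)


def usable_ips(prefix: int) -> int:
    """Addresses an EC2 instance can actually be given in an AWS subnet of this size."""
    return total_ips(prefix) - AWS_RESERVED_PER_SUBNET


def reserved_addresses(subnet: str) -> dict:
    """Map the five AWS-reserved addresses of a subnet to their roles."""
    net = ipaddress.ip_network(subnet, strict=True)
    base = int(net.network_address)
    roles = ("network address", "VPC router", "Amazon-provided DNS", "reserved for future use")
    out = {str(ipaddress.ip_address(base + i)): role for i, role in enumerate(roles)}
    out[str(net.broadcast_address)] = "broadcast (not supported in a VPC)"
    return out


def smallest_prefix_for(hosts: int) -> int:
    """Longest AWS-legal prefix (/28 .. /16) whose subnet still leaves `hosts` usable addresses."""
    for prefix in range(28, 15, -1):        # try /28 first, widen until it fits
        if usable_ips(prefix) >= hosts:
            return prefix
    raise ValueError(f"{hosts} hosts do not fit in a single /16 subnet")


def validate_vpc_cidr(cidr: str, existing=()) -> list:
    """Problems a proposed VPC CIDR has under the rules on the cards; an empty list means OK."""
    problems = []
    try:
        net = ipaddress.ip_network(cidr, strict=True)   # strict: host bits must be zero
    except ValueError as exc:
        return [f"not a valid network: {exc}"]
    if not 16 <= net.prefixlen <= 28:
        problems.append(f"/{net.prefixlen} is outside the allowed /16 .. /28 range")
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append("not inside an RFC 1918 private range")
    for other in existing:
        if net.overlaps(ipaddress.ip_network(other)):
            problems.append(f"overlaps existing network {other}")
    return problems


if __name__ == "__main__":
    print(usable_ips(27), usable_ips(26))                 # 27 59
    print(smallest_prefix_for(29))                         # 26
    print(reserved_addresses("10.0.0.0/24"))
    print(validate_vpc_cidr("10.0.0.0/8"))
    print(validate_vpc_cidr("10.0.1.0/24", ["10.0.0.0/16"]))
```

The exam tip above falls out of smallest_prefix_for(29): a /27 leaves only 27 usable addresses, so the function widens to /26. validate_vpc_cidr is the check to run before creating a VPC or requesting a peering: an overlap with an existing CIDR is the one mistake that cannot be fixed without re-addressing.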

9
Q

What is an Internet Gateway (IGW) in AWS, and what does it enable for a VPC?

A

An IGW allows resources in a VPC (e.g., EC2 instances) to connect to the Internet.

It is horizontally scalable, highly available, and redundant.

It must be created separately from the VPC.

One VPC ↔ one IGW (a 1:1 attachment).

On its own, an IGW does NOT provide internet access —
route tables must be updated to send 0.0.0.0/0 traffic to the IGW.

10
Q

What is a Bastion Host in AWS, and how is it used?

A

A Bastion Host (jump host) is a hardened EC2 instance you SSH into first, and from there SSH into private EC2 instances.

It is placed in a public subnet; because every subnet in a VPC has a "local" route to the whole VPC CIDR, it can reach all private subnets.

The Bastion Host security group must allow inbound SSH (port 22) only from a restricted CIDR (e.g., your corporate public IP range), never from 0.0.0.0/0.

The private EC2 instances' security groups must allow SSH from the Bastion Host's security group (preferred, since it survives IP changes) or from its private IP.

11
Q

What is a NAT Instance in AWS, and how is it configured?

A

NAT = Network Address Translation
Allows private subnet EC2 instances to access the Internet.

Must be launched in a public subnet.

Must disable Source/Destination Check on the instance.

Must attach an Elastic IP (EIP).

Route tables must route outbound traffic from private subnets to the NAT Instance.

12
Q

What are key considerations and limitations of using a NAT Instance in AWS?

A

A pre-configured Amazon Linux NAT AMI is available.

That AMI reached end of standard support on Dec 31, 2020.

NAT Instances are not highly available by default.

Requires ASG in multi-AZ + resilient user-data script.

Bandwidth depends on EC2 instance type.

You must manage Security Groups & rules manually:

Inbound: allow HTTP/HTTPS from private subnets; allow SSH from your home network (via IGW).

Outbound: allow HTTP/HTTPS to the Internet.

13
Q

What is a NAT Gateway in AWS, and what are its key characteristics?

A

AWS-managed NAT service — no administration required.

Provides higher bandwidth and high availability within an AZ.

Billed per hour plus data processed.

Created in a specific Availability Zone and uses an Elastic IP.

Cannot be used by EC2 instances in the same subnet—only by instances in other subnets.

Requires an Internet Gateway (path: Private Subnet → NAT GW → IGW).

Supports 5 Gbps bandwidth with automatic scaling up to 100 Gbps.

No Security Groups to manage.

14
Q

How do you achieve high availability with NAT Gateways in AWS?

A

A NAT Gateway is resilient within a single Availability Zone.

To achieve fault tolerance, you must create multiple NAT Gateways, one in each AZ you use.

No cross-AZ failover is needed: if an AZ fails, the workloads in that AZ are down too, so nothing in it needs NAT from another AZ.

Each private subnet should route Internet-bound traffic (0.0.0.0/0) to the NAT Gateway in its own AZ. Pointing every subnet at one NAT Gateway works, but adds cross-AZ data charges and makes that AZ a single point of failure for egress.
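The per-AZ rule is easy to violate when one route table is shared by subnets in several AZs. The following Python check, added here as an example and not part of the original flashcards, walks route tables and reports each subnet whose default route leaves its AZ. The input is constructed to mimic the shape of the EC2 DescribeSubnets, DescribeNatGateways and DescribeRouteTables responses (only the keys used here); the subnet, NAT and IGW identifiers are made up.

```python
# Constructed data in the shape of the EC2 DescribeSubnets / DescribeNatGateways /
# DescribeRouteTables responses (trimmed to the keys used here; not real account output).
SUBNETS = [
    {"SubnetId": "subnet-pub-a",  "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-pub-b",  "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-priv-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-priv-b", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-priv-c", "AvailabilityZone": "us-east-1c"},
    {"SubnetId": "subnet-priv-d", "AvailabilityZone": "us-east-1a"},
]
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-a", "SubnetId": "subnet-pub-a", "State": "available"},
    {"NatGatewayId": "nat-b", "SubnetId": "subnet-pub-b", "State": "available"},
]
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}]},
    # One table shared by two subnets in different AZs: priv-c has no NAT of its own.
    {"Associations": [{"SubnetId": "subnet-priv-b"}, {"SubnetId": "subnet-priv-c"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-b"}]},
    # Isolated subnet: no default route at all.
    {"Associations": [{"SubnetId": "subnet-priv-d"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    # Public subnets: default route to the IGW, so NAT alignment does not apply.
    {"Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
]


def check_nat_alignment(subnets, nat_gateways, route_tables):
    """For every subnet with an explicit route table association, report whether its
    0.0.0.0/0 route goes to an available NAT Gateway in the same AZ."""
    az_of_subnet = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    nat_info = {n["NatGatewayId"]: (az_of_subnet[n["SubnetId"]], n["State"]) for n in nat_gateways}
    findings = {}
    for table in route_tables:
        default = next((r for r in table["Routes"] if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
        for assoc in table["Associations"]:
            subnet_id = assoc.get("SubnetId")
            if subnet_id is None:            # main-table association carries no subnet
                continue
            if default is None:
                findings[subnet_id] = "no 0.0.0.0/0 route (isolated: no Internet egress)"
            elif "NatGatewayId" not in default:
                findings[subnet_id] = f"default route via {default.get('GatewayId')} (not NAT; public subnet)"
            else:
                nat_az, state = nat_info[default["NatGatewayId"]]
                if state != "available":
                    findings[subnet_id] = f"NAT {default['NatGatewayId']} is {state}"
                elif nat_az != az_of_subnet[subnet_id]:
                    findings[subnet_id] = (f"cross-AZ: subnet in {az_of_subnet[subnet_id]} "
                                           f"routes via {default['NatGatewayId']} in {nat_az}")
                else:
                    findings[subnet_id] = "ok"
    return findings


if __name__ == "__main__":
    for subnet_id, verdict in sorted(check_nat_alignment(SUBNETS, NAT_GATEWAYS, ROUTE_TABLES).items()):
        print(f"{subnet_id:14} {verdict}")
```

In a real account you would feed the function the output of the three describe calls (boto3 returns the same key names); the only finding that needs action here is subnet-priv-c, which should get its own route table pointing at a NAT Gateway in us-east-1c.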

15
Q

How do NAT Gateways and NAT Instances differ in AWS?

A

NAT Gateway

Highly available within an AZ

Up to 100 Gbps bandwidth

Managed by AWS (no maintenance)

Cost: hourly + data processing

Uses an Elastic IP

No Security Groups required

Not usable by instances in the same subnet

NAT Instance

Requires scripts for multi-AZ failover

Bandwidth depends on EC2 instance type

You manage OS, patches, scaling

Cost depends on EC2 instance type + network charges

Must configure Security Groups

Can optionally be used as a Bastion Host

16
Q

What is a Network ACL in AWS, and how does it control traffic?

A

A NACL acts as a firewall for subnets, controlling inbound and outbound traffic.

Each subnet is associated with exactly one NACL (one NACL can be associated with many subnets); new subnets get the default NACL.

You define numbered rules (1–32766); lower numbers = higher precedence.

Rules are evaluated in ascending order and the first matching rule wins, so a low-numbered allow shadows any later deny for the same traffic.

The final rule (*) denies all unmatched traffic.

New custom NACLs deny everything until rules are added.

Great for blocking specific IPs at the subnet level (security groups cannot express deny rules).

AWS recommends numbering rules in increments of 100 to leave room for inserting rules later.

17
Q

What are the characteristics and rules of the Default NACL in AWS?

A

Allows all inbound and outbound IPv4 traffic by default.

AWS recommends: Do NOT modify the Default NACL — create custom NACLs instead.

Inbound rules include:

Rule 100: Allow all IPv4 traffic

Rule *: Deny all

Outbound rules include:

Rule 100: Allow all IPv4 traffic

Rule *: Deny all

Automatically associated with new subnets unless you specify otherwise.

18
Q

What are ephemeral ports, and why are they required for network connections?

A

For two endpoints to communicate, both must use ports.

A client connects to a server's fixed port (e.g., 443) from a temporary, high-numbered source port, and the server's response is sent back to that ephemeral port.

Ephemeral port ranges vary by OS:

IANA & Windows (Vista and later, including Windows 10): 49152–65535

Many Linux kernels: 32768–60999

NAT Gateways: 1024–65535

Ephemeral ports must be explicitly allowed in NACLs because NACLs are stateless: to accept HTTPS on a web subnet you need an inbound rule for 443 and an outbound rule for the clients' ephemeral range. AWS suggests opening 1024–65535 to cover all client operating systems.

19
Q

How do Security Groups differ from Network ACLs in AWS?

A

Security Groups (SGs)

Operate at the instance level

Stateful: return traffic is automatically allowed

Support allow rules only

All rules are evaluated before deciding

Apply only to instances explicitly attached to the SG

Network ACLs (NACLs)

Operate at the subnet level

Stateless: return traffic must be explicitly allowed

Support allow and deny rules

Rules evaluated in order, lowest number first; first match wins

Automatically apply to all instances in the associated subnet
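To make the stateless/stateful difference concrete, here is an added Python model of NACL evaluation (lowest rule number first, first match wins, implicit "*" deny) run over both halves of a TCP connection. It is example code, not from the flashcards; the rule sets, addresses (RFC 5737 test ranges) and port numbers are constructed, and it illustrates cards 16, 18 and 19 together.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int        # 1..32766; the trailing "*" deny-all rule is implicit in evaluate()
    protocol: str      # "tcp", "udp", "icmp", or "-1" for all protocols
    cidr: str          # source CIDR for inbound rules, destination CIDR for outbound rules
    port_from: int     # port range applies to the packet's destination port (ignored for "-1")
    port_to: int
    action: str        # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    src_port: int
    dst_port: int


def evaluate(rules, packet, direction):
    """NACL semantics: lowest rule number first, first match wins, '*' denies the rest.
    Returns (action, matching rule number)."""
    addr = ipaddress.ip_address(packet.src if direction == "inbound" else packet.dst)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "-1" and rule.protocol != packet.protocol:
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.protocol != "-1" and not rule.port_from <= packet.dst_port <= rule.port_to:
            continue
        return rule.action, rule.number
    return "deny", "*"


def check_connection(inbound, outbound, client, client_port, server, server_port):
    """Run a client's request and the server's reply through a stateless NACL.
    Both directions must be allowed or the TCP handshake never completes."""
    request = Packet("tcp", client, server, client_port, server_port)
    reply = Packet("tcp", server, client, server_port, client_port)
    return {"request": evaluate(inbound, request, "inbound"),
            "reply": evaluate(outbound, reply, "outbound")}


# Constructed rule sets for a public web subnet (not taken from the flashcards).
INBOUND = [
    Rule(50, "tcp", "203.0.113.0/24", 0, 65535, "deny"),   # block one abusive /24 ...
    Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),      # ... before the general HTTPS allow
]
# Outbound only covers the IANA/Windows ephemeral range: Linux clients will break.
OUTBOUND_WINDOWS_ONLY = [Rule(100, "tcp", "0.0.0.0/0", 49152, 65535, "allow")]
# The fix AWS suggests: open 1024-65535 outbound so every client OS gets its reply.
OUTBOUND_FIXED = OUTBOUND_WINDOWS_ONLY + [Rule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]

SERVER = "10.0.1.10"   # constructed private IP of the web instance

if __name__ == "__main__":
    # Linux client, source port 40000 (inside 32768-60999, outside 49152-65535)
    print(check_connection(INBOUND, OUTBOUND_WINDOWS_ONLY, "198.51.100.7", 40000, SERVER, 443))
    print(check_connection(INBOUND, OUTBOUND_FIXED, "198.51.100.7", 40000, SERVER, 443))
    print(check_connection(INBOUND, OUTBOUND_FIXED, "203.0.113.5", 40000, SERVER, 443))
```

The first call is the classic NACL outage: the request is allowed by rule 100 but the reply is dropped by "*", so Windows clients work and Linux clients hang. A security group would need only the inbound 443 rule, because it tracks the connection and passes the reply automatically. Note also that rule 50 is only effective because its number is lower than the allow; renumber it to 200 and the same deny never fires.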

20
Q

What is VPC Peering in AWS, and what are its key properties?

A

Privately connects two VPCs using AWS’s internal network.

Makes VPCs communicate as if on the same network.

CIDR blocks must NOT overlap.

Not transitive — each pair of VPCs must have its own peering connection.

Route tables must be updated in each VPC’s subnets so EC2 instances can reach each other.

21
Q

What important details should you remember about VPC Peering?

A

You can peer VPCs across different AWS accounts.

You can peer VPCs across different regions.

You can reference a security group in a peered VPC, as long as it is in the same region, even across accounts.

22
Q

What are VPC Endpoints (AWS PrivateLink), and why are they used?

A

Allow you to privately connect your VPC to supported AWS services without using IGWs, NAT, VPN, or Direct Connect.

Traffic never leaves the Amazon network.

Two types covered on the exam:

Interface Endpoints → Elastic Network Interfaces (ENIs) in your subnets

Gateway Endpoints → for S3 and DynamoDB only

(A third type, Gateway Load Balancer endpoints, is used to insert inline security appliances.)

Provide secure, scalable, private connectivity; an endpoint policy can further restrict which resources (e.g., which buckets) are reachable through the endpoint.

23
Q

What are the two types of VPC Endpoints in AWS, and how do they differ?

A

Interface Endpoints (PrivateLink-powered)

Create an ENI with a private IP as the entry point

Require a Security Group

Support most AWS services

Cost: hourly + per-GB data processing

Gateway Endpoints

Create a gateway used as a route table target

Do NOT use Security Groups

Support S3 and DynamoDB only

Cost: free

24
Q

When should you use a Gateway Endpoint vs. an Interface Endpoint for Amazon S3?

A

Gateway Endpoint (preferred for exam)

Default recommended option

Free

Use it for almost all in-VPC access to S3

Interface Endpoint

Costs money (hourly + per GB)

Preferred when S3 access is required from:

On-premises networks (VPN or Direct Connect)

Another VPC

Another AWS Region

25
Q

How should a Lambda function inside a VPC access DynamoDB, and why?

A

DynamoDB is a public AWS service (its API endpoints have public IPs).

Option 1 (not ideal): reach it over the public Internet, which requires a NAT Gateway in a public subnet plus an Internet Gateway.

Option 2 (preferred, and free): use a VPC Gateway Endpoint for DynamoDB.

Keeps traffic inside the AWS network.

Removes the need for NAT or an IGW.

Requires updating the route tables of the subnets the function uses (the endpoint is a route table target).
26
Q

What are VPC Flow Logs, and what are they used for?

A

Capture metadata about IP traffic going to and from:

VPCs

Subnets

Elastic Network Interfaces (ENIs)

Help monitor and troubleshoot connectivity issues.

Logs can be sent to S3, CloudWatch Logs, or Kinesis Data Firehose (now Amazon Data Firehose).

Also capture traffic on AWS-managed interfaces (e.g., ELB, RDS, ElastiCache, Redshift, WorkSpaces, NAT Gateway, Transit Gateway).

Flow logs record metadata only (addresses, ports, byte counts, action), not packet payloads; use Traffic Mirroring when you need content inspection.
27
Q

What key fields appear in a VPC Flow Log entry, and what do they help you analyze?

A

Common fields (default v2 format) include:

srcaddr / dstaddr — source and destination IPs

srcport / dstport — source and destination ports

protocol — IANA protocol number (6 = TCP, 17 = UDP)

packets / bytes — volume of traffic in the aggregation window

start / end — Unix timestamps of the capture window

action — ACCEPT or REJECT (the result of SG/NACL evaluation)

log-status — OK, NODATA (no traffic in the window) or SKIPDATA (records dropped)

Used for analytics, troubleshooting, and detecting malicious behavior (e.g., querying with Athena or CloudWatch Logs Insights).
28
Q

How do you use VPC Flow Logs to troubleshoot Security Group and NACL issues?

A

Incoming requests:

Inbound REJECT → could be the NACL or the Security Group.

Inbound ACCEPT + Outbound REJECT → NACL problem (the SG is stateful, so it never rejects the return traffic of an accepted request; only the stateless NACL can).

Outgoing requests:

Outbound REJECT → could be the NACL or the Security Group.

Outbound ACCEPT + Inbound REJECT → NACL problem (same reasoning: the return path is only checked by the NACL).

Key tip: check the action field (ACCEPT or REJECT) on both directions of the flow to determine where the block occurs.
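The decision table above is mechanical enough to script. The following Python is an added example (not from the flashcards) that parses default-format flow log records, pairs the two directions of each flow relative to one ENI, and applies the table from this card and the field list from card 27. The log lines are constructed (the account id is the AWS documentation placeholder, the addresses are RFC 5737 test ranges, the ENI id and its private IP are made up).

```python
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records in the default (v2) flow log format.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f 198.51.100.7 10.0.1.10 40000 443 6 5 520 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f 10.0.1.10 198.51.100.7 443 40000 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.5 10.0.1.10 51234 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.9 10.0.1.10 51240 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 10.0.1.10 192.0.2.80 45000 80 6 4 400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f 192.0.2.80 10.0.1.10 80 45000 6 4 2000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f - - - - - - - 1700000060 1700000120 - NODATA
"""

ENI_IP = "10.0.1.10"   # constructed: the private IP behind eni-0a1b2c3d4e5f


def parse(text):
    """Turn raw flow log lines into dicts, dropping NODATA/SKIPDATA and malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":
            records.append(rec)
    return records


def triage(text, eni_ip):
    """Pair the two directions of each flow and apply the card's decision table."""
    flows = {}
    for rec in parse(text):
        if rec["dstaddr"] == eni_ip:       # traffic arriving at the ENI
            key = (rec["srcaddr"], rec["srcport"], rec["dstport"], rec["protocol"])
            direction = "inbound"
        elif rec["srcaddr"] == eni_ip:     # traffic leaving the ENI
            key = (rec["dstaddr"], rec["dstport"], rec["srcport"], rec["protocol"])
            direction = "outbound"
        else:
            continue
        flows.setdefault(key, {})[direction] = rec["action"]

    verdicts = {}
    for key, actions in flows.items():
        seen = set(actions.values())
        if seen == {"ACCEPT"}:
            verdicts[key] = "ok"
        elif seen == {"ACCEPT", "REJECT"}:
            # A stateful security group never rejects the return half of a flow it
            # accepted, so a split verdict can only come from the stateless NACL.
            verdicts[key] = "NACL: one direction accepted, the other rejected"
        elif len(actions) == 2:
            verdicts[key] = "rejected in both directions: SG or NACL"
        elif "inbound" in actions:
            verdicts[key] = "inbound rejected: SG or NACL"
        else:
            verdicts[key] = "outbound rejected: SG or NACL"
    return verdicts


def rejected_ssh_sources(text, eni_ip):
    """Distinct source IPs whose inbound SSH (tcp/22) attempts were rejected."""
    return {r["srcaddr"] for r in parse(text)
            if r["dstaddr"] == eni_ip and r["protocol"] == "6"
            and r["dstport"] == "22" and r["action"] == "REJECT"}


if __name__ == "__main__":
    for key, verdict in triage(SAMPLE_LOG, ENI_IP).items():
        print(key, "->", verdict)
    print("SSH probes rejected from:", sorted(rejected_ssh_sources(SAMPLE_LOG, ENI_IP)))
```

The key is (remote address, remote port, local port, protocol), which is the same tuple for a request and its reply, so the two records of one connection collapse into one flow. The first two sample lines reproduce the outage from the NACL card: the HTTPS request is accepted, the reply to the client's ephemeral port 40000 is rejected, and the verdict points at the NACL rather than the security group.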
29
Q

How can VPC Flow Logs be integrated into AWS analytics and monitoring architectures?

A

Flow Logs sent to CloudWatch Logs enable:

Contributor Insights (e.g., top-10 source IPs)

Metric Filters → CloudWatch Alarms → SNS alerts

Flow Logs sent to S3 enable:

Athena queries

QuickSight dashboards

Used to analyze traffic patterns, troubleshoot issues, and detect anomalies (e.g., unexpected SSH or RDP attempts).
30
Q

What are the key components of an AWS Site-to-Site VPN?

A

Virtual Private Gateway (VGW): the AWS-side VPN concentrator.

Created and attached to the VPC.

Its ASN (Autonomous System Number) can be customized at creation.

Customer Gateway (CGW): the software or physical device on the customer side.

Must have a publicly routable IP address.

Can sit behind NAT if NAT-T (NAT Traversal) is enabled.
31
Q

What is required to establish an AWS Site-to-Site VPN connection?

A

Requires a Customer Gateway (CGW) device on-premises.

The CGW must use a public, Internet-routable IP address (the AWS tunnel endpoints reach it over the Internet).

If the CGW is behind a NAT device, the VPN can still work if NAT-Traversal (NAT-T) is enabled.
32
Q

What is AWS VPN CloudHub, and when is it used?

A

Enables secure communication between multiple on-premises sites when you have multiple VPN connections to the same VGW.

Provides a low-cost hub-and-spoke model for primary or secondary connectivity.

Works over the public Internet (traffic is still encrypted because each spoke is an IPsec VPN).

To set it up:

Attach multiple VPN connections to the same Virtual Private Gateway (VGW).

Configure dynamic routing (BGP) so the VGW learns each site's routes and re-advertises them to the other sites.

Update route tables accordingly.
33
Q

What is AWS Direct Connect, and what are its key benefits and use cases?

A

Provides a dedicated private network connection from your on-premises data center to AWS.

Requires a dedicated physical connection at an AWS Direct Connect location.

You must create a Virtual Private Gateway (VGW) on your VPC for the private virtual interface to terminate on.

Can access both public AWS services (e.g., S3, via a public virtual interface) and private VPC resources (e.g., EC2, via a private virtual interface).

Use cases:

Higher bandwidth throughput for large data sets

Lower, more predictable latency

Hybrid environments (on-prem + AWS)

Supports IPv4 and IPv6.
34
Q

What is a Direct Connect Gateway, and when do you use it?

A

Allows a single Direct Connect connection to reach multiple VPCs across many Regions (in the same AWS account; VGWs in other accounts can also be associated through an association proposal).

Solves the limitation that a private virtual interface normally terminates on one VGW, i.e., one VPC in one Region.

You attach the Direct Connect Gateway to your Direct Connect private virtual interface, then associate the VGWs of multiple VPCs with it.

Supports private virtual interfaces for routing traffic privately to VPCs.
35
Q

What are the two types of AWS Direct Connect connections and their characteristics?

A

Dedicated Connections

1 Gbps, 10 Gbps, 100 Gbps capacities

A physical Ethernet port dedicated to a single customer

Requested through AWS; the physical cross-connect is then completed by a Direct Connect Partner

Hosted Connections

50 Mbps, 500 Mbps, up to 10 Gbps

Provisioned through AWS Direct Connect Partners

Capacity can be increased or decreased on demand

1, 2, 5, 10 Gbps options at select partners

Setup often has lead times longer than one month, so plan hybrid connectivity early.
36
Q

How is encryption handled when using AWS Direct Connect?

A

Direct Connect traffic is private (it does not traverse the public Internet) but is NOT encrypted by default.

To add encryption, combine Direct Connect + Site-to-Site VPN, which runs an IPsec-encrypted tunnel over the private connection.

This adds an extra security layer but is more complex to configure.

(MACsec link-layer encryption is also available on dedicated 10 Gbps and 100 Gbps connections at supported locations.)
37
Q

How do you design AWS Direct Connect for high resiliency?

A

High Resiliency: one DX connection at each of two (or more) Direct Connect locations, so the loss of a single location or device does not cut connectivity.

Maximum Resiliency: two DX connections at each of two locations, terminating on separate devices in more than one location.

This ensures connectivity even if an entire DX location or device fails.
38
Q

How can a Site-to-Site VPN be used as a backup for AWS Direct Connect?

A

If Direct Connect fails, you can:

Set up a second Direct Connect connection (expensive), or

Use a Site-to-Site VPN as a backup connection.

The VPN provides an encrypted fallback path over the Internet to maintain connectivity (at lower, less predictable bandwidth than DX).
39
Q

What is an AWS Transit Gateway, and what are its key capabilities?

A

Provides transitive peering between thousands of VPCs and on-premises networks.

Uses a hub-and-spoke (star) architecture.

Regional resource, but can work cross-Region via Transit Gateway peering.

Can be shared across AWS accounts using Resource Access Manager (RAM).

Transit Gateway route tables control which attachments (VPCs, VPNs, DX) can communicate, so you can segment traffic instead of allowing any-to-any.

Works with Direct Connect Gateway and Site-to-Site VPN connections.

Supports IP multicast (unique: no other AWS networking service supports it).
40
Q

What is ECMP in the context of Transit Gateway, and how does it help Site-to-Site VPN connections?

A

ECMP = Equal-Cost Multi-Path routing.

Allows packets to be forwarded over multiple equal-cost paths at the same time.

Use case: create multiple Site-to-Site VPN connections to a Transit Gateway.

Benefit: increases total bandwidth to AWS by using multiple parallel VPN tunnels (a single tunnel is limited to 1.25 Gbps).
41
Q

What is VPC Traffic Mirroring and how is it used?

A

Captures and inspects network traffic within your VPC.

Sends copies of packets to security appliances you manage.

Sources: ENIs (Elastic Network Interfaces).

Targets: another ENI or a Network Load Balancer (fronting the appliances).

Can capture all packets or filtered packets (with optional truncation of the packet length).

Works within the same VPC or across VPCs via VPC Peering.

Use cases: content inspection, threat monitoring, troubleshooting.
42
Q

What is IPv6, and how does it differ from IPv4?

A

IPv4 provides about 4.3 billion addresses and is exhausted.

IPv6 is the successor to IPv4.

Designed to provide 3.4 × 10³⁸ unique IP addresses.

Every Amazon-provided IPv6 address in AWS is public and Internet-routable; there is no NAT for IPv6, so use an Egress-Only Internet Gateway to keep instances outbound-only.

Format: 128 bits written as 8 groups of 4 hexadecimal digits (0000–ffff), separated by colons.

Examples:

2001:db8:3333:4444:5555:6666:7777:8888

2001:db8:: (zero-compression: one run of all-zero groups replaced by ::)

::1234:5678 (leading all-zero groups compressed)
43
Q

How does IPv6 operate inside an AWS VPC?

A

A VPC always has an IPv4 CIDR block; IPv4 cannot be disabled at the VPC level.

You can enable IPv6 to run in dual-stack mode (IPv4 + IPv6).

EC2 instances receive:

A private IPv4 address

A public IPv6 address

Instances can use either IPv4 or IPv6 to reach the Internet through an Internet Gateway.

IPv6 traffic is public and globally routable.

(IPv6-only subnets are also supported for Nitro-based instances, but the exam material assumes dual-stack.)
44
Q

Why might you fail to launch an EC2 instance in a subnet, and how do you resolve IPv4 exhaustion issues?

A

In a dual-stack subnet every instance still needs a private IPv4 address.

If an EC2 launch fails, the cause is not IPv6 capacity (a /64 per subnet is effectively unlimited).

The real cause is typically that no IPv4 addresses are left in the subnet (remember that AWS reserves 5 per subnet).

Fix:

Add a new IPv4 CIDR block to the VPC and create a new subnet from it, or

Create a new, larger subnet with more IPv4 capacity and move workloads there.
45
Q

What is an Egress-Only Internet Gateway, and why is it used?

A

Used for IPv6 only.

Plays the role a NAT Gateway plays for IPv4: outbound-only access.

Allows instances in your VPC to initiate outbound IPv6 connections.

Prevents the Internet from initiating inbound IPv6 connections to your instances (it is stateful, so replies to outbound connections are still allowed in).

Requires updating route tables to direct IPv6 ::/0 traffic to the Egress-Only IGW.
46
Q

What core networking components make up an AWS VPC?

A

CIDR: defines the IP range for the VPC.

VPC: Virtual Private Cloud where you define IPv4 & IPv6 CIDR blocks.

Subnets: tied to one Availability Zone; each has its own CIDR.

Internet Gateway (IGW): provides IPv4 & IPv6 Internet access at the VPC level.

Route Tables: must be updated for IGW, VPC Peering, VPC Endpoints, etc.

Bastion Host: public EC2 instance used to SSH into private EC2 instances.

NAT Instance: legacy method for IPv4 Internet access from private subnets.

NAT Gateway: AWS-managed, scalable IPv4 Internet access from private subnets.
47
Q

What additional networking components and rules should you remember for VPC design?

A

NACLs: stateless subnet firewalls; lowest-numbered matching rule applies; 1 subnet = 1 NACL.

Security Groups: stateful firewalls at the ENI/instance level.

VPC Peering: non-transitive private connection between VPCs; CIDRs must not overlap.

VPC Endpoints: private access to AWS services, Gateway (S3/DynamoDB) or Interface (others).

VPC Flow Logs: capture IP traffic metadata for VPCs, subnets, and ENIs.

Site-to-Site VPN: uses a VGW + CGW to connect on-premises to AWS.
48
Q

What additional advanced networking features should you know for AWS VPC?

A

Direct Connect: a private, dedicated connection to an AWS Direct Connect location, reaching the VPC via a Virtual Private Gateway.

Direct Connect Gateway: allows one DX connection to reach multiple VPCs across Regions.

AWS PrivateLink / VPC Endpoint Services: expose a service privately from a service-provider VPC to consumer VPCs.

No VPC Peering, Internet, NAT, or route table changes needed.

Requires a Network Load Balancer on the provider side and an ENI (interface endpoint) on the consumer side.

ClassicLink: connected EC2-Classic instances privately to a VPC (EC2-Classic was retired in August 2022; listed for exam completeness only).

Transit Gateway: transitive peering for VPCs, VPN, and Direct Connect.

Traffic Mirroring: capture and analyze ENI traffic.

Egress-Only Internet Gateway: outbound-only access for IPv6.
49
Q

What are the key rules for understanding AWS networking costs per GB?

A

Inter-Region traffic: ~$0.02/GB

Across Availability Zones using public or Elastic IPs: ~$0.02/GB

Across Availability Zones using private IPs: ~$0.01/GB

Within the same AZ (private IP): free

General tips:

Use private IPs instead of public IPs for lower cost and better performance (traffic stays on the AWS network).

Keep traffic within the same AZ for maximum savings, but at the cost of high availability.
50
Q

How can you reduce egress (outbound) network costs in AWS?

A

Egress = outbound traffic from AWS → typically charged.

Ingress = inbound traffic to AWS → typically free.

Keep as much traffic within AWS as possible to reduce egress charges.

Choose Direct Connect locations co-located in the same AWS Region to lower outbound costs.

Architect apps so that large data transfers happen inside AWS, not back to on-prem (process the data in AWS and send back only the results).
51
Q

What are the key S3 data transfer cost rules for the USA?

A

S3 ingress (uploads): free

S3 → Internet: $0.09/GB for the first 10 TB/month (cheaper tiers exist above that; the slide only highlights the baseline rate)
52
Q

What AWS services can you use to protect your network?

A

NACLs — subnet-level stateless filtering

Security Groups — instance/ENI-level stateful filtering

AWS WAF — protects web apps (behind ALB, CloudFront or API Gateway) from malicious Layer 7 requests

AWS Shield / Shield Advanced — DDoS protection

AWS Firewall Manager — central management of WAF, Shield, Security Group and Network Firewall policies across accounts

If you need sophisticated, VPC-wide protection, use AWS Network Firewall.
53
Q

What is AWS Network Firewall, and what does it protect?

A

Provides Layer 3 to Layer 7 protection for your entire VPC.

Can inspect traffic in any direction:

VPC ↔ VPC

Outbound to the Internet

Inbound from the Internet

Direct Connect & Site-to-Site VPN traffic

Uses AWS Gateway Load Balancer internally; you deploy firewall endpoints in dedicated subnets and steer traffic through them with route tables.

Rules can be centrally managed across accounts using AWS Firewall Manager.

Designed for advanced, VPC-wide network inspection and filtering.
54
Q

What fine-grained controls does AWS Network Firewall provide?

A

Block specific traffic patterns

Block specific IP addresses

Block or allow specific packet payloads (Suricata-compatible rules)

Manage rules centrally across all your accounts

Supports stateful and stateless rule engines for deep inspection