AWS module 5.3 VPC networking Flashcards

(24 cards)

1
Q

Explain the TWO purposes of an Internet Gateway and how it interacts with route tables.

A
  1. It is the target of a route in a subnet's route table (e.g., 0.0.0.0/0 → IGW). That route is what makes a subnet "public"; the IGW itself is attached to the VPC, not to any one subnet.
  2. It performs one-to-one NAT between an instance's private IPv4 address and its public IPv4 or Elastic IP address, so an instance that only knows its private address can exchange traffic with the internet.
2
Q

How would you make a subnet public? Give the full configuration steps.

A

A subnet becomes public when:

An Internet Gateway is created and attached to the VPC

The subnet is associated with a route table that has a route to that Internet Gateway (0.0.0.0/0 → IGW)

Instances in the subnet have public IPv4 or Elastic IP addresses (enable auto-assign public IPv4 on the subnet, or associate an Elastic IP)

The instance's security group and the subnet's network ACL still have to allow the traffic; the route only provides the path

3
Q

Why can a subnet NOT be considered public just by attaching an Internet Gateway to the VPC?

A

Because attaching an IGW to the VPC only makes it available as a route target. A subnet is public only when its associated route table has a route (normally 0.0.0.0/0) whose target is the IGW. Without that route the VPC router has no path for internet-bound packets and drops them, and nothing from the internet can reach the subnet either.

4
Q

Explain the purpose of a NAT Gateway and how it differs from an Internet Gateway.

A

NAT Gateway:
* Lets instances in private subnets initiate outbound connections to the internet (and receive the replies, since it tracks connection state)
* Drops unsolicited inbound connections from the internet, so private instances are never directly addressable
* Rewrites the source address of every outbound packet to its own Elastic IP (many private addresses behind one public address)

Internet Gateway:
* Provides a two-way path: instances with a public IPv4 or Elastic IP can send outbound and can be reached inbound, as long as security groups and network ACLs permit it
* Does one-to-one NAT (one private address to one public address), not many-to-one

5
Q

Why must a NAT Gateway be placed in a public subnet?

A

Because the NAT Gateway itself sends the translated traffic out through the Internet Gateway, so it must sit in a subnet whose route table has 0.0.0.0/0 → IGW. The private subnets route 0.0.0.0/0 to the NAT Gateway, and the NAT Gateway's own subnet routes 0.0.0.0/0 to the IGW. If the NAT Gateway were placed in a private subnet, its packets would have no path to the internet.

6
Q

What additional requirement is needed when creating a NAT Gateway, and why?

A

An Elastic IP address must be allocated and associated with it (for a public NAT Gateway).

Reason:
The NAT Gateway replaces the private source address of every instance behind it with this one static public IP, so it needs a public address of its own. Because the address is static, external parties can also allow-list your egress traffic by that IP. (A private NAT Gateway, which only forwards to other VPCs or on-premises networks, does not use an Elastic IP.)

7
Q

After creating a NAT Gateway, what must be updated for private subnets to access the internet?

A

The route table associated with the private subnets must include:
0.0.0.0/0 → NAT Gateway

A NAT Gateway lives in one Availability Zone. For resilience, create one per AZ and point each AZ's private route table at the NAT Gateway in the same AZ, so an AZ failure does not take down egress for the other AZs.

8
Q

Explain what VPC sharing is and its purpose.

A

VPC sharing lets the account that owns a VPC share its subnets (via AWS Resource Access Manager) with other accounts in the same AWS Organization. Participant accounts launch their own resources into the shared subnets while the owner keeps control of the VPC itself.

Purpose:
* Centralised networking: one team owns the VPC, route tables, gateways and network ACLs
* Resource sharing across accounts without peering or duplicate VPCs

9
Q

Why does AWS recommend using a NAT Gateway instead of a NAT Instance?

A

Because NAT Gateway:
* Is managed by AWS (no OS to patch, no source/destination check to disable)
* Provides higher availability (redundant within its Availability Zone)
* Scales its bandwidth automatically, whereas a NAT instance is limited by its EC2 instance type
* Requires less administrative effort (no failover scripts or instance sizing)

10
Q

What permissions do participants have in shared subnets?

A

They can:
* View
* Create
* Modify
* Delete their own resources (EC2 instances, network interfaces, etc.) within the shared subnets

They cannot see or change resources that belong to other participants, and they cannot modify the VPC itself (route tables, network ACLs, gateways), which stays under the owner account's control.

11
Q

Explain VPC peering and its main function.

A

VPC peering connects two VPCs (in the same or different accounts or regions) so that resources in either VPC can communicate using private IP addresses, as if they were in the same network. The traffic stays on the AWS network and never traverses the public internet.

12
Q

How do route tables enable communication in VPC peering?

A

Each VPC must add a route in the route table of every subnet that needs to talk to the peer:
* Destination → the other VPC's CIDR block
* Target → the peering connection ID (pcx-…)

Creating the peering connection does not add these routes for you; both sides need their own entry, and security groups and network ACLs must still allow the traffic.

13
Q

List THREE restrictions of VPC peering.

A

* CIDR blocks of the two VPCs must not overlap (the router could not tell which side a destination belongs to)
* Only one active peering connection per VPC pair
* No transitive peering (A → B → C is NOT allowed; each VPC needs its own direct peering with every VPC it talks to)

14
Q

Explain what “no transitive peering” means with an example.

A

If VPC A is peered with B, and B is peered with C,
A cannot communicate with C through B. Adding a route in A for C's CIDR that points at the A–B peering connection does not help: a peering connection only forwards traffic between its own two VPCs, so the packet is dropped. A needs its own peering connection with C.
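The three rules on these peering cards (non-overlapping CIDRs, one connection per pair, no transitive routing) can be checked mechanically. The following is an added example, not code from the flashcard set or from AWS: it models a constructed three-VPC topology with hypothetical peering IDs (pcx-ab, pcx-bc) and shows that a route for C's CIDR pointed at the A–B peering is dropped, because the peering only forwards between its two members.

```python
import ipaddress
from typing import Optional

# Constructed topology; the CIDRs and pcx IDs below are hypothetical.
VPC_CIDR = {
    "A": "10.0.0.0/16",
    "B": "10.1.0.0/16",
    "C": "10.2.0.0/16",
    "D": "10.0.128.0/17",   # deliberately overlaps A, to exercise the overlap rule
}


def net(cidr: str):
    return ipaddress.ip_network(cidr)


def peering_problem(peerings: dict, requester: str, accepter: str) -> Optional[str]:
    """Return why a peering request would be rejected, or None if it is acceptable.
    Mirrors the restrictions AWS enforces on VPC peering."""
    if requester == accepter:
        return "a VPC cannot peer with itself"
    if net(VPC_CIDR[requester]).overlaps(net(VPC_CIDR[accepter])):
        return f"CIDR blocks of {requester} and {accepter} overlap"
    if any({requester, accepter} == set(pair) for pair in peerings.values()):
        return f"{requester} and {accepter} already have an active peering connection"
    return None


def request_peering(peerings: dict, pcx_id: str, requester: str, accepter: str) -> dict:
    problem = peering_problem(peerings, requester, accepter)
    if problem:
        raise ValueError(problem)
    return {**peerings, pcx_id: (requester, accepter)}


def peering_routes(vpc: str, peerings: dict) -> list:
    """The routes `vpc` must add: (other side's CIDR, pcx id), one per peering it is in.
    Both VPCs need their own entry; creating the peering does not add routes."""
    routes = []
    for pcx, (x, y) in peerings.items():
        if vpc in (x, y):
            other = y if vpc == x else x
            routes.append((VPC_CIDR[other], pcx))
    return routes


def reachable(src_vpc: str, dst_ip: str, routes: list, peerings: dict) -> bool:
    """Simulate a packet leaving src_vpc. A pcx target forwards only to the other
    member of that exact peering; a route for a third VPC's CIDR is dropped."""
    ip = ipaddress.ip_address(dst_ip)
    if ip in net(VPC_CIDR[src_vpc]):
        return True  # the VPC's own 'local' route
    for cidr, pcx in routes:  # peer CIDRs cannot overlap, so first match is sufficient
        if ip in net(cidr):
            x, y = peerings[pcx]
            if src_vpc not in (x, y):
                return False  # route points at a peering this VPC is not part of
            other = y if src_vpc == x else x
            return ip in net(VPC_CIDR[other])
    return False  # no route at all


PEERINGS = request_peering({}, "pcx-ab", "A", "B")
PEERINGS = request_peering(PEERINGS, "pcx-bc", "B", "C")
ROUTES_A = peering_routes("A", PEERINGS)
ROUTES_B = peering_routes("B", PEERINGS)
# An attempt to make A -> C work transitively by pointing C's CIDR at the A-B peering:
ROUTES_A_TRANSITIVE = ROUTES_A + [("10.2.0.0/16", "pcx-ab")]

if __name__ == "__main__":
    print("A -> B:", reachable("A", "10.1.0.5", ROUTES_A, PEERINGS))
    print("A -> C, no route:", reachable("A", "10.2.0.5", ROUTES_A, PEERINGS))
    print("A -> C, route via pcx-ab:", reachable("A", "10.2.0.5", ROUTES_A_TRANSITIVE, PEERINGS))
    print("B -> C:", reachable("B", "10.2.0.5", ROUTES_B, PEERINGS))
    print("A <-> D:", peering_problem(PEERINGS, "A", "D"))
    print("B <-> A again:", peering_problem(PEERINGS, "B", "A"))
```

The transitive case is the one worth noticing: the route lookup in A succeeds, but the peering connection still refuses the packet because 10.2.0.5 is not inside B's CIDR. That is why the fix is a direct A–C peering, not another route.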

15
Q

How can a VPC connect to an on-premises (remote) network?

A

Using a Site-to-Site VPN (two IPsec tunnels over the internet):

Steps:
* Create a Virtual Private Gateway and attach it to the VPC (a Transit Gateway can take this role instead)
* Create a Customer Gateway that represents the on-premises VPN device (its public IP and BGP ASN)
* Create the VPN connection between the Virtual Private Gateway and the Customer Gateway, and configure the on-premises device from the downloaded configuration
* Update the VPC route tables with routes for the on-premises CIDR → Virtual Private Gateway (or enable route propagation)
* Update security groups and network ACLs to allow traffic from the on-premises address ranges

16
Q

What is a major limitation of VPN connections in cloud networking?

A

The tunnels run over the public internet, so latency and throughput vary with the path and can degrade, especially if the data centre is far from the AWS region. Each tunnel is also capped at a fixed bandwidth (about 1.25 Gbps), so a VPN does not suit large or latency-sensitive transfers.

17
Q

What is AWS Direct Connect and when should it be used?

A

A dedicated private network connection between on-premises infrastructure and AWS that bypasses the public internet.

Used when:
* Low latency is required
* Stable and consistent performance is needed
* Large volumes of data are transferred regularly

Caveat: Direct Connect traffic is not encrypted by default; run a Site-to-Site VPN over the Direct Connect link when encryption in transit is required.

18
Q

What is a VPC Endpoint (Gateway Endpoint) and what is its purpose?

A

A route table target that lets instances reach Amazon S3 or DynamoDB (the only two services gateway endpoints support) without using the internet. It appears in the route table as a route whose destination is the service's prefix list and whose target is the endpoint (vpce-…), so private subnets with no NAT Gateway or IGW can still use those services. It has no cost and no bandwidth limit.

19
Q

Why is traffic through a VPC Endpoint considered more secure?

A

Because it does not leave the AWS network, so it is not exposed to interception on the public internet and the subnet does not need an internet path at all. An endpoint policy can additionally restrict which buckets or tables may be reached through the endpoint.

20
Q

What is AWS PrivateLink and how does it improve security?

A

PrivateLink provides private connectivity to AWS services, AWS Marketplace services and your own services via VPC interface endpoints. An interface endpoint is an elastic network interface with a private IP address in your subnet, so the service is reached at an address inside your VPC.

It improves security by:
* Eliminating exposure to the public internet (no IGW or NAT Gateway needed)
* Keeping traffic within AWS infrastructure
* Letting you attach security groups and an endpoint policy to the endpoint, so access to the service can be restricted like any other network resource

21
Q

Compare VPC Peering vs PrivateLink in terms of connectivity.

A

VPC Peering:
* Full network-to-network connection
* Bidirectional: either side can initiate connections to any address in the other VPC
* Requires non-overlapping CIDR blocks

PrivateLink:
* Service-level connection: the consumer sees one endpoint, not the provider's network
* Unidirectional: only the consumer initiates connections to the service
* More controlled and secure; no full network exposure
* Works even when the two VPCs have overlapping CIDR blocks

22
Q

A company wants private instances to access the internet but prevent inbound connections. Design the architecture.

A
  • Private subnet for the instances (no public IPv4 addresses assigned)
  • NAT Gateway, with an Elastic IP, in a public subnet
  • Internet Gateway attached to the VPC
  • Route tables:

Private subnet: 0.0.0.0/0 → NAT Gateway

Public subnet: 0.0.0.0/0 → Internet Gateway

Outbound connections from the instances are translated to the NAT Gateway's Elastic IP; inbound connections from the internet cannot reach the instances because they have no public IP and nothing routes to them.

23
Q

If a private subnet has a route to an Internet Gateway, will it work? Why or why not?

A

No.
Adding the IGW route technically makes the subnet "public", but the IGW can only forward traffic for instances that have a public IPv4 or Elastic IP to translate to. Instances with only a private address have no public counterpart, so their packets are dropped at the IGW even though the route exists. They also remain unreachable from the internet. Such instances need a NAT Gateway route for outbound access, or a public IP if they are meant to be public.
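The last few cards all reduce to two rules: the VPC router picks the most specific matching route, and an IGW route only helps an instance that has a public address to be translated to. The following is an added example, not code from the flashcard set or from AWS: it models those rules over a constructed VPC (10.0.0.0/16) with hypothetical gateway IDs, and reproduces the NAT architecture above and the failure case in this card.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Gateway IDs, addresses and subnets in this file are constructed, not real ones.


@dataclass(frozen=True)
class Route:
    destination: str  # CIDR, e.g. "0.0.0.0/0"
    target: str       # "local", "igw-...", "nat-...", "pcx-...", "vgw-..."


@dataclass(frozen=True)
class Instance:
    name: str
    private_ip: str
    public_ip: Optional[str] = None  # public IPv4 or Elastic IP, if any


def resolve_route(routes: list, dst_ip: str) -> Optional[Route]:
    """Longest-prefix match, as the VPC router does. The VPC's 'local' route is more
    specific than 0.0.0.0/0, so in-VPC destinations never leave through a gateway."""
    ip = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for route in routes:
        net = ipaddress.ip_network(route.destination, strict=False)
        if ip in net and net.prefixlen > best_len:  # a v6 address is never 'in' a v4 network
            best, best_len = route, net.prefixlen
    return best


def is_public_subnet(routes: list) -> bool:
    """AWS's definition: the subnet's route table has a route whose target is an IGW."""
    return any(r.target.startswith("igw-") for r in routes)


def internet_egress(instance: Instance, routes: list, dst_ip: str = "203.0.113.10"):
    """Return (path, reason) for a packet from `instance` to `dst_ip`.
    path is 'local', 'igw', 'nat', or None when the packet is dropped."""
    route = resolve_route(routes, dst_ip)
    if route is None:
        return None, "no matching route"
    if route.target == "local":
        return "local", "destination is inside the VPC"
    if route.target.startswith("nat-"):
        return "nat", f"source NAT to the NAT gateway's Elastic IP via {route.target}"
    if route.target.startswith("igw-"):
        if instance.public_ip is None:
            # The IGW maps private <-> public one-to-one; with no public IP there is
            # nothing to translate to, so the packet is dropped despite the route.
            return None, "route points at an IGW but the instance has no public/Elastic IP"
        return "igw", f"1:1 NAT {instance.private_ip} -> {instance.public_ip} via {route.target}"
    return None, f"target {route.target} is not an internet path"


def accepts_inbound(instance: Instance, routes: list) -> bool:
    """Unsolicited inbound from the internet arrives only through an IGW, and only for
    an instance that has a public IP to be addressed by (SG/NACL must still allow it)."""
    return is_public_subnet(routes) and instance.public_ip is not None


# Constructed topology
VPC_CIDR = "10.0.0.0/16"
PUBLIC_RT = [Route(VPC_CIDR, "local"), Route("0.0.0.0/0", "igw-0example")]
PRIVATE_RT = [Route(VPC_CIDR, "local"), Route("0.0.0.0/0", "nat-0example")]

web = Instance("web", "10.0.1.10", public_ip="198.51.100.7")  # public subnet, has a public IP
app = Instance("app", "10.0.2.20")                             # private subnet, behind the NAT
stray = Instance("stray", "10.0.1.30")                         # IGW route but no public IP

if __name__ == "__main__":
    for inst, rt in [(web, PUBLIC_RT), (app, PRIVATE_RT), (stray, PUBLIC_RT)]:
        path, why = internet_egress(inst, rt)
        print(f"{inst.name:6} public_subnet={is_public_subnet(rt)!s:5} egress={path} "
              f"inbound={accepts_inbound(inst, rt)}  ({why})")
    # In-VPC traffic stays on the local route even though 0.0.0.0/0 also matches
    print(internet_egress(app, PRIVATE_RT, dst_ip="10.0.1.10"))
```

The `stray` instance is this card's situation: a subnet whose route table points at the IGW, and an instance with no public address. The route lookup succeeds, the translation step has nothing to work with, and the packet goes nowhere.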

24
Q

Why is Elastic IP important in NAT Gateway architecture but not necessarily in public instances?

A

Because the NAT Gateway needs one static public IP that represents every private instance behind it, and that address must stay fixed so routing and any external allow-lists keep working. A public instance only needs some public address of its own: an auto-assigned public IPv4 is enough, even though it changes if the instance is stopped and started. An Elastic IP is only needed on a public instance when its address must stay constant (for example, because it is in DNS or on a partner's allow-list).