Top 20 AWS VPC Interview Questions

Top 20 AWS VPC interview questions

Below we’ve detailed a list of 20 most popular AWS VPC interview questions. First, you go through the title of each question and then get to the heart of their answer one by one. Answers have been as much simplified as possible.

1. What is the actual definition of the term “VPC”?

Answer: Well, VPC is a private network space within the Amazon cloud that enables you to launch AWS resources. It’s the actual networking layer of Amazon EC2, about which we have already discussed. Each private network you create on the cloud will be logically separated from other virtual networks in the cloud.

Although the structure of VPC looks similar to a standard network that you’d operate in a data center, a VPC will have the benefits of the scalable infrastructure of AWS. Another major advantage of VPC is that it is fully customizable. You can create subnets, set up root tables, configure network gateways, setup network access control lists, choose IP address range, and many more in a Virtual Private Cloud.

2. What are the components of Amazon VPC?

Answer: The foremost element in Amazon VPC architecture is VPC network itself. It’s a logically separated part of AWS cloud. It’s possible to define your Virtual Private Cloud’s IP address from the range you’ve chosen. The second element is the Internet Gateway which is the connecting point between your VPC and the public internet. Subnets are the functional parts of your private cloud’s IP address range.

NAT Gateways are used to connect between instances of your private subnet with internet or other AWS services. Customer Gateways are your side of a VPN connection in AWS while Virtual Private Gateways are Amazon VPC side of VPN connection. This type of questions lies under the general or basic AWS VPC interview questions. Whether you are a fresher or have some experience, you may come across such questions so get prepared with the answer.

Components of Amazon VPC with Brief description:

ElementBrief description
Virtual Private Cloud (VPC)A logically isolated virtual network in the AWS cloud. You define a VPC’s IP address space from a range you select.
SubnetA segment of a VPC’s IP address range where you can place groups of isolated resources.
Internet GatewayThe Amazon VPC side of a connection to the public Internet.
NAT GatewayA highly available, managed Network Address Translation (NAT) service for your resources in a private subnet to access the Internet.
Hardware VPN ConnectionA hardware-based VPN connection between your Amazon VPC and your datacenter, home network, or co-location facility.
Virtual Private GatewayThe Amazon VPC side of a VPN connection. The Customer gateway is the customer side of a VPN connection.
Peering ConnectionA peering connection enables you to route traffic via private IP addresses between two peered VPCs
VPC EndpointEnables Amazon S3 access from within your VPC without using an Internet gateway or NAT, and allows you to control the access using VPC endpoint policies.

3. What are Internet Gateways in VPC?     

Answer: An Internet Gateway is highly available, horizontally scaled VPC component. Gateways establish coherent connections between your Amazon VPC network and the internet. There can be only one gateway associated with each VPC. These are the VPC components that provide NAT (Network Address Translation) for instances which have already assigned public IP addresses. In the case of internet routable traffic, such a gateway provides a target in your VPC route tables.

Also Read: How to Build Virtual Private Cloud (VPC) in AWS

4. What is a NAT Device?

Answer: A NAT device in your VPC will enable instances in the private subnet to trigger outbound IPv4 traffic to other AWS services/internet while hindering inbound traffic initiated on the internet. Here when traffic goes out to the internet, IP address gets replaced by NAT device’s address and when the response comes back to the instances, the device translates the address of instances back to the private IP addresses. AWS has two types of NAT devices – NAT instance and NAT gateway. Linux AMIs are configured to run as NAT instances. NAT does not support IPv6 as well.

5. What is a subnet in VPC?

Answer: According to AWS documentation, subnets are nothing but a range of IP addresses in your VPC. It is possible to launch the resources of AWS into your desired subnet. For resources that need internet access, you can use a public subnet. Whereas for resources that don’t need the internet, a private subnet is sufficient.

The default subnet in your VPC must have the netmask value 20 that can give up to 4096 addresses per subnet. The subnet is always confined within a single availability zone whereas VPC can span across multiple zones.

Want to become an AWS Certified Architect? Start your preparation now for the AWS Certified Solutions Architect Associate exam.

6. What is the default VPC? Explain its advantages.

Answer: The questions based on default VPC are among the top AWS VPC interview questions. It’s a logically isolated virtual network that gets created automatically in AWS cloud for an account when the user makes use of Amazon EC2 resources for the first time.

You can alter the components of the default VPC as per your need. There are several advantages of a default VPC. Here, a user can access high-level features such as different IPs, network interfaces without creating a separate VPC or launching instances.

7. What is ELB (Elastic Load Balancing) and how does it affect VPC?

Answer: As the name implies ELB is a load balancer service for AWS deployments. A load balancer divides the amount of work a computer has to do into more computers and get it done faster. In the same way here ELB distributes incoming application traffic into multiple targets like EC2 instances.

There are 3 types of ELBs to ensure scalability, availability, and security for ensuring your applications as fault tolerant. These are classic, network, and application load balancers. Network and application load balancers can be used in conjunction with VPC and these can route traffics to targets within VPCs.

Also, learn about Amazon Route 53 and Route 53 Pricing.

8. What do you know about VPC Peering? 

Answer: You may be asked about the AWS VPC peering bandwidth in AWS VPC interview. It’s simply the networking connection between two VPs in the same network. It’s possible to create a VPC peering connection between your own VPs or VPC with another AWS account within the same region. It’s not needed for AWS to break the existing VPC infrastructure to enable VPC peering. There is no need of a special hardware for this purpose. It’s not creating a VPN connection or network gateway within the AWS.

The main intention behind such a connection is to facilitate data transfer across multiple VPNs spanning different AWS accounts. This type of peering is a one-to-one relationship wherein transitive connection is not supported.  And while talking about AWS VPC peering bandwidth, there are no bandwidth limitations for peering connections as well.

Know More:

9. What are the differences between Private, Public & Elastic IP Addresses?

Answer: The questions based on Elastic Network Interfaces are among the most common AWS VPC interview questions.

As the name implies, private IP addresses are IP addresses that aren’t accessible over the internet. If you want to communicate between instances in the same network, private IPs are used. At an instance launching time, a private IP from subnet’s IP address range and a DNS hostname is assigned to eth0 of the instance (default network interface).

A private IP address remains associated with the network interface will get released only when the instance is terminated (not when the instance is stopped or restarted). On the contrary, a public IP address is easily accessible over the internet.

When you launch a VPC instance, one public IP will automatically assign to the instance which isn’t associated with your AWS account. Every time you restart and stop the instance, AWS will allocate a new public IP to the instance. The main difference between a public and elastic IP is that elastic IP is persistent. It’ll be associated with your AWS account until you terminate it. Anyhow, you can detach elastic IP from one instance and attach the same IP to a different instance. Elastic IP is also accessible over the internet.

10. Is there any limit to the number of VPCs, subnets, gateways, VPNs that I can create?

Answer: Yes, there is definitely a limit. You can create 5 VPCs per region. If you want to increase this limit, you’ve to increase the number of internet gateways by the same number. And, per VPC 200 subnets are allowed. 5 elastic IP addresses are allowed per region. The number of Internet, VPN and NAT gateways per region is also set to 5.

Anyhow, customer gateways are allowed to 50 per region. One can create 50 VPN connections per region. It is highly recommended to cover questions based on connectivity while going through the top AWS VPC interview questions.

Read Now: Amazon Braket

11. Can you illustrate what is CIDR Routing in VPC?

Answer: The questions based on IP address are the common among frequently-asked AWS VPC interview questions. This CIDR question can be answered in the following manner. Classless inter-domain routing (CIDR) is a set of Internet protocol (IP) standards that are used to allocate IP addresses for networks and individual devices. With CIDR, a single IP address can be used to pick many unique IP addresses.


Generally, A CIDR IP looks like a normal IP address except there is a slash followed by a number in CIDR. This part is called the IP network prefix. In VPC, CIDR block size can be from /16 to /28 in case of IPv4. When you’re creating a VPC, you actually have to specify a range of IP address in form of CIDR just like This CIDR is the primary CIDR block of your VPC.

CIDR offers the benefits of effective management of available IP address space and reduce the number of routing table entries. If you are still wondering what does CIDR stand for, learn more!

12. What are Security Groups in VPC?

Answer: In VPC, a security group’s function is to manage the traffic for the instances. Instances can be single in number or many. Actually, it does act as a virtual firewall that can control inbound and outbound traffic for different EC2 instances. You can manually add rules to each security group to control the traffic within the associated instances.

In AWS console, security groups can be located in both VPC and EC2 sections. By default, all security groups allow outbound traffic. In the same way, you can define rules to allow inbound traffic. But one thing- you are only allowed to create “allow” rules rather setting up denial rules to restrict security permissions. Also, it’s possible to change the rules of a security group irrespective of the time and the process of changing rules will take place instantly. You may come across questions on security in an AWS VPC interview, so we’ve included it in our list of the best AWS VPC interview questions.

Must Read: How to improve connectivity and secure your VPC resources?

13. What do you mean by Network ACLs (Access Control List) in VPC?

Answer: Network ACLs does the similar function of a network security group in VPC; IE controlling inbound and outbound traffic in VPC. The main difference between a network ACL and a security group is that the latter’s role is to act as a firewall for associated EC2 instances whereas an ACL’s role is to serve firewall job for associated subnets. Your VPC generates an ACL automatically by default and it’s modifiable. Unlike a security group, this default network ACL allows all inbound and outbound traffic by default. And it’s possible to associate an ACL with multiple subnets. But at a time, only one subnet can be associated with a network ACL.

You can also create your own custom ACL and it can be associated with a subnet. Such an ACL denies all types of inbound/outbound traffic until you add rules to it. 

14. What is stateful and stateless filtering?

Answer: A stateful filtering checks the origin of the request and triggers automatic replay to the originating computer. On the other hand, stateless filtering only examines the source and destination IPs ignoring whether it’s a new request or replay to a request.

In VPC, security groups carry out stateful filtering whereas network ACLs perform stateless filtering. Filtering based questions are generally asked in the interview among other popular AWS VPC interview questions so you need to prepare yourself with the answer.

Also Read: AWS OpsWorks

15. What are the functions of an Amazon VPC router?

Answer: VPC router allows Amazon EC2 instances within subnets to interact with Amazon EC2 instances in other subnets within the same VPC. Virtual private gateways, subnets and Internet gateways, etc. can also communicate with each other by means of a VPC router.

Amazon KMS is a managed service that is integrated with various other AWS Services. You can use it in your applications to create, store and control encryption keys to encrypt your data. Learn AWS KMS Key Management Service.

16. How much Amazon charge you for sharing their cloud space with you?

Answer: Basically for a VPN connection to your VPC, Amazon charges nearly $0.5 for an hour. There is an option to terminate your VPN connection through AWS consoled if you don’t want to charge for this.

AWS internet gateway pricing charges vary through different geographic locations. You’ll be charged from $0.045 up to $0.054 per gateway-hour and GBs of data processed based on your location. Similarly, in the case of VPC peering pricing, the rates depend on the location of VPCs and peering connection. If both are in the same region, the charge of transferring data within a peering connection remains same as the transfer of data within the zone itself.

In case if they are placed in different regions, region data rate costs will apply. You may come across at least one question based on VPC peering pricing so here we’ve covered it under the most common AWS VPC interview questions and answers.

17. What is PrivateLink from AWS?

Answer: PrivateLink provides utmost availability and scalability for AWS customers to access their services maintaining the traffic within the AWS network. It delivers private connections between VPCs, on-premises applications, etc. securely on Amazon network.

18. What is ClassicLink in VPC?

Answer: If you want to connect Amazon EC2-classic instances to VPC, you have to use ClassicLink. This work only within the same region and this makes use of private IP addresses. Its working is simple- you just have to enable ClassicLink in your VPC account and associate a security group from VPC to EC2-classic instance.

This type of questions are the additions AWS VPC interview questions that you shouldn’t miss so prepare yourself with the answer.

19. What is so special about VPC that stands out it from other private clouds?

Answer: There’s no need for a particular hardware, physical data centers or virtual private networks if you want a private network within the cloud – AWS VPC will provide it. The advanced security features of VPC makes it almost invulnerable to privacy & security threats.

20. What is a VPS?  

Answer: Beginners who were trying AWS VPC interview questions for the first time used to get confused with this question, since these terms look similar.

Actually, VPS or Virtual Private Server is none other than the host server offered by web hosting companies like BlueHost and GoDaddy (These companies also provide shared hosting services wherein the server is shared by several users). Here, a single host divided to multiple virtual units, each having an independent function. Each of these units is virtual private servers which can work without depending on one another. You’ll get access to the complete physical server including root access.

In the case of VPC, its functions are similar to that of a VPS but its servers don’t have to place in a single location.

Also Read: CNAME vs Alias

Final Words 

Hope, we’ve covered most of the frequently asked AWS VPC interview questions asked during many interviews of the companies that are using AWS services. You can get placed even in Amazon itself if you’re competent enough with necessary skills and a valid AWS certification in hand. We will try to regularly update this guide so as to make you competent enough in this highly sought after career. If you come across any doubts, feel free to check our extensive collection of AWS resources.

It is important to prepare yourself with the latest AWS VPC interview questions while going for an AWS interview to crack it. Besides, having an AWS certification also increases your chance of getting selected in the interview. So, start preparing for the AWS Certifications to add a credential in your resume and get a better job.