AWS VPC Interview Questions (4–6 Yrs Experience)

VPC Basic to Intermediate Concepts (AWS)

  1. What is a VPC and why is it needed in AWS?
  2. What are the key components of a VPC?
  3. Differentiate between public and private subnets.
  4. How do you make a subnet public or private?
  5. What is the difference between a route table and a network ACL?
  6. How do security groups and NACLs differ?
  7. What is the CIDR range and how do you plan it in VPC design?
  8. What is the purpose of an Internet Gateway (IGW)? Can you attach it to multiple VPCs?

Advanced Configuration and Real-Time Scenarios (AWS)

  1. How would you connect two VPCs? What are the pros and cons of VPC Peering vs Transit Gateway?
  2. Can you explain how NAT Gateway works? When would you use it?
  3. Have you configured VPN or Direct Connect in a VPC? What are the use cases?
  4. How do you secure a VPC to allow access only from a specific IP range or service?
  5. How would you troubleshoot connectivity issues in a VPC?
  6. Can a private subnet access the internet? If yes, how?
  7. Explain how DNS resolution works in a VPC.

Design and Best Practices (AWS)

  1. How would you design a VPC for a multi-tier application (Web, App, DB)?
  2. What best practices do you follow for subnetting and IP range planning?
  3. What is a flow log in VPC? What insights can you gain from it?
  4. What is the impact of overlapping CIDR blocks in VPC peering?
  5. How would you design a VPC for high availability and fault tolerance?

Scenario-Based Questions (AWS)

  1. You are asked to allow external users to access a web app hosted in a private subnet. How would you do it securely?
  2. A VPC peering connection is established, but traffic is not flowing. What would you check?
  3. Your NAT Gateway is costing too much. What alternatives would you consider?
  4. You need to allow your EC2 instances in private subnets to pull data from S3 without going over the internet. How would you achieve that?
  5. How do you restrict SSH access to only a jump box or bastion host in a VPC?

VNet Security and NSGs (Azure)

  1. What is a Network Security Group (NSG)? How does it work?
  2. How are NSGs different from Azure Firewall?
  3. Where can you associate an NSG in Azure (subnet vs. NIC)?
  4. What happens if you apply NSGs at both subnet and NIC levels?
  5. Can NSGs be used to block traffic between subnets? How?
  6. What are Application Security Groups (ASGs) and how are they used in NSGs?
  7. Can NSGs be applied to VPN Gateway subnets? Why or why not?
  8. How do you monitor and troubleshoot denied NSG traffic?
  9. What is the default behavior of NSG inbound and outbound rules?
  10. Can you restrict RDP or SSH access using NSGs securely?

Flow Logs (Azure)

  1. What are Network Watcher Flow Logs in Azure?
  2. How do flow logs help in troubleshooting and security auditing?
  3. What are the retention options for flow logs in Azure?
  4. Can flow logs be integrated with other tools like Log Analytics or Sentinel?
  5. What is the performance impact of enabling flow logs?
  6. What is the difference between NSG flow logs version 1 and version 2?
  7. How would you use flow logs to detect suspicious activity?
  8. Can you visualize NSG flow logs? If so, how?
  9. What are common scenarios where flow logs are crucial?
  10. How do flow logs work with peered VNets?

VNet Peering (Azure)

  1. What is VNet Peering in Azure and how does it differ from VPN Gateway connections?
  2. What is the difference between global and regional peering?
  3. Can you apply NSGs between peered VNets?
  4. Can you use overlapping IP ranges in VNet peering? Why or why not?
  5. What happens if you delete a peering connection from one side only?
  6. What limitations should be considered when planning for transitive peering?
  7. Can you use custom DNS across peered VNets?
  8. Is traffic between peered VNets encrypted?
  9. How does bandwidth cost work in VNet peering?
  10. Can you peer VNets across different Azure subscriptions or tenants?

Azure Firewall

  1. What is Azure Firewall? How is it different from NSGs and Application Gateway?
  2. How do you deploy Azure Firewall in a hub-and-spoke architecture?
  3. What are Firewall policies and how do they simplify rule management?
  4. How does threat intelligence-based filtering work in Azure Firewall?
  5. Can Azure Firewall perform TLS inspection?
  6. How does Azure Firewall handle DNS filtering?
  7. What’s the difference between Azure Firewall and a third-party NVA?
  8. What are NAT and DNAT rules in Azure Firewall?
  9. Can you use Azure Firewall with Forced Tunneling?
  10. How do you monitor and log traffic through Azure Firewall?

VPC Security and Network ACLs / Security Groups (AWS)

  1. What is the difference between Security Groups and Network ACLs in AWS?
  2. Can you block a specific IP using a Security Group?
  3. How do you design security for a multi-tier app in a VPC (Web, App, DB)?
  4. What are the default rules in a Security Group?
  5. How do you secure your EC2 instances in private subnets?
  6. What’s the best practice to allow internal traffic between EC2s across different subnets?
  7. How would you allow only a specific IP to access port 22 of an EC2 instance?
  8. Can NACLs be stateful? What are the implications of that?
  9. What would happen if both NACL and SG allow the traffic in, but NACL denies it out?
  10. How do you control outbound traffic to the internet from private subnets?

VPC Flow Logs (AWS)

  1. What are VPC Flow Logs and where can they be enabled?
  2. What kind of traffic can you capture using VPC Flow Logs (accepted, rejected, all)?
  3. Where can you send Flow Logs – CloudWatch or S3? What are the pros and cons?
  4. How can you use flow logs to troubleshoot connectivity issues?
  5. What are the limitations of VPC Flow Logs (e.g., UDP traffic capture)?
  6. How would you use flow logs to detect a DDoS or scanning attempt?
  7. What fields are included in a VPC flow log record?
  8. Can flow logs be enabled at the VPC level?
  9. Do VPC Flow Logs capture traffic to/from Amazon DNS and VPC endpoints?
  10. How do you aggregate or visualize VPC Flow Logs for analysis?

VPC Peering (AWS)

  1. What is VPC Peering? What are its use cases?
  2. Can peered VPCs communicate across regions?
  3. What are the limitations of VPC Peering in terms of transitive routing?
  4. Can two VPCs with overlapping CIDR blocks be peered?
  5. How do route tables change when peering is configured?
  6. How do you troubleshoot traffic not flowing between peered VPCs?
  7. Can you use security groups across peered VPCs?
  8. How is VPC Peering billed?
  9. What’s the difference between VPC Peering and Transit Gateway?
  10. Is VPC Peering encrypted by default?

AWS Network Firewall

  1. What is AWS Network Firewall and how does it differ from Security Groups and NACLs?
  2. What are stateful vs stateless rules in AWS Network Firewall?
  3. How do you deploy AWS Network Firewall in a centralized architecture?
  4. Can AWS Network Firewall inspect east-west traffic?
  5. What types of rule groups can you configure in AWS Network Firewall?
  6. How do you log and monitor traffic using AWS Network Firewall?
  7. What is the role of Suricata rules in AWS Network Firewall?
  8. How do you handle TLS traffic inspection with AWS Network Firewall?
  9. How does AWS Network Firewall integrate with Route Tables and Subnet routing?
  10. What are the limitations of AWS Network Firewall compared to third-party solutions?

Site-to-Site VPN (AWS)

  1. What is an AWS Site-to-Site VPN? How is it different from Client VPN?
  2. What components are needed to establish a Site-to-Site VPN connection?
  3. What are the two tunnels in a VPN connection used for?
  4. How does AWS ensure high availability in Site-to-Site VPNs?
  5. What encryption protocols are used in AWS VPN connections?
  6. What happens if one VPN tunnel goes down? How do you monitor failover?
  7. How do you configure BGP vs Static routing in AWS VPN?
  8. Can you connect multiple on-prem networks to the same VPC via VPN?
  9. What are the bandwidth and latency considerations for VPN vs Direct Connect?
  10. How would you troubleshoot a non-working VPN tunnel in AWS?

VPC Endpoints (AWS)

  1. What is the difference between an Interface Endpoint and a Gateway Endpoint?
  2. Which AWS services support Gateway Endpoints?
  3. How do VPC Endpoints enhance security for accessing AWS services?
  4. Can you use VPC Endpoints to restrict internet access for EC2 instances?
  5. What is PrivateLink and how does it relate to Interface Endpoints?
  6. How do you restrict access to an S3 bucket using a VPC Endpoint policy?
  7. Can you use VPC endpoints across accounts or regions?
  8. How do DNS names work for Interface Endpoints?
  9. What are the limitations of VPC Endpoints?
  10. Can VPC Endpoints be used with Transit Gateway?

AWS Direct Connect

  1. What is AWS Direct Connect and what are its key use cases?
  2. What’s the difference between a public and private Direct Connect connection?
  3. How is Direct Connect different from a Site-to-Site VPN?
  4. What are Direct Connect Gateway and Virtual Interfaces (VIF)?
  5. How do you ensure redundancy and failover in Direct Connect?
  6. What is the minimum bandwidth offered in Direct Connect?
  7. Can you use Direct Connect for multiple VPCs? How?
  8. How does billing work with Direct Connect?
  9. What are the steps to configure Direct Connect from scratch?
  10. How do you secure your Direct Connect traffic?

AWS Transit Gateway

  1. What is AWS Transit Gateway and why would you use it?
  2. How does Transit Gateway improve over traditional VPC peering?
  3. Can you explain the difference between attachments and route tables in TGW?
  4. What types of attachments are supported in TGW?
  5. How would you connect multiple VPCs and an on-prem data center using TGW?
  6. Can Transit Gateway support multicast traffic?
  7. How does traffic isolation work with multiple route tables in TGW?
  8. What are Transit Gateway Connect and TGW VPN attachments?
  9. What are the throughput limits of a Transit Gateway?
  10. How do you monitor and log Transit Gateway traffic?