
Top 20 AWS Interview Questions


Top 20 AWS VPC interview questions

1. What is the actual definition of the term “VPC”?

Answer: A VPC is a private network space within the Amazon cloud into which you launch AWS
resources. It is the networking layer of Amazon EC2. Each virtual network you create in the cloud
is logically isolated from the other virtual networks in the cloud.

Although a VPC looks structurally similar to a standard network that you would operate in your own
data center, it has the benefit of the scalable infrastructure of AWS. Another major advantage of a
VPC is that it is fully customizable: you can create subnets, set up route tables, configure network
gateways, set up network access control lists, choose the IP address range, and much more.

2. What are the components of Amazon VPC?

Answer: The foremost element of the Amazon VPC architecture is the VPC network itself, a logically
isolated part of the AWS cloud. You define your Virtual Private Cloud's IP address space from a
range you choose. The second element is the Internet Gateway, the connecting point between your
VPC and the public internet. Subnets are segments of your private cloud's IP address range.

NAT Gateways connect instances in your private subnets to the internet or to other AWS services.
Customer Gateways are your side of a VPN connection into AWS, while Virtual Private Gateways are
the Amazon VPC side of the VPN connection. This type of question falls under the general or basic
AWS VPC interview questions. Whether you are a fresher or have some experience, you may come
across such questions, so prepare the answer.

Components of Amazon VPC with brief descriptions:

Element                      Brief description
Virtual Private Cloud (VPC)  A logically isolated virtual network in the AWS cloud. You define a VPC's IP address space from a range you select.
Subnet                       A segment (piece) of a VPC's IP address range where you can place groups of isolated resources.
Internet Gateway             The Amazon VPC side of a connection to the public Internet.
NAT Gateway                  Network Address Translation (NAT) service that lets resources in a private subnet access the Internet.
Hardware VPN Connection      A hardware-based VPN connection between your Amazon VPC and your datacenter, home network, or co-location facility.
Virtual Private Gateway      The Amazon VPC side of a VPN connection. The Customer Gateway is the customer side of a VPN connection.
Peering Connection           A peering connection enables you to route traffic via private IP addresses between two peered VPCs.
VPC Endpoint                 Enables Amazon S3 access from within your VPC without using an Internet gateway or NAT, and allows you to control access using VPC endpoint policies.

3. What are Internet Gateways in VPC?

Answer: An Internet Gateway is a highly available, horizontally scaled VPC component. It establishes
the connection between your Amazon VPC network and the internet. Only one internet gateway can be
associated with each VPC. Internet gateways provide NAT (Network Address Translation) for instances
that have been assigned public IP addresses, and they serve as the target in your VPC route tables
for internet-routable traffic.

4. What is a NAT Device?

Answer: A NAT device in your VPC enables instances in a private subnet to initiate outbound IPv4
traffic to the internet or to other AWS services while preventing inbound connections initiated from
the internet. When traffic goes out to the internet, the instance's source IP address is replaced by
the NAT device's address; when the response comes back, the device translates the address back to
the instance's private IP address. AWS offers two types of NAT device: the NAT instance and the NAT
gateway. Amazon provides Linux AMIs that are configured to run as NAT instances. NAT devices do not
support IPv6 traffic.

5. What is a subnet in VPC?

Answer: According to the AWS documentation, a subnet is a logical subdivision of an IP network
within your VPC.

You launch AWS resources into the subnet of your choice. For resources that need internet access,
use a public subnet; for resources that do not need the internet, a private subnet is sufficient.

Each default subnet in a VPC has a /20 netmask (network subnet mask), which gives up to 4096
addresses per subnet. A subnet is always confined to a single Availability Zone, whereas a VPC can
span multiple zones.

6. What is the default VPC? Explain its advantages.

Answer: Questions about the default VPC are among the top AWS VPC interview questions. A default
VPC is a logically isolated virtual network that is created automatically in the AWS cloud for an
account when the user makes use of Amazon EC2 resources for the first time.

You can alter the components of the default VPC to suit your needs. A default VPC has several
advantages: a user can access high-level features such as multiple IP addresses and network
interfaces without creating a separate VPC or launching instances into it.

7. What is ELB (Elastic Load Balancing) and how does it affect VPC?

Answer: As the name suggests, ELB is a load balancing service for AWS deployments. A load balancer
divides the work that one computer (server) would have to do among several computers so that it
gets done faster. In the same way, ELB distributes incoming application traffic across multiple
targets, such as EC2 instances.

There are three types of ELB, which provide the scalability, availability, and security that make
your applications fault tolerant: the Classic, Network, and Application Load Balancers. Network and
Application Load Balancers can be used in conjunction with a VPC and can route traffic to targets
within VPCs.

8. What do you know about VPC Peering? 

Answer: You may be asked about VPC peering bandwidth in an AWS VPC interview. VPC peering is
simply a networking connection between two VPCs. Amazon Virtual Private Cloud (Amazon VPC) enables
you to launch AWS resources into a virtual network that you have defined.

A VPC peering connection is a networking connection between two VPCs that enables you to route
traffic between them using private IPv4 or IPv6 addresses. Instances in either VPC can communicate
with each other as if they were within the same network. You can create a VPC peering connection
between your own VPCs, or with a VPC in another AWS account. The VPCs can be in different regions
(an inter-region VPC peering connection).

AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither a
gateway nor a VPN connection, and it does not rely on a separate piece of physical hardware. There
is no single point of failure for communication and no bandwidth bottleneck.

The main purpose of such a connection is to facilitate data transfer across multiple VPCs spanning
different AWS accounts. Peering is a one-to-one relationship; transitive peering is not supported.
As for AWS VPC peering bandwidth, there are no bandwidth limitations on peering connections.

9. What are the differences between Private, Public & Elastic IP Addresses?

Answer: As the name implies, private IP addresses are IP addresses that are not reachable over the
internet. They are used for communication between instances in the same network. At launch time, a
private IP address from the subnet's IP address range and a DNS hostname are assigned to the
instance's default network interface.

A private IP address remains associated with the network interface and is released only when the
instance is terminated (not when the instance is stopped or restarted). A public IP address, on the
contrary, is reachable over the internet.

When you launch a VPC instance, one public IP address is automatically assigned to it; this address
is not associated with your AWS account. Every time you stop and restart the instance, AWS allocates
a new public IP to it. The main difference between a public IP and an Elastic IP is that an Elastic
IP is persistent: it remains associated with your AWS account until you release it. You can detach
an Elastic IP from one instance and attach the same IP to a different instance. Elastic IPs are also
reachable over the internet.

10. Is there any limit to the number of VPCs, subnets, gateways, VPNs that I can create?

Answer: Yes, there are limits. You can create 5 VPCs per region. If you want to increase this
limit, you have to increase the number of internet gateways by the same number. Per VPC, 200
subnets are allowed. 5 Elastic IP addresses are allowed per region. The number of Internet, VPN and
NAT gateways per region is also set to 5.

Customer gateways are limited to 50 per region, and you can create 50 VPN connections per region.
It is highly recommended to cover questions on connectivity while going through the top AWS VPC
interview questions.

11. Can you explain what CIDR routing is in a VPC?

Answer: Questions based on IP addressing are common among the frequently asked AWS VPC interview
questions. This CIDR question can be answered as follows. Classless Inter-Domain Routing (CIDR) is
a set of Internet Protocol (IP) standards used to allocate IP addresses to networks and individual
devices. With CIDR, a single notation designates a whole range of unique IP addresses.

A CIDR block looks like a normal IP address except that it is followed by a slash and a number. That
number is the length of the IP network prefix. In a VPC, the CIDR block size can range from /16 to
/28 for IPv4. When you create a VPC, you have to specify a range of IP addresses in CIDR form, such
as 10.0.0.0/16. This CIDR is the primary CIDR block of your VPC.
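As an added example, not part of these interview notes, here is a Python script that checks a proposed VPC CIDR against the /16 to /28 rule above and carves non-overlapping subnets out of it. The five reserved addresses per subnet that it subtracts are taken from AWS documentation and are an assumption of this example rather than something the notes state.

```python
"""Validate an IPv4 VPC CIDR block and plan subnets inside it.

Added example, not from the original notes. Assumption taken from AWS
documentation: AWS reserves five addresses in every subnet (network address,
VPC router, DNS, one reserved for future use, broadcast), so the usable
capacity of a subnet is always five less than its raw block size.
"""
import ipaddress
from itertools import islice

VPC_MIN_PREFIX = 16          # largest IPv4 block a VPC may have
VPC_MAX_PREFIX = 28          # smallest IPv4 block a VPC (or subnet) may have
AWS_RESERVED_PER_SUBNET = 5  # assumption from AWS docs, see module docstring


def validate_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Return the network if `cidr` is an acceptable primary IPv4 VPC block."""
    try:
        # strict=True rejects blocks with host bits set, e.g. 10.0.0.1/16
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        raise ValueError(f"{cidr}: not a well-formed CIDR block ({exc})") from None
    if net.version != 4:
        raise ValueError(f"{cidr}: only IPv4 blocks are handled here")
    if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX:
        raise ValueError(f"{cidr}: VPC CIDR prefix must be between /16 and /28")
    return net


def usable_hosts(subnet) -> int:
    """Addresses instances can actually receive in `subnet` (str or IPv4Network)."""
    net = ipaddress.ip_network(str(subnet), strict=True)
    return max(net.num_addresses - AWS_RESERVED_PER_SUBNET, 0)


def plan_subnets(vpc_cidr: str, subnet_prefix: int, count: int) -> list:
    """Carve `count` non-overlapping /`subnet_prefix` subnets out of the VPC block.

    Returns one dict per subnet with its CIDR, raw size and usable host count.
    """
    vpc = validate_vpc_cidr(vpc_cidr)
    if not vpc.prefixlen <= subnet_prefix <= VPC_MAX_PREFIX:
        raise ValueError(
            f"subnet prefix /{subnet_prefix} must be between /{vpc.prefixlen} and /28"
        )
    # subnets() yields every aligned block of the new prefix in address order,
    # so the first `count` of them are guaranteed not to overlap.
    chosen = list(islice(vpc.subnets(new_prefix=subnet_prefix), count))
    if len(chosen) < count:
        raise ValueError(
            f"{vpc} only holds {len(chosen)} /{subnet_prefix} subnets, {count} requested"
        )
    return [
        {"cidr": str(s), "addresses": s.num_addresses, "usable_hosts": usable_hosts(s)}
        for s in chosen
    ]


if __name__ == "__main__":
    for subnet in plan_subnets("10.0.0.0/16", 24, 3):
        print(subnet)
    print("default /20 subnet usable hosts:", usable_hosts("172.31.0.0/20"))
```
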

12. What are Security Groups in VPC?

Answer: A security group is like a firewall for the network. In a VPC, a security group's function
is to manage the traffic for one or many instances. It acts as a virtual firewall that controls
inbound and outbound traffic for EC2 instances. You manually add rules to each security group to
control the traffic to and from the associated instances.

In the AWS console, security groups can be found in both the VPC and EC2 sections. By default, all
security groups allow outbound traffic, and you define rules to allow inbound traffic. One thing to
note: you can only create "allow" rules; there are no "deny" rules for restricting permissions. You
can change the rules of a security group at any time, and the change takes effect immediately. You
may come across questions on security in an AWS VPC interview, so we have included it in our list of
the best AWS VPC interview questions.

13. What do you mean by Network ACLs (Access Control List) in VPC?

Answer: A network ACL does a job similar to that of a security group in a VPC, i.e. controlling
inbound and outbound traffic. The main difference between a network ACL and a security group is that
the security group acts as a firewall for the associated EC2 instances, whereas a network ACL acts
as a firewall for the associated subnets. Your VPC automatically generates a default network ACL,
and it is modifiable. Unlike a security group, this default network ACL allows all inbound and
outbound traffic by default. A network ACL can be associated with multiple subnets, but a subnet can
be associated with only one network ACL at a time.

You can also create your own custom network ACL and associate it with a subnet. Such an ACL denies
all inbound and outbound traffic until you add rules to it.

14. What is stateful and stateless filtering?

Answer: Stateful filtering tracks the origin of a request and automatically allows the reply to that
request to return to the originating computer. For example, if you allow inbound TCP port 80 to a
web server, the reply traffic, which goes back to a high-numbered port on the client (e.g.
destination TCP port 63912), is automatically allowed out through the stateful filter. The filtering
device maintains a state table that records the source and destination port numbers and IP addresses
of each connection. Only one rule is required on the filtering device: allow traffic inbound to the
web server on TCP port 80.

Stateless filtering, on the other hand, only examines the source or destination IP address and the
destination port, ignoring whether the traffic is a new request or a reply to a request. In the above
example, two rules would need to be implemented on the filtering device: one rule to allow traffic
inbound to the web server on TCP port 80, and another rule to allow outbound traffic from the web
server to the client's ephemeral ports (TCP port range 49152 through 65535).

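The following Python simulation, added here and not taken from the notes or from AWS, runs the port-80 exchange described above through a stateful filter (one rule plus a state table) and a stateless filter (one rule, then two). It also shows what the second stateless rule costs: the same ephemeral-port rule that admits replies also admits connections the server initiates on its own, which the stateful filter blocks.

```python
"""Stateful versus stateless filtering of a web server's traffic.

Added example; the Packet, Rule and filter classes are this example's own
simplified models of what the notes describe, not an AWS implementation.
Direction "in" means toward the protected web server, "out" means from it.
All addresses and ports below are constructed sample values.
"""
from dataclasses import dataclass

WEB_SERVER = "10.0.1.10"
CLIENT = "203.0.113.5"
EPHEMERAL_PORTS = range(49152, 65536)   # the client-side port range from the notes


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "in" or "out"


@dataclass(frozen=True)
class Rule:
    direction: str
    dst_ports: range  # destination ports the rule allows

    def matches(self, pkt: Packet) -> bool:
        return pkt.direction == self.direction and pkt.dst_port in self.dst_ports


class StatelessFilter:
    """Judges every packet on its own, like a network ACL."""

    def __init__(self, rules):
        self.rules = list(rules)

    def allow(self, pkt: Packet) -> bool:
        return any(rule.matches(pkt) for rule in self.rules)


class StatefulFilter:
    """Remembers flows it allowed and lets their replies back, like a security group."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()  # (src_ip, src_port, dst_ip, dst_port) of allowed flows

    def allow(self, pkt: Packet) -> bool:
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.state:
            return True  # reply to a tracked flow: no rule needed
        if any(rule.matches(pkt) for rule in self.rules):
            self.state.add(flow)  # remember the flow so its reply can return
            return True
        return False


ALLOW_HTTP_IN = Rule("in", range(80, 81))
ALLOW_EPHEMERAL_OUT = Rule("out", EPHEMERAL_PORTS)

# Constructed traffic: a client request to port 80 and the server's reply.
REQUEST = Packet(CLIENT, 63912, WEB_SERVER, 80, "in")
REPLY = Packet(WEB_SERVER, 80, CLIENT, 63912, "out")
# A connection the server opens by itself, which no client asked for.
UNSOLICITED = Packet(WEB_SERVER, 40001, "198.51.100.7", 50000, "out")


def run_exchange(flt) -> tuple:
    """Return (request_allowed, reply_allowed) for the request/reply pair."""
    return flt.allow(REQUEST), flt.allow(REPLY)


def stateful_one_rule() -> tuple:
    return run_exchange(StatefulFilter([ALLOW_HTTP_IN]))  # (True, True)


def stateless_one_rule() -> tuple:
    return run_exchange(StatelessFilter([ALLOW_HTTP_IN]))  # (True, False): reply dropped


def stateless_two_rules() -> tuple:
    return run_exchange(StatelessFilter([ALLOW_HTTP_IN, ALLOW_EPHEMERAL_OUT]))  # (True, True)


def unsolicited_outbound() -> tuple:
    """(stateful_allows, stateless_allows) for a connection the server initiates."""
    stateful = StatefulFilter([ALLOW_HTTP_IN])
    stateless = StatelessFilter([ALLOW_HTTP_IN, ALLOW_EPHEMERAL_OUT])
    return stateful.allow(UNSOLICITED), stateless.allow(UNSOLICITED)  # (False, True)


if __name__ == "__main__":
    print("stateful, 1 rule:", stateful_one_rule())
    print("stateless, 1 rule:", stateless_one_rule())
    print("stateless, 2 rules:", stateless_two_rules())
    print("server-initiated (stateful, stateless):", unsolicited_outbound())
```
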
15. What are the functions of an Amazon VPC router?

Answer: The VPC router allows EC2 instances in one subnet to communicate with EC2 instances in other
subnets of the same VPC. Virtual private gateways, subnets, Internet gateways, and so on also
communicate with each other by means of the VPC router.

The following are the key concepts for route tables.

• Main route table: the route table that automatically comes with your VPC. It controls the routing for all subnets that are not explicitly associated with any other route table.
• Custom route table: a route table that you create for your VPC.
• Edge association: a route table that you use to route inbound VPC traffic to an appliance. You associate a route table with the internet gateway or virtual private gateway, and specify the network interface of your appliance as the target for VPC traffic.
• Route table association: the association between a route table and a subnet, internet gateway, or virtual private gateway.
• Subnet route table: a route table that's associated with a subnet.
• Gateway route table: a route table that's associated with an internet gateway or virtual private gateway.
• Local gateway route table: a route table that's associated with an Outposts local gateway. For information about local gateways, see Local Gateways in the AWS Outposts User Guide.
• Destination: the range of IP addresses where you want traffic to go (destination CIDR). For example, an external corporate network with a 172.16.0.0/12 CIDR.
• Propagation: route propagation allows a virtual private gateway to automatically propagate routes to the route tables. This means that you don't need to manually enter VPN routes in your route tables. For more information about VPN routing options, see Site-to-Site VPN routing options in the Site-to-Site VPN User Guide.
• Target: the gateway, network interface, or connection through which to send the destination traffic; for example, an internet gateway.
• Local route: a default route for communication within the VPC.

How route tables work

Your VPC has an implicit router, and you use route tables to control where network traffic is directed.
Each subnet in your VPC must be associated with a route table, which controls the routing for the subnet
(subnet route table). You can explicitly associate a subnet with a particular route table. Otherwise, the
subnet is implicitly associated with the main route table. A subnet can only be associated with one route
table at a time, but you can associate multiple subnets with the same subnet route table.

You can optionally associate a route table with an internet gateway or a virtual private gateway
(gateway route table). This enables you to specify routing rules for inbound traffic that enters your VPC
through the gateway. For more information, see Gateway route tables.

There is a quota on the number of route tables that you can create per VPC. There is also a quota on the
number of routes that you can add per route table. For more information, see Amazon VPC quotas.
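As an added illustration (not from the notes or from AWS), the following Python model of a subnet route table resolves destination addresses the way the concepts above describe: the local route, a default route to an internet gateway and a more specific route to a corporate network over a virtual private gateway, with the most specific matching route winning. The VPC CIDR, the routes and the target IDs (igw-EXAMPLE, vgw-EXAMPLE, nat-EXAMPLE) are constructed placeholders.

```python
"""A minimal model of VPC subnet route tables (added example, not AWS code).

Routes are (destination CIDR, target) pairs. Resolution picks the most
specific (longest-prefix) route that contains the destination address and
returns None when no route matches, which corresponds to a dropped packet.
All target IDs used below are constructed placeholders.
"""
import ipaddress
from typing import Optional


class RouteTable:
    def __init__(self, name: str, vpc_cidr: str):
        self.name = name
        self.vpc = ipaddress.ip_network(vpc_cidr)
        # Every route table starts with the local route for the VPC CIDR;
        # it is what lets subnets of the same VPC reach each other.
        self.routes = [(self.vpc, "local")]

    def add_route(self, destination: str, target: str) -> "RouteTable":
        dest = ipaddress.ip_network(destination)
        if dest == self.vpc:
            raise ValueError("the local route cannot be replaced")
        if any(existing == dest for existing, _ in self.routes):
            raise ValueError(f"a route for {dest} already exists in {self.name}")
        self.routes.append((dest, target))
        return self

    def lookup(self, ip: str) -> Optional[str]:
        """Target for `ip`, using the most specific matching route."""
        addr = ipaddress.ip_address(ip)
        best = None
        for dest, target in self.routes:
            if addr in dest and (best is None or dest.prefixlen > best[0].prefixlen):
                best = (dest, target)
        return best[1] if best else None

    def is_public(self) -> bool:
        """A subnet is public when its route table has a route to an internet gateway."""
        return any(target.startswith("igw-") for _, target in self.routes)


VPC_CIDR = "10.0.0.0/16"

# Public subnet: default route to the internet gateway, corporate range over the VPN.
PUBLIC_RT = (
    RouteTable("public", VPC_CIDR)
    .add_route("0.0.0.0/0", "igw-EXAMPLE")
    .add_route("172.16.0.0/12", "vgw-EXAMPLE")
)

# Private subnet: no default route at all, so only VPC-internal and corporate
# destinations are reachable; everything else is dropped.
PRIVATE_RT = RouteTable("private", VPC_CIDR).add_route("172.16.0.0/12", "vgw-EXAMPLE")


def resolve_all(table: RouteTable, ips) -> dict:
    """Map each destination IP to its target (None = no route, dropped)."""
    return {ip: table.lookup(ip) for ip in ips}


def with_nat_egress(private: RouteTable) -> RouteTable:
    """Give a private subnet outbound internet access through a NAT gateway
    without making it public: the default route points at the NAT, not an IGW."""
    return private.add_route("0.0.0.0/0", "nat-EXAMPLE")


if __name__ == "__main__":
    samples = ["10.0.2.15", "172.16.5.9", "8.8.8.8"]
    print("public :", resolve_all(PUBLIC_RT, samples), "public?", PUBLIC_RT.is_public())
    print("private:", resolve_all(PRIVATE_RT, samples), "public?", PRIVATE_RT.is_public())
```
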

16. How much does Amazon charge you for sharing its cloud space with you?

Answer: For a VPN connection to your VPC, Amazon charges roughly $0.5 per hour. You can terminate
the VPN connection through the AWS console if you do not want to be charged for it.

AWS internet gateway pricing varies across geographic locations. You will be charged from $0.045 up
to $0.054 per gateway-hour plus a charge per GB of data processed, depending on your location.
Similarly, VPC peering pricing depends on the location of the VPCs and the peering connection. If
both are in the same region, the charge for transferring data over the peering connection is the
same as for transferring data within the zone itself.

If they are in different regions, inter-region data transfer rates apply. You may come across at
least one question on VPC peering pricing, so we have covered it under the most common AWS VPC
interview questions and answers.

17. What is Private Link from AWS?

Answer: PrivateLink provides the highest availability and scalability for AWS customers to access
their services while keeping the traffic within the AWS network. It delivers private connectivity
between VPCs, on-premises applications, and so on, securely over the Amazon network.

18. What is Classic Link in VPC?

Answer: If you want to connect Amazon EC2-Classic instances to a VPC, you use ClassicLink. It works
only within the same region and uses private IP addresses. Its operation is simple: you enable
ClassicLink on your VPC and associate a security group from the VPC with the EC2-Classic instance.

This type of question is one of the additional AWS VPC interview questions that you should not miss,
so prepare the answer.

19. What is so special about VPC that makes it stand out from other private clouds?

Answer: If you want a private network within the cloud, AWS VPC provides it without the need for
specific hardware, physical data centers, or virtual private networks. The advanced security
features of a VPC make it almost invulnerable to privacy and security threats.

20. What is a VPS?  

Answer: A VPS, or Virtual Private Server, is a host server offered by web hosting companies such as
BlueHost and GoDaddy (these companies also provide shared hosting, where one server is shared by
several users). A single physical host is divided into multiple virtual units, each functioning
independently. Each of these units is a virtual private server that works without depending on the
others. You get access to the complete server, including root access.

A VPC functions similarly to a VPS, but its servers do not have to be placed in a single location.

AWS VPC Interview Questions

2) How do you connect your VPC to the Internet?

Amazon VPC enables the creation of an Internet gateway, which allows Amazon EC2 instances in the VPC
to access the Internet directly. There are numerous connectivity options for your VPC. You can
connect your Virtual Private Cloud to the following:

• Your corporate data center, with the help of a Hardware Virtual Private Network connection
• The Internet, through an Internet gateway
• The Internet and your corporate data center together, by using both the virtual private gateway and the Internet gateway
• Other VPCs, through a Virtual Private Cloud peering connection
• Other Amazon Web Services

4) How do you build a custom VPC?

To build a custom VPC, follow these steps:

• Create a Virtual Private Cloud
• Create subnets
• Create an Internet Gateway
• Attach the new gateway to your VPC
• Create a new route table
• Add the gateway as a route in the new route table
• Add a subnet to the route table's subnet associations
• Create a web server in the public subnet and a database server in the private subnet
• Create a new security group for the NAT
• Add HTTP and HTTPS inbound rules that allow traffic from the private subnet's IP range
• Create a NAT in the public subnet
• Create an Elastic IP
• Associate this IP with the NAT
• Disable source/destination checks on the NAT
• Add the NAT to the initial VPC route table as a route

5) What are the advantages of using Amazon Web Services VPC?

It lets you build a virtual network in the Amazon Web Services cloud without any hardware, physical
data centers, or even VPNs. You have complete control over your own network space, including how
your network and the Amazon EC2 resources inside it are exposed to the Internet. You can also use
the enhanced security options in Amazon VPC to provide more granular control over access to and from
the Amazon EC2 instances in your virtual network.

6) Can the network traffic in your VPC be monitored?


Yes, you can use the Amazon VPC Flow Logs feature to monitor the network traffic in your Virtual
Private Cloud.

7) Within which Amazon EC2 Region is Amazon VPC available?


It is available in multiple availability zones in all Amazon EC2 regions.

8) Can a VPC span multiple availability zones?


Yes, a virtual private cloud can easily span multiple availability zones.

9) How can you differentiate between stateful and stateless filtering?

With stateful filtering, the origin of a request is tracked, and the reply to that request is
automatically allowed back to the computer it originated from.

With stateless filtering, it does not matter whether the traffic is a new request or the reply to a
request; the filter only looks at the source or destination IP address and port.

10) How do you specify which availability zone my Amazon EC2 instances are launched in?

When you launch an Amazon EC2 instance you must specify the subnet in which to launch it. The
instance is then launched in the Availability Zone associated with that subnet.

11) Can you use your present AMIs in Amazon VPC?


You can use your existing AMIs in Amazon VPC as long as they are registered in the same region as your VPC.

12) Are there any bandwidth limitations for Internet gateways?


An Internet gateway is horizontally scaled, highly available, and redundant, so there are no
bandwidth limitations for Internet gateways.

13) How do you secure Amazon EC2 instances running within your VPC?

Amazon EC2 security groups help secure instances within an Amazon VPC. Security groups in a VPC let
you specify both the inbound and the outbound network traffic that is allowed to and from each
Amazon EC2 instance. Traffic that is not explicitly allowed to or from an instance is automatically
denied.

14) What are the differences between security groups and network ACLs in a VPC?

Security groups in a VPC specify which traffic is allowed to or from an Amazon EC2 instance. Network
ACLs operate at the subnet level and evaluate the traffic entering and exiting a subnet. Network ACLs
can be used to set both Allow and Deny rules. Network ACLs do not filter traffic between instances in
the same subnet. In addition, network ACLs perform stateless filtering, while security groups perform
stateful filtering.

15) How do you determine which Availability Zone your subnets are located in?

When you create a subnet you specify the Availability Zone in which to place it. When using the VPC
Wizard, you can select the subnet's Availability Zone on the wizard confirmation screen. When using
the API or the CLI, you specify the Availability Zone for the subnet as you create it. If you do not
specify an Availability Zone, the default "No Preference" option is selected and the subnet is
created in an available Availability Zone in that region.

16) What do you understand by default VPC?


When a user uses Amazon EC2 resources for the first time, a logically isolated virtual network is
created automatically in the AWS cloud for the AWS account. If an instance is launched without a
subnet ID, it is automatically launched in the default VPC.

17) What are the advantages of a default VPC?

A default VPC has several advantages. Firstly, if a resource is launched in the default VPC, the
user gets the high-end network functions of Amazon VPC along with the ease of use of Amazon EC2.

Secondly, without creating a VPC or launching instances into it, the user can still use features
such as multiple IP addresses, changing security group membership, egress filtering in security
groups, and multiple network interfaces.

18) Which account is enabled for default VPC?


If a user's AWS account was created after March, it can launch resources in a default VPC. If an
account was created before March, it can use a default VPC in any region in which it has not
previously launched or provisioned resources such as Amazon RDS or Amazon Redshift.

19) How will you differentiate between VPC security groups and VPC network ACLs?
A VPC security group is responsible for tracking only the allowed traffic coming into and going out
of an EC2 instance. VPC network ACLs are quite different: they track traffic only at the subnet
level, i.e. the traffic coming into or going out of a subnet. Network ACLs cannot filter traffic
between instances in the same subnet, but they perform stateless filtering and can set both Allow
and Deny rules. The security group, on the other hand, performs stateful filtering.

20) How will you locate the availability Zone of subnets?


To create and place a subnet you must specify its Availability Zone. The user can use the VPC Wizard
to select the Availability Zone for a subnet on the wizard confirmation screen. A subnet can also be
created in a specific Availability Zone with the API or CLI. If the user does not select a specific
Availability Zone, the default "No Preference" option is selected and the subnet is created in an
Availability Zone that is available in the region.

21) What IP addresses range can be used in a VPC?

Question 2. What are the connectivity options for my VPC?

Answer:
You may connect your VPC to:
• The Internet (via an Internet gateway)
• Your corporate data center using a Hardware VPN connection (via the virtual private gateway)
• Both the Internet and your corporate data center (utilizing both an Internet gateway and a virtual private gateway)
• Other AWS services (via Internet gateway, NAT, virtual private gateway, or VPC endpoints)
• Other VPCs (via VPC peering connections)

Question 8. Can Amazon EC2 instances within a VPC communicate with Amazon EC2 instances not within a VPC?
Answer:
Yes. If an Internet gateway has been configured, Amazon VPC traffic bound for Amazon EC2 instances
not within a VPC traverses the Internet gateway and then enters the public AWS network to reach the
EC2 instance. If an Internet gateway has not been configured, or if the instance is in a subnet
configured to route through the virtual private gateway, the traffic traverses the VPN connection,
egresses from your datacenter, and then re-enters the public AWS network.

Question 9. Why can't you ping the router, or my default gateway, that connects my subnets?
Answer:
Ping (ICMP Echo Request and Echo Reply) requests to the router in your VPC are not supported. Ping
between Amazon EC2 instances within a VPC is supported as long as your operating system's firewalls,
VPC security groups, and network ACLs permit such traffic.

Question 16. How do you secure Amazon EC2 instances running within my VPC?
Answer:
Amazon EC2 security groups can be used to help secure instances within an Amazon VPC. Security
groups in a VPC enable you to specify both inbound and outbound network traffic that is allowed to
or from each Amazon EC2 instance. Traffic which is not explicitly allowed to or from an instance is
automatically denied.
In addition to security groups, network traffic entering and exiting each subnet can be allowed or
denied via network Access Control Lists (ACLs).

Question 19. When you call DescribeInstances(), do you see all of my Amazon EC2 instances, including those in EC2-Classic and EC2-VPC?
Answer:
Yes. DescribeInstances() will return all running Amazon EC2 instances. You can differentiate
EC2-Classic instances from EC2-VPC instances by an entry in the subnet field. If there is a subnet
ID listed, the instance is within a VPC.

Question 20. When you call DescribeVolumes(), do you see all of my Amazon EBS volumes, including those in EC2-Classic and EC2-VPC?
Answer:
Yes. DescribeVolumes() will return all your EBS volumes.

Question 21. Can you employ Auto Scaling within Amazon VPC?
Answer:
Yes.

Question 22. What is the IP range of a default VPC?
Answer:
The default VPC CIDR is 172.31.0.0/16. Default subnets use /20 CIDRs within the default VPC CIDR.

Question 25. Can you launch Amazon EC2 cluster instances in a VPC?
Answer:
Yes. Cluster instances are supported in Amazon VPC; however, not all instance types are available in
all regions and Availability Zones.

Question 28. What accounts are enabled for default VPC?
Answer:
If your AWS account was created after March 18, 2013 your account may be able to launch resources
in a default VPC. See this Forum Announcement to determine which regions have been enabled for the
default VPC feature set. Also, accounts created prior to the listed dates may utilize default VPCs
in any default VPC enabled region in which you've not previously launched EC2 instances or
provisioned Amazon Elastic Load Balancing, Amazon RDS, Amazon ElastiCache, or Amazon Redshift
resources.

Question 29. How can you know if my account is configured to use a default VPC?
Answer:
The Amazon EC2 console indicates which platforms you can launch instances in for the selected
region, and whether you have a default VPC in that region. Verify that the region you'll use is
selected in the navigation bar. On the Amazon EC2 console dashboard, look for "Supported Platforms"
under "Account Attributes". If there are two values, EC2-Classic and EC2-VPC, you can launch
instances into either platform. If there is one value, EC2-VPC, you can launch instances only into
EC2-VPC. Your default VPC ID will be listed under "Account Attributes" if your account is configured
to use a default VPC. You can also use the EC2 DescribeAccountAttributes API or CLI to describe your
supported platforms.

Question 30. Can you create other VPCs and use them in addition to my default VPC?
Answer:
Yes. To launch an instance into a nondefault VPC you must specify a subnet ID during instance
launch.

Question 31. Can you create additional subnets in my default VPC, such as private subnets?
Answer:
Yes. To launch into nondefault subnets, you can target your launches using the console or the
--subnet option from the CLI, API, or SDK.

Question 32. Will you need to know anything about Amazon VPC in order to use a default VPC?
Answer:
No. You can use the AWS Management Console, AWS EC2 CLI, or the Amazon EC2 API to launch and manage
EC2 instances and other AWS resources in a default VPC. AWS will automatically create a default VPC
for you and will create a default subnet in each Availability Zone in the AWS region. Your default
VPC will be connected to an Internet gateway and your instances will automatically receive public IP
addresses, just like EC2-Classic.

Question 33. Can you use my existing Amazon EBS snapshots?
Answer:
Yes, you may use Amazon EBS snapshots if they are located in the same region as your VPC.

Question 34. Can you boot an Amazon EC2 instance from an Amazon EBS volume within Amazon VPC?
Answer:
Yes; however, an instance launched in a VPC using an Amazon EBS-backed AMI maintains the same IP
address when stopped and restarted. This is in contrast to similar instances launched outside a
VPC, which get a new IP address. The IP addresses for any stopped instances in a subnet are
considered unavailable.

Question 35. Can You Use Amazon EC2 Reserved Instances With Amazon VPC?
Answer:
Yes. You can reserve an instance in Amazon VPC when you purchase Reserved Instances.
When computing your bill, AWS does not distinguish whether your instance runs in Amazon
VPC or standard Amazon EC2. AWS automatically optimizes which instances are charged at
the lower Reserved Instance rate to ensure you always pay the lowest amount. However, your
instance reservation will be specific to Amazon VPC. Please see the Reserved Instances page
for further details.
Question 36. Do You Need To Have A VPN Connection To Use A Default VPC?
Answer:
No. Default VPCs are attached to the Internet and all instances launched in default subnets in
the default VPC automatically receive public IP addresses. You can add a VPN connection to
your default VPC if you choose.

Question 37. Can You Delete A Default VPC?
Answer:
Yes. Contact AWS Support if you've deleted your default VPC and want to have it reset.
Question 38. Can You Delete A Default Subnet?
Answer:
Yes, but once deleted, it’s gone. Your future instance launches will be placed in your
remaining default subnet(s).
Question 39. If You Delete Your Side Of A Peering Connection, Will The Other Side Still Have Access To Your VPC?
Answer:
No. Either side of the peering connection can terminate the peering connection at any time.
Terminating a peering connection means traffic won’t flow between the two VPCs.
Question 40. If You Peer VPC A To VPC B And VPC B To VPC C, Does That Mean VPCs A And C Are Peered?
Answer:
No. Transitive peering relationships are not supported.
Question 41. You Have An Existing EC2-Classic Account. Can You Get A Default VPC?
Answer:
The simplest way to get a default VPC is to create a new account in a region that is enabled for
default VPCs, or use an existing account in a region you've never been to before, as long as
the Supported Platforms attribute for that account in that region is set to "EC2-VPC".
Question 42. You Really Want A Default VPC For Your Existing EC2 Account. Is That Possible?
Answer:
Yes. However, we can only enable an existing account for a default VPC if you have no EC2-Classic
resources for that account in that region. Additionally, you must terminate all non-VPC
provisioned Elastic Load Balancers, Amazon RDS, Amazon ElastiCache, and Amazon Redshift
resources in that region. After your account has been configured for a default VPC, all future
resource launches, including instances launched via Auto Scaling, will be placed in your
default VPC. To request that your existing account be set up with a default VPC, contact AWS
Support. We will review your request and your existing AWS services and EC2-Classic presence
to determine if you are eligible for a default VPC.
Question 43. How Are IAM Accounts Impacted By A Default VPC?
Answer:
If your AWS account has a default VPC, any IAM accounts associated with your AWS account
use the same default VPC as your AWS account.
Question 44. What If Your Peering Connection Goes Down?
Answer:
AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither
a gateway nor a VPN connection, and does not rely on a separate piece of physical hardware.
There is no single point of failure for communication or a bandwidth bottleneck.
Question 45. Can You Create A Peering Connection To A VPC In A Different Region?
Answer:
No. Peering connections are only available between VPCs in the same region.
Question 46. Can You Peer Your VPC With A VPC Belonging To Another AWS Account?
Answer:
Yes, assuming the owner of the other VPC accepts your peering connection request.
Question 47. Can You Have More Than Two Network Interfaces Attached To Your EC2 Instance?
Answer:
The total number of network interfaces that can be attached to an EC2 instance depends on
the instance type. See the EC2 User Guide for more information on the number of allowed
network interfaces per instance type.
Question 48. Can You Attach A Network Interface In One Availability Zone To An Instance In Another Availability Zone?
Answer:
Network interfaces can only be attached to instances residing in the same Availability Zone.
Question 49. Can You Attach A Network Interface In One VPC To An Instance In Another VPC?
Answer:
Network interfaces can only be attached to instances in the same VPC as the interface.
Question 50. Can You Use Elastic Network Interfaces As A Way To Host Multiple Websites Requiring Separate IP Addresses On A Single Instance?
Answer:
Yes. However, this is not the use case best suited to multiple interfaces. Instead, assign
additional private IP addresses to the instance and then associate EIPs with the private IPs as
needed.
Question 51. Can You Detach The Primary Interface (eth0) On Your EC2 Instance?
Answer:
No. You can attach and detach secondary interfaces (eth1-ethn) on an EC2 instance, but you
can’t detach the eth0 interface.
Question 52. Can You Use AWS Direct Connect Or Hardware VPN Connections To Access VPCs You're Peered With?
Answer:
No. “Edge to Edge routing” isn’t supported in Amazon VPC. Refer to the VPC Peering Guide for
additional information.
Question 53. Can You Peer Two VPCs With Matching IP Address Ranges?
Answer:
No. Peered VPCs must have non-overlapping IP ranges.
Question 54. Are There Any Bandwidth Limitations For Peering Connections?
Answer:
Bandwidth between instances in peered VPCs is no different than bandwidth between
instances in the same VPC.
o A placement group can span peered VPCs; however, you will not get full-bisection bandwidth between instances in peered VPCs.
Question 55. What Is ClassicLink?
Answer:
Amazon Virtual Private Cloud (VPC) ClassicLink allows EC2 instances in the EC2-Classic
platform to communicate with instances in a VPC using private IP addresses. To use
ClassicLink, enable it for a VPC in your account, and associate a Security Group from that VPC
with an instance in EC2-Classic. All the rules of your VPC Security Group will apply to
communications between instances in EC2-Classic and instances in the VPC.
Question 56. How Do You Use ClassicLink?
Answer:
In order to use ClassicLink, you first need to enable at least one VPC in your account for
ClassicLink. Then you associate a Security Group from the VPC with the desired EC2-Classic
instance. The EC2-Classic instance is now linked to the VPC and is a member of the selected
Security Group in the VPC. Your EC2-Classic instance cannot be linked to more than one VPC
at the same time.
Question 57. Does The EC2-Classic Instance Become A Member Of The VPC?
Answer:
The EC2-Classic instance does not become a member of the VPC. It becomes a member of the
VPC Security Group that was associated with the instance. All the rules and references to the
VPC Security Group apply to communication between the EC2-Classic instance and
resources within the VPC.
Question 58. Can You Modify The VPC Route Tables? How?
Answer:
Yes. You can create route rules to specify which subnets are routed to the Internet gateway,
the virtual private gateway, or other instances.

Question 59. Can You Use The AWS Management Console To Control And Manage Amazon VPC?
Answer:
Yes. You can use the AWS Management Console to manage Amazon VPC objects such as
VPCs, subnets, route tables, Internet gateways, and IPSec VPN connections. Additionally, you
can use a simple wizard to create a VPC.
Question 60. How Many VPCs, Subnets, Elastic IP Addresses, Internet Gateways, Customer Gateways, Virtual Private Gateways, And VPN Connections Can You Create?
Answer:
You can have:
o Five Amazon VPCs per AWS account per region
o Two hundred subnets per Amazon VPC
o Five Amazon VPC Elastic IP addresses per AWS account per region
o One Internet gateway per VPC
o Five virtual private gateways per AWS account per region
o Fifty customer gateways per AWS account per region
o Ten IPsec VPN Connections per virtual private gateway
Question 61. What Does An Amazon VPC Router Do?
Answer:
An Amazon VPC router enables Amazon EC2 instances within subnets to communicate with
Amazon EC2 instances in other subnets within the same VPC. The VPC router also enables
subnets, Internet gateways, and virtual private gateways to communicate with each other.
Network usage data is not available from the router; however, you can obtain network usage
statistics from your instances using Amazon CloudWatch.
Question 62. How Do Instances In A VPC Access The Internet?
Answer:
You can use public IP addresses, including Elastic IP addresses (EIPs), to give instances in the
VPC the ability to both directly communicate outbound to the Internet and to receive
unsolicited inbound traffic from the Internet (e.g., web servers).
Question 63. How Do Instances Without Public IP Addresses Access The Internet?
Answer:
Instances without public IP addresses can access the Internet in one of two ways:
o Instances without public IP addresses can route their traffic through a NAT gateway or a NAT instance to access the Internet. These instances use the public IP address of the NAT gateway or NAT instance to traverse the Internet. The NAT gateway or NAT instance allows outbound communication but doesn't allow machines on the Internet to initiate a connection to the privately addressed instances.
o For VPCs with a hardware VPN connection or Direct Connect connection, instances can route their Internet traffic down the virtual private gateway to your existing datacenter. From there, it can access the Internet via your existing egress points and network security/monitoring devices.
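The routing behaviour described in Questions 58, 61, 62 and 63, modelled as an added example (not part of the original page or of any AWS tooling): a route table with its implicit local route, the longest-prefix match the VPC router applies, and how the matched target decides whether an instance can reach the Internet. The gateway ids (igw-EXAMPLE, nat-EXAMPLE, vgw-EXAMPLE, pcx-EXAMPLE) and the 10.0.0.0/16 CIDR are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    target: str  # "local", or a gateway id such as igw-..., nat-..., vgw-... (constructed)


def route_table(vpc_cidr, extra_routes):
    """Build a route table. Every VPC route table carries an implicit 'local' route
    for the VPC CIDR, which keeps intra-VPC traffic on the VPC router (Question 61)."""
    routes = [Route(ipaddress.ip_network(vpc_cidr), "local")]
    routes += [Route(ipaddress.ip_network(d), t) for d, t in extra_routes]
    return routes


def lookup(routes, dst_ip):
    """Longest-prefix match: the rule the VPC router applies to every packet."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [r for r in routes if dst in r.destination]
    if not matches:
        return None  # no matching route: the packet is dropped
    return max(matches, key=lambda r: r.destination.prefixlen).target


def egress_path(routes, dst_ip, has_public_ip):
    """Describe how an instance reaches dst_ip given its subnet's route table and
    whether it has a public IP or EIP (Questions 62 and 63)."""
    target = lookup(routes, dst_ip)
    if target is None:
        return "dropped"
    if target == "local":
        return "stays inside the VPC"
    if target.startswith("igw-"):
        # An Internet gateway only forwards traffic for instances that own a public address.
        return "Internet via IGW" if has_public_ip else "dropped (no public IP)"
    if target.startswith("nat-"):
        return "Internet via NAT (outbound only; the Internet cannot initiate connections)"
    if target.startswith("vgw-"):
        return "down the VPN to the datacenter egress"
    return f"forwarded to {target}"


VPC_CIDR = "10.0.0.0/16"  # constructed
# Public subnet: default route to an Internet gateway.
PUBLIC_RT = route_table(VPC_CIDR, [("0.0.0.0/0", "igw-EXAMPLE")])
# Private subnet: default route to a NAT gateway.
PRIVATE_RT = route_table(VPC_CIDR, [("0.0.0.0/0", "nat-EXAMPLE")])
# Private subnet whose Internet traffic goes down the virtual private gateway (Question 63, second option).
ONPREM_RT = route_table(VPC_CIDR, [("0.0.0.0/0", "vgw-EXAMPLE")])
```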
Question 64. What Is IPsec?
Answer:
IPsec is a protocol suite for securing Internet Protocol (IP) communications by authenticating
and encrypting each IP packet of a data stream.
Question 65. How Does A Hardware VPN Connection Work With Amazon VPC?
Answer:
A hardware VPN connection connects your VPC to your datacenter. Amazon supports Internet
Protocol security (IPsec) VPN connections. Data transferred between your VPC and datacenter
routes over an encrypted VPN connection to help maintain the confidentiality and integrity of
data in transit. An Internet gateway is not required to establish a hardware VPN connection.
Question 66. Which Customer Gateway Devices Can You Use To Connect To Amazon VPC?
Answer:
There are two types of VPN connections that you can create: statically-routed VPN
connections and dynamically-routed VPN connections.
Customer gateway devices supporting statically-routed VPN connections must be able to:
o Establish IKE Security Associations using Pre-Shared Keys
o Establish IPsec Security Associations in Tunnel mode
o Utilize the AES 128-bit or 256-bit encryption function
o Utilize the SHA-1 or SHA-2 (256) hashing function
o Utilize Diffie-Hellman (DH) Perfect Forward Secrecy in "Group 2" mode, or one of the additional DH groups we support
o Perform packet fragmentation prior to encryption
In addition to the above capabilities, devices supporting dynamically-routed VPN connections must be able to:
o Establish Border Gateway Protocol (BGP) peerings
o Bind tunnels to logical interfaces (route-based VPN)
o Utilize IPsec Dead Peer Detection
Question 67. Name Any VPCs For Which You Cannot Enable ClassicLink.
Answer:
ClassicLink cannot be enabled for a VPC whose Classless Inter-Domain Routing (CIDR) block is
within the 10.0.0.0/8 range, with the exception of 10.0.0.0/16 and 10.1.0.0/16. In addition,
ClassicLink cannot be enabled for any VPC that has a route table entry pointing the
10.0.0.0/8 CIDR space to a target other than "local".
Question 68. What Tools Are Available To Help Troubleshoot Your Hardware VPN Configuration?
Answer:
The DescribeVPNConnection API displays the status of the VPN connection, including the state
("up"/"down") of each VPN tunnel and corresponding error messages if either tunnel is
"down". This information is also displayed in the AWS Management Console.

Question 69. How Do You Connect A VPC To Your Corporate Datacenter?
Answer:
Establishing a hardware VPN connection between your existing network and Amazon VPC
allows you to interact with Amazon EC2 instances within a VPC as if they were within your
existing network. AWS does not perform network address translation (NAT) on Amazon EC2
instances within a VPC accessed via a hardware VPN connection.

Question 70. Are There Any VPN Connection Throughput Limitations?
Answer:
Amazon does not enforce any restrictions on VPN throughput. However, other factors, such as
the cryptographic capability of your customer gateway, the capacity of your Internet
connection, average packet size, the protocol being used (TCP vs. UDP), and the network
latency between your customer gateway and the virtual private gateway can affect
throughput.
Question 71. How Do You Assign IP Address Ranges To VPCs?
Answer:
You assign a single Classless Inter-Domain Routing (CIDR) IP address block when you create
a VPC, and you address the subnets within the VPC from this range. A VPC can be assigned at
most one (1) IP address range at any given time; addressing a VPC from multiple IP address
ranges is currently not supported. Please note that while you can create multiple VPCs with
overlapping IP address ranges, doing so will prohibit you from connecting these VPCs to a
common home network via the hardware VPN connection. For this reason we recommend
using non-overlapping IP address ranges. You can allocate an Amazon-provided IPv6 CIDR
block to your VPC.
Question 72. What IP Address Ranges Are Assigned To A Default VPC?
Answer:
Default VPCs are assigned a CIDR range of 172.31.0.0/16. Default subnets within a default VPC
are assigned /20 netblocks within the VPC CIDR range.
Question 73. Can You Assign Any IP Address To An Instance?
Answer:
You can assign any IP address to your instance as long as it is:
o Part of the associated subnet's IP address range
o Not reserved by Amazon for IP networking purposes
o Not currently assigned to another interface
Question 74. Can You Assign Multiple IP Addresses To An Instance?
Answer:
Yes. You can assign one or more secondary private IP addresses to an Elastic Network
Interface or an EC2 instance in Amazon VPC. The number of secondary private IP addresses
you can assign depends on the instance type. See the EC2 User Guide for more information on
the number of secondary private IP addresses that can be assigned per instance type.

Question 75. What Defines Billable VPN Connection-Hours?
Answer:
VPN connection-hours are billed for any time your VPN connections are in the "available"
state. You can determine the state of a VPN connection via the AWS Management Console,
CLI, or API. If you no longer wish to use your VPN connection, you simply terminate the VPN
connection to avoid being billed for additional VPN connection-hours.
Question 76. Can You Change A VPC's Size?
Answer:
No. To change the size of a VPC you must terminate your existing VPC and create a new one.

Question 77. How Many Subnets Can You Create Per VPC?
Answer:
Currently you can create 200 subnets per VPC. If you would like to create more, please submit
a case at the support center.
Question 78. Is There A Limit On How Large Or Small A Subnet Can Be?
Answer:
The minimum size of an IPv4 subnet is a /28 (or 14 IP addresses). Subnets cannot be larger
than the VPC in which they are created.
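The addressing rules spread across Questions 53, 67, 73 and 78, checked in code as an added example (not from the original page or from AWS): peering needs non-overlapping CIDRs, a subnet must sit inside its VPC and be no smaller than /28, an address is assignable only if it lies in the subnet and is not reserved or in use, and ClassicLink is blocked for most 10.0.0.0/8 VPCs. Two assumptions: the reserved addresses (the first four and the last address of each subnet) are a known AWS rule the page only alludes to, and the route check reads the FAQ wording as "any route whose destination lies inside 10.0.0.0/8".

```python
import ipaddress

MIN_IPV4_SUBNET_PREFIX = 28  # smallest IPv4 subnet a VPC allows (Question 78)


def can_peer(cidr_a: str, cidr_b: str) -> bool:
    """Question 53: peered VPCs must have non-overlapping IP ranges."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def subnet_fits(vpc_cidr: str, subnet_cidr: str) -> bool:
    """Question 78: a subnet must lie inside its VPC and be no smaller than /28."""
    vpc, sub = ipaddress.ip_network(vpc_cidr), ipaddress.ip_network(subnet_cidr)
    return sub.subnet_of(vpc) and sub.prefixlen <= MIN_IPV4_SUBNET_PREFIX


def reserved_addresses(subnet_cidr: str) -> list:
    """Question 73: AWS reserves the first four addresses of each subnet (network,
    VPC router, DNS, future use) and the last one (broadcast). Known AWS rule,
    not spelled out on the page."""
    sub = ipaddress.ip_network(subnet_cidr)
    return [str(sub.network_address + i) for i in range(4)] + [str(sub.broadcast_address)]


def assignable(subnet_cidr: str, ip: str, in_use: set) -> bool:
    """Question 73: in the subnet's range, not reserved by Amazon, not already assigned."""
    addr = ipaddress.ip_address(ip)
    sub = ipaddress.ip_network(subnet_cidr)
    return (addr in sub
            and str(addr) not in reserved_addresses(subnet_cidr)
            and str(addr) not in in_use)


CLASSICLINK_BLOCKED = ipaddress.ip_network("10.0.0.0/8")
CLASSICLINK_EXEMPT = (ipaddress.ip_network("10.0.0.0/16"), ipaddress.ip_network("10.1.0.0/16"))


def classiclink_allowed(vpc_cidr: str, routes) -> bool:
    """Question 67: the VPC CIDR must not fall inside 10.0.0.0/8 (except the two exempt
    /16s), and no route inside 10.0.0.0/8 may point anywhere but 'local'. `routes` is a
    list of (destination_cidr, target) pairs; the 'inside 10.0.0.0/8' reading of the
    route rule is this example's interpretation of the FAQ wording."""
    vpc = ipaddress.ip_network(vpc_cidr)
    if vpc.subnet_of(CLASSICLINK_BLOCKED) and vpc not in CLASSICLINK_EXEMPT:
        return False
    for dest, target in routes:
        if ipaddress.ip_network(dest).subnet_of(CLASSICLINK_BLOCKED) and target != "local":
            return False
    return True
```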

Question 79. How Do You Assign Private IP Addresses To Amazon EC2 Instances Within A VPC?
Answer:
When you launch an Amazon EC2 instance within a VPC, you may optionally specify the
primary private IP address for the instance. If you do not specify the primary private IP
address, AWS automatically addresses it from the IP address range you assign to that subnet.
You can assign secondary private IP addresses when you launch an instance, when you create
an Elastic Network Interface, or any time after the instance has been launched or the interface
has been created.
Question 80. How Do You Disable NAT-T On Your Connection?
Answer:
You will need to disable NAT-T on your device. If you don't plan on using NAT-T and it is not disabled on
your device, we will attempt to establish a tunnel over UDP port 4500. If that port is not open, the tunnel
will not establish.
