15 Essential VPC and Networking Questions for DevOps Interviews
AWS Chapter 1.10: VPC Interview Questions
Virtual Private Cloud (VPC) and networking are cornerstone concepts for any DevOps professional, especially when working with cloud platforms like AWS. Employers often focus on these areas during interviews to test your technical knowledge and practical experience. To help you prepare, here’s a list of 15 key VPC and networking questions, including realistic scenario-based ones, designed to challenge your understanding and application of these concepts.
1. How many IPs are reserved in each AWS VPC subnet, and why?
Answer: AWS reserves 5 IP addresses in every subnet:
The first IP for the network identifier.
The second IP for the VPC router.
The third IP for the DNS server.
The fourth IP is reserved for future use.
The last IP is reserved for broadcast (even though AWS does not support broadcast in VPC).
Follow-up Scenario: If you’re designing a subnet with a /24 CIDR block, how many usable IP addresses are available for resources? (Answer: 251 usable IPs)
2. What determines whether a subnet is public or private?
Answer: A subnet is considered public if it is associated with a route table that has a route to an internet gateway (IGW).
Scenario-Based Question: Given a VPC with multiple subnets, one of your subnets cannot access the internet. How would you troubleshoot and configure it as a public subnet?
3. What is the purpose of a bastion host, and how do you configure it?
Answer: A bastion host (or jump host) is a secure server used to access resources in private subnets. It acts as a gateway for administrative tasks.
Scenario-Based Question: A client wants to securely manage instances in private subnets. Explain the architecture and security configurations needed for setting up a bastion host.
4. What is AWS Session Manager, and what are its advantages over bastion hosts?
Answer: AWS Session Manager (part of AWS Systems Manager) is a fully managed service that provides secure, auditable shell access to EC2 instances without a bastion host or open inbound SSH ports.
Scenario-Based Question: If your organization decides to switch from bastion hosts to AWS Session Manager, what changes will you make to the infrastructure and IAM policies?
5. How do Security Groups and Network ACLs differ?
Answer:
Security Groups: Instance-level, stateful rules.
Network ACLs: Subnet-level, stateless rules.
Scenario-Based Question: A server in your VPC is unable to receive traffic from a specific IP range. How would you debug the issue using Security Groups and Network ACLs?
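As an added example (not part of the original article), the following simulation shows the practical consequence of "stateful" versus "stateless" for the debugging scenario above: a stateless NACL needs an explicit outbound rule for the client's ephemeral port or replies are dropped, and a lower-numbered deny rule silently blocks a whole range even though the security group allows it. The rule format, addresses and ports are constructed for this example, and protocol matching is omitted for brevity.

```python
import ipaddress

# Added example (not from the article). Rules are constructed as
# (rule_number, action, cidr, (from_port, to_port)); protocol is ignored for brevity.

def nacl_allows(rules, ip, port):
    """Stateless NACL semantics: evaluate in ascending rule-number order, the first
    match decides, and the implicit '*' rule denies anything left unmatched."""
    for _num, action, cidr, (lo, hi) in sorted(rules):
        if ipaddress.ip_address(ip) in ipaddress.ip_network(cidr) and lo <= port <= hi:
            return action == "allow"
    return False

def sg_allows(rules, ip, port):
    """Security group semantics: allow-only rules, any match permits."""
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(cidr) and lo <= port <= hi
               for _num, _action, cidr, (lo, hi) in rules)

def simulate_exchange(client_ip, client_port, server_port, sg_in, nacl_in, nacl_out):
    """Trace one request and its reply through both layers. The SG is stateful: a
    reply to an admitted request passes regardless of outbound rules. The NACL is
    not: the reply to the client's ephemeral port needs its own outbound rule."""
    sg_request = sg_allows(sg_in, client_ip, server_port)
    sg_reply = sg_request                      # connection tracking admits the reply
    nacl_request = nacl_allows(nacl_in, client_ip, server_port)
    nacl_reply = nacl_allows(nacl_out, client_ip, client_port)
    return {"sg": (sg_request, sg_reply), "nacl": (nacl_request, nacl_reply)}

# Constructed rule sets for a server that should accept HTTPS from 203.0.113.0/24
SG_IN = [(0, "allow", "203.0.113.0/24", (443, 443))]
NACL_IN = [(100, "allow", "203.0.113.0/24", (443, 443))]
# A lower-numbered deny wins over the allow: the classic "one range cannot reach us" bug
NACL_IN_DENY_RANGE = [(90, "deny", "203.0.113.0/25", (0, 65535))] + NACL_IN
NACL_OUT_BROKEN = [(100, "allow", "0.0.0.0/0", (443, 443))]               # no ephemeral ports
NACL_OUT_FIXED = NACL_OUT_BROKEN + [(110, "allow", "0.0.0.0/0", (1024, 65535))]

if __name__ == "__main__":
    for label, nacl_in, nacl_out in (("broken", NACL_IN, NACL_OUT_BROKEN),
                                     ("fixed", NACL_IN, NACL_OUT_FIXED),
                                     ("deny-range", NACL_IN_DENY_RANGE, NACL_OUT_FIXED)):
        print(label, simulate_exchange("203.0.113.10", 50123, 443, SG_IN, nacl_in, nacl_out))
```

When debugging, check the NACL first: it can reject traffic before the security group ever sees it, and a NACL failure shows up as a request that arrives but whose reply never leaves.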
6. How would you design IP address allocation for a VPC with multiple environments (e.g., Dev, Staging, Prod)?
Answer: Use separate CIDR blocks for each environment to avoid overlap. For example:
Dev: 10.0.0.0/16
Staging: 10.1.0.0/16
Prod: 10.2.0.0/16
Scenario-Based Question: If you only have a /16 CIDR block for your entire VPC, how would you divide subnets for multiple environments while maximizing scalability?
7. What are the minimum and maximum CIDR blocks allowed in AWS VPC?
Answer:
Minimum: /28 (16 IPs)
Maximum: /16 (65,536 IPs)
Scenario-Based Question: If your current VPC is /24 and running out of IPs, what options do you have to accommodate more resources?
8. How do you set up a highly available NAT Gateway?
Answer: Deploy NAT Gateways in multiple availability zones and associate route tables for private subnets in each AZ with the respective NAT Gateway.
Scenario-Based Question: A private subnet in one AZ is unable to reach the internet, but subnets in other AZs are working fine. What could be the issue?
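The following added example (not from the original article) turns questions 2 and 8 into a check you can run: it classifies each subnet as public, private or isolated from its route table's default route, and flags a private subnet whose 0.0.0.0/0 route points at a NAT Gateway in another availability zone, which is exactly the single-AZ dependency behind the scenario above. The data structures mirror a trimmed `aws ec2 describe-route-tables` response; every ID and AZ placement is a constructed sample value.

```python
# Added example (not from the article): classify subnets from route-table data shaped
# like a trimmed `aws ec2 describe-route-tables` response; all IDs/AZs are constructed.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-a-pub"}, {"SubnetId": "subnet-b-pub"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
    {"RouteTableId": "rtb-private-a",
     "Associations": [{"SubnetId": "subnet-a-priv"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}]},
    {"RouteTableId": "rtb-private-b",   # default route to the NAT in the other AZ: not HA
     "Associations": [{"SubnetId": "subnet-b-priv"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}]},
    {"RouteTableId": "rtb-isolated",    # no default route at all (e.g. a database tier)
     "Associations": [{"SubnetId": "subnet-db"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
SUBNET_AZ = {"subnet-a-pub": "us-east-1a", "subnet-b-pub": "us-east-1b", "subnet-a-priv": "us-east-1a",
             "subnet-b-priv": "us-east-1b", "subnet-db": "us-east-1a"}
NAT_AZ = {"nat-a": "us-east-1a", "nat-b": "us-east-1b"}

def default_route(route_table):
    """Return the 0.0.0.0/0 route of a route table, or None if it has none."""
    return next((r for r in route_table["Routes"] if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)

def classify(route_tables, subnet_az, nat_az):
    """Map each subnet to (kind, warning): public if the default route is an IGW, private
    if it is a NAT gateway, isolated if there is no default route. The warning flags a
    private subnet whose NAT gateway lives in a different AZ (single point of failure)."""
    result = {}
    for rt in route_tables:
        dr = default_route(rt) or {}
        for assoc in rt["Associations"]:
            sid, warn = assoc["SubnetId"], None
            if not dr:
                kind = "isolated"
            elif dr.get("GatewayId", "").startswith("igw-"):
                kind = "public"
            elif "NatGatewayId" in dr:
                kind, nat = "private", dr["NatGatewayId"]
                if nat_az.get(nat) != subnet_az.get(sid):
                    warn = f"{sid} in {subnet_az.get(sid)} relies on {nat} in {nat_az.get(nat)}"
            else:
                kind = "other"           # e.g. a transit gateway or virtual private gateway
            result[sid] = (kind, warn)
    return result
```

Against real account data you would fill `ROUTE_TABLES`, `SUBNET_AZ` and `NAT_AZ` from `describe-route-tables`, `describe-subnets` and `describe-nat-gateways` respectively; a non-empty warning is the answer to "why does only one AZ lose internet access when a NAT Gateway fails".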
9. What is the purpose of a route table, and how is it associated with subnets?
Answer: A route table defines rules for routing traffic. Each subnet is associated with a route table to determine how traffic is routed within the VPC or outside it.
Scenario-Based Question: You’ve been tasked with setting up a private subnet that communicates with an on-premises data center over a VPN. How would you configure the route table?
10. Explain how CIDR and subnetting work in a VPC.
Answer: CIDR (Classless Inter-Domain Routing) defines the IP range for a VPC. Subnetting divides this range into smaller, more manageable segments for organizing resources.
Scenario-Based Question: If a VPC has a /16 CIDR block, how would you divide it into four /18 subnets? Provide an example.
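The subnet arithmetic behind questions 1, 6, 7 and 10 is worked through in this added example (not from the original article): it lists the five reserved addresses of a subnet, computes usable hosts, splits a VPC CIDR into equal subnets (a /16 into four /18s) while enforcing the /16-to-/28 VPC limits, and checks that environment CIDRs (or a candidate secondary CIDR for a VPC that has run out of addresses) do not overlap. All addresses are constructed sample values; the constant names are my own.

```python
import ipaddress

# Added example (not from the article): AWS subnet arithmetic with the five reserved
# addresses, the /16-to-/28 VPC limits, and equal splitting of a VPC CIDR.
AWS_RESERVED = 5                      # network, VPC router, DNS, future use, broadcast
LARGEST_VPC, SMALLEST_VPC = 16, 28    # prefix lengths AWS accepts for a VPC CIDR

def reserved_addresses(subnet):
    """The five addresses AWS removes from every subnet, in the order the article lists them."""
    net = ipaddress.ip_network(subnet, strict=True)
    base = int(net.network_address)
    return {"network": str(net.network_address),
            "vpc_router": str(ipaddress.ip_address(base + 1)),
            "dns": str(ipaddress.ip_address(base + 2)),
            "future_use": str(ipaddress.ip_address(base + 3)),
            "broadcast": str(net.broadcast_address)}

def usable_hosts(subnet):
    """Addresses an instance or ENI can actually take: total minus the five reserved ones."""
    return ipaddress.ip_network(subnet, strict=True).num_addresses - AWS_RESERVED

def split_vpc(cidr, count):
    """Carve a VPC CIDR into `count` equal subnets (count a power of two), e.g. a /16
    into four /18s, returning (subnet, usable_hosts) pairs. Rejects CIDRs outside
    the AWS VPC limits and splits that would produce subnets smaller than /28."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not LARGEST_VPC <= net.prefixlen <= SMALLEST_VPC:
        raise ValueError(f"{cidr}: a VPC CIDR must be between /16 and /28")
    if count < 1 or count & (count - 1):
        raise ValueError("count must be a power of two")
    new_prefix = net.prefixlen + count.bit_length() - 1
    if new_prefix > SMALLEST_VPC:
        raise ValueError(f"{count} subnets of {cidr} would be smaller than /28")
    return [(str(s), usable_hosts(str(s))) for s in net.subnets(new_prefix=new_prefix)]

def overlapping(cidrs):
    """Pairs of CIDRs that overlap; any such pair rules out peering or a secondary CIDR."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]

if __name__ == "__main__":
    print(usable_hosts("10.0.1.0/24"), reserved_addresses("10.0.1.0/24"))
    print(split_vpc("10.0.0.0/16", 4))
    print(overlapping(["10.0.0.0/16", "10.1.0.0/16", "10.2.0.0/16"]))
```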
11. What is the difference between an Internet Gateway and a NAT Gateway?
Answer:
Internet Gateway (IGW): Allows public subnets to connect to the internet.
NAT Gateway: Allows private subnets to initiate outbound internet traffic without exposing their IPs.
Scenario-Based Question: Your application in a private subnet requires access to third-party APIs over the internet. How would you configure this using a NAT Gateway?
12. How does Elastic IP work in AWS?
Answer: Elastic IP (EIP) is a static public IPv4 address that can be associated with an EC2 instance, NAT Gateway, or Network Interface.
Scenario-Based Question: A server loses its public IP after a restart. How would you configure the setup to ensure this does not happen again?
13. How do you connect two VPCs using VPC Peering?
Answer: VPC Peering creates a direct network connection between two VPCs, allowing them to route traffic to each other privately.
Scenario-Based Question: You’re tasked with enabling communication between two VPCs in different regions. What steps would you take, and what limitations should you consider?
14. How does AWS Direct Connect differ from a VPN?
Answer:
Direct Connect: Provides a dedicated, high-bandwidth connection between your on-premises network and AWS.
VPN: Uses the internet to securely connect your on-premises network to AWS.
Scenario-Based Question: A client has latency-sensitive workloads that require reliable connectivity between on-premises and AWS. Which option would you recommend and why?
15. What are key considerations for designing a scalable VPC architecture?
Answer:
Plan CIDR ranges to allow for future growth.
Use multiple availability zones for redundancy.
Configure NAT Gateways for internet-bound private subnets.
Implement proper IAM and security policies.
Scenario-Based Question: Design a VPC architecture for a multi-region application that requires high availability, private and public subnets, and secure access to a backend database.
Final Thoughts
Preparing for DevOps interviews involves not only understanding the theoretical aspects of VPCs and networking but also being ready to solve practical, real-world problems. These questions cover a range of topics that reflect the challenges DevOps professionals face daily. Study these thoroughly, and you’ll be well-prepared to impress your interviewer.
Explore the Complete VPC Guide for DevOps Professionals
Loved this article? This is just one chapter from the Ultimate VPC Guide for DevOps Professionals—a comprehensive series designed to help you master VPCs, networking, and cloud architecture. Whether you’re preparing for a DevOps career or enhancing your existing skills, this guide has everything you need, from hands-on projects to interview questions.
👉 Read the full guide here and take your first step toward becoming a VPC and DevOps expert!