Q: What is a subnet in AWS?
A: A subnet in AWS is a segmented section of a Virtual Private Cloud (VPC) where you can launch AWS resources. Subnets help in organizing resources, controlling network traffic, and securing your applications. Subnets are defined within a specific Availability Zone (AZ) of a region.
Example code snippet to create a subnet:
aws ec2 create-subnet --vpc-id <vpc-id> --cidr-block 10.0.1.0/24 --availability-zone us-west-2a
Q: How do I configure access control for a subnet in AWS?
A: Access control for subnets in AWS is managed through security groups and network access control lists (ACLs). Security groups act as a firewall for associated instances, controlling inbound and outbound traffic. Network ACLs are an additional layer of security that controls traffic to and from subnets.
Example code snippet to create a security group:
aws ec2 create-security-group --group-name MySecurityGroup --description "My security group" --vpc-id <vpc-id>
Example code snippet to configure network ACL rules:
aws ec2 create-network-acl --vpc-id <vpc-id> --tag-specifications 'ResourceType=network-acl,Tags=[{Key=Name,Value=MyNetworkACL}]'
Q: How can I route traffic between subnets in AWS?
A: Traffic between subnets in the same VPC can be routed using route tables. By default, AWS creates a main route table for your VPC, but you can create custom route tables and associate them with specific subnets.
Example code snippet to create a custom route table:
aws ec2 create-route-table --vpc-id <vpc-id>
Example code snippet to associate a route table with a subnet:
aws ec2 associate-route-table --subnet-id <subnet-id> --route-table-id <route-table-id>
Q: How do I enable Internet access for resources in a subnet?
A: To enable Internet access for resources in a subnet, you need to create an Internet Gateway (IGW) and update the route table associated with the subnet to route traffic destined for the Internet through the IGW.
Example code snippet to create an Internet Gateway:
aws ec2 create-internet-gateway
Example code snippet to attach the Internet Gateway to your VPC:
aws ec2 attach-internet-gateway --vpc-id <vpc-id> --internet-gateway-id <igw-id>
Example code snippet to update the route table:
aws ec2 create-route --route-table-id <route-table-id> --destination-cidr-block 0.0.0.0/0 --gateway-id <igw-id>
Important Interview Questions and Answers on AWS Cloud Subnet and Access
Q: What is a subnet in AWS?
A subnet in AWS is a range of IP addresses in your VPC (Virtual Private Cloud). It helps segment your VPC into smaller networks for better organization and security.
Q: What is CIDR notation and how is it used with subnets?
CIDR (Classless Inter-Domain Routing) notation is a compact representation of an IP address and its associated network mask. It's expressed as a combination of an IP address and a prefix length, like 10.0.0.0/24, where /24 denotes the number of bits used for the network portion of the address. In AWS, CIDR notation is used to define the range of IP addresses for subnets.
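Added example (not from the original page): a small Python planner that checks proposed subnet CIDRs the way the AWS limits require, inside the VPC block, prefix between /16 and /28, no overlaps, and that counts usable hosts after the five addresses AWS reserves in every subnet, then emits the create-subnet commands from this page. The VPC id and CIDRs below are constructed sample values.

```python
import ipaddress

# AWS reserves the first four and the last address of every subnet
# (network, VPC router, DNS, future use, broadcast).
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(cidr):
    """Addresses you can actually assign to ENIs in an AWS subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def validate_subnet_plan(vpc_cidr, subnet_cidrs):
    """Return a list of problems; an empty list means the plan is acceptable."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    problems, accepted = [], []
    for cidr in subnet_cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
        except ValueError as exc:
            problems.append(f"{cidr}: not a valid CIDR block ({exc})")
            continue
        if not 16 <= net.prefixlen <= 28:
            problems.append(f"{cidr}: prefix must be between /16 and /28")
        if not net.subnet_of(vpc):
            problems.append(f"{cidr}: not inside VPC CIDR {vpc}")
        for other in accepted:
            if net.overlaps(other):
                problems.append(f"{cidr}: overlaps {other}")
        accepted.append(net)
    return problems


def create_subnet_commands(vpc_id, vpc_cidr, subnets):
    """subnets: list of (cidr, availability_zone). Raises if the plan is invalid."""
    problems = validate_subnet_plan(vpc_cidr, [c for c, _ in subnets])
    if problems:
        raise ValueError("; ".join(problems))
    return [
        f"aws ec2 create-subnet --vpc-id {vpc_id} --cidr-block {cidr} "
        f"--availability-zone {az}"
        for cidr, az in subnets
    ]


if __name__ == "__main__":
    # Constructed sample plan: a /16 VPC split into two /24 subnets in two AZs.
    plan = [("10.0.1.0/24", "us-west-2a"), ("10.0.2.0/24", "us-west-2b")]
    for line in create_subnet_commands("vpc-EXAMPLE", "10.0.0.0/16", plan):
        print(line)
```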
Q: How do you create a subnet in AWS using AWS CLI?
Here is the code.
aws ec2 create-subnet --vpc-id <vpc-id> --cidr-block <cidr-block>
Q: What is an Internet Gateway (IGW) in AWS and how is it related to subnets?
An Internet Gateway (IGW) is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet. To enable internet access for instances in a subnet, the subnet must be associated with a route table that has a route to the IGW.
Q: How do you associate a subnet with a route table in AWS using AWS CLI?
Here is the code.
aws ec2 associate-route-table --subnet-id <subnet-id> --route-table-id <route-table-id>
Q: What is Network Access Control List (NACL) in AWS and how does it differ from Security Groups?
NACLs act as a firewall for controlling traffic in and out of one or more subnets in a VPC. They operate at the subnet level and evaluate traffic based on rules you specify. Unlike Security Groups, NACLs are stateless, meaning you must explicitly allow inbound and outbound traffic separately.
Q: How do you create a Network Access Control List (NACL) using AWS CLI?
Here is the code.
aws ec2 create-network-acl --vpc-id <vpc-id>
Q: What is the default NACL behavior?
By default, a custom NACL that you create denies all inbound and outbound traffic until you add allow rules; the default NACL that AWS creates with each VPC allows all traffic. You must explicitly allow desired traffic by adding inbound and outbound rules.
Q: How do you add inbound and outbound rules to a Network Access Control List (NACL) using AWS CLI?
Here is the code.
aws ec2 create-network-acl-entry --network-acl-id <nacl-id> --ingress --rule-number <num> --protocol <protocol-number> --port-range From=<from-port>,To=<to-port> --cidr-block <cidr-block> --rule-action <allow|deny>
aws ec2 create-network-acl-entry --network-acl-id <nacl-id> --egress --rule-number <num> --protocol <protocol-number> --port-range From=<from-port>,To=<to-port> --cidr-block <cidr-block> --rule-action <allow|deny>
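Added example (not from the original page): a Python model of how a stateless NACL evaluates traffic, rules in ascending rule-number order, first match wins, implicit deny for everything else. It builds the rule pair needed for admin SSH (the inbound port 22 allow plus the outbound ephemeral-port allow that return traffic needs), renders them as the create-network-acl-entry commands above, and lets you check a flow against the rules before applying them. The NACL id and addresses are constructed sample values.

```python
import ipaddress

EPHEMERAL = (1024, 65535)  # range AWS documents for return traffic through a NACL


def ssh_nacl_rules(admin_cidr):
    """Allow admin SSH through a stateless NACL.

    The inbound allow alone is not enough: replies leave the subnet on an
    ephemeral source port, so egress to the admin range must be allowed too.
    Tuple: (rule_number, direction, protocol, from_port, to_port, cidr, action)
    """
    return [
        (100, "ingress", 6, 22, 22, admin_cidr, "allow"),
        (100, "egress", 6, EPHEMERAL[0], EPHEMERAL[1], admin_cidr, "allow"),
    ]


def to_cli(nacl_id, rules):
    """Render rules as the AWS CLI commands that would create them."""
    return [
        f"aws ec2 create-network-acl-entry --network-acl-id {nacl_id} --{direction} "
        f"--rule-number {num} --protocol {proto} --port-range From={lo},To={hi} "
        f"--cidr-block {cidr} --rule-action {action}"
        for num, direction, proto, lo, hi, cidr, action in rules
    ]


def nacl_permits(rules, direction, proto, port, peer_ip):
    """Evaluate like AWS: lowest rule number first, first match decides,
    and the implicit '*' rule denies anything left unmatched."""
    peer = ipaddress.ip_address(peer_ip)
    for num, d, p, lo, hi, cidr, action in sorted(rules, key=lambda r: r[0]):
        if d != direction or p not in (proto, -1) or not lo <= port <= hi:
            continue
        if peer in ipaddress.ip_network(cidr):
            return action == "allow"
    return False


if __name__ == "__main__":
    rules = ssh_nacl_rules("203.0.113.10/32")  # constructed admin address
    for line in to_cli("acl-EXAMPLE", rules):
        print(line)
    print("ssh in:", nacl_permits(rules, "ingress", 6, 22, "203.0.113.10"))
    print("reply out:", nacl_permits(rules, "egress", 6, 40000, "203.0.113.10"))
```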
Q: How do you set up a security group to allow SSH access to instances in a subnet using AWS CLI?
Here is the code.
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 22 --cidr <your-ip>/32