Networking Fundamentals Quiz
Question 1
What is the valid CIDR block size range for an AWS VPC?
Explanation: AWS VPCs support CIDR blocks from /28 (16 IP addresses) to /16 (65,536 IP addresses). This allows flexibility in VPC sizing while maintaining reasonable limits.
Hint: Think about the range from smallest to largest supported VPC sizes.
Question 2
Which IP addresses are reserved by AWS in a subnet with CIDR block 10.0.0.0/24?
Explanation: AWS reserves 5 IP addresses in every subnet: the network address (.0), VPC router (.1), DNS server (.2), one for future use (.3), and broadcast address (.255). This leaves 251 usable IPs in a /24 subnet.
Hint: AWS always reserves exactly 5 IP addresses in each subnet.
Question 3
True or false: A VPC can span multiple AWS Regions.
Explanation: VPCs are regional constructs and cannot span multiple Regions. However, a single VPC can span all Availability Zones within a Region. To connect VPCs across Regions, use VPC Peering or Transit Gateway with inter-region peering.
Hint: Consider the scope of a VPC: is it global, regional, or AZ-specific?
Question 4
What is the primary difference between a public subnet and a private subnet?
Explanation: A public subnet is defined by having a route to an Internet Gateway (0.0.0.0/0 → IGW) in its route table. Private subnets lack this direct route to the IGW and instead use a NAT Gateway for outbound internet access.
Hint: Focus on routing configuration, not size or location.
Question 5
Given a VPC with CIDR 10.0.0.0/16, which route is automatically added to all route tables?
VPC CIDR: 10.0.0.0/16
Route Table:
Destination    Target
--------------------------
?              ?
Explanation: The local route (10.0.0.0/16 → local) is automatically added to all route tables in the VPC. This enables communication between all resources within the VPC. It cannot be modified or deleted.
Hint: This route enables intra-VPC communication and is automatic.
Question 6
What keyword is used in route tables to enable intra-VPC communication?
Explanation: The local target in route tables enables communication between all resources within the VPC. Every VPC route table automatically includes this route for the VPC's CIDR block.
Hint: It's a 5-letter word that describes traffic staying within the VPC.
Question 7
What is the difference between a NAT Gateway and a NAT Instance?
Explanation:
NAT Gateway:
- Managed by AWS (no maintenance)
- Highly available within an AZ
- Scales automatically up to 45 Gbps
- No security groups (use NACLs)
- Higher cost, lower operational overhead
NAT Instance:
- Self-managed EC2 instance
- Single point of failure (manual HA needed)
- Limited by instance type bandwidth
- Supports security groups
- Can be used as bastion host
- Lower cost, higher operational overhead
Question 8
What are the requirements for an EC2 instance in a public subnet to have internet access?
Explanation: All five requirements must be met: (1) IGW attached to the VPC, (2) route to the IGW in the subnet's route table, (3) public IP on the instance, (4) Security Group allowing the traffic, and (5) NACL allowing traffic on the required ports, including ephemeral ports.
Hint: Internet access requires multiple layers to be configured correctly.
Question 9
True or false: Security Groups are stateful, meaning return traffic is automatically allowed.
Explanation: Security Groups are stateful: they automatically track connection state and allow return traffic. If you allow an inbound request, the response is automatically allowed regardless of outbound rules. This is different from NACLs, which are stateless.
Hint: Think about whether you need to configure both inbound and outbound rules for a connection.
Question 10
At what level are Network ACLs (NACLs) applied?
Explanation: NACLs are applied at the subnet level, affecting all instances within that subnet. This is different from Security Groups, which are applied at the instance level (ENI). Each subnet must be associated with exactly one NACL.
Hint: NACLs provide a boundary defense for a specific network segment.
Question 11
Arrange the security layers in order from outermost to innermost when traffic enters a VPC (first to last):
- Internet Gateway
- Security Group
- Network ACL
- EC2 Instance OS Firewall
Explanation: Traffic flows through multiple security layers: Internet Gateway → Network ACL (subnet boundary) → Security Group (instance firewall) → EC2 Instance. This defense-in-depth strategy provides multiple security checkpoints.
Question 12
Complete the route table entry for a private subnet to route internet traffic through a NAT Gateway (fill in the destination CIDR block):
Destination    Target
--------------------------
10.0.0.0/16    local
_____          nat-1234567890
Explanation: The route 0.0.0.0/0 → NAT Gateway directs all internet-bound traffic from the private subnet through the NAT Gateway. The NAT Gateway then forwards the traffic to the Internet Gateway.
Question 13
Which statements are true about VPC Flow Logs?
Explanation: VPC Flow Logs capture metadata only (not packet contents), including source/destination IPs, ports, protocol, and accept/reject status. They can be sent to CloudWatch, S3, or Kinesis and can be scoped to a VPC, a subnet, or an individual network interface.
Hint: Flow Logs are for metadata analysis, not deep packet inspection.
Question 14
How many NAT Gateways should you deploy for high availability in a VPC with resources across two Availability Zones?
Explanation: Deploy one NAT Gateway per Availability Zone for high availability. NAT Gateways are AZ-specific, so if an AZ fails, only a NAT Gateway in another AZ can provide internet access. Each private subnet routes to the NAT Gateway in its own AZ.
Hint: NAT Gateways are highly available within an AZ but not across AZs.
Question 15
True or false: VPC Peering connections are transitive, meaning if VPC-A peers with VPC-B and VPC-B peers with VPC-C, then VPC-A can communicate with VPC-C.
Explanation: VPC Peering is NOT transitive. Each VPC pair requires a direct peering connection. If VPC-A needs to communicate with VPC-C, a direct peering connection must be established between them, even if both peer with VPC-B. For transitive routing, use Transit Gateway instead.
Hint: Consider whether VPC Peering supports hub-and-spoke patterns.
Question 16
What is AWS Transit Gateway and when should you use it?
Explanation: AWS Transit Gateway is a regional network hub that connects multiple VPCs and on-premises networks with transitive routing using a hub-and-spoke model.
Key Features:
- Transitive routing (A→TGW→C works)
- Centralized management
- Supports thousands of VPCs
- Inter-region peering available
- Route tables for network segmentation
Use When:
- Connecting many VPCs (>3-5)
- Need transitive routing
- Centralizing on-premises connectivity
- Requiring network segmentation between environments
Question 17
What is the main advantage of Gateway Endpoints over Interface Endpoints for S3 and DynamoDB?
Explanation: Gateway Endpoints (available only for S3 and DynamoDB) have no hourly charges or data processing fees, unlike Interface Endpoints. They work via route table entries rather than ENIs, making them cost-effective for high-volume S3/DynamoDB access.
Hint: Think about cost differences between the two endpoint types.
Question 18
In a NACL, what happens when traffic matches rule number 100 that denies it, but rule 200 would allow it?
NACL Inbound Rules:
Rule #   Type   Port   Source      Allow/Deny
-----------------------------------------------
100      SSH    22     0.0.0.0/0   DENY
200      SSH    22     0.0.0.0/0   ALLOW
*        All    All    0.0.0.0/0   DENY
SSH request from 203.0.113.5 arrives.
Explanation: NACL rules are evaluated in numerical order (lowest to highest). The first matching rule is applied and evaluation stops. Since rule 100 matches first and denies the traffic, rule 200 is never evaluated. This demonstrates the importance of rule ordering in NACLs.
Hint: NACLs use a 'first match wins' evaluation strategy.
Question 19
A client sends an HTTP request through a NACL. The inbound rule allows port 80, but the client never receives a response. What is the most likely cause?
Explanation: NACLs are stateless: they do not automatically allow return traffic. Even if inbound port 80 is permitted, the response travels back on an ephemeral port (1024-65535). Without an explicit outbound rule allowing that port range, the response is dropped. Security Groups, by contrast, are stateful and handle return traffic automatically.
Hint: NACLs don't track connection state like Security Groups do.
Question 20
Which components are required to implement AWS PrivateLink?
Explanation: AWS PrivateLink requires three main components: (1) VPC Interface Endpoint (ENI in the consumer VPC), (2) VPC Endpoint Service (provider configuration), and (3) Network Load Balancer (fronts the provider's service). An Internet Gateway and NAT Gateway are not needed, as PrivateLink uses AWS's private network.
Hint: PrivateLink is about private connectivity, not internet-facing components.
Question 21
What is the maximum number of VPC peering connections needed for a full mesh topology with 5 VPCs?
Explanation: For a full mesh topology, the formula is N*(N-1)/2. With 5 VPCs: 5*(5-1)/2 = 5*4/2 = 10 peering connections. This demonstrates why VPC Peering becomes complex at scale and why Transit Gateway is recommended for many VPCs.
Hint: Use the formula N*(N-1)/2, where N is the number of VPCs.
Question 22
Arrange these networking components from least granular (broadest scope) to most granular (narrowest scope):
- VPC
- Security Group
- Subnet
- ENI
Explanation: The hierarchy from broadest to narrowest: VPC spans an entire Region and multiple AZs → Subnet exists in a single AZ → Security Group applies to instances → ENI is the actual network interface attached to an instance.
Question 23
True or false: A subnet can span multiple Availability Zones for high availability.
Explanation: Subnets are AZ-specific and cannot span multiple AZs. Each subnet exists in exactly one Availability Zone. To achieve high availability, you must create subnets in multiple AZs and distribute resources across them.
Hint: Think about the AZ binding of subnets.
Question 24
Which VPC Flow Logs analysis would help identify potential port scanning activity?
Explanation: Port scanning is detected by observing a single source IP attempting connections to many different destination ports. The query filters for a suspicious source IP and counts distinct destination ports, revealing scanning patterns where one host probes many ports.
Hint: Port scanning involves one source trying many different ports.
Question 25
Explain the concept of Security Group chaining and its benefits.
Explanation: Security Group chaining is when a Security Group rule references another Security Group as its source or destination instead of a CIDR block, enabling identity-based access control between workloads.
Example:
- Web tier SG (sg-web): Outbound to sg-app on port 8080
- App tier SG (sg-app): Inbound from sg-web on port 8080, Outbound to sg-db on port 3306
- DB tier SG (sg-db): Inbound from sg-app on port 3306
Benefits:
- Dynamic: Rules automatically apply to all instances with the referenced SG
- Maintainable: No need to update IP addresses when instances change
- Secure: Enforces tier-based access control
- Scalable: Works regardless of instance count in each tier
- Clear: Documents architectural relationships
Question 26
Complete the Security Group rule to allow HTTPS traffic from anywhere (fill in the source CIDR block for 'anywhere'):
Type    Protocol   Port   Source
--------------------------------------
HTTPS   TCP        443    _____
Explanation: 0.0.0.0/0 represents all IPv4 addresses (anywhere on the internet). For public web servers, this is the appropriate source for HTTP (80) and HTTPS (443) traffic. For SSH/RDP, you should restrict the source to specific IP ranges.
Question 27
What are the key differences between Security Groups and NACLs?
Explanation: All four differences are correct: (1) SGs are stateful (return traffic is automatically allowed), NACLs are stateless; (2) SGs apply at the instance level, NACLs at the subnet level; (3) SGs have only ALLOW rules, NACLs have both ALLOW and DENY rules; (4) SGs evaluate all rules, NACLs use first-match. Both are mandatory, but the default ones can be used.
Hint: Focus on statefulness, scope, rule types, and evaluation logic.
Question 28
In a three-tier architecture, which subnets should the database tier be placed in?
Explanation: Database tiers should always be in private subnets to prevent direct internet access. They should only be accessible from the application tier via Security Group rules. This follows the principle of least privilege and defense in depth.
Hint: Think about security best practices for sensitive data.
Question 29
True or false: An Internet Gateway has bandwidth constraints that may limit high-traffic applications.
Explanation: Internet Gateways are horizontally scaled and redundant by AWS, with no bandwidth constraints or availability risk. They automatically scale to handle your traffic without any configuration or capacity planning on your part.
Hint: Consider AWS-managed service characteristics.
Question 30
How many IP addresses are available for use in a /24 subnet after AWS reserves its required addresses?
Explanation: A /24 subnet has 256 total IP addresses. AWS reserves 5 addresses (.0 network, .1 router, .2 DNS, .3 future use, .255 broadcast), leaving 256 - 5 = 251 usable addresses.
Hint: Start with 256 IPs in a /24 and subtract AWS's 5 reserved addresses.
Question 31
What happens when a NAT Gateway in AZ-A fails and private subnet instances in AZ-A need internet access?
Explanation: NAT Gateways are highly available within an AZ but do not automatically fail over across AZs. If the NAT Gateway in AZ-A fails, instances in that AZ lose internet access. This is why the best practice is to create separate NAT Gateways in each AZ with AZ-specific route tables.
Hint: NAT Gateways provide HA within an AZ, not across AZs.