Networking Fundamentals Quiz
Question 1 of 38
Question 1
What is the valid CIDR block size range for an AWS VPC?
Explanation: AWS VPCs support CIDR blocks from /28 (16 IP addresses) to /16 (65,536 IP addresses). This allows flexibility in VPC sizing while maintaining reasonable limits.
Hint: Think about the range from smallest to largest supported VPC sizes.
Question 2
How many IP addresses does AWS reserve in every subnet?
Explanation: AWS reserves exactly 5 IP addresses in every subnet: .0 (network address), .1 (VPC router), .2 (DNS server — VPC base + 2), .3 (reserved for future use), and .255 (broadcast address). In a /24 subnet this leaves 251 usable addresses.
Hint: These reserved addresses serve routing, DNS, and administrative purposes.
Question 3
A VPC can span multiple AWS Regions.
Explanation: VPCs are regional constructs and cannot span multiple Regions. However, a single VPC can span all Availability Zones within a Region. To connect VPCs across regions, you would use VPC Peering or Transit Gateway with inter-region peering.
Hint: Consider the scope of a VPC - is it global, regional, or AZ-specific?
Question 4
What is the primary difference between a public subnet and a private subnet?
Explanation: A public subnet is defined by having a route to an Internet Gateway (0.0.0.0/0 → IGW) in its route table. Auto-assigning public IPs is a common setting on public subnets but is not what defines them — a subnet without the IGW route is still private regardless of IP assignment settings.
Hint: Focus on routing configuration, not IP assignment settings or location.
Question 5
Given a VPC with CIDR 10.0.0.0/16, which route is automatically added to all route tables?
VPC CIDR: 10.0.0.0/16
Route Table:
Destination     Target
--------------------------
?               ?
Explanation: The local route (10.0.0.0/16 → local) is automatically added to all route tables in the VPC. This enables communication between all resources within the VPC. It cannot be modified or deleted.
Hint: This route enables intra-VPC communication and is automatic.
Question 6
What keyword is used in route tables to enable intra-VPC communication?
Explanation: The local target in route tables enables communication between all resources within the VPC. Every VPC route table automatically includes this route for the VPC’s CIDR block.
Hint: It’s a 5-letter word that describes traffic staying within the VPC.
Question 7
What is the difference between a NAT Gateway and a NAT Instance?
Model answer:
NAT Gateway:
- Managed by AWS (no maintenance)
- Highly available within an AZ
- Scales automatically up to 45 Gbps
- No security groups (use NACLs)
- Higher cost, lower operational overhead
NAT Instance:
- Self-managed EC2 instance
- Single point of failure (manual HA needed)
- Limited by instance type bandwidth
- Supports security groups
- Can be used as bastion host
- Lower cost, higher operational overhead
Question 8
What are the requirements for an EC2 instance in a public subnet to have internet access?
Explanation: All five requirements must be met: (1) IGW attached to VPC, (2) route to IGW in subnet’s route table, (3) a public IP on the instance — auto-assigned and Elastic IP are both valid, (4) Security Group allowing traffic, and (5) NACL allowing traffic including ephemeral ports (1024–65535) for responses. VPC endpoints are for private AWS service access, not general internet routing.
Hint: Internet access requires multiple layers to be configured correctly.
Question 9
Security Groups are stateful, meaning return traffic is automatically allowed.
Explanation: Security Groups are stateful - they automatically track connection state and allow return traffic. If you allow an inbound request, the response is automatically allowed regardless of outbound rules. This is different from NACLs which are stateless.
Hint: Think about whether you need to configure both inbound and outbound rules for a connection.
Question 10
At what level are Network ACLs (NACLs) applied?
Explanation: NACLs are applied at the subnet level, affecting all instances within that subnet. Although NACLs are created and managed within the VPC, each NACL must be explicitly associated with specific subnets — they do not automatically apply to all subnets. Each subnet has exactly one NACL; Security Groups apply at the instance (ENI) level.
Hint: NACLs provide a boundary defense for a specific network segment.
Question 11
Arrange the security layers in order from outermost to innermost when traffic enters a VPC:
Items to arrange (first to last):
- Internet Gateway
- Security Group
- Network ACL
- EC2 Instance OS Firewall
Explanation: Traffic flows through multiple security layers: Internet Gateway → Network ACL (subnet boundary) → Security Group (instance firewall) → EC2 Instance. This defense-in-depth strategy provides multiple security checkpoints.
Question 12
Complete the route table entry for a private subnet to route internet traffic through a NAT Gateway:
Fill in the destination CIDR block:
Destination     Target
--------------------------
10.0.0.0/16     local
_____           nat-1234567890
Explanation: The route 0.0.0.0/0 → NAT Gateway directs all internet-bound traffic from the private subnet through the NAT Gateway. The NAT Gateway then forwards traffic to the Internet Gateway.
Question 13
Which statements are true about VPC Flow Logs?
Explanation: VPC Flow Logs capture metadata only (not packet contents), including source/destination IPs, ports, protocol, and accept/reject status. They can be sent to CloudWatch, S3, or Kinesis and can be scoped to VPC, subnet, or individual network interfaces. Flow Logs are read-only — they record traffic but cannot block it. Use Security Groups or NACLs for traffic blocking.
Hint: Flow Logs are for metadata analysis, not deep packet inspection or traffic control.
Question 14
How many NAT Gateways should you deploy for high availability in a VPC with resources across two Availability Zones?
Explanation: Deploy one NAT Gateway per Availability Zone for high availability. NAT Gateways are AZ-specific, so if an AZ fails, only a NAT Gateway in another AZ can provide internet access. Each private subnet routes to the NAT Gateway in its own AZ.
Hint: NAT Gateways are highly available within an AZ but not across AZs.
Question 15
VPC Peering connections are transitive, meaning if VPC-A peers with VPC-B and VPC-B peers with VPC-C, then VPC-A can communicate with VPC-C.
Explanation: VPC Peering is NOT transitive. Each VPC pair requires a direct peering connection. If VPC-A needs to communicate with VPC-C, a direct peering connection must be established between them, even if both peer with VPC-B. For transitive routing, use Transit Gateway instead.
Hint: Consider whether VPC Peering supports hub-and-spoke patterns.
Question 16
What is AWS Transit Gateway and when should you use it?
Model answer: AWS Transit Gateway is a regional hub that enables transitive routing between VPCs and on-premises networks using a hub-and-spoke model.
Key Features:
- Transitive routing: A → TGW → C works (VPC Peering does not)
- Scales to thousands of VPCs; centralized management
- Route tables enable network segmentation (prod/dev isolation)
- Inter-region peering and Direct Connect integration
Use when: connecting 3+ VPCs, need transitive routing, or centralizing on-premises connectivity
Question 17
What is the main advantage of Gateway Endpoints over Interface Endpoints for S3 and DynamoDB?
Explanation: Gateway Endpoints (available only for S3 and DynamoDB) have no hourly charges or data processing fees, unlike Interface Endpoints. They work via route table entries rather than ENIs, making them cost-effective for high-volume S3/DynamoDB access.
Hint: Think about cost differences between the two endpoint types.
Question 18
In a NACL, what happens when traffic matches rule number 100 that denies it, but rule 200 would allow it?
NACL Inbound Rules:
Rule #   Type   Port   Source       Allow/Deny
-----------------------------------------------
100      SSH    22     0.0.0.0/0    DENY
200      SSH    22     0.0.0.0/0    ALLOW
*        All    All    0.0.0.0/0    DENY
SSH request from 203.0.113.5 arrives.
Explanation: NACL rules are evaluated in numerical order (lowest to highest). The first matching rule is applied and evaluation stops. Since rule 100 matches first and denies the traffic, rule 200 is never evaluated. This demonstrates the importance of rule ordering in NACLs.
Hint: NACLs use a ‘first match wins’ evaluation strategy.
Question 19
A client sends an HTTP request through a NACL. The inbound rule allows port 80, but the client never receives a response. What is the most likely cause?
Explanation: NACLs are stateless — they do not automatically allow return traffic. Even if inbound port 80 is permitted, the response travels back on an ephemeral port (1024-65535). Without an explicit outbound rule allowing that port range, the response is dropped. Security Groups, by contrast, are stateful and handle return traffic automatically. An OS firewall could also block responses, but a missing NACL outbound rule is the most common cause of this specific symptom.
Hint: NACLs don’t track connection state like security groups do.
Question 20
Which components are required to implement AWS PrivateLink?
Explanation: AWS PrivateLink requires three main components: (1) VPC Interface Endpoint (ENI in consumer VPC), (2) VPC Endpoint Service (provider configuration), and (3) Network Load Balancer (fronts the provider’s service). Internet Gateway and NAT Gateway are not needed as PrivateLink uses AWS’s private network.
Hint: PrivateLink is about private connectivity, not internet-facing components.
Question 21
What is the maximum number of VPC peering connections needed for a full mesh topology with 5 VPCs?
Explanation: For a full mesh topology, the formula is N*(N-1)/2. With 5 VPCs: 5*(5-1)/2 = 5*4/2 = 10 peering connections. This demonstrates why VPC Peering becomes complex at scale and why Transit Gateway is recommended for many VPCs.
Hint: Use the formula N*(N-1)/2 where N is the number of VPCs.
Question 22
Arrange these networking components from least granular (broadest scope) to most granular (narrowest scope):
Items to arrange (broadest to narrowest scope):
- VPC
- Security Group
- Subnet
- ENI
Explanation: The hierarchy from broadest to narrowest: VPC spans an entire region and multiple AZs → Subnet exists in a single AZ → Security Group applies to instances → ENI is the actual network interface attached to an instance.
Question 23
A subnet can span multiple Availability Zones for high availability.
Explanation: Subnets are AZ-specific and cannot span multiple AZs. Each subnet exists in exactly one Availability Zone. To achieve high availability, you must create subnets in multiple AZs and distribute resources across them.
Hint: Think about the AZ binding of subnets.
Question 24
Which VPC Flow Logs analysis would help identify potential port scanning activity?
Explanation: Port scanning is detected by observing a single source IP attempting connections to many different destination ports. The query filters for a suspicious source IP and counts distinct destination ports, revealing scanning patterns where one host probes many ports.
Hint: Port scanning involves one source trying many different ports.
Question 25
Explain the concept of Security Group chaining and its benefits.
Model answer: Security Group Chaining is when a Security Group rule references another Security Group as its source or destination instead of a CIDR block, enabling identity-based access control between workloads.
Example:
- Web tier SG: Outbound to sg-app on port 8080
- App tier SG: Inbound from sg-web on port 8080, Outbound to sg-db on port 3306
- DB tier SG: Inbound from sg-app on port 3306
Benefits:
- Dynamic: Rules automatically apply to all instances with referenced SG
- Maintainable: No need to update IP addresses when instances change
- Secure: Enforces tier-based access control
- Scalable: Works regardless of instance count in each tier
- Clear: Documents architectural relationships
Question 26
Complete the Security Group rule to allow HTTPS traffic from anywhere:
Fill in the source CIDR block for ‘anywhere’:
Type     Protocol   Port   Source
--------------------------------------
HTTPS    TCP        443    _____
Explanation: 0.0.0.0/0 represents all IPv4 addresses (anywhere on the internet). For public web servers, this is the appropriate source for HTTP (80) and HTTPS (443) traffic. For SSH/RDP, you should restrict to specific IP ranges.
Question 27
What are the key differences between Security Groups and NACLs?
Explanation: All four differences are correct: (1) SGs are stateful (auto-allow return), NACLs are stateless, (2) SGs at instance level, NACLs at subnet level, (3) SGs only ALLOW rules, NACLs have both ALLOW/DENY, (4) SGs evaluate all rules, NACLs use first-match. NACLs are evaluated BEFORE Security Groups — traffic hits the subnet boundary (NACL) first, then reaches the instance (SG). Both security controls are applied but the order matters for troubleshooting.
Hint: Focus on statefulness, scope, rule types, and evaluation logic.
Question 28
In a three-tier architecture, which subnets should the database tier be placed in?
Explanation: Database tiers should always be in private subnets to prevent direct internet access. Restricting access via Security Group rules is necessary but not sufficient — placing databases in public subnets exposes them to the internet even if the SG is locked down. Private subnets provide defense in depth by ensuring there is no route from the internet to the database, regardless of Security Group configuration.
Hint: Think about security best practices for sensitive data — SG restrictions alone are not sufficient.
Question 29
An Internet Gateway has bandwidth constraints that may limit high-traffic applications.
Explanation: Internet Gateways are horizontally scaled and redundant by AWS with no bandwidth constraints or availability risk. They automatically scale to handle your traffic without any configuration or capacity planning on your part.
Hint: Consider AWS-managed service characteristics.
Question 30
How many IP addresses are available for use in a /24 subnet after AWS reserves its required addresses?
Explanation: A /24 subnet has 256 total IP addresses. AWS reserves 5 addresses (.0 network, .1 router, .2 DNS, .3 future, .255 broadcast), leaving 256 - 5 = 251 usable addresses.
Hint: Start with 256 IPs in a /24, subtract AWS’s 5 reserved addresses.
Question 31
What happens when a NAT Gateway in AZ-A fails and private subnet instances in AZ-A need internet access?
Explanation: NAT Gateways are highly available within an AZ but do not automatically fail over across AZs. If the NAT Gateway in AZ-A fails, instances in that AZ lose internet access. This is why the best practice is to create separate NAT Gateways in each AZ with AZ-specific route tables.
Hint: NAT Gateways provide HA within an AZ, not across AZs.
Question 32
What type of public IP address must be allocated and associated with a NAT Gateway at creation time?
Explanation: A NAT Gateway requires an Elastic IP (EIP) at creation time — this becomes its fixed public IP for all outbound traffic from the private subnet. Unlike auto-assigned public IPs that change when an instance restarts, an EIP is static and stays allocated to your account until you release it. You must pre-allocate the EIP before creating the NAT Gateway; you cannot attach one after the fact.
Hint: This AWS-managed static public IP persists until explicitly released from your account.
Question 33
A newly created custom NACL denies all inbound and outbound traffic until explicit rules are added.
Explanation: A new custom NACL starts with only the default deny-all rule (*) — all traffic is blocked until you add explicit ALLOW rules. This is the opposite of the default NACL (auto-created with the VPC), which includes a rule 100 ALLOW-all entry and permits all traffic. Confusing these two is a common operational mistake: associating a brand-new custom NACL with a subnet immediately cuts off all connectivity to instances in that subnet.
Hint: The ‘default NACL’ (VPC-created) and ‘a new custom NACL’ (user-created) have different initial configurations.
Question 34
You can create a VPC Peering connection between two VPCs that have overlapping CIDR blocks.
Explanation: VPC Peering requires non-overlapping CIDR blocks between the peered VPCs. AWS routes traffic based on destination IP, which is impossible to do unambiguously if two peered VPCs share the same IP range. This constraint applies to the entire VPC CIDR — even if you only intend to route between specific non-overlapping subnets. Plan your VPC IP address space carefully upfront, because CIDR conflicts block peering entirely.
Hint: AWS needs to distinguish traffic by destination IP — what happens if two VPCs share the same IP range?
Question 35
Which statements are true about the AWS default VPC?
Explanation: The default VPC uses 172.31.0.0/16, comes with an IGW pre-attached, has a public subnet in each AZ, and is auto-created per Region per account. Two common wrong assumptions: (1) the default NACL actually starts with ALLOW-all rules (unlike a new custom NACL which starts deny-all); (2) the default Security Group allows inbound only from instances sharing the same SG — not from any IP. The default VPC is convenient for testing, but custom VPCs are recommended for production.
Hint: Focus on what AWS pre-configures versus what must be set up manually, and watch for the NACL and Security Group default behaviors.
Question 36
An EC2 instance sends a packet destined for 10.0.1.50. Which route is selected?
Route Table:
Destination       Target
---------------------------------
10.0.0.0/16       local
10.0.1.0/24       tgw-0abc123456
0.0.0.0/0         igw-0def789012
Explanation: AWS route tables use longest prefix match: the most specific (narrowest) route wins. The destination 10.0.1.50 matches both 10.0.0.0/16 (/16, broader) and 10.0.1.0/24 (/24, more specific). Because /24 is a narrower match, 10.0.1.0/24 → tgw-0abc123456 is selected over the local route. This is why you can override the default local route for specific subnets by adding a more specific route — specificity always beats rule order.
Hint: Which CIDR prefix is the narrowest (most specific) match for the destination IP?
Question 37
A VPC Peering connection between VPC-A (10.0.0.0/16) and VPC-B (10.1.0.0/16) shows status Active. EC2 instances in VPC-A still cannot reach VPC-B. What is the most likely cause?
Explanation: An Active peering status means the connection is established — but traffic will not flow until both VPCs have explicit route table entries pointing to the peering connection. VPC-A’s route table needs 10.1.0.0/16 → pcx-xxxxx and VPC-B’s needs 10.0.0.0/16 → pcx-xxxxx. Forgetting to add these routes on one or both sides is the most common cause of ‘Active but broken’ peering. Security Groups can reference SGs from peered VPCs (same region). VPC Peering and Transit Gateway are alternative solutions — peering does not require TGW.
Hint: An active peering connection establishes the link, but something else must tell each VPC where to send packets.
Question 38
Which statement correctly describes the key architectural difference between a Gateway Endpoint and an Interface Endpoint?
Explanation: Gateway Endpoints (only S3 and DynamoDB) work by inserting a route into your route table using a managed prefix list (pl-xxxxx → vpce-gateway) — no ENI is created, no security group is needed, and there are no hourly charges. Interface Endpoints create an actual ENI in your subnet with a private IP, require a security group, incur hourly per-AZ charges, and support most AWS services plus third-party SaaS via PrivateLink. A common trap: trying to attach a security group to a Gateway Endpoint fails because no ENI exists — use S3 bucket policies or DynamoDB resource policies for access control instead.
Hint: One type changes your routing table; the other puts a network interface directly in your subnet.