VPC & Networking Fundamentals

By Pritesh Yadav

A VPC (Virtual Private Cloud) is your own private network inside AWS, split into subnets across Availability Zones. The hardest part of this topic on the CLF-C02 exam is keeping look-alike pieces straight: which gateway gives internet access, which firewall is stateful, and which connection option is private versus over the public internet. This set drills the exact pairs that get confused under exam pressure.

Most confused here: Internet Gateway = inbound + outbound internet for public subnets; NAT Gateway = outbound-only for private subnets. Security groups = stateful (instance-level); network ACLs = stateless (subnet-level). VPC peering = 1-to-1; Transit Gateway = hub-and-spoke at scale. Gateway endpoint = S3/DynamoDB only; Interface endpoint (PrivateLink) = most other services.

Q1 A private subnet holds application servers that must download OS security patches from the internet but must never be reachable directly from the internet. Which component makes this possible?

  A. An Internet Gateway attached to the VPC
  B. A NAT Gateway in a public subnet
  C. A VPC peering connection to a public VPC
  D. An Interface VPC endpoint
Answer: B
Why B is correct: A NAT (Network Address Translation) Gateway lets instances in a private subnet start outbound connections to the internet (for patches, updates) while blocking anyone on the internet from starting a connection back in. It sits in a public subnet and forwards the traffic out through the Internet Gateway.
Why the other options are wrong:
  • A — An Internet Gateway alone makes a subnet fully public (inbound and outbound), which violates the "never reachable from the internet" requirement.
  • C — VPC peering connects two VPCs privately; it does not provide internet access at all.
  • D — An Interface endpoint gives private access to specific AWS services, not general internet access for patch downloads.
Common trap: Candidates pick the Internet Gateway because it touches the internet, missing that "outbound-only" is the exact job of a NAT Gateway.

Q2 A security team wants a firewall layer that automatically allows return traffic for any connection that was permitted outbound, without writing a matching inbound rule. Which AWS feature behaves this way?

  A. Network ACL, because it is stateless
  B. Route table entries
  C. Security group, because it is stateful
  D. A NAT Gateway access list
Answer: C
Why C is correct: A security group is stateful, meaning it remembers connections it allowed. If outbound traffic is permitted, the response traffic is automatically allowed back in without a separate inbound rule. This is the defining behavior of a stateful firewall.
Why the other options are wrong:
  • A — A network ACL is stateless, so it does NOT remember connections; you must explicitly allow both directions.
  • B — Route tables decide where traffic goes, not whether it is allowed; they are not a firewall.
  • D — A NAT Gateway is not a configurable access list; it does address translation, not rule-based filtering.
Common trap: "Stateful" and "stateless" are swapped in memory. Remember: Security group = Stateful (both start with S and "remember").

Q3 A company needs a dedicated, consistent, high-bandwidth, low-latency connection from its on-premises data center to AWS that does not travel over the public internet. Which option fits best?

  A. AWS Direct Connect
  B. AWS Site-to-Site VPN
  C. VPC peering
  D. An Internet Gateway with a static route
Answer: A
Why A is correct: AWS Direct Connect provides a dedicated physical/private network link between on-premises and AWS. Because it bypasses the public internet, it delivers more consistent latency and bandwidth, which is exactly what the scenario asks for.
Why the other options are wrong:
  • B — A Site-to-Site VPN is encrypted but still travels over the public internet, so latency and bandwidth are less consistent.
  • C — VPC peering connects two AWS VPCs, not on-premises to AWS.
  • D — An Internet Gateway provides public internet access, not a private dedicated link.
Common trap: Both Direct Connect and VPN connect on-prem to AWS, so candidates guess. The keyword "does not travel over the public internet" = Direct Connect.

Q4 A startup needs to connect its data center to AWS quickly and cheaply, accepts encryption over the public internet, and does not require guaranteed bandwidth. Which option is the best match?

  A. AWS Direct Connect
  B. A Transit Gateway
  C. An Interface VPC endpoint
  D. AWS Site-to-Site VPN
Answer: D
Why D is correct: A Site-to-Site VPN creates an encrypted tunnel between on-premises and AWS over the existing public internet. It can be set up in minutes and is inexpensive, which fits a startup that does not need dedicated bandwidth.
Why the other options are wrong:
  • A — Direct Connect requires provisioning a physical circuit, which is slower to set up and more expensive — the opposite of "quick and cheap."
  • B — A Transit Gateway is a hub that connects many VPCs/VPNs together; it is not itself the connection to the data center.
  • C — An Interface endpoint provides private access to AWS services inside a VPC, not a data-center-to-AWS link.
Common trap: "Encrypted" makes people think Direct Connect is more secure, but the speed-and-cost-now clue points to VPN.

Q5 An organization currently uses a Site-to-Site VPN but wants the most reliable connection with the lowest jitter for a latency-sensitive financial application, while keeping the VPN as an encrypted backup. What should they add as the primary path?

  A. A second Site-to-Site VPN tunnel
  B. AWS Direct Connect
  C. A NAT Gateway in each Availability Zone
  D. A Gateway VPC endpoint
Answer: B
Why B is correct: Direct Connect is the recommended primary path when consistent, low-jitter performance matters, because it is a private dedicated line. A common pattern is Direct Connect as primary with a VPN as the cheaper encrypted failover.
Why the other options are wrong:
  • A — A second VPN tunnel still runs over the unpredictable public internet, so jitter does not improve meaningfully.
  • C — NAT Gateways handle outbound internet for private subnets; they have nothing to do with on-prem connectivity quality.
  • D — A Gateway endpoint gives private access to S3/DynamoDB, unrelated to data-center connectivity.
Common trap: The exam loves the "Direct Connect primary + VPN backup" design. Adding more VPNs does not fix internet-caused jitter.

Q6 An EC2 instance in a private subnet needs to read and write objects in Amazon S3 without any traffic leaving the AWS network or using a NAT Gateway. Which is the most cost-effective solution?

  A. A Gateway VPC endpoint for S3
  B. An Interface VPC endpoint for S3
  C. A NAT Gateway plus an Internet Gateway
  D. A VPC peering connection to the S3 service
Answer: A
Why A is correct: A Gateway VPC endpoint provides private connectivity to S3 (and DynamoDB) by adding a route in the route table. It keeps traffic on the AWS network, avoids a NAT Gateway, and has no hourly or data-processing charges — the most cost-effective choice for S3.
Why the other options are wrong:
  • B — An Interface endpoint also works for S3 but uses PrivateLink with per-hour and per-GB charges, so it is not the most cost-effective when a free Gateway endpoint exists.
  • C — A NAT Gateway routes traffic out to the internet and incurs charges — the scenario explicitly wants to avoid it.
  • D — VPC peering connects two VPCs; you cannot peer with the S3 service.
Common trap: Only S3 and DynamoDB use Gateway endpoints (free). Everything else uses Interface endpoints (PrivateLink, paid). For S3, Gateway is the cheaper default.

Q7 A team needs private connectivity from their VPC to Amazon CloudWatch and AWS Systems Manager so management traffic never touches the public internet. Which type of VPC endpoint supports these services?

  A. A Gateway VPC endpoint
  B. An Internet Gateway in a private subnet
  C. An Interface VPC endpoint (powered by AWS PrivateLink)
  D. A NAT Gateway with a private route
Answer: C
Why C is correct: Most AWS services (CloudWatch, Systems Manager, SNS, SQS, and many more) are reached privately through Interface VPC endpoints, which use AWS PrivateLink to place a private network interface in your subnet. Traffic stays on the AWS network.
Why the other options are wrong:
  • A — Gateway endpoints only support S3 and DynamoDB, not CloudWatch or Systems Manager.
  • B — An Internet Gateway sends traffic to the public internet, which is exactly what must be avoided.
  • D — A NAT Gateway routes outbound traffic over the internet; it does not keep traffic private to AWS.
Common trap: Remembering the short Gateway-endpoint list (S3, DynamoDB) is the key. If the service is NOT one of those two, the answer is an Interface endpoint.

Q8 A company has 15 VPCs that all need to communicate with each other and with an on-premises network. Managing a mesh of individual VPC peering connections has become unmanageable. What should they use?

  A. Add more VPC peering connections in a full mesh
  B. A NAT Gateway shared across all VPCs
  C. An Internet Gateway in each VPC
  D. AWS Transit Gateway
Answer: D
Why D is correct: AWS Transit Gateway acts as a central hub that connects many VPCs and on-premises networks through a single point, replacing a tangled mesh of peering links. It scales cleanly as the number of VPCs grows.
Why the other options are wrong:
  • A — VPC peering is one-to-one and non-transitive, so 15 VPCs would need many connections — the very problem being solved.
  • B — A NAT Gateway provides outbound internet access, not VPC-to-VPC connectivity.
  • C — Internet Gateways give public internet access; they do not interconnect VPCs privately.
Common trap: VPC peering is "not transitive" — traffic cannot hop through one VPC to reach another. At scale, Transit Gateway is the hub-and-spoke answer.

Q9 Two VPCs need to exchange private traffic directly with each other, and no other VPCs are involved. The team wants the simplest, lowest-cost connection. What should they choose?

  A. AWS Transit Gateway
  B. VPC peering
  C. A Site-to-Site VPN between the VPCs
  D. An Interface VPC endpoint in each VPC
Answer: B
Why B is correct: VPC peering creates a direct private connection between exactly two VPCs with no extra hub charges. For a simple one-to-one link, it is the cheapest and simplest option.
Why the other options are wrong:
  • A — Transit Gateway adds an hourly hub charge and is overkill for just two VPCs.
  • C — A Site-to-Site VPN is meant for on-premises connectivity, not for linking two VPCs privately.
  • D — Interface endpoints provide access to AWS services, not general VPC-to-VPC connectivity.
Common trap: Transit Gateway is the right answer at scale, but for exactly two VPCs the simpler/cheaper peering wins. Read for the number of VPCs.

Q10 What single configuration decision determines whether a subnet is considered "public" or "private" in a VPC?

  A. Whether the subnet's route table has a route to an Internet Gateway
  B. Whether the subnet uses IPv4 or IPv6 addresses
  C. Whether a security group allows port 80
  D. Whether the subnet is in more than one Availability Zone
Answer: A
Why A is correct: A subnet is "public" only when its route table sends internet-bound traffic to an Internet Gateway. Without that route, the subnet is private. The route table is what defines public versus private connectivity.
Why the other options are wrong:
  • B — IPv4 versus IPv6 does not make a subnet public or private; routing does.
  • C — Security group rules control allowed traffic but do not provide a path to the internet.
  • D — A subnet always lives in exactly one Availability Zone; this has nothing to do with public/private status.
Common trap: People assume a public IP or an open security group makes a subnet public. The real switch is the route table's path to the Internet Gateway.

Q11 A security engineer must block a specific malicious IP range from reaching an entire subnet, using an explicit DENY rule. Which AWS control supports an explicit deny at the subnet level?

  A. A security group with a deny rule
  B. A route table blackhole entry
  C. A network ACL
  D. An Interface VPC endpoint policy
Answer: C
Why C is correct: A network ACL (Access Control List) operates at the subnet boundary and supports explicit allow AND deny rules. This makes it the right tool for blocking a known bad IP range across a whole subnet.
Why the other options are wrong:
  • A — Security groups only support allow rules; there is no deny rule in a security group.
  • B — A blackhole route can drop traffic to a destination but is not a clean per-source IP deny mechanism for inbound subnet filtering.
  • D — Endpoint policies control access to a specific service, not subnet-wide IP blocking.
Common trap: Security groups cannot DENY — only allow. When the question says "explicit deny" or "block an IP," it points to a network ACL.

Q12 Within a VPC, what is the primary job of a route table?

  A. To encrypt traffic between subnets
  B. To filter packets based on stateful rules
  C. To assign public IP addresses to instances
  D. To decide where network traffic from a subnet is directed
Answer: D
Why D is correct: A route table is a set of rules (routes) that determines where traffic leaving a subnet should go — for example, to an Internet Gateway, a NAT Gateway, a peering connection, or stay local within the VPC. It controls direction, not permission.
Why the other options are wrong:
  • A — Route tables do not encrypt traffic; that is handled by other services like VPN.
  • B — Filtering packets with stateful rules is the job of a security group, not a route table.
  • C — Public IP assignment is a subnet/instance setting, not a route table function.
Common trap: Route tables direct traffic; security groups and network ACLs filter it. Mixing "where it goes" with "whether it is allowed" is the classic confusion.

Q13 A web server should accept HTTPS from anyone, and a database server should accept connections only from that specific web server, identified directly rather than by IP. Which design best fits security group capabilities?

  A. Use network ACLs referencing each other
  B. Reference the web server's security group as the source in the database's security group
  C. Place both servers in the same subnet and rely on the route table
  D. Use a NAT Gateway to filter database traffic
Answer: B
Why B is correct: Security groups can reference another security group as the source. The database's security group can allow traffic only from instances in the web server's security group, which is cleaner than tracking changing IP addresses.
Why the other options are wrong:
  • A — Network ACLs work on IP ranges and subnets; they cannot reference security groups.
  • C — Putting both in one subnet with a shared route table does not restrict the database to only the web server.
  • D — A NAT Gateway provides outbound internet access; it is not a filtering layer between two instances.
Common trap: Only security groups can reference other security groups. Network ACLs are limited to IP ranges, so the "reference by group" clue rules them out.

Q14 Which statement correctly describes the scope at which security groups and network ACLs operate?

  A. Security groups operate at the instance level; network ACLs operate at the subnet level
  B. Both operate only at the subnet level
  C. Security groups operate at the subnet level; network ACLs operate at the instance level
  D. Both operate at the VPC level and apply to all subnets automatically
Answer: A
Why A is correct: A security group attaches to an instance's network interface and filters traffic at the instance level. A network ACL attaches to a subnet and filters traffic crossing the subnet boundary. These are two different layers of defense.
Why the other options are wrong:
  • B — Security groups are not subnet-level; they attach to instances.
  • C — The scopes are reversed here — this swaps the two controls.
  • D — Neither applies VPC-wide automatically; each must be associated with instances or subnets.
Common trap: The instance-vs-subnet scope gets reversed. Anchor it: Security group hugs the instance; network ACL guards the subnet door.

Q15 A solutions team mistakenly believes a single subnet can span two Availability Zones for high availability. Which statement correctly describes how subnets relate to Availability Zones?

  A. A subnet can span all AZs in a Region
  B. A subnet spans two AZs by default
  C. Each subnet lives in exactly one Availability Zone
  D. Subnets exist only at the Region level, not the AZ level
Answer: C
Why C is correct: Each subnet resides in exactly one Availability Zone. To build high availability, you create multiple subnets in different AZs and spread resources across them. A subnet itself never spans AZs.
Why the other options are wrong:
  • A — No subnet can span multiple AZs; the VPC spans the Region, but each subnet is tied to one AZ.
  • B — Subnets never span two AZs, by default or otherwise.
  • D — Subnets are AZ-scoped, while the VPC is Region-scoped — this option inverts that.
Common trap: A VPC spans a Region, so people assume subnets span AZs too. Remember: VPC = Region-wide; subnet = single AZ.

Q16 A network ACL was configured to allow inbound traffic on port 443 but the application still fails to respond. Outbound rules were left at "deny all." Why does the traffic break, and what is the underlying reason?

  A. Network ACLs are stateful, so this should work automatically
  B. Security groups override network ACLs
  C. The route table is missing an Internet Gateway route
  D. Network ACLs are stateless, so return traffic also needs an explicit outbound allow rule
Answer: D
Why D is correct: Network ACLs are stateless, meaning they do not remember connections. Even if inbound is allowed, the response (return) traffic is evaluated separately and needs an explicit outbound allow rule. With outbound set to deny all, replies are blocked.
Why the other options are wrong:
  • A — Network ACLs are stateless, not stateful, so it does not "just work."
  • B — Security groups and network ACLs both apply independently; one does not override the other.
  • C — A missing internet route is a different problem; here the symptom is specifically the deny-all outbound rule on a stateless ACL.
Common trap: Forgetting that stateless = both directions must be allowed. Security groups would auto-allow the return; network ACLs will not.

Q17 A company wants to privately expose its own application, running in its VPC, to a partner's VPC as a service — without using VPC peering or exposing it to the internet. Which AWS technology is designed for this?

  A. An Internet Gateway with restricted security groups
  B. AWS PrivateLink (via an endpoint service)
  C. A Gateway VPC endpoint
  D. A Site-to-Site VPN between the two VPCs
Answer: B
Why B is correct: AWS PrivateLink lets you publish your own application as an endpoint service that other VPCs can connect to privately through an Interface endpoint, without peering and without internet exposure. It is the AWS way to privately share a service.
Why the other options are wrong:
  • A — An Internet Gateway exposes traffic to the public internet, the opposite of the requirement.
  • C — Gateway endpoints only work for S3 and DynamoDB, not for sharing a custom application.
  • D — A Site-to-Site VPN is built for on-premises connectivity, not for privately publishing a VPC-hosted service.
Common trap: Candidates default to VPC peering for VPC-to-VPC, but "expose my app as a private service" is the signature use case for PrivateLink.

Q18 Which statement about an Internet Gateway is correct for the CLF-C02 exam?

  A. It allows resources in a public subnet to send and receive internet traffic
  B. It only allows outbound traffic and blocks all inbound traffic
  C. It must be deployed separately in each Availability Zone
  D. It is required for VPC-to-VPC peering connections
Answer: A
Why A is correct: An Internet Gateway is a horizontally scaled, highly available VPC component that enables two-way internet communication for resources in public subnets (those with a route to it). It handles both inbound and outbound internet traffic.
Why the other options are wrong:
  • B — Outbound-only is the behavior of a NAT Gateway, not an Internet Gateway.
  • C — An Internet Gateway is a single VPC-wide, redundant component; you do not deploy one per AZ.
  • D — VPC peering connects VPCs privately and does not use an Internet Gateway.
Common trap: Swapping Internet Gateway (two-way) with NAT Gateway (outbound-only). The Internet Gateway is the front door for both directions.

Q19 A finance team wants outbound internet access for private instances to be highly available and managed by AWS, with no servers to patch or scale. Which option meets this need?

  A. A self-managed NAT instance on EC2
  B. An Internet Gateway attached to the private subnet
  C. A NAT Gateway, a managed AWS service
  D. A Gateway VPC endpoint for internet access
Answer: C
Why C is correct: A NAT Gateway is a fully managed, highly available AWS service that provides outbound internet access for private subnets. AWS handles its scaling and availability, so there are no servers for the team to patch.
Why the other options are wrong:
  • A — A NAT instance is a regular EC2 instance you must patch, scale, and make highly available yourself — the opposite of managed.
  • B — Attaching an Internet Gateway to a private subnet would make it public, breaking the "private instances" requirement.
  • D — Gateway endpoints provide private access to S3/DynamoDB, not general internet access.
Common trap: NAT Gateway (managed by AWS) versus NAT instance (you manage the EC2). When the clue is "no servers to patch," choose the NAT Gateway.

Q20 A company asks whether a single VPC peering connection between VPC-A and VPC-B will also let VPC-A reach VPC-C, which is peered to VPC-B. What is the correct answer and reason?

  A. Yes, peering is transitive by default
  B. Yes, but only if a NAT Gateway is added
  C. Yes, if both peering connections share a route table
  D. No, because VPC peering is not transitive
Answer: D
Why D is correct: VPC peering is not transitive. A peering between A and B and another between B and C does not allow A to reach C through B. Each pair that must communicate needs its own direct connection — or you move to a Transit Gateway hub.
Why the other options are wrong:
  • A — Peering is explicitly non-transitive, so traffic cannot hop through a middle VPC.
  • B — A NAT Gateway provides outbound internet access and does nothing to enable transitive peering.
  • C — Sharing route tables does not change the fundamental non-transitive nature of peering.
Common trap: "Non-transitive" is a favorite exam fact. When many VPCs must interconnect, the right answer is Transit Gateway, not chained peering.

Q21 An Interface VPC endpoint and a Gateway VPC endpoint both provide private connectivity, but they differ. Which statement correctly captures a key difference?

  A. Gateway endpoints use elastic network interfaces; Interface endpoints use route table entries
  B. Gateway endpoints work only for S3 and DynamoDB and use route table entries; Interface endpoints use a private network interface and support many services
  C. Both endpoint types support every AWS service equally
  D. Interface endpoints are free, while Gateway endpoints always charge per hour
Answer: B
Why B is correct: Gateway endpoints support only S3 and DynamoDB and work by adding entries to your route table. Interface endpoints (AWS PrivateLink) place a private network interface in your subnet and support a broad range of AWS services. This is the core distinction tested on the exam.
Why the other options are wrong:
  • A — This reverses the mechanisms: Gateway uses route tables, Interface uses a network interface.
  • C — They do not support the same services; Gateway is limited to two services.
  • D — It is the reverse on cost — Gateway endpoints are free, while Interface endpoints carry hourly and data charges.
Common trap: Mixing up which uses route tables versus a network interface, and which is free. Gateway = route table + free + S3/DynamoDB only.

Q22 A media company needs to transfer very large datasets to AWS every day and is frustrated by inconsistent speeds and high data-transfer-out costs over its current internet VPN. Which option most directly addresses both consistent throughput and reduced data transfer cost?

  A. AWS Direct Connect
  B. A larger NAT Gateway
  C. Additional Interface VPC endpoints
  D. More VPC peering connections
Answer: A
Why A is correct: Direct Connect gives a dedicated private link with consistent, high throughput and often lower data-transfer pricing than internet-based transfer. For large daily dataset uploads, it solves both the speed-consistency and cost concerns the scenario raises.
Why the other options are wrong:
  • B — A NAT Gateway only handles outbound internet for private subnets and would add cost, not reduce transfer cost.
  • C — Interface endpoints provide private access to AWS services within a VPC, not a faster on-premises-to-AWS pipe.
  • D — VPC peering connects VPCs and has nothing to do with on-premises bulk data transfer.
Common trap: When a question stresses BOTH consistent large-scale throughput AND lower transfer cost from on-premises, Direct Connect is the intended answer over an internet VPN.