DevOps Interview Questions: How will you design your cloud VPC and subnets?

In this article, we are going to look into this question. The intent of this question is to find out if you are aware of how you can design your network infra. They want to hear from you about private traffic, public traffic, how the traffic will go out, etc.

Let’s start and have a look at the below diagram.

DevOps Interview Questions: How will you design your cloud VPC and subnets?
DevOps Interview Questions: How will you design your cloud VPC and subnets?

Here we have a VPC and we have divided the VPC into majorly two types of subnets, public and private subnets. How to understand this diagram.

RED LINES are outbound traffic, GREEN are internal, and YELLOW in inbound traffic.

In private subnets, we will keep all the application servers, databases, and tooling, Keep in mind you never need to put any of such servers in public subnets. Since public subnets expose the server directly to the world. Of course, you can have the mechanism to save your servers from public traffic but you never know a wrong security patch will expose your servers to a lot of problems.

In a public subnet, you need to have all your public load balancer, proxy boxes which you will use to access your internal tools if you don't wanna put a load balancer in front of all of them. The recommendation is to always use load balancers and then a proper authentication method like google auth. There is also a nat box present in the public subnet, you must be thinking why you need a nat box.

Here is a scenario for NAT box, say you have integrated with a payment system. You need to make API calls to these payments system. Now, these systems generally want to know where your calls will come from so that they can verify that if are coming from your network. With help of the NAT box, you can make sure your IPs are whitelist and all the traffic goes through that NAT box. Read more about NAT below.

So in short, all outbound traffic should go through NAT boxes, all inbound traffic should come from the public load balancers. Never expose or put any apps in public subnets. Database and application connectivity should be private.

You can further divide these types of subnets like below.

For apps subnet, you can have multiple subnets: apps-subnet1a, apps-subnet1b, apps-subnet2a, appssubent2b, and so on. These subnets can also be named after the types of apps you will deploy in those subnets.

Database subnets can be divided into sql-subnet and nosql-subnet.

These are all suggestions on how you can divide and use the subnets. For everyone, these suggestions can change and you can plan your infra based on that.

The next topic comes how you should divide your CIDR for these subnets and use them. We will cover this topic in the next article.

If you like the article please share and subscribe to stay updated on the new posts. You can turn on the notification so that you can get an update as soon as a new article is published.

Follow the below tag for more interview questions

Gaurav Yadav

Gaurav is cloud infrastructure engineer and a full stack web developer and blogger. Sportsperson by heart and loves football. Scale is something he loves to work for and always keen to learn new tech. Experienced with CI/CD, distributed cloud infrastructure, build systems and lot of SRE Stuff.

  • Pankaj

    Nice explanation

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.