Module 03 · Multi-Cloud Security Curriculum
Network Security in Multi-Cloud
Master VPC architecture, security groups, private endpoints, hybrid connectivity, WAF, and DDoS protection across AWS, Azure, and GCP.
20
Interview Q&As
25
MCQ Questions
4
Simulations
8
Hours Content
Topics Covered
| Topic | Key Services |
|---|---|
| VPC / VNet / VPC-SC Architecture | AWS VPC, Azure VNet, GCP VPC |
| Subnets, Routing, Gateways | Internet GW, NAT GW, Route Tables |
| Firewall Controls | Security Groups, NSGs, GCP Firewall Rules |
| Private Endpoints & Service Endpoints | AWS PrivateLink, Azure Private Endpoint |
| Hybrid & Multi-Cloud Connectivity | VPN, ExpressRoute, Direct Connect |
| DDoS & WAF | AWS Shield, Azure DDoS, GCP Cloud Armor |
| Network Monitoring | VPC Flow Logs, Network Watcher |
| Zero Trust Network Access (ZTNA) | SASE, micro-segmentation |
💡 Interview Focus: Interviewers love comparing AWS vs Azure vs GCP networking. Know Security Groups vs NSGs cold, understand VPC peering limitations, and be able to design a secure hybrid network architecture.
Core Concepts · ~20 min reading
Network Security Fundamentals
Virtual Private Cloud (VPC) Architecture
A VPC is a logically isolated section of the cloud provider's network. You define your own IP address space (CIDR), subnets, route tables, and gateways.
| Feature | AWS VPC | Azure VNet | GCP VPC |
|---|---|---|---|
| Scope | Regional | Regional | Global (subnets are regional) |
| Subnets | AZ-scoped | Regional | Regional |
| Default network | Default VPC | None (must create) | Default VPC |
| Peering | VPC Peering | VNet Peering | VPC Peering |
🔑 Key: GCP VPCs are global — one VPC can span all regions, unlike AWS/Azure which are regional. This simplifies multi-region architectures but requires careful firewall rule scoping.
Firewall Controls Comparison
| Feature | AWS Security Groups | Azure NSGs | GCP Firewall Rules |
|---|---|---|---|
| Scope | Instance (ENI) level | Subnet or NIC level | VPC-wide (tag/SA based) |
| Statefulness | Stateful | Stateful | Stateful |
| Default behavior | Deny all inbound, allow all outbound | Deny all inbound, allow all outbound (default rules) | Deny all ingress, allow all egress |
| Rule types | Allow only | Allow + Deny (priority-based) | Allow + Deny (priority-based) |
| Targeting | SG ID references | IP, service tag, ASG | Network tags, service accounts |
Routing & Gateways
| Component | Purpose | Notes |
|---|---|---|
| Internet Gateway (IGW) | Allows public subnet resources to reach internet | AWS; requires public IP on instance |
| NAT Gateway | Allows private subnet outbound internet (no inbound) | Managed, high availability; charged per GB |
| Route Table | Determines where subnet traffic goes | Each subnet associated with one route table |
| VPC Peering | Private connectivity between two VPCs | No transitive routing; doesn't scale to many VPCs |
| Transit Gateway (AWS) | Hub-and-spoke: connect many VPCs + on-prem | Transitive routing supported; scalable |
| Virtual WAN (Azure) | Azure equivalent of Transit Gateway | Global hub for VNets + on-prem |
Private Connectivity
- AWS PrivateLink: Expose a service (your own or AWS) via private IP inside a VPC. Traffic never traverses the internet. Enables SaaS providers to offer private endpoints to customers.
- Azure Private Endpoint: Gives a PaaS resource (e.g., Azure SQL, Key Vault, Storage) a private IP inside your VNet. Accessed over Microsoft backbone, not internet.
- Azure Service Endpoints: Route VNet traffic to Azure services over the Azure backbone but resource still has public IP — less secure than Private Endpoints.
- GCP Private Service Connect: Similar to AWS PrivateLink — private IP access to Google APIs or partner services.
Hybrid & Multi-Cloud Connectivity
| Option | AWS | Azure | GCP | Use Case |
|---|---|---|---|---|
| IPSec VPN | Site-to-Site VPN | VPN Gateway | Cloud VPN | Encrypted tunnel over internet; cost-effective |
| Dedicated Circuit | Direct Connect | ExpressRoute | Cloud Interconnect | Private, high-bandwidth, low-latency; no internet |
| SD-WAN | Multi-provider | Azure Virtual WAN | NCC | Software-defined, multi-cloud routing |
⚠️ VPN encrypts traffic but uses the public internet — latency and bandwidth can vary. ExpressRoute/Direct Connect are private but expensive. Choose based on SLA requirements and budget.
DDoS Protection & WAF
| Control | AWS | Azure | GCP |
|---|---|---|---|
| DDoS (Basic) | AWS Shield Standard (free) | Azure DDoS Basic (free) | Cloud Armor (basic) |
| DDoS (Advanced) | AWS Shield Advanced ($3,000/mo) | Azure DDoS Standard | Cloud Armor Enterprise |
| WAF | AWS WAF (rules, rate limiting) | Azure WAF (Front Door / App GW) | GCP Cloud Armor (WAF policies) |
Interview Q&A · 20 Questions
Interview Questions & Model Answers
Click any question to reveal the model answer.
1What is a VPC and how does it provide network isolation in the cloud?Easy▼
A VPC (Virtual Private Cloud) is a logically isolated virtual network within a cloud provider's infrastructure. It provides network isolation by:
- Defining a private IP address space (CIDR block) exclusively for your resources
- Using separate route tables to control traffic flow
- Applying security groups / NSGs as virtual firewalls at the instance or subnet level
- Preventing resources in different VPCs from communicating unless explicitly peered or connected
💡 AWS VPCs are regional; GCP VPCs are global (subnets are regional). This is a common interview trick question about GCP networking.
2What is the difference between a public and private subnet?Easy▼
- Public subnet: Has a route to an Internet Gateway (IGW). Resources can have public IPs and be reached from the internet. Used for: load balancers, bastion hosts, NAT gateways.
- Private subnet: No route to IGW. Resources have only private IPs. Can reach internet via NAT Gateway (outbound only). Used for: databases, application servers, internal services.
💡 Best practice: Put databases and app servers in private subnets. Only expose what must be public (load balancers, jump hosts) in public subnets.
3How do AWS Security Groups differ from Azure NSGs?Medium▼
| Feature | AWS Security Group | Azure NSG |
|---|---|---|
| Level | Instance (ENI) | Subnet or NIC |
| Rule types | Allow only | Allow + Deny |
| Priority | All rules evaluated, most permissive wins | Priority number (100–4096), lowest wins |
| Default | Deny all inbound, allow all outbound | Deny all inbound/outbound (default rules) |
| Referencing | Can reference other SG IDs | IP ranges, service tags, ASG names |
💡 Security Groups are "allow-only" — you cannot explicitly deny. NSGs support explicit deny rules with priority ordering, making them more granular.
4What is the difference between a NAT gateway and an internet gateway?Easy▼
- Internet Gateway (IGW): Allows bidirectional traffic between a VPC and the internet. Resources in public subnets with public IPs use IGW for both inbound and outbound traffic.
- NAT Gateway: Allows resources in private subnets to initiate outbound connections to the internet (e.g., software updates) while blocking unsolicited inbound traffic from the internet. Translates private IPs to the NAT's public IP.
💡 IGW = two-way door. NAT Gateway = one-way exit valve. Private subnets need NAT for internet egress but remain unreachable from outside.
5What is VPC peering and what are its limitations?Medium▼
VPC peering creates a private network connection between two VPCs (same or different accounts/regions) allowing them to communicate using private IPs.
Limitations:
Limitations:
- No transitive routing: If VPC-A peers with VPC-B and VPC-B peers with VPC-C, VPC-A cannot reach VPC-C through VPC-B
- CIDR overlap: Peered VPCs cannot have overlapping IP ranges
- Scaling: N*(N-1)/2 peering connections needed for full mesh — use Transit Gateway for many VPCs
- No bandwidth limits guarantee beyond the underlying network
💡 For more than 5-10 VPCs, Transit Gateway (AWS) or Virtual WAN (Azure) is preferred over mesh peering.
6What is AWS Transit Gateway and when would you use it?Medium▼
AWS Transit Gateway is a regional network transit hub that connects VPCs and on-premises networks through a central gateway. It supports transitive routing — VPCs connected to the TGW can communicate with each other without individual peering.
Use cases:
Use cases:
- Connecting dozens/hundreds of VPCs in a hub-and-spoke topology
- Centralized inspection (route all traffic through a security VPC with firewall)
- Connecting on-premises networks via VPN or Direct Connect to multiple VPCs
- Multi-region connectivity via TGW peering
💡 Cost: TGW charges per attachment and per GB. For <5 VPCs, standard peering may be cheaper. TGW shines at scale.
7What is a Private Endpoint in Azure and why is it used?Medium▼
An Azure Private Endpoint is a network interface with a private IP address from your VNet, connected to an Azure PaaS service (Storage, SQL, Key Vault, etc.) or a partner service.
Why use it:
Why use it:
- Traffic between your VNet and the service stays on the Microsoft backbone — never traverses the internet
- Eliminates public IP exposure for PaaS resources
- Enables data exfiltration protection (disable public access entirely)
- Works across peered VNets and on-premises via ExpressRoute
💡 Service Endpoints route traffic over the Azure backbone but the resource still has a public IP. Private Endpoints give the resource a truly private IP in your VNet — much stronger isolation.
8What is AWS PrivateLink?Medium▼
AWS PrivateLink allows you to access services (AWS services, your own services, or third-party services) privately from within your VPC using private IP addresses. It creates a VPC Endpoint that routes traffic via the AWS backbone without traversing the internet.
Types:
Types:
- Interface Endpoint: An ENI with private IP in your subnet — for most services (S3, ECR, KMS, Secrets Manager, etc.)
- Gateway Endpoint: Route table entry for S3 and DynamoDB (free)
💡 PrivateLink allows VPCs with overlapping CIDRs to connect (unlike peering) since traffic goes through endpoints, not direct routing.
9What is the difference between a VPN and ExpressRoute/Direct Connect?Medium▼
| Feature | Site-to-Site VPN | ExpressRoute / Direct Connect |
|---|---|---|
| Path | Public internet (encrypted) | Private dedicated circuit |
| Latency | Variable (internet) | Consistent, low latency |
| Bandwidth | Up to ~1.25 Gbps | 1–100 Gbps |
| SLA | Best-effort | Carrier-backed SLA |
| Cost | Low | High (circuit + port fees) |
| Setup time | Hours | Weeks–months |
💡 Banks, healthcare, and regulated industries typically require Direct Connect / ExpressRoute for compliance (data must not traverse the public internet). Startups use VPN to get started.
10How does AWS Shield protect against DDoS attacks?Easy▼
- AWS Shield Standard (free): Automatically protects all AWS customers against common network and transport layer DDoS attacks (SYN floods, UDP reflection). No configuration needed.
- AWS Shield Advanced ($3,000/mo + data transfer): Enhanced detection for complex DDoS attacks, near real-time visibility, DDoS cost protection (credits if attack causes scaling costs), access to AWS DDoS Response Team (DRT), application-layer (L7) protection via AWS WAF integration.
💡 Shield Advanced is worth it for revenue-critical applications where downtime costs exceed the monthly fee, or for organizations requiring SLA-backed DDoS protection.
11What is a Web Application Firewall (WAF) and how does it work?Easy▼
A WAF inspects HTTP/HTTPS traffic between users and web applications, filtering malicious requests based on rules before they reach the application.
Protection: SQL injection, XSS, CSRF, bad bots, rate limiting, geo-blocking, OWASP Top 10 attacks.
Cloud WAF options:
Protection: SQL injection, XSS, CSRF, bad bots, rate limiting, geo-blocking, OWASP Top 10 attacks.
Cloud WAF options:
- AWS WAF: rule groups, managed rules (OWASP, AWS managed), rate-based rules
- Azure WAF: integrated with Front Door and Application Gateway, OWASP rulesets
- GCP Cloud Armor: preconfigured WAF rules, adaptive protection (ML-based)
💡 WAF operates at Layer 7 (application). It doesn't protect against volumetric DDoS — combine WAF with Shield/DDoS Protection for full coverage.
12What are VPC Flow Logs and how are they used for security?Medium▼
VPC Flow Logs capture information about IP traffic going to and from network interfaces in a VPC. Fields: source/destination IP, source/destination port, protocol, bytes transferred, action (ACCEPT/REJECT), start/end time.
Security uses:
Security uses:
- Detect port scanning (many rejected connections from one IP)
- Identify unusual data volumes (potential exfiltration)
- Investigate security incidents (reconstruct network timeline)
- Detect communication to known malicious IPs
- Compliance and audit requirements
💡 Flow logs show WHAT communicated, not the content (payload). For deep packet inspection, you need a network IDS/IPS solution.
13What is ZTNA vs traditional VPN?Hard▼
| Feature | Traditional VPN | ZTNA |
|---|---|---|
| Trust model | Trust once connected to network | Never trust, always verify |
| Access | Full network access after login | Application-level access only |
| Verification | At connection time only | Continuous (device, user, context) |
| Lateral movement risk | High (attacker moves freely once in) | Low (isolated per-app access) |
| User experience | Often slow, hairpinning | Direct-to-app, faster |
💡 ZTNA is the foundation of SASE (Secure Access Service Edge). Major vendors: Zscaler ZPA, Cloudflare Access, Palo Alto Prisma Access.
14What is network micro-segmentation?Hard▼
Micro-segmentation divides a network into very small, isolated zones at the workload or application level (not just perimeter or VLAN), enforcing granular security policies between segments — including east-west (internal) traffic.
Why it matters: Traditional perimeter firewalls only protect north-south (in/out) traffic. Once an attacker is inside, they move freely. Micro-segmentation stops lateral movement by requiring explicit allow rules between every workload.
Implementation in cloud: Security Groups per service, Kubernetes NetworkPolicies, service mesh (Istio mTLS), NSGs per subnet.
Why it matters: Traditional perimeter firewalls only protect north-south (in/out) traffic. Once an attacker is inside, they move freely. Micro-segmentation stops lateral movement by requiring explicit allow rules between every workload.
Implementation in cloud: Security Groups per service, Kubernetes NetworkPolicies, service mesh (Istio mTLS), NSGs per subnet.
💡 Real-world example: If a web server is compromised, micro-segmentation prevents it from talking to the database server unless explicitly allowed — limiting blast radius.
15How does GCP's firewall rule model differ from AWS security groups?Medium▼
- Scope: GCP firewall rules are VPC-wide and applied to VMs via network tags or service accounts. AWS SGs are attached to specific ENIs.
- Targeting: GCP uses network tags (arbitrary labels on VMs) to apply rules — more flexible for dynamic groups. AWS SGs can reference other SG IDs.
- Priority: GCP rules have priorities (0–65534); lower number = higher priority. AWS SGs evaluate all rules and take the most permissive.
- Allow + Deny: GCP supports explicit deny rules. AWS SGs only allow.
- Global scope: Because GCP VPCs are global, a single firewall rule can apply to VMs in multiple regions.
16What is SASE (Secure Access Service Edge)?Hard▼
SASE (pronounced "sassy") is a cloud-delivered security architecture that converges networking (SD-WAN) and security (ZTNA, SWG, CASB, FWaaS, DNS security) into a single cloud service delivered from the network edge close to users.
Key components:
Key components:
- SD-WAN for optimized routing
- ZTNA for application access
- SWG (Secure Web Gateway) for internet filtering
- CASB for SaaS security
- FWaaS (Firewall-as-a-Service)
💡 Gartner coined SASE in 2019. It's the answer to securing a distributed workforce where "the network perimeter is dead."
17What is east-west traffic and why is it important to control?Medium▼
- North-South traffic: Traffic between internal network and external internet (in/out of the perimeter).
- East-West traffic: Traffic between services/servers within the same network (internal lateral movement).
💡 Target breach (2013): attackers entered via an HVAC vendor and moved east-west to reach POS systems. East-west controls would have limited the damage.
18What is SD-WAN and how does it relate to cloud security?Hard▼
SD-WAN (Software-Defined Wide Area Network) uses software to control the connectivity, management, and services between data centers and remote branches/users, abstracting from the underlying physical network.
Cloud security relevance:
Cloud security relevance:
- Replaces expensive MPLS with intelligent routing over internet links
- Integrates with cloud security (SASE) for centralized policy
- Enables direct internet breakout at branch (rather than hair-pinning through HQ)
- Traffic encryption between sites
- Automatic failover to backup links
19How would you design a secure multi-cloud network architecture?Hard▼
A structured answer covering key layers:
- Consistent naming & CIDR planning: Allocate non-overlapping CIDRs across AWS, Azure, GCP to enable future peering/connectivity
- Private connectivity: Use Direct Connect + ExpressRoute + Cloud Interconnect for sensitive workloads; avoid internet for inter-cloud traffic
- Centralized firewall/inspection: Route inter-cloud traffic through a security hub VPC with NGFW
- ZTNA: Replace VPN with ZTNA for remote access to cloud workloads
- Consistent security policies: Use a CSPM tool (Wiz, Prisma Cloud) to enforce consistent controls across clouds
- Logging: Centralize flow logs in a SIEM; enable across all clouds
💡 This is a design question — show you think about governance (consistent policies) and not just connectivity. Interviewers want to see the SASE/Zero Trust mindset.
20What is a bastion host and when is it used?Easy▼
A bastion host (jump server) is a hardened, internet-facing server in a public subnet that provides a single controlled entry point for administrators to SSH/RDP into private subnet resources.
Security practices:
Security practices:
- MFA required
- Only specific source IPs allowed in security group
- No direct internet access from private servers
- Session logging and recording
- Minimal software installed (hardened)
💡 AWS SSM Session Manager is now preferred over bastion hosts — no inbound ports needed, uses IAM for access, full audit trail in CloudTrail.
MCQ Quiz · 25 Questions
Multiple Choice Questions
Progress:
0 / 25
Simulation 1
3-Cloud Network Component Matcher
Match each service or feature to its correct cloud provider using the dropdown.
Simulation 2
Traffic Flow Simulator
For each network scenario, determine if the traffic is Allowed, Blocked, or Needs NAT.
Simulation 3
Security Control Placement
Choose where each security control should be applied.
Simulation 4
Hybrid Connectivity Selector
Choose the best connectivity option for each scenario.
🎉