← Interview Prep Portal | Cyberspace Tech Solutions Main Site Book 1-on-1
Module 03 · Multi-Cloud Security Curriculum

Network Security in Multi-Cloud

Master VPC architecture, security groups, private endpoints, hybrid connectivity, WAF, and DDoS protection across AWS, Azure, and GCP.

20
Interview Q&As
25
MCQ Questions
4
Simulations
8
Hours Content

Topics Covered

TopicKey Services
VPC / VNet / VPC-SC ArchitectureAWS VPC, Azure VNet, GCP VPC
Subnets, Routing, GatewaysInternet GW, NAT GW, Route Tables
Firewall ControlsSecurity Groups, NSGs, GCP Firewall Rules
Private Endpoints & Service EndpointsAWS PrivateLink, Azure Private Endpoint
Hybrid & Multi-Cloud ConnectivityVPN, ExpressRoute, Direct Connect
DDoS & WAFAWS Shield, Azure DDoS, GCP Cloud Armor
Network MonitoringVPC Flow Logs, Network Watcher
Zero Trust Network Access (ZTNA)SASE, micro-segmentation
💡 Interview Focus: Interviewers love comparing AWS vs Azure vs GCP networking. Know Security Groups vs NSGs cold, understand VPC peering limitations, and be able to design a secure hybrid network architecture.
Core Concepts · ~20 min reading

Network Security Fundamentals

Virtual Private Cloud (VPC) Architecture

A VPC is a logically isolated section of the cloud provider's network. You define your own IP address space (CIDR), subnets, route tables, and gateways.

FeatureAWS VPCAzure VNetGCP VPC
ScopeRegionalRegionalGlobal (subnets are regional)
SubnetsAZ-scopedRegionalRegional
Default networkDefault VPCNone (must create)Default VPC
PeeringVPC PeeringVNet PeeringVPC Peering
🔑 Key: GCP VPCs are global — one VPC can span all regions, unlike AWS/Azure which are regional. This simplifies multi-region architectures but requires careful firewall rule scoping.

Firewall Controls Comparison

FeatureAWS Security GroupsAzure NSGsGCP Firewall Rules
ScopeInstance (ENI) levelSubnet or NIC levelVPC-wide (tag/SA based)
StatefulnessStatefulStatefulStateful
Default behaviorDeny all inbound, allow all outboundDeny all inbound, allow all outbound (default rules)Deny all ingress, allow all egress
Rule typesAllow onlyAllow + Deny (priority-based)Allow + Deny (priority-based)
TargetingSG ID referencesIP, service tag, ASGNetwork tags, service accounts

Routing & Gateways

ComponentPurposeNotes
Internet Gateway (IGW)Allows public subnet resources to reach internetAWS; requires public IP on instance
NAT GatewayAllows private subnet outbound internet (no inbound)Managed, high availability; charged per GB
Route TableDetermines where subnet traffic goesEach subnet associated with one route table
VPC PeeringPrivate connectivity between two VPCsNo transitive routing; doesn't scale to many VPCs
Transit Gateway (AWS)Hub-and-spoke: connect many VPCs + on-premTransitive routing supported; scalable
Virtual WAN (Azure)Azure equivalent of Transit GatewayGlobal hub for VNets + on-prem

Private Connectivity

  • AWS PrivateLink: Expose a service (your own or AWS) via private IP inside a VPC. Traffic never traverses the internet. Enables SaaS providers to offer private endpoints to customers.
  • Azure Private Endpoint: Gives a PaaS resource (e.g., Azure SQL, Key Vault, Storage) a private IP inside your VNet. Accessed over Microsoft backbone, not internet.
  • Azure Service Endpoints: Route VNet traffic to Azure services over the Azure backbone but resource still has public IP — less secure than Private Endpoints.
  • GCP Private Service Connect: Similar to AWS PrivateLink — private IP access to Google APIs or partner services.

Hybrid & Multi-Cloud Connectivity

OptionAWSAzureGCPUse Case
IPSec VPNSite-to-Site VPNVPN GatewayCloud VPNEncrypted tunnel over internet; cost-effective
Dedicated CircuitDirect ConnectExpressRouteCloud InterconnectPrivate, high-bandwidth, low-latency; no internet
SD-WANMulti-providerAzure Virtual WANNCCSoftware-defined, multi-cloud routing
⚠️ VPN encrypts traffic but uses the public internet — latency and bandwidth can vary. ExpressRoute/Direct Connect are private but expensive. Choose based on SLA requirements and budget.

DDoS Protection & WAF

ControlAWSAzureGCP
DDoS (Basic)AWS Shield Standard (free)Azure DDoS Basic (free)Cloud Armor (basic)
DDoS (Advanced)AWS Shield Advanced ($3,000/mo)Azure DDoS StandardCloud Armor Enterprise
WAFAWS WAF (rules, rate limiting)Azure WAF (Front Door / App GW)GCP Cloud Armor (WAF policies)
Interview Q&A · 20 Questions

Interview Questions & Model Answers

Click any question to reveal the model answer.

1What is a VPC and how does it provide network isolation in the cloud?Easy
A VPC (Virtual Private Cloud) is a logically isolated virtual network within a cloud provider's infrastructure. It provides network isolation by:
  • Defining a private IP address space (CIDR block) exclusively for your resources
  • Using separate route tables to control traffic flow
  • Applying security groups / NSGs as virtual firewalls at the instance or subnet level
  • Preventing resources in different VPCs from communicating unless explicitly peered or connected
💡 AWS VPCs are regional; GCP VPCs are global (subnets are regional). This is a common interview trick question about GCP networking.
2What is the difference between a public and private subnet?Easy
  • Public subnet: Has a route to an Internet Gateway (IGW). Resources can have public IPs and be reached from the internet. Used for: load balancers, bastion hosts, NAT gateways.
  • Private subnet: No route to IGW. Resources have only private IPs. Can reach internet via NAT Gateway (outbound only). Used for: databases, application servers, internal services.
💡 Best practice: Put databases and app servers in private subnets. Only expose what must be public (load balancers, jump hosts) in public subnets.
3How do AWS Security Groups differ from Azure NSGs?Medium
FeatureAWS Security GroupAzure NSG
LevelInstance (ENI)Subnet or NIC
Rule typesAllow onlyAllow + Deny
PriorityAll rules evaluated, most permissive winsPriority number (100–4096), lowest wins
DefaultDeny all inbound, allow all outboundDeny all inbound/outbound (default rules)
ReferencingCan reference other SG IDsIP ranges, service tags, ASG names
💡 Security Groups are "allow-only" — you cannot explicitly deny. NSGs support explicit deny rules with priority ordering, making them more granular.
4What is the difference between a NAT gateway and an internet gateway?Easy
  • Internet Gateway (IGW): Allows bidirectional traffic between a VPC and the internet. Resources in public subnets with public IPs use IGW for both inbound and outbound traffic.
  • NAT Gateway: Allows resources in private subnets to initiate outbound connections to the internet (e.g., software updates) while blocking unsolicited inbound traffic from the internet. Translates private IPs to the NAT's public IP.
💡 IGW = two-way door. NAT Gateway = one-way exit valve. Private subnets need NAT for internet egress but remain unreachable from outside.
5What is VPC peering and what are its limitations?Medium
VPC peering creates a private network connection between two VPCs (same or different accounts/regions) allowing them to communicate using private IPs.

Limitations:
  • No transitive routing: If VPC-A peers with VPC-B and VPC-B peers with VPC-C, VPC-A cannot reach VPC-C through VPC-B
  • CIDR overlap: Peered VPCs cannot have overlapping IP ranges
  • Scaling: N*(N-1)/2 peering connections needed for full mesh — use Transit Gateway for many VPCs
  • No bandwidth limits guarantee beyond the underlying network
💡 For more than 5-10 VPCs, Transit Gateway (AWS) or Virtual WAN (Azure) is preferred over mesh peering.
6What is AWS Transit Gateway and when would you use it?Medium
AWS Transit Gateway is a regional network transit hub that connects VPCs and on-premises networks through a central gateway. It supports transitive routing — VPCs connected to the TGW can communicate with each other without individual peering.

Use cases:
  • Connecting dozens/hundreds of VPCs in a hub-and-spoke topology
  • Centralized inspection (route all traffic through a security VPC with firewall)
  • Connecting on-premises networks via VPN or Direct Connect to multiple VPCs
  • Multi-region connectivity via TGW peering
💡 Cost: TGW charges per attachment and per GB. For <5 VPCs, standard peering may be cheaper. TGW shines at scale.
7What is a Private Endpoint in Azure and why is it used?Medium
An Azure Private Endpoint is a network interface with a private IP address from your VNet, connected to an Azure PaaS service (Storage, SQL, Key Vault, etc.) or a partner service.

Why use it:
  • Traffic between your VNet and the service stays on the Microsoft backbone — never traverses the internet
  • Eliminates public IP exposure for PaaS resources
  • Enables data exfiltration protection (disable public access entirely)
  • Works across peered VNets and on-premises via ExpressRoute
💡 Service Endpoints route traffic over the Azure backbone but the resource still has a public IP. Private Endpoints give the resource a truly private IP in your VNet — much stronger isolation.
8What is AWS PrivateLink?Medium
AWS PrivateLink allows you to access services (AWS services, your own services, or third-party services) privately from within your VPC using private IP addresses. It creates a VPC Endpoint that routes traffic via the AWS backbone without traversing the internet.

Types:
  • Interface Endpoint: An ENI with private IP in your subnet — for most services (S3, ECR, KMS, Secrets Manager, etc.)
  • Gateway Endpoint: Route table entry for S3 and DynamoDB (free)
SaaS use case: An ISV can expose their service via a Network Load Balancer + PrivateLink, allowing customers to access it privately from their own VPCs.
💡 PrivateLink allows VPCs with overlapping CIDRs to connect (unlike peering) since traffic goes through endpoints, not direct routing.
9What is the difference between a VPN and ExpressRoute/Direct Connect?Medium
FeatureSite-to-Site VPNExpressRoute / Direct Connect
PathPublic internet (encrypted)Private dedicated circuit
LatencyVariable (internet)Consistent, low latency
BandwidthUp to ~1.25 Gbps1–100 Gbps
SLABest-effortCarrier-backed SLA
CostLowHigh (circuit + port fees)
Setup timeHoursWeeks–months
💡 Banks, healthcare, and regulated industries typically require Direct Connect / ExpressRoute for compliance (data must not traverse the public internet). Startups use VPN to get started.
10How does AWS Shield protect against DDoS attacks?Easy
  • AWS Shield Standard (free): Automatically protects all AWS customers against common network and transport layer DDoS attacks (SYN floods, UDP reflection). No configuration needed.
  • AWS Shield Advanced ($3,000/mo + data transfer): Enhanced detection for complex DDoS attacks, near real-time visibility, DDoS cost protection (credits if attack causes scaling costs), access to AWS DDoS Response Team (DRT), application-layer (L7) protection via AWS WAF integration.
💡 Shield Advanced is worth it for revenue-critical applications where downtime costs exceed the monthly fee, or for organizations requiring SLA-backed DDoS protection.
11What is a Web Application Firewall (WAF) and how does it work?Easy
A WAF inspects HTTP/HTTPS traffic between users and web applications, filtering malicious requests based on rules before they reach the application.

Protection: SQL injection, XSS, CSRF, bad bots, rate limiting, geo-blocking, OWASP Top 10 attacks.

Cloud WAF options:
  • AWS WAF: rule groups, managed rules (OWASP, AWS managed), rate-based rules
  • Azure WAF: integrated with Front Door and Application Gateway, OWASP rulesets
  • GCP Cloud Armor: preconfigured WAF rules, adaptive protection (ML-based)
💡 WAF operates at Layer 7 (application). It doesn't protect against volumetric DDoS — combine WAF with Shield/DDoS Protection for full coverage.
12What are VPC Flow Logs and how are they used for security?Medium
VPC Flow Logs capture information about IP traffic going to and from network interfaces in a VPC. Fields: source/destination IP, source/destination port, protocol, bytes transferred, action (ACCEPT/REJECT), start/end time.

Security uses:
  • Detect port scanning (many rejected connections from one IP)
  • Identify unusual data volumes (potential exfiltration)
  • Investigate security incidents (reconstruct network timeline)
  • Detect communication to known malicious IPs
  • Compliance and audit requirements
Storage: CloudWatch Logs (AWS), Log Analytics (Azure), Cloud Logging (GCP).
💡 Flow logs show WHAT communicated, not the content (payload). For deep packet inspection, you need a network IDS/IPS solution.
13What is ZTNA vs traditional VPN?Hard
FeatureTraditional VPNZTNA
Trust modelTrust once connected to networkNever trust, always verify
AccessFull network access after loginApplication-level access only
VerificationAt connection time onlyContinuous (device, user, context)
Lateral movement riskHigh (attacker moves freely once in)Low (isolated per-app access)
User experienceOften slow, hairpinningDirect-to-app, faster
💡 ZTNA is the foundation of SASE (Secure Access Service Edge). Major vendors: Zscaler ZPA, Cloudflare Access, Palo Alto Prisma Access.
14What is network micro-segmentation?Hard
Micro-segmentation divides a network into very small, isolated zones at the workload or application level (not just perimeter or VLAN), enforcing granular security policies between segments — including east-west (internal) traffic.

Why it matters: Traditional perimeter firewalls only protect north-south (in/out) traffic. Once an attacker is inside, they move freely. Micro-segmentation stops lateral movement by requiring explicit allow rules between every workload.

Implementation in cloud: Security Groups per service, Kubernetes NetworkPolicies, service mesh (Istio mTLS), NSGs per subnet.
💡 Real-world example: If a web server is compromised, micro-segmentation prevents it from talking to the database server unless explicitly allowed — limiting blast radius.
15How does GCP's firewall rule model differ from AWS security groups?Medium
  • Scope: GCP firewall rules are VPC-wide and applied to VMs via network tags or service accounts. AWS SGs are attached to specific ENIs.
  • Targeting: GCP uses network tags (arbitrary labels on VMs) to apply rules — more flexible for dynamic groups. AWS SGs can reference other SG IDs.
  • Priority: GCP rules have priorities (0–65534); lower number = higher priority. AWS SGs evaluate all rules and take the most permissive.
  • Allow + Deny: GCP supports explicit deny rules. AWS SGs only allow.
  • Global scope: Because GCP VPCs are global, a single firewall rule can apply to VMs in multiple regions.
16What is SASE (Secure Access Service Edge)?Hard
SASE (pronounced "sassy") is a cloud-delivered security architecture that converges networking (SD-WAN) and security (ZTNA, SWG, CASB, FWaaS, DNS security) into a single cloud service delivered from the network edge close to users.

Key components:
  • SD-WAN for optimized routing
  • ZTNA for application access
  • SWG (Secure Web Gateway) for internet filtering
  • CASB for SaaS security
  • FWaaS (Firewall-as-a-Service)
Vendors: Zscaler, Palo Alto Prisma SASE, Netskope, Cloudflare One.
💡 Gartner coined SASE in 2019. It's the answer to securing a distributed workforce where "the network perimeter is dead."
17What is east-west traffic and why is it important to control?Medium
  • North-South traffic: Traffic between internal network and external internet (in/out of the perimeter).
  • East-West traffic: Traffic between services/servers within the same network (internal lateral movement).
East-west traffic is critical because: most advanced attacks (ransomware, APTs) move laterally after initial compromise. Traditional perimeter firewalls don't inspect east-west traffic. Controlling it requires micro-segmentation, network policies, and internal firewalls/IDS.
💡 Target breach (2013): attackers entered via an HVAC vendor and moved east-west to reach POS systems. East-west controls would have limited the damage.
18What is SD-WAN and how does it relate to cloud security?Hard
SD-WAN (Software-Defined Wide Area Network) uses software to control the connectivity, management, and services between data centers and remote branches/users, abstracting from the underlying physical network.

Cloud security relevance:
  • Replaces expensive MPLS with intelligent routing over internet links
  • Integrates with cloud security (SASE) for centralized policy
  • Enables direct internet breakout at branch (rather than hair-pinning through HQ)
  • Traffic encryption between sites
  • Automatic failover to backup links
19How would you design a secure multi-cloud network architecture?Hard
A structured answer covering key layers:
  • Consistent naming & CIDR planning: Allocate non-overlapping CIDRs across AWS, Azure, GCP to enable future peering/connectivity
  • Private connectivity: Use Direct Connect + ExpressRoute + Cloud Interconnect for sensitive workloads; avoid internet for inter-cloud traffic
  • Centralized firewall/inspection: Route inter-cloud traffic through a security hub VPC with NGFW
  • ZTNA: Replace VPN with ZTNA for remote access to cloud workloads
  • Consistent security policies: Use a CSPM tool (Wiz, Prisma Cloud) to enforce consistent controls across clouds
  • Logging: Centralize flow logs in a SIEM; enable across all clouds
💡 This is a design question — show you think about governance (consistent policies) and not just connectivity. Interviewers want to see the SASE/Zero Trust mindset.
20What is a bastion host and when is it used?Easy
A bastion host (jump server) is a hardened, internet-facing server in a public subnet that provides a single controlled entry point for administrators to SSH/RDP into private subnet resources.

Security practices:
  • MFA required
  • Only specific source IPs allowed in security group
  • No direct internet access from private servers
  • Session logging and recording
  • Minimal software installed (hardened)
Modern alternatives: AWS Systems Manager Session Manager (no exposed port 22), Azure Bastion (browser-based, no public IP needed).
💡 AWS SSM Session Manager is now preferred over bastion hosts — no inbound ports needed, uses IAM for access, full audit trail in CloudTrail.

MCQ Quiz · 25 Questions

Multiple Choice Questions

Progress:
0 / 25
Simulation 1

3-Cloud Network Component Matcher

Match each service or feature to its correct cloud provider using the dropdown.

Simulation 2

Traffic Flow Simulator

For each network scenario, determine if the traffic is Allowed, Blocked, or Needs NAT.

Simulation 3

Security Control Placement

Choose where each security control should be applied.

Simulation 4

Hybrid Connectivity Selector

Choose the best connectivity option for each scenario.

🎉

Module 03 Complete!