EC2 Interview Questions Part 02

50+ curated AWS EC2 interview questions with detailed answers — covering instance types, Auto Scaling, load balancers, storage, networking, and more. Basic to Advanced.

What is Amazon EC2 and what are its main use cases?

Basic

Amazon EC2 (Elastic Compute Cloud) is a web service that provides resizable virtual compute capacity in the cloud. You can launch and terminate instances on demand, paying only for what you use.

Common use cases:

Web and application hosting
Batch processing and big data workloads
Machine learning model training
Dev, test, and staging environments
High-performance computing (HPC)

# Launch an EC2 instance using AWS CLI
aws ec2 run-instances \
  --image-id ami-0abcdef1234567890 \
  --instance-type t3.micro \
  --key-name my-key-pair \
  --security-group-ids sg-0123456789abcdef0 \
  --subnet-id subnet-0123456789abcdef0 \
  --count 1

What is the difference between On-Demand, Reserved, and Spot instances?

Basic

AWS offers three main purchasing options for EC2 instances:

Type	Use Case	Savings vs On-Demand
On-Demand	Short-term, unpredictable workloads	Baseline (no discount)
Reserved	Steady-state, predictable workloads (1–3 yr term)	Up to 72%
Spot	Fault-tolerant, flexible workloads	Up to 90%

Key rule of thumb:

On-Demand → dev/test, unpredictable traffic
Reserved → production databases, always-on apps
Spot → batch jobs, CI/CD runners, rendering

Spot Instance Risk

Spot instances can be interrupted with a 2-minute warning when AWS needs capacity back. Never run stateful workloads (like a primary database) on Spot.

What are EC2 instance families and how do you choose the right one?

Basic

EC2 instance families are grouped by workload type:

Family	Optimized For	Example Types
General Purpose	Balanced CPU/memory/network	t3, m6i, m7g
Compute Optimized	High CPU, low memory ratio	c6i, c7g
Memory Optimized	In-memory DBs, big data	r6i, x2idn
Storage Optimized	High I/O, NVMe SSD	i4i, d3
Accelerated Computing	ML/GPU workloads	p4, g5, inf2

Naming convention — example m6i.xlarge:

m = family (general purpose)
6 = generation (6th gen)
i = Intel processor
xlarge = size (4 vCPU, 16 GiB RAM)

Pro Tip

Start with t3.micro for low-traffic apps. Use the AWS Compute Optimizer tool to get right-sizing recommendations based on actual CloudWatch usage data.

What is an AMI and how do you create a custom one?

Basic

An AMI (Amazon Machine Image) is a pre-configured template containing the OS, application server, and applications needed to launch an EC2 instance. Think of it as a snapshot of a fully configured server.

AMI types:

AWS-provided — Amazon Linux 2, Ubuntu, Windows Server
AWS Marketplace — third-party software (e.g., Bitnami WordPress)
Custom (private) — your own golden images with pre-installed software

Creating a custom AMI:

# 1. Launch a base instance and configure it
# 2. Create an AMI from the running instance
aws ec2 create-image \
  --instance-id i-0abcdef1234567890 \
  --name "my-app-server-v1.0" \
  --description "App server with Node.js 20 + Nginx" \
  --no-reboot

# 3. Use the AMI ID to launch new instances
aws ec2 run-instances \
  --image-id ami-<your-new-ami-id> \
  --instance-type t3.medium

Best Practice

Use --no-reboot carefully — it skips filesystem flush. For production golden images, stop the instance first to ensure data consistency.

What is the difference between Security Groups and Network ACLs?

Intermediate

Both control traffic in a VPC, but they operate at different layers:

Feature	Security Group	Network ACL
Level	Instance level	Subnet level
State	Stateful	Stateless
Rules	Allow only	Allow + Deny
Evaluation	All rules evaluated	Rules evaluated in order
Default	Deny all inbound	Allow all traffic

Stateful vs Stateless explained:

Security Group (stateful) — if you allow inbound port 80, the response traffic is automatically allowed out. You don’t need a separate outbound rule.
NACL (stateless) — you must explicitly add both inbound AND outbound rules for every connection, including ephemeral ports (1024–65535).

# Create a security group allowing HTTP + SSH
aws ec2 create-security-group \
  --group-name web-sg \
  --description "Allow HTTP and SSH" \
  --vpc-id vpc-0123456789abcdef0

# Add inbound rules
aws ec2 authorize-security-group-ingress \
  --group-id sg-0123456789abcdef0 \
  --protocol tcp --port 80 --cidr 0.0.0.0/0

aws ec2 authorize-security-group-ingress \
  --group-id sg-0123456789abcdef0 \
  --protocol tcp --port 22 --cidr 10.0.0.0/8

Interview Tip

A common trick question: “Can a Security Group deny specific IPs?” — No. Only NACLs can deny. Security Groups are allow-only. To block an IP at the instance level, use a NACL on the subnet.

EC2 Interview Questions Part 02

Add More Questions to This Guide