Cloud engineer technical fundamentals interview questions

As asked

Explain how DNS resolution works for an EC2 instance inside a VPC. Where does the resolver sit, what happens when the instance looks up an RDS endpoint, and how does Route 53 Resolver fit in?

Sample answer outline

Candidate should describe the VPC resolver at the base of the VPC CIDR plus 2 (169.254.169.253), how it resolves both public DNS and Route 53 private hosted zones attached to the VPC, and that RDS endpoints resolve to private IPs within the VPC. Route 53 Resolver Endpoints extend this to resolve on-premises DNS from the VPC and vice versa via forwarding rules.

Expect these follow-ups

• What is the difference between enableDnsSupport and enableDnsHostnames on a VPC?
• How would you resolve an on-premises hostname from a Lambda function in a VPC?

As asked

A senior cloud engineer should be able to reason about networking at multiple OSI layers. Where do security groups, NACLs, ALBs, and CloudFront each operate, and what does that mean for how they filter or inspect traffic?

Sample answer outline

Security groups operate at layer 4 (stateful TCP/UDP), NACLs at layer 3/4 (stateless IP/port), ALBs at layer 7 (HTTP/HTTPS with header inspection and routing), and CloudFront at layer 7 with TLS termination at the edge. This determines what each can inspect: security groups cannot block based on HTTP path, but ALBs can route based on it. NACLs can block an IP range regardless of port.

Expect these follow-ups

• Can a security group block a specific HTTP User-Agent header?
• What layer does AWS WAF operate at and how does it attach to ALB and CloudFront?

As asked

Explain the principle of immutable infrastructure. How does it change how you think about patching, deployment, and rollback compared to mutable servers?

Sample answer outline

Immutable infrastructure means servers are never modified after creation. When a change is needed, a new image is built and instances are replaced. Benefits: no configuration drift, deployments are reversible by deploying the previous image, and servers match the code that created them. In cloud terms this means baking AMIs with Packer, using ASG rolling replacements, and never SSHing into production to apply patches.

Expect these follow-ups

• How do you handle stateful data in an immutable infrastructure model?
• What is configuration drift and how does immutability eliminate it?

As asked

Explain at a high level how BGP is used in AWS Direct Connect to advertise routes between your on-premises network and your VPCs.

Sample answer outline

Candidate should explain that Direct Connect uses BGP sessions over private VIFs, your router advertises on-prem prefixes to AWS, and AWS advertises VPC CIDR ranges back. They should mention AS path prepending to influence traffic flow, BGP communities to control route scope in Transit Gateway, and that Direct Connect does not provide encryption so you layer IPsec if needed.

Expect these follow-ups

• What is a private VIF versus a transit VIF?
• How do you make Direct Connect resilient to a single location failure?

As asked

Explain the CAP theorem and tell me where DynamoDB, Aurora, and ElastiCache fall on it. How does this inform when you choose each?

Sample answer outline

DynamoDB with eventual consistency is AP (available and partition-tolerant, trades consistency). DynamoDB strong reads are CP in practice. Aurora sacrifices availability during write-node failover for consistency (CP-leaning). ElastiCache Redis (single node) is CP. The lesson: in a partition-tolerant distributed world, you choose between availability and consistency per use case. For user carts you may accept eventual consistency; for financial transactions you need strong consistency.

Expect these follow-ups

• How does DynamoDB global tables complicate the CAP classification?
• What is the practical difference between eventual and strong consistency in DynamoDB reads in terms of cost?

As asked

What is the difference between a NAT Gateway and a NAT instance in AWS? Is there any scenario in 2024 where a NAT instance still makes sense?

Sample answer outline

NAT Gateway is managed, scales automatically to 100 Gbps, highly available per AZ, and requires no patching. NAT instance is an EC2 VM you manage yourself. In 2024, NAT instances still make sense for very low-traffic dev environments where the NAT Gateway per-hour charge is not justified, or when you need packet filtering or port forwarding capabilities the managed NAT Gateway does not support. Also relevant: NAT Gateway charges per GB of data processed.

Expect these follow-ups

• Why do you need one NAT Gateway per AZ and what happens if you use just one for all AZs?
• What is the data processing charge for NAT Gateway and how do you minimise it?

As asked

Explain the difference between encryption at rest and in transit. For an S3 bucket storing sensitive data accessed by a Lambda, what controls cover each, and who manages the keys?

Sample answer outline

Encryption at rest protects data on disk (S3 SSE-S3, SSE-KMS, or SSE-C). In transit uses TLS between Lambda and S3. For SSE-KMS, AWS KMS holds the key and Lambda's IAM role needs kms:Decrypt. SSE-S3 uses AWS-managed keys with no KMS API call needed. Strong answers distinguish SSE-KMS customer-managed keys (CMK) from AWS-managed keys (aws/s3) and the auditability difference via CloudTrail.

Expect these follow-ups

• What is the difference between SSE-KMS and CSE (client-side encryption)?
• When would you choose customer-managed KMS keys over AWS-managed keys?

As asked

Explain the difference between a container and a VM from a resource isolation and kernel perspective. How does this change how you think about security boundaries on ECS versus EC2?

Sample answer outline

VMs run a full guest OS on a hypervisor with hardware-level isolation per VM. Containers share the host kernel with namespace and cgroup isolation, which is lighter but weaker. On ECS EC2 launch type, multiple containers share the host kernel so a container escape could affect co-tenants. On ECS Fargate, AWS provides stronger isolation because Fargate uses a micro-VM per task (Firecracker). This matters when multi-tenant workloads share compute.

Expect these follow-ups

• What is Firecracker and how does it differ from a traditional hypervisor?
• How does ECS Fargate handle CPU and memory limits differently from EC2-launched containers?

As asked

A Lambda function makes outbound calls to an RDS Postgres database. What limits the number of concurrent connections it can open, and what happens when that limit is hit?

Sample answer outline

Lambda concurrency limit determines how many parallel Lambda instances run, each potentially holding a DB connection. RDS max_connections is set by instance class (e.g., db.t3.micro allows ~85). When all connections are exhausted, new Lambda invocations get a connection refused or timeout. The fix is RDS Proxy which pools and multiplexes connections, or reducing Lambda concurrency, or using pg_bouncer.

Expect these follow-ups

• How does RDS Proxy improve this and what does it cost?
• How do you calculate the max_connections value for a given RDS instance class?

As asked

Explain the S3 consistency model. What changed in December 2020, and how does the new model affect how you write applications that read immediately after a write?

Sample answer outline

Before December 2020, S3 offered read-after-write consistency for new objects but eventual consistency for overwrites and deletes. AWS changed S3 to strong read-after-write consistency for all operations in all regions in December 2020. Applications no longer need retry logic for listing after a write or reading immediately after an overwrite. This simplifies code that used to add delays or retries.

Expect these follow-ups

• Does S3 strong consistency change how you think about atomic multi-object updates?
• How does S3 Select consistency interact with the object consistency model?

As asked

Explain how DNS resolution works for an EC2 instance inside a VPC. Where does the resolver sit, what happens when the instance looks up an RDS endpoint, and how does Route 53 Resolver fit in?

Sample answer outline

Candidate should describe the VPC resolver at the base of the VPC CIDR plus 2 (169.254.169.253), how it resolves both public DNS and Route 53 private hosted zones attached to the VPC, and that RDS endpoints resolve to private IPs within the VPC. Route 53 Resolver Endpoints extend this to resolve on-premises DNS from the VPC and vice versa via forwarding rules.

Expect these follow-ups

• What is the difference between enableDnsSupport and enableDnsHostnames on a VPC?
• How would you resolve an on-premises hostname from a Lambda function in a VPC?

As asked

A senior cloud engineer should be able to reason about networking at multiple OSI layers. Where do security groups, NACLs, ALBs, and CloudFront each operate, and what does that mean for how they filter or inspect traffic?

Sample answer outline

Security groups operate at layer 4 (stateful TCP/UDP), NACLs at layer 3/4 (stateless IP/port), ALBs at layer 7 (HTTP/HTTPS with header inspection and routing), and CloudFront at layer 7 with TLS termination at the edge. This determines what each can inspect: security groups cannot block based on HTTP path, but ALBs can route based on it. NACLs can block an IP range regardless of port.

Expect these follow-ups

• Can a security group block a specific HTTP User-Agent header?
• What layer does AWS WAF operate at and how does it attach to ALB and CloudFront?

As asked

Explain the principle of immutable infrastructure. How does it change how you think about patching, deployment, and rollback compared to mutable servers?

Sample answer outline

Immutable infrastructure means servers are never modified after creation. When a change is needed, a new image is built and instances are replaced. Benefits: no configuration drift, deployments are reversible by deploying the previous image, and servers match the code that created them. In cloud terms this means baking AMIs with Packer, using ASG rolling replacements, and never SSHing into production to apply patches.

Expect these follow-ups

• How do you handle stateful data in an immutable infrastructure model?
• What is configuration drift and how does immutability eliminate it?

As asked

Explain at a high level how BGP is used in AWS Direct Connect to advertise routes between your on-premises network and your VPCs.

Sample answer outline

Candidate should explain that Direct Connect uses BGP sessions over private VIFs, your router advertises on-prem prefixes to AWS, and AWS advertises VPC CIDR ranges back. They should mention AS path prepending to influence traffic flow, BGP communities to control route scope in Transit Gateway, and that Direct Connect does not provide encryption so you layer IPsec if needed.

Expect these follow-ups

• What is a private VIF versus a transit VIF?
• How do you make Direct Connect resilient to a single location failure?

As asked

Explain the CAP theorem and tell me where DynamoDB, Aurora, and ElastiCache fall on it. How does this inform when you choose each?

Sample answer outline

DynamoDB with eventual consistency is AP (available and partition-tolerant, trades consistency). DynamoDB strong reads are CP in practice. Aurora sacrifices availability during write-node failover for consistency (CP-leaning). ElastiCache Redis (single node) is CP. The lesson: in a partition-tolerant distributed world, you choose between availability and consistency per use case. For user carts you may accept eventual consistency; for financial transactions you need strong consistency.

Expect these follow-ups

• How does DynamoDB global tables complicate the CAP classification?
• What is the practical difference between eventual and strong consistency in DynamoDB reads in terms of cost?

As asked

What is the difference between a NAT Gateway and a NAT instance in AWS? Is there any scenario in 2024 where a NAT instance still makes sense?

Sample answer outline

NAT Gateway is managed, scales automatically to 100 Gbps, highly available per AZ, and requires no patching. NAT instance is an EC2 VM you manage yourself. In 2024, NAT instances still make sense for very low-traffic dev environments where the NAT Gateway per-hour charge is not justified, or when you need packet filtering or port forwarding capabilities the managed NAT Gateway does not support. Also relevant: NAT Gateway charges per GB of data processed.

Expect these follow-ups

• Why do you need one NAT Gateway per AZ and what happens if you use just one for all AZs?
• What is the data processing charge for NAT Gateway and how do you minimise it?

As asked

Explain the difference between encryption at rest and in transit. For an S3 bucket storing sensitive data accessed by a Lambda, what controls cover each, and who manages the keys?

Sample answer outline

Encryption at rest protects data on disk (S3 SSE-S3, SSE-KMS, or SSE-C). In transit uses TLS between Lambda and S3. For SSE-KMS, AWS KMS holds the key and Lambda's IAM role needs kms:Decrypt. SSE-S3 uses AWS-managed keys with no KMS API call needed. Strong answers distinguish SSE-KMS customer-managed keys (CMK) from AWS-managed keys (aws/s3) and the auditability difference via CloudTrail.

Expect these follow-ups

• What is the difference between SSE-KMS and CSE (client-side encryption)?
• When would you choose customer-managed KMS keys over AWS-managed keys?

As asked

Explain the difference between a container and a VM from a resource isolation and kernel perspective. How does this change how you think about security boundaries on ECS versus EC2?

Sample answer outline

VMs run a full guest OS on a hypervisor with hardware-level isolation per VM. Containers share the host kernel with namespace and cgroup isolation, which is lighter but weaker. On ECS EC2 launch type, multiple containers share the host kernel so a container escape could affect co-tenants. On ECS Fargate, AWS provides stronger isolation because Fargate uses a micro-VM per task (Firecracker). This matters when multi-tenant workloads share compute.

Expect these follow-ups

• What is Firecracker and how does it differ from a traditional hypervisor?
• How does ECS Fargate handle CPU and memory limits differently from EC2-launched containers?

As asked

A Lambda function makes outbound calls to an RDS Postgres database. What limits the number of concurrent connections it can open, and what happens when that limit is hit?

Sample answer outline

Lambda concurrency limit determines how many parallel Lambda instances run, each potentially holding a DB connection. RDS max_connections is set by instance class (e.g., db.t3.micro allows ~85). When all connections are exhausted, new Lambda invocations get a connection refused or timeout. The fix is RDS Proxy which pools and multiplexes connections, or reducing Lambda concurrency, or using pg_bouncer.

Expect these follow-ups

• How does RDS Proxy improve this and what does it cost?
• How do you calculate the max_connections value for a given RDS instance class?

As asked

Explain the S3 consistency model. What changed in December 2020, and how does the new model affect how you write applications that read immediately after a write?

Sample answer outline

Before December 2020, S3 offered read-after-write consistency for new objects but eventual consistency for overwrites and deletes. AWS changed S3 to strong read-after-write consistency for all operations in all regions in December 2020. Applications no longer need retry logic for listing after a write or reading immediately after an overwrite. This simplifies code that used to add delays or retries.

Expect these follow-ups

• Does S3 strong consistency change how you think about atomic multi-object updates?
• How does S3 Select consistency interact with the object consistency model?