Network engineer interview questions

As asked

Traffic to your public service suddenly starts routing through an unexpected provider and latency triples. How would you investigate and respond to a possible BGP route leak?

Sample answer outline

Start with external visibility: route collectors, looking glasses, RPKI status, traceroutes from multiple regions, and provider status channels. Confirm whether your prefixes are being originated or propagated incorrectly, then work with upstream providers to filter or withdraw bad routes. Ensure your own route objects, ROAs, prefix filters, and max-prefix limits are correct before blaming the internet. Mitigate user impact with traffic engineering, alternate providers, or CDN routing where available. Candidates should understand that BGP convergence and provider coordination are operational realities, not instant local fixes.

Expect these follow-ups

• How does RPKI help, and what does it not prevent?
• What prefix filtering would you expect from a responsible upstream?
• How would you communicate customer impact during a routing incident?

As asked

A company wants all application traffic to managed databases and internal APIs to stay off the public internet. Walk me through the cloud networking design.

Sample answer outline

Use private subnets for workloads and private endpoints or PrivateLink-style services for managed databases and vendor APIs that support it. Route outbound internet access through controlled egress points, not from every workload subnet, and restrict security groups or firewall rules by service identity and port. DNS matters: the application should resolve the same service name to a private address inside the VPC or VNet. Discuss overlapping CIDRs, peering limits, transit gateways, and how this changes across AWS, Azure, and GCP. Weak answers often say 'use a VPN' without addressing name resolution, routing tables, or operational debugging.

Expect these follow-ups

• How would you debug an intermittent connection timeout to a private endpoint?
• When is VPC peering the wrong answer?
• How do you prevent all traffic from hairpinning through one expensive NAT path?

As asked

Users in one region cannot resolve api.example.com, while other regions are fine. Walk me through your DNS debugging process.

Sample answer outline

Check resolution from affected and unaffected recursive resolvers, then query authoritative nameservers directly to separate resolver cache problems from zone problems. Inspect TTLs, recent changes, DNSSEC validation failures, delegation, glue records, and geo-DNS or latency-based routing policies. Compare A, AAAA, CNAME, and ALIAS behaviour because IPv6 or a broken CNAME target can look regional. Use logs from managed DNS where available and confirm whether the issue is resolver-specific, ISP-specific, or authoritative. Weak answers stop at flushing cache and miss delegation or DNSSEC failures.

Expect these follow-ups

• How can a DNSSEC issue affect only some resolvers?
• What TTL would you choose before a planned cutover?
• How do you prove the application is healthy once DNS is fixed?

As asked

A company has flat network access between office, cloud, and production systems. How would you redesign segmentation using zero-trust principles?

Sample answer outline

Start by inventorying assets, data sensitivity, traffic flows, and identities before drawing new subnet boundaries. Segment by trust level and service purpose, then enforce access with identity-aware proxies, mutual TLS, security groups, firewall policies, and just-in-time admin access. Prefer explicit allow-lists based on service identity over broad IP ranges where the platform supports it. Roll out in observe mode first so legitimate flows are discovered and owners can fix dependencies. The best answers balance security with operability and include logging for denied flows.

Expect these follow-ups

• Where do VPNs fit in a zero-trust design?
• How do you avoid breaking batch jobs that use undocumented network paths?
• What is the difference between segmentation and microsegmentation?

As asked

A load balancer keeps sending traffic to unhealthy application nodes during deploys. How would you redesign health checks and draining?

Sample answer outline

Distinguish liveness, readiness, and dependency health. A node should be live if the process can keep running, ready only when it can serve real traffic, and draining when it should finish existing requests but reject new ones. Health checks should hit a cheap endpoint that validates critical dependencies without causing a cascading outage when one shared dependency is slow. Configure thresholds, intervals, slow-start, connection draining, and deregistration delay to match the application's startup and shutdown behaviour. Candidates often fail by using one shallow /health endpoint for every purpose.

Expect these follow-ups

• Should database connectivity be part of readiness?
• How do long-lived WebSocket connections change draining?
• What happens if all targets fail the health check at once?