Network engineer system design interview questions

As asked

A company wants all application traffic to managed databases and internal APIs to stay off the public internet. Walk me through the cloud networking design.

Sample answer outline

Use private subnets for workloads and private endpoints or PrivateLink-style services for managed databases and vendor APIs that support it. Route outbound internet access through controlled egress points, not from every workload subnet, and restrict security groups or firewall rules by service identity and port. DNS matters: the application should resolve the same service name to a private address inside the VPC or VNet. Discuss overlapping CIDRs, peering limits, transit gateways, and how this changes across AWS, Azure, and GCP. Weak answers often say 'use a VPN' without addressing name resolution, routing tables, or operational debugging.

Expect these follow-ups

• How would you debug an intermittent connection timeout to a private endpoint?
• When is VPC peering the wrong answer?
• How do you prevent all traffic from hairpinning through one expensive NAT path?

As asked

A company has flat network access between office, cloud, and production systems. How would you redesign segmentation using zero-trust principles?

Sample answer outline

Start by inventorying assets, data sensitivity, traffic flows, and identities before drawing new subnet boundaries. Segment by trust level and service purpose, then enforce access with identity-aware proxies, mutual TLS, security groups, firewall policies, and just-in-time admin access. Prefer explicit allow-lists based on service identity over broad IP ranges where the platform supports it. Roll out in observe mode first so legitimate flows are discovered and owners can fix dependencies. The best answers balance security with operability and include logging for denied flows.

Expect these follow-ups

• Where do VPNs fit in a zero-trust design?
• How do you avoid breaking batch jobs that use undocumented network paths?
• What is the difference between segmentation and microsegmentation?

As asked

A load balancer keeps sending traffic to unhealthy application nodes during deploys. How would you redesign health checks and draining?

Sample answer outline

Distinguish liveness, readiness, and dependency health. A node should be live if the process can keep running, ready only when it can serve real traffic, and draining when it should finish existing requests but reject new ones. Health checks should hit a cheap endpoint that validates critical dependencies without causing a cascading outage when one shared dependency is slow. Configure thresholds, intervals, slow-start, connection draining, and deregistration delay to match the application's startup and shutdown behaviour. Candidates often fail by using one shallow /health endpoint for every purpose.

Expect these follow-ups

• Should database connectivity be part of readiness?
• How do long-lived WebSocket connections change draining?
• What happens if all targets fail the health check at once?