Cloud Infrastructure Interview Questions

Sample Answer

Start by measuring per stage I/O throughput and request rates, then match them to storage limits and network bandwidth for your instance types and VPC path. Check if you are doing too many small GETs and LISTs, which causes request throttling, then fix it with larger files, fewer partitions, and read ahead where supported. Verify you have sufficient aggregate NIC bandwidth, avoid cross AZ data paths when possible, and ensure endpoints to object storage stay on the provider backbone. Your first two changes are usually file compaction to reduce request count and right sizing or scaling out executors to align compute with available network throughput.

Sample Answer

You could do environment specific hostnames like meta-dev, meta-stg, meta-prod, or you could use the same hostname with split horizon DNS per environment. Split horizon wins here because you keep application configs identical and control resolution via private DNS zones associated to each network. You route traffic over private connectivity such as peering or transit, lock it down with security groups and mutual TLS, and restrict DNS recursion to approved resolvers. If DNS caching is misconfigured, you see sticky failures where clients keep an old IP after a failover, or they resolve prod from dev, so you set sane TTLs, monitor resolver hit rates, and force connection retries on address change.

Sample Answer

You could standardize on Delta Lake everywhere, or you could pick an open table format like Apache Iceberg that has first-class support across multiple engines. Delta wins here because you can get a tightly integrated managed runtime with Databricks on AWS, GCP, and Azure, plus consistent semantics for MERGE, OPTIMIZE, and time travel. Iceberg wins if you need broader engine interoperability, for example Trino, Flink, Spark, and multiple catalogs, and you want to avoid coupling to a single vendor implementation. In either case, you map storage to S3, GCS, or ADLS Gen2, compute to Spark on Databricks or a managed Spark service, and a metastore or catalog to Glue Data Catalog, BigLake or Dataplex, or Microsoft Purview, then you validate lock management, schema evolution, and CDC merge performance.

Sample Answer

Start with the roles: a streaming ingestion bus, a stream processor, durable storage, and an interactive SQL layer. On GCP you map Kinesis to Pub/Sub, Spark streaming to Dataproc or Dataflow if you switch engines, S3 to GCS, and Athena to BigQuery external tables or BigQuery over ingested tables. On Azure you map Kinesis to Event Hubs, Spark streaming to Azure Databricks, S3 to ADLS Gen2, and Athena to Synapse serverless SQL or an engine like Trino. For exactly-once into analytical tables, you lean on idempotent writes and transactional table formats, for example Delta or Iceberg with checkpointing, and you design keys and MERGE semantics so replays do not duplicate records.

Sample Answer

First, you list what is hurting you now: upgrade toil, scheduler stability, worker autoscaling, and incident load. Next, you map requirements that might block managed: custom operators, network connectivity, private dependencies, and strict control over execution environment. Then you compare failure semantics, especially retries and timeouts, and decide how you will make tasks idempotent and how you will persist state between attempts. Finally, you plan platform deltas: move secrets to managed secret store with rotation, standardize logs and traces with correlation IDs, and validate that managed limits on concurrency and DAG size will not break peak workloads.

Sample Answer

This question is checking whether you can design for failure in managed runtimes where retries, at least once delivery, and partial writes are normal. You make the write path idempotent by using deterministic object names from an event ID or window, writing to a temporary prefix, then committing via an atomic rename or a manifest commit protocol. You store processing state in a durable store, and you treat every invocation as potentially duplicated or out of order. You also account for platform limits like max execution time, concurrency ceilings, and eventual consistency patterns by batching, checkpointing, and using DLQs for poison messages.

Sample Answer

This question is checking whether you can separate reusable infrastructure logic from environment-specific configuration, and whether you understand how state boundaries affect safety. You keep a single set of modules, then drive differences via per-environment variable files, workspaces, or separate root modules, with remote state isolated per environment and per account or project. You avoid hardcoding IDs, instead you pass them in from well-owned sources like data lookups, outputs from a network foundation stack, or a controlled config repo. You also scope IAM so the dev pipeline cannot touch prod state or resources, and you require approvals for prod applies.

Sample Answer

The standard move is: never pass secret values through Terraform, instead create secret containers and permissions with IaC, and inject secret values at runtime from a secret manager. But here, state matters because many Terraform resources store inputs in state, so even a masked variable can end up persisted in plaintext in the backend. You model only the secret references in Terraform, like secret names, ARNs, or key IDs, and you write the actual values with a separate step that pulls from AWS Secrets Manager, GCP Secret Manager, or Key Vault using short-lived identity. You then promote by reusing the same naming convention and access policy, while the secret values remain environment-scoped and rotated independently.

Sample Answer

The standard move is to keep analysts off the raw tables and expose only governed interfaces like authorized views or tables protected by policy tags. But here, the pipeline service account needs full fidelity access because it must read PII to produce compliant aggregates, so you grant it dataset level or table level permissions plus policy tag access, while analysts get access only to views or to non-PII policy tags. You apply Data Catalog policy tags to sensitive columns and assign fine grained access via IAM on those tags, not broad dataset roles. You validate with audit logs by checking who accessed tagged columns and you add alerts for direct table reads outside the pipeline identity.

Sample Answer

Get this wrong in production and you end up with unauthorized PII exposure, audit findings, and potentially regulatory reporting obligations. The right call is to hard separate prod from non-prod using distinct accounts or at least separate virtual warehouses, roles, and databases with no default inheritance, then block cross environment reads with tight role grants and network policies. You implement row access policies, masking policies, and tag based classification so even approved roles see only what they need, and you force all access through least privilege roles with session policies. For CI/CD, you use a deployment role that can create objects but cannot query sensitive tables, and for break glass you create a time bound privileged role with approval logging and mandatory MFA, then audit every activation and query.

Sample Answer

Get this wrong in production and you either miss p99 during a regional event or you burn budget every hour on unnecessary cross region writes and reads. The right call is to start from the SLO, translate it into an RTO and RPO, then pick the cheapest topology that satisfies them, typically single region with fast failover if your RPO can tolerate seconds to minutes, otherwise active active. You quantify with a simple model: $$\text{monthly cost} = \text{compute} + \text{storage} + \text{replication writes} + \text{egress} + \text{read amplification}$$ and you plug in request rate, average item size, replication factor, and inter region $\$/GB. You also test failure mode latency, because active passive can meet 99.9% but still violate p99 if DNS, cache warmup, or rehydration is slow.

Sample Answer

Just adding more compute sounds reasonable but breaks under concurrency, because you still pay for scanning the same TB over and over. Precomputing everything as extracts does not work because freshness requirements and dimensional changes make it brittle. That leaves reducing scan and isolating workloads: materialize the expensive aggregations, cluster on common filter keys, and separate ETL from BI with distinct warehouses so one cannot starve the other. You verify with query profile deltas: bytes scanned, partitions pruned, spill, and queue time, and you track p95 and p99 over peak windows to ensure you fixed contention, not just average runtime.