50 Cloud Engineer Interview Questions (2026) + Answers

Interview Format Overview

Most cloud engineer interview loops in 2026 include four rounds: recruiter screen, technical phone screen (60 minutes), onsite or virtual technical (3-5 hours split into system design, hands-on, and behavioral), and a hiring manager conversation.

Expect AWS or Azure fundamentals regardless of the job spec. Questions increase in depth by round. The technical phone screen covers breadth. The onsite goes deep into design trade-offs and troubleshooting.

Cloud Fundamentals (Q1-Q10)

Q1: What is cloud computing?

On-demand delivery of IT resources (compute, storage, databases, networking, analytics) over the internet with pay-as-you-go pricing. Removes the need to buy and maintain physical hardware.

Q2: Explain IaaS, PaaS, and SaaS with examples.

IaaS gives you virtual machines and networks (EC2, Azure VMs). PaaS gives you a runtime without managing OS (Elastic Beanstalk, App Service). SaaS is a finished application (Gmail, Salesforce).

Q3: What is horizontal vs. vertical scaling?

Vertical scaling adds more CPU, RAM, or disk to a single machine. Horizontal scaling adds more machines to a pool that share load. Horizontal is more resilient and cloud-native; vertical is simpler but hits hardware limits.

Q4: What is a region and an availability zone?

A region is a geographic area like us-east-1. An Availability Zone is an isolated data center (or cluster) within a region with independent power, cooling, and networking. Deploying across AZs protects against single-AZ failure.

Q5: What is elasticity vs. scalability?

Scalability is the ability to grow. Elasticity is the ability to grow and shrink automatically in response to demand. Auto Scaling groups are elastic; a hand-provisioned larger instance is scalable but not elastic.

Q6: What are the main benefits of cloud over on-premise?

Lower upfront cost, pay-as-you-go, global reach, rapid provisioning, managed services, and built-in redundancy. Trade-offs include ongoing operational cost and vendor lock-in.

Q7: What is RTO and RPO?

RTO (Recovery Time Objective) is how quickly you must restore service after an incident. RPO (Recovery Point Objective) is how much data loss is acceptable. Both drive your DR architecture choices.

Q8: Explain the shared responsibility model.

The cloud provider is responsible for security of the cloud (hardware, facilities, hypervisor). The customer is responsible for security in the cloud (data, identity, configuration, patches on VMs).

Q9: What is infrastructure as code?

Defining infrastructure through declarative files (Terraform, CloudFormation, Bicep) that are version-controlled and repeatable. Replaces manual click-ops and reduces drift.

Q10: What is a serverless architecture?

An architecture where the cloud provider fully manages the servers. You deploy code (Lambda, Azure Functions) and the provider handles scaling, patching, and availability. Billing is per invocation.

AWS-Specific Questions (Q11-Q20)

Q11: Explain the difference between S3 storage classes.

Standard is for frequent access. Intelligent-Tiering auto-moves objects based on access. Standard-IA and One Zone-IA are for infrequent access. Glacier and Glacier Deep Archive are for archive with retrieval latency.

Q12: Difference between security groups and NACLs?

Security groups are stateful and attach to instances. NACLs are stateless and attach to subnets. Security groups allow rules only; NACLs have allow and deny. Use security groups as the primary control.

Q13: When would you use DynamoDB over RDS?

Use DynamoDB for single-digit millisecond latency at scale with known access patterns (key-value/document). Use RDS for relational schemas with joins, complex queries, and ACID transactions.

Q14: What is IAM and how does least privilege apply?

IAM controls who can do what in AWS. Least privilege means granting only the permissions needed for the task. Use IAM roles and scoped policies rather than root credentials.

Q15: Describe SQS vs. SNS vs. EventBridge.

SQS is a queue (pull-based, one consumer per message). SNS is pub/sub (push, fan-out to subscribers). EventBridge is event-routing with schema and filtering, ideal for event-driven architectures.

Q16: How would you design a highly available web app on AWS?

Deploy across multi-AZ. Use ALB in front of an Auto Scaling group of EC2/ECS. Multi-AZ RDS with read replicas. CloudFront + S3 for static assets. Route 53 for DNS with health checks.

Q17: What's the difference between Elastic Beanstalk and ECS?

Beanstalk is PaaS for deploying web apps (you hand it code; it runs it). ECS is a container orchestration service where you manage tasks and services on EC2 or Fargate.

Q18: Explain VPC peering vs. Transit Gateway.

VPC peering is a 1:1 connection between VPCs; does not transit. Transit Gateway is a hub that connects many VPCs and on-premise networks. Use Transit Gateway when you have more than a handful of VPCs.

Q19: What's an S3 bucket policy vs. IAM policy?

IAM policies attach to users/roles. Bucket policies attach to S3 buckets. Bucket policies can grant cross-account access without IAM roles and are evaluated together with IAM.

Q20: How do you secure an S3 bucket?

Block public access, use bucket policies with least privilege, enable SSE encryption, enable versioning and MFA delete, log access to CloudTrail, and use Access Analyzer to detect unintended public exposure.

Azure-Specific Questions (Q21-Q28)

Q21: What is an Azure Resource Group?

A logical container for resources that share a lifecycle. Deploy, update, and delete resources as a unit. Apply RBAC and policy at the resource group level.

Q22: Explain Azure Availability Zones and Availability Sets.

Availability Sets protect against rack-level failures within a single datacenter (fault/update domains). Availability Zones protect against datacenter-level failures. Zones are preferred for new deployments.

Q23: What's the difference between Azure AD and Entra ID?

Entra ID is the rebranded Azure AD. Same service, new name. It handles identity, SSO, MFA, and conditional access for Azure and Microsoft 365.

Q24: When would you use Azure Functions vs. Logic Apps?

Azure Functions for custom code and serverless compute. Logic Apps for no-code/low-code workflow orchestration with 400+ connectors. They can work together.

Q25: What is Azure Blob Storage?

Object storage for unstructured data. Tiers include hot, cool, cold, and archive. Similar to AWS S3. Use for backups, media, static sites, and data lakes.

Q26: Explain Azure Virtual Network peering.

Connects two VNets so resources can communicate as if in one network. Global peering works across regions. No gateway required, and traffic stays on Microsoft backbone.

Q27: What are the Azure network security layers?

NSGs at subnet/NIC, Azure Firewall at network boundary, DDoS Protection at subscription, Front Door/Application Gateway for web (L7) filtering.

Q28: Compare ARM templates, Bicep, and Terraform.

ARM is JSON and verbose. Bicep is a DSL that compiles to ARM, cleaner syntax. Terraform is cloud-agnostic with HCL and rich ecosystem. Many teams use Bicep for Azure-only, Terraform for multi-cloud.

Networking Questions (Q29-Q35)

Q29: Explain the OSI model layers.

L1 Physical, L2 Data Link (MAC), L3 Network (IP), L4 Transport (TCP/UDP), L5 Session, L6 Presentation, L7 Application (HTTP, DNS). Firewalls and load balancers operate at L3/L4 or L7.

Q30: What is CIDR notation?

Classless Inter-Domain Routing notation for IP ranges. /24 means 256 addresses, /16 means 65,536. Subnet sizes shrink as the number after / grows.

Q31: What is the difference between TCP and UDP?

TCP is connection-oriented, reliable, and in-order (HTTP, SSH). UDP is connectionless, unreliable, and fast (DNS, VoIP, gaming).

Q32: Explain a three-tier architecture.

Public subnet for web/ALB, private subnet for application servers, isolated subnet for databases. Only web layer exposed to internet; app/db only reachable through internal hops.

Q33: What is BGP and why does it matter in cloud?

Border Gateway Protocol routes between autonomous systems on the internet. Used in cloud for Direct Connect/ExpressRoute peering and for advertising routes between VPCs and on-premise.

Q34: Difference between NAT Gateway and Internet Gateway.

Internet Gateway allows bidirectional internet access. NAT Gateway allows private subnet resources to initiate outbound internet traffic but blocks inbound.

Q35: How does DNS resolution work?

Client asks resolver. Resolver walks from root nameserver to TLD (.com) to authoritative nameserver for the domain. Result is cached based on TTL.

Security Questions (Q36-Q42)

Q36: What is the principle of least privilege?

Grant the minimum permissions required to complete a task. Reduces blast radius when credentials leak and limits what compromised accounts can do.

Q37: Explain encryption at rest vs. in transit.

At rest: data is encrypted on disk (S3 SSE, EBS encryption). In transit: data is encrypted over the network (TLS, IPSec). Both are required for defense-in-depth.

Q38: What is a KMS?

Key Management Service. Manages encryption keys and controls access. Supports customer-managed and provider-managed keys. Logs key usage to CloudTrail/Activity Log.

Q39: How do you detect unauthorized access?

Enable CloudTrail/Activity Log, stream to SIEM (Security Hub, Sentinel, Splunk), alert on IAM changes, unusual regions, impossible travel, and failed MFA.

Q40: What is a WAF and where does it sit?

Web Application Firewall filters HTTP/HTTPS traffic at L7. Blocks SQL injection, XSS, and OWASP Top 10. Sits in front of ALBs, CloudFront, or API Gateway.

Q41: Explain zero trust architecture.

No implicit trust based on network location. Every request is authenticated, authorized, and encrypted. Uses identity, device posture, and continuous verification.

Q42: How do you rotate a leaked access key?

1) Create a new key. 2) Update services with the new key. 3) Verify traffic. 4) Deactivate the old key. 5) Delete after a retention window. 6) Search logs for unauthorized use.

Kubernetes/Containers (Q43-Q47)

Q43: What is a Pod?

Smallest deployable unit in Kubernetes. Contains one or more containers that share network, storage, and lifecycle. Most pods have one main container.

Q44: Difference between Deployment, StatefulSet, and DaemonSet.

Deployment: stateless, rolling updates. StatefulSet: stateful with stable identity and storage (databases). DaemonSet: one pod per node (log collector, monitoring agent).

Q45: What is a Service in Kubernetes?

A stable endpoint that routes traffic to a set of pods. Types: ClusterIP (internal), NodePort (external via node), LoadBalancer (cloud LB), ExternalName (DNS alias).

Q46: Explain Ingress vs. LoadBalancer service.

LoadBalancer gives one cloud LB per service. Ingress routes HTTP/S through a single entry point to many services with path/host rules. More cost-effective at scale.

Q47: How does Kubernetes handle a node failure?

The control plane detects the failed node (kubelet heartbeat lost). Pods on that node are marked for eviction. Replicas are rescheduled to healthy nodes by the scheduler.

Behavioral Questions (Q48-Q50)

Q48: Tell me about a time you solved a production outage.

Use STAR (Situation, Task, Action, Result). Name the impact, the detection path, your action, and what you learned. Avoid blaming others. Own the outcome.

Q49: How do you stay updated with cloud services?

AWS What's New, Azure Updates, release notes, AWS re:Invent/Ignite recordings, ExamCert blog, hands-on experimentation. Mention one concrete resource.

Q50: Why do you want to work with cloud?

Focus on impact: scale, speed of iteration, elasticity, and operational simplicity. Tie it back to what you've built. Avoid generic answers like "future-proof career".

How to Prepare in 2-3 Weeks

1. Week 1: Review fundamentals and one cloud provider in depth. Work through Q1-Q28 of this list.
2. Week 2: Networking and security depth. System design practice with 3-5 reference architectures.
3. Week 3: Mock interviews (use Pramp or peers). Behavioral stories. Final review of weak areas.

Frequently Asked Questions

What is the difference between horizontal and vertical scaling?

Vertical scaling adds more CPU, RAM, or disk to a single machine. Horizontal scaling adds more machines to a pool that share the workload. Horizontal scaling is more resilient and cloud-friendly; vertical scaling is simpler but hits hardware limits.

How would you design a highly available web application on AWS?

Deploy across multiple Availability Zones using an Application Load Balancer, an Auto Scaling group of EC2 instances or ECS tasks, and a Multi-AZ RDS database. Use CloudFront for static assets and Route 53 for DNS with health checks for failover.

What is IAM and why does it matter in the cloud?

IAM (Identity and Access Management) controls who can access what in a cloud account. It enforces the principle of least privilege, which reduces blast radius when credentials leak and helps meet compliance requirements.

How does a VPC differ from a traditional data center network?

A VPC is a software-defined isolated network in a cloud provider. It gives you control over IP ranges, subnets, routing, and security groups without managing physical switches or routers. It scales globally and can be peered across regions and accounts.

ExamCert Team

Cloud practitioners who've sat on both sides of the interview table. Content reviewed and updated for the 2026 hiring market.