Cloud Engineer Interview Prep Guide

Cover global load balancing (Route 53/Cloud DNS with latency-based routing), regional deployments with auto-scaling groups, database strategy (Aurora Global Database or CockroachDB for multi-region writes), caching layer (ElastiCache/CloudFront), and asynchronous order processing with SQS/SNS. Address data consistency challenges, failover mechanisms, and how to handle regional outages transparently.

Discuss remote state backends (S3 + DynamoDB for locking), state file encryption, workspace or directory-based project organization, and CI/CD integration with Terraform Cloud or Atlantis. Cover state locking to prevent concurrent modifications, how to handle state drift, import existing resources, and when to split state files for blast radius control.

Start with Cost Explorer by service, then drill into specific resources. Check for: orphaned resources (unattached EBS volumes, unused Elastic IPs), oversized instances, missing auto-scaling policies, data transfer costs between regions/AZs, and runaway log storage. Discuss FinOps practices: tagging strategy for cost allocation, reserved instances vs savings plans, spot instance usage, and automated rightsizing recommendations.

Cover the key differences: AWS uses availability zones within regions with explicit subnet-AZ mapping; Azure VNets are regional with built-in cross-AZ networking; GCP VPCs are global with regional subnets. For multi-cloud connectivity, discuss VPN gateways, dedicated interconnects, and service mesh approaches. Address security with network segmentation, private endpoints, and zero-trust networking principles.

Use Terraform with EKS/AKS/GKE module, managed node groups with auto-scaling, ingress controller (nginx or ALB), cert-manager for TLS, and Prometheus/Grafana for monitoring. Show proper module structure with variables, outputs, and documentation. Discuss how to manage Kubernetes resources alongside cloud infrastructure and the boundary between Terraform and Helm/Kustomize.

Cover identity-based access (no implicit trust based on network location), least-privilege IAM policies, service mesh with mTLS between services, private endpoints for managed services, secrets management (Vault or cloud-native), network segmentation with security groups and NACLs, and continuous verification with CloudTrail/Azure Monitor/Cloud Audit Logs. Discuss the shift from perimeter security to identity-centric security.

Describe the migration approach (lift-and-shift vs re-platform vs re-architect), assessment phase with dependency mapping, pilot migration for risk reduction, and production cutover strategy. Include specific challenges: data migration timing, DNS cutover, performance differences, and unexpected costs. Provide metrics: downtime achieved, performance comparison, and cost impact versus on-premises.

Cover the DR tiers (pilot light, warm standby, multi-site active-active) and choose warm standby for this RTO/RPO. Discuss database replication (Aurora cross-region replicas, 15-minute RPO with automated backups), infrastructure pre-provisioning with IaC, DNS failover automation, data validation after failover, and regular DR testing with game days. Address compliance requirements specific to financial services.