Cloud Architect Interview: Questions + Answers & How To Prepare

Amber Israelsen

Are you currently learning AWS and cloud computing? Do you want to pass the SSA-C03 exam and ace your cloud architect interviews and get hired?

Or perhaps you've seen the growth of AWS and are curious about what it takes to become a Cloud Architect?

Well either way, you’ve come to the right place!

I'm Amber Israelsen and I've been a developer and technical trainer for almost 20 years (that's scary to write)!

In this post, I'll walk you through the Cloud Architect role, outline what they actually do, and then break down the Cloud Architect job interview.

Most importantly, I've provided 25 interview questions and answers to help you prep for your interviews (or just test yourself to see if you're ready).

As a little bonus, I've also included some tips and tricks on how to ace your cloud architect interview and secure your new role.

Sound good? Alright, go grab your favorite beverage and let’s get started!


Why work in Cloud Computing?

Unless you’ve been living under a rock, you know that cloud computing is everywhere these days.


Companies have been making the move to the cloud for many years to get better performance, reliability, and global reach - all at a lower cost than what they could do with their own data centers.

And thanks to this rise in cloud computing, there are now a lot of new jobs specializing in cloud services and applications.

Given this growth is projected to only continue, it also makes this a great future-proof career option (at least for the foreseeable future... you just never know about those robots right?!).

Sidenote: The three main players providing cloud computing services are Amazon Web Services (otherwise known as 'AWS', which has the largest market share), Azure from Microsoft, and Google's 'Google Cloud' Platform.

Although I'm going to be giving you examples focused on the AWS Cloud Architect role, broadly speaking, the role is the same across each of the cloud providers, just the names of the services change.

Cloud Architect: Salary, job opportunities, and more

The Cloud Architect role is both a lucrative and prestigious position.

According to ZipRecruiter, the average salary for a Cloud Architect in the U.S. is over $155,000 per year.


Not bad right?

As for job opportunities, there are currently over 70,000+ Cloud Architect openings in the US alone.

So, it pays well and it’s in demand, but what exactly does the role look like?

What does a Cloud Architect do?

Simply put, a Cloud Architect designs architecture for new systems in the cloud, or for systems that are being migrated to the cloud.

Still confused? Fair.

It basically means they figure out how all the pieces fit together in a way that fulfills business requirements:

  • How is the network set up?
  • How do the servers talk to the databases?
  • How do microservices fit together?
  • How do you secure all of your resources?
  • How do you handle disaster recovery?
  • And how do you do all of this in a way that’s optimized and cost-effective?

Other potential tasks could be:

  • Helping to plan the overall cloud strategy for a company
  • Choosing a cloud provider (or more than one)
  • Coming up with migration plans
  • And generally guiding and educating others in the company about the “why” and “how” of cloud computing

Experience required

The Cloud Architect role is typically not an entry-level role.

Because a Cloud Architect is required to understand so many pieces of the technical puzzle, it’s helpful to have a few years' experience, along with a varied background in tech, before pursuing the architect role.

That’s why most Cloud Architects usually start their career as a Software Developer, a Systems Engineer, a DevOps Engineer, a Network Administrator or even other roles like Database management or Cyber Security.


Joking aside though, you don’t need a background in all of these to get hired.

But having a background and experience in one (maybe two) of these will be a huge boost to your chances.

Then having a general working knowledge of the other areas is helpful but not the best use of your time. Just learn the rest of these things when you're on the job, getting paid to learn 😉.

Preparing for the Cloud Architect job interview

The usual interview prep

Like any other kind of interview, it’s always good to:

  • Research the company. Learn what you can about their cloud journey and needs (even better if you speak with people at the company ahead of time)
  • Learn what you can about the people you’ll be interviewing with
  • Practice your responses. Do a mock interview with friends or family so that on the day of your interview, your responses are polished and top of mind
  • Be on time (or even a little bit early) for the interview
  • Dress the part. Try to mirror what’s appropriate for the company’s culture, erring on the side of dressing “up” if you’re unsure

Don’t neglect your soft skills

It’s not just about the tech. In addition to technical know-how, interviewers will also be looking at soft skills.


In the Cloud Architect role, you’ll have frequent interactions with senior leaders, you’ll lead and consult teams, and collaborate with other key roles across the company. Be ready to give examples of how you’ve done this effectively in the past.

Be sure to have lots of examples

Because Cloud Architect positions are in high demand, you’ll likely face some stiff competition when applying for jobs.

To stack the odds in your favor, prepare as much as you can through training, certifications, and getting a lot of hands-on experience!

The more you apply what you learn (i.e. building your own projects or working on other real-world projects), the faster you’ll learn and remember. Better still, you'll also be building a project portfolio to help land those interviews.

My advice is simple. Build as many projects as you can, while piecing together as many services as you can!

If you’re thinking of working with AWS, a great start for inspiration is the Well-Architected Labs.


They have some great advice on building cloud architecture.

Okay, enough of the obvious prep! Let’s get to some interview questions and answers.

Cloud Architect Interview: 25 scenarios, questions, and answers

Generally speaking, questions for this role are going to involve a lot of scenarios that you will need to adapt your answers to.

What like?

Well, you’ll need to show a deep understanding of the various options, pros, cons, and trade-offs for your plan, as well as being able to justify any approach you would take.


It’s good to know the best possible way, but it’s also important to know how to build 'good enough' so that you can also meet the company's specific criteria.

Just be sure to explain your choices and why you suggest each option. Interviewers generally care more about your thought process and reasoning than they do about the specific answer you give.

Cloud Architect interview questions

It's possible you could get “basic” questions such as how a specific feature or service works.


But you'll almost certainly get more difficult scenario based questions that present you with a problem you have to solve.

The questions I've provided below contain a mix of question types. The answers are written specifically for how things work on AWS, but most of them are still relevant for other service providers.

If the company you're applying for uses something other than AWS (or uses multiple providers), google the question + {cloud provider} and research to see how the answer for the specific cloud services provider might change.

I'd also recommend that rather than just reading the questions and answers below, you read the question and write out your answer before looking at the answer.

Ok, let's dive into some questions you might get:

#1. Describe the core services in AWS

  • Elastic Compute Cloud (EC2): The core compute option in AWS, these are virtual servers. An Elastic Block Store (EBS) volume is attached to an instance, effectively as its hard drive.
  • Lambda: The key service for “serverless” computing. Lambda functions are bits of code that run in response to some trigger. With this option, you don’t have to worry about the underlying infrastructure needed to run the code; AWS does this for you.
  • Simple Storage Service (S3): Object storage, used to store things such as images, videos, documents and logs.
  • Virtual Private Cloud (VPC): A private network within AWS that’s used to house a customer’s resources.
  • Relational Database Service (RDS): The main service for relational databases. It can run engines such as SQL Server, PostgreSQL, MySQL and Aurora.
  • DynamoDB: The primary service for NoSQL or key-value databases. It’s highly scalable and performant.
  • Identity and Access Management (IAM): The core service for user management and permissions.

#2. Explain three types of clouds

  • Public cloud: The resources are owned and managed by a third-party cloud provider (such as AWS, Azure or Google Cloud), and used by businesses and individuals.
  • Private cloud: The resources are owned and managed by an organization, and used by its employees and customers.
  • Hybrid cloud: A setup that includes both public and private cloud services. For example, maybe a company houses the majority of its applications on AWS, but for compliance reasons, they have to keep Human Resources applications in their own private cloud.

#3. List the broad categories of EC2 instance types

  • General-purpose: Can be used for a variety of workloads, and provide a balance of compute, memory and networking resources.
  • Compute optimized: Ideal for applications that need high-performance processors (such as media transcoding, high-performance web servers and gaming servers).
  • Memory optimized: Used for applications that require fast performance and process a lot of data in memory (such as big data workloads).
  • Storage optimized: Ideal for workloads that require high read/write access to storage (such as databases).
  • Accelerated computing: These instances use hardware accelerators, and are frequently used for heavy calculations, graphics processing and pattern matching.

#4. A high-performance computing application requires extremely low latency and high network throughput across the instances that it runs on. What is the best way to accomplish this?

Use a Cluster placement group strategy.

With this strategy, instances are physically close together (the same rack) in a single Availability Zone. This will achieve the requirements stated in the question.

However, it should be noted that this strategy is not highly available, as instances only reside in a single AZ.

#5. You are creating EC2 instances for an application that does data warehousing and log processing. You need to choose the most appropriate type of EBS volume for this use case. What should you choose?

Throughput Optimized HDD.

This volume type makes sense when you need to read large “chunks” of files at once. Common use cases include Big Data/data warehousing and log processing.

#6. Your team has been tasked with reducing your AWS spend on compute resources. You’ve identified several interruptible workloads that are good candidates for cost savings. What EC2 pricing model would make the most sense in this scenario?

Spot instances.

With a Spot Instance, you can bid (specify the price you want to pay) on unused EC2 capacity. This can provide savings of up to 90% over On-Demand Instances.

With this model, instances can be shut down at any time. However, because the identified workloads are interruptible, this would still be a valid solution.

#7. How do you control the flow of traffic at the VPC subnet level?

Network access control list (NACL). This is a firewall that controls traffic in and out of a subnet.

You might be tempted to say Security Group, but that controls traffic at the instance level.

#8. Your company wants to establish a dedicated private connection from their on-premises data center to AWS. The connection cannot go over the public internet. What should you do?

Use Direct Connect.

Direct Connect offers a dedicated physical connection from an on-premises data center to AWS. It does not go over the public internet. However, it does take more time and expertise to set up and operate, as opposed to something like Site-to-Site VPN (but this option goes over the public internet).

#9. Your company uses several different Amazon Machine Images. An application needs to access the IDs for the AMIs. The IDs don’t need to be encrypted. What’s the most cost-effective way to store this information?

Systems Manager (SSM) Parameter Store.

SSM Parameter Store is a valid way to store secrets and other information such as IDs in AWS.

For data that is NOT encrypted (as mentioned in the question), this is the only option (AWS Secrets Manager requires encryption).

Also, Parameter Store is free, up to 10,000 parameters, so this would be the most cost-effective option.

#10. An auditor has asked for a “paper trail” of the changes that have occurred with resources in a production environment. What service can be used to show this?

AWS Config. This is used to inventory, record and audit the configuration of your AWS resources.

#11. A messaging application running on an EC2 instance needs to access the Simple Queue Service (SQS). How can you do this while ensuring a private connection on the AWS network (i.e., not over the public internet)?

VPC Endpoint, type Interface.

VPC endpoints, powered by PrivateLink, allow you to access other AWS services through a private network (vs. going across the public internet).

The “Interface” type is for all services except S3 and DynamoDB.

#12. An EC2 instance running in a private subnet needs to access the internet to do occasional patching. How can you accomplish this?

To enable internet access from a private subnet, you should create a NAT Gateway in a public subnet, add a route from the private subnet to it, and then add a route from the NAT Gateway to the Internet Gateway (which lives at the VPC level).

#13. You have two AWS accounts: Dev and Test. Resources in the Dev VPC need to be able to communicate with resources in the Test VPC, as if they were in the same VPC. How can you accomplish this?

VPC Peering.

VPC peering connects VPCs so that they behave like a single network. This can be done in the same account or across accounts.

#14. You are configuring the network access control list (NACL) for a web application inside of a public subnet. Users will be visiting the website using HTTP. Which of the following is true?

You should allow inbound traffic on Port 80 and outbound traffic on Ports 1024-65535. Ports 1024-65535 will cover ephemeral ports for common clients.
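The security point behind #7 and #14 is that a NACL is stateless and evaluated rule-by-rule, so the return traffic of an allowed request is dropped unless an outbound rule covers the client's ephemeral port. The following is an added example (not code from the original post) that models that evaluation on constructed rule sets; the rule and packet types are my own simplification, not an AWS API:

```python
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class NaclRule:
    number: int       # AWS evaluates rules in ascending number order; first match wins
    protocol: str     # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    action: str       # "allow" or "deny"

@dataclass(frozen=True)
class Packet:
    protocol: str
    dst_port: int

def nacl_verdict(rules: List[NaclRule], pkt: Packet) -> str:
    """One direction of a network ACL: lowest rule number first, first match
    wins, and the implicit final '*' rule denies anything unmatched. Because
    NACLs are stateless, every packet (including a reply to an allowed
    request) is checked against the rules for its own direction."""
    for rule in sorted(rules, key=lambda r: r.number):
        proto_ok = rule.protocol == "all" or rule.protocol == pkt.protocol
        port_ok = rule.port_from <= pkt.dst_port <= rule.port_to
        if proto_ok and port_ok:
            return rule.action
    return "deny"  # implicit deny at the end of every NACL

def http_exchange_allowed(inbound: List[NaclRule], outbound: List[NaclRule],
                          client_port: int) -> bool:
    """An HTTP exchange only works if BOTH packets pass: the request arriving
    on port 80 (inbound rules) and the response leaving the subnet towards the
    client's ephemeral source port (outbound rules)."""
    request = Packet("tcp", 80)
    response = Packet("tcp", client_port)
    return (nacl_verdict(inbound, request) == "allow"
            and nacl_verdict(outbound, response) == "allow")

# Constructed rule sets for the public web subnet in question #14.
INBOUND = [NaclRule(100, "tcp", 80, 80, "allow")]
OUTBOUND_CORRECT = [NaclRule(100, "tcp", 1024, 65535, "allow")]
OUTBOUND_MISSING: List[NaclRule] = []   # forgot the ephemeral-port rule
# A security group (question #7) is stateful: a reply to an allowed request is
# let out automatically, which is exactly what a NACL does not do for you.
```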

#15. You’re creating a new VPC for your project. You need 254 IP addresses for your EC2 instances. Which subnet mask should you choose?

This one can be a bit tricky.

A subnet mask of /24 will give you 256 IP addresses (which seems to be sufficient).

However, AWS reserves the first four and last IP addresses in every subnet.

So 256 minus 5 is only 251, which isn’t enough to cover the requirements in the question.

Therefore, you would have to go to the next number down, which is /23 (the smaller the number, the more IP addresses).
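To make the arithmetic in #15 reusable, here is an added example (not from the original post) that applies the five-address reservation to any prefix length and picks the smallest AWS-valid subnet for a required host count. It assumes the AWS limits of /16 to /28 per subnet, which I state as a fact rather than something the post mentions:

```python
import ipaddress
from typing import List

# AWS reserves the first four addresses (network address, VPC router, DNS,
# future use) and the last address (broadcast) in every subnet.
AWS_RESERVED_PER_SUBNET = 5
AWS_MIN_PREFIX, AWS_MAX_PREFIX = 16, 28   # VPC subnets must be /16 .. /28

def usable_addresses(prefix: int) -> int:
    """Number of IPs actually assignable to instances in an AWS subnet."""
    if not AWS_MIN_PREFIX <= prefix <= AWS_MAX_PREFIX:
        raise ValueError(f"/{prefix} is not a valid AWS subnet size (/16 to /28)")
    return 2 ** (32 - prefix) - AWS_RESERVED_PER_SUBNET

def smallest_subnet_for(hosts: int) -> int:
    """Longest prefix (smallest subnet) whose usable count still covers `hosts`.
    Walks from /28 downwards, so /24 is rejected for 254 hosts and /23 is chosen."""
    for prefix in range(AWS_MAX_PREFIX, AWS_MIN_PREFIX - 1, -1):
        if usable_addresses(prefix) >= hosts:
            return prefix
    raise ValueError(f"{hosts} hosts will not fit in a single AWS subnet")

def reserved_addresses(cidr: str) -> List[str]:
    """The five addresses you cannot assign in the given subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    first = int(net.network_address)
    return ([str(ipaddress.ip_address(first + i)) for i in range(4)]
            + [str(net.broadcast_address)])
```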

#16. For Compliance reasons, a company must encrypt their data at rest in S3. They have keys on-premises, and the development team plans to do the encryption/uploads programmatically. Which encryption option should they use?

Server-side encryption with customer-provided keys (SSE-C).

The question states that the customer has keys on-premises, which means they should use server-side encryption with customer-provided keys (SSE-C).

With this option, the key is uploaded along with the object (via HTTPS only), and then encryption happens in AWS with the key that was uploaded.

SSE-C can only be done programmatically, which the development team is prepared to do.

#17. Your Compliance team requires that objects in an S3 bucket be retained for 7 years, and nobody should be able to delete or overwrite them. How can you accomplish this?

To prevent deletion/overwriting for 7 years, you should use object lock with the Retention Period setting, set to 7 years, and in Compliance mode so nobody (not even root) can delete/overwrite objects.

#18. Your team took over a relatively new application that uses S3 to store a large volume of objects that need to be accessed immediately. The previous team was not able to provide a lot of information about how often the data was accessed, but you need to ensure it’s being stored in the most cost-effective way. Which storage option should you use?

S3 Intelligent-Tiering.

This option makes the most sense when data is changing or the access patterns are unknown. AWS will determine the most cost-effective way to store the data based on patterns it detects.

#19. Your company recently had a security breach, where data was accessed from an S3 bucket that was accidentally left open to the public. You need to ensure all S3 buckets in the account block public access. What is the fastest and most efficient way to do this?

From the S3 portal, block public access for all buckets in the account. This would be the fastest and most efficient way to accomplish the requirements in the scenario.

#20. You’re architecting a web application that lets users create and share eBooks. You expect it to be extremely popular, as you’re getting the backing of several big influencers. Your user base will be global, and will need to scale over time as the audience grows. The application also needs to be highly available and resilient, withstanding regional failures. How would you architect the application to meet these requirements?

Use Route 53 to route traffic across regions, and then use an Application Load Balancer with an Auto Scaling Group to route traffic and scale within a single region.

It is possible to use Route 53 in combination with an Application Load Balancer to distribute traffic globally across regions, and then also distribute it within regions. The Auto Scaling Group would also meet the scaling requirements mentioned in the question.

#21. A video sharing website uses an RDS MySQL database in one Availability Zone. Most website traffic is from users viewing videos. At times, those users complain about the speed of the application. Also, you need to make the application highly available across two regions. What should you do?

Create a read replica in a second region for the read traffic.

The scenario in the question is actually the ideal use case for a read replica.

By creating a read replica, the users who are only viewing videos (read-only traffic) can be directed to the replica, thereby reducing the load on the primary database.

Read replicas can also be cross-region, which would fulfill the requirements in the question.

#22. A mission-critical application has been having performance issues, and you need to view performance data with a granularity of 1 second. What should you do?

Enable CloudWatch high resolution metrics.

With CloudWatch high resolution metrics, you can drill into metrics with a granularity of 1 second. With Standard resolution, you can only get granularity of 1 minute.

#23. A financial services company must adhere to strict regulations around where their compute resources and data can live. As such, production resources should only be created in us-west-1 and us-west-2. The company uses AWS Organizations, and has accounts for Dev, Test and Prod. How can you enforce this rule on the Prod account with the least amount of administrative overhead?

Service Control Policies allow you to manage permissions in an AWS organization. This reduces the administrative overhead of managing privileges for an entire account.

Apply a Service Control Policy to the Prod account denying permissions to create resources outside of us-west-1 and us-west-2.
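As an added example (not from the original post), the SCP below follows the AWS-documented pattern for a region restriction: a Deny on every action outside the approved regions, with global services exempted via NotAction because their API calls are served from us-east-1 and would otherwise break. The exemption list is illustrative, and the small evaluator only models Deny statements with a StringNotEquals condition on aws:RequestedRegion (it is my own helper, not the real SCP evaluation engine; for instance it ignores OU inheritance and the fact that SCPs never apply to the management account):

```python
import fnmatch
import json
from typing import List, Union

# Constructed SCP for question #23; attach it to the Prod account.
REGION_RESTRICTION_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*", "sts:*", "organizations:*", "route53:*",
        "cloudfront:*", "support:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {"aws:RequestedRegion": ["us-west-1", "us-west-2"]}
      }
    }
  ]
}
""")

def _as_list(value: Union[str, List[str]]) -> List[str]:
    return [value] if isinstance(value, str) else list(value)

def _matches_any(action: str, patterns: List[str]) -> bool:
    # IAM action names are case-insensitive and support '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def scp_denies(policy: dict, action: str, region: str) -> bool:
    """True if an API call for `action` in `region` would be blocked by one of
    the policy's Deny statements (simplified evaluator, see the lead-in)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            applies = _matches_any(action, _as_list(stmt["Action"]))
        else:   # NotAction: the statement applies to everything NOT listed
            applies = not _matches_any(action, _as_list(stmt["NotAction"]))
        if not applies:
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        approved = cond.get("aws:RequestedRegion")
        # No condition means an unconditional deny; otherwise deny when the
        # requested region is not one of the approved values.
        if approved is None or region not in _as_list(approved):
            return True
    return False
```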

#24. You are developing a Lambda function that processes text from log files as they’re uploaded to S3. While testing the function, you notice it takes a long time to run, even on relatively small log files. What is the most likely problem?

The Lambda function has not been allocated enough memory.

Lambda memory size can range from 128 MB to 10,240 MB, and it is configurable. This value also affects the CPU resources.

If you notice poor performance on the function, a very likely cause is too little memory.

#25. An application runs across five EC2 instances, fronted by an Application Load Balancer. You need to preserve session data for users, making sure the requests are routed to the same instance. How can you accomplish this?

By enabling Sticky Sessions on the target group.

Enabling sticky sessions on the target group will set a cookie that enables future requests to be routed to the same instance.

What's next?

How did you do?!

Did you get 25/25 correct? If so, I'd say you should stop studying and start interviewing!

Two tips to remember:

  1. Prepare, prepare and prepare some more
  2. Don’t forget to be yourself. Let your enthusiasm shine through!

Didn't get them all? Got tripped up on some? Don't sweat it, I'm here to help.

If you want to fast-track your cloud architect interview prep and get as much hands-on practice as you can, check out my AWS Certified Solutions Architect training course.

Either way, I hope these interview questions help you land that $100K+ job as a Cloud Architect.

Good luck, you got this!
