Azure Interview Questions

Azure Virtual Machine is a scalable, on-demand compute resource provided by Microsoft Azure. It allows you to run an OS of your choice (Windows, Linux) in the cloud without having to buy and maintain the physical hardware.

Azure Active Directory is Microsoft's cloud-based identity and access management service. It helps your employees sign in and access internal resources as well as external services like Microsoft 365, the Azure portal, and thousands of other SaaS applications.

Azure provides several core storage services: Blob Storage (for unstructured data like images/videos), File Storage (for fully managed SMB file shares), Queue Storage (for reliable messaging between application components), and Table Storage (for NoSQL structured data).

An Azure Virtual Network is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as VMs, to securely communicate with each other, the internet, and on-premises networks.

An Availability Set protects applications from hardware failures within a single data center by deploying VMs across different fault and update domains. An Availability Zone protects applications from entire data center failures by deploying VMs across separate, physically isolated data centers within the same Azure region.

A Network Security Group is used to filter network traffic to and from Azure resources in an Azure Virtual Network. An NSG contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.

Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.

Azure Cosmos DB is Microsoft's fully managed NoSQL database for modern app development. It offers single-digit millisecond response times, automatic and instant scalability, and guarantees speed at any scale natively replicating data globally.

Azure ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection with the help of a connectivity provider. ExpressRoute connections do not go over the public Internet, offering higher reliability, faster speeds, and lower latencies.

Azure Functions is a code-first serverless compute service used to execute arbitrary code based on events. Azure Logic Apps is a designer-first integration service used to create automated workflows linking various apps and services via pre-built connectors with little to no code.

Availability Zones. By deploying the application across multiple Availability Zones within an Azure region, I ensure that my resources are physically separated across independent data centers, protecting the application from single data center failures.

Azure Functions. It is a serverless compute service that allows me to run event-triggered code (like a blob storage upload trigger) without having to explicitly provision or manage infrastructure, and I only pay for the exact compute time used.

Azure Blob Storage using the 'Cool' or 'Archive' access tier. Blob Storage is perfect for unstructured data, and selecting Cool (for infrequent access) or Archive (for rare access, long-term backup) significantly reduces storage costs.

The 'Reader' role. In Azure RBAC, the Reader built-in role grants users the ability to view all resources in the scope they are assigned to, but prevents them from making any changes, creating new resources, or deleting existing ones.

An Azure Load Balancer. I would configure a public Load Balancer to accept incoming traffic on port 80 and distribute it across the backend pool consisting of my three Virtual Machines, ensuring high availability and better performance.

Azure SQL Database. It is a fully managed Platform as a Service (PaaS) database engine that handles most database management functions such as upgrading, patching, backups, and monitoring without user involvement.

I would use a Network Security Group (NSG). I would create an NSG, attach it to the Virtual Machine's subnet or network interface, and create an inbound security rule that allows port 22 (SSH) only from my office IP address, with a lower priority number than the default deny rule.

Azure Cost Management and Billing. Specifically, I would create a Budget within Cost Management, set the target monthly amount, and configure an Alert rule to trigger an email notification when the actual or forecasted spend exceeds the 80% threshold.

Azure Resource Manager (ARM) templates or Bicep. Both allow me to define my infrastructure declaratively in code, ensuring that deployments are consistent, repeatable, and easily version-controlled.

Azure App Service. It is a fully managed HTTP-based service for hosting web applications, REST APIs, and mobile back ends. I can simply deploy my Node.js code, and Azure handles the underlying server maintenance, load balancing, and auto-scaling.

I would configure Global VNet Peering. VNet peering seamlessly connects two Azure virtual networks. Because they are in different regions, it's Global VNet Peering. Once peered, the virtual networks appear as one for connectivity purposes, allowing VMs to communicate using their private IP addresses securely without needing a VPN gateway.

I would configure the Horizontal Pod Autoscaler (HPA). The HPA automatically updates a workload resource (like a Deployment or StatefulSet), scaling the number of pods up or down based on observed CPU utilization or custom memory metrics, ensuring the application handles the load spikes effectively.

I would use Managed Identities for Azure resources. I would enable a System-assigned Managed Identity on the Azure VM. Then, I would grant that specific Managed Identity read access (Get, List) within the Azure Key Vault's access policies. The application can then request an ephemeral token from Azure AD to access the Key Vault without storing any secrets locally.

Azure Cosmos DB is the ideal choice. To achieve globally distributed reads with low latency, I would replicate the data across all Azure regions where my users are located. By utilizing 'Session' or 'Eventual' consistency levels, Cosmos DB serves reads extremely fast, fulfilling the single-digit millisecond latency requirement globally.

I would use Azure Front Door. It is a global layer 7 load balancer and Content Delivery Network (CDN) that provides global routing based on performance (lowest latency to the user). It also continuously monitors backend health, guaranteeing automatic failover to the next healthy region if the primary region goes offline.

I would implement Azure Storage Lifecycle Management policies. I would create a rule that evaluates the blobs representing the logs; if the 'last modified' date is older than 30 days, the policy automatically moves the blob to the Cool or Archive tier. Finally, the rule can be set to delete the blob entirely after 7 years (2555 days).

I should configure diagnostic settings to send all logs and metrics to a Central Log Analytics Workspace (part of Azure Monitor). Once data is aggregated there, I can use Kusto Query Language (KQL) to perform complex cross-resource queries to correlate events, pinpoint the root cause of the App Service restarts, and set up alert rules based on specific query results.

I would use Azure AD Conditional Access policies. I would create a policy targeting all users, with the Azure Management app as the condition. If the user's location (IP address) is not within the defined 'Trusted Locations' (corporate network), the policy's access control will 'Grant access' but specifically require multi-factor authentication.

Terraform tracks the infrastructure it manages using a State file (typically stored remotely in Azure Storage). This discrepancy usually occurs because of 'Infrastructure Drift'—someone manually created or modified a resource directly in the Azure Portal with the same name, bypassing Terraform. Terraform's state file doesn't know about this manual change, so it attempts to create the resource and throws an error upon finding it already exists.

I must use Azure Service Bus. Because no messages can be lost and the backend worker is slow, I need a robust message broker that supports message queuing, peek-lock semantics, and ordered delivery. Service Bus acts as a shock absorber, holding the messages safely in the queue until the slow backend worker is ready to process them. Event Grid is for reactive, lightweight event routing, not heavy transactional queuing.

The solution is Azure ExpressRoute. ExpressRoute provides a private, dedicated connection to Azure via a connectivity provider. It offers higher reliability, faster speeds (up to 100 Gbps), consistent latencies, and improved security because the traffic never traverses the public internet, satisfying the strict enterprise policy.

I would use multiple Node Pools combined with Taints and Tolerations. I would create one node pool with cheap CPUs and another with expensive GPUs. I'd apply a Taint to the GPU node pool (e.g., hardware=gpu:NoSchedule). Only pods explicitly configured with the matching Toleration in their deployment manifest will be allowed to schedule on the GPU nodes, forcing basic web pods onto the cheaper standard CPU nodes.

A Hub-and-Spoke network topology. I would place the NVA (firewall) in a central Hub VNet. The department VNets act as Spokes, peered to the Hub. I would then configure User Defined Routes (UDRs) on the subnets within the Spoke VNets, forcing all default route traffic (0.0.0.0/0) to be forwarded to the private IP address of the firewall in the Hub VNet for central inspection.

I would ingest the raw IoT telemetry using Azure IoT Hub or Event Hubs. I would store this raw data in Azure Data Lake Storage Gen2 (the Bronze layer). Next, I'd use Azure Synapse Analytics (specifically Spark pools or Azure Databricks) to perform ETL, cleaning and transforming the data into Silver and Gold layers within the Data Lake. Finally, I would load the aggregated Gold data into an Azure Synapse Dedicated SQL Pool, which PowerBI queries directly for high-performance reporting.

For the Azure VMs, I would use Azure Site Recovery (ASR) configured to replicate to the secondary region continuously. ASR provides RPOs of minutes and RTOs of under 2 hours. For the Azure SQL database, I would configure Active Geo-Replication, ensuring asynchronous replication to a readable secondary database in the paired region, which comfortably meets the 5-minute RPO target and allows for immediate failover during a disaster.

I enforces this using Azure Policy. I would create and assign specific policy definitions at the Management Group or Subscription level. One policy would use a 'Deny' effect for any resource creation involving a public IP address. Another policy would evaluate Storage Accounts and 'Deny' creation if 'Secure transfer required' is false, ensuring proactive, centralized compliance tracking and enforcement.

I would utilize App Service Deployment Slots. I would deploy the new code to a 'Staging' slot. The staging slot gets its own URL, allowing me to run integration tests and validate the new build against the live environment. Once testing is successful, I execute a 'Swap' operation. This seamlessly swaps the VIPs of the staging and production slots, resulting in a zero-downtime cutover.

I must use Azure Private Endpoints (Private Link). A Private Endpoint provisions a virtual network interface (NIC) directly into my VNet with a private IP address from my subnet, bringing the storage service into my private network space. Service Endpoints merely optimize traffic routing over the Microsoft backbone but the destination remains a public IP address, which doesn't fulfill the requirement of assigning a private IP to the service.

This is typically caused by a poor Partition Key choice, resulting in 'Cross-Partition Queries'. If my query doesn't include the partition key, Cosmos DB must fan-out and search every single physical partition, drastically increasing latency and RU consumption. To fix it, I must re-evaluate my data access patterns and select a Partition Key that is present in my most frequent queries, ensuring data is distributed evenly and queries hit a single partition (in-partition queries).

I would deploy Azure Application Gateway with the Web Application Firewall (WAF) tier enabled. Application Gateway handles the Layer 7 load balancing (routing based on URL paths) and TLS/SSL termination natively. The integrated WAF adds the necessary security layer by inspecting incoming HTTP requests against OWASP core rule sets to proactively block SQL injection, XSS, and other common web vulnerabilities before they hit the backend.

I would implement an Azure SQL Database Elastic Pool model paired with the Shard Map Manager. Each tenant gets their own logical database (ensuring strict data isolation and schema flexibility per tenant), but all 10,000 databases are housed within an Elastic Pool. This allows them to share a larger, pre-provisioned pool of eDTUs/vCores, drastically reducing costs compared to individual databases, while the framework handles connection routing and cross-database queries dynamically.

I would leverage Azure Arc. By attaching all external (AWS, GCP, on-prem) Kubernetes clusters to Azure Arc, they become projected as resources within the Azure Resource Manager (ARM). I would then use Azure Policy for Kubernetes to enforce governance (e.g., preventing privileged containers) universally across the fleet. For CD, I would implement GitOps via Arc extension to automatically sync and deploy application manifests from a central GitHub repository to every cluster simultaneously.

I would deploy an Azure Virtual WAN architecture with a Secured Virtual Hub. Within the Hub, I'd deploy Azure Firewall Premium (for TLS inspection and IDPS). Crucially, I would configure Virtual Hub Routing Intent and Routing Policies to force all 'Private Traffic' (VNet-to-VNet and Branch-to-VNet) to traverse through the Azure Firewall next-hop. Virtual WAN automates the complex BGP route propagation, ensuring continuous, scalable east-west inspection without manual UDR management.

I would use Azure Virtual Machine Scale Sets using specialized HPC VM sizes (like the HB or HC series). To achieve microsecond latency for inter-node communication, I must deploy them into a single Proximity Placement Group and enable InfiniBand networking. To handle the bursty nature and keep costs down without manual intervention, I would utilize Azure Batch as the orchestration engine, which allows me to specify the required job, dynamically spinning up the InfiniBand-enabled Spot VMs, running the compute, and terminating them immediately upon completion.

I would implement the Azure Schema Registry (often integrated with Event Hubs but applicable conceptually). Producers must register their Avro/JSON schemas in the registry. The CI/CD pipelines for producers enforce schema evolution rules (e.g., ensuring backward compatibility). Downstream consumers fetch the schema from the registry to deserialize the payloads robustly. This strongly couples the loosely coupled asynchronous system, preventing schema drift and runtime serialization failures at an enterprise scale.

I would implement Chaos Engineering protocols using Azure Chaos Studio. Instead of waiting for a real outage, I would create a Chaos Experiment to intentionally inject faults. For instance, I would use the tool to simulate extreme network latency, artificially spike CPU on specific nodes, or simulate an entire Availability Zone going down. By executing this during controlled game days, I can observe if the implemented Circuit Breakers and fallback mechanisms trigger correctly, preventing cascading failures before they affect production users.

I would establish Azure AD (Entra ID) B2B collaboration. For the acquired company's on-prem AD, I could use Azure AD Connect to sync their identities. Alternatively, and more cleanly for the external SAML IdP, I would configure Azure AD as the central identity broker by setting up a Federation Trust with their SAML/WS-Fed IdP. When their users attempt to access the App Service, Azure AD intercepts the request, redirects to their IdP for authentication, and processes the returned SAML token, granting access via seamless SSO without requiring duplicate identity creation.

Cosmos DB must be utilized, but with strict 'Strong Consistency' configured globally. This provides linearizability guarantees; a read is guaranteed to return the most recent committed version of an item. Because this physically forces synchronous replication across the planet, it drastically impacts write latency and RU costs. To mitigate UX issues, optimistic concurrency control via ETags is still required, but I would implement sophisticated compensating transactions/retry logic at the application layer to handle the inevitable physical latency limitations of light speed during contentious writes.

I would design and implement an Azure Landing Zone strategy driven by Bicep Modules and Azure Deployment Environments. The platform team produces pre-approved, highly opinionated, and security-hardened Bicep modules (the paved road). We would configure Azure Deployment Environments, allowing developers to self-serve requested environments (e.g., a 'Microservices Sandbox') directly through a developer portal. Because the environments use pre-approved templates and enforce Azure Policies implicitly, security is shifted left, and developers get instantaneous, compliant infrastructure.

Raw Azure billing lacks Kubernetes context. I would deploy an advanced Kubernetes-native FinOps tool like Kubecost or OpenCost into the AKS clusters. These tools ingest the cluster's metrics (via Prometheus) alongside Azure retail pricing APIs. This provides granular visibility into the cost of individual deployments, namespaces, or labels (e.g., identifying that the 'analytics' namespace uses 60% of GPU resources). I can then export these contextualized metrics back into Power BI dashboards to perform accurate showbacks and enforce departmental chargebacks based on actual workload consumption.