AWS Solutions Architect Interview Questions

March 31, 2022
Evdokiya Lazarova

Do you want to learn how to master the technical part of the AWS solutions architect interview or cloud architect interview? If so, this blog is for you.

Today we’re going to talk about how to master the technical component of the cloud architect interview or AWS solutions architect interview. As hiring managers, we want to find strong, capable individuals who can competently perform the job and improve the quality of their team. We gauge that competency not by the number of years of experience you have, or the number of certifications you hold, but by the technical interview.

It’s not just your technical capabilities that are judged in the technical interview, though! We learn your level of competency, and to a certain degree we can measure your soft skills. We can check your emotional intelligence by the way you respond to these technical interview questions. We can check your communication skills, as well as your sales skills, because you’re effectively going to be selling yourself to the hiring manager. So a hiring manager learns a lot in this interview.

Hiring managers accomplish this by asking open-ended cloud architect interview questions. We don’t ask multiple-choice or fill-in-the-blank style questions, because anyone can basically memorize responses to these. The reason they’re open-ended is that as an architect you must be able to interact with customers, ask the right questions, look at the customer’s business, legal, technical, and regulatory requirements, and then design a solution.

So let’s dig into the example interview questions and possible responses.

Question 1. “How do you secure a VPC?”

We want to know if someone truly understands security, vs. just learning a security term.

  • For example, when I ask that question and someone’s answer is “use a NACL and a security group”, I know they’ve read a book or passed an exam, but I also know they don’t understand security.
  • But if someone replies: “You secure your VPC in layers. A firewall at the edge of your network keeps a strong perimeter and keeps outsiders out. Behind the firewall, use an IDS/IPS to see what’s going on if there’s an intrusion, and if there is one, thwart it as it occurs. Use DDoS protection outside of your domain. Then, inside of your domain, keep unwanted traffic out of your subnets with network ACLs, keep unwanted traffic out of your servers with security groups, and add a host-based firewall and anti-malware protection to your servers. Then add components such as IAM, and lock down your systems to make sure they don’t run any unnecessary services and are patched for vulnerabilities (“server hardening”), and so on.”

When I hear that from a candidate, I know they understand security. If it’s only the name of a service, I know they passed an exam.

During these interviews, it is up to you to show that you’re competent. Show enough depth of knowledge to demonstrate that you understand the topic, and you’ll be hired, because it’s very hard to find qualified people who can answer questions like this.
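The subnet and host layers in the answer above (network ACLs and security groups) are the ones most often mis-configured, and the mistake is usually a rule that admits the whole Internet to an administrative or database port. The script below is an added example, not code from the original post: it audits rules in the dict shape that boto3’s describe_network_acls and describe_security_groups return, but every group id, ACL id and rule in it is constructed for the demo, and no AWS account is queried. It also shows why NACLs need an ordering-aware check: entries are evaluated in ascending RuleNumber order and the first match wins, so an early allow-all overrides a later deny.

```python
"""Audit the subnet layer (network ACLs) and host layer (security groups) for rules
that admit the whole Internet to sensitive TCP ports.

Added example, not code from the original post. Dict shapes mimic boto3's
describe_network_acls / describe_security_groups output; all values are constructed.
"""
import ipaddress

# Ports where an any-source ingress allow is almost always a finding (constructed list).
SENSITIVE_PORTS = {
    22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL", 6379: "Redis",
}
ANY_V4 = ipaddress.ip_network("0.0.0.0/0")


def open_to_world(cidr):
    """True when an IPv4 CIDR covers the entire Internet."""
    return cidr is not None and ipaddress.ip_network(cidr) == ANY_V4


def audit_security_groups(groups):
    """Host layer: flag SG ingress rules allowing 0.0.0.0/0 onto a sensitive TCP port.

    Security groups hold only allow rules and have no ordering, so any matching
    allow is a finding regardless of the other rules in the group.
    """
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ("tcp", "-1"):      # "-1" means every protocol and port
                continue
            low = perm.get("FromPort", 0) if proto == "tcp" else 0
            high = perm.get("ToPort", 65535) if proto == "tcp" else 65535
            for rng in perm.get("IpRanges", []):
                if not open_to_world(rng.get("CidrIp")):
                    continue
                for port, name in SENSITIVE_PORTS.items():
                    if low <= port <= high:
                        findings.append((sg["GroupId"], name, port))
    return findings


def audit_network_acls(acls):
    """Subnet layer: flag NACLs whose FIRST matching ingress rule allows a sensitive
    port from anywhere. Entries are evaluated by ascending RuleNumber, first match
    wins, so an early allow-all silently overrides a later, more specific deny.
    """
    findings = []
    for acl in acls:
        ingress = sorted((e for e in acl["Entries"] if not e["Egress"]),
                         key=lambda e: e["RuleNumber"])
        for port, name in SENSITIVE_PORTS.items():
            for entry in ingress:
                if entry.get("Protocol") not in ("6", "-1"):   # "6" is TCP, "-1" is all
                    continue
                rng = entry.get("PortRange", {"From": 0, "To": 65535})
                if not rng["From"] <= port <= rng["To"]:
                    continue
                # This entry is the first match for the port; it decides, allow or deny.
                if entry["RuleAction"] == "allow" and open_to_world(entry.get("CidrBlock")):
                    findings.append((acl["NetworkAclId"], name, port, entry["RuleNumber"]))
                break
    return findings


# Constructed sample data in the boto3 response shape.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-web-constructed", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-db-constructed", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
    ]},
]
SAMPLE_NACLS = [
    {"NetworkAclId": "acl-constructed", "Entries": [
        {"RuleNumber": 100, "Egress": False, "Protocol": "-1", "RuleAction": "allow",
         "CidrBlock": "0.0.0.0/0"},
        # This deny never fires for SSH: rule 100 already matched and allowed it.
        {"RuleNumber": 110, "Egress": False, "Protocol": "6", "RuleAction": "deny",
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
        {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny",
         "CidrBlock": "0.0.0.0/0"},
    ]},
]


def run_audit(groups=SAMPLE_SECURITY_GROUPS, acls=SAMPLE_NACLS):
    """Return findings per layer so each layer can be reported on its own."""
    return {"security_groups": audit_security_groups(groups),
            "network_acls": audit_network_acls(acls)}


if __name__ == "__main__":
    for layer, items in run_audit().items():
        print(layer, *items, sep="\n  ")
```

On the sample data the host layer yields one finding (SSH open to the world on the web group; the database group is restricted to a private range), while the subnet layer yields a finding on every sensitive port, all attributed to rule 100, because the allow-all entry precedes the SSH deny. To run this against a real account, feed the `SecurityGroups` and `NetworkAcls` lists from the corresponding boto3 calls in place of the constructed samples.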

Question 2. “When an organization wants to use cloud as a disaster recovery site, what are the options, and what are the strengths and weaknesses of each option?”

This question gives us good information about the person’s architectural abilities.

There are really four options for using the cloud for disaster recovery, and each one has strengths and weaknesses.

  • The first option is a completely cold standby. You put machine images of your servers in the remote location and periodically send your data there. The advantage of this is that it’s super cheap. The disadvantage is that it’s going to take a long time to come back into service, should you have a primary failure.
  • The second option is to make machine images of your web layer and your application layer, but keep a standby database that’s active and receiving the data to be replicated. The advantage is that you still have a slow fail-over, but it’s much faster than cold standby because your data is always up to date.
  • The third option is to basically replicate your environment but use very small instances in the disaster recovery site, placing them in an auto scaling group. With an auto scaling group, if the primary site fails, all the traffic is shifted through DNS to your disaster recovery site, the systems scale out, and you have more computing capacity. The disadvantage of this approach is that it takes 20 to 60 minutes for your systems to auto-scale, so it’s not the fastest.
  • The fourth option is to run a standby of everything, a complete hot standby. Whatever you have in location A, you also have in location B. The only time it takes is for DNS to detect that one site is down and reroute your traffic to the other one.

This type of answer shows extreme depth of knowledge, and that’s how I know that someone is an architect who can design systems.

Question 3. “When should you use a direct connection, and when should you use a VPN?”

This question gives us an indication of whether someone understands networking, or at least components of networking.

  • A direct connection is not literally a wire, but logically it’s a wire between two locations, so the latency is going to be consistent. You’re guaranteed the performance of that entire connection.
  • If an organization needs guaranteed bandwidth and guaranteed consistent latency, they must use a direct connection. If a candidate explains that a direct connection is just for performance but can’t explain why performance is mentioned, a hiring manager knows that they’ve passed an exam but don’t understand the concept.
  • The right answer should be: “You use a VPN when you want to make it easy to create one connection to multiple sites, because the Internet’s there. You use the VPN because it’s cheaper, and because you’ve got flexibility via VPN: everybody, for the most part, has internet access. You can create connections on demand, and it’s very easy to connect to multiple remote sites. The downside is that you’re dependent upon internet bandwidth and latency, which are not guaranteed.”

That way you show your understanding of both the VPN and the direct connect concepts.

Question 4. “You’ve got a main site, hosted in the cloud, and there are 10 remote sites. The 10 remote sites need to talk to the cloud as well as to each other. How could you do this? What are your architectural approaches?”

This question shows whether the person understands cloud networking.

There are three approaches, and each one has different strengths.

  • First approach. Create VPN connections between the cloud and each remote site, and that would work.
  • Second approach. Set up VPC peering, so the locations can all peer with each other. If everybody needs to connect to everybody, you’re going to have to fully mesh the VPC peers. The advantages of this option are that everyone has a connection to everyone, so should something happen in a central place, everybody can still talk to everybody else they need to. Also, the performance is better because you’re never more than one hop away. The disadvantage is that when you’re fully meshed, the number of peering connections adds up rapidly as locations are added.
    • Remember, the formula for the number of peers is N times (N minus 1) divided by 2. Example: if you have 3 VPCs that need to peer with each other, it’s no big deal.
    • Thus 3 x (3 - 1) = 6; then 6 / 2 = 3. In the current example, you have 10 locations, thus 10 x (10 - 1) = 90; then 90 / 2 = 45. By going from 3 to 10 locations, the number of connections really went up.
  • Third approach. Use CloudHub. CloudHub is a way to create a hub-and-spoke VPN connection in the AWS environment. It allows the organization’s sites to still talk to each other through the hub and spoke, just like in a traditional environment.

If the candidate only addresses the third approach, then I know they’ve only learned a service and passed an exam.
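The trade-off between the second and third approaches is easier to reason about when you enumerate the links rather than just count them. The script below is an added example, not code from the original post: it builds the full-mesh peering set and a hub-and-spoke (CloudHub-style) set for a constructed list of sites, checks the N x (N - 1) / 2 formula against the enumerated set, measures the worst-case hop count by breadth-first search, and tests what each topology does when the hub site disappears. The site names are constructed; the hub-and-spoke link count is also the link count of the first approach (one VPN per remote site to the cloud).

```python
"""Links, hops and hub-failure behaviour for a full mesh versus hub-and-spoke.

Added example, not code from the original post. Site names are constructed.
"""
from collections import deque
from itertools import combinations


def peering_count(n):
    """The formula quoted above: N x (N - 1) / 2 peerings for a full mesh of N sites."""
    return n * (n - 1) // 2


def full_mesh_links(sites):
    """Every site peers directly with every other site."""
    return {frozenset(pair) for pair in combinations(sites, 2)}


def hub_and_spoke_links(hub, spokes):
    """Each remote site holds a single connection to the hub."""
    return {frozenset((hub, spoke)) for spoke in spokes}


def max_hops(sites, links):
    """Longest shortest path between any pair of sites (BFS), or None if some
    pair cannot reach each other at all."""
    adjacent = {site: set() for site in sites}
    for link in links:
        a, b = tuple(link)
        adjacent[a].add(b)
        adjacent[b].add(a)
    worst = 0
    for source in sites:
        dist = {source: 0}
        queue = deque([source])
        while queue:
            current = queue.popleft()
            for nxt in adjacent[current]:
                if nxt not in dist:
                    dist[nxt] = dist[current] + 1
                    queue.append(nxt)
        if len(dist) != len(sites):
            return None          # partitioned
        worst = max(worst, max(dist.values()))
    return worst


def survives_hub_loss(sites, links, hub):
    """Can the remaining sites still reach one another once the hub and its links are gone?"""
    remaining = [s for s in sites if s != hub]
    remaining_links = {link for link in links if hub not in link}
    return max_hops(remaining, remaining_links) is not None


def compare(n_sites=10):
    """Summarise both topologies for n_sites locations; the first one is the cloud hub."""
    sites = [f"site-{i:02d}" for i in range(n_sites)]   # constructed names
    hub, spokes = sites[0], sites[1:]
    mesh = full_mesh_links(sites)
    spoke = hub_and_spoke_links(hub, spokes)
    assert len(mesh) == peering_count(n_sites)          # formula matches the enumeration
    return {
        "full_mesh_links": len(mesh),
        "full_mesh_max_hops": max_hops(sites, mesh),
        "full_mesh_survives_hub_loss": survives_hub_loss(sites, mesh, hub),
        "hub_and_spoke_links": len(spoke),
        "hub_and_spoke_max_hops": max_hops(sites, spoke),
        "hub_and_spoke_survives_hub_loss": survives_hub_loss(sites, spoke, hub),
    }


if __name__ == "__main__":
    for n in (3, 10):
        print(n, "sites:", compare(n))
```

For the 10 locations in the question this gives 45 mesh links at one hop with full connectivity after losing the hub, against 9 hub-and-spoke links at two hops with every remote site isolated once the hub is gone, which is exactly the resilience-versus-link-count trade-off the answer above describes.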

Question 5. “What functions are achieved by IPSec?”

This question shows if the candidate understands IPSec. If they do, they will know all the amazing things that IPSec does beyond just encryption.

  • If they only know encryption, I know they’ve probably passed a certification exam. That is still good, but I know they don’t really understand IPSec.
  • The right answer is: “IPSec provides the ability to authenticate each remote end, to prevent man-in-the-middle attacks where someone pretends to be someone else, and it can ensure the integrity of your data because it uses a hashing algorithm.”

Because you have data integrity on a message going from point A to point B, someone can’t intercept an electronic payment for a hundred dollars and have it changed to a million dollars, since the receiver can verify that nothing has been changed.

The last thing that comes out of IPSec is something called non-repudiation. Effectively there’s a record of the message, so if one person orders something from another and then receives it, the buyer can’t say after the fact, “I didn’t order it”, because of that non-repudiation.

With IPSec, you can authenticate, you can determine message integrity, and you can verify that messages were sent, providing a non-repudiation environment. That is in addition to the encryption and the ability to tunnel private IP addresses, private traffic, and private routing information over a public network.
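The integrity and peer-authentication points above come down to a keyed hash over the packet, and IPSec’s ESP additionally carries a sequence number so that a captured packet cannot be replayed. The script below is an added example, not code from the original post, and it is a simplified illustration rather than IPSec’s real AH/ESP packet format: it frames a constructed payment message with a sequence number, protects it with HMAC-SHA256 under a constructed pre-shared key, and shows the receiver rejecting the $100-to-$1,000,000 alteration, a replayed packet, and a packet from a party that does not hold the key. One caveat worth knowing for the interview: because both ends hold the same key, a tag like this shows the receiver that a key holder sent an unaltered message, but it cannot by itself prove to a third party which end sent it; that stronger, third-party-verifiable property is what a digital signature adds.

```python
"""Integrity, peer authentication and anti-replay on a payment message, in the spirit
of IPSec's keyed-hash integrity check and ESP sequence numbers.

Added example, not code from the original post. Simplified illustration with a
constructed key and frame layout; not the real AH/ESP packet format.
"""
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 32          # HMAC-SHA256 output length
SEQ_LEN = 4           # 32-bit sequence number, as in the ESP header


def protect(psk, seq, payload):
    """Build seq || payload and append an HMAC-SHA256 tag under the shared key.

    Only a holder of the key can produce a valid tag, which is what lets the
    receiver authenticate the remote end and detect any change made in transit.
    """
    frame = struct.pack(">I", seq) + payload
    tag = hmac.new(psk, frame, hashlib.sha256).digest()
    return frame + tag


class Receiver:
    """One end of the association: checks the tag first, then sequence freshness."""

    def __init__(self, psk):
        self.psk = psk
        self.highest_seq = 0   # simplified: strictly increasing, no sliding window

    def accept(self, packet):
        """Return (status, payload); payload is None unless status is "ok"."""
        if len(packet) < SEQ_LEN + TAG_LEN:
            return "short", None
        frame, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.psk, frame, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):     # constant-time comparison
            return "bad_tag", None                     # altered, or sender lacks the key
        seq = struct.unpack(">I", frame[:SEQ_LEN])[0]
        if seq <= self.highest_seq:
            return "replay", None                      # already seen, or older
        self.highest_seq = seq
        return "ok", frame[SEQ_LEN:]


def payment_demo():
    """Walk the $100 to $1,000,000 scenario from the text and return each outcome."""
    psk = secrets.token_bytes(32)                                  # constructed key
    receiver = Receiver(psk)
    packet = protect(psk, 1, b"PAY 100.00 USD to account 42")     # constructed message

    genuine, _ = receiver.accept(packet)

    # Alter the amount in transit but keep the original tag: the HMAC no longer matches.
    forged = packet[:SEQ_LEN] + b"PAY 1000000.00 USD to account 42" + packet[-TAG_LEN:]
    tampered, _ = receiver.accept(forged)

    # Resend the genuine packet: tag still valid, but sequence number 1 was already used.
    replayed, _ = receiver.accept(packet)

    # A party without the shared key cannot produce a tag this receiver accepts.
    impostor = protect(secrets.token_bytes(32), 2, b"PAY 100.00 USD to account 42")
    unauthenticated, _ = receiver.accept(impostor)

    return {"genuine": genuine, "tampered": tampered,
            "replayed": replayed, "unauthenticated": unauthenticated}


if __name__ == "__main__":
    for case, status in payment_demo().items():
        print(f"{case:16} {status}")
```

Only the first packet is accepted; the altered amount and the impostor’s packet both fail the tag check (the receiver cannot and need not distinguish the two causes), and the replay fails on the sequence number even though its tag is valid.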


Make sure to stay tuned for more content from Go Cloud Careers and more interview preparation articles. This week we focused heavily on the network, but the network is part of the cloud. Just remember that the cloud is nothing more than a virtualized network in a virtualized data center.
