Cloud & DevOps Interview Questions for 2026

EC2 provides virtual servers where you manage the OS, scaling, and patching. Lambda is a serverless compute service that runs your code in response to events and automatically manages the underlying infrastructure. Lambda charges per invocation and execution time, while EC2 charges per hour or second of uptime regardless of utilization.

S3 Standard is for frequently accessed data. S3 Intelligent-Tiering automatically moves data between tiers. S3 Standard-IA and One Zone-IA are for infrequently accessed data. S3 Glacier and Glacier Deep Archive are for long-term archival with retrieval times from minutes to hours. Choose based on access frequency, retrieval time requirements, and cost constraints.

IAM (Identity and Access Management) controls who can access AWS resources and what actions they can perform. It uses users, groups, roles, and policies. Policies are JSON documents that define permissions. Best practices include using least-privilege access, enabling MFA, using roles instead of long-lived access keys, and never using the root account for daily tasks.

A VPC (Virtual Private Cloud) is an isolated virtual network in AWS. Key components include subnets (public and private), route tables, internet gateways, NAT gateways, security groups (stateful firewalls), and network ACLs (stateless firewalls). Public subnets route to the internet gateway; private subnets use NAT gateways for outbound-only internet access.

VMs virtualize hardware and run a full guest OS, consuming significant resources. Containers share the host OS kernel and isolate only the application and its dependencies, making them lightweight (MBs vs GBs), faster to start (seconds vs minutes), and more resource-efficient. Containers use Linux namespaces and cgroups for isolation.

FROM sets the base image. WORKDIR sets the working directory. COPY/ADD copies files into the image. RUN executes commands during build. ENV sets environment variables. EXPOSE documents the port. CMD/ENTRYPOINT defines the default command. Each instruction creates a layer; minimizing layers and using multi-stage builds reduces image size.

Multi-stage builds use multiple FROM statements in a single Dockerfile. You compile code in a build stage with all development dependencies, then copy only the compiled artifact into a minimal runtime image. This dramatically reduces final image size (e.g., from 1GB to 50MB), reduces attack surface, and keeps build tools out of production images.

Docker provides several network drivers: bridge (default, isolated network on a single host), host (shares host network stack), overlay (multi-host networking for Swarm/Kubernetes), and none (no networking). Containers on the same bridge network can communicate by container name. Port mapping (-p) exposes container ports to the host.

A Pod is one or more containers that share the same network namespace, IP address, and storage volumes. It is the smallest deployable unit because Kubernetes schedules and manages Pods, not individual containers. Co-located containers in a Pod can communicate via localhost. Common patterns include sidecar containers for logging, proxying, or configuration.

A Deployment manages stateless applications with rolling updates and rollbacks. A StatefulSet manages stateful applications with stable network identities, ordered deployment, and persistent storage per Pod. A DaemonSet ensures one Pod runs on every node (or a subset), useful for log collectors, monitoring agents, and node-level services.

Kubernetes Services provide stable endpoints for Pods. ClusterIP exposes internally, NodePort exposes on each node, and LoadBalancer provisions an external load balancer. Services use label selectors to route traffic to matching Pods. CoreDNS provides DNS-based discovery so Pods can connect using service names (e.g., my-service.namespace.svc.cluster.local).

A Service operates at L4 (TCP/UDP), while an Ingress operates at L7 (HTTP/HTTPS). Ingress provides path-based and host-based routing, SSL/TLS termination, and name-based virtual hosting through a single external IP. An Ingress controller (like NGINX or Traefik) implements the Ingress resource. This reduces cost by avoiding one LoadBalancer per service.

A CI/CD pipeline automates the build, test, and deployment process. Typical stages: source (code commit triggers pipeline), build (compile code, build Docker image), test (unit tests, integration tests, security scans), staging (deploy to pre-production), and production (deploy with approval gates). This reduces human error and enables rapid, reliable releases.

Blue-green deployment maintains two identical environments. Traffic switches from blue (current) to green (new) all at once, with instant rollback by switching back. Canary deployment gradually shifts traffic (e.g., 5%, 25%, 50%, 100%) to the new version while monitoring metrics. Canary is lower risk but more complex; blue-green is simpler but requires double the infrastructure.

Key strategies include: immutable deployments (deploy previous image version), feature flags (disable new features without redeploying), database migration rollbacks (backward-compatible migrations), and automated rollbacks triggered by health checks or error rate thresholds. Always ensure database schema changes are forward and backward compatible.

GitOps uses Git as the single source of truth for infrastructure and application configuration. An operator (like ArgoCD or Flux) continuously reconciles the cluster state with the Git repository. Unlike traditional CI/CD where the pipeline pushes changes, GitOps pulls changes. This provides audit trails, easy rollbacks (git revert), and declarative infrastructure.

IaC manages infrastructure through code instead of manual processes. Benefits include version control, repeatability, consistency across environments, peer review via pull requests, and automated testing of infrastructure changes. It eliminates configuration drift and enables disaster recovery by rebuilding infrastructure from code.

Terraform is cloud-agnostic, uses HCL syntax, has a large provider ecosystem, and manages state files. CloudFormation is AWS-native, uses JSON/YAML, integrates deeply with AWS services, and manages state automatically. Terraform offers better multi-cloud support and a plan/apply workflow. CloudFormation has tighter AWS integration and no state file management overhead.

Terraform state tracks the mapping between your configuration and real-world resources. For teams, use remote backends (S3 + DynamoDB for locking, Terraform Cloud) to share state and prevent concurrent modifications. Never commit state files to Git (they may contain secrets). Use state locking to prevent corruption and workspaces to manage multiple environments.

Never store secrets in code or environment variables in plain text. Use secret management tools like AWS Secrets Manager, HashiCorp Vault, or Azure Key Vault. In CI/CD, inject secrets at runtime using pipeline-native secret stores (GitHub Secrets, GitLab CI variables). For Kubernetes, use sealed-secrets or external-secrets-operator to sync secrets from a vault.