Azure interview questions covering compute, storage, networking, identity, monitoring, security, App Service, AKS, Functions, and cost.
Microsoft Azure is a cloud platform that provides compute, storage, databases, networking, analytics, AI, identity, security, monitoring, and DevOps services. In interviews, explain Azure as a platform for building and operating applications without owning all physical infrastructure, while still requiring good design for security, reliability, and cost.
Microsoft Entra ID is Azure cloud identity and access service. It manages users, groups, applications, service principals, conditional access, single sign-on, and enterprise identity integration. It is central to Azure security because most Azure access decisions start with identity.
An Azure subscription is a billing and management boundary for Azure resources. It is associated with an Entra tenant and can contain many resource groups. Subscriptions are commonly separated by environment, business unit, workload, or compliance boundary.
az account list --output table
az account set --subscription "Production Subscription"A resource group is a logical container for related Azure resources. It helps with lifecycle management, permissions, tags, deployments, and cleanup. Resources in a group can live in different regions, but the resource group metadata has its own region.
az group create --name rg-orders-prod --location eastusManagement groups organize subscriptions into a hierarchy for governance. Policies, access controls, and compliance rules can be applied at a management group and inherited by child subscriptions. They are useful for enterprise-scale Azure environments.
Azure Policy enforces or audits rules across resources, such as allowed regions, required tags, SKU restrictions, or security settings. Policy helps governance at scale and can deny, audit, append, or deploy configuration automatically.
Azure Role-Based Access Control assigns permissions to users, groups, managed identities, or service principals at scopes such as management group, subscription, resource group, or resource. Use least privilege and avoid broad Owner access.
az role assignment create \
--assignee user@example.com \
--role Reader \
--resource-group rg-orders-prodManaged identities let Azure resources authenticate to Azure services without storing credentials in code. System-assigned identities are tied to one resource, while user-assigned identities are standalone and reusable. They are commonly used with Key Vault, Storage, SQL, and Event Hubs.
An Azure Virtual Network, or VNet, is a private network boundary for Azure resources. It supports subnets, private IPs, routing, network security groups, peering, VPN, ExpressRoute, private endpoints, and network isolation.
az network vnet create \
--resource-group rg-orders-prod \
--name vnet-orders \
--address-prefix 10.10.0.0/16 \
--subnet-name app \
--subnet-prefix 10.10.1.0/24Network Security Groups, or NSGs, filter inbound and outbound traffic using rules. They can be associated with subnets or network interfaces. NSGs are not full firewalls; they are packet filtering controls for network access.
Azure Firewall is a managed network security service for filtering traffic with network, application, and threat intelligence rules. It is useful for centralized egress control, hub-and-spoke networks, and regulated environments.
Application Gateway is a layer 7 load balancer for HTTP and HTTPS traffic. It supports path-based routing, host-based routing, TLS termination, Web Application Firewall, and backend health probes. It is commonly used for web apps and APIs.
Azure Load Balancer distributes TCP and UDP traffic at layer 4. It is used for low-level network load balancing, internal services, and high-throughput scenarios. For HTTP-specific routing, Application Gateway or Front Door may be better.
Azure App Service is a managed platform for hosting web apps and APIs. It supports multiple runtimes, deployment slots, scaling, custom domains, TLS, managed identities, and integration with monitoring. It is a good choice when you want managed hosting without operating VMs or Kubernetes.
Deployment slots are separate live environments, such as staging and production, under one App Service app. You can deploy to staging, warm it up, verify it, and swap it into production. Slots reduce deployment risk but require careful configuration of slot-specific settings.
az webapp deployment slot create \
--resource-group rg-orders-prod \
--name orders-api \
--slot stagingAzure Functions is a serverless compute service for event-driven code. Functions can be triggered by HTTP requests, timers, queues, blobs, Event Grid, Event Hubs, and more. They are useful for glue code, background jobs, integrations, and bursty workloads.
Azure Kubernetes Service, or AKS, is a managed Kubernetes service. Azure manages the control plane, while teams manage node pools, workloads, networking, scaling, security, and upgrades. AKS is useful for containerized systems that need Kubernetes flexibility.
az aks create \
--resource-group rg-platform \
--name aks-prod \
--node-count 3 \
--enable-managed-identityAzure Container Apps is a managed container platform for running microservices and jobs without managing Kubernetes directly. It supports scaling to zero, revisions, Dapr integration, ingress, and event-driven autoscaling through KEDA.
Use Azure Virtual Machines when you need full OS control, custom software, legacy workloads, specialized agents, or lift-and-shift migrations. VMs give control but require patching, monitoring, backup, security hardening, and scaling design.
Virtual Machine Scale Sets manage groups of identical VMs with autoscaling and rolling upgrades. They are useful for workloads that need VM-level control but must scale horizontally behind a load balancer.
Azure Blob Storage stores unstructured object data such as images, videos, backups, logs, exports, and documents. It supports hot, cool, cold, and archive tiers, lifecycle policies, private endpoints, and event integration.
az storage container create \
--account-name examplestorage \
--name uploads \
--auth-mode loginAzure Files provides managed SMB and NFS file shares. It is useful for shared file storage, lift-and-shift apps, and hybrid scenarios. It differs from Blob Storage because it behaves like a file share rather than object storage.
Azure Queue Storage is a simple message queue for decoupling components. It is useful for background work and asynchronous processing. For advanced messaging, ordering, sessions, topics, and dead-lettering, Azure Service Bus is often better.
Azure Service Bus is an enterprise messaging service with queues and topics. It supports dead-letter queues, sessions, duplicate detection, scheduled messages, transactions, and pub/sub patterns. It is better than Storage Queues for complex messaging workflows.
Azure Table Storage is a NoSQL key-value store for large semi-structured datasets. It uses partition keys and row keys. It is simple and cost-effective, but not designed for rich querying like relational databases.
Azure Cosmos DB is a globally distributed NoSQL database service. It supports multiple APIs, low latency, automatic scaling, partitioning, global replication, and tunable consistency levels. It is powerful but requires careful partition key and RU cost design.
Choose a partition key with high cardinality, even distribution, and alignment with common queries. Poor partition keys create hot partitions, expensive cross-partition queries, and scaling problems.
Good candidate: tenantId or userId for tenant/user-scoped access
Risky candidate: status when most records have status = activeAzure SQL Database is a managed relational database based on SQL Server engine. Azure handles much of the infrastructure, backups, patching, and high availability. It is a good fit for relational workloads that need SQL Server compatibility without managing SQL Server VMs.
Azure Key Vault stores secrets, keys, and certificates. Applications can access it through managed identities and RBAC or access policies. It reduces hard-coded secrets and centralizes secret rotation and auditing.
az keyvault secret set \
--vault-name kv-orders-prod \
--name DbPassword \
--value "replace-with-secure-value"Private Link exposes Azure services through private endpoints inside your virtual network. It reduces public internet exposure for services such as Storage, SQL, Key Vault, and App Service. DNS configuration is a common source of mistakes.
Azure Monitor collects metrics, logs, traces, and alerts from Azure resources and applications. It helps detect incidents, understand performance, and build dashboards. It often works with Log Analytics and Application Insights.
Log Analytics stores and queries logs using Kusto Query Language, or KQL. It is useful for troubleshooting, dashboards, alerting, and security analysis. Cost depends on ingestion volume and retention.
AzureActivity
| where TimeGenerated > ago(1h)
| summarize count() by ResourceGroupApplication Insights provides application performance monitoring. It captures requests, dependencies, exceptions, traces, availability tests, and distributed traces. It is useful for debugging latency, errors, and dependency failures.
Availability Zones are physically separate locations within an Azure region. Zone-redundant architectures can survive a zone failure. Not every service or SKU supports zones, so design must verify service-specific availability options.
Azure Front Door is a global layer 7 entry point for web apps and APIs. It supports global routing, TLS, CDN acceleration, WAF, health probes, and failover across regions. It is often used for internet-facing multi-region applications.
Traffic Manager is DNS-based global traffic routing. It can route by priority, performance, geography, weighted distribution, or endpoint health. Because it is DNS-based, failover depends partly on DNS TTL and client behavior.
Azure Backup protects VMs, files, SQL workloads, and other supported resources. Good backup design defines retention, restore testing, encryption, access controls, and recovery objectives. Backups are only useful if restores are tested.
Azure Site Recovery helps replicate workloads for disaster recovery and orchestrate failover. It is commonly used for VM disaster recovery. It should be tested with recovery plans and clear RPO/RTO expectations.
Azure Cost Management tracks spending, budgets, recommendations, and cost breakdowns by subscription, resource group, tag, service, or department. Use budgets, alerts, tagging, reservations, rightsizing, and shutdown schedules to control cost.
Tags are key-value metadata attached to resources. They help with cost allocation, ownership, environment tracking, automation, and governance. Azure Policy can require tags or inherit them from resource groups.
az resource tag \
--ids /subscriptions/.../resourceGroups/rg-orders-prod \
--tags environment=prod owner=platformARM templates are JSON infrastructure-as-code templates for Azure Resource Manager. Bicep is a cleaner domain-specific language that compiles to ARM templates. Both help deploy repeatable Azure infrastructure.
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
name: 'examplestorageacct'
location: resourceGroup().location
sku: {
name: 'Standard_LRS'
}
kind: 'StorageV2'
}Terraform can provision Azure resources through the AzureRM provider. It is useful for teams using multi-cloud or Terraform-based workflows. Bicep is Azure-native, while Terraform is broader across providers.
Azure DevOps provides Boards, Repos, Pipelines, Test Plans, and Artifacts. GitHub Actions focuses on automation inside GitHub repositories. Many Azure teams use either; the best choice depends on existing repos, governance, CI/CD needs, and enterprise tooling.
Azure Container Registry stores private container images and artifacts. It integrates with AKS, Container Apps, App Service, managed identities, private endpoints, and image scanning workflows.
Azure API Management provides an API gateway and developer portal. It supports policies, authentication, rate limits, transformations, subscriptions, analytics, and versioning. It is useful when APIs need governance and consistent external access.
Use managed identities, Key Vault, private endpoints, least-privilege RBAC, network segmentation, WAF where needed, logging, Defender for Cloud recommendations, encryption, policy guardrails, and secure CI/CD. Security should be designed into identity, network, data, and operations.
Common mistakes include public exposure of storage or databases, incorrect private DNS for Private Link, overly broad NSG rules, missing route planning in hub-and-spoke networks, no egress control, and assuming a service is private because authentication exists.
Common cost mistakes include oversized VMs, idle dev resources, unattached disks, excessive log ingestion, wrong storage tier, no budgets, missing reservations or savings plans, poor Cosmos DB RU sizing, and no tags for ownership.
Common anti-patterns include using Owner permissions broadly, storing secrets in app settings without Key Vault planning, deploying everything publicly, no tagging, no backup restore tests, unmanaged VM sprawl, and choosing AKS for simple apps that App Service or Container Apps could run.
A practical design can use Front Door or Application Gateway for ingress, App Service or Container Apps for compute, Azure SQL or Cosmos DB for data, Blob Storage for files, Key Vault for secrets, managed identity for access, and Azure Monitor for observability.
User -> Front Door -> App Service
App Service -> Managed Identity -> Key Vault
App Service -> Azure SQL
App Service -> Blob Storage
Logs/Metrics -> Azure Monitor + Log AnalyticsExplore 500+ free tutorials across 20+ languages and frameworks.