These are the questions Azure Engineer candidates actually face in real interviews at tech companies, MSPs, and enterprise IT teams. Full answers included.
Azure interviews mix conceptual knowledge with hands-on troubleshooting. A recruiter screen might ask what VNet peering is; a technical panel will ask you to design a hub-and-spoke network from scratch and explain every decision. This guide covers both layers.
NSGs (Network Security Groups) are stateful, Layer 3/4 filters applied at the subnet or NIC level. They filter by IP, port, and protocol using Allow/Deny rules, each with a priority number; the lowest-numbered matching rule wins and evaluation stops there. Azure Firewall is a fully managed, stateful Layer 4 and Layer 7 firewall service at the VNet perimeter — it supports FQDN filtering, threat intelligence, TLS inspection, and IDPS. NSGs are free and suit basic micro-segmentation; Azure Firewall is a paid service suited to centralised, enterprise-grade perimeter control. Strong answer: "I use both — NSGs at the subnet level for east-west traffic control, Azure Firewall at the hub VNet for north-south filtering and egress inspection."
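To make the priority semantics concrete, here is an added example (not code from the original article) that simulates how an NSG evaluates one outbound flow against custom rules plus Azure's default outbound rules. The service-tag prefixes, the VNet address space and the rule set are constructed for the illustration; Microsoft publishes the real tag prefixes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # 100-4096 for custom rules; lower numbers are evaluated first
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    dest: str       # CIDR prefix, service tag name, "Internet" or "*"
    dest_port: str  # "443", "1024-65535" or "*"


# Service-tag prefixes are CONSTRUCTED for this example, not Microsoft's real ranges.
SERVICE_TAGS = {
    "Storage": ["20.60.0.0/16", "52.239.0.0/16"],
    "VirtualNetwork": ["10.0.0.0/16"],  # assumed address space of the VM's VNet
}

# Azure's default outbound rules sit at priority 65000+, so any custom rule overrides them.
DEFAULT_OUTBOUND = [
    Rule("AllowVnetOutBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Allow", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Deny", "*", "*", "*"),
]


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-")
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def _dest_matches(spec: str, ip: str) -> bool:
    addr = ip_address(ip)
    in_vnet = any(addr in ip_network(p) for p in SERVICE_TAGS["VirtualNetwork"])
    if spec == "*":
        return True
    if spec == "Internet":  # the Internet tag excludes the VNet's own address space
        return not in_vnet
    prefixes = SERVICE_TAGS.get(spec, [spec])  # a service tag name or a literal CIDR
    return any(addr in ip_network(p) for p in prefixes)


def evaluate_outbound(custom_rules, protocol, dest_ip, dest_port):
    """Return (access, rule_name) for one outbound flow: first match in priority order."""
    for rule in sorted(custom_rules + DEFAULT_OUTBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if not _dest_matches(rule.dest, dest_ip):
            continue
        if not _port_matches(rule.dest_port, dest_port):
            continue
        return rule.access, rule.name
    return "Deny", "none"  # not reachable in practice: DenyAllOutBound always matches


# Constructed subnet rules: allow HTTPS to the Storage tag, then deny every other
# Internet-bound flow. VNet-internal traffic still hits the default AllowVnetOutBound.
LOCKED_DOWN = [
    Rule("AllowStorageHttps", 100, "Allow", "Tcp", "Storage", "443"),
    Rule("DenyInternetOutBound", 200, "Deny", "*", "Internet", "*"),
]

if __name__ == "__main__":
    for flow in [("Tcp", "20.60.1.5", 443), ("Tcp", "20.60.1.5", 80), ("Tcp", "10.0.2.9", 22)]:
        print(flow, "->", evaluate_outbound(LOCKED_DOWN, *flow))
```

The second flow (port 80 to a Storage address) is the one candidates often get wrong: rule 100 does not match because of the port, so evaluation continues to rule 200, which denies it, long before the default AllowInternetOutBound at 65001 is reached.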
VNet peering connects two VNets so resources in each can communicate using Microsoft's backbone (no gateway required, low latency). It is NOT transitive — if VNet A peers with VNet B, and VNet B peers with VNet C, traffic from A cannot reach C through B. To enable transitive routing you need either a hub-and-spoke with Azure Firewall or VPN Gateway in the hub, or Azure Virtual WAN. This is one of the most common exam and interview gotchas.
A Managed Identity is an Azure AD identity automatically managed by Azure for a resource (like a VM or App Service). It can authenticate to Azure services that support Azure AD auth without storing any credentials in code or config files. Service principals require managing and rotating secrets, which creates security debt. System-assigned Managed Identities are tied to the resource's lifecycle (deleted with the resource); user-assigned are standalone and can be shared across resources. Best practice: always prefer Managed Identity over secrets for Azure-to-Azure authentication.
RBAC in Azure uses role assignments: a security principal (user, group, service principal, or managed identity) + a role definition (a set of permissions) + a scope. Scope hierarchy is: Management Group → Subscription → Resource Group → Resource. Assignments are inherited downward — a Contributor at subscription level gets Contributor on all resource groups and resources within it. Deny assignments override role assignments and are used by Azure Blueprints. Key built-in roles: Owner (full access + can assign roles), Contributor (full access, no role assignment), Reader (read-only).
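The inheritance and deny rules above are easiest to see in code. This is an added example, not from the article: a small evaluator that walks a constructed scope tree (management group, subscription, resource group, VM), applies role assignments inherited downward, and lets a deny assignment win over any role. The three role definitions are simplified from the built-in Owner, Contributor and Reader; the scope names and principals are placeholders.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Simplified action sets for three built-in roles (the real definitions carry more entries).
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
    "Reader": {"actions": ["*/read"], "not_actions": []},
}

# Constructed scope tree; the names are placeholders, not real resource IDs.
MG = "/providers/Microsoft.Management/managementGroups/mg-prod"
SUB = "/subscriptions/sub-prod"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web01"
PARENT = {SUB: MG, RG: SUB, VM: RG}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str
    scope: str


@dataclass(frozen=True)
class DenyAssignment:
    principals: frozenset
    actions: tuple
    scope: str


def scope_chain(scope):
    """The scope itself plus every ancestor: an assignment at any of these applies here."""
    chain = [scope]
    while scope in PARENT:
        scope = PARENT[scope]
        chain.append(scope)
    return chain


def _matches(patterns, action):
    # Azure action matching is case-insensitive and '*' spans '/' segments.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def role_permits(role, action):
    spec = ROLES[role]
    return _matches(spec["actions"], action) and not _matches(spec["not_actions"], action)


def is_allowed(principal, action, scope, assignments, denies=()):
    chain = set(scope_chain(scope))
    # Deny assignments are checked first and override every role assignment.
    for d in denies:
        if d.scope in chain and principal in d.principals and _matches(d.actions, action):
            return False
    return any(a.principal == principal and a.scope in chain and role_permits(a.role, action)
               for a in assignments)


# Constructed sample: alice is Contributor on the subscription, bob is Reader on one RG,
# and a deny assignment blocks alice from deleting VMs in that RG.
ASSIGNMENTS = [RoleAssignment("alice", "Contributor", SUB), RoleAssignment("bob", "Reader", RG)]
DENIES = [DenyAssignment(frozenset({"alice"}), ("Microsoft.Compute/virtualMachines/delete",), RG)]

if __name__ == "__main__":
    print(is_allowed("alice", "Microsoft.Compute/virtualMachines/write", VM, ASSIGNMENTS))
    print(is_allowed("alice", "Microsoft.Authorization/roleAssignments/write", RG, ASSIGNMENTS))
    print(is_allowed("alice", "Microsoft.Compute/virtualMachines/delete", VM, ASSIGNMENTS, DENIES))
```

Two things the evaluator makes visible: bob's Reader role at the resource group does nothing at subscription scope (inheritance only flows down), and alice's Contributor role cannot write role assignments because the NotActions carve-out removes Microsoft.Authorization writes even though Actions is "*".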
Availability Zones are physically separate datacentres within an Azure region, each with independent power, cooling, and networking. Deploying two or more VMs across two or more zones gives an SLA of 99.99%. Availability Sets are a logical grouping within a single datacentre — VMs are spread across fault domains (separate hardware racks with their own power and network switch) and update domains (separate maintenance windows), giving a 99.95% SLA. Availability Sets do NOT protect against datacentre-level failures. Use Zones for production workloads where maximum resilience matters; Availability Sets where the region has no zone support.
Work through the layers: (1) Check the storage account firewall — is it set to "Selected networks" with the VM's VNet/subnet added, or is there a Service Endpoint configured? (2) Check the NSG on the VM's subnet — is outbound traffic on port 443 allowed to the storage service tag? (3) Check the VM's routing — use Network Watcher's "Next Hop" to verify traffic is going where expected. (4) Check the storage account's Private Endpoint — if one exists, DNS must resolve to the private IP, not the public endpoint. (5) Test with Storage Explorer or az storage blob list from the VM itself to isolate whether it's a network or auth issue.
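Step (4) is where most real cases turn out to be DNS rather than network. The following added example (not code from the article) classifies what a storage hostname resolves to from the VM's point of view and maps each outcome to the check that matters next; the hostname, the VNet prefix and the resolved addresses are constructed placeholders, and the live lookup only runs when the script is executed directly.

```python
import socket
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Diagnosis:
    path: str   # "private-endpoint", "public-endpoint", "mixed" or "unresolvable"
    hint: str   # the next thing to check for that path


def resolve(host):
    """Live A-record lookup from this machine; returns [] when the name does not resolve."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, 443, socket.AF_INET)})
    except socket.gaierror:
        return []


def diagnose(host, addresses, vnet_prefixes, private_endpoint_exists):
    """Classify the path a VM's traffic to a storage endpoint will take, given the
    addresses DNS returned for the host and the VNet's address space."""
    if not addresses:
        return Diagnosis("unresolvable",
                         f"{host} does not resolve; check the VM's DNS servers before anything else")
    nets = [ip_network(p) for p in vnet_prefixes]
    private = [a for a in addresses if any(ip_address(a) in n for n in nets)]
    if len(private) == len(addresses):
        return Diagnosis("private-endpoint",
                         "traffic stays inside the VNet; check the NSG allows TCP 443 to the endpoint IP "
                         "and that the private endpoint's subnet has no blocking rules")
    if private:
        return Diagnosis("mixed",
                         "inconsistent answers; look for conflicting private DNS zones or stale caches")
    if private_endpoint_exists:
        return Diagnosis("public-endpoint",
                         "a private endpoint exists but DNS returned public IPs: a common cause is the VM's "
                         "VNet not being linked to the privatelink.blob.core.windows.net private DNS zone, "
                         "or a custom DNS server not forwarding to Azure DNS")
    return Diagnosis("public-endpoint",
                     "public path: the storage firewall must allow this VNet (service endpoint or "
                     "'Selected networks') and the NSG must allow TCP 443 to the Storage service tag")


# Constructed placeholders for the example; substitute the real account and VNet range.
HOST = "contosostorage.blob.core.windows.net"
VNET = ["10.0.0.0/16"]

if __name__ == "__main__":
    result = diagnose(HOST, resolve(HOST), VNET, private_endpoint_exists=True)
    print(result.path, "-", result.hint)
```

Run it from the VM itself, not from your workstation: the whole point is what the VM's resolver returns, and a laptop on the corporate network will usually see a different answer.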
Multi-region active-passive or active-active depending on the RTO/RPO requirements. For active-passive: deploy primary workload in region A, use Azure Site Recovery for VM replication to region B (RPO ~1 minute, RTO ~15–30 minutes). For databases: geo-redundant backups, or active geo-replication (Azure SQL), or Cosmos DB multi-region writes. For traffic failover: Traffic Manager with geographic or priority routing, pointing to endpoints in both regions. Storage: GRS or GZRS replication. Key interview point: define your RTO and RPO first, then architect backwards from those numbers.
Start/stop automation using Azure Automation Runbooks or the built-in Dev/Test auto-shutdown on VMs. Right-size VMs using Azure Advisor recommendations. For VMs that must run 24/7, consider Spot VMs (up to 90% discount, but can be evicted — fine for stateless workloads). Dev/Test subscriptions get discounted rates on Windows Server and SQL VMs. Reserved Instances for stable workloads (1- or 3-year commitments, up to 72% savings over pay-as-you-go). Use Azure Cost Management + Billing to set budgets with alert thresholds.
Azure AD Join: the device is joined only to Azure AD, with no on-premises AD relationship. Suits cloud-only or modern management with Intune. Users sign in with Azure AD credentials. Hybrid Azure AD Join: the device is joined to on-premises AD and also registered in Azure AD. Required for organisations that still need on-prem GPO, SCCM/MECM, and Kerberos-based authentication alongside modern management. The device must be domain-joined, and Azure AD Connect must sync device objects. Key exam/interview point: Hybrid AAD Join requires line of sight to a domain controller for the initial join.
Site-to-Site VPN goes over the public internet, encrypted via IPsec/IKE. It's quick to set up, low cost, but bandwidth is limited (max ~10 Gbps with VPN Gateway UltraPerformance SKU) and latency depends on internet conditions. ExpressRoute is a dedicated private connection from your on-premises network to Azure via a connectivity provider, bypassing the public internet entirely. It offers up to 100 Gbps, consistent low latency, and meets compliance requirements that prohibit data traversing the internet. Choose VPN for branch offices, backup connectivity, and budget-constrained environments. Choose ExpressRoute for headquarters, large data transfers, latency-sensitive workloads, and regulated industries (finance, healthcare).
Practice answering these under interview conditions using InterviUni's Azure Engineer mock interview — 20 real questions, scored feedback, and a hire/no-hire verdict.