Interview Prep

80 questions with visual answers, click to reveal

Showing 80 of 80

Explain the OSI model and its 7 layers Junior Network

A reference model that splits networking into seven layers, each handles one concern and talks to the layer above/below.

L7 Application HTTP, DNS

L6 Presentation

L5 Session

L4 Transport TCP/UDP

L3 Network IP

L2 Data Link MAC

L1 Physical bits

Layer	PDU
4–7	Data / segments
3	Packet
2	Frame
1	Bits

What's the difference between TCP and UDP? Junior Network

TCP

Connection-oriented
Reliable, ordered
Retransmits
Web, SSH, email

UDP

Connectionless
Best-effort
Low overhead
DNS, VoIP, gaming

Pick TCPWhen correctness > latencyPick UDPWhen speed & simplicity win

What is a subnet mask? Junior Network

A bitmask that splits an IP into network vs host portions. AND with IP → network address.

Example10.1.2.3 /24 → network 10.1.2.0 Mask /24255.255.255.0, 256 addresses (254 usable hosts)

Notation	Hosts (approx)
/16	65k
/24	254
/28	14

What is DNS and how does it work? Junior Network

DNS maps human-readable names to IPs (and other records). Hierarchical, distributed database.

Client→Resolver→Root→TLD→Auth NS

A/AAAAIPv4 / IPv6 addressCNAMEAlias to another nameTTLCache lifetime

What is DHCP? Junior Network

Dynamic Host Configuration Protocol, automates IP assignment and options (gateway, DNS, lease time).

Discover→Offer→Request→Ack (DORA)

UDP ports67 server, 68 clientLeaseTime-bound; renew before expiry

What are private IP ranges? Junior Network

RFC 1918 ranges not routable on the public internet, reused behind NAT.

Range	CIDR
10.0.0.0 – 10.255.255.255	10.0.0.0/8
172.16.0.0 – 172.31.255.255	172.16.0.0/12
192.168.0.0 – 192.168.255.255	192.168.0.0/16

WhyConserves public IPv4; isolate internal nets

What is ARP? Junior Network

Address Resolution Protocol, maps IP → MAC on the same L2 segment.

Need IP X→Broadcast ARP who-has→Owner replies MAC→Cache entry

LayerBetween L2 and L3Security noteSpoofing possible, use protections

What is a VLAN? Junior Network

Virtual LAN, logical broadcast domain on switches without rewiring. Tagged with 802.1Q VLAN ID on trunks.

Switch

VLAN 10
HR

VLAN 20
Eng

BenefitSegmentation, smaller broadcast domains

Name 5 well-known ports Junior Network

Port	Protocol
22	SSH
53	DNS
80	HTTP
443	HTTPS
25	SMTP

Range0–1023 well-known; 1024–49151 registered

What is HTTP vs HTTPS? Junior DevOps

HTTP

Plaintext L7 protocol. Port 80 default. Fast to debug, insecure on untrusted networks.

→

HTTPS

HTTP over TLS. Port 443. Encryption + server identity (certs) + integrity.

TLSRecord layer encrypts application data

What is a VPC in GCP? Junior Cloud

Virtual Private Cloud, your private software-defined network in Google Cloud: subnets, routes, firewall, connectivity to on-prem and other VPCs.

VPC (global resource)

Subnet (region)SubnetSubnet

ScopeVPC spans regions; subnets are regional

What is NAT? Junior Network

Network Address Translation, many private hosts share one (or few) public IPs. Rewrites src/dst IP:port in packets.

Private 10.x→NAT device→Public IP→Internet

SNATOutbound source rewriteDNATInbound to port forward

What is a firewall? Junior Network

A policy engine that permits or denies traffic based on rules (IP, port, protocol, identity, app).

Type	Inspects
Stateful	Tracks sessions (TCP/UDP flows)
Stateless	Each packet in isolation
WAF / L7	HTTP headers, URLs

Default stanceDeny-all + explicit allow is safest

What is a MAC address? Junior Network

Media Access Control, 48-bit (usually) hardware address on NICs. Unique per interface; used for L2 delivery on Ethernet.

Formataa:bb:cc:dd:ee:ff (hex octets)vs IPMAC flat/L2; IP hierarchical/L3

Switches learn MAC → port via source frames.

What is the difference between a hub, switch, and router? Junior Network

Device	Layer	Behavior
Hub	L1	Repeats to all ports, collision domain
Switch	L2	Frames to MAC destination, per-port collision domains
Router	L3	Routes between IP subnets

TodayHubs obsolete; L3 switches blur L2/L3

What is ICMP? Junior Network

Internet Control Message Protocol, diagnostics and errors for IP (not for app data like TCP payloads).

pingEcho request/reply (Type 8/0)tracerouteTTL exceeded / port unreachableNoteOften filtered by firewalls

What is IPv6 and why do we need it? Junior Network

128-bit addresses, vastly larger space than IPv4; simplifies some features (SLAAC, larger headers options).

IPv4

32-bit; NAT-heavy; dotted decimal

→

IPv6

128-bit; hex groups; end-to-end possible

CoexistDual-stack or tunneling during migration

What is a CDN? Junior DevOps

Content Delivery Network, edge caches close to users; origin shielded; lower latency for static assets.

User→Edge PoP→Cache hit?→Origin if miss

Good forImages, video, JS/CSS, API at edge

What is a load balancer? Junior DevOps

Distributes traffic across healthy backends, improves capacity and availability.

Clients

Load balancer (VIP)

S1S2S3

AlgorithmsRound-robin, least conn, weighted, hash

What is a proxy vs reverse proxy? Junior DevOps

Forward proxy

Sits near clients. Outbound web filter, anonymity, corporate egress.

Reverse proxy

Sits in front of servers. TLS termination, routing, caching (e.g. Ingress).

SeesForward: many clients one egress; Reverse: many clients one entry VIP

How does NAT work? Draw it. Mid Network

NAT maintains a translation table: (private IP:port) ↔ (public IP:port). Outbound packets get SNAT; return traffic matches the session.

10.0.0.5:4444

NAT / GW 203.0.113.1

Internet sees 203.0.113.1:9001

Inside	Outside
10.0.0.5:4444	203.0.113.1:9001

Explain the TCP 3-way handshake Mid Network

Synchronizes sequence numbers and confirms both sides can send/receive before data transfer.

SYN (seq=x)→SYN-ACK (ack=x+1, seq=y)→ACK (ack=y+1)

Why 3Prevents stale duplicate connectionsStateAfter ACK: ESTABLISHED

What is BGP and why is it important? Mid Network

Border Gateway Protocol, inter-domain routing on the internet. ASes exchange prefixes and path attributes (AS-PATH, communities).

eBGPBetween autonomous systemsiBGPInside one ASPolicyTraffic engineering, prepending, communities

Explain TLS handshake steps Mid DevOps

ClientHello→ServerHello + cert→Key exchange→Finished

Phase	Purpose
Negotiate	Cipher suites, TLS version, extensions
Authenticate	Server (and optionally client) cert
Keys	ECDHE → shared secret → session keys

What is the difference between static and dynamic routing? Mid Network

Static

Admin-configured routes
Predictable, low overhead
Poor scaling / failover

Dynamic

Protocols learn topology
Adapts to failures
OSPF, BGP, etc.

How do GCP firewall rules work? Mid Cloud

Stateful VPC firewall, rules match direction, priority, targets (tags, SA, CIDR), and Layer 4 (and FQDN/region tags in some policies).

ImpliedDeny ingress, allow egress (can override)PriorityLower number = evaluated firstHierarchyOrg/folder policies can enforce guardrails

Explain Cloud NAT and when to use it Mid Cloud

Managed SNAT for VMs without public IPs to reach the internet (outbound). Inbound initiated from internet not allowed without LB or IAP.

Private VM→Cloud NAT GW→Public IP pool→Internet

Use whenEgress updates, APIs; no direct inbound

What are the different GCP load balancer types? Mid Cloud

LB	Scope	Layer
External HTTP(S)	Global / regional	L7
Internal HTTP(S)	Regional	L7
TCP/UDP Network	External or internal	L4 pass-through
Proxy vs passthrough	,	SSL proxy, TCP proxy

How does Docker bridge networking work? Mid DevOps

Default bridge creates a Linux bridge; containers get veth pairs; docker0 (or custom bridge) SNATs outbound via host IP.

c1c2c3

veth

docker0 bridge

Host eth0 NAT

What is 802.1Q trunking? Mid Network

Tags Ethernet frames with a 4-byte VLAN tag (TPID + TCI) so multiple VLANs share one physical trunk between switches.

Native VLANUntagged on trunk, must align both endsAccess portSingle VLAN, usually untagged to host

Explain the DHCP DORA process Mid Network

Discover→Offer→Request→Acknowledge

Msg	Who
D	Client broadcast, need IP
O	Server(s) propose lease
R	Client picks server/address
A	Server confirms + options

What is VPC Peering vs Shared VPC? Mid Cloud

VPC Peering

Two VPCs connect privately. Separate admins; no transitive peering; non-overlapping RFC1918.

Shared VPC

Host project owns network; service projects attach subnets. Centralized network admin.

How does Cloud VPN work? Mid Cloud

IPsec tunnels between GCP HA VPN gateway and peer (on-prem or other cloud). Traffic encrypted over internet; routes via Cloud Router (BGP) or static.

GCP VPC↔VPN GW↔Internet↔Peer GW↔On-prem

What are Kubernetes Service types? Mid DevOps

Type	Reachability
ClusterIP	Internal only (default)
NodePort	HostPort range on nodes
LoadBalancer	Cloud LB + external IP
ExternalName	CNAME to external DNS

kube-proxyiptables/IPVS rules to backends

How does DNS resolution work step by step? Mid Network

Stub resolver→Recursive resolver→Cache?→Iterative to authoritative

RecursiveDoes full chase for clientAuthoritativeAnswers for its zone only

What is Cloud Armor? Mid Cloud

Edge security policy for HTTP(S) Load Balancing, WAF rules, IP allow/deny lists, rate limiting, bot management, adaptive protection.

Internet→GLB→Cloud Armor→Backends

What is the difference between L4 and L7 load balancing? Mid DevOps

L4

IP + TCP/UDP ports. Fast, transparent. No HTTP routing or cookies.

L7

Understands HTTP, host/path headers, TLS, redirects, WAF integration.

Explain GCP network tiers Mid Cloud

Tier	Path
Premium	Google global backbone, enters/exits near users
Standard	ISP paths for egress; lower cost, less predictable

Pick PremiumLatency-sensitive, global users

What is Private Google Access? Mid Cloud

Lets VMs with only private IPs reach Google APIs and services (e.g. GCS, BigQuery) via Google’s private connectivity, no public internet for those calls.

Enable onSubnet settingvs PSCPGA is for Google APIs; PSC is for published services

What is ARP spoofing and how to prevent it? Mid Network

Attacker sends fake ARP replies so victims map gateway IP to attacker MAC, MITM risk on L2.

MitigationsDynamic ARP inspection, 802.1X, port security, segmentationHigher layermTLS, always verify TLS certs

How does encapsulation work? Mid Network

Each layer wraps payload with its header; peer strips on receive. MTU shrinks as headers stack (e.g. IPsec, GRE).

Eth hdr | IP hdr | TCP hdr | Data

Outer frame carries inner packet

What is a Cloud Router? Mid Cloud

Managed BGP speaker, exchanges routes with Cloud VPN, Cloud Interconnect, or partner attachments; creates dynamic routes in VPC.

Peer BGP↔Cloud Router→VPC route table

Explain Kubernetes Ingress Mid DevOps

API object + controller that programs an L7 proxy (e.g. GCE, nginx, GKE Ingress) with host/path rules to Services.

Client→Ingress / LB→Service:port→Pod endpoints

IngressClassSelects which controller implements

What is mTLS? Mid DevOps

Mutual TLS, both client and server present certificates; strong service identity for east-west traffic (common in service mesh).

TLS

Usually server-only cert

mTLS

Client cert + server cert

What is CIDR and why replace classful? Mid Network

Classless Inter-Domain Routing, prefix length /n defines network size flexibly; ended waste of Class A/B/C rigid boundaries.

Old	Issue
Classful	Only 3 sizes; routing tables exploded
CIDR	Aggregate routes (supernetting)

Design a VPC for a multi-team org on GCP Senior Cloud

Use Shared VPC: host project for networking; each team = service project with subnets in agreed regions. Central firewall policies + hierarchical guardrails.

Host VPC

Team A subnetTeam B subnetShared services

IPAMNon-overlapping RFC1918 per env (dev/qa/prod)EgressCloud NAT per region; Private Google Access

Your app has 500ms latency spikes, debug it Senior DevOps

Metrics→Trace waterfall→DNS/TLS/LB→DB/queue

Check	Tooling
Network vs app	p95 per hop, connection reuse
K8s	CoreDNS, kube-proxy, CNI
GCP	LB logs, VPC Flow Logs, SRE golden signals

How would you migrate on-prem to GCP? Senior Cloud

Assess→Connectivity→Landing VPC→Wave migrate

NetworkInterconnect + Cloud Router BGP; non-overlap or NATDNSSplit horizon, weighted failoverSafetyParallel run, rollback routes

Design a multi-region HA setup on GCP Senior Architect

Global HTTPS LB → multi-MIG / serverless NEG in ≥2 regions. Spanner or replicated DB; GCS dual-region or multi-region. Health checks drive failover.

Region ARegion B

Global LB + anycast front end

Explain VPC Service Controls Senior Cloud

Security perimeter around Google-managed services, limits data exfil via compromised creds; defines ingress/egress policies to projects/VPCs.

Use withPrivate Google Access, PSC, supported APIsTradeoffMore ops overhead; breaks naive public tooling

How do you troubleshoot a VPN tunnel that keeps dropping? Senior Network

Area	Action
IKE	Match phase1/2 timers, PFS, encryption
BGP	Hold timer, ASN, MD5 off
Path MTU	TCP MSS clamp / reduce packet size
NAT-T	UDP 4500 if behind PAT

LogsCloud Logging VPN / Router; peer device counters

Design network security for a 3-tier app Senior Cloud

Internet → GLB + Armor

Web tier subnet (ingress only)

App tier (no direct ingress)

Data tier (private IP, IAM)

RulesLeast privilege between tiers; PSC or private Service Connect to managed DB

How does GKE networking work under the hood? Senior DevOps

Nodes in VPC subnets; Pod CIDR routes (VPC-native alias IPs). kube-proxy or eBPF dataplane; Ingress/Gateway API → GCLB.

Pod IP→Node routing→VPC→Cloud LB / PSC

DataplaneCalico/Cilium options; Network Policy L3/L4

When would you use Dedicated IC vs Partner IC? Senior Cloud

Dedicated Interconnect

Private fiber to Google POP, highest bandwidth & stability; 10G/100G; longer lead time.

Partner Interconnect

Reach Google via carrier, faster to provision; good when no POP in building.

How do you handle overlapping CIDRs in hybrid? Senior Cloud

Avoid overlap in design. If unavoidable: re-IP one side, or use NAT/custom routes so advertised prefixes don’t collide.

GCPCloud NAT + selective route advertisementDNSSplit views; FQDN to correct target

Explain Private Service Connect Senior Cloud

Private endpoint in consumer VPC to producer service, traffic stays on Google backbone; no public IPs required.

Consumer VPC→PSC forwarding rule→Producer attachment

Design a zero-trust network on GCP Senior Architect

Identity-aware access (IAP), BeyondCorp-style: verify user + device + context every request, no trusted “inside.”

ControlsVPC SC, Org policies, mTLS mesh, IAM ConditionsObservabilityAudit logs, VPC Flow Logs, Chronicle

How to debug packet loss between two VMs in GCP? Senior Cloud

Ping MTR→Firewall rules→Routes / MTU→Flow Logs

Check	Why
MTU 1460	GCE VPC MTU defaults
Tags / SA	Rule target mismatch
ILB as next-hop	Asymmetric paths

What is BGP route advertisement in Cloud Router? Senior Cloud

Cloud Router advertises VPC subnet routes (and custom learned routes) to peer over VPN/Interconnect; learns remote prefixes from peer.

CustomAdvertise specific CIDRs; MED, ASN prepending with peer config

How does Kubernetes NetworkPolicy work? Senior DevOps

L3/L4 rules enforced by CNI, select pods by labels/namespaces; allow ingress/egress to CIDR or pod selectors.

DefaultAllow-all if no policies; first deny needs explicit allowsDNSOften must allow kube-dns explicitly

Design a CDN strategy for global content delivery Senior DevOps

Cache static at edge; short TTL for HTML; versioned asset URLs; origin shield; split live vs VOD.

Cloud CDN+Signed URLs+Brotli / HTTP2

Explain GCP Shared VPC architecture Senior Cloud

Host project owns VPC; standalone projects attach as service projects, use subnets granted by host admin.

Host: VPC + firewall + NAT

Svc Proj ASvc Proj B

How do you size subnets for a large GCP deployment? Senior Cloud

Forecast VMs, GKE nodes, PSC, ILB proxies; reserve for auto-scaling; use secondary ranges for pods/services.

Item	Tip
GKE	/20+ per cluster per region often
Proxy-only	Dedicated subnets for L7 ILB

What are GCP hierarchical firewall policies? Senior Cloud

Org/folder-level policies that apply to VPC networks under them, enforce deny/allow guardrails project teams cannot weaken.

UseMandatory deny egress except NAT, block risky ports

How would you set up service mesh in GKE? Senior DevOps

Managed Anthos Service Mesh or Istio on GKE, sidecar or ambient; mTLS, traffic policies, observability.

Install control plane→Label namespaces→Rollout sidecars→SLO + authz

Explain OSPF areas and when to use multi-area Senior Network

Area 0 backbone; other areas connect through ABRs, contains LSA flooding, speeds SPF, improves stability.

Use multi-areaLarge topology, slow routers, admin boundaries

How do you handle DNS in a hybrid cloud setup? Senior Cloud

Inbound/outbound forwarding zones; Cloud DNS ↔ on-prem BIND with conditional forwarding; split-horizon for private zones.

VM→Metadata DNS→Forwarding / peering

Design network monitoring for a production GCP env Senior Cloud

Signal	Source
Flow logs	VPC sampling / full
LB	Request logs, Armor
Synthetic	Uptime checks
Dashboards	Cloud Monitoring SLO

How does Cloud Interconnect achieve high availability? Senior Cloud

Redundant VLAN attachments in same/different metros; BGP over multiple paths; LAG on-prem where possible.

IC A||IC B→Cloud Router→VPC

Explain container networking in Kubernetes Senior DevOps

Each pod gets an IP (CNI); same-node pods share bridge; cross-node via overlay or routed VPC.

Service

Stable VIP → iptables/IPVS to pod endpoints

kube-dns

Name → ClusterIP

Design a multi-region active-active architecture Principal Architect

Global anycast or geo-DNS → regional LBs; stateless tiers scale horizontally; data layer with conflict-free strategy (CRDT, sharding, or active-passive DB per shard).

DataSpanner / Cockroach / regional primary + async replicaTradeoffWrite latency vs consistency (CAP)

How would you architect networking for 100+ GCP projects? Principal Architect

Few Shared VPCs per environment; folder hierarchy maps to policy; centralized DNS and egress; project factory with CIDR pools.

Org policies→Per-env Shared VPC→PSC hub

Design a global anycast DNS strategy Principal Architect

Authoritative DNS at multiple POPs with same IP anycast; low TTL for failover; health checks steer bad edges.

CombineGeo routing for compliance + anycast for latency

How to achieve sub-100ms latency globally? Principal Architect

Edge compute + cache; keep data near users; avoid cross-region chatter; WebSockets/gRPC keep-alive; premium backbone.

Lever	Action
Read-heavy	CDN + stale-while-revalidate
Write-heavy	Regional cells, async replication

Design a disaster recovery network plan Principal Architect

RTO/RPO drive design: cold/warm/hot DR site; DNS failover; replicate VPC configs as IaC; runbooks for BGP/LB cutover.

Detect→Declare→Shift traffic→Validate

Architect a secure multi-cloud network Principal Architect

Hub transit (cloud router appliance or native) with consistent segmentation; avoid flat peering mesh; centralized logging.

IdentityFederation + workload identity per cloudDataEncrypt in transit (IPsec/MACsec) + KMS strategy

How would you handle 10Tbps DDoS on GCP? Principal Architect

Google edge absorbs volumetric; Cloud Armor rate limits + geo blocks + adaptive protection; origin only sees scrubbed traffic.

AppChallenge auth, cache, autoscale cautiously

Design network segmentation for a regulated industry Principal Architect

PCI/HIPAA-style zones: CDE isolated; jump hosts + IAP; no direct internet to data tier; audit all east-west.

Untrusted

DMZ

Trusted / PHI

Evaluate build vs buy for a global load balancing solution Principal Architect

Buy (GLB + CDN)

Time to value, SRE baked in, vendor limits on advanced L7

Build

Control, custom protocols; ops burden + PoP cost

Design a network architecture for a company going from 10 to 10,000 employees Principal Architect

Start with IdP + SSO; SD-WAN or hub-spoke VPN; split offices into sites; RFC1918 plan; later add ZTNA instead of flat VPN.

Identity→Segmentation→Cloud hub→Governance