# 3 Real Cloud Architect Interview Questions Hiring Managers Actually Ask

## Metadata

- **Channel:** Go Cloud Architects
- **YouTube:** https://www.youtube.com/watch?v=jUV21u6OaEM

## Contents

### [0:00](https://www.youtube.com/watch?v=jUV21u6OaEM) Segment 1 (00:00 - 05:00)

Are you looking for Cloud Architect interview questions? If so, this video is for you. Hi, my name is Mike Gibbs, and today we're going to talk about three Cloud Architect interview questions that I usually initially use as a screener. I potentially have a call with the potential architect. I ask these three basic questions. One is a business acumen question, one is a basic cloud infrastructure question, and one is a security question. And I use these three questions to determine if I'm going to bring that architect in for an interview. Now, the first question I ask is a business acumen question, because the cloud architect role requires substantial business acumen. And the first question I ask, and I'll tell you why I ask it, is: how does an organization's weighted average cost of capital help determine the cost comparison between a private cloud and a public cloud solution? Now, this gives me an incredible amount of knowledge on the amount of business the architect knows, which is going to be critical to create a business case and design the most financially optimal architectures. So here's how I would answer that question. Weighted average cost of capital is the organization's cost of money, and an organization's weighted average cost of capital will therefore have a major impact on a build versus buy versus rent decision. And in cloud computing, we have decisions like, do we host the workload in a private cloud? Do we put it in a co-location facility? Do we put it in a public cloud provider? And the decision is not what you would learn in a cloud certification, which is, do we spend $400,000 for this server right now, or do we use pay-as-you-go pricing on the cloud? The decision really is, which is cheaper: to just buy the server outright, to finance the server, to lease the server, or to host it in a cloud provider? And a cloud architect that understands weighted average cost of capital will determine the most cost-effective solution.

So let's assume we have a weighted average cost of capital of 8%, and we have a $400,000 server from Dell, which costs approximately $3 million to run on any public cloud provider for approximately four years. We now use that 8% weighted average cost of capital to finance that server. It costs approximately $10,000 per month. Now, if that organization was looking for an operational expense, assuming a 10% residual value of the server, they could lease that server for approximately $9,000 a month. Of course, that organization is free to rent that server on the cloud for $62,500 per month, which is typically what it costs. Now, of course, when you're computing the cost of an infrastructure, it's not just one server. It might be thousands of servers, routers, switches, firewalls, electric, what have you. But in order to be able to actually build a real business case to determine what the right cost for the architecture is, you require business acumen. And that's why I use that as a screener question. Now, this next question I ask really separates people that understand cloud infrastructure, like how clouds are designed, how clouds work, how they fail, versus the people that have got certifications but don't really know cloud computing. They know how to click the boxes, but they don't know how to design on the cloud. So the question I ask is, why is it practically impossible to achieve true mission-critical high availability on a single cloud provider, no matter how many regions and availability zones are used on that cloud provider? Now, that gives me so much information. And here's what an answer to that question should sound like. The reason it's near impossible to achieve mission-critical high availability on a single cloud provider, no matter how many regions and availability zones are used, is that all of those regions and availability zones are basically hosted by a shared provider with some degree of shared dependencies.

And I'll explain what I mean by that, which means any of these dependencies, if they have a problem, can take the entire cloud down and all of its regions and availability zones. The first thing that can take an entire cloud down is a control plane failure. That orchestrates everything in the cloud, and if that goes down, the entire cloud provider can become unavailable. The next thing is an identity system failure. Modern cloud providers and modern cloud infrastructure are heavily dependent upon the organization's identity systems. And if any of the organization's IAM systems experiences a major outage, authentication across environments can fail globally, which means, realistically speaking, you're down no matter how many places you are in. Now, cloud computing is nothing more than many data centers that are running a software layer on top of them, that cloud control plane, what have you. And that means cloud providers are constantly deploying new software on the cloud.

### [5:00](https://www.youtube.com/watch?v=jUV21u6OaEM&t=300s) Segment 2 (05:00 - 10:00)

And if the cloud provider has a significant software deployment failure, that could take down any of the regions, any of the cloud. So that's something we have to be concerned about. Now, networking is really where things break, and things break fairly easily. So in order for the cloud provider's availability zones and data centers to talk to each other, they have to have routing between them and networking between them. So that means if the cloud provider has any major kind of routing failure or network failure, the entire cloud, all of its regions and availability zones, could become unreachable simultaneously. Now, when we think of a cloud provider, we're dealing with shared infrastructure. Even if regions are isolated, you typically have some kind of global DNS structure, identity infrastructure, API gateways and various things. So any of that in the shared infrastructure can be a problem, which is why sometimes, when you see a cloud provider lose a major region or a major availability zone, people have trouble reaching other regions as well. Now, obviously, a serious security event could bring an entire cloud down. And what is the biggest, highest-value target in the world? For the most part, it's a cloud provider that hosts many enterprises' data. So any kind of major attack on a cloud provider can bring down the cloud and its customers. And you should rest assured that people are constantly trying to break into cloud providers. Now, cloud providers are great at what they do, but you know you want to build an architecture that survives any of these kinds of failures. And that's why, realistically speaking, if you need true high availability, you'll do what 98% of enterprises do, which is either hybrid cloud or hybrid multi-cloud, because true resilience requires eliminating any single point of failure, not just spreading them across zones.

Now, question three that I'm going to ask is a basic security question. Now, when you're in the cloud, we basically need to migrate towards zero trust, especially the way that clouds are designed and the way systems are shared. So I usually use a zero trust question to see if the Cloud Architect has the potential basics of security. And I like to say, what does it take to design a zero trust architecture for a modern enterprise? And I want people to tell me that zero trust is an architecture philosophy built on a single core principle: never trust, always verify. So that means we're going to need a multifaceted approach to design a true zero trust architecture solution. So let me describe what that takes. The first thing we're going to need is a very strong identity foundation, because in zero trust, identity becomes the new perimeter. You have to verify everything that you're doing. So that means we need some kind of very strong authentication approach, things like FIDO resistant multi-factor authentication, for example. And we're going to need some intelligence in our identity strategy. When I say intelligence, I'm usually referring to context-aware, like, you're coming in at the wrong time of the day, from the wrong location, with the wrong device, that kind of thing. And we typically need some strong identity lifecycle management in terms of credentials and other things. So identity being strong is going to be critical in a zero trust architecture. Now, in the architecture, we really want to stay by that principle of least privilege. Users and systems should only receive the permissions that are going to be required for their specific role. Again, this is not new, but it's a framework of many things. In zero trust, we are very concerned about the security of every device. We don't want to trust anything, so we want to know what comes on our system. So access decisions are part of the security policy.

So if someone wants to log in, plug their device in, we should be doing device compliance checks, making sure that they're compliant and that they're the right devices, making sure that those devices themselves have some form of endpoint detection and response system on there. Make sure the devices are who they claim to be by, say, verifying the device's certificate, for example. Now, in a zero trust architecture, we want to micro-segment. And what do I mean by that? If a hacker gets attached to this server, they shouldn't be able to go laterally to this server, for example. So we want to segment those networks. And that means segmenting your cloud into multiple VPCs, potentially without peering or routing between them. That means separating subnets via ACLs. That means segmenting things with firewalls, segmenting things with security groups, segmenting things with VLANs, for example, in a private cloud. So the key is making sure that we limit the blast radius. So if something happens here, it can't go here and contaminate the entire environment. At least that's what we're building for. Workloads should only communicate with explicitly allowed systems. Now, in a zero trust environment, we continually monitor things. Trust is never permanent. We can't just put a device there and think it's great. We have to constantly be making access decisions on how the devices and users, what have you, are behaving.

### [10:00](https://www.youtube.com/watch?v=jUV21u6OaEM&t=600s) Segment 3 (10:00 - 12:00)

So we should be looking at their behavior, for example, and running out of Linux on that. We should have a good understanding of the various threat intelligence feeds. What are the threats coming at us? And are we being exploited by them? We should be running anomaly detection inside of our systems. Especially AI helps here to make sure that things aren't happening that shouldn't be happening. And obviously data is going to be critical in any security architecture, obviously zero trust architecture as well. So data must be secured wherever it's at. And that means we need a good data privacy architecture. And whether that's things like data privacy techniques like minimization, tokenization, obviously what have you, whether it's encryption of the data at rest, in transit, and potentially even while it's being computed, let's say homomorphic encryption, it means being able to classify the data, catalog the data, implement the right data loss prevention strategies to protect data from exfiltrating our system. And when implemented correctly, zero trust will really reduce the blast radius of breaches and really improve our overall security posture. So these are three basic cloud architect interview questions that I usually use as a screener to determine if I should have a bigger conversation with the architect. Now, if you're looking for your first architect job, maybe a cloud architect, an enterprise architect, a security architect, an AI architect, for example, I hold a free architecture webinar twice per week where I'll talk about the various architectural roles. I'll talk about what we do in those roles, the skills that you need in those roles. For example, I'll talk about even how to get employers to come to you so you don't have to send a whole bunch of applications and get auto-rejected, on this free webinar. Now, you can sign up for these free architecture webinars in the description of this video.

These webinars are on Zoom, so we can have a face-to-face conversation. You can ask me any questions you want. And on these free architecture webinars, I'll do anything I can to assist you in your architecture career. Now, I hope you enjoyed this video, and if you did, give it a like, subscribe to our channel and hit the bell to be notified of new videos to assist you in your architecture career. This is Mike Gibbs signing off for now, and I'll see you in the next video or, hopefully, Zoom webinar. Bye.
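The build-versus-finance-versus-lease-versus-rent comparison from the first interview question, worked through as an added example (this is not code from the video or from Go Cloud Architects). It takes the round numbers the speaker quotes as its assumptions: an 8% WACC, a $400,000 server, a four-year horizon, a 10% residual value for the lease, and roughly $3 million of public cloud spend over those four years. The monthly payments are computed with the standard level-payment (annuity) formula at a monthly rate of WACC/12, and each option is also brought back to a present value at the organization's WACC so the options can be compared on the same basis.

```python
"""Build vs. finance vs. lease vs. rent, priced with the organization's WACC.

Added illustration, not the video's own material. Every input below is an
assumption taken from the round numbers quoted in the video.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Inputs:
    price: float = 400_000.0          # purchase price of the server (assumed)
    wacc: float = 0.08                # annual weighted average cost of capital (assumed)
    months: int = 48                  # planning horizon and financing term (assumed)
    residual: float = 0.10            # residual value fraction for the lease (assumed)
    cloud_total: float = 3_000_000.0  # all-in public cloud cost over the horizon (assumed)


def monthly_rate(wacc: float) -> float:
    """Convert an annual WACC to a monthly rate (simple division, no compounding adjustment)."""
    return wacc / 12.0


def annuity_factor(r: float, n: int) -> float:
    """Present value of $1 paid at the end of each month for n months at monthly rate r."""
    return (1 - (1 + r) ** -n) / r


def finance_payment(i: Inputs) -> float:
    """Level monthly payment that repays the full price over the term at WACC."""
    return i.price / annuity_factor(monthly_rate(i.wacc), i.months)


def lease_payment(i: Inputs) -> float:
    """Monthly lease payment: only the value the lessor expects to lose is financed.
    The residual value is discounted back to today before being subtracted."""
    r = monthly_rate(i.wacc)
    residual_pv = i.price * i.residual / (1 + r) ** i.months
    return (i.price - residual_pv) / annuity_factor(r, i.months)


def cloud_payment(i: Inputs) -> float:
    """Pay-as-you-go treated as a flat monthly charge spread over the same horizon."""
    return i.cloud_total / i.months


def present_value(monthly: float, i: Inputs) -> float:
    """Discount a level monthly stream back to today at the organization's WACC."""
    return monthly * annuity_factor(monthly_rate(i.wacc), i.months)


def compare(i: Inputs = Inputs()) -> dict:
    """Return each option's monthly outlay and its WACC-discounted present value.

    Buying outright is one up-front payment, so its present value is the price itself;
    its 'monthly' figure is just straight-line price/months for display.
    """
    monthly = {
        "finance": finance_payment(i),
        "lease": lease_payment(i),
        "cloud": cloud_payment(i),
    }
    pv = {name: present_value(m, i) for name, m in monthly.items()}
    pv["buy_outright"] = i.price
    monthly["buy_outright"] = i.price / i.months
    cheapest = min(pv, key=pv.get)
    return {"monthly": monthly, "present_value": pv, "cheapest": cheapest}


if __name__ == "__main__":
    result = compare()
    for name, m in result["monthly"].items():
        print(f"{name:13s} ${m:>10,.0f}/month   PV ${result['present_value'][name]:>12,.0f}")
    print("cheapest on a present-value basis:", result["cheapest"])
```

With the assumed inputs the monthly column lands close to the figures quoted in the video: roughly $9,765 to finance (the "approximately $10,000"), roughly $9,055 to lease (the "approximately $9,000"), and exactly $62,500 for the cloud option. The present-value column is the apples-to-apples figure a business case should rest on; financing comes out at the $400,000 price by construction, the lease is lower because the residual is handed back, and the cloud stream discounts to about $2.56 million.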

---
*Source: https://ekstraktznaniy.ru/video/30135*