
REST & Microservices Interview Questions (50+ Detailed Q&A)

1. REST API Design

Answer:
  1. Client-Server: Separation.
  2. Stateless: Server stores no session.
  3. Cacheable: Client can cache.
  4. Uniform Interface: Standard verbs/paths.
  5. Layered System: LBs/Proxies transparent.
  6. Code on Demand: (Optional) JS.
Answer:
  • GET: Safe (no side effects). Idempotent.
  • POST: Create. NOT Idempotent (two calls create two resources unless an Idempotency-Key is used).
  • PUT: Replace/Update. Idempotent.
  • PATCH: Partial Update. NOT guaranteed Idempotent (depends on the operation: setting a field is, appending to a list is not).
  • DELETE: Remove. Idempotent (a second call may return 404, but the resulting state is the same).
Answer:
  • 2xx: Success (200 OK, 201 Created, 204 No Content).
  • 3xx: Redirection (301 Moved Permanently, 304 Not Modified).
  • 4xx: Client Error (400 Bad Request, 401 Unauthorized (really: not authenticated), 403 Forbidden (authenticated but not allowed), 404 Not Found, 429 Too Many Requests).
  • 5xx: Server Error (500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable).
Answer:
  • SOAP: XML, Strict Contract (WSDL), Transport independent (can use SMTP), Heavy.
  • REST: JSON/XML, HTTP based, Lightweight, Flexible.
Answer: Hypermedia As The Engine Of Application State. Response contains links to the next possible actions, e.g. { "id": 1, "links": [{ "rel": "delete", "href": "/users/1" }] }. Makes the API discoverable. Only the root URL needs to be hardcoded in the client.
Answer:
  • Offset/Limit: skip=10&limit=10. Simple. Slow on deep pages (DB scans and discards the skipped rows); results shift if rows are inserted between pages.
  • Cursor: after=cursor_id. Fast (seeks on an indexed key). Stable under inserts. No total count. Make the cursor opaque (encoded or signed) so clients cannot craft one that points at rows they should not see.
Answer:
  • URI Path: /v1/users (Most common).
  • Query Param: ?v=1.
  • Header: Accept-Version: v1.
Answer: Client sends Accept: application/json. Server returns JSON. If Accept: application/xml, server tries XML. Returns 406 Not Acceptable if unsupported.
Answer:
  • PUT /users/1: Requires sending FULL object. Replaces entire resource.
  • PATCH /users/1: Send only { "email": "new" }. Merges.
Answer: Return 202 Accepted immediately. Include Location: /tasks/123. Client polls /tasks/123 (honouring Retry-After) until status is “Completed”, then follows the link to the result.

2. Microservices Architecture

Answer:
  • Monolith: Single codebase/deploy. Simple. Scales vertically or cloning. High coupling.
  • Microservices: Independent services. Complex ops. Independent scaling/deploy. Loose coupling.
Answer: Anti-pattern to share DB. Each service owns its data. Others access via API. Ensures Loose Coupling. Challenges: Distributed Transactions, Joint Reporting.
Answer: Single Entry Point. Handles: Auth, Rate Limiting, Routing, TLS Termination, Request aggregation. Tools: Kong, Apigee, AWS API Gateway. Gateway auth does not replace per-service authorization: services behind it must still verify the caller (forwarded token or mTLS), otherwise anything that reaches the internal network is trusted.
Answer: Services fetch dynamic IP of peers.
  • Client-side: Client queries Registry (Consul/Eureka).
  • Server-side: Client calls LB. LB queries Registry. K8s DNS is Server-side.
Answer: Sequence of local transactions. If step 3 fails, execute Compensating Transactions (Undo) for step 2 and 1 in reverse.
  • Choreography: Event based.
  • Orchestration: Central coordinator.
Answer: Split Write Model (Command) and Read Model (Query). Write to Normalized DB. Sync to Denormalized Read DB (Elasticsearch). Scale Reads independently.
Answer: Store State as sequence of Events (UserCreated, NameChanged). Replay events to restore state. Audit trail built-in.
Answer: Wrap external calls. If failures > threshold, trip breaker. Return fallback response / error immediately. Prevent cascading failure.
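The breaker state machine described above (closed, open, half-open) as an added example; this is illustrative code written for this page, not a library or a framework's implementation. The clock is injected so the demo runs without sleeping; the thresholds, the FakeClock and the failing upstream are constructed for the demo.

```python
import time
from enum import Enum


class State(Enum):
    CLOSED = "closed"        # calls pass through, failures are counted
    OPEN = "open"            # calls fail fast with the fallback
    HALF_OPEN = "half_open"  # one trial call decides whether to close again


class CircuitBreaker:
    """Wraps calls to one external dependency.

    failure_threshold consecutive failures trip the breaker; after
    recovery_timeout seconds one trial call is allowed through (half-open).
    """

    def __init__(self, failure_threshold=3, recovery_timeout=30.0, clock=time.monotonic):
        self.failure_threshold = failure_threshold
        self.recovery_timeout = recovery_timeout
        self.clock = clock
        self.state = State.CLOSED
        self.failures = 0
        self.opened_at = 0.0

    def call(self, fn, fallback):
        if self.state is State.OPEN:
            if self.clock() - self.opened_at < self.recovery_timeout:
                return fallback()          # fail fast, do not touch the upstream
            self.state = State.HALF_OPEN   # timeout elapsed: allow one trial call
        try:
            result = fn()
        except Exception:
            self._on_failure()
            return fallback()
        self._on_success()
        return result

    def _on_failure(self):
        self.failures += 1
        if self.state is State.HALF_OPEN or self.failures >= self.failure_threshold:
            self.state = State.OPEN
            self.opened_at = self.clock()

    def _on_success(self):
        self.failures = 0
        self.state = State.CLOSED


class FakeClock:
    """Constructed clock for the demo (assumption: no real time passes)."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Three failures trip the breaker, the fourth call never reaches the
    upstream, and after the timeout a successful trial call closes it again.
    Returns (result, state) after each call and how often the upstream ran."""
    clock = FakeClock()
    breaker = CircuitBreaker(failure_threshold=3, recovery_timeout=30.0, clock=clock)
    upstream_calls = {"count": 0}

    def upstream(succeed):
        def fn():
            upstream_calls["count"] += 1
            if not succeed:
                raise ConnectionError("upstream down")  # constructed failure
            return "ok"
        return fn

    def fallback():
        return "fallback"

    events = []
    for _ in range(3):
        events.append((breaker.call(upstream(False), fallback), breaker.state.value))
    events.append((breaker.call(upstream(True), fallback), breaker.state.value))  # open: short-circuited
    clock.advance(31)
    events.append((breaker.call(upstream(True), fallback), breaker.state.value))  # half-open trial succeeds
    return events, upstream_calls["count"]


if __name__ == "__main__":
    print(demo())
```

The fourth call is the point of the pattern: it returns the fallback without invoking the upstream at all, so a hung dependency stops consuming threads and sockets in the caller.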
Answer: Migrating Monolith to Microservices. Put Gateway in front. Route new functionality to new Service. Gradually extract pieces until Monolith dies.
Answer: Isolate resources (Thread pools). If Service A hangs, it consumes its own pool, leaving Service B pool free.

3. Communication Protocols

Answer:
  • gRPC: HTTP/2. Protobuf (Binary). Bidirectional streaming. Strict schema. Fast (Internal).
  • REST: HTTP/1.1. JSON (Text). Request/Response. Flexible. Broad support (External/Browser).
Answer:
  • GraphQL: Client asks for exactly what it needs (No Over-fetching). Single Endpoint. Graph traversal.
  • REST: Fixed response structure. Over/Under-fetching. Multiple Endpoints.
Answer: “Don’t call us, we’ll call you”. Server POSTs the payload to a client-registered callback URL when an event occurs. The sender should sign the payload (HMAC over body plus timestamp) and the receiver should verify that signature over the raw bytes and reject stale timestamps, otherwise anyone who knows the callback URL can spoof or replay events.
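Both sides of a signed webhook delivery as an added example (not code from the original page or from any provider): the header names, the secret and the event body are assumptions constructed for the demo.

```python
import hashlib
import hmac

# Header names are an assumption for this example, not a standard.
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
SIGNATURE_HEADER = "X-Webhook-Signature"


def sign_webhook(secret: bytes, timestamp: int, body: bytes) -> dict:
    """Sender side: MAC over timestamp + raw body so neither can be changed."""
    msg = str(timestamp).encode() + b"." + body
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {TIMESTAMP_HEADER: str(timestamp), SIGNATURE_HEADER: "sha256=" + mac}


def verify_webhook(secret: bytes, headers: dict, body: bytes, now: int, tolerance: int = 300) -> bool:
    """Receiver side. Verify over the raw bytes, before JSON parsing.
    Rejects missing/garbled headers, stale timestamps (replay window) and
    signature mismatches; compare_digest avoids a timing side channel."""
    ts = headers.get(TIMESTAMP_HEADER)
    sig = headers.get(SIGNATURE_HEADER, "")
    if ts is None or not sig.startswith("sha256="):
        return False
    try:
        ts_int = int(ts)
    except ValueError:
        return False
    if abs(now - ts_int) > tolerance:
        return False
    expected = sign_webhook(secret, ts_int, body)[SIGNATURE_HEADER]
    return hmac.compare_digest(expected, sig)


def demo():
    """Constructed delivery: a genuine event, then three tampered variants."""
    secret = b"whsec_example_shared_secret"   # constructed per-endpoint secret
    body = b'{"event":"order.paid","order_id":42,"amount":1999}'
    sent_at = 1_700_000_000
    headers = sign_webhook(secret, sent_at, body)
    return {
        "genuine": verify_webhook(secret, headers, body, now=sent_at + 5),
        "tampered_body": verify_webhook(secret, headers, body.replace(b"1999", b"1"), now=sent_at + 5),
        "replayed_later": verify_webhook(secret, headers, body, now=sent_at + 3600),
        "wrong_secret": verify_webhook(b"other", headers, body, now=sent_at + 5),
    }


if __name__ == "__main__":
    print(demo())
```

Verify against the exact bytes received, not a re-serialised JSON object: any whitespace or key-order change produces a different MAC.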
Answer: Standard HTTP connection kept open. Server pushes text data. Uni-directional.
Answer: Full-duplex channel over a single TCP connection, established by an HTTP Upgrade handshake (RFC 6455). Low latency. The message format on top is application-defined. Chat/Gaming. Not covered by CORS: the server must validate the Origin header during the upgrade and authenticate the connection itself.
Answer: Google’s serialization format. Binary, Typed, Schema (.proto). Smaller and faster than JSON.
Answer: Decouples Sender and Receiver. Store and Forward. RabbitMQ (AMQP), Kafka.
Answer:
  • Multiplexing: Single TCP connection carries many concurrent streams. Removes HTTP-level Head-of-Line blocking (TCP-level HoL remains: one lost packet stalls every stream).
  • Header Compression: HPACK.
  • Server Push.
Answer: HTTP/3 runs over QUIC (UDP based). Fixes TCP Head-of-Line blocking: a lost packet stalls only the stream it belongs to. Faster handshake (TLS 1.3 built in, 0-RTT resumption).
Answer: Header Idempotency-Key: uuid. Server stores the key together with a fingerprint of the request and the response it produced. A retry with the same key returns the stored response instead of processing the payment again; the same key with a different payload is rejected (e.g. 422) rather than silently replayed. Scope keys to the authenticated client and expire them.
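The idempotency-key handling described above, as an added example (not code from the original page): an in-memory store standing in for Redis or a database, a constructed payment processor that counts how often it really charges, and a request fingerprint so a reused key with a different body is refused. Status codes and the per-client scoping are design choices of this example.

```python
import hashlib
import json


class IdempotencyStore:
    """In-memory stand-in for Redis/DB; entries are keyed per client so one
    tenant cannot replay or collide with another tenant's key."""

    def __init__(self):
        self._entries = {}

    def get(self, client_id, key):
        return self._entries.get((client_id, key))

    def put(self, client_id, key, fingerprint, status, response):
        self._entries[(client_id, key)] = {
            "fingerprint": fingerprint, "status": status, "response": response,
        }


def fingerprint(method: str, path: str, body: dict) -> str:
    """Canonical hash of the request so a reused key with a different payload is detectable."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{method} {path}\n{canonical}".encode()).hexdigest()


def handle_request(store, client_id, idempotency_key, method, path, body, process):
    """Returns (status, response) the way a payment endpoint would."""
    if not idempotency_key:
        return 400, {"error": "Idempotency-Key header required"}
    fp = fingerprint(method, path, body)
    cached = store.get(client_id, idempotency_key)
    if cached is not None:
        if cached["fingerprint"] != fp:
            # Same key, different request: refuse rather than silently replay
            return 422, {"error": "Idempotency-Key reused with a different payload"}
        return cached["status"], cached["response"]   # safe replay, no second charge
    status, response = process(body)
    store.put(client_id, idempotency_key, fp, status, response)
    return status, response


def demo():
    store = IdempotencyStore()
    charges = []   # records every time the constructed payment processor actually runs

    def process(body):
        charges.append(body["amount"])
        return 201, {"payment_id": f"pay_{len(charges)}", "amount": body["amount"]}

    req = dict(method="POST", path="/payments", body={"amount": 1999, "currency": "EUR"})
    first = handle_request(store, "client_a", "k-1", **req, process=process)
    retry = handle_request(store, "client_a", "k-1", **req, process=process)          # network retry
    changed = handle_request(store, "client_a", "k-1", "POST", "/payments",
                             {"amount": 1, "currency": "EUR"}, process)            # key reuse
    other_client = handle_request(store, "client_b", "k-1", **req, process=process)  # separate scope
    return first, retry, changed, other_client, len(charges)


if __name__ == "__main__":
    print(demo())
```

In production the lookup and the store must be atomic (e.g. SET NX with a TTL, or a unique constraint) so two concurrent retries cannot both pass the cache miss and charge twice.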

4. Security & Scaling

Answer:
  • Authorization Code: Server-side apps (confidential client holding a secret). Standard.
  • Client Credentials: Machine-to-Machine, no user involved.
  • Authorization Code + PKCE: Mobile/SPA (public clients, no secret). PKCE is an extension of the code flow, not a separate grant, and is now recommended for every client; the Implicit flow it replaces is deprecated.
Answer: Auth layer on top of OAuth 2.0. Provides ID Token (JWT) with user info. OAuth = Authorization. OIDC = Authentication.
Answer: Limits req/sec per user, API key or IP. Returns 429 Too Many Requests with Retry-After. Headers: X-RateLimit-Limit, X-RateLimit-Remaining. Key on the authenticated identity where possible: an IP is shared by everyone behind a NAT and is cheap for an attacker to rotate.
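A per-client token-bucket limiter producing the 429 and the headers named above, as an added example (not code from the original page or from any gateway product). Capacity, refill rate, client keys and the header set are assumptions for the demo; time is passed in explicitly so the demo is deterministic.

```python
import math


class TokenBucket:
    """Per-client token bucket: each client has `capacity` tokens that refill
    continuously at `refill_per_sec`; one request costs one token."""

    def __init__(self, capacity: int, refill_per_sec: float):
        self.capacity = capacity
        self.rate = refill_per_sec
        self._buckets = {}   # client key -> (tokens, last_refill_time)

    def check(self, client_key: str, now: float):
        """Returns (allowed, remaining, retry_after_seconds)."""
        tokens, last = self._buckets.get(client_key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens >= 1:
            tokens -= 1
            self._buckets[client_key] = (tokens, now)
            return True, math.floor(tokens), 0
        self._buckets[client_key] = (tokens, now)
        retry_after = math.ceil((1 - tokens) / self.rate)   # seconds until one token exists
        return False, 0, retry_after


def handle(limiter: TokenBucket, client_key: str, now: float):
    """What the gateway/middleware returns: (status, headers)."""
    allowed, remaining, retry_after = limiter.check(client_key, now)
    headers = {
        "X-RateLimit-Limit": str(limiter.capacity),
        "X-RateLimit-Remaining": str(remaining),
    }
    if not allowed:
        headers["Retry-After"] = str(retry_after)
        return 429, headers
    return 200, headers


def demo():
    """Constructed traffic: 3 req/s burst for alice, one request from bob,
    then alice again after one second of refill."""
    limiter = TokenBucket(capacity=3, refill_per_sec=1.0)
    results = [handle(limiter, "user:alice", now=0.0) for _ in range(4)]
    results.append(handle(limiter, "user:bob", now=0.0))      # separate bucket, unaffected
    results.append(handle(limiter, "user:alice", now=1.0))    # one token has refilled
    return results


if __name__ == "__main__":
    for status, headers in demo():
        print(status, headers)
```

The bucket is keyed on the authenticated user, not the source IP; with several gateway replicas the bucket state has to live in a shared store (Redis) or each replica will hand out its own full quota.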
Answer: Separate API Gateway for each Client type (Web, Mobile, External). Tailored response (Mobile gets smaller image).
Answer: Infra layer for service communication. Sidecar proxies. Features: mTLS (Security), Telemetry, Traffic Splitting without code changes.
Answer: Stop BOLA (Broken Object Level Authorization / IDOR) by checking that the caller owns or may access the object on every request, not just that the caller is logged in. Mass Assignment (bind only allowlisted fields, never the whole request body). Excessive Data Exposure (filter the response on the server, not in the client). Rate Limiting.
Answer:
  • ‘None’ algorithm attack: header says alg: none with an empty signature; a verifier that honours the header accepts it.
  • Algorithm confusion: an RS256 token re-signed as HS256 using the server’s public key as the HMAC secret.
  • Secret key Brute-force (Weak secret).
  • Replay (Lack of jti / exp).
  Mitigation: the verifier fixes the allowed algorithm and key itself and never takes alg from the token; require exp; track jti for tokens that must be single-use.
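A stdlib-only HS256 verifier hardened against the attacks listed above, as an added example (not the page's code and not a real JWT library; in production use a maintained library and pass it an explicit algorithm allowlist). The secret, claims and the forged tokens in the demo are constructed.

```python
import base64
import hashlib
import hmac
import json


class JwtError(Exception):
    pass


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(secret: bytes, claims: dict) -> str:
    """Issuer side (demo only): a correctly signed HS256 token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, now: int, seen_jti: set, leeway: int = 30) -> dict:
    """Verifier side. The algorithm is fixed here and never read from the token,
    which closes both the 'none' and the RS256->HS256 confusion tricks; exp is
    mandatory and jti is tracked so a captured token cannot be replayed."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        signature = _b64url_decode(s_b64)
    except ValueError as exc:            # wrong part count, bad base64, bad JSON
        raise JwtError("malformed token") from exc
    if header.get("alg") != "HS256":
        raise JwtError("algorithm not allowed")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise JwtError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))   # only parsed after the MAC checks out
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + leeway:
        raise JwtError("missing or expired exp")
    if isinstance(claims.get("nbf"), int) and now < claims["nbf"] - leeway:
        raise JwtError("token not yet valid")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise JwtError("missing or replayed jti")
    seen_jti.add(jti)
    return claims


def forge_none_token(claims: dict) -> str:
    """Attacker side: alg=none with an empty signature (the 'None' attack)."""
    header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def demo():
    secret = b"constructed-demo-secret-use-a-long-random-one"
    now = 1_700_000_000
    seen = set()
    good = mint_hs256(secret, {"sub": "alice", "exp": now + 600, "jti": "t1"})
    results = {"valid": verify_hs256(good, secret, now, seen)["sub"]}
    h, _, s = good.split(".")
    admin_payload = _b64url_encode(json.dumps({"sub": "admin", "exp": now + 600, "jti": "t9"}).encode())
    cases = {
        "replay": good,                                   # same jti presented twice
        "none_alg": forge_none_token({"sub": "admin", "exp": now + 600, "jti": "t2"}),
        "expired": mint_hs256(secret, {"sub": "alice", "exp": now - 600, "jti": "t3"}),
        "no_exp": mint_hs256(secret, {"sub": "alice", "jti": "t4"}),
        "tampered": f"{h}.{admin_payload}.{s}",           # payload swapped, old signature kept
        "wrong_key": mint_hs256(b"other-key", {"sub": "alice", "exp": now + 600, "jti": "t5"}),
    }
    for name, token in cases.items():
        try:
            verify_hs256(token, secret, now, seen)
            results[name] = "accepted"
        except JwtError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

The jti set must be shared across replicas and expire entries when their exp passes; for ordinary access tokens that are meant to be reused until expiry, drop the jti check and rely on a short exp instead.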
Answer: Browser security (a controlled relaxation of the Same-Origin Policy). Preflight OPTIONS for non-simple requests. Access-Control-Allow-Origin: https://app.example.com (a full origin, scheme included). Access-Control-Allow-Credentials: true (Cookies) requires an explicit origin; browsers reject * with credentials. Validate the request Origin against an allowlist instead of reflecting it back, otherwise any site can make credentialed calls.
Answer: Scale on CPU/RAM standard. Scale on Custom Metric (Requests/sec, Queue depth) for APIs.
Answer: Trace ID passed in Headers (W3C traceparent, or Zipkin’s X-B3-TraceId). Spans created by each service. Visualize Request Lifecycle across microservices (Jaeger/Zipkin).

5. Operations

Answer: Centralized Logs (ELK Stack: Elasticsearch, Logstash, Kibana). Fluentd sidecar ships logs. Correlate entries with the trace ID. Essential for debugging distributed systems. Redact tokens, secrets and PII before shipping; the log store is usually less protected than the service that wrote them.
Answer:
  • Liveness: Restart me if dead.
  • Readiness: Don’t send traffic until I’m ready (DB connected).
Answer:
  • Rate Limit: Policy (User tier).
  • Throttling: Protection (Server load high -> Reject everything).
Answer: Major change (Breaking) requires new V2 URL or Media Type. Additive changes (Non-breaking) stay in V1.
Answer: OpenAPI Spec (Swagger). Interactive UI. Client SDK generation. Single source of truth.
Answer: Not 206 Partial Content (that is for byte-range requests). For batch operations return 207 Multi-Status, or 200 with a wrapper { data: ..., errors: [...] } (GraphQL style) that reports the outcome per item.
Answer: Offload infra concerns (SSL, Logging, Proxy) to separate container in same Pod. Keep App logic clean.
Answer: Methodology for building SaaS. Config in Env, Backing services attached resources, Stateless processes, Disposability.
Answer: Standard message format shared across services to avoid N*N translation logic.
Answer: Ensuring API Provider honors the contract expected by Consumer (Pact). Prevents breaking changes in Microservices.