SQL Full Stack Developer Interview Questions and Answers — STAR Format (2026)

February 26, 2026 Updated • By Surya Singh • SQL Server • .NET • React • Azure SQL • Interview • Full Stack

This guide covers the complete stack tested in senior full-stack developer interviews: SQL Server and Azure SQL Database on the data tier, .NET 10 REST APIs on the backend, React on the frontend, plus security, performance tuning, and best practices across all layers. Every answer uses STAR format with real project scenarios.

Answers reference Microsoft SQL Server documentation and .NET 10 release notes.

1) A critical report query takes 45 seconds. Walk me through how you'd diagnose and fix it.

What interviewer evaluates: systematic performance investigation, not guessing.

Situation: A monthly compliance report on a financial-services platform was timing out at 45 seconds. The query joined 6 tables across 120 million rows and had been fine until data volume doubled after onboarding a large client.

Task: Reduce query execution time below 3 seconds without schema redesign or application changes.

Action:

• Execution plan analysis: Pulled the actual execution plan in SSMS. Found a clustered index scan on the largest table (Transactions, 80M rows) consuming 72% of the cost. The optimizer was scanning because a key filter used a function on the date column: WHERE YEAR(TransactionDate) = 2025.
• SARGability fix: Rewrote to WHERE TransactionDate >= '2025-01-01' AND TransactionDate < '2026-01-01'. This allowed the existing index to be seeked instead of scanned.
• Missing index: The plan still showed a key lookup. Added a covering index: CREATE INDEX IX_Txn_Date_Status ON Transactions(TransactionDate, Status) INCLUDE (Amount, ClientId). This eliminated the key lookup entirely.
• Statistics update: Statistics on the Transactions table were 3 days stale. Ran UPDATE STATISTICS with FULLSCAN. The optimizer switched from a hash join to a merge join, saving 800ms.
• Parameter sniffing: The stored procedure had a parameter-sniffing problem — the first execution was for a small client (200 rows) and the cached plan was suboptimal for the large client (2M rows). Added OPTION (RECOMPILE) for this specific query since it ran monthly.

Result: Execution time dropped from 45 seconds to 1.2 seconds. Logical reads reduced from 4.2M to 38K. The compliance team stopped escalating timeout tickets.

What separates good from great: Walk through the execution plan systematically. Mention SARGability, covering indexes, statistics, and parameter sniffing — not just "I added an index."

2) How did you migrate from on-premises SQL Server to Azure SQL Database?

What interviewer evaluates: migration planning, risk management, production readiness.

Situation: A SaaS company running SQL Server 2019 on-premises needed to migrate 14 databases (largest: 800 GB) to Azure SQL Database to reduce infrastructure overhead and enable geo-replication for their expanding EU customer base.

Task: I led the migration with a maximum 4-hour maintenance window and zero data loss.

Action:

• Assessment: Ran Azure Migrate and Data Migration Assistant (DMA) against all 14 databases. Found 23 compatibility issues: 8 uses of xp_cmdshell, 6 cross-database queries, 5 linked-server references, and 4 CLR assemblies. Resolved each before migration.
• Architecture decision: Chose Azure SQL Database (not Managed Instance) because we didn't need cross-database queries after refactoring and wanted lower cost. Selected vCore model (8 vCores, Business Critical) for the largest DB and elastic pools for the 13 smaller ones.
• Migration approach: Used Azure Database Migration Service (DMS) in online mode for continuous replication. This allowed us to run both environments in parallel during a 2-week validation period.
• Cutover: During the 4-hour window: stopped application writes, waited for DMS to sync final transactions, validated row counts and checksums on all 14 databases, flipped connection strings via Azure App Configuration, and ran smoke tests.
• Post-migration: Enabled auto-failover group for the EU region (West Europe secondary). Configured Intelligent Performance: automatic tuning for index recommendations and Query Performance Insight for ongoing monitoring.

Result: Migration completed in 3 hours 20 minutes with zero data loss. Monthly infrastructure cost dropped from $12,400 (on-prem licensing + hardware) to $6,800 (Azure). P95 query latency improved 18% due to Azure SQL's SSD-backed storage.

What separates good from great: Show the assessment phase (compatibility issues found), the architecture decision (why SQL DB vs Managed Instance), and post-migration optimization — not just "we migrated."

3) How do you design a production-grade REST API with .NET 10?

What interviewer evaluates: API design maturity, middleware understanding, operational readiness.

Situation: An insurance platform needed a new claims API serving 200 requests/second at peak, consumed by a React SPA, a mobile app, and three partner integrations.

Task: Design and build a .NET 10 REST API with versioning, authentication, rate limiting, and observability from day one.

Action:

• Project structure: Vertical slice architecture — each feature (Claims, Policies, Documents) had its own folder with endpoint, handler, validator, and DTO. No shared "Services" folder that becomes a dumping ground.
• Middleware pipeline: Exception handler → CORS → Authentication (JWT via Entra ID) → Authorization (policy-based RBAC) → Rate limiting (fixed-window, 100 req/min per client) → Response compression → Endpoints. Order matters — rate limiting before authorization prevents auth-bypass abuse.
• Versioning: URL-based versioning (/api/v1/claims) using Asp.Versioning. Each version had its own DTO set. Deprecated v1 endpoints returned Sunset header with deprecation date.
• Validation: FluentValidation for request DTOs. All validation errors returned RFC 7807 Problem Details JSON. No unstructured error strings.
• Data access: EF Core 10 with compiled queries for hot paths. Read replicas for reporting endpoints via read-only connection string. Pagination enforced on all list endpoints (max 100 items).
• Observability: OpenTelemetry with traces and metrics exported to Application Insights. Custom metrics: requests by version, auth failures by client, and DB query duration by endpoint.
• Health checks: /health/live (app running) and /health/ready (DB + downstream dependencies reachable). Kubernetes probes pointed to these.

Result: API handled 280 req/s at peak with P95 latency of 120ms. Zero unplanned outages in 8 months. The versioning strategy allowed us to deprecate v1 over 6 months without breaking any consumer.

What separates good from great: Explain middleware ordering rationale, versioning strategy, and observability — not just "I used .NET."

4) How do you handle state management and performance in a large React application?

What interviewer evaluates: frontend architecture judgment, performance discipline.

Situation: The insurance platform's React SPA had grown to 140 components. The claims dashboard was re-rendering 800+ times on initial load, causing a 4.2-second Time to Interactive on mid-range devices.

Task: Reduce TTI below 2 seconds and establish scalable state management patterns.

Action:

• Profiling: Used React DevTools Profiler to identify the render waterfall. Root cause: a top-level Redux store update on every WebSocket message triggered re-renders of the entire component tree.
• State architecture: Split state into three tiers: (1) Server state — moved to React Query (TanStack Query) with stale-while-revalidate caching. This eliminated 60% of Redux usage. (2) UI state — local component state with useState/useReducer. (3) Global app state — kept a slim Zustand store for auth, theme, and feature flags only.
• Memoization: Wrapped expensive list renders with React.memo and stable key props. Used useMemo for filtered/sorted datasets. Added useCallback for event handlers passed to child components.
• Code splitting: Lazy-loaded the claims detail page, document viewer, and admin panel with React.lazy + Suspense. Reduced initial bundle from 1.8 MB to 640 KB.
• Virtualization: Claims list (often 500+ items) switched to react-window. Only 20 rows rendered in the DOM at any time.

Result: TTI dropped from 4.2s to 1.6s. Re-renders on the dashboard reduced from 800+ to 12 on initial load. Lighthouse performance score went from 42 to 91.

What separates good from great: Show the profiling tool, the state-tier separation rationale, and concrete before/after numbers — not just "I used React Query."

5) How do you implement security at the database layer?

What interviewer evaluates: defense-in-depth thinking for data protection.

Situation: A healthcare platform storing PHI (Protected Health Information) in Azure SQL needed to pass a HIPAA audit. The auditor flagged three gaps: no column-level encryption, no row-level access control, and DBA access to plaintext sensitive data.

Task: Implement database-layer security controls that satisfied HIPAA requirements without degrading application performance by more than 5%.

Action:

• Always Encrypted: Enabled Always Encrypted with secure enclaves for SSN and diagnosis columns. Keys stored in Azure Key Vault with application-level access only. DBAs could see ciphertext but not plaintext — satisfying the auditor's #1 concern.
• Row-Level Security: Implemented RLS filter predicates so each clinic's queries automatically returned only their patients. Security policy applied at the database level — no application code changes needed, and no way to bypass via ad-hoc queries.
• Dynamic Data Masking: Applied masking on email and phone columns for support-team roles. They could search and verify but not export full PII.
• TDE + network: Transparent Data Encryption already enabled (Azure SQL default). Added private endpoint to eliminate public internet exposure. Configured Azure SQL Auditing to Log Analytics for all read/write operations on PHI tables.
• Least privilege: Replaced the single db_owner application account with three roles: app_reader, app_writer, and app_admin. The API connected as app_writer; reporting connected as app_reader.

Result: Passed the HIPAA audit with zero findings. Always Encrypted added only 3ms median latency per query (within the 5% budget). RLS prevented a cross-clinic data leak that QA discovered during testing — the policy caught it automatically.

What separates good from great: Show layered security (encryption + RLS + masking + audit + network) and a compliance-driven motivation, not just feature names.

6) How do you secure a .NET REST API end-to-end?

What interviewer evaluates: authentication, authorization, and OWASP awareness.

Situation: The claims API was initially deployed with API-key authentication. After a security review, we needed to upgrade to enterprise-grade auth before opening the API to external partners.

Task: Implement OAuth 2.0 + OIDC authentication, granular authorization, and OWASP Top 10 protections.

Action:

• Authentication: Migrated to Microsoft Entra ID (Azure AD) with OAuth 2.0 authorization code flow for the SPA and client credentials flow for partner integrations. JWT validation in middleware with issuer, audience, and token lifetime checks.
• Authorization: Policy-based authorization with custom IAuthorizationHandler. Policies like CanApproveClaim checked role + department + claim amount threshold. No hardcoded role names in controllers.
• OWASP mitigations: (1) SQL injection — parameterized queries via EF Core (no raw SQL). (2) XSS — output encoding in React + CSP headers. (3) CSRF — SameSite cookies + anti-forgery tokens. (4) Broken access control — authorization on every endpoint, not just the controller level. (5) Security misconfiguration — removed default error pages, disabled TRACE, enforced HTTPS redirect.
• Rate limiting: .NET 10's built-in RateLimiter middleware with per-client fixed-window policies. Partners got higher limits via claims in their JWT.
• Secrets: All secrets in Azure Key Vault. No connection strings in appsettings.json. Managed identity for Key Vault access — no client secrets in config.

Result: Passed a third-party penetration test with zero critical or high findings. Partner onboarding time dropped from 2 weeks (manual API key provisioning) to 2 hours (self-service Entra ID app registration).

What separates good from great: Name specific OWASP items you mitigated. Show that authorization is policy-based, not role-string checks scattered across controllers.

7) Walk me through an end-to-end performance tuning engagement.

What interviewer evaluates: systematic diagnosis across all stack layers.

Situation: An e-commerce platform's checkout flow had P95 latency of 6.8 seconds during peak sales. The team suspected the database, but no one had investigated systematically.

Task: Identify the actual bottlenecks across React frontend, .NET API, and SQL Server, then reduce P95 below 2 seconds.

Action:

• Frontend: Lighthouse audit revealed 2.1s of unnecessary JavaScript bundle execution. Code-split the checkout page, deferred non-critical analytics scripts, and preloaded the payment SDK. Frontend contribution dropped from 2.1s to 0.6s.
• API layer: Distributed tracing (OpenTelemetry) showed the /api/v1/checkout endpoint making 7 sequential database calls. Refactored to 3 parallel calls using Task.WhenAll. Also added Redis caching for product catalog lookups (95% cache hit rate). API contribution dropped from 2.4s to 0.7s.
• Database layer: The inventory-check query was the worst offender — 1.8s due to a table scan on a 40M-row Products table. Added a filtered index on WHERE IsActive = 1 (only 2M active products). Also found 14 missing indexes via the DMV sys.dm_db_missing_index_suggestions — added the top 5 by impact score. DB contribution dropped from 2.3s to 0.5s.
• Connection pooling: Discovered the API was opening new connections per request instead of pooling. Configured EF Core connection pool with Max Pool Size=100. This alone eliminated 200ms of connection-setup overhead.

Result: P95 checkout latency dropped from 6.8s to 1.8s. Conversion rate increased 12% in the week following the fix. The systematic approach (measure each layer, fix the largest contributor first) was adopted as the team's standard performance investigation process.

What separates good from great: Diagnose across ALL layers with numbers, not just the database. Show the tracing tool that revealed the actual bottleneck.

8) What are your best practices for stored procedure design?

What interviewer evaluates: database engineering discipline.

Situation: I inherited a codebase with 340 stored procedures, many written years ago. Common problems: no error handling, implicit transactions, no logging, and "SELECT *" everywhere. A single proc failure silently corrupted data in two tables.

Task: Establish stored procedure standards and remediate the highest-risk procedures.

Action:

• Template: Created a standard proc template with: SET NOCOUNT ON, explicit BEGIN TRY/CATCH with THROW, explicit BEGIN TRAN/COMMIT/ROLLBACK, parameter validation at the top, and a structured error log insert in the CATCH block.
• SELECT discipline: Replaced all SELECT * with explicit column lists. This prevented schema changes from silently breaking downstream consumers and reduced IO for wide tables.
• Transaction scope: Minimized transaction duration — moved read-only operations outside the transaction, used READ COMMITTED SNAPSHOT isolation where appropriate to reduce blocking.
• Idempotency: For data-modification procs called by retryable APIs, added idempotency checks using a request ID parameter and a deduplication table.
• Testing: Built a tSQLt test suite with 120 tests covering the 40 highest-risk procedures. Tests ran in a CI pipeline on every PR touching SQL files.

Result: Silent data corruption incidents dropped from ~2/quarter to zero. The template and CI tests were adopted across 4 teams. New developer onboarding for database work went from 3 weeks to 1 week because the patterns were consistent and documented.

What separates good from great: Show the template pattern, mention idempotency for API-called procs, and describe testing in CI — not just "I use TRY/CATCH."

9) Design a full-stack system for a multi-tenant SaaS application.

What interviewer evaluates: end-to-end architecture across all layers.

Situation: A B2B SaaS startup needed a multi-tenant project management platform. Each tenant had 50–5,000 users, and the largest tenant required data residency in the EU.

Task: Design the full stack: React frontend, .NET API, SQL database, with tenant isolation, scalability, and cost efficiency.

Action:

• Tenant isolation strategy: Chose shared-database, separate-schema for small tenants (cost-efficient) and dedicated Azure SQL Database for enterprise tenants requiring data residency. Tenant ID resolved from JWT claims in a middleware that set the schema context.
• API layer: .NET 10 minimal API with a TenantContext middleware that extracted tenant from the JWT, validated it, and set the EF Core schema dynamically. All queries automatically scoped to the correct tenant — no accidental cross-tenant leaks.
• React frontend: Tenant-branded SPA — each tenant had a custom subdomain (acme.app.com). Theme, logo, and feature flags loaded from a tenant config API on app init. Used React Query for server state with tenant-scoped cache keys.
• Caching: Redis with tenant-prefixed keys. Cache invalidation on write-through pattern. Tenant-specific TTLs (enterprise tenants got longer TTL because their data changed less frequently).
• Auth: Microsoft Entra ID multi-tenant app registration. Each tenant had their own Entra tenant. API validated issuer against a whitelist of registered tenants.
• Observability: All logs, traces, and metrics tagged with tenant_id. Per-tenant dashboards in Grafana. Alert thresholds adjusted per tenant tier (enterprise got stricter SLAs).

Result: Platform scaled from 3 tenants at launch to 45 tenants in 12 months. Largest tenant (3,200 users) had P95 latency of 180ms. Infrastructure cost per tenant averaged $85/month for shared-schema tenants and $340/month for dedicated-database enterprise tenants.

What separates good from great: Explain the tenant isolation trade-off (shared vs dedicated), show how tenant context flows through all layers, and give cost-per-tenant numbers.

10) How do you handle CI/CD and database deployments safely?

What interviewer evaluates: deployment discipline across application and database layers.

Situation: The team was deploying database changes manually via SSMS scripts. A missed ALTER TABLE caused a 2-hour outage when the API started throwing 500 errors because a column it expected didn't exist yet.

Task: Implement automated, safe database deployments alongside application deployments.

Action:

• Database project: Migrated all schema objects into a SQL Database Project (SSDT/SDK-style). Schema changes tracked in Git alongside application code. Every PR included both API and database changes.
• Migration strategy: Used EF Core migrations for schema changes, with a pre-deployment validation step that ran the migration against a staging database clone before touching production.
• Deployment order: Database changes always deployed before application changes (expand-and-contract pattern). New columns added as nullable first → deploy app that uses them → backfill data → add NOT NULL constraint in next release. This prevented the exact outage we had before.
• Pipeline: Azure DevOps pipeline: build → unit tests → deploy DB to staging → integration tests → deploy API to staging → smoke tests → manual approval gate → deploy DB to prod → deploy API to prod → health check.
• Rollback: Every migration had a corresponding down-migration. Pipeline included a rollback stage that could be triggered within 30 minutes of deployment. Database backups taken automatically before each production deployment.

Result: Zero deployment-related outages in 10 months after implementing this pipeline. Deployment frequency increased from biweekly to daily. Average deployment time: 12 minutes (including staging validation).

What separates good from great: Explain the expand-and-contract pattern, the deployment order (DB before app), and the rollback strategy.

Rapid-fire interview practice — STAR answers

60-second verbal answers. Practice out loud.

From real experience

"In 8+ years across financial services, healthcare, e-commerce, and SaaS, I've found that the interviews where I scored highest were the ones where I traced a problem through all layers of the stack. Saying 'I optimized a query' is fine. Saying 'I traced a 6.8-second checkout to three bottlenecks — 2.1s frontend bundle, 2.4s sequential DB calls, and 1.8s table scan — and fixed each with code splitting, Task.WhenAll, and a filtered index, reducing P95 to 1.8s' is what gets you the offer."

"For SQL-heavy roles specifically, execution plan literacy is the #1 differentiator. I've interviewed 40+ candidates for senior database positions. Fewer than 20% could read an actual execution plan and identify the operator consuming the most resources. Practice with real plans from your production workloads — not textbook examples."
— Surya Singh, Azure Solutions Architect & AI Engineer, 8+ years in enterprise full-stack development

Common interview mistakes to avoid

• Saying "I added an index" without explaining the execution plan analysis that led to that decision.
• Talking about security without mentioning specific OWASP items or compliance frameworks (HIPAA, SOC 2, PCI-DSS).
• Describing React performance fixes without profiling data (Lighthouse scores, render counts, bundle sizes).
• Ignoring the database in system design answers — the data tier is usually the bottleneck.
• Giving .NET API answers without discussing middleware ordering, versioning, or observability.
• Claiming "I optimized performance" without before/after metrics for latency, throughput, or resource usage.
• Describing deployment processes without rollback strategy or the expand-and-contract pattern for schema changes.

Frequently asked questions

Related interview guides

• .NET Interview Questions and Answers: Complete Guide for 2025
• C# Async Programming Interview Guide: Master Async/Await Patterns
• Azure Cloud Architecture Interview Guide: Design Patterns and Best Practices
• AI/ML Engineer Interview Questions — STAR Format Guide
• Azure AI Deployment Interview Preparation

Surya Singh

Azure Solutions Architect & AI Engineer

Microsoft-certified Azure Solutions Architect with 8+ years in enterprise software, cloud architecture, and AI/ML deployment. I build production AI systems and write about what actually works—based on shipping code, not theory.

• Microsoft Certified: Azure Solutions Architect Expert
• Built 20+ production AI/ML pipelines on Azure
• 8+ years in .NET, C#, and cloud-native architecture

LinkedInTwitter/XAbout Me