Introduction
ASP.NET Core interviews often focus on how applications behave in real production environments. Instead of asking only about syntax, interviewers want to know how you handle slow APIs, large data sets, async issues, and external dependencies. This article covers commonly asked ASP.NET Core interview questions based on real-world performance scenarios, explained with simple examples and ideal answers to help you respond confidently.
Let’s look at those below.
1. Your API works fine locally but is slow in production. What do you check first?
Example
Locally, the API returns data in 200 ms using a small database.
In production, the same API takes 5 seconds because the table has lakhs of records and runs over a network.
Explanation
I start by investigating database queries and measuring where the execution time is actually spent. Since production involves more data and network latency, I enable logging to pinpoint whether the bottleneck is a slow query, a configuration issue, or a resource constraint before attempting a fix.
In addition to logging, I analyze the execution plan of the queries to see if the database is struggling with missing indexes or inefficient joins. Often, a query that works instantly on a local machine with 10 rows becomes a disaster in production when it’s forced to scan 10 million rows. I also check for resource contention, such as high CPU usage or memory pressure on the database server, which can slow down even simple requests.
Finally, I look for network chatter, where the application makes too many separate trips to the database. Over a local connection, 50 small queries might take 50 ms total, but over a production network with higher latency, those same 50 trips could easily take several seconds. By consolidating these into a single query using projections or eager loading, I can significantly reduce the overall response time.
2. You used async/await, but the API is still slow. Why?
Example
The API uses async methods, but inside the code it calls .Result on a database query.
Under load, requests start waiting for each other and the API becomes slow.
Explanation
While async and await are designed to improve scalability, they only help during I/O-bound tasks—like waiting for the database—by freeing up the server's threads to handle other work. If you use blocking calls like .Result or .Wait() anywhere in code, you create a "Sync-over-Async" bottleneck. This forces a thread to sit idle and wait, which leads to thread-pool starvation where the API stops responding because no threads are left to handle new requests.
The fix is to ensure the entire call chain is asynchronous, meaning you never "block" the thread while waiting for data. Additionally, if the API is performing CPU-heavy work—like processing large amounts of data in memory—async will not make that part faster because the CPU is actually busy, not just waiting. I ensure that all database calls use await and avoid any code that stops a thread from moving on to the next task.
3. Your API returns thousands of records. How do you improve performance?
Example
A GET /users API returns 50,000 user records in one response, making the API slow and the UI unresponsive.
Explanation
Returning thousands of records in a single response is a major performance issue because it consumes significant amounts of memory and bandwidth on both the server and the client. To improve this, I implement server-side pagination and filtering so the API only delivers a small, manageable chunk of data at a time. I also use projections to return only the specific fields required by the UI, rather than the entire database object, which significantly reduces the payload size.
4. Your API calls another API. What if that API fails?
Example
An order API depends on a third-party payment service.
If the payment service is slow or down, the order API keeps waiting and eventually fails.
Explanation
When an API depends on a third-party service, you are dependent on their uptime and speed. If that external service becomes slow or goes down, your own API will "hang" while waiting for a response, eventually exhausting its resources and failing. To prevent this, I never allow an external call to run indefinitely; instead, I implement timeouts and retry policies to handle failures gracefully without crashing the application.
To build a resilient system, external failures should be treated as an expected event rather than an exception. By using a library like Polly, you can define a "Circuit Breaker" that stops calling the failing service for a short period, allowing it to recover. These calls should also be wrapped in a try-catch block to return a meaningful, user-friendly error message or a fallback result rather than letting the entire request time out or crash.
By adding these safeguards, you ensure that one slow dependency does not cause a cascading failure across the entire platform. The API remains responsive and provides clear feedback to the user, even when external partners are struggling.
5. How do you prevent sensitive data from being returned in API responses?
Example
A user table contains fields like password hashes, internal flags, and audit data.
Returning the full entity exposes sensitive information.
Explanation
Returning database entities directly is a major security risk because it often exposes sensitive fields such as password hashes, internal administrative flags, or private audit data that the end user should never see. Even if the UI does not display these fields, they are still sent over the network in the JSON response, where they can be intercepted or viewed through browser developer tools.
To prevent these data leaks, I always use Data Transfer Objects (DTOs) or ViewModels to strictly control exactly which pieces of information leave the server.
The fundamental rule of secure API design is: the database schema is for the server, and the DTO is for the client. By keeping them separate, you ensure that adding a sensitive internal column to the database in the future will not accidentally expose it through the API.
Conclusion
In this article, we explored how small patterns in EF Core and async code can lead to major bottlenecks in production. Performance-related questions are common in interviews because they test your ability to handle real-world scale, data security, and external dependencies.
By mastering these simple fixes, you demonstrate that you do not just write code that works locally, but code that is resilient and efficient in real-world production environments.
I hope this helps.