50 Cloud Engineer Practice Questions: Question Bank 2025
Build your exam confidence with our curated bank of 50 practice questions for the Cloud Engineer certification. Each question includes detailed explanations to help you understand the concepts deeply.
Why Use Our 50 Question Bank?
Strategically designed questions to maximize your exam preparation
50 Questions
A comprehensive set of practice questions covering key exam topics
All Domains Covered
Questions distributed across all exam objectives and domains
Mixed Difficulty
Easy, medium, and hard questions to test all skill levels
Detailed Explanations
Learn from comprehensive explanations for each answer
Practice Questions
50 practice questions for Cloud Engineer
You need to create a new Google Cloud environment for a small team. The team wants to manage billing centrally and isolate resources per department while still allowing shared networking later. What is the recommended resource hierarchy approach?
A web application runs on a Compute Engine VM and needs to access Cloud Storage objects. You want to avoid using long-lived service account keys. What should you do?
You deployed a stateless API to Cloud Run. Traffic spikes occur unpredictably, and you want the platform to automatically add and remove capacity without managing servers. Which feature primarily provides this behavior?
A team wants to troubleshoot an HTTP(S) Load Balancer issue and needs to see how requests are being routed and what response codes are returned. Which Google Cloud feature should they enable?
You need to deploy identical infrastructure (VPC, subnets, firewall rules, and a managed instance group) repeatedly across multiple projects. You want reviews, version control, and repeatable deployments. What should you use?
A Compute Engine instance cannot reach the internet. The instance is in a private subnet with no external IP. The VPC has a default route to the internet gateway, but outbound access still fails. What is the most likely missing component?
You are designing storage for user-uploaded files. Requirements: highly durable, accessed via HTTP, and objects must automatically delete 30 days after upload. Which solution best meets these requirements with minimal operational effort?
Your application writes logs to Cloud Logging. The on-call team wants to be paged only when error logs exceed a threshold over a 5-minute window. What should you implement?
A company uses a shared VPC. The security team wants to ensure that only approved projects can attach VM instances to the shared subnets, and they want the restriction enforced centrally. What should you do?
You need to expose an internal HTTP service running on a managed instance group to internal clients across multiple regions. Requirements: single anycast VIP, internal-only access, and automatic load balancing and health checking. What should you use?
You need to deploy a simple stateless web app to Google Cloud and expose it to the internet. You want the fewest infrastructure components to manage and automatic HTTPS support. What should you use?
A project’s Cloud Storage bucket must be accessible to a specific group of users for object viewing only, and access should be managed through Google Groups. What is the recommended approach?
You created a new project and want to ensure all Cloud Audit Logs are retained and queryable by the security team without granting them broad project access. What should you do?
A company needs a private, low-latency connection from its on-premises data center to Google Cloud. The connection must not traverse the public internet and should support high throughput. What is the best solution?
You deployed an application to a Managed Instance Group (MIG) behind an external HTTP(S) Load Balancer. Users report intermittent 502 errors during deployments. You want to reduce errors by ensuring new instances are ready before receiving traffic. What should you do?
A team needs to run scheduled batch processing every night. The job executes a container for about 15 minutes and should not require server management. The job must run even if no users are active. What should you use?
Your organization wants to prevent users from creating service account keys because keys have been mishandled in the past. You still need workloads to authenticate to Google APIs. What should you do?
A new application must store relational data and requires high availability with automatic failover across zones. The team wants a managed database service with minimal operational work. What should you choose?
You need to allow a third-party CI/CD system running outside Google Cloud to deploy to GCP without storing long-lived service account keys. The third-party system supports OIDC tokens. What is the recommended approach?
A production service on Compute Engine is experiencing occasional latency spikes. You need to identify whether the issue is CPU saturation, disk I/O, or network throughput, and you want alerting when thresholds are exceeded. What should you do?
You need to create separate Google Cloud projects for three departments (Dev, QA, Prod). Billing must be centrally managed, and each department should only be able to view and administer its own resources. What is the recommended approach?
You deployed a new Compute Engine VM and need to confirm it has outbound internet access without exposing it to inbound traffic from the internet. The VM is in a subnet with Private Google Access disabled, and you will not assign a public IP. What should you do?
You need to grant a third-party auditor read-only access to view Cloud Storage objects in a specific bucket for 30 days. They must not list or access other buckets in the project. What is the best approach?
Your application running on a Compute Engine instance must call Google APIs. Security policy forbids downloading service account keys to VMs. What should you do?
A global web application must serve users worldwide with low latency and support blue/green releases. You want to route a small percentage of traffic to a new backend version and quickly roll back if needed. What should you use?
A team needs to run a containerized batch job nightly. The job runs for 10–20 minutes, requires no inbound traffic, and should minimize operational overhead. What is the best solution?
You manage a Managed Instance Group (MIG) serving traffic behind an external HTTP(S) Load Balancer. During a rolling update, users report intermittent 502 errors. Instance health checks are passing, but the application needs 90 seconds after boot before it can accept traffic. What should you do?
A security team requires that sensitive data in a Cloud Storage bucket is encrypted using a customer-managed encryption key (CMEK). They also need to ensure only that specific key can be used for new objects in the bucket. What should you do?
You must allow a Compute Engine VM in Project A to read objects from a Cloud Storage bucket in Project B. The VM should use its own attached service account, and you want to avoid using service account keys. What is the correct setup?
Your company wants to automate VM creation with Terraform and store the Terraform state in Cloud Storage. The security requirement is: only a dedicated CI/CD service account can read/write the state, state must be protected from accidental deletion, and you must be able to recover previous versions. What should you do?
You need to ensure every new project created in your organization has the same required labels (e.g., cost_center, owner) and disallows external IPs on new VM instances unless explicitly exempted. What is the recommended approach?
A team wants to authenticate to Google Cloud from a CI/CD system running outside Google Cloud without using long-lived service account keys. Which solution should you recommend?
You need to quickly host a static marketing website (HTML/CSS/JS) with a global HTTP(S) endpoint and low operational overhead. What should you use?
A Compute Engine VM cannot reach the internet. The VM is in a custom VPC subnet with private RFC1918 addresses only. Firewall rules allow egress, but there is no Cloud NAT configured. What is the most likely fix?
Your application in one project needs to read objects from a Cloud Storage bucket in another project. You must follow least privilege and avoid granting broad roles at the project level. What should you do?
You are deploying a stateful application that requires a stable network identity and persistent storage per replica. The team wants Kubernetes-managed scaling and updates. Which GKE resource should you use?
You need to collect application logs from Cloud Run services and create an alert when error logs exceed a threshold over 5 minutes. What is the recommended solution?
A finance application must ensure that only compliant VM images are used for new instances. The security team provides a golden image and wants to prevent users from using arbitrary public images. What should you implement?
Your company uses a shared VPC. A service project’s VM instances need to access a private IP Cloud SQL instance in the host project. Connectivity fails even though the VM can reach other private resources. What is the most likely required change?
You need a simple way to run a containerized batch task every night that pulls from Cloud Storage and writes results back to Cloud Storage. You want minimal infrastructure management. What should you use?
You need to use Cloud Shell to administer resources in a newly created project, but gcloud commands fail with permission errors. You can open Cloud Shell successfully. What is the most likely cause?
A team wants all newly created Compute Engine VMs in a project to have the same default labels (for example, cost-center and environment). What is the recommended approach?
You have a stateless web application running on Compute Engine managed instance groups (MIGs). You want the group to automatically replace unhealthy VMs. Which feature should you configure?
You need a VM in Project A to read objects from a Cloud Storage bucket in Project B. You must follow least privilege and avoid using user credentials. What should you do?
Your organization requires that all traffic from VMs to Google APIs stays on Google’s network and does not use external IP addresses. What should you configure?
Your application writes logs using a custom JSON format. You want to create logs-based metrics and set alerts when the error field exceeds a threshold. What is the best approach?
You are deploying a containerized internal API to Cloud Run. It must only be reachable from within your VPC by workloads such as GKE and Compute Engine. What should you do?
Your team uses Terraform and wants a safe workflow to manage changes to production Google Cloud resources. You need a reviewable plan and controlled apply. What is the recommended practice?
A compliance requirement states that database administrators must not be able to decrypt customer data. The application should handle encryption and decryption, and encryption keys must be centrally managed with audit logs. What should you use?
You need to troubleshoot intermittent connectivity from a VM to an internal TCP service running on another VM in the same VPC. You suspect firewall rules or routing issues. Which combination of tools is most appropriate?
Cloud Engineer 50 Practice Questions FAQs
Cloud Engineer is a professional certification from Google Cloud that validates expertise in cloud engineering technologies and concepts. The official exam code is GCP-3.
Our 50 Cloud Engineer practice questions include a curated selection of exam-style questions covering key concepts from all exam domains. Each question includes detailed explanations to help you learn.
50 questions is a great starting point for Cloud Engineer preparation. For comprehensive coverage, we recommend also using our 100 and 200 question banks as you progress.
The 50 Cloud Engineer questions are organized by exam domain and include a mix of easy, medium, and hard questions to test your knowledge at different levels.