Cloud Architect Practice Exam 2025: Latest Questions

A startup runs a stateless web API on Compute Engine managed instance groups (MIGs). They want to deploy new versions with near-zero downtime and the ability to quickly roll back if errors increase. What should they do?

A retailer wants to ensure that only approved VM images can be used to create Compute Engine instances across all projects in an organization. They need centralized governance with the ability to define allowed images. What should they implement?

A team needs to store and retrieve large binary objects (videos and images) with high durability and global access. They want to minimize operational overhead and use native HTTP access. Which Google Cloud service should they choose?

An operations team is frequently asked to prove which user made changes to firewall rules and when. They need a tamper-resistant record of API activity across projects. What should they use?

A SaaS provider runs services in multiple projects. They want a hub-and-spoke network where shared services (such as CI/CD runners and security tooling) reside in a central project, and application projects connect privately without overlapping IPs. They also want to avoid maintaining many VPN tunnels. What is the recommended design?

A data engineering team needs to run nightly ETL that transforms data from Cloud Storage into partitioned analytics tables. They want a serverless approach with minimal infrastructure management and SQL-based transformations. Which approach best fits?

A company needs to grant a vendor temporary access to upload objects to a specific Cloud Storage bucket path. They must prevent the vendor from reading existing objects and ensure access expires automatically. What should you do?

A production microservices platform on GKE experiences intermittent latency spikes. The application team suspects node-level resource pressure and wants to correlate pod resource usage with node CPU/memory and request latency. What is the best next step?

A financial services company is moving sensitive workloads to Google Cloud. They must reduce the risk of data exfiltration from managed services (such as BigQuery and Cloud Storage) to the public internet and to unauthorized projects, while still allowing approved private access from on-premises networks. What should they implement?

A global application requires an active-active setup across two regions. Clients should be routed to the nearest healthy backend, and failover must be automatic if a region becomes unavailable. The solution must provide a single anycast IP and support HTTP(S) traffic. What architecture should you choose?

Your company wants developers to deploy to a GKE cluster using kubectl, but they must not be able to create or modify Kubernetes RBAC roles or cluster-level resources. The security team also wants access to be centrally managed in Google Cloud IAM. What should you do?

A team needs a simple way to provide time-limited access for a third-party auditor to download specific objects from a Cloud Storage bucket without giving them a Google account in your organization. The bucket should remain private otherwise. What should you use?

A SaaS provider runs a multi-tenant API on Cloud Run. They want to ensure one tenant cannot overwhelm the service and impact others, while keeping operational overhead low. What should you implement?

Your organization requires that all new Google Cloud projects automatically enforce: restricted public IP usage on VMs, centralized log sinks, and approved APIs only. You want to implement this at scale with governance and auditability. What is the best approach?

A data engineering team needs to process streaming events from Pub/Sub, perform windowed aggregations, and write results to BigQuery with exactly-once processing semantics as much as possible. They want a managed service with minimal cluster operations. What should you recommend?

A company runs production workloads in two regions. They need to ensure that if a region fails, traffic automatically shifts to the healthy region with minimal downtime. The application is HTTP-based and is deployed on managed instance groups in each region. What should you use?

A security team needs to prevent data exfiltration from BigQuery and Cloud Storage to the public internet, while still allowing access from approved corporate networks and specific Google Cloud projects. The solution must apply to multiple projects and be centrally controlled. What should you implement?

A platform team uses Terraform to provision networking. They notice repeated accidental deletions of critical firewall rules and Cloud Router resources during updates by different teams. They want to reduce risk while still allowing iterative delivery. What should they do?

A fintech company must encrypt data at rest using keys that they control and must be able to rotate keys and audit key usage centrally. They also need to prevent engineers from decrypting data unless explicitly approved. What is the best Google Cloud approach?

Your company is migrating an on-prem monolith to microservices on Google Cloud. A key service requires strong consistency for financial transactions, global availability, and must tolerate regional failures with automatic failover. Latency should be low for users worldwide. Which storage solution best fits these requirements?

Your company runs hundreds of short-lived batch jobs on Compute Engine. Security policy requires that no long-lived service account keys be created or stored on disk, but jobs must authenticate to Google APIs. What should you do?

A development team needs to test a new internal web service running on a GKE cluster. The service must not be publicly accessible, but it must be reachable from the corporate network over private connectivity. What is the best approach?

You are troubleshooting intermittent 5xx errors from a service deployed on a Managed Instance Group (MIG) behind an external HTTP(S) Load Balancer. The errors spike during deployments when new instances are added. You find that instances pass the MIG's autohealing health check but still return errors for the first minute of serving traffic. What should you do?

A data platform team uses Terraform to manage Google Cloud resources across multiple environments (dev, test, prod). They want to avoid storing long-lived service account keys in their CI system while still allowing the CI pipeline to apply Terraform changes. What is the recommended approach?

Your organization needs to allocate and track Google Cloud costs by department across multiple projects, and department owners must be able to view their spend without getting broad administrative permissions. What should you do?