50 Cloud Architect Practice Questions: Question Bank 2025
Build your exam confidence with our curated bank of 50 practice questions for the Cloud Architect certification. Each question includes detailed explanations to help you understand the concepts deeply.
Why Use Our 50 Question Bank?
Strategically designed questions to maximize your exam preparation
50 Questions
A comprehensive set of practice questions covering key exam topics
All Domains Covered
Questions distributed across all exam objectives and domains
Mixed Difficulty
Easy, medium, and hard questions to test all skill levels
Detailed Explanations
Learn from comprehensive explanations for each answer
Practice Questions
50 practice questions for Cloud Architect
A startup is building an internal web app that must be reachable only from the corporate network. The team wants to avoid managing VPN appliances and prefers an identity-based approach for access control. What should they implement?
You need to give a vendor temporary access to upload objects to a specific Cloud Storage bucket path. The vendor must not be able to list other objects in the bucket and the access should expire automatically. What is the best approach?
A team is deploying a stateless containerized API and wants Google Cloud to handle scaling based on request volume with minimal infrastructure management. The service must support HTTPS and custom domains. Which product should they choose?
Your organization wants to ensure that new projects cannot create public Cloud Storage buckets. You want a centrally enforced preventive control across projects in an organization. What should you use?
A company runs a 3-tier application on Compute Engine. Database traffic must never traverse the public internet, and the database should not have external IPs. The web tier must be reachable from the internet. What design best meets these requirements?
A data engineering team ingests events from mobile apps into Pub/Sub and writes them to BigQuery. They need near-real-time dashboards and also want to replay the last 7 days of events if a pipeline bug is discovered. What should they do?
Your company operates workloads across multiple Google Cloud projects. The security team needs a centralized view of IAM policy changes and admin activity across the organization for auditing. What is the recommended approach?
A Compute Engine managed instance group (MIG) is serving traffic behind an HTTP(S) load balancer. Users report intermittent 502 errors during deployments. The team uses a rolling update but instances sometimes receive traffic before the application is ready. What should you change to reduce these errors?
A regulated enterprise must ensure that sensitive data in Cloud Storage is not exfiltrated to unauthorized projects or the public internet, even if IAM permissions are accidentally broadened. They also need to allow access from specific approved services within their organization. What is the best control to add?
You are designing a multi-region active-active architecture for a customer-facing web application. Requirements: support regional failures with minimal user impact, keep writes consistent for user profiles, and avoid running a complex database replication layer on VMs. Which approach best meets these goals?
Your team wants developers to deploy Cloud Run services from CI without storing long-lived service account keys. The CI system supports OIDC tokens. What is the recommended approach?
A new product will store customer-submitted images and must automatically create thumbnails and extract metadata when new objects arrive. The team wants minimal operations overhead. Which architecture best meets the requirement?
A team frequently needs to find which service account performed specific actions across multiple projects during incident reviews. They want a single place to query historical activity. What should they do?
A company runs a critical internal application on Compute Engine managed instance groups (MIGs). Traffic must be routed only to healthy instances, and deployments should gradually shift traffic while monitoring error rates. Which Google Cloud components best support this?
A data platform ingests streaming events and stores them for analytics. Analysts need near real-time dashboards with low-latency queries, and the pipeline should handle bursts without manual scaling. Which solution is most appropriate?
Your organization wants to restrict the creation of external IP addresses across all projects, with a documented exception process for a small set of approved projects. What is the best approach?
A team is troubleshooting intermittent 502 errors from a global external HTTP(S) load balancer to a backend service running on GKE. They suspect unhealthy backend pods during rollouts. What is the most effective first step?
A company has a monolithic application on Compute Engine. They want to reduce operational overhead and improve deployment velocity by moving to a managed container platform while keeping request-based scaling. The app is stateless and exposes HTTP endpoints. What should you recommend?
A regulated enterprise must keep encryption keys in a device they control and requires Google Cloud services to use those keys for encrypting data at rest. They also want to minimize changes to applications. Which solution best meets this requirement?
A mission-critical service must meet an internal SLO of 99.99% availability. It runs in a single region today on GKE and depends on Cloud SQL. You need an architecture that can tolerate a full regional outage with minimal data loss and automated failover. What should you design?
Your team needs to provide developers a shared environment where they can quickly spin up standard application stacks (VPC, GKE, Cloud SQL, logging) with guardrails. The platform team wants to control allowed regions and required labels, and they want a repeatable, auditable process. What should you implement?
A security team wants to reduce the blast radius of compromised credentials. They require that service account keys are not used, and workloads must use short-lived credentials. The applications run on GKE and Cloud Run. What is the recommended approach?
You operate a customer-facing web application on Managed Instance Groups (MIGs) behind an external HTTP(S) Load Balancer. During a regional outage, you must continue serving traffic with minimal manual intervention. The database layer is already globally resilient. What should you do for the compute layer?
A data science team stores raw datasets in Cloud Storage. They want to ensure that no objects are deleted or overwritten for 30 days after upload to meet an internal retention requirement. What is the simplest native approach?
A company uses BigQuery for analytics. Multiple teams run ad-hoc queries that sometimes scan entire tables and cause unpredictable costs and performance issues. You need to improve governance without blocking analysts. What should you do?
Your organization must ensure that only approved container images are deployed to production GKE clusters. The security team also wants evidence of policy enforcement. What architecture best meets these requirements?
A global retailer is migrating to Google Cloud and wants a standardized resource hierarchy that supports separation of duties, centralized networking, and consolidated billing across business units. What is the recommended high-level design?
A microservices platform on GKE experiences intermittent latency spikes. Metrics show that new pods sometimes take a long time to start and pull images, especially during scale-out events. You want to reduce cold-start time with minimal operational overhead. What should you do?
You manage a multi-project environment. A compliance requirement states that only specific Google-managed services may be used, and any attempt to enable unapproved APIs should be blocked. How can you enforce this centrally?
A mission-critical workload runs on Compute Engine and uses Persistent Disks. You need the ability to recover from accidental file corruption introduced by an application deployment, with the shortest recovery time and minimal data loss. What should you do?
Your organization runs several internal web apps on Compute Engine. The security team requires that every new VM automatically receives the latest approved security agent and baseline OS settings, and that deployments are repeatable across projects. What should you do?
You need to provide private access from on-premises to Google APIs (for example, Cloud Storage) without sending traffic over the public internet. Your connectivity is via Cloud VPN. What is the recommended approach?
A team wants to enforce organization-wide restrictions so that no one can create external IP addresses on Compute Engine VMs in any project. What should you use?
Your batch jobs are running on Compute Engine and periodically fail because they run out of disk space during peak processing. You want an operational approach that detects this condition early and alerts the on-call engineer. What should you do?
Your company stores sensitive audit logs in a dedicated project. Only the security team should access them, and no one (including project owners) should be able to modify or delete the logs. What is the best approach?
You are migrating a legacy three-tier application to Google Cloud. The app requires a stable internal VIP for the middle tier that multiple front ends will call, and you want automatic health checking and instance replacement. Which solution best fits?
A data engineering team runs an hourly Dataflow pipeline that reads from Pub/Sub and writes aggregated results to BigQuery. During traffic spikes, BigQuery streaming inserts become a bottleneck, and the pipeline falls behind. You need to improve throughput and keep the pipeline near real-time. What should you do?
Your organization is adopting GitOps. You need a controlled process to deploy Kubernetes manifests to GKE across dev, staging, and prod, with approvals and the ability to roll back to a known good state. What should you implement?
You must design a multi-project environment with a shared VPC host project. App teams in service projects need to create their own internal load balancers and managed instance groups, but must not be able to change shared subnets, routes, or firewall rules. What is the best IAM design?
A global ecommerce platform runs active-active across two regions on GKE. The database is Cloud Spanner. Requirements: automatic regional failover, minimal user-visible downtime, and protection against zone failures. Which architecture best meets these requirements?
Your company wants a standardized way to deploy a VPC, subnets, firewall rules, and a few IAM bindings across many projects. The solution must be repeatable, reviewable, and support automated rollbacks if a change fails. What should you use?
A security team needs to ensure that public IP addresses cannot be assigned to any VM in a specific folder, including projects created in the future. What is the most effective approach?
You need to grant a third-party auditor time-limited, read-only access to BigQuery datasets in a single project. The auditor must not be able to view data in other projects. What should you do?
A data engineering team runs a nightly pipeline that reads from Cloud Storage, transforms data, and writes to BigQuery. The pipeline occasionally fails midway, leaving partial results. They want the pipeline to be idempotent and easier to recover without reprocessing all data. What should they do?
Your organization uses a hub-and-spoke network with multiple projects. A new spoke project must privately access Google APIs (like Cloud Storage and BigQuery) without using public IPs. Which design best meets this requirement?
A platform team manages several microservices on GKE across dev, test, and prod. They want to promote the same container image through environments and have an auditable deployment history with controlled rollouts. What should they implement?
A latency-sensitive global application serves users from multiple regions. The backend is deployed in several regions and can handle traffic independently. You need a single anycast IP, automated failover, and protection against DDoS. Which solution should you choose?
A team wants to reduce operational overhead for a web API that experiences unpredictable bursts. The API is stateless, uses HTTP, and must scale to zero when idle. It also needs to access a Cloud SQL database securely. What is the best deployment approach?
A regulated enterprise must ensure that only approved VM images are used across all projects. They also need centralized attestation and policy enforcement during VM creation. What is the best approach?
A mission-critical service runs on GKE and uses Cloud Storage and Pub/Sub. During an incident, the team had limited visibility into which changes preceded the outage and struggled to correlate Kubernetes events, application logs, and cloud audit activity. You need an architecture that improves end-to-end observability and change traceability with minimal operational burden. What should you do?
Cloud Architect 50 Practice Questions FAQs
Cloud Architect is a professional certification from Google Cloud that validates expertise in cloud architecture technologies and concepts. The official exam code is GCP-6.
Our 50 Cloud Architect practice questions include a curated selection of exam-style questions covering key concepts from all exam domains. Each question includes detailed explanations to help you learn.
50 questions is a great starting point for Cloud Architect preparation. For comprehensive coverage, we recommend also using our 100 and 200 question banks as you progress.
The 50 Cloud Architect questions are organized by exam domain and include a mix of easy, medium, and hard questions to test your knowledge at different levels.