gcp interview questions Practice Exam 2025: Latest Questions

You want to use gcloud with a specific project by default for the rest of your terminal session. What should you do?

A developer needs to deploy a containerized web app without managing servers and wants the service to automatically scale to zero when idle. Which Google Cloud product is the best fit?

You need to give a teammate read-only access to view objects in a single Cloud Storage bucket. What is the simplest IAM role to grant at the bucket level?

A Compute Engine VM cannot access the internet. You check that the VM is running and has a private IP. Which configuration is required for outbound internet access from a VM that does NOT have an external IP address?

You are designing a VPC network for three environments (dev, test, prod). Each environment should have clear IP separation and minimal accidental overlap, but you want to avoid managing three separate VPCs. What is the recommended approach?

A stateless API runs on a managed instance group (MIG). You want zero-downtime deployments when rolling out a new VM image. Which MIG update strategy should you use?

Your team needs to run a one-time data import job from Cloud Storage into BigQuery every night. The job is a container you already have, and it should run on a schedule with minimal ops overhead. What should you use?

A Cloud Storage bucket contains sensitive files. You need to ensure that only requests coming from within your VPC can access the bucket, without using public internet. What is the best solution?

A production service runs on multiple Compute Engine instances behind an external HTTP(S) Load Balancer. Users report intermittent 5xx errors. You need to identify whether the errors are coming from the backend instances or the load balancer, and you want request-level visibility. What should you enable/use?

You need to let an on-premises application authenticate to Google Cloud and write objects to a specific Cloud Storage bucket. Company policy forbids storing long-lived service account keys. What should you implement?

You need to create a new Google Cloud project and ensure a teammate can manage only that project’s resources, but not billing accounts or other projects. Which approach is recommended?

You deployed a web app on a Compute Engine VM. You can reach it from inside the VPC, but external users cannot access it on TCP port 443. The VM has an external IP. What is the most likely fix?

You are asked to reduce the blast radius of network changes between development and production workloads, while keeping both in the same organization. What is the best practice?

A team needs to grant a CI/CD system permission to deploy containers to a GKE cluster. They want to avoid using user credentials and avoid storing long-lived keys. What should they use?

You need to deploy a containerized application with automatic scaling based on HTTP traffic, and you don’t want to manage servers. The app should support simple blue/green traffic splitting. Which product best meets these requirements?

A Compute Engine VM in a private subnet (no external IP) must download OS updates from the internet. You want to minimize exposure by avoiding external IPs on VMs. What should you configure?

You want to collect and query application logs from multiple projects in the same organization in one central location. Which approach is recommended?

Your team needs to ensure that all objects uploaded to a specific Cloud Storage bucket are encrypted using a customer-managed key. You also want to control who can use that key. What should you do?

A production app runs on a regional Managed Instance Group (MIG) behind a load balancer. You need to roll out a new VM image with minimal downtime and the ability to automatically replace instances gradually. Which update strategy should you choose?

You created a service account for an application running on a Compute Engine VM. The VM can list objects in a Cloud Storage bucket, but when it tries to upload objects it gets an access denied error. You verified the VM is using the correct service account. What is the most likely cause?

You need to ensure all objects uploaded to a specific Cloud Storage bucket are encrypted with customer-managed encryption keys (CMEK). Uploads that are not encrypted with the approved key should be rejected. What should you do?

A VM instance cannot be reached via SSH from the internet. The VM has an external IP address. You suspect a VPC firewall issue. What is the best first step to diagnose the problem?

Your team created a new Google Cloud project. You need to use gcloud to deploy resources into that project, but you must ensure you don't accidentally deploy into a different existing project. What should you do?

You want to restrict who can create external IP addresses in your organization to reduce data exfiltration risk. You also want this restriction to apply automatically to all new projects created under a specific folder. What should you do?

You are deploying a stateless web application to Compute Engine managed instance groups. A new version should be rolled out gradually, and you must be able to quickly roll back if errors increase. What should you use?