50 gcp interview questions Practice Questions: Question Bank 2025

You need to create an isolated environment for a new application team so they can manage resources independently and receive their own billing reports. What should you do first?

You need to grant a teammate the ability to view logs for all resources in a project but not modify any resources. Which IAM role is the best fit?

You deployed an application on a Compute Engine VM that should be reachable from the internet on TCP port 8080. The VM has an external IP, but users cannot connect. What is the most likely fix?

Your team wants to use Cloud Storage as a simple place to store build artifacts. They need object versioning to recover overwritten files. What should you do?

You need to deploy a stateless containerized web service with automatic scaling based on HTTP traffic and minimal operations overhead. Which service should you choose?

Your company wants to enforce that only resources in approved regions can be created in a set of projects. What is the recommended approach?

A Compute Engine VM suddenly becomes unresponsive. You want to investigate why and be alerted if it happens again. What should you do?

You have a batch process that runs nightly and writes results to Cloud Storage. The process must not be disrupted by a single-zone failure, but it does not need multi-region disaster recovery. Which deployment option best meets the requirement?

You want to allow an application running on a GKE cluster in Project A to read objects from a Cloud Storage bucket in Project B without using long-lived service account keys. What is the best approach?

Your company uses a Shared VPC. A service project’s VM cannot reach a Cloud SQL instance using a private IP. The VM and Cloud SQL instance are in different projects but intended to communicate over the shared network. What is the most likely missing configuration?

You need to quickly verify which Google Cloud project your gcloud CLI is currently targeting before deploying resources. What should you do?

You are deploying a new VM and want it to be reachable via a stable public IP address even after stopping/starting the VM. What should you do?

A VM needs to call Google APIs (for example, write logs) without using service account keys. What is the recommended approach?

Your application is deployed on a Managed Instance Group (MIG) behind an external HTTP(S) Load Balancer. Users in one region report high latency. You want to reduce latency without changing the app. What should you do?

A developer reports they can list objects in a Cloud Storage bucket but cannot upload new objects. They are using the correct project and bucket name. What is the most likely IAM issue?

You deployed a containerized web app to Cloud Run. It deploys successfully, but requests fail with a 503 and logs show the container never starts listening. What is the most likely cause?

A Compute Engine VM cannot access the internet. The VM has no external IP, and you want to keep it that way. The subnet has a default route to the internet gateway. What should you configure?

You need to rotate a database password used by an application running on Compute Engine. You want centralized secret storage with audit logging and the ability to control access via IAM. What should you use?

Your team needs to ensure that all newly created projects automatically have a set of required APIs enabled and specific IAM bindings applied. You want a scalable, policy-driven approach. What should you do?

You are troubleshooting intermittent 502 errors from an external HTTP(S) Load Balancer to a backend service running on a MIG. Health checks show healthy, but backend logs show connections are being closed early during peak traffic. What is the best next step to validate whether backend capacity is the issue?

You need to quickly view which Google Cloud APIs are enabled in a project and enable a missing API required by a deployment. What is the recommended approach?

A Cloud Storage bucket must not be publicly accessible. You want to prevent accidental public access via ACLs or IAM permissions. What should you do?

You deployed an application to Cloud Run and need to test it quickly from your laptop. The service is configured to allow unauthenticated invocations. What is the simplest way to get the service URL?

Your team wants to standardize resource naming and automatically apply labels (for cost allocation) whenever new projects are created. Which approach best fits Google Cloud best practices?

A VM in a private subnet must access Google APIs (such as Cloud Storage) without having an external IP address. What should you configure?

You are troubleshooting a GKE workload that cannot reach an external HTTPS endpoint. DNS resolves correctly, but connections time out. Other pods in the cluster can reach the same endpoint. What is the most likely cause?

You need to grant a vendor temporary access to upload objects into a single Cloud Storage bucket. They must not be able to list other buckets in the project or modify IAM. What is the best solution?

A new project has been created under your organization. You want to ensure no one can create external IP addresses for VMs in this project. What should you use?

You are designing a solution where an on-premises system publishes events that must be processed by multiple independent services on Google Cloud. Each service should receive its own copy of every event, and services may be added later without changing the publisher. Which architecture is most appropriate?

Your security team requires that VM instances do not use downloaded service account keys. Applications running on GCE must authenticate to Google APIs securely with minimal operational overhead. What should you do?

You need to allow a third-party auditor to view only BigQuery job history and dataset metadata in a project for two weeks. They must not be able to read table data. What should you do?

You deployed a new application version to a managed instance group (MIG) with an instance template update. You want to replace instances gradually to reduce risk, while keeping the group size constant. Which MIG update strategy should you use?

A developer accidentally deleted a critical object in a Cloud Storage bucket. You want to minimize the impact of accidental deletions going forward and allow recovery of previous versions. What should you enable on the bucket?

You need to create separate environments (dev, test, prod) with strong isolation. Each environment must have its own budgets and IAM boundaries, but should still be managed under a single organization. What is the recommended structure?

Your Cloud Run service must call a private internal API hosted on a Compute Engine VM that does not have an external IP. The VM is in a shared VPC subnet. What should you configure to allow Cloud Run to reach the VM privately?

A new VM in your project cannot access the internet, but it can reach other VMs in the same subnet. The VM has no external IP. You already created a Cloud NAT gateway. What is the most likely missing configuration?

You want to deploy a containerized application to GKE. The app has variable, bursty traffic and should scale pods based on CPU utilization. Which feature should you configure?

Your team needs to troubleshoot intermittent 500 errors from an internal HTTP(S) load balancer backend service. You want to correlate request logs with backend latency and response codes. What should you enable or use?

A security team requires that no service account keys can be created in a set of production projects, but existing workloads must continue to use service accounts via metadata-based credentials. What is the best approach?

You are migrating an on-premises application to Compute Engine. The application uses a licensing scheme tied to a stable MAC address and requires the VM to keep its internal IP after restarts. You also need to protect the VM from accidental deletion. What should you do?

You need to quickly inspect which account and project your Cloud Shell session is currently using before running any gcloud commands. What should you do?

Your team wants all new Cloud Storage buckets in a project to be created with uniform bucket-level access (UBLA) enabled by default to simplify permissions management. What should you do?

A VM in a private subnet has no external IP and must download packages from the internet during startup. You want to keep inbound access blocked while allowing outbound internet access. What should you configure?

Your company uses separate projects for dev, test, and prod. A security requirement states that only a centralized security project can host Cloud KMS keys, and application projects must use those keys for CMEK. What is the recommended approach?

A web application running on Compute Engine is deployed using a managed instance group (MIG). You want the group to automatically add or remove instances based on average CPU utilization. What should you configure?

A Cloud Run service intermittently returns 500 errors. You need to identify whether the failures are tied to a recent revision and inspect request logs quickly. What should you do?

You need to migrate a small on-premises MySQL database to Cloud SQL for MySQL with minimal downtime. The database is actively used, and you need to keep it in sync during cutover. What should you use?

A team wants to ensure that only approved VM images can be used to create instances in a project. What is the best way to enforce this at scale?

A Cloud Storage bucket contains log files that must be deleted automatically after 30 days. You want a managed solution without running cron jobs. What should you configure?

You deployed an application to a GKE cluster. Users report intermittent connectivity failures to a specific service, but pods appear healthy. You suspect DNS resolution issues inside the cluster. What should you check first?