gcp interview questions Advanced Practice Exam: Hard Questions 2025

Your organization uses a Shared VPC with a host project and multiple service projects. A new team must deploy Compute Engine instances in a service project into a subnet in the host project, but they must not be able to create, modify, or delete any subnets, routes, or firewall rules in the host project. What is the best approach to grant the minimum required permissions?

You are asked to design a resource hierarchy for a company with two environments (prod and non-prod) and three teams (app, data, security). The requirement is to: 1) centrally enforce organization-wide constraints (e.g., disallow external IPs by default), 2) allow security to manage IAM policies and audit logs across all projects, and 3) allow teams to independently manage budgets and quotas per environment. Which hierarchy best meets these requirements with least operational overhead?

A legacy application running on a single VM uses a local filesystem for state and must be migrated quickly to Google Cloud with minimal code changes. The application needs high availability across zones, and you must avoid data corruption during zone failures. Which design best meets the requirement?

A GKE workload in a private cluster must access a third-party API on the public internet. The security team forbids public IPs on nodes and requires that all egress be identifiable and restrictable. You also need to ensure the API provider can allowlist a stable set of source IPs. What should you implement?

A production HTTP(S) Load Balancer is returning intermittent 502/503 errors after a new backend deployment. You notice that some backend VMs are marked healthy and others unhealthy, but CPU and memory look normal. The application listens on port 8080, while the health check is configured for port 80. What is the most likely fix?

A team is using Terraform to create projects and enable APIs. The first apply intermittently fails with errors indicating the API is not enabled when subsequent resources are created. You need a robust approach that avoids flaky deployments and reduces manual retries. What should you do?

You must grant an on-premises automation system access to upload objects to a single Cloud Storage bucket. Security policy requires: no user-managed keys, ability to rotate credentials without downtime, and minimal permissions. What is the best solution?

A stateful VM running a database on a persistent disk must undergo host maintenance with minimal downtime. You are allowed a brief restart but must keep the same VM name and internal IP for dependent systems. What is the best approach?

Your company requires that no Compute Engine VM in the organization can be created with an external IP, except in a specific 'bastion' project. You need an enforceable control that teams cannot bypass with IAM. What should you implement?

An application deployed across multiple zones uses Managed Instance Groups (MIGs). During a traffic spike, instances are created but fail shortly after boot. Logs show the app cannot reach a required Google API endpoint, yet the instances have no external IPs. The subnet has no Cloud NAT. You must keep instances private and restore functionality quickly. What should you do?