50 Google Cloud Professional Cloud Architect Practice Questions: Question Bank 2025

A startup runs a stateless containerized web API and expects unpredictable traffic spikes. They want to minimize operational overhead while supporting automatic scaling and rolling updates. Which Google Cloud solution is most appropriate?

A company must ensure that only approved, compliant VM images can be deployed across multiple projects. They also need an audit trail of image usage. What is the best approach on Google Cloud?

An enterprise wants to connect its on-premises network to Google Cloud with high availability. They require that the connection continues even if a single edge location becomes unavailable. Which design best meets this requirement?

A team needs to store and serve user-uploaded images globally with low latency. The images are frequently read but rarely updated, and the team wants a highly durable, managed solution. What should they use?

A company needs to ensure that a new microservice can access only a specific Pub/Sub subscription and write logs. They want to follow least privilege. What is the best approach?

A data processing pipeline writes results to Cloud Storage. The business requires that objects older than 30 days are automatically removed, while objects newer than 30 days must remain accessible. What should you implement?

An application running on GKE must call a third-party API that only allows requests from a static, allowlisted IP address. The workloads also need outbound internet access. What is the recommended solution?

A platform team manages infrastructure as code and wants a controlled promotion process from development to staging to production. They need policy checks and approvals before applying changes in production. Which approach best meets these requirements?

A multi-tenant SaaS stores customer data in BigQuery. Some tenants require that their data be encrypted with tenant-specific keys that the provider can revoke independently. The solution must minimize application changes. What should you do?

A global customer-facing application uses Cloud Spanner and must meet an aggressive RTO and RPO in case of a regional outage. The team wants the database to continue serving reads and writes automatically during a region failure. What is the best design choice?

A startup is building a stateless web API on Google Cloud Run and wants to keep container images private. They need a simple way to store and manage these images with minimal operational overhead. What should they use?

A security team needs to ensure that any new Cloud Storage bucket created in a project is not publicly accessible. They also want to centrally enforce this without relying on developers to remember settings. What is the recommended approach?

A team is getting intermittent 502 errors from a global external HTTP(S) Load Balancer in front of a Managed Instance Group. The backends appear healthy most of the time, but error rates spike during deployments. What is the best first step to reduce user impact during rolling updates?

An enterprise needs a hybrid network design. Their on-premises data center connects to Google Cloud using Dedicated Interconnect. They require segmentation so that only specific VPCs can reach on-prem resources and want centralized control over routing. Which design best meets the requirement?

A company processes sensitive healthcare data and must ensure that only approved Google-managed encryption keys are used, and that data cannot be decrypted outside their defined boundary. They also want to reduce the risk of insider access to their data by Google personnel. What is the best solution?

A data engineering team runs nightly Spark jobs. The workload is highly variable: some nights require 5x more compute than others. They want to minimize operational effort and pay only for resources used while keeping compatibility with open-source Spark APIs. What should you recommend?

A platform team wants to standardize how application teams deploy infrastructure across multiple projects. They need an approval workflow, the ability to preview changes, and an auditable history of what was deployed. What approach best fits these requirements?

A microservices application on GKE experiences occasional latency spikes due to a single downstream dependency. The team wants to prevent cascading failures and improve resilience without changing application code significantly. What should they implement?

A global company must enforce data residency so that certain datasets remain in the EU. They also want to prevent accidental access to those datasets from projects outside the EU business unit, even by privileged identities. Which combination best addresses these needs?

A payment processing service runs across two regions in active-active mode behind a global HTTP(S) Load Balancer. The backend uses Cloud SQL, and the business requires an RPO near zero and automatic regional failover. Which architecture is most appropriate?

A startup deploys a stateless API on Cloud Run. It must allow only a partner company's on-prem IP range to call the API over HTTPS. The startup wants minimal operational overhead and does not want to manage client certificates. What should you do?

A company wants a simple way to grant a contractor access to only one Cloud Storage bucket for 2 days. The contractor should not have broader project permissions, and access should automatically expire. What is the best approach?

You need to deploy infrastructure repeatedly across dev, test, and prod with minimal drift and the ability to peer review changes before applying. What is the recommended approach?

A retail company ingests clickstream events into BigQuery from multiple regions. They need near-real-time dashboards and also want to minimize the cost of running repeated aggregations on the raw events. What should you recommend?

An application stores customer documents in Cloud Storage and processes them with Cloud Run jobs. Due to compliance, documents must be encrypted with customer-managed keys, and access to decrypt should be tightly controlled and auditable. What design best meets the requirement?

A team is migrating a monolithic application to microservices on GKE. They want a controlled rollout strategy that gradually shifts traffic to a new version and allows quick rollback if errors increase. Which solution is most appropriate?

A company uses Pub/Sub to ingest events from thousands of devices. They notice increased message delivery latency and occasional subscriber timeouts. The subscriber is a Compute Engine instance running a single-threaded process that pulls messages. What change most directly improves throughput and reliability?

A healthcare organization must ensure that only approved images can run in production GKE clusters. They also need a verifiable attestation that images were built by their CI system and scanned for vulnerabilities before deployment. What should you implement?

A global SaaS platform uses Cloud Spanner for its primary database. They want to run heavy analytical queries without impacting OLTP performance. The analytical workload can tolerate slightly stale data but must not require ETL exports out of Spanner. What should you recommend?

A fintech company runs mission-critical workloads on Compute Engine managed instance groups (MIGs) across two zones in a region. They need to survive a full regional outage with minimal RTO while ensuring configuration consistency and fast failover. Which architecture best meets these requirements?

Your organization wants to enforce a policy that only approved Google Cloud services can be used in new projects. The policy must be centrally managed and automatically apply to all future projects under a folder. What should you do?

A team runs a stateless web application on a Managed Instance Group (MIG). They need to perform a configuration update that must roll out gradually with the ability to quickly stop if errors increase. What should they use?

You need to run an event-driven function when a file is uploaded to a Cloud Storage bucket. The solution should require minimal operations and scale automatically. What should you use?

Your SRE team wants to reduce alert fatigue. They have many alerts that fire when a metric briefly spikes but self-recovers within a minute. What change is most appropriate?

A financial services company must ensure that objects stored in Cloud Storage cannot be deleted or overwritten for 7 years, even by project owners. The solution must meet regulatory retention requirements. What should you implement?

A media company ingests clickstream events globally and needs to process them in near real time to compute rolling aggregates and write results to an analytics store. The pipeline must handle out-of-order events and provide exactly-once processing semantics where possible. Which architecture is most appropriate?

You are migrating an application to Google Cloud and want a CI/CD pipeline that builds container images, runs tests, and deploys to Cloud Run. The company wants to manage the pipeline configuration as code and trigger on Git commits. Which approach best fits Google Cloud-native services?

Your company wants to reduce costs for a fleet of Compute Engine instances that run fault-tolerant batch processing and can be interrupted without data loss. The workload runs most days but can tolerate preemption. What is the best option?

A company operates a multi-tenant SaaS on GKE. They must ensure that traffic to certain Google APIs (for example, Cloud Storage and BigQuery) cannot be exfiltrated to projects outside of their approved perimeter, even if credentials are stolen. What should they implement?

You run a mission-critical service in two regions (active-active) behind a global HTTP(S) Load Balancer. During a regional outage, some users still experience errors because their sessions are tied to backends in the failing region. You want to improve resilience while keeping latency low. What should you do?

A development team wants to reduce the risk of accidental changes to production resources. They need a simple way to enforce that only a CI/CD service account can deploy to the production project, while developers can still deploy to dev and test projects. What should you do?

You run a stateless web API on Google Kubernetes Engine (GKE) and want to release a new version with minimal risk. You need the ability to gradually shift traffic and quickly roll back if error rates increase. What is the best approach?

A team wants to manage Google Cloud resources using infrastructure as code and ensure consistent provisioning across environments. They prefer a Google-managed service that can deploy and update resources from declarative templates. What should they use?

A healthcare company must encrypt data at rest and centrally control encryption keys for Cloud Storage and BigQuery. They also need the ability to disable keys quickly if a compromise is suspected and to audit key usage. What solution best meets these requirements?

An application running on Compute Engine in a private subnet needs to call Google APIs (e.g., Cloud Storage) without using external IP addresses. The organization prohibits internet egress from these instances. What should you implement?

Your organization requires a clear separation between centrally managed networking and individual application teams. The central team must control VPCs, subnets, and firewall rules, while application teams deploy resources into those networks across multiple projects. What architecture should you choose?

A data analytics platform ingests events into Pub/Sub and processes them using Dataflow. Recently, the pipeline has started lagging with increasing Pub/Sub subscription backlog. You need to reduce end-to-end latency without overprovisioning constantly. What should you do first?

A company wants a repeatable release process across dev, staging, and production. They must ensure that every production deployment is traceable to a specific commit and that only tested artifacts are promoted. Which approach best satisfies these requirements?

A global ecommerce site runs in two regions (active-active) behind a global HTTP(S) load balancer. During a regional outage test, users still experienced errors because some backend instances in the unhealthy region continued receiving traffic briefly. You need faster, more reliable failover behavior at the load balancer. What should you configure?

A financial services firm must demonstrate that administrators cannot directly access sensitive production data stored in BigQuery. Analysts should access only approved views, and all access must be auditable. What is the best design?