50 Google Cloud Professional DevOps Engineer Practice Questions: Question Bank 2025

You are bootstrapping a new Google Cloud organization. Security requires that no projects can be created unless they inherit mandatory labels, specific enabled APIs, and a baseline set of IAM bindings. Which approach best enforces this at scale with minimal manual effort?

Your team is building a CI pipeline for a containerized service deployed to Cloud Run. They want fast feedback and consistent builds across developers and the build system, and they want to reduce "works on my machine" issues. What is the best approach?

A service has an SLO of 99.9% availability measured over 30 days. After an incident, leadership asks whether the team should freeze feature releases. Which SRE concept should you use to make this decision objectively?

You operate multiple GKE clusters. You want to ensure only approved container images are deployed, and you need an auditable policy enforced at admission time without modifying application code. Which solution best meets the requirement?

A Cloud Run service is experiencing intermittent high latency. You need to identify whether the slowness is due to downstream dependencies and pinpoint where time is being spent across services. What should you implement first?

You need to roll out a risky change to a production API on GKE while minimizing blast radius. You want the ability to quickly stop the rollout based on real user metrics such as error rate and latency. Which deployment strategy is most appropriate?

Your org requires strict separation of duties: developers can deploy to staging, but only the release automation service account may deploy to production. You also want approvals recorded and tied to a specific build artifact. Which approach best satisfies this?

A global application uses Cloud Load Balancing in front of multiple backends. During traffic spikes, some users see elevated latency. You suspect one backend region is unhealthy or overloaded. What is the most effective first step to reduce user impact automatically?

You need to create an alert for a service’s availability SLI (successful requests / total requests). The SRE team wants alerts to trigger only when the burn rate indicates the error budget will be exhausted soon, reducing alert fatigue. What alerting approach should you implement?

A team wants to standardize resource hierarchy and billing across environments. They need a simple structure that supports separating dev/test/prod for access control and cost tracking while remaining easy to manage. Which organization structure is the best starting point?

You are bootstrapping a new Google Cloud organization. Security requires that no resources can be created outside approved regions, and the restriction must apply consistently to all current and future projects. What should you do?

A Cloud Build pipeline intermittently fails when pulling base images from Artifact Registry due to insufficient permissions. Builds run under the default Cloud Build service account. What is the best practice fix?

Your service owners want on-call to focus on actionable pages. You need to reduce alert noise by ensuring alerts trigger only when user-visible behavior is affected. Which approach best aligns with SRE practices?

Multiple teams deploy to projects in the same organization. You need a scalable way to ensure every project has a baseline set of mandatory logs exported to a centralized logging project. What should you implement?

You are moving to trunk-based development. You want every merge to the main branch to automatically deploy to a staging environment, run integration tests, and then require an explicit approval before deploying to production. Which solution best fits Google Cloud managed CI/CD?

A GKE-based API is experiencing increased latency during peak traffic. You need to determine whether the issue is application latency, node resource pressure, or a downstream dependency. What is the best monitoring strategy using Google Cloud operations tools?

Your org has separate folders for dev, staging, and prod. You must ensure production projects cannot disable Cloud Audit Logs and cannot allow public IP addresses on newly created Compute Engine VMs. How should you enforce this at scale?

You manage a microservices platform with frequent releases. Leadership wants a quantitative way to decide if the org should slow feature delivery due to reliability issues. What SRE mechanism should you implement?

A Terraform-based deployment uses Cloud Build. The pipeline occasionally creates partial infrastructure when a step fails, leaving dangling resources and making retries unsafe. You need a robust design that supports safe retries and consistent environments. What should you do?

A globally distributed service uses Cloud Load Balancing and multiple backends. Users in one geography report high tail latency (p99) while average latency looks normal. You need to optimize performance and pinpoint where p99 is coming from. What is the best approach?

Your organization is rolling out a new Google Cloud Organization and wants to ensure consistent project creation. Only a central platform team should be able to create projects, and every new project must automatically have required labels and a standard set of enabled APIs. What is the best approach?

A service deployed on Cloud Run has an SLO of 99.9% availability. Over the past hour, Monitoring shows 0.2% of requests returned 5xx. What should you do next according to SRE principles?

You need to create an alert that notifies on-call when the rate of HTTP 500 responses for a service exceeds 1% over 5 minutes. The service runs on GKE with an Envoy-based ingress exporting metrics. What should you alert on?

Your CI/CD pipeline builds container images and deploys to GKE. Security requires that only signed images are deployed, and the signature must be verified at admission time in the cluster. What is the best solution on Google Cloud?

You operate a multi-region, active-active service behind a global HTTP(S) load balancer. Users report sporadic high latency. You want to quickly isolate whether latency is concentrated in a single region, a specific backend service, or a subset of clients. What monitoring approach is most effective?

A Cloud Build pipeline deploys to production using a service account. A recent incident occurred because a developer modified the pipeline configuration in the repo and added overly broad IAM permissions for the deploy step. You need to reduce the risk of privilege escalation through CI/CD. What is the best approach?

Your team is establishing an SLO for a read-heavy internal API. You have reliable request/response logging and metrics. Stakeholders care most about user experience during peak times, and they want to avoid an SLO that is trivially met by low-traffic periods. What is the best SLI/SLO design?

A high-throughput Pub/Sub-to-BigQuery ingestion pipeline occasionally falls behind during traffic spikes. Data must be near-real-time, but occasional delays of a few minutes are acceptable. You want to improve performance and cost efficiency while maintaining reliability. What is the best approach?

You manage hundreds of projects across multiple folders. You need to ensure that external IP addresses are not created except in an approved set of projects. The control must be enforced proactively (prevent creation), not detected later. What is the best solution?

A microservices application on GKE experiences intermittent request failures during deployments. Investigation suggests that pods are being terminated while still serving requests, and some clients are not retrying. You need to reduce error rates during rollouts without significantly slowing deployments. What should you do?

Your organization wants every new project to start with consistent security controls: restricted default network creation, required labels (env, owner), and a mandated log sink to a central logging project. You need an approach that scales and is hard to bypass. What should you implement?

A team wants to reduce blast radius by ensuring application deployments can only modify resources in a single project, while platform admins retain broader access. The team uses Cloud Build for deployments. What is the best practice for permissions?

You run a stateless web service on Cloud Run. During an incident, requests succeed but latency increases. You want to quickly understand if the issue is due to cold starts or downstream dependencies. Which monitoring approach is most appropriate?

You have a GKE service with frequent rollouts. You want to ensure the service does not serve traffic during application startup until it is ready. Which Kubernetes feature should you use?

Your org uses a centralized networking project with Shared VPC. App teams deploy into service projects and must use only approved subnets and firewall rules managed by the network team. How should you structure permissions to support this model?

A CI/CD pipeline needs to deploy to multiple environments (dev, staging, prod). The deployment must require an explicit approval step only for production, and you want a managed, auditable approval control integrated with Google Cloud. What should you use?

Your SRE team is defining SLOs for an internal API. Product owners want to account for planned maintenance windows so SLO compliance isn’t penalized when the service is intentionally unavailable. What is the recommended approach?

You need to monitor a fleet of microservices and want consistent, low-cardinality metrics and logs for alerting and dashboards. Some teams currently add user IDs as metric labels, causing Monitoring performance issues. What should you do?

A latency-sensitive service on GKE is experiencing occasional CPU throttling and unpredictable tail latency. Workloads are bursty but require consistent performance. Which change is most likely to reduce throttling and stabilize latency?

Your organization requires that production deployments are fully automated but must be provably sourced from a trusted build, with protection against tampering and an auditable chain from source to artifact to deployment. Which approach best satisfies this requirement on Google Cloud?

Your team wants to standardize how new Google Cloud projects are created so that every project automatically has required labels, enabled APIs, budget alerts, and default logging sinks. The solution must be repeatable and require minimal manual steps. What should you do?

You want Cloud Logging to be able to write logs into a central logging project from multiple service projects. You have created a log sink in a service project with a destination in the central project, but no logs arrive. What is the most likely missing step?

A service running on Cloud Run has periodic latency spikes, and you suspect cold starts. You want the simplest configuration change that reduces cold starts without changing application code. What should you do?

Your organization requires that only images scanned and approved by security can be deployed to production GKE clusters. You already use Cloud Build and Artifact Registry. What is the best approach to enforce this requirement at deploy time?

You are implementing SLOs for a user-facing API. Your stakeholders care about end-to-end user experience, not internal component behavior. What is the most appropriate SLI to define?

A batch job running on GKE experiences frequent evictions due to node pressure, causing missed deadlines. You want to reduce evictions while still efficiently sharing cluster capacity between batch and critical services. What should you do?

Your team uses Cloud Monitoring and wants to reduce alert fatigue. Currently, you have alerts on many low-level metrics and receive frequent pages that do not impact users. What is the best strategy to improve alerting quality?

You manage multiple environments (dev, staging, prod) with separate projects. You need to ensure production data never leaves the production project and that only a small set of identities can access prod resources. What is the best approach?

Your Cloud Build pipeline deploys to production using a service account that also has broad permissions in several other projects. An auditor requests proof that production deployments are protected against privilege escalation and that changes are approved. What should you implement?

You run a multi-region service behind a global HTTP(S) Load Balancer. During a regional outage, traffic shifts as expected, but the service violates its availability SLO because clients receive intermittent 5xx errors for several minutes. You discover that backends in the unhealthy region were still receiving some traffic. What is the most effective configuration change to reduce this during future incidents?