Professional Cloud Architect · Difficulty

Medium PCA practice questions

Applied — put a concept to work in a realistic situation. 145 medium questions available — no sign-up, always free.

Question 1 of 25

A financial services company must satisfy a regulator's requirement that any access to their data by the cloud provider's support and engineering staff be logged, justified, and subject to explicit customer approval before the access occurs. The compliance team also wants near-real-time visibility into these provider-initiated access events. Which combination of Google Cloud capabilities best satisfies this requirement?

Reviewed for accuracy · Report an issue
Question 2 of 25

A development team reports that a newly deployed application running on a Compute Engine VM in a custom VPC cannot reach a Cloud SQL instance over a private IP. Before making any changes, they ask you, the architect, how they can programmatically confirm whether the network path and firewall rules actually permit the traffic without generating live application requests. Which Google Cloud approach should you advise them to use first?

Reviewed for accuracy · Report an issue
Question 3 of 25

A development team runs an automated shell script in Cloud Shell to create resources across several projects. The script relies on the default gcloud project configured in the active configuration. During a nightly batch run, resources were accidentally created in the wrong project because a teammate had earlier changed the active gcloud config. As the cloud architect, what should you advise the team to do to make the script safe and unambiguous regardless of the active configuration?

Reviewed for accuracy · Report an issue
Question 4 of 25

A platform team is about to update the autoscaling and machine-type configuration of a production managed instance group via a shell script during a maintenance window. The team lead is nervous about applying an incorrect change and asks you how to let engineers preview exactly what the gcloud command would do—without actually modifying any resources—before running it for real. What do you advise?

Reviewed for accuracy · Report an issue
Question 5 of 25

A developer on your team needs to run a one-off gcloud command to list objects in a Cloud Storage bucket that only a specific service account (data-reader@project.iam.gserviceaccount.com) has permission to access. The developer's own user account has been granted the Service Account Token Creator role on that service account, but no direct access to the bucket. Company policy prohibits creating and downloading service account keys. What is the recommended way for the developer to execute the command using the service account's permissions?

Reviewed for accuracy · Report an issue
Question 6 of 25

A platform team is writing a shell script that runs on a scheduled Compute Engine VM to inventory all VM instances across several projects. The script must extract specific fields (instance name, zone, and machine type) from the gcloud command output and feed them into a downstream tool that only accepts structured input it can parse reliably. The team currently parses the default human-readable table output using tools like grep and awk, but the script breaks whenever gcloud changes column spacing or adds columns. As the architect, what should you advise them to do to make the parsing robust?

Reviewed for accuracy · Report an issue
Question 7 of 25

A development team writes a Bash script that runs 'gcloud compute instances create' as part of a nightly automated job to ensure a set of standard utility VMs exists in a project. Occasionally the job fails because some of the VMs already exist from a previous run, causing the entire script to exit with an error and skip the creation of the remaining VMs. As the cloud architect, what should you advise the team to do to make the automation reliable and idempotent while still using the Cloud SDK?

Reviewed for accuracy · Report an issue
Question 8 of 25

A development team building a batch job that runs on an on-premises VM needs to authenticate to Google Cloud APIs. A junior developer asks you to help them create and download a service account JSON key so the application can call the APIs. Your organization enforces an org policy that blocks service account key creation. As the cloud architect advising the team, what should you recommend they implement for the on-premises workload?

Reviewed for accuracy · Report an issue
Question 9 of 25

A DevOps team has a deployment script that creates a Compute Engine managed instance group and then immediately runs a smoke test against the group's instances. The script frequently fails because the instances are not yet running when the smoke test executes. The team asks you how to make the script reliably proceed only after the instances are fully ready, without hardcoding arbitrary sleep timers. What do you advise?

Reviewed for accuracy · Report an issue
Question 10 of 25

A development team manages all production infrastructure with Terraform, but recent outages were traced to manual changes made directly in the Google Cloud Console that were later overwritten by an automated pipeline. As the cloud architect, you must advise the team on a process that both prevents unreviewed changes from reaching production and surfaces any out-of-band modifications before they cause conflicts. Which recommendation best addresses this?

Reviewed for accuracy · Report an issue
Question 11 of 25

Your operations team currently manages all Google Cloud infrastructure using Deployment Manager templates. Leadership has asked you, as the cloud architect, to advise the team on adopting a widely supported infrastructure-as-code tool that supports multi-cloud state management and a large community module ecosystem, while ensuring the team can programmatically preview changes before applying them. Which recommendation should you give the team?

Reviewed for accuracy · Report an issue
Question 12 of 25

A media company runs a data analytics platform on Google Cloud with a stable baseline of Compute Engine instances that operate 24/7 for at least the next three years. During monthly reporting periods, the workload spikes with additional short-lived instances that run for a few hours. The finance team wants to minimize total compute cost while keeping the architecture simple and avoiding upfront lump-sum payments. Which pricing strategy should the architect recommend?

Reviewed for accuracy · Report an issue
Question 13 of 25

A retail company builds container images in a CI pipeline. Currently, each environment (dev, staging, production) rebuilds the image from source using its own environment-specific Dockerfile. The team frequently discovers that code passing all staging tests fails in production due to subtle differences in the built artifacts. As the architect, what change should you recommend to the SDLC process to eliminate these environment-specific defects?

Reviewed for accuracy · Report an issue
Question 14 of 25

A US-based defense contractor is migrating a workload to Google Cloud that must comply with FedRAMP High and IL4 requirements. The security team mandates that the environment enforce data residency in US regions, restrict Google support personnel to US persons, and continuously monitor for configuration drift away from the compliance baseline. They want a Google-managed solution that packages these controls rather than assembling individual org policies and IAM constraints manually. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 15 of 25

A logistics company is building a new fleet-management backend on Google Cloud. The application must store structured shipment records with a well-defined relational schema, support ACID transactions across multiple tables, and serve a moderate but steady workload from a single region. The engineering team wants a fully managed database and expects data to grow to a few hundred gigabytes, with no requirement for global distribution or horizontal write scaling beyond a single primary. Which storage service best meets these requirements at the lowest operational and licensing overhead?

Reviewed for accuracy · Report an issue
Question 16 of 25

A genomics research startup runs nightly batch pipelines that process large datasets on Compute Engine. The jobs are fault-tolerant, can be checkpointed, and can restart if interrupted. They currently run on 200 standard on-demand n2 instances and take about 6 hours. Leadership wants to reduce compute cost as much as possible without missing the 10-hour nightly processing window, and the workload has no strict per-instance uptime requirement. Which compute design best meets these business and technical requirements?

Reviewed for accuracy · Report an issue
Question 17 of 25

A logistics company runs a nightly analytics pipeline composed of several dependent steps: extracting data from Cloud SQL, transforming it with a Dataflow job, loading results into BigQuery, and finally triggering a report-generation Cloud Run service. The steps must execute in strict order, with automatic retries on transient failures and clear visibility into which step failed. The team currently chains these steps with brittle cron jobs and shell scripts that offer no dependency management or observability. As the cloud architect, which Google Cloud service should you recommend to orchestrate this multi-step, dependency-aware workflow?

Reviewed for accuracy · Report an issue
Question 18 of 25

A financial services company runs microservices on GKE and must satisfy an auditor requirement that only container images built and scanned by the approved CI/CD pipeline can be deployed to production clusters. Developers must not be able to run arbitrary or manually pushed images. Which Google Cloud approach best enforces this control at deploy time?

Reviewed for accuracy · Report an issue
Question 19 of 25

A mid-sized company has migrated several projects to Google Cloud. The finance team is frustrated because they only discover budget overruns weeks later when the invoice arrives, and engineering teams have no visibility into their spending until it is too late to react. Leadership wants a process where teams are automatically notified as they approach their monthly spending thresholds, and wants the option to programmatically trigger automated responses (such as capping non-critical workloads) when a threshold is exceeded. Which approach best meets these business process requirements?

Reviewed for accuracy · Report an issue
Question 20 of 25

A large enterprise runs dozens of teams' workloads across several projects in a single Google Cloud organization. The finance department wants to hold each business unit accountable for its actual cloud spend and produce monthly internal invoices per team. Engineering leadership also wants dashboards showing cost trends by application and environment (prod, staging, dev). What is the most effective approach to enable accurate cost allocation and reporting across the organization?

Reviewed for accuracy · Report an issue
Question 21 of 25

A financial services company runs a Cloud Build CI/CD pipeline that deploys to production several times a day. An external auditor requires that every production deployment be traceable to a specific approved change request, and that the identity of the approver, the artifact version, and the timestamp be independently verifiable and retained for seven years. The engineering team wants to satisfy this requirement while keeping deployments fully automated where possible. Which approach best meets the audit and process requirements?

Reviewed for accuracy · Report an issue
Question 22 of 25

A retail company deploys its customer-facing web application to Google Kubernetes Engine several times per day. After a recent release caused a checkout outage that went undetected until customer complaints arrived, the release engineering team wants a deployment strategy that automatically exposes new versions to a small subset of live traffic, monitors error rates and latency against defined thresholds, and rolls back automatically if metrics degrade—without requiring a full duplicate production environment. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 23 of 25

A pharmaceutical company is designing a data platform for clinical trial results. Regulators require that all raw trial data be retained for 15 years and remain retrievable within a few hours if audited. Only the most recent 90 days of data is queried frequently by analysts; older data is accessed at most once or twice a year. The company wants to minimize total storage cost while satisfying the retention and retrievability requirements. Which storage design should the architect recommend?

Reviewed for accuracy · Report an issue
Question 24 of 25

A development team uses Cloud Build to run their CI/CD pipelines. Their build steps need to run integration tests against a Cloud SQL instance and a Memorystore instance that are only reachable through private IP addresses inside their VPC. The default Cloud Build workers cannot reach these private resources. As the architect, what should you advise the team to implement so the builds can connect to the private resources with the least operational overhead?

Reviewed for accuracy · Report an issue
Question 25 of 25

A development team maintains a single Cloud Build pipeline that must deploy the same application to three GKE clusters (dev, staging, and prod) in different projects. They want to avoid maintaining three separate cloudbuild.yaml files and instead pass the target project ID, cluster name, and image tag at build-submission time without hardcoding values. As the architect, what approach should you advise the team to adopt?

Reviewed for accuracy · Report an issue