Managing implementation
Drill 19 practice questions focused entirely on Managing implementation for the Google Cloud PCA exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A development team reports that a newly deployed application running on a Compute Engine VM in a custom VPC cannot reach a Cloud SQL instance over a private IP. Before making any changes, they ask you, the architect, how they can programmatically confirm whether the network path and firewall rules actually permit the traffic without generating live application requests. Which Google Cloud approach should you advise them to use first?
A development team runs an automated shell script in Cloud Shell to create resources across several projects. The script relies on the default gcloud project configured in the active configuration. During a nightly batch run, resources were accidentally created in the wrong project because a teammate had earlier changed the active gcloud config. As the cloud architect, what should you advise the team to do to make the script safe and unambiguous regardless of the active configuration?
A platform team is about to update the autoscaling and machine-type configuration of a production managed instance group via a shell script during a maintenance window. The team lead is nervous about applying an incorrect change and asks you how to let engineers preview exactly what the gcloud command would do—without actually modifying any resources—before running it for real. What do you advise?
A development team writes an automation script that repeatedly runs 'gcloud projects add-iam-policy-binding' to grant a service account the roles/storage.objectViewer role across dozens of projects. During a code review, an operations engineer warns that concurrent executions of this command against the same project could silently overwrite each other's changes and lose bindings. As the cloud architect, what should you advise the team to do to make these IAM updates safe under concurrency?
A developer on your team needs to run a one-off gcloud command to list objects in a Cloud Storage bucket that only a specific service account (data-reader@project.iam.gserviceaccount.com) has permission to access. The developer's own user account has been granted the Service Account Token Creator role on that service account, but no direct access to the bucket. Company policy prohibits creating and downloading service account keys. What is the recommended way for the developer to execute the command using the service account's permissions?
A platform team is writing a shell script that runs on a scheduled Compute Engine VM to inventory all VM instances across several projects. The script must extract specific fields (instance name, zone, and machine type) from the gcloud command output and feed them into a downstream tool that only accepts structured input it can parse reliably. The team currently parses the default human-readable table output using tools like grep and awk, but the script breaks whenever gcloud changes column spacing or adds columns. As the architect, what should you advise them to do to make the parsing robust?
A development team writes a Bash script that runs 'gcloud compute instances create' as part of a nightly automated job to ensure a set of standard utility VMs exists in a project. Occasionally the job fails because some of the VMs already exist from a previous run, causing the entire script to exit with an error and skip the creation of the remaining VMs. As the cloud architect, what should you advise the team to do to make the automation reliable and idempotent while still using the Cloud SDK?
A development team building a batch job that runs on an on-premises VM needs to authenticate to Google Cloud APIs. A junior developer asks you to help them create and download a service account JSON key so the application can call the APIs. Your organization enforces an org policy that blocks service account key creation. As the cloud architect advising the team, what should you recommend they implement for the on-premises workload?
A DevOps team has a deployment script that creates a Compute Engine managed instance group and then immediately runs a smoke test against the group's instances. The script frequently fails because the instances are not yet running when the smoke test executes. The team asks you how to make the script reliably proceed only after the instances are fully ready, without hardcoding arbitrary sleep timers. What do you advise?
A development team manages all production infrastructure with Terraform, but recent outages were traced to manual changes made directly in the Google Cloud Console that were later overwritten by an automated pipeline. As the cloud architect, you must advise the team on a process that both prevents unreviewed changes from reaching production and surfaces any out-of-band modifications before they cause conflicts. Which recommendation best addresses this?
Your operations team currently manages all Google Cloud infrastructure using Deployment Manager templates. Leadership has asked you, as the cloud architect, to advise the team on adopting a widely supported infrastructure-as-code tool that supports multi-cloud state management and a large community module ecosystem, while ensuring the team can programmatically preview changes before applying them. Which recommendation should you give the team?
A development team uses Cloud Build to run their CI/CD pipelines. Their build steps need to run integration tests against a Cloud SQL instance and a Memorystore instance that are only reachable through private IP addresses inside their VPC. The default Cloud Build workers cannot reach these private resources. As the architect, what should you advise the team to implement so the builds can connect to the private resources with the least operational overhead?
A development team maintains a single Cloud Build pipeline that must deploy the same application to three GKE clusters (dev, staging, and prod) in different projects. They want to avoid maintaining three separate cloudbuild.yaml files and instead pass the target project ID, cluster name, and image tag at build-submission time without hardcoding values. As the architect, what approach should you advise the team to adopt?
A development team currently uses hand-written shell scripts invoked from a Cloud Build step to promote container images through dev, staging, and production GKE clusters. Promotions are error-prone, lack a consistent approval step, and offer no easy way to roll back to a previously deployed release. As the architect, you must advise the team on a Google Cloud managed service that provides a declarative delivery pipeline with defined promotion sequences between targets, approval gates, and one-command rollback, while minimizing custom scripting. What do you recommend?
A platform engineer keeps a collection of operational bash scripts and gcloud helper aliases that they use daily from Cloud Shell to administer several Google Cloud projects. They report that after a few weeks of inactivity, some files they saved appear to be missing, while others in their home directory remain. They want to understand the behavior so they can reliably store their tooling. Which statement correctly describes Cloud Shell persistence and the recommended practice?
An operations engineer maintains automation scripts that must run gcloud commands against three different projects (dev, staging, prod), each requiring different service account credentials and default regions. The scripts currently break because commands intermittently target the wrong project when multiple team members run them concurrently on a shared jump host. As the architect, what should you advise to make the automation reliably target the correct project and credentials per invocation without relying on the global active configuration?
A development team wrote a shell script that loops over 400 project IDs and runs a gcloud command to enable an API in each one. When they run it, many commands begin failing with HTTP 429 quota errors, and the run takes hours because it processes projects one at a time. They ask you how to make the automation both faster and more resilient without requesting quota increases. What should you advise?
A development team reports that a newly deployed pod on a private GKE cluster is stuck in CrashLoopBackOff. As the cloud architect, you need to guide an on-call engineer who only has access to a browser to inspect the pod's container logs and recent events without provisioning any local tools or bastion host. Which approach should you advise?
A platform team manages all Google Cloud infrastructure with Terraform. Multiple engineers run 'terraform apply' from their laptops against the same configuration, and the team has recently experienced corrupted state and conflicting resource changes when two people apply at the same time. As the cloud architect, what should you recommend to prevent concurrent modifications and enable safe collaboration?
More PCA practice
Keep going with the other Professional Cloud Architect domains, or take a full timed mock exam.
← Back to PCA overview