Practice PCA Manage and provision cloud infrastructure questions with full explanations on every answer.
Click any question to see the full explanation and answer options, or start a focused practice session above.
1. A company is deploying a new application on Compute Engine. They need to ensure that the application can automatically recover from a zone failure. What is the best approach?
2. An organization has multiple projects in Google Cloud and wants to centralize logging and monitoring for all projects. They need to aggregate logs from all projects into a single project for analysis. Which approach should they use?
3. A developer needs to deploy a containerized application on Google Kubernetes Engine (GKE) with minimal operational overhead. They want to automatically scale the number of pods based on CPU utilization. Which GKE feature should they use?
4. A company is deploying a web application on Compute Engine behind a global HTTP(S) load balancer. They want to restrict access to only traffic from specific IP ranges. Which load balancer feature should they use?
5. A company has a production database running on Cloud SQL. They need to ensure high availability with automatic failover in the event of a zone outage. What should they do?
6. A developer wants to store and retrieve non-relational data with flexible schema and automatic scaling. Which Google Cloud service should they use?
7. A company wants to migrate on-premises workloads to Google Cloud. They need to assess the existing infrastructure, plan the migration, and track progress. Which tool should they use?
8. A company is using Cloud Storage to store sensitive data. They need to enforce that objects are deleted exactly 30 days after creation. Which object lifecycle rule should they configure?
9. Which TWO options are valid ways to connect an on-premises network to a VPC in Google Cloud? (Choose two.)
10. Which THREE components are required to set up a private connection between an on-premises network and a VPC using Cloud VPN? (Choose three.)
11. Which TWO statements about Google Cloud VPC networks are true? (Choose two.)
12. A developer runs the command above. The instance is created successfully, but cannot be reached via HTTP from the internet. What is the most likely cause?
13. An administrator creates a GKE cluster with the command above. After deployment, the cluster has 3 nodes, but the node pool autoscaler never scales up even under load. What is the most likely reason?
14. A company runs a critical application on Compute Engine instances in a managed instance group (MIG) across three zones in us-central1. The application uses a Cloud Spanner database. Recently, the application experienced increased latency and timeouts during peak hours. The operations team noticed that the MIG's CPU utilization is consistently above 80% during peak hours, and the autoscaler is configured to scale based on CPU utilization with a target of 60%. However, the autoscaler is not adding new instances quickly enough, causing performance degradation. The team also observed that new instances take over 5 minutes to become healthy and serve traffic. The health check is a simple TCP check on port 8080. The application startup script downloads large configuration files from Cloud Storage. What should the team do to improve the autoscaling response time and reduce latency?
15. A startup is deploying a microservices application on Google Kubernetes Engine (GKE) with a regional cluster. They have services that need to communicate with each other and also with external APIs. The cluster uses VPC-native routing. They have enabled Cloud NAT to allow outbound internet access for nodes without external IPs. However, the development team reports that some pods cannot reach the external APIs, while others can. All pods are in the same namespace and are not using any network policies. The pods that fail have the annotation 'cloud.google.com/gke-nat-ips' set to a list of static IP addresses. The pods that work do not have this annotation. What is the most likely cause of the failure?
16. A company is migrating its on-premises application to Google Cloud. The application requires low-latency access to a shared filesystem that can be mounted by multiple Compute Engine instances across different zones. Which storage solution should they use?
17. An organization has a VPC with two subnets: subnet-a (10.0.1.0/24) and subnet-b (10.0.2.0/24). They launched a Compute Engine instance in subnet-a with an internal IP 10.0.1.2 and a public IP. They want the instance to only allow HTTPS traffic from the internet. Which firewall rule should they create?
18. A developer needs to programmatically create and manage Compute Engine instances. Which Google Cloud service should they use to authenticate and authorize service accounts?
19. A company deploys a web application on Compute Engine behind a Global HTTPS Load Balancer. They need to restrict access to the application based on the client's IP address. Which Google Cloud service should they use?
20. An organization uses Cloud SQL for MySQL in a production environment. They need to ensure high availability with automatic failover in case of a zonal failure. Which configuration should they use?
21. Which TWO statements are true about Google Cloud VPC networks? (Select exactly 2.)
22. Which THREE are best practices for managing secrets (e.g., API keys, passwords) in Google Cloud? (Select exactly 3.)
23. Your company runs a stateful web application on Compute Engine instances in a managed instance group (MIG) with autoscaling based on CPU utilization. The application maintains session state in memory on each instance. Recently, users have been experiencing session timeouts and data loss during scaling events. Additionally, the application's performance degrades under load due to frequent database queries for session data. You need to design a solution that ensures session persistence, improves performance, and minimizes application changes. The application is written in Java and uses Tomcat. Which of the following should you do?
24. A company is migrating a legacy monolithic application to Google Cloud. The application runs on a single VM and uses a local MySQL database. The goal is to minimize changes to the application code while improving availability. Which strategy should the company use?
25. A company is designing a highly available web application on Google Cloud. The application consists of stateless compute instances behind a global HTTP(S) Load Balancer. The compute instances must be able to handle sudden spikes in traffic. Which TWO strategies should the company implement? (Choose two.)
26. A company wants to enable a new DevOps team to have read-only access to logs in the default Cloud Logging bucket for their project, but prevent them from modifying log views or creating linked datasets in BigQuery. Which two IAM roles should be granted to the team?
27. A company runs an e-commerce platform on Google Cloud. The application is deployed on Google Kubernetes Engine (GKE) with a regional cluster (us-central1, three zones). The frontend service is exposed via an HTTP Load Balancer with Cloud CDN. Recently, during a flash sale, users experienced high latency and occasional 502 errors. The backend service is a Java application that reads from Cloud Spanner. The team has observed that Spanner CPU utilization averaged 65% during the sale, with a few spikes to 80%. The number of frontend pods was auto-scaled to 50, each running on n1-standard-2 nodes. The node pool is set to autoscale up to 100 nodes. The errors appear to correlate with periods of high CPU on the nodes, but not always. What is the most likely cause and recommended action?
28. Drag and drop the steps to migrate a Compute Engine VM to a different region using a snapshot into the correct order.
29. Drag and drop the steps to configure IAM roles for a service account to access Cloud Storage from a Compute Engine instance into the correct order.
30. Match each GCP storage service to its typical use case.
31. Match each GCP monitoring/logging tool to its purpose.
32. A developer needs to pass a startup script to a Compute Engine instance during creation. Which method should be used to ensure the script runs on first boot?
33. A company has Compute Engine instances in us-east1-a and us-east1-b zones. They want to allow communication between these instances with minimal latency and no additional cost. What is the best networking approach?
34. A Cloud Router BGP session is flapping. The logs show 'Interface flapping due to changes in the underlying network'. What is the most likely cause?
35. Which TWO actions are required to allow a private GKE cluster to pull container images from Artifact Registry in the same project?
36. Which THREE factors should be considered when selecting a machine series for a Compute Engine instance running a memory-intensive batch job?
37. Which TWO statements are true about Cloud Load Balancing?
38. Refer to the exhibit. A user reports that the instance 'batch-vm' is unavailable. Based on the output, what is the most likely cause of the unavailability?
39. Refer to the exhibit. A Cloud Deployment Manager deployment fails with the error 'Resource 'my-firewall' already exists'. What is the most likely cause?
40. Refer to the exhibit. A user (ops@example.com) is unable to create a new VPC network in the project. What should the administrator verify first?
41. A company wants to provision multiple similar environments (dev, test, prod) with consistent networking configurations. Which approach is a best practice for infrastructure as code?
42. A Cloud Function fails to connect to a Cloud SQL instance. The Cloud SQL instance has a private IP. What should the developer check?
43. A company uses Shared VPC. A project admin in a service project tries to create a subnet in the shared VPC network but receives a permission denied error. What is the most likely cause?
44. When creating a Compute Engine instance from a custom image stored in another project, which gcloud flag is required?
45. A web application running on Compute Engine behind a global HTTP(S) load balancer experiences high latency during traffic spikes. Which quick fix would best address this issue without changing the architecture?
46. An organization needs to audit all changes to network firewall rules in a GCP project. Which service should be used to capture these changes?
47. A company wants to minimize egress costs for data transferred between Compute Engine instances in the same region but different zones. What is the best practice?
48. A developer wants to automate the creation of a Google Cloud project with a specific VPC and firewall rules. Which tool should they use?
49. An organization needs to ensure that only Compute Engine instances with a specific label can access a Cloud Storage bucket. Which policy type should be used?
50. A company runs a web application on Compute Engine with an HTTP Load Balancer. Users report intermittent 502 Bad Gateway errors. What is the most likely cause?
51. A company wants to migrate an on-premises Oracle database to Google Cloud. They need high availability and want to minimize application changes. Which service should they use?
52. A DevOps engineer notices that a GKE cluster has nodes that are frequently preempted. They want to reduce costs but maintain resilience. What should they do?
53. An organization requires that all Compute Engine instances in a project must have a specific tag for firewall rule compliance. How can they enforce this?
54. A company is migrating a monolithic application to microservices on Google Cloud. They need to manage service-to-service authentication and authorization. Which service should they use?
55. A security team wants to audit all IAM role assignments in an organization. They need a historical record of changes. Which tool should they use?
56. Which TWO features help reduce costs for batch processing workloads on Compute Engine?
57. Which THREE are valid methods to connect an on-premises network to a Google Cloud VPC?
58. Which THREE are best practices for designing a highly available application on Compute Engine?
59. Refer to the exhibit. What is the effect of this IAM policy on a Cloud Storage bucket?
60. Refer to the exhibit. A developer wants to SSH into instance-1 from their local machine. Which command should they use?
61. Refer to the exhibit. Which statement is true about this Deployment Manager template?
62. A company has two VPC networks in the same project: vpc-a (us-central1) and vpc-b (us-east1). They want to allow communication between instances in these VPCs using internal IPs. Which action should they take?
63. An organization is migrating a MySQL database to Cloud SQL. They require automatic failover with zero data loss in the event of a zone outage. Which configuration should they use?
64. A company uses a Shared VPC hosted in a common project (host project) to centralize network management. A service project team needs to create a Compute Engine instance with a specific static internal IP address from the Shared VPC subnet. What IAM permissions should be granted to the service project's Compute Engine default service account?
65. A developer needs to grant public read access to all objects in a Cloud Storage bucket named 'my-public-assets'. What is the simplest way to achieve this?
66. A team manages a GKE cluster with node pools using different machine types. They plan to upgrade the cluster to a new Kubernetes version. What is the safest upgrade strategy to minimize application downtime?
67. A company has Compute Engine instances that need to access the internet for updates but should not be reachable from the internet. They also need to access Google APIs and services like Cloud Storage. Which configuration meets these requirements?
68. An administrator is configuring firewall rules in a VPC. Two rules apply to the same traffic: rule 1 allows ingress from 0.0.0.0/0 on TCP 80, rule 2 denies ingress from 10.0.0.0/8 on TCP 80. Rule 1 has priority 1000, rule 2 has priority 500. What is the effective behavior for traffic from 10.0.0.1?
69. A company is experiencing high latency in their VPC. They enabled VPC Flow Logs to capture metadata but need to analyze the logs for traffic patterns. Which Google Cloud service should they use to query and analyze VPC Flow Logs?
70. An organization wants to enforce a policy that prohibits the creation of Cloud Storage buckets with uniform bucket-level access disabled. What should they use?
71. Which TWO IAM predefined roles grant read-only access to Cloud Storage objects but not the ability to list buckets?
72. Which TWO are best practices when designing a VPC network for a multi-tier application in Google Cloud?
73. Which THREE are valid Google Cloud Dedicated Interconnect connection options?
74. A developer notices that web-server-1 is preemptible. They want to ensure their application remains available even if this instance is terminated. What should they do?
75. An organization policy at the organization level restricts project creation to only Project Creator role holders. The exhibit shows the IAM policy for the organization. A member of the group pm-team@example.com attempts to create a project but receives a permission denied error. What is the most likely cause?
76. A user runs the gsutil command shown in the exhibit and gets an AccessDenied error. The user is not authenticated with gcloud. What should the user do first?
77. A company wants to deploy a standard VM image with pre-installed software across multiple projects. Which Google Cloud solution should they use to automate this process?
78. A company has a production GKE cluster with a node pool using n1-standard-4 machine types. They need to change to e2-standard-4 without downtime. Which approach should be taken?
79. A company runs a service on Cloud Run that needs to access a Cloud SQL instance via private IP. Both are in the same VPC network. The service cannot connect to the database. What is the most likely cause?
80. A team wants to allow a service account to be used only on specific Compute Engine VMs. Which IAM condition should be applied to the service account's roles?
81. A company is migrating hundreds of on-premises VMs to Compute Engine. They want to minimize manual effort and downtime. Which service should they use?
82. An organization's security policy requires that all Compute Engine VMs have Shielded VM features enabled. How can this be enforced at the organization level?
83. A developer wants to deploy a stateless web application that automatically scales based on HTTP traffic. The application should be cost-effective and require minimal configuration. Which compute option is best?
84. A company uses Terraform to manage Google Cloud infrastructure. They want to store the Terraform state file in a remote backend with state locking to prevent concurrent modifications. Which Google Cloud service supports this natively?
85. A company has a global web application deployed across multiple regions. They use an external HTTPS Load Balancer with backend services in us-central1 and europe-west1. They want users to be routed to the closest healthy backend. Which load balancing configuration is required?
86. Which TWO of the following are valid ways to deploy a Cloud Function? (Choose two.)
87. Which THREE of the following are best practices when using Deployment Manager to manage infrastructure? (Choose three.)
88. A company has a Cloud SQL for PostgreSQL instance that is experiencing high latency. They suspect a connection pooling issue. Which TWO configurations should be checked? (Choose two.)
89. What will happen to this instance during a Google-initiated maintenance event?
90. What does the condition in this IAM policy do?
91. What is the networking mode of this GKE cluster?
92. A company runs a batch processing job that runs daily and can handle interruptions. The job runs on a single Compute Engine instance. Which machine configuration is the most cost-effective?
93. A Cloud Run service frequently fails with 502 errors when making requests to a backend service running on Compute Engine. The two services are in the same VPC network. The Cloud Run service is configured with a VPC connector. What is the most likely cause?
94. A company runs a stateful application on Google Kubernetes Engine (GKE) that requires persistent storage and low-latency access across multiple zones. The application needs to perform well even during zonal failures. Which storage solution should they use?
95. A user wants to store a database password that will be used by a Compute Engine instance. What is the most secure and manageable approach?
96. A company has two VPC networks in the same project: 'vpc-prod' and 'vpc-dev'. They want to allow communication between instances in both VPCs. What is the simplest method?
97. A global e-commerce site uses an external HTTPS load balancer with a backend service pointing to a managed instance group. Some users report 503 errors during peak traffic. The backend instances are healthy and not overloaded. What is the most likely cause?
98. A service account needs to be able to start and stop Compute Engine instances in a specific project. Which IAM role should be assigned at the project level?
99. A team uses Cloud Build to build container images and deploy to Cloud Run. They want to automate deployments whenever a new image is pushed to Container Registry. What is the best approach?
100. A company is migrating a large on-premises SQL Server database to Cloud SQL for SQL Server. The database is 2 TB in size and must have minimal downtime. Which approach should they use?
101. Which TWO methods can be used to restrict inbound traffic to a Compute Engine instance to only specific IP addresses without relying on instance-level firewall rules? (Choose 2)
102. Which TWO are required to allow on-premises hosts to access Google APIs using internal IP addresses (Private Google Access)? (Choose 2)
103. Which THREE are required to configure Workload Identity for a GKE cluster? (Choose 3)
104. A company runs a microservices application on Google Kubernetes Engine (GKE). Each service is deployed as a Deployment with resource requests and limits. After deploying a new version of a service, the pods start crashing with OOMKilled. The team increased the memory limits in the Deployment manifest, but the pods still crash after a few minutes. The cluster has cluster autoscaling enabled. The node pool has sufficient capacity. What is the most likely cause of the issue?
105. A company runs a critical web application behind an external HTTPS load balancer. The backend consists of a managed instance group of Compute Engine instances. Users report intermittent 502 Bad Gateway errors. The load balancer logs show occasional health check failures for some instances. The instances have a custom health check endpoint that returns a 200 status code only if the application is fully healthy. The application logs do not show any errors, and CPU/memory usage on the instances is normal. What should be the first troubleshooting step to identify the root cause?
106. A company is migrating a monolithic e-commerce application to Google Cloud. The application has been refactored into microservices. Most services are stateless and can run on Cloud Run. However, the checkout service requires maintaining session state across multiple requests, and the session data must be available globally for low latency. The application will be deployed in multiple regions to serve a global user base. Which approach should the company take?
107. A company is migrating a stateful application to Google Cloud. The application requires persistent disks with low latency and high IOPS for database workloads. They plan to use Compute Engine instances with SSD persistent disks. However, the database performance is lower than expected. Which action should the company take to improve disk performance?
108. A DevOps team is deploying a microservices application on Google Kubernetes Engine (GKE). They want to ensure that the pods can securely access Google Cloud APIs (e.g., Cloud Storage) without managing service account keys. Which TWO steps should they take? (Choose two.)
109. A company is designing a hybrid network architecture connecting an on-premises data center to Google Cloud. They need high availability (99.99% SLA) and bandwidth up to 10 Gbps. They also need to use their existing MPLS circuits. Which THREE components should they include in the design? (Choose three.)
110. Your company runs a critical application on Compute Engine instances in us-central1. The application requires low latency between instances that are all in the same region. You notice that network latency between instances varies and sometimes spikes. You want to ensure consistent low-latency communication. You currently use external IP addresses for communication between instances. What should you do?
111. A company is deploying a web application on Google Kubernetes Engine. The application serves HTTP traffic and needs to scale based on CPU utilization. They also need to expose the application to the internet with a single global IP address. They create a Deployment with a HorizontalPodAutoscaler. However, the application is not receiving traffic from the internet. What should they do to expose the application correctly?
112. Your company is using Cloud Storage to store sensitive customer data. The security team requires that all objects be encrypted with a customer-managed encryption key (CMEK) and that the key be automatically rotated every 90 days. You need to implement this without changing the application code. You have created a Cloud KMS key ring and a key with rotation period set to 90 days. What additional configuration is required?
113. A company runs a batch processing workload on Compute Engine instances. The workload is triggered every hour and runs for about 10 minutes. They want to reduce costs. They currently use preemptible VMs, but they notice that sometimes the workload fails because VMs are preempted before completion. They need a cost-effective solution that ensures the workload completes reliably. What should they do?
114. Your organization uses Cloud SQL for MySQL to host a production database. The database size is 500 GB. You need to create a read replica for reporting purposes. The read replica should be in a different region for disaster recovery. You have created the read replica in the us-west1 region. However, the replication lag is higher than expected, sometimes exceeding 5 minutes. What should you do to reduce replication lag?
115. A company needs to connect two VPC networks in different Google Cloud regions. The VPCs are in separate projects under the same organization. The connection must use private IP addresses and support high throughput. Which TWO options meet these requirements? (Choose 2.)
116. Your company runs a global e-commerce platform on Google Cloud. The application is deployed across multiple regions for low latency. You use Cloud SQL for transactional data and Cloud Spanner for global consistency of inventory. Recently, the operations team reported that the application is experiencing increased latency during peak hours, and the monthly cloud bill has risen significantly. Upon investigation, you find that the Cloud SQL instance is underutilized (CPU < 20%) while Cloud Spanner split utilization is over 80%. The application instances are fronted by a global external HTTPS load balancer. Network egress costs are high. Which course of action would best address both the latency and cost issues?
The Manage and provision cloud infrastructure domain covers the key concepts tested in this area of the PCA exam blueprint published by Google Cloud. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCA domains — no account required.
The Courseiva PCA question bank contains 116 questions in the Manage and provision cloud infrastructure domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Manage and provision cloud infrastructure domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.