Back to Google Professional Cloud Architect questions

Scenario-based practice

Refer to the Exhibit Practice Questions

Practise Google Professional Cloud Architect practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15
scenario questions
PCA
exam code
Google Cloud
vendor

Scenario guide

How to approach refer to the exhibit practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.

Related practice questions

Related PCA topic practice pages

Scenario questions usually connect to one or more exam topics. Use these links to review the underlying concepts behind the scenario.

Practice set

Practice scenarios

Question 1easymultiple choice
Full question →

Refer to the exhibit. A team wants to grant the ability to run queries (but not modify) on BigQuery datasets to a new set of users who have email addresses in the 'example.com' domain. What is the simplest way to achieve this?

Exhibit

Refer to the exhibit.

Cloud IAM policy:

```json
{
  "bindings": [
    {
      "role": "roles/bigquery.dataViewer",
      "members": [
        "user:alice@example.com",
        "domain:example.com"
      ]
    },
    {
      "role": "roles/bigquery.dataEditor",
      "members": [
        "serviceAccount:sa@project.iam.gserviceaccount.com"
      ]
    }
  ]
}
```
Question 2hardmultiple choice
Full question →

The exhibit shows a command to create a Compute Engine instance. The instance is intended to run a web server that needs to access Cloud Storage buckets using its service account. However, the web server fails to read from a storage bucket. What is the most likely cause?

Exhibit

Refer to the exhibit.

gcloud compute instances create my-instance \
    --zone=us-central1-a \
    --machine-type=n1-standard-4 \
    --image-family=ubuntu-2004-lts \
    --image-project=ubuntu-os-cloud \
    --boot-disk-size=50GB \
    --boot-disk-type=pd-ssd \
    --scopes=cloud-platform \
    --service-account=my-sa@project.iam.gserviceaccount.com \
    --tags=http-server,https-server
Question 3mediummultiple choice
Full question →

The exhibit shows a Cloud Storage bucket IAM policy. A developer (admin@example.com) wants to upload a file to the bucket but gets a permission denied error. What is the most likely reason?

Exhibit

Refer to the exhibit.

{
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": [
        "user:admin@example.com"
      ]
    },
    {
      "role": "roles/storage.objectAdmin",
      "members": [
        "serviceAccount:my-sa@project.iam.gserviceaccount.com"
      ]
    }
  ]
}
Question 4hardmultiple choice
Full question →

Refer to the exhibit. A user creates a snapshot of a persistent disk. Later, they want to create a new VM from this snapshot in the same project but in a different region (europe-west1). Which step is missing or incorrect?

Network Topology
gcloud compute instances listfilter='name:my-instance'format='value(name,zone,status,networkInterfaces[0].networkIP,disks[0].deviceName)'zone=us-central1format='value(name,sizeGb,type,users)'gcloud compute snapshots listfilter='sourceDisk:my-instance-disk'format='value(name,sourceDisk,diskSizeGb,creationTimestamp)'source-disk=my-instance-disksource-disk-zone=us-central1asyncNAME ZONE STATUS NETWORK_IP DEVICE_NAMEmy-instance us-central1 RUNNING 10.128.0.2 my-instance-diskmy-instance-disk 100 pd-standard us-central1-a/instances/my-instanceNo snapshots found.Output:Operation [operation-12345] is running...
Question 5hardmultiple choice
Full question →

Refer to the exhibit. A Cloud Deployment Manager deployment fails with the error 'Resource 'my-firewall' already exists'. What is the most likely cause?

Exhibit

resources:
- name: my-firewall
  type: compute.v1.firewall
  properties:
    network: https://www.googleapis.com/compute/v1/projects/my-project/global/networks/default
    allowed:
    - IPProtocol: tcp
      ports: ['80','443']
    sourceRanges: ['0.0.0.0/0']
- name: my-instance
  type: compute.v1.instance
  properties:
    zone: us-central1-a
    machineType: https://www.googleapis.com/compute/v1/projects/my-project/zones/us-central1-a/machineTypes/n1-standard-1
    networkInterfaces:
    - network: https://www.googleapis.com/compute/v1/projects/my-project/global/networks/default
      accessConfigs:
      - name: External NAT
        type: ONE_TO_ONE_NAT
Question 6hardmultiple choice
Full question →

Refer to the exhibit. All five nginx pods are scheduled on the same node (default-pool-1). What is the most likely reason?

Network Topology
zone us-central1-anum-nodes=3enable-autoscalingmin-nodes=1max-nodes=10machine-type=e2-standard-2scopes=cloud-platformkubectl run nginximage=nginxreplicas=5requests=cpu=500mlimits=cpu=1kubectl get pods -o widekubectl get nodesNAME STATUS ROLES AGE VERSIONgke-my-cluster-default-pool-1 Ready node 15m v1.28gke-my-cluster-default-pool-2 Ready node 15m v1.28gke-my-cluster-default-pool-3 Ready node 15m v1.28
Question 7hardmultiple choice
Read the full NAT/PAT explanation →

A team deployed the Terraform configuration shown in the exhibit. They observe that Cloud NAT is not translating traffic from the private subnet as expected. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
resource "google_compute_router_nat" "nat" {
  name   = "my-nat"
  router = google_compute_router.router.name
  region = "us-central1"
  nat_ip_allocate_option = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
  subnetworks {
    name                    = google_compute_subnetwork.private.self_link
    source_ip_ranges_to_nat = ["PRIMARY_IP_RANGE"]
  }
  log_config {
    enable = true
    filter = "ERRORS_ONLY"
  }
}
```
Question 8hardmultiple choice
Full question →

You are running a Kubernetes cluster in GKE with the default node pool configuration shown in the exhibit. Your application requires high disk I/O performance. You notice that the application is experiencing high latency for disk operations. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
$ gcloud container clusters describe my-cluster --region us-central1
...
nodePools:
- config:
    diskSizeGb: 100
    diskType: pd-standard
    imageType: COS_CONTAINERD
    machineType: n1-standard-2
    oauthScopes:
    - https://www.googleapis.com/auth/devstorage.read_only
  initialNodeCount: 3
  management:
    autoRepair: true
    autoUpgrade: true
  name: default-pool
...
```
Question 9mediummultiple choice
Full question →

Refer to the exhibit. This is an IAM policy for a BigQuery dataset. What does the policy allow?

Exhibit

{
  "bindings": [
    {
      "role": "roles/bigquery.dataViewer",
      "members": [
        "user:alice@example.com"
      ]
    },
    {
      "role": "roles/bigquery.jobUser",
      "members": [
        "group:analysts@example.com"
      ]
    }
  ]
}
Question 10easymultiple choice
Full question →

Refer to the exhibit. A DevOps engineer created this Terraform configuration to deploy a Compute Engine instance. After applying, they notice the instance is not accessible from the internet. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
resource "type" "name" {
  project = "my-project"
  name    = "example-instance"
  machine_type = "e2-medium"
  zone         = "us-central1-a"
  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
      size  = 10
      type  = "pd-standard"
    }
  }
  network_interface {
    network = "default"
    access_config {
      // Ephemeral public IP
    }
  }
}
```
Question 11hardmultiple choice
Full question →

Refer to the exhibit. An architect created a VM instance using the above command. After the instance starts, the architect tries to access the nginx default page from the internet but gets a timeout. What is the most likely reason?

Exhibit

Refer to the exhibit.

gcloud compute instances create my-instance \
  --zone=us-central1-a \
  --machine-type=e2-micro \
  --image-family=debian-11 \
  --image-project=debian-cloud \
  --boot-disk-size=20GB \
  --boot-disk-type=pd-standard \
  --network-interface=subnet=default,no-address \
  --metadata=startup-script='#! /bin/bash
    sudo apt-get update
    sudo apt-get install -y nginx
    sudo systemctl enable nginx
    sudo systemctl start nginx'
Question 12hardmultiple choice
Full question →

You are investigating a Vertex AI Workbench instance (instance-2) that is showing UNHEALTHY status. Based on the exhibit, what is the most likely cause of the issue?

Network Topology
project=my-projectlocation=us-central1Refer to the exhibit.NAME STATE HEALTH UPDATE_TIMEinstance-1 RUNNING HEALTHY 2025-02-15T10:30:00Zinstance-2 RUNNING UNHEALTHY 2025-02-15T10:35:00Z...health:state: UNHEALTHYreasons:- type: CONTAINER_CREATE_FAILED
Question 13easymultiple choice
Full question →

Refer to the exhibit. A user (ops@example.com) is unable to create a new VPC network in the project. What should the administrator verify first?

Exhibit

{
  "bindings": [
    {
      "role": "roles/compute.viewer",
      "members": [
        "user:ops@example.com"
      ]
    }
  ]
}
Question 14hardmultiple choice
Review the full subnetting walkthrough →

Refer to the exhibit. The log entry is from Cloud Logging for a VPC subnetwork. What is the most likely cause of this error?

Exhibit

{
  "resource": {
    "type": "gce_subnetwork",
    "labels": {
      "subnetwork_name": "default",
      "region": "us-central1"
    }
  },
  "severity": "ERROR",
  "textPayload": "Packet from 10.0.0.1:12345 to 10.0.0.2:80 dropped by firewall policy 'default-deny-ingress'."
}
Question 15easymultiple choice
Full question →

Refer to the exhibit. What is the primary benefit of the `--preemptible` flag in this command?

Exhibit

```
gcloud compute instances create my-instance \
    --zone=us-central1-a \
    --machine-type=e2-medium \
    --image-family=debian-10 \
    --image-project=debian-cloud \
    --preemptible
```

These PCA practice questions are part of Courseiva's free Google Cloud certification practice question bank. Courseiva provides original exam-style PCA questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.