
GCP Interview Questions (50+ Detailed Q&A)

1. Compute & GKE

Answer:
  • GCE: IaaS. Raw VM. You manage OS, patch, scaling script.
  • App Engine: PaaS. Code focus. Standard (Sandbox) vs Flexible (Docker).
  • Cloud Run: Serverless Containers. Scale to zero. Protocol: HTTP/Knative.
Decision Matrix (use case comparison):

| Service         | Best For                             | Scale to Zero | Cold Start | Cost                  |
|-----------------|--------------------------------------|---------------|------------|-----------------------|
| Cloud Run       | APIs, webhooks, microservices        | Yes           | ~1s        | Pay per request       |
| App Engine Std  | Web apps (Python, Node, Go)          | Yes           | ~100ms     | Pay per instance-hour |
| App Engine Flex | Custom runtimes, background workers  | No            | ~2min      | Pay per instance-hour |
| GCE             | Databases, legacy apps, full control | No            | None       | Pay per VM-hour       |
| GKE             | Complex microservices, stateful apps | No            | None       | Pay per node          |
Example Scenarios:
  • Cloud Run: REST API with sporadic traffic (100 req/day)
  • App Engine: Production web app with steady traffic
  • GCE: PostgreSQL database, Redis cache
  • GKE: 50+ microservices with service mesh
Answer: Both are spare capacity (~91% off).
  • Preemptible: Old. Max 24h life.
  • Spot: New. No max duration. Variable price. Behavior: Google terminates with 30s notice.
Answer:
  • Standard: You manage Nodes (Upgrades, Packing). Pay per Node.
  • Autopilot: Fully managed. Google manages Nodes. Pay per Pod (CPU/RAM). Locked down security (No privileged containers).
Answer: GCP differentiator. The VM keeps running even while Google updates host hardware/software. VM is moved to a new host without reboot.
Answer: FaaS. Event-driven (Pub/Sub trigger, Storage trigger). Single purpose code. v1 vs v2 (v2 built on Cloud Run).
Answer:
  • N1/N2: General Purpose.
  • E2: Cost optimized (Dynamic resource mgmt).
  • C2: Compute (Gaming/AdTech).
  • M2: Memory (SAP HANA).
Answer:
  • MIG (Managed): Scalable, Auto-healing, Identical VMs (Template).
  • Unmanaged: Different VMs grouped. For legacy LB.
Answer: Hardened VM. Secure Boot (Signature check). vTPM. Integrity Monitoring.
Answer: Dedicated hardware host. Compliance (PCI/HIPAA) requiring physical isolation.
Answer: AWS Lambda = 1 req/instance. Cloud Run = 80 req/instance (Default). Better utilization, fewer cold starts.

2. Storage & Database

Answer:
  • Standard: Hot.
  • Nearline: 30 days. Backup.
  • Coldline: 90 days. DR.
  • Archive: 365 days. Tape replacement.
  • Autoclass: Auto-move based on access.
Answer:
  • Cloud SQL: MySQL/PG/SQL Server. Regional. Vertical scale.
  • Spanner: Global SQL. Horizontal scale. Strong consistency. Expensive.
  • Bigtable: NoSQL Wide-column (HBase). IoT/TimeSeries. High throughput.
Answer: Serverless Data Warehouse. Separation of Compute (Dremel) and Storage (Colossus). Columnar. Network: Petabit bisectional bandwidth (Jupiter).
Answer:
  • Native: Modern, document, real-time sync.
  • Datastore: Old mode compatibility.
Answer: Strong global consistency (even for list operations). Unlike AWS S3 (which used to be eventual).
Answer:
  • Partition: Physical split (Day/Hour). Reduces cost (Scans less).
  • Cluster: Sorting within partition. Faster filter/agg.
Answer: Managed Redis or Memcached. In-memory cache. VPC connected.
Answer:
  • pd-standard: HDD.
  • pd-balanced: SSD (Best value).
  • pd-ssd: High IOPS.
  • Local SSD: Physically attached, ephemeral (Lost on stop). Super fast.
Answer: Serverless migration to Cloud SQL. Uses replication. Minimal downtime.
Answer: Managed NFS. Shared file system for GCE/GKE.

3. Networking

Answer: GCP VPC is Global (Subnets in any region). AWS is Regional. Simplifies cross-region communication (Private IP by default).
Answer:
  • External HTTP(S): Global (Anycast IP). Layer 7.
  • Internal HTTP(S): Regional (Envoy proxies).
  • Network (TCP/UDP): Pass-through or Proxy.
Answer: WAF (Web App Firewall). DDoS protection. IP Blacklist. Geo-blocking. SQLi rules. Attached to Global LB.
Answer: Edge caching. Integrated with Load Balancer. Static assets.
Answer:
  • VPN: over Internet (IPSec). 3 Gbps. Cheap.
  • Interconnect: Physical cable. Dedicated (SLA) or Partner. 10G/100G. Expensive.
  • Peering: Direct connection to Google Network (Workspace/YouTube), not GCP private IP.
Answer: Access services (managed or internal) via private Endpoint IP in your VPC. No VPC Peering needed.
Answer: Organization pattern. 1 Host Project (Network Admin). X Service Projects. Departments share the network but manage their resources.
Answer: Record sample of network flows (IP, Port, Protocol) for debugging/audit.
Answer: Stateful. Distributed (Enforced at instance level). Tag based. Priority rules.
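As an added illustration (not from the original page) of the priority and deny-wins semantics in the answer above: a small Python model of VPC ingress rule evaluation over constructed sample rules, including the implied deny-ingress rule every VPC carries at priority 65535. Rule and packet dicts are a simplification assumed here, not a GCP API shape.

```python
import ipaddress

# Implied rule present in every VPC: deny all ingress at the lowest precedence
# (65535). The implied "allow all egress" is omitted because only ingress is
# modelled here.
IMPLIED_DENY_INGRESS = {"name": "implied-deny-ingress", "priority": 65535,
                        "action": "deny", "sources": ["0.0.0.0/0"],
                        "protocols": {"all": None}, "target_tags": None}

# Constructed sample rules. protocols maps protocol -> list of ports, or None
# for "any port"; target_tags None means "all instances in the network".
SAMPLE_RULES = [
    {"name": "allow-ssh-internal", "priority": 1000, "action": "allow",
     "sources": ["10.0.0.0/8"], "protocols": {"tcp": [22]}, "target_tags": ["ssh"]},
    {"name": "deny-ssh-quarantine", "priority": 1000, "action": "deny",
     "sources": ["10.9.0.0/16"], "protocols": {"tcp": [22]}, "target_tags": ["ssh"]},
    {"name": "allow-https-public", "priority": 1000, "action": "allow",
     "sources": ["0.0.0.0/0"], "protocols": {"tcp": [443]}, "target_tags": ["web"]},
]


def rule_matches(rule, pkt):
    """True when source range, target tag and protocol/port all apply to pkt."""
    if rule["target_tags"] and not set(rule["target_tags"]) & set(pkt["tags"]):
        return False
    src = ipaddress.ip_address(pkt["src_ip"])
    if not any(src in ipaddress.ip_network(net) for net in rule["sources"]):
        return False
    protos = rule["protocols"]
    if "all" in protos:
        return True
    if pkt["proto"] not in protos:
        return False
    ports = protos[pkt["proto"]]
    return ports is None or pkt["port"] in ports


def evaluate_ingress(rules, pkt):
    """Lowest priority number wins; at equal priority a deny beats an allow.
    Returns (action, rule_name) for the rule that decided the packet."""
    matched = [r for r in list(rules) + [IMPLIED_DENY_INGRESS] if rule_matches(r, pkt)]
    matched.sort(key=lambda r: (r["priority"], r["action"] != "deny"))
    return matched[0]["action"], matched[0]["name"]


if __name__ == "__main__":
    ssh_box = {"tags": ["ssh"], "proto": "tcp", "port": 22}
    for src in ("10.1.2.3", "10.9.1.1", "203.0.113.5"):
        print(src, evaluate_ingress(SAMPLE_RULES, {**ssh_box, "src_ip": src}))
```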
Answer: Outbound internet access for Private VMs. “One to many” address translation.

4. IAM & Security

Answer: Org -> Folder -> Project -> Resource. Policies inherit downwards.
Answer:
  • Primitive: Owner, Editor, Viewer (Too broad, avoid).
  • Predefined: roles/storage.objectViewer (Google managed).
  • Custom: You pick permissions.
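An added example (not from the original page) that applies the advice above to a project IAM policy in the JSON shape `gcloud projects get-iam-policy PROJECT_ID --format=json` prints; the policy below is constructed, and the check flags primitive roles, public principals and stale bindings left behind by deleted principals.

```python
import json

PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy (same shape as the real get-iam-policy JSON output)
SAMPLE_POLICY = json.loads("""{
  "version": 1,
  "bindings": [
    {"role": "roles/editor",
     "members": ["user:alice@example.com",
                 "serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.objectViewer", "members": ["group:data-readers@example.com"]},
    {"role": "roles/viewer", "members": ["deleted:user:bob@example.com?uid=123456789"]}
  ]
}""")


def review_policy(policy):
    """Return (severity, role, member, reason) findings for over-broad or stale bindings."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if role in PRIMITIVE_ROLES:
                findings.append(("HIGH", role, member, "primitive role; use predefined or custom"))
            if member in PUBLIC_MEMBERS:
                findings.append(("HIGH", role, member, "granted to everyone on the internet"))
            if member.startswith("deleted:"):
                findings.append(("LOW", role, member, "stale binding for a deleted principal"))
    return findings


def worst_severity(findings):
    """HIGH if any HIGH finding, else LOW if any, else None for a clean policy."""
    levels = {f[0] for f in findings}
    return "HIGH" if "HIGH" in levels else ("LOW" if "LOW" in levels else None)


if __name__ == "__main__":
    for finding in review_policy(SAMPLE_POLICY):
        print(*finding)
```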
Answer: Identity for Machines. Has an email. Can use Keys (JSON) or Workload Identity (K8s).
Answer: AWS/Azure/GitHub Actions authenticate to GCP without Service Account Keys. Exchanges OIDC Token for GCP Token.
Answer: Zero Trust. Access VMs (SSH/RDP) or Web Apps via HTTPS without VPN. Verifies Cloud Identity.
Answer: Security Perimeter. Prevents data exfiltration (Copying from my bucket to personal bucket).
Answer: Manage Cryptographic Keys (Create, Rotate, Disable). Symmetric/Asymmetric.
Answer: Store passwords/API keys. Versioned. Better than Env vars.
Answer: Who did What, Where, When. Admin Activity (Always on). Data Access (Optional, High volume).
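An added example (not from the original page) that runs two detections over constructed Cloud Audit Log entries written with the real field names (logName, protoPayload.methodName, authenticationInfo.principalEmail, serviceData.policyDelta.bindingDeltas), and separates Admin Activity from Data Access entries by the logName suffix. The sample entries and principals are constructed.

```python
import json


def entry(kind, method, principal, resource, **extra):
    """Constructed audit log entry using the real Cloud Audit Log field names."""
    return json.dumps({
        "logName": f"projects/example-project/logs/cloudaudit.googleapis.com%2F{kind}",
        "protoPayload": {"methodName": method, "resourceName": resource,
                         "authenticationInfo": {"principalEmail": principal}, **extra},
    })

# Constructed sample: two Admin Activity entries and one Data Access entry.
SAMPLE_LOG_LINES = [
    entry("activity", "google.iam.admin.v1.CreateServiceAccountKey", "alice@example.com",
          "projects/-/serviceAccounts/ci@example-project.iam.gserviceaccount.com"),
    entry("activity", "SetIamPolicy", "bob@example.com", "projects/example-project",
          serviceData={"policyDelta": {"bindingDeltas": [
              {"action": "ADD", "role": "roles/owner", "member": "user:mallory@example.com"}]}}),
    entry("data_access", "storage.objects.get", "svc@example-project.iam.gserviceaccount.com",
          "projects/_/buckets/example-bucket/objects/report.csv"),
]

SENSITIVE_ROLES = {"roles/owner", "roles/editor"}

def count_by_log_type(lines):
    """Admin Activity vs Data Access, taken from the logName suffix."""
    counts = {}
    for line in lines:
        kind = json.loads(line)["logName"].rsplit("%2F", 1)[1]
        counts[kind] = counts.get(kind, 0) + 1
    return counts

def detect(lines):
    """Return (rule, principal, detail) findings for service account key creation
    and for grants of primitive roles (bindingDeltas carries the IAM policy diff)."""
    findings = []
    for line in lines:
        p = json.loads(line)["protoPayload"]
        who = p["authenticationInfo"]["principalEmail"]
        if p["methodName"] == "google.iam.admin.v1.CreateServiceAccountKey":
            findings.append(("sa_key_created", who, p["resourceName"]))
        elif p["methodName"] == "SetIamPolicy":
            deltas = p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
            for d in deltas:
                if d["action"] == "ADD" and d["role"] in SENSITIVE_ROLES:
                    findings.append(("privileged_role_granted", who, f"{d['role']} -> {d['member']}"))
    return findings
```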
Answer: SCC: Native security/risk dashboard. Forseti: Open source tool to monitor inventory and enforce policy.

5. Operations & Tools

Answer: Logging + Monitoring + Trace + Debugger + Profiler.
Answer: Serverless CI/CD. Steps define Docker container executions. cloudbuild.yaml.
Answer:
  • DM: GCP native (YAML/Python).
  • Terraform: Multi-cloud, Standard. (Recommended).
Answer: Managing K8s clusters anywhere (GCP, AWS, On-prem) from a single pane of glass.
Answer: Global Async Messaging. At-least-once delivery. Push or Pull subscriptions.
Answer: ETL pipeline. Batch and Streaming unified. Fully managed autoscaling.
Answer: Managed Hadoop/Spark. Lift and shift migration.
Answer: Spend based (Commit $10/h) or Resource based (Commit 100 CPUs). 1 or 3 year term.
Answer: Managed Cron jobs.
Answer: Unified ML platform. AutoML + Custom Training + MLOps.

6. GCP Medium Level Questions

Answer: Connect two VPC networks privately.
gcloud compute networks peerings create peer-ab \
    --network=network-a \
    --peer-network=network-b
Use cases: Multi-project connectivity, hybrid cloud.
Answer: Allows private instances to access internet without public IPs.
gcloud compute routers nats create my-nat \
    --router=my-router \
    --region=us-central1 \
    --nat-all-subnet-ip-ranges \
    --auto-allocate-nat-external-ips
Answer: DDoS protection and WAF for Load Balancers.
gcloud compute security-policies create my-policy
gcloud compute security-policies rules create 1000 \
    --security-policy=my-policy \
    --expression="origin.region_code == 'US'" \
    --action=allow
Answer: Create granular permissions.
title: "Custom Storage Admin"
description: "Custom role for storage"
stage: "GA"
includedPermissions:
- storage.buckets.create
- storage.buckets.delete
- storage.objects.create
gcloud iam roles create customStorageAdmin \
    --project=PROJECT_ID \
    --file=role.yaml
Answer: Identity for applications.
# Create
gcloud iam service-accounts create my-sa

# Grant role
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:my-sa@PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/storage.admin"

# Create key (long-lived JSON credential; prefer Workload Identity where possible)
gcloud iam service-accounts keys create key.json \
    --iam-account=my-sa@PROJECT_ID.iam.gserviceaccount.com
Answer: Regional HA with automatic failover.
gcloud sql instances create my-instance \
    --database-version=POSTGRES_14 \
    --tier=db-custom-2-7680 \
    --region=us-central1 \
    --availability-type=REGIONAL
Features: Automatic failover, synchronous replication.
Answer: Globally distributed, horizontally scalable SQL database. When to use: Global applications, strong consistency, unlimited scale.
CREATE TABLE Users (
    UserId INT64 NOT NULL,
    Name STRING(100),
) PRIMARY KEY (UserId);
Answer: Improve query performance and reduce costs.
CREATE TABLE dataset.table
PARTITION BY DATE(timestamp)
AS SELECT * FROM source_table;

-- Query specific partition
SELECT * FROM dataset.table
WHERE DATE(timestamp) = '2024-01-01';
Answer: Further optimize partitioned tables.
CREATE TABLE dataset.table
PARTITION BY DATE(timestamp)
CLUSTER BY user_id, country
AS SELECT * FROM source_table;
Answer: Event-driven serverless functions.
// HTTP trigger
exports.helloHttp = (req, res) => {
    res.send('Hello World!');
};

// Pub/Sub trigger
exports.helloPubSub = (message, context) => {
    const data = Buffer.from(message.data, 'base64').toString();
    console.log(data);
};

// Cloud Storage trigger
exports.helloGCS = (file, context) => {
    console.log(`File: ${file.name}`);
};
Answer: Scale to zero, pay per request.
gcloud run deploy my-service \
    --image=gcr.io/PROJECT_ID/image \
    --min-instances=0 \
    --max-instances=100 \
    --concurrency=80
Answer:
  • Autopilot: Fully managed, Google manages nodes.
  • Standard: More control, you manage nodes.
# Autopilot
gcloud container clusters create-auto my-cluster

# Standard
gcloud container clusters create my-cluster \
    --num-nodes=3 \
    --machine-type=n1-standard-2
Answer: Bind Kubernetes service accounts to GCP service accounts.
# Enable on cluster
gcloud container clusters update CLUSTER \
    --workload-pool=PROJECT_ID.svc.id.goog

# Bind accounts
gcloud iam service-accounts add-iam-policy-binding \
    GSA_NAME@PROJECT_ID.iam.gserviceaccount.com \
    --role roles/iam.workloadIdentityUser \
    --member "serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]"
Answer:
displayName: "High CPU Alert"
combiner: OR
conditions:
  - displayName: "CPU > 80%"
    conditionThreshold:
      filter: 'metric.type="compute.googleapis.com/instance/cpu/utilization" AND resource.type="gce_instance"'
      comparison: COMPARISON_GT
      thresholdValue: 0.8
      duration: 300s
notificationChannels:
  - projects/PROJECT_ID/notificationChannels/CHANNEL_ID
Answer: Export logs to BigQuery, Cloud Storage, or Pub/Sub.
gcloud logging sinks create my-sink \
    bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET \
    --log-filter='resource.type="gce_instance"'
Answer: Content delivery network for low latency.
gcloud compute backend-services update my-backend \
    --enable-cdn \
    --cache-mode=CACHE_ALL_STATIC
Answer:
  • Global HTTP(S): Layer 7, global, URL-based routing
  • Global SSL/TCP: Layer 4, global
  • Regional Network: Layer 4, regional
  • Regional Internal: Layer 4, internal only
Answer: Auto-scaling and auto-healing.
gcloud compute instance-groups managed create my-mig \
    --template=my-template \
    --size=3 \
    --zone=us-central1-a

# Autoscaling
gcloud compute instance-groups managed set-autoscaling my-mig \
    --max-num-replicas=10 \
    --target-cpu-utilization=0.6
Answer: Cron jobs in the cloud.
gcloud scheduler jobs create http my-job \
    --schedule="0 */2 * * *" \
    --uri="https://example.com/api" \
    --http-method=POST
Answer: Store API keys, passwords, certificates.
# Create secret
echo -n "my-secret-value" | gcloud secrets create my-secret \
    --data-file=-

# Access in code
from google.cloud import secretmanager
client = secretmanager.SecretManagerServiceClient()
name = "projects/PROJECT_ID/secrets/my-secret/versions/latest"
response = client.access_secret_version(request={"name": name})
secret = response.payload.data.decode("UTF-8")

7. GCP Advanced Level Questions

Answer: Centralized network management across projects.
# Enable in host project
gcloud compute shared-vpc enable HOST_PROJECT

# Attach service project
gcloud compute shared-vpc associated-projects add SERVICE_PROJECT \
    --host-project=HOST_PROJECT
Use case: Enterprise multi-project architecture.
Answer: Create security perimeters around GCP resources.
gcloud access-context-manager perimeters create my-perimeter \
    --policy=POLICY_ID \
    --title="Production Perimeter" \
    --resources=projects/PROJECT_ID \
    --restricted-services=storage.googleapis.com,bigquery.googleapis.com
Answer: Enforce governance across organization.
# Disable serial port access
constraint: compute.disableSerialPortAccess
listPolicy:
  allValues: DENY
gcloud resource-manager org-policies set-policy policy.yaml \
    --organization=ORG_ID
Answer: Dedicated physical connection to GCP.
  • Dedicated: 10 Gbps or 100 Gbps
  • Partner: 50 Mbps to 10 Gbps
vs VPN: Lower latency, higher throughput, more expensive.
Answer: Dynamic routing with BGP.
gcloud compute routers create my-router \
    --network=my-network \
    --region=us-central1 \
    --asn=65001
Use case: Hybrid cloud, dynamic route propagation.
Answer: Deploy only trusted container images.
gcloud container binauthz policy import policy.yaml

# Attestation
# (signature.pgp is a signature over the image digest produced out of band;
#  KEY_ID is the attestor's public key id - both are placeholders)
gcloud beta container binauthz attestations create \
    --artifact-url=gcr.io/PROJECT_ID/image@sha256:DIGEST \
    --attestor=my-attestor \
    --signature-file=signature.pgp \
    --public-key-id=KEY_ID
Answer: Single load balancer across multiple clusters.
apiVersion: networking.gke.io/v1
kind: MultiClusterIngress
metadata:
  name: my-mci
spec:
  template:
    spec:
      backend:
        serviceName: my-service
        servicePort: 80
Answer: Automatically adjust CPU/memory requests.
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: my-vpa
spec:
  targetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: my-deployment
  updatePolicy:
    updateMode: "Auto"
Answer: Managed Apache Airflow for workflows.
from datetime import datetime

from airflow import DAG
from airflow.operators.bash import BashOperator

# start_date is required; catchup=False avoids backfilling past daily runs
dag = DAG('my_dag', start_date=datetime(2024, 1, 1),
          schedule_interval='@daily', catchup=False)

task = BashOperator(
    task_id='my_task',
    bash_command='echo "Hello"',
    dag=dag
)
Answer: Unified batch and streaming data processing.
import apache_beam as beam

with beam.Pipeline() as p:
    (p
     | beam.io.ReadFromText('gs://bucket/input.txt')
     | beam.Map(lambda x: x.upper())
     | beam.io.WriteToText('gs://bucket/output.txt'))
Answer: Guarantee message order with ordering keys.
from google.cloud import pubsub_v1

# Ordering must be enabled on the client, otherwise publish() rejects ordering_key.
# The subscription must also be created with --enable-message-ordering.
publisher = pubsub_v1.PublisherClient(
    publisher_options=pubsub_v1.types.PublisherOptions(enable_message_ordering=True)
)
topic_path = publisher.topic_path('PROJECT_ID', 'TOPIC')

future = publisher.publish(
    topic_path,
    b'Message data',
    ordering_key='user-123'
)
print(future.result())  # message id
Answer: Handle failed message processing.
gcloud pubsub subscriptions create my-subscription \
    --topic=my-topic \
    --dead-letter-topic=dead-letter-topic \
    --max-delivery-attempts=5
Answer: Asynchronous task execution with rate limiting.
from google.cloud import tasks_v2

client = tasks_v2.CloudTasksClient()
parent = client.queue_path('PROJECT_ID', 'LOCATION', 'QUEUE')

task = {
    'http_request': {
        'http_method': tasks_v2.HttpMethod.POST,
        'url': 'https://example.com/api',
    }
}

client.create_task(request={'parent': parent, 'task': task})
Answer: CI/CD with automated builds.
# cloudbuild.yaml
steps:
  - name: 'gcr.io/cloud-builders/docker'
    args: ['build', '-t', 'gcr.io/$PROJECT_ID/image', '.']
  - name: 'gcr.io/cloud-builders/docker'
    args: ['push', 'gcr.io/$PROJECT_ID/image']
  - name: 'gcr.io/cloud-builders/gcloud'
    args: ['run', 'deploy', 'my-service', '--image', 'gcr.io/$PROJECT_ID/image']
Answer: Next-gen container and package registry.
# Create repository
gcloud artifacts repositories create my-repo \
    --repository-format=docker \
    --location=us-central1

# Push image
docker tag my-image us-central1-docker.pkg.dev/PROJECT_ID/my-repo/my-image
docker push us-central1-docker.pkg.dev/PROJECT_ID/my-repo/my-image
Answer: Continuous CPU and memory profiling.
import googlecloudprofiler

googlecloudprofiler.start(
    service='my-service',
    service_version='1.0.0',
    verbose=3
)
Answer: Distributed tracing for latency analysis.
from google.cloud import trace_v1

client = trace_v1.TraceServiceClient()
project_id = 'PROJECT_ID'

trace = {
    'project_id': project_id,
    'spans': [...]
}
client.patch_traces(project_id=project_id, traces={'traces': [trace]})
Answer: 1-year or 3-year commitments for 57% discount.
gcloud compute commitments create my-commitment \
    --region=us-central1 \
    --plan=12-month \
    --resources=vcpu=100,memory=400GB
Answer: Up to 80% discount, can be terminated anytime.
gcloud compute instances create my-instance \
    --preemptible \
    --maintenance-policy=TERMINATE
Use case: Batch jobs, fault-tolerant workloads.
Answer:
# Traffic Director for global load balancing
apiVersion: networking.gke.io/v1
kind: MultiClusterService
metadata:
  name: my-service
spec:
  template:
    spec:
      selector:
        app: my-app
      ports:
      - port: 80
  clusters:
  - link: "us-central1/my-cluster"
  - link: "europe-west1/my-cluster"
Benefits: Low latency, high availability, disaster recovery.