Interview Prep · Published May 2026

Top 10 GCP PCA interview questions and how to answer them in 2026

Published May 31, 2026 · ~8 min read · No Google or training-vendor revenue
Exam fee: $200
Questions: 50–60, 120 min
Case studies: 4
GCP architect salary: $140–180k
TL;DR — the 30-second version

The Google Cloud Professional Cloud Architect (PCA) is the credential hiring managers use to filter candidates into GCP cloud architect, platform engineer, and ML platform architect roles. It costs $200, runs 50–60 questions in 120 minutes (anchored by four published case studies), and is valid for two years. The cert puts you in the pile; answering these 10 questions correctly — including the operational caveat each hides — gets you the offer.

These questions came up most frequently in GCP architect and platform interviews reported by candidates through 2025–2026. They test architectural judgment across networking (Shared VPC, Private Service Connect), IAM (service accounts, custom roles), compute selection (GKE Autopilot vs. Standard, Cloud Run, GCE), data (BigQuery, Spanner, AlloyDB), and resilience — not just product names.

The 10 questions

1. When do you use a Shared VPC versus a standalone VPC per project?

Shared VPC when a central network team owns IP allocation, firewall policy, and connectivity (Cloud Interconnect, HA VPN) for the whole organization, and individual app teams consume subnets in service projects. Standalone VPC per project when teams are truly independent, have small footprints, and you accept duplicated VPN, NAT, and firewall management. The strong PCA-exam pattern in 2026 is Shared VPC plus a hub-and-spoke topology with Network Connectivity Center for any org above ~30 services. Candidates who answer “VPC peering between every project” lose the round — peering is non-transitive, doesn’t scale, and creates a routing-table nightmare past about a dozen projects.

2. Design IAM for a 50-engineer org. What do you ship first?

Three principles, in order. (1) Groups, never users, on resource roles — bind group:platform-admins@example.com to roles, not individual emails. (2) Predefined roles before custom roles — custom roles are an operational tax (you own permission updates as Google adds APIs); only build them when no predefined role fits and the over-grant is material. (3) Service accounts impersonated, not keyed: iam.serviceAccountTokenCreator + Workload Identity Federation for CI/CD, never long-lived JSON keys on disk. The interviewer wants to hear “no service-account keys” explicitly — key material on disk is the GCP equivalent of leaked AWS access keys and a known compromise vector in 2026.
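The three principles above can be checked mechanically. The following is an added example, not code from the original article or from Google: a small Python audit that assumes input in the JSON shape printed by `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud iam service-accounts keys list --iam-account=SA --format=json`. The project, role, account and key names in the sample data are constructed.

```python
import json

# Constructed sample data in the JSON shape printed by
# `gcloud projects get-iam-policy PROJECT --format=json` and
# `gcloud iam service-accounts keys list --iam-account=SA --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/container.admin",
   "members": ["group:platform-admins@example.com"]},
  {"role": "roles/bigquery.dataEditor",
   "members": ["user:alice@example.com", "group:data-eng@example.com"]},
  {"role": "projects/demo-project/roles/deployerCustom",
   "members": ["serviceAccount:ci@demo-project.iam.gserviceaccount.com"]}
]}
""")
SAMPLE_KEYS = json.loads("""
[{"name": "projects/demo-project/serviceAccounts/ci@demo-project.iam.gserviceaccount.com/keys/key-aaa",
  "keyType": "SYSTEM_MANAGED"},
 {"name": "projects/demo-project/serviceAccounts/ci@demo-project.iam.gserviceaccount.com/keys/key-bbb",
  "keyType": "USER_MANAGED"}]
""")


def audit_policy(policy):
    """Return (rule, role, member) findings for principles 1 and 2."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        # Predefined roles are named roles/...; custom roles live under
        # projects/<id>/roles/... or organizations/<id>/roles/...
        if not role.startswith("roles/"):
            findings.append(("custom-role", role, None))
        for member in binding.get("members", []):
            # Principle 1: an individual user bound directly to a role.
            if member.startswith("user:"):
                findings.append(("user-binding", role, member))
    return findings


def audit_keys(keys):
    """Return names of user-managed keys (principle 3): exported key material."""
    return [k["name"] for k in keys if k.get("keyType") == "USER_MANAGED"]


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
    for name in audit_keys(SAMPLE_KEYS):
        print("user-managed-key", name)
```

A custom-role finding is a prompt for review, not a violation: the principle is to justify each one, not to ban them.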

3. GKE Autopilot or GKE Standard — how do you choose?

Autopilot when the workload fits its constraints (no privileged pods, no host-network daemonsets, no custom kernels, supported GPU shapes only) and you want Google to own node management with per-pod billing. Standard when you need bring-your-own GPUs at scale, Windows node pools, Spot VM cost optimization with custom bin-packing, sidecars that need node-level access, or per-node licensing constraints. The 2026 greenfield default is Autopilot for stateless services and Standard for stateful, ML training, or anything with privileged-pod requirements. Saying “always Autopilot” or “always Standard” in interviews flags missing operational experience — the answer is workload-dependent.

4. Cloud SQL, AlloyDB, Spanner, or BigQuery for a new transactional workload?

Cloud SQL for single-region OLTP under ~10 TB on a managed Postgres or MySQL — the boring, correct default. AlloyDB for Postgres-compatible workloads needing higher write throughput, columnar acceleration for analytical queries on the same data, or AI-vector workloads. Spanner for multi-region strong consistency, horizontal scale beyond a single instance, and global writes with external-consistency guarantees — pay the premium only when you actually need it. BigQuery is not transactional; it is the OLAP destination, not a system of record. The trap answer: “Spanner for everything because it scales.” Spanner is dramatically more expensive than Cloud SQL and overkill for most workloads — hiring managers read it as a candidate who hasn’t had to defend a GCP bill.

5. GCE, GKE, Cloud Run, or App Engine — how do you pick a compute target?

Decision order: Cloud Run first for stateless containerized HTTP/event workloads with bursty traffic and scale-to-zero economics. GKE (Autopilot) for Kubernetes-native services needing sidecars, complex networking, or shared platform components (Istio, Knative-like patterns beyond Cloud Run’s scope). GCE for licensed software, custom kernels, Windows workloads, GPU shapes Cloud Run doesn’t expose, or stateful single-VM legacy. App Engine Standard exists but is now a maintenance target — greenfield builds in 2026 default to Cloud Run, not App Engine. Saying “App Engine because it’s serverless” in 2026 dates you.

6. A BigQuery bill jumped 4× this month. What’s your triage?

Open INFORMATION_SCHEMA.JOBS_BY_PROJECT and group by user_email and destination_table, sorted by total_bytes_billed. Most 4× jumps trace to one of three patterns: a new SELECT * from a wide partitioned table without a partition filter (fix: require partition filter on the table and rewrite the query), a scheduled query that started running hourly instead of daily (fix: throttle and add a cost label), or a materialized view rebuilding on a base table that’s being mutated (fix: change refresh policy). Long-term controls: switch heavy users to BI Engine or BigQuery editions reservations to cap on-demand scan cost, and put budget alerts on the project. “Just buy slots” loses the interview — the answer is diagnose the specific query, then put structural controls in place.

7. Design DR for a tier-1 service. What does GCP let you do that AWS doesn’t?

The unique GCP lever is multi-region Spanner and dual-region Cloud Storage with strong consistency at the global tier — no application-layer replication logic required. For RPO=0 / RTO seconds: Spanner multi-region (e.g., nam-eur-asia1), dual-region GCS for object durability, global HTTPS load balancer with regional backend services in two regions, and a Cloud DNS failover policy. For RPO=minutes / RTO=minutes: Cloud SQL with cross-region read replicas promoted on failover, regional GCS, and a regional load balancer per region with weighted DNS. The trap: applying AWS Aurora Global Database thinking 1:1 to Cloud SQL — cross-region Cloud SQL replicas are asynchronous and require manual promotion. The architect’s honest answer is “Spanner if RPO=0, Cloud SQL with planned manual failover otherwise.”

8. Anthos / GKE Enterprise — when is it actually worth the licensing?

Three scenarios where GKE Enterprise earns its license: (1) regulated hybrid — you must keep workloads on-prem or at the edge under audit and want consistent policy with cloud GKE via Config Sync and Policy Controller. (2) multi-cloud is a hard requirement from a regulator or major customer — you run identical GKE clusters in GCP and AWS/Azure and need one control plane. (3) service-mesh-anchored platform — you’ve standardized on managed Cloud Service Mesh across dozens of services. If none of those apply, you’re paying for a service mesh and policy engine you could run on stock GKE Autopilot with Istio and Kyverno — and hiring managers will press on that. Anthos for the sake of “multi-cloud option” without a regulator demanding it is a budget conversation that ends badly.

9. Walk me through Private Service Connect versus VPC Peering versus Private Google Access.

Three different problems. Private Google Access lets a VM with only an internal IP reach Google APIs (storage.googleapis.com, etc.) without a public route — subnet-level toggle, zero cost. VPC Peering connects two VPCs at the routing layer; transitive routing is not allowed and IP ranges must not overlap — fine for two networks, painful past a handful. Private Service Connect (PSC) exposes a specific service (a Cloud SQL instance, a partner SaaS, a Google API) as a private endpoint inside the consumer’s VPC with its own internal IP — no peering required, no IP overlap concerns. The 2026 preferred pattern is PSC for service-to-service and Network Connectivity Center for hub-and-spoke routing — full-mesh VPC peering is the legacy answer.

10. How much do GCP PCA-anchored architect roles pay in 2026?

$140,000–$180,000 in US metros for GCP cloud architect and Google Cloud platform engineer roles requiring the PCA plus 3–5 years of cloud experience. Senior and principal architect roles reach $190,000–$240,000, with another premium in fintech and ML platform shops. The official GCP Professional Cloud Architect page lists the current exam guide and case studies. The BLS reports a 2024 median of $130,390 for computer network architects; PCA-anchored architecture roles cluster meaningfully above that median, and the premium widens when paired with the Professional Cloud Network Engineer or Professional Data Engineer cert.

What these questions test

Every question has a “product-page answer” and an “operational answer.” Interviewers want the operational one — the version that includes the gotcha (Shared VPC over peering past a dozen projects, no service-account keys, Autopilot is workload-dependent, Spanner only when you actually need global consistency, PSC over full-mesh peering, App Engine is a maintenance target). Passing the PCA proves you can pick the right product. Answering these correctly proves you’ve actually defended a GCP bill, a DR posture, and an IAM model in front of a regulator.

Frequently asked questions

Shared VPC or standalone VPC per project?

Shared VPC for any organization above roughly 30 services. A central network team owns subnets, firewalls, and connectivity in a host project; app teams consume them from service projects. Standalone VPC per project only when teams are truly independent and footprints stay small.

What IAM principle does the PCA care about most?

No long-lived service-account keys on disk. Use Workload Identity Federation for CI/CD and service-account impersonation between workloads. Bind roles to groups, not users. Use predefined roles before building custom ones.

Cloud SQL, AlloyDB, or Spanner?

Cloud SQL is the default for single-region OLTP under ~10 TB. AlloyDB for higher Postgres throughput plus analytical and AI-vector workloads on the same data. Spanner only when you actually need multi-region strong consistency — it is dramatically more expensive than Cloud SQL.

How much do GCP PCA-anchored architect roles pay in 2026?

$140,000–$180,000 in US metros for cloud architect and platform engineer roles with the PCA plus 3–5 years of experience. Senior and principal architect roles reach $190,000–$240,000. Premium widens in fintech and ML platform shops.

What is the GCP PCA exam format?

50–60 multiple-choice and multiple-select questions in 120 minutes, anchored by four published case studies (EHR Healthcare, Helicopter Racing League, Mountkirk Games, TerramEarth). $200 USD. Google does not publish a numerical pass score; results are pass or fail, valid for 2 years.

Do I need the Associate Cloud Engineer before the PCA?

Not officially required, but practically helpful. The PCA assumes you can navigate gcloud, IAM, networking, and resource deployment without thinking about it — the exam tests architecting on top of that knowledge. Candidates who skip ACE often fail the case-study questions where the architecture decision depends on a platform concept they haven’t internalized.

How we wrote this

No Google or training-vendor revenue. Questions were sourced from candidate reports on Reddit r/googlecloud, the GCP Community Slack, GCP architect LinkedIn groups, and cloud-architecture hiring-manager interviews across 2025–2026, cross-referenced against the official GCP Professional Cloud Architect exam page and the four published case studies. Salary figures are cross-referenced against the BLS Occupational Outlook and open postings on LinkedIn and Levels.fyi as of Q1–Q2 2026. Tell us what you’d update.

Last reviewed: May 31, 2026.