Sample questions
Google Cloud Digital Leader practice questions
A DevOps team wants to adopt GitOps practices for managing their Google Cloud infrastructure. Which combination of tools and practices defines a GitOps approach to cloud infrastructure management?
Trap 1: Manually applying Terraform changes from engineers' local machines…
Manual local applies with wiki documentation is not GitOps. There's no single source of truth (different engineers may have different local state), no automated reconciliation, and documentation diverges from actual state over time.
Trap 2: Using the Google Cloud Console to make infrastructure changes and…
Post-hoc export to Git is backwards GitOps — Git becomes a documentation store rather than the source of truth. Console changes that aren't reviewed via PR bypass governance controls.
Trap 3: GitOps only applies to application code deployment, not to cloud…
GitOps originated in application deployment but has been widely adopted for infrastructure management (infrastructure as code via Terraform, Pulumi, or Kubernetes-native Config Connector). It applies equally to both.
- A
Manually applying Terraform changes from engineers' local machines and documenting changes in a shared wiki
Why wrong: Manual local applies with wiki documentation is not GitOps. There's no single source of truth (different engineers may have different local state), no automated reconciliation, and documentation diverges from actual state over time.
- B
Storing all infrastructure as code (Terraform or Config Connector) in a Git repository, using pull requests for all changes, and automated CI/CD pipelines that apply changes and detect drift from the declared state
This is GitOps. Git repo as truth: ✓. Pull request process for changes: ✓ (provides review, approval, audit trail). Automated reconciliation: ✓ (CI/CD applies changes and detects drift). This pattern makes infrastructure management reproducible, auditable, and collaborative.
- C
Using the Google Cloud Console to make infrastructure changes and exporting the configuration to Git after each change
Why wrong: Post-hoc export to Git is backwards GitOps — Git becomes a documentation store rather than the source of truth. Console changes that aren't reviewed via PR bypass governance controls.
- D
GitOps only applies to application code deployment, not to cloud infrastructure management
Why wrong: GitOps originated in application deployment but has been widely adopted for infrastructure management (infrastructure as code via Terraform, Pulumi, or Kubernetes-native Config Connector). It applies equally to both.
A startup is building an application that sends daily promotional push notifications to millions of mobile users on both iOS and Android devices. Which Google Cloud or Google service most directly provides the infrastructure for sending these mobile push notifications?
Trap 1: Cloud Pub/Sub, which delivers messages to subscribed mobile…
Cloud Pub/Sub is a server-to-server messaging system. Mobile devices are not Pub/Sub subscribers — they use platform-specific push notification infrastructure (FCM, APNs). Pub/Sub could trigger a backend service that then sends via FCM, but Pub/Sub alone doesn't deliver to mobile devices.
Trap 2: Cloud Storage, by writing notification content to buckets that…
Polling Cloud Storage for notifications would require mobile apps to make constant API requests, draining battery and creating high latency. Push notifications are delivered to devices by the platform (FCM/APNs), not pulled by apps.
Trap 3: Cloud Run, by exposing an API that mobile applications call to…
Pull-based notification APIs require mobile apps to poll for messages, which is inefficient. FCM's push model delivers notifications to devices without the app needing to poll — even when the app is not active in the foreground.
- A
Cloud Pub/Sub, which delivers messages to subscribed mobile application instances
Why wrong: Cloud Pub/Sub is a server-to-server messaging system. Mobile devices are not Pub/Sub subscribers — they use platform-specific push notification infrastructure (FCM, APNs). Pub/Sub could trigger a backend service that then sends via FCM, but Pub/Sub alone doesn't deliver to mobile devices.
- B
Firebase Cloud Messaging (FCM), which delivers push notifications to iOS and Android devices through Google's mobile notification infrastructure
FCM is the correct service. It provides the complete push notification pipeline: device token management, message composition, cross-platform delivery (Android via FCM protocol, iOS via APNs), delivery analytics, and topic-based message broadcasting for millions of subscribers. It's the standard Google/Firebase solution for mobile push notifications.
- C
Cloud Storage, by writing notification content to buckets that mobile applications poll for new messages
Why wrong: Polling Cloud Storage for notifications would require mobile apps to make constant API requests, draining battery and creating high latency. Push notifications are delivered to devices by the platform (FCM/APNs), not pulled by apps.
- D
Cloud Run, by exposing an API that mobile applications call to retrieve their pending notifications
Why wrong: Pull-based notification APIs require mobile apps to poll for messages, which is inefficient. FCM's push model delivers notifications to devices without the app needing to poll — even when the app is not active in the foreground.
An organization's leadership wants to foster a 'fail fast' culture to accelerate innovation. A cloud environment directly supports this culture by enabling which specific capability that on-premises infrastructure could not economically provide?
Trap 1: Cloud provides better project management tools for tracking…
Project management tools are available independently of cloud infrastructure. The key enabler is the economic and speed model of on-demand infrastructure provisioning.
Trap 2: Cloud providers guarantee that experiments will succeed because…
Cloud providers don't review or influence customer experiments. Cloud enables faster experimentation by reducing infrastructure friction, not by guaranteeing success.
Trap 3: Cloud includes built-in A/B testing frameworks for all applications.
While Google Cloud has services like Firebase A/B Testing for mobile apps, cloud doesn't include universal A/B testing for all applications. The fail-fast enablement is about infrastructure economics.
- A
Cloud provides better project management tools for tracking experiments.
Why wrong: Project management tools are available independently of cloud infrastructure. The key enabler is the economic and speed model of on-demand infrastructure provisioning.
- B
Cloud's on-demand provisioning allows teams to spin up and tear down experiment environments in minutes, making the cost of a failed experiment near-zero.
Experiments that fail on cloud cost only the hours they ran. On-premises, failed experiments wasted weeks of procurement effort and hardware budget. Cloud makes failure cheap, enabling faster learning.
- C
Cloud providers guarantee that experiments will succeed because Google engineers review them.
Why wrong: Cloud providers don't review or influence customer experiments. Cloud enables faster experimentation by reducing infrastructure friction, not by guaranteeing success.
- D
Cloud includes built-in A/B testing frameworks for all applications.
Why wrong: While Google Cloud has services like Firebase A/B Testing for mobile apps, cloud doesn't include universal A/B testing for all applications. The fail-fast enablement is about infrastructure economics.
A company's on-premises applications occasionally need more compute capacity than their own infrastructure can provide (during seasonal peaks). They want to use cloud resources to handle the overflow traffic while keeping base workloads on-premises. Which cloud architectural pattern describes this?
Trap 1: Cloud migration — moving workloads from on-premises to cloud…
Cloud migration is a permanent move. Cloud bursting is a dynamic, temporary use of cloud capacity for overflow, with base workloads remaining on-premises.
Trap 2: Multi-cloud — using multiple cloud providers for redundancy.
Multi-cloud uses multiple cloud providers simultaneously. Cloud bursting extends on-premises to one cloud provider during peaks.
Trap 3: Disaster recovery — using cloud as a failover site when on-premises…
Disaster recovery activates cloud resources when on-premises fails (unplanned). Cloud bursting extends capacity during planned peak periods — a capacity management pattern, not a recovery pattern.
- A
Cloud migration — moving workloads from on-premises to cloud permanently.
Why wrong: Cloud migration is a permanent move. Cloud bursting is a dynamic, temporary use of cloud capacity for overflow, with base workloads remaining on-premises.
- B
Cloud bursting — using cloud capacity to handle overflow when on-premises resources are exhausted.
Cloud bursting dynamically extends on-premises capacity with cloud resources during peaks. It's an elastic hybrid pattern where cloud supplements (not replaces) on-premises infrastructure.
- C
Multi-cloud — using multiple cloud providers for redundancy.
Why wrong: Multi-cloud uses multiple cloud providers simultaneously. Cloud bursting extends on-premises to one cloud provider during peaks.
- D
Disaster recovery — using cloud as a failover site when on-premises fails.
Why wrong: Disaster recovery activates cloud resources when on-premises fails (unplanned). Cloud bursting extends capacity during planned peak periods — a capacity management pattern, not a recovery pattern.
A digital media company hosts video content globally. They want to reduce origin server load and deliver content faster to viewers worldwide. Their current architecture routes all viewer requests directly to the origin servers in `us-central1`, causing high latency for viewers in Asia and Europe. Which Google Cloud networking capability addresses this?
Trap 1: Deploy identical origin servers in every Google Cloud region…
Replicating full origin servers in every region is operationally expensive and complex to synchronize. CDN achieves the same performance benefit by caching at edge PoPs without full origin replication.
Trap 2: Use Cloud VPN to route viewer traffic through a direct tunnel to…
VPN creates encrypted tunnels between networks — it doesn't cache content or improve CDN-style performance. VPN adds overhead rather than reducing latency.
Trap 3: Increase the origin servers' network bandwidth to handle more…
More bandwidth on the origin doesn't reduce geographic latency for distant viewers. CDN fundamentally solves the distance problem by moving content closer to users.
- A
Deploy identical origin servers in every Google Cloud region globally.
Why wrong: Replicating full origin servers in every region is operationally expensive and complex to synchronize. CDN achieves the same performance benefit by caching at edge PoPs without full origin replication.
- B
Enable Cloud CDN to cache video content at Google's global edge PoPs, serving viewers from the nearest location.
Cloud CDN caches video content at edge PoPs globally. Asian viewers receive content from nearby PoPs (not us-central1), reducing latency significantly and offloading origin servers.
- C
Use Cloud VPN to route viewer traffic through a direct tunnel to the origin servers.
Why wrong: VPN creates encrypted tunnels between networks — it doesn't cache content or improve CDN-style performance. VPN adds overhead rather than reducing latency.
- D
Increase the origin servers' network bandwidth to handle more simultaneous viewer connections.
Why wrong: More bandwidth on the origin doesn't reduce geographic latency for distant viewers. CDN fundamentally solves the distance problem by moving content closer to users.
A security audit finds that a company's application service accounts have been granted broad IAM roles (e.g., Storage Admin on the entire project) when they only need to read specific Cloud Storage buckets. The auditor recommends following the principle of least privilege. What is the most precise way to implement this for the Cloud Storage use case?
Trap 1: Grant the Storage Admin role at the project level but add a…
IAM conditions can restrict by resource name or time, but starting with Storage Admin (which includes delete and create bucket permissions) and trying to narrow it is harder and more error-prone than starting with a minimal role at the resource level.
Trap 2: Create a custom IAM role that combines all permissions from all…
Starting from all permissions and removing dangerous ones is the opposite of least privilege — it's more likely to leave excessive permissions than starting from a minimal set and adding only what's needed.
Trap 3: Use the same broad Storage Admin role but rotate the service…
Key rotation reduces credential exposure time but doesn't address the core problem: the service account has far more permissions than it needs. A compromised credential within the 90-day window still has full Storage Admin access. Least privilege reduces blast radius; rotation reduces exposure duration — both are needed, but least privilege must be addressed first.
- A
Grant the Storage Admin role at the project level but add a condition that limits it to specific operations
Why wrong: IAM conditions can restrict by resource name or time, but starting with Storage Admin (which includes delete and create bucket permissions) and trying to narrow it is harder and more error-prone than starting with a minimal role at the resource level.
- B
Grant Storage Object Viewer (read-only) at the specific bucket level for each service account that needs read access — not at the project level
This is the most precise least-privilege implementation. Storage Object Viewer grants read access to objects within a bucket. Binding it at the bucket level (not project) means the service account can only read from that specific bucket — not create buckets, not access other buckets, not delete objects. This minimizes blast radius if the service account is compromised.
- C
Create a custom IAM role that combines all permissions from all predefined roles but removes the most dangerous ones
Why wrong: Starting from all permissions and removing dangerous ones is the opposite of least privilege — it's more likely to leave excessive permissions than starting from a minimal set and adding only what's needed.
- D
Use the same broad Storage Admin role but rotate the service account key every 90 days to reduce the window of exposure
Why wrong: Key rotation reduces credential exposure time but doesn't address the core problem: the service account has far more permissions than it needs. A compromised credential within the 90-day window still has full Storage Admin access. Least privilege reduces blast radius; rotation reduces exposure duration — both are needed, but least privilege must be addressed first.
A development team uses Cloud Build to automatically build, test, and create container images whenever code is pushed to their repository. The resulting Docker images need to be stored securely and made available to their GKE deployment pipelines. Which Google Cloud service stores and manages these container images?
Trap 1: Cloud Storage bucket with a `containers/` folder.
Docker images cannot be stored in Cloud Storage as plain files — they use a specific registry protocol (OCI/Docker). Artifact Registry implements the required container registry API.
Trap 2: Cloud SQL — storing build artifacts in a relational database.
Cloud SQL is a relational database for structured data. Container images are binary artifacts stored in a registry service like Artifact Registry, not a database.
Trap 3: Cloud Source Repositories — the code repository stores both source…
Cloud Source Repositories is a Git-based source code repository. Container images (built artifacts) are stored in Artifact Registry, not source code repositories.
- A
Cloud Storage bucket with a `containers/` folder.
Why wrong: Docker images cannot be stored in Cloud Storage as plain files — they use a specific registry protocol (OCI/Docker). Artifact Registry implements the required container registry API.
- B
Artifact Registry
Artifact Registry stores Docker images, Helm charts, and other build artifacts. Cloud Build pushes images here; GKE and Cloud Run pull from here during deployment. It also performs vulnerability scanning.
- C
Cloud SQL — storing build artifacts in a relational database.
Why wrong: Cloud SQL is a relational database for structured data. Container images are binary artifacts stored in a registry service like Artifact Registry, not a database.
- D
Cloud Source Repositories — the code repository stores both source code and container images.
Why wrong: Cloud Source Repositories is a Git-based source code repository. Container images (built artifacts) are stored in Artifact Registry, not source code repositories.
A startup wants to launch a new product globally within 2 weeks. If it relied on traditional on-premises infrastructure, provisioning servers would take 6–8 weeks. By using the public cloud, the startup can launch on time. Which cloud benefit does this scenario illustrate?
Trap 1: Economies of scale — the cloud provider has more purchasing power…
Economies of scale is a cloud benefit, but it relates to cost efficiency, not speed of deployment. The scenario specifically highlights the speed advantage.
Trap 2: Geographic reach — the cloud provider has data centers in more…
Geographic reach is relevant to global availability but the primary benefit illustrated here is the speed of provisioning, not the number of available regions.
Trap 3: Reliability — cloud providers have better uptime SLAs than…
Reliability (SLAs) is a cloud benefit but doesn't explain why the startup can launch in 2 weeks instead of 6–8 weeks.
- A
Economies of scale — the cloud provider has more purchasing power than the startup.
Why wrong: Economies of scale is a cloud benefit, but it relates to cost efficiency, not speed of deployment. The scenario specifically highlights the speed advantage.
- B
Speed and agility — cloud resources are provisioned in minutes, enabling faster time-to-market.
Cloud's on-demand provisioning eliminates the 6–8 week hardware procurement cycle, allowing the startup to go from idea to global deployment in days.
- C
Geographic reach — the cloud provider has data centers in more regions.
Why wrong: Geographic reach is relevant to global availability but the primary benefit illustrated here is the speed of provisioning, not the number of available regions.
- D
Reliability — cloud providers have better uptime SLAs than on-premises servers.
Why wrong: Reliability (SLAs) is a cloud benefit but doesn't explain why the startup can launch in 2 weeks instead of 6–8 weeks.
A company currently spends $200,000 annually on data center costs (hardware, power, cooling, staff). After migrating to Google Cloud, their cloud bill is $120,000 annually, but they also save $50,000 in data center costs they no longer pay. What is their net annual savings from the migration?
Trap 1: $30,000 (cloud cost increase of $120K minus the $50K DC savings)
This incorrectly treats cloud costs as an addition rather than a replacement for data center costs.
Trap 2: $50,000 (only the data center cost savings count)
The full comparison is $200K previously vs. $120K now. The total savings is $80K, not just the $50K partial DC savings figure.
Trap 3: $120,000 (the entire cloud bill is savings)
The cloud bill is a cost, not a saving. The saving is the difference between what was previously spent ($200K) and what is now spent ($120K).
- A
$30,000 (cloud cost increase of $120K minus the $50K DC savings)
Why wrong: This incorrectly treats cloud costs as an addition rather than a replacement for data center costs.
- B
$80,000 annual savings ($200,000 previous cost minus $120,000 cloud cost)
Total previous cost: $200,000 data center. Total new cost: $120,000 cloud. Net annual savings = $200,000 - $120,000 = $80,000 (the $50K DC savings is part of the $200K → cloud shift).
- C
$50,000 (only the data center cost savings count)
Why wrong: The full comparison is $200K previously vs. $120K now. The total savings is $80K, not just the $50K partial DC savings figure.
- D
$120,000 (the entire cloud bill is savings)
Why wrong: The cloud bill is a cost, not a saving. The saving is the difference between what was previously spent ($200K) and what is now spent ($120K).
A company stores its data in Google Cloud. The security team asks: can Google employees access our customer data without our knowledge or consent? What does Google's commitment ensure?
Trap 1: Google employees have unrestricted access to all customer data as…
Google explicitly limits and logs personnel access to customer data. Access is tightly controlled, needs business justification, and is logged in Access Transparency.
Trap 2: Google uses customer data to train its global AI models to improve…
Google contractually commits that it does not use customer data to train AI models or for advertising. Customer data belongs to the customer.
Trap 3: Customer data stored in Google Cloud is automatically accessible by…
Government access requires legal process (court orders, etc.). Google has a government transparency report and commits to challenging overbroad requests. Data is not 'automatically accessible' by governments.
- A
Google employees have unrestricted access to all customer data as part of the infrastructure service agreement.
Why wrong: Google explicitly limits and logs personnel access to customer data. Access is tightly controlled, needs business justification, and is logged in Access Transparency.
- B
Google commits that customer data is not accessed without authorization, with access logged via Access Transparency and governed by contractual data processing commitments.
Google's contractual commitments (Cloud Data Processing Addendum), Access Transparency logging, and technical controls ensure customer data is only accessed for authorized purposes, with full auditability.
- C
Google uses customer data to train its global AI models to improve services.
Why wrong: Google contractually commits that it does not use customer data to train AI models or for advertising. Customer data belongs to the customer.
- D
Customer data stored in Google Cloud is automatically accessible by government agencies on request.
Why wrong: Government access requires legal process (court orders, etc.). Google has a government transparency report and commits to challenging overbroad requests. Data is not 'automatically accessible' by governments.
A global fintech company needs a database that can handle financial transactions across 50+ countries with consistent, ACID-compliant operations, SQL queries, and automatic global replication with no downtime for maintenance. Which Google Cloud database service meets all these requirements?
Trap 1: Cloud SQL (PostgreSQL)
Cloud SQL is a regional database — it doesn't automatically replicate globally. Cross-region failover is supported but not automatic global distribution with consistent transactions.
Trap 2: Cloud Bigtable
Bigtable is a NoSQL database (key-value) optimized for high-throughput non-transactional workloads. It doesn't support ACID transactions or SQL queries.
Trap 3: Firestore
Firestore supports ACID transactions and global distribution but is a NoSQL document database — it lacks full SQL query capabilities required for financial reporting and complex joins.
- A
Cloud SQL (PostgreSQL)
Why wrong: Cloud SQL is a regional database — it doesn't automatically replicate globally. Cross-region failover is supported but not automatic global distribution with consistent transactions.
- B
Cloud Spanner
Cloud Spanner provides ACID transactions, SQL support, and automatic global replication across multiple regions with 99.999% availability. It's designed for exactly this global financial transaction use case.
- C
Cloud Bigtable
Why wrong: Bigtable is a NoSQL database (key-value) optimized for high-throughput non-transactional workloads. It doesn't support ACID transactions or SQL queries.
- D
Firestore
Why wrong: Firestore supports ACID transactions and global distribution but is a NoSQL document database — it lacks full SQL query capabilities required for financial reporting and complex joins.
A company architect is explaining cloud network connectivity options to executives. She distinguishes between using the public internet to connect to cloud services versus using a dedicated private connection. What is the primary advantage of a dedicated private connection over the public internet for enterprise workloads?
Trap 1: Dedicated connections are always free, while public internet…
Dedicated connections are not free — they involve significant costs for port fees and provisioning. However, they can reduce egress costs at high data volumes while providing superior performance.
Trap 2: Dedicated connections provide stronger encryption because the…
The public internet supports strong encryption (TLS/HTTPS). The advantage of dedicated connections is performance and reliability, not encryption strength.
Trap 3: Public internet connections have higher bandwidth limits than…
Dedicated connections support very high bandwidth (10 Gbps to 100 Gbps). Consumer internet connections have far lower bandwidth compared to enterprise dedicated circuits.
- A
Dedicated connections are always free, while public internet connections incur data transfer charges
Why wrong: Dedicated connections are not free — they involve significant costs for port fees and provisioning. However, they can reduce egress costs at high data volumes while providing superior performance.
- B
Dedicated private connections provide consistent, predictable bandwidth and lower latency by bypassing public internet congestion and variable routing
This is the primary advantage. By using a private circuit that doesn't traverse the public internet, enterprises get guaranteed bandwidth, predictable latency, and a more reliable connection — critical for applications like database replication, real-time analytics, or mission-critical transactional workloads.
- C
Dedicated connections provide stronger encryption because the public internet uses no encryption
Why wrong: The public internet supports strong encryption (TLS/HTTPS). The advantage of dedicated connections is performance and reliability, not encryption strength.
- D
Public internet connections have higher bandwidth limits than dedicated connections
Why wrong: Dedicated connections support very high bandwidth (10 Gbps to 100 Gbps). Consumer internet connections have far lower bandwidth compared to enterprise dedicated circuits.
A company runs a customer-facing web application with a published SLA of 99.95% monthly availability. In the past month, the application experienced two outages: a 12-minute outage and a 7-minute outage. Did the company meet its SLA?
Trap 1: No — the company missed the SLA because any outage automatically…
SLAs define a specific downtime budget, not a zero-outage requirement. 99.95% allows 21.6 minutes of downtime per 30-day month. Having two outages that total less than this threshold does not breach the SLA.
Trap 2: The answer cannot be determined without knowing the cause of the…
SLA compliance is calculated from duration of unavailability, not cause. The cause of outages is relevant for root cause analysis and prevention, but SLA mathematics only requires total downtime duration.
Trap 3: No — two separate outages in one month always constitute an SLA…
SLAs are calculated on cumulative downtime duration within the measurement period, not on the number of incidents. Multiple short outages that cumulatively fall within the allowed downtime budget do not breach the SLA.
- A
No — the company missed the SLA because any outage automatically constitutes an SLA breach
Why wrong: SLAs define a specific downtime budget, not a zero-outage requirement. 99.95% allows 21.6 minutes of downtime per 30-day month. Having two outages that total less than this threshold does not breach the SLA.
- B
Yes — 99.95% availability in a 30-day month allows approximately 21.6 minutes of downtime; total outage of 19 minutes is within the budget, meaning the SLA was met
The math confirms the SLA was met. 30 days × 1,440 minutes = 43,200 minutes. 0.05% × 43,200 = 21.6 minutes allowed. 12 + 7 = 19 minutes actual downtime. 19 < 21.6, so the SLA is met. However, the remaining buffer is only 2.6 minutes — the team should treat this as a reliability concern.
- C
The answer cannot be determined without knowing the cause of the outages
Why wrong: SLA compliance is calculated from duration of unavailability, not cause. The cause of outages is relevant for root cause analysis and prevention, but SLA mathematics only requires total downtime duration.
- D
No — two separate outages in one month always constitute an SLA breach regardless of duration
Why wrong: SLAs are calculated on cumulative downtime duration within the measurement period, not on the number of incidents. Multiple short outages that cumulatively fall within the allowed downtime budget do not breach the SLA.
A company's data strategy lead explains that their digital transformation is built on a 'data-first culture.' A manager asks what this means practically. Which description best captures what a data-first culture looks like in a cloud-transformed organization?
Trap 1: Only the data science team accesses data, and all business…
Centralizing data access in a single team creates bottlenecks and means most decisions are made without data. A data-first culture democratizes data access so that all decision-makers can use data, not just specialists.
Trap 2: The company collects as much data as possible and stores it…
Data hoarding without use is not a data-first culture — it's a data debt accumulation strategy. Data-first means using data to drive decisions, not just collecting it.
Trap 3: All data is kept confidential from business users to protect…
Restricting data access to senior executives defeats the purpose. A data-first culture requires broad, governed access to relevant data for all decision-makers, with privacy controls applied appropriately rather than as blanket restrictions.
- A
Only the data science team accesses data, and all business decisions are escalated to them for analysis before action
Why wrong: Centralizing data access in a single team creates bottlenecks and means most decisions are made without data. A data-first culture democratizes data access so that all decision-makers can use data, not just specialists.
- B
All business decisions — from executive strategy to daily operational choices — are informed by data evidence, enabled by self-service analytics tools that make data accessible organization-wide, with governance ensuring data quality and trust
This describes a true data-first culture. Decision-making at every level is grounded in evidence. Cloud-based self-service BI tools (like Looker Studio) make this accessible without requiring SQL skills. Data governance ensures the data is trustworthy. This is the cultural and operational transformation, not just a technology deployment.
- C
The company collects as much data as possible and stores it indefinitely in cloud storage, regardless of whether it is used
Why wrong: Data hoarding without use is not a data-first culture — it's a data debt accumulation strategy. Data-first means using data to drive decisions, not just collecting it.
- D
All data is kept confidential from business users to protect privacy, with only the CTO having access to analytics
Why wrong: Restricting data access to senior executives defeats the purpose. A data-first culture requires broad, governed access to relevant data for all decision-makers, with privacy controls applied appropriately rather than as blanket restrictions.
A hospital runs a patient records system that must remain on-premises due to strict regulatory data residency requirements. However, they also want to use cloud-based AI for diagnostic imaging analysis. Which cloud deployment model best describes their architecture?
Trap 1: Public cloud — all workloads run in a provider's infrastructure.
Public cloud means all resources are in the cloud provider's infrastructure. The hospital specifically keeps patient records on-premises, so this is not a pure public cloud model.
Trap 2: Private cloud — all workloads run in the hospital's own…
Private cloud means all computing happens in the hospital's owned/managed infrastructure. Using Google Cloud's AI services makes this a hybrid, not a pure private cloud.
Trap 3: Multi-cloud — using multiple public cloud providers simultaneously.
Multi-cloud refers to using multiple different public cloud providers (e.g., both Google Cloud and AWS). This scenario is on-premises + one cloud provider — hybrid, not multi-cloud.
- A
Public cloud — all workloads run in a provider's infrastructure.
Why wrong: Public cloud means all resources are in the cloud provider's infrastructure. The hospital specifically keeps patient records on-premises, so this is not a pure public cloud model.
- B
Private cloud — all workloads run in the hospital's own infrastructure.
Why wrong: Private cloud means all computing happens in the hospital's owned/managed infrastructure. Using Google Cloud's AI services makes this a hybrid, not a pure private cloud.
- C
Hybrid cloud — combining on-premises infrastructure with public cloud services.
Hybrid cloud connects on-premises (patient records, regulatory compliance) with public cloud (AI imaging analysis). This is the textbook hybrid cloud pattern for regulated industries.
- D
Multi-cloud — using multiple public cloud providers simultaneously.
Why wrong: Multi-cloud refers to using multiple different public cloud providers (e.g., both Google Cloud and AWS). This scenario is on-premises + one cloud provider — hybrid, not multi-cloud.
Which term describes the model where the cloud provider is responsible for the security of the cloud infrastructure, while the customer is responsible for security within their own cloud environment (data, applications, access management)?
Trap 1: Zero trust security model
Zero trust is a security philosophy ('never trust, always verify') applied to network access design. It is different from the shared responsibility model, which describes the division of security duties between provider and customer.
Trap 2: Defense in depth strategy
Defense in depth is a security approach using multiple layers of controls. While related to good security practice, it's not the name for the provider/customer responsibility division.
Trap 3: Identity federation model
Identity federation enables using an external identity provider for authentication (SSO). It's a specific security feature, not the framework describing provider vs. customer responsibilities.
- A
Zero trust security model
Why wrong: Zero trust is a security philosophy ('never trust, always verify') applied to network access design. It is different from the shared responsibility model, which describes the division of security duties between provider and customer.
- B
Shared responsibility model
The shared responsibility model defines that Google Cloud secures the infrastructure ('security of the cloud') while customers secure their data and applications ('security in the cloud').
- C
Defense in depth strategy
Why wrong: Defense in depth is a security approach using multiple layers of controls. While related to good security practice, it's not the name for the provider/customer responsibility division.
- D
Identity federation model
Why wrong: Identity federation enables using an external identity provider for authentication (SSO). It's a specific security feature, not the framework describing provider vs. customer responsibilities.
A business intelligence team wants to create interactive dashboards and reports from their BigQuery data without writing code. They need to share reports with stakeholders who don't have GCP accounts. Which Google Cloud tool is most appropriate?
Trap 1: Vertex AI Workbench
Vertex AI Workbench is a managed Jupyter notebook environment for data scientists writing ML/Python code. It's not a BI dashboarding tool for non-technical stakeholders.
Trap 2: Cloud Dataprep by Trifacta
Cloud Dataprep is a visual data preparation and cleaning tool — used to transform data before analysis. It's not a dashboarding or report-sharing tool.
Trap 3: BigQuery Studio
BigQuery Studio provides an integrated SQL and notebook environment for data analysts in GCP — not a shareable dashboard tool for non-technical stakeholders.
- A
Vertex AI Workbench
Why wrong: Vertex AI Workbench is a managed Jupyter notebook environment for data scientists writing ML/Python code. It's not a BI dashboarding tool for non-technical stakeholders.
- B
Looker Studio (formerly Data Studio)
Looker Studio is Google's free BI dashboarding tool with native BigQuery integration. Reports can be shared via link with stakeholders who have no GCP accounts.
- C
Cloud Dataprep by Trifacta
Why wrong: Cloud Dataprep is a visual data preparation and cleaning tool — used to transform data before analysis. It's not a dashboarding or report-sharing tool.
- D
BigQuery Studio
Why wrong: BigQuery Studio provides an integrated SQL and notebook environment for data analysts in GCP — not a shareable dashboard tool for non-technical stakeholders.
A media company currently licenses proprietary software for video editing that costs $50,000 per seat annually. They are considering a cloud-based SaaS alternative at $5,000 per seat annually. Beyond the licensing cost, which additional financial benefits should they consider when calculating total cost of ownership (TCO)?
Trap 1: Only the licensing cost difference ($45,000 per seat) matters for…
Licensing cost is one component. Full TCO includes hardware, IT staff, maintenance, facilities, and upgrade costs for on-premises — often significantly higher than the visible licensing fee.
Trap 2: The SaaS option has an internet dependency risk that may cost more…
Internet dependency is a valid consideration but is a risk factor, not a TCO financial component. Most businesses already depend on reliable internet for cloud productivity tools.
Trap 3: The vendor's market capitalization, since larger companies are more…
Vendor financial stability is a procurement risk consideration, not a TCO financial calculation component.
- A
Only the licensing cost difference ($45,000 per seat) matters for the financial comparison.
Why wrong: Licensing cost is one component. Full TCO includes hardware, IT staff, maintenance, facilities, and upgrade costs for on-premises — often significantly higher than the visible licensing fee.
- B
Eliminated hardware costs, reduced IT maintenance staff, no upgrade cycles, and freed facilities costs — all lowering the true on-premises TCO that should be compared against the SaaS subscription.
On-premises TCO includes hardware procurement/refresh, IT admin staff, software maintenance, facilities (power, cooling, space), and upgrade projects. Eliminating these hidden costs makes the SaaS TCO comparison far more favorable.
- C
The SaaS option has an internet dependency risk that may cost more than the savings.
Why wrong: Internet dependency is a valid consideration but is a risk factor, not a TCO financial component. Most businesses already depend on reliable internet for cloud productivity tools.
- D
The vendor's market capitalization, since larger companies are more financially stable.
Why wrong: Vendor financial stability is a procurement risk consideration, not a TCO financial calculation component.
According to the NIST definition of cloud computing, which characteristic allows users to unilaterally provision computing resources such as server time and network storage without requiring human interaction with the service provider?
Trap 1: Broad network access
Broad network access means capabilities are available over the network via standard mechanisms (internet) accessible from various devices. It describes accessibility, not self-provisioning.
Trap 2: Resource pooling
Resource pooling describes the provider's multi-tenant model where physical resources are shared among many customers. It relates to the provider's infrastructure model, not user provisioning capability.
Trap 3: Measured service
Measured service refers to monitoring and metering resource usage for billing and transparency purposes. It describes how consumption is tracked, not how resources are provisioned.
- A
Broad network access
Why wrong: Broad network access means capabilities are available over the network via standard mechanisms (internet) accessible from various devices. It describes accessibility, not self-provisioning.
- B
On-demand self-service
On-demand self-service allows users to provision resources (compute, storage) automatically through a portal or API without human interaction with the provider — core to the cloud experience.
- C
Resource pooling
Why wrong: Resource pooling describes the provider's multi-tenant model where physical resources are shared among many customers. It relates to the provider's infrastructure model, not user provisioning capability.
- D
Measured service
Why wrong: Measured service refers to monitoring and metering resource usage for billing and transparency purposes. It describes how consumption is tracked, not how resources are provisioned.
A company uses two different public cloud providers (AWS for their North American operations and Google Cloud for their European operations) to meet data residency requirements and avoid vendor lock-in. Which deployment model does this represent?
Trap 1: Hybrid cloud
Hybrid cloud combines on-premises infrastructure with public cloud. Using two different public cloud providers (AWS + Google Cloud) is multi-cloud, not hybrid — there's no on-premises component described.
Trap 2: Multi-region
Multi-region typically describes using multiple geographic regions within the same cloud provider. Using two different providers (AWS and Google) is multi-cloud.
Trap 3: Distributed cloud
Distributed cloud extends a public cloud provider's services to edge locations or customer premises — a specific architecture, not the multi-provider strategy described.
- A
Hybrid cloud
Why wrong: Hybrid cloud combines on-premises infrastructure with public cloud. Using two different public cloud providers (AWS + Google Cloud) is multi-cloud, not hybrid — there's no on-premises component described.
- B
Multi-cloud
Multi-cloud is the deliberate use of two or more different public cloud providers. Using AWS for North America and Google Cloud for Europe is a classic multi-cloud strategy.
- C
Multi-region
Why wrong: Multi-region typically describes using multiple geographic regions within the same cloud provider. Using two different providers (AWS and Google) is multi-cloud.
- D
Distributed cloud
Why wrong: Distributed cloud extends a public cloud provider's services to edge locations or customer premises — a specific architecture, not the multi-provider strategy described.
A retail company wants to build a recommendation engine that suggests products to customers based on their browsing history. The team has ML expertise but wants to use Google's pre-built ML infrastructure to train and deploy models at scale without managing compute resources. Which Google Cloud service should they use?
Trap 1: BigQuery ML
BigQuery ML allows training ML models using SQL queries within BigQuery — useful for analysts but limited in the types of models and features. Vertex AI is a complete MLOps platform for more complex model training.
Trap 2: Cloud AI Platform Notebooks (now Vertex AI Workbench)
Vertex AI Workbench provides managed Jupyter notebook environments for ML development — it's an IDE for data scientists, not the full managed training and serving pipeline.
Trap 3: Cloud Dataflow
Dataflow is a managed stream and batch data processing service (Apache Beam), not an ML platform. It's used for ETL and data pipeline work, not model training.
- A
BigQuery ML
Why wrong: BigQuery ML allows training ML models using SQL queries within BigQuery — useful for analysts but limited in the types of models and features. Vertex AI is a complete MLOps platform for more complex model training.
- B
Vertex AI
Vertex AI is Google's unified ML platform with managed training (GPU/TPU clusters), AutoML, model registry, feature store, and serving endpoints. Teams bring ML expertise; Vertex AI handles infrastructure.
- C
Cloud AI Platform Notebooks (now Vertex AI Workbench)
Why wrong: Vertex AI Workbench provides managed Jupyter notebook environments for ML development — it's an IDE for data scientists, not the full managed training and serving pipeline.
- D
Cloud Dataflow
Why wrong: Dataflow is a managed stream and batch data processing service (Apache Beam), not an ML platform. It's used for ETL and data pipeline work, not model training.
A company needs to send messages between different microservices in a decoupled way. When one service publishes an event, multiple downstream services should receive and process it independently. Which Google Cloud service enables this publish-subscribe messaging pattern?
Trap 1: Cloud Tasks
Cloud Tasks manages task queues for asynchronous, guaranteed delivery to a single worker. It doesn't support the fan-out pattern (one message → multiple independent subscribers).
Trap 2: Cloud Scheduler
Cloud Scheduler creates cron-based scheduled jobs. It doesn't provide a messaging queue or pub-sub pattern for service-to-service communication.
Trap 3: Eventarc
Eventarc routes events from GCP services to Cloud Run and other targets — it's an event routing service built on Pub/Sub. For direct service-to-service messaging patterns, Pub/Sub is the foundational service.
- A
Cloud Tasks
Why wrong: Cloud Tasks manages task queues for asynchronous, guaranteed delivery to a single worker. It doesn't support the fan-out pattern (one message → multiple independent subscribers).
- B
Cloud Pub/Sub
Pub/Sub supports multiple subscriptions per topic, allowing many services to independently receive every published message. It's the GCP-native pub-sub messaging backbone for event-driven architectures.
- C
Cloud Scheduler
Why wrong: Cloud Scheduler creates cron-based scheduled jobs. It doesn't provide a messaging queue or pub-sub pattern for service-to-service communication.
- D
Eventarc
Why wrong: Eventarc routes events from GCP services to Cloud Run and other targets — it's an event routing service built on Pub/Sub. For direct service-to-service messaging patterns, Pub/Sub is the foundational service.
A company's web service has a Service Level Objective (SLO) of 99.9% monthly availability. In a 30-day month, how many minutes of downtime are allowed before the SLO is violated?
Trap 1: ~4.3 minutes
4.3 minutes corresponds to 99.99% (four nines) availability, not 99.9% (three nines). Three nines allows approximately 10× more downtime.
Trap 2: ~7.2 hours
7.2 hours corresponds to approximately 99% availability (two nines). 99.9% is an order of magnitude more restrictive.
Trap 3: ~8.6 hours
8.6 hours is roughly 99% availability. 99.9% availability allows only ~43 minutes of downtime per month.
- A
~4.3 minutes
Why wrong: 4.3 minutes corresponds to 99.99% (four nines) availability, not 99.9% (three nines). Three nines allows approximately 10× more downtime.
- B
~43.2 minutes
99.9% availability = 0.1% downtime. In a 30-day month (43,200 minutes), 0.1% = 43.2 minutes of allowed downtime — the classic 'three nines' error budget.
- C
~7.2 hours
Why wrong: 7.2 hours corresponds to approximately 99% availability (two nines). 99.9% is an order of magnitude more restrictive.
- D
~8.6 hours
Why wrong: 8.6 hours is roughly 99% availability. 99.9% availability allows only ~43 minutes of downtime per month.
A company's application is composed of 15 microservices. When a performance issue occurs, the team struggles to determine which service is causing latency since request traces span multiple services. Which Google Cloud service helps identify which specific service in a microservices chain is causing slowdowns?
Trap 1: Cloud Logging — search logs for error messages across all 15…
Log searching finds errors after they occur but doesn't correlate cross-service request timelines or show which service hop added latency in a distributed trace.
Trap 2: Cloud Monitoring dashboards — create per-service CPU utilization…
CPU graphs show resource utilization but don't correlate individual request flows across services or show which service contributed to a specific slow request.
Trap 3: Security Command Center — scan for misconfigurations causing…
SCC identifies security findings and misconfigurations, not application performance issues or distributed request tracing.
- A
Cloud Logging — search logs for error messages across all 15 services.
Why wrong: Log searching finds errors after they occur but doesn't correlate cross-service request timelines or show which service hop added latency in a distributed trace.
- B
Cloud Trace — captures distributed request traces showing end-to-end latency across all microservices.
Cloud Trace shows the complete request journey: which service was called, in what order, and how long each call took. The Gantt-chart view immediately reveals the latency culprit service.
- C
Cloud Monitoring dashboards — create per-service CPU utilization graphs.
Why wrong: CPU graphs show resource utilization but don't correlate individual request flows across services or show which service contributed to a specific slow request.
- D
Security Command Center — scan for misconfigurations causing performance issues.
Why wrong: SCC identifies security findings and misconfigurations, not application performance issues or distributed request tracing.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.