Sample questions
Google Professional Cloud Architect practice questions
Which THREE factors should be considered when choosing a Google Cloud region for deploying a low-latency application serving global users? (Choose three.)
Trap 1: Pricing differences between regions due to variations in compute…
Cost is a factor but not among the top three when low latency is critical.
Trap 2: Number of zones in the region to ensure high availability.
Most regions have three zones; difference is minimal.
- A
Proximity to your user base to minimize network latency.
Closer regions reduce round-trip time.
- B
Availability of the specific Google Cloud services required by the application.
Not all services are in all regions.
- C
Pricing differences between regions due to variations in compute and storage costs.
Why wrong: Cost is a factor but not among the top three when low latency is critical.
- D
Compliance with data residency requirements (e.g., GDPR, CCPA).
Data must stay within specific geographic boundaries.
- E
Number of zones in the region to ensure high availability.
Why wrong: Most regions have three zones; difference is minimal.
A company has a requirement to store application logs for 7 years for compliance. They are using Cloud Logging. What is the most cost-effective way to retain logs?
Trap 1: Set the log bucket retention to 7 years
Log retention in Cloud Logging incurs costs and is more expensive than Cloud Storage.
Trap 2: Export logs to BigQuery and run scheduled queries to delete old data
BigQuery storage and queries are more costly for long-term archival.
Trap 3: Use Cloud Logging's default retention and rely on backups
Default retention is 30 days, insufficient for 7 years.
- A
Set the log bucket retention to 7 years
Why wrong: Log retention in Cloud Logging incurs costs and is more expensive than Cloud Storage.
- B
Export logs to Cloud Storage with Object Lifecycle management to delete after 7 years
Cloud Storage is cost-effective for long-term retention with lifecycle rules.
- C
Export logs to BigQuery and run scheduled queries to delete old data
Why wrong: BigQuery storage and queries are more costly for long-term archival.
- D
Use Cloud Logging's default retention and rely on backups
Why wrong: Default retention is 30 days, insufficient for 7 years.
A company is migrating a legacy monolithic application to Google Cloud. The application runs on a single VM and uses a local MySQL database. The goal is to minimize changes to the application code while improving availability. Which strategy should the company use?
Trap 1: Use a managed instance group for the application VM and store the…
The database is still a single point of failure unless you manually configure replication.
Trap 2: Re-architect the application into microservices and use Cloud Run…
This requires significant code changes and is not minimal effort.
Trap 3: Containerize the application and deploy on Google Kubernetes Engine…
Requires code changes and Cloud Spanner is not MySQL-compatible.
- A
Use a managed instance group for the application VM and store the database on a persistent disk attached to the primary instance.
Why wrong: The database is still a single point of failure unless you manually configure replication.
- B
Re-architect the application into microservices and use Cloud Run for stateless components.
Why wrong: This requires significant code changes and is not minimal effort.
- C
Lift and shift the VM to Compute Engine, and migrate the database to Cloud SQL with a failover replica.
Minimal code changes; uses a managed database with high availability.
- D
Containerize the application and deploy on Google Kubernetes Engine (GKE) with Cloud Spanner as the database.
Why wrong: Requires code changes and Cloud Spanner is not MySQL-compatible.
A financial services company is designing a multi-tier application on Google Cloud. The application must meet PCI DSS compliance, with data encrypted at rest and in transit. They plan to use Cloud SQL for PostgreSQL for transactional data and Cloud Storage for archival data. Which TWO actions should the architect take to meet compliance requirements?
Trap 1: Configure client-side encryption in the application code
Client-side encryption is not a recommended architecture pattern for Cloud SQL and would add complexity.
Trap 2: Rely on Google-managed default encryption for all data
Default encryption does not meet PCI DSS requirements for key management control.
Trap 3: Use Cloud HSM with a key generated outside of Google Cloud
Cloud HSM is a key management service, but the question asks for actions specifically for encryption at rest and in transit; CMEK already covers this.
- A
Configure client-side encryption in the application code
Why wrong: Client-side encryption is not a recommended architecture pattern for Cloud SQL and would add complexity.
- B
Rely on Google-managed default encryption for all data
Why wrong: Default encryption does not meet PCI DSS requirements for key management control.
- C
Enable customer-managed encryption keys (CMEK) on Cloud SQL and Cloud Storage
CMEK provides control over key management required for PCI DSS.
- D
Use VPC Service Controls to restrict data access
VPC Service Controls prevent data exfiltration and help meet compliance.
- E
Use Cloud HSM with a key generated outside of Google Cloud
Why wrong: Cloud HSM is a key management service, but the question asks for actions specifically for encryption at rest and in transit; CMEK already covers this.
A company is migrating its on-premises workloads to Google Cloud. They have strict compliance requirements that all data at rest must be encrypted with customer-managed encryption keys (CMEK). Which Google Cloud service should they use to manage the lifecycle of these keys?
Trap 1: Secret Manager
Secret Manager stores secrets, not key lifecycle management.
Trap 2: Cloud External Key Manager (Cloud EKM)
Cloud EKM is for managing keys outside Google Cloud.
Trap 3: Cloud Hardware Security Module (Cloud HSM)
Cloud HSM provides hardware-backed keys but management is still done via Cloud KMS.
- A
Secret Manager
Why wrong: Secret Manager stores secrets, not key lifecycle management.
- B
Cloud External Key Manager (Cloud EKM)
Why wrong: Cloud EKM is for managing keys outside Google Cloud.
- C
Cloud Key Management Service (Cloud KMS)
Cloud KMS is the correct service for managing CMEK.
- D
Cloud Hardware Security Module (Cloud HSM)
Why wrong: Cloud HSM provides hardware-backed keys but management is still done via Cloud KMS.
A company wants to optimize their cloud spending on Google Cloud. They have a mix of workloads including batch processing, real-time analytics, and web serving. Which TWO strategies should they implement to reduce costs without significant architectural changes? (Choose two.)
Trap 1: Use sustained use discounts for short-lived instances.
Sustained use discounts apply automatically, but short-lived instances may not benefit as much.
Trap 2: Right-size all Compute Engine instances by analyzing utilization…
Requires changes to instance types and may involve downtime.
Trap 3: Migrate all web serving workloads to Cloud Functions to benefit…
Significant architectural change and may not be suitable for all web serving.
- A
Use sustained use discounts for short-lived instances.
Why wrong: Sustained use discounts apply automatically, but short-lived instances may not benefit as much.
- B
Use preemptible VMs for batch processing jobs that are fault-tolerant.
Preemptible VMs are cost-effective for fault-tolerant workloads.
- C
Purchase committed use discounts for 1-year or 3-year terms for stable workloads.
Provides significant discounts without changing architecture.
- D
Right-size all Compute Engine instances by analyzing utilization metrics.
Why wrong: Requires changes to instance types and may involve downtime.
- E
Migrate all web serving workloads to Cloud Functions to benefit from pay-per-use pricing.
Why wrong: Significant architectural change and may not be suitable for all web serving.
An organization wants to enforce that all Compute Engine VMs are created with specific disk encryption keys. Which policy mechanism should they use?
Trap 1: IAM roles with compute.diskEncryptionKey permissions
Controls who can set keys, not which keys are used.
Trap 2: VPC Service Controls
For controlling data exfiltration, not disk encryption policies.
Trap 3: Cloud Scheduler to check compliance
Reactive, not preventive.
- A
Organization policies with constraints/compute.restrictDiskEncryptionKeyTypes
Enforces allowed encryption key types at the org level.
- B
IAM roles with compute.diskEncryptionKey permissions
Why wrong: Controls who can set keys, not which keys are used.
- C
VPC Service Controls
Why wrong: For controlling data exfiltration, not disk encryption policies.
- D
Cloud Scheduler to check compliance
Why wrong: Reactive, not preventive.
A company is designing a highly available architecture for a stateful application on Compute Engine. They need to protect against zonal failures. Which THREE steps should they take?
Trap 1: Store session state in memory
Not durable; lost on failure.
Trap 2: Use a single zone instance group
Single zone is not HA.
- A
Store session state in memory
Why wrong: Not durable; lost on failure.
- B
Use a global load balancer with health checks
Distributes traffic and fails over.
- C
Use a single zone instance group
Why wrong: Single zone is not HA.
- D
Use persistent disks with regional persistent disks
Replicates data across zones.
- E
Use a managed instance group across multiple zones
Distributes instances across zones.
An organization uses Cloud Deployment Manager to manage infrastructure as code. They need to ensure that changes to production resources are reviewed and approved before deployment. What should they do?
Trap 1: Use Cloud Scheduler to run deployment configs and review logs after…
No review/approval process.
Trap 2: Create a Cloud Deployment Manager preview deployment and manually…
Preview is for review, but doesn't enforce approval workflow across team.
Trap 3: Use Cloud Build with a trigger on a branch that requires pull…
This works for source code but not for Deployment Manager deployments directly; Cloud Build can run DM, but approval is on source, not deployment.
- A
Use Cloud Scheduler to run deployment configs and review logs after deployment
Why wrong: No review/approval process.
- B
Integrate Cloud Deployment Manager with Cloud Build and add a manual approval step in the Cloud Build pipeline
Cloud Build can have approval gates, requiring manual sign-off before proceeding with deployment.
- C
Create a Cloud Deployment Manager preview deployment and manually approve it
Why wrong: Preview is for review, but doesn't enforce approval workflow across team.
- D
Use Cloud Build with a trigger on a branch that requires pull request approval before merging
Why wrong: This works for source code but not for Deployment Manager deployments directly; Cloud Build can run DM, but approval is on source, not deployment.
A company runs a web application on Compute Engine behind an HTTP load balancer. They want to improve reliability by implementing failover across two regions. Which TWO actions should they take?
Trap 1: Configure DNS-based failover using Cloud DNS with health checks.
DNS failover is slower and less reliable than load balancer-based failover.
Trap 2: Use an internal load balancer to route traffic between regions.
Internal load balancers handle internal traffic and are not suitable for external user traffic.
Trap 3: Use a regional external HTTP load balancer with a multi-region…
Regional load balancers only serve traffic within one region; they cannot fail over across regions.
- A
Deploy a global external HTTP load balancer with backends in both regions.
Global load balancer automatically routes to healthy backends, providing cross-region failover.
- B
Configure a backend service with a failover policy pointing to primary and secondary backends.
Failover policy in backend service allows automatic redirection to secondary region.
- C
Configure DNS-based failover using Cloud DNS with health checks.
Why wrong: DNS failover is slower and less reliable than load balancer-based failover.
- D
Use an internal load balancer to route traffic between regions.
Why wrong: Internal load balancers handle internal traffic and are not suitable for external user traffic.
- E
Use a regional external HTTP load balancer with a multi-region backend.
Why wrong: Regional load balancers only serve traffic within one region; they cannot fail over across regions.
A company deploys a microservices application on Google Kubernetes Engine (GKE). Pods in one deployment are frequently OOMKilled. The team sets memory requests and limits, but pods still crash. What is the most likely remaining cause?
Trap 1: CPU requests are too low, causing throttling and eventual crash.
CPU throttling does not cause OOMKill; it slows the pod but memory is the issue.
Trap 2: The node pool is too small, causing memory pressure on the node.
Node memory pressure can cause pod eviction, but if limits are set, pods are killed due to limit, not node pressure.
Trap 3: Memory limits are set higher than the node's allocatable memory.
The scheduler will not place a pod with limits exceeding node capacity, so this would prevent scheduling, not cause crashes.
- A
CPU requests are too low, causing throttling and eventual crash.
Why wrong: CPU throttling does not cause OOMKill; it slows the pod but memory is the issue.
- B
The node pool is too small, causing memory pressure on the node.
Why wrong: Node memory pressure can cause pod eviction, but if limits are set, pods are killed due to limit, not node pressure.
- C
Memory limits are set higher than the node's allocatable memory.
Why wrong: The scheduler will not place a pod with limits exceeding node capacity, so this would prevent scheduling, not cause crashes.
- D
The application has a memory leak that eventually exceeds the limit.
A memory leak causes continuous memory growth until the limit is hit, resulting in OOMKill.
A company deploys a critical application on Google Kubernetes Engine (GKE) and wants to ensure high availability during cluster upgrades. Which TWO practices should they follow?
Trap 1: Use a single-zone node pool with multiple replicas.
Single-zone node pools are vulnerable to zone failures and may become unavailable during upgrades in that zone.
Trap 2: Enable cluster autoscaling to add nodes during upgrades.
Autoscaling adds nodes based on resource demand, not to maintain availability during upgrades.
Trap 3: Enable regional clusters for multi-zone control plane.
Regional clusters provide high availability for the control plane, but node pools must also be multi-zone for workload availability.
- A
Use a single-zone node pool with multiple replicas.
Why wrong: Single-zone node pools are vulnerable to zone failures and may become unavailable during upgrades in that zone.
- B
Use multiple node pools across different zones within the cluster.
Multi-zone node pools allow pods to be rescheduled in other zones during upgrades.
- C
Configure PodDisruptionBudgets to allow only a small number of pods to be unavailable during upgrades.
PDBs ensure that voluntary disruptions do not bring down too many pods at once.
- D
Enable cluster autoscaling to add nodes during upgrades.
Why wrong: Autoscaling adds nodes based on resource demand, not to maintain availability during upgrades.
- E
Enable regional clusters for multi-zone control plane.
Why wrong: Regional clusters provide high availability for the control plane, but node pools must also be multi-zone for workload availability.
Which TWO of the following are valid methods to securely access Google Cloud APIs from a Compute Engine instance without managing service account keys?
Trap 1: Download a service account key file and store it on the instance
Requires managing key files, which is a security risk.
Trap 2: Grant the appropriate IAM roles to the instance's service account
Roles are necessary but not a method of access; they are permissions.
Trap 3: Use a Cloud KMS key to generate temporary credentials
Cloud KMS is for encryption, not generating credentials.
- A
Download a service account key file and store it on the instance
Why wrong: Requires managing key files, which is a security risk.
- B
Attach a custom service account to the instance using the gcloud command
Custom service account can be attached at creation, no keys needed.
- C
Grant the appropriate IAM roles to the instance's service account
Why wrong: Roles are necessary but not a method of access; they are permissions.
- D
Use a Cloud KMS key to generate temporary credentials
Why wrong: Cloud KMS is for encryption, not generating credentials.
- E
Use the default Compute Engine service account
The default service account is automatically attached; access via metadata server.
A company is deploying a web application on Compute Engine. They want to automatically scale the number of instances based on CPU utilization. Which two components are required to set up autoscaling? (Choose two.)
Trap 1: Cloud Functions
Not related to autoscaling Compute Engine.
Trap 2: Cloud Load Balancing
Not required for autoscaling based on CPU.
Trap 3: Cloud Monitoring
The autoscaler uses built-in metrics; Cloud Monitoring is not required.
- A
Cloud Functions
Why wrong: Not related to autoscaling Compute Engine.
- B
Cloud Load Balancing
Why wrong: Not required for autoscaling based on CPU.
- C
Instance template
Defines the instance configuration for the MIG.
- D
Managed instance group
Manages scaling and instance pool.
- E
Cloud Monitoring
Why wrong: The autoscaler uses built-in metrics; Cloud Monitoring is not required.
A cloud architect is implementing a CI/CD pipeline for a microservices-based application on Google Kubernetes Engine (GKE). The team needs to deploy new versions of the services with zero downtime and the ability to quickly roll back if issues are detected. Which two strategies should the architect consider? (Choose two.)
Trap 1: Shadow deployment
Shadow deployment mirrors traffic for testing but does not serve users directly; rollback is not inherent.
Trap 2: Rolling update
Rolling updates provide zero downtime, but rollback is not instantaneous; it requires another update.
Trap 3: A/B testing deployment
A/B testing is for feature comparison, not a deployment strategy with zero downtime and rollback.
- A
Shadow deployment
Why wrong: Shadow deployment mirrors traffic for testing but does not serve users directly; rollback is not inherent.
- B
Rolling update
Why wrong: Rolling updates provide zero downtime, but rollback is not instantaneous; it requires another update.
- C
Blue/green deployment
Blue/green allows instant rollback by switching traffic back to the old version.
- D
Canary deployment
Canary deployments allow gradual traffic shifting and easy rollback if issues are detected.
- E
A/B testing deployment
Why wrong: A/B testing is for feature comparison, not a deployment strategy with zero downtime and rollback.
A global e-commerce platform is experiencing intermittent latency spikes during flash sales. The application is deployed on Google Kubernetes Engine (GKE) with a regional cluster. The architecture includes a frontend service, a product catalog service using Cloud Spanner, and an order processing service using Cloud Pub/Sub. During high load, the catalog service shows increased query latency, and some requests time out. What should the architect prioritize to address the issue?
Trap 1: Use Cloud CDN to cache product catalog responses.
Caching can reduce load but does not address the root cause of Spanner query latency; also product data may be dynamic.
Trap 2: Increase the number of nodes in the GKE node pool.
Scaling nodes may help overall throughput but does not directly fix query performance issues in Cloud Spanner.
Trap 3: Migrate the catalog service from Cloud Spanner to Cloud Bigtable…
Bigtable is optimized for time-series data, not transactional queries with complex filters.
- A
Use Cloud CDN to cache product catalog responses.
Why wrong: Caching can reduce load but does not address the root cause of Spanner query latency; also product data may be dynamic.
- B
Increase the number of nodes in the GKE node pool.
Why wrong: Scaling nodes may help overall throughput but does not directly fix query performance issues in Cloud Spanner.
- C
Enable Cloud Spanner interleaved tables and add secondary indexes for common query filters.
Secondary indexes and interleaved tables optimize query access patterns, reducing latency.
- D
Migrate the catalog service from Cloud Spanner to Cloud Bigtable for better read performance.
Why wrong: Bigtable is optimized for time-series data, not transactional queries with complex filters.
A financial services company is designing a multi-region disaster recovery architecture for a critical application. The application runs on Compute Engine with a stateful backend using Cloud Spanner. The Recovery Time Objective (RTO) is 1 hour, and the Recovery Point Objective (RPO) is 15 minutes. What architecture meets these requirements cost-effectively?
Trap 1: Deploy in one region with scheduled snapshots to Cloud Storage and…
Snapshots have RPO of 1+ hour and recovery time may exceed 1 hour.
Trap 2: Deploy in two regions with active-passive using Cloud Load…
Backup/restore RPO is at least 1 hour, not meeting 15 min RPO.
Trap 3: Use a single region with Cloud SQL for PostgreSQL and enable…
Cloud SQL replicas are asynchronous and RPO may exceed 15 min; failover is manual.
- A
Deploy the application in two regions with active-active traffic load balancing and Cloud Spanner multi-region configuration.
Cloud Spanner multi-region configuration provides synchronous replication (RPO under 15 min), and automatic failover meets the RTO.
- B
Deploy in one region with scheduled snapshots to Cloud Storage and use persistent disk snapshots for recovery.
Why wrong: Snapshots have RPO of 1+ hour and recovery time may exceed 1 hour.
- C
Deploy in two regions with active-passive using Cloud Load Balancing and Cloud Spanner backup/restore.
Why wrong: Backup/restore RPO is at least 1 hour, not meeting 15 min RPO.
- D
Use a single region with Cloud SQL for PostgreSQL and enable cross-region replication using Cloud SQL replica.
Why wrong: Cloud SQL replicas are asynchronous and RPO may exceed 15 min; failover is manual.
A company is deploying a multi-tier web application on Google Cloud. The application must comply with PCI DSS. Which combination of Google Cloud services should be used to restrict access to the database tier to only the application tier, while also encrypting data at rest and in transit?
Trap 1: Use Cloud Spanner with private IP and SSL/TLS, and enable…
Cloud Spanner is not optimized for typical relational web app workloads and may not meet all PCI DSS requirements easily.
Trap 2: Use Cloud SQL with public IP and SSL/TLS, and enable Google-managed…
Public IP does not restrict network access to only the app tier.
Trap 3: Use Cloud Datastore with secure WebSocket connections and enable…
Cloud Datastore is NoSQL and not appropriate for relational data; WebSocket is not standard for database connections.
- A
Use Cloud Spanner with private IP and SSL/TLS, and enable Google-managed encryption keys
Why wrong: Cloud Spanner is not optimized for typical relational web app workloads and may not meet all PCI DSS requirements easily.
- B
Use Cloud SQL with public IP and SSL/TLS, and enable Google-managed encryption keys
Why wrong: Public IP does not restrict network access to only the app tier.
- C
Use Cloud Datastore with secure WebSocket connections and enable customer-managed encryption keys
Why wrong: Cloud Datastore is NoSQL and not appropriate for relational data; WebSocket is not standard for database connections.
- D
Use Cloud SQL with private IP and SSL/TLS, and enable Cloud Key Management Service (KMS) to create a key ring and customer-managed encryption key (CMEK)
Private IP isolates the database, SSL/TLS encrypts in transit, CMEK encrypts at rest with customer-managed keys.
A startup is developing a real-time analytics dashboard that ingests data from IoT devices. The data volume is unpredictable but can spike to millions of events per second. The dashboard must display near real-time aggregations with sub-second latency. Which Google Cloud architecture should the architect recommend?
Trap 1: Ingest via Cloud IoT Core directly to Cloud Bigtable, then query…
Cloud IoT Core is for device management, not high-volume event ingestion; direct write to Bigtable may lack stream processing.
Trap 2: Ingest via Cloud Pub/Sub, process with Cloud Dataproc, store in…
Cloud Dataproc (Hadoop/Spark) has higher latency for streaming; Cloud Storage is not optimized for sub-second queries.
Trap 3: Ingest via Cloud Pub/Sub, store raw data in Cloud Storage, and use…
Cloud SQL is not designed for high write throughput or sub-second aggregations on large datasets.
- A
Ingest via Cloud IoT Core directly to Cloud Bigtable, then query with BigQuery.
Why wrong: Cloud IoT Core is for device management, not high-volume event ingestion; direct write to Bigtable may lack stream processing.
- B
Ingest via Cloud Pub/Sub, process with Cloud Dataproc, store in Cloud Storage, and query with BigQuery.
Why wrong: Cloud Dataproc (Hadoop/Spark) has higher latency for streaming; Cloud Storage is not optimized for sub-second queries.
- C
Ingest via Cloud Pub/Sub, store raw data in Cloud Storage, and use Cloud SQL for aggregations.
Why wrong: Cloud SQL is not designed for high write throughput or sub-second aggregations on large datasets.
- D
Ingest via Cloud Pub/Sub, process with Cloud Dataflow, store in Cloud Bigtable, and query from the dashboard.
This combination handles high ingest rates, stream processing, and low-latency queries.
A company is migrating its on-premises application to Google Cloud. The application requires low-latency access to a shared filesystem that can be mounted by multiple Compute Engine instances across different zones. Which storage solution should they use?
Trap 1: Create a Persistent Disk and attach it to all instances.
Persistent Disk is block storage and cannot be attached to multiple instances across zones for shared access.
Trap 2: Attach Local SSD to each instance and replicate data between them.
Local SSD is ephemeral and cannot be shared across instances; replication would add complexity and latency.
Trap 3: Use Cloud Storage FUSE to mount a bucket on each instance.
Cloud Storage is object storage and does not provide POSIX semantics required for shared filesystem.
- A
Provision a Filestore instance and mount it on the instances.
Filestore provides a managed NFS filesystem that can be mounted by multiple VMs across zones for low-latency shared access.
- B
Create a Persistent Disk and attach it to all instances.
Why wrong: Persistent Disk is block storage and cannot be attached to multiple instances across zones for shared access.
- C
Attach Local SSD to each instance and replicate data between them.
Why wrong: Local SSD is ephemeral and cannot be shared across instances; replication would add complexity and latency.
- D
Use Cloud Storage FUSE to mount a bucket on each instance.
Why wrong: Cloud Storage is object storage and does not provide POSIX semantics required for shared filesystem.
A multinational corporation operates in multiple regions and must comply with GDPR. They use Cloud Load Balancing to distribute traffic across regional backends. Their security team wants to block traffic from specific countries (e.g., non-EU countries) at the edge. What should they use?
Trap 1: Configure Cloud CDN to serve content only to EU-based users.
Cloud CDN does not have geo-blocking capabilities.
Trap 2: Set VPC firewall rules to allow traffic only from EU IP ranges.
VPC firewall rules are regional and not designed for global geo-blocking.
Trap 3: Configure Identity-Aware Proxy (IAP) to require user authentication…
IAP is for application access control, not filtering at the edge.
- A
Configure Cloud CDN to serve content only to EU-based users.
Why wrong: Cloud CDN does not have geo-blocking capabilities.
- B
Use Cloud Armor security policies with geographic-based denylist rules.
Cloud Armor can block traffic from specific countries at the Google Cloud edge.
- C
Set VPC firewall rules to allow traffic only from EU IP ranges.
Why wrong: VPC firewall rules are regional and not designed for global geo-blocking.
- D
Configure Identity-Aware Proxy (IAP) to require user authentication from allowed countries.
Why wrong: IAP is for application access control, not filtering at the edge.
Which THREE are valid methods to protect sensitive data in BigQuery?
Trap 1: Enable customer-managed encryption keys (CMEK) to encrypt sensitive…
CMEK encrypts the entire table, not individual columns.
Trap 2: Use IAM roles to grant access at the dataset level, which…
IAM roles do not provide data masking; they control access to datasets.
- A
Enable customer-managed encryption keys (CMEK) to encrypt sensitive columns.
Why wrong: CMEK encrypts the entire table, not individual columns.
- B
Apply Cloud DLP de-identification transforms during data ingestion.
Cloud DLP can automatically de-identify data before loading into BigQuery.
- C
Create authorized views that query only non-sensitive columns.
Authorized views can share query results without exposing underlying tables.
- D
Use BigQuery column-level security to restrict access to sensitive columns.
Column-level security allows you to restrict access to specific columns.
- E
Use IAM roles to grant access at the dataset level, which automatically masks sensitive data.
Why wrong: IAM roles do not provide data masking; they control access to datasets.
A company is migrating a monolithic application to Google Kubernetes Engine (GKE). The application currently runs on a single Compute Engine instance and stores session state in local memory. The migration must support horizontal scaling and high availability. What should the company do to manage session state in the new architecture?
Trap 1: Use a StatefulSet with a headless service to assign stable network…
StatefulSet does not solve the session state problem; it is for stateful applications requiring stable identities.
Trap 2: Use GKE Ingress with session affinity (sticky sessions) to route…
Sticky sessions can lead to unbalanced load and do not fully solve statelessness.
Trap 3: Store session state in Cloud SQL using a replicated database.
Cloud SQL adds latency and is not designed for high-throughput session caching.
- A
Refactor the application to store session state in Cloud Memorystore for Redis and make the application stateless.
Redis provides a fast, scalable, shared session store that decouples session state from individual pods.
- B
Use a StatefulSet with a headless service to assign stable network identities to pods.
Why wrong: StatefulSet does not solve the session state problem; it is for stateful applications requiring stable identities.
- C
Use GKE Ingress with session affinity (sticky sessions) to route requests to the same pod.
Why wrong: Sticky sessions can lead to unbalanced load and do not fully solve statelessness.
- D
Store session state in Cloud SQL using a replicated database.
Why wrong: Cloud SQL adds latency and is not designed for high-throughput session caching.
Which THREE options are valid strategies for disaster recovery (DR) in Google Cloud?
Trap 1: Store hourly snapshots of Compute Engine disks in the same region.
Snapshots in the same region do not protect against regional disasters.
Trap 2: Enable Cloud CDN to cache static content from multiple origins.
CDN is for caching, not DR for compute or databases.
- A
Store hourly snapshots of Compute Engine disks in the same region.
Why wrong: Snapshots in the same region do not protect against regional disasters.
- B
Deploy a mirrored environment in another region and use Traffic Director to fail over.
Traffic Director can route traffic to the DR environment.
- C
Enable Cloud CDN to cache static content from multiple origins.
Why wrong: CDN is for caching, not DR for compute or databases.
- D
Use a Cloud Storage bucket in a different region with Object Versioning enabled.
Provides geo-redundant storage for data.
- E
Configure a cross-region replica for Cloud SQL and promote it during failover.
Cross-region replica provides DR capability.