Sample questions
Google Associate Cloud Engineer practice questions
A team's Cloud Build pipeline must: (1) run unit tests, (2) build a Docker image only if tests pass, (3) push the image to Artifact Registry. Which cloudbuild.yaml structure correctly enforces this sequential dependency?
- A
Define all three steps in a single `steps` list — they run sequentially by default and stop on failure
Cloud Build steps execute sequentially by default. If any step fails (non-zero exit), the build stops and subsequent steps don't run — enforcing the test-before-build-before-push dependency.
- B
Use `waitFor` with step IDs to create a dependency graph between all three steps
Why wrong: `waitFor` is used when steps should run in parallel or out of order — for a simple sequential pipeline, steps already run in order without `waitFor`.
- C
Define the steps in three separate cloudbuild.yaml files and chain them with Cloud Composer
Why wrong: Using multiple YAML files and Cloud Composer adds unnecessary complexity — sequential steps in a single cloudbuild.yaml are sufficient.
- D
Set `parallel: false` at the top level of cloudbuild.yaml to enforce sequential execution
Why wrong: There is no `parallel: false` setting in cloudbuild.yaml — steps run sequentially by default.
A team needs a database backup job to run every day at 2 AM UTC. The job calls an HTTP endpoint to trigger the backup. The endpoint requires no complex orchestration — just a timed HTTP call. Which GCP service handles this most simply?
- A
Cloud Tasks with a daily task enqueued by a Cloud Function
Why wrong: Cloud Tasks handles task queuing and delivery but requires something to enqueue the task on schedule — more complex than Cloud Scheduler for a simple timed HTTP call.
- B
Cloud Scheduler with an HTTP target pointing to the backup endpoint
Cloud Scheduler sends a configured HTTP request to the backup endpoint at 2 AM UTC daily — the exact use case it's designed for, requiring minimal setup.
- C
Cloud Composer DAG running at 2 AM UTC
Why wrong: Cloud Composer (managed Airflow) is designed for complex multi-step data pipelines — it's overengineered for a single scheduled HTTP call.
- D
Cloud Run Jobs triggered by a Cloud Monitoring alert at 2 AM
Why wrong: Cloud Monitoring alerts respond to metric thresholds, not time-based schedules — Cloud Scheduler is the right tool for time-based job triggering.
A team wants to receive an email alert when the average CPU utilization of VMs in a managed instance group exceeds 80% for more than 5 minutes. What should they create in Cloud Monitoring?
- A
A dashboard with a CPU utilization chart
Why wrong: Dashboards display metrics visually but do not send notifications — they require a human to observe the chart.
- B
An alerting policy with a CPU utilization threshold condition
Alerting policies evaluate metric conditions continuously and send notifications via configured channels when thresholds are breached for the specified duration.
- C
A log-based metric filter for high-CPU events
Why wrong: Log-based metrics extract numeric values from log entries — CPU utilization is a time-series metric, not a log-based event.
- D
An uptime check targeting the managed instance group
Why wrong: Uptime checks verify that an endpoint is reachable and returns an expected response — they don't monitor resource utilization metrics.
A Go service is consuming significantly more CPU than expected. The team suspects an inefficient function but doesn't know which one. Which Cloud Operations tool identifies CPU hotspots in production code?
- A
Cloud Debugger
Why wrong: Cloud Debugger captures application state at a specific code location (like a breakpoint) without stopping execution — it doesn't profile CPU usage across functions.
- B
Cloud Trace
Why wrong: Cloud Trace tracks end-to-end request latency across services — it doesn't reveal which internal functions are consuming CPU.
- C
Cloud Profiler
Cloud Profiler samples production applications continuously with minimal overhead, generating flame graphs that show exactly which functions are most CPU-intensive.
- D
Cloud Monitoring custom dashboards
Why wrong: Custom dashboards display aggregate metrics like total CPU — they cannot drill into which specific code functions are responsible.
A network team is creating a new VPC and must decide between auto mode and custom mode. Why would they choose custom mode?
- A
Auto mode VPCs cost more per subnet than custom mode
Why wrong: VPC networking costs are based on traffic and peering, not the VPC mode — auto and custom mode have the same pricing structure.
- B
Custom mode allows full control over which regions have subnets and what CIDR ranges are used
In custom mode, the team creates subnets explicitly, choosing regions and CIDRs. This avoids CIDR conflicts with on-premises networks and prevents unnecessary subnet sprawl.
- C
Auto mode VPCs cannot be used with GKE clusters
Why wrong: GKE clusters can be deployed in both auto mode and custom mode VPCs.
- D
Custom mode VPCs support more IP addresses per subnet than auto mode
Why wrong: The VPC mode doesn't restrict subnet IP capacity — both modes support the same CIDR sizes.
A company organizes its GCP projects by business unit — Finance, Engineering, and Sales. Which resource is best suited to group these projects while applying shared IAM policies to all projects in each group?
- A
Apply labels to each project to identify the business unit
Why wrong: Labels are key-value metadata for billing and filtering — they do not support IAM policy inheritance.
- B
Apply resource tags to each project for policy enforcement
Why wrong: Tags can be used with conditional IAM policies but are more complex to manage than Folders for this use case.
- C
Create GCP Folders for each business unit and add the relevant projects
Folders are the right level in the GCP hierarchy for grouping projects by business unit. IAM and Org Policies set on a Folder cascade to all child projects.
- D
Create a Shared VPC host project for each business unit
Why wrong: Shared VPC is a networking feature for sharing subnets — it does not group projects for IAM or policy purposes.
A GKE Pod needs to call the Cloud Storage API. The team wants to avoid creating and managing service account key files. What is the recommended approach?
- A
Mount a service account JSON key file as a Kubernetes Secret and set GOOGLE_APPLICATION_CREDENTIALS
Why wrong: This works but requires managing key files — rotation, secure storage, and risk of key leakage. It's the pattern Workload Identity is designed to replace.
- B
Enable Workload Identity on the GKE cluster and bind a Kubernetes ServiceAccount to a GCP IAM ServiceAccount
Workload Identity allows Pods to authenticate to GCP APIs through the GKE metadata server, completely eliminating the need for service account key files.
- C
Rely on the GKE node's Compute Engine service account for all Pod authentication
Why wrong: Using the node's service account grants all Pods on the node identical GCP permissions — this violates the principle of least privilege.
- D
Grant the GKE node pool's service account the Storage Admin role to cover all Pod needs
Why wrong: Granting broad roles to the node service account over-provisions permissions for all Pods on those nodes, violating least privilege.
A company runs a stable production workload on 20 n2-standard-8 VMs that run continuously year-round. Which pricing commitment maximizes cost savings on these VMs?
- A
Sustained use discounts (automatically applied)
Why wrong: Sustained use discounts apply automatically for VMs running more than 25% of a month, but their maximum savings (30% for N2) are lower than 3-year CUDs.
- B
1-year committed use discount (CUD)
Why wrong: 1-year CUDs offer approximately 37% discount — better than SUDs, but less than 3-year CUDs.
- C
3-year committed use discount (CUD)
3-year CUDs for N2 VMs offer up to 57% discount compared to on-demand pricing — the highest available discount for stable, continuously-running workloads.
- D
Switching to Spot VMs
Why wrong: Spot VMs offer deep discounts but can be preempted at any time — they are not suitable for stable production workloads that must run continuously.
An organization has a policy requiring all new GCP projects to be created within specific folders and linked to approved billing accounts only. Which combination of features enforces this at scale?
- A
IAM deny policies on the organization + VPC Service Controls
Why wrong: IAM deny policies block specific actions, and VPC Service Controls limit API access — neither directly constrains where new projects can be created or which billing accounts they can use.
- B
Organization policies to restrict allowed billing accounts + granting Project Creator role only at approved folder level
The `billing.allowedBillingAccounts` org policy restricts which billing accounts can be used. Scoping the Project Creator role to specific folders ensures new projects land in the right place.
- C
Cloud Asset Inventory alerts + manual review of new projects
Why wrong: Asset Inventory can detect non-compliant projects after creation, but doesn't prevent them — reactive, not preventive.
- D
Requiring multi-factor authentication for all project creators
Why wrong: MFA controls authentication strength — it doesn't enforce where projects are created or which billing accounts they use.
A DevOps team monitors a Cloud SQL instance and notices its CPU is consistently above 85% for several hours. The instance handles a critical production database. What should be the team's immediate action?
- A
Enable read replicas to distribute query load
Why wrong: Read replicas help with read-heavy workloads but require application changes to route reads to replicas — not an immediate fix for high CPU on the primary.
- B
Scale up the Cloud SQL instance machine type to add more vCPUs
Scaling up the Cloud SQL instance (more CPUs/RAM) immediately provides more compute capacity. For Cloud SQL, this operation involves a brief restart but is the fastest relief for CPU saturation.
- C
Restart the Cloud SQL instance to clear CPU-intensive processes
Why wrong: Restarting clears connections and may temporarily reduce load, but it doesn't address the underlying capacity issue and disrupts the production database.
- D
Delete and recreate the instance with a larger machine type
Why wrong: Deleting and recreating the instance loses all data unless a backup is restored — a destructive and unnecessary approach when Cloud SQL supports in-place resize.
A financial application requires a relational database with automatic failover to a standby in a different zone, with minimal configuration overhead. Which Cloud SQL configuration provides this?
- A
Cloud SQL with a read replica in a different zone
Why wrong: Read replicas serve read traffic but don't automatically failover — manual promotion is required if the primary fails.
- B
Cloud SQL with High Availability (HA) configuration
Cloud SQL HA creates an automatic failover replica in a different zone. Failover is automatic and requires no manual intervention.
- C
Cloud Spanner multi-region instance
Why wrong: Cloud Spanner is a globally distributed NewSQL database — it's overengineered for a single-application HA requirement and significantly more expensive.
- D
Two separate Cloud SQL instances with application-level failover logic
Why wrong: Managing failover at the application level adds complexity, risks inconsistency, and is exactly what Cloud SQL HA is designed to eliminate.
A platform team is deploying a multi-tier application on GKE: a frontend Deployment, a backend Deployment, and a Redis StatefulSet. The backend must be reachable by name from the frontend, but not from outside the cluster. Which Kubernetes resource enables internal name-based service discovery?
- A
A NodePort Service for the backend
Why wrong: NodePort exposes the service on a port of every node's IP — it's reachable from outside the cluster, not just internally.
- B
A ClusterIP Service for the backend
ClusterIP Services get a stable cluster-internal IP and DNS name. Pods within the cluster resolve the service by name; it's not reachable from outside.
- C
A LoadBalancer Service for the backend
Why wrong: LoadBalancer provisions an external cloud load balancer — exposing the backend publicly, which violates the requirement.
- D
A Kubernetes Ingress resource for the backend
Why wrong: Ingress routes external HTTP/HTTPS traffic into the cluster — it doesn't provide internal service-to-service discovery.
A production GKE cluster is running low on node resources. Pods are in Pending state because no node has sufficient CPU or memory. Without deleting existing Pods, what is the fastest way to resolve this?
- A
Resize the node pool to add more nodes: `gcloud container clusters resize`
`gcloud container clusters resize [CLUSTER] --node-pool=[POOL] --num-nodes=[N]` adds nodes immediately. If cluster autoscaler is enabled, it will do this automatically when Pods are Pending.
- B
Delete existing Pods to free resources for the Pending Pods
Why wrong: Deleting Pods reduces the cluster load but disrupts existing workloads — the question specifically asks for a solution without deleting Pods.
- C
Change the Pending Pods' resource requests to zero
Why wrong: Removing resource requests is a bad practice — it makes scheduling unpredictable and can cause resource contention. It also requires modifying Deployments.
- D
Upgrade the Kubernetes control plane version
Why wrong: Control plane upgrades don't add node capacity and can cause disruption — they don't resolve resource shortfalls.
A FinOps team wants to analyze daily GCP spending trends, allocate costs by team using labels, and create custom dashboards. Which configuration exports billing data for this analysis?
- A
Enable Cloud Monitoring billing metrics and build dashboards in Metrics Explorer
Why wrong: Cloud Monitoring has some cost metrics but doesn't provide the granular label-based cost allocation data that BigQuery billing export does.
- B
Download the monthly billing PDF from the Console and import it into a spreadsheet
Why wrong: Monthly PDFs are summary invoices — they don't provide the granular daily, label-level data needed for FinOps analysis.
- C
Enable Cloud Billing data export to BigQuery and query the exported dataset
BigQuery billing export provides detailed, near-real-time cost data including resource labels, SKUs, and usage amounts. It's the standard approach for GCP FinOps analysis.
- D
Use the Cloud Billing API to pull cost data into Cloud Firestore nightly
Why wrong: Custom API-based pipelines work but add unnecessary complexity — BigQuery export is the native, direct solution.
A GKE team is comparing Autopilot and Standard cluster modes for a new project. They want to minimize infrastructure management overhead, automatically right-size node resources, and be billed only for Pod resource requests. Which mode matches these requirements?
- A
GKE Standard — it provides more control over node configuration
Why wrong: GKE Standard requires managing node pools, machine types, and autoscaler settings — the opposite of minimal management overhead.
- B
GKE Autopilot — managed nodes, automatic right-sizing, and per-Pod billing
Autopilot removes all node management: Google provisions, scales, and optimizes nodes automatically. Billing is based on Pod resource requests — precisely matching the described requirements.
- C
GKE Standard with cluster autoscaler and node auto-provisioning enabled
Why wrong: Even with autoscaling enabled, Standard mode requires configuring machine families, node pool settings, and monitoring — more overhead than Autopilot.
- D
Both modes are equivalent in management overhead — Autopilot is just a pricing model
Why wrong: Autopilot fundamentally removes node-level management responsibility from teams — it's not just a pricing change.
Your organization mandates that all service-to-service communication within a GKE cluster must be encrypted in transit using mutual TLS (mTLS). The team does not want to manage certificates or modify application code. Which solution meets these requirements?
- A
Configure Kubernetes TLS Secrets and mount them as volumes in each pod.
Why wrong: Manually managing TLS Secrets requires certificate rotation, application code to load certs, and doesn't provide automatic mTLS between services. This requires code changes and significant operational work.
- B
Enable Anthos Service Mesh with mTLS policy set to STRICT mode.
ASM (based on Istio) injects Envoy sidecars that handle mTLS automatically. In STRICT mode, all service-to-service communication requires mTLS. No application code changes needed — the sidecar handles everything.
- C
Use Cloud Armor to enforce TLS between services within the cluster.
Why wrong: Cloud Armor is an edge security service (WAF/DDoS protection) for internet-facing load balancers, not for in-cluster service-to-service encryption.
- D
Enable GKE node-to-node encryption to encrypt all traffic between nodes.
Why wrong: Node-to-node encryption encrypts traffic at the node level (host-to-host network layer), not at the application service level. It doesn't provide mTLS between specific services.
A developer runs `gcloud projects list` and receives the error: `ERROR: (gcloud.projects.list) PERMISSION_DENIED: The caller does not have permission`. The developer has the Viewer role on several projects. What is the most likely cause?
- A
The developer does not have multi-factor authentication enabled.
Why wrong: MFA state does not cause PERMISSION_DENIED on gcloud commands; it affects login, not API authorization.
- B
The developer lacks `resourcemanager.projects.list` at the organization or folder level.
Project Viewer only grants permissions within the project. Listing all projects requires the permission at a higher hierarchy level.
- C
The gcloud SDK is outdated and must be updated.
Why wrong: An outdated SDK would typically return version warnings, not a PERMISSION_DENIED error from the API.
- D
The developer's account has been suspended by the billing administrator.
Why wrong: Billing suspension affects resource provisioning, not IAM permission checks for listing resources.
You have a Kubernetes Deployment running 5 replicas. You need to update the container image with zero downtime, ensuring that at least 4 replicas are always available during the update, and no more than 6 replicas exist at any time. Which Deployment strategy and settings achieve this?
- A
Recreate strategy with `minReadySeconds: 30`.
Why wrong: Recreate terminates all old pods before creating new ones — this causes complete downtime, not zero downtime.
- B
RollingUpdate with `maxUnavailable: 1` and `maxSurge: 1`.
maxUnavailable: 1 means at least 4 pods remain available. maxSurge: 1 means at most 6 pods exist simultaneously. This matches both constraints exactly.
- C
RollingUpdate with `maxUnavailable: 0` and `maxSurge: 2`.
Why wrong: maxSurge: 2 allows up to 7 pods (5 + 2), exceeding the maximum of 6 requirement.
- D
RollingUpdate with `maxUnavailable: 2` and `maxSurge: 1`.
Why wrong: maxUnavailable: 2 means only 3 pods remain available during the update, violating the minimum-4 requirement.
What is the purpose of Cloud Audit Logs' Data Access audit logs, and why are they NOT enabled by default for most services?
- A
They record authentication events; they are disabled by default due to privacy regulations.
Why wrong: Authentication events are not the primary purpose of Data Access audit logs. Privacy is not the reason for their default-off status — cost is.
- B
They log API calls that read or write user data; they are off by default due to very high log volume and associated storage costs.
Data Access logs capture every data read/write. On busy services like BigQuery, this generates massive log volume. Enabling them broadly would be cost-prohibitive, so they're opt-in.
- C
They log VM instance creation and deletion; they are disabled by default to avoid noise.
Why wrong: VM lifecycle events are captured in Admin Activity audit logs (always enabled), not Data Access logs.
- D
They provide real-time threat detection; they are experimental and not yet generally available.
Why wrong: Data Access audit logs are GA and are for compliance/audit purposes, not real-time threat detection (that's Security Command Center's role).
A team wants to grant three developers access to view Cloud SQL instance details and connection strings, but not create, delete, or modify any Cloud SQL instances. Which predefined IAM role is the most appropriate?
- A
Cloud SQL Editor
Why wrong: Cloud SQL Editor allows creating, editing, and deleting instances — far more than the read-only access needed.
- B
Cloud SQL Client
Why wrong: Cloud SQL Client grants permission to connect to Cloud SQL databases — it doesn't provide access to view instance configuration details in the Console.
- C
Cloud SQL Viewer
Cloud SQL Viewer (roles/cloudsql.viewer) grants read-only access to Cloud SQL instance details, settings, and connection information without any modification rights.
- D
Project Viewer
Why wrong: Project Viewer grants read access to all project resources — it's broader than needed and violates the principle of least privilege.
A team needs to run a containerized HTTP API that scales to zero when idle and requires zero cluster or server management. Which GCP compute platform is the best fit?
- A
Compute Engine with a managed instance group
Why wrong: Managed instance groups require managing VMs, don't scale to zero, and always incur VM costs.
- B
Google Kubernetes Engine Autopilot
Why wrong: GKE Autopilot manages nodes automatically but still requires a running cluster with associated costs — it doesn't scale to zero.
- C
Cloud Run
Cloud Run is purpose-built for containerized HTTP services: it autoscales down to zero instances when idle, requires no cluster or server management, and bills per request.
- D
App Engine Flexible
Why wrong: App Engine Flexible runs on VMs and has a minimum of one instance always running — it doesn't scale to zero.
A team wants logs from their Python application running on a Compute Engine VM to appear in Cloud Logging. What must be installed on the VM?
- A
Cloud Trace SDK for the Python application
Why wrong: The Cloud Trace SDK instruments applications for distributed tracing — it doesn't forward application logs to Cloud Logging.
- B
Ops Agent (Google Cloud's combined logging and monitoring agent)
The Ops Agent collects logs from system files and application log streams and forwards them to Cloud Logging. It must be installed explicitly on Compute Engine VMs.
- C
Cloud Monitoring agent only
Why wrong: The legacy Cloud Monitoring agent collects metrics only. For logs, the Cloud Logging agent (or the modern Ops Agent which handles both) is required.
- D
No installation needed — GCE VMs automatically stream logs to Cloud Logging
Why wrong: Compute Engine VMs do not automatically forward application logs. The Ops Agent must be installed and configured.
An enterprise stores sensitive customer data in Cloud Storage. Regulatory requirements mandate that the company controls its own encryption keys — Google must not be able to decrypt data unilaterally. Which encryption configuration satisfies this?
- A
Google-managed encryption keys (the default)
Why wrong: With GMEK, Google creates, stores, and manages encryption keys — the customer has no control over the keys and Google can theoretically access the data.
- B
Customer-managed encryption keys (CMEK) using Cloud KMS
CMEK keys are created and controlled by the customer in Cloud KMS. GCP encrypts data using these keys, but the customer retains full control — including the ability to revoke access.
- C
Client-side encryption before uploading to Cloud Storage, without using Cloud KMS
Why wrong: Client-side encryption works technically, but it doesn't use GCP's key management infrastructure — audit logging, key rotation, and IAM-based access control for keys are all missing.
- D
Shielded VM with vTPM enabled on the storage backend
Why wrong: Shielded VM protects VM integrity (boot security) — it doesn't control encryption keys for Cloud Storage objects.
A load balancer is routing traffic to a VM where the application process has crashed, but the VM itself is still running. What prevents the load balancer from continuing to send traffic to this instance?
- A
A VPC firewall rule blocking traffic to the VM
Why wrong: Firewall rules are static and would block traffic to all instances equally — they don't dynamically respond to application health.
- B
An HTTP health check configured on the backend service
HTTP health checks probe the application port. A crashed application fails the probe, causing the load balancer to stop directing traffic to that VM until it recovers.
- C
A Cloud Armor security policy blocking the crashed instance's IP
Why wrong: Cloud Armor applies rules to incoming requests from external clients — it doesn't monitor backend instance health.
- D
The instance group autoscaling policy detecting the failure
Why wrong: Autoscaling adjusts instance count based on metrics — it doesn't directly control load balancer routing per instance health.