Google Associate Cloud Engineer (ACE) — Questions 175

500 questions total · 7 pages · All types, answers revealed

Page 1 of 7

1
MCQ · medium

You need to run a database migration script once before deploying a new version of an application to GKE. The migration must complete before any application pods start. Which Kubernetes feature enables this pattern?

A. A Kubernetes CronJob scheduled to run the migration before deployment.
B. A Kubernetes init container in the Pod spec that runs the migration script.
C. A readiness probe that runs the migration script before marking the pod as ready.
D. A Kubernetes Job that runs the migration, with the Deployment configured to start only after the Job completes.
Answer: B

Init containers run and must complete successfully before the main containers in the same Pod start, so the application never starts against an unmigrated schema. They run once per Pod, not once per Deployment, so the migration script must be idempotent.

Why this answer

Init containers run sequentially, each to successful completion, before the application containers in the same Pod start, so the migration script has finished before the application container in any Pod is created. Note what 'once' means here: the init container runs once per Pod lifecycle, so a Deployment with three replicas runs it three times, possibly concurrently. The migration script must therefore be idempotent and safe to run in parallel (for example by using a migration tool that records applied versions and takes a database lock); with that property, the pattern meets the requirement that the migration finish before the application starts.

Exam trap

Google Cloud often tests the distinction between init containers and Jobs, where candidates mistakenly think a Job can be used as a prerequisite for a Deployment without additional custom controllers or hooks.

How to eliminate wrong answers

Option A is wrong because a CronJob runs on a schedule, not as a prerequisite for Pod startup, and cannot guarantee completion before application pods start. Option C is wrong because a readiness probe only checks if a pod is ready to serve traffic; it does not run scripts before the main container starts, and running a migration in a probe would be unreliable and could cause probe failures. Option D is wrong because a Kubernetes Job runs independently of a Deployment; the Deployment does not automatically wait for a Job to complete unless custom orchestration (e.g., using a hook or manual sequencing) is implemented, which is not a built-in feature.

2
MCQ · medium

A GKE Deployment is running 3 replicas and receiving steady traffic. A junior engineer runs `kubectl scale deployment api-service --replicas=0` to 'stop it temporarily'. What happens to traffic during and after this command?

A. Traffic is paused and queued by the Service until replicas are restored
B. All Pods are terminated immediately; the Service has no backends and requests fail until replicas are restored
C. GKE detects the replica count is 0 and automatically restores it to maintain high availability
D. The Deployment is paused but Pods continue running until the next rollout
Answer: B

`scale --replicas=0` terminates all Pods. The Service loses all endpoints and incoming traffic fails. Running `kubectl scale --replicas=3` restores the Pods.

Why this answer

When you scale a Deployment to 0 replicas, `kubectl` sets `spec.replicas` to 0 and the Deployment and ReplicaSet controllers delete all Pods; each Pod receives SIGTERM and has its termination grace period (30 seconds by default) to exit, so in-flight requests on a draining Pod may still complete, but no new Pod is created. The associated Kubernetes Service continues to exist but has no endpoints, so traffic directed to the Service's ClusterIP is refused or reset, and an external load balancer returns a 502/503. Traffic is not queued or buffered; it simply fails until the Deployment is scaled back up and new Pods pass their readiness probes.

Exam trap

Google Cloud often tests the misconception that Kubernetes Services can queue or buffer traffic during scaling events, when in reality they are stateless and rely on real-time endpoint availability.

How to eliminate wrong answers

Option A is wrong because Kubernetes Services do not queue or buffer traffic; kube-proxy (or the dataplane) programs the endpoints published by the EndpointSlice controller, and with zero endpoints packets are rejected or dropped. Option C is wrong because GKE does not override a Deployment's replica count; the user explicitly set `--replicas=0`, and Kubernetes reconciles to that desired state with no built-in high-availability override (a HorizontalPodAutoscaler will not scale up a Deployment sitting at 0 replicas either). Option D is wrong because scaling to 0 deletes the Pods; the Deployment is not paused (that is `kubectl rollout pause`), and no new rollout revision is created, since `kubectl scale` changes only `spec.replicas` and the current ReplicaSet is simply scaled down.

3
MCQ · medium

An organization needs to set up a new Google Cloud project with restricted access to only approved IP ranges for SSH into VMs. Which Google Cloud service should be used?

A. Cloud Armor
B. Cloud NAT
C. VPC Firewall Rules
D. Identity-Aware Proxy (IAP) TCP forwarding
Answer: C

VPC firewall rules can restrict inbound SSH (TCP port 22) to specific source IP ranges.

Why this answer

VPC Firewall Rules (Option C) are the correct choice because they allow you to restrict inbound SSH (TCP port 22) traffic to specific source IP ranges by defining ingress rules at the VPC network level. This directly enforces IP-based access control for SSH into VM instances without additional services or proxies.

Exam trap

The trap here is that candidates often confuse Cloud Armor (a WAF for HTTP/S) with network-layer firewall rules, or assume IAP TCP forwarding is for IP whitelisting when it actually uses identity-based access, not source IP restrictions.

How to eliminate wrong answers

Option A is wrong because Cloud Armor is a web application firewall (WAF) that filters HTTP(S) traffic at Google's edge in front of external load balancers, not SSH traffic arriving at a VM's network interface; it cannot filter SSH connections. Option B is wrong because Cloud NAT provides outbound internet access for VMs without external IPs via source network address translation, but it does not control inbound SSH access or restrict source IPs. Option D is wrong because Identity-Aware Proxy (IAP) TCP forwarding enables SSH access without public IPs by tunneling through IAP, but it authorizes primarily by identity and device context (IAM plus optional access levels), not by the client's source IP range; with IAP, the firewall rule admits only the IAP forwarding range 35.235.240.0/20 rather than the approved corporate ranges.
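The following Terraform configuration is added here as a worked example and is not part of the question page. It shows the control Option C describes: an ingress rule allowing TCP/22 only from approved ranges, applied to tagged VMs, plus an explicit logged deny that outranks the default network's `default-allow-ssh` rule (priority 65534). `var.vpc_name` and the CIDRs in `approved_ssh_ranges` are assumptions (the CIDRs are IETF documentation ranges).

```hcl
# Added example, not from the question page. Assumed inputs: var.vpc_name
# (an existing VPC) and the constructed corporate egress ranges below.
variable "vpc_name" {
  type = string
}

variable "approved_ssh_ranges" {
  description = "Source ranges allowed to open SSH (constructed example values)"
  type        = list(string)
  default     = ["203.0.113.0/24", "198.51.100.17/32"]
}

# The control the question asks for: SSH is accepted only from these sources,
# and only on VMs that opt in with the ssh-allowed network tag.
resource "google_compute_firewall" "allow_ssh_from_approved" {
  name      = "allow-ssh-from-approved-ranges"
  network   = var.vpc_name
  direction = "INGRESS"
  priority  = 1000

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = var.approved_ssh_ranges
  target_tags   = ["ssh-allowed"]

  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

# Every VPC has an implied ingress deny, but the default network also ships
# with default-allow-ssh from 0.0.0.0/0 at priority 65534. A lower priority
# number wins, so this explicit deny at 65000 overrides that rule, and logging
# it gives the SOC a record of rejected SSH attempts.
resource "google_compute_firewall" "deny_ssh_from_unapproved" {
  name      = "deny-ssh-from-unapproved-ranges"
  network   = var.vpc_name
  direction = "INGRESS"
  priority  = 65000

  deny {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["0.0.0.0/0"]

  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}
```

If the same VMs should also be reachable through IAP TCP forwarding (Option D), add a separate allow rule whose source range is 35.235.240.0/20; that path is gated by identity rather than by the client's address, which is why it does not satisfy this question on its own.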

4
MCQ · easy

A load balancer is routing traffic to a VM where the application process has crashed, but the VM itself is still running. What prevents the load balancer from continuing to send traffic to this instance?

A. A VPC firewall rule blocking traffic to the VM
B. An HTTP health check configured on the backend service
C. A Cloud Armor security policy blocking the crashed instance's IP
D. The instance group autoscaling policy detecting the failure
Answer: B

HTTP health checks probe the application port. A crashed application fails the probe, causing the load balancer to stop directing traffic to that VM until it recovers.

Why this answer

The load balancer uses an HTTP health check to periodically probe the application on the VM. When the application process crashes, the health check fails (e.g., returns a non-2xx status code or times out), and the load balancer automatically stops routing new traffic to that unhealthy instance. This is the standard mechanism in Google Cloud for detecting application-level failures, as opposed to infrastructure-level failures.

Exam trap

The trap here is that candidates confuse infrastructure-level health (VM running) with application-level health (process responding), and assume autoscaling or firewall rules handle this, when in fact only a properly configured health check can detect a crashed application process.

How to eliminate wrong answers

Option A is wrong because a VPC firewall rule blocks traffic at the network layer regardless of application state; it does not detect that the process has crashed. Option C is wrong because Cloud Armor security policies filter traffic by source IP, geography or layer 7 request attributes, not by the health of the process on a backend VM. Option D is wrong because autoscaling reacts to load metrics (CPU utilization, requests per second, custom metrics) and adds or removes instances; replacing an instance that fails a health check is managed instance group autohealing, a separate feature that also relies on a health check. Neither autoscaling nor autohealing prevents the load balancer from sending traffic to the crashed instance; only the backend service's health check does that.
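The Terraform below is added here as a worked example (not code from the question page) of Option B: an HTTP health check attached to a backend service, with the thresholds that decide how quickly a crashed process is pulled out of rotation, and the ingress rule that lets Google's health-check probers reach the instances at all. `var.vpc_name` and the `google_compute_region_instance_group_manager.app` reference are assumed to exist elsewhere in the configuration.

```hcl
# Added example, not from the question page. Assumes var.vpc_name and a
# managed instance group resource named google_compute_region_instance_group_manager.app.

# Application-level probe: a 2xx from /healthz on the app port, not just "VM is up".
resource "google_compute_health_check" "app_http" {
  name                = "app-http-health"
  check_interval_sec  = 5
  timeout_sec         = 5
  healthy_threshold   = 2 # two consecutive passes before traffic resumes
  unhealthy_threshold = 2 # two consecutive failures (about 10 s) before traffic stops

  http_health_check {
    port         = 8080
    request_path = "/healthz" # the handler should exercise the process, e.g. touch its DB pool
  }

  # Health-check state transitions land in Cloud Logging, useful in an incident timeline.
  log_config {
    enable = true
  }
}

resource "google_compute_backend_service" "app" {
  name          = "app-backend"
  protocol      = "HTTP"
  port_name     = "http"
  timeout_sec   = 30
  health_checks = [google_compute_health_check.app_http.id]

  backend {
    group = google_compute_region_instance_group_manager.app.instance_group
  }
}

# Probes originate from Google's health-check ranges. Without this rule every
# backend is reported UNHEALTHY even though the application is fine, which is
# the most common reason a new load balancer serves nothing.
resource "google_compute_firewall" "allow_health_check_probes" {
  name      = "allow-google-health-check-probes"
  network   = var.vpc_name
  direction = "INGRESS"

  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]
  target_tags   = ["app"]

  allow {
    protocol = "tcp"
    ports    = ["8080"]
  }
}
```

The two thresholds are the knobs to reason about in the scenario: with a 5-second interval and `unhealthy_threshold = 2`, a crashed process keeps receiving traffic for roughly ten seconds before the backend is marked unhealthy, so the application's own timeouts and retries should be sized with that window in mind.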

5
MCQ · easy

A company needs to store 50 TB of access logs that are rarely accessed (once a year) and must be retained for 7 years. Which storage option is the most cost-effective?

A. Nearline Storage
B. Regional persistent disk
C. Archive Storage
D. Coldline Storage
Answer: C

Archive Storage has the lowest cost for data accessed less than once a year and with a 365-day minimum.

Why this answer

Archive Storage is the most cost-effective option for data that is accessed less than once a year and must be retained for 7 years. It offers the lowest storage cost among Google Cloud storage classes, specifically designed for long-term, infrequently accessed data with a 365-day minimum storage duration and a higher retrieval cost, which is acceptable given the rare access pattern.

Exam trap

Google Cloud often tests the distinction between Coldline and Archive storage by making candidates assume 'cold' is the cheapest, but Archive Storage is the true lowest-cost tier for data accessed less than once a year, with a longer minimum storage duration and higher retrieval fees.

How to eliminate wrong answers

Option A (Nearline Storage) is wrong because it is optimized for data accessed less than once a month, not once a year, and has a 30-day minimum storage duration, making it more expensive for 7-year retention. Option B (Regional persistent disk) is wrong because it is a block storage solution for high-performance compute instances, not designed for archival log storage, and would be prohibitively expensive for 50 TB of rarely accessed data. Option D (Coldline Storage) is wrong because it is designed for data accessed less than once a quarter (90-day minimum storage duration), which is more frequent than once a year, and its storage cost is higher than Archive Storage.

6
MCQ · medium

Your company runs a microservices application on Google Kubernetes Engine (GKE) with a shared VPC. The security team requires that all pod-to-pod traffic be encrypted using TLS. Additionally, you need to restrict which pods can communicate with each other. The application uses a service mesh with Istio. You have enabled Istio mTLS in STRICT mode, but you notice that some pods are still able to communicate with other pods without TLS. You have verified that all pods have the Istio sidecar injected. What should you do to fix the issue?

A. Enable VPC Flow Logs to identify the unencrypted traffic.
B. Restart all pods to force re-injection of the sidecar.
C. Apply a Kubernetes Network Policy to deny all non-mTLS traffic.
D. Ensure that the GKE cluster has the Istio add-on enabled for all node pools.
Answer: C

A Network Policy restricts which pods may reach each workload at layers 3 and 4, independently of the sidecar, so unexpected plaintext connections are dropped at the network layer rather than accepted.

Why this answer

Option C is correct because STRICT mode is enforced by the Envoy sidecars, and Istio cannot police traffic that never passes through a sidecar. Typical causes are a pod on hostNetwork, inbound ports excluded from interception (the traffic.sidecar.istio.io/excludeInboundPorts annotation), or a narrower PeerAuthentication (namespace or workload scope, or a per-port override) that still permits PERMISSIVE mode and therefore plaintext. A Kubernetes Network Policy is enforced by the CNI at layers 3 and 4, independently of the mesh; it cannot distinguish mTLS from plaintext, but it can restrict each workload's ingress to exactly the pods and ports that are supposed to reach it (the second requirement in the question). Plaintext connections from anything outside that allow-list are then dropped at the network layer regardless of sidecar behaviour, while the mesh-wide PeerAuthentication handles encryption for the traffic that is allowed. Check the PeerAuthentication scope and port overrides first; the Network Policy is the defense-in-depth layer.

Exam trap

Google Cloud often tests the misconception that Istio mTLS alone is sufficient to enforce encryption at all layers, but the trap here is that sidecar injection and STRICT mode do not cover traffic that bypasses the sidecar (e.g., via hostNetwork or non-mesh ports), so a Network Policy is needed as a fallback enforcement mechanism.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs only capture metadata about network flows (source, destination, ports, packets) and cannot inspect payload content to determine if TLS is used; they cannot enforce encryption or block traffic. Option B is wrong because restarting pods does not change the underlying Istio configuration or sidecar behavior; if the sidecar is already injected and mTLS is in STRICT mode, a restart will not fix a misconfiguration or a bypass scenario. Option D is wrong because the Istio add-on for GKE node pools is a legacy feature that installs Istio system components; it does not control per-pod mTLS enforcement or fix the issue of pods communicating without TLS when sidecars are already present.

7
MCQ · hard

A team deploys a Cloud Run service that must access resources in a private VPC (a private Cloud SQL instance and a Redis instance on Memorystore). The Cloud Run service has no public IP connectivity requirements for these resources. What must be configured?

A. Enable VPC Service Controls around Cloud Run to connect it to the VPC
B. Configure a Serverless VPC Access connector and specify it in the Cloud Run service deployment
C. Assign an external IP to the Cloud SQL and Memorystore instances — Cloud Run can reach them via public internet
D. Cloud Run automatically connects to any VPC resource in the same project via project-level networking
Answer: B

Serverless VPC Access connectors create a bridge between Cloud Run and the VPC network. The connector is specified with `--vpc-connector` at deploy time, enabling private IP access to Cloud SQL and Memorystore.

Why this answer

Cloud Run is a serverless compute platform that runs in a Google-managed VPC, not the customer's VPC. To access private resources like Cloud SQL and Memorystore (Redis) within a customer VPC, you must configure a Serverless VPC Access connector. This connector bridges the serverless environment to the specified VPC, enabling private, internal IP communication without public internet exposure.

Exam trap

Google Cloud often tests the misconception that serverless services like Cloud Run can natively reach VPC resources without explicit configuration, or that VPC Service Controls provide connectivity rather than security boundaries.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls are a security perimeter mechanism that prevents data exfiltration, not a connectivity method for Cloud Run to reach VPC resources. Option C is wrong because assigning external IPs to Cloud SQL and Memorystore would expose them to the public internet, violating the requirement for no public IP connectivity and introducing security risks. Option D is wrong because Cloud Run does not automatically connect to VPC resources; it runs in a Google-managed network and requires explicit configuration (e.g., Serverless VPC Access or Direct VPC) to access private VPC resources.
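As a worked example added here (not code from the question page), the Terraform below wires a Cloud Run service to a VPC through a Serverless VPC Access connector, the `--vpc-connector` setting mentioned above expressed declaratively. `var.region`, `var.project_id`, `var.vpc_name`, the image path, and the `google_redis_instance.cache` and `google_sql_database_instance.db` resources it reads addresses from are assumptions.

```hcl
# Added example, not from the question page. Assumes var.region, var.project_id,
# var.vpc_name, and existing google_redis_instance.cache and
# google_sql_database_instance.db resources with private IPs in that VPC.

# The connector lives in its own unused /28 inside the VPC; its instances
# are the hop between Google's serverless network and your private ranges.
resource "google_vpc_access_connector" "run_to_vpc" {
  name          = "run-to-vpc"
  region        = var.region
  network       = var.vpc_name
  ip_cidr_range = "10.8.0.0/28" # must not overlap any subnet or peered range
  min_instances = 2
  max_instances = 3
}

# Dedicated runtime identity; the default Compute Engine SA is over-privileged.
resource "google_service_account" "api_runtime" {
  account_id   = "api-runtime"
  display_name = "Runtime identity for the api Cloud Run service"
}

resource "google_cloud_run_v2_service" "api" {
  name     = "api"
  location = var.region

  template {
    service_account = google_service_account.api_runtime.email

    containers {
      image = "${var.region}-docker.pkg.dev/${var.project_id}/apps/api:1.0.0"

      env {
        name  = "REDIS_HOST"
        value = google_redis_instance.cache.host # private 10.x address
      }
      env {
        name  = "DB_HOST"
        value = google_sql_database_instance.db.private_ip_address
      }
    }

    # This block is what the question asks for. PRIVATE_RANGES_ONLY sends only
    # RFC 1918 destinations through the connector; ALL_TRAFFIC would force every
    # egress through the VPC (needed when a Cloud NAT static IP is required).
    vpc_access {
      connector = google_vpc_access_connector.run_to_vpc.id
      egress    = "PRIVATE_RANGES_ONLY"
    }
  }
}
```

Firewall rules in the VPC still apply to the connector's traffic: Cloud SQL's authorized network and Memorystore's reachability are evaluated against the connector's /28, so that range is what to allow on TCP/3306 (or 5432) and TCP/6379.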

8
MCQ · hard

An organization needs to deploy a batch job that runs every hour on Compute Engine. The job requires a VM with 16 vCPUs and 64 GB of memory. The job takes approximately 20 minutes to complete. The team wants to minimize costs while ensuring the job completes reliably. Which deployment strategy should they use?

A. Use spot VMs with a restart policy configured in the instance template
B. Use committed use discounts for the VM
C. Create an always-on VM and use sustained-use discounts
D. Use preemptible VMs and accept the risk of termination
Answer: A

Spot VMs carry the same 60-91% discount as preemptible VMs but have no 24-hour runtime limit and can be restarted automatically; each run only needs about 20 minutes of capacity.

Why this answer

Option C (an always-on VM with sustained-use discounts) pays for 60 minutes of every hour to do 20 minutes of work, and sustained-use discounts are far smaller than Spot pricing. Option D (preemptible VMs) carries the same discount as Spot, but preemptible VMs are always terminated after 24 hours and are not restarted automatically, so a run could silently fail. Option B (committed use discounts) requires a 1- or 3-year commitment for capacity the job uses a third of the time.

Option A (Spot VMs with a restart policy) is correct: Spot VMs are the current generation of preemptible VMs at the same steep discount, and a managed instance group (or the instance's termination action) can recreate or restart the VM if it is preempted, so the hourly job completes even when an instance is reclaimed. The job script itself should be idempotent so that a restarted run can pick up safely.

9
MCQ · medium

A GKE node pool has auto-repair enabled. A node becomes unresponsive (not ready) for 10 minutes. What action does GKE's auto-repair feature take?

A. GKE alerts the team and waits for manual intervention
B. GKE drains the node, recreates it, and rejoins it to the cluster automatically
C. GKE terminates the node permanently and adds a replacement from the node pool's minimum size
D. GKE migrates all Pods to other nodes but leaves the unresponsive node running
Answer: B

GKE auto-repair drains the unhealthy node (evicting Pods while respecting PDBs), recreates it from the node pool configuration, and reconnects it to the cluster.

Why this answer

B is correct because GKE's auto-repair feature periodically performs health checks on nodes. When a node is in a 'NotReady' state for the default timeout of 10 minutes, GKE automatically initiates a repair: it drains the node (evicting pods gracefully), recreates it from the node pool's instance template, and rejoins it to the cluster. This ensures minimal disruption without requiring manual intervention.

Exam trap

The trap here is that candidates often confuse auto-repair with autoscaling or manual node recovery, assuming the node is permanently deleted or that the cluster waits for human action, when in fact auto-repair is fully automated: the VM is recreated from the node pool's template, so its Pods are rescheduled and anything on the node's boot or local disks is lost, but the node pool's size is unchanged.

How to eliminate wrong answers

Option A is wrong because auto-repair is designed to be fully automated; it does not wait for manual intervention—it triggers the repair process after the 10-minute 'NotReady' threshold. Option C is wrong because GKE does not permanently terminate the node; it recreates the node using the same instance template, and the node pool's minimum size is irrelevant to the repair action (the node is replaced, not permanently removed). Option D is wrong because GKE does not leave the unresponsive node running; it drains the node and then recreates it, fully replacing the unhealthy node.

10
MCQ · medium

A team is selecting the right Compute Engine machine family for a machine learning training workload that is GPU-bound. The workload runs for 6 hours at a time and tolerates interruption. Which combination maximizes GPU access at lowest cost?

A. N2-standard machine with a custom GPU attached as a standard on-demand VM
B. A2 or A3 (accelerator-optimized) Spot VM with NVIDIA GPU
C. E2-highcpu Spot VM — more vCPUs provide equivalent GPU-like parallelism
D. C3 (compute-optimized) on-demand VM — best for numerically intensive workloads
Answer: B

A2/A3 machines include NVIDIA A100/H100 GPUs designed for ML training. Using Spot VM pricing for fault-tolerant 6-hour jobs reduces cost by up to 91%.

Why this answer

Option B is correct because A2 and A3 Spot VMs are purpose-built for GPU-bound ML training workloads, offering direct access to NVIDIA GPUs (e.g., A100, H100) at the lowest cost due to Spot pricing (60-91% discount). The workload's 6-hour duration and interruption tolerance make Spot VMs ideal, as they can be preempted but provide maximum GPU utilization for the price.

Exam trap

Google Cloud often tests the misconception that any VM family can be made GPU-capable by attaching a GPU, ignoring that GPUs are available only on the accelerator-optimized families (A2, A3 and G2, which ship with GPUs built in) and on N1, where GPUs such as the T4 or V100 can be attached; N2, E2 and C3 do not support GPUs. For interruptible workloads, Spot pricing is the lowest-cost option.

How to eliminate wrong answers

Option A is wrong because N2-standard machines do not support GPUs at all (among general-purpose families, GPU attachment is limited to N1), and running on demand forgoes the Spot discount an interruption-tolerant job could use. Option C is wrong because E2-highcpu Spot VMs are CPU-optimized and do not support attached GPUs, so they cannot provide GPU access at all, let alone maximize it; more vCPUs are not a substitute for GPU parallelism. Option D is wrong because C3 on-demand VMs are compute-optimized for CPU-intensive tasks, not GPU-bound workloads, and on-demand pricing is significantly higher than Spot, failing the 'lowest cost' requirement.

11
Multi-Select · hard

A company is planning a hybrid cloud setup connecting their on-premises network to Google Cloud. They have a single data center with limited bandwidth. They need low latency and high reliability for their application traffic. Which TWO services should they consider? (Choose TWO.)

Select 2 answers
A. VPC Network Peering
B. Direct Peering
C. Dedicated Interconnect
D. Cloud VPN with dynamic routing
E. Carrier Peering
Answers: C, D

Dedicated Interconnect provides a dedicated, high-bandwidth, low-latency physical connection; Cloud VPN with dynamic (BGP) routing adds an encrypted, lower-cost path that can serve as failover.

Why this answer

Options C and D are correct. Dedicated Interconnect provides a direct physical connection to Google's network with low latency and an availability SLA; Cloud VPN with dynamic routing (Cloud Router and BGP) is a cost-effective backup path or a way to carry less critical traffic, and HA VPN has its own 99.99% SLA. Note that Dedicated Interconnect starts at 10 Gbps per circuit; if the data center's 'limited bandwidth' means less than that, Partner Interconnect (not offered here) is the usual fit. Option E is wrong because Carrier Peering, arranged through a service provider, reaches Google's public services rather than your VPC and carries no SLA.

Option B is wrong because Direct Peering likewise connects to Google's public edge for Google Workspace and public APIs, not for VPC connectivity. Option A is wrong because VPC Network Peering connects two VPC networks inside Google Cloud, not an on-premises network.

12
MCQ · easy

What is the correct order of the Google Cloud resource hierarchy from highest to lowest level?

A. Folder → Organization → Project → Resources
B. Organization → Folder → Project → Resources
C. Project → Folder → Organization → Resources
D. Organization → Project → Folder → Resources
Answer: B

The correct hierarchy is Organization at the top, followed by Folders, Projects, and individual Resources.

Why this answer

The Google Cloud resource hierarchy is structured from highest to lowest as Organization, Folder, Project, and Resources. The Organization node is the root, allowing centralized policy management; Folders group projects under departments or teams; Projects are the base-level containers for services and APIs; Resources (like Compute Engine instances) reside within projects. Option B correctly reflects this top-down inheritance of IAM policies and access control.

Exam trap

The trap here is that candidates often confuse the hierarchy with a typical filesystem tree, mistakenly thinking Projects are the top level, but the Organization node is the root that enables enterprise-grade policy control.

How to eliminate wrong answers

Option A is wrong because it places Folder above Organization, but the Organization is the top-level node in the hierarchy, not a Folder. Option C is wrong because it reverses the order, placing Project above Folder and Organization, whereas Projects are always children of Folders or the Organization. Option D is wrong because it places Project above Folder, but Folders are a higher-level grouping mechanism that can contain multiple projects, so the correct order is Organization → Folder → Project → Resources.

13
Multi-Select · hard

A company is setting up a CI/CD pipeline using Cloud Build to build container images and deploy to Cloud Run. Which THREE components are required for a fully automated pipeline? (Choose 3)

Select 3 answers
A. IAM roles for Cloud Build
B. Cloud Run
C. Container Registry or Artifact Registry
D. Cloud Build triggers
E. Cloud Source Repositories
Answers: A, C, D

Cloud Build needs permissions to push to registry and deploy to Cloud Run.

Why this answer

Cloud Build needs a trigger (e.g. on a git push), a registry to store the built image (Artifact Registry; Container Registry is deprecated), and IAM roles that let the build's service account push the image and deploy to Cloud Run (for example roles/artifactregistry.writer, roles/run.admin, and roles/iam.serviceAccountUser on the service's runtime service account). Cloud Source Repositories is optional because triggers can watch GitHub, GitLab or Bitbucket repositories. Cloud Run is the deployment target named in the question, not a component of the pipeline itself.

14
MCQ · medium

Your company uses BigQuery for analytics. Users frequently run queries against a large, date-partitioned table containing sales data. The table has 10 TB of data and is partitioned by the 'order_date' column. Queries often filter on the 'customer_id' and 'region' columns in addition to the date range. You observe that queries are slow and expensive, even when scanning only a few partitions. Which optimization should you implement first?

A. Enable clustering on the 'customer_id' and 'region' columns.
B. Create materialized views for common queries.
C. Create views for each combination of filters.
D. Change partitioning to use ingestion time instead of 'order_date'.
Answer: A

Clustering organizes data for efficient filtering, reducing scanned data per query.

Why this answer

Clustering on 'customer_id' and 'region' organizes the data within each partition based on these filter columns, allowing BigQuery to perform block-level pruning and skip irrelevant data even when scanning only a few partitions. This directly addresses the slowness and cost by reducing the amount of data read per query, without requiring additional storage or maintenance overhead.

Exam trap

Google Cloud often tests the misconception that partitioning alone is sufficient for all filter optimization, but the trap here is that clustering is needed to optimize queries that filter on non-partition columns within already-selected partitions.

How to eliminate wrong answers

Option B is wrong because materialized views precompute and store query results, which can speed up repeated queries but do not optimize the underlying data layout for arbitrary filters on 'customer_id' and 'region'; they also incur storage costs and maintenance complexity. Option C is wrong because creating views for each combination of filters does not reduce the amount of data scanned—views are just saved queries and do not change how BigQuery reads the underlying table; this approach would be impractical and offer no performance benefit. Option D is wrong because changing partitioning to ingestion time (e.g., _PARTITIONTIME) would not improve query performance for filters on 'customer_id' and 'region'; it would only change how partitions are defined, and since queries already filter on 'order_date', the current partitioning is appropriate—ingestion time partitioning is typically used when no natural date column exists.

15
MCQ · hard

A company is setting up a multi-project environment in Google Cloud with centralized billing. They need to separate development, staging, and production projects. They require that all projects have a specific set of APIs enabled (Compute Engine, Cloud Storage, Cloud SQL) and that only certain users can create projects. Additionally, the security team mandates that service accounts in one project cannot access resources in another project unless explicitly allowed. Which combination of steps should the administrator take to meet these requirements?

A. Use Google Cloud's Resource Manager to create projects under a folder, assign Billing Account User role to developers, and configure firewall rules to block cross-project traffic.
B. Create an organization, set up folder hierarchy (development, staging, production), assign Project Creator role at the folder level, and use Organization policies to restrict service account cross-project access.
C. Create a single project with multiple VPC networks, use IAM roles to separate access, and disable Cloud SQL API in development.
D. Create separate billing accounts for each environment, use Shared VPC to connect projects, and assign Project Owner role to all users.
Answer: B

This provides hierarchical control, limits project creation to folders, and enforces service account isolation via Organization policies.

Why this answer

Option B is correct because it uses the Organization and folder hierarchy for environment separation, grants Project Creator at the folder level so only specific principals can create projects (and only under the folders they are allowed to), and uses Organization policies (for example the iam.disableCrossProjectServiceAccountUsage constraint, alongside project-scoped IAM grants for the explicitly allowed cases) to restrict cross-project service account use. Option C is incorrect because a single project cannot separate environments, and disabling an API contradicts the requirement that every project have the same APIs enabled. Option A is incorrect because Billing Account User does not grant project creation permission (that needs resourcemanager.projectCreator on the folder or organization), and firewall rules filter network traffic, not IAM access by service accounts.

Option D is incorrect because separate billing accounts contradict the centralized billing requirement, Shared VPC is a network-connectivity construct, and Project Owner for all users is far too permissive.

16
MCQ · hard

You need to set an organization policy that prevents any project from creating Cloud SQL instances with a public IP address. The constraint you need is `sql.restrictPublicIp`. What type of constraint is this, and how do you enable it?

A. List constraint — add `CLOUD_SQL_INSTANCE` to the `deniedValues` list.
B. Boolean constraint — set `enforce: true` in the organization policy.
C. Custom constraint — define a CEL expression that evaluates the Cloud SQL instance's IP configuration.
D. List constraint — add `0.0.0.0/0` to the `deniedValues` list.
Answer: B

Boolean constraints have two states: enforced or not enforced. Setting enforce: true on sql.restrictPublicIp prevents public IP assignment on any Cloud SQL instance within the policy's scope.

Why this answer

Option B is correct because `sql.restrictPublicIp` is a boolean constraint in Google Cloud Organization Policies. Boolean constraints have a simple `enforce: true` or `enforce: false` setting, and setting it to `true` prevents projects from creating Cloud SQL instances with public IP addresses. This is the standard method to enforce this restriction across the organization.

Exam trap

The trap here is that candidates confuse boolean constraints with list constraints, thinking they need to specify denied values like IP ranges, when in fact the boolean constraint simply toggles enforcement on or off.

How to eliminate wrong answers

Option A is wrong because `sql.restrictPublicIp` is not a list constraint; list constraints use `deniedValues` or `allowedValues` lists for resources like allowed external IPs, but this constraint is boolean. Option C is wrong because custom constraints require a CEL expression and are used for policies not covered by built-in constraints, but `sql.restrictPublicIp` is a built-in boolean constraint, so no custom definition is needed. Option D is wrong because adding `0.0.0.0/0` to `deniedValues` is a list constraint approach for VPC firewall rules or similar, not for Cloud SQL public IP restriction, and the constraint type is boolean, not list.
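To make the boolean-versus-list distinction concrete, the Terraform below is added here as a worked example (not code from the question page). It sets the boolean `sql.restrictPublicIp` constraint from the question next to a list constraint, `compute.vmExternalIpAccess`, so the two shapes can be compared side by side. `var.org_id` and the bastion instance path in `allowed_values` are assumptions.

```hcl
# Added example, not from the question page. Assumes var.org_id holds the
# numeric organization ID; the bastion instance path below is illustrative.
locals {
  org = "organizations/${var.org_id}"
}

# Boolean constraint: nothing to list. The only setting is enforce TRUE/FALSE,
# which is exactly the shape the question is testing.
resource "google_org_policy_policy" "sql_no_public_ip" {
  name   = "${local.org}/policies/sql.restrictPublicIp"
  parent = local.org

  spec {
    rules {
      enforce = "TRUE"
    }
  }
}

# List constraint for contrast: external IPs on VMs are denied everywhere
# except the single allow-listed bastion. Note values{allowed_values/denied_values}
# and no enforce field; the value format is dictated by the constraint
# (here projects/PROJECT/zones/ZONE/instances/NAME), not an IP range.
resource "google_org_policy_policy" "vm_external_ip_allowlist" {
  name   = "${local.org}/policies/compute.vmExternalIpAccess"
  parent = local.org

  spec {
    rules {
      values {
        allowed_values = [
          "projects/net-hub-prod/zones/us-central1-a/instances/bastion-1",
        ]
      }
    }
  }
}
```

Both resources are set at the organization node, so every folder and project inherits them; a policy on a folder or project for the same constraint replaces the inherited value for that subtree, which is how a deliberate, reviewed exception is carved out without weakening the rest of the hierarchy.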

17
MCQ · medium

A team is creating a new GCP project for a sensitive workload. They need to ensure the project is linked to the correct billing account, placed in the correct folder, and has specific APIs enabled — all reproducibly. They want to automate this via Infrastructure as Code. Which approach is most appropriate?

A. Use a gcloud script with `gcloud projects create`, `gcloud beta billing projects link`, and `gcloud services enable`.
B. Use Terraform with `google_project`, `google_project_service`, and billing account linkage resources.
C. Use Cloud Console to manually create the project, then document the steps in a runbook.
D. Use Cloud Deployment Manager with a Python template to create the project.
Answer: B

Terraform provides declarative, idempotent, state-tracked project bootstrapping covering folder placement, billing linkage, and API enablement in a single plan/apply.

Why this answer

Option B is correct because Terraform is an Infrastructure as Code (IaC) tool that allows you to define the entire project setup—including folder placement, billing account linkage, and API enablement—in declarative configuration files. This ensures reproducibility, version control, and automation, which aligns with the requirement for a sensitive workload that must be set up consistently every time.

Exam trap

Google Cloud often tests the distinction between imperative scripting (gcloud) and declarative IaC (Terraform), where candidates mistakenly choose gcloud because it seems simpler, but fail to recognize that reproducibility and state management are the key requirements for sensitive workloads.

How to eliminate wrong answers

Option A is wrong because while gcloud commands can create a project, link billing and enable APIs, a script is imperative: it does not record desired state, cannot detect drift, and is not safely re-runnable without hand-written existence checks, which makes it error-prone for sensitive workloads. Option C is wrong because manually creating the project via Cloud Console and documenting steps in a runbook is not automated and introduces human error, violating the reproducibility requirement. Option D is wrong because Cloud Deployment Manager, while an IaC tool, is Google-specific and has been deprecated by Google, with Terraform (and Infrastructure Manager, which runs Terraform) as the recommended replacements; it also requires Python or Jinja templates, adding complexity without Terraform's provider ecosystem and state handling.
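The Terraform below is added as a worked example covering both this question and question 15 above; it is not code from the question page. It creates a folder, restricts project creation under that folder to one group, and bootstraps a project with folder placement, billing linkage and the required APIs in a single plan/apply. `var.org_id`, `var.billing_account`, the group address and the project names are assumptions.

```hcl
# Added example, not from the question page. Assumes var.org_id (numeric org ID)
# and var.billing_account ("XXXXXX-XXXXXX-XXXXXX"); names are illustrative.

resource "google_folder" "production" {
  display_name = "production"
  parent       = "organizations/${var.org_id}"
}

# Question 15: only this group may create projects, and only under this folder.
# Granting projectCreator here rather than on the organization scopes the power.
resource "google_folder_iam_member" "project_creators" {
  folder = google_folder.production.name
  role   = "roles/resourcemanager.projectCreator"
  member = "group:platform-admins@example.com"
}

# Creating a project that is linked to billing also requires billing.user on
# the billing account; without it `billing_account` below fails to apply.
resource "google_billing_account_iam_member" "project_creators_billing" {
  billing_account_id = var.billing_account
  role               = "roles/billing.user"
  member             = "group:platform-admins@example.com"
}

# Question 17: folder placement and billing linkage in one resource.
resource "google_project" "payments_prod" {
  name            = "payments-prod"
  project_id      = "payments-prod-4f9a2c" # globally unique; random suffix avoids collisions
  folder_id       = google_folder.production.name
  billing_account = var.billing_account

  labels = {
    environment = "production"
    data_class  = "sensitive"
  }
}

locals {
  required_apis = [
    "compute.googleapis.com",
    "storage.googleapis.com",
    "sqladmin.googleapis.com",
  ]
}

# One google_project_service per API, driven by the list above so the same
# set is enforced identically on every project created from this module.
resource "google_project_service" "required" {
  for_each = toset(local.required_apis)

  project = google_project.payments_prod.project_id
  service = each.value

  # If this resource is ever removed from state, leave the API enabled:
  # disabling compute.googleapis.com on a live project can delete its resources.
  disable_on_destroy = false
}
```

Because Terraform records the folder, billing account and API set in state, a second `terraform apply` is a no-op and a manual change (someone moving the project or disabling an API in the Console) shows up as drift in the next plan, which is the reproducibility property the gcloud script in Option A lacks.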

18
MCQmedium

A team's Cloud Storage bucket containing backups has been accidentally made publicly readable. A monitoring alert fires. What is the fastest way to remove public access?

A.Delete the bucket and recreate it with correct permissions
B.Remove the 'allUsers' IAM binding from the bucket using the Console or gcloud/gsutil
C.Enable VPC Service Controls around Cloud Storage to block all external access
D.Apply a Cloud Armor policy to Cloud Storage to block external IPs
AnswerB

Removing the `allUsers:objectViewer` binding immediately revokes public read access without affecting the data or other users' access.

Why this answer

Removing the `allUsers` and `allAuthenticatedUsers` IAM bindings from the bucket removes public access. Alternatively, enabling 'Uniform bucket-level access' and removing the public policy achieves the same. For speed, `gsutil iam ch -d allUsers:objectViewer gs://[BUCKET]` or using the Console's Permissions tab is fastest.

19
MCQeasy

A developer is using Cloud Build to deploy a containerized application to Cloud Run. The deployment fails with an error 'Permission denied' when pulling the container from Container Registry. What is the most likely cause?

A.The Cloud Build service account lacks the Cloud Run Invoker role.
B.The Cloud Run service agent does not have the Cloud Run Invoker role.
C.The Container Registry is not configured to work with Cloud Run.
D.The Cloud Build service account lacks the Storage Object Viewer role on the container registry bucket.
AnswerD

To pull images, Cloud Build needs read access to Container Registry (which uses Cloud Storage).

Why this answer

Option D is correct because Cloud Build needs the Storage Object Viewer role to pull images from Container Registry, which stores image layers in a Cloud Storage bucket. Option B is wrong because the Cloud Run service agent is used at runtime, not at build time. Option A is wrong because Cloud Run Invoker grants permission to invoke services, not to pull images. Option C is wrong because Container Registry requires no special configuration to work with Cloud Run; the Container Registry Service Agent is a different role and is not typically granted to Cloud Build.

20
MCQmedium

A company wants to monitor the CPU utilization of their Compute Engine instances and receive an alert if utilization exceeds 80% for 5 minutes. Which services should they combine?

A.Cloud Functions and Cloud Tasks.
B.Cloud Audit Logs and Cloud Storage.
C.Cloud Monitoring and Cloud Pub/Sub.
D.Cloud Logging and Cloud Functions.
AnswerC

Cloud Monitoring collects metrics and sends alerts; Pub/Sub can be used for notifications.

Why this answer

Cloud Monitoring collects CPU utilization metrics from Compute Engine instances and can evaluate them against a threshold-based alerting policy. When the condition (CPU > 80% for 5 minutes) is met, the alert fires and sends a notification to a Cloud Pub/Sub topic, which can then trigger downstream actions such as sending emails or invoking serverless functions. This combination provides the metric ingestion, alert evaluation, and event-driven notification pipeline required for the use case.

Exam trap

Google Cloud often tests the distinction between logging (Cloud Logging) and monitoring (Cloud Monitoring) — the trap here is that candidates confuse log-based metrics with native system metrics, assuming Cloud Logging can evaluate CPU thresholds when it can only parse log entries, not numeric time-series data.

How to eliminate wrong answers

Option A is wrong because Cloud Functions and Cloud Tasks are serverless compute and task orchestration services, not designed for metric collection or threshold-based alerting; they lack native monitoring of CPU utilization. Option B is wrong because Cloud Audit Logs record administrative actions and access events, not system metrics like CPU utilization, and Cloud Storage is an object store with no alerting capability for real-time metrics. Option D is wrong because Cloud Logging ingests log data, not time-series metrics, and Cloud Functions alone cannot evaluate metric thresholds over a sliding window; the alerting logic must be handled by Cloud Monitoring's alerting policies.

21
MCQmedium

A GCP project needs to allow outbound internet access from VMs that have only private IP addresses, without exposing those VMs to inbound internet traffic. Which GCP service provides this?

A.Cloud VPN connecting the VPC to the internet
B.Cloud NAT configured on the VPC's Cloud Router
C.A VPC firewall rule allowing egress to 0.0.0.0/0 on all ports
D.An internal load balancer with internet routing enabled
AnswerB

Cloud NAT provides outbound internet connectivity for VMs with private IPs by translating their source addresses to public NAT IPs, while keeping them unreachable from inbound internet traffic.

Why this answer

Cloud NAT (Network Address Translation) is the correct service because it allows VMs with only private IP addresses to initiate outbound connections to the internet while preventing any inbound connections from the internet. It works by translating the private source IP addresses of outbound packets to a set of ephemeral public IP addresses managed by Google, using the VPC's Cloud Router to dynamically allocate NAT IPs and ports. This meets the requirement of outbound-only internet access without exposing the VMs to inbound traffic.

Exam trap

The trap here is that candidates confuse egress firewall rules (which only permit traffic to leave) with the need for a NAT gateway to provide a routable public source IP for return traffic, leading them to incorrectly select the firewall rule option.

How to eliminate wrong answers

Option A is wrong because Cloud VPN creates an encrypted tunnel to an on-premises network or another cloud, not to the public internet; it does not provide outbound internet access for private VMs. Option C is wrong because a VPC firewall rule allowing egress to 0.0.0.0/0 only permits traffic to leave the VPC, but without a public IP or NAT, the VMs have no routable source IP for internet responses to return, so outbound traffic fails. Option D is wrong because an internal load balancer operates within the VPC and does not provide internet routing; it distributes traffic among backend VMs but cannot translate private IPs to public ones for outbound internet access.

22
MCQeasy

A DevOps team notices that a Compute Engine instance running a critical application has been terminated unexpectedly. The team wants to ensure the instance restarts automatically if it stops. Which configuration should they use?

A.Configure a startup script that checks for termination and restarts the instance.
B.Set the 'On host maintenance' policy to 'Migrate VM instance'.
C.Enable the 'Automatic restart' flag on the instance template.
D.Create a firewall rule to allow health check traffic from the load balancer.
AnswerC

Enabling automatic restart causes Compute Engine to restart the instance if it terminates for a non-user-initiated reason.

Why this answer

Option C is correct because enabling the 'Automatic restart' flag on the instance template ensures that Compute Engine automatically restarts the VM if it terminates due to a non-user-initiated failure (e.g., hardware failure, system crash). This is the native mechanism for automatic recovery without requiring external scripts or manual intervention.

Exam trap

Google Cloud often tests the distinction between 'Automatic restart' (for infrastructure failures) and managed instance group autohealing (for application-level health), leading candidates to confuse the two or incorrectly choose a startup script as a restart mechanism.

How to eliminate wrong answers

Option A is wrong because a startup script runs only when the instance boots, but it cannot detect termination events or trigger a restart; it would require an external monitoring system to restart the VM, which is not a built-in Compute Engine feature. Option B is wrong because the 'On host maintenance' policy (Migrate VM instance) controls behavior during host maintenance events (e.g., live migration), not automatic restart after unexpected termination. Option D is wrong because firewall rules for health check traffic are used by load balancers to determine instance health, but they do not cause an instance to restart; they only allow or deny traffic.

23
MCQhard

A GCP organization mandates that all new Cloud SQL instances must require SSL/TLS for connections. No exceptions are allowed. Which enforcement mechanism ensures this across all projects in the organization?

A.Rely on database administrators to manually enable SSL on each new Cloud SQL instance
B.Use Security Command Center to detect SSL-disabled instances and alert the team
C.Set a Cloud Monitoring alert for new Cloud SQL instances and auto-remediate via Cloud Functions
D.Apply the org policy constraint `constraints/sql.requireSsl` at the organization level to enforce SSL on all Cloud SQL instances
AnswerD

The `constraints/sql.requireSsl` organization policy constraint prevents Cloud SQL instances from being created or modified to allow non-SSL connections — enforced across all projects automatically.

Why this answer

Option D is correct because the organization policy constraint `constraints/sql.requireSsl` is a native, enforceable policy that can be applied at the organization level in GCP. Once set, it prevents the creation of any Cloud SQL instance that does not require SSL/TLS, and it also blocks any attempt to disable SSL on existing instances. This ensures 100% compliance across all projects without relying on manual intervention or reactive detection.

Exam trap

Google Cloud often tests the distinction between preventive controls (org policies) and detective/reactive controls (Security Command Center, Cloud Monitoring), and the trap here is that candidates choose a reactive option (B or C) thinking it 'enforces' compliance, when only a preventive org policy can block non-compliant resource creation entirely.

How to eliminate wrong answers

Option A is wrong because relying on manual enablement by database administrators is error-prone and violates the 'no exceptions' mandate; it does not enforce the policy programmatically. Option B is wrong because Security Command Center can only detect and alert on non-compliant instances after they are created, but it cannot prevent creation or enforce SSL; this is a detective control, not a preventive one. Option C is wrong because Cloud Monitoring alerts and Cloud Functions auto-remediation are reactive and can have a delay, allowing non-compliant instances to exist temporarily; they also cannot block the initial creation of an instance without SSL.

24
MCQeasy

You have pushed a new container image to Artifact Registry. The image is tagged `us-central1-docker.pkg.dev/my-project/my-repo/app:v2.0`. You need to deploy this specific image version to Cloud Run in production. Which command deploys this exact image?

A.`gcloud run deploy app --image us-central1-docker.pkg.dev/my-project/my-repo/app:v2.0 --region us-central1`
B.`gcloud run services update app --tag v2.0 --region us-central1`
C.`docker push us-central1-docker.pkg.dev/my-project/my-repo/app:v2.0` followed by a Cloud Run auto-deploy.
D.`gcloud run deploy app --image app:v2.0 --region us-central1`
AnswerA

This command deploys the exact image version specified by the full Artifact Registry path and tag. `--region` specifies the Cloud Run deployment region.

Why this answer

Option A is correct because the `gcloud run deploy` command with the `--image` flag explicitly specifies the exact container image URI from Artifact Registry, including the tag `v2.0`. This ensures that Cloud Run deploys that precise version of the image, and the `--region` flag targets the correct regional service. The full URI is required because Cloud Run must pull the image from the exact repository path and tag.

Exam trap

Google Cloud often tests the requirement to use the full image URI (including registry, project, repository, and tag) versus a short name, and the misconception that `docker push` or service update commands can trigger a deployment directly.

How to eliminate wrong answers

Option B is wrong because `gcloud run services update` with `--tag` does not exist; the `--tag` flag is used with `gcloud run deploy` to assign a traffic tag, not to specify an image version. Option C is wrong because `docker push` only uploads the image to the registry; it does not trigger a Cloud Run deployment, and there is no automatic 'auto-deploy' mechanism unless a Cloud Build trigger is configured separately. Option D is wrong because `--image app:v2.0` is a relative reference that omits the full registry path (`us-central1-docker.pkg.dev/my-project/my-repo/`), which Cloud Run requires to locate the image in Artifact Registry; without the full URI, the command will fail or pull from the wrong source.

25
MCQmedium

A global web application serves static assets (images, JavaScript, CSS) from a Cloud Storage bucket via an HTTPS load balancer. Users in Asia report slow load times compared to users in the US where the bucket resides. What is the most effective solution?

A.Move the Cloud Storage bucket to a multi-region bucket in Asia
B.Enable Cloud CDN on the load balancer backend pointing to the Cloud Storage bucket
C.Replicate the Cloud Storage bucket to multiple regions using storage transfer
D.Use Cloud Interconnect to provide dedicated bandwidth to Asian users
AnswerB

Cloud CDN caches content at Google's global edge PoPs. Asian users receive cached assets from the nearest edge location, drastically reducing latency without changing the origin.

Why this answer

Option B is correct because enabling Cloud CDN on the load balancer backend that points to the Cloud Storage bucket caches static assets at Google's globally distributed edge caches. This reduces latency for Asian users by serving content from a nearby point of presence (PoP) rather than from the origin bucket in the US, without requiring any bucket relocation or replication.

Exam trap

Google Cloud often tests the misconception that moving or replicating storage to a closer region is the best way to reduce latency, when in fact edge caching (Cloud CDN) is the most effective and cost-efficient solution for static content served globally.

How to eliminate wrong answers

Option A is wrong because moving the bucket to a multi-region bucket in Asia does not solve the latency problem for users outside Asia; it only shifts the origin location, and multi-region buckets still serve from a single geographic set of regions, not from edge caches. Option C is wrong because replicating the bucket to multiple regions using storage transfer creates separate copies of data, but the load balancer would still need to route requests to the nearest bucket, which requires additional configuration (e.g., multi-region backend buckets or DNS-based routing) and does not provide the automatic edge caching benefits of Cloud CDN. Option D is wrong because Cloud Interconnect provides dedicated private connectivity between on-premises networks and Google Cloud, not between end users and Google Cloud; it does not improve latency for general internet users in Asia accessing a public web application.

26
MCQmedium

An infrastructure team uses Terraform to manage GCP resources including API enablement. Which Terraform resource enables a GCP API for a project, equivalent to `gcloud services enable`?

A.google_project_iam_binding with the serviceusage.services.enable permission
B.google_project_service with the desired service endpoint
C.google_service_account with enabled_services block
D.google_project with the services argument listing all required APIs
AnswerB

`google_project_service` enables a GCP service API for the specified project. Example: `service = "sqladmin.googleapis.com"` enables the Cloud SQL Admin API.

Why this answer

The `google_project_service` resource is the direct Terraform equivalent of `gcloud services enable`, as it explicitly enables a specified GCP service API for a given project. This resource takes the service endpoint (e.g., `compute.googleapis.com`) and handles the enablement lifecycle, including dependency tracking and disabling on destroy.

Exam trap

Google Cloud often tests the distinction between IAM permissions (who can enable APIs) and the actual API enablement action, leading candidates to confuse `google_project_iam_binding` with the correct resource for enabling services.

How to eliminate wrong answers

Option A is wrong because `google_project_iam_binding` manages IAM roles and permissions, not API enablement; the `serviceusage.services.enable` permission controls who can enable APIs, but the resource itself does not enable them. Option C is wrong because `google_service_account` creates and manages service accounts, and there is no `enabled_services` block in that resource — API enablement is unrelated to service account configuration. Option D is wrong because `google_project` does not have a `services` argument; API enablement is handled by the separate `google_project_service` resource, and listing services in the project resource would be invalid syntax.

27
MCQmedium

A company is running a Cloud SQL for MySQL instance that experiences high read traffic. They want to offload read queries to reduce load on the primary instance. Which action should they take?

A.Enable automatic storage increase on the primary instance
B.Increase the machine type of the primary instance
C.Create one or more read replicas and direct read queries to them
D.Change the instance to use private IP only
AnswerC

Read replicas handle read traffic, reducing load on the primary.

Why this answer

Creating one or more read replicas allows you to offload read queries from the primary Cloud SQL for MySQL instance. Read replicas are asynchronous replicas that can serve read traffic, reducing load on the primary and improving overall read throughput. This is the correct approach for scaling read-heavy workloads without modifying the primary instance.

Exam trap

Google Cloud often tests the distinction between scaling up (increasing machine type) and scaling out (adding read replicas), where candidates mistakenly choose vertical scaling for read offloading instead of horizontal read replication.

How to eliminate wrong answers

Option A is wrong because enabling automatic storage increase only prevents out-of-disk errors by expanding storage, it does not offload read queries or reduce CPU/memory load from reads. Option B is wrong because increasing the machine type of the primary instance scales up the primary itself but does not offload read traffic; it may temporarily improve performance but does not distribute the read load. Option D is wrong because changing to private IP only affects network connectivity and security, not read query distribution or load reduction.

28
MCQmedium

A team deploys an application with sensitive internal APIs on GKE. The APIs should be reachable from other GKE services in the cluster and from on-premises systems via VPN, but not from the public internet. Which load balancer configuration meets this?

A.Global external Application Load Balancer with Cloud Armor blocking non-VPN IPs
B.Internal Application Load Balancer with a VPC-private IP
C.A ClusterIP Service with an external IP range allowlist
D.NodePort Service with VPC firewall rules restricting access to VPN IP ranges
AnswerB

Internal ALBs receive a private RFC 1918 IP reachable within the VPC and connected networks (VPN, Interconnect). The service is never exposed to the public internet.

Why this answer

An Internal Application Load Balancer (HTTP/HTTPS) with a VPC-private IP is correct because it exposes the APIs only within the VPC network, making them reachable from other GKE services in the cluster and from on-premises systems via VPN (which extends the VPC), while blocking all public internet traffic by design. This load balancer operates at Layer 7 and uses an internal IP address that is not routable from the internet, satisfying the requirement without relying on additional access controls.

Exam trap

Google Cloud often tests the misconception that a ClusterIP Service can be made externally accessible with an allowlist, but ClusterIP is strictly cluster-internal and cannot be reached from on-premises systems via VPN without additional components like a proxy or ingress.

How to eliminate wrong answers

Option A is wrong because a Global external Application Load Balancer is inherently internet-facing, and while Cloud Armor can block non-VPN IPs, the load balancer itself still has a public IP and is exposed to the internet, violating the requirement that APIs should not be reachable from the public internet. Option C is wrong because a ClusterIP Service is only reachable within the same Kubernetes cluster (not from on-premises systems via VPN) and does not support external IP range allowlisting; it has no external IP at all. Option D is wrong because a NodePort Service exposes the application on a high port on every node's external IP, and while VPC firewall rules can restrict access to VPN IP ranges, the service is still bound to the node's public IP addresses, making it reachable from the internet if the firewall is misconfigured or bypassed, and it does not provide Layer 7 load balancing.

29
MCQhard

A company has a Compute Engine instance in the us-west1 region that does not have a public IP address. The instance is part of a VPC network that has a Cloud NAT gateway configured in the us-east1 region. The Cloud NAT gateway is configured to allow all traffic from the VPC subnet. The VPC has a default route (0.0.0.0/0) pointing to the default internet gateway. Firewall rules allow all egress traffic. The instance is unable to download updates from the internet. What is the most likely cause of this problem?

A.The instance's firewall rules block egress traffic to port 80.
B.The Cloud NAT gateway is in a different region than the instance.
C.The instance's service account does not have the compute.instances.update permission.
D.The VPC does not have a route for the instance's subnet to the internet gateway.
AnswerB

Cloud NAT is region-scoped; instances can only use NAT gateways in the same region.

Why this answer

Cloud NAT is regional. An instance in us-west1 cannot use a Cloud NAT gateway in us-east1 because NAT is only applied to instances in the same region. The instance's traffic destined for the internet is not translated, so it cannot reach external hosts without a public IP.

30
MCQmedium

A security review identifies that service account JSON key files are stored on multiple developer laptops, posing a data exfiltration risk. What is the recommended remediation?

A.Rotate the key files every 90 days and redistribute them securely
B.Encrypt the JSON key files using Cloud KMS before distributing
C.Remove the key files and use service account impersonation or Workload Identity for workloads that need GCP access
D.Store the key files in Secret Manager and retrieve them at application startup
AnswerC

Eliminating key files is the recommended approach. GCE VMs use attached service accounts; GKE uses Workload Identity; external systems use Workload Identity Federation — no downloadable keys needed.

Why this answer

Option C is correct because storing service account JSON key files on developer laptops creates a persistent credential that can be exfiltrated. The recommended remediation is to remove these static keys entirely and instead use service account impersonation (via the `iamcredentials.googleapis.com` API) or Workload Identity (for GKE or GCE workloads) to obtain short-lived access tokens. This eliminates the long-lived secret and follows Google's principle of using federated identity rather than distributing static keys.

Exam trap

Google Cloud often tests the misconception that moving a secret to a more secure storage (like Secret Manager or encryption) is sufficient, when the correct answer requires eliminating the static credential entirely through impersonation or workload identity federation.

How to eliminate wrong answers

Option A is wrong because rotating keys every 90 days does not address the fundamental risk of storing static credentials on laptops; the keys remain exfiltratable between rotations and still represent a persistent attack surface. Option B is wrong because encrypting the JSON key files with Cloud KMS does not remove the static credential from the laptop; the encrypted file still contains the key material that can be decrypted by anyone with access to the encryption key, and the distribution process remains a risk. Option D is wrong because storing the key files in Secret Manager and retrieving them at startup still requires the application to possess a long-lived static credential (the JSON key) at runtime, which can be exfiltrated from memory or disk; the goal is to eliminate the static key entirely, not just move its storage location.

31
MCQmedium

An organization needs to ensure that only images from their approved Container Registry (gcr.io/approved-project) can be deployed on GKE clusters in their organization. Which GCP control enforces this?

A.A VPC firewall rule blocking pulls from unauthorized registries
B.Binary Authorization with a policy requiring attestation from the approved registry
C.Cloud Armor rules blocking container pull requests from external sources
D.Manually reviewing all Docker images before deployment
AnswerB

Binary Authorization enforces image deployment policies on GKE clusters — it can require cryptographic attestations from approved registries and block non-compliant images at deploy time.

Why this answer

Binary Authorization enforces deployment-time policies that require images to be signed by trusted authorities. By configuring a policy that requires attestations from the approved registry (gcr.io/approved-project), only images from that registry can be deployed on GKE clusters, directly meeting the requirement.

Exam trap

The trap here is that candidates confuse network-level controls (firewalls, Cloud Armor) with deployment-time policy enforcement, mistakenly believing that blocking network traffic to unauthorized registries is equivalent to restricting which images can be deployed.

How to eliminate wrong answers

Option A is wrong because VPC firewall rules control network traffic at layers 3 and 4 (IP/port), not application-layer operations like container image pulls; they cannot inspect the registry URL in a pull request. Option C is wrong because Cloud Armor is a web application firewall (WAF) that protects against HTTP/S attacks, not a mechanism to restrict container image sources; it operates at the edge, not on GKE node-to-registry traffic. Option D is wrong because manual review is a procedural control, not a GCP technical control; it is error-prone, unscalable, and does not provide automated enforcement at deployment time.

32
MCQhard

A GKE cluster hosts multiple teams' workloads in separate namespaces. One team's pods should not be able to make API calls to Google Cloud services (e.g., they should not call BigQuery or Cloud Storage). The pods currently use the node's service account via the Compute Engine metadata server. How do you restrict these specific pods from accessing GCP APIs while allowing other pods on the same node to continue using GCP APIs?

A.Apply a Kubernetes NetworkPolicy in the team's namespace blocking egress to `169.254.169.254` (the metadata server).
B.Revoke all IAM roles from the node's service account.
C.Set `automountServiceAccountToken: false` on the restricted team's pods.
D.Use a Kubernetes ResourceQuota to limit the team's namespace API access.
AnswerA

The GCE metadata server at 169.254.169.254 is how pods obtain GCP credentials. Blocking egress to this IP prevents those pods from getting any GCP access tokens, while other namespaces remain unaffected.

Why this answer

Option A is correct because the Compute Engine metadata server (169.254.169.254) is the endpoint that provides the node's service account credentials to pods. By applying a Kubernetes NetworkPolicy that blocks egress to this IP in the team's namespace, you prevent those pods from reaching the metadata server, thus denying them access to GCP APIs. Other pods on the same node are unaffected because NetworkPolicy is namespace-scoped and does not apply to them.

Exam trap

Google Cloud often tests the misconception that `automountServiceAccountToken: false` blocks all cloud API access, but it only affects the Kubernetes API token, not the Compute Engine metadata server which provides cloud credentials.

How to eliminate wrong answers

Option B is wrong because revoking all IAM roles from the node's service account would block ALL pods on that node from accessing GCP APIs, not just the restricted team's pods. Option C is wrong because setting `automountServiceAccountToken: false` only prevents the Kubernetes API service account token from being mounted into the pod; it does not affect the pod's ability to reach the Compute Engine metadata server to obtain the node's service account credentials. Option D is wrong because a ResourceQuota limits resource consumption (CPU, memory, etc.) and cannot restrict network access to specific IP addresses or APIs.

33
MCQeasy

A Compute Engine VM's boot disk is nearly full and the application is failing. You want to snapshot the disk first (for safety), then resize it online. What is the correct sequence of gcloud commands?

A.Stop the VM, resize the disk, take a snapshot, restart the VM.
B.Snapshot the disk, resize the disk with `gcloud compute disks resize`, then grow the filesystem within the VM.
C.Resize the disk with `gcloud compute instances set-disk-auto-delete` to automatically expand the disk.
D.Create a new larger disk, attach it as a secondary disk, and move data using rsync.
AnswerB

Snapshot first for safety → resize disk (online, no stop needed) → resize filesystem inside the VM with resize2fs. This is the correct, safe sequence.

Why this answer

Option B is correct because you must snapshot the disk first to ensure data safety before making changes, then resize the disk using `gcloud compute disks resize` (which works on a running VM with live resize enabled), and finally grow the filesystem inside the VM to utilize the additional space. This sequence avoids downtime and preserves a recovery point.

Exam trap

The trap here is that candidates assume a VM must be stopped before resizing a boot disk, but Google Cloud supports live resize for most disk types, making the snapshot-then-resize-then-grow sequence the correct online approach.

How to eliminate wrong answers

Option A is wrong because stopping the VM is unnecessary for a live resize and introduces downtime; also, taking the snapshot after resizing would capture the resized disk, not the original state for safety. Option C is wrong because `gcloud compute instances set-disk-auto-delete` controls whether a disk is deleted when the instance is deleted, not disk resizing or expansion. Option D is wrong because creating a new disk and using rsync is a valid migration approach but is not the correct sequence for resizing an existing boot disk online as specified in the question.

34
MCQmedium

A GCP project uses labels extensively for cost attribution across teams. A finance team member needs to add a 'cost-center' label to an existing Compute Engine VM. Which gcloud command applies the label?

A.`gcloud compute instances update my-vm --add-label=cost-center=finance-ops`
B.`gcloud compute instances add-labels my-vm --labels=cost-center=finance-ops --zone=us-central1-a`
C.`gcloud label add --resource=my-vm --key=cost-center --value=finance-ops`
D.`gcloud compute instances set-labels my-vm --labels=cost-center=finance-ops`
AnswerB

`gcloud compute instances add-labels` is the correct command for adding labels to an existing VM, using `--labels=key=value` syntax.

Why this answer

Option B is correct because the `gcloud compute instances add-labels` command is the specific gcloud command designed to add labels to an existing Compute Engine VM. It requires the `--labels` flag with key-value pairs and the `--zone` flag to specify the VM's location, which is necessary for the API call to succeed.

Exam trap

The trap here is that candidates confuse `add-labels` with `set-labels`, assuming both can add a label, but `set-labels` replaces all existing labels, which is a destructive operation that can silently remove other labels.

How to eliminate wrong answers

Option A is wrong because `gcloud compute instances update` does not support an `--add-label` flag; the correct subcommand for adding labels is `add-labels`. Option C is wrong because `gcloud label add` is not a valid gcloud command; labels are managed through resource-specific commands like `gcloud compute instances add-labels`. Option D is wrong because `gcloud compute instances set-labels` replaces all existing labels on the VM with the specified labels, rather than adding a single label to the existing set, which would remove any other labels already applied.

35
MCQ · easy

A developer wants to use Cloud Shell to create a Compute Engine VM but receives an error 'API not enabled'. What should the developer do first?

A. Switch to a different region
B. Enable the Compute Engine API
C. Use gcloud auth login
D. Increase project quota
Answer: B

The Compute Engine API must be enabled before creating VMs.

Why this answer

The error 'API not enabled' indicates that the Compute Engine API has not been activated for the developer's Google Cloud project. Cloud Shell uses the gcloud CLI, which requires the Compute Engine API to be enabled before it can create VM instances. The correct first step is to enable the Compute Engine API via the Cloud Console or the `gcloud services enable compute.googleapis.com` command.

Exam trap

Google Cloud often tests the distinction between authentication (gcloud auth login) and API enablement, trapping candidates who confuse user-level permissions with project-level service activation.

How to eliminate wrong answers

Option A is wrong because switching regions does not enable the required API; the error is about API access, not regional availability. Option C is wrong because `gcloud auth login` authenticates the user but does not enable the API; the API must be enabled at the project level regardless of authentication. Option D is wrong because increasing the project quota addresses resource limits, not the fundamental requirement of having the API enabled; the API must be enabled before any quota increase would be relevant.

36
MCQ · medium

You are designing a solution for a retail application that needs to store customer shopping cart data. The cart data is accessed frequently during active sessions and must survive for at least 30 days even without activity. Each cart entry is small (< 1 KB) and identified by a user ID. The solution must support microsecond read latency and be horizontally scalable. Which GCP storage service best meets these requirements?

A. Cloud Firestore in Datastore mode
B. Cloud Bigtable
C. Cloud SQL (PostgreSQL)
D. Cloud Memorystore (Redis)
Answer: B

Bigtable delivers sub-millisecond (microsecond range) latency for key-value reads, scales horizontally, and persists data durably — ideal for the cart use case with a user ID row key.

Why this answer

Cloud Bigtable is correct because it is a fully managed, scalable NoSQL database designed for large analytical and operational workloads, offering consistent sub-10ms latency and horizontal scaling. For small (<1 KB) entries accessed with microsecond read latency, Bigtable's key-value model and high throughput make it ideal, and its data persists indefinitely (beyond 30 days) with no automatic expiration. It supports high-frequency access patterns typical of active shopping cart sessions.

Exam trap

The trap here is that candidates often choose Cloud Memorystore (Redis) for its microsecond latency, overlooking that it is an in-memory cache with volatile data that does not guarantee persistence for 30 days without activity, whereas Bigtable provides durable, persistent storage with similar latency for small key-value entries.

How to eliminate wrong answers

Option A is wrong because Cloud Firestore in Datastore mode is a document/NoSQL database with eventual consistency and higher read latency (typically tens of milliseconds), not microsecond-level, and it is optimized for mobile/web apps with real-time sync, not for high-throughput key-value access with strict latency requirements. Option C is wrong because Cloud SQL (PostgreSQL) is a relational database with ACID transactions but cannot achieve microsecond read latency due to disk-based storage and SQL overhead, and it is not horizontally scalable (requires manual sharding or read replicas). Option D is wrong because Cloud Memorystore (Redis) is an in-memory cache that provides microsecond latency but does not guarantee data persistence beyond 30 days without activity; Redis data can be evicted or lost on node failure unless configured with persistence (AOF/RDB), which adds latency and complexity, and it is not designed as a durable primary store for long-term survival.

37
MCQ · medium

A team wants to deploy a container image at 'gcr.io/myproject/api:v2' as a Cloud Run service named 'api-service' in us-east1, accessible without authentication. Which command is correct?

A. gcloud run deploy api-service --image=gcr.io/myproject/api:v2 --region=us-east1 --allow-unauthenticated
B. gcloud run create api-service --image=gcr.io/myproject/api:v2 --zone=us-east1 --public
C. gcloud cloud-run deploy api-service --container=gcr.io/myproject/api:v2 --region=us-east1
D. gcloud run deploy --name=api-service --image=gcr.io/myproject/api:v2 --region=us-east1 --no-auth
Answer: A

This is the correct syntax for deploying a Cloud Run service with public access. `--allow-unauthenticated` enables unauthenticated invocations.

Why this answer

Option A is correct because it uses the `gcloud run deploy` command with the `--image` flag to specify the container image, `--region=us-east1` to target the correct region, and `--allow-unauthenticated` to make the service publicly accessible without authentication. This matches the exact requirements for deploying a Cloud Run service with public access.

Exam trap

Google Cloud often tests the distinction between `gcloud run deploy` and `gcloud run create`, and the use of `--allow-unauthenticated` versus `--no-auth`, to catch candidates who confuse command syntax or flag names.

How to eliminate wrong answers

Option B is wrong because `gcloud run create` is not a valid command; the correct command is `gcloud run deploy`. Additionally, Cloud Run uses `--region` (not `--zone`) and `--allow-unauthenticated` (not `--public`). Option C is wrong because `gcloud cloud-run deploy` is not a valid command (the correct command group is `gcloud run`), and `--container` is not a valid flag for `gcloud run deploy`; the correct flag is `--image`. Option D is wrong because `--no-auth` is not a valid flag; the correct flag to allow unauthenticated access is `--allow-unauthenticated`.

38
MCQ · easy

The company wants to change the storage class of these log files to Nearline to reduce costs while still retaining the ability to access them without restoration fees. Which command should be used?

A. gsutil cp -s NEARLINE gs://my-bucket/logs/*.log
B. gsutil rewrite -s NEARLINE gs://my-bucket/logs/*.log
C. gsutil setmeta -s NEARLINE gs://my-bucket/logs/*.log
D. gsutil mv -s NEARLINE gs://my-bucket/logs/*.log
Answer: B

Rewrite changes the storage class of objects in place.

Why this answer

Option B is correct because the `gsutil rewrite` command is specifically designed to change the storage class of existing objects without incurring restoration fees. It rewrites the object metadata to the new storage class (Nearline) while keeping the object in place, and the operation does not require retrieving the object from cold storage, so no restoration charges apply.

Exam trap

The trap here is that candidates confuse `gsutil rewrite` with `gsutil cp` or `gsutil mv`, assuming any command with `-s` can change storage class, but only `rewrite` avoids restoration fees by modifying the object in place without creating a new copy.

How to eliminate wrong answers

Option A is wrong because `gsutil cp` copies objects, which would create new objects with the Nearline storage class but leave the original objects unchanged, resulting in duplicate objects and unnecessary costs. Option C is wrong because `gsutil setmeta` is used to set custom metadata on objects, not to change the storage class; the `-s` flag is not valid for this command. Option D is wrong because `gsutil mv` moves objects, which effectively copies and then deletes the original, incurring restoration fees if the original is in a cold storage class like Nearline, and it does not change the storage class of the existing object in place.

39
MCQ · medium

Your application is deployed on GKE and experiencing increased latency. You suspect a memory leak causing the JVM to run frequent garbage collection cycles. Cloud Monitoring shows high memory usage but you need to understand the garbage collection behavior over time. Which GCP tool provides JVM-level profiling including memory allocation data?

A. Cloud Trace
B. Cloud Profiler with heap profiling enabled for the JVM application.
C. Cloud Monitoring with JVM MBeans metrics exported via the Ops Agent.
D. Error Reporting filtered for OutOfMemoryError exceptions.
Answer: B

Cloud Profiler captures CPU and memory profiles from production JVMs with minimal overhead (<1% CPU impact). Heap profiling shows memory allocation patterns and identifies the source of leaks.

Why this answer

Cloud Profiler with heap profiling enabled captures JVM-level memory allocation data and garbage collection behavior over time, allowing you to identify memory leaks and GC frequency. Unlike generic memory monitoring, it provides per-method allocation snapshots and GC pause analysis specific to the JVM.

Exam trap

Google Cloud often tests the distinction between metric-based monitoring (Cloud Monitoring with MBeans) and profiling (Cloud Profiler), where candidates mistakenly choose Cloud Monitoring because it shows memory usage, but it lacks the allocation-level detail needed to diagnose garbage collection behavior.

How to eliminate wrong answers

Option A is wrong because Cloud Trace is a distributed tracing tool for request latency analysis, not JVM memory profiling; it cannot show garbage collection or heap allocation data. Option C is wrong because Cloud Monitoring with JVM MBeans via the Ops Agent provides metric-based memory usage (e.g., heap usage) but lacks the detailed allocation profiling and GC cycle breakdown that Cloud Profiler's heap profiling offers. Option D is wrong because Error Reporting only aggregates application errors like OutOfMemoryError; it does not provide proactive profiling of memory allocation or garbage collection behavior over time.

40
Multi-Select · medium

A company wants to deploy a highly available application across two Google Cloud regions for disaster recovery. The application consists of Compute Engine backend instances and a Cloud SQL database. Which THREE components are required to set up this multi-region architecture? (Choose THREE.)

Select 3 answers
A. Cloud SQL for MySQL with cross-region read replica and failover
B. Cloud VPN between regions
C. Cloud DNS with geoproximity and failover routing policy
D. Shared VPC
E. Global external HTTP(S) Load Balancer
Answers: A, C, E

Enables database failover from primary to replica in another region.

Why this answer

Options A, C, and E are correct. The global external HTTP(S) Load Balancer distributes traffic across regions; Cloud DNS with a failover routing policy health-checks the endpoints; Cloud SQL for MySQL with a cross-region read replica provides database failover. Option D is wrong because a Shared VPC is for multi-project, not multi-region, networking.

Option B is wrong because a VPN is not needed for multi-region connectivity; Google Cloud's internal network already connects regions.

41
MCQ · medium

A DevOps team deploys a MIG (Managed Instance Group) with autohealing configured. The health check probes `/health` on port 8080 with a 30-second initial delay. After deployment, new VMs are failing the health check and being immediately recreated — causing a restart loop. What is the most likely cause?

A. The health check HTTP path `/health` doesn't exist — the application uses `/healthz`
B. The initial delay is too short — the application hasn't finished starting before the health check probes begin
C. Autohealing is incompatible with autoscaling — they cannot be used together
D. The MIG does not support HTTP health checks — TCP checks must be used instead
Answer: B

A 30-second initial delay may not be enough for slow-starting applications. Increasing `initialDelaySec` gives the app time to start before health checks begin, breaking the restart loop.

Why this answer

Option B is correct because the 30-second initial delay is too short for the application to complete its startup sequence. When the health check begins probing before the application is ready, it immediately fails, causing the MIG autohealing mechanism to treat the VM as unhealthy and recreate it, leading to a restart loop. The initial delay must be set to a value that exceeds the application's typical startup time.

Exam trap

Google Cloud often tests the distinction between health check path errors (which cause persistent failure) and initial delay misconfiguration (which causes a restart loop), trapping candidates who focus on the path mismatch rather than the timing issue.

How to eliminate wrong answers

Option A is wrong because even if the health check path is incorrect, the VM would not be immediately recreated; instead, the health check would consistently fail, but the MIG would not enter a restart loop unless the application eventually becomes healthy after a restart, which is not the case here. Option C is wrong because autohealing and autoscaling are fully compatible in Google Cloud MIGs; they serve different purposes (health-based repair vs. load-based scaling) and can be used together without conflict. Option D is wrong because MIGs fully support HTTP health checks; TCP checks are an alternative but not a requirement, and the issue described is unrelated to the health check protocol.

42
MCQ · medium

A data science team needs a VM with 96 vCPUs and 624 GB of RAM. No predefined GCP machine type matches these exact specifications. What is the recommended approach?

A. Select the closest larger predefined N2 machine type
B. Create a custom machine type with exactly 96 vCPUs and 624 GB RAM
C. Split the workload across multiple smaller VMs and coordinate manually
D. Contact Google Cloud support to request a new predefined machine type
Answer: B

Custom machine types allow specifying exact vCPU and RAM combinations, avoiding resource waste while meeting exact requirements.

Why this answer

Option B is correct because Google Cloud allows you to create custom machine types when predefined machine types do not meet your exact requirements. Custom machine types let you specify the exact number of vCPUs (up to 96) and memory (up to 624 GB) for a VM, providing flexibility without over-provisioning resources.

Exam trap

The trap here is that candidates may assume predefined machine types are the only option, overlooking the custom machine type feature that GCP provides for exact resource matching.

How to eliminate wrong answers

Option A is wrong because selecting the closest larger predefined N2 machine type would result in over-provisioning resources, leading to unnecessary costs and potential performance inefficiencies. Option C is wrong because splitting the workload across multiple smaller VMs introduces complexity, coordination overhead, and may not be feasible for workloads that require a single large memory address space or high vCPU count. Option D is wrong because Google Cloud does not create new predefined machine types on demand for individual requests; custom machine types are the designed solution for such scenarios.

43
MCQ · medium

A new engineer joins the team and needs access to GCP. The company uses Google Workspace for identity management. The GCP admin needs to add the engineer and grant them access to one project. What is the correct order of steps?

A. Create a service account for the engineer in GCP, then share the key file
B. Create the user in Google Workspace Admin Console, then grant their account IAM roles on the GCP project
C. Create a GCP project for the engineer, then add their personal Gmail as a project owner
D. Create an API key for the engineer in the GCP Console and share it securely
Answer: B

Users are provisioned in Google Workspace/Cloud Identity first. Once the Google account exists, IAM roles can be granted on any GCP project.

Why this answer

Option B is correct because Google Workspace is the identity provider (IdP) for the organization, so the engineer must first be created as a user in the Google Workspace Admin Console. Once the user exists, the GCP admin can then grant IAM roles (e.g., roles/viewer, roles/editor) on the specific project, which maps the Workspace user identity to GCP permissions. This follows the principle that GCP IAM relies on existing identities from the Cloud Identity or Workspace domain, not on separate user creation within GCP.

Exam trap

Google Cloud often tests the misconception that GCP users are created inside the GCP Console itself, when in fact human identities must be provisioned through the organization's identity provider (Google Workspace or Cloud Identity) before they can be assigned IAM roles.

How to eliminate wrong answers

Option A is wrong because service accounts are intended for applications and automated workloads, not for human users; sharing a key file violates security best practices and does not provide proper identity-based access control. Option C is wrong because creating a new project for the engineer is unnecessary and wasteful; the engineer should be added to an existing project, and personal Gmail accounts are not part of the corporate Google Workspace domain, so they cannot be managed centrally. Option D is wrong because API keys are used to authenticate calls to GCP APIs for applications, not to grant human users access to the GCP Console or project resources; they lack identity context and cannot enforce IAM roles.

44
MCQ · hard

A company is designing a globally distributed application with a web tier and a database tier that requires low-latency communication within the same region but can tolerate eventual consistency across regions. The database must be fully managed and scale globally. Which combination of networking and database is most appropriate?

A. Global VPC with Cloud Spanner
B. Global VPC with Cloud Bigtable
C. VPC peering with Cloud SQL
D. Shared VPC with Cloud Datastore
Answer: B

Cloud Bigtable is a fully managed, globally distributed NoSQL database that offers eventual consistency and low latency.

Why this answer

Cloud Bigtable is a fully managed, globally scalable NoSQL database that provides low-latency access within a region and eventual consistency across regions, making it ideal for the described workload. A Global VPC allows the web and database tiers to communicate privately and with low latency within the same region, while Bigtable's native replication handles cross-region eventual consistency without application complexity.

Exam trap

Google Cloud often tests the distinction between strong consistency (Spanner) and eventual consistency (Bigtable) in globally distributed systems, and the trap here is assuming that 'fully managed and scale globally' always means Spanner, ignoring the explicit requirement for eventual consistency.

How to eliminate wrong answers

Option A is wrong because Cloud Spanner offers strong consistency across regions, not eventual consistency, and its global synchronous replication adds latency and cost that are unnecessary for a system that tolerates eventual consistency. Option C is wrong because Cloud SQL is a regional database that does not scale globally or support cross-region replication for eventual consistency, and VPC peering does not create a single global network for low-latency intra-region communication. Option D is wrong because Cloud Datastore (Firestore in Datastore mode) is a regional NoSQL database that does not natively support global scaling with eventual consistency across regions, and Shared VPC is designed for multi-project networking within an organization, not for global low-latency communication.

45
Multi-Select · hard

A company is deploying a global web application using an external HTTPS load balancer with Cloud CDN. Which THREE steps are required for proper configuration? (Choose three.)

Select 3 answers
A. Enable Cloud CDN on the backend bucket
B. Enable Identity-Aware Proxy (IAP)
C. Use an external TCP load balancer
D. Configure a health check for the backend services
E. Use Premium Tier networking
Answers: A, D, E

Cloud CDN must be enabled on the backend bucket to cache content.

Why this answer

A is correct because Cloud CDN must be explicitly enabled on the backend bucket (or backend service) to cache content at Google's edge points of presence. Without this step, the load balancer will forward requests directly to the origin without leveraging CDN caching, defeating the purpose of a global web application.

Exam trap

Google Cloud often tests the distinction between HTTP(S) and TCP load balancers, and candidates mistakenly think a TCP load balancer can serve HTTPS traffic or work with Cloud CDN, but Cloud CDN only works with HTTP(S) load balancers.

46
MCQ · medium

You need to prevent developers from creating Compute Engine VMs with external IP addresses in a specific folder. Developers must still be able to create VMs with internal IPs only. Which org policy constraint enforces this?

A. Create a VPC firewall rule blocking all outbound internet traffic.
B. Apply the `compute.vmExternalIpAccess` org policy constraint set to deny all VMs.
C. Remove the `compute.instanceAdmin` role from developers so they cannot configure network interfaces.
D. Configure the default VPC network to use internal-only routes.
Answer: B

This list constraint controls which VMs can have external IPs. An empty or deny-all allowedValues list prevents any VM in the folder from being created with an external IP address.

Why this answer

The `compute.vmExternalIpAccess` organization policy constraint is specifically designed to control whether Compute Engine VMs can be assigned external IP addresses. By setting this constraint to deny all VMs in the folder, developers are prevented from creating VMs with external IPs while still being able to create VMs with only internal IPs. This is the correct, native Google Cloud mechanism for enforcing this requirement at the folder level.

Exam trap

The trap here is that candidates often confuse network-layer controls (firewall rules) with resource-level policies (org policy constraints), leading them to choose a firewall rule instead of the correct org policy constraint that directly governs VM creation.

How to eliminate wrong answers

Option A is wrong because a VPC firewall rule blocks traffic at the network layer, not the creation of VMs with external IPs; developers could still assign an external IP to a VM, and the firewall rule would only block outbound internet traffic after the VM is created. Option C is wrong because removing the `compute.instanceAdmin` role would prevent developers from creating any VMs at all, not just those with external IPs, and it does not selectively restrict external IP assignment. Option D is wrong because configuring the default VPC network to use internal-only routes does not prevent a developer from explicitly assigning an external IP when creating a VM; it only affects routing, not the IP assignment itself.

47
MCQ · easy

A developer has a Kubernetes Deployment manifest in a file named 'api-deployment.yaml'. Which command creates the Deployment if it doesn't exist, or updates it if it does?

A. kubectl create -f api-deployment.yaml
B. kubectl run api-deployment.yaml
C. kubectl apply -f api-deployment.yaml
D. kubectl deploy -f api-deployment.yaml
Answer: C

`kubectl apply -f` reads the manifest and creates or updates the resource declaratively — the standard command for deploying from YAML files.

Why this answer

Option C is correct because `kubectl apply -f api-deployment.yaml` uses a declarative approach: it creates the Deployment if it does not exist, or performs a rolling update if it already exists, by applying the desired state defined in the YAML manifest. This command leverages the Kubernetes API's server-side apply logic, merging changes without requiring the resource to be deleted first.

Exam trap

Google Cloud often tests the distinction between `create` (imperative, fails on existing resources) and `apply` (declarative, idempotent), trapping candidates who think `create` can also update or who confuse `run` with `apply`.

How to eliminate wrong answers

Option A is wrong because `kubectl create -f api-deployment.yaml` will fail with an error if the Deployment already exists, as it only creates new resources and does not support updates. Option B is wrong because `kubectl run api-deployment.yaml` is not a valid command; `kubectl run` is used to create a Pod or Deployment from an image, not from a YAML file. Option D is wrong because `kubectl deploy -f api-deployment.yaml` is not a valid kubectl subcommand; the correct verb for updating existing resources is `apply`, not `deploy`.

48
MCQ · medium

You need to create a dashboard in Cloud Monitoring that shows: (1) Cloud Run request count per second, (2) Cloud Run p99 latency, (3) GKE pod CPU utilization, and (4) Cloud SQL query duration — all on a single screen. Which Cloud Monitoring feature enables this multi-service overview?

A. Create four separate alerting policies and pin them to a shared alerting page.
B. Create a Cloud Monitoring custom dashboard with chart widgets for each metric across the different services.
C. Use BigQuery to query the metrics export and build a Looker Studio dashboard.
D. Use Cloud Logging to create a log-based dashboard with all four metrics.
Answer: B

Custom dashboards support heterogeneous metric widgets from any GCP service. Each widget is independently configured, creating a unified operational view across Cloud Run, GKE, and Cloud SQL.

Why this answer

Option B is correct because Cloud Monitoring custom dashboards allow you to combine chart widgets from multiple monitored services (Cloud Run, GKE, Cloud SQL) into a single screen. This feature supports heterogeneous metric queries using the Monitoring Query Language (MQL) or metric selectors, enabling a unified view without needing separate tools or exports.

Exam trap

Google Cloud often tests the distinction between monitoring (dashboards) and alerting (policies), and the trap here is assuming that alerting policies can serve as a dashboard or that logging tools can natively display numeric metrics without additional configuration.

How to eliminate wrong answers

Option A is wrong because alerting policies are designed for threshold-based notifications, not for displaying real-time metric data on a dashboard; pinning alerts to a shared page does not create a visual dashboard with time-series charts. Option C is wrong because while BigQuery metrics export can feed Looker Studio, this adds unnecessary complexity and latency, and is not the native Cloud Monitoring feature for a single-screen overview. Option D is wrong because Cloud Logging is for log data, not numeric metrics like request count or latency; log-based dashboards cannot natively chart metric time-series such as p99 latency or CPU utilization.

49
MCQ · medium

A billing report shows a Compute Engine VM has been running unused for 3 months. The team wants to stop it to save costs but needs the VM's disk data preserved for potential future use. What should they do?

A. Delete the VM to avoid all compute charges
B. Stop (shut down) the VM — compute charges stop but disk storage charges continue
C. Snapshot the VM disk and delete the VM
D. Set the VM to a smaller machine type to reduce costs
Answer: B

Stopping a VM halts compute billing immediately while preserving all disk data. The team only pays for persistent disk storage until the VM is restarted or the disks are deleted.

Why this answer

Option B is correct because stopping (shutting down) a Compute Engine VM immediately halts all compute charges (vCPU, memory, GPU) while preserving the persistent disk and its data. The disk continues to incur storage costs, which is acceptable since the team wants to retain the data for potential future use. This is the most cost-effective approach that meets the requirement of preserving disk data without paying for idle compute resources.

Exam trap

Google Cloud often tests the misconception that stopping a VM eliminates all costs, but the trap here is that persistent disk storage charges continue even when the VM is stopped, which candidates may overlook when focusing only on compute savings.

How to eliminate wrong answers

Option A is wrong because deleting the VM removes the instance and its attached persistent disks by default, which would destroy the disk data unless a snapshot or disk backup was taken beforehand. Option C is wrong because while snapshotting the disk and deleting the VM does preserve the data, it introduces unnecessary complexity and additional snapshot storage costs; stopping the VM is simpler and directly meets the goal without extra steps. Option D is wrong because resizing to a smaller machine type reduces but does not eliminate compute charges, and the VM would still be running unused, wasting resources; the goal is to stop compute charges entirely.

50
MCQ · hard

An organization with multiple teams needs to provision separate, isolated environments (e.g., development, test, production) while sharing common services like Cloud NAT and VPC firewall rules. Which VPC networking pattern is most suitable?

A. Network Service Tiers (Premium vs Standard)
B. Shared VPC (XPN)
C. VPC Network Peering between team VPCs
D. Single VPC with per-team firewall rules
Answer: B

Shared VPC allows central network administration and isolated service projects with shared resources.

Why this answer

Shared VPC (XPN) allows an organization to create a single, centrally managed VPC network that hosts common services like Cloud NAT and firewall rules, while enabling multiple project teams to provision their own isolated environments (dev, test, prod) within that same VPC. This pattern meets the requirement for separate, isolated environments with shared services without needing individual VPCs for each team.

Exam trap

The trap here is that candidates often confuse VPC Network Peering with Shared VPC, thinking peering provides shared services, but peering only connects networks without allowing shared NAT or centralized firewall rules.

How to eliminate wrong answers

Option A is wrong because Network Service Tiers (Premium vs Standard) control the quality of network transit and egress pricing, not the isolation or sharing of VPC resources like Cloud NAT or firewall rules. Option C is wrong because VPC Network Peering connects separate VPCs but does not allow them to share a single Cloud NAT or a common set of firewall rules; each VPC would need its own NAT and firewall configuration. Option D is wrong because a single VPC with per-team firewall rules does not provide the separate, isolated environments (e.g., separate projects or VPCs) that the question requires; it only offers logical isolation within one network, which is insufficient for true environment separation.

51
MCQ · medium

A team uses Cloud Shell for all GCP CLI operations. A developer notices that files they create in Cloud Shell's home directory persist between sessions, but files in other directories do not. What explains this behavior?

A. Cloud Shell saves all files to Cloud Storage automatically
B. Only $HOME (~) has persistent 5 GB storage; other directories use ephemeral container storage
C. Cloud Shell stores files in Firestore, which only retains home directory paths
D. Files outside $HOME are deleted after 24 hours automatically
Answer: B

Cloud Shell allocates 5 GB of persistent disk mounted at the home directory. All other paths are in the container's ephemeral filesystem, which resets between sessions.

Why this answer

Cloud Shell provides each user with a persistent 5 GB home directory ($HOME) backed by Cloud Storage. Files created outside this directory reside in the container's ephemeral storage, which is discarded when the Cloud Shell session ends or is restarted. This design ensures user configurations and scripts are preserved while maintaining a clean, temporary environment for other operations.

Exam trap

The trap here is that candidates may assume Cloud Shell behaves like a traditional persistent VM where all files survive, or they may confuse the persistent home directory with automatic full-disk backup, leading them to choose option A or D.

How to eliminate wrong answers

Option A is wrong because Cloud Shell does not automatically save all files to Cloud Storage; only the $HOME directory is backed by persistent storage, and users must explicitly copy files elsewhere if they want them saved. Option C is wrong because Cloud Shell uses Cloud Storage (specifically a persistent disk mounted as the home directory), not Firestore, which is a NoSQL document database and not used for file storage in this context. Option D is wrong because files outside $HOME are not deleted after a fixed 24-hour period; they are removed when the Cloud Shell container is recycled or the session ends, which can happen sooner than 24 hours depending on inactivity or manual restart.

52
MCQmedium

A Cloud Run service needs to access a database password at runtime. Where should the password be stored according to GCP security best practices?

A.As a plain-text environment variable in the Cloud Run service configuration
B.In a Cloud Storage bucket accessible to the service account
C.In Secret Manager, referenced as a mounted secret or accessed via the API at runtime
D.Baked into the container image at build time
AnswerC

Secret Manager stores secrets encrypted, with IAM access control and full audit trails. Cloud Run can reference secrets as environment variables or volume mounts without exposing the value in configuration.

Why this answer

Secret Manager is the GCP-native service designed to securely store sensitive data like database passwords. It provides encryption at rest and in transit, fine-grained access control via IAM, and supports both mounting secrets as volumes and accessing them via the API at runtime. This aligns with GCP security best practices by avoiding exposure of secrets in plain text, configuration files, or container images.

Exam trap

Google Cloud often tests the misconception that environment variables are secure for secrets because they are not visible in the source code, but the trap here is that environment variables are still exposed in the runtime environment and logs, making them insecure for sensitive data.

How to eliminate wrong answers

Option A is wrong because storing a password as a plain-text environment variable exposes it in the Cloud Run console, logs, and any process that can read environment variables, violating the principle of least privilege and secure secret management. Option B is wrong because Cloud Storage buckets are designed for object storage, not secret management; they lack built-in encryption key rotation, audit logging for secret access, and fine-grained access control specific to secrets, and storing a password there would require additional complexity to secure it. Option D is wrong because baking secrets into a container image at build time embeds them in the image layers, making them accessible to anyone with image pull access and preventing rotation without rebuilding and redeploying the image.

53
MCQmedium

A developer frequently switches between three GCP projects and accounts throughout the day. They want to avoid rerunning `gcloud init` each time. Which gcloud feature lets them save and switch between pre-configured project/account/region combinations?

A.gcloud environments — a built-in workspace manager
B.gcloud named configurations created with `gcloud config configurations create`
C.Separate gcloud installations — one per project
D.A .gcloudrc file in each project directory that gcloud reads automatically
AnswerB

Named configurations save a full context (account, project, region, zone). `gcloud config configurations activate [NAME]` instantly switches between them.

Why this answer

Option B is correct because `gcloud config configurations` allow a developer to create, save, and switch between named sets of gcloud properties (project, account, region, zone) without re-running `gcloud init`. Each configuration stores its own active account, project ID, and default compute region/zone, and can be activated instantly with `gcloud config configurations activate <name>`, making it ideal for frequent context switching between multiple GCP projects and accounts.

Exam trap

The trap here is that candidates may confuse `gcloud config configurations` with a non-existent feature like 'gcloud environments' or assume that gcloud supports per-directory configuration files (like `.env` files), when in fact it relies on explicit named configurations stored globally.

How to eliminate wrong answers

Option A is wrong because `gcloud environments` is not a real gcloud feature; the correct mechanism for managing multiple sets of properties is `gcloud config configurations`, not a built-in workspace manager. Option C is wrong because maintaining separate gcloud installations for each project is unnecessary and inefficient; gcloud is designed to handle multiple projects and accounts within a single installation using configurations. Option D is wrong because gcloud does not automatically read a `.gcloudrc` file from project directories; it uses the active configuration (or the default configuration) and does not support per-directory property files.

54
Multi-Selecteasy

Which two actions are required to allow a user to create a Cloud Storage bucket using gcloud?

Select 2 answers
A.Set up billing
B.Create a service account
C.Assign the user roles/storage.admin
D.Enable the Cloud Storage API
E.Assign the user roles/storage.objectAdmin
AnswersC, D

Storage admin includes bucket create permission.

Why this answer

Option C is correct because the `roles/storage.admin` IAM role includes the `storage.buckets.create` permission, which is required to create a Cloud Storage bucket using the gcloud command. Without this role, the user will receive a permission denied error even if other prerequisites like billing are configured.

Exam trap

Google Cloud often tests the distinction between bucket-level permissions (e.g., `storage.buckets.create`) and object-level permissions (e.g., `storage.objects.create`), leading candidates to mistakenly choose `roles/storage.objectAdmin` because it sounds like it covers all storage administration.

55
MCQhard

A managed instance group (MIG) is configured with autohealing using a health check. During a rolling update, several VMs become unhealthy before the new application version starts responding to health checks. The MIG deletes and recreates these VMs repeatedly, causing a deployment loop. How should you fix this?

A.Disable autohealing during rolling updates by removing the health check.
B.Increase the `initialDelaySec` in the autohealing policy to give VMs time to start before health checks are evaluated.
C.Switch from rolling update to canary update to reduce the number of affected VMs.
D.Reduce the health check interval and timeout to detect unhealthy VMs faster.
AnswerB

initialDelaySec defines how long the MIG waits after VM creation before starting health check evaluation. Setting it longer than startup time prevents deletion of healthy VMs that are still initializing.

Why this answer

Option B is correct because increasing `initialDelaySec` in the autohealing policy gives the new application version sufficient time to start and become healthy before the health check begins evaluating the VM. This prevents the MIG from prematurely marking VMs as unhealthy during the rolling update, breaking the deployment loop where VMs are repeatedly deleted and recreated.

Exam trap

The trap here is that candidates often confuse autohealing health checks with load balancer health checks, assuming that reducing intervals or timeouts will speed up recovery, when in fact it exacerbates the deployment loop by triggering autohealing before the new version is ready.

How to eliminate wrong answers

Option A is wrong because disabling autohealing entirely removes the ability to recover from genuine failures during the update, leaving the MIG vulnerable to stuck deployments without automatic recovery. Option C is wrong because switching to a canary update does not address the root cause—the health check timing—and can still result in a deployment loop if the new version is slow to start. Option D is wrong because reducing the health check interval and timeout would make the problem worse by evaluating health more aggressively, increasing the likelihood of premature unhealthy detection and loop amplification.

56
MCQeasy

A GCP project has three service accounts. A developer wants to list all service accounts in the project using the gcloud CLI. Which command is correct?

A.gcloud service-accounts list
B.gcloud iam list service-accounts
C.gcloud iam service-accounts list
D.gcloud projects list-service-accounts
AnswerC

This is the correct command to list all service accounts in the active project.

Why this answer

Option C is correct because the `gcloud iam service-accounts list` command is the standard gcloud CLI command to list all service accounts in a GCP project. It uses the IAM API to retrieve the service accounts associated with the current project (or a specified project via the `--project` flag). This command is part of the `gcloud iam` group, which manages IAM resources, and the `service-accounts` sub-group specifically handles service account operations.

Exam trap

Google Cloud often tests the exact hierarchical structure of gcloud commands, and the trap here is that candidates may confuse the `gcloud iam` subcommand syntax (where the resource type comes before the verb) with other command groups (like `gcloud compute` where the verb often comes first), leading them to choose Option B or D.

How to eliminate wrong answers

Option A is wrong because `gcloud service-accounts list` is not a valid gcloud command; the correct command structure requires the `iam` group before `service-accounts`. Option B is wrong because `gcloud iam list service-accounts` uses an incorrect subcommand order — the verb `list` must come after the resource type `service-accounts`, not before. Option D is wrong because `gcloud projects list-service-accounts` does not exist; the `gcloud projects` command group is for managing project metadata, not for listing service accounts.

57
Multi-Selecthard

Which THREE configurations are required to allow a Compute Engine instance in VPC A (without external IP) to send emails through a third-party SMTP server on the internet? (Choose three.)

Select 3 answers
A.A Cloud NAT gateway attached to VPC A.
B.A route for the default internet gateway (0.0.0.0/0).
C.A firewall rule allowing egress traffic to the SMTP server's IP and port.
D.A VPC firewall rule allowing ingress from the SMTP server.
E.An external IP address on the instance.
AnswersA, B, C

Cloud NAT enables outbound internet access for instances that have no external IP address.

Why this answer

Option A is correct because a Cloud NAT gateway allows instances without external IP addresses to initiate outbound connections to the internet, translating their private IPs to a public IP for the SMTP server. Without Cloud NAT, the instance in VPC A cannot reach the third-party SMTP server on the internet because it lacks a public IP and the VPC has no outbound internet path.

Exam trap

Google Cloud often tests the misconception that an instance without an external IP cannot reach the internet at all, but Cloud NAT provides outbound-only connectivity without a public IP on the instance, and candidates may incorrectly think ingress rules are needed for outbound traffic.

58
MCQeasy

A developer wants to deploy a containerized application that can scale to zero when not in use and only pay for resources consumed during request processing. Which compute option should they choose?

A.App Engine Flexible Environment
B.Cloud Run
C.Compute Engine with managed instance groups
D.Google Kubernetes Engine
AnswerB

Cloud Run scales to zero when not in use.

Why this answer

Cloud Run is a fully managed serverless compute platform that automatically scales your containerized applications from zero instances up to handle traffic, and scales back down to zero when there are no requests. You only pay for the resources (CPU, memory, and networking) consumed during request processing, with no charges when the service is idle. This makes it the ideal choice for the described use case of scaling to zero and pay-per-request billing.

Exam trap

Google Cloud often tests the misconception that 'containerized' implies Kubernetes or Compute Engine, but the key differentiator here is the requirement to 'scale to zero' and 'pay only for request processing,' which is a serverless property unique to Cloud Run among the listed options.

How to eliminate wrong answers

Option A is wrong because App Engine Flexible Environment runs containers on managed VMs that cannot scale to zero; it requires at least one instance to be running at all times, incurring costs even when idle. Option C is wrong because Compute Engine with managed instance groups requires at least one running VM instance to serve traffic; while you can configure autoscaling to a minimum of one, it cannot scale to zero instances, and you pay for the underlying VMs regardless of request volume. Option D is wrong because Google Kubernetes Engine (GKE) with Autopilot or Standard mode requires at least one node to run pods; even with cluster autoscaling, you cannot scale to zero nodes, and you incur costs for the node infrastructure even when no requests are being processed.

59
MCQmedium

A GCP organization has recently experienced a credential theft incident involving a service account key. The CISO requires that all service account keys in the organization be inventoried and those older than 90 days be rotated. Which tool identifies old service account keys across all projects?

A.Security Command Center — it audits service account key age automatically
B.Cloud Asset Inventory querying all IAM ServiceAccountKey assets across the organization
C.Cloud Monitoring metric for service account key creation date
D.Manually check each service account in each project's IAM & Admin > Service Accounts page
AnswerB

Cloud Asset Inventory's `gcloud asset search-all-resources --asset-types=iam.googleapis.com/ServiceAccountKey` returns all SA keys with creation timestamps — enabling age-based filtering.

Why this answer

Cloud Asset Inventory (CAI) is the correct tool because it can query all IAM ServiceAccountKey assets across the entire organization, including all projects, using a single API call or gcloud command. This allows you to filter by the `validAfterTime` field to identify keys older than 90 days, meeting the CISO's requirement for a comprehensive, automated inventory without manual per-project inspection.

Exam trap

Google Cloud often tests the misconception that Security Command Center handles IAM key lifecycle audits, when in fact Cloud Asset Inventory is the correct service for querying metadata like key creation dates across all projects.

How to eliminate wrong answers

Option A is wrong because Security Command Center (SCC) does not automatically audit service account key age; it focuses on vulnerability and threat detection, not asset inventory of key creation dates. Option C is wrong because Cloud Monitoring metrics do not expose service account key creation dates; metrics are for performance and usage, not IAM resource metadata. Option D is wrong because manually checking each service account in each project's IAM & Admin page is not a tool and is impractical for an organization-wide inventory, violating the requirement for an automated, scalable solution.

60
MCQmedium

A Compute Engine instance cannot connect to a Cloud SQL (MySQL) instance using the private IP address. Both are in the same Google Cloud VPC network. What is the most likely cause?

A.The Cloud SQL instance is not in the same region.
B.The Compute Engine instance lacks an external IP address.
C.The VPC network is not peered with the Cloud SQL service.
D.The firewall rule does not allow ingress on port 3306.
AnswerC

Private IP for Cloud SQL requires a VPC peering between the consumer VPC and the Cloud SQL service network.

Why this answer

When a Compute Engine instance cannot connect to a Cloud SQL instance using a private IP address within the same VPC network, the most likely cause is that the VPC network is not peered with the Cloud SQL service. Cloud SQL uses a separate, Google-managed VPC for its instances, and private connectivity requires a VPC peering connection between the customer's VPC and the Cloud SQL service's VPC. Without this peering, the private IP address of the Cloud SQL instance is not routable from the Compute Engine instance, even if both are in the same VPC network.

Exam trap

The trap here is that candidates often assume that being in the same VPC network guarantees private IP connectivity, but Cloud SQL requires explicit VPC peering with the Google-managed service network, not just co-location in the same VPC.

How to eliminate wrong answers

Option A is wrong because Cloud SQL instances can connect to Compute Engine instances across regions within the same VPC network using private IP, as long as VPC peering is configured; region mismatch is not a direct cause of connectivity failure. Option B is wrong because a Compute Engine instance does not need an external IP address to connect to Cloud SQL via private IP; private connectivity relies on internal routing and VPC peering, not external IPs. Option D is wrong because firewall rules for ingress on port 3306 are relevant for public IP connections or when using the Cloud SQL proxy, but for private IP connections within a peered VPC, the default firewall rules allow internal traffic; the issue is routing, not firewall filtering.

61
MCQhard

A financial trading platform must support globally distributed, strongly consistent SQL transactions at thousands of writes per second, with no downtime for planned maintenance. Which GCP database service meets all these requirements?

A.Cloud SQL with synchronous read replicas
B.Cloud Bigtable
C.Cloud Firestore
D.Cloud Spanner
AnswerD

Cloud Spanner uniquely combines externally consistent ACID transactions, horizontal write scalability, SQL support, and a 99.999% SLA — all required for financial trading platforms.

Why this answer

Cloud Spanner is the only GCP database service that provides globally distributed, strongly consistent SQL transactions with horizontal scaling, supporting thousands of writes per second. It uses synchronous replication across regions and TrueTime-based clock synchronization to ensure external consistency, while also offering 99.999% availability with no planned downtime for maintenance.

Exam trap

The trap here is that candidates often confuse Cloud Spanner's global strong consistency with Cloud SQL's regional strong consistency, or mistakenly think that NoSQL services like Bigtable or Firestore can support SQL transactions and global writes at scale.

How to eliminate wrong answers

Option A is wrong because Cloud SQL with synchronous read replicas is not globally distributed; it is a single-region service with read replicas that do not support writes, and it cannot scale to thousands of writes per second without downtime for maintenance. Option B is wrong because Cloud Bigtable is a NoSQL wide-column database that does not support SQL transactions or strong consistency across regions; it is designed for high-throughput analytical workloads, not transactional SQL. Option C is wrong because Cloud Firestore is a NoSQL document database that does not support SQL transactions; it provides strong consistency only within a single region and cannot handle thousands of writes per second globally with SQL semantics.

62
MCQeasy

You run `kubectl get pods` and see a pod in `ImagePullBackOff` state. What are the two most common causes of this error?

A.Incorrect image name/tag, or missing pull credentials for a private registry.
B.Insufficient CPU/memory on the node, or the pod's resource requests are too high.
C.The pod's liveness probe is failing, causing the container to restart.
D.The container's entrypoint command is failing, causing the image pull to abort.
AnswerA

These are the two root causes: wrong image reference (404 from registry) or authentication failure (403 from registry). Both result in ImagePullBackOff.

Why this answer

The `ImagePullBackOff` state indicates that the kubelet is unable to pull the container image from the registry. The two most common causes are an incorrect image name or tag (e.g., a typo or a non-existent tag), which results in a `404 Not Found` from the registry, and missing or invalid pull credentials for a private registry, which results in a `401 Unauthorized` or `403 Forbidden` response. Both prevent the image from being downloaded, causing the pod to enter a backoff loop.

Exam trap

Google Cloud often tests the distinction between `ImagePullBackOff` (image retrieval failure) and `CrashLoopBackOff` (container runtime failure) — candidates confuse the two because both involve backoff logic, but the root cause and timing differ.

How to eliminate wrong answers

Option B is wrong because insufficient CPU/memory on the node or high resource requests cause `Pending` or `OutOfcpu`/`OutOfmemory` states, not `ImagePullBackOff`; the image pull itself is not affected by resource constraints. Option C is wrong because a failing liveness probe causes container restarts (CrashLoopBackOff) or pod termination, but does not affect the image pull process; `ImagePullBackOff` occurs before the container even starts. Option D is wrong because a failing entrypoint command causes the container to exit immediately after starting (CrashLoopBackOff), not an image pull failure; the image pull completes successfully before the entrypoint runs.

63
MCQeasy

A company is running a batch processing job on Compute Engine every night. The job usually completes in 2 hours, but recently it has been taking over 4 hours. The CPU utilization on the VM is consistently below 20%. What is the most likely cause?

A.The VM is using a shared-core machine type.
B.The VM's machine type is too small.
C.The VM is running out of memory and swapping to disk.
D.The VM's persistent disk is in a different zone.
AnswerC

Swapping causes high disk I/O and slow performance with low CPU.

Why this answer

The correct answer is C. When CPU utilization is below 20% but job execution time has doubled, the bottleneck is likely I/O, not compute. Swapping to disk occurs when the VM runs out of memory, causing the kernel to page memory to the persistent disk, which is orders of magnitude slower than RAM.

This I/O wait directly increases job duration without raising CPU utilization.

Exam trap

Google Cloud often tests the misconception that low CPU utilization always means the machine is over-provisioned, but the trap here is that I/O-bound workloads (like memory swapping) can cause severe performance degradation while CPU remains idle, leading candidates to incorrectly choose a machine type or disk zone issue.

How to eliminate wrong answers

Option A is wrong because shared-core machine types (e.g., e2-micro) can cause CPU throttling under sustained load, but the symptom would be high CPU credit exhaustion and visible CPU throttling, not consistently low CPU utilization. Option B is wrong because if the machine type were too small, CPU utilization would be high (near 100%) as the job struggles to complete, not below 20%. Option D is wrong because a persistent disk in a different zone than the VM is not supported; Compute Engine requires the disk to be in the same zone as the VM, so this configuration would cause an immediate launch failure, not a gradual performance degradation.

64
MCQhard

A security team wants to prevent authorized users from copying BigQuery query results to a dataset in a different GCP project that is outside the team's security boundary — even if the user has valid IAM permissions. Which control enforces this?

A.IAM deny policies restricting cross-project BigQuery operations
B.VPC Service Controls with a perimeter enclosing BigQuery
C.An organization policy preventing resource creation outside specific projects
D.Cloud Armor rules blocking outbound API requests to BigQuery in other projects
AnswerB

VPC Service Controls enforce context-aware access at the API level — data can't leave the perimeter to external projects regardless of IAM permissions, preventing exfiltration.

Why this answer

VPC Service Controls (VPC-SC) create a security perimeter around Google Cloud services, including BigQuery, that prevents data exfiltration to projects outside the perimeter regardless of IAM permissions. By configuring a service perimeter that includes BigQuery and the authorized project, any attempt to copy query results to a dataset in a project outside the perimeter is blocked, even if the user has valid IAM roles. This enforces a data boundary that overrides IAM-based access.

Exam trap

The trap here is that candidates assume IAM deny policies can block data movement across projects, but VPC Service Controls are the only mechanism that enforces data exfiltration boundaries at the network layer, overriding IAM permissions.

How to eliminate wrong answers

Option A is wrong because IAM deny policies can restrict specific operations but they operate at the IAM level and cannot override valid permissions granted to a user; they also do not provide a network-level data exfiltration control that prevents copying results across projects. Option C is wrong because an organization policy preventing resource creation outside specific projects only controls where new resources can be created, not the movement of existing data or query results between projects. Option D is wrong because Cloud Armor is a web application firewall that protects HTTP(S) traffic, not BigQuery API calls, and it cannot block outbound API requests to BigQuery in other projects.

65
MCQmedium

A team wants to grant three developers access to view Cloud SQL instance details and connection strings, but not create, delete, or modify any Cloud SQL instances. Which predefined IAM role is the most appropriate?

A.Cloud SQL Editor
B.Cloud SQL Client
C.Cloud SQL Viewer
D.Project Viewer
AnswerC

Cloud SQL Viewer (roles/cloudsql.viewer) grants read-only access to Cloud SQL instance details, settings, and connection information without any modification rights.

Why this answer

The Cloud SQL Viewer role (roles/cloudsql.viewer) grants read-only permissions to view Cloud SQL instance details, including connection strings, without allowing any create, delete, or modify operations. This matches the requirement precisely, as it provides the necessary visibility while preventing any changes to the instances.

Exam trap

Google Cloud often tests the distinction between roles that grant operational access (like Cloud SQL Client) versus read-only access (like Cloud SQL Viewer), and the trap here is that candidates may confuse 'Client' with 'Viewer' because both sound like they provide access, but only Viewer grants the ability to see instance details and connection strings without modification permissions.

How to eliminate wrong answers

Option A is wrong because Cloud SQL Editor (roles/cloudsql.editor) includes permissions to create, update, and delete Cloud SQL instances, which exceeds the required read-only access. Option B is wrong because Cloud SQL Client (roles/cloudsql.client) primarily grants permissions to connect to Cloud SQL instances (e.g., using the Cloud SQL Proxy or client libraries) but does not include the ability to view instance metadata or connection strings in the console. Option D is wrong because Project Viewer (roles/viewer) provides read-only access to all resources in the project, which is overly broad and not scoped specifically to Cloud SQL; it also does not grant the precise permissions needed for viewing Cloud SQL instance details and connection strings.

66
MCQhard

A company has just created a Google Cloud organization with multiple folders for different departments. The security team has set up organization policies, including a constraint that disables the creation of external IP addresses for VMs. However, the development team is unable to launch a VM instance because the 'External IP addresses' option is greyed out. They need to create a VM with an external IP for a temporary testing environment. The development team has the Project Owner role on their project. What should the company do to allow the development team to create VMs with external IPs while maintaining security?

A.Create a new folder for temporary testing and apply a policy exemption at the folder level, granting the development team the Organization Policy Administrator role on that folder.
B.Grant the development team the Organization Policy Administrator role on their existing project to allow them to override the policy.
C.Create a separate project outside the organization hierarchy to bypass the constraint.
D.Remove the organization policy constraint for the entire organization to allow external IPs.
AnswerA

A folder-level exemption allows an exception at a lower level of the resource hierarchy without affecting other parts of the organization.

Why this answer

Option A is correct because creating a new folder and applying a policy exemption at that folder level allows the exception without affecting other parts of the organization. The development team can be granted Organization Policy Administrator on that folder to manage the exemption. Option C is incorrect because a project outside the organization hierarchy bypasses the organization's policies and undermines security.

Option D is too broad, since it removes the constraint for the entire organization. Option B is incorrect because the Organization Policy Administrator role on the project cannot override an organization-level constraint; exemptions must be applied at a lower level in the hierarchy.

67
MCQmedium

Your Cloud Build pipeline needs to reference environment-specific configuration: `PROJECT_ID`, `REGION`, and `IMAGE_TAG` (generated from the Git commit SHA). Where should you define these values in `cloudbuild.yaml`?

A.Hardcode the values directly in each build step's `args` field.
B.Use built-in substitutions (`$PROJECT_ID`, `$COMMIT_SHA`) and define custom substitutions (`$_REGION`) in the trigger or `--substitutions` flag.
C.Store all values in Cloud Secret Manager and retrieve them in each build step.
D.Use a `.env` file committed to the repository and source it in build steps.
AnswerB

$PROJECT_ID and $COMMIT_SHA are Cloud Build built-in substitutions. Custom values like REGION use the $_VAR pattern defined in trigger configuration, enabling environment-specific pipelines from a single cloudbuild.yaml.

Why this answer

Option B is correct because Cloud Build provides built-in substitutions like `$PROJECT_ID` and `$COMMIT_SHA` that automatically resolve to the current project ID and the Git commit SHA, respectively. Custom substitutions like `$_REGION` can be defined in the trigger configuration or passed via the `--substitutions` flag, allowing environment-specific values to be injected without hardcoding. This approach keeps the `cloudbuild.yaml` reusable across environments and avoids exposing sensitive or variable data in the build file.

Exam trap

Google Cloud often tests the distinction between built-in and custom substitutions, and the trap here is that candidates assume all environment-specific values must be hardcoded or stored in secrets, overlooking Cloud Build's native substitution mechanism for non-sensitive configuration.

How to eliminate wrong answers

Option A is wrong because hardcoding values in `args` makes the pipeline environment-specific, requiring manual edits for each environment and violating the principle of configuration externalization. Option C is wrong because Cloud Secret Manager is designed for sensitive data (e.g., API keys, passwords), not for non-sensitive environment variables like `PROJECT_ID`, `REGION`, or `IMAGE_TAG`; retrieving secrets in every build step adds unnecessary latency and complexity. Option D is wrong because a `.env` file committed to the repository exposes environment-specific values in version control, creating security risks and maintenance overhead, and Cloud Build does not natively source `.env` files without custom scripting.

68
MCQmedium

You need to grant a third-party monitoring vendor's service account `roles/monitoring.viewer` on your project, but only for the next 90 days. After 90 days, the access should automatically expire. Which IAM feature enables time-limited access?

A.Set a session duration limit in the vendor's service account settings.
B.Add an IAM Condition with a date/time expression that expires the binding after 90 days.
C.Grant the role and set a reminder to manually revoke it in 90 days.
D.Use a temporary service account that is automatically deleted after 90 days via a Cloud Scheduler job.
AnswerB

IAM Conditions support `request.time` comparisons. A condition like `request.time < timestamp('EXPIRY_DATE')` causes the binding to stop granting access after the specified date automatically.

Why this answer

Option B is correct because IAM Conditions allow you to attach a time-based expression to a role binding, such as `request.time < timestamp('2025-01-01T00:00:00Z')`, which automatically revokes the binding after the specified date. This is the native, auditable, and policy-driven way to enforce time-limited access in Google Cloud without manual intervention or resource lifecycle management.

Exam trap

Google Cloud often tests the misconception that session duration limits or service account lifecycle management can enforce time-bound permissions, when in fact only IAM Conditions provide a native, policy-based expiration mechanism for role bindings.

How to eliminate wrong answers

Option A is wrong because session duration limits apply to the maximum time a service account can use a token before re-authentication, not to the overall validity of the IAM role binding; they do not expire the permission itself after 90 days. Option C is wrong because manually revoking access is error-prone, not automated, and violates the requirement for automatic expiration; it is not an IAM feature. Option D is wrong because deleting a service account does not automatically remove its IAM role bindings (orphaned bindings remain), and Cloud Scheduler cannot delete a service account without additional custom logic; this approach is unnecessarily complex and not a built-in IAM feature.
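The time-limited binding this question describes, as an added example that is not part of the question bank: it builds the binding JSON (inside the version-3 policy wrapper that conditional bindings require), renders the matching `--condition` flag value for gcloud, and re-evaluates the `request.time < timestamp('...')` expression for a given request time. The vendor service account address and the grant date are constructed placeholders.

```python
"""Time-limited IAM binding via an IAM Condition.

Added example (not part of the question bank): builds the binding that
`gcloud projects add-iam-policy-binding ... --condition=...` attaches, and
re-evaluates its `request.time < timestamp('...')` expression the way IAM
does at request time. Member, role and dates are constructed placeholders.
"""
from datetime import datetime, timedelta, timezone
import re

_TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Only the expiry form used in the question is modelled here.
_EXPIRY_EXPR = re.compile(r"^request\.time < timestamp\('([^']+)'\)$")


def expiry_condition(title: str, granted_at: datetime, days: int) -> dict:
    """IAM Condition whose CEL expression stops matching `days` after `granted_at`."""
    if granted_at.tzinfo is None:
        raise ValueError("granted_at must be timezone-aware; IAM timestamps are UTC")
    expiry = (granted_at + timedelta(days=days)).astimezone(timezone.utc)
    return {
        "title": title,
        "description": f"Auto-expires {days} days after {granted_at.isoformat()}",
        "expression": f"request.time < timestamp('{expiry.strftime(_TS_FMT)}')",
    }


def time_limited_binding(role: str, member: str, granted_at: datetime, days: int) -> dict:
    """One entry for the policy's `bindings` list, with the expiry condition attached."""
    return {"role": role, "members": [member],
            "condition": expiry_condition(f"expires-{days}d", granted_at, days)}


def policy_with(binding: dict) -> dict:
    """Wrap a binding in a policy; conditional bindings require policy version 3."""
    return {"version": 3, "bindings": [binding]}


def gcloud_condition_flag(cond: dict) -> str:
    """Render the condition as the --condition flag value gcloud accepts."""
    # Key=value pairs are comma-separated, so the expression must not contain commas.
    assert "," not in cond["expression"]
    return f"expression={cond['expression']},title={cond['title']}"


def binding_grants(binding: dict, request_time: datetime) -> bool:
    """Mirror IAM's evaluation: the role is granted only while the condition holds."""
    cond = binding.get("condition")
    if cond is None:
        return True  # unconditional bindings never expire
    m = _EXPIRY_EXPR.match(cond["expression"])
    if not m:
        raise ValueError("unsupported condition expression in this model")
    expiry = datetime.strptime(m.group(1), _TS_FMT).replace(tzinfo=timezone.utc)
    return request_time.astimezone(timezone.utc) < expiry


if __name__ == "__main__":
    granted = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed grant date
    b = time_limited_binding("roles/monitoring.viewer",
                             "serviceAccount:vendor-monitor@example-vendor.iam.gserviceaccount.com",
                             granted, 90)
    print(gcloud_condition_flag(b["condition"]))
    print("granted on day 89:", binding_grants(b, granted + timedelta(days=89)))
    print("granted on day 90:", binding_grants(b, granted + timedelta(days=90)))
```

Note that the binding still exists in the policy after expiry; it simply stops granting, so an audit of stale conditional bindings is a separate housekeeping step.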

69
MCQeasy

What is the purpose of Cloud Audit Logs' Data Access audit logs, and why are they NOT enabled by default for most services?

A.They record authentication events; they are disabled by default due to privacy regulations.
B.They log API calls that read or write user data; they are off by default due to very high log volume and associated storage costs.
C.They log VM instance creation and deletion; they are disabled by default to avoid noise.
D.They provide real-time threat detection; they are experimental and not yet generally available.
AnswerB

Data Access logs capture every data read/write. On busy services like BigQuery, this generates massive log volume. Enabling them broadly would be cost-prohibitive, so they're opt-in.

Why this answer

Data Access audit logs record every API call that reads or writes user-provided data (e.g., reading a Cloud Storage object or updating a BigQuery table). They are disabled by default because the sheer volume of these operations can generate terabytes of logs per day, leading to significant Cloud Logging storage costs and potential budget overruns. Administrators must explicitly enable them per service or per resource to control cost and log retention.

Exam trap

Google Cloud often tests the misconception that Data Access logs are enabled by default for all services, when in fact they are off by default specifically to prevent runaway storage costs from high-volume user data operations.

How to eliminate wrong answers

Option A is wrong because Data Access logs do not record authentication events; those are captured by Admin Activity logs (for IAM policy changes) and System Event logs (for GCP actions). Option C is wrong because VM instance creation and deletion are recorded by Admin Activity logs, not Data Access logs, and they are enabled by default for free. Option D is wrong because Data Access logs are not experimental—they are GA—and they do not provide real-time threat detection; that is the role of services like Security Command Center or Event Threat Detection.

70
MCQmedium

A company organizes its GCP projects by business unit — Finance, Engineering, and Sales. Which resource is best suited to group these projects while applying shared IAM policies to all projects in each group?

A.Apply labels to each project to identify the business unit
B.Apply resource tags to each project for policy enforcement
C.Create GCP Folders for each business unit and add the relevant projects
D.Create a Shared VPC host project for each business unit
AnswerC

Folders are the right level in the GCP hierarchy for grouping projects by business unit. IAM and Org Policies set on a Folder cascade to all child projects.

Why this answer

C is correct because GCP Folders are the hierarchical resource designed to group projects under an organization node, allowing you to apply shared IAM policies at the folder level that automatically propagate to all projects within that folder. This aligns with the requirement to organize projects by business unit and enforce consistent access controls across each group.

Exam trap

The trap here is that candidates often confuse labels or tags with hierarchical grouping, assuming metadata-based organization can substitute for the IAM inheritance provided by Folders, but only Folders (or Organization nodes) support policy propagation across projects.

How to eliminate wrong answers

Option A is wrong because labels are key-value metadata used for resource organization and cost tracking, but they do not support inheritance of IAM policies across projects. Option B is wrong because resource tags (now called 'tags' in GCP) are used for conditional policy enforcement and network firewall rules, not for hierarchical grouping with IAM policy inheritance. Option D is wrong because a Shared VPC host project allows multiple service projects to share a common VPC network, but it does not group projects for IAM policy inheritance across unrelated projects; it only provides network-level isolation and sharing.

71
MCQeasy

A Cloud Run service handles payment processing. A monitoring alert shows the service is experiencing 3-second P99 latency, up from its normal 200ms. The team wants to find the slowest individual requests in the last hour. Which tool provides per-request latency data?

A.Cloud Monitoring — check the request_latencies metric distribution
B.Cloud Trace — sort traces by latency in the last hour
C.Cloud Logging — filter for requests with duration > 3s
D.Cloud Profiler — view the slowest functions in the last hour
AnswerB

Cloud Trace records individual request traces with full timing breakdown. Sorting by latency in the Trace list immediately surfaces the slowest requests.

Why this answer

Cloud Trace is designed to capture end-to-end latency for individual requests, allowing you to sort and identify the slowest requests in a specific time range. The P99 latency increase indicates a tail-latency problem, and Trace provides per-request granularity to pinpoint the exact slow requests. This makes it the correct tool for finding the slowest individual requests in the last hour.

Exam trap

Google Cloud often tests the distinction between aggregated metrics (Cloud Monitoring) and per-request tracing (Cloud Trace), trapping candidates who assume a metric distribution can identify individual slow requests.

How to eliminate wrong answers

Option A is wrong because Cloud Monitoring's request_latencies metric is a distribution (e.g., histogram) that shows aggregated percentiles like P99, not individual request latencies. Option C is wrong because Cloud Logging does not natively include a 'duration' field for HTTP requests unless you explicitly log it; even then, filtering for >3s would show all requests exceeding that threshold, not the slowest ones sorted by latency. Option D is wrong because Cloud Profiler samples function call stacks and CPU/memory usage, not per-request latency data; it identifies slow functions, not slow individual requests.

72
MCQmedium

A developer works across five different GCP projects daily and wants to switch their active project in the gcloud CLI without rerunning `gcloud init`. Which command should they use?

A.gcloud projects switch [PROJECT_ID]
B.gcloud config set project [PROJECT_ID]
C.gcloud auth set-project [PROJECT_ID]
D.gcloud init --project=[PROJECT_ID]
AnswerB

This command updates the `project` property in the current gcloud configuration immediately, without running the full `init` wizard.

Why this answer

The `gcloud config set project [PROJECT_ID]` command updates the `core/project` property in the active gcloud CLI configuration, allowing the developer to switch the active project without re-running `gcloud init`. This is the standard method for changing the project context in the current configuration, which persists across sessions until changed again.

Exam trap

Google Cloud often tests the distinction between `gcloud config set` and `gcloud init`, trapping candidates who think they must reinitialize the CLI to change the active project, when in fact only a property update is needed.

How to eliminate wrong answers

Option A is wrong because `gcloud projects switch` is not a valid gcloud command; the correct verb for switching context is `config set`, not a subcommand under `projects`. Option C is wrong because `gcloud auth set-project` does not exist; authentication and project configuration are separate concerns — `gcloud auth` handles credentials, not project settings. Option D is wrong because `gcloud init --project=[PROJECT_ID]` would reinitialize the entire configuration, which is unnecessary and slower than simply updating the project property; it also overwrites other settings like region and zone, which the developer likely wants to preserve.

73
MCQmedium

A Go service is consuming significantly more CPU than expected. The team suspects an inefficient function but doesn't know which one. Which Cloud Operations tool identifies CPU hotspots in production code?

A.Cloud Debugger
B.Cloud Trace
C.Cloud Profiler
D.Cloud Monitoring custom dashboards
AnswerC

Cloud Profiler samples production applications continuously with minimal overhead, generating flame graphs that show exactly which functions are most CPU-intensive.

Why this answer

Cloud Profiler is the correct tool because it continuously gathers CPU and heap usage data from production services using statistical sampling, then presents a flame graph or call tree that pinpoints which functions consume the most CPU. Unlike debugging or tracing tools, Profiler is designed specifically for identifying performance bottlenecks like CPU hotspots with minimal overhead, making it ideal for diagnosing an inefficient function in a Go service running in production.

Exam trap

Google Cloud often tests the distinction between latency-focused tools (Trace) and resource-usage-focused tools (Profiler), and the trap here is that candidates confuse 'slow function' (latency) with 'CPU-hungry function' (resource consumption), leading them to pick Cloud Trace instead of Cloud Profiler.

How to eliminate wrong answers

Option A is wrong because Cloud Debugger is used for inspecting application state (variables, stack traces) at a specific point in time without stopping the service, but it does not collect or aggregate CPU usage data over time to identify hotspots. Option B is wrong because Cloud Trace focuses on latency analysis of requests and spans, measuring how long operations take, not CPU consumption; it can show slow operations but cannot attribute CPU usage to specific functions. Option D is wrong because Cloud Monitoring custom dashboards display metrics like CPU utilization at the instance or container level, but they cannot drill down into function-level CPU hotspots within the application code.

74
MCQeasy

Which console page would you use to create and manage custom IAM roles?

A.IAM & Admin > Audit Logs
B.IAM & Admin > Roles
C.IAM & Admin > Organization Policies
D.IAM & Admin > Service Accounts
AnswerB

This page is specifically for managing roles.

Why this answer

The IAM & Admin > Roles page in the Google Cloud Console is the dedicated interface for creating, editing, and managing custom IAM roles. Custom roles allow you to define a precise set of permissions that are not available in predefined roles, giving you granular control over access to Google Cloud resources. This page also lists all predefined and custom roles, and allows you to clone, delete, or update role definitions.

Exam trap

Google Cloud often tests the distinction between managing IAM roles (which is done in the Roles page) and managing service accounts (which is done in the Service Accounts page), leading candidates to confuse the two because both involve identity and access management.

How to eliminate wrong answers

Option A is wrong because Audit Logs is used to view and configure audit logs for tracking admin activity, data access, and system events, not for creating or managing IAM roles. Option C is wrong because Organization Policies are used to set constraints on Google Cloud resources at the organization, folder, or project level (e.g., restricting resource locations or disabling service creation), not for defining IAM roles. Option D is wrong because Service Accounts is the page for managing service account identities and their keys, not for creating or managing IAM roles.

75
MCQmedium

A developer accidentally creates a firewall rule allowing all inbound traffic (0.0.0.0/0) on all ports to all instances in a production VPC. The rule has priority 1000. The team has an existing rule allowing only SSH (port 22) from the corporate IP range at priority 999. Which traffic is actually allowed?

A.Only SSH from the corporate range is allowed — the more specific rule takes precedence for all traffic
B.SSH from corporate IP plus all traffic from all IPs — both allow rules match for their respective traffic
C.No traffic is allowed — deny rules override allow rules in GCP
D.All traffic from all IPs is allowed — the priority 1000 allow-all overrides the more specific priority 999 rule
AnswerB

GCP evaluates firewall rules independently. Priority 999 allows corporate SSH. Priority 1000 allows everything else. The allow-all rule represents a critical security vulnerability.

Why this answer

In Google Cloud VPC firewall rules, both allow rules are evaluated independently. The rule at priority 999 allows SSH (TCP port 22) from the corporate IP range, and the rule at priority 1000 allows all traffic from all IPs (0.0.0.0/0) on all ports. Since both rules are allow rules and match the traffic, the result is that SSH traffic from the corporate IP is allowed by the more specific rule, and all other traffic (including SSH from other IPs and all other protocols) is allowed by the broader rule.

There is no implicit deny in GCP firewall rules; only explicit deny rules can block traffic, and no deny rule is present here.

Exam trap

Google Cloud often tests the misconception that a higher-priority (lower number) rule always overrides a lower-priority rule, but in GCP, this only applies when comparing allow vs. deny rules, not between two allow rules.

How to eliminate wrong answers

Option A is wrong because it incorrectly assumes that a more specific rule 'takes precedence' over a broader allow rule; in GCP, all matching allow rules are applied, and the more specific rule does not block the broader rule from allowing other traffic. Option C is wrong because it falsely claims that deny rules override allow rules by default; GCP firewall rules are implicitly permissive—if no deny rule matches, traffic is allowed, and there are no deny rules in this scenario. Option D is wrong because it suggests that the priority 1000 rule overrides the priority 999 rule; priority only determines the order of evaluation for conflicting rules (e.g., an allow vs. a deny), but both are allow rules, so both apply to their respective matching traffic.
