Google Associate Cloud Engineer (ACE) — Questions 676750

991 questions total · 14 pages · All types, answers revealed

Page 10 of 14
676 (MCQ, medium)

A team wants proactive alerting if their public HTTPS endpoint returns a non-2xx HTTP status code or becomes unreachable — before users report it. Which Cloud Monitoring capability provides this?

A. A log-based alert on 5xx error log entries
B. An uptime check with an HTTP status code condition
C. A Cloud Armor rule blocking 5xx responses
D. A metric alert on instance CPU exceeding 90%

Answer: B

Uptime checks actively probe the endpoint from multiple locations, alert on non-2xx status codes, and detect outages even during zero-traffic periods.

Why this answer

An uptime check with an HTTP status code condition is the correct choice because Cloud Monitoring’s uptime checks are specifically designed to proactively verify that a public HTTPS endpoint is reachable and returns a successful HTTP status (e.g., 2xx). When the check detects a non-2xx status or a timeout/unreachable condition, it can trigger an alert before users are impacted. This is the only option that directly monitors endpoint availability and HTTP response codes from an external perspective.

Exam trap

Google Cloud often tests the distinction between proactive monitoring (uptime checks) and reactive logging (log-based alerts), trapping candidates who assume that log entries for 5xx errors are sufficient for early detection, when in fact they require the error to have already occurred and been logged.

How to eliminate wrong answers

Option A is wrong because a log-based alert on 5xx error log entries is reactive—it only fires after a 5xx response has been logged, and it cannot detect unreachable endpoints (e.g., DNS failures or connection timeouts) that never generate a log entry. Option C is wrong because Cloud Armor is a web application firewall that blocks or filters traffic based on rules, not a monitoring tool; it does not generate proactive alerts about endpoint status. Option D is wrong because a metric alert on instance CPU exceeding 90% monitors compute resource utilization, not the HTTP endpoint’s availability or response status, so it would not detect a non-2xx or unreachable condition.

677 (MCQ, hard)

A company's security team wants to enforce that all service account keys in production projects are rotated every 30 days and prevent creation of keys that never expire. Which single solution should they implement?

A. Use Cloud Audit Logs to detect keys older than 30 days and manually delete them.
B. Set the organization policy constraint iam.disableServiceAccountKeyCreation.
C. Set the organization policy constraint iam.restrictServiceAccountKeyExpiryHours to 720 hours and use the Service Account Key Manager to schedule automatic rotation.
D. Use IAM conditions to require that key creation only succeeds if an expiration time is set.

Answer: C

The constraint enforces maximum key lifetime, and the Key Manager can rotate keys automatically, ensuring rotation without manual effort.

Why this answer

Option C is correct because the organization policy constraint `iam.restrictServiceAccountKeyExpiryHours` enforces a maximum key lifetime (720 hours = 30 days), and the Service Account Key Manager can automate rotation before expiry. This combination ensures all service account keys are rotated every 30 days and prevents creation of keys that never expire, meeting both requirements with a single solution.

Exam trap

Google Cloud often tests the distinction between detection (Audit Logs) and enforcement (organization policy constraints), and candidates mistakenly choose a logging-based solution because they overlook the requirement to 'prevent creation' of non-expiring keys.

How to eliminate wrong answers

Option A is wrong because Cloud Audit Logs only provide visibility into key age, not enforcement; manual deletion is not a scalable or reliable solution and does not prevent creation of non-expiring keys. Option B is wrong because `iam.disableServiceAccountKeyCreation` completely blocks creation of all service account keys, which is too restrictive and does not allow legitimate key creation with expiration. Option D is wrong because IAM conditions cannot enforce key expiration during creation; they control access to resources based on attributes but do not interact with service account key properties like expiry time.

678 (MCQ, medium)

A team's Cloud Storage bucket has fine-grained access control (ACLs) enabled. They want to switch to a simpler model where IAM policies alone control access, and object-level ACLs are ignored. What should they enable?

A. Enable Uniform Bucket-Level Access (UBLA) on the bucket
B. Delete all ACLs on each object and set them to 'authenticated-read'
C. Enable VPC Service Controls on the bucket
D. Set the bucket's default object ACL to `projectPrivate` and apply it to all objects

Answer: A

UBLA disables object ACLs and enforces IAM-only access control — simplifying the permission model to bucket-level IAM policies for all objects.

Why this answer

Option A is correct because enabling Uniform Bucket-Level Access (UBLA) on the bucket disables object-level ACLs and enforces IAM policies as the sole access control mechanism. This simplifies management by ignoring any existing ACLs on objects, ensuring that only bucket-level IAM permissions are evaluated for access decisions.

Exam trap

Google Cloud often tests the distinction between modifying ACLs (which does not change the access control model) and enabling UBLA (which fundamentally switches the model), so candidates may incorrectly think that deleting ACLs or changing default ACLs is sufficient to ignore object-level ACLs.

How to eliminate wrong answers

Option B is wrong because deleting ACLs on each object does not disable ACL evaluation; the bucket still has fine-grained access control enabled, and IAM policies will not override object-level ACLs unless UBLA is enabled. Option C is wrong because VPC Service Controls are used to restrict access to Google Cloud services from specific VPC networks or IP ranges, not to switch from ACL-based to IAM-based access control. Option D is wrong because setting the default object ACL to `projectPrivate` only affects new objects and does not ignore existing object-level ACLs; it also does not disable ACL evaluation for the bucket.

679 (MCQ, easy)

A startup wants to grant developers the ability to create and manage Compute Engine instances, but prevent them from deleting instances or changing firewall rules. Which IAM approach should they use?

A. Create a custom role with permissions for instance management but without compute.instances.delete.
B. Assign the roles/compute.instanceAdmin.v1 role.
C. Assign the roles/compute.instanceOperator role.
D. Assign the roles/compute.admin role.

Answer: A

A custom role can be tailored to include only the required permissions, avoiding unintended capabilities.

Why this answer

Option A is correct because creating a custom role allows the startup to grant fine-grained permissions for instance management (e.g., compute.instances.create, compute.instances.start, compute.instances.stop) while explicitly omitting compute.instances.delete and any firewall-related permissions like compute.firewalls.update or compute.firewalls.delete. This ensures developers can manage instances but cannot delete them or alter firewall rules, meeting the exact requirement.

Exam trap

Google Cloud often tests the distinction between predefined roles that sound similar (like instanceAdmin.v1 vs. a non-existent instanceOperator) and the need for custom roles when predefined roles do not match the exact permission set required.

How to eliminate wrong answers

Option B is wrong because roles/compute.instanceAdmin.v1 includes compute.instances.delete and compute.firewalls.update, which would allow developers to delete instances and change firewall rules, violating the requirement. Option C is wrong because roles/compute.instanceOperator does not exist as a predefined role in Google Cloud IAM; this is a distractor that misleads candidates into thinking there is a role with limited permissions. Option D is wrong because roles/compute.admin grants full administrative access to all Compute Engine resources, including deleting instances and modifying firewall rules, which is far too permissive.

680 (Multi-Select, easy)

Which TWO practices help ensure the reliability of a Cloud Functions deployment? (Choose two.)

Select 2 answers
A. Deploy functions in a single region to minimize latency.
B. Configure a VPC connector for all functions.
C. Set maximum instances to 1 to avoid resource contention.
D. Use Cloud Tasks to decouple function invocations.
E. Implement retry policies for background functions.

Answers: D, E

Cloud Tasks provides retries and scheduling.

Why this answer

Option D is correct because Cloud Tasks decouples function invocations by queuing requests and delivering them asynchronously, which improves reliability by handling spikes in traffic without dropping requests and providing automatic retries on failure. Option E is correct because implementing retry policies for background functions (e.g., Cloud Functions triggered by Pub/Sub or Cloud Storage) ensures that transient failures are automatically retried, increasing the overall reliability of the deployment.

Exam trap

Google Cloud often tests the misconception that limiting concurrency (e.g., max instances = 1) improves reliability, when in fact it reduces fault tolerance and increases latency under load.

681 (MCQ, medium)

A team uses Cloud Build to build Docker images and push them to Artifact Registry. The cloudbuild.yaml has a step that requires a secret API key to call an external service during build. How should the secret be provided securely?

A. Pass the API key as a build substitution variable in the gcloud builds submit command
B. Reference the API key from Secret Manager using the availableSecrets field in cloudbuild.yaml
C. Store the API key in a Cloud Storage bucket and download it in a build step
D. Hardcode the API key in the cloudbuild.yaml and store it in the source repository

Answer: B

Cloud Build's `availableSecrets.secretManager` configuration retrieves the secret value at build time and makes it available as an environment variable, without logging the value.

Why this answer

Option B is correct because Cloud Build's `availableSecrets` field allows you to securely inject secrets from Secret Manager into build steps as environment variables or files, without exposing them in the build configuration or logs. This approach ensures the API key is encrypted at rest and in transit, and access can be controlled via IAM permissions, making it the only secure method among the options.

Exam trap

Google Cloud often tests the misconception that substitution variables are secure because they are 'variables,' but they are actually passed as plain text and can be logged, whereas `availableSecrets` is the only method that guarantees the secret is never exposed in the build configuration or logs.

How to eliminate wrong answers

Option A is wrong because substitution variables are passed as plain text in the `gcloud builds submit` command and can be visible in build logs or command history, violating security best practices. Option C is wrong because storing the API key in a Cloud Storage bucket and downloading it in a build step exposes the key to potential unauthorized access if the bucket is misconfigured, and the key is still visible in the build step's command or logs. Option D is wrong because hardcoding the API key in `cloudbuild.yaml` and storing it in the source repository makes the key accessible to anyone with repository access, and it can be exposed in version control history or build logs.

682 (MCQ, easy)

A developer needs to upload a large number of files from their local machine to a Cloud Storage bucket. Which command should they use?

A. gcloud storage ls gs://my-bucket
B. gsutil cp /local/dir/* gs://my-bucket/
C. gcloud storage buckets create gs://my-bucket
D. gsutil rsync -r /local/dir gs://my-bucket/

Answer: B

Correctly uploads files from local directory to bucket.

Why this answer

gsutil cp is the correct command for uploading files. Option B is correct. Option A creates a bucket; C lists files; D syncs a directory but is overkill for a simple upload.

683 (MCQ, hard)

A Cloud SQL for MySQL instance needs to be created with the following requirements: MySQL 8.0, db-n1-standard-2 tier, in us-central1, with root password 'secret'. Which command meets these requirements?

A. gcloud compute instances create my-instance --database-version MYSQL_8_0 --tier db-n1-standard-2 --region us-central1 --root-password secret
B. gcloud sql instances create my-instance --database-version MYSQL8 --tier n1-standard-2 --region us-central1 --password secret
C. gcloud sql instances create my-instance --database-version MYSQL_8_0 --tier db-n1-standard-2 --region us-central1 --root-password secret
D. gcloud sql instances create my-instance --database-version MYSQL_8_0 --machine-type db-n1-standard-2 --region us-central1 --root-password secret

Answer: C

Correct. All flags are correct.

Why this answer

The 'gcloud sql instances create' command with --database-version, --tier, --region, and --root-password correctly creates the instance.

684 (MCQ, hard)

A regulated financial company must ensure that all GCP API calls made by employees are logged with full request and response payloads for audit purposes. Which combination of Cloud Audit Log types captures this?

A. Admin Activity logs only
B. Admin Activity logs + Data Access logs (DATA_READ and DATA_WRITE)
C. VPC Flow Logs + Cloud Monitoring metrics
D. System event logs + Data Access logs

Answer: B

Enabling both Admin Activity and Data Access audit logs provides complete coverage of all API calls — Admin Activity for configuration changes, Data Access for read/write operations including payload data.

Why this answer

Admin Activity logs capture administrative actions like creating or modifying resources, but not the data within API calls. Data Access logs (DATA_READ and DATA_WRITE) capture the request and response payloads for API calls that read or write data, which is required for full audit logging. Together, they cover both the administrative context and the data-level payloads mandated for regulated financial companies.

Exam trap

Google Cloud often tests the misconception that Admin Activity logs alone are sufficient for audit compliance, when in fact they omit the data-level payloads that regulated audits require, and candidates may overlook the need to explicitly enable Data Access logs with full payload inclusion.

How to eliminate wrong answers

Option A is wrong because Admin Activity logs only record metadata about resource configuration changes (e.g., who created a VM), not the full request/response payloads of API calls that access or modify data. Option C is wrong because VPC Flow Logs capture network metadata (source/destination IP, ports, protocol) but not the application-layer payloads of API calls, and Cloud Monitoring metrics provide aggregated performance data, not audit logs. Option D is wrong because System event logs capture Google Cloud system events (e.g., instance preemption) and do not include API request/response payloads; Data Access logs alone would miss the administrative actions that are also required for a complete audit trail.

685 (MCQ, medium)

You want to create a snapshot of a persistent disk named 'my-disk' in zone us-central1-a. Which command should you use?

A. gcloud compute snapshots create my-snapshot --source-disk my-disk --zone us-central1-a
B. gcloud compute disks snapshot my-disk --snapshot-names my-snapshot --zone us-central1-a
C. gcloud compute images create my-snapshot --source-disk my-disk --zone us-central1-a
D. gcloud compute disks create-snapshot my-disk --snapshot-name my-snapshot --zone us-central1-a

Answer: B

This creates a snapshot of the disk with the given name.

Why this answer

The gcloud compute disks snapshot command creates a snapshot of the specified disk. You need to provide the disk name and zone.

686 (MCQ, medium)

A BigQuery table in a data pipeline receives daily data loads. To control storage costs, the team wants table data older than 180 days to be automatically deleted at the table level, not the dataset level. How should this be configured?

A. Set a dataset-level default table expiration of 180 days in the dataset properties
B. Use a Cloud Scheduler job to run a DELETE statement on rows older than 180 days nightly
C. Configure partition expiration on a date-partitioned table to expire partitions after 180 days
D. Set a table-level TTL using BigQuery's TTL API with a 180-day value

Answer: C

For date-partitioned tables, partition expiration automatically deletes partitions older than the specified number of days — the most efficient and zero-maintenance approach for time-series data.

Why this answer

Option C is correct because BigQuery's partition expiration feature allows you to automatically delete entire partitions from a date-partitioned table after a specified number of days. By setting the partition expiration to 180 days, all data in partitions older than 180 days is dropped at the table level, meeting the requirement without affecting other tables in the dataset.

Exam trap

Google Cloud often tests the distinction between dataset-level defaults and table-level partition expiration, and the trap here is that candidates confuse dataset-level table expiration (which deletes entire tables) with the requirement to delete only old rows within a single table.

How to eliminate wrong answers

Option A is wrong because dataset-level default table expiration applies to all tables in the dataset, not just the specific table, and it deletes entire tables, not rows or partitions. Option B is wrong because using a Cloud Scheduler job to run a DELETE statement incurs query costs and does not automatically delete data at the table level; it also requires ongoing maintenance and does not leverage BigQuery's native storage management. Option D is wrong because BigQuery does not have a 'TTL API' for tables; the correct mechanism for automatic deletion of old data is partition expiration on partitioned tables.

687 (MCQ, hard)

A team builds a GKE application that processes healthcare data. Regulatory requirements mandate that data in transit between GKE nodes must be encrypted. GKE is running on GCP. What provides encrypted node-to-node traffic within the cluster?

A. GCP automatically encrypts all VM-to-VM traffic in transit within its network
B. GKE node traffic is unencrypted by default — mTLS must be manually configured on every Pod
C. Enable VPC Flow Logs — they activate encryption for logged traffic
D. Install a TLS termination proxy on each GKE node — it encrypts intranode traffic

Answer: A

Google Cloud encrypts data in transit between physical boundaries and virtual machines using encryption at the Google network layer. GKE node-to-node traffic within GCP is covered by this encryption.

Why this answer

GCP automatically encrypts all VM-to-VM traffic in transit at the network layer, including traffic between GKE nodes, using a combination of MACsec (IEEE 802.1AE) and IPsec. This encryption is enabled by default for all traffic within a VPC and between VPCs, without any configuration required. Therefore, node-to-node traffic within a GKE cluster is already encrypted, satisfying the regulatory requirement.

Exam trap

The trap here is that candidates assume Kubernetes traffic is unencrypted by default and that they must manually configure mTLS or a proxy, overlooking that GCP's underlying network infrastructure already provides encryption for all VM-to-VM traffic in transit.

How to eliminate wrong answers

Option B is wrong because GKE node traffic is not unencrypted by default; GCP encrypts all VM-to-VM traffic at the network layer, so no manual mTLS configuration is needed for node-to-node encryption. Option C is wrong because VPC Flow Logs are used for network monitoring and logging, not for enabling encryption; they capture metadata about traffic but do not activate encryption. Option D is wrong because installing a TLS termination proxy on each GKE node is unnecessary and would only encrypt traffic at the application layer, not the underlying node-to-node traffic, which is already encrypted by GCP's infrastructure.

688 (MCQ, easy)

A developer wants to deploy a containerized application to Cloud Run that should be publicly accessible over the internet. The container image is stored in Container Registry. Which gcloud command should they use?

A. gcloud run deploy my-service --image gcr.io/my-project/my-image --region us-central1 --platform cloud-run --allow-unauthenticated
B. gcloud run deploy my-service --image gcr.io/my-project/my-image --region us-central1 --platform managed --allow-unauthenticated
C. gcloud run deploy my-service --image gcr.io/my-project/my-image --region us-central1 --platform gke --allow-unauthenticated
D. gcloud run deploy my-service --image gcr.io/my-project/my-image --region us-central1 --platform managed

Answer: B

Correct: deploys to Cloud Run (fully managed) and makes it publicly accessible.

Why this answer

The correct command includes --allow-unauthenticated to grant public access, --region, --image, and --platform managed. Option C is correct. Option A is missing --allow-unauthenticated; B uses the wrong platform flag; D uses --platform gke, which is for GKE.

689 (MCQ, easy)

You need to grant a user the ability to view audit logs for a project but not modify any resources. Which predefined IAM role should you assign?

A. roles/iam.securityReviewer
B. roles/owner
C. roles/viewer
D. roles/logging.viewer

Answer: D

Correct: This role grants read access to all logs, including audit logs, without modification permissions.

Why this answer

The roles/logging.viewer role provides read-only access to logs, including audit logs. roles/iam.securityReviewer provides read access to IAM policies but not logs. roles/viewer is too broad. roles/owner is administrative.

690 (MCQ, easy)

You need to choose between Cloud Storage storage classes for a dataset used in BigQuery for ad-hoc analysis. The data is queried approximately once per month. Which storage class minimizes storage cost while maintaining query availability?

A. Standard storage class
B. Nearline storage class
C. Coldline storage class
D. Archive storage class

Answer: B

Nearline is optimized for data accessed roughly once per month: lower storage cost than Standard with a retrieval fee. It balances storage cost savings against monthly access frequency appropriately.

Why this answer

Nearline storage class is the best choice because it offers the lowest storage cost for data accessed less than once a month (30-day minimum storage duration) while still providing sub-second access for BigQuery queries. Standard storage has no minimum duration but is more expensive for infrequent access, while Coldline and Archive have lower storage costs but impose higher retrieval costs and longer access times that are unsuitable for ad-hoc BigQuery queries.

Exam trap

Google Cloud often tests the misconception that 'cheapest storage class' always minimizes total cost, but the trap here is that Archive and Coldline have hidden retrieval costs and minimum storage durations that make them more expensive for data accessed even occasionally, and they cannot be queried directly by BigQuery without prior restoration.

How to eliminate wrong answers

Option A is wrong because Standard storage class has no minimum storage duration but is the most expensive per GB, making it cost-inefficient for data queried only once per month. Option C is wrong because Coldline storage class has a 90-day minimum storage duration and higher retrieval costs, which would increase total cost for data accessed monthly and is not optimized for query availability in BigQuery. Option D is wrong because Archive storage class has a 365-day minimum storage duration and the highest retrieval costs, plus data must be restored before querying, making it unsuitable for ad-hoc BigQuery analysis that requires immediate availability.

691 (MCQ, medium)

A batch processing job runs on preemptible VMs in a managed instance group. The job frequently fails due to preemption. Which design change would most effectively improve the job's resilience?

A. Use committed use discounts (1-year or 3-year).
B. Add GPUs to the instances.
C. Use sole-tenant nodes.
D. Use a managed instance group with distribution across multiple zones and enable autoscaling.

Answer: D

Distributing across zones reduces the chance of all instances being preempted simultaneously; autoscaling replaces failed instances.

Why this answer

Option D is correct because distributing the managed instance group across multiple zones and enabling autoscaling ensures that when preemptible VMs are terminated in one zone, the autoscaler can provision replacement VMs in another zone that still has capacity. This architecture leverages the fact that preemption events are often zone-specific, so multi-zone distribution combined with autoscaling provides resilience without requiring persistent resources.

Exam trap

Google Cloud often tests the misconception that committed use discounts or sole-tenant nodes provide preemption protection, when in fact they only affect pricing or hardware isolation, not the preemptible VM lifecycle.

How to eliminate wrong answers

Option A is wrong because committed use discounts (1-year or 3-year) reduce cost for sustained usage but do not prevent or mitigate preemption; preemptible VMs can still be terminated at any time regardless of commitments. Option B is wrong because adding GPUs to instances increases cost and does not address the root cause of preemption; GPUs do not make VMs less likely to be preempted. Option C is wrong because sole-tenant nodes dedicate physical servers to a single project, but preemptible VMs on those nodes are still subject to preemption; sole-tenant nodes do not provide any preemption protection.

692 (MCQ, medium)

A security team wants to audit all Data Access attempts in a project for a specific Cloud Storage bucket, including who accessed which object and when. Which configuration is required?

A. Configure VPC Flow Logs on the VPC network
B. Set up Cloud Monitoring alerts on the bucket
C. Enable Admin Activity audit logs for Cloud Storage in the project
D. Enable Data Access audit logs for Cloud Storage in the project's IAM audit config

Answer: D

Correct: Data Access audit logs capture object-level access.

Why this answer

Data Access audit logs must be enabled for Cloud Storage at the project level via IAM audit config. Admin Activity logs are always enabled but only record configuration changes, not data access. VPC Flow Logs record network metadata, not object-level access. Cloud Monitoring does not provide audit logs.

693 (MCQ, hard)

An organization uses Organization Policies to restrict the use of certain IAM roles. The security team wants to audit all modifications to IAM policies across the organization, including at the project level. Which log type should be enabled and analyzed?

A. Admin Activity audit logs
B. System Event audit logs
C. Data Access audit logs (READ)
D. Data Access audit logs (WRITE)

Answer: A

Correct: Admin Activity logs capture all API calls that modify configuration or metadata, including IAM policy changes.

Why this answer

Admin Activity audit logs record all modifications to IAM policies. Data Access logs record reads of data, not policy changes. To audit IAM policy changes, Admin Activity logs must be enabled and analyzed.

694 (MCQ, hard)

A company has multiple projects under an organization. They want to enforce that all service accounts created in any project must use the naming prefix 'sa-'. Which policy should be used?

A. VPC Service Controls
B. Organization policy using a custom constraint
C. Project-level IAM condition
D. Cloud Audit Logs

Answer: B

Custom organization policies can enforce naming patterns.

Why this answer

An organization policy with a custom constraint is the correct approach because it allows you to define a specific rule (e.g., all service accounts must start with 'sa-') that is enforced across all projects in the organization. Custom constraints use the Resource Manager API's `constraints/*` format and are evaluated at resource creation time, making them ideal for naming conventions that must be applied universally.

Exam trap

Google Cloud often tests the distinction between 'enforcement' (organization policies) and 'monitoring' (audit logs) or 'access control' (IAM conditions), leading candidates to confuse a naming convention policy with a logging or access control mechanism.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls are designed to protect data within VPCs by controlling exfiltration, not to enforce naming conventions on service accounts. Option C is wrong because project-level IAM conditions control access based on attributes like resource name or timestamp, but they cannot enforce a naming prefix at creation time—they only restrict access to existing resources. Option D is wrong because Cloud Audit Logs record actions for auditing and monitoring, but they do not enforce any policies or prevent non-compliant resources from being created.

695 (MCQ, easy)

A data analyst needs to run complex analytical queries on a large dataset (10 TB) stored in Cloud Storage. They want to use a serverless query engine that charges based on the amount of data processed. Which Google Cloud service should they use?

A. Cloud SQL
B. BigQuery
C. Bigtable
D. Dataproc

Answer: B

BigQuery is serverless and ideal for analytical queries on large datasets with pay-per-query pricing.

Why this answer

BigQuery is a serverless data warehouse that charges based on queries processed (on-demand) or flat-rate. It can query external data in Cloud Storage via federated queries.

696 (MCQ, medium)

A team stores sensitive configuration files in Cloud Storage that internal services download at startup. External partners occasionally need time-limited access to specific files without creating GCP accounts. Which feature grants temporary access without modifying bucket permissions?

A. Make the specific files publicly readable and share the direct URL
B. Generate a Signed URL for the specific files with the required expiration time
C. Create a temporary GCP service account for the partner and share its JSON key
D. Enable uniform bucket-level access and create a public IAM binding for 24 hours

Answer: B

Signed URLs are cryptographically signed, time-limited URLs that grant access to specific Cloud Storage objects. Partners access the file via the URL without needing GCP credentials.

Why this answer

Option B is correct because Signed URLs provide time-limited, granular access to specific Cloud Storage objects without altering the underlying bucket permissions. The partner receives a URL that embeds authentication information and an expiration time, enabling secure, temporary downloads without requiring a GCP account or IAM role.

Exam trap

Google Cloud often tests the distinction between Signed URLs (object-level, temporary, no IAM changes) and Signed Policy Documents (form uploads) or public access, trapping candidates who confuse 'temporary access' with 'making objects public' or 'creating temporary credentials.'

How to eliminate wrong answers

Option A is wrong because making files publicly readable grants unrestricted access to anyone with the URL, violating the requirement for time-limited access and potentially exposing sensitive data indefinitely. Option C is wrong because creating a temporary service account and sharing its JSON key violates security best practices (key exposure risk) and requires the partner to manage GCP credentials, which contradicts the 'without creating GCP accounts' requirement. Option D is wrong because enabling uniform bucket-level access and creating a public IAM binding grants broad, time-limited access to the entire bucket, not specific files, and still requires modifying bucket-level permissions, which the question explicitly forbids.

697
Multi-Selecthard

You are designing a disaster recovery plan for a stateful application running on Compute Engine. You need to create crash-consistent backups of persistent disks every hour and store them in a different region for at least 30 days. Which TWO steps should you take? (Choose two.)

Select 2 answers
A.Stop the VM before taking each snapshot
B.Copy the snapshot to a different region using gcloud compute snapshots create --source-snapshot --region
C.Use gcloud compute images create to create a custom image from the snapshot, then export to a different region
D.Create a snapshot schedule using gcloud compute resource-policies
E.Use gcloud compute snapshots create with the --source-disk flag while the VM is running
AnswersA, B

Stopping the VM ensures crash consistency.

Why this answer

Snapshots are stored in regional locations, but can be moved using image creation. You need to stop the instance for crash consistency, then create snapshots. To store in a different region, you can create a disk from the snapshot in the new region or use image sharing.

The correct combination: stop the instance, create a snapshot, then copy or store the snapshot in the target region.

698
MCQhard

A team is using Cloud Shell to manage resources. They notice that their home directory is persistent across sessions, but they want to ensure that configuration files and scripts are also available after they stop and restart Cloud Shell. What should they do?

A.Use gcloud config configurations and save scripts in a Cloud Storage bucket
B.Create a startup script that runs every time Cloud Shell starts
C.Store files in /tmp
D.Store files in the home directory (~)
AnswerD

The home directory persists across Cloud Shell sessions.

Why this answer

Cloud Shell's home directory provides 5 GB of persistent disk storage. As long as files are stored in the home directory ($HOME), they will persist across sessions.

699
MCQmedium

You are deploying a stateful application to GKE that requires each pod to have its own dedicated persistent disk, and each disk must persist data even if the pod is rescheduled to a different node. Which Kubernetes object type should you use?

A.Deployment with a shared PersistentVolumeClaim mounted by all pods.
B.StatefulSet with volumeClaimTemplates to provision individual PVCs per pod.
C.DaemonSet with a hostPath volume on each node.
D.Deployment with an emptyDir volume for each pod.
AnswerB

StatefulSets with volumeClaimTemplates create a unique PVC for each pod replica. The PVC persists through pod rescheduling, giving each pod its own dedicated, durable persistent disk.

Why this answer

A StatefulSet with volumeClaimTemplates is the correct choice because it automatically provisions a unique PersistentVolumeClaim (PVC) for each pod replica, ensuring each pod gets its own dedicated persistent disk. When a pod is rescheduled to a different node, the PVC remains bound to its original PersistentVolume (PV), allowing the new pod to mount the same disk and retain the data. This meets the requirement for both per-pod dedicated storage and data persistence across rescheduling events.

Exam trap

The trap here is that candidates often choose a Deployment with a shared PVC (Option A) because they think 'shared storage' is simpler, but they overlook the requirement for each pod to have its own dedicated disk, which a shared volume cannot provide.

How to eliminate wrong answers

Option A is wrong because a Deployment with a shared PersistentVolumeClaim mounted by all pods would cause all replicas to write to the same disk, leading to data corruption and failing the requirement for each pod to have its own dedicated persistent disk. Option C is wrong because a DaemonSet with a hostPath volume on each node ties the data to a specific node's filesystem, so if a pod is rescheduled to a different node, the data is lost or inaccessible, violating the persistence requirement. Option D is wrong because a Deployment with an emptyDir volume for each pod creates ephemeral storage that is deleted when the pod terminates, so data does not persist across rescheduling events.

700
Multi-Selectmedium

A company is deploying a microservice on Cloud Run. They want to ensure that the service can handle high traffic spikes by allowing multiple concurrent requests per container instance. They also want to minimize cold starts. Which two settings should they configure? (Choose two.)

Select 2 answers
A.Set the timeout to 900 seconds
B.Set CPU always on to true
C.Set min-instances to a value greater than 0 (e.g., 1)
D.Set max-instances to a high value
E.Set concurrency to a value higher than 1 (e.g., 80)
AnswersC, E

Keeps at least one instance always running, eliminating cold starts for baseline traffic.

Why this answer

Setting concurrency to a higher value (e.g., 80) allows each container instance to handle multiple requests simultaneously, improving throughput. Setting min-instances to a value greater than 0 keeps instances warm to reduce cold starts. Max-instances limits scaling but does not help with cold starts.

CPU always on keeps CPU allocated but does not directly affect cold starts. Timeout affects request duration, not concurrency or cold starts.

701
Multi-Selecthard

A DevOps engineer is creating a GKE cluster for a production workload that requires high availability and resilience to zone failures. They also need to deploy a stateless application that can scale based on CPU usage. Which two actions should they take? (Choose two.)

Select 2 answers
A.Enable node auto-repair on the node pool
B.Create a zonal cluster in a single zone
C.Set the deployment replicas to 1
D.Enable horizontal pod autoscaling on the deployment with CPU target utilization
E.Create a regional cluster with nodes in multiple zones
AnswersD, E

HPA automatically scales pods based on CPU usage, meeting the scaling requirement.

Why this answer

A regional cluster spans multiple zones, providing high availability. An HPA scales pods based on CPU. A zonal cluster is not highly available.

Node auto-repair is for node health, not resilience to zone failure. Using a deployment with replicas is good, but the question asks for actions related to cluster creation and scaling.

702
MCQmedium

A payment service publishes an event to a message queue every time a transaction completes. Multiple downstream services (inventory, analytics, email) must each process every event independently. Which messaging pattern and GCP service best supports this?

A.Cloud Tasks with one queue per downstream service
B.Cloud Pub/Sub with one subscription per downstream service on a shared topic
C.Cloud Storage event notifications with three separate buckets
D.Directly calling each downstream service's API synchronously from the payment service
AnswerB

Pub/Sub's fan-out model: one topic, multiple subscriptions. Each subscription receives every message independently, decoupling the payment service from each consumer.

Why this answer

Cloud Pub/Sub with a single topic and one subscription per downstream service is the correct pattern because it implements a fan-out messaging model where each subscriber receives an independent copy of every published message. This ensures that inventory, analytics, and email services each process every transaction event without interference, while Pub/Sub handles at-least-once delivery and automatic scaling.

Exam trap

Google Cloud often tests the distinction between Cloud Tasks (point-to-point task execution) and Cloud Pub/Sub (fan-out messaging), and the trap here is that candidates confuse 'multiple queues' with 'multiple subscriptions,' failing to recognize that Pub/Sub’s topic-subscription model is the native GCP solution for independent event processing.

How to eliminate wrong answers

Option A is wrong because Cloud Tasks is designed for reliable task execution with a single queue per worker, not for fan-out to multiple independent consumers; using one queue per service would require the payment service to publish the same event to multiple queues, duplicating effort and breaking the decoupled pattern. Option C is wrong because Cloud Storage event notifications are triggered by object changes in a bucket and cannot reliably fan out the same event to multiple independent services without complex workarounds; they also lack the at-least-once delivery guarantees and subscription-level acknowledgment that Pub/Sub provides. Option D is wrong because directly calling each downstream service's API synchronously from the payment service creates tight coupling, increases latency (the payment service must wait for all responses), and introduces a single point of failure—if one service is slow or down, the entire transaction processing is blocked.

703
MCQhard

You are managing a Cloud SQL for PostgreSQL instance. You need to import a SQL dump file stored in a Cloud Storage bucket. The file is 10GB. Which command should you use?

A.Use psql command from a Compute Engine instance to connect and import the file.
B.gcloud sql import sql my-instance gs://bucket/file.sql --database=db
C.gcloud sql instances import my-instance gs://bucket/file.sql --database=db
D.gcloud sql import csv my-instance gs://bucket/file.sql --database=db
AnswerB

Correct command for SQL dump import.

Why this answer

gcloud sql import sql is the correct command for importing SQL dumps to Cloud SQL. Option B is correct.

704
MCQeasy

A company wants to deploy a containerized web application on Google Kubernetes Engine (GKE) with minimal operational overhead. They require automatic scaling based on CPU utilization. Which resource should they configure?

A.Cluster autoscaler
B.VerticalPodAutoscaler
C.HorizontalPodAutoscaler
D.Node auto-provisioning
AnswerC

Correctly scales pods based on CPU utilization.

Why this answer

The HorizontalPodAutoscaler (HPA) is the correct resource because it automatically scales the number of pod replicas in a GKE deployment based on observed CPU utilization (or other custom metrics). This directly meets the requirement for automatic scaling with minimal operational overhead, as HPA is a native Kubernetes controller that adjusts replica counts without manual intervention.

Exam trap

Google Cloud often tests the distinction between horizontal scaling (adding/removing pods) and vertical scaling (adjusting pod resources) or infrastructure scaling (adding/removing nodes), leading candidates to confuse the HorizontalPodAutoscaler with the Cluster autoscaler or VerticalPodAutoscaler.

How to eliminate wrong answers

Option A is wrong because the Cluster autoscaler adjusts the number of nodes in the GKE cluster, not the number of pod replicas; it handles infrastructure-level scaling, not application-level scaling based on CPU utilization. Option B is wrong because the VerticalPodAutoscaler (VPA) adjusts CPU and memory requests/limits of existing pods, not the number of replicas; it is designed for right-sizing resource requests, not horizontal scaling. Option D is wrong because Node auto-provisioning is a feature that automatically creates new node pools when the cluster autoscaler cannot scale up due to insufficient resources; it does not directly scale pods based on CPU utilization.

705
MCQhard

Your company's compliance policy requires that all customer data stored in Cloud Storage must be encrypted using keys stored in a Hardware Security Module (HSM). The encryption keys must be managed by your security team and must not be exportable. Which configuration meets these requirements?

A.Use Cloud KMS software keys (protection level: SOFTWARE) with Cloud Storage CMEK.
B.Use Cloud KMS HSM-backed keys (protection level: HSM) with Cloud Storage CMEK.
C.Use Customer-Supplied Encryption Keys (CSEK) managed by your security team.
D.Enable Google-managed encryption with HSM by selecting it in Cloud Storage settings.
AnswerB

HSM protection level keys are generated and stored inside FIPS 140-2 Level 3 HSMs. They are non-exportable by design. CMEK with Cloud KMS HSM keys gives your team control while meeting HSM and non-exportability requirements.

Why this answer

Option B is correct because Cloud KMS HSM-backed keys (protection level: HSM) ensure that encryption keys are stored in a Hardware Security Module, are managed by the security team, and are non-exportable by design. When used with Cloud Storage CMEK, this configuration meets the compliance requirement for HSM-based key storage with full customer control and no key export capability.

Exam trap

Google Cloud often tests the distinction between customer-managed keys (CMEK) and customer-supplied keys (CSEK), where candidates mistakenly think CSEK provides HSM-level protection or that Google-managed encryption can be configured to use an HSM, but neither meets the non-exportable, HSM-backed requirement.

How to eliminate wrong answers

Option A is wrong because Cloud KMS software keys (protection level: SOFTWARE) are stored in software, not in an HSM, and thus do not satisfy the requirement for HSM-based encryption. Option C is wrong because Customer-Supplied Encryption Keys (CSEK) are managed by the customer but are not stored in an HSM; they are supplied by the customer and can be exported, violating the non-exportable requirement. Option D is wrong because Google-managed encryption with HSM is not a selectable setting in Cloud Storage; Google-managed encryption uses Google-owned keys, not customer-managed HSM keys, and does not allow the security team to control or restrict key export.

706
MCQmedium

A developer wants to run a one-time query on a large dataset stored in Cloud Storage using BigQuery without loading the data into a table. Which feature should they use?

A.Use a BigQuery federated query with an external table definition
B.Create a permanent table and load the data using gcloud bq load
C.Use Cloud SQL to query the data via federated query
D.Use gcloud sql import to load data into BigQuery
AnswerA

Federated queries allow querying data directly in Cloud Storage.

Why this answer

BigQuery federated queries allow querying external data sources (like Cloud Storage) directly using external tables or the EXTERNAL_QUERY function. This avoids loading data.

707
MCQhard

An organization wants to use Cloud NAT to allow private Compute Engine instances to access the internet for updates. They have a VPC with a custom subnet and a Cloud Router configured. However, instances cannot reach the internet. What is the most likely cause?

A.The Cloud NAT gateway has not been created on the Cloud Router.
B.The instances do not have external IP addresses.
C.The firewall rules block egress traffic.
D.The subnet does not have Private Google Access enabled.
AnswerA

Correct: A Cloud Router alone does not provide NAT; a NAT gateway must be created on the router.

Why this answer

Cloud NAT requires a Cloud Router and a NAT gateway configuration on the router. If the NAT gateway is not created, instances cannot use NAT. Other issues like missing routes or firewall rules are possible but less likely when Cloud NAT is set up correctly.

708
MCQeasy

An engineer needs to create a GKE cluster with 3 nodes of machine type e2-medium in the us-central1 region. Which command should they use?

A.gcloud container clusters create my-cluster --num-nodes=3 --machine-type=e2-medium --region=us-central1
B.gcloud container clusters create my-cluster --num-nodes=3 --machine-type=e2-medium
C.gcloud container clusters create my-cluster --num-nodes=3 --machine-type=e2-medium --region=us-central1-a
D.gcloud container clusters create my-cluster --num-nodes=3 --machine-type=e2-medium --zone=us-central1-a
AnswerA

Correct regional cluster creation with 3 e2-medium nodes.

Why this answer

The correct command is 'gcloud container clusters create my-cluster --num-nodes=3 --machine-type=e2-medium --region=us-central1'. The --zone flag is for zonal clusters, not regional. The other options either use the wrong zone or the wrong flags.

709
MCQmedium

An organization has a VPC with subnets in us-central1 and europe-west1. They want to allow traffic from a specific on-premises IP range to reach a Compute Engine instance in europe-west1, but only through a single Cloud VPN tunnel attached to the us-central1 gateway. What configuration is required?

A.Create a route in us-central1 with the on-premises range and next hop set to the VPN tunnel. Add a firewall rule allowing the traffic.
B.Use policy-based routing on the Cloud VPN gateway to route the traffic to europe-west1.
C.Create a static route for the on-premises range in the europe-west1 subnet pointing to the VPN tunnel in us-central1.
D.Configure the VPN tunnel with BGP to advertise the on-premises range to both regions.
AnswerA

This routes traffic through the desired tunnel.

Why this answer

Option A is correct because the VPN tunnel is attached to the us-central1 gateway, and a static route in us-central1 with the on-premises IP range as the destination and the VPN tunnel as the next hop directs traffic from the on-premises network to the VPC. Since the VPC is global, the route applies to all regions, and the Compute Engine instance in europe-west1 is reachable as long as the traffic enters the VPC through the us-central1 tunnel. A firewall rule is required to allow the inbound traffic from the on-premises range to the instance.

Exam trap

The trap here is that candidates assume routes must be created in the same region as the destination instance, but in a global VPC, a route in one region can direct traffic to instances in another region as long as the next hop is valid and the traffic enters through the correct gateway.

How to eliminate wrong answers

Option B is wrong because Cloud VPN does not support policy-based routing; it uses route-based or BGP-based routing, and policy-based routing is not a feature of Cloud VPN gateways. Option C is wrong because a static route in the europe-west1 subnet cannot point to a VPN tunnel in us-central1; routes are global in a VPC, and the next hop must be a resource in the same region as the route's gateway, or the route must be created in the region where the VPN gateway resides. Option D is wrong because BGP advertises routes from the on-premises network to the VPC, not the other way around; advertising the on-premises range via BGP would not control the path through which traffic enters the VPC, and it would not force traffic through the us-central1 tunnel.

710
MCQhard

You are planning a Private Service Connect (PSC) configuration to allow your VPC to access a managed Cloud SQL instance over a private endpoint without exposing traffic to the public internet. What does Private Service Connect provide in this context?

A.PSC creates a VPC peering connection between your VPC and Google's service VPC.
B.PSC provides a private, internal IP endpoint in your VPC that routes to the managed service without traversing the public internet.
C.PSC enables bidirectional private communication between your VPC and the service's VPC, similar to peering.
D.PSC replaces the need for a Serverless VPC Access connector when calling managed services from Cloud Run.
AnswerB

PSC creates a forwarding rule in your VPC with an internal IP. Connections to this IP are routed privately to the managed service (Cloud SQL in this case) entirely within Google's network.

Why this answer

Private Service Connect (PSC) allows you to access Google-managed services (like Cloud SQL) by creating a private, internal IP endpoint within your VPC. This endpoint uses an internal IP address from your VPC's subnet and forwards traffic to the service without ever leaving Google's network, thus avoiding the public internet. Unlike VPC peering, PSC does not require you to manage peering relationships or worry about overlapping IP ranges.

Exam trap

The trap here is that candidates confuse Private Service Connect with VPC peering or assume it provides bidirectional connectivity, when in fact PSC is a unidirectional, endpoint-based model that does not require peering or address space coordination.

How to eliminate wrong answers

Option A is wrong because PSC does not create a VPC peering connection; it uses a Private Service Connect endpoint (a forwarding rule) that maps to a service attachment in the producer's VPC, not a direct peering link. Option C is wrong because PSC provides unidirectional (consumer-to-producer) access, not bidirectional communication; the producer cannot initiate connections back to the consumer's VPC. Option D is wrong because PSC is not a replacement for Serverless VPC Access connector; the connector is used to allow serverless environments (like Cloud Run) to reach resources in a VPC, whereas PSC is for accessing managed services from a VPC.

711
Multi-Selectmedium

A company wants to deploy a new application on Google Cloud that requires a regional managed instance group with automatic scaling based on HTTP load. Which two resources must they create? (Choose TWO.)

Select 2 answers
A.Cloud Run service
B.GKE cluster
C.HTTP(S) Load Balancer
D.Instance template
E.Cloud Function
AnswersC, D

Required to distribute traffic to the MIG and for health checks.

Why this answer

For a regional MIG with HTTP load balancing, you need an instance template (to define VMs) and a load balancer (e.g., HTTP(S) Load Balancer). Options C and D are correct. Option A is for Cloud Run; B is for GKE; E is for Cloud Functions.

712
MCQmedium

Refer to the exhibit. An application running on this instance is unable to write to a Cloud Storage bucket. What is the most likely cause?

A.The application is using the wrong authentication method
B.The access scopes only allow read access to Cloud Storage
C.The Cloud Storage bucket is in a different project
D.The service account does not have the storage.objectAdmin IAM role
AnswerB

The scope is read_only, so write operations are denied regardless of IAM role.

Why this answer

When an instance is created with access scopes, these scopes restrict the API methods that the instance's credentials can use, regardless of the IAM permissions granted to the attached service account. The exhibit shows that the access scopes are set to 'Read Only' for Cloud Storage, which means the application can only call read methods (e.g., storage.objects.get) and cannot perform write operations (e.g., storage.objects.insert). This overrides any IAM role that would otherwise allow write access.

Exam trap

Google Cloud often tests the distinction between IAM permissions and access scopes, trapping candidates who assume that a service account with the correct IAM role can always perform the action, ignoring that access scopes can override those permissions at the instance level.

How to eliminate wrong answers

Option A is wrong because the authentication method (e.g., using a service account key or metadata server) is not the issue; the access scopes are explicitly limiting the API calls. Option C is wrong because Cloud Storage buckets can be accessed from any project as long as the correct IAM permissions and access scopes are in place; cross-project access is not inherently blocked. Option D is wrong because even if the service account had the storage.objectAdmin IAM role, the access scopes would still restrict the API methods to read-only, making the IAM role irrelevant for write operations.

713
MCQeasy

You need to allow SSH access to a Compute Engine instance. Which method is the recommended way to manage SSH keys for multiple users?

A.Add SSH keys to the instance metadata.
B.Use gcloud compute ssh with the --ssh-key-file flag.
C.Enable OS Login and assign IAM roles to users.
D.Create a custom image with preconfigured SSH keys.
AnswerC

OS Login is the recommended method for managing SSH access at scale.

Why this answer

OS Login is the recommended method for managing SSH access to Compute Engine instances, as it links SSH keys to user accounts and integrates with IAM.

714
MCQhard

An organization has multiple GCP projects and wants to centralize billing analysis across all projects. They need to export detailed billing data (e.g., cost per SKU per project) to a BigQuery dataset. Which billing export option should they configure?

A.Export to CSV to Cloud Storage
B.Export to Cloud Billing report
C.Export to a Pub/Sub topic
D.Export detailed billing data to BigQuery
AnswerD

Correct option.

Why this answer

The standard usage cost export to BigQuery provides detailed billing data for analysis.

715
MCQmedium

A Cloud CDN cache is serving stale content after a website update. New files were deployed to Cloud Storage but CDN is still serving the old versions to some users. What is the fastest way to force CDN to serve the updated content?

A.Wait for the CDN TTL to expire — cached content automatically refreshes
B.Run a CDN cache invalidation for the affected URL paths
C.Delete and recreate the Cloud Storage bucket — CDN will detect the new bucket as a fresh origin
D.Disable Cloud CDN temporarily — all users will hit the origin until CDN is re-enabled
AnswerB

`gcloud compute url-maps invalidate-cdn-cache [URL_MAP] --path=[PATH_PATTERN]` immediately purges matching cached content. CDN fetches fresh content on the next request.

Why this answer

Option B is correct because Cloud CDN supports cache invalidation, which immediately removes cached objects from edge caches for specified URL paths. This forces the CDN to fetch fresh content from the origin (Cloud Storage) on the next request, providing the fastest way to serve updated content without waiting for TTL expiry.

Exam trap

Google Cloud often tests the misconception that modifying the origin (e.g., deleting/recreating a bucket) automatically clears the CDN cache, when in fact the CDN cache is independent and requires explicit invalidation or TTL expiry to refresh.

How to eliminate wrong answers

Option A is wrong because waiting for TTL expiry is passive and can take minutes to hours depending on the configured cache duration, which is not the fastest solution. Option C is wrong because deleting and recreating the Cloud Storage bucket does not affect CDN cache; the CDN still holds stale content from the old bucket URL, and the new bucket would require a new CDN configuration. Option D is wrong because disabling Cloud CDN temporarily disrupts service for all users and does not clear the cache; re-enabling it would still serve stale content until TTL expires or invalidation is performed.

716
MCQmedium

You have a BigQuery table with billions of rows. You need to create a new table with the same schema and copy all data from the original table. Which approach is most efficient?

A.Use bq load with an empty file to create the table, then insert data row by row.
B.Export the original table to Cloud Storage as Avro, then load into the new table.
C.Use bq query --destination_table mydataset.newtable 'SELECT * FROM mydataset.original'
D.Use bq cp (copy) command.
AnswerC

This copies data directly without intermediate storage.

Why this answer

Using bq query with SELECT * and a destination table is efficient because BigQuery can copy data without exporting and loading.

717
MCQhard

A company runs a stable production workload on 20 n2-standard-8 VMs that run continuously year-round. Which pricing commitment maximizes cost savings on these VMs?

A.Sustained use discounts (automatically applied)
B.1-year committed use discount (CUD)
C.3-year committed use discount (CUD)
D.Switching to Spot VMs
AnswerC

3-year CUDs for N2 VMs offer up to 57% discount compared to on-demand pricing — the highest available discount for stable, continuously-running workloads.

Why this answer

The 3-year committed use discount (CUD) offers the highest discount rate (up to 57% for compute-optimized machine types) compared to 1-year CUDs (up to 20%) or sustained use discounts (up to 30% for running a VM the entire month). Since the workload runs 20 n2-standard-8 VMs continuously year-round, a 3-year CUD locks in the maximum savings for this predictable, steady-state usage.

Exam trap

Google Cloud often tests the misconception that sustained use discounts are always the best option for long-running workloads, but candidates must recognize that committed use discounts provide significantly higher savings for predictable, continuous usage, especially with a 3-year term.

How to eliminate wrong answers

Option A is wrong because sustained use discounts are automatically applied for running VMs more than 25% of a month, but they max out at 30% discount, which is lower than the 3-year CUD's up to 57% discount. Option B is wrong because a 1-year CUD offers a lower discount (up to 20%) compared to a 3-year CUD, and since the workload runs continuously for multiple years, the longer commitment yields greater savings. Option D is wrong because Spot VMs can be preempted at any time, making them unsuitable for a stable production workload that requires continuous availability and cannot tolerate interruptions.

718
MCQhard

A team is using BigQuery for analytics. They have a constant query workload and want to reduce costs by switching from on-demand pricing to a flat-rate reservation. They have purchased a BigQuery flat-rate reservation. What additional step is required to use the reservation?

A.Enable flat-rate billing in the BigQuery settings
B.Assign the reservation to the desired projects using an assignment
C.No additional steps; flat-rate is automatically applied to all queries
D.Create a new dataset and move all tables into it
AnswerB

Why this answer

The reservation must be assigned to a project, folder, or organization via a reservation assignment. Without assignment, the reservation is not used, and queries continue to be billed on-demand.

719
Matchingmedium

Match each Google Cloud deployment tool to its purpose.


Concepts
Matches

Infrastructure-as-code using YAML

Multi-cloud infrastructure provisioning

CI/CD pipeline for building and testing

Command-line tool for managing GCP resources

Web-based UI for managing GCP

Why these pairings

These tools help manage GCP resources programmatically or manually.

720
MCQeasy

A site reliability engineer needs to be notified immediately when the error rate of a production microservice exceeds 5% over a 5-minute window. Which type of alerting policy should be used?

A.Uptime check alert
B.Pub/Sub notification hook
C.Metric threshold alert
D.Log-based alert (log metric trigger)
AnswerC

A metric threshold alert evaluates a metric against a threshold and is ideal for this use case.

Why this answer

A metric threshold alert triggers when a metric crosses a threshold. This scenario requires tracking the error rate metric and alerting when it exceeds 5%.

721
MCQeasy

An engineer needs to deploy a containerized web application that receives HTTP requests and should scale to zero when not in use. The application is stateless and has a lightweight container image. Which Google Cloud compute service should be used?

A.Compute Engine with a single VM
B.Cloud Functions
C.Cloud Run
D.Google Kubernetes Engine (GKE) Standard cluster
AnswerC

Cloud Run scales to zero and is purpose-built for stateless HTTP containers.

Why this answer

Cloud Run is a fully managed serverless platform that scales to zero when no requests are coming in, and bills per request. It is ideal for stateless HTTP-triggered container workloads.

722
Multi-Selecthard

An engineer needs to create a new project and set up the environment. They are using the gcloud command-line tool. Which two commands are required to create a project and link it to a billing account? (Choose TWO.)

Select 2 answers
A.gcloud billing projects link PROJECT_ID --billing-account=BILLING_ACCOUNT_ID
B.gcloud projects create PROJECT_ID
C.gcloud alpha billing accounts create
D.gcloud services enable cloudbilling.googleapis.com
E.gcloud config set project PROJECT_ID
Answers: A, B

This links the project to a billing account.

Why this answer

To create a project and link a billing account, you need to create the project (gcloud projects create) and then link the billing account (gcloud billing projects link).

723
MCQ · medium

A platform team needs to categorize GCP resources for policy enforcement (e.g., applying IAM conditions only to resources tagged 'environment:production'). Labels exist but don't support IAM conditions. What feature provides policy-tag-based enforcement?

A.Resource labels — set environment=production on each resource and reference in IAM conditions
B.Resource Manager Tags — attach a tag with key 'environment' and value 'production' and reference it in IAM conditions
C.Cloud Asset Inventory metadata fields — query by label and apply policies
D.Pub/Sub event-driven policy application triggered by label changes
Answer: B

Resource Manager Tags (created in Tag Namespaces) can be attached to resources and referenced in IAM Conditions, enabling attribute-based access control based on resource classification.

Why this answer

Option B is correct because Resource Manager Tags are the GCP feature specifically designed to support IAM conditions for policy enforcement. Unlike resource labels, which are simple key-value pairs used for metadata and billing, Resource Manager Tags can be referenced in IAM condition expressions using the `resource.matchTag` function, enabling fine-grained access control based on tag values such as 'environment:production'.

Exam trap

Google Cloud often tests the distinction between resource labels and Resource Manager Tags, trapping candidates who assume labels can be used in IAM conditions because they are more commonly used for resource organization.

How to eliminate wrong answers

Option A is wrong because resource labels cannot be used in IAM conditions; they are only for metadata, billing, and filtering, not for policy enforcement. Option C is wrong because Cloud Asset Inventory metadata fields are used for asset discovery and inventory, not for real-time policy enforcement via IAM conditions. Option D is wrong because Pub/Sub event-driven policy application is an architectural pattern, not a native GCP feature for tag-based IAM conditions, and label changes do not trigger IAM condition updates.

724
MCQ · hard

A CI/CD pipeline running outside GCP (on GitHub Actions) needs to authenticate to GCP to push images to Artifact Registry, without storing any long-lived service account key files. Which authentication mechanism achieves this?

A.Store a service account JSON key as a GitHub Actions secret and use it in the workflow
B.Workload Identity Federation with GitHub Actions as the identity provider
C.OAuth 2.0 user credentials from a developer's Google account
D.API keys created for the Artifact Registry service
Answer: B

Workload Identity Federation allows GitHub Actions workflows to authenticate to GCP using the workflow's OIDC token — no service account key file is ever created or stored.

Why this answer

Workload Identity Federation allows a GitHub Actions workflow to exchange a GitHub-issued OIDC token for a GCP access token, enabling authentication to Artifact Registry without storing any long-lived service account keys. This is the recommended approach for non-GCP CI/CD systems because it eliminates the security risk of managing static credentials while still granting fine-grained, short-lived access to GCP resources.

Exam trap

The trap here is that candidates often default to storing a service account key as a secret (Option A) because it's a familiar pattern, failing to recognize that Workload Identity Federation is the modern, keyless alternative specifically designed for external CI/CD providers like GitHub Actions.

How to eliminate wrong answers

Option A is wrong because storing a service account JSON key as a GitHub Actions secret still introduces a long-lived, static credential that must be rotated and managed, violating the requirement to avoid storing any long-lived service account key files. Option C is wrong because OAuth 2.0 user credentials from a developer's Google account are tied to a human user, not a CI/CD pipeline, and would require interactive consent flows, making them unsuitable for automated, non-interactive workflows. Option D is wrong because API keys are a simple, static authentication mechanism that does not support fine-grained IAM roles or short-lived tokens, and they are not designed for service-to-service authentication to Artifact Registry; they also cannot be scoped to a specific service account.

725
MCQ · medium

You are configuring an uptime check for an HTTPS endpoint that returns a JSON response. The check should validate that the response contains a specific field "status":"ok". Which uptime check option should you use?

A.Enable SSL hostname verification
B.Configure a notification channel
C.Add a content match with a regular expression
D.Create a log-based alert for the endpoint
Answer: C

Content matching allows you to specify a regex or substring to check in the response body.

Why this answer

Uptime checks can validate response content using content matching.

726
MCQ · hard

A company is using Cloud NAT to allow private Compute Engine instances to access the internet. They notice that traffic from some instances is not being NATed. What is the most likely cause?

A.The instances have external IP addresses assigned.
B.The Cloud Router is not configured correctly.
C.The firewall rules block egress traffic.
D.The instances are in a different region than the Cloud NAT gateway.
Answer: A

Instances with external IPs do not use Cloud NAT; they directly connect using their external IP.

Why this answer

Cloud NAT only applies to instances that do not have external IP addresses. If an instance has an external IP, it will use that IP for outbound traffic and bypass Cloud NAT.

727
MCQ · medium

A company wants to allow a junior admin to view project resources and create/modify Cloud Storage buckets but not delete them. Which IAM role should be assigned?

A.roles/storage.objectCreator
B.roles/storage.legacyBucketWriter
C.roles/storage.objectAdmin
D.roles/storage.admin
Answer: B

Legacy Bucket Writer allows creating and updating buckets but not deleting them.

Why this answer

The storage.legacyBucketWriter role allows creation and update of buckets without delete permission, so Option B is correct. Option D (storage.admin) allows all actions, including delete.

Option C (storage.objectAdmin) is for objects, not buckets. Option A (storage.objectCreator) is for object creation only.

728
MCQ · medium

A developer wants to deploy a containerized application on Cloud Run from a source code repository, without building a container image manually. The application is written in Node.js and includes a Dockerfile. Which command should the developer use to deploy directly from source?

A.gcloud run deploy --image=gcr.io/my-project/my-image --region=us-central1
B.gcloud app deploy --source .
C.gcloud run deploy my-service --source . --region=us-central1 --platform managed
D.gcloud functions deploy my-function --runtime nodejs14 --trigger-http --source .
Answer: C

Correct: --source tells Cloud Run to build from source and deploy.

Why this answer

Cloud Run supports deploying directly from source using gcloud run deploy with the --source flag. This command automatically builds a container image using Cloud Build and deploys it to Cloud Run. Option C is correct.

Option A uses --image, which expects a pre-built image. Option B is for App Engine. Option D is for Cloud Functions.

729
MCQ · hard

Refer to the exhibit. An administrator wants to grant a service account read-only access to all Compute Engine instances in a project, but only those with label 'environment=production'. Which IAM policy configuration should be used?

A.roles/compute.instanceAdmin with condition 'resource.labels.environment == "production"'
B.roles/compute.viewer with condition 'resource.labels.environment == "production"'
C.roles/compute.imageUser with condition 'resource.labels.environment == "production"'
D.roles/compute.viewer with condition 'request.host == "production"'
Answer: B

Viewer provides read-only access; the condition restricts that access to instances carrying the production label.

Why this answer

Option B is correct because roles/compute.viewer provides read-only access to Compute Engine resources, and the condition 'resource.labels.environment == "production"' restricts that access to only instances with the specified label. This satisfies the requirement of granting read-only access to production-labeled instances without granting broader permissions.

Exam trap

Google Cloud often tests the distinction between roles that grant read-only access (like roles/compute.viewer) versus roles that grant broader permissions (like roles/compute.instanceAdmin), and the use of correct condition attributes (resource.labels vs. request.host) to filter by resource labels.

How to eliminate wrong answers

Option A is wrong because roles/compute.instanceAdmin grants write permissions (e.g., start, stop, modify instances), which exceeds the required read-only access. Option C is wrong because roles/compute.imageUser only allows listing and using images, not reading instance metadata or configurations, so it does not provide the necessary read-only access to instances. Option D is wrong because 'request.host' is not a valid condition attribute for Compute Engine; the correct attribute for filtering by resource labels is 'resource.labels', and 'request.host' refers to the HTTP host header, which is irrelevant here.

730
Multi-Select · medium

A company needs to allow a group of external auditors to view Cloud Audit Logs for a project but not modify any resources. Which two steps should be taken? (Choose 2)

Select 2 answers
A.Grant the auditors the roles/iam.securityReviewer role.
B.Create a log sink to forward logs to a bucket the auditors can access.
C.Grant the auditors the roles/logging.viewer role on the project.
D.Grant the auditors the roles/logging.logWriter role.
E.Enable Data Access audit logs.
Answers: B, C

This is an alternative to directly granting view access in Logging; auditors can then access the bucket.

Why this answer

The auditors need the roles/logging.viewer role to view logs, and it should be granted at the project level so that the project's logs are visible to them.

731
Multi-Select · hard

Your GKE cluster is running an older version of Kubernetes. You need to upgrade the cluster's control plane and node pools. Which two steps should you perform? (Choose two.)

Select 2 answers
A.Create a new cluster with the desired version and migrate workloads
B.Drain all nodes using kubectl drain before upgrading
C.Manually update the kubelet version on each node
D.Upgrade the cluster's control plane using gcloud container clusters upgrade
E.Upgrade node pools using gcloud container node-pools upgrade
Answers: D, E

The control plane must be upgraded first.

Why this answer

Upgrading a GKE cluster involves upgrading the cluster (control plane) first using gcloud container clusters upgrade, and then upgrading node pools separately (or they can be auto-upgraded). You cannot upgrade nodes without upgrading the control plane first. Draining nodes is not an upgrade step; it is a maintenance operation.

732
MCQ · easy

Which gcloud command lists all available roles that can be granted on a GCP project, including both predefined and custom roles?

A.`gcloud iam roles list --project=PROJECT_ID`
B.`gcloud iam list-grantable-roles //cloudresourcemanager.googleapis.com/projects/PROJECT_ID`
C.`gcloud projects get-iam-policy PROJECT_ID`
D.`gcloud iam roles describe roles/editor`
Answer: B

This queries all roles — predefined and custom — that can be granted on the specified project resource.

Why this answer

Option B is correct because the `gcloud iam list-grantable-roles` command is specifically designed to list all roles (both predefined and custom) that can be granted on a given resource, such as a GCP project. The resource is identified by its canonical name, which for a project is `//cloudresourcemanager.googleapis.com/projects/PROJECT_ID`. This command returns roles that are eligible for binding at that resource level, including those inherited from ancestors.

Exam trap

Google Cloud often tests the distinction between listing roles that *can* be granted (grantable roles) versus listing roles that *are* granted (current bindings), and candidates confuse `gcloud iam roles list` (custom roles only) with the correct command for all grantable roles.

How to eliminate wrong answers

Option A is wrong because `gcloud iam roles list --project=PROJECT_ID` lists only custom roles defined in that project, not predefined roles or roles inherited from the organization. Option C is wrong because `gcloud projects get-iam-policy PROJECT_ID` retrieves the current IAM policy bindings (who has what role), not the list of all available roles that can be granted. Option D is wrong because `gcloud iam roles describe roles/editor` shows details of a single predefined role (Editor), not a list of all grantable roles on a project.

733
MCQ · hard

A company's Google Kubernetes Engine cluster has experienced a sudden increase in latency. The team suspects a misconfigured node pool is causing resource contention. They want to verify the node's resource usage. Which command or tool should they use?

A.Run 'gcloud container clusters describe cluster-name'.
B.Run 'kubectl top nodes'.
C.Use the Cloud Console Monitoring page to view node metrics.
D.Run 'kubectl describe node node-name'.
Answer: B

This shows CPU and memory usage per node.

Why this answer

B is correct because 'kubectl top nodes' directly displays real-time CPU and memory usage for each node in the cluster, which is the fastest way to identify resource contention causing latency. This command leverages the metrics-server to aggregate resource metrics from kubelets, giving immediate insight into node-level utilization without additional overhead.

Exam trap

The trap here is that candidates confuse 'kubectl describe node' (which shows static capacity and requests) with 'kubectl top nodes' (which shows actual live usage), leading them to choose D when they need real-time utilization data.

How to eliminate wrong answers

Option A is wrong because 'gcloud container clusters describe cluster-name' returns static cluster configuration metadata (e.g., zone, node count, network settings) but does not provide live resource usage metrics. Option C is wrong because the Cloud Console Monitoring page offers historical and aggregated metrics with dashboards, but it is not a direct command-line tool for quick verification; it requires navigating the UI and may have a delay in data ingestion. Option D is wrong because 'kubectl describe node node-name' shows node conditions, capacity, and allocated resources, but it does not show real-time usage; it reports requests and limits, not actual consumption, so it cannot confirm current resource contention.

734
MCQ · easy

A security auditor needs read-only access to Compute Engine instance metadata but should not be able to start or stop instances. Which predefined IAM role should be assigned?

A.roles/compute.instanceAdmin.v1
B.roles/compute.admin
C.roles/compute.networkAdmin
D.roles/compute.viewer
Answer: D

Provides read-only access to Compute Engine resources.

Why this answer

The roles/compute.viewer role grants read-only access to Compute Engine resources, including instance metadata, without allowing write operations such as starting or stopping instances. This matches the requirement for read-only metadata access while preventing instance lifecycle changes.

Exam trap

The trap here is that candidates may confuse 'viewer' with broader roles like instanceAdmin.v1, failing to recognize that instanceAdmin.v1 includes write permissions for starting and stopping instances.

How to eliminate wrong answers

Option A is wrong because roles/compute.instanceAdmin.v1 includes permissions to start, stop, and modify instances, which exceeds the required read-only access. Option B is wrong because roles/compute.admin provides full administrative control over all Compute Engine resources, including the ability to start and stop instances. Option C is wrong because roles/compute.networkAdmin focuses on network resources (e.g., firewalls, routes) and does not grant access to instance metadata.

735
MCQ · hard

A team's Cloud SQL for PostgreSQL instance is running out of disk space. Automated storage increase is disabled. A monitoring alert fires at 90% disk usage. What is the fastest safe action to increase storage?

A.Delete old records from the database to free space — no instance changes needed
B.Increase storage capacity using `gcloud sql instances patch --storage-size=[NEW_SIZE]` without downtime
C.Create a new larger Cloud SQL instance and migrate data with Cloud Database Migration Service
D.Enable automatic storage increase and wait — Cloud SQL will expand the disk retroactively
Answer: B

Cloud SQL supports online storage capacity increases via `gcloud sql instances patch --storage-size=[GB]`. The operation completes without instance restart or downtime.

Why this answer

Option B is correct because Cloud SQL for PostgreSQL supports online storage resizing without downtime. Using `gcloud sql instances patch --storage-size=[NEW_SIZE]` allows you to increase the allocated disk capacity while the instance remains fully operational, making it the fastest safe action when automated storage increase is disabled.

Exam trap

Google Cloud often tests the misconception that deleting data frees up provisioned storage in managed database services, when in fact the allocated disk size remains unchanged and must be explicitly increased via a resize operation.

How to eliminate wrong answers

Option A is wrong because deleting old records does not release disk space back to the operating system in Cloud SQL PostgreSQL; the space is retained by the database for future writes and does not reduce the provisioned storage size. Option C is wrong because creating a new larger instance and migrating data with Cloud Database Migration Service introduces significant downtime and operational complexity, which is slower and riskier than a simple online storage resize. Option D is wrong because enabling automatic storage increase does not retroactively expand the disk; it only allows future automatic expansions, and the instance is already at 90% usage with no immediate relief.

736
MCQ · medium

An application architect is comparing Cloud SQL (PostgreSQL) and Cloud Spanner for a new global e-commerce platform. The platform must serve customers on three continents with <50ms latency for reads and strong consistency for inventory updates. Which service best fits?

A.Cloud SQL with one primary instance and cross-region read replicas
B.Cloud Spanner multi-region configuration
C.Cloud Firestore in multi-region mode
D.Cloud SQL with Cloud Memorystore caching layer for reads
Answer: B

Cloud Spanner multi-region provides strong consistency for writes with globally distributed read replicas for low-latency reads — exactly matching the three-continent, strong-consistency requirement.

Why this answer

Cloud Spanner multi-region configuration is the correct choice because it provides strong global consistency with <50ms read latency across continents, which is essential for an e-commerce platform requiring real-time inventory updates. Spanner uses TrueTime and Paxos-based replication to ensure ACID transactions globally, meeting both the latency and consistency requirements simultaneously.

Exam trap

Google Cloud often tests the misconception that read replicas or caching layers can provide strong consistency globally, but only Spanner's synchronous replication and TrueTime guarantee ACID transactions across continents.

How to eliminate wrong answers

Option A is wrong because Cloud SQL cross-region read replicas are asynchronous, meaning they can serve stale data and do not provide strong consistency for inventory updates across continents. Option C is wrong because Cloud Firestore in multi-region mode offers strong consistency but is designed for NoSQL workloads and lacks the relational capabilities (e.g., joins, transactions) typically needed for complex e-commerce inventory systems. Option D is wrong because Cloud Memorystore caching layer for reads does not solve the strong consistency requirement for writes; it only improves read latency but cannot guarantee that inventory updates are immediately consistent across regions.

737
MCQ · easy

Your team uses Cloud Logging to store application logs. You want to create a metric that counts the number of ERROR log entries per service. Which type of log-based metric should you create?

A.Distribution metric
B.Boolean metric
C.Counter metric
D.Gauge metric
Answer: C

Correct: a counter metric counts log entries that match the filter (e.g., severity=ERROR).

Why this answer

Log-based metrics can be counter metrics (count of log entries matching a filter) or distribution metrics. For counting occurrences, a counter metric is appropriate.

738
MCQ · medium

A developer needs to make a Cloud Storage bucket publicly readable for all users. Which command should be used to set the appropriate IAM binding?

A.gsutil iam ch allUsers:objectViewer gs://my-bucket
B.gsutil acl ch -u AllUsers:R gs://my-bucket
C.gcloud storage buckets add-iam-policy-binding my-bucket --member allUsers --role roles/storage.objectViewer
D.gsutil iam set public-read gs://my-bucket
Answer: A

Correct. This grants allUsers the objectViewer role (read access).

Why this answer

The 'gsutil iam ch' command with 'allUsers' as the member and 'objectViewer' as the role grants public read access. Alternatively, 'gsutil acl ch' can be used, but modern best practice uses IAM.

739
MCQ · easy

A startup runs its application entirely on Cloud Run. They want to use a custom domain (api.mycompany.com) instead of the default Cloud Run URL. Which GCP feature maps a custom domain to a Cloud Run service?

A.Cloud DNS — create a CNAME record pointing to the Cloud Run URL
B.Cloud Run Domain Mappings or a Global Load Balancer with a Serverless NEG
C.Cloud Endpoints with an API gateway configuration
D.Firebase Hosting rewrites to Cloud Run
Answer: B

Cloud Run Domain Mappings provide the simplest path to custom domains with automatic TLS. For advanced routing, a Global Load Balancer with a Serverless Network Endpoint Group (NEG) is used.

Why this answer

Option B is correct because Cloud Run Domain Mappings provide a native, managed way to map a custom domain to a Cloud Run service without additional infrastructure. Alternatively, a Global Load Balancer with a Serverless NEG (Network Endpoint Group) can also route traffic from a custom domain to Cloud Run, offering advanced features like SSL termination and traffic splitting. Both approaches are officially supported by Google Cloud for custom domain mapping.

Exam trap

The trap here is that candidates often assume a simple DNS CNAME record is sufficient, but Cloud Run requires domain ownership verification and SSL certificate management, which only Domain Mappings or a Load Balancer with Serverless NEG provide.

How to eliminate wrong answers

Option A is wrong because a CNAME record in Cloud DNS alone cannot map a custom domain to Cloud Run; Cloud Run requires verification of domain ownership and SSL certificate provisioning, which a simple CNAME does not handle. Option C is wrong because Cloud Endpoints with an API gateway configuration is designed for managing, securing, and monitoring APIs, not for mapping a custom domain to a Cloud Run service; it operates at a higher layer and does not replace the need for domain mapping. Option D is wrong because Firebase Hosting rewrites to Cloud Run are a feature of Firebase Hosting, not a direct GCP feature for mapping a custom domain to Cloud Run; it introduces an unnecessary intermediary and is not the standard approach for a standalone Cloud Run service.

740
MCQ · hard

A team runs `gcloud organizations list` and sees no output even though they know their company has a GCP organization. What is the most likely cause, and how should they resolve it?

A.The organization does not exist yet; run `gcloud organizations create` to create it.
B.The user lacks org-level IAM permissions such as Organization Viewer.
C.The gcloud SDK does not support the organizations command; use the Cloud Console instead.
D.The project must be linked to the organization using `gcloud projects move`.
Answer: B

Without `resourcemanager.organizations.get` permission at the org level, `gcloud organizations list` returns empty results even if the org exists.

Why this answer

The `gcloud organizations list` command retrieves organizations from the GCP Resource Manager API. If no output is returned despite the organization existing, the most likely cause is that the authenticated user lacks the `resourcemanager.organizations.get` permission, which is granted by roles like Organization Viewer (`roles/resourcemanager.organizationViewer`) or Organization Administrator (`roles/resourcemanager.organizationAdmin`). Without this IAM permission at the organization level, the API call returns an empty list rather than an error, which is a common source of confusion.

Exam trap

The trap here is that candidates assume a missing organization or a command limitation, when in fact the empty output is a deliberate API behavior designed to hide organizations from users without explicit permission, testing the understanding of IAM scoping and the difference between list and describe commands.

How to eliminate wrong answers

Option A is wrong because `gcloud organizations create` is not a valid command; GCP organizations are created automatically when a Google Workspace or Cloud Identity account is set up, not via the gcloud CLI. Option C is wrong because the `gcloud organizations` command is fully supported in the gcloud SDK and uses the Resource Manager API; the Cloud Console is not required. Option D is wrong because linking a project to an organization is unrelated to listing organizations; the issue is about visibility of the organization itself, not project association.

741
MCQ · medium

A security engineer needs to ensure that Compute Engine instances in a VPC can only communicate with each other on port 443 and cannot receive traffic from the internet. The VPC has a default network with default firewall rules. What should the engineer do?

A.Create a firewall rule with priority 2000 denying ingress from 0.0.0.0/0 and a rule allowing ingress from 10.0.0.0/16 on port 443 with priority 1000.
B.Create a firewall rule with priority 1000 allowing ingress from 0.0.0.0/0 on port 443 and deny all other traffic.
C.Delete all default firewall rules and create a rule allowing ingress from the VPC's subnet range (e.g., 10.0.0.0/16) on port 443.
D.Modify the default-allow-internal rule to only allow port 443.
Answer: C

Correct: deleting the default rules removes internet ingress and the default allow-all-internal rule. The new rule restricts internal communication to port 443.

Why this answer

The default VPC includes default firewall rules that allow ingress from the internet and allow all internal traffic. To restrict communication, the engineer must first delete the default ingress rule that allows all traffic from the internet (allow-ssh, allow-icmp, allow-rdp, and allow-http/https can be deleted), then create a new rule that allows ingress only from the VPC's IP range on port 443. The default internal rule allows all traffic within the network; to restrict to port 443, a new rule with higher priority can override it, or the default rule can be deleted and a new one created.

742
MCQ · easy

A team needs a database backup job to run every day at 2 AM UTC. The job calls an HTTP endpoint to trigger the backup. The endpoint requires no complex orchestration — just a timed HTTP call. Which GCP service handles this most simply?

A.Cloud Tasks with a daily task enqueued by a Cloud Function
B.Cloud Scheduler with an HTTP target pointing to the backup endpoint
C.Cloud Composer DAG running at 2 AM UTC
D.Cloud Run Jobs triggered by a Cloud Monitoring alert at 2 AM
Answer: B

Cloud Scheduler sends a configured HTTP request to the backup endpoint at 2 AM UTC daily — the exact use case it's designed for, requiring minimal setup.

Why this answer

Cloud Scheduler is the simplest GCP service for a recurring HTTP call because it is a fully managed cron job service that directly supports HTTP targets. You configure a schedule (e.g., '0 2 * * *' for daily at 2 AM UTC) and point it to the backup endpoint URL. No additional code, queue, or orchestration is needed, making it the most straightforward solution for this use case.

Exam trap

The trap here is that candidates overcomplicate the solution by choosing Cloud Tasks (A) or Cloud Composer (C) because they assume a 'job' requires a queue or orchestration, when Cloud Scheduler's HTTP target is the simplest and most direct fit for a single timed HTTP call.

How to eliminate wrong answers

Option A is wrong because Cloud Tasks is a task queue/distributed execution service, not a scheduler; you would still need Cloud Scheduler or a separate trigger to enqueue the task daily, adding unnecessary complexity. Option C is wrong because Cloud Composer (Apache Airflow) is a full workflow orchestration platform designed for complex, multi-step pipelines with dependencies, not for a simple timed HTTP call — it introduces heavy overhead and cost. Option D is wrong because Cloud Monitoring alerts are for reacting to metric thresholds or system states, not for scheduling recurring actions; using an alert to trigger a job at a fixed time is an incorrect architectural pattern and would require a custom metric or log-based alert, which is convoluted and unreliable for simple cron-like scheduling.

743
MCQ · easy

A compliance archive stores legal documents accessed at most once per quarter. Which Cloud Storage class minimizes storage cost while meeting that access pattern?

A.Standard
B.Nearline
C.Coldline
D.Archive
Answer: C

Coldline is ideal for data accessed once per quarter or less. It offers low storage cost with a 90-day minimum storage duration, matching this use case.

Why this answer

Coldline storage is designed for data accessed less than once per quarter, offering lower storage costs than Standard or Nearline while still providing millisecond access when needed. For a compliance archive accessed at most once per quarter, Coldline minimizes storage cost without incurring the higher retrieval fees or minimum storage durations of Archive storage.

Exam trap

Google Cloud often tests the misconception that Archive is always the cheapest option for infrequently accessed data, ignoring the minimum storage duration and retrieval costs that can make Coldline more cost-effective for quarterly access patterns.

How to eliminate wrong answers

Option A is wrong because Standard storage is optimized for frequently accessed data (multiple times per month) and has the highest storage cost, making it unsuitable for quarterly access. Option B is wrong because Nearline is intended for data accessed less than once per month, not once per quarter, and its storage cost is higher than Coldline for this access pattern. Option D is wrong because Archive storage, while having the lowest storage cost, imposes a 365-day minimum storage duration and higher retrieval fees, which is excessive for data accessed quarterly and may increase total cost if data is deleted early.

744
MCQ · hard

A healthcare company stores patient data in Cloud Storage. Compliance requires that even GCP (Google) cannot decrypt this data. The company manages encryption keys entirely on their own infrastructure. Which encryption option satisfies this?

A.Customer-Managed Encryption Keys (CMEK) stored in Cloud KMS
B.Customer-Supplied Encryption Keys (CSEK) provided with each API request
C.Google-managed encryption keys (default) with restricted IAM policies
D.Shielded VM with confidential computing for the VMs that access the data
AnswerB

CSEK requires the customer to supply the encryption key with every API request. GCP uses the key transiently and never stores it — Google cannot access data without the customer providing the key each time.

Why this answer

Option B is correct because Customer-Supplied Encryption Keys (CSEK) allow the customer to provide their own AES-256 encryption key with each API request to Cloud Storage. Google does not store the key; it is used only in memory to encrypt/decrypt the data and then discarded, ensuring that even Google cannot access the plaintext. This meets the compliance requirement that the customer retains exclusive control over the encryption keys.

Exam trap

The trap here is that candidates confuse CMEK with CSEK, assuming that managing keys in Cloud KMS gives the customer exclusive control, but CMEK still allows Google to access the key material via the KMS service, whereas CSEK ensures Google never stores the key.

How to eliminate wrong answers

Option A is wrong because Customer-Managed Encryption Keys (CMEK) are stored in Cloud KMS, which means Google manages the key material in a hardware security module (HSM) and can technically decrypt the data if required by law or internal policy. Option C is wrong because Google-managed encryption keys are fully controlled by Google, and restricting IAM policies does not prevent Google from accessing the keys or decrypting the data. Option D is wrong because Shielded VM with confidential computing protects data in use within VM memory, but does not address encryption at rest in Cloud Storage or key management; the data in Cloud Storage would still be encrypted with keys accessible to Google.
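The CSEK contract described above (the caller supplies the AES-256 key on every request; Cloud Storage keeps only a SHA-256 hash of the key to validate later requests) can be seen in the request headers the Cloud Storage API expects. The following is an added example, not code from the page, the exam vendor or Google's client libraries; the header names `x-goog-encryption-algorithm`, `x-goog-encryption-key` and `x-goog-encryption-key-sha256` are the documented CSEK headers, while the stored-hash check is a local model of what the service does and the sample key is constructed here for illustration.

```python
import base64
import hashlib
import hmac
import os


def generate_csek() -> bytes:
    """Generate a fresh 256-bit key. In production this comes from the
    customer's own key management system, never from the cloud provider."""
    return os.urandom(32)


def csek_headers(key: bytes) -> dict:
    """Build the three CSEK headers that must accompany every request
    (upload, download, metadata read) touching a CSEK-protected object."""
    if len(key) != 32:
        raise ValueError("CSEK must be a 32-byte (AES-256) key")
    return {
        "x-goog-encryption-algorithm": "AES256",
        # The raw key, base64-encoded. Google uses it in memory and discards it.
        "x-goog-encryption-key": base64.b64encode(key).decode("ascii"),
        # SHA-256 of the raw key, base64-encoded; this is all the service retains.
        "x-goog-encryption-key-sha256": base64.b64encode(
            hashlib.sha256(key).digest()
        ).decode("ascii"),
    }


def stored_key_hash(key: bytes) -> str:
    """What Cloud Storage persists in object metadata (customerEncryption.keySha256):
    the hash of the key, which cannot be reversed into the key itself."""
    return csek_headers(key)["x-goog-encryption-key-sha256"]


def key_matches_object(supplied_key: bytes, object_key_sha256_b64: str) -> bool:
    """Local model of the server-side check: a request is served only when the
    hash of the supplied key equals the hash stored with the object.
    compare_digest avoids leaking the comparison result through timing."""
    candidate = stored_key_hash(supplied_key)
    return hmac.compare_digest(candidate, object_key_sha256_b64)


if __name__ == "__main__":
    # Constructed walk-through: one key "uploads" an object, a second key is refused.
    key_a = generate_csek()
    key_b = generate_csek()
    on_record = stored_key_hash(key_a)          # the only key material Google keeps
    print(csek_headers(key_a))
    print("same key accepted:", key_matches_object(key_a, on_record))    # True
    print("other key accepted:", key_matches_object(key_b, on_record))   # False
```

With the `google-cloud-storage` client the same headers are produced for you by passing `encryption_key=key` when creating the `Blob`. The operational consequence is the flip side of the compliance benefit: because only the hash is retained, a lost CSEK means the object is permanently unreadable, so key backup and rotation discipline on the customer side is part of the control.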

745
MCQhard

A team is using Terraform to manage Google Cloud resources. They want to store the Terraform state file in a Cloud Storage bucket to enable collaboration. The bucket is in project 'state-project'. Which backend configuration should they use?

A.terraform { backend "gcs" { bucket = "state-project-tfstate" prefix = "prod" } }
B.terraform { backend "cloud" { bucket = "my-bucket" } }
C.terraform { backend "remote" { hostname = "app.terraform.io" organization = "my-org" workspaces { name = "prod" } } }
D.terraform { backend "s3" { bucket = "my-bucket" key = "prod/terraform.tfstate" region = "us-east1" } }
AnswerA

Correct GCS backend configuration.

Why this answer

To store Terraform state in GCS, use the 'gcs' backend with the bucket name and an optional prefix. Option A is correct. Option B uses a 'cloud' backend, which is not valid.

Option C uses the 'remote' backend incorrectly. Option D uses the 's3' backend, which is for AWS.

746
MCQmedium

A team is using Terraform to manage Google Cloud infrastructure. They want to store Terraform state files in a remote backend that supports locking to prevent concurrent modifications. Which backend should they use?

A.Cloud Storage
B.Cloud Source Repositories
C.Cloud Shell
D.Cloud Bigtable
AnswerA

GCS is a supported backend for Terraform state with locking capabilities.

Why this answer

Google Cloud Storage (GCS) is the recommended backend for Terraform on GCP. It supports state locking via object versioning and a lock mechanism (using the state lock table in a GCS bucket). Cloud Shell is not a backend.

Cloud Source Repositories is for source code. Bigtable is for NoSQL workloads.

747
MCQhard

You are managing Terraform state for a GCP infrastructure project shared by a team of 5 engineers. You need to prevent simultaneous `terraform apply` operations from causing state corruption. What is the recommended backend configuration?

A.Store state locally on each engineer's machine and merge state files manually after each apply.
B.Configure the `gcs` backend in Terraform, pointing to a Cloud Storage bucket with versioning enabled.
C.Use Terraform Cloud (HashiCorp) as the backend for state locking.
D.Use a Cloud Source Repository to store state files with branch-based locking.
AnswerB

The GCS backend stores state remotely with automatic state locking. Concurrent applies are prevented — the second apply fails with a lock error until the first completes. Versioning provides state history for rollback.

Why this answer

Option B is correct because the `gcs` backend with versioning enabled provides both remote state storage and built-in state locking via Cloud Storage's object-level consistency model. When one engineer runs `terraform apply`, the backend acquires a lock by writing a lock file to the bucket; other concurrent operations are blocked until the lock is released, preventing state corruption. Versioning further protects against accidental state deletion or corruption by allowing rollback to previous state versions.

Exam trap

Google Cloud often tests the distinction between a remote backend that supports locking (like `gcs` or `s3`) versus a remote backend that only stores state (like `consul` without locking or a plain HTTP backend), and the trap here is that candidates may think any remote storage (like Cloud Source Repository) or a third-party service (like Terraform Cloud) is equally valid, when the question specifically requires a GCP-native solution with locking.

How to eliminate wrong answers

Option A is wrong because storing state locally on each engineer's machine and manually merging state files is error-prone, does not provide any locking mechanism, and directly contradicts Terraform's recommended practice of using a remote backend for team collaboration. Option C is wrong because Terraform Cloud is a HashiCorp product, not a GCP-native service, and while it does provide state locking, the question specifically asks for a 'recommended backend configuration' within the context of a GCP infrastructure project — the `gcs` backend is the GCP-native solution. Option D is wrong because Cloud Source Repository is a Git repository service, not a Terraform state backend; it does not support state locking or the Terraform state API, and branch-based locking is not a concept Terraform recognizes for state management.

748
MCQhard

A company is deploying a multi-region application on Google Kubernetes Engine (GKE) with clusters in us-central1 and europe-west1. They want to route user traffic to the closest healthy cluster using a global load balancer with SSL termination. Which load balancing service should they use?

A.Internal Load Balancer
B.SSL Proxy Load Balancer
C.External TCP/UDP Network Load Balancer
D.External HTTPS Load Balancer with a global backend service (using NEGs)
AnswerD

This load balancer can route to multiple backends across regions and terminate SSL.

Why this answer

D is correct because the External HTTPS Load Balancer with a global backend service using Network Endpoint Groups (NEGs) provides global anycast IP, SSL termination, and traffic routing to the closest healthy GKE cluster via Google's global network. This meets the requirement for multi-region GKE clusters with automatic failover and low latency.

Exam trap

The trap here is that candidates often confuse regional load balancers (like SSL Proxy or TCP/UDP Network LB) with global ones, mistakenly thinking SSL termination alone is sufficient, but the key requirement for multi-region routing to the closest cluster demands a global load balancer with a global backend service.

How to eliminate wrong answers

Option A is wrong because an Internal Load Balancer is regional and cannot route traffic globally or terminate SSL for external users. Option B is wrong because the SSL Proxy Load Balancer, while supporting SSL termination, is a regional proxy-based load balancer and does not provide global anycast routing to the closest healthy cluster; it is designed for non-HTTP(S) traffic. Option C is wrong because the External TCP/UDP Network Load Balancer is a regional, passthrough load balancer that does not support SSL termination and cannot route traffic to the closest healthy cluster across regions.

749
MCQmedium

A team is creating a managed instance group (MIG) for a stateless web application. They need to ensure that instances are automatically replaced if they become unhealthy and that new instances are rolled out gradually with no downtime during updates. Which set of configurations should they use?

A.Create a MIG without health check; set rolling update with maxSurge=1 and maxUnavailable=0.
B.Create a MIG with a health check for autohealing; set rolling update with maxSurge=0 and maxUnavailable=1.
C.Create a MIG with a health check configured for autohealing; set rolling update with maxSurge=1 and maxUnavailable=0.
D.Create a MIG without health check; set rolling update with maxSurge=0 and maxUnavailable=1.
AnswerC

Autohealing replaces unhealthy instances; rolling update with maxSurge>0 and maxUnavailable=0 ensures no downtime.

Why this answer

To replace unhealthy instances, enable autohealing with a health check. For gradual updates with no downtime, use a rolling update with maxSurge set to a positive value (e.g., 1) and maxUnavailable set to 0. Option C correctly specifies both.

Option A omits the health check, so autohealing is not configured. Option B uses maxUnavailable=1, which allows some downtime. Option D omits autohealing and sets maxSurge=0, which prevents new instances from being created before old ones are deleted, causing downtime.
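Why maxSurge and maxUnavailable decide whether a rolling update dips below target capacity, and how autohealing picks instances to recreate, can be worked through with a small simulation. This is an added example, not code from the page or from Google; it models the two invariants the MIG updater enforces (serving instances never fall below target minus maxUnavailable, total instances never exceed target plus maxSurge) and a simple "N consecutive failed checks" autohealing rule, with the instance names and health results constructed for illustration. It generalizes beyond the question's values so any combination can be compared.

```python
from dataclasses import dataclass, field


@dataclass
class UpdatePlan:
    steps: list = field(default_factory=list)
    min_serving: int = 0   # lowest number of healthy, serving instances at any point
    peak_total: int = 0    # highest number of instances that existed at any point


def plan_rolling_update(target: int, max_surge: int, max_unavailable: int) -> UpdatePlan:
    """Simulate a MIG rolling update. Instances on the old template are
    deleted only while serving capacity stays >= target - max_unavailable;
    new instances are created only while total stays <= target + max_surge.
    New instances are assumed to pass their health check before the next round."""
    if max_surge == 0 and max_unavailable == 0:
        # The updater could neither add nor remove anything; GCE rejects this too.
        raise ValueError("at least one of maxSurge / maxUnavailable must be > 0")
    old, new = target, 0
    plan = UpdatePlan(min_serving=target, peak_total=target)
    rounds = 0
    while old > 0 or new < target:
        rounds += 1
        if rounds > 10 * target:
            raise RuntimeError("update did not converge")
        # Create phase: fill the surge room above target with new-template instances.
        room = target + max_surge - (old + new)
        create = min(room, target - new)
        if create > 0:
            new += create
            plan.peak_total = max(plan.peak_total, old + new)
            plan.steps.append(f"create {create} new; serving {old + new}/{target}")
        # Delete phase: remove old instances without breaching the availability floor.
        delete = min(old, (old + new) - (target - max_unavailable))
        if delete > 0:
            old -= delete
            plan.steps.append(f"delete {delete} old; serving {old + new}/{target}")
        plan.min_serving = min(plan.min_serving, old + new)
    return plan


def autoheal(health_history: dict, unhealthy_threshold: int = 2) -> list:
    """Return the instances autohealing would recreate: those whose most recent
    `unhealthy_threshold` health checks all failed (one transient failure is not
    enough). The health check's own initial delay and interval are not modelled."""
    to_recreate = []
    for name, checks in health_history.items():
        recent = checks[-unhealthy_threshold:]
        if len(recent) == unhealthy_threshold and not any(recent):
            to_recreate.append(name)
    return sorted(to_recreate)


if __name__ == "__main__":
    for surge, unavail in [(1, 0), (0, 1), (2, 1)]:
        p = plan_rolling_update(3, surge, unavail)
        print(f"maxSurge={surge} maxUnavailable={unavail}: "
              f"min serving {p.min_serving}/3, peak total {p.peak_total}")
    # Constructed health-check history: True = passed, False = failed.
    history = {"web-a": [True, False, False], "web-b": [True, True, False]}
    print("autoheal recreates:", autoheal(history))
```

For a target of 3, maxSurge=1/maxUnavailable=0 keeps three instances serving throughout (at the cost of a fourth instance briefly existing), whereas maxSurge=0/maxUnavailable=1 drops to two for most of the update; that gap is the "downtime" the question refers to for a stateless tier sized exactly to its load.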

750
MCQhard

A SaaS company serves 200 enterprise customers, each requiring complete data isolation in separate databases. The company needs to provision a new customer database within minutes and manage 200 databases with minimal overhead. Which GCP approach scales most efficiently?

A.200 separate Cloud SQL instances, one per customer
B.A single Cloud SQL instance with a separate schema (database) per customer, provisioned via API automation
C.Storing all customer data in a single shared database with customer_id as a discriminator column
D.Using BigQuery with a separate dataset per customer
AnswerB

A single Cloud SQL instance with per-customer databases (schemas) balances isolation, cost efficiency, and provisioning speed. Automation via API or Terraform enables sub-minute provisioning.

Why this answer

Option B is correct because it uses a single Cloud SQL instance with separate schemas (databases) per customer, which allows you to achieve complete data isolation while minimizing overhead. Provisioning a new schema via API automation takes seconds, and managing 200 schemas on one instance is far more efficient than managing 200 separate instances. This approach scales efficiently because Cloud SQL supports up to 10,000 databases per instance, and you can leverage connection pooling and shared resources without sacrificing isolation.

Exam trap

The trap here is that candidates often confuse 'data isolation' with 'physical separation' and assume separate instances are required, but GCP's Cloud SQL supports logical isolation via separate databases on a single instance, which is far more efficient and still meets the isolation requirement.

How to eliminate wrong answers

Option A is wrong because managing 200 separate Cloud SQL instances introduces massive operational overhead, including patching, backups, and monitoring each instance individually, and it does not scale efficiently for provisioning within minutes. Option C is wrong because storing all customer data in a single shared table with a customer_id discriminator violates the requirement for complete data isolation, as a query error or bug could expose data across customers. Option D is wrong because BigQuery is a data warehouse designed for analytics, not for transactional, low-latency database operations required by a SaaS application, and provisioning a new dataset does not provide the same isolation or performance characteristics as a relational database schema.
