Google Associate Cloud Engineer (ACE) — Questions 751–825

991 questions total · 14 pages · All types, answers revealed

Page 11 of 14
751 (MCQ, medium)

A team is building a real-time multiplayer game backend requiring low-latency state synchronization between players worldwide. Session data must persist for the duration of a game (up to 2 hours) but doesn't need long-term storage. Which managed service best fits?

A. Cloud SQL for PostgreSQL with connection pooling
B. Cloud Memorystore for Redis
C. Cloud Bigtable
D. Cloud Firestore in Native mode

Answer: B

Memorystore provides sub-millisecond in-memory storage with built-in TTL support for expiring game sessions — ideal for real-time, ephemeral state.

Why this answer

Cloud Memorystore for Redis is the best fit because it provides an in-memory data store with sub-millisecond latency, ideal for real-time state synchronization in a multiplayer game. Redis supports data structures like sets and sorted sets for leaderboards or session state, and its optional persistence (RDB/AOF) can cover the 2-hour game duration without needing long-term storage. This aligns with the requirement for low-latency, ephemeral session data that must survive only the game session.

Exam trap

Google Cloud often tests the distinction between in-memory caches (Redis) and persistent databases (Cloud SQL, Bigtable, Firestore), where candidates mistakenly choose a database with real-time features (like Firestore) without recognizing that its latency and consistency model are insufficient for sub-millisecond state synchronization.

How to eliminate wrong answers

Option A is wrong because Cloud SQL for PostgreSQL is a relational database with disk-based storage, incurring higher latency (typically 5-10 ms) unsuitable for real-time state synchronization, and connection pooling does not address the fundamental latency or in-memory performance need. Option C is wrong because Cloud Bigtable is a wide-column NoSQL database optimized for large-scale analytical workloads (e.g., time-series data) with high throughput but not sub-millisecond latency for frequent read/write operations in a real-time game; it also requires a cluster and is overkill for ephemeral session data. Option D is wrong because Cloud Firestore in Native mode is a document database with real-time listeners but has higher latency (typically 10-100 ms) and is designed for persistent, scalable app data, not for ultra-low-latency, short-lived session state; its eventual consistency model can also cause synchronization issues in a fast-paced game.

752 (MCQ, medium)

You need to transfer 50 TB of data from an AWS S3 bucket to Cloud Storage. The data must be transferred within 48 hours, and the network bandwidth between AWS and GCP is limited to 1 Gbps. Which GCP service manages this transfer efficiently?

A. Use `gsutil -m cp` from a Compute Engine VM in the same region as the destination bucket.
B. Use Storage Transfer Service to set up an S3-to-GCS transfer job.
C. Download from S3 and re-upload to GCS using a local machine with high bandwidth.
D. Use BigQuery Data Transfer Service to move S3 data to GCS.

Answer: B

Storage Transfer Service natively supports AWS S3 as a source. It manages parallelism, retries, filtering, and scheduling for large cross-cloud transfers — purpose-built for this use case.

Why this answer

Storage Transfer Service is the correct choice because it is a managed service designed specifically for moving large datasets from external cloud providers (like AWS S3) to Google Cloud Storage. It handles the transfer asynchronously, can parallelize connections to maximize throughput, and is ideal for the 50 TB / 48-hour constraint given a 1 Gbps link (theoretical max ~5.4 TB/day, but with parallelism and retries, STS can approach line rate). It eliminates the need for an intermediate VM or manual scripting.

Exam trap

The trap here is that candidates assume a Compute Engine VM with `gsutil -m cp` is the simplest approach, but they overlook that Storage Transfer Service is a fully managed, scalable solution that offloads orchestration and retry logic, making it the only viable option for meeting a strict time constraint with limited bandwidth.

How to eliminate wrong answers

Option A is wrong because using `gsutil -m cp` from a Compute Engine VM introduces a single point of failure, requires managing the VM's lifecycle, and the VM's network egress from AWS is still limited by the same 1 Gbps pipe; moreover, the VM adds latency and cost without any throughput advantage over a managed service. Option C is wrong because downloading to a local machine and re-uploading is impractical for 50 TB (local bandwidth is often far lower than 1 Gbps, and the process is manual, error-prone, and violates the 48-hour SLA). Option D is wrong because BigQuery Data Transfer Service is designed for loading data into BigQuery tables, not for moving raw objects into Cloud Storage; it cannot write to a GCS bucket as a destination.

753 (MCQ, medium)

You want to use Kustomize to manage environment-specific Kubernetes configurations (dev, staging, prod) from a single base set of manifests. How does Kustomize achieve environment customization without duplicating YAML files?

A. Kustomize duplicates all YAML files per environment, then applies find-and-replace on values.
B. Kustomize uses overlays that patch a shared base: environment-specific differences are expressed as patches without duplicating base manifests.
C. Kustomize uses Helm charts with values files per environment for templating.
D. Kustomize requires a separate Git branch per environment where manifests are committed.

Answer: B

The base contains common YAML (Deployment, Service, etc.). Overlays per environment contain only what differs (image tag, replicas, ConfigMap values) as patches. kubectl apply -k applies them merged.

Why this answer

Kustomize uses a base set of Kubernetes manifests and applies environment-specific overlays that contain patches. These patches modify only the differences (e.g., replicas, image tags, namespaces) without copying or altering the original base YAML files. This approach avoids duplication and keeps the base clean, with each overlay representing a distinct environment.

Exam trap

Google Cloud often tests the distinction between Kustomize's overlay/patch model and Helm's templating approach, so the trap is assuming any configuration management tool uses find-and-replace or requires separate branches.

How to eliminate wrong answers

Option A is wrong because Kustomize does not duplicate YAML files per environment; it uses a layered overlay model with patches, not find-and-replace. Option C is wrong because Helm charts use templating with values files, which is a different tool; Kustomize is template-free and relies on pure YAML patching. Option D is wrong because Kustomize does not require separate Git branches; it manages environments within the same repository using overlay directories.

754 (Multi-Select, medium)

You are managing a Cloud Run service that has two revisions: v1 (serving 100% traffic) and v2 (new revision). You want to shift 10% of traffic to v2 gradually. Which TWO steps should you take? (Choose two.)

Select 2 answers
A. Run `gcloud run services update-traffic SERVICE_NAME --to-revisions v2=10`
B. Run `gcloud run services update-traffic SERVICE_NAME --to-latest`
C. Run `gcloud run services update-traffic SERVICE_NAME --to-revisions v1=90,v2=10`
D. Run `gcloud run deploy --image gcr.io/project/v2 --no-traffic`
E. Run `gcloud run revisions list` to confirm revision names

Answers: A, C

This command updates traffic to send 10% to v2, leaving the rest (90%) to the latest ready revision (v1 if no other revisions defined).

Why this answer

To split traffic, you need to create a traffic configuration that assigns percentages to revisions. Options B and D are correct.

755 (MCQ, hard)

Your GKE cluster has a node pool that you want to enable autoscaling on. The initial node count is 3, and you want the cluster to scale between 1 and 10 nodes. Which command should you use?

A. `gcloud container clusters update my-cluster --enable-autoscaling --min-nodes 1 --max-nodes 10 --region us-central1`
B. `gcloud container clusters update my-cluster --enable-autoscaling --min-size 1 --max-size 10 --region us-central1`
C. `gcloud container node-pools update my-pool --cluster=my-cluster --enable-autoscaling --min-nodes 1 --max-nodes 10 --region us-central1`
D. `gcloud container node-pools update my-pool --cluster=my-cluster --autoscaling --min 1 --max 10 --region us-central1`

Answer: C

This command correctly updates the node pool with autoscaling and min/max nodes.

Why this answer

The correct command is gcloud container node-pools update with --enable-autoscaling and the min and max node flags. The cluster name and region/zone are required.

756 (MCQ, medium)

A production GKE cluster is running low on node resources. Pods are in Pending state because no node has sufficient CPU or memory. Without deleting existing Pods, what is the fastest way to resolve this?

A. Resize the node pool to add more nodes: `gcloud container clusters resize`
B. Delete existing Pods to free resources for the Pending Pods
C. Change the Pending Pods' resource requests to zero
D. Upgrade the Kubernetes control plane version

Answer: A

`gcloud container clusters resize [CLUSTER] --node-pool=[POOL] --num-nodes=[N]` adds nodes immediately. If cluster autoscaler is enabled, it will do this automatically when Pods are Pending.

Why this answer

Option A is correct because resizing the node pool with `gcloud container clusters resize` immediately adds more nodes to the cluster, providing additional CPU and memory capacity. This allows the scheduler to place pending Pods without modifying or deleting existing workloads, making it the fastest solution that preserves running Pods.

Exam trap

Google Cloud often tests the misconception that upgrading the control plane or modifying Pod specs can resolve resource shortages, when in fact only adding nodes or reducing existing Pod resource usage addresses the capacity issue.

How to eliminate wrong answers

Option B is wrong because deleting existing Pods disrupts running workloads and does not guarantee that freed resources will be sufficient for pending Pods; it also violates the constraint of not deleting existing Pods. Option C is wrong because changing resource requests to zero bypasses Kubernetes resource guarantees, leading to potential resource starvation and unpredictable scheduling behavior, and it requires modifying Pod specs which is not a fast or safe resolution. Option D is wrong because upgrading the control plane version does not add compute resources; it updates the Kubernetes API server and controller manager but does not affect node capacity or scheduling of pending Pods.

757 (MCQ, medium)

Instead of granting IAM roles to 50 individual developer email addresses, a team wants to manage access by team membership. When a developer joins or leaves, access updates automatically. What is the recommended approach?

A. Create a service account shared by all developers on the team
B. Grant IAM roles to a Google Group containing all team members
C. Create a GCP project per developer and use cross-project IAM bindings
D. Use Cloud Identity-Aware Proxy to manage team membership

Answer: B

Google Groups are supported as IAM principals. Roles granted to a group apply to all members. Membership changes in Google Groups are reflected in GCP access immediately.

Why this answer

Option B is correct because Google Groups act as identity containers that can be granted IAM roles at the project or resource level. When developers are added to or removed from the group, their IAM permissions automatically update without requiring manual role changes for each individual user. This aligns with the principle of least privilege and simplifies access management at scale.

Exam trap

The trap here is that candidates often confuse service accounts with user identities or think that Cloud IAP can manage IAM roles, when in fact IAP only controls access to applications and not to GCP resource-level permissions.

How to eliminate wrong answers

Option A is wrong because sharing a service account among multiple developers violates security best practices — service accounts are intended for application-to-application authentication, not for individual user access, and sharing credentials eliminates audit trails and non-repudiation. Option C is wrong because creating a GCP project per developer introduces unnecessary overhead and complexity; cross-project IAM bindings still require managing individual identities and do not leverage group-based membership for automatic updates. Option D is wrong because Cloud Identity-Aware Proxy (IAP) controls access to applications at the HTTP/S layer, not to GCP IAM roles or resources; it does not replace IAM role management for cloud infrastructure permissions.

758 (MCQ, easy)

What is the primary benefit of using a Google-managed SSL certificate for an HTTPS Load Balancer?

A. It is free of charge.
B. It automatically renews the certificate before expiration.
C. It can be used with any type of load balancer.
D. It provides stronger encryption than self-managed certificates.

Answer: B

Google-managed certificates handle provisioning and renewal automatically.

Why this answer

Google-managed certificates automatically provision and renew SSL/TLS certificates, reducing manual effort and preventing expiration issues.

759 (MCQ, medium)

A developer accidentally committed a service account key JSON file to a public GitHub repository. The key was valid for a service account with broad Editor permissions. What should you do FIRST?

A. Remove the committed file from Git history using `git filter-branch` or BFG Repo Cleaner.
B. Immediately delete or disable the service account key in the Cloud Console or via gcloud.
C. Make the GitHub repository private to hide the exposed key.
D. Reduce the service account's permissions to limit the blast radius.

Answer: B

Revoking the key immediately stops any ongoing or future unauthorized use. This is the highest-priority action — stop the bleeding first, then investigate.

Why this answer

Option B is correct because the immediate priority is to revoke the exposed credential to prevent unauthorized access. Deleting or disabling the service account key in the Cloud Console or via `gcloud iam service-accounts keys delete` ensures the key is invalidated within minutes, stopping any attacker from using it to authenticate with Google Cloud APIs. This aligns with the principle of least privilege and incident response best practices: contain the breach before remediation.

Exam trap

Google Cloud often tests the misconception that removing the file from Git history (Option A) is sufficient, but the key remains valid and usable by anyone who already has it, so revocation must come first.

How to eliminate wrong answers

Option A is wrong because removing the file from Git history does not invalidate the already-exposed key; an attacker who has already cloned the repository or accessed the commit can still use the key until it is revoked. Option C is wrong because making the repository private does not revoke the key or prevent attackers who have already seen the public commit from using it; the key remains valid. Option D is wrong because reducing the service account's permissions does not immediately stop an attacker who already has the key from using its current Editor permissions; the key must be disabled first to cut off access.

760 (MCQ, easy)

You created a Cloud Run service from source code using gcloud run deploy --source . --region us-central1 --platform managed. Where can you view the build logs and runtime logs?

A. In Cloud Logging (Logs Explorer) under the Cloud Run resource.
B. In the Cloud Build history page.
C. In the Cloud Run service details page under the 'Logs' tab.
D. In Cloud Monitoring dashboards.

Answer: A

Cloud Logging aggregates logs from Cloud Run.

Why this answer

Cloud Run logs are sent to Cloud Logging. You can view them in the Logs Explorer.

761 (MCQ, hard)

A company runs a multi-tier web application on Compute Engine: a frontend instance group (us-east1) and a backend instance group (us-east1) that stores data on persistent disks. They recently experienced a zone failure in us-east1-b, causing all instances in that zone to go down. The application was unavailable for 2 hours. The team is now required to design a solution that provides high availability across multiple zones within the us-east1 region and minimizes data loss. The frontend is stateless, but the backend holds critical state data on persistent disks. The team considers: (A) Migrate backend to use regional persistent disks and distribute backend instances across zones using a regional MIG. (B) Use a zonal MIG in us-east1-b with snapshots to another zone. (C) Move the entire application to a single zone in us-central1 with more resources. (D) Use Cloud SQL for backend data and keep Compute Engine instances in a single zone. Which option best meets the requirements?

A. Replace backend Compute Engine instances with Cloud SQL for data storage and keep the frontend as is
B. Move all instances to a single zone in us-central1 with larger machine types
C. Keep the backend in a zonal MIG in us-east1-b but take hourly snapshots of persistent disks to a different zone
D. Use regional persistent disks for backend data and deploy a regional managed instance group for backend instances across us-east1-a and us-east1-b

Answer: D

Regional persistent disks are replicated across zones; regional MIG provides auto-healing and distribution.

Why this answer

Option D is correct because it uses regional persistent disks (which replicate data synchronously across two zones in the same region) combined with a regional managed instance group (MIG) that distributes backend instances across us-east1-a and us-east1-b. This architecture ensures that if one zone fails, the backend instances in the other zone can immediately attach the same regional persistent disk, minimizing data loss and providing high availability without requiring manual snapshot recovery.

Exam trap

Google Cloud often tests the distinction between zonal and regional resources; the trap here is that candidates may think snapshots or backups are sufficient for high availability, but they fail to recognize that snapshots do not provide automatic failover or near-zero data loss, which is only achievable with synchronous replication like regional persistent disks.

How to eliminate wrong answers

Option A is wrong because replacing backend Compute Engine instances with Cloud SQL does not address the requirement to minimize data loss from persistent disks; Cloud SQL is a managed database service, not a direct replacement for stateful application data stored on persistent disks, and it introduces a different data storage paradigm that may not support the existing application architecture. Option B is wrong because moving all instances to a single zone in us-central1 does not provide high availability across multiple zones within us-east1; it actually reduces availability by consolidating into one zone and ignores the requirement to stay within us-east1. Option C is wrong because keeping the backend in a zonal MIG in us-east1-b with hourly snapshots to another zone does not provide high availability; snapshots are point-in-time backups and cannot be used to instantly failover, resulting in up to one hour of data loss and significant recovery time, which fails the 'minimizes data loss' requirement.

762 (Multi-Select, medium)

A company wants to manage multiple Google Cloud projects and enforce consistent security policies across all of them. Which TWO resources should they use? (Choose two.)

Select 2 answers
A. Cloud Audit Logs
B. Organization policies
C. Shared VPC
D. Folders
E. Labels

Answers: B, D

Organization policies enforce constraints across all projects in the organization.

Why this answer

Organization policies are used to enforce constraints across projects. Folders allow grouping projects and applying common IAM policies.

763 (MCQ, hard)

Your company wants to track costs per department. Each department has its own project. You need to set up a budget alert in the billing account for each project. What is the most efficient approach?

A. Use Billing Export to BigQuery and create custom alerts using Cloud Monitoring.
B. Create one budget per project by selecting the project in the 'Scoped to' field.
C. Create a budget for each project by manually enabling billing for each project.
D. Create a single budget for the entire billing account and rely on labels.

Answer: B

Efficient: budgets can be scoped to projects.

Why this answer

You can create budgets at the billing account level with scoped projects. This allows one budget per project. Creating budgets per project individually is manual.

Using labels requires tagging resources. Billing export to BigQuery is for analysis, not alerts.

764 (Multi-Select, hard)

A company is migrating a legacy monolithic application to GKE. The application consists of multiple microservices that need to communicate with each other. The team wants to manage traffic routing, implement canary deployments, and provide SSL termination. Which three Google Cloud services should they consider using together? (Choose three.)

Select 3 answers
A. Cloud NAT
B. Cloud Endpoints
C. Cloud CDN
D. Cloud Load Balancing
E. Cloud Armor

Answers: B, C, D

Can manage API traffic, implement canary deployments, and handle routing.

Why this answer

To manage traffic routing, canary deployments, and SSL termination in GKE, a common pattern is to use Cloud Load Balancing (for SSL termination and traffic routing), GKE Ingress (often with an Ingress controller such as NGINX or the GKE Ingress controller), and Cloud CDN for caching. Alternatively, Cloud Endpoints can be used for API management. The combination of Cloud Load Balancing, Cloud CDN, and Cloud Endpoints can provide the required features.

Options A, C, and D are correct. Cloud NAT is for outbound internet access, and Cloud Armor is for security.

765 (MCQ, easy)

An engineer is tasked with creating a new VPC network for a production environment. The company requires the VPC to support multiple regions and allow custom IP address ranges for each subnet. Which VPC network mode should the engineer use?

A. Shared VPC
B. Custom mode VPC
C. Auto mode VPC
D. Legacy mode VPC

Answer: B

Custom mode allows you to define subnets with custom IP CIDR ranges per region, giving full control.

Why this answer

Custom mode VPC allows full control over subnets, including custom IP ranges per region. Auto mode creates subnets in each region with predefined IP ranges, which may not meet production requirements. Shared VPC is for sharing across projects, not for a single project's network.

766 (Multi-Select, medium)

A company is setting up a new Google Cloud environment. They need to ensure that they can manage billing across multiple projects and have a hierarchical resource structure. Which TWO statements are correct about the Google Cloud resource hierarchy?

Select 2 answers
A. Each billing account can be linked to only one project.
B. A project must always belong to a folder or organization.
C. Resources are organized hierarchically with Organization, Folders, Projects, and Resources.
D. Each project must belong to a folder.
E. IAM policies can be inherited from a folder to projects within it.

Answers: C, E

This is the correct hierarchical structure.

Why this answer

Options A and D are correct. Option A correctly describes the hierarchy. Option D correctly states that IAM policies can be inherited from folders.

Option B is false because billing accounts can be linked to multiple projects. Option C is false because projects do not have to belong to a folder. Option E is false because projects can exist without a folder or organization if using a standalone billing account.

767 (Multi-Select, hard)

A company has multiple Google Cloud projects and needs to connect VPCs in different regions privately without traversing the public internet or using VPN tunnels. Which two Google Cloud networking solutions can accomplish this requirement?

Select 2 answers
A. VPC Peering
B. Private Google Access
C. Cloud NAT
D. Cloud VPN
E. Shared VPC

Answers: A, E

Direct private connectivity between VPC networks, supports cross-region peering.

Why this answer

Options A and C are correct. VPC Peering (A) allows direct peering between VPCs across regions without internet. Shared VPC (C) allows centralized management and connectivity between host and service projects.

Option B (Cloud NAT) is for outbound internet access. Option D (Cloud VPN) uses the public internet. Option E (Private Google Access) allows on-premises access to Google APIs.

768 (Multi-Select, hard)

An engineer needs to create a service account and grant it the ability to impersonate other service accounts. Which two permissions are required? (Choose 2)

Select 2 answers
A. `iam.serviceAccounts.setIamPolicy`
B. `resourcemanager.projects.setIamPolicy`
C. `iam.serviceAccounts.getAccessToken`
D. `iam.serviceAccounts.actAs`
E. `iam.serviceAccounts.create`

Answers: D, E

This permission is included in roles/iam.serviceAccountUser and allows impersonation.

Why this answer

The roles/iam.serviceAccountUser role allows impersonation, and the roles/iam.serviceAccountAdmin role allows creating service accounts.

769 (MCQ, medium)

An application receives the error 'Permission denied on resource project [PROJECT_ID] (or it may not exist)' when making an API call with a service account. The service account has the correct IAM role. What else might be missing?

A. The service account needs the Project Owner role to make any API calls
B. The relevant GCP API is not enabled in the project
C. The service account needs to be in the same organization as the project
D. The service account email must be explicitly allow-listed in the API's configuration

Answer: B

GCP requires the API to be enabled before any service account or user can use it. The error 'or it may not exist' refers to the resource being unreachable because the API is disabled.

Why this answer

The error 'Permission denied on resource project [PROJECT_ID] (or it may not exist)' typically occurs when the service account has the correct IAM role but the API being called is not enabled for the project. Even with proper IAM permissions, GCP requires that the specific API (e.g., Compute Engine API, Cloud Storage API) be enabled in the project before any API calls can succeed. Enabling the API activates the service and allows the service account to use it.

Exam trap

Google Cloud often tests the misconception that IAM roles alone guarantee API access, but the trap here is that candidates overlook the prerequisite of enabling the API service in the project, which is a separate step from assigning IAM permissions.

How to eliminate wrong answers

Option A is wrong because the Project Owner role is not required for making API calls; a service account only needs the specific IAM role granting the necessary permissions, and Project Owner is overly broad and unnecessary. Option C is wrong because service accounts do not need to be in the same organization as the project; they can be created in one project and used in another project within the same or different organization, as long as IAM permissions are granted. Option D is wrong because there is no concept of 'allow-listing' a service account email in an API's configuration; access is controlled entirely through IAM roles and policies, not through an explicit allow list.

770 (MCQ, easy)

A team's GCP project is approaching its monthly budget. They want to receive an email alert when spending reaches 80% and 100% of the $500 monthly budget. Which GCP feature sends these budget alerts?

A. Cloud Monitoring alerting policy on the billing/cost metric
B. A Cloud Scheduler job that queries the Billing API and sends an email when cost exceeds thresholds
C. Cloud Billing budget with alert thresholds set at 80% and 100%
D. Cloud Logging alert on billing cost log entries

Answer: C

Cloud Billing budgets support multiple alert thresholds. When spending crosses each threshold, notifications are automatically sent to configured email recipients.

Why this answer

Option C is correct because Cloud Billing budgets are the native GCP feature designed to monitor spending against a budget and send email alerts when actual or forecasted costs exceed user-defined thresholds (e.g., 80% and 100% of $500). This feature is configured directly in the Cloud Console or via the Billing API and automatically triggers notifications without requiring custom code or additional services.

Exam trap

Google Cloud often tests the distinction between native GCP services (Cloud Billing budgets) and workarounds (Cloud Scheduler + Billing API) to see if candidates recognize the built-in, no-code solution for budget alerts.

How to eliminate wrong answers

Option A is wrong because Cloud Monitoring alerting policies cannot directly use billing/cost metrics; billing data is not exposed as a Cloud Monitoring metric, and the 'billing/cost metric' does not exist in the Monitoring API. Option B is wrong because while a Cloud Scheduler job could theoretically query the Billing API and send an email, this is not a built-in GCP feature for budget alerts—it requires custom development, cron management, and is not the recommended or simplest solution. Option D is wrong because Cloud Logging alerts on billing cost log entries are not supported; billing data is not written to Cloud Logging as structured log entries that can trigger alerts, and the Billing budget feature already handles threshold-based notifications natively.

771 (MCQ, medium)

A company runs a batch job every night that processes data from a Cloud Storage bucket and writes results to BigQuery. The job runs on a Compute Engine VM. To minimize costs, what is the best practice for the VM?

A. Use a VM with GPUs for faster processing
B. Use a VM with local SSD for temporary storage
C. Use a standard VM and commit to a 1-year commitment
D. Use a preemptible VM

Answer: D

Why this answer

Preemptible VMs are up to 80% cheaper and can be terminated at any time, which is acceptable for batch jobs that can be checkpointed or restarted from the beginning.

772 (MCQ, easy)

You need to load a CSV file from Cloud Storage into an existing BigQuery table. Which bq command should you use?

A. `bq query --source_format=CSV 'SELECT * FROM mydataset.mytable'`
B. `bq load --source_format=CSV mydataset.mytable gs://mybucket/myfile.csv`
C. `bq insert mydataset.mytable gs://mybucket/myfile.csv`
D. `bq import mydataset.mytable gs://mybucket/myfile.csv`

Answer: B

This correctly loads the CSV file into the table.

Why this answer

The bq load command loads data into a BigQuery table. You specify the source format (CSV) and the location of the file in Cloud Storage.

773 (MCQ, medium)

A team stores application log archives in a Cloud Storage bucket. Logs older than 90 days should automatically move to Coldline storage, and logs older than 365 days should be deleted. Which feature automates this?

A. Cloud Scheduler jobs that run `gsutil rewrite` and `gsutil rm` commands nightly
B. Cloud Storage Object Lifecycle Management rules on the bucket
C. Cloud Pub/Sub notifications triggering a Cloud Function on each object creation
D. Retention policies that lock objects in Coldline after 90 days

Answer: B

Lifecycle rules on the bucket automatically transition objects to Coldline after 90 days and delete them after 365 days — fully managed with no scripts or schedulers required.

Why this answer

Option B is correct because Cloud Storage Object Lifecycle Management rules allow you to automatically transition objects to Coldline storage after 90 days and delete them after 365 days based on object age conditions. This is a native, serverless feature that requires no external compute or scheduling, making it the most efficient and reliable approach for automating tiering and deletion of log archives.

Exam trap

Google Cloud often tests the misconception that custom scheduling or event-driven functions are required for automated data management, when in fact Cloud Storage's native lifecycle management handles age-based transitions and deletions without any additional services.

How to eliminate wrong answers

Option A is wrong because Cloud Scheduler jobs running gsutil rewrite and gsutil rm commands introduce unnecessary complexity, potential for human error, and additional cost for compute resources; lifecycle management handles this natively without custom scripts. Option C is wrong because Cloud Pub/Sub notifications triggering a Cloud Function on each object creation would only fire on new objects, not on existing objects, and would require custom code to implement age-based transitions and deletions, which is less efficient and more error-prone than built-in lifecycle rules. Option D is wrong because retention policies are used to prevent object deletion or modification for a specified period, not to automate transitions or deletions; locking objects in Coldline after 90 days would actually prevent the deletion at 365 days that the requirement specifies.

774
MCQ · medium

A team is designing a system where two GCP projects — a shared services project and an application project — need their VMs to communicate using private IPs. Both projects are in the same organization. Which networking option best enables this with centralized network management?

A. VPC Peering between the two projects' VPCs
B. Shared VPC (XPN) with the shared services project as the host
C. Cloud VPN between the two projects' default VPCs
D. Using external IPs with TLS — private IP communication isn't necessary between GCP projects
Answer: B

Shared VPC centralizes network management in the host project while allowing service project VMs to use shared subnets with private IPs — ideal for organization-wide network governance.

Why this answer

Shared VPC (XPN) allows an organization to centrally manage networking across multiple projects from a single host project, enabling VMs in the shared services project and the application project to communicate via private IPs without needing separate peering or VPN configurations. This is the best option because it provides centralized network administration and policy enforcement, which aligns with the requirement for centralized network management.

Exam trap

The trap here is that candidates often choose VPC Peering (Option A) because it seems simpler for connecting two projects, but they overlook the explicit requirement for centralized network management, which Shared VPC uniquely provides by design.

How to eliminate wrong answers

Option A is wrong because VPC Peering requires manual configuration of each peering connection and does not provide centralized network management; each project retains separate administrative control, and routes must be managed individually. Option C is wrong because Cloud VPN is designed for connecting on-premises networks or different VPCs across regions via encrypted tunnels, but it adds complexity and latency for intra-organization communication that can be achieved more simply with Shared VPC. Option D is wrong because using external IPs with TLS violates the requirement for private IP communication and introduces security risks and egress costs, as well as bypassing the centralized management goal.

775
Multi-Select · medium

An engineer is deploying a Cloud Function that processes files uploaded to a Cloud Storage bucket. The function needs to be triggered by new object creation events. The engineer has already written the function code. Which commands should the engineer run to create the bucket and deploy the function with the correct trigger? (Choose two.)

Select 2 answers
A. gcloud functions deploy my-function --runtime python39 --trigger-bucket my-bucket --entry-point main --region=us-central1
B. gcloud functions deploy my-function --runtime python39 --trigger-http --entry-point main --region=us-central1
C. gcloud functions deploy my-function --runtime python39 --entry-point main --region=us-central1
D. gsutil mb gs://my-bucket
E. gcloud storage buckets create gs://my-bucket --location=us-central1
Answers: A, D

Deploys a function triggered by bucket events.

Why this answer

To create a bucket, use gsutil mb. To deploy a Cloud Function triggered by Cloud Storage events, use gcloud functions deploy with --trigger-bucket. Options B and C are correct.

Option A creates a bucket but with the wrong command. Option D is missing the trigger. Option E is for an HTTP trigger.

776
MCQ · medium

You notice that a deployment in your GKE cluster is running an outdated image. You need to update the deployment to use the new image 'gcr.io/my-project/my-app:v2'. Which kubectl command should you use?

A. kubectl set image deployment/my-deployment my-app=gcr.io/my-project/my-app:v2
B. kubectl rollout restart deployment my-deployment --image gcr.io/my-project/my-app:v2
C. kubectl update deployment my-deployment --image gcr.io/my-project/my-app:v2
D. kubectl replace deployment my-deployment --image gcr.io/my-project/my-app:v2
Answer: A

This is the correct syntax: kubectl set image deployment/<name> <container>=<image>.

Why this answer

To update the image of a deployment, use 'kubectl set image', specifying the deployment name and the container name together with the new image:tag.

777
MCQ · medium

A team builds a document processing pipeline: files are uploaded to Cloud Storage, then analyzed by Cloud Vision AI, results stored in Firestore, and a confirmation email sent. Each step depends on the previous. Which GCP service orchestrates these sequential, dependent steps reliably?

A. Cloud Pub/Sub with a subscription per step
B. Cloud Tasks with per-step queues
C. Cloud Workflows
D. Cloud Functions chained via HTTP calls
Answer: C

Cloud Workflows orchestrates sequential API calls with conditional logic, error handling, and retries — purpose-built for coordinating dependent multi-step pipelines.

Why this answer

Cloud Workflows is designed to orchestrate sequential, dependent steps with built-in retry, error handling, and state management. It directly models the pipeline as a series of steps where each step's output feeds the next, without requiring manual chaining or intermediate messaging infrastructure.

Exam trap

Google Cloud often tests the distinction between asynchronous messaging (Pub/Sub, Tasks) and synchronous orchestration (Workflows), where candidates mistakenly choose a messaging service for sequential workflows because they focus on 'reliability' rather than 'ordered dependency management'.

How to eliminate wrong answers

Option A is wrong because Cloud Pub/Sub is a publish-subscribe messaging service for asynchronous, decoupled communication, not for orchestrating sequential dependent steps; it would require additional logic to enforce order and handle failures. Option B is wrong because Cloud Tasks is a distributed task queue for executing discrete tasks asynchronously, not for defining a sequential workflow with dependencies; it lacks built-in step sequencing and state management. Option D is wrong because chaining Cloud Functions via HTTP calls creates tight coupling, requires manual error handling and retries, and does not provide a centralized view of the workflow execution or built-in step sequencing.

778
MCQ · medium

A company needs to connect their on-premises data center to Google Cloud via a dedicated, high-bandwidth connection with low latency. They anticipate consistent high traffic. Which connectivity option should they use?

A. Carrier Peering
B. Cloud VPN
C. VPC peering
D. Dedicated Interconnect
Answer: D

Why this answer

Dedicated Interconnect provides direct physical connections between on-premises and Google Cloud, offering high bandwidth and low latency. Cloud VPN is over the internet; Carrier Peering is for enterprise customers; VPC peering is for connecting VPCs within Google Cloud.

779
MCQ · medium

You need to delete a Google Cloud project. What prerequisite must be met before the project can be deleted?

A. All IAM members must be removed from the project.
B. All resources in the project must be deleted.
C. The billing account must be disabled for the project.
D. The project must be in the ACTIVE state.
Answer: C

Billing must be disabled before project deletion.

Why this answer

Before deleting a project, you must disable the billing account associated with it. This is to ensure that no outstanding charges occur. The project may still have active resources but billing must be disabled.

The other options are not prerequisites.

780
MCQ · hard

You need to drain a GKE node for maintenance. The node is running a DaemonSet and some pods with emptyDir volumes. Which kubectl command should you use to safely drain the node without causing errors?

A. kubectl drain node-name --force
B. kubectl drain node-name --ignore-daemonsets --delete-emptydir-data
C. kubectl drain node-name --ignore-daemonsets
D. kubectl cordon node-name && kubectl delete pods --all --grace-period=0
Answer: B

These flags handle DaemonSets and emptyDir volumes, allowing the drain to complete.

Why this answer

The kubectl drain command with --ignore-daemonsets and --delete-emptydir-data flags safely evicts pods while ignoring DaemonSets (which are managed by the node) and allowing deletion of pods with emptyDir volumes.

781
MCQ · hard

Refer to the exhibit. A user tries to delete the disk 'my-disk' but receives an error. Based on the exhibit, what is the most likely cause?

A. The disk is being used by a snapshot.
B. The disk size must be 0 to delete.
C. The disk is still attached to an instance.
D. The disk is not in the correct project.
Answer: C

The USERS field shows attachment to an instance.

Why this answer

Option C is correct because a disk cannot be deleted while it is attached to a running or stopped instance. In Google Cloud, you must first detach the disk from the instance before deletion. The error message indicates the disk is in use, and the exhibit confirms it is attached to an instance.

Exam trap

Google Cloud often tests the misconception that snapshots or disk size prevent deletion, but the real blocker is the attachment state, which is a common oversight when managing persistent disks.

How to eliminate wrong answers

Option A is wrong because a disk can be deleted even if it has snapshots; snapshots are independent and do not block disk deletion. Option B is wrong because disk size does not need to be 0 for deletion; any size disk can be deleted as long as it is not attached. Option D is wrong because the disk is in the correct project, as shown in the exhibit; the error is not related to project permissions or location.

782
MCQ · hard

A company wants to use Google Cloud Pricing Calculator to estimate the monthly cost of running a Compute Engine instance for a web server. They plan to use a n2-standard-4 machine with a 100 GB SSD persistent disk and commit to a 1-year term. Which discount type should they include in the estimate?

A. No discount is needed; the price shown is final
B. Committed use discount (1 year)
C. Free tier discount
D. Sustained use discount only
Answer: B

Committed use discounts provide the best savings for a 1-year commitment. They should be selected in the calculator.

Why this answer

Committed use discounts (CUDs) offer significant savings (up to 57% for machine types) in exchange for committing to 1 or 3 years. Sustained use discounts apply automatically for running instances >25% of the month, but CUDs are additional and can be combined. For a 1-year commitment, they should include CUD for the machine type.

783
MCQ · medium

Your security team wants to monitor all privileged IAM changes in your GCP organization (e.g., when anyone is granted `roles/owner` or `roles/editor`). They need real-time notifications. Which approach achieves this?

A. Create a Cloud Monitoring alerting policy on the `iam.googleapis.com/SetIamPolicy` log metric.
B. Enable Security Command Center's Event Threat Detection for IAM changes.
C. Run a daily script using `gcloud projects get-iam-policy` and compare with the previous day's output.
D. Use Cloud Asset Inventory with asset feeds to detect IAM policy changes in real-time.
Answer: A, D

A log-based metric that counts `SetIamPolicy` operations with filter on privileged roles, combined with a Cloud Monitoring alert with a notification channel, provides real-time alerting on IAM changes.

Why this answer

Option A is correct because Cloud Monitoring can ingest log-based metrics from the `iam.googleapis.com/SetIamPolicy` audit log entry, and an alerting policy can be configured to trigger in near real-time when that log metric exceeds a threshold. This provides immediate notification of privileged IAM changes such as granting `roles/owner` or `roles/editor`.

Exam trap

The trap here is that candidates may think Cloud Asset Inventory feeds (Option D) provide real-time detection, but asset feeds have a latency of several minutes and are designed for inventory synchronization, not real-time alerting on specific IAM role grants.

How to eliminate wrong answers

Option B is wrong because Security Command Center's Event Threat Detection focuses on threat detection (e.g., compromised credentials, malware) and does not provide real-time alerting for all IAM policy changes; it is not designed for monitoring routine administrative IAM modifications. Option C is wrong because running a daily script using `gcloud projects get-iam-policy` is a batch, non-real-time approach that introduces up to 24 hours of delay, failing the requirement for real-time notifications.

784
MCQ · medium

A company is migrating a legacy on-premises application to Google Cloud. The application stores structured transactional data in a relational database. The database currently handles 2,000 transactions per second (TPS) and is expected to grow to 10,000 TPS over the next year. The database size is 500 GB. The application requires strong consistency and the ability to run complex JOIN queries. Which Google Cloud database service should the company choose?

A. Cloud Spanner
B. Cloud SQL for PostgreSQL
C. Cloud Bigtable
D. Cloud Firestore
Answer: B

Cloud SQL provides a fully managed relational database with strong consistency and support for complex queries.

Why this answer

Cloud SQL for PostgreSQL is the correct choice because it provides a fully managed relational database with strong ACID compliance, support for complex JOIN queries, and can scale vertically or via read replicas to handle up to 10,000 TPS with proper configuration. The 500 GB database size is well within Cloud SQL's limits, and PostgreSQL's native support for complex joins meets the application's requirements without the operational overhead of self-managed databases.

Exam trap

Google Cloud often tests the misconception that Cloud Spanner is the only option for strong consistency and high TPS, but the trap here is that the workload is single-region and moderate scale, making Cloud SQL a simpler and more cost-effective choice despite Spanner's global capabilities.

How to eliminate wrong answers

Option A is wrong because Cloud Spanner is designed for globally distributed, horizontally scalable workloads with strong consistency, but it introduces unnecessary complexity and higher cost for a single-region workload that only needs up to 10,000 TPS and 500 GB; it also requires schema changes to use interleaved tables for optimal JOIN performance. Option C is wrong because Cloud Bigtable is a NoSQL wide-column database that does not support SQL JOINs or strong relational consistency, making it unsuitable for structured transactional data requiring complex queries. Option D is wrong because Cloud Firestore is a NoSQL document database designed for mobile and web apps with eventual consistency by default, and it lacks native support for complex JOIN operations or the transactional throughput needed for 10,000 TPS.

785
MCQ · easy

You need to create a Cloud Storage bucket with the default storage class for frequently accessed data in the us-west1 region. Which command creates the bucket?

A. gsutil mb -s standard -l us-west1 gs://my-bucket
B. gsutil mb -c standard -l us-west1 gs://my-bucket
C. gsutil mb -l us-west1 gs://my-bucket
D. gcloud storage buckets create --storage-class=standard --location=us-west1 gs://my-bucket
Answer: B

-c standard sets the storage class; -l sets the location.

Why this answer

The default storage class is Standard. The command gsutil mb -l us-west1 gs://my-bucket creates a bucket with the Standard class in us-west1.

786
MCQ · hard

A company wants to deploy a containerized application on Cloud Run that is built from source code in a local directory. They want Cloud Run to automatically build the container image using Cloud Build. Which command should be used?

A. gcloud run deploy my-service --source . --region us-central1
B. gcloud app deploy --source .
C. gcloud run deploy my-service --image . --region us-central1
D. gcloud builds submit --tag gcr.io/my-project/my-image . && gcloud run deploy my-service --image gcr.io/my-project/my-image
Answer: A

Correct. --source triggers a build from local source code.

Why this answer

The 'gcloud run deploy' command with --source and --region flags tells Cloud Run to build and deploy from source. Cloud Build is invoked automatically.

787
Multi-Select · hard

A company has a Compute Engine VM instance that needs to access a Cloud Storage bucket. The VM uses a service account with the Storage Object Admin role. However, the VM is unable to upload objects. Which two possible causes should be investigated? (Choose two.)

Select 3 answers
A. The VM's service account does not have the required IAM permission on the bucket
B. A firewall rule is blocking outbound HTTPS traffic
C. The bucket's IAM policy does not include the service account
D. The VM does not have the correct access scopes configured
E. The VM is not in the same region as the bucket
Answers: A, C, D

Why this answer

The service account must have the proper IAM role and the bucket must have appropriate IAM or ACL permissions. The VM's scopes also need to allow Cloud Storage access. VPC firewall rules do not affect API calls to Cloud Storage (over HTTPS).

788
Multi-Select · medium

A developer wants to automate the creation of a service account and assign it a role using the gcloud command-line tool. Which TWO commands are needed? (Choose 2 answers.)

Select 2 answers
A. gcloud projects add-iam-policy-binding
B. gcloud iam service-accounts keys create
C. gcloud projects set-iam-policy
D. gcloud iam service-accounts create
E. gcloud iam roles create
Answers: A, D

Grants a role to the service account on the project.

Why this answer

First, you create the service account with `gcloud iam service-accounts create`. Then, you grant a role to the service account by adding an IAM policy binding to the project.

789
MCQ · hard

You need to ensure that a Cloud Run service can only be invoked by specific Cloud Scheduler jobs and not from the public internet, while still receiving HTTP requests. The Cloud Run service currently allows unauthenticated invocations. What configuration changes are required?

A. Add a Cloud Armor security policy to the Cloud Run service blocking all IPs except Cloud Scheduler.
B. Disable unauthenticated invocations on the Cloud Run service, grant `roles/run.invoker` to the Scheduler SA, and configure Scheduler to use OIDC authentication.
C. Deploy the Cloud Run service in a VPC and use a VPC firewall rule to block all traffic except Cloud Scheduler.
D. Add a secret header to Cloud Scheduler requests and validate it in the Cloud Run application code.
Answer: B

This three-step configuration enforces authentication: Cloud Run requires auth tokens, the Scheduler SA has invoker permission, and Scheduler sends OIDC tokens with each request. No other caller can invoke the service.

Why this answer

Option B is correct because Cloud Run services that require authentication must have unauthenticated invocations disabled, and the Cloud Scheduler service account must be granted the `roles/run.invoker` role. Additionally, Cloud Scheduler must be configured to use OIDC authentication, which allows it to present an identity token signed by Google to the Cloud Run service, ensuring only authorized scheduler jobs can invoke the service.

Exam trap

Google Cloud often tests the misconception that IP-based restrictions (like Cloud Armor or VPC firewall rules) can secure serverless services, when in fact serverless services like Cloud Run require IAM-based authentication for secure, identity-aware access control.

How to eliminate wrong answers

Option A is wrong because Cloud Armor security policies operate at the HTTP(S) load balancer level and cannot be directly attached to a Cloud Run service that is not behind a load balancer; also, Cloud Scheduler does not have a fixed set of IP addresses, so blocking by IP is impractical. Option C is wrong because Cloud Run services cannot be deployed directly into a VPC; they use VPC connectors for outbound traffic, and VPC firewall rules cannot control inbound traffic to a serverless service like Cloud Run. Option D is wrong because relying on a secret header for authentication is not a secure access control mechanism; it can be easily spoofed and does not leverage Google Cloud's IAM-based authentication, which is the recommended approach.

790
MCQ · easy

A media company needs to serve large video files (average 2 GB) to global users with low latency. The files are stored in Cloud Storage. What combination of services delivers the best streaming performance?

A. Cloud Storage in a multi-region bucket with direct public access
B. Cloud Storage + Cloud CDN via a Global Load Balancer backend bucket
C. Upload video files to a Compute Engine VM with nginx serving them directly
D. Cloud Filestore with NFS-mounted streaming
Answer: B

Enabling Cloud CDN on a Cloud Storage backend bucket caches video files at Google's edge PoPs globally, reducing latency and origin bandwidth for geographically distributed users.

Why this answer

Cloud Storage combined with Cloud CDN via a Global Load Balancer backend bucket is the best choice because it provides edge-caching of large video files, reducing latency for global users. The Global Load Balancer terminates HTTP(S) traffic at the closest point of presence, and Cloud CDN caches content from the multi-region bucket, minimizing origin load and improving streaming performance.

Exam trap

Google Cloud often tests the misconception that direct Cloud Storage access (Option A) is sufficient for global low-latency streaming, but the trap is that without a CDN and load balancer, users experience high latency and the bucket cannot handle global traffic efficiently.

How to eliminate wrong answers

Option A is wrong because a multi-region bucket with direct public access lacks edge caching, meaning every user request hits the bucket directly, increasing latency and egress costs for global streaming. Option C is wrong because serving large video files from a single Compute Engine VM with nginx creates a single point of failure, cannot scale to handle global traffic, and introduces unnecessary latency for users far from the VM's region. Option D is wrong because Cloud Filestore with NFS-mounted streaming is designed for high-performance file shares for compute instances, not for direct internet-facing content delivery; it lacks CDN integration and cannot serve video files with low latency to global users.

791
MCQ · hard

A company uses Cloud SQL for MySQL to host a database. The database must be accessible from a Compute Engine VM in the same region but in a different VPC network (VPC-A). The company does not want to use public IP addresses or VPN. What should the engineer do to enable connectivity?

A. Export the Cloud SQL instance as a dump and recreate it in VPC-A
B. Set up VPC Network Peering between VPC-A and the VPC where Cloud SQL is deployed, and configure Cloud SQL with a private IP
C. Configure the Cloud SQL instance with a public IP and allow the VM's IP in authorized networks
D. Use Cloud VPN to connect VPC-A to the VPC where Cloud SQL is deployed
Answer: B

VPC Network Peering allows connectivity without VPN, and private IP ensures no public exposure.

Why this answer

Cloud SQL private services access attaches the Cloud SQL instance to a VPC network. For connectivity across VPCs, VPC Network Peering can be used whether the two VPCs are in the same project or in different projects. Private services access connects Cloud SQL to one VPC, and peering allows another VPC to reach it.

792
MCQ · easy

A company wants to deploy a web application on Compute Engine. They expect variable traffic and want to automatically add or remove virtual machine instances based on CPU utilization. What is the recommended approach?

A. Use a single large instance and rely on Cloud Load Balancing
B. Use an unmanaged instance group and manually add or remove instances
C. Use a managed instance group with an autoscaling policy based on CPU utilization
D. Deploy the application on App Engine Standard environment
Answer: C

Managed instance groups with autoscaling automatically adjust instance count based on CPU utilization metrics.

Why this answer

A managed instance group (MIG) with an autoscaling policy based on CPU utilization is the recommended approach because it automatically adjusts the number of VM instances in response to real-time CPU load, ensuring the application can handle variable traffic without manual intervention. This aligns with Google Cloud's best practices for elastic scaling of stateless web applications on Compute Engine.

Exam trap

Google Cloud often tests the distinction between managed and unmanaged instance groups, where candidates mistakenly think unmanaged groups can be autoscaled, but only managed instance groups support autoscaling policies.

How to eliminate wrong answers

Option A is wrong because relying on a single large instance with Cloud Load Balancing does not provide autoscaling; a single instance cannot scale out to handle increased traffic and introduces a single point of failure. Option B is wrong because an unmanaged instance group requires manual addition or removal of instances, which contradicts the requirement for automatic scaling based on CPU utilization. Option D is wrong because App Engine Standard is a fully managed platform that abstracts infrastructure, but the question specifically asks about deploying on Compute Engine, not App Engine.

793
MCQ · medium

A team needs to run a containerized HTTP API that scales to zero when idle and requires zero cluster or server management. Which GCP compute platform is the best fit?

A. Compute Engine with a managed instance group
B. Google Kubernetes Engine Autopilot
C. Cloud Run
D. App Engine Flexible
Answer: C

Cloud Run is purpose-built for containerized HTTP services with zero-to-scale autoscaling, no infrastructure management, and per-request billing.

Why this answer

Cloud Run is the best fit because it is a fully managed serverless platform that automatically scales your containerized HTTP API to zero when idle, meaning you pay only for resources used during request processing. It requires no cluster or server management, as it abstracts away the underlying infrastructure entirely, unlike other options that still involve some level of node or instance management.

Exam trap

Google Cloud often tests the distinction between 'scaling to zero' and 'scaling down to a minimum of one' — candidates mistakenly think GKE Autopilot or App Engine Flexible can scale to zero, but only Cloud Run (and Cloud Functions) natively supports true zero-instance scaling without additional configuration.

How to eliminate wrong answers

Option A is wrong because Compute Engine with a managed instance group still requires you to manage virtual machine instances, and while it can scale down, it cannot scale to zero instances (minimum is 1 per zone) and involves server management. Option B is wrong because Google Kubernetes Engine Autopilot, while reducing node management, still requires you to manage a Kubernetes cluster (even if abstracted) and cannot scale to zero pods without manual configuration or third-party tools like KEDA, plus you pay for the cluster control plane. Option D is wrong because App Engine Flexible runs containers but requires at least one instance to be running at all times (cannot scale to zero), and it involves more configuration for custom runtimes compared to Cloud Run's simplicity.

794
MCQ · medium

An organisation requires a managed relational database for an online transaction processing (OLTP) application with strong consistency, automated backups, and a 99.95% SLA. The database size is expected to be under 10 TB. Which service meets these requirements at the lowest cost?

A. Bare Metal Solution
B. Cloud Bigtable
C. Cloud SQL
D. Cloud Spanner
Answer: C

Cloud SQL is a managed relational database service with automated backups, strong consistency, and a 99.95% SLA at a reasonable cost for databases under 10 TB.

Why this answer

Cloud SQL provides managed MySQL/PostgreSQL/SQL Server with automated backups, strong consistency, and a 99.95% SLA for zonal deployments. It is cost-effective for databases under 10 TB. Cloud Spanner is more expensive and suited for global scale.

795
MCQ · easy

Which IAM role should be granted to a service account to allow it to access a secret stored in Secret Manager?

A. roles/secretmanager.secretAccessor
B. roles/secretmanager.admin
C. roles/iam.serviceAccountUser
D. roles/secretmanager.viewer
Answer: A

This role allows accessing secret values.

Why this answer

The role 'secretmanager.secretAccessor' grants access to read secret versions.

796
Multi-Select · easy

A company is migrating an on-premises MySQL database to Cloud SQL. Which TWO steps are necessary for setting up ongoing replication from on-premises to Cloud SQL? (Choose 2)

Select 2 answers
A. Set up a Dataflow pipeline to stream changes.
B. Use pg_dump to export the database.
C. Enable binary logging on the on-premises MySQL server.
D. Create a Cloud SQL instance to be the replica.
E. Establish a Cloud VPN connection between on-premises and Google Cloud.
Answers: C, D

Binary logs are needed for replication.

Why this answer

Option C is correct because MySQL's native replication relies on binary logs (binlogs) to capture all changes on the primary server. Enabling binary logging on the on-premises MySQL server is essential to generate the change stream that Cloud SQL will read and apply for ongoing replication.

Exam trap

The trap here is that candidates confuse 'ongoing replication' with 'one-time migration' and select a dump tool (Option B) or a generic streaming service (Option A), missing that MySQL replication specifically requires binary logs and a Cloud SQL replica instance.

797
MCQ · hard

You are configuring a new project and need to enable the Compute Engine API. However, the command 'gcloud services enable compute.googleapis.com' fails with a permission error. Your user has the role roles/editor on the project. What is the likely cause?

A. The Compute Engine API is already enabled.
B. The user needs to authenticate again.
C. The user does not have the serviceusage.services.enable permission.
D. The project does not have a billing account associated.
Answer: D

Billing is required to enable APIs.

Why this answer

The role roles/editor includes the serviceusage.services.enable permission, so the command should work. However, if the organization has an org policy 'constraints/compute.restrictResourceCreation' that restricts API usage, it might block the call. But the most common issue is that the project is new and no billing account is associated with it, which prevents API enablement.

Editor role has permission, but billing must be active.

798
Multi-Select · easy

You want to create a monitoring dashboard that shows a time-series chart of CPU utilization for a specific Compute Engine instance. Which THREE components do you need to configure? (Choose three.)

Select 3 answers
A. Choose a time aggregation function (e.g., mean, max)
B. Select the resource type: 'gce_instance' and filter by the instance ID
C. Create a log-based metric for CPU utilization
D. Select the metric: 'compute.googleapis.com/instance/cpu/utilization'
E. Set up a notification channel to send alerts
Answers: A, B, D

Aggregation is needed for the time series.

Why this answer

In Cloud Monitoring, to create a chart you need to select a metric, a resource, and a time aggregation function.

799
MCQmedium

A team runs Apache Kafka on self-managed VMs for event streaming but wants to reduce operational overhead. Which GCP-native service is the managed alternative to Kafka for pub/sub messaging at scale?

A.Cloud Pub/Sub — Google's managed pub/sub messaging service
B.Cloud Bigtable — a managed wide-column store for streaming data
C.Cloud Dataflow — the GCP managed streaming processing service
D.Cloud Storage — use GCS notification events as a message queue
AnswerA

Cloud Pub/Sub is the native GCP alternative to self-managed Kafka — fully managed, globally available, and scales to millions of messages/second without operational overhead.

Why this answer

Cloud Pub/Sub is the correct answer because it is Google Cloud's fully managed, scalable pub/sub messaging service that provides at-least-once delivery and supports both push and pull subscriptions, making it the direct managed alternative to self-managed Apache Kafka. It eliminates the operational overhead of managing Kafka clusters on VMs while offering similar event streaming capabilities with automatic scaling and global availability.

Exam trap

Google Cloud often tests the distinction between a messaging/queue service (Pub/Sub) and a data processing service (Dataflow) or a storage service (Bigtable, Cloud Storage), so candidates mistakenly choose Dataflow because it 'processes streaming data' or Bigtable because it 'handles streaming data,' missing that the question asks for a managed alternative to Kafka's pub/sub messaging, not for processing or storage.

How to eliminate wrong answers

Option B is wrong because Cloud Bigtable is a managed NoSQL wide-column database optimized for low-latency read/write access to large volumes of streaming data, not a pub/sub messaging system; it lacks the topic-based publish-subscribe model and message retention semantics of Kafka. Option C is wrong because Cloud Dataflow is a managed stream and batch processing service (based on Apache Beam) that processes data from sources like Pub/Sub, but it is not a messaging or queue service itself. Option D is wrong because Cloud Storage with GCS notification events provides object change notifications that can be used as a simple event trigger, but it does not offer the durable, ordered, partitioned message log, configurable retention, or pub/sub semantics required for a Kafka alternative.

800
MCQmedium

A company needs to store and serve user-generated content such as images and videos. The data must be accessible globally with low latency. Which Google Cloud storage service should they use?

A.Persistent Disk
B.Cloud Filestore
C.Cloud Storage
D.Local SSD
AnswerC

Cloud Storage is the correct choice for storing and serving user-generated content globally.

Why this answer

Cloud Storage is object storage designed for global accessibility, with low-latency access and multiple storage classes. It supports serving content via CDN integration.

801
MCQmedium

An engineer needs to view the logs generated by a Cloud Run service to troubleshoot a recent deployment. Which service should they use?

A.Cloud Monitoring
B.Cloud Logging
C.Error Reporting
D.Cloud Trace
AnswerB

Correct. Cloud Logging aggregates logs from Cloud Run and other services.

Why this answer

Cloud Logging (formerly Stackdriver Logging) is the unified logging service for Google Cloud. Cloud Run logs are automatically sent to Cloud Logging.

802
MCQhard

A service account from project A needs to read a BigQuery dataset in project B. The service account is granted roles/bigquery.dataViewer at the project B level. Yet the access is denied. What additional step is needed?

A.Enable the BigQuery API on project A
B.Grant the service account roles/bigquery.jobUser on project A
C.Grant the service account roles/bigquery.user on project B
D.Add the service account to the dataset's ACL in BigQuery
AnswerD

Dataset ACL can override project-level roles, requiring explicit grant.

Why this answer

D is correct because BigQuery datasets use Access Control Lists (ACLs) in addition to IAM policies. Even though the service account has the roles/bigquery.dataViewer IAM role at the project B level, this role grants access to list datasets and read metadata, but does not automatically grant access to the actual data within a dataset. The dataset's ACL must explicitly include the service account to allow reading the tables and views.

This is a common requirement when cross-project access is needed, as IAM roles at the project level do not propagate to dataset-level ACLs unless the dataset is configured to inherit permissions.

Exam trap

Google Cloud often tests the misconception that IAM roles at the project level are sufficient for cross-project data access, when in fact BigQuery datasets require explicit ACL entries for the service account to read data.

How to eliminate wrong answers

Option A is wrong because enabling the BigQuery API on project A is not required for the service account to read data in project B; the API must be enabled on the project where the dataset resides (project B), and it is likely already enabled. Option B is wrong because roles/bigquery.jobUser on project A grants permission to run jobs (e.g., queries) in project A, but does not grant read access to the dataset in project B; the service account needs data access in project B, not job execution rights in project A. Option C is wrong because roles/bigquery.user on project B allows listing datasets and running jobs, but does not grant read access to the actual data in the dataset; it is a higher-level role that still requires dataset-level ACLs for data access.

803
MCQhard

An organization wants to enforce that all projects under a specific folder have a set of constraints, such as disabling default network creation and requiring shielded VMs. What is the most efficient way to achieve this?

A.Use Cloud Shell to run scripts in each project.
B.Create IAM roles to restrict default network creation.
C.Use a service account to enforce policies.
D.Apply organization policies at the folder level.
AnswerD

Folder-level policies apply to all projects in that folder.

Why this answer

Organization policies can be applied at the folder level, inheriting to all projects within that folder. This is more efficient than applying per project. Using Cloud Shell is irrelevant.

IAM cannot enforce such constraints. Service accounts are for authentication.

804
MCQmedium

A team runs a Kubernetes CronJob that performs nightly database cleanup. The job runs at 2 AM UTC. This morning, the team notices the job failed at 2 AM but no one was alerted. How should the team configure alerting for CronJob failures?

A.Set `successfulJobsHistoryLimit: 0` — GKE sends an alert when the history is empty
B.Create a log-based metric on CronJob failure events in Cloud Logging and an alerting policy on that metric
C.Set `restartPolicy: Always` on the CronJob's Pod template — it will retry until success
D.Enable GKE's built-in CronJob alerting feature in the cluster's Notifications settings
AnswerB

Kubernetes CronJob failures are logged as events in Cloud Logging. A log-based metric counting failure events, combined with a Cloud Monitoring alerting policy, sends notifications when failures occur.

Why this answer

Option B is correct because Google Cloud Logging captures Kubernetes CronJob failure events, and you can create a log-based metric to count these failures. An alerting policy on that metric then triggers notifications when failures occur, providing a reliable, customizable alerting mechanism that does not depend on job history or restart policies.

Exam trap

The trap here is that candidates assume GKE has a native CronJob alerting toggle or that restart policies alone solve monitoring, when in reality you must explicitly create a log-based metric and alerting policy to detect job failures.

How to eliminate wrong answers

Option A is wrong because setting `successfulJobsHistoryLimit: 0` only removes completed job pods from history; it does not generate any alert and GKE has no built-in alert for an empty history. Option C is wrong because `restartPolicy: Always` is not valid for a CronJob's Pod template (only `Never` or `OnFailure` are allowed) and even if it were, it would retry the pod but not alert on failure. Option D is wrong because GKE does not have a built-in 'CronJob alerting feature' in cluster Notifications settings; cluster Notifications cover node and upgrade events, not CronJob failures.

805
MCQmedium

A web application uses a managed instance group. Traffic spikes sharply between 9 AM and 5 PM and drops to near zero overnight. Which autoscaling metric most directly triggers scale-out before user experience degrades?

A.Average CPU utilization of instances in the group
B.Pub/Sub subscription queue depth
C.HTTP load balancing serving capacity (requests per second per instance)
D.Disk I/O throughput
AnswerC

This metric reflects actual HTTP request load and triggers scaling before instances become saturated, providing the most responsive scale-out for web workloads.

Why this answer

HTTP load balancing serving capacity (requests per second per instance) is the most direct metric because it measures the actual user-facing load on each instance. When traffic spikes, this metric rises immediately, triggering scale-out before instances become saturated and response times degrade. CPU utilization can lag behind the spike due to queuing or async processing, making it less responsive for sharp traffic patterns.

Exam trap

The trap here is that candidates assume CPU utilization is the universal autoscaling metric, but the ACE exam specifically tests that for web applications with sharp traffic spikes, the HTTP load balancing serving capacity metric provides the fastest and most direct signal to prevent user experience degradation.

How to eliminate wrong answers

Option A is wrong because average CPU utilization can be a lagging indicator—instances may queue requests before CPU spikes, and some workloads (e.g., I/O-bound or async) don't correlate tightly with user-facing load, so scale-out may occur too late. Option B is wrong because Pub/Sub subscription queue depth measures backlog of asynchronous messages, not direct user requests; it is suitable for event-driven or worker-based autoscaling, not for a web application serving live traffic. Option D is wrong because disk I/O throughput is a storage-level metric unrelated to request handling capacity; it would only be relevant for data-intensive batch jobs, not for scaling a web frontend.

806
MCQmedium

A developer wants to make objects in a Cloud Storage bucket publicly readable. They want to grant access to allUsers with the objectViewer role. Which command should they use?

A.gsutil acl ch -u AllUsers:R gs://my-bucket
B.gcloud storage buckets add-iam-policy-binding my-bucket --member allUsers --role roles/storage.objectViewer
C.gsutil iam ch allUsers:storage.objectViewer gs://my-bucket
D.gsutil iam ch allUsers:objectViewer gs://my-bucket
AnswerD

Correct: grants objectViewer to allUsers using IAM.

Why this answer

gsutil iam ch grants IAM roles to members. The correct command adds the roles/storage.objectViewer role to allUsers. gsutil acl ch is the legacy ACL method; the question asks for IAM, so iam ch is appropriate.

807
MCQhard

You are designing a data pipeline that reads from Cloud Storage, transforms data, and writes to BigQuery. The pipeline must process data exactly when new files land (event-driven), handle files up to 5 GB, and complete within 10 minutes. Which approach best meets these requirements?

A.Configure a Cloud Storage Pub/Sub notification → Cloud Function that launches a Dataflow job for each new file.
B.Use a Cloud Scheduler cron job that scans Cloud Storage every minute and processes new files with Dataflow.
C.Use Cloud Functions triggered by GCS events to read and transform the 5 GB file directly.
D.Use BigQuery Data Transfer Service to load files from Cloud Storage on a schedule.
AnswerA

GCS object notifications to Pub/Sub trigger a Cloud Function that launches a Dataflow job. Dataflow handles files up to 5 GB within 10 minutes using parallel workers, and the event-driven architecture processes files exactly when they land.

Why this answer

Option A is correct because Cloud Storage Pub/Sub notifications provide event-driven triggers for each new file, and launching a Dataflow job via a Cloud Function allows processing of up to 5 GB files within the 10-minute window. Dataflow’s autoscaling and streaming capabilities handle large files efficiently, while the Cloud Function acts as a lightweight orchestrator without processing the data itself.

Exam trap

Google Cloud often tests the misconception that Cloud Functions can handle large data processing tasks directly; the trap here is overlooking the 9-minute timeout and 2 GB memory limit, which make Cloud Functions unsuitable for processing files larger than a few hundred megabytes on their own.

How to eliminate wrong answers

Option B is wrong because Cloud Scheduler cron jobs introduce polling latency (up to 1 minute) and are not truly event-driven, potentially missing the 10-minute completion requirement if files arrive between scans. Option C is wrong because Cloud Functions have a 9-minute timeout and 2 GB memory limit, making them incapable of processing a 5 GB file directly within the required time and resource constraints. Option D is wrong because BigQuery Data Transfer Service is designed for scheduled, batch loads from Cloud Storage, not event-driven processing triggered by new file arrivals, and it lacks the transformation capabilities needed for the pipeline.

808
MCQeasy

A new developer has just started at your company and has been given access to a project. They need to deploy a Cloud Run service, but they receive an error: 'Permission run.services.create denied.' The developer's IAM role is 'roles/cloudrun.viewer'. What is the most appropriate action to grant the developer the minimum necessary permissions to deploy Cloud Run services?

A.Grant the developer individual permissions: run.services.create and run.services.update.
B.Grant the developer the 'roles/editor' role for the project.
C.Grant the developer the 'roles/run.developer' role.
D.Add the developer to the 'roles/cloudrun.admin' role.
AnswerC

This role has the necessary permissions for deploying and managing Cloud Run services.

Why this answer

The 'roles/run.developer' role grants the minimum necessary permissions to deploy Cloud Run services, including run.services.create and run.services.update, without granting broader project-level access. The developer's current 'roles/cloudrun.viewer' role only allows read-only access, so upgrading to 'roles/run.developer' is the appropriate least-privilege solution.

Exam trap

The trap here is that candidates often confuse 'roles/cloudrun.admin' with the correct role, thinking it is the standard 'admin' role for Cloud Run, but the ACE exam expects knowledge of the newer 'run.developer' role as the least-privilege option for deploying services.

How to eliminate wrong answers

Option A is wrong because granting individual permissions like run.services.create and run.services.update is not a predefined IAM role and would require custom role creation, which is not the most straightforward or recommended approach for a new developer. Option B is wrong because 'roles/editor' grants broad project-level permissions (e.g., to modify all resources), which violates the principle of least privilege and is excessive for deploying only Cloud Run services. Option D is wrong because 'roles/cloudrun.admin' grants full administrative control over Cloud Run resources, including deletion and IAM policy changes, which is more than the minimum necessary permissions for deploying services.

809
MCQeasy

A developer wants to store a database password securely and make it accessible to a Compute Engine instance. Which Google Cloud service should be used?

A.Secret Manager
B.Cloud Storage
C.Cloud Filestore
D.Cloud KMS
AnswerA

Correct: Secret Manager securely stores secrets and provides access control and versioning.

Why this answer

Secret Manager is designed for storing secrets like passwords, API keys, and certificates. Cloud KMS is for encryption key management. Cloud Storage is not secure for secrets.

Cloud Filestore is for file storage.

810
MCQmedium

A GCP project administrator needs to share read-only access to all resources in the project with an external auditor who has a Gmail account (auditor@gmail.com). What should the admin do?

A.Create a service account for the auditor and share the JSON key file
B.Grant the Viewer role to auditor@gmail.com in the project's IAM policy
C.Add auditor@gmail.com as a project billing admin to give them read-only access
D.Create a Cloud Identity account for the auditor — Gmail accounts cannot access GCP projects
AnswerB

GCP IAM supports Gmail accounts as principals. Granting Viewer to auditor@gmail.com gives read-only access to all project resources using their Google identity.

Why this answer

Granting the Viewer (roles/viewer) role to auditor@gmail.com in the project's IAM policy is correct because it provides read-only access to all resources in the project without requiring a Cloud Identity account. Gmail accounts are supported as Google Accounts and can be added directly to IAM policies, allowing them to authenticate and access resources via the GCP Console or APIs.

Exam trap

Google Cloud often tests the misconception that external users with Gmail accounts cannot be added to GCP IAM policies, leading candidates to incorrectly choose the Cloud Identity option, but in reality, any Google Account (including @gmail.com) can be granted IAM roles directly.

How to eliminate wrong answers

Option A is wrong because service accounts are intended for applications and automated workloads, not for individual users; sharing a JSON key file with a person is a security risk and violates best practices for user authentication. Option C is wrong because the Billing Admin role (roles/billing.admin) grants full billing management permissions, not read-only access to project resources, and it does not provide Viewer-level access to compute, storage, or other services. Option D is wrong because Gmail accounts are valid Google Accounts that can be used directly in IAM policies without needing a Cloud Identity account; Cloud Identity is for organizations that want to manage users without Gmail addresses.

811
MCQeasy

A startup creates its first Google Cloud project. Before deploying any paid resources, what must be linked to the project?

A.A Cloud Identity domain
B.An Organization resource node
C.A billing account
D.A Shared VPC host project
AnswerC

Every project that uses paid GCP services must have a billing account linked. Without it, resource creation for paid services will fail.

Why this answer

A billing account must be linked to a Google Cloud project before deploying any paid resources because Google Cloud requires a valid payment method to be associated with the project to track and charge for resource usage. Without a billing account, billing is not enabled on the project: it can only use free-tier or always-free resources, and any paid service will fail to provision.

Exam trap

Google Cloud often tests the misconception that an Organization resource node is required for billing. In reality, a project can be created without an organization (standalone) and still have a billing account attached, so the trap is confusing the organizational hierarchy with billing prerequisites.

How to eliminate wrong answers

Option A is wrong because a Cloud Identity domain is used for managing users and groups with identity federation, but it is not a prerequisite for deploying paid resources; a project can exist without a Cloud Identity domain. Option B is wrong because an Organization resource node is a top-level container for projects under an organization, but it is not required for a standalone project; a project can be created without an organization node, and billing can still be attached. Option D is wrong because a Shared VPC host project is used to share VPC networks across multiple projects, but it is not required for a single project to deploy paid resources; billing is independent of VPC sharing.

812
MCQhard

An enterprise stores sensitive customer data in Cloud Storage. Regulatory requirements mandate that the company controls its own encryption keys — Google must not be able to decrypt data unilaterally. Which encryption configuration satisfies this?

A.Google-managed encryption keys (the default)
B.Customer-managed encryption keys (CMEK) using Cloud KMS
C.Client-side encryption before uploading to Cloud Storage, without using Cloud KMS
D.Shielded VM with vTPM enabled on the storage backend
AnswerB

CMEK keys are created and controlled by the customer in Cloud KMS. GCP encrypts data using these keys, but the customer retains full control — including the ability to revoke access.

Why this answer

Option B is correct because Customer-Managed Encryption Keys (CMEK) with Cloud KMS allow the enterprise to control and manage their own encryption keys, ensuring that Google cannot unilaterally decrypt the data. With CMEK, the encryption keys are stored in Cloud KMS under the customer's control, and Google only has access to the key material for encryption/decryption operations as authorized by the customer. This satisfies the regulatory requirement that the company retains sole control over key material, preventing Google from decrypting data without explicit permission.

Exam trap

The trap here is that candidates often confuse client-side encryption (Option C) as always meeting compliance requirements, but the ACE exam tests that CMEK is the specific Google Cloud service that provides customer-controlled keys with full integration into Cloud Storage's access control and auditing, whereas client-side encryption lacks native key management and audit trails.

How to eliminate wrong answers

Option A is wrong because Google-managed encryption keys are the default where Google generates, stores, and manages the keys, meaning Google can decrypt the data unilaterally, which violates the regulatory mandate. Option C is wrong because client-side encryption before uploading to Cloud Storage, without using Cloud KMS, does not leverage Google's key management infrastructure and may not meet compliance requirements that mandate integration with a managed key service like Cloud KMS for auditing and key rotation; it also places full key management burden on the customer without the controls of CMEK. Option D is wrong because Shielded VM with vTPM is a compute instance security feature that ensures boot integrity and key attestation, not a storage encryption configuration; it does not control encryption keys for Cloud Storage data.

813
MCQeasy

A developer's gcloud command fails with 'PROJECT_ID is not set'. They need to confirm the currently active configuration — project, account, and default region. Which command shows this?

A.gcloud info
B.gcloud config list
C.gcloud auth status
D.gcloud projects describe --current
AnswerB

`gcloud config list` displays the active configuration: project, account, region, zone, and any other set properties. It's the quickest way to verify the current context.

Why this answer

Option B, `gcloud config list`, is correct because it displays the currently active configuration's core properties: project, account, and region (and zone if set). This directly answers the need to confirm the active project ID, account, and default region, and is the standard command for troubleshooting configuration issues like 'PROJECT_ID is not set'.

Exam trap

The trap here is that candidates confuse `gcloud info` (which shows verbose SDK details) with `gcloud config list` (which shows the active configuration's settings), or they incorrectly assume `gcloud projects describe --current` is a valid shortcut to fetch the current project's metadata.

How to eliminate wrong answers

Option A is wrong because `gcloud info` shows detailed information about the SDK installation, including paths, versions, and network settings, but it does not present the active configuration's project, account, and region in a concise, focused list. Option C is wrong because `gcloud auth status` only verifies the authentication state of the current account (e.g., whether credentials are valid) and does not display the project ID or default region. Option D is wrong because `gcloud projects describe --current` is not a valid command; `gcloud projects describe` requires a project ID or number as an argument, and there is no `--current` flag to infer the active project from the configuration.

814
MCQeasy

A company needs to store structured data with strong consistency and global distribution for a global user base. Which Google Cloud database service is best suited?

A.Bigtable
B.Cloud Spanner
C.Cloud SQL
D.Firestore
AnswerB

Cloud Spanner is a globally distributed, strongly consistent database.

Why this answer

Cloud Spanner is the correct choice because it provides strong consistency, horizontal scalability, and global distribution via synchronous replication across regions. It supports SQL queries and ACID transactions, making it ideal for structured data that requires both consistency and global access.

Exam trap

The trap here is that candidates often confuse Firestore's multi-region mode with strong global consistency, not realizing that Firestore sacrifices consistency for availability in that configuration, while Cloud Spanner is the only option that guarantees strong consistency across globally distributed regions.

How to eliminate wrong answers

Option A is wrong because Bigtable is a NoSQL wide-column database designed for high-throughput, low-latency analytical workloads, not for strong consistency across global regions (it offers eventual consistency). Option C is wrong because Cloud SQL is a regional relational database that cannot natively replicate across multiple global regions with strong consistency. Option D is wrong because Firestore is a NoSQL document database that offers strong consistency only within a single region; its multi-region mode provides eventual consistency, not the strong consistency required for global distribution.

815
MCQeasy

Your web application serves users globally. Static assets (images, JS, CSS) are stored in Cloud Storage. Users in Asia report slow load times for these assets. The application origin is in `us-central1`. What is the most cost-effective way to improve static asset performance for Asian users?

A.Replicate the Cloud Storage bucket to an Asia region and update DNS to route Asian users to the regional bucket.
B.Enable Cloud CDN on the Cloud Storage bucket's load balancer backend.
C.Deploy Cloud Run instances in Asia regions to serve the static assets.
D.Increase the Cloud Storage bucket's replication factor to improve throughput.
AnswerB

Cloud CDN caches static assets at Google's global edge PoPs. Asian users receive cached content from a nearby PoP, reducing round-trip latency to us-central1 dramatically.

Why this answer

Cloud CDN uses Google's global edge cache network to serve static assets from locations close to users, reducing latency for Asian users without requiring bucket replication or additional compute. It is the most cost-effective solution because it leverages existing Cloud Storage as the origin and only charges for cache egress and operations, avoiding the overhead of managing regional buckets or compute instances.

Exam trap

Google Cloud often tests the misconception that moving data closer to users requires replicating the storage or deploying compute in multiple regions, when in fact a global CDN is the simplest and most cost-effective solution for static content delivery.

How to eliminate wrong answers

Option A is wrong because replicating the Cloud Storage bucket to an Asia region and updating DNS adds complexity and cost for storage and egress, and DNS-based routing does not provide the same low-latency edge caching as Cloud CDN. Option C is wrong because deploying Cloud Run instances in Asia regions to serve static assets is over-engineered and more expensive than using Cloud CDN, as Cloud Run is designed for compute workloads, not static asset delivery. Option D is wrong because Cloud Storage buckets do not have a configurable 'replication factor' to improve throughput; throughput is handled by the underlying infrastructure, and increasing it does not address geographic latency.

816
MCQmedium

A team uses Terraform to manage GCP infrastructure. After running `terraform plan`, they see 15 resources to be created. They want to apply only the Cloud SQL instance (resource name: `google_sql_database_instance.main`) without applying all 15 changes. Which Terraform command targets a specific resource?

A.terraform apply --resource=google_sql_database_instance.main
B.terraform apply -target=google_sql_database_instance.main
C.terraform apply -only=google_sql_database_instance.main
D.terraform plan --filter=google_sql_database_instance.main && terraform apply
AnswerB

The `-target` flag limits apply to the specified resource and its direct dependencies — creating only the Cloud SQL instance from the 15-resource plan.

Why this answer

Option B is correct because Terraform uses the `-target` flag to limit the operation to a specific resource address, allowing you to apply only the `google_sql_database_instance.main` resource without affecting the other 14 resources in the plan. This is the standard Terraform syntax for targeting a single resource during `apply` or `destroy` operations.

Exam trap

Google Cloud often tests the distinction between valid Terraform flags like `-target` and common but invalid flags such as `--resource`, `-only`, or `--filter`, exploiting candidates' familiarity with other tools (e.g., `kubectl` or `gcloud`) that use similar but different syntax.

How to eliminate wrong answers

Option A is wrong because `--resource` is not a valid Terraform flag; Terraform uses `-target` for resource targeting. Option C is wrong because `-only` is not a valid Terraform flag; it does not exist in Terraform's CLI syntax. Option D is wrong because `--filter` is not a valid Terraform flag for `plan`; Terraform does not support filtering resources in `plan` output, and the proposed command chain would not achieve targeted application.

817
MCQeasy

A startup wants to create a new GCP project for development. They've already created a billing account. Which command can they use to create the project?

A.gcloud config set project PROJECT_ID
B.gcloud projects create PROJECT_ID
C.gcloud alpha projects create
D.gcloud resource-manager projects create
AnswerB

Correct: This command creates a new project with the specified ID.

Why this answer

The 'gcloud projects create' command creates a new project. Linking a billing account is a separate step, so the project can be created immediately, without billing.

818
MCQmedium

An engineer needs to create a Compute Engine instance with a specific custom subnet, an Ubuntu 20.04 LTS image, and a 50 GB boot disk. The engineer also wants to run a startup script that installs Apache. Which gcloud command should the engineer use to create this instance?

A.gcloud compute instances create my-instance --machine=e2-medium --image-family=ubuntu-2004-lts --image-project=ubuntu-os-cloud --boot-disk-size=50GB --subnet=my-subnet --zone=us-central1-a --metadata=startup-script='apt-get update && apt-get install -y apache2'
B.gcloud compute instances create my-instance --machine-type=e2-medium --image-family=ubuntu-2004-lts --image-project=ubuntu-os-cloud --boot-disk-size=50GB --subnet=my-subnet --zone=us-central1-a --metadata startup-script='apt-get update && apt-get install -y apache2'
C.gcloud compute instances create my-instance --machine-type=e2-medium --image-family=ubuntu-1804-lts --image-project=ubuntu-os-cloud --boot-disk-size=50GB --subnet=my-subnet --zone=us-central1-a --metadata=startup-script='apt-get update && apt-get install -y apache2'
D.gcloud compute instances create my-instance --machine-type=e2-medium --image=ubuntu-2004-lts --image-project=ubuntu-os-cloud --boot-disk-size=50GB --subnet=my-subnet --zone=us-central1-a --metadata startup-script='apt-get update && apt-get install -y apache2'
Answer: B

Correct flags and values.

Why this answer

The correct command uses gcloud compute instances create with the flags --machine-type, --image-family, --image-project, --boot-disk-size, --subnet, and --metadata startup-script. Option B includes all required flags with the correct values. Option C uses the wrong image family (Ubuntu 18.04 instead of 20.04).

Option A misspells --machine-type as --machine. Option D incorrectly uses --image instead of --image-family.

819
MCQ · medium

A developer accidentally exposed their gcloud application default credentials (ADC) file. They need to immediately revoke these credentials. Which command revokes the active application default credentials?

A.gcloud auth revoke [ACCOUNT_EMAIL]
B.gcloud auth application-default revoke
C.Delete the ~/.config/gcloud/application_default_credentials.json file manually
D.gcloud config unset auth/application_default_credentials
Answer: B

This command specifically revokes the application default credentials (the ADC file used by client libraries), not the standard gcloud CLI credentials.

Why this answer

Option B is correct because `gcloud auth application-default revoke` is the specific command designed to revoke the Application Default Credentials (ADC) that were set via `gcloud auth application-default login`. This command invalidates the OAuth 2.0 refresh token stored in the ADC file, ensuring the credentials can no longer be used for authentication to Google Cloud APIs.

Exam trap

Google Cloud often tests the distinction between user credentials (`gcloud auth`) and application credentials (`gcloud auth application-default`), and the trap here is that candidates mistakenly think deleting the file or using a general revoke command is sufficient, overlooking the need to explicitly revoke the OAuth refresh token server-side.

How to eliminate wrong answers

Option A is wrong because `gcloud auth revoke [ACCOUNT_EMAIL]` revokes user account credentials used for gcloud CLI operations, not the separate Application Default Credentials (ADC) file. Option C is wrong because simply deleting the file does not revoke the underlying OAuth 2.0 refresh token; the token remains valid until it expires or is explicitly revoked via the command, leaving a potential security gap. Option D is wrong because `gcloud config unset auth/application_default_credentials` unsets a configuration property that does not exist; ADC is managed via a credentials file, not a gcloud config property, so this command has no effect on revoking the credentials.

820
MCQ · medium

You have a Cloud Run service configured with `min-instances: 0`. During load testing you notice the first request after a period of inactivity takes 3–5 seconds instead of the normal 100ms. Subsequent requests are fast. What is causing this, and what is the most cost-effective fix?

A.The Cloud Run service's container image is too large; reduce image size.
B.Set `min-instances: 1` to keep a warm instance running and eliminate the cold start latency.
C.Switch from Cloud Run to GKE, which doesn't have cold starts.
D.Increase Cloud Run's request timeout to 30 seconds to accommodate cold starts.
Answer: B

min-instances: 1 prevents scale-to-zero, keeping a container warm. The first request after inactivity hits a ready instance instead of waiting for container startup.

Why this answer

Cold starts occur when Cloud Run needs to spin up a new container instance from zero. The 3–5 second delay is the container startup time. Setting `min-instances: 1` keeps at least one instance warm at all times, eliminating cold starts for the first request.

This adds a small cost (one always-running instance) but is the most targeted fix. Increasing memory or CPU doesn't directly address cold start if the issue is container initialization time.

821
MCQ · medium

A development team needs to create a Cloud Storage bucket that will store sensitive financial data. The bucket must be encrypted with a customer-managed encryption key (CMEK) and must have versioning enabled. Which command correctly creates this bucket?

A.gcloud storage buckets create gs://my-bucket --location=us-central1 --encryption-key=projects/my-project/locations/us-central1/keyRings/my-ring/cryptoKeys/my-key --versioning
B.gsutil mb -c regional -l us-central1 gs://my-bucket
C.gsutil mb -c regional -l us-central1 --cmek=projects/my-project/locations/us-central1/keyRings/my-ring/cryptoKeys/my-key gs://my-bucket
D.gcloud beta storage buckets create gs://my-bucket --cmek=projects/my-project/locations/us-central1/keyRings/my-ring/cryptoKeys/my-key --enable-versioning
Answer: A

This command correctly creates a bucket with CMEK and versioning enabled.

Why this answer

The gcloud storage buckets create command with --encryption-key specifies a CMEK key. The --versioning flag enables versioning. The --default-storage-class flag sets the storage class but is not required for encryption.

822
MCQ · medium

A compliance team needs a log of every time a user or service account accessed data in a BigQuery dataset — specifically read operations. Which Cloud Audit Log type captures this?

A.System event audit logs
B.Admin Activity audit logs
C.Data Access audit logs
D.VPC flow logs
Answer: C

Data Access audit logs record API calls that read data — including BigQuery table reads and query executions. They must be explicitly enabled and can generate high log volume.

Why this answer

Data Access audit logs record API calls that read or modify user-provided data, including BigQuery read operations like SELECT queries. Since the requirement is specifically for read operations on user data, Data Access logs are the correct type. Admin Activity logs cover configuration changes, not data reads, and System Event logs cover Google-managed actions, not user-initiated reads.

Exam trap

Google Cloud often tests the distinction between Admin Activity logs (which capture resource configuration changes) and Data Access logs (which capture data reads/writes), leading candidates to mistakenly choose Admin Activity for any 'access' scenario.

How to eliminate wrong answers

Option A is wrong because System event audit logs capture Google Cloud administrative actions that change resource configurations, not user or service account data reads. Option B is wrong because Admin Activity audit logs record operations that modify metadata or configurations (e.g., creating a dataset), not read operations on the data itself. Option D is wrong because VPC flow logs capture network traffic metadata (IP addresses, ports, protocols) at the subnet level, not application-level data access like BigQuery queries.

823
MCQ · easy

An engineer wants to create a regional GKE cluster with 3 nodes by default. Which command should be used?

A.gcloud container clusters create my-cluster --zone us-central1-a --num-nodes 3
B.gcloud container clusters create my-cluster --region us-central1 --num-nodes 3
C.gcloud container clusters create my-cluster --region us-central1 --nodes 3
D.gcloud compute clusters create my-cluster --region us-central1 --size 3
Answer: B

Correct. This creates a regional cluster with 3 nodes per zone.

Why this answer

The 'gcloud container clusters create' command with --region (not --zone) creates a regional cluster. --num-nodes specifies the number of nodes per zone.

824
Multi-Select · medium

A company wants to deploy a stateless microservice on GCP. The service experiences unpredictable traffic bursts and must scale to zero when idle to minimize costs. Which two services meet these requirements?

Select 2 answers
A.Cloud Functions (HTTP trigger)
B.Cloud Run (fully managed)
C.Compute Engine managed instance group with autoscaling
D.App Engine Standard environment
E.Google Kubernetes Engine (GKE) with a managed instance group
Answers: A, B

Scales to zero and handles bursts.

Why this answer

Cloud Run (fully managed) and Cloud Functions (with an HTTP trigger) both scale to zero when idle and handle burst traffic. A GKE cluster does not scale to zero (the node pool minimum size is greater than 0). A Compute Engine MIG can scale down but not to zero (a minimum instance count is required).

825
Multi-Select · medium

A company is deploying a multi-region application on Compute Engine and needs to configure network security. Which two steps should they take to restrict access to only required traffic? (Choose 2)

Select 2 answers
A.Configure Shared VPC to isolate network traffic
B.Delete the default allow rules that allow all traffic
C.Use Cloud NAT to allow inbound traffic from the internet
D.Use service accounts to restrict traffic between instances
E.Create ingress firewall rules that allow traffic from specific source IP ranges and apply them using network tags
Answers: D, E

Service accounts can be used in firewall rules to allow traffic based on identity.

Why this answer

Firewall rules by default deny all ingress; you need to allow specific traffic by source IP or service account. Tags help apply rules to specific VMs. Shared VPC is for cross-project networking.

Cloud NAT is for outbound internet. Using default allow rules would be too permissive.
