Google Associate Cloud Engineer (ACE) — Questions 826900

991 questions total · 14 pages · All types, answers revealed

Page 12 of 14
826 · MCQ · easy

A developer needs to create a Cloud Storage bucket with the storage class that automatically moves objects to a lower-cost storage class after 30 days. Which storage class should be used?

A. Coldline
B. Autoclass
C. Standard
D. Nearline
Answer: B

Why this answer

Autoclass automatically transitions objects between storage classes based on each object's access pattern. With the other classes, moving objects to a lower-cost class requires manually configured lifecycle rules.

827 · MCQ · easy

A developer wants to create a Compute Engine instance with the default Debian 11 image, a 50 GB boot disk, and in a specific subnet. Which command should be used?

A. gcloud compute instances create my-vm --image debian-11 --boot-disk-size 50 --subnet my-subnet
B. gcloud compute instances create my-vm --image-family debian-11 --image-project debian-cloud --disk-size 50GB --subnet my-subnet
C. gcloud compute instances create my-vm --image-family debian-11 --image-project debian-cloud --boot-disk-size 50GB --subnet my-subnet
D. gcloud compute instances create my-vm --image-family debian-11 --boot-disk-size 50 --subnet my-subnet
Answer: C

Correct. This uses the appropriate flags and values.

Why this answer

The command 'gcloud compute instances create' with flags --image-family, --image-project, --boot-disk-size, and --subnet correctly creates the instance with the specified configuration.

828 · MCQ · medium

A company has a managed instance group (MIG) with a fixed number of instances. They want to add an autoscaling policy that scales based on CPU utilization, with a target utilization of 60%. Which command should be used to update the MIG?

A. gcloud compute instance-groups managed set-autoscaling my-mig --region us-central1 --max-num-replicas 10 --target-cpu-utilization 0.6
B. gcloud compute instance-groups managed update my-mig --autoscaling --cpu-utilization 60
C. gcloud compute instance-groups managed configure-autoscaling my-mig --region us-central1 --target-cpu-utilization 0.6
D. gcloud compute instance-groups managed set-autoscaling my-mig --zone us-central1-a --max-num-replicas 10 --target-cpu-utilization 60
Answer: A

Correct. This sets autoscaling with CPU target utilization of 60%.

Why this answer

The 'gcloud compute instance-groups managed set-autoscaling' command configures autoscaling for a MIG with the specified target CPU utilization.

829 · MCQ · medium

An organization is running a batch job that processes sensitive data. The job writes output to a Cloud Storage bucket. The security team requires that all data at rest be encrypted with a customer-managed key. Which key type should be used?

A. Cloud HSM
B. Default encryption (Google-managed)
C. Customer-supplied encryption keys (CSEK)
D. Cloud KMS CMEK
Answer: D

CMEK provides customer control over keys via Cloud KMS.

Why this answer

Cloud KMS CMEK (Customer-Managed Encryption Keys) is the correct choice because it allows the organization to control and manage the encryption keys used to protect data at rest in Cloud Storage, meeting the security team's requirement for customer-managed keys. CMEK keys are created and managed in Cloud KMS, and you can control key rotation, access, and lifecycle, ensuring compliance with regulatory mandates for customer-managed encryption.

Exam trap

Google Cloud often tests the distinction between key types (CMEK, CSEK, Google-managed) and key protection methods (Cloud HSM, Cloud KMS), so the trap here is confusing Cloud HSM (a key protection option) with a key type, or thinking CSEK is still the recommended customer-managed approach for Cloud Storage.

How to eliminate wrong answers

Option A is wrong because Cloud HSM is a hardware security module service that provides a FIPS 140-2 Level 3 certified environment for key operations, but it is a key hosting option for CMEK keys, not a key type itself; the question asks for the key type, not the key protection method. Option B is wrong because Default encryption (Google-managed) uses Google-managed keys, which do not satisfy the requirement for customer-managed keys, as the organization cannot control or audit the key material. Option C is wrong because Customer-supplied encryption keys (CSEK) are used for client-side encryption where the customer provides the key directly in API calls, but CSEK is deprecated and not recommended for Cloud Storage; moreover, CSEK keys are not managed through Cloud KMS and do not provide the same level of integration, auditing, or lifecycle management as CMEK.

830 · Matching · medium

Match each Google Cloud service to its primary purpose.


Matches

- Object storage for unstructured data
- Serverless data warehouse for analytics
- Asynchronous messaging service
- Event-driven serverless compute
- Managed relational database service

Why these pairings

These are core GCP services with distinct use cases.

831 · MCQ · medium

A company runs an App Engine Standard application with multiple versions. They want to gradually roll out new features by sending a small percentage of traffic to a new version. How should they implement this?

A. Deploy the new version and delete the old version
B. Use Cloud Load Balancing to distribute traffic between versions
C. Create a new service for the new version and use a custom domain
D. Use App Engine's traffic splitting feature to assign a percentage of traffic to the new version
Answer: D

Traffic splitting is natively supported by App Engine for gradual rollouts.

Why this answer

App Engine Standard provides built-in traffic splitting, allowing you to assign a percentage of incoming requests to different versions of the same service. This is the simplest and most direct way to gradually roll out a new feature by sending a small percentage of traffic to the new version without needing external load balancers or additional services.

Exam trap

The trap here is that candidates may confuse App Engine's internal traffic splitting with external Cloud Load Balancing, thinking they need to set up a separate load balancer when App Engine already provides this capability natively for version-level traffic distribution.

How to eliminate wrong answers

Option A is wrong because deleting the old version would immediately send 100% of traffic to the new version, which defeats the purpose of a gradual rollout. Option B is wrong because Cloud Load Balancing is used for distributing traffic across different services or regions, not for splitting traffic between versions of the same App Engine service; App Engine's traffic splitting handles this internally. Option C is wrong because creating a new service for the new version and using a custom domain would require separate scaling and routing, and it does not provide the fine-grained percentage-based traffic splitting between versions within the same service that the question requires.

832 · MCQ · medium

A team is using Cloud Deployment Manager to define infrastructure as code. They need to ensure that a Cloud Storage bucket is created before a Compute Engine instance that uses the bucket. How should they accomplish this?

A. Use a dependsOn metadata annotation in the instance template
B. Set a dependency using the 'dependsOn' field in the instance resource definition
C. Reference the bucket's selfLink in the instance template metadata
D. Create the bucket and instance in separate deployments and run them sequentially
Answer: B

dependsOn in the resource definition ensures the bucket is created first.

Why this answer

In Cloud Deployment Manager, you can define explicit dependencies between resources using the `dependsOn` field within the resource definition. This ensures that the Cloud Storage bucket is fully created before the Compute Engine instance that references it, preventing race conditions or deployment failures. The `dependsOn` field accepts a list of resource names or selfLinks, and Deployment Manager waits for the depended-on resource to reach a DONE state before creating the dependent resource.

Exam trap

Google Cloud often tests the misconception that simply referencing a resource's attribute (like selfLink) in another resource's configuration automatically creates a dependency, but in Deployment Manager, dependencies must be explicitly declared with `dependsOn`.

How to eliminate wrong answers

Option A is wrong because `dependsOn` is not a metadata annotation; metadata annotations in Deployment Manager are used for arbitrary key-value pairs, not for resource dependency ordering. Option C is wrong because referencing the bucket's selfLink in instance template metadata does not create an implicit dependency; Deployment Manager does not automatically infer dependencies from metadata references — you must explicitly declare them with `dependsOn`. Option D is wrong because creating the bucket and instance in separate deployments and running them sequentially is an unnecessary manual workaround that defeats the purpose of using a single declarative template; Deployment Manager natively supports intra-template dependencies with `dependsOn`.

833 · MCQ · medium

A team's application emits a custom business metric (orders per minute) via its code. They want to display this metric on a Cloud Monitoring dashboard and alert when it drops below 50 orders per minute. What must be done first?

A. Enable the Custom Metrics feature flag in the GCP Console under Cloud Monitoring settings
B. Instrument the application to write the metric to the Cloud Monitoring API using a client library or OpenTelemetry
C. Create a log-based metric that extracts the orders value from application logs
D. Custom metrics require BigQuery; store values in BigQuery and link it to Cloud Monitoring
Answer: B

The application must emit the custom metric to Cloud Monitoring via the Monitoring API, client library (e.g., google-cloud-monitoring), or OpenTelemetry SDK. Once flowing, it appears in Metrics Explorer.

Why this answer

Option B is correct because Cloud Monitoring requires metrics to be explicitly ingested via its API or through OpenTelemetry. Custom metrics are not automatically available; the application must be instrumented to write the metric data (e.g., using the `cloud.google.com/go/monitoring` client library or OpenTelemetry exporter) to the Cloud Monitoring API. Without this step, the metric does not exist in Cloud Monitoring for dashboards or alerts.

Exam trap

Google Cloud often tests the misconception that custom metrics require a feature flag or a separate storage service like BigQuery, when in reality the only prerequisite is instrumenting the application to send data to the Cloud Monitoring API.

How to eliminate wrong answers

Option A is wrong because there is no 'Custom Metrics feature flag' in Cloud Monitoring settings; custom metrics are enabled by default once you write data via the API, and no toggle is required. Option C is wrong because a log-based metric extracts values from existing log entries, but the question states the metric is emitted via code, not logs — creating a log-based metric would require the application to first write logs, which is an unnecessary extra step and not the direct method for a custom metric. Option D is wrong because custom metrics do not require BigQuery; Cloud Monitoring stores custom metric data natively in its time-series database, and BigQuery integration is optional for long-term analysis, not a prerequisite.

834 · MCQ · medium

You need to grant a user the ability to create and manage Compute Engine instances in a specific project. You want to follow the principle of least privilege. Which IAM role should you assign?

A. roles/compute.admin
B. roles/compute.instanceAdmin.v1
C. roles/editor
D. roles/owner
Answer: B

Correct: least privilege for instance management.

Why this answer

roles/compute.instanceAdmin.v1 provides full control over Compute Engine instances but not other services. roles/editor is broader. roles/owner is too permissive. roles/compute.admin includes all compute resources, not just instances.

835 · MCQ · medium

A data analyst wants to import a SQL dump file from a Cloud Storage bucket into an existing Cloud SQL database. Which command should they use?

A. gcloud sql instances import my-instance gs://my-bucket/dump.sql --database=mydb
B. gcloud sql import sql my-instance gs://my-bucket/dump.sql --database=mydb
C. gcloud sql import csv my-instance gs://my-bucket/dump.sql --database=mydb
D. gcloud sql databases import my-instance gs://my-bucket/dump.sql
Answer: B

Correct syntax for importing SQL dump.

Why this answer

The correct command is 'gcloud sql import sql <instance> gs://<bucket>/<file> --database=<db>'. This imports a SQL dump file. The other commands either use wrong syntax or wrong import type (csv for CSV files).

836 · MCQ · medium

Refer to the exhibit. You have set up an HTTP load balancer with this health check. Your backend instances are running a web server on port 80, and the /health endpoint returns 200 OK. However, the health check marks all instances as unhealthy. What is the most likely cause?

A. The unhealthyThreshold is too low
B. The health check port is 80 but the web server is on port 80
C. The checkIntervalSec is too high
D. The requestPath is /healthz but the application does not have that endpoint
Answer: D

Correct. The health check path must match the application's health endpoint.

Why this answer

The health check is configured with requestPath /healthz, but the application only serves /health. This mismatch causes the health check to receive a non-200 response, marking instances unhealthy.

837 · MCQ · hard

A DevOps engineer needs to deploy a containerized microservice to Cloud Run that processes messages from Pub/Sub. The service must authenticate to Google Cloud APIs using a service account. Which Cloud Run deployment command should they use to ensure the service uses a specific service account?

A. gcloud run deploy my-service --image gcr.io/my-project/my-image --service-account my-sa@my-project.iam.gserviceaccount.com --platform managed
B. gcloud run deploy my-service --image gcr.io/my-project/my-image --account my-sa@my-project.iam.gserviceaccount.com
C. gcloud run deploy my-service --image gcr.io/my-project/my-image --impersonate-service-account my-sa@my-project.iam.gserviceaccount.com
D. gcloud run deploy my-service --image gcr.io/my-project/my-image
Answer: A

Correctly sets the service account for the Cloud Run service.

Why this answer

Cloud Run's --service-account flag attaches a specific service account as the service's runtime identity, and --image specifies the container image. The other options either use the wrong flag (--account selects the user account the gcloud CLI itself runs as, not the service's identity) or omit the service-account flag altogether.

838 · MCQ · medium

During a gcloud CLI session, a developer runs `gcloud config list` and sees the output shows `project = old-project`. They need to work in `new-project`. Which sequence of commands correctly switches projects and verifies the change?

A. gcloud projects activate new-project; gcloud config list
B. gcloud config set project new-project; gcloud config list
C. gcloud auth login --project=new-project; gcloud config list
D. export GCLOUD_PROJECT=new-project; gcloud config list
Answer: B

`gcloud config set project` updates the active project and `gcloud config list` confirms the new setting — a clean, targeted approach.

Why this answer

Option B is correct because `gcloud config set project new-project` updates the active project in the local CLI configuration, and `gcloud config list` then displays the current configuration, confirming the change. This is the standard method to switch the working project for subsequent gcloud commands.

Exam trap

Google Cloud often tests the distinction between environment variables and configuration file settings, trapping candidates who think setting `GCLOUD_PROJECT` will update the output of `gcloud config list`.

How to eliminate wrong answers

Option A is wrong because `gcloud projects activate new-project` is not a valid gcloud command; the correct command to switch projects is `gcloud config set project`. Option C is wrong because `gcloud auth login --project=new-project` authenticates the user and optionally sets a project during login, but it does not reliably change the project for the current session if a project is already configured; the `--project` flag is only a one-time override and does not persist in the config. Option D is wrong because `export GCLOUD_PROJECT=new-project` sets an environment variable that overrides the project for the current shell session, but `gcloud config list` still reads from the local configuration file and will show the old project unless the config is also updated; the environment variable is not reflected in `gcloud config list` output.

839 · MCQ · medium

An internal web application running on GKE must be accessible only to employees who are authenticated with the company's Google Workspace account — without exposing it to the internet or using a VPN. Which GCP service provides identity-based access without a VPN?

A. VPC Service Controls creating a perimeter around the GKE cluster
B. Cloud Identity-Aware Proxy (IAP) configured on the load balancer in front of the GKE service
C. Firebase Authentication SDK integrated into the web application frontend
D. Cloud Armor with a Google Workspace IP allowlist
Answer: B

IAP enforces Google identity authentication at the load balancer layer. Users must sign in with an authorized Google account — rejecting all unauthenticated requests before they reach the application.

Why this answer

Cloud Identity-Aware Proxy (IAP) is the correct choice because it enforces identity-based access control at the application layer, verifying that users are authenticated via Google Workspace before allowing traffic to reach the GKE service through an HTTPS load balancer. This eliminates the need for a VPN or public internet exposure by leveraging Google's global infrastructure to authenticate and authorize each request based on the user's identity and context.

Exam trap

The trap here is that candidates often confuse network-level controls (VPC Service Controls, Cloud Armor IP allowlists) with identity-based access, or they assume client-side authentication (Firebase) is sufficient for server-side access control, missing that IAP is the only service that combines identity verification with network edge enforcement without a VPN.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls creates perimeters to prevent data exfiltration and restrict access based on network context, but it does not provide per-user authentication or authorization for individual HTTP requests; it operates at the VPC network boundary, not the application layer. Option C is wrong because Firebase Authentication SDK is designed for client-side user authentication in web and mobile apps, but it does not integrate with GKE's ingress or load balancer to control access at the network edge, and it would require exposing the application to the internet for the SDK to function. Option D is wrong because Cloud Armor with a Google Workspace IP allowlist is not feasible, as Google Workspace does not publish a static or predictable set of IP addresses for all employee connections; employees may connect from various networks, including home or mobile, making IP-based allowlisting ineffective for identity-based access.

840 · Multi-Select · hard

Your Cloud Run service has a new revision that you want to gradually shift traffic to. You want to send 10% of traffic to the new revision and 90% to the current one. Which TWO steps are required? (Choose TWO.)

Select 2 answers
A. Set a new default URL for the new revision.
B. Delete the old revision.
C. Create the new revision by updating the service with a new image tag.
D. Enable VPC ingress for the new revision.
E. Use gcloud run services update-traffic to set traffic percentages.
Answers: C, E

Updating the service creates a new revision.

Why this answer

You first create the new revision (by updating the service) and then modify traffic percentages.

841 · MCQ · easy

You have a Compute Engine VM that is running a critical application. You need to change its machine type from n1-standard-4 to n2-standard-8. What is the correct procedure?

A. Stop the instance, then use gcloud compute instances set-machine-type, then start the instance
B. Use gcloud compute instances update --machine-type n2-standard-8 while the instance is running
C. Delete the instance and create a new one with the desired machine type
D. Use gcloud compute instances resize --machine-type n2-standard-8 without stopping
Answer: A

This is the correct procedure: stop, change machine type, start.

Why this answer

To change the machine type of a VM, you must stop the instance first, then use the gcloud compute instances set-machine-type command, and finally start the instance again.

842 · MCQ · medium

A company wants to use Customer-Managed Encryption Keys (CMEK) for encrypting data in a Cloud Storage bucket. They have created a key in Cloud KMS. Which step is required when creating the bucket to use CMEK?

A. Specify the key using the --kms-key flag in gsutil mb.
B. Use the --encryption-key flag in gcloud compute instances create.
C. No additional steps; Cloud Storage automatically uses CMEK if a key exists in the project.
D. Enable CMEK by setting the bucket's IAM policy.
Answer: A

Correct: --kms-key specifies the Cloud KMS key for CMEK.

Why this answer

To use CMEK on a bucket, the '--default-encryption-key' flag is used during 'gsutil mb' or 'gcloud storage buckets create'. The key must be specified as the resource name.

843 · MCQ · medium

A team deploys a containerized service to Cloud Run. After deployment, requests are timing out after 60 seconds. The service sometimes needs 3 minutes to process certain long-running requests. What should the team adjust?

A. Increase the minimum number of instances to reduce cold starts
B. Increase the Cloud Run request timeout to at least 180 seconds
C. Set concurrency to 1 to ensure each instance handles only one request at a time
D. Switch to Cloud Run Jobs instead of Cloud Run Services
Answer: B

Cloud Run's default request timeout is 60 seconds. For requests needing up to 3 minutes, the timeout must be explicitly increased (up to 3600 seconds via the console or `--timeout` flag).

Why this answer

Cloud Run has a default request timeout of 60 seconds. Since the service requires up to 3 minutes (180 seconds) for certain long-running requests, the timeout must be increased to at least 180 seconds. This is configured via the `--timeout` flag or the `timeout_seconds` field in the YAML configuration, and the maximum allowed value is 60 minutes (3600 seconds).

Exam trap

Google Cloud often tests the distinction between timeout-related issues and scaling or concurrency issues, so candidates mistakenly choose options that address cold starts or concurrency when the real problem is a hard timeout limit.

How to eliminate wrong answers

Option A is wrong because increasing the minimum number of instances reduces cold start latency but does not affect the request timeout; the 60-second timeout will still terminate long-running requests. Option C is wrong because setting concurrency to 1 limits the number of concurrent requests per instance but does not extend the request timeout; the request will still be terminated after 60 seconds. Option D is wrong because Cloud Run Jobs are designed for batch workloads that run to completion, not for handling HTTP requests; switching to Jobs would break the service's HTTP endpoint functionality.

844 · MCQ · medium

A company recently deployed a web application on a managed instance group (MIG) behind a regional external HTTP(S) load balancer. The application is a Python Flask app running on Compute Engine VMs. After a code update that caused increased response times under load, users report intermittent 503 errors. You examine the load balancer logs and see that the backend instances are periodically marked as unhealthy. The health check is configured to query the /health endpoint every 5 seconds with a healthy threshold of 2 and a timeout of 1 second. The application's /health endpoint returns 200 OK, but sometimes takes up to 1.5 seconds to respond. What is the most likely cause of the health check failures?

A. The instances are overloaded and failing health checks intermittently.
B. The health check response timeout is too low for the application's increased response time.
C. The health check firewall rule is missing or misconfigured.
D. The health check is checking the wrong port.
Answer: B

Timeout of 1 second causes false negatives when response takes 1.5 seconds.

Why this answer

The health check is configured with a timeout of 1 second, but the /health endpoint now takes up to 1.5 seconds to respond due to the code update. Since the health check waits only 1 second for a response, any request that takes longer than that will be considered a failure, causing the backend to be marked unhealthy and triggering 503 errors. This is a classic mismatch between health check timeout and application response time.

Exam trap

Google Cloud often tests the distinction between a health check timing out versus the instance being truly unhealthy—candidates may incorrectly attribute intermittent 503s to overload (Option A) rather than recognizing that the health check timeout value is the direct cause when the endpoint response time exceeds it.

How to eliminate wrong answers

Option A is wrong because while overloaded instances can cause health check failures, the specific evidence here is that the /health endpoint itself takes up to 1.5 seconds to respond, which directly exceeds the 1-second timeout—overload is a possible symptom but not the root cause. Option C is wrong because a missing or misconfigured firewall rule would cause health checks to fail consistently (all probes would time out or be dropped), not intermittently with some successful responses. Option D is wrong because the health check is configured to query the /health endpoint on the correct port (default HTTP 80 or the port the app listens on), and the logs show that the endpoint does respond, just slowly—so the port is not the issue.

845 · MCQ · medium

A developer receives a "Permission 'cloudfunctions.functions.call' denied" error when trying to invoke a Cloud Function from another service. What is the most likely cause?

A. The service account of the caller lacks the Cloud Functions Invoker role.
B. The function is not deployed to the correct region.
C. The Cloud Function has a CORS misconfiguration.
D. The VPC connector is not configured correctly.
Answer: A

IAM permissions are required to invoke a function.

Why this answer

The error 'Permission cloudfunctions.functions.call denied' indicates that the Identity and Access Management (IAM) policy does not grant the caller the required permission to invoke the function. The Cloud Functions Invoker role (roles/cloudfunctions.invoker) specifically allows the `cloudfunctions.functions.call` permission, which is necessary for HTTP-triggered functions. Without this role on the caller's service account, any invocation attempt will be denied, regardless of other configurations.

Exam trap

Google Cloud often tests the distinction between IAM permission errors and network/configuration errors, so candidates mistakenly choose CORS or VPC options because they think invocation failures are always due to networking or browser restrictions, but the specific error message points directly to a missing IAM role.

How to eliminate wrong answers

Option B is wrong because deploying to the wrong region would cause a 'function not found' or routing error, not a permission denied error; the IAM check occurs before regional routing. Option C is wrong because CORS misconfiguration affects browser-based cross-origin requests by blocking HTTP responses, not the underlying IAM authorization; the error message explicitly references a permission denial, not a CORS header issue. Option D is wrong because VPC connector misconfiguration would cause network connectivity failures (e.g., timeouts or unreachable endpoints) but does not affect IAM permission checks; the error is about authorization, not network access.

846 · MCQ · hard

A healthcare company uses GCP to store sensitive patient data in Cloud Storage buckets. Their security policy requires that all data access be logged and that any attempt to access data from outside the corporate network is blocked. They have implemented VPC Service Controls to create a service perimeter around the projects containing the buckets. They have also enabled Data Access audit logs. However, during an audit, they find that a few access attempts from an IP address outside the corporate network succeeded. The logs show that the requests were made using service account credentials. The service account has the storage.objectViewer role on the bucket. The VPC Service Controls perimeter is configured to block all access from outside the perimeter, but the logs show that some requests were allowed. What is the most likely reason?

A. The VPC Service Controls perimeter was configured with an access level that permits certain IP ranges.
B. The bucket is outside the service perimeter.
C. The service account is a member of the perimeter.
D. The VPC Service Controls perimeter does not block requests made by service accounts.
Answer: A

Access levels can allow traffic from specific IPs, so if the external IP is in an allowed range, the request succeeds.

Why this answer

Option A is correct because VPC Service Controls can be configured with access levels that define allowed client IP ranges. If the access level permits the IP addresses from which the service account requests originated, those requests would be allowed even though they come from outside the corporate network. The logs confirm that the requests used service account credentials, and the storage.objectViewer role grants read access, so the only remaining control that could have been bypassed is the VPC Service Controls perimeter — and an overly permissive access level is the most likely cause.

Exam trap

Google Cloud often tests the misconception that VPC Service Controls blocks all traffic from outside the perimeter unconditionally, but the trap here is that access levels can create exceptions that allow specific IP ranges, including non-corporate IPs, to bypass the block.

How to eliminate wrong answers

Option B is wrong because if the bucket were outside the service perimeter, VPC Service Controls would not apply at all, and the question states the perimeter is configured around the projects containing the buckets, so the buckets are inside the perimeter. Option C is wrong because service accounts are not 'members' of a service perimeter; VPC Service Controls perimeters define boundaries around projects, not individual identities, and service accounts inside the perimeter are still subject to the same ingress/egress rules. Option D is wrong because VPC Service Controls does block requests made by service accounts when those requests originate from outside the perimeter, unless an access level or other exception is explicitly configured.

847 · Multi-Select · medium

A company has a Cloud SQL for MySQL instance that needs to be replicated to a different region for disaster recovery. Which two actions should they take? (Choose TWO.)

Select 2 answers
A. Configure an external replica from the primary instance.
B. Enable binary logging on the primary instance.
C. Create a read replica of the primary instance in the target region.
D. Ensure the replica is in a different region and promote it to primary during failover.
E. Set up a failover replica in the same zone.
Answers: C, D

Read replica can be placed in a different region for DR.

Why this answer

To set up cross-region replication for Cloud SQL, you create a read replica in the desired region and enable cross-region replication. Option A and D are correct. Option B is for on-premises replication; C is for internal replication; E is not needed.

848
MCQmedium

You create a new Google Cloud project using the Cloud Console. After creating the project, you need to enable the Compute Engine API. What is the correct command to do this using the Cloud Shell?

A.gcloud projects enable compute.googleapis.com
B.gcloud compute enable compute.googleapis.com
C.gcloud api enable compute
D.gcloud services enable compute.googleapis.com
AnswerD

Correct. This enables the Compute Engine API.

Why this answer

The gcloud services enable command is used to enable APIs for a project. The correct syntax is 'gcloud services enable compute.googleapis.com'.

849
MCQmedium

A gaming company's GKE cluster uses a mix of node pools: a standard on-demand pool for stateful database pods, and a Spot VM pool for compute-intensive but fault-tolerant game simulation pods. The simulation pods occasionally get preempted. How should the Deployment be configured to route simulation pods to the Spot pool only?

A.Set podAffinity to prefer nodes where Spot pods are running
B.Add a nodeSelector: cloud.google.com/gke-spot: 'true' to the simulation Deployment spec
C.Set requests.cpu and requests.memory to very high values — GKE will route them to Spot nodes
D.Name the simulation Deployment with a 'spot-' prefix — GKE routes prefixed deployments to Spot pools
AnswerB

GKE automatically labels Spot VMs with `cloud.google.com/gke-spot: 'true'`. A nodeSelector with this label ensures simulation Pods are scheduled only on Spot nodes.

Why this answer

Option B is correct because GKE uses the node label `cloud.google.com/gke-spot` to identify Spot VMs. Adding a `nodeSelector` with that exact key-value pair ensures the simulation Deployment is scheduled exclusively on Spot nodes, which is the intended behavior for fault-tolerant, preemptible workloads.

Exam trap

The trap here is that candidates may confuse `nodeSelector` with `podAffinity` or assume GKE uses naming conventions or resource requests to determine node pool placement, when in fact it relies on node labels and taints.

How to eliminate wrong answers

Option A is wrong because `podAffinity` influences scheduling based on pod relationships, not node types; it would not restrict pods to Spot nodes. Option C is wrong because setting high resource requests does not route pods to Spot nodes; it only affects scheduling based on available capacity, and GKE does not use resource requests to determine node pool type. Option D is wrong because GKE does not route deployments to Spot pools based on naming conventions; node selection is controlled by labels, taints, and tolerations, not prefixes.

850
MCQmedium

A company has a Cloud Run service that needs to access a Cloud SQL database. What is the recommended way to connect securely?

A.Use Cloud SQL Proxy by adding the Cloud SQL instance connection name to the Cloud Run service
B.Use a public IP for the Cloud SQL instance and whitelist the Cloud Run service's IP
C.Store database credentials in environment variables
D.Use VPC peering to connect Cloud Run to Cloud SQL
AnswerA

Cloud SQL Proxy provides secure access via private IP or Unix socket.

Why this answer

Cloud Run has a built-in Cloud SQL connection: adding the instance connection name (PROJECT:REGION:INSTANCE) to the service makes the platform run the Cloud SQL Auth Proxy for you and expose the database as a Unix domain socket inside the container, so the connection is authenticated with the service's identity and encrypted end to end. For code that opens TCP connections, the Cloud SQL language connectors provide the same guarantees in-process. Either way, grant the Cloud Run service account only roles/cloudsql.client, and keep database credentials out of environment variables (option C) by using IAM database authentication or reading them from Secret Manager.

851
MCQmedium

A developer is deploying a containerized application on Cloud Run. The application needs to be invoked by external HTTPS requests without requiring authentication. Which flag should be included in the 'gcloud run deploy' command?

A.--invoker=public
B.--allow-unauthenticated
C.--ingress=internal
D.--no-allow-unauthenticated
AnswerB

Correct flag to allow unauthenticated invocations from the internet.

Why this answer

The --allow-unauthenticated flag makes the Cloud Run service publicly invocable. By default, Cloud Run requires a valid IAM identity on every request; adding this flag binds roles/run.invoker to the special principal allUsers on the service. Note that --ingress controls which network paths a request may arrive on, while --allow-unauthenticated controls who may invoke; the two are independent, so a public service still needs its own request validation.

852
Multi-Selectmedium

A company needs to deploy a web application on Google Cloud that requires high availability across multiple regions. Select TWO services that can help achieve this.

Select 2 answers
A.Global HTTP(S) Load Balancing
B.Cloud VPN
C.Cloud SQL with cross-region replication
D.Cloud NAT
E.Cloud CDN
AnswersA, C

Distributes traffic across regional backends for high availability.

Why this answer

Global HTTP(S) Load Balancing distributes traffic across regions, and Cloud SQL with cross-region replication provides database redundancy. Compute Engine instances in multiple regions serve traffic, and load balancing handles failover.

853
Multi-Selectmedium

A development team wants to deploy a containerized microservice that requires GPU acceleration for inference. They want to minimize cost while maintaining the ability to scale to zero when not in use. Which two services meet these requirements? (Choose TWO.)

Select 2 answers
A.Cloud Run
B.Cloud Functions with GPU
C.GKE Standard cluster with GPU node pool and cluster autoscaler
D.Compute Engine with GPUs in a managed instance group
E.GKE Autopilot cluster
AnswersC, E

GKE Standard can scale GPU node pools to zero when no pods request GPUs, minimizing cost.

Why this answer

Option C is correct because GKE Standard with a GPU node pool and cluster autoscaler allows the cluster to scale that pool down to zero nodes when no pods require GPU resources, minimizing cost. The cluster autoscaler removes idle nodes and adds GPU nodes only when GPU-accelerated pods are scheduled, meeting the requirement for scaling to zero. Option E is correct because GKE Autopilot schedules GPU workloads when a Pod requests an accelerator and provisions the underlying capacity only while such Pods run; with no GPU Pods scheduled there is no GPU capacity being billed, which satisfies scale-to-zero without managing node pools at all.

Exam trap

Google Cloud often tests the misconception that serverless services like Cloud Run or Cloud Functions support GPUs; at the time this question was written, GPU acceleration was available only through container orchestration on GKE or Compute Engine-based solutions. Cloud Run has since added GPU support for services, so check current documentation before relying on this distinction outside the exam.

854
MCQmedium

A company is deploying a stateful application on Google Kubernetes Engine (GKE) that requires persistent storage. Each pod needs its own dedicated persistent disk that is not shared. Which Kubernetes resource should be used to manage the deployment?

A.Job with PersistentVolume
B.DaemonSet with hostPath volumes
C.Deployment with PersistentVolumeClaim template
D.StatefulSet with volumeClaimTemplates
AnswerD

StatefulSet creates unique PersistentVolumeClaims for each pod, ensuring dedicated persistent storage.

Why this answer

Option D is correct because a StatefulSet with volumeClaimTemplates is designed for stateful applications where each pod requires its own dedicated PersistentVolume (PV) that is not shared. The volumeClaimTemplates automatically generate a unique PersistentVolumeClaim (PVC) for each pod replica, ensuring each pod gets a separate, stable persistent disk that persists across rescheduling. This matches the requirement for a stateful application on GKE where pods need dedicated, non-shared storage.

Exam trap

Google Cloud often tests the distinction between Deployments and StatefulSets, and the trap here is that candidates mistakenly choose a Deployment with a PVC template, not realizing that Deployments treat all pods as interchangeable and would share the same PVC, violating the 'dedicated disk per pod' requirement.

How to eliminate wrong answers

Option A is wrong because a Job is used for batch or one-time tasks, not for managing a long-running stateful application, and a PersistentVolume alone does not provide per-pod dedicated storage without a PVC. Option B is wrong because a DaemonSet runs one pod per node, typically for cluster-level services like logging or monitoring, and hostPath volumes use the node's local filesystem, which does not provide dedicated, persistent storage that survives pod rescheduling across nodes. Option C is wrong because a Deployment with a PersistentVolumeClaim template would share the same PVC across all replicas, leading to shared storage and potential data corruption, whereas the requirement is for each pod to have its own dedicated disk.

855
MCQmedium

An engineer creates a firewall rule allowing ingress on port 8080 from source range 10.0.0.0/8 with priority 1000. Another rule denies ingress on port 8080 from source range 10.0.0.0/24 with priority 500. What is the effective behavior for traffic from 10.0.0.1?

A.Traffic is denied only if the source is exactly 10.0.0.1; otherwise allowed.
B.Traffic is denied because the deny rule has a higher priority (lower number).
C.Traffic is allowed because the allow rule covers a larger range.
D.Traffic is allowed because both rules match and the default is to allow.
AnswerB

Correct: The deny rule (priority 500) takes precedence over the allow rule (priority 1000).

Why this answer

Firewall rules are evaluated in order of priority, where lower numbers mean higher priority, and the first matching rule decides the packet's fate. The deny rule (priority 500) is evaluated before the allow rule (priority 1000), and 10.0.0.1 falls inside 10.0.0.0/24, so traffic from that address is denied. The width of the source range plays no part in the decision. If two matching rules share a priority, deny takes precedence over allow, and anything that matches no rule falls to the implied rules: deny for ingress, allow for egress.
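The evaluation order described above, as an added worked example (not code from the original page or from Google): a small Python model of VPC firewall ingress evaluation with the two rules from the question constructed inline, plus the implied deny-ingress fallback and the deny-beats-allow tie rule for equal priorities. Rule names and the rule dictionary shape are assumptions of the example.

```python
import ipaddress

# Constructed rule set mirroring the question: an allow from 10.0.0.0/8 at
# priority 1000 and a deny from the narrower 10.0.0.0/24 at priority 500.
# (Example data only; not taken from any real project.)
RULES = [
    {"name": "allow-8080-from-10-8", "direction": "INGRESS", "priority": 1000,
     "action": "allow", "source": "10.0.0.0/8", "ports": {8080}},
    {"name": "deny-8080-from-10-0-0-24", "direction": "INGRESS", "priority": 500,
     "action": "deny", "source": "10.0.0.0/24", "ports": {8080}},
]


def evaluate_ingress(rules, src_ip, dst_port):
    """Decide the fate of one ingress packet the way VPC firewall evaluation does.

    Only rules whose direction, source range and port all match are candidates.
    The candidate with the lowest priority number wins; when two candidates share
    a priority, deny takes precedence over allow. If nothing matches, the implied
    deny-ingress rule (priority 65535) applies.
    Returns (action, rule_name).
    """
    src = ipaddress.ip_address(src_ip)
    candidates = [
        r for r in rules
        if r["direction"] == "INGRESS"
        and src in ipaddress.ip_network(r["source"])
        and dst_port in r["ports"]
    ]
    if not candidates:
        return "deny", "implied-deny-ingress"
    winner = min(candidates,
                 key=lambda r: (r["priority"], 0 if r["action"] == "deny" else 1))
    return winner["action"], winner["name"]


def explain(rules, src_ip, dst_port):
    """Human-readable trace of which rule decided a packet."""
    action, name = evaluate_ingress(rules, src_ip, dst_port)
    return f"{src_ip} -> :{dst_port}: {action.upper()} by {name}"


if __name__ == "__main__":
    for ip, port in [("10.0.0.1", 8080), ("10.1.2.3", 8080), ("10.0.0.1", 22)]:
        print(explain(RULES, ip, port))
```

Running it shows 10.0.0.1 denied by the priority-500 rule, 10.1.2.3 (inside /8 but outside /24) allowed, and port 22 from either address hitting the implied deny because no rule matches it.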

856
MCQhard

A DevOps team uses Terraform to manage GCP infrastructure and wants to store Terraform state in a shared location that all team members can access securely, with state locking to prevent concurrent modifications. Which backend configuration achieves this?

A.gcs backend storing state in a Cloud Storage bucket
B.gcp backend storing state in a BigQuery table
C.remote backend connected to a Cloud SQL database
D.local backend with a path shared over Cloud Filestore
AnswerA

The `gcs` backend stores Terraform state in a Cloud Storage bucket and implements state locking itself, by creating a lock object beside the state with a generation precondition so that only one run can acquire it at a time, which makes concurrent team usage safe.

Why this answer

The `gcs` backend is the correct choice because it stores the state object in a Cloud Storage bucket, so access is governed by bucket IAM (and the state, which frequently contains secrets, can be protected with object versioning and a customer-managed key), and it provides locking natively: the backend writes a lock object using a generation-match precondition, so a second `terraform apply` fails to acquire the lock instead of racing the first. This ensures only one team member can modify the state at a time, preventing conflicts and corruption.

Exam trap

The trap here is that candidates confuse the Google provider (which manages GCP resources and is what option B's "gcp" alludes to) with a backend name, or assume that any shared filesystem such as Cloud Filestore can provide locking, ignoring that Terraform requires atomic, server-side locking, which remote backends such as `gcs` provide natively and a shared file path does not.

How to eliminate wrong answers

Option B is wrong because BigQuery is a data warehouse for analytics, not a state storage backend; it lacks native state locking and is not designed for the atomic write operations Terraform requires. Option C is wrong because the `remote` backend in Terraform is specifically for Terraform Cloud or Terraform Enterprise, not for connecting to a Cloud SQL database, which would require custom scripting and does not support built-in state locking. Option D is wrong because the `local` backend stores state on the local filesystem; sharing a path over Cloud Filestore does not provide state locking, as NFS does not support the atomic file locks Terraform needs, leading to race conditions and state corruption.

857
MCQhard

A GCP organization has 150 projects. A new security policy requires all projects to enable the Security Command Center API. What is the most efficient way to enable this API across all projects without manually visiting each project?

A.Manually enable the API in each of the 150 projects via the Cloud Console
B.Use a gcloud script to iterate over all projects and enable the API for each
C.Enable the API at the organization level — it inherits down to all projects
D.Create an organization policy enabling all APIs on all projects
AnswerB

Scripting with `gcloud projects list | xargs`, or Terraform with one `google_project_service` resource per project, enables the API across all 150 projects efficiently and repeatably. The identity running the loop needs the serviceusage.services.enable permission on every project, and a `gcloud projects list` filtered to the organization's projects avoids touching projects the policy does not cover.

Why this answer

Option B is correct because the gcloud command-line tool allows you to script the enabling of the Security Command Center API across all projects efficiently. Using `gcloud services enable securitycenter.googleapis.com --project=<project_id>` in a loop over the list of projects automates the task without manual intervention, leveraging the Cloud SDK's programmatic access to the Service Usage API.

Exam trap

Google Cloud often tests the misconception that organization-level settings automatically propagate API enablement to all projects, but in GCP, APIs must be explicitly enabled per project, and organization policies only enforce constraints, not service activation.

How to eliminate wrong answers

Option A is wrong because manually enabling the API in each of 150 projects via the Cloud Console is time-consuming and error-prone, contradicting the requirement for the 'most efficient' method. Option C is wrong because enabling an API at the organization level does not automatically inherit down to all projects; APIs must be enabled per project, and organization-level settings only control policies, not service enablement. Option D is wrong because organization policies cannot enable APIs; they enforce constraints (e.g., resource restrictions) via the Organization Policy Service, not service activation, and there is no policy to enable all APIs.

858
MCQeasy

A GKE pod's container is frequently crashing and restarting. You need to view the logs from the previous container instance (before the last crash) to diagnose the crash cause. Which command retrieves these logs?

A.`kubectl logs POD_NAME`
B.`kubectl logs POD_NAME --previous`
C.`kubectl describe pod POD_NAME`
D.`kubectl get events --field-selector reason=OOMKilled`
AnswerB

--previous retrieves logs from the terminated previous container instance — exactly what's needed to see what happened before the crash.

Why this answer

Option B is correct because the `--previous` flag in `kubectl logs` retrieves logs from the previous instance of a container in a pod, which is exactly what you need when the current container has crashed and restarted. This allows you to see the logs that led to the crash, even though the container is now running a new instance.

Exam trap

The trap here is that candidates often confuse `kubectl logs` with `kubectl describe` or `kubectl get events`, thinking those commands provide log output, when in fact only `kubectl logs` retrieves container logs and the `--previous` flag is the specific mechanism to access logs from a crashed instance.

How to eliminate wrong answers

Option A is wrong because `kubectl logs POD_NAME` only shows logs from the currently running container instance, not from the previous crashed instance, so it would not show the crash cause. Option C is wrong because `kubectl describe pod POD_NAME` shows pod metadata, status, and events, but does not retrieve container logs; it cannot show the log output from the previous container instance. Option D is wrong because `kubectl get events --field-selector reason=OOMKilled` only filters for Out-Of-Memory kill events, which is too narrow and may miss other crash reasons; it also does not retrieve the actual container logs needed for diagnosis.

859
MCQhard

An organization wants to enable Data Access audit logs for all Cloud Storage buckets in a project. Which step is necessary?

A.Use gcloud logging to create a log sink for Cloud Storage.
B.Enable Data Access logs in each bucket's settings.
C.Configure an organization policy or IAM audit config to enable Data Access logs for Cloud Storage.
D.Add an IAM binding with the roles/logging.admin role to a user.
AnswerC

Data Access audit logs are enabled via IAM audit config at the project or organization level, specifying which services to audit.

Why this answer

Data Access audit logs are disabled by default for Cloud Storage and are enabled through the IAM policy's audit configuration at project, folder or organization level, scoped either to a specific service such as Cloud Storage or to all services. Enabling DATA_READ on busy buckets can generate a large volume of log entries (and cost), so scope it deliberately and consider exempting service accounts that generate noise rather than disabling the log type.
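The audit-config edit described above, as an added example (not code from the original page or from Google): a Python helper that takes the policy document returned by the project's get-iam-policy call, merges an `auditConfigs` entry for Cloud Storage with DATA_READ, DATA_WRITE and ADMIN_READ enabled, optionally exempts named principals, and leaves bindings and etag untouched so the subsequent set-iam-policy call will be rejected if someone else changed the policy in the meantime. The sample policy, its etag and the exempted service account are constructed placeholders.

```python
import copy
import json

DATA_ACCESS_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")


def enable_data_access_logs(policy, service="storage.googleapis.com",
                            log_types=DATA_ACCESS_LOG_TYPES, exempted_members=()):
    """Return a copy of an IAM policy with Data Access audit logs enabled for `service`.

    Data Access logging lives in the policy's `auditConfigs` list, one entry per
    service (or the special name `allServices`), each with `auditLogConfigs`
    holding a `logType` and optional `exemptedMembers`. Existing entries are
    merged rather than replaced, so the call is idempotent and never drops a log
    type someone else enabled. The etag is preserved on purpose.
    """
    new_policy = copy.deepcopy(policy)
    configs = new_policy.setdefault("auditConfigs", [])
    entry = next((c for c in configs if c.get("service") == service), None)
    if entry is None:
        entry = {"service": service, "auditLogConfigs": []}
        configs.append(entry)
    by_type = {c["logType"]: c for c in entry["auditLogConfigs"]}
    for log_type in log_types:
        cfg = by_type.get(log_type)
        if cfg is None:
            cfg = {"logType": log_type}
            entry["auditLogConfigs"].append(cfg)
            by_type[log_type] = cfg
        for member in exempted_members:
            exempt = cfg.setdefault("exemptedMembers", [])
            if member not in exempt:
                exempt.append(member)
    return new_policy


def enabled_log_types(policy, service):
    """Which Data Access log types are enabled for `service` (empty set if none)."""
    for c in policy.get("auditConfigs", []):
        if c.get("service") == service:
            return {a["logType"] for a in c.get("auditLogConfigs", [])}
    return set()


# Constructed sample of what get-iam-policy might return for a project with no
# Data Access logging configured (bindings abbreviated; etag is illustrative).
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXsample==",
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
    ],
}

if __name__ == "__main__":
    # Hypothetical noisy backup identity that should not flood DATA_READ logs.
    noisy = "serviceAccount:backup-sa@example.iam.gserviceaccount.com"
    print(json.dumps(enable_data_access_logs(SAMPLE_POLICY, exempted_members=[noisy]), indent=2))
```

The workflow around it is: export the policy with `gcloud projects get-iam-policy PROJECT_ID --format=json`, run the helper over that JSON, and apply the result with `gcloud projects set-iam-policy PROJECT_ID policy.json`. Because the etag is carried through, a concurrent change to the policy makes the set call fail instead of silently overwriting the other change; rerun the export and the helper in that case.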

860
MCQhard

A developer is using Cloud Shell and wants to ensure that their gcloud configuration persists after the Cloud Shell session ends. They have set the compute and access settings using `gcloud config set`. What should they do to keep these settings for future sessions?

A.They need to create a startup script to apply the settings each time
B.The settings are automatically preserved because Cloud Shell's home directory persists
C.They must run `gcloud config configurations save default` before ending the session
D.They must use `gcloud config set --persist` flag
AnswerB

Cloud Shell provides persistent storage of 5GB, and gcloud configurations are stored in ~/.config/gcloud.

Why this answer

gcloud configurations are stored in the user's home directory and persist across Cloud Shell sessions because the $HOME directory is persistent (with 5GB of persistent disk storage). No additional action is needed.

861
MCQmedium

An engineer wants to deploy a Python function that processes messages from a Pub/Sub topic. The function should be triggered whenever a message is published to the topic. Which command should the engineer use to deploy the function?

A.gcloud functions deploy my-function --runtime python39 --trigger-http --entry-point main --region=us-central1
B.gcloud functions deploy my-function --runtime python39 --trigger-topic my-topic --entry-points main --region=us-central1
C.gcloud functions deploy my-function --runtime python39 --trigger-topic my-topic --entry-point main --region=us-central1
D.gcloud functions deploy my-function --runtime python39 --trigger-bucket my-bucket --entry-point main --region=us-central1
AnswerC

Correct: --trigger-topic specifies the Pub/Sub topic.

Why this answer

To deploy a Cloud Function triggered by a Pub/Sub topic, use gcloud functions deploy with --trigger-topic. Option C is correct. Option A uses --trigger-http for HTTP triggers.

Option B uses --trigger-topic but misspells --entry-point as --entry-points. Option D uses --trigger-bucket for Cloud Storage events.

862
MCQmedium

An organization needs to import a SQL dump file from a Cloud Storage bucket into an existing Cloud SQL for PostgreSQL instance. Which command should they use?

A.gcloud sql export sql my-instance gs://bucket/dump.sql
B.gcloud sql import sql my-instance gs://bucket/dump.sql --database=mydb
C.gcloud sql instances import my-instance gs://bucket/dump.sql
D.gcloud sql import csv my-instance gs://bucket/dump.sql --database=mydb
AnswerB

Correct: imports SQL dump into specified database.

Why this answer

The correct command is gcloud sql import sql, so option B is correct; the --database flag names the target database, and the Cloud SQL instance's service account must be able to read the object in the bucket (storage.objectViewer on the bucket is the usual grant). Option A is for exporting; option C is not the import syntax; option D imports CSV files, not a SQL dump.

863
Multi-Selecthard

A company is using Cloud Functions (2nd gen) to process high-volume events from Pub/Sub. The function needs to write results to a Cloud Storage bucket. The security team requires that the function uses a service account with the least privilege. Which THREE roles should the engineer assign to the function's service account? (Choose 3)

Select 3 answers
A.roles/cloudfunctions.invoker
B.roles/iam.serviceAccountUser
C.roles/pubsub.publisher
D.roles/pubsub.subscriber
E.roles/storage.objectCreator
AnswersA, D, E

Allows the Cloud Function to be invoked by the Pub/Sub push.

Why this answer

The page's answer is A, D and E. The function's service account needs to write objects (roles/storage.objectCreator, which allows creating objects but not reading, listing or deleting them), to receive and acknowledge messages from the subscription (roles/pubsub.subscriber) and to be invoked when a message arrives (roles/cloudfunctions.invoker). roles/pubsub.publisher is not needed because the function only consumes messages, and roles/iam.serviceAccountUser is a deployer-side permission, required by whoever attaches the service account to the function, not a runtime permission for the function itself.

In practice, with 2nd gen functions the Pub/Sub trigger is an Eventarc push subscription: the trigger's own service account is what needs invoker rights on the underlying Cloud Run service (roles/run.invoker, since 2nd gen functions run on Cloud Run), and the function's runtime identity only needs the Cloud Storage role plus whatever Pub/Sub permission its code actually exercises. Keep the two identities separate rather than granting everything to one account.

864
MCQhard

An organization needs to allow a third-party SIEM tool to ingest audit logs from their Google Cloud organization. The SIEM tool should only have read access to logs. Which IAM role should be granted?

A.roles/logging.configWriter
B.roles/logging.admin
C.roles/logging.viewer
D.roles/logging.privateLogViewer
AnswerC

Provides read-only access to log entries.

Why this answer

The roles/logging.viewer role grants read-only access to log entries except Data Access audit logs and Access Transparency logs, so it covers Admin Activity and System Event audit logs, which is the read access an audit-log consumer typically needs, without any ability to change sinks, exclusions or log buckets. If the SIEM also has to read Data Access audit logs (which record reads of user data and are off by default), it needs roles/logging.privateLogViewer, which is viewer plus the private-log permission. For continuous ingestion, prefer an aggregated log sink to a Pub/Sub topic or Cloud Storage bucket and give the SIEM access to that destination rather than letting it query the organization's logs directly.

Exam trap

Google Cloud often tests the distinction between roles/logging.viewer and roles/logging.privateLogViewer; candidates assume the latter is required for all audit logs, whereas it is required only for Data Access audit logs and Access Transparency logs. Admin Activity audit logs are readable with roles/logging.viewer.

How to eliminate wrong answers

Option A is wrong because roles/logging.configWriter grants write access to log configurations (e.g., creating log sinks and exclusions), not read-only access to logs, and would allow the SIEM to modify logging infrastructure. Option B is wrong because roles/logging.admin provides full administrative control over logging, including the ability to delete logs and modify log buckets, which exceeds the required read-only access. Option D is wrong as the least-privilege choice when the requirement is standard (Admin Activity) audit logs, because roles/logging.privateLogViewer additionally grants logging.privateLogEntries.list, which exposes Data Access and Access Transparency log entries; it becomes the right answer only if those private logs are explicitly in scope.

865
Multi-Selecthard

Which THREE configurations are required to enable Private Google Access for Compute Engine instances in a custom VPC subnet? (Select 3 correct answers)

Select 3 answers
A.Create a Cloud Router to advertise routes to Google.
B.Create a subnet with the --enable-private-ip-google-access flag.
C.Create a VPC network.
D.Launch Compute Engine instances in the subnet.
E.Configure Cloud NAT to route traffic to Google APIs.
AnswersB, C, D

Private Google Access must be enabled on the subnet.

Why this answer

Private Google Access is a per-subnet setting. Once enabled, instances in that subnet that have only internal IP addresses can reach Google APIs and services; it does not require Cloud NAT, Cloud VPN or an external IP. Instances that already have an external IP reach the APIs that way regardless of the setting. The VPC still needs a route to the default internet gateway covering the Google API address ranges (the default route suffices) and egress firewall rules that allow traffic to those ranges, both of which the default network configuration already provides.

The three required elements are: a VPC network, a subnet with Private Google Access enabled, and instances in that subnet.

866
MCQmedium

A Cloud SQL instance's disk is at 95% capacity. The application is experiencing write failures. You need to resolve this immediately with no downtime. What should you do?

A.Take a snapshot of the instance, create a new larger instance from the snapshot, then update the connection string.
B.Increase the disk size via the Cloud SQL console or `gcloud sql instances patch` — this occurs with no instance restart.
C.Delete old database tables to free up space.
D.Switch the instance to SSD storage, which has higher throughput and allows more writes.
AnswerB

Cloud SQL disk increases are online operations. `gcloud sql instances patch INSTANCE --storage-size=NEW_SIZE` resizes the disk without restarting or interrupting the instance. Storage can only grow, never shrink, so choose the new size deliberately, and enable automatic storage increase on the instance afterwards so the full-disk condition does not recur.

Why this answer

Option B is correct because Cloud SQL supports dynamic disk resizing without requiring an instance restart. When you increase the disk size via the console or `gcloud sql instances patch`, the change takes effect immediately, allowing the database to continue serving writes without downtime. This directly resolves the write failures caused by disk-full conditions.

Exam trap

The trap here is that candidates often assume any disk change requires a restart or migration, but Cloud SQL's online disk resize is a key differentiator that allows immediate resolution without downtime.

How to eliminate wrong answers

Option A is wrong because taking a snapshot and creating a new instance introduces significant downtime while the snapshot is taken, the new instance is provisioned, and the connection string is updated — violating the 'no downtime' requirement. Option C is wrong because deleting tables is a destructive, time-consuming operation that may not free enough space quickly, and it risks data loss; it also does not address the root cause of insufficient disk capacity. Option D is wrong because switching to SSD storage requires recreating the instance or migrating data, which causes downtime, and SSD does not increase disk capacity — it only improves I/O performance, so it would not resolve the disk-full write failures.

867
MCQmedium

Refer to the exhibit. A user runs `gcloud compute instances list` in Cloud Shell and gets the output 'Listed 0 items.' The user expects to see the VM they just created via the Console. What is the most likely cause?

A.The VM was created in a different region
B.The Cloud Shell is in a different project
C.The VM is stopping
D.The user does not have compute.instances.list permission
AnswerB

Cloud Shell uses the configured project, which might not be the same as the Console project.

Why this answer

The `gcloud compute instances list` command lists VM instances in the currently configured project (set via `gcloud config set project`). If the Cloud Shell is pointing to a different project than the one where the VM was created via the Console, the command will return 'Listed 0 items' even though the VM exists. This is the most likely cause because the user expects to see the VM but the command is scoped to a different project context.

Exam trap

Google Cloud often tests the distinction between project-level scope and regional scope, trapping candidates who assume region mismatch is the cause when the real issue is the Cloud Shell being configured to a different project.

How to eliminate wrong answers

Option A is wrong because the `gcloud compute instances list` command by default lists instances across all regions in the current project; a region mismatch would not cause 'Listed 0 items' unless the instance was in a different project. Option C is wrong because a VM in 'stopping' state is still listed by `gcloud compute instances list` (it appears with status 'STOPPING'), so it would not result in zero items. Option D is wrong because if the user lacked `compute.instances.list` permission, the command would return a permission denied error, not 'Listed 0 items'.

868
MCQmedium

A security team wants to ensure that all Compute Engine instances in a project are created with a specific custom service account attached. What is the most effective way to enforce this?

A.Use a firewall rule to block instances without the required service account.
B.Enable Shielded VMs on the project.
C.Create a custom role with `compute.instances.create` and assign it to all users.
D.Configure an organization policy with the constraint `compute.setServiceAccount` to restrict the service accounts that can be used.
AnswerD

This org policy constraint ensures instances are created only with specified service accounts.

Why this answer

The organization policy constraint named in option D restricts which service accounts may be attached to Compute Engine instances within the scope where it is set, so the restriction is enforced by the platform at creation time rather than relying on every creator to choose correctly. Complement it on the IAM side: attaching a service account to an instance requires iam.serviceAccounts.actAs on that account, so granting actAs only on the approved account, and not on the default Compute Engine service account, closes the same gap for principals who could otherwise pick any account they can act as. Firewall rules (A) act on traffic, not on instance configuration; Shielded VMs (B) harden boot integrity but say nothing about identity; a custom role with compute.instances.create (C) grants the ability to create instances but does not constrain which service account is used.

869
MCQeasy

Which command is used to view the current IAM policy for a Google Cloud project in JSON format?

A.gcloud compute instances get-iam-policy [INSTANCE]
B.gcloud organizations get-iam-policy [ORG_ID]
C.gcloud projects get-iam-policy [PROJECT_ID] --format json
D.gcloud iam service-accounts get-iam-policy [SERVICE_ACCOUNT]
AnswerC

Correct command.

Why this answer

The 'gcloud projects get-iam-policy' command retrieves the IAM policy for a project. The '--format json' flag outputs it in JSON. The other options are for other resources or wrong scope.

870
MCQhard

A company uses Cloud SQL with Customer-Managed Encryption Keys (CMEK). The security team wants to rotate the encryption key. What is the impact on the Cloud SQL instance?

A.The instance becomes unavailable until the key rotation is complete.
B.All data in the instance is re-encrypted immediately.
C.The instance must be stopped and restarted after the key rotation.
D.There is no impact; the instance automatically uses the new key version.
AnswerC

Cloud SQL requires a restart to begin using the new key version.

Why this answer

When you rotate a CMEK (create a new primary key version), the Cloud SQL instance keeps using the key version its data encryption key was wrapped with until the instance is restarted; after the restart it uses the new primary version. Data remains encrypted throughout and is not bulk re-encrypted. Do not disable or destroy the previous key version before the restart has completed: an instance whose key version is unavailable becomes inaccessible.

871
MCQmedium

Your application writes structured JSON logs to stdout from a Cloud Run service. You want to query logs in Cloud Logging to find all requests where the `user_id` field equals `12345`. Which log query syntax finds these entries?

A.`textPayload:"user_id:12345"`
B.`jsonPayload.user_id="12345"`
C.`resource.labels.user_id="12345"`
D.`labels.user_id="12345"`
AnswerB

Cloud Run parses JSON stdout as structured logs in jsonPayload. Field-level queries like jsonPayload.user_id="12345" filter log entries by specific JSON field values.

Why this answer

Option B is correct because Cloud Logging uses the `jsonPayload` field to access structured JSON fields in log entries. When your application writes structured JSON logs to stdout, Cloud Run automatically parses them and stores the fields under `jsonPayload`. The query `jsonPayload.user_id="12345"` directly matches the `user_id` field within that JSON payload.

Exam trap

Google Cloud often tests the distinction between `jsonPayload` for structured logs and `textPayload` for unstructured logs, and candidates mistakenly use `textPayload` or confuse `resource.labels` with application-level JSON fields.

How to eliminate wrong answers

Option A is wrong because `textPayload` is used for unstructured text logs, not structured JSON; the syntax `textPayload:"user_id:12345"` would search for that literal string in the text payload, not the JSON field. Option C is wrong because `resource.labels` refers to labels on the monitored resource (e.g., Cloud Run service name, revision), not the application's JSON payload fields. Option D is wrong because `labels` in Cloud Logging refer to user-defined metadata labels on the log entry itself, not the structured JSON fields from the application output.
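The jsonPayload-versus-textPayload distinction above, as an added example (not code from the original page or from Google): a Python helper that emits log lines in the JSON shape Cloud Run parses, a simplified stand-in for the ingestion split (valid JSON object to jsonPayload, anything else to textPayload), and two tiny filters equivalent to the question's `jsonPayload.user_id="12345"` and `textPayload:"user_id:12345"` queries. The ingestion model and the sample stdout lines are constructed for the example; the real pipeline also lifts a few special fields, but the split shown is the part that matters for the query.

```python
import json


def structured_log(message, severity="INFO", **fields):
    """Render one log line for stdout in the JSON shape Cloud Run parses.

    A JSON object written to stdout becomes a log entry whose fields land in
    jsonPayload; a top-level "severity" is used as the entry's severity and
    "message" is the summary line the Logs Explorer shows. Values are left as
    given, so emit IDs as strings if you will query them with a quoted string
    such as jsonPayload.user_id="12345".
    """
    entry = {"severity": severity, "message": message}
    entry.update(fields)
    return json.dumps(entry)


def ingest(raw_line):
    """Model the ingestion split: JSON object -> jsonPayload, otherwise textPayload.

    This is an assumption of the example, not Cloud Logging's code; it is just
    enough to show why the two query forms in the question hit different fields.
    """
    try:
        payload = json.loads(raw_line)
    except json.JSONDecodeError:
        payload = None
    if not isinstance(payload, dict):
        return {"textPayload": raw_line, "severity": "DEFAULT"}
    return {"jsonPayload": payload, "severity": payload.get("severity", "DEFAULT")}


def query_json_field(entries, field, value):
    """Equivalent of the Logs Explorer filter jsonPayload.<field>="<value>"."""
    return [e for e in entries
            if "jsonPayload" in e and e["jsonPayload"].get(field) == value]


def query_text_contains(entries, needle):
    """Equivalent of textPayload:"<needle>" (substring match on unstructured lines)."""
    return [e for e in entries if needle in e.get("textPayload", "")]


# Constructed sample output from a service: three structured lines and one
# plain print() that bypassed the logger.
SAMPLE_STDOUT = [
    structured_log("checkout completed", user_id="12345", order_id="A-77"),
    structured_log("checkout completed", user_id="99999", order_id="A-78"),
    structured_log("payment declined", severity="WARNING", user_id="12345"),
    "user_id:12345 legacy debug print",
]

if __name__ == "__main__":
    entries = [ingest(line) for line in SAMPLE_STDOUT]
    for e in query_json_field(entries, "user_id", "12345"):
        print(e["severity"], e["jsonPayload"]["message"])
```

The structured query finds the two entries for user 12345 and ignores the stray plain-text line even though it contains the same characters; the text query does the opposite. The last assertion in the test also shows the type trap: an ID logged as a number would not match a string comparison, so keep the type consistent across the code base.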

872
MCQmedium

A financial application requires a relational database with automatic failover to a standby in a different zone, with minimal configuration overhead. Which Cloud SQL configuration provides this?

A.Cloud SQL with a read replica in a different zone
B.Cloud SQL with High Availability (HA) configuration
C.Cloud Spanner multi-region instance
D.Two separate Cloud SQL instances with application-level failover logic
AnswerB

Cloud SQL HA creates an automatic failover replica in a different zone. Failover is automatic and requires no manual intervention.

Why this answer

Cloud SQL's High Availability (HA) configuration provides automatic failover to a standby instance in a different zone using synchronous replication and a regional persistent disk. This meets the requirement for minimal configuration overhead because it is a built-in feature that requires no application-level logic or manual intervention.

Exam trap

Google Cloud often tests the misconception that a read replica can serve as a failover target, but read replicas use asynchronous replication and require manual promotion, making them unsuitable for automatic failover with minimal configuration.

How to eliminate wrong answers

Option A is wrong because a read replica is designed for read scaling, not automatic failover; it requires manual promotion and does not provide synchronous replication for zero data loss. Option C is wrong because Cloud Spanner is a globally distributed, horizontally scalable database that introduces significant configuration overhead and cost, not a minimal-configuration relational database for a single-region failover requirement. Option D is wrong because managing two separate Cloud SQL instances with application-level failover logic adds significant configuration overhead and defeats the purpose of minimal configuration, as it requires custom code for health checks, replication, and failover coordination.

873
MCQeasy

A small business has a single Google Cloud project with a few Compute Engine instances running a web application. The instances are all in the same VPC and subnet. The security team wants to ensure that only HTTP (port 80) and HTTPS (port 443) traffic from the public internet is allowed to the instances, and that all other inbound traffic is blocked. They have already configured Cloud Armor for the load balancer. However, they notice that SSH traffic (port 22) is still reaching the instances from the internet, even though they do not have any explicit firewall rules allowing SSH. The project was just created and uses the default VPC network. What should they do to resolve this?

A.Create a VPC firewall rule with priority 1000 to deny ingress on port 22 from 0.0.0.0/0.
B.Configure a route to drop traffic destined to the instances on port 22.
C.Remove the SSH public key from the instance metadata.
D.Disable or delete the default-allow-ssh firewall rule in the VPC.
AnswerD

This rule allows SSH from anywhere; disabling it stops SSH traffic from the internet.

Why this answer

Option D is correct because the default VPC network is created with a default-allow-ssh firewall rule (priority 65534) that allows TCP port 22 from any source (0.0.0.0/0). Disabling or deleting that rule removes the only thing that admits SSH, so the implied deny-ingress rule (priority 65535) blocks it; the one-line fix is gcloud compute firewall-rules update default-allow-ssh --disabled, and gcloud compute firewall-rules list --filter="network=default" shows the rest of the permissive defaults (RDP and ICMP from anywhere) that deserve the same treatment. Option A would in fact also stop the traffic: VPC firewall rules are evaluated by priority, the lowest number wins, and a deny at priority 1000 takes precedence over an allow at 65534 (only at equal priority does deny beat allow). It is not the best answer because it leaves the overly permissive default rule in place, adds a second rule that has to be maintained, and blocks SSH from every source, including the IAP TCP-forwarding range 35.235.240.0/20, unless a higher-priority allow is added for that range.

Option C is incorrect because removing SSH keys from instance metadata does not block network traffic; port 22 still reaches the instance, and OS Login or project-wide keys may still grant access. Option B is incorrect because routes control packet forwarding by destination IP range, not firewall filtering; a route cannot drop traffic by destination port.
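The rule evaluation behind this question, as an added example that is not part of the question bank: a small model of how VPC firewall rules are applied to an ingress packet, used to compare option A (add a deny rule at priority 1000) with option D (disable default-allow-ssh). The rule set is a constructed approximation of a new default network; the priorities and the lowest-number-wins, deny-beats-allow-at-a-tie ordering are the real semantics.

```python
"""Added example: model of VPC firewall rule evaluation for an ingress packet.
Rules below are a constructed approximation of a new default VPC network."""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "deny"
    priority: int        # 0..65535, lower number wins
    protocol: str        # "tcp", "udp", "icmp" or "all"
    ports: frozenset     # empty means any port
    sources: tuple       # source CIDR ranges
    disabled: bool = False


IMPLIED_DENY = Rule("implied-deny-ingress", "deny", 65535, "all", frozenset(), ("0.0.0.0/0",))

# Constructed: the pre-populated rules of a default VPC network (all at priority 65534).
DEFAULT_RULES = (
    Rule("default-allow-ssh", "allow", 65534, "tcp", frozenset({22}), ("0.0.0.0/0",)),
    Rule("default-allow-rdp", "allow", 65534, "tcp", frozenset({3389}), ("0.0.0.0/0",)),
    Rule("default-allow-icmp", "allow", 65534, "icmp", frozenset(), ("0.0.0.0/0",)),
    Rule("default-allow-internal", "allow", 65534, "all", frozenset(), ("10.128.0.0/9",)),
)


def rule_matches(rule, src_ip, protocol, port):
    """Does this rule apply to the packet at all? Disabled rules never match."""
    if rule.disabled:
        return False
    if rule.protocol not in ("all", protocol):
        return False
    if rule.ports and port not in rule.ports:
        return False
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in rule.sources)


def evaluate(rules, src_ip, protocol, port):
    """Return (action, rule_name) for an ingress packet.

    Lowest priority number wins; at equal priority deny beats allow; if nothing
    else matches, the implied deny-ingress rule (priority 65535) applies."""
    hits = [r for r in (*rules, IMPLIED_DENY) if rule_matches(r, src_ip, protocol, port)]
    best = min(r.priority for r in hits)
    tied = [r for r in hits if r.priority == best]
    denies = [r for r in tied if r.action == "deny"]
    winner = denies[0] if denies else tied[0]
    return winner.action, winner.name


def option_a(rules):
    """Option A: add a deny at priority 1000; the default allow rule stays in place."""
    deny = Rule("deny-ssh-from-internet", "deny", 1000, "tcp", frozenset({22}), ("0.0.0.0/0",))
    return (deny, *rules)


def option_d(rules):
    """Option D: disable default-allow-ssh, so nothing admits port 22 any more."""
    return tuple(replace(r, disabled=True) if r.name == "default-allow-ssh" else r for r in rules)


if __name__ == "__main__":
    for label, rs in (("as created", DEFAULT_RULES),
                      ("option A", option_a(DEFAULT_RULES)),
                      ("option D", option_d(DEFAULT_RULES))):
        print(label, evaluate(rs, "203.0.113.5", "tcp", 22))
```

Running it shows both A and D end in a deny for an internet source, but only D does so by removing the permissive rule; A also denies the IAP range, which the real fix would have to re-allow at a priority below 1000.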

874
Multi-Selecteasy

A developer wants to deploy a Cloud Run service from source code in a local directory. Which two commands or steps are necessary? (Choose two.)

Select 2 answers
A.Run gcloud builds submit --tag gcr.io/my-project/my-image .
B.Run gcloud functions deploy my-function --source . --runtime nodejs16
C.Run gcloud app deploy --source .
D.Run gcloud run deploy --source . --region=us-central1
E.Run gcloud run deploy --image=gcr.io/my-project/my-image --region=us-central1
AnswersA, D

gcloud run deploy --source . builds the container with Cloud Build and deploys it in one step; gcloud builds submit --tag is the separate build step of the two-step path, producing the image that gcloud run deploy --image then deploys.

Why this answer

gcloud run deploy with --source builds and deploys from source in one step, which is why D is required. The answer key also counts A: when the build is done separately, gcloud builds submit --tag produces the image that gcloud run deploy --image (option E) consumes, so A is the step a separate build needs, and A plus E is the alternative to D. gcloud run deploy without --source expects a pre-built image. gcloud functions deploy targets Cloud Functions and gcloud app deploy targets App Engine, not Cloud Run. Note that gcr.io is the legacy Container Registry host; new images belong in an Artifact Registry repository (REGION-docker.pkg.dev/PROJECT/REPO/IMAGE).

875
MCQhard

A team is deploying a microservice to Cloud Run that needs to process messages from Pub/Sub. The service should only be invocable by Pub/Sub push deliveries, not by unauthenticated HTTP requests. What should the team do?

A.Deploy with --allow-unauthenticated and set up a Pub/Sub subscription with OIDC token audience
B.Deploy with --no-allow-unauthenticated and create a VPC connector to allow Pub/Sub internal traffic
C.Deploy with --no-allow-unauthenticated and configure the Pub/Sub subscription to use a service account that has the roles/run.invoker role on the Cloud Run service
D.Use Cloud Functions instead, which is more secure for Pub/Sub triggers
AnswerC

This is the correct approach: only authenticated requests are allowed, and Pub/Sub uses a service account to authenticate.

Why this answer

To restrict invocation to Pub/Sub, the Cloud Run service must require authentication (deploy with --no-allow-unauthenticated, which is also the default) and the push subscription must authenticate as a service account that holds roles/run.invoker on the service. On the subscription this is set with --push-auth-service-account (and optionally --push-auth-token-audience); Pub/Sub then attaches an OIDC token for that service account to every push request, and Cloud Run verifies the token before the container ever sees the request. Check that the Pub/Sub service agent is able to mint tokens for that service account (roles/iam.serviceAccountTokenCreator on it) if pushes fail with 401 or 403. Option A is wrong because --allow-unauthenticated admits every caller whether or not it presents a token. Option B is wrong because a VPC connector governs the service's egress, not who may call it, and Pub/Sub push is not "internal" traffic. Option D is wrong because changing platforms does not answer the question, and a Cloud Functions Pub/Sub trigger is not inherently more secure.

876
MCQmedium

Refer to the exhibit. The Terraform plan above returns the error: Error: "member" is required. What is the issue?

A.The Terraform provider version is outdated.
B.The project ID is incorrect.
C.The member argument must be a service account, not a user.
D.The member argument should be 'member' (singular) not 'members'.
AnswerD

For google_project_iam_member, use 'member' attribute.

Why this answer

The Terraform error 'Error: "member" is required' indicates that the resource block is using the plural argument 'members' instead of the singular 'member'. In the Google Cloud Terraform provider, the google_project_iam_member resource expects a single 'member' argument (e.g., 'user:email@example.com'), not a list. The correct syntax is 'member = "user:email@example.com"', not 'members = ["user:email@example.com"]'.

This is a common syntax error when transitioning from other IAM resources that accept lists.

Exam trap

Google Cloud often tests the subtle difference between singular and plural argument names in Terraform resources (e.g., 'member' vs 'members'), tricking candidates who assume both forms are interchangeable or who confuse IAM member with IAM binding syntax.

How to eliminate wrong answers

Option A is wrong because an outdated provider version would typically cause deprecation warnings or missing features, not a specific error about a required argument name. Option B is wrong because an incorrect project ID would result in an error like 'project not found' or 'permission denied', not a missing 'member' argument. Option C is wrong because the 'member' argument can accept users, service accounts, groups, or domains (e.g., 'user:email', 'serviceAccount:sa@project.iam.gserviceaccount.com'); the error is about the argument name, not the value type.

877
MCQhard

You are setting up a new organization in Google Cloud. You want to restrict the regions where resources can be created to comply with data residency requirements. What should you do?

A.Set an organization policy with a constraint on allowed resource locations
B.Create a service account with limited permissions
C.Set a budget alert that notifies when resources are created outside allowed regions
D.Use IAM roles to restrict which users can create resources in specific regions
AnswerA

Organization policies can enforce location restrictions.

Why this answer

Organization policies set constraints at the organization, folder or project level, and descendants inherit them. The list constraint constraints/gcp.resourceLocations restricts where location-bound resources can be created; allowed values can be individual locations or value groups such as in:us-locations or in:eu-locations. The policy applies to new resources only: anything already created outside the allowed regions stays where it is and must be found and moved separately. Service accounts (B) and IAM roles (D) control who can act, not where; a budget alert (C) reports cost after the fact and enforces nothing.

878
MCQmedium

A team is setting up a new project and wants to estimate the monthly cost of running a Compute Engine VM with 4 vCPUs, 16 GB memory, and a 100 GB persistent disk, using the Google Cloud Pricing Calculator. The VM will run for 12 hours every day for a month. Which discount type will automatically apply to reduce the cost based on usage?

A.Preemptible VM discount
B.Sustained use discount
C.Committed use discount
D.Free tier discount
AnswerB

Sustained use discounts automatically apply for sustained usage over a month.

Why this answer

Sustained use discounts apply automatically, with no commitment, once a VM runs for more than 25% of a month; at 12 hours a day the VM reaches the 50% tier. They apply to the N1 and N2 families and several others, but not to E2 machine types (whose lower base price replaces them), and they are not combined with committed use discounts, which require a one- or three-year commitment. Preemptible and Spot pricing is only available if the VM is created as such, and such a VM can be reclaimed at any time. The free tier covers one small e2-micro instance per month in selected US regions, not this shape.

879
MCQmedium

Your application runs on Compute Engine instances behind a regional external HTTP(S) load balancer. Users report intermittent timeouts during periods of high traffic. Health checks show all instances as healthy. Which two configuration parameters should you review first?

A.Check SSL certificate expiration
B.Review connection draining and session affinity settings
C.Increase instance machine type (size)
D.Enable Cloud CDN
AnswerB

Connection draining timeouts and session affinity misconfigurations are common causes of intermittent timeouts under load.

Why this answer

B is correct because connection draining (drain mode) and session affinity settings directly affect how the load balancer handles in-flight requests and distributes traffic during high load. Connection draining ensures existing connections complete before an instance is removed, preventing abrupt timeouts. Session affinity (sticky sessions) can cause uneven traffic distribution if misconfigured, leading to overloaded instances and intermittent timeouts even when health checks pass. While reviewing the backend service, also check its timeout (30 seconds by default), since requests that take longer under load are cut off there regardless of instance health.

Exam trap

Google Cloud often tests the misconception that health check status alone guarantees application availability, but candidates must understand that load balancer configuration parameters like connection draining and session affinity can cause timeouts even when all instances are healthy.

How to eliminate wrong answers

Option A is wrong because SSL certificate expiration would cause persistent TLS handshake failures, not intermittent timeouts during high traffic, and health checks would still show instances as healthy. Option C is wrong because increasing instance machine type addresses resource exhaustion on the instances themselves, but the issue is load balancer-level connection handling and traffic distribution, not compute capacity. Option D is wrong because enabling Cloud CDN caches static content at edge locations, which does not resolve intermittent timeouts caused by connection draining or session affinity misconfiguration for dynamic or stateful traffic.

880
Multi-Selecthard

Which THREE options are valid methods to authenticate a service account when making calls to Google Cloud APIs from a Compute Engine instance?

Select 3 answers
A.Using a JSON key file downloaded for the service account.
B.Using a user account's OAuth2 tokens obtained via a web browser.
C.Using an API key generated from the Cloud Console.
D.Using the Compute Engine metadata server to obtain an access token for a custom service account.
E.Using the default service account's automatically provided credentials.
AnswersA, D, E

Service account key files can be used for authentication.

Why this answer

Option A is correct because a JSON key file contains the private key used to sign a JWT assertion, which is exchanged for an OAuth 2.0 access token at https://oauth2.googleapis.com/token. That flow works from anywhere, including a Compute Engine instance, but on a VM it is the weakest choice: the key is a long-lived credential on disk that must be protected and rotated. Options D and E are the recommended path and use the same mechanism: the metadata server issues short-lived access tokens for the service account attached to the instance, whether that is the default Compute Engine service account (E, which Application Default Credentials picks up with no configuration) or a custom service account attached at creation or later with gcloud compute instances set-service-account (D). Option B is wrong because a user's OAuth tokens authenticate that user, not the service account; option C is wrong because an API key identifies the calling project and carries no identity at all.

Exam trap

Google Cloud often tests the distinction between authentication (proving identity) and authorization (granting permissions), and the trap here is that candidates mistakenly think API keys (Option C) can authenticate a service account, when in fact API keys only identify the project and are not tied to a specific identity.

881
Multi-Selecthard

A company requires that all service account keys be automatically rotated every 90 days. Which two steps should the administrator take to enforce this? (Choose two.)

Select 2 answers
A.Enable the Service Account Key Rotator in the Google Cloud Console.
B.Use IAM to set a condition that keys must have an expiration date.
C.Use the Service Account API to create keys with a custom expiration time.
D.Use an Organization Policy to disable service account key creation.
E.Use a Cloud Function to monitor key age and delete keys older than 90 days.
AnswersC, E

A user-managed key can carry an expiry, and keys past the policy age can be found and removed programmatically.

Why this answer

Option C is counted correct because a key can carry an expiry. The create call itself takes no expiry parameter; the expiry comes either from the certificate you supply when uploading your own public key (projects.serviceAccounts.keys.upload sets validBeforeTime from the certificate's notAfter) or from the organization policy constraint constraints/iam.serviceAccountKeyExpiryHours, which gives every newly created user-managed key a fixed validity period. An expired key stops working, which forces a replacement. Option E is correct because a scheduled Cloud Function (or Cloud Run job) can list keys, compute their age from validAfterTime, and disable or delete user-managed keys older than 90 days. Two practical caveats: system-managed keys (keyType SYSTEM_MANAGED) are rotated by Google and cannot be deleted, so automation must skip them, and disabling a key before deleting it gives a grace period in which a key that turns out to be in use can be re-enabled.

Exam trap

Google Cloud often tests the misconception that there is a built-in 'auto-rotate' toggle in the console; in reality expiry comes from an uploaded certificate or the iam.serviceAccountKeyExpiryHours organization policy, and rotation itself needs custom automation. Note also that option D, disabling key creation with constraints/iam.disableServiceAccountKeyCreation, is the stronger control wherever workloads can use attached service accounts or workload identity federation instead of keys, but it prevents keys rather than rotating them, which is why it is not an answer here.
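The decision logic a scheduled function for option E would run, as an added example that is not part of the question bank. The key records are constructed, but their field names (name, keyType, validAfterTime, validBeforeTime, disabled) follow the ServiceAccountKey resource returned by projects.serviceAccounts.keys.list; the service account email, project and key IDs are placeholders.

```python
"""Added example: two-phase service account key rotation over a constructed
keys.list result. Field names follow the ServiceAccountKey resource."""
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)        # rotation policy from the question
GRACE = timedelta(days=7)           # how long a key stays disabled before deletion
NO_EXPIRY = "9999-12-31T23:59:59Z"  # validBeforeTime of a key that never expires

# Placeholder service account (assumption, not from the page).
SA = "projects/my-project/serviceAccounts/etl@my-project.iam.gserviceaccount.com"

# Constructed sample as of 2024-06-01.
SAMPLE_KEYS = [
    {"name": SA + "/keys/k1", "keyType": "USER_MANAGED", "disabled": False,
     "validAfterTime": "2024-01-01T00:00:00Z", "validBeforeTime": NO_EXPIRY},
    {"name": SA + "/keys/k2", "keyType": "USER_MANAGED", "disabled": False,
     "validAfterTime": "2024-05-01T00:00:00Z", "validBeforeTime": "2024-07-30T00:00:00Z"},
    {"name": SA + "/keys/k3", "keyType": "SYSTEM_MANAGED", "disabled": False,
     "validAfterTime": "2023-01-01T00:00:00Z", "validBeforeTime": NO_EXPIRY},
    {"name": SA + "/keys/k4", "keyType": "USER_MANAGED", "disabled": True,
     "validAfterTime": "2024-02-01T00:00:00Z", "validBeforeTime": NO_EXPIRY},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def rfc3339(ts):
    """Parse the timestamp format the IAM API returns."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def plan_rotation(keys, now=NOW, max_age=MAX_AGE, grace=GRACE):
    """Return (action, key_name) pairs.

    A user-managed key older than max_age is disabled first (a key still in
    use then fails loudly and can be re-enabled); a disabled key is deleted
    once it is older than max_age + grace. System-managed keys are rotated by
    Google and cannot be deleted, so they are skipped."""
    actions = []
    for key in keys:
        if key["keyType"] != "USER_MANAGED":
            continue
        age = now - rfc3339(key["validAfterTime"])
        if key.get("disabled") and age > max_age + grace:
            actions.append(("delete", key["name"]))
        elif not key.get("disabled") and age > max_age:
            actions.append(("disable", key["name"]))
    return actions


def keys_without_expiry(keys):
    """User-managed keys that never expire: exactly what an expiry policy (option C) prevents."""
    return [k["name"] for k in keys
            if k["keyType"] == "USER_MANAGED" and k["validBeforeTime"] == NO_EXPIRY]


def gcloud_commands(actions):
    """Equivalent gcloud invocations, useful for a dry run or a change record."""
    cmds = []
    for action, name in actions:
        sa, key_id = name.split("/keys/")
        sa_email = sa.split("/serviceAccounts/")[1]
        cmds.append(f"gcloud iam service-accounts keys {action} {key_id} --iam-account={sa_email}")
    return cmds


if __name__ == "__main__":
    for cmd in gcloud_commands(plan_rotation(SAMPLE_KEYS)):
        print(cmd)
    print("never expire:", keys_without_expiry(SAMPLE_KEYS))
```

The age is measured from validAfterTime rather than from any local record, so the same function works on keys created before the automation existed.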

882
MCQmedium

A Cloud Run service named 'my-service' is currently serving 100% traffic to revision 'rev1'. You deploy a new revision 'rev2' and want to gradually shift traffic so that rev2 receives 10% of requests. Which command should you use?

A.gcloud run services update-traffic my-service --to-revisions=rev2=10,rev1=90
B.gcloud run services update my-service --traffic=rev2=10%
C.gcloud run deploy my-service --image=... --traffic=rev2=10
D.gcloud run revisions update rev2 --traffic=10
AnswerA

This correctly sends 10% to rev2 and 90% to rev1.

Why this answer

gcloud run services update-traffic allows you to set traffic percentages per revision. The syntax is --to-revisions=REVISION=PERCENTAGE.

883
MCQeasy

A developer needs to run an interactive shell inside a running GKE Pod named 'api-pod-7d4f9' in the 'production' namespace to investigate a runtime issue. Which kubectl command opens an interactive shell?

A.kubectl ssh api-pod-7d4f9 -n production
B.kubectl exec -it api-pod-7d4f9 -n production -- /bin/bash
C.kubectl run debug --image=busybox --attach=api-pod-7d4f9
D.gcloud container exec api-pod-7d4f9 --namespace=production -- bash
AnswerB

This command opens an interactive bash shell in the Pod. `-i` keeps stdin open, `-t` allocates a pseudo-TTY, `-n production` targets the correct namespace.

Why this answer

Option B is correct because `kubectl exec -it` attaches an interactive terminal to a running container in a Pod, with `-i` for stdin and `-t` for a TTY. The `-- /bin/bash` launches a Bash shell inside the container, allowing the developer to investigate runtime issues. This is the standard Kubernetes method for interactive shell access.

Exam trap

Google Cloud often tests the distinction between `kubectl exec` (for existing containers) and `kubectl run` (for creating new Pods), and candidates mistakenly choose options that use non-existent commands like `kubectl ssh` or `gcloud container exec`.

How to eliminate wrong answers

Option A is wrong because `kubectl ssh` is not a valid kubectl command; Kubernetes does not use SSH for container access, and this would fail. Option C is wrong because `kubectl run debug --image=busybox --attach=api-pod-7d4f9` creates a new Pod named 'debug' rather than attaching to the existing 'api-pod-7d4f9', and the `--attach` flag is misused (it attaches to the new Pod's logs, not the target Pod). Option D is wrong because `gcloud container exec` is not a valid gcloud command; the correct gcloud command for exec access is `gcloud container clusters get-credentials` followed by `kubectl exec`, and the syntax shown is incorrect.

884
MCQeasy

What is the purpose of the gcloud init command?

A.To create a billing account.
B.To initialize a new project in Google Cloud.
C.To enable APIs for a project.
D.To set up a new gcloud configuration and authenticate.
AnswerD

gcloud init performs initial setup of configuration and authentication.

Why this answer

gcloud init is used to initialize or reinitialize the gcloud environment, including setting default project, authentication, and compute region/zone. It can also create a new configuration profile.

885
MCQeasy

You want to switch between multiple GCP projects frequently using the gcloud CLI. What is the recommended approach?

A.Open separate terminal windows for each project.
B.Run gcloud init every time you switch projects.
C.Use gcloud config set project each time you switch.
D.Create multiple configuration profiles and activate them as needed.
AnswerD

Recommended method.

Why this answer

Configuration profiles (gcloud config configurations) allow you to create named configurations with different project, region, and zone settings. You can activate one with 'gcloud config configurations activate'. Setting individual properties each time is error-prone.

Running gcloud init each time is slow. Using separate terminals isn't efficient.

886
MCQmedium

A team is migrating from Google Container Registry (gcr.io) to Artifact Registry. Existing automation scripts use `gcr.io/my-project/myimage`. To avoid updating all scripts immediately, which Artifact Registry feature allows gcr.io-addressed pulls to work with Artifact Registry backends?

A.Artifact Registry has no gcr.io compatibility — all scripts must be updated immediately
B.Enable the gcr.io compatibility redirect in Artifact Registry settings so gcr.io URLs route to Artifact Registry
C.Use a Cloud DNS private zone to redirect gcr.io to Artifact Registry
D.Both Container Registry and Artifact Registry can be active simultaneously with no configuration
AnswerB

Artifact Registry supports a gcr.io compatibility mode where requests to gcr.io/[PROJECT]/[IMAGE] are served from Artifact Registry — allowing gradual script migration.

Why this answer

Option B is correct because Artifact Registry offers a gcr.io compatibility redirect that routes requests addressed to `gcr.io/my-project/myimage` to a gcr.io-named repository in Artifact Registry. Existing automation keeps using the old hostname without modification while storage and image management are handled by Artifact Registry. The redirect is enabled per project and applies to pulls and pushes, so scripts can be migrated gradually. Container Registry itself is now deprecated and gcr.io requests are routed to Artifact Registry by default, so in a current project the redirect is typically already active; the thing to verify is that the gcr.io repositories exist in Artifact Registry and that the callers hold artifactregistry.reader on them.

Exam trap

Google Cloud often tests the misconception that DNS manipulation (like Cloud DNS private zones) can solve hostname redirection for external services, but in reality, Google-managed hostnames like `gcr.io` cannot be overridden with private DNS, and the correct solution is the built-in Artifact Registry redirect feature.

How to eliminate wrong answers

Option A is wrong because Artifact Registry does provide gcr.io compatibility via the redirect, so scripts do not need to be updated immediately. Option C is wrong because Cloud DNS private zones cannot redirect external hostnames like `gcr.io` to Artifact Registry; DNS resolution for `gcr.io` is managed by Google, and even if it could be overridden, the registry endpoint would not serve the renamed path or the right authentication. Option D is wrong because running both registries side by side does nothing for the scripts: an image pushed only to Artifact Registry is not visible under `gcr.io` unless it is also pushed there, and only the redirect makes `gcr.io`-addressed pulls resolve against Artifact Registry without script changes.

887
MCQmedium

A company wants to ensure that all IAM users in a project must use two-factor authentication. Which Google Cloud service should be used?

A.Cloud Identity
B.Identity Platform
C.Cloud IAM
D.Cloud Audit Logs
AnswerA

Cloud Identity provides user management and security policies like 2SV.

Why this answer

Cloud Identity is the correct service because it provides identity-as-a-service (IDaaS) that allows administrators to enforce security policies, including requiring two-factor authentication (2FA) for all IAM users. By enabling 2FA at the Cloud Identity level, every user authenticating through Google Cloud's identity layer must complete a second factor (e.g., TOTP via Google Authenticator or a security key) before accessing any Google Cloud resources. This policy applies globally across all projects in the organization, ensuring consistent enforcement without needing to configure per-user or per-project settings.

Exam trap

The trap here is that candidates confuse Cloud IAM (which handles authorization) with Cloud Identity (which handles authentication and MFA enforcement), leading them to incorrectly select Cloud IAM because they think 'IAM' covers all identity-related settings.

How to eliminate wrong answers

Option B is wrong because Identity Platform is a customer-facing authentication service for applications (e.g., adding sign-in to a web app), not for enforcing 2FA on internal IAM users accessing Google Cloud resources. Option C is wrong because Cloud IAM manages permissions (who has access to what) but does not handle authentication methods or enforce multi-factor authentication policies. Option D is wrong because Cloud Audit Logs records who did what and when, but it cannot enforce or require two-factor authentication; it is a logging and monitoring service, not an identity or policy enforcement service.

888
Multi-Selectmedium

A developer needs to use gcloud CLI to manage multiple projects. They want to switch between configurations quickly. Which three commands are part of managing gcloud configuration profiles? (Choose THREE.)

Select 3 answers
A.gcloud config configurations export
B.gcloud config configurations activate
C.gcloud config configurations list
D.gcloud config configurations create
E.gcloud config set project
AnswersB, C, D

Activates an existing configuration.

Why this answer

gcloud config configurations has create, activate, list, describe, delete and rename subcommands; there is no export subcommand, so A is invalid. gcloud config set project is a real command, but it changes the project property inside the currently active configuration rather than managing profiles, so it is not one of the profile-management commands the question asks for.

889
MCQmedium

You are troubleshooting a Pub/Sub subscription that is not receiving messages as fast as they are published. You want to check if there is a backlog of unacknowledged messages for the subscription. What should you use?

A.Check the Cloud Logging logs for the subscription
B.Use gcloud pubsub subscriptions describe and check the ackDeadlineSeconds
C.Check the Cloud Console Pub/Sub dashboard for the topic publish rate
D.Use Cloud Monitoring to view the 'oldest_unacked_message_age' metric
AnswerD

This metric directly indicates the backlog.

Why this answer

Cloud Monitoring exposes the subscription metrics pubsub.googleapis.com/subscription/oldest_unacked_message_age and pubsub.googleapis.com/subscription/num_undelivered_messages, which show the backlog directly. ackDeadlineSeconds (B) is configuration, not state; the topic publish rate (C) shows what goes in, not what is waiting; logs (A) do not record per-message delivery state.

890
MCQmedium

An application running on a Compute Engine VM needs to read objects from a Cloud Storage bucket in the same project. What is the recommended authentication approach?

A.Embed a developer's user account credentials in the application configuration file
B.Attach a service account with the Storage Object Viewer role to the VM
C.Create an API key and store it as an environment variable on the VM
D.Grant the VM's IP address access to the bucket using a VPC firewall rule
AnswerB

Service accounts attached to VMs allow applications to authenticate automatically via the metadata server. This eliminates the need to manage credentials directly.

Why this answer

Option B is correct because attaching a service account with the Storage Object Viewer role to the Compute Engine VM is the recommended and secure method for authenticating to Cloud Storage. The VM automatically obtains OAuth 2.0 access tokens for the service account via the metadata server, eliminating the need to manage or embed credentials in the application code.

Exam trap

Google Cloud often tests the misconception that API keys or VPC firewall rules can control access to Cloud Storage, when in fact Cloud Storage authorizes requests with IAM (and legacy ACLs) evaluated against the OAuth 2.0 token presented; network-based restrictions, where they are needed, come from VPC Service Controls access levels, not firewall rules.

How to eliminate wrong answers

Option A is wrong because embedding a developer's user account credentials in a configuration file violates security best practices, exposes long-lived credentials, and ties the application to an individual user's permissions rather than a dedicated identity. Option C is wrong because API keys are not designed for authenticating as a specific identity; they identify the project making the call, not the caller, and carry no IAM permissions, so they cannot authorize reads of Cloud Storage objects. Option D is wrong because VPC firewall rules control network traffic at the IP/port level, not access to Cloud Storage objects; Cloud Storage uses IAM permissions for object-level access, and IP-based restrictions on storage access are implemented with VPC Service Controls access levels, not firewall rules.

891
MCQmedium

A startup processes uploaded videos — each video upload triggers transcoding that takes 5–30 minutes. Users should get an immediate response after upload, not wait for transcoding. The transcoding system must handle burst uploads. Which architecture fits?

A.Upload the video and synchronously wait for transcoding to complete before responding
B.Publish a transcoding job to Cloud Pub/Sub after upload; respond immediately; workers consume and process jobs asynchronously
C.Use Cloud Spanner to store video metadata and transcode synchronously in a Cloud SQL stored procedure
D.Deploy the transcoding directly in the API server and scale the API server horizontally for bursts
AnswerB

The user gets an instant acknowledgment. Cloud Pub/Sub buffers the jobs. Autoscaling workers consume messages and transcode — decoupled, scalable, and burst-tolerant.

Why this answer

Option B is correct because it decouples the upload from the transcoding process using Cloud Pub/Sub, allowing the API to respond immediately to the user while workers asynchronously process the transcoding jobs. This pattern handles burst uploads by buffering messages in Pub/Sub and scaling workers independently, ensuring no upload is lost even under high load.

Exam trap

Google Cloud often tests the misconception that synchronous processing or scaling the API server alone can handle long-running tasks, but the trap here is that immediate response and burst handling require asynchronous decoupling via a message queue like Pub/Sub, not just horizontal scaling.

How to eliminate wrong answers

Option A is wrong because synchronous waiting for transcoding (5–30 minutes) would block the HTTP response, violating the requirement for an immediate user response and causing timeouts or poor user experience. Option C is wrong because Cloud Spanner is a globally distributed relational database, not a transcoding engine, and running transcoding synchronously in a Cloud SQL stored procedure is impossible—stored procedures cannot perform video processing tasks. Option D is wrong because deploying transcoding directly in the API server would block the request thread for minutes, preventing horizontal scaling from solving the burst issue (each instance would still be tied up per upload), and it couples compute-intensive work with the stateless API layer.

892
MCQmedium

You need to query logs in Cloud Logging to find errors from a specific Compute Engine instance. The instance ID is 'my-instance'. Which query language filter should you use?

A.resource.type="compute.googleapis.com/Instance" AND instance="my-instance" AND severity="ERROR"
B.resource.type="gce_instance" AND resource.labels.instance_id="my-instance" AND severity="ERROR"
C.resource.type="gce_instance" AND resource.labels.instance_id="my-instance" AND severity>=ERROR
D.resource.type="gce_instance" AND labels."instance_id"="my-instance" AND severity="ERROR"
AnswerC

Correctly filters for GCE instance and severity ERROR or higher.

Why this answer

The filter must name the monitored resource type (resource.type="gce_instance"), identify the instance through the resource labels (resource.labels.instance_id), and select by severity. severity>=ERROR is the better severity clause because it also returns CRITICAL, ALERT and EMERGENCY entries, whereas severity="ERROR" in option B matches only that exact level. Option A uses a resource type and a top-level instance field that do not exist in the log entry schema; option D looks in the entry's user labels instead of the resource labels. One practical caveat: for gce_instance the instance_id label holds the numeric instance ID, so a filter by the human-readable name usually needs the ID first, which gcloud compute instances describe NAME --format='value(id)' prints.
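The filters from this question and from question 871 evaluated over constructed log entries, as an added example that is not part of the question bank. The evaluator is an approximation written for this page covering only AND, =, !=, >=, <= and the 'has' operator (:), not the real Logging engine; the resource labels, service and revision names are placeholders. It also shows how a JSON line on stdout becomes jsonPayload while a plain line becomes textPayload, which is the distinction question 871 turns on.

```python
"""Added example: a miniature evaluator for a subset of the Cloud Logging query
language, run over constructed entries. Approximation, not the real engine."""
import json
import re

SEVERITIES = ["DEFAULT", "DEBUG", "INFO", "NOTICE", "WARNING",
              "ERROR", "CRITICAL", "ALERT", "EMERGENCY"]

# path, operator, quoted value | bare value
TERM = re.compile(r'^((?:\w+|"[^"]*")(?:\.(?:\w+|"[^"]*"))*)\s*(>=|<=|!=|=|:)\s*(?:"([^"]*)"|(\S+))$')


def structured_log(message, severity="INFO", **fields):
    """One line an application writes to stdout. Cloud Run stores the parsed
    JSON under jsonPayload and lifts the special 'severity' key to the entry."""
    return json.dumps({"message": message, "severity": severity, **fields})


def ingest(stdout_line, resource):
    """JSON on stdout becomes jsonPayload; anything else becomes textPayload."""
    try:
        payload = json.loads(stdout_line)
    except ValueError:
        payload = None
    if isinstance(payload, dict):
        severity = payload.pop("severity", "DEFAULT")
        return {"resource": resource, "severity": severity, "jsonPayload": payload}
    return {"resource": resource, "severity": "DEFAULT", "textPayload": stdout_line}


def lookup(entry, path):
    """Follow a dotted path; quoted segments (labels."k") may contain dots."""
    cur = entry
    for seg in re.findall(r'"[^"]*"|[^.]+', path):
        seg = seg.strip('"')
        if not isinstance(cur, dict) or seg not in cur:
            return None
        cur = cur[seg]
    return cur


def term_matches(entry, path, op, value):
    actual = lookup(entry, path)
    if actual is None:
        return False
    if path == "severity":                    # ranked comparison, not string comparison
        a, v = SEVERITIES.index(actual), SEVERITIES.index(value)
    else:
        a, v = str(actual), value
        if op == ":":                         # 'has': case-insensitive substring
            return v.lower() in a.lower()
        if op in (">=", "<="):
            raise ValueError("range operators are only supported on severity here")
    return {"=": a == v, "!=": a != v, ">=": a >= v, "<=": a <= v, ":": a == v}[op]


def matches(entry, query):
    for term in re.split(r"\s+AND\s+", query.strip()):
        m = TERM.match(term)
        if not m:
            raise ValueError(f"unsupported term: {term!r}")
        path, op, quoted, bare = m.groups()
        if not term_matches(entry, path, op, quoted if quoted is not None else bare):
            return False
    return True


# Constructed monitored resources (placeholder names).
RUN = {"type": "cloud_run_revision", "labels": {"service_name": "checkout", "revision_name": "checkout-00007"}}
VM = {"type": "gce_instance", "labels": {"instance_id": "my-instance", "zone": "us-central1-a"}}
OTHER_VM = {"type": "gce_instance", "labels": {"instance_id": "other-vm", "zone": "us-central1-a"}}

# Constructed entries: two Cloud Run lines (structured and plain) and three VM entries.
ENTRIES = [
    ingest(structured_log("login ok", user_id="12345", path="/login"), RUN),
    ingest("user_id:12345 login ok", RUN),
    {"resource": VM, "severity": "ERROR", "textPayload": "disk full"},
    {"resource": VM, "severity": "CRITICAL", "textPayload": "kernel panic"},
    {"resource": OTHER_VM, "severity": "ERROR", "textPayload": "disk full"},
]


def search(query, entries=ENTRIES):
    """Indexes of the entries the query selects."""
    return [i for i, e in enumerate(entries) if matches(e, query)]


if __name__ == "__main__":
    print(search('jsonPayload.user_id="12345"'))
    print(search('resource.type="gce_instance" AND resource.labels.instance_id="my-instance" AND severity>=ERROR'))
```

The two severity queries differ by exactly the CRITICAL entry, which is the point of preferring severity>=ERROR when hunting for failures.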

893
MCQmedium

A developer is running a batch process on a Compute Engine instance that needs to write logs to Cloud Logging. The instance uses the default Compute Engine service account. What must be done?

A.Ensure the instance's access scopes include logging.write
B.No action needed, the default service account has logging write access
C.Create a custom service account with the required roles
D.Add the Logging Admin role to the service account
AnswerA

Access scopes limit API access; logging.write scope must be set.

Why this answer

Two independent checks gate an API call made from a Compute Engine VM with the default service account: the IAM roles granted to the service account, and the access scopes set on the instance, which cap what an access token obtained from the metadata server can be used for. The default Compute Engine service account is normally granted the basic Editor role on the project when it is created (unless the organization policy iam.automaticIamGrantsForDefaultServiceAccounts is enforced), so it already has permission to write logs. If the instance's scopes do not include https://www.googleapis.com/auth/logging.write (or the broad cloud-platform scope), the token does not carry that scope and the Logging API rejects the write regardless of IAM. Option A is correct because the scopes are what must be verified and, if necessary, set; scopes can only be changed on a stopped instance, with gcloud compute instances set-service-account --scopes.

Exam trap

Google Cloud often tests the distinction between IAM roles and access scopes, trapping candidates who assume that having the correct IAM role alone is sufficient for a Compute Engine instance to call an API.

How to eliminate wrong answers

Option B is wrong because having a role is not sufficient: the instance's access scopes must also include logging.write, otherwise the token issued by the metadata server lacks that scope and the API call is rejected. The default scope set of a new VM does include logging.write, so the scope is only missing if the scopes were customised, which is exactly what has to be checked. Option C is wrong because creating a custom service account is unnecessary here; a dedicated service account with only roles/logging.logWriter is good practice, but it does not answer the question about the default account. Option D is wrong because Logging Admin (roles/logging.admin) grants far more than needed, including deleting logs, and adding roles does nothing about a missing scope; roles/logging.logWriter is all a log writer needs.
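How a process on a VM obtains credentials from the metadata server (questions 880 and 890) and how access scopes limit what that token can do (this question), as an added example that is not part of the question bank. The metadata URL, the Metadata-Flavor header and the token and scopes paths are the real ones; FakeMetadataServer is a constructed stand-in so the code runs outside a VM, and the default scope list is taken from the documentation rather than fetched.

```python
"""Added example: fetching an access token and the granted scopes from the
Compute Engine metadata server, with a constructed offline stand-in."""
import json
import urllib.error
import urllib.request

METADATA = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/"
LOGGING_WRITE = "https://www.googleapis.com/auth/logging.write"
CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"

# Default access scopes of a new VM, as documented (listed here, not fetched).
DEFAULT_SCOPES = [
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/monitoring.write",
    "https://www.googleapis.com/auth/service.management.readonly",
    "https://www.googleapis.com/auth/servicecontrol",
    "https://www.googleapis.com/auth/trace.append",
]


def metadata_get(path, opener=urllib.request.urlopen):
    """GET a metadata path. The Metadata-Flavor header is mandatory: it stops
    requests forged through a browser or a naive proxy from reading tokens."""
    req = urllib.request.Request(METADATA + path, headers={"Metadata-Flavor": "Google"})
    with opener(req, timeout=2) as resp:
        return resp.read().decode()


def granted_scopes(opener=urllib.request.urlopen):
    """Scopes configured on the instance, one per line."""
    return metadata_get("scopes", opener).split()


def access_token(opener=urllib.request.urlopen):
    """Short-lived OAuth 2.0 token for the attached service account; no key file involved."""
    body = json.loads(metadata_get("token", opener))
    return body["access_token"], body["expires_in"]


def can_write_logs(scopes):
    """Scope check mirroring what the Logging API enforces on the token."""
    return LOGGING_WRITE in scopes or CLOUD_PLATFORM in scopes


class _Response:
    """Minimal file-like response for the stand-in."""
    def __init__(self, body):
        self._body = body.encode()

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


class FakeMetadataServer:
    """Constructed stand-in: serves the two paths used above and rejects
    requests without the Metadata-Flavor header with 403, as the real server does."""
    def __init__(self, scopes):
        self.scopes = scopes

    def __call__(self, req, timeout=None):
        headers = {k.lower(): v for k, v in req.header_items()}
        if headers.get("metadata-flavor") != "Google":
            raise urllib.error.HTTPError(req.full_url, 403, "Missing Metadata-Flavor:Google header", {}, None)
        path = req.full_url[len(METADATA):]
        if path == "scopes":
            return _Response("\n".join(self.scopes) + "\n")
        if path == "token":
            return _Response(json.dumps({"access_token": "ya29.constructed-token",
                                         "expires_in": 3599, "token_type": "Bearer"}))
        raise urllib.error.HTTPError(req.full_url, 404, "Not Found", {}, None)


def header_is_enforced(opener):
    """True if the server refuses a request that omits Metadata-Flavor."""
    req = urllib.request.Request(METADATA + "token")
    try:
        with opener(req, timeout=2):
            return False
    except urllib.error.HTTPError as err:
        return err.code == 403


if __name__ == "__main__":
    server = FakeMetadataServer(DEFAULT_SCOPES)   # swap for urllib.request.urlopen on a real VM
    print("can write logs:", can_write_logs(granted_scopes(opener=server)))
    print("token expires in:", access_token(opener=server)[1], "seconds")
```

On a real VM pass urllib.request.urlopen (the default) instead of the stand-in; if can_write_logs returns False there, the fix is the scope change from the answer, not another IAM role.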

894
MCQmedium

A monitoring alert fires at 3 AM — the team's GKE Pods are being evicted. Investigation shows node memory is at 98%. Pods without resource requests are being evicted first. What is the long-term fix to prevent evictions?

A.Set higher memory limits on the Pods being evicted
B.Add explicit memory requests (and optionally limits) to all Pod specs
C.Disable node-level eviction by modifying kubelet configuration
D.Add more nodes to the cluster to increase available memory
AnswerB

Pods without requests have BestEffort QoS and are evicted first. Setting memory requests elevates Pods to Burstable QoS. Matching requests and limits creates Guaranteed QoS — the most eviction-resistant class.

Why this answer

B is correct because setting explicit memory requests lets the Kubernetes scheduler place Pods only on nodes with enough reservable memory, so the node stops being overcommitted in the first place. A Pod with no requests or limits at all is BestEffort, the lowest Quality of Service (QoS) class, and BestEffort Pods are the first the kubelet evicts under memory pressure; requests move it to Burstable, and requests equal to limits make it Guaranteed. This is a long-term fix because it enforces resource governance at scheduling time rather than reacting to pressure. You can confirm the class a running Pod ended up in with kubectl get pod NAME -o jsonpath='{.status.qosClass}'.

Exam trap

Google Cloud often tests the misconception that raising limits or adding capacity is the fix, but the real issue is the absence of requests, which prevents the scheduler from making informed placement decisions and leaves Pods in the lowest QoS class.

How to eliminate wrong answers

Option A is wrong because raising memory limits without adjusting requests does not improve scheduling accuracy; limits only cap usage, the Pod still lacks a reservation, so it stays in a lower QoS class and is still evicted first under pressure. Option C is wrong because disabling kubelet eviction (the --eviction-hard and --eviction-soft thresholds) would let the node run out of memory entirely, leading to kernel OOM kills or node instability, and on GKE the kubelet's eviction thresholds are managed by Google and cannot be changed by the user in any case. Option D is wrong because adding nodes only spreads the load temporarily; without requests, new Pods are still placed with no reservation, and the same eviction pattern recurs on any node that comes under memory pressure.
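The QoS class rules behind this question applied to constructed Pod specs, as an added example that is not part of the question bank. The classification follows the documented upstream rules (a real cluster reports the same value in .status.qosClass); the Pod names, images and resource figures are placeholders, and the eviction ordering is simplified to class only, as the comment states.

```python
"""Added example: Kubernetes QoS class classification over constructed Pod
specs, and the spec change option B makes."""
import copy


def qos_class(pod):
    """Guaranteed: every container has cpu and memory limits, with requests equal
    to limits (an unset request defaults to the limit). Burstable: not Guaranteed
    but some container sets a cpu or memory request or limit. BestEffort: none."""
    containers = pod["spec"].get("initContainers", []) + pod["spec"]["containers"]
    any_set, guaranteed = False, True
    for c in containers:
        res = c.get("resources") or {}
        requests, limits = res.get("requests") or {}, res.get("limits") or {}
        for r in ("cpu", "memory"):
            if r in requests or r in limits:
                any_set = True
            if r not in limits or (r in requests and requests[r] != limits[r]):
                guaranteed = False
    if not any_set:
        return "BestEffort"
    return "Guaranteed" if guaranteed else "Burstable"


EVICTION_RANK = {"BestEffort": 0, "Burstable": 1, "Guaranteed": 2}


def eviction_order(pods):
    """Pod names in the order the kubelet would consider them under memory pressure.
    Simplification: ordered by QoS class only. The real ranking looks first at
    whether usage exceeds requests, then at pod priority, then at usage relative
    to requests, which is why BestEffort Pods (no requests) go first."""
    return [p["metadata"]["name"] for p in sorted(pods, key=lambda p: EVICTION_RANK[qos_class(p)])]


def with_resources(pod, requests, limits=None):
    """Option B applied to a spec: add requests (and optionally limits) to every container."""
    fixed = copy.deepcopy(pod)
    for c in fixed["spec"]["containers"]:
        res = c.setdefault("resources", {})
        res["requests"] = dict(requests)
        if limits is not None:
            res["limits"] = dict(limits)
    return fixed


def container(name, requests=None, limits=None):
    spec = {"name": name, "image": f"registry.example/{name}:1.0"}   # placeholder image
    if requests or limits:
        spec["resources"] = {k: v for k, v in (("requests", requests), ("limits", limits)) if v}
    return spec


def pod(name, *containers):
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": name}, "spec": {"containers": list(containers)}}


# Constructed sample: the three shapes found on an overcommitted node.
API = pod("api", container("api"))                                                   # nothing set
WORKER = pod("worker", container("worker", {"memory": "256Mi"}, {"memory": "512Mi"}))  # request < limit
DB = pod("db", container("db", {"cpu": "500m", "memory": "1Gi"}, {"cpu": "500m", "memory": "1Gi"}))

if __name__ == "__main__":
    for p in (API, WORKER, DB):
        print(p["metadata"]["name"], qos_class(p))
    print("eviction order:", eviction_order([DB, WORKER, API]))
    fixed = with_resources(API, {"cpu": "250m", "memory": "256Mi"}, {"cpu": "250m", "memory": "256Mi"})
    print("api after option B:", qos_class(fixed))
```

Note that the api Pod becomes Burstable with requests alone and Guaranteed only when limits are added and equal to the requests; a limit higher than the request (the worker shape) stays Burstable, which is fine for most services but is not the most eviction-resistant class.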

895
MCQeasy

An engineer needs to create a Compute Engine VM instance with the following specifications: 4 vCPUs, 16 GB memory, running the latest Debian 11 image, a 50 GB boot disk, and attached to a specific subnet. Which command should be used?

A.gcloud compute instances create my-vm --machine-type=n1-standard-4 --image-family=debian-11 --image-project=debian-cloud --boot-disk-size=50GB --subnet=my-subnet --zone=us-central1-a
B.gcloud compute instances create my-vm --machine-type=n1-standard-4 --image-family=debian-11 --image-project=debian-cloud --boot-disk-size=50GB --subnet=my-subnet
C.gcloud compute instances create my-vm --machine-type=custom-4-16384 --image-family=debian-11 --image-project=debian-cloud --boot-disk-size=50GB --subnet=my-subnet --zone=us-central1-a
D.gcloud compute instances create my-vm --machine-type=n1-standard-4 --image-family=debian-11 --image-project=debian --boot-disk-size=50GB --subnet=my-subnet --zone=us-central1-a
AnswerA

Correct. The image family 'debian-11' in the 'debian-cloud' project resolves to the latest Debian 11 image; machine type, boot disk size, subnet and zone are all given explicitly.

Why this answer

The flags needed are --machine-type (or --custom-cpu/--custom-memory), --image-family together with --image-project to select the image, --boot-disk-size, --subnet and --zone. Option A supplies all of them with valid values, which is what the answer key expects.

Option B omits --zone. A subnet is regional but a VM is zonal, so without --zone (or a default zone in the gcloud configuration) the command prompts for one and is not a complete, scriptable answer. Option C's machine type custom-4-16384 is a valid custom machine-type string that also yields 4 vCPUs and 16 GB, so the command would run; the question, however, expects the predefined machine type. Option D uses --image-project=debian, which does not exist; the public Debian images live in the debian-cloud project, so the image lookup fails.

One sizing caveat a practitioner should know: n1-standard-4 provides 15 GB of memory, not 16 GB. n2-standard-4 and e2-standard-4 provide exactly 16 GB with 4 vCPUs. The answer key nevertheless treats n1-standard-4 as the intended predefined machine type.

896
MCQmedium

Your organization uses Cloud Identity to manage users. A new employee joins and needs access to a GCP project. What is the correct sequence to grant access?

A.Grant the user an IAM role directly; Cloud Identity is not required.
B.Create a service account for the user and grant roles to the service account.
C.Add the user to Cloud Identity, then grant the appropriate IAM role in the project.
D.Add the user to a Cloud Identity group, then grant the group an IAM role.
AnswerC

Correct sequence.

Why this answer

First, you add the user to Cloud Identity (if not already there). Then, in the GCP project, you grant an IAM role to that user. Cloud Identity provides the identity; IAM grants the permissions, and IAM can only bind a principal that exists.

You cannot skip adding the user to Cloud Identity. Option D describes the group-based pattern Google recommends for managing access at scale; it still depends on the user existing in Cloud Identity first, and the question asks for the direct sequence that grants this user access, which is C.

897
Multi-Selectmedium

A company uses Cloud Armor to protect an HTTP Load Balancer. They want to allow traffic only from specific IP ranges (198.51.100.0/24 and 203.0.113.0/24) and block common web attacks like SQL injection and XSS. Which TWO actions should they take?

Select 2 answers
A.Set up Cloud NAT to provide outbound internet access for the instances.
B.Configure VPC firewall rules on the subnet to allow only the IP ranges.
C.Enable predefined WAF rules (e.g., OWASP Top 10) in the Cloud Armor security policy.
D.Create a Cloud Armor security policy with an allow rule for the IP ranges and a default deny rule for all other traffic.
E.Enable Cloud CDN to cache static content from the backend.
AnswersC, D

WAF rules block common web attacks like SQL injection and XSS; the IP allow rule with a default deny restricts who can reach the load balancer at all.

Why this answer

Option D creates a Cloud Armor security policy with an allow rule for the two ranges and a default deny rule for all other traffic, which restricts access at the load balancer edge. Option C enables Cloud Armor's preconfigured WAF rules (OWASP Top 10 signatures such as the SQLi and XSS rule sets), which block common web attacks. Two details matter when implementing this: Cloud Armor evaluates rules in priority order and stops at the first match, so the WAF deny rules need a higher priority (lower number) than the IP allow rule, and the default rule allows by default, so its action must be changed to deny.

Option B (VPC firewall rules on the subnet) does not solve this because the backends see connections from Google's load balancer proxy ranges rather than from the client's IP, so a subnet firewall cannot allowlist client ranges; Cloud Armor is the layer that sees the original source. Option E (Cloud CDN) is a caching feature, not access control. Option A (Cloud NAT) provides outbound internet access for instances without external IPs and has no effect on inbound security.
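The rule ordering above is the part that bites in practice, so here is the policy from the question expressed as gcloud commands. This is an added example, not part of the question bank or of any Google tooling; the policy name, backend service name and the plan/apply wrapper are assumptions, while the IP ranges are the ones from the question and the flags are real gcloud flags.

```shell
#!/bin/sh
# Added example (not from the question bank): build the Cloud Armor policy
# from question 897 with gcloud. POLICY and BACKEND are placeholder names.
# Usage:  sh armor.sh plan    (print the commands)
#         sh armor.sh apply   (run them against the active gcloud project)
POLICY=${POLICY:-web-edge-policy}
BACKEND=${BACKEND:-web-backend}
ALLOWED_RANGES="198.51.100.0/24,203.0.113.0/24"

# run: execute the command, or print it when DRY_RUN=1 (review before apply).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

create_cloud_armor_policy() {
  run gcloud compute security-policies create "$POLICY" \
    --description="Allowlist two office ranges, block OWASP SQLi/XSS"

  # Evaluation stops at the first matching rule and lower numbers win, so the
  # WAF deny rules must sit ABOVE the allowlist. With the allow rule first,
  # an SQLi payload from an allowlisted office would pass straight through.
  run gcloud compute security-policies rules create 1000 \
    --security-policy="$POLICY" \
    --expression="evaluatePreconfiguredWaf('sqli-v33-stable')" \
    --action=deny-403
  run gcloud compute security-policies rules create 1001 \
    --security-policy="$POLICY" \
    --expression="evaluatePreconfiguredWaf('xss-v33-stable')" \
    --action=deny-403

  # Allow the two ranges from the question.
  run gcloud compute security-policies rules create 2000 \
    --security-policy="$POLICY" \
    --src-ip-ranges="$ALLOWED_RANGES" \
    --action=allow

  # The implicit default rule (priority 2147483647) is "allow"; flip it to
  # deny, otherwise the allowlist has no effect on everyone else.
  run gcloud compute security-policies rules update 2147483647 \
    --security-policy="$POLICY" \
    --action=deny-403

  # Attach the policy to the backend service behind the external HTTP(S) LB.
  run gcloud compute backend-services update "$BACKEND" \
    --security-policy="$POLICY" --global
}

case "${1:-}" in
  plan)  DRY_RUN=1 create_cloud_armor_policy ;;
  apply) create_cloud_armor_policy ;;
esac
```

When rolling this out on live traffic, add --preview to the two WAF rules first: Cloud Armor then logs what each rule would have blocked without enforcing it, which lets you tune false positives from the OWASP signatures before switching them to enforce.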

898
MCQmedium

A developer has an App Engine Standard application ready to deploy. The app.yaml file is in the current working directory. Which command deploys the application?

A.gcloud app create --config=app.yaml
B.gcloud app deploy
C.gcloud appengine deploy app.yaml
D.gcloud run deploy --platform=appengine
AnswerB

`gcloud app deploy` reads the app.yaml in the current directory, builds the application, and deploys it to App Engine Standard.

Why this answer

The `gcloud app deploy` command is the correct way to deploy an App Engine Standard application when the `app.yaml` file is present in the current working directory. This command automatically detects the configuration file and uploads the application code to the specified App Engine service, handling the deployment process including staging, versioning, and traffic migration.

Exam trap

The trap here is that candidates confuse `gcloud app deploy` with `gcloud app create` or Cloud Run commands, or they misremember the exact subcommand syntax, leading them to choose invalid options like `gcloud appengine deploy`.

How to eliminate wrong answers

Option A is wrong because `gcloud app create` is used to create a new App Engine application (project) in a region, not to deploy code; it does not accept a `--config` flag for deployment. Option C is wrong because `gcloud appengine deploy` is not a valid gcloud command; the correct subcommand is `gcloud app deploy`, and the syntax `app.yaml` as an argument is not required when it is in the current directory. Option D is wrong because `gcloud run deploy` is used for Cloud Run services, not App Engine; the `--platform=appengine` flag is invalid as Cloud Run does not support that platform.

899
MCQhard

Your organization has a hybrid cloud environment with an on-premises data center connected to Google Cloud via Cloud VPN. The VPN tunnel uses BGP with Cloud Router for dynamic routing. You need to increase the throughput between on-premises and GCP to support a new batch processing workload that transfers 20 Gbps of data. The on-premises gateway hardware supports multiple IPsec tunnels and ECMP (Equal-Cost Multi-Path). You want to maximize throughput without changing the existing on-premises equipment or network topology. Which solution should you implement?

A.Replace Cloud VPN with Dedicated Interconnect.
B.Enable Cloud NAT for the VPN tunnel.
C.Upgrade the Cloud VPN gateway to a larger size.
D.Create additional VPN tunnels to the same Cloud Router, enabling ECMP across them.
AnswerD

Adds more tunnels to increase bandwidth without hardware replacement.

Why this answer

Option D is correct because adding VPN tunnels to the same Cloud Router and enabling ECMP lets the on-premises gateway spread flows across multiple IPsec tunnels. Each Cloud VPN tunnel supports up to 3 Gbps (ingress and egress combined), so reaching roughly 20 Gbps means running on the order of seven or more tunnels in parallel. This uses the existing gateway's support for multiple tunnels and ECMP with no topology change, and Cloud Router load-balances across the tunnels as long as the BGP sessions advertise the same prefixes with equal priority. One caveat: ECMP hashes per flow, so a single TCP connection is still capped by one tunnel; the batch workload needs many parallel flows to use the aggregate bandwidth.

Exam trap

The trap here is that candidates assume upgrading the VPN gateway (Option C) increases throughput, but there is no larger Cloud VPN gateway to choose; throughput is bounded at 3 Gbps per tunnel, and the only way to scale is multiple tunnels with ECMP.

How to eliminate wrong answers

Option A is wrong because Dedicated Interconnect requires physical cross-connects in a colocation facility and changes to the on-premises equipment or topology, contradicting the stated requirement (at a sustained 20 Gbps it would otherwise be the natural long-term fit). Option B is wrong because Cloud NAT provides outbound internet connectivity for instances without external IPs and has nothing to do with VPN throughput or load balancing. Option C is wrong because neither Classic VPN nor HA VPN offers a 'larger size'; both cap each tunnel at 3 Gbps, and scaling throughput means adding tunnels with ECMP, not upgrading a gateway.

900
MCQhard

A company wants to deploy a globally distributed, multi-tier application with strict low-latency communication between the web and database tiers. The database must be fully managed and able to survive a regional outage with automatic failover. Which combination is most appropriate?

A.Cloud Run (multi-region) and Cloud SQL (cross-region replica with manual failover)
B.Compute Engine regional managed instance group and Cloud SQL (regional with automatic failover)
C.App Engine (standard) and Cloud Datastore (multi-region)
D.Cloud Run (multi-region) and Cloud Spanner (multi-region)
AnswerD

Cloud Spanner provides automatic failover across regions with strong consistency, and Cloud Run can be deployed globally for low latency.

Why this answer

Cloud Run (multi-region) provides a serverless compute layer that can automatically route traffic across regions for low-latency access, while Cloud Spanner (multi-region) offers a fully managed, globally distributed relational database with synchronous replication and automatic failover, ensuring strong consistency and regional outage survival without manual intervention. This combination meets the strict low-latency communication and automatic failover requirements for a multi-tier application.

Exam trap

Google Cloud often tests the distinction between zonal and regional resilience, where candidates mistakenly assume that Cloud SQL's regional automatic failover (which covers zonal outages) is sufficient for a regional outage, but the question explicitly requires survival of a regional outage, which demands a multi-region database like Spanner.

How to eliminate wrong answers

Option A is wrong because a Cloud SQL cross-region read replica must be promoted manually to fail over, and its replication is asynchronous, so it provides neither automatic failover nor the consistency the database tier needs. Option B is wrong because Cloud SQL regional high availability protects against a zonal outage, not a regional one, and a regional MIG likewise spans zones within a single region, so neither tier survives losing that region. Option C is wrong because Datastore is a NoSQL document store rather than the relational database the tier implies, and an App Engine application is bound to a single region, so the compute tier would not survive a regional outage either.

Google Associate Cloud Engineer ACE Questions 826–900 | Page 12/14 | Courseiva