Google Associate Cloud Engineer (ACE) — Questions 901-975

991 questions total · 14 pages · All types, answers revealed

Page 13 of 14
901
MCQ (medium)

A DevOps team needs to grant a CI/CD service account the ability to create secrets in Secret Manager. Which role should be assigned?

A.roles/secretmanager.admin
B.roles/secretmanager.secretCreator
C.roles/secretmanager.secretAccessor
D.roles/secretmanager.viewer
Answer: A

Of the predefined roles listed, only the Admin role includes the secretmanager.secrets.create permission.

Why this answer

The roles/secretmanager.admin role grants full control of secrets, including secretmanager.secrets.create. roles/secretmanager.secretCreator is not a predefined Secret Manager role, and secretAccessor and viewer only read. Note the trade-off a practitioner should see: admin also allows deleting secrets and changing their IAM policies. A CI/CD pipeline that only needs to create secrets and add versions is better served by a custom role containing secretmanager.secrets.create and secretmanager.versions.add, granted on just the project or folder the pipeline deploys into.

902
MCQ (medium)

A team wants to allow inbound HTTPS traffic (TCP port 443) from the internet to instances tagged 'web-server', while blocking all other inbound traffic. What firewall configuration achieves this?

A.An ingress allow rule for port 443 from 0.0.0.0/0 targeting the 'web-server' tag, relying on the implied deny for other traffic
B.An ingress allow rule for port 443 and a separate egress deny rule for all other ports
C.An ingress deny rule for all ports from 0.0.0.0/0, plus an ingress allow for port 443 with lower priority
D.A Cloud Armor policy allowing only HTTPS requests to port 443
Answer: A

Google Cloud's implied deny-all ingress rule (priority 65535) drops any inbound traffic that no higher-priority rule allows, so a single allow rule for TCP 443 is all that is needed.

Why this answer

Option A is correct because VPC firewall rules are stateful and every VPC network carries two implied rules at the lowest priority (65535): deny all ingress and allow all egress. An ingress allow rule for TCP 443 from 0.0.0.0/0 targeting instances with the 'web-server' tag permits inbound HTTPS, the responses on those connections are allowed by connection tracking, and the implied deny-all ingress rule drops every other inbound packet without any additional rule.

Exam trap

Google Cloud often tests the misconception that you need explicit deny rules, or that egress rules influence inbound traffic. The trap here is adding a deny rule for the other ports without realizing that the implied deny-all ingress rule already blocks everything that is not explicitly allowed.

How to eliminate wrong answers

Option B is wrong because egress rules do not govern inbound connections; the implied ingress deny already blocks other inbound traffic, and because rules are stateful an egress deny does not even touch the responses to the allowed HTTPS connections. What it would do is block new outbound connections from the instances (package updates, Google API calls), which nobody asked for. Option C is wrong as written because precedence is decided by the priority number, lowest number first: an allow rule with lower priority than a deny-all rule is evaluated after it and is never reached. Deny beats allow only when two matching rules share the same priority number. (An allow for 443 at a higher priority than the deny would work, but that is not what the option says, and it is still more than the requirement needs.) Option D is wrong because Cloud Armor is a WAF and DDoS policy that attaches to a load balancer's backend service; it does not replace the VPC firewall rule that must permit traffic to reach the instances.

903
MCQ (easy)

You need to check the CPU and memory utilization of all pods running in the `production` namespace. Which command provides this information?

A.`kubectl describe pods -n production`
B.`kubectl top pods -n production`
C.`kubectl get pods -n production -o wide`
D.`kubectl logs -n production --all-pods`
Answer: B

kubectl top pods shows live CPU and memory consumption per pod. `-n production` filters to the production namespace.

Why this answer

The `kubectl top pods` command retrieves real-time CPU and memory utilization metrics from the metrics server for pods in a specified namespace. This is the correct tool for monitoring resource usage, as it directly queries the resource metrics API.

Exam trap

Google Cloud often tests the distinction between commands that show pod status/configuration (`describe`, `get`) versus those that show live resource metrics (`top`), leading candidates to confuse descriptive output with performance data.

How to eliminate wrong answers

Option A is wrong because `kubectl describe pods` shows configuration details, events, and status, but not real-time CPU or memory utilization metrics. Option C is wrong because `kubectl get pods -o wide` displays pod IPs and node assignments, not resource utilization data. Option D is wrong because `kubectl logs` retrieves container logs for debugging, not CPU or memory metrics.

904
MCQ (medium)

A security analyst needs to retrieve all Cloud Logging entries with severity ERROR or higher across all resource types in the current project. Which log query correctly filters these entries?

A.severity >= ERROR AND timestamp > now() - 24h
B.severity="ERROR" AND resource.type="gce_instance"
C.severity >= "ERROR"
D.logName="projects/my-project/logs/stderr" AND severity > "WARNING"
Answer: C

`severity >= "ERROR"` matches every entry at ERROR or above, regardless of resource type. The time range is set separately, by the console time picker or by a `timestamp` comparison in the query.

Why this answer

Option C is correct because the Cloud Logging query language supports comparison operators such as `>=` on the `severity` field, where `ERROR` is one of the ordered severity levels. The query `severity >= "ERROR"` retrieves all entries with severity ERROR, CRITICAL, ALERT or EMERGENCY. Quoting the value is optional; `severity>=ERROR` is equivalent. This matches the requirement to filter for severity ERROR or higher across all resource types without restricting the time range or the resource type.

Exam trap

Google Cloud often tests the nuance that comparison operators such as `>=` act on the ordered severity levels (DEFAULT, DEBUG, INFO, NOTICE, WARNING, ERROR, CRITICAL, ALERT, EMERGENCY), not on the alphabetical order of the words. That is why `severity >= "ERROR"` returns CRITICAL and EMERGENCY even though those strings sort before "ERROR". Candidates also lose points by adding time or resource restrictions the question never asked for.

How to eliminate wrong answers

Option A is wrong because the Logging query language has no `now()` function and no duration arithmetic; time bounds must be written as RFC 3339 timestamps (for example `timestamp >= "2024-01-01T00:00:00Z"`), and the question did not ask to limit the time range anyway. The unquoted `ERROR` on its own is fine, since quotes are optional for plain severity names. Option B is wrong because it restricts results to the `gce_instance` resource type, while the requirement spans all resource types. Option D is wrong because it filters to a single log (`stderr`) in one project, so entries in every other log are missed; `severity > "WARNING"` by itself would actually match ERROR and above, so the operator is not the problem there.
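Worked example for the severity ordering above. This is an added Python model, not code from the question bank or from Google: it evaluates a `severity <op> LEVEL` filter the way Cloud Logging does, by the numeric rank of each level (the LogSeverity values DEFAULT=0 through EMERGENCY=800), and shows why a string comparison would silently drop CRITICAL and EMERGENCY. The log entries are constructed sample data; the function names and the regex are assumptions made for the example.

```python
"""Evaluate a Cloud Logging severity comparison by level rank, not string order.

Added example (not from the question bank). The rank table follows the
documented LogSeverity enum; SAMPLE_ENTRIES is constructed test data.
"""
import operator
import re

SEVERITY_RANK = {
    "DEFAULT": 0, "DEBUG": 100, "INFO": 200, "NOTICE": 300, "WARNING": 400,
    "ERROR": 500, "CRITICAL": 600, "ALERT": 700, "EMERGENCY": 800,
}

_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
        "<": operator.lt, "=": operator.eq, "!=": operator.ne}

# Accepts both the quoted and the unquoted form: severity>=ERROR, severity >= "ERROR".
_FILTER = re.compile(r'^\s*severity\s*(>=|<=|!=|>|<|=)\s*"?([A-Z]+)"?\s*$')


def compile_severity_filter(expr):
    """Turn `severity <op> LEVEL` into a predicate over log entry dicts."""
    m = _FILTER.match(expr)
    if not m:
        raise ValueError(f"unsupported filter: {expr!r}")
    op, level = m.groups()
    if level not in SEVERITY_RANK:
        raise ValueError(f"unknown severity: {level}")
    threshold = SEVERITY_RANK[level]
    compare = _OPS[op]
    # The comparison runs on the numeric rank, which is the point of the example.
    return lambda entry: compare(SEVERITY_RANK[entry["severity"]], threshold)


def select(entries, expr):
    """Return the entries matching the severity filter, whatever their resource type."""
    pred = compile_severity_filter(expr)
    return [e for e in entries if pred(e)]


# Constructed entries spanning several resource types, in arrival order.
SAMPLE_ENTRIES = [
    {"severity": "INFO", "resource": {"type": "gce_instance"}, "textPayload": "booted"},
    {"severity": "WARNING", "resource": {"type": "cloud_run_revision"}, "textPayload": "slow request"},
    {"severity": "ERROR", "resource": {"type": "gce_instance"}, "textPayload": "disk full"},
    {"severity": "CRITICAL", "resource": {"type": "k8s_container"}, "textPayload": "OOMKilled"},
    {"severity": "EMERGENCY", "resource": {"type": "gcs_bucket"}, "textPayload": "policy removed"},
    {"severity": "DEBUG", "resource": {"type": "cloud_function"}, "textPayload": "trace"},
]

if __name__ == "__main__":
    for e in select(SAMPLE_ENTRIES, 'severity >= "ERROR"'):
        print(e["severity"], e["resource"]["type"], e["textPayload"])
```

Running it lists the ERROR, CRITICAL and EMERGENCY entries across four resource types; swapping the rank lookup for a plain string comparison would keep only ERROR, because "CRITICAL" and "EMERGENCY" sort before it alphabetically.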

905
MCQ (medium)

A team wants to enable Compute Engine API in their project using gcloud. Which command should they run?

A.gcloud compute enable api
B.gcloud services list --enabled
C.gcloud api enable compute
D.gcloud services enable compute.googleapis.com
Answer: D

`gcloud services enable` takes the service name, here compute.googleapis.com.

Why this answer

The command 'gcloud services enable compute.googleapis.com' enables the Compute Engine API in the current project (add --project to target another). Option B only lists APIs that are already enabled, which is how you verify the change afterwards; options A and C are not real gcloud commands.

906
MCQ (easy)

A developer needs to create a Cloud Storage bucket that stores data for only 30 days and then automatically deletes it. Which feature should be used to achieve this?

A.Object versioning
B.Requester pays
C.Object lifecycle management
D.Bucket lock
Answer: C

Lifecycle rules can delete objects after 30 days.

Why this answer

Object lifecycle management rules can automatically delete objects once they reach a specified age (a Delete action with an age condition of 30 days). Bucket Lock enforces a retention policy, which prevents deletion until the retention period has passed; it never deletes anything itself. Object versioning keeps noncurrent copies of objects, and Requester Pays shifts access charges to the requester.

907
Drag & Drop (medium)

Order the steps to configure a Cloud Load Balancer (HTTP/S) in front of a Compute Engine instance group.


Why this order

The instance group and the health check must exist before the backend service that references them; the frontend components (URL map, target HTTPS proxy with its certificate, and the forwarding rule) come last.

908
MCQ (medium)

A security engineer needs to ensure that all VMs in a subnet use Private Google Access to reach Google APIs without external IP addresses. What must be enabled?

A.A firewall rule allowing egress to 0.0.0.0/0.
B.VPC Flow Logs on the subnet.
C.Cloud NAT on the VPC.
D.Private Google Access on the subnet.
Answer: D

Enabling Private Google Access on the subnet allows VMs to reach Google APIs without external IPs.

Why this answer

Private Google Access is a per-subnet setting that lets VMs with only internal IP addresses reach Google APIs and services. The traffic still follows the default route to the default internet gateway, but it never leaves Google's network. Two other conditions must hold, and do by default: egress firewall rules must permit traffic to the Google API addresses, and DNS must resolve the API hostnames (or private.googleapis.com if you restrict resolution further). It does not provide general internet access; that needs Cloud NAT (question 925).

909
MCQ (hard)

A company uses Cloud DNS for internal DNS resolution. They recently added a new VPC and need to ensure that instances in this VPC can resolve private DNS names that are hosted in another project. What must be configured?

A.Use Cloud DNS inbound server policy to forward queries to the other VPC.
B.Export the private zone as a public zone and create a delegation.
C.Set up a DNS peering zone between the new VPC and the VPC that hosts the private zone.
D.Create a Private DNS zone in the new project with forwarding to the on-premises DNS.
Answer: C

DNS peering allows the new VPC to query private zones from the source VPC.

Why this answer

Option C is correct because Cloud DNS peering allows a VPC in one project to resolve private DNS names hosted in a private zone in another project without requiring the zones to be shared or exported. DNS peering establishes a direct query path between the peered VPCs, enabling the new VPC to resolve names in the private zone as if they were local, while the zone remains private and managed in its original project.

Exam trap

The trap here is that candidates confuse DNS peering with inbound/outbound server policies, mistakenly thinking that forwarding policies are needed for inter-VPC resolution, when in fact peering directly connects DNS namespaces without requiring external forwarding.

How to eliminate wrong answers

Option A is wrong because a Cloud DNS inbound server policy lets on-premises resolvers send queries into Cloud DNS for a VPC's zones; it does not route queries between VPCs in different projects. Option B is wrong because publishing the private zone as a public zone would expose internal records to the internet, violating the security requirement, and delegation would not give the new VPC a private resolution path. Option D is wrong because a forwarding zone pointing at on-premises DNS sends queries to an on-premises resolver, not to the private zone in the other project.

910
MCQ (hard)

A company has multiple firewall rules. Rule A (priority 1000) allows TCP 80 from 0.0.0.0/0. Rule B (priority 500) denies TCP 80 from 10.0.0.0/8. An instance with IP 10.0.0.1 tries to connect to TCP 80. What happens?

A.The result depends on the order of creation.
B.Traffic is allowed because Rule A allows all sources.
C.Both rules are applied and traffic is allowed.
D.Traffic is denied because Rule B has higher priority.
Answer: D

Rule B's priority 500 is numerically lower than Rule A's 1000, so it is evaluated first, and its deny matches a source inside 10.0.0.0/8.

Why this answer

Firewall rules are evaluated in priority order (lower number = higher priority) and the first matching rule decides. Rule B (500) matches a source of 10.0.0.1 and denies the connection, so Rule A (1000) is never consulted. A source outside 10.0.0.0/8 does not match Rule B and is allowed by Rule A. Only when two matching rules carry the same priority number does Google Cloud break the tie in favour of the deny rule.
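Worked example covering questions 902 and 910. This is an added Python model, not code from the question bank or from Google: it reproduces the evaluation order described above (lowest priority number first, first match wins, deny before allow on a tie, implied deny-all ingress and allow-all egress at priority 65535) so a rule set can be checked offline before it is applied. The Rule class, rule names, addresses and tags are assumptions made for the example.

```python
"""Model of Google Cloud VPC firewall rule evaluation.

Added example (not from the question bank). Rules, addresses and tags are
constructed test data; the precedence and implied rules follow the
Google Cloud documentation.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IMPLIED_PRIORITY = 65535


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                       # "INGRESS" or "EGRESS"
    action: str                          # "allow" or "deny"
    priority: int                        # 0 (highest) .. 65535 (lowest)
    protocol: str                        # "tcp", "udp", "icmp" or "all"
    ports: frozenset = frozenset()       # empty means all ports
    ranges: tuple = ("0.0.0.0/0",)       # source ranges (ingress) / destination ranges (egress)
    target_tags: frozenset = frozenset()  # empty means every instance in the network


def _matches(rule, direction, peer_ip, protocol, port, instance_tags):
    if rule.direction != direction:
        return False
    if rule.target_tags and not (rule.target_tags & instance_tags):
        return False
    if rule.protocol != "all" and rule.protocol != protocol:
        return False
    if rule.ports and port not in rule.ports:
        return False
    return any(ip_address(peer_ip) in ip_network(r) for r in rule.ranges)


def evaluate(rules, direction, peer_ip, protocol, port, instance_tags=frozenset()):
    """Return (action, rule_name) for one new connection.

    Rules are walked from the lowest priority number upward and the first
    match decides. Matching rules with equal priority are ordered deny
    first, which is the documented tie-break. With no match, the implied
    rule applies: deny for ingress, allow for egress.
    """
    ordered = sorted(rules, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    for rule in ordered:
        if _matches(rule, direction, peer_ip, protocol, port, instance_tags):
            return rule.action, rule.name
    if direction == "INGRESS":
        return "deny", "implied-deny-ingress"
    return "allow", "implied-allow-egress"


# Question 902: one allow rule for TCP 443 to instances tagged web-server.
WEB_RULES = [
    Rule("allow-https", "INGRESS", "allow", 1000, "tcp", frozenset({443}),
         ("0.0.0.0/0",), frozenset({"web-server"})),
]

# Question 910: a broad allow at 1000 and a narrower deny at 500.
Q910_RULES = [
    Rule("rule-a", "INGRESS", "allow", 1000, "tcp", frozenset({80}), ("0.0.0.0/0",)),
    Rule("rule-b", "INGRESS", "deny", 500, "tcp", frozenset({80}), ("10.0.0.0/8",)),
]

if __name__ == "__main__":
    web = frozenset({"web-server"})
    print(evaluate(WEB_RULES, "INGRESS", "203.0.113.9", "tcp", 443, web))   # allowed by allow-https
    print(evaluate(WEB_RULES, "INGRESS", "203.0.113.9", "tcp", 22, web))    # implied deny
    print(evaluate(Q910_RULES, "INGRESS", "10.0.0.1", "tcp", 80))            # denied by rule-b
    print(evaluate(Q910_RULES, "INGRESS", "198.51.100.7", "tcp", 80))        # allowed by rule-a
```

The model ignores connection tracking on purpose: it answers "may this new connection start?", which is the question both exam items ask. Return traffic for an allowed connection is permitted by the stateful data plane regardless of the rules.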

911
MCQ (easy)

Your company runs a critical web application on a single Compute Engine instance. The application is not containerized and the team lacks DevOps experience. Management requires high availability for this application with minimal disruption to operations and low cost. The application serves dynamic content and uses a MySQL database running on the same instance. You need to design a solution. Which option should you choose?

A.Create a snapshot of the instance, create an instance template, and set up a managed instance group with a load balancer.
B.Migrate the application to Cloud Storage and use a global HTTP(S) load balancer.
C.Deploy the application to App Engine and use traffic splitting between versions.
D.Containerize the application using Cloud Run and configure traffic splitting.
Answer: A

Enables high availability with automated failover and scaling, using existing VM image.

Why this answer

Option A is correct because it uses a managed instance group (MIG) built from an instance template that references an image of the existing VM (captured from its boot disk or a snapshot), which gives auto-healing and autoscaling without containerization or deep DevOps expertise. With a load balancer in front, traffic is spread across healthy instances, meeting the high-availability requirement with minimal operational change and low cost, since a MIG only charges for the instances it runs. One caveat a practitioner should notice: with MySQL on the instance, every replica in the group carries its own copy of the database, so this answer makes the web tier highly available; the follow-up step in practice is moving the data to Cloud SQL.

Exam trap

The trap here is that candidates may assume containerization (Option D) is always the best path to high availability, but the question explicitly states the team lacks DevOps experience, making containerization a high-risk, high-effort choice that violates the 'minimal disruption' and 'low cost' requirements.

How to eliminate wrong answers

Option B is wrong because Cloud Storage is a static object store and cannot serve dynamic content or run a MySQL database, making it unsuitable for this application. Option C is wrong because App Engine requires application code to be deployed in a specific runtime environment and does not support running a MySQL database on the same instance; it also introduces a learning curve for a team lacking DevOps experience. Option D is wrong because containerizing the application with Cloud Run requires Docker knowledge and DevOps skills, which the team lacks, and Cloud Run does not natively support a MySQL database running in the same container or instance.

912
Drag & Drop (medium)

Order the steps to set up a Cloud IAM policy that grants a user the 'roles/compute.admin' role on a specific project.


Why this order

The role binding is added to the project's IAM policy with gcloud; reading the policy back to verify it and testing access as the user come afterwards.

913
MCQ (medium)

You need to create a log-based metric that counts the number of errors in your application logs. What must you do first in Cloud Logging?

A.Create an alerting policy with a condition
B.Create a log sink that exports logs to BigQuery
C.Define a filter that matches the error logs
D.Install the Logging agent on your VMs
Answer: C

You define a filter to select the logs, then create the metric based on that filter.

Why this answer

In Cloud Logging, a log-based metric is based on a filter. You define the filter using the logging query language to match the logs you want to count, then create the metric from that filter.

914
MCQ (medium)

A global web application needs HTTPS traffic routed to backend services in multiple regions, directing each user to the nearest healthy endpoint. Which load balancer type should be used?

A.Regional external Network Load Balancer
B.Global external Application Load Balancer
C.Regional internal Application Load Balancer
D.Regional internal TCP/UDP load balancer
Answer: B

This load balancer uses Google's global anycast network to route HTTPS traffic to the nearest healthy backend across multiple regions.

Why this answer

The Global external Application Load Balancer (ALB) is the correct choice because it provides cross-regional load balancing for HTTPS traffic, routing each user to the nearest healthy backend based on anycast IP and client location. This is essential for a global web application requiring low latency and high availability across multiple regions.

Exam trap

Google Cloud often tests the distinction between global and regional load balancers, and the trap here is that candidates may confuse a regional external Network Load Balancer (which handles TCP/UDP traffic but not HTTPS) with a global Application Load Balancer, overlooking the requirement for HTTPS termination and cross-regional routing.

How to eliminate wrong answers

Option A is wrong because a Regional external Network Load Balancer operates at Layer 4 (TCP/UDP) and cannot terminate HTTPS or perform content-based routing, and it is confined to a single region, not global. Option C is wrong because a Regional internal Application Load Balancer is designed for internal traffic within a VPC and cannot handle external HTTPS traffic or route globally. Option D is wrong because a Regional internal TCP/UDP load balancer is a Layer 4 internal load balancer that does not support HTTPS termination, content-based routing, or global anycast routing.

915
MCQ (hard)

Your Cloud Run service is receiving a sudden spike in traffic. You want to ensure that the number of concurrent requests per container instance does not exceed 10 to avoid overloading the backend. Which configuration should you set?

A.Set --timeout to 10 seconds
B.Set --concurrency to 10
C.Set --max-instances to 10
D.Set --cpu-throttling to true
Answer: B

Concurrency limits the number of simultaneous requests a single container instance will accept.

Why this answer

Cloud Run lets you set the maximum number of concurrent requests per container instance with the --concurrency flag (or the concurrency field in the service YAML). The default is 80; setting it to 10 caps each instance at 10 in-flight requests. During a spike Cloud Run then starts more instances rather than queuing an eleventh request on an existing one, up to the --max-instances ceiling, so the two settings work together: concurrency protects each instance, max-instances protects the backend from the total.

916
MCQ (easy)

A retail company has a customer-facing web application that runs on a legacy architecture. The application consists of a PHP frontend and a MySQL database that must be co-located on the same virtual machine due to hardcoded configuration paths. The company is migrating to Google Cloud. They want to minimize operational overhead and ensure the application is resilient to a single zone failure. Additionally, they need to apply critical OS security patches monthly without causing downtime. The application's traffic is predictable, with peak load during business hours. The company has a small IT team with limited Kubernetes expertise. They are willing to use managed services but want to keep the application architecture as simple as possible. The existing application is not containerized and uses a specific Linux distribution. They have already tested the application on Compute Engine and confirmed it works on Debian 10. The database is approximately 50 GB and needs to be durable. They also need to ensure that the application can recover quickly if an instance fails. Which deployment strategy should they use? (Choose the best option.)

A.Deploy the application on a managed instance group with at least two instances, each in different zones, behind a TCP load balancer. Use a shared persistent disk for the database mounted on both instances and configure the application to use the same database path. Use rolling replacement for patching.
B.Deploy the application in a GKE cluster with a single pod and a persistent volume claim for the database, using a LoadBalancer service. Use node auto-upgrades for patching.
C.Deploy the application on a managed instance group with at least two instances, each in different zones, behind a TCP load balancer. Use a regional persistent disk for the database and attach it to the primary instance; use a startup script to mount the disk and start the application. Use rolling updates for patching by updating the instance template and performing a rolling replacement.
D.Deploy the application on a single Compute Engine instance in a single zone. Use snapshots for backup and a Cloud Load Balancer with a health check pointing to the instance.
Answer: C

Provides zonal resilience, regional disk for durability, and rolling updates for zero-downtime patching.

Why this answer

Option C provides zonal resilience through a managed instance group spread across zones, a regional persistent disk for the 50 GB database (synchronously replicated between two zones and force-attachable to a replacement instance if the primary's zone fails), and rolling updates of the instance template for patching without downtime. Option A is wrong because a persistent disk cannot be attached in read-write mode to more than one instance (multi-writer mode exists only for specific SSD disk types with a cluster-aware filesystem, which MySQL's data directory is not), so "mounted on both instances" would corrupt the database. Option B is wrong because it requires containerizing the application and operating GKE, which the small team lacks the expertise for, and a single pod is not resilient to a zone failure. Option D is wrong because a single instance in a single zone has neither zonal resilience nor a zero-downtime patching path.

917
MCQ (hard)

A company runs a global web application with a Cloud SQL (MySQL) database in the us-east1 region. To improve read performance for users in Europe, they want to offload read traffic to a replica in europe-west1. The replica must be kept in sync with the primary within seconds. Which Cloud SQL configuration should be used?

A.Enable automatic failover to a replica in europe-west1
B.Create a cross-region read replica in europe-west1
C.Configure Cloud SQL for multi-region deployment
D.Create an external replica in europe-west1
Answer: B

Why this answer

Cross-region replication using a Cloud SQL read replica is the correct approach. External replicas are for on-premises or other clouds; failover replicas are for high availability within the same region; multi-region is not a Cloud SQL option (it's for Cloud Storage or Spanner).

918
Multi-Select (medium)

A company wants to deploy a stateless web application on Google Cloud. The application should automatically scale based on CPU utilization and distribute traffic across instances. Which TWO services can meet these requirements?

Select 2 answers
A.App Engine Standard Environment
B.Cloud Functions
C.Cloud Run
D.Google Kubernetes Engine with Horizontal Pod Autoscaler
E.Compute Engine managed instance group with autoscaling
Answers: D, E

HPA scales pods based on CPU (or custom metrics).

Why this answer

A Compute Engine managed instance group with an autoscaling policy can scale on average CPU utilization, and GKE's Horizontal Pod Autoscaler scales pod replicas on CPU (or custom metrics). Cloud Run, Cloud Functions and App Engine Standard all scale automatically, but they scale on incoming request load and you do not configure a CPU utilization target for them, so they do not meet the requirement as stated.

919
MCQ (easy)

What is the purpose of creating a Cloud NAT gateway?

A.To enable private instances to reach the internet for updates and patches.
B.To allow VPN connections to on-premises networks.
C.To provide a static IP address for inbound traffic.
D.To provide DNS resolution for VPC networks.
Answer: A

Cloud NAT enables outbound internet access for private instances.

Why this answer

Cloud NAT allows instances without external IP addresses to access the internet for outbound connections, while preventing inbound connections from the internet.

920
MCQ (medium)

An engineer needs to enable autoscaling on an existing node pool in a GKE cluster. Which command should they use?

A.gcloud compute instance-groups set-autoscaling
B.kubectl autoscale node-pool
C.gcloud container clusters update
D.gcloud container node-pools update --enable-autoscaling
Answer: D

Why this answer

'gcloud container node-pools update' with '--enable-autoscaling' enables autoscaling. 'gcloud container clusters update' updates cluster-level settings, not node pools. 'kubectl autoscale' is for workloads, not node pools. 'gcloud compute instance-groups' is not used for GKE node pools.

921
MCQ (medium)

You want to enable the Kubernetes Engine API for your project using the command line. Which gcloud command should you use?

A.gcloud services enable container.googleapis.com
B.gcloud container clusters create my-cluster
C.gcloud config set project my-project
D.gcloud auth login
Answer: A

Correct command to enable the API.

Why this answer

'gcloud services enable container.googleapis.com' enables the required API. 'gcloud auth login' authenticates. 'gcloud config set' sets project. 'gcloud container clusters create' creates a cluster but doesn't enable the API.

922
Multi-Select (medium)

A company runs a web application on Compute Engine instances behind a load balancer. They want to automatically scale the number of instances based on CPU utilization. Which two resources must they create? (Choose TWO.)

Select 2 answers
A.Cloud Storage bucket
B.Cloud SQL instance
C.Managed instance group (MIG) with autoscaling policy
D.Cloud Function
E.Instance template
Answers: C, E

The MIG manages the instances and the autoscaling policy scales based on CPU.

Why this answer

To autoscale Compute Engine instances you need an instance template (which defines the VM configuration) and a managed instance group with an autoscaling policy (which creates instances from the template and adds or removes them based on CPU utilization). Options C and E are correct. Option A (a Cloud Storage bucket), Option B (a Cloud SQL instance) and Option D (a Cloud Function) play no part in the autoscaling mechanism.

923
MCQ (medium)

A team needs to give a third-party vendor read-only access to specific Cloud Storage objects for 48 hours. The vendor uses an AWS account (not a Google account). What is the most secure way to grant this temporary access?

A.Create a GCP service account for the vendor and share the JSON key file with 48-hour expiry
B.Generate a Signed URL for the specific objects with a 48-hour expiration
C.Use Workload Identity Federation with AWS as the identity provider for the vendor
D.Make the objects publicly readable and share the direct Cloud Storage URL
Answer: B

Signed URLs provide time-limited, cryptographically secured access to specific objects — no GCP account required. Access automatically expires after 48 hours.

Why this answer

Option B is correct because a Signed URL provides time-bound, read-only access to specific Cloud Storage objects without requiring the vendor to have a Google account. The URL carries the signing service account's identity, an expiry and a signature over the request, so anyone holding it can read that object, and only that object, until it expires; for that reason it should be sent to the vendor over a secure channel and only ever used over HTTPS. V4 signed URLs can be valid for at most seven days, so a 48-hour window is well within range.

Exam trap

Google Cloud often tests the misconception that sharing a service account key file is acceptable for temporary access, but the trap here is that Signed URLs are the only option that combines time-bound, object-specific, and credential-free access for external users without a Google account.

How to eliminate wrong answers

Option A is wrong because sharing a GCP service account JSON key file violates the principle of least privilege and creates a long-lived credential that could be leaked or misused; even with a 48-hour expiry, the key file itself is a static secret that must be securely transmitted and stored. Option C is wrong because Workload Identity Federation is designed for workloads running in AWS to impersonate a GCP service account, but it requires the vendor to configure an AWS IAM role and trust relationship, which is overly complex for simple read-only object access and does not inherently limit access to 48 hours without additional token expiration controls. Option D is wrong because making objects publicly readable exposes them to anyone on the internet, not just the vendor, and provides no time-bound access control, violating security best practices.
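Worked example for the signed-URL properties discussed above. This is added Python, not code from the question bank or from Google, and it does not mint a signature (that needs the signing service account's private key); it inspects a V4 signed URL before it is handed to a third party and checks the things that matter here: HTTPS, a signature present, the validity window you intended, and the seven-day maximum Cloud Storage enforces. The parameter names are the documented V4 query parameters; the sample URL, bucket, object and placeholder signature are constructed.

```python
"""Inspect a Cloud Storage V4 signed URL before sharing it.

Added example (not from the question bank). SAMPLE_URL is constructed test
data with a placeholder signature; the X-Goog-* parameter names are the
ones Cloud Storage uses for V4 signed URLs.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

MAX_V4_LIFETIME = timedelta(days=7)   # hard limit for V4 signed URLs
REQUIRED_PARAMS = ("X-Goog-Algorithm", "X-Goog-Credential", "X-Goog-Date",
                   "X-Goog-Expires", "X-Goog-SignedHeaders", "X-Goog-Signature")


def inspect_signed_url(url):
    """Return a dict with the URL's validity window and any problems found."""
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    problems = []
    if parsed.scheme != "https":
        problems.append("not HTTPS: the signature would travel in clear text")
    for p in REQUIRED_PARAMS:
        if p not in params:
            problems.append(f"missing {p}")
    if problems:
        return {"ok": False, "problems": problems}

    # X-Goog-Date is the signing time in basic ISO 8601 UTC; X-Goog-Expires is seconds from then.
    issued = datetime.strptime(params["X-Goog-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    lifetime = timedelta(seconds=int(params["X-Goog-Expires"]))
    if lifetime > MAX_V4_LIFETIME:
        problems.append("lifetime exceeds the 7-day V4 maximum; Cloud Storage will reject it")
    if params["X-Goog-Algorithm"] != "GOOG4-RSA-SHA256":
        problems.append(f"unexpected algorithm {params['X-Goog-Algorithm']}")
    return {
        "ok": not problems,
        "problems": problems,
        "object": parsed.path.lstrip("/"),
        # The credential scope is <signer email>/<date>/auto/storage/goog4_request.
        "signer": params["X-Goog-Credential"].split("/")[0],
        "issued": issued,
        "expires": issued + lifetime,
        "lifetime": lifetime,
    }


def is_usable_at(url, when_iso):
    """True if the URL is well formed and the ISO 8601 instant falls inside its window."""
    info = inspect_signed_url(url)
    when = datetime.fromisoformat(when_iso)
    return info["ok"] and info["issued"] <= when < info["expires"]


# Constructed example: a 48-hour link minted at 2024-01-01T00:00:00Z.
SAMPLE_URL = (
    "https://storage.googleapis.com/vendor-drop/report.pdf"
    "?X-Goog-Algorithm=GOOG4-RSA-SHA256"
    "&X-Goog-Credential=vendor-share%40my-project.iam.gserviceaccount.com%2F20240101%2Fauto%2Fstorage%2Fgoog4_request"
    "&X-Goog-Date=20240101T000000Z"
    "&X-Goog-Expires=172800"
    "&X-Goog-SignedHeaders=host"
    "&X-Goog-Signature=PLACEHOLDER"
)

if __name__ == "__main__":
    info = inspect_signed_url(SAMPLE_URL)
    print(info["object"], info["signer"], info["expires"].isoformat(), info["problems"])
```

The signer field is worth a glance every time: it should be a dedicated service account that holds only object read permission on that bucket, because the URL grants whatever that account can do with the object.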

924
Drag & Drop (medium)

Arrange the steps to set up a Cloud Function triggered by a Cloud Storage bucket event.


Why this order

Bucket must exist; function must be deployed before triggering event.

925
MCQ (hard)

An engineer created a VPC with a subnet in us-central1 and enabled Private Google Access on that subnet. Compute Engine instances in that subnet can reach Google APIs and services using internal IPs. However, the instances cannot reach external IP addresses on the internet. What should the engineer configure to allow internet access while minimizing cost and management overhead?

A.Create a Cloud NAT gateway using a Cloud Router
B.Disable Private Google Access and assign external IPs to the instances
C.Add a NAT instance (a Compute Engine VM configured as a NAT gateway)
D.Create a Cloud VPN tunnel to a third-party NAT service
Answer: A

Cloud NAT provides outbound internet access for instances that have no external IP address.

Why this answer

Since the instances need to access the internet (not just Google APIs), a Cloud NAT is the appropriate solution. It allows outbound internet traffic from private instances without assigning external IPs. Private Google Access only covers Google APIs.

A NAT gateway instance would be more expensive and require management. A VPN is unnecessary.

926
MCQ (easy)

A developer wants to see the details of a specific GKE Pod including its events, container status, and resource requests/limits. Which kubectl command provides this?

A.kubectl get pod [POD_NAME] -o wide
B.kubectl describe pod [POD_NAME]
C.kubectl inspect pod [POD_NAME]
D.kubectl get pod [POD_NAME] -o json
Answer: B

`kubectl describe pod` provides full Pod details: container state, resource requests/limits, QoS class, scheduling events, probes, volumes, and the events section showing recent cluster activity for the Pod.

Why this answer

B is correct because `kubectl describe pod` provides a comprehensive view of a pod, including its events (e.g., scheduling, pulling images), container status (e.g., waiting, running, terminated with reasons), and resource requests/limits (CPU and memory). This command aggregates detailed information from the Kubernetes API, making it the standard tool for debugging pod issues.

Exam trap

Google Cloud often tests the distinction between `get` and `describe`, where candidates mistakenly think `-o wide` or `-o json` provides the same event and status detail, but only `describe` automatically includes pod events and presents container status in a human-readable summary.

How to eliminate wrong answers

Option A is wrong because `kubectl get pod -o wide` only shows additional node and IP information, not events, container status details, or resource requests/limits. Option C is wrong because `kubectl inspect` is not a valid kubectl command; the correct verb for detailed inspection is `describe` or `get -o yaml/json`. Option D is wrong because `kubectl get pod -o json` outputs the raw JSON representation of the pod object, which includes resource requests/limits and container status but does not include pod events (which are a separate API resource) and is less human-readable than `describe`.

927
Multi-Select (medium)

A company wants to ensure that a Compute Engine instance can access only a specific Cloud Storage bucket and no other resources in the project. Which TWO steps should the engineer take? (Select 2 correct answers)

Select 2 answers
A.Grant the roles/storage.admin role at the bucket level.
B.Grant the roles/storage.objectViewer role at the project level to the service account.
C.Use the default Compute Engine service account.
D.Attach the service account to the Compute Engine instance at creation.
E.Create a custom service account.
Answers: D, E

Attaching the custom service account is what makes its permissions, and only its permissions, available to the instance.

Why this answer

To restrict an instance to a specific bucket, create a custom service account, grant it roles/storage.objectViewer through an IAM binding on the bucket itself (not on the project, so the binding cannot reach any other bucket), and attach that service account to the instance; a running instance has to be stopped before its service account can be changed. The VM's access scopes also gate what the metadata-server credentials may call, so with a dedicated service account the usual pattern is to give the instance the cloud-platform scope and let IAM be the only control. Granting the role at project level is too broad, and the default Compute Engine service account is shared by other VMs in the project and typically carries project-wide Editor.

928
MCQ (hard)

An organization uses Secret Manager to store database credentials. A new application runs on Compute Engine and needs to access a secret. The application uses the default compute engine service account. What is the most secure way to grant access to the secret?

A.Hardcode the secret in the application configuration file
B.Create a new service account with the secretAccessor role, create a key, and store it on the instance
C.Grant the roles/editor role to the default compute engine service account
D.Grant the roles/secretmanager.secretAccessor role to the compute engine default service account
Answer: D

Least-privilege access through IAM: no key file on disk and no secret in a config file.

Why this answer

The most secure of the four is granting roles/secretmanager.secretAccessor to the service account the VM already runs as, bound on the individual secret rather than on the project; the application then fetches the secret through the metadata-server credentials at runtime, so no key file or plaintext copy lives on the instance. Option B's flaw is the downloaded key, not the dedicated service account: in practice a purpose-built service account attached to the VM (with no key ever created) is tighter still, because the default Compute Engine service account is shared by every VM in the project that uses it and often already holds Editor, which is exactly the over-broad grant Option C makes worse.
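Worked example for the IAM hygiene points behind questions 927 and 928. This is added Python, not code from the question bank or from Google: it lints an IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` prints (a "bindings" list of role and members), flagging basic roles, *.admin roles handed to service accounts, and any grant at all to the default Compute Engine service account. The policy below is constructed; the function names and the heuristics are assumptions made for the example.

```python
"""Lint a Google Cloud IAM policy for over-broad service account grants.

Added example (not from the question bank). SAMPLE_POLICY is constructed
test data in the shape gcloud prints for a project IAM policy.
"""
import re

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# The default Compute Engine service account is PROJECT_NUMBER-compute@developer.gserviceaccount.com.
DEFAULT_COMPUTE_SA = re.compile(r"^serviceAccount:\d+-compute@developer\.gserviceaccount\.com$")


def find_broad_grants(policy):
    """Return (member, role, reason) triples that deserve a second look."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if role in BASIC_ROLES:
                findings.append((member, role, "basic role grants project-wide access"))
            elif role.endswith(".admin") and member.startswith("serviceAccount:"):
                findings.append((member, role, "admin role on a workload identity"))
            if DEFAULT_COMPUTE_SA.match(member):
                findings.append((member, role, "default compute SA is shared by every VM that uses it"))
    return findings


def service_accounts_with_role(policy, role):
    """Service account members holding `role`, handy for checking a single secret's policy."""
    return sorted(
        m for b in policy.get("bindings", []) if b["role"] == role
        for m in b.get("members", []) if m.startswith("serviceAccount:")
    )


# Constructed project policy showing the patterns the two questions warn about.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
        {"role": "roles/secretmanager.admin",
         "members": ["serviceAccount:ci-deployer@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:reports-vm@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["user:alice@example.com"]},
    ]
}

if __name__ == "__main__":
    for member, role, reason in find_broad_grants(SAMPLE_POLICY):
        print(f"{member}: {role} ({reason})")
```

The objectViewer binding is the one that passes: a narrowly scoped role on a dedicated service account. Run the same check against the bucket's or the secret's own policy to confirm the narrow role was bound there and not at project level.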

929
MCQ (easy)

An organization with multiple Google Cloud projects wants to centralize network administration by having a single VPC network that hosts shared services and allows project teams to create their own resources in separate projects that can connect to the shared VPC. Which Google Cloud feature should they use?

A.Cloud VPN
B.VPC Service Controls
C.VPC Network Peering
D.Shared VPC
Answer: D

Shared VPC enables central administration of a VPC across multiple projects.

Why this answer

Option D is correct because Shared VPC lets an organization define the VPC network in a host project and attach service projects to it: network administrators manage subnets, routes and firewall rules centrally, while project teams create their own instances and other resources in their service projects on the shared subnets. Option C is wrong because VPC Network Peering connects two separately administered VPC networks; it does not centralize administration. Option B is wrong because VPC Service Controls builds service perimeters to prevent data exfiltration, not shared networking.

Option A is wrong because Cloud VPN connects networks over IPsec tunnels; it does not let other projects create resources inside a shared network.

930
Drag & Dropmedium

Arrange the steps to create a Cloud SQL MySQL instance, configure a database, and connect using the Cloud SQL Proxy.


Why this order

Create the Cloud SQL instance first (nothing can be created inside it until it exists), then create the database and the user that will own it, then start the Cloud SQL Auth Proxy on the client and connect through it. The proxy authenticates to the instance with IAM and wraps the connection in TLS, so the client needs neither an authorized-network entry nor a database exposed on a public IP.

931
MCQmedium

A startup's GCP project has a project ID of 'my-startup-prod' and a project number of '123456789012'. An API call requires the project number, not the project ID. How can the project number be retrieved quickly?

A.The project number is always the same as the last 12 digits of the project ID
B.Run `gcloud projects describe my-startup-prod` and look for the projectNumber field
C.Run `gcloud config get-value project-number`
D.The project number appears in the URL bar of the GCP Console — it's the number after /project/
AnswerB

`gcloud projects describe [PROJECT_ID]` outputs the project's metadata including `projectNumber`, `projectId`, `name`, and `lifecycleState`; add `--format='value(projectNumber)'` to print only the number for use in scripts.

Why this answer

Option B is correct because the `gcloud projects describe` command retrieves detailed metadata about a GCP project, including the `projectNumber` field, which is a unique numeric identifier assigned by Google Cloud. This is the standard method to quickly obtain the project number when only the project ID is known, as the project number is not derivable from the project ID.

Exam trap

The trap here is that candidates confuse the project ID with the project number, assuming they are interchangeable or derivable from each other, and may incorrectly think a simple `gcloud config` command or URL inspection is sufficient.

How to eliminate wrong answers

Option A is wrong because the project number is not derived from the project ID; it is a separate, immutable numeric identifier assigned at project creation, and the project ID can be any string of letters, digits, and hyphens. Option C is wrong because `gcloud config get-value project-number` is not a valid command; the correct command to get the current project's number would involve `gcloud projects describe` or `gcloud config get-value project`, which returns the project ID, not the number. Option D is wrong because while the project number may appear in the GCP Console URL (e.g., as a query parameter or path segment), it is not consistently displayed in the URL bar for all pages, and relying on the URL is not a reliable or quick method compared to using the CLI.

932
MCQmedium

A DevOps team wants to be notified in Slack when a specific error log appears in Cloud Logging. They set up a log-based alert with a notification channel to a Slack webhook. However, notifications are not arriving. What is the most likely cause?

A.The notification channel is not configured to use a Pub/Sub topic
B.The log-based alert is not using a valid metric threshold
C.The log query is case-sensitive and mismatched
D.The Slack webhook URL is outdated
AnswerA

Why this answer

Cloud Monitoring delivers alerts only through its own notification channel types. Pasting a Slack incoming-webhook URL into a generic Webhooks channel does not work: Monitoring posts its own alert JSON, and a Slack incoming webhook expects a payload with a `text` field, so the post is rejected. The supported paths are the native Slack channel type, which is authorized against a Slack workspace through Slack's app authorization rather than a webhook URL, or a Pub/Sub notification channel whose topic feeds a small relay (a function or a Cloud Run service) that reformats the alert and posts it to the webhook. Before changing the channel, check that it is actually attached to the log-based alert policy, that the log query matches the entries you expect (run it in Logs Explorer), and that the channel's test notification arrives.

933
MCQmedium

A company wants to track costs by department and project. They have multiple GCP projects used by different teams. Which feature should they use to categorize costs?

A.Budgets and alerts
B.Labels
C.Billing export to BigQuery
D.Custom IAM roles
AnswerB

Labels allow cost attribution by department, project, etc.

Why this answer

Labels are key-value pairs that can be attached to resources and are used to organize and track costs. Budget alerts notify when spending exceeds thresholds. Billing export sends data to BigQuery.

Custom roles are for IAM permissions.

934
MCQeasy

A company's application currently runs on a single Compute Engine VM with a persistent disk. The application serves read-heavy traffic and the single VM is becoming a bottleneck. The application is stateless. Which change provides the most immediate horizontal scalability improvement?

A.Upgrade the existing VM to a larger machine type (vertical scaling).
B.Create a Managed Instance Group from the VM and configure autoscaling with a load balancer.
C.Add more persistent disks to the existing VM to handle more I/O.
D.Enable live migration on the existing VM so it can move between hosts.
AnswerB

A MIG with autoscaling adds VM instances on demand. A load balancer distributes incoming requests across all instances, providing true horizontal scalability.

Why this answer

Option B is correct because creating a Managed Instance Group (MIG) from the existing VM and configuring autoscaling with a load balancer directly addresses the read-heavy, stateless bottleneck by distributing traffic across multiple VM instances. This provides immediate horizontal scalability, as new instances are automatically provisioned or terminated based on load, without requiring any application changes.

Exam trap

The trap here is that candidates confuse vertical scaling (Option A) with horizontal scaling, or think that adding more disks (Option C) or enabling live migration (Option D) can solve a compute bottleneck, when only distributing the load across multiple instances (Option B) provides true horizontal scalability.

How to eliminate wrong answers

Option A is wrong because upgrading to a larger machine type (vertical scaling) increases the capacity of a single VM but does not eliminate the single point of failure or the bottleneck from a single instance; it also has an upper limit and does not provide horizontal scalability. Option C is wrong because adding more persistent disks to the existing VM increases I/O capacity but does not distribute the read traffic across multiple VMs, leaving the single VM as the bottleneck for CPU and network resources. Option D is wrong because enabling live migration allows the VM to move between hosts for maintenance without downtime, but it does not increase compute capacity or distribute traffic, so it offers no scalability improvement.

935
MCQhard

An engineer needs to give a data analyst access to run BigQuery queries but prevent them from viewing or modifying data in Cloud Storage. The analyst should be able to create new datasets. Which IAM role should the engineer assign at the project level?

A.roles/storage.objectViewer
B.roles/bigquery.dataEditor
C.roles/bigquery.dataOwner
D.roles/bigquery.user
AnswerD

`roles/bigquery.user` grants `bigquery.jobs.create` (run queries) and `bigquery.datasets.create`, and nothing in Cloud Storage.

Why this answer

At the project level, `roles/bigquery.user` includes `bigquery.jobs.create`, which is required to run query jobs, and `bigquery.datasets.create`, so the analyst can run queries and create datasets; the analyst becomes owner of datasets they create and can read other datasets only where access has been granted separately. The role contains no `storage.*` permissions, so Cloud Storage is untouched. `roles/bigquery.dataEditor` is the common wrong pick: it grants read/write on table data and dataset creation but not `bigquery.jobs.create`, so the analyst could not run query jobs with it alone (it would have to be paired with `roles/bigquery.jobUser`). `roles/bigquery.dataOwner` adds dataset and table management and IAM changes, more than required, and also lacks `bigquery.jobs.create`. `roles/storage.objectViewer` grants exactly the Cloud Storage read access that must be prevented.

936
MCQmedium

Your organization uses Cloud Storage for storing backups. You want to automatically delete backup objects that are older than 30 days to control costs. You also want objects between 7 and 30 days old to use Nearline storage class for lower cost. Which Cloud Storage feature manages both requirements in a single configuration?

A.Write a Cloud Function that runs daily, lists objects, and deletes or moves old ones.
B.Configure Object Lifecycle Management rules on the bucket with `SetStorageClass` and `Delete` actions.
C.Set a bucket-level retention policy of 30 days and manually change storage classes.
D.Use Cloud Scheduler to trigger `gsutil` commands that move and delete old objects.
AnswerB

OLM supports multiple rules per bucket. SetStorageClass at age 7 moves objects to Nearline; Delete at age 30 removes them. This is fully managed with no code required.

Why this answer

Option B is correct because Object Lifecycle Management rules in Cloud Storage allow you to define conditions (e.g., object age) and actions (e.g., SetStorageClass to Nearline, Delete) in a single configuration. This automates both the transition of objects aged 7–30 days to Nearline storage and the deletion of objects older than 30 days, without custom code or manual intervention.

Exam trap

Google Cloud often tests the misconception that custom code or external schedulers are required for automated object management, when in fact Cloud Storage's built-in lifecycle management can handle both storage class transitions and deletions in a single, cost-effective configuration.

How to eliminate wrong answers

Option A is wrong because a daily Cloud Function that lists, moves and deletes objects adds code to maintain, can fail or run late, and bills invocations for work the bucket can do natively. Option C is wrong because a retention policy only prevents deletion or overwriting before the retention period ends; it neither deletes objects afterwards nor changes storage classes, so both requirements would remain manual. Option D is wrong because Cloud Scheduler plus `gsutil` is the same scripted, brittle approach as option A in another wrapper, whereas lifecycle rules are declarative and run inside Cloud Storage.
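The two-rule lifecycle configuration described above, written out as an added example (it is not part of the original page); the bucket name in the usage note is a placeholder:

```json
{
  "lifecycle": {
    "rule": [
      {
        "action": {"type": "SetStorageClass", "storageClass": "NEARLINE"},
        "condition": {"age": 7, "matchesStorageClass": ["STANDARD"]}
      },
      {
        "action": {"type": "Delete"},
        "condition": {"age": 30}
      }
    ]
  }
}
```

Save it as `lifecycle.json`, apply with `gsutil lifecycle set lifecycle.json gs://BUCKET`, and confirm with `gsutil lifecycle get gs://BUCKET`. `age` is measured in days since object creation, and `matchesStorageClass` keeps the first rule from re-touching objects that are already in a colder class. Two things to check before relying on this to cut costs: lifecycle actions run asynchronously and can lag the condition by up to a day, and Nearline carries a 30-day minimum storage duration with an early-deletion charge, so model the day-7 transition followed by the day-30 delete against the current pricing rules for your object sizes.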

937
MCQeasy

You are designing an application that needs to process exactly once each message published to a topic, even if the consumer fails partway through and restarts. Which GCP service provides built-in exactly-once processing semantics with Pub/Sub?

A.Cloud Functions subscribed to the Pub/Sub topic with idempotent logic.
B.Dataflow with Pub/Sub as the source using the Beam SDK.
C.BigQuery Subscriptions connected directly to the Pub/Sub topic.
D.Cloud Run with a Pub/Sub push subscription and database deduplication table.
AnswerB

Dataflow's streaming runner provides exactly-once processing over a Pub/Sub source by checkpointing pipeline state and deduplicating on the Pub/Sub message ID (or on a publisher-supplied ID attribute).

Why this answer

Dataflow with Pub/Sub as the source provides exactly-once processing within the pipeline: the Pub/Sub source records each message's ID (or the attribute named with `withIdAttribute`) and the runner checkpoints state, so a message redelivered after a worker failure is recognised and not reprocessed. The guarantee covers processing inside the pipeline; an output sink that is not itself idempotent can still observe duplicates.

Exam trap

Google Cloud often tests the misconception that Pub/Sub itself makes processing exactly-once. A standard subscription is at-least-once: any message not acknowledged before its ack deadline is redelivered, so a consumer that crashes after acting on a message but before acking it will see it again. Pull subscriptions can enable exactly-once delivery, which suppresses redelivery of acknowledged messages, but that still does not make the consumer's own side effects idempotent; among the options, Dataflow is the service that builds the deduplication and checkpointing in.

How to eliminate wrong answers

Option A is wrong because Cloud Functions subscribed to Pub/Sub only gives you at-least-once invocations; the idempotent logic named in the option is something the developer has to write, not something the service provides. Option C is wrong because a BigQuery subscription writes messages to a table with at-least-once delivery; duplicates can land in the table and must be removed at query time. Option D is wrong because a push subscription to Cloud Run is also at-least-once, and the deduplication table is again custom application logic; nothing built in provides exactly-once processing.
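The failure mode the question describes (consumer crashes part-way, restarts, message comes back) is easiest to see with code. The block below is an added example, not code from the original page or from any Google library: the Pub/Sub client and the database are replaced by in-process stand-ins with constructed message IDs so it runs offline. It contrasts a consumer whose deduplication record lives in durable storage next to the side effect with one that keeps the seen-set only in memory, which is what options A and D get wrong when written naively.

```python
"""Idempotent consumer over an at-least-once queue (added example).

Models what Pub/Sub does on a standard subscription: a message that was
received but never acknowledged (ack deadline passed because the consumer
crashed) is redelivered with the same message_id. Stand-ins replace the
Pub/Sub client library and the database so the example runs offline.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Message:
    message_id: str   # assigned by Pub/Sub; stable across redeliveries
    data: str


@dataclass
class DurableStore:
    """Stand-in for the database the consumer writes to; outlives the process."""
    processed_ids: set = field(default_factory=set)
    ledger: list = field(default_factory=list)   # the side effect (e.g. charges)

    def commit(self, msg: Message, effect: str) -> None:
        # A real implementation does both writes in one transaction so a crash
        # cannot leave the effect recorded without its dedup row, or vice versa.
        self.processed_ids.add(msg.message_id)
        self.ledger.append(effect)


class IdempotentConsumer:
    """Dedup record and side effect live together in durable storage."""

    def __init__(self, store: DurableStore) -> None:
        self.store = store

    def handle(self, msg: Message) -> bool:
        """Return True if the message was processed, False if it was a duplicate."""
        if msg.message_id in self.store.processed_ids:
            return False          # already done: the caller simply acks again
        self.store.commit(msg, f"charged:{msg.data}")
        return True               # the caller acks after this returns


class MemoryDedupConsumer:
    """Same check, but the seen-set lives only in process memory."""

    def __init__(self, store: DurableStore) -> None:
        self.store = store
        self.seen: set = set()

    def handle(self, msg: Message) -> bool:
        if msg.message_id in self.seen:
            return False
        self.seen.add(msg.message_id)
        self.store.ledger.append(f"charged:{msg.data}")
        return True


def simulate(consumer_cls, store: DurableStore) -> list:
    """Constructed delivery sequence: m1, m2, crash before m2 is acked,
    restart, redelivery of m2 with the same message_id, then m3."""
    consumer = consumer_cls(store)
    consumer.handle(Message("m1", "order-1"))
    consumer.handle(Message("m2", "order-2"))
    # crash here: the ack for m2 never reaches Pub/Sub
    consumer = consumer_cls(store)             # restart: new process, empty memory
    consumer.handle(Message("m2", "order-2"))  # redelivered by Pub/Sub
    consumer.handle(Message("m3", "order-3"))
    return store.ledger


if __name__ == "__main__":
    print(simulate(IdempotentConsumer, DurableStore()))   # order-2 charged once
    print(simulate(MemoryDedupConsumer, DurableStore()))  # order-2 charged twice
```

Two design points carry over to the real thing. First, `message_id` only identifies a delivery: if the publisher retries a publish call, Pub/Sub assigns a new ID to the retried message, so dedup against publisher retries has to key on a business identifier carried in a message attribute (the same idea as Dataflow's ID attribute). Second, the dedup table cannot grow forever; entries can be expired once they are older than the longest possible redelivery window, which for a standard subscription is bounded by the subscription's message retention period (seven days by default).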

938
MCQeasy

You need to monitor the uptime of an external HTTPS endpoint that is critical to your application. Which Google Cloud service should you use to create an uptime check?

A.Cloud Monitoring
B.Cloud Debugger
C.Cloud Trace
D.Cloud Logging
AnswerA

Cloud Monitoring includes uptime checks for verifying endpoint availability.

Why this answer

Cloud Monitoring provides uptime checks that can monitor HTTP, HTTPS, and TCP endpoints from multiple locations.

939
MCQmedium

You need to allow a third-party auditing company to view all resources and IAM policies across your GCP organization without being able to modify anything. Which role should you grant, and at which level?

A.Grant `roles/viewer` on each individual project the auditor needs to access.
B.Grant `roles/iam.securityReviewer` at the organization level.
C.Grant `roles/owner` at the organization level with a time-limited condition.
D.Create a custom role with only `*.get` and `*.list` permissions and grant it at the org level.
AnswerB

Security Reviewer at the organization level grants the `getIamPolicy` and get/list permissions needed to read IAM policies and security-relevant resource metadata in every folder and project beneath it; it is purpose-built for audit use.

Why this answer

Option B is correct because `roles/iam.securityReviewer` granted at the organization level is inherited by every folder and project beneath it, giving read-only visibility into IAM policies and security-relevant configuration across the whole organization with no modify permission. The role bundles the `getIamPolicy` permissions for the organization, folders, projects and most resource types with read permissions such as `iam.roles.get`, `iam.roles.list` and `iam.serviceAccounts.get`.

Exam trap

The trap here is that candidates reach for `roles/viewer` (Option A) because it is read-only, overlooking that a per-project grant inherits nothing from folder or organization scope: policies set above the project and any project created after the grant are invisible to the auditor, so the audit is incomplete.

How to eliminate wrong answers

Option A is wrong because `roles/viewer` granted on individual projects has to be repeated for every project, misses projects created after the grant, and does not cover IAM policies set at folder or organization level. Option C is wrong because `roles/owner` grants full administrative control, including the ability to modify resources and IAM policies; a time-limited condition shortens the window but does not remove the modify permissions. Option D is wrong because custom roles must list each permission explicitly (wildcards such as `*.get` are not accepted), and hand-assembling a read-only set is more work and more error-prone than using the predefined role built for exactly this purpose.

940
MCQmedium

A Cloud SQL production instance experiences a spike in connections during business hours, causing 'too many connections' errors. The application uses 50 microservices each maintaining 10 connections. What is the recommended solution to reduce connection count without rewriting the application?

A.Increase the Cloud SQL instance's max_connections database flag to 10,000
B.Deploy a connection pooler (e.g., PgBouncer) between the microservices and Cloud SQL
C.Enable Cloud SQL HA — the standby will handle the connection overflow
D.Add a read replica — microservices can connect to the replica instead of the primary
AnswerB

PgBouncer multiplexes thousands of application connections through a small pool of database connections, dramatically reducing the actual connections Cloud SQL handles.

Why this answer

Option B is correct because a connection pooler (PgBouncer for PostgreSQL, ProxySQL for MySQL) sits between the microservices and Cloud SQL and multiplexes many client connections over a small pool of server connections. Each microservice keeps its 10 connections, now to the pooler, unchanged, while the database sees only the pool, so the connection count on the instance drops without application code changes. One caveat to check: in PgBouncer's transaction pooling mode, session-level state such as `SET` settings and temporary tables does not survive across transactions, so confirm the application does not depend on it.

Exam trap

Google Cloud often tests the misconception that increasing a resource limit (like max_connections) is a valid solution to connection overload, when in fact it masks the problem and can cause resource exhaustion, whereas connection pooling is the correct architectural fix.

How to eliminate wrong answers

Option A is wrong because increasing max_connections to 10,000 does not reduce the number of connections; it merely raises the limit, which can lead to memory exhaustion and degraded performance on the Cloud SQL instance, as each connection consumes memory and CPU overhead. Option C is wrong because Cloud SQL HA (high availability) uses a standby instance that does not accept connections for read/write traffic; it only takes over during failover and does not help with connection overflow during normal operations. Option D is wrong because adding a read replica does not reduce the connection count on the primary instance; microservices would still need to connect to the primary for writes, and read replicas have their own connection limits, so the underlying issue of too many connections is not addressed.

941
MCQmedium

You need to create a snapshot of a persistent disk attached to a running Compute Engine instance. The disk is used by a production database; you want minimal impact. What should you do?

A.Detach the disk, create the snapshot, then reattach.
B.Create the snapshot while the instance is running; snapshots are always consistent.
C.Use gcloud compute disks snapshot without stopping; data will be consistent.
D.Stop the instance, create the snapshot using gcloud compute disks snapshot, then restart the instance.
AnswerD

Stopping the instance is the only option listed that guarantees an application-consistent snapshot.

Why this answer

Compute Engine can snapshot a disk while it is attached to a running instance, but such a snapshot is only crash-consistent: writes the database has buffered but not yet flushed are not on disk, so options B and C overstate what you get. A database needs an application-consistent snapshot, which requires quiescing the database and flushing the filesystem first. The reliable way, and the only one among these options, is to stop the instance, run `gcloud compute disks snapshot DISK --zone ZONE`, and start it again; the cost is a short outage, which is why the question frames the goal as minimal impact rather than no impact. Detaching the disk (option A) is more disruptive than stopping, since the database loses its storage while still running.

Where an outage is unacceptable, the production-grade alternative is an application-consistent snapshot taken while running: flush and freeze the filesystem, or pass `--guest-flush` so the guest environment runs its pre- and post-snapshot scripts (VSS on Windows) around the snapshot.

942
Multi-Selecteasy

A Cloud Architect needs to understand the GCP resource hierarchy to set up proper access control. Which three resources are part of the GCP resource hierarchy? (Choose THREE.)

Select 3 answers
A.Billing Account
B.Folder
C.Project
D.Organization
E.Cloud Identity
AnswersB, C, D

Organization, folder and project are the nodes of the hierarchy; IAM policies set on them are inherited downward.

Why this answer

The GCP resource hierarchy includes Organization, Folder, Project, and Resources (like VMs). Cloud Identity and Billing Account are separate services.

943
MCQhard

An organization requires that all Compute Engine instances be created with a specific service account that has minimal permissions. They also want to prevent users from creating instances with a different service account. Which IAM policy should they implement?

A.Organization policy with constraint compute.disableUserServiceAccountCreation
B.IAM condition that restricts instances to only use the authorized service account
C.Custom role with permission compute.instances.setServiceAccount only for authorized users
D.Organization policy with constraint compute.setServiceAccount
AnswerD

This constraint restricts the set of service accounts that can be used when creating instances.

Why this answer

The organization policy constraint `compute.setServiceAccount` is the correct choice because it allows administrators to restrict which service accounts can be used when creating Compute Engine instances. By setting this constraint to only permit a specific service account, users are prevented from launching instances with any other service account, ensuring minimal permissions are enforced at the organization level.

Exam trap

The trap here is that candidates confuse the organization policy constraint `compute.setServiceAccount` with the IAM permission `compute.instances.setServiceAccount`, thinking that restricting the permission is sufficient, when in fact the organization policy is required to block creation with unauthorized service accounts at the resource hierarchy level.

How to eliminate wrong answers

Option A is wrong because `compute.disableUserServiceAccountCreation` is not a valid organization policy constraint; the correct constraint name is `compute.setServiceAccount`. Option B is wrong because IAM conditions can restrict actions based on resource attributes but cannot globally enforce which service account is used at instance creation time across all users; they are applied per IAM policy binding, not as an organization-wide block. Option C is wrong because a custom role with `compute.instances.setServiceAccount` permission only controls who can change the service account on an existing instance, not prevent creation with a different service account; it does not enforce a specific service account at creation.

944
MCQmedium

Your GKE cluster nodes are running an older kernel version with a known vulnerability. You need to update all nodes to use the latest node image with the patched kernel without any downtime. The cluster has a Surge Upgrade configuration of `max-surge: 1, max-unavailable: 0`. What happens during the node upgrade?

A.GKE terminates all nodes simultaneously and creates new ones — brief downtime occurs.
B.GKE provisions one new node, drains one old node, deletes it, and repeats — zero downtime.
C.GKE upgrades nodes in-place by applying a kernel patch without rescheduling pods.
D.Two nodes are upgraded simultaneously (one being the surge node and one old node going offline).
AnswerB

max-surge: 1 provisions one extra node; max-unavailable: 0 means no existing node is drained until the surge node is ready. These are set per node pool with `gcloud container node-pools update POOL --cluster CLUSTER --max-surge-upgrade 1 --max-unavailable-upgrade 0`. The process repeats node by node; pods on the drained node are evicted and rescheduled, so zero downtime holds for workloads that run more than one replica and, ideally, declare a PodDisruptionBudget.

Why this answer

Option B is correct because the surge upgrade configuration `max-surge: 1, max-unavailable: 0` ensures that GKE first provisions one new node (the surge node) before draining and deleting an old node. This rolling update process maintains the desired capacity at all times, resulting in zero downtime for applications.

Exam trap

Google Cloud often tests the misconception that `max-surge` and `max-unavailable` control the number of nodes upgraded simultaneously, when in fact `max-surge` controls the extra nodes provisioned and `max-unavailable` controls how many nodes can be unavailable at any time, and candidates confuse this with parallel upgrades.

How to eliminate wrong answers

Option A is wrong because GKE does not terminate all nodes simultaneously; the surge configuration explicitly prevents that by keeping one extra node available during the upgrade. Option C is wrong because GKE does not perform in-place kernel patching on running nodes; it replaces nodes with new images via node pool upgrades. Option D is wrong because the surge upgrade does not take two nodes offline at once; only one old node is drained at a time while the surge node handles the workload, and `max-unavailable: 0` means no old node goes offline before the new one is ready.

945
Multi-Selecthard

You are troubleshooting a slow application that uses multiple microservices. You suspect a particular service is causing high latency. Which TWO Google Cloud tools should you use to identify the root cause? (Select 2)

Select 2 answers
A.Cloud Profiler
B.Cloud Logging
C.Cloud Monitoring
D.Cloud Trace
E.Cloud Debugger
AnswersC, D

Metrics and dashboards can show latency per service.

Why this answer

Cloud Trace traces requests across services to pinpoint latency, and Cloud Monitoring can show metrics like request latency and error rates.

946
MCQeasy

An engineer needs to grant a user the ability to create and manage service accounts in a project, but not delete them. Which predefined IAM role should be assigned?

A.roles/iam.serviceAccountAdmin
B.roles/iam.serviceAccountDeleter
C.roles/iam.serviceAccountCreator
D.roles/iam.serviceAccountUser
AnswerA

Closest predefined role for creating and managing service accounts; note that it also includes delete.

Why this answer

Among the options, `roles/iam.serviceAccountAdmin` is the only predefined role that lets the user both create and manage (update, enable, disable, set IAM policy on) service accounts. Be aware that it also carries `iam.serviceAccounts.delete`; no predefined role grants create and update without delete, so if the no-delete requirement is strict, build a custom role from the Admin role's permissions with `iam.serviceAccounts.delete` removed. `roles/iam.serviceAccountCreator` grants only create, get and list, so it cannot manage existing accounts. `roles/iam.serviceAccountUser` lets a principal act as or attach a service account, not create one. `roles/iam.serviceAccountDeleter` grants deletion only, the opposite of what is wanted.

947
MCQeasy

Which command creates a Google-managed SSL certificate for the domain 'example.com'?

A.gcloud compute ssl-certificates create my-cert --domains example.com
B.gcloud compute addresses create my-cert --global
C.gcloud compute ssl-policies create my-policy
D.gcloud compute target-https-proxies create my-proxy --ssl-certificates my-cert
AnswerA

Correct command for a Google-managed certificate.

Why this answer

Google-managed certificates are created with `gcloud compute ssl-certificates create` and the `--domains` flag; add `--global` when the certificate will be attached to a global external HTTPS load balancer. The certificate is only provisioned once the domain's DNS record points at the load balancer's IP address, and progress can be watched with `gcloud compute ssl-certificates describe my-cert --global`. The other commands reserve an IP address, create an SSL policy (which sets TLS versions and cipher suites, not certificates) and attach an existing certificate to a target proxy.

948
MCQhard

A developer created a service account with the roles/storage.admin role and wants to use it from a Compute Engine instance without downloading a key file. What is the best practice?

A.Download the service account key and store it on the instance's persistent disk.
B.Use gcloud auth activate-service-account on the instance with the service account email.
C.Attach the service account to the instance using the --service-account flag when creating the instance.
D.Store the service account email in an instance metadata and use gcloud commands.
AnswerC

This enables the instance to use the service account's permissions via the metadata server without any key file.

Why this answer

The best practice is to attach the service account at creation time with the `--service-account` flag, together with an access scope that does not restrict the API (typically `--scopes=cloud-platform`, leaving authorization to IAM). The instance then obtains short-lived access tokens from the metadata server, so no key file ever exists to leak or rotate. Option A is the anti-pattern being avoided. Option B does not help: `gcloud auth activate-service-account` requires a key file via `--key-file`. Option D is wrong because putting an email in metadata grants nothing; credentials come only from the service account attached to the instance.

949
MCQhard

A company has an e-commerce application deployed on Compute Engine instances in a managed instance group (MIG) behind an external HTTP load balancer. The application stores session data in an in-memory cache on each instance. Recently, the team noticed that users are being logged out unexpectedly and losing their shopping cart contents. The MIG is configured with autoscaling based on CPU utilization. The team suspects the issue is related to session persistence. They have considered the following options: A) Switch to an internal TCP/UDP load balancer with session affinity; B) Enable sticky sessions (session affinity) on the existing load balancer; C) Move session storage to a centralized service like Memorystore; D) Increase the instance size and disable autoscaling. Which solution permanently resolves the issue while maintaining scalability and fault tolerance?

A.Switch to an internal TCP/UDP load balancer with session affinity
B.Increase the instance size and disable autoscaling
C.Enable sticky sessions (session affinity) on the existing load balancer
D.Move session storage to a centralized service like Memorystore
AnswerD

Centralized session storage decouples sessions from instances, ensuring persistence across scaling and failures.

Why this answer

Option D is correct because storing session data in a centralized service like Memorystore (Redis) decouples session state from individual Compute Engine instances. This ensures that any instance in the managed instance group can serve any user request without losing session data, even as the MIG autoscales up or down. This approach permanently resolves the issue while maintaining scalability and fault tolerance, as Memorystore provides a highly available, in-memory data store that persists across instance lifecycle events.

Exam trap

The trap here is that candidates often think sticky sessions (session affinity) alone will fix session persistence, but they overlook that autoscaling and instance failures still cause data loss when sessions are stored locally—only a centralized external store like Memorystore provides true persistence and fault tolerance.

How to eliminate wrong answers

Option A is wrong because switching to an internal TCP/UDP load balancer would make the application inaccessible from the internet (external users), and session affinity alone does not solve the problem when instances are terminated or added by autoscaling—the session data is still lost if the instance goes down. Option B is wrong because increasing instance size and disabling autoscaling removes scalability and fault tolerance, and does not address the root cause: session data stored in local memory is lost on instance restart or termination. Option C is wrong because enabling sticky sessions (session affinity) on the existing load balancer only pins a user to a specific instance, but if that instance is terminated during autoscaling (scale-in) or fails, the session data is still lost; it does not provide a durable, shared session store.

950
MCQmedium

A startup builds a serverless REST API using Cloud Functions (2nd gen). Each function invocation runs for 200ms on average, processes 5 million requests per day, and uses 256 MB memory. Approximately how should they estimate monthly Cloud Functions costs?

A.Approximately $0 — all invocations fall within the free tier
B.Estimate based on invocation count, compute time (memory × duration), and networking costs beyond the free tier
C.Approximately the same as a continuously-running e2-medium VM — Cloud Functions and VMs are priced equivalently
D.Fixed monthly rate based on the number of deployed functions, not invocation count
AnswerB

Cloud Functions billing uses three dimensions: invocations, compute time (measured in GB-seconds), and outbound network traffic — all calculated above the monthly free tier.

Why this answer

Option B is correct because Cloud Functions (2nd gen) pricing is based on three components: invocation count, compute time (measured in GB-seconds, which is memory multiplied by duration), and networking egress beyond the free tier. With 5 million requests per day at 200ms each and 256 MB memory, the monthly compute time is approximately 5,000,000 × 0.2 seconds × (256/1024) GB = 250,000 GB-seconds per day, or 7.5 million GB-seconds per month, which far exceeds the free tier of 400,000 GB-seconds per month, so costs will accrue. Additionally, the 150 million invocations per month exceed the free tier of 2 million invocations, and egress traffic will also incur charges beyond the 1 GB free tier.

Exam trap

The trap here is that candidates assume the free tier covers all usage because they underestimate the cumulative effect of high invocation counts and compute time, or they mistakenly think Cloud Functions pricing is similar to VM pricing or a flat per-function fee.

How to eliminate wrong answers

Option A is wrong because the free tier for Cloud Functions (2nd gen) includes only 2 million invocations and 400,000 GB-seconds of compute time per month; 150 million invocations and 7.5 million GB-seconds far exceed these limits, so costs are not approximately $0. Option C is wrong because Cloud Functions and VMs are not priced equivalently; Cloud Functions uses a pay-per-use model based on invocation count, compute time (GB-seconds), and networking, while an e2-medium VM charges for continuous uptime regardless of usage, and the two pricing models are fundamentally different. Option D is wrong because Cloud Functions pricing is based on actual usage metrics (invocations, compute time, networking), not a fixed monthly rate per deployed function; there is no per-function flat fee.

951
MCQmedium

A GKE Deployment must be updated to a new container image version with zero downtime — old Pods should be replaced gradually, not all at once. Which update strategy should be configured?

A.Recreate strategy
B.Blue-green deployment using a separate Deployment and Service selector swap
C.RollingUpdate strategy
D.Canary deployment with a traffic-splitting ingress
AnswerC

RollingUpdate is the default Kubernetes Deployment strategy — it replaces old Pods progressively, ensuring the service remains available throughout the update.

Why this answer

The RollingUpdate strategy is correct because it gradually replaces old Pods with new ones while keeping the Deployment available, ensuring zero downtime. By default, it uses a `maxSurge` of 25% and `maxUnavailable` of 25%, allowing a controlled, incremental rollout that matches the requirement of replacing Pods gradually rather than all at once.

Exam trap

Google Cloud often tests the distinction between Deployment update strategies (Recreate vs. RollingUpdate) and higher-level deployment patterns (blue-green, canary), leading candidates to choose a pattern that is not a native Deployment strategy.

How to eliminate wrong answers

Option A is wrong because the Recreate strategy terminates all existing Pods before creating new ones, causing downtime during the transition. Option B is wrong because a blue-green deployment with a Service selector swap is a valid zero-downtime approach, but it requires a separate Deployment and manual or automated traffic switch, not a single Deployment update strategy as specified in the question. Option D is wrong because a Canary deployment with a traffic-splitting ingress is a more advanced pattern that typically uses an Ingress controller (e.g., with weighted routing) to gradually shift traffic, but it is not a native Deployment update strategy in GKE; the question asks for a strategy configured on the Deployment itself.
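The following is an added worked example, not code from the original question bank or from Kubernetes itself. It reproduces the arithmetic the Deployment controller applies to `maxSurge` and `maxUnavailable` (percentages round up for surge and down for unavailable, and when both resolve to zero the controller allows one unavailable Pod) so that you can see how many Pods a RollingUpdate keeps serving at each replica count, and why Recreate cannot be zero-downtime. The function names and the `RolloutBounds` type are this example's own.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class RolloutBounds:
    """Envelope of Pod counts a Deployment stays inside while rolling out."""
    replicas: int
    max_surge: int        # extra Pods allowed above `replicas`
    max_unavailable: int  # Pods allowed to be missing below `replicas`

    @property
    def min_available(self) -> int:
        return self.replicas - self.max_unavailable

    @property
    def max_total(self) -> int:
        return self.replicas + self.max_surge


def _is_explicit_zero(value) -> bool:
    return value == 0 or value == "0%"


def _resolve(value, replicas: int, round_up: bool) -> int:
    """Resolve a Kubernetes intOrString field (e.g. 1 or "25%") to a Pod count.

    The controller rounds maxSurge percentages UP and maxUnavailable
    percentages DOWN, so "25%" on 10 replicas gives surge 3 but unavailable 2.
    """
    if isinstance(value, str) and value.endswith("%"):
        pct = int(value[:-1])
        if not 0 <= pct <= 100:
            raise ValueError(f"percentage out of range: {value}")
        raw = replicas * pct / 100
        return math.ceil(raw) if round_up else math.floor(raw)
    if isinstance(value, int) and not isinstance(value, bool) and value >= 0:
        return value
    raise ValueError(f"invalid intOrString value: {value!r}")


def rolling_update_bounds(replicas: int, max_surge="25%", max_unavailable="25%") -> RolloutBounds:
    """Bounds for strategy.type: RollingUpdate; the defaults are Kubernetes' own."""
    if replicas < 1:
        raise ValueError("replicas must be at least 1")
    surge = _resolve(max_surge, replicas, round_up=True)
    unavailable = _resolve(max_unavailable, replicas, round_up=False)
    if surge == 0 and unavailable == 0:
        if _is_explicit_zero(max_surge) and _is_explicit_zero(max_unavailable):
            # API-server validation rejects two explicit zeros: no progress possible.
            raise ValueError("maxSurge and maxUnavailable cannot both be 0")
        # Rounding a small percentage down can leave both at zero; the controller
        # then permits one unavailable Pod so the rollout can progress at all.
        unavailable = 1
    return RolloutBounds(replicas, surge, unavailable)


def recreate_bounds(replicas: int) -> RolloutBounds:
    """Bounds for strategy.type: Recreate, which stops every old Pod first."""
    return RolloutBounds(replicas, max_surge=0, max_unavailable=replicas)


def is_zero_downtime(bounds: RolloutBounds) -> bool:
    """True when at least one Ready Pod is guaranteed throughout the rollout."""
    return bounds.min_available >= 1


if __name__ == "__main__":
    for replicas in (1, 2, 4, 10):
        b = rolling_update_bounds(replicas)
        print(f"{replicas:>2} replicas: {b.min_available}..{b.max_total} Pods during rollout")
    print("Recreate, 3 replicas, zero downtime:", is_zero_downtime(recreate_bounds(3)))
    print("1 replica, maxSurge 0, zero downtime:",
          is_zero_downtime(rolling_update_bounds(1, max_surge=0)))
```

The last case is the one worth remembering: a single-replica Deployment with `maxSurge: 0` has a moment with no Pods at all, because the only way to make progress is to take the one replica down. Keep `maxUnavailable: 0` with a non-zero surge when the requirement is strict zero downtime.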

952
MCQeasy

You need to verify that a Compute Engine VM in `us-central1` can reach an on-premises server at IP `10.1.2.3` over a Cloud VPN connection. The VPN tunnel appears UP but you're unsure if routing is correct. Which GCP tool can test this connectivity?

A.SSH into the VM and run `ping 10.1.2.3` to test connectivity.
B.Use Network Intelligence Center Connectivity Tests to analyze the path from the VM to the on-premises IP.
C.Review Cloud VPN tunnel metrics in Cloud Monitoring for packet loss.
D.Run `gcloud compute routes list` to verify the route to 10.1.2.3 exists.
AnswerB

Connectivity Tests simulate the network path, checking all routing tables, firewall rules, and VPN configurations. It identifies exactly where and why connectivity is blocked without requiring actual test traffic.

Why this answer

B is correct because Network Intelligence Center Connectivity Tests can analyze the path from a specific source (the Compute Engine VM) to a destination (the on-premises server IP 10.1.2.3) across hybrid connectivity like Cloud VPN. It validates routing, firewall rules, and tunnel health without requiring you to SSH into the VM or run live traffic, making it ideal for diagnosing routing issues when the VPN tunnel is UP but connectivity is uncertain.

Exam trap

The trap here is that candidates assume a live ping from the VM (Option A) is the simplest test, but the question specifically asks for a tool to verify if routing is correct, not just connectivity — and Connectivity Tests provides a detailed path analysis without requiring VM access or generating live traffic.

How to eliminate wrong answers

Option A is wrong because SSHing into the VM and running ping tests live connectivity only: if routing is misconfigured the ping fails without telling you whether the cause is the VPC route, the VPN tunnel, the on-premises return path or a firewall rule, and you may not have SSH access or ICMP may be blocked on the far end. Option C is wrong because Cloud Monitoring tunnel metrics (e.g., packet loss, throughput) show tunnel health but cannot analyze the specific path from the VM to the on-premises IP or identify routing misconfigurations. Option D is wrong because `gcloud compute routes list` only shows routes in the VPC, not whether the route is actually selected for the VM's traffic or whether the on-premises network has a return route; it does not test end-to-end connectivity or evaluate firewall rules.

953
MCQmedium

A developer attempts to create a Cloud SQL instance but receives the error: 'API [sqladmin.googleapis.com] not enabled.' What is the correct resolution?

A.Assign the developer the Cloud SQL Admin IAM role
B.Request a quota increase for Cloud SQL in the project
C.Enable the Cloud SQL Admin API via APIs & Services > Library in the Console
D.Create a new project — Cloud SQL is enabled by default in new projects
AnswerC

Navigating to APIs & Services > Library and enabling the Cloud SQL Admin API resolves this error. It can also be done with `gcloud services enable sqladmin.googleapis.com`.

Why this answer

The error 'API [sqladmin.googleapis.com] not enabled' indicates that the Cloud SQL Admin API has not been activated for the project. The correct resolution is to enable the API via APIs & Services > Library in the Google Cloud Console, as this is a prerequisite for creating any Cloud SQL instance. Assigning IAM roles or requesting quota increases does not enable the underlying API service.

Exam trap

Google Cloud often tests the distinction between enabling an API and assigning IAM roles, trapping candidates who think granting permissions automatically activates the underlying service.

How to eliminate wrong answers

Option A is wrong because assigning the Cloud SQL Admin IAM role grants permissions to use the API but does not enable the API itself; the API must be enabled at the project level first. Option B is wrong because a quota increase addresses resource limits, not the activation of the API service; the API must be enabled before any quota can be consumed. Option D is wrong because Cloud SQL is not enabled by default in new projects; each project requires explicit API enablement, and creating a new project would still require enabling the Cloud SQL Admin API.

954
Multi-Selectmedium

A company wants to set up a new GCP project and ensure that only approved APIs can be used. Which two steps should they take? (Choose TWO)

Select 2 answers
A.Create a custom role with permissions to enable APIs
B.Use an organization policy to restrict the set of allowed APIs
C.Set a budget to limit API usage costs
D.Assign the Owner role to the project
E.Disable all APIs and enable only the required ones
AnswersB, E

Correct: the organization policy constraint 'Restrict allowed Google Cloud APIs and services' (constraints/serviceuser.services) enforces an allow list of APIs that can be enabled in the project.

Why this answer

To restrict API usage, enable only the APIs the workload needs (E) and pin that set with an organization policy (B), so that a project Owner cannot later enable something outside the approved list. A custom role that can enable APIs (A) and a budget (C) do not prevent enablement, and granting Owner (D) widens what can be enabled rather than restricting it.

955
MCQmedium

Refer to the exhibit. A team has this IAM policy on a Cloud Storage bucket. The bucket contains sensitive data. Which action should the team take immediately?

A.Add a condition to the objectViewer binding to restrict access.
B.Remove allUsers from the objectViewer binding.
C.Remove the entire objectViewer binding.
D.Change the objectViewer role to objectAdmin for allUsers.
AnswerB

Removes public access while keeping the binding for non-public roles.

Why this answer

Option B is correct because the IAM policy grants `allUsers` (anyone on the internet) the `objectViewer` role on the bucket, which allows unauthenticated read access to all objects. Since the bucket contains sensitive data, this is a critical security exposure that must be removed immediately by deleting the `allUsers` principal from the binding.

Exam trap

Google Cloud often tests the misconception that adding conditions or changing roles can mitigate a public access exposure, when the correct immediate action is to remove the `allUsers` or `allAuthenticatedUsers` principal entirely.

How to eliminate wrong answers

Option A is wrong because adding a condition to the `objectViewer` binding does not address the core issue: `allUsers` still has public access. IAM conditions narrow a grant based on attributes such as the resource name or the request time, but they do not remove the fact that unauthenticated users can still read objects whenever the condition holds, and uniform bucket-level access must be enabled for conditions to apply at all. Option C is wrong because removing the entire `objectViewer` binding would also remove legitimate, authenticated users who need read access, which is overly destructive and not the immediate required action.

Option D is wrong because changing the role to `objectAdmin` for `allUsers` would escalate privileges, granting public users write and delete permissions on objects, making the security risk even worse.
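The check and the remediation described above, written out as an added example (this is not code from the question bank or from Google). It works on a bucket IAM policy in the JSON shape returned by `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`, flags every binding that includes `allUsers` or `allAuthenticatedUsers`, and strips only those principals so that other members of the same binding keep their access. The sample policy, bucket and group names are constructed for the example.

```python
import copy
import json

# Principals that make a binding public: anyone on the internet, or anyone with a Google account.
PUBLIC_PRINCIPALS = frozenset({"allUsers", "allAuthenticatedUsers"})

# Constructed sample in the shape of a bucket IAM policy (a `bindings` list plus an `etag`);
# the project, bucket and group do not exist.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectOwner:example-project"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers", "group:analysts@example.com"]},
        {"role": "roles/storage.legacyBucketReader",
         "members": ["allAuthenticatedUsers"]},
    ],
    "etag": "CAE=",
}


def find_public_bindings(policy: dict) -> list[tuple[str, str]]:
    """Return (role, principal) pairs that grant access to a public principal."""
    return [
        (binding.get("role", ""), member)
        for binding in policy.get("bindings", [])
        for member in binding.get("members", [])
        if member in PUBLIC_PRINCIPALS
    ]


def remove_public_principals(policy: dict) -> dict:
    """Return a copy of `policy` with public principals removed from every binding.

    Other members of the same binding are kept (so the analysts group keeps
    objectViewer), bindings left with no members are dropped, and the etag is
    preserved so the write can be sent to setIamPolicy as a compare-and-swap
    against the version that was read.
    """
    fixed = copy.deepcopy(policy)
    kept = []
    for binding in fixed.get("bindings", []):
        binding["members"] = [m for m in binding.get("members", [])
                              if m not in PUBLIC_PRINCIPALS]
        if binding["members"]:
            kept.append(binding)
    fixed["bindings"] = kept
    return fixed


if __name__ == "__main__":
    for role, principal in find_public_bindings(SAMPLE_POLICY):
        print(f"PUBLIC: {principal} has {role}")
    print(json.dumps(remove_public_principals(SAMPLE_POLICY), indent=2))
```

Run the check across every bucket in the project before trusting a single remediation, and pair it with the `storage.publicAccessPrevention` organization policy so the grant cannot be re-added later.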

956
MCQhard

A company uses Cloud Build to deploy a containerized application to a GKE cluster. The build process runs kubectl commands to apply Kubernetes manifests. The build fails with a 'Permission denied' error when executing kubectl. The Cloud Build service account has been granted roles/container.clusterAdmin and roles/cloudbuild.builds.builder. What is the most likely missing configuration?

A.Grant the Cloud Build service account roles/iam.serviceAccountTokenCreator
B.Add the Cloud Build service account to the GKE cluster's RBAC
C.Use a different Cloud Build trigger
D.Enable the Kubernetes Engine API
AnswerB

The service account needs RBAC permissions to run kubectl commands.

Why this answer

roles/container.clusterAdmin covers management of cluster resources through the GKE API (creating, resizing and deleting clusters) but grants no access to Kubernetes API objects inside the cluster, and roles/cloudbuild.builds.builder only covers the build itself. Authorization for kubectl operations is decided by Kubernetes RBAC, so the Cloud Build service account authenticates successfully but is not authorized until it is bound to a Kubernetes Role or ClusterRole (the question's intended fix; a RoleBinding scoped to the application's namespace is a tighter choice than a ClusterRoleBinding to cluster-admin). Without that binding the request is rejected with the 'Permission denied' error. GKE also maps the predefined roles/container.developer and roles/container.admin IAM roles to equivalent in-cluster permissions, which is why those roles, unlike clusterAdmin, would have let kubectl apply succeed.

Exam trap

Google Cloud often tests the distinction between IAM roles (which control access to GCP APIs) and Kubernetes RBAC (which controls access within the cluster), causing candidates to mistakenly think that granting container.clusterAdmin alone is sufficient for kubectl operations.

How to eliminate wrong answers

Option A is wrong because roles/iam.serviceAccountTokenCreator allows generating OAuth2 access tokens for service accounts, which is unrelated to Kubernetes RBAC permissions needed for kubectl commands. Option C is wrong because the trigger type (e.g., push, pull request) does not affect the service account's permissions within the GKE cluster; the error is authorization-based, not trigger-related. Option D is wrong because the Kubernetes Engine API must already be enabled for the GKE cluster to exist and for Cloud Build to interact with it; the error occurs at the kubectl execution step, not at the API enablement level.

957
Multi-Selectmedium

You are configuring a log sink to export logs to Cloud Storage for compliance. Which TWO permissions are required for the sink's destination bucket? (Choose TWO.)

Select 2 answers
A.storage.objectViewer
B.storage.legacyBucketReader
C.storage.objectCreator
D.storage.admin
E.storage.legacyBucketWriter
AnswersA, C

Required to write the exported log objects (objectCreator) and, per this question's key, to read them back (objectViewer).

Why this answer

The sink's writer identity (a service account that Logging creates with the sink) must be able to write objects to the destination bucket, which storage.objectCreator provides; storage.objectViewer additionally lets that identity read and list the exported objects. Note that Google's documentation names roles/storage.objectCreator as the role to grant the writer identity, so in practice grant the read permission only when something actually needs it. storage.admin and the legacy bucket roles grant far more than the sink needs.

958
MCQhard

A developer is creating a script that uses the Google Cloud SDK to automate resource creation. The script will be run from a CI/CD pipeline. What is the best way to authenticate?

A.Use an OAuth 2.0 client ID
B.Use application default credentials
C.Use the gcloud auth login command with a user account
D.Use a service account key file stored in a secret manager
AnswerD

Service account keys are designed for non-interactive scripts; keeping the key in a secret manager instead of in the repository or the pipeline configuration adds a layer of protection.

Why this answer

Among the options, D is the most defensible: a service account identifies the pipeline rather than a person, and the key material lives in a secret manager rather than in source control. A downloaded key is still a long-lived bearer credential, so where the CI/CD platform supports it, workload identity federation lets the pipeline exchange its own identity token for short-lived Google Cloud credentials without any key file at all. Option A is an OAuth client for end-user consent flows, Option B only works where ambient credentials already exist (Compute Engine, GKE, Cloud Build) and says nothing about how they are provisioned on an external runner, and Option C requires an interactive browser login by a human.

959
MCQmedium

A company runs a containerized web application on Google Kubernetes Engine (GKE). The application experiences unpredictable traffic spikes. The team wants to minimize costs by scaling down to zero when idle, but also needs to handle burst traffic quickly. Which GKE mode should they choose?

A.Cloud Run
B.Compute Engine with managed instance groups and autoscaling
C.GKE Standard with node auto-provisioning
D.GKE Autopilot
AnswerA

Cloud Run scales to zero, supports containerized apps, and handles burst traffic via automatic scaling.

Why this answer

Cloud Run scales to zero when there are no requests and adds instances within seconds during bursts, so it fits both the cost and the burst requirement for a stateless container. GKE Autopilot is fully managed and bills per Pod resource request, but a Deployment still keeps its minimum replica count running and the cluster itself does not disappear when idle. GKE Standard with node auto-provisioning adds and removes node pools, but the control plane and any running Pods remain billable.

Compute Engine managed instance groups also keep at least the configured minimum number of VMs running.

960
MCQhard

A company has two on-premises data centers connected via a redundant network. They want to extend their Google Cloud VPC to on-premises using Cloud VPN with dynamic routing (BGP). They need to ensure traffic from on-premises to Google Cloud can fail over to the secondary tunnel if the primary tunnel fails. The VPC has a single region. What should they configure?

A.Use a single Cloud VPN gateway and create two tunnels to separate on-prem VPN devices, each with BGP.
B.Use Cloud Interconnect as the primary and Cloud VPN as the backup.
C.Use a Cloud Router in global dynamic routing mode and set up a single VPN tunnel with BGP.
D.Create two Cloud VPN gateways in the VPC, each with a BGP session to its own on-prem VPN device, both using the same Cloud Router with separate BGP sessions.
AnswerD

Two gateways with BGP sessions allow failover via route advertisements.

Why this answer

Option D is correct because it provides failover for on-premises to Google Cloud traffic without a single gateway in the path. With two Cloud VPN gateways, each holding a BGP session to its own on-premises VPN device, and both sessions attached to the same Cloud Router, the Cloud Router advertises the VPC prefixes over both tunnels and learns the on-premises prefixes from both. Either side can prefer one tunnel (on the Google Cloud side by giving one session a better advertised route priority, which is carried as the BGP MED); when the primary tunnel or its BGP session goes down, its routes are withdrawn and traffic moves to the secondary tunnel automatically.

This satisfies the requirement for failover without relying on a single gateway or tunnel.

Exam trap

The trap here is that candidates assume a single Cloud VPN gateway with multiple tunnels provides redundancy, but they overlook that the gateway itself is a single point of failure, which is why two separate gateways are required for true failover.

How to eliminate wrong answers

Option A is wrong because using a single Cloud VPN gateway creates a single point of failure; if the gateway itself fails, both tunnels become unavailable, preventing failover. Option B is wrong because the question requires Cloud VPN with dynamic routing for both paths; Cloud Interconnect is a separate physical connectivity product (Cloud VPN can serve as its backup, but that is a different design from the one asked for). Option C is wrong because a single VPN tunnel with BGP provides no redundancy; if the tunnel or its underlying network path fails, all traffic is lost, and global dynamic routing mode only changes which regions learn the routes, it does not add a second path.

961
MCQhard

You are planning a GCP network for a company with offices in three regions: `us-central1`, `europe-west1`, and `asia-east1`. All three regions must communicate with each other, and traffic must NOT traverse the public internet. Each region has its own subnet. Which network design achieves this with the least management overhead?

A.Create three separate VPCs (one per region) and connect them with VPC Network Peering.
B.Use a single global VPC with subnets in each region; traffic between subnets stays on Google's private network.
C.Set up Cloud VPN tunnels between each pair of regions.
D.Use Cloud Interconnect dedicated connections in each region and configure BGP routing between them.
AnswerB

A single GCP VPC is global by design. Subnets in different regions communicate over Google's internal backbone — no special configuration required for private inter-region connectivity.

Why this answer

Option B is correct because a single global VPC allows you to create subnets in multiple regions, and traffic between those subnets stays on Google's private backbone network without traversing the public internet. This design requires no additional connectivity configuration, peering, or VPN tunnels, making it the simplest to manage while meeting all requirements.

Exam trap

The trap here is that candidates often overcomplicate the solution by thinking they need separate VPCs or VPNs for each region, not realizing that a single global VPC inherently supports multi-region subnets with private, Google-managed routing.

How to eliminate wrong answers

Option A is wrong because VPC Network Peering connects separate VPCs but must be configured on both sides of each of the three pairs, and the peered networks cannot have overlapping subnet ranges; traffic would still stay on Google's network, but the management overhead is higher than a single VPC. Option C is wrong because Cloud VPN tunnels require configuring and maintaining VPN gateways, tunnels and BGP sessions for each region pair; Cloud VPN exists for hybrid connectivity, and regions inside one VPC do not need it. Option D is wrong because Cloud Interconnect is a dedicated physical connection to Google's network, which is overkill for this scenario; it requires on-premises infrastructure and BGP configuration, and is designed for hybrid cloud connectivity, not for inter-region communication within a single cloud environment.

962
MCQhard

A team wants to use Cloud Run to deploy a container that processes messages from a Pub/Sub topic. The container is stateless and the workload is expected to have irregular traffic spikes with high concurrency. Which scaling configuration is most appropriate?

A.Set min-instances to 0 and max-instances to 1000 with concurrency of 1
B.Set min-instances to 0 and max-instances to 100 with concurrency of 80
C.Set min-instances to 10 and max-instances to 100 with concurrency of 1
D.Set min-instances to 1 and max-instances to 100 with concurrency of 1
AnswerB

Min-instances 0 allows scaling to zero when idle, max 100 handles spikes, high concurrency maximizes throughput.

Why this answer

Each Cloud Run instance can serve up to the configured number of concurrent requests (80 is the default). A stateless push-subscription handler that mostly waits on I/O benefits from high concurrency, because one instance absorbs many messages before another has to be started; combined with min-instances 0 the service costs nothing while the topic is quiet, and max-instances 100 caps the spend during a spike. Concurrency 1 (A, C, D) would need one instance per in-flight message, and a non-zero minimum (C, D) keeps idle instances billable. Because max-instances also caps throughput, keep the push subscription's retry behaviour in place so that messages rejected while the cap is reached are redelivered rather than lost.

963
MCQmedium

A security team wants to restrict access to a Google Cloud project such that only virtual machines with a specific tag 'web' can connect to a Compute Engine instance on port 443. Which configuration is required?

A.Create a firewall rule allowing egress from instances with tag 'web' to the target instance on port 443.
B.Create a firewall rule allowing ingress from instances with tag 'web' to the target instance on port 443.
C.Set an IAM condition on the instance to only allow calls from instances with tag 'web'.
D.Use Cloud Armor to filter traffic based on tags.
AnswerB

Firewall ingress rules with source tags can restrict traffic based on sender's tags.

Why this answer

Option B is correct because firewall rules in Google Cloud are stateful and control ingress traffic at the network level. To allow only VMs with tag 'web' to connect to the target instance on port 443, you must create an ingress firewall rule that specifies the source tag 'web', the target instance (or its network tag), and the protocol/port tcp:443. This rule permits incoming HTTPS traffic from any VM that has the 'web' tag, regardless of its IP address. Two practitioner caveats: source tags are matched only for instances in the same VPC network, and a network tag is just a string on the instance, so anyone with permission to edit instances in the project can add 'web' to an unrelated VM. Where the set of permitted sources must itself be access-controlled, use a source service account on the rule, or secure (Resource Manager) tags whose bindings are governed by IAM.

Exam trap

Google Cloud often tests the distinction between ingress and egress firewall rules, and the trap here is that candidates mistakenly choose an egress rule (Option A) because they think of restricting traffic 'from' the source, but the correct direction for controlling incoming connections to a target is ingress.

How to eliminate wrong answers

Option A is wrong because an egress firewall rule controls outbound traffic from the source, not inbound traffic to the target; the question requires restricting incoming connections to the target instance on port 443, which is an ingress direction. Option C is wrong because IAM conditions control identity-based access (who can perform actions on the instance), not network-level traffic filtering based on VM tags; tags are not evaluated in IAM policies for network access. Option D is wrong because Cloud Armor is a web application firewall (WAF) that protects against application-layer attacks and filters based on IP addresses, geographic regions, or custom rules, but it does not filter traffic based on Compute Engine instance tags.

964
MCQeasy

An engineer needs to create a Compute Engine instance with 4 vCPUs, 16 GB of memory, and a 100 GB boot disk using the Ubuntu 22.04 LTS image. Which gcloud command accomplishes this?

A.gcloud compute instances create my-vm --zone=us-central1-a --machine-type=n1-standard-4 --image-family=ubuntu-2004-lts --boot-disk-size=100GB
B.gcloud compute instances create my-vm --zone=us-central1-a --machine-type=n1-highmem-4 --image-family=ubuntu-minimal-2204-lts --image-project=ubuntu-os-cloud --boot-disk-size=100GB
C.gcloud compute instances create my-vm --zone=us-central1-a --machine-type=n1-standard-4 --image-family=ubuntu-2204-lts --image-project=ubuntu-os-cloud --boot-disk-size=100GB
D.gcloud compute instances create my-vm --zone=us-central1-a --machine-type=e2-standard-4 --image-family=ubuntu-2204-lts --image-project=debian-cloud --boot-disk-size=100GB
AnswerC

Correct machine type, image family, project, and disk size.

Why this answer

The correct command pairs the ubuntu-2204-lts image family with its owning project ubuntu-os-cloud and sets --boot-disk-size=100GB; n1-standard-4 gives 4 vCPUs and 15 GB of memory, the closest n1 shape to the requested 16 GB. Option A uses the ubuntu-2004-lts family (Ubuntu 20.04, not 22.04) and omits --image-project. Option B uses n1-highmem-4 (26 GB) and the ubuntu-minimal image family. Option D has the right memory (e2-standard-4 is 16 GB) but names the debian-cloud image project, which does not publish Ubuntu images, so the command fails to find the image.

965
MCQmedium

An application uses the S3-compatible API to interact with Cloud Storage. The team needs credentials compatible with HMAC-based S3 authentication. Which credential type does Cloud Storage support for this?

A.Service account JSON key file — it's compatible with the S3 HMAC authentication format
B.HMAC keys created for a service account in Cloud Storage settings
C.Cloud KMS symmetric keys configured for Cloud Storage access
D.An API key generated in the GCP Console for Cloud Storage
AnswerB

Cloud Storage supports HMAC authentication for S3-compatible API access. HMAC keys are created per service account and provide an access key ID + secret for S3 API authentication.

Why this answer

Cloud Storage supports HMAC keys for service accounts to provide S3-compatible authentication. Each key consists of an access ID and a secret, which the client uses to sign requests with the AWS Signature Version 4 scheme (HMAC-SHA256), so applications written against the S3 API can authenticate to the Cloud Storage XML API without a JSON key file or OAuth 2.0 tokens. An HMAC key is a long-lived static credential: the secret is shown only once at creation, so store it in Secret Manager, rotate it, and deactivate a key (which must happen before it can be deleted) as soon as it is no longer in use.

Exam trap

Google Cloud often tests the distinction between authentication methods (HMAC vs. OAuth 2.0) and encryption keys (KMS vs. HMAC), leading candidates to confuse a JSON key file or an API key with HMAC credentials.

How to eliminate wrong answers

Option A is wrong because a service account JSON key file is used for OAuth 2.0-based authentication, not for HMAC-based S3 authentication; it contains a private key for signing JWT tokens, not an HMAC access/secret key pair. Option C is wrong because Cloud KMS symmetric keys are used for encryption and decryption of data at rest, not for authentication or signing S3 API requests. Option D is wrong because an API key is a simple identifier used for quota and access control in GCP APIs, but it does not support the HMAC signing mechanism required for S3-compatible authentication.
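An added example of the signing process the question refers to, written from the AWS Signature Version 4 specification rather than taken from the question bank or from any Google client library. It builds the headers for a path-style GET of one object on storage.googleapis.com using an HMAC access ID and secret: the secret never leaves the client, a per-day signing key is derived from it by an HMAC chain, and only the resulting signature travels in the Authorization header. The credentials, bucket, object name and timestamp are constructed placeholders, and the `us-east-1` scope string is an assumption about what an S3 client would send; both are parameters you would replace.

```python
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote

HOST = "storage.googleapis.com"
SERVICE = "s3"  # credential-scope service name used by S3-style (HMAC) requests
EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()  # a GET carries no body

# Constructed timestamp so the example is reproducible; use dt.datetime.now(dt.timezone.utc) in practice.
DEMO_TIME = dt.datetime(2024, 1, 15, 12, 0, 0, tzinfo=dt.timezone.utc)


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date_stamp: str, region: str) -> bytes:
    """Derive the per-day signing key: HMAC chain over date, region, service, terminator.

    The raw secret is used only here, so a leaked signing key is good for one day and
    one scope rather than for every request the secret could ever sign.
    """
    k_date = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, SERVICE)
    return _hmac_sha256(k_service, "aws4_request")


def sign_get_object(access_id: str, secret: str, bucket: str, object_name: str,
                    now: dt.datetime, region: str = "us-east-1") -> dict:
    """Return the headers for a path-style GET of /bucket/object_name signed with SigV4.

    `now` must be timezone-aware UTC. `region` is the scope string the client sends
    (assumption: the value an S3 client would use against the Cloud Storage XML API).
    """
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    canonical_uri = "/" + quote(bucket, safe="") + "/" + quote(object_name, safe="/")
    headers = {  # lowercase names; these are the headers covered by the signature
        "host": HOST,
        "x-amz-content-sha256": EMPTY_PAYLOAD_SHA256,
        "x-amz-date": amz_date,
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{name}:{headers[name]}\n" for name in sorted(headers))
    canonical_request = "\n".join([
        "GET",
        canonical_uri,
        "",  # empty canonical query string
        canonical_headers,
        signed_headers,
        EMPTY_PAYLOAD_SHA256,
    ])
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        _sha256_hex(canonical_request.encode("utf-8")),
    ])
    signature = hmac.new(signing_key(secret, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return {
        "Host": HOST,
        "x-amz-date": amz_date,
        "x-amz-content-sha256": EMPTY_PAYLOAD_SHA256,
        "Authorization": (
            f"AWS4-HMAC-SHA256 Credential={access_id}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}"
        ),
    }


if __name__ == "__main__":
    # Placeholder credentials: real service-account HMAC access IDs start with "GOOG1".
    demo = sign_get_object("GOOG1EXAMPLEACCESSID", "example-secret-not-real",
                           "my-bucket", "reports/q1.csv", DEMO_TIME)
    for name, value in demo.items():
        print(f"{name}: {value}")
```

The Authorization header names the access ID and the scope in the clear and the secret only indirectly through the signature, which is why a captured request cannot be replayed against a different object or on a different day but a leaked secret must still be deactivated immediately.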

966
MCQmedium

An engineer deployed a new version of their application on GKE using a Deployment. Users report that the new version has a bug. The engineer wants to quickly revert to the previous version. How can they achieve this?

A.Scale the deployment to zero and then scale back up
B.Run kubectl delete deployment and re-apply the old manifest
C.Run kubectl rollout undo deployment/<deployment-name>
D.Run kubectl rollout history deployment/<deployment-name>
AnswerC

Rolls back to the previous revision with minimal downtime.

Why this answer

Kubernetes Deployments support rollbacks using 'kubectl rollout undo'. The command automatically reverts to the previous revision. Deleting and recreating the Deployment would require re-creating from the previous manifest. 'kubectl rollout history' shows history but doesn't roll back.

Scaling down then up does not revert the version.

967
Multi-Selecthard

A company wants to organize their GCP resources into a hierarchy to separate development, staging, and production environments. Which THREE resources can be used to create this separation?

Select 3 answers
A.Folders
B.Organization node
C.Billing accounts
D.Projects
E.Labels
AnswersA, B, D

Folders allow grouping projects for environment separation.

Why this answer

GCP resource hierarchy includes Organization, Folders, Projects, and Resources. Folders can be used to group projects (e.g., dev folder, prod folder). Projects are the containers for resources.

Labels are metadata attached to resources, not part of the hierarchy, and billing accounts are linked to projects for payment rather than being containers in the hierarchy.

968
Multi-Selectmedium

A company needs to securely store secrets (API keys, passwords) used by applications running on Compute Engine. Which three methods are secure and recommended? (Choose three.)

Select 3 answers
A.Use a third-party secrets vault like HashiCorp Vault running on GKE.
B.Store secrets as environment variables in plain text in the instance metadata.
C.Use Cloud Secret Manager to store and retrieve secrets.
D.Store secrets in a Cloud Storage bucket with fine-grained ACLs and encryption.
E.Encrypt secrets with Cloud KMS and store them in a file on the instance.
AnswersA, C, D

Third-party vaults are secure if properly configured.

Why this answer

Option A is correct because HashiCorp Vault is a widely adopted, enterprise-grade secrets management solution that can be deployed on Google Kubernetes Engine (GKE) to securely store, access and audit API keys and passwords. It provides dynamic secrets, encryption as a service and fine-grained access policies, and Compute Engine applications reach it through its API. Option C is the native equivalent: Secret Manager stores versions of each secret, controls access with IAM and records every access in Cloud Audit Logs, and the VM's service account retrieves secrets at runtime so nothing sensitive is baked into the image or the metadata. Option D is acceptable only with tight bucket-level IAM and customer-managed encryption keys, and Secret Manager is the better choice where available. Option B is wrong because instance metadata is readable in plain text by any process on the VM and by anyone with instance read access in the project. Option E is wrong because the ciphertext and the credentials needed to call Cloud KMS both sit on the instance disk, which gives no access control or audit trail per secret.

Exam trap

The trap here is that candidates often assume encrypting secrets with KMS and storing them locally (Option E) is sufficient, but Google Cloud tests that a dedicated secrets management service (like Secret Manager or a vault) is the recommended approach over manual encryption and file storage, even if the file is encrypted.

969
MCQhard

A multinational corporation requires that all GCP resources across multiple projects are tagged with a key-value pair 'environment: production' and 'environment: development'. They want to enforce that any resource created without the appropriate label is automatically denied. How can this be achieved?

A.Use Cloud Asset Inventory to monitor and alert on missing labels.
B.Use IAM conditions to check labels at resource creation.
C.Create a custom IAM role that denies creation without labels.
D.Use an organization policy constraint to require labels.
AnswerD

A custom organization policy constraint can deny creation of Compute Engine resources that lack the required label, and it applies to every project under the organization.

Why this answer

There is no predefined constraint that requires labels; this is done with a custom organization policy constraint that targets the resource type and method (for example compute.googleapis.com/Instance on CREATE) and denies the request unless a CEL condition such as has(resource.labels.environment) holds. The custom constraint is then enforced through an organization policy at the organization node, so it covers existing and future projects alike. Note that the question's 'environment' key is a Compute Engine label, which is distinct from Resource Manager tags. IAM conditions can narrow who may act on a resource based on request and resource attributes, but they are not a validation mechanism for the resource being created. Cloud Asset Inventory is for monitoring and reporting, not enforcement.

Custom roles only bundle permissions; they cannot inspect a request's labels.

970
Multi-Selectmedium

A company runs a critical application on Compute Engine that requires static IP addresses and must be highly available across zones. The application uses a stateful backend. Which TWO steps should the engineer take to meet these requirements? (Choose 2)

Select 2 answers
A.Configure an external TCP/UDP load balancer with a static IP address
B.Assign each VM a static external IP address
C.Use a managed instance group with multiple zones enabled
D.Use Cloud DNS with geo-routing
E.Use a single-zone managed instance group with a snapshot schedule
AnswersA, C

Load balancer provides a static IP and health checks for high availability.

Why this answer

A regional managed instance group spread across multiple zones (C) keeps instances running in more than one zone so that a zone outage does not take the application down, and an external TCP/UDP load balancer (A; now called an external passthrough Network Load Balancer) with a reserved static external IP gives clients one stable address while health checks steer traffic to healthy instances. Assigning each VM its own static IP (B) gives addresses but no failover, Cloud DNS geo-routing (D) does not address availability within a region, and a single-zone group (E) cannot survive the loss of its zone. A stateful backend needs a stateful MIG configuration or persistent disks so that instance replacement preserves its data.

971
MCQeasy

A small team is setting up a new Google Cloud project for a web application. They need to ensure that they can manage costs and receive alerts when spending exceeds a threshold. What is the simplest way to achieve this?

A.Export billing data to BigQuery and create custom dashboards.
B.Use the Google Cloud Pricing Calculator to estimate costs and set manual alerts.
C.Create a billing account for each team member and link it to the project.
D.Set up a budget alert in the Google Cloud Console for the project.
AnswerD

Simple, native feature that provides email alerts when threshold is met.

Why this answer

Option D is correct because a budget with alert thresholds in Billing is a native feature that emails the billing administrators (and can optionally publish to a Pub/Sub topic) as actual or forecast spend crosses each threshold. Note that a budget alert notifies but does not stop spending; capping consumption requires an automated response to the notification. Option A is too complex for a small team. Option B only estimates cost up front and does not monitor actual spend.

Option C is wrong because a billing account is linked to a project for payment; it is not something created per team member.

972
MCQeasy

You need to be notified when the CPU utilization of any Compute Engine instance in your project exceeds 80% for 5 minutes. Which Cloud Monitoring feature should you use?

A.Uptime check
B.Log-based alert
C.Metric threshold alerting policy
D.Dashboard
AnswerC

Correct: metric threshold alerting policies are designed for conditions like CPU > 80% for 5 minutes.

Why this answer

Metric threshold alerting policies allow you to set conditions based on metric values. When the condition (CPU > 80% for 5 minutes) is met, the alert fires and sends notifications via configured channels.

973
MCQhard

A security team wants to prevent every project in the organization from creating VM instances with external IP addresses — without requiring configuration in each individual project. What is the most scalable solution?

A.Create a firewall rule in every project blocking outbound traffic on port 80 and 443
B.Set the organization policy constraint compute.vmExternalIpAccess to Deny All at the organization level
C.Remove the Compute Engine Admin role from all project owners
D.Use Cloud Armor to block all traffic destined for public IPs in the organization
AnswerB

This organization-level constraint prevents external IP assignment across all projects, automatically applying to new projects without manual intervention.

Why this answer

Option B is correct because the organization policy constraint `compute.vmExternalIpAccess` can be applied at the organization level to deny all VM instances from having external IP addresses, enforcing this rule across all projects without per-project configuration. This is the most scalable approach as it uses Google Cloud's hierarchical policy engine to centrally control resource creation, overriding any project-level settings.

Exam trap

The trap here is that candidates confuse network-level controls (firewall rules, Cloud Armor) with resource-level policies (organization constraints), mistakenly thinking that blocking traffic is equivalent to preventing IP assignment, when in fact the constraint is evaluated at resource creation and rejects the request before the VM exists.

How to eliminate wrong answers

Option A is wrong because firewall rules only control network traffic after a VM is created, not the assignment of external IP addresses during VM creation; blocking ports 80 and 443 does not prevent a VM from having an external IP, and traffic on other ports (e.g., SSH on port 22) would still be allowed. Option C is wrong because removing the Compute Engine Admin role from project owners does not prevent VMs from being created with external IPs by other users or service accounts, and it breaks legitimate administrative workflows without addressing the IP assignment policy. Option D is wrong because Cloud Armor is a web application firewall that protects against DDoS and application-layer attacks, not a tool to control whether VMs are assigned external IPs; it cannot block the creation of VMs with public IPs.

974
MCQeasy

A Cloud Shell user wants to persist Terraform state files across sessions. What is the best approach?

A.Store them in /tmp
B.Store them in a Cloud Storage bucket and mount via gcsfuse
C.Store them on the instance's local SSD
D.Store them in the home directory ($HOME)
AnswerD

Correct: The home directory persists across sessions.

Why this answer

Cloud Shell provides a persistent 5 GB home directory that survives the end of a session, whereas /tmp and the rest of the VM's disk are discarded. For state shared by a team or written from a pipeline, keep it in a Cloud Storage bucket through Terraform's gcs backend, which handles locking and versioning, rather than a gcsfuse mount.

975
MCQmedium

An engineer is setting up Cloud Identity for a new domain. What is a prerequisite for creating a Cloud Identity account?

A.A G Suite account
B.A billing account
C.Domain verification
D.An existing Google Cloud project
AnswerC

Correct: You must verify that you own the domain.

Why this answer

Cloud Identity requires domain verification to prove ownership. This is done via DNS TXT record or other methods.

Google Associate Cloud Engineer ACE Questions 901–975 | Page 13/14 | Courseiva