Google Associate Cloud Engineer (ACE) — Questions 976–991

991 questions total · 14 pages · All types, answers revealed

Page 14 of 14

976
Multi-Select · medium

A company is deploying a stateless web application on Compute Engine. The application is served by a managed instance group with autoscaling behind an HTTP(S) load balancer. To minimize instance startup time and ensure that the application is ready to serve traffic as soon as an instance is created, which two steps should the company take? (Choose two.)

Select 2 answers
A. Increase the initial delay for the load balancer health check to 5 minutes.
B. Configure a startup script in the instance template that installs dependencies and starts the application.
C. Set the managed instance group's autohealing to replace unhealthy instances based on the load balancer health check.
D. Use a container-optimized OS and deploy the application as a Docker container via the startup script.
E. Create a custom machine image that includes the application and all dependencies.

Answers: D, E

Container-optimized OS with a Docker container can start quickly if the image is cached.

Why this answer

Option E (custom image) includes the application and dependencies, eliminating the need to install them at boot. Option D (container-optimized OS) allows the application to run as a Docker container, which can start quickly if the image is cached. Option B (startup script) adds time for installation.

Option C (autohealing) addresses health, not startup time. Option A (increase health check delay) increases time to serve traffic.

977
MCQ · hard

An e-commerce platform sees a 20x traffic spike every Black Friday. The rest of the year traffic is low and stable. The team wants to minimize costs during normal periods while handling the annual peak without manual intervention. Which architecture achieves this?

A. Pre-provision 20x capacity year-round to guarantee Black Friday performance
B. Managed instance group with autoscaling + scheduled scaling pre-warming before Black Friday
C. Deploy on Cloud SQL — it scales compute automatically for traffic spikes
D. Add 20 manual VMs on Black Friday and delete them afterward each year

Answer: B

MIG autoscaling handles demand-based scale-out automatically. Scheduled scaling policies can pre-warm additional capacity hours before the known Black Friday spike — combining reactive and proactive scaling.

Why this answer

Option B is correct because it combines managed instance group autoscaling for normal low-cost operation with scheduled scaling to pre-warm capacity before the Black Friday spike, ensuring seamless handling of the 20x traffic surge without manual intervention. This approach uses the 'autoscaler' and 'scheduled scaling' features in Google Cloud to dynamically adjust resources based on load, while pre-warming prevents cold-start latency during the peak.

Exam trap

Google Cloud often tests the misconception that database services like Cloud SQL can automatically scale compute for traffic spikes, but in reality, Cloud SQL requires manual vertical scaling or read replicas and does not handle web-tier traffic spikes natively.

How to eliminate wrong answers

Option A is wrong because pre-provisioning 20x capacity year-round incurs massive unnecessary costs, violating the requirement to minimize costs during normal periods. Option C is wrong because Cloud SQL does not automatically scale compute resources for traffic spikes; it supports read replicas and vertical scaling but requires manual intervention or configuration changes, and it is a database service, not a compute solution for handling web traffic. Option D is wrong because manually adding and deleting 20 VMs each year introduces manual intervention and operational overhead, contradicting the requirement for no manual intervention, and does not provide automated scaling for the spike.

978
MCQ · medium

A Cloud Run service needs to be updated to increase CPU and memory limits. Which command should the engineer use?

A. gcloud functions deploy
B. gcloud run deploy
C. gcloud run revisions update
D. gcloud run services update

Answer: D

Why this answer

'gcloud run services update' allows updating service configuration including CPU and memory. 'gcloud run revisions update' does not exist; revisions are immutable. 'gcloud run deploy' is used for initial deployment or updating to a new revision, but 'update' is the correct command for modifying an existing service's configuration.

979
Multi-Select · medium

Which TWO actions should a DevOps engineer take to reduce egress costs when transferring large amounts of data from Compute Engine to Cloud Storage in the same region?

Select 2 answers
A. Use internal IP addresses for the Compute Engine instances.
B. Use a regional Cloud Storage bucket in the same region as the instances.
C. Set up a VPN between the instances and Cloud Storage.
D. Use a multi-regional Cloud Storage bucket.
E. Configure a Cloud NAT gateway.

Answers: A, B

Internal IP traffic within the same region is free.

Why this answer

Option A is correct because using internal IP addresses for Compute Engine instances ensures that traffic to Cloud Storage stays within Google's internal network, avoiding internet egress charges. When instances communicate with Cloud Storage using external IPs, the traffic is routed over the public internet, incurring egress costs. Internal IPs keep the data transfer on Google's backbone, which is free for same-region transfers.

Exam trap

Google Cloud often tests the misconception that using a multi-regional bucket in the same region reduces costs, but the trap here is that multi-regional buckets incur higher egress charges due to replication across zones, and candidates may overlook that internal IPs are the key to avoiding internet egress fees.

980
MCQ · medium

A company runs a batch analytics workload on Compute Engine that runs for 3 hours every night. The workload is fault-tolerant and can be disrupted. Which pricing model should the engineer use to minimize cost?

A. Committed use discounts
B. Spot VMs
C. Preemptible VMs
D. Sustained use discounts

Answer: C

Preemptible VMs cost much less and are perfect for fault-tolerant batch jobs that can be interrupted.

Why this answer

Preemptible VMs are significantly cheaper than regular VMs and can be terminated at any time, suitable for fault-tolerant batch workloads. They are ideal for short-lived, interruptible jobs.

981
MCQ · easy

A developer wants to verify which IAM roles they currently have on a specific GCP project before requesting additional access. Which gcloud command lists the IAM policy for a project?

A. gcloud iam roles list --project=[PROJECT_ID]
B. gcloud projects get-iam-policy [PROJECT_ID]
C. gcloud auth list --project=[PROJECT_ID]
D. gcloud iam service-accounts get-iam-policy [PROJECT_ID]

Answer: B

This command returns the full IAM policy for the project in YAML or JSON format, showing all current member-role bindings.

Why this answer

The correct command to retrieve the IAM policy for a GCP project is `gcloud projects get-iam-policy [PROJECT_ID]`. This command returns the complete IAM policy bindings (roles and members) for the specified project, allowing the developer to see which roles they currently have. It directly queries the Cloud Resource Manager API to fetch the project-level IAM policy.

Exam trap

Google Cloud often tests the distinction between listing roles (available role definitions) and getting the IAM policy (actual role bindings), so candidates mistakenly choose `gcloud iam roles list` thinking it shows their assigned roles.

How to eliminate wrong answers

Option A is wrong because `gcloud iam roles list` lists predefined or custom roles available in the organization or project, not the bindings of those roles to principals. Option C is wrong because `gcloud auth list` displays the currently active authenticated accounts and their status, not the IAM policy for a project. Option D is wrong because `gcloud iam service-accounts get-iam-policy` retrieves the IAM policy for a specific service account, not for the project itself.

982
MCQ · medium

A team's CI/CD pipeline authenticates to GCP using Application Default Credentials (ADC). The pipeline runs on a GCE VM with a service account attached. Which credential source does the ADC use when running on a GCE VM?

A. The GOOGLE_APPLICATION_CREDENTIALS environment variable pointing to a JSON key file
B. The VM's attached service account credentials via the instance metadata server
C. The developer's personal Google account used during `gcloud auth login`
D. A randomly selected service account from the project's service accounts list

Answer: B

ADC on GCE automatically uses the service account attached to the VM through the instance metadata server (metadata.google.internal/computeMetadata/v1/instance/service-accounts/) — no key file needed.

Why this answer

On a GCE VM, Application Default Credentials (ADC) automatically uses the credentials from the VM's attached service account by querying the instance metadata server at the link-local address 169.254.169.254. This is the default behavior when no environment variable or other credential source is explicitly configured, making option B correct.

Exam trap

Google Cloud often tests the misconception that ADC always requires an explicit credential file or that it uses the gcloud user login, when in fact on GCE VMs it transparently uses the attached service account via the metadata server.

How to eliminate wrong answers

Option A is wrong because the GOOGLE_APPLICATION_CREDENTIALS environment variable is a manual override that ADC checks first, but it is not the default source on a GCE VM; the question describes a pipeline running on a GCE VM with a service account attached, and ADC will use the metadata server unless that variable is set. Option C is wrong because a developer's personal Google account from `gcloud auth login` is used for user-level authentication in gcloud CLI, not for ADC on a VM; ADC on a GCE VM does not consult user credentials from gcloud. Option D is wrong because ADC does not randomly select a service account; it uses the specific service account attached to the VM instance, which is obtained from the instance metadata server, not from a project-wide list.

983
MCQ · hard

A team has a streaming pipeline built with Apache Beam that reads from Cloud Pub/Sub and writes transformed data to BigQuery. Which GCP service executes this pipeline with managed autoscaling?

A. Cloud Composer
B. Cloud Dataflow
C. Cloud Dataproc
D. Cloud Data Fusion

Answer: B

Cloud Dataflow is the managed execution environment for Apache Beam pipelines. It autoscales workers for both streaming and batch jobs.

Why this answer

Cloud Dataflow is the correct service because it is a fully managed, autoscaling service specifically designed to execute Apache Beam pipelines. It handles the reading from Cloud Pub/Sub and writing to BigQuery, automatically scaling worker resources based on the pipeline's processing demands.

Exam trap

The trap here is that candidates often confuse Cloud Dataproc (which runs Spark) with Cloud Dataflow (which runs Beam), not realizing that Beam pipelines require Dataflow for managed autoscaling, while Dataproc requires manual cluster sizing or separate autoscaling policies.

How to eliminate wrong answers

Option A is wrong because Cloud Composer is a managed workflow orchestration service based on Apache Airflow, not a stream processing engine; it can trigger Dataflow jobs but does not execute Beam pipelines directly. Option C is wrong because Cloud Dataproc is a managed Spark and Hadoop service that can run batch or stream processing but does not natively execute Apache Beam pipelines with managed autoscaling; it requires manual cluster management or separate autoscaling configuration. Option D is wrong because Cloud Data Fusion is a fully managed data integration service for building ETL/ELT pipelines using a visual interface, but it does not execute Apache Beam pipelines and does not provide managed autoscaling for Beam-based streaming jobs.

984
MCQ · medium

An engineer wants to ensure that no one in their organization can create VMs with public IP addresses. Which Google Cloud tool should they use to enforce this restriction?

A. Organization policies
B. Labels
C. IAM roles
D. Quotas

Answer: A

Correct.

Why this answer

Organization policies (Org Policies) allow setting constraints at the organization, folder, or project level to restrict configurations.

985
MCQ · easy

A new engineer needs to enable the Compute Engine API for a project using the gcloud command-line tool. Which command should they run?

A. gcloud compute enable-api
B. gcloud projects enable compute.googleapis.com
C. gcloud api enable compute
D. gcloud services enable compute.googleapis.com

Answer: D

This is the standard command to enable the Compute Engine API.

Why this answer

The correct command to enable an API is `gcloud services enable`, specifying the service name. For Compute Engine the service name is `compute.googleapis.com`.

986
MCQ · medium

A company wants to set up a cost-effective disaster recovery solution for a critical application running on Compute Engine. The primary region is us-east1. The recovery point objective (RPO) is 1 hour, and recovery time objective (RTO) is 4 hours. Which strategy is most cost-effective?

A. Regular backups to Cloud Storage with automated scripts to restore in a different region
B. Use managed instance groups in two regions with autoscaling
C. Cross-region replica of persistent disks using snapshot schedules every hour
D. Active-active multi-region deployment with HTTP load balancer

Answer: C

Snapshot schedules allow frequent, incremental backups suitable for DR.

Why this answer

Option C is the most cost-effective because it uses snapshot schedules to create cross-region replicas of persistent disks every hour, meeting the 1-hour RPO without requiring always-on compute resources. This approach minimizes costs by only storing incremental snapshots in Cloud Storage, while automated restore procedures can spin up instances in the secondary region within the 4-hour RTO.

Exam trap

Google Cloud often tests the misconception that active-active or multi-region instance groups are always the best for disaster recovery, but the trap here is that for cost-effectiveness with moderate RPO/RTO, a snapshot-based replication strategy is more appropriate than maintaining always-on infrastructure.

How to eliminate wrong answers

Option A is wrong because regular backups to Cloud Storage with automated scripts require manual or custom automation for restore, which can introduce delays and complexity, and the RTO of 4 hours may be exceeded if scripts fail or need debugging; also, backups are not inherently cross-region replicas, so additional configuration is needed to meet the RPO. Option B is wrong because managed instance groups in two regions with autoscaling keep compute resources running in both regions, incurring continuous costs for idle instances in the secondary region, which is not cost-effective for a disaster recovery solution that only needs to activate during failover. Option D is wrong because active-active multi-region deployment with HTTP load balancer requires always-on compute and networking resources in both regions, leading to higher operational costs than a standby or backup-based approach, and it is overkill for the given RPO and RTO requirements.

987
MCQ · hard

A regulated company requires a log of all actions taken by Google support engineers when they access customer GCP environments during support cases. Which Cloud Audit Log type captures this?

A. Admin Activity audit logs
B. Data Access audit logs with Google-initiated access filter
C. Access Transparency logs
D. System event audit logs with personnel filter

Answer: C

Access Transparency logs specifically record actions by Google employees when they access customer data and GCP environments, providing accountability for Google-side access.

Why this answer

Access Transparency logs are the correct choice because they specifically capture actions taken by Google support engineers when accessing customer data or configurations in GCP. These logs provide near real-time records of Google-initiated access, which is required for regulated companies to audit support personnel activities. Admin Activity logs only record administrative actions by customers, not Google personnel, while Data Access logs with Google-initiated access filter are not a valid log type in Cloud Audit Logs.

Exam trap

The trap here is that candidates confuse 'Data Access logs' with 'Access Transparency logs,' assuming a filter can isolate Google-initiated actions, but Access Transparency is a separate, dedicated log type specifically for Google personnel access, not a subset of Data Access logs.

How to eliminate wrong answers

Option A is wrong because Admin Activity audit logs record actions performed by customers or authorized users within a GCP project (e.g., creating resources), not actions taken by Google support engineers. Option B is wrong because Data Access logs capture API calls that read or modify customer data, but there is no 'Google-initiated access filter' as a distinct log type; Access Transparency logs are the dedicated mechanism for Google-initiated access. Option D is wrong because System event audit logs record GCP system events (e.g., VM live migrations), not personnel actions, and there is no 'personnel filter' in Cloud Audit Logs.

988
MCQ · medium

A company wants to run a stateless HTTP web application that experiences highly variable traffic, including periods of zero traffic. The application is packaged as a Docker container. The team wants to minimize operational overhead and pay only for resources consumed during request processing. Which Google Cloud compute service is the best fit?

A. Cloud Functions
B. Cloud Run
C. GKE Standard
D. Compute Engine with managed instance group

Answer: B

Cloud Run runs containers, scales to zero, and charges per request, ideal for variable traffic.

Why this answer

Cloud Run is serverless, scales to zero, charges per request, and runs containers from container images. Cloud Functions is for event-driven functions, not full web apps. GKE Standard and Compute Engine require managing servers and do not scale to zero.

989
Drag & Drop · medium

Arrange the steps to create a Cloud Pub/Sub topic, subscription, and publish a message.


Why this order

Topic and subscription must exist before publishing; pull retrieves messages.

990
MCQ · medium

An application running on Compute Engine needs to be accessible from the internet on port 443. The instance has an internal IP only. Which steps are necessary to allow internet traffic?

A. Use Cloud Load Balancing with an HTTPS load balancer to forward traffic to the instance
B. Configure a VPN from the internet to the VPC
C. Create a Cloud NAT gateway and a firewall rule allowing ingress on port 443
D. Assign an external IP to the VM and create a firewall rule allowing ingress from 0.0.0.0/0 on port 443

Answer: A

An external HTTPS load balancer can route internet traffic to internal instances without exposing them directly.

Why this answer

An internal-only VM cannot be reached directly from the internet. You need to use a Cloud NAT for outbound traffic, but for inbound traffic, you must either assign an external IP to the VM or use a load balancer. The most secure and scalable approach is to use an external HTTPS load balancer.

991
MCQ · hard

A team is designing a data pipeline: Cloud Storage → Pub/Sub → Dataflow → BigQuery. They expect 50 GB of data per hour. Dataflow jobs must automatically scale workers based on pipeline backlog. Which Dataflow feature provides automatic horizontal scaling of worker VMs?

A. Vertical scaling — Dataflow automatically increases worker machine types under load
B. Dataflow Horizontal Autoscaling — automatically adds/removes workers based on pipeline lag
C. GKE cluster autoscaler — Dataflow runs on GKE and inherits its autoscaling
D. Cloud Monitoring alerting policy that triggers worker additions via gcloud

Answer: B

Dataflow's horizontal autoscaler monitors pipeline backlog and adjusts the number of worker VMs to maintain throughput — enabled by default for streaming and configurable for batch.

Why this answer

Dataflow Horizontal Autoscaling is the correct feature because it automatically adds or removes worker VMs based on the pipeline's backlog (lag), which directly matches the requirement for automatic horizontal scaling. This feature uses the Cloud Monitoring service to track the number of unprocessed elements and adjusts worker count accordingly, ensuring efficient resource usage without manual intervention.

Exam trap

Google Cloud often tests the distinction between horizontal and vertical scaling, and candidates may confuse Dataflow's autoscaling with GKE cluster autoscaler, not realizing Dataflow manages its own worker fleet independently of GKE.

How to eliminate wrong answers

Option A is wrong because vertical scaling increases the machine type (e.g., more vCPUs or memory) of existing workers, not the number of workers, and Dataflow does not automatically change machine types under load; it relies on horizontal scaling. Option C is wrong because Dataflow does not run on GKE by default; it uses its own managed service for worker VMs, and the GKE cluster autoscaler is irrelevant unless the pipeline is explicitly configured to run on a GKE cluster, which is not the standard deployment. Option D is wrong because while Cloud Monitoring can trigger alerts, it does not directly add workers; Dataflow Horizontal Autoscaling is the built-in mechanism that handles scaling automatically, and using a custom alerting policy to invoke gcloud commands would be an external, non-native approach that contradicts the requirement for automatic scaling.
