Google Associate Cloud Engineer (ACE) — Questions 76-150

500 questions total · 7 pages · All types, answers revealed


Page 2 of 7

76 · MCQ · medium

A company is using Cloud Storage to store sensitive data. They want to enforce that objects are automatically deleted after 90 days. Which configuration should they use?

A. Configure Object Lifecycle Management with a Delete action after 90 days.
B. Set a retention policy on the bucket for 90 days.
C. Enable bucket locking with a retention period of 90 days.
D. Enable object versioning and set a lifecycle rule to delete noncurrent versions.
Answer: A

Lifecycle rules can be set to delete objects when they reach a certain age.

Why this answer

Object Lifecycle Management lets you attach rules to a bucket that act on objects once a condition is met, such as an age of 90 days measured from the object's creation time. A rule with a Delete action and that condition removes the objects without manual intervention. Two practical caveats: rules are applied asynchronously, so deletion can lag the moment the condition becomes true, and if Object Versioning is enabled on the bucket a Delete action on a live object only makes it noncurrent, so a second rule targeting noncurrent versions is needed before the data is actually gone.

Exam trap

Google Cloud often tests the distinction between retention policies (which protect data from deletion) and lifecycle rules (which automate deletion), leading candidates to confuse a retention policy with a deletion policy.

How to eliminate wrong answers

Option B is wrong because a retention policy on a bucket prevents objects from being deleted or overwritten until the retention period expires, which is the opposite of automatically deleting objects after 90 days. Option C is wrong because bucket locking with a retention period enforces a write-once-read-many (WORM) policy that prevents object deletion or modification, not automatic deletion. Option D is wrong because enabling object versioning and setting a lifecycle rule to delete noncurrent versions only removes older versions of objects, not the current live objects, and does not guarantee deletion of all objects after 90 days.

77 · MCQ · hard

A company runs a big data processing pipeline on a Dataproc cluster. To reduce costs, they use a primary cluster with one master node (standard) and 20 worker nodes all using preemptible VMs. Recently, jobs running during peak business hours are failing with 'Task failed' errors. You notice that many preemptible VMs are reclaimed during the middle of these jobs. The jobs are long-running MapReduce tasks that write intermediate results to the cluster's HDFS. What should you do to improve job reliability without significantly increasing costs?

A. Enable graceful decommissioning for the preemptible instances.
B. Increase the number of preemptible worker nodes to 40.
C. Use a higher preemptible instance type (e.g., n1-highmem-2 instead of n1-standard-2).
D. Switch to standard worker nodes with committed use discounts.
Answer: A

Graceful decommissioning lets YARN drain a departing node, giving its running containers a chance to finish within a timeout before the node leaves the cluster, instead of killing work mid-task.

Why this answer

Option A is correct because enabling graceful decommissioning for preemptible instances allows YARN to handle node loss more gracefully. When a preemptible VM is reclaimed, YARN can wait for running containers to finish before shutting down the node, reducing task failures. This improves job reliability without adding cost, as it leverages existing preemptible VMs more effectively.

Exam trap

Google Cloud often tests the misconception that simply adding more preemptible nodes or upgrading instance types will solve reliability issues, when the real solution is to configure graceful decommissioning to handle preemption gracefully.

How to eliminate wrong answers

Option B is wrong because simply increasing the number of preemptible worker nodes to 40 does not address the root cause of task failures due to VM reclamation; it only spreads the risk but still results in lost intermediate data and failed tasks. Option C is wrong because using a higher preemptible instance type (e.g., n1-highmem-2) does not prevent preemption; it only provides more memory, which does not solve the reliability issue of task failures during reclamation. Option D is wrong because switching to standard worker nodes with committed use discounts would significantly increase costs, contradicting the requirement to not significantly increase costs.

78 · MCQ · hard

Your Dataflow streaming pipeline is consuming messages from Pub/Sub but the pipeline's throughput has dropped significantly. Cloud Monitoring shows the `pubsub/subscription/oldest_unacked_message_age` metric is growing. The pipeline has enough workers. What is the most likely bottleneck, and how should you address it?

A. Increase the number of Dataflow workers to process messages faster.
B. Inspect Dataflow job graph metrics to identify the slow stage, then optimize that stage's logic or address data skew.
C. Increase the Pub/Sub subscription's ack deadline to 600 seconds.
D. Switch from Dataflow to Pub/Sub Lite for lower cost and higher throughput.
Answer: B

The Dataflow job monitoring graph shows per-stage throughput and latency. Identifying the slow stage reveals the root cause (slow transform, external call, skew), enabling targeted optimization.

Why this answer

The growing `oldest_unacked_message_age` metric indicates that messages are not being processed and acknowledged quickly enough, even though the pipeline has enough workers. This points to a bottleneck within a specific stage of the Dataflow pipeline, such as a transformation or grouping operation that is slow or suffering from data skew. Option B is correct because inspecting the job graph metrics (e.g., wall time, backlog, and throughput per stage) allows you to identify the slow stage and then optimize its logic or address data skew, which directly resolves the processing delay.

Exam trap

Google Cloud often tests the misconception that adding more workers or increasing timeouts always solves throughput issues, but the correct approach is to diagnose the specific bottleneck stage using Dataflow's built-in metrics.

How to eliminate wrong answers

Option A is wrong because the question explicitly states the pipeline has enough workers, so adding more workers would not address the root cause of a slow stage or data skew; it could even increase cost without improving throughput. Option C is wrong because increasing the ack deadline to 600 seconds only gives workers more time to process messages but does not fix the underlying bottleneck; it may delay the detection of stuck messages and could lead to duplicate processing if workers fail. Option D is wrong because switching to Pub/Sub Lite does not address a Dataflow pipeline bottleneck; Pub/Sub Lite is designed for lower cost and predictable throughput but does not resolve slow stage logic or data skew within Dataflow.

79 · MCQ · medium

What action does the condition in the IAM policy restrict the user from performing?

A. Deleting disks that do not start with 'disk-'
B. Performing any action on compute instances
C. Performing any compute.admin action on disks in us-central1-a with names starting with 'disk-'
D. Creating disks in any zone other than us-central1-a
Answer: C

The condition does not deny anything on its own: a conditional role binding grants roles/compute.admin only on resources for which the expression is true. Here that is disks in us-central1-a whose names start with 'disk-', and on those disks the user holds every compute.admin permission (create, delete, modify).

Why this answer

The binding's condition combines `resource.name.startsWith('disk-')` with the zone `us-central1-a`, so the role, and with it `compute.disks.delete`, applies only to matching disks in that zone. Option C is the only choice that describes that scope. The question's wording inverts the usual reading: strictly, what the condition withholds is every compute.admin permission on disks that do not match (other names, other zones), while C names the set of disks the condition governs; the answer key treats C as correct on that basis, and each of the other options describes an effect the condition does not have. One check a practitioner should make before copying such an expression: in a real policy, `resource.name` for a Compute Engine disk is the full path `projects/PROJECT_ID/zones/ZONE/disks/DISK_NAME`, so the prefix passed to `startsWith` must include the project and zone for the expression ever to be true.

Exam trap

The trap is the wording: the question asks what the condition restricts, but a condition on an IAM binding never restricts in the sense of denying; it narrows where a grant applies. Candidates who look for a deny rule pick A or D; the answer that matches how conditions actually work is the one that names the scoped grant.

How to eliminate wrong answers

Option A is wrong because the condition allows deletion of disks starting with 'disk-'; the user is simply not granted deletion of disks whose names do not start with 'disk-', which is the reverse of what A states. Option B is wrong because the binding covers only disks matching the condition, not every action on compute instances; the user keeps whatever other grants they hold (listing instances, for example) and all compute.admin actions on matching disks. Option D is wrong because the condition scopes the grant to disks in `us-central1-a`; nothing in it restricts creating disks elsewhere, and creation (`compute.disks.create`) is simply outside what this binding grants in other zones, which is not the same as being denied.
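To make the "a condition narrows a grant, it never denies" point concrete, here is an added example (not code from the original page or from Google's IAM implementation): a tiny evaluator for the kind of condition this question describes, covering just the `==` and `startsWith` terms such an expression uses. It assumes a project id of `example-project` and the full `projects/PROJECT/zones/ZONE/disks/NAME` form that a Compute Engine disk's `resource.name` takes in IAM conditions, which is why the zone sits inside the prefix. The last check in the test shows that the exam's literal `startsWith('disk-')` would never match a real disk name.

```python
# Added example: a CEL-subset evaluator for an IAM condition on a compute.admin binding.
# Assumptions: project id "example-project"; resource.name for a disk is the full path
# projects/PROJECT/zones/ZONE/disks/NAME.
import re

# The expression written the way a real policy needs it (project id is assumed).
CONDITION = (
    'resource.type == "compute.googleapis.com/Disk" && '
    'resource.name.startsWith("projects/example-project/zones/us-central1-a/disks/disk-")'
)

# A subset of the permissions inside roles/compute.admin, enough for the checks below.
COMPUTE_ADMIN_PERMS = {"compute.disks.create", "compute.disks.delete", "compute.disks.get"}

_STARTS_WITH = re.compile(r'^([\w.]+?)\.startsWith\("([^"]*)"\)$')
_EQUALS = re.compile(r'^([\w.]+) == "([^"]*)"$')


def eval_condition(expr: str, attrs: dict) -> bool:
    """Evaluate a conjunction of `x == "v"` and `x.startsWith("v")` terms.

    Deliberately small subset of CEL, just enough for CONDITION. Attributes that
    are absent evaluate as empty strings, so they never match a non-empty prefix.
    """
    for term in (t.strip() for t in expr.split("&&")):
        m = _STARTS_WITH.match(term)
        if m:
            if not str(attrs.get(m.group(1), "")).startswith(m.group(2)):
                return False
            continue
        m = _EQUALS.match(term)
        if m:
            if str(attrs.get(m.group(1), "")) != m.group(2):
                return False
            continue
        raise ValueError(f"unsupported term: {term!r}")
    return True


def is_allowed(permission: str, resource_name: str,
               resource_type: str = "compute.googleapis.com/Disk") -> bool:
    """Would a roles/compute.admin binding carrying CONDITION grant `permission` here?

    A False result means "this binding does not apply", not "denied": another
    binding without the condition could still grant the same permission.
    """
    if permission not in COMPUTE_ADMIN_PERMS:
        return False  # the role does not contain the permission at all
    attrs = {"resource.name": resource_name, "resource.type": resource_type}
    return eval_condition(CONDITION, attrs)
```

When reviewing a real policy, run the expression against the resource names you expect it to cover and a few you expect it not to; a condition that never evaluates true grants nothing, which is a quiet way to break access rather than a security failure, but a prefix that is too short grants more than intended.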

80 · MCQ · medium

A developer needs to forward traffic from their local port 5432 to a PostgreSQL service running in GKE on port 5432, to test database queries locally without exposing the database externally. Which kubectl command achieves this?

A. kubectl expose pod postgres-pod --type=LoadBalancer --port=5432
B. kubectl port-forward svc/postgres-service 5432:5432
C. kubectl tunnel --local=5432 --remote=postgres-service:5432
D. gcloud container ssh postgres-pod --port-forward=5432:5432
Answer: B

`kubectl port-forward` tunnels traffic from localhost:5432 to the cluster service's port 5432 — accessible only from the developer's machine, with no network changes.

Why this answer

Option B is correct because `kubectl port-forward` opens a local listener on port 5432 and relays its connections through the Kubernetes API server to port 5432 of a Pod backing the Service inside the GKE cluster. The developer connects to PostgreSQL as if it ran locally, with nothing exposed through a LoadBalancer or Ingress. Because the tunnel goes through the API server using the developer's kubeconfig credentials, Kubernetes RBAC governs it (the user needs create on `pods/portforward` in that namespace), so the access is auditable and revocable like any other cluster permission.

Exam trap

Google Cloud often tests the distinction between exposing a service externally (LoadBalancer) and creating a local tunnel (port-forward), and candidates may mistakenly choose a LoadBalancer option thinking it is required for connectivity, ignoring the 'without exposing externally' constraint.

How to eliminate wrong answers

Option A is wrong because `kubectl expose pod postgres-pod --type=LoadBalancer` creates an external LoadBalancer Service, which exposes the database to the internet, contradicting the requirement to avoid external exposure. Option C is wrong because `kubectl tunnel` is not a kubectl command; the port-forwarding command is `kubectl port-forward`. Option D is wrong because `gcloud container ssh` does not exist either (cluster nodes are reached with `gcloud compute ssh`), gcloud has no `--port-forward` flag for this, and in any case port forwarding into a cluster goes through the Kubernetes API via `kubectl port-forward`.

81 · Matching · medium

Match each Compute Engine machine family to its typical workload.


Matches

- Cost-optimized, general-purpose workloads
- Balanced performance for general workloads
- Compute-optimized for high-performance computing
- Memory-optimized for large in-memory databases
- GPU-accelerated for graphics and ML

Why these pairings

Machine families are optimized for different resource needs.

82 · MCQ · hard

A company uses VPC Service Controls to protect Cloud Storage. They have a service perimeter that includes the storage API and the project where the stored data resides. Users inside the perimeter can access the data, but users outside cannot. However, a group of users outside the perimeter are able to access the data using a signed URL generated by a service inside the perimeter. Why does this happen?

A. VPC Service Controls do not apply to signed URLs.
B. Signed URLs bypass VPC Service Controls.
C. The service perimeter is misconfigured, missing signed URL restrictions.
D. The users have been granted IAM roles that override the perimeter.
Answer: A

Signed URLs are a separate access method not governed by VPC SC.

Why this answer

VPC Service Controls decide access to a protected service from the context of the request: whether the caller is inside the perimeter, and whether an access level (IP range, identity, device policy) admits it. A request made with a signed URL is authorized by the signature of the service account that produced the URL, not by the requester's context, so that perimeter check does not govern it. This is by design: signed URLs exist precisely to give temporary access to callers who have no Google identity at all. The operational consequence is that a workload inside the perimeter that issues signed URLs is an egress path for the protected data, so the ability to sign (a service account key, or `iam.serviceAccounts.signBlob` on the signing account) deserves the same scrutiny as the perimeter itself.

Exam trap

Google Cloud often tests the misconception that VPC Service Controls are a universal access control mechanism, when in fact they do not apply to signed URLs or public buckets, leading candidates to incorrectly assume a misconfiguration or override.

How to eliminate wrong answers

Option B is wrong because signed URLs do not 'bypass' VPC Service Controls in a technical sense; rather, VPC Service Controls simply do not apply to signed URL requests, as the access decision is based on the signature, not the requester's network or identity. Option C is wrong because there is no 'signed URL restriction' setting in VPC Service Controls; the service perimeter configuration is correct, and the behavior is expected. Option D is wrong because IAM roles are not the mechanism at play here; signed URLs do not require IAM roles to be granted to the end user, and the perimeter does not evaluate IAM for signed URL requests.

83 · MCQ · medium

You need to deploy a containerized application to GKE that stores user session data. The application has 3 replicas. Session data must not be lost if a replica is restarted. All replicas share the same session store. Which architecture handles this correctly?

A. Store sessions in each pod's memory; use session affinity on the load balancer to route users to the same pod.
B. Store sessions in Cloud Memorystore (Redis) shared by all replicas.
C. Use an emptyDir volume shared between replicas for session storage.
D. Store sessions in a Cloud SQL table with a connection pool per replica.
Answer: B

Redis is a shared, low-latency session store that lives outside the Pods, so a Pod restart loses nothing. Durability is a tier decision: a Memorystore for Redis Basic tier instance has no replica and loses its data if the instance fails, so a production session store should be Standard tier, which adds a replica and automatic failover.

Why this answer

Option B is correct because Cloud Memorystore (Redis) is a centralized store that every replica reads and writes, so session data survives Pod restarts and is identical across replicas, meeting both the no-loss and the shared-access requirements. Choose the Standard tier so the store itself is highly available.

Exam trap

Google Cloud often tests the misconception that session affinity alone ensures session persistence, but the trap here is that session affinity only routes traffic to the same pod, not that the pod's memory survives restarts, so candidates must recognize that shared external storage is required for data durability.

How to eliminate wrong answers

Option A is wrong because storing sessions in each pod's memory means data is lost if a pod restarts, and session affinity only routes users to the same pod but does not prevent data loss on restart. Option C is wrong because an emptyDir volume is ephemeral and tied to a pod's lifecycle; it is deleted when the pod is deleted or restarted, and it cannot be shared across replicas in different pods. Option D is wrong because while Cloud SQL can persist data, using a connection pool per replica does not address session storage efficiently; sessions are transient and high-frequency, making a relational database like Cloud SQL less suitable than an in-memory store like Redis for performance and cost.

84 · Multi-Select · medium

Which three steps are part of the initial setup for a new Google Cloud project with multiple subnets in a VPC?

Select 3 answers
A. Create a project
B. Enable the Compute Engine API
C. Enable billing
D. Create a VPC network with custom subnets
E. Create firewall rules
Answers: A, B, C

A project is the container for all resources.

Why this answer

Creating a project comes first because it is the top-level container for resources, billing and IAM; nothing can be provisioned without one. The project must then be linked to a billing account, since Compute Engine networking resources are billable, and the Compute Engine API must be enabled in it before any VPC, subnet or instance can be created. Custom subnets and firewall rules are configuration that follows once those prerequisites are in place.

Exam trap

Google Cloud often tests the order of operations in Google Cloud setup, and the trap here is that candidates confuse the initial prerequisites (project, billing, API) with later configuration steps like creating VPCs or firewall rules.

85 · Multi-Select · easy

Which THREE actions are recommended to ensure the successful operation of a Compute Engine instance running a production workload?

Select 3 answers
A. Enable deletion protection on the instance.
B. Set up a health check and autohealing policy for the instance group.
C. Use a custom VPC with a subnet in a single zone.
D. Configure snapshots with a retention policy.
E. Attach a GPU for machine learning inference.
Answers: A, B, D

Deletion protection prevents accidental deletion of a production instance.

Why this answer

Enabling deletion protection prevents accidental deletion of the instance. Configuring snapshots with a retention policy ensures data backup and recovery. Setting up a health check and autohealing automatically recreates unhealthy instances, improving availability.

Option C is wrong because a subnet cannot be confined to a single zone (Compute Engine subnets are regional), and designing around one zone only reduces fault tolerance. Option E is wrong because a GPU is needed only for specific workloads and is not a general operational best practice.

86 · Multi-Select · easy

A new developer is setting up their first Google Cloud project. They need to perform initial project configuration. Which TWO actions are necessary before they can create any resources? (Choose TWO.)

Select 2 answers
A. Create a custom IAM role.
B. Set up Identity Platform.
C. Create a VPC network.
D. Enable billing for the project.
E. Enable the Cloud Billing API.
Answers: D, E

Billing must be linked to the project to use billable services.

Why this answer

Options D and E are correct: the project must be linked to a billing account before billable resources can be created, and the answer key counts enabling the Cloud Billing API as part of that step. Option C is wrong because a VPC is not a prerequisite for every resource; a Cloud Storage bucket, for example, needs no network. Option B is wrong because Identity Platform is a separate end-user authentication product, not a project setup step.

Option A is wrong because the project creator is granted the Owner role automatically and the predefined roles cover setup; no custom role has to exist before resources are created.

87 · MCQ · medium

An operations team wants to count how many times the string 'PaymentFailure' appears in application logs per minute and alert when it exceeds 10 occurrences. Cloud Monitoring doesn't have a native metric for this log pattern. What is the correct approach?

A. Create a Cloud Monitoring custom metric and write values via the application's exception handler
B. Create a log-based metric in Cloud Logging with a filter matching 'PaymentFailure', then alert on it in Cloud Monitoring
C. Export logs to BigQuery and run a scheduled query counting PaymentFailure entries
D. Enable Cloud Trace and look for PaymentFailure in trace annotations
Answer: B

Log-based metrics automatically count (or extract values from) log entries matching a filter. The resulting time-series metric is immediately usable in Cloud Monitoring alerting policies.

Why this answer

Option B is correct because Cloud Logging log-based metrics allow you to define a filter (e.g., `textPayload:"PaymentFailure"`) that counts matching log entries in real time, and Cloud Monitoring can directly create an alerting policy on that metric with a threshold of 10 occurrences per minute. This approach avoids custom code, external exports, or additional services, and it leverages the native integration between Cloud Logging and Cloud Monitoring.

Exam trap

Google Cloud often tests the distinction between native log-based metrics (which require no code or external services) and custom metrics or export-based solutions, leading candidates to overcomplicate the answer by choosing BigQuery or custom code.

How to eliminate wrong answers

Option A is wrong because creating a custom metric via the application's exception handler requires modifying application code and introduces latency and reliability issues, whereas a log-based metric is serverless and automatically counts log entries without code changes. Option C is wrong because exporting logs to BigQuery and running a scheduled query adds unnecessary complexity, cost, and delay (minutes to hours) compared to near-real-time log-based metrics. Option D is wrong because Cloud Trace is designed for distributed tracing of request latency, not for counting log patterns; it does not provide a metric for the frequency of a string in logs.
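The counting a counter-type log-based metric does, and the threshold comparison the alerting policy applies on top of it, are simple enough to reproduce offline. The following is an added example, not code from the original page or from Cloud Logging: it runs the question's filter over a handful of constructed log entries (not real logs), buckets the matches per minute, and reports which minutes would fire a "count > 10" policy. The resource type `cloud_run_revision` and the metric name `payment_failures` in the usage note are assumptions.

```python
# Added example: what a counter log-based metric computes, run over constructed entries.
from collections import Counter
from datetime import datetime, timezone
import json

# The Cloud Logging filter this code mimics (resource type is an assumption).
LOG_FILTER = 'resource.type="cloud_run_revision" AND textPayload:"PaymentFailure"'
THRESHOLD_PER_MINUTE = 10

# Constructed sample entries: 12 failures in minute 12:00, then one failure, one
# success and one failure from a non-matching resource type in minute 12:01.
SAMPLE_ENTRIES = [
    json.dumps({"timestamp": f"2024-05-01T12:00:{s:02d}Z",
                "resource": {"type": "cloud_run_revision"},
                "textPayload": "PaymentFailure: card declined"})
    for s in range(0, 24, 2)
] + [
    json.dumps({"timestamp": "2024-05-01T12:01:05Z",
                "resource": {"type": "cloud_run_revision"},
                "textPayload": "PaymentFailure: gateway timeout"}),
    json.dumps({"timestamp": "2024-05-01T12:01:07Z",
                "resource": {"type": "cloud_run_revision"},
                "textPayload": "Payment ok"}),
    json.dumps({"timestamp": "2024-05-01T12:01:09Z",
                "resource": {"type": "gce_instance"},
                "textPayload": "PaymentFailure: wrong resource, must not count"}),
]


def matches_filter(entry: dict) -> bool:
    """Implements LOG_FILTER: resource.type equality plus the ':' (has) substring
    operator on textPayload. Real Logging filters are richer; this is the subset used."""
    return (entry.get("resource", {}).get("type") == "cloud_run_revision"
            and "PaymentFailure" in entry.get("textPayload", ""))


def count_per_minute(raw_lines) -> dict:
    """The time series a counter log-based metric produces: matches per minute bucket."""
    counts = Counter()
    for line in raw_lines:
        entry = json.loads(line)
        if not matches_filter(entry):
            continue
        ts = datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))
        counts[ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M")] += 1
    return dict(counts)


def minutes_over_threshold(counts: dict, threshold: int = THRESHOLD_PER_MINUTE) -> list:
    """The alerting-policy condition: 'count > threshold' evaluated per 1-minute window."""
    return sorted(minute for minute, n in counts.items() if n > threshold)
```

The real metric is created with `gcloud logging metrics create payment_failures --description="PaymentFailure log lines" --log-filter='resource.type="cloud_run_revision" AND textPayload:"PaymentFailure"'`, and the alerting policy then targets `logging.googleapis.com/user/payment_failures` aligned to 1-minute windows with a threshold of 10. If the application writes structured logs, the text lives in `jsonPayload.message` rather than `textPayload`, so check a sample entry in Logs Explorer before committing to the filter.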

88 · MCQ · medium

A developer reports that a Cloud Function is failing with '403 Forbidden' when calling the BigQuery API. The function's service account has the BigQuery Data Viewer role. What is a likely additional requirement that may be missing?

A. The Cloud Function must be deployed in the same region as the BigQuery dataset
B. The BigQuery API may not be enabled in the Cloud Functions' project
C. Cloud Functions cannot call BigQuery — it must use Dataflow or BigQuery scheduled queries instead
D. The service account needs the BigQuery Admin role instead of Data Viewer to make API calls
Answer: B

Even with the correct IAM role, calls fail if the target API is not enabled in the calling project. The error text in that case says the API has not been used in the project before or is disabled; enable it with `gcloud services enable bigquery.googleapis.com` or from the console.

Why this answer

A 403 means the request was authenticated but refused; by itself it does not say whether IAM or API enablement refused it. Since the service account already holds BigQuery Data Viewer, the next thing to check is whether the BigQuery API is enabled in the project the function runs in: Google Cloud activates APIs per project, and calls to a disabled API are rejected with a 403 regardless of the caller's roles. A second, purely IAM cause worth ruling out: Data Viewer on a dataset lets the function read tables, but running a query also needs `bigquery.jobs.create` in the project where the job runs (granted by BigQuery Job User), and its absence produces a 403 as well.

Exam trap

Google Cloud often tests the distinction between IAM permissions and API enablement, trapping candidates who assume a 403 always means a missing IAM role rather than a disabled API.

How to eliminate wrong answers

Option A is wrong because Cloud Functions and BigQuery datasets can be in different regions; cross-region access is supported via the BigQuery API, and a region mismatch does not cause a 403 error. Option C is wrong because Cloud Functions can directly call the BigQuery API using client libraries or REST requests; Dataflow and scheduled queries are alternative tools, not mandatory replacements. Option D is wrong because BigQuery Admin is far more than the function needs: reading tables takes Data Viewer and running query jobs takes Job User, and neither shortfall has anything to do with API enablement, which is the cause the question points to.

89 · MCQ · easy

You want to receive email notifications when your GCP project's billing reaches 50%, 80%, and 100% of a monthly budget. Which GCP feature should you configure?

A. Cloud Monitoring alerting policies on billing metrics.
B. Cloud Billing Budget with alert thresholds at 50%, 80%, and 100%.
C. Set a project spending limit in the Cloud Console billing settings.
D. Enable billing export to BigQuery and create a scheduled query that sends alert emails.
Answer: B

Cloud Billing Budgets support multiple percentage-based alert thresholds. When a threshold is crossed, email goes by default to Billing Account Administrators and Billing Account Users, optionally to other recipients through a Cloud Monitoring notification channel, and a message can be published to a Pub/Sub topic for programmatic handling.

Why this answer

Option B is correct because Cloud Billing Budgets allow you to set a budget amount for a GCP project and define alert threshold percentages (e.g., 50%, 80%, 100%). When the actual cost or forecasted cost reaches any threshold, Cloud Billing automatically sends email notifications to Billing Administrators and users you specify. This is the native, purpose-built feature for budget-based billing alerts.

Exam trap

The trap here is that candidates may confuse Cloud Monitoring alerting policies (which can monitor billing metrics but require manual setup for percentage thresholds) with the simpler, built-in Cloud Billing Budget feature that directly supports percentage-based email alerts.

How to eliminate wrong answers

Option A is wrong because Cloud Monitoring alerting policies can monitor billing metrics exported to Cloud Monitoring, but they do not natively support percentage-based budget thresholds or automatic email notifications for budget milestones without custom configuration. Option C is wrong because setting a project spending limit in the Cloud Console billing settings only caps the spend (and disables the project if exceeded), but it does not provide alert notifications at specific percentage thresholds. Option D is wrong because enabling billing export to BigQuery and creating a scheduled query that sends alert emails is a complex, custom workaround; it is not a built-in feature for simple threshold-based email alerts and requires additional scripting and infrastructure.

90 · MCQ · hard

A data warehouse team queries a 10 TB BigQuery table containing billions of events with a date column. Most queries filter by a date range (e.g., last 30 days). Without any partitioning, queries scan the full 10 TB every time. Which BigQuery feature eliminates unnecessary data scanning for date-range queries?

A. BigQuery table clustering on the date column
B. Creating a materialized view for the last 30 days
C. Date/timestamp partitioned table on the date column
D. Increasing BigQuery slot reservations for faster full-table scans
Answer: C

Partitioning by date divides the table into daily (or monthly) segments. Queries with date range filters only scan the relevant partitions, avoiding full table scans and reducing cost.

Why this answer

Partitioning a BigQuery table by the date column allows the query engine to prune entire partitions that fall outside the specified date range, so only the relevant partitions (e.g., last 30 days) are scanned instead of the full 10 TB. This directly reduces data scanned and cost, making option C the correct choice for eliminating unnecessary scanning in date-range queries.

Exam trap

Google Cloud often tests the distinction between partitioning (the table split into segments the planner can skip outright) and clustering (rows sorted inside the table so that individual blocks can be skipped), and candidates reach for clustering as the cost control when, for a date-range filter, partitioning is what guarantees that only the matching days are read.

How to eliminate wrong answers

Option A is wrong because clustering sorts the data within storage blocks and lets BigQuery skip blocks whose clustered-column range misses the filter, but it does not partition the table: the pruning is best-effort, the bytes-scanned estimate shown before the query runs does not reflect it, and for a plain date-range filter it cannot match the deterministic pruning of partitions. Clustering earns its keep on top of partitioning, for the columns you filter within a partition. Option B is wrong because a materialized view stores precomputed results but still requires the base table to be scanned for refreshes unless the view is also partitioned, and it adds storage and maintenance overhead without solving the core scanning issue. Option D is wrong because increasing slot reservations only allocates more compute for faster processing of full-table scans; it does not reduce the amount of data scanned, so it fails to address the root problem of scanning 10 TB unnecessarily.

91 · MCQ · medium

A mobile app needs a managed database to store user profiles with flexible nested structures that evolve frequently — new fields are added without schema migrations. Which GCP database service is most appropriate?

A. Cloud SQL for PostgreSQL
B. Cloud Bigtable
C. Cloud Firestore
D. Cloud Spanner
Answer: C

Cloud Firestore stores data as flexible JSON documents with nested fields, supporting schema evolution without migrations. It's purpose-built for mobile/web app backends.

Why this answer

Cloud Firestore is a NoSQL document database that supports flexible, nested data structures and automatically handles schema evolution. New fields can be added to documents at any time without requiring migrations, making it ideal for user profiles that change frequently. It also provides real-time synchronization and offline support, which are common requirements for mobile apps.

Exam trap

The trap here is that candidates often confuse Cloud Firestore with Cloud Bigtable, assuming both are NoSQL and therefore interchangeable, but Bigtable is designed for flat, wide-column data and lacks support for nested documents and real-time queries.

How to eliminate wrong answers

Option A is wrong because Cloud SQL for PostgreSQL is a relational database built around a fixed schema; adding new top-level fields means ALTER TABLE migrations, and while a JSONB column can hold nested data, that gives up the document model, real-time sync and offline support Firestore was built around. Option B is wrong because Cloud Bigtable is a wide-column NoSQL database optimized for high-throughput, low-latency workloads (e.g., time-series, IoT), not for storing complex nested documents with frequent schema changes. Option D is wrong because Cloud Spanner is a globally distributed relational database that enforces a schema and ACID transactions; while it supports online schema changes, it is not designed for flexible nested structures and would require migrations for new fields.

92 · MCQ · hard

A team must choose between Cloud Pub/Sub and Cloud Tasks for a use case where jobs must be delivered to a single HTTP endpoint, each job executed at most once, with rate limiting to 10 requests per second, and with retry on failure. Which service is the better fit and why?

A. Cloud Pub/Sub — it supports rate-limited push subscriptions and at-most-once delivery
B. Cloud Tasks — it provides rate limiting, at-most-once delivery via deduplication, and targeted HTTP dispatch
C. Cloud Pub/Sub with a Dataflow consumer applying rate limiting
D. Both are equivalent for this use case — choose based on cost
Answer: B

Cloud Tasks queues carry explicit rate controls (`maxDispatchesPerSecond`, `maxBurstSize`, `maxConcurrentDispatches`), deduplicate tasks by name at creation time, retry on non-2xx responses according to the queue's retry configuration, and dispatch each task to a chosen HTTP endpoint: exactly this use case.

Why this answer

Cloud Tasks is the better fit because it is built for targeted HTTP dispatch to a single endpoint, supports per-queue rate limiting (dispatches per second and burst size), retries failed tasks, and deduplicates at creation: creating a second task with the name of an existing one is rejected, which is what the at-most-once wording in the option refers to. Cloud Pub/Sub push subscriptions have no server-side rate limit and guarantee at-least-once delivery. One implementation note: Cloud Tasks aims at executing each task exactly once but prefers at-least-once execution when it has to choose, so the handler should still be idempotent.

Exam trap

Google Cloud often tests the misconception that Cloud Pub/Sub can handle rate-limited push subscriptions, but in reality, rate limiting is a feature of Cloud Tasks, not Cloud Pub/Sub push subscriptions.

How to eliminate wrong answers

Option A is wrong because Cloud Pub/Sub push subscriptions do not support rate limiting (they rely on flow control at the subscriber side, not server-side rate limiting) and guarantee at-least-once delivery, not at-most-once. Option C is wrong because adding Dataflow introduces unnecessary complexity and cost; Cloud Tasks already provides native rate limiting and targeted HTTP dispatch without requiring an additional processing layer. Option D is wrong because the two services are not equivalent: Cloud Pub/Sub is a pub/sub messaging system with at-least-once delivery and no built-in rate limiting for push endpoints, while Cloud Tasks is a task queue designed for exactly this use case with rate limiting and at-most-once semantics.
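Because the queue's deduplication happens at task creation and the service prefers at-least-once execution when it must choose, the HTTP target is the last line of defence against doing a job twice. The following is an added example, not code from the original page or from Cloud Tasks: a framework-free handler written for the headers Cloud Tasks sets on each dispatch (`X-CloudTasks-TaskName`, `X-CloudTasks-TaskRetryCount`), made idempotent on the task name. The in-memory `Ledger` and the `charge_customer` routine are assumptions standing in for a real datastore and the real work.

```python
# Added example: an idempotent Cloud Tasks HTTP target handler keyed on the task name.
# Assumptions: Ledger stands in for a durable store; charge_customer is the real work.
from dataclasses import dataclass, field


@dataclass
class Ledger:
    """Durable-store stand-in (assumed; use a database with a transaction in practice)."""
    processed: dict = field(default_factory=dict)   # task name -> receipt id
    charges: list = field(default_factory=list)     # (customer_id, cents, receipt)


def charge_customer(ledger: Ledger, customer_id: str, cents: int) -> str:
    """The unit of work that must happen once per task. Returns a receipt id."""
    if cents <= 0:
        raise ValueError("amount must be positive")
    receipt = f"rcpt-{len(ledger.charges) + 1}"
    ledger.charges.append((customer_id, cents, receipt))
    return receipt


def handle_task(headers: dict, body: dict, ledger: Ledger) -> tuple:
    """Return (HTTP status, JSON-able response).

    A 2xx tells Cloud Tasks the task is done; any other status makes the queue
    retry per its retry configuration, with X-CloudTasks-TaskRetryCount incremented.
    """
    task_name = headers.get("X-CloudTasks-TaskName")
    if not task_name:
        return 400, {"error": "missing X-CloudTasks-TaskName; not dispatched by Cloud Tasks"}
    retry_count = int(headers.get("X-CloudTasks-TaskRetryCount", "0"))

    # Idempotency check: a retry, or the rare duplicate dispatch, must not charge again.
    if task_name in ledger.processed:
        return 200, {"status": "duplicate", "receipt": ledger.processed[task_name],
                     "retry_count": retry_count}

    try:
        receipt = charge_customer(ledger, body["customer_id"], int(body["amount_cents"]))
    except (KeyError, ValueError) as exc:
        # A malformed task will never succeed; a 2xx stops the queue from retrying it.
        return 200, {"status": "rejected", "reason": str(exc), "retry_count": retry_count}

    # In production the charge and this marker belong in one transaction; as written,
    # a crash between the two lines would let a retry charge twice.
    ledger.processed[task_name] = receipt
    return 200, {"status": "charged", "receipt": receipt, "retry_count": retry_count}
```

Rejecting malformed tasks with a 2xx is a deliberate choice: a 4xx would be retried until the queue's `maxAttempts` is exhausted. The missing-header check is not authentication; to verify that a request really came from Cloud Tasks, configure an OIDC token on the task and validate it in the handler.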

93 · MCQ · medium

A GKE cluster hosts both a public-facing web application and an internal data processing service. The data processing service should only accept traffic from the web application Pods, not from the internet. Which Kubernetes feature enforces this policy?

A. A VPC firewall rule blocking external traffic to the data service's Node IPs
B. Kubernetes NetworkPolicy restricting ingress to the data service to only Pods with the web app label
C. IAP (Identity-Aware Proxy) configured on the data service
D. Using a private ClusterIP Service for the data service — it's automatically private
Answer: B

NetworkPolicies provide Pod-level firewall rules based on Pod label selectors. A policy on the data service allowing only ingress from the web app's Pod labels enforces the required isolation.

Why this answer

Kubernetes NetworkPolicy is the native Kubernetes resource that controls traffic flow at the IP address or port level (OSI layer 3 or 4). By defining an ingress rule that allows traffic only from Pods with a specific label (e.g., 'app: web-app'), you can restrict access to the data processing service exclusively to the web application Pods, regardless of whether the service is exposed via ClusterIP, NodePort, or LoadBalancer. This is the correct and recommended approach for pod-level network segmentation within a cluster.

Exam trap

Google Cloud often tests the misconception that a ClusterIP Service is inherently private and restricts access to only certain Pods, but in reality, ClusterIP only limits external exposure; any Pod in the cluster can reach it unless a NetworkPolicy explicitly denies or allows traffic based on labels.

How to eliminate wrong answers

Option A is wrong because VPC firewall rules operate at the infrastructure level (VM/node network interfaces) and cannot distinguish traffic between Pods on the same node or across nodes within the cluster; they would block all external traffic to the node's IPs but would not prevent other Pods (or even the web app Pods) from reaching the data service if it's exposed via NodePort. Option C is wrong because IAP (Identity-Aware Proxy) is a Google Cloud service for controlling access to applications based on user identity and context, not for pod-to-pod network traffic within a GKE cluster; it operates at the application layer and requires an HTTPS load balancer, not a Kubernetes-native policy. Option D is wrong because a private ClusterIP Service is only private in the sense that it is not exposed outside the cluster, but any Pod within the cluster can still reach it by default; it does not restrict which Pods can initiate connections to the service.

94
MCQhard

A team needs to export all Cloud Logging entries from a production GCP project to a BigQuery dataset for long-term analysis and compliance. The export must be near-real-time and include future log entries automatically. Which approach achieves this?

A.Schedule a daily Cloud Function to query the Logging API and write results to BigQuery
B.Create a log sink (Log Router) that routes all logs from the project to the BigQuery dataset
C.Use BigQuery Data Transfer Service to pull logs from Cloud Logging on a schedule
D.Enable VPC Flow Logs and stream them directly to BigQuery
AnswerB

Log sinks continuously route matching log entries to BigQuery in near-real-time. Once configured, future entries are exported automatically without manual steps.

Why this answer

Option B is correct because a log sink (Log Router) in Cloud Logging can be configured to route log entries in near-real-time to a BigQuery dataset. This approach automatically includes all future log entries without requiring any scheduled jobs or manual intervention, making it ideal for long-term analysis and compliance.

Exam trap

The trap here is that candidates may confuse BigQuery Data Transfer Service with a general-purpose data ingestion tool, but it does not support Cloud Logging as a source, leading them to choose option C instead of the correct log sink approach.

How to eliminate wrong answers

Option A is wrong because scheduling a daily Cloud Function to query the Logging API and write results to BigQuery introduces latency (up to 24 hours) and is not near-real-time; it also requires custom code to handle pagination and deduplication. Option C is wrong because BigQuery Data Transfer Service does not support Cloud Logging as a source; it is designed for transferring data from services like Google Ads, Amazon S3, or Teradata, not for streaming log entries. Option D is wrong because VPC Flow Logs only capture network traffic metadata, not all Cloud Logging entries (e.g., application logs, audit logs), and they cannot be streamed directly to BigQuery without an intermediary sink or export.

95
MCQhard

A company runs a batch processing workload on Compute Engine that completes in 30 minutes. The workload is CPU-intensive and runs once daily. The company wants to minimize costs while maintaining performance. Which of the following is the most cost-effective compute option?

A.Use a preemptible custom machine type with 4 vCPUs and 8 GB memory.
B.Use a sole-tenant node with a machine type that matches the workload.
C.Use an N1 standard-4 machine without discounts.
D.Purchase a 1-year committed use discount for the appropriate machine type.
AnswerA

Preemptible instances are significantly cheaper and suitable for fault-tolerant batch jobs.

Why this answer

A preemptible custom machine type with 4 vCPUs and 8 GB memory is the most cost-effective option because the workload is batch, CPU-intensive, fault-tolerant (runs once daily and can be restarted), and completes in 30 minutes — well within the 24-hour maximum preemptible VM lifetime. Preemptible instances offer up to 80% cost savings over standard instances, and a custom machine type avoids paying for unused resources, making this the cheapest viable compute option.

Exam trap

The trap here is that candidates assume committed use discounts (CUDs) are always the cheapest option, but they fail to recognize that preemptible instances are significantly cheaper for short, fault-tolerant batch workloads that do not require sustained usage.

How to eliminate wrong answers

Option B is wrong because sole-tenant nodes are designed for workloads requiring physical server isolation (e.g., licensing or compliance), which adds significant cost without any performance benefit for a standard batch job. Option C is wrong because an N1 standard-4 machine without discounts is a standard (on-demand) instance, which costs more than a preemptible instance for the same vCPU and memory capacity, and the workload is fault-tolerant so preemptible is appropriate. Option D is wrong because a 1-year committed use discount (CUD) requires a financial commitment for a full year, which is not cost-effective for a workload that runs only once daily for 30 minutes; the savings from CUDs are outweighed by the much lower cost of preemptible instances for such a short, infrequent job.

96
MCQhard

Your organization policy at the root level sets `gcp.resourceLocations` to allow only `us-central1` and `us-east1`. A business unit needs to deploy resources in `europe-west1` for GDPR compliance. How can you grant this exception without affecting other business units?

A.Create a separate GCP organization for the business unit and configure its own resource location policy.
B.Set a `gcp.resourceLocations` policy on the business unit's folder with `inheritFromParent: false`, allowing `us-central1`, `us-east1`, and `europe-west1`.
C.Add a `europe-west1` exception to the root org policy using the `exceptions` field.
D.Remove the `gcp.resourceLocations` org policy from the root and apply it to each business unit's folder individually.
AnswerB

Setting inheritFromParent: false and specifying the allowed locations at the folder level overrides the root org policy for that folder's projects only, without affecting other business units.

Why this answer

Option B is correct because Organization Policies support hierarchical inheritance, and setting `inheritFromParent: false` on the business unit's folder allows you to override the root-level `gcp.resourceLocations` constraint. This enables you to define a custom list of allowed locations (including `europe-west1`) for that specific folder without affecting other business units, as the policy is scoped to that folder only.

Exam trap

Google Cloud often tests the misconception that you can add exceptions to list constraints like `gcp.resourceLocations` using an exceptions field, but in reality, list constraints only support allow or deny lists with inheritance override, not per-value exceptions.

How to eliminate wrong answers

Option A is wrong because creating a separate GCP organization is unnecessary overhead and violates the principle of least privilege; you can achieve the exception with folder-level policy inheritance. Option C is wrong because the `gcp.resourceLocations` constraint does not support an `exceptions` field; exceptions are not a feature of this specific constraint type. Option D is wrong because removing the root-level policy would remove the baseline restriction for all business units, forcing you to reapply policies to every folder, which is inefficient and error-prone.

97
MCQhard

An enterprise requires a private connection between its on-premises data center and Google Cloud VPC that does NOT traverse the public internet and provides dedicated 10 Gbps bandwidth. Which connectivity option meets these requirements?

A.Cloud VPN with high-availability configuration
B.Partner Interconnect
C.Dedicated Interconnect
D.Direct Peering
AnswerC

Dedicated Interconnect provides a direct physical connection from the enterprise data center to Google's network at 10 Gbps or 100 Gbps, with no public internet traversal.

Why this answer

Dedicated Interconnect provides a direct, private physical connection between your on-premises network and Google Cloud VPC, offering bandwidth up to 10 Gbps per circuit (or 100 Gbps with multiple circuits) without traversing the public internet. This meets the requirement for a private connection with dedicated 10 Gbps bandwidth, as it uses a colocation facility and a Google-supported router.

Exam trap

The trap here is that candidates often confuse Partner Interconnect with Dedicated Interconnect, assuming both offer dedicated bandwidth, but Partner Interconnect relies on a third-party provider's network and may not guarantee the same level of isolation or dedicated 10 Gbps per circuit.

How to eliminate wrong answers

Option A is wrong because Cloud VPN uses IPSec tunnels over the public internet, which cannot provide dedicated 10 Gbps bandwidth and does not guarantee a private connection that avoids the public internet. Option B is wrong because Partner Interconnect offers bandwidth up to 10 Gbps but relies on a third-party service provider's network, not a direct dedicated connection, and may involve shared infrastructure. Option D is wrong because Direct Peering is a direct connection to Google's edge network but is not a private connection to a VPC; it uses BGP peering over the public internet and does not support dedicated bandwidth guarantees or SLA-backed private connectivity.

98
MCQmedium

You are designing a GKE cluster for a workload that requires high-memory instances (768 GB RAM) for in-memory analytics. Standard machine types in GCP don't offer this configuration. Which machine family should you select for the node pool?

A.N2 machine family with custom vCPU and memory configuration
B.Memory-optimized (M1 or M2) machine family
C.Compute-optimized (C2) machine family
D.Accelerator-optimized (A2) machine family
AnswerB

M1 (m1-megamem, m1-ultramem) and M2 (m2-megamem, m2-ultramem, m2-hypermem) are purpose-built for high-memory workloads, offering configurations well above 768 GB RAM.

Why this answer

The M1 and M2 memory-optimized machine families are specifically designed for workloads requiring large amounts of RAM, such as in-memory analytics, with configurations offering up to 12 TB of memory. Standard machine types like N2 do not provide 768 GB RAM instances, making memory-optimized families the correct choice for this high-memory requirement.

Exam trap

Google Cloud often tests the misconception that custom machine types (like N2) can be scaled arbitrarily for memory, but GCP imposes hard limits on custom configurations (e.g., max 624 GB for N2), making memory-optimized families the only viable option for RAM-intensive workloads like 768 GB in-memory analytics.

How to eliminate wrong answers

Option A is wrong because N2 machine families, even with custom vCPU and memory configurations, are limited to a maximum of 624 GB RAM (with 224 vCPUs), which cannot meet the 768 GB requirement. Option C is wrong because compute-optimized (C2) machine families prioritize high CPU performance over memory, offering a maximum of 60 GB RAM per instance, far below the needed 768 GB. Option D is wrong because accelerator-optimized (A2) machine families are designed for GPU-intensive workloads like machine learning, not for high-memory analytics, and their maximum RAM is 340 GB (with GPUs), insufficient for 768 GB.

99
MCQeasy

A deployment pipeline runs `kubectl logs` to capture output from a crashed Pod's previous container instance. Which flag retrieves logs from the previous (terminated) container instance rather than the current one?

A.kubectl logs api-pod --terminated
B.kubectl logs api-pod --previous
C.kubectl logs api-pod --all-containers --since-crash
D.kubectl describe pod api-pod | grep -A 50 'Last State'
AnswerB

`--previous` (or `-p`) retrieves logs from the last terminated container instance — essential for debugging containers that crash on startup.

Why this answer

The `--previous` flag in `kubectl logs` retrieves logs from the previous (terminated) container instance of a Pod. This is essential for debugging crashes where the current container has restarted, as the logs from the failed instance are preserved and accessible only with this flag.

Exam trap

Google Cloud often tests the `--previous` flag as the only way to access logs from a terminated container, and candidates mistakenly choose `--terminated` or `--since-crash` because they sound plausible but do not exist in the kubectl command syntax.

How to eliminate wrong answers

Option A is wrong because `--terminated` is not a valid flag for `kubectl logs`; the correct flag is `--previous`. Option C is wrong because `--all-containers` streams logs from all containers in the Pod, and `--since-crash` is not a valid flag; there is no `--since-crash` option in kubectl. Option D is wrong because `kubectl describe pod` shows the 'Last State' field with exit details but does not retrieve the actual log output from the terminated container; it only provides metadata about the previous termination.

100
MCQmedium

You are reviewing a GCP project's IAM policy and find that the `allUsers` principal has `storage.objectViewer` on a Cloud Storage bucket. The bucket contains internal documentation. What are the security implications, and what should you do?

A.This is acceptable if the bucket has Uniform Bucket-Level Access enabled; UBLA encrypts the data.
B.Any person on the internet can read the internal documents; remove the `allUsers` binding immediately and restrict access to authorized identities.
C.This is a read-only permission so it's acceptable — attackers can't modify the documents.
D.Enable Cloud Armor on the bucket to restrict access to your corporate IP range.
AnswerB

allUsers grants unauthenticated public access. Internal documentation should never be public. Removing the binding and enabling Public Access Prevention prevents re-introduction of this misconfiguration.

Why this answer

Option B is correct because granting `storage.objectViewer` to `allUsers` makes the bucket's objects publicly readable by anyone on the internet, including anonymous users. This violates the principle of least privilege and exposes internal documentation to unauthorized access. The immediate remediation is to remove the `allUsers` binding and replace it with specific, authenticated identities (e.g., service accounts or Google Groups) that require access.

Exam trap

The trap here is that candidates might think read-only permissions are safe or that UBLA automatically secures a bucket, but Google Cloud tests that `allUsers` with any IAM role (even read-only) on a bucket containing sensitive data is a critical security risk that must be removed immediately.

How to eliminate wrong answers

Option A is wrong because Uniform Bucket-Level Access (UBLA) does not encrypt data; it enforces IAM-based access control instead of ACLs, but it does not prevent public access when `allUsers` is granted. Option C is wrong because read-only permissions are not acceptable for internal documents; data confidentiality is breached regardless of write access, and attackers can exfiltrate sensitive information. Option D is wrong because Cloud Armor is a web application firewall for HTTP(S) load balancers, not a service that can be directly applied to Cloud Storage buckets; it cannot restrict access to a bucket's objects.

101
MCQmedium

You have a GCP organization with hundreds of projects. You need to find all projects that have the `compute.googleapis.com` API enabled. Which approach provides the most efficient way to query this across all projects?

A.Write a script that runs `gcloud services list --enabled` for each project ID returned by `gcloud projects list`.
B.Use Cloud Asset Inventory to search for `serviceusage.googleapis.com/Service` assets with state `ENABLED` and name matching `compute.googleapis.com`.
C.Check the Cloud Console's API library for each project manually.
D.Query Cloud Billing export data in BigQuery for projects with Compute Engine line items.
AnswerB

CAI indexes all GCP resource states organization-wide. A single `gcloud asset search-all-resources` or `analyzeOrgPolicy` call returns all matching assets across all projects without iterating.

Why this answer

Cloud Asset Inventory provides a scalable, API-driven way to query resources across all projects in an organization without iterating over each project. By searching for `serviceusage.googleapis.com/Service` assets with `state: ENABLED` and `name: compute.googleapis.com`, you can retrieve the exact list of projects with the Compute Engine API enabled in a single, efficient query. This avoids the latency and quota limitations of scripting against each project individually.

Exam trap

The trap here is that candidates assume the most straightforward scripting approach (Option A) is efficient, but Google Cloud tests whether you recognize that Cloud Asset Inventory is purpose-built for cross-project resource discovery without per-project API calls.

How to eliminate wrong answers

Option A is wrong because iterating over hundreds of projects with `gcloud services list --enabled` is inefficient, slow, and can hit API rate limits; it also requires scripting and error handling for each project. Option C is wrong because manually checking the Cloud Console's API library for each project is impractical and error-prone for hundreds of projects, offering no automation or scalability. Option D is wrong because Cloud Billing export data in BigQuery shows cost line items, not API enablement status; a project might have Compute Engine line items from legacy usage even if the API is currently disabled, or the API could be enabled without incurring costs.

102
MCQmedium

Your company uses Google Workspace for email. You need to set up GCP for a new team that includes contractors who use non-Google email addresses. Which identity solution allows contractors to authenticate to GCP without a Google Workspace license?

A.Issue each contractor a Gmail account and add it directly to IAM.
B.Provision contractor accounts using Cloud Identity Free, independent of Google Workspace.
C.Create service accounts for each contractor and share the key JSON files.
D.Add contractor email addresses as external users and grant them project-level IAM roles.
AnswerB

Cloud Identity Free provides managed Google accounts without Workspace productivity apps. Contractors get GCP-only identities under your organization's domain, with centralized management and SSO support.

Why this answer

Cloud Identity Free provides identity management for users without requiring a Google Workspace license. It allows contractors with non-Google email addresses to authenticate to GCP using their existing email as a Google account, enabling IAM role assignment without additional licensing costs. This is the correct solution because it decouples identity from Google Workspace, supporting external users while maintaining centralized access control.

Exam trap

The trap here is that candidates confuse 'external user' (which requires a pre-existing Google identity) with the ability to create a new Google identity via Cloud Identity Free, leading them to incorrectly select Option D, which fails because GCP IAM does not automatically create Google accounts from arbitrary email addresses.

How to eliminate wrong answers

Option A is wrong because issuing each contractor a Gmail account violates the requirement to use their existing non-Google email addresses and introduces unnecessary overhead, as Gmail accounts are personal and not designed for enterprise identity management. Option C is wrong because service accounts are intended for applications and automated workloads, not for individual human users; sharing key JSON files creates a severe security risk with no ability to enforce MFA or revoke access granularly. Option D is wrong because adding contractor email addresses as external users (e.g., via Google Groups or direct IAM) without a Cloud Identity or Workspace license does not create a Google account for them; they would be unable to authenticate because GCP IAM requires a Google identity (either a Google account or a Cloud Identity managed account) to sign in.

103
MCQmedium

A company has a VPC with several Compute Engine instances that only have internal IPs. These instances need to download updates from the internet. What is the recommended method to provide internet access without assigning external IPs to each instance?

A.Use VPC Network Peering with a public network.
B.Set up a Cloud VPN gateway to route traffic to on-premises.
C.Place the instances behind an external HTTP(S) load balancer.
D.Configure Cloud NAT in the same region and subnet.
AnswerD

Cloud NAT provides outbound internet access for private instances.

Why this answer

Cloud NAT (Network Address Translation) allows instances with only internal IPs to initiate outbound connections to the internet, while preventing inbound connections from the internet. It translates the internal IPs to a shared external IP address, enabling secure internet access without assigning external IPs to each instance. This is the recommended method for providing internet access to private instances in Google Cloud.

Exam trap

Google Cloud often tests the misconception that an external load balancer can provide outbound internet access, but it only handles inbound traffic; candidates confuse inbound load balancing with outbound NAT.

How to eliminate wrong answers

Option A is wrong because VPC Network Peering connects two VPC networks, but does not provide internet access; it only allows private communication between the peered networks. Option B is wrong because Cloud VPN is used for secure connectivity to on-premises networks, not for general internet access; it would route traffic to on-premises, not to the internet. Option C is wrong because an external HTTP(S) load balancer is designed to distribute incoming traffic from the internet to backend instances, not to provide outbound internet access for those instances; it does not perform source NAT for outbound connections.

104
MCQhard

An organization policy at the organization level sets `constraints/compute.requireOsLogin` to enforced (true) on all projects. A specific project needs an exception — VMs there should not require OS Login. How can this exception be configured?

A.Removing the VM from the VPC will bypass the organization policy
B.Set a project-level organization policy overriding `compute.requireOsLogin` to not enforced (if the constraint allows override)
C.Grant the VM's service account the OS Login Admin role to bypass the policy
D.Move the project to a folder that doesn't inherit the organization policy
AnswerB

If the constraint supports project-level override, setting the policy to `not enforced` at the project level creates an exception for that project, overriding the inherited org-level policy.

Why this answer

Option B is correct because organization policies can be overridden at a lower level (project, folder) if the constraint's `inheritFromParent` setting allows it. The `compute.requireOsLogin` boolean constraint supports per-project override, so setting it to `false` at the project level exempts that project's VMs from requiring OS Login while the organization-level policy remains enforced for all other projects.

Exam trap

Google Cloud often tests the misconception that organization policies are absolute and cannot be overridden at lower levels, but many boolean constraints explicitly allow per-project or per-folder overrides when configured correctly.

How to eliminate wrong answers

Option A is wrong because removing a VM from its VPC does not bypass the organization policy; the policy applies to all VMs in the project regardless of VPC membership, and a VM without a VPC cannot function. Option C is wrong because granting the VM's service account the OS Login Admin role does not bypass the `compute.requireOsLogin` policy; that role only allows managing OS Login settings on instances, not overriding the enforcement of OS Login itself. Option D is wrong because moving the project to a folder that doesn't inherit the organization policy is not possible—organization policies at the organization level are inherited by all folders and projects unless explicitly excluded via a policy with `inheritFromParent: false`, and a project cannot be moved outside the organization hierarchy.

105
MCQmedium

Your organization has multiple GCP projects and wants to implement least privilege access for operations teams. Each operations team manages a specific set of projects. You have created custom roles that grant permissions to start and stop Compute Engine instances, view logs, and monitor resources. You are using Google Groups to assign roles to users. Recently, a user from the network operations team was able to modify firewall rules in a project managed by the compute operations team, causing a security incident. During the root cause analysis, you discover that the user is a member of both the network operations group and the compute operations group. The compute operations group is assigned a custom role that does not include firewall permissions. The network operations group is assigned a role that includes firewall admin permissions. How should you redesign the IAM structure to prevent cross-team access while maintaining required permissions?

A.Create a separate project for each team and use VPC Service Controls to isolate.
B.Use IAM conditions to restrict the network operations role to only the network team's projects.
C.Implement organization policies to deny firewall modifications unless a specific condition is met.
D.Remove the user from the network operations group.
AnswerB

IAM conditions can scope role use to specific projects, preventing role abuse in other projects.

Why this answer

Option B is correct because IAM conditions allow you to restrict the network operations team's firewall admin permissions to only their designated projects, preventing a user who is a member of both groups from using those permissions in the compute operations team's projects. This enforces least privilege by scoping the role's effectiveness based on resource attributes, without requiring project-level separation or removing the user from necessary groups.

Exam trap

The trap here is that candidates think removing the user from the group (Option D) or using organization policies (Option C) solves the problem, but they fail to recognize that IAM conditions can scope permissions to specific projects or resources without altering group membership or applying blanket restrictions.

How to eliminate wrong answers

Option A is wrong because creating separate projects and using VPC Service Controls does not address the cross-team access issue; the user would still be a member of both groups and could inherit permissions across projects if roles are assigned at the organization or folder level. Option C is wrong because organization policies deny or allow actions broadly across all projects, and they cannot conditionally restrict permissions based on group membership or project ownership; they are not a substitute for IAM conditions. Option D is wrong because removing the user from the network operations group would break their legitimate need to manage firewall rules in their own projects, violating the principle of least privilege by over-restricting access.

106
MCQeasy

A team has a Docker container image locally and wants to push it to Google Artifact Registry. They've already authenticated Docker with GCP. The registry host is 'us-central1-docker.pkg.dev'. Which commands correctly tag and push the image?

A.docker tag myimage us-central1-docker.pkg.dev/myproject/myrepo/myimage:v1 && docker push us-central1-docker.pkg.dev/myproject/myrepo/myimage:v1
B.gcloud artifacts docker push myimage --location=us-central1 --repository=myrepo
C.docker push gcr.io/myproject/myimage:v1
D.gcloud container images push myimage:v1 --region=us-central1
AnswerA

This correctly tags the local image with the full Artifact Registry path and pushes it. The format is `[REGION]-docker.pkg.dev/[PROJECT]/[REPO]/[IMAGE]:[TAG]`.

Why this answer

Option A is correct because it uses the standard Docker CLI workflow: first tagging the local image with the full Artifact Registry path (including the registry host, project, repository, and image name with tag), then pushing it. Since the team has already authenticated Docker with GCP, the `docker push` command will authenticate via the Docker credential helper and upload the image to the specified Artifact Registry repository.

Exam trap

Google Cloud often tests the distinction between Google Container Registry (gcr.io) and Artifact Registry (LOCATION-docker.pkg.dev), and candidates mistakenly use gcr.io commands or syntax for Artifact Registry, or assume gcloud commands can replace standard Docker CLI commands for pushing images.

How to eliminate wrong answers

Option B is wrong because `gcloud artifacts docker push` is not a valid command; the correct gcloud command for pushing Docker images is `gcloud artifacts docker upload`, but even that requires a different syntax and does not use `--location` and `--repository` flags in the way shown. Option C is wrong because it pushes to `gcr.io` (Google Container Registry), not to Artifact Registry (`us-central1-docker.pkg.dev`), and the registry host must match the target Artifact Registry location. Option D is wrong because `gcloud container images push` is a command for Google Container Registry (gcr.io), not Artifact Registry, and the `--region` flag is not valid for that command.

107
MCQmedium

Refer to the exhibit. A user 'admin@example.com' attempts to create a Compute Engine instance but fails with a permission error. Which permission is missing?

A.compute.instances.get
B.iam.serviceAccounts.actAs
C.compute.instances.create
D.compute.instances.setServiceAccount
AnswerB

This permission is required to use a service account during instance creation and is not in the given roles.

Why this answer

The error occurs because when a user creates a Compute Engine instance with a service account, they need the `iam.serviceAccounts.actAs` permission on that service account. This permission allows the user to impersonate the service account and delegate its identity to the instance. Without it, the creation fails even if the user has `compute.instances.create`.

Exam trap

Google Cloud often tests the `iam.serviceAccounts.actAs` permission as a hidden requirement, trapping candidates who assume that `compute.instances.create` alone is sufficient for instance creation with a service account.

How to eliminate wrong answers

Option A is wrong because `compute.instances.get` is a read-only permission for viewing instance details, not required for creation. Option C is wrong because `compute.instances.create` is necessary but not sufficient; the user likely already has it, as the error is about the service account delegation, not the instance creation itself. Option D is wrong because `compute.instances.setServiceAccount` is used to change the service account on an existing instance, not to authorize the initial attachment during creation.

108
MCQ · medium

A team deploys an application on GKE and needs it to be accessible at https://api.company.com with automatic TLS certificate provisioning. They use a Global external Application Load Balancer. What handles the TLS certificate?

A. The GKE cluster automatically generates a self-signed TLS certificate for the domain
B. A Google-managed SSL certificate attached to the load balancer's HTTPS target proxy
C. Cloud DNS automatically provisions a TLS certificate when a domain is added
D. cert-manager in GKE automatically obtains Let's Encrypt certificates for the Ingress
Answer: B

Google-managed SSL certificates are provisioned automatically and renewed before expiry. They're attached to the load balancer's target HTTPS proxy — zero manual certificate management.

Why this answer

A Global external Application Load Balancer uses an HTTPS target proxy to terminate TLS. To automatically provision and renew TLS certificates for a custom domain, you attach a Google-managed SSL certificate to that target proxy. Google manages the entire lifecycle, including domain verification via Cloud DNS, so no manual certificate generation or third-party tools are needed.

Exam trap

The trap here is that candidates confuse the Kubernetes Ingress resource (which can use cert-manager) with the Global external Application Load Balancer's HTTPS target proxy, which requires a Google-managed SSL certificate attached directly to the proxy, not a Kubernetes-native certificate solution.

How to eliminate wrong answers

Option A is wrong because GKE clusters do not automatically generate self-signed certificates for custom domains; self-signed certificates are only used for internal cluster communication or when explicitly configured, and they would not be trusted by public clients. Option C is wrong because Cloud DNS is a DNS service that manages domain records but does not provision TLS certificates; certificate provisioning is handled by Certificate Authority Service or Google-managed SSL certificates, not by Cloud DNS itself. Option D is wrong because cert-manager is a Kubernetes add-on that can obtain Let's Encrypt certificates, but it is not automatically deployed or managed by GKE; the question specifies a Global external Application Load Balancer, which uses an HTTPS target proxy, not a Kubernetes Ingress, so cert-manager is not the native or required solution.

109
MCQ · easy

Which command creates a Cloud Storage bucket named 'my-archive-bucket' in the US multi-region using the modern gcloud CLI?

A. gcloud storage mk gs://my-archive-bucket --location=US
B. gcloud storage buckets create gs://my-archive-bucket --location=US
C. gcloud cloud-storage create my-archive-bucket --region=US
D. gsutil mk -l US gs://my-archive-bucket
Answer: B

This is the correct modern syntax. `gcloud storage buckets create` followed by the `gs://` bucket URI and `--location` creates the bucket in the US multi-region.

Why this answer

Option B is correct because the modern gcloud CLI uses the `gcloud storage buckets create` command to create a Cloud Storage bucket, and the `--location=US` flag specifies the US multi-region. This command is part of the newer, unified `gcloud storage` command group that replaces the older `gsutil` tool for bucket management.

Exam trap

Google Cloud often tests the distinction between the modern `gcloud storage` command group and the legacy `gsutil` tool, and candidates may mistakenly choose a `gsutil` command or an invalid `gcloud` subcommand when the question explicitly requires the modern CLI.

How to eliminate wrong answers

Option A is wrong because `gcloud storage mk` is not a valid command; the correct subcommand is `gcloud storage buckets create`. Option C is wrong because `gcloud cloud-storage create` is not a valid gcloud command; the correct command group is `gcloud storage buckets`. Option D is wrong because `gsutil mk` is the older, legacy tool, and the question explicitly asks for the 'modern gcloud CLI'.

110
MCQ · medium

A GKE node pool has an autoscaler configured with min=2, max=10 nodes. After a sustained traffic surge, the cluster scaled to 10 nodes. Traffic drops overnight to its normal level, but the cluster remains at 10 nodes after 4 hours. What is the most likely reason?

A. Cluster autoscaler only scales down once per day
B. Pods have a PodDisruptionBudget preventing eviction, or nodes are still within the scale-down cooldown period
C. The max node count prevents scale-down — setting max=10 locks the cluster at 10 nodes
D. Cloud Monitoring alerts are pausing the autoscaler to investigate the traffic drop
Answer: B

Cluster autoscaler delays scale-down to avoid premature removal of needed capacity. PodDisruptionBudgets that prevent Pod eviction also block node removal.

Why this answer

Option B is correct because the cluster autoscaler will not scale down nodes that are hosting pods protected by a PodDisruptionBudget (PDB) that prevents eviction, or if the nodes are still within the scale-down cooldown period (default 10 minutes after a scale-up). Since the cluster scaled up to 10 nodes during the traffic surge, the autoscaler must wait for the cooldown to expire and for all pods to be safely evictable before removing nodes. If any pods have a PDB that blocks eviction (e.g., requiring at least 3 replicas), the autoscaler cannot terminate the underlying nodes, keeping the cluster at 10 nodes even after traffic drops.

Exam trap

Google Cloud often tests the misconception that the autoscaler's max node count prevents scale-down, when in fact the max only caps scale-up, and scale-down is blocked by cooldown periods or PodDisruptionBudgets.

How to eliminate wrong answers

Option A is wrong because the cluster autoscaler does not have a 'once per day' scale-down limit; it evaluates scale-down continuously, subject to cooldown periods and other constraints. Option C is wrong because the max node count (10) only sets an upper bound on scaling up, not a lock; the autoscaler can scale down to the min node count (2) when utilization is low. Option D is wrong because Cloud Monitoring alerts do not pause the autoscaler; the autoscaler operates independently based on resource utilization metrics, and alerts are for notification, not control.

111
MCQ · medium

A startup needs to send transactional emails (order confirmations, password resets) from their GCP-hosted application. Which GCP service handles high-volume email delivery?

A. Cloud Tasks with an email delivery queue
B. A third-party email delivery service such as SendGrid or Mailgun, integrated via API
C. Cloud Pub/Sub with an email topic subscriber
D. Cloud Functions triggered by Gmail API webhooks
Answer: B

GCP doesn't include a native email service. Transactional email is handled by third-party providers (SendGrid, Mailgun, Mailchimp) accessed via their APIs from GCP-hosted applications.

Why this answer

B is correct because GCP does not provide a native high-volume transactional email service. Third-party email delivery services like SendGrid or Mailgun are designed specifically for this purpose, offering dedicated SMTP relays, APIs, and reputation management to ensure reliable delivery of transactional emails such as order confirmations and password resets.

Exam trap

Google Cloud often tests the misconception that GCP provides a built-in email delivery service, leading candidates to choose Cloud Tasks or Pub/Sub, but these are generic messaging services that require integration with a dedicated email provider to actually send emails.

How to eliminate wrong answers

Option A is wrong because Cloud Tasks is a distributed task queue for asynchronous work execution, not an email delivery service; it cannot send emails directly and would still require an external email provider. Option C is wrong because Cloud Pub/Sub is a messaging service for event ingestion and distribution, not an email delivery mechanism; it would need a subscriber that integrates with an email service. Option D is wrong because Cloud Functions triggered by Gmail API webhooks are designed to react to incoming Gmail events, not to send high-volume transactional emails, and the Gmail API has strict sending limits and is not intended for programmatic bulk email.

112
MCQ · hard

A production GKE service processes payments and must maintain at least 3 replicas running at all times, even during node upgrades or Pod evictions. How should this be enforced?

A. Set the Deployment replica count to 6 — node upgrades will only affect half at a time
B. Create a PodDisruptionBudget with minAvailable: 3 targeting the payment service Pods
C. Add node affinity rules pinning all 3 replicas to specific long-lived nodes
D. Enable cluster autoscaler with minNodeCount=3 — this preserves Pod availability
Answer: B

A PDB with minAvailable: 3 instructs GKE's node drain process (during upgrades, autoscaler removals) to ensure at least 3 payment service Pods remain running throughout the disruption.

Why this answer

A PodDisruptionBudget (PDB) with `minAvailable: 3` ensures that at least 3 replicas of the payment service remain available during voluntary disruptions like node upgrades or Pod evictions. The Kubernetes scheduler respects the PDB by blocking evictions that would drop the number of healthy Pods below the specified threshold, guaranteeing continuous service availability even when nodes are being drained.

Exam trap

Google Cloud often tests the misconception that increasing replica count or using node-level controls (affinity, autoscaler) alone can guarantee availability during voluntary disruptions, when in fact only a PodDisruptionBudget provides the explicit eviction protection needed.

How to eliminate wrong answers

Option A is wrong because simply setting the replica count to 6 does not enforce availability during node upgrades; node upgrades can still evict all Pods on a node, and without a PDB, the eviction controller may drain all replicas simultaneously, dropping below 3. Option C is wrong because node affinity rules pin Pods to specific nodes, but those nodes themselves can be upgraded or fail, and affinity does not prevent evictions during node maintenance, so availability is not guaranteed. Option D is wrong because cluster autoscaler with `minNodeCount=3` only ensures a minimum number of nodes exist, not that Pods are distributed or protected from eviction; Pods can still be evicted from those nodes during upgrades, and the autoscaler does not enforce a minimum number of running replicas.

113
MCQ · hard

Your company runs a stateful web application on a managed instance group (MIG) in us-central1 across three zones. The application uses a TCP health check on port 8080. Recently, instances have been recreated frequently due to health check failures, though the application logs show no errors and instances are accessible via SSH. The firewall rules allow traffic from the health check ranges (130.211.0.0/22 and 35.191.0.0/16) to port 8080. You have verified that the application is listening on 0.0.0.0:8080. Which of the following is the most likely cause of the health check failures?

A. The health check is using the HTTP protocol instead of TCP.
B. The MIG's autohealing policy is set to a too-aggressive initial delay.
C. The firewall rule allowing health check probes is not applied to the instances due to missing network tags.
D. The application is only listening on the localhost interface.
Answer: C

Health check probes will be blocked if the firewall rule does not apply to the instances' network tags, even if the rule exists.

Why this answer

Since the application listens on 0.0.0.0, it should respond on all interfaces, but if the firewall is not properly configured for the health check source ranges, probes could be blocked. The firewall rule exists but might not be applied to the correct network tags or target instances. Option C is the most common cause of health check failures in such scenarios.

Option A (wrong protocol) is incorrect because the question states that a TCP health check is in use. Option B (autohealing misconfiguration) would change when autohealing acts but would not itself cause the probes to fail. Option D (app listening on the wrong interface) is ruled out because the application listens on 0.0.0.0.

114
MCQ · hard

Refer to the exhibit. A user attempts to create a Deployment Manager deployment that references a service account. What is the most likely issue?

A. The user does not have deploymentmanager.deployments.create permission
B. The user does not have the roles/iam.serviceAccountUser role on the service account
C. The service account is disabled
D. The service account does not exist
Answer: B

The actAs permission is needed to use a service account in deployments.

Why this answer

When a Deployment Manager deployment references a service account, the user must have the `roles/iam.serviceAccountUser` role on that service account to impersonate it. Without this role, the deployment fails even if the user has `deploymentmanager.deployments.create` permission, because the service account is used to execute the deployment's resources. Option B correctly identifies this missing IAM binding as the most likely issue.

Exam trap

Google Cloud often tests the distinction between having permission to create a deployment versus having permission to use a specific service account within that deployment, leading candidates to mistakenly choose the deployment-level permission error (Option A) instead of the IAM role on the service account (Option B).

How to eliminate wrong answers

Option A is wrong because the user is attempting to create a deployment, and the error would typically be a permissions denial if they lacked `deploymentmanager.deployments.create`, but the question implies the user has that permission and the issue is specifically with the service account reference. Option C is wrong because a disabled service account would produce a different error (e.g., 'service account is disabled'), but the question does not indicate the account is disabled, and the most common issue is missing the `roles/iam.serviceAccountUser` role. Option D is wrong because if the service account did not exist, the error would be a 'not found' or 'does not exist' message, not a permissions-related failure; the question implies the account exists but the user lacks the necessary role to use it.

115
MCQ · easy

Refer to the exhibit. After applying this IAM policy to a bucket, what access is granted?

A. Anyone authenticated with a Google account can list and read objects
B. No access is granted because the condition is missing
C. Only users in the same GCP project can read objects
D. Anyone on the internet can list and read objects
Answer: A

'allAuthenticatedUsers' includes all authenticated Google users.

Why this answer

The IAM policy grants the `roles/storage.objectViewer` role to `allAuthenticatedUsers`, which includes any identity authenticated with a Google account (including non-GCP accounts). The condition `resource.name.startsWith('projects/_/buckets/example-bucket/objects/public/')` restricts the grant to objects whose path starts with `public/`, so only those objects can be listed and read. This is why option A is correct.

Exam trap

Google Cloud often tests the distinction between `allUsers` (anyone on the internet, no authentication) and `allAuthenticatedUsers` (requires Google authentication), and candidates frequently confuse the two, thinking `allAuthenticatedUsers` means 'anyone' or 'same project only'.

How to eliminate wrong answers

Option B is wrong because the condition is present and valid; it does not cause the policy to be invalid or grant no access. Option C is wrong because `allAuthenticatedUsers` is not limited to users in the same GCP project; it includes any authenticated Google identity, such as Gmail or Google Workspace accounts. Option D is wrong because `allAuthenticatedUsers` does not include unauthenticated users (i.e., anyone on the internet); it requires authentication with a Google account.
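To make the `allUsers` / `allAuthenticatedUsers` distinction and the `startsWith` condition concrete, here is an added Python evaluator (not Google's IAM engine and not part of the question bank) that applies a policy modelled on the exhibit to a few constructed requests; the role-to-permission table is a hand-written subset of the real role.

```python
"""Evaluate a Cloud Storage bucket IAM policy that carries a CEL-style
resource.name.startsWith(...) condition.

Added illustration only: a minimal evaluator, not Google's IAM engine.
"""
import re

# Constructed policy modelled on the exhibit: objectViewer granted to
# allAuthenticatedUsers, limited to objects under public/.
POLICY = {
    "bindings": [
        {
            "role": "roles/storage.objectViewer",
            "members": ["allAuthenticatedUsers"],
            "condition": {
                "title": "public-prefix-only",
                "expression": "resource.name.startsWith("
                              "'projects/_/buckets/example-bucket/objects/public/')",
            },
        }
    ]
}

# Hand-written subset of the permissions the real role contains.
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
}

# The only condition shape this toy evaluator understands.
_STARTS_WITH = re.compile(r"^resource\.name\.startsWith\('([^']*)'\)$")


def member_matches(member, principal):
    """principal is None for an unauthenticated caller, otherwise an IAM
    member string such as 'user:alice@gmail.com'."""
    if member == "allUsers":
        return True                    # anyone on the internet, no auth needed
    if member == "allAuthenticatedUsers":
        return principal is not None   # any Google-authenticated identity
    return member == principal         # explicit user:/group:/serviceAccount:


def condition_holds(condition, resource_name):
    """Evaluate the binding's condition against the full object resource name."""
    if condition is None:
        return True                    # unconditional binding
    match = _STARTS_WITH.match(condition["expression"])
    if not match:
        raise ValueError("unsupported condition: " + condition["expression"])
    return resource_name.startswith(match.group(1))


def is_allowed(policy, principal, permission, resource_name):
    """True if any binding grants `permission` to `principal` on the resource."""
    for binding in policy["bindings"]:
        if permission not in ROLE_PERMISSIONS.get(binding["role"], set()):
            continue
        if not any(member_matches(m, principal) for m in binding["members"]):
            continue
        if condition_holds(binding.get("condition"), resource_name):
            return True
    return False


if __name__ == "__main__":
    obj = "projects/_/buckets/example-bucket/objects/public/index.html"
    print("signed-in Gmail user:", is_allowed(POLICY, "user:alice@gmail.com",
                                               "storage.objects.get", obj))
    print("anonymous caller:   ", is_allowed(POLICY, None,
                                               "storage.objects.get", obj))
```

Swapping the member to `allUsers` in `POLICY` makes the anonymous case succeed, which is exactly the trap the question describes.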

116
MCQ · medium

A team needs to roll out a configuration change to a MIG (Managed Instance Group) — updating the instance template to set a new environment variable. They want to validate the change on 1 VM before rolling it out to all 20 VMs. Which MIG update type supports this?

A. Canary update — update 1 VM to the new template, verify, then roll out to all
B. Opportunistic update — the new template applies only when VMs are naturally replaced
C. Recreate update — terminate all 20 VMs and recreate with the new template simultaneously
D. Snapshot the existing VMs and restore 1 with the new environment variable to test
Answer: A

MIG supports canary updates where a targetSize partition runs the new template while the rest run the old template. The team validates the canary VM before proceeding with full rollout.

Why this answer

A canary update in a Managed Instance Group (MIG) allows you to specify a target size (e.g., 1 VM) to update to the new instance template first. After validating the change on that single VM, you can then promote the canary to roll out the new template to the remaining 19 VMs. This matches the requirement to test on 1 VM before full rollout.

Exam trap

Google Cloud often tests the distinction between 'canary' and 'opportunistic' updates, where candidates mistakenly think opportunistic allows manual selection of a single VM to update, but it only applies changes during natural instance replacement.

How to eliminate wrong answers

Option B is wrong because an opportunistic update only applies the new template when existing VMs are stopped or terminated naturally (e.g., by autohealing or manual deletion), not on demand for a single VM test. Option C is wrong because a recreate update terminates all 20 VMs simultaneously and recreates them with the new template, which does not allow a staged validation on just 1 VM. Option D is wrong because snapshotting and restoring a VM does not update the instance template of the MIG; the MIG would still use the old template for any new VMs or managed operations, and this approach bypasses the MIG's update management entirely.

117
MCQ · medium

A financial application requires all database transactions to be durable even if the primary Cloud SQL instance fails mid-transaction. The RPO (Recovery Point Objective) must be near-zero. Which Cloud SQL feature achieves this?

A. Cloud SQL read replica with synchronous replication
B. Cloud SQL High Availability with synchronous standby replica in a different zone
C. Cloud SQL with automated daily backups and point-in-time recovery
D. Cloud Spanner — it automatically replicates synchronously across zones
Answer: B

Cloud SQL HA uses synchronous replication — each transaction is written to both primary and standby before commit acknowledgment. Primary failure results in zero data loss (near-zero RPO).

Why this answer

Cloud SQL High Availability (HA) uses a synchronous standby replica in a different zone to ensure that every write is committed to both the primary and standby before acknowledging the transaction. This provides near-zero RPO because if the primary fails mid-transaction, the standby has the exact same data and can take over without data loss.

Exam trap

Google Cloud often tests the distinction between synchronous replication (used in HA for near-zero RPO) and asynchronous replication (used in read replicas for read scaling), leading candidates to mistakenly choose read replicas for durability requirements.

How to eliminate wrong answers

Option A is wrong because Cloud SQL read replicas use asynchronous replication, which means transactions can be committed on the primary before being replicated, leading to potential data loss if the primary fails mid-transaction. Option C is wrong because automated daily backups and point-in-time recovery provide durability but with a recovery point objective (RPO) of up to several minutes or hours, not near-zero; they do not protect against mid-transaction failures. Option D is wrong because while Cloud Spanner does provide synchronous replication across zones, it is a different service (not Cloud SQL) and the question specifically asks for a Cloud SQL feature.

118
MCQ · easy

A user needs to view the list of firewall rules in a project but should not be able to create or modify them. Which predefined IAM role should you grant?

A. roles/editor
B. roles/compute.securityAdmin
C. roles/compute.viewer
D. roles/owner
Answer: C

Viewer provides read-only permissions for Compute Engine resources.

Why this answer

The roles/compute.viewer role grants read-only access to Compute Engine resources, including the ability to list firewall rules, without permitting create, update, or delete operations. This aligns with the principle of least privilege for a user who only needs to view firewall configurations.

Exam trap

Google Cloud often tests the distinction between roles/compute.viewer and roles/compute.securityAdmin, where candidates mistakenly choose securityAdmin thinking it is needed for viewing, but it actually grants full write access to firewall rules.

How to eliminate wrong answers

Option A is wrong because roles/editor grants full read/write access to all resources, including the ability to create and modify firewall rules, which exceeds the required permissions. Option B is wrong because roles/compute.securityAdmin specifically allows creating, modifying, and deleting firewall rules and SSL certificates, which is too permissive for a read-only requirement. Option D is wrong because roles/owner provides full administrative access to the project, including all IAM management and resource modifications, far beyond the needed view-only access.

119
MCQ · medium

A Cloud Run service calls external third-party APIs that have rate limits. Under burst traffic, the service spawns many concurrent instances, each making direct API calls, causing rate limit errors. What GCP pattern reduces API call volume without adding infrastructure?

A. Set Cloud Run max-concurrency to 1 so each instance handles one request
B. Cache third-party API responses in Cloud Memorystore (Redis) with appropriate TTL
C. Enable Cloud CDN on the Cloud Run service to cache outbound requests
D. Migrate to Cloud Functions with a lower default concurrency limit
Answer: B

Caching API responses in Redis means many Cloud Run instances read from cache instead of calling the third-party API separately — dramatically reducing outbound API call volume.

Why this answer

Caching third-party API responses in Cloud Memorystore (Redis) with an appropriate TTL reduces the number of outbound API calls by serving cached data to multiple concurrent Cloud Run instances. This directly addresses rate-limit errors without adding new infrastructure, as Memorystore is a managed in-memory cache that integrates seamlessly with Cloud Run via a VPC connector.

Exam trap

The trap here is that candidates confuse caching inbound responses (Cloud CDN) with caching outbound API responses (a pattern using Memorystore or similar), leading them to select Cloud CDN even though it cannot cache server-to-server calls.

How to eliminate wrong answers

Option A is wrong because setting max-concurrency to 1 forces each instance to handle only one request at a time, which reduces concurrency but does not reduce the total number of API calls—each request still triggers a direct call, so rate limits are still hit under burst traffic. Option C is wrong because Cloud CDN caches responses to inbound client requests (e.g., static assets), not outbound API calls from the service to external third parties; it cannot intercept or cache server-to-server HTTP requests. Option D is wrong because migrating to Cloud Functions with lower default concurrency does not reduce API call volume—it merely changes the compute platform while still allowing each function invocation to make direct API calls, and Cloud Functions has no built-in mechanism to deduplicate or cache outbound requests.

120
MCQ · medium

A new developer tries to create a project using gcloud projects create but receives the error shown in the exhibit. Which action should the administrator take to resolve the issue?

A. Assign the Project Creator role (roles/resourcemanager.projectCreator) to the user.
B. Enable the Cloud Resource Manager API.
C. Assign the Billing Account Creator role to the user.
D. Create the project manually and share the project ID.
Answer: A

This role grants the resourcemanager.projects.create permission required to create projects.

Why this answer

Option A is correct because the error indicates a missing resourcemanager.projects.create permission, which is granted by the Project Creator role (roles/resourcemanager.projectCreator). Option C grants permission for billing accounts, not project creation. Option D is a workaround but does not solve the permission issue for the developer.

Option B is incorrect because the error is about permissions, not API enablement; the Cloud Resource Manager API is typically already enabled for the project from which the command is run.

121
MCQ · medium

A company needs to run a batch processing workload that processes 10 TB of data nightly. The job runs for 4 hours and can tolerate interruption with checkpointing. Cost must be minimized. Which Compute Engine pricing model is most appropriate for the batch VMs?

A. On-demand VM pricing with committed use discounts (1-year CUD)
B. Spot VMs (preemptible pricing)
C. Sustained use discounts applied automatically to long-running VMs
D. Standard on-demand pricing with no special configuration
Answer: B

Spot VMs cost up to 91% less than on-demand. For batch jobs with checkpointing that can tolerate interruption, this is the maximum cost optimization available.

Why this answer

Spot VMs (preemptible pricing) are the most cost-effective choice for batch workloads that are fault-tolerant and can handle interruptions via checkpointing. Since the job runs for only 4 hours nightly and can resume from checkpoints, Spot VMs offer up to 60-91% cost savings over on-demand pricing without requiring any commitment.

Exam trap

The trap here is that candidates may think sustained use discounts (Option C) are automatic and sufficient for any long-running workload, but they fail to realize that a 4-hour nightly job does not accumulate enough monthly usage to trigger significant discounts, making Spot VMs the clear winner for cost minimization.

How to eliminate wrong answers

Option A is wrong because committed use discounts (1-year CUD) require a 1-year commitment and are designed for steady-state workloads, not a short 4-hour nightly batch job; they would lock in cost without flexibility and are more expensive than Spot VMs for this use case. Option C is wrong because sustained use discounts automatically apply to VMs that run for a significant portion of a month (over 25%), but a 4-hour nightly job totals only ~120 hours per month, which is well below the threshold for meaningful discounts, and they cannot match Spot VM savings. Option D is wrong because standard on-demand pricing with no special configuration is the most expensive option and ignores the workload's tolerance for interruption, missing the opportunity to use Spot VMs for drastic cost reduction.

122
MCQ · medium

You deploy a Cloud Function (gen1) that calls an external API. During testing you find the function times out after 60 seconds even though you set `--timeout=540`. You also notice the function logs show execution completing in 45 seconds before the timeout. What is the most likely cause of the external timeout?

A. Cloud Functions gen1 has a hard maximum timeout of 60 seconds regardless of configuration.
B. The HTTP client library used in the function has a default 60-second socket/connection timeout.
C. Cloud VPC restricts outbound connections to 60 seconds.
D. The function's service account lacks permission to make outbound HTTP calls.
Answer: B

Many HTTP client libraries (requests, axios, etc.) have default timeouts shorter than the function timeout. The function timeout controls Cloud Functions' kill signal, not the client library's connection timeout.

Why this answer

Option B is correct because the external API call is timing out due to the HTTP client library's default socket/connection timeout, which is often set to 60 seconds. Even though the Cloud Function's overall timeout is configured to 540 seconds, the HTTP request itself has its own timeout that expires before the function completes. The function logs show execution finishing in 45 seconds, indicating the function code completes, but the external API call fails silently or the response is not received within the client's timeout window.

Exam trap

Google Cloud often tests the distinction between the Cloud Function's execution timeout and the HTTP client library's timeout, leading candidates to incorrectly blame the platform's timeout limit when the actual issue is application-level configuration.

How to eliminate wrong answers

Option A is wrong because Cloud Functions gen1 supports a configurable timeout up to 540 seconds (9 minutes), not a hard 60-second limit. Option C is wrong because Cloud VPC does not impose a 60-second timeout on outbound connections; VPC firewall rules and routes do not enforce such a low-level timeout. Option D is wrong because the function's service account lacking permissions to make outbound HTTP calls would result in an authorization error (e.g., 403 or 401), not a timeout after 60 seconds.

123
MCQ · medium

A team's GKE Deployment serves variable traffic — 2 Pods at night, 20 Pods at peak hours. Rather than manually changing replica counts, they want automatic scaling based on CPU utilization (target: 60%). What should they deploy?

A. Vertical Pod Autoscaler (VPA) with CPU target 60%
B. Horizontal Pod Autoscaler (HPA) targeting 60% CPU utilization
C. Cluster Autoscaler with a CPU threshold of 60%
D. Set the Deployment replica count to 20 and rely on resource quotas to limit actual Pod scheduling
Answer: B

HPA monitors CPU utilization and scales replicas up when average CPU exceeds 60% and down when it drops below — exactly the described behavior.

Why this answer

The Horizontal Pod Autoscaler (HPA) is the correct choice because it automatically adjusts the number of Pod replicas in a Deployment based on observed CPU utilization, scaling from 2 to 20 Pods as needed to maintain the target of 60% CPU. HPA works by querying the metrics server for CPU usage and calculating the desired replica count using the formula: desiredReplicas = currentReplicas × (currentMetricValue / targetMetricValue). This directly addresses the requirement for variable traffic without manual intervention.

Exam trap

Google Cloud often tests the distinction between scaling Pod replicas (HPA) versus scaling Pod resources (VPA) versus scaling cluster nodes (Cluster Autoscaler), and the trap here is confusing VPA's resource adjustment with HPA's replica adjustment, especially when the question mentions 'CPU utilization target'.

How to eliminate wrong answers

Option A is wrong because Vertical Pod Autoscaler (VPA) adjusts CPU and memory requests/limits of existing Pods, not the number of replicas; it cannot scale from 2 to 20 Pods based on load. Option C is wrong because Cluster Autoscaler adds or removes nodes from the cluster, not Pod replicas; it operates at the infrastructure level and does not target CPU utilization for Pod scaling. Option D is wrong because setting a fixed replica count of 20 wastes resources during low traffic, and resource quotas only limit total resource consumption, they do not dynamically scale Pods up or down based on CPU utilization.
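As an added example (not Kubernetes' or GKE's own controller code), the replica formula quoted above carried through in Python for the 2-to-20 Pod, 60% target scenario; the ceiling, the 10% tolerance band and the min/max clamp are taken from the upstream HPA defaults and are assumptions of this illustration, not facts stated by the question.

```python
"""Reproduce the Horizontal Pod Autoscaler replica calculation for the
2-to-20 Pod, 60% CPU target scenario.

Added illustration only; it mirrors the upstream formula
    desiredReplicas = ceil(currentReplicas * currentMetric / targetMetric)
with the controller's default 10% tolerance band and the HPA's
minReplicas/maxReplicas clamp.
"""
import math

# Default of kube-controller-manager's --horizontal-pod-autoscaler-tolerance.
TOLERANCE = 0.10


def desired_replicas(current_replicas, current_util_pct, target_util_pct,
                     min_replicas=2, max_replicas=20):
    """One HPA sync: return the replica count the controller would set."""
    ratio = current_util_pct / target_util_pct
    if abs(ratio - 1.0) <= TOLERANCE:
        desired = current_replicas               # close enough: no change
    else:
        desired = math.ceil(current_replicas * ratio)
    # minReplicas/maxReplicas bound the result in both directions.
    return max(min_replicas, min(max_replicas, desired))


def simulate(start_replicas, utilization_samples, target_util_pct=60):
    """Walk a series of observed average-CPU readings (each taken after the
    previous scaling decision has settled) and record the replica count the
    HPA would choose at each sync."""
    replicas = start_replicas
    history = []
    for util in utilization_samples:
        replicas = desired_replicas(replicas, util, target_util_pct)
        history.append(replicas)
    return history


if __name__ == "__main__":
    # Constructed readings: a morning ramp-up, a steady afternoon, an evening drop.
    day = [120, 120, 100, 55, 30, 30]
    print(simulate(2, day))   # [4, 8, 14, 14, 7, 4]
```

The fourth reading (55% against a 60% target) leaves the count unchanged because it falls inside the tolerance band; without that band the HPA would churn replicas on every small fluctuation.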

124
MCQmedium

Your team is planning a GKE cluster for a microservices application. Some services process sensitive payment data and must run on dedicated nodes that no other workloads can access. The rest of the application can share nodes. How should you configure the cluster?

A.Use separate GKE clusters: one for payment services and one for everything else.
B.Apply taints to the dedicated node pool and tolerations to payment service pod specs.
C.Use Kubernetes NetworkPolicy to restrict network access between payment pods and other pods.
D.Set resource requests and limits so payment services consume all resources on their nodes.
AnswerB

Taints prevent regular pods from being scheduled on payment nodes. Tolerations in payment pod specs allow scheduling there. This achieves workload isolation within a single cluster.

Why this answer

Option B is correct because taints on dedicated node pools prevent pods without matching tolerations from being scheduled on those nodes, ensuring that only payment service pods (which include the corresponding tolerations) can run on the dedicated nodes. This isolates sensitive workloads at the node level without requiring separate clusters, which would add operational overhead and complexity.

Exam trap

Google Cloud often tests the misconception that network policies (Option C) provide workload isolation, when in fact they only control east-west traffic and do not prevent co-location of pods on the same node, which is the core requirement for dedicated node isolation.

How to eliminate wrong answers

Option A is wrong because using separate clusters for payment services and other workloads introduces unnecessary management overhead, cross-cluster networking complexity, and defeats the purpose of node-level isolation when a single cluster with taints and tolerations can achieve the same goal more efficiently. Option C is wrong because Kubernetes NetworkPolicy controls network traffic between pods but does not prevent non-payment pods from being scheduled on the same node as payment pods, leaving the sensitive data vulnerable to side-channel attacks or resource contention. Option D is wrong because setting resource requests and limits to consume all node resources does not prevent other pods from being scheduled on the same node; it only guarantees resource availability for payment pods, and the scheduler can still place non-payment pods on those nodes if resources are available.
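The manifest below is an added example, not from the original question. It assumes a dedicated node pool created with a pool-level taint and label (pool, label and taint names are hypothetical) and shows the Pod-side half of the isolation: the toleration that admits payment Pods to the tainted nodes plus the nodeSelector that keeps them off the shared ones.

```yaml
# Added example, not from the original page. Assumes the node pool was created with
#   gcloud container node-pools create payment-pool --cluster=CLUSTER \
#     --node-taints=workload=payment:NoSchedule --node-labels=workload=payment
# (hypothetical names). A pool-level taint survives node recreation and autoscaling,
# unlike a taint applied by hand with "kubectl taint node".
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payment-api
  namespace: payments
spec:
  replicas: 3
  selector:
    matchLabels:
      app: payment-api
  template:
    metadata:
      labels:
        app: payment-api
    spec:
      # The toleration lets these Pods be scheduled onto the tainted nodes ...
      tolerations:
        - key: workload
          operator: Equal
          value: payment
          effect: NoSchedule
      # ... but a toleration alone does not force them there. Without the
      # nodeSelector the scheduler may still place payment Pods on shared nodes.
      nodeSelector:
        workload: payment
      containers:
        - name: payment-api
          image: us-docker.pkg.dev/example-project/payments/api:1.4   # hypothetical
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
          resources:
            requests:
              cpu: 500m
              memory: 512Mi
```

Two practitioner checks: `kubectl get pods -n payments -o wide` should list only the payment-pool nodes, and `kubectl describe node <payment-node>` should show no non-system Pods from other namespaces. The taint only keeps out Pods that lack the toleration; anyone allowed to create Pods with arbitrary tolerations can still land on the dedicated nodes, so pair this with RBAC or an admission policy that restricts who may set that toleration.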

125
Multi-Selecthard

Which THREE are best practices for monitoring and alerting in Google Cloud?

Select 3 answers
A.Configure budget alerts in Cloud Billing to notify when costs exceed a threshold.
B.Use Cloud Audit Logs to monitor administrative actions and data access.
C.Enable VPC Flow Logs for all subnets to capture all network traffic metadata.
D.Set up alerts based on log-based metrics to detect specific error patterns.
E.Use Cloud Monitoring to create uptime checks for external-facing services.
AnswersB, D, E

Audit logs are essential for security and compliance monitoring.

Why this answer

Option B is correct because Cloud Audit Logs provide a comprehensive record of administrative actions (Admin Activity logs) and data access (Data Access logs) within Google Cloud. Monitoring these logs is a best practice for security, compliance, and operational troubleshooting, as they capture who did what, where, and when across services like IAM, Compute Engine, and Cloud Storage. Option D is correct because a log-based metric turns a log query (for example, a count of entries matching a specific error string) into a time series that a Cloud Monitoring alerting policy can evaluate, so a spike in a known error pattern notifies someone instead of sitting unread in Logs Explorer. Option E is correct because uptime checks probe an external endpoint from several global locations on a schedule and alert when it stops responding or returns an unexpected status, catching outages before customers report them.

Exam trap

Google Cloud often tests the distinction between cost management (budget alerts) and operational monitoring (Cloud Monitoring, log-based metrics, uptime checks), leading candidates to incorrectly include budget alerts as a monitoring best practice.

126
MCQhard

A team runs a Kubernetes Deployment with 3 replicas behind a Service. They want to expose it externally with HTTPS and route traffic based on URL paths (/api → backend service, / → frontend service). Which Kubernetes resource handles path-based routing at Layer 7?

A.A LoadBalancer Service with path routing rules
B.A Kubernetes Ingress resource with path rules
C.A NodePort Service with iptables path routing rules
D.Multiple ClusterIP Services with DNS SRV records for path routing
AnswerB

Ingress resources define HTTP routing rules including path-based routing. On GKE, the Ingress controller provisions a GCP Application Load Balancer with TLS and path rules.

Why this answer

A Kubernetes Ingress resource is the native API object designed for Layer 7 (HTTP/HTTPS) routing, including path-based routing. It lets you define rules that map URL paths (e.g., /api, /) to different backend Services. The Ingress object itself is only a declaration; an Ingress controller implements it. On GKE the built-in controller provisions an external Application Load Balancer that terminates TLS and applies the path rules, while on other platforms controllers such as NGINX or HAProxy do the same job. This directly meets the requirement for external HTTPS exposure and path-based traffic splitting.

Exam trap

Google Cloud often tests the misconception that a LoadBalancer Service can handle Layer 7 routing, but in Kubernetes, LoadBalancer Services are strictly Layer 4 and cannot inspect HTTP paths; candidates must remember that path-based routing requires an Ingress resource with a compatible controller.

How to eliminate wrong answers

Option A is wrong because a LoadBalancer Service operates at Layer 4 (TCP/UDP) and cannot perform path-based routing; it only distributes traffic to Pods based on IP and port, not URL paths. Option C is wrong because a NodePort Service also works at Layer 4 and relies on iptables for simple port forwarding, not for Layer 7 path inspection or routing. Option D is wrong because ClusterIP Services are internal-only and DNS SRV records provide service discovery at Layer 4, not path-based routing; they cannot route based on URL paths or terminate HTTPS.
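The Ingress below is an added example, not from the original question. It assumes two Services named "backend" and "frontend" on port 80 and a TLS Secret named "webapp-tls" in the same namespace (all hypothetical), and shows the /api and / path rules with HTTPS on the GKE external Application Load Balancer.

```yaml
# Added example, not from the original page. Service, Secret and host names are
# hypothetical. Create the certificate Secret first, e.g.
#   kubectl create secret tls webapp-tls --cert=tls.crt --key=tls.key
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: webapp
  annotations:
    kubernetes.io/ingress.class: "gce"          # external Application Load Balancer
    kubernetes.io/ingress.allow-http: "false"   # do not also serve plaintext on port 80
spec:
  tls:
    - secretName: webapp-tls                    # TLS is terminated at Google's edge
  rules:
    - host: www.example.com                     # hypothetical hostname
      http:
        paths:
          - path: /api
            pathType: Prefix                    # /api, /api/orders, ... -> backend
            backend:
              service:
                name: backend
                port:
                  number: 80
          - path: /
            pathType: Prefix                    # everything else -> frontend
            backend:
              service:
                name: frontend
                port:
                  number: 80
```

Services referenced by a GKE external Ingress must be of type NodePort, or ClusterIP with container-native load balancing (the default on VPC-native clusters). `kubectl get ingress webapp` prints the load balancer's public IP once provisioning finishes, which usually takes a few minutes; the `allow-http` annotation matters because the default is to expose both 80 and 443.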

127
MCQmedium

A platform team needs a Kubernetes workload that runs exactly one Pod on every node in a GKE cluster — including nodes added in the future. The workload collects host-level metrics. Which Kubernetes resource type should they use?

A.Deployment with replicas set equal to the node count
B.StatefulSet with one replica per node
C.DaemonSet
D.CronJob running every minute to check and restore missing Pods
AnswerC

DaemonSets guarantee exactly one Pod per matching node, including new nodes added by the cluster autoscaler — purpose-built for node-level workloads like metric collectors.

Why this answer

A DaemonSet ensures that exactly one Pod runs on every node in the cluster, including nodes added after creation. This is the correct resource for host-level metrics collection because it automatically scales with the node pool and guarantees one Pod per node without manual intervention.

Exam trap

Google Cloud often tests the misconception that a Deployment with a fixed replica count can achieve per-node coverage, but candidates fail to realize that DaemonSets are the only resource that automatically scales with the node pool and guarantees one Pod per node without manual replica management.

How to eliminate wrong answers

Option A is wrong because a Deployment with replicas set equal to the node count does not automatically adjust when nodes are added or removed; it requires manual updates to the replica count and does not guarantee one Pod per node. Option B is wrong because a StatefulSet is designed for stateful applications requiring stable network identities and persistent storage, not for running one Pod per node; it does not have a built-in mechanism to schedule one Pod per node. Option D is wrong because a CronJob running every minute to check and restore missing Pods is an inefficient, reactive workaround that introduces unnecessary complexity and latency, and it does not provide the declarative, self-healing guarantee of a DaemonSet.
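The DaemonSet below is an added example, not from the original question; the collector image and namespace are hypothetical. It shows the piece most often forgotten for "one Pod on every node": tolerations, since a DaemonSet silently skips nodes whose taints its Pods do not tolerate.

```yaml
# Added example, not from the original page. Image name and namespace are hypothetical.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: node-metrics
  namespace: monitoring
spec:
  selector:
    matchLabels:
      app: node-metrics
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1              # roll the agent one node at a time
  template:
    metadata:
      labels:
        app: node-metrics
    spec:
      # Tolerate every taint so dedicated (tainted) node pools still get a collector;
      # without this, "one Pod per node" quietly excludes those nodes.
      tolerations:
        - operator: Exists
      nodeSelector:
        kubernetes.io/os: linux      # skip Windows pools the image cannot run on
      automountServiceAccountToken: false   # reads /proc and /sys, never the API
      containers:
        - name: collector
          image: us-docker.pkg.dev/example-project/monitoring/collector:2.0   # hypothetical
          securityContext:
            runAsNonRoot: true
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: proc
              mountPath: /host/proc
              readOnly: true
            - name: sys
              mountPath: /host/sys
              readOnly: true
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              cpu: 200m
              memory: 128Mi
      volumes:
        - name: proc
          hostPath:
            path: /proc
        - name: sys
          hostPath:
            path: /sys
```

`kubectl get daemonset node-metrics -n monitoring` should report DESIRED equal to the node count and CURRENT catching up as new nodes join. Host-level collectors need hostPath access, which is why the mounts are read-only and the Pod runs without privilege escalation or an API token; GKE Autopilot restricts hostPath, so this pattern targets Standard clusters.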

128
MCQmedium

A team packages their Kubernetes application as a Helm chart. They need to install it into a GKE cluster with the release name 'webapp' in the 'production' namespace, overriding the default image tag to 'v2.1'. Which Helm command achieves this?

A.helm deploy webapp ./chart -n production --set image.tag=v2.1
B.helm install webapp ./chart -n production --set image.tag=v2.1
C.kubectl apply -f helm-chart.yaml -n production --image-tag=v2.1
D.helm apply webapp -n production --chart=./chart --tag=v2.1
AnswerB

`helm install [RELEASE] [CHART]` installs a chart with the given release name. `-n production` targets the namespace. `--set image.tag=v2.1` overrides the chart's default value.

Why this answer

Option B is correct because `helm install` is the standard Helm command to deploy a chart into a cluster, and the `--set` flag overrides default values like `image.tag`. The `-n` flag specifies the namespace, and the release name 'webapp' is given as the first argument. This matches the Helm CLI syntax exactly.

Exam trap

The trap here is that candidates may confuse Helm commands with kubectl or assume a generic 'deploy' verb exists, when Helm strictly uses `install` for first-time deployments and `upgrade` for updates.

How to eliminate wrong answers

Option A is wrong because `helm deploy` is not a valid Helm command; Helm uses `install` or `upgrade`, not `deploy`. Option C is wrong because `kubectl apply` does not process Helm charts; it applies raw Kubernetes manifests, and `--image-tag` is not a valid kubectl flag. Option D is wrong because `helm apply` is not a valid Helm command, and the `--tag` flag is incorrect; Helm uses `--set image.tag=v2.1` to override values.

129
MCQmedium

A company is deploying a global web application that serves users from multiple continents. The application runs on Compute Engine instances in us-central1 and europe-west1. The company wants to provide the lowest latency access to users and support automatic failover if an entire region becomes unavailable. Which load balancing solution should they use?

A.Internal TCP/UDP Load Balancer
B.Regional external TCP/UDP Network Load Balancer
C.Global external HTTP(S) Load Balancer
D.External SSL Proxy Load Balancer (regional)
AnswerC

The global load balancer has a single anycast IP and routes to the closest healthy backend across regions.

Why this answer

Option C is correct because the global external HTTP(S) Load Balancer (now called the global external Application Load Balancer) uses a single anycast IP address and Google's premium network to send each user to the closest healthy backend, whether the instance groups sit in us-central1 or europe-west1. Health checks drop an unhealthy region from rotation, so if europe-west1 becomes unavailable, traffic automatically fails over to us-central1 without a DNS change.

How to eliminate wrong answers

Option A is wrong because an Internal TCP/UDP Load Balancer is regional and reachable only from inside the VPC; it cannot serve public users at all. Option B is wrong because a regional external TCP/UDP Network Load Balancer is confined to one region, so it can neither route users to the nearest continent nor fail over when that region goes down. Option D is wrong because a regional SSL Proxy Load Balancer, like any regional load balancer, serves a single region and cannot provide cross-region failover; only the global load balancer, which also requires Premium Tier networking, meets both requirements.

130
MCQmedium

A Cloud Function must execute automatically every time a new object is written to a specific Cloud Storage bucket. Which trigger type should be configured for the function?

A.HTTP trigger
B.Pub/Sub trigger
C.Cloud Storage trigger (object finalized event)
D.Cloud Scheduler trigger
AnswerC

A Cloud Storage trigger on the `object.finalized` event fires the function immediately when a new object is created in the bucket — no intermediate service needed.

Why this answer

The Cloud Storage trigger (object finalized event) is the correct choice because Cloud Functions natively supports Cloud Storage events: `google.storage.object.finalize` for 1st gen functions and, for 2nd gen functions (which receive the event through Eventarc), `google.cloud.storage.object.v1.finalized`. Both fire when a new object is created or an existing object is overwritten in the bucket, and the function is bound to the bucket directly without any intermediate service the team has to operate.

Exam trap

Google Cloud often tests the misconception that Pub/Sub is required for Cloud Storage events, but Cloud Functions directly supports Cloud Storage triggers without needing an explicit Pub/Sub topic, making Option B a common distractor.

How to eliminate wrong answers

Option A is wrong because an HTTP trigger requires an explicit HTTP request to invoke the function, not an automatic reaction to a Cloud Storage event. Option B is wrong because a Pub/Sub trigger would require manually publishing a message to a topic from Cloud Storage, adding unnecessary complexity and latency; Cloud Functions can directly listen to Cloud Storage events without Pub/Sub. Option D is wrong because Cloud Scheduler triggers are used for scheduled, time-based execution (e.g., cron jobs), not for event-driven reactions to object creation in a bucket.

131
MCQeasy

A junior developer needs read-only access to all GCP resources in a project. Which IAM role grants the minimum permissions required?

A.Editor
B.Owner
C.Viewer
D.Browser
AnswerC

Viewer grants read-only access to all project resources without any modification permissions — the correct minimum role for read-only access.

Why this answer

The Viewer role (roles/viewer) grants read-only access to all GCP resources in a project, including existing and future resources, without allowing any modifications. This is the minimum permissions required for read-only access, as it provides exactly the necessary permissions (e.g., resourcemanager.projects.get, storage.objects.list) without any write or administrative capabilities.

Exam trap

Google Cloud often tests the distinction between Viewer and Browser, where candidates mistakenly choose Browser thinking it is the minimal read-only role, but Browser only provides access to browse the project listing and not to read actual resource data.

How to eliminate wrong answers

Option A is wrong because the Editor role (roles/editor) includes all viewer permissions plus write permissions (e.g., to create, modify, or delete resources), which exceeds the minimum required for read-only access. Option B is wrong because the Owner role (roles/owner) includes all editor permissions plus the ability to manage IAM policies and billing, granting far more than read-only access. Option D is wrong because the Browser role (roles/browser) is a predefined Resource Manager role, not a legacy one; it grants only the permissions needed to browse the resource hierarchy (get and list on projects, folders and organizations) and does not grant read access to resource data such as Compute Engine instances or Cloud Storage objects, so it is insufficient for full read-only access.

132
MCQmedium

A Cloud Run service has been running for weeks. A sudden spike in 5xx errors appears in Cloud Monitoring. The team wants to view the actual request logs to identify which endpoint is failing. Where should they look?

A.Cloud Monitoring Metrics Explorer — filter by request_count metric with error status
B.Cloud Logging Logs Explorer — filter by resource type 'cloud_run_revision'
C.Cloud Trace — filter by 5xx response code
D.Cloud Debugger — set a snapshot at the error handler
AnswerB

Cloud Run streams request logs to Cloud Logging automatically. Filtering by `resource.type="cloud_run_revision"` in Logs Explorer shows individual request details including URL path and status codes.

Why this answer

Cloud Logging's Logs Explorer is the correct place to view actual request logs for a Cloud Run service. It allows filtering by resource type 'cloud_run_revision' and by HTTP status codes (e.g., 5xx) to identify which specific endpoint is failing. Cloud Monitoring Metrics Explorer shows aggregated metrics, not individual log entries, so it cannot pinpoint the exact endpoint.

Exam trap

Google Cloud often tests the distinction between aggregated metrics (Cloud Monitoring) and raw logs (Cloud Logging), trapping candidates who think Metrics Explorer can show individual request details when it only provides statistical aggregates.

How to eliminate wrong answers

Option A is wrong because Cloud Monitoring Metrics Explorer displays aggregated metrics (e.g., request_count) and cannot show the actual request logs needed to identify the specific failing endpoint. Option C is wrong because Cloud Trace is designed for distributed tracing latency analysis, not for viewing request logs filtered by response code; it does not store or expose full request logs. Option D is wrong because Cloud Debugger is used for inspecting live application state (e.g., variable values) via snapshots, not for viewing historical request logs or error details.

133
MCQmedium

A startup wants to minimize egress costs for a web service that exclusively serves customers within Europe. Which network service tier is most cost-effective?

A.Premium Tier
B.Standard Tier
C.Economy Tier
D.Free Tier
AnswerB

Standard Tier routes traffic through the public internet, offering lower egress costs. It's suitable for services with regional traffic patterns where Google's global backbone is unnecessary.

Why this answer

Standard Tier hands egress traffic off to the public internet near the source region instead of carrying it across Google's private backbone, and is priced well below Premium Tier's SLA-backed, low-latency global network. Since the service exclusively serves customers within Europe, the higher cost of Premium Tier is unnecessary, making Standard Tier the most cost-effective choice. Note that Standard Tier only supports regional resources (regional external IP addresses and regional load balancers), which fits a Europe-only service deployed in a European region but rules it out for global load balancing.

Exam trap

Google Cloud often tests the misconception that 'Standard' implies lower performance or reliability, but the trap here is that candidates overlook the cost savings for region-specific workloads and incorrectly assume Premium Tier is always better for production services.

How to eliminate wrong answers

Option A is wrong because Premium Tier uses Google's premium-grade network with higher egress pricing, designed for global, latency-sensitive traffic, and is not cost-effective for a Europe-only service. Option C is wrong because there is no 'Economy Tier' in Google Cloud networking; the available tiers are Premium and Standard. Option D is wrong because there is no 'Free Tier' network service tier; the Google Cloud Free Tier program includes only a small monthly egress allowance for certain products and is not a routing option that can be selected for a service.

134
Multi-Selectmedium

A company wants to allow developers to create Compute Engine instances with a specific set of persistent disk types (e.g., only pd-ssd). Which TWO methods can be used to enforce this? (Choose two.)

Select 2 answers
A.Organization policy with constraint compute.requireShieldedVm
B.VPC custom firewall rules
C.Organization policy with constraint compute.restrictDiskTypes
D.Service account permissions
E.IAM conditions on compute.instances.create
AnswersC, E

This constraint limits the allowed disk types.

Why this answer

Option C is correct because the `compute.restrictDiskTypes` organization policy constraint allows administrators to define a list of allowed persistent disk types (e.g., pd-ssd) at the project, folder, or organization level. When set, any Compute Engine instance creation request that specifies a disk type not on the allowed list will be denied by the policy engine, enforcing the restriction without requiring changes to individual IAM roles or scripts.

Exam trap

Google Cloud often tests the distinction between organization policy constraints (which enforce resource-level attributes like disk type) and IAM roles/permissions (which control whether an action is allowed), leading candidates to mistakenly choose service account permissions (Option D) instead of IAM conditions (Option E) for attribute-based restrictions.

135
MCQhard

A platform team wants to define a formal service level objective (SLO) for their API: 99.9% of requests must succeed (HTTP 2xx) over a 30-day rolling window. Which Cloud Monitoring feature tracks this?

A.Create an alerting policy with a 99.9% threshold on the request success metric
B.Define a Cloud Monitoring SLO with a 99.9% availability target over a 30-day rolling window
C.Build a BigQuery dashboard showing 30-day average success rates from exported logs
D.Set an uptime check target of 99.9% in Cloud Monitoring
AnswerB

Cloud Monitoring SLOs track error budget consumption over a rolling window and alert on burn rate — specifically designed for this use case.

Why this answer

Option B is correct because Cloud Monitoring's SLO feature is specifically designed to track compliance with a formal service level objective, such as 99.9% of requests succeeding over a 30-day rolling window. It automatically calculates the success rate from the selected metric (e.g., request count or latency) and reports the SLO's performance over the defined period, including error budgets and burn rates.

Exam trap

Google Cloud often tests the distinction between an SLO (a formal target with error budgets and burn rates) and a simple threshold alert or uptime check, so candidates mistakenly choose an alerting policy or uptime check because they think any 99.9% threshold tracking qualifies as an SLO.

How to eliminate wrong answers

Option A is wrong because an alerting policy with a 99.9% threshold on the request success metric would trigger an alert when the metric drops below that threshold, but it does not track the SLO over a 30-day rolling window or provide the structured SLO monitoring, error budget, and burn rate analysis that the SLO feature offers. Option C is wrong because building a BigQuery dashboard from exported logs is an indirect, manual approach that lacks the native integration, automatic calculation, and built-in alerting of Cloud Monitoring SLOs; it also requires additional setup and does not provide real-time SLO tracking. Option D is wrong because an uptime check target of 99.9% in Cloud Monitoring measures external availability via synthetic probes (e.g., HTTP GET to a URL), not the actual success rate of all API requests (HTTP 2xx) as defined in the SLO, and it does not track a 30-day rolling window of request-level success.

136
Multi-Selecthard

Which THREE are valid ways to authenticate a user for gcloud commands? (Choose three.)

Select 3 answers
A.API key
B.OAuth2 access token
C.Application Default Credentials
D.Service account key file
E.IdP token
AnswersB, C, D

Used after 'gcloud auth login' or obtained via other means.

Why this answer

Option B is correct because an OAuth2 access token can be supplied directly to gcloud with the global `--access-token-file` flag; the token itself can come from `gcloud auth print-access-token` on an already-authenticated host or from any other OAuth2 flow. Such tokens are short-lived (about an hour) and scoped, so they provide temporary access to Google Cloud resources without a long-lived credential like a service account key.

Exam trap

Google Cloud often tests the misconception that API keys are a valid authentication method for gcloud commands, but API keys only identify projects and are not accepted by gcloud for user or service account authentication.

137
MCQmedium

A Kubernetes namespace is shared by multiple teams. The platform team wants to ensure no single team's workloads can consume more than 10 CPU cores and 20 GB memory in that namespace. Which Kubernetes resource enforces this constraint?

A.LimitRange — sets per-Pod CPU and memory limits
B.ResourceQuota scoped to the namespace
C.PodDisruptionBudget limiting the number of running Pods
D.Network Policy restricting namespace traffic to avoid resource contention
AnswerB

ResourceQuota enforces aggregate limits on resource consumption within a namespace (e.g., `requests.cpu: 10`, `requests.memory: 20Gi`). API server rejects Pods that would exceed the quota.

Why this answer

ResourceQuota is the Kubernetes resource that enforces aggregate resource consumption limits at the namespace level. A ResourceQuota with `spec.hard` entries such as `requests.cpu: "10"` and `requests.memory: 20Gi` (the bare keys `cpu` and `memory` are aliases for the requests variants) makes the API server reject any new Pod whose requests would push the namespace total past those values. Note that the quota is per namespace, not per team: in a namespace genuinely shared by several teams it caps their combined usage, so a true per-team cap needs one namespace per team, each with its own quota.

Exam trap

The trap here is that candidates confuse LimitRange (per-Pod constraints) with ResourceQuota (namespace-level aggregate constraints), leading them to select LimitRange when the question explicitly asks for a resource that enforces a total cap across all workloads.

How to eliminate wrong answers

Option A is wrong because LimitRange sets per-Pod or per-Container default and minimum/maximum resource requests and limits, not an aggregate namespace-wide cap; it cannot prevent the sum of all Pods from exceeding 10 CPU cores and 20 GB memory. Option C is wrong because PodDisruptionBudget limits the number of Pods that can be voluntarily disrupted (e.g., during node maintenance), not the total resource consumption or running Pod count. Option D is wrong because Network Policy controls traffic flow between Pods based on labels and namespaces, not resource usage; it has no mechanism to enforce CPU or memory quotas.
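The two manifests below are an added example, not part of the original question; the namespace name is hypothetical. They show the ResourceQuota for the 10 CPU / 20 GiB cap next to the LimitRange that is usually needed alongside it, which makes the difference between the two concrete.

```yaml
# Added example, not from the original page. Namespace "shared-apps" is hypothetical.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-cap
  namespace: shared-apps
spec:
  hard:
    requests.cpu: "10"        # sum of all Pods' CPU requests in the namespace
    requests.memory: 20Gi     # sum of all Pods' memory requests
    limits.cpu: "10"          # also cap the sum of limits so bursting is bounded
    limits.memory: 20Gi
    pods: "50"                # optional object-count cap
---
# Once a quota names cpu/memory, every new Pod in the namespace must declare
# requests and limits or the API server rejects it outright. A LimitRange
# injects per-container defaults so existing manifests keep working; it is
# per container, never an aggregate, which is the distinction the question tests.
apiVersion: v1
kind: LimitRange
metadata:
  name: container-defaults
  namespace: shared-apps
spec:
  limits:
    - type: Container
      defaultRequest:
        cpu: 100m
        memory: 128Mi
      default:
        cpu: 500m
        memory: 512Mi
      max:
        cpu: "2"
        memory: 4Gi
```

`kubectl describe quota team-cap -n shared-apps` shows Used against Hard for each entry. The quota is checked at admission time, so a Pod that would exceed it is rejected with a "exceeded quota" error rather than being scheduled and later evicted.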

138
MCQmedium

A project has the following IAM bindings: User A has `roles/editor` at the project level, and a folder-level policy denies `roles/editor` to User A. Which effective permission does User A have on the project?

A.User A has Editor permissions because project-level IAM takes precedence over folder-level.
B.User A is denied Editor permissions because IAM Deny policies at a parent resource override allow grants at child resources.
C.User A has no permissions because conflicting policies result in no access.
D.User A has Editor permissions because folder-level policies don't apply to individual projects.
AnswerB

IAM Deny policies, when set at a folder level, prevent the denied permissions from taking effect on all child resources, including the project — even if the project has an allow binding for those permissions. Deny takes precedence over allow.

Why this answer

In Google Cloud, IAM Deny policies are evaluated before Allow policies, and a matching deny rule wins regardless of where in the hierarchy the allow binding sits. Even though User A holds `roles/editor` on the project, a deny policy attached to the parent folder that covers that principal blocks the denied permissions, because deny policies inherit downward to every project under the folder. One precision: deny rules list permissions (for example `compute.googleapis.com/instances.delete`), not role names, so "denying roles/editor" in practice means denying the permissions that role contains; only permissions that support deny policies can be listed.

Exam trap

Google Cloud often tests the misconception that 'lower-level grants override higher-level denials' or that 'conflicting policies result in no access,' when in fact Deny policies at any level take precedence over Allow bindings at any lower level.

How to eliminate wrong answers

Option A is wrong because it incorrectly claims project-level IAM takes precedence over folder-level; in reality, Deny policies at a parent resource override allow grants at child resources. Option C is wrong because conflicting policies do not result in 'no access' — the Deny policy explicitly overrides the allow, resulting in a clear denial of Editor permissions. Option D is wrong because folder-level policies do apply to all projects within that folder; IAM policies are hierarchical and inherited downward.
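The policy below is an added example, not from the original question. It shows the shape of a folder-level deny policy for a hypothetical user and folder ID; the permission list is the part that corresponds to "denying Editor" in the question, since deny rules name permissions rather than roles.

```yaml
# Added example, not from the original page. The folder ID, user and policy name are
# hypothetical. Attach it with:
#   gcloud iam policies create deny-destructive-compute \
#     --attachment-point=cloudresourcemanager.googleapis.com/folders/123456789012 \
#     --kind=denypolicies --policy-file=deny-policy.yaml
# (Google's documentation shows the policy file as JSON; the structure is identical.)
displayName: Deny destructive Compute actions for user-a under this folder
rules:
  - denyRule:
      # Principal identifiers use the v2 format, not "user:" as in allow bindings.
      deniedPrincipals:
        - principal://goog/subject/user-a@example.com
      # Permissions use the service-qualified form. Deny policies accept only
      # permissions that support denial; check the IAM docs before listing one.
      deniedPermissions:
        - compute.googleapis.com/instances.delete
        - compute.googleapis.com/disks.delete
        - compute.googleapis.com/firewalls.delete
      # Break-glass group that this rule never applies to (hypothetical group).
      exceptionPrincipals:
        - principalSet://goog/group/platform-breakglass@example.com
```

After attachment, `gcloud iam policies list --attachment-point=cloudresourcemanager.googleapis.com/folders/123456789012 --kind=denypolicies` confirms it exists, and a `gcloud compute instances delete` by user-a in any project under the folder fails even though the project-level Editor binding is untouched. The Policy Troubleshooter in the console reports the deny rule as the reason, which is the quickest way to distinguish "denied by policy" from "no allow binding".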

139
MCQhard

Refer to the exhibit. A Deployment is applied to a GKE cluster. The cluster has a single node pool with one node of machine type n1-standard-4 (4 vCPUs, 15 GB memory). After a few minutes, only two Pods are running, and one Pod is in Pending state. The node's resource usage shows 70% CPU allocated and 85% memory allocated. What is the most likely cause of the Pending Pod?

A.The node has insufficient CPU because each Pod requests 1 vCPU.
B.The node has not enough IP addresses available.
C.The Pods are pending due to a failed image pull.
D.The node has insufficient memory because each Pod requests 6 GiB.
AnswerD

Two Pods consume 12 GiB, leaving 3 GiB, insufficient for the third Pod's 6 GiB request.

Why this answer

The node has 15 GB of memory in total, and GKE reserves part of that for the kubelet and system daemons, so the allocatable memory is somewhat below 15 GB. Two Pods each request 6 GiB, consuming 12 GiB; what remains is under 3 GiB, less than the 6 GiB the third Pod requests, so the scheduler leaves it Pending with an "Insufficient memory" FailedScheduling event (visible with kubectl describe pod).

CPU: two Pods request 1 vCPU each (2 vCPU total), leaving 2 vCPU for the third, which is sufficient. Therefore, insufficient memory is the cause.

140
MCQmedium

A developer creates a Cloud Storage bucket and sets a uniform bucket-level access policy. What is the implication?

A.Only object ACLs are used
B.Bucket permissions override object ACLs
C.Both bucket IAM and object ACLs are used
D.Object ACLs are disabled
AnswerD

UBLA disables object ACLs; all access is via bucket IAM.

Why this answer

When uniform bucket-level access is enabled on a Cloud Storage bucket, all access control is managed exclusively through IAM policies at the bucket level. Object ACLs are disabled, meaning individual object permissions cannot be set or evaluated, and any existing ACLs stop being applied. This ensures consistent access control across all objects in the bucket. The setting can be reverted within 90 days of enabling it; after that it becomes permanent.

Exam trap

Google Cloud often tests the misconception that uniform bucket-level access 'overrides' or 'takes precedence over' object ACLs, when in fact it completely disables them, making any ACL-related operations invalid.

How to eliminate wrong answers

Option A is wrong because object ACLs are not used at all when uniform bucket-level access is enabled; they are disabled, not the sole mechanism. Option B is wrong because bucket IAM permissions do not 'override' object ACLs; instead, object ACLs are completely disabled and ignored. Option C is wrong because both bucket IAM and object ACLs are not used together; uniform bucket-level access disables object ACLs entirely.

141
MCQmedium

You need persistent shared file storage for a legacy application running on multiple Compute Engine VMs that requires POSIX-compliant file system access (NFS). The workload is I/O intensive with files up to 100 GB. Which GCP storage service should you use?

A.Cloud Storage FUSE mounted on each VM
B.Cloud Filestore (NFS)
C.Persistent Disk attached in ReadWriteMany mode to all VMs
D.Local SSD on each VM with rsync synchronization between VMs
AnswerB

Filestore is a fully managed NFS service with POSIX compliance. Multiple VMs can mount the same Filestore instance simultaneously, providing true shared read/write file access with high performance.

Why this answer

Cloud Filestore provides a fully managed NFS server that supports POSIX-compliant file access, making it the correct choice for a legacy application requiring NFS. It can handle I/O-intensive workloads with large files (up to 100 GB) by offering high throughput and low-latency access from multiple Compute Engine VMs simultaneously.

Exam trap

The trap here is that candidates often confuse Cloud Storage FUSE with a true POSIX file system, overlooking its lack of native NFS support and performance limitations for I/O-intensive workloads, while also mistakenly thinking Persistent Disk can be attached in ReadWriteMany mode to multiple VMs.

How to eliminate wrong answers

Option A is wrong because Cloud Storage FUSE presents an object storage bucket as a file system, but it does not provide true POSIX compliance (e.g., it lacks support for file locking, hard links, and consistent directory operations) and can suffer from performance issues with I/O-intensive workloads and large files. Option C is wrong because "ReadWriteMany" is a Kubernetes volume access mode, not a Compute Engine attachment mode; a Persistent Disk can be attached read-write to one VM or read-only to many, and although some SSD disk types offer a multi-writer mode, that exposes a raw block device that needs a cluster-aware file system, not the POSIX/NFS shared file system the application expects. Option D is wrong because Local SSDs are ephemeral and tied to a single VM, and rsync synchronization between VMs introduces data consistency issues, latency, and complexity, failing to provide the persistent, POSIX-compliant shared file system required.

142
MCQmedium

A distributed database running on GKE requires stable, persistent hostnames (pod-0, pod-1, pod-2) and ordered startup/shutdown for proper cluster initialization. Pods must retain their identity across restarts. Which Kubernetes resource is designed for this?

A.Deployment with pod affinity rules
B.StatefulSet with a headless Service
C.DaemonSet with a unique hostname label on each node
D.ReplicaSet with a fixed replica count
AnswerB

StatefulSets provide stable Pod names (pod-0, pod-1...), stable DNS via headless Services, ordered deployment, and PVC retention across restarts — the standard choice for stateful clustered applications.

Why this answer

StatefulSet is the correct resource because it provides stable, unique network identifiers (e.g., pod-0, pod-1, pod-2) via a headless Service, ordered startup and shutdown (pod-0 starts first, pod-2 terminates first), and persistent pod identity that survives restarts. These features are essential for distributed databases like Cassandra or ZooKeeper that require consistent hostnames and initialization order.

Exam trap

Google Cloud often tests the misconception that a Deployment with a fixed number of replicas can provide stable identities, but Deployments treat pods as interchangeable and do not preserve hostnames or startup order, making StatefulSet the only correct choice for stateful workloads requiring persistent identity.

How to eliminate wrong answers

Option A is wrong because a Deployment with pod affinity rules does not guarantee stable hostnames or ordered startup/shutdown; pods get random names and can be created or terminated in any order, which breaks cluster initialization for stateful applications. Option C is wrong because a DaemonSet runs exactly one pod per node and uses node hostnames, not stable pod hostnames like pod-0, and it does not provide ordered startup/shutdown or persistent pod identity across restarts. Option D is wrong because a ReplicaSet with a fixed replica count does not assign stable, predictable hostnames or enforce ordered startup/shutdown; pods are ephemeral and can be replaced with different names, losing identity.

143
MCQhard

An application running on Compute Engine writes logs to a local file. The operations team wants to centralize these logs in Cloud Logging with minimal code changes. What is the recommended approach?

A.Use Cloud Scheduler to tail the log file and send entries to Logging.
B.Install and configure the Cloud Logging agent on the instance.
C.Set up a scheduled cron job to upload the log file via gcloud logging write.
D.Modify the application to use the Cloud Logging client library.
AnswerB

The agent can tail log files and send entries to Cloud Logging.

Why this answer

Option B is correct because the Cloud Logging agent automatically collects local log files and sends them to Cloud Logging without code changes. Option D requires code changes. Options A and C are manual workarounds and not recommended.

144
MCQeasy

A company has a set of Compute Engine instances in a VPC that need outbound internet access for updates, but they do not have public IP addresses. The instances are running in a subnet with Private Google Access enabled. Which service should the company use to provide internet access?

A.Private Google Access
B.A default route to the internet gateway
C.Cloud NAT
D.Cloud VPN
AnswerC

Cloud NAT translates private IPs to a set of external IPs, enabling outbound internet access.

Why this answer

Option C is correct because Cloud NAT allows instances without external IP addresses to reach the internet while blocking unsolicited inbound connections. Option A is wrong because Private Google Access only enables access to Google APIs and services, not the general internet. Option D is wrong because Cloud VPN provides secure connectivity to on-premises networks, not internet access.

Option B is wrong because the VPC's default route to the default internet gateway only carries traffic for instances that have external IP addresses; instances with only private IPs cannot use it without Cloud NAT.

145
MCQhard

You are designing an environment where a CI/CD pipeline running in GitHub Actions needs to deploy Cloud Run services without storing any long-lived service account keys. Your organization's security policy prohibits downloading SA keys. Which approach meets these requirements?

A.Create a service account key, base64-encode it, and store it as a GitHub Actions secret.
B.Use Workload Identity Federation to allow GitHub Actions to impersonate a service account using OIDC tokens.
C.Grant the GitHub Actions runner VM's default service account the necessary roles.
D.Use Cloud Build triggers instead of GitHub Actions to avoid key management.
AnswerB

WIF exchanges the GitHub OIDC token for a short-lived GCP credential. No SA key is created or stored anywhere.

Why this answer

Workload Identity Federation allows GitHub Actions to exchange OIDC tokens from GitHub's identity provider for Google Cloud service account impersonation, eliminating the need to download and store long-lived service account keys. This approach satisfies the security policy by using short-lived, automatically rotated tokens that are valid for only one hour, and it integrates directly with GitHub's OIDC provider without requiring any secret key material.

Exam trap

Google Cloud often tests the misconception that you can rely on the runner VM's default service account in GitHub Actions, but GitHub-hosted runners are not GCP VMs, so that service account is irrelevant and the runner has no inherent GCP identity.

How to eliminate wrong answers

Option A is wrong because it violates the security policy by creating a long-lived service account key and storing it as a GitHub secret, which is exactly what the policy prohibits. Option C is wrong because the GitHub Actions runner VM's default service account is not used when running in GitHub-hosted runners; the runner is ephemeral and not associated with a GCP VM, so granting roles to that default service account has no effect. Option D is wrong because it avoids the problem rather than solving it; the requirement is to deploy from GitHub Actions, and switching to Cloud Build does not address the need to use GitHub Actions without keys.

146
MCQeasy

A project is being decommissioned. You need to delete it but want to ensure there is a 30-day window during which the deletion can be cancelled if needed. What happens when you delete a GCP project?

A.The project is immediately and permanently deleted along with all resources.
B.The project enters a 30-day pending deletion period; resources are inaccessible but the project can be restored within this window.
C.The project is archived but billing continues for 30 days before final deletion.
D.All resources are deleted immediately but the project ID is reserved for 90 days.
AnswerB

Project deletion is a soft-delete with a 30-day grace period. `gcloud projects undelete PROJECT_ID` cancels the deletion and restores access. After 30 days, deletion is permanent.

Why this answer

When you delete a GCP project, it enters a 30-day pending deletion period. During this time, all resources are inaccessible, but the project and its data can be fully restored if needed. This ensures a safety window before permanent deletion, aligning with the requirement for a 30-day cancellation window.

Exam trap

Google Cloud often tests the misconception that deletion is immediate and irreversible, leading candidates to choose Option A, but GCP's 30-day soft-delete period is a key differentiator that must be remembered for the ACE exam.

How to eliminate wrong answers

Option A is wrong because GCP does not immediately and permanently delete a project; it enforces a 30-day pending deletion period to allow recovery. Option C is wrong because the project is not archived; it is placed in a pending deletion state, and billing stops immediately upon deletion, not continued for 30 days. Option D is wrong because resources are not deleted immediately; they remain recoverable during the 30-day window, and the project ID is not reserved for 90 days—it becomes available after the 30-day period or upon permanent deletion.

147
Multi-Selectmedium

A team is deploying a stateful application on GKE that requires each pod to have its own persistent disk. Which TWO Kubernetes resources are essential for this deployment? (Choose two.)

Select 2 answers
A.Deployment
B.ConfigMap
C.StatefulSet
D.Ingress
E.PersistentVolumeClaim (PVC)
AnswersC, E

StatefulSet provides stable identities and storage for stateful applications.

Why this answer

A StatefulSet is essential because it provides stable, unique network identifiers and ordered, graceful deployment and scaling for stateful applications, ensuring each pod maintains its identity and persistent storage binding across rescheduling. A PersistentVolumeClaim (PVC) is required to request and bind a persistent disk to each pod, enabling the pod to retain its data independently of other pods in the set.

Exam trap

Google Cloud often tests the misconception that a Deployment can handle stateful workloads with persistent storage, but the trap is that a Deployment does not guarantee stable pod identities or ordered PVC binding, causing data loss or identity conflicts when pods are rescheduled.

148
MCQhard

You are deploying a Cloud Run service revision that should initially receive 0% of traffic (for testing via a direct URL), while the existing revision continues to serve 100% of production traffic. Which `gcloud run deploy` flag achieves this?

A.`--no-traffic`
B.`--traffic=0`
C.`--revision-suffix=canary` with no traffic configuration
D.`--min-instances=0 --max-instances=0`
AnswerA

--no-traffic deploys the new revision without diverting any production traffic to it. The revision is accessible via its unique revision URL for testing without affecting live users.

Why this answer

The `--no-traffic` flag on `gcloud run deploy` deploys a new revision but directs 0% of traffic to it, leaving the existing revision serving 100% of production traffic. This allows you to test the new revision via its direct URL without impacting live users. It is the correct and explicit way to achieve a zero-traffic deployment in Cloud Run.

Exam trap

The trap here is that candidates confuse traffic routing with instance scaling, assuming `--min-instances=0` or a bare `--traffic=0` would prevent traffic, when in fact Cloud Run requires explicit traffic management via `--no-traffic` or the `--traffic` flag with a revision identifier.

How to eliminate wrong answers

Option B is wrong because `--traffic=0` is not a valid flag; `gcloud run deploy` uses `--no-traffic` or `--traffic` with a revision name and percentage (e.g., `--traffic=new-revision=0`) but not a bare `=0`. Option C is wrong because `--revision-suffix=canary` only names the revision; without a traffic flag, the new revision automatically receives 100% of traffic by default, defeating the requirement. Option D is wrong because `--min-instances=0 --max-instances=0` controls instance scaling (allowing zero idle instances) but does not affect traffic routing; the new revision would still receive traffic unless explicitly prevented.

149
MCQmedium

A GKE Deployment runs a web application with 6 replicas across a 3-node cluster. To ensure no two replicas land on the same node (maximizing availability), which Pod spec configuration should be applied?

A.Set podAntiAffinity with requiredDuringSchedulingIgnoredDuringExecution and topologyKey: kubernetes.io/hostname
B.Set podAffinity with requiredDuringSchedulingIgnoredDuringExecution and topologyKey: kubernetes.io/hostname
C.Set topologySpreadConstraints with maxSkew: 1 and topologyKey: kubernetes.io/hostname
D.Set nodeSelector to a specific node for each replica
AnswerA

This hard anti-affinity rule prevents the scheduler from placing a Pod on a node that already runs a Pod matching the selector — guaranteeing one replica per node.

Why this answer

Option A is correct because `podAntiAffinity` with `requiredDuringSchedulingIgnoredDuringExecution` and `topologyKey: kubernetes.io/hostname` forces the scheduler to place each replica on a different node. This ensures that no two pods of the same Deployment run on the same Kubernetes node, maximizing availability by preventing a single node failure from taking down more than one replica.

Exam trap

Google Cloud often tests the distinction between `podAffinity` and `podAntiAffinity` — the trap here is that candidates confuse the two, or assume `topologySpreadConstraints` provides the same hard guarantee as anti-affinity, when it only enforces even distribution, not strict separation.

How to eliminate wrong answers

Option B is wrong because `podAffinity` attracts pods to the same node, which would cause replicas to co-locate, reducing availability. Option C is wrong because `topologySpreadConstraints` with `maxSkew: 1` distributes pods evenly across nodes but does not guarantee that no two replicas land on the same node; it only ensures a balanced distribution, which could still allow multiple replicas on one node if the cluster has fewer nodes than replicas. Option D is wrong because setting `nodeSelector` to a specific node for each replica is not dynamic and would require manual management; it also cannot guarantee anti-affinity across all replicas without complex scripting, and it violates the declarative nature of Kubernetes scheduling.

150
MCQeasy

Refer to the exhibit. A developer tries to create a new project using the command `gcloud projects create my-project --name="My Project"` and receives the error 'Project ID my-project already exists.' What should the developer do?

A.Enable the Cloud Resource Manager API
B.Use a different project ID
C.Delete the existing project with the same ID
D.Use the --organization flag
AnswerB

Project IDs must be globally unique; a different ID will work.

Why this answer

Project IDs are globally unique, so the developer must choose a different project ID. Option B is correct.

Options A, C, and D are not appropriate or would cause issues.
