Google Associate Cloud Engineer (ACE) — Questions 151–225

500 questions total · 7 pages · All types, answers revealed

Page 3 of 7
151 · MCQ · medium

A Cloud Storage bucket contains sensitive PII data. You need to ensure that objects in this bucket are encrypted using a key that your security team controls, and that the key can be revoked if needed to render all data inaccessible. Which encryption option should you use?

A. Use Google-managed encryption keys (default).
B. Configure Customer-Managed Encryption Keys (CMEK) using Cloud KMS.
C. Enable Cloud Storage's built-in server-side encryption with AES-256.
D. Use Customer-Supplied Encryption Keys (CSEK) by embedding the key in each API request.
Answer: B

CMEK with Cloud KMS gives your security team control of the key: creation, rotation, and revocation (disable or destroy). Cloud Storage wraps each object's data-encryption key with the KMS key, so disabling that key makes every object encrypted under it unreadable until it is re-enabled; destroying the key version schedules it for destruction (30 days by default) and, once destroyed, the data is unrecoverable. That is what "cryptographic shredding" means here. Removing the Cloud Storage service agent's cloudkms.cryptoKeyEncrypterDecrypter binding on the key has the same blocking effect. CMEK protects data at rest only: bucket IAM still decides who may ask Cloud Storage to decrypt.

Why this answer

Option B is correct because Customer-Managed Encryption Keys (CMEK) allow you to control and manage the key used for encrypting Cloud Storage objects via Cloud KMS. This enables key revocation, which immediately renders all data encrypted with that key inaccessible, meeting the security team's requirement for revocable control.

Exam trap

Google Cloud often tests the CMEK/CSEK distinction: candidates pick CSEK because supplying the key yourself sounds like more control, but CSEK means every request must carry the key and there is nothing central to revoke. CMEK is the option that gives centralized rotation and revocation without changing how clients call the API.

How to eliminate wrong answers

Option A is wrong because Google-managed encryption keys (default) are controlled by Google, not your security team, and cannot be revoked by you. Option C is wrong because Cloud Storage's built-in server-side encryption with AES-256 is also Google-managed and does not provide customer-controlled key revocation. Option D is wrong because Customer-Supplied Encryption Keys (CSEK) require embedding the key in each API request, which does not allow centralized key management or revocation; the key is supplied per operation and not stored or managed by Cloud KMS.
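The revocation mechanics in the explanation above are easier to see in code. The following is an added example, not code from this page or from Google: it models CMEK-style envelope encryption with a KMS-like registry whose key can be disabled, and shows that reads fail while the key is disabled and recover when it is re-enabled. The stream cipher is an HMAC-SHA256 counter-mode keystream standing in for the AES-256-GCM that Cloud KMS and Cloud Storage actually use; the key name, bucket contents and class names are all constructed for the demo.

```python
"""Model of CMEK-style envelope encryption with a revocable key-encryption key.

Added example, not code from the page or from Google. Standard library only;
the toy stream cipher below stands in for AES-GCM.
"""
import hashlib
import hmac
import os


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || counter) blocks."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class ToyKms:
    """Stands in for Cloud KMS: holds key-encryption keys (KEKs) that can be disabled."""

    def __init__(self):
        self._keys = {}  # key name -> {"material": bytes, "enabled": bool}

    def create_key(self, name: str) -> None:
        self._keys[name] = {"material": os.urandom(32), "enabled": True}

    def set_enabled(self, name: str, enabled: bool) -> None:
        self._keys[name]["enabled"] = enabled  # disable == revoke; re-enable reverses it

    def _kek(self, name: str) -> bytes:
        key = self._keys[name]
        if not key["enabled"]:
            raise PermissionError(f"key {name} is disabled")
        return key["material"]

    def wrap(self, name: str, dek: bytes) -> bytes:
        kek = self._kek(name)
        nonce = os.urandom(16)
        wrapped = _keystream_xor(kek, nonce, dek)
        tag = hmac.new(kek, nonce + wrapped, hashlib.sha256).digest()
        return nonce + wrapped + tag

    def unwrap(self, name: str, blob: bytes) -> bytes:
        kek = self._kek(name)  # raises while disabled: the DEK cannot be recovered
        nonce, wrapped, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(kek, nonce + wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("wrapped DEK failed integrity check")
        return _keystream_xor(kek, nonce, wrapped)


class Bucket:
    """A bucket whose objects are envelope-encrypted under one KMS key (CMEK)."""

    def __init__(self, kms: ToyKms, kms_key: str):
        self.kms, self.kms_key = kms, kms_key
        self._objects = {}  # name -> (wrapped DEK, nonce, ciphertext)

    def put(self, name: str, plaintext: bytes) -> None:
        dek = os.urandom(32)  # fresh data-encryption key per object
        nonce = os.urandom(16)
        wrapped_dek = self.kms.wrap(self.kms_key, dek)
        self._objects[name] = (wrapped_dek, nonce, _keystream_xor(dek, nonce, plaintext))

    def get(self, name: str) -> bytes:
        wrapped_dek, nonce, ciphertext = self._objects[name]
        dek = self.kms.unwrap(self.kms_key, wrapped_dek)  # fails once the KEK is disabled
        return _keystream_xor(dek, nonce, ciphertext)


def demo_revocation() -> dict:
    """Write an object, disable the KEK (reads fail), re-enable it (reads recover)."""
    key_name = "projects/p/locations/us/keyRings/pii/cryptoKeys/bucket-kek"  # hypothetical
    kms = ToyKms()
    kms.create_key(key_name)
    bucket = Bucket(kms, key_name)
    bucket.put("customer.csv", b"name,ssn\nAda,123-45-6789\n")  # constructed sample object
    result = {"readable_before": bucket.get("customer.csv")}
    kms.set_enabled(key_name, False)
    try:
        bucket.get("customer.csv")
        result["readable_while_disabled"] = True
    except PermissionError:
        result["readable_while_disabled"] = False
    kms.set_enabled(key_name, True)
    result["readable_after_reenable"] = bucket.get("customer.csv")
    return result
```

The point of the model: the ciphertext never moves and the bucket's IAM never changes, yet every read depends on one unwrap call that the key owner can switch off. Destroying the KMS key version is the irreversible form of the same switch.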

152 · MCQ · medium

Your GKE application's pods are being evicted frequently during periods of high traffic. You notice that pods without resource requests are being evicted first. The nodes are running at ~85% memory utilization. What should you do to reduce pod eviction?

A. Set memory requests and limits for all pods to match their actual memory usage.
B. Increase the node machine type to have more memory.
C. Configure pod disruption budgets (PDBs) to prevent eviction.
D. Enable cluster autoscaler to add nodes before memory pressure occurs.
Answer: A

Pods that set requests are Burstable, or Guaranteed when every container sets CPU and memory limits equal to its requests. Under memory pressure the kubelet ranks pods for eviction by whether usage exceeds the request, then by priority, then by how far usage exceeds the request; a BestEffort pod has a request of zero, so it always ranks first. Accurate requests also let the scheduler spread pods so that nodes are less likely to reach pressure in the first place.

Why this answer

Setting memory requests lets the scheduler place pods according to real demand and moves them into the Burstable or Guaranteed QoS class, so they are considered for eviction only after BestEffort pods and only when they exceed their own requests. Without requests a pod is BestEffort and is the first candidate as soon as the node's available memory falls below the kubelet's eviction threshold (the ~85% utilization in the question is the symptom, not a Kubernetes constant). One caveat on the wording of option A: a memory limit set exactly at observed usage gets the container OOM-killed on its next spike, so derive the request from steady-state usage and leave headroom in the limit.

Exam trap

Google Cloud often tests the misconception that increasing node resources or adding nodes (autoscaling) solves eviction, when the real issue is the lack of resource requests that determines eviction priority under memory pressure.

How to eliminate wrong answers

Option B is wrong because simply increasing node memory does not address the root cause—pods without requests are still BestEffort and will be evicted first under any memory pressure, regardless of total node capacity. Option C is wrong because PodDisruptionBudgets (PDBs) only protect against voluntary disruptions (e.g., node drains), not involuntary evictions caused by node memory pressure (kubelet eviction). Option D is wrong because Cluster Autoscaler adds nodes only when pods are unschedulable due to resource shortages, not to prevent eviction of already-running pods; memory pressure eviction occurs before autoscaling can react.
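The QoS and eviction rules the explanation relies on can be checked against a pod spec. The following is an added example, not code from this page or from Kubernetes: it re-implements the documented QoS classification (Guaranteed, Burstable, BestEffort) and the kubelet's memory-eviction ranking, then runs both over three constructed pods whose usage figures are made up for the demo.

```python
"""Kubernetes QoS classification and kubelet memory-eviction ranking.

Added example, not code from the page or from Kubernetes; it re-implements the
documented rules so the eviction order of the question is reproducible offline.
"""
import re

_UNITS = {"": 1, "k": 10**3, "M": 10**6, "G": 10**9, "Ki": 2**10, "Mi": 2**20, "Gi": 2**30}


def parse_quantity(q) -> float:
    """Parse a Kubernetes quantity ('512Mi', '1Gi', '250m', '2') into base units."""
    if isinstance(q, (int, float)):
        return float(q)
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([a-zA-Z]*)", q.strip())
    if not m:
        raise ValueError(f"bad quantity {q!r}")
    num, unit = float(m.group(1)), m.group(2)
    if unit == "m":  # millicores
        return num / 1000
    return num * _UNITS[unit]


def qos_class(pod: dict) -> str:
    """Classify a pod the way the kubelet does: Guaranteed, Burstable or BestEffort."""
    any_set, all_guaranteed = False, True
    for c in pod["containers"]:
        res = c.get("resources", {})
        req, lim = res.get("requests", {}), res.get("limits", {})
        for r in ("cpu", "memory"):
            if r in req or r in lim:
                any_set = True
            effective_req = req.get(r, lim.get(r))  # a request defaults to the limit
            if (r not in lim or effective_req is None
                    or parse_quantity(effective_req) != parse_quantity(lim[r])):
                all_guaranteed = False
    if not any_set:
        return "BestEffort"
    return "Guaranteed" if all_guaranteed else "Burstable"


def eviction_order(pods: list) -> list:
    """Rank pods as kubelet memory-pressure eviction does (first = evicted first).

    Order: (1) usage exceeds the pod's memory request, (2) lower priority,
    (3) larger excess over the request. 'memory_usage' is observed usage (constructed).
    """
    def key(pod):
        request = sum(parse_quantity(c.get("resources", {}).get("requests", {}).get("memory", 0))
                      for c in pod["containers"])
        usage = parse_quantity(pod["memory_usage"])
        return (not usage > request, pod.get("priority", 0), -(usage - request))
    return [p["name"] for p in sorted(pods, key=key)]


# Constructed pods for the demo; usage figures are made up.
SAMPLE_PODS = [
    {"name": "web-no-requests", "memory_usage": "300Mi",
     "containers": [{"resources": {}}]},
    {"name": "web-burstable", "memory_usage": "600Mi",
     "containers": [{"resources": {"requests": {"memory": "512Mi", "cpu": "250m"},
                                   "limits": {"memory": "1Gi", "cpu": "500m"}}}]},
    {"name": "web-guaranteed", "memory_usage": "900Mi",
     "containers": [{"resources": {"requests": {"memory": "1Gi", "cpu": "1"},
                                   "limits": {"memory": "1Gi", "cpu": "1"}}}]},
]
```

Running eviction_order(SAMPLE_PODS) puts web-no-requests first even though it uses the least memory: with a zero request it is always "over" its request, which is exactly the failure mode the question describes. Note that the Burstable pod is also ahead of the Guaranteed one only because it is above its request; the same pod at 400Mi would rank last.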

153 · MCQ · hard

An organization is deploying a stateful application on Google Kubernetes Engine (GKE). The application requires persistent storage with high read/write performance and must be available across multiple zones for disaster recovery. Which storage solution should they use?

A. Cloud Filestore
B. Regional persistent disk
C. Local SSD
D. Zonal persistent disk
Answer: B

Regional persistent disk synchronously replicates between two zones in the same region, keeping block-storage performance while surviving a zonal outage. In GKE this needs a regional cluster and a StorageClass on the pd.csi.storage.gke.io provisioner with replication-type: regional-pd, so that the PersistentVolumeClaim is provisioned on a regional disk.

Why this answer

Regional persistent disks provide synchronous replication across two zones in the same region, ensuring data availability during a zonal failure. They offer high read/write performance suitable for stateful applications and can be attached to GKE pods via PersistentVolumeClaims, meeting the requirement for multi-zone disaster recovery.

Exam trap

Google Cloud often tests the distinction between zonal and regional persistent disks, where candidates mistakenly choose zonal disks for high performance without considering the multi-zone disaster recovery requirement, or they confuse Cloud Filestore's shared file access with the block storage performance needed for stateful applications.

How to eliminate wrong answers

Option A is wrong because Cloud Filestore is a managed NFS file service, not block storage: access goes over the network to a shared file system rather than to a disk attached to the pod's node, and the question asks for block-level read/write performance for a stateful application. Option C is wrong because Local SSDs are ephemeral and physically attached to one node; their data is lost when the VM is stopped, deleted or repaired and cannot be reattached elsewhere, so they fail both the persistence and the multi-zone requirement. Option D is wrong because a zonal persistent disk lives in one zone and is unavailable for the duration of an outage of that zone, failing the disaster recovery requirement.

154 · MCQ · medium

You need to ensure that Cloud DLP scans all data uploaded to a specific Cloud Storage bucket and redacts any Social Security Numbers (SSNs) before storing the data. Which Cloud DLP feature and trigger enables this pattern?

A. Enable Cloud DLP auto-redaction on the Cloud Storage bucket via the GCS settings.
B. Configure Pub/Sub notifications on the bucket to trigger a Cloud Function that calls Cloud DLP to redact SSNs before the file is readable.
C. Use Cloud DLP's scheduled inspection job to scan the bucket daily and flag SSNs.
D. Apply an org policy that prevents storing SSNs in Cloud Storage.
Answer: B

The standard pattern: upload lands in a quarantine bucket → Cloud Storage object notification (OBJECT_FINALIZE) → Pub/Sub → Cloud Function → DLP content.deidentify with the US_SOCIAL_SECURITY_NUMBER infoType and a replace or redact transformation → redacted copy written to the destination bucket → original deleted. Because the notification fires only after the object is finalized, the raw upload exists briefly in the quarantine bucket; restrict that bucket so only the function's service account can read it.

Why this answer

Option B is correct because Cloud DLP has no hook that intercepts an upload in flight; the closest you can get is an event-driven pipeline in which the bucket's Pub/Sub notification triggers a Cloud Function that calls the DLP API to inspect and de-identify the object and writes the redacted result to the bucket that consumers are allowed to read. Redaction then happens within seconds of the upload instead of on a daily scan.

Exam trap

Google Cloud often tests the misconception that Cloud DLP can be directly attached to a Cloud Storage bucket for automatic redaction, but in reality, you must orchestrate the inspection and redaction via an event-driven compute service like Cloud Functions.

How to eliminate wrong answers

Option A is wrong because Cloud Storage does not have a native 'auto-redaction' setting; Cloud DLP cannot be directly enabled on a bucket via GCS settings to perform real-time redaction. Option C is wrong because a scheduled inspection job only scans existing data periodically and does not redact data in real-time as it is uploaded, leaving a window where SSNs could be exposed. Option D is wrong because org policies cannot inspect or redact content within files; they only enforce structural constraints (e.g., location, encryption) and cannot prevent the storage of specific data patterns like SSNs.
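The redaction step of that pipeline, as an added example that is not code from this page or from Google. build_deidentify_request builds the body the function would send to the DLP API's projects.locations.content.deidentify method (REST field names; the Python client uses snake_case equivalents). Because the DLP call cannot run offline, redact_ssns_locally stands in for it with a simplified SSN matcher; DLP's real detector applies its own validation. The project ID, bucket names, event payload and the in-memory `store` dictionary that plays the role of Cloud Storage are all constructed.

```python
"""Redaction step of the GCS -> Pub/Sub -> Cloud Function -> DLP pipeline.

Added example, not the page's or Google's code. The DLP API call is replaced by
a local stand-in so the handler runs offline.
"""
import re

INFO_TYPE = "US_SOCIAL_SECURITY_NUMBER"
# Area 000/666/9xx, group 00 and serial 0000 are never issued; rejecting them keeps
# the stand-in from redacting obvious non-SSNs. Simplified relative to DLP's detector.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b")


def build_deidentify_request(project: str, text: str) -> dict:
    """Body for projects.locations.content.deidentify: find SSNs, replace with infoType name."""
    return {
        "parent": f"projects/{project}/locations/global",
        "item": {"value": text},
        "inspectConfig": {"infoTypes": [{"name": INFO_TYPE}]},
        "deidentifyConfig": {
            "infoTypeTransformations": {
                "transformations": [{
                    "infoTypes": [{"name": INFO_TYPE}],
                    "primaryTransformation": {"replaceWithInfoTypeConfig": {}},
                }]
            }
        },
    }


def redact_ssns_locally(text: str) -> tuple:
    """Offline stand-in for the DLP call; mirrors replaceWithInfoTypeConfig output."""
    return SSN_RE.subn(f"[{INFO_TYPE}]", text)


def handle_object_finalized(event: dict, store: dict, redacted_bucket: str) -> dict:
    """Handle one OBJECT_FINALIZE notification.

    `store` stands in for Cloud Storage: {(bucket, object_name): bytes}. The raw
    upload is read from the quarantine bucket, redacted, written to the clean
    bucket under the same name, and then deleted from quarantine.
    """
    src = (event["bucket"], event["name"])
    text = store[src].decode("utf-8")
    request = build_deidentify_request("my-project", text)  # what the real call would send
    redacted, count = redact_ssns_locally(request["item"]["value"])
    store[(redacted_bucket, event["name"])] = redacted.encode("utf-8")
    del store[src]  # the raw object must not outlive the redaction step
    return {"bucket": redacted_bucket, "name": event["name"], "ssns_redacted": count}


# Constructed sample upload; the third row is not a valid SSN and is left alone.
SAMPLE_STORE = {
    ("quarantine-uploads", "customers.csv"):
        b"id,name,ssn\n1,Ada,123-45-6789\n2,Bob,078 05 1120\n3,Eve,000-12-3456\n",
}
```

Two things the handler does that a minimal version often skips: it writes to a different bucket than it reads from, so consumers never have read access to the quarantine bucket, and it deletes the original, so a retry of the same event finds nothing to leak. If the function fails between the write and the delete, the retry redacts the same object again, which is harmless.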

155 · MCQ · hard

Your security team wants to prevent any user or service account from creating firewall rules that allow ingress from `0.0.0.0/0` (the internet) to any VM in your organization. Which approach enforces this without requiring per-project IAM changes?

A. Grant IAM deny policies that prevent the `compute.firewalls.create` permission across the organization.
B. Apply a hierarchical firewall policy at the organization level with a deny rule for ingress from 0.0.0.0/0, set to take precedence over project rules.
C. Use Security Command Center to detect and alert when 0.0.0.0/0 firewall rules are created.
D. Set the `compute.skipDefaultNetworkCreation` org policy constraint across the organization.
Answer: B

Hierarchical firewall policies at the organization (or folder) level are evaluated before any project's VPC firewall rules, so an org-level deny for ingress from 0.0.0.0/0 takes effect whatever a project allows, and projects inherit it without any IAM change. Scope the rule in practice: as written it matches every source, internal ranges included, so pair it with lower-numbered goto_next rules for trusted ranges, or restrict it to the ports you actually want closed (22, 3389). Otherwise it also blocks traffic from Google's load balancer and IAP proxy ranges, which your public services depend on.

Why this answer

Option B is correct because hierarchical firewall policies at the organization level can include a deny rule for ingress from `0.0.0.0/0` with a priority that takes precedence over any project-level firewall rules. This enforces the restriction globally without requiring per-project IAM changes, as the policy is inherited by all projects in the organization.

Exam trap

Google Cloud often tests the distinction between preventive controls (like hierarchical firewall policies) and detective controls (like Security Command Center alerts), leading candidates to choose a detection-based option when the question explicitly asks for enforcement.

How to eliminate wrong answers

Option A is wrong because an IAM deny policy on `compute.firewalls.create` blocks every firewall rule creation, not just rules that open `0.0.0.0/0`; deny policies cannot inspect the content of the rule being created. Option C is wrong because Security Command Center detects and alerts after the rule exists; it is a detective control, not a preventive one. Option D is wrong because `compute.skipDefaultNetworkCreation` only stops new projects from receiving the default network and its permissive default rules; it does not constrain rules created afterwards.
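The precedence argument above can be exercised with a small evaluator. The following is an added example, not code from this page or from Google: it applies rules in the order Google Cloud documents (organization policy, then folder policies top-down, then the VPC network's own rules), lowest priority number first within each level, first match wins, with goto_next deferring to the next level and the implied rules (deny ingress, allow egress) as the fallback. The org policy, the project's offending allow rule and the packets are constructed.

```python
"""Evaluation order of hierarchical firewall policies versus VPC firewall rules.

Added example, not the page's or Google's code: a small model of the documented
evaluation order, with constructed rule sets and packets.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    priority: int            # lower number is evaluated first within a policy
    direction: str           # "INGRESS" or "EGRESS"
    action: str              # "allow", "deny" or "goto_next"
    src_ranges: list         # CIDR strings matched against the packet source
    ports: set = field(default_factory=set)  # empty set = any port
    protocol: str = "tcp"


def _matches(rule: Rule, pkt: dict) -> bool:
    if rule.direction != pkt["direction"] or rule.protocol != pkt["protocol"]:
        return False
    if rule.ports and pkt["port"] not in rule.ports:
        return False
    src = ipaddress.ip_address(pkt["src"])
    return any(src in ipaddress.ip_network(cidr) for cidr in rule.src_ranges)


def evaluate(levels: list, pkt: dict) -> tuple:
    """levels: [(name, [Rule, ...]), ...] ordered from organization down to the VPC.

    Returns (decision, name of the level that decided, priority of the deciding rule).
    """
    for name, rules in levels:
        for rule in sorted(rules, key=lambda r: r.priority):
            if _matches(rule, pkt):
                if rule.action == "goto_next":
                    break  # defer to the next level down the hierarchy
                return rule.action, name, rule.priority
    # nothing matched at any level: the implied rules deny ingress and allow egress
    return ("deny" if pkt["direction"] == "INGRESS" else "allow"), "implied", None


# Constructed org policy: deny internet ingress, but first defer trusted internal
# ranges so the blanket deny does not also break east-west traffic.
ORG_POLICY = [
    Rule(100, "INGRESS", "goto_next", ["10.0.0.0/8"]),
    Rule(1000, "INGRESS", "deny", ["0.0.0.0/0"]),
]
# The rule the security team wants neutralised: SSH from anywhere, created in a project.
PROJECT_VPC_RULES = [Rule(1000, "INGRESS", "allow", ["0.0.0.0/0"], {22})]
HIERARCHY = [("org", ORG_POLICY), ("project-vpc", PROJECT_VPC_RULES)]


def ssh_packet(src: str) -> dict:
    return {"direction": "INGRESS", "protocol": "tcp", "port": 22, "src": src}


def demo() -> dict:
    """The same project rule, with and without the org policy above it."""
    return {
        "internet_with_org_policy": evaluate(HIERARCHY, ssh_packet("203.0.113.5"))[:2],
        "internal_with_org_policy": evaluate(HIERARCHY, ssh_packet("10.1.2.3"))[:2],
        "internet_project_only": evaluate(HIERARCHY[1:], ssh_packet("203.0.113.5"))[:2],
    }
```

With the org policy in place the project's allow rule is never consulted for the internet source; without it the same rule opens port 22 to the world. The goto_next rule at priority 100 is the scoping caveat from the explanation made concrete: remove it and the 10.1.2.3 packet is denied as well.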

156 · MCQ · hard

You are configuring Identity-Aware Proxy (IAP) for a web application running on Compute Engine. Users authenticate through IAP and are granted access based on their email addresses. However, some users report that they are prompted to sign in multiple times during the same session. What is the most likely cause?

A. The backend service is missing the IAP session cookie validation.
B. The users are accessing the application via different browsers.
C. The backend service does not support HTTPS.
D. The IAP session timeout is set too low.
Answer: D

The IAP session length determines how long an authenticated session lasts; a short value causes frequent sign-in prompts.

Why this answer

Option D is correct because IAP's session duration is configurable; set too short, it forces users back through the sign-in flow each time it expires, which users experience as repeated prompts within one working session. Option A is wrong because the session cookie is validated by IAP itself, in front of the backend; the backend's job is to verify the signed JWT header IAP adds, not the cookie. Option B is wrong because separate browsers hold separate cookies, which would give one sign-in per browser, not repeated prompts in one session. Option C is wrong because HTTPS is a prerequisite for IAP, not a cause of re-authentication.

157 · MCQ · medium

You need to design a solution where a Cloud Function is triggered by HTTP requests from the internet, but it must also privately access a Cloud SQL instance that has no public IP. The Cloud Function should not expose the Cloud SQL instance to public traffic. Which configuration enables this?

A. Enable a public IP on the Cloud SQL instance and restrict access using Cloud SQL authorized networks.
B. Configure a Serverless VPC Access connector and attach it to the Cloud Function to access Cloud SQL via private IP.
C. Use Cloud SQL Auth Proxy on a Compute Engine VM as a jump host between the function and the database.
D. Deploy the Cloud Function in the same project as Cloud SQL; same-project resources can access each other privately by default.
Answer: B

Serverless VPC Access lets Cloud Functions reach VPC resources over private RFC 1918 addresses. The Cloud SQL instance stays private-IP-only, meeting the isolation requirement.

Why this answer

Option B is correct because a Serverless VPC Access connector lets a Cloud Function reach a Cloud SQL instance on its private IP, so the database is never exposed to the internet. The connector bridges the serverless environment into a VPC; the Cloud SQL instance must have private IP enabled, which relies on private services access (a VPC peering to Google's producer network) in the same VPC the connector attaches to. The function itself stays publicly triggerable over HTTP while its database access remains private.

Exam trap

Google Cloud often tests the misconception that resources in the same project can communicate privately by default, but the trap here is that Cloud Functions run outside your VPC and require explicit configuration (like a VPC connector) to access private IP resources such as Cloud SQL.

How to eliminate wrong answers

Option A is wrong because enabling a public IP on Cloud SQL and using authorized networks still exposes the instance to the internet, violating the requirement that the Cloud SQL instance should not be exposed to public traffic. Option C is wrong because using a Compute Engine VM as a jump host with Cloud SQL Auth Proxy introduces an unnecessary intermediary that adds latency, complexity, and a potential single point of failure, and is not the recommended or simplest solution for private access from a Cloud Function. Option D is wrong because same-project resources do not automatically have private network access; Cloud Functions run in a Google-managed environment outside your VPC by default, so they cannot reach Cloud SQL private IPs without a VPC connector or similar mechanism.

158 · MCQ · medium

A startup is building a mobile app backend. Traffic is highly variable: 10 requests/second at night, peaking to 50,000 requests/second during business hours. The backend is stateless. Which compute option best handles this traffic variability with minimal cost and operational effort?

A. Compute Engine managed instance group with autoscaling.
B. Cloud Run with concurrency and max-instances configured.
C. GKE cluster with Horizontal Pod Autoscaler.
D. App Engine Standard environment with automatic scaling.
Answer: B

Cloud Run scales from zero to thousands of container instances in seconds, absorbs the 50,000 req/s peak without any capacity you provision, and at night runs only the few instances that 10 req/s needs (or none once requests stop; idle instances are not billed under request-based pricing).

Why this answer

Cloud Run is the best choice because it is a fully managed serverless platform that scales automatically across the whole range from 10 to 50,000 requests/second with no provisioning overhead. Concurrency (80 concurrent requests per instance by default) and max-instances let you cap cost while Cloud Run adds and removes instances with traffic, which suits a stateless workload with minimal operational effort. Size the cap rather than guessing it: instances needed is roughly peak requests/second × mean request latency ÷ concurrency, so 50,000 req/s at 100 ms with concurrency 80 needs about 63 instances; a max-instances value below that (the default is 100) throttles the peak instead of serving it.

Exam trap

Google Cloud often tests the misconception that managed instance groups or GKE are more 'powerful' or 'flexible' for high traffic, but the trap here is ignoring the operational effort and cost of idle resources; candidates overlook that serverless options like Cloud Run can handle 50,000 req/s with proper concurrency tuning and are far simpler for stateless apps.

How to eliminate wrong answers

Option A is wrong because a managed instance group makes you own the VM images, patching and scaling policies, scales in minutes rather than seconds, and bills for the VMs that stay up overnight. Option C is wrong because GKE adds cluster and node-pool management plus its own scaling delays, and the control plane and nodes cost money even when idle; that is unwarranted for one stateless service. Option D is wrong because, although App Engine Standard is serverless and scales to zero, it ties you to its supported runtimes and instance classes and gives less direct control over per-instance concurrency and the instance cap than Cloud Run's concurrency and max-instances settings, which is what the question is weighing; it is a defensible alternative rather than the best fit.

159 · MCQ · medium

You need to allow a Cloud Function to write logs to Cloud Logging. The function uses a default service account. What IAM role should you grant to the service account?

A. roles/logging.logWriter
B. roles/cloudfunctions.serviceAgent
C. roles/logging.admin
D. roles/logging.viewer
Answer: A

This role allows writing log entries, appropriate for the function.

Why this answer

The function's runtime service account needs `roles/logging.logWriter` to write to Cloud Logging. The role grants `logging.logEntries.create`, the minimum permission for writing log entries. Two practical notes: anything the function writes to stdout or stderr is captured by the platform and appears in Cloud Logging without this role, so the role matters when the function calls the Cloud Logging API itself (structured entries, custom log names); and granting it to a dedicated runtime service account rather than the default one keeps to least privilege.

Exam trap

Google Cloud often tests the distinction between the Cloud Functions service agent (a Google-managed account used for orchestration) and the function's runtime service account (the App Engine default account for 1st gen, the Compute Engine default account for 2nd gen, or a dedicated one you assign), causing candidates to choose `roles/cloudfunctions.serviceAgent` for log writing.

How to eliminate wrong answers

Option B is wrong because `roles/cloudfunctions.serviceAgent` is a predefined role for the Cloud Functions service agent (a Google-managed service account), not for the function's default compute service account; it grants permissions for Cloud Functions to call other services, not to write logs. Option C is wrong because `roles/logging.admin` grants full administrative access to Logging, including deleting logs and configuring sinks, which is excessive and violates the principle of least privilege for a simple log-writing task. Option D is wrong because `roles/logging.viewer` only allows reading logs (via `logging.logEntries.list` and `logging.logs.list`), not writing them.

160 · MCQ · easy

A startup wants to set up a Google Cloud environment with minimal administrative overhead. They have a small team of developers and need to manage permissions. Which approach should they use for organizing their cloud resources?

A. Create a separate project for each developer.
B. Use a single project with IAM roles at the project level.
C. Create a single project with folders for each team.
D. Create a single organization with multiple projects for each environment.
Answer: B

Simplest approach with low administrative overhead; manages permissions directly.

Why this answer

Option B is correct because a single project with IAM roles granted at the project level is the simplest structure with the lowest administrative overhead for a small team. Option D is wrong because an organization with one project per environment adds project and policy management the team does not yet need (it is the right pattern later, once environments must be isolated). Option A is wrong because one project per developer multiplies the billing accounts, quotas and IAM bindings to manage. Option C is wrong because folders sit above projects in the resource hierarchy, under an organization, and group projects; they cannot be created inside a project.

161 · MCQ · easy

A data analytics team needs to run a Spark job on a schedule. They want to minimize operational overhead and only pay for resources used during job execution. Which service should they use?

A. Create a Dataproc cluster and keep it running for ad-hoc jobs
B. Use Dataproc workflow templates with scheduled execution
C. Provision Compute Engine instances with Spark installed and start/stop them manually
D. Use BigQuery for all analytics
Answer: B

Workflow templates create ephemeral clusters that are deleted after job completion.

Why this answer

Option B is correct because Dataproc workflow templates allow you to define a Spark job as a workflow and schedule its execution using Cloud Scheduler or a cron-like mechanism. This minimizes operational overhead by automatically provisioning a cluster, running the job, and tearing down the cluster when finished, ensuring you only pay for resources used during execution.

Exam trap

Google Cloud often tests the distinction between persistent clusters (always-on) and ephemeral clusters (created on-demand), and the trap here is that candidates may assume any Dataproc usage is cost-effective, overlooking that only workflow templates with scheduled execution enforce automatic teardown.

How to eliminate wrong answers

Option A is wrong because keeping a Dataproc cluster running 24/7 incurs continuous compute costs, even when no jobs are running, which contradicts the requirement to pay only for resources used during job execution. Option C is wrong because manually provisioning and stopping Compute Engine instances with Spark installed introduces significant operational overhead and does not provide automated scheduling or lifecycle management. Option D is wrong because BigQuery is a serverless data warehouse for SQL-based analytics, not a Spark execution environment, and cannot run Spark jobs directly.

162 · MCQ · easy

You have an Artifact Registry repository for Python packages (`format: python`). A developer needs to publish a new Python package to this repository. Which tool and configuration allows them to publish?

A. Use `pip install` pointing to the Artifact Registry URL to upload the package.
B. Use `twine upload` with the Artifact Registry Python repository URL as the repository target.
C. Use `docker push` to push the Python package as a container layer.
D. Use `gsutil cp` to copy the wheel file to the Artifact Registry bucket.
Answer: B

Twine is the standard Python packaging upload tool. Point it at the Artifact Registry Python repository URL (https://REGION-python.pkg.dev/PROJECT/REPOSITORY/) and authenticate either with the keyrings.google-artifactregistry-auth keyring backend, which uses your gcloud credentials, or with a .pypirc entry whose username is oauth2accesstoken and whose password is a short-lived access token; avoid long-lived service account keys in .pypirc.

Why this answer

B is correct because `twine` is the standard tool for uploading Python packages to package indices, and Artifact Registry's Python repositories are compatible with the PyPI API. By specifying the Artifact Registry repository URL as the `--repository-url` target in `twine upload`, the developer can authenticate via a service account or OAuth token and publish the package directly.

Exam trap

Google Cloud often tests the distinction between tools for different artifact types (pip vs. twine, docker push vs. gsutil), and the trap here is that candidates may confuse `pip install` (download) with `twine upload` (publish) because both are Python-related commands.

How to eliminate wrong answers

Option A is wrong because `pip install` is used to download and install packages, not to upload or publish them; it has no capability to push artifacts to a repository. Option C is wrong because `docker push` is used to upload container images to a container registry, not Python wheel or source distribution files to a package repository. Option D is wrong because Artifact Registry for Python packages does not expose a GCS bucket interface; `gsutil cp` works only with Cloud Storage buckets, not with the PyPI-compatible API endpoints that Artifact Registry uses.

163 · MCQ · hard

You are managing a GKE cluster that runs a mixed workload: latency-sensitive web services and batch data processing jobs. The batch jobs run for hours and consume significant CPU/memory. During batch peaks, the web services experience CPU throttling. What is the best configuration to prevent batch jobs from impacting web service latency?

A. Set CPU requests and limits on batch job pods to be lower than web service pods.
B. Assign web service pods a higher PriorityClass and run batch jobs on a separate node pool with taints.
C. Use Horizontal Pod Autoscaler for batch jobs so they scale down during peak web traffic.
D. Enable Cluster Autoscaler so new nodes are added when batch jobs demand more resources.
Answer: B

Taint the batch node pool so only pods that tolerate the taint can land there, give batch jobs that toleration plus a nodeSelector or node affinity for the pool, and taint or reserve the web pool the same way if batch pods must never share a node with web pods (a taint on the batch pool alone keeps web pods off batch nodes, not batch pods off web nodes). PriorityClass then guarantees web pods are scheduled, preempting batch pods, if the two ever compete for the same node. Together this removes batch-induced throttling.

Why this answer

Option B is correct because it uses PriorityClass to ensure web service pods are scheduled and maintained over batch pods during resource contention, while placing batch jobs on a separate node pool with taints isolates their resource consumption. This prevents batch jobs from causing CPU throttling on latency-sensitive web services by guaranteeing that web pods have priority access to CPU cycles and that batch workloads do not share nodes with web pods.

Exam trap

Google Cloud often tests the misconception that resource limits alone (Option A) or autoscaling (Options C and D) can solve resource contention, when in reality priority and isolation mechanisms are required to guarantee QoS for latency-sensitive workloads.

How to eliminate wrong answers

Option A is wrong because setting CPU requests and limits lower on batch pods does not prevent them from consuming CPU when they are scheduled on the same node as web pods; CPU throttling occurs when the node's CPU is oversubscribed, and lower limits only cap the batch pod's usage but do not guarantee that web pods get CPU time first. Option C is wrong because Horizontal Pod Autoscaler (HPA) scales batch pods based on their own metrics (e.g., CPU utilization), not on web traffic; scaling down batch jobs during web peaks would require custom metrics or manual intervention, and HPA does not inherently prioritize web services. Option D is wrong because Cluster Autoscaler adds nodes when pods are unschedulable, but it does not prevent batch jobs from being scheduled on the same nodes as web pods; if batch jobs are already running on nodes with web pods, adding new nodes does not relieve the existing CPU contention on those nodes.

164 · MCQ · easy

A developer wants to deploy a containerized web application that can scale to zero when not in use, and only pay for request processing time. Which compute service should they choose?

A. App Engine Flexible Environment
B. Cloud Functions
C. Cloud Run
D. Google Kubernetes Engine (GKE)
Answer: C

Cloud Run runs containers and scales to zero when idle.

Why this answer

Cloud Run is the correct choice because it is a managed compute platform that runs containerized applications in a serverless environment, automatically scaling to zero when there are no requests and charging only for the resources used during request processing (billed in 100-millisecond increments). This matches the requirement for a containerized web app that scales to zero and has pay-per-use pricing.

Exam trap

Google Cloud often tests the distinction between serverless compute options: candidates confuse Cloud Functions (for event-driven code) with Cloud Run (for containerized apps), or assume App Engine Flexible can scale to zero when it cannot.

How to eliminate wrong answers

Option A is wrong because App Engine Flexible Environment runs containers but does not scale to zero; it requires at least one instance to be running at all times, leading to continuous costs. Option B is wrong because Cloud Functions is serverless and scales to zero, but it is designed for event-driven functions, not containerized applications; it does not support arbitrary container images. Option D is wrong because Google Kubernetes Engine (GKE) is a Kubernetes orchestration service that can scale down, but it does not scale to zero by default (requires at least one node) and incurs costs for the underlying node pool even when idle.

165 · MCQ · easy

A team wants to create a consistent backup of a Compute Engine VM's boot disk before applying a major OS patch. The backup should be usable to restore the disk to a new VM if the patch fails. What is the recommended approach?

A. Create a custom VM image from the running instance using `gcloud compute images create`
B. Create a persistent disk snapshot using `gcloud compute disks snapshot`
C. Copy all files to a Cloud Storage bucket using gsutil rsync
D. Enable live migration for the VM — it automatically backs up state before migrations
Answer: B

Disk snapshots capture the disk's state at a point in time. A snapshot of a running disk is crash-consistent; for an application-consistent copy, stop the VM or quiesce the guest first (sync and freeze the filesystem, or pass --guest-flush on Windows to use VSS). The snapshot can then be restored to a new disk or a new VM if the patch fails.

Why this answer

Option B is correct because a persistent disk snapshot captures a point-in-time, crash-consistent backup of the disk, including the boot disk, without requiring the VM to be stopped. Snapshots are the recommended method for backing up persistent disks because they support incremental backups, can be used to create new disks, and are optimized for restore operations to a new VM. This approach ensures the backup is usable for disaster recovery if the OS patch fails.

Exam trap

The trap is confusing VM images (reusable templates for launching identical instances) with disk snapshots (incremental point-in-time backups of one disk), which leads candidates to Option A even though an image of a running instance needs --force and is not designed for rolling a single disk back.

How to eliminate wrong answers

Option A is wrong because an image is a reusable boot template, not a backup: creating one from a running instance requires --force and yields only a crash-consistent copy, images are not incremental, and "restoring" means launching a new instance from the image rather than rolling the disk back. Option C is wrong because gsutil rsync copies files, not the boot sector, partition table or system state, so the result cannot be turned back into a bootable disk for a new VM. Option D is wrong because live migration moves a running VM between hosts without downtime; it creates no backup or snapshot and is unrelated to this requirement.

166 · Drag &amp; Drop · medium

Order the steps to set up a VPC network with a subnet, firewall rule allowing SSH, and a Compute Engine instance in that subnet.


Why this order

The VPC network must exist before its subnet, and the subnet before the instance placed in it. The firewall rule (tcp:22 on that network, scoped to a source range or target tag rather than 0.0.0.0/0 where possible) can technically be created before or after the instance, since rules are evaluated live, but the expected order is VPC, subnet, firewall rule, then instance, so that SSH works from the moment the VM boots.

167 · MCQ · medium

You need to enforce that all new Cloud Storage buckets in your organization use Uniform Bucket-Level Access (UBLA) and are created in one of three approved regions: `us-central1`, `us-east1`, or `europe-west1`. What is the most efficient way to enforce both constraints?

A. Write a Cloud Function triggered by bucket creation events to check and delete non-compliant buckets.
B. Apply `storage.uniformBucketLevelAccess` and `gcp.resourceLocations` org policies at the organization level.
C. Create a custom IAM role that removes the `storage.buckets.create` permission for disallowed regions.
D. Use Terraform to provision all buckets and include validation in the Terraform plan step.
Answer: B

These two constraints enforce UBLA and the region allowlist declaratively, at creation time, for every project under the organization; a non-compliant bucket is never created. Two caveats: `gcp.resourceLocations` applies to every location-bearing resource in scope (VMs, Cloud SQL instances, GKE clusters and so on), not only buckets, so choose its allowed values with that in mind; and `storage.uniformBucketLevelAccess` affects new buckets, it does not convert existing ones.

Why this answer

Organization policies are the most efficient enforcement because the Cloud Storage API checks them when the bucket is created and rejects a violating request outright. `storage.uniformBucketLevelAccess` is a boolean constraint that requires UBLA, and `gcp.resourceLocations` is a list constraint whose allowed values name the three permitted regions; both are set once at the organization level and inherited by every project, with no per-bucket work.

Exam trap

Google Cloud often tests the distinction between preventive controls (organization policies) and detective/reactive controls (Cloud Functions, Terraform validation), and the trap here is assuming that a post-creation check or a tool-specific validation is sufficient when a native, pre-creation enforcement mechanism exists.

How to eliminate wrong answers

Option A is wrong because a Cloud Function triggered by bucket creation events is reactive and inefficient—it would delete non-compliant buckets after creation, causing unnecessary resource churn and potential data loss, and it cannot prevent the creation in the first place. Option C is wrong because IAM roles control permissions at the API level, not the allowed regions for bucket creation; removing `storage.buckets.create` for disallowed regions is not possible because IAM does not support location-based conditions for the create permission. Option D is wrong because using Terraform with validation in the plan step only enforces compliance within Terraform-managed buckets, but does not prevent non-compliant buckets from being created via the Console, gsutil, or other tools outside Terraform.

168
MCQ · medium

A GKE Pod needs to call the Cloud Storage API. The team wants to avoid creating and managing service account key files. What is the recommended approach?

A.Mount a service account JSON key file as a Kubernetes Secret and set GOOGLE_APPLICATION_CREDENTIALS
B.Enable Workload Identity on the GKE cluster and bind a Kubernetes ServiceAccount to a GCP IAM ServiceAccount
C.Rely on the GKE node's Compute Engine service account for all Pod authentication
D.Grant the GKE node pool's service account the Storage Admin role to cover all Pod needs
Answer: B

Workload Identity allows Pods to authenticate to GCP APIs through the GKE metadata server, completely eliminating the need for service account key files.

Why this answer

Workload Identity is the recommended approach because it allows a Kubernetes ServiceAccount in GKE to authenticate as a GCP IAM ServiceAccount without managing or storing any service account key files. This eliminates the security risk of key leakage and simplifies credential rotation. By binding the Kubernetes ServiceAccount to a GCP IAM ServiceAccount, Pods can directly call Cloud Storage APIs using the IAM permissions of the linked service account, with automatic token exchange via the GKE metadata server.

Exam trap

Google Cloud often tests the misconception that the node's Compute Engine service account is sufficient for Pod-level authentication, but the trap here is that this approach lacks Pod-level identity isolation and violates least privilege, whereas Workload Identity provides a secure, keyless, and granular solution.

How to eliminate wrong answers

Option A is wrong because mounting a JSON key file as a Kubernetes Secret reintroduces the management and security burden of static keys, which the team explicitly wants to avoid, and violates the principle of keyless authentication. Option C is wrong because relying on the GKE node's Compute Engine service account grants the same permissions to all Pods on the node, violating the principle of least privilege and making it impossible to scope permissions per Pod. Option D is wrong because granting the node pool's service account the Storage Admin role is an overly permissive approach that also applies to all Pods on the node, and it still uses the node's identity rather than a Pod-specific identity, failing to provide fine-grained access control.

169
MCQ · medium

A team's Cloud Build pipeline must: (1) run unit tests, (2) build a Docker image only if tests pass, (3) push the image to Artifact Registry. Which cloudbuild.yaml structure correctly enforces this sequential dependency?

A.Define all three steps in a single `steps` list — they run sequentially by default and stop on failure
B.Use `waitFor` with step IDs to create a dependency graph between all three steps
C.Define the steps in three separate cloudbuild.yaml files and chain them with Cloud Composer
D.Set `parallel: false` at the top level of cloudbuild.yaml to enforce sequential execution
Answer: A

Cloud Build steps execute sequentially by default. If any step fails (non-zero exit), the build stops and subsequent steps don't run — enforcing the test-before-build-before-push dependency.

Why this answer

Option A is correct because Cloud Build executes steps in a `steps` list sequentially by default, and any step that exits with a non-zero status (e.g., test failure) immediately stops the entire pipeline. This enforces the required dependency: unit tests must pass before the Docker image is built, and the image must be built before it is pushed to Artifact Registry.

Exam trap

Google Cloud often tests the misconception that you must explicitly use `waitFor` to enforce step dependencies, when in fact Cloud Build runs steps in a list sequentially by default and stops on failure.

How to eliminate wrong answers

Option B is wrong because using `waitFor` with step IDs is unnecessary; Cloud Build already runs steps in a list sequentially by default, and adding explicit `waitFor` only adds redundant configuration without changing behavior. Option C is wrong because Cloud Composer is a workflow orchestration service for Apache Airflow, not designed for chaining Cloud Build pipelines; it would add unnecessary complexity and cost for a simple sequential dependency. Option D is wrong because there is no `parallel: false` top-level field in cloudbuild.yaml; Cloud Build controls parallelism via `waitFor` and step ordering, not a global flag.
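As an added illustration (not part of the original question set), a minimal cloudbuild.yaml laid out as option A describes: three steps in one `steps` list, no `waitFor`. The test command, builder image and the Artifact Registry repository name `REPO` are placeholders; `$PROJECT_ID` and `$SHORT_SHA` are Cloud Build's built-in substitutions.

```yaml
# Added example: three-step Cloud Build pipeline. Steps run in list order and the
# build stops at the first non-zero exit, so the image is built only if the tests
# pass and pushed only if the build succeeds. No waitFor entries are needed.
steps:
  # Step 1: run unit tests (test image and command are placeholders).
  - id: unit-tests
    name: 'python:3.11'
    entrypoint: 'bash'
    args: ['-c', 'pip install -r requirements.txt && pytest']

  # Step 2: build the image; never reached if step 1 exited non-zero.
  - id: build-image
    name: 'gcr.io/cloud-builders/docker'
    args:
      - 'build'
      - '-t'
      - 'us-central1-docker.pkg.dev/$PROJECT_ID/REPO/app:$SHORT_SHA'
      - '.'

  # Step 3: push to Artifact Registry; runs only after step 2 succeeded.
  - id: push-image
    name: 'gcr.io/cloud-builders/docker'
    args: ['push', 'us-central1-docker.pkg.dev/$PROJECT_ID/REPO/app:$SHORT_SHA']
```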

170
MCQ · medium

A developer accidentally assigned the 'roles/editor' role to a user for a project. After revoking the role, the user still has permissions to modify resources. What is the most likely reason?

A.The user is a member of a group that still has editor role.
B.The user has been granted owner role through another binding.
C.The role revocation takes up to 24 hours to propagate.
D.The user has a more specific role that grants the same permissions.
Answer: A

Group membership persists after direct role revocation, so the user retains permissions via the group.

Why this answer

The most likely reason is that the user is a member of a Google Group that still has the 'roles/editor' role assigned at the project level. In Google Cloud IAM, permissions are inherited from group memberships, and revoking a role from a user directly does not remove permissions granted through group bindings. The user's effective permissions are the union of all roles assigned directly and indirectly via groups.

Exam trap

Google Cloud often tests the misconception that IAM changes have a propagation delay, but in Google Cloud, IAM policy updates are near-instantaneous, and the real cause of lingering permissions is almost always inherited access through groups or resource hierarchy.

How to eliminate wrong answers

Option B is wrong because if the user had been granted the 'roles/owner' role through another binding, they would have even broader permissions than editor; owner is a superset of editor, but the question only states that the user still has 'permissions to modify resources' and gives no indication of owner-level access (e.g., billing or project deletion). Option C is wrong because IAM role revocations in Google Cloud are effective within seconds, not up to 24 hours; the 24-hour propagation delay is a common misconception that applies to DNS changes, not IAM policy updates. Option D is wrong because a more specific role (e.g., a custom role with only modify permissions) would not grant the same broad 'modify resources' capability as the editor role unless it explicitly includes those permissions; the editor role is a predefined role with a wide set of permissions, and a more specific role would typically be narrower, not broader.

171
MCQ · hard

A team is using Terraform to manage infrastructure in Google Cloud. After running terraform apply, they receive an error: 'Error 409: Resource already exists'. The team needs to resolve this without deleting and recreating the resource. What should they do?

A.Run 'terraform refresh' to update the state file.
B.Import the existing resource into Terraform state with 'terraform import'.
C.Set the 'create_before_destroy' lifecycle rule on the resource.
D.Change the resource name in the Terraform configuration.
Answer: B

Importing tells Terraform to adopt the existing resource into its state.

Why this answer

Option B is correct because the 'Error 409: Resource already exists' indicates that the resource was created outside of Terraform or the state file lost track of it. Running 'terraform import' brings the existing resource under Terraform management by adding its current attributes to the state file, allowing subsequent operations without deletion or recreation.

Exam trap

Google Cloud often tests the misconception that 'terraform refresh' can fix state mismatches for missing resources, but it only syncs attributes for resources already in state; it does not import new ones.

How to eliminate wrong answers

Option A is wrong because 'terraform refresh' only updates the state file with current real-world attributes of resources already tracked in state; it cannot add a resource that is missing from state. Option C is wrong because 'create_before_destroy' is a lifecycle meta-argument that controls the order of creation and destruction during updates, not a mechanism to resolve a state mismatch or import an existing resource. Option D is wrong because changing the resource name in the configuration would cause Terraform to attempt creating a new resource with the new name, leaving the existing resource unmanaged and still causing a conflict if the original name is reused elsewhere.

172
MCQ · medium

A microservices application has intermittent high latency. The team wants to identify which specific service-to-service call in the request chain is causing the slowdown. Which Cloud Operations tool is designed for this?

A.Cloud Monitoring Metrics Explorer
B.Cloud Logging log viewer
C.Cloud Trace
D.Cloud Profiler
Answer: C

Cloud Trace instruments requests as they flow through services, recording each span's duration and parent-child relationships, making it ideal for pinpointing latency in distributed systems.

Why this answer

Cloud Trace is designed to capture latency data for individual service-to-service calls in a distributed request chain. It provides end-to-end tracing by collecting trace spans from each microservice, allowing you to pinpoint which specific call is causing the slowdown. This makes it the correct tool for identifying the exact service-to-service latency bottleneck.

Exam trap

Google Cloud often tests the distinction between tools that monitor aggregate metrics (Cloud Monitoring) versus tools that trace individual request paths (Cloud Trace), and the trap here is that candidates confuse Cloud Profiler's code-level profiling with distributed tracing, leading them to pick D instead of C.

How to eliminate wrong answers

Option A is wrong because Cloud Monitoring Metrics Explorer aggregates metrics like CPU, memory, and request counts, but it does not trace individual request paths or provide per-call latency breakdowns across services. Option B is wrong because Cloud Logging log viewer collects and filters log entries, but it lacks the distributed tracing context needed to correlate spans and measure latency for each service-to-service hop. Option D is wrong because Cloud Profiler continuously analyzes CPU and memory usage of running code to identify performance hotspots within a single service, but it does not trace request flows or measure network latency between services.

173
MCQ · hard

Your on-premises data center needs a dedicated, private connection to GCP with a guaranteed 10 Gbps bandwidth and SLA-backed availability. Internet-based VPN is not acceptable due to compliance requirements. Which connectivity option should you choose?

A.Cloud VPN with multiple tunnels for redundancy
B.Cloud Interconnect Dedicated (10 Gbps)
C.Partner Interconnect via a carrier partner
D.Cloud Router with BGP peering over the public internet
Answer: B

Dedicated Interconnect provides a private 10 Gbps or 100 Gbps circuit directly to Google's network via co-location facilities. Traffic never traverses the public internet, meeting compliance requirements with SLA-backed availability.

Why this answer

Dedicated Interconnect provides a direct, private physical connection between your on-premises network and GCP, offering up to 10 Gbps per circuit with a 99.99% SLA. Since internet-based VPN is not acceptable due to compliance requirements, this option meets the need for dedicated bandwidth and SLA-backed availability without traversing the public internet.

Exam trap

The trap here is that candidates often confuse Partner Interconnect with Dedicated Interconnect, assuming Partner Interconnect can also provide a dedicated 10 Gbps connection, but Partner Interconnect is a shared connection through a carrier and does not offer the same dedicated bandwidth or SLA guarantees.

How to eliminate wrong answers

Option A is wrong because Cloud VPN uses the public internet and cannot guarantee 10 Gbps bandwidth or meet compliance requirements that prohibit internet-based connectivity. Option C is wrong because Partner Interconnect relies on a carrier partner's network and typically offers lower bandwidth options (e.g., 50 Mbps to 10 Gbps) with a shared infrastructure, not a dedicated 10 Gbps circuit with the same SLA as Dedicated Interconnect. Option D is wrong because Cloud Router with BGP peering over the public internet is still an internet-based VPN solution, which is explicitly not acceptable due to compliance requirements.

174
Drag & Drop · medium

Order the steps to attach a persistent disk to a running Compute Engine instance and format/mount it.

Why this order

Disk must exist and be attached before formatting and mounting.

175
MCQ · medium

A team wants to configure a Cloud Scheduler job to invoke a Cloud Run service endpoint every hour using HTTP POST. The Cloud Run service requires authentication. How should the Scheduler job be configured to authenticate?

A.Include a Bearer token in the Authorization header of the scheduled HTTP request
B.Configure the Cloud Scheduler job with OIDC authentication using a service account that has Cloud Run Invoker permission
C.Make the Cloud Run service publicly accessible and use Cloud Armor to restrict access to Cloud Scheduler IPs
D.Configure an API key for the Cloud Run service and include it in the scheduled request URL
Answer: B

Cloud Scheduler supports OIDC token authentication — it generates a short-lived token for the configured service account and sends it with each request. The service account needs Cloud Run Invoker on the target service.

Why this answer

Cloud Scheduler can authenticate to Cloud Run using OIDC (OpenID Connect) by attaching a service account to the job. The scheduler obtains an OIDC token for that service account and includes it as a Bearer token in the Authorization header. The service account must have the `run.invoker` IAM role on the Cloud Run service to authorize the invocation.

Exam trap

Google Cloud often tests the distinction between OIDC and OAuth 2.0 in Cloud Scheduler, and the trap here is that candidates mistakenly think a static Bearer token or an API key can be used for Cloud Run authentication, when in fact only OIDC (or OAuth 2.0 for Google APIs) is supported for service-to-service invocation.

How to eliminate wrong answers

Option A is wrong because a static Bearer token (e.g., a long-lived personal access token) is not a supported authentication method for Cloud Scheduler; Cloud Scheduler uses OIDC or OAuth 2.0 access tokens, not arbitrary tokens. Option C is wrong because making the Cloud Run service publicly accessible defeats the purpose of requiring authentication, and Cloud Armor cannot restrict access based on Cloud Scheduler IPs since Cloud Scheduler uses a dynamic IP range that is not reliably scoped. Option D is wrong because Cloud Run does not support API key authentication; API keys are used for Google Cloud APIs (e.g., Maps), not for invoking Cloud Run services.

176
MCQ · medium

A network security team wants to capture metadata about all TCP flows entering and leaving VMs in a specific subnet — source IP, destination IP, port, and bytes transferred — for security analysis. Which GCP feature collects this data?

A.Cloud Armor security policies with logging enabled
B.VPC Flow Logs enabled on the subnet
C.Cloud Packet Mirroring — captures all traffic for deep packet inspection
D.Firewall Rules Logging on each firewall rule
Answer: B

VPC Flow Logs record sampled flow metadata (source/destination IPs, ports, protocol, bytes) for all traffic in the subnet — sent to Cloud Logging for analysis or export.

Why this answer

VPC Flow Logs capture metadata (source/destination IP, port, protocol, bytes transferred) for all TCP (and UDP/ICMP) flows entering and leaving VM instances in a subnet. This feature is specifically designed for network monitoring and security analysis, recording flow-level logs without inspecting packet payloads. Enabling VPC Flow Logs on the subnet directly meets the requirement to collect the specified metadata for all TCP flows.

Exam trap

Google Cloud often tests the distinction between metadata-only logging (VPC Flow Logs) and full-packet capture (Cloud Packet Mirroring), causing candidates to mistakenly choose Packet Mirroring when only flow metadata is required.

How to eliminate wrong answers

Option A is wrong because Cloud Armor security policies with logging only log HTTP(S) requests that are evaluated against the policy, not all TCP flows at the subnet level, and they focus on application-layer traffic, not network flow metadata like bytes transferred. Option C is wrong because Cloud Packet Mirroring copies entire packets (including payloads) for deep packet inspection, which is overkill for metadata-only collection and incurs higher cost and complexity; it does not natively produce aggregated flow metadata. Option D is wrong because Firewall Rules Logging logs only connections that match a firewall rule (allow or deny), not all TCP flows in the subnet, and it records connection metadata but not bytes transferred per flow.

177
MCQ · easy

A project was accidentally deleted. A GCP administrator realizes the mistake 3 days later. What is the maximum time window in which the project can be restored?

A.24 hours — projects are permanently deleted after one day
B.7 days — projects enter a one-week soft-delete period
C.30 days — projects can be restored using `gcloud projects undelete` within this window
D.Projects are permanently deleted immediately and cannot be recovered
Answer: C

Deleted projects remain recoverable for 30 days. `gcloud projects undelete [PROJECT_ID]` or the Console's Resource Manager page can restore the project during this period.

Why this answer

Option C is correct because Google Cloud projects have a 30-day soft-delete period after deletion. During this window, the project can be recovered using the `gcloud projects undelete` command or the Cloud Resource Manager API, restoring all associated resources and configurations.

Exam trap

The trap here is that candidates may confuse the 30-day project soft-delete period with shorter retention windows for other GCP services (like 7-day backup retention for Cloud SQL or 24-hour snapshot deletion), leading them to underestimate the recovery window.

How to eliminate wrong answers

Option A is wrong because projects are not permanently deleted after 24 hours; the soft-delete period is 30 days, not one day. Option B is wrong because the recovery window is 30 days, not 7 days; the 7-day figure might be confused with the retention period for some other GCP resources like Cloud SQL backups. Option D is wrong because projects are not permanently deleted immediately; they enter a recoverable soft-delete state for 30 days before permanent deletion.

178
MCQ · hard

A public API receives global traffic but has been targeted by both volumetric DDoS attacks and SQL injection attempts in HTTP request parameters. Which single GCP service provides protection against both threats?

A.VPC firewall rules with deny rules for known attacker IPs
B.Cloud NAT to hide backend IP addresses
C.Cloud Armor security policies on the load balancer
D.Identity-Aware Proxy (IAP) to require authentication before accessing the API
Answer: C

Cloud Armor provides both volumetric DDoS protection at Google's global edge and WAF rules (including preconfigured OWASP protection for SQL injection) — addressing both attack types from a single service.

Why this answer

Cloud Armor security policies, when attached to a Google Cloud HTTPS Load Balancer, provide both application-layer (Layer 7) protection, via pre-configured WAF rules derived from the ModSecurity Core Rule Set ('modsecurity-crs') that block SQL injection, and volumetric DDoS defense, via rate limiting and Adaptive Protection. This makes it the single GCP service that directly addresses both threats mentioned in the question.

Exam trap

Google Cloud often tests the distinction between network-layer security (VPC firewall rules) and application-layer security (Cloud Armor WAF), leading candidates to mistakenly choose VPC firewall rules because they think 'deny rules' can block attacks, but they cannot inspect HTTP payloads for SQL injection.

How to eliminate wrong answers

Option A is wrong because VPC firewall rules operate at Layer 3/4 and cannot inspect HTTP request parameters for SQL injection patterns; they also rely on static IP deny lists, which are ineffective against volumetric DDoS attacks that use many distributed source IPs. Option B is wrong because Cloud NAT only provides outbound connectivity with source NAT for private instances and does not inspect or filter inbound HTTP traffic, so it cannot block SQL injection or DDoS attacks targeting the public API. Option D is wrong because Identity-Aware Proxy (IAP) enforces authentication and authorization at the application layer but does not provide any DDoS mitigation or SQL injection detection capabilities.

179
MCQ · medium

A platform engineer is deploying a Kubernetes Job that processes a batch of records. The Job should run 10 parallel workers, each processing a subset of records, and complete when all workers finish successfully. Which Job spec configuration achieves this?

A.Set replicas: 10 in the Job spec
B.Set parallelism: 10 and completions: 10 in the Job spec
C.Create 10 separate Job objects — one per worker
D.Set concurrency: 10 in the Job spec
Answer: B

`parallelism: 10` runs up to 10 Pods simultaneously. `completions: 10` requires 10 successful completions total. Together they create a parallel batch Job.

Why this answer

Option B is correct because in Kubernetes, a Job's `parallelism` field specifies the number of Pods that can run concurrently, and `completions` specifies the total number of successful Pod completions required for the Job to be considered finished. Setting both to 10 ensures exactly 10 Pods run in parallel, each processing a subset of records, and the Job completes only when all 10 have succeeded.

Exam trap

Google Cloud often tests the distinction between Deployment fields (like `replicas`) and Job-specific fields (like `parallelism` and `completions`), trapping candidates who confuse the two or assume `replicas` applies to Jobs.

How to eliminate wrong answers

Option A is wrong because `replicas` is not a valid field in a Kubernetes Job spec; it is used in Deployments and StatefulSets to maintain a desired number of Pods, not to control parallel execution or completion count. Option C is wrong because creating 10 separate Job objects would result in 10 independent Jobs, each with its own lifecycle and status, rather than a single Job that tracks overall completion; this approach lacks coordination and does not guarantee that the batch is considered complete only when all workers finish. Option D is wrong because `concurrency` is not a valid field in a Kubernetes Job spec; it is a concept used in other systems (e.g., database connection pools) but not in the Job API, where parallelism controls concurrent Pod execution.
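As an added example (not from the original question), a Job manifest using the two fields option B names. The Job name, container image and processing command are placeholders; the manifest also goes one step beyond the question by setting `completionMode: Indexed`, so each worker can derive its own subset of records from the `JOB_COMPLETION_INDEX` environment variable that Kubernetes injects.

```yaml
# Added example: parallel batch Job. parallelism and completions are the two fields
# the question asks about; completionMode: Indexed (beyond the question) assigns each
# completion index 0..9 to exactly one Pod, exposed as JOB_COMPLETION_INDEX.
apiVersion: batch/v1
kind: Job
metadata:
  name: process-records            # placeholder name
spec:
  parallelism: 10                  # up to 10 Pods run at the same time
  completions: 10                  # Job succeeds after 10 successful completions
  completionMode: Indexed          # gives each Pod a distinct index 0-9
  backoffLimit: 4                  # retries before the Job is marked failed
  template:
    spec:
      restartPolicy: Never
      containers:
        - name: worker
          image: REGION-docker.pkg.dev/PROJECT_ID/REPO/worker:TAG   # placeholder image
          command: ["sh", "-c"]
          # Worker i handles shard i of 10; the ./process command is a placeholder.
          args:
            - |
              echo "worker $JOB_COMPLETION_INDEX processing shard $JOB_COMPLETION_INDEX of 10"
              ./process --shard "$JOB_COMPLETION_INDEX" --shards 10
```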

180
Multi-Select · medium

Which TWO actions should a Cloud Engineer take to deploy a containerized application on Cloud Run with a custom domain and SSL certificate automatically provisioned? (Choose two.)

A.Enable automatic SSL certificate provisioning
B.Create a self-managed SSL certificate in Cloud Load Balancing
C.Configure Serverless VPC Access to handle DNS
D.Create an external HTTPS load balancer in front of Cloud Run
E.Map a custom domain to the Cloud Run service in the Cloud Run console
Answers: A, E

Cloud Run automatically manages SSL when you map a domain, provided the 'automatic' certificate option is enabled (it is by default).

Why this answer

Option A is correct because Cloud Run's managed SSL feature automatically provisions and renews a Google-managed SSL certificate for the custom domain when you map it to the service. This eliminates the need for manual certificate management and is the simplest way to achieve HTTPS with a custom domain.

Exam trap

Google Cloud often tests the misconception that you need a load balancer or self-managed certificate for custom domains on serverless services, but Cloud Run's built-in domain mapping and managed SSL eliminate those requirements.

181
MCQ · hard

You are on-call and receive a PagerDuty alert: `Cloud SQL CPU utilization > 90% for 15 minutes`. Checking `pg_stat_activity`, you find 200 connections with many in `idle` state and 15 queries running for > 5 minutes each. The long queries are table scans on a 500 GB unindexed table. What should you do IMMEDIATELY to restore service, and what is the root cause fix?

A.Restart the Cloud SQL instance to clear all connections and queries.
B.Terminate the long-running table scan queries immediately, then add indexes on the frequently queried columns as the root cause fix.
C.Increase Cloud SQL's CPU to a larger machine type to handle the current load.
D.Reduce `max_connections` to prevent new connections from adding load.
Answer: B

pg_terminate_backend(pid) kills the specific long-running queries to restore CPU. Adding indexes addresses the root cause: full table scans due to missing indexes.

Why this answer

Option B is correct because terminating the long-running table scans immediately stops the CPU-intensive queries, restoring service. The root cause is the missing index on the 500 GB table, which forces sequential scans and high CPU usage. Adding indexes on frequently queried columns eliminates the need for full table scans, preventing recurrence.

Exam trap

Google Cloud often tests the distinction between immediate mitigation (terminating bad queries) and root cause fix (adding indexes), tempting candidates to choose a scaling or restart option that avoids addressing the fundamental indexing problem.

How to eliminate wrong answers

Option A is wrong because restarting the Cloud SQL instance kills all connections and queries indiscriminately, but the long-running scans will resume on restart if the root cause (missing index) is not addressed, and it causes unnecessary downtime. Option C is wrong because increasing CPU only masks the symptom; the unindexed scans will still consume excessive CPU on a larger machine, and it does not fix the underlying query performance issue. Option D is wrong because reducing max_connections does not stop the already-running long queries; it only prevents new connections, leaving the CPU-hogging scans active and service degraded.

182
MCQ · easy

A development team stores Docker images in Artifact Registry. A new team member needs to pull images to their local machine using Docker. Which command authenticates Docker to pull from a specific Artifact Registry repository in us-central1?

A.docker login us-central1-docker.pkg.dev --username=_json_key --password-stdin < key.json
B.gcloud auth configure-docker us-central1-docker.pkg.dev
C.kubectl create secret docker-registry artifactregistry --server=us-central1-docker.pkg.dev
D.gcloud artifacts docker auth --region=us-central1
Answer: B

This command configures Docker's credential helper to use gcloud credentials for the specified Artifact Registry endpoint — no key file needed if the user is authenticated with `gcloud auth login`.

Why this answer

Option B is correct because `gcloud auth configure-docker` is the official Google Cloud command that configures Docker to authenticate to Artifact Registry. When you specify the registry location (e.g., `us-central1-docker.pkg.dev`), it updates Docker's configuration file with the appropriate credential helper, enabling Docker to automatically obtain and refresh short-lived access tokens for pulling images from that specific repository.

Exam trap

The trap here is that candidates confuse `gcloud artifacts` (which manages artifact metadata) with `gcloud auth configure-docker` (which sets up Docker authentication), or they mistakenly think a static JSON key file with `docker login` is the correct approach for Artifact Registry.

How to eliminate wrong answers

Option A is wrong because `docker login` with a JSON key file is used for Docker Hub or self-managed registries, not for Artifact Registry; Artifact Registry requires a credential helper (gcloud) to handle token-based authentication, and using a static key file bypasses the short-lived token mechanism and is not the supported method. Option C is wrong because `kubectl create secret docker-registry` creates a Kubernetes secret for pulling images in a cluster, not for authenticating Docker on a local machine; it is a cluster-side operation, not a client-side authentication command. Option D is wrong because `gcloud artifacts docker auth` is not a valid command; the correct gcloud command for Docker authentication is `gcloud auth configure-docker`, and `gcloud artifacts` subcommands are for managing artifacts, not configuring Docker authentication.

183
Multi-Select · medium

A systems administrator needs to grant a group of external auditors read-only access to all resources in a GCP project, except for Cloud Storage buckets that contain sensitive data. The auditors should not be able to view the contents of those buckets. Which two IAM policies should the administrator implement? (Choose two.)

A.Assign the roles/viewer role at the project level.
B.Assign the roles/storage.objectViewer role at the project level.
C.Assign the roles/viewer role at the project level and create an IAM deny rule to deny storage.objects.list and storage.objects.get on the sensitive buckets.
D.Assign the roles/storage.admin role at the project level.
E.Assign the roles/storage.objectViewer role on the sensitive buckets with a deny condition.
Answers: A, C

roles/viewer provides read-only access to all resources except for data access in some services.

Why this answer

Option A is correct because the roles/viewer role at the project level grants read-only access to all resources in the project, including Cloud Storage buckets, but it does not grant access to the objects within those buckets. This provides the auditors with the broad read-only access they need, except for the sensitive buckets where object-level access must be explicitly denied.

Exam trap

Google Cloud often tests the distinction between bucket-level and object-level permissions, and the trap here is that candidates mistakenly think roles/viewer alone blocks object access, when in fact it grants storage.objects.list and storage.objects.get, so an explicit deny rule is required to prevent viewing bucket contents.

184
Multi-Select · hard

A developer needs to allow a CI/CD system to deploy applications to Cloud Run. The CI/CD system uses a service account. Which two roles should be granted to that service account?

A.roles/cloudbuild.builds.builder
B.roles/run.invoker
C.roles/iam.serviceAccountUser
D.roles/run.admin
E.roles/storage.objectViewer
Answers: C, D

roles/iam.serviceAccountUser allows the CI/CD service account to act as the Cloud Run runtime service account.

Why this answer

To deploy Cloud Run services, the service account needs roles/run.admin to create and manage services, and roles/iam.serviceAccountUser to act as the runtime service account. Options C and D are correct. Options A, B, and E are insufficient or unrelated.

185
MCQ · hard

Refer to the exhibit. An engineer runs this command and sees the output. The instance is unable to reach the internet. What is the most likely reason?

A. VPC firewall rules are blocking egress traffic.
B. The instance needs a Cloud NAT gateway for outbound connectivity.
C. The instance does not have a public IP address.
D. The subnetwork is misconfigured.
Answer: C

The output shows no accessConfigs, confirming no external IP.

Why this answer

The instance cannot reach the internet because it lacks a public IP address. In Google Cloud, an instance without an external IP address cannot initiate outbound connections to the internet unless a Cloud NAT or a VM with a public IP is used as a proxy. The command output likely shows that the instance only has an internal IP, confirming this as the root cause.

Exam trap

Google Cloud often tests the misconception that Cloud NAT is always required for internet access, but the trap here is that an instance with a public IP can directly reach the internet without NAT, so the absence of a public IP is the primary issue.

How to eliminate wrong answers

Option A is wrong because VPC firewall rules are stateful and allow egress traffic by default; unless explicitly blocked, they would not prevent outbound connectivity. Option B is wrong because Cloud NAT is not required for instances with a public IP; it is only needed for instances without one to access the internet. Option D is wrong because a misconfigured subnetwork would affect internal routing or IP allocation, but the instance still has a valid internal IP and the subnet is correctly assigned; the issue is the lack of a public IP, not subnet configuration.

186
MCQ · easy

Which service should be used to manage billing budgets and alerts?

A. Cloud Monitoring
B. Cloud Billing Budgets
C. Cloud Billing Reports
D. Cloud Logging
Answer: B

This service allows creating budget thresholds and alerts.

Why this answer

Cloud Billing Budgets is the correct service because it is specifically designed to allow you to set spending limits (budgets) on your Google Cloud projects, billing accounts, or folders, and to configure alerts (e.g., email notifications or Pub/Sub messages) when actual or forecasted costs exceed those thresholds. This directly addresses the requirement to manage billing budgets and alerts, whereas other services focus on monitoring infrastructure performance or logging operational data.

Exam trap

Google Cloud often tests the distinction between 'monitoring' (Cloud Monitoring) and 'billing alerts' (Cloud Billing Budgets), leading candidates to incorrectly choose Cloud Monitoring because they associate 'alerts' with performance monitoring rather than cost management.

How to eliminate wrong answers

Option A (Cloud Monitoring) is wrong because it is a service for collecting metrics, uptime checks, and alerting on infrastructure performance (e.g., CPU usage, latency), not for managing billing budgets or cost-based alerts. Option C (Cloud Billing Reports) is wrong because it provides historical cost analysis and export capabilities (e.g., BigQuery exports) but does not allow you to set proactive budget thresholds or trigger alerts when spending exceeds limits. Option D (Cloud Logging) is wrong because it is a service for storing, searching, and analyzing log data from applications and services (e.g., using Logs Explorer), not for managing financial budgets or cost alerts.

187
MCQ · hard

A Cloud Run service requires access to a private Cloud SQL instance in the same VPC. The Cloud SQL instance is not publicly accessible. How should the Cloud Run service connect to Cloud SQL without using the Cloud SQL Auth Proxy separately?

A. Use the Cloud SQL public IP with SSL required — Cloud Run can reach public IPs
B. Configure the Cloud Run service with `--add-cloudsql-instances` to connect via the built-in Auth Proxy
C. Deploy a separate Cloud SQL Auth Proxy container in the same Cloud Run service as a sidecar
D. Enable Serverless VPC Access connector to route Cloud Run traffic to the private Cloud SQL IP
Answer: B

Cloud Run natively integrates with Cloud SQL via the `--add-cloudsql-instances` flag. This configures a Unix socket via Cloud SQL Auth Proxy, providing secure, authenticated connectivity without public IPs.

Why this answer

Option B is correct because the Cloud Run service can use the `--add-cloudsql-instances` flag, which automatically deploys a built-in Cloud SQL Auth Proxy sidecar container within the same pod. This proxy establishes a secure, encrypted connection to the private Cloud SQL instance using the instance's private IP, without requiring the instance to have a public IP or the user to manage a separate proxy. The proxy authenticates via the service account attached to the Cloud Run service, enabling seamless and secure connectivity.

Exam trap

The trap here is that candidates often confuse Serverless VPC Access connectors with the Cloud SQL Auth Proxy, thinking that VPC connectivity alone is sufficient to reach a private Cloud SQL instance, but they miss that the proxy is required for authentication and encrypted tunneling even within the same VPC.

How to eliminate wrong answers

Option A is wrong because Cloud Run services can reach public IPs, but the Cloud SQL instance is explicitly not publicly accessible, so using a public IP with SSL would fail due to no public endpoint being available. Option C is wrong because deploying a separate Cloud SQL Auth Proxy container as a sidecar is unnecessary and redundant; the built-in proxy via `--add-cloudsql-instances` already handles this automatically without manual sidecar configuration. Option D is wrong because a Serverless VPC Access connector enables Cloud Run to reach resources in a VPC, but it does not provide the authentication and encryption that the Cloud SQL Auth Proxy offers; the connector alone cannot connect to Cloud SQL without additional proxy or private IP configuration.

188
MCQ · hard

A managed instance group serves production traffic. During a rolling update to a new VM template, 30% of instances become unhealthy (failing health checks). The update has not completed yet. What should the team do to immediately restore service?

A. Delete all unhealthy instances manually; the MIG will recreate them with the old template
B. Pause the rolling update, then roll back using `gcloud compute instance-groups managed rolling-action rollback`
C. Increase the target size of the MIG to dilute the unhealthy instances
D. Disable autohealing temporarily to prevent the MIG from restarting instances
Answer: B

Rolling back the MIG update reverts all instances (including the updated ones) to the previous template version, quickly restoring service.

Why this answer

Option B is correct because the `gcloud compute instance-groups managed rolling-action rollback` command immediately reverts all instances in the managed instance group (MIG) to the previous template, restoring the known-good configuration. Pausing the update first stops the rollout from continuing to affect more instances, and the rollback command then replaces the unhealthy instances with the old template, allowing health checks to pass again.

Exam trap

Google Cloud often tests the misconception that manual deletion or disabling autohealing can fix a failed rolling update, when in fact only a deliberate rollback to the previous template restores the known-good state and ensures health checks pass again.

How to eliminate wrong answers

Option A is wrong because manually deleting unhealthy instances does not guarantee they will be recreated with the old template; the MIG's current instance template is the new one, so autohealing would recreate them with the new template, perpetuating the failure. Option C is wrong because increasing the target size does not fix the underlying health issue; it only adds more instances (potentially also unhealthy if based on the new template) and does not restore service for the existing unhealthy instances. Option D is wrong because disabling autohealing prevents the MIG from replacing unhealthy instances, leaving them in a failed state and not restoring service; it merely stops the system from acting on the health check failures.

189
MCQ · hard

A service account needs to be able to create snapshots of disks in a specific project and store them in a different project. What is the correct IAM policy configuration?

A. Grant roles/compute.storageAdmin on both projects
B. Grant roles/viewer on both projects
C. Grant roles/compute.snapshotAdmin on the source project and roles/storage.objectAdmin on the target bucket
D. Grant roles/compute.instanceAdmin on the source project and roles/storage.objectAdmin on the target bucket
Answer: C

This provides snapshot creation and storage permissions.

Why this answer

Option C is correct because creating snapshots in one project and storing them in another requires distinct permissions: `roles/compute.snapshotAdmin` on the source project allows the service account to create snapshots, while `roles/storage.objectAdmin` on the target bucket (within the destination project) grants the necessary permissions to write snapshot data into the bucket. This separation follows the principle of least privilege and aligns with the cross-project snapshot workflow.

Exam trap

Google Cloud often tests the misconception that a single role like `compute.storageAdmin` or `compute.instanceAdmin` can handle cross-project snapshot operations, when in fact you need a combination of snapshot-specific and bucket-specific roles.

How to eliminate wrong answers

Option A is wrong because `roles/compute.storageAdmin` is a legacy role that grants broad storage permissions (including disks and images) but does not specifically allow snapshot creation across projects; it also over-provisions access. Option B is wrong because `roles/viewer` only provides read-only access and cannot create snapshots or write to a bucket. Option D is wrong because `roles/compute.instanceAdmin` on the source project allows managing instances but not creating snapshots of disks; snapshot creation requires `compute.snapshots.create` permission, which is not included in the instanceAdmin role.

190
MCQ · medium

A Cloud Function (gen2) is triggered by Pub/Sub messages. The function processes each message by calling three external APIs sequentially. The total processing time is 25 seconds per message. The Pub/Sub subscription's ack deadline is 10 seconds. What will happen, and how should you fix it?

A. Pub/Sub will wait indefinitely for the function to acknowledge; no issue occurs.
B. Messages will be redelivered before processing completes; extend the Pub/Sub subscription ack deadline to exceed 25 seconds.
C. The Cloud Function will automatically extend its own ack deadline via the Pub/Sub client library.
D. Increase the Cloud Function's memory to process faster and complete within 10 seconds.
Answer: B

The ack deadline must be longer than the function processing time. Extending it to 30–60 seconds prevents premature redelivery. The minimum ack deadline is 10 seconds, maximum is 600 seconds on a subscription.

Why this answer

The Pub/Sub subscription has a 10-second ack deadline, but the Cloud Function takes 25 seconds to process each message. Since the function does not acknowledge the message within the deadline, Pub/Sub considers the message unacknowledged and redelivers it, causing duplicate processing. The fix is to increase the ack deadline to exceed 25 seconds, ensuring the function has enough time to complete processing and send an acknowledgment.

Exam trap

The trap here is that candidates assume Cloud Functions automatically handle Pub/Sub ack deadlines or that increasing resources speeds up I/O-bound operations, but the exam tests understanding of the explicit ack deadline configuration and the need to match it to processing time.

How to eliminate wrong answers

Option A is wrong because Pub/Sub does not wait indefinitely; it enforces the ack deadline and redelivers messages if no acknowledgment is received within that time. Option C is wrong because the Cloud Function (gen2) does not automatically extend the ack deadline; the Pub/Sub client library can be used to modify the ack deadline programmatically, but this is not automatic and requires explicit code. Option D is wrong because increasing memory does not reduce processing time for sequential external API calls; the bottleneck is network latency and API response times, not compute speed.

191
Multi-Select · hard

An organization is designing a VPC network with connectivity to an on-premises network via Cloud VPN. They have multiple projects that need to share the VPN. Which three steps are required to implement this using Shared VPC? (Choose three.)

Select 3 answers
A. Attach the service project to the host project.
B. Create a Cloud VPN gateway in the host project.
C. Configure the VPN tunnels in the host project.
D. Enable the Shared VPC feature in the service project.
E. Create a Cloud Router in the service project.
Answers: A, B, C

Service projects must be attached to the host project to use shared resources.

Why this answer

Option A is correct because attaching the service project to the host project is a fundamental step in Shared VPC. This attachment allows the service project to use the host project's VPC network resources, including the Cloud VPN gateway and tunnels, enabling centralized connectivity without duplicating VPN infrastructure.

Exam trap

Google Cloud often tests the misconception that Shared VPC configuration steps are performed in the service project, but in reality, all networking resources (VPN gateway, tunnels, Cloud Router) must be created in the host project, and the service project is only attached to consume those resources.

192
MCQ · hard

Alice is trying to create a Pub/Sub topic in the us-east1 region using the gcloud command-line tool from her local machine. She has the roles/pubsub.editor role. The command fails with a permission denied error. What is the most likely cause?

A. The Pub/Sub API is not enabled for the project.
B. Alice does not have the roles/pubsub.editor role.
C. Alice lacks the iam.serviceAccounts.actAs permission on the Pub/Sub service account.
D. The IAM role assigned to Alice is conditional and only applies to resources in us-central1.
Answer: D

The condition in the binding restricts the role to resources with location 'us-central1', so creating a topic in us-east1 fails.

Why this answer

Option D is correct because the IAM policy shown in the exhibit includes a condition that restricts the pubsub.editor role to resources with location 'us-central1'. Since Alice is trying to create a topic in us-east1, the condition does not match and she is denied. Option A is incorrect because if the API were disabled, the error would be different.

Option C is incorrect because creating a Pub/Sub topic does not require the actAs permission; that permission is for acting as service accounts. Option B is incorrect because 'roles/pubsub.editor' is an appropriate role for creating topics, and Alice does hold it.

193
Multi-Select · easy

A developer needs to set up a Google Cloud environment for a new project. Which TWO actions are required to enable billing and APIs for the project?

Select 2 answers
A. Enable the required APIs using the Cloud Console or gcloud.
B. Configure firewall rules before enabling any APIs.
C. Create a billing account and link it to the project.
D. Set up VPC networks for all regions.
E. Assign IAM roles to all users globally.
Answers: A, C

APIs must be enabled for the services to be used in the project.

Why this answer

Options A and C are correct. Creating a billing account and linking it to the project is necessary for using billable services. Enabling the required APIs per project is also mandatory for service access.

Option E is not required initially; IAM roles are assigned as needed. Option D is not a prerequisite; VPC networks are created per requirements. Option B is incorrect because firewall rules are configured after services are enabled.

194
MCQ · hard

Based on the exhibit, which type of traffic will successfully reach the instance?

A. HTTPS traffic (port 443) from the internet
B. All inbound traffic
C. HTTP traffic from the internet (port 80)
D. No traffic; the deny-all rule takes effect
Answer: C

The allow rule matches HTTP from any source and applies to the instance.

Why this answer

Option C is correct because the exhibit shows a security group rule allowing inbound HTTP traffic (port 80) from 0.0.0.0/0, which permits any source on the internet to reach the instance on that port. Security groups in Google Cloud are stateful, so the corresponding outbound return traffic is automatically allowed. No other rule permits HTTPS or all traffic, and the implicit deny-all rule blocks anything not explicitly allowed.

Exam trap

Google Cloud often tests the misconception that the implicit deny-all rule blocks all traffic indiscriminately, but candidates must remember that explicit allow rules take precedence and permit matching traffic before the deny rule is evaluated.

How to eliminate wrong answers

Option A is wrong because the security group rules shown only allow TCP port 80 (HTTP), not port 443 (HTTPS); HTTPS traffic would be blocked by the implicit deny-all rule. Option B is wrong because security groups operate on a whitelist model—only explicitly permitted traffic is allowed, and the exhibit does not include a rule allowing all inbound traffic. Option D is wrong because the deny-all rule is the default implicit rule that applies only to traffic not matching an explicit allow rule; since HTTP traffic matches the explicit allow rule on port 80, it is permitted and the deny-all rule does not take effect for that traffic.

195
MCQ · medium

A developer reports that a Cloud Run service is returning 503 errors intermittently. Based on the log entry, what is the most likely cause?

A. The service has too few max instances configured.
B. The revision has been deleted.
C. The service's CPU throttling is too aggressive.
D. The service is experiencing cold starts with high latency.
E. The container image has a bug that prevents it from starting quickly.
Answer: D

The log directly states the instance is being started, which is typical of cold starts in Cloud Run.

Why this answer

The log indicates the instance is not ready and is being started, which is characteristic of a cold start. Cold starts occur when a new instance is created to handle incoming requests, causing a startup delay. Too few max instances (A) would lead to request queuing, not to startup log entries.

A deleted revision (B) would produce a different error. CPU throttling (C) would not cause a 'being started' message. A container bug (E) would show different errors.

196
MCQ · medium

A team needs to build a CI/CD pipeline that automatically tests and deploys to GKE when code is pushed to the main branch. Which GCP-native service builds and deploys the code automatically based on source code repository events?

A. Cloud Composer with a Git polling DAG
B. Cloud Build with a trigger configured on the repository's main branch
C. Cloud Run jobs triggered by a Pub/Sub subscription on the repository
D. Cloud Functions triggered by Cloud Source Repositories push events
Answer: B

Cloud Build Triggers monitor repository events and execute build steps defined in cloudbuild.yaml — including running tests and deploying to GKE.

Why this answer

Cloud Build is the correct GCP-native service for building and deploying code automatically based on source code repository events. By configuring a Cloud Build trigger on the main branch, any push to that branch automatically initiates a build and deployment to GKE, fulfilling the CI/CD pipeline requirement without additional orchestration.

Exam trap

Google Cloud often tests the distinction between event-driven compute services (Cloud Functions, Cloud Run) and purpose-built CI/CD services (Cloud Build), leading candidates to mistakenly choose Cloud Functions or Cloud Run because they can be triggered by repository events, even though they lack the integrated build-and-deploy pipeline required for GKE deployments.

How to eliminate wrong answers

Option A is wrong because Cloud Composer is a workflow orchestration service for Apache Airflow, not a CI/CD build-and-deploy service; using a Git polling DAG would be an inefficient, non-native workaround that does not provide event-driven, automated builds. Option C is wrong because Cloud Run jobs are designed for batch or scheduled compute tasks, not for building container images or deploying to GKE; they lack native source-code event triggers and CI/CD capabilities. Option D is wrong because Cloud Functions triggered by Cloud Source Repositories push events can run custom code on a push, but they are not designed to build container images or orchestrate deployments to GKE; they lack the integrated build, test, and deploy pipeline that Cloud Build provides.

197
Multi-Select · medium

Which TWO statements are correct about deploying an application with an HTTP(S) load balancer on Compute Engine?

Select 2 answers
A. A network load balancer can be used for UDP traffic.
B. A TCP proxy load balancer can only be used for non-HTTP traffic.
C. SSL proxy load balancers cannot terminate HTTPS traffic.
D. Internal load balancers require a proxy instance.
E. An HTTP(S) load balancer requires a backend service with a health check.
Answers: A, E

Network load balancers support UDP.

Why this answer

Option A is correct because a network load balancer (external) operates at Layer 4 and can forward UDP traffic, unlike HTTP(S) load balancers which only handle HTTP/HTTPS at Layer 7. This makes it suitable for UDP-based applications such as DNS, gaming, or streaming.

Exam trap

The trap here is that candidates confuse the TCP proxy load balancer's ability to handle HTTP traffic with the HTTP(S) load balancer's Layer 7 capabilities, leading them to incorrectly think TCP proxy is restricted to non-HTTP traffic.

198
MCQ · medium

Your application runs on GKE and needs to call the Cloud Translation API. You want to follow Google's recommended security practice for service-to-cloud-API authentication within GKE. Which approach should you use?

A. Download a service account key JSON and mount it as a Kubernetes Secret in the pod.
B. Configure Workload Identity to bind the pod's Kubernetes Service Account to a Google Service Account with Translation API access.
C. Grant the GKE node pool's service account `roles/cloudtranslate.user`.
D. Use the GOOGLE_APPLICATION_CREDENTIALS environment variable pointing to a mounted key file.
Answer: B

Workload Identity is the recommended GKE authentication mechanism. No SA keys are created — pods automatically receive short-lived credentials via the mapped Google SA, following least-privilege and eliminating key management.

Why this answer

Workload Identity is Google's recommended approach for authenticating workloads in GKE to Google Cloud APIs. It allows you to bind a Kubernetes Service Account (KSA) to a Google Service Account (GSA), so pods can impersonate the GSA without managing or storing long-lived service account keys. This eliminates the security risk of key exposure and follows the principle of least privilege.

Exam trap

Google Cloud often tests the misconception that mounting a service account key as a Kubernetes Secret is acceptable for production, but the correct answer emphasizes using Workload Identity to avoid managing static keys.

How to eliminate wrong answers

Option A is wrong because downloading a service account key JSON and mounting it as a Kubernetes Secret introduces a long-lived credential that can be leaked or misused, violating Google's recommendation to avoid static keys. Option C is wrong because granting the GKE node pool's service account `roles/cloudtranslate.user` gives all pods on that node pool access to the Translation API, breaking the principle of least privilege and not isolating permissions per workload. Option D is wrong because using the GOOGLE_APPLICATION_CREDENTIALS environment variable pointing to a mounted key file still relies on a static service account key, which is less secure than Workload Identity's token exchange mechanism.

199
MCQ · medium

A GKE node pool needs to be upgraded to a new node version. The cluster has 10 nodes. You need to minimize disruption to running workloads — no more than 2 nodes should be unavailable simultaneously. Which upgrade strategy should you configure?

A. Configure surge upgrade with `max-surge: 0, max-unavailable: 2`.
B. Configure surge upgrade with `max-surge: 10, max-unavailable: 10`.
C. Manually cordon and drain 2 nodes, upgrade them, then repeat.
D. Enable GKE Auto-upgrade with default settings.
Answer: A

max-unavailable: 2 limits simultaneous unavailable nodes to 2, meeting the requirement. max-surge: 0 means no extra nodes are provisioned (workloads are rescheduled as nodes drain sequentially in pairs).

Why this answer

Option A is correct because configuring `max-surge: 0` and `max-unavailable: 2` ensures that during the upgrade, no additional nodes are created (surge), and at most 2 nodes can be unavailable at any time. This directly satisfies the requirement of minimizing disruption by keeping at least 8 nodes available, while allowing the upgrade to proceed in controlled batches.

Exam trap

Google Cloud often tests the distinction between `max-surge` and `max-unavailable` parameters, and the trap here is that candidates may confuse `max-unavailable` with the number of nodes that can be upgraded simultaneously, or incorrectly assume that manual cordon-and-drain is the only way to control disruption, missing that GKE's surge upgrade configuration directly supports this requirement.

How to eliminate wrong answers

Option B is wrong because `max-surge: 10` would create 10 additional nodes, and `max-unavailable: 10` would allow all 10 original nodes to be unavailable simultaneously, which violates the constraint of no more than 2 nodes unavailable. Option C is wrong because manually cordoning and draining 2 nodes, upgrading them, then repeating is a valid approach but not a configured upgrade strategy within GKE's node pool upgrade settings; it requires manual intervention and does not leverage GKE's automated surge upgrade mechanism, making it less efficient and error-prone. Option D is wrong because GKE Auto-upgrade with default settings uses a rolling update with `max-surge: 1` and `max-unavailable: 0` by default, which would only upgrade one node at a time, but the question asks for a configured strategy that minimizes disruption to no more than 2 nodes unavailable, and auto-upgrade does not allow customizing these parameters to achieve the exact constraint.

200
Multi-Select · medium

A company uses preemptible VMs for batch processing. Which TWO best practices should be implemented to improve resilience and manageability? (Choose 2)

Select 2 answers
A. Use persistent disks to store application state.
B. Use instance metadata to pass configuration parameters.
C. Use Cloud Functions to monitor instance termination.
D. Use startup scripts to prepare the instance environment.
E. Use persistent disk snapshots for backup.
Answers: B, D

Metadata allows dynamic configuration without modifying the image.

Why this answer

Option B is correct because instance metadata is a key-value store that can be used to pass configuration parameters to preemptible VMs at boot time. Since preemptible VMs can be terminated at any time, using metadata ensures that new instances can be recreated with the same configuration without manual intervention. This improves manageability by centralizing configuration and resilience by enabling automated re-provisioning.

Exam trap

Google Cloud often tests the misconception that persistent disks or snapshots are needed for resilience with preemptible VMs, but the correct approach is to treat them as stateless and use external storage for state, with metadata and startup scripts for configuration and initialization.

201
MCQ · medium

A security audit found that several Cloud Storage buckets in your project have `allAuthenticatedUsers` in their IAM policy with `storage.objectViewer`. What does `allAuthenticatedUsers` grant, and why is it a security risk?

A. It grants access only to users within your Google Workspace domain — a minor risk if your domain is small.
B. It grants read access to any person with a Google account — effectively near-public access since Google accounts are free to create.
C. It grants access only to Google service accounts, which is acceptable since those are controlled.
D. It grants access to authenticated GCP users in your organization's IAM policy — this is normal for shared resources.
Answer: B

allAuthenticatedUsers means any Google account holder worldwide. Since Google accounts are free, this is nearly equivalent to public access and is inappropriate for internal data.

Why this answer

`allAuthenticatedUsers` is a special IAM member that includes any person authenticated with a Google account, regardless of whether they belong to your organization or domain. Granting `storage.objectViewer` to this group means anyone with a free Google account (e.g., Gmail) can list and read objects in the bucket, making the data effectively public. This is a significant security risk because it exposes sensitive data to a vast, uncontrolled audience.

Exam trap

Google Cloud often tests the distinction between `allAuthenticatedUsers` and `allUsers`, where candidates mistakenly think `allAuthenticatedUsers` is safe because it requires authentication, but the trap is that any Google account (free or otherwise) qualifies, making it nearly as risky as `allUsers` for sensitive data.

How to eliminate wrong answers

Option A is wrong because `allAuthenticatedUsers` is not restricted to a Google Workspace domain; it includes all Google account holders, not just domain users. Option C is wrong because `allAuthenticatedUsers` includes human users with Google accounts, not just service accounts; service accounts are covered by `allUsers` or specific service account emails. Option D is wrong because `allAuthenticatedUsers` is not limited to users in your organization's IAM policy; it encompasses any authenticated Google identity, including external users.
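The two IAM checks behind questions 192 (a role binding whose condition restricts it to one location) and 201 (`allAuthenticatedUsers` granted on a bucket) can be run offline against a policy in the JSON shape that `gcloud ... get-iam-policy --format=json` prints. The following is an added Python example, not code from the original page or from Google: the sample policy, the project name and the principal e-mail addresses are constructed, and the condition evaluator understands only `resource.location == "<region>"` comparisons, a deliberate simplification of CEL for this illustration.

```python
"""Offline audit of an IAM policy document.

Check 1 - public principals: flag any binding that grants a role to
          allUsers (no authentication) or allAuthenticatedUsers (any
          Google account holder worldwide, i.e. near-public).
Check 2 - conditional bindings: decide whether a principal actually holds
          a role for a resource in a given location when the binding
          carries a location condition, which is why a pubsub.editor
          scoped to us-central1 is denied when creating in us-east1.
"""
import json
import re
from typing import Dict, List, Optional

# Constructed sample policy (not from any real project).
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["allAuthenticatedUsers", "group:auditors@example.com"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:etl@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/pubsub.editor",
         "members": ["user:alice@example.com"],
         "condition": {"title": "us-central1 only",
                       "expression": 'resource.location == "us-central1"'}},
    ]
})

# Reason text attached to each public-principal finding.
PUBLIC_PRINCIPALS = {
    "allUsers": "anyone on the internet, no authentication required",
    "allAuthenticatedUsers": "any Google account holder worldwide (near-public)",
}

# Simplified CEL: only  resource.location == "<region>"  is recognised (assumption).
_LOCATION_EQ = re.compile(r'^\s*resource\.location\s*==\s*"([^"]+)"\s*$')


def find_public_bindings(policy_json: str) -> List[Dict[str, str]]:
    """Return one finding per (role, public principal) pair in the policy."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append({"role": binding["role"], "member": member,
                                 "reason": PUBLIC_PRINCIPALS[member]})
    return findings


def condition_allows(expression: Optional[str], location: str) -> bool:
    """Evaluate a binding condition for a resource in `location`.

    An unconditional binding always applies. A condition in a form this
    evaluator does not understand is treated as not matching, so the
    safe default is to report the role as not granted.
    """
    if expression is None:
        return True
    match = _LOCATION_EQ.match(expression)
    return bool(match) and match.group(1) == location


def has_role(policy_json: str, member: str, role: str, location: str) -> bool:
    """True if `member` holds `role` for a resource in `location`."""
    policy = json.loads(policy_json)
    for binding in policy.get("bindings", []):
        if binding["role"] != role or member not in binding.get("members", []):
            continue
        expression = binding.get("condition", {}).get("expression")
        if condition_allows(expression, location):
            return True
    return False


if __name__ == "__main__":
    for finding in find_public_bindings(SAMPLE_POLICY):
        print(f"PUBLIC: {finding['role']} -> {finding['member']} ({finding['reason']})")
    for region in ("us-central1", "us-east1"):
        granted = has_role(SAMPLE_POLICY, "user:alice@example.com",
                           "roles/pubsub.editor", region)
        print(f"alice roles/pubsub.editor in {region}: {'granted' if granted else 'denied'}")
```

Running the script reports the `allAuthenticatedUsers` grant on `roles/storage.objectViewer` as a public finding and shows the conditional `roles/pubsub.editor` binding granting in us-central1 but denying in us-east1. Treating unrecognised conditions as non-matching is the conservative choice for an audit: it can only under-report what a principal holds, never overstate it.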

202
MCQ · medium

A GKE application Pod needs a sidecar container that proxies all outbound network requests through an audit logger before they reach the internet. Both containers share the same network namespace. Which Kubernetes pattern implements this?

A. Run the audit logger as a separate Deployment and route traffic via a Service
B. Add the audit logger as a second container in the same Pod spec (sidecar pattern)
C. Use a DaemonSet for the audit logger on each node to intercept node-level traffic
D. Add an initContainer to start the audit logger before the main application
Answer: B

Containers in the same Pod share the network namespace — the sidecar can listen on localhost and proxy all traffic before it leaves the Pod's network namespace.

Why this answer

Option B is correct because the sidecar pattern allows two containers to share the same network namespace within a single Pod, enabling the audit logger to intercept all outbound traffic from the application container before it reaches the internet. This is achieved by configuring the application container to route its outbound requests through the sidecar (e.g., via a localhost proxy or iptables rules), ensuring all traffic is logged without external network hops.

Exam trap

Google Cloud often tests the distinction between initContainers and sidecars, where candidates mistakenly choose initContainers because they think 'start before the main app' implies ongoing traffic interception, but initContainers exit after completion and cannot proxy runtime traffic.

How to eliminate wrong answers

Option A is wrong because running the audit logger as a separate Deployment and routing traffic via a Service introduces network latency and a separate IP address, breaking the requirement for the sidecar to intercept traffic within the same network namespace; the application would need to be explicitly configured to use the Service, which is not a transparent proxy. Option C is wrong because a DaemonSet runs a pod on each node for node-level traffic interception (e.g., using eBPF or iptables), but it does not share the same network namespace as the application Pod and cannot intercept per-Pod outbound requests without complex network policies. Option D is wrong because an initContainer runs to completion before the main application starts and cannot persist to proxy ongoing outbound traffic; it is used for setup tasks, not for runtime traffic interception.

203
MCQmedium

A company is using BigQuery for analytics. They notice that queries are slow and expensive. The data is loaded daily into a single table. Which action would most improve performance and reduce cost?

A.Use a flat-rate reservation to improve query concurrency.
B.Denormalize the table to reduce joins.
C.Increase the number of slots available for the project.
D.Partition the table by date and cluster by frequently filtered columns.
AnswerD

Partitioning lets BigQuery prune partitions and clustering makes filters more efficient, both of which reduce the amount of data scanned.

Why this answer

Partitioning the table by date allows BigQuery to prune partitions during query execution, scanning only the relevant daily data instead of the entire table. Clustering on frequently filtered columns further reduces the data scanned by sorting data within partitions. This directly reduces both query cost (pay-per-byte) and latency, addressing the core issue of slow, expensive queries on a large daily-loaded table.

Exam trap

Google Cloud often tests the misconception that increasing compute resources (slots or concurrency) is the primary fix for slow queries, when in reality data pruning via partitioning and clustering is the first and most impactful optimization for cost and performance.

How to eliminate wrong answers

Option A is wrong because a flat-rate reservation improves query concurrency and provides predictable slot capacity, but it does not reduce the amount of data scanned per query; slow and expensive queries due to scanning the entire table would persist. Option B is wrong because denormalization reduces joins but does not address the primary issue of scanning a massive single table; it may even increase storage costs and data scanned if not combined with partitioning/clustering. Option C is wrong because increasing slots (via reservations or flex slots) improves query execution speed by providing more parallel processing, but it does not reduce the bytes billed; queries would still scan the entire table, keeping costs high.

204
Matchingmedium

Match each Google Cloud security term to its definition.


Concepts
Matches

Key management service for encryption

Hardware security module for key storage

Security perimeters to prevent data exfiltration

Web application firewall and DDoS protection

Centralized security and risk management platform

Why these pairings

These services provide security controls in GCP.

205
MCQmedium

A platform admin creates a new GCP project for a team. The team lead's email is teamlead@company.com. The admin needs the team lead to be able to create resources in the project but not manage IAM policies or billing. Which role is most appropriate?

A.Owner
B.Editor
C.Viewer
D.Billing Account Administrator
AnswerB

Editor grants broad create/read/update/delete on GCP resources while excluding IAM policy changes and billing management — matching the requirement precisely.

Why this answer

The Editor role (roles/editor) grants all permissions necessary to create, modify, and delete resources within a GCP project, but explicitly excludes permissions to manage IAM policies (roles/iam.securityAdmin or roles/owner) and billing (roles/billing.admin). This makes it the correct choice for a team lead who needs to deploy and manage resources without having the ability to change access controls or alter billing configurations.

Exam trap

Google Cloud often tests the distinction between resource-level permissions and management-level permissions, and the trap here is that candidates may confuse the Editor role with Owner because both can create resources, but only Owner can manage IAM and billing.

How to eliminate wrong answers

Option A is wrong because the Owner role (roles/owner) includes all Editor permissions plus the ability to manage IAM policies and billing, which violates the requirement that the team lead should not manage IAM or billing. Option C is wrong because the Viewer role (roles/viewer) only allows read-only access to existing resources and does not permit creating any resources. Option D is wrong because the Billing Account Administrator role (roles/billing.admin) manages billing accounts and budgets but does not grant any permissions to create project resources.

206
MCQmedium

A company is migrating a legacy monolithic application to Google Cloud. The application runs on a single VM and contains both the web server and backend processes. The team wants to separate concerns and deploy the web tier on Cloud Run and the backend on Compute Engine. They need to allow the Cloud Run service to initiate HTTPS connections to the backend VM. What is the most secure way to accomplish this?

A.Assign a public IP to the backend VM and configure firewall rules to allow HTTPS from any source
B.Set up a VPN tunnel between Cloud Run and the VPC
C.Use Cloud NAT to provide outbound internet access to Cloud Run
D.Use Serverless VPC Access to connect Cloud Run to the VPC, and keep the VM internal
AnswerD

Serverless VPC Access enables private communication without public exposure.

Why this answer

Option D is correct because Serverless VPC Access creates a direct, private connection between Cloud Run and your VPC, allowing the Cloud Run service to reach the backend VM using its internal IP address. This avoids exposing the VM to the public internet, which is the most secure approach for initiating HTTPS connections between the two tiers.

Exam trap

Google Cloud often tests the misconception that Cloud NAT or public IPs are needed for serverless-to-VM communication, but the correct approach is to use Serverless VPC Access for private, secure connectivity without exposing the backend.

How to eliminate wrong answers

Option A is wrong because assigning a public IP and allowing HTTPS from any source exposes the backend VM to the entire internet, violating the principle of least privilege and creating a significant security risk. Option B is wrong because a VPN tunnel is used to connect external networks (e.g., on-premises) to a VPC, not to connect a serverless service like Cloud Run to a VM within the same VPC. Option C is wrong because Cloud NAT provides outbound internet access for private instances, but Cloud Run already has outbound internet access by default; the issue is inbound connectivity to the backend VM, which Cloud NAT does not address.

207
Matchingmedium

Match each GCP networking concept to its description.


Concepts
Matches

Virtual private cloud network

Regional IP address range within a VPC

Outbound internet access for private instances

Distributes traffic across instances

Content delivery network for low-latency delivery

Why these pairings

These are fundamental networking components in GCP.

208
MCQhard

A Cloud KMS key used to encrypt a Cloud Storage bucket's data is being destroyed. What happens to the data in the bucket when the KMS key is destroyed?

A.The data in Cloud Storage is automatically deleted along with the key.
B.The encrypted data becomes permanently inaccessible (cryptographic erasure) since the decryption key no longer exists.
C.Cloud Storage automatically re-encrypts the data using Google-managed keys as a fallback.
D.The key enters a 'disabled' state where data can still be decrypted by Google support.
AnswerB

Without the KMS key, the wrapped data encryption key used in envelope encryption can no longer be unwrapped. The ciphertext in GCS remains but is unreadable — effective data deletion without physical deletion.

Why this answer

When a Cloud KMS key is destroyed, the encrypted data in Cloud Storage becomes permanently inaccessible because the cryptographic key material is irrecoverably deleted. This is known as cryptographic erasure: without the key, the ciphertext cannot be decrypted, even though the raw encrypted bytes still exist in the bucket. Cloud Storage does not store a copy of the KMS key, and there is no fallback mechanism to re-encrypt or recover the data.

Exam trap

Google Cloud often tests the misconception that destroying a KMS key triggers automatic data deletion or that Google provides a fallback re-encryption mechanism, when in fact the data remains but is cryptographically erased and unrecoverable.

How to eliminate wrong answers

Option A is wrong because destroying the KMS key does not trigger automatic deletion of the encrypted data objects in Cloud Storage; the objects remain but are unreadable. Option C is wrong because Cloud Storage does not automatically re-encrypt data with Google-managed keys when a customer-managed KMS key is destroyed; the data remains encrypted with the destroyed key and is permanently inaccessible. Option D is wrong because key destruction is irreversible and does not enter a 'disabled' state; Google Support cannot decrypt data after a KMS key is destroyed, as the key material is permanently deleted and no backup exists.

209
MCQhard

Your Cloud SQL for MySQL primary instance in `us-central1` has failed. Cloud SQL HA automatically fails over to the standby. After the failover, your application is experiencing intermittent connection errors. What is the most likely cause and solution?

A.The standby instance has a different IP address; update the connection string.
B.Application connection pools hold stale connections to the failed primary; configure pools to validate connections and reconnect after failure.
C.The standby replica must be manually promoted before it can accept connections.
D.The MySQL binary log is incomplete after failover; run `mysqlcheck` to repair tables.
AnswerB

Stale connection pool entries are the most common cause of post-failover errors. Configuring connection validation on borrow and using the Cloud SQL Auth Proxy (which handles reconnection transparently) resolves this.

Why this answer

Option B is correct because after a Cloud SQL HA failover, the standby instance becomes the new primary with the same IP address, but existing application connections that were established to the old primary are now broken. Connection pools that do not validate connections before reuse will attempt to use these stale connections, causing intermittent errors. Configuring the pool to test connections (e.g., via `SELECT 1` or JDBC `connectionTestQuery`) and automatically reconnect resolves this by discarding dead connections and establishing fresh ones to the new primary.

Exam trap

Google Cloud often tests the misconception that IP addresses change during HA failover, leading candidates to incorrectly choose Option A, but in Cloud SQL HA the VIP remains constant, and the real issue is stale connections in the application pool.

How to eliminate wrong answers

Option A is wrong because Cloud SQL HA failover preserves the same IP address (the VIP is moved to the standby), so updating the connection string is unnecessary and would not fix stale connection pool issues. Option C is wrong because Cloud SQL HA automatically promotes the standby to primary during failover; no manual promotion is required, and the standby accepts connections immediately after failover completes. Option D is wrong because MySQL binary logs are replicated continuously to the standby in HA configurations, so the binary log is not incomplete after failover; `mysqlcheck` is used for table corruption repair, not for connection errors, and is unrelated to the described symptom.

210
MCQmedium

A DevOps team monitors a Cloud SQL instance and notices its CPU is consistently above 85% for several hours. The instance handles a critical production database. What should be the team's immediate action?

A.Enable read replicas to distribute query load
B.Scale up the Cloud SQL instance machine type to add more vCPUs
C.Restart the Cloud SQL instance to clear CPU-intensive processes
D.Delete and recreate the instance with a larger machine type
AnswerB

Scaling up the Cloud SQL instance (more CPUs/RAM) immediately provides more compute capacity. For Cloud SQL, this operation involves a brief restart but is the fastest relief for CPU saturation.

Why this answer

Scaling up the Cloud SQL instance to a larger machine type with more vCPUs directly addresses sustained high CPU utilization by providing additional compute capacity. This is the immediate corrective action for a critical production database because it increases the instance's processing power without requiring architectural changes or downtime (if using a rolling update). Read replicas help with read-heavy workloads but do not reduce CPU load from write operations or complex queries on the primary instance.

Exam trap

Google Cloud often tests the misconception that read replicas can solve all performance issues, but the trap here is that replicas only help with read scaling, not CPU-bound write or compute workloads on the primary instance.

How to eliminate wrong answers

Option A is wrong because enabling read replicas offloads read queries but does not reduce CPU usage from write operations, DDL statements, or complex queries that execute on the primary instance; the primary's CPU would remain high. Option C is wrong because restarting the instance only temporarily clears transient processes; the underlying workload or insufficient capacity will cause CPU to spike again, and restarting a critical production database risks downtime and connection drops. Option D is wrong because deleting and recreating the instance is unnecessarily destructive and causes extended downtime; scaling up the machine type can be done via a rolling update with minimal disruption, whereas recreating requires restoring from backup.

211
MCQmedium

A team wants to grant a contractor the Storage Object Viewer role on a specific bucket path, but only during business hours (Monday–Friday, 9am–5pm local time). Which IAM feature supports these conditions?

A.IAM deny policies scoped to non-business hours
B.IAM Conditions on the role binding
C.VPC Service Controls with a time-based access policy
D.Cloud Scheduler removing and re-adding the IAM binding on a schedule
AnswerB

IAM Conditions allow adding time-based (date/time of day, day of week) and resource-based (resource name prefix) constraints directly to role bindings without modifying the broader IAM policy.

Why this answer

IAM Conditions allow you to define time-based constraints on role bindings using the `request.time` attribute. By setting a condition that restricts access to Monday–Friday, 9am–5pm, the contractor is granted the Storage Object Viewer role only during those hours. This is the native IAM feature designed for such fine-grained, attribute-based access control.

Exam trap

Google Cloud often tests the distinction between IAM Conditions (which are attribute-based and evaluated at runtime) and external scheduling mechanisms like Cloud Scheduler, leading candidates to mistakenly choose the latter as a 'valid' solution despite its lack of native IAM integration and potential for access gaps.

How to eliminate wrong answers

Option A is wrong because IAM deny policies are used to explicitly deny access regardless of other allow policies, but they cannot be scoped to non-business hours in a way that grants access during business hours; they would deny access at all times unless combined with an allow policy, which is not the intended use. Option C is wrong because VPC Service Controls are designed to protect data within a VPC service perimeter based on network context and identity, not to enforce time-based access conditions on IAM roles. Option D is wrong because Cloud Scheduler removing and re-adding IAM bindings on a schedule is an overly complex, error-prone workaround that introduces latency and potential race conditions; it is not an IAM feature and does not provide real-time conditional access.

212
MCQeasy

A user wants to use gcloud to create a Cloud Storage bucket but receives a permission denied error. What is the most likely cause?

A.The bucket name is already taken
B.The user is not authenticated
C.The user does not have storage.buckets.create permission
D.The project does not have billing enabled
AnswerC

Permission denied indicates missing IAM permissions.

Why this answer

C is correct because Cloud Storage uses IAM permissions to control access to bucket creation. The specific permission required is `storage.buckets.create`, which must be granted at the project level. Without this permission, the gcloud command will fail with a permission denied error, even if the user is authenticated and billing is enabled.

Exam trap

Google Cloud often tests the distinction between authentication (who you are) and authorization (what you can do), so the trap here is that candidates may confuse a permission denied error with an authentication failure or a naming conflict.

How to eliminate wrong answers

Option A is wrong because a bucket name being taken results in a '409 Conflict' error, not a permission denied error. Option B is wrong because if the user is not authenticated, gcloud would return an authentication error (e.g., 'ERROR: (gcloud) You do not have permission to access project') or prompt for login, not a generic permission denied. Option D is wrong because billing is not required to create a bucket; it is required for using the bucket (e.g., storing data) but not for the creation API call itself.

213
MCQmedium

A Cloud Identity admin needs to grant a user access to manage billing for a specific GCP project without giving them access to any other projects in the organization. Which role should be assigned at the project level?

A.Billing Account Administrator at the organization level
B.Project Billing Manager on the specific project
C.Editor on the specific project
D.Billing Account User at the billing account level
AnswerB

Project Billing Manager (roles/billing.projectManager) grants the ability to link or unlink a billing account for a single project, with no other project access.

Why this answer

The Project Billing Manager role is the correct choice because it grants permissions to manage billing for a specific GCP project, including viewing billing reports and setting budget alerts, without providing access to other projects. This role is assigned at the project level, ensuring the user's billing management scope is limited to that single project.

Exam trap

The trap here is that candidates often confuse the Project Billing Manager role with the Billing Account User role, mistakenly thinking the latter provides project-level billing management, when in fact it only allows linking projects to a billing account and does not grant billing management permissions for a specific project.

How to eliminate wrong answers

Option A is wrong because the Billing Account Administrator role at the organization level grants full control over the billing account, including the ability to link or unlink projects, which would give the user access to billing for all projects under that billing account, not just the specific one. Option C is wrong because the Editor role on the specific project includes permissions to modify project resources (e.g., compute, storage) beyond billing management, violating the principle of least privilege. Option D is wrong because the Billing Account User role at the billing account level allows the user to link projects to the billing account but does not grant permissions to manage billing for a specific project; it is designed for users who need to associate projects with a billing account, not for project-level billing administration.

214
Multi-Selecteasy

A developer is deploying an HTTP-triggered Cloud Function for a production application. Which TWO configuration options should be applied to ensure security and control costs? (Choose two.)

Select 2 answers
A.Allow unauthenticated invocations
B.Set a maximum instances limit
C.Set minimum instances to 0
D.Configure a custom domain for the function
E.Use a service account to authenticate invocations
AnswersB, E

Maximum instances prevents uncontrolled scaling and cost spikes.

Why this answer

Setting a maximum instances limit (option B) is correct because it prevents uncontrolled scaling of Cloud Functions, which could lead to excessive costs due to high concurrency. By capping the number of concurrent function instances, you ensure that even under heavy load, the function does not scale beyond a predefined budget, directly controlling cost in a production environment.

Exam trap

Google Cloud often tests the misconception that setting minimum instances to 0 is a cost-saving measure, but it is actually the default and does not control costs; the trap is confusing 'minimum instances' with 'maximum instances' for cost control.

215
MCQhard

A company uses Cloud CDN to accelerate content delivery. They notice that some requests are not being cached, despite the cache-control headers being set correctly. The origin is a Compute Engine instance behind an HTTP load balancer. What is a likely cause?

A.The cache key includes the query string, causing too many variations.
B.The load balancer is using HTTP/2, which disables caching.
C.The content type is not supported by Cloud CDN.
D.The origin returns a Set-Cookie header, which prevents caching by default.
AnswerD

Set-Cookie headers make Cloud CDN skip caching by default.

Why this answer

Cloud CDN will not cache responses that include a Set-Cookie header by default, even if Cache-Control headers are correctly set. This is because Set-Cookie indicates user-specific or session-specific content, and caching it could lead to serving private data to other users. The origin (Compute Engine behind an HTTP load balancer) returning Set-Cookie effectively disables caching for those responses.

Exam trap

The trap here is that candidates often focus on cache-control headers or query strings, but Google Cloud tests the less obvious behavior that Set-Cookie headers implicitly prevent caching in Cloud CDN, even when other caching directives appear correct.

How to eliminate wrong answers

Option A is wrong because query string variations in the cache key can reduce cache hit ratio but do not prevent caching entirely; Cloud CDN can still cache responses with query strings if the cache key is configured appropriately. Option B is wrong because HTTP/2 does not disable caching; Cloud CDN fully supports HTTP/2 and caching behavior is independent of the HTTP version. Option C is wrong because Cloud CDN supports caching for all standard content types (e.g., text, image, video, application) and does not restrict caching based on content type.

216
MCQhard

A platform team is deploying a multi-tier application on GKE: a frontend Deployment, a backend Deployment, and a Redis StatefulSet. The backend must be reachable by name from the frontend, but not from outside the cluster. Which Kubernetes resource enables internal name-based service discovery?

A.A NodePort Service for the backend
B.A ClusterIP Service for the backend
C.A LoadBalancer Service for the backend
D.A Kubernetes Ingress resource for the backend
AnswerB

ClusterIP Services get a stable cluster-internal IP and DNS name. Pods within the cluster resolve the service by name; it's not reachable from outside.

Why this answer

A ClusterIP Service exposes the backend Pods on a stable, internal IP address that is only reachable from within the GKE cluster. The frontend can resolve the backend by the Service's DNS name (e.g., `backend.default.svc.cluster.local`) using the cluster's internal DNS (CoreDNS), enabling name-based service discovery without exposing the backend to external traffic.

Exam trap

Google Cloud often tests the misconception that Ingress is used for internal service discovery, but Ingress is an external-facing layer-7 routing resource that requires a Service (typically ClusterIP or NodePort) to route traffic, and it does not provide internal DNS-based name resolution by itself.

How to eliminate wrong answers

Option A is wrong because a NodePort Service exposes the backend on a static port on every node's IP address, making it reachable from outside the cluster, which violates the requirement that the backend not be accessible externally. Option C is wrong because a LoadBalancer Service provisions an external cloud load balancer with a public IP, explicitly exposing the backend to the internet or external networks. Option D is wrong because a Kubernetes Ingress resource is an API object that manages external HTTP/S traffic routing to Services, typically requiring an Ingress controller and exposing the backend to external clients; it does not provide internal-only name-based discovery.

217
Multi-Selecthard

Which TWO configurations are required to deploy a stateful workload on a regional managed instance group in Compute Engine? (Choose two.)

Select 2 answers
A.Define a stateful configuration that includes persistent disk
B.Configure a health check for the instance group
C.Assign static internal IPs to each instance
D.Attach a GPU to the instance template
E.Enable autoscaling
AnswersA, B

Stateful configuration ensures that persistent disks are preserved when instances are recreated.

Why this answer

Option A is correct because a stateful workload requires persistent data that survives instance restarts or failures. A stateful configuration in a regional managed instance group (MIG) must include a persistent disk definition to ensure that the disk is preserved and reattached to the new instance when the instance is recreated, maintaining state across instance lifecycle events.

Exam trap

Google Cloud often tests the misconception that autoscaling is required for any managed instance group, but for stateful workloads, autoscaling is typically avoided because it can lead to data loss by automatically terminating instances without preserving their stateful disks.

218
MCQmedium

A team's Cloud Build jobs are consistently failing with 'quota exceeded' errors. Billing is active and the project has available budget. What should the team do?

A.Delete unused projects in the same organization to release global quota
B.Upgrade the billing account to a higher payment tier
C.Request a quota increase for the Cloud Build API in the project settings
D.Use a larger machine type for Cloud Build worker pools
AnswerC

Navigating to IAM & Admin > Quotas (or the Cloud Quotas product) and submitting a quota increase request for Cloud Build resolves this issue.

Why this answer

Option C is correct because Cloud Build quota errors indicate that the project has reached its API rate limit or concurrent build limit, not a billing issue. Quotas are per-project and can be increased by requesting a higher limit from the Cloud Build API quotas page in the Google Cloud Console. Billing being active and having budget means the issue is not financial, so the team must specifically request a quota increase for the Cloud Build API.

Exam trap

The trap here is that candidates confuse billing-related errors (e.g., 'insufficient funds') with quota errors (e.g., 'quota exceeded'), leading them to incorrectly choose billing upgrades or project deletions instead of recognizing that API quotas are a separate, project-level limit that must be explicitly increased.

How to eliminate wrong answers

Option A is wrong because deleting unused projects does not release global quota; quotas are per-project and independent, so removing other projects has no effect on the Cloud Build quota in the affected project. Option B is wrong because upgrading the billing account to a higher payment tier does not affect API quotas; billing tiers relate to payment methods and invoicing, not resource limits. Option D is wrong because using a larger machine type for Cloud Build worker pools changes the compute resources for builds but does not increase the API quota for the number of concurrent builds or API requests; quota errors are about rate limits, not machine size.

219
MCQmedium

A network team is creating a new VPC and must decide between auto mode and custom mode. Why would they choose custom mode?

A.Auto mode VPCs cost more per subnet than custom mode
B.Custom mode allows full control over which regions have subnets and what CIDR ranges are used
C.Auto mode VPCs cannot be used with GKE clusters
D.Custom mode VPCs support more IP addresses per subnet than auto mode
AnswerB

In custom mode, the team creates subnets explicitly, choosing regions and CIDRs. This avoids CIDR conflicts with on-premises networks and prevents unnecessary subnet sprawl.

Why this answer

Custom mode VPCs give the network team full control over the IP address range (CIDR block) and the ability to create subnets in any region, unlike auto mode VPCs which automatically create subnets in every region with a fixed /20 range per region. This is essential when you need to avoid overlapping CIDRs with on-premises networks or other VPCs, or when you want to restrict subnets to specific regions for compliance or cost reasons.

Exam trap

Google Cloud often tests the misconception that auto mode VPCs are more expensive or have IP limitations, when in fact the key differentiator is control over subnet placement and CIDR range, not cost or capacity.

How to eliminate wrong answers

Option A is wrong because auto mode and custom mode VPCs have the same pricing model—there is no cost difference per subnet; both are free to create and use, with charges only for resources like NAT gateways or VPNs. Option C is wrong because auto mode VPCs can be used with GKE clusters; GKE supports both auto and custom mode VPCs, though custom mode is often preferred for more precise subnet control. Option D is wrong because both auto and custom mode VPCs support the same maximum number of IP addresses per subnet (the default limit is 256 IPs per subnet, which can be increased via quota request, but the mode does not affect this limit).

220
MCQeasy

A team needs to run a simple containerized script that processes a batch of files once per night and exits when done — no HTTP endpoint needed. Which GCP service is most appropriate?

A.Cloud Run Services with a timeout set to 24 hours
B.Cloud Run Jobs triggered by Cloud Scheduler
C.Cloud Functions with a 540-second maximum timeout
D.App Engine Standard with a background service
AnswerB

Cloud Run Jobs execute a containerized batch task to completion. Triggered by Cloud Scheduler, they run nightly, process the files, and exit — no HTTP server needed.

Why this answer

Cloud Run Jobs is the correct choice because it is designed for batch workloads that run to completion, with no requirement for an HTTP endpoint. It can handle long-running tasks (up to 24 hours) and can be triggered by Cloud Scheduler for nightly execution, making it ideal for processing files once per night.

Exam trap

Google Cloud often tests the distinction between Cloud Run Services (HTTP-driven, always-on) and Cloud Run Jobs (batch, run-to-completion), leading candidates to incorrectly choose Cloud Run Services for batch workloads due to familiarity with the 'Cloud Run' name.

How to eliminate wrong answers

Option A is wrong because Cloud Run Services are intended for HTTP-driven applications that must handle continuous requests; setting a 24-hour timeout is technically possible but misuses the service, as it is not designed for batch jobs that exit. Option C is wrong because Cloud Functions has a maximum timeout of 540 seconds (9 minutes), which is insufficient for a batch job that may run for hours processing files nightly. Option D is wrong because App Engine Standard with a background service is not designed for short-lived batch tasks; it is meant for long-running background processes within a web application, and it lacks native scheduling integration for one-off nightly jobs.

221
MCQmedium

An engineering team is deciding between App Engine Standard and App Engine Flexible for a Python API. The API has unpredictable traffic, must scale to zero when idle, runs standard Python code with no custom system packages, and requires < 1 second startup time. Which environment is most suitable?

A.App Engine Flexible — it supports Python with custom packages
B.App Engine Standard — it scales to zero, starts in sub-second, and supports standard Python runtimes
C.Both are equivalent — the difference is only in supported languages
D.Neither — use Cloud Run instead for Python APIs
AnswerB

App Engine Standard is designed exactly for this: scale-to-zero, fast cold starts, standard Python runtimes, and no custom system package requirements.

Why this answer

App Engine Standard is the correct choice because it automatically scales to zero instances during idle periods, starts new instances in under a second, and supports standard Python runtimes without custom system packages. The requirement for sub-second startup time and scaling to zero aligns perfectly with Standard's sandboxed, pre-loaded runtime environment, whereas Flexible environment has slower startup times due to VM provisioning and cannot scale to zero.

Exam trap

Google Cloud often tests the misconception that App Engine Flexible is more capable because it supports custom runtimes, leading candidates to overlook the critical requirements of scaling to zero and sub-second startup that only Standard satisfies.

How to eliminate wrong answers

Option A is wrong because App Engine Flexible does not scale to zero instances (it maintains at least one VM) and has startup times of several minutes, failing the <1 second requirement; custom packages are irrelevant since the API uses standard Python code. Option C is wrong because the environments differ significantly in scaling behavior, startup latency, and sandboxing — they are not equivalent. Option D is wrong because Cloud Run can scale to zero and start quickly, but App Engine Standard is equally suitable and is a first-class option for this use case; the question asks which environment is most suitable, and Standard directly meets all criteria without requiring a different service.

222
MCQmedium

You notice that your Cloud SQL for PostgreSQL instance's `pg_stat_activity` shows many connections in `idle in transaction` state, and the connection count is near the max_connections limit. Application threads are blocked waiting for connections. What is the most effective solution to manage database connections for a GKE-hosted application?

A.Increase `max_connections` in the Cloud SQL PostgreSQL instance flags.
B.Deploy PgBouncer as a sidecar or deployment to pool connections to Cloud SQL in transaction mode.
C.Switch from Cloud SQL to Cloud Spanner, which has no connection limits.
D.Restart the Cloud SQL instance to clear idle connections.
AnswerB

PgBouncer in transaction pooling mode multiplexes many application connections onto fewer database connections, eliminating idle-in-transaction waste and staying well below max_connections.

Why this answer

PgBouncer is a lightweight connection pooler that can be deployed as a sidecar or separate deployment in GKE to manage connections to Cloud SQL for PostgreSQL. By operating in transaction mode, it holds database connections only for the duration of a transaction, not for the entire client session, which drastically reduces the number of concurrent connections to the database. This directly addresses the `idle in transaction` connections and the near-max_connections issue without requiring application code changes.

Exam trap

Google Cloud often tests the misconception that simply increasing `max_connections` is a safe scaling solution, when in fact it can lead to resource exhaustion and does not address the underlying idle connection problem.

How to eliminate wrong answers

Option A is wrong because increasing `max_connections` only raises the hard limit without solving the root cause of idle connections; it can also degrade database performance due to increased context switching and memory overhead. Option C is wrong because Cloud Spanner is a globally distributed, horizontally scalable database with a different API and consistency model, not a drop-in replacement for PostgreSQL, and it still has connection limits (though higher). Option D is wrong because restarting the instance is a disruptive, temporary fix that kills all connections but does not prevent idle connections from reaccumulating, and it causes downtime for the application.

223
MCQhard

A company runs a batch job on Compute Engine that processes large files from Cloud Storage. The job is taking longer than expected. The instances are using standard persistent disks. Which change would most likely improve I/O performance?

A.Use regional persistent disks instead of zonal.
B.Increase the machine type to have more vCPUs.
C.Add local SSDs to the instances.
D.Replace standard persistent disks with SSD persistent disks.
AnswerD

SSD persistent disks offer better I/O performance.

Why this answer

Standard persistent disks (pd-standard) are backed by HDDs and have lower IOPS and throughput compared to SSD persistent disks (pd-ssd). Since the batch job processes large files from Cloud Storage, the bottleneck is likely disk I/O performance. Upgrading to SSD persistent disks provides higher IOPS and throughput, directly improving I/O performance for read/write operations.

Exam trap

Google Cloud often tests the distinction between persistent disk types (standard vs. SSD) and disk replication options (zonal vs. regional), leading candidates to mistakenly choose regional disks for performance instead of durability.

How to eliminate wrong answers

Option A is wrong because regional persistent disks provide synchronous replication across two zones for durability, not higher I/O performance; they have the same performance characteristics as zonal persistent disks. Option B is wrong because increasing vCPUs does not improve disk I/O performance; the bottleneck is the disk subsystem, not CPU capacity. Option C is wrong because local SSDs provide high IOPS but are ephemeral and cannot be used for persistent data; the job processes files from Cloud Storage, which requires persistent storage for the batch job's working data.

224
MCQmedium

You have a Kubernetes Deployment running 5 replicas. You need to update the container image with zero downtime, ensuring that at least 4 replicas are always available during the update, and no more than 6 replicas exist at any time. Which Deployment strategy and settings achieve this?

A.Recreate strategy with `minReadySeconds: 30`.
B.RollingUpdate with `maxUnavailable: 1` and `maxSurge: 1`.
C.RollingUpdate with `maxUnavailable: 0` and `maxSurge: 2`.
D.RollingUpdate with `maxUnavailable: 2` and `maxSurge: 1`.
AnswerB

maxUnavailable: 1 means at least 4 pods remain available. maxSurge: 1 means at most 6 pods exist simultaneously. This matches both constraints exactly.

Why this answer

Option B is correct because a RollingUpdate strategy with `maxUnavailable: 1` and `maxSurge: 1` ensures that during the update, at most one replica is taken down (so at least 4 remain available) and at most one extra replica is created above the desired 5 (so no more than 6 exist at any time). This satisfies both constraints while achieving zero downtime.

Exam trap

Google Cloud often tests the interaction between `maxSurge` and `maxUnavailable` by presenting values that seem reasonable but violate the given constraints, and the trap here is assuming that a higher surge or higher unavailable count is safe without calculating the resulting minimum available and maximum total replicas.

How to eliminate wrong answers

Option A is wrong because the Recreate strategy terminates all existing pods before creating new ones, causing downtime and violating the requirement of at least 4 replicas always available. Option C is wrong because `maxSurge: 2` allows up to 7 replicas (5 desired + 2 surge), exceeding the limit of 6 replicas at any time. Option D is wrong because `maxUnavailable: 2` allows up to 2 replicas to be unavailable, which could drop the available count to 3, violating the requirement of at least 4 replicas always available.

225
Multi-Selectmedium

Which THREE steps are part of deploying a containerized application to Google Kubernetes Engine (GKE) using a CI/CD pipeline? (Choose three.)

Select 3 answers
A.Configure Cloud NAT for the cluster
B.Create a Compute Engine instance for the pipeline
C.Apply a Deployment manifest to the cluster
D.Create an instance template for the node pool
E.Push the image to Container Registry
F.Build a Docker image from source code
AnswersC, E

The manifest defines the desired state of the application.

Why this answer

A typical CI/CD pipeline for GKE includes: building a container image, pushing it to Container Registry, and applying a Kubernetes manifest to deploy. Option B (create a Compute Engine instance) is not part of GKE deployment; Option C (create an instance template) is for MIGs. Option E (set up Cloud NAT) is for outbound networking, not deployment.

So A, D, and F are correct.
