Google Associate Cloud Engineer (ACE) — Questions 301–375

500 questions total · 7 pages · All types, answers revealed

Page 5 of 7
301
Multi-Select · easy

A developer wants to configure a firewall rule to allow HTTP traffic from the internet to a specific Compute Engine instance tagged 'web-server'. Which TWO conditions must be true? (Choose two.)

Select 2 answers
A. The instance must have a public IP address
B. The firewall rule must be of type ingress
C. The firewall rule must be applied to the VPC network
D. The firewall rule must have a target tag of 'web-server'
E. The firewall rule must specify the source IP range 0.0.0.0/0
Answers: B, D

Incoming traffic requires an ingress rule.

Why this answer

Option B is correct because an ingress firewall rule controls incoming traffic to instances. Since the developer wants to allow HTTP traffic from the internet to reach the instance, the rule must be of type ingress to permit inbound connections on port 80.

Exam trap

Google Cloud often tests the misconception that a public IP address is required for internet traffic, but in Google Cloud, traffic can reach instances via Cloud NAT or load balancers without a public IP, and the firewall rule only needs to allow the traffic, not require the instance to have a public IP.

302
MCQ · hard

A DevOps engineer created a Compute Engine instance with a startup script that installs Apache and configures a website. The startup script runs a command that requires a service account with roles/storage.objectViewer to download assets from Cloud Storage. The instance is created with the default compute service account. The startup script fails. Upon inspection, the engineer finds that the service account cannot download the assets. What is the most likely cause?

A. The OAuth scopes on the instance do not include https://www.googleapis.com/auth/devstorage.read_only.
B. A firewall rule is blocking the startup script from reaching the Cloud Storage API.
C. The startup script is not running as the service account.
D. The service account lacks the IAM role roles/storage.objectViewer on the bucket.
Answer: D

The default Compute Engine service account has the project Editor role, but that may not include specific bucket permissions if bucket-level IAM is used. Explicitly granting the objectViewer role is required.

Why this answer

Option D is correct because the default compute service account does not have storage.objectViewer by default; it must be granted. Option B is wrong because firewall rules don't affect API calls. Option A is wrong because the default compute service account typically has project editor, which includes storage.admin, so it's not a scope issue.

Option C is wrong because OAuth scopes only affect user credentials, not service accounts.

303
MCQ · hard

A company is extending its on-premises network to Google Cloud using a Cloud VPN tunnel with dynamic routing (BGP). They have set up a Cloud Router in the VPN region. Which additional step is required for the Cloud Router to exchange routes with the on-premises router?

A. Create a static route for the on-premises network on the VPC
B. Configure a BGP session on the Cloud Router with the on-premises router's ASN and IP address
C. Assign an external IP address to the Cloud Router
D. Enable the IP forwarding feature on the VPN gateway
Answer: B

A BGP session is required to exchange routes. Cloud Router does not automatically peer without configuration.

Why this answer

For a Cloud VPN with dynamic routing (BGP), the Cloud Router must have a BGP session configured with the on-premises router. This session requires the on-premises router's ASN and its BGP peer IP address to exchange routes. Without this explicit BGP session configuration, the Cloud Router cannot establish a peering relationship or advertise/learn routes dynamically.

Exam trap

The trap here is that candidates often think Cloud Routers need an external IP (Option C) because they confuse Cloud Router with a physical router, but Cloud Routers are software-defined and communicate over the VPN tunnel using internal IPs.

How to eliminate wrong answers

Option A is wrong because creating a static route for the on-premises network on the VPC is unnecessary when using dynamic routing (BGP); BGP automatically exchanges routes, and static routes would conflict or be redundant. Option C is wrong because Cloud Routers do not require an external IP address; they operate within the VPC and communicate with the on-premises router via the VPN tunnel's internal IP addresses. Option D is wrong because IP forwarding is a VM-level setting (for instances acting as routers) and is not relevant to a Cloud VPN gateway; the VPN gateway inherently forwards traffic based on the routing table and BGP-learned routes.

304
MCQ · hard

A Cloud Build pipeline builds a container image and pushes it to Artifact Registry. The next step needs to deploy the image to Cloud Run. The pipeline runs as the Cloud Build service account. What minimum permission does the Cloud Build SA need for the deployment step?

A. `roles/run.admin` only.
B. `roles/run.admin` and `roles/iam.serviceAccountUser` on the Cloud Run runtime service account.
C. `roles/owner` to ensure all necessary permissions are covered.
D. `roles/cloudbuild.builds.editor` on the Cloud Run project.
Answer: B

run.admin manages Cloud Run services. iam.serviceAccountUser (which grants `iam.serviceAccounts.actAs`) allows the Cloud Build SA to configure which SA Cloud Run runs as — both are required.

Why this answer

The Cloud Build service account needs `roles/run.admin` to deploy services to Cloud Run, but it also requires `roles/iam.serviceAccountUser` on the Cloud Run runtime service account (the identity the Cloud Run service runs as) because the deployment step impersonates that runtime service account to create or update the service. Without the `iam.serviceAccountUser` permission, the deployment fails with a permission denied error, even if the Cloud Build SA has full Cloud Run admin rights.

Exam trap

Google Cloud often tests the nuance that deploying to Cloud Run requires not just Cloud Run permissions but also the ability to impersonate the runtime service account, leading candidates to incorrectly choose `roles/run.admin` alone.

How to eliminate wrong answers

Option A is wrong because `roles/run.admin` alone does not grant the Cloud Build service account the ability to impersonate the Cloud Run runtime service account; the `iam.serviceAccountUser` role is required on that runtime service account for the deployment to succeed. Option C is wrong because `roles/owner` is overly permissive and violates the principle of least privilege; the minimum permissions are `roles/run.admin` and `roles/iam.serviceAccountUser` on the runtime service account, not full project ownership. Option D is wrong because `roles/cloudbuild.builds.editor` only allows managing Cloud Build builds, not deploying to Cloud Run; it does not include any Cloud Run or IAM impersonation permissions.

305
Multi-Select · easy

A company is implementing cost optimization for their Google Cloud resources. Which two practices are recommended? (Choose two.)

Select 2 answers
A. Keep all resources in a single region to avoid data transfer costs.
B. Always use premium-tier networking for all traffic.
C. Use committed use discounts for predictable workloads.
D. Use preemptible VMs for all batch jobs irrespective of fault tolerance.
E. Delete unused static external IP addresses.
Answers: C, E

CUDs provide significant discounts for stable usage.

Why this answer

Committed use discounts (CUDs) are recommended for cost optimization because they provide significant discounts (up to 70% for vCPUs and memory) in exchange for a commitment to use a minimum level of resources (e.g., 1-year or 3-year term) for predictable workloads. This aligns costs with actual usage patterns, reducing waste from on-demand pricing. Deleting unused static external IP addresses is also recommended because each static IP incurs a small hourly charge (e.g., $0.005/hour for a regional IP) even when not attached to a resource, so removing them eliminates unnecessary costs.

Exam trap

The trap here is that candidates often assume 'single region' avoids all data transfer costs (ignoring cross-zone charges) or that preemptible VMs are safe for any batch job, but the ACE exam tests the nuance that preemptible VMs require fault tolerance and that static IPs have ongoing costs even when idle.

306
MCQ · medium

A startup is building a web application using Cloud Run. They want to deploy multiple independent services that can communicate with each other internally, but each service should be deployed and scaled independently. Which deployment strategy should they use?

A. Create multiple Cloud Run services and use internal endpoints for communication
B. Deploy the application to App Engine Standard Environment
C. Use a single GKE cluster with multiple deployments and services
D. Deploy a single Cloud Run service with multiple containers
Answer: A

Each Cloud Run service is independent and can communicate via internal URLs.

Why this answer

Cloud Run natively supports deploying multiple independent services, each with its own URL and scaling configuration. Internal communication between these services can be achieved using Cloud Run's built-in internal endpoints (e.g., using the `run.app` domain with internal traffic routing), which avoids exposing services to the public internet. This approach allows each service to scale independently based on its own request load, meeting the startup's requirement for independent deployment and scaling.

Exam trap

Google Cloud often tests the misconception that Cloud Run supports multiple containers per service (like a pod in Kubernetes), but Cloud Run services are single-container per revision, and multiple containers require separate services or a different platform like Cloud Run for Anthos.

How to eliminate wrong answers

Option B is wrong because App Engine Standard Environment is a fully managed platform that deploys a single application as a monolithic service; it does not natively support deploying multiple independent services that scale independently within the same project without using additional modules or services, which adds complexity and does not match the requirement for independent scaling. Option C is wrong because using a single GKE cluster with multiple deployments and services introduces the overhead of managing a Kubernetes cluster (node pools, networking, etc.) and is overkill for a simple web application; Cloud Run abstracts away cluster management entirely, making it a simpler and more cost-effective choice for independent services. Option D is wrong because a single Cloud Run service can only run one container per revision; multiple containers within a single service would share the same scaling behavior and cannot be deployed or scaled independently, which directly contradicts the requirement.

307
Matching · medium

Match each IAM role to its typical access level.


Concepts
Matches

Read-only access to resources

Read and modify resources

Full access including IAM management

Read access to browse the hierarchy

Read access to IAM policies

Why these pairings

IAM roles define permissions in GCP.

308
MCQ · medium

A company is deploying a public-facing web application on Compute Engine behind a global HTTP(S) Load Balancer. The company wants to protect the application from common web attacks, such as SQL injection and cross-site scripting (XSS). Which Google Cloud security service should they enable?

A. VPC Service Controls
B. Cloud Armor
C. Cloud IDS
D. Identity and Access Management (IAM)
Answer: B

Cloud Armor offers WAF rules to mitigate web attacks like SQL injection and XSS.

Why this answer

Option B is correct because Cloud Armor provides web application firewall (WAF) capabilities to protect against OWASP Top 10 attacks. Option D is wrong because IAM controls access to resources, not web attacks. Option C is wrong because Cloud IDS is for network-based threat detection.

Option A is wrong because VPC Service Controls prevent data exfiltration but do not filter HTTP traffic.

309
MCQ · medium

A DevOps engineer creates a service account for a CI/CD pipeline. The pipeline needs to push container images to Artifact Registry. Which role grants the minimum required permission?

A. Artifact Registry Administrator
B. Artifact Registry Writer
C. Storage Object Creator on the underlying Cloud Storage bucket
D. Artifact Registry Reader
Answer: B

Artifact Registry Writer grants the minimum permissions to push (write) artifacts to existing Artifact Registry repositories — the appropriate role for CI/CD pipelines.

Why this answer

Option B is correct because the Artifact Registry Writer role provides the minimal permissions needed to push container images to Artifact Registry, specifically the `artifactregistry.writer` permission. This role allows writing artifacts without granting broader administrative or read-only access, aligning with the principle of least privilege.

Exam trap

Google Cloud often tests the misconception that Artifact Registry is just a wrapper around Cloud Storage, leading candidates to choose Storage Object Creator, but in reality, Artifact Registry uses its own IAM roles and does not expose the underlying bucket for direct permission assignment.

How to eliminate wrong answers

Option A is wrong because Artifact Registry Administrator grants full control over all Artifact Registry resources, including deletion and permission management, which is excessive for a CI/CD pipeline that only needs to push images. Option C is wrong because Artifact Registry does not expose its underlying Cloud Storage bucket directly; permissions must be managed through Artifact Registry roles, not Storage Object Creator, which would not work due to the service's abstraction layer. Option D is wrong because Artifact Registry Reader only allows reading and listing artifacts, not writing or pushing new images.

310
Multi-Select · medium

You are configuring a VPC with multiple subnets. You need to allow traffic from the internet to a specific instance on port 80, but only if the traffic originates from a set of known IP addresses. Which three resources must be configured? (Choose three.)

Select 3 answers
A. A load balancer with Cloud Armor.
B. A route to the internet gateway.
C. A reserved external IP address for the instance.
D. A Cloud Router.
E. A firewall rule allowing ingress from the IP range to the instance on port 80.
Answers: A, C, E

Cloud Armor can provide IP whitelisting and DDoS protection at the load balancer.

Why this answer

Option A is correct because Cloud Armor is a web application firewall that can be attached to a load balancer to allow or deny traffic based on IP address ranges. This enables you to restrict inbound HTTP traffic on port 80 to only the known IP addresses, while the load balancer distributes traffic to the instance. Without Cloud Armor, a load balancer alone cannot filter by source IP; it relies on backend firewall rules or Cloud Armor policies for such granular access control.

Exam trap

Google Cloud often tests the misconception that a route to the internet gateway alone is sufficient to control inbound traffic, but routes only define the path, not the access policy; you must explicitly configure firewall rules or Cloud Armor to restrict source IPs.

311
MCQ · easy

A small business is deploying a web application on Compute Engine and wants to ensure high availability. They have set up two instances in different zones behind a TCP load balancer. What should they also configure to detect and route traffic away from unhealthy instances?

A. Configure a health check on the load balancer.
B. Set a firewall rule to allow traffic only on port 80.
C. Use a global HTTP(S) load balancer instead.
D. Create a snapshot schedule for the persistent disks.
Answer: A

Health checks allow the load balancer to stop sending traffic to unhealthy instances.

Why this answer

A health check is required for the TCP load balancer to monitor the backend instances. It periodically probes the instances on a specified port and path, marking them as unhealthy if they fail to respond. The load balancer then stops routing new traffic to unhealthy instances, ensuring high availability by directing traffic only to healthy backends.

Exam trap

The trap here is that candidates often confuse health checks with firewall rules or backup strategies, thinking that allowing traffic or creating snapshots ensures availability, but only health checks provide the active monitoring needed to detect and route around failures.

How to eliminate wrong answers

Option B is wrong because a firewall rule allowing only port 80 controls network access but does not detect instance health or influence load balancer routing decisions. Option C is wrong because a global HTTP(S) load balancer is designed for HTTP/HTTPS traffic and cannot be used with a TCP load balancer; the question specifies a TCP load balancer, which requires a TCP health check. Option D is wrong because snapshot schedules are for backup and disaster recovery of persistent disks, not for real-time health detection or traffic routing.

312
MCQ · medium

You need to tag all Compute Engine VMs in your organization with a `cost-center` tag for billing allocation reports. The tag values must be controlled centrally — only predefined values should be allowed. Which GCP feature enables this?

A. Use Compute Engine labels — configure label keys and restrict values using an org policy.
B. Create Resource Manager Tag keys and values at the org level, then attach tags to VMs.
C. Use network tags on VMs and enforce allowed values via a custom org policy constraint.
D. Require teams to apply specific label values using a Terraform module, and enforce this via code review.
Answer: B

Resource Manager Tags support centrally defined, version-controlled tag keys and enumerated values. IAM roles (tagUser, tagAdmin) control who can create values vs. who can apply tags. Tags integrate with billing reports.

Why this answer

Resource Manager Tags (formerly 'tags' in the Resource Manager API) allow you to create tag keys and predefined tag values at the organization level, then attach those tags to resources like Compute Engine VMs. This ensures that only centrally controlled values can be used, meeting the requirement for controlled billing allocation. Labels, by contrast, are free-form key-value pairs and cannot have their values restricted natively by an org policy.

Exam trap

Google Cloud often tests the distinction between labels (free-form, no value restriction) and Resource Manager Tags (centrally controlled, predefined values), leading candidates to mistakenly choose labels because they are more commonly used for metadata.

How to eliminate wrong answers

Option A is wrong because Compute Engine labels are free-form key-value pairs; while you can use an org policy to restrict label keys, you cannot natively restrict label values to a predefined set using an org policy alone. Option C is wrong because network tags are used for firewall rules and networking, not for billing or resource metadata, and there is no native org policy constraint to enforce allowed values on network tags. Option D is wrong because relying on a Terraform module and code review does not provide a centrally enforced, programmatic control mechanism; it depends on human compliance and can be bypassed.

313
MCQ · easy

A batch data processing job runs nightly for 4 hours and can tolerate interruption because it saves progress checkpoints every 15 minutes. Which VM option offers the greatest cost reduction?

A. Custom machine type VM with reduced memory
B. Spot VM
C. Sole-tenant node VM
D. Shielded VM
Answer: B

Spot VMs are available at up to 91% discount and are ideal for batch workloads that tolerate interruption and implement checkpointing.

Why this answer

Spot VMs offer significant cost reduction (up to 60-91% discount) compared to standard VMs, making them ideal for fault-tolerant, interruptible batch workloads. Since the job saves checkpoints every 15 minutes, it can resume from the last checkpoint if preempted, fully leveraging the cost benefit of Spot VMs.

Exam trap

Google Cloud often tests the misconception that custom machine types or sole-tenant nodes are cost-saving options, but the trap here is that Spot VMs are the only option that directly leverages preemptible pricing for interruptible workloads, while other options either increase cost or provide no cost benefit.

How to eliminate wrong answers

Option A is wrong because reducing memory on a custom machine type does not provide the same magnitude of cost savings as Spot VMs, and the question specifically asks for the greatest cost reduction. Option C is wrong because sole-tenant nodes are designed for dedicated hardware compliance or licensing requirements, and they are more expensive than standard VMs, offering no cost reduction. Option D is wrong because Shielded VMs provide security features (secure boot, vTPM, integrity monitoring) but do not reduce cost; they may even add a slight premium.

314
MCQ · easy

You want to ensure that all Cloud Storage buckets in your organization require customer-managed encryption keys (CMEK). What is the most efficient way to enforce this?

A. Use Cloud Audit Logs to monitor for non-compliant buckets.
B. Create an Organization Policy with constraint 'storage.requireCustomerManagedEncryption'.
C. Use a service account to encrypt all objects with CMEK.
D. Set a bucket policy on each bucket to require CMEK.
Answer: B

Organization Policy can enforce CMEK requirement on all buckets in the organization.

Why this answer

Option B is correct because the Organization Policy constraint 'storage.requireCustomerManagedEncryption' is a centralized, scalable way to enforce CMEK across all Cloud Storage buckets in the organization. This policy is applied at the organization or folder level and automatically prevents the creation of new buckets without CMEK, while also blocking updates to existing non-compliant buckets. It is the most efficient method as it requires no per-bucket configuration or ongoing monitoring.

Exam trap

Google Cloud often tests the distinction between monitoring (Audit Logs) and enforcement (Organization Policies), and the trap here is that candidates may think monitoring is sufficient for compliance, when in fact only a proactive policy constraint can prevent non-compliant resources from being created.

How to eliminate wrong answers

Option A is wrong because Cloud Audit Logs only provide post-hoc visibility into bucket creation and configuration changes; they do not enforce or prevent non-compliant buckets from being created. Option C is wrong because using a service account to encrypt objects with CMEK does not enforce the requirement at the bucket level—objects can still be uploaded with Google-managed encryption keys if the service account is not used, and it does not prevent creation of buckets without CMEK. Option D is wrong because setting a bucket policy on each bucket is not scalable and does not prevent the creation of new buckets without CMEK; it also requires manual or scripted application to every existing and future bucket, which is inefficient and error-prone.

315
MCQ · medium

Two GCP projects, A and B, have VPC peering configured. Project A is peered with B, and Project B is peered with Project C. Can VMs in Project A reach VMs in Project C through Project B?

A. Yes — VPC peering automatically enables transitive routing through intermediate peered networks
B. No — VPC peering is non-transitive; A and C must be directly peered to communicate
C. Yes — if Project B has IP forwarding enabled, it acts as a router between A and C
D. It depends on the firewall rules in Project B's VPC
Answer: B

VPC peering in GCP does not support transitive routing. Project A's peering with B gives A access to B's VPC only — not to networks B is peered with (like C).

Why this answer

Option B is correct because VPC peering in Google Cloud is non-transitive. This means that if Project A is peered with Project B and Project B is peered with Project C, traffic from Project A cannot flow through Project B to reach Project C. Each peering connection is a direct, point-to-point link, and there is no routing of traffic across multiple peered networks unless explicitly configured with a separate mechanism like a VPN or a third-party appliance.

Therefore, VMs in Project A and Project C must be directly peered to communicate.

Exam trap

Google Cloud often tests the misconception that VPC peering behaves like a traditional router or switch, where traffic can be forwarded through intermediate networks, but in Google Cloud, VPC peering is strictly non-transitive, and candidates must remember that direct peering is required for communication between non-adjacent VPCs.

How to eliminate wrong answers

Option A is wrong because VPC peering does not automatically enable transitive routing; it is explicitly non-transitive by design in Google Cloud, and traffic cannot hop through an intermediate peered network. Option C is wrong because IP forwarding on instances in Project B does not enable transitive routing across VPC peering; IP forwarding is used for instances acting as routers or NAT gateways, but VPC peering itself does not support transitive routing regardless of IP forwarding settings. Option D is wrong because the issue is not about firewall rules; even if firewall rules in Project B allow all traffic, the fundamental non-transitive nature of VPC peering prevents communication between A and C through B.

316
MCQ · medium

A cost-conscious team notices their GKE cluster's node pools have consistently high memory utilization (>90%) while CPU remains at 30%. Pods are occasionally OOMKilled. What should they do to balance resource efficiency and stability?

A. Switch node pool machine type to a memory-optimized series (e.g., m2-ultramem) and ensure Pod memory requests are accurate
B. Increase CPU limits for all Pods to use the available CPU capacity
C. Enable vertical pod autoscaling (VPA) set to Recreate mode as the only change
D. Reduce the number of replica Pods to lower memory consumption
Answer: A

Memory-optimized machine types provide more RAM per vCPU, directly addressing the memory bottleneck. Accurate Pod requests let the scheduler pack Pods efficiently and let the autoscaler add the right type of capacity.

Why this answer

Option A is correct because the team has a memory-bound workload (high memory utilization, low CPU, OOMKills). Switching to a memory-optimized machine series (e.g., m2-ultramem) provides a higher memory-to-CPU ratio, directly addressing the memory pressure. Ensuring accurate Pod memory requests allows the scheduler to place Pods efficiently and prevents overcommitment, balancing resource efficiency with stability.

Exam trap

Google Cloud often tests the misconception that vertical scaling (VPA) alone can fix memory pressure without considering the node's physical resource ratio, leading candidates to pick Option C and overlook the need for a memory-optimized machine type.

How to eliminate wrong answers

Option B is wrong because increasing CPU limits does not address memory pressure or OOMKills; it wastes CPU capacity that is already underutilized and may cause unnecessary throttling or scheduling inefficiencies. Option C is wrong because enabling VPA in Recreate mode as the only change will adjust CPU and memory requests based on historical usage, but it does not change the underlying machine type's memory-to-CPU ratio; the node pool may still lack sufficient memory capacity, leading to continued OOMKills or failed VPA recommendations. Option D is wrong because reducing replica Pods lowers overall memory consumption but also reduces application throughput and availability; it does not fix the root cause of memory inefficiency per Pod and may violate stability or SLA requirements.

317
MCQ · easy

A developer runs `gcloud projects list` and receives the error: `ERROR: (gcloud.projects.list) PERMISSION_DENIED: The caller does not have permission`. The developer has the Viewer role on several projects. What is the most likely cause?

A. The developer does not have multi-factor authentication enabled.
B. The developer lacks `resourcemanager.projects.list` at the organization or folder level.
C. The gcloud SDK is outdated and must be updated.
D. The developer's account has been suspended by the billing administrator.
Answer: B

Project Viewer only grants permissions within the project. Listing all projects requires the permission at a higher hierarchy level.

Why this answer

The `gcloud projects list` command requires the `resourcemanager.projects.list` permission, which is granted at the organization or folder level, not at the individual project level. Even with the Viewer role on several projects, the developer lacks this specific permission at the resource hierarchy level above the projects, causing the PERMISSION_DENIED error.

Exam trap

Google Cloud often tests the misconception that project-level roles like Viewer are sufficient for listing projects, when in reality the `resourcemanager.projects.list` permission must be granted at a higher level in the resource hierarchy.

How to eliminate wrong answers

Option A is wrong because multi-factor authentication (MFA) is an account security feature that does not affect API permissions or gcloud command authorization; it is unrelated to IAM permission errors. Option C is wrong because an outdated gcloud SDK would typically cause version mismatch errors or deprecation warnings, not a PERMISSION_DENIED error, which is an IAM authorization issue. Option D is wrong because a suspended account would result in an authentication error (e.g., 'Account is disabled') or a billing-related error, not a permission denied error for a specific API call.

318
MCQ · easy

A company is using Cloud Run for a stateless application. The application sometimes fails with HTTP 503 errors when traffic spikes. Which action should the team take to improve reliability?

A. Configure a liveness probe with a higher initial delay.
B. Increase the maximum number of container instances.
C. Use Cloud Functions instead of Cloud Run.
D. Enable HTTP load balancing with Cloud CDN.
Answer: B

Increasing the max instances allows more concurrent requests, reducing 503s.

Why this answer

HTTP 503 errors during traffic spikes indicate that Cloud Run is scaling out but hitting the maximum number of container instances limit, causing new requests to be rejected. Increasing the maximum number of container instances allows Cloud Run to spin up more concurrent containers to handle the burst, directly improving reliability under load.

Exam trap

The trap here is that candidates confuse liveness probes (which check container health) with scaling mechanisms, or assume that adding a CDN or switching to Cloud Functions will magically absorb traffic spikes, when the root cause is simply hitting the instance cap.

How to eliminate wrong answers

Option A is wrong because a liveness probe with a higher initial delay only affects when the container is considered healthy after startup; it does not address capacity limits during traffic spikes. Option C is wrong because Cloud Functions has similar or stricter concurrency and scaling limits, and switching to it would not inherently solve capacity-related 503 errors. Option D is wrong because HTTP load balancing with Cloud CDN caches static content but does not increase the backend's ability to handle more concurrent requests; the 503 originates from Cloud Run's instance cap, not from network-level congestion.

319
MCQ · medium

A team wants to automatically restart any GKE Pod that fails a liveness probe three consecutive times. The probe should check HTTP GET /healthz on port 8080, starting after 30 seconds and checking every 10 seconds. Which Pod spec configuration implements this?

A.readinessProbe: httpGet: path: /healthz port: 8080 initialDelaySeconds: 30 periodSeconds: 10 failureThreshold: 3
B.livenessProbe: httpGet: path: /healthz port: 8080 initialDelaySeconds: 30 periodSeconds: 10 failureThreshold: 3
C.startupProbe: httpGet: path: /healthz port: 8080 failureThreshold: 3
D.lifecycle: postStart: httpGet: path: /healthz port: 8080
AnswerB

livenessProbe with the correct httpGet, timing, and failureThreshold configuration will restart the container after 3 consecutive failures — exactly the described behavior.

Why this answer

Option B is correct because a livenessProbe with an HTTP GET on /healthz at port 8080, configured with initialDelaySeconds: 30, periodSeconds: 10, and failureThreshold: 3, will cause the kubelet to restart the Pod after three consecutive failed checks. This directly matches the requirement to restart on liveness probe failures, as liveness probes are specifically designed to determine if a container should be restarted.

Exam trap

Google Cloud often tests the distinction between readinessProbe and livenessProbe, trapping candidates who confuse 'restart on failure' with 'stop sending traffic on failure'.

How to eliminate wrong answers

Option A is wrong because it uses a readinessProbe, which only controls whether the Pod receives traffic from Services, not whether the container is restarted; readiness probes do not trigger restarts on failure. Option C is wrong because a startupProbe is used to delay other probes until the application has started, and it does not cause restarts after the initial startup phase; it also lacks the required initialDelaySeconds and periodSeconds. Option D is wrong because lifecycle hooks like postStart execute a command or HTTP request once after container creation, not as a recurring health check, and they cannot be configured with failure thresholds or periodic checks.

320
MCQeasy

You need to deploy a new version of an App Engine standard environment application. The new version should receive 10% of traffic while the current version continues to receive 90%. Which command achieves this?

A.`gcloud app deploy --version=v2 --no-promote`
B.`gcloud app services set-traffic default --splits v1=0.9,v2=0.1`
C.`gcloud app versions migrate v2`
D.`gcloud app deploy --version=v2 --promote --stop-previous-version`
AnswerB

This command splits traffic between v1 (90%) and v2 (10%) for the default service — precisely the canary deployment pattern required.

Why this answer

Option B is correct because the `gcloud app services set-traffic` command explicitly splits traffic between versions of an App Engine service. By specifying `--splits v1=0.9,v2=0.1`, you direct 90% of requests to version v1 and 10% to version v2, without deploying a new version or promoting it. This is the standard method for gradual traffic migration in App Engine standard environment.

Exam trap

Google Cloud often tests the distinction between deploying a version (`deploy`), migrating all traffic (`migrate`), and splitting traffic (`set-traffic`), so the trap here is that candidates confuse `--no-promote` with traffic splitting, thinking it allocates a percentage of traffic when it actually just deploys without routing any traffic to the new version.

How to eliminate wrong answers

Option A is wrong because `gcloud app deploy --version=v2 --no-promote` deploys version v2 but does not split traffic; it leaves all traffic on the default version (v1), so v2 receives 0% of traffic. Option C is wrong because `gcloud app versions migrate v2` migrates all traffic to version v2 (100%), not a 10% split. Option D is wrong because `gcloud app deploy --version=v2 --promote --stop-previous-version` deploys v2, promotes it to receive all traffic, and stops the previous version, resulting in 100% traffic to v2, not a 10/90 split.

321
MCQmedium

A team needs a GKE cluster named 'prod-cluster' in the us-central1 region with cluster autoscaling enabled, scaling between 3 and 10 nodes. Which command achieves this?

A.gcloud container clusters create prod-cluster --region=us-central1 --num-nodes=3 --enable-autoscaling --min-nodes=3 --max-nodes=10
B.gcloud kubernetes clusters create prod-cluster --location=us-central1 --autoscale=3:10
C.gcloud container cluster create prod-cluster --zone=us-central1 --scaling=3-10
D.kubectl create cluster prod-cluster --region=us-central1 --autoscale --min=3 --max=10
AnswerA

This command creates a regional GKE cluster with the node autoscaler configured to scale between 3 and 10 nodes. `--region` creates a regional (multi-zone) cluster.

Why this answer

Option A is correct because it uses the `gcloud container clusters create` command with the `--enable-autoscaling` flag, which enables cluster autoscaler for the GKE cluster. The `--min-nodes=3` and `--max-nodes=10` flags define the scaling range, while `--num-nodes=3` sets the initial node count, ensuring the cluster starts with 3 nodes and can scale up to 10 as needed. The `--region=us-central1` specifies a regional cluster, which is appropriate for production workloads requiring high availability across zones.

Exam trap

Google Cloud often tests the distinction between `gcloud container clusters` (correct for GKE) and `gcloud kubernetes clusters` (invalid), as well as the requirement to use `--enable-autoscaling` with separate `--min-nodes` and `--max-nodes` flags instead of shorthand syntax like `--autoscale=3:10`.

How to eliminate wrong answers

Option B is wrong because `gcloud kubernetes clusters create` is not a valid gcloud command; the correct command uses `gcloud container clusters create`. Additionally, `--autoscale=3:10` is not a valid flag; the correct flags are `--enable-autoscaling`, `--min-nodes`, and `--max-nodes`. Option C is wrong because `--zone=us-central1` is invalid since us-central1 is a region, not a zone; a zone would be like `us-central1-a`. Also, `--scaling=3-10` is not a valid gcloud flag; the correct syntax uses `--enable-autoscaling` with separate min and max flags. Option D is wrong because `kubectl create cluster` is not a valid kubectl command; kubectl is used to manage Kubernetes resources, not to create GKE clusters. Additionally, `--autoscale`, `--min`, and `--max` are not kubectl flags for cluster creation.

322
MCQeasy

A startup wants to host a static website (HTML, CSS, JS) globally with minimal latency and high availability. They expect low traffic initially but want to scale seamlessly. Which solution is most cost-effective and simple?

A.Compute Engine with nginx
B.App Engine standard environment
C.Cloud Functions with HTTP triggers
D.Cloud Storage bucket with Cloud CDN enabled
AnswerD

Static website hosting from a bucket is simple, and CDN provides global low latency.

Why this answer

A Cloud Storage bucket with Cloud CDN enabled is the most cost-effective and simple solution for hosting a static website globally with minimal latency. Cloud Storage natively serves static content (HTML, CSS, JS) without provisioning servers, and Cloud CDN caches content at edge locations worldwide, reducing latency. It scales seamlessly from zero traffic to high demand without manual intervention, and costs are based only on storage and egress, making it ideal for low-traffic startups.

Exam trap

Google Cloud often tests the misconception that static websites require a compute layer (like App Engine or Compute Engine) to serve files, when in fact Cloud Storage with CDN is the simplest and most cost-effective serverless option for static content.

How to eliminate wrong answers

Option A is wrong because Compute Engine with nginx requires managing a virtual machine, which adds operational overhead and cost for idle resources, and does not provide global edge caching without additional configuration. Option B is wrong because App Engine standard environment is designed for dynamic web applications with server-side code, not purely static sites, and incurs costs for always-on instances even at low traffic. Option C is wrong because Cloud Functions with HTTP triggers is intended for event-driven, short-lived compute tasks, not for serving static files efficiently; it would incur per-invocation costs and cold start latency, and lacks built-in global CDN caching for static assets.

323
MCQhard

An e-commerce application has a read-heavy database workload: 95% reads, 5% writes. The primary Cloud SQL instance is experiencing CPU saturation during peak read traffic. What is the most appropriate GCP-native solution that minimizes changes to application code?

A.Enable Cloud SQL high availability; the standby replica will serve read traffic.
B.Create Cloud SQL read replicas and route read queries to the replica endpoint.
C.Scale the primary Cloud SQL instance vertically to a larger machine type.
D.Migrate from Cloud SQL to Cloud Spanner for unlimited horizontal read scalability.
AnswerB

Read replicas receive replicated data from the primary and serve SELECT queries. Application code only needs different connection strings for reads vs. writes — minimal changes.

Why this answer

B is correct because Cloud SQL read replicas are designed to offload read traffic from the primary instance, directly addressing CPU saturation during peak reads without requiring application code changes—simply route SELECT queries to the read replica's IP address. This is the most appropriate GCP-native solution for a read-heavy (95% reads) workload, as it horizontally scales read capacity while keeping writes on the primary.

Exam trap

The trap here is that candidates confuse Cloud SQL HA standby replicas with read replicas, assuming the standby can serve reads, when in fact HA standby replicas are passive and only used for automatic failover.

How to eliminate wrong answers

Option A is wrong because Cloud SQL high availability (HA) uses a standby replica in a different zone that does not serve read traffic; it only provides failover for writes, so it does not offload read queries or reduce CPU on the primary. Option C is wrong because vertical scaling (larger machine type) increases cost and has an upper limit, and it does not leverage the read-heavy nature of the workload; it also requires a brief downtime during the resize. Option D is wrong because migrating to Cloud Spanner introduces significant application code changes (e.g., different query syntax, strong consistency model) and is overkill for a simple read-heavy MySQL/PostgreSQL workload; Spanner is designed for globally distributed, strongly consistent transactions, not for minimizing code changes.

324
MCQhard

Your security team requires that all service accounts in your GCP organization older than 90 days that have not been used must be automatically disabled. They want a fully managed, serverless solution with no persistent infrastructure. Which architecture best meets these requirements?

A.Deploy a Compute Engine VM with a cron job that calls the IAM API nightly.
B.Use Cloud Scheduler to trigger a Cloud Function that queries Cloud Asset Inventory and disables stale service accounts.
C.Configure an org policy that automatically expires service accounts after 90 days.
D.Use Security Command Center to flag and manually disable unused service accounts.
AnswerB

Cloud Scheduler + Cloud Function is fully serverless. Cloud Asset Inventory provides `lastAuthenticatedTime` for service accounts, and the IAM API can disable them programmatically.

Why this answer

Option B is correct because Cloud Scheduler can trigger a serverless Cloud Function on a schedule (e.g., nightly) to query Cloud Asset Inventory for service accounts older than 90 days with no last authentication time, then disable them via the IAM API. This meets the fully managed, serverless requirement with no persistent infrastructure (no VMs or servers to maintain).

Exam trap

Google Cloud often tests the misconception that Organization Policies can enforce time-based lifecycle actions on IAM resources, but they only provide static constraints (e.g., 'constraints/iam.disableServiceAccountCreation'), not dynamic expiration or usage-based disabling.

How to eliminate wrong answers

Option A is wrong because it uses a Compute Engine VM with a cron job, which requires persistent infrastructure (the VM) and is not fully managed or serverless. Option C is wrong because Organization Policies do not support automatic expiration or disabling of service accounts based on age or usage; they enforce constraints on resource locations, domains, or service states, not time-based lifecycle actions. Option D is wrong because Security Command Center (SCC) provides findings and recommendations but does not automatically disable resources; it requires manual intervention, which violates the 'automatically disabled' requirement.
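The selection logic such a scheduled Cloud Function would run, as an added example for this question (not Google's code and not from the question bank): it takes service-account records of the kind a Cloud Asset Inventory query would return, keeps the enabled ones older than 90 days that have never authenticated, and, going slightly beyond the explanation above, also treats an account whose last authentication is itself more than 90 days old as unused. The record field names (`email`, `createTime`, `lastAuthenticatedTime`, `disabled`) and the sample records are constructed for the example, and the IAM disable call is injected as a callable so the run below is a dry run with no network access.

```python
"""Decision logic for a scheduled 'disable stale service accounts' job.

Added example; not Google's code. The Cloud Asset Inventory query and the IAM
disable call are kept outside this module (the latter is injected) so the
selection rules can be exercised offline on constructed records.
"""
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional

STALE_AFTER = timedelta(days=90)

# Fixed reference time so the constructed sample below evaluates predictably.
EXAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample of the records a function might assemble after searching
# Cloud Asset Inventory for iam.googleapis.com/ServiceAccount assets. The flat
# field names are an assumption for this example, not the exact API schema.
SAMPLE_ASSETS = [
    {"email": "ci-runner@example-proj.iam.gserviceaccount.com",
     "createTime": "2023-01-10T00:00:00Z",
     "lastAuthenticatedTime": "2024-05-01T12:00:00Z", "disabled": False},
    {"email": "old-unused@example-proj.iam.gserviceaccount.com",
     "createTime": "2023-01-10T00:00:00Z",
     "lastAuthenticatedTime": None, "disabled": False},
    {"email": "dormant@example-proj.iam.gserviceaccount.com",
     "createTime": "2023-06-01T00:00:00Z",
     "lastAuthenticatedTime": "2024-01-01T00:00:00Z", "disabled": False},
    {"email": "brand-new@example-proj.iam.gserviceaccount.com",
     "createTime": "2024-05-20T00:00:00Z",
     "lastAuthenticatedTime": None, "disabled": False},
    {"email": "already-off@example-proj.iam.gserviceaccount.com",
     "createTime": "2022-06-01T00:00:00Z",
     "lastAuthenticatedTime": None, "disabled": True},
]


def _parse_rfc3339(value: Optional[str]) -> Optional[datetime]:
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp into an aware UTC datetime."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def is_stale(asset: dict, now: datetime) -> bool:
    """True when the account is enabled, older than STALE_AFTER, and has either
    never authenticated or not authenticated within STALE_AFTER."""
    if asset.get("disabled"):
        return False  # already disabled: skipping keeps the job idempotent
    created = _parse_rfc3339(asset["createTime"])
    if now - created < STALE_AFTER:
        return False  # young accounts get a grace period before being judged unused
    last_auth = _parse_rfc3339(asset.get("lastAuthenticatedTime"))
    return last_auth is None or now - last_auth >= STALE_AFTER


def select_stale(assets: List[dict], now: datetime) -> List[str]:
    """Return the emails of the accounts that should be disabled."""
    return [a["email"] for a in assets if is_stale(a, now)]


def disable_stale(assets: List[dict], now: datetime,
                  disable_fn: Callable[[str], None]) -> List[str]:
    """Disable every stale account via disable_fn and return the emails acted on.

    In the deployed function disable_fn would wrap the IAM API's
    projects.serviceAccounts.disable method (the gcloud equivalent is
    `gcloud iam service-accounts disable EMAIL`). Injecting it allows a dry run.
    """
    acted = []
    for email in select_stale(assets, now):
        disable_fn(email)
        acted.append(email)
    return acted


if __name__ == "__main__":
    # Dry run against the constructed records: report instead of calling IAM.
    print(disable_stale(SAMPLE_ASSETS, EXAMPLE_NOW,
                        lambda e: print("would disable", e)))
```

Running the dry run reports `old-unused` (never authenticated) and `dormant` (last authenticated more than 90 days ago); `ci-runner` is in use, `brand-new` is inside the grace period, and `already-off` is left alone. Logging the returned list from the function gives the audit trail a security team would expect from an automated disable job.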

325
MCQeasy

A developer wants to deploy a Cloud Function that processes images uploaded to a Cloud Storage bucket. The function should be triggered automatically when an object is created. What is the best practice for setting up this trigger?

A.Use a Pub/Sub topic and a push subscription to invoke the Cloud Function
B.Create a Cloud Function with a Cloud Storage trigger and specify the bucket and event type
C.Use a Compute Engine instance to watch the bucket and call the function
D.Set up a Cloud Scheduler job to periodically scan the bucket and invoke the function
AnswerB

Cloud Functions natively support Cloud Storage triggers; this is the simplest approach.

Why this answer

Option B is correct because Cloud Functions natively supports Cloud Storage triggers via the `google.storage.object.finalize` event type, which fires when a new object is created in the specified bucket. This is the simplest and most reliable approach, as it eliminates the need for intermediate services and ensures low-latency, event-driven invocation directly from the storage layer.

Exam trap

Google Cloud often tests the misconception that Pub/Sub is required for all event-driven triggers, but Cloud Storage has a direct integration with Cloud Functions that avoids the overhead of an additional messaging layer.

How to eliminate wrong answers

Option A is wrong because using a Pub/Sub topic and push subscription adds unnecessary complexity and latency; Cloud Storage can directly trigger Cloud Functions without an intermediary, and Pub/Sub is typically used for decoupling or fan-out scenarios, not for direct storage events. Option C is wrong because using a Compute Engine instance to poll the bucket introduces compute cost, polling latency, and operational overhead, violating the serverless and event-driven best practices that Cloud Functions are designed for. Option D is wrong because Cloud Scheduler is a cron-based job scheduler for periodic tasks, not for real-time event triggers; it would introduce delays and inefficiency compared to the native event-driven trigger.

326
MCQmedium

An organization has deployed a Compute Engine VM instance running a web server. The web server is not responding to HTTP requests from the internet. The firewall rules allow ingress traffic on port 80 and 443 from any source (0.0.0.0/0). The VM has a public IP address and is in a VPC network with default subnets. What is the most likely cause of the issue?

A.The VM does not have an HTTP health check configured.
B.The web server service is not running on the VM.
C.The VPC network's default firewall rule blocks ingress traffic.
D.The VM is not in the same region as the global load balancer.
AnswerB

If the web server process is not running, it will not respond to HTTP requests.

Why this answer

Option B is correct because the most likely cause of the web server not responding to HTTP requests, despite correct firewall rules and a public IP, is that the web server service (e.g., Apache, Nginx) is not running on the VM. Firewall rules only control network traffic; they do not ensure that the application process is listening on the specified ports. A simple `sudo systemctl status apache2` or `netstat -tlnp` would confirm whether the service is active.

Exam trap

Google Cloud often tests the misconception that firewall rules alone guarantee application availability, when in fact the application service must be running and listening on the correct port.

How to eliminate wrong answers

Option A is wrong because HTTP health checks are used by load balancers to monitor instance health, but they are not required for a standalone VM to respond to HTTP requests; the VM can serve traffic directly without any health check configuration. Option C is wrong because the default VPC firewall rules include an 'allow' rule for ingress traffic on ports 80 and 443 from 0.0.0.0/0, so they do not block the traffic; the issue is not firewall-related. Option D is wrong because a global load balancer is not mentioned in the scenario, and even if one were used, the VM does not need to be in the same region as the load balancer — global load balancers route traffic to backends in any region.

327
MCQhard

You are enabling OS Login for a GCP project to manage SSH access to Compute Engine VMs. A developer cannot SSH to a VM despite having `roles/compute.osLogin` granted. The VM has OS Login enabled. What is the most likely missing configuration?

A.The developer needs `roles/compute.instanceAdmin` in addition to `roles/compute.osLogin`.
B.The VM metadata `enable-oslogin` is not set to `TRUE` at the VM or project level.
C.The developer must generate an SSH key pair and upload the public key to the VM's authorized_keys.
D.The developer's account needs `roles/iam.serviceAccountTokenCreator` to authenticate via SSH.
AnswerB

OS Login is enabled by setting `enable-oslogin=TRUE` in instance or project metadata. Without this metadata key, OS Login is not active on the VM even if the IAM role is granted.

Why this answer

Option B is correct because OS Login requires the VM or project metadata key `enable-oslogin` to be set to `TRUE`. Even if the user has the `roles/compute.osLogin` role, OS Login will not function if this metadata is missing or set to `FALSE`. The metadata enables the OS Login agent on the VM to authenticate users via IAM permissions rather than local SSH keys.

Exam trap

The trap here is that candidates assume granting the IAM role `roles/compute.osLogin` is enough, but they overlook the mandatory metadata flag `enable-oslogin=TRUE` that must be set at the project or VM level to activate the OS Login feature.

How to eliminate wrong answers

Option A is wrong because `roles/compute.instanceAdmin` grants broader management permissions (e.g., start/stop VMs) but is not required for SSH access via OS Login; `roles/compute.osLogin` alone is sufficient when OS Login is enabled. Option C is wrong because OS Login replaces the need for managing SSH keys in `authorized_keys`; authentication is handled by IAM and the OS Login service, not by uploading public keys to the VM. Option D is wrong because `roles/iam.serviceAccountTokenCreator` is used to generate OAuth2 tokens for service accounts, not for SSH authentication; OS Login uses IAM roles and the OS Login API to authorize SSH connections.

328
MCQmedium

You need to store application configuration data that changes infrequently (e.g., feature flags, database connection strings). Multiple services need to read this configuration at startup, and values must never appear in application code or container images. Updates to configuration should not require redeploying services. Which GCP service is most appropriate?

A.Store configuration in environment variables set at deployment time.
B.Use Cloud Secret Manager to store and retrieve configuration at runtime.
C.Store configuration in a Cloud Storage bucket readable by all services.
D.Use Cloud Firestore to store configuration documents that services read on startup.
AnswerB

Secret Manager provides versioned, IAM-controlled secret storage. Services read secrets at startup via API; updates are applied without redeployment by accessing the latest version.

Why this answer

Secret Manager is designed exactly for storing sensitive configuration (connection strings, API keys, feature flags with sensitive values). Secrets can be accessed via API or SDK at runtime without being embedded in code or images. Secret Manager supports versioning, automatic rotation triggers, and IAM-controlled access.

When a secret value changes, services can be configured to reload it without redeployment using Secret Manager's notification integration.

329
MCQeasy

A project manager wants to see how much each GCP service is costing the team this month, broken down by service. Where should they look?

A.IAM & Admin > Quotas
B.Cloud Monitoring > Cost metrics dashboard
C.Billing > Reports (filtered by service)
D.Resource Manager > Project settings > Cost summary
AnswerC

The Billing Reports page shows detailed cost breakdowns by service, SKU, project, and time period — the primary cost analysis tool in GCP.

Why this answer

Option C is correct because the Billing > Reports page in the Google Cloud Console allows you to filter costs by service, SKU, project, and other dimensions. This provides a granular breakdown of monthly spending per GCP service, which is exactly what the project manager needs.

Exam trap

Google Cloud often tests the distinction between cost reporting (Billing > Reports) and quota monitoring (IAM & Admin > Quotas), trapping candidates who confuse usage limits with cost breakdowns.

How to eliminate wrong answers

Option A is wrong because IAM & Admin > Quotas shows resource usage limits and current utilization, not cost breakdowns by service. Option B is wrong because Cloud Monitoring > Cost metrics dashboard displays billing metrics aggregated over time but does not provide a per-service cost breakdown; it is designed for monitoring and alerting on cost trends, not detailed service-level reports. Option D is wrong because Resource Manager > Project settings > Cost summary shows a high-level total cost for the project, not a breakdown by individual GCP service.

330
MCQhard

A Cloud Build pipeline needs to deploy to Cloud Run but the pipeline's service account has only minimal permissions. Rather than granting it Cloud Run Admin, the team wants it to temporarily act as a more privileged deployment service account. Which technique enables this?

A.Download the deployment service account's JSON key and store it in Cloud Build secrets
B.Grant service account impersonation: give the Cloud Build SA the Token Creator role on the deployment SA
C.Add the Cloud Build SA as an Owner of the project
D.Enable service account delegation in the project's IAM settings
AnswerB

With `roles/iam.serviceAccountTokenCreator` on the target SA, the Cloud Build SA can generate short-lived access tokens to act as the deployment SA — no key files needed.

Why this answer

Option B is correct because it uses IAM service account impersonation, which allows the Cloud Build service account to temporarily assume the identity of a more privileged deployment service account; this relies on the iam.serviceAccounts.actAs permission. This avoids granting broad Cloud Run Admin permissions directly to the pipeline's service account, adhering to the principle of least privilege. The Token Creator role (roles/iam.serviceAccountTokenCreator) on the deployment service account enables the Cloud Build SA to generate short-lived OAuth2 tokens for impersonation, which are automatically scoped to the deployment SA's permissions.

Exam trap

Google Cloud often tests the distinction between granting a role directly (like Cloud Run Admin) versus using impersonation with the Token Creator role, and the trap here is that candidates confuse storing a JSON key (Option A) with secure, temporary impersonation, or assume that 'delegation' (Option D) is a real IAM feature when it is not.

How to eliminate wrong answers

Option A is wrong because downloading a JSON key and storing it in Cloud Build secrets introduces a long-lived, static credential that violates security best practices (e.g., key rotation, exposure risk) and does not use temporary, auditable impersonation. Option C is wrong because adding the Cloud Build SA as an Owner of the project grants it full, permanent project-level control, which is far more permissive than needed and contradicts the goal of minimal permissions. Option D is wrong because 'service account delegation' is not a standard IAM setting; the correct mechanism is service account impersonation via the actAs permission and Token Creator role, not a project-level delegation toggle.

331
MCQmedium

Your organization mandates that all service-to-service communication within a GKE cluster must be encrypted in transit using mutual TLS (mTLS). The team does not want to manage certificates or modify application code. Which solution meets these requirements?

A.Configure Kubernetes TLS Secrets and mount them as volumes in each pod.
B.Enable Anthos Service Mesh with mTLS policy set to STRICT mode.
C.Use Cloud Armor to enforce TLS between services within the cluster.
D.Enable GKE node-to-node encryption to encrypt all traffic between nodes.
AnswerB

ASM (based on Istio) injects Envoy sidecars that handle mTLS automatically. In STRICT mode, all service-to-service communication requires mTLS. No application code changes needed — the sidecar handles everything.

Why this answer

Anthos Service Mesh (ASM) with mTLS set to STRICT mode enforces mutual TLS between all services in the mesh without requiring any application code changes or manual certificate management. ASM automatically injects Envoy sidecar proxies that handle certificate issuance, rotation, and encryption, meeting the requirement for encrypted service-to-service communication with mTLS.

Exam trap

Google Cloud often tests the distinction between network-layer encryption (node-to-node) and application-layer mTLS (service-to-service), leading candidates to mistakenly choose node-to-node encryption as a solution for service-level mTLS requirements.

How to eliminate wrong answers

Option A is wrong because mounting Kubernetes TLS Secrets as volumes requires manual certificate management and application code changes to load and use the certificates, which violates the 'do not want to manage certificates or modify application code' requirement. Option C is wrong because Cloud Armor is a web application firewall that protects external HTTP(S) traffic at the edge of the GKE cluster, not internal service-to-service traffic within the cluster. Option D is wrong because GKE node-to-node encryption encrypts traffic between nodes at the network layer (IPsec), not at the application layer between individual pods/services, and does not provide mutual TLS authentication between services.

332
MCQeasy

Which GCP service protects internet-facing applications against SQL injection, cross-site scripting (XSS), and other OWASP Top 10 attacks?

A.Cloud Firewall (VPC firewall rules)
B.Cloud Armor WAF with preconfigured OWASP Core Rule Set
C.Security Command Center's Web Security Scanner
D.Cloud Identity-Aware Proxy (IAP)
AnswerB

Cloud Armor's WAF feature includes preconfigured rules for OWASP Top 10 attacks. These rules inspect HTTP request content and block malicious patterns at the load balancer edge.

Why this answer

Cloud Armor WAF with the preconfigured OWASP Core Rule Set (CRS) is specifically designed to protect internet-facing applications from web application attacks, including SQL injection, cross-site scripting (XSS), and other OWASP Top 10 threats. It operates at the edge of Google's network, inspecting HTTP/HTTPS traffic against a set of rules that match known attack patterns, and can be integrated with Cloud Load Balancing to filter malicious requests before they reach the backend.

Exam trap

Google Cloud often tests the distinction between a WAF that inspects application-layer payloads (Cloud Armor) and network-layer firewalls (VPC firewall rules) or identity-based access controls (IAP), leading candidates to confuse perimeter security with application-layer protection.

How to eliminate wrong answers

Option A is wrong because Cloud Firewall (VPC firewall rules) operates at the network layer (L3/L4) and cannot inspect application-layer payloads such as SQL injection or XSS strings; it only filters based on IP addresses, ports, and protocols. Option C is wrong because Security Command Center's Web Security Scanner is a vulnerability scanning tool that identifies security flaws in web applications, not a real-time protection service that blocks attacks in transit. Option D is wrong because Cloud Identity-Aware Proxy (IAP) provides access control based on identity and context, but it does not inspect or filter HTTP request payloads for malicious content like SQL injection or XSS.

333
MCQmedium

A security team needs an inventory of all Compute Engine VM instances across all projects in their GCP organization, including instance names, zones, and status, without logging into each project individually. Which service provides this?

A.Cloud Monitoring — use the metric explorer to list all VM instances
B.Cloud Asset Inventory with an organization-scoped asset search
C.Cloud Resource Manager — list all projects and then query each for VMs
D.BigQuery information_schema views for GCP compute resources
AnswerB

`gcloud asset search-all-resources --scope=organizations/[ORG_ID] --asset-types=compute.googleapis.com/Instance` returns all VMs across all projects in the organization.

Why this answer

Cloud Asset Inventory provides a unified, organization-scoped view of all resources across projects, including Compute Engine VM instances. By using an organization-scoped asset search, the security team can query for all VM instances (e.g., `asset_type = "compute.googleapis.com/Instance"`) without needing to log into each project individually. This service is purpose-built for cross-project resource discovery and inventory management.

Exam trap

The trap here is that candidates confuse Cloud Monitoring's metric explorer with an inventory tool, or assume Cloud Resource Manager can directly query resources across projects, when in fact it only manages project metadata and IAM policies.

How to eliminate wrong answers

Option A is wrong because Cloud Monitoring's metric explorer is designed for monitoring metrics and logs, not for listing resource metadata like instance names, zones, and status; it cannot perform a comprehensive inventory of all VM instances across projects. Option C is wrong because Cloud Resource Manager can list projects but cannot directly query each project for VM instances; you would need to write custom scripts using the Compute Engine API per project, which violates the requirement of not logging into each project individually. Option D is wrong because BigQuery information_schema views are for querying BigQuery datasets and tables, not for GCP compute resources; there is no such view for Compute Engine instances.

334
MCQeasy

A small business wants to host a static website (HTML, CSS, JS) on Google Cloud. The site should have high availability and low latency for global users. The team has limited experience with infrastructure management and wants to minimize operational overhead and costs. They already have a custom domain. Which solution should they implement?

A.Use Firebase Hosting with the custom domain and enable Cloud CDN.
B.Store the website on Cloud Storage, point the custom domain to a global HTTP(S) load balancer, and enable Cloud CDN.
C.Package the static files as a container and deploy on Cloud Run with a managed SSL certificate.
D.Deploy the website on a single Compute Engine instance with a static IP and install a web server.
AnswerB

Standard, low-overhead, global solution.

Why this answer

Cloud Storage can host static content and integrate with Cloud CDN for low-latency delivery worldwide. This is serverless, highly available, and cost-effective. Option B is correct because it meets all requirements with minimal management.

Option D (Compute Engine) requires instance management and is overkill. Option C (Cloud Run) is for containerized apps, not ideal for pure static sites. Option A (Firebase Hosting) is also good but redundant with Cloud Storage; however, Cloud Storage with CDN is a standard solution and more flexible for custom domains.

335
MCQmedium

A team wants proactive alerting if their public HTTPS endpoint returns a non-2xx HTTP status code or becomes unreachable — before users report it. Which Cloud Monitoring capability provides this?

A.A log-based alert on 5xx error log entries
B.An uptime check with an HTTP status code condition
C.A Cloud Armor rule blocking 5xx responses
D.A metric alert on instance CPU exceeding 90%
AnswerB

Uptime checks actively probe the endpoint from multiple locations, alert on non-2xx status codes, and detect outages even during zero-traffic periods.

Why this answer

An uptime check with an HTTP status code condition is the correct choice because Cloud Monitoring’s uptime checks are specifically designed to proactively verify that a public HTTPS endpoint is reachable and returns a successful HTTP status (e.g., 2xx). When the check detects a non-2xx status or a timeout/unreachable condition, it can trigger an alert before users are impacted. This is the only option that directly monitors endpoint availability and HTTP response codes from an external perspective.

Exam trap

Google Cloud often tests the distinction between proactive monitoring (uptime checks) and reactive logging (log-based alerts), trapping candidates who assume that log entries for 5xx errors are sufficient for early detection, when in fact such alerts require the error to have already occurred and been logged.

How to eliminate wrong answers

Option A is wrong because a log-based alert on 5xx error log entries is reactive—it only fires after a 5xx response has been logged, and it cannot detect unreachable endpoints (e.g., DNS failures or connection timeouts) that never generate a log entry. Option C is wrong because Cloud Armor is a web application firewall that blocks or filters traffic based on rules, not a monitoring tool; it does not generate proactive alerts about endpoint status. Option D is wrong because a metric alert on instance CPU exceeding 90% monitors compute resource utilization, not the HTTP endpoint’s availability or response status, so it would not detect a non-2xx or unreachable condition.

336
MCQhard

A company's security team wants to enforce that all service account keys in production projects are rotated every 30 days and prevent creation of keys that never expire. Which single solution should they implement?

A.Use Cloud Audit Logs to detect keys older than 30 days and manually delete them.
B.Set the organization policy constraint iam.disableServiceAccountKeyCreation.
C.Set the organization policy constraint iam.restrictServiceAccountKeyExpiryHours to 720 hours and use the Service Account Key Manager to schedule automatic rotation.
D.Use IAM conditions to require that key creation only succeeds if an expiration time is set.
AnswerC

The constraint enforces maximum key lifetime, and the Key Manager can rotate keys automatically, ensuring rotation without manual effort.

Why this answer

Option C is correct because the organization policy constraint `iam.restrictServiceAccountKeyExpiryHours` enforces a maximum key lifetime (720 hours = 30 days), and the Service Account Key Manager can automate rotation before expiry. This combination ensures all service account keys are rotated every 30 days and prevents creation of keys that never expire, meeting both requirements with a single solution.

Exam trap

Google Cloud often tests the distinction between detection (Audit Logs) and enforcement (organization policy constraints), and candidates mistakenly choose a logging-based solution because they overlook the requirement to 'prevent creation' of non-expiring keys.

How to eliminate wrong answers

Option A is wrong because Cloud Audit Logs only provide visibility into key age, not enforcement; manual deletion is not a scalable or reliable solution and does not prevent creation of non-expiring keys. Option B is wrong because `iam.disableServiceAccountKeyCreation` completely blocks creation of all service account keys, which is too restrictive and does not allow legitimate key creation with expiration. Option D is wrong because IAM conditions cannot enforce key expiration during creation; they control access to resources based on attributes but do not interact with service account key properties like expiry time.

337
MCQmedium

A team's Cloud Storage bucket has fine-grained access control (ACLs) enabled. They want to switch to a simpler model where IAM policies alone control access, and object-level ACLs are ignored. What should they enable?

A.Enable Uniform Bucket-Level Access (UBLA) on the bucket
B.Delete all ACLs on each object and set them to 'authenticated-read'
C.Enable VPC Service Controls on the bucket
D.Set the bucket's default object ACL to `projectPrivate` and apply it to all objects
AnswerA

UBLA disables object ACLs and enforces IAM-only access control — simplifying the permission model to bucket-level IAM policies for all objects.

Why this answer

Option A is correct because enabling Uniform Bucket-Level Access (UBLA) on the bucket disables object-level ACLs and enforces IAM policies as the sole access control mechanism. This simplifies management by ignoring any existing ACLs on objects, ensuring that only bucket-level IAM permissions are evaluated for access decisions.

Exam trap

Google Cloud often tests the distinction between modifying ACLs (which does not change the access control model) and enabling UBLA (which fundamentally switches the model), so candidates may incorrectly think that deleting ACLs or changing default ACLs is sufficient to ignore object-level ACLs.

How to eliminate wrong answers

Option B is wrong because deleting ACLs on each object does not disable ACL evaluation; the bucket still has fine-grained access control enabled, and IAM policies will not override object-level ACLs unless UBLA is enabled. Option C is wrong because VPC Service Controls are used to restrict access to Google Cloud services from specific VPC networks or IP ranges, not to switch from ACL-based to IAM-based access control. Option D is wrong because setting the default object ACL to `projectPrivate` only affects new objects and does not ignore existing object-level ACLs; it also does not disable ACL evaluation for the bucket.

338
MCQeasy

A startup wants to grant developers the ability to create and manage Compute Engine instances, but prevent them from deleting instances or changing firewall rules. Which IAM approach should they use?

A.Create a custom role with permissions for instance management but without compute.instances.delete.
B.Assign the roles/compute.instanceAdmin.v1 role.
C.Assign the roles/compute.instanceOperator role.
D.Assign the roles/compute.admin role.
AnswerA

A custom role can be tailored to include only the required permissions, avoiding unintended capabilities.

Why this answer

Option A is correct because creating a custom role allows the startup to grant fine-grained permissions for instance management (e.g., compute.instances.create, compute.instances.start, compute.instances.stop) while explicitly omitting compute.instances.delete and any firewall-related permissions like compute.firewalls.update or compute.firewalls.delete. This ensures developers can manage instances but cannot delete them or alter firewall rules, meeting the exact requirement.

Exam trap

Google Cloud often tests the distinction between predefined roles that sound similar (like instanceAdmin.v1 vs. a non-existent instanceOperator) and the need for custom roles when predefined roles do not match the exact permission set required.

How to eliminate wrong answers

Option B is wrong because roles/compute.instanceAdmin.v1 includes compute.instances.delete and compute.firewalls.update, which would allow developers to delete instances and change firewall rules, violating the requirement. Option C is wrong because roles/compute.instanceOperator does not exist as a predefined role in Google Cloud IAM; this is a distractor that misleads candidates into thinking there is a role with limited permissions. Option D is wrong because roles/compute.admin grants full administrative access to all Compute Engine resources, including deleting instances and modifying firewall rules, which is far too permissive.

339
Multi-Selecteasy

Which TWO practices help ensure the reliability of a Cloud Functions deployment? (Choose two.)

Select 2 answers
A.Deploy functions in a single region to minimize latency.
B.Configure a VPC connector for all functions.
C.Set maximum instances to 1 to avoid resource contention.
D.Use Cloud Tasks to decouple function invocations.
E.Implement retry policies for background functions.
AnswersD, E

Cloud Tasks provides retries and scheduling.

Why this answer

Option D is correct because Cloud Tasks decouples function invocations by queuing requests and delivering them asynchronously, which improves reliability by handling spikes in traffic without dropping requests and providing automatic retries on failure. Option E is correct because implementing retry policies for background functions (e.g., Cloud Functions triggered by Pub/Sub or Cloud Storage) ensures that transient failures are automatically retried, increasing the overall reliability of the deployment.

Exam trap

Google Cloud often tests the misconception that limiting concurrency (e.g., max instances = 1) improves reliability, when in fact it reduces fault tolerance and increases latency under load.

340
MCQmedium

A team uses Cloud Build to build Docker images and push them to Artifact Registry. The cloudbuild.yaml has a step that requires a secret API key to call an external service during build. How should the secret be provided securely?

A.Pass the API key as a build substitution variable in the gcloud builds submit command
B.Reference the API key from Secret Manager using the availableSecrets field in cloudbuild.yaml
C.Store the API key in a Cloud Storage bucket and download it in a build step
D.Hardcode the API key in the cloudbuild.yaml and store it in the source repository
AnswerB

Cloud Build's `availableSecrets.secretManager` configuration retrieves the secret value at build time and makes it available as an environment variable, without logging the value.

Why this answer

Option B is correct because Cloud Build's `availableSecrets` field allows you to securely inject secrets from Secret Manager into build steps as environment variables or files, without exposing them in the build configuration or logs. This approach ensures the API key is encrypted at rest and in transit, and access can be controlled via IAM permissions, making it the only secure method among the options.

Exam trap

Google Cloud often tests the misconception that substitution variables are secure because they are 'variables,' but they are actually passed as plain text and can be logged, whereas `availableSecrets` is the only method that guarantees the secret is never exposed in the build configuration or logs.

How to eliminate wrong answers

Option A is wrong because substitution variables are passed as plain text in the `gcloud builds submit` command and can be visible in build logs or command history, violating security best practices. Option C is wrong because storing the API key in a Cloud Storage bucket and downloading it in a build step exposes the key to potential unauthorized access if the bucket is misconfigured, and the key is still visible in the build step's command or logs. Option D is wrong because hardcoding the API key in `cloudbuild.yaml` and storing it in the source repository makes the key accessible to anyone with repository access, and it can be exposed in version control history or build logs.

341
MCQhard

A regulated financial company must ensure that all GCP API calls made by employees are logged with full request and response payloads for audit purposes. Which combination of Cloud Audit Log types captures this?

A.Admin Activity logs only
B.Admin Activity logs + Data Access logs (DATA_READ and DATA_WRITE)
C.VPC Flow Logs + Cloud Monitoring metrics
D.System event logs + Data Access logs
AnswerB

Enabling both Admin Activity and Data Access audit logs provides complete coverage of all API calls — Admin Activity for configuration changes, Data Access for read/write operations including payload data.

Why this answer

Admin Activity logs capture administrative actions like creating or modifying resources, but not the data within API calls. Data Access logs (DATA_READ and DATA_WRITE) capture the request and response payloads for API calls that read or write data, which is required for full audit logging. Together, they cover both the administrative context and the data-level payloads mandated for regulated financial companies.

Exam trap

Google Cloud often tests the misconception that Admin Activity logs alone are sufficient for audit compliance, when in fact they omit the data-level payloads that regulated audits require, and candidates may overlook the need to explicitly enable Data Access logs with full payload inclusion.

How to eliminate wrong answers

Option A is wrong because Admin Activity logs only record metadata about resource configuration changes (e.g., who created a VM), not the full request/response payloads of API calls that access or modify data. Option C is wrong because VPC Flow Logs capture network metadata (source/destination IP, ports, protocol) but not the application-layer payloads of API calls, and Cloud Monitoring metrics provide aggregated performance data, not audit logs. Option D is wrong because System event logs capture Google Cloud system events (e.g., instance preemption) and do not include API request/response payloads; Data Access logs alone would miss the administrative actions that are also required for a complete audit trail.

342
MCQmedium

A BigQuery table in a data pipeline receives daily data loads. To control storage costs, the team wants table data older than 180 days to be automatically deleted at the table level, not the dataset level. How should this be configured?

A.Set a dataset-level default table expiration of 180 days in the dataset properties
B.Use a Cloud Scheduler job to run a DELETE statement on rows older than 180 days nightly
C.Configure partition expiration on a date-partitioned table to expire partitions after 180 days
D.Set a table-level TTL using BigQuery's TTL API with a 180-day value
AnswerC

For date-partitioned tables, partition expiration automatically deletes partitions older than the specified number of days — the most efficient and zero-maintenance approach for time-series data.

Why this answer

Option C is correct because BigQuery's partition expiration feature allows you to automatically delete entire partitions from a date-partitioned table after a specified number of days. By setting the partition expiration to 180 days, all data in partitions older than 180 days is dropped at the table level, meeting the requirement without affecting other tables in the dataset.

Exam trap

Google Cloud often tests the distinction between dataset-level defaults and table-level partition expiration, and the trap here is that candidates confuse dataset-level table expiration (which deletes entire tables) with the requirement to delete only old rows within a single table.

How to eliminate wrong answers

Option A is wrong because dataset-level default table expiration applies to all tables in the dataset, not just the specific table, and it deletes entire tables, not rows or partitions. Option B is wrong because using a Cloud Scheduler job to run a DELETE statement incurs query costs and does not automatically delete data at the table level; it also requires ongoing maintenance and does not leverage BigQuery's native storage management. Option D is wrong because BigQuery does not have a 'TTL API' for tables; the correct mechanism for automatic deletion of old data is partition expiration on partitioned tables.

343
MCQhard

A team builds a GKE application that processes healthcare data. Regulatory requirements mandate that data in transit between GKE nodes must be encrypted. GKE is running on GCP. What provides encrypted node-to-node traffic within the cluster?

A.GCP automatically encrypts all VM-to-VM traffic in transit within its network
B.GKE node traffic is unencrypted by default — mTLS must be manually configured on every Pod
C.Enable VPC Flow Logs — they activate encryption for logged traffic
D.Install a TLS termination proxy on each GKE node — it encrypts intranode traffic
AnswerA

Google Cloud encrypts data in transit between physical boundaries and virtual machines using encryption at the Google network layer. GKE node-to-node traffic within GCP is covered by this encryption.

Why this answer

GCP automatically encrypts all VM-to-VM traffic in transit at the network layer, including traffic between GKE nodes, using a combination of MACsec (IEEE 802.1AE) and IPsec. This encryption is enabled by default for all traffic within a VPC and between VPCs, without any configuration required. Therefore, node-to-node traffic within a GKE cluster is already encrypted, satisfying the regulatory requirement.

Exam trap

The trap here is that candidates assume Kubernetes traffic is unencrypted by default and that they must manually configure mTLS or a proxy, overlooking that GCP's underlying network infrastructure already provides encryption for all VM-to-VM traffic in transit.

How to eliminate wrong answers

Option B is wrong because GKE node traffic is not unencrypted by default; GCP encrypts all VM-to-VM traffic at the network layer, so no manual mTLS configuration is needed for node-to-node encryption. Option C is wrong because VPC Flow Logs are used for network monitoring and logging, not for enabling encryption; they capture metadata about traffic but do not activate encryption. Option D is wrong because installing a TLS termination proxy on each GKE node is unnecessary and would only encrypt traffic at the application layer, not the underlying node-to-node traffic, which is already encrypted by GCP's infrastructure.

344
MCQeasy

You need to choose between Cloud Storage storage classes for a dataset used in BigQuery for ad-hoc analysis. The data is queried approximately once per month. Which storage class minimizes storage cost while maintaining query availability?

A.Standard storage class
B.Nearline storage class
C.Coldline storage class
D.Archive storage class
AnswerB

Nearline is optimized for data accessed roughly once per month: lower storage cost than Standard with a retrieval fee. It balances storage cost savings against monthly access frequency appropriately.

Why this answer

Nearline storage class is the best choice because it offers the lowest storage cost for data accessed less than once a month (30-day minimum storage duration) while still providing sub-second access for BigQuery queries. Standard storage has no minimum duration but is more expensive for infrequent access, while Coldline and Archive have lower storage costs but impose higher retrieval costs and longer access times that are unsuitable for ad-hoc BigQuery queries.

Exam trap

Google Cloud often tests the misconception that 'cheapest storage class' always minimizes total cost, but the trap here is that Archive and Coldline have hidden retrieval costs and minimum storage durations that make them more expensive for data accessed even occasionally, and they cannot be queried directly by BigQuery without prior restoration.

How to eliminate wrong answers

Option A is wrong because Standard storage class has no minimum storage duration but is the most expensive per GB, making it cost-inefficient for data queried only once per month. Option C is wrong because Coldline storage class has a 90-day minimum storage duration and higher retrieval costs, which would increase total cost for data accessed monthly and is not optimized for query availability in BigQuery. Option D is wrong because Archive storage class has a 365-day minimum storage duration and the highest retrieval costs, plus data must be restored before querying, making it unsuitable for ad-hoc BigQuery analysis that requires immediate availability.

345
MCQmedium

A batch processing job runs on preemptible VMs in a managed instance group. The job frequently fails due to preemption. Which design change would most effectively improve the job's resilience?

A.Use committed use discounts (1-year or 3-year).
B.Add GPUs to the instances.
C.Use sole-tenant nodes.
D.Use a managed instance group with distribution across multiple zones and enable autoscaling.
AnswerD

Distributing across zones reduces the chance of all instances being preempted simultaneously; autoscaling replaces failed instances.

Why this answer

Option D is correct because distributing the managed instance group across multiple zones and enabling autoscaling ensures that when preemptible VMs are terminated in one zone, the autoscaler can provision replacement VMs in another zone that still has capacity. This architecture leverages the fact that preemption events are often zone-specific, so multi-zone distribution combined with autoscaling provides resilience without requiring persistent resources.

Exam trap

Google Cloud often tests the misconception that committed use discounts or sole-tenant nodes provide preemption protection, when in fact they only affect pricing or hardware isolation, not the preemptible VM lifecycle.

How to eliminate wrong answers

Option A is wrong because committed use discounts (1-year or 3-year) reduce cost for sustained usage but do not prevent or mitigate preemption; preemptible VMs can still be terminated at any time regardless of commitments. Option B is wrong because adding GPUs to instances increases cost and does not address the root cause of preemption; GPUs do not make VMs less likely to be preempted. Option C is wrong because sole-tenant nodes dedicate physical servers to a single project, but preemptible VMs on those nodes are still subject to preemption; sole-tenant nodes do not provide any preemption protection.

346
MCQhard

A company has multiple projects under an organization. They want to enforce that all service accounts created in any project must use the naming prefix 'sa-'. Which policy should be used?

A.VPC Service Controls
B.Organization policy using a custom constraint
C.Project-level IAM condition
D.Cloud Audit Logs
AnswerB

Custom organization policies can enforce naming patterns.

Why this answer

An organization policy with a custom constraint is the correct approach because it allows you to define a specific rule (e.g., all service accounts must start with 'sa-') that is enforced across all projects in the organization. Custom constraints use the Resource Manager API's `constraints/*` format and are evaluated at resource creation time, making them ideal for naming conventions that must be applied universally.

Exam trap

Google Cloud often tests the distinction between 'enforcement' (organization policies) and 'monitoring' (audit logs) or 'access control' (IAM conditions), leading candidates to confuse a naming convention policy with a logging or access control mechanism.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls are designed to protect data within VPCs by controlling exfiltration, not to enforce naming conventions on service accounts. Option C is wrong because project-level IAM conditions control access based on attributes like resource name or timestamp, but they cannot enforce a naming prefix at creation time—they only restrict access to existing resources. Option D is wrong because Cloud Audit Logs record actions for auditing and monitoring, but they do not enforce any policies or prevent non-compliant resources from being created.

347
MCQmedium

A team stores sensitive configuration files in Cloud Storage that internal services download at startup. External partners occasionally need time-limited access to specific files without creating GCP accounts. Which feature grants temporary access without modifying bucket permissions?

A.Make the specific files publicly readable and share the direct URL
B.Generate a Signed URL for the specific files with the required expiration time
C.Create a temporary GCP service account for the partner and share its JSON key
D.Enable uniform bucket-level access and create a public IAM binding for 24 hours
AnswerB

Signed URLs are cryptographically signed, time-limited URLs that grant access to specific Cloud Storage objects. Partners access the file via the URL without needing GCP credentials.

Why this answer

Option B is correct because Signed URLs provide time-limited, granular access to specific Cloud Storage objects without altering the underlying bucket permissions. The partner receives a URL that embeds authentication information and an expiration time, enabling secure, temporary downloads without requiring a GCP account or IAM role.

Exam trap

Google Cloud often tests the distinction between Signed URLs (object-level, temporary, no IAM changes) and Signed Policy Documents (form uploads) or public access, trapping candidates who confuse 'temporary access' with 'making objects public' or 'creating temporary credentials.'

How to eliminate wrong answers

Option A is wrong because making files publicly readable grants unrestricted access to anyone with the URL, violating the requirement for time-limited access and potentially exposing sensitive data indefinitely. Option C is wrong because creating a temporary service account and sharing its JSON key violates security best practices (key exposure risk) and requires the partner to manage GCP credentials, which contradicts the 'without creating GCP accounts' requirement. Option D is wrong because enabling uniform bucket-level access and creating a public IAM binding grants broad, time-limited access to the entire bucket, not specific files, and still requires modifying bucket-level permissions, which the question explicitly forbids.

348
MCQmedium

You are deploying a stateful application to GKE that requires each pod to have its own dedicated persistent disk, and each disk must persist data even if the pod is rescheduled to a different node. Which Kubernetes object type should you use?

A.Deployment with a shared PersistentVolumeClaim mounted by all pods.
B.StatefulSet with volumeClaimTemplates to provision individual PVCs per pod.
C.DaemonSet with a hostPath volume on each node.
D.Deployment with an emptyDir volume for each pod.
AnswerB

StatefulSets with volumeClaimTemplates create a unique PVC for each pod replica. The PVC persists through pod rescheduling, giving each pod its own dedicated, durable persistent disk.

Why this answer

A StatefulSet with volumeClaimTemplates is the correct choice because it automatically provisions a unique PersistentVolumeClaim (PVC) for each pod replica, ensuring each pod gets its own dedicated persistent disk. When a pod is rescheduled to a different node, the PVC remains bound to its original PersistentVolume (PV), allowing the new pod to mount the same disk and retain the data. This meets the requirement for both per-pod dedicated storage and data persistence across rescheduling events.

Exam trap

The trap here is that candidates often choose a Deployment with a shared PVC (Option A) because they think 'shared storage' is simpler, but they overlook the requirement for each pod to have its own dedicated disk, which a shared volume cannot provide.

How to eliminate wrong answers

Option A is wrong because a Deployment with a shared PersistentVolumeClaim mounted by all pods would cause all replicas to write to the same disk, leading to data corruption and failing the requirement for each pod to have its own dedicated persistent disk. Option C is wrong because a DaemonSet with a hostPath volume on each node ties the data to a specific node's filesystem, so if a pod is rescheduled to a different node, the data is lost or inaccessible, violating the persistence requirement. Option D is wrong because a Deployment with an emptyDir volume for each pod creates ephemeral storage that is deleted when the pod terminates, so data does not persist across rescheduling events.

349
MCQmedium

A payment service publishes an event to a message queue every time a transaction completes. Multiple downstream services (inventory, analytics, email) must each process every event independently. Which messaging pattern and GCP service best supports this?

A.Cloud Tasks with one queue per downstream service
B.Cloud Pub/Sub with one subscription per downstream service on a shared topic
C.Cloud Storage event notifications with three separate buckets
D.Directly calling each downstream service's API synchronously from the payment service
AnswerB

Pub/Sub's fan-out model: one topic, multiple subscriptions. Each subscription receives every message independently, decoupling the payment service from each consumer.

Why this answer

Cloud Pub/Sub with a single topic and one subscription per downstream service is the correct pattern because it implements a fan-out messaging model where each subscriber receives an independent copy of every published message. This ensures that inventory, analytics, and email services each process every transaction event without interference, while Pub/Sub handles at-least-once delivery and automatic scaling.

Exam trap

Google Cloud often tests the distinction between Cloud Tasks (point-to-point task execution) and Cloud Pub/Sub (fan-out messaging), and the trap here is that candidates confuse 'multiple queues' with 'multiple subscriptions,' failing to recognize that Pub/Sub’s topic-subscription model is the native GCP solution for independent event processing.

How to eliminate wrong answers

Option A is wrong because Cloud Tasks is designed for reliable task execution with a single queue per worker, not for fan-out to multiple independent consumers; using one queue per service would require the payment service to publish the same event to multiple queues, duplicating effort and breaking the decoupled pattern. Option C is wrong because Cloud Storage event notifications are triggered by object changes in a bucket and cannot reliably fan out the same event to multiple independent services without complex workarounds; they also lack the at-least-once delivery guarantees and subscription-level acknowledgment that Pub/Sub provides. Option D is wrong because directly calling each downstream service's API synchronously from the payment service creates tight coupling, increases latency (the payment service must wait for all responses), and introduces a single point of failure—if one service is slow or down, the entire transaction processing is blocked.

350
MCQeasy

A company wants to deploy a containerized web application on Google Kubernetes Engine (GKE) with minimal operational overhead. They require automatic scaling based on CPU utilization. Which resource should they configure?

A.Cluster autoscaler
B.VerticalPodAutoscaler
C.HorizontalPodAutoscaler
D.Node auto-provisioning
AnswerC

Correctly scales pods based on CPU utilization.

Why this answer

The HorizontalPodAutoscaler (HPA) is the correct resource because it automatically scales the number of pod replicas in a GKE deployment based on observed CPU utilization (or other custom metrics). This directly meets the requirement for automatic scaling with minimal operational overhead, as HPA is a native Kubernetes controller that adjusts replica counts without manual intervention.

Exam trap

Google Cloud often tests the distinction between horizontal scaling (adding/removing pods) and vertical scaling (adjusting pod resources) or infrastructure scaling (adding/removing nodes), leading candidates to confuse the HorizontalPodAutoscaler with the Cluster autoscaler or VerticalPodAutoscaler.

How to eliminate wrong answers

Option A is wrong because the Cluster autoscaler adjusts the number of nodes in the GKE cluster, not the number of pod replicas; it handles infrastructure-level scaling, not application-level scaling based on CPU utilization. Option B is wrong because the VerticalPodAutoscaler (VPA) adjusts CPU and memory requests/limits of existing pods, not the number of replicas; it is designed for right-sizing resource requests, not horizontal scaling. Option D is wrong because Node auto-provisioning is a feature that automatically creates new node pools when the cluster autoscaler cannot scale up due to insufficient resources; it does not directly scale pods based on CPU utilization.

351
MCQ · hard

Your company's compliance policy requires that all customer data stored in Cloud Storage must be encrypted using keys stored in a Hardware Security Module (HSM). The encryption keys must be managed by your security team and must not be exportable. Which configuration meets these requirements?

A. Use Cloud KMS software keys (protection level: SOFTWARE) with Cloud Storage CMEK.
B. Use Cloud KMS HSM-backed keys (protection level: HSM) with Cloud Storage CMEK.
C. Use Customer-Supplied Encryption Keys (CSEK) managed by your security team.
D. Enable Google-managed encryption with HSM by selecting it in Cloud Storage settings.
Answer: B

HSM protection level keys are generated and stored inside FIPS 140-2 Level 3 HSMs. They are non-exportable by design. CMEK with Cloud KMS HSM keys gives your team control while meeting HSM and non-exportability requirements.

Why this answer

Option B is correct because Cloud KMS HSM-backed keys (protection level: HSM) ensure that encryption keys are stored in a Hardware Security Module, are managed by the security team, and are non-exportable by design. When used with Cloud Storage CMEK, this configuration meets the compliance requirement for HSM-based key storage with full customer control and no key export capability.

Exam trap

Google Cloud often tests the distinction between customer-managed keys (CMEK) and customer-supplied keys (CSEK), where candidates mistakenly think CSEK provides HSM-level protection or that Google-managed encryption can be configured to use an HSM, but neither meets the non-exportable, HSM-backed requirement.

How to eliminate wrong answers

Option A is wrong because Cloud KMS software keys (protection level: SOFTWARE) are stored in software, not in an HSM, and thus do not satisfy the requirement for HSM-based encryption. Option C is wrong because Customer-Supplied Encryption Keys (CSEK) are managed by the customer but are not stored in an HSM; they are supplied by the customer and can be exported, violating the non-exportable requirement. Option D is wrong because Google-managed encryption with HSM is not a selectable setting in Cloud Storage; Google-managed encryption uses Google-owned keys, not customer-managed HSM keys, and does not allow the security team to control or restrict key export.

352
MCQ · medium

An organization has a VPC with subnets in us-central1 and europe-west1. They want to allow traffic from a specific on-premises IP range to reach a Compute Engine instance in europe-west1, but only through a single Cloud VPN tunnel attached to the us-central1 gateway. What configuration is required?

A. Create a route in us-central1 with the on-premises range and next hop set to the VPN tunnel. Add a firewall rule allowing the traffic.
B. Use policy-based routing on the Cloud VPN gateway to route the traffic to europe-west1.
C. Create a static route for the on-premises range in the europe-west1 subnet pointing to the VPN tunnel in us-central1.
D. Configure the VPN tunnel with BGP to advertise the on-premises range to both regions.
Answer: A

This routes traffic through the desired tunnel.

Why this answer

Option A is correct because the VPN tunnel is attached to the us-central1 gateway, and a static route in us-central1 with the on-premises IP range as the destination and the VPN tunnel as the next hop directs traffic from the on-premises network to the VPC. Since the VPC is global, the route applies to all regions, and the Compute Engine instance in europe-west1 is reachable as long as the traffic enters the VPC through the us-central1 tunnel. A firewall rule is required to allow the inbound traffic from the on-premises range to the instance.

Exam trap

The trap here is that candidates assume routes must be created in the same region as the destination instance, but in a global VPC, a route in one region can direct traffic to instances in another region as long as the next hop is valid and the traffic enters through the correct gateway.

How to eliminate wrong answers

Option B is wrong because Cloud VPN does not support policy-based routing; it uses route-based or BGP-based routing, and policy-based routing is not a feature of Cloud VPN gateways. Option C is wrong because a static route in the europe-west1 subnet cannot point to a VPN tunnel in us-central1; routes are global in a VPC, and the next hop must be a resource in the same region as the route's gateway, or the route must be created in the region where the VPN gateway resides. Option D is wrong because BGP advertises routes from the on-premises network to the VPC, not the other way around; advertising the on-premises range via BGP would not control the path through which traffic enters the VPC, and it would not force traffic through the us-central1 tunnel.

353
MCQ · hard

You are planning a Private Service Connect (PSC) configuration to allow your VPC to access a managed Cloud SQL instance over a private endpoint without exposing traffic to the public internet. What does Private Service Connect provide in this context?

A. PSC creates a VPC peering connection between your VPC and Google's service VPC.
B. PSC provides a private, internal IP endpoint in your VPC that routes to the managed service without traversing the public internet.
C. PSC enables bidirectional private communication between your VPC and the service's VPC, similar to peering.
D. PSC replaces the need for a Serverless VPC Access connector when calling managed services from Cloud Run.
Answer: B

PSC creates a forwarding rule in your VPC with an internal IP. Connections to this IP are routed privately to the managed service (Cloud SQL in this case) entirely within Google's network.

Why this answer

Private Service Connect (PSC) allows you to access Google-managed services (like Cloud SQL) by creating a private, internal IP endpoint within your VPC. This endpoint uses an internal IP address from your VPC's subnet and forwards traffic to the service without ever leaving Google's network, thus avoiding the public internet. Unlike VPC peering, PSC does not require you to manage peering relationships or worry about overlapping IP ranges.

Exam trap

The trap here is that candidates confuse Private Service Connect with VPC peering or assume it provides bidirectional connectivity, when in fact PSC is a unidirectional, endpoint-based model that does not require peering or address space coordination.

How to eliminate wrong answers

Option A is wrong because PSC does not create a VPC peering connection; it uses a Private Service Connect endpoint (a forwarding rule) that maps to a service attachment in the producer's VPC, not a direct peering link. Option C is wrong because PSC provides unidirectional (consumer-to-producer) access, not bidirectional communication; the producer cannot initiate connections back to the consumer's VPC. Option D is wrong because PSC is not a replacement for a Serverless VPC Access connector; the connector is used to allow serverless environments (like Cloud Run) to reach resources in a VPC, whereas PSC is for accessing managed services from a VPC.

354
MCQ · medium

Refer to the exhibit. An application running on this instance is unable to write to a Cloud Storage bucket. What is the most likely cause?

A. The application is using the wrong authentication method
B. The access scopes only allow read access to Cloud Storage
C. The Cloud Storage bucket is in a different project
D. The service account does not have the storage.objectAdmin IAM role
Answer: B

The scope is read_only, so write operations are denied regardless of IAM role.

Why this answer

When an instance is created with access scopes, these scopes restrict the API methods that the instance's credentials can use, regardless of the IAM permissions granted to the attached service account. The exhibit shows that the access scopes are set to 'Read Only' for Cloud Storage, which means the application can only call read methods (e.g., storage.objects.get) and cannot perform write operations (e.g., storage.objects.insert). This overrides any IAM role that would otherwise allow write access.

Exam trap

Google Cloud often tests the distinction between IAM permissions and access scopes, trapping candidates who assume that a service account with the correct IAM role can always perform the action, ignoring that access scopes can override those permissions at the instance level.

How to eliminate wrong answers

Option A is wrong because the authentication method (e.g., using a service account key or metadata server) is not the issue; the access scopes are explicitly limiting the API calls. Option C is wrong because Cloud Storage buckets can be accessed from any project as long as the correct IAM permissions and access scopes are in place; cross-project access is not inherently blocked. Option D is wrong because even if the service account had the storage.objectAdmin IAM role, the access scopes would still restrict the API methods to read-only, making the IAM role irrelevant for write operations.

355
MCQ · medium

A Cloud CDN cache is serving stale content after a website update. New files were deployed to Cloud Storage but CDN is still serving the old versions to some users. What is the fastest way to force CDN to serve the updated content?

A. Wait for the CDN TTL to expire — cached content automatically refreshes
B. Run a CDN cache invalidation for the affected URL paths
C. Delete and recreate the Cloud Storage bucket — CDN will detect the new bucket as a fresh origin
D. Disable Cloud CDN temporarily — all users will hit the origin until CDN is re-enabled
Answer: B

`gcloud compute url-maps invalidate-cdn-cache [URL_MAP] --path=[PATH_PATTERN]` immediately purges matching cached content. CDN fetches fresh content on the next request.

Why this answer

Option B is correct because Cloud CDN supports cache invalidation, which immediately removes cached objects from edge caches for specified URL paths. This forces the CDN to fetch fresh content from the origin (Cloud Storage) on the next request, providing the fastest way to serve updated content without waiting for TTL expiry.

Exam trap

Google Cloud often tests the misconception that modifying the origin (e.g., deleting/recreating a bucket) automatically clears the CDN cache, when in fact the CDN cache is independent and requires explicit invalidation or TTL expiry to refresh.

How to eliminate wrong answers

Option A is wrong because waiting for TTL expiry is passive and can take minutes to hours depending on the configured cache duration, which is not the fastest solution. Option C is wrong because deleting and recreating the Cloud Storage bucket does not affect CDN cache; the CDN still holds stale content from the old bucket URL, and the new bucket would require a new CDN configuration. Option D is wrong because disabling Cloud CDN temporarily disrupts service for all users and does not clear the cache; re-enabling it would still serve stale content until TTL expires or invalidation is performed.

356
MCQ · hard

A company runs a stable production workload on 20 n2-standard-8 VMs that run continuously year-round. Which pricing commitment maximizes cost savings on these VMs?

A. Sustained use discounts (automatically applied)
B. 1-year committed use discount (CUD)
C. 3-year committed use discount (CUD)
D. Switching to Spot VMs
Answer: C

3-year CUDs for N2 VMs offer up to 57% discount compared to on-demand pricing — the highest available discount for stable, continuously-running workloads.

Why this answer

The 3-year committed use discount (CUD) offers the highest discount rate (up to 57% for compute-optimized machine types) compared to 1-year CUDs (up to 20%) or sustained use discounts (up to 30% for running a VM the entire month). Since the workload runs 20 n2-standard-8 VMs continuously year-round, a 3-year CUD locks in the maximum savings for this predictable, steady-state usage.

Exam trap

Google Cloud often tests the misconception that sustained use discounts are always the best option for long-running workloads, but candidates must recognize that committed use discounts provide significantly higher savings for predictable, continuous usage, especially with a 3-year term.

How to eliminate wrong answers

Option A is wrong because sustained use discounts are automatically applied for running VMs more than 25% of a month, but they max out at 30% discount, which is lower than the 3-year CUD's up to 57% discount. Option B is wrong because a 1-year CUD offers a lower discount (up to 20%) compared to a 3-year CUD, and since the workload runs continuously for multiple years, the longer commitment yields greater savings. Option D is wrong because Spot VMs can be preempted at any time, making them unsuitable for a stable production workload that requires continuous availability and cannot tolerate interruptions.

357
Matching · medium

Match each Google Cloud deployment tool to its purpose.

Matches

Infrastructure-as-code using YAML

Multi-cloud infrastructure provisioning

CI/CD pipeline for building and testing

Command-line tool for managing GCP resources

Web-based UI for managing GCP

Why these pairings

These tools help manage GCP resources programmatically or manually.

358
MCQ · medium

A platform team needs to categorize GCP resources for policy enforcement (e.g., applying IAM conditions only to resources tagged 'environment:production'). Labels exist but don't support IAM conditions. What feature provides policy-tag-based enforcement?

A. Resource labels — set environment=production on each resource and reference in IAM conditions
B. Resource Manager Tags — attach a tag with key 'environment' and value 'production' and reference it in IAM conditions
C. Cloud Asset Inventory metadata fields — query by label and apply policies
D. Pub/Sub event-driven policy application triggered by label changes
Answer: B

Resource Manager Tags (created in Tag Namespaces) can be attached to resources and referenced in IAM Conditions, enabling attribute-based access control based on resource classification.

Why this answer

Option B is correct because Resource Manager Tags are the GCP feature specifically designed to support IAM conditions for policy enforcement. Unlike resource labels, which are simple key-value pairs used for metadata and billing, Resource Manager Tags can be referenced in IAM condition expressions using the `resource.matchTag` function, enabling fine-grained access control based on tag values such as 'environment:production'.

Exam trap

Google Cloud often tests the distinction between resource labels and Resource Manager Tags, trapping candidates who assume labels can be used in IAM conditions because they are more commonly used for resource organization.

How to eliminate wrong answers

Option A is wrong because resource labels cannot be used in IAM conditions; they are only for metadata, billing, and filtering, not for policy enforcement. Option C is wrong because Cloud Asset Inventory metadata fields are used for asset discovery and inventory, not for real-time policy enforcement via IAM conditions. Option D is wrong because Pub/Sub event-driven policy application is an architectural pattern, not a native GCP feature for tag-based IAM conditions, and label changes do not trigger IAM condition updates.

359
MCQ · hard

A CI/CD pipeline running outside GCP (on GitHub Actions) needs to authenticate to GCP to push images to Artifact Registry, without storing any long-lived service account key files. Which authentication mechanism achieves this?

A. Store a service account JSON key as a GitHub Actions secret and use it in the workflow
B. Workload Identity Federation with GitHub Actions as the identity provider
C. OAuth 2.0 user credentials from a developer's Google account
D. API keys created for the Artifact Registry service
Answer: B

Workload Identity Federation allows GitHub Actions workflows to authenticate to GCP using the workflow's OIDC token — no service account key file is ever created or stored.

Why this answer

Workload Identity Federation allows a GitHub Actions workflow to exchange a GitHub-issued OIDC token for a GCP access token, enabling authentication to Artifact Registry without storing any long-lived service account keys. This is the recommended approach for non-GCP CI/CD systems because it eliminates the security risk of managing static credentials while still granting fine-grained, short-lived access to GCP resources.

Exam trap

The trap here is that candidates often default to storing a service account key as a secret (Option A) because it's a familiar pattern, failing to recognize that Workload Identity Federation is the modern, keyless alternative specifically designed for external CI/CD providers like GitHub Actions.

How to eliminate wrong answers

Option A is wrong because storing a service account JSON key as a GitHub Actions secret still introduces a long-lived, static credential that must be rotated and managed, violating the requirement to avoid storing any long-lived service account key files. Option C is wrong because OAuth 2.0 user credentials from a developer's Google account are tied to a human user, not a CI/CD pipeline, and would require interactive consent flows, making them unsuitable for automated, non-interactive workflows. Option D is wrong because API keys are a simple, static authentication mechanism that does not support fine-grained IAM roles or short-lived tokens, and they are not designed for service-to-service authentication to Artifact Registry; they also cannot be scoped to a specific service account.
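The token exchange described in this answer, modelled as an added Python example (this is not Google's code and not part of the original question set): it decodes a constructed GitHub Actions OIDC payload, checks issuer, audience and expiry, applies an attribute mapping of the documented `google.subject = assertion.sub` form, and evaluates an attribute condition that restricts which repository owner may federate. The project number, pool and provider names, the `example-org` repository owner and the tiny condition evaluator (only `==` terms joined by `&&`) are assumptions; a real pool provider evaluates full CEL and verifies the token signature against GitHub's JWKS, which this example deliberately does not do.

```python
"""Workload Identity Federation trust decision, modelled for a GitHub Actions
OIDC token.  Added example code: the attribute mapping and condition syntax
follow the documented provider configuration, but this evaluator is a toy
(only `assertion.X == 'value'` terms joined by `&&`), and the token signature
is NOT verified here; Google verifies it against GitHub's JWKS."""
import base64
import json
import time

EXPECTED_ISSUER = "https://token.actions.githubusercontent.com"
# Assumed project number, pool and provider names (placeholders, not real resources).
POOL_AUDIENCE = ("https://iam.googleapis.com/projects/123456789012/locations/global/"
                 "workloadIdentityPools/github-pool/providers/github-provider")
# Attribute mapping in the documented form; google.subject is mandatory.
ATTRIBUTE_MAPPING = {
    "google.subject": "assertion.sub",
    "attribute.repository": "assertion.repository",
    "attribute.repository_owner": "assertion.repository_owner",
    "attribute.ref": "assertion.ref",
}
# Attribute condition: only workflows from this (assumed) GitHub org may federate.
ATTRIBUTE_CONDITION = "assertion.repository_owner == 'example-org'"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Constructed JWT-shaped string for testing; the third segment is a
    placeholder, not a real signature."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.signature-placeholder"


def decode_payload(token: str) -> dict:
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def map_attributes(claims: dict, mapping: dict) -> dict:
    """Apply `target = assertion.<claim>` mappings to the token claims."""
    mapped = {}
    for target, source in mapping.items():
        prefix, _, claim = source.partition(".")
        if prefix != "assertion":
            raise ValueError(f"unsupported mapping source: {source}")
        mapped[target] = claims.get(claim)
    return mapped


def evaluate_condition(condition: str, claims: dict) -> bool:
    """Toy evaluator: every `assertion.<claim> == '<value>'` term must hold."""
    for term in condition.split("&&"):
        lhs, sep, rhs = term.partition("==")
        if sep != "==" or not lhs.strip().startswith("assertion."):
            raise ValueError(f"unsupported condition term: {term.strip()}")
        claim = lhs.strip()[len("assertion."):]
        if claims.get(claim) != rhs.strip().strip("'\""):
            return False
    return True


def authorize_exchange(token: str, now=None) -> tuple:
    """Return (ok, reason, mapped_attributes) for a token presented to the pool."""
    claims = decode_payload(token)
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "issuer mismatch", {}
    if claims.get("aud") != POOL_AUDIENCE:
        return False, "audience mismatch", {}
    if float(claims.get("exp", 0)) <= now:
        return False, "token expired", {}
    if not evaluate_condition(ATTRIBUTE_CONDITION, claims):
        return False, "attribute condition rejected", {}
    return True, "ok", map_attributes(claims, ATTRIBUTE_MAPPING)


def sample_token(owner: str, repo: str, exp: int = 4102444800) -> str:
    """Constructed sample of the claims a GitHub Actions run would carry."""
    return make_unsigned_token({
        "iss": EXPECTED_ISSUER,
        "aud": POOL_AUDIENCE,
        "sub": f"repo:{owner}/{repo}:ref:refs/heads/main",
        "repository": f"{owner}/{repo}",
        "repository_owner": owner,
        "ref": "refs/heads/main",
        "exp": exp,
    })


if __name__ == "__main__":
    for owner in ("example-org", "someone-else"):
        ok, reason, attrs = authorize_exchange(sample_token(owner, "api"), now=1_700_000_000)
        print(owner, ok, reason, attrs.get("google.subject"))
```

The attribute condition is the part worth attention from a defender's side: without one, any GitHub repository that targets the pool's audience can obtain a federated identity, and only the subsequent IAM binding on the service account limits what it can do. Scoping the condition to the owning organization (or to specific repositories and refs) keeps the trust boundary explicit.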

360
MCQ · medium

A company wants to allow a junior admin to view project resources and create/modify Cloud Storage buckets but not delete them. Which IAM role should be assigned?

A. roles/storage.objectCreator
B. roles/storage.legacyBucketWriter
C. roles/storage.objectAdmin
D. roles/storage.admin
Answer: B

Legacy bucket writer allows creating and updating buckets, but not deleting them.

Why this answer

The storage.legacyBucketWriter role allows creation and update of buckets without delete permission, so Option B is correct. Option D (storage.admin) allows all actions, including delete.

Option C (storage.objectAdmin) applies to objects, not buckets. Option A (storage.objectCreator) allows object creation only.

361
MCQ · hard

Refer to the exhibit. An administrator wants to grant a service account read-only access to all Compute Engine instances in a project, but only those with label 'environment=production'. Which IAM policy configuration should be used?

A. roles/compute.instanceAdmin with condition 'resource.labels.environment == "production"'
B. roles/compute.viewer with condition 'resource.labels.environment == "production"'
C. roles/compute.imageUser with condition 'resource.labels.environment == "production"'
D. roles/compute.viewer with condition 'request.host == "production"'
Answer: B

Viewer provides read-only access, condition restricts to production label.

Why this answer

Option B is correct because roles/compute.viewer provides read-only access to Compute Engine resources, and the condition 'resource.labels.environment == "production"' restricts that access to only instances with the specified label. This satisfies the requirement of granting read-only access to production-labeled instances without granting broader permissions.

Exam trap

Google Cloud often tests the distinction between roles that grant read-only access (like roles/compute.viewer) versus roles that grant broader permissions (like roles/compute.instanceAdmin), and the use of correct condition attributes (resource.labels vs. request.host) to filter by resource labels.

How to eliminate wrong answers

Option A is wrong because roles/compute.instanceAdmin grants write permissions (e.g., start, stop, modify instances), which exceeds the required read-only access. Option C is wrong because roles/compute.imageUser only allows listing and using images, not reading instance metadata or configurations, so it does not provide the necessary read-only access to instances. Option D is wrong because 'request.host' is not a valid condition attribute for Compute Engine; the correct attribute for filtering by resource labels is 'resource.labels', and 'request.host' refers to the HTTP host header, which is irrelevant here.
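The two gates that questions 354 and 361 turn on, the instance's OAuth access scopes and the service account's IAM bindings with a label condition, as one added Python example (not Google's authorization engine and not part of the original question set). The role-to-permission and scope-to-permission tables are constructed subsets for illustration, the service account name and policy bindings are assumed, and the condition evaluator handles only the `resource.<path> == "<value>"` form shown in the question rather than full CEL.

```python
"""Two independent gates on an instance's default credentials, modelled as
added example code (not Google's authorization engine): the OAuth access
scopes granted to the VM, and the IAM bindings of its service account,
including a label-based condition.  The role->permission and
scope->permission tables are constructed subsets for illustration."""

ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.list",
                                  "storage.objects.create", "storage.objects.delete"},
    "roles/compute.viewer": {"compute.instances.get", "compute.instances.list"},
    "roles/compute.instanceAdmin.v1": {"compute.instances.get", "compute.instances.list",
                                       "compute.instances.start", "compute.instances.stop"},
}

# None means the scope does not restrict the token (cloud-platform); otherwise the set
# is the permissions a token carrying that scope may exercise (constructed subset).
SCOPE_PERMISSIONS = {
    "https://www.googleapis.com/auth/cloud-platform": None,
    "https://www.googleapis.com/auth/devstorage.read_only": {"storage.objects.get",
                                                            "storage.objects.list"},
    "https://www.googleapis.com/auth/devstorage.read_write": {"storage.objects.get",
                                                             "storage.objects.list",
                                                             "storage.objects.create"},
    "https://www.googleapis.com/auth/compute.readonly": {"compute.instances.get",
                                                        "compute.instances.list"},
}

SERVICE_ACCOUNT = "serviceAccount:app@example-project.iam.gserviceaccount.com"  # assumed

# Constructed IAM policy bindings, in the shape `gcloud projects get-iam-policy` returns.
POLICY_BINDINGS = [
    {"role": "roles/storage.objectAdmin", "members": [SERVICE_ACCOUNT]},
    {"role": "roles/compute.viewer", "members": [SERVICE_ACCOUNT],
     "condition": {"title": "production-only",
                   "expression": 'resource.labels.environment == "production"'}},
]


def condition_matches(expression, resource):
    """Evaluate a condition of the form resource.<path> == "<value>" (toy CEL subset)."""
    if expression is None:
        return True
    lhs, sep, rhs = expression.partition("==")
    path = lhs.strip().split(".")
    if sep != "==" or path[0] != "resource":
        raise ValueError(f"unsupported condition: {expression}")
    value = resource
    for key in path[1:]:
        value = value.get(key) if isinstance(value, dict) else None
    return value == rhs.strip().strip('"\'')


def iam_allows(bindings, member, permission, resource):
    """True if some binding grants `permission` to `member` and its condition holds."""
    for binding in bindings:
        if member not in binding["members"]:
            continue
        if permission not in ROLE_PERMISSIONS.get(binding["role"], set()):
            continue
        if condition_matches(binding.get("condition", {}).get("expression"), resource):
            return True
    return False


def scopes_allow(scopes, permission):
    """True if at least one scope on the instance lets the token exercise `permission`."""
    for scope in scopes:
        if scope not in SCOPE_PERMISSIONS:
            continue
        allowed = SCOPE_PERMISSIONS[scope]
        if allowed is None or permission in allowed:
            return True
    return False


def check_access(instance_scopes, member, permission, resource, bindings=POLICY_BINDINGS):
    """Both gates must pass; the result records each so a denial can be explained."""
    scope_ok = scopes_allow(instance_scopes, permission)
    iam_ok = iam_allows(bindings, member, permission, resource)
    return {"scope": scope_ok, "iam": iam_ok, "allowed": scope_ok and iam_ok}


if __name__ == "__main__":
    # Question 354: a read-only storage scope blocks writes even with objectAdmin.
    print(check_access(["https://www.googleapis.com/auth/devstorage.read_only"],
                       SERVICE_ACCOUNT, "storage.objects.create", {"labels": {}}))
    # Question 361: compute.viewer bound with a label condition.
    for env in ("production", "staging"):
        print(env, check_access(["https://www.googleapis.com/auth/cloud-platform"],
                                SERVICE_ACCOUNT, "compute.instances.get",
                                {"labels": {"environment": env}}))
```

The point the model makes visible is that a denial has two possible causes, and the troubleshooting path differs: a scope denial is fixed on the instance (recreate or stop and change scopes), while an IAM denial is fixed in the policy, and a label condition only helps if the target resources actually carry the label the expression tests.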

362
MCQ · easy

Which gcloud command lists all available roles that can be granted on a GCP project, including both predefined and custom roles?

A. `gcloud iam roles list --project=PROJECT_ID`
B. `gcloud iam list-grantable-roles //cloudresourcemanager.googleapis.com/projects/PROJECT_ID`
C. `gcloud projects get-iam-policy PROJECT_ID`
D. `gcloud iam roles describe roles/editor`
Answer: B

This queries all roles — predefined and custom — that can be granted on the specified project resource.

Why this answer

Option B is correct because the `gcloud iam list-grantable-roles` command is specifically designed to list all roles (both predefined and custom) that can be granted on a given resource, such as a GCP project. The resource is identified by its canonical name, which for a project is `//cloudresourcemanager.googleapis.com/projects/PROJECT_ID`. This command returns roles that are eligible for binding at that resource level, including those inherited from ancestors.

Exam trap

Google Cloud often tests the distinction between listing roles that *can* be granted (grantable roles) versus listing roles that *are* granted (current bindings), and candidates confuse `gcloud iam roles list` (custom roles only) with the correct command for all grantable roles.

How to eliminate wrong answers

Option A is wrong because `gcloud iam roles list --project=PROJECT_ID` lists only custom roles defined in that project, not predefined roles or roles inherited from the organization. Option C is wrong because `gcloud projects get-iam-policy PROJECT_ID` retrieves the current IAM policy bindings (who has what role), not the list of all available roles that can be granted. Option D is wrong because `gcloud iam roles describe roles/editor` shows details of a single predefined role (Editor), not a list of all grantable roles on a project.

363
MCQ · hard

A company's Google Kubernetes Engine cluster has experienced a sudden increase in latency. The team suspects a misconfigured node pool is causing resource contention. They want to verify the node's resource usage. Which command or tool should they use?

A. Run 'gcloud container clusters describe cluster-name'.
B. Run 'kubectl top nodes'.
C. Use the Cloud Console Monitoring page to view node metrics.
D. Run 'kubectl describe node node-name'.
Answer: B

This shows CPU and memory usage per node.

Why this answer

Option B is correct because 'kubectl top nodes' directly displays real-time CPU and memory usage for each node in the cluster, which is the fastest way to identify resource contention causing latency. This command leverages the metrics-server to aggregate resource metrics from kubelets, giving immediate insight into node-level utilization without additional overhead.

Exam trap

The trap here is that candidates confuse 'kubectl describe node' (which shows static capacity and requests) with 'kubectl top nodes' (which shows actual live usage), leading them to choose D when they need real-time utilization data.

How to eliminate wrong answers

Option A is wrong because 'gcloud container clusters describe cluster-name' returns static cluster configuration metadata (e.g., zone, node count, network settings) but does not provide live resource usage metrics. Option C is wrong because the Cloud Console Monitoring page offers historical and aggregated metrics with dashboards, but it is not a direct command-line tool for quick verification; it requires navigating the UI and may have a delay in data ingestion. Option D is wrong because 'kubectl describe node node-name' shows node conditions, capacity, and allocated resources, but it does not show real-time usage; it reports requests and limits, not actual consumption, so it cannot confirm current resource contention.

364
MCQ · easy

A security auditor needs read-only access to Compute Engine instance metadata but should not be able to start or stop instances. Which predefined IAM role should be assigned?

A. roles/compute.instanceAdmin.v1
B. roles/compute.admin
C. roles/compute.networkAdmin
D. roles/compute.viewer
Answer: D

Provides read-only access to Compute Engine resources.

Why this answer

The roles/compute.viewer role grants read-only access to Compute Engine resources, including instance metadata, without allowing write operations such as starting or stopping instances. This matches the requirement for read-only metadata access while preventing instance lifecycle changes.

Exam trap

The trap here is that candidates may confuse 'viewer' with broader roles like instanceAdmin.v1, assuming read-only access is sufficient, but fail to recognize that instanceAdmin.v1 includes write permissions for starting/stopping instances.

How to eliminate wrong answers

Option A is wrong because roles/compute.instanceAdmin.v1 includes permissions to start, stop, and modify instances, which exceeds the required read-only access. Option B is wrong because roles/compute.admin provides full administrative control over all Compute Engine resources, including the ability to start and stop instances. Option C is wrong because roles/compute.networkAdmin focuses on network resources (e.g., firewalls, routes) and does not grant access to instance metadata.

365
MCQ · hard

A team's Cloud SQL for PostgreSQL instance is running out of disk space. Automated storage increase is disabled. A monitoring alert fires at 90% disk usage. What is the fastest safe action to increase storage?

A. Delete old records from the database to free space — no instance changes needed
B. Increase storage capacity using `gcloud sql instances patch --storage-size=[NEW_SIZE]` without downtime
C. Create a new larger Cloud SQL instance and migrate data with Cloud Database Migration Service
D. Enable automatic storage increase and wait — Cloud SQL will expand the disk retroactively
Answer: B

Cloud SQL supports online storage capacity increases via `gcloud sql instances patch --storage-size=[GB]`. The operation completes without instance restart or downtime.

Why this answer

Option B is correct because Cloud SQL for PostgreSQL supports online storage resizing without downtime. Using `gcloud sql instances patch --storage-size=[NEW_SIZE]` allows you to increase the allocated disk capacity while the instance remains fully operational, making it the fastest safe action when automated storage increase is disabled.

Exam trap

Google Cloud often tests the misconception that deleting data frees up provisioned storage in managed database services, when in fact the allocated disk size remains unchanged and must be explicitly increased via a resize operation.

How to eliminate wrong answers

Option A is wrong because deleting old records does not release disk space back to the operating system in Cloud SQL PostgreSQL; the space is retained by the database for future writes and does not reduce the provisioned storage size. Option C is wrong because creating a new larger instance and migrating data with Cloud Database Migration Service introduces significant downtime and operational complexity, which is slower and riskier than a simple online storage resize. Option D is wrong because enabling automatic storage increase does not retroactively expand the disk; it only allows future automatic expansions, and the instance is already at 90% usage with no immediate relief.

366
MCQ · medium

An application architect is comparing Cloud SQL (PostgreSQL) and Cloud Spanner for a new global e-commerce platform. The platform must serve customers on three continents with <50ms latency for reads and strong consistency for inventory updates. Which service best fits?

A. Cloud SQL with one primary instance and cross-region read replicas
B. Cloud Spanner multi-region configuration
C. Cloud Firestore in multi-region mode
D. Cloud SQL with Cloud Memorystore caching layer for reads
Answer: B

Cloud Spanner multi-region provides strong consistency for writes with globally distributed read replicas for low-latency reads — exactly matching the three-continent, strong-consistency requirement.

Why this answer

Cloud Spanner multi-region configuration is the correct choice because it provides strong global consistency with <50ms read latency across continents, which is essential for an e-commerce platform requiring real-time inventory updates. Spanner uses TrueTime and Paxos-based replication to ensure ACID transactions globally, meeting both the latency and consistency requirements simultaneously.

Exam trap

Google Cloud often tests the misconception that read replicas or caching layers can provide strong consistency globally, but only Spanner's synchronous replication and TrueTime guarantee ACID transactions across continents.

How to eliminate wrong answers

Option A is wrong because Cloud SQL cross-region read replicas are asynchronous, meaning they can serve stale data and do not provide strong consistency for inventory updates across continents. Option C is wrong because Cloud Firestore in multi-region mode offers strong consistency but is designed for NoSQL workloads and lacks the relational capabilities (e.g., joins, transactions) typically needed for complex e-commerce inventory systems. Option D is wrong because a Cloud Memorystore caching layer for reads does not solve the strong consistency requirement for writes; it only improves read latency and cannot guarantee that inventory updates are immediately consistent across regions.

367
MCQ · easy

A startup runs its application entirely on Cloud Run. They want to use a custom domain (api.mycompany.com) instead of the default Cloud Run URL. Which GCP feature maps a custom domain to a Cloud Run service?

A. Cloud DNS — create a CNAME record pointing to the Cloud Run URL
B. Cloud Run Domain Mappings or a Global Load Balancer with a Serverless NEG
C. Cloud Endpoints with an API gateway configuration
D. Firebase Hosting rewrites to Cloud Run
Answer: B

Cloud Run Domain Mappings provide the simplest path to custom domains with automatic TLS. For advanced routing, a Global Load Balancer with a Serverless Network Endpoint Group (NEG) is used.

Why this answer

Option B is correct because Cloud Run Domain Mappings provide a native, managed way to map a custom domain to a Cloud Run service without additional infrastructure. Alternatively, a Global Load Balancer with a Serverless NEG (Network Endpoint Group) can also route traffic from a custom domain to Cloud Run, offering advanced features like SSL termination and traffic splitting. Both approaches are officially supported by Google Cloud for custom domain mapping.

Exam trap

The trap here is that candidates often assume a simple DNS CNAME record is sufficient, but Cloud Run requires domain ownership verification and SSL certificate management, which only Domain Mappings or a Load Balancer with Serverless NEG provide.

How to eliminate wrong answers

Option A is wrong because a CNAME record in Cloud DNS alone cannot map a custom domain to Cloud Run; Cloud Run requires verification of domain ownership and SSL certificate provisioning, which a simple CNAME does not handle. Option C is wrong because Cloud Endpoints with an API gateway configuration is designed for managing, securing, and monitoring APIs, not for mapping a custom domain to a Cloud Run service; it operates at a higher layer and does not replace the need for domain mapping. Option D is wrong because Firebase Hosting rewrites to Cloud Run are a feature of Firebase Hosting, not a direct GCP feature for mapping a custom domain to Cloud Run; it introduces an unnecessary intermediary and is not the standard approach for a standalone Cloud Run service.

368
MCQ · hard

A team runs `gcloud organizations list` and sees no output even though they know their company has a GCP organization. What is the most likely cause, and how should they resolve it?

A. The organization does not exist yet; run `gcloud organizations create` to create it.
B. The user lacks org-level IAM permissions such as Organization Viewer.
C. The gcloud SDK does not support the organizations command; use the Cloud Console instead.
D. The project must be linked to the organization using `gcloud projects move`.
Answer: B

Without `resourcemanager.organizations.get` permission at the org level, `gcloud organizations list` returns empty results even if the org exists.

Why this answer

The `gcloud organizations list` command retrieves organizations from the GCP Resource Manager API. If no output is returned despite the organization existing, the most likely cause is that the authenticated user lacks the `resourcemanager.organizations.get` permission, which is granted by roles like Organization Viewer (`roles/resourcemanager.organizationViewer`) or Organization Administrator (`roles/resourcemanager.organizationAdmin`). Without this IAM permission at the organization level, the API call returns an empty list rather than an error, which is a common source of confusion.

Exam trap

The trap here is that candidates assume a missing organization or a command limitation, when in fact the empty output is a deliberate API behavior designed to hide organizations from users without explicit permission, testing the understanding of IAM scoping and the difference between list and describe commands.

How to eliminate wrong answers

Option A is wrong because `gcloud organizations create` is not a valid command; GCP organizations are created automatically when a Google Workspace or Cloud Identity account is set up, not via the gcloud CLI. Option C is wrong because the `gcloud organizations` command is fully supported in the gcloud SDK and uses the Resource Manager API; the Cloud Console is not required. Option D is wrong because linking a project to an organization is unrelated to listing organizations; the issue is about visibility of the organization itself, not project association.

369
MCQ · easy

A team needs a database backup job to run every day at 2 AM UTC. The job calls an HTTP endpoint to trigger the backup. The endpoint requires no complex orchestration — just a timed HTTP call. Which GCP service handles this most simply?

A. Cloud Tasks with a daily task enqueued by a Cloud Function
B. Cloud Scheduler with an HTTP target pointing to the backup endpoint
C. Cloud Composer DAG running at 2 AM UTC
D. Cloud Run Jobs triggered by a Cloud Monitoring alert at 2 AM
Answer: B

Cloud Scheduler sends a configured HTTP request to the backup endpoint at 2 AM UTC daily — the exact use case it's designed for, requiring minimal setup.

Why this answer

Cloud Scheduler is the simplest GCP service for a recurring HTTP call because it is a fully managed cron job service that directly supports HTTP targets. You configure a schedule (e.g., '0 2 * * *' for daily at 2 AM UTC) and point it to the backup endpoint URL. No additional code, queue, or orchestration is needed, making it the most straightforward solution for this use case.

Exam trap

The trap here is that candidates overcomplicate the solution by choosing Cloud Tasks (A) or Cloud Composer (C) because they assume a 'job' requires a queue or orchestration, when Cloud Scheduler's HTTP target is the simplest and most direct fit for a single timed HTTP call.

How to eliminate wrong answers

Option A is wrong because Cloud Tasks is a task queue/distributed execution service, not a scheduler; you would still need Cloud Scheduler or a separate trigger to enqueue the task daily, adding unnecessary complexity. Option C is wrong because Cloud Composer (Apache Airflow) is a full workflow orchestration platform designed for complex, multi-step pipelines with dependencies, not for a simple timed HTTP call — it introduces heavy overhead and cost. Option D is wrong because Cloud Monitoring alerts are for reacting to metric thresholds or system states, not for scheduling recurring actions; using an alert to trigger a job at a fixed time is an incorrect architectural pattern and would require a custom metric or log-based alert, which is convoluted and unreliable for simple cron-like scheduling.

370
MCQ · easy

A compliance archive stores legal documents accessed at most once per quarter. Which Cloud Storage class minimizes storage cost while meeting that access pattern?

A. Standard
B. Nearline
C. Coldline
D. Archive
Answer: C

Coldline is ideal for data accessed once per quarter or less. It offers low storage cost with a 90-day minimum storage duration, matching this use case.

Why this answer

Coldline storage is designed for data accessed less than once per quarter, offering lower storage costs than Standard or Nearline while still providing millisecond access when needed. For a compliance archive accessed at most once per quarter, Coldline minimizes storage cost without incurring the higher retrieval fees or minimum storage durations of Archive storage.

Exam trap

Google Cloud often tests the misconception that Archive is always the cheapest option for infrequently accessed data, ignoring the minimum storage duration and retrieval costs that can make Coldline more cost-effective for quarterly access patterns.

How to eliminate wrong answers

Option A is wrong because Standard storage is optimized for frequently accessed data (multiple times per month) and has the highest storage cost, making it unsuitable for quarterly access. Option B is wrong because Nearline is intended for data accessed less than once per month, not once per quarter, and its storage cost is higher than Coldline for this access pattern. Option D is wrong because Archive storage, while having the lowest storage cost, imposes a 365-day minimum storage duration and higher retrieval fees, which is excessive for data accessed quarterly and may increase total cost if data is deleted early.

371
MCQ · hard

A healthcare company stores patient data in Cloud Storage. Compliance requires that even GCP (Google) cannot decrypt this data. The company manages encryption keys entirely on their own infrastructure. Which encryption option satisfies this?

A. Customer-Managed Encryption Keys (CMEK) stored in Cloud KMS
B. Customer-Supplied Encryption Keys (CSEK) provided with each API request
C. Google-managed encryption keys (default) with restricted IAM policies
D. Shielded VM with confidential computing for the VMs that access the data
Answer: B

CSEK requires the customer to supply the encryption key with every API request. GCP uses the key transiently and never stores it — Google cannot access data without the customer providing the key each time.

Why this answer

Option B is correct because Customer-Supplied Encryption Keys (CSEK) allow the customer to provide their own AES-256 encryption key with each API request to Cloud Storage. Google does not store the key; it is used only in memory to encrypt/decrypt the data and then discarded, ensuring that even Google cannot access the plaintext. This meets the compliance requirement that the customer retains exclusive control over the encryption keys.

Exam trap

The trap here is that candidates confuse CMEK with CSEK, assuming that managing keys in Cloud KMS gives the customer exclusive control, but CMEK still allows Google to access the key material via the KMS service, whereas CSEK ensures Google never stores the key.

How to eliminate wrong answers

Option A is wrong because Customer-Managed Encryption Keys (CMEK) are stored in Cloud KMS, which means Google manages the key material in a hardware security module (HSM) and can technically decrypt the data if required by law or internal policy. Option C is wrong because Google-managed encryption keys are fully controlled by Google, and restricting IAM policies does not prevent Google from accessing the keys or decrypting the data. Option D is wrong because Shielded VM with confidential computing protects data in use within VM memory, but does not address encryption at rest in Cloud Storage or key management; the data in Cloud Storage would still be encrypted with keys accessible to Google.

372
MCQ · hard

You are managing Terraform state for a GCP infrastructure project shared by a team of 5 engineers. You need to prevent simultaneous `terraform apply` operations from causing state corruption. What is the recommended backend configuration?

A. Store state locally on each engineer's machine and merge state files manually after each apply.
B. Configure the `gcs` backend in Terraform, pointing to a Cloud Storage bucket with versioning enabled.
C. Use Terraform Cloud (HashiCorp) as the backend for state locking.
D. Use a Cloud Source Repository to store state files with branch-based locking.
Answer: B

The GCS backend stores state remotely with automatic state locking. Concurrent applies are prevented — the second apply fails with a lock error until the first completes. Versioning provides state history for rollback.

Why this answer

Option B is correct because the `gcs` backend with versioning enabled provides both remote state storage and built-in state locking via Cloud Storage's object-level consistency model. When one engineer runs `terraform apply`, the backend acquires a lock by writing a lock file to the bucket; other concurrent operations are blocked until the lock is released, preventing state corruption. Versioning further protects against accidental state deletion or corruption by allowing rollback to previous state versions.

Exam trap

Google Cloud often tests the distinction between a remote backend that supports locking (like `gcs` or `s3`) and one that only stores state (like `consul` without locking or a plain HTTP backend). The trap here is that candidates may think any remote storage (like Cloud Source Repository) or a third-party service (like Terraform Cloud) is equally valid, when the question specifically requires a GCP-native solution with locking.

How to eliminate wrong answers

Option A is wrong because storing state locally on each engineer's machine and manually merging state files is error-prone, does not provide any locking mechanism, and directly contradicts Terraform's recommended practice of using a remote backend for team collaboration. Option C is wrong because Terraform Cloud is a HashiCorp product, not a GCP-native service, and while it does provide state locking, the question specifically asks for a 'recommended backend configuration' within the context of a GCP infrastructure project — the `gcs` backend is the GCP-native solution. Option D is wrong because Cloud Source Repository is a Git repository service, not a Terraform state backend; it does not support state locking or the Terraform state API, and branch-based locking is not a concept Terraform recognizes for state management.

373
MCQ · hard

A company is deploying a multi-region application on Google Kubernetes Engine (GKE) with clusters in us-central1 and europe-west1. They want to route user traffic to the closest healthy cluster using a global load balancer with SSL termination. Which load balancing service should they use?

A. Internal Load Balancer
B. SSL Proxy Load Balancer
C. External TCP/UDP Network Load Balancer
D. External HTTPS Load Balancer with a global backend service (using NEGs)
Answer: D

This load balancer can route to multiple backends across regions and terminate SSL.

Why this answer

D is correct because the External HTTPS Load Balancer with a global backend service using Network Endpoint Groups (NEGs) provides global anycast IP, SSL termination, and traffic routing to the closest healthy GKE cluster via Google's global network. This meets the requirement for multi-region GKE clusters with automatic failover and low latency.

Exam trap

The trap here is that candidates often confuse regional load balancers (like SSL Proxy or TCP/UDP Network LB) with global ones, mistakenly thinking SSL termination alone is sufficient, but the key requirement for multi-region routing to the closest cluster demands a global load balancer with a global backend service.

How to eliminate wrong answers

Option A is wrong because an Internal Load Balancer is regional and cannot route traffic globally or terminate SSL for external users. Option B is wrong because the SSL Proxy Load Balancer, while supporting SSL termination, is a regional proxy-based load balancer and does not provide global anycast routing to the closest healthy cluster; it is designed for non-HTTP(S) traffic. Option C is wrong because the External TCP/UDP Network Load Balancer is a regional, passthrough load balancer that does not support SSL termination and cannot route traffic to the closest healthy cluster across regions.

374
MCQ · hard

A SaaS company serves 200 enterprise customers, each requiring complete data isolation in separate databases. The company needs to provision a new customer database within minutes and manage 200 databases with minimal overhead. Which GCP approach scales most efficiently?

A. 200 separate Cloud SQL instances, one per customer
B. A single Cloud SQL instance with a separate schema (database) per customer, provisioned via API automation
C. Storing all customer data in a single shared database with customer_id as a discriminator column
D. Using BigQuery with a separate dataset per customer
Answer: B

A single Cloud SQL instance with per-customer databases (schemas) balances isolation, cost efficiency, and provisioning speed. Automation via API or Terraform enables sub-minute provisioning.

Why this answer

Option B is correct because it uses a single Cloud SQL instance with separate schemas (databases) per customer, which allows you to achieve complete data isolation while minimizing overhead. Provisioning a new schema via API automation takes seconds, and managing 200 schemas on one instance is far more efficient than managing 200 separate instances. This approach scales efficiently because Cloud SQL supports up to 10,000 databases per instance, and you can leverage connection pooling and shared resources without sacrificing isolation.

Exam trap

The trap here is that candidates often confuse 'data isolation' with 'physical separation' and assume separate instances are required, but GCP's Cloud SQL supports logical isolation via separate databases on a single instance, which is far more efficient and still meets the isolation requirement.

How to eliminate wrong answers

Option A is wrong because managing 200 separate Cloud SQL instances introduces massive operational overhead, including patching, backups, and monitoring each instance individually, and it does not scale efficiently for provisioning within minutes. Option C is wrong because storing all customer data in a single shared database with a customer_id discriminator column violates the requirement for complete data isolation, as a query error or bug could expose data across customers. Option D is wrong because BigQuery is a data warehouse designed for analytics, not for the transactional, low-latency database operations required by a SaaS application, and provisioning a new dataset does not provide the same isolation or performance characteristics as a relational database schema.

375
MCQ · medium

A team is building a real-time multiplayer game backend requiring low-latency state synchronization between players worldwide. Session data must persist for the duration of a game (up to 2 hours) but doesn't need long-term storage. Which managed service best fits?

A. Cloud SQL for PostgreSQL with connection pooling
B. Cloud Memorystore for Redis
C. Cloud Bigtable
D. Cloud Firestore in Native mode
Answer: B

Memorystore provides sub-millisecond in-memory storage with built-in TTL support for expiring game sessions — ideal for real-time, ephemeral state.

Why this answer

Cloud Memorystore for Redis is the best fit because it provides an in-memory data store with sub-millisecond latency, ideal for real-time state synchronization in a multiplayer game. Redis supports data structures like sets and sorted sets for leaderboards or session state, and its optional persistence (RDB/AOF) can cover the 2-hour game duration without needing long-term storage. This aligns with the requirement for low-latency, ephemeral session data that must survive only the game session.

Exam trap

Google Cloud often tests the distinction between in-memory caches (Redis) and persistent databases (Cloud SQL, Bigtable, Firestore), where candidates mistakenly choose a database with real-time features (like Firestore) without recognizing that its latency and consistency model are insufficient for sub-millisecond state synchronization.

How to eliminate wrong answers

Option A is wrong because Cloud SQL for PostgreSQL is a relational database with disk-based storage, incurring higher latency (typically 5-10 ms) unsuitable for real-time state synchronization, and connection pooling does not address the fundamental latency or in-memory performance need. Option C is wrong because Cloud Bigtable is a wide-column NoSQL database optimized for large-scale analytical workloads (e.g., time-series data) with high throughput but not sub-millisecond latency for frequent read/write operations in a real-time game; it also requires a cluster and is overkill for ephemeral session data. Option D is wrong because Cloud Firestore in Native mode is a document database with real-time listeners but has higher latency (typically 10-100 ms) and is designed for persistent, scalable app data, not for ultra-low-latency, short-lived session state; its eventual consistency model can also cause synchronization issues in a fast-paced game.
