Google Associate Cloud Engineer (ACE) — Questions 451–500

500 questions total · 7 pages · All types, answers revealed

Page 7 of 7

451
MCQ · hard

Your organization has a hybrid cloud environment with an on-premises data center connected to Google Cloud via Cloud VPN. The VPN tunnel uses BGP with Cloud Router for dynamic routing. You need to increase the throughput between on-premises and GCP to support a new batch processing workload that transfers 20 Gbps of data. The on-premises gateway hardware supports multiple IPsec tunnels and ECMP (Equal-Cost Multi-Path). You want to maximize throughput without changing the existing on-premises equipment or network topology. Which solution should you implement?

A. Replace Cloud VPN with Dedicated Interconnect.
B. Enable Cloud NAT for the VPN tunnel.
C. Upgrade the Cloud VPN gateway to a larger size.
D. Create additional VPN tunnels to the same Cloud Router, enabling ECMP across them.
Answer: D

Adds more tunnels to increase bandwidth without hardware replacement.

Why this answer

Option D is correct because creating additional VPN tunnels to the same Cloud Router and enabling ECMP allows the on-premises gateway to distribute traffic across multiple IPsec tunnels, effectively aggregating bandwidth up to the supported limit (e.g., 3 Gbps per tunnel, with up to 4 tunnels for 12 Gbps, or more with higher limits). This leverages the existing on-premises hardware's support for multiple tunnels and ECMP without requiring topology changes, and Cloud Router automatically handles BGP multipath to load-balance traffic across the tunnels.

Exam trap

The trap here is that candidates assume upgrading the VPN gateway (Option C) increases throughput, but Cloud VPN gateways are fixed at 3 Gbps per tunnel, and the only way to scale is via multiple tunnels with ECMP, not a single larger gateway.

How to eliminate wrong answers

Option A is wrong because Dedicated Interconnect requires physical cross-connects and changes to on-premises equipment or topology, contradicting the requirement to not change existing equipment or topology. Option B is wrong because Cloud NAT provides outbound internet connectivity for private instances and does not affect VPN throughput or load balancing. Option C is wrong because Cloud VPN gateway size (e.g., Classic VPN vs. HA VPN) does not have a 'larger size' option; HA VPN already supports up to 3 Gbps per tunnel, and scaling throughput requires multiple tunnels with ECMP, not a single gateway upgrade.

452
MCQ · hard

A company wants to deploy a globally distributed, multi-tier application with strict low-latency communication between the web and database tiers. The database must be fully managed and able to survive a regional outage with automatic failover. Which combination is most appropriate?

A. Cloud Run (multi-region) and Cloud SQL (cross-region replica with manual failover)
B. Compute Engine regional managed instance group and Cloud SQL (regional with automatic failover)
C. App Engine (standard) and Cloud Datastore (multi-region)
D. Cloud Run (multi-region) and Cloud Spanner (multi-region)
Answer: D

Cloud Spanner provides automatic failover across regions with strong consistency, and Cloud Run can be deployed globally for low latency.

Why this answer

Cloud Run (multi-region) provides a serverless compute layer that can automatically route traffic across regions for low-latency access, while Cloud Spanner (multi-region) offers a fully managed, globally distributed relational database with synchronous replication and automatic failover, ensuring strong consistency and regional outage survival without manual intervention. This combination meets the strict low-latency communication and automatic failover requirements for a multi-tier application.

Exam trap

Google Cloud often tests the distinction between zonal and regional resilience, where candidates mistakenly assume that Cloud SQL's regional automatic failover (which covers zonal outages) is sufficient for a regional outage, but the question explicitly requires survival of a regional outage, which demands a multi-region database like Spanner.

How to eliminate wrong answers

Option A is wrong because Cloud SQL cross-region replica requires manual failover, not automatic, and does not provide the synchronous replication needed for strict low-latency communication across regions. Option B is wrong because Cloud SQL regional with automatic failover only survives a zonal outage, not a regional outage, and the compute layer (regional MIG) is also zonal, not multi-region. Option C is wrong because Cloud Datastore (multi-region) is a NoSQL database that does not support the relational database requirements implied by a multi-tier application with a database tier, and App Engine standard has limitations on runtime and scaling that may not suit low-latency inter-tier communication.

453
MCQ · medium

A team wants to allow inbound HTTPS traffic (TCP port 443) from the internet to instances tagged 'web-server', while blocking all other inbound traffic. What firewall configuration achieves this?

A. An ingress allow rule for port 443 from 0.0.0.0/0 targeting the 'web-server' tag, relying on the implied deny for other traffic
B. An ingress allow rule for port 443 and a separate egress deny rule for all other ports
C. An ingress deny rule for all ports from 0.0.0.0/0, plus an ingress allow for port 443 with lower priority
D. A Cloud Armor policy allowing only HTTPS requests to port 443
Answer: A

GCP's implied deny-all ingress rule (priority 65535) blocks all traffic not explicitly allowed. A single allow rule for port 443 is all that's needed.

Why this answer

Option A is correct because Google Cloud VPC firewall rules are stateful and have an implicit deny for all traffic that is not explicitly allowed. An ingress allow rule for TCP port 443 from 0.0.0.0/0 applied to instances with the 'web-server' tag permits inbound HTTPS traffic, and the implicit deny blocks all other inbound traffic without needing additional rules.

Exam trap

Google Cloud often tests the misconception that you need explicit deny rules or that egress rules affect inbound traffic, but the key trap here is that candidates may think they need to add a deny rule for other ports, not realizing the implicit deny already blocks everything not allowed.

How to eliminate wrong answers

Option B is wrong because egress deny rules are not needed for inbound traffic control; the implicit deny already blocks all other inbound traffic, and adding an egress deny rule is irrelevant and could interfere with outbound responses. Option C is wrong because an ingress deny rule for all ports from 0.0.0.0/0 would block the HTTPS traffic even if a lower-priority allow rule exists, as deny rules take precedence over allow rules in Google Cloud VPC firewall evaluation. Option D is wrong because Cloud Armor is a web application firewall (WAF) that operates at the HTTP/HTTPS layer, not a VPC firewall rule; it cannot replace the network-level firewall rule required to allow inbound traffic to the instances.

454
MCQ · easy

You need to check the CPU and memory utilization of all pods running in the `production` namespace. Which command provides this information?

A. `kubectl describe pods -n production`
B. `kubectl top pods -n production`
C. `kubectl get pods -n production -o wide`
D. `kubectl logs -n production --all-pods`
Answer: B

`kubectl top pods` shows live CPU and memory consumption per pod. `-n production` filters to the production namespace.

Why this answer

The `kubectl top pods` command retrieves real-time CPU and memory utilization metrics from the metrics server for pods in a specified namespace. This is the correct tool for monitoring resource usage, as it directly queries the resource metrics API.

Exam trap

Google Cloud often tests the distinction between commands that show pod status/configuration (`describe`, `get`) versus those that show live resource metrics (`top`), leading candidates to confuse descriptive output with performance data.

How to eliminate wrong answers

Option A is wrong because `kubectl describe pods` shows configuration details, events, and status, but not real-time CPU or memory utilization metrics. Option C is wrong because `kubectl get pods -o wide` displays pod IPs and node assignments, not resource utilization data. Option D is wrong because `kubectl logs` retrieves container logs for debugging, not CPU or memory metrics.

455
MCQ · medium

A security analyst needs to retrieve all Cloud Logging entries with severity ERROR or higher across all resource types in the current project. Which log query correctly filters these entries?

A. `severity >= ERROR AND timestamp > now() - 24h`
B. `severity="ERROR" AND resource.type="gce_instance"`
C. `severity >= "ERROR"`
D. `logName="projects/my-project/logs/stderr" AND severity > "WARNING"`
Answer: C

`severity >= "ERROR"` correctly matches all entries at ERROR and above across all resource types. The time range is set separately via the console time picker.

Why this answer

Option C is correct because Cloud Logging's query language supports comparison operators like `>=` for severity levels, where `ERROR` is a recognized severity level. The query `severity >= "ERROR"` retrieves all entries with severity ERROR, CRITICAL, ALERT, or EMERGENCY, as these are considered higher severity than ERROR. This matches the requirement to filter for severity ERROR or higher across all resource types without restricting the time range or resource type.

Exam trap

Google Cloud often tests the nuance that severity values must be quoted strings and that comparison operators like `>=` work on the underlying numeric severity levels, not on string lexicographic order, leading candidates to mistakenly use unquoted values or incorrect operators like `>`.

How to eliminate wrong answers

Option A is wrong because `severity >= ERROR` uses an unquoted severity value, which is invalid syntax; severity values must be quoted strings (e.g., `"ERROR"`). Option B is wrong because it restricts results to only the `gce_instance` resource type, while the requirement is to retrieve entries across all resource types. Option D is wrong because it filters by a specific log name (`stderr`), which limits results to a single log stream rather than all resource types, and its `severity > "WARNING"` clause is not the standard comparison for "ERROR or higher" in Cloud Logging; the idiomatic filter is `severity >= "ERROR"`.
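The severity comparison the question turns on, worked through offline as an added example that is not part of the original question bank: the filter is evaluated against Cloud Logging's numeric severity ranking, not string order, so `CRITICAL` and `ALERT` are correctly kept even though they sort before `ERROR` alphabetically. The log entries, the `parse_severity_filter` / `apply_filter` helpers and the mini-grammar (only a single `severity` clause) are constructed for this demonstration.

```python
# Added example: evaluate a Cloud Logging-style severity filter against
# constructed log entries using the LogSeverity numeric ranking.
from __future__ import annotations

import re

# Cloud Logging severity levels in ascending order (LogSeverity enum values).
SEVERITY_RANK = {
    "DEFAULT": 0,
    "DEBUG": 100,
    "INFO": 200,
    "NOTICE": 300,
    "WARNING": 400,
    "ERROR": 500,
    "CRITICAL": 600,
    "ALERT": 700,
    "EMERGENCY": 800,
}

# Accepts only the quoted form, e.g. severity >= "ERROR". An unquoted
# operand (Option A in the question) does not match and is rejected.
_FILTER_RE = re.compile(r'^\s*severity\s*(>=|<=|=|>|<)\s*"([A-Z]+)"\s*$')


def parse_severity_filter(expr: str) -> tuple[str, int]:
    """Return (operator, numeric threshold) for a single severity clause."""
    m = _FILTER_RE.match(expr)
    if not m:
        raise ValueError(f"invalid severity filter: {expr!r}")
    op, level = m.groups()
    if level not in SEVERITY_RANK:
        raise ValueError(f"unknown severity level: {level}")
    return op, SEVERITY_RANK[level]


def matches(entry_severity: str, op: str, threshold: int) -> bool:
    """Compare an entry's severity rank against the threshold."""
    rank = SEVERITY_RANK[entry_severity]
    return {
        ">=": rank >= threshold,
        "<=": rank <= threshold,
        "=": rank == threshold,
        ">": rank > threshold,
        "<": rank < threshold,
    }[op]


def apply_filter(expr: str, entries: list[dict]) -> list[dict]:
    """Return the entries, in order, that satisfy the severity clause."""
    op, threshold = parse_severity_filter(expr)
    return [e for e in entries if matches(e["severity"], op, threshold)]


# Constructed sample entries spanning several resource types.
SAMPLE_ENTRIES = [
    {"resource_type": "gce_instance", "severity": "INFO", "msg": "boot ok"},
    {"resource_type": "gce_instance", "severity": "ERROR", "msg": "disk full"},
    {"resource_type": "cloud_function", "severity": "CRITICAL", "msg": "oom"},
    {"resource_type": "gke_container", "severity": "WARNING", "msg": "slow"},
    {"resource_type": "cloud_run_revision", "severity": "ALERT", "msg": "down"},
]


def error_or_higher(entries: list[dict]) -> list[dict]:
    """The query from Option C: every entry at ERROR or above, any resource."""
    return apply_filter('severity >= "ERROR"', entries)


def lexicographic_error_or_higher(entries: list[dict]) -> list[dict]:
    """What a naive string comparison would do: CRITICAL and ALERT sort before
    ERROR alphabetically and would be wrongly dropped, INFO wrongly kept."""
    return [e for e in entries if e["severity"] >= "ERROR"]


if __name__ == "__main__":
    for e in error_or_higher(SAMPLE_ENTRIES):
        print(e["resource_type"], e["severity"], e["msg"])
```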

456
Drag & Drop · medium

Order the steps to configure a Cloud Load Balancer (HTTP/S) in front of a Compute Engine instance group.


Why this order

Instance group and health check must exist before backend service; then frontend components.

457
MCQ · hard

A company uses Cloud DNS for internal DNS resolution. They recently added a new VPC and need to ensure that instances in this VPC can resolve private DNS names that are hosted in another project. What must be configured?

A. Use Cloud DNS inbound server policy to forward queries to the other VPC.
B. Export the private zone as a public zone and create a delegation.
C. Set up a DNS peering zone between the new VPC and the VPC that hosts the private zone.
D. Create a Private DNS zone in the new project with forwarding to the on-premises DNS.
Answer: C

DNS peering allows the new VPC to query private zones from the source VPC.

Why this answer

Option C is correct because Cloud DNS peering allows a VPC in one project to resolve private DNS names hosted in a private zone in another project without requiring the zones to be shared or exported. DNS peering establishes a direct query path between the peered VPCs, enabling the new VPC to resolve names in the private zone as if they were local, while the zone remains private and managed in its original project.

Exam trap

The trap here is that candidates confuse DNS peering with inbound/outbound server policies, mistakenly thinking that forwarding policies are needed for inter-VPC resolution, when in fact peering directly connects DNS namespaces without requiring external forwarding.

How to eliminate wrong answers

Option A is wrong because Cloud DNS inbound server policy is used to forward DNS queries from on-premises networks to Cloud DNS, not to forward queries between VPCs in different projects. Option B is wrong because exporting a private zone as a public zone would expose internal DNS records to the internet, violating security requirements and not providing a secure resolution path for internal instances. Option D is wrong because creating a new Private DNS zone with forwarding to on-premises DNS does not enable resolution of private DNS names hosted in another project; it would only forward queries to an on-premises resolver, not to the target private zone.

458
MCQ · easy

Your company runs a critical web application on a single Compute Engine instance. The application is not containerized and the team lacks DevOps experience. Management requires high availability for this application with minimal disruption to operations and low cost. The application serves dynamic content and uses a MySQL database running on the same instance. You need to design a solution. Which option should you choose?

A. Create a snapshot of the instance, create an instance template, and set up a managed instance group with a load balancer.
B. Migrate the application to Cloud Storage and use a global HTTP(S) load balancer.
C. Deploy the application to App Engine and use traffic splitting between versions.
D. Containerize the application using Cloud Run and configure traffic splitting.
Answer: A

Enables high availability with automated failover and scaling, using existing VM image.

Why this answer

Option A is correct because it leverages a Managed Instance Group (MIG) with an instance template created from a snapshot, which provides auto-healing and auto-scaling for high availability without requiring containerization or DevOps expertise. Combined with a load balancer, this solution distributes traffic across healthy instances, meeting the high-availability requirement with minimal operational overhead and low cost, as MIGs only charge for running instances.

Exam trap

The trap here is that candidates may assume containerization (Option D) is always the best path to high availability, but the question explicitly states the team lacks DevOps experience, making containerization a high-risk, high-effort choice that violates the 'minimal disruption' and 'low cost' requirements.

How to eliminate wrong answers

Option B is wrong because Cloud Storage is a static object store and cannot serve dynamic content or run a MySQL database, making it unsuitable for this application. Option C is wrong because App Engine requires application code to be deployed in a specific runtime environment and does not support running a MySQL database on the same instance; it also introduces a learning curve for a team lacking DevOps experience. Option D is wrong because containerizing the application with Cloud Run requires Docker knowledge and DevOps skills, which the team lacks, and Cloud Run does not natively support a MySQL database running in the same container or instance.

459
Drag & Drop · medium

Order the steps to set up a Cloud IAM policy that grants a user the 'roles/compute.admin' role on a specific project.


Why this order

Policy binding is applied via gcloud; verification and testing follow.

460
MCQ · medium

A global web application needs HTTPS traffic routed to backend services in multiple regions, directing each user to the nearest healthy endpoint. Which load balancer type should be used?

A. Regional external Network Load Balancer
B. Global external Application Load Balancer
C. Regional internal Application Load Balancer
D. Regional internal TCP/UDP load balancer
Answer: B

This load balancer uses Google's global anycast network to route HTTPS traffic to the nearest healthy backend across multiple regions.

Why this answer

The Global external Application Load Balancer (ALB) is the correct choice because it provides cross-regional load balancing for HTTPS traffic, routing each user to the nearest healthy backend based on anycast IP and client location. This is essential for a global web application requiring low latency and high availability across multiple regions.

Exam trap

Google Cloud often tests the distinction between global and regional load balancers, and the trap here is that candidates may confuse a regional external Network Load Balancer (which handles TCP/UDP traffic but not HTTPS) with a global Application Load Balancer, overlooking the requirement for HTTPS termination and cross-regional routing.

How to eliminate wrong answers

Option A is wrong because a Regional external Network Load Balancer operates at Layer 4 (TCP/UDP) and cannot terminate HTTPS or perform content-based routing, and it is confined to a single region, not global. Option C is wrong because a Regional internal Application Load Balancer is designed for internal traffic within a VPC and cannot handle external HTTPS traffic or route globally. Option D is wrong because a Regional internal TCP/UDP load balancer is a Layer 4 internal load balancer that does not support HTTPS termination, content-based routing, or global anycast routing.

461
MCQ · easy

A retail company has a customer-facing web application that runs on a legacy architecture. The application consists of a PHP frontend and a MySQL database that must be co-located on the same virtual machine due to hardcoded configuration paths. The company is migrating to Google Cloud. They want to minimize operational overhead and ensure the application is resilient to a single zone failure. Additionally, they need to apply critical OS security patches monthly without causing downtime. The application's traffic is predictable, with peak load during business hours. The company has a small IT team with limited Kubernetes expertise. They are willing to use managed services but want to keep the application architecture as simple as possible. The existing application is not containerized and uses a specific Linux distribution. They have already tested the application on Compute Engine and confirmed it works on Debian 10. The database is approximately 50 GB and needs to be durable. They also need to ensure that the application can recover quickly if an instance fails. Which deployment strategy should they use? (Choose the best option.)

A. Deploy the application on a managed instance group with at least two instances, each in different zones, behind a TCP load balancer. Use a shared persistent disk for the database mounted on both instances and configure the application to use the same database path. Use rolling replacement for patching.
B. Deploy the application in a GKE cluster with a single pod and a persistent volume claim for the database, using a LoadBalancer service. Use node auto-upgrades for patching.
C. Deploy the application on a managed instance group with at least two instances, each in different zones, behind a TCP load balancer. Use a regional persistent disk for the database and attach it to the primary instance; use a startup script to mount the disk and start the application. Use rolling updates for patching by updating the instance template and performing a rolling replacement.
D. Deploy the application on a single Compute Engine instance in a single zone. Use snapshots for backup and a Cloud Load Balancer with a health check pointing to the instance.
Answer: C

Provides zonal resilience, regional disk for durability, and rolling updates for zero-downtime patching.

Why this answer

Option C provides zonal resilience via a managed instance group across zones, uses a regional persistent disk for durability (it can be attached to a new instance in case of failure), and rolling updates allow zero-downtime patching. Option A uses a shared persistent disk, which cannot be attached read-write to multiple instances. Option B requires containerization and Kubernetes expertise, which the company lacks. Option D runs in a single zone and so has no zonal resilience.

462
MCQ · medium

A team needs to give a third-party vendor read-only access to specific Cloud Storage objects for 48 hours. The vendor uses an AWS account (not a Google account). What is the most secure way to grant this temporary access?

A. Create a GCP service account for the vendor and share the JSON key file with 48-hour expiry
B. Generate a Signed URL for the specific objects with a 48-hour expiration
C. Use Workload Identity Federation with AWS as the identity provider for the vendor
D. Make the objects publicly readable and share the direct Cloud Storage URL
Answer: B

Signed URLs provide time-limited, cryptographically secured access to specific objects — no GCP account required. Access automatically expires after 48 hours.

Why this answer

Option B is correct because a Signed URL provides time-bound, read-only access to specific Cloud Storage objects without requiring the vendor to have a Google account. The URL embeds authentication information and expires after 48 hours, ensuring temporary access while maintaining security by not exposing broader permissions or credentials.

Exam trap

Google Cloud often tests the misconception that sharing a service account key file is acceptable for temporary access, but the trap here is that Signed URLs are the only option that combines time-bound, object-specific, and credential-free access for external users without a Google account.

How to eliminate wrong answers

Option A is wrong because sharing a GCP service account JSON key file violates the principle of least privilege and creates a long-lived credential that could be leaked or misused; even with a 48-hour expiry, the key file itself is a static secret that must be securely transmitted and stored. Option C is wrong because Workload Identity Federation is designed for workloads running in AWS to impersonate a GCP service account, but it requires the vendor to configure an AWS IAM role and trust relationship, which is overly complex for simple read-only object access and does not inherently limit access to 48 hours without additional token expiration controls. Option D is wrong because making objects publicly readable exposes them to anyone on the internet, not just the vendor, and provides no time-bound access control, violating security best practices.

463
Drag & Drop · medium

Arrange the steps to set up a Cloud Function triggered by a Cloud Storage bucket event.


Why this order

Bucket must exist; function must be deployed before triggering event.

464
MCQ · easy

A developer wants to see the details of a specific GKE Pod including its events, container status, and resource requests/limits. Which kubectl command provides this?

A. `kubectl get pod [POD_NAME] -o wide`
B. `kubectl describe pod [POD_NAME]`
C. `kubectl inspect pod [POD_NAME]`
D. `kubectl get pod [POD_NAME] -o json`
Answer: B

`kubectl describe pod` provides full Pod details: container state, resource requests/limits, QoS class, scheduling events, probes, volumes, and the events section showing recent cluster activity for the Pod.

Why this answer

B is correct because `kubectl describe pod` provides a comprehensive view of a pod, including its events (e.g., scheduling, pulling images), container status (e.g., waiting, running, terminated with reasons), and resource requests/limits (CPU and memory). This command aggregates detailed information from the Kubernetes API, making it the standard tool for debugging pod issues.

Exam trap

Google Cloud often tests the distinction between `get` and `describe`, where candidates mistakenly think `-o wide` or `-o json` provides the same event and status detail, but only `describe` automatically includes pod events and presents container status in a human-readable summary.

How to eliminate wrong answers

Option A is wrong because `kubectl get pod -o wide` only shows additional node and IP information, not events, container status details, or resource requests/limits. Option C is wrong because `kubectl inspect` is not a valid kubectl command; the correct verb for detailed inspection is `describe` or `get -o yaml/json`. Option D is wrong because `kubectl get pod -o json` outputs the raw JSON representation of the pod object, which includes resource requests/limits and container status but does not include pod events (which are a separate API resource) and is less human-readable than `describe`.

465
MCQ · easy

An organization with multiple Google Cloud projects wants to centralize network administration by having a single VPC network that hosts shared services and allows project teams to create their own resources in separate projects that can connect to the shared VPC. Which Google Cloud feature should they use?

A. Cloud VPN
B. VPC Service Controls
C. VPC Network Peering
D. Shared VPC
Answer: D

Shared VPC enables central administration of a VPC across multiple projects.

Why this answer

Option D is correct because Shared VPC allows an organization to create a VPC in a host project and attach service projects to it. Option C is wrong because VPC Network Peering connects whole VPCs, not individual projects. Option B is wrong because VPC Service Controls focuses on data exfiltration prevention. Option A is wrong because Cloud VPN is for connecting networks.

466
Drag & Drop · medium

Arrange the steps to create a Cloud SQL MySQL instance, configure a database, and connect using the Cloud SQL Proxy.


Why this order

Instance first, then database; proxy provides secure connectivity.

467
MCQ · medium

A startup's GCP project has a project ID of 'my-startup-prod' and a project number of '123456789012'. An API call requires the project number, not the project ID. How can the project number be retrieved quickly?

A. The project number is always the same as the last 12 digits of the project ID
B. Run `gcloud projects describe my-startup-prod` and look for the projectNumber field
C. Run `gcloud config get-value project-number`
D. The project number appears in the URL bar of the GCP Console — it's the number after /project/
Answer: B

`gcloud projects describe [PROJECT_ID]` outputs the project's metadata including `projectNumber`, `projectId`, `name`, and `lifecycleState`.

Why this answer

Option B is correct because the `gcloud projects describe` command retrieves detailed metadata about a GCP project, including the `projectNumber` field, which is a unique numeric identifier assigned by Google Cloud. This is the standard method to quickly obtain the project number when only the project ID is known, as the project number is not derivable from the project ID.

Exam trap

The trap here is that candidates confuse the project ID with the project number, assuming they are interchangeable or derivable from each other, and may incorrectly think a simple `gcloud config` command or URL inspection is sufficient.

How to eliminate wrong answers

Option A is wrong because the project number is not derived from the project ID; it is a separate, immutable numeric identifier assigned at project creation, and the project ID can be any string of letters, digits, and hyphens. Option C is wrong because `gcloud config get-value project-number` is not a valid command; the correct command to get the current project's number would involve `gcloud projects describe` or `gcloud config get-value project`, which returns the project ID, not the number. Option D is wrong because while the project number may appear in the GCP Console URL (e.g., as a query parameter or path segment), it is not consistently displayed in the URL bar for all pages, and relying on the URL is not a reliable or quick method compared to using the CLI.

468
MCQ · easy

A company's application currently runs on a single Compute Engine VM with a persistent disk. The application serves read-heavy traffic and the single VM is becoming a bottleneck. The application is stateless. Which change provides the most immediate horizontal scalability improvement?

A. Upgrade the existing VM to a larger machine type (vertical scaling).
B. Create a Managed Instance Group from the VM and configure autoscaling with a load balancer.
C. Add more persistent disks to the existing VM to handle more I/O.
D. Enable live migration on the existing VM so it can move between hosts.
Answer: B

A MIG with autoscaling adds VM instances on demand. A load balancer distributes incoming requests across all instances, providing true horizontal scalability.

Why this answer

Option B is correct because creating a Managed Instance Group (MIG) from the existing VM and configuring autoscaling with a load balancer directly addresses the read-heavy, stateless bottleneck by distributing traffic across multiple VM instances. This provides immediate horizontal scalability, as new instances are automatically provisioned or terminated based on load, without requiring any application changes.

Exam trap

The trap here is that candidates confuse vertical scaling (Option A) with horizontal scaling, or think that adding more disks (Option C) or enabling live migration (Option D) can solve a compute bottleneck, when only distributing the load across multiple instances (Option B) provides true horizontal scalability.

How to eliminate wrong answers

Option A is wrong because upgrading to a larger machine type (vertical scaling) increases the capacity of a single VM but does not eliminate the single point of failure or the bottleneck from a single instance; it also has an upper limit and does not provide horizontal scalability. Option C is wrong because adding more persistent disks to the existing VM increases I/O capacity but does not distribute the read traffic across multiple VMs, leaving the single VM as the bottleneck for CPU and network resources. Option D is wrong because enabling live migration allows the VM to move between hosts for maintenance without downtime, but it does not increase compute capacity or distribute traffic, so it offers no scalability improvement.

469
MCQ · medium

Your organization uses Cloud Storage for storing backups. You want to automatically delete backup objects that are older than 30 days to control costs. You also want objects between 7 and 30 days old to use Nearline storage class for lower cost. Which Cloud Storage feature manages both requirements in a single configuration?

A. Write a Cloud Function that runs daily, lists objects, and deletes or moves old ones.
B. Configure Object Lifecycle Management rules on the bucket with `SetStorageClass` and `Delete` actions.
C. Set a bucket-level retention policy of 30 days and manually change storage classes.
D. Use Cloud Scheduler to trigger `gsutil` commands that move and delete old objects.
Answer: B

OLM supports multiple rules per bucket. SetStorageClass at age 7 moves objects to Nearline; Delete at age 30 removes them. This is fully managed with no code required.

Why this answer

Option B is correct because Object Lifecycle Management rules in Cloud Storage allow you to define conditions (e.g., object age) and actions (e.g., SetStorageClass to Nearline, Delete) in a single configuration. This automates both the transition of objects aged 7–30 days to Nearline storage and the deletion of objects older than 30 days, without custom code or manual intervention.

Exam trap

Google Cloud often tests the misconception that custom code or external schedulers are required for automated object management, when in fact Cloud Storage's built-in lifecycle management can handle both storage class transitions and deletions in a single, cost-effective configuration.

How to eliminate wrong answers

Option A is wrong because a daily Cloud Function that lists, deletes or rewrites objects adds code to maintain, execution failures to handle and extra cost, for a result lifecycle rules produce natively. Option C is wrong because a retention policy does the opposite of what is asked: it blocks deletion or overwriting of objects younger than the retention period but never deletes anything, and changing storage classes by hand is not automation. Option D is wrong because Cloud Scheduler driving gsutil commands is a brittle, script-based approach that needs its own error handling, whereas lifecycle rules are a declarative feature built into the bucket.
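As an added example (not from the question bank and not Google's documentation), the following Python builds the two-rule lifecycle document described above in the file format accepted by `gsutil lifecycle set` and `gcloud storage buckets update --lifecycle-file`, and lints it against each storage class's minimum storage duration, so that a transition followed by an early delete is caught before the configuration is applied. The minimum-duration table and the rule ages are assumptions stated in the code.

```python
"""Build and lint a Cloud Storage lifecycle configuration.

Added example, not from the question bank. It produces the "Nearline at day
N, delete at day M" rule pair in the {"rule": [...]} file format and warns
when the gap between the two ages is shorter than the target class's minimum
storage duration, which is billed as an early-deletion charge.
"""
import json

# Minimum storage durations in days (assumed values for this example; check
# the current pricing page). Deleting or transitioning an object before this
# elapses is billed as if the object had stayed for the full period.
MIN_STORAGE_DAYS = {"STANDARD": 0, "NEARLINE": 30, "COLDLINE": 90, "ARCHIVE": 365}


def build_lifecycle(transition_age, delete_age, storage_class="NEARLINE"):
    """Return the lifecycle document: transition Standard objects at
    transition_age days, delete everything at delete_age days."""
    return {
        "rule": [
            {
                "action": {"type": "SetStorageClass", "storageClass": storage_class},
                # Only objects still in STANDARD are moved; already-moved ones are left alone.
                "condition": {"age": transition_age, "matchesStorageClass": ["STANDARD"]},
            },
            {"action": {"type": "Delete"}, "condition": {"age": delete_age}},
        ]
    }


def lint_lifecycle(config):
    """Return warnings for rule pairs that never fire or that trigger
    early-deletion billing. An empty list means the pair is clean."""
    warnings = []
    rules = config["rule"]
    transitions = [
        (r["condition"].get("age"), r["action"]["storageClass"])
        for r in rules
        if r["action"]["type"] == "SetStorageClass"
    ]
    deletes = [r["condition"].get("age") for r in rules if r["action"]["type"] == "Delete"]
    for t_age, cls in transitions:
        min_days = MIN_STORAGE_DAYS[cls]
        for d_age in deletes:
            if t_age is None or d_age is None:
                continue  # age-less rules (e.g. keyed on version count) are not compared
            residency = d_age - t_age
            if residency <= 0:
                warnings.append(
                    f"Delete at age {d_age} precedes SetStorageClass({cls}) at age {t_age}; "
                    "the transition never fires"
                )
            elif residency < min_days:
                warnings.append(
                    f"objects spend {residency} days in {cls}, below its {min_days}-day minimum; "
                    f"early deletion is billed for the remaining {min_days - residency} days"
                )
    return warnings


def render(config):
    """Serialize the document for lifecycle.json."""
    return json.dumps(config, indent=2)


if __name__ == "__main__":
    cfg = build_lifecycle(7, 30)
    print(render(cfg))
    for w in lint_lifecycle(cfg):
        print("WARNING:", w)
```

Write the output to `lifecycle.json` and apply it with `gcloud storage buckets update gs://BUCKET --lifecycle-file=lifecycle.json`. For the 7/30 pair in the question the linter reports the 23 days of Nearline residency; moving the delete to day 37, or transitioning at day 0, clears the warning.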

470
MCQeasy

You are designing an application that needs to process exactly once each message published to a topic, even if the consumer fails partway through and restarts. Which GCP service provides built-in exactly-once processing semantics with Pub/Sub?

A.Cloud Functions subscribed to the Pub/Sub topic with idempotent logic.
B.Dataflow with Pub/Sub as the source using the Beam SDK.
C.BigQuery Subscriptions connected directly to the Pub/Sub topic.
D.Cloud Run with a Pub/Sub push subscription and database deduplication table.
AnswerB

Dataflow's Pub/Sub source provides exactly-once processing inside the pipeline by checkpointing pipeline state and deduplicating on Pub/Sub message IDs (or on a message attribute you designate as the ID).

Why this answer

Dataflow with Pub/Sub as the source using the Beam SDK provides built-in exactly-once processing semantics because the runner checkpoints pipeline state and the Pub/Sub source deduplicates on each message's ID (or on a message attribute you designate as the ID). If a worker fails and the message is redelivered, the duplicate is dropped inside the pipeline, so each message affects the pipeline's state once. The guarantee covers processing within the pipeline; a sink that is neither idempotent nor transactional can still receive the same output twice.

Exam trap

Google Cloud often tests the misconception that Pub/Sub itself gives you exactly-once processing. Pub/Sub's default delivery is at-least-once (it also offers an exactly-once delivery mode for pull subscriptions, but that only stops redelivery of messages that were already acknowledged; a consumer that crashes before acking is still redelivered). End-to-end exactly-once processing has to come from the consumer, and among the options given only Dataflow provides it built in.

How to eliminate wrong answers

Option A is wrong because Cloud Functions subscribed to Pub/Sub with idempotent logic relies on the developer to implement idempotency manually; Cloud Functions itself does not provide built-in exactly-once semantics, and Pub/Sub delivery is at-least-once by default. Option C is wrong because BigQuery Subscriptions deliver messages in near-real-time but do not guarantee exactly-once processing; they use at-least-once delivery and deduplication is handled by BigQuery's best-effort mechanisms, not by the subscription itself. Option D is wrong because Cloud Run with a Pub/Sub push subscription and a database deduplication table requires custom application logic to handle deduplication; Pub/Sub push subscriptions deliver messages at-least-once, and Cloud Run does not provide built-in exactly-once processing.
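The idempotent-consumer logic that Options A and D leave to the developer, as an added example (not from the question bank): it does not call the Pub/Sub API. `SimulatedSubscription` is a constructed stand-in that returns every message not yet acknowledged, which is the at-least-once behaviour of a real pull subscription. A consumer that applies its side effect and then crashes before acking is run twice, once without and once with a deduplication record keyed on the Pub/Sub message ID; the message IDs and amounts are constructed input.

```python
"""At-least-once redelivery versus an idempotent consumer.

Added example, not from the question bank. Pub/Sub redelivers any message
that is not acknowledged before its ack deadline, so a consumer that crashes
after its side effect but before the ack sees the message again. Recording
the message ID before acting turns the redelivery into a no-op.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Message:
    """Minimal stand-in for a Pub/Sub message; message_id is assigned by the
    service and stays the same on every redelivery."""
    message_id: str
    data: str


@dataclass
class SimulatedSubscription:
    """Constructed stand-in for a pull subscription: every pull returns the
    messages that have not been acknowledged yet (at-least-once delivery)."""
    pending: list
    acked: set = field(default_factory=set)

    def pull(self):
        return [m for m in self.pending if m.message_id not in self.acked]

    def ack(self, message_id):
        self.acked.add(message_id)


class NaiveConsumer:
    """Applies the side effect, then acks. A crash in between replays the effect."""

    def __init__(self):
        self.balance = 0

    def handle(self, msg, sub, crash_before_ack=False):
        self.balance += int(msg.data)  # side effect first
        if crash_before_ack:
            return  # process died: the ack never reaches Pub/Sub
        sub.ack(msg.message_id)


class IdempotentConsumer:
    """Records the message ID before acting; a redelivery is acked without
    re-applying the effect. In production the dedup write and the side effect
    must commit in one transaction (Cloud SQL, Firestore) so a crash between
    them cannot leave the ID recorded but the effect missing."""

    def __init__(self):
        self.balance = 0
        self.seen = set()  # the deduplication table, keyed on message_id

    def handle(self, msg, sub, crash_before_ack=False):
        if msg.message_id in self.seen:
            sub.ack(msg.message_id)  # duplicate: acknowledge, do not re-apply
            return
        self.seen.add(msg.message_id)
        self.balance += int(msg.data)
        if crash_before_ack:
            return
        sub.ack(msg.message_id)


def run(consumer_cls, crash_on_first=True):
    """Deliver two credits, optionally crash before acking the first one, let
    the subscription redeliver it, and return the resulting balance."""
    sub = SimulatedSubscription(pending=[Message("m1", "100"), Message("m2", "50")])
    consumer = consumer_cls()
    first, second = sub.pull()
    consumer.handle(first, sub, crash_before_ack=crash_on_first)
    consumer.handle(second, sub)
    for msg in sub.pull():  # only m1 comes back; m2 was acked
        consumer.handle(msg, sub)
    return consumer.balance


if __name__ == "__main__":
    print("naive balance:", run(NaiveConsumer))          # credits 100 twice
    print("idempotent balance:", run(IdempotentConsumer))  # credits 100 once
```

The naive consumer ends at 250 because the crashed delivery of `m1` is replayed; the idempotent one ends at 150. Pub/Sub's exactly-once delivery option does not change this picture for a crash before the ack, which is why Dataflow's message-ID deduplication, or a dedup table like `seen` held in a shared durable store, is what actually delivers exactly-once effects.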

471
MCQmedium

You need to allow a third-party auditing company to view all resources and IAM policies across your GCP organization without being able to modify anything. Which role should you grant, and at which level?

A.Grant `roles/viewer` on each individual project the auditor needs to access.
B.Grant `roles/iam.securityReviewer` at the organization level.
C.Grant `roles/owner` at the organization level with a time-limited condition.
D.Create a custom role with only `*.get` and `*.list` permissions and grant it at the org level.
AnswerB

Security Reviewer at the org level grants `getIamPolicy` and read access to security-relevant resources across all projects, purpose-built for audit use cases.

Why this answer

Option B is correct because `roles/iam.securityReviewer` granted at the organization level is inherited by every folder and project beneath it and gives read-only access to IAM policies and to the security-relevant configuration of resources, which is exactly what a third-party auditor needs. It carries permissions such as `resourcemanager.organizations.getIamPolicy`, `resourcemanager.projects.getIamPolicy` and `iam.roles.get`, and nothing that modifies a policy or resource. Two practitioner notes: grant the role to a group or to a federated identity from the auditor's own identity provider rather than to individual accounts, and consider an IAM condition that expires the binding at the end of the engagement, since the role itself has no time limit.

Exam trap

The trap here is that candidates pick `roles/viewer` (Option A) because it is read-only, but it is a broad basic role that has to be granted project by project, gives the auditor no view of policies set at the folder or organization level, and is not scoped to security configuration; `roles/iam.securityReviewer` is the role built for this review.

How to eliminate wrong answers

Option A is wrong because granting `roles/viewer` project by project is incomplete for an organization-wide audit: it shows nothing about folder- or organization-level IAM policies, it has to be repeated for every project (including ones created later), and it exposes far more than security configuration. Option C is wrong because `roles/owner` grants full administrative control, including the ability to change resources and IAM policies, which violates the 'view only' requirement; a time-limited condition shortens the exposure but does not remove the modify permissions. Option D is wrong because custom roles take an explicit list of permissions, not `*.get`/`*.list` wildcards, and hand-assembling that list for every service is error-prone in both directions: missing permissions break the audit, and a blanket set of `get` permissions would include `storage.objects.get`, which reads the contents of every bucket. `roles/iam.securityReviewer` already provides the curated read-only set.

472
MCQmedium

A Cloud SQL production instance experiences a spike in connections during business hours, causing 'too many connections' errors. The application uses 50 microservices each maintaining 10 connections. What is the recommended solution to reduce connection count without rewriting the application?

A.Increase the Cloud SQL instance's max_connections database flag to 10,000
B.Deploy a connection pooler (e.g., PgBouncer) between the microservices and Cloud SQL
C.Enable Cloud SQL HA — the standby will handle the connection overflow
D.Add a read replica — microservices can connect to the replica instead of the primary
AnswerB

PgBouncer multiplexes thousands of application connections through a small pool of database connections, dramatically reducing the actual connections Cloud SQL handles.

Why this answer

Option B is correct because a connection pooler such as PgBouncer sitting between the microservices and Cloud SQL multiplexes many application connections onto a much smaller number of real database connections: the 50 services × 10 connections = 500 client connections can be served by a pool of a few dozen server connections. No application code changes are needed; the services point at the pooler's address instead of the instance's, and the pooler reuses idle server connections. Two practical notes: the Cloud SQL Auth Proxy is not a pooler (it tunnels and authenticates connections, so each client connection still reaches the instance), and PgBouncer's transaction pooling mode, which gives the largest reduction, does not carry session-scoped state such as session-level `SET`, advisory locks or `LISTEN`/`NOTIFY` across transactions, so check the services for those before choosing it. For Cloud SQL for MySQL the equivalent component is ProxySQL.

Exam trap

Google Cloud often tests the misconception that increasing a resource limit (like max_connections) is a valid solution to connection overload, when in fact it masks the problem and can cause resource exhaustion, whereas connection pooling is the correct architectural fix.

How to eliminate wrong answers

Option A is wrong because increasing max_connections to 10,000 does not reduce the number of connections; it merely raises the limit, which can lead to memory exhaustion and degraded performance on the Cloud SQL instance, as each connection consumes memory and CPU overhead. Option C is wrong because Cloud SQL HA (high availability) uses a standby instance that does not accept connections for read/write traffic; it only takes over during failover and does not help with connection overflow during normal operations. Option D is wrong because adding a read replica does not reduce the connection count on the primary instance; microservices would still need to connect to the primary for writes, and read replicas have their own connection limits, so the underlying issue of too many connections is not addressed.

473
MCQhard

An organization requires that all Compute Engine instances be created with a specific service account that has minimal permissions. They also want to prevent users from creating instances with a different service account. Which IAM policy should they implement?

A.Organization policy with constraint compute.disableUserServiceAccountCreation
B.IAM condition that restricts instances to only use the authorized service account
C.Custom role with permission compute.instances.setServiceAccount only for authorized users
D.Organization policy with constraint compute.setServiceAccount
AnswerD

This constraint restricts the set of service accounts that can be used when creating instances.

Why this answer

The organization policy constraint `compute.setServiceAccount` is the answer the question is looking for: as a list constraint with allowed values, it lets administrators restrict which service accounts can be attached to Compute Engine instances across the whole resource hierarchy, so users cannot launch an instance with any other service account. Verify the exact constraint name against the current list of predefined constraints before depending on it. The check that always applies, with or without a constraint, is the `iam.serviceAccounts.actAs` permission: a user can attach a service account to a VM only if they hold `roles/iam.serviceAccountUser` (or another role containing `actAs`) on that specific service account, so granting `serviceAccountUser` only on the approved account, and never at project level, enforces the same rule at the IAM layer.

Exam trap

The trap here is that candidates confuse the organization policy constraint `compute.setServiceAccount` with the IAM permission `compute.instances.setServiceAccount`, thinking that restricting the permission is sufficient, when in fact the organization policy is required to block creation with unauthorized service accounts at the resource hierarchy level.

How to eliminate wrong answers

Option A is wrong because `compute.disableUserServiceAccountCreation` is not a valid organization policy constraint; the similarly named real constraint is `iam.disableServiceAccountCreation`, which blocks creating service accounts, not attaching one to an instance. Option B is wrong because IAM conditions attach to individual bindings and evaluate attributes such as resource name or request time; they cannot express 'instances may only use service account X' as an organization-wide rule and would have to be repeated on every binding. Option C is wrong because a custom role with `compute.instances.setServiceAccount` governs who may change the service account of an existing instance; it does not constrain which account is attached at creation, and the permission that actually gates attachment is `iam.serviceAccounts.actAs` on the service account, not a Compute Engine permission.

474
MCQmedium

Your GKE cluster nodes are running an older kernel version with a known vulnerability. You need to update all nodes to use the latest node image with the patched kernel without any downtime. The cluster has a Surge Upgrade configuration of `max-surge: 1, max-unavailable: 0`. What happens during the node upgrade?

A.GKE terminates all nodes simultaneously and creates new ones — brief downtime occurs.
B.GKE provisions one new node, drains one old node, deletes it, and repeats — zero downtime.
C.GKE upgrades nodes in-place by applying a kernel patch without rescheduling pods.
D.Two nodes are upgraded simultaneously (one being the surge node and one old node going offline).
AnswerB

max-surge: 1 provisions one extra node. max-unavailable: 0 ensures old nodes are drained (pods rescheduled) before removal. The process repeats node by node with no pod disruption.

Why this answer

Option B is correct because the surge upgrade configuration `max-surge: 1, max-unavailable: 0` makes GKE create one new node (the surge node) on the patched image before it cordons and drains an old node, deletes it, and repeats until the whole node pool is replaced. Serving capacity never drops below the pool's size. Note that the Pods on the drained node are still evicted and rescheduled, so zero downtime at the application level also requires more than one replica per workload and a PodDisruptionBudget; a single-replica Deployment experiences a restart during the drain.

Exam trap

Google Cloud often tests the misconception that `max-surge` and `max-unavailable` control the number of nodes upgraded simultaneously, when in fact `max-surge` controls the extra nodes provisioned and `max-unavailable` controls how many nodes can be unavailable at any time, and candidates confuse this with parallel upgrades.

How to eliminate wrong answers

Option A is wrong because GKE does not terminate all nodes simultaneously; the surge configuration explicitly prevents that by keeping one extra node available during the upgrade. Option C is wrong because GKE does not perform in-place kernel patching on running nodes; it replaces nodes with new images via node pool upgrades. Option D is wrong because the surge upgrade does not take two nodes offline at once; only one old node is drained at a time while the surge node handles the workload, and `max-unavailable: 0` means no old node goes offline before the new one is ready.

475
MCQhard

A company has an e-commerce application deployed on Compute Engine instances in a managed instance group (MIG) behind an external HTTP load balancer. The application stores session data in an in-memory cache on each instance. Recently, the team noticed that users are being logged out unexpectedly and losing their shopping cart contents. The MIG is configured with autoscaling based on CPU utilization. The team suspects the issue is related to session persistence. They have considered the following options: A) Switch to an internal TCP/UDP load balancer with session affinity; B) Enable sticky sessions (session affinity) on the existing load balancer; C) Move session storage to a centralized service like Memorystore; D) Increase the instance size and disable autoscaling. Which solution permanently resolves the issue while maintaining scalability and fault tolerance?

A.Switch to an internal TCP/UDP load balancer with session affinity
B.Increase the instance size and disable autoscaling
C.Enable sticky sessions (session affinity) on the existing load balancer
D.Move session storage to a centralized service like Memorystore
AnswerD

Centralized session storage decouples sessions from instances, ensuring persistence across scaling and failures.

Why this answer

Option D is correct because storing session data in a centralized service like Memorystore (Redis) decouples session state from individual Compute Engine instances. This ensures that any instance in the managed instance group can serve any user request without losing session data, even as the MIG autoscales up or down. This approach permanently resolves the issue while maintaining scalability and fault tolerance, as Memorystore provides a highly available, in-memory data store that persists across instance lifecycle events.

Exam trap

The trap here is that candidates often think sticky sessions (session affinity) alone will fix session persistence, but they overlook that autoscaling and instance failures still cause data loss when sessions are stored locally—only a centralized external store like Memorystore provides true persistence and fault tolerance.

How to eliminate wrong answers

Option A is wrong because switching to an internal TCP/UDP load balancer would make the application inaccessible from the internet (external users), and session affinity alone does not solve the problem when instances are terminated or added by autoscaling—the session data is still lost if the instance goes down. Option B is wrong because increasing instance size and disabling autoscaling removes scalability and fault tolerance, and does not address the root cause: session data stored in local memory is lost on instance restart or termination. Option C is wrong because enabling sticky sessions (session affinity) on the existing load balancer only pins a user to a specific instance, but if that instance is terminated during autoscaling (scale-in) or fails, the session data is still lost; it does not provide a durable, shared session store.

476
MCQmedium

A startup builds a serverless REST API using Cloud Functions (2nd gen). Each function invocation runs for 200ms on average, processes 5 million requests per day, and uses 256 MB memory. Approximately how should they estimate monthly Cloud Functions costs?

A.Approximately $0 — all invocations fall within the free tier
B.Estimate based on invocation count, compute time (memory × duration), and networking costs beyond the free tier
C.Approximately the same as a continuously-running e2-medium VM — Cloud Functions and VMs are priced equivalently
D.Fixed monthly rate based on the number of deployed functions, not invocation count
AnswerB

Cloud Functions billing uses three dimensions: invocations, compute time (measured in GB-seconds), and outbound network traffic — all calculated above the monthly free tier.

Why this answer

Option B is correct because Cloud Functions (2nd gen) pricing has three usage components: invocation count, compute time and network egress, each charged above a monthly free allowance. With 5 million requests per day at 200 ms each and 256 MB memory, the memory-time is about 5,000,000 × 0.2 s × (256/1024) GB = 250,000 GB-seconds per day, or 7.5 million GB-seconds per month, and the 150 million invocations per month are far above the 2 million free invocations, so costs accrue on both dimensions, plus egress beyond the free allowance. Two details matter for a real estimate: 2nd gen functions run on Cloud Run's billing model, which meters memory (GB-seconds) and CPU (vCPU-seconds) separately, and minimum instances, if configured, are billed while idle.

Exam trap

The trap here is that candidates assume the free tier covers all usage because they underestimate the cumulative effect of high invocation counts and compute time, or they mistakenly think Cloud Functions pricing is similar to VM pricing or a flat per-function fee.

How to eliminate wrong answers

Option A is wrong because the free tier covers only 2 million invocations and a few hundred thousand GB-seconds of compute per month (400,000 GB-seconds in the 1st gen tier; 2nd gen follows Cloud Run's free tier, which is smaller and meters CPU separately); 150 million invocations and 7.5 million GB-seconds are well past either, so the cost is not approximately $0. Option C is wrong because Cloud Functions and VMs are not priced equivalently: Cloud Functions uses a pay-per-use model based on invocations, compute time and networking, while an e2-medium VM is billed for every second it runs regardless of load; the two models are fundamentally different and only coincide by accident at a particular request rate. Option D is wrong because Cloud Functions pricing is based on actual usage, not a fixed monthly rate per deployed function; there is no per-function flat fee.

477
MCQmedium

A GKE Deployment must be updated to a new container image version with zero downtime — old Pods should be replaced gradually, not all at once. Which update strategy should be configured?

A.Recreate strategy
B.Blue-green deployment using a separate Deployment and Service selector swap
C.RollingUpdate strategy
D.Canary deployment with a traffic-splitting ingress
AnswerC

RollingUpdate is the default Kubernetes Deployment strategy — it replaces old Pods progressively, ensuring the service remains available throughout the update.

Why this answer

The RollingUpdate strategy is correct because it gradually replaces old Pods with new ones while keeping the Deployment available, ensuring zero downtime. By default, it uses a `maxSurge` of 25% and `maxUnavailable` of 25%, allowing a controlled, incremental rollout that matches the requirement of replacing Pods gradually rather than all at once.

Exam trap

Google Cloud often tests the distinction between Deployment update strategies (Recreate vs. RollingUpdate) and higher-level deployment patterns (blue-green, canary), leading candidates to choose a pattern that is not a native Deployment strategy.

How to eliminate wrong answers

Option A is wrong because the Recreate strategy terminates all existing Pods before creating new ones, causing downtime during the transition. Option B is wrong because a blue-green deployment with a Service selector swap is a valid zero-downtime approach, but it requires a separate Deployment and manual or automated traffic switch, not a single Deployment update strategy as specified in the question. Option D is wrong because a Canary deployment with a traffic-splitting ingress is a more advanced pattern that typically uses an Ingress controller (e.g., with weighted routing) to gradually shift traffic, but it is not a native Deployment update strategy in GKE; the question asks for a strategy configured on the Deployment itself.
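The arithmetic behind both this question's RollingUpdate and Question 474's node-pool surge upgrade, as an added example (not from the question bank and not Kubernetes code): a simulator of one rolling replacement under `maxSurge` and `maxUnavailable`. It assumes a new member is ready by the end of the round in which it is created and ignores Pod-level readiness probes; the rounding rules (surge rounds up, unavailable rounds down, both cannot be zero) are the Deployment controller's.

```python
"""Model a rolling replacement under maxSurge / maxUnavailable.

Added example, not from the question bank. Each round first creates new
members up to the surge budget, then removes old members while keeping at
least desired - maxUnavailable ready. The same arithmetic governs a GKE node
pool surge upgrade (max-surge-upgrade / max-unavailable-upgrade) and a
Deployment's RollingUpdate strategy.
"""
from math import ceil, floor


def resolve(value, desired):
    """Turn an int or a percentage string such as '25%' into an unrounded count."""
    if isinstance(value, str) and value.endswith("%"):
        return int(value[:-1]) * desired / 100
    return float(value)


def simulate_rollout(desired, max_surge, max_unavailable):
    """Return {"rounds", "min_ready", "peak_total"} for replacing `desired`
    members: rounds taken, the lowest ready count observed after any removal,
    and the highest total member count observed after any creation."""
    surge = ceil(resolve(max_surge, desired))          # controller rounds surge up
    unavailable = floor(resolve(max_unavailable, desired))  # and unavailable down
    if surge == 0 and unavailable == 0:
        raise ValueError("maxSurge and maxUnavailable cannot both be 0")

    old, new = desired, 0
    rounds, min_ready, peak_total = 0, desired, desired
    while old > 0 or new < desired:
        rounds += 1
        # Create new members up to the surge cap, but never more than desired in total.
        create = min(desired + surge - (old + new), desired - new)
        new += create
        peak_total = max(peak_total, old + new)
        # Remove old members, keeping at least desired - unavailable ready.
        remove = min(old, (old + new) - (desired - unavailable))
        old -= remove
        min_ready = min(min_ready, old + new)
    return {"rounds": rounds, "min_ready": min_ready, "peak_total": peak_total}


if __name__ == "__main__":
    print("node pool 3, surge 1 / unavailable 0:", simulate_rollout(3, 1, 0))
    print("node pool 3, surge 0 / unavailable 1:", simulate_rollout(3, 0, 1))
    print("Deployment 10 replicas, 25%/25% defaults:", simulate_rollout(10, "25%", "25%"))
```

With `max-surge 1, max-unavailable 0` on a three-node pool the ready count never drops below 3 and the pool briefly has 4 nodes; with `0 / 1` it dips to 2 and no extra node is ever billed. The Deployment defaults on 10 replicas keep at least 8 ready and at most 13 running, which is the trade-off the controller makes between rollout speed, spare capacity and cost. The node-pool settings are set with `gcloud container node-pools update POOL --cluster CLUSTER --max-surge-upgrade 1 --max-unavailable-upgrade 0`; in both cases the workload still needs more than one replica and a PodDisruptionBudget for the evictions on a drained node to be invisible to users.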

478
MCQeasy

You need to verify that a Compute Engine VM in `us-central1` can reach an on-premises server at IP `10.1.2.3` over a Cloud VPN connection. The VPN tunnel appears UP but you're unsure if routing is correct. Which GCP tool can test this connectivity?

A.SSH into the VM and run `ping 10.1.2.3` to test connectivity.
B.Use Network Intelligence Center Connectivity Tests to analyze the path from the VM to the on-premises IP.
C.Review Cloud VPN tunnel metrics in Cloud Monitoring for packet loss.
D.Run `gcloud compute routes list` to verify the route to 10.1.2.3 exists.
AnswerB

Connectivity Tests simulate the network path, checking all routing tables, firewall rules, and VPN configurations. It identifies exactly where and why connectivity is blocked without requiring actual test traffic.

Why this answer

B is correct because Network Intelligence Center Connectivity Tests can analyze the path from a specific source (the Compute Engine VM) to a destination (the on-premises server IP 10.1.2.3) across hybrid connectivity such as Cloud VPN. It evaluates the VPC's routes, firewall rules and tunnel state without requiring you to SSH into the VM or send live traffic, which makes it the right tool when the tunnel is UP but connectivity is uncertain. One limit to keep in mind: the analysis covers the Google Cloud side of the path (VPC routes including those learned over BGP, firewall rules, the tunnel); it cannot inspect the on-premises network, so a missing return route on the on-premises router still has to be checked there.

Exam trap

The trap here is that candidates assume a live ping from the VM (Option A) is the simplest test, but the question specifically asks for a tool to verify if routing is correct, not just connectivity — and Connectivity Tests provides a detailed path analysis without requiring VM access or generating live traffic.

How to eliminate wrong answers

Option A is wrong because a ping from the VM tests live connectivity but does not isolate the cause of a failure: a missing route, a firewall rule, asymmetric routing or a dropped ICMP packet on the on-premises side all look the same, and you may not have SSH access to the VM at all. Option C is wrong because Cloud Monitoring tunnel metrics (packet loss, throughput, tunnel status) describe the tunnel's health but cannot analyze the path from this VM to this destination or reveal a routing misconfiguration. Option D is wrong because `gcloud compute routes list` only shows the routes present in the VPC, not whether the VM's traffic to 10.1.2.3 actually matches one, whether a firewall rule blocks it, or whether the on-premises network has a return route; it is a configuration listing, not an end-to-end check.

479
MCQmedium

A developer attempts to create a Cloud SQL instance but receives the error: 'API [sqladmin.googleapis.com] not enabled.' What is the correct resolution?

A.Assign the developer the Cloud SQL Admin IAM role
B.Request a quota increase for Cloud SQL in the project
C.Enable the Cloud SQL Admin API via APIs & Services > Library in the Console
D.Create a new project — Cloud SQL is enabled by default in new projects
AnswerC

Navigating to APIs & Services > Library and enabling the Cloud SQL Admin API resolves this error. It can also be done with `gcloud services enable sqladmin.googleapis.com`.

Why this answer

The error 'API [sqladmin.googleapis.com] not enabled' indicates that the Cloud SQL Admin API has not been activated for the project. The correct resolution is to enable the API via APIs & Services > Library in the Google Cloud Console, as this is a prerequisite for creating any Cloud SQL instance. Assigning IAM roles or requesting quota increases does not enable the underlying API service.

Exam trap

Google Cloud often tests the distinction between enabling an API and assigning IAM roles, trapping candidates who think granting permissions automatically activates the underlying service.

How to eliminate wrong answers

Option A is wrong because assigning the Cloud SQL Admin IAM role grants permissions to use the API but does not enable the API itself; the API must be enabled at the project level first. Option B is wrong because a quota increase addresses resource limits, not the activation of the API service; the API must be enabled before any quota can be consumed. Option D is wrong because Cloud SQL is not enabled by default in new projects; each project requires explicit API enablement, and creating a new project would still require enabling the Cloud SQL Admin API.

480
Matchingmedium

Match each Cloud Storage storage class to its typical use case.

Standard: Frequently accessed data

Nearline: Data accessed less than once a month

Coldline: Data accessed less than once a quarter

Archive: Data accessed less than once a year

Autoclass: Automatically transitions objects to optimal class

Why these pairings

Storage classes balance cost and availability based on access frequency: storage price falls and retrieval price rises from Standard to Archive, and each colder class carries a minimum storage duration (30 days for Nearline, 90 for Coldline, 365 for Archive) that is billed even if the object is deleted or transitioned earlier. Autoclass is a bucket setting rather than a class of its own: it moves objects between these classes according to observed access, with no lifecycle rules and no retrieval or early-deletion charges.

481
MCQmedium

Refer to the exhibit. A team has this IAM policy on a Cloud Storage bucket. The bucket contains sensitive data. Which action should the team take immediately?

A.Add a condition to the objectViewer binding to restrict access.
B.Remove allUsers from the objectViewer binding.
C.Remove the entire objectViewer binding.
D.Change the objectViewer role to objectAdmin for allUsers.
AnswerB

Removes public access while keeping the binding for non-public roles.

Why this answer

Option B is correct because the IAM policy grants `allUsers` (anyone on the internet) the `objectViewer` role on the bucket, which allows unauthenticated read access to all objects. Since the bucket contains sensitive data, this is a critical security exposure that must be removed immediately by deleting the `allUsers` principal from the binding.

Exam trap

Google Cloud often tests the misconception that adding conditions or changing roles can mitigate a public access exposure, when the correct immediate action is to remove the `allUsers` or `allAuthenticatedUsers` principal entirely.

How to eliminate wrong answers

Option A is wrong because adding a condition to the `objectViewer` binding does not address the core issue: `allUsers` still has public access. Conditions restrict access based on attributes (for example request time or resource name), but the binding remains a grant to everyone on the internet. Option C is wrong because removing the entire `objectViewer` binding would also remove the legitimate, authenticated members who need read access, which is overly destructive and not the immediate required action. Once `allUsers` is gone, enforce public access prevention on the bucket, or the `storage.publicAccessPrevention` organization policy constraint at folder or organization level, so that `allUsers` and `allAuthenticatedUsers` cannot be granted again.

Option D is wrong because changing the role to `objectAdmin` for `allUsers` would escalate privileges, granting public users write and delete permissions on objects, making the security risk even worse.
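As an added example (not from the question bank and not Google tooling), the Python below walks a bucket IAM policy in the shape `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` returns: it lists every binding granted to `allUsers` or `allAuthenticatedUsers`, produces the corrected policy that keeps the other members of the `objectViewer` binding (the distinction between Options B and C), and, for the audit scenario of Question 471, reports principals outside the organization's domain that hold anything beyond a read-only role. `SAMPLE_POLICY`, the domain `example.com` and the `READ_ONLY_ROLES` list are constructed for this example.

```python
"""Find and strip public principals from a bucket IAM policy; flag external write grants.

Added example, not from the question bank. The policy format matches what
`gcloud storage buckets get-iam-policy --format=json` returns; the sample
policy and role list below are constructed for the example.
"""
import copy
import json

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Roles an outside reviewer may hold (assumed list). Any other role on a
# principal outside the organization's domain is reported.
READ_ONLY_ROLES = {"roles/iam.securityReviewer", "roles/viewer", "roles/storage.objectViewer"}

# Constructed policy: a public objectViewer grant next to legitimate members,
# and an external consultant holding objectAdmin.
SAMPLE_POLICY = {
    "bindings": [
        {
            "role": "roles/storage.objectViewer",
            "members": ["allUsers", "group:data-readers@example.com"],
        },
        {
            "role": "roles/storage.objectAdmin",
            "members": [
                "serviceAccount:etl@example-prj.iam.gserviceaccount.com",
                "user:consultant@auditor.example",
            ],
        },
    ],
    "etag": "BwXexample",
}


def public_bindings(policy):
    """(role, member) pairs that grant access to everyone on the internet."""
    return [
        (b["role"], m)
        for b in policy.get("bindings", [])
        for m in b.get("members", [])
        if m in PUBLIC_PRINCIPALS
    ]


def remove_public_members(policy):
    """Copy of the policy with public principals dropped from every binding.

    Other members of a binding are kept, and a binding is removed only if no
    members are left. The etag is carried over so that set-iam-policy fails
    instead of silently overwriting a policy changed in the meantime."""
    fixed = copy.deepcopy(policy)
    kept = []
    for binding in fixed.get("bindings", []):
        binding["members"] = [m for m in binding.get("members", []) if m not in PUBLIC_PRINCIPALS]
        if binding["members"]:
            kept.append(binding)
    fixed["bindings"] = kept
    return fixed


def external_write_grants(policy, org_domain):
    """Principals outside org_domain that hold a role not in READ_ONLY_ROLES.

    Service accounts are treated as internal here; a stricter check would
    compare their project against an allow list."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding["role"] in READ_ONLY_ROLES:
            continue
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                continue  # already reported by public_bindings
            identity = member.split(":", 1)[-1]
            if identity.endswith(".gserviceaccount.com") or identity.endswith("@" + org_domain):
                continue
            findings.append((binding["role"], member))
    return findings


def to_json(policy):
    """Serialize for `gcloud storage buckets set-iam-policy gs://BUCKET policy.json`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print("public grants:", public_bindings(SAMPLE_POLICY))
    print("external write grants:", external_write_grants(SAMPLE_POLICY, "example.com"))
    print(to_json(remove_public_members(SAMPLE_POLICY)))
```

Write the corrected policy to a file and apply it with `gcloud storage buckets set-iam-policy gs://BUCKET policy.json`; because the etag is carried over, the write is rejected if the policy changed between read and write. The external-grant check is the kind of assertion an auditor's `roles/iam.securityReviewer` grant should itself pass: the consultant in the sample holds `objectAdmin`, which is a finding, whereas `securityReviewer` or `viewer` would not be.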

482
MCQhard

A company uses Cloud Build to deploy a containerized application to a GKE cluster. The build process runs kubectl commands to apply Kubernetes manifests. The build fails with a 'Permission denied' error when executing kubectl. The Cloud Build service account has been granted roles/container.clusterAdmin and roles/cloudbuild.builds.builder. What is the most likely missing configuration?

A.Grant the Cloud Build service account roles/iam.serviceAccountTokenCreator
B.Add the Cloud Build service account to the GKE cluster's RBAC
C.Use a different Cloud Build trigger
D.Enable the Kubernetes Engine API
AnswerB

The service account must be authorized inside the cluster, through a GKE IAM role that covers Kubernetes API objects (such as roles/container.developer) or through a Kubernetes RBAC binding; cluster-lifecycle permissions alone do not grant that.

Why this answer

roles/container.clusterAdmin covers the cluster lifecycle (creating, updating and deleting clusters and node pools), not the objects inside the cluster, and roles/cloudbuild.builds.builder only covers Cloud Build itself. Authorization for kubectl operations on Deployments, Services and other Kubernetes objects comes either from an IAM role that GKE maps into the cluster, such as roles/container.developer (or roles/container.admin), or from a Kubernetes RBAC RoleBinding or ClusterRoleBinding whose subject is the Cloud Build service account's e-mail address. Without one of those, the account authenticates to the API server but every request is rejected as Forbidden, which is what the build reports as 'Permission denied'. Prefer a namespaced Role over cluster-admin: a build pipeline rarely needs more than the namespace it deploys to.

Exam trap

Google Cloud often tests the distinction between IAM roles (which control access to GCP APIs) and Kubernetes RBAC (which controls access within the cluster), causing candidates to mistakenly think that granting container.clusterAdmin alone is sufficient for kubectl operations.

How to eliminate wrong answers

Option A is wrong because roles/iam.serviceAccountTokenCreator allows generating OAuth2 access tokens for service accounts, which is unrelated to Kubernetes RBAC permissions needed for kubectl commands. Option C is wrong because the trigger type (e.g., push, pull request) does not affect the service account's permissions within the GKE cluster; the error is authorization-based, not trigger-related. Option D is wrong because the Kubernetes Engine API must already be enabled for the GKE cluster to exist and for Cloud Build to interact with it; the error occurs at the kubectl execution step, not at the API enablement level.

483
MCQhard

A developer is creating a script that uses the Google Cloud SDK to automate resource creation. The script will be run from a CI/CD pipeline. What is the best way to authenticate?

A.Use an OAuth 2.0 client ID
B.Use application default credentials
C.Use the gcloud auth login command with a user account
D.Use a service account key file stored in a secret manager
AnswerD

Service account keys work for non-interactive scripts, and keeping the key in a secret manager rather than in the repository limits its exposure; prefer keyless authentication where the pipeline supports it.

Why this answer

Option D is the answer the question expects: a service account key is non-interactive, the key lives in a secret manager rather than in the repository or pipeline configuration, and the service account can be scoped to the minimum permissions the script needs. Option C is wrong because `gcloud auth login` is interactive and ties the pipeline to a person's account. Option A is wrong because an OAuth 2.0 client ID is for applications acting on behalf of end users, not for an unattended job. Option B is not a credential on its own: application default credentials is the lookup order the SDK uses to find a credential, which in a pipeline still resolves to a key file or to a federated token. Note that Google's current guidance is to avoid long-lived keys for CI/CD altogether: Workload Identity Federation lets GitHub Actions, GitLab CI and similar systems exchange their own OIDC tokens for short-lived Google credentials, and Cloud Build runs as a service account natively with no key. When a key is unavoidable, rotate it, restrict the service account, and consider enforcing the `iam.disableServiceAccountKeyCreation` constraint everywhere else in the organization.

484
MCQhard

A company has two on-premises data centers connected via a redundant network. They want to extend their Google Cloud VPC to on-premises using Cloud VPN with dynamic routing (BGP). They need to ensure traffic from on-premises to Google Cloud can fail over to the secondary tunnel if the primary tunnel fails. The VPC has a single region. What should they configure?

A.Use a single Cloud VPN gateway and create two tunnels to separate on-prem VPN devices, each with BGP.
B.Use Cloud Interconnect as the primary and Cloud VPN as the backup.
C.Use a Cloud Router in global dynamic routing mode and set up a single VPN tunnel with BGP.
D.Create two Cloud VPN gateways in the VPC, each with a BGP session to its own on-prem VPN device, both using the same Cloud Router with separate BGP sessions.
AnswerD

Two gateways, each with its own BGP session on one Cloud Router, give redundancy at both the gateway and the tunnel; failover happens through BGP route withdrawal.

Why this answer

Option D is correct because it provides active/passive failover for on-premises to Google Cloud traffic with no single point of failure on the Google Cloud side. With two Cloud VPN gateways, each running a BGP session to its own on-premises VPN device, and both sessions attached to the same Cloud Router, the VPC prefixes are advertised over both tunnels. Which tunnel the on-premises routers prefer is a BGP decision on their side: an advertised route priority (the MED the Cloud Router sends) or AS-path prepending makes one tunnel primary; when that tunnel fails, its BGP session drops, the routes learned through it are withdrawn, and traffic moves to the remaining tunnel. Note that this model is Classic VPN's. An HA VPN gateway has two interfaces with separate public IP addresses and, with a tunnel from each to the on-premises devices, carries Google's 99.99% availability SLA, so on a current deployment one HA VPN gateway with two tunnels is the standard design rather than two gateways.

This satisfies the requirement for failover without relying on a single gateway or tunnel.

Exam trap

The trap here is that candidates assume a single gateway with multiple tunnels is redundant; for a Classic VPN gateway the gateway itself is a single point of failure, so two gateways are needed. (HA VPN changes this: its two interfaces make one gateway redundant on its own.)

How to eliminate wrong answers

Option A is wrong because a single Classic VPN gateway is a single point of failure: if the gateway itself fails, both tunnels go down together and there is nothing to fail over to. Option B is wrong not because the combination is impossible (Cloud VPN as a lower-priority backup for Cloud Interconnect on the same Cloud Router is a supported design) but because the question requires Cloud VPN with dynamic routing on both paths and says nothing about Interconnect circuits, which would add physical cross-connects and lead time. Option C is wrong because a single VPN tunnel provides no redundancy: if the tunnel or its underlying path fails, all traffic is lost, and global dynamic routing mode only changes which regions' subnets the Cloud Router advertises and learns; it adds no failover.

485
MCQhard

You are planning a GCP network for a company with offices in three regions: `us-central1`, `europe-west1`, and `asia-east1`. All three regions must communicate with each other, and traffic must NOT traverse the public internet. Each region has its own subnet. Which network design achieves this with the least management overhead?

A.Create three separate VPCs (one per region) and connect them with VPC Network Peering.
B.Use a single global VPC with subnets in each region; traffic between subnets stays on Google's private network.
C.Set up Cloud VPN tunnels between each pair of regions.
D.Use Cloud Interconnect dedicated connections in each region and configure BGP routing between them.
AnswerB

A single GCP VPC is global by design. Subnets in different regions communicate over Google's internal backbone — no special configuration required for private inter-region connectivity.

Why this answer

Option B is correct because a single global VPC allows you to create subnets in multiple regions, and traffic between those subnets stays on Google's private backbone network without traversing the public internet. This design requires no additional connectivity configuration, peering, or VPN tunnels, making it the simplest to manage while meeting all requirements.

Exam trap

The trap here is that candidates often overcomplicate the solution by thinking they need separate VPCs or VPNs for each region, not realizing that a single global VPC inherently supports multi-region subnets with private, Google-managed routing.

How to eliminate wrong answers

Option A is wrong because VPC Network Peering connects separate VPCs and has to be configured from both sides of every pair (three VPCs need three peerings, six peering configurations); traffic still stays on Google's network, but the management overhead is higher than a single VPC. Option C is wrong because Cloud VPN tunnels require deploying and maintaining VPN gateways and tunnels for each region pair, add IPsec overhead and latency, and terminate on public IP addresses, so the encrypted packets still cross the public internet. Option D is wrong because Cloud Interconnect is a dedicated physical connection from your own equipment into Google's network; it is built for hybrid connectivity, requires on-premises infrastructure and BGP configuration, and is not a mechanism for inter-region communication within Google Cloud.

486
MCQmedium

A security team wants to restrict access to a Google Cloud project such that only virtual machines with a specific tag 'web' can connect to a Compute Engine instance on port 443. Which configuration is required?

A.Create a firewall rule allowing egress from instances with tag 'web' to the target instance on port 443.
B.Create a firewall rule allowing ingress from instances with tag 'web' to the target instance on port 443.
C.Set an IAM condition on the instance to only allow calls from instances with tag 'web'.
D.Use Cloud Armor to filter traffic based on tags.
AnswerB

Ingress firewall rules with source tags restrict traffic based on the sender's network tags.

Why this answer

Option B is correct because VPC firewall rules are stateful and are evaluated per direction: an ingress rule decides which connections may arrive at the target. To allow only VMs with tag 'web' to connect to the target instance on port 443, create an ingress rule with source tag 'web', the target instance's network tag, and protocol/port tcp:443. Such a rule admits HTTPS from any VM carrying the 'web' tag, whatever its IP address. Two checks matter in practice: the rule only adds permission, so an existing wider allow rule (for example the default network's default-allow-internal rule at priority 65534) would still admit every internal VM on tcp:443 unless it is removed or a higher-priority deny for tcp:443 from other sources is added; and network tags can be attached by anyone with permission to edit the source VM, so where the sender's identity matters use source service accounts instead of tags.

Exam trap

Google Cloud often tests the distinction between ingress and egress firewall rules, and the trap here is that candidates mistakenly choose an egress rule (Option A) because they think of restricting traffic 'from' the source, but the correct direction for controlling incoming connections to a target is ingress.

How to eliminate wrong answers

Option A is wrong because an egress firewall rule controls outbound traffic from the source, not inbound traffic to the target; the question requires restricting incoming connections to the target instance on port 443, which is an ingress direction. Option C is wrong because IAM conditions control identity-based access (who can perform actions on the instance), not network-level traffic filtering based on VM tags; tags are not evaluated in IAM policies for network access. Option D is wrong because Cloud Armor is a web application firewall (WAF) that protects against application-layer attacks and filters based on IP addresses, geographic regions, or custom rules, but it does not filter traffic based on Compute Engine instance tags.
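To make the evaluation order concrete, here is an added example (not code from the page or from Google) that models how VPC firewall rules decide an ingress connection: priority order, first match wins, a deny beats an allow at equal priority, and the implied deny at 65535 catches everything else. The VMs, addresses and rule names are constructed; the `find_bypasses` check is what a reviewer would run over an exported rule set before trusting a tag-based allow rule.

```python
"""Model of VPC firewall evaluation for ingress to a Compute Engine VM.

Constructed example (not code from the page): rules are checked in priority
order (lower number wins, a DENY beats an ALLOW at equal priority), the first
match decides, and the implied rule at priority 65535 denies all ingress.
"""
import ipaddress
from dataclasses import dataclass

IMPLIED_DENY_INGRESS = "implied-deny-ingress"   # priority 65535, cannot be removed


@dataclass(frozen=True)
class Vm:
    name: str
    ip: str                        # primary internal address
    tags: frozenset = frozenset()  # network tags


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                  # "INGRESS" or "EGRESS"
    action: str                     # "ALLOW" or "DENY"
    priority: int                   # 0..65535, lower number wins
    protocols: tuple = ()           # (proto, port) pairs, port None = any port; () = all traffic
    source_ranges: tuple = ()       # CIDR strings
    source_tags: frozenset = frozenset()
    target_tags: frozenset = frozenset()   # empty = applies to every VM in the network
    disabled: bool = False


def _source_matches(rule, src):
    """Source ranges and source tags are a union: either one admits the sender."""
    ip = ipaddress.ip_address(src.ip)
    in_range = any(ip in ipaddress.ip_network(cidr) for cidr in rule.source_ranges)
    return in_range or bool(rule.source_tags & src.tags)


def _protocol_matches(rule, proto, port):
    if not rule.protocols:
        return True
    return any(p == proto and (rp is None or rp == port) for p, rp in rule.protocols)


def ingress_decision(rules, src, dst, proto, port):
    """Return (allowed, deciding_rule_name) for traffic from `src` arriving at `dst`."""
    applicable = [r for r in rules
                  if r.direction == "INGRESS" and not r.disabled
                  and (not r.target_tags or r.target_tags & dst.tags)]
    for rule in sorted(applicable, key=lambda r: (r.priority, r.action != "DENY")):
        if _source_matches(rule, src) and _protocol_matches(rule, proto, port):
            return rule.action == "ALLOW", rule.name
    return False, IMPLIED_DENY_INGRESS


def find_bypasses(rules, intended, probes, dst, proto, port):
    """Names of rules that admit a probe VM which `intended` itself would not admit."""
    hits = set()
    for vm in probes:
        allowed, decided_by = ingress_decision(rules, vm, dst, proto, port)
        if allowed and decided_by != intended.name:
            hits.add(decided_by)
    return sorted(hits)


# --- constructed sample network -------------------------------------------------
APP = Vm("app-1", "10.128.0.10", frozenset({"app"}))
WEB = Vm("web-1", "10.128.0.20", frozenset({"web"}))
BATCH = Vm("batch-1", "10.128.0.30", frozenset({"batch"}))   # must not reach app:443

ALLOW_WEB = Rule("allow-web-to-app-443", "INGRESS", "ALLOW", 1000,
                 protocols=(("tcp", 443),),
                 source_tags=frozenset({"web"}), target_tags=frozenset({"app"}))
# The default network ships with a rule like this; it quietly widens access.
DEFAULT_INTERNAL = Rule("default-allow-internal", "INGRESS", "ALLOW", 65534,
                        protocols=(("tcp", None), ("udp", None), ("icmp", None)),
                        source_ranges=("10.128.0.0/9",))
# Closes the gap for everyone except the higher-priority (lower number) web rule.
DENY_OTHERS = Rule("deny-app-443-from-others", "INGRESS", "DENY", 1100,
                   protocols=(("tcp", 443),), source_ranges=("0.0.0.0/0",),
                   target_tags=frozenset({"app"}))


if __name__ == "__main__":
    for ruleset in ([ALLOW_WEB], [ALLOW_WEB, DEFAULT_INTERNAL],
                    [ALLOW_WEB, DEFAULT_INTERNAL, DENY_OTHERS]):
        names = [r.name for r in ruleset]
        print(names, "batch->app:443 =", ingress_decision(ruleset, BATCH, APP, "tcp", 443),
              "bypasses:", find_bypasses(ruleset, ALLOW_WEB, [BATCH], APP, "tcp", 443))
```

The first rule set is the exam answer on its own and behaves as intended; the second shows the default-allow-internal rule silently admitting the batch VM; the third closes that hole with an explicit deny that the web rule still outranks. The intended rule itself corresponds to `gcloud compute firewall-rules create allow-web-to-app-443 --network=default --direction=INGRESS --action=ALLOW --rules=tcp:443 --source-tags=web --target-tags=app --priority=1000`.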

487
MCQmedium

An application uses the S3-compatible API to interact with Cloud Storage. The team needs credentials compatible with HMAC-based S3 authentication. Which credential type does Cloud Storage support for this?

A.Service account JSON key file — it's compatible with the S3 HMAC authentication format
B.HMAC keys created for a service account in Cloud Storage settings
C.Cloud KMS symmetric keys configured for Cloud Storage access
D.An API key generated in the GCP Console for Cloud Storage
AnswerB

Cloud Storage supports HMAC authentication for S3-compatible API access. HMAC keys are created for a service account (or, through the console, a user account) and provide an access ID plus secret for S3-style request signing.

Why this answer

Cloud Storage supports HMAC keys for service accounts to provide S3-compatible authentication. A key consists of an access ID and a secret, which sign requests with AWS Signature Version 4 (HMAC-SHA256), so an S3 client only needs its endpoint pointed at storage.googleapis.com and authenticates without a JSON key file or OAuth 2.0 tokens. Operationally: the secret is shown once at creation, a key must be set to inactive before it can be deleted, and the key carries every permission of the service account, so grant that account only the bucket-level roles the application needs and rotate the key on a schedule.

Exam trap

Google Cloud often tests the distinction between authentication methods (HMAC vs. OAuth 2.0) and encryption keys (KMS vs. HMAC), leading candidates to confuse a JSON key file or an API key with HMAC credentials.

How to eliminate wrong answers

Option A is wrong because a service account JSON key file is used for OAuth 2.0-based authentication, not for HMAC-based S3 authentication; it contains a private key for signing JWT tokens, not an HMAC access/secret key pair. Option C is wrong because Cloud KMS symmetric keys are used for encryption and decryption of data at rest, not for authentication or signing S3 API requests. Option D is wrong because an API key is a simple identifier used for quota and access control in GCP APIs, but it does not support the HMAC signing mechanism required for S3-compatible authentication.
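The signing process the answer refers to, as an added example (not from the page or from Google): AWS Signature Version 4 computed with a Cloud Storage HMAC key for one GET on the XML API. The access ID, secret, bucket, object and timestamp are constructed, and the region value "auto" in the credential scope is what this example assumes Cloud Storage accepts; the key-derivation chain (date, region, service, "aws4_request") is standard SigV4.

```python
"""AWS Signature Version 4 over a Cloud Storage XML API request using a
Cloud Storage HMAC key (access ID + secret).

Added example, not code from the page or from Google. The credentials, bucket
and timestamp are constructed; the region "auto" is what this example assumes
Cloud Storage accepts in the credential scope.
"""
import datetime
import hashlib
import hmac
from urllib.parse import quote

HOST = "storage.googleapis.com"
REGION = "auto"
SERVICE = "s3"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the per-day signing key; the raw secret never signs a request directly."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(method, path, query, headers, payload_hash):
    """Build the canonical request string and the SignedHeaders list."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    signed_headers = ";".join(sorted(lower))
    canonical_headers = "".join(f"{k}:{lower[k]}\n" for k in sorted(lower))
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    creq = "\n".join([method, quote(path, safe="/-_.~"), canonical_query,
                      canonical_headers, signed_headers, payload_hash])
    return creq, signed_headers


def sign_request(access_id, secret, method, path, query, when, payload=b""):
    """Return the headers to send (including Authorization) and the canonical request."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date = when.strftime("%Y%m%d")
    payload_hash = hashlib.sha256(payload).hexdigest()
    headers = {"host": HOST, "x-amz-date": amz_date, "x-amz-content-sha256": payload_hash}
    creq, signed_headers = canonical_request(method, path, query, headers, payload_hash)
    scope = f"{date}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(creq.encode("utf-8")).hexdigest()])
    signature = hmac.new(signing_key(secret, date, REGION, SERVICE),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_id}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers, creq


# Constructed credentials: a real access ID issued for a service account starts with GOOG1.
ACCESS_ID = "GOOG1EXAMPLEACCESSIDXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
SECRET = "constructed/secret/do-not-use+0123456789abcdef"
WHEN = datetime.datetime(2024, 1, 2, 3, 4, 5)


def example_get():
    """Sign a GET for gs://example-bucket/report.csv (constructed object)."""
    return sign_request(ACCESS_ID, SECRET, "GET", "/example-bucket/report.csv", {}, WHEN)


if __name__ == "__main__":
    hdrs, creq = example_get()
    print(creq)
    print(hdrs["authorization"])
```

Only the derived key signs, so a captured Authorization header does not reveal the secret; the date in the scope also bounds how long a leaked derived key is useful. Keys are created with `gcloud storage hmac create SERVICE_ACCOUNT_EMAIL` (or `gsutil hmac create`), and a key must be made inactive before it can be deleted.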

488
Multi-Selectmedium

A company needs to securely store secrets (API keys, passwords) used by applications running on Compute Engine. Which three methods are secure and recommended? (Choose three.)

Select 3 answers
A.Use a third-party secrets vault like HashiCorp Vault running on GKE.
B.Store secrets as environment variables in plain text in the instance metadata.
C.Use Cloud Secret Manager to store and retrieve secrets.
D.Store secrets in a Cloud Storage bucket with fine-grained ACLs and encryption.
E.Encrypt secrets with Cloud KMS and store them in a file on the instance.
AnswersA, C, D

Third-party vaults are secure if properly configured.

Why this answer

Option A is correct because HashiCorp Vault is a widely adopted, enterprise-grade secrets management solution that can be deployed on Google Kubernetes Engine (GKE) to securely store, access, and audit API keys and passwords. It provides dynamic secrets, encryption as a service, and fine-grained access policies, making it a recommended approach for Compute Engine applications when integrated via its API or sidecar patterns. Option C is the native choice: Secret Manager stores versioned secrets, scopes access with IAM (roles/secretmanager.secretAccessor granted on the secret itself) and records every access in Cloud Audit Logs; a VM reads a secret with its attached service account, so no credential is written to disk. Option D is acceptable only when the bucket admits nothing but the VM's service account, the object is encrypted, and access is logged; it is a fallback rather than the first choice. Option B is wrong because plaintext metadata is readable by anyone who can view the instance. Option E is wrong because the ciphertext file and the decryption step still have to be managed by hand on every instance, with no versioning or per-secret access audit.

Exam trap

The trap here is that candidates often assume encrypting secrets with KMS and storing them locally (Option E) is sufficient, but Google Cloud tests that a dedicated secrets management service (Secret Manager or a vault) is the recommended approach over manual encryption and file storage, even when the file is encrypted.

489
MCQeasy

A small team is setting up a new Google Cloud project for a web application. They need to ensure that they can manage costs and receive alerts when spending exceeds a threshold. What is the simplest way to achieve this?

A.Export billing data to BigQuery and create custom dashboards.
B.Use the Google Cloud Pricing Calculator to estimate costs and set manual alerts.
C.Create a billing account for each team member and link it to the project.
D.Set up a budget alert in the Google Cloud Console for the project.
AnswerD

Simple, native feature that provides email alerts when threshold is met.

Why this answer

Option D is correct because creating a budget with alert thresholds in the Google Cloud Console (Billing, then Budgets & alerts) is simple and sends automated email notifications to billing administrators when actual or forecast spend crosses each threshold. A budget alert notifies; it does not cap or stop spending. Option A is too complex for a small team. Option B only provides an estimate before deployment, not alerts on real spending.

Option C is wrong because a project is linked to exactly one billing account; a billing account per team member fragments billing and adds no alerting.

490
MCQhard

A security team wants to prevent every project in the organization from creating VM instances with external IP addresses — without requiring configuration in each individual project. What is the most scalable solution?

A.Create a firewall rule in every project blocking outbound traffic on port 80 and 443
B.Set the organization policy constraint compute.vmExternalIpAccess to Deny All at the organization level
C.Remove the Compute Engine Admin role from all project owners
D.Use Cloud Armor to block all traffic destined for public IPs in the organization
AnswerB

This organization-level constraint prevents external IP assignment across all projects, automatically applying to new projects without manual intervention.

Why this answer

Option B is correct because the list constraint `compute.vmExternalIpAccess`, set at the organization level with all values denied, stops every VM in every descendant folder and project from being created with an external IP address, with no per-project configuration. New projects inherit it automatically. Named exceptions can be allowed as values of the form projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_NAME. A policy set on a descendant folder or project can still replace the inherited one, so keep the Organization Policy Administrator role (roles/orgpolicy.policyAdmin) tightly scoped.

Exam trap

The trap here is that candidates confuse network-level controls (firewall rules, Cloud Armor) with resource-level policies (organization constraints), thinking that blocking traffic is equivalent to preventing IP assignment; the constraint is enforced at resource creation time by the Organization Policy Service, before any packet flows. Note also that it only blocks new assignments: VMs that already hold external IPs keep them until their access configs are removed.

How to eliminate wrong answers

Option A is wrong because firewall rules only control network traffic after a VM is created, not the assignment of external IP addresses during VM creation; blocking ports 80 and 443 does not prevent a VM from having an external IP, and traffic on other ports (e.g., SSH on port 22) would still be allowed. Option C is wrong because removing the Compute Engine Admin role from project owners does not prevent VMs from being created with external IPs by other users or service accounts, and it breaks legitimate administrative workflows without addressing the IP assignment policy. Option D is wrong because Cloud Armor is a web application firewall that protects against DDoS and application-layer attacks, not a tool to control whether VMs are assigned external IPs; it cannot block the creation of VMs with public IPs.

491
Multi-Selectmedium

A company is deploying a stateless web application on Compute Engine. The application is served by a managed instance group with autoscaling behind an HTTP(S) load balancer. To minimize instance startup time and ensure that the application is ready to serve traffic as soon as an instance is created, which two steps should the company take? (Choose two.)

Select 2 answers
A.Increase the initial delay for the load balancer health check to 5 minutes.
B.Configure a startup script in the instance template that installs dependencies and starts the application.
C.Set the managed instance group's autohealing to replace unhealthy instances based on the load balancer health check.
D.Use a container-optimized OS and deploy the application as a Docker container via the startup script.
E.Create a custom machine image that includes the application and all dependencies.
AnswersD, E

Container-Optimized OS boots quickly and pulling a prebuilt container image is far faster than installing dependencies at boot, while a custom machine image with everything baked in removes the boot-time work entirely.

Why this answer

Option E (custom image) includes the application and dependencies, eliminating the need to install them at boot. Option D (Container-Optimized OS) lets the application run as a prebuilt container, which starts quickly once the image is pulled; keep the image in a registry in the same region so the pull is short. Option B (a startup script that installs dependencies) adds installation time to every boot.

Option C (autohealing) addresses health, not startup time. Option A (a longer health check initial delay) only postpones the moment the instance is considered healthy, so it increases time to serve traffic.

492
MCQhard

An e-commerce platform sees a 20x traffic spike every Black Friday. The rest of the year traffic is low and stable. The team wants to minimize costs during normal periods while handling the annual peak without manual intervention. Which architecture achieves this?

A.Pre-provision 20x capacity year-round to guarantee Black Friday performance
B.Managed instance group with autoscaling + scheduled scaling pre-warming before Black Friday
C.Deploy on Cloud SQL — it scales compute automatically for traffic spikes
D.Add 20 manual VMs on Black Friday and delete them afterward each year
AnswerB

MIG autoscaling handles demand-based scale-out automatically. Scheduled scaling policies can pre-warm additional capacity hours before the known Black Friday spike — combining reactive and proactive scaling.

Why this answer

Option B is correct because it combines managed instance group autoscaling for normal low-cost operation with a scaling schedule that pre-warms capacity before the Black Friday spike, handling the 20x surge without manual intervention. The autoscaler's load-based policy (CPU, load balancing capacity or a custom metric) keeps the group small during the year; a scaling schedule raises the group's minimum instance count for a defined window and can recur annually, so instances are already serving before the peak rather than starting under load. Anything beyond the scheduled minimum is still covered by load-based scaling.

Exam trap

Google Cloud often tests the misconception that database services like Cloud SQL can automatically scale compute for traffic spikes, but in reality, Cloud SQL requires manual vertical scaling or read replicas and does not handle web-tier traffic spikes natively.

How to eliminate wrong answers

Option A is wrong because pre-provisioning 20x capacity year-round incurs massive unnecessary costs, violating the requirement to minimize costs during normal periods. Option C is wrong because Cloud SQL does not automatically scale compute resources for traffic spikes; it supports read replicas and vertical scaling but requires manual intervention or configuration changes, and it is a database service, not a compute solution for handling web traffic. Option D is wrong because manually adding and deleting 20 VMs each year introduces manual intervention and operational overhead, contradicting the requirement for no manual intervention, and does not provide automated scaling for the spike.

493
Multi-Selectmedium

Which TWO actions should a DevOps engineer take to reduce egress costs when transferring large amounts of data from Compute Engine to Cloud Storage in the same region?

Select 2 answers
A.Use internal IP addresses for the Compute Engine instances.
B.Use a regional Cloud Storage bucket in the same region as the instances.
C.Set up a VPN between the instances and Cloud Storage.
D.Use a multi-regional Cloud Storage bucket.
E.Configure a Cloud NAT gateway.
AnswersA, B

Same-region transfers from Compute Engine to Cloud Storage are not billed as internet egress, and with Private Google Access the instances need no external IP address at all.

Why this answer

Option A is correct because instances that use only internal IP addresses (with Private Google Access enabled on their subnet) reach Cloud Storage over Google's network without an external IP or a NAT gateway, and same-region traffic to Cloud Storage is not charged as internet egress; removing external IPs also shrinks the exposed surface. Option B is correct because a regional bucket in the same region as the instances keeps the transfer within one region, which is the cheapest path for both the network and the bucket's storage price.

Exam trap

Google Cloud often tests the misconception that a multi-region bucket on the same continent is equivalent, but a multi-region bucket costs more to store and keeps its data in more than one region of the continent; a regional bucket co-located with the instances is the choice that guarantees same-region pricing, and the VPN and Cloud NAT options add cost without changing where the traffic goes.

494
MCQeasy

A developer wants to verify which IAM roles they currently have on a specific GCP project before requesting additional access. Which gcloud command lists the IAM policy for a project?

A.gcloud iam roles list --project=[PROJECT_ID]
B.gcloud projects get-iam-policy [PROJECT_ID]
C.gcloud auth list --project=[PROJECT_ID]
D.gcloud iam service-accounts get-iam-policy [PROJECT_ID]
AnswerB

This command returns the full IAM policy for the project in YAML or JSON format, showing all current member-role bindings.

Why this answer

The correct command to retrieve the IAM policy for a GCP project is `gcloud projects get-iam-policy [PROJECT_ID]`. This command returns the complete IAM policy bindings (roles and members) for the specified project, allowing the developer to see which roles they currently have. It directly queries the Cloud Resource Manager API to fetch the project-level IAM policy. Note what the output does not show: roles inherited from the project's folder or organization, and roles the developer holds through a group, are absent, so an empty result here does not mean no access. `gcloud projects get-ancestors-iam-policy [PROJECT_ID]` adds the policies of the ancestors.

Exam trap

Google Cloud often tests the distinction between listing roles (available role definitions) and getting the IAM policy (actual role bindings), so candidates mistakenly choose `gcloud iam roles list` thinking it shows their assigned roles.

How to eliminate wrong answers

Option A is wrong because `gcloud iam roles list` lists predefined or custom roles available in the organization or project, not the bindings of those roles to principals. Option C is wrong because `gcloud auth list` displays the currently active authenticated accounts and their status, not the IAM policy for a project. Option D is wrong because `gcloud iam service-accounts get-iam-policy` retrieves the IAM policy for a specific service account, not for the project itself.
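An added example (not from the page) of what to do with the policy once retrieved; the JSON is a constructed stand-in for the output of `gcloud projects get-iam-policy PROJECT_ID --format=json`, and the principals and condition are placeholders. The same question can be answered on the command line with gcloud's own filtering: `gcloud projects get-iam-policy PROJECT_ID --flatten="bindings[].members" --filter="bindings.members:user:dev@example.com" --format="table(bindings.role)"`.

```python
"""Read a project IAM policy (the JSON that `gcloud projects get-iam-policy
PROJECT_ID --format=json` prints) and answer "which roles does this principal
hold here?".

Added example, not from the page. The policy below is constructed; the
principals and the condition expression are placeholders.
"""
import json

POLICY_JSON = """
{
  "version": 3,
  "etag": "BwYconstructed=",
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com"]},
    {"role": "roles/editor",
     "members": ["group:platform-team@example.com",
                 "serviceAccount:ci@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["user:dev@example.com"]},
    {"role": "roles/compute.instanceAdmin.v1",
     "members": ["user:dev@example.com"],
     "condition": {"title": "business-hours-only",
                   "expression": "request.time.getHours('Europe/London') >= 9 && request.time.getHours('Europe/London') < 18"}}
  ]
}
"""

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def load_policy(text=POLICY_JSON):
    return json.loads(text)


def roles_for(policy, principal):
    """Direct bindings for `principal` at this resource: (role, condition title or None).

    Only what is bound on the project itself appears here. Roles inherited from
    the folder or organization, and roles held through a group the principal
    belongs to, are not visible in this policy.
    """
    found = []
    for binding in policy.get("bindings", []):
        if principal in binding.get("members", []):
            cond = binding.get("condition")
            found.append((binding["role"], cond["title"] if cond else None))
    return sorted(found)


def principals_with_basic_roles(policy):
    """Members holding a basic role (owner/editor/viewer): the broad grants to review first."""
    out = {}
    for binding in policy.get("bindings", []):
        if binding["role"] in BASIC_ROLES:
            for member in binding.get("members", []):
                out.setdefault(member, set()).add(binding["role"])
    return {m: sorted(r) for m, r in sorted(out.items())}


def unconditional_grants(policy, principal):
    """Roles the principal can use at any time (no IAM condition attached)."""
    return [role for role, title in roles_for(policy, principal) if title is None]


if __name__ == "__main__":
    policy = load_policy()
    print(roles_for(policy, "user:dev@example.com"))
    print(principals_with_basic_roles(policy))
```

The `principals_with_basic_roles` pass is the review most teams need first: basic roles grant thousands of permissions across every service, and a group binding such as the editor grant above extends that to every member of the group, whom the project policy never names.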

495
MCQmedium

A team's CI/CD pipeline authenticates to GCP using Application Default Credentials (ADC). The pipeline runs on a GCE VM with a service account attached. Which credential source does the ADC use when running on a GCE VM?

A.The GOOGLE_APPLICATION_CREDENTIALS environment variable pointing to a JSON key file
B.The VM's attached service account credentials via the instance metadata server
C.The developer's personal Google account used during `gcloud auth login`
D.A randomly selected service account from the project's service accounts list
AnswerB

ADC on GCE automatically uses the service account attached to the VM through the instance metadata server (a GET to http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token with the header Metadata-Flavor: Google), so no key file is needed.

Why this answer

On a GCE VM, Application Default Credentials (ADC) automatically uses the credentials of the VM's attached service account by querying the instance metadata server at the link-local address 169.254.169.254 (metadata.google.internal). The server only answers requests that carry the Metadata-Flavor: Google header. This is the default behavior when neither the GOOGLE_APPLICATION_CREDENTIALS variable nor a gcloud ADC file is present, making option B correct. The token carries the attached service account's roles, so that account, not a key file, is what to scope down for the pipeline.

Exam trap

Google Cloud often tests the misconception that ADC always requires an explicit credential file or that it uses the gcloud user login, when in fact on GCE VMs it transparently uses the attached service account via the metadata server.

How to eliminate wrong answers

Option A is wrong because the GOOGLE_APPLICATION_CREDENTIALS environment variable is a manual override that ADC checks first, but it is not the default source on a GCE VM; the question describes a pipeline running on a GCE VM with a service account attached, and ADC will use the metadata server unless that variable is set. Option C is wrong because a developer's personal Google account from `gcloud auth login` is used for user-level authentication in gcloud CLI, not for ADC on a VM; ADC on a GCE VM does not consult user credentials from gcloud. Option D is wrong because ADC does not randomly select a service account; it uses the specific service account attached to the VM instance, which is obtained from the instance metadata server, not from a project-wide list.
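The metadata-server exchange the answer describes, as an added example (not from the page or from Google). A small local HTTP server stands in for metadata.google.internal so the code runs offline, and the token it serves is a constructed placeholder; on a real VM, `fetch_access_token()` with no arguments performs the same request against the real server.

```python
"""How ADC obtains a token on a Compute Engine VM: an HTTP GET to the metadata
server, with the mandatory Metadata-Flavor: Google header.

Added example, not from the page. A small local HTTP server stands in for
metadata.google.internal so the code runs offline; the token it returns is a
constructed placeholder. On a real VM call fetch_access_token() with no args.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

METADATA_URL = "http://metadata.google.internal"   # resolves to 169.254.169.254 on a VM
TOKEN_PATH = "/computeMetadata/v1/instance/service-accounts/default/token"


def fetch_access_token(base_url=METADATA_URL, timeout=2.0):
    """Return (access_token, token_type, expires_in) for the VM's attached service account."""
    req = urllib.request.Request(base_url + TOKEN_PATH, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = json.loads(resp.read().decode("utf-8"))
    return body["access_token"], body["token_type"], body["expires_in"]


def status_without_header(base_url=METADATA_URL, timeout=2.0):
    """HTTP status for the same request without the header (what a naive SSRF relay sees)."""
    try:
        with urllib.request.urlopen(base_url + TOKEN_PATH, timeout=timeout):
            return 200
    except urllib.error.HTTPError as err:
        return err.code


# --- constructed stand-in for the metadata server ---------------------------------
class FakeMetadata(BaseHTTPRequestHandler):
    def do_GET(self):
        # The real server rejects requests that lack this header, which blocks
        # simple browser- or proxy-driven requests to 169.254.169.254.
        if self.headers.get("Metadata-Flavor") != "Google":
            self.send_error(403, "Missing Metadata-Flavor:Google header.")
            return
        if self.path != TOKEN_PATH:
            self.send_error(404)
            return
        payload = json.dumps({"access_token": "ya29.constructed-example-token",
                              "expires_in": 3599, "token_type": "Bearer"}).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):   # keep the example quiet
        pass


def with_fake_metadata(func):
    """Start the stand-in on a free localhost port, run func(base_url), shut it down."""
    server = HTTPServer(("127.0.0.1", 0), FakeMetadata)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return func(f"http://127.0.0.1:{server.server_address[1]}")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(with_fake_metadata(fetch_access_token))
    print(with_fake_metadata(status_without_header))
```

The header check is the reason a plain SSRF that cannot set request headers gets a 403 from the metadata server rather than a token; an attacker who can set headers (or run code on the VM) gets a bearer token with all of the attached service account's roles, which is why that account should hold only what the pipeline needs.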

496
MCQhard

A team has a streaming pipeline built with Apache Beam that reads from Cloud Pub/Sub and writes transformed data to BigQuery. Which GCP service executes this pipeline with managed autoscaling?

A.Cloud Composer
B.Cloud Dataflow
C.Cloud Dataproc
D.Cloud Data Fusion
AnswerB

Cloud Dataflow is the managed execution environment for Apache Beam pipelines. It autoscales workers for both streaming and batch jobs.

Why this answer

Cloud Dataflow is the correct service because it is a fully managed, autoscaling service specifically designed to execute Apache Beam pipelines. It handles the reading from Cloud Pub/Sub and writing to BigQuery, automatically scaling worker resources based on the pipeline's processing demands.

Exam trap

The trap here is that candidates often confuse Cloud Dataproc (which runs Spark) with Cloud Dataflow (which runs Beam), not realizing that Beam pipelines require Dataflow for managed autoscaling, while Dataproc requires manual cluster sizing or separate autoscaling policies.

How to eliminate wrong answers

Option A is wrong because Cloud Composer is a managed workflow orchestration service based on Apache Airflow, not a stream processing engine; it can trigger Dataflow jobs but does not execute Beam pipelines directly. Option C is wrong because Cloud Dataproc is a managed Spark and Hadoop service that can run batch or stream processing but does not natively execute Apache Beam pipelines with managed autoscaling; it requires manual cluster management or separate autoscaling configuration. Option D is wrong because Cloud Data Fusion is a fully managed data integration service for building ETL/ELT pipelines using a visual interface, but it does not execute Apache Beam pipelines and does not provide managed autoscaling for Beam-based streaming jobs.

497
MCQmedium

A company wants to set up a cost-effective disaster recovery solution for a critical application running on Compute Engine. The primary region is us-east1. The recovery point objective (RPO) is 1 hour, and recovery time objective (RTO) is 4 hours. Which strategy is most cost-effective?

A.Regular backups to Cloud Storage with automated scripts to restore in a different region
B.Use managed instance groups in two regions with autoscaling
C.Cross-region replica of persistent disks using snapshot schedules every hour
D.Active-active multi-region deployment with HTTP load balancer
AnswerC

Snapshot schedules take frequent, incremental snapshots suited to DR; store them in a location outside the primary region.

Why this answer

Option C is the most cost-effective because a snapshot schedule that runs hourly, with the snapshot storage location set to another region (or a multi-region), gives a worst-case RPO of about one hour plus snapshot completion time without any always-on compute in the secondary region. Snapshots are incremental, so storage cost stays modest, and a scripted restore (create disks from the latest snapshot, then instances) fits comfortably within the 4-hour RTO. Rehearse the restore regularly; an untested snapshot set is not a DR plan.

Exam trap

Google Cloud often tests the misconception that active-active or multi-region instance groups are always the best for disaster recovery, but the trap here is that for cost-effectiveness with moderate RPO/RTO, a snapshot-based replication strategy is more appropriate than maintaining always-on infrastructure.

How to eliminate wrong answers

Option A is wrong because regular backups to Cloud Storage with automated scripts require manual or custom automation for restore, which can introduce delays and complexity, and the RTO of 4 hours may be exceeded if scripts fail or need debugging; also, backups are not inherently cross-region replicas, so additional configuration is needed to meet the RPO. Option B is wrong because managed instance groups in two regions with autoscaling keep compute resources running in both regions, incurring continuous costs for idle instances in the secondary region, which is not cost-effective for a disaster recovery solution that only needs to activate during failover. Option D is wrong because active-active multi-region deployment with HTTP load balancer requires always-on compute and networking resources in both regions, leading to higher operational costs than a standby or backup-based approach, and it is overkill for the given RPO and RTO requirements.

498
MCQhard

A regulated company requires a log of all actions taken by Google support engineers when they access customer GCP environments during support cases. Which Cloud Audit Log type captures this?

A.Admin Activity audit logs
B.Data Access audit logs with Google-initiated access filter
C.Access Transparency logs
D.System event audit logs with personnel filter
AnswerC

Access Transparency logs specifically record actions by Google employees when they access customer data and GCP environments, providing accountability for Google-side access.

Why this answer

Access Transparency logs are the correct choice because they capture actions Google personnel take on customer content or configuration, including the justification (such as a support case number), the accessor's location, and the method and resource accessed; they are written to Cloud Logging under the log ID cloudaudit.googleapis.com%2Faccess_transparency. Access Transparency must be enabled for the organization and requires a qualifying support level; Access Approval can be layered on top so that such access needs explicit approval first. Admin Activity logs only record administrative actions by customers, not Google personnel, while "Data Access logs with a Google-initiated access filter" is not a log type that exists in Cloud Audit Logs.

Exam trap

The trap here is that candidates confuse 'Data Access logs' with 'Access Transparency logs,' assuming a filter can isolate Google-initiated actions, but Access Transparency is a separate, dedicated log type specifically for Google personnel access, not a subset of Data Access logs.

How to eliminate wrong answers

Option A is wrong because Admin Activity audit logs record actions performed by customers or authorized users within a GCP project (e.g., creating resources), not actions taken by Google support engineers. Option B is wrong because Data Access logs capture API calls that read or modify customer data, but there is no 'Google-initiated access filter' as a distinct log type; Access Transparency logs are the dedicated mechanism for Google-initiated access. Option D is wrong because System event audit logs record GCP system events (e.g., VM live migrations), not personnel actions, and there is no 'personnel filter' in Cloud Audit Logs.
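An added example (not from the page or from Google) of turning these logs into something a security team can act on: a triage pass over two constructed Access Transparency entries. The entries follow the jsonPayload layout this example assumes (location, reason[], accesses[], accessApprovals); the "Case number:" text format, the log filter and the case IDs are also assumptions, so compare them with entries from your own organization before relying on the regex.

```python
"""Triage of Access Transparency log entries: flag Google-personnel accesses
that are not tied to a support case the company opened, are not
customer-initiated at all, or were performed from an unexpected location.

Added example, not from the page. The two entries are constructed and follow
the Access Transparency jsonPayload layout (location, reason[], accesses[],
accessApprovals) as this example assumes it; the case-number text format is
also an assumption, so check both against entries from your own organization.
"""
import json
import re

# Cloud Logging filter that selects these entries for a project (as assumed here).
LOG_FILTER = 'logName="projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Faccess_transparency"'

CASE_RE = re.compile(r"Case number:\s*([A-Za-z0-9-]+)")

SAMPLE_ENTRIES = json.loads("""
[
 {"insertId": "constructed-1",
  "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Faccess_transparency",
  "timestamp": "2024-01-02T03:04:05Z",
  "jsonPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.TransparencyLog",
    "location": {"principalOfficeCountry": "US", "principalEmployingEntity": "Google LLC",
                 "principalPhysicalLocationCountry": "US"},
    "product": ["Compute Engine"],
    "reason": [{"type": "CUSTOMER_INITIATED_SUPPORT", "detail": "Case number: 12345678"}],
    "accesses": [{"methodName": "GoogleInternal.Read",
                  "resourceName": "//compute.googleapis.com/projects/my-project/zones/us-east1-b/instances/app-1"}],
    "accessApprovals": ["projects/my-project/approvalRequests/constructed-approval"],
    "eventId": "evt-1"}},
 {"insertId": "constructed-2",
  "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Faccess_transparency",
  "timestamp": "2024-01-02T04:00:00Z",
  "jsonPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.TransparencyLog",
    "location": {"principalOfficeCountry": "US", "principalEmployingEntity": "Google LLC",
                 "principalPhysicalLocationCountry": "IN"},
    "product": ["Cloud Storage"],
    "reason": [{"type": "GOOGLE_INITIATED_SERVICE", "detail": ""}],
    "accesses": [{"methodName": "GoogleInternal.Read",
                  "resourceName": "//storage.googleapis.com/projects/_/buckets/customer-data"}],
    "accessApprovals": [],
    "eventId": "evt-2"}}
]
""")


def triage(entries, open_cases, allowed_countries, require_approval=True):
    """Return (insertId, finding) pairs for entries a human should review."""
    findings = []
    for entry in entries:
        p = entry["jsonPayload"]
        eid = entry["insertId"]
        reasons = p.get("reason", [])
        customer_initiated = [r for r in reasons if r.get("type") == "CUSTOMER_INITIATED_SUPPORT"]
        if not customer_initiated:
            findings.append((eid, "not-customer-initiated:" +
                             ",".join(r.get("type", "?") for r in reasons)))
        for r in customer_initiated:
            m = CASE_RE.search(r.get("detail", ""))
            if not m or m.group(1) not in open_cases:
                findings.append((eid, "unknown-support-case"))
        country = p.get("location", {}).get("principalPhysicalLocationCountry")
        if country not in allowed_countries:
            findings.append((eid, f"access-from:{country}"))
        if require_approval and not p.get("accessApprovals"):
            findings.append((eid, "no-access-approval"))
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_ENTRIES, open_cases={"12345678"}, allowed_countries={"US", "GB"}):
        print(hit)
```

Feed the function with entries exported from a log sink (for example to Pub/Sub or BigQuery) and the list of support cases your own ticketing system shows as open; the first entry reconciles cleanly, the second produces three findings and is exactly the kind of access a regulated team would want a human to look at.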

499
Drag & Dropmedium

Arrange the steps to create a Cloud Pub/Sub topic, subscription, and publish a message.


Why this order

Create the topic first, then a subscription attached to it, and only then publish: a subscription receives only messages published after it exists, so anything published before it was created is never delivered to it. A pull on the subscription then retrieves the messages, which must be acknowledged or they are redelivered.

500
MCQhard

A team is designing a data pipeline: Cloud Storage → Pub/Sub → Dataflow → BigQuery. They expect 50 GB of data per hour. Dataflow jobs must automatically scale workers based on pipeline backlog. Which Dataflow feature provides automatic horizontal scaling of worker VMs?

A.Vertical scaling — Dataflow automatically increases worker machine types under load
B.Dataflow Horizontal Autoscaling — automatically adds/removes workers based on pipeline lag
C.GKE cluster autoscaler — Dataflow runs on GKE and inherits its autoscaling
D.Cloud Monitoring alerting policy that triggers worker additions via gcloud
AnswerB

Dataflow's horizontal autoscaler monitors the pipeline and adjusts the number of worker VMs to maintain throughput; it is enabled by default for batch jobs and for streaming jobs that use Streaming Engine, and it never exceeds the maximum worker count set on the job.

Why this answer

Dataflow Horizontal Autoscaling is the correct feature because it automatically adds or removes worker VMs based on the pipeline's backlog, which directly matches the requirement for automatic horizontal scaling. The Dataflow service itself tracks the backlog and worker CPU utilization (for batch jobs, the remaining work per stage) and raises or lowers the worker count up to the job's configured maximum, ensuring efficient resource usage without manual intervention.

Exam trap

Google Cloud often tests the distinction between horizontal and vertical scaling, and candidates may confuse Dataflow's autoscaling with GKE cluster autoscaler, not realizing Dataflow manages its own worker fleet independently of GKE.

How to eliminate wrong answers

Option A is wrong because vertical scaling increases the machine type (e.g., more vCPUs or memory) of existing workers, not the number of workers, and Dataflow does not automatically change machine types under load; it relies on horizontal scaling. Option C is wrong because Dataflow does not run on GKE by default; it uses its own managed service for worker VMs, and the GKE cluster autoscaler is irrelevant unless the pipeline is explicitly configured to run on a GKE cluster, which is not the standard deployment. Option D is wrong because while Cloud Monitoring can trigger alerts, it does not directly add workers; Dataflow Horizontal Autoscaling is the built-in mechanism that handles scaling automatically, and using a custom alerting policy to invoke gcloud commands would be an external, non-native approach that contradicts the requirement for automatic scaling.
