Google Associate Cloud Engineer (ACE) — Questions 526–600

991 questions total · 14 pages · All types, answers revealed


Page 8 of 14

Question 526 · MCQ · easy

An organization wants to separate its development and production environments using Google Cloud resource hierarchy. What is the recommended approach?

A. Create a single project and use separate VPC networks for dev and prod.
B. Create two separate organizations, one for dev and one for prod.
C. Create two projects under the same folder and use labels to differentiate dev and prod.
D. Create two folders under the organization node, one for dev and one for prod.
Answer: D

Folders are the correct way to organize projects within an organization for environment separation.

Why this answer

Using folders under the organization node to separate environments is the recommended practice. Folders provide isolation and allow for separate IAM policies and organization policies.

Question 527 · MCQ · hard

A team manages multiple Kubernetes Engine clusters across different projects. They need to enforce that all clusters have the same security policies, including private cluster settings and workload identity. Which approach is most scalable?

A. Use Cloud Asset Inventory to compare configurations and alert on differences.
B. Retrieve cluster configuration for each cluster using gcloud container clusters describe and apply changes manually.
C. Use Config Connector with deployment scripts to manage cluster resources as Kubernetes custom resources.
D. Use Terraform with a module that defines the standard cluster configuration, and apply it to each project.
Answer: D

Terraform provides infrastructure-as-code for consistent, scalable deployment.

Why this answer

Option D is correct because Terraform, combined with a reusable module, provides an Infrastructure as Code (IaC) approach that enforces consistent cluster configurations across multiple projects declaratively. This method is scalable as it allows you to define the standard security policies (private cluster settings, Workload Identity) once in a module and apply it to any number of clusters, ensuring drift is prevented and changes are auditable.

Exam trap

The trap here is that candidates may confuse monitoring tools (Cloud Asset Inventory) or Kubernetes-native tools (Config Connector) with true IaC enforcement, overlooking that Terraform's declarative, module-based approach is the only option that provides scalable, automated, and consistent policy application across multiple projects.

How to eliminate wrong answers

Option A is wrong because Cloud Asset Inventory is a monitoring and alerting tool, not a configuration enforcement mechanism; it can detect differences but cannot automatically apply or remediate policies, making it reactive rather than proactive and less scalable for enforcement. Option B is wrong because manually retrieving and applying configurations with gcloud commands is error-prone, time-consuming, and does not scale across multiple clusters and projects, as it lacks automation and version control. Option C is wrong because Config Connector manages Google Cloud resources as Kubernetes custom resources, but it requires a Kubernetes cluster to run and is primarily designed for managing resources within a single project or from a central cluster, not for enforcing identical policies across multiple independent clusters in different projects.

Question 528 · Multi-Select · easy

Which TWO actions should be taken to reduce latency for users accessing a global application hosted on Compute Engine? (Choose two.)

Select 2 answers
A. Use a single region with more instances.
B. Deploy instances in multiple regions behind a global load balancer.
C. Enable Cloud Armor to filter traffic.
D. Use Cloud Interconnect for connectivity.
E. Use Cloud CDN with the backend bucket.
Answers: B, E

Routes users to the closest healthy backend.

Why this answer

Deploying instances in multiple regions behind a global load balancer (Option B) reduces latency by directing user traffic to the closest healthy backend, minimizing network round-trip time. Using Cloud CDN with a backend bucket (Option E) caches static content at edge locations worldwide, serving users from a nearby cache and offloading origin requests. Together, these actions ensure both dynamic and static content are delivered with minimal latency across a global user base.

Exam trap

The trap here is that candidates often confuse 'scaling up' (more instances in one region) with 'scaling out' (multi-region deployment) and overlook that Cloud CDN is specifically for static content caching, not dynamic requests—though the question does not specify content type, the combination of B and E is the standard best practice for global latency reduction.

Question 529 · MCQ · medium

Your application exposes a REST API that external partners consume. You need rate limiting per partner (API key), usage analytics, and developer portal for onboarding. Traffic is currently 1,000 requests/day but expected to grow to 10M/day within a year. Which GCP service best fits these requirements?

A. Cloud Endpoints with Extensible Service Proxy
B. Apigee API Management
C. Cloud Armor with rate limiting rules
D. API Gateway with a backend Cloud Run service
Answer: B

Apigee provides all required features: per-key rate limiting, built-in developer portal for partner onboarding, detailed API analytics, and scales to billions of requests.

Why this answer

Apigee API Management is correct because it provides built-in rate limiting per API key (via quota policies), detailed analytics dashboards for usage tracking, and a developer portal for partner onboarding and key management. Unlike simpler API gateways, Apigee is designed for enterprise-grade API management at scale, handling growth from 1,000 to 10M requests/day with features like monetization, traffic management, and security policies.

Exam trap

Google Cloud often tests the distinction between a simple API gateway (like Cloud Endpoints or API Gateway) and a full API management platform (Apigee), where the presence of a developer portal and per-partner analytics is the key differentiator, not just rate limiting or traffic growth.

How to eliminate wrong answers

Option A is wrong because Cloud Endpoints with Extensible Service Proxy (ESP) is a lightweight API gateway that lacks a built-in developer portal and advanced analytics; it relies on Google Cloud's operations suite for basic metrics and does not offer per-partner rate limiting via API keys without custom code. Option C is wrong because Cloud Armor is a web application firewall (WAF) and DDoS protection service that can rate-limit by IP address, not by API key or partner, and it provides no developer portal or usage analytics per partner. Option D is wrong because API Gateway with a backend Cloud Run service is a managed gateway that supports rate limiting and basic analytics but lacks a developer portal for partner onboarding and is designed for simpler use cases, not the enterprise-grade API management and analytics required for 10M requests/day.

Question 530 · MCQ · hard

A company has a Cloud Storage bucket that stores sensitive files. They want to ensure that objects are automatically deleted after 30 days to comply with data retention policies. Additionally, they need to keep a copy of all object deletions for audit purposes. Which combination of bucket settings should they use?

A. Enable bucket lock and use object holds
B. Enable object versioning and set a retention policy with a retention period of 30 days
C. Enable a lifecycle rule with condition 'Age: 30 days' and action 'Delete'
D. Enable object versioning and add a lifecycle rule with condition 'Age: 30 days' and action 'Delete' for the current version
Answer: D

Versioning retains noncurrent versions when objects are deleted, providing an audit trail. The lifecycle rule deletes current versions after 30 days, and the noncurrent versions remain (or can be deleted later with a separate rule). This combination meets both requirements.

Why this answer

Cloud Storage lifecycle management can automatically delete objects after 30 days using a lifecycle rule with an Age condition and a Delete action. Object versioning keeps deleted or overwritten objects as noncurrent versions, and those noncurrent versions are what provide the audit copy.

The question asks to 'keep a copy of all object deletions for audit purposes'. With versioning enabled, deleting an object (including a deletion performed by a lifecycle rule) turns it into a noncurrent version instead of removing it. A lifecycle rule that targets current versions with Age: 30 days therefore removes live objects on schedule, while the noncurrent versions remain until a separate rule deletes them. For audit purposes you would either add no rule for noncurrent versions or give them a deliberately long expiry.

The combination that achieves both requirements is versioning plus a lifecycle rule that deletes current objects after 30 days. The deleted objects become noncurrent versions, so the audit copy is kept. If the deletion records must be kept forever, do not add a rule that deletes noncurrent versions.

Option D includes exactly that: versioning and a lifecycle rule with condition Age: 30 days and action Delete for the current version. Option A is wrong because bucket lock and object holds prevent deletion; they do not delete anything automatically. Option B is wrong because a retention policy blocks deletion until the period ends but does not delete objects afterwards. Option C is wrong because a lifecycle rule without versioning leaves no version history once an object is deleted. So D is best.

Question 531 · Drag & Drop · medium

Order the steps to set up a Cloud Storage bucket with uniform bucket-level access and make objects publicly readable.

Why this order

Uniform access must be set at bucket creation; after upload, permissions apply to all objects.

Question 532 · MCQ · medium

A team is deploying a Cloud Function that requires a private environment variable containing an API key. They want the key stored securely and automatically injected at runtime. Which approach follows GCP best practices?

A. Hardcode the API key in the function source code
B. Pass the API key as a plain-text environment variable in the function configuration
C. Store the key in Secret Manager and reference it as a secret environment variable in the function deployment
D. Store the API key in a Cloud Storage bucket and download it at function startup
Answer: C

Cloud Functions support secret environment variables backed by Secret Manager. The secret value is injected at runtime, never stored in plain text in the function config.

Why this answer

Option C is correct because Secret Manager is the GCP-native service designed to securely store API keys and other sensitive data. By referencing a secret as an environment variable in the Cloud Function deployment configuration, the key is automatically decrypted and injected at runtime without exposing it in source code or configuration files. This follows the principle of least privilege and ensures the secret is encrypted at rest and in transit.

Exam trap

Google Cloud often tests the misconception that storing secrets in Cloud Storage with fine-grained ACLs is sufficient, but the trap here is that Secret Manager is the only service that provides automatic encryption, versioning, and audit logging for secrets without requiring custom code.

How to eliminate wrong answers

Option A is wrong because hardcoding the API key in source code exposes it in version control systems, logs, and build artifacts, violating security best practices. Option B is wrong because passing the API key as a plain-text environment variable in the function configuration stores it unencrypted in the deployment metadata and can be viewed in the Cloud Console or API responses. Option D is wrong because storing the key in a Cloud Storage bucket requires additional code to download and parse the file at startup, introduces latency, and risks exposing the key if bucket permissions are misconfigured or if the bucket is publicly accessible.

Question 533 · MCQ · hard

A developer created a Cloud Function with an HTTP trigger. When they send a POST request to the function's URL, they get a 403 Forbidden error. Was the function deployed with the --allow-unauthenticated flag? What is the most likely cause?

A. The function uses a runtime that does not support HTTP triggers
B. The function does not have the Cloud Functions Invoker role for allUsers
C. The function is not deployed in the correct region
D. The function URL is malformed
Answer: B

Without the invoker role for unauthenticated users, IAM returns 403.

Why this answer

For Cloud Functions (1st gen), the --allow-unauthenticated flag only permits unauthenticated invocations if the IAM policy is set accordingly; for Cloud Functions (2nd gen) and Cloud Run, the flag sets that IAM policy itself. A 403 on an HTTP trigger usually means the function does not have the Cloud Functions Invoker role bound to allUsers, so IAM rejects the unauthenticated caller.

The developer may have omitted the --allow-unauthenticated flag or used a different flag. The function URL is correct, a wrong region produces a different error, and an unsupported runtime would also fail differently rather than return 403.

Question 534 · MCQ · easy

A team's GKE application is running out of memory due to a memory leak. Pods are restarting with OOMKilled status. As an immediate measure before a code fix is available, what kubectl action provides the most insight into which container is leaking?

A. kubectl get events --field-selector=reason=OOMKilling
B. kubectl top pods --containers -n [NAMESPACE]
C. kubectl delete pod [POD_NAME] --force=true to clear the memory leak
D. gcloud container clusters describe [CLUSTER] --memory-usage
Answer: B

`kubectl top pods --containers` shows real-time CPU and memory consumption per container, helping identify which container is consuming the most memory — essential for diagnosing leaks.

Why this answer

Option B is correct because `kubectl top pods --containers` shows per-container CPU and memory usage for each pod in the namespace. This allows you to identify which specific container within a pod is consuming excessive memory and triggering the OOMKilled status, even before a code fix is deployed. It provides immediate, real-time insight into resource consumption at the container level, which is essential for diagnosing a memory leak in a multi-container pod.

Exam trap

Google Cloud often tests the misconception that cluster-level or event-based commands (like `kubectl get events` or `gcloud container clusters describe`) provide container-level resource diagnostics, when in fact only `kubectl top` with the `--containers` flag gives per-container memory usage in real time.

How to eliminate wrong answers

Option A is wrong because `kubectl get events --field-selector=reason=OOMKilling` only shows that an OOMKill event occurred, but does not reveal which specific container within the pod leaked memory; it lacks the granularity needed to pinpoint the leaking container. Option C is wrong because `kubectl delete pod --force=true` merely terminates the pod, which does not provide any diagnostic insight into which container caused the memory leak; it is a destructive action that removes the evidence without analysis. Option D is wrong because `gcloud container clusters describe` does not support a `--memory-usage` flag; cluster-level description commands provide static configuration metadata, not real-time per-container memory metrics.

Question 535 · MCQ · easy

A developer needs to create a Cloud Storage bucket with the 'Nearline' storage class in the 'us-east1' region for storing data that is accessed less than once a month. Which command should be used?

A. gcloud storage buckets create my-bucket --storage-class nearline --location us-east1
B. gsutil mb -c nearline -l us-east1 gs://my-bucket
C. gcloud mb --class nearline --region us-east1 gs://my-bucket
D. gsutil mb --storage-class nearline --location us-east1 gs://my-bucket
Answer: B

Correct. -c nearline sets the storage class, -l us-east1 sets the region.

Why this answer

The 'gsutil mb' command creates a bucket with the specified storage class and location. The -c flag sets the storage class, and -l sets the region.

Question 536 · MCQ · hard

Your organization uses VPC Service Controls to protect BigQuery and Cloud Storage. A data pipeline service account needs to read from a protected Cloud Storage bucket and write results to a protected BigQuery dataset. Both resources are in the same perimeter. The service account is outside the perimeter (it runs in a Cloud Run service in a different project). How do you grant the pipeline access?

A. Add the Cloud Run project to the VPC Service Controls perimeter.
B. Create an Ingress Rule in the VPC-SC perimeter that allows the service account from the external project to access the specific BigQuery and Storage resources.
C. Grant the service account `roles/bigquery.admin` and `roles/storage.admin` to bypass the perimeter restrictions.
D. Move the Cloud Run service into a VPC and set up VPC peering to the perimeter VPC.
Answer: B

Ingress rules in VPC Service Controls allow fine-grained external access: specify the source identity (SA), source project, and which services/resources can be accessed inside the perimeter.

Why this answer

Option B is correct because VPC Service Controls (VPC-SC) allow you to define ingress rules that grant access to protected resources from identities outside the perimeter. In this scenario, the service account running in Cloud Run is outside the perimeter, so an ingress rule must explicitly permit that service account to access the specific BigQuery dataset and Cloud Storage bucket. This approach maintains the security boundary while enabling the required data pipeline access.

Exam trap

Google Cloud often tests the misconception that IAM roles can override VPC Service Controls, but the trap here is that VPC-SC operates independently of IAM and requires explicit ingress or egress rules for cross-perimeter access.

How to eliminate wrong answers

Option A is wrong because adding the entire Cloud Run project to the VPC-SC perimeter would extend the security boundary to include all resources in that project, which is overly permissive and may violate security policies. Option C is wrong because granting `roles/bigquery.admin` and `roles/storage.admin` does not bypass VPC-SC restrictions; VPC-SC enforces access controls at the network layer, and IAM roles alone cannot override perimeter boundaries. Option D is wrong because moving the Cloud Run service into a VPC and setting up VPC peering does not address VPC-SC restrictions; VPC peering operates at the network level and does not grant access to resources protected by VPC-SC.

Question 537 · Multi-Select · medium

A DevOps engineer wants to set up budget alerts for a GCP project so that the finance team is notified when costs reach 50% and 90% of the budget. Which two configurations are required? (Choose TWO.)

Select 2 answers
A. Enable billing export to BigQuery
B. Create a budget in the Cloud Billing console
C. Set up a Cloud Function to monitor billing
D. Configure alert thresholds at 50% and 90%
E. Assign the roles/billing.admin IAM role to the finance team
Answers: B, D

You must create a budget and define the amount and scope.

Why this answer

To set up a budget alert with thresholds, you need to create a budget (specifying the amount and scope) and then set alert thresholds (percentages). The budget can also include Pub/Sub notifications, but the question asks for required configurations.

Question 538 · Multi-Select · hard

A DevOps engineer is responsible for deploying a new microservice to GKE. They need to expose the service externally on a static IP address and scale based on HTTP request load. Which THREE resources must be created? (Choose 3 correct answers.)

Select 3 answers
A. Ingress
B. Deployment
C. Service (type LoadBalancer)
D. ConfigMap
E. HorizontalPodAutoscaler
Answers: B, C, E

A Deployment defines the desired state of the pods and manages rolling updates.

Why this answer

To expose a microservice externally with a static IP and load-based scaling, you typically create a Deployment, a Service of type LoadBalancer (which provisions a TCP load balancer with a static IP), and a HorizontalPodAutoscaler to scale based on CPU (or custom metrics). Ingress is not required if using LoadBalancer, but it's another option. ConfigMap is not needed for this.

Question 539 · MCQ · medium

Microservices in a GKE cluster need to discover each other by name without using public DNS. Service A calls Service B at `http://service-b.production.svc.cluster.local`. Which GCP/Kubernetes feature provides this internal DNS resolution?

A. Cloud DNS private zone configured for the cluster's namespace
B. Kubernetes cluster DNS (CoreDNS) resolving Service names within the cluster
C. Anthos Service Mesh — required for service-to-service DNS
D. A custom /etc/hosts entry on each Pod
Answer: B

CoreDNS (the default in-cluster DNS server) automatically creates records for every Service in the format `[service].[namespace].svc.cluster.local`, enabling service-to-service discovery.

Why this answer

Kubernetes cluster DNS, typically implemented by CoreDNS, is the built-in mechanism that resolves Service names like `service-b.production.svc.cluster.local` to the corresponding ClusterIP. This allows Pods to discover each other by name without relying on external or public DNS. CoreDNS runs as a Deployment in the kube-system namespace and automatically creates DNS records for every Service based on its name and namespace.

Exam trap

The trap here is that candidates confuse Cloud DNS (a GCP-managed DNS service for VPCs) with Kubernetes cluster DNS, or assume that a service mesh like Anthos is necessary for internal service discovery, when in fact CoreDNS provides this capability out of the box in any standard GKE cluster.

How to eliminate wrong answers

Option A is wrong because Cloud DNS private zones are used for resolving custom domain names within a VPC network, not for Kubernetes internal Service DNS; the cluster's internal DNS is handled entirely by CoreDNS within the cluster. Option C is wrong because Anthos Service Mesh (based on Istio) provides traffic management, security, and observability, but it is not required for basic service-to-service DNS resolution; CoreDNS works independently of any service mesh. Option D is wrong because manually editing /etc/hosts on each Pod is impractical, does not scale, and would require constant updates as Services are added or removed; Kubernetes DNS automates this resolution dynamically.

Question 540 · MCQ · easy

A developer deployed a new version of a Compute Engine instance but the startup script fails to run. The developer needs to debug the startup script. Which step should be taken first?

A. RDP into the instance and check the system logs.
B. Check the instance's metadata for startup script errors.
C. Recreate the instance with a new image.
D. Review the serial port 1 output in the Google Cloud console.
Answer: D

Serial port 1 displays boot and startup script logs.

Why this answer

Serial port 1 output in the Google Cloud console captures the instance's serial console logs, including startup script execution output and any errors. This is the first and most direct step to debug a failing startup script because it shows the script's stdout, stderr, and any system messages during boot, without requiring network access or additional tools.

Exam trap

The trap here is that candidates confuse checking instance metadata (which stores the script) with viewing execution logs (serial port output), or they assume RDP/SSH is available when the script failure may prevent those services from starting.

How to eliminate wrong answers

Option A is wrong because Compute Engine instances typically run Linux, not Windows, so RDP is not applicable; even for Windows instances, RDP may not be available if the startup script fails before the network stack is ready. Option B is wrong because the instance's metadata stores the startup script content and configuration, not runtime errors or execution logs; checking metadata will not show why the script failed. Option C is wrong because recreating the instance with a new image does not help debug the existing script failure; it would only reset the environment without revealing the root cause.

Question 541 · Multi-Select · hard

A team is deploying a containerized microservice on GKE. They want to ensure the service is externally accessible via a stable IP address and can automatically scale the number of pods based on CPU utilization. Which TWO actions should they perform?

Select 2 answers
A. Expose the deployment using kubectl expose deployment my-service --type=LoadBalancer
B. Set the service type as ClusterIP
C. Create a Cluster Autoscaler on the GKE cluster
D. Create a HorizontalPodAutoscaler targeting the deployment with kubectl autoscale deployment my-service --cpu-percent=80 --min=1 --max=10
E. Expose the deployment using kubectl expose deployment my-service --type=NodePort
Answers: A, D

Creates a LoadBalancer service with a stable external IP.

Why this answer

To expose the service externally with a stable IP, use a Service of type LoadBalancer. To autoscale pods based on CPU, create a HorizontalPodAutoscaler. NodePort only exposes the service on the node IPs, not on a stable external IP.

ClusterIP is internal only, and the cluster autoscaler scales nodes, not pods.

Question 542 · MCQ · medium

A Cloud Function needs to be triggered whenever a message is published to a Pub/Sub topic. Which 'gcloud functions deploy' command flag is required to set the trigger?

A. --trigger-topic
B. --trigger-http
C. --trigger-event
D. --trigger-bucket
Answer: A

Correct flag for Pub/Sub trigger.

Why this answer

The --trigger-topic flag configures a Cloud Function to be triggered by Pub/Sub messages.

Question 543 · MCQ · easy

You need to add an IAM binding for a user to a project using the gcloud command. Which command should you use?

A. gcloud projects add-iam-policy-binding
B. gcloud iam service-accounts add-iam-policy-binding
C. gcloud projects set-iam-policy
D. gcloud iam roles update
Answer: A

Correct command to add a binding.

Why this answer

The command `gcloud projects add-iam-policy-binding <project-id> --member user:<email> --role <role>` adds an IAM policy binding to a project.

Question 544 · MCQ · medium

A team member accidentally deleted a GCP project. You need to recover it. What must be true for a successful recovery within the 30-day window?

A. The project can be restored only if billing was disabled prior to deletion.
B. The project can be restored within 30 days if you have the necessary permissions and the billing account is active.
C. The billing account must be re-associated after undeletion.
D. The project can be restored only if it was deleted by the owner.
Answer: B

Correct: undelete is possible with proper IAM role and active billing.

Why this answer

A deleted project can be restored within 30 days only if the billing account is still active and you have ownership. The project must be undeleted via the Cloud Console or API. Billing must be enabled; if billing was disabled before deletion, you must re-enable it first.

Question 545 · Multi-Select · medium

An organization wants to migrate on-premises databases to Cloud SQL. They have a PostgreSQL database and a MySQL database. They require high availability with automatic failover and regional resilience. Which THREE steps should they take?

Select 3 answers
A. Use gcloud sql import sql to import data into the Cloud SQL instances after creation
B. Create a Cloud SQL instance for MySQL with --tier=db-standard-1 and --zone=us-central1-a
C. Create a Cloud SQL instance for MySQL with --availability-type=regional and --database-version=MYSQL_8_0
D. Create a Cloud SQL instance for PostgreSQL with --availability-type=regional and --database-version=POSTGRES_15
E. Create a Cloud SQL instance for PostgreSQL with --zone=us-central1-a and --secondary-zone=us-central1-c
Answers: A, C, D

Correct step to import SQL dumps into Cloud SQL.

Why this answer

For HA with automatic failover, create each Cloud SQL instance with --availability-type=regional, which gives it a primary and a standby in different zones of the region (the HA configuration). For PostgreSQL the database version should be POSTGRES_15 (any supported version works); for MySQL, MYSQL_8_0.

Import the data with gcloud sql import sql or gcloud sql import csv once the instances exist. Option C (MySQL, regional) and Option D (PostgreSQL, regional) are correct, and Option A is correct for importing.

Option B is incorrect because --zone alone creates a zonal instance, and the standard tier is not HA; HA requires the Enterprise or Enterprise Plus tier. Option E is incorrect because naming a primary and secondary zone does not by itself request regional availability; --availability-type=regional is what provides automatic failover.

Question 546 · MCQ · hard

An organization has strict security policies requiring that all Compute Engine instances use OS Login for SSH access instead of metadata-based SSH keys. Which two actions must be taken to enforce this for all new instances? (Choose two.)

A. Remove all SSH keys from project metadata
B. Use 'gcloud compute ssh' with the --tunnel-through-iap flag
C. Set metadata 'enable-oslogin=FALSE' at the instance level
D. Set metadata 'block-project-ssh-keys=TRUE' at the instance level
E. Set metadata 'enable-oslogin=TRUE' at the project level
Answers: A, E

Ensures no metadata-based keys exist; OS Login then becomes the only method.

Why this answer

To enforce OS Login, enable it project-wide by setting the enable-oslogin=TRUE metadata key at the project level, and remove metadata-based SSH keys so that OS Login is the only remaining access method. The other options are incorrect.

Question 547 · Multi-Select · easy

Which TWO of the following are valid ways to grant IAM roles to a service account for accessing a Cloud Storage bucket? (Select 2 correct answers)

Select 2 answers
A. Use gcloud projects set-iam-policy with a policy file that includes the binding.
B. Use gcloud storage buckets add-iam-policy-binding to grant the role directly on the bucket.
C. Use gcloud iam roles create to assign the role to the service account.
D. Use gcloud projects add-iam-policy-binding to grant the role at the project level.
E. Use gcloud iam service-accounts add-iam-policy-binding.
Answers: B, D

This adds a new IAM binding on the bucket for the member.

Why this answer

IAM roles can be granted at the bucket level using gcloud storage buckets add-iam-policy-binding (or gsutil iam ch) or at the project level which applies to all buckets in the project. The other options are incorrect: gcloud iam roles create creates a custom role definition, not a grant; gcloud iam service-accounts add-iam-policy-binding grants roles on the service account itself; and gcloud projects set-iam-policy replaces the entire policy, not a granular add.

Question 548 · MCQ · medium

You want to allow a vendor to upload files to a specific Cloud Storage bucket in your project without creating a GCP account for them. The upload URL should expire after 24 hours. Which mechanism should you use?

A. Create a GCP service account for the vendor and share the key JSON file.
B. Generate a Signed URL with a 24-hour expiration for the specific bucket path.
C. Make the Cloud Storage bucket publicly writable and share the bucket URL.
D. Add the vendor's email to the bucket's IAM policy with Storage Object Creator role.
Answer: B

Signed URLs provide authenticated, time-limited, no-account-required access to Cloud Storage. The vendor can upload directly using the URL until expiration.

Why this answer

Option B is correct because a signed URL allows time-limited, permissionless access to a specific Cloud Storage object or bucket path without requiring a GCP identity. The URL is cryptographically signed using a service account key, and the 24-hour expiration is set via the `expires` parameter. This meets the requirement of allowing the vendor to upload files without creating a GCP account.

Exam trap

Google Cloud often tests the distinction between identity-based access (IAM) and resource-based access (signed URLs), and the trap here is that candidates may confuse adding an email to IAM (which still requires a Google identity) with the truly identity-free, time-limited access provided by a signed URL.

How to eliminate wrong answers

Option A is wrong because creating a GCP service account and sharing the key JSON file effectively gives the vendor a GCP identity, which contradicts the requirement of not creating a GCP account for them; it also introduces long-term credential management risks. Option C is wrong because making the bucket publicly writable allows anyone on the internet to upload files indefinitely, which violates the 24-hour expiration requirement and poses a severe security risk. Option D is wrong because adding the vendor's email to the bucket's IAM policy requires the vendor to have a GCP account (or a Google account) to authenticate, which directly contradicts the requirement of not creating a GCP account for them.
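The mechanism behind option B, as an added example that is not part of the original page and not Cloud Storage's own signing code: a signer mints a URL carrying the verb, object path and expiry plus an HMAC over those fields, and the storage side verifies expiry first and then the signature. The key, host and 7-day cap are constructed for the example; Cloud Storage's real V4 scheme signs a canonical request with RSA or an HMAC key and uses X-Goog-* query parameters, so this is a simplified illustration of the same idea, not a drop-in implementation.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed signing secret standing in for the service-account private key.
# Assumption for this example only; never hard-code real keys.
SIGNING_KEY = b"example-signing-key-do-not-use-in-production"
BUCKET_HOST = "storage.example.test"   # placeholder host, not storage.googleapis.com
MAX_TTL_SECONDS = 7 * 24 * 3600        # mirrors the 7-day cap on GCS V4 signed URLs


def _string_to_sign(verb: str, path: str, issued: int, expires: int) -> bytes:
    # Every field the server enforces is bound into the signed string, so changing
    # the verb, the object path or the expiry invalidates the signature.
    return f"{verb}\n{path}\n{issued}\n{expires}".encode()


def make_signed_url(verb: str, object_path: str, ttl_seconds: int,
                    now: Optional[int] = None) -> str:
    """Mint a URL that allows exactly one HTTP verb on one object path until it expires."""
    if not 0 < ttl_seconds <= MAX_TTL_SECONDS:
        raise ValueError("ttl must be between 1 second and 7 days")
    issued = int(time.time()) if now is None else now
    expires = issued + ttl_seconds
    sig = hmac.new(SIGNING_KEY, _string_to_sign(verb, object_path, issued, expires),
                   hashlib.sha256).hexdigest()
    query = urlencode({"verb": verb, "issued": issued, "expires": expires, "signature": sig})
    return f"https://{BUCKET_HOST}{object_path}?{query}"


def verify_signed_url(url: str, request_verb: str, now: Optional[int] = None) -> bool:
    """What the storage service does per request: reject if expired, if the verb differs
    from the signed one, or if the signature does not match. No identity is consulted."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    try:
        issued, expires = int(q["issued"]), int(q["expires"])
        signed_verb, presented = q["verb"], q["signature"]
    except (KeyError, ValueError):
        return False
    current = int(time.time()) if now is None else now
    if current >= expires or signed_verb != request_verb:
        return False
    expected = hmac.new(SIGNING_KEY, _string_to_sign(signed_verb, parts.path, issued, expires),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, presented)   # constant-time comparison
```

The verifier checks the expiry before doing any cryptography, which is the cheap rejection path, and compares signatures in constant time. The upload succeeds for the signed verb on the signed path only; a changed path, a changed verb or an edited expires value all fail because the signature no longer matches.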

549
Multi-Selecthard

Your organization uses GCP organizations with multiple folders. You need to assign a team the ability to create projects only in a specific folder. Which TWO steps should you take? (Choose 2)

Select 2 answers
A.Ensure the team has the role roles/resourcemanager.folderViewer on the organization.
B.Grant the role roles/resourcemanager.projectCreator at the organization level.
C.Grant the team the roles/resourcemanager.folderAdmin role on the folder.
D.Optionally apply an organization policy to restrict which folders can contain projects.
E.Grant the role roles/resourcemanager.projectCreator on the specific folder to the team.
AnswersD, E

Can enforce that projects only exist under specific folders.

Why this answer

Grant roles/resourcemanager.projectCreator on the folder (E). A role granted on a folder is inherited only by that folder's subtree, so the team can create projects there and nowhere else; the folder must already exist. An organization policy that constrains where resources may be created (D) is an optional additional guardrail on top of the IAM grant.

Granting projectCreator at the organization level (B) would let the team create projects under any folder. folderViewer on the organization (A) gives read access to every folder and does not authorize project creation. folderAdmin on the folder (C) is broader than the task needs, since it also allows renaming, moving and deleting folders.

550
Multi-Selecteasy

An engineer wants to view the current IAM policy for a project. Which TWO commands will accomplish this?

Select 2 answers
A.gcloud projects get-iam-policy my-project --format json
B.gcloud resource-manager folders get-iam-policy my-folder
C.gcloud iam service-accounts get-iam-policy my-sa@my-project.iam.gserviceaccount.com
D.gcloud projects get-iam-policy my-project
E.gcloud projects get-ancestors-iam-policy my-project
AnswersA, D

Adding --format json outputs the policy in JSON format, which is also valid.

Why this answer

gcloud projects get-iam-policy my-project prints the project's own IAM policy (YAML by default; --format json prints the same policy as JSON). gcloud projects get-ancestors-iam-policy returns a list holding the policy of the project and of every ancestor folder and the organization, which is the right tool when you need to see inherited grants but is not the single project policy the question asks for. The folder and service-account commands read the policy of a folder and of a service account resource respectively.

551
MCQhard

Your application running on GKE is experiencing intermittent 500 errors. You want to create an alert that fires when the 99th percentile latency exceeds 2 seconds OR when the error rate (5xx responses) exceeds 1% of all requests over a 5-minute window. You have Cloud Monitoring configured with the application exporting metrics via OpenTelemetry. What should you create in Cloud Monitoring?

A.Two separate alerting policies — one for latency and one for error rate — each with their own notification channel.
B.A single alerting policy with two conditions (p99 latency and error rate) joined with OR logic.
C.A log-based alert using Cloud Logging to detect 5xx response codes in access logs.
D.An SLO with error budget burn rate alerts configured in Cloud Monitoring.
AnswerB

Cloud Monitoring alerting policies support multi-condition policies with AND/OR combiners. A single OR-combined policy fires when either condition breaches its threshold.

Why this answer

Option B is correct because a Cloud Monitoring alerting policy can hold several conditions joined by its combiner field (AND, OR, or AND_WITH_MATCHING_RESOURCE). With combiner set to OR, one policy fires when either the 99th percentile latency exceeds 2 seconds or the 5xx share exceeds 1% over the 5-minute window, which matches the requirement without separate policies or log parsing.

Exam trap

Google Cloud often tests the distinction between metric-based alerts and log-based alerts, and the trap here is that candidates may choose a log-based alert (Option C) because they associate error detection with logs, but the question explicitly states metrics are exported via OpenTelemetry, making metric-based alerts the correct and more efficient choice.

How to eliminate wrong answers

Option A is wrong because two separate policies produce two independent incidents and two notification configurations to maintain, when a single multi-condition policy expresses the requirement directly. Option C is wrong because a log-based alert only sees 5xx codes that appear in access logs and cannot express the p99 latency condition, while the question states that metrics are already exported via OpenTelemetry, so a metric-based alert is both more direct and free of log-ingestion latency. Option D is wrong because SLO burn-rate alerts fire when the error budget is being consumed faster than the SLO tolerates over a lookback window, which is a different signal from the fixed thresholds the question specifies; burn-rate alerting is often the better choice for reliability engineering, but it does not implement the stated requirement.
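The two conditions and the OR combiner, evaluated over a constructed 5-minute window of request samples. This is an added example and not Cloud Monitoring's evaluator; the sample traffic, thresholds and helper names are assumptions for the example. It shows the two things that commonly go wrong when people reason about such alerts: a single slow request in 200 is not a p99 breach, while 3 failures in 200 is already above 1%.

```python
import math
from dataclasses import dataclass
from typing import Dict, List

WINDOW_SECONDS = 300          # the 5-minute window in the question
P99_THRESHOLD_MS = 2000.0     # condition 1: p99 latency > 2 s
ERROR_RATE_THRESHOLD = 0.01   # condition 2: 5xx share > 1%


@dataclass(frozen=True)
class Request:
    ts: int            # unix seconds
    latency_ms: float
    status: int


def percentile(values: List[float], p: float) -> float:
    """Nearest-rank percentile. Monitoring's ALIGN_PERCENTILE_99 works on distribution
    buckets, so its value is bucket-interpolated; the threshold logic is the same."""
    if not values:
        return 0.0
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100.0 * len(ordered)))
    return ordered[rank - 1]


def evaluate(requests: List[Request], now: int) -> Dict[str, object]:
    """Evaluate both conditions over the trailing window and OR them together."""
    window = [r for r in requests if now - WINDOW_SECONDS < r.ts <= now]
    total = len(window)
    p99 = percentile([r.latency_ms for r in window], 99)
    errors = sum(1 for r in window if 500 <= r.status <= 599)
    error_rate = errors / total if total else 0.0
    latency_breach = p99 > P99_THRESHOLD_MS
    error_breach = error_rate > ERROR_RATE_THRESHOLD
    return {
        "p99_ms": p99,
        "error_rate": error_rate,
        "latency_breach": latency_breach,
        "error_breach": error_breach,
        "fires": latency_breach or error_breach,   # combiner: OR
    }


def constructed_traffic(now: int, n: int, slow: int, failing: int) -> List[Request]:
    """Constructed sample: n requests spread across the window, `slow` of them at 2.5 s
    and `failing` of them returning 503 (disjoint sets of requests)."""
    out = []
    for i in range(n):
        latency = 2500.0 if i < slow else 120.0
        status = 503 if slow <= i < slow + failing else 200
        out.append(Request(ts=now - (i % WINDOW_SECONDS), latency_ms=latency, status=status))
    return out
```

Requests older than the window are ignored, which is why a burst of errors six minutes ago does not keep the policy firing; in Cloud Monitoring the same effect comes from the alignment period and the condition's duration.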

552
MCQeasy

A startup wants to run a small, event-driven application that processes files uploaded to Cloud Storage. The function should be triggered by object finalize events and should have a maximum execution time of 10 minutes. Which compute option is most cost-effective and easy to manage?

A.Compute Engine with a startup script
B.App Engine Standard
C.Cloud Run jobs
D.Cloud Functions (Gen 2)
AnswerD

Gen 2 Cloud Functions (now branded Cloud Run functions) supports Cloud Storage object finalize triggers via Eventarc and is serverless and cost-effective. Caveat: the 60-minute maximum timeout applies to HTTP-triggered Gen 2 functions; event-driven functions, including Cloud Storage triggers, are capped at 9 minutes.

Why this answer

Cloud Functions (Gen 2) can be triggered by Cloud Storage events and is the simplest serverless fit for a single-purpose handler. Check the timeout against the trigger type before committing: HTTP functions allow up to 60 minutes, but event-driven functions allow at most 9 minutes, so a handler that genuinely needs the full 10 minutes should instead run as a Cloud Run service invoked by an Eventarc Cloud Storage trigger, where the request timeout can be set up to 60 minutes. Cloud Run jobs (C) are started on demand or on a schedule rather than by an object event, and Compute Engine and App Engine Standard are heavier than the workload warrants.

553
MCQeasy

A team is building a mobile app backend that requires real-time data synchronization across devices and offline support. The data model is simple and document-based. Which database service should they use?

A.Cloud Bigtable
B.BigQuery
C.Cloud SQL
D.Firestore
AnswerD

Firestore is optimized for mobile apps with real-time listeners, offline data persistence, and automatic multi-device synchronization.

Why this answer

Firestore is a NoSQL document database that provides real-time synchronization, offline support, and is designed for mobile and web apps. It integrates with Firebase SDKs.

554
MCQmedium

You have a Compute Engine VM instance that is currently running. You need to resize it to a different machine type. What must you do first?

A.Stop the instance, then use gcloud compute instances set-machine-type, then start the instance.
B.Use gcloud compute instances update --machine-type while the instance is running.
C.Detach all disks, change machine type, then reattach disks.
D.Create a snapshot of the disk and use it to create a new instance with the desired machine type.
AnswerA

Correct procedure: stop the instance, change machine type, start.

Why this answer

Changing the machine type requires the VM to be in a stopped state. You must stop the instance, change the machine type, then start it.

555
MCQmedium

Your company runs a critical web application on Google Kubernetes Engine (GKE) with a regional cluster. The application uses a Cloud SQL instance for database. Recently, users have been experiencing intermittent connection timeouts. The application logs show database connection errors, but the Cloud SQL instance's CPU and memory usage are low. The GKE cluster and Cloud SQL are in the same region. You notice that the Cloud SQL instance is configured with a private IP address. What is the most likely cause of the timeouts?

A.The Cloud SQL instance is not configured with automatic failover.
B.The Cloud SQL instance's connection pool size is too small.
C.The GKE cluster is not using a Private Service Connect endpoint to reach Cloud SQL.
D.The GKE cluster's nodes are in a different VPC subnet than the Cloud SQL instance.
AnswerC

A Cloud SQL private IP is reachable only over private services access (VPC peering to the service producer network) or a Private Service Connect endpoint in the consumer VPC.

Why this answer

The most likely cause is that the GKE cluster's VPC has no path to the Cloud SQL private IP. A private-IP instance lives in a Google-managed producer network; your VPC reaches it either through private services access (a VPC peering established via the Service Networking API with an allocated IP range) or, for PSC-enabled instances, through a Private Service Connect endpoint that you create in your VPC. Same-region placement does not create that path by itself. The instance's low CPU and memory rule out capacity, and the symptom is on the connection, which points at the network path rather than the database.

Exam trap

Google Cloud often tests the misconception that resources in the same region and VPC can communicate automatically via private IP, but Cloud SQL private IP requires explicit Private Service Connect or VPC peering, not just same-region placement.

How to eliminate wrong answers

Option A is wrong because automatic failover affects availability during a zonal outage of the instance, not connection timeouts from a healthy instance with low CPU and memory. Option B is wrong because connection-pool exhaustion shows up as waits inside the application for a free connection and scales with load; the logs report database connection errors and the instance is idle, which points at the network path. Option D is wrong because subnets in the same VPC can reach each other, so different subnets for the nodes and the allocated Cloud SQL range are not a problem; the missing piece is the peering or Private Service Connect endpoint that exposes the Cloud SQL private IP to the VPC at all.

556
MCQmedium

A FinOps team wants to analyze daily GCP spending trends, allocate costs by team using labels, and create custom dashboards. Which configuration exports billing data for this analysis?

A.Enable Cloud Monitoring billing metrics and build dashboards in Metrics Explorer
B.Download the monthly billing PDF from the Console and import it into a spreadsheet
C.Enable Cloud Billing data export to BigQuery and query the exported dataset
D.Use the Cloud Billing API to pull cost data into Cloud Firestore nightly
AnswerC

BigQuery billing export provides detailed, near-real-time cost data including resource labels, SKUs, and usage amounts. It's the standard approach for GCP FinOps analysis.

Why this answer

Option C is correct because exporting GCP billing data to BigQuery enables granular, daily cost analysis, label-based allocation, and custom dashboard creation via tools like Looker Studio. BigQuery's SQL interface allows querying detailed cost and usage data, which is essential for the FinOps team's requirements.

Exam trap

Google Cloud often tests the misconception that Cloud Monitoring or simple API pulls are sufficient for detailed cost analysis, but the exam expects candidates to recognize that BigQuery export is the only option that provides the required granularity, label support, and queryability for custom dashboards.

How to eliminate wrong answers

Option A is wrong because Cloud Monitoring billing metrics provide only aggregated, pre-defined cost views and lack the granular, label-based cost allocation and custom querying capabilities needed for detailed analysis. Option B is wrong because monthly billing PDFs offer only a high-level summary, not daily granularity or label-based cost breakdowns, and cannot be queried programmatically for custom dashboards. Option D is wrong because Cloud Firestore is a NoSQL document database not designed for cost analytics; using the Cloud Billing API to pull data into Firestore nightly would require custom code, lacks native querying for cost trends, and is not a standard or scalable approach for this use case.

557
Multi-Selecthard

A company has multiple GCP projects and wants to enforce a policy that prevents the creation of VMs with public IP addresses. Which three methods can be used to enforce this restriction? (Choose THREE.)

Select 3 answers
A.Create a VPC with no default route to the internet and enforce using network tags
B.Use IAM conditions to allow create only when instances do not have external IPs
C.Create a custom IAM role that denies the `compute.instances.create` permission
D.Use an organization policy constraint `compute.vmExternalIpAccess`
E.Use a custom role with `compute.instances.create` and add a condition that checks for the absence of external IPs
AnswersA, D, E

The organization policy constraint is the control that blocks external IPs at creation time; a VPC with no default internet route makes any external IP unreachable, and firewall rules keyed on network tags limit what the instance can accept.

Why this answer

The organization policy constraint compute.vmExternalIpAccess (D) is the enforcing control: it is a list constraint, so set it to deny all values at the organization or folder level (optionally allowing an explicit list of VM resource names) and the Compute Engine API rejects any instance request that carries an access config. Option A is a compensating network control rather than a creation-time block: without a route to the internet an external IP is useless, and tag-scoped firewall rules keep the attack surface down. Option E pairs a custom role with an IAM condition; be aware that IAM conditions evaluate attributes such as resource name, resource type and request time, not fields inside the instance body, so in practice the organization policy is the one method that reliably enforces the restriction. Option C is wrong because a custom role can only grant permissions, never deny them (that is what IAM deny policies do, and they also cannot key on the presence of an external IP). Option B is wrong for the same reason as the caveat on E: an IAM condition cannot inspect whether an access config is present in the request.

558
MCQeasy

Which gcloud command is used to set the default project for a configuration profile?

A.gcloud init
B.gcloud config set project
C.gcloud projects set
D.gcloud projects list
AnswerB

Correct command to set the default project in gcloud configuration.

Why this answer

The command 'gcloud config set project [PROJECT_ID]' sets the default project in the current active configuration. The other commands are for other purposes.

559
MCQmedium

An organization wants to enforce a policy that disables the creation of VMs with external IPs across all projects. Which resource hierarchy level should the policy be attached to for maximum coverage?

A.Project
B.Resource (VM)
C.Organization
D.Folder
AnswerC

Correct: Attaching at the organization level applies to all folders and projects.

Why this answer

Organization policies can be applied at the organization level to affect all projects and folders underneath. This ensures the policy covers all resources.

560
MCQeasy

Where in the Google Cloud Console can a user view all APIs currently enabled for their project and monitor their usage?

A.Cloud Shell > Active Sessions
B.IAM & Admin > Service Accounts
C.APIs & Services > Dashboard
D.Monitoring > Metrics Explorer
AnswerC

The APIs & Services Dashboard is the central location for viewing enabled APIs, usage metrics, and managing API settings per project.

Why this answer

Option C is correct because the 'APIs & Services > Dashboard' page in the Google Cloud Console provides a centralized view of all enabled APIs for a project, along with real-time usage metrics such as requests per second, error rates, and latency. This dashboard is the primary interface for monitoring API consumption and identifying throttling or quota issues.

Exam trap

The trap here is that candidates confuse the 'APIs & Services > Dashboard' with the 'Monitoring > Metrics Explorer' because both show usage data, but only the Dashboard provides a project-level view of enabled APIs and their aggregate usage in one place.

How to eliminate wrong answers

Option A is wrong because Cloud Shell > Active Sessions shows active terminal sessions in Cloud Shell, not API enablement or usage. Option B is wrong because IAM & Admin > Service Accounts is used to manage service account identities and keys, not to view enabled APIs or their usage metrics. Option D is wrong because Monitoring > Metrics Explorer is a tool for creating custom charts and alerts from Cloud Monitoring metrics, but it does not provide a consolidated list of enabled APIs for the project.

561
MCQhard

A company has a GKE Autopilot cluster and wants to run a stateful application that requires persistent volumes with high read/write throughput. The application is deployed in a single region and does not require multi-region redundancy. Which storage option is the best choice for the persistent volumes?

A.Cloud Filestore (NFS)
B.Compute Engine persistent disks (SSD) using StorageClass 'pd-ssd'
C.Bigtable
D.Cloud Storage FUSE
AnswerB

Persistent disks are the native block storage for GKE and provide high throughput and low latency for stateful workloads.

Why this answer

GKE Autopilot provisions persistent volumes through the Compute Engine persistent disk CSI driver, and the pd-ssd StorageClass gives the highest IOPS and throughput of the persistent disk types for a single-zone workload. Regional persistent disks replicate across two zones for resilience at extra cost; the question rules that out by asking for a single region with no extra redundancy. Cloud Storage FUSE exposes object storage as a file system and is not a fit for a stateful application's high read/write throughput, and Bigtable is a database, not a volume.

Filestore is shared NFS file storage, useful when many pods must mount the same volume read-write, but it is more expensive and adds network round trips. Block storage on persistent disks is native to GKE and gives the best per-volume performance for stateful applications.

562
MCQmedium

A company is deploying a microservices application on Google Kubernetes Engine (GKE). They want to expose their services to the internet using a single external IP address and route traffic based on the request path. Which resource should they use?

A.An Ingress resource
B.A Service of type NodePort
C.A Service of type LoadBalancer for each microservice
D.A Network Endpoint Group (NEG)
AnswerA

Ingress provides path-based routing with a single external IP.

Why this answer

An Ingress resource is the correct choice because it provides HTTP(S) layer 7 routing, allowing you to expose multiple services behind a single external IP address and route traffic based on request paths (e.g., /api to one service, /web to another). This meets the requirement of using one external IP and path-based routing, which a Service alone cannot achieve.

Exam trap

The trap here is that candidates often confuse a Service of type LoadBalancer with an Ingress, thinking that a LoadBalancer can also provide path-based routing, but a LoadBalancer operates at layer 4 (TCP/UDP) and cannot inspect HTTP paths, whereas Ingress operates at layer 7 and is specifically designed for such routing.

How to eliminate wrong answers

Option B is wrong because a Service of type NodePort exposes the service on a static port on each node's IP, but it does not provide a single external IP or path-based routing; it requires additional infrastructure (like an external load balancer) to route traffic. Option C is wrong because a Service of type LoadBalancer for each microservice would create a separate external IP per service, violating the requirement for a single external IP and not supporting path-based routing. Option D is wrong because a Network Endpoint Group (NEG) is a backend resource used with load balancers to specify endpoints (e.g., pods), but it does not itself expose services or route traffic based on request paths; it is a configuration component, not a routing resource.

563
MCQhard

A company manages a production GKE cluster with node auto-upgrade enabled. They want to ensure that during a node upgrade, the workloads are rescheduled gracefully without downtime. What Kubernetes resource should be configured on their Deployments?

A.PodDisruptionBudget
B.HorizontalPodAutoscaler
C.ResourceQuota
D.Node affinity rules
AnswerA

PDB ensures a minimum number of pods remain available during voluntary disruptions.

Why this answer

PodDisruptionBudget (PDB) allows you to specify the minimum available or maximum unavailable pods during voluntary disruptions like node upgrades. Without a PDB, a node upgrade could evict all pods at once, causing downtime. ResourceQuota and HorizontalPodAutoscaler do not control disruption.

564
Multi-Selectmedium

A company wants to automate the response to specific log entries by triggering a Cloud Function. Which THREE components are required? (Choose 3)

Select 3 answers
A.Cloud Function (Pub/Sub trigger)
B.Cloud Logging log sink
C.Pub/Sub topic
D.BigQuery dataset
E.Cloud Monitoring notification channel
AnswersA, B, C

Why this answer

Log entries matching the sink's filter must be routed to a Pub/Sub topic via a log sink (gcloud logging sinks create SINK_NAME pubsub.googleapis.com/projects/PROJECT/topics/TOPIC --log-filter='...'). The Cloud Function is deployed with a Pub/Sub trigger on that topic and receives each LogEntry as the message payload. The log sink is the exporter, Pub/Sub is the intermediary, and the Cloud Function is the action. Practitioner check: the sink gets its own writer identity service account, and the function will never fire until that identity holds roles/pubsub.publisher on the topic.

A notification channel is for alerts, not triggers. BigQuery is not needed.
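The function body for this pipeline, as an added example that is not part of the original page: it decodes the base64 LogEntry that the sink placed on the topic and decides whether to act. The sink filter, project name, audit entry and sensitive-role set are constructed for the example. A deployed Gen 2 function would wrap handle_pubsub_event with functions_framework.cloud_event and pass it cloud_event.data; that wrapper is omitted so the code runs offline.

```python
import base64
import json
from typing import Dict

# Constructed sink filter for this example: only Admin Activity audit entries that changed
# an IAM policy reach the topic. Assumed for the example; adapt to your own trigger condition.
SINK_FILTER = (
    'logName:"cloudaudit.googleapis.com%2Factivity" '
    'AND protoPayload.methodName="SetIamPolicy"'
)
SENSITIVE_ROLES = {"roles/owner", "roles/editor"}   # assumption for the example


def handle_pubsub_event(event_data: Dict) -> Dict:
    """Function body. `event_data` is the Pub/Sub CloudEvent data:
    {"message": {"data": <base64 LogEntry JSON>, ...}, "subscription": ...}.
    Returns the decision so it can be tested; a real function would notify or remediate."""
    entry = json.loads(base64.b64decode(event_data["message"]["data"]))
    payload = entry.get("protoPayload", {})
    actor = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
    # Resource Manager SetIamPolicy audit entries carry the change as binding deltas.
    deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    grants = [d for d in deltas if d.get("action") == "ADD" and d.get("role") in SENSITIVE_ROLES]
    return {
        "actor": actor,
        "resource": payload.get("resourceName", ""),
        "sensitive_grants": grants,
        "alert": bool(grants),
    }


def pubsub_event_for(entry: Dict) -> Dict:
    """Wrap a LogEntry the way the sink -> Pub/Sub -> function path delivers it."""
    data = base64.b64encode(json.dumps(entry).encode()).decode()
    return {"message": {"data": data, "messageId": "1"},
            "subscription": "projects/prod-app/subscriptions/iam-changes"}


# Constructed audit entry: a test service account is granted roles/owner on a project.
SAMPLE_OWNER_GRANT = {
    "logName": "projects/prod-app/logs/cloudaudit.googleapis.com%2Factivity",
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "methodName": "SetIamPolicy",
        "resourceName": "projects/prod-app",
        "authenticationInfo": {"principalEmail": "dev@example.com"},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/owner",
             "member": "serviceAccount:test-sa@prod-app.iam.gserviceaccount.com"},
        ]}},
    },
}
```

Keep the function's own identity minimal: it only needs to publish a notification or call whatever remediation you choose, and it must not itself hold a role that would let a bug in the handler escalate privileges.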

565
MCQeasy

A startup's application uses both GCP services and an existing on-premises Kubernetes cluster. They want a single control plane to manage Kubernetes clusters across both environments with consistent policy enforcement. Which Google service provides this?

A.GKE Hub (Fleet management)
B.Anthos (Google Distributed Cloud) for hybrid multi-cluster management
C.Cloud Interconnect — connects on-premises clusters to GCP so they share a control plane
D.Cloud Composer — a managed Kubernetes workflow across environments
AnswerB

Anthos provides a unified management layer for GKE clusters on GCP, on-premises (Anthos on bare metal/VMware), and other clouds — with consistent policy, service mesh, and CI/CD.

Why this answer

Anthos (Google Distributed Cloud) is the correct answer because it provides a unified control plane for managing Kubernetes clusters across on-premises and GCP environments, enabling consistent policy enforcement, configuration, and observability. Anthos uses GKE on-prem and GKE in the cloud, with a centralized Anthos Config Management and Service Mesh for policy and security consistency, directly addressing the hybrid multi-cluster management requirement.

Exam trap

The trap here is that candidates confuse GKE Hub (a fleet management feature) with the full Anthos platform, forgetting that GKE Hub alone does not manage on-premises clusters without Anthos GKE On-Prem.

How to eliminate wrong answers

Option A is wrong because GKE Hub (Fleet management) is a component within Anthos that provides a centralized view and policy management for GKE clusters, but it is not a standalone service that manages both on-premises and GCP clusters with a single control plane; it relies on Anthos for hybrid capabilities. Option C is wrong because Cloud Interconnect provides dedicated network connectivity between on-premises and GCP, but it does not provide a control plane for managing Kubernetes clusters; it is a networking service, not a cluster management service. Option D is wrong because Cloud Composer is a managed Apache Airflow workflow orchestration service, not a Kubernetes cluster management platform; it can run workflows across environments but does not provide a unified control plane or policy enforcement for Kubernetes clusters.

566
Multi-Selectmedium

Your GKE cluster has a node pool that is underutilized. You want to enable cluster autoscaling to automatically adjust the number of nodes based on workload demand. Which TWO steps are required? (Choose two.)

Select 2 answers
A.Upgrade the control plane to the latest version
B.Specify --min-nodes and --max-nodes parameters
C.Run gcloud container clusters update CLUSTER_NAME --node-pool POOL_NAME --enable-autoscaling
D.Set the --autoscaling-profile option to 'optimize-utilization'
E.Run gcloud container node-pools update POOL_NAME --enable-autoscaling --cluster CLUSTER_NAME
AnswersB, E

Minimum and maximum node counts must be set for autoscaling to work.

Why this answer

Autoscaling is a property of the node pool: enable it with --enable-autoscaling (E) and give the autoscaler its bounds with --min-nodes and --max-nodes (B); without bounds there is nothing for it to scale between. The same flags are also accepted by gcloud container clusters update CLUSTER_NAME --node-pool POOL_NAME (C), so C is not invalid syntax, but it is an older form of the same step rather than a second required step. Option A is unrelated: autoscaling does not require a control plane upgrade. Option D selects the optimize-utilization autoscaling profile, which tunes how aggressively the autoscaler removes nodes and is optional.

567
MCQeasy

An engineer needs to monitor the external HTTP availability of a web application hosted on Compute Engine. Which Cloud Monitoring feature should they use?

A.Uptime check
B.Dashboard
C.Metric Explorer
D.Log-based alert
AnswerA

Why this answer

Uptime checks are designed to verify that a resource is accessible and measure response latency from various locations. They can check HTTP/HTTPS/TCP endpoints.

568
MCQhard

A media company ingests 500,000 events per second from IoT sensors and needs to store them for time-series analytics queries that scan billions of rows. Which storage service is most appropriate?

A.Cloud Firestore
B.Cloud SQL for MySQL
C.Cloud Bigtable
D.BigQuery streaming inserts
AnswerC

Bigtable is purpose-built for high-throughput, low-latency NoSQL workloads including IoT time-series. It scales linearly with node count and supports the ingestion rate and query patterns described.

Why this answer

Cloud Bigtable is the most appropriate service because it is a fully managed, scalable NoSQL database designed for high-throughput, low-latency workloads like IoT sensor data ingestion at 500,000 events per second. It supports time-series analytics queries scanning billions of rows via its wide-column storage model and integration with BigQuery for complex analytics, while providing sub-10ms latency for point lookups and efficient range scans.

Exam trap

Google Cloud often tests the misconception that BigQuery streaming inserts are a storage service for high-ingestion workloads, but BigQuery is a data warehouse optimized for analytical scans, not a low-latency serving store for time-series rows, and its streaming path is quota-limited per project, whereas Bigtable throughput scales linearly with the nodes you add.

How to eliminate wrong answers

Option A is wrong because Cloud Firestore is a document-oriented NoSQL database optimized for mobile and web app synchronization with per-document writes, not a wide-column store built for sustained high-rate time-series ingestion and range scans over billions of rows. Option B is wrong because Cloud SQL for MySQL is a single-instance relational database that scales vertically (plus read replicas) and is not designed to absorb 500,000 writes per second or to scan billions of rows efficiently. Option D is wrong because BigQuery streaming inserts feed a data warehouse for analytical queries; they are subject to per-project streaming quotas and are not a low-latency store for point lookups or time-ordered row scans. The common pattern is Bigtable as the serving and time-series layer, with data exported or federated into BigQuery for heavier analytics.

569
MCQmedium

A security team wants to centrally identify misconfigured GCP resources across their organization — such as publicly accessible Cloud Storage buckets, unencrypted disks, and overly permissive firewall rules. Which GCP service provides these findings?

A.Cloud Asset Inventory — query for all resources and write custom checks
B.Security Command Center (SCC) with Security Health Analytics enabled
C.Cloud Monitoring alert policies with metric conditions for firewall rule changes
D.Cloud Logging audit log analysis for admin activity changes
AnswerB

SCC's Security Health Analytics automatically detects and reports security misconfigurations across GCP resources at the organization level — including public buckets, insecure firewall rules, and more.

Why this answer

Security Command Center (SCC) with Security Health Analytics enabled is the correct service because it provides built-in, automated scanning for common misconfigurations such as publicly accessible Cloud Storage buckets, unencrypted disks, and overly permissive firewall rules. Security Health Analytics uses a set of pre-defined detectors (e.g., `PUBLIC_BUCKET_ACL`, `DISK_ENCRYPTION_DISABLED`, `FIREWALL_RULE_OPEN`) to continuously assess resources and surface findings in the SCC dashboard, without requiring custom code or manual queries.

Exam trap

The trap here is that candidates often confuse Cloud Asset Inventory's ability to list all resources with the ability to automatically detect misconfigurations, when in reality it only provides raw resource metadata and requires custom logic to identify security issues.

How to eliminate wrong answers

Option A is wrong because Cloud Asset Inventory is a metadata and history service for querying resource snapshots and changes, but it does not have built-in detectors for security misconfigurations; it requires writing custom checks or exporting data to other tools to identify issues like public buckets or unencrypted disks. Option C is wrong because Cloud Monitoring alert policies with metric conditions can notify on firewall rule changes (e.g., via metric `firewall_rule_count`), but they cannot directly detect the misconfiguration (e.g., overly permissive rules) — they only react to change events, not assess the security posture of the rule itself. Option D is wrong because Cloud Logging audit log analysis for admin activity changes can track who changed a firewall rule or bucket ACL, but it does not evaluate whether the resulting configuration is insecure (e.g., public access or missing encryption); it provides an audit trail, not a security assessment.
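What option A's "custom checks" amount to, and what Security Health Analytics does for you: three detectors run over constructed records in the shape of a Cloud Asset Inventory export (one record per asset with assetType, resource.data and, for buckets, iamPolicy). This is an added example and not SCC's or Asset Inventory's code; the sample assets, the category labels and the combined resource-plus-IAM record shape are assumptions for the example (real exports deliver resource content and IAM policies as separate content types). The same external-IP check is the detection-side counterpart of the compute.vmExternalIpAccess organization policy discussed in question 557.

```python
from typing import Callable, Dict, List, Tuple

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
ANYWHERE = "0.0.0.0/0"


def bucket_is_public(asset: Dict) -> bool:
    """Any IAM binding that grants a role to allUsers or allAuthenticatedUsers."""
    bindings = asset.get("iamPolicy", {}).get("bindings", [])
    return any(m in PUBLIC_PRINCIPALS for b in bindings for m in b.get("members", []))


def instance_has_external_ip(asset: Dict) -> bool:
    """Any network interface with an access config, i.e. a NAT'd external IP."""
    nics = asset.get("resource", {}).get("data", {}).get("networkInterfaces", [])
    return any(nic.get("accessConfigs") for nic in nics)


def firewall_is_open(asset: Dict) -> bool:
    """An enabled INGRESS rule that allows traffic from 0.0.0.0/0."""
    data = asset.get("resource", {}).get("data", {})
    if data.get("disabled") or data.get("direction", "INGRESS") != "INGRESS":
        return False
    return ANYWHERE in data.get("sourceRanges", []) and bool(data.get("allowed"))


# Category labels are this example's own, loosely following SHA detector naming.
DETECTORS: Dict[str, Tuple[str, Callable[[Dict], bool]]] = {
    "storage.googleapis.com/Bucket": ("PUBLIC_BUCKET_ACL", bucket_is_public),
    "compute.googleapis.com/Instance": ("PUBLIC_IP_ADDRESS", instance_has_external_ip),
    "compute.googleapis.com/Firewall": ("OPEN_FIREWALL", firewall_is_open),
}


def scan(assets: List[Dict]) -> List[Dict]:
    """Run the detector for each asset type and collect findings."""
    findings = []
    for asset in assets:
        detector = DETECTORS.get(asset.get("assetType", ""))
        if detector and detector[1](asset):
            findings.append({"asset": asset["name"], "category": detector[0]})
    return findings


# Constructed asset records (not real resources).
SAMPLE_ASSETS = [
    {"name": "//storage.googleapis.com/public-assets", "assetType": "storage.googleapis.com/Bucket",
     "iamPolicy": {"bindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]}},
    {"name": "//storage.googleapis.com/internal-data", "assetType": "storage.googleapis.com/Bucket",
     "iamPolicy": {"bindings": [{"role": "roles/storage.objectViewer",
                                 "members": ["group:data-team@example.com"]}]}},
    {"name": "//compute.googleapis.com/projects/p/zones/us-central1-a/instances/bastion",
     "assetType": "compute.googleapis.com/Instance",
     "resource": {"data": {"networkInterfaces": [
         {"network": "global/networks/default",
          "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.10"}]}]}}},
    {"name": "//compute.googleapis.com/projects/p/zones/us-central1-a/instances/worker",
     "assetType": "compute.googleapis.com/Instance",
     "resource": {"data": {"networkInterfaces": [{"network": "global/networks/default"}]}}},
    {"name": "//compute.googleapis.com/projects/p/global/firewalls/allow-ssh-anywhere",
     "assetType": "compute.googleapis.com/Firewall",
     "resource": {"data": {"direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
                           "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}}},
    {"name": "//compute.googleapis.com/projects/p/global/firewalls/allow-internal",
     "assetType": "compute.googleapis.com/Firewall",
     "resource": {"data": {"direction": "INGRESS", "sourceRanges": ["10.0.0.0/8"],
                           "allowed": [{"IPProtocol": "all"}]}}},
]
```

The point of the example is the maintenance burden option A implies: every detector, its scheduling, its exemptions and its finding lifecycle is yours to build, whereas SCC ships and updates these checks and attaches them to an organization-wide finding workflow.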

570
Drag & Dropmedium

Arrange the steps to deploy a containerized application to Google Kubernetes Engine (GKE) using a Deployment and expose it via a Service.

Why this order

Cluster must exist first; then Deployment, then Service to expose.

571
Multi-Selectmedium

Your company has a production project and a development project. You want to ensure that no one can delete the production project accidentally. Which TWO actions should you take? (Choose 2)

Select 2 answers
A.Apply an organization policy constraint that blocks project deletion.
B.Set a deletion protection policy on the project.
C.Set a budget alert at 100% of projected spend.
D.Remove the Owner role from all users and grant only Editor.
E.Add a label to the project indicating it is production.
AnswersA, B

Org policy can disallow project deletion.

Why this answer

To prevent accidental deletion, place a lien on the project (Resource Manager's deletion protection for projects): while the lien exists, resourcemanager.projects.delete requests fail, and someone must deliberately remove the lien before the project can be deleted. In addition, an organization policy applied at the folder or organization level can block project deletion across the hierarchy, so that the guardrail does not depend on every project owner remembering to set a lien. Labels are informational and do not prevent deletion.

Removing the Owner role from everyone would strip legitimate administrators of access and is a blunt workaround rather than deletion protection. Budget alerts notify on spend and do nothing to prevent deletion.

572
MCQeasy

A developer accidentally grants the Owner role to a test service account on the production project. The team wants to remove only this specific IAM binding without affecting other members' access. Which gcloud command achieves this?

A.gcloud projects set-iam-policy [PROJECT] --member=serviceAccount:[SA] --role=roles/owner
B.gcloud projects remove-iam-policy-binding [PROJECT] --member=serviceAccount:[SA_EMAIL] --role=roles/owner
C.gcloud iam remove-binding --project=[PROJECT] --member=[SA] --role=owner
D.gcloud projects delete-member [PROJECT] --member=serviceAccount:[SA_EMAIL]
AnswerB

`remove-iam-policy-binding` removes the specified member+role binding atomically without affecting any other bindings in the policy.

Why this answer

Option B is correct because `gcloud projects remove-iam-policy-binding` is the precise command to remove a single IAM binding (member-role pair) from a project's policy without affecting other bindings. It takes the project ID, member (service account email), and role as parameters, ensuring only the specified binding is removed. This command modifies the existing policy by removing only that specific entry, leaving all other IAM bindings intact.

Exam trap

Google Cloud often tests the distinction between commands that modify the entire policy (`set-iam-policy`) versus those that surgically remove a single binding (`remove-iam-policy-binding`), and candidates may confuse the valid command syntax or assume a generic `remove-binding` subcommand exists.

How to eliminate wrong answers

Option A is wrong because `gcloud projects set-iam-policy` replaces the entire IAM policy for the project with the contents of a policy file (the flags shown are not even accepted by that command); any binding missing from the file is revoked, which is exactly the kind of collateral change the team wants to avoid. Option C is wrong because `gcloud iam remove-binding` is not a valid gcloud command; the correct verb is `remove-iam-policy-binding` under the `projects` resource, and the role must be written as `roles/owner`, not `owner`. Option D is wrong because `gcloud projects delete-member` is not a valid gcloud command; there is no subcommand for removing a member from a project in one step. After the removal, run `gcloud projects get-iam-policy [PROJECT]` and confirm the service account no longer appears under `roles/owner`.
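The difference between the binding commands and set-iam-policy, shown on a policy document: add-iam-policy-binding and remove-iam-policy-binding (this question, and the bucket/project grant in question 547) perform a read-modify-write that touches one (role, member) pair, while set-iam-policy replaces the whole document. This is an added example and not gcloud's implementation; the starting policy, etag, project name and service account are constructed. The last function is the pre-flight check a practitioner wants before ever running set-iam-policy with a hand-edited file.

```python
import copy
from typing import Dict, List, Set, Tuple

Policy = Dict
Grant = Tuple[str, str]   # (role, member)


def add_binding(policy: Policy, role: str, member: str) -> Policy:
    """Equivalent of add-iam-policy-binding: append `member` to the unconditional
    binding for `role`, creating the binding if absent; nothing else changes."""
    new = copy.deepcopy(policy)
    bindings: List[Dict] = new.setdefault("bindings", [])
    for b in bindings:
        if b["role"] == role and "condition" not in b:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    bindings.append({"role": role, "members": [member]})
    return new


def remove_binding(policy: Policy, role: str, member: str) -> Policy:
    """Equivalent of remove-iam-policy-binding: drop one member from one role; a binding
    left with no members is removed, every other binding is preserved."""
    new = copy.deepcopy(policy)
    kept = []
    for b in new.get("bindings", []):
        if b["role"] == role and "condition" not in b:
            b["members"] = [m for m in b["members"] if m != member]
            if not b["members"]:
                continue
        kept.append(b)
    new["bindings"] = kept
    return new


def grants(policy: Policy) -> Set[Grant]:
    """Flatten a policy into its (role, member) pairs."""
    return {(b["role"], m) for b in policy.get("bindings", []) for m in b.get("members", [])}


def dropped_by_set_policy(current: Policy, proposed: Policy) -> Set[Grant]:
    """Pre-flight check before set-iam-policy: every pair that exists today but is
    missing from the proposed file is a grant the replacement will silently revoke."""
    return grants(current) - grants(proposed)


# Constructed starting policy for a production project. The etag is what set-iam-policy
# uses for optimistic concurrency; the add/remove commands carry it through for you.
CURRENT_POLICY = {
    "etag": "BwXexample",
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/editor", "members": ["user:bob@example.com"]},
    ],
}
TEST_SA = "serviceAccount:test-sa@prod-app.iam.gserviceaccount.com"
```

Conditional bindings are deliberately left alone by both helpers: a role can appear several times with different conditions, and the gcloud commands likewise require --condition to target those, which is a common source of "the binding is still there" surprises.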

573
MCQ · medium

A Cloud Run service is experiencing high latency. You suspect one revision is causing the issue. The service is configured to split traffic 90% to revision A and 10% to revision B. You want to gradually shift traffic back to revision A only. Which command should you use?

A. kubectl set traffic my-service --revision=my-service-00001=100
B. gcloud run services update-traffic my-service --to-revisions=my-service-00001=100
C. gcloud run revisions delete my-service-00002
D. gcloud run services update my-service --set-revision my-service-00001
Answer: B

This sets 100% traffic to revision A (represented by the revision name).

Why this answer

`gcloud run services update-traffic` lets you set the traffic percentage assigned to each revision of a service. Assigning 100% to revision A (via `--to-revisions`) achieves the goal without deleting revision B.

574
MCQ · hard

A security auditor needs to check whether a specific user (user@company.com) currently has sufficient permissions to delete a Cloud SQL instance in project 'prod-db'. Without making any changes, which tool simulates this check?

A. Run the delete command with `--dry-run` flag to simulate without executing
B. Use the IAM Policy Troubleshooter (Policy Simulator) to check if the permission is granted
C. Inspect the IAM policy with `gcloud projects get-iam-policy` and manually trace inheritance
D. Grant the user the permission temporarily, test the delete, then revoke it
Answer: B

The Policy Troubleshooter evaluates the effective IAM policy for a principal+permission+resource combination and explains whether access is granted or denied — non-destructive and immediate.

Why this answer

The IAM Policy Troubleshooter (Policy Simulator) is the correct tool because it allows you to check whether a specific user has a particular permission (e.g., cloudsql.instances.delete) on a given resource (the Cloud SQL instance in project 'prod-db') without making any changes. It evaluates the effective IAM policy, including all inherited roles and policies, and returns a result indicating whether the permission is granted. This directly addresses the auditor's need to simulate a permission check without executing any action.

Exam trap

Google Cloud often tests the misconception that a dry-run flag or manual policy inspection is sufficient for permission checks, but the trap here is that only the IAM Policy Troubleshooter provides a comprehensive, no-change simulation that evaluates all policy types and inheritance paths, which is essential for security audits.

How to eliminate wrong answers

Option A is wrong because the `--dry-run` flag is not supported by the `gcloud sql instances delete` command; Cloud SQL does not implement a dry-run mode for deletion operations, and even if it did, it would simulate the deletion action itself, not check permissions. Option C is wrong because manually inspecting the IAM policy with `gcloud projects get-iam-policy` and tracing inheritance is error-prone, time-consuming, and does not account for all policy types (e.g., deny policies, conditional roles, or resource-level policies) that the Policy Troubleshooter evaluates automatically. Option D is wrong because granting the user the permission temporarily, testing the delete, and then revoking it is an insecure and disruptive approach that changes the environment, violates the 'without making any changes' requirement, and could lead to unintended consequences or audit compliance issues.

575
Multi-Select · medium

An engineer is setting up a new GCP project for a containerized application. They need to enable the required APIs. Which TWO APIs must be enabled to deploy and manage a Kubernetes cluster and build container images?

Select 2 answers
A. compute.googleapis.com
B. bigquery.googleapis.com
C. cloudbuild.googleapis.com
D. container.googleapis.com
E. cloudfunctions.googleapis.com
Answers: C, D

Correct: the Cloud Build API (`cloudbuild.googleapis.com`) for building container images and the Kubernetes Engine API (`container.googleapis.com`) for deploying and managing the cluster.

Why this answer

Kubernetes Engine API and Cloud Build API are needed for cluster management and building images.

576
Multi-Select · medium

A company needs to audit all actions that modify a Cloud Storage bucket. Which TWO steps should they take to enable this? (Choose 2 answers.)

Select 2 answers
A. Use Log Explorer to filter logs by the Cloud Storage service and the 'data_access' log type.
B. Create a VPC Service Controls perimeter.
C. Enable Admin Activity audit logs for the Cloud Storage service.
D. Assign the roles/logging.viewer role to the security team.
E. Enable Data Access audit logs for the Cloud Storage service in the project's IAM audit config.
Answers: A, E

This allows you to view the logged data modifications.

Why this answer

To audit data access modifications, you need to enable Data Access audit logs for the storage service and then view those logs in Log Explorer. Admin Activity logs record configuration changes (like creating a bucket), but data modifications (like uploading objects) require Data Access logs.

577
MCQ · medium

A team discovers their Cloud Logging costs are unexpectedly high. The majority of costs come from verbose DEBUG-level logs from a development service in production. They want to stop storing DEBUG logs without modifying the application. What is the solution?

A. Set the application's log level to INFO — this is the only way to reduce log volume
B. Create a Cloud Logging exclusion filter to discard DEBUG-level log entries from the service
C. Move the development service to a separate GCP project with a lower logging tier
D. Delete old DEBUG log entries manually — Cloud Logging charges for stored volume
Answer: B

Logging exclusion filters (in Log Router) match and discard specified log entries before storage. A filter for `severity=DEBUG` on the resource type drops debug logs without application changes.

Why this answer

Option B is correct because Cloud Logging exclusion filters allow you to discard log entries based on criteria such as severity level, log name, or resource labels before they are ingested and stored. By creating an exclusion filter that matches DEBUG-level log entries from the specific development service, you can stop storing those logs without modifying the application code. This approach directly reduces storage costs because excluded logs are not indexed or retained.

Exam trap

The trap here is that candidates may think modifying the application's log level is the only way to reduce log volume, but Cloud Logging exclusion filters provide a non-invasive, infrastructure-level solution that avoids code changes.

How to eliminate wrong answers

Option A is wrong because setting the application's log level to INFO would require modifying the application code or configuration, which the question explicitly states is not allowed. Option C is wrong because moving the service to a separate GCP project does not reduce log volume; it merely shifts the cost to another project, and Cloud Logging charges are based on ingestion and storage regardless of project. Option D is wrong because deleting old DEBUG log entries manually does not prevent future DEBUG logs from being ingested and stored, and Cloud Logging charges are primarily for ingestion volume, not just stored volume.

578
MCQ · medium

A data analytics team runs Apache Spark jobs to process large datasets. They need a managed cluster that provisions quickly, scales dynamically, and integrates with Cloud Storage and BigQuery. Which service should they use?

A. Cloud Dataflow
B. Cloud Dataproc
C. Cloud Composer
D. Cloud Run with a custom Spark container
Answer: B

Cloud Dataproc is the managed Apache Spark/Hadoop service on GCP. It integrates directly with Cloud Storage and BigQuery, and supports ephemeral cluster models for cost efficiency.

Why this answer

Cloud Dataproc is the correct choice because it is a managed Spark and Hadoop service that provisions clusters in under 90 seconds, supports autoscaling, and natively integrates with Cloud Storage (via the gs:// connector) and BigQuery (via the BigQuery Storage API and Spark BigQuery connector). This makes it ideal for teams needing fast, dynamic, and integrated Spark job execution.

Exam trap

The trap here is that candidates confuse Cloud Dataflow (a Beam-based service) with a managed Spark service, or assume Cloud Run can handle dynamic Spark cluster scaling, when in fact only Cloud Dataproc provides the native Spark runtime and auto-scaling cluster management required for this use case.

How to eliminate wrong answers

Option A is wrong because Cloud Dataflow is a unified stream and batch data processing service based on Apache Beam, not Apache Spark, and it does not provide a managed Spark cluster. Option C is wrong because Cloud Composer is a managed Apache Airflow workflow orchestration service, not a compute engine for running Spark jobs; it can trigger Dataproc jobs but does not run Spark itself. Option D is wrong because Cloud Run is a serverless container platform that does not support dynamic cluster scaling for Spark workloads and lacks native integration with Cloud Storage and BigQuery for Spark; running a custom Spark container on Cloud Run would require manual cluster management and does not provide the managed, auto-scaling Spark environment that Dataproc offers.

579
MCQ · medium

You need to find all log entries from the past hour where a Compute Engine instance failed to start. Which Cloud Logging query language filter should you use?

A. resource.type="gce_instance" AND severity="ERROR" AND "instance" AND timestamp>="-1h"
B. resource.type="gce_instance" AND severity="ERROR" AND "Could not start instance" AND timestamp>="-1h"
C. resource.type="gce_instance" AND "instance" AND timestamp>="-1h"
D. resource.type="gce_instance" AND severity="ERROR" AND "startup"
Answer: B

This filter targets Compute Engine instances, ERROR severity, a specific error message, and the last hour.

Why this answer

The correct filter combines the resource type, the ERROR severity, the specific error message text, and a timestamp range limited to the past hour; the other options either match too broadly ("instance", "startup") or omit the time constraint.

580
MCQ · easy

Which gcloud CLI command authenticates a developer's local environment with their Google account?

A. gcloud config set account [EMAIL]
B. gcloud auth login
C. gcloud init --authenticate
D. gcloud accounts activate
Answer: B

`gcloud auth login` initiates the OAuth flow, authenticates the user, and stores credentials for subsequent CLI commands.

Why this answer

Option B, `gcloud auth login`, is correct because it initiates the OAuth 2.0 flow to authenticate the gcloud CLI with a user's Google account, storing the resulting credentials locally for subsequent API calls. This command is the standard way to authorize a developer's local environment for the first time or when switching users.

Exam trap

The trap here is that candidates confuse configuration commands (like `gcloud config set account`) with authentication commands, mistakenly thinking setting an account name is sufficient to establish credentials, when in fact it only selects a pre-existing authenticated account.

How to eliminate wrong answers

Option A is wrong because `gcloud config set account [EMAIL]` only sets the active account configuration to an already-authenticated account; it does not perform any authentication or credential acquisition. Option C is wrong because `gcloud init --authenticate` is not a valid gcloud command; `gcloud init` can configure a new environment and optionally trigger authentication, but the `--authenticate` flag does not exist. Option D is wrong because `gcloud accounts activate` is not a valid gcloud command; the correct command to switch between authenticated accounts is `gcloud config set account` or `gcloud auth login` to re-authenticate.

581
MCQ · easy

Which gcloud command creates a Compute Engine VM named 'web-01' using the e2-medium machine type in zone us-central1-a?

A. gcloud vm create web-01 --zone=us-central1-a --machine=e2-medium
B. gcloud compute instances create web-01 --zone=us-central1-a --machine-type=e2-medium
C. gcloud instances create web-01 --region=us-central1 --type=e2-medium
D. gcloud compute create-instance web-01 --zone=us-central1-a --size=e2-medium
Answer: B

This is the correct syntax. `gcloud compute instances create` is the command, `--zone` specifies the zone, and `--machine-type` specifies the VM size.

Why this answer

Option B is correct because the `gcloud compute instances create` command is the proper syntax for creating a Compute Engine VM, and it requires the `--machine-type` flag (not `--machine`) to specify the machine type. The zone is specified with `--zone`, and the VM name is provided as a positional argument.

Exam trap

Google Cloud often tests the exact command syntax, and the trap here is that candidates confuse the `gcloud compute instances create` command with shorter, non-existent variants like `gcloud vm create` or `gcloud instances create`, or they use incorrect flag names like `--machine` or `--size` instead of the correct `--machine-type`.

How to eliminate wrong answers

Option A is wrong because `gcloud vm create` is not a valid gcloud command; the correct resource hierarchy is `gcloud compute instances create`. Additionally, the flag for machine type is `--machine-type`, not `--machine`. Option C is wrong because it uses `--region=us-central1` instead of `--zone=us-central1-a`, and zones are required for VM creation (regions are used for regional resources like managed instance groups). It also uses `--type=e2-medium` instead of `--machine-type=e2-medium`. Option D is wrong because `gcloud compute create-instance` is not a valid command; the correct verb is `instances create`. It also uses `--size=e2-medium` instead of `--machine-type=e2-medium`.

582
MCQ · easy

You need to update the container image of a deployment named 'my-app' in GKE to a new version. Which command should you use?

A. kubectl apply -f updated-deployment.yaml
B. kubectl update deployment my-app --image=my-image:v2
C. kubectl edit deployment my-app --image=my-image:v2
D. kubectl set image deployment/my-app my-app-container=my-image:v2
Answer: D

This updates the container named 'my-app-container' to the new image.

Why this answer

`kubectl set image` updates the container image of an existing deployment in place, which triggers a rolling update of its pods; the `--image` flag used in options B and C does not exist on those subcommands, and option A only works if the manifest has already been edited.

583
MCQ · hard

A financial services company needs to run analytics queries on transaction data that arrives in real-time. The queries must return results within 2 seconds and the dataset grows by ~100 GB per day. The company also needs to retain all data for 7 years for regulatory compliance. Which architecture best satisfies these requirements?

A. Write transactions to Cloud Spanner; run analytics queries directly against Spanner.
B. Stream transactions through Pub/Sub → Dataflow → BigQuery; run analytics on BigQuery.
C. Store transactions in Cloud Bigtable and use Dataproc/Spark for analytics queries.
D. Use Cloud SQL for storage and Cloud Dataprep for analytics transformations.
Answer: B

This is the canonical GCP streaming analytics pattern: Pub/Sub for ingestion, Dataflow for transformation, BigQuery for analytics with sub-second to 2-second query performance and 7-year retention.

Why this answer

Option B is correct because it uses Pub/Sub for real-time ingestion, Dataflow for stream processing, and BigQuery for analytics, which can handle 100 GB/day growth and return queries within 2 seconds using BigQuery's columnar storage and automatic sharding. BigQuery's 7-year retention is supported by its time-based partitioning and long-term storage at reduced cost, meeting regulatory compliance without manual intervention.

Exam trap

Google Cloud often tests the distinction between OLTP (Spanner, Cloud SQL) and OLAP (BigQuery) services, and candidates mistakenly choose Spanner for analytics because of its global scale and strong consistency, overlooking that it is not optimized for large-scale analytical queries with strict latency SLAs.

How to eliminate wrong answers

Option A is wrong because Cloud Spanner is designed for transactional (OLTP) workloads with strong consistency, not for large-scale analytics (OLAP); running complex analytics queries directly on Spanner would exceed the 2-second latency requirement and incur high costs due to its node-based pricing and row-oriented storage. Option C is wrong because Cloud Bigtable is a NoSQL wide-column store optimized for high-throughput, low-latency point lookups and time-series data, but it lacks native SQL analytics capabilities; using Dataproc/Spark adds overhead for query parsing and job scheduling, making it difficult to consistently return results within 2 seconds, and Bigtable's storage is not cost-effective for 7 years of retention at 100 GB/day. Option D is wrong because Cloud SQL is a relational database with limited scalability (max ~30 TB per instance) and is not designed for real-time streaming or petabyte-scale analytics; Cloud Dataprep is a data preparation tool for cleaning and transforming data, not for running analytics queries, and it cannot meet the 2-second query latency requirement.

584
MCQ · medium

An organization needs to audit all data access (read/write) to a Cloud Storage bucket for compliance. Which type of audit log should they enable?

A. System Event audit logs
B. Access Transparency logs
C. Admin Activity audit logs
D. Data Access audit logs
Answer: D

Data Access audit logs capture read and write operations on resources, such as Cloud Storage objects.

Why this answer

Data Access audit logs record who accessed what data, including read and write operations. Admin Activity logs record changes to configurations, not data access. To enable Data Access logs, they need to configure the audit policy at the organization, folder, or project level for the specific service (storage.googleapis.com).

585
MCQ · medium

A Cloud Run service needs to read secrets from Secret Manager. The service is deployed with a custom runtime service account. Which IAM role should be granted to the runtime service account, and on which resource?

A. Grant `roles/secretmanager.admin` on the project.
B. Grant `roles/secretmanager.secretAccessor` on the specific secret resource.
C. Grant `roles/viewer` on the project.
D. Grant `roles/secretmanager.secretVersionManager` on the secret.
Answer: B

secretAccessor on the specific secret resource grants exactly the `secretmanager.versions.access` permission needed to read the secret value, scoped to that one secret only.

Why this answer

The principle of least privilege dictates that the runtime service account should only have the minimum permissions required to access the specific secret. The `roles/secretmanager.secretAccessor` role provides exactly the `secretmanager.versions.access` permission needed to read the secret value, and granting it on the specific secret resource (rather than the project) scopes the permission to that secret only, preventing broader access.

Exam trap

Google Cloud often tests the principle of least privilege by offering broad project-level roles (like `roles/secretmanager.admin`) as distractors, tempting candidates to grant excessive permissions instead of scoping the role to the specific secret resource.

How to eliminate wrong answers

Option A is wrong because `roles/secretmanager.admin` grants full administrative control over all secrets in the project, including creating, updating, and deleting secrets, which violates the principle of least privilege and is unnecessary for a service that only needs to read a secret. Option C is wrong because `roles/viewer` is a basic role that provides read-only access to many Google Cloud resources but does not include the specific `secretmanager.versions.access` permission required to read the secret value from Secret Manager. Option D is wrong because `roles/secretmanager.secretVersionManager` includes permissions to manage secret versions (e.g., add, disable, destroy), which is excessive for a service that only needs to read the secret value.

586
MCQ · easy

A company wants to expose a web application running on Compute Engine instances behind a managed instance group. They need a single IP address that distributes incoming HTTP traffic across instances. Which type of load balancer should they use?

A. Internal TCP/UDP Load Balancer
B. External TCP/UDP Network Load Balancer
C. SSL Proxy Load Balancer
D. External HTTP(S) Load Balancer
Answer: D

This is the correct choice for HTTP traffic distribution with a single IP.

Why this answer

Option D is correct because the External HTTP(S) Load Balancer is a regional or global, proxy-based Layer 7 load balancer that provides a single external IP address for distributing incoming HTTP traffic across Compute Engine instances in a managed instance group. It supports HTTP and HTTPS protocols, health checks, and autoscaling, making it ideal for web applications.

Exam trap

The trap here is that candidates often confuse the External HTTP(S) Load Balancer with the External TCP/UDP Network Load Balancer, mistakenly thinking that any load balancer with an external IP can handle HTTP traffic, but the Network Load Balancer lacks Layer 7 features and is not optimized for HTTP workloads.

How to eliminate wrong answers

Option A is wrong because the Internal TCP/UDP Load Balancer is used for internal traffic within a VPC network, not for exposing a web application to the internet. Option B is wrong because the External TCP/UDP Network Load Balancer is a Layer 4 load balancer that forwards traffic based on IP and port, but it does not support HTTP-specific features like URL routing or SSL termination, and it is not the recommended choice for HTTP traffic distribution. Option C is wrong because the SSL Proxy Load Balancer is designed for terminating SSL/TLS connections and forwarding TCP traffic, but it does not handle HTTP protocol inspection or routing, and it is not the standard choice for distributing HTTP traffic.

587
MCQ · hard

You need to configure a GCP organization so that when new projects are created, a specific set of default IAM bindings is automatically applied (e.g., the security team's group gets Security Reviewer on every new project). Which approach achieves this without requiring manual post-creation steps?

A. Set an org policy constraint that applies default IAM bindings to all new projects.
B. Trigger a Cloud Function via Eventarc on project creation audit log events to automatically apply the IAM bindings.
C. Add the security team's group to the organization's IAM policy with Security Reviewer role — it will inherit to all new projects.
D. Require all project creators to use a Terraform module that includes the IAM binding in its configuration.
Answer: B, C

Eventarc can trigger on Cloud Audit Log events (project.create) and invoke a Cloud Function that applies default IAM bindings via the Resource Manager API — a fully automated, event-driven guardrails pattern.

Why this answer

Option B is correct because it uses Eventarc to capture audit log events for 'google.cloud.resourcemanager.v3.CreateProject' and triggers a Cloud Function that programmatically applies IAM bindings to the new project. This ensures the bindings are applied automatically without manual steps, leveraging serverless event-driven architecture.

Exam trap

Google Cloud often tests the misconception that IAM inheritance from the organization level automatically applies to new projects, but in reality, inheritance only applies to existing resources; new projects do not inherit bindings set at the organization level unless they are created within a folder that has the binding, and even then, the binding is not 'default' for all new projects.

How to eliminate wrong answers

Option A is wrong because org policy constraints (e.g., 'constraints/iam.allowedPolicyMemberDomains') only restrict allowed members or roles, they cannot apply default IAM bindings to new projects. Option C is wrong because adding a group to the organization's IAM policy with a role like Security Reviewer does not automatically propagate that binding to new projects; IAM inheritance applies only to resources within the organization hierarchy (folders, projects) that exist at the time the binding is set, not to future projects. Option D is wrong because requiring a Terraform module does not enforce automatic application; it relies on project creators to use the module, which is not automatic and can be bypassed.

588
MCQ · easy

A company wants to migrate an on-premises MySQL database to Cloud SQL with minimal downtime. Which service should they use?

A. Cloud SQL for MySQL
B. Cloud SQL with external replicas
C. Database Migration Service
D. Compute Engine with MySQL installed
Answer: C

Database Migration Service provides minimal downtime migration.

Why this answer

Database Migration Service (DMS) is the correct choice because it is specifically designed to migrate on-premises MySQL databases to Cloud SQL with minimal downtime using continuous replication. It handles schema conversion, data transfer, and ongoing sync until you cut over, ensuring near-zero downtime without manual intervention.

Exam trap

The trap here is that candidates confuse the target service (Cloud SQL for MySQL) with the migration tool, or assume that external replicas can be used for migration, when in fact DMS is the only Google Cloud service purpose-built for minimal-downtime database migrations.

How to eliminate wrong answers

Option A is wrong because Cloud SQL for MySQL is the target service, not a migration tool; selecting it alone does not provide a migration mechanism or minimize downtime. Option B is wrong because Cloud SQL with external replicas is a high-availability or read-scaling feature, not a migration service; it cannot perform the initial data load or continuous replication from an on-premises source. Option D is wrong because Compute Engine with MySQL installed is a manual lift-and-shift approach that requires custom scripting, downtime for data export/import, and lacks automated replication, making minimal downtime difficult to achieve.

589
MCQ · easy

A company is deploying a GKE cluster in a new VPC. The cluster nodes need to communicate with a Cloud SQL instance that has a private IP address. The company wants to minimize data transfer costs and avoid using public IPs. What is the most cost-effective configuration?

A. Create a VPC-native cluster with private nodes and configure Private Service Access for Cloud SQL.
B. Create a cluster with public nodes and set up a Cloud VPN tunnel to Cloud SQL.
C. Create a VPC-native cluster with public nodes and whitelist the node IPs in Cloud SQL authorized networks.
D. Create a cluster with public nodes and use Cloud NAT for outbound traffic.
Answer: A

This configuration enables direct private communication between GKE nodes and Cloud SQL over the internal VPC network.

Why this answer

Option A is correct because a VPC-native cluster with private nodes and a Private Service Access connection allows GKE nodes to reach Cloud SQL over the internal network without incurring egress costs or using public IPs. Option D is wrong because Cloud NAT only provides outbound internet access; it does not enable connectivity to Cloud SQL's private IP. Option C is wrong because a cluster with public nodes would incur egress costs and security risks. Option B is wrong because Cloud VPN is unnecessary for reaching a private IP in the same VPC and adds cost.

590
MCQ · medium

A company is using Cloud NAT to allow private instances to access the internet. However, they notice that traffic from different instances appears to come from the same external IP address. What is the reason?

A. Cloud NAT is not configured correctly; traffic should come from different IPs.
B. Cloud NAT uses a single external IP by default unless you specify multiple.
C. The instances are using a shared VPC so NAT IP is shared.
D. Each instance is assigned a unique external IP by Cloud NAT.
Answer: B

Default Cloud NAT uses one external IP; you can add more.

Why this answer

Cloud NAT uses a source network address translation (SNAT) configuration that, by default, maps all outbound traffic from instances in a VPC network to a single external IP address. This is the expected behavior unless you explicitly configure multiple NAT IP addresses in a NAT gateway or use a Cloud Router with custom SNAT settings. Option B correctly identifies that Cloud NAT defaults to a single external IP unless you specify multiple.

Exam trap

Google Cloud often tests the misconception that Cloud NAT should assign unique external IPs per instance (like a public IP on a VM), when in fact the default behavior is SNAT with a single shared IP, and candidates may incorrectly assume a misconfiguration or shared VPC is the cause.

How to eliminate wrong answers

Option A is wrong because Cloud NAT is designed to allow multiple instances to share one or more external IPs; traffic appearing from the same IP is not a misconfiguration but the default behavior. Option C is wrong because a shared VPC does not inherently cause NAT IP sharing—Cloud NAT is configured per VPC network or subnetwork, and the IP sharing is a function of the NAT gateway's IP pool, not the VPC architecture. Option D is wrong because Cloud NAT does not assign unique external IPs to each instance; it performs SNAT so that all outbound traffic from the NAT gateway's configured IP range appears to originate from the same IP (or set of IPs) rather than per-instance.

591
MCQ · easy

You want to view recent errors from your Compute Engine instances using Cloud Logging. Which query language statement would you use in the Log Explorer?

A. resource.type = "compute.googleapis.com/Instance" AND severity = "ERROR"
B. type = "gce_instance" AND level = "ERROR"
C. resource.type=gce_instance AND severity=error
D. resource.type = "gce_instance" AND severity = "ERROR"
Answer: D

This query correctly filters logs from Compute Engine instances with ERROR severity.

Why this answer

In Cloud Logging, you can filter logs by resource type and severity. The correct syntax uses fields like resource.type and severity.

592
MCQ · hard

A data engineering team is deploying a streaming Dataflow pipeline that reads from Pub/Sub and writes to BigQuery. They need to ensure that each event is processed exactly once, even in the event of failures. Which Dataflow feature should they use?

A. Enable at-least-once delivery on the Pub/Sub subscription
B. Set the Dataflow pipeline to use the 'exactly_once' parameter in the pipeline options
C. Rely on Dataflow's exactly-once processing guarantees
D. Use Cloud Functions to deduplicate messages before sending to Dataflow
Answer: C

Dataflow provides exactly-once processing for streaming pipelines as a built-in guarantee of its processing model; no extra pipeline option or external deduplication step is needed.

Why this answer

Dataflow's streaming engine provides built-in exactly-once processing guarantees for sources like Pub/Sub and sinks like BigQuery. This is achieved through a combination of checkpointing, deterministic replay, and idempotent writes, ensuring that each record is processed exactly once even during worker failures or pipeline updates. No additional configuration or external deduplication is required.

Exam trap

Google Cloud often tests the misconception that exactly-once processing requires explicit configuration or external deduplication, when in fact Dataflow provides it as a default behavior for supported sources and sinks.

How to eliminate wrong answers

Option A is wrong because enabling at-least-once delivery on the Pub/Sub subscription would allow duplicate deliveries, which contradicts the requirement for exactly-once processing. Option B is wrong because there is no 'exactly_once' parameter in Dataflow pipeline options; Dataflow's exactly-once behavior is inherent to the service and not controlled by a pipeline option. Option D is wrong because using Cloud Functions to deduplicate messages before sending to Dataflow adds complexity and latency, and Dataflow already handles exactly-once processing natively without needing external deduplication.

593
Multi-Select · hard

An organization has a VPC with several subnets. They want Compute Engine instances in one subnet to have outbound internet access for updates but not be reachable from the internet. The instances have no external IP addresses. Which THREE components must be configured?

Select 3 answers
A. Cloud Router
B. Private Google Access enabled on the subnet
C. An internet gateway attached to the VPC
D. Firewall rule allowing egress traffic to the internet
E. Cloud NAT
Answers: A, D, E

Cloud Router is required to create the NAT gateway and manage dynamic routes.

Why this answer

Cloud NAT allows outbound internet access for private instances. Cloud Router is required to manage NAT gateway routing. The internet gateway is not needed because Cloud NAT provides the translation.

Private Google Access is for Google APIs, not general internet. Firewall rules for ingress from internet are unnecessary since instances have no external IPs.

594
MCQeasy

Your company recently migrated to GCP and you are the new cloud administrator. You need to ensure that only specific members of the DevOps team can perform administrative actions on Compute Engine instances, such as starting, stopping, and resetting instances, but not creating or deleting them. You also want to prevent them from modifying firewall rules or other network settings. The team consists of 10 members. You have already created a custom role with the necessary permissions and assigned it to a Google Group that contains all team members. However, you receive a report that a team member was able to accidentally delete a production instance. Upon investigation, you find that the team member had been granted the roles/compute.instanceAdmin role in addition to your custom role by another administrator. What should be the best course of action to prevent this from happening again while still allowing the team to perform their intended tasks?

A. Remove the compute.instanceAdmin role from the team member and audit all user assignments for role conflicts.
B. Create an organization policy to block deletion of compute instances.
C. Remove the custom role from the team member and keep only the compute.instanceAdmin role.
D. Use IAM conditions on the custom role to enforce that instances can only be stopped during business hours.
Answer: A

This removes the unintended permission and prevents similar issues by auditing.

Why this answer

Option A is correct because the core issue is that the team member had an additional, more permissive role (roles/compute.instanceAdmin) that overrode the restrictions of your custom role. Removing that conflicting role from the specific user and auditing all assignments ensures that only the intended permissions are applied, preventing accidental deletions while preserving the team's ability to start, stop, and reset instances.

Exam trap

Google Cloud often tests the misconception that you can simply 'block' a specific action (like deletion) via a policy or condition, rather than understanding that IAM permissions are additive and the only way to prevent an action is to remove the role that grants it.

How to eliminate wrong answers

Option B is wrong because an organization policy to block deletion of compute instances would prevent all users, including legitimate administrators, from deleting instances, which is overly restrictive and does not address the root cause of conflicting role assignments. Option C is wrong because removing the custom role and keeping only compute.instanceAdmin would grant the team full administrative access, including the ability to create and delete instances and modify firewall rules, which directly violates the requirement to restrict those actions. Option D is wrong because IAM conditions that restrict stopping instances to business hours do not prevent deletion; they address a different constraint and do not resolve the conflict between the custom role and the compute.instanceAdmin role.

595
MCQhard

A developer created a service account for an application running on a Compute Engine instance. The instance was started without specifying the service account. What must the developer do to make the application use the service account?

A. Use gcloud iam service-accounts add-iam-policy-binding to grant the instance access.
B. Stop the instance, update it with the --service-account flag using gcloud compute instances set-service-account, then start it.
C. Use gcloud compute instances add-iam-policy-binding to assign the service account to the instance.
D. Create a new instance with the service account and migrate the application.
Answer: B

Correct: you can attach a service account to an existing instance after stopping.

Why this answer

If an instance is created without specifying a service account, it uses the default Compute Engine service account. To use a custom service account, the instance is normally created with the --service-account flag. If the instance already exists, it must be stopped; the service account can then be changed (attached) by updating the instance.

The correct approach is to stop the instance, attach the service account, and restart.

596
Multi-Selecteasy

A developer wants to configure a firewall rule to allow HTTP traffic from the internet to a specific Compute Engine instance tagged 'web-server'. Which TWO conditions must be true? (Choose two.)

Select 2 answers
A. The instance must have a public IP address
B. The firewall rule must be of type ingress
C. The firewall rule must be applied to the VPC network
D. The firewall rule must have a target tag of 'web-server'
E. The firewall rule must specify the source IP range 0.0.0.0/0
Answers: B, D

Incoming traffic requires an ingress rule.

Why this answer

Option B is correct because an ingress firewall rule controls incoming traffic to instances. Since the developer wants to allow HTTP traffic from the internet to reach the instance, the rule must be of type ingress to permit inbound connections on port 80.

Exam trap

Google Cloud often tests the misconception that a public IP address is required for internet traffic, but in Google Cloud, traffic can reach instances via Cloud NAT or load balancers without a public IP, and the firewall rule only needs to allow the traffic, not require the instance to have a public IP.

597
MCQmedium

A company needs to run a MongoDB database on Compute Engine. The database requires high-throughput, low-latency storage that can survive VM failures. Which disk type and configuration is most appropriate?

A. SSD persistent disks with snapshots
B. Standard persistent disks with snapshots
C. Extreme persistent disks with snapshots
D. Local SSDs
Answer: A

SSD persistent disks provide high performance, and snapshots help recover data after a VM failure.

Why this answer

SSD persistent disks (pd-ssd) provide high IOPS and low latency for databases. To survive VM failures, the disk should be configured not to be deleted along with the instance, or protected with snapshots. Regional persistent disks replicate data across zones for higher availability, but the question asks for survival of VM failures, which a zonal disk achieves as long as it outlives the VM and is reattached to a recreated instance.

However, regional persistent disks are better for durability across zone failures. The best answer is pd-ssd with snapshots for backup.

598
MCQhard

A DevOps engineer created a Compute Engine instance with a startup script that installs Apache and configures a website. The startup script runs a command that requires a service account with roles/storage.objectViewer to download assets from Cloud Storage. The instance is created with the default compute service account. The startup script fails. Upon inspection, the engineer finds that the service account cannot download the assets. What is the most likely cause?

A. The OAuth scopes on the instance do not include https://www.googleapis.com/auth/devstorage.read_only.
B. A firewall rule is blocking the startup script from reaching the Cloud Storage API.
C. The startup script is not running as the service account.
D. The service account lacks the IAM role roles/storage.objectViewer on the bucket.
Answer: D

The default Compute Engine service account has the project Editor role, but that may not include specific bucket permissions if bucket-level IAM is used. Explicitly granting the objectViewer role is required.

Why this answer

Option D is correct because the default compute service account does not have storage.objectViewer by default; it must be granted. Option A is wrong because the default compute service account typically has project Editor, which includes storage.admin, so it's not a scope issue. Option B is wrong because firewall rules don't affect API calls.

Option C is wrong because OAuth scopes only affect user credentials, not service accounts.

599
MCQhard

A company is extending its on-premises network to Google Cloud using a Cloud VPN tunnel with dynamic routing (BGP). They have set up a Cloud Router in the VPN region. Which additional step is required for the Cloud Router to exchange routes with the on-premises router?

A. Create a static route for the on-premises network on the VPC
B. Configure a BGP session on the Cloud Router with the on-premises router's ASN and IP address
C. Assign an external IP address to the Cloud Router
D. Enable the IP forwarding feature on the VPN gateway
Answer: B

A BGP session is required to exchange routes. Cloud Router does not automatically peer without configuration.

Why this answer

For a Cloud VPN with dynamic routing (BGP), the Cloud Router must have a BGP session configured with the on-premises router. This session requires the on-premises router's ASN and its BGP peer IP address to exchange routes. Without this explicit BGP session configuration, the Cloud Router cannot establish a peering relationship or advertise/learn routes dynamically.

Exam trap

The trap here is that candidates often think Cloud Routers need an external IP (Option C) because they confuse Cloud Router with a physical router, but Cloud Routers are software-defined and communicate over the VPN tunnel using internal IPs.

How to eliminate wrong answers

Option A is wrong because creating a static route for the on-premises network on the VPC is unnecessary when using dynamic routing (BGP); BGP automatically exchanges routes, and static routes would conflict or be redundant. Option C is wrong because Cloud Routers do not require an external IP address; they operate within the VPC and communicate with the on-premises router via the VPN tunnel's internal IP addresses. Option D is wrong because IP forwarding is a VM-level setting (for instances acting as routers) and is not relevant to a Cloud VPN gateway; the VPN gateway inherently forwards traffic based on the routing table and BGP-learned routes.

600
Multi-Selecthard

You are deploying a high-traffic web application on GKE. You need to automatically scale the number of pods based on CPU utilization. Which THREE steps are required to set up Horizontal Pod Autoscaling (HPA)?

Select 3 answers
A. Install the metrics-server in the cluster.
B. Enable Stackdriver Monitoring for the cluster.
C. Create a HorizontalPodAutoscaler resource (e.g., via kubectl autoscale).
D. Create a Deployment with resource requests for CPU.
E. Expose the Deployment as a Service of type LoadBalancer.
Answers: A, C, D

Metrics-server collects resource metrics; HPA depends on it.

Why this answer

To use HPA, you need a deployment (or other scalable resource), you need to apply the HPA resource (e.g., via kubectl autoscale), and you must have metrics-server installed to provide metrics. Creating a service is optional.
