CCNA Planning and configuring a cloud solution Questions

28 of 103 questions · Page 2/2 · Planning and configuring a cloud solution · Answers revealed

76
Multi-Selecteasy

A company is migrating an on-premises MySQL database to Cloud SQL. Which TWO steps are necessary for setting up ongoing replication from on-premises to Cloud SQL? (Choose 2)

Select 2 answers
A.Set up a Dataflow pipeline to stream changes.
B.Use pg_dump to export the database.
C.Enable binary logging on the on-premises MySQL server.
D.Create a Cloud SQL instance to be the replica.
E.Establish a Cloud VPN connection between on-premises and Google Cloud.
AnswersC, D

Binary logs are needed for replication.

Why this answer

Option C is correct because MySQL's native replication relies on binary logs (binlogs) to capture all changes on the primary server. Enabling binary logging on the on-premises MySQL server is essential to generate the change stream that Cloud SQL will read and apply for ongoing replication.

Exam trap

The trap here is that candidates confuse 'ongoing replication' with 'one-time migration' and select a dump tool (Option B) or a generic streaming service (Option A), missing that MySQL replication specifically requires binary logs and a Cloud SQL replica instance.

77
MCQmedium

A team runs Apache Kafka on self-managed VMs for event streaming but wants to reduce operational overhead. Which GCP-native service is the managed alternative to Kafka for pub/sub messaging at scale?

A.Cloud Pub/Sub — Google's managed pub/sub messaging service
B.Cloud Bigtable — a managed wide-column store for streaming data
C.Cloud Dataflow — the GCP managed streaming processing service
D.Cloud Storage — use GCS notification events as a message queue
AnswerA

Cloud Pub/Sub is the native GCP alternative to self-managed Kafka — fully managed, globally available, and scales to millions of messages/second without operational overhead.

Why this answer

Cloud Pub/Sub is the correct answer because it is Google Cloud's fully managed, scalable pub/sub messaging service that provides at-least-once delivery and supports both push and pull subscriptions, making it the direct managed alternative to self-managed Apache Kafka. It eliminates the operational overhead of managing Kafka clusters on VMs while offering similar event streaming capabilities with automatic scaling and global availability.

Exam trap

Google Cloud often tests the distinction between a messaging/queue service (Pub/Sub) and a data processing service (Dataflow) or a storage service (Bigtable, Cloud Storage), so candidates mistakenly choose Dataflow because it 'processes streaming data' or Bigtable because it 'handles streaming data,' missing that the question asks for a managed alternative to Kafka's pub/sub messaging, not for processing or storage.

How to eliminate wrong answers

Option B is wrong because Cloud Bigtable is a managed NoSQL wide-column database optimized for low-latency read/write access to large volumes of streaming data, not a pub/sub messaging system; it lacks the topic-based publish-subscribe model and message retention semantics of Kafka. Option C is wrong because Cloud Dataflow is a managed stream and batch processing service (based on Apache Beam) that processes data from sources like Pub/Sub, but it is not a messaging or queue service itself. Option D is wrong because Cloud Storage with GCS notification events provides object change notifications that can be used as a simple event trigger, but it does not offer the durable, ordered, partitioned message log, configurable retention, or pub/sub semantics required for a Kafka alternative.

78
MCQmedium

A web application uses a managed instance group. Traffic spikes sharply between 9 AM and 5 PM and drops to near zero overnight. Which autoscaling metric most directly triggers scale-out before user experience degrades?

A.Average CPU utilization of instances in the group
B.Pub/Sub subscription queue depth
C.HTTP load balancing serving capacity (requests per second per instance)
D.Disk I/O throughput
AnswerC

This metric reflects actual HTTP request load and triggers scaling before instances become saturated, providing the most responsive scale-out for web workloads.

Why this answer

HTTP load balancing serving capacity (requests per second per instance) is the most direct metric because it measures the actual user-facing load on each instance. When traffic spikes, this metric rises immediately, triggering scale-out before instances become saturated and response times degrade. CPU utilization can lag behind the spike due to queuing or async processing, making it less responsive for sharp traffic patterns.

Exam trap

The trap here is that candidates assume CPU utilization is the universal autoscaling metric, but the ACE exam specifically tests that for web applications with sharp traffic spikes, the HTTP load balancing serving capacity metric provides the fastest and most direct signal to prevent user experience degradation.

How to eliminate wrong answers

Option A is wrong because average CPU utilization can be a lagging indicator—instances may queue requests before CPU spikes, and some workloads (e.g., I/O-bound or async) don't correlate tightly with user-facing load, so scale-out may occur too late. Option B is wrong because Pub/Sub subscription queue depth measures backlog of asynchronous messages, not direct user requests; it is suitable for event-driven or worker-based autoscaling, not for a web application serving live traffic. Option D is wrong because disk I/O throughput is a storage-level metric unrelated to request handling capacity; it would only be relevant for data-intensive batch jobs, not for scaling a web frontend.

79
MCQhard

You are designing a data pipeline that reads from Cloud Storage, transforms data, and writes to BigQuery. The pipeline must process data exactly when new files land (event-driven), handle files up to 5 GB, and complete within 10 minutes. Which approach best meets these requirements?

A.Configure a Cloud Storage Pub/Sub notification → Cloud Function that launches a Dataflow job for each new file.
B.Use a Cloud Scheduler cron job that scans Cloud Storage every minute and processes new files with Dataflow.
C.Use Cloud Functions triggered by GCS events to read and transform the 5 GB file directly.
D.Use BigQuery Data Transfer Service to load files from Cloud Storage on a schedule.
AnswerA

GCS object notifications to Pub/Sub trigger a Cloud Function that launches a Dataflow job. Dataflow handles files up to 5 GB within 10 minutes using parallel workers, and the event-driven architecture processes files exactly when they land.

Why this answer

Option A is correct because Cloud Storage Pub/Sub notifications provide event-driven triggers for each new file, and launching a Dataflow job via a Cloud Function allows processing of up to 5 GB files within the 10-minute window. Dataflow’s autoscaling and streaming capabilities handle large files efficiently, while the Cloud Function acts as a lightweight orchestrator without processing the data itself.

Exam trap

Google Cloud often tests the misconception that Cloud Functions can handle large data processing tasks directly, but the trap here is ignoring the 9-minute timeout and 2 GB memory limit, which make them unsuitable for files over a few hundred megabytes.

How to eliminate wrong answers

Option B is wrong because Cloud Scheduler cron jobs introduce polling latency (up to 1 minute) and are not truly event-driven, potentially missing the 10-minute completion requirement if files arrive between scans. Option C is wrong because Cloud Functions have a 9-minute timeout and 2 GB memory limit, making them incapable of processing a 5 GB file directly within the required time and resource constraints. Option D is wrong because BigQuery Data Transfer Service is designed for scheduled, batch loads from Cloud Storage, not event-driven processing triggered by new file arrivals, and it lacks the transformation capabilities needed for the pipeline.

80
MCQeasy

A company needs to store structured data with strong consistency and global distribution for a global user base. Which Google Cloud database service is best suited?

A.Bigtable
B.Cloud Spanner
C.Cloud SQL
D.Firestore
AnswerB

Cloud Spanner is a globally distributed, strongly consistent database.

Why this answer

Cloud Spanner is the correct choice because it provides strong consistency, horizontal scalability, and global distribution via synchronous replication across regions. It supports SQL queries and ACID transactions, making it ideal for structured data that requires both consistency and global access.

Exam trap

The trap here is that candidates often confuse Firestore's multi-region mode with strong global consistency, not realizing that Firestore sacrifices consistency for availability in that configuration, while Cloud Spanner is the only option that guarantees strong consistency across globally distributed regions.

How to eliminate wrong answers

Option A is wrong because Bigtable is a NoSQL wide-column database designed for high-throughput, low-latency analytical workloads, not for strong consistency across global regions (it offers eventual consistency). Option C is wrong because Cloud SQL is a regional relational database that cannot natively replicate across multiple global regions with strong consistency. Option D is wrong because Firestore is a NoSQL document database that offers strong consistency only within a single region; its multi-region mode provides eventual consistency, not the strong consistency required for global distribution.

81
MCQeasy

Your web application serves users globally. Static assets (images, JS, CSS) are stored in Cloud Storage. Users in Asia report slow load times for these assets. The application origin is in `us-central1`. What is the most cost-effective way to improve static asset performance for Asian users?

A.Replicate the Cloud Storage bucket to an Asia region and update DNS to route Asian users to the regional bucket.
B.Enable Cloud CDN on the Cloud Storage bucket's load balancer backend.
C.Deploy Cloud Run instances in Asia regions to serve the static assets.
D.Increase the Cloud Storage bucket's replication factor to improve throughput.
AnswerB

Cloud CDN caches static assets at Google's global edge PoPs. Asian users receive cached content from a nearby PoP, reducing round-trip latency to us-central1 dramatically.

Why this answer

Cloud CDN uses Google's global edge cache network to serve static assets from locations close to users, reducing latency for Asian users without requiring bucket replication or additional compute. It is the most cost-effective solution because it leverages existing Cloud Storage as the origin and only charges for cache egress and operations, avoiding the overhead of managing regional buckets or compute instances.

Exam trap

Google Cloud often tests the misconception that moving data closer to users requires replicating the storage or deploying compute in multiple regions, when in fact a global CDN is the simplest and most cost-effective solution for static content delivery.

How to eliminate wrong answers

Option A is wrong because replicating the Cloud Storage bucket to an Asia region and updating DNS adds complexity and cost for storage and egress, and DNS-based routing does not provide the same low-latency edge caching as Cloud CDN. Option C is wrong because deploying Cloud Run instances in Asia regions to serve static assets is over-engineered and more expensive than using Cloud CDN, as Cloud Run is designed for compute workloads, not static asset delivery. Option D is wrong because Cloud Storage buckets do not have a configurable 'replication factor' to improve throughput; throughput is handled by the underlying infrastructure, and increasing it does not address geographic latency.

82
MCQmedium

An organization is running a batch job that processes sensitive data. The job writes output to a Cloud Storage bucket. The security team requires that all data at rest be encrypted with a customer-managed key. Which key type should be used?

A.Cloud HSM
B.Default encryption (Google-managed)
C.Customer-supplied encryption keys (CSEK)
D.Cloud KMS CMEK
AnswerD

CMEK provides customer control over keys via Cloud KMS.

Why this answer

Cloud KMS CMEK (Customer-Managed Encryption Keys) is the correct choice because it allows the organization to control and manage the encryption keys used to protect data at rest in Cloud Storage, meeting the security team's requirement for customer-managed keys. CMEK keys are created and managed in Cloud KMS, and you can control key rotation, access, and lifecycle, ensuring compliance with regulatory mandates for customer-managed encryption.

Exam trap

Google Cloud often tests the distinction between key types (CMEK, CSEK, Google-managed) and key protection methods (Cloud HSM, Cloud KMS), so the trap here is confusing Cloud HSM (a key protection option) with a key type, or thinking CSEK is still the recommended customer-managed approach for Cloud Storage.

How to eliminate wrong answers

Option A is wrong because Cloud HSM is a hardware security module service that provides a FIPS 140-2 Level 3 certified environment for key operations, but it is a key hosting option for CMEK keys, not a key type itself; the question asks for the key type, not the key protection method. Option B is wrong because Default encryption (Google-managed) uses Google-managed keys, which do not satisfy the requirement for customer-managed keys, as the organization cannot control or audit the key material. Option C is wrong because Customer-supplied encryption keys (CSEK) are used for client-side encryption where the customer provides the key directly in API calls, but CSEK is deprecated and not recommended for Cloud Storage; moreover, CSEK keys are not managed through Cloud KMS and do not provide the same level of integration, auditing, or lifecycle management as CMEK.

83
MCQmedium

A team is using Cloud Deployment Manager to define infrastructure as code. They need to ensure that a Cloud Storage bucket is created before a Compute Engine instance that uses the bucket. How should they accomplish this?

A.Use a dependsOn metadata annotation in the instance template
B.Set a dependency using the 'dependsOn' field in the instance resource definition
C.Reference the bucket's selfLink in the instance template metadata
D.Create the bucket and instance in separate deployments and run them sequentially
AnswerB

dependsOn in the resource definition ensures the bucket is created first.

Why this answer

In Cloud Deployment Manager, you can define explicit dependencies between resources using the `dependsOn` field within the resource definition. This ensures that the Cloud Storage bucket is fully created before the Compute Engine instance that references it, preventing race conditions or deployment failures. The `dependsOn` field accepts a list of resource names or selfLinks, and Deployment Manager waits for the depended-on resource to reach a DONE state before creating the dependent resource.

Exam trap

Google Cloud often tests the misconception that simply referencing a resource's attribute (like selfLink) in another resource's configuration automatically creates a dependency, but in Deployment Manager, dependencies must be explicitly declared with `dependsOn`.

How to eliminate wrong answers

Option A is wrong because `dependsOn` is not a metadata annotation; metadata annotations in Deployment Manager are used for arbitrary key-value pairs, not for resource dependency ordering. Option C is wrong because referencing the bucket's selfLink in instance template metadata does not create an implicit dependency; Deployment Manager does not automatically infer dependencies from metadata references — you must explicitly declare them with `dependsOn`. Option D is wrong because creating the bucket and instance in separate deployments and running them sequentially is an unnecessary manual workaround that defeats the purpose of using a single declarative template; Deployment Manager natively supports intra-template dependencies with `dependsOn`.

84
MCQmedium

Refer to the exhibit. You have set up an HTTP load balancer with this health check. Your backend instances are running a web server on port 80, and the /health endpoint returns 200 OK. However, the health check marks all instances as unhealthy. What is the most likely cause?

A.The unhealthyThreshold is too low
B.The health check port is 80 but the web server is on port 80
C.The checkIntervalSec is too high
D.The requestPath is /healthz but the application does not have that endpoint
AnswerD

Correct. The health check path must match the application's health endpoint.

Why this answer

The health check is configured with requestPath /healthz, but the application only serves /health. This mismatch causes the health check to receive a non-200 response, marking instances unhealthy.

85
MCQmedium

A gaming company's GKE cluster uses a mix of node pools: a standard on-demand pool for stateful database pods, and a Spot VM pool for compute-intensive but fault-tolerant game simulation pods. The simulation pods occasionally get preempted. How should the Deployment be configured to route simulation pods to the Spot pool only?

A.Set podAffinity to prefer nodes where Spot pods are running
B.Add a nodeSelector: cloud.google.com/gke-spot: 'true' to the simulation Deployment spec
C.Set requests.cpu and requests.memory to very high values — GKE will route them to Spot nodes
D.Name the simulation Deployment with a 'spot-' prefix — GKE routes prefixed deployments to Spot pools
AnswerB

GKE automatically labels Spot VMs with `cloud.google.com/gke-spot: 'true'`. A nodeSelector with this label ensures simulation Pods are scheduled only on Spot nodes.

Why this answer

Option B is correct because GKE uses the node label `cloud.google.com/gke-spot` to identify Spot VMs. Adding a `nodeSelector` with that exact key-value pair ensures the simulation Deployment is scheduled exclusively on Spot nodes, which is the intended behavior for fault-tolerant, preemptible workloads.

Exam trap

The trap here is that candidates may confuse `nodeSelector` with `podAffinity` or assume GKE uses naming conventions or resource requests to determine node pool placement, when in fact it relies on node labels and taints.

How to eliminate wrong answers

Option A is wrong because `podAffinity` influences scheduling based on pod relationships, not node types; it would not restrict pods to Spot nodes. Option C is wrong because setting high resource requests does not route pods to Spot nodes; it only affects scheduling based on available capacity, and GKE does not use resource requests to determine node pool type. Option D is wrong because GKE does not route deployments to Spot pools based on naming conventions; node selection is controlled by labels, taints, and tolerations, not prefixes.

86
MCQmedium

A financial application requires a relational database with automatic failover to a standby in a different zone, with minimal configuration overhead. Which Cloud SQL configuration provides this?

A.Cloud SQL with a read replica in a different zone
B.Cloud SQL with High Availability (HA) configuration
C.Cloud Spanner multi-region instance
D.Two separate Cloud SQL instances with application-level failover logic
AnswerB

Cloud SQL HA creates an automatic failover replica in a different zone. Failover is automatic and requires no manual intervention.

Why this answer

Cloud SQL's High Availability (HA) configuration provides automatic failover to a standby instance in a different zone using synchronous replication and a regional persistent disk. This meets the requirement for minimal configuration overhead because it is a built-in feature that requires no application-level logic or manual intervention.

Exam trap

Google Cloud often tests the misconception that a read replica can serve as a failover target, but read replicas use asynchronous replication and require manual promotion, making them unsuitable for automatic failover with minimal configuration.

How to eliminate wrong answers

Option A is wrong because a read replica is designed for read scaling, not automatic failover; it requires manual promotion and does not provide synchronous replication for zero data loss. Option C is wrong because Cloud Spanner is a globally distributed, horizontally scalable database that introduces significant configuration overhead and cost, not a minimal-configuration relational database for a single-region failover requirement. Option D is wrong because managing two separate Cloud SQL instances with application-level failover logic adds significant configuration overhead and defeats the purpose of minimal configuration, as it requires custom code for health checks, replication, and failover coordination.

87
MCQmedium

Your application runs on Compute Engine instances behind a regional external HTTP(S) load balancer. Users report intermittent timeouts during periods of high traffic. Health checks show all instances as healthy. Which two configuration parameters should you review first?

A.Check SSL certificate expiration
B.Review connection draining and session affinity settings
C.Increase instance machine type (size)
D.Enable Cloud CDN
AnswerB

Connection draining timeouts and session affinity misconfigurations are common causes of intermittent timeouts under load.

Why this answer

B is correct because connection draining (drain mode) and session affinity settings directly affect how the load balancer handles in-flight requests and distributes traffic during high load. Connection draining ensures existing connections complete before an instance is removed, preventing abrupt timeouts. Session affinity (sticky sessions) can cause uneven traffic distribution if misconfigured, leading to overloaded instances and intermittent timeouts even when health checks pass.

Exam trap

Google Cloud often tests the misconception that health check status alone guarantees application availability, but candidates must understand that load balancer configuration parameters like connection draining and session affinity can cause timeouts even when all instances are healthy.

How to eliminate wrong answers

Option A is wrong because SSL certificate expiration would cause persistent TLS handshake failures, not intermittent timeouts during high traffic, and health checks would still show instances as healthy. Option C is wrong because increasing instance machine type addresses resource exhaustion on the instances themselves, but the issue is load balancer-level connection handling and traffic distribution, not compute capacity. Option D is wrong because enabling Cloud CDN caches static content at edge locations, which does not resolve intermittent timeouts caused by connection draining or session affinity misconfiguration for dynamic or stateful traffic.

88
MCQmedium

A startup processes uploaded videos — each video upload triggers transcoding that takes 5–30 minutes. Users should get an immediate response after upload, not wait for transcoding. The transcoding system must handle burst uploads. Which architecture fits?

A.Upload the video and synchronously wait for transcoding to complete before responding
B.Publish a transcoding job to Cloud Pub/Sub after upload; respond immediately; workers consume and process jobs asynchronously
C.Use Cloud Spanner to store video metadata and transcode synchronously in a Cloud SQL stored procedure
D.Deploy the transcoding directly in the API server and scale the API server horizontally for bursts
AnswerB

The user gets an instant acknowledgment. Cloud Pub/Sub buffers the jobs. Autoscaling workers consume messages and transcode — decoupled, scalable, and burst-tolerant.

Why this answer

Option B is correct because it decouples the upload from the transcoding process using Cloud Pub/Sub, allowing the API to respond immediately to the user while workers asynchronously process the transcoding jobs. This pattern handles burst uploads by buffering messages in Pub/Sub and scaling workers independently, ensuring no upload is lost even under high load.

Exam trap

Google Cloud often tests the misconception that synchronous processing or scaling the API server alone can handle long-running tasks, but the trap here is that immediate response and burst handling require asynchronous decoupling via a message queue like Pub/Sub, not just horizontal scaling.

How to eliminate wrong answers

Option A is wrong because synchronous waiting for transcoding (5–30 minutes) would block the HTTP response, violating the requirement for an immediate user response and causing timeouts or poor user experience. Option C is wrong because Cloud Spanner is a globally distributed relational database, not a transcoding engine, and running transcoding synchronously in a Cloud SQL stored procedure is impossible—stored procedures cannot perform video processing tasks. Option D is wrong because deploying transcoding directly in the API server would block the request thread for minutes, preventing horizontal scaling from solving the burst issue (each instance would still be tied up per upload), and it couples compute-intensive work with the stateless API layer.

89
MCQhard

Your organization has a hybrid cloud environment with an on-premises data center connected to Google Cloud via Cloud VPN. The VPN tunnel uses BGP with Cloud Router for dynamic routing. You need to increase the throughput between on-premises and GCP to support a new batch processing workload that transfers 20 Gbps of data. The on-premises gateway hardware supports multiple IPsec tunnels and ECMP (Equal-Cost Multi-Path). You want to maximize throughput without changing the existing on-premises equipment or network topology. Which solution should you implement?

A.Replace Cloud VPN with Dedicated Interconnect.
B.Enable Cloud NAT for the VPN tunnel.
C.Upgrade the Cloud VPN gateway to a larger size.
D.Create additional VPN tunnels to the same Cloud Router, enabling ECMP across them.
AnswerD

Adds more tunnels to increase bandwidth without hardware replacement.

Why this answer

Option D is correct because creating additional VPN tunnels to the same Cloud Router and enabling ECMP allows the on-premises gateway to distribute traffic across multiple IPsec tunnels, effectively aggregating bandwidth up to the supported limit (e.g., 3 Gbps per tunnel, with up to 4 tunnels for 12 Gbps, or more with higher limits). This leverages the existing on-premises hardware's support for multiple tunnels and ECMP without requiring topology changes, and Cloud Router automatically handles BGP multipath to load-balance traffic across the tunnels.

Exam trap

The trap here is that candidates assume upgrading the VPN gateway (Option C) increases throughput, but Cloud VPN gateways are fixed at 3 Gbps per tunnel, and the only way to scale is via multiple tunnels with ECMP, not a single larger gateway.

How to eliminate wrong answers

Option A is wrong because Dedicated Interconnect requires physical cross-connects and changes to on-premises equipment or topology, contradicting the requirement to not change existing equipment or topology. Option B is wrong because Cloud NAT provides outbound internet connectivity for private instances and does not affect VPN throughput or load balancing. Option C is wrong because Cloud VPN gateway size (e.g., Classic VPN vs.

HA VPN) does not have a 'larger size' option; HA VPN already supports up to 3 Gbps per tunnel, and scaling throughput requires multiple tunnels with ECMP, not a single gateway upgrade.

90
MCQhard

A company wants to deploy a globally distributed, multi-tier application with strict low-latency communication between the web and database tiers. The database must be fully managed and able to survive a regional outage with automatic failover. Which combination is most appropriate?

A.Cloud Run (multi-region) and Cloud SQL (cross-region replica with manual failover)
B.Compute Engine regional managed instance group and Cloud SQL (regional with automatic failover)
C.App Engine (standard) and Cloud Datastore (multi-region)
D.Cloud Run (multi-region) and Cloud Spanner (multi-region)
AnswerD

Cloud Spanner provides automatic failover across regions with strong consistency, and Cloud Run can be deployed globally for low latency.

Why this answer

Cloud Run (multi-region) provides a serverless compute layer that can automatically route traffic across regions for low-latency access, while Cloud Spanner (multi-region) offers a fully managed, globally distributed relational database with synchronous replication and automatic failover, ensuring strong consistency and regional outage survival without manual intervention. This combination meets the strict low-latency communication and automatic failover requirements for a multi-tier application.

Exam trap

Google Cloud often tests the distinction between zonal and regional resilience, where candidates mistakenly assume that Cloud SQL's regional automatic failover (which covers zonal outages) is sufficient for a regional outage, but the question explicitly requires survival of a regional outage, which demands a multi-region database like Spanner.

How to eliminate wrong answers

Option A is wrong because Cloud SQL cross-region replica requires manual failover, not automatic, and does not provide the synchronous replication needed for strict low-latency communication across regions. Option B is wrong because Cloud SQL regional with automatic failover only survives a zonal outage, not a regional outage, and the compute layer (regional MIG) is also zonal, not multi-region. Option C is wrong because Cloud Datastore (multi-region) is a NoSQL database that does not support the relational database requirements implied by a multi-tier application with a database tier, and App Engine standard has limitations on runtime and scaling that may not suit low-latency inter-tier communication.

91
MCQeasy

Your company runs a critical web application on a single Compute Engine instance. The application is not containerized and the team lacks DevOps experience. Management requires high availability for this application with minimal disruption to operations and low cost. The application serves dynamic content and uses a MySQL database running on the same instance. You need to design a solution. Which option should you choose?

A.Create a snapshot of the instance, create an instance template, and set up a managed instance group with a load balancer.
B.Migrate the application to Cloud Storage and use a global HTTP(S) load balancer.
C.Deploy the application to App Engine and use traffic splitting between versions.
D.Containerize the application using Cloud Run and configure traffic splitting.
AnswerA

Enables high availability with automated failover and scaling, using existing VM image.

Why this answer

Option A is correct because it leverages a Managed Instance Group (MIG) with an instance template created from a snapshot, which provides auto-healing and auto-scaling for high availability without requiring containerization or DevOps expertise. Combined with a load balancer, this solution distributes traffic across healthy instances, meeting the high-availability requirement with minimal operational overhead and low cost, as MIGs only charge for running instances.

Exam trap

The trap here is that candidates may assume containerization (Option D) is always the best path to high availability, but the question explicitly states the team lacks DevOps experience, making containerization a high-risk, high-effort choice that violates the 'minimal disruption' and 'low cost' requirements.

How to eliminate wrong answers

Option B is wrong because Cloud Storage is a static object store and cannot serve dynamic content or run a MySQL database, making it unsuitable for this application. Option C is wrong because App Engine requires application code to be deployed in a specific runtime environment and does not support running a MySQL database on the same instance; it also introduces a learning curve for a team lacking DevOps experience. Option D is wrong because containerizing the application with Cloud Run requires Docker knowledge and DevOps skills, which the team lacks, and Cloud Run does not natively support a MySQL database running in the same container or instance.

92
MCQmedium

A global web application needs HTTPS traffic routed to backend services in multiple regions, directing each user to the nearest healthy endpoint. Which load balancer type should be used?

A.Regional external Network Load Balancer
B.Global external Application Load Balancer
C.Regional internal Application Load Balancer
D.Regional internal TCP/UDP load balancer
AnswerB

This load balancer uses Google's global anycast network to route HTTPS traffic to the nearest healthy backend across multiple regions.

Why this answer

The Global external Application Load Balancer (ALB) is the correct choice because it provides cross-regional load balancing for HTTPS traffic, routing each user to the nearest healthy backend based on anycast IP and client location. This is essential for a global web application requiring low latency and high availability across multiple regions.

Exam trap

Google Cloud often tests the distinction between global and regional load balancers, and the trap here is that candidates may confuse a regional external Network Load Balancer (which handles TCP/UDP traffic but not HTTPS) with a global Application Load Balancer, overlooking the requirement for HTTPS termination and cross-regional routing.

How to eliminate wrong answers

Option A is wrong because a Regional external Network Load Balancer operates at Layer 4 (TCP/UDP) and cannot terminate HTTPS or perform content-based routing, and it is confined to a single region, not global. Option C is wrong because a Regional internal Application Load Balancer is designed for internal traffic within a VPC and cannot handle external HTTPS traffic or route globally. Option D is wrong because a Regional internal TCP/UDP load balancer is a Layer 4 internal load balancer that does not support HTTPS termination, content-based routing, or global anycast routing.

93
Drag & Dropmedium

Arrange the steps to set up a Cloud Function triggered by a Cloud Storage bucket event.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Bucket must exist; function must be deployed before triggering event.

94
MCQeasy

A company's application currently runs on a single Compute Engine VM with a persistent disk. The application serves read-heavy traffic and the single VM is becoming a bottleneck. The application is stateless. Which change provides the most immediate horizontal scalability improvement?

A.Upgrade the existing VM to a larger machine type (vertical scaling).
B.Create a Managed Instance Group from the VM and configure autoscaling with a load balancer.
C.Add more persistent disks to the existing VM to handle more I/O.
D.Enable live migration on the existing VM so it can move between hosts.
AnswerB

A MIG with autoscaling adds VM instances on demand. A load balancer distributes incoming requests across all instances, providing true horizontal scalability.

Why this answer

Option B is correct because creating a Managed Instance Group (MIG) from the existing VM and configuring autoscaling with a load balancer directly addresses the read-heavy, stateless bottleneck by distributing traffic across multiple VM instances. This provides immediate horizontal scalability, as new instances are automatically provisioned or terminated based on load, without requiring any application changes.

Exam trap

The trap here is that candidates confuse vertical scaling (Option A) with horizontal scaling, or think that adding more disks (Option C) or enabling live migration (Option D) can solve a compute bottleneck, when only distributing the load across multiple instances (Option B) provides true horizontal scalability.

How to eliminate wrong answers

Option A is wrong because upgrading to a larger machine type (vertical scaling) increases the capacity of a single VM but does not eliminate the single point of failure or the bottleneck from a single instance; it also has an upper limit and does not provide horizontal scalability. Option C is wrong because adding more persistent disks to the existing VM increases I/O capacity but does not distribute the read traffic across multiple VMs, leaving the single VM as the bottleneck for CPU and network resources. Option D is wrong because enabling live migration allows the VM to move between hosts for maintenance without downtime, but it does not increase compute capacity or distribute traffic, so it offers no scalability improvement.

95
MCQeasy

You are designing an application that needs to process exactly once each message published to a topic, even if the consumer fails partway through and restarts. Which GCP service provides built-in exactly-once processing semantics with Pub/Sub?

A.Cloud Functions subscribed to the Pub/Sub topic with idempotent logic.
B.Dataflow with Pub/Sub as the source using the Beam SDK.
C.BigQuery Subscriptions connected directly to the Pub/Sub topic.
D.Cloud Run with a Pub/Sub push subscription and database deduplication table.
AnswerB

Dataflow's Beam runner provides exactly-once processing semantics over Pub/Sub by checkpointing and deduplicating based on message IDs.

Why this answer

Dataflow with Pub/Sub as the source using the Beam SDK provides built-in exactly-once processing semantics because it leverages the Beam engine's checkpointing and the Pub/Sub source's snapshot-based deduplication. Dataflow tracks each message's unique ID and ensures that even if a worker fails and restarts, the message is not reprocessed, guaranteeing exactly-once delivery within the pipeline.

Exam trap

Google Cloud often tests the misconception that Pub/Sub itself provides exactly-once delivery, but Pub/Sub only guarantees at-least-once; the exactly-once semantics must be implemented by the consumer, and Dataflow is the only GCP service that offers this built-in for Pub/Sub sources.

How to eliminate wrong answers

Option A is wrong because Cloud Functions subscribed to Pub/Sub with idempotent logic relies on the developer to implement idempotency manually; Cloud Functions itself does not provide built-in exactly-once semantics, and Pub/Sub delivery is at-least-once by default. Option C is wrong because BigQuery Subscriptions deliver messages in near-real-time but do not guarantee exactly-once processing; they use at-least-once delivery and deduplication is handled by BigQuery's best-effort mechanisms, not by the subscription itself. Option D is wrong because Cloud Run with a Pub/Sub push subscription and a database deduplication table requires custom application logic to handle deduplication; Pub/Sub push subscriptions deliver messages at-least-once, and Cloud Run does not provide built-in exactly-once processing.

96
MCQhard

An organization requires that all Compute Engine instances be created with a specific service account that has minimal permissions. They also want to prevent users from creating instances with a different service account. Which IAM policy should they implement?

A.Organization policy with constraint compute.disableUserServiceAccountCreation
B.IAM condition that restricts instances to only use the authorized service account
C.Custom role with permission compute.instances.setServiceAccount only for authorized users
D.Organization policy with constraint compute.setServiceAccount
AnswerD

This constraint restricts the set of service accounts that can be used when creating instances.

Why this answer

The organization policy constraint `compute.setServiceAccount` is the correct choice because it allows administrators to restrict which service accounts can be used when creating Compute Engine instances. By setting this constraint to only permit a specific service account, users are prevented from launching instances with any other service account, ensuring minimal permissions are enforced at the organization level.

Exam trap

The trap here is that candidates confuse the organization policy constraint `compute.setServiceAccount` with the IAM permission `compute.instances.setServiceAccount`, thinking that restricting the permission is sufficient, when in fact the organization policy is required to block creation with unauthorized service accounts at the resource hierarchy level.

How to eliminate wrong answers

Option A is wrong because `compute.disableUserServiceAccountCreation` is not a valid organization policy constraint; the correct constraint name is `compute.setServiceAccount`. Option B is wrong because IAM conditions can restrict actions based on resource attributes but cannot globally enforce which service account is used at instance creation time across all users; they are applied per IAM policy binding, not as an organization-wide block. Option C is wrong because a custom role with `compute.instances.setServiceAccount` permission only controls who can change the service account on an existing instance, not prevent creation with a different service account; it does not enforce a specific service account at creation.

97
MCQhard

A company has an e-commerce application deployed on Compute Engine instances in a managed instance group (MIG) behind an external HTTP load balancer. The application stores session data in an in-memory cache on each instance. Recently, the team noticed that users are being logged out unexpectedly and losing their shopping cart contents. The MIG is configured with autoscaling based on CPU utilization. The team suspects the issue is related to session persistence. They have considered the following options: A) Switch to an internal TCP/UDP load balancer with session affinity; B) Enable sticky sessions (session affinity) on the existing load balancer; C) Move session storage to a centralized service like Memorystore; D) Increase the instance size and disable autoscaling. Which solution permanently resolves the issue while maintaining scalability and fault tolerance?

A.Switch to an internal TCP/UDP load balancer with session affinity
B.Increase the instance size and disable autoscaling
C.Enable sticky sessions (session affinity) on the existing load balancer
D.Move session storage to a centralized service like Memorystore
AnswerD

Centralized session storage decouples sessions from instances, ensuring persistence across scaling and failures.

Why this answer

Option D is correct because storing session data in a centralized service like Memorystore (Redis) decouples session state from individual Compute Engine instances. This ensures that any instance in the managed instance group can serve any user request without losing session data, even as the MIG autoscales up or down. This approach permanently resolves the issue while maintaining scalability and fault tolerance, as Memorystore provides a highly available, in-memory data store that persists across instance lifecycle events.

Exam trap

The trap here is that candidates often think sticky sessions (session affinity) alone will fix session persistence, but they overlook that autoscaling and instance failures still cause data loss when sessions are stored locally—only a centralized external store like Memorystore provides true persistence and fault tolerance.

How to eliminate wrong answers

Option A is wrong because switching to an internal TCP/UDP load balancer would make the application inaccessible from the internet (external users), and session affinity alone does not solve the problem when instances are terminated or added by autoscaling—the session data is still lost if the instance goes down. Option B is wrong because increasing instance size and disabling autoscaling removes scalability and fault tolerance, and does not address the root cause: session data stored in local memory is lost on instance restart or termination. Option C is wrong because enabling sticky sessions (session affinity) on the existing load balancer only pins a user to a specific instance, but if that instance is terminated during autoscaling (scale-in) or fails, the session data is still lost; it does not provide a durable, shared session store.

98
MCQmedium

A startup builds a serverless REST API using Cloud Functions (2nd gen). Each function invocation runs for 200ms on average, processes 5 million requests per day, and uses 256 MB memory. Approximately how should they estimate monthly Cloud Functions costs?

A.Approximately $0 — all invocations fall within the free tier
B.Estimate based on invocation count, compute time (memory × duration), and networking costs beyond the free tier
C.Approximately the same as a continuously-running e2-medium VM — Cloud Functions and VMs are priced equivalently
D.Fixed monthly rate based on the number of deployed functions, not invocation count
AnswerB

Cloud Functions billing uses three dimensions: invocations, compute time (measured in GB-seconds), and outbound network traffic — all calculated above the monthly free tier.

Why this answer

Option B is correct because Cloud Functions (2nd gen) pricing is based on three components: invocation count, compute time (measured in GB-seconds, which is memory multiplied by duration), and networking egress beyond the free tier. With 5 million requests per day at 200ms each and 256 MB memory, the monthly compute time is approximately 5,000,000 × 0.2 seconds × (256/1024) GB = 250,000 GB-seconds per day, or 7.5 million GB-seconds per month, which far exceeds the free tier of 400,000 GB-seconds per month, so costs will accrue. Additionally, the 150 million invocations per month exceed the free tier of 2 million invocations, and egress traffic will also incur charges beyond the 1 GB free tier.

Exam trap

The trap here is that candidates assume the free tier covers all usage because they underestimate the cumulative effect of high invocation counts and compute time, or they mistakenly think Cloud Functions pricing is similar to VM pricing or a flat per-function fee.

How to eliminate wrong answers

Option A is wrong because the free tier for Cloud Functions (2nd gen) includes only 2 million invocations and 400,000 GB-seconds of compute time per month; 150 million invocations and 7.5 million GB-seconds far exceed these limits, so costs are not approximately $0. Option C is wrong because Cloud Functions and VMs are not priced equivalently; Cloud Functions uses a pay-per-use model based on invocation count, compute time (GB-seconds), and networking, while an e2-medium VM charges for continuous uptime regardless of usage, and the two pricing models are fundamentally different. Option D is wrong because Cloud Functions pricing is based on actual usage metrics (invocations, compute time, networking), not a fixed monthly rate per deployed function; there is no per-function flat fee.

99
MCQhard

You are planning a GCP network for a company with offices in three regions: `us-central1`, `europe-west1`, and `asia-east1`. All three regions must communicate with each other, and traffic must NOT traverse the public internet. Each region has its own subnet. Which network design achieves this with the least management overhead?

A.Create three separate VPCs (one per region) and connect them with VPC Network Peering.
B.Use a single global VPC with subnets in each region; traffic between subnets stays on Google's private network.
C.Set up Cloud VPN tunnels between each pair of regions.
D.Use Cloud Interconnect dedicated connections in each region and configure BGP routing between them.
AnswerB

A single GCP VPC is global by design. Subnets in different regions communicate over Google's internal backbone — no special configuration required for private inter-region connectivity.

Why this answer

Option B is correct because a single global VPC allows you to create subnets in multiple regions, and traffic between those subnets stays on Google's private backbone network without traversing the public internet. This design requires no additional connectivity configuration, peering, or VPN tunnels, making it the simplest to manage while meeting all requirements.

Exam trap

The trap here is that candidates often overcomplicate the solution by thinking they need separate VPCs or VPNs for each region, not realizing that a single global VPC inherently supports multi-region subnets with private, Google-managed routing.

How to eliminate wrong answers

Option A is wrong because VPC Network Peering connects separate VPCs but requires explicit peering setup between each pair (three VPCs need three peering connections), and traffic still stays on Google's network, but the management overhead is higher than a single VPC. Option C is wrong because Cloud VPN tunnels require configuring and maintaining VPN gateways and tunnels between each region pair, adding complexity and potential latency, and traffic would traverse the public internet unless using HA VPN with Cloud Router, which still adds overhead. Option D is wrong because Cloud Interconnect is a dedicated physical connection to Google's network, which is overkill for this scenario—it requires on-premises infrastructure, BGP configuration, and is designed for hybrid cloud connectivity, not for inter-region communication within a single cloud environment.

100
Multi-Selectmedium

A company needs to securely store secrets (API keys, passwords) used by applications running on Compute Engine. Which three methods are secure and recommended? (Choose three.)

Select 3 answers
A.Use a third-party secrets vault like HashiCorp Vault running on GKE.
B.Store secrets as environment variables in plain text in the instance metadata.
C.Use Cloud Secret Manager to store and retrieve secrets.
D.Store secrets in a Cloud Storage bucket with fine-grained ACLs and encryption.
E.Encrypt secrets with Cloud KMS and store them in a file on the instance.
AnswersA, C, D

Third-party vaults are secure if properly configured.

Why this answer

Option A is correct because HashiCorp Vault is a widely adopted, enterprise-grade secrets management solution that can be deployed on Google Kubernetes Engine (GKE) to securely store, access, and audit API keys and passwords. It provides dynamic secrets, encryption as a service, and fine-grained access policies, making it a recommended approach for Compute Engine applications when integrated via its API or sidecar patterns.

Exam trap

The trap here is that candidates often assume encrypting secrets with KMS and storing them locally (Option E) is sufficient, but Cisco tests that a dedicated secrets management service (like Cloud Secret Manager or a vault) is always the recommended approach over manual encryption and file storage, even if the file is encrypted.

101
MCQhard

An e-commerce platform sees a 20x traffic spike every Black Friday. The rest of the year traffic is low and stable. The team wants to minimize costs during normal periods while handling the annual peak without manual intervention. Which architecture achieves this?

A.Pre-provision 20x capacity year-round to guarantee Black Friday performance
B.Managed instance group with autoscaling + scheduled scaling pre-warming before Black Friday
C.Deploy on Cloud SQL — it scales compute automatically for traffic spikes
D.Add 20 manual VMs on Black Friday and delete them afterward each year
AnswerB

MIG autoscaling handles demand-based scale-out automatically. Scheduled scaling policies can pre-warm additional capacity hours before the known Black Friday spike — combining reactive and proactive scaling.

Why this answer

Option B is correct because it combines managed instance group autoscaling for normal low-cost operation with scheduled scaling to pre-warm capacity before the Black Friday spike, ensuring seamless handling of the 20x traffic surge without manual intervention. This approach uses the 'autoscaler' and 'scheduled scaling' features in Google Cloud to dynamically adjust resources based on load, while pre-warming prevents cold-start latency during the peak.

Exam trap

Google Cloud often tests the misconception that database services like Cloud SQL can automatically scale compute for traffic spikes, but in reality, Cloud SQL requires manual vertical scaling or read replicas and does not handle web-tier traffic spikes natively.

How to eliminate wrong answers

Option A is wrong because pre-provisioning 20x capacity year-round incurs massive unnecessary costs, violating the requirement to minimize costs during normal periods. Option C is wrong because Cloud SQL does not automatically scale compute resources for traffic spikes; it supports read replicas and vertical scaling but requires manual intervention or configuration changes, and it is a database service, not a compute solution for handling web traffic. Option D is wrong because manually adding and deleting 20 VMs each year introduces manual intervention and operational overhead, contradicting the requirement for no manual intervention, and does not provide automated scaling for the spike.

102
MCQmedium

A company wants to set up a cost-effective disaster recovery solution for a critical application running on Compute Engine. The primary region is us-east1. The recovery point objective (RPO) is 1 hour, and recovery time objective (RTO) is 4 hours. Which strategy is most cost-effective?

A.Regular backups to Cloud Storage with automated scripts to restore in a different region
B.Use managed instance groups in two regions with autoscaling
C.Cross-region replica of persistent disks using snapshot schedules every hour
D.Active-active multi-region deployment with HTTP load balancer
AnswerC

Snapshot schedules allow frequent, incremental backups suitable for DR.

Why this answer

Option C is the most cost-effective because it uses snapshot schedules to create cross-region replicas of persistent disks every hour, meeting the 1-hour RPO without requiring always-on compute resources. This approach minimizes costs by only storing incremental snapshots in Cloud Storage, while automated restore procedures can spin up instances in the secondary region within the 4-hour RTO.

Exam trap

Google Cloud often tests the misconception that active-active or multi-region instance groups are always the best for disaster recovery, but the trap here is that for cost-effectiveness with moderate RPO/RTO, a snapshot-based replication strategy is more appropriate than maintaining always-on infrastructure.

How to eliminate wrong answers

Option A is wrong because regular backups to Cloud Storage with automated scripts require manual or custom automation for restore, which can introduce delays and complexity, and the RTO of 4 hours may be exceeded if scripts fail or need debugging; also, backups are not inherently cross-region replicas, so additional configuration is needed to meet the RPO. Option B is wrong because managed instance groups in two regions with autoscaling keep compute resources running in both regions, incurring continuous costs for idle instances in the secondary region, which is not cost-effective for a disaster recovery solution that only needs to activate during failover. Option D is wrong because active-active multi-region deployment with HTTP load balancer requires always-on compute and networking resources in both regions, leading to higher operational costs than a standby or backup-based approach, and it is overkill for the given RPO and RTO requirements.

103
MCQhard

A team is designing a data pipeline: Cloud Storage → Pub/Sub → Dataflow → BigQuery. They expect 50 GB of data per hour. Dataflow jobs must automatically scale workers based on pipeline backlog. Which Dataflow feature provides automatic horizontal scaling of worker VMs?

A.Vertical scaling — Dataflow automatically increases worker machine types under load
B.Dataflow Horizontal Autoscaling — automatically adds/removes workers based on pipeline lag
C.GKE cluster autoscaler — Dataflow runs on GKE and inherits its autoscaling
D.Cloud Monitoring alerting policy that triggers worker additions via gcloud
AnswerB

Dataflow's horizontal autoscaler monitors pipeline backlog and adjusts the number of worker VMs to maintain throughput — enabled by default for streaming and configurable for batch.

Why this answer

Dataflow Horizontal Autoscaling is the correct feature because it automatically adds or removes worker VMs based on the pipeline's backlog (lag), which directly matches the requirement for automatic horizontal scaling. This feature uses the Cloud Monitoring service to track the number of unprocessed elements and adjusts worker count accordingly, ensuring efficient resource usage without manual intervention.

Exam trap

Google Cloud often tests the distinction between horizontal and vertical scaling, and candidates may confuse Dataflow's autoscaling with GKE cluster autoscaler, not realizing Dataflow manages its own worker fleet independently of GKE.

How to eliminate wrong answers

Option A is wrong because vertical scaling increases the machine type (e.g., more vCPUs or memory) of existing workers, not the number of workers, and Dataflow does not automatically change machine types under load; it relies on horizontal scaling. Option C is wrong because Dataflow does not run on GKE by default; it uses its own managed service for worker VMs, and the GKE cluster autoscaler is irrelevant unless the pipeline is explicitly configured to run on a GKE cluster, which is not the standard deployment. Option D is wrong because while Cloud Monitoring can trigger alerts, it does not directly add workers; Dataflow Horizontal Autoscaling is the built-in mechanism that handles scaling automatically, and using a custom alerting policy to invoke gcloud commands would be an external, non-native approach that contradicts the requirement for automatic scaling.

← PreviousPage 2 of 2 · 103 questions total

Ready to test yourself?

Try a timed practice session using only Planning and configuring a cloud solution questions.