CCNA Setting up a cloud solution environment Questions

23 of 98 questions · Page 2/2 · Setting up a cloud solution environment · Answers revealed

76
MCQ · hard

A service account from project A needs to read a BigQuery dataset in project B. The service account is granted roles/bigquery.dataViewer at the project B level. Yet the access is denied. What additional step is needed?

A. Enable the BigQuery API on project A
B. Grant the service account roles/bigquery.jobUser on project A
C. Grant the service account roles/bigquery.user on project B
D. Add the service account to the dataset's ACL in BigQuery
Answer: D

Dataset ACL can override project-level roles, requiring explicit grant.

Why this answer

D is correct because BigQuery datasets use Access Control Lists (ACLs) in addition to IAM policies. Even though the service account has the roles/bigquery.dataViewer IAM role at the project B level, this role grants access to list datasets and read metadata, but does not automatically grant access to the actual data within a dataset. The dataset's ACL must explicitly include the service account to allow reading the tables and views.

This is a common requirement when cross-project access is needed, as IAM roles at the project level do not propagate to dataset-level ACLs unless the dataset is configured to inherit permissions.

Exam trap

Google Cloud often tests the misconception that IAM roles at the project level are sufficient for cross-project data access, when in fact BigQuery datasets require explicit ACL entries for the service account to read data.

How to eliminate wrong answers

Option A is wrong because enabling the BigQuery API on project A is not required for the service account to read data in project B; the API must be enabled on the project where the dataset resides (project B), and it is likely already enabled. Option B is wrong because roles/bigquery.jobUser on project A grants permission to run jobs (e.g., queries) in project A, but does not grant read access to the dataset in project B; the service account needs data access in project B, not job execution rights in project A. Option C is wrong because roles/bigquery.user on project B allows listing datasets and running jobs, but does not grant read access to the actual data in the dataset; it is a higher-level role that still requires dataset-level ACLs for data access.

77
MCQ · medium

A GCP project administrator needs to share read-only access to all resources in the project with an external auditor who has a Gmail account (auditor@gmail.com). What should the admin do?

A. Create a service account for the auditor and share the JSON key file
B. Grant the Viewer role to auditor@gmail.com in the project's IAM policy
C. Add auditor@gmail.com as a project billing admin to give them read-only access
D. Create a Cloud Identity account for the auditor — Gmail accounts cannot access GCP projects
Answer: B

GCP IAM supports Gmail accounts as principals. Granting Viewer to auditor@gmail.com gives read-only access to all project resources using their Google identity.

Why this answer

Granting the Viewer (roles/viewer) role to auditor@gmail.com in the project's IAM policy is correct because it provides read-only access to all resources in the project without requiring a Cloud Identity account. Gmail accounts are supported as Google Accounts and can be added directly to IAM policies, allowing them to authenticate and access resources via the GCP Console or APIs.

Exam trap

Google Cloud often tests the misconception that external users with Gmail accounts cannot be added to GCP IAM policies, leading candidates to incorrectly choose the Cloud Identity option, but in reality, any Google Account (including @gmail.com) can be granted IAM roles directly.

How to eliminate wrong answers

Option A is wrong because service accounts are intended for applications and automated workloads, not for individual users; sharing a JSON key file with a person is a security risk and violates best practices for user authentication. Option C is wrong because the Billing Admin role (roles/billing.admin) grants full billing management permissions, not read-only access to project resources, and it does not provide Viewer-level access to compute, storage, or other services. Option D is wrong because Gmail accounts are valid Google Accounts that can be used directly in IAM policies without needing a Cloud Identity account; Cloud Identity is for organizations that want to manage users without Gmail addresses.

78
MCQ · easy

A startup creates its first Google Cloud project. Before deploying any paid resources, what must be linked to the project?

A. A Cloud Identity domain
B. An Organization resource node
C. A billing account
D. A Shared VPC host project
Answer: C

Every project that uses paid GCP services must have a billing account linked. Without it, resource creation for paid services will fail.

Why this answer

A billing account must be linked to a Google Cloud project before deploying any paid resources because Google Cloud requires a valid payment method to be associated with the project to track and charge for resource usage. Without a billing account, the project is not billing-enabled and can only use free-tier or always-free resources; any paid service will fail to provision.

Exam trap

Google Cloud often tests the misconception that an Organization resource node is required for billing, but in reality, a project can be created under no organization (standalone) and still have a billing account attached, so the trap is confusing organizational hierarchy with billing prerequisites.

How to eliminate wrong answers

Option A is wrong because a Cloud Identity domain is used for managing users and groups with identity federation, but it is not a prerequisite for deploying paid resources; a project can exist without a Cloud Identity domain. Option B is wrong because an Organization resource node is a top-level container for projects under an organization, but it is not required for a standalone project; a project can be created without an organization node, and billing can still be attached. Option D is wrong because a Shared VPC host project is used to share VPC networks across multiple projects, but it is not required for a single project to deploy paid resources; billing is independent of VPC sharing.

79
MCQ · easy

A developer's gcloud command fails with 'PROJECT_ID is not set'. They need to confirm the currently active configuration — project, account, and default region. Which command shows this?

A. gcloud info
B. gcloud config list
C. gcloud auth status
D. gcloud projects describe --current
Answer: B

`gcloud config list` displays the active configuration: project, account, region, zone, and any other set properties. It's the quickest way to verify the current context.

Why this answer

Option B, `gcloud config list`, is correct because it displays the currently active configuration's core properties: project, account, and region (and zone if set). This directly answers the need to confirm the active project ID, account, and default region, and is the standard command for troubleshooting configuration issues like 'PROJECT_ID is not set'.

Exam trap

The trap here is that candidates confuse `gcloud info` (which shows verbose SDK details) with `gcloud config list` (which shows the active configuration's settings), or they incorrectly assume `gcloud projects describe --current` is a valid shortcut to fetch the current project's metadata.

How to eliminate wrong answers

Option A is wrong because `gcloud info` shows detailed information about the SDK installation, including paths, versions, and network settings, but it does not present the active configuration's project, account, and region in a concise, focused list. Option C is wrong because `gcloud auth status` only verifies the authentication state of the current account (e.g., whether credentials are valid) and does not display the project ID or default region. Option D is wrong because `gcloud projects describe --current` is not a valid command; `gcloud projects describe` requires a project ID or number as an argument, and there is no `--current` flag to infer the active project from the configuration.

80
MCQ · medium

A developer accidentally exposed their gcloud application default credentials (ADC) file. They need to immediately revoke these credentials. Which command revokes the active application default credentials?

A. gcloud auth revoke [ACCOUNT_EMAIL]
B. gcloud auth application-default revoke
C. Delete the ~/.config/gcloud/application_default_credentials.json file manually
D. gcloud config unset auth/application_default_credentials
Answer: B

This command specifically revokes the application default credentials (the ADC file used by client libraries), not the standard gcloud CLI credentials.

Why this answer

Option B is correct because `gcloud auth application-default revoke` is the specific command designed to revoke the Application Default Credentials (ADC) that were set via `gcloud auth application-default login`. This command invalidates the OAuth 2.0 refresh token stored in the ADC file, ensuring the credentials can no longer be used for authentication to Google Cloud APIs.

Exam trap

Google Cloud often tests the distinction between user credentials (`gcloud auth`) and application credentials (`gcloud auth application-default`), and the trap here is that candidates mistakenly think deleting the file or using a general revoke command is sufficient, overlooking the need to explicitly revoke the OAuth refresh token server-side.

How to eliminate wrong answers

Option A is wrong because `gcloud auth revoke [ACCOUNT_EMAIL]` revokes user account credentials used for gcloud CLI operations, not the separate Application Default Credentials (ADC) file. Option C is wrong because simply deleting the file does not revoke the underlying OAuth 2.0 refresh token; the token remains valid until it expires or is explicitly revoked via the command, leaving a potential security gap. Option D is wrong because `gcloud config unset auth/application_default_credentials` unsets a configuration property that does not exist; ADC is managed via a credentials file, not a gcloud config property, so this command has no effect on revoking the credentials.

81
Matching · medium

Match each Google Cloud service to its primary purpose.

Matches

Object storage for unstructured data

Serverless data warehouse for analytics

Asynchronous messaging service

Event-driven serverless compute

Managed relational database service

Why these pairings

These are core GCP services with distinct use cases.

82
MCQ · medium

During a gcloud CLI session, a developer runs `gcloud config list` and sees the output shows `project = old-project`. They need to work in `new-project`. Which sequence of commands correctly switches projects and verifies the change?

A. gcloud projects activate new-project; gcloud config list
B. gcloud config set project new-project; gcloud config list
C. gcloud auth login --project=new-project; gcloud config list
D. export GCLOUD_PROJECT=new-project; gcloud config list
Answer: B

`gcloud config set project` updates the active project and `gcloud config list` confirms the new setting — a clean, targeted approach.

Why this answer

Option B is correct because `gcloud config set project new-project` updates the active project in the local CLI configuration, and `gcloud config list` then displays the current configuration, confirming the change. This is the standard method to switch the working project for subsequent gcloud commands.

Exam trap

Google Cloud often tests the distinction between environment variables and configuration file settings, trapping candidates who think setting `GCLOUD_PROJECT` will update the output of `gcloud config list`.

How to eliminate wrong answers

Option A is wrong because `gcloud projects activate new-project` is not a valid gcloud command; the correct command to switch projects is `gcloud config set project`. Option C is wrong because `gcloud auth login --project=new-project` authenticates the user and optionally sets a project during login, but it does not reliably change the project for the current session if a project is already configured; the `--project` flag is only a one-time override and does not persist in the config. Option D is wrong because `export GCLOUD_PROJECT=new-project` sets an environment variable that overrides the project for the current shell session, but `gcloud config list` still reads from the local configuration file and will show the old project unless the config is also updated; the environment variable is not reflected in `gcloud config list` output.

83
MCQ · hard

A GCP organization has 150 projects. A new security policy requires all projects to enable the Security Command Center API. What is the most efficient way to enable this API across all projects without manually visiting each project?

A. Manually enable the API in each of the 150 projects via the Cloud Console
B. Use a gcloud script to iterate over all projects and enable the API for each
C. Enable the API at the organization level — it inherits down to all projects
D. Create an organization policy enabling all APIs on all projects
Answer: B

Scripting with `gcloud projects list | xargs` or Terraform with `google_project_service` for each project enables the API across all 150 projects efficiently and repeatably.

Why this answer

Option B is correct because the gcloud command-line tool allows you to script the enabling of the Security Command Center API across all projects efficiently. Using `gcloud services enable securitycenter.googleapis.com --project=<project_id>` in a loop over the list of projects automates the task without manual intervention, leveraging the Cloud SDK's programmatic access to the Service Usage API.
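The loop described above, written out as an added shell script that is not part of the question bank. It assumes an authenticated gcloud with permission to enable services on each project; the GCLOUD variable is an assumption of this example (not a gcloud feature) so the per-project error handling can be exercised with a stub.

```shell
#!/usr/bin/env bash
# Added example, not from the question bank: enable one API on every ACTIVE
# project the caller can see, continuing past individual failures (one
# project with a missing permission should not abort the other 149) and
# reporting a summary at the end.
set -u

API="${API:-securitycenter.googleapis.com}"
# Command used to talk to Google Cloud; overridable so the enable logic can
# be tried with a stub. This variable is an assumption of this example.
GCLOUD="${GCLOUD:-gcloud}"

# list_active_projects prints one project ID per line, ACTIVE projects only
# (projects in DELETE_REQUESTED state would fail the enable call anyway).
list_active_projects() {
  "$GCLOUD" projects list \
    --filter='lifecycleState:ACTIVE' \
    --format='value(projectId)'
}

# enable_api_on_projects reads project IDs from stdin, enables "$API" on each,
# prints "ok=N failed=M" and returns non-zero if any project failed.
enable_api_on_projects() {
  ok=0
  failed=0
  while IFS= read -r project; do
    [ -n "$project" ] || continue
    if "$GCLOUD" services enable "$API" --project="$project" >/dev/null 2>&1; then
      ok=$((ok + 1))
    else
      # Log and keep going; the summary tells the operator what to retry.
      echo "FAILED: $project" >&2
      failed=$((failed + 1))
    fi
  done
  echo "ok=$ok failed=$failed"
  [ "$failed" -eq 0 ]
}

# Typical run (needs an authenticated gcloud with serviceusage.services.enable
# on each project):
#   list_active_projects | enable_api_on_projects
```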

Exam trap

Google Cloud often tests the misconception that organization-level settings automatically propagate API enablement to all projects, but in GCP, APIs must be explicitly enabled per project, and organization policies only enforce constraints, not service activation.

How to eliminate wrong answers

Option A is wrong because manually enabling the API in each of 150 projects via the Cloud Console is time-consuming and error-prone, contradicting the requirement for the 'most efficient' method. Option C is wrong because enabling an API at the organization level does not automatically inherit down to all projects; APIs must be enabled per project, and organization-level settings only control policies, not service enablement. Option D is wrong because organization policies cannot enable APIs; they enforce constraints (e.g., resource restrictions) via the Organization Policy Service, not service activation, and there is no policy to enable all APIs.

84
MCQ · medium

Refer to the exhibit. A user runs `gcloud compute instances list` in Cloud Shell and gets the output 'Listed 0 items.' The user expects to see the VM they just created via the Console. What is the most likely cause?

A. The VM was created in a different region
B. The Cloud Shell is in a different project
C. The VM is stopping
D. The user does not have compute.instances.list permission
Answer: B

Cloud Shell uses the configured project, which might not be the same as the Console project.

Why this answer

The `gcloud compute instances list` command lists VM instances in the currently configured project (set via `gcloud config set project`). If the Cloud Shell is pointing to a different project than the one where the VM was created via the Console, the command will return 'Listed 0 items' even though the VM exists. This is the most likely cause because the user expects to see the VM but the command is scoped to a different project context.

Exam trap

Google Cloud often tests the distinction between project-level scope and regional scope, trapping candidates who assume region mismatch is the cause when the real issue is the Cloud Shell being configured to a different project.

How to eliminate wrong answers

Option A is wrong because the `gcloud compute instances list` command by default lists instances across all regions in the current project; a region mismatch would not cause 'Listed 0 items' unless the instance was in a different project. Option C is wrong because a VM in 'stopping' state is still listed by `gcloud compute instances list` (it appears with status 'STOPPING'), so it would not result in zero items. Option D is wrong because if the user lacked `compute.instances.list` permission, the command would return a permission denied error, not 'Listed 0 items'.

85
MCQ · medium

A team is migrating from Google Container Registry (gcr.io) to Artifact Registry. Existing automation scripts use `gcr.io/my-project/myimage`. To avoid updating all scripts immediately, which Artifact Registry feature allows gcr.io-addressed pulls to work with Artifact Registry backends?

A. Artifact Registry has no gcr.io compatibility — all scripts must be updated immediately
B. Enable the gcr.io compatibility redirect in Artifact Registry settings so gcr.io URLs route to Artifact Registry
C. Use a Cloud DNS private zone to redirect gcr.io to Artifact Registry
D. Both Container Registry and Artifact Registry can be active simultaneously with no configuration
Answer: B

Artifact Registry supports a gcr.io compatibility mode where requests to gcr.io/[PROJECT]/[IMAGE] are served from Artifact Registry — allowing gradual script migration.

Why this answer

Option B is correct because Artifact Registry offers a gcr.io compatibility redirect feature that automatically routes requests originally targeting `gcr.io/my-project/myimage` to the corresponding Artifact Registry repository. This allows existing automation scripts to continue using the old `gcr.io` hostname without modification, while the underlying storage and image management are handled by Artifact Registry. The redirect is configured at the project level and works transparently for pull operations, eliminating the need for immediate script updates.

Exam trap

Google Cloud often tests the misconception that DNS manipulation (like Cloud DNS private zones) can solve hostname redirection for external services, but in reality, Google-managed hostnames like `gcr.io` cannot be overridden with private DNS, and the correct solution is the built-in Artifact Registry redirect feature.

How to eliminate wrong answers

Option A is wrong because Artifact Registry does provide gcr.io compatibility via a redirect feature, so scripts do not need to be updated immediately. Option C is wrong because Cloud DNS private zones cannot redirect external hostnames like `gcr.io` to Artifact Registry; DNS resolution for `gcr.io` is managed by Google and cannot be overridden with private zones, and this approach would not handle the authentication or routing required for container pulls. Option D is wrong because while both registries can be active simultaneously, no configuration is needed only if you manually push images to both; the gcr.io compatibility redirect specifically requires enabling the feature to make `gcr.io` pulls work with Artifact Registry backends without script changes.

86
MCQ · medium

A company wants to ensure that all IAM users in a project must use two-factor authentication. Which Google Cloud service should be used?

A. Cloud Identity
B. Identity Platform
C. Cloud IAM
D. Cloud Audit Logs
Answer: A

Cloud Identity provides user management and security policies like 2SV.

Why this answer

Cloud Identity is the correct service because it provides identity-as-a-service (IDaaS) that allows administrators to enforce security policies, including requiring two-factor authentication (2FA) for all IAM users. By enabling 2FA at the Cloud Identity level, every user authenticating through Google Cloud's identity layer must complete a second factor (e.g., TOTP via Google Authenticator or a security key) before accessing any Google Cloud resources. This policy applies globally across all projects in the organization, ensuring consistent enforcement without needing to configure per-user or per-project settings.

Exam trap

The trap here is that candidates confuse Cloud IAM (which handles authorization) with Cloud Identity (which handles authentication and MFA enforcement), leading them to incorrectly select Cloud IAM because they think 'IAM' covers all identity-related settings.

How to eliminate wrong answers

Option B is wrong because Identity Platform is a customer-facing authentication service for applications (e.g., adding sign-in to a web app), not for enforcing 2FA on internal IAM users accessing Google Cloud resources. Option C is wrong because Cloud IAM manages permissions (who has access to what) but does not handle authentication methods or enforce multi-factor authentication policies. Option D is wrong because Cloud Audit Logs records who did what and when, but it cannot enforce or require two-factor authentication; it is a logging and monitoring service, not an identity or policy enforcement service.

87
MCQ · medium

An application running on a Compute Engine VM needs to read objects from a Cloud Storage bucket in the same project. What is the recommended authentication approach?

A. Embed a developer's user account credentials in the application configuration file
B. Attach a service account with the Storage Object Viewer role to the VM
C. Create an API key and store it as an environment variable on the VM
D. Grant the VM's IP address access to the bucket using a VPC firewall rule
Answer: B

Service accounts attached to VMs allow applications to authenticate automatically via the metadata server. This eliminates the need to manage credentials directly.

Why this answer

Option B is correct because attaching a service account with the Storage Object Viewer role to the Compute Engine VM is the recommended and secure method for authenticating to Cloud Storage. The VM automatically obtains OAuth 2.0 access tokens for the service account via the metadata server, eliminating the need to manage or embed credentials in the application code.

Exam trap

Google Cloud often tests the misconception that API keys or IP-based firewall rules can control access to Cloud Storage, when in fact Cloud Storage relies solely on IAM roles and OAuth 2.0 tokens for authentication and authorization.

How to eliminate wrong answers

Option A is wrong because embedding a developer's user account credentials in a configuration file violates security best practices, exposes long-lived credentials, and ties the application to an individual user's permissions rather than a dedicated identity. Option C is wrong because API keys are not designed for authenticating as a specific identity; they identify the project making the call, not the caller, and lack the granular access control of IAM roles, making them unsuitable for accessing Cloud Storage objects. Option D is wrong because VPC firewall rules control network traffic at the IP/port level, not access to Cloud Storage objects; Cloud Storage uses IAM permissions for object-level access, and IP-based access control is not supported for bucket operations.

88
Drag & Drop · medium

Order the steps to configure a Cloud Load Balancer (HTTP/S) in front of a Compute Engine instance group.


Why this order

Instance group and health check must exist before backend service; then frontend components.

89
MCQ · easy

An organization with multiple Google Cloud projects wants to centralize network administration by having a single VPC network that hosts shared services and allows project teams to create their own resources in separate projects that can connect to the shared VPC. Which Google Cloud feature should they use?

A. Cloud VPN
B. VPC Service Controls
C. VPC Network Peering
D. Shared VPC
Answer: D

Shared VPC enables central administration of a VPC across multiple projects.

Why this answer

Shared VPC is correct because it allows an organization to create a VPC in a host project and attach service projects to it. VPC Network Peering is wrong because it connects whole VPCs, not individual projects. VPC Service Controls is wrong because it focuses on data exfiltration prevention. Cloud VPN is wrong because it is for connecting networks.

90
MCQ · medium

A startup's GCP project has a project ID of 'my-startup-prod' and a project number of '123456789012'. An API call requires the project number, not the project ID. How can the project number be retrieved quickly?

A. The project number is always the same as the last 12 digits of the project ID
B. Run `gcloud projects describe my-startup-prod` and look for the projectNumber field
C. Run `gcloud config get-value project-number`
D. The project number appears in the URL bar of the GCP Console — it's the number after /project/
Answer: B

`gcloud projects describe [PROJECT_ID]` outputs the project's metadata including `projectNumber`, `projectId`, `name`, and `lifecycleState`.

Why this answer

Option B is correct because the `gcloud projects describe` command retrieves detailed metadata about a GCP project, including the `projectNumber` field, which is a unique numeric identifier assigned by Google Cloud. This is the standard method to quickly obtain the project number when only the project ID is known, as the project number is not derivable from the project ID.

Exam trap

The trap here is that candidates confuse the project ID with the project number, assuming they are interchangeable or derivable from each other, and may incorrectly think a simple `gcloud config` command or URL inspection is sufficient.

How to eliminate wrong answers

Option A is wrong because the project number is not derived from the project ID; it is a separate, immutable numeric identifier assigned at project creation, and the project ID can be any string of letters, digits, and hyphens. Option C is wrong because `gcloud config get-value project-number` is not a valid command; the correct command to get the current project's number would involve `gcloud projects describe` or `gcloud config get-value project`, which returns the project ID, not the number. Option D is wrong because while the project number may appear in the GCP Console URL (e.g., as a query parameter or path segment), it is not consistently displayed in the URL bar for all pages, and relying on the URL is not a reliable or quick method compared to using the CLI.

91
MCQ · medium

You need to allow a third-party auditing company to view all resources and IAM policies across your GCP organization without being able to modify anything. Which role should you grant, and at which level?

A. Grant `roles/viewer` on each individual project the auditor needs to access.
B. Grant `roles/iam.securityReviewer` at the organization level.
C. Grant `roles/owner` at the organization level with a time-limited condition.
D. Create a custom role with only `*.get` and `*.list` permissions and grant it at the org level.
Answer: B

Security Reviewer at the org level grants `getIamPolicy` and read access to security-relevant resources across all projects, purpose-built for audit use cases.

Why this answer

Option B is correct because `roles/iam.securityReviewer` at the organization level grants read-only access to all IAM policies and resources across all projects in the organization, exactly meeting the requirement for a third-party auditor to view without modification. This role includes permissions like `iam.roles.get`, `iam.policies.get`, and `resourcemanager.projects.get`, which are scoped organization-wide when assigned at the org level.

Exam trap

The trap here is that candidates often choose `roles/viewer` (Option A) thinking it provides read-only access, but it does not include permissions to read IAM policies, which is a critical requirement for auditing security configurations.

How to eliminate wrong answers

Option A is wrong because granting `roles/viewer` on each individual project does not provide visibility into IAM policies at the organization level, and it requires manual assignment per project, which is inefficient and incomplete for auditing across the entire org. Option C is wrong because `roles/owner` grants full administrative control, including the ability to modify resources and IAM policies, which violates the 'view only' requirement; a time-limited condition does not remove modify permissions. Option D is wrong because creating a custom role with only `*.get` and `*.list` permissions is unnecessary and risky—`roles/iam.securityReviewer` already provides the precise read-only access needed, and custom roles may inadvertently miss required permissions or introduce misconfiguration.

92
MCQ · medium

A developer attempts to create a Cloud SQL instance but receives the error: 'API [sqladmin.googleapis.com] not enabled.' What is the correct resolution?

A. Assign the developer the Cloud SQL Admin IAM role
B. Request a quota increase for Cloud SQL in the project
C. Enable the Cloud SQL Admin API via APIs & Services > Library in the Console
D. Create a new project — Cloud SQL is enabled by default in new projects
Answer: C

Navigating to APIs & Services > Library and enabling the Cloud SQL Admin API resolves this error. It can also be done with `gcloud services enable sqladmin.googleapis.com`.

Why this answer

The error 'API [sqladmin.googleapis.com] not enabled' indicates that the Cloud SQL Admin API has not been activated for the project. The correct resolution is to enable the API via APIs & Services > Library in the Google Cloud Console, as this is a prerequisite for creating any Cloud SQL instance. Assigning IAM roles or requesting quota increases does not enable the underlying API service.

Exam trap

Google Cloud often tests the distinction between enabling an API and assigning IAM roles, trapping candidates who think granting permissions automatically activates the underlying service.

How to eliminate wrong answers

Option A is wrong because assigning the Cloud SQL Admin IAM role grants permissions to use the API but does not enable the API itself; the API must be enabled at the project level first. Option B is wrong because a quota increase addresses resource limits, not the activation of the API service; the API must be enabled before any quota can be consumed. Option D is wrong because Cloud SQL is not enabled by default in new projects; each project requires explicit API enablement, and creating a new project would still require enabling the Cloud SQL Admin API.

93
MCQ · hard

A developer is creating a script that uses the Google Cloud SDK to automate resource creation. The script will be run from a CI/CD pipeline. What is the best way to authenticate?

A. Use an OAuth 2.0 client ID
B. Use application default credentials
C. Use the gcloud auth login command with a user account
D. Use a service account key file stored in a secret manager
Answer: D

Service account keys are designed for automated scripts; storing in secret manager adds security.

Why this answer

A service account key stored in a secret manager is the most secure and recommended approach for non-interactive automation. Option D is correct. Options A, B, C are less secure or not suitable for automated pipelines.

94
MCQ · hard

A company has two on-premises data centers connected via a redundant network. They want to extend their Google Cloud VPC to on-premises using Cloud VPN with dynamic routing (BGP). They need to ensure traffic from on-premises to Google Cloud can fail over to the secondary tunnel if the primary tunnel fails. The VPC has a single region. What should they configure?

A. Use a single Cloud VPN gateway and create two tunnels to separate on-prem VPN devices, each with BGP.
B. Use Cloud Interconnect as the primary and Cloud VPN as the backup.
C. Use a Cloud Router in global dynamic routing mode and set up a single VPN tunnel with BGP.
D. Create two Cloud VPN gateways in the VPC, each with a BGP session to its own on-prem VPN device, both using the same Cloud Router with separate BGP sessions.
Answer: D

Two gateways with BGP sessions allow failover via route advertisements.

Why this answer

Option D is correct because it provides true active/passive failover for on-premises to Google Cloud traffic. By creating two Cloud VPN gateways, each with a BGP session to its own on-premises VPN device, and attaching both sessions to the same Cloud Router, you enable BGP to advertise the same VPC prefixes over both tunnels. The Cloud Router uses BGP path selection (e.g., MED or AS path prepending) to prefer one tunnel as primary; if that tunnel fails, BGP withdraws the route and traffic automatically switches to the secondary tunnel.

This satisfies the requirement for failover without relying on a single gateway or tunnel.

Exam trap

The trap here is that candidates assume a single Cloud VPN gateway with multiple tunnels provides redundancy, but they overlook that the gateway itself is a single point of failure, which is why two separate gateways are required for true failover.

How to eliminate wrong answers

Option A is wrong because using a single Cloud VPN gateway creates a single point of failure; if the gateway itself fails, both tunnels become unavailable, preventing failover. Option B is wrong because Cloud Interconnect is a dedicated, high-bandwidth connection that does not support dynamic failover to Cloud VPN as a backup in the same way; the question specifically requires Cloud VPN with dynamic routing, not a hybrid interconnect/VPN design. Option C is wrong because a single VPN tunnel with BGP provides no redundancy; if the tunnel or its underlying network path fails, all traffic is lost, and global dynamic routing mode does not add failover capability.

95
MCQeasy

A small team is setting up a new Google Cloud project for a web application. They need to ensure that they can manage costs and receive alerts when spending exceeds a threshold. What is the simplest way to achieve this?

A.Export billing data to BigQuery and create custom dashboards.
B.Use the Google Cloud Pricing Calculator to estimate costs and set manual alerts.
C.Create a billing account for each team member and link it to the project.
D.Set up a budget alert in the Google Cloud Console for the project.
AnswerD

A simple, native feature that provides email alerts when the threshold is met.

Why this answer

Option D is correct because setting up a budget alert in the Google Cloud Console is simple and provides automated email notifications. Option A is too complex for a small team. Option C adds unnecessary overhead.

Option B only provides estimation, not real alerts.

96
MCQhard

A security team wants to prevent every project in the organization from creating VM instances with external IP addresses — without requiring configuration in each individual project. What is the most scalable solution?

A.Create a firewall rule in every project blocking outbound traffic on port 80 and 443
B.Set the organization policy constraint compute.vmExternalIpAccess to Deny All at the organization level
C.Remove the Compute Engine Admin role from all project owners
D.Use Cloud Armor to block all traffic destined for public IPs in the organization
AnswerB

This organization-level constraint prevents external IP assignment across all projects, automatically applying to new projects without manual intervention.

Why this answer

Option B is correct because the organization policy constraint `compute.vmExternalIpAccess` can be applied at the organization level to deny all VM instances from having external IP addresses, enforcing this rule across all projects without per-project configuration. This is the most scalable approach as it uses Google Cloud's hierarchical policy engine to centrally control resource creation, overriding any project-level settings.

Exam trap

The trap here is that candidates confuse network-level controls (firewall rules, Cloud Armor) with resource-level policies (organization constraints), mistakenly thinking blocking traffic is equivalent to preventing IP assignment, when in fact the constraint operates at the IAM/resource creation layer.

How to eliminate wrong answers

Option A is wrong because firewall rules only control network traffic after a VM is created, not the assignment of external IP addresses during VM creation; blocking ports 80 and 443 does not prevent a VM from having an external IP, and traffic on other ports (e.g., SSH on port 22) would still be allowed. Option C is wrong because removing the Compute Engine Admin role from project owners does not prevent VMs from being created with external IPs by other users or service accounts, and it breaks legitimate administrative workflows without addressing the IP assignment policy. Option D is wrong because Cloud Armor is a web application firewall that protects against DDoS and application-layer attacks, not a tool to control whether VMs are assigned external IPs; it cannot block the creation of VMs with public IPs.

97
MCQeasy

A developer wants to verify which IAM roles they currently have on a specific GCP project before requesting additional access. Which gcloud command lists the IAM policy for a project?

A.gcloud iam roles list --project=[PROJECT_ID]
B.gcloud projects get-iam-policy [PROJECT_ID]
C.gcloud auth list --project=[PROJECT_ID]
D.gcloud iam service-accounts get-iam-policy [PROJECT_ID]
AnswerB

This command returns the full IAM policy for the project in YAML or JSON format, showing all current member-role bindings.

Why this answer

The correct command to retrieve the IAM policy for a GCP project is `gcloud projects get-iam-policy [PROJECT_ID]`. This command returns the complete IAM policy bindings (roles and members) for the specified project, allowing the developer to see which roles they currently have. It directly queries the Cloud Resource Manager API to fetch the project-level IAM policy.

Exam trap

Google Cloud often tests the distinction between listing roles (available role definitions) and getting the IAM policy (actual role bindings), so candidates mistakenly choose `gcloud iam roles list` thinking it shows their assigned roles.

How to eliminate wrong answers

Option A is wrong because `gcloud iam roles list` lists predefined or custom roles available in the organization or project, not the bindings of those roles to principals. Option C is wrong because `gcloud auth list` displays the currently active authenticated accounts and their status, not the IAM policy for a project. Option D is wrong because `gcloud iam service-accounts get-iam-policy` retrieves the IAM policy for a specific service account, not for the project itself.

98
MCQmedium

A team's CI/CD pipeline authenticates to GCP using Application Default Credentials (ADC). The pipeline runs on a GCE VM with a service account attached. Which credential source does the ADC use when running on a GCE VM?

A.The GOOGLE_APPLICATION_CREDENTIALS environment variable pointing to a JSON key file
B.The VM's attached service account credentials via the instance metadata server
C.The developer's personal Google account used during `gcloud auth login`
D.A randomly selected service account from the project's service accounts list
AnswerB

ADC on GCE automatically uses the service account attached to the VM through the instance metadata server (metadata.google.internal/computeMetadata/v1/instance/service-accounts/) — no key file needed.

Why this answer

On a GCE VM, Application Default Credentials (ADC) automatically uses the credentials from the VM's attached service account by querying the instance metadata server at the link-local address 169.254.169.254. This is the default behavior when no environment variable or other credential source is explicitly configured, making option B correct.

Exam trap

Google Cloud often tests the misconception that ADC always requires an explicit credential file or that it uses the gcloud user login, when in fact on GCE VMs it transparently uses the attached service account via the metadata server.

How to eliminate wrong answers

Option A is wrong because the GOOGLE_APPLICATION_CREDENTIALS environment variable is a manual override that ADC checks first, but it is not the default source on a GCE VM; the question describes a pipeline running on a GCE VM with a service account attached, and ADC will use the metadata server unless that variable is set. Option C is wrong because a developer's personal Google account from `gcloud auth login` is used for user-level authentication in gcloud CLI, not for ADC on a VM; ADC on a GCE VM does not consult user credentials from gcloud. Option D is wrong because ADC does not randomly select a service account; it uses the specific service account attached to the VM instance, which is obtained from the instance metadata server, not from a project-wide list.
