CCNA Ace Deploying Implementing Questions

75 of 124 questions · Page 1/2 · Ace Deploying Implementing topic · Answers revealed

1
Multi-Selectmedium

You need to create a Cloud Storage bucket with a retention policy that prevents object deletion for 30 days. Which TWO steps are necessary?

Select 2 answers
A.Enable Object Versioning on the bucket.
B.Set the bucket's default event-based hold.
C.Lock the retention policy using gsutil retention lock gs://my-bucket.
D.Set an IAM policy to prevent deletion.
E.Set a retention policy using gsutil retention set 30d gs://my-bucket.
AnswersC, E

Locking makes the policy permanent.

Why this answer

You must set a retention policy on the bucket using gsutil retention set, and then lock the retention policy to make it permanent (otherwise it can be removed). Option B and D are correct.

2
Multi-Selecthard

An engineer needs to create a Cloud Storage bucket for storing sensitive financial data that must be encrypted at rest using a customer-managed encryption key (CMEK) stored in Cloud KMS. Which two actions are required? (Choose TWO.)

Select 2 answers
A.Use gcloud storage buckets create with --encryption-key flag pointing to the KMS key.
B.Create a key ring and cryptographic key in Cloud KMS.
C.Use gsutil mb -o default_encryption_key=...
D.Grant the Cloud Storage service account the Cloud KMS CryptoKey Encrypter/Decrypter role.
E.Set default encryption on the bucket using gsutil defaulte encryption set.
AnswersA, B

Correct flag to specify CMEK during bucket creation.

Why this answer

To use CMEK for Cloud Storage, you need to create a key ring and key in Cloud KMS, and then specify the key when creating the bucket via the --encryption-key flag. Option A and D are correct. Option B (gsutil) does not support CMEK; C is for granting access to the service account; E is for default encryption, not CMEK.

3
MCQhard

An engineer is configuring a GKE cluster and wants to enable Horizontal Pod Autoscaling (HPA) for a deployment named 'web-frontend'. The deployment currently has 3 replicas. The engineer wants to automatically scale the number of pods based on CPU utilization, targeting 50% average CPU utilization. Which command should the engineer run?

A.gcloud container clusters autoscale web-frontend --target-cpu-utilization=0.5 --min-nodes=3 --max-nodes=10
B.kubectl autoscale deployment web-frontend --max-cpu=50 --min=3 --max=10
C.kubectl autoscale deployment web-frontend --cpu-percent=50 --min=3 --max=10
D.kubectl autoscale deployment web-frontend --cpu=50 --min=3 --max=10
AnswerC

Correct kubectl command.

Why this answer

The correct command is kubectl autoscale deployment web-frontend --cpu-percent=50 --min=3 --max=10. This creates an HPA that scales between 3 and 10 replicas based on CPU. Option A is correct.

Option B uses wrong flag --cpu. Option C uses --target-cpu-utilization which is for gcloud, not kubectl. Option D uses --max-cpu which is invalid.

4
MCQmedium

After deploying a Kubernetes Deployment named 'web-app', a developer wants to expose it externally on a static IP address. Which kubectl command should they use?

A.kubectl create service clusterip web-app --tcp=80:8080
B.gcloud compute forwarding-rules create web-app --port=80
C.kubectl expose deployment web-app --type=LoadBalancer --port=80 --target-port=8080
D.kubectl expose deployment web-app --type=NodePort --port=80
AnswerC

This creates a LoadBalancer service that provisions an external IP (static if reserved).

Why this answer

kubectl expose creates a service. To get an external load balancer with a static IP, the service type must be LoadBalancer. The --type flag specifies the service type.

5
MCQmedium

You have a managed instance group (MIG) with instances that need to run a startup script to configure monitoring agents. You created the instance template without a startup script. Which action should you take to add the startup script?

A.Use gcloud compute instances add-metadata to add the startup script to each running instance.
B.Delete the MIG and recreate it with a new template; you cannot change the template of an existing MIG.
C.Edit the existing instance template and add the startup script under 'metadata'.
D.Create a new instance template with the startup script, then update the MIG to use the new template via a rolling update.
AnswerD

This is the correct approach: create a new template and update the MIG.

Why this answer

Instance templates are immutable; you cannot modify them. You must create a new instance template with the startup script and update the MIG to use it via rolling update or by setting the template.

6
MCQhard

An engineer needs to migrate a large on-premises database to Cloud SQL for PostgreSQL. The database is 500 GB and can tolerate a few hours of downtime. The migration must minimize manual intervention. Which approach should the engineer use?

A.Use Database Migration Service (DMS)
B.Use pg_dump to export and pg_restore to import
C.Use gcloud sql import to import a dump file
D.Set up a Compute Engine instance to run pg_dump and then gcloud sql import
AnswerA

DMS automates migration with minimal downtime.

Why this answer

Database Migration Service supports homogeneous migrations (including PostgreSQL to Cloud SQL) and automates the process. It supports continuous replication and minimal downtime. The others are not ideal: pg_dump requires manual steps and downtime; gcloud sql import is for file import; Compute Engine with pg_dump involves manual steps.

7
MCQhard

You are managing a Cloud Functions deployment that processes messages from a Pub/Sub topic. You need to ensure the function can read messages from the topic and acknowledge them. Which IAM role should you assign to the function's service account?

A.roles/pubsub.publisher
B.roles/pubsub.subscriber
C.roles/pubsub.viewer
D.roles/iam.serviceAccountUser
AnswerB

Subscriber role allows pulling and acknowledging messages.

Why this answer

The Pub/Sub Subscriber role (roles/pubsub.subscriber) grants permission to pull messages and acknowledge them. The function's service account needs this role on the topic or subscription.

8
MCQhard

A DevOps engineer needs to create a GKE cluster with 3 nodes per zone in us-central1-a and us-central1-b, with nodes of type e2-standard-2. The cluster should be regional. Which command is correct?

A.gcloud container clusters create my-cluster --region us-central1 --node-locations us-central1-a,us-central1-b --num-nodes 3 --machine-type e2-standard-2
B.gcloud container clusters create my-cluster --region us-central1 --machine-type e2-standard-2
C.gcloud container clusters create my-cluster --zone us-central1-a --region us-central1 --num-nodes 3 --machine-type e2-standard-2
D.gcloud container clusters create my-cluster --zone us-central1-a --num-nodes 3 --machine-type e2-standard-2
AnswerA

Correct: regional cluster with specific node locations and node count.

Why this answer

A regional cluster is created by specifying --region (not --zone). Option D is correct. Option A uses --zone (zonal); B uses --region but missing --num-nodes; C uses both zone and region incorrectly.

9
MCQmedium

An administrator needs to create a Cloud SQL for PostgreSQL instance with 16 vCPUs and 60 GB of memory. Which tier should they specify?

A.db-custom-16-60
B.db-custom-16-61440
C.db-n1-standard-16
D.db-custom-16-60000
AnswerB

Correct custom tier format.

Why this answer

Cloud SQL tiers follow the pattern db-custom-#vcpus-#memoryMB. 16 vCPUs and 60 GB (61440 MB) uses db-custom-16-61440.

10
MCQmedium

A developer wants to deploy a containerized application on Google Cloud that automatically scales to zero when not in use and charges only for request processing time. The application is stateless and can be triggered by HTTP requests. Which compute option meets these requirements?

A.Compute Engine with managed instance groups
B.Cloud Functions
C.Cloud Run
D.Google Kubernetes Engine (GKE) with cluster autoscaling
AnswerC

Cloud Run scales to zero, charges only for request duration, and supports HTTP-triggered containers. It is the best fit.

Why this answer

Cloud Run is a fully managed serverless platform that scales to zero and charges per request. It is ideal for stateless HTTP-triggered containers. Compute Engine and GKE do not scale to zero (idle resources incur cost).

Cloud Functions is also serverless but is for event-driven code, not containerized apps.

11
MCQmedium

A company wants to migrate an on-premises MySQL database to Cloud SQL. They need to import an existing SQL dump file stored in a Cloud Storage bucket. Which command should they use?

A.gcloud compute ssh my-instance --command='mysql < dump.sql'
B.gcloud sql import sql my-instance gs://my-bucket/dump.sql --database=mydb
C.gcloud sql databases create mydb --instance=my-instance --import=gs://my-bucket/dump.sql
D.gsutil cp gs://my-bucket/dump.sql | mysql -h my-instance -u root -p
AnswerB

Correct command and flags.

Why this answer

gcloud sql import sql is the correct command to import a SQL dump file into a Cloud SQL instance. The command specifies the instance, the bucket path, and the database name.

12
MCQeasy

An engineer wants to create a Compute Engine instance with a specific machine type, a custom network subnet, and a startup script. Which gcloud command correctly creates such an instance?

A.gcloud compute instances create my-vm --machine-type=n1-standard-2 --subnet=my-subnet --startup-script='echo Hello'
B.gcloud compute instances create my-vm --machine-type=n1-standard-2 --subnet my-subnet --metadata startup-script='echo Hello'
C.gcloud compute instances create my-vm --machine-type=n1-standard-2 --subnet=my-subnet --metadata startup-script='echo Hello'
D.gcloud compute instances create my-vm --machine-type=n1-standard-2 --network=my-subnet --metadata startup-script='echo Hello'
AnswerC

Correct flags and syntax.

Why this answer

The 'gcloud compute instances create' command with flags --machine-type, --subnet, and --metadata startup-script is the standard way to create a VM with those specifications.

13
Multi-Selectmedium

A company wants to deploy a web application that receives high traffic and requires automatic scaling based on CPU usage, with zero-downtime deployments. The application is containerized. Which TWO services should be considered? (Choose 2 correct answers.)

Select 2 answers
A.App Engine Standard Environment
B.Compute Engine with autoscaling
C.Cloud Run
D.Google Kubernetes Engine with Horizontal Pod Autoscaler
E.Managed Instance Groups
AnswersC, D

Cloud Run automatically scales containers based on incoming requests (including CPU) and supports gradual rollouts.

Why this answer

GKE with Horizontal Pod Autoscaler (HPA) and Cloud Run both support containerized applications and automatic scaling based on CPU. Cloud Run is simpler for stateless containers. GKE provides more control.

Managed Instance Groups are for VMs, not containers. App Engine Standard is for specific runtimes.

14
MCQhard

A team is using Terraform to manage Google Cloud resources. They want to store the Terraform state file in a Cloud Storage bucket to enable collaboration. Which Terraform backend configuration should be used?

A.provider "google" { backend "gcs" { bucket = "my-tf-state" } }
B.terraform { backend "cloud-storage" { bucket = "my-tf-state" path = "prod" } }
C.terraform { backend "gcs" { bucket = "my-tf-state" folder = "prod" } }
D.terraform { backend "gcs" { bucket = "my-tf-state" prefix = "prod" } }
AnswerD

Correct. This configures the GCS backend with the specified bucket and prefix.

Why this answer

The 'gcs' backend in Terraform stores state in a Cloud Storage bucket. The 'bucket' attribute specifies the bucket name, and 'prefix' is optional for folder structure.

15
MCQeasy

Which gcloud command creates a regional GKE cluster named 'my-cluster' with 3 nodes per zone in the 'us-central1' region?

A.gcloud container clusters create my-cluster --zone us-central1 --num-nodes 3
B.gcloud container clusters create my-cluster --zone us-central1-a --num-nodes 3
C.gcloud container clusters create my-cluster --region us-central1 --nodes 3
D.gcloud container clusters create my-cluster --region us-central1 --num-nodes 3
AnswerD

Correct: --region creates a regional cluster.

Why this answer

To create a regional cluster, use --region (not --zone). The --num-nodes flag sets nodes per zone.

16
MCQeasy

A company wants to create a Cloud Storage bucket to store archival data that is accessed infrequently (less than once a year). The data must be stored at the lowest possible cost. Which storage class should they choose?

A.Archive
B.Coldline
C.Nearline
D.Standard
AnswerA

Archive is the lowest-cost class for long-term archival data accessed less than once a year.

Why this answer

Archive storage class is the lowest-cost option for long-term archival data accessed less than once a year. Nearline and Coldline have higher retrieval costs but are for data accessed less frequently than standard, not as low as Archive. Standard is for frequently accessed data.

17
MCQeasy

Which kubectl command lists all pods in the current namespace?

A.kubectl list pods
B.kubectl describe pods
C.kubectl get pods
D.kubectl get all
AnswerC

Correct command.

Why this answer

The command 'kubectl get pods' lists all pods. 'kubectl get all' includes services, deployments, etc. 'kubectl describe pods' shows detailed info. 'kubectl list pods' is invalid.

18
MCQmedium

A team is using Terraform to deploy infrastructure. They want to ensure that the Terraform state file is encrypted at rest using a customer-managed encryption key (CMEK). What should they configure?

A.Use a Cloud Storage bucket with CMEK enabled by default; no Terraform configuration needed
B.Set the encryption block in the google_storage_bucket resource
C.Set the kms_key argument in the google provider block
D.Set the kms_key argument in the terraform backend block
AnswerB

The bucket resource can specify default_kms_key_name to enable CMEK.

Why this answer

To use CMEK with GCS backend, the bucket must be configured with a default KMS key. The Terraform configuration does not specify encryption directly; it's set on the bucket itself. The google_backend block does not have a kms_key argument. provider block does not set encryption.

The correct approach is to create a bucket with encryption set using google_kms_key.

19
MCQhard

An organization needs to deploy a containerized web application on Google Kubernetes Engine (GKE) and expose it to the internet with a static IP address. The cluster is regional, with 3 nodes. Which sequence of kubectl commands achieves this?

A.kubectl create deployment web --image=web:v1; kubectl expose deployment web --type=LoadBalancer --port=80; then reserve a regional static IP with gcloud compute addresses create web-ip --region us-central1 and assign it via annotation.
B.kubectl create deployment web --image=web:v1 --replicas=3; kubectl expose deployment web --type=NodePort --port=80; then use gcloud compute addresses create web-ip --global; kubectl patch service web -p '{"spec":{"loadBalancerIP":"<IP>"}}'
C.gcloud compute addresses create web-ip --global; then kubectl create deployment web --image=web:v1; kubectl expose deployment web --type=LoadBalancer --port=80; then patch service to set loadBalancerIP.
D.gcloud compute addresses create web-ip --region=us-central1; kubectl create deployment web --image=web:v1; kubectl expose deployment web --type=LoadBalancer --port=80 --load-balancer-ip=web-ip
AnswerD

Reserve a regional static IP and use --load-balancer-ip flag when exposing the deployment. This is the correct method.

Why this answer

You deploy the application, then expose it with a LoadBalancer service. To get a static IP, you must reserve a global static IP address (using gcloud) and assign it via annotation --load-balancer-ip. Option D is correct.

20
MCQeasy

An engineer needs to SSH into a Compute Engine instance using OS Login. What must be enabled first?

A.Create an SSH key and upload to the instance
B.Grant the compute.osLogin role to the user
C.Add SSH keys to the project metadata
D.Enable OS Login in the project metadata
AnswerD

OS Login must be enabled via metadata key 'enable-oslogin=TRUE'.

Why this answer

OS Login must be enabled at the project or instance level using 'gcloud compute project-info add-metadata --enable-oslogin' or similar. Direct SSH key metadata is not needed if OS Login is used.

21
MCQhard

An engineer is using Terraform to manage GCP resources. They want to store the Terraform state file remotely so that the team can collaborate. Which backend configuration should they use?

A.backend "cloud" { bucket = "my-terraform-state" }
B.backend "local" { path = "terraform.tfstate" }
C.backend "consul" { address = "consul.example.com" }
D.backend "gcs" { bucket = "my-terraform-state" }
AnswerD

Correct GCS backend configuration for remote state.

Why this answer

Terraform supports storing state in GCS by using the 'gcs' backend. The bucket must be created before configuration. The 'local' backend stores state locally, which does not enable collaboration. 'cloud' is not a valid backend type. 'consul' is not GCP-native.

22
MCQmedium

A company wants to run a stateful application on Compute Engine with persistent storage that can be attached to another instance in case of failure. Which storage option should they use?

A.Filestore
B.Cloud Storage bucket
C.Persistent Disk
D.Local SSD
AnswerC

Persistent Disk can be detached and reattached to another instance, suitable for stateful failover.

Why this answer

Persistent Disk (PD) is a network-attached block storage that can be detached and reattached to another VM in the same zone. Option A is correct. Option B (Local SSD) is ephemeral; C (Cloud Storage) is object storage; D (Filestore) is file storage but not designed for block-level attachment.

23
MCQmedium

You deployed a Cloud Run service with gcloud run deploy --image gcr.io/my-project/my-image --platform managed --region us-central1 --allow-unauthenticated. Users report intermittent 503 errors. What is the most likely cause?

A.The service is hitting the maximum number of concurrent requests per container instance (default 80) and needs more instances.
B.The region us-central1 does not support Cloud Run.
C.The container image is not compatible with the managed platform.
D.The --allow-unauthenticated flag causes IAM permission errors.
AnswerA

503 errors in Cloud Run often indicate that all instances are at max concurrency and no new instances can be created quickly enough, or max instances limit is reached.

Why this answer

Cloud Run services have a default maximum number of concurrent requests per container instance (default 80). If traffic exceeds that, new instances are created, but if there is a sudden spike or the container takes too long to start, requests may be dropped with 503. Increasing max instances or concurrency settings can help.

24
MCQmedium

A team needs to set up autoscaling for a managed instance group based on CPU utilization. They want the average CPU across the group to stay around 60%. Which autoscaling policy configuration should they use?

A.Set the autoscaling policy to use the target CPU utilization of 60
B.Set the autoscaling policy to use the target CPU utilization of 0.6
C.No autoscaling is needed; MIGs automatically scale based on load
D.Set the autoscaling policy to use the target HTTP load balancing utilization of 60%
AnswerB

Correct: 0.6 corresponds to 60%.

Why this answer

The autoscaling policy uses a target CPU utilization metric. The correct configuration sets the target to 0.6 (60%). Specifying a utilization target of 60 ensures the autoscaler maintains average CPU at 60%.

25
Multi-Selecthard

An organization needs to deploy a containerized application on GKE that requires persistent storage. The storage must be highly available across zones within a region. Which THREE components are required to achieve this?

Select 3 answers
A.VolumeAttachment
B.StatefulSet
C.PersistentVolumeClaim (PVC)
D.PodDisruptionBudget (PDB)
E.Regional Persistent Disk (PD)
AnswersB, D, E

StatefulSet is required for stable network identities and ordered pod management for stateful workloads.

Why this answer

To achieve highly available persistent storage across zones, you need a regional Persistent Disk (PD), a StatefulSet to manage pod identity and ordering, and a PodDisruptionBudget to ensure minimum availability during disruptions. PVC alone is not sufficient. The VolumeAttachment is not relevant.

26
Multi-Selecteasy

A developer wants to deploy a Cloud Function that is triggered by messages in a Pub/Sub topic. Which TWO flags are required in the gcloud functions deploy command?

Select 2 answers
A.--runtime
B.--trigger-topic
C.--timeout
D.--memory
E.--entry-point
AnswersA, B

Required to specify the runtime environment.

Why this answer

For a Pub/Sub-triggered Cloud Function, you must specify --trigger-topic and --runtime. The --entry-point is optional if the function name matches. --memory and --timeout are optional.

27
MCQmedium

A developer wants to create a Compute Engine instance with the container-optimized OS image in the default network. Which command should they use?

A.gcloud compute instances create my-instance --image-family=ubuntu-2004-lts --image-project=ubuntu-os-cloud
B.gcloud compute instances create my-instance --image-family=cos-stable --image-project=cos-cloud
C.gcloud compute instances create my-instance --image-family=cos-stable
D.gcloud compute instances create my-instance --image=cos-stable --image-project=cos-cloud
AnswerB

Correct flags for Container-Optimized OS.

Why this answer

The correct command uses '--image-family=cos-stable' and '--image-project=cos-cloud' to specify the Container-Optimized OS image. Option B uses 'gcloud compute instances create' with the correct flags.

28
MCQhard

A company has a managed instance group (MIG) with an autoscaler based on CPU utilization. The MIG is not scaling up even though CPU utilization is consistently above 80%. The instances are running a batch processing workload that takes several minutes to finish. What is the most likely cause?

A.The autoscaler's cooldown period is set too short
B.The health check is failing on the instances
C.The maximum number of instances is already reached
D.The autoscaler's cooldown period is set too long
AnswerD

A long cooldown delays scaling decisions.

Why this answer

If the cooldown period is too long, the autoscaler may wait unnecessarily before scaling up. Also, the application may take time to show increased CPU. However, the typical cause is the autoscaler's cooldown period preventing rapid scale-up.

29
MCQmedium

A company has a managed instance group (MIG) of web servers behind a load balancer. They want to deploy a new version of the application with zero downtime and the ability to roll back quickly if issues arise. Which update strategy should they use?

A.Delete the MIG and recreate it with the new instance template.
B.Perform a rolling update on the MIG with maxSurge=0 and maxUnavailable=1 to replace instances one by one.
C.Create a new instance template with the updated application, then perform a rolling update on the MIG using the canary update strategy with a target of 10% for the new template. Validate and then promote to 100%.
D.Create a new MIG with the new template and a separate load balancer, then update DNS to point to the new load balancer.
AnswerC

Canary rolling update provides controlled rollout and immediate rollback by stopping the canary.

Why this answer

A rolling update with a canary approach (creating a new version of the instance template, then updating the MIG with a canary deployment) allows incremental rollout and immediate rollback by stopping the canary. Option A (proactive rolling update) is correct. Option B (recreate) causes downtime; C (blue/green with MIG label) requires manual traffic switch; D (rolling update with maxSurge=0 and maxUnavailable=1) allows some downtime.

30
MCQhard

An organization needs to deploy a Cloud Function that processes messages from a Pub/Sub topic and writes results to BigQuery. The function must be triggered by every message published to the topic. Which deployment command is correct?

A.gcloud functions deploy process-messages --runtime python310 --trigger-http --entry-point process --region us-central1 --memory 256MB
B.gcloud functions deploy process-messages --runtime python310 --trigger-topic my-topic --entry-point process --region us-central1 --memory 256MB
C.gcloud functions deploy process-messages --runtime python310 --trigger-topic my-topic --entry-point process --region us-central1
D.gcloud functions deploy process-messages --runtime nodejs18 --trigger-topic my-topic --entry-point process --region us-central1 --memory 256MB
AnswerB

Correct: uses Pub/Sub trigger, correct runtime, entry point, region, and memory.

Why this answer

The correct command uses --trigger-topic with the topic name, runtime Python 3.10, entry point, region, and memory. Option D is correct. Option A uses --trigger-http; B uses --trigger-topic but with invalid runtime; C uses --trigger-topic but misses --memory.

31
MCQmedium

An organization wants to deploy a containerized web application on Google Cloud with minimum operational overhead. The application should scale to zero when not in use and only incur costs when serving requests. Which service should they choose?

A.App Engine Flexible Environment
B.Google Kubernetes Engine (GKE)
C.Compute Engine with container-optimized OS
D.Cloud Run
AnswerD

Cloud Run is fully managed, scales to zero, and charges only for request duration. Minimal operational overhead.

Why this answer

Cloud Run is a fully managed serverless platform that scales to zero, charges only for request processing time, and abstracts infrastructure management. GKE requires cluster management and nodes always running. App Engine Flexible requires at least one instance always running.

Compute Engine requires full VM management.

32
Multi-Selecthard

A DevOps engineer is setting up a CI/CD pipeline that deploys a containerized application to Cloud Run. The application source code is in a Cloud Source Repository. Which three steps are required to deploy from source? (Choose THREE.)

Select 3 answers
A.Create a GKE cluster to host the application.
B.Use gcloud run deploy with the --source flag pointing to the source code.
C.Store the built container image in Container Registry.
D.Use gcloud run deploy --image to deploy the container image.
E.Create a Cloud Build trigger that builds the container image from the source repository.
AnswersB, C, E

gcloud run deploy --source builds and deploys directly from source in one step.

Why this answer

To deploy from source to Cloud Run, you can use Cloud Build to build the container image from source, push it to Container Registry, and then deploy to Cloud Run. Option A, C, and D are correct. Option B is for deploying from an existing image; E is not a standard step.

33
MCQmedium

An engineer deployed a container to Cloud Run but the service is not receiving traffic. The engineer checks the logs and finds no errors. The container listens on port 8080. What is the most likely cause of the issue?

A.The container was deployed from source and Cloud Run requires a pre-built image.
B.The container is listening on port 3000 instead of the port Cloud Run expects.
C.The service requires authentication but --allow-unauthenticated was not set.
D.The container does not support concurrent requests.
AnswerB

Cloud Run checks the PORT env var; if the container listens on a different port, health checks fail.

Why this answer

Cloud Run expects the container to listen on the port specified in the PORT environment variable (default 8080). If the container listens on a different port (e.g., 3000), Cloud Run will not route traffic to it. Option A is likely.

Option B: Cloud Run can handle multiple requests per container (concurrency). Option C: Cloud Run requires a container image; source deployment works. Option D: Cloud Run can be invoked without authentication when --allow-unauthenticated is used.

34
Multi-Selectmedium

You need to deploy an application that requires a regional MySQL database with automated backups, high availability, and failover. You also need to store static assets that are publicly accessible. Which TWO Google Cloud services should you use?

Select 2 answers
A.Cloud SQL (MySQL)
B.Cloud Storage
C.Bigtable
D.Cloud Filestore
E.Cloud Spanner
AnswersA, B

Managed MySQL with HA and backups.

Why this answer

Cloud SQL with MySQL provides managed MySQL with high availability (regional) and automated backups. Cloud Storage can host static assets publicly.

35
MCQhard

An engineer is deploying a containerized application on Google Kubernetes Engine (GKE) and needs to expose it to the internet with a static external IP address. The cluster is in a VPC-native configuration. Which approach should the engineer take to meet this requirement?

A.Create a Service of type NodePort and then use a Cloud NAT with a static IP.
B.Create a Service of type ClusterIP and then use a Cloud Load Balancing service with the static IP.
C.Reserve a static external IP address in the same region as the cluster, then create a Service of type LoadBalancer and assign the static IP via the loadBalancerIP field.
D.Create a Service of type NodePort and then create an Ingress resource with a static IP annotation.
AnswerC

Correct method: static IP plus Service type LoadBalancer with loadBalancerIP.

Why this answer

To expose a service with a static external IP on GKE, the engineer should reserve a static external IP address, then create a Service of type LoadBalancer and specify that IP address in the service spec using the loadBalancerIP field. Option A correctly describes this. Option B uses an Ingress, which can also work but typically requires additional configuration (e.g., for static IP).

Option C uses NodePort, which doesn't provide a static external IP by itself. Option D uses ClusterIP, which is internal only.

36
MCQeasy

You want to deploy a Cloud Function triggered by HTTP requests. The function is written in Node.js and the entry point function is named 'helloHttp'. Which command should you use?

A.gcloud functions deploy my-function --runtime nodejs16 --trigger-http --entry-point=helloHttp --region=us-central1
B.gcloud functions deploy --source . --runtime nodejs16 --trigger-http --entry-point=helloHttp
C.gcloud run deploy my-function --source . --runtime nodejs16 --entry-point=helloHttp
D.gcloud functions deploy my-function --runtime nodejs16 --trigger-topic my-topic --entry-point=helloHttp
AnswerA

Correct flags for an HTTP-triggered function.

Why this answer

The correct command specifies the runtime (nodejs16), trigger (--trigger-http), entry point (--entry-point=helloHttp), and region. --trigger-topic is for Pub/Sub, not HTTP.

37
MCQhard

A DevOps engineer is configuring a managed instance group (MIG) for a stateless web application. They want to ensure that when new instances are created via rolling update or autoscaling, a startup script runs to install security patches and deploy the latest application code from a Cloud Storage bucket. What is the BEST way to achieve this?

A.Create a custom image with pre-installed patches and code, and use that image in the template
B.After the MIG is created, use gcloud compute ssh to run the script on each instance
C.Store the script in Cloud Storage and use gcloud compute instances add-metadata on each instance
D.Add the script to the instance template using the metadata key 'startup-script'
AnswerD

This is the recommended approach; the script runs automatically on each new instance.

Why this answer

Using the instance template's metadata key 'startup-script' is the simplest and most reliable method to run custom scripts on instance startup. A custom image requires more maintenance. SSH from Cloud Shell is not automated.

A startup script as part of the instance template is the standard approach.

38
MCQmedium

You need to deploy a Cloud Function that is triggered by HTTP requests. You want to pass configuration parameters to the function at deployment time. Which approach should you use?

A.Store parameters in a Cloud Storage bucket and read them at runtime.
B.Edit the function code to hardcode the parameters.
C.Use the --set-env-vars flag with gcloud functions deploy.
D.Include the parameters in the HTTP request body.
AnswerC

Environment variables can be set at deployment time.

Why this answer

You can set environment variables via --set-env-vars when deploying. Option B is correct.

39
MCQmedium

A company wants to deploy a microservice on GKE. The deployment requires 3 replicas, and the service must be accessible via a fixed public IP address. Which Kubernetes resource should be used to expose the deployment?

A.Service of type LoadBalancer
B.Ingress resource
C.Service of type ClusterIP
D.Service of type NodePort
AnswerA

Creates an external load balancer with a fixed public IP.

Why this answer

A LoadBalancer service provisions a Google Cloud TCP/UDP Load Balancer with a public IP. NodePort exposes on node ports but not a fixed IP. ClusterIP is internal only.

Ingress is a more advanced option but not the simplest for a fixed IP.

40
MCQeasy

A company wants to store backup files that are accessed only a few times per year, with retrieval times of up to a few hours. The files must be stored at the lowest possible cost. Which Cloud Storage storage class should the company use?

A.Coldline
B.Nearline
C.Archive
D.Standard
AnswerC

Archive is the cheapest storage class for long-term backups with retrieval times in hours.

Why this answer

The Archive storage class is the lowest-cost option for long-term storage of data accessed less than once a year, with retrieval times in hours. It is ideal for backups and archival data. Standard is for frequently accessed data.

Nearline is for data accessed once a month. Coldline is for data accessed once a quarter.

41
MCQmedium

A company wants to store archival data that is accessed less than once a year. The data must be preserved for 10 years. Which Cloud Storage storage class is most cost-effective?

A.Archive
B.Standard
C.Nearline
D.Coldline
AnswerA

Archive is the cheapest, designed for data accessed less than once a year.

Why this answer

Archive class is the lowest-cost storage for data accessed less than once a year, with a 365-day minimum storage duration. Coldline is slightly more expensive but for less than once a year, Archive is better.

42
MCQmedium

A developer wants to create a Compute Engine instance with the default Debian 11 image, 50 GB boot disk, in the us-west1-a zone, and attach it to the default VPC subnet. Which command should they run?

A.gcloud compute instances create my-instance --zone=us-west1-a --machine-type=e2-medium --image-family=debian-11 --image-project=debian-cloud --boot-disk-size=50GB --no-address
B.gcloud compute instances create my-instance --zone=us-west1-a --machine-type=e2-medium --image-family=debian-11 --image-project=debian-cloud --boot-disk-size=50 --subnet=default
C.gcloud compute instances create my-instance --zone=us-west1 --machine-type=e2-medium --image-family=debian-10 --image-project=debian-cloud --boot-disk-size=50GB
D.gcloud compute instances create my-instance --zone=us-west1-a --machine-type=e2-medium --image-family=debian-11 --image-project=debian-cloud --boot-disk-size=50GB
AnswerD

This command correctly sets all required parameters and uses the default subnet automatically.

Why this answer

The correct command uses the default subnet (us-west1) and specifies the required parameters. The --subnet default is not necessary if the instance is in the same region as the default subnet, but specifying it is acceptable. The image family 'debian-11' and project 'debian-cloud' are correct.

43
Multi-Selecteasy

A developer is deploying a new application on GKE and needs to configure a HorizontalPodAutoscaler (HPA). Which two resources are required for HPA to work correctly?

Select 2 answers
A.CPU utilization metrics
B.A Service
C.A ConfigMap
D.A Deployment
E.A NodePort service
AnswersA, D

HPA by default uses CPU utilization; custom metrics can be used but CPU is the most common.

Why this answer

HPA requires a deployment (or other scalable resource) and a target metric, usually CPU utilization. The HPA will scale the deployment based on the metric. A ConfigMap and a service are not strictly required for HPA.

44
Multi-Selectmedium

A team is deploying a web application on Cloud Run. The application needs to be available globally with low latency, and the team wants to use a custom domain with an SSL certificate. Which TWO actions are required to achieve this?

Select 2 answers
A.Set the --ingress=all flag on the Cloud Run service
B.Use Cloud CDN to cache content
C.Configure a custom domain mapping on the Cloud Run service
D.Deploy the Cloud Run service in multiple regions and use a multi-regional load balancer
E.Deploy the service as a Cloud Run for Anthos on GKE
AnswersC, D

Required to map the domain to the service.

Why this answer

Cloud Run services are regional; to serve globally, you need a global load balancer (e.g., using an external HTTPS load balancer with serverless NEG). Mapping a custom domain to the service is also required.

45
Multi-Selectmedium

You are using gsutil to upload files to a Cloud Storage bucket. You need to set the storage class of the objects to Nearline. Which TWO methods can you use?

Select 1 answer
A.Use gsutil cp -s nearline file.txt gs://my-bucket.
B.Set the bucket's default storage class to Nearline using gsutil defstorageclass set nearline gs://my-bucket.
C.Use gsutil mv -s nearline file.txt gs://my-bucket.
D.Upload with --storage-class nearline flag on gsutil cp.
AnswersB

This sets default class for future uploads.

Why this answer

You can set the storage class when uploading with -s flag, or change it later with rewrite. Option A sets the default class on the bucket, which applies to newly uploaded objects. Option D with -s flag also works.

46
MCQeasy

An administrator needs to create a Cloud Storage bucket in the US multi-region with the 'nearline' storage class. Which command should they use?

A.gsutil mb -c nearline -l US gs://my-bucket
B.gsutil mb -s nearline -l US gs://my-bucket
C.gsutil mb -c nearline -l US-CENTRAL1 gs://my-bucket
D.gcloud storage buckets create gs://my-bucket --storage-class=nearline --location=US
AnswerA

Correct flags: -c for storage class, -l for location.

Why this answer

gsutil mb creates a bucket. The -c flag sets storage class, -l sets location. The storage class 'nearline' is correct for infrequently accessed data.

47
MCQeasy

A developer needs to SSH into a Compute Engine instance that has OS Login enabled. The developer's Google account is already granted the roles/compute.osLogin role. Which command should the developer use to connect?

A.ssh -i ~/.ssh/google_key user@instance-ip
B.gcloud compute ssh instance-name --zone=us-central1-a
C.gcloud compute instances get-serial-port-output instance-name --zone=us-central1-a
D.gcloud compute connect-to-serial-port instance-name --zone=us-central1-a
AnswerB

gcloud compute ssh uses OS Login automatically when enabled.

Why this answer

When OS Login is enabled, the preferred method is gcloud compute ssh, which uses OS Login by default. Option A is correct. Option B uses SSH with a key but OS Login typically uses gcloud.

Option C uses gcloud compute connect-to-serial-port which is for serial console. Option D uses gcloud compute instances get-serial-port-output.

48
MCQmedium

A team is using Terraform to manage Google Cloud resources. They want to store the Terraform state file in a Cloud Storage bucket with versioning enabled. Which backend configuration should they use?

A.terraform { backend "cloud" { bucket = "my-terraform-state-bucket" prefix = "terraform/state" } }
B.terraform { backend "gcs" { bucket = "my-terraform-state-bucket" prefix = "terraform/state" } }
C.terraform { backend "gcs" { bucket = "gs://my-terraform-state-bucket" prefix = "terraform/state" } }
D.terraform { backend "remote" { hostname = "app.terraform.io" organization = "my-org" workspaces { name = "my-workspace" } } }
AnswerB

Correct backend type and configuration for GCS state storage.

Why this answer

The correct backend is 'gcs' with a bucket name and prefix. Option A is correct. Option B uses 'remote' which is for Terraform Cloud; C uses 'cloud' which is not a valid backend; D uses 'gcs' but with the wrong bucket format.

49
MCQmedium

A company wants to deploy a containerized application on Google Cloud that automatically scales to zero when not in use, and they want to minimize operational overhead. They also need to avoid managing any underlying infrastructure such as Kubernetes clusters or VMs. Which service should they use?

A.Google Kubernetes Engine (GKE)
B.App Engine Standard Environment
C.Cloud Run
D.Compute Engine with managed instance groups
AnswerC

Cloud Run scales to zero automatically and is fully managed, requiring no infrastructure management.

Why this answer

Cloud Run is a fully managed serverless platform that can scale to zero when there is no traffic, and it abstracts away infrastructure management. GKE requires managing a cluster, Compute Engine involves managing VMs, and App Engine is also serverless but Cloud Run provides more flexibility with containers and also scales to zero.

50
MCQeasy

Which gcloud command is used to deploy a Cloud Function triggered by HTTP requests?

A.gcloud functions call my-function --data '{"key":"value"}'
B.gcloud run deploy my-function --source . --platform managed
C.gcloud functions deploy my-function --runtime python39 --trigger-http
D.gcloud functions deploy my-function --runtime python39 --trigger-topic my-topic
AnswerC

Correct flags for HTTP trigger.

Why this answer

The command 'gcloud functions deploy' with --trigger-http creates an HTTP-triggered function. --runtime specifies the language runtime. --trigger-topic is for Pub/Sub triggers.

51
MCQmedium

An engineer needs to create a Cloud SQL MySQL instance with 4 vCPUs, 15 GB of RAM, and a root password. The instance should be in the us-east1 region. Which command should the engineer run?

A.gcloud sql instances create my-instance --database-version=MYSQL_8_0 --tier=db-custom-4-15360 --region=us-east1
B.gcloud sql instances create my-instance --database-version=MYSQL_5_7 --tier=db-n1-standard-4 --region=us-east1-a --root-password=myPassword
C.gcloud sql instances create my-instance --database-version=MYSQL_8_0 --tier=db-custom-2-7680 --region=us-east1 --root-password=myPassword
D.gcloud sql instances create my-instance --database-version=MYSQL_8_0 --tier=db-custom-4-15360 --region=us-east1 --root-password=myPassword
AnswerD

Correct flags and values.

Why this answer

The correct command is gcloud sql instances create with --database-version=MYSQL_8_0, --tier=db-custom-4-15360 (4 vCPU, 15 GB RAM), --region=us-east1, and --root-password. Option A has correct flags. Option B uses wrong tier (db-custom-2-7680 is 2 vCPU, 7.5 GB RAM).

Option C is missing --root-password. Option D uses wrong region format (us-east1-a) and wrong tier.

52
MCQmedium

A DevOps engineer needs to deploy a containerized application to Google Kubernetes Engine (GKE) using a Deployment YAML file. The cluster is already created and kubectl is configured. Which command should they use to create the deployment?

A.gcloud container deployments create my-deployment --config deployment.yaml
B.kubectl create -f deployment.yaml
C.kubectl apply -f deployment.yaml
D.kubectl run deployment --image=my-image --restart=Always
AnswerC

Correct. This creates or updates the deployment from the YAML file.

Why this answer

The 'kubectl apply -f' command applies the configuration from a file to create or update resources. 'kubectl create deployment' typically requires inline parameters, not a file.

53
MCQeasy

A developer needs to create a Compute Engine VM with 4 vCPUs, 15 GB of memory, and a Debian 10 boot disk. Which gcloud compute instances create command is correct?

A.gcloud compute instances create my-vm --machine-type=n1-highmem-4 --image-family=debian-10 --image-project=debian-cloud
B.gcloud compute instances create my-vm --machine-type=n1-standard-4 --image-family=debian-10 --image-project=debian-cloud
C.gcloud compute instances create my-vm --machine-type=n1-standard-4 --image-family=ubuntu-1804 --image-project=ubuntu-os-cloud
D.gcloud compute instances create my-vm --machine-type=n1-standard-4
AnswerB

Correct flags for 4 vCPU, 15 GB RAM and Debian 10 image.

Why this answer

The correct command specifies machine-type n1-standard-4 (4 vCPU, 15 GB RAM), image-family debian-10, and image-project debian-cloud. The other options either use wrong machine type, wrong image project, or miss required flags.

54
MCQhard

A team is using Terraform to manage infrastructure. They want to store the Terraform state file remotely in a GCS bucket for team collaboration. Which Terraform backend configuration is correct?

A.terraform { backend "gcs" { bucket = "my-terraform-state" } }
B.terraform { backend "gcs" { bucket = "my-terraform-state" prefix = "terraform/state" } }
C.terraform { backend "storage" { bucket = "my-terraform-state" } }
D.terraform { backend "gcloud" { bucket = "my-terraform-state" } }
AnswerA

Correct backend configuration.

Why this answer

The gcs backend requires the 'bucket' argument. Prefix is optional. The correct syntax uses backend 'gcs' with bucket name.

55
MCQeasy

Which kubectl command is used to view the logs of a specific pod named 'my-pod'?

A.kubectl logs my-pod
B.kubectl exec my-pod -- logs
C.kubectl get pod my-pod
D.kubectl describe pod my-pod
AnswerA

Correct command for logs.

Why this answer

The 'kubectl logs' command streams logs from a pod. 'kubectl describe' shows metadata, 'kubectl get' shows status, and 'kubectl exec' runs commands inside the pod.

56
Multi-Selectmedium

A company wants to set up a Cloud SQL for MySQL instance with automated backups and a read replica for disaster recovery. Which THREE features or configurations should be enabled?

Select 3 answers
A.Enable automated backups
B.Enable binary logging
C.Enable deletion protection on the primary instance
D.Configure the read replica in a different region
E.Assign a public IP address to the read replica
AnswersA, B, D

Automated backups are required for point-in-time recovery and disaster recovery.

Why this answer

Automated backups are enabled by default but must be configured. A read replica requires the binary log to be enabled on the primary. The backup location can be set to multi-regional for DR.

Cross-region replication requires a replica in another region. Point-in-time recovery uses binary logs.

57
MCQhard

A team is using Terraform to manage GCP infrastructure. They want to store the state file in a Cloud Storage bucket with versioning enabled. Which backend configuration is correct?

A.provider "google" { backend "gcs" { bucket = "my-bucket" } }
B.terraform { backend "gcs" { bucket = "my-bucket" prefix = "terraform/state" } }
C.terraform { backend "gcs" { bucket = "my-bucket" versioning = true } }
D.terraform { backend "cloud-storage" { bucket = "my-bucket" } }
AnswerB

Correct syntax for GCS backend.

Why this answer

To use Cloud Storage as a backend, you must specify 'bucket' and optionally 'prefix' for the state file path. The provider block is for the Google provider, not state storage.

58
MCQmedium

You are using Terraform to manage a GKE cluster. After running 'terraform apply', the cluster is created. Later, you manually delete the cluster via the Cloud Console. What should you do next to align your Terraform state with the actual infrastructure?

A.Run 'terraform refresh' to automatically update the state.
B.Run 'terraform state rm google_container_cluster.my_cluster' to remove the cluster from state, then decide whether to recreate.
C.Run 'terraform apply' again to recreate the cluster.
D.Run 'terraform destroy' to destroy all resources.
AnswerB

This removes the resource from state, allowing you to apply cleanly.

Why this answer

If a resource is deleted outside Terraform, 'terraform apply' will try to recreate it from the existing state. To update state to reflect the deletion, you must run 'terraform state rm' to remove the resource from state, then optionally apply to recreate if desired.

59
MCQmedium

An organization wants to deploy a containerized web application on GKE. They need the application to be accessible from the internet via a stable IP address. Which service type should they use when exposing the deployment?

A.ClusterIP
B.LoadBalancer
C.NodePort
D.ExternalName
AnswerB

LoadBalancer creates an external load balancer with a static IP.

Why this answer

A LoadBalancer service type provisions a Google Cloud TCP/UDP Load Balancer and assigns a stable external IP address. NodePort exposes on a high port but requires manual setup; ClusterIP is internal only.

60
MCQeasy

A developer needs to create a zonal GKE cluster with 3 nodes of type e2-standard-4 in zone us-central1-a. Which command should they use?

A.gcloud compute instances create my-cluster --zone=us-central1-a --machine-type=e2-standard-4 --num-nodes=3
B.gcloud container clusters create my-cluster --zone=us-central1-a --num-nodes=3 --machine-type=e2-standard-4
C.gcloud container clusters create my-cluster --zone=us-central1-a --num-nodes=1 --machine-type=e2-standard-4
D.gcloud container clusters create my-cluster --region=us-central1 --num-nodes=3 --machine-type=e2-standard-4
AnswerB

This creates a zonal cluster in us-central1-a with 3 e2-standard-4 nodes.

Why this answer

The correct command creates a zonal cluster (single zone) with specified node count and machine type. The --region flag creates a regional cluster, which is not required.

61
Multi-Selectmedium

A developer wants to deploy a containerized application to GKE and expose it externally via a load balancer. Which three kubectl commands are needed? (Choose THREE.)

Select 3 answers
A.kubectl autoscale deployment my-app --cpu-percent=50 --min=1 --max=10
B.kubectl create deployment my-app --image=gcr.io/my-project/my-app
C.kubectl expose deployment my-app --type=LoadBalancer --port=80 --target-port=8080
D.kubectl run my-app --image=gcr.io/my-project/my-app
E.kubectl get service
AnswersB, C, E

Creates a deployment to manage the pod replicas.

Why this answer

To deploy and expose a container in GKE, you can use kubectl create deployment to create the deployment, kubectl expose to create a service of type LoadBalancer, and kubectl get service to verify the external IP. Option B, C, and D are correct. Option A creates a pod directly (not recommended for deployment); E is for scaling.

62
MCQeasy

You want to create a Compute Engine instance with a default machine type of n1-standard-1, using the latest Debian 11 image, with a 50GB boot disk, in the us-central1-a zone. Which gcloud command accomplishes this?

A.gcloud compute instances create my-instance --machine-type=n1-standard-1 --image-family=debian-10 --image-project=debian-cloud --boot-disk-size=50 --zone=us-central1-a
B.gcloud compute instances create my-instance --machine-type=n1-standard-1 --image-family=debian-11 --image-project=debian-cloud --boot-disk-size=50GB --zone=us-central1-a
C.gcloud compute instances create my-instance --machine-type=n1-standard-1 --image-family=debian-11 --image-project=debian-cloud --boot-disk-size=50GB --region=us-central1-a
D.gcloud compute instances create my-instance --machine-type=n1-standard-1 --image-family=debian-11 --image-project=debian-cloud --root-disk-size=50GB --zone=us-central1-a
AnswerB

All flags are correct.

Why this answer

The correct command uses --machine-type, --image-family, --image-project, --boot-disk-size, and --zone. Option A includes all required flags correctly.

63
Multi-Selectmedium

A company wants to migrate an on-premises MySQL database to Cloud SQL with minimal downtime. The database is 500 GB. Which TWO steps should be taken? (Choose 2 correct answers.)

Select 2 answers
A.Create a Cloud SQL instance to serve as the target for the migration.
B.Export the database using gcloud sql export sql, then import to Cloud SQL.
C.Create a Cloud SQL instance and configure it as an external replica of the on-premises database.
D.Use mysqldump to backup the database and restore into Cloud SQL.
E.Use Database Migration Service to create a continuous migration job.
AnswersA, E

You need a target Cloud SQL instance for the DMS migration.

Why this answer

To minimize downtime, you can perform a Database Migration Service (DMS) continuous migration or export/import with a consistent snapshot. DMS supports MySQL and provides continuous sync. Alternatively, you can export the database using mysqldump, then import, but this requires downtime.

However, for minimal downtime, DMS is best. Another approach is to create a read replica then promote, but Cloud SQL does not support external read replicas directly. The correct two are: use DMS for continuous migration, and optionally create a clone for testing, but the question asks for migration steps.

The best two from the options: use DMS migration job and create a Cloud SQL instance.

64
MCQhard

A company's application running on Compute Engine uses a startup script to install software. The script is failing intermittently. The engineer wants to view the startup script output for a specific instance to debug. How can they access the startup script logs?

A.Check the serial console output in Cloud Console
B.Use gcloud compute instances get-serial-port-output
C.SSH into the instance and view /var/log/syslog
D.View the instance's logs in Cloud Logging
AnswerC

Startup script logs are written to syslog.

Why this answer

Startup script output is logged to /var/log/syslog on the VM instance. The engineer can SSH into the instance and check the syslog. Serial console output also shows startup script output but requires access.

Cloud Logging can capture startup script logs if configured, but by default they are not sent. Cloud Console does not show startup script output directly under VM instances details.

65
MCQhard

A developer created a Cloud Function with HTTP trigger. When they send a POST request to the function's URL, they get a 403 Forbidden error. The function is deployed with --allow-unauthenticated flag? What is the most likely cause?

A.The function uses a runtime that does not support HTTP triggers
B.The function does not have the Cloud Functions Invoker role for allUsers
C.The function is not deployed in the correct region
D.The function URL is malformed
AnswerB

Without the invoker role for unauthenticated users, IAM returns 403.

Why this answer

The --allow-unauthenticated flag only allows unauthenticated invocations for Cloud Functions (v1) if IAM policy is also set. However, for Cloud Functions (2nd gen) and Cloud Run, --allow-unauthenticated sets the IAM policy. The 403 error often means the function does not have the allUsers invoker role.

The developer may have omitted the --allow-unauthenticated flag or used a different flag. The function URL is correct; missing region causes a different error. Wrong runtime would cause a different error.

66
MCQeasy

A developer needs to create a Cloud Storage bucket with the 'Nearline' storage class in the 'us-east1' region for storing data that is accessed less than once a month. Which command should be used?

A.gcloud storage buckets create my-bucket --storage-class nearline --location us-east1
B.gsutil mb -c nearline -l us-east1 gs://my-bucket
C.gcloud mb --class nearline --region us-east1 gs://my-bucket
D.gsutil mb --storage-class nearline --location us-east1 gs://my-bucket
AnswerB

Correct. -c nearline sets the storage class, -l us-east1 sets the region.

Why this answer

The 'gsutil mb' command creates a bucket with the specified storage class and location. The -c flag sets the storage class, and -l sets the region.

67
Multi-Selecthard

A DevOps engineer is responsible for deploying a new microservice to GKE. They need to expose the service externally on a static IP address and scale based on HTTP request load. Which THREE resources must be created? (Choose 3 correct answers.)

Select 3 answers
A.Ingress
B.Deployment
C.Service (type LoadBalancer)
D.ConfigMap
E.HorizontalPodAutoscaler
AnswersB, C, E

A Deployment defines the desired state of the pods and manages rolling updates.

Why this answer

To expose a microservice externally with a static IP and load-based scaling, you typically create a Deployment, a Service of type LoadBalancer (which provisions a TCP load balancer with a static IP), and a HorizontalPodAutoscaler to scale based on CPU (or custom metrics). Ingress is not required if using LoadBalancer, but it's another option. ConfigMap is not needed for this.

68
Multi-Selecthard

A team is deploying a containerized microservice on GKE. They want to ensure the service is externally accessible via a stable IP address and can automatically scale the number of pods based on CPU utilization. Which TWO actions should they perform?

Select 2 answers
A.Expose the deployment using kubectl expose deployment my-service --type=LoadBalancer
B.Set the service type as ClusterIP
C.Create a Cluster Autoscaler on the GKE cluster
D.Create a HorizontalPodAutoscaler targeting the deployment with kubectl autoscale deployment my-service --cpu-percent=80 --min=1 --max=10
E.Expose the deployment using kubectl expose deployment my-service --type=NodePort
AnswersA, D

Creates a LoadBalancer service with a stable external IP.

Why this answer

To expose the service externally with a stable IP, use a LoadBalancer service type. To autoscale pods based on CPU, create a HorizontalPodAutoscaler. NodePort only exposes on node IPs, not stable external.

ClusterIP is internal. Cluster autoscaler scales nodes, not pods.

69
MCQmedium

A Cloud Function needs to be triggered whenever a message is published to a Pub/Sub topic. Which 'gcloud functions deploy' command flag is required to set the trigger?

A.--trigger-topic
B.--trigger-http
C.--trigger-event
D.--trigger-bucket
AnswerA

Correct flag for Pub/Sub trigger.

Why this answer

The --trigger-topic flag configures a Cloud Function to be triggered by Pub/Sub messages.

70
Multi-Selectmedium

An organization wants to migrate on-premises databases to Cloud SQL. They have a PostgreSQL database and a MySQL database. They require high availability with automatic failover and regional resilience. Which THREE steps should they take?

Select 3 answers
A.Use gcloud sql import sql to import data into the Cloud SQL instances after creation
B.Create a Cloud SQL instance for MySQL with --tier=db-standard-1 and --zone=us-central1-a
C.Create a Cloud SQL instance for MySQL with --availability-type=regional and --database-version=MYSQL_8_0
D.Create a Cloud SQL instance for PostgreSQL with --availability-type=regional and --database-version=POSTGRES_15
E.Create a Cloud SQL instance for PostgreSQL with --zone=us-central1-a and --secondary-zone=us-central1-c
AnswersA, C, D

Correct step to import SQL dumps into Cloud SQL.

Why this answer

For HA with automatic failover, create Cloud SQL instances in a primary and secondary zone configuration (HA configuration). For PostgreSQL, database-version should be POSTGRES_15 (any supported). For MySQL, MYSQL_8_0.

Import data using gcloud sql import sql or gcloud sql import csv. Option D (PostgreSQL) and E (MySQL) are correct. Option A is correct for importing.

Option B is unnecessary (Cloud SQL automatically creates databases? Actually you need to create them separately, but the question asks for steps to migrate and achieve HA). Option C is incorrect because standard tier is not HA; HA requires enterprise or enterprise plus tier.

71
MCQhard

An organization has strict security policies requiring that all Compute Engine instances use OS Login for SSH access instead of metadata-based SSH keys. Which two actions must be taken to enforce this for all new instances? (Choose two.)

A.Remove all SSH keys from project metadata
B.Use 'gcloud compute ssh' with the --tunnel-through-iap flag
C.Set metadata 'enable-oslogin=FALSE' at the instance level
D.Set metadata 'block-project-ssh-keys=TRUE' at the instance level
E.Set metadata 'enable-oslogin=TRUE' at the project level
AnswerA, E

Ensures no metadata-based keys exist; OS Login then becomes the only method.

Why this answer

To enforce OS Login, you enable it at the project level project-wide (enabled by a specific metadata key) and ensure instances have no metadata-based SSH keys. The other options are incorrect.

72
Multi-Selecthard

You are deploying a high-traffic web application on GKE. You need to automatically scale the number of pods based on CPU utilization. Which THREE steps are required to set up Horizontal Pod Autoscaling (HPA)?

Select 3 answers
A.Install the metrics-server in the cluster.
B.Enable Stackdriver Monitoring for the cluster.
C.Create a HorizontalPodAutoscaler resource (e.g., via kubectl autoscale).
D.Create a Deployment with resource requests for CPU.
E.Expose the Deployment as a Service of type LoadBalancer.
AnswersA, C, D

Metrics-server collects resource metrics; HPA depends on it.

Why this answer

To use HPA, you need a deployment (or other scalable resource), you need to apply the HPA resource (e.g., via kubectl autoscale), and you must have metrics-server installed to provide metrics. Creating a service is optional.

73
MCQmedium

A developer is using Cloud Functions with HTTP trigger. The function needs to process a request payload and return a response. What is the correct way to send a JSON response from the function?

A.response.end(JSON.stringify({ 'status': 'ok' }))
B.return { 'status': 'ok' }
C.context.done(null, { 'status': 'ok' })
D.res.send({ 'status': 'ok' })
AnswerD

Correct: sends a JSON response.

Why this answer

In Cloud Functions (Node.js runtime), the response is sent via the res (response) object. The correct method is res.send() or res.json(). res.send() can send JSON directly.

74
MCQmedium

An organization wants to use Cloud Storage to host a static website. The bucket name must match the domain name. They already own the domain 'example.com' and want to serve the site from 'www.example.com'. Which bucket name should they create?

A.example.com
B.www_example_com
C.example-com-bucket
D.www.example.com
AnswerD

Correct: bucket named after the subdomain.

Why this answer

To host a website with a custom domain using Cloud Storage, you must use a bucket name that matches the domain (or subdomain). For 'www.example.com', the bucket must be named 'www.example.com'. For the apex domain, it would be 'example.com'.

75
Multi-Selecthard

A data engineering team wants to create a Cloud Storage bucket for storing sensitive analytics data. They require encryption at rest with customer-managed keys (CMEK) and want to restrict access to a specific service account. Which three steps are necessary?

Select 3 answers
A.Set the bucket's default encryption to use the KMS key
B.Enable uniform bucket-level access
C.Grant the service account roles/storage.objectAdmin on the bucket
D.Create a service account and download its JSON key
E.Create a Cloud KMS key ring and key in the same region as the bucket
AnswersA, C, E

Configure bucket to use the KMS key for encryption.

Why this answer

To use CMEK, you must create a Cloud KMS key ring and key, then configure the bucket to use that key. Access is controlled via IAM; granting the service account roles/storage.objectAdmin allows full object management. Note: The KMS key must be in the same region as the bucket.

Page 1 of 2 · 124 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Ace Deploying Implementing questions.