CCNA Ace Planning Configuring Questions

13 of 88 questions · Page 2/2 · Ace Planning Configuring topic · Answers revealed

76
Multi-Select · medium

A company is deploying a multi-region application on Compute Engine and needs to configure network security. Which two steps should they take to restrict access to only required traffic? (Choose 2)

Select 2 answers
A. Configure Shared VPC to isolate network traffic
B. Delete the default allow rules that allow all traffic
C. Use Cloud NAT to allow inbound traffic from the internet
D. Use service accounts to restrict traffic between instances
E. Create ingress firewall rules that allow traffic from specific source IP ranges and apply them using network tags

Answers: D, E

Service accounts can be used in firewall rules to allow traffic based on identity.

Why this answer

Firewall rules by default deny all ingress; you need to allow specific traffic by source IP or service account. Tags help apply rules to specific VMs. Shared VPC is for cross-project networking.

Cloud NAT is for outbound internet. Using default allow rules would be too permissive.

77
MCQ · easy

A developer needs to create a Cloud Storage bucket with the storage class that automatically moves objects to a lower-cost storage class after 30 days. Which storage class should be used?

A. Coldline
B. Autoclass
C. Standard
D. Nearline

Answer: B

Why this answer

Autoclass is a feature that automatically transitions objects to appropriate storage classes based on access patterns. The other options require manual lifecycle rules.

78
Multi-Select · medium

A company needs to deploy a web application on Google Cloud that requires high availability across multiple regions. Select TWO services that can help achieve this.

Select 2 answers
A. Global HTTP(S) Load Balancing
B. Cloud VPN
C. Cloud SQL with cross-region replication
D. Cloud NAT
E. Cloud CDN

Answers: A, C

Distributes traffic across regional backends for high availability.

Why this answer

Global HTTP(S) Load Balancing distributes traffic across regions, and Cloud SQL with cross-region replication provides database redundancy. Compute Engine instances in multiple regions serve traffic, and load balancing handles failover.

79
Multi-Select · medium

A development team wants to deploy a containerized microservice that requires GPU acceleration for inference. They want to minimize cost while maintaining the ability to scale to zero when not in use. Which two services meet these requirements? (Choose TWO.)

Select 2 answers
A. Cloud Run
B. Cloud Functions with GPU
C. GKE Standard cluster with GPU node pool and cluster autoscaler
D. Compute Engine with GPUs in a managed instance group
E. GKE Autopilot cluster

Answers: C, E

GKE Standard can scale GPU node pools to zero when no pods request GPUs, minimizing cost.

Why this answer

Option C is correct because GKE Standard with a GPU node pool and cluster autoscaler allows the cluster to scale down to zero nodes when no pods require GPU resources, minimizing cost. The cluster autoscaler automatically removes idle nodes and adds GPU nodes only when GPU-accelerated pods are scheduled, meeting the requirement for scaling to zero.

Exam trap

Cisco often tests the misconception that serverless services like Cloud Run or Cloud Functions can support GPUs, but in reality, GPU acceleration is only available in container orchestration platforms like GKE or Compute Engine-based solutions.

80
Multi-Select · hard

A company is using Cloud Functions (2nd gen) to process high-volume events from Pub/Sub. The function needs to write results to a Cloud Storage bucket. The security team requires that the function uses a service account with the least privilege. Which THREE roles should the engineer assign to the function's service account? (Choose 3)

Select 3 answers
A. roles/cloudfunctions.invoker
B. roles/iam.serviceAccountUser
C. roles/pubsub.publisher
D. roles/pubsub.subscriber
E. roles/storage.objectCreator

Answers: A, D, E

Allows the Cloud Function to be invoked by the Pub/Sub push.

Why this answer

The service account needs permissions to pull messages from Pub/Sub (roles/pubsub.subscriber), write to Cloud Storage (roles/storage.objectCreator), and be able to invoke the function (roles/cloudfunctions.invoker) if the function is triggered via HTTP; however, for event-driven functions, the trigger is Pub/Sub, so the invoker role might not be needed. But to be safe, the invoker role allows the function to be called. The correct three are the essential ones: Pub/Sub subscriber, Cloud Storage object creator, and Cloud Functions invoker (for the function to be invoked by the event).

Actually, for event-driven functions, the Pub/Sub subscription can push to the function without the invoker role if the function's auth is set to allow unauthenticated invocations, but best practice is to use a service account. However, the invoker role is often required when the function uses a service account for authentication. The typical least privilege roles are: roles/pubsub.subscriber (to acknowledge messages), roles/storage.objectCreator (to write objects), and roles/cloudfunctions.invoker (to allow the Pub/Sub push to invoke the function).

Alternatively, roles/iam.serviceAccountUser might be needed to attach the service account. But based on common exam questions, the three are: pubsub.subscriber, storage.objectCreator, cloudfunctions.invoker.

81
MCQ · medium

A team is setting up a new project and wants to estimate the monthly cost of running a Compute Engine VM with 4 vCPUs, 16 GB memory, and a 100 GB persistent disk, using the Google Cloud Pricing Calculator. The VM will run for 12 hours every day for a month. Which discount type will automatically apply to reduce the cost based on usage?

A. Preemptible VM discount
B. Sustained use discount
C. Committed use discount
D. Free tier discount

Answer: B

Sustained use discounts automatically apply for sustained usage over a month.

Why this answer

Sustained use discounts automatically apply for VMs that run for a significant portion of a month. Committed use discounts require a commitment. Preemptible discounts are for short-lived VMs.

Free tier is limited.

82
MCQ · easy

A developer needs to create a Cloud Storage bucket that stores data for only 30 days and then automatically deletes it. Which feature should be used to achieve this?

A. Object versioning
B. Requester pays
C. Object lifecycle management
D. Bucket lock

Answer: C

Lifecycle rules can delete objects after 30 days.

Why this answer

Object lifecycle management rules can automatically delete objects after a specified age. Bucket lock is for retention compliance, not deletion. Versioning keeps multiple versions.

Requester pays shifts costs.

83
MCQ · hard

A company runs a global web application with a Cloud SQL (MySQL) database in the us-east1 region. To improve read performance for users in Europe, they want to offload read traffic to a replica in europe-west1. The replica must be kept in sync with the primary within seconds. Which Cloud SQL configuration should be used?

A. Enable automatic failover to a replica in europe-west1
B. Create a cross-region read replica in europe-west1
C. Configure Cloud SQL for multi-region deployment
D. Create an external replica in europe-west1

Answer: B

Why this answer

Cross-region replication using a Cloud SQL read replica is the correct approach. External replicas are for on-premises or other clouds; failover replicas are for high availability within the same region; multi-region is not a Cloud SQL option (it's for Cloud Storage or Spanner).

84
MCQ · medium

A company runs a containerized web application on Google Kubernetes Engine (GKE). The application experiences unpredictable traffic spikes. The team wants to minimize costs by scaling down to zero when idle, but also needs to handle burst traffic quickly. Which GKE mode should they choose?

A. Cloud Run
B. Compute Engine with managed instance groups and autoscaling
C. GKE Standard with node auto-provisioning
D. GKE Autopilot

Answer: A

Cloud Run scales to zero, supports containerized apps, and handles burst traffic via automatic scaling.

Why this answer

GKE Autopilot is fully managed and scales based on per-pod resource requests, but does not scale to zero. Cloud Run scales to zero and handles burst traffic quickly. Cloud Functions is serverless but not containerized.

Compute Engine with managed instance groups requires always-on VMs.

85
Multi-Select · medium

A company runs a critical application on Compute Engine that requires static IP addresses and must be highly available across zones. The application uses a stateful backend. Which TWO steps should the engineer take to meet these requirements? (Choose 2)

Select 2 answers
A. Configure an external TCP/UDP load balancer with a static IP address
B. Assign each VM a static external IP address
C. Use a managed instance group with multiple zones enabled
D. Use Cloud DNS with geo-routing
E. Use a single-zone managed instance group with a snapshot schedule

Answers: A, C

Load balancer provides a static IP and health checks for high availability.

Why this answer

To achieve high availability across zones with static IPs, a managed instance group with a multi-zone configuration (A) can distribute instances across zones. A load balancer (B) provides a static IP and routes traffic to healthy instances. Stateful workloads can use persistent disks or other state preservation strategies.

86
MCQ · medium

A company runs a batch analytics workload on Compute Engine that runs for 3 hours every night. The workload is fault-tolerant and can be disrupted. Which pricing model should the engineer use to minimize cost?

A. Committed use discounts
B. Spot VMs
C. Preemptible VMs
D. Sustained use discounts

Answer: C

Preemptible VMs cost much less and are perfect for fault-tolerant batch jobs that can be interrupted.

Why this answer

Preemptible VMs are significantly cheaper than regular VMs and can be terminated at any time, suitable for fault-tolerant batch workloads. They are ideal for short-lived, interruptible jobs.

87
MCQ · medium

A company wants to run a stateless HTTP web application that experiences highly variable traffic, including periods of zero traffic. The application is packaged as a Docker container. The team wants to minimize operational overhead and pay only for resources consumed during request processing. Which Google Cloud compute service is the best fit?

A. Cloud Functions
B. Cloud Run
C. GKE Standard
D. Compute Engine with managed instance group

Answer: B

Cloud Run runs containers, scales to zero, and charges per request, ideal for variable traffic.

Why this answer

Cloud Run is serverless, scales to zero, charges per request, and runs containers from container images. Cloud Functions is for event-driven functions, not full web apps. GKE Standard and Compute Engine require managing servers and do not scale to zero.

88
MCQ · medium

An application running on Compute Engine needs to be accessible from the internet on port 443. The instance has an internal IP only. Which steps are necessary to allow internet traffic?

A. Use Cloud Load Balancing with an HTTPS load balancer to forward traffic to the instance
B. Configure a VPN from the internet to the VPC
C. Create a Cloud NAT gateway and a firewall rule allowing ingress on port 443
D. Assign an external IP to the VM and create a firewall rule allowing ingress from 0.0.0.0/0 on port 443

Answer: A

An external HTTPS load balancer can route internet traffic to internal instances without exposing them directly.

Why this answer

An internal-only VM cannot be reached directly from the internet. You need to use a Cloud NAT for outbound traffic, but for inbound traffic, you must either assign an external IP to the VM or use a load balancer. The most secure and scalable approach is to use an external HTTPS load balancer.
