CCNA Ace Setup Environment Questions


1
MCQ · medium

A company wants to manage multiple GCP projects with different configurations (e.g., different regions and accounts) on the same workstation. Which gcloud feature should they use to switch between these configurations?

A. Environment variables
B. gcloud init each time
C. Configuration profiles
D. Multiple gcloud installations
Answer: C

Correct.

Why this answer

Configuration profiles allow setting different sets of properties (project, region, account) and switching between them with 'gcloud config configurations activate'.

2
MCQ · easy

What is the basic role that grants full control over all resources in a GCP project?

A. Editor
B. Owner
C. Viewer
D. Admin
Answer: B

Correct.

Why this answer

The Owner role (roles/owner) grants full access, including the ability to manage roles and billing.

3
MCQ · medium

An organization needs to separate development, staging, and production environments using the GCP resource hierarchy. Which approach is most effective?

A. Create folders for dev, staging, and prod under the organization, then place projects in each folder
B. Use labels on projects to denote environment, but keep all in one folder
C. Create separate projects for each environment without folders
D. Create a single project and use separate VPC networks per environment
Answer: A

Correct: Folders provide logical grouping and policy inheritance.

Why this answer

Using folders under the organization node allows isolating environments, and organization policies can be applied at the folder level for governance.

4
MCQ · medium

You are a project owner and need to grant a colleague the ability to create and manage Compute Engine instances, but restrict them from deleting any resources. Which IAM role should you assign?

A. roles/compute.admin
B. roles/compute.securityAdmin
C. roles/compute.viewer
D. roles/compute.instanceAdmin.v1
Answer: D

This role allows create and manage but not delete.

Why this answer

The Compute Instance Admin role (roles/compute.instanceAdmin.v1) allows full management of instances including create, modify, and start/stop, but not delete. The Compute Admin role allows deletion. The Viewer role only allows read access.

The Security Admin role is for managing security policies.

5
MCQ · hard

An organization has multiple Google Cloud projects and wants to enforce a policy that all Compute Engine instances must use a specific set of approved machine types. Which tool should be used to implement this constraint?

A. Organization policies
B. IAM custom roles
C. VPC Service Controls
D. Cloud Scheduler
Answer: A

Organization policies allow hierarchical enforcement of constraints like allowed machine types.

Why this answer

Organization policies are used to enforce constraints across projects, folders, or the entire organization. The constraint 'compute.constraints.allowMachineTypes' can be set to restrict machine types. IAM roles control access, not resource configuration.

Cloud Scheduler is for cron jobs. VPC Service Controls is for data exfiltration prevention.

6
MCQ · easy

An engineer needs to create a new GCP project using the Cloud SDK. They have already installed and initialized gcloud with a user account that has Billing Account Administrator and Project Creator roles. Which command creates the project 'my-new-project'?

A. gcloud config set project my-new-project
B. gcloud projects create my-new-project
C. gcloud alpha projects create my-new-project
D. gcloud init my-new-project
Answer: B

Correct command.

Why this answer

The correct command to create a project is 'gcloud projects create'. It creates a new project with the specified ID.

7
MCQ · medium

An organization wants to manage GCP resources for multiple teams using a hierarchy of folders and projects. They need to apply a uniform policy that restricts the regions where VM instances can be created across all projects in a folder. Which approach should they use?

A. Apply an organization policy with the `compute.allowedExternalIpAccess` constraint
B. Apply an organization policy with the `compute.restrictResourceCreation` constraint
C. Set an IAM policy on the folder that denies compute.instances.create permission in disallowed regions
D. Use gcloud config set compute/region and enforce with a script
Answer: B

This constraint allows restricting resource creation to specific regions and is applied at the folder or project level.

Why this answer

Organization policies (with constraints) are applied at the folder or project level to enforce restrictions across all resources within that node. IAM policies control access, not configuration restrictions.

8
MCQ · medium

You need to list all projects in your organization using the gcloud CLI. Which command is correct?

A. gcloud compute projects list
B. gcloud config list
C. gcloud projects list
D. gcloud resource-manager projects list
Answer: C

Correct command.

Why this answer

'gcloud projects list' lists the projects accessible to the authenticated user. To list all projects in an organization, you need the --filter flag or the organizations commands. With appropriate permissions, however, 'gcloud projects list' shows all projects.

The other commands are incorrect: 'gcloud config list' shows config, 'gcloud compute projects list' doesn't exist, 'gcloud resource-manager projects list' is not a command.

9
Multi-Select · medium

A team wants to export GCP billing data for detailed analysis using SQL. Which three steps are necessary? (Choose THREE)

Select 3 answers
A. Enable Cloud Billing API
B. Create a Cloud Storage bucket
C. Create a BigQuery dataset
D. Set up billing export in the Cloud Console
E. Enable BigQuery API
Answers: C, D, E

Correct: The export writes to a dataset you create.

Why this answer

Billing export to BigQuery requires enabling BigQuery, creating a dataset, and configuring the export from billing.

10
Multi-Select · medium

A developer wants to use Cloud Shell for managing GCP resources. Which three statements about Cloud Shell are true? (Choose THREE.)

Select 3 answers
A. It allows unlimited session duration without any timeout
B. It can be used only for projects that have billing enabled
C. It provides a web-based terminal in the GCP Console
D. It provides 5 GB of persistent disk storage in the user's home directory
E. It has gcloud, kubectl, and terraform pre-installed
Answers: C, D, E

Cloud Shell is accessible via the Cloud Console.

Why this answer

Cloud Shell provides a browser-based terminal with persistent 5GB home directory, and comes pre-installed with common tools like gcloud, kubectl, and terraform. It also includes a code editor.

11
Multi-Select · hard

You are designing a resource hierarchy for a company with three departments: Engineering, Sales, and HR. Each department should have its own projects, and policies should be applied at the department level. Which THREE steps should you take? (Choose three.)

Select 3 answers
A. Create a folder for each department
B. Use labels to separate departments
C. Create an organization node
D. Create a project for each department
E. Apply IAM policies at the project level only
Answers: A, C, D

Folders allow grouping projects per department.

Why this answer

Create an organization node (if not already present). Under it, create a folder for each department. Then create projects within each folder.

Apply IAM policies at the folder level.

12
MCQ · medium

A developer wants to authenticate to GCP from their local machine using their own user account to run gcloud commands that interact with a project. They have already installed the Cloud SDK. Which command should they use to authenticate with their Google account?

A. gcloud init
B. gcloud auth activate-service-account
C. gcloud auth login
D. gcloud auth application-default login
Answer: C

This command opens a browser for OAuth authentication with the user's Google account.

Why this answer

`gcloud auth login` authenticates using a user account (OAuth 2.0) and is appropriate for interactive use. `gcloud auth application-default login` is for application credentials.

13
Multi-Select · medium

You are setting up a new GCP project for a microservices application. You need to select which APIs to enable. Which THREE APIs are likely required? (Choose 3)

Select 3 answers
A. storage.googleapis.com
B. cloudbuild.googleapis.com
C. container.googleapis.com
D. compute.googleapis.com
E. bigquery.googleapis.com
Answers: B, C, D

Often used for building container images.

Why this answer

For a microservices application on Kubernetes, you need the Kubernetes Engine API (container.googleapis.com), and often the Cloud Build API (cloudbuild.googleapis.com) for CI/CD and Compute Engine API (compute.googleapis.com) as a dependency for GKE. Cloud Storage API is not necessarily required unless using Cloud Storage. BigQuery is for analytics.

14
MCQ · medium

You want to set up a budget alert for a GCP project. You need to receive a notification when the forecasted cost exceeds $1000 and when the actual cost exceeds $1000. Which budget amount should you set?

A. $2000
B. $1000
C. $100
D. $500
Answer: B

Correct. The budget amount is $1000, and you can set alert thresholds on forecasted and actual costs.

Why this answer

You set a budget amount of $1000. Then you can set alert thresholds at 50% (for forecasted) and 100% (for actual). However, the question asks for the budget amount, which should be $1000.

15
MCQ · medium

A company wants to set up a budget alert at 50% and 90% of their projected monthly spending. Which service should they use?

A. Cloud Billing budgets
B. Cost breakdown reports
C. Cloud Scheduler
D. Cloud Monitoring alerts
Answer: A

Correct.

Why this answer

Cloud Billing budgets allow setting budget amounts and alerts at specified thresholds.

16
MCQ · easy

A new engineer needs to set up the gcloud CLI on their local machine and authenticate with a user account. Which command should they run after installing the SDK?

A. gcloud init
B. gcloud auth application-default login
C. gcloud config set account
D. gcloud auth login
Answer: A

Correct: gcloud init runs authentication and sets default project/region in a single command.

Why this answer

The 'gcloud init' command initializes the SDK, sets properties, and runs auth login. Alternatively, 'gcloud auth login' only authenticates without setting project/defaults.

17
MCQ · hard

An engineer tries to delete a project using the Cloud Console but the option is greyed out. The engineer has the Project Owner role. What is the most likely reason?

A. The engineer does not have proper permissions
B. The billing account is disabled
C. The project has active resources
D. The billing account is still linked to the project
Answer: D

Correct: the billing account must be unlinked or disabled first.

Why this answer

To delete a project, billing must be disabled first. The project might have an active billing account.

18
MCQ · medium

A company wants to track costs for each department by using labels on resources. What is the next step after labeling resources to view costs per label?

A. View billing reports filtered by label
B. Export billing to Cloud Storage and analyze
C. Create a billing account budget
D. Use the Cost Table in Cloud Console
Answer: A

Correct: Billing reports allow filtering by labels to see costs per department.

Why this answer

Labels are key-value pairs attached to resources. To view cost breakdown, you can use billing reports or export to BigQuery and query by label.

19
MCQ · easy

You are using Cloud Shell and need to access a file you created two weeks ago. What is the persistence behavior of Cloud Shell home directories?

A. Cloud Shell home directories are stored in Cloud Storage and are always available.
B. Cloud Shell home directories persist for 30 days after last use.
C. Cloud Shell home directories are temporary and are deleted after each session.
D. Cloud Shell home directories persist across sessions, with 5 GB of storage.
Answer: D

Correct: persistent 5 GB home.

Why this answer

Cloud Shell provides 5 GB of persistent home storage backed by Cloud Filestore or persistent disk. It persists across sessions, even if Cloud Shell is idle. However, it is not backed up; if the instance is reset, data may be lost.

But under normal use, data persists.

20
MCQ · medium

A company has multiple Google Cloud projects and wants to track costs by department. They have already applied labels to resources with key 'department'. What is the next step to view costs grouped by department?

A. Run gcloud billing accounts list and parse the output
B. Set up a budget alert with department labels
C. Enable billing export to BigQuery and run a query
D. Go to Billing > Reports and filter by 'department' label
Answer: D

Correct. The Reports page allows filtering by labels.

Why this answer

Costs can be viewed in the Cloud Console under Billing > Reports. You can filter by labels to see costs grouped by label values.

21
MCQ · hard

Your organization wants to enforce that all Compute Engine instances are created only in us-central1 and europe-west1. You need to implement this constraint across all projects in the organization. What should you do?

A. Apply an organization policy with constraint gcp.resourceLocations to allow only us-central1 and europe-west1.
B. Use VPC Service Controls to restrict access to Compute Engine API from other regions.
C. Use labels to tag instances and run a script to delete non-compliant ones.
D. Create an IAM policy denying the compute.instances.create permission in all other regions.
Answer: A

Correct: org policy constraint restricts allowed locations.

Why this answer

Organization policies can enforce constraints on resource locations. The constraint 'gcp.resourceLocations' restricts allowed locations. You set this at the organization level so it applies to all projects.

IAM roles don't enforce location. VPC Service Controls control data exfiltration, not location restrictions. Labels don't enforce location.

22
Multi-Select · hard

A startup wants to control costs across multiple GCP projects. They want to track spending by department and set budget alerts. Which THREE actions should they take?

Select 3 answers
A. Assign labels to resources indicating department
B. Use Cloud Monitoring to track costs
C. Enable billing export to BigQuery
D. Create separate billing accounts for each department
E. Set up a budget with threshold alerts in the billing account
Answers: A, C, E

Correct.

Why this answer

Using labels, budgets, and billing export enables tracking and alerts.

23
MCQ · hard

A company wants to grant a contractor read-only access to all Compute Engine instances in a specific project, but no other resources. Which IAM role should be assigned?

A. roles/compute.instanceAdmin.v1
B. roles/viewer
C. roles/compute.viewer
D. roles/iam.securityReviewer
Answer: C

Correct: This role grants read-only access to Compute Engine resources only.

Why this answer

Predefined roles like 'compute.viewer' provide read-only access to Compute Engine resources. The basic 'Viewer' role would also grant read access to other services, which is not desired.

24
MCQ · easy

A new engineer wants to set up their local environment to interact with Google Cloud. Which command initializes the gcloud CLI and configures the project, region, and zone?

A. gcloud auth login
B. gcloud auth application-default login
C. gcloud init
D. gcloud config set project my-project
Answer: C

Correct. Initializes and configures defaults.

Why this answer

The 'gcloud init' command initializes the SDK, sets default project, region, and zone interactively. 'gcloud auth login' only handles authentication. 'gcloud config set' sets individual properties but doesn't initialize. 'gcloud auth application-default login' is for application default credentials.

25
MCQ · hard

After creating a new GCP project, an engineer attempts to delete it using `gcloud projects delete PROJECT_ID` but receives an error. What is the most likely cause?

A. The project still has running resources (e.g., VM instances)
B. The IAM policy prevents deletion
C. The project ID is invalid
D. The project is linked to a billing account that must be disabled first
Answer: D

The billing account must be disabled before project deletion is allowed.

Why this answer

A project cannot be deleted if it has a billing account attached. The billing account must be disabled (disassociated) first.

26
MCQ · easy

A company wants to organize its Google Cloud resources. They have multiple departments (Engineering, Finance, Marketing) and want to apply common policies at the department level. Which resource hierarchy level should they use to create folders for each department?

A. Organization node
B. Folder
C. Resource
D. Project
Answer: B

Folders are used to group projects and apply policies.

Why this answer

Folders under an organization node allow grouping projects and applying policies at that level.

27
Multi-Select · medium

An organization wants to set up a budget alert for a GCP project. Which TWO options can be configured as alert thresholds?

Select 2 answers
A. 50% of budget
B. Actual cost equals budget
C. Forecasted spend exceeds budget
D. Custom amount
E. Per-service cost exceeds $100
Answers: A, C

Percentage thresholds like 50% are commonly used.

Why this answer

When creating a budget alert, you can set alert thresholds at spending amounts or percentages (e.g., 50%, 90%, 100%) of the budget. You can also set alerts based on forecasted spend. 'Custom amount' and 'per-service' are not standard threshold types.

28
MCQ · hard

You are setting up billing for a new GCP project. You want to receive an alert when the projected cost for the month exceeds 80% of your budget. You also want to be notified if the actual cost reaches 100%. Which budget alert thresholds should you set?

A. Set a single alert at 100% and use the 'forecast' option to get projected cost alerts
B. Set a single alert at 80% and another at 100%
C. Set alerts at 50%, 80%, and 100%
D. Set a single alert at 80% for projected cost; GCP automatically alerts at 100%
Answer: B

Correct. You can set multiple alert thresholds, and 80% and 100% are valid choices.

Why this answer

Budget alerts can be set at specific percentages, but only whole numbers are allowed. Typically, you set alerts at 80% and 100%. The 80% alert is for projected cost, and 100% is for actual cost.

29
MCQ · medium

You need to delete a GCP project, but the deletion fails with an error. What is the most likely cause?

A. The project has IAM policies attached
B. The project still has active resources such as Compute Engine instances
C. The project is in a folder
D. The project's billing account is still linked
Answer: D

Billing must be disabled before a project can be deleted.

Why this answer

GCP requires that billing be disabled before a project can be deleted. If billing is still active, deletion will fail.

30
MCQ · easy

You need to install the Google Cloud SDK on a Linux machine. Which command should you use to add the Cloud SDK distribution URI as a package source?

A. curl https://sdk.cloud.google.com | bash
B. gcloud init
C. sudo apt-get install google-cloud-sdk
D. echo 'deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main' | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
Answer: D

This adds the Cloud SDK repository correctly.

Why this answer

The Cloud SDK installation guide for Linux uses echo to add the URI to /etc/apt/sources.list.d/google-cloud-sdk.list.

31
MCQ · medium

An engineer needs to enable the Compute Engine API for a project using the gcloud command line. Which command should they run?

A. gcloud compute instances enable-api
B. gcloud services list --enabled
C. gcloud api enable compute
D. gcloud services enable compute.googleapis.com
Answer: D

Correct command to enable the Compute Engine API.

Why this answer

The command 'gcloud services enable compute.googleapis.com' enables the Compute Engine API for the current project. The other options either list services or are incorrect.

32
MCQ · medium

You want to use gcloud CLI to set the default project to 'my-project' and the default compute zone to 'us-central1-a'. Which two gcloud config commands should you run?

A. gcloud config configurations set project my-project and gcloud config configurations set zone us-central1-a
B. gcloud config set project my-project and gcloud config set compute/zone us-central1-a
C. gcloud config set project my-project and gcloud config set zone us-central1-a
D. gcloud projects set my-project and gcloud compute zones set us-central1-a
Answer: B

Correct syntax for setting project and compute zone.

Why this answer

The commands are 'gcloud config set project my-project' and 'gcloud config set compute/zone us-central1-a'.

33
MCQ · hard

A junior engineer accidentally deleted a project. Later, they realize they need to restore it. What must be true for project deletion to be reversible?

A. The user must have the Owner role at the organization level
B. The billing account must have been disabled before deletion
C. The project must be within the first 7 days of creation
D. The project must not have any active resources
Answer: B

Correct: Deleting a project requires disabling billing; after deletion, the project can be recovered within 30 days.

Why this answer

Deleted projects are retained for 30 days and can be recovered if the billing account is not disabled. However, deletion requires billing to be disabled first as a safety measure.

34
Multi-Select · medium

An engineer needs to enable the Cloud Build API and the Kubernetes Engine API for a project. Which TWO commands should they run?

Select 3 answers
A. gcloud services enable cloudbuild.googleapis.com
B. gcloud services enable container.googleapis.com
C. gcloud services enable compute.googleapis.com
D. gcloud services enable kubernetes-engine.googleapis.com
E. gcloud services enable cloudbuild.googleapis.com --project=my-project
Answers: A, B, E

Enables Cloud Build API.

Why this answer

To enable APIs, use 'gcloud services enable' with the service name. For Cloud Build, it's cloudbuild.googleapis.com. For Kubernetes Engine, it's container.googleapis.com.

The other options are incorrect.

35
MCQ · medium

An engineer needs to enable the Compute Engine API for a project using the CLI. Which command should they run?

A. gcloud compute enable
B. gcloud services enable compute
C. gcloud api enable compute.googleapis.com
D. gcloud services enable compute.googleapis.com
Answer: D

Correct: This enables the Compute Engine API.

Why this answer

The 'gcloud services enable' command enables APIs in a project. The service name for Compute Engine is compute.googleapis.com.

36
MCQ · easy

Your organization has multiple Google Cloud projects. You want to separate development and production environments. Which resource hierarchy structure is recommended?

A. Create two separate organizations.
B. Use labels on projects to differentiate environments.
C. Use a single project with separate VPC networks.
D. Use folders under the organization node to separate dev and prod projects.
Answer: D

Folders provide logical grouping and policy inheritance.

Why this answer

Using folders under an organization node allows grouping projects by environment. Folders support IAM policies and org policies, enabling environment separation. Projects alone cannot nest; folders provide the logical grouping.

37
Multi-Select · medium

An administrator needs to create a custom IAM role that allows listing projects and viewing billing accounts. Which TWO permissions should be included?

Select 2 answers
A. billing.accounts.list
B. billing.accounts.create
C. resourcemanager.projects.create
D. resourcemanager.projects.list
E. resourcemanager.projects.delete
Answers: A, D

Correct.

Why this answer

resourcemanager.projects.list and billing.accounts.list allow these actions.

38
MCQ · medium

An administrator wants to set up a budget alert that triggers at 50%, 90%, and 100% of the monthly spending limit. What is the correct way to configure this?

A. Create a budget with a single threshold of 100% and rely on Cloud Monitoring
B. Use Cloud Billing reports to manually track
C. Create three separate budgets, each with a single threshold
D. Create one budget with three threshold rules: 50%, 90%, 100%
Answer: D

Correct: A single budget supports multiple threshold rules.

Why this answer

Budget alerts can have multiple threshold rules with different percentages. You can create a single budget with three threshold rules.

39
MCQ · medium

A developer needs to authenticate to Google Cloud from their local machine to run application code that reads from Cloud Storage. They use a service account. Which gcloud command should they use to obtain application credentials?

A. gcloud auth login
B. gcloud config set account service-account@project.iam.gserviceaccount.com
C. gcloud auth application-default login
D. gcloud auth activate-service-account --key-file=KEY_FILE
Answer: D

Correct command for service account.

Why this answer

The command 'gcloud auth application-default login' obtains user credentials for Application Default Credentials (ADC). For a service account, they would use 'gcloud auth activate-service-account' or set the GOOGLE_APPLICATION_CREDENTIALS environment variable.

40
Multi-Select · hard

An engineer needs to choose a location for a new GCP project's resources to maximize availability and minimize latency for users in Europe and Asia. Which three actions should they take? (Choose THREE)

Select 3 answers
A. Use a global load balancer to distribute traffic
B. Set the project default region to us-central1
C. Deploy resources in europe-west1 and asia-east1
D. Use a single zone in europe-west1 for simplicity
E. Enable Cloud CDN to cache content at edge locations
Answers: A, C, E

Correct: Global load balancing routes users to the nearest region.

Why this answer

Using multiple regions, load balancing, and a global resource like Cloud CDN can help achieve high availability and low latency.

41
MCQ · easy

An organization wants to separate its development and production environments using Google Cloud resource hierarchy. What is the recommended approach?

A. Create a single project and use separate VPC networks for dev and prod.
B. Create two separate organizations, one for dev and one for prod.
C. Create two projects under the same folder and use labels to differentiate dev and prod.
D. Create two folders under the organization node, one for dev and one for prod.
Answer: D

Folders are the correct way to organize projects within an organization for environment separation.

Why this answer

Using folders under the organization node to separate environments is the recommended practice. Folders provide isolation and allow for separate IAM policies and organization policies.

42
Multi-Select · medium

A DevOps engineer wants to set up budget alerts for a GCP project so that the finance team is notified when costs reach 50% and 90% of the budget. Which two configurations are required? (Choose TWO.)

Select 2 answers
A. Enable billing export to BigQuery
B. Create a budget in the Cloud Billing console
C. Set up a Cloud Function to monitor billing
D. Configure alert thresholds at 50% and 90%
E. Assign the roles/billing.admin IAM role to the finance team
Answers: B, D

You must create a budget and define the amount and scope.

Why this answer

To set up a budget alert with thresholds, you need to create a budget (specifying the amount and scope) and then set alert thresholds (percentages). The budget can also include Pub/Sub notifications, but the question asks for required configurations.

43
MCQ · medium

A team member accidentally deleted a GCP project. You need to recover it. What must be true for a successful recovery within the 30-day window?

A. The project can be restored only if billing was disabled prior to deletion.
B. The project can be restored within 30 days if you have the necessary permissions and the billing account is active.
C. The billing account must be re-associated after undeletion.
D. The project can be restored only if it was deleted by the owner.
Answer: B

Correct: undelete is possible with proper IAM role and active billing.

Why this answer

A deleted project can be restored within 30 days only if the billing account is still active and you have ownership. The project must be undeleted via the Cloud Console or API. Billing must be enabled; if billing was disabled before deletion, you must re-enable it first.

44
Multi-Select · hard

Your organization uses GCP organizations with multiple folders. You need to assign a team the ability to create projects only in a specific folder. Which THREE steps should you take? (Choose 3)

Select 2 answers
A. Ensure the team has the role roles/resourcemanager.folderViewer on the organization.
B. Grant the role roles/resourcemanager.projectCreator at the organization level.
C. Grant the team the roles/resourcemanager.folderAdmin role on the folder.
D. Optionally apply an organization policy to restrict which folders can contain projects.
E. Grant the role roles/resourcemanager.projectCreator on the specific folder to the team.
Answers: D, E

Can enforce that projects only exist under specific folders.

Why this answer

To restrict project creation to a specific folder, you grant the roles/resourcemanager.projectCreator role at the folder level. Additionally, you may need to grant the role on the organization for the folder to exist. Also, setting an organization policy to constrain where projects can be created (e.g., gcp.resourceLocations) is optional but recommended.

Granting at organization level would give access to all folders. Creating a custom role is unnecessary.

45
Multi-Select · hard

A company has multiple GCP projects and wants to enforce a policy that prevents the creation of VMs with public IP addresses. Which three methods can be used to enforce this restriction? (Choose THREE.)

Select 3 answers
A. Create a VPC with no default route to the internet and enforce using network tags
B. Use IAM conditions to allow create only when instances do not have external IPs
C. Create a custom IAM role that denies the `compute.instances.create` permission
D. Use an organization policy constraint `compute.vmExternalIpAccess`
E. Use a custom role with `compute.instances.create` and add a condition that checks for the absence of external IPs
Answers: A, D, E

By requiring VMs to be in a VPC without internet access, you can prevent public IPs from being useful; network tags can enforce firewall rules.

Why this answer

Organization policies (constraint), custom roles with deny permissions, and network tags with firewall rules can all help restrict public IPs. IAM conditions can be used to restrict permissions based on resource properties, but they cannot directly prevent VM creation with public IPs.

46
MCQ · easy

Which gcloud command is used to set the default project for a configuration profile?

A. gcloud init
B. gcloud config set project
C. gcloud projects set
D. gcloud projects list
Answer: B

Correct command to set the default project in gcloud configuration.

Why this answer

The command 'gcloud config set project [PROJECT_ID]' sets the default project in the current active configuration. The other commands are for other purposes.

47
MCQ · medium

An organization wants to enforce a policy that disables the creation of VMs with external IPs across all projects. Which resource hierarchy level should the policy be attached to for maximum coverage?

A. Project
B. Resource (VM)
C. Organization
D. Folder
Answer: C

Correct: Attaching at the organization level applies to all folders and projects.

Why this answer

Organization policies can be applied at the organization level to affect all projects and folders underneath. This ensures the policy covers all resources.

48
Multi-Select · medium

Your company has a production project and a development project. You want to ensure that no one can delete the production project accidentally. Which TWO actions should you take? (Choose 2)

Select 2 answers
A. Apply an organization policy constraint that blocks project deletion.
B. Set a deletion protection policy on the project.
C. Set a budget alert at 100% of projected spend.
D. Remove the Owner role from all users and grant only Editor.
E. Add a label to the project indicating it is production.
Answers: A, B

Org policy can disallow project deletion.

Why this answer

To prevent accidental deletion, you can set a deletion protection policy at the project level. Additionally, using an organization policy constraint 'constraints/resourcemanager.projectDelete' at the folder or organization level can block deletion. Labels don't prevent deletion.

Removing the Owner role from all users would break management. Budget alerts don't prevent deletion.

49
Multi-Selectmedium

An engineer is setting up a new GCP project for a containerized application. They need to enable the required APIs. Which TWO APIs must be enabled to deploy and manage a Kubernetes cluster and build container images?

Select 2 answers
A.compute.googleapis.com
B.bigquery.googleapis.com
C.cloudbuild.googleapis.com
D.container.googleapis.com
E.cloudfunctions.googleapis.com
AnswersC, D

Correct: Cloud Build API.

Why this answer

Kubernetes Engine API and Cloud Build API are needed for cluster management and building images.

50
Multi-Selectmedium

You need to view the current gcloud configuration settings, including the active account, project, and compute region. Which TWO commands can you use? (Choose two.)

Select 2 answers
A.gcloud config list
B.gcloud config describe
C.gcloud projects list
D.gcloud auth list
E.gcloud info
AnswersA, E

This lists all configuration properties.

Why this answer

gcloud config list displays all configuration properties. gcloud info provides detailed information, including configuration.

51
MCQeasy

Which of the following is true about Cloud Shell?

A.Cloud Shell has 5 GB of persistent home directory storage.
B.Cloud Shell requires installation of gcloud and kubectl manually.
C.Cloud Shell only supports the gcloud CLI, not kubectl.
D.Cloud Shell provides a persistent VM that can run for hours.
AnswerA

The home directory is persistent across sessions.

Why this answer

Cloud Shell provides a temporary virtual machine with 5 GB of persistent home directory storage, and the gcloud, kubectl, and terraform tools are pre-installed. The VM is ephemeral (it is terminated after 20 minutes of inactivity), but the home directory persists across sessions.

52
MCQeasy

A new engineer is setting up their GCP environment for the first time. They have a billing account and need to create a new project for development. What is the correct order of steps?

A.Enable APIs → Create billing account → Create project
B.Create project → Associate billing account → Enable APIs
C.Create project → Enable APIs → Associate billing account
D.Create billing account → Create project → Enable APIs
AnswerD

This is the correct sequence: billing account first, then project creation, then API enablement.

Why this answer

The standard order is to first create the billing account, then create the project and associate it with the billing account, and finally enable the required APIs within that project.

53
MCQmedium

A company wants to track and forecast GCP spending across different departments. They have already set up labels on resources to indicate the department. Which additional step should they take to analyze costs by department in BigQuery?

A.Enable billing export to BigQuery in the Cloud Billing console
B.Use the Cloud Billing API to programmatically fetch cost data and write it to BigQuery
C.Run a scheduled query in BigQuery that calls the Cloud Billing API
D.Create a Cloud Function that captures billing events and inserts them into BigQuery
AnswerA

This automatically exports detailed billing data with labels into BigQuery.

Why this answer

Enabling billing export to BigQuery will stream billing data (including labels) into a BigQuery dataset, allowing custom queries and analysis.

54
MCQmedium

You are managing a project and need to create a custom IAM role that allows only the permissions compute.instances.list and compute.instances.get. What is the correct way to create this role using gcloud?

A.gcloud iam service-accounts create viewer --permissions="compute.instances.list,compute.instances.get"
B.gcloud iam roles create viewer --organization=123456 --permissions="compute.instances.*"
C.gcloud iam roles create viewer --project=my-project --permissions="compute.instances.list,compute.instances.get"
D.gcloud iam custom-roles create viewer --project=my-project --permissions='compute.instances.list,compute.instances.get'
AnswerC

Correct syntax for creating a custom role with specific permissions.

Why this answer

The command 'gcloud iam roles create' is used to create custom roles. The permissions are specified with the --permissions flag.

55
MCQmedium

An engineer is setting up Cloud Shell for the first time. They notice that their home directory persists across sessions. How much storage is allocated to the home directory in Cloud Shell?

A.10 GB
B.1 GB
C.20 GB
D.5 GB
AnswerD

Correct.

Why this answer

Cloud Shell provides 5 GB of persistent home directory storage.

56
Multi-Selecteasy

An organization is setting up a new GCP environment and needs to create a hierarchy that separates development, staging, and production workloads. Which two resources can be used to group projects for this purpose? (Choose TWO.)

Select 2 answers
A.VPC
B.Project
C.Cloud Identity
D.Folder
E.Organization
AnswersB, D

Projects are the container for resources; they can be grouped into folders.

Why this answer

Folders and projects are the key hierarchy elements. Folders can contain projects and other folders, and projects contain resources. Organization is the root node, not used to group projects directly.

57
MCQmedium

An engineer wants to authenticate to Google Cloud using their own user credentials and also set up application default credentials for a local development environment. Which sequence of gcloud auth commands should they use?

A.gcloud auth login then gcloud auth application-default login
B.gcloud auth application-default login then gcloud auth login
C.gcloud init then gcloud auth login
D.gcloud auth configure-docker then gcloud auth login
AnswerA

Correct sequence: user credentials first, then ADC.

Why this answer

First, use 'gcloud auth login' to authenticate the gcloud CLI with user credentials. Then, use 'gcloud auth application-default login' to set up application default credentials for local development. The other options are incorrect or reversed.

58
MCQhard

A team is using gcloud configurations to manage multiple projects. They want to create a new configuration for a production project. How can they achieve this?

A.Run 'gcloud init' and select 'Create a new configuration'
B.Run 'gcloud config configurations create prod' then 'gcloud config set project prod-project'
C.Run 'gcloud config set project prod-project' with a flag to create new config
D.Edit the gcloud config file manually
AnswerB

Correct: First create the configuration, then set project within it.

Why this answer

Manage configurations with 'gcloud config configurations create' and then set properties. Switching is done with 'gcloud config configurations activate'.

59
MCQeasy

A developer wants to use gcloud CLI with application default credentials (ADC) to authenticate to Google APIs from their local machine. Which command should they run first?

A.gcloud auth login
B.gcloud init
C.gcloud auth application-default login
D.gcloud config set auth/application_default true
AnswerC

Correct. This sets up Application Default Credentials.

Why this answer

gcloud auth application-default login sets up ADC for the user. This stores credentials that can be used by Google client libraries.

60
MCQhard

A team is using Cloud Shell to manage resources. They notice that their home directory is persistent across sessions, but they want to ensure that configuration files and scripts are also available after they stop and restart Cloud Shell. What should they do?

A.Use gcloud config configurations and save scripts in a Cloud Storage bucket
B.Create a startup script that runs every time Cloud Shell starts
C.Store files in /tmp
D.Store files in the home directory (~)
AnswerD

The home directory persists across Cloud Shell sessions.

Why this answer

Cloud Shell's home directory provides 5 GB of persistent storage. As long as files are stored in the home directory ($HOME), they will persist across sessions.

61
MCQhard

An organization has multiple GCP projects and wants to centralize billing analysis across all projects. They need to export detailed billing data (e.g., cost per SKU per project) to a BigQuery dataset. Which billing export option should they configure?

A.Export to CSV to Cloud Storage
B.Export to Cloud Billing report
C.Export to a Pub/Sub topic
D.Export detailed billing data to BigQuery
AnswerD

Correct option.

Why this answer

The standard usage cost export to BigQuery provides detailed billing data for analysis.

62
Multi-Selecthard

An engineer needs to create a new project and set up the environment. They are using the gcloud command-line tool. Which two commands are required to create a project and link it to a billing account? (Choose TWO.)

Select 2 answers
A.gcloud billing projects link PROJECT_ID --billing-account=BILLING_ACCOUNT_ID
B.gcloud projects create PROJECT_ID
C.gcloud alpha billing accounts create
D.gcloud services enable cloudbilling.googleapis.com
E.gcloud config set project PROJECT_ID
AnswersA, B

This links the project to a billing account.

Why this answer

To create a project and link a billing account, you need to create the project (gcloud projects create) and then link the billing account (gcloud billing projects link).

63
Multi-Selectmedium

A company wants to manage multiple Google Cloud projects and enforce consistent security policies across all of them. Which TWO resources should they use? (Choose two.)

Select 2 answers
A.Cloud Audit Logs
B.Organization policies
C.Shared VPC
D.Folders
E.Labels
AnswersB, D

Organization policies enforce constraints across all projects in the organization.

Why this answer

Organization policies are used to enforce constraints across projects. Folders allow grouping projects and applying common IAM policies.

64
MCQhard

Your company wants to track costs per department. Each department has its own project. You need to set up a budget alert in the billing account for each project. What is the most efficient approach?

A.Use Billing Export to BigQuery and create custom alerts using Cloud Monitoring.
B.Create one budget per project by selecting the project in the 'Scoped to' field.
C.Create a budget for each project by manually enabling billing for each project.
D.Create a single budget for the entire billing account and rely on labels.
AnswerB

Efficient: budgets can be scoped to projects.

Why this answer

You can create budgets at the billing account level with scoped projects. This allows one budget per project. Creating budgets per project individually is manual.

Using labels requires tagging resources. Billing export to BigQuery is for analysis, not alerts.

65
MCQmedium

You need to delete a Google Cloud project. What prerequisite must be met before the project can be deleted?

A.All IAM members must be removed from the project.
B.All resources in the project must be deleted.
C.The billing account must be disabled for the project.
D.The project must be in the ACTIVE state.
AnswerC

Billing must be disabled before project deletion.

Why this answer

Before deleting a project, you must disable the billing account associated with it. This is to ensure that no outstanding charges occur. The project may still have active resources but billing must be disabled.

The other options are not prerequisites.

66
MCQhard

You are configuring a new project and need to enable the Compute Engine API. However, the command 'gcloud services enable compute.googleapis.com' fails with a permission error. Your user has the role roles/editor on the project. What is the likely cause?

A.The Compute Engine API is already enabled.
B.The user needs to authenticate again.
C.The user does not have the serviceusage.services.enable permission.
D.The project does not have a billing account associated.
AnswerD

Billing is required to enable APIs.

Why this answer

The role roles/editor includes the serviceusage.services.enable permission, so the command should work. If the organization has an org policy 'constraints/compute.restrictResourceCreation' that restricts API usage, that might block it. However, the most common cause is that the project is new and no billing account is associated with it, which prevents API enablement.

Editor role has permission, but billing must be active.

67
MCQhard

An organization wants to enforce that all projects under a specific folder have a set of constraints, such as disabling default network creation and requiring shielded VMs. What is the most efficient way to achieve this?

A.Use Cloud Shell to run scripts in each project.
B.Create IAM roles to restrict default network creation.
C.Use a service account to enforce policies.
D.Apply organization policies at the folder level.
AnswerD

Folder-level policies apply to all projects in that folder.

Why this answer

Organization policies can be applied at the folder level, inheriting to all projects within that folder. This is more efficient than applying per project. Using Cloud Shell is irrelevant.

IAM cannot enforce such constraints. Service accounts are for authentication.

68
MCQeasy

A startup wants to create a new GCP project for development. They've already created a billing account. Which command can they use to create the project?

A.gcloud config set project PROJECT_ID
B.gcloud projects create PROJECT_ID
C.gcloud alpha projects create
D.gcloud resource-manager projects create
AnswerB

Correct: This command creates a new project with the specified ID.

Why this answer

The 'gcloud projects create' command creates a new project. The billing association is separate, but the project can be created without billing immediately.

69
MCQmedium

You need to grant a user the ability to create and manage Compute Engine instances in a specific project. You want to follow the principle of least privilege. Which IAM role should you assign?

A.roles/compute.admin
B.roles/compute.instanceAdmin.v1
C.roles/editor
D.roles/owner
AnswerB

Correct: least privilege for instance management.

Why this answer

roles/compute.instanceAdmin.v1 provides full control over Compute Engine instances but not other services. roles/editor is broader. roles/owner is too permissive. roles/compute.admin includes all compute resources, not just instances.

70
MCQmedium

You create a new Google Cloud project using the Cloud Console. After creating the project, you need to enable the Compute Engine API. What is the correct command to do this using the Cloud Shell?

A.gcloud projects enable compute.googleapis.com
B.gcloud compute enable compute.googleapis.com
C.gcloud api enable compute
D.gcloud services enable compute.googleapis.com
AnswerD

Correct. This enables the Compute Engine API.

Why this answer

The gcloud services enable command is used to enable APIs for a project. The correct syntax is 'gcloud services enable compute.googleapis.com'.

71
MCQhard

A developer is using Cloud Shell and wants to ensure that their gcloud configuration persists after the Cloud Shell session ends. They have set the compute and access settings using `gcloud config set`. What should they do to keep these settings for future sessions?

A.They need to create a startup script to apply the settings each time
B.The settings are automatically preserved because Cloud Shell's home directory persists
C.They must run `gcloud config configurations save default` before ending the session
D.They must use `gcloud config set --persist` flag
AnswerB

Cloud Shell provides persistent storage of 5 GB, and gcloud configurations are stored in ~/.config/gcloud.

Why this answer

gcloud configurations are stored in the user's home directory and persist across Cloud Shell sessions because the $HOME directory is persistent (with 5 GB of persistent disk storage). No additional action is needed.

72
MCQhard

You are setting up a new organization in Google Cloud. You want to restrict the regions where resources can be created to comply with data residency requirements. What should you do?

A.Set an organization policy with a constraint on allowed resource locations
B.Create a service account with limited permissions
C.Set a budget alert that notifies when resources are created outside allowed regions
D.Use IAM roles to restrict which users can create resources in specific regions
AnswerA

Organization policies can enforce location restrictions.

Why this answer

Organization policies allow you to set constraints at the organization, folder, or project level. The 'gcp.resource-locations' constraint can restrict resource locations.

73
MCQeasy

What is the purpose of the gcloud init command?

A.To create a billing account.
B.To initialize a new project in Google Cloud.
C.To enable APIs for a project.
D.To set up a new gcloud configuration and authenticate.
AnswerD

gcloud init performs initial setup of configuration and authentication.

Why this answer

gcloud init is used to initialize or reinitialize the gcloud environment, including setting default project, authentication, and compute region/zone. It can also create a new configuration profile.

74
MCQeasy

You want to switch between multiple GCP projects frequently using the gcloud CLI. What is the recommended approach?

A.Open separate terminal windows for each project.
B.Run gcloud init every time you switch projects.
C.Use gcloud config set project each time you switch.
D.Create multiple configuration profiles and activate them as needed.
AnswerD

Recommended method.

Why this answer

Configuration profiles (gcloud config configurations) allow you to create named configurations with different project, region, and zone settings. You can activate one with 'gcloud config configurations activate'. Setting individual properties each time is error-prone.

Running gcloud init each time is slow. Using separate terminals isn't efficient.

75
Multi-Selectmedium

A developer needs to use gcloud CLI to manage multiple projects. They want to switch between configurations quickly. Which three commands are part of managing gcloud configuration profiles? (Choose THREE.)

Select 3 answers
A.gcloud config configurations export
B.gcloud config configurations activate
C.gcloud config configurations list
D.gcloud config configurations create
E.gcloud config set project
AnswersB, C, D

Activates an existing configuration.

Why this answer

gcloud config configurations provides commands to create, activate, and list configurations. The other options are not valid commands.
