CCNA Planning And Configuring A Cloud Solution Questions

75 of 103 questions · Page 1/2 · Planning And Configuring A Cloud Solution topic

1
MCQ · easy

A company needs to store 50 TB of access logs that are rarely accessed (once a year) and must be retained for 7 years. Which storage option is the most cost-effective?

A. Nearline Storage
B. Regional persistent disk
C. Archive Storage
D. Coldline Storage
Answer: C

Archive Storage has the lowest cost for data accessed less than once a year and with a 365-day minimum.

Why this answer

Archive Storage is the most cost-effective option for data that is accessed less than once a year and must be retained for 7 years. It offers the lowest storage cost among Google Cloud storage classes, specifically designed for long-term, infrequently accessed data with a 365-day minimum storage duration and a higher retrieval cost, which is acceptable given the rare access pattern.

Exam trap

Google Cloud often tests the distinction between Coldline and Archive storage by making candidates assume 'cold' is the cheapest, but Archive Storage is the true lowest-cost tier for data accessed less than once a year, with a longer minimum storage duration and higher retrieval fees.

How to eliminate wrong answers

Option A (Nearline Storage) is wrong because it is optimized for data accessed less than once a month, not once a year, and has a 30-day minimum storage duration, making it more expensive for 7-year retention. Option B (Regional persistent disk) is wrong because it is a block storage solution for high-performance compute instances, not designed for archival log storage, and would be prohibitively expensive for 50 TB of rarely accessed data. Option D (Coldline Storage) is wrong because it is designed for data accessed less than once a quarter (90-day minimum storage duration), which is more frequent than once a year, and its storage cost is higher than Archive Storage.

2
MCQ · medium

A team is selecting the right Compute Engine machine family for a machine learning training workload that is GPU-bound. The workload runs for 6 hours at a time and tolerates interruption. Which combination maximizes GPU access at lowest cost?

A. N2-standard machine with a custom GPU attached as a standard on-demand VM
B. A2 or A3 (accelerator-optimized) Spot VM with NVIDIA GPU
C. E2-highcpu Spot VM — more vCPUs provide equivalent GPU-like parallelism
D. C3 (compute-optimized) on-demand VM — best for numerically intensive workloads
Answer: B

A2/A3 machines include NVIDIA A100/H100 GPUs designed for ML training. Using Spot VM pricing for fault-tolerant 6-hour jobs reduces cost by up to 91%.

Why this answer

Option B is correct because A2 and A3 Spot VMs are purpose-built for GPU-bound ML training workloads, offering direct access to NVIDIA GPUs (e.g., A100, H100) at the lowest cost due to Spot pricing (60-91% discount). The workload's 6-hour duration and interruption tolerance make Spot VMs ideal, as they can be preempted but provide maximum GPU utilization for the price.

Exam trap

Google Cloud often tests the misconception that a GPU can be attached to any VM family. Only the accelerator-optimized families (A2, A3, G2) ship with GPUs, and among the general-purpose families only N1 supports attaching GPUs; N2, E2 and C3 do not. The second half of the trap is pricing: for work that tolerates preemption, Spot pricing is the lever that makes that GPU capacity affordable.

How to eliminate wrong answers

Option A is wrong because N2 does not support GPU attachment at all (N1 is the only general-purpose family that does), and even on a family that allowed it, an on-demand VM forgoes the Spot discount an interruption-tolerant workload could use. Option C is wrong because E2 machines cannot have GPUs attached, and extra vCPUs are no substitute for GPU parallelism on a GPU-bound job. Option D is wrong because C3 is compute-optimized for CPU-bound work, has no GPU support, and on-demand pricing fails the 'lowest cost' requirement.

3
Multi-Select · hard

A company is setting up a CI/CD pipeline using Cloud Build to build container images and deploy to Cloud Run. Which THREE components are required for a fully automated pipeline? (Choose 3)

A. IAM roles for Cloud Build
B. Cloud Run
C. Container Registry or Artifact Registry
D. Cloud Build triggers
E. Cloud Source Repositories
Answers: A, C, D

Cloud Build needs permissions to push to registry and deploy to Cloud Run.

Why this answer

Cloud Build needs a trigger (for example, on a push to a branch) so that builds start without a human running them, a registry to store the built image (Artifact Registry; Container Registry is deprecated in favor of it), and IAM roles that let the build's service account push the image and create a Cloud Run revision. Cloud Run (B) is the deployment target, not a pipeline component you provision for automation, and Cloud Source Repositories (E) is only one of several supported sources: GitHub, GitLab and Bitbucket triggers work equally well.
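A build definition that exercises all three components, added here as an example and not taken from the original page. The project ID, region, Artifact Registry repository, service name and the two service-account names are assumptions. This file is what a trigger (for instance `gcloud builds triggers create github ... --build-config=cloudbuild.yaml`) runs on each push; the image tag uses the `SHORT_SHA` substitution, which is populated only for trigger-started builds:

```yaml
# cloudbuild.yaml: build an image, push it to Artifact Registry, deploy it to Cloud Run.
# Added example; my-project, us-central1, the "apps" repository, the "api" service and
# both service accounts are assumptions.
steps:
  - id: build
    name: gcr.io/cloud-builders/docker
    args:
      - build
      - -t
      - ${_REGION}-docker.pkg.dev/$PROJECT_ID/${_REPO}/${_SERVICE}:$SHORT_SHA
      - .
  - id: push
    name: gcr.io/cloud-builders/docker
    args:
      - push
      - ${_REGION}-docker.pkg.dev/$PROJECT_ID/${_REPO}/${_SERVICE}:$SHORT_SHA
  - id: deploy
    name: gcr.io/google.com/cloudsdktool/cloud-sdk
    entrypoint: gcloud
    args:
      - run
      - deploy
      - ${_SERVICE}
      - --image=${_REGION}-docker.pkg.dev/$PROJECT_ID/${_REPO}/${_SERVICE}:$SHORT_SHA
      - --region=${_REGION}
      - --service-account=${_RUNTIME_SA}   # the revision runs as its own identity, not the build's
      - --no-allow-unauthenticated         # keep the service private unless it is meant to be public

# Images listed here are recorded in the build results with their digests.
images:
  - ${_REGION}-docker.pkg.dev/$PROJECT_ID/${_REPO}/${_SERVICE}:$SHORT_SHA

substitutions:
  _REGION: us-central1
  _REPO: apps
  _SERVICE: api
  _RUNTIME_SA: api-runtime@my-project.iam.gserviceaccount.com

# Run the build as a dedicated, least-privilege service account instead of the
# project-wide default. The IAM roles this account needs are the "IAM roles for
# Cloud Build" component of the question:
#   roles/artifactregistry.writer  on the repository (push step)
#   roles/run.admin                on the project or the service (deploy step)
#   roles/iam.serviceAccountUser   on _RUNTIME_SA (to deploy a revision that runs as it)
#   roles/logging.logWriter        on the project (build logs)
serviceAccount: projects/my-project/serviceAccounts/cloudbuild-deployer@my-project.iam.gserviceaccount.com
options:
  logging: CLOUD_LOGGING_ONLY   # required when a user-specified serviceAccount is set
```

The build identity and the runtime identity are deliberately different accounts: the builder may push images and create revisions, while the revision itself gets only the roles the API needs at run time. Granting `roles/iam.serviceAccountUser` on the runtime account, and nothing broader, is what lets the deploy step act as it without being able to impersonate every service account in the project.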

4
MCQ · medium

Your company uses BigQuery for analytics. Users frequently run queries against a large, date-partitioned table containing sales data. The table has 10 TB of data and is partitioned by the 'order_date' column. Queries often filter on the 'customer_id' and 'region' columns in addition to the date range. You observe that queries are slow and expensive, even when scanning only a few partitions. Which optimization should you implement first?

A. Enable clustering on the 'customer_id' and 'region' columns.
B. Create materialized views for common queries.
C. Create views for each combination of filters.
D. Change partitioning to use ingestion time instead of 'order_date'.
Answer: A

Clustering organizes data for efficient filtering, reducing scanned data per query.

Why this answer

Clustering on 'customer_id' and 'region' organizes the data within each partition based on these filter columns, allowing BigQuery to perform block-level pruning and skip irrelevant data even when scanning only a few partitions. This directly addresses the slowness and cost by reducing the amount of data read per query, without requiring additional storage or maintenance overhead.

Exam trap

Google Cloud often tests the misconception that partitioning alone is sufficient for all filter optimization, but the trap here is that clustering is needed to optimize queries that filter on non-partition columns within already-selected partitions.

How to eliminate wrong answers

Option B is wrong because materialized views precompute and store query results, which can speed up repeated queries but do not optimize the underlying data layout for arbitrary filters on 'customer_id' and 'region'; they also incur storage costs and maintenance complexity. Option C is wrong because creating views for each combination of filters does not reduce the amount of data scanned—views are just saved queries and do not change how BigQuery reads the underlying table; this approach would be impractical and offer no performance benefit. Option D is wrong because changing partitioning to ingestion time (e.g., _PARTITIONTIME) would not improve query performance for filters on 'customer_id' and 'region'; it would only change how partitions are defined, and since queries already filter on 'order_date', the current partitioning is appropriate—ingestion time partitioning is typically used when no natural date column exists.

5
MCQ · medium

A global web application serves static assets (images, JavaScript, CSS) from a Cloud Storage bucket via an HTTPS load balancer. Users in Asia report slow load times compared to users in the US where the bucket resides. What is the most effective solution?

A. Move the Cloud Storage bucket to a multi-region bucket in Asia
B. Enable Cloud CDN on the load balancer backend pointing to the Cloud Storage bucket
C. Replicate the Cloud Storage bucket to multiple regions using storage transfer
D. Use Cloud Interconnect to provide dedicated bandwidth to Asian users
Answer: B

Cloud CDN caches content at Google's global edge PoPs. Asian users receive cached assets from the nearest edge location, drastically reducing latency without changing the origin.

Why this answer

Option B is correct because enabling Cloud CDN on the load balancer backend that points to the Cloud Storage bucket caches static assets at Google's globally distributed edge caches. This reduces latency for Asian users by serving content from a nearby point of presence (PoP) rather than from the origin bucket in the US, without requiring any bucket relocation or replication.

Exam trap

Google Cloud often tests the misconception that moving or replicating storage to a closer region is the best way to reduce latency, when in fact edge caching (Cloud CDN) is the most effective and cost-efficient solution for static content served globally.

How to eliminate wrong answers

Option A is wrong because moving the bucket to a multi-region bucket in Asia does not solve the latency problem for users outside Asia; it only shifts the origin location, and multi-region buckets still serve from a single geographic set of regions, not from edge caches. Option C is wrong because replicating the bucket to multiple regions using storage transfer creates separate copies of data, but the load balancer would still need to route requests to the nearest bucket, which requires additional configuration (e.g., multi-region backend buckets or DNS-based routing) and does not provide the automatic edge caching benefits of Cloud CDN. Option D is wrong because Cloud Interconnect provides dedicated private connectivity between on-premises networks and Google Cloud, not between end users and Google Cloud; it does not improve latency for general internet users in Asia accessing a public web application.

6
MCQ · medium

A team deploys an application with sensitive internal APIs on GKE. The APIs should be reachable from other GKE services in the cluster and from on-premises systems via VPN, but not from the public internet. Which load balancer configuration meets this?

A. Global external Application Load Balancer with Cloud Armor blocking non-VPN IPs
B. Internal Application Load Balancer with a VPC-private IP
C. A ClusterIP Service with an external IP range allowlist
D. NodePort Service with VPC firewall rules restricting access to VPN IP ranges
Answer: B

Internal ALBs receive a private RFC 1918 IP reachable within the VPC and connected networks (VPN, Interconnect). The service is never exposed to the public internet.

Why this answer

An Internal Application Load Balancer (HTTP/HTTPS) with a VPC-private IP is correct because it exposes the APIs only within the VPC network, making them reachable from other GKE services in the cluster and from on-premises systems via VPN (which extends the VPC), while blocking all public internet traffic by design. This load balancer operates at Layer 7 and uses an internal IP address that is not routable from the internet, satisfying the requirement without relying on additional access controls.

Exam trap

Google Cloud often tests the misconception that a ClusterIP Service can be made externally accessible with an allowlist, but ClusterIP is strictly cluster-internal and cannot be reached from on-premises systems via VPN without additional components like a proxy or ingress.

How to eliminate wrong answers

Option A is wrong because a Global external Application Load Balancer is inherently internet-facing: Cloud Armor can drop traffic from non-VPN addresses, but the load balancer still owns a public IP, and a policy mistake or a rule ordering error exposes the APIs; the requirement is that they not be reachable from the internet at all, not that requests be filtered. Option C is wrong because a ClusterIP Service is reachable only from inside the cluster (not from on-premises systems over the VPN) and has no external IP and no allowlist feature. Option D is wrong because a NodePort Service opens a high port on every node's IP addresses, external ones included if the nodes have them; VPC firewall rules limited to VPN ranges then become the only control between the API and the internet, a misconfigured rule exposes it, and NodePort offers no Layer 7 load balancing.
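The Service and Ingress manifests that produce option B on GKE, added here as an example and not taken from the original page. The namespace, names, ports and hostname are assumptions. An Ingress with class `gce-internal` provisions a regional internal Application Load Balancer; it requires a proxy-only subnet in the cluster's region (purpose `REGIONAL_MANAGED_PROXY`, created for example with `gcloud compute networks subnets create ... --purpose=REGIONAL_MANAGED_PROXY --role=ACTIVE`) and container-native load balancing, which is the NEG annotation on the Service:

```yaml
# Internal-only exposure of a GKE service through a regional internal Application
# Load Balancer. Added example; namespace "backend", the "internal-api" names, port
# 8080 and the hostname are assumptions.
apiVersion: v1
kind: Service
metadata:
  name: internal-api
  namespace: backend
  annotations:
    # Container-native load balancing: the LB targets pod IPs through a NEG.
    # Required for internal Ingress, and it avoids NodePort exposure on node IPs.
    cloud.google.com/neg: '{"ingress": true}'
spec:
  type: ClusterIP          # no NodePort and no external IP on the Service itself
  selector:
    app: internal-api
  ports:
    - name: http
      port: 80
      targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: internal-api
  namespace: backend
  annotations:
    # "gce-internal" creates a regional internal ALB with an RFC 1918 VIP taken from
    # the cluster's subnet region. "gce" (or no class) would create a public one.
    kubernetes.io/ingress.class: "gce-internal"
spec:
  rules:
    - host: api.corp.internal
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: internal-api
                port:
                  number: 80
```

The resulting VIP is routable from anything inside the VPC and from networks the VPC is connected to, so on-premises clients reach it once the Cloud Router advertises the VIP's subnet over the VPN. Nothing in these manifests creates an external forwarding rule, which is the point: there is no public address to protect with a later firewall or Cloud Armor rule. Adding a `tls` section with a Secret terminates HTTPS at the internal load balancer.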

7
MCQ · hard

A company has a Compute Engine instance in the us-west1 region that does not have a public IP address. The instance is part of a VPC network that has a Cloud NAT gateway configured in the us-east1 region. The Cloud NAT gateway is configured to allow all traffic from the VPC subnet. The VPC has a default route (0.0.0.0/0) pointing to the default internet gateway. Firewall rules allow all egress traffic. The instance is unable to download updates from the internet. What is the most likely cause of this problem?

A. The instance's firewall rules block egress traffic to port 80.
B. The Cloud NAT gateway is in a different region than the instance.
C. The instance's service account does not have the compute.instances.update permission.
D. The VPC does not have a route for the instance's subnet to the internet gateway.
Answer: B

Cloud NAT is region-scoped; an instance can only use a NAT gateway attached to a Cloud Router in its own region.

Why this answer

Cloud NAT is regional. An instance in us-west1 cannot use a Cloud NAT gateway in us-east1 because NAT is only applied to instances in the same region. The instance's traffic destined for the internet is not translated, so it cannot reach external hosts without a public IP.

8
MCQ · medium

You are designing a solution for a retail application that needs to store customer shopping cart data. The cart data is accessed frequently during active sessions and must survive for at least 30 days even without activity. Each cart entry is small (< 1 KB) and identified by a user ID. The solution must support microsecond read latency and be horizontally scalable. Which GCP storage service best meets these requirements?

A. Cloud Firestore in Datastore mode
B. Cloud Bigtable
C. Cloud SQL (PostgreSQL)
D. Cloud Memorystore (Redis)
Answer: B

Bigtable delivers consistent single-digit-millisecond reads for small rows keyed by user ID, scales horizontally by adding nodes, and stores data durably. It is the lowest-latency durable option listed; only Memorystore reaches true microsecond reads, and it is not a durable store.

Why this answer

Cloud Bigtable is correct because it is a fully managed, horizontally scalable NoSQL database with consistent single-digit-millisecond latency for point reads and writes. Entries under 1 KB keyed by user ID map directly onto its row-key model, data persists until it is deleted (a garbage-collection policy on the column family can expire carts after, say, 30 days of inactivity if that is wanted), and throughput grows with node count. Strictly speaking no durable GCP store serves reads in microseconds; Bigtable is the closest one that also meets the 30-day retention requirement.

Exam trap

The trap here is that candidates choose Cloud Memorystore (Redis) for its microsecond latency and overlook that it is an in-memory cache: the carts must survive 30 days without activity, and Memorystore does not guarantee that, whereas Bigtable gives durable storage at latency close enough for the use case.

How to eliminate wrong answers

Option A is wrong because Cloud Firestore in Datastore mode is a document database whose reads are strongly consistent but take milliseconds to tens of milliseconds; it is built for transactional server-side workloads, not for the tight-latency key-value access pattern described. Option C is wrong because Cloud SQL (PostgreSQL) is a single-primary relational database: disk-backed reads and SQL overhead rule out the latency target, and it scales vertically or through read replicas, not horizontally. Option D is wrong because Cloud Memorystore (Redis) is an in-memory store: the Basic tier loses all data on a node failure, maxmemory eviction can drop idle keys, and even with the replicated Standard tier and RDB snapshots it is designed as a cache in front of a durable store, not as the system of record for 30-day retention.

9
MCQ · easy

The company wants to change the storage class of these log files to Nearline to reduce costs while still retaining the ability to access them without restoration fees. Which command should be used?

A. gsutil cp -s NEARLINE gs://my-bucket/logs/*.log
B. gsutil rewrite -s NEARLINE gs://my-bucket/logs/*.log
C. gsutil setmeta -s NEARLINE gs://my-bucket/logs/*.log
D. gsutil mv -s NEARLINE gs://my-bucket/logs/*.log
Answer: B

`rewrite` changes the storage class of the existing objects in place.

Why this answer

Option B is correct because `gsutil rewrite -s` is the command for changing the storage class of objects that already exist: each object is rewritten under the same name with the new class (a new generation replaces the old one). Cloud Storage has no restore step; objects in Nearline, Coldline or Archive are readable immediately, and what those classes add are per-GB retrieval charges and a minimum storage duration. Changing class is itself a read of the object, so rewriting out of a colder class can incur the source class's retrieval fee, which is why the direction here (Standard to Nearline) is the cheap one. `gcloud storage objects update --storage-class=NEARLINE` is the equivalent in the current CLI, and a bucket lifecycle rule with the SetStorageClass action automates the transition by object age so nobody has to remember to run it.

Exam trap

The trap here is that candidates assume any command that accepts `-s` will change the class of the existing object. `cp` and `mv` take a destination and create new objects; `setmeta` has no `-s` flag at all; only `rewrite` modifies the objects in place.

How to eliminate wrong answers

Option A is wrong because `gsutil cp` requires a destination and writes new copies; as written the command has no destination, and if one were given the originals would stay in their current class, doubling storage. Option C is wrong because `gsutil setmeta` sets object metadata such as Content-Type or custom headers and has no `-s` flag; storage class cannot be set through it. Option D is wrong because `gsutil mv` is a copy followed by a delete: it needs a destination, and deleting the originals can trigger early-deletion charges if they sit in a class with a minimum storage duration.

10
MCQ · medium

A data science team needs a VM with 96 vCPUs and 624 GB of RAM. No predefined GCP machine type matches these exact specifications. What is the recommended approach?

A. Select the closest larger predefined N2 machine type
B. Create a custom machine type with exactly 96 vCPUs and 624 GB RAM
C. Split the workload across multiple smaller VMs and coordinate manually
D. Contact Google Cloud support to request a new predefined machine type
Answer: B

Custom machine types allow specifying exact vCPU and RAM combinations, avoiding resource waste while meeting exact requirements.

Why this answer

Option B is correct because Google Cloud lets you create a custom machine type when no predefined shape fits. You pick the vCPU count and memory within the family's limits and its allowed memory-per-vCPU ratio; on N1 the ceiling is 96 vCPUs and 624 GB, which is exactly this request. In practice, check `gcloud compute machine-types list` before building a custom shape: n1-highmem-96 happens to be a predefined 96 vCPU / 624 GB type, so the exam's point is the mechanism rather than this particular size.

Exam trap

The trap here is that candidates may assume predefined machine types are the only option, overlooking the custom machine type feature that GCP provides for exact resource matching.

How to eliminate wrong answers

Option A is wrong because selecting the closest larger predefined N2 machine type would result in over-provisioning resources, leading to unnecessary costs and potential performance inefficiencies. Option C is wrong because splitting the workload across multiple smaller VMs introduces complexity, coordination overhead, and may not be feasible for workloads that require a single large memory address space or high vCPU count. Option D is wrong because Google Cloud does not create new predefined machine types on demand for individual requests; custom machine types are the designed solution for such scenarios.

11
MCQ · hard

A company is designing a globally distributed application with a web tier and a database tier that requires low-latency communication within the same region but can tolerate eventual consistency across regions. The database must be fully managed and scale globally. Which combination of networking and database is most appropriate?

A. Global VPC with Cloud Spanner
B. Global VPC with Cloud Bigtable
C. VPC peering with Cloud SQL
D. Shared VPC with Cloud Datastore
Answer: B

Cloud Bigtable is a fully managed NoSQL database; with clusters in several regions it replicates asynchronously, giving low latency within a region and eventual consistency across regions.

Why this answer

Cloud Bigtable is a fully managed, globally scalable NoSQL database that provides low-latency access within a region and eventual consistency across regions, making it ideal for the described workload. A Global VPC allows the web and database tiers to communicate privately and with low latency within the same region, while Bigtable's native replication handles cross-region eventual consistency without application complexity.

Exam trap

Google Cloud often tests the distinction between strong consistency (Spanner) and eventual consistency (Bigtable) in globally distributed systems, and the trap here is assuming that 'fully managed and scale globally' always means Spanner, ignoring the explicit requirement for eventual consistency.

How to eliminate wrong answers

Option A is wrong because Cloud Spanner offers strong (external) consistency across regions; its synchronous replication costs write latency that a system tolerating eventual consistency does not need to pay. Option C is wrong because Cloud SQL is a single-primary regional database: cross-region read replicas exist but are read-only and asynchronous, so writes do not scale globally, and VPC peering connects separate networks rather than giving the single global network that a VPC already is. Option D is wrong because Cloud Datastore (Firestore in Datastore mode) is strongly consistent and offers only a fixed set of regional and multi-region locations rather than tunable cross-region replication, and Shared VPC addresses multi-project administration within an organization, not global data placement.

12
MCQ · hard

An organization with multiple teams needs to provision separate, isolated environments (e.g., development, test, production) while sharing common services like Cloud NAT and VPC firewall rules. Which VPC networking pattern is most suitable?

A. Network Service Tiers (Premium vs Standard)
B. Shared VPC (XPN)
C. VPC Network Peering between team VPCs
D. Single VPC with per-team firewall rules
Answer: B

Shared VPC allows central network administration and isolated service projects with shared resources.

Why this answer

Shared VPC (XPN) allows an organization to create a single, centrally managed VPC network that hosts common services like Cloud NAT and firewall rules, while enabling multiple project teams to provision their own isolated environments (dev, test, prod) within that same VPC. This pattern meets the requirement for separate, isolated environments with shared services without needing individual VPCs for each team.

Exam trap

The trap here is that candidates often confuse VPC Network Peering with Shared VPC, thinking peering provides shared services, but peering only connects networks without allowing shared NAT or centralized firewall rules.

How to eliminate wrong answers

Option A is wrong because Network Service Tiers (Premium vs Standard) control the quality of network transit and egress pricing, not the isolation or sharing of VPC resources like Cloud NAT or firewall rules. Option C is wrong because VPC Network Peering connects separate VPCs but does not allow them to share a single Cloud NAT or a common set of firewall rules; each VPC would need its own NAT and firewall configuration. Option D is wrong because a single VPC with per-team firewall rules does not provide the separate, isolated environments (e.g., separate projects or VPCs) that the question requires; it only offers logical isolation within one network, which is insufficient for true environment separation.

13
MCQ · easy

A developer wants to deploy a containerized application that can scale to zero when not in use and only pay for resources consumed during request processing. Which compute option should they choose?

A. App Engine Flexible Environment
B. Cloud Run
C. Compute Engine with managed instance groups
D. Google Kubernetes Engine
Answer: B

Cloud Run scales to zero when not in use.

Why this answer

Cloud Run is a fully managed serverless compute platform that automatically scales your containerized applications from zero instances up to handle traffic, and scales back down to zero when there are no requests. You only pay for the resources (CPU, memory, and networking) consumed during request processing, with no charges when the service is idle. This makes it the ideal choice for the described use case of scaling to zero and pay-per-request billing.

Exam trap

Google Cloud often tests the misconception that 'containerized' implies Kubernetes or Compute Engine, but the key differentiator here is the requirement to 'scale to zero' and 'pay only for request processing,' which is a serverless property unique to Cloud Run among the listed options.

How to eliminate wrong answers

Option A is wrong because App Engine Flexible Environment runs containers on managed VMs that cannot scale to zero; at least one instance is always running and billed. Option C is wrong because a managed instance group can autoscale down to a minimum of one VM but not to zero, and you pay for the VMs regardless of request volume. Option D is wrong because GKE bills for the cluster (beyond the free-tier allowance) and for the node or Autopilot pod resources the workload holds; a Deployment has to keep at least one pod running to serve requests, so even with autoscaling there is no scale-to-zero and no per-request billing.

14
MCQ · medium

A Compute Engine instance cannot connect to a Cloud SQL (MySQL) instance using the private IP address. Both are in the same Google Cloud VPC network. What is the most likely cause?

A. The Cloud SQL instance is not in the same region.
B. The Compute Engine instance lacks an external IP address.
C. The VPC network is not peered with the Cloud SQL service.
D. The firewall rule does not allow ingress on port 3306.
Answer: C

Private IP for Cloud SQL relies on private services access: a VPC peering between your VPC and the Google-managed network that hosts the instance.

Why this answer

Cloud SQL instances do not live in your VPC. Private IP connectivity is delivered through private services access: you allocate an internal IP range in your VPC, and a VPC peering is created between your network and the Google-managed service producer network where the instance runs. If that peering does not exist (or the instance was created with a private IP on a different network), the instance's private address is not routable from your Compute Engine instance even though both appear to share the same network. Private Service Connect is the newer alternative, exposing the instance through an endpoint inside your own subnet.

Exam trap

The trap here is that candidates assume a VM and a Cloud SQL instance 'in the same VPC' are connected by default; the Cloud SQL side is a separate network, and the private IP only works once the private services access peering exists.

How to eliminate wrong answers

Option A is wrong because private IP connectivity works across regions within the same VPC once the peering is in place; a region mismatch raises latency but does not break routing. Option B is wrong because a Compute Engine instance does not need an external IP to reach Cloud SQL over private IP; the path is internal routing through the peering, and leaving the external IP off is the better security posture anyway. Option D is wrong because VPC firewall rules in your project govern traffic into your own VMs, not into the Cloud SQL instance on the peered producer network; an ingress rule on port 3306 there would not change the outcome. The problem is routing, not filtering.

15
MCQ · hard

A financial trading platform must support globally distributed, strongly consistent SQL transactions at thousands of writes per second, with no downtime for planned maintenance. Which GCP database service meets all these requirements?

A. Cloud SQL with synchronous read replicas
B. Cloud Bigtable
C. Cloud Firestore
D. Cloud Spanner
Answer: D

Cloud Spanner uniquely combines externally consistent ACID transactions, horizontal write scalability, SQL support, and a 99.999% SLA — all required for financial trading platforms.

Why this answer

Cloud Spanner is the only GCP database service that provides globally distributed, strongly consistent SQL transactions with horizontal scaling, supporting thousands of writes per second. It uses synchronous replication across regions and TrueTime-based clock synchronization to ensure external consistency, while also offering 99.999% availability with no planned downtime for maintenance.

Exam trap

The trap here is that candidates often confuse Cloud Spanner's global strong consistency with Cloud SQL's regional strong consistency, or mistakenly think that NoSQL services like Bigtable or Firestore can support SQL transactions and global writes at scale.

How to eliminate wrong answers

Option A is wrong because Cloud SQL with synchronous read replicas is not globally distributed; it is a single-region service with read replicas that do not support writes, and it cannot scale to thousands of writes per second without downtime for maintenance. Option B is wrong because Cloud Bigtable is a NoSQL wide-column database that does not support SQL transactions or strong consistency across regions; it is designed for high-throughput analytical workloads, not transactional SQL. Option C is wrong because Cloud Firestore is a NoSQL document database that does not support SQL transactions; it provides strong consistency only within a single region and cannot handle thousands of writes per second globally with SQL semantics.

16
MCQ · medium

What action does the condition in the IAM policy restrict the user from performing?

A. Deleting disks that do not start with 'disk-'
B. Performing any action on compute instances
C. Performing any compute.admin action on disks in us-central1-a with names starting with 'disk-'
D. Creating disks in any zone other than us-central1-a
Answer: C

The condition scopes the role to those disks, so the user can perform any compute.admin action (create, delete, modify) on disks matching the pattern, and nothing granted by this binding applies anywhere else.

Why this answer

A condition on an IAM binding narrows what the binding grants. Here the binding grants roles/compute.admin, and the condition (a resource-name test such as `resource.name.startsWith('disk-')` together with the zone `us-central1-a`) makes that grant apply only to disks in that zone whose names begin with 'disk-'. 'Restrict' in the question means 'scope to': the user is limited to compute.admin actions on exactly those disks, which is what option C describes. Note that in a real policy `resource.name` is the full relative name (`projects/PROJECT/zones/us-central1-a/disks/disk-...`), so the zone is carried by the prefix itself and a bare `startsWith('disk-')` would never match anything.

Exam trap

The trap here is the word 'restrict'. A condition on an allow binding cannot deny anything; it only limits where the grant applies (deny policies are a separate mechanism). Candidates who read the question as asking for a forbidden action pick A or D, but the condition describes the set of resources the role covers, and that is what C states.

How to eliminate wrong answers

Option A is wrong because the condition singles out disks whose names do start with 'disk-' as the ones the role applies to; disks with other names are simply outside this grant, not specifically forbidden, and the binding is not limited to deletion. Option B is wrong because the binding is scoped to disks, not to compute instances; a request on an instance is not covered by it at all. Option D is wrong because the condition says nothing about creation or about other zones being prohibited; it names the disks the role applies to, and whether the user can act in other zones depends on whatever other bindings exist.
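What a binding of this kind looks like in the YAML that `gcloud projects get-iam-policy` prints, added here as an example; the project, the principal and the exact name prefix are assumptions, and this is not the policy the question refers to:

```yaml
# IAM allow policy with a conditional binding. Added example; my-project,
# alice@example.com and the "disk-" prefix are assumptions.
bindings:
  - role: roles/compute.admin
    members:
      - user:alice@example.com
    condition:
      title: compute-admin-on-disk-prefixed-disks-in-us-central1-a
      description: >-
        Scope roles/compute.admin to disks named disk-* in us-central1-a.
        resource.name is the full relative name, so the prefix carries the
        project and zone; a bare startsWith('disk-') would never match.
      expression: >-
        resource.type == "compute.googleapis.com/Disk" &&
        resource.name.startsWith("projects/my-project/zones/us-central1-a/disks/disk-")
# Policies that carry conditions must be version 3.
version: 3
```

Apply it with `gcloud projects set-iam-policy my-project policy.yaml`, keeping the `etag` line that the get call returned so a concurrent edit is rejected instead of silently overwritten. Evaluation is per request: the binding contributes every permission in roles/compute.admin when the expression is true for the resource being accessed, and contributes nothing when it is false. One practical consequence of the `resource.type` clause is that project-scoped calls such as listing disks are typically evaluated against the project, not a disk, so this binding alone does not let the user enumerate disks; grant a read-only role such as roles/compute.viewer unconditionally if that is needed.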

17
MCQhard

A data warehouse team queries a 10 TB BigQuery table containing billions of events with a date column. Most queries filter by a date range (e.g., last 30 days). Without any partitioning, queries scan the full 10 TB every time. Which BigQuery feature eliminates unnecessary data scanning for date-range queries?

A.BigQuery table clustering on the date column
B.Creating a materialized view for the last 30 days
C.Date/timestamp partitioned table on the date column
D.Increasing BigQuery slot reservations for faster full-table scans
AnswerC

Partitioning by date divides the table into daily (or monthly) segments. Queries with date range filters only scan the relevant partitions, avoiding full table scans and reducing cost.

Why this answer

Partitioning a BigQuery table by the date column allows the query engine to prune entire partitions that fall outside the specified date range, so only the relevant partitions (e.g., last 30 days) are scanned instead of the full 10 TB. This directly reduces data scanned and cost, making option C the correct choice for eliminating unnecessary scanning in date-range queries.

Exam trap

Google Cloud often tests the distinction between partitioning (physical data separation) and clustering (logical sorting within a table), leading candidates to mistakenly choose clustering as a cost-saving measure when only partitioning actually prunes data at the storage level.

How to eliminate wrong answers

Option A is wrong because clustering sorts data within a table but does not physically separate data into partitions; queries still scan all blocks unless combined with partitioning, so it does not eliminate full-table scans on its own. Option B is wrong because a materialized view stores precomputed results but still requires the base table to be scanned for incremental refreshes unless the view is also partitioned, and it adds storage and maintenance overhead without solving the core scanning issue. Option D is wrong because increasing slot reservations only allocates more compute resources for faster processing of full-table scans; it does not reduce the amount of data scanned, so it fails to address the root problem of scanning 10 TB unnecessarily.

18
MCQmedium

A mobile app needs a managed database to store user profiles with flexible nested structures that evolve frequently — new fields are added without schema migrations. Which GCP database service is most appropriate?

A.Cloud SQL for PostgreSQL
B.Cloud Bigtable
C.Cloud Firestore
D.Cloud Spanner
AnswerC

Cloud Firestore stores data as flexible JSON documents with nested fields, supporting schema evolution without migrations. It's purpose-built for mobile/web app backends.

Why this answer

Cloud Firestore is a NoSQL document database that supports flexible, nested data structures and automatically handles schema evolution. New fields can be added to documents at any time without requiring migrations, making it ideal for user profiles that change frequently. It also provides real-time synchronization and offline support, which are common requirements for mobile apps.

Exam trap

The trap here is that candidates often confuse Cloud Firestore with Cloud Bigtable, assuming both are NoSQL and therefore interchangeable, but Bigtable is designed for flat, wide-column data and lacks support for nested documents and real-time queries.

How to eliminate wrong answers

Option A is wrong because Cloud SQL for PostgreSQL is a relational database that requires a fixed schema; adding new fields would require ALTER TABLE migrations, which contradicts the requirement for flexible, evolving nested structures. Option B is wrong because Cloud Bigtable is a wide-column NoSQL database optimized for high-throughput, low-latency analytical workloads (e.g., time-series, IoT), not for storing complex nested documents with frequent schema changes. Option D is wrong because Cloud Spanner is a globally distributed relational database that enforces strong schema constraints and ACID transactions; while it supports some schema changes, it is not designed for flexible nested structures and would require migrations for new fields.

19
MCQhard

A team must choose between Cloud Pub/Sub and Cloud Tasks for a use case where jobs must be delivered to a single HTTP endpoint, each job executed at most once, with rate limiting to 10 requests per second, and with retry on failure. Which service is the better fit and why?

A.Cloud Pub/Sub — it supports rate-limited push subscriptions and at-most-once delivery
B.Cloud Tasks — it provides rate limiting, at-most-once delivery via deduplication, and targeted HTTP dispatch
C.Cloud Pub/Sub with a Dataflow consumer applying rate limiting
D.Both are equivalent for this use case — choose based on cost
AnswerB

Cloud Tasks allows explicit rate control (max_dispatches_per_second), task deduplication for at-most-once delivery, and targeted HTTP endpoint dispatch — exactly this use case.

Why this answer

Cloud Tasks is the better fit because it is designed for targeted HTTP dispatch to a single endpoint, supports rate limiting (max dispatches per second), and provides at-most-once delivery via task deduplication (based on a unique task ID). Cloud Pub/Sub push subscriptions do not offer built-in rate limiting and guarantee at-least-once delivery, not at-most-once.

Exam trap

Google Cloud often tests the misconception that Cloud Pub/Sub can handle rate-limited push subscriptions, but in reality, rate limiting is a feature of Cloud Tasks, not Cloud Pub/Sub push subscriptions.

How to eliminate wrong answers

Option A is wrong because Cloud Pub/Sub push subscriptions do not support rate limiting (they rely on flow control at the subscriber side, not server-side rate limiting) and guarantee at-least-once delivery, not at-most-once. Option C is wrong because adding Dataflow introduces unnecessary complexity and cost; Cloud Tasks already provides native rate limiting and targeted HTTP dispatch without requiring an additional processing layer. Option D is wrong because the two services are not equivalent: Cloud Pub/Sub is a pub/sub messaging system with at-least-once delivery and no built-in rate limiting for push endpoints, while Cloud Tasks is a task queue designed for exactly this use case with rate limiting and at-most-once semantics.

20
MCQhard

An enterprise requires a private connection between its on-premises data center and Google Cloud VPC that does NOT traverse the public internet and provides dedicated 10 Gbps bandwidth. Which connectivity option meets these requirements?

A.Cloud VPN with high-availability configuration
B.Partner Interconnect
C.Dedicated Interconnect
D.Direct Peering
AnswerC

Dedicated Interconnect provides a direct physical connection from the enterprise data center to Google's network at 10 Gbps or 100 Gbps, with no public internet traversal.

Why this answer

Dedicated Interconnect provides a direct, private physical connection between your on-premises network and Google Cloud VPC, offering bandwidth up to 10 Gbps per circuit (or 100 Gbps with multiple circuits) without traversing the public internet. This meets the requirement for a private connection with dedicated 10 Gbps bandwidth, as it uses a colocation facility and a Google-supported router.

Exam trap

The trap here is that candidates often confuse Partner Interconnect with Dedicated Interconnect, assuming both offer dedicated bandwidth, but Partner Interconnect relies on a third-party provider's network and may not guarantee the same level of isolation or dedicated 10 Gbps per circuit.

How to eliminate wrong answers

Option A is wrong because Cloud VPN uses IPSec tunnels over the public internet, which cannot provide dedicated 10 Gbps bandwidth and does not guarantee a private connection that avoids the public internet. Option B is wrong because Partner Interconnect offers bandwidth up to 10 Gbps but relies on a third-party service provider's network, not a direct dedicated connection, and may involve shared infrastructure. Option D is wrong because Direct Peering is a direct connection to Google's edge network but is not a private connection to a VPC; it uses BGP peering over the public internet and does not support dedicated bandwidth guarantees or SLA-backed private connectivity.

21
MCQmedium

You are designing a GKE cluster for a workload that requires high-memory instances (768 GB RAM) for in-memory analytics. Standard machine types in GCP don't offer this configuration. Which machine family should you select for the node pool?

A.N2 machine family with custom vCPU and memory configuration
B.Memory-optimized (M1 or M2) machine family
C.Compute-optimized (C2) machine family
D.Accelerator-optimized (A2) machine family
AnswerB

M1 (m1-megamem, m1-ultramem) and M2 (m2-megamem, m2-ultramem, m2-hypermem) are purpose-built for high-memory workloads, offering configurations well above 768 GB RAM.

Why this answer

The M1 and M2 memory-optimized machine families are specifically designed for workloads requiring large amounts of RAM, such as in-memory analytics, with configurations offering up to 12 TB of memory. Standard machine types like N2 do not provide 768 GB RAM instances, making memory-optimized families the correct choice for this high-memory requirement.

Exam trap

Google Cloud often tests the misconception that custom machine types (like N2) can be scaled arbitrarily for memory, but GCP imposes hard limits on custom configurations (e.g., max 624 GB for N2), making memory-optimized families the only viable option for RAM-intensive workloads like 768 GB in-memory analytics.

How to eliminate wrong answers

Option A is wrong because N2 machine families, even with custom vCPU and memory configurations, are limited to a maximum of 624 GB RAM (with 224 vCPUs), which cannot meet the 768 GB requirement. Option C is wrong because compute-optimized (C2) machine families prioritize high CPU performance over memory, offering a maximum of 60 GB RAM per instance, far below the needed 768 GB. Option D is wrong because accelerator-optimized (A2) machine families are designed for GPU-intensive workloads like machine learning, not for high-memory analytics, and their maximum RAM is 340 GB (with GPUs), insufficient for 768 GB.

22
MCQmedium

A company has a VPC with several Compute Engine instances that only have internal IPs. These instances need to download updates from the internet. What is the recommended method to provide internet access without assigning external IPs to each instance?

A.Use VPC Network Peering with a public network.
B.Set up a Cloud VPN gateway to route traffic to on-premises.
C.Place the instances behind an external HTTP(S) load balancer.
D.Configure Cloud NAT in the same region and subnet.
AnswerD

Cloud NAT provides outbound internet access for private instances.

Why this answer

Cloud NAT (Network Address Translation) allows instances with only internal IPs to initiate outbound connections to the internet, while preventing inbound connections from the internet. It translates the internal IPs to a shared external IP address, enabling secure internet access without assigning external IPs to each instance. This is the recommended method for providing internet access to private instances in Google Cloud.

Exam trap

Google Cloud often tests the misconception that an external load balancer can provide outbound internet access, but it only handles inbound traffic; candidates confuse inbound load balancing with outbound NAT.

How to eliminate wrong answers

Option A is wrong because VPC Network Peering connects two VPC networks, but does not provide internet access; it only allows private communication between the peered networks. Option B is wrong because Cloud VPN is used for secure connectivity to on-premises networks, not for general internet access; it would route traffic to on-premises, not to the internet. Option C is wrong because an external HTTP(S) load balancer is designed to distribute incoming traffic from the internet to backend instances, not to provide outbound internet access for those instances; it does not perform source NAT for outbound connections.

23
MCQmedium

Refer to the exhibit. A user 'admin@example.com' attempts to create a Compute Engine instance but fails with a permission error. Which permission is missing?

A.compute.instances.get
B.iam.serviceAccounts.actAs
C.compute.instances.create
D.compute.instances.setServiceAccount
AnswerB

This permission is required to use a service account during instance creation and is not in the given roles.

Why this answer

The error occurs because when a user creates a Compute Engine instance with a service account, they need the `iam.serviceAccounts.actAs` permission on that service account. This permission allows the user to impersonate the service account and delegate its identity to the instance. Without it, the creation fails even if the user has `compute.instances.create`.

Exam trap

Google Cloud often tests the `iam.serviceAccounts.actAs` permission as a hidden requirement, trapping candidates who assume that `compute.instances.create` alone is sufficient for instance creation with a service account.

How to eliminate wrong answers

Option A is wrong because `compute.instances.get` is a read-only permission for viewing instance details, not required for creation. Option C is wrong because `compute.instances.create` is necessary but not sufficient; the user likely already has it, as the error is about the service account delegation, not the instance creation itself. Option D is wrong because `compute.instances.setServiceAccount` is used to change the service account on an existing instance, not to authorize the initial attachment during creation.

24
MCQmedium

A team deploys an application on GKE and needs it to be accessible at https://api.company.com with automatic TLS certificate provisioning. They use a Global external Application Load Balancer. What handles the TLS certificate?

A.The GKE cluster automatically generates a self-signed TLS certificate for the domain
B.A Google-managed SSL certificate attached to the load balancer's HTTPS target proxy
C.Cloud DNS automatically provisions a TLS certificate when a domain is added
D.cert-manager in GKE automatically obtains Let's Encrypt certificates for the Ingress
AnswerB

Google-managed SSL certificates are provisioned automatically and renewed before expiry. They're attached to the load balancer's target HTTPS proxy — zero manual certificate management.

Why this answer

A Global external Application Load Balancer uses an HTTPS target proxy to terminate TLS. To automatically provision and renew TLS certificates for a custom domain, you attach a Google-managed SSL certificate to that target proxy. Google manages the entire lifecycle, including domain verification via Cloud DNS, so no manual certificate generation or third-party tools are needed.

Exam trap

The trap here is that candidates confuse the Kubernetes Ingress resource (which can use cert-manager) with the Global external Application Load Balancer's HTTPS target proxy, which requires a Google-managed SSL certificate attached directly to the proxy, not a Kubernetes-native certificate solution.

How to eliminate wrong answers

Option A is wrong because GKE clusters do not automatically generate self-signed certificates for custom domains; self-signed certificates are only used for internal cluster communication or when explicitly configured, and they would not be trusted by public clients. Option C is wrong because Cloud DNS is a DNS service that manages domain records but does not provision TLS certificates; certificate provisioning is handled by Certificate Authority Service or Google-managed SSL certificates, not by Cloud DNS itself. Option D is wrong because cert-manager is a Kubernetes add-on that can obtain Let's Encrypt certificates, but it is not automatically deployed or managed by GKE; the question specifies a Global external Application Load Balancer, which uses an HTTPS target proxy, not a Kubernetes Ingress, so cert-manager is not the native or required solution.

25
MCQmedium

A startup needs to send transactional emails (order confirmations, password resets) from their GCP-hosted application. Which GCP service handles high-volume email delivery?

A.Cloud Tasks with an email delivery queue
B.A third-party email delivery service such as SendGrid or Mailgun, integrated via API
C.Cloud Pub/Sub with an email topic subscriber
D.Cloud Functions triggered by Gmail API webhooks
AnswerB

GCP doesn't include a native email service. Transactional email is handled by third-party providers (SendGrid, Mailgun, Mailchimp) accessed via their APIs from GCP-hosted applications.

Why this answer

B is correct because GCP does not provide a native high-volume transactional email service. Third-party email delivery services like SendGrid or Mailgun are designed specifically for this purpose, offering dedicated SMTP relays, APIs, and reputation management to ensure reliable delivery of transactional emails such as order confirmations and password resets.

Exam trap

Google Cloud often tests the misconception that GCP provides a built-in email delivery service, leading candidates to choose Cloud Tasks or Pub/Sub, but these are generic messaging services that require integration with a dedicated email provider to actually send emails.

How to eliminate wrong answers

Option A is wrong because Cloud Tasks is a distributed task queue for asynchronous work execution, not an email delivery service; it cannot send emails directly and would still require an external email provider. Option C is wrong because Cloud Pub/Sub is a messaging service for event ingestion and distribution, not an email delivery mechanism; it would need a subscriber that integrates with an email service. Option D is wrong because Cloud Functions triggered by Gmail API webhooks are designed to react to incoming Gmail events, not to send high-volume transactional emails, and the Gmail API has strict sending limits and is not intended for programmatic bulk email.

26
MCQmedium

A financial application requires all database transactions to be durable even if the primary Cloud SQL instance fails mid-transaction. The RPO (Recovery Point Objective) must be near-zero. Which Cloud SQL feature achieves this?

A.Cloud SQL read replica with synchronous replication
B.Cloud SQL High Availability with synchronous standby replica in a different zone
C.Cloud SQL with automated daily backups and point-in-time recovery
D.Cloud Spanner — it automatically replicates synchronously across zones
AnswerB

Cloud SQL HA uses synchronous replication — each transaction is written to both primary and standby before commit acknowledgment. Primary failure results in zero data loss (near-zero RPO).

Why this answer

Cloud SQL High Availability (HA) uses a synchronous standby replica in a different zone to ensure that every write is committed to both the primary and standby before acknowledging the transaction. This provides near-zero RPO because if the primary fails mid-transaction, the standby has the exact same data and can take over without data loss.

Exam trap

Google Cloud often tests the distinction between synchronous replication (used in HA for near-zero RPO) and asynchronous replication (used in read replicas for read scaling), leading candidates to mistakenly choose read replicas for durability requirements.

How to eliminate wrong answers

Option A is wrong because Cloud SQL read replicas use asynchronous replication, which means transactions can be committed on the primary before being replicated, leading to potential data loss if the primary fails mid-transaction. Option C is wrong because automated daily backups and point-in-time recovery provide durability but with a recovery point objective (RPO) of up to several minutes or hours, not near-zero; they do not protect against mid-transaction failures. Option D is wrong because while Cloud Spanner does provide synchronous replication across zones, it is a different service (not Cloud SQL) and the question specifically asks for a Cloud SQL feature.

27
MCQmedium

A Cloud Run service calls external third-party APIs that have rate limits. Under burst traffic, the service spawns many concurrent instances, each making direct API calls, causing rate limit errors. What GCP pattern reduces API call volume without adding infrastructure?

A.Set Cloud Run max-concurrency to 1 so each instance handles one request
B.Cache third-party API responses in Cloud Memorystore (Redis) with appropriate TTL
C.Enable Cloud CDN on the Cloud Run service to cache outbound requests
D.Migrate to Cloud Functions with a lower default concurrency limit
AnswerB

Caching API responses in Redis means many Cloud Run instances read from cache instead of calling the third-party API separately — dramatically reducing outbound API call volume.

Why this answer

Caching third-party API responses in Cloud Memorystore (Redis) with an appropriate TTL reduces the number of outbound API calls by serving cached data to multiple concurrent Cloud Run instances. This directly addresses rate-limit errors without adding new infrastructure, as Memorystore is a managed in-memory cache that integrates seamlessly with Cloud Run via a VPC connector.

Exam trap

The trap here is that candidates confuse caching inbound responses (Cloud CDN) with caching outbound API responses (a pattern using Memorystore or similar), leading them to select Cloud CDN even though it cannot cache server-to-server calls.

How to eliminate wrong answers

Option A is wrong because setting max-concurrency to 1 forces each instance to handle only one request at a time, which reduces concurrency but does not reduce the total number of API calls—each request still triggers a direct call, so rate limits are still hit under burst traffic. Option C is wrong because Cloud CDN caches responses to inbound client requests (e.g., static assets), not outbound API calls from the service to external third parties; it cannot intercept or cache server-to-server HTTP requests. Option D is wrong because migrating to Cloud Functions with lower default concurrency does not reduce API call volume—it merely changes the compute platform while still allowing each function invocation to make direct API calls, and Cloud Functions has no built-in mechanism to deduplicate or cache outbound requests.

28
MCQmedium

A company needs to run a batch processing workload that processes 10 TB of data nightly. The job runs for 4 hours and can tolerate interruption with checkpointing. Cost must be minimized. Which Compute Engine pricing model is most appropriate for the batch VMs?

A.On-demand VM pricing with committed use discounts (1-year CUD)
B.Spot VMs (preemptible pricing)
C.Sustained use discounts applied automatically to long-running VMs
D.Standard on-demand pricing with no special configuration
AnswerB

Spot VMs cost up to 91% less than on-demand. For batch jobs with checkpointing that can tolerate interruption, this is the maximum cost optimization available.

Why this answer

Spot VMs (preemptible pricing) are the most cost-effective choice for batch workloads that are fault-tolerant and can handle interruptions via checkpointing. Since the job runs for only 4 hours nightly and can resume from checkpoints, Spot VMs offer up to 60-91% cost savings over on-demand pricing without requiring any commitment.

Exam trap

The trap here is that candidates may think sustained use discounts (Option C) are automatic and sufficient for any long-running workload, but they fail to realize that a 4-hour nightly job does not accumulate enough monthly usage to trigger significant discounts, making Spot VMs the clear winner for cost minimization.

How to eliminate wrong answers

Option A is wrong because committed use discounts (1-year CUD) require a 1-year commitment and are designed for steady-state workloads, not a short 4-hour nightly batch job; they would lock in cost without flexibility and are more expensive than Spot VMs for this use case. Option C is wrong because sustained use discounts automatically apply to VMs that run for a significant portion of a month (over 25%), but a 4-hour nightly job totals only ~120 hours per month, which is well below the threshold for meaningful discounts, and they cannot match Spot VM savings. Option D is wrong because standard on-demand pricing with no special configuration is the most expensive option and ignores the workload's tolerance for interruption, missing the opportunity to use Spot VMs for drastic cost reduction.

29
MCQmedium

Your team is planning a GKE cluster for a microservices application. Some services process sensitive payment data and must run on dedicated nodes that no other workloads can access. The rest of the application can share nodes. How should you configure the cluster?

A.Use separate GKE clusters: one for payment services and one for everything else.
B.Apply taints to the dedicated node pool and tolerations to payment service pod specs.
C.Use Kubernetes NetworkPolicy to restrict network access between payment pods and other pods.
D.Set resource requests and limits so payment services consume all resources on their nodes.
AnswerB

Taints prevent regular pods from being scheduled on payment nodes. Tolerations in payment pod specs allow scheduling there. This achieves workload isolation within a single cluster.

Why this answer

Option B is correct because taints on dedicated node pools prevent pods without matching tolerations from being scheduled on those nodes, ensuring that only payment service pods (which include the corresponding tolerations) can run on the dedicated nodes. This isolates sensitive workloads at the node level without requiring separate clusters, which would add operational overhead and complexity.

Exam trap

Google Cloud often tests the misconception that network policies (Option C) provide workload isolation, when in fact they only control east-west traffic and do not prevent co-location of pods on the same node, which is the core requirement for dedicated node isolation.

How to eliminate wrong answers

Option A is wrong because using separate clusters for payment services and other workloads introduces unnecessary management overhead, cross-cluster networking complexity, and defeats the purpose of node-level isolation when a single cluster with taints and tolerations can achieve the same goal more efficiently. Option C is wrong because Kubernetes NetworkPolicy controls network traffic between pods but does not prevent non-payment pods from being scheduled on the same node as payment pods, leaving the sensitive data vulnerable to side-channel attacks or resource contention. Option D is wrong because setting resource requests and limits to consume all node resources does not prevent other pods from being scheduled on the same node; it only guarantees resource availability for payment pods, and the scheduler can still place non-payment pods on those nodes if resources are available.

30
MCQmedium

A startup wants to minimize egress costs for a web service that exclusively serves customers within Europe. Which network service tier is most cost-effective?

A.Premium Tier
B.Standard Tier
C.Economy Tier
D.Free Tier
AnswerB

Standard Tier routes traffic through the public internet, offering lower egress costs. It's suitable for services with regional traffic patterns where Google's global backbone is unnecessary.

Why this answer

Standard Tier uses Google's network with egress traffic routed over the internet, which is significantly cheaper than Premium Tier's SLA-backed, low-latency global network. Since the service exclusively serves customers within Europe, the higher cost of Premium Tier is unnecessary, making Standard Tier the most cost-effective choice for minimizing egress costs.

Exam trap

Google Cloud often tests the misconception that 'Standard' implies lower performance or reliability, but the trap here is that candidates overlook the cost savings for region-specific workloads and incorrectly assume Premium Tier is always better for production services.

How to eliminate wrong answers

Option A is wrong because Premium Tier uses Google's premium-grade network with higher egress pricing, designed for global, latency-sensitive traffic, and is not cost-effective for a Europe-only service. Option C is wrong because there is no 'Economy Tier' in Google Cloud networking; the available tiers are Premium and Standard. Option D is wrong because there is no 'Free Tier' for network egress; Google Cloud offers a free tier for certain compute and storage resources, but egress traffic always incurs costs.

31
MCQmedium

You need persistent shared file storage for a legacy application running on multiple Compute Engine VMs that requires POSIX-compliant file system access (NFS). The workload is I/O intensive with files up to 100 GB. Which GCP storage service should you use?

A.Cloud Storage FUSE mounted on each VM
B.Cloud Filestore (NFS)
C.Persistent Disk attached in ReadWriteMany mode to all VMs
D.Local SSD on each VM with rsync synchronization between VMs
AnswerB

Filestore is a fully managed NFS service with POSIX compliance. Multiple VMs can mount the same Filestore instance simultaneously, providing true shared read/write file access with high performance.

Why this answer

Cloud Filestore provides a fully managed NFS server that supports POSIX-compliant file access, making it the correct choice for a legacy application requiring NFS. It can handle I/O-intensive workloads with large files (up to 100 GB) by offering high throughput and low-latency access from multiple Compute Engine VMs simultaneously.

Exam trap

The trap here is that candidates often confuse Cloud Storage FUSE with a true POSIX file system, overlooking its lack of native NFS support and performance limitations for I/O-intensive workloads, while also mistakenly thinking Persistent Disk can be attached in ReadWriteMany mode to multiple VMs.

How to eliminate wrong answers

Option A is wrong because Cloud Storage FUSE presents an object storage bucket as a file system, but it does not provide true POSIX compliance (e.g., it lacks support for file locking, hard links, and consistent directory operations) and can suffer from performance issues with I/O-intensive workloads and large files. Option C is wrong because Persistent Disk cannot be attached in ReadWriteMany mode to multiple VMs; it only supports ReadWriteOnce (single writer) or ReadOnlyMany (multiple readers), so it cannot serve as shared writable storage for multiple VMs. Option D is wrong because Local SSDs are ephemeral and tied to a single VM, and rsync synchronization between VMs introduces data consistency issues, latency, and complexity, failing to provide the persistent, POSIX-compliant shared file system required.

32
MCQmedium

You need to design a solution where a Cloud Function is triggered by HTTP requests from the internet, but it must also privately access a Cloud SQL instance that has no public IP. The Cloud Function should not expose the Cloud SQL instance to public traffic. Which configuration enables this?

A.Enable a public IP on the Cloud SQL instance and restrict access using Cloud SQL authorized networks.
B.Configure a Serverless VPC Access connector and attach it to the Cloud Function to access Cloud SQL via private IP.
C.Use Cloud SQL Auth Proxy on a Compute Engine VM as a jump host between the function and the database.
D.Deploy the Cloud Function in the same project as Cloud SQL; same-project resources can access each other privately by default.
AnswerB

Serverless VPC Access lets Cloud Functions reach VPC resources over private RFC 1918 addresses. The Cloud SQL instance stays private-IP-only, meeting the isolation requirement.

Why this answer

Option B is correct because a Serverless VPC Access connector allows a Cloud Function to connect to a Cloud SQL instance via its private IP, enabling private network communication without exposing the database to the internet. The connector bridges the serverless environment to a VPC, and the Cloud SQL instance must have private IP enabled. This satisfies the requirement of private access while the function itself remains publicly triggerable via HTTP.

Exam trap

Google Cloud often tests the misconception that resources in the same project can communicate privately by default, but the trap here is that Cloud Functions run outside your VPC and require explicit configuration (like a VPC connector) to access private IP resources such as Cloud SQL.

How to eliminate wrong answers

Option A is wrong because enabling a public IP on Cloud SQL and using authorized networks still exposes the instance to the internet, violating the requirement that the Cloud SQL instance should not be exposed to public traffic. Option C is wrong because using a Compute Engine VM as a jump host with Cloud SQL Auth Proxy introduces an unnecessary intermediary that adds latency, complexity, and a potential single point of failure, and is not the recommended or simplest solution for private access from a Cloud Function. Option D is wrong because same-project resources do not automatically have private network access; Cloud Functions run in a Google-managed environment outside your VPC by default, so they cannot reach Cloud SQL private IPs without a VPC connector or similar mechanism.

33
MCQ (medium)

A startup is building a mobile app backend. Traffic is highly variable: 10 requests/second at night, peaking to 50,000 requests/second during business hours. The backend is stateless. Which compute option best handles this traffic variability with minimal cost and operational effort?

A. Compute Engine managed instance group with autoscaling.
B. Cloud Run with concurrency and max-instances configured.
C. GKE cluster with Horizontal Pod Autoscaler.
D. App Engine Standard environment with automatic scaling.
Answer: B

Cloud Run scales from zero to thousands of instances in seconds, handles 50,000 RPS with automatic provisioning, and costs nothing when idle at night.

Why this answer

Cloud Run is the best choice because it is a fully managed serverless platform that scales from zero to thousands of requests per second automatically, handling the extreme variability from 10 to 50,000 requests/second without provisioning overhead. By configuring concurrency (e.g., 80 concurrent requests per container) and max-instances, you cap costs while Cloud Run's autoscaling adds or removes container instances based on incoming traffic, making it ideal for stateless workloads with minimal operational effort.

Exam trap

Google Cloud often tests the misconception that managed instance groups or GKE are more 'powerful' or 'flexible' for high traffic, but the trap here is ignoring the operational effort and cost of idle resources; candidates overlook that serverless options like Cloud Run can handle 50,000 req/s with proper concurrency tuning and are far simpler for stateless apps.

How to eliminate wrong answers

Option A is wrong because Compute Engine managed instance groups with autoscaling require you to manage virtual machine instances, patches, and scaling policies, leading to higher operational overhead and slower scaling response (minutes vs. seconds) compared to serverless options, and you pay for idle VMs even at low traffic. Option C is wrong because GKE with Horizontal Pod Autoscaler introduces cluster management complexity, node pool scaling delays, and Kubernetes control plane costs, which are unnecessary for a stateless app with variable traffic and increase operational effort. Option D is wrong because App Engine Standard environment, while serverless, has a hard limit of 500 concurrent requests per instance and a maximum of 10,000 requests/second in many regions, making it unable to handle the 50,000 requests/second peak without significant latency or errors, and it requires the app to be written in one of the specific supported runtimes.

34
MCQ (hard)

Your on-premises data center needs a dedicated, private connection to GCP with a guaranteed 10 Gbps bandwidth and SLA-backed availability. Internet-based VPN is not acceptable due to compliance requirements. Which connectivity option should you choose?

A. Cloud VPN with multiple tunnels for redundancy
B. Cloud Interconnect Dedicated (10 Gbps)
C. Partner Interconnect via a carrier partner
D. Cloud Router with BGP peering over the public internet
Answer: B

Dedicated Interconnect provides a private 10 Gbps or 100 Gbps circuit directly to Google's network via co-location facilities. Traffic never traverses the public internet, meeting compliance requirements with SLA-backed availability.

Why this answer

Dedicated Interconnect provides a direct, private physical connection between your on-premises network and GCP, offering up to 10 Gbps per circuit with a 99.99% SLA. Since internet-based VPN is not acceptable due to compliance requirements, this option meets the need for dedicated bandwidth and SLA-backed availability without traversing the public internet.

Exam trap

The trap here is that candidates often confuse Partner Interconnect with Dedicated Interconnect, assuming Partner Interconnect can also provide a dedicated 10 Gbps connection, but Partner Interconnect is a shared connection through a carrier and does not offer the same dedicated bandwidth or SLA guarantees.

How to eliminate wrong answers

Option A is wrong because Cloud VPN uses the public internet and cannot guarantee 10 Gbps bandwidth or meet compliance requirements that prohibit internet-based connectivity. Option C is wrong because Partner Interconnect relies on a carrier partner's network and typically offers lower bandwidth options (e.g., 50 Mbps to 10 Gbps) with a shared infrastructure, not a dedicated 10 Gbps circuit with the same SLA as Dedicated Interconnect. Option D is wrong because Cloud Router with BGP peering over the public internet is still an internet-based VPN solution, which is explicitly not acceptable due to compliance requirements.

35
Multi-Select (hard)

An organization is designing a VPC network with connectivity to an on-premises network via Cloud VPN. They have multiple projects that need to share the VPN. Which three steps are required to implement this using Shared VPC? (Choose three.)

Select 3 answers
A. Attach the service project to the host project.
B. Create a Cloud VPN gateway in the host project.
C. Configure the VPN tunnels in the host project.
D. Enable the Shared VPC feature in the service project.
E. Create a Cloud Router in the service project.
Answers: A, B, C

Service projects must be attached to the host project to use shared resources.

Why this answer

Option A is correct because attaching the service project to the host project is a fundamental step in Shared VPC. This attachment allows the service project to use the host project's VPC network resources, including the Cloud VPN gateway and tunnels, enabling centralized connectivity without duplicating VPN infrastructure.

Exam trap

Google Cloud often tests the misconception that Shared VPC configuration steps are performed in the service project, but in reality, all networking resources (VPN gateway, tunnels, Cloud Router) must be created in the host project, and the service project is only attached to consume those resources.

36
MCQ (hard)

Based on the exhibit, which type of traffic will successfully reach the instance?

A. HTTPS traffic (port 443) from the internet
B. All inbound traffic
C. HTTP traffic from the internet (port 80)
D. No traffic; the deny-all rule takes effect
Answer: C

The allow rule matches HTTP from any source and applies to the instance.

Why this answer

Option C is correct because the exhibit shows a security group rule allowing inbound HTTP traffic (port 80) from 0.0.0.0/0, which permits any source on the internet to reach the instance on that port. Security groups in Google Cloud are stateful, so the corresponding outbound return traffic is automatically allowed. No other rule permits HTTPS or all traffic, and the implicit deny-all rule blocks anything not explicitly allowed.

Exam trap

Google Cloud often tests the misconception that the implicit deny-all rule blocks all traffic indiscriminately, but candidates must remember that explicit allow rules take precedence and permit matching traffic before the deny rule is evaluated.

How to eliminate wrong answers

Option A is wrong because the security group rules shown only allow TCP port 80 (HTTP), not port 443 (HTTPS); HTTPS traffic would be blocked by the implicit deny-all rule. Option B is wrong because security groups operate on a whitelist model—only explicitly permitted traffic is allowed, and the exhibit does not include a rule allowing all inbound traffic. Option D is wrong because the deny-all rule is the default implicit rule that applies only to traffic not matching an explicit allow rule; since HTTP traffic matches the explicit allow rule on port 80, it is permitted and the deny-all rule does not take effect for that traffic.

37
MCQ (medium)

Your application runs on GKE and needs to call the Cloud Translation API. You want to follow Google's recommended security practice for service-to-cloud-API authentication within GKE. Which approach should you use?

A. Download a service account key JSON and mount it as a Kubernetes Secret in the pod.
B. Configure Workload Identity to bind the pod's Kubernetes Service Account to a Google Service Account with Translation API access.
C. Grant the GKE node pool's service account `roles/cloudtranslate.user`.
D. Use the GOOGLE_APPLICATION_CREDENTIALS environment variable pointing to a mounted key file.
Answer: B

Workload Identity is the recommended GKE authentication mechanism. No SA keys are created — pods automatically receive short-lived credentials via the mapped Google SA, following least-privilege and eliminating key management.

Why this answer

Workload Identity is Google's recommended approach for authenticating workloads in GKE to Google Cloud APIs. It allows you to bind a Kubernetes Service Account (KSA) to a Google Service Account (GSA), so pods can impersonate the GSA without managing or storing long-lived service account keys. This eliminates the security risk of key exposure and follows the principle of least privilege.

Exam trap

Google Cloud often tests the misconception that mounting a service account key as a Kubernetes Secret is acceptable for production, but the correct answer emphasizes using Workload Identity to avoid managing static keys.

How to eliminate wrong answers

Option A is wrong because downloading a service account key JSON and mounting it as a Kubernetes Secret introduces a long-lived credential that can be leaked or misused, violating Google's recommendation to avoid static keys. Option C is wrong because granting the GKE node pool's service account `roles/cloudtranslate.user` gives all pods on that node pool access to the Translation API, breaking the principle of least privilege and not isolating permissions per workload. Option D is wrong because using the GOOGLE_APPLICATION_CREDENTIALS environment variable pointing to a mounted key file still relies on a static service account key, which is less secure than Workload Identity's token exchange mechanism.

38
Multi-Select (medium)

A company uses preemptible VMs for batch processing. Which TWO best practices should be implemented to improve resilience and manageability? (Choose 2)

Select 2 answers
A. Use persistent disks to store application state.
B. Use instance metadata to pass configuration parameters.
C. Use Cloud Functions to monitor instance termination.
D. Use startup scripts to prepare the instance environment.
E. Use persistent disk snapshots for backup.
Answers: B, D

Metadata allows dynamic configuration without modifying the image.

Why this answer

Option B is correct because instance metadata is a key-value store that can be used to pass configuration parameters to preemptible VMs at boot time. Since preemptible VMs can be terminated at any time, using metadata ensures that new instances can be recreated with the same configuration without manual intervention. This improves manageability by centralizing configuration and resilience by enabling automated re-provisioning.

Exam trap

Google Cloud often tests the misconception that persistent disks or snapshots are needed for resilience with preemptible VMs, but the correct approach is to treat them as stateless and use external storage for state, with metadata and startup scripts for configuration and initialization.

39
MCQ (hard)

A company uses Cloud CDN to accelerate content delivery. They notice that some requests are not being cached, despite the cache-control headers being set correctly. The origin is a Compute Engine instance behind an HTTP load balancer. What is a likely cause?

A. The cache key includes the query string, causing too many variations.
B. The load balancer is using HTTP/2, which disables caching.
C. The content type is not supported by Cloud CDN.
D. The origin returns a Set-Cookie header, which prevents caching by default.
Answer: D

Set-Cookie headers make Cloud CDN skip caching by default.

Why this answer

Cloud CDN will not cache responses that include a Set-Cookie header by default, even if Cache-Control headers are correctly set. This is because Set-Cookie indicates user-specific or session-specific content, and caching it could lead to serving private data to other users. The origin (Compute Engine behind an HTTP load balancer) returning Set-Cookie effectively disables caching for those responses.

Exam trap

The trap here is that candidates often focus on cache-control headers or query strings, but Cisco tests the less obvious behavior that Set-Cookie headers implicitly prevent caching in Cloud CDN, even when other caching directives appear correct.

How to eliminate wrong answers

Option A is wrong because query string variations in the cache key can reduce cache hit ratio but do not prevent caching entirely; Cloud CDN can still cache responses with query strings if the cache key is configured appropriately. Option B is wrong because HTTP/2 does not disable caching; Cloud CDN fully supports HTTP/2 and caching behavior is independent of the HTTP version. Option C is wrong because Cloud CDN supports caching for all standard content types (e.g., text, image, video, application) and does not restrict caching based on content type.

40
MCQ (easy)

A team needs to run a simple containerized script that processes a batch of files once per night and exits when done — no HTTP endpoint needed. Which GCP service is most appropriate?

A. Cloud Run Services with a timeout set to 24 hours
B. Cloud Run Jobs triggered by Cloud Scheduler
C. Cloud Functions with a 540-second maximum timeout
D. App Engine Standard with a background service
Answer: B

Cloud Run Jobs execute a containerized batch task to completion. Triggered by Cloud Scheduler, they run nightly, process the files, and exit — no HTTP server needed.

Why this answer

Cloud Run Jobs is the correct choice because it is designed for batch workloads that run to completion, with no requirement for an HTTP endpoint. It can handle long-running tasks (up to 24 hours) and can be triggered by Cloud Scheduler for nightly execution, making it ideal for processing files once per night.

Exam trap

Google Cloud often tests the distinction between Cloud Run Services (HTTP-driven, always-on) and Cloud Run Jobs (batch, run-to-completion), leading candidates to incorrectly choose Cloud Run Services for batch workloads due to familiarity with the 'Cloud Run' name.

How to eliminate wrong answers

Option A is wrong because Cloud Run Services are intended for HTTP-driven applications that must handle continuous requests; setting a 24-hour timeout is technically possible but misuses the service, as it is not designed for batch jobs that exit. Option C is wrong because Cloud Functions has a maximum timeout of 540 seconds (9 minutes), which is insufficient for a batch job that may run for hours processing files nightly. Option D is wrong because App Engine Standard with a background service is not designed for short-lived batch tasks; it is meant for long-running background processes within a web application, and it lacks native scheduling integration for one-off nightly jobs.

41
MCQ (medium)

An engineering team is deciding between App Engine Standard and App Engine Flexible for a Python API. The API has unpredictable traffic, must scale to zero when idle, runs standard Python code with no custom system packages, and requires < 1 second startup time. Which environment is most suitable?

A. App Engine Flexible — it supports Python with custom packages
B. App Engine Standard — it scales to zero, starts in sub-second, and supports standard Python runtimes
C. Both are equivalent — the difference is only in supported languages
D. Neither — use Cloud Run instead for Python APIs
Answer: B

App Engine Standard is designed exactly for this: scale-to-zero, fast cold starts, standard Python runtimes, and no custom system package requirements.

Why this answer

App Engine Standard is the correct choice because it automatically scales to zero instances during idle periods, starts new instances in under a second, and supports standard Python runtimes without custom system packages. The requirement for sub-second startup time and scaling to zero aligns perfectly with Standard's sandboxed, pre-loaded runtime environment, whereas Flexible environment has slower startup times due to VM provisioning and cannot scale to zero.

Exam trap

Google Cloud often tests the misconception that App Engine Flexible is more capable because it supports custom runtimes, leading candidates to overlook the critical requirements of scaling to zero and sub-second startup that only Standard satisfies.

How to eliminate wrong answers

Option A is wrong because App Engine Flexible does not scale to zero instances (it maintains at least one VM) and has startup times of several minutes, failing the <1 second requirement; custom packages are irrelevant since the API uses standard Python code. Option C is wrong because the environments differ significantly in scaling behavior, startup latency, and sandboxing — they are not equivalent. Option D is wrong because Cloud Run can scale to zero and start quickly, but App Engine Standard is equally suitable and is a first-class option for this use case; the question asks which environment is most suitable, and Standard directly meets all criteria without requiring a different service.

42
MCQ (easy)

Which feature of Cloud SQL provides automated backups and enables point-in-time recovery?

A. All Cloud SQL tiers
B. Only Cloud SQL Enterprise
C. Only Cloud SQL High Availability configuration
D. Only Cloud SQL Enterprise Plus
Answer: A

Both Enterprise and Enterprise Plus support automated backups and binary logging; even the basic tier in older versions supported it.

Why this answer

Cloud SQL provides automated backups and point-in-time recovery (PITR) for all tiers, including Cloud SQL Enterprise, Enterprise Plus, and even the basic (non-HA) configurations. This is because the backup and PITR functionality is a core feature of the Cloud SQL service itself, not tied to a specific tier or high-availability setup. Automated backups are enabled by default, and PITR uses binary log (binlog) files to allow restoration to any point within the backup retention window.

Exam trap

Google Cloud often tests the misconception that advanced features like PITR or automated backups are reserved for higher-tier or HA configurations, when in fact they are available across all Cloud SQL tiers.

How to eliminate wrong answers

Option B is wrong because it incorrectly restricts automated backups and PITR to only the Enterprise tier, while these features are available across all Cloud SQL tiers, including the basic tier. Option C is wrong because it ties the feature to High Availability configuration, but HA only affects instance availability and failover, not backup or PITR capabilities. Option D is wrong because it limits the feature to Enterprise Plus, which is a higher-performance tier, but automated backups and PITR are not exclusive to that tier.

43
Multi-Select (easy)

A company is migrating a legacy application to Google Cloud. The application requires a shared file system that can be mounted by multiple compute instances across different zones for high availability. Which two Google Cloud services can meet this requirement?

Select 2 answers
A. Persistent Disk
B. Cloud Storage FUSE
C. Cloud Run
D. Google Cloud NetApp Volumes
E. Cloud Filestore
Answers: D, E

Google Cloud NetApp Volumes provides NFS file shares that can be mounted by multiple instances across zones.

Why this answer

Cloud Filestore and Google Cloud NetApp Volumes provide NFS-based file shares that can be mounted by multiple instances across zones. Persistent Disk cannot be attached in read-write mode to multiple instances across zones. Cloud Storage FUSE is not a POSIX-compliant shared file system. Cloud Run is a compute service, not a storage service.

44
MCQ (easy)

A company wants to migrate a monolithic application to Google Cloud with minimal changes to the application code. Which compute option is most suitable?

A. Google Kubernetes Engine
B. App Engine (Flexible Environment)
C. Compute Engine
D. Cloud Functions
Answer: C

Compute Engine provides an IaaS virtual machine that can run the application as-is, with minimal migration effort.

Why this answer

Compute Engine (C) is the most suitable option because it provides Infrastructure as a Service (IaaS) virtual machines that can run the monolithic application with minimal code changes. The application can be migrated by simply lifting and shifting the existing VM or container image to a Compute Engine instance, preserving the OS, runtime, and dependencies without refactoring.

Exam trap

Google Cloud often tests the misconception that 'containerization always means minimal changes,' but the trap here is that GKE and App Engine Flexible Environment still require containerization and potential code adjustments, while Compute Engine allows a true lift-and-shift with zero code changes.

How to eliminate wrong answers

Option A is wrong because Google Kubernetes Engine (GKE) requires containerizing the application and often involves refactoring to fit a microservices architecture, which contradicts the 'minimal changes' requirement. Option B is wrong because App Engine Flexible Environment requires the application to be packaged as a container and adhere to specific runtime constraints, such as handling scaling and health checks, which may necessitate code modifications. Option D is wrong because Cloud Functions is a serverless, event-driven compute service that enforces a stateless, short-lived execution model, which is incompatible with a monolithic application's long-running processes and stateful behavior.

45
MCQ (medium)

Your application exposes a REST API that external partners consume. You need rate limiting per partner (API key), usage analytics, and a developer portal for onboarding. Traffic is currently 1,000 requests/day but expected to grow to 10M/day within a year. Which GCP service best fits these requirements?

A. Cloud Endpoints with Extensible Service Proxy
B. Apigee API Management
C. Cloud Armor with rate limiting rules
D. API Gateway with a backend Cloud Run service
Answer: B

Apigee provides all required features: per-key rate limiting, built-in developer portal for partner onboarding, detailed API analytics, and scales to billions of requests.

Why this answer

Apigee API Management is correct because it provides built-in rate limiting per API key (via quota policies), detailed analytics dashboards for usage tracking, and a developer portal for partner onboarding and key management. Unlike simpler API gateways, Apigee is designed for enterprise-grade API management at scale, handling growth from 1,000 to 10M requests/day with features like monetization, traffic management, and security policies.

Exam trap

Google Cloud often tests the distinction between a simple API gateway (like Cloud Endpoints or API Gateway) and a full API management platform (Apigee), where the presence of a developer portal and per-partner analytics is the key differentiator, not just rate limiting or traffic growth.

How to eliminate wrong answers

Option A is wrong because Cloud Endpoints with Extensible Service Proxy (ESP) is a lightweight API gateway that lacks a built-in developer portal and advanced analytics; it relies on Google Cloud's operations suite for basic metrics and does not offer per-partner rate limiting via API keys without custom code. Option C is wrong because Cloud Armor is a web application firewall (WAF) and DDoS protection service that can rate-limit by IP address, not by API key or partner, and it provides no developer portal or usage analytics per partner. Option D is wrong because API Gateway with a backend Cloud Run service is a managed gateway that supports rate limiting and basic analytics but lacks a developer portal for partner onboarding and is designed for simpler use cases, not the enterprise-grade API management and analytics required for 10M requests/day.

46
Drag & Drop (medium)

Order the steps to set up a Cloud Storage bucket with uniform bucket-level access and make objects publicly readable.


Why this order

Uniform access must be set at bucket creation; after upload, permissions apply to all objects.

47
MCQ (medium)

Microservices in a GKE cluster need to discover each other by name without using public DNS. Service A calls Service B at `http://service-b.production.svc.cluster.local`. Which GCP/Kubernetes feature provides this internal DNS resolution?

A. Cloud DNS private zone configured for the cluster's namespace
B. Kubernetes cluster DNS (CoreDNS) resolving Service names within the cluster
C. Anthos Service Mesh — required for service-to-service DNS
D. A custom /etc/hosts entry on each Pod
Answer: B

CoreDNS (the default in-cluster DNS server) automatically creates records for every Service in the format `[service].[namespace].svc.cluster.local`, enabling service-to-service discovery.

Why this answer

Kubernetes cluster DNS, typically implemented by CoreDNS, is the built-in mechanism that resolves Service names like `service-b.production.svc.cluster.local` to the corresponding ClusterIP. This allows Pods to discover each other by name without relying on external or public DNS. CoreDNS runs as a Deployment in the kube-system namespace and automatically creates DNS records for every Service based on its name and namespace.

Exam trap

The trap here is that candidates confuse Cloud DNS (a GCP-managed DNS service for VPCs) with Kubernetes cluster DNS, or assume that a service mesh like Anthos is necessary for internal service discovery, when in fact CoreDNS provides this capability out of the box in any standard GKE cluster.

How to eliminate wrong answers

Option A is wrong because Cloud DNS private zones are used for resolving custom domain names within a VPC network, not for Kubernetes internal Service DNS; the cluster's internal DNS is handled entirely by CoreDNS within the cluster. Option C is wrong because Anthos Service Mesh (based on Istio) provides traffic management, security, and observability, but it is not required for basic service-to-service DNS resolution; CoreDNS works independently of any service mesh. Option D is wrong because manually editing /etc/hosts on each Pod is impractical, does not scale, and would require constant updates as Services are added or removed; Kubernetes DNS automates this resolution dynamically.

48
MCQ (easy)

A startup's application uses both GCP services and an existing on-premises Kubernetes cluster. They want a single control plane to manage Kubernetes clusters across both environments with consistent policy enforcement. Which Google service provides this?

A. GKE Hub (Fleet management)
B. Anthos (Google Distributed Cloud) for hybrid multi-cluster management
C. Cloud Interconnect — connects on-premises clusters to GCP so they share a control plane
D. Cloud Composer — a managed Kubernetes workflow across environments
Answer: B

Anthos provides a unified management layer for GKE clusters on GCP, on-premises (Anthos on bare metal/VMware), and other clouds — with consistent policy, service mesh, and CI/CD.

Why this answer

Anthos (Google Distributed Cloud) is the correct answer because it provides a unified control plane for managing Kubernetes clusters across on-premises and GCP environments, enabling consistent policy enforcement, configuration, and observability. Anthos uses GKE on-prem and GKE in the cloud, with a centralized Anthos Config Management and Service Mesh for policy and security consistency, directly addressing the hybrid multi-cluster management requirement.

Exam trap

The trap here is that candidates confuse GKE Hub (a fleet management feature) with the full Anthos platform, forgetting that GKE Hub alone does not manage on-premises clusters without Anthos GKE On-Prem.

How to eliminate wrong answers

Option A is wrong because GKE Hub (Fleet management) is a component within Anthos that provides a centralized view and policy management for GKE clusters, but it is not a standalone service that manages both on-premises and GCP clusters with a single control plane; it relies on Anthos for hybrid capabilities. Option C is wrong because Cloud Interconnect provides dedicated network connectivity between on-premises and GCP, but it does not provide a control plane for managing Kubernetes clusters; it is a networking service, not a cluster management service. Option D is wrong because Cloud Composer is a managed Apache Airflow workflow orchestration service, not a Kubernetes cluster management platform; it can run workflows across environments but does not provide a unified control plane or policy enforcement for Kubernetes clusters.

49
MCQ (hard)

A media company ingests 500,000 events per second from IoT sensors and needs to store them for time-series analytics queries that scan billions of rows. Which storage service is most appropriate?

A. Cloud Firestore
B. Cloud SQL for MySQL
C. Cloud Bigtable
D. BigQuery streaming inserts
Answer: C

Bigtable is purpose-built for high-throughput, low-latency NoSQL workloads including IoT time-series. It scales linearly with node count and supports the ingestion rate and query patterns described.

Why this answer

Cloud Bigtable is the most appropriate service because it is a fully managed, scalable NoSQL database designed for high-throughput, low-latency workloads like IoT sensor data ingestion at 500,000 events per second. It supports time-series analytics queries scanning billions of rows via its wide-column storage model and integration with BigQuery for complex analytics, while providing sub-10ms latency for point lookups and efficient range scans.

Exam trap

Google Cloud often tests the misconception that BigQuery streaming inserts are a storage service for high-ingestion workloads, but the trap here is that BigQuery is a data warehouse for analytics, not a low-latency storage system for time-series data, and its streaming limit is far lower than Bigtable's throughput.

How to eliminate wrong answers

Option A is wrong because Cloud Firestore is a document-oriented NoSQL database optimized for mobile and web app real-time synchronization, not for high-ingestion-rate time-series workloads; it has a maximum write rate of 10,000 writes per second per database, far below 500,000 events per second. Option B is wrong because Cloud SQL for MySQL is a relational database with limited horizontal scaling and a maximum of 30,000 queries per second for the highest tier, making it unsuitable for ingesting 500,000 events per second and scanning billions of rows. Option D is wrong because BigQuery streaming inserts are designed for real-time analytics ingestion into a data warehouse, but they have a per-project streaming limit of 100,000 rows per second (default) and are not optimized for sub-second point lookups or high-frequency time-series storage; Bigtable is the correct storage layer before streaming into BigQuery for analytics.

50
MCQmedium

A data analytics team runs Apache Spark jobs to process large datasets. They need a managed cluster that provisions quickly, scales dynamically, and integrates with Cloud Storage and BigQuery. Which service should they use?

A.Cloud Dataflow
B.Cloud Dataproc
C.Cloud Composer
D.Cloud Run with a custom Spark container
AnswerB

Cloud Dataproc is the managed Apache Spark/Hadoop service on GCP. It integrates directly with Cloud Storage and BigQuery, and supports ephemeral cluster models for cost efficiency.

Why this answer

Cloud Dataproc is the correct choice because it is a managed Spark and Hadoop service that provisions clusters in under 90 seconds, supports autoscaling, and natively integrates with Cloud Storage (via the gs:// connector) and BigQuery (via the BigQuery Storage API and Spark BigQuery connector). This makes it ideal for teams needing fast, dynamic, and integrated Spark job execution.

Exam trap

The trap here is that candidates confuse Cloud Dataflow (a Beam-based service) with a managed Spark service, or assume Cloud Run can handle dynamic Spark cluster scaling, when in fact only Cloud Dataproc provides the native Spark runtime and auto-scaling cluster management required for this use case.

How to eliminate wrong answers

Option A is wrong because Cloud Dataflow is a unified stream and batch data processing service based on Apache Beam, not Apache Spark, and it does not provide a managed Spark cluster. Option C is wrong because Cloud Composer is a managed Apache Airflow workflow orchestration service, not a compute engine for running Spark jobs; it can trigger Dataproc jobs but does not run Spark itself. Option D is wrong because Cloud Run is a serverless container platform that does not support dynamic cluster scaling for Spark workloads and lacks native integration with Cloud Storage and BigQuery for Spark; running a custom Spark container on Cloud Run would require manual cluster management and does not provide the managed, auto-scaling Spark environment that Dataproc offers.

51
MCQhard

A financial services company needs to run analytics queries on transaction data that arrives in real-time. The queries must return results within 2 seconds and the dataset grows by ~100 GB per day. The company also needs to retain all data for 7 years for regulatory compliance. Which architecture best satisfies these requirements?

A.Write transactions to Cloud Spanner; run analytics queries directly against Spanner.
B.Stream transactions through Pub/Sub → Dataflow → BigQuery; run analytics on BigQuery.
C.Store transactions in Cloud Bigtable and use Dataproc/Spark for analytics queries.
D.Use Cloud SQL for storage and Cloud Dataprep for analytics transformations.
AnswerB

This is the canonical GCP streaming analytics pattern: Pub/Sub for ingestion, Dataflow for transformation, BigQuery for analytics with sub-second to 2-second query performance and 7-year retention.

Why this answer

Option B is correct because it uses Pub/Sub for real-time ingestion, Dataflow for stream processing, and BigQuery for analytics, which can handle 100 GB/day growth and return queries within 2 seconds using BigQuery's columnar storage and automatic sharding. BigQuery's 7-year retention is supported by its time-based partitioning and long-term storage at reduced cost, meeting regulatory compliance without manual intervention.

Exam trap

Google Cloud often tests the distinction between OLTP (Spanner, Cloud SQL) and OLAP (BigQuery) services, and candidates mistakenly choose Spanner for analytics because of its global scale and strong consistency, overlooking that it is not optimized for large-scale analytical queries with strict latency SLAs.

How to eliminate wrong answers

Option A is wrong because Cloud Spanner is designed for transactional (OLTP) workloads with strong consistency, not for large-scale analytics (OLAP); running complex analytics queries directly on Spanner would exceed the 2-second latency requirement and incur high costs due to its node-based pricing and row-oriented storage. Option C is wrong because Cloud Bigtable is a NoSQL wide-column store optimized for high-throughput, low-latency point lookups and time-series data, but it lacks native SQL analytics capabilities; using Dataproc/Spark adds overhead for query parsing and job scheduling, making it difficult to consistently return results within 2 seconds, and Bigtable's storage is not cost-effective for 7 years of retention at 100 GB/day. Option D is wrong because Cloud SQL is a relational database with limited scalability (max ~30 TB per instance) and is not designed for real-time streaming or petabyte-scale analytics; Cloud Dataprep is a data preparation tool for cleaning and transforming data, not for running analytics queries, and it cannot meet the 2-second query latency requirement.

52
MCQeasy

A company wants to migrate an on-premises MySQL database to Cloud SQL with minimal downtime. Which service should they use?

A.Cloud SQL for MySQL
B.Cloud SQL with external replicas
C.Database Migration Service
D.Compute Engine with MySQL installed
AnswerC

Database Migration Service provides minimal downtime migration.

Why this answer

Database Migration Service (DMS) is the correct choice because it is specifically designed to migrate on-premises MySQL databases to Cloud SQL with minimal downtime using continuous replication. It handles schema conversion, data transfer, and ongoing sync until you cut over, ensuring near-zero downtime without manual intervention.

Exam trap

The trap here is that candidates confuse the target service (Cloud SQL for MySQL) with the migration tool, or assume that external replicas can be used for migration, when in fact DMS is the only Google Cloud service purpose-built for minimal-downtime database migrations.

How to eliminate wrong answers

Option A is wrong because Cloud SQL for MySQL is the target service, not a migration tool; selecting it alone does not provide a migration mechanism or minimize downtime. Option B is wrong because Cloud SQL with external replicas is a high-availability or read-scaling feature, not a migration service; it cannot perform the initial data load or continuous replication from an on-premises source. Option D is wrong because Compute Engine with MySQL installed is a manual lift-and-shift approach that requires custom scripting, downtime for data export/import, and lacks automated replication, making minimal downtime difficult to achieve.

53
MCQmedium

A company is using Cloud NAT to allow private instances to access the internet. However, they notice that traffic from different instances appears to come from the same external IP address. What is the reason?

A.Cloud NAT is not configured correctly; traffic should come from different IPs.
B.Cloud NAT uses a single external IP by default unless you specify multiple.
C.The instances are using a shared VPC so NAT IP is shared.
D.Each instance is assigned a unique external IP by Cloud NAT.
AnswerB

Default Cloud NAT uses one external IP; you can add more.

Why this answer

Cloud NAT uses a source network address translation (SNAT) configuration that, by default, maps all outbound traffic from instances in a VPC network to a single external IP address. This is the expected behavior unless you explicitly configure multiple NAT IP addresses in a NAT gateway or use a Cloud Router with custom SNAT settings. Option B correctly identifies that Cloud NAT defaults to a single external IP unless you specify multiple.

Exam trap

Google Cloud often tests the misconception that Cloud NAT should assign unique external IPs per instance (like a public IP on a VM), when in fact the default behavior is SNAT with a single shared IP, and candidates may incorrectly assume a misconfiguration or shared VPC is the cause.

How to eliminate wrong answers

Option A is wrong because Cloud NAT is designed to allow multiple instances to share one or more external IPs; traffic appearing from the same IP is not a misconfiguration but the default behavior. Option C is wrong because a shared VPC does not inherently cause NAT IP sharing—Cloud NAT is configured per VPC network or subnetwork, and the IP sharing is a function of the NAT gateway's IP pool, not the VPC architecture. Option D is wrong because Cloud NAT does not assign unique external IPs to each instance; it performs SNAT so that all outbound traffic from the NAT gateway's configured IP range appears to originate from the same IP (or set of IPs) rather than per-instance.

54
Multi-Selecteasy

A company is implementing cost optimization for their Google Cloud resources. Which two practices are recommended? (Choose two.)

Select 2 answers
A.Keep all resources in a single region to avoid data transfer costs.
B.Always use premium-tier networking for all traffic.
C.Use committed use discounts for predictable workloads.
D.Use preemptible VMs for all batch jobs irrespective of fault tolerance.
E.Delete unused static external IP addresses.
AnswersC, E

CUDs provide significant discounts for stable usage.

Why this answer

Committed use discounts (CUDs) are recommended for cost optimization because they provide significant discounts (up to 70% for vCPUs and memory) in exchange for a commitment to use a minimum level of resources (e.g., 1-year or 3-year term) for predictable workloads. This aligns costs with actual usage patterns, reducing waste from on-demand pricing. Deleting unused static external IP addresses is also recommended because each static IP incurs a small hourly charge (e.g., $0.005/hour for a regional IP) even when not attached to a resource, so removing them eliminates unnecessary costs.

Exam trap

The trap here is that candidates often assume 'single region' avoids all data transfer costs (ignoring cross-zone charges) or that preemptible VMs are safe for any batch job, but the ACE exam tests the nuance that preemptible VMs require fault tolerance and that static IPs have ongoing costs even when idle.

55
Matchingmedium

Match each IAM role to its typical access level.

Matches

Read-only access to resources

Read and modify resources

Full access including IAM management

Read access to browse the hierarchy

Read access to IAM policies

Why these pairings

IAM roles define permissions in GCP.

56
MCQeasy

A batch data processing job runs nightly for 4 hours and can tolerate interruption because it saves progress checkpoints every 15 minutes. Which VM option offers the greatest cost reduction?

A.Custom machine type VM with reduced memory
B.Spot VM
C.Sole-tenant node VM
D.Shielded VM
AnswerB

Spot VMs are available at up to 91% discount and are ideal for batch workloads that tolerate interruption and implement checkpointing.

Why this answer

Spot VMs offer a significant cost reduction (a 60% to 91% discount) compared to standard VMs, making them ideal for fault-tolerant, interruptible batch workloads. Since the job saves checkpoints every 15 minutes, it can resume from the last checkpoint if preempted, fully leveraging the cost benefit of Spot VMs.

Exam trap

Google Cloud often tests the misconception that custom machine types or sole-tenant nodes are cost-saving options, but the trap here is that Spot VMs are the only option that directly leverages preemptible pricing for interruptible workloads, while other options either increase cost or provide no cost benefit.

How to eliminate wrong answers

Option A is wrong because reducing memory on a custom machine type does not provide the same magnitude of cost savings as Spot VMs, and the question specifically asks for the greatest cost reduction. Option C is wrong because sole-tenant nodes are designed for dedicated hardware compliance or licensing requirements, and they are more expensive than standard VMs, offering no cost reduction. Option D is wrong because Shielded VMs provide security features (secure boot, vTPM, integrity monitoring) but do not reduce cost; they may even add a slight premium.

57
MCQeasy

A startup wants to host a static website (HTML, CSS, JS) globally with minimal latency and high availability. They expect low traffic initially but want to scale seamlessly. Which solution is most cost-effective and simple?

A.Compute Engine with nginx
B.App Engine standard environment
C.Cloud Functions with HTTP triggers
D.Cloud Storage bucket with Cloud CDN enabled
AnswerD

Static website hosting from a bucket is simple, and CDN provides global low latency.

Why this answer

A Cloud Storage bucket with Cloud CDN enabled is the most cost-effective and simple solution for hosting a static website globally with minimal latency. Cloud Storage natively serves static content (HTML, CSS, JS) without provisioning servers, and Cloud CDN caches content at edge locations worldwide, reducing latency. It scales seamlessly from zero traffic to high demand without manual intervention, and costs are based only on storage and egress, making it ideal for low-traffic startups.

Exam trap

Google Cloud often tests the misconception that static websites require a compute layer (like App Engine or Compute Engine) to serve files, when in fact Cloud Storage with CDN is the simplest and most cost-effective serverless option for static content.

How to eliminate wrong answers

Option A is wrong because Compute Engine with nginx requires managing a virtual machine, which adds operational overhead and cost for idle resources, and does not provide global edge caching without additional configuration. Option B is wrong because App Engine standard environment is designed for dynamic web applications with server-side code, not purely static sites, and incurs costs for always-on instances even at low traffic. Option C is wrong because Cloud Functions with HTTP triggers is intended for event-driven, short-lived compute tasks, not for serving static files efficiently; it would incur per-invocation costs and cold start latency, and lacks built-in global CDN caching for static assets.

58
MCQhard

An e-commerce application has a read-heavy database workload: 95% reads, 5% writes. The primary Cloud SQL instance is experiencing CPU saturation during peak read traffic. What is the most appropriate GCP-native solution that minimizes changes to application code?

A.Enable Cloud SQL high availability; the standby replica will serve read traffic.
B.Create Cloud SQL read replicas and route read queries to the replica endpoint.
C.Scale the primary Cloud SQL instance vertically to a larger machine type.
D.Migrate from Cloud SQL to Cloud Spanner for unlimited horizontal read scalability.
AnswerB

Read replicas receive replicated data from the primary and serve SELECT queries. Application code only needs different connection strings for reads vs. writes — minimal changes.

Why this answer

B is correct because Cloud SQL read replicas are designed to offload read traffic from the primary instance, directly addressing CPU saturation during peak reads without requiring application code changes—simply route SELECT queries to the read replica's IP address. This is the most appropriate GCP-native solution for a read-heavy (95% reads) workload, as it horizontally scales read capacity while keeping writes on the primary.

Exam trap

The trap here is that candidates confuse Cloud SQL HA standby replicas with read replicas, assuming the standby can serve reads, when in fact HA standby replicas are passive and only used for automatic failover.

How to eliminate wrong answers

Option A is wrong because Cloud SQL high availability (HA) uses a standby replica in a different zone that does not serve read traffic; it only provides failover for writes, so it does not offload read queries or reduce CPU on the primary. Option C is wrong because vertical scaling (larger machine type) increases cost and has an upper limit, and it does not leverage the read-heavy nature of the workload; it also requires a brief downtime during the resize. Option D is wrong because migrating to Cloud Spanner introduces significant application code changes (e.g., different query syntax, strong consistency model) and is overkill for a simple read-heavy MySQL/PostgreSQL workload; Spanner is designed for globally distributed, strongly consistent transactions, not for minimizing code changes.

59
MCQmedium

You need to store application configuration data that changes infrequently (e.g., feature flags, database connection strings). Multiple services need to read this configuration at startup, and values must never appear in application code or container images. Updates to configuration should not require redeploying services. Which GCP service is most appropriate?

A.Store configuration in environment variables set at deployment time.
B.Use Cloud Secret Manager to store and retrieve configuration at runtime.
C.Store configuration in a Cloud Storage bucket readable by all services.
D.Use Cloud Firestore to store configuration documents that services read on startup.
AnswerB

Secret Manager provides versioned, IAM-controlled secret storage. Services read secrets at startup via API; updates are applied without redeployment by accessing the latest version.

Why this answer

Secret Manager is designed exactly for storing sensitive configuration (connection strings, API keys, feature flags with sensitive values). Secrets can be accessed via API or SDK at runtime without being embedded in code or images. Secret Manager supports versioning, automatic rotation triggers, and IAM-controlled access.

When a secret value changes, services can be configured to reload it without redeployment using Secret Manager's notification integration.

60
MCQeasy

You need to choose between Cloud Storage storage classes for a dataset used in BigQuery for ad-hoc analysis. The data is queried approximately once per month. Which storage class minimizes storage cost while maintaining query availability?

A.Standard storage class
B.Nearline storage class
C.Coldline storage class
D.Archive storage class
AnswerB

Nearline is optimized for data accessed roughly once per month: lower storage cost than Standard with a retrieval fee. It balances storage cost savings against monthly access frequency appropriately.

Why this answer

Nearline storage class is the best choice because it offers the lowest storage cost for data accessed less than once a month (30-day minimum storage duration) while still providing sub-second access for BigQuery queries. Standard storage has no minimum duration but is more expensive for infrequent access, while Coldline and Archive have lower storage costs but impose higher retrieval costs and longer access times that are unsuitable for ad-hoc BigQuery queries.

Exam trap

Google Cloud often tests the misconception that 'cheapest storage class' always minimizes total cost, but the trap here is that Archive and Coldline have hidden retrieval costs and minimum storage durations that make them more expensive for data accessed even occasionally, and they cannot be queried directly by BigQuery without prior restoration.

How to eliminate wrong answers

Option A is wrong because Standard storage class has no minimum storage duration but is the most expensive per GB, making it cost-inefficient for data queried only once per month. Option C is wrong because Coldline storage class has a 90-day minimum storage duration and higher retrieval costs, which would increase total cost for data accessed monthly and is not optimized for query availability in BigQuery. Option D is wrong because Archive storage class has a 365-day minimum storage duration and the highest retrieval costs, plus data must be restored before querying, making it unsuitable for ad-hoc BigQuery analysis that requires immediate availability.

61
MCQmedium

A batch processing job runs on preemptible VMs in a managed instance group. The job frequently fails due to preemption. Which design change would most effectively improve the job's resilience?

A.Use committed use discounts (1-year or 3-year).
B.Add GPUs to the instances.
C.Use sole-tenant nodes.
D.Use a managed instance group with distribution across multiple zones and enable autoscaling.
AnswerD

Distributing across zones reduces the chance of all instances being preempted simultaneously; autoscaling replaces failed instances.

Why this answer

Option D is correct because distributing the managed instance group across multiple zones and enabling autoscaling ensures that when preemptible VMs are terminated in one zone, the autoscaler can provision replacement VMs in another zone that still has capacity. This architecture leverages the fact that preemption events are often zone-specific, so multi-zone distribution combined with autoscaling provides resilience without requiring persistent resources.

Exam trap

Google Cloud often tests the misconception that committed use discounts or sole-tenant nodes provide preemption protection, when in fact they only affect pricing or hardware isolation, not the preemptible VM lifecycle.

How to eliminate wrong answers

Option A is wrong because committed use discounts (1-year or 3-year) reduce cost for sustained usage but do not prevent or mitigate preemption; preemptible VMs can still be terminated at any time regardless of commitments. Option B is wrong because adding GPUs to instances increases cost and does not address the root cause of preemption; GPUs do not make VMs less likely to be preempted. Option C is wrong because sole-tenant nodes dedicate physical servers to a single project, but preemptible VMs on those nodes are still subject to preemption; sole-tenant nodes do not provide any preemption protection.

62
MCQmedium

A payment service publishes an event to a message queue every time a transaction completes. Multiple downstream services (inventory, analytics, email) must each process every event independently. Which messaging pattern and GCP service best supports this?

A.Cloud Tasks with one queue per downstream service
B.Cloud Pub/Sub with one subscription per downstream service on a shared topic
C.Cloud Storage event notifications with three separate buckets
D.Directly calling each downstream service's API synchronously from the payment service
AnswerB

Pub/Sub's fan-out model: one topic, multiple subscriptions. Each subscription receives every message independently, decoupling the payment service from each consumer.

Why this answer

Cloud Pub/Sub with a single topic and one subscription per downstream service is the correct pattern because it implements a fan-out messaging model where each subscriber receives an independent copy of every published message. This ensures that inventory, analytics, and email services each process every transaction event without interference, while Pub/Sub handles at-least-once delivery and automatic scaling.

Exam trap

Google Cloud often tests the distinction between Cloud Tasks (point-to-point task execution) and Cloud Pub/Sub (fan-out messaging), and the trap here is that candidates confuse 'multiple queues' with 'multiple subscriptions,' failing to recognize that Pub/Sub’s topic-subscription model is the native GCP solution for independent event processing.

How to eliminate wrong answers

Option A is wrong because Cloud Tasks is designed for reliable task execution with a single queue per worker, not for fan-out to multiple independent consumers; using one queue per service would require the payment service to publish the same event to multiple queues, duplicating effort and breaking the decoupled pattern. Option C is wrong because Cloud Storage event notifications are triggered by object changes in a bucket and cannot reliably fan out the same event to multiple independent services without complex workarounds; they also lack the at-least-once delivery guarantees and subscription-level acknowledgment that Pub/Sub provides. Option D is wrong because directly calling each downstream service's API synchronously from the payment service creates tight coupling, increases latency (the payment service must wait for all responses), and introduces a single point of failure—if one service is slow or down, the entire transaction processing is blocked.

63
MCQhard

You are planning a Private Service Connect (PSC) configuration to allow your VPC to access a managed Cloud SQL instance over a private endpoint without exposing traffic to the public internet. What does Private Service Connect provide in this context?

A.PSC creates a VPC peering connection between your VPC and Google's service VPC.
B.PSC provides a private, internal IP endpoint in your VPC that routes to the managed service without traversing the public internet.
C.PSC enables bidirectional private communication between your VPC and the service's VPC, similar to peering.
D.PSC replaces the need for a Serverless VPC Access connector when calling managed services from Cloud Run.
AnswerB

PSC creates a forwarding rule in your VPC with an internal IP. Connections to this IP are routed privately to the managed service (Cloud SQL in this case) entirely within Google's network.

Why this answer

Private Service Connect (PSC) allows you to access Google-managed services (like Cloud SQL) by creating a private, internal IP endpoint within your VPC. This endpoint uses an internal IP address from your VPC's subnet and forwards traffic to the service without ever leaving Google's network, thus avoiding the public internet. Unlike VPC peering, PSC does not require you to manage peering relationships or worry about overlapping IP ranges.

Exam trap

The trap here is that candidates confuse Private Service Connect with VPC peering or assume it provides bidirectional connectivity, when in fact PSC is a unidirectional, endpoint-based model that does not require peering or address space coordination.

How to eliminate wrong answers

Option A is wrong because PSC does not create a VPC peering connection; it uses a Private Service Connect endpoint (a forwarding rule) that maps to a service attachment in the producer's VPC, not a direct peering link. Option C is wrong because PSC provides unidirectional (consumer-to-producer) access, not bidirectional communication; the producer cannot initiate connections back to the consumer's VPC. Option D is wrong because PSC is not a replacement for Serverless VPC Access connector; the connector is used to allow serverless environments (like Cloud Run) to reach resources in a VPC, whereas PSC is for accessing managed services from a VPC.

64
MCQmedium

An application architect is comparing Cloud SQL (PostgreSQL) and Cloud Spanner for a new global e-commerce platform. The platform must serve customers on three continents with <50ms latency for reads and strong consistency for inventory updates. Which service best fits?

A.Cloud SQL with one primary instance and cross-region read replicas
B.Cloud Spanner multi-region configuration
C.Cloud Firestore in multi-region mode
D.Cloud SQL with Cloud Memorystore caching layer for reads
AnswerB

Cloud Spanner multi-region provides strong consistency for writes with globally distributed read replicas for low-latency reads — exactly matching the three-continent, strong-consistency requirement.

Why this answer

Cloud Spanner multi-region configuration is the correct choice because it provides strong global consistency with <50ms read latency across continents, which is essential for an e-commerce platform requiring real-time inventory updates. Spanner uses TrueTime and Paxos-based replication to ensure ACID transactions globally, meeting both the latency and consistency requirements simultaneously.

Exam trap

Google Cloud often tests the misconception that read replicas or caching layers can provide strong consistency globally, but only Spanner's synchronous replication and TrueTime guarantee ACID transactions across continents.

How to eliminate wrong answers

Option A is wrong because Cloud SQL cross-region read replicas are asynchronous, meaning they can serve stale data and do not provide strong consistency for inventory updates across continents. Option C is wrong because Cloud Firestore in multi-region mode offers strong consistency but is designed for NoSQL workloads and lacks the relational capabilities (e.g., joins, transactions) typically needed for complex e-commerce inventory systems. Option D is wrong because Cloud Memorystore caching layer for reads does not solve the strong consistency requirement for writes; it only improves read latency but cannot guarantee that inventory updates are immediately consistent across regions.

65
MCQeasy

A startup runs its application entirely on Cloud Run. They want to use a custom domain (api.mycompany.com) instead of the default Cloud Run URL. Which GCP feature maps a custom domain to a Cloud Run service?

A.Cloud DNS — create a CNAME record pointing to the Cloud Run URL
B.Cloud Run Domain Mappings or a Global Load Balancer with a Serverless NEG
C.Cloud Endpoints with an API gateway configuration
D.Firebase Hosting rewrites to Cloud Run
AnswerB

Cloud Run Domain Mappings provide the simplest path to custom domains with automatic TLS. For advanced routing, a Global Load Balancer with a Serverless Network Endpoint Group (NEG) is used.

Why this answer

Option B is correct because Cloud Run Domain Mappings provide a native, managed way to map a custom domain to a Cloud Run service without additional infrastructure. Alternatively, a Global Load Balancer with a Serverless NEG (Network Endpoint Group) can also route traffic from a custom domain to Cloud Run, offering advanced features like SSL termination and traffic splitting. Both approaches are officially supported by Google Cloud for custom domain mapping.

Exam trap

The trap here is that candidates often assume a simple DNS CNAME record is sufficient, but Cloud Run requires domain ownership verification and SSL certificate management, which only Domain Mappings or a Load Balancer with Serverless NEG provide.

How to eliminate wrong answers

Option A is wrong because a CNAME record in Cloud DNS alone cannot map a custom domain to Cloud Run; Cloud Run requires verification of domain ownership and SSL certificate provisioning, which a simple CNAME does not handle. Option C is wrong because Cloud Endpoints with an API gateway configuration is designed for managing, securing, and monitoring APIs, not for mapping a custom domain to a Cloud Run service; it operates at a higher layer and does not replace the need for domain mapping. Option D is wrong because Firebase Hosting rewrites to Cloud Run are a feature of Firebase Hosting, not a direct GCP feature for mapping a custom domain to Cloud Run; it introduces an unnecessary intermediary and is not the standard approach for a standalone Cloud Run service.

66
MCQeasy

A compliance archive stores legal documents accessed at most once per quarter. Which Cloud Storage class minimizes storage cost while meeting that access pattern?

A.Standard
B.Nearline
C.Coldline
D.Archive
AnswerC

Coldline is ideal for data accessed once per quarter or less. It offers low storage cost with a 90-day minimum storage duration, matching this use case.

Why this answer

Coldline storage is designed for data accessed less than once per quarter, offering lower storage costs than Standard or Nearline while still providing millisecond access when needed. For a compliance archive accessed at most once per quarter, Coldline minimizes storage cost without incurring the higher retrieval fees or minimum storage durations of Archive storage.

Exam trap

Google Cloud often tests the misconception that Archive is always the cheapest option for infrequently accessed data, ignoring the minimum storage duration and retrieval costs that can make Coldline more cost-effective for quarterly access patterns.

How to eliminate wrong answers

Option A is wrong because Standard storage is optimized for frequently accessed data (multiple times per month) and has the highest storage cost, making it unsuitable for quarterly access. Option B is wrong because Nearline is intended for data accessed less than once per month, not once per quarter, and its storage cost is higher than Coldline for this access pattern. Option D is wrong because Archive storage, while having the lowest storage cost, imposes a 365-day minimum storage duration and higher retrieval fees, which is excessive for data accessed quarterly and may increase total cost if data is deleted early.

67
MCQhard

A SaaS company serves 200 enterprise customers, each requiring complete data isolation in separate databases. The company needs to provision a new customer database within minutes and manage 200 databases with minimal overhead. Which GCP approach scales most efficiently?

A.200 separate Cloud SQL instances, one per customer
B.A single Cloud SQL instance with a separate schema (database) per customer, provisioned via API automation
C.Storing all customer data in a single shared database with customer_id as a discriminator column
D.Using BigQuery with a separate dataset per customer
AnswerB

A single Cloud SQL instance with per-customer databases (schemas) balances isolation, cost efficiency, and provisioning speed. Automation via API or Terraform enables sub-minute provisioning.

Why this answer

Option B is correct because it uses a single Cloud SQL instance with separate schemas (databases) per customer, which allows you to achieve complete data isolation while minimizing overhead. Provisioning a new schema via API automation takes seconds, and managing 200 schemas on one instance is far more efficient than managing 200 separate instances. This approach scales efficiently because Cloud SQL supports up to 10,000 databases per instance, and you can leverage connection pooling and shared resources without sacrificing isolation.

Exam trap

The trap here is that candidates often confuse 'data isolation' with 'physical separation' and assume separate instances are required, but GCP's Cloud SQL supports logical isolation via separate databases on a single instance, which is far more efficient and still meets the isolation requirement.

How to eliminate wrong answers

Option A is wrong because managing 200 separate Cloud SQL instances introduces massive operational overhead, including patching, backups, and monitoring each instance individually, and it does not scale efficiently for provisioning within minutes. Option C is wrong because storing all customer data in a single shared database with a customer_id discriminator column violates the requirement for complete data isolation, as a query error or bug could expose data across customers. Option D is wrong because BigQuery is a data warehouse designed for analytics, not for the transactional, low-latency database operations required by a SaaS application, and provisioning a new dataset does not provide the same isolation or performance characteristics as a relational database schema.

68
MCQmedium

A team is building a real-time multiplayer game backend requiring low-latency state synchronization between players worldwide. Session data must persist for the duration of a game (up to 2 hours) but doesn't need long-term storage. Which managed service best fits?

A.Cloud SQL for PostgreSQL with connection pooling
B.Cloud Memorystore for Redis
C.Cloud Bigtable
D.Cloud Firestore in Native mode
AnswerB

Memorystore provides sub-millisecond in-memory storage with built-in TTL support for expiring game sessions — ideal for real-time, ephemeral state.

Why this answer

Cloud Memorystore for Redis is the best fit because it provides an in-memory data store with sub-millisecond latency, ideal for real-time state synchronization in a multiplayer game. Redis supports data structures like sets and sorted sets for leaderboards or session state, and its optional persistence (RDB/AOF) can cover the 2-hour game duration without needing long-term storage. This aligns with the requirement for low-latency, ephemeral session data that must survive only the game session.

Exam trap

Google Cloud often tests the distinction between in-memory caches (Redis) and persistent databases (Cloud SQL, Bigtable, Firestore), where candidates mistakenly choose a database with real-time features (like Firestore) without recognizing that its latency and consistency model are insufficient for sub-millisecond state synchronization.

How to eliminate wrong answers

Option A is wrong because Cloud SQL for PostgreSQL is a relational database with disk-based storage, incurring higher latency (typically 5-10 ms) unsuitable for real-time state synchronization, and connection pooling does not address the fundamental latency or in-memory performance need. Option C is wrong because Cloud Bigtable is a wide-column NoSQL database optimized for large-scale analytical workloads (e.g., time-series data) with high throughput but not sub-millisecond latency for frequent read/write operations in a real-time game; it also requires a cluster and is overkill for ephemeral session data. Option D is wrong because Cloud Firestore in Native mode is a document database with real-time listeners but has higher latency (typically 10-100 ms) and is designed for persistent, scalable app data, not for ultra-low-latency, short-lived session state; its eventual consistency model can also cause synchronization issues in a fast-paced game.

69
Multi-Selecthard

A company has multiple Google Cloud projects and needs to connect VPCs in different regions privately without traversing the public internet or using VPN tunnels. Which two Google Cloud networking solutions can accomplish this requirement?

Select 2 answers
A.VPC Peering
B.Private Google Access
C.Cloud NAT
D.Cloud VPN
E.Shared VPC
AnswersA, E

VPC Peering provides direct private connectivity between VPC networks and supports cross-region peering; Shared VPC lets service projects use subnets of a central host project.

Why this answer

Options A and E are correct. VPC Peering (A) allows direct peering between VPCs across regions without traversing the internet. Shared VPC (E) allows centralized management and private connectivity between host and service projects.

Option C (Cloud NAT) is for outbound internet access. Option D (Cloud VPN) uses the public internet. Option B (Private Google Access) allows on-premises access to Google APIs.

70
MCQmedium

A team is designing a system where two GCP projects — a shared services project and an application project — need their VMs to communicate using private IPs. Both projects are in the same organization. Which networking option best enables this with centralized network management?

A.VPC Peering between the two projects' VPCs
B.Shared VPC (XPN) with the shared services project as the host
C.Cloud VPN between the two projects' default VPCs
D.Using external IPs with TLS — private IP communication isn't necessary between GCP projects
AnswerB

Shared VPC centralizes network management in the host project while allowing service project VMs to use shared subnets with private IPs — ideal for organization-wide network governance.

Why this answer

Shared VPC (XPN) allows an organization to centrally manage networking across multiple projects from a single host project, enabling VMs in the shared services project and the application project to communicate via private IPs without needing separate peering or VPN configurations. This is the best option because it provides centralized network administration and policy enforcement, which aligns with the requirement for centralized network management.

Exam trap

The trap here is that candidates often choose VPC Peering (Option A) because it seems simpler for connecting two projects, but they overlook the explicit requirement for centralized network management, which Shared VPC uniquely provides by design.

How to eliminate wrong answers

Option A is wrong because VPC Peering requires manual configuration of each peering connection and does not provide centralized network management; each project retains separate administrative control, and routes must be managed individually. Option C is wrong because Cloud VPN is designed for connecting on-premises networks or different VPCs across regions via encrypted tunnels, but it adds complexity and latency for intra-organization communication that can be achieved more simply with Shared VPC. Option D is wrong because using external IPs with TLS violates the requirement for private IP communication and introduces security risks and egress costs, as well as bypassing the centralized management goal.

71
MCQmedium

A team builds a document processing pipeline: files are uploaded to Cloud Storage, then analyzed by Cloud Vision AI, results stored in Firestore, and a confirmation email sent. Each step depends on the previous. Which GCP service orchestrates these sequential, dependent steps reliably?

A.Cloud Pub/Sub with a subscription per step
B.Cloud Tasks with per-step queues
C.Cloud Workflows
D.Cloud Functions chained via HTTP calls
AnswerC

Cloud Workflows orchestrates sequential API calls with conditional logic, error handling, and retries — purpose-built for coordinating dependent multi-step pipelines.

Why this answer

Cloud Workflows is designed to orchestrate sequential, dependent steps with built-in retry, error handling, and state management. It directly models the pipeline as a series of steps where each step's output feeds the next, without requiring manual chaining or intermediate messaging infrastructure.

Exam trap

Google Cloud often tests the distinction between asynchronous messaging (Pub/Sub, Tasks) and synchronous orchestration (Workflows), where candidates mistakenly choose a messaging service for sequential workflows because they focus on 'reliability' rather than 'ordered dependency management'.

How to eliminate wrong answers

Option A is wrong because Cloud Pub/Sub is a publish-subscribe messaging service for asynchronous, decoupled communication, not for orchestrating sequential dependent steps; it would require additional logic to enforce order and handle failures. Option B is wrong because Cloud Tasks is a distributed task queue for executing discrete tasks asynchronously, not for defining a sequential workflow with dependencies; it lacks built-in step sequencing and state management. Option D is wrong because chaining Cloud Functions via HTTP calls creates tight coupling, requires manual error handling and retries, and does not provide a centralized view of the workflow execution or built-in step sequencing.

72
MCQhard

Refer to the exhibit. A user tries to delete the disk 'my-disk' but receives an error. Based on the exhibit, what is the most likely cause?

A.The disk is being used by a snapshot.
B.The disk size must be 0 to delete.
C.The disk is still attached to an instance.
D.The disk is not in the correct project.
AnswerC

The USERS field shows attachment to an instance.

Why this answer

Option C is correct because a disk cannot be deleted while it is attached to a running or stopped instance. In Google Cloud, you must first detach the disk from the instance before deletion. The error message indicates the disk is in use, and the exhibit confirms it is attached to an instance.

Exam trap

Google Cloud often tests the misconception that snapshots or disk size prevent deletion, but the real blocker is the attachment state, which is a common oversight when managing persistent disks.

How to eliminate wrong answers

Option A is wrong because a disk can be deleted even if it has snapshots; snapshots are independent and do not block disk deletion. Option B is wrong because disk size does not need to be 0 for deletion; any size disk can be deleted as long as it is not attached. Option D is wrong because the disk is in the correct project, as shown in the exhibit; the error is not related to project permissions or location.

73
MCQeasy

A media company needs to serve large video files (average 2 GB) to global users with low latency. The files are stored in Cloud Storage. What combination of services delivers the best streaming performance?

A.Cloud Storage in a multi-region bucket with direct public access
B.Cloud Storage + Cloud CDN via a Global Load Balancer backend bucket
C.Upload video files to a Compute Engine VM with nginx serving them directly
D.Cloud Filestore with NFS-mounted streaming
AnswerB

Enabling Cloud CDN on a Cloud Storage backend bucket caches video files at Google's edge PoPs globally, reducing latency and origin bandwidth for geographically distributed users.

Why this answer

Cloud Storage combined with Cloud CDN via a Global Load Balancer backend bucket is the best choice because it provides edge caching of large video files, reducing latency for global users. The Global Load Balancer terminates HTTP(S) traffic at the closest point of presence, and Cloud CDN caches content from the multi-region bucket, minimizing origin load and improving streaming performance.

Exam trap

Google Cloud often tests the misconception that direct Cloud Storage access (Option A) is sufficient for global low-latency streaming, but the trap is that without a CDN and load balancer, users experience high latency and the bucket cannot handle global traffic efficiently.

How to eliminate wrong answers

Option A is wrong because a multi-region bucket with direct public access lacks edge caching, meaning every user request hits the bucket directly, increasing latency and egress costs for global streaming. Option C is wrong because serving large video files from a single Compute Engine VM with nginx creates a single point of failure, cannot scale to handle global traffic, and introduces unnecessary latency for users far from the VM's region. Option D is wrong because Cloud Filestore with NFS-mounted streaming is designed for high-performance file shares for compute instances, not for direct internet-facing content delivery; it lacks CDN integration and cannot serve video files with low latency to global users.

74
MCQmedium

A team needs to run a containerized HTTP API that scales to zero when idle and requires zero cluster or server management. Which GCP compute platform is the best fit?

A.Compute Engine with a managed instance group
B.Google Kubernetes Engine Autopilot
C.Cloud Run
D.App Engine Flexible
AnswerC

Cloud Run is purpose-built for containerized HTTP services with zero-to-scale autoscaling, no infrastructure management, and per-request billing.

Why this answer

Cloud Run is the best fit because it is a fully managed serverless platform that automatically scales your containerized HTTP API to zero when idle, meaning you pay only for resources used during request processing. It requires no cluster or server management, as it abstracts away the underlying infrastructure entirely, unlike other options that still involve some level of node or instance management.

Exam trap

Google Cloud often tests the distinction between 'scaling to zero' and 'scaling down to a minimum of one' — candidates mistakenly think GKE Autopilot or App Engine Flexible can scale to zero, but only Cloud Run (and Cloud Functions) natively supports true zero-instance scaling without additional configuration.

How to eliminate wrong answers

Option A is wrong because Compute Engine with a managed instance group still requires you to manage virtual machine instances, and while it can scale down, it cannot scale to zero instances (minimum is 1 per zone) and involves server management. Option B is wrong because Google Kubernetes Engine Autopilot, while reducing node management, still requires you to manage a Kubernetes cluster (even if abstracted) and cannot scale to zero pods without manual configuration or third-party tools like KEDA, plus you pay for the cluster control plane. Option D is wrong because App Engine Flexible runs containers but requires at least one instance to be running at all times (cannot scale to zero), and it involves more configuration for custom runtimes compared to Cloud Run's simplicity.

75
Matchingmedium

Match each Google Kubernetes Engine (GKE) concept to its definition.


Matches

Smallest deployable unit, one or more containers

Exposes a set of pods as a network service

Declarative update for pods and ReplicaSets

A worker machine in a Kubernetes cluster

Set of nodes managed by the control plane

Why these pairings

These are core Kubernetes objects used in GKE.
