Google Cloud Digital Leader (GCDL) — Questions 175

507 questions total · 7pages · All types, answers revealed

Page 1 of 7

Page 2
1
MCQeasy

A startup has deployed a Node.js application on Cloud Run. They are seeing a higher-than-expected bill for Cloud Run usage. The application is accessed by users worldwide, and traffic patterns show occasional spikes. They want to reduce costs while maintaining performance. They currently have no concurrency management and use the default Cloud Run settings. What should they do first?

A.Implement a caching layer with Cloud CDN.
B.Move the application to Compute Engine with a smaller machine type.
C.Set a maximum number of concurrent requests per container instance to reduce over-provisioning.
D.Reduce the container memory limit to the minimum required.
AnswerC

Increasing concurrency allows a single instance to handle multiple requests, reducing the number of instances needed and lowering costs.

Why this answer

Option C is correct because Cloud Run bills for CPU time during request processing, and the default setting allows unlimited concurrent requests per container instance. By setting a maximum concurrency, you prevent a single instance from being overwhelmed during traffic spikes, which reduces the number of instances needed and avoids over-provisioning. This directly lowers costs while maintaining performance by ensuring each instance handles only its optimal load.

Exam trap

The trap here is that candidates confuse reducing memory limits (Option D) with concurrency management, but memory reduction does not control the number of simultaneous requests hitting an instance, which is the root cause of over-provisioning in serverless billing.

How to eliminate wrong answers

Option A is wrong because implementing Cloud CDN adds caching for static content but does not address the core issue of over-provisioning from unlimited concurrency; it also incurs additional CDN costs. Option B is wrong because moving to Compute Engine with a smaller machine type abandons Cloud Run's serverless scaling and introduces fixed costs, manual scaling, and potential performance degradation during spikes. Option D is wrong because reducing the container memory limit to the minimum required may cause out-of-memory errors or increased cold starts, and it does not control the number of concurrent requests per instance, which is the primary driver of over-provisioning.

2
MCQeasy

A startup is building a web application and wants to protect it from common web attacks like SQL injection and cross-site scripting. Which Google Cloud product provides web application firewall (WAF) capabilities?

A.Cloud Firewall, which controls network-level traffic based on IP and port rules
B.Cloud Armor, which provides WAF rules to detect and block SQL injection, XSS, and other OWASP Top 10 attacks
C.VPC Service Controls, which prevent data exfiltration from Google Cloud services
D.Security Command Center, which detects security misconfigurations across Google Cloud resources
AnswerB

Cloud Armor is Google Cloud's WAF. It includes preconfigured rule sets for OWASP Top 10 vulnerabilities including SQL injection and XSS, and operates at the application layer (Layer 7) where it can inspect HTTP requests. It also provides DDoS protection.

Why this answer

Cloud Armor is Google Cloud's web application firewall (WAF) service that provides pre-configured rules to detect and block common web attacks, including SQL injection and cross-site scripting (XSS), as well as other OWASP Top 10 threats. It integrates with Cloud Load Balancing and allows you to create custom security policies with rate limiting, IP allow/deny lists, and managed rule sets. This makes it the correct choice for protecting a web application at the application layer.

Exam trap

The trap here is confusing network-layer firewalls (Cloud Firewall) with application-layer WAFs (Cloud Armor), leading candidates to choose Option A because both contain 'Firewall' in the name, but they operate at completely different layers of the OSI model.

How to eliminate wrong answers

Option A is wrong because Cloud Firewall operates at the network layer (Layer 3/4) controlling traffic based on IP addresses, ports, and protocols, and does not inspect application-layer payloads for SQL injection or XSS. Option C is wrong because VPC Service Controls are designed to prevent data exfiltration by creating perimeters around Google Cloud services, not to inspect HTTP/HTTPS traffic for web attacks. Option D is wrong because Security Command Center is a security management and vulnerability detection platform that identifies misconfigurations and threats across resources, but it does not provide inline WAF rule enforcement to block malicious requests in real time.

3
Multi-Selectmedium

A retail company is migrating its e-commerce platform to Google Cloud to improve scalability and reduce operational overhead. Which TWO benefits of cloud technology are most directly realized in this scenario?

Select 2 answers
A.Long-term contracts guarantee lower prices for multi-year commitments.
B.Automatic scalability adjusts resources based on demand.
C.Pay-as-you-go pricing eliminates upfront infrastructure costs.
D.Dedicated hardware is provisioned for the company exclusively.
E.Full control over physical servers ensures security compliance.
AnswersB, C

Correct: Autoscaling handles variable traffic without manual intervention.

Why this answer

Option A (Pay-as-you-go pricing) allows the company to pay only for resources used, avoiding upfront costs. Option D (Automatic scalability) enables the platform to handle traffic spikes without manual provisioning. Option B (On-premises control) is not a cloud benefit; option C (Dedicated hardware) is not typical of cloud; option E (Long-term contracts) is not a benefit.

4
MCQmedium

A company uses Cloud CDN to deliver static content. They notice that some content is being served stale despite a TTL of 1 hour. What should they check to ensure content is always fresh?

A.Verify that the origin server sets appropriate Cache-Control headers (e.g., max-age=3600).
B.Enable cache invalidation for all objects daily.
C.Increase the TTL in the CDN configuration to 24 hours.
D.Use Cloud Storage as the origin and set caching to 'public'.
AnswerA

Cloud CDN respects the Cache-Control header from the origin; if it is missing or set to a lower value, content may become stale sooner.

Why this answer

Option A is correct because Cloud CDN relies on the Cache-Control: max-age directive from the origin server to determine how long content should be considered fresh. If the origin does not set max-age=3600 (or a comparable value), Cloud CDN may serve stale content even if the CDN TTL is configured to 1 hour, as the CDN respects the origin's cache headers by default. Ensuring the origin sets appropriate Cache-Control headers guarantees that Cloud CDN caches content for the intended duration.

Exam trap

Google Cloud often tests the misconception that CDN TTL settings alone control freshness, when in reality the origin's Cache-Control headers are authoritative unless overridden by explicit CDN policies like 'cache modes' or 'origin override'.

How to eliminate wrong answers

Option B is wrong because daily cache invalidation is a reactive, manual process that does not prevent stale content between invalidations; it also incurs cost and latency, and does not address the root cause of stale serving due to missing or incorrect Cache-Control headers. Option C is wrong because increasing the TTL to 24 hours would make the problem worse by extending the time stale content is served, rather than ensuring freshness. Option D is wrong because setting caching to 'public' in Cloud Storage only affects browser caching, not Cloud CDN's edge caching behavior; Cloud CDN still requires proper Cache-Control headers from the origin to honor freshness.

5
MCQmedium

What is horizontal scaling, and how does it differ from vertical scaling?

A.Horizontal scaling adds CPU/memory to existing servers; vertical scaling adds more servers.
B.Horizontal scaling adds more instances to distribute load; vertical scaling increases the size of existing instances.
C.Horizontal scaling is for databases only; vertical scaling is for web servers.
D.Horizontal scaling requires application downtime; vertical scaling is always online.
AnswerB

Horizontal: add more VMs/containers (scale out). Vertical: upgrade to a larger VM with more CPU/RAM (scale up). Cloud autoscaling is primarily horizontal.

Why this answer

Horizontal scaling (scale-out) adds more instances (e.g., additional virtual machines or containers) to distribute the workload across multiple nodes, improving fault tolerance and capacity. Vertical scaling (scale-up) increases the resources (CPU, RAM, storage) of an existing instance, often hitting hardware limits and requiring downtime. Option B correctly captures this distinction.

Exam trap

Cisco often tests the common misconception that horizontal scaling means adding resources to a single server (like upgrading RAM), when in fact it means adding more servers to share the load.

How to eliminate wrong answers

Option A is wrong because it reverses the definitions: horizontal scaling adds more servers, not CPU/memory to existing servers, while vertical scaling adds resources to a single server. Option C is wrong because horizontal and vertical scaling apply to all types of workloads (databases, web servers, etc.), not exclusively to one or the other. Option D is wrong because horizontal scaling typically requires no downtime (instances can be added or removed live), while vertical scaling often requires a reboot or downtime to resize the instance.

6
MCQmedium

A global airline wants to use cloud technology to improve the passenger experience from booking through arrival. Which combination of cloud capabilities best supports a holistic digital transformation of the end-to-end passenger journey?

A.Moving the airline's reservation system to a cloud-hosted virtual machine to reduce hardware refresh costs
B.Using machine learning for personalized offers, real-time data streaming for flight updates, and mobile apps for seamless self-service across all journey touchpoints
C.Deploying cloud-based email servers for internal airline communications
D.Using cloud storage to back up passenger booking records offsite
AnswerB

This represents true end-to-end transformation: ML personalizes every interaction, streaming data keeps passengers informed in real time, and mobile-first design removes friction at every step — together creating a fundamentally better passenger experience.

Why this answer

Option B is correct because it combines three cloud-native capabilities—machine learning for personalized offers, real-time data streaming for flight updates, and mobile apps for self-service—that together address every phase of the passenger journey from booking to arrival. This holistic approach leverages cloud elasticity, event-driven architectures (e.g., Apache Kafka for streaming), and AI/ML inference at scale, enabling real-time personalization and seamless omnichannel experiences that a simple lift-and-shift or isolated storage solution cannot achieve.

Exam trap

Google Cloud often tests the misconception that any cloud migration (like lift-and-shift or isolated storage) constitutes digital transformation, when in fact true transformation requires integrating multiple cloud-native services (ML, streaming, mobile) to reimagine the end-to-end customer journey.

How to eliminate wrong answers

Option A is wrong because moving a reservation system to a cloud-hosted virtual machine (IaaS) is a lift-and-shift migration that reduces hardware costs but does not transform the passenger experience; it lacks the real-time data streaming, ML personalization, and self-service mobile capabilities needed for end-to-end digital transformation. Option C is wrong because deploying cloud-based email servers for internal communications is a back-office productivity improvement that has no direct impact on the passenger journey from booking through arrival. Option D is wrong because using cloud storage for offsite backup of booking records addresses data resilience and compliance, but does not provide the interactive, real-time, or personalized services required to improve the passenger experience across all touchpoints.

7
MCQmedium

A company runs a web application on Google Kubernetes Engine (GKE) that experiences sudden traffic spikes. The operations team notices that the application's response time increases significantly during these spikes despite having Horizontal Pod Autoscaler (HPA) configured. They want to ensure consistent performance. What should they do?

A.Increase the CPU request limit for all pods.
B.Configure the HPA to use custom metrics based on request latency.
C.Create multiple node pools with different machine types.
D.Manually scale the deployment during expected spikes.
AnswerB

Custom metrics like request latency allow the HPA to scale pods based on actual application performance, improving responsiveness during spikes.

Why this answer

Option B is correct because configuring the HPA to use custom metrics based on request latency allows the autoscaler to react directly to the application's performance degradation. Unlike CPU-based metrics, which may not reflect actual user-facing latency during traffic spikes, custom metrics like request latency provide a more accurate signal for scaling decisions, ensuring consistent response times.

Exam trap

Google Cloud often tests the misconception that CPU-based HPA is sufficient for all scaling scenarios, but the trap here is that CPU metrics do not capture application-level performance degradation caused by request latency or queue buildup during traffic spikes.

How to eliminate wrong answers

Option A is wrong because increasing the CPU request limit does not improve scaling responsiveness; it only changes the threshold at which the HPA triggers, potentially delaying scaling and not addressing the root cause of latency spikes. Option C is wrong because creating multiple node pools with different machine types addresses node-level resource diversity but does not solve the pod-level scaling issue; the HPA still needs appropriate metrics to scale pods effectively. Option D is wrong because manually scaling the deployment during expected spikes is not a scalable or automated solution; it contradicts the purpose of using HPA and increases operational overhead, especially for unpredictable traffic patterns.

8
MCQmedium

A company runs a customer-facing web application with a published SLA of 99.95% monthly availability. In the past month, the application experienced two outages: a 12-minute outage and a 7-minute outage. Did the company meet its SLA?

A.No — the company missed the SLA because any outage automatically constitutes an SLA breach
B.Yes — 99.95% availability in a 30-day month allows approximately 21.6 minutes of downtime; total outage of 19 minutes is within the budget, meaning the SLA was met
C.The answer cannot be determined without knowing the cause of the outages
D.No — two separate outages in one month always constitute an SLA breach regardless of duration
AnswerB

The math confirms the SLA was met. 30 days × 1,440 minutes = 43,200 minutes. 0.05% × 43,200 = 21.6 minutes allowed. 12 + 7 = 19 minutes actual downtime. 19 < 21.6, so the SLA is met. However, the remaining buffer is only 2.6 minutes — the team should treat this as a reliability concern.

Why this answer

Option B is correct because the SLA of 99.95% monthly availability permits a maximum downtime of approximately 21.6 minutes in a 30-day month (total minutes in month × (1 - 0.9995) = 43,200 × 0.0005 = 21.6 minutes). The combined outage of 19 minutes (12 + 7) is within this budget, so the SLA was met. This calculation assumes a 30-day month; if the month had 31 days, the allowable downtime would be about 22.3 minutes, still exceeding 19 minutes.

Exam trap

The trap here is that candidates mistakenly think any downtime or multiple outages automatically violate an SLA, ignoring the mathematical allowance built into the 99.95% target.

How to eliminate wrong answers

Option A is wrong because not every outage automatically breaches an SLA; SLAs define a specific availability percentage that allows a calculated amount of downtime. Option C is wrong because SLA compliance is determined solely by the total duration of downtime relative to the allowed budget, not by the root cause of the outages. Option D is wrong because multiple outages do not inherently breach an SLA; only the cumulative downtime relative to the allowed threshold matters.

9
MCQhard

A company is moving a regulated workload to Google Cloud and must ensure that their encryption keys are stored in a hardware security module (HSM) that meets FIPS 140-2 Level 3 validation. Which Google Cloud key management option satisfies this requirement?

A.Cloud KMS software-backed keys, which are managed by Google and stored in Google's secure key management infrastructure
B.Customer-supplied encryption keys (CSEK), where the customer provides the key with each API request
C.Cloud HSM, which stores and manages keys in FIPS 140-2 Level 3 validated hardware security modules
D.Secret Manager, which stores API keys and credentials with automatic rotation
AnswerC

Cloud HSM specifically addresses the FIPS 140-2 Level 3 requirement. Keys generated and stored in Cloud HSM never leave the HSM in plaintext form, and all cryptographic operations occur within the certified hardware. This is the correct answer for workloads requiring hardware-backed key storage at the highest FIPS level.

Why this answer

Cloud HSM is the correct choice because it provides a dedicated HSM service that stores and manages encryption keys in FIPS 140-2 Level 3 validated hardware security modules. This directly meets the regulatory requirement for a hardware security module with that specific validation level, as opposed to software-backed or customer-supplied key options.

Exam trap

The trap here is that candidates often confuse Cloud KMS software-backed keys (which are FIPS 140-2 Level 1) with Cloud HSM (Level 3), or they assume that any Google-managed key service automatically meets high-level FIPS validation, ignoring the specific Level 3 requirement for hardware-based protection.

How to eliminate wrong answers

Option A is wrong because Cloud KMS software-backed keys are stored in Google's secure key management infrastructure but are not backed by a dedicated HSM, and they do not meet FIPS 140-2 Level 3 validation (they meet Level 1). Option B is wrong because Customer-Supplied Encryption Keys (CSEK) are provided by the customer with each API request and are not stored in a Google-managed HSM; they are used for client-side encryption and do not satisfy the requirement for HSM-based key storage. Option D is wrong because Secret Manager is designed for storing secrets like API keys and passwords, not for managing encryption keys in an HSM, and it does not provide FIPS 140-2 Level 3 validated hardware security modules.

10
MCQeasy

A company wants to optimize their Google Cloud spending. They have baseline compute workloads that run continuously 24/7 for at least one year. Which pricing option provides the greatest savings for these stable, long-running workloads?

A.Spot VMs — up to 91% savings over on-demand pricing.
B.Committed Use Discounts (CUDs) — 1-year or 3-year commitment for up to 55% savings.
C.On-demand pricing — pay per minute with no commitment.
D.Sustained Use Discounts — automatically applied to all running VMs.
AnswerB

CUDs are the optimal pricing for stable, continuous workloads. 1-year CUD = ~37% savings, 3-year CUD = ~55% savings. Since the workload runs 24/7 indefinitely, the commitment is fully utilized.

Why this answer

Committed Use Discounts (CUDs) are ideal for stable, long-running workloads because they offer significant savings (up to 55% for 1-year or 3-year commitments) in exchange for a predictable resource usage commitment. Since the workloads run continuously 24/7 for at least one year, a 1-year CUD directly matches this usage pattern and provides the greatest savings among the listed options for such non-preemptible, always-on VMs.

Exam trap

Cisco often tests the misconception that Spot VMs offer the highest savings for any workload, but the trap here is that candidates overlook the critical requirement of workload stability and the risk of preemption, which makes Spot VMs unsuitable for continuous 24/7 operations.

How to eliminate wrong answers

Option A is wrong because Spot VMs (preemptible VMs) can be terminated by Google at any time with a 30-second notice, making them unsuitable for stable, long-running workloads that require continuous availability. Option C is wrong because on-demand pricing offers no discount and is the most expensive option for 24/7 workloads, as it charges per minute without any commitment-based savings. Option D is wrong because Sustained Use Discounts are automatic discounts for running VMs for a significant portion of the month, but they provide at most 30% savings for full-month usage, which is less than the up to 55% savings from CUDs for a 1-year commitment.

11
MCQmedium

An enterprise wants to give its business intelligence team a governed analytics platform where data models are defined centrally with version-controlled semantic definitions, and all reports are guaranteed to use the same business metric definitions. Which Google Cloud product is designed for this governed BI use case?

A.Looker Studio, Google's free self-service data visualization tool
B.Looker, with its LookML semantic layer for centrally governed, version-controlled metric definitions used consistently across all reports
C.BigQuery, where analysts write shared SQL queries stored in the project
D.Vertex AI, which provides a model registry for governing ML model definitions
AnswerB

Looker's LookML semantic layer is precisely designed for governed analytics. Data engineers define business logic (what 'revenue' means, how to join tables) in LookML, which is version-controlled in Git. All Looker reports query through this layer, ensuring consistent definitions. This is the differentiated capability versus Looker Studio.

Why this answer

Looker is the correct choice because it provides a governed analytics platform with its LookML semantic layer. LookML allows data models to be defined centrally with version control, ensuring that all reports and dashboards use the same business metric definitions consistently. This directly addresses the enterprise's need for a governed BI solution where semantic definitions are managed and versioned.

Exam trap

Google Cloud often tests the distinction between a governed semantic layer (Looker) and a simple visualization tool (Looker Studio) or a data warehouse (BigQuery), trapping candidates who confuse data storage with BI governance.

How to eliminate wrong answers

Option A is wrong because Looker Studio is a free self-service visualization tool that lacks a centralized, version-controlled semantic layer for governing metric definitions; it relies on direct data source connections without enforced consistency. Option C is wrong because BigQuery is a data warehouse for running SQL queries, not a BI platform with a semantic modeling layer; shared SQL queries in a project do not provide version-controlled, governed metric definitions across reports. Option D is wrong because Vertex AI is a machine learning platform with a model registry for governing ML models, not a BI tool for governing business metric definitions in analytics.

12
MCQmedium

An enterprise's security team is implementing a strategy to protect against 'credential stuffing' attacks — where attackers use lists of username/password combinations from previous data breaches to try to log in to the company's applications. Which authentication control most effectively mitigates this threat?

A.Requiring longer, more complex passwords to make credentials harder to guess
B.Multi-Factor Authentication (MFA/2SV), which requires a second verification factor beyond the password that attackers don't have even when they possess the stolen credentials
C.Encrypting passwords in the company's database using bcrypt to prevent the stolen passwords from being usable
D.Implementing HTTPS on the login page to prevent credentials from being intercepted in transit
AnswerB

MFA is the definitive defense against credential stuffing. The stolen credentials work for the first factor (password), but the attack fails at the second factor (authenticator app TOTP, push notification, hardware security key). Attackers would need both the credentials AND access to the user's second factor device — a much higher bar.

Why this answer

Multi-Factor Authentication (MFA/2SV) is the most effective control against credential stuffing because it requires an additional verification factor (e.g., a one-time code from an authenticator app, a hardware token, or a biometric) that the attacker does not possess, even if they have valid username/password pairs from a breach. This renders the stolen credentials useless for authentication, as the attacker cannot complete the second factor challenge. In Google Cloud, this is commonly enforced via Identity Platform or Cloud Identity with security keys or TOTP.

Exam trap

Cisco often tests the misconception that password hashing (like bcrypt) or encryption protects against credential stuffing, but candidates must recognize that the attacker already has the plaintext passwords from a prior breach, so hashing the database is irrelevant to this attack vector.

How to eliminate wrong answers

Option A is wrong because requiring longer, more complex passwords does not prevent credential stuffing; attackers already have the exact passwords from breaches, so complexity does not stop them from using those stolen credentials. Option C is wrong because encrypting passwords with bcrypt protects the database from offline cracking, but in a credential stuffing attack, the attacker already possesses the plaintext passwords from a previous breach and does not need to crack the database. Option D is wrong because HTTPS protects credentials in transit from interception, but credential stuffing uses stolen credentials that the attacker already has, so encrypting the login channel does not prevent the attacker from submitting them.

13
MCQeasy

A startup needs to run a web application with unpredictable traffic. They want to avoid over-provisioning and only pay for resources used. Which cloud benefit best addresses this need?

A.Built-in security
B.Pay-as-you-go pricing
C.Global reach and low latency
D.Managed services
AnswerB

Pay-as-you-go allows paying only for what you use, ideal for unpredictable traffic.

Why this answer

Pay-as-you-go pricing (Option B) directly matches the startup's need to avoid over-provisioning and pay only for resources consumed. This cloud pricing model allows resources to scale up and down automatically based on traffic, with billing tied to actual usage (e.g., compute hours, data transfer). It eliminates the capital expense of idle capacity, which is critical for unpredictable workloads.

Exam trap

Google Cloud often tests the misconception that 'managed services' automatically include pay-as-you-go pricing, but managed services (e.g., Amazon RDS) still require selecting a pricing model (on-demand vs. reserved) and do not guarantee avoidance of over-provisioning.

How to eliminate wrong answers

Option A is wrong because built-in security addresses data protection and compliance, not cost optimization or resource scaling based on demand. Option C is wrong because global reach and low latency improve user experience via edge locations (e.g., CDN), but do not affect how the startup pays for or provisions compute resources. Option D is wrong because managed services reduce operational overhead (e.g., patching, backups) but still require selecting a pricing model; they do not inherently prevent over-provisioning or ensure pay-per-use billing.

14
MCQmedium

A company plans to run a batch processing job every night for 2 hours. They want to minimize costs while ensuring the job completes within a 4-hour window. Which pricing model should they choose?

A.On-demand pricing
B.Preemptible VM instances
C.Committed use discounts
D.Sustained use discounts
AnswerB

Preemptible VMs cost significantly less and are suitable for fault-tolerant batch jobs.

Why this answer

Preemptible VM instances (B) are ideal for fault-tolerant, short-lived batch jobs that can handle interruptions. They offer significantly lower cost than on-demand instances, and because the job runs for only 2 hours within a 4-hour window, it can be restarted if preempted, ensuring completion at minimal expense.

Exam trap

Google Cloud often tests the misconception that sustained use discounts are the best for any long-running workload, but the trap here is that the 2-hour nightly job does not accumulate enough monthly usage to trigger significant sustained use discounts, making preemptible VMs the correct cost-minimizing choice for interruptible batch jobs.

How to eliminate wrong answers

Option A is wrong because on-demand pricing is the most expensive option and does not offer cost optimization for a batch job that can tolerate interruptions. Option C is wrong because committed use discounts require a 1- or 3-year commitment, which is excessive for a nightly 2-hour job and does not align with the flexible, short-duration nature of the workload. Option D is wrong because sustained use discounts apply automatically to on-demand instances running for a significant portion of a month (e.g., over 25%), but a 2-hour nightly job totals only about 60 hours per month, which is well below the threshold for meaningful discounts.

15
MCQeasy

A company's application is called 'stateless' because it doesn't store any user session data in the application server's memory. Each request contains all necessary information. Why is statelessness important for cloud scalability?

A.Stateless applications use less storage because they don't store any data.
B.Stateless applications can be scaled horizontally without session loss because any instance can handle any request — enabling easy addition/removal of instances.
C.Stateless applications are more secure because they don't remember who the user is.
D.Stateless applications eliminate the need for databases since no data is stored.
AnswerB

No local session state means any server can handle any user's request. Add an instance and it's immediately useful; remove one and no user loses their session. This is the foundation of horizontal cloud scalability.

Why this answer

Statelessness is critical for cloud scalability because it enables horizontal scaling: any instance can process any request without needing to recall previous interactions. Since no session data is stored locally, new instances can be added or removed dynamically without risk of session loss, allowing the application to handle fluctuating loads efficiently. This aligns with the cloud's elasticity model, where resources are provisioned on demand.

Exam trap

Cisco often tests the misconception that statelessness means 'no data is stored anywhere,' leading candidates to pick Option D, but the correct understanding is that data is stored externally, not on the application server itself.

How to eliminate wrong answers

Option A is wrong because stateless applications don't necessarily use less storage; they still store data externally (e.g., in databases or caches), and the claim conflates memory usage with storage. Option C is wrong because statelessness does not inherently improve security; it simply means no session state is kept on the server, but authentication tokens (e.g., JWT) are still sent with each request and can be compromised. Option D is wrong because stateless applications still require databases or external storage for persistent data; eliminating databases would break data durability and consistency.

16
MCQeasy

Google Cloud bills Compute Engine VMs per second (after a 1-minute minimum). A batch job runs for exactly 3 minutes and 47 seconds. How many minutes does Google Cloud charge for?

A.4 minutes (rounded up to the nearest minute).
B.Exactly 3 minutes and 47 seconds of compute time.
C.1 hour (traditional cloud billing minimum).
D.5 minutes (rounded up to the nearest 5-minute interval).
AnswerB

Per-second billing means the charge is for exactly 227 seconds (3 min 47 sec). No per-hour or per-minute rounding inflates the cost.

Why this answer

Google Cloud Compute Engine bills per second after a 1-minute minimum. Since the job runs for 3 minutes and 47 seconds, the total billable time is exactly 3 minutes and 47 seconds — no rounding up to the nearest minute or any other interval. Option B correctly reflects this per-second billing model.

Exam trap

Google Cloud often tests the misconception that cloud providers always round up to the nearest minute or hour, but Google Cloud's per-second billing after a 1-minute minimum is a specific exception that candidates must recall precisely.

How to eliminate wrong answers

Option A is wrong because it assumes rounding up to the nearest minute, but Google Cloud bills per second after the first minute, so 3 minutes and 47 seconds is not rounded to 4 minutes. Option C is wrong because it references a traditional 1-hour minimum billing model, which Google Cloud does not use for Compute Engine VMs — they use a 1-minute minimum with per-second billing thereafter. Option D is wrong because it suggests rounding to the nearest 5-minute interval, which is not part of Google Cloud's billing policy for Compute Engine.

17
MCQhard

A company uses BigQuery for analytics and needs to enforce row-level security based on user department. Only users from the 'Sales' department should see rows where department = 'Sales'. Which BigQuery feature should they use?

A.Custom IAM roles with fine-grained permissions
B.Column-level security with classification tags
C.Authorized views with a WHERE clause
D.Row-level access policies using a filter on the department column
AnswerD

Row-level access policies restrict which rows users can see based on conditions.

Why this answer

Option B is correct because BigQuery row-level access policies allow filtering rows based on conditions. Option A is wrong because column-level security hides columns, not rows. Option C is wrong because authorized views are for sharing data across projects.

Option D is wrong because IAM roles are for access control at the table/dataset level, not row-level.

18
MCQmedium

A company runs many containerized microservices that need orchestration — automatic scheduling, scaling, self-healing, and rolling updates. They want a managed service so they don't maintain the control plane themselves. Which Google Cloud service is purpose-built for this?

A.Cloud Run
B.Google Kubernetes Engine (GKE)
C.Cloud Composer
D.Compute Engine with managed instance groups
AnswerB

GKE is Google's managed Kubernetes service. It handles the control plane (API server, scheduler, etcd) and optionally the node infrastructure (Autopilot mode) while providing full Kubernetes orchestration capabilities.

Why this answer

Google Kubernetes Engine (GKE) is a managed Kubernetes service that provides automatic orchestration, scaling, self-healing, and rolling updates for containerized microservices. It fully manages the Kubernetes control plane, including the API server, etcd, and scheduler, so the customer does not have to maintain them. This makes GKE the purpose-built solution for the described requirements.

Exam trap

Cisco often tests the distinction between serverless container platforms (Cloud Run) and full container orchestration (GKE), where candidates mistakenly choose Cloud Run because it also runs containers, but it lacks the orchestration features like manual scaling, self-healing, and rolling updates that GKE provides.

How to eliminate wrong answers

Option A is wrong because Cloud Run is a serverless compute platform for stateless containers that abstracts away the underlying infrastructure, but it does not provide the full orchestration capabilities (e.g., manual scaling, self-healing at the pod level, or rolling updates) that Kubernetes offers; it is designed for event-driven or request-based workloads, not for managing a fleet of microservices with complex scheduling. Option C is wrong because Cloud Composer is a managed Apache Airflow service for workflow orchestration and data pipeline scheduling, not for container orchestration; it manages DAGs and task dependencies, not container lifecycles. Option D is wrong because Compute Engine with managed instance groups provides auto-scaling and self-healing for VMs, but it lacks native container orchestration features like automatic scheduling, rolling updates, and service discovery; it requires additional tooling (e.g., Kubernetes or Nomad) to achieve the same level of container management.

19
MCQeasy

A company's cloud team is asked to demonstrate that their infrastructure changes are repeatable and auditable. They use Terraform configuration files committed to a Git repository to define all cloud resources. Which operational practice does this exemplify?

A.Infrastructure as Code (IaC) managed through version control, providing repeatable and auditable infrastructure changes
B.Manual change management, where each infrastructure change is recorded in a spreadsheet for audit purposes
C.Disaster recovery planning, using configuration files to document what needs to be rebuilt after a failure
D.Cost optimization, by defining infrastructure in code to enable automatic right-sizing of resources
AnswerA

This exactly describes IaC + GitOps. Terraform configurations in Git provide repeatability (same config → same infrastructure) and auditability (Git history shows every change, who made it, and when). This is a foundational cloud operations best practice.

Why this answer

By storing Terraform configuration files in a Git repository, the team treats infrastructure definitions as code, enabling version control, peer review, and a complete audit trail of changes. This is the core principle of Infrastructure as Code (IaC), which ensures that every infrastructure change is repeatable because the exact same configuration can be applied multiple times, and auditable because Git history records who changed what and when.

Exam trap

The trap here is that candidates may confuse the operational practice of IaC with its secondary benefits (like disaster recovery or cost optimization), but the question explicitly asks about repeatability and auditability, which are direct outcomes of version-controlled IaC.

How to eliminate wrong answers

Option B is wrong because manual change management via spreadsheets is error-prone, lacks automation, and does not provide the repeatability or audit trail that version-controlled code offers. Option C is wrong because disaster recovery planning is a broader strategy that may use IaC as a tool, but the question specifically asks about the operational practice of using version-controlled Terraform files for repeatable and auditable changes, not just documenting rebuild steps. Option D is wrong because cost optimization is a potential benefit of IaC but not the primary practice being demonstrated; the question focuses on repeatability and auditability, not automatic right-sizing.

20
MCQmedium

A startup needs to build a mobile application backend. They need user authentication, a real-time database that syncs to mobile clients automatically, and serverless functions for business logic — all managed with minimal backend engineering. Which Google Cloud platform provides this integrated mobile/web backend solution?

A.Google Kubernetes Engine (GKE), for containerized backend microservices
B.Firebase, which provides integrated authentication, auto-syncing Firestore database, serverless functions, and hosting — designed for mobile and web backends with minimal engineering overhead
C.BigQuery, for storing and analyzing mobile application user data
D.Cloud Spanner, for globally consistent transactional data storage in the mobile backend
AnswerB

Firebase is purpose-built for this scenario. Authentication, real-time data sync, serverless functions, and hosting are all pre-integrated. The SDK handles real-time data synchronization to mobile clients automatically. It minimizes backend complexity for mobile-first teams.

Why this answer

Firebase is the correct answer because it is a Google Cloud platform specifically designed to provide an integrated mobile/web backend with minimal engineering overhead. It bundles user authentication, a real-time NoSQL database (Firestore) that automatically syncs data to clients, and serverless Cloud Functions for business logic, all managed without requiring backend infrastructure provisioning.

Exam trap

The trap here is that candidates may confuse GKE's microservices capability with a 'managed backend,' but GKE still requires significant DevOps effort, whereas Firebase is purpose-built for zero-ops mobile/web backends with integrated services.

How to eliminate wrong answers

Option A is wrong because Google Kubernetes Engine (GKE) is a container orchestration service for deploying microservices, which requires significant backend engineering to set up and manage authentication, real-time sync, and serverless functions, contradicting the 'minimal backend engineering' requirement. Option C is wrong because BigQuery is a serverless data warehouse for analytical queries on large datasets, not a real-time database with automatic client sync or a platform for authentication and serverless functions. Option D is wrong because Cloud Spanner is a globally distributed, strongly consistent relational database service that requires schema design and backend management, and it does not provide built-in authentication or auto-syncing to mobile clients like Firebase does.

21
MCQmedium

A company's engineering organization wants to share operational knowledge across teams using a 'golden path' — a recommended, pre-configured set of tools, services, and templates that makes the easy path also the correct path. Which Google Cloud concept supports this practice?

A.Create a shared Google Slides presentation documenting best practices for teams to reference.
B.Use Terraform blueprints, organization policies, and Cloud Foundation Toolkit to create pre-configured landing zones that enforce standards automatically.
C.Grant all teams Organization Admin access so they can configure resources however they prefer.
D.Hire a dedicated cloud architect to review every new project's design before it starts.
AnswerB

Landing zones encode organizational standards into reusable Terraform templates and org policies. New projects start on the golden path automatically — security, networking, monitoring, and cost controls are pre-wired.

Why this answer

Option B is correct because the Cloud Foundation Toolkit (CFT) provides Terraform blueprints and pre-configured landing zones that enforce organizational policies and standards automatically. This aligns directly with the 'golden path' concept by making the easy path (using the blueprints) also the correct path (enforcing compliance and best practices through organization policies and automated deployments).

Exam trap

Cisco often tests the misconception that documentation or manual review processes are sufficient for enforcing standards at scale, when in fact automated policy enforcement and pre-configured templates are required for a true 'golden path' implementation.

How to eliminate wrong answers

Option A is wrong because a shared Google Slides presentation is a static, manual documentation approach that does not enforce standards or automate configuration, failing to create a 'golden path' that makes the easy path the correct path. Option C is wrong because granting all teams Organization Admin access removes all guardrails and security boundaries, directly contradicting the goal of enforcing standards and preventing misconfigurations. Option D is wrong because relying on a single architect to review every project creates a bottleneck and does not scale, whereas a 'golden path' should be self-service and automated.

22
MCQhard

A CEO asks why the company should invest in a cloud migration when the existing on-premises infrastructure 'still works fine.' Which business case arguments are MOST relevant to present? (Select the best answer.)

A.The cloud uses newer hardware and newer versions of Linux, which are technically superior.
B.Cloud enables faster innovation and time-to-market, reduces total cost of ownership, and provides access to advanced capabilities (AI, analytics) that improve competitive positioning.
C.Cloud providers have more IT staff than the company, so IT headcount can be reduced immediately.
D.The current infrastructure will eventually fail, so proactive migration avoids future risk.
AnswerB

These are the business outcomes that matter to a CEO: innovation speed (competitive advantage), TCO reduction (financial), and access to AI/ML (new capabilities). All three directly impact business results.

Why this answer

Option B is correct because it directly addresses the CEO's strategic concerns by highlighting cloud's ability to accelerate innovation and time-to-market, reduce total cost of ownership (TCO) through pay-as-you-go pricing and elimination of hardware lifecycle costs, and provide access to advanced capabilities like AI and analytics that on-premises infrastructure cannot easily match. These arguments frame cloud migration as a competitive necessity rather than a mere technology upgrade, which is the core of the business case.

Exam trap

Cisco often tests the distinction between tactical technical arguments (like newer hardware) and strategic business value arguments (like innovation and TCO), trapping candidates who focus on technology features rather than the CEO's perspective on competitive advantage and cost efficiency.

How to eliminate wrong answers

Option A is wrong because it focuses on technical superiority of hardware and OS versions, which is a tactical detail that does not address the CEO's strategic question about business value; newer hardware and Linux versions are not inherently transformative and can be achieved on-premises. Option C is wrong because it oversimplifies IT headcount reduction; cloud providers have more staff, but migration requires retraining, new roles, and often increases operational complexity before any headcount reduction is possible, and immediate reduction is unrealistic. Option D is wrong because it relies on fear of eventual failure, which is a weak argument; proactive migration should be justified by business benefits, not by speculative risk, and on-premises infrastructure can be maintained with proper lifecycle management.

23
MCQmedium

A financial services firm wants to improve disaster recovery without maintaining a second physical data center. They need to replicate data asynchronously and failover quickly. How does cloud transformation help?

A.Setting up a VPC peering to a partner data center
B.Using managed instance groups in the same region
C.Using tape backup stored offsite
D.Creating a replica in another Cloud Region using Cloud Storage and Cloud SQL replicas
AnswerD

Cloud services enable cost-effective, automated cross-region replication for DR.

Why this answer

Option D is correct because it leverages Cloud Storage for durable, asynchronous object replication and Cloud SQL replicas for cross-region database failover. This eliminates the need for a second physical data center while providing quick failover via a standby replica in another region, meeting the requirements for asynchronous replication and rapid recovery.

Exam trap

Google Cloud often tests the misconception that VPC peering or same-region instance groups provide disaster recovery, when in fact they only address network connectivity or high availability within a single region, not cross-region failover.

How to eliminate wrong answers

Option A is wrong because VPC peering connects networks but does not provide data replication or disaster recovery capabilities; it is a networking feature, not a DR solution. Option B is wrong because managed instance groups in the same region do not protect against regional failures; they only provide high availability within a single region, not cross-region disaster recovery. Option C is wrong because tape backup stored offsite is a slow, legacy approach with high recovery time objectives (RTOs) and does not support asynchronous replication or quick failover in a cloud-native manner.

24
MCQmedium

A startup is building an application that sends daily promotional push notifications to millions of mobile users on both iOS and Android devices. Which Google Cloud or Google service most directly provides the infrastructure for sending these mobile push notifications?

A.Cloud Pub/Sub, which delivers messages to subscribed mobile application instances
B.Firebase Cloud Messaging (FCM), which delivers push notifications to iOS and Android devices through Google's mobile notification infrastructure
C.Cloud Storage, by writing notification content to buckets that mobile applications poll for new messages
D.Cloud Run, by exposing an API that mobile applications call to retrieve their pending notifications
AnswerB

FCM is the correct service. It provides the complete push notification pipeline: device token management, message composition, cross-platform delivery (Android via FCM protocol, iOS via APNs), delivery analytics, and topic-based message broadcasting for millions of subscribers. It's the standard Google/Firebase solution for mobile push notifications.

Why this answer

Firebase Cloud Messaging (FCM) is Google's dedicated, scalable infrastructure for delivering push notifications to both iOS and Android devices. It handles device registration, message routing, and platform-specific delivery through Apple Push Notification service (APNs) for iOS and Google's own push service for Android, making it the most direct and appropriate service for this use case.

Exam trap

The trap here is that candidates confuse Cloud Pub/Sub's generic message delivery with mobile push notification delivery, overlooking that FCM is the only service that integrates directly with mobile OS notification systems and handles device-specific routing and delivery guarantees.

How to eliminate wrong answers

Option A is wrong because Cloud Pub/Sub is a message-oriented middleware for asynchronous event ingestion and distribution between services, not designed to deliver push notifications directly to mobile device operating systems; it lacks the device registration and platform-specific delivery mechanisms (APNs, FCM SDK) required for mobile push. Option C is wrong because Cloud Storage is an object storage service for unstructured data; polling a bucket for new messages is inefficient, introduces latency, drains mobile battery, and does not provide the real-time push delivery or device targeting capabilities needed. Option D is wrong because Cloud Run is a serverless compute platform for running containerized applications; while it could host a custom notification API, it does not natively handle push notification delivery to mobile OS-level notification channels and would require building and maintaining the entire push infrastructure, including FCM integration, making it an indirect and incomplete solution.

25
MCQeasy

A developer needs to grant a service account the minimum permissions required to publish messages to a Pub/Sub topic. Which IAM role should they assign?

A.roles/editor
B.roles/pubsub.subscriber
C.roles/pubsub.publisher
D.roles/pubsub.admin
AnswerC

Grants only the permission to publish messages to the topic.

Why this answer

The correct answer is C because the `roles/pubsub.publisher` role grants the minimum permissions required to publish messages to a Pub/Sub topic. This role includes the `pubsub.topics.publish` permission, which allows a service account to send messages to a specific topic without granting any other unnecessary permissions like subscribing or managing the topic.

Exam trap

Google Cloud often tests the distinction between publisher and subscriber roles, and the trap here is that candidates may confuse `roles/pubsub.publisher` with `roles/pubsub.subscriber` or assume a broad role like `roles/editor` is acceptable, overlooking the principle of least privilege.

How to eliminate wrong answers

Option A is wrong because `roles/editor` is a broad, primitive role that grants extensive permissions across many Google Cloud services, far exceeding the minimum required for publishing to a Pub/Sub topic. Option B is wrong because `roles/pubsub.subscriber` grants permissions to pull or push messages from a subscription (e.g., `pubsub.subscriptions.consume`), not to publish messages to a topic. Option D is wrong because `roles/pubsub.admin` grants full administrative control over Pub/Sub resources, including creating, deleting, and modifying topics and subscriptions, which is far more permissive than needed for publishing only.

26
MCQeasy

A small business wants to host a low-traffic website with a single-page application. They have limited budget and no IT staff. Which Google Cloud solution is most cost-effective and easy to manage?

A.Use App Engine Standard Environment
B.Deploy a virtual machine on Compute Engine with a web server
C.Host the static files on Cloud Storage and use Cloud CDN
D.Set up Google Kubernetes Engine cluster
AnswerC

Cloud Storage can host static websites with built-in CDN and no server management.

Why this answer

Option C is correct because hosting static files (HTML, CSS, JS) on Cloud Storage with Cloud CDN provides a serverless, highly scalable, and low-cost solution for a low-traffic single-page application. Cloud Storage serves static content directly without provisioning any virtual machines, and Cloud CDN caches content at edge locations to reduce latency and egress costs. This eliminates the need for any server management, making it ideal for a business with no IT staff.

Exam trap

The trap here is that candidates often assume a web server (Compute Engine) or a platform like App Engine is necessary for any website, overlooking that static hosting on Cloud Storage with CDN is the simplest and cheapest option for single-page applications.

How to eliminate wrong answers

Option A is wrong because App Engine Standard Environment, while serverless, is designed for dynamic applications and incurs costs for always-on instances or scaling, even for low-traffic static sites, making it less cost-effective than pure static hosting. Option B is wrong because deploying a virtual machine on Compute Engine requires manual OS patching, web server configuration, and ongoing maintenance, which contradicts the 'no IT staff' requirement and introduces unnecessary complexity and cost for a static site. Option D is wrong because Google Kubernetes Engine is an orchestration platform for containerized applications, which is overkill and expensive for a simple static website, requiring cluster management and expertise that the business lacks.

27
MCQmedium

A company wants to ensure that no employee can accidentally delete critical data stored in Cloud Storage. They need a solution that protects against accidental deletion even by users with full permissions. Which approach should they use?

A.Enable Object Versioning and set a retention policy
B.Use customer-managed encryption keys
C.Set up Cloud Audit Logs for data access
D.Restrict IAM roles to Viewer only
AnswerA

Versioning keeps deleted objects, and retention policies prevent deletion within a set period.

Why this answer

Object Versioning in Cloud Storage preserves non-current object versions, allowing recovery from accidental overwrites or deletions. A retention policy prevents object deletion (including version deletion) until the retention period expires, even for users with full permissions like `storage.objects.delete`. Together, they provide a defense-in-depth against accidental data loss.

Exam trap

Google Cloud often tests the misconception that IAM roles alone can prevent deletion, but the trap here is that users with full permissions (e.g., `roles/storage.admin`) can delete objects unless a retention policy is applied, which overrides IAM at the bucket level.

How to eliminate wrong answers

Option B is wrong because customer-managed encryption keys (CMEK) protect data at rest but do not prevent deletion; they only control who can decrypt the data. Option C is wrong because Cloud Audit Logs record who performed a deletion but do not prevent it from happening. Option D is wrong because restricting IAM roles to Viewer only would block legitimate users from performing their jobs and does not address the requirement to protect against accidental deletion by users with full permissions.

28
MCQeasy

An organization is planning to adopt cloud services but needs to understand which party is responsible for physical security of the data center. Under the shared responsibility model, who is responsible for physical data center security in a public cloud deployment?

A.The customer, because they own the data stored in the data center
B.A shared responsibility: the cloud provider secures the building exterior while the customer secures the server racks
C.The cloud provider, who is entirely responsible for all physical security of data center facilities and hardware
D.A third-party security company contracted by both the customer and the cloud provider
AnswerC

Physical security is always the cloud provider's responsibility. This includes facility perimeter security, building access controls, environmental controls, and hardware security. It is one of the most clear-cut divisions in the shared responsibility model.

Why this answer

In the cloud shared responsibility model, physical security of data centers — including building access controls, perimeter security, surveillance, and hardware security — is always the sole responsibility of the cloud provider. Customers never have physical access to cloud provider data centers and bear no responsibility for physical security. This is one of the fundamental security benefits of using a public cloud.

29
MCQmedium

A manufacturing company is exploring cloud adoption to improve its supply chain responsiveness. A consultant proposes using machine learning models trained on historical supply chain data to predict component shortages 8 weeks in advance. Which description best characterizes this as a digital transformation use case?

A.This is basic digitization — converting paper purchase orders to electronic format in the cloud
B.This exemplifies digital transformation: cloud-enabled ML creates a predictive capability that fundamentally changes supply chain decision-making from reactive to proactive
C.This is a cost-reduction initiative — moving supply chain software to cheaper cloud servers
D.This is an IT modernization project focused on updating legacy databases to cloud-hosted alternatives
AnswerB

This is precisely digital transformation. The manufacturing company isn't just automating existing tasks — it's creating a new decision-making capability (proactive 8-week predictions vs. reactive shortage responses) that wasn't possible before cloud-scale ML. The competitive advantage created is qualitatively new.

Why this answer

Option B is correct because the use case describes a shift from reactive supply chain management to proactive prediction using cloud-enabled machine learning. This fundamentally changes business processes and decision-making, which is the essence of digital transformation—not merely digitizing existing data or reducing costs.

Exam trap

Google Cloud often tests the distinction between digitization (converting analog to digital) and digital transformation (fundamentally changing business models or processes), so candidates mistakenly pick 'digitization' when the scenario involves new analytical capabilities rather than simple format conversion.

How to eliminate wrong answers

Option A is wrong because digitization refers to converting analog or paper-based processes to digital formats, whereas this scenario uses ML to create new predictive insights, not just electronic records. Option C is wrong because cost reduction is a potential benefit, not the defining characteristic; the core change is a new capability (predictive analytics) that transforms operations. Option D is wrong because IT modernization focuses on updating legacy infrastructure, but this use case introduces a new analytical capability (ML forecasting) that changes how the business responds to shortages, not just where data is stored.

30
MCQmedium

Refer to the exhibit. An operations team configured this Cloud Monitoring alert. They notice that the alert fires, but the associated managed instance group autoscaler does not scale up. What is the most likely reason?

A.The duration of 300 seconds (5 minutes) is too long, and the autoscaler uses a shorter evaluation period.
B.The threshold value of 0.8 is too low.
C.The alignment period of 60 seconds is too short, causing unstable metrics.
D.The filter is missing the project ID, so it applies to all projects.
AnswerA

Autoscaler evaluates metrics over a short window (e.g., 1 minute); a 5-minute sustained threshold in the alert may cause the autoscaler to react differently.

Why this answer

Option A is correct because the autoscaler evaluates metrics over a shorter period than the alert's 300-second duration. The alert fires only after the condition persists for 5 minutes, but the autoscaler may have already scaled down or the metric may have recovered before the alert triggers, causing a mismatch between the alert and the autoscaler's decision logic.

Exam trap

Google Cloud often tests the misconception that a longer alert duration is always better for stability, but here the trap is that the autoscaler's evaluation period is shorter, causing the alert to fire too late for the autoscaler to act.

How to eliminate wrong answers

Option B is wrong because a threshold of 0.8 (80% utilization) is a common and reasonable value for triggering scale-up; lowering it would cause premature scaling, not prevent it. Option C is wrong because a 60-second alignment period is standard and provides stable metrics; shorter periods can cause noise, but the issue here is the duration mismatch, not instability. Option D is wrong because the filter missing the project ID would cause the alert to apply to all projects, potentially causing false positives or scaling issues, but it would not prevent the autoscaler from scaling up when the alert fires.

31
MCQmedium

A logistics company manually tracks shipments using spreadsheets, causing frequent errors and delays in customer notifications. After implementing a cloud-based tracking platform with real-time GPS updates, automated customer notifications, and predictive delivery estimates, customer satisfaction scores increase by 35%. What kind of transformation does this primarily represent?

A.IT infrastructure modernization — replacing on-premises servers with cloud VMs.
B.Customer experience and operational transformation — digitizing manual tracking to provide real-time visibility and automated service.
C.Cost reduction initiative — eliminating the spreadsheet software license fees.
D.Employee productivity transformation — helping logistics coordinators work faster using cloud apps.
AnswerB

Moving from error-prone manual processes to real-time automated tracking fundamentally changes the customer experience and operational model. Cloud enables the real-time data platform and notification infrastructure.

Why this answer

Option B is correct because the scenario describes a shift from manual, error-prone spreadsheet tracking to a cloud-based platform with real-time GPS updates, automated notifications, and predictive analytics. This directly improves both the customer experience (real-time visibility, automated alerts) and operational efficiency (reduced delays, fewer errors), which is the essence of a customer experience and operational transformation. The 35% increase in customer satisfaction scores confirms the primary focus is on enhancing service delivery and internal processes, not just IT infrastructure or cost savings.

Exam trap

Google Cloud often tests the distinction between IT infrastructure modernization and business process transformation, so the trap here is that candidates see 'cloud-based' and immediately think of infrastructure upgrades (Option A), missing that the primary impact is on customer experience and operational workflows, not just the underlying compute or storage.

How to eliminate wrong answers

Option A is wrong because it focuses narrowly on replacing on-premises servers with cloud VMs (IT infrastructure modernization), while the question describes a broader transformation involving digitization of manual workflows, real-time data integration, and automated customer-facing services—not just a server swap. Option C is wrong because it misrepresents the initiative as a cost reduction effort targeting spreadsheet software license fees, which are negligible; the real value comes from eliminating manual errors and delays, not from saving on spreadsheet costs. Option D is wrong because it frames the change solely as employee productivity improvement (helping coordinators work faster), ignoring the significant customer-facing benefits like real-time tracking and automated notifications that drove the 35% satisfaction increase.

32
MCQmedium

A traditional software company sells perpetual licenses for on-premises software. They want to transition to a cloud-based SaaS model. Beyond infrastructure savings, which business model transformation does this shift enable?

A.The company can eliminate all software development costs by using Google's pre-built APIs.
B.The company gains predictable recurring revenue, continuous delivery of updates, and deeper ongoing customer relationships through the subscription model.
C.The company no longer needs sales and marketing because SaaS products sell themselves.
D.Customers automatically upgrade to new versions without any vendor effort.
AnswerB

SaaS subscriptions replace episodic license purchases with predictable MRR/ARR. The cloud model enables continuous deployment, real-time customer usage insights, and subscription tier flexibility.

Why this answer

Option B is correct because transitioning from a perpetual on-premises license model to a cloud-based SaaS model fundamentally shifts the revenue structure from one-time payments to predictable, recurring subscription revenue. This model also enables continuous delivery of updates and patches without requiring customer action, and fosters deeper ongoing customer relationships through usage analytics, support, and feature adoption tracking. The cloud infrastructure allows the vendor to manage, update, and scale the software centrally, which is the core business model transformation beyond just infrastructure savings.

Exam trap

Cisco often tests the misconception that cloud migration automatically eliminates all operational costs or vendor effort, when in reality it shifts the cost structure and requires ongoing investment in development, security, and compliance.

How to eliminate wrong answers

Option A is wrong because moving to SaaS does not eliminate software development costs; the company still develops and maintains its own application logic, and relying on Google's pre-built APIs would only replace specific components (e.g., authentication or storage), not the entire software. Option C is wrong because SaaS products do not sell themselves; sales and marketing remain essential for customer acquisition, onboarding, and retention, though the sales motion may shift from transactional to relationship-based. Option D is wrong because while SaaS enables automatic updates, it still requires vendor effort to develop, test, and deploy new versions; customers do not upgrade themselves, but the vendor pushes updates to the cloud environment, which is a significant operational change but not effortless.

33
MCQmedium

A retail bank's branch staff currently look up customer information in disconnected systems, requiring multiple logins and manual data consolidation before advising customers. A cloud transformation project unifies customer data into a single 360° view platform accessible from any device. What type of transformation does this primarily represent?

A.Infrastructure modernization — replacing old servers with cloud VMs.
B.Business process and customer experience transformation — unifying data to enable better customer service through digital tools.
C.Security transformation — reducing the number of password logins required.
D.Cost reduction initiative — eliminating duplicate software licenses.
AnswerB

Unifying siloed customer data into a 360° view platform changes business processes (how staff work) and improves customer experience (faster, better-informed service). This is digital transformation, not just IT modernization.

Why this answer

Option B is correct because the project unifies fragmented customer data into a single 360° view platform accessible from any device, directly improving how staff serve customers. This is a business process and customer experience transformation, as it eliminates manual data consolidation and multiple logins, enabling faster, more personalized service through digital tools. The cloud enables this by providing a centralized data store and API-driven access, which is the core of transforming customer interactions rather than just upgrading infrastructure.

Exam trap

Google Cloud often tests the distinction between infrastructure-level changes (like moving to VMs) and business-level transformations (like data unification for customer experience), leading candidates to pick 'infrastructure modernization' when the question emphasizes process and access improvements.

How to eliminate wrong answers

Option A is wrong because infrastructure modernization focuses on replacing physical servers with cloud VMs, but the question describes unifying data and improving access, not just moving compute to the cloud. Option C is wrong because security transformation would involve changes like zero-trust architectures or encryption upgrades, not merely reducing password logins as a side effect of data unification. Option D is wrong because cost reduction is a potential benefit, not the primary transformation type; the project's main goal is enabling better customer service through a unified platform, not eliminating software licenses.

34
MCQhard

A company wants to reduce latency for IoT devices located in remote areas with poor connectivity. They need to preprocess data locally before sending it to the cloud. Which architecture should they use?

A.Deploy Cloud CDN to cache responses.
B.Use edge computing devices that run Cloud IoT Edge and preprocess data.
C.Use Cloud IoT Core with MQTT and process data on the server side.
D.Use a VPN to connect devices directly to the cloud.
AnswerB

Edge computing processes data locally and sends only necessary data to the cloud.

Why this answer

Option B is correct because edge computing devices running Cloud IoT Edge allow local preprocessing of data, reducing the volume of data transmitted over poor connectivity links. This architecture minimizes latency by processing data closer to the source, which is critical for IoT devices in remote areas. Cloud IoT Edge extends Google Cloud's data processing capabilities to the edge, enabling real-time insights without constant cloud connectivity.

Exam trap

The trap here is that candidates often confuse edge computing with CDN caching, thinking both reduce latency similarly, but CDN caches responses for repeated requests while edge computing processes data locally to reduce transmission volume.

How to eliminate wrong answers

Option A is wrong because Cloud CDN caches static content at edge locations to reduce latency for web content delivery, but it does not preprocess IoT device data or address local data reduction before cloud transmission. Option C is wrong because Cloud IoT Core with MQTT handles device connectivity and server-side processing, but it still requires sending raw data over the network, which does not reduce latency or bandwidth usage in poor connectivity scenarios. Option D is wrong because a VPN secures the connection but does not preprocess data locally; it still requires all data to traverse the network to the cloud, which is inefficient with poor connectivity.

35
MCQhard

A cloud architect is explaining to executives why they should use managed services (like Cloud SQL, Memorystore, Pub/Sub) instead of running self-managed equivalents on VMs (PostgreSQL on VM, Redis on VM, RabbitMQ on VM). Which argument best captures the strategic rationale for preferring managed services?

A.Managed services are always less expensive than self-managed alternatives on VMs
B.Managed services transfer undifferentiated operational complexity (patching, backups, HA, scaling) to Google, freeing engineering teams to focus on differentiated business logic rather than infrastructure management
C.Managed services guarantee better performance than self-managed deployments in all scenarios
D.Using managed services eliminates the need for any cloud expertise within the engineering team
AnswerB

This is the strategic argument. 'Undifferentiated heavy lifting' — the operational work common to every company running that software — is what managed services absorb. No company's competitive advantage comes from being better at PostgreSQL patch management; it comes from the applications and insights built on top of databases. Managed services free teams for that differentiated work.

Why this answer

Option B correctly captures the strategic rationale because managed services like Cloud SQL, Memorystore, and Pub/Sub offload undifferentiated heavy lifting—such as automated patching, backup management, high-availability failover, and horizontal scaling—to Google Cloud. This allows engineering teams to focus on building and improving application-specific features rather than spending time on infrastructure tasks that do not provide competitive advantage.

Exam trap

Google Cloud often tests the misconception that managed services are universally cheaper or better performing, when in reality the strategic value lies in reducing operational overhead and allowing teams to focus on business-differentiating work, not in cost or raw performance guarantees.

How to eliminate wrong answers

Option A is wrong because managed services are not always less expensive; they often have higher per-unit costs than self-managed VMs, especially at high sustained usage, due to the premium for operational convenience and built-in features. Option C is wrong because managed services do not guarantee better performance in all scenarios; for example, a self-managed PostgreSQL on a dedicated VM with tuned kernel parameters can outperform a shared Cloud SQL instance under certain workloads. Option D is wrong because using managed services does not eliminate the need for cloud expertise; engineers still need to understand networking, IAM, cost optimization, and service-specific configurations to use them effectively.

36
MCQmedium

A media company needs to transcode and store thousands of video files daily, with variable demand. They want to minimize costs while ensuring fast processing. How does cloud transformation help?

A.Using Cloud Transcoder API and Cloud Storage with lifecycle policies
B.Deploying dedicated physical servers in a colocation facility
C.Using batch scripts on a fixed number of on-premise servers
D.Using Cloud Functions to process each video
AnswerA

Cloud Transcoder auto-scales, and Cloud Storage lifecycle moves old files to cheaper tiers, optimizing cost.

Why this answer

Option A is correct because Cloud Transcoder API provides a serverless, scalable transcoding service that automatically handles variable demand, while Cloud Storage with lifecycle policies (e.g., moving files to Nearline or Archive after 30 days) minimizes storage costs. This combination ensures fast processing without provisioning fixed infrastructure, directly addressing the need for cost efficiency and speed under fluctuating workloads.

Exam trap

Google Cloud often tests the misconception that serverless functions like Cloud Functions are a universal solution for all processing tasks, but candidates fail to consider execution timeouts and resource limits that make them impractical for long-running or resource-intensive jobs like video transcoding.

How to eliminate wrong answers

Option B is wrong because deploying dedicated physical servers in a colocation facility requires upfront capital expenditure and manual scaling, failing to handle variable demand cost-effectively or with fast elasticity. Option C is wrong because batch scripts on a fixed number of on-premise servers cannot auto-scale to meet variable demand, leading to either underutilization (waste) or processing bottlenecks (slowdown). Option D is wrong because Cloud Functions have a maximum timeout of 9 minutes (540 seconds) and limited memory (up to 32GB), making them unsuitable for transcoding large video files that often require longer processing times and more resources.

37
MCQeasy

A company wants to ensure that their confidential data stored in BigQuery cannot be shared outside the company's Google Cloud organization. Which Google Cloud security capability prevents data from being shared with external Google accounts (outside the organization)?

A.Enabling BigQuery data encryption with CMEK to prevent external parties from decrypting shared data
B.The 'Domain Restricted Sharing' organization policy constraint, which prevents IAM policies from granting access to users outside specified trusted domains
C.BigQuery row-level security policies that restrict rows based on user email domain
D.Disabling external IP addresses on all Google Cloud resources to prevent data from leaving the organization's network
AnswerB

Domain Restricted Sharing is the correct control. It's an org policy constraint that makes it impossible to add external users (gmail.com accounts or accounts from other Google Cloud organizations) to any IAM policy in the organization. This prevents accidental or intentional sharing of resources outside the company's domain.

Why this answer

Option B is correct because the 'Domain Restricted Sharing' organization policy constraint (constraints/iam.allowedPolicyMemberDomains) explicitly prevents IAM policies from granting access to principals outside of specified trusted domains. This directly blocks sharing BigQuery data with external Google accounts by enforcing that all IAM members belong to the allowed domains, such as the company's own Google Workspace domain.

Exam trap

The trap here is that candidates often confuse data-at-rest encryption (CMEK) or data filtering (row-level security) with access control, failing to realize that only an organization policy constraint can prevent the initial IAM grant that shares data with external accounts.

How to eliminate wrong answers

Option A is wrong because CMEK (Customer-Managed Encryption Keys) controls encryption at rest but does not prevent data sharing; it only ensures that external parties cannot decrypt the data if they already have access, but it does not block the IAM grant that shares the data. Option C is wrong because BigQuery row-level security policies restrict which rows a user can see within a table based on user attributes like email domain, but they do not prevent the table from being shared with external accounts via IAM; they only filter data after access is granted. Option D is wrong because disabling external IP addresses prevents network-level egress but does not affect data sharing through BigQuery's API or IAM; data can still be shared with external accounts via authorized views, datasets, or IAM roles without any external IP traffic.

38
MCQhard

An organization has multiple projects and wants to aggregate logs from all projects into a single bucket for long-term retention and compliance. What should they do?

A.Use log sinks to route logs to a BigQuery dataset
B.Enable VPC Flow Logs
C.Use Cloud Logging's aggregation view
D.Use log sinks to route logs to a Cloud Storage bucket in a central project
AnswerD

Cloud Storage provides durable, low-cost storage for log retention.

Why this answer

Option D is correct because log sinks in Cloud Logging can route logs from multiple source projects to a centralized Cloud Storage bucket in a separate project. This meets the requirement for long-term retention and compliance, as Cloud Storage provides durable, cost-effective archival storage with lifecycle management policies.

Exam trap

Google Cloud often tests the distinction between log aggregation for querying (aggregation views) versus log routing for centralized storage (log sinks), leading candidates to choose the aggregation view when the requirement is for long-term retention and compliance.

How to eliminate wrong answers

Option A is wrong because routing logs to a BigQuery dataset is optimized for real-time analytics and querying, not for long-term retention and compliance where cost-effective archival storage is needed. Option B is wrong because VPC Flow Logs only capture network traffic metadata within a VPC, not application or system logs from multiple projects, and they do not aggregate logs across projects. Option C is wrong because Cloud Logging's aggregation view is a feature for querying logs across multiple projects in the Logs Explorer, but it does not export or store logs in a centralized bucket for retention and compliance.

39
MCQeasy

A startup is building a read-heavy mobile backend. They want a database that can scale out reads without downtime. Which database service should they choose?

A.Cloud Firestore.
B.Cloud Spanner.
C.Cloud Bigtable.
D.Cloud SQL with read replicas.
AnswerD

Cloud SQL read replicas allow scaling read capacity without downtime, as replicas are created asynchronously and can be promoted if needed.

Why this answer

Cloud SQL with read replicas is the correct choice because it allows you to offload read traffic to one or more read replicas, scaling out reads without downtime. Read replicas are asynchronous replicas of the primary instance, and you can promote them to standalone instances if needed, making this ideal for a read-heavy mobile backend that requires high availability.

Exam trap

Google Cloud often tests the misconception that any NoSQL or globally distributed database is automatically better for scaling reads, when in fact Cloud SQL with read replicas is the simplest, most cost-effective, and downtime-free solution for a read-heavy relational workload.

How to eliminate wrong answers

Option A is wrong because Cloud Firestore is a NoSQL document database designed for real-time sync and mobile/web apps, but it does not support traditional SQL read replicas and its scaling model is not optimized for the same kind of read-heavy relational workload. Option B is wrong because Cloud Spanner is a globally distributed, strongly consistent relational database that scales horizontally, but it is overkill and significantly more expensive for a simple read-heavy mobile backend, and it does not use the same read replica model as Cloud SQL. Option C is wrong because Cloud Bigtable is a wide-column NoSQL database optimized for large analytical and operational workloads (e.g., time-series, IoT), not for transactional read-heavy mobile backends with SQL queries, and it lacks built-in read replica support for scaling reads without downtime.

40
MCQhard

A security team wants to get a comprehensive, organization-wide view of security misconfigurations (such as publicly accessible storage buckets, VMs without firewalls, and IAM overprivilege), vulnerabilities in container images, and active threats across all Google Cloud projects. Which Google Cloud service provides this unified security posture management?

A.Cloud Monitoring — it detects security anomalies through metric analysis.
B.Security Command Center (SCC) — unified security posture management across all GCP projects.
C.Cloud Audit Logs — they show all API calls that could indicate security issues.
D.Cloud DLP — it scans all resources for sensitive data exposure.
AnswerB

SCC provides org-wide asset inventory, misconfiguration findings, vulnerability scanning, threat detection, and compliance posture assessment — the single pane of glass for GCP security.

Why this answer

Security Command Center (SCC) is the correct answer because it is Google Cloud's native, unified security and risk management platform that provides continuous monitoring for misconfigurations (e.g., publicly accessible storage buckets, VMs without firewalls, IAM overprivilege), vulnerability scanning for container images, and threat detection across all projects in an organization. It aggregates findings from services like Cloud Asset Inventory, Web Security Scanner, and Event Threat Detection into a single dashboard, enabling comprehensive security posture management.

Exam trap

Cisco often tests the distinction between a security monitoring service (Cloud Monitoring) and a dedicated security posture management service (Security Command Center), leading candidates to pick Cloud Monitoring because they confuse metric-based anomaly detection with comprehensive security posture assessment.

How to eliminate wrong answers

Option A is wrong because Cloud Monitoring is focused on collecting metrics, logs, and events for performance and availability monitoring, not on scanning for security misconfigurations, vulnerabilities, or active threats; it lacks the built-in security findings engine and posture management capabilities of SCC. Option C is wrong because Cloud Audit Logs record API call activity for compliance and forensic analysis but do not actively scan for misconfigurations, vulnerabilities, or provide a unified security posture dashboard; they are a data source, not a management service. Option D is wrong because Cloud DLP specializes in discovering, classifying, and protecting sensitive data (e.g., PII, credit card numbers) using inspection and de-identification techniques, not in assessing security misconfigurations, container vulnerabilities, or active threats across cloud resources.

41
MCQhard

A company's SRE team is debating whether to automate a frequently performed manual operational task. The automation would take 4 weeks of engineering time to build. The manual task takes 30 minutes per occurrence and happens approximately 20 times per month. Using the SRE concept of 'toil,' how should the team approach this decision?

A.Do not automate — the manual task is only 10 hours per month and the 4-week build cost is too high to justify
B.Build the automation: eliminating toil permanently is a core SRE principle, and the 4-week investment pays back within approximately 16 months while freeing engineers for higher-value reliability work indefinitely
C.Hire an additional junior engineer to perform the manual task more efficiently instead of automating
D.The team cannot make this decision without knowing the exact annual salary cost of the engineers who perform the manual task
AnswerB

This is the SRE-aligned answer. Toil elimination is a core SRE value. The math: 10 hours/month saved, 160 hours invested → 16 month payback. But the more important point is that automation eliminates the toil permanently and scales with service growth, while manual toil grows proportionally. SREs should invest in eliminating toil even with moderate payback periods.

Why this answer

Option B is correct because automating toil aligns with the core SRE principle of eliminating repetitive, manual work to free engineers for higher-value reliability tasks. The 4-week build cost is justified: 20 occurrences/month × 0.5 hours = 10 hours/month, so the payback period is 4 weeks × 40 hours/week ÷ 10 hours/month = 16 months, after which the team gains indefinite time savings. This decision does not require exact salary data, as the primary goal is reducing toil, not purely cost optimization.

Exam trap

Cisco often tests the misconception that automation decisions require detailed financial cost analysis (like salary data) rather than the SRE principle of prioritizing toil elimination for long-term reliability gains, leading candidates to pick Option D or A.

How to eliminate wrong answers

Option A is wrong because it incorrectly treats the 4-week build cost as too high without considering the long-term cumulative savings and the SRE principle that eliminating toil permanently is a core goal, not just a cost-benefit analysis. Option C is wrong because hiring an additional junior engineer does not eliminate toil; it merely shifts the manual work to another person, violating the SRE principle of reducing operational overhead and increasing system reliability through automation. Option D is wrong because the decision to automate toil is based on the SRE concept of reducing manual effort and improving reliability, not solely on salary costs; the team can justify automation without exact salary figures by focusing on the toil reduction and long-term engineering productivity gains.

42
Matchingmedium

Match each Google Cloud pricing concept to its definition.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Automatic discounts for running instances most of the month

Discounts for committing to 1 or 3 years of usage

Short-lived, low-cost instances for batch jobs

Limited free usage of selected GCP services

Committed Use Discounts (abbreviation)

Why these pairings

These are key pricing models in Google Cloud.

43
MCQmedium

A company uses Cloud SQL for MySQL and wants to ensure that data is encrypted at rest using customer-managed keys. They also need to rotate the key every 90 days. What should they do?

A.Use customer-supplied encryption keys (CSEK) with Cloud SQL
B.Use default Google-managed encryption and rotate the key using Cloud KMS
C.Enable CMEK on the Cloud SQL instance and rotate the key in Cloud KMS
D.Bring your own key (BYOK) without using Cloud KMS
AnswerC

Cloud SQL can be configured with a CMEK key from Cloud KMS, and the key can be rotated as needed.

Why this answer

Option C is correct because Cloud SQL supports Customer-Managed Encryption Keys (CMEK) via integration with Cloud KMS. By enabling CMEK on the Cloud SQL instance, you can use a key you create and manage in Cloud KMS, and you can set a rotation period (e.g., 90 days) on that key in Cloud KMS. This ensures data at rest is encrypted with a key you control and that is automatically rotated according to your schedule.

Exam trap

The trap here is that candidates confuse CSEK (Compute Engine/Cloud Storage) with CMEK (Cloud SQL, BigQuery, etc.) and assume any customer-managed key option works for Cloud SQL, or they think default Google-managed keys can be rotated by the customer.

How to eliminate wrong answers

Option A is wrong because Cloud SQL does not support customer-supplied encryption keys (CSEK); CSEK is a feature of Compute Engine and Cloud Storage, not Cloud SQL. Option B is wrong because default Google-managed encryption cannot be rotated by the customer; rotation of Google-managed keys is handled internally by Google and not configurable by the user. Option D is wrong because BYOK without Cloud KMS is not a supported mechanism for Cloud SQL; Cloud SQL requires the use of Cloud KMS to manage customer-managed keys for encryption at rest.

44
MCQmedium

A startup is building a web application and wants to avoid managing servers or operating systems. They need to deploy code quickly and scale automatically. Which cloud service model best meets these requirements?

A.Function as a Service (FaaS)
B.Software as a Service (SaaS)
C.Platform as a Service (PaaS)
D.Infrastructure as a Service (IaaS)
AnswerC

PaaS provides a managed platform for deploying code without server management.

Why this answer

Platform as a Service (PaaS) is the correct choice because it abstracts the underlying infrastructure (servers, OS, storage) while providing a managed platform for deploying and scaling web applications. The startup can focus on writing code and pushing updates without managing operating systems or servers, and PaaS platforms like Google App Engine or AWS Elastic Beanstalk offer automatic scaling based on demand.

Exam trap

Google Cloud often tests the distinction between PaaS and FaaS by making candidates think that FaaS (serverless) is the only way to avoid managing servers, but PaaS also abstracts servers while supporting full web applications with persistent state and longer execution times.

How to eliminate wrong answers

Option A is wrong because Function as a Service (FaaS) is designed for event-driven, stateless functions that run in short bursts, not for deploying a full web application that requires persistent state or long-running processes. Option B is wrong because Software as a Service (SaaS) delivers ready-to-use applications to end users, not a platform for the startup to deploy and manage their own code. Option D is wrong because Infrastructure as a Service (IaaS) provides virtualized servers, storage, and networking, which still requires the startup to manage operating systems, patches, and scaling manually, contradicting the requirement to avoid managing servers or OS.

45
MCQmedium

A company's security policy requires that when an employee is terminated, their access to all cloud resources must be revoked immediately — including any active sessions. Which approach most comprehensively achieves this in a Google Cloud environment integrated with Google Workspace?

A.Manually reviewing and removing the employee's IAM bindings across all Google Cloud projects one by one
B.Disabling the employee's Google Workspace account (which immediately invalidates all active sessions and prevents new authentication), then auditing for and revoking any service account keys they created
C.Changing the employee's password immediately — they can no longer log in with the old password
D.Waiting until the end of the business day to revoke access to avoid disrupting active workflows
AnswerB

This is the comprehensive approach. Disabling the Workspace identity immediately invalidates all active OAuth tokens and prevents new sign-ins — all GCP access based on that identity stops instantly. Auditing for service account keys they created closes the remaining gap (keys are separate credentials not tied to the user account).

Why this answer

Disabling the Google Workspace account immediately invalidates all active sessions and prevents new authentication because Google Cloud IAM relies on the Workspace identity for user-based access. This single action revokes access across all Google Cloud projects and services that use that identity, including Cloud Console, gcloud CLI, and API sessions. Auditing and revoking service account keys the user created is necessary because those keys are not tied to the user's Workspace account and remain valid until explicitly deleted.

Exam trap

Cisco often tests the misconception that changing a password or removing IAM roles is sufficient for immediate session termination, when in fact only disabling the identity account (or revoking tokens) stops active sessions — OAuth tokens are not invalidated by password changes or role removals.

How to eliminate wrong answers

Option A is wrong because manually reviewing and removing IAM bindings across projects is slow, error-prone, and does not terminate active sessions — the user's existing tokens and sessions remain valid until they expire. Option C is wrong because changing the password only prevents new logins; it does not invalidate existing OAuth 2.0 access tokens or refresh tokens, so active sessions and API calls continue until token expiry (typically 1 hour). Option D is wrong because waiting until the end of the business day violates the security policy requirement for immediate revocation and leaves a window for unauthorized access or data exfiltration.

46
MCQhard

A global e-commerce company needs to deliver content to users quickly regardless of location. Which Google Cloud service can cache content at edge locations to reduce latency?

A.Cloud Storage
B.Cloud CDN
C.Cloud Load Balancing
D.Cloud Interconnect
AnswerB

Cloud CDN uses global edge caches to reduce latency for content delivery.

Why this answer

Cloud CDN (Content Delivery Network) uses Google's globally distributed edge caches to deliver content from the nearest point of presence (PoP) to the user, significantly reducing latency. It integrates with Cloud Load Balancing and Cloud Storage to cache static and dynamic content, accelerating delivery for a global e-commerce platform.

Exam trap

Google Cloud often tests the distinction between services that route traffic (Cloud Load Balancing) and services that cache content (Cloud CDN), leading candidates to confuse load balancing with content delivery.

How to eliminate wrong answers

Option A is wrong because Cloud Storage is an object storage service for storing and retrieving data, not a caching layer; it does not cache content at edge locations to reduce latency. Option C is wrong because Cloud Load Balancing distributes incoming traffic across backend instances but does not cache content; it can be used with Cloud CDN but alone does not provide edge caching. Option D is wrong because Cloud Interconnect provides dedicated network connectivity between on-premises and Google Cloud, reducing latency through direct peering, but it does not cache content at edge locations.

47
MCQeasy

A developer wants to deploy a containerized web application without managing servers, clusters, or Kubernetes configuration. The application should automatically scale to zero when not in use and handle bursts of traffic. Which Google Cloud service is the best fit?

A.Google Kubernetes Engine (GKE)
B.Cloud Run
C.Compute Engine
D.App Engine Standard
AnswerB

Cloud Run is fully managed serverless for containers. No Kubernetes, no cluster management — just deploy the container and Cloud Run handles scaling (including to zero), networking, and infrastructure.

Why this answer

Cloud Run is the best fit because it is a fully managed serverless container platform that automatically scales to zero when idle and scales up to handle traffic bursts, without requiring any server, cluster, or Kubernetes configuration. The developer simply deploys a container image, and Cloud Run handles all infrastructure management, including scaling and load balancing.

Exam trap

The trap here is that candidates often confuse Cloud Run with App Engine Standard, thinking both support containers, but App Engine Standard requires specific language runtimes and does not allow custom container images, while Cloud Run is purpose-built for containerized workloads with automatic zero-scaling.

How to eliminate wrong answers

Option A is wrong because Google Kubernetes Engine (GKE) requires managing a Kubernetes cluster, even with Autopilot mode, and does not automatically scale to zero — at least one node is always running. Option C is wrong because Compute Engine requires managing virtual machines, scaling configurations, and does not scale to zero; you pay for running instances even when idle. Option D is wrong because App Engine Standard does not support arbitrary containerized applications — it requires using specific runtimes and does not allow full container image deployment.

48
Drag & Dropmedium

Drag and drop the steps to set up a Cloud SQL for MySQL instance with a private IP address into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

The process requires setting up the VPC first, then creating the Cloud SQL instance with a private IP, and finally connecting from a VM.

49
MCQhard

An operations team has been asked to estimate the annual cost impact of a proposed new cloud architecture. The architecture would replace 50 on-demand n2-standard-4 VMs (running 24/7) with an autoscaling group that averages 10 VMs under normal load but scales to 50 during peak hours (approximately 8 hours per day). Which analytical approach best estimates the cost impact?

A.Assume the autoscaling group always runs at average load (10 VMs) and multiply by the annual hours to get the new cost
B.Model the actual usage pattern: calculate cost for (16 normal hours × 10 VMs) + (8 peak hours × 50 VMs) per day, compare to fixed cost of 50 VMs × 24 hours, and use Google Cloud Pricing Calculator to price the VM type
C.Request a custom quote from Google Cloud sales since pricing for autoscaling groups is negotiated individually
D.The cost will be identical since autoscaling groups use the same VM type as the fixed fleet
AnswerB

This is the correct approach. Per day: 16 × 10 = 160 VM-hours (normal) + 8 × 50 = 400 VM-hours (peak) = 560 VM-hours. Fixed: 50 × 24 = 1,200 VM-hours. Autoscaling uses 53% fewer VM-hours. Pricing Calculator gives the $/VM-hour to calculate actual dollar savings.

Why this answer

Option B is correct because it accurately models the variable usage pattern of the autoscaling group: 16 hours at 10 VMs plus 8 peak hours at 50 VMs per day. This approach then compares the daily cost to the fixed 50 VMs × 24 hours baseline, using the Google Cloud Pricing Calculator to price the n2-standard-4 instance type. This reflects the pay-per-use billing model of Google Compute Engine, where autoscaling does not change per-VM pricing but reduces total cost by running fewer instances during off-peak hours.

Exam trap

The trap here is that candidates assume autoscaling changes the per-VM pricing or requires special negotiation, when in fact it simply adjusts the number of running instances, and the cost impact is purely a function of total VM-hours at the standard on-demand rate.

How to eliminate wrong answers

Option A is wrong because assuming the autoscaling group always runs at the average of 10 VMs ignores the 8 peak hours where it scales to 50 VMs, significantly underestimating the actual cost. Option C is wrong because autoscaling groups use standard on-demand VM pricing; no custom quote is needed, and Google Cloud does not negotiate individual pricing for standard autoscaling configurations. Option D is wrong because the cost is not identical; the autoscaling group runs fewer total VM-hours per day (16×10 + 8×50 = 560 VM-hours) compared to the fixed fleet (24×50 = 1200 VM-hours), resulting in a lower cost despite using the same VM type.

50
MCQhard

A chief digital officer is designing a transformation roadmap. She argues that cloud adoption must be accompanied by organizational changes to be effective. Which organizational change is most critical for realizing the full potential of cloud technology?

A.Replacing all existing employees with new hires who have cloud certifications
B.Shifting from project-based, siloed IT teams to persistent, cross-functional product teams that own services end-to-end — enabling continuous delivery and rapid iteration aligned with cloud-native operating models
C.Moving IT from a cost center to a profit center by charging business units market rates for cloud services
D.Outsourcing all cloud operations to a managed service provider so internal teams can focus on business strategy
AnswerB

This is the foundational organizational change. Product teams (engineering + product + design, owning a service from dev through production) align with cloud-native's microservices, CI/CD, and DevOps principles. They can iterate continuously rather than waiting for quarterly release cycles. Without this structural change, cloud technology's agility benefits are blocked by organizational process bottlenecks.

Why this answer

Option B is correct because cloud-native operating models (e.g., microservices, containers, CI/CD) require persistent, cross-functional product teams that own services end-to-end. This structure enables continuous delivery, rapid iteration, and aligns with DevOps practices, which are essential for leveraging cloud elasticity and automation. Without this organizational shift, technical cloud adoption alone often fails to deliver expected agility and cost efficiencies.

Exam trap

Google Cloud often tests the misconception that cloud adoption is purely a technology migration, when in fact the most critical success factor is the accompanying organizational and cultural shift to product-oriented, cross-functional teams.

How to eliminate wrong answers

Option A is wrong because replacing all employees ignores the need for institutional knowledge and cultural change; cloud success requires upskilling existing teams, not wholesale replacement. Option C is wrong because moving IT to a profit center via chargebacks can create friction and misaligned incentives, but it does not address the fundamental need for cross-functional collaboration and service ownership. Option D is wrong because outsourcing cloud operations to a managed service provider can reduce operational burden, but it does not drive the internal organizational transformation needed for cloud-native development and continuous delivery.

51
MCQmedium

An organization wants to modernize its on-premises applications. The IT team identifies three types of applications: legacy apps that can only move with significant refactoring, custom-built apps that can be containerized and moved as-is, and applications that can be replaced entirely by SaaS solutions. This categorization approach is called what?

A.Disaster recovery planning
B.Application portfolio assessment using migration strategies (the 6 Rs framework)
C.Capacity planning for on-premises servers
D.Software development lifecycle (SDLC) planning
AnswerB

The 6 Rs framework (Rehost, Replatform, Refactor, Repurchase, Retire, Retain) categorizes each application by its appropriate migration approach — the standard framework for cloud migration planning.

Why this answer

The scenario describes categorizing applications based on their migration path: legacy apps requiring refactoring, custom apps suitable for containerization, and apps replaceable by SaaS. This directly aligns with the '6 Rs' framework (Rehost, Replatform, Refactor, Repurchase, Retire, Retain) used in application portfolio assessment for cloud migration. Option B is correct because the 6 Rs provide a structured way to evaluate and classify each application's optimal migration strategy.

Exam trap

Cisco often tests the 6 Rs framework by describing a specific migration scenario and asking for the correct 'R' term; the trap here is confusing 'application portfolio assessment' with generic IT planning terms like capacity planning or SDLC, which are unrelated to migration strategy categorization.

How to eliminate wrong answers

Option A is wrong because disaster recovery planning focuses on backup, failover, and business continuity after migration, not on categorizing applications by their migration approach. Option C is wrong because capacity planning deals with sizing compute, storage, and network resources for on-premises servers, not with classifying applications into migration strategies like refactoring or SaaS replacement. Option D is wrong because SDLC planning covers the phases of software development (requirements, design, coding, testing, deployment), not the categorization of existing applications for cloud migration.

52
MCQmedium

A team deploys microservices on GKE with Horizontal Pod Autoscaler (HPA). They want to scale based on custom metrics from third-party monitoring. What must they do first?

A.Use Cluster Autoscaler.
B.Install the custom metrics API adapter.
C.Enable Cloud Monitoring and configure custom metrics.
D.Use Vertical Pod Autoscaler.
AnswerB

An adapter (e.g., Prometheus adapter, Stackdriver adapter) exposes custom metrics to the HPA via the custom.metrics.k8s.io API.

Why this answer

B is correct because Horizontal Pod Autoscaler (HPA) in GKE relies on the custom.metrics.k8s.io API to retrieve custom metrics from external monitoring systems. To expose these metrics to the HPA, you must install a custom metrics API adapter (e.g., the Prometheus Adapter or Google Cloud's custom-metrics-stackdriver-adapter) that translates the third-party monitoring data into the format the Kubernetes API server expects. Without this adapter, the HPA cannot query the custom metrics and will fail to scale.

Exam trap

Google Cloud often tests the misconception that enabling a monitoring service (like Cloud Monitoring) alone is sufficient for HPA to use custom metrics, when in fact a dedicated API adapter is required to expose those metrics to the Kubernetes control plane.

How to eliminate wrong answers

Option A is wrong because Cluster Autoscaler manages node-level scaling (adding/removing nodes), not pod-level scaling based on custom metrics; it operates independently of HPA and does not expose custom metrics to the Kubernetes API. Option C is wrong because while Cloud Monitoring can ingest custom metrics, simply enabling it and configuring custom metrics does not make them available to the HPA; you still need the custom metrics API adapter to bridge Cloud Monitoring's data into the custom.metrics.k8s.io API. Option D is wrong because Vertical Pod Autoscaler adjusts CPU/memory requests of pods, not replica count, and it does not use custom metrics from third-party monitoring; it relies on resource usage metrics from the metrics-server.

53
MCQeasy

A software team is using Google Cloud and wants to understand the difference between 'scaling up' (vertical scaling) and 'scaling out' (horizontal scaling) for their web application. Which description correctly distinguishes these two approaches?

A.Scaling up adds more servers to handle increased load; scaling out makes each server more powerful by adding CPU and RAM
B.Vertical scaling (scaling up) increases the resources of an individual server (more CPU, RAM), while horizontal scaling (scaling out) adds more servers to distribute load — horizontal scaling is generally preferred in cloud environments for its flexibility and lack of a ceiling
C.Both scaling up and scaling out describe the same approach — adding more cloud resources to handle increased demand
D.Scaling up is only possible in cloud environments; on-premises systems can only scale out
AnswerB

This correctly defines both approaches and notes the cloud preference for horizontal scaling. Cloud autoscaling is built on horizontal scale — adding identical instances behind a load balancer. Vertical scaling is limited by maximum available machine sizes and often requires downtime for resize.

Why this answer

Option B correctly distinguishes vertical scaling (scaling up) as increasing the resources (CPU, RAM) of an existing server, and horizontal scaling (scaling out) as adding more servers to distribute the load. In cloud environments like Google Cloud, horizontal scaling is generally preferred because it offers near-infinite scalability, better fault tolerance, and no single point of failure, unlike vertical scaling which has a hardware ceiling and can cause downtime during upgrades.

Exam trap

Google Cloud often tests the reversal of definitions—candidates mistakenly think 'scaling up' means adding more servers because 'up' sounds like 'more,' but the correct distinction is that 'up' refers to increasing the power of a single server, while 'out' refers to adding more servers.

How to eliminate wrong answers

Option A is wrong because it reverses the definitions: scaling up increases server resources, not adds more servers, and scaling out adds more servers, not makes a single server more powerful. Option C is wrong because scaling up and scaling out are fundamentally different approaches—vertical scaling increases capacity of a single node, while horizontal scaling distributes load across multiple nodes. Option D is wrong because scaling up is possible in both cloud and on-premises environments (e.g., adding RAM to a physical server), and on-premises systems can also scale out by adding more physical servers; the statement is factually incorrect.

54
MCQhard

An organization's Chief Digital Officer is building a case for cloud investment by framing it in terms of 'cloud as a strategic asset rather than a cost center.' Which argument most strongly supports this framing?

A.Cloud reduces data center costs, making IT a more efficient cost center rather than a business liability
B.Cloud enables new revenue streams, faster product launches, data-driven competitive differentiation, and innovation capabilities that directly drive business growth — making cloud investment as strategic as R&D or customer acquisition
C.Cloud is always less expensive than on-premises, so it should be viewed as a cost-savings program rather than a strategic investment
D.Cloud providers assume liability for all security breaches, making cloud a risk-reduction tool rather than a strategic enabler
AnswerB

This reframes cloud from cost to value creation. New products built faster on cloud generate revenue. AI/ML capabilities built on cloud drive better decisions. Developer productivity improvements from cloud platforms accelerate innovation. These are the same arguments used for R&D investment — strategic, not operational.

Why this answer

Option B is correct because it directly aligns with the framing of 'cloud as a strategic asset' by highlighting how cloud computing enables new revenue streams, faster product launches, data-driven differentiation, and innovation — all of which drive business growth. This contrasts with viewing cloud purely as a cost center, as it emphasizes competitive advantage and long-term value creation, similar to R&D or customer acquisition investments.

Exam trap

Google Cloud often tests the misconception that cloud's primary value is cost reduction, leading candidates to choose options that emphasize savings or risk transfer, while the correct answer requires recognizing cloud as a driver of business innovation and competitive advantage.

How to eliminate wrong answers

Option A is wrong because it frames cloud investment solely as a cost-reduction measure (reducing data center costs), which reinforces the 'cost center' mindset rather than positioning cloud as a strategic asset. Option C is wrong because it incorrectly claims cloud is always less expensive than on-premises, which is not universally true due to variable costs, data egress fees, and workload-specific pricing; it also reduces cloud to a cost-savings program, contradicting the strategic asset framing. Option D is wrong because it misrepresents cloud providers' liability — in reality, the shared responsibility model means the customer retains liability for data and application security, not the provider; framing cloud as a risk-reduction tool ignores its strategic potential.

55
Matchingmedium

Match each Google Cloud DevOps tool to its purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Continuous integration/continuous delivery (CI/CD)

Managed continuous delivery for applications

Store and manage container images and packages

Private Git repositories hosted on GCP

Monitoring, logging, and diagnostics suite

Why these pairings

These are key tools in Google Cloud's DevOps pipeline.

56
MCQeasy

A company wants to add location-based features to their mobile app: showing nearby stores, calculating driving routes, and embedding interactive maps. Which Google Cloud platform provides these mapping and location services?

A.Cloud Spanner — it stores geolocation data with ACID transactions.
B.Google Maps Platform
C.Cloud IoT Core — it tracks device locations in real time.
D.BigQuery Geo Viz — it visualizes geographic data on a map.
AnswerB

Google Maps Platform provides APIs for all described use cases: Maps (embed interactive maps), Directions/Routes (routing), Places (nearby stores), Geocoding (address lookup). Available via API key with usage-based pricing.

Why this answer

Google Maps Platform is the correct choice because it provides the specific APIs needed for location-based features: Places API for nearby stores, Directions API for driving routes, and Maps SDK for embedding interactive maps. Cloud Spanner, IoT Core, and BigQuery Geo Viz are not designed to deliver these front-end mapping and routing services.

Exam trap

Google Cloud often tests the misconception that any Google Cloud service that can store or visualize geographic data (like Cloud Spanner or BigQuery Geo Viz) is equivalent to a dedicated mapping platform, but the question specifically asks for the platform that *provides* mapping and location services, not just stores or displays data.

How to eliminate wrong answers

Option A is wrong because Cloud Spanner is a globally distributed relational database service for ACID transactions, not a mapping or location services platform; it can store geolocation data but does not provide APIs for showing nearby stores, calculating routes, or embedding maps. Option C is wrong because Cloud IoT Core is a service for connecting, managing, and ingesting data from IoT devices, and while it can track device locations via telemetry, it does not offer mapping APIs or interactive map embedding. Option D is wrong because BigQuery Geo Viz is a visualization tool for geographic data stored in BigQuery, not a platform that provides real-time location-based features like nearby store lookup or driving route calculation.

57
MCQmedium

Refer to the exhibit. The autoscaler is configured to maintain a target CPU utilization of 0.6. Currently the group has 10 instances, but the autoscaler is not scaling up even though CPU utilization is above 0.8. What is the most likely reason?

A.The maximum number of instances is set to 10
B.The autoscaler is disabled
C.The instance template is misconfigured
D.The autoscaler cooldown period is preventing new instances
AnswerA

If max instances is 10, the autoscaler cannot scale beyond that even if target is higher.

Why this answer

The autoscaler is configured to maintain a target CPU utilization of 0.6, but the current CPU utilization is above 0.8. Despite this, the autoscaler is not scaling up. The most likely reason is that the maximum number of instances is set to 10, and the group has already reached that limit.

In Google Cloud, the autoscaler will not create new instances beyond the configured maximum, even if the target utilization is exceeded.

Exam trap

Google Cloud often tests the misconception that the autoscaler will always scale up when utilization exceeds the target, ignoring the hard limit of the maximum instance count, which is a common configuration oversight.

How to eliminate wrong answers

Option B is wrong because if the autoscaler were disabled, it would not be monitoring CPU utilization at all, and the question states the autoscaler is configured and active (it is not scaling up, not failing to monitor). Option C is wrong because a misconfigured instance template would affect the creation of new instances or their behavior, but it would not prevent the autoscaler from attempting to scale up; the autoscaler would still try to add instances and fail with an error, not remain idle. Option D is wrong because the cooldown period prevents new instances from being added immediately after a scaling event to allow metrics to stabilize, but it does not permanently block scaling; once the cooldown expires, the autoscaler would act if the CPU is still above the target.

58
MCQmedium

A company's application stores user passwords. Their security team says passwords must be stored as hashes, never in plaintext. They want to ensure this requirement is met even if a database is compromised. Why is password hashing (with salt) the correct approach?

A.Hashing passwords allows the application to recover the original password when users forget it.
B.Hashing with salt makes stored passwords irreversible — even if the database is stolen, attackers cannot recover the original passwords without computationally intensive per-user brute force.
C.Storing passwords as hashes allows sharing them between systems for single sign-on.
D.Google Cloud automatically encrypts all database contents, making password hashing unnecessary.
AnswerB

One-way hashing means compromised databases expose only hashes. Salting defeats precomputed attacks. Cracking each individually is computationally expensive, protecting users even after a breach.

Why this answer

Password hashing with salt is the correct approach because it transforms passwords into irreversible digests. Even if the database is compromised, an attacker cannot recover the original passwords without performing a computationally expensive brute-force attack on each salted hash individually. This ensures the plaintext password is never stored or recoverable, meeting the security requirement.

Exam trap

The trap here is that candidates may confuse encryption (which is reversible) with hashing (which is one-way), or assume that cloud encryption alone satisfies the requirement, ignoring the application's own storage logic.

How to eliminate wrong answers

Option A is wrong because hashing is a one-way function; the application cannot recover the original password from the hash — it can only verify a candidate password by re-hashing and comparing. Option C is wrong because password hashes are not designed for sharing between systems for single sign-on; SSO typically uses tokens or federated identity protocols (e.g., SAML, OAuth), not raw password hashes. Option D is wrong because Google Cloud's encryption-at-rest protects data in storage but does not prevent the application from storing plaintext passwords; the requirement is about the application's own storage practice, not infrastructure encryption.

59
MCQeasy

A company wants to use computing resources over the internet without managing physical servers. The cloud provider manages the underlying hardware and virtualization, while the company manages the operating system, middleware, and applications. Which cloud service model does this describe?

A.Software as a Service (SaaS)
B.Infrastructure as a Service (IaaS)
C.Platform as a Service (PaaS)
D.Function as a Service (FaaS)
AnswerB

IaaS provides virtualized compute, storage, and networking. The provider manages physical infrastructure; the customer manages OS, middleware, and applications. Compute Engine is Google's IaaS offering.

Why this answer

This scenario describes Infrastructure as a Service (IaaS) because the cloud provider manages the physical hardware and virtualization layer, while the customer retains control over the operating system, middleware, and applications. In IaaS, the provider offers virtualized computing resources (e.g., virtual machines, storage, networks) via APIs or dashboards, and the customer is responsible for OS patches, application configuration, and middleware management. This matches the given split of responsibilities exactly.

Exam trap

Cisco often tests the distinction between IaaS and PaaS by describing a scenario where the customer manages the OS — many candidates mistakenly choose PaaS because they associate 'platform' with application deployment, but PaaS removes OS management from the customer entirely.

How to eliminate wrong answers

Option A is wrong because Software as a Service (SaaS) delivers fully managed applications to end users, where the provider handles everything including the OS, middleware, and application code — the customer only configures usage settings, not the underlying stack. Option C is wrong because Platform as a Service (PaaS) provides a managed runtime environment where the provider handles the OS and middleware, and the customer only deploys and manages their own application code — the customer does not manage the OS or middleware. Option D is wrong because Function as a Service (FaaS) is a serverless compute model where the provider manages all infrastructure, including the OS and runtime, and the customer only uploads individual functions that execute in stateless containers — the customer has no control over the OS or middleware.

60
MCQhard

A security architect is evaluating Google Cloud's approach to securing customer data against both external attackers and potential internal Google personnel access. She identifies four distinct controls: (1) encryption at rest by default, (2) Access Transparency logs, (3) Customer-Managed Encryption Keys (CMEK), and (4) Access Approval. How do these four controls work together to provide layered data protection?

A.All four controls are redundant and address the same threat — customers only need to enable one of them
B.The four controls form complementary layers: default encryption protects physical storage, CMEK gives cryptographic customer control (revocable), Access Transparency provides visibility into Google personnel access, and Access Approval gives customers veto power — together addressing infrastructure attacks, insider threats, and provider access concerns
C.These controls are only relevant for government or military workloads; commercial enterprises don't need this level of protection
D.CMEK alone provides complete data protection — the other three controls are unnecessary if customer-managed keys are in use
AnswerB

This correctly describes the layered defense. Default encryption: protects against physical media theft. CMEK: customer controls the key — can cryptographically revoke Google's ability to decrypt. Access Transparency: audit trail of provider access. Access Approval: proactive veto before access. Together they provide defense at every layer of the provider access concern.

Why this answer

Option B is correct because these four controls form a defense-in-depth strategy for data protection on Google Cloud. Default encryption at rest secures data on physical storage, CMEK provides cryptographic control with the ability to revoke access, Access Transparency logs offer visibility into Google personnel actions, and Access Approval gives customers the ability to veto access requests. Together, they address threats from infrastructure attacks, insider threats, and provider access concerns, creating a layered security model.

Exam trap

Google Cloud often tests the misconception that encryption alone is sufficient for data protection, ignoring the need for access transparency and approval mechanisms to address insider threats and provider access concerns.

How to eliminate wrong answers

Option A is wrong because the controls are not redundant; each addresses a distinct threat vector (e.g., encryption at rest protects against physical theft, while Access Approval controls administrative access). Option C is wrong because these controls are applicable to all workloads, not just government or military; Google Cloud recommends them for any organization needing compliance or data sovereignty. Option D is wrong because CMEK alone does not provide complete protection; it lacks visibility (Access Transparency) and veto capability (Access Approval) for Google personnel access, and does not cover default encryption for all data.

61
MCQmedium

A cloud operations team wants to ensure that all cloud resources created in their Google Cloud organization comply with company naming standards and required cost allocation labels. Which Google Cloud capability can automatically enforce these standards on resource creation?

A.Cloud Billing reports, which flag resources missing required labels after they are created
B.Organization Policy Service with custom constraints or required label policies that prevent resource creation if naming and label standards are not met
C.Cloud Monitoring alerts that notify the team when non-compliant resources are detected
D.Cloud IAM roles that only grant resource creation permissions to employees who have passed a naming standards training
AnswerB

Organization Policy Service allows defining preventive guardrails at the organization level. Custom organization policy constraints can enforce required labels and naming patterns before resource creation is permitted — blocking non-compliant resources at creation time across all projects and services in the org.

Why this answer

Organization Policy Service with custom constraints or required label policies is correct because it provides a preventive control that blocks resource creation if the resource does not meet defined naming and label standards. This is enforced at the Google Cloud resource hierarchy level before any resource is provisioned, ensuring compliance automatically without relying on post-creation detection or manual processes.

Exam trap

The trap here is that candidates often confuse reactive monitoring or billing tools (like Cloud Monitoring or Cloud Billing reports) with preventive enforcement, not realizing that Organization Policy Service is the only option that blocks non-compliant resource creation at the API level.

How to eliminate wrong answers

Option A is wrong because Cloud Billing reports are a reactive tool that only flag resources missing required labels after they are created, not a preventive enforcement mechanism. Option C is wrong because Cloud Monitoring alerts are also reactive, notifying the team after non-compliant resources already exist, and cannot block creation. Option D is wrong because Cloud IAM roles control who can create resources but cannot enforce naming or label standards on the resources themselves; training is a procedural measure, not a technical enforcement capability.

62
MCQeasy

A company wants to use pre-trained Google AI models to add vision capabilities to their application — specifically to detect objects in images and extract text from scanned documents — without training their own models. Which Google Cloud APIs provide these capabilities?

A.Cloud Vision API for object detection and OCR; Cloud Document AI for structured document extraction.
B.BigQuery ML for both use cases — it trains vision models on image data stored in BigQuery.
C.Vertex AI AutoML Vision — train a custom model on your own images.
D.Cloud Natural Language API for text extraction from images.
AnswerA

Vision API provides image analysis (object detection, OCR, label detection) using pre-trained models. Document AI specializes in extracting structured information from forms and documents. Both require zero ML training.

Why this answer

Option A is correct because Cloud Vision API provides pre-trained models for object detection and OCR (Optical Character Recognition) to extract text from images, while Cloud Document AI specializes in extracting structured data (e.g., fields, tables) from scanned documents. Both services require no custom training, aligning with the company's requirement to use pre-trained Google AI models.

Exam trap

The trap here is that candidates often confuse Cloud Natural Language API with OCR capabilities, or assume BigQuery ML can handle image data, when in fact Google Cloud separates vision and text analysis into distinct APIs with specific pre-trained models.

How to eliminate wrong answers

Option B is wrong because BigQuery ML is designed for creating and executing machine learning models using SQL queries on structured data in BigQuery, not for training vision models on image data; it lacks native support for image processing or object detection. Option C is wrong because Vertex AI AutoML Vision requires users to train custom models on their own labeled images, which contradicts the requirement to use pre-trained models without training. Option D is wrong because Cloud Natural Language API is for analyzing text (e.g., sentiment, entity extraction) and cannot extract text from images; that capability belongs to Cloud Vision API's OCR feature.

63
MCQhard

A platform business (like a marketplace) hosts both buyers and sellers. As more sellers join, the marketplace becomes more valuable to buyers (more choice), and vice versa. Cloud infrastructure that can scale to handle millions of users is essential for this model. What economic concept describes why the platform becomes more valuable as it grows?

A.Economies of scale — lower per-unit costs as production volume increases.
B.Network effects — the platform becomes more valuable to each participant as the total number of participants grows.
C.Monopoly pricing power — larger platforms can charge higher prices.
D.Marginal cost reduction — digital goods can be replicated at near-zero marginal cost.
AnswerB

Network effects make platforms like marketplaces, social networks, and communication tools more valuable as they grow. Cloud provides the elastic infrastructure to scale into these self-reinforcing value dynamics.

Why this answer

The correct answer is B because network effects describe how the value of a platform increases for all participants as the user base grows. In a cloud-hosted marketplace, each new seller adds inventory that attracts more buyers, and each new buyer creates demand that attracts more sellers, creating a positive feedback loop. Cloud infrastructure is essential here because it must elastically scale to support this exponential growth in transactions and data without performance degradation.

Exam trap

Cisco often tests the distinction between network effects and economies of scale, trapping candidates who confuse 'value growth from user base' with 'cost reduction from volume' — both involve growth, but the economic mechanism is fundamentally different.

How to eliminate wrong answers

Option A is wrong because economies of scale refer to cost advantages from increased production volume, not the increase in platform value from user growth; while cloud infrastructure does benefit from economies of scale, the question specifically asks why the platform becomes more valuable, not cheaper to operate. Option C is wrong because monopoly pricing power is a market control concept that may result from dominance but is not the inherent reason a platform gains value as it grows; in fact, many successful platforms compete on value, not price gouging. Option D is wrong because marginal cost reduction (near-zero replication cost) applies to digital goods like software copies, not to the network-driven value increase of a multi-sided platform; cloud infrastructure does have low marginal cost for additional users, but that does not explain why the platform's value to each user rises with more participants.

64
MCQeasy

A startup is building a mobile health app that stores sensitive patient data in Cloud Storage. They want to ensure data is encrypted at rest using a key they manage themselves and rotate monthly. Which encryption approach should they use?

A.Use customer-supplied encryption keys (CSEK)
B.Use default Google-managed encryption keys
C.Use customer-managed encryption keys (CMEK) with Cloud KMS
D.Use server-side encryption with customer-provided keys (SSE-C)
AnswerC

Correct: CMEK allows the customer to manage and rotate keys monthly.

Why this answer

Cloud Key Management Service (Cloud KMS) with a customer-managed encryption key (CMEK) allows customers to control and rotate keys. CSEK is deprecated and less flexible. SSE-C is not available in Cloud Storage.

Default encryption is Google-managed and cannot be rotated by the customer.

65
MCQeasy

A retail company experiences heavy traffic during holiday sales and low traffic at other times. Which cloud computing characteristic is most beneficial for handling this variable workload?

A.Broad network access
B.High availability
C.Elasticity
D.Pay-as-you-go pricing
AnswerC

Elasticity automatically adjusts resources to match workload changes.

Why this answer

Option A is correct because elasticity allows resources to scale up and down automatically based on demand. Option B is wrong because pay-as-you-go is a pricing model, not a scaling characteristic. Option C is wrong because high availability focuses on uptime, not scaling.

Option D is wrong because broad network access is about accessibility via the internet.

66
MCQmedium

A company stores encryption keys in Cloud KMS to protect sensitive data. What does Cloud KMS provide that standard application-layer encryption does not?

A.Faster encryption performance because Google's hardware is optimized for cryptographic operations.
B.Centralized key lifecycle management with IAM-controlled access, audit logs, rotation policies, and optional HSM-backed key protection.
C.The ability to encrypt data without any performance impact on the application.
D.Free unlimited encryption for all data stored in Google Cloud.
AnswerB

Cloud KMS provides key governance: who can use which key is IAM-controlled and audited; keys can be automatically rotated; HSM protection ensures keys never leave secure hardware. These are enterprise security requirements that application-layer encryption cannot provide.

Why this answer

Cloud KMS provides centralized key lifecycle management, including IAM-based access control, audit logging, automatic key rotation, and optional HSM-backed key protection. Standard application-layer encryption typically embeds keys within the application code or configuration, lacking these governance and security controls. This separation of key management from application logic is a core security best practice.

Exam trap

The trap here is that candidates assume Cloud KMS is just a faster or cheaper way to do encryption, when the real value is the centralized governance, auditability, and HSM-backed security that standard application-layer encryption lacks.

How to eliminate wrong answers

Option A is wrong because Cloud KMS does not inherently provide faster encryption performance; in fact, using a remote key management service can introduce network latency compared to local encryption, and Google's hardware optimization is not a primary benefit over application-layer encryption. Option C is wrong because any encryption, including Cloud KMS, introduces some performance overhead due to cryptographic operations and network calls; it cannot be completely free of performance impact. Option D is wrong because Cloud KMS is not free; it has a pay-per-use pricing model based on key operations and storage, and there is no unlimited free tier for encryption.

67
MCQeasy

A company is migrating its on-premises applications to Google Cloud. The security team requires that all data be encrypted both in transit and at rest. Which approach meets these requirements with minimal operational overhead?

A.Use HTTPS for all traffic and enable default encryption at rest with Google-managed keys.
B.Implement a third-party encryption tool for both transit and at rest.
C.Set up a VPN between on-premises and Google Cloud and rely on that for encryption.
D.Restrict physical access to Google Cloud data centers.
AnswerA

Google Cloud encrypts data at rest by default; HTTPS provides encryption in transit.

Why this answer

Option A is correct because HTTPS provides encryption in transit using TLS, and default encryption at rest with Google-managed keys encrypts data stored in Google Cloud services like Cloud Storage and Compute Engine disks without requiring any manual key management. This approach meets the security requirements with minimal operational overhead since Google handles key rotation and lifecycle management automatically.

Exam trap

Google Cloud often tests the misconception that a VPN alone satisfies both encryption in transit and at rest requirements, but candidates must remember that VPNs only cover transit encryption and do not address data at rest within the cloud provider's infrastructure.

How to eliminate wrong answers

Option B is wrong because implementing a third-party encryption tool introduces additional complexity, cost, and operational overhead for both transit and at rest encryption, which contradicts the requirement for minimal operational overhead. Option C is wrong because a VPN only encrypts traffic between on-premises and Google Cloud but does not provide encryption at rest for data stored within Google Cloud services. Option D is wrong because restricting physical access to data centers addresses physical security but does not provide any encryption for data in transit or at rest.

68
MCQhard

An architect is evaluating trade-offs between using Google Cloud's global network backbone for application traffic versus routing traffic over the public internet. She notes that Google's global network is one of the largest private networks in the world. What is the primary performance advantage of routing application traffic over Google's private backbone?

A.Google's private backbone uses faster optical fiber than public internet service providers
B.Traffic on Google's private backbone avoids public internet congestion and variable routing, providing consistently lower latency and higher throughput for traffic between regions and to users near Google PoPs
C.Google's private backbone is free for customers while public internet egress incurs data transfer charges
D.Using Google's backbone eliminates the need for application-level TLS encryption because the network is inherently secure
AnswerB

This correctly identifies the advantage. Public internet traffic traverses multiple autonomous systems with variable congestion. Google's backbone provides a direct, high-quality path between regions. Applications using Cloud CDN or global load balancers benefit from traffic entering Google's network early and staying on the backbone.

Why this answer

Option B is correct because Google's private backbone is a dedicated, software-defined network that uses Google's own fiber infrastructure and BGP routing policies to keep traffic entirely within Google's controlled environment. This avoids the unpredictable congestion, packet loss, and variable routing paths of the public internet, resulting in consistently lower latency and higher throughput for traffic between Google Cloud regions and to users near Google Points of Presence (PoPs).

Exam trap

Google Cloud often tests the misconception that 'private network' means 'free' or 'inherently secure,' leading candidates to pick cost or security options, when the real advantage is performance through congestion avoidance and deterministic routing.

How to eliminate wrong answers

Option A is wrong because while Google's backbone uses high-quality fiber, the primary performance advantage is not simply faster optical fiber—public ISPs also use modern fiber; the key difference is the private, controlled routing that avoids internet congestion. Option C is wrong because Google's private backbone is not free; customers still pay for egress traffic, though routing over the backbone may reduce costs compared to internet routing in some scenarios, but cost is not the primary performance advantage. Option D is wrong because using Google's backbone does not eliminate the need for TLS encryption; the network is physically and logically isolated but does not provide application-layer security, and data in transit should still be encrypted to protect against internal threats and meet compliance requirements.

69
MCQeasy

A non-profit organization wants to reduce IT overhead so they can focus on their mission. They currently manage their own email server, file storage, and website. What cloud approach best supports this transformation?

A.Upgrading their on-premise hardware to faster servers
B.Creating a hybrid cloud with a VPN to their data center
C.Migrating their applications to virtual machines in Compute Engine
D.Replacing on-premise services with Google Workspace, Cloud Storage, and App Engine
AnswerD

Managed services reduce operational overhead as Google handles infrastructure.

Why this answer

Option D is correct because it fully eliminates IT overhead by replacing self-managed services with fully managed cloud alternatives: Google Workspace handles email and collaboration, Cloud Storage provides scalable file storage without server management, and App Engine runs the website with automatic scaling and zero infrastructure maintenance. This aligns with the goal of reducing IT overhead to focus on the mission.

Exam trap

The trap here is that candidates often confuse 'migrating to VMs' (Option C) with 'going serverless' — VMs still require OS patching and capacity planning, whereas fully managed services like App Engine and Workspace eliminate that overhead entirely.

How to eliminate wrong answers

Option A is wrong because upgrading on-premise hardware still requires the organization to manage, patch, and maintain physical servers, which does not reduce IT overhead. Option B is wrong because a hybrid cloud with a VPN still requires managing the on-premise data center and its servers, adding complexity rather than reducing overhead. Option C is wrong because migrating to virtual machines in Compute Engine still requires the organization to manage operating systems, patches, and scaling, which does not eliminate the overhead of server administration.

70
MCQeasy

A retail company is experiencing unpredictable traffic spikes. Which cloud characteristic allows them to automatically add resources during peak demand and remove them when demand drops?

A.Global reach
B.Elasticity
C.High availability
D.Pay-as-you-go
AnswerB

Elasticity enables automatic scaling of resources to match demand.

Why this answer

Option A is correct because elasticity refers to the ability to automatically scale resources up and down based on demand. High availability (B) focuses on uptime, global reach (C) is about geographic distribution, and pay-as-you-go (D) is a pricing model.

71
MCQeasy

A small business runs a single Linux server on-premises for file storage and a simple static website. They experience frequent power outages causing server downtime, and they want to improve availability with minimal cost and management overhead. They have limited IT staff. What should they do?

A.Implement a load balancer across two on-premises servers
B.Use Cloud Storage for the static website and Cloud Filestore for file storage
C.Migrate to a single Compute Engine VM in Google Cloud
D.Use a third-party colocation facility
AnswerB

Cloud Storage offers automatic replication and high availability for static content; Cloud Filestore provides managed NFS storage with redundancy, reducing downtime risk.

Why this answer

Option B is correct because Cloud Storage provides highly available static website hosting with automatic replication, and Cloud Filestore offers managed file storage, both requiring minimal management. Option A still has a single point of failure. Option C requires additional hardware and doesn't eliminate power issues.

Option D adds cost without reducing management overhead.

72
MCQeasy

Which Google Cloud feature provides reports on how Google processes government requests for customer data and how often Google challenges overly broad requests?

A.Cloud Audit Logs — they record all API calls including government data requests.
B.Google's Transparency Report — publishing data about government requests and legal compliance.
C.Security Command Center — it alerts when government agencies access customer data.
D.Access Transparency logs — they record every time any external entity accesses customer data.
AnswerB

Google's Transparency Report (transparency.google/reports) details government data requests by country, compliance rates, and legal challenges. It provides verifiable evidence of Google's approach to data requests.

Why this answer

Google's Transparency Report is the correct answer because it specifically publishes data on government requests for user data, including how Google processes these requests and how often it challenges overly broad or legally questionable demands. This report is designed to provide public visibility into government actions, not to log individual API calls or access events.

Exam trap

Cisco often tests the distinction between internal access logs (Access Transparency) and external government request reporting (Transparency Report), so the trap here is confusing operational audit trails with public transparency reporting about legal demands.

How to eliminate wrong answers

Option A is wrong because Cloud Audit Logs record API calls made within a Google Cloud project, not government data requests to Google as a company; they are for internal auditing of customer resources. Option C is wrong because Security Command Center is a security and risk management platform that detects threats and vulnerabilities in cloud resources, not a tool for reporting on government requests for customer data. Option D is wrong because Access Transparency logs record every time a Google Cloud employee or support engineer accesses customer data, not external government entities; they are about internal access, not government requests.

73
MCQeasy

The principle of least privilege is a fundamental security concept applied to IAM in Google Cloud. Which statement best describes this principle?

A.All users should have read-only access to prevent accidental changes.
B.Users and services should be granted only the minimum permissions required for their specific function, nothing more.
C.Administrators should have full access so they can respond to any emergency quickly.
D.All employees should share the same IAM role to simplify permission management.
AnswerB

Least privilege limits access to what's actually needed. A developer deploying Cloud Run doesn't need BigQuery admin access. Minimizing permissions reduces the impact of credential compromise.

Why this answer

Option B is correct because the principle of least privilege in Google Cloud IAM dictates that identities (users, groups, or service accounts) should be granted only the permissions necessary to perform their intended tasks. This minimizes the attack surface and limits the blast radius of a compromised credential. In Google Cloud, this is implemented by assigning predefined or custom roles with the exact set of permissions required, rather than using broad roles like Owner or Editor.

Exam trap

Google Cloud often tests the misconception that 'least privilege' means 'everyone gets read-only' or that 'administrators need full access for emergencies,' but the correct interpretation is granular, role-specific permissions with temporary elevation for break-glass scenarios.

How to eliminate wrong answers

Option A is wrong because read-only access is not universally appropriate; some users or services need write, create, or delete permissions to perform their functions, and enforcing read-only for all would break operational workflows. Option C is wrong because granting administrators full access at all times violates least privilege; emergency access should be obtained through just-in-time (JIT) or break-glass mechanisms, such as using Google Cloud's Access Approval or temporary privilege elevation, not standing permissions. Option D is wrong because sharing the same IAM role across all employees ignores the need for role-based access control (RBAC); different job functions require different permissions, and a single role would either over-permission some users or under-permission others, creating security or operational gaps.

74
MCQhard

A company runs batch processing jobs using preemptible VMs to reduce costs. They need to ensure these jobs can scale out significantly during peak hours. Which Compute Engine pricing model should they combine with autoscaling to optimize cost for these workloads?

A.Preemptible VMs with no further discounts.
B.Sole-tenant nodes.
C.Sustained use discounts.
D.Committed use discounts.
AnswerC

Sustained use discounts automatically apply for running standard VMs over a month; they can be combined with preemptible VMs for baseline and burst capacity.

Why this answer

C is correct because sustained use discounts automatically apply to preemptible VMs running for a significant portion of a month, reducing costs further without any upfront commitment. Autoscaling ensures that as demand increases, more preemptible VMs are launched, and the sustained use discount kicks in for the cumulative usage across the month, optimizing cost for bursty, fault-tolerant workloads.

Exam trap

The trap here is that candidates often assume preemptible VMs cannot be combined with any discounts, or they mistakenly choose committed use discounts thinking they provide the best savings, without realizing that sustained use discounts are automatic and better suited for variable, autoscaled workloads.

How to eliminate wrong answers

Option A is wrong because preemptible VMs already offer a lower base price, but combining them with sustained use discounts provides additional automatic savings for extended usage, so 'no further discounts' misses this optimization. Option B is wrong because sole-tenant nodes are dedicated physical servers for compliance or licensing needs, not a pricing model, and they increase cost rather than reducing it for scalable batch jobs. Option D is wrong because committed use discounts require a 1- or 3-year upfront commitment for a specific amount of vCPUs and memory, which is inflexible for autoscaling workloads that need to scale out significantly during peak hours.

75
MCQeasy

What does 'serverless computing' mean, and what does a developer NOT have to manage when using serverless services?

A.Serverless means no code is needed — the cloud provider writes the application logic automatically.
B.Serverless means developers don't provision or manage servers, OS, or scaling — they only write and deploy code.
C.Serverless computing only works for batch jobs that run overnight.
D.Serverless is a type of on-premises architecture where servers are hidden from developers.
AnswerB

In serverless, the cloud provider handles all infrastructure: servers, OS, scaling, patching, and capacity. Developers focus purely on application logic.

Why this answer

Serverless computing is a cloud execution model where the cloud provider dynamically manages the allocation and provisioning of servers. The developer writes and deploys code (functions) without needing to provision, configure, or scale underlying servers, operating systems, or runtime environments. Option B correctly captures this: developers only write and deploy code, while the provider handles infrastructure management.

Exam trap

Cisco often tests the misconception that 'serverless' means 'no servers at all' or 'no code needed,' leading candidates to pick Option A, when in fact servers exist but are abstracted from the developer.

How to eliminate wrong answers

Option A is wrong because serverless does not mean 'no code is needed'; developers still write application logic, and the cloud provider does not automatically generate it. Option C is wrong because serverless computing is not limited to batch jobs; it supports event-driven, real-time, and synchronous workloads (e.g., API backends, data processing). Option D is wrong because serverless is a cloud-native architecture, not an on-premises one; servers are abstracted from developers but still exist in the provider's data centers.

Page 1 of 7

Page 2

All pages