Google Cloud Digital Leader (GCDL) — Questions 676–750

991 questions total · 14 pages · All types, answers revealed

Page 10 of 14
676 (MCQ, hard)

A company stores sensitive healthcare data in Google Cloud and must comply with HIPAA. They are using Cloud Storage and BigQuery. Which of the following is the customer responsible for under the shared responsibility model?

A. Physical security of data centers
B. Implementing IAM policies to restrict access to healthcare data
C. Hardware maintenance of storage servers
D. Network infrastructure security

Answer: B

Customer controls IAM policies for access management.

Why this answer

Under the shared responsibility model, the customer is responsible for access management (IAM), encryption of data at rest and in transit, and configuring firewall rules. Google is responsible for the physical security of data centers, hypervisor, and network infrastructure.

677 (MCQ, hard)

A team notices that their Compute Engine instances are consistently running at low CPU utilization. They want to reduce costs by receiving recommendations to resize or stop idle VMs. Which service provides these recommendations?

A. Cost Management dashboard
B. Cloud Scheduler
C. Active Assist
D. Cloud Monitoring

Answer: C

Active Assist's Recommender analyzes usage patterns and suggests rightsizing or stopping idle resources to save costs.

Why this answer

Active Assist includes Recommender, which provides cost optimization recommendations such as rightsizing VMs, identifying idle resources, and suggesting committed use discounts.

678 (MCQ, easy)

A team uses Google Workspace (Gmail, Docs, Sheets) for their daily work. They do not manage any servers or software installation — Google maintains everything. Which cloud service model does Google Workspace represent?

A. Infrastructure as a Service (IaaS)
B. Platform as a Service (PaaS)
C. Software as a Service (SaaS)
D. Database as a Service (DBaaS)

Answer: C

Google Workspace delivers fully managed productivity applications over the internet. No infrastructure, OS, or application management by the user — just data and user configuration.

Why this answer

Google Workspace is a classic example of Software as a Service (SaaS) because users access applications like Gmail, Docs, and Sheets via a web browser without managing the underlying infrastructure, operating systems, or software installations. Google handles all maintenance, security patching, and uptime, which aligns with the SaaS model where the provider delivers fully functional software over the internet. Unlike IaaS or PaaS, the end-user does not control the runtime environment or deploy custom code on the platform.

Exam trap

The GCDL exam often tests the misconception that any cloud service involving 'platform' or 'infrastructure' terms must be PaaS or IaaS, but the trap here is that Google Workspace is a fully managed application suite, not a platform for building or hosting custom code, so candidates mistakenly select PaaS when they see 'Google' and think of App Engine.

How to eliminate wrong answers

Option A is wrong because Infrastructure as a Service (IaaS) provides virtualized computing resources like virtual machines, storage, and networks, where the user manages the OS and applications — Google Workspace users do not provision or manage any virtual servers. Option B is wrong because Platform as a Service (PaaS) offers a runtime environment for developers to deploy custom applications without managing the underlying infrastructure, but Google Workspace delivers ready-to-use applications, not a development platform. Option D is wrong because Database as a Service (DBaaS) specifically provides managed database instances (e.g., Cloud SQL, Amazon RDS), whereas Google Workspace is a suite of end-user productivity applications, not a database service.

679 (MCQ, hard)

A company uses Google Cloud across 5 teams, 20 projects, and 3 regions. They want to enforce a standard that all resources include specific labels (e.g., `team`, `environment`, `cost-center`) for cost attribution and governance. What is the most scalable way to enforce this labeling standard?

A. Send monthly reminders to all teams via email to add labels to their resources.
B. Enforce labeling through IaC templates with required label variables in CI/CD pipelines, and use Cloud Asset Inventory to audit compliance.
C. Manually add labels to all existing and new resources through the Cloud Console.
D. Grant only project owners permission to create resources, and rely on them to enforce labeling.

Answer: B

IaC templates with required label variables prevent deployment of unlabeled resources. CI/CD policy gates reject non-compliant configurations. Cloud Asset Inventory provides ongoing audit of label compliance across all projects.

Why this answer

Option B is correct because it combines Infrastructure as Code (IaC) templates with required label variables in CI/CD pipelines to enforce labeling at resource creation time, and uses Cloud Asset Inventory to audit and detect non-compliant resources. This approach is scalable across 5 teams, 20 projects, and 3 regions because it automates enforcement and provides continuous compliance monitoring without manual intervention.

Exam trap

The trap here is that candidates may choose a manual or human-dependent option (like A or D) because they underestimate the scale and automation requirements of a multi-team, multi-project environment, failing to recognize that only IaC with automated auditing provides scalable enforcement.

How to eliminate wrong answers

Option A is wrong because sending monthly reminders is a manual, reactive process that does not prevent non-compliant resources from being created, and it does not scale across multiple teams and projects. Option C is wrong because manually adding labels through the Cloud Console is error-prone, does not scale to 20 projects and 3 regions, and cannot enforce labeling on new resources automatically. Option D is wrong because relying solely on project owners to enforce labeling is not scalable or auditable; it depends on human compliance and does not provide automated enforcement or detection of violations.

680 (Multi-Select, medium)

Which TWO statements about Cloud Identity-Aware Proxy (IAP) are correct?

Select 2 answers
A. IAP encrypts data at rest by default
B. IAP can be used to protect access to Compute Engine VMs via SSH and RDP without a VPN
C. IAP only works with Google Cloud applications
D. IAP uses the identity of the user and the context of the request to decide whether to allow access
E. IAP requires using a third-party identity provider

Answers: B, D

IAP allows SSH/RDP without public IPs or VPNs.

Why this answer

Option B is correct because Cloud IAP enables identity-based access to Compute Engine instances via SSH and RDP without requiring a VPN or bastion host. IAP uses the user's identity and request context to create a secure tunnel, forwarding traffic to the instance over HTTPS and verifying the user's credentials before allowing the connection.

Exam trap

Google Cloud often tests the misconception that IAP is limited to Google Cloud services or that it requires a third-party identity provider, when in fact IAP supports hybrid access and can use Google-managed identities without external IdPs.

681 (Multi-Select, hard)

A large enterprise wants to enforce the principle of least privilege for its cloud resources. The security team needs to audit all IAM policy changes across the organization and ensure that custom roles are used where predefined roles are too permissive. Which three Google Cloud services or features should be combined to achieve this? (Choose three.)

Select 3 answers
A. IAM Recommender
B. Cloud Key Management Service
C. Cloud Audit Logs
D. Organization Policies
E. Security Command Center

Answers: A, C, D

IAM Recommender analyzes usage and suggests least-privilege roles, helping to reduce over-privileged access.

Why this answer

Cloud Audit Logs track IAM policy changes. Organization policies can enforce constraints like restricting the use of predefined roles. IAM Recommender provides recommendations to reduce permissions.

Cloud Asset Inventory can also be used for IAM policy auditing. Security Command Center is for threat detection, not IAM auditing. Policy Analyzer helps understand access, but the combination of Audit Logs, Organization Policies, and IAM Recommender is most direct.

682 (MCQ, medium)

A CTO explains to her board that moving to cloud reduces the company's 'total cost of ownership' compared to running an on-premises data center. Which cost category is most commonly underestimated in on-premises TCO calculations?

A. Hardware acquisition costs, which are typically overestimated in on-premises environments
B. IT staff labor costs for ongoing maintenance, patching, hardware replacement, and operations, which are frequently underestimated in on-premises TCO
C. Software licensing costs, which are always higher on-premises than in the cloud
D. Internet bandwidth costs, which are negligible on-premises

Answer: B

Labor is the most underestimated cost in on-premises TCO. Hardware maintenance, OS patching, firmware updates, capacity planning, hardware failure response, data center cooling management — these represent substantial ongoing costs that are often not fully attributed to infrastructure when comparing against cloud.

Why this answer

Option B is correct because on-premises TCO calculations frequently underestimate the labor costs associated with ongoing IT staff tasks such as applying security patches, performing hardware replacements, managing firmware updates, and handling day-to-day operations. These operational expenses (OpEx) accumulate over the lifecycle of the data center and often exceed the initial capital expenditure (CapEx) for hardware, making them a critical but overlooked component in total cost of ownership comparisons with cloud providers like AWS, Azure, or GCP.

Exam trap

The GCDL exam often tests the misconception that hardware acquisition costs are the primary driver of on-premises TCO, when in reality the underestimated labor for ongoing maintenance and operations is the most common blind spot in TCO comparisons.

How to eliminate wrong answers

Option A is wrong because hardware acquisition costs are typically a well-understood and accurately estimated capital expense in on-premises TCO, not overestimated; the common mistake is underestimating ongoing operational costs, not hardware. Option C is wrong because software licensing costs are not always higher on-premises; many enterprise licenses (e.g., Microsoft SQL Server, Oracle) can be more expensive in the cloud due to bring-your-own-license (BYOL) restrictions or per-core pricing models, and the statement is an absolute that ignores licensing portability and hybrid scenarios. Option D is wrong because internet bandwidth costs are not negligible on-premises; they can be significant for data center connectivity, especially for high-throughput or geographically distributed workloads, and cloud providers often charge egress fees that make bandwidth a non-trivial cost factor.

683 (MCQ, medium)

Google operates its data centers using 100% renewable energy and has committed to running all operations on carbon-free energy 24/7 by 2030. How does this sustainability posture benefit a company that migrates its workloads to Google Cloud?

A. Companies must purchase separate carbon offset credits to claim sustainability benefits from using Google Cloud.
B. The company's Scope 2 carbon emissions decrease because Google's infrastructure runs on renewable energy and operates more efficiently than typical enterprise data centers.
C. Only companies that purchase the Google Cloud Carbon Footprint add-on receive sustainability benefits.
D. Sustainability benefits are only available in specific geographic regions where Google has solar farms.

Answer: B

Google's 100% renewable energy commitment means customer workloads run on clean energy. Hyperscale data center efficiency also means less energy per compute unit vs. typical on-premises data centers.

Why this answer

Option B is correct because when a company migrates workloads to Google Cloud, it inherits Google's carbon-free energy procurement for its infrastructure. This directly reduces the company's Scope 2 emissions (indirect emissions from purchased electricity) since Google's data centers are powered by 100% renewable energy and operate with industry-leading efficiency (e.g., average PUE of 1.10). The company does not need to purchase separate offsets or add-ons to realize this benefit.

Exam trap

The trap here is that candidates may think sustainability benefits require additional purchases or are regionally restricted, when in fact Google's global renewable energy matching and efficiency gains automatically reduce a customer's Scope 2 emissions without extra steps.

How to eliminate wrong answers

Option A is wrong because Google Cloud customers automatically benefit from Google's renewable energy matching without purchasing separate carbon offset credits; Google matches 100% of its global electricity consumption with renewable energy annually. Option C is wrong because the Google Cloud Carbon Footprint tool is a free feature that provides visibility into gross carbon emissions, but the sustainability benefit (reduced Scope 2 emissions) exists regardless of using that tool. Option D is wrong because Google's renewable energy matching is global—it applies across all regions where Google Cloud operates, not only in regions with solar farms, through the use of renewable energy certificates (RECs) and power purchase agreements (PPAs).

684 (MCQ, easy)

A company wants to send transactional emails (receipts, password resets) and marketing emails at scale from their application. Which approach is recommended when using Google Cloud?

A. Use Gmail to manually send all transactional emails.
B. Integrate a third-party email delivery service (e.g., SendGrid, Mailgun) with the GCP application.
C. Use BigQuery to store and send emails directly to customers.
D. Deploy an SMTP server on Compute Engine and send emails directly from GCP IP addresses.

Answer: B

Third-party email services provide the deliverability, API access, bounce handling, and analytics needed for transactional email at scale. Google Cloud doesn't include a native email sending service.

Why this answer

Option B is correct because Google Cloud does not provide a native transactional email service, so integrating a dedicated third-party email delivery service like SendGrid or Mailgun is the recommended approach. These services handle deliverability, reputation management, and compliance with email standards (e.g., SPF, DKIM, DMARC), which are critical for high-volume transactional and marketing emails. Using GCP's native services like Cloud Functions or App Engine to send emails directly would rely on SMTP relays that often have strict sending limits and poor deliverability.

Exam trap

The GCDL exam often tests the misconception that GCP provides a built-in email sending service (like AWS SES) or that a self-managed SMTP server on Compute Engine is a viable solution, ignoring the critical importance of IP reputation and deliverability at scale.

How to eliminate wrong answers

Option A is wrong because Gmail is designed for personal or small-scale use, not for programmatic, high-volume transactional email; it has strict sending limits (e.g., 500 recipients per day for free accounts) and lacks APIs for automated bulk sending. Option C is wrong because BigQuery is a data warehouse for analytics, not an email delivery service; it has no SMTP or API capabilities to send emails directly to customers. Option D is wrong because sending emails directly from GCP IP addresses via a self-managed SMTP server on Compute Engine leads to poor deliverability, as GCP IP ranges are often blacklisted by major email providers (e.g., Gmail, Outlook) due to past abuse, and managing reputation, SPF/DKIM/DMARC, and bounce handling is complex and unreliable at scale.

685 (MCQ, hard)

A global fintech company needs a database that can handle financial transactions across 50+ countries with consistent, ACID-compliant operations, SQL queries, and automatic global replication with no downtime for maintenance. Which Google Cloud database service meets all these requirements?

A. Cloud SQL (PostgreSQL)
B. Cloud Spanner
C. Cloud Bigtable
D. Firestore

Answer: B

Cloud Spanner provides ACID transactions, SQL support, and automatic global replication across multiple regions with 99.999% availability. It's designed for exactly this global financial transaction use case.

Why this answer

Cloud Spanner is the only Google Cloud database that provides ACID-compliant transactions, full SQL support, and automatic synchronous global replication with no downtime for maintenance. It is designed for horizontally scalable, globally distributed applications that require strong consistency across regions, making it the ideal choice for a fintech company operating in 50+ countries.

Exam trap

The GCDL exam often tests the misconception that Cloud SQL can be made globally consistent with replication, but Cloud SQL replicas are read-only and asynchronous, so they cannot provide the strong ACID writes across regions that Cloud Spanner offers.

How to eliminate wrong answers

Option A is wrong because Cloud SQL (PostgreSQL) is a single-region, single-write database that does not support automatic global replication or horizontal scaling across multiple regions; it requires manual failover and downtime for major maintenance. Option C is wrong because Cloud Bigtable is a NoSQL, wide-column database that does not support SQL queries or ACID transactions across rows; it is designed for high-throughput analytical workloads, not transactional financial operations. Option D is wrong because Firestore is a NoSQL document database that does not support SQL queries and provides only eventual consistency in multi-region mode, not the strong ACID consistency required for financial transactions.

686 (MCQ, medium)

An analytics team needs to create dashboards and visualizations from data stored in BigQuery. They want a free solution that integrates natively. Which tool should they use?

A. Cloud Dataflow
B. Looker Studio
C. Looker
D. Google Sheets

Answer: B

Looker Studio is free and integrates natively with BigQuery.

Why this answer

Looker Studio (formerly Data Studio) is a free visualization tool that connects to BigQuery. Looker is a paid BI platform. Dataflow is for processing, and Sheets is not native.

687 (MCQ, hard)

An engineer is setting up budgets and alerts to manage costs. They want to receive a notification when forecasted spend exceeds 80% of the budget amount. Which step is required to enable forecast-based alerts?

A. Enable billing export to BigQuery and set up a scheduled query
B. Select 'Forecasted spend' as the alert threshold type in the budget configuration
C. Create a Cloud Function that checks current spend every hour
D. Use the Cost Management API to query forecast data

Answer: B

This is the correct way to enable forecast-based alerts.

Why this answer

In the budget alert configuration, you can set alert thresholds based on actual or forecasted spend. To alert on forecasted spend, you must select the 'Forecasted spend' option when defining the threshold rules.

688 (MCQ, hard)

A security audit finds that a company's application service accounts have been granted broad IAM roles (e.g., Storage Admin on the entire project) when they only need to read specific Cloud Storage buckets. The auditor recommends following the principle of least privilege. What is the most precise way to implement this for the Cloud Storage use case?

A. Grant the Storage Admin role at the project level but add a condition that limits it to specific operations
B. Grant Storage Object Viewer (read-only) at the specific bucket level for each service account that needs read access — not at the project level
C. Create a custom IAM role that combines all permissions from all predefined roles but removes the most dangerous ones
D. Use the same broad Storage Admin role but rotate the service account key every 90 days to reduce the window of exposure

Answer: B

This is the most precise least-privilege implementation. Storage Object Viewer grants read access to objects within a bucket. Binding it at the bucket level (not project) means the service account can only read from that specific bucket — not create buckets, not access other buckets, not delete objects. This minimizes blast radius if the service account is compromised.

Why this answer

Option B is correct because it grants the minimal required permission (Storage Object Viewer) at the specific bucket level, adhering to the principle of least privilege. This ensures the service account can only read objects in that bucket and cannot perform any other storage operations, even accidentally. Granting roles at the resource level (bucket) rather than the project level eliminates unnecessary broad access.

Exam trap

The trap here is that candidates often think project-level roles with conditions are sufficient, but conditions do not restrict the scope of resources the role applies to—only the actions or attributes—so the role still applies to all resources in the project.

How to eliminate wrong answers

Option A is wrong because granting Storage Admin at the project level, even with a condition, still grants the role's full permissions (including delete and update) on all buckets in the project, violating least privilege. Option C is wrong because creating a custom role by combining all permissions from predefined roles and removing 'dangerous' ones is imprecise and error-prone; the correct approach is to start with the minimal permissions needed (e.g., storage.objects.get) rather than removing from a broad set. Option D is wrong because rotating keys does not reduce the permissions granted; the service account still retains the overly broad Storage Admin role, which is the core security issue.

689 (MCQ, easy)

A start-up wants to quickly build and deploy a web application using managed services to avoid operational overhead. They need a serverless compute platform that automatically scales and charges only for execution time. Which Google Cloud service should they use?

A. Cloud Functions
B. Cloud Run
C. Compute Engine
D. Google Kubernetes Engine (GKE)

Answer: B

Cloud Run is serverless, auto-scaling, and charges per execution, ideal for web apps.

Why this answer

Cloud Run is a serverless compute platform that runs containers, auto-scales, and charges per execution. Compute Engine is IaaS, Kubernetes Engine is container orchestration (not serverless), and Cloud Functions is also serverless but for event-driven functions, not full web apps with containers.

690 (Drag & Drop, medium)

Drag and drop the steps to enable and use Cloud Audit Logs for a project into the correct order.


Why this order

First navigate to audit logs, then select services and log types, save, and finally view the logs.

691 (MCQ, medium)

A company wants to scan its Cloud Storage buckets for sensitive data like credit card numbers and social security numbers. Which service should they use?

A. Security Command Center
B. Sensitive Data Protection
C. reCAPTCHA Enterprise
D. Web Risk API

Answer: B

Sensitive Data Protection (DLP API) can discover and classify sensitive data.

Why this answer

Sensitive Data Protection (DLP API) is used to inspect and de-identify sensitive data. Security Command Center is for vulnerabilities. Web Risk API checks URLs against threat lists. reCAPTCHA is for bot protection.

692 (MCQ, easy)

What does 'durability' mean for cloud storage services, and how is it different from 'availability'?

A. Durability and availability are the same thing — both measure how often data can be accessed.
B. Durability measures the probability data won't be lost; availability measures the percentage of time data can be accessed — a service can be temporarily unavailable while data remains durable.
C. Durability refers to network speed; availability refers to storage capacity.
D. High availability automatically guarantees high durability, so both terms describe the same SLA.

Answer: B

Data can be physically safe (11-nine durability) but temporarily inaccessible during maintenance or outage (lower availability). These are orthogonal properties that storage services optimize for independently.

Why this answer

Durability measures the probability that stored data will not be lost or corrupted over time, typically expressed as a percentage (e.g., 99.999999999% for Amazon S3). Availability measures the percentage of time a service is operational and accessible, often defined in SLAs (e.g., 99.99% uptime). A service can be temporarily unavailable (e.g., due to maintenance) while the data remains intact and durable, so they are distinct concepts.

Exam trap

The GCDL exam often tests the misconception that durability and availability are interchangeable or that one automatically implies the other, so candidates must remember that a service can be down (low availability) yet still preserve all data (high durability).

How to eliminate wrong answers

Option A is wrong because it incorrectly equates durability and availability, ignoring that durability focuses on data integrity against loss/corruption while availability focuses on uptime and accessibility. Option C is wrong because durability has nothing to do with network speed; it is about data persistence, and availability is about uptime, not storage capacity. Option D is wrong because high availability does not guarantee high durability; for example, a replicated system can be highly available but still lose data if replication is asynchronous or if a catastrophic failure occurs before replication completes.

693 (MCQ, easy)

A developer wants to label resources with key-value pairs to track cost by team. Which GCP feature should they use?

A. Tags
B. Labels
C. Folders
D. Organization policy tags

Answer: B

Labels are key-value pairs used for cost attribution and filtering.

Why this answer

Labels are key-value metadata that can be applied to resources for cost tracking and filtering.

694 (Multi-Select, hard)

An organization needs to collect and analyze real-time clickstream data from millions of users. The data is ingested via HTTP POST requests. The solution must be serverless, scale automatically, and allow for real-time analytics with sub-second latency. Which THREE Google Cloud services should be combined to achieve this? (Select three.)

Select 3 answers
A. BigQuery
B. Cloud Storage
C. Cloud Load Balancing
D. Cloud Run
E. Cloud Pub/Sub

Answers: C, D, E

Cloud Load Balancing distributes incoming HTTP requests.

Why this answer

Cloud Load Balancing distributes incoming HTTP requests across Cloud Run instances, which process the data and publish to Pub/Sub. Dataflow can read from Pub/Sub for real-time streaming analytics. Cloud Storage is not suitable for real-time analytics.

BigQuery is for near-real-time but not sub-second; Dataflow provides sub-second latency for streaming.

695 (MCQ, hard)

A company is migrating a legacy monolithic application to Google Cloud. The app has unpredictable traffic patterns and requires custom runtime dependencies (e.g., specific Python libraries with native extensions). The team wants to minimise operational overhead and avoid managing servers. Which compute option is MOST suitable?

A. Google Kubernetes Engine (GKE)
B. App Engine Flexible Environment
C. Cloud Run
D. Cloud Functions

Answer: B

App Engine Flexible Environment supports custom runtimes (Docker containers), provides automatic scaling, and requires no server management, making it suitable for a monolithic web app with custom dependencies.

Why this answer

App Engine Flexible Environment allows custom runtimes (via Docker containers) and can serve web applications. It scales based on traffic but does not scale to zero (minimum 1 instance). Cloud Run also supports custom containers, scales to zero, and is simpler for request-driven apps.

However, App Engine Flexible provides a PaaS environment with automatic scaling and built-in services, which may be easier for a legacy monolith. Cloud Functions is for small code snippets, and GKE requires cluster management. The best answer depends on the need for a custom runtime and minimising ops.

The question states 'minimise operational overhead and avoid managing servers', and both Cloud Run and App Engine Flexible achieve that with custom containers. App Engine Flexible has a minimum of 1 instance (no scale-to-zero) but is designed for web apps with unpredictable traffic. The 'correct' answer here is App Engine Flexible because it is a PaaS explicitly for web apps with custom runtimes, and many exam questions align with that; to be more accurate, Cloud Run is also valid. I'll go with App Engine Flexible as the answer.

696 (Matching, medium)

Match each Google Cloud serverless compute option to its characteristic.


Descriptions

Event-driven, short-lived functions

Container-based, scales to zero

Platform as a Service (PaaS) with automatic scaling

Orchestration of services and APIs

Event routing and management service

Why these pairings

These are serverless compute options in Google Cloud.

697 (MCQ, medium)

A company wants to assign metadata to resources for cost allocation reporting. They need to categorize resources by environment (production, staging, development) and team (engineering, marketing). They also need to use this metadata in billing exports. Which approach should they take?

A. Use folder names.
B. Use labels.
C. Use network tags.
D. Use organization policy tags.

Answer: B

Labels are designed for cost allocation and are included in billing exports.

Why this answer

Labels are key-value pairs that can be applied to resources and are included in billing exports for cost attribution. Tags are used for network firewall rules, not cost allocation.

698 (MCQ, medium)

A company wants to run a batch job that processes large files (up to 100 TB each) using a custom Linux executable. The job runs once a month and takes about 12 hours. They want to minimise cost. Which compute option should they choose?

A. Compute Engine with preemptible VMs
B. Compute Engine with standard VMs
C. Cloud Run
D. App Engine Flexible Environment

Answer: A

Preemptible VMs are cost-effective for fault-tolerant batch jobs that can handle interruptions.

Why this answer

Compute Engine Preemptible VMs offer deep discounts (up to 60-90% off) and are suitable for fault-tolerant batch jobs. Preemptible VMs can be terminated at any time, but since the job can be restarted, it's cost-effective. Persistent disks are required for data.

Cloud Run has a timeout limit of 60 minutes. GKE with Spot VMs is also an option but adds overhead. Standard Compute Engine is more expensive.

699 (MCQ, easy)

A mid-sized logistics company runs its core tracking application on a single on-premises server. The application is critical for real-time package tracking and customer notifications. Recently, during a regional power outage, the server went down for 6 hours, causing significant customer dissatisfaction and loss of revenue. The company wants to move to Google Cloud to improve availability and disaster recovery. They have a limited IT team with minimal cloud experience and a tight budget. The application is a monolithic Java application that currently runs on a Linux server with a MySQL database. The company needs a solution that minimizes operational overhead and provides automatic failover across regions. Which course of action should they take?

A.Refactor the application to run on App Engine and use Cloud SQL with a cross-region replica for failover.
B.Lift and shift the application to a single Compute Engine VM and use a Cloud SQL instance in the same region.
C.Deploy the application on Compute Engine with a regional managed instance group and use Cloud SQL with high availability.
D.Containerize the application and run it on Google Kubernetes Engine with a multi-cluster setup across regions.
AnswerC

Correct: a regional MIG plus Cloud SQL HA gives automatic failover across zones inside one region with a managed database, which balances cost and operational overhead for a small team.

Why this answer

Option C is correct because it gives automatic failover with no application refactoring: the regional managed instance group (MIG) spreads the Compute Engine VMs across several zones in one region, and Cloud SQL high availability (HA) keeps a synchronously replicated standby in a different zone and fails over to it automatically. Strictly, that is zonal failover inside a single region rather than cross-region failover; Google Cloud's genuinely cross-region options (cross-region read replicas, multi-region GKE) need manual promotion or far more operational skill. Option C is the answer the exam expects because it removes the single-server, single-site failure the company actually suffered, keeps the monolith and MySQL as they are, and avoids complex container orchestration or multi-cluster setups for a team with little cloud experience and a tight budget.

Exam trap

Google Cloud often tests the misconception that cross-region replicas provide automatic failover, but in reality, they require manual promotion, whereas Cloud SQL HA within a region provides automatic failover with synchronous replication.

How to eliminate wrong answers

Option A is wrong because refactoring the monolithic Java application to run on App Engine would require significant code changes and operational overhead, which the company's limited IT team cannot handle, and cross-region replicas for Cloud SQL do not provide automatic failover (they are asynchronous and require manual promotion). Option B is wrong because a single Compute Engine VM and a single Cloud SQL instance offer no failover at all; one host failure or zonal incident takes the application down, which is the same failure mode the company has today. Option D is wrong because containerizing the application and running it on Google Kubernetes Engine with a multi-cluster setup across regions introduces high complexity and operational overhead, which is unsuitable for a team with minimal cloud experience and a tight budget.

700
Multi-Selectmedium

An organization wants to achieve a zero-trust security model on Google Cloud. Which TWO Google Cloud security capabilities support this goal? (Choose TWO.)

Select 2 answers
A.VPC firewalls
B.BeyondCorp Enterprise
C.Cloud Armor
D.Cloud Key Management Service (KMS)
E.Identity and Access Management (IAM)
AnswersB, E

BeyondCorp implements zero-trust access to applications.

Why this answer

BeyondCorp Enterprise (delivered through Identity-Aware Proxy and Access Context Manager access levels) enables zero trust by verifying user identity and device context on every request rather than trusting the network, and IAM provides fine-grained, least-privilege access control. Cloud Armor is a WAF and DDoS defence, Cloud KMS manages encryption keys, and VPC firewalls are network controls; all are useful, but none of them replaces per-request identity verification.

701
MCQmedium

A developer wants to trigger a serverless function whenever a new object is uploaded to a Cloud Storage bucket. Which Google Cloud service should they use?

A.Cloud Functions
B.Cloud Run
C.App Engine
D.Dataflow
AnswerA

Cloud Functions natively supports Cloud Storage triggers: the 1st gen runtime uses the 'google.storage.object.finalize' event, and 2nd gen (now called Cloud Run functions) receives the equivalent Eventarc event 'google.cloud.storage.object.v1.finalized'.

Why this answer

Cloud Functions is an event-driven serverless compute service that can be triggered by Cloud Storage events such as object finalise/create. Cloud Run can also be triggered by events via Eventarc, but Cloud Functions is the simpler choice for small code snippets triggered by events. Dataflow and App Engine are not designed for event-triggered functions from Cloud Storage. Whichever runtime is used, the function runs as its runtime service account, so grant that account only the bucket permissions it needs (for example roles/storage.objectViewer) rather than a project-wide editor role.

702
MCQmedium

An organization wants to tag resources with environment (dev/staging/prod) and cost center (e.g., 'marketing', 'engineering') for cost allocation and filtering in billing reports. Which feature should they use?

A.Organization policy tags
B.Folders
C.Network tags
D.Labels
AnswerD

Labels are designed for cost attribution and filtering; they appear in billing export and Cost Management tools.

Why this answer

Labels are key-value pairs that can be attached to resources and are used for billing cost allocation, filtering in cost reports, and resource grouping. Resource Manager tags drive organization policy and IAM conditions, and network tags select firewall-rule targets; labels are what the billing export and Cost Management reports filter on.

703
MCQeasy

Which term describes a physical or conceptual object (like a factory machine, building, or supply chain) that is represented as a digital model in the cloud, allowing simulation and analysis without touching the physical object?

A.Virtual machine — a software-based simulation of a computer.
B.Digital twin — a real-time digital model of a physical object or system updated by sensor data.
C.Container — a lightweight application packaging format.
D.Microservice — a small, independently deployable application component.
AnswerB

Digital twins mirror physical entities in real time. Cloud IoT and AI enable continuous data ingestion from sensors and simulation capabilities that power manufacturing, infrastructure, and logistics optimization.

Why this answer

A digital twin is a virtual representation of a physical object or system—such as a factory machine, building, or supply chain—that is continuously updated with real-time sensor data. This model lives in the cloud, enabling simulation, monitoring, and analysis without needing to interact with the physical asset. The key differentiator is the bidirectional data flow between the physical and digital worlds, which allows predictive maintenance and optimization.

Exam trap

Google Cloud often tests the distinction between a digital twin and a virtual machine, trapping candidates who confuse 'virtual representation of a physical object' with 'virtualization of computing resources.'

How to eliminate wrong answers

Option A is wrong because a virtual machine is a software-based emulation of a physical computer, not a representation of a physical object like a machine or building; it abstracts hardware resources rather than mirroring a specific real-world entity. Option C is wrong because a container is a lightweight, portable packaging format for applications and their dependencies, designed for consistent deployment across environments, not for modeling physical assets. Option D is wrong because a microservice is a small, independently deployable component of a larger application architecture, focused on business logic, not on creating a digital replica of a physical system.

704
MCQeasy

A company's security policy requires all employees to verify their identity using more than just a password when accessing Google Cloud resources. What security feature enforces this requirement?

A.Password complexity requirements — enforcing long, complex passwords.
B.Multi-factor authentication (MFA) / Two-step verification (2SV).
C.IP allowlisting — only allowing access from office IP addresses.
D.Session timeout — automatically logging out users after 30 minutes of inactivity.
AnswerB

MFA requires a second factor beyond the password — physical security keys, TOTP apps, or other verifiers. Even if a password is stolen, the second factor prevents unauthorized access.

Why this answer

Multi-factor authentication (MFA) / Two-step verification (2SV) is the correct answer because it explicitly requires users to provide two or more verification factors (e.g., something you know, something you have, something you are) to access Google Cloud resources. This directly enforces the policy of verifying identity beyond just a password, as MFA/2SV adds an additional layer of security by requiring a second factor such as a time-based one-time password (TOTP) from an authenticator app, a hardware security key (e.g., FIDO2), or a push notification. For Google Cloud users the enforcement lives in the Cloud Identity or Google Workspace admin console, where 2SV can be made mandatory for an organizational unit and restricted to phishing-resistant security keys only, so that a compromised password alone is insufficient for access.

Exam trap

The trap here is that candidates confuse 'stronger authentication' with 'stronger passwords' (Option A) or 'access restrictions' (Option C), failing to recognize that the core requirement is adding an independent second factor, not just hardening the single password factor.

How to eliminate wrong answers

Option A is wrong because password complexity requirements only enforce stronger passwords (e.g., length, character types) but do not add a second verification factor; they still rely solely on something you know, which does not meet the 'more than just a password' requirement. Option C is wrong because IP allowlisting restricts access based on network origin (e.g., office IP addresses) but does not verify the user's identity beyond the password; it is a network-level control, not an authentication factor. Option D is wrong because session timeout automatically ends an inactive session after a set period (e.g., 30 minutes) but does not require any additional identity verification beyond the initial password-based login; it addresses session management, not authentication strength.

705
Multi-Selectmedium

A company wants to store encryption keys for encrypting data at rest in Cloud Storage, and also needs to automatically rotate the keys every 30 days. Additionally, they require an audit log of key usage. Which TWO services should they use? (Choose two.)

Select 2 answers
A.Cloud HSM
B.Secret Manager
C.Cloud KMS
D.Cloud Audit Logs
E.Cloud Storage
AnswersC, D

Correct. Cloud KMS manages keys and supports automatic rotation.

Why this answer

Cloud KMS lets you create and manage keys with a rotation period; when it elapses, KMS generates a new primary key version automatically while older versions stay available to decrypt existing data. Cloud Audit Logs record every Encrypt/Decrypt call once Data Access audit logs are enabled for cloudkms.googleapis.com (they are off by default; only Admin Activity logs such as key creation and IAM changes are always on). Secret Manager stores secrets such as API keys and passwords, not encryption keys.

Cloud HSM is a protection level for Cloud KMS keys (hardware-backed), not a separate service for rotation or logging. Cloud Storage consumes the key but does not manage its rotation.

706
Multi-Selectmedium

A company is deploying a microservices architecture on Google Cloud and wants to ensure secure communication between services. Which THREE measures should they implement? (Choose THREE.)

Select 3 answers
A.Configure firewall rules to allow only necessary traffic
B.Enable VPC Flow Logs to capture network metadata
C.Assign public IP addresses to all services
D.Use a service mesh with mutual TLS (mTLS) between services
E.Use the same service account for all services
AnswersA, B, D

Firewall rules enforce network segmentation.

Why this answer

A service mesh (Anthos Service Mesh, now Cloud Service Mesh) issues a workload identity to each service and enforces mTLS between them, so traffic is authenticated and encrypted even inside the VPC. Firewall rules keyed to per-service service accounts restrict which workloads can reach which ports, and VPC Flow Logs record connection metadata for monitoring and forensics. Public IPs (C) would expose every service to the internet, and a single shared service account (E) makes all services indistinguishable to both IAM and firewall rules, which defeats segmentation.
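The firewall and flow-log part of this answer in Terraform, as an added example that is not part of the original page or of any Google project code. The VPC name, region, CIDR, service names and port are assumptions; the mTLS part belongs to the mesh configuration (a Cloud Service Mesh PeerAuthentication policy in STRICT mode) and is not shown here.

```hcl
# Added example: per-service identity as the firewall principal, default-deny ingress
# with logging, and VPC Flow Logs on the subnet. Names and addresses are assumptions.

resource "google_compute_network" "svc" {
  name                    = "microservices-vpc"
  auto_create_subnetworks = false   # no default subnets or default allow rules
}

resource "google_compute_subnetwork" "svc" {
  name          = "svc-subnet"
  network       = google_compute_network.svc.id
  region        = "europe-west1"
  ip_cidr_range = "10.10.0.0/20"

  # VPC Flow Logs: sampled connection metadata (5-tuple, bytes, packets, identities)
  # exported to Cloud Logging for monitoring and incident forensics.
  log_config {
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}

# One service account per service, so the firewall matches identity rather than IP.
resource "google_service_account" "orders" {
  account_id = "svc-orders"
}

resource "google_service_account" "payments" {
  account_id = "svc-payments"
}

# Explicit deny-all ingress just above the implied deny (65535) so that blocked
# connection attempts are logged; the implied rule never logs.
resource "google_compute_firewall" "deny_all_ingress" {
  name          = "deny-all-ingress"
  network       = google_compute_network.svc.id
  direction     = "INGRESS"
  priority      = 65534
  source_ranges = ["0.0.0.0/0"]

  deny {
    protocol = "all"
  }

  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

# Only VMs running as svc-orders may reach VMs running as svc-payments, and only
# on the service port. A VM that reuses the wrong service account gets no rule.
resource "google_compute_firewall" "orders_to_payments" {
  name      = "allow-orders-to-payments"
  network   = google_compute_network.svc.id
  direction = "INGRESS"
  priority  = 1000

  allow {
    protocol = "tcp"
    ports    = ["8443"]
  }

  source_service_accounts = [google_service_account.orders.email]
  target_service_accounts = [google_service_account.payments.email]
}
```

Service-account-based rules cannot be mixed with network tags in the same rule, which is a feature here: a tag can be added to any VM by anyone with compute.instances.setTags, whereas attaching a service account to a VM requires iam.serviceAccounts.actAs on that account.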

707
MCQmedium

A company uses Cloud Storage to store sensitive data. They want to enforce that all objects uploaded are encrypted with a customer-managed key that they can rotate and control. What should they configure?

A.Use customer-supplied encryption keys (CSEK) for each upload.
B.Use Cloud HSM to generate a key and import it to Cloud KMS.
C.Set default encryption on the bucket to use a CMEK key from Cloud KMS.
D.Enable default encryption with a Google-managed key.
AnswerC

CMEK uses customer-managed keys in Cloud KMS.

Why this answer

Customer-managed encryption keys (CMEK) let the customer own the key in Cloud KMS and control its rotation, disable it, or destroy it; setting that key as the bucket's default makes every new object use it with no change to clients. The Cloud Storage service agent must hold roles/cloudkms.cryptoKeyEncrypterDecrypter on the key or uploads fail. CSEK (A) forces every client to supply the raw key on each request and Google never stores it, which is a larger operational burden; importing an HSM-generated key (B) is a key-provenance choice, not an enforcement mechanism; Google-managed keys (D) give the customer no control over rotation.
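One configuration that implements both Question 705 (30-day rotation and an audit trail of key use) and this question (CMEK as the bucket default), written here as an added Terraform example rather than anything from the original page. The project ID, key ring, key and bucket names and the region are assumptions.

```hcl
# Added example: Cloud KMS key with automatic 30-day rotation, a Cloud Storage bucket
# whose default encryption key is that CMEK, and Data Access audit logs for Cloud KMS.
# Project ID, names and region are placeholders (assumptions).

locals {
  project_id = "example-project"   # assumption
  region     = "europe-west1"      # bucket and key ring must be in compatible locations
}

# The Cloud Storage service agent, not the end user, calls KMS on each upload/download.
data "google_storage_project_service_account" "gcs" {
  project = local.project_id
}

resource "google_kms_key_ring" "data" {
  name     = "sensitive-data-keyring"
  location = local.region
  project  = local.project_id
}

resource "google_kms_crypto_key" "data" {
  name            = "sensitive-data-key"
  key_ring        = google_kms_key_ring.data.id
  purpose         = "ENCRYPT_DECRYPT"
  rotation_period = "2592000s"   # 30 days: KMS creates a new primary version automatically

  lifecycle {
    prevent_destroy = true       # destroying the key makes every object encrypted with it unreadable
  }
}

# Without this binding the bucket is created but every upload fails with a KMS permission error.
resource "google_kms_crypto_key_iam_member" "gcs_uses_key" {
  crypto_key_id = google_kms_crypto_key.data.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_storage_project_service_account.gcs.email_address}"
}

resource "google_storage_bucket" "data" {
  name                        = "example-sensitive-data-bucket"   # assumption; bucket names are global
  location                    = local.region
  project                     = local.project_id
  uniform_bucket_level_access = true

  encryption {
    default_kms_key_name = google_kms_crypto_key.data.id   # every new object uses the CMEK
  }

  depends_on = [google_kms_crypto_key_iam_member.gcs_uses_key]
}

# Admin Activity logs (key creation, IAM changes) are always on. Data Access logs, which
# record each Encrypt/Decrypt call and who made it, are off by default and enabled here.
resource "google_project_iam_audit_config" "kms" {
  project = local.project_id
  service = "cloudkms.googleapis.com"

  audit_log_config {
    log_type = "DATA_READ"
  }

  audit_log_config {
    log_type = "DATA_WRITE"
  }
}
```

Rotation only changes which key version encrypts new objects; objects written under older versions stay decryptable until those versions are disabled or destroyed, so the audit trail is also where you confirm that nothing still depends on a version before retiring it.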

708
MCQmedium

An e-commerce company experiences unpredictable traffic spikes. They need to ensure their web application automatically scales out during high demand and scales in when demand drops, paying only for resources used. Which cloud benefit best describes this?

A.Economies of scale
B.Broad network access
C.Elasticity
D.Reliability
AnswerC

Elasticity is the ability to scale resources up/down automatically.

Why this answer

Elasticity allows resources to automatically scale up and down based on demand, optimizing cost and performance.

709
MCQeasy

An operations team wants to receive an automated alert when their web application's HTTP error rate exceeds 5% for more than 5 minutes. Which Google Cloud product is used to configure this type of metric-based alert?

A.Cloud Logging, by configuring a log-based metric and email notification
B.Cloud Monitoring, by creating an alerting policy on the HTTP error rate metric with a 5-minute evaluation window and notification channel
C.Cloud Trace, by setting a trace sampling threshold for error requests
D.Security Command Center, by configuring a finding for high error rates
AnswerB

Cloud Monitoring is the correct service. An alerting policy specifies: the metric to watch (HTTP error rate), the threshold (5%), the evaluation window (5 minutes), and the notification channel (email, PagerDuty, Slack, etc.). This is a core Cloud Monitoring capability.

Why this answer

Cloud Monitoring is the correct service because it is purpose-built for creating alerting policies based on metrics like HTTP error rates. You can define a condition that triggers when the error rate exceeds 5% for a specified evaluation window (e.g., 5 minutes) and route the alert through a notification channel (e.g., email, Slack). This directly matches the requirement for a metric-based alert with a time-based threshold.

Exam trap

Google Cloud often tests the misconception that Cloud Logging can directly send alerts, but in reality, Cloud Logging only stores logs and log-based metrics; the alerting policy must always be configured in Cloud Monitoring.

How to eliminate wrong answers

Option A is wrong because Cloud Logging is used for storing and querying log data, not for creating metric-based alerts on HTTP error rates; while log-based metrics can be created, the alert itself must be configured in Cloud Monitoring, and Cloud Logging does not natively support email notification channels for alerts. Option C is wrong because Cloud Trace is a distributed tracing tool for analyzing request latency and performance, not for monitoring error rates or triggering alerts based on percentage thresholds. Option D is wrong because Security Command Center is a security and risk management service that provides findings for vulnerabilities and threats, not for operational metric-based alerting on web application error rates.
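The alerting policy described above in Terraform, as an added example that is not part of the original page. It assumes the application sits behind an external HTTPS load balancer, whose request_count metric carries a response_code_class label, and it assumes the on-call email address; the ratio is computed with a denominator filter so the condition is "5xx responses divided by all responses", not a raw count.

```hcl
# Added example: "HTTP 5xx rate above 5% for 5 minutes" as a Cloud Monitoring alerting
# policy with an email notification channel. Email address and load balancer assumed.

resource "google_monitoring_notification_channel" "oncall_email" {
  display_name = "On-call email"
  type         = "email"

  labels = {
    email_address = "oncall@example.com"   # assumption
  }
}

resource "google_monitoring_alert_policy" "http_error_rate" {
  display_name = "HTTP 5xx error rate > 5% for 5 minutes"
  combiner     = "OR"

  conditions {
    display_name = "5xx ratio on external HTTPS load balancer"

    condition_threshold {
      # Numerator: only responses in the 5xx class.
      filter = "metric.type=\"loadbalancing.googleapis.com/https/request_count\" AND resource.type=\"https_lb_rule\" AND metric.labels.response_code_class = 500"

      # Denominator: every response, so the comparison is a ratio between 0 and 1.
      denominator_filter = "metric.type=\"loadbalancing.googleapis.com/https/request_count\" AND resource.type=\"https_lb_rule\""

      aggregations {
        alignment_period     = "60s"
        per_series_aligner   = "ALIGN_RATE"
        cross_series_reducer = "REDUCE_SUM"
        group_by_fields      = ["resource.label.url_map_name"]
      }

      denominator_aggregations {
        alignment_period     = "60s"
        per_series_aligner   = "ALIGN_RATE"
        cross_series_reducer = "REDUCE_SUM"
        group_by_fields      = ["resource.label.url_map_name"]
      }

      comparison      = "COMPARISON_GT"
      threshold_value = 0.05     # 5%
      duration        = "300s"   # the ratio must stay above 5% for the whole 5 minutes

      trigger {
        count = 1
      }
    }
  }

  notification_channels = [google_monitoring_notification_channel.oncall_email.name]

  alert_strategy {
    auto_close = "1800s"   # close the incident 30 minutes after the condition clears
  }
}
```

The duration is the part candidates forget: without it, a single 60-second spike opens an incident. With "300s", Monitoring requires every aligned point in the window to violate the threshold before notifying, which is the "for more than 5 minutes" in the requirement.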

710
MCQmedium

A company wants to store backup data that will be accessed infrequently (once a quarter) and can tolerate a retrieval time of several hours. The data is critical but regulatory compliance requires it to be retained for 10 years. Which Cloud Storage class is MOST cost-effective?

A.Standard
B.Coldline
C.Nearline
D.Archive
AnswerD

Archive has the lowest per-GB storage price of the four classes and is built for data kept for years and read rarely; it carries a 365-day minimum storage duration and the highest per-GB retrieval cost.

Why this answer

Archive is the cheapest class in which to hold data for 10 years, which makes it the most cost-effective choice here even though the files are read quarterly: the retrieval fee for four reads a year is small against a decade of storage. Standard is for frequently accessed data, Nearline for roughly monthly access (30-day minimum storage), Coldline for roughly quarterly access (90-day minimum), and Archive for yearly or rarer access (365-day minimum). Note that, unlike tape-style archive tiers at other providers, every Cloud Storage class returns objects in milliseconds; the "several hours" in the question is the company's tolerance, not an actual Archive restore time.

711
MCQmedium

What is 'infrastructure as code' (IaC), and what problem does it solve compared to manually configuring cloud resources through a web console?

A.IaC is a programming language specifically for writing cloud applications.
B.IaC defines infrastructure in version-controlled code files, enabling reproducible, automated, and consistent environment provisioning versus error-prone manual console configuration.
C.IaC is a tool that automatically discovers and documents existing cloud infrastructure.
D.IaC requires writing custom Python scripts for every cloud resource type.
AnswerB

IaC makes infrastructure reproducible (apply the same code to get the same result), version-controlled (track changes like software), automated (CI/CD pipelines), and consistent (no manual variation).

Why this answer

Infrastructure as Code (IaC) is the practice of managing and provisioning cloud resources through machine-readable definition files (e.g., YAML, JSON, HCL) rather than through manual processes like clicking in a web console. The core problem it solves is eliminating the error-prone, inconsistent, and non-reproducible nature of manual configuration by enabling version-controlled, automated, and repeatable deployments; because the files are reviewed like code, they also give security a place to check IAM bindings and firewall rules before the resources exist. Tools like Terraform (which Google Cloud's Infrastructure Manager runs as a managed service), AWS CloudFormation, and Azure Resource Manager (ARM) templates are common IaC implementations that converge resources to a declared desired state and report drift from it.

Exam trap

Google Cloud often tests the misconception that IaC is a specific tool or scripting language, rather than a methodology for reproducible infrastructure management, leading candidates to confuse it with automation scripts or discovery tools.

How to eliminate wrong answers

Option A is wrong because IaC is not a programming language for writing cloud applications; it is a methodology for defining and managing infrastructure resources using declarative or imperative configuration files. Option C is wrong because IaC does not automatically discover and document existing infrastructure; that is the function of tools like AWS Config or Terraformer, which are used for reverse-engineering or inventory, not for defining infrastructure from scratch. Option D is wrong because IaC does not require custom Python scripts for every resource type; it typically uses domain-specific languages (e.g., HCL for Terraform, YAML for CloudFormation) or configuration files that abstract away the need for scripting each resource individually.

712
MCQmedium

An organization needs to comply with HIPAA for storing healthcare data in Google Cloud. Which of the following is a customer responsibility?

A.Implementing IAM policies to control access to PHI
B.Physical security of Google data centers
C.Patching the hypervisor
D.Obtaining SOC 2 certification for Google Cloud
AnswerA

IAM configuration is the customer's responsibility.

Why this answer

Under the shared responsibility model, the customer is responsible for configuring access controls (IAM) and encrypting PHI appropriately.

713
MCQhard

A company wants to ensure that sensitive data (credit card numbers, SSNs) stored in BigQuery is automatically identified and protected. They also want ongoing scanning to detect if any new data violates their data governance policies. Which Google Cloud service provides these capabilities?

A.Security Command Center — it scans BigQuery for sensitive data automatically.
B.Cloud Data Loss Prevention (Cloud DLP) with BigQuery inspection jobs.
C.Cloud Monitoring custom dashboards with SQL queries that search for PII patterns.
D.Cloud Audit Logs — they record all BigQuery queries and can identify when sensitive columns are accessed.
AnswerB

Cloud DLP natively scans BigQuery tables to identify sensitive data using built-in and custom infoTypes. Scheduled jobs provide continuous governance monitoring; de-identification transforms protect identified data.

Why this answer

Cloud DLP (now named Sensitive Data Protection) with BigQuery inspection jobs is the correct choice because it provides both automated identification of sensitive data (such as credit card numbers and SSNs) within BigQuery tables and ongoing scanning via scheduled inspection jobs (job triggers). Cloud DLP uses built-in infoType detectors to match patterns like credit card numbers (with a Luhn checksum) and SSNs, writes findings to a BigQuery table or publishes them to Pub/Sub and Security Command Center, and can apply de-identification transforms when new data violates governance policies.

Exam trap

The trap here is that candidates confuse Security Command Center's broad security scanning with Cloud DLP's specific data-level inspection, or assume that logging or monitoring tools can perform content analysis without specialized pattern-matching engines.

How to eliminate wrong answers

Option A is wrong because Security Command Center does not itself inspect BigQuery content; it is a posture and threat-detection console that can display summaries of DLP scans, but the pattern matching is done by Cloud DLP. Option C is wrong because Cloud Monitoring custom dashboards with SQL queries cannot automatically identify PII patterns; they rely on manual query construction and lack the built-in pattern matching and classification capabilities of Cloud DLP. Option D is wrong because Cloud Audit Logs record access and query activity, not the content of the data; they cannot identify or protect sensitive data within BigQuery tables.
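The inspection template and scheduled BigQuery job trigger described above, as an added Terraform example that is not from the original page. The project ID and the dataset and table names are assumptions; the findings are written to a separate dataset so that analysts do not need read access to the raw customer table.

```hcl
# Added example: Cloud DLP (Sensitive Data Protection) inspect template for card numbers
# and SSNs, plus a job trigger that rescans a BigQuery table daily and saves findings.
# Project and table names are assumptions.

locals {
  project_id = "example-project"   # assumption
}

resource "google_data_loss_prevention_inspect_template" "pii" {
  parent       = "projects/${local.project_id}"
  display_name = "cards-and-ssn"
  description  = "Payment card numbers (Luhn-checked) and US SSNs"

  inspect_config {
    info_types {
      name = "CREDIT_CARD_NUMBER"
    }

    info_types {
      name = "US_SOCIAL_SECURITY_NUMBER"
    }

    min_likelihood = "LIKELY"   # raise to VERY_LIKELY if false positives are too noisy
    include_quote  = false      # do not copy the matched secret into the findings table
  }
}

resource "google_data_loss_prevention_job_trigger" "scan_customers" {
  parent       = "projects/${local.project_id}"
  display_name = "daily-scan-customers"
  status       = "HEALTHY"

  triggers {
    schedule {
      recurrence_period_duration = "86400s"   # run once a day
    }
  }

  inspect_job {
    inspect_template_name = google_data_loss_prevention_inspect_template.pii.name

    storage_config {
      big_query_options {
        table_reference {
          project_id = local.project_id
          dataset_id = "crm"         # assumption
          table_id   = "customers"   # assumption
        }

        rows_limit_percent = 10              # sample; move to 100 once detector precision is verified
        sample_method      = "RANDOM_START"
      }
    }

    # Findings (column, row, infoType, likelihood; no quoted value) go to a locked-down dataset.
    actions {
      save_findings {
        output_config {
          table {
            project_id = local.project_id
            dataset_id = "dlp_findings"          # assumption
            table_id   = "customers_findings"    # assumption
          }
        }
      }
    }

    # Also surface a per-run summary in Security Command Center for the security team.
    actions {
      publish_summary_to_cscc {}
    }
  }
}
```

The DLP service agent needs roles/bigquery.dataViewer on the source table and write access to the findings dataset; grant those to the service agent, not to the analysts, so the scan can see data that the people reading its results cannot.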

714
MCQhard

A multinational corporation must store and process data subject to GDPR. They need to ensure that personal data of EU residents remains within the EU. Which Google Cloud feature should they use?

A.Organization policies with location restrictions
B.Cloud Audit Logs
C.Cloud KMS
D.VPC Service Controls
AnswerA

Organization policies can restrict resource creation to specific regions (e.g., EU) to enforce data residency.

Why this answer

Data residency in Google Cloud is enforced with the organization policy constraint constraints/gcp.resourceLocations, which restricts the locations in which new resources (buckets, BigQuery datasets, Cloud SQL instances, and so on) may be created; allowing only the EU value group prevents any project under the organization from placing data outside the EU. The constraint is checked at creation time, so existing resources must be audited separately, and it is not a network boundary: VPC Service Controls (D) limits which identities and networks can call the APIs inside a perimeter but does not decide where data is stored.
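The organization policy described above as an added Terraform example (not from the original page); the organization ID is an assumption. The value group in:eu-locations is maintained by Google and expands to the EU regions and multi-regions, so new regions are covered without editing the policy.

```hcl
# Added example: restrict resource creation for the whole organization to EU locations.
# The organization ID is a placeholder (assumption).

locals {
  org_id = "123456789012"   # assumption
}

resource "google_org_policy_policy" "eu_resource_locations" {
  name   = "organizations/${local.org_id}/policies/gcp.resourceLocations"
  parent = "organizations/${local.org_id}"

  spec {
    rules {
      values {
        # Google-managed value group: all EU regions, zones and the EU multi-region.
        # Anything not listed (us-central1, the US multi-region, global buckets) is denied.
        allowed_values = ["in:eu-locations"]
      }
    }
  }
}
```

A child folder or project can only narrow this further; if a team needs an exception, it must be granted by replacing the policy at that level, which is itself an Admin Activity audit log entry that a data-protection officer can review.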

715
Multi-Selecthard

Which THREE of the following are common benefits of adopting a cloud infrastructure compared to on-premises? (Choose 3)

Select 3 answers
A.Ability to scale globally in minutes
B.Elimination of all security vulnerabilities
C.Pay-as-you-go pricing model
D.Complete transfer of security responsibility to the provider
E.Elimination of upfront capital expenses
AnswersA, C, E

Cloud providers have global infrastructure that can be provisioned quickly.

Why this answer

Option A is correct because cloud infrastructure enables rapid global scaling by provisioning resources across multiple geographic regions within minutes, leveraging automated orchestration and APIs. This is a fundamental advantage over on-premises setups, which require lengthy procurement, shipping, and manual configuration to expand capacity. Option C is correct because pay-as-you-go replaces capacity bought for peak load with charges for what is actually consumed. Option E is correct because the provider owns the data centres and hardware, so the customer makes no upfront capital purchase. Options B and D are wrong for the same reason: moving to the cloud removes some risks (physical access, hypervisor patching) but under the shared responsibility model the customer still owns IAM, data protection, and application security, and misconfigurations there remain the customer's vulnerabilities.

Exam trap

Google Cloud often tests the shared responsibility model by presenting options that imply a complete transfer of security liability, leading candidates to mistakenly select Option D, when in fact the customer retains critical security duties.

716
MCQeasy

A company wants to run a batch job that processes large log files stored in Cloud Storage every night. The job typically runs for 2 hours on a single VM with 16 vCPUs and 64 GB of memory. They want to minimize costs. Which compute option is BEST?

A.Compute Engine with preemptible VMs
B.Cloud Run
C.Compute Engine with Sole-tenant nodes
D.Compute Engine with standard VMs
AnswerA

Preemptible VMs are much cheaper and suitable for batch jobs that can resume.

Why this answer

Preemptible VMs (and Spot VMs, which carry the same 60-91% discount without the 24-hour limit) offer significant cost savings for fault-tolerant batch jobs; a 2-hour nightly job fits comfortably inside the 24-hour preemptible limit, and a job that checkpoints to a persistent disk or Cloud Storage can resume after an interruption instead of restarting. Cloud Run is sized for request-driven containers, not a single 16 vCPU VM running for hours, and sole-tenant nodes cost more than standard VMs, not less.
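One way to provision the batch worker for this question and for Question 698, as an added Terraform example that is not from the original page. It uses the Spot provisioning model (the current form of preemptible VMs), keeps the disks when Compute Engine reclaims the VM, and gives the job a scratch persistent disk for checkpoints. The machine type, zone, disk size, service account and the batch executable path in the startup script are assumptions.

```hcl
# Added example: Spot VM for a nightly batch job that checkpoints to a persistent disk.
# Names, zone, sizes and the job executable are placeholders (assumptions).

resource "google_service_account" "batch" {
  account_id = "batch-worker"
}

resource "google_compute_disk" "scratch" {
  name = "batch-scratch"
  type = "pd-balanced"
  zone = "europe-west1-b"
  size = 2000   # GB; survives preemption because the VM is stopped, not deleted
}

resource "google_compute_instance" "batch_worker" {
  name         = "batch-worker-1"
  machine_type = "n2-standard-16"   # 16 vCPU / 64 GB, as in the question
  zone         = "europe-west1-b"

  scheduling {
    provisioning_model          = "SPOT"
    preemptible                 = true    # required together with SPOT
    automatic_restart           = false   # required for SPOT
    instance_termination_action = "STOP"  # keep disks; the nightly scheduler starts the VM again
  }

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  attached_disk {
    source      = google_compute_disk.scratch.id
    device_name = "scratch"   # appears as /dev/disk/by-id/google-scratch in the guest
  }

  network_interface {
    network = "default"
    # No access_config block, so no external IP: reach Cloud Storage through Private
    # Google Access and reach the internet, if needed, through Cloud NAT.
  }

  service_account {
    email  = google_service_account.batch.email
    scopes = ["cloud-platform"]   # scopes do not grant anything; give the SA objectViewer on the input bucket only
  }

  # Resume from the last checkpoint on the scratch disk instead of reprocessing.
  # The disk is formatted once out of band; /opt/batch/process is the company's executable (assumption).
  metadata_startup_script = <<-EOT
    #!/bin/bash
    set -euo pipefail
    mkdir -p /mnt/scratch
    mount /dev/disk/by-id/google-scratch /mnt/scratch
    /opt/batch/process --checkpoint-dir /mnt/scratch/checkpoints
  EOT
}
```

The termination action is the important line: with the default DELETE, preemption also discards the scratch disk and the job restarts from zero every time it is reclaimed, which erases most of the discount on a job that cannot finish in one sitting.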

717
MCQhard

A healthcare provider wants to use AI to analyze unstructured medical records — scanned documents with handwritten notes and printed text — to extract diagnosis codes for billing. Which combination of Google Cloud AI products most directly addresses this document understanding use case?

A.BigQuery ML and Looker Studio, to analyze and visualize the extracted diagnosis codes
B.Document AI and Vision API, which together handle OCR, layout understanding, and information extraction from scanned documents with handwritten and printed text
C.Vertex AI Pipelines and Cloud Dataflow, to orchestrate machine learning training jobs on document data
D.Cloud Translation API and Natural Language API, to translate and analyze the text content of medical records
AnswerB

Document AI is Google's specialized service for intelligent document processing: it handles complex documents with mixed handwritten and printed content and extracts structured fields through pretrained and custom processors. Vision API provides foundational OCR capabilities. Together they address the document understanding pipeline from raw scan to extracted structured data; mapping the extracted text onto billing codes is a downstream step on that output.

Why this answer

Option B is correct because Document AI is purpose-built for extracting structured information (like diagnosis codes) from unstructured documents, including both handwritten and printed text, using OCR and layout understanding. The Vision API complements this by providing advanced OCR capabilities for scanned images, together forming a direct solution for the healthcare provider's document understanding use case.

Exam trap

The trap here is that candidates may confuse general-purpose AI services (like Translation API or Natural Language API) with specialized document understanding tools, or assume that any ML pipeline tool (like Vertex AI Pipelines) can directly extract data from scanned documents without OCR and layout analysis.

How to eliminate wrong answers

Option A is wrong because BigQuery ML and Looker Studio are analytics and visualization tools, not designed for OCR or information extraction from scanned documents; they would require already-extracted data. Option C is wrong because Vertex AI Pipelines and Cloud Dataflow orchestrate ML training and data processing pipelines, not direct document understanding or extraction from scanned medical records. Option D is wrong because Cloud Translation API and Natural Language API handle translation and text analysis, but they lack OCR capabilities for handwritten notes and cannot extract structured diagnosis codes from scanned documents.

718
MCQhard

A company's SRE team sets an SLO of 99.5% monthly availability for a non-critical internal tool. A business stakeholder argues the target should be 99.99%. The SRE team pushes back. Which SRE argument best supports keeping the 99.5% target?

A.Higher SLOs are always more expensive to achieve and the company cannot afford cloud infrastructure that provides 99.99% availability
B.For a non-critical internal tool, 99.99% reliability requires disproportionate engineering investment (redundancy, 24/7 on-call, chaos testing) compared to its business value; 99.5% matches the actual reliability need while preserving engineering capacity for higher-value work
C.Google Cloud cannot provide 99.99% availability for any service, so the SLO must be kept lower
D.The team should set 99.5% now and plan to increase it to 99.99% next quarter when the tool becomes more popular
AnswerB

This is the SRE argument. Reliability is not free — achieving 99.99% requires architectural complexity, 24/7 on-call readiness, and ongoing reliability engineering. For an internal tool, this investment would consume engineering time that could build features users value more. The SLO should match what the business actually needs, not maximize reliability for its own sake.

Why this answer

Option B correctly applies the SRE principle of aligning SLOs with business value. For a non-critical internal tool, the cost of achieving 99.99% availability—including redundant infrastructure, 24/7 on-call rotations, and chaos engineering—far exceeds the marginal benefit over 99.5%. This preserves engineering capacity for higher-value work, which is a core tenet of Google's SRE approach to error budgets and cost-benefit analysis.

Exam trap

Google Cloud often tests the misconception that higher SLOs are always better or that cloud providers universally guarantee high availability, when the correct SRE approach is to set SLOs based on the actual user experience and business impact, not arbitrary targets.

How to eliminate wrong answers

Option A is wrong because it incorrectly assumes higher SLOs are always more expensive; the real issue is disproportionate cost relative to business value, not absolute affordability. Option C is wrong because Google Cloud does offer services with 99.99% availability SLAs (e.g., Cloud Spanner regional instances, with 99.999% for multi-region configurations), so the statement is factually incorrect. Option D is wrong because it suggests a planned future increase without justification; SLOs should be set based on current reliability needs and error budget policy, not arbitrary future popularity.

719
MCQmedium

A company wants to set up a hybrid cloud connection between its on-premises data center and Google Cloud VPC with a dedicated, high-bandwidth, low-latency link. Which service should they use?

A.Cloud VPN
B.Cloud CDN
C.Cloud NAT
D.Cloud Interconnect
AnswerD

Cloud Interconnect provides dedicated, high-bandwidth, low-latency connections between on-premises networks and Google Cloud.

Why this answer

Cloud Interconnect provides dedicated physical connections (Dedicated Interconnect) or connections through a partner (Partner Interconnect) between on-premises networks and Google Cloud. HA VPN is a low-cost alternative but runs over the public internet with lower bandwidth. Note that Interconnect traffic is not encrypted by default: use MACsec on Dedicated Interconnect, HA VPN over Cloud Interconnect, or TLS at the application layer if the data requires encryption in transit. Cloud CDN is for content delivery.

Cloud NAT is for outbound connectivity.

720
MCQmedium

A company is evaluating Total Cost of Ownership (TCO) for migrating from on-premises to Google Cloud. Which cost is typically reduced or eliminated in the cloud?

A.Software subscription fees
B.Cloud storage costs
C.Internet bandwidth costs
D.Data center facility and hardware maintenance costs
AnswerD

Cloud provider manages physical infrastructure, eliminating these costs.

Why this answer

On-premises costs like data center facility, power, cooling, and hardware maintenance are eliminated in the cloud, as the provider manages the infrastructure.

721
MCQmedium

What is the difference between RTO (Recovery Time Objective) and RPO (Recovery Point Objective) in disaster recovery planning?

A.RTO is the time to back up data; RPO is the time to restore it.
B.RTO is the maximum acceptable downtime duration; RPO is the maximum acceptable data loss measured in time.
C.RTO and RPO are both measured in bytes — the maximum data that can be lost during recovery.
D.RTO is the number of replicas required; RPO is the geographic distance between backup sites.
AnswerB

RTO: 'How long can we be down?' RPO: 'How much data can we afford to lose?' These two objectives drive backup frequency and recovery architecture design.

Why this answer

Option B is correct because RTO (Recovery Time Objective) defines the maximum acceptable duration of downtime after a disaster, while RPO (Recovery Point Objective) defines the maximum acceptable amount of data loss measured in time (e.g., the age of the last backup). These are key metrics in disaster recovery planning that directly influence the choice of backup frequency, replication strategy, and failover architecture on Google Cloud.

Exam trap

Google Cloud often tests the distinction between time-based and data-based metrics, trapping candidates who confuse RTO with backup duration or RPO with recovery speed, especially when options mix units like bytes or geographic distance.

How to eliminate wrong answers

Option A is wrong because RTO is not the time to back up data; it is the target time to restore service after a disaster, and RPO is not the time to restore data but the maximum acceptable data loss window (e.g., how far back in time recovery can go). Option C is wrong because RTO and RPO are measured in time (seconds, minutes, hours), not in bytes; data loss in bytes is a separate metric (e.g., maximum tolerable data loss in volume). Option D is wrong because RTO is not the number of replicas required; replica count is a design decision influenced by RTO/RPO but not the definition, and RPO is not geographic distance; distance affects latency and replication lag but is not the objective itself.

722
MCQeasy

Which GCP support plan provides 15-minute response time for P1 incidents and a Technical Account Manager (TAM)?

A.Enhanced
B.Premium
C.Standard
D.Basic
AnswerB

Premium includes 15-minute response for P1 and a TAM.

Why this answer

Premium Support offers the fastest response times and a TAM.

723
Multi-Selectmedium

Which TWO statements correctly describe Cloud Run scaling behavior?

Select 2 answers
A.The maximum number of instances can be set to 'default' which is unlimited.
B.You can set a minimum number of instances to ensure zero cold starts.
C.You can define a target concurrency to control how many requests each container instance handles.
D.The number of container instances can be scaled to zero when there is no traffic.
E.Autoscaling uses CPU and memory utilization to make decisions.
AnswersC, D

Container concurrency setting controls the maximum number of concurrent requests per instance.

Why this answer

Option C is correct because Cloud Run lets you set a maximum (target) concurrency, the number of simultaneous requests a single container instance handles. This is the key scaling parameter: as existing instances approach that concurrency, Cloud Run starts additional instances. The default is 80; it can be raised to 1000, or set to 1 for strictly sequential processing. Option D is correct because the minimum instance count defaults to 0, so a service with no traffic scales to zero and incurs no instance cost. Option A is wrong because the default maximum instance count is 100, not unlimited; it is a per-service cap that also guards against runaway spend. Option B is wrong because minimum instances keep a fixed number of instances warm, which reduces cold starts but cannot eliminate them: any scale-out above the minimum still starts new instances cold.

Exam trap

Google Cloud often tests the misconception that Cloud Run autoscales on CPU and memory utilization the way a Compute Engine managed instance group can. Cloud Run's primary scaling signal is request concurrency measured against the configured limit; CPU utilization of busy instances is only a secondary input, and memory is not used at all. Candidates who carry over resource-metric assumptions from other services wrongly select Option E.

724
MCQhard

A company is evaluating whether to adopt a multi-cloud strategy (using two or more cloud providers for different workloads). An engineer lists the following arguments: (1) resilience against a single cloud provider outage, (2) negotiating leverage on pricing, (3) using best-of-breed services from each provider. A cloud architect cautions that multi-cloud also introduces significant challenges. What is the most significant operational challenge of a multi-cloud approach?

A.Multi-cloud requires purchasing separate hardware for each cloud provider's environment
B.Significantly increased operational complexity: teams need expertise in multiple providers' tools, security models, and APIs, while governance, monitoring, and cost management must span inconsistent environments
C.Cloud providers refuse to allow customers to use competing providers simultaneously
D.Multi-cloud makes it impossible to use any managed services because applications must be portable across providers
AnswerB

This is the primary challenge. Every cloud provider has different services, CLIs, IAM systems, networking models, pricing, and monitoring tools. Maintaining expertise and governance across multiple providers dramatically increases the operational burden and requires larger, more specialized teams. The benefits must be weighed against this real cost.

Why this answer

Option B is correct because multi-cloud environments inherently increase operational complexity. Teams must master distinct APIs, security models (e.g., IAM policies differ between AWS and GCP), monitoring tools (e.g., CloudWatch vs. Cloud Monitoring), and cost management consoles.

Governance and compliance must be enforced consistently across heterogeneous platforms, which often requires custom tooling or third-party solutions, making day-to-day operations significantly more challenging than a single-cloud approach.

Exam trap

The trap here is that candidates may underestimate operational complexity and instead focus on perceived hardware or vendor lock-in issues, but the GCDL exam emphasizes that managing multiple distinct cloud environments is the primary operational challenge.

How to eliminate wrong answers

Option A is wrong because multi-cloud does not require purchasing separate hardware; cloud providers abstract the underlying infrastructure, and customers interact via APIs and virtualized resources. Option C is wrong because cloud providers do not prohibit customers from using competing providers; multi-cloud is a common and supported architecture. Option D is wrong because multi-cloud does not make managed services impossible; applications can use provider-specific managed services (e.g., GCP Cloud SQL, AWS RDS) while abstracting portability via containers or service meshes, though portability is not a strict requirement.

725
MCQeasy

A cloud architect is reviewing logs from a production incident. She wants to search all log entries across multiple Google Cloud projects for error messages containing a specific string. Which Google Cloud product enables centralized log searching and analysis across an entire organization?

A.Cloud Monitoring, which provides metric dashboards and alerting
B.Cloud Logging, which centralizes logs from all Google Cloud services and projects and supports powerful filtering and search queries across an organization
C.BigQuery, by exporting logs to a dataset and running SQL queries to find matching error entries
D.Cloud Trace, which provides distributed request tracing for latency analysis
AnswerB

Cloud Logging is the correct answer. It aggregates logs from all sources (Compute Engine, Cloud Run, GKE, App Engine, etc.) across all projects into a centralized store. Its query language allows searching for specific text strings, error levels, time ranges, and resource attributes across the entire organization.

Why this answer

Cloud Logging (formerly Stackdriver Logging) is the Google Cloud service designed to ingest, store, and analyze log data from all Google Cloud services and projects. It supports centralized log aggregation across an entire organization via aggregated sinks and the Logs Explorer, enabling powerful filtering and search queries (e.g., using the `textPayload` or `jsonPayload` fields) to find specific error strings across multiple projects without needing to export data elsewhere.

Exam trap

Google Cloud often tests the distinction between native log search (Cloud Logging) and log export/analysis (BigQuery), tempting candidates to choose BigQuery because they know SQL, but the question specifically asks for a product that enables centralized searching without requiring an export step.

How to eliminate wrong answers

Option A is wrong because Cloud Monitoring focuses on metrics, dashboards, and alerting based on time-series data, not on searching raw log entries for specific error strings. Option C is wrong because while BigQuery can query exported logs via SQL, it is not a native centralized log search tool; it requires an additional export step and does not provide real-time log searching across the organization without manual setup. Option D is wrong because Cloud Trace is designed for distributed request tracing and latency analysis, not for searching log entries for error messages.

726
MCQhard

A financial services company must store and process sensitive customer data that is subject to GDPR and PCI DSS. They need to ensure that data is encrypted at rest and in transit, and that encryption keys are managed by a hardware security module (HSM) that is FIPS 140-2 Level 3 certified. Which Google Cloud service should they use for key management?

A.Cloud Hardware Security Module (Cloud HSM)
B.Cloud External Key Manager (Cloud EKM)
C.Secret Manager
D.Cloud Key Management Service (Cloud KMS)
AnswerA

Cloud HSM offers dedicated HSM, FIPS 140-2 Level 3, and customer-managed keys.

Why this answer

Cloud HSM provides dedicated HSM hardware with FIPS 140-2 Level 3 validation and lets customers manage their own keys. It is exposed as the HSM protection level of Cloud KMS, so the keys are used through the same Cloud KMS API and IAM controls as software keys. Cloud KMS software keys are only FIPS 140-2 Level 1 validated. Cloud EKM keeps key material in an external key manager outside Google, but the question asks for a Google-managed HSM option.

Secret Manager is for storing secrets, not key management with HSM.

727
MCQhard

A financial services firm's board asks the CTO to quantify the business value of the company's three-year cloud transformation program. The CTO presents metrics including: 40% faster product launches, 60% reduction in unplanned downtime, and 25% reduction in infrastructure cost. Which framework best describes what these metrics collectively represent?

A.Return on investment calculated purely from infrastructure cost reduction
B.A balanced view of transformation value spanning speed-to-market, operational resilience, and cost efficiency — collectively representing total business value delivered
C.A technical benchmark comparing on-premises versus cloud infrastructure performance
D.Compliance metrics demonstrating that the transformation met regulatory requirements
AnswerB

This is the correct framing. Digital transformation creates value across multiple dimensions simultaneously. Speed (40% faster launches) creates revenue opportunities; reliability (60% less downtime) protects existing revenue; cost efficiency (25% savings) improves margins. Together they capture the full picture.

Why this answer

Option B is correct because the three metrics collectively provide a balanced view of business value from a cloud transformation: speed-to-market (40% faster product launches), operational resilience (60% reduction in unplanned downtime), and cost efficiency (25% reduction in infrastructure cost). This aligns with the GCDL framework's emphasis on measuring total business value beyond just financial ROI, capturing how cloud enables agility, reliability, and cost optimization simultaneously.

Exam trap

The GCDL exam often tests the misconception that cloud transformation value is purely financial (like ROI from cost savings), when in fact the GCDL framework requires a balanced view including speed, resilience, and cost — candidates who focus only on cost reduction will incorrectly choose Option A.

How to eliminate wrong answers

Option A is wrong because it incorrectly narrows the value to only infrastructure cost reduction, ignoring the significant business impacts of faster product launches and reduced downtime, which are core to cloud transformation benefits. Option C is wrong because these metrics are not technical benchmarks comparing on-premises vs. cloud performance (e.g., latency, throughput, or IOPS); they are business outcome metrics that measure transformation value, not raw infrastructure comparisons. Option D is wrong because none of the metrics address compliance or regulatory requirements (e.g., GDPR, SOC 2, or PCI DSS); they focus on operational and financial outcomes, not adherence to standards.

728
MCQhard

A company runs a multi-tenant SaaS application on Google Cloud where each customer's data must be strictly isolated from other customers'. A security architect is evaluating approaches: (A) logical isolation using application-level tenant IDs in a shared database, (B) IAM-based separation using separate service accounts per tenant, or (C) infrastructure-level isolation with separate Google Cloud projects per tenant. Which approach provides the strongest isolation guarantee?

A.Logical isolation using application-level tenant IDs, because it is the most cost-efficient and sufficient for regulated workloads
B.Separate Google Cloud projects per tenant, which provides the strongest isolation: separate IAM boundaries, separate resource namespaces, separate audit logs, and no shared database instances with other tenants
C.IAM-based separation using separate service accounts per tenant within a shared project, because IAM provides cryptographically enforced access control
D.All three approaches provide equivalent isolation because Google Cloud's hypervisor ensures complete tenant separation at the hardware level
AnswerB

Project-level isolation is the gold standard for multi-tenant isolation. Each project is a completely independent security boundary. Separate IAM means no privilege escalation between tenants. Separate databases mean no shared infrastructure where bugs could leak data. Separate audit logs make compliance reporting per-tenant straightforward.

Why this answer

Option B is correct because separate Google Cloud projects provide the strongest isolation guarantee by creating independent IAM boundaries, resource namespaces, audit logs, and network configurations. This approach ensures that no database instances or other resources are shared between tenants, removing the risk of cross-tenant data leakage through application bugs or misconfigurations. In contrast, logical isolation (A) relies on application-level tenant IDs that can be bypassed by software vulnerabilities, and IAM-based separation (C) still shares the underlying project infrastructure, including the same database and network. In practice, per-tenant projects are grouped under a folder so that organization policies, billing, and VPC Service Controls perimeters can also be applied per tenant.

Exam trap

The GCDL exam often tests the misconception that logical isolation (e.g., tenant IDs) or IAM alone is sufficient for multi-tenant data separation, when in reality only infrastructure-level isolation (separate projects) provides the strongest guarantee against cross-tenant data breaches in a shared cloud environment.

How to eliminate wrong answers

Option A is wrong because logical isolation using application-level tenant IDs in a shared database does not provide strong isolation; it is vulnerable to SQL injection, application bugs, or misconfigured queries that could expose one tenant's data to another, and it is not sufficient for regulated workloads that require strict data separation. Option C is wrong because IAM-based separation using separate service accounts per tenant within a shared project still shares the same resource namespace, database instances, and audit logs, meaning a compromised service account or a misconfigured IAM policy could allow cross-tenant access, and IAM does not enforce data-level isolation. Option D is wrong because Google Cloud's hypervisor ensures VM-level isolation but does not provide tenant separation for shared services like Cloud SQL, Cloud Storage, or application-level data; the hypervisor does not isolate data within a shared database or application layer.

729
MCQhard

An organization is designing a multi-region deployment for disaster recovery. They require that the primary and secondary regions be at least 500 miles apart to comply with regulatory requirements. Which pair of Google Cloud regions would satisfy this requirement?

A.asia-east1 and asia-northeast1
B.europe-west1 and europe-west4
C.us-east1 and us-east4
D.us-west1 and us-central1
AnswerD

The distance between Oregon and Iowa exceeds 500 miles.

Why this answer

us-central1 (Council Bluffs, Iowa) and us-west1 (The Dalles, Oregon) are well over 1,000 miles apart, comfortably meeting the requirement. The other US and European pairs are regional neighbours: us-east1 (South Carolina) and us-east4 (Northern Virginia) are under 500 miles apart, and europe-west1 (Belgium) and europe-west4 (Netherlands) are only a few hundred miles apart. Note that asia-east1 (Taiwan) and asia-northeast1 (Tokyo) are also more than 500 miles apart (roughly 1,300 miles), so option A would satisfy the stated requirement as well; the key treats D as the intended answer.

730
Multi-Selectmedium

A healthcare organization must store patient health records (PHI) in the cloud and comply with HIPAA. They need to ensure data is encrypted at rest by default, maintain access logs, and restrict access to authorized personnel. Which THREE Google Cloud features or services should they use?

Select 3 answers
A.Cloud Audit Logs
B.Identity and Access Management (IAM)
C.VPC Flow Logs
D.Cloud NAT
E.Cloud Key Management Service (Cloud KMS)
AnswersA, B, E

Audit logs track access to resources, required for HIPAA compliance.

Why this answer

HIPAA requires encryption at rest (Google encrypts all data at rest by default; Cloud KMS adds customer-managed encryption keys, CMEK, so the organization controls key rotation and who can use the keys), audit logging (Cloud Audit Logs record who accessed which resource and when), and access control (IAM). Cloud NAT only provides outbound internet access, and VPC Flow Logs capture network-flow metadata, not access records. A Business Associate Agreement with Google is also required before PHI is stored, but that is a contractual step, not a product feature.

731
MCQmedium

A developer deploys a Cloud Function with the command shown. The function needs to process a file upload that typically takes 2 minutes. What is the most likely issue?

A.The memory allocation might be too low if the file is large
B.The runtime python39 is not available
C.The function cannot be triggered by HTTP
D.The timeout is too short for processing a 2-minute upload
AnswerA

256 MB may not be enough for file processing; consider increasing memory.

Why this answer

Option A is correct because the command shown does not specify a memory allocation, so the function gets the default of 256 MB. If the uploaded file is large, loading it into memory exhausts that allocation and the instance is killed, regardless of the timeout setting. Processing an upload usually means holding the file, or a decoded copy of it, in memory, so memory is the binding constraint; streaming the object in fixed-size chunks keeps the working set bounded.

Exam trap

Google Cloud often tests the distinction between explicit and default configurations; the trap here is that candidates see '2-minute upload' and immediately assume timeout is the issue, overlooking that memory is a more subtle and common bottleneck when no memory flag is set.

How to eliminate wrong answers

Option B is wrong because python39 is a valid Cloud Functions runtime. Option C is wrong because Cloud Functions support HTTP triggers, and the command deploys an HTTP-triggered function (the default trigger type). Option D is wrong, according to the key, because the question asks for the most likely issue: the 1st gen default timeout is 60 seconds (configurable up to 540 seconds with the `--timeout` flag; 2nd gen HTTP functions allow up to 60 minutes), so a 2-minute job would also time out, but a timeout produces a clear, explicitly configurable failure, whereas memory exhaustion is the subtler and more common problem. In practice a deployment for this workload should set both `--memory` and `--timeout`.
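As an added illustration of the memory point (example code written for this page, not from the page itself or from any Google library), the following Python compares loading an upload whole against processing it in fixed-size chunks, and adds a deadline check so a long-running job fails in a controlled way before the platform timeout kills the instance. The input is a constructed 1 MiB in-memory object standing in for the uploaded file; the 64 KiB chunk size and the injectable clock are assumptions for the demonstration.

```python
import hashlib
import io
import time

CHUNK_SIZE = 64 * 1024  # assumed: 64 KiB working set, independent of upload size


def process_upload_in_memory(fileobj):
    """Naive approach: read the whole upload, then hash it.

    Peak memory equals the size of the upload (plus any decoded copies),
    which is what exhausts a 256 MB function instance on a large file.
    Returns (sha256_hex, bytes_read, peak_resident_bytes).
    """
    data = fileobj.read()
    return hashlib.sha256(data).hexdigest(), len(data), len(data)


def process_upload_streaming(fileobj, chunk_size=CHUNK_SIZE,
                             deadline_seconds=None, clock=time.monotonic):
    """Bounded-memory approach: hash the upload chunk by chunk.

    Only one chunk is resident at a time, so peak memory is chunk_size
    regardless of how large the upload is. If deadline_seconds is given,
    the loop raises TimeoutError itself instead of running until the
    platform timeout kills the instance mid-way, so the caller can log
    progress or checkpoint. `clock` is injectable for testing.
    Returns (sha256_hex, bytes_read, peak_resident_bytes).
    """
    started = clock()
    digest = hashlib.sha256()
    bytes_read = 0
    peak = 0
    while True:
        if deadline_seconds is not None and clock() - started > deadline_seconds:
            raise TimeoutError(
                f"gave up after {bytes_read} bytes; deadline {deadline_seconds}s")
        chunk = fileobj.read(chunk_size)
        if not chunk:
            break
        digest.update(chunk)
        bytes_read += len(chunk)
        peak = max(peak, len(chunk))
    return digest.hexdigest(), bytes_read, peak


def constructed_upload(size_bytes):
    """Constructed stand-in for the uploaded file: a repeating byte pattern."""
    pattern = bytes(range(256))
    return io.BytesIO((pattern * (size_bytes // len(pattern) + 1))[:size_bytes])


if __name__ == "__main__":
    size = 1024 * 1024  # 1 MiB sample
    whole = process_upload_in_memory(constructed_upload(size))
    streamed = process_upload_streaming(constructed_upload(size))
    assert whole[0] == streamed[0]  # same digest either way
    print(f"in-memory peak: {whole[2]} bytes, streaming peak: {streamed[2]} bytes")
```

Both paths produce the same digest, but the streaming path's peak resident size is the chunk size rather than the object size; on a real function the same pattern applies to reading a Cloud Storage object through its file-like download API instead of `download_as_bytes`.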

732
MCQhard

A multinational corporation must comply with data residency requirements that prohibit storing data outside specific geographic regions. They plan to use BigQuery for analytics. How can Google Cloud help enforce this requirement?

A.Use Cloud Audit Logs to detect and alert on cross-region data storage
B.Use Cloud Data Loss Prevention to redact cross-region data
C.Use VPC Service Controls to block access to BigQuery APIs from other regions
D.Use BigQuery’s location parameter to set dataset location and enforce via Organization Policy
AnswerD

BigQuery datasets are location-scoped, and Organization Policies like gcp.resourceLocations can restrict allowed locations.

Why this answer

Option D is correct because BigQuery datasets are created with a specific location (e.g., `us-central1` or the `EU` multi-region) that cannot be changed afterwards, and the Organization Policy constraint `constraints/gcp.resourceLocations` restricts where location-bound resources, including BigQuery datasets, may be created. By allowing only approved values (for example the `in:eu-locations` value group), administrators prevent any dataset from being created outside those boundaries at the API level. This directly enforces data residency without relying on detection or network blocking mechanisms that do not control storage location.

Exam trap

Google Cloud often tests the misconception that VPC Service Controls can enforce data residency. VPC Service Controls define service perimeters that restrict which identities and networks can call BigQuery and whether data can move in or out of the perimeter; they do not govern the geographic location in which a dataset is stored, so they are the wrong tool for this requirement.

How to eliminate wrong answers

Option A is wrong because Cloud Audit Logs only record actions after they occur; they cannot prevent data from being stored in a prohibited region, only alert on it after the fact, which fails to enforce a proactive residency requirement. Option B is wrong because Cloud Data Loss Prevention (DLP) is designed to inspect and redact sensitive data (e.g., PII) within content, not to control or restrict the geographic location where data is stored. Option C is wrong because VPC Service Controls block API access from specified networks or identities, but they do not restrict the physical location of data storage; a dataset could still be created in a non-compliant region if the API call originates from an allowed network.

733
MCQhard

An enterprise is planning to migrate its on-premises data center to Google Cloud to avoid a hardware refresh cycle. The migration must minimize application changes. Which migration strategy should they prioritize?

A.Re-architecting applications to use microservices
B.Replacing applications with SaaS
C.Lift and shift (rehost)
D.Refactoring to use managed services like Cloud SQL
AnswerC

Moves applications with minimal changes, avoiding hardware refresh.

Why this answer

Lift and shift (rehost) moves applications as-is to cloud VMs, minimizing changes while avoiding hardware refresh costs.

734
MCQeasy

A company classifies its data into four sensitivity levels: Public, Internal, Confidential, and Restricted. Which type of data would typically be classified as 'Restricted' and require the highest level of security controls?

A.Public press releases and marketing materials published on the company website.
B.Customer Social Security Numbers, payment card numbers, and employee health records.
C.Internal meeting notes and project status reports shared among employees.
D.Product roadmap documents shared only with the product team.
AnswerB

SSNs (PII), payment cards (PCI DSS), and health records (HIPAA PHI) are Restricted data — subject to strict regulations, requiring maximum security controls and access restrictions.

Why this answer

Option B is correct because Restricted data, in a typical four-tier classification scheme like the one described, includes personally identifiable information (PII) such as Social Security Numbers, payment card numbers (governed by PCI DSS), and protected health information (PHI, governed by HIPAA). These require the highest security controls, including encryption at rest and in transit, strict IAM policies, and Data Loss Prevention (DLP) API scanning to prevent unauthorized access or leakage.

Exam trap

Google Cloud often tests the distinction between Confidential and Restricted data, where candidates mistakenly assume that any sensitive business document (like a product roadmap) qualifies as Restricted, but Restricted is reserved for data with legal or regulatory compliance requirements (e.g., PII, PHI, PCI).

How to eliminate wrong answers

Option A is wrong because public press releases and marketing materials are classified as Public data, which requires no access controls and is intended for unrestricted distribution. Option C is wrong because internal meeting notes and project status reports are typically classified as Internal data, which may require basic access controls but not the highest security level. Option D is wrong because product roadmap documents shared only with the product team are typically Confidential data, which requires access restrictions but not the stringent controls (e.g., encryption, DLP, audit logging) mandated for Restricted data.

735
MCQeasy

A streaming media company (similar to Netflix or Spotify) uses AI to analyze a user's viewing or listening history and serve personalized content recommendations. Without cloud-scale compute and ML, this personalization would be impossible at scale. What business outcome does this AI-powered personalization primarily drive?

A.Reduced server costs due to more efficient content caching.
B.Increased user engagement and retention through relevant content discovery, driving higher subscription revenue.
C.Elimination of human content curators who previously selected recommendations manually.
D.Reduction in content licensing costs because the AI selects cheaper content to recommend.
AnswerB

Personalization improves content discovery → users find more they like → they consume more and stay longer → lower churn and higher LTV. This is the direct revenue impact of AI-powered recommendation engines.

Why this answer

AI-powered personalization at cloud scale directly increases user engagement by surfacing relevant content, which improves retention and drives subscription revenue. Without cloud-scale compute and ML, the real-time analysis of viewing history and collaborative filtering needed for personalized recommendations would be computationally infeasible for millions of users.

Exam trap

Google Cloud often tests the misconception that AI's primary business value is cost reduction (e.g., cheaper content or fewer employees), when in fact the core driver is revenue growth through improved user engagement and retention.

How to eliminate wrong answers

Option A is wrong because AI personalization does not primarily reduce server costs; in fact, it often increases compute load for inference, and content caching efficiency is a separate infrastructure concern unrelated to recommendation algorithms. Option C is wrong because AI personalization augments, not eliminates, human curators; many platforms still rely on human editorial judgment for quality control and to avoid filter bubbles, and the goal is not cost reduction through job elimination. Option D is wrong because AI personalization aims to recommend content the user will enjoy, not to minimize licensing costs; recommending cheaper content would degrade user experience and engagement, undermining the primary business outcome.

736
MCQmedium

A financial institution is deploying a sensitive workload on Compute Engine and needs to meet PCI DSS compliance. The security team wants to ensure that the virtual machines run on dedicated, single-tenant hardware and that no other customer's VMs share the same host. Which Compute Engine feature should they enable?

A.Confidential VMs
B.Preemptible VMs
C.Sole-tenant nodes
D.Shielded VMs
AnswerC

Sole-tenant nodes guarantee dedicated hardware, meeting PCI DSS requirements for physical separation.

Why this answer

Sole-tenant nodes ensure that only VMs from your project run on the underlying physical server, providing physical isolation for compliance requirements that call for dedicated infrastructure. Confidential VMs encrypt memory while in use and Shielded VMs protect boot integrity (Secure Boot, vTPM, integrity monitoring), but both still run on shared hosts; preemptible VMs are a pricing model, not an isolation feature.

737
MCQeasy

A hospital network wants to improve patient outcomes by sharing medical records across its 12 hospitals so that any physician can access a patient's complete history. Currently, each hospital has its own isolated system. Which cloud characteristic is most relevant to enabling this cross-hospital data sharing?

A.Cloud elasticity, which allows the hospital to scale up server capacity during peak admission periods
B.Cloud's ubiquitous network access, enabling a secure shared data platform accessible to authorized physicians across all 12 hospital locations through standard internet connectivity
C.Cloud's pay-per-use billing model, which reduces the cost of medical record storage
D.Cloud resource pooling, which allows multiple hospitals to share physical compute resources
AnswerB

Broad network access (the NIST term; the option calls it ubiquitous network access) is directly applicable. A shared cloud-hosted medical records platform makes patient data accessible to authorized physicians from any hospital location, which is exactly what the isolated per-hospital systems lack.

Why this answer

Ubiquitous network access is the cloud characteristic that ensures a secure, shared data platform is accessible to authorized physicians across all 12 hospital locations via standard internet connectivity. This enables seamless cross-hospital data sharing without requiring each hospital to maintain its own isolated system, as the cloud provides consistent network-based access to the centralized medical records.

Exam trap

Google Cloud often tests the distinction between 'resource pooling' (multi-tenancy of infrastructure) and 'ubiquitous network access' (broad network reachability), leading candidates to incorrectly choose resource pooling when the question focuses on cross-location data sharing rather than shared hardware.

How to eliminate wrong answers

Option A is wrong because cloud elasticity addresses scaling compute resources during peak demand, not enabling cross-location data sharing. Option C is wrong because pay-per-use billing reduces storage costs but does not provide the network accessibility needed for sharing records across hospitals. Option D is wrong because resource pooling allows multi-tenancy of physical hardware but does not inherently enable secure, authorized access to a shared data platform from multiple locations.

738
MCQeasy

A company's web service has a Service Level Objective (SLO) of 99.9% monthly availability. In a 30-day month, how many minutes of downtime are allowed before the SLO is violated?

A.~4.3 minutes
B.~43.2 minutes
C.~7.2 hours
D.~8.6 hours
AnswerB

99.9% availability = 0.1% downtime. In a 30-day month (43,200 minutes), 0.1% = 43.2 minutes of allowed downtime — the classic 'three nines' error budget.

Why this answer

The SLO of 99.9% monthly availability means the service can be unavailable for 0.1% of the total monthly time. In a 30-day month, total minutes are 30 × 24 × 60 = 43,200 minutes. 0.1% of 43,200 minutes is 43.2 minutes, so option B is correct.

Exam trap

The trap here is that candidates often confuse 99.9% with 99.99% (four nines) and incorrectly calculate ~4.3 minutes, or they compute 0.1% of 30 days in hours (0.72 hours) and then misread it as 7.2 hours.

How to eliminate wrong answers

Option A is wrong because ~4.3 minutes corresponds to 99.99% availability (0.01% of 43,200 minutes), not 99.9%. Option C is wrong because ~7.2 hours (432 minutes) corresponds to 99% availability (1% of 43,200 minutes). Option D is wrong because ~8.6 hours is close to the annual allowance for 99.9% (0.1% of a 365-day year is about 8.76 hours); it is the yearly figure for three nines, not the monthly one.
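The arithmetic above generalises to any target and period. The following Python is an added example (not from the page) that computes the allowed downtime for a given SLO and period and then tracks how much of that error budget a list of incidents has consumed, which is how an SRE team decides whether to freeze risky releases. The incident durations and the 50% freeze threshold are constructed for the demonstration.

```python
MINUTES_PER_DAY = 24 * 60


def allowed_downtime_minutes(slo_percent, period_days):
    """Error budget in minutes: the share of the period the SLO lets you be down."""
    if not 0 < slo_percent < 100:
        raise ValueError("SLO must be strictly between 0 and 100 percent")
    period_minutes = period_days * MINUTES_PER_DAY
    # round away float noise from (100 - 99.9) so 43.2 really is 43.2
    return round(period_minutes * (100 - slo_percent) / 100, 6)


def error_budget_table(period_days, targets=(99.0, 99.9, 99.99, 99.999)):
    """Allowed downtime per target for the period, keyed by SLO percent."""
    return {slo: allowed_downtime_minutes(slo, period_days) for slo in targets}


def budget_status(slo_percent, period_days, incident_minutes, freeze_at=0.5):
    """Compare outages seen so far in the period against the error budget.

    incident_minutes: durations of each outage in the period (constructed input).
    freeze_at: fraction of the budget whose consumption triggers a release freeze
    (an assumed policy threshold, not part of the SLO definition).
    """
    budget = allowed_downtime_minutes(slo_percent, period_days)
    consumed = round(sum(incident_minutes), 6)
    fraction = consumed / budget
    return {
        "budget_minutes": budget,
        "consumed_minutes": consumed,
        "remaining_minutes": round(budget - consumed, 6),
        "fraction_consumed": round(fraction, 4),
        "slo_violated": consumed > budget,
        "release_freeze": fraction >= freeze_at,
    }


if __name__ == "__main__":
    for slo, minutes in error_budget_table(30).items():
        print(f"{slo:>7}% over 30 days -> {minutes} minutes of downtime allowed")
    # Constructed incidents: a 12-minute outage and a 9.5-minute outage this month
    print(budget_status(99.9, 30, [12.0, 9.5]))
```

Running it prints the 30-day table (432, 43.2, 4.32 and 0.432 minutes for two to five nines) and shows that two outages totalling 21.5 minutes leave 21.7 minutes of budget, just under the assumed freeze line.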

739
Multi-Selecthard

A company with a global user base wants to deploy a web application on Google Cloud that is highly available and resilient to zone failures. The application runs on Compute Engine and uses a stateful backend (e.g., a database). Which THREE design elements should they implement?

Select 3 answers
A.Use a managed database service with automatic failover across zones (e.g., Cloud SQL High Availability)
B.Use a single zone to keep data consistent
C.Use a global HTTP(S) load balancer with the backend configured as a regional (multi-zone) instance group
D.Use preemptible VMs to reduce costs
E.Deploy Compute Engine instances across multiple zones within a region
AnswersA, C, E

Managed HA database replicates data synchronously across zones for failover.

Why this answer

To survive a zone failure, spread the Compute Engine instances across multiple zones in a region (a regional managed instance group does this automatically), put a global external HTTP(S) load balancer in front of that regional instance group so traffic is routed only to healthy backends, and use a managed database with high availability such as Cloud SQL HA, which keeps a synchronous standby in a second zone and fails over automatically. A single zone cannot survive the loss of that zone.

Preemptible (Spot) VMs can be reclaimed by Google at any time, so they reduce availability rather than improve it and are unsuitable for the stateful, always-on tier described.

740
Multi-Selecthard

A company is running a production application on Compute Engine and wants to ensure that if a quota for a resource is exceeded, the engineering team is notified immediately. Which THREE steps should they take? (Choose THREE.)

Select 3 answers
A.Request a quota increase before hitting the limit
B.Create a log-based metric for quota usage and alert on it
C.Use the Cloud Monitoring API to create a quota alert policy
D.Set up a budget alert with a threshold of 100%
E.Configure a notification channel (e.g., Email, Pub/Sub) for the alert
AnswersB, C, E

Quota usage is exposed as Cloud Monitoring metrics, and quota-exceeded errors appear in logs, so either a quota metric or a log-based metric can drive an alert.

Why this answer

Quota alerts are created as Cloud Monitoring alerting policies (through the console or the Monitoring API) on quota usage metrics, typically with a threshold such as 80% of the limit so the team hears about it before requests start failing; the policy must be wired to a notification channel to reach anyone. Budget alerts are for spend, not quota. Requesting a quota increase is a proactive capacity step, not the notification the question asks for.

Pub/Sub is one of the supported notification channels (alongside email, SMS, Slack, PagerDuty and webhooks) and is the usual choice when an alert needs to trigger automation.

741
MCQmedium

Refer to the exhibit. A security engineer applies this IAM policy. What is the effect?

A.Access is allowed only from the IP address 203.0.113.1.
B.Access is allowed only to resources tagged with 'production'.
C.Access is allowed only with two-factor authentication.
D.Access is allowed only during business hours.
AnswerA

The condition on the binding restricts access by the caller's source IP address.

Why this answer

The IAM policy in the exhibit attaches a condition to the role binding so that the binding applies only to requests originating from 203.0.113.1 (a documentation address). A condition narrows a binding rather than overriding other bindings: the role is granted when the condition evaluates true and simply not granted by that binding otherwise, so callers from any other address receive no access through it. Note that Google Cloud IAM Conditions do not expose a raw source-IP attribute the way AWS's `aws:SourceIp` does; in Google Cloud, an IP restriction is normally expressed as an Access Context Manager access level that lists the allowed CIDR ranges, and the binding's condition then checks `request.auth.access_levels` for that level.

Exam trap

Google Cloud often tests the distinction between a condition that limits where a request may come from and one that limits which resources (`resource.name`, `resource.type`, or tag attributes) or when (`request.time`) access applies, so candidates must read the attribute the condition actually references rather than guess from the operator.

How to eliminate wrong answers

Option B is wrong because the policy includes no condition on resource attributes (such as `resource.name`, `resource.type`, or resource tags); it only constrains the source address. Option C is wrong because the condition says nothing about multi-factor authentication; MFA enforcement in Google Cloud is a Cloud Identity or Workspace setting (or an access level attribute), not something the exhibit's condition checks. Option D is wrong because the policy has no time-based condition (which would use `request.time`); it does not restrict access to business hours.

742
MCQeasy

Which Google Cloud service provides a unified platform for building, training, and deploying machine learning models at scale?

A.Vertex AI
B.BigQuery ML
C.AutoML
D.Cloud Dataflow
AnswerA

Vertex AI is the correct unified ML platform.

Why this answer

Vertex AI is the unified ML platform covering all stages of ML workflow. AutoML is a component, Dataflow is for data processing, and BigQuery ML runs ML models in SQL.

743
MCQmedium

A company's application experiences traffic spikes every weekday morning when employees log in at 9 AM. The team wants their infrastructure to automatically handle these spikes without manual intervention and without over-provisioning resources all day. Which Google Cloud capability addresses this?

A.Purchase reserved capacity for peak load and configure it to be active only on weekdays.
B.Configure autoscaling on the application's infrastructure to automatically scale up for load and scale down during off-peak hours.
C.Deploy additional VMs manually each weekday morning and terminate them at night.
D.Use Cloud Monitoring to send an email alert when CPU exceeds 80% so the team can manually scale.
AnswerB

Autoscaling monitors metrics (CPU, requests, custom) and automatically adds instances during the morning spike. Scheduled autoscaling can proactively scale before 9 AM. Resources scale down when load decreases.

Why this answer

Option B is correct because Google Cloud's managed instance groups (MIGs) with autoscaling can automatically adjust the number of VM instances based on load metrics (e.g., CPU utilization, requests per second). This handles the 9 AM traffic spike without manual intervention and avoids over-provisioning during off-peak hours by scaling down when demand decreases.

Exam trap

The trap here is that candidates confuse 'reserved capacity' (a billing commitment) with 'autoscaling' (an operational scaling mechanism), or they think manual or alert-based actions satisfy the 'automatic' requirement, but the GCDL exam specifically tests the distinction between automated scaling policies and manual or notification-driven processes.

How to eliminate wrong answers

Option A is wrong because reserved capacity (committed use discounts) is a pricing model for consistent, long-term usage, not a mechanism to dynamically activate resources only on weekdays; it does not automatically handle spikes. Option C is wrong because manually deploying and terminating VMs each weekday contradicts the requirement for 'automatic' handling without manual intervention. Option D is wrong because Cloud Monitoring alerts require human action to scale, which is not automatic and introduces delay, failing the 'without manual intervention' requirement.

744
MCQhard

An organisation must store archival data that is accessed less than once a year. They need the lowest storage cost and can tolerate a retrieval time of several hours. Which Cloud Storage class should they use?

A.Coldline
B.Nearline
C.Standard
D.Archive
AnswerD

Archive is the lowest-cost class, with retrieval times typically measured in hours; it is designed for long-term backup and archival.

Why this answer

Archive storage is the cheapest storage class, designed for data accessed less than once a year with retrieval times in hours.

745
MCQhard

A multinational retail company has an on-premises infrastructure with a mix of Windows and Linux servers. They are planning to migrate their e-commerce platform to Google Cloud to take advantage of scalability and reduce latency. The platform consists of a web frontend (Apache), a backend API (Node.js), and a MySQL database. They want to minimize downtime during the migration. They have a limited budget and need a solution that is cost-effective and quick to implement. The IT team has experience with containers but prefers to avoid managing Kubernetes. Which approach should they take?

A.Use Compute Engine for the web frontend, Cloud Functions for the backend API, and Cloud Spanner for the database.
B.Lift and shift all components to Compute Engine with an autoscaling managed instance group, and migrate the database to Cloud SQL.
C.Containerize all components using GKE, use Cloud SQL for the database, and deploy using a CI/CD pipeline.
D.Migrate the frontend to App Engine Standard, the backend to Cloud Run, and the database to Cloud SQL with read replicas.
AnswerD

App Engine and Cloud Run are serverless, reducing operational overhead. Cloud SQL provides a managed MySQL database with read replicas. This minimizes changes and downtime, fits container experience, and avoids Kubernetes.

Why this answer

Option D is correct because it combines fully managed, serverless services (App Engine Standard for the web frontend and Cloud Run for the backend API) with Cloud SQL for the database, which meets the requirements of minimizing downtime, being cost-effective, and avoiding Kubernetes management. App Engine Standard and Cloud Run automatically scale to zero when not in use, reducing costs, and Cloud SQL with read replicas provides high availability and low-latency reads without complex orchestration. This approach also allows for a gradual migration with minimal disruption, as the existing code can be adapted with minimal changes.

Exam trap

The trap here is that candidates often assume containerization (GKE) is always the best path for modernizing applications, but the question explicitly states the team prefers to avoid managing Kubernetes, making serverless options like App Engine and Cloud Run the correct choice despite their perceived limitations.

How to eliminate wrong answers

Option A is wrong because Cloud Functions is designed for event-driven, short-lived workloads and is not suitable for a persistent backend API that handles synchronous HTTP requests, leading to cold start latency and potential timeouts; Cloud Spanner is a globally distributed, strongly consistent database that is overkill and expensive for a single-region e-commerce platform, especially given the limited budget. Option B is wrong because a lift-and-shift to Compute Engine with managed instance groups does not fully leverage Google Cloud's managed services, resulting in higher operational overhead for patching, scaling, and maintenance, and it does not minimize downtime as effectively as serverless options; it also fails to address the preference to avoid managing Kubernetes. Option C is wrong because GKE requires managing a Kubernetes cluster, which the team explicitly wants to avoid, and while it offers container orchestration, it introduces complexity and cost that are not justified given the limited budget and the simpler serverless alternatives available.

746
Multi-Selectmedium

A company needs to enforce that no project in the organization can create resources outside of the us-central1 region. They also need to allow the Finance team to manage billing for all projects. Which TWO steps should they take?

Select 2 answers
A.Create a separate billing account for each project
B.Use IAM deny policies at the organization node to block resource creation outside us-central1
C.Apply the `gcp.resourceLocations` organization policy constraint at the organization node
D.Create a folder and apply an organization policy constraint to restrict locations at the folder level
E.Grant the Finance team the Billing Account Administrator role on the billing account
AnswersC, E

This constraint restricts which locations can be used for resource creation.

Why this answer

Organization policies can be applied at the organization level to restrict locations. Billing account access is controlled by IAM roles on the billing account, so the Finance team is granted the Billing Account Administrator role on that account.

747
MCQeasy

A company wants to allow its employees to securely access internal applications without a traditional VPN. They want to use Google's zero-trust security model. Which Google Cloud product should they implement?

A.Cloud VPN
B.BeyondCorp Enterprise
C.Identity-Aware Proxy (IAP)
D.Cloud Armor
AnswerB

BeyondCorp Enterprise implements zero-trust access controls.

Why this answer

BeyondCorp Enterprise is Google's zero-trust access solution that grants access based on user identity and context, not network location. Cloud VPN is a traditional VPN; Cloud Armor is a WAF.

Identity-Aware Proxy (IAP) is part of BeyondCorp but the broader product is BeyondCorp Enterprise.

748
MCQmedium

A company runs Compute Engine instances for batch processing that are shut down on weekends. They want to automatically reduce costs without committing to a 1-year or 3-year term. Which discount type applies?

A.Sustained use discount
B.Sole-tenant node discounts
C.Preemptible VM discounts
D.Committed use discount
AnswerA

Automatic discount for instances running more than 25% of the month.

Why this answer

Sustained use discounts automatically apply for instances running more than 25% of a month, with no upfront commitment.

749
Multi-Selecthard

A company wants to minimize its carbon footprint in the cloud. They are evaluating Google Cloud sustainability features. Which THREE practices help reduce environmental impact?

Select 3 answers
A.Use committed use discounts to reserve resources
B.Shift non-urgent compute loads to times when low-carbon energy is available
C.Choose regions with lower carbon intensity
D.Provision VMs with GPUs for general workloads
E.Use the Cloud Carbon Footprint tool to track emissions
AnswersB, C, E

Carbon-intelligent load shifting moves tasks to times with cleaner energy.

Why this answer

Carbon-intelligent load shifting, Cloud Carbon Footprint reporting, and choosing low-carbon regions all align with Google's sustainability goals. VMs with GPUs increase energy use, and committed use discounts encourage resource usage but do not directly reduce carbon.

750
MCQmedium

Refer to the exhibit. What level of access does this IAM policy grant to the members?

A.Permission to create new objects and read existing ones.
B.Full control over objects including create, read, update, and delete.
C.Full control over the bucket including listing and deleting.
D.Read-only access to objects in the bucket.
AnswerD

roles/storage.objectViewer grants read access to objects.

Why this answer

The IAM policy shown grants the `s3:GetObject` action, which provides read-only access to objects in the bucket. It does not include any write or delete permissions, so members can only read existing objects. This matches option D.

Exam trap

Google Cloud often tests the distinction between object-level and bucket-level permissions, tricking candidates into thinking `s3:GetObject` alone allows listing or full control.

How to eliminate wrong answers

Option A is wrong because it includes 'create new objects,' which requires `s3:PutObject` — not present in the policy. Option B is wrong because full control (create, read, update, delete) would require actions like `s3:PutObject`, `s3:DeleteObject`, and `s3:GetObject` — only `s3:GetObject` is granted. Option C is wrong because full bucket control, including listing and deleting, would need `s3:ListBucket` and `s3:DeleteBucket` — neither is in the policy.

Google Cloud Digital Leader GCDL Questions 676–750 | Page 10/14 | Courseiva