Google Cloud Digital Leader (GCDL) — Questions 751-825

991 questions total · 14 pages · All types, answers revealed

Page 11 of 14
751
Multi-Select (hard)

A company wants to implement a hybrid cloud architecture connecting their on-premises data center to Google Cloud. They need high bandwidth (10 Gbps), low latency, and a service-level agreement (SLA). Which TWO services can provide dedicated connectivity? (Choose two.)

Select 2 answers
A. HA VPN
B. Cloud CDN
C. Cloud Interconnect (Partner)
D. Cloud Interconnect (Dedicated)
E. Cloud VPN
Answers: C, D

Partner Interconnect provides dedicated connectivity through a supported partner with SLA.

Why this answer

Cloud Interconnect, in both its Dedicated and Partner forms, provides high-bandwidth, low-latency connectivity to Google's network backed by an SLA. Dedicated Interconnect is a direct physical link; Partner Interconnect delivers the same class of connectivity through a supported service provider. HA VPN and Cloud VPN run over the public internet and offer neither dedicated bandwidth nor a throughput SLA, and Cloud CDN is a content cache rather than a connectivity service. The two correct options are therefore C (Partner Interconnect) and D (Dedicated Interconnect).

752
MCQ (easy)

A startup wants to run a containerized web application on Google Cloud without managing the underlying servers or Kubernetes clusters. They expect traffic to vary significantly, and they want to only pay for the resources consumed during request processing. Which Google Cloud compute option should they choose?

A. Compute Engine
B. Google Kubernetes Engine (GKE)
C. App Engine Standard
D. Cloud Run
Answer: D

Cloud Run is serverless, scales to zero, and charges only for request processing time.

Why this answer

Cloud Run is a fully managed serverless platform that runs containers in response to events or HTTP requests, scales to zero, and charges only for resources used during request processing. It abstracts away all infrastructure management.

753
MCQ (medium)

A development team uses Cloud Build to automatically build, test, and create container images whenever code is pushed to their repository. The resulting Docker images need to be stored securely and made available to their GKE deployment pipelines. Which Google Cloud service stores and manages these container images?

A. Cloud Storage bucket with a `containers/` folder.
B. Artifact Registry
C. Cloud SQL — storing build artifacts in a relational database.
D. Cloud Source Repositories — the code repository stores both source code and container images.
Answer: B

Artifact Registry stores Docker images, Helm charts, and other build artifacts. Cloud Build pushes images here; GKE and Cloud Run pull from here during deployment. It also performs vulnerability scanning.

Why this answer

Artifact Registry is the correct service because it is a fully managed, private container registry designed to store, manage, and secure Docker images and other artifacts. It integrates natively with Cloud Build for pushing images and with GKE for pulling them, supporting vulnerability scanning and IAM-based access control.

Exam trap

The trap here is that candidates confuse Cloud Storage (a generic object store) with a container registry, not realizing that container images require a registry API and metadata management that Artifact Registry provides.

How to eliminate wrong answers

Option A is wrong because Cloud Storage is an object store for arbitrary files, not a container registry; it lacks native Docker Registry API v2 support, image layer deduplication, and vulnerability scanning. Option C is wrong because Cloud SQL is a relational database service for structured data, not designed to store binary container images or serve them via the Docker protocol. Option D is wrong because Cloud Source Repositories is a Git repository hosting service for source code only; it cannot store or serve container images, which require a registry API.

754
MCQ (hard)

A financial services company must comply with regulations requiring data residency within the EU. They want to run workloads on Google Cloud. Which action should they take?

A. Use a multi-region deployment with regions in the US and EU
B. Select a Google Cloud region located in the EU
C. Enable data encryption at rest
D. Use Cloud VPN for connectivity
Answer: B

Choosing an EU region keeps data within the EU.

Why this answer

Selecting a region within the EU ensures data stays within that geographic boundary, meeting data residency requirements.

755
Multi-Select (medium)

A company wants to set up cost controls and analysis. They need to receive notifications when spending exceeds certain thresholds, and also be able to run custom queries on billing data. Which TWO actions should they take? (Choose 2)

Select 2 answers
A. Create a budget and set alert thresholds
B. Set up a Pub/Sub topic for billing alerts
C. Activate the Cost Management dashboard
D. Enable billing export to Cloud Storage
E. Enable billing export to BigQuery
Answers: A, E

Budgets with alerts notify when spending reaches specified percentages.

Why this answer

To receive notifications at thresholds, they need to create a budget and set alerts. To run custom queries, they should enable billing export to BigQuery.

756
MCQ (easy)

A traditional newspaper company is seeing declining print subscriptions and wants to transform its business model. Which cloud capability most directly enables the company to reach new digital audiences and create personalized content experiences at scale?

A. Replacing all physical printing equipment with equivalent virtual machines in the cloud
B. Using cloud analytics and content delivery networks to personalize articles for each reader and distribute content globally in real time
C. Storing archived newspaper editions in cloud object storage to reduce on-premises storage costs
D. Training existing journalists to use cloud-based email and word processing tools
Answer: B

This is true digital transformation — using cloud-native capabilities (big data, CDN, ML-driven personalization) to create entirely new customer experiences and revenue models that weren't possible with physical media.

Why this answer

Option B is correct because cloud analytics and content delivery networks (CDNs) directly enable the newspaper to analyze reader behavior and preferences at scale, then deliver personalized content globally with low latency. This combination allows the company to reach new digital audiences and create tailored experiences that drive engagement and subscription growth, which is the core of transforming a print business to a digital-first model.

Exam trap

Google Cloud often tests the misconception that any cloud migration (like moving storage or VMs) constitutes digital transformation, when in fact the key is using cloud-native services (analytics + CDN) to enable new business capabilities like personalization and global reach.

How to eliminate wrong answers

Option A is wrong because replacing physical printing equipment with virtual machines in the cloud does not address reaching digital audiences or personalizing content; it merely shifts the same print production process to a virtual environment, which is irrelevant to digital transformation. Option C is wrong because storing archived editions in cloud object storage only reduces on-premises storage costs and does not enable real-time content personalization or global distribution to new audiences. Option D is wrong because training journalists to use cloud-based email and word processing tools improves internal productivity but does not provide the analytics or content delivery infrastructure needed to reach new digital audiences or create personalized experiences at scale.

757
MCQ (easy)

An organization wants to ensure its data is encrypted at rest and in transit by default on Google Cloud. Which statement is correct?

A. Customers must use CMEK to encrypt data at rest.
B. Only data in transit is encrypted by default.
C. Encryption is optional and must be enabled by the customer.
D. Data is encrypted at rest and in transit by default.
Answer: D

Google Cloud automatically encrypts data at rest and in transit for most services.

Why this answer

Google Cloud encrypts data at rest and in transit by default for many services, with customer-managed keys optional.

758
MCQ (medium)

A financial services firm must keep sensitive data on-premises due to regulatory requirements but wants to use Google Cloud's AI/ML services for analytics on that data. Which deployment model should they adopt?

A. Private cloud (on-premises only)
B. Multi-cloud (AWS + Azure + Google Cloud)
C. Public cloud (Google Cloud only)
D. Hybrid cloud (on-premises + Google Cloud)
Answer: D

Hybrid cloud keeps sensitive data on-prem while using cloud services via secure interconnect.

Why this answer

Hybrid cloud connects on-premises infrastructure to Google Cloud, allowing the sensitive data to remain on-prem while the company uses cloud AI/ML services over secure connections. Public cloud would move the data off-prem, private cloud is on-prem only, and multi-cloud refers to using several public clouds, none of which satisfies the requirement.

759
MCQ (hard)

A retail company migrated its e-commerce platform to Google Cloud. During a flash sale, the application experiences high latency. The architecture uses managed instance groups with autoscaling based on CPU utilization. The database is Cloud SQL with read replicas. What is the MOST likely cause of the latency?

A. Autoscaling is not triggered because CPU utilization is below threshold
B. Insufficient Cloud SQL storage capacity
C. SSL/TLS encryption is causing overhead
D. Cloud SQL connection limit is reached
Answer: D

Cloud SQL has a maximum number of connections; autoscaling can create many instances that exhaust connections, causing latency.

Why this answer

Each newly autoscaled instance opens its own database connections, and without properly configured connection pooling the Cloud SQL connection limit is exhausted; requests then queue for a connection, which shows up as increased latency.

760
MCQ (easy)

A company wants to reduce its carbon footprint by using cloud infrastructure powered by renewable energy. Which Google Cloud sustainability commitment is most relevant?

A. Net zero emissions by 2025
B. 100% renewable energy match
C. Carbon offset program
D. Carbon-free energy by 2025
Answer: B

Google has matched 100% of its electricity consumption with renewable energy since 2017.

Why this answer

Google Cloud matches 100% of its global electricity consumption with renewable energy purchases.

761
MCQ (easy)

A company needs to send messages between different microservices in a decoupled way. When one service publishes an event, multiple downstream services should receive and process it independently. Which Google Cloud service enables this publish-subscribe messaging pattern?

A. Cloud Tasks
B. Cloud Pub/Sub
C. Cloud Scheduler
D. Eventarc
Answer: B

Pub/Sub supports multiple subscriptions per topic, allowing many services to independently receive every published message. It's the GCP-native pub-sub messaging backbone for event-driven architectures.

Why this answer

Cloud Pub/Sub is the correct choice because it is Google Cloud's fully managed, asynchronous messaging service designed specifically for the publish-subscribe pattern. It allows a publisher service to emit events to a topic, and multiple subscriber services can independently pull or push those messages from that topic, ensuring decoupled and reliable communication.

Exam trap

The trap here is that candidates may confuse Eventarc (which handles event ingestion from Google sources) with Cloud Pub/Sub (the core messaging backbone), or mistakenly think Cloud Tasks or Cloud Scheduler can serve as a general pub/sub system when they are designed for different use cases like task queuing and scheduled jobs.

How to eliminate wrong answers

Option A is wrong because Cloud Tasks is a task queue service for managing the execution of discrete tasks (like HTTP requests) with retry logic, not a pub/sub messaging system for broadcasting events to multiple independent subscribers. Option C is wrong because Cloud Scheduler is a cron job service for scheduling single, recurring tasks or HTTP calls at specified times, not for real-time event-driven messaging between services. Option D is wrong because Eventarc is a service for routing events from Google Cloud sources (e.g., Cloud Storage, BigQuery) to targets via CloudEvents, but it relies on Cloud Pub/Sub as its underlying transport and is not the core pub/sub messaging service itself.

762
MCQ (medium)

A retail company uses Google Cloud to run an online store. They have a security requirement that all API calls to Cloud Storage must come from the company's on-premises network only. Which Google Cloud security feature should they implement?

A. IAM conditions with source IP constraint
B. VPC Service Controls
C. Cloud Armor
D. Identity-Aware Proxy (IAP)
Answer: B

VPC Service Controls create perimeters to limit access to services like Cloud Storage from approved VPCs or IP ranges.

Why this answer

VPC Service Controls allow you to define perimeters that restrict access to Google Cloud services from specified VPC networks or IP ranges. Cloud Armor is for DDoS protection and WAF filtering. IAM conditions provide attribute-based access control within a policy. Identity-Aware Proxy protects web applications, not storage APIs.

763
MCQ (easy)

A company's employees use Google Workspace for email, documents, and collaboration. The IT team wants to require all employees to use a physical security key (like a YubiKey) as their second authentication factor when signing in — eliminating phishing-vulnerable SMS and authenticator app codes. Which Google Workspace security capability supports this requirement?

A. Google Workspace Advanced Protection Program, which enforces hardware security key requirements for high-risk users
B. Google Workspace 2-Step Verification policy configured to require hardware security keys (FIDO2/WebAuthn) for all employees, making it impossible to sign in without a physical key
C. Google Cloud Identity-Aware Proxy, which enforces hardware key authentication for all Google Workspace apps
D. Cloud Armor, which blocks sign-in attempts that don't come from corporate IP addresses, eliminating the need for 2FA
Answer: B

Google Workspace administrators can configure the 2SV enrollment and method requirements in the Admin Console. Setting the policy to require security keys (and disabling other 2SV methods) enforces hardware key use organization-wide. Hardware keys are phishing-resistant because they cryptographically verify the site they're authenticating to.

Why this answer

Option B is correct because Google Workspace's 2-Step Verification policy allows administrators to enforce the use of hardware security keys (FIDO2/WebAuthn) as the sole second factor. This policy can be configured to require a physical security key for all employees, effectively blocking sign-ins that use SMS or authenticator app codes, which are vulnerable to phishing. The policy directly meets the IT team's requirement to eliminate phishing-vulnerable authentication methods.

Exam trap

Google Cloud often tests the distinction between a user-level program (Advanced Protection Program) and an organization-wide policy (2-Step Verification policy), leading candidates to choose Option A because it mentions hardware security keys, but they miss that it is not a blanket enforcement for all employees.

How to eliminate wrong answers

Option A is wrong because the Advanced Protection Program is designed for high-risk users (e.g., executives, IT admins) and enforces hardware security keys, but it is not a policy that can be applied to all employees by default; it requires manual enrollment per user. Option C is wrong because Cloud Identity-Aware Proxy (IAP) controls access to applications based on identity and context, but it does not enforce hardware key authentication for Google Workspace apps themselves; it is used for securing access to custom or cloud-hosted apps behind a load balancer. Option D is wrong because Cloud Armor is a web application firewall and DDoS protection service that filters traffic based on IP addresses or other criteria, but it does not enforce multi-factor authentication or eliminate the need for 2FA; it cannot replace a second authentication factor.

764
MCQ (hard)

A gaming company uses Google Cloud to run a multiplayer game. They use Compute Engine VMs with GPUs for game servers. During peak hours, latency increases. They want to automatically add more game server instances based on the number of concurrent players. Which scaling approach should they use?

A. Use Cloud Load Balancing to distribute traffic and add more VM instances manually.
B. Use Cloud Functions to spin up new game server VMs when player count exceeds a threshold.
C. Pre-provision a fixed number of VMs with GPUs to handle peak load at all times.
D. Create a managed instance group with autoscaling based on a custom metric representing concurrent players.
Answer: D

Autoscaling with a custom metric allows dynamic scaling based on player count.

Why this answer

Utilizing a custom metric (number of concurrent players) with managed instance groups and autoscaling is the best approach. Cloud Load Balancing distributes traffic but does not scale based on custom metrics.

765
MCQ (medium)

A financial services company needs to migrate its on-premises data center to Google Cloud to reduce operational overhead and improve scalability. They have a mix of legacy and modern applications. Which approach should they use to minimize migration risk while accelerating their digital transformation?

A. Rewrite all applications as cloud-native microservices before migration.
B. Use Anthos to manage applications across on-premises and Google Cloud, enabling gradual migration.
C. Migrate everything to Google Kubernetes Engine (GKE) immediately.
D. Lift and shift all applications to Compute Engine as-is.
Answer: B

Anthos provides a consistent hybrid platform, allowing incremental migration and modernization.

Why this answer

Anthos provides a consistent platform to run applications on-premises and in Google Cloud, enabling gradual migration without a rewrite. Rewriting everything first (option A) is too slow for the transformation goals; migrating everything to GKE immediately (option C) increases cost, complexity and risk; lift-and-shift (option D) moves the applications but does not address the legacy issues.

766
MCQ (hard)

A company uses Cloud SQL for MySQL and needs to migrate to a PostgreSQL-compatible database that offers improved performance for AI workloads (e.g., vector embeddings). Which Google Cloud database is MOST suitable?

A. Cloud SQL for PostgreSQL
B. Cloud Spanner
C. AlloyDB
D. Bigtable
Answer: C

AlloyDB is PostgreSQL-compatible and includes AI-optimized features like vector search.

Why this answer

AlloyDB is a PostgreSQL-compatible database that is optimized for high performance and features like vector embeddings for AI, making it ideal for this migration.

767
MCQ (hard)

A large enterprise is migrating its on-premises data center to Google Cloud. They need a dedicated, low-latency, and highly available connection between their on-premises network and their VPC. Which networking service should they use?

A. Cloud CDN
B. Cloud Interconnect
C. Cloud VPN
D. Cloud Load Balancing
Answer: B

Cloud Interconnect provides dedicated, low-latency connections with high-availability SLAs.

Why this answer

Cloud Interconnect provides dedicated, high-bandwidth, low-latency connections with SLAs. Cloud VPN is over the public internet and may not meet strict latency/availability requirements. Load Balancing and CDN are not for connectivity to on-premises.

768
Multi-Select (hard)

A data analyst runs the above query on Google BigQuery. Which TWO statements correctly describe how cloud technology is transforming business in this scenario?

Select 2 answers
A. The results are delivered in real-time as data is ingested
B. The query required dedicated GPU clusters
C. The ability to analyze petabytes of data without provisioning servers
D. The cloud provider automatically encrypts data at rest and in transit
E. The pay-per-query model reduces costs compared to maintaining an on-premises data warehouse
Answers: C, E

BigQuery is a serverless data warehouse, eliminating the need for hardware management.

Why this answer

Option C is correct because Google BigQuery is a serverless data warehouse that automatically scales to handle petabytes of data without requiring users to provision or manage any servers. This eliminates the operational overhead of capacity planning and infrastructure management, directly demonstrating how cloud technology abstracts physical hardware and enables on-demand analytics at massive scale.

Exam trap

Google Cloud often tests the misconception that 'serverless' means 'real-time' or that cloud analytics require specialized hardware like GPUs, when in fact serverless services like BigQuery abstract infrastructure entirely and use distributed CPU-based compute for analytical workloads.

769
MCQ (hard)

A security engineer wants to block malicious traffic patterns at the edge of Google's network before it reaches their application. Which service should they configure?

A. VPC firewall rules
B. Cloud DNS
C. Cloud CDN
D. Cloud Armor
Answer: D

Cloud Armor provides WAF capabilities to block malicious traffic at the edge.

Why this answer

Cloud Armor is a web application firewall (WAF) and DDoS protection service that works with Cloud Load Balancing to filter traffic based on IP addresses, geo-location, and Layer 7 attributes. Cloud CDN caches content, Cloud DNS resolves domain names, and VPC firewall rules protect at the instance level, not at the edge.

770
Multi-Select (easy)

A company stores sensitive customer data in Cloud Storage buckets. The security team wants to ensure that only authorized users can access the data, and access is logged for audit. Which two practices should they implement? (Choose two.)

Select 2 answers
A. Use Storage Transfer Service to replicate data to a secured bucket.
B. Apply IAM conditions to restrict access based on user attributes like IP address or time of day.
C. Use Cloud Audit Logs to record all access attempts.
D. Set up Private Google Access to restrict access to the bucket.
E. Enable default encryption on all buckets using CMEK.
Answers: B, C

IAM conditions allow fine-grained access control based on attributes, enhancing security.

Why this answer

Option B is correct because IAM conditions allow fine-grained, attribute-based access control, such as restricting access to Cloud Storage buckets based on the requester's IP address or time of day, ensuring only authorized users can access the data under specific contexts. Option C is correct because Cloud Audit Logs record all access attempts (including successful and denied requests) to the bucket, providing the necessary audit trail for security and compliance.

Exam trap

Google Cloud often tests the distinction between data protection (encryption) and access control (IAM), leading candidates to mistakenly choose encryption options like CMEK when the question asks about restricting access and logging.

771
MCQ (hard)

Refer to the exhibit. A DevOps engineer notices that the alert fires even when there is only a single 5-second spike of errors that lasts for one minute. What is the most likely cause?

A. The trigger count is set to 1, so a single minute of high rate fires the alert
B. The alignment period is too short (60s)
C. The threshold value (5) is too low
D. The trigger count is set to 2, so two consecutive periods are needed
Answer: A

With trigger count 1, any single period above threshold triggers the alert.

Why this answer

Option A is correct because the trigger count is 1, meaning the alert fires after just one alignment period (1 minute) with a rate above the threshold. A single 5-second spike can push the rate for that minute above the threshold, triggering the alert. Option B is incorrect because a 60s alignment period is appropriate for this kind of alert. Option C is incorrect because the threshold value is not what the question is about; the issue is that the alert fires on a single spike. Option D is incorrect because the trigger count is 1, not 2.

772
MCQ (medium)

A DevOps team wants to adopt GitOps practices for managing their Google Cloud infrastructure. Which combination of tools and practices defines a GitOps approach to cloud infrastructure management?

A. Manually applying Terraform changes from engineers' local machines and documenting changes in a shared wiki
B. Storing all infrastructure as code (Terraform or Config Connector) in a Git repository, using pull requests for all changes, and automated CI/CD pipelines that apply changes and detect drift from the declared state
C. Using the Google Cloud Console to make infrastructure changes and exporting the configuration to Git after each change
D. GitOps only applies to application code deployment, not to cloud infrastructure management
Answer: B

This is GitOps. Git repo as truth: ✓. Pull request process for changes: ✓ (provides review, approval, audit trail). Automated reconciliation: ✓ (CI/CD applies changes and detects drift). This pattern makes infrastructure management reproducible, auditable, and collaborative.

Why this answer

Option B is correct because GitOps is defined by using a Git repository as the single source of truth for declarative infrastructure, with pull requests driving changes and automated CI/CD pipelines reconciling the actual state with the declared state. This approach enforces version control, auditability, and drift detection, which are core to managing Google Cloud infrastructure at scale with tools like Terraform or Config Connector.

Exam trap

The trap here is that candidates may confuse GitOps with simply storing code in Git (Option A) or think it only applies to applications (Option D), when in fact GitOps requires automated reconciliation and pull-request-driven workflows for infrastructure as code.

How to eliminate wrong answers

Option A is wrong because manually applying Terraform changes from local machines bypasses version control and automation, violating the GitOps principle of using Git as the single source of truth and eliminating audit trails and drift detection. Option C is wrong because making changes via the Google Cloud Console and exporting to Git afterward is a reactive, post-hoc approach that does not enforce declarative state management or prevent configuration drift, and it lacks the pull-request-based change workflow central to GitOps. Option D is wrong because GitOps is explicitly applicable to cloud infrastructure management, not just application code deployment; tools like Terraform and Config Connector are designed to manage infrastructure declaratively via Git-driven workflows.

773
MCQ (hard)

A multinational corporation uses Cloud Identity-Aware Proxy (IAP) to secure access to applications. They notice that some users outside the corporate network can still reach the applications. What is the most likely misconfiguration?

A. IAP is set to 'allUsers' instead of 'allAuthenticatedUsers'.
B. The firewall rules allow ingress from 0.0.0.0/0.
C. IAP is not enabled on the backend service.
D. The OAuth 2.0 client ID is misconfigured.
Answer: A

allUsers includes unauthenticated users, allowing anyone to access the application.

Why this answer

Option A is correct because setting IAP to 'allUsers' allows unauthenticated access from any user on the internet, bypassing IAP's authentication and authorization checks. IAP should be configured with 'allAuthenticatedUsers' or a more specific set of principals to enforce identity verification before granting access to the application.

Exam trap

Google Cloud often tests the distinction between 'allUsers' (anyone, including unauthenticated users) and 'allAuthenticatedUsers' (any authenticated Google identity), which is a common source of confusion for candidates who assume IAP always requires authentication regardless of the IAM setting.

How to eliminate wrong answers

Option B is wrong because firewall rules allowing ingress from 0.0.0.0/0 are not the root cause; IAP works by intercepting requests at the Google Cloud load balancer level, and firewall rules do not affect IAP's authentication enforcement. Option C is wrong because if IAP were not enabled on the backend service, no IAP authentication would occur at all, but the question states that some users can still reach the applications, implying IAP is partially working. Option D is wrong because a misconfigured OAuth 2.0 client ID would cause authentication failures for all users, not allow some external users to bypass IAP.

774
Multi-Select (medium)

A company is designing a disaster recovery (DR) strategy. Their primary site is in the us-central1 region. They need to minimize data loss (low RPO) and restore quickly (low RTO) for a critical database. Which TWO approaches should they consider?

Select 2 answers
A. Use multi-homing to route traffic to multiple regions
B. Take periodic snapshots and restore in another region
C. Use active-active setup across two regions with synchronous replication
D. Set up a warm standby replica in a secondary region
E. Configure a global load balancer with failover
Answers: C, D

Synchronous replication provides low RPO, and active-active allows failover with minimal downtime.

Why this answer

An active-active setup with synchronous replication (option C) keeps both regions holding the same committed data, so a failover involves minimal data loss and downtime. A warm standby replica in another region (option D) also provides low RPO and low RTO because the database is continuously replicated and can be promoted quickly. Periodic snapshots have a higher RPO (data lost between snapshots) and a higher RTO (time to restore). Multi-homing and a global load balancer with failover route traffic but do not by themselves protect the database.

775
MCQ (medium)

A company is migrating its on-premises workloads to Google Cloud and wants to understand the total cost of ownership (TCO) savings. Which costs are typically LOWER in the cloud compared to on-premises?

A. Compute instance costs
B. Hardware purchase and data centre costs
C. Software licensing fees
D. Network egress charges
Answer: B

Cloud eliminates upfront hardware purchases and reduces data centre operational costs.

Why this answer

Cloud eliminates hardware purchase costs (CAPEX) and reduces data centre costs (power, cooling, maintenance). Compute costs may be similar or higher depending on usage, but overall TCO is often lower due to elimination of overhead. Software licensing depends on the agreement.

776
MCQ (medium)

A developer needs to run a small piece of Python code that processes a message from Pub/Sub and stores the result in Firestore. The code runs infrequently (a few hundred times per day) and takes less than a second to execute. Which compute service is most cost-effective and simple to manage?

A. Cloud Functions
B. Cloud Run
C. Compute Engine with preemptible VM
D. App Engine Standard Environment
Answer: A

Cloud Functions is serverless, event-driven, and charges per invocation. It is perfect for short, infrequent tasks triggered by Pub/Sub.

Why this answer

Cloud Functions is serverless and event-driven, ideal for infrequent short-lived tasks triggered by Pub/Sub. It scales to zero and charges only per invocation. App Engine and Cloud Run require a container or runtime, and Compute Engine requires a running VM.

777
MCQ (hard)

An organization's digital transformation initiative is failing to deliver expected outcomes despite significant cloud technology investment. A review reveals that business units operate in silos, processes remain unchanged, and employees resist new ways of working. Which factor is most likely the root cause of the failure?

A. The organization chose the wrong cloud provider for its technical workloads
B. The cloud services selected are not technically advanced enough to deliver transformation outcomes
C. Insufficient change management, cultural resistance, and siloed operations are preventing the organization from realizing technology benefits
D. The organization is spending too much on cloud services, leaving insufficient budget for transformation
Answer: C

This is the root cause. Digital transformation requires aligning people, processes, and technology. When the human and organizational dimensions are neglected, even the best technology investments fail to produce outcomes. Change management and breaking down silos are prerequisites for transformation success.

Why this answer

Option C is correct because the failure stems from organizational and cultural factors—siloed operations, unchanged processes, and employee resistance—which are classic symptoms of inadequate change management. Cloud technology alone cannot drive transformation; it must be paired with process reengineering and cultural adoption. The GCDL framework emphasizes that digital transformation is as much about people and processes as it is about technology.

Exam trap

Google Cloud often tests the misconception that technology selection or budget is the primary driver of transformation success, when in reality, organizational change management and cultural alignment are the critical enablers.

How to eliminate wrong answers

Option A is wrong because choosing a different cloud provider would not address the root cause of siloed operations, unchanged processes, or cultural resistance; the technical workloads are not the issue here. Option B is wrong because the problem is not the technical sophistication of the cloud services; even the most advanced managed services cannot overcome organizational inertia or a lack of process change. Option D is wrong because budget allocation is not the root cause; the organization has already invested significantly in cloud technology, and the failure lies in how it is adopted and integrated, not in the amount spent.

778
MCQmedium

A manufacturing company wants to improve product quality by analyzing sensor data from 10,000 factory machines in real-time to detect defects before they occur. Previously, this was impossible due to the massive compute requirements. Which cloud capability makes this feasible?

A.Cloud storage allowing all sensor data to be stored cheaply.
B.On-demand access to massive compute resources and AI/ML services for real-time data processing.
C.Cloud-based email and collaboration tools for factory staff.
D.Migration of the company's ERP system to the cloud.
AnswerB

Cloud's elastic compute and managed ML services allow the company to process 10,000 machines' sensor streams simultaneously using resources that would be unaffordable to own, enabling real-time predictive quality control.

Why this answer

Option B is correct because the core challenge is the massive compute requirement for real-time analysis of 10,000 machines' sensor data. Google Cloud offers on-demand elastic compute (e.g., autoscaled managed instance groups, GKE, or Dataflow for streaming pipelines) and managed AI/ML services (e.g., Vertex AI) that scale horizontally to process streaming data in near real time, enabling defect prediction that was infeasible with fixed-capacity on-premises infrastructure.

Exam trap

The GCDL exam often tests the misconception that 'storage solves everything' or that generic cloud services (like email or ERP migration) are sufficient, when the specific bottleneck is compute and AI processing power for real-time analytics.

How to eliminate wrong answers

Option A is wrong because while Cloud Storage provides cheap, scalable storage for sensor data, it does not address the compute-intensive requirement for real-time processing and defect detection; storing data alone cannot analyze it. Option C is wrong because cloud-based email and collaboration tools (e.g., Google Workspace) are productivity applications unrelated to high-throughput sensor data processing or machine learning inference. Option D is wrong because migrating an ERP system to the cloud (e.g., SAP on Google Cloud) improves business process management and data centralization but does not provide the specialized compute and AI/ML services needed for real-time sensor analytics.

779
MCQmedium

A company needs to store petabytes of time-series IoT sensor data and query it with single-digit millisecond latency at millions of reads per second. The data has a simple key-value structure with timestamps. Which Google Cloud database is MOST appropriate?

A.BigQuery
B.Cloud Spanner
C.Cloud Bigtable
D.Firestore
AnswerC

Bigtable is the correct choice: wide-column NoSQL, designed for time-series and IoT workloads, single-digit ms latency, and scales to millions of QPS with additional nodes.

Why this answer

Cloud Bigtable is designed for exactly this use case: petabyte-scale, low-latency (single-digit ms), high-throughput NoSQL storage for time-series, IoT and financial data, scaling horizontally by adding nodes. BigQuery is optimised for analytical scans (seconds-to-minutes latency, not per-key reads). Cloud Spanner is a relational, strongly consistent database; it scales, but its per-operation cost and schema overhead are unnecessary for a simple key-value time series. Firestore is a document database for hierarchical application data, not for millions of reads per second of sensor points.

780
MCQmedium

A retailer experiences traffic spikes during holiday sales. They want to ensure their website can handle the load without performance degradation. Which cloud characteristic is most relevant?

A.Reliability
B.Security
C.Cost optimisation
D.Scalability
AnswerD

Scalability enables handling increased traffic by adding resources.

Why this answer

Scalability (specifically vertical and horizontal scaling) allows the system to handle increased load by adding resources.

781
MCQmedium

An organization wants to enforce that all Compute Engine VMs in a project are created with a specific set of tags (e.g., 'env=prod') and with a specific service account. Which Google Cloud policy tool should they use?

A.Organization policies (constraints)
B.Cloud Audit Logs
C.Cloud Asset Inventory
D.Cloud IAM conditions
AnswerA

Organization policies let you constrain how resources are created. Note that the question mixes two concepts: network tags and labels are attached to VMs, whereas organization policy tags are attached to projects and folders. A custom organization policy constraint on the Compute Engine instance resource can require a given label and a specific service account at creation time.

Why this answer

Organization policy constraints are evaluated when a resource is created or updated and reject non-compliant requests, unlike Cloud Audit Logs and Cloud Asset Inventory, which only record and report what already exists. A custom constraint can, for example, reject any VM whose labels lack the required key or whose service account is not the approved one. IAM conditions decide who may call an API, not what the created resource must look like.

782
Multi-Selecthard

An organization needs to ensure that data stored in Cloud Storage is encrypted at rest using keys that are rotated every 30 days. They also need to audit who accesses the keys and when. Which THREE services should they use? (Choose 3)

Select 3 answers
A.Cloud HSM
B.Cloud Audit Logs
C.Secret Manager
D.Cloud Storage
E.Cloud KMS
AnswersB, D, E

Cloud KMS holds the key and can rotate it automatically on a 30-day schedule; Cloud Audit Logs record who used the key and when; Cloud Storage is the store whose objects are encrypted with that key.

Why this answer

Cloud KMS manages key rotation: set a rotation period of 30 days on the key and KMS creates a new primary version on schedule. Cloud Audit Logs record key use; Admin Activity logs (key creation, rotation, IAM changes) are always on, but Data Access logs for Cloud KMS must be enabled explicitly to see individual encrypt and decrypt calls. Cloud Storage is the CMEK-enabled data store.

Two caveats a practitioner should know: rotation only changes the version used for new writes, so existing objects stay encrypted under older key versions until they are rewritten; and Cloud HSM is a protection level for a Cloud KMS key (hardware-backed, FIPS 140-2 Level 3), not a separate requirement for this scenario.

783
MCQmedium

A company uses Google Cloud and has a compliance requirement to store certain data only within the European Union and ensure it cannot be accessed from outside the EU, even by Google operations personnel. Which Google Cloud offering specifically addresses this level of data sovereignty?

A.Selecting EU regions for all resources in the Cloud Console.
B.Sovereign Controls offerings (e.g., T-Systems Sovereign Cloud) or Assured Workloads with data residency and personnel access controls.
C.VPC Service Controls — they prevent data from leaving the VPC boundary.
D.Cloud Armor — it blocks requests originating from outside the EU.
AnswerB

Sovereign Controls provide the strictest sovereignty: EU-only data residency enforced contractually, local support operations model restricting Google personnel access, and audit controls — meeting the highest regulatory standards.

Why this answer

Option B is correct because Sovereign Controls offerings (such as T-Systems Sovereign Cloud) and Assured Workloads with data residency and personnel access controls are specifically designed to meet strict data sovereignty requirements. These solutions ensure that data remains within the EU and that Google operations personnel cannot access it, addressing both geographic storage and access restrictions mandated by compliance frameworks like GDPR.

Exam trap

The trap here is that candidates often confuse geographic storage (selecting EU regions) with full data sovereignty, failing to realize that personnel access controls are required to prevent internal Google staff from accessing data from outside the EU.

How to eliminate wrong answers

Option A is wrong because simply selecting EU regions for resources ensures data is stored in the EU, but it does not prevent Google operations personnel from accessing the data from outside the EU, as Google retains administrative access. Option C is wrong because VPC Service Controls restrict data exfiltration by creating security perimeters around VPC resources, but they do not enforce geographic data residency or block access by Google personnel; they focus on preventing unauthorized data movement within Google Cloud. Option D is wrong because Cloud Armor is a web application firewall that filters incoming traffic based on IP addresses or geographic regions, but it does not control data storage location or restrict access by internal Google operations staff; it only blocks external requests at the network edge.

784
MCQmedium

A CISO asks why Google Cloud's security model is described as a 'defense-in-depth' approach. Which explanation best describes this concept in the context of Google Cloud's infrastructure security?

A.Defense in depth means that Google uses a single, very strong encryption algorithm to protect all customer data
B.Defense in depth means security is implemented as multiple independent layers — physical security, hardware attestation, network encryption, hypervisor isolation, and application-level IAM — so that bypassing any single layer does not compromise the entire system
C.Defense in depth means Google deploys security controls only at the network perimeter, creating a strong outer boundary
D.Defense in depth means customers are responsible for all security layers, with Google providing only the physical infrastructure
AnswerB

This correctly describes defense in depth. Google's infrastructure security has independent layers: secure physical facilities, Titan security chips for hardware attestation, hypervisor isolation between tenants, encrypted network traffic, and IAM at the application layer. An attacker must bypass all relevant layers simultaneously — dramatically harder than defeating a single control.

Why this answer

Option B is correct because Google Cloud's defense-in-depth model implements security at multiple independent layers: physical security (access-controlled data centres), hardware attestation (Titan chips verifying boot integrity), authentication and encryption of network traffic (ALTS, Google's mutual authentication and encryption for service-to-service RPCs, alongside TLS at the edge), hypervisor isolation (a KVM-based hypervisor, with gVisor sandboxing for products such as GKE Sandbox and Cloud Run), and application-level IAM (Cloud IAM policies). This layered approach ensures that if an attacker bypasses one layer, the others remain intact, which is the core principle of defense in depth.

Exam trap

The trap here is that candidates often confuse defense in depth with a single strong control (like encryption) or a perimeter-only approach, failing to recognize that Google Cloud's model requires multiple independent layers that each provide a distinct security function.

How to eliminate wrong answers

Option A is wrong because defense in depth is not about a single encryption algorithm; it relies on multiple overlapping controls, not a single strong mechanism. Option C is wrong because defense in depth extends beyond the network perimeter to include internal controls like hypervisor isolation and IAM, not just a strong outer boundary. Option D is wrong because Google Cloud's shared responsibility model means Google secures the infrastructure (physical, hardware, network, hypervisor), while customers secure their data and access; defense in depth applies to Google's layers, not solely customer responsibility.

785
Multi-Selecthard

A company runs a microservices application on Google Kubernetes Engine (GKE) and wants to reduce costs by using preemptible nodes for stateless workloads. However, they need to ensure that critical stateful workloads are not disrupted. Which two actions should they take?

Select 2 answers
A.Taint the regular node pool and use tolerations for stateful pods
B.Use a single node pool with a mix of regular and preemptible VMs
C.Set pod priority class to 'high' for stateful workloads
D.Create a separate node pool for preemptible VMs and use tolerations for stateless pods
E.Use node affinity rules to schedule stateful pods on regular nodes
AnswersA, D

Tainting the preemptible pool keeps stateful pods off it, because pods without a matching toleration cannot be scheduled there; tainting the regular pool keeps stateless pods from consuming the capacity the stateful pods need.

Why this answer

GKE node pools are the unit of isolation. Create a separate node pool of preemptible VMs (D) carrying the taint cloud.google.com/gke-preemptible=true:NoSchedule (current GKE versions add it automatically; set it explicitly at pool creation to be safe), so only stateless pods with a matching toleration can land there and stateful pods never do. Taint the regular pool as well (A) and give the stateful pods the toleration, so stateless pods cannot crowd it out. Note that a toleration only permits scheduling onto tainted nodes; it does not force a pod there. To pin a workload to a pool, add a nodeSelector or node affinity (E), and use priority classes (C) to decide which pods are evicted first under pressure; both complement the taints rather than replace them. A single mixed pool (B) is not possible: a GKE node pool is either preemptible or not.
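To see what each action contributes, here is an added example, not GKE code or anything from the original page, that re-implements the Kubernetes NoSchedule taint/toleration matching rule in Python and asks where constructed pods may land. The taint key cloud.google.com/gke-preemptible is the one GKE uses for preemptible nodes; the workload=stateful taint on the regular pool and the pod names are assumptions made for this illustration.

```python
"""Where may a pod schedule, given node taints and pod tolerations?

Added example, not GKE's scheduler: it re-implements the Kubernetes
NoSchedule taint/toleration matching rule on constructed nodes and pods
to show what each of the two recommended actions contributes. The taint
key cloud.google.com/gke-preemptible is the one GKE applies to
preemptible nodes; the 'workload=stateful' taint on the regular pool is
an assumed name chosen for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Taint:
    key: str
    value: str
    effect: str = "NoSchedule"


@dataclass(frozen=True)
class Toleration:
    key: str = ""            # empty key with operator Exists tolerates every taint
    operator: str = "Equal"  # "Equal" or "Exists"
    value: str = ""
    effect: str = ""         # empty effect matches every effect


def tolerates(tol: Toleration, taint: Taint) -> bool:
    """Kubernetes matching rule for one toleration against one taint."""
    if tol.effect and tol.effect != taint.effect:
        return False
    if tol.operator == "Exists":
        return tol.key == "" or tol.key == taint.key
    return tol.key == taint.key and tol.value == taint.value


def schedulable(pod_tolerations: list, node_taints: list) -> bool:
    """A pod fits a node only if every NoSchedule taint on it is tolerated."""
    return all(
        any(tolerates(t, taint) for t in pod_tolerations)
        for taint in node_taints
        if taint.effect == "NoSchedule"
    )


def placement(pods: dict, nodes: dict) -> dict:
    """Map each pod name to the sorted list of node pools it may land on."""
    return {
        pod: sorted(pool for pool, taints in nodes.items()
                    if schedulable(tols, taints))
        for pod, tols in pods.items()
    }


PREEMPTIBLE = Taint("cloud.google.com/gke-preemptible", "true")
REGULAR_RESERVED = Taint("workload", "stateful")   # assumed taint on the regular pool

if __name__ == "__main__":
    # Constructed cluster: both pools tainted (actions A and D applied).
    nodes = {"regular-pool": [REGULAR_RESERVED], "preemptible-pool": [PREEMPTIBLE]}
    pods = {
        "postgres-0": [Toleration("workload", "Equal", "stateful", "NoSchedule")],
        "web-frontend": [Toleration("cloud.google.com/gke-preemptible", "Equal", "true", "NoSchedule")],
        "untagged-job": [],
    }
    for pod, pools in placement(pods, nodes).items():
        print(f"{pod:14s} -> {pools or ['unschedulable']}")
```

Running it shows the stateful pod confined to the regular pool, the stateless pod confined to the preemptible pool, and a pod with no tolerations unschedulable anywhere. Dropping the regular-pool taint (action D alone) lets the stateless pod land on either pool, which is the capacity contention that action A prevents.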

786
Multi-Selecthard

A company wants to comply with GDPR and needs to ensure that personal data stored in Cloud Storage is encrypted at rest using customer-managed keys (CMEK). They also want to control access at the bucket level using IAM conditions. Which THREE steps should they take? (Choose 3)

Select 3 answers
A.Create a key ring and encryption key in Cloud KMS
B.Create the bucket with the default encryption type set to 'Customer-managed key' and specify the key
C.Use gsutil iam to set bucket-level IAM conditions
D.Enable Data Loss Prevention (DLP) API
E.Grant the Cloud Storage service account the Cloud KMS CryptoKey Encrypter/Decrypter role
AnswersA, B, E

CMEK requires a customer-managed key in Cloud KMS.

Why this answer

Using CMEK on a bucket requires three things: a key ring and key in Cloud KMS in a location compatible with the bucket (A), the bucket configured to use that key as its default encryption key (B), and the project's Cloud Storage service agent granted roles/cloudkms.cryptoKeyEncrypterDecrypter on the key (E); without that grant every write fails. The Cloud Console grants the role automatically when you pick the key, but the gcloud and API paths do not. Bucket-level IAM conditions (C) are a separate step that requires uniform bucket-level access on the bucket, and the DLP API (D) inspects data for sensitive content rather than encrypting it.

787
MCQmedium

An organization uses Google Cloud Identity and Access Management (IAM). A new employee is a data engineer who needs to read BigQuery datasets and run queries but should NOT be able to create new datasets, delete tables, or modify IAM policies. Which IAM role should be assigned?

A.`roles/bigquery.admin`
B.`roles/bigquery.dataViewer` (with `roles/bigquery.jobUser` if needed to run queries)
C.`roles/viewer` (project-level Viewer)
D.`roles/bigquery.dataEditor`
AnswerB

dataViewer grants read-only access to datasets. jobUser allows creating and running query jobs. Together they provide read + query capability without write, delete, or admin access.

Why this answer

Option B is correct because the `roles/bigquery.dataViewer` role grants read access to BigQuery datasets and their contents, while `roles/bigquery.jobUser` allows the user to run query jobs. Together, they satisfy the requirement to read datasets and run queries without permitting dataset creation, table deletion, or IAM policy modification.

Exam trap

The trap here is that candidates often assume the project-level `roles/viewer` (Option C) is sufficient for running queries, but it lacks the `bigquery.jobs.create` permission, causing query execution to fail even though the user can see the data.

How to eliminate wrong answers

Option A is wrong because `roles/bigquery.admin` grants full administrative control over BigQuery resources, including creating and deleting datasets, tables, and modifying IAM policies, which exceeds the required permissions. Option C is wrong because the project-level `roles/viewer` role provides read-only access to all resources in the project, but it does not include the `bigquery.jobs.create` permission needed to run queries, so the user would be unable to execute query jobs. Option D is wrong because `roles/bigquery.dataEditor` allows editing existing datasets and tables (e.g., inserting, updating, deleting data), but it does not include the `bigquery.jobs.create` permission for running queries, and it still permits modifications that the user should not be allowed to perform.

788
Multi-Selectmedium

A company wants to ensure data encryption at rest using customer-managed keys for Cloud SQL and Cloud Storage. Which TWO actions must they take? (Choose 2)

Select 2 answers
A.Create a key ring and cryptographic key in Cloud KMS
B.Grant the Cloud KMS CryptoKey Encrypter/Decrypter role to the service accounts
C.Enable CMEK in the project settings
D.Configure Cloud SQL and Cloud Storage to use the CMEK key
E.Upload a custom key to Cloud HSM
AnswersA, D

Keys must be created in Cloud KMS before use.

Why this answer

Create a key ring and key in Cloud KMS (A), then configure each service to use that key (D): the default encryption key on the Cloud Storage bucket, and the customer-managed key setting when creating the Cloud SQL instance (the key is fixed at instance creation time). In practice the services' service agents must also hold roles/cloudkms.cryptoKeyEncrypterDecrypter on the key (B), as question 786 lists; the Console grants it automatically for Cloud Storage, which is why it is treated here as a consequence rather than a separate action. There is no project-wide 'enable CMEK' switch (C), and importing a key into Cloud HSM (E) is optional.

789
MCQmedium

An SRE team has a monthly error budget of 43 minutes (99.9% SLO). In the first week of the month, a deployment causes a 50-minute outage. What should the SRE team do for the remainder of the month, and why?

A.Immediately deploy a hotfix to restore features that were rolled back during the outage.
B.Freeze feature deployments for the rest of the month, focus on reliability improvements, and investigate the deployment process that caused the outage.
C.Negotiate with stakeholders to increase the SLO to 99.5% to get more error budget.
D.Continue deploying features normally — the outage was a one-time event and won't happen again.
AnswerB

Budget exhausted = feature freeze. SRE teams use budget exhaustion as a signal to pause new features and focus on root cause analysis and reliability improvements before resuming velocity.

Why this answer

The team has consumed more than the month's entire error budget (50 minutes used against 43.2 allowed for a 30-day window), so the 99.9% SLO for this month is already missed. The error-budget policy response is to stop spending: freeze feature deployments, fix the root cause of the bad deployment, and invest the remaining weeks in reliability work (canary releases, rollback automation, better pre-deployment checks). This is a core SRE practice: when the budget is exhausted the team shifts from feature velocity to stability until the next window.

Exam trap

The exam tests whether candidates treat the SLO as a knob to turn after a breach. Option C calls 99.5% an 'increase', but 99.5% is a looser target than 99.9% (roughly 216 minutes of monthly budget instead of 43). Relaxing the SLO would erase the breach on paper without changing what users experienced; SLOs are set from user expectations, not revised retroactively to fit an incident.

How to eliminate wrong answers

Option A is wrong because deploying a hotfix to restore rolled-back features adds change risk while the budget is already negative, risking further downtime. Option C is wrong because changing the target after the fact defeats the purpose of an SLO: 99.5% would roughly quintuple the budget to about 216 minutes and make the outage 'fit', but the users who saw 50 minutes of downtime were promised a 99.9% service. Option D is wrong because continuing normal deployments ignores that the budget is exhausted; treating a 50-minute outage as a one-off discards the signal the budget exists to provide.
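The budget arithmetic behind this question, as an added Python example (not from the original page): it computes the budget for an SLO over a 30-day window, what the outage leaves of it, and whether the assumed error-budget policy (freeze releases once the budget is negative) applies. It also shows that 99.5% is a looser target with a larger budget than 99.9%.

```python
"""Error-budget arithmetic for an availability SLO.

Added example, not from the original page: it computes the monthly budget
for a given SLO, what an outage leaves of it, and whether the team's
error-budget policy (assumed here: freeze feature releases once the
budget is negative) applies. Moving from 99.9% to 99.5% loosens the
target and enlarges the budget, the opposite of 'tightening' it.
"""
from dataclasses import dataclass

MINUTES_PER_DAY = 24 * 60


def error_budget_minutes(slo_percent: float, window_days: int = 30) -> float:
    """Total allowed downtime in the window: (1 - SLO) * window length."""
    if not 0 < slo_percent < 100:
        raise ValueError("SLO must be a percentage strictly between 0 and 100")
    return round((1 - slo_percent / 100) * window_days * MINUTES_PER_DAY, 2)


@dataclass
class BudgetStatus:
    slo_percent: float
    budget_minutes: float
    consumed_minutes: float
    remaining_minutes: float
    measured_availability: float   # percentage achieved over the window so far
    freeze_features: bool          # assumed policy: freeze once the budget is negative


def budget_status(slo_percent: float, downtime_minutes: float,
                  window_days: int = 30) -> BudgetStatus:
    """Apply an outage to the window's budget and decide the policy response."""
    budget = error_budget_minutes(slo_percent, window_days)
    window = window_days * MINUTES_PER_DAY
    remaining = round(budget - downtime_minutes, 2)
    availability = round(100 * (window - downtime_minutes) / window, 3)
    return BudgetStatus(slo_percent, budget, downtime_minutes, remaining,
                        availability, freeze_features=remaining < 0)


if __name__ == "__main__":
    # Constructed scenario from the question: a 50-minute outage in week one.
    for slo in (99.9, 99.5):
        s = budget_status(slo, downtime_minutes=50)
        print(f"SLO {slo}%: budget {s.budget_minutes} min, remaining "
              f"{s.remaining_minutes} min, availability {s.measured_availability}%, "
              f"freeze={s.freeze_features}")
```

At 99.9% the 50-minute outage leaves the budget 6.8 minutes negative and triggers the freeze; at 99.5% the same outage leaves 166 minutes, which is exactly why retroactively loosening the SLO is a way of hiding the breach rather than managing it.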

790
MCQeasy

Which Google Cloud service is a fully managed, serverless data warehouse for analytics with built-in ML capabilities (e.g., BigQuery ML)?

A.Cloud SQL
B.Firestore
C.Cloud Spanner
D.BigQuery
AnswerD

BigQuery is the correct answer: serverless data warehouse with integrated ML.

Why this answer

BigQuery is a serverless data warehouse that supports standard SQL, scales automatically, and includes BigQuery ML for creating ML models using SQL.

791
MCQmedium

A retail company experiences huge traffic spikes during Black Friday and slow periods otherwise. They want to avoid over-provisioning servers and reduce costs. Which cloud feature directly addresses this need?

A.Auto-scaling based on CPU utilization
B.Purchasing committed use discounts
C.Load balancing across regions
D.Manual scaling with reserve instances
AnswerA

Auto-scaling automatically adjusts compute resources to match demand, reducing waste.

Why this answer

Auto-scaling based on CPU utilization dynamically adjusts the number of server instances in response to real-time demand. During Black Friday traffic spikes, it automatically adds capacity, and during slow periods, it scales down to reduce costs. This directly addresses the need to avoid over-provisioning while maintaining performance.

Exam trap

Google Cloud often tests the misconception that load balancing alone solves capacity issues, but candidates must recognize that load balancing distributes existing traffic and does not add or remove servers—only auto-scaling handles dynamic provisioning.

How to eliminate wrong answers

Option B is wrong because purchasing committed use discounts requires a long-term commitment to a fixed amount of resources, which does not help with dynamic traffic spikes and can lead to over-provisioning during slow periods. Option C is wrong because load balancing across regions distributes traffic but does not automatically adjust the total number of servers; it works best with auto-scaling but alone cannot prevent over-provisioning. Option D is wrong because manual scaling with reserved instances requires human intervention to add or remove capacity, which is too slow to handle sudden Black Friday spikes and still involves upfront commitment that wastes resources during slow times.

792
MCQmedium

A company's application stores sensitive customer information in Cloud Storage. A security audit finds that one bucket has 'allUsers' access granted (making it publicly accessible on the internet). The security team wants to prevent this from happening in the future. Which control prevents public access from being granted to Cloud Storage buckets?

A.Enable Cloud Armor on all Cloud Storage buckets to block public internet access
B.Apply the 'storage.publicAccessPrevention' organization policy constraint, which prevents allUsers and allAuthenticatedUsers from being granted in Cloud Storage IAM policies organization-wide
C.Enable VPC Service Controls around Cloud Storage to prevent public internet access
D.Configure Cloud Monitoring to alert the security team when a bucket is made public so they can revert it
AnswerB

Public Access Prevention is the correct control. Applied as an org policy, it makes it impossible to grant allUsers or allAuthenticatedUsers access to any bucket in the organization. Attempts to set such policies are rejected by the API. This is the definitive preventive control for accidental public bucket exposure.

Why this answer

Option B is correct because the 'storage.publicAccessPrevention' organization policy constraint, when enforced at the organization, folder, or project level, rejects any attempt to bind 'allUsers' or 'allAuthenticatedUsers' to a Cloud Storage bucket or object. Public access prevention can also be switched on per bucket, but the organization policy is the preventive control that also covers buckets nobody has thought about yet. It blocks the action before it occurs, directly addressing the security team's requirement to prevent public access from being granted in the future.

Exam trap

Google Cloud often tests the distinction between preventive, detective, and corrective controls, and the trap here is that candidates confuse VPC Service Controls (which restrict network-level access) with IAM policy controls (which govern identity-based access), leading them to choose option C instead of the correct preventive IAM constraint.

How to eliminate wrong answers

Option A is wrong because Cloud Armor is a web application firewall (WAF) and DDoS protection service for HTTP(S) load balancers, not a service that can be applied to Cloud Storage buckets or block IAM-based public access. Option C is wrong because VPC Service Controls create a security perimeter around Google Cloud services to prevent data exfiltration over the internet, but they do not prevent a bucket from being made publicly accessible via IAM policy changes; they restrict access from outside the perimeter but do not block the 'allUsers' grant itself. Option D is wrong because Cloud Monitoring alerts are a detective control, not a preventive control; they notify the team after the public access has already been granted, which does not prevent the incident from happening.

793
MCQhard

An organization has multiple projects in Google Cloud. They want to enforce a policy that prevents the creation of Compute Engine instances with more than 8 vCPUs in any project under a specific folder, except for a few exempted projects. How can they achieve this with minimal overhead?

A.Use organization policy with tags: define a tag 'exempt' and attach it to exempted projects; set the policy condition to apply unless the resource has the tag.
B.Use IAM conditions with a custom role to deny creation of large instances.
C.Create a folder for exempted projects and apply a allow policy to that folder.
D.Apply a custom organization policy at the folder level without tags, and add exceptions in each project individually.
AnswerA

Tags attached to the exempted projects let one folder-level policy carry a condition; no hierarchy change or per-project edits are needed.

Why this answer

Organization policies support conditions on tags: attach a tag (for example, an 'exempt' key with value 'true') to the exempted projects and set the custom constraint's policy at the folder level with a condition such as resource.matchTag('ORG_ID/exempt', 'true') that switches enforcement off where the tag is present. Option C would force a project move and still not scale to exceptions scattered across folders; option D means editing every exempted project individually; IAM conditions (B) gate who may call the API, not the shape of the resource being created.
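The behaviour of the two preventive controls discussed above (question 792's boolean constraint and this question's tag-conditioned constraint) can be modelled locally. The following Python is an added example written for this page, not Google's policy engine: it evaluates constructed requests against a project's enforced constraints and rejects the non-compliant ones before anything would be created. The constraint name custom.maxVcpus, the 'exempt' tag key and the request shapes are assumptions for the illustration; the real service writes the tag condition in CEL (resource.matchTag) and evaluates it inside the API.

```python
"""Local model of two Google Cloud organization-policy checks.

Added example, not Google's code: it mirrors the semantics of the
predefined boolean constraint storage.publicAccessPrevention and of a
hypothetical tag-conditioned custom constraint (custom.maxVcpus) capping
vCPUs, so that the difference between a preventive control (request
rejected) and a detective one (logged after the fact) is visible in code.
"""
from dataclasses import dataclass, field

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


class PolicyViolation(Exception):
    """Raised when a request would violate an enforced constraint."""


@dataclass
class Project:
    project_id: str
    # Tag values attached to the project, e.g. {"exempt": "true"} (assumed tag key).
    tags: dict = field(default_factory=dict)
    # Constraints enforced on this project (inherited from org/folder in practice).
    enforced: set = field(default_factory=set)


def check_bucket_iam_policy(project: Project, policy: dict) -> None:
    """storage.publicAccessPrevention: reject bindings to public principals."""
    if "storage.publicAccessPrevention" not in project.enforced:
        return
    for binding in policy.get("bindings", []):
        public = PUBLIC_PRINCIPALS & set(binding.get("members", []))
        if public:
            raise PolicyViolation(
                f"{project.project_id}: role {binding['role']} granted to "
                f"{sorted(public)} is blocked by storage.publicAccessPrevention")


def check_instance_create(project: Project, vcpus: int, max_vcpus: int = 8) -> None:
    """Hypothetical custom constraint: cap vCPUs unless the project carries the 'exempt' tag."""
    if "custom.maxVcpus" not in project.enforced:
        return
    if project.tags.get("exempt") == "true":   # policy condition: applies unless tagged
        return
    if vcpus > max_vcpus:
        raise PolicyViolation(
            f"{project.project_id}: {vcpus} vCPUs exceeds the {max_vcpus} vCPU cap")


def evaluate(project: Project, request: dict) -> str:
    """Return 'allowed' or a 'denied: ...' message for a constructed request."""
    try:
        if request["kind"] == "storage.setIamPolicy":
            check_bucket_iam_policy(project, request["policy"])
        elif request["kind"] == "compute.instances.insert":
            check_instance_create(project, request["vcpus"])
        else:
            raise ValueError(f"unknown request kind {request['kind']!r}")
    except PolicyViolation as exc:
        return f"denied: {exc}"
    return "allowed"


if __name__ == "__main__":
    # Constructed sample projects and requests.
    enforced = {"storage.publicAccessPrevention", "custom.maxVcpus"}
    prod = Project("prod-web", enforced=enforced)
    hpc = Project("hpc-batch", tags={"exempt": "true"}, enforced=enforced)

    public_policy = {"bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]}]}
    print(evaluate(prod, {"kind": "storage.setIamPolicy", "policy": public_policy}))
    print(evaluate(prod, {"kind": "compute.instances.insert", "vcpus": 16}))
    print(evaluate(hpc, {"kind": "compute.instances.insert", "vcpus": 16}))
```

The point of the model is where the check sits: the request is refused before a bucket is exposed or a VM is created, whereas a monitoring alert (question 792's option D) would only fire afterwards. Exemptions are data on the project (the tag), not a copy of the policy, so the folder-level policy stays the single place to audit.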

794
MCQmedium

A company wants to ensure that only API calls from within a specific VPC can access their Cloud Storage buckets, even if the bucket is public. Which Google Cloud feature should they use?

A.VPC firewall rules
B.Cloud Armor
C.IAM conditions
D.VPC Service Controls
AnswerD

VPC Service Controls define a service perimeter around the project's Google APIs (including Cloud Storage) and reject API calls that originate outside it.

Why this answer

VPC Service Controls create a perimeter around the project's Google Cloud services; calls to storage.googleapis.com are accepted only from VPC networks inside the perimeter or from sources admitted by an access level (such as a corporate IP range). VPC firewall rules (A) govern traffic to and from VM interfaces, not Google API endpoints; Cloud Armor (B) protects load-balanced applications; IAM conditions (C) act on identity, time and resource attributes, not on the caller's VPC. A perimeter is not a substitute for removing public bindings: pair it with public access prevention (question 792).

795
MCQmedium

A Virtual Private Cloud (VPC) in Google Cloud provides network isolation. What does 'network isolation' mean in this context, and why is it important?

A.Network isolation means the VPC blocks all internet access — resources cannot communicate with external services.
B.VPC provides a logically isolated private network where resources are separated from other customers' networks by default, preventing unauthorized cross-customer traffic.
C.Network isolation means all traffic within the VPC is automatically encrypted.
D.A VPC requires dedicated physical hardware separate from other customers to ensure isolation.
AnswerB

VPCs create private network boundaries. Customer A's VMs and customer B's VMs cannot see each other's network traffic even though they share physical infrastructure — logical isolation is enforced at the network layer.

Why this answer

Option B is correct because a Google Cloud VPC provides a logically isolated private network within the shared Google Cloud infrastructure. This isolation ensures that resources in one customer's VPC cannot directly communicate with resources in another customer's VPC by default, preventing unauthorized cross-customer traffic. This is achieved through software-defined networking (SDN) constructs like virtual firewalls and routing tables, not through physical separation.

Exam trap

The GCDL exam often tests the misconception that 'network isolation' implies physical separation or automatic encryption, leading candidates to choose options D or C, when in fact it refers to logical isolation via software-defined networking.

How to eliminate wrong answers

Option A is wrong because network isolation does not block all internet access; VPCs can be configured with Cloud NAT, external IP addresses, or VPNs to allow controlled outbound or inbound internet connectivity. Option C is wrong because isolation and encryption are separate properties: isolation stops other tenants' traffic from reaching your network, while confidentiality of your own traffic is a matter of encryption (TLS between your services, or whatever encryption Google applies within its own network), and isolation alone should not be relied on to protect sensitive data in transit. Option D is wrong because a VPC does not require dedicated physical hardware; it uses logical isolation via software-defined networking on shared physical infrastructure, as per Google Cloud's multi-tenant design.

796
Multi-Selecthard

A company needs to run a Hadoop/Spark workload on Google Cloud. They must use existing YARN applications and need to optimise for cost by using preemptible VMs for task nodes. Which three services should they use?

Select 3 answers
A.Compute Engine
B.Cloud Dataproc
C.Cloud Storage
D.BigQuery
E.Dataflow
AnswersA, B, C

Dataproc clusters run on Compute Engine VMs, with Cloud Storage as the durable data layer.

Why this answer

Cloud Dataproc is the managed Hadoop/Spark service on Google Cloud, so existing YARN applications run unchanged. A cluster has master and worker nodes; secondary worker nodes can be preemptible VMs, which is where the cost saving comes from. Compute Engine provides the VMs the cluster runs on, and Cloud Storage replaces HDFS for durable input, output and staging data, which is what makes it safe to lose preemptible workers (and to delete the whole cluster between jobs).

BigQuery is a data warehouse, not a Hadoop/Spark runtime, and Dataflow runs Apache Beam pipelines rather than YARN applications. Persistent Disk (not among the options) backs HDFS on the cluster but is not needed when the data lives in Cloud Storage.

797
Multi-Selectmedium

A financial services company needs to restrict access to its Cloud Storage buckets containing sensitive customer data. The company wants to prevent data exfiltration by ensuring that only authorized VMs in specific VPCs can access the buckets, and that data cannot be copied to unauthorized locations. Which two Google Cloud services should be used together? (Choose two.)

Select 2 answers
A.VPC Service Controls
B.Private Google Access
C.Cloud Armor
D.Identity-Aware Proxy (IAP)
E.Cloud NAT
AnswersA, B

VPC Service Controls define the perimeter that restricts Cloud Storage API access to authorized VPC networks; Private Google Access lets VMs in those VPCs reach the Cloud Storage API without external IP addresses.

Why this answer

VPC Service Controls create a perimeter around the project's Cloud Storage resources so that only callers inside the perimeter (the authorized VPCs) can read the buckets, and data cannot be copied out to projects or networks outside it. Private Google Access lets VMs with only internal IP addresses reach storage.googleapis.com over Google's network, so the authorized VMs need no external IP or NAT path to the internet, which closes the obvious exfiltration route. Cloud Armor provides DDoS protection and WAF rules for load-balanced applications but does not restrict data access. Cloud NAT gives VMs outbound internet access, the opposite of what is wanted here.

Identity-Aware Proxy (IAP) controls user access to applications, not storage-level restrictions.

798
MCQeasy

Which Google Cloud service allows you to run code in response to events (e.g., file upload to Cloud Storage) without provisioning servers?

A.Cloud Functions
B.App Engine
C.Compute Engine
D.Google Kubernetes Engine
AnswerA

Cloud Functions automatically triggers code on events like Cloud Storage changes.

Why this answer

Cloud Functions is a serverless event-driven compute service that executes code in response to events. Compute Engine and GKE require servers. App Engine is for web apps, not event-driven functions.

799
MCQmedium

A company is migrating its on-premises Oracle database to Google Cloud. They want to minimize licensing costs and use a fully managed database service with high availability. Which database should they choose?

A.Cloud SQL for MySQL
B.Cloud Spanner
C.Bare Metal Solution for Oracle
D.Cloud SQL for PostgreSQL
AnswerD

PostgreSQL is a robust open-source database with many features similar to Oracle; Cloud SQL offers fully managed HA at lower cost.

Why this answer

Cloud SQL for PostgreSQL is a fully managed, cost-effective alternative to Oracle with no proprietary licence fees; its high-availability configuration keeps a synchronous standby in a second zone of the region with automatic failover. Cloud SQL for MySQL is also licence-free but is a weaker match for Oracle's PL/SQL-style stored procedures. Cloud Spanner is designed and priced for globally distributed workloads and would require a schema and application rewrite, and the Bare Metal Solution runs Oracle on Google-managed hardware, which still requires Oracle licences and leaves database administration to the customer.

800
MCQmedium

A company runs a web application on Compute Engine instances behind a managed instance group with autoscaling based on CPU utilization. After a marketing campaign, traffic spikes and the autoscaler adds instances quickly, but the application becomes slow. What is the most likely cause?

A.Autoscaler uses CPU utilization but the application is memory-bound
B.Instances are in different zones causing inter-zone latency
C.Autoscaling cooldown period is too short
D.Health check interval is too long
AnswerA

If the application is memory-bound, adding instances based on CPU does not help; the bottleneck remains memory.

Why this answer

The autoscaler adds instances based on CPU utilization, but if the application is memory-bound, adding more instances does not alleviate memory pressure. Each new instance still runs the same memory-intensive workload, so CPU may remain low while memory is exhausted, causing slowdowns. The autoscaler fails to address the actual bottleneck, leading to poor performance despite scaling out.

Exam trap

The trap here is that candidates assume CPU utilization is always the correct metric for scaling, but the question tests the understanding that autoscaling only works well when the chosen metric matches the actual bottleneck of the application.

How to eliminate wrong answers

Option B is wrong because managed instance groups with autoscaling can span multiple zones, but inter-zone latency within the same region is negligible (typically <1ms) and would not cause significant slowdowns. Option C is wrong because a cooldown period that is too short would cause the autoscaler to add instances too aggressively, not make the application slow; it might lead to over-provisioning or thrashing, but not directly to performance degradation. Option D is wrong because a health check interval that is too long delays detection of unhealthy instances, but does not cause the application to become slow; it affects availability, not performance under load.

801
MCQ · easy

A large online retailer operates a microservices-based e-commerce platform on Google Kubernetes Engine (GKE) across multiple zones. The application consists of several stateless services that handle customer traffic, inventory, and order processing. Recently, the company migrated its relational database to Cloud Spanner to achieve global scalability and strong consistency. After the migration, during peak shopping periods (e.g., Black Friday), the application experiences significant performance degradation. The operations team monitors CPU utilization of the pods and finds it consistently below 60% even under heavy load. However, Cloud Spanner metrics show high query latency and increased number of transactions waiting for lock conflicts. The team suspects that the bottleneck is now the database, not the compute. The application is designed to scale horizontally by adding more pod replicas. The team wants to ensure that scaling decisions are based on the actual performance bottleneck. What should they do?

A. Scale the GKE cluster to use larger node instances.
B. Increase the CPU request limit for the pods to allow higher CPU usage.
C. Reduce the number of pods to decrease Spanner load.
D. Modify the Horizontal Pod Autoscaler (HPA) to scale based on a custom metric that reflects Cloud Spanner query latency.
Answer: D

This aligns scaling with the actual bottleneck, increasing pods when Spanner latency rises.

Why this answer

Option D is correct because the Horizontal Pod Autoscaler (HPA) can be configured to scale based on custom metrics, such as Cloud Spanner query latency. Since the bottleneck is the database, scaling pods based on CPU utilization (which remains low) would not resolve the issue; instead, scaling based on Spanner latency ensures that the application adds replicas only when the database can handle more connections, reducing lock contention and improving overall performance.

Exam trap

Google Cloud often tests the misconception that CPU utilization is always the correct metric for scaling, but in this scenario, the bottleneck is the database, so candidates must recognize that custom metrics (like Spanner latency) are needed to scale the application appropriately.

How to eliminate wrong answers

Option A is wrong because scaling the GKE cluster to use larger node instances increases compute resources, but the bottleneck is the database (Cloud Spanner), not CPU or memory; larger nodes would not reduce Spanner query latency or lock conflicts. Option B is wrong because increasing the CPU request limit for pods does not address the database bottleneck; it would allow pods to consume more CPU, but CPU utilization is already below 60%, so this change would not improve Spanner performance and could waste resources. Option C is wrong because reducing the number of pods would decrease the load on Spanner, but it would also reduce the application's ability to handle customer traffic, potentially causing service degradation; the goal is to scale based on the actual bottleneck, not to arbitrarily reduce capacity.

802
MCQ · easy

A team uses Terraform to create a VPC as shown. They now need to add a Compute Engine instance in the subnet. Which of the following correctly references the subnet?

A. Set `network = google_compute_subnetwork.subnet.self_link`
B. Set `subnetwork = google_compute_subnetwork.subnet.self_link`
C. Set `subnetwork = google_compute_subnetwork.subnet.name`
D. Set `network = google_compute_network.vpc.name` and `subnetwork = google_compute_network.vpc.self_link`
Answer: B

self_link provides the full URL needed.

Why this answer

Option B is correct because when adding a Compute Engine instance to a subnet in Terraform, you must use the `subnetwork` argument (not `network`) and reference the subnet's `self_link` attribute. The `google_compute_subnetwork` resource's `self_link` provides the full URI required by the instance resource to attach to the correct subnet within the VPC.

Exam trap

Google Cloud often tests the distinction between `network` and `subnetwork` arguments, and the trap here is that candidates confuse the subnet's `name` attribute with its `self_link`, or mistakenly think the `network` argument can accept a subnet reference.

How to eliminate wrong answers

Option A is wrong because it sets `network = google_compute_subnetwork.subnet.self_link`, but the `network` argument expects a VPC network resource (e.g., `google_compute_network.vpc.self_link`), not a subnet self_link; this would cause a configuration error. Option C is wrong because `subnetwork = google_compute_subnetwork.subnet.name` uses only the subnet name, but the instance resource requires the full self_link URI to uniquely identify the subnet across projects or regions. Option D is wrong because it sets `network = google_compute_network.vpc.name` (which is a string name, not a self_link) and `subnetwork = google_compute_network.vpc.self_link` (which is a VPC self_link, not a subnet self_link); both arguments are incorrectly assigned, leading to a mismatch.

803
Multi-Select · medium

A company wants to reduce its cloud spending by optimizing storage costs for infrequently accessed data. Which THREE Google Cloud storage classes should they consider? (Choose three.)

Select 3 answers
A. Standard
B. Regional
C. Archive
D. Coldline
E. Nearline
Answers: C, D, E

Lowest cost for archival data.

Why this answer

Nearline, Coldline, and Archive are cost-effective storage classes for infrequently accessed data with lower retrieval costs.

804
MCQ · medium

A media company needs to stream live video to global viewers with low latency. They also want to protect against DDoS attacks. Which combination of Google Cloud networking services should they use?

A. Cloud Interconnect and Cloud VPN
B. Cloud CDN and Cloud Armor
C. Cloud DNS and Cloud Armor
D. Cloud Load Balancing and Cloud NAT
Answer: B

Cloud CDN accelerates content delivery, and Cloud Armor protects against DDoS.

Why this answer

Cloud CDN caches content at edge locations for low-latency delivery, and Cloud Armor provides DDoS protection and WAF capabilities at the edge.

805
MCQ · hard

A media company stores video files on-premises and wants to migrate them to Google Cloud for processing and transcoding. The files are accessed by a legacy on-premises application that cannot be modified. Which migration strategy should they use?

A. Use Transfer Appliance to ship data to Google Cloud and set up a VPN for the application to access Cloud Storage via private IP.
B. Migrate the application to run on Compute Engine and access Cloud Storage natively.
C. Use Storage Transfer Service to move data to Cloud Storage, then mount the bucket using Cloud Storage FUSE on the on-premises server.
D. Use gsutil rsync to copy files to Cloud Storage and update the application to use Cloud Storage URLs.
Answer: C

Cloud Storage FUSE allows the on-premises application to access Cloud Storage as a local file system without code changes.

Why this answer

Storage Transfer Service allows transferring data from on-premises to Cloud Storage, while using Cloud Storage FUSE or a VPN can keep the on-premises application accessing the files. The best approach is to use Storage Transfer Service for bulk migration and then configure hybrid access.

806
Multi-Select · easy

A company wants to monitor the health and performance of their applications running on Google Cloud. Which two Google Cloud services should they use together for comprehensive observability?

Select 2 answers
A. Cloud Monitoring
B. Cloud Profiler
C. Cloud Logging
D. Cloud Debugger
E. Cloud Trace
Answers: A, C

Cloud Monitoring is the primary service for metrics, uptime checks, and alerting.

Why this answer

Cloud Monitoring and Cloud Logging together form the core of Google Cloud's observability stack. Cloud Monitoring collects metrics, uptime checks, and alerting policies, while Cloud Logging ingests, stores, and analyzes log data. Combined, they provide the metrics, logs, and alerting needed to comprehensively monitor application health and performance.

Exam trap

Google Cloud often tests the distinction between observability services (Monitoring + Logging) and specialized tools (Profiler, Debugger, Trace), leading candidates to select all five options or mix debugging/profiling tools with core monitoring.

807
Multi-Select · medium

A financial services company must comply with strict data residency regulations. Which TWO cloud features help meet compliance requirements?

Select 2 answers
A. Data location controls
B. Open source software
C. Public internet access
D. Single data center footprint
E. Customer-managed encryption keys
Answers: A, E

Enables specifying where data is stored to comply with residency laws.

Why this answer

Data location controls (Option A) allow administrators to explicitly restrict where data is stored and processed, ensuring compliance with data residency regulations that mandate data remain within specific geographic boundaries. Customer-managed encryption keys (Option E) enable the organization to control who has access to the encryption keys, ensuring that even if data is stored in a cloud provider's infrastructure, the provider cannot decrypt it without the customer's permission, which is critical for meeting regulatory requirements.

Exam trap

Google Cloud often tests the misconception that any single data center footprint automatically satisfies data residency, when in fact compliance requires explicit location controls and encryption key management, not just physical location.

808
MCQ · medium

A DevOps team wants to automate their software build, test, and deployment process on Google Cloud. They need a service that triggers automatically when code is pushed to a repository, builds container images, runs tests, and deploys to production. Which Google Cloud product orchestrates this CI/CD pipeline?

A. Cloud Composer, Google Cloud's managed Apache Airflow service
B. Cloud Build, Google Cloud's managed CI/CD service that triggers on code pushes, builds images, runs tests, and deploys automatically
C. Cloud Scheduler, which triggers periodic jobs on a cron schedule
D. Eventarc, which routes events from Google Cloud services to Cloud Run functions
Answer: B

Cloud Build is the correct answer. It natively integrates with source repositories, executes multi-step build pipelines (test, build, deploy), builds container images, and deploys to Cloud Run, GKE, or App Engine. It's the primary Google Cloud CI/CD service.

Why this answer

Cloud Build is Google Cloud's managed CI/CD service that directly supports the described workflow: it can be triggered automatically by code pushes to a repository (e.g., Cloud Source Repositories, GitHub, Bitbucket), then execute a series of steps defined in a build configuration file (cloudbuild.yaml) to build container images, run tests, and deploy to production environments such as Google Kubernetes Engine, Cloud Run, or Compute Engine. This makes it the correct choice for orchestrating the entire CI/CD pipeline.

Exam trap

Google Cloud often tests the distinction between event-driven orchestration (Cloud Build) and general-purpose workflow schedulers (Cloud Composer) or event routers (Eventarc), leading candidates to confuse a CI/CD pipeline tool with a scheduling or event-routing service.

How to eliminate wrong answers

Option A is wrong because Cloud Composer is a managed Apache Airflow service designed for workflow orchestration and scheduling of complex pipelines, not for CI/CD triggered by code pushes; it lacks native integration for building container images or deploying to production as part of a code-push event. Option C is wrong because Cloud Scheduler is a cron-based job scheduler that triggers tasks on a time-based schedule, not on code repository events, and it does not provide CI/CD capabilities like building, testing, or deploying. Option D is wrong because Eventarc is an event routing service that delivers events from Google Cloud sources to targets like Cloud Run, but it does not itself build images, run tests, or deploy applications; it is a transport layer, not a CI/CD orchestrator.

809
Multi-Select · medium

A company needs to reduce costs on Compute Engine instances that run batch jobs for varying durations. They can tolerate interruptions and do not require a specific uptime guarantee. Which TWO instance types or purchasing options should they consider? (Choose 2)

Select 2 answers
A. Sole-tenant nodes
B. Spot VMs
C. Preemptible VMs
D. Committed use discounts
E. Sustained use discounts
Answers: B, C

Spot VMs are the newer version of preemptible VMs with no maximum runtime, ideal for batch and fault-tolerant workloads.

Why this answer

Preemptible VMs can be terminated at any time but are significantly cheaper, suitable for fault-tolerant batch jobs. Spot VMs are similar to preemptible but with no maximum runtime and often lower price. Both are ideal for batch workloads that can handle interruptions.

810
MCQ · easy

A business wants to reduce the time to market for new features by enabling developers to provision infrastructure without waiting for IT. Which cloud attribute supports this?

A. Disaster recovery
B. Broad network access
C. High availability
D. On-demand self-service
Answer: D

Self-service enables instant resource provisioning without IT intervention.

Why this answer

On-demand self-service (Option D) is the correct answer because it allows developers to provision infrastructure automatically without requiring human interaction from IT. This cloud attribute, defined by NIST SP 800-145, enables users to unilaterally provision computing resources as needed, directly reducing time to market by eliminating manual approval and setup delays.

Exam trap

Google Cloud often tests the distinction between 'on-demand self-service' and 'broad network access' by presenting scenarios where remote access is confused with automated provisioning, leading candidates to incorrectly choose broad network access.

How to eliminate wrong answers

Option A is wrong because disaster recovery focuses on restoring services after failures, not on enabling rapid provisioning for new features. Option B is wrong because broad network access refers to resource availability over the network via standard protocols (e.g., HTTPS, SSH), not the ability to self-provision infrastructure. Option C is wrong because high availability ensures uptime and fault tolerance through redundancy, but does not address the self-service provisioning workflow that accelerates feature delivery.

811
Multi-Select · hard

A business is considering moving to Google Cloud to accelerate innovation. Which THREE factors contribute to faster innovation in the cloud?

Select 3 answers
A. Access to advanced technologies like AI
B. Global scale for experiments
C. Longer procurement cycles
D. Rapid prototyping with managed services
E. Dedicated physical servers
Answers: A, B, D

Cloud provides cutting-edge AI/ML services without building from scratch.

Why this answer

Option A is correct because Google Cloud provides access to advanced technologies like AI/ML services (e.g., Vertex AI, AutoML, and pre-trained APIs) that would be costly and complex to build on-premises. These services allow businesses to integrate intelligent features into applications without deep expertise, accelerating innovation by reducing development time and enabling experimentation with cutting-edge capabilities.

Exam trap

Google Cloud often tests the misconception that 'dedicated physical servers' or 'longer procurement cycles' are benefits of cloud, when in fact they are inhibitors to innovation that cloud specifically eliminates.

812
MCQ · easy

Which characteristic of cloud computing allows a user to provision virtual machines without needing to interact with Google Cloud support or create a ticket?

A. Broad network access
B. Measured service
C. Resource pooling
D. On-demand self-service
Answer: D

On-demand self-service allows users to provision resources automatically without human interaction.

Why this answer

On-demand self-service means users can provision resources automatically without human interaction. The other options are also NIST characteristics but do not specifically address provisioning without manual intervention.

813
MCQ · easy

A developer wants to run a small piece of code that resizes images whenever a new image is uploaded to Cloud Storage. The code runs for less than a second and should only be triggered by the upload event. No always-on server is needed. Which Google Cloud service is ideal?

A. A Compute Engine VM that runs continuously, checking for new uploads every minute.
B. Cloud Functions triggered by Cloud Storage object creation events.
C. Cloud Run with a permanent container that listens for uploads.
D. BigQuery scheduled query that processes new uploads daily.
Answer: B

Cloud Functions natively integrates with Cloud Storage events. A function is invoked automatically for each new upload, resizes the image, and terminates — no always-on server needed.

Why this answer

Cloud Functions is the ideal serverless compute service for event-driven, short-lived tasks like image resizing triggered by Cloud Storage uploads. It automatically scales to zero when idle, charges only for execution time (sub-second in this case), and natively binds to Cloud Storage object creation events via the `google.storage.object.finalize` trigger, eliminating the need for any always-on infrastructure.

Exam trap

Google Cloud often tests the distinction between event-driven serverless (Cloud Functions) and container-based serverless (Cloud Run), where candidates mistakenly choose Cloud Run because it 'can run code' without realizing it requires an HTTP endpoint and cannot be directly triggered by Cloud Storage events without an intermediary like Eventarc.

How to eliminate wrong answers

Option A is wrong because a continuously running Compute Engine VM is overkill and cost-inefficient for a sub-second task; it requires manual polling or a custom listener, defeating the serverless, event-driven requirement. Option C is wrong because Cloud Run with a permanent container implies a continuously running service that listens for uploads, which contradicts the 'no always-on server' requirement and incurs idle costs; Cloud Run is designed for HTTP requests, not direct event triggers from Cloud Storage. Option D is wrong because BigQuery scheduled queries are for batch analytics on data already in BigQuery, not for real-time event-driven image processing triggered by Cloud Storage uploads.

814
MCQ · hard

A data engineer needs to process a continuous stream of clickstream events from multiple sources, aggregate them into 1-minute windows, and write the results to BigQuery for real-time dashboarding. The solution must handle exactly-once processing semantics. Which combination of services should they use?

A. Pub/Sub -> Dataflow -> BigQuery
B. Pub/Sub -> Cloud Functions -> BigQuery
C. Cloud Storage -> Dataflow -> BigQuery
D. Pub/Sub -> Cloud Dataproc -> BigQuery
Answer: A

Dataflow provides exactly-once processing, windowing, and native BigQuery sink, making it ideal for streaming ETL.

Why this answer

Dataflow (Apache Beam) provides exactly-once processing semantics and can read from Pub/Sub, apply windowed aggregations, and write to BigQuery. Pub/Sub is the ingestion layer for streaming events. Cloud Functions and Cloud Run are not designed for stateful windowed aggregations at scale, and Cloud Dataproc (Hadoop/Spark) would require more overhead.

815
MCQ · medium

A company uses service accounts to allow their application running on a Compute Engine VM to access Cloud Storage. Which is the most secure way to configure this service account access?

A. Download the service account key JSON file and store it in the application's source code repository.
B. Attach the service account to the Compute Engine VM; the application obtains credentials automatically via the metadata server with no key files needed.
C. Grant all users the Storage Admin role so the application can access Cloud Storage through their credentials.
D. Create a shared service account key file accessible to all VMs via a Cloud Storage bucket.
Answer: B

VM-attached service accounts provide credentials automatically via the GCE metadata server. No key files are created or stored. ADC discovers these credentials automatically.

Why this answer

Option B is correct because attaching a service account to a Compute Engine VM allows the application to automatically obtain short-lived OAuth 2.0 access tokens from the instance metadata server (http://169.254.169.254). This eliminates the need to download, store, or manage any long-lived service account key files, which are a significant security risk. The metadata server provides credentials that are automatically rotated and scoped to the service account's IAM roles, making this the most secure method for accessing Cloud Storage from a VM.

Exam trap

The GCDL exam often tests the misconception that storing keys in a repository or bucket is acceptable for automation, but the trap here is that any long-lived key file, even if stored in a bucket, is less secure than the automatic, short-lived credentials provided by the Compute Engine metadata server.

How to eliminate wrong answers

Option A is wrong because storing a service account key JSON file in the application's source code repository exposes the private key to anyone with repository access, violating the principle of least privilege and creating a persistent credential that can be leaked. Option C is wrong because granting all users the Storage Admin role is a gross over-privilege that violates the principle of least privilege and does not provide a service account for the application; it relies on user credentials which are not designed for automated workloads and introduces unnecessary security exposure. Option D is wrong because placing a shared service account key file in a Cloud Storage bucket still requires managing long-lived private keys, and any VM or user with read access to that bucket can exfiltrate the key, negating the security benefits of using service accounts on Compute Engine.

816
MCQ · easy

A company has a stateful application running on Compute Engine. They want to scale horizontally while preserving state. Which configuration should they use?

A. Use Cloud Run with volumes.
B. Unmanaged instance group.
C. Managed instance group with stateful configuration.
D. Managed instance group with autoscaling and no stateful configuration.
Answer: C

Stateful MIGs preserve instance names, disks, and metadata, allowing horizontal scaling while maintaining state.

Why this answer

Option C is correct because a managed instance group (MIG) with stateful configuration preserves instance-specific state (such as disks, hostnames, and metadata) across autohealing and rolling updates. This allows the stateful application to scale horizontally while maintaining its persistent data, as each instance retains its unique state even when the group is resized or instances are recreated.

Exam trap

The trap here is that candidates often assume all managed instance groups automatically preserve state, but without explicit stateful configuration, MIGs treat instances as ephemeral and will delete persistent disks on instance deletion or during rolling updates.

How to eliminate wrong answers

Option A is wrong because Cloud Run is a serverless platform designed for stateless containers; while it supports volumes, they are ephemeral or read-only (e.g., Cloud Storage FUSE or NFS), and Cloud Run does not natively preserve instance-level state across scaling events or container restarts. Option B is wrong because an unmanaged instance group does not provide autohealing, autoscaling, or stateful configuration; it requires manual management and cannot automatically preserve state during horizontal scaling. Option D is wrong because a managed instance group with autoscaling and no stateful configuration treats all instances as stateless; when instances are terminated or recreated, any local state (e.g., data on persistent disks) is lost, making it unsuitable for stateful applications.

817
MCQ · hard

An organization wants to use Google Cloud's AI/ML services to build a custom image recognition model without managing the underlying infrastructure. Which Google Cloud service should they use?

A. AutoML Vision
B. TensorFlow on Compute Engine
C. Cloud Vision API
D. Vertex AI Workbench
Answer: A

AutoML Vision allows training custom models without managing infrastructure.

Why this answer

AutoML Vision provides a no-code environment to train custom models with minimal ML expertise, while Vertex AI is a full platform requiring more setup.

818
MCQ · medium

A company wants to connect its on-premises data center to Google Cloud with a reliable, lower-latency connection that doesn't traverse the public internet, but doesn't need the bandwidth of a full Dedicated Interconnect. Which Google Cloud connectivity product is most appropriate?

A. Cloud VPN, which creates an encrypted IPsec tunnel over the public internet
B. Partner Interconnect, which provides private connectivity through a service provider partner's network — supporting lower bandwidth tiers without requiring a direct physical fiber connection
C. Dedicated Interconnect, which requires provisioning a 10 Gbps or 100 Gbps dedicated physical fiber connection
D. Cloud CDN, which caches content at edge locations close to the on-premises data center
Answer: B

Partner Interconnect is the right solution. It provides the private connectivity (no public internet) and lower latency characteristics of Dedicated Interconnect, but at lower bandwidth tiers (50 Mbps–50 Gbps) through a service provider partner — appropriate for organizations that don't need or justify a full Dedicated Interconnect circuit.

Why this answer

Partner Interconnect is the correct choice because it provides private connectivity between an on-premises data center and Google Cloud via a service provider partner's network, offering lower bandwidth tiers (e.g., 50 Mbps to 10 Gbps) without requiring a direct physical fiber connection. This meets the requirements for a reliable, lower-latency connection that avoids the public internet, while Dedicated Interconnect would be overkill for bandwidth needs below 10 Gbps.

Exam trap

The trap here is that candidates often confuse Partner Interconnect with Cloud VPN, assuming that any private connection must be encrypted or that VPN is sufficient for low-latency needs, but the key differentiator is that Partner Interconnect avoids the public internet entirely, providing consistent latency and SLA-backed reliability that IPsec VPNs cannot guarantee.

How to eliminate wrong answers

Option A is wrong because Cloud VPN creates an encrypted IPsec tunnel over the public internet, which does not provide a private connection that avoids the public internet and may introduce higher latency and variability. Option C is wrong because Dedicated Interconnect requires provisioning a dedicated physical fiber connection of at least 10 Gbps (or 100 Gbps), which exceeds the stated need for lower bandwidth and does not fit the 'doesn't need the bandwidth of a full Dedicated Interconnect' requirement. Option D is wrong because Cloud CDN is a content delivery network that caches content at edge locations for improved performance of web content, not a connectivity product for linking an on-premises data center to Google Cloud.

819
MCQ · hard

A security team wants to ensure that only container images built by their approved CI/CD pipeline can run in their GKE cluster. Images built outside the approved process — even by internal engineers — should be blocked. Which Google Cloud security feature enforces this?

A. Cloud Armor — it blocks unauthorized container images at the load balancer.
B. Binary Authorization — requiring cryptographic attestations for container images before they can be deployed to GKE.
C. Cloud IAM — restricting `container.pods.create` permission to only the CI/CD service account.
D. Artifact Registry vulnerability scanning — blocking images with CVEs from being deployed.
Answer: B

Binary Authorization enforces that only images with valid attestations (created by the approved CI/CD pipeline using Cloud KMS keys) can be deployed to GKE. Unsigned or externally built images are blocked at admission.

Why this answer

Binary Authorization is the correct answer because it enforces deployment-time policy by requiring that container images have a valid cryptographic attestation (e.g., from a trusted CI/CD pipeline) before they can be scheduled on GKE. This ensures that only images built and signed by the approved process are allowed to run, blocking all others regardless of who built them.

Exam trap

The trap here is that candidates confuse access control (IAM) with image provenance enforcement, mistakenly thinking that restricting who can create pods (Option C) is sufficient to block unauthorized images, when in reality a CI/CD service account could still deploy an unsigned image if not prevented by Binary Authorization.

How to eliminate wrong answers

Option A is wrong because Cloud Armor is a web application firewall and DDoS protection service that operates at the load balancer layer, not a container image admission controller; it cannot inspect or block container images at the pod-creation level. Option C is wrong because restricting `container.pods.create` permission to only the CI/CD service account would prevent engineers from directly creating pods, but it would not block images built outside the approved pipeline if those images were pushed to a registry and referenced by a pod created by the CI/CD service account; it controls who can create pods, not which images can be used. Option D is wrong because Artifact Registry vulnerability scanning identifies CVEs in images but does not enforce admission policies; it provides security insights but does not block deployment of images lacking attestations.

820
MCQ · hard

A large enterprise has 200+ applications and is developing its cloud migration strategy. A cloud architect argues that not all applications should be migrated the same way. Which migration strategy framework best organizes the different approaches for moving applications to cloud?

A. All applications should be completely rewritten as cloud-native microservices for maximum cloud benefit
B. A portfolio-based migration framework (such as the 6 Rs: Rehost, Replatform, Refactor, Repurchase, Retire, Retain) that applies the right migration strategy to each application based on its business value and cloud-readiness
C. Migrate all applications simultaneously during a single weekend cutover to minimize the total migration duration
D. Keep all applications on-premises until a complete cloud-native replacement is built for each one
Answer: B

The 6 Rs framework is the industry-standard answer for enterprise migration portfolio management. Simple internal apps: rehost (lift-and-shift). Commercially available replacements: repurchase. End-of-life apps: retire. Mission-critical legacy: retain. The right strategy for each application maximizes value while managing risk and cost.

Why this answer

Option B is correct because a portfolio-based migration framework like the 6 Rs (Rehost, Replatform, Refactor, Repurchase, Retire, Retain) provides a structured, risk-aware approach to cloud migration. It recognizes that each application has unique business value, technical debt, and cloud-readiness, so a one-size-fits-all strategy would be inefficient or disruptive. This framework aligns migration tactics with business objectives, enabling the enterprise to optimize cost, performance, and operational continuity across a diverse application portfolio.

Exam trap

Google Cloud often tests the misconception that all applications must be fully re-architected (Refactor) to gain cloud benefits, when in reality a balanced portfolio approach using the 6 Rs is more practical and cost-effective for large-scale migrations.

How to eliminate wrong answers

Option A is wrong because completely rewriting all 200+ applications as cloud-native microservices is impractical, costly, and time-consuming; it ignores the reality that many legacy applications may not benefit from microservices and can be migrated more efficiently via rehosting or replatforming. Option C is wrong because migrating all applications simultaneously during a single weekend cutover is extremely high-risk, likely causing widespread outages, data loss, and failed migrations due to the lack of testing and rollback capability; it violates the principle of incremental, validated migration. Option D is wrong because keeping all applications on-premises until a complete cloud-native replacement is built for each one defeats the purpose of cloud migration, delays benefits, and incurs unnecessary maintenance costs; it ignores the possibility of using lift-and-shift (Rehost) or other intermediate strategies to gain immediate cloud advantages.

821
MCQ · easy

A company is concerned that employees might accidentally or maliciously upload sensitive personal data (such as credit card numbers or Social Security Numbers) to Cloud Storage buckets. Which Google Cloud product can automatically scan uploaded files and identify sensitive data patterns?

A.Cloud Armor, which inspects incoming HTTP requests for sensitive data patterns
B.Cloud DLP (Data Loss Prevention), which scans Cloud Storage objects for sensitive data types like credit card numbers and SSNs using built-in pattern detection
C.Cloud Logging, which records all file upload events to Cloud Storage
D.Security Command Center, which audits Cloud Storage bucket permissions
Answer: B

Cloud DLP is the correct answer. It has 150+ built-in infoTypes for detecting sensitive data patterns (credit card numbers validated with the Luhn algorithm, SSN format detection, etc.) and can scan Cloud Storage objects on a scheduled or triggered basis, flagging or de-identifying findings.

Why this answer

Cloud DLP (Data Loss Prevention) is the correct service because it is specifically designed to inspect and classify sensitive data within Cloud Storage objects. It uses built-in detectors (infoTypes) to identify patterns like credit card numbers (Luhn check) and Social Security Numbers, and can trigger automated actions such as redaction or logging when sensitive data is found.

Exam trap

The trap here is confusing a security monitoring or perimeter defense service (Cloud Armor, Security Command Center) with a content-aware data classification service (Cloud DLP), leading candidates to pick a service that audits permissions or logs events rather than one that inspects file contents for sensitive patterns.

How to eliminate wrong answers

Option A is wrong because Cloud Armor is a web application firewall (WAF) that protects against DDoS and OWASP Top 10 threats by inspecting HTTP/S traffic at the edge, not by scanning stored files for sensitive data patterns. Option C is wrong because Cloud Logging captures and stores audit logs of events (e.g., object uploads) but does not perform content inspection or pattern matching on the uploaded data. Option D is wrong because Security Command Center provides a centralized view of security risks and misconfigurations (e.g., public bucket permissions) but does not scan object contents for sensitive data patterns.

822
MCQ · hard

A company has a requirement to rotate encryption keys every 90 days. They are using Cloud KMS to manage keys for Cloud Storage. What is the correct way to achieve key rotation with minimal impact to existing encrypted objects?

A.Manually rotate the key every 90 days by generating a new key version.
B.Enable automatic rotation on the key with a 90-day period.
C.Use Cloud HSM to generate a new key and update the bucket default encryption.
D.Create a new key and re-encrypt all existing objects using the new key.
Answer: B

Automatic rotation creates new key versions; old data remains accessible.

Why this answer

Cloud KMS supports automatic rotation based on a schedule. When a key is rotated, a new version is created, and new data is encrypted with the new version while old data remains decryptable with the old version.

823
MCQ · easy

A company wants to store archival data that must be retained for 10 years. The data is accessed less than once a year. Which Cloud Storage class is the most cost-effective?

A.Standard Storage
B.Nearline Storage
C.Coldline Storage
D.Archive Storage
Answer: D

Archive storage is the cheapest for data accessed less than once a year.

Why this answer

Archive Storage is the most cost-effective option for data that must be retained for 10 years and is accessed less than once a year. This class offers the lowest storage cost among Google Cloud Storage classes, specifically designed for long-term preservation of data that is rarely accessed, with a minimum storage duration of 365 days and higher retrieval costs that are acceptable given the infrequent access pattern.

Exam trap

Google Cloud often tests the misconception that 'Coldline' is the cheapest storage class, but Archive Storage is actually the lowest-cost option for long-term retention with very infrequent access, and candidates may overlook the minimum storage duration and retrieval cost trade-offs.

How to eliminate wrong answers

Option A is wrong because Standard Storage is optimized for frequently accessed data with no minimum storage duration and higher per-GB storage costs, making it cost-prohibitive for 10-year archival retention. Option B is wrong because Nearline Storage is designed for data accessed less than once a month, with a 30-day minimum storage duration and higher storage costs than Archive Storage, making it less cost-effective for data accessed less than once a year. Option C is wrong because Coldline Storage is intended for data accessed less than once a quarter, with a 90-day minimum storage duration and storage costs that are still higher than Archive Storage, so it is not the most cost-effective for 10-year archival with annual access.

824
Drag & Drop · medium

Drag and drop the steps to deploy a containerized application to Google Kubernetes Engine (GKE) into the correct order.


Why this order

The correct sequence starts with containerizing the app, creating a cluster, defining the deployment, applying it, and exposing it as a service.

825
MCQ · medium

A startup wants to minimize upfront costs and shift from capital expenditure to operational expenditure. Which cloud pricing model enables this transformation?

A.Pay-as-you-go
B.Reserved instances
C.Committed use discounts
D.Sustained use discounts
Answer: A

Pay-as-you-go eliminates upfront costs, shifting to OpEx.

Why this answer

Option A is correct because pay-as-you-go allows customers to pay only for what they use without upfront commitments, converting CapEx to OpEx. Reserved instances (B) require upfront commitment, committed use discounts (C) also involve commitments, and sustained use discounts (D) are automatic but still based on usage.

Google Cloud Digital Leader GCDL Questions 751–825 | Page 11/14 | Courseiva