Google Cloud Digital Leader (GCDL) — Questions 826900

991 questions total · 14pages · All types, answers revealed

Page 11

Page 12 of 14

Page 13
826
MCQmedium

A company uses App Engine Standard environment for a Python web app. During a traffic spike, they notice increased latency. They want to improve performance without changing code. What should they do?

A.Configure manual scaling with a larger machine type
B.Migrate to App Engine Flexible Environment
C.Increase the maximum idle instances in automatic scaling settings
D.Enable Cloud CDN in front of the app
AnswerC

More idle instances reduce cold starts and improve latency during spikes.

Why this answer

Increasing the number of automatic scaling instances or enabling min instances can reduce cold start latency. Changing machine type is not available in Standard. Moving to Flex is a bigger change.

Using Cloud CDN caches static content but not dynamic.

827
MCQeasy

A company wants to innovate quickly by leveraging machine learning without building models from scratch. Which Google Cloud service allows them to use pre-trained models via APIs?

A.BigQuery ML
B.AI Platform
C.Cloud Vision API
D.AutoML
AnswerC

Cloud Vision API offers pre-trained models via simple API calls.

Why this answer

Cloud Vision API is correct because it provides pre-trained machine learning models via REST APIs, allowing the company to integrate image recognition capabilities (e.g., label detection, OCR, face detection) without building or training any models. This directly meets the requirement of leveraging ML without building from scratch, as the API abstracts all model training and deployment.

Exam trap

Google Cloud often tests the distinction between 'pre-trained APIs' and 'custom model training services'—candidates mistakenly choose AutoML because they think 'no building from scratch' means no coding, but AutoML still requires training a custom model, not using a pre-trained one.

How to eliminate wrong answers

Option A is wrong because BigQuery ML enables users to create and train custom ML models using SQL queries on data in BigQuery, but it does not provide pre-trained models via APIs—it requires building models from scratch. Option B is wrong because AI Platform is a managed service for training, deploying, and scaling custom ML models, but it does not offer pre-trained models via APIs; it is designed for custom model workflows. Option D is wrong because AutoML allows users to train custom models on their own data with minimal ML expertise, but it still requires training a model from scratch rather than using pre-trained models via APIs.

828
MCQeasy

A startup's website becomes unexpectedly popular and traffic spikes 50x within minutes. The application is hosted on Google Cloud. Which Google Cloud product automatically increases the number of application instances in response to this traffic spike without manual intervention?

A.Cloud Monitoring, which detects the traffic spike and sends an alert to the operations team to manually scale up
B.Managed Instance Groups with autoscaling (for VMs) or Cloud Run (for containers), which automatically provision additional instances based on traffic load without manual intervention
C.Cloud Load Balancing, which distributes traffic evenly across existing instances to handle the spike
D.Cloud Billing, which automatically increases the spending limit when traffic spikes occur
AnswerB

This is correct. MIG autoscaling monitors CPU/request metrics and automatically adds instances when load increases, then removes them when load drops. Cloud Run scales automatically to any number of container instances in seconds. Both handle the 50x spike scenario automatically.

Why this answer

Managed Instance Groups (MIGs) with autoscaling and Cloud Run both automatically adjust the number of running instances or container replicas based on real-time metrics like CPU utilization, request rate, or latency. When traffic spikes 50x, the autoscaler detects the increased load and provisions new VMs or container instances without any manual intervention, ensuring the application remains responsive. This is the only option that provides automatic, infrastructure-level scaling in response to load.

Exam trap

The GCDL exam often tests the misconception that load balancing alone handles spikes, but candidates must remember that load balancers distribute traffic only to existing instances — autoscaling is required to add capacity.

How to eliminate wrong answers

Option A is wrong because Cloud Monitoring only collects metrics and sends alerts; it does not automatically scale instances — scaling requires a separate service like MIG autoscaler or Cloud Run. Option C is wrong because Cloud Load Balancing distributes traffic across existing instances but does not create new instances; it relies on an autoscaler to add capacity. Option D is wrong because Cloud Billing manages budgets and spending limits, not instance provisioning; it has no mechanism to scale application instances.

829
MCQeasy

A developer wants to deploy a containerized web application that can scale to zero when not in use, and only pay for actual request processing time. Which Google Cloud compute service should the developer use?

A.Cloud Functions
B.Cloud Run
C.Compute Engine
D.Google Kubernetes Engine (GKE)
AnswerB

Cloud Run is the correct service: it runs containers, scales to zero, and charges per request.

Why this answer

Cloud Run is a serverless container runtime that scales to zero and charges per request, ideal for containerized apps with variable traffic. Cloud Functions is for smaller code snippets, not containers. Compute Engine runs VMs continuously, and GKE requires at least one node.

830
MCQeasy

A company wants to optimize Cloud Storage costs for a bucket containing 100 TB of access logs. The logs from the last 7 days are frequently analyzed; logs from 8–90 days are occasionally reviewed; logs older than 90 days are archived for compliance but rarely accessed. What is the most cost-effective storage class configuration?

A.Store all 100 TB in Standard storage for consistent access performance.
B.Configure lifecycle rules: Standard (0-7 days) → Nearline (8-90 days) → Archive (90+ days).
C.Delete all logs older than 7 days to minimize storage costs.
D.Store all logs in Archive storage since most are rarely accessed.
AnswerB

Lifecycle Management automatically transitions objects between storage classes as they age. Standard for active logs, Nearline for occasional review, Archive for compliance retention — each class priced for its access pattern.

Why this answer

Option B is correct because it aligns the storage class with the access patterns of the logs: Standard for frequently accessed recent data, Nearline for occasional access, and Archive for rarely accessed compliance data. This minimizes costs by using cheaper storage for older data while maintaining performance for active analysis. Lifecycle rules automate the transition, ensuring no manual intervention is needed.

Exam trap

Google Cloud often tests the misconception that Archive storage is always the cheapest option, ignoring the retrieval costs and latency for frequently accessed data, leading candidates to choose Option D.

How to eliminate wrong answers

Option A is wrong because storing all 100 TB in Standard storage is unnecessarily expensive for logs older than 7 days that are rarely accessed. Option C is wrong because deleting logs older than 7 days violates compliance requirements and loses data that may be needed for audits or occasional review. Option D is wrong because storing all logs in Archive storage would cause high retrieval costs and latency for the frequently accessed last 7 days of logs, making it impractical for active analysis.

831
MCQmedium

A company has a production database running on Cloud SQL. They need to perform maintenance on the primary instance without downtime. Which feature allows this?

A.Read replicas with failover
B.Database import/export
C.Multi-region deployment
D.Automated backups
AnswerA

Read replicas can be promoted, allowing maintenance on the primary without downtime.

Why this answer

Read replicas with failover allow you to promote a read replica to a new primary instance in the event of a planned maintenance or failure, enabling zero-downtime operations. Cloud SQL uses this feature to redirect traffic seamlessly by updating the DNS record to point to the promoted replica, ensuring the database remains available during maintenance.

Exam trap

Google Cloud often tests the misconception that automated backups or multi-region deployment alone provide high availability, but the key is that only read replicas with failover offer a hot standby that can be promoted without downtime.

How to eliminate wrong answers

Option B is wrong because database import/export is a data migration tool (e.g., using mysqldump or pg_dump) that requires downtime for consistent snapshots and does not provide automatic failover or continuous availability. Option C is wrong because multi-region deployment in Cloud SQL is not a built-in feature; Cloud SQL supports regional instances only, and true multi-region failover requires external configurations like cross-region replication with additional services. Option D is wrong because automated backups create point-in-time recovery snapshots but do not provide a standby instance for failover; backups are for data restoration, not for maintaining uptime during maintenance.

832
MCQmedium

A company runs a batch processing workload every night that can tolerate interruptions. The workload runs on Compute Engine VMs and takes 2 hours to complete. They want to reduce costs. Which VM pricing model should they use?

A.Preemptible VMs
B.Committed use discounts
C.Sole-tenant nodes
D.Sustained use discounts
AnswerA

Preemptible VMs are ideal for fault-tolerant, interruptible batch workloads at a fraction of the cost.

Why this answer

Preemptible VMs offer significant cost savings (up to 80% discount) but can be terminated at any time. Since the workload is batch and can tolerate interruptions, this is the most cost-effective choice.

833
Multi-Selecthard

Which THREE are required to achieve HIPAA compliance on Google Cloud?

Select 3 answers
A.Sign a Business Associate Agreement (BAA) with Google
B.Enable Cloud Audit Logs for tracking access to ePHI
C.Use only GCP services that are covered under the BAA
D.Use a dedicated project for all PHI workloads
E.Configure multi-factor authentication for all users
AnswersA, B, C

Correct: A BAA is required for HIPAA compliance.

Why this answer

Option A is correct because HIPAA requires covered entities and their business associates to have a written agreement that establishes the permitted and required uses of protected health information (PHI). Google Cloud provides a standard Business Associate Agreement (BAA) that customers must sign to contractually bind Google to HIPAA obligations, including safeguarding ePHI and reporting breaches. Without a signed BAA, Google is not legally liable as a business associate under HIPAA, making this a foundational requirement for compliance.

Exam trap

Google Cloud often tests the misconception that HIPAA requires dedicated infrastructure (like a separate project) or specific security controls (like MFA), when in fact HIPAA focuses on contractual agreements (BAA), data access logging, and using only services that are contractually covered under the BAA.

834
MCQmedium

A startup is deploying a containerised web application on Google Cloud. They want to minimise operational overhead and only pay for the resources consumed when requests are being processed. The application should automatically scale to zero when idle. Which compute service should they choose?

A.App Engine Standard
B.Cloud Run
C.Google Kubernetes Engine (GKE)
D.Compute Engine
AnswerB

Cloud Run is serverless, scales to zero, and bills only for the time requests are handled.

Why this answer

Cloud Run is a fully managed serverless container platform that scales to zero when idle and charges only for request processing time. App Engine is also serverless but requires a runtime environment and does not scale to zero as gracefully. Compute Engine and GKE require provisioning instances even if idle.

835
MCQeasy

Which cloud computing characteristic is defined by the NIST as the ability for a consumer to provision computing capabilities automatically without requiring human interaction with each service provider?

A.Measured service
B.Resource pooling
C.Rapid elasticity
D.On-demand self-service
AnswerD

Correct definition: consumers can unilaterally provision capabilities automatically without requiring human interaction.

Why this answer

On-demand self-service allows users to provision resources automatically, without needing manual approval or interaction with Google Cloud staff.

836
MCQeasy

A global e-commerce platform needs to serve content with low latency to users worldwide. They want to cache static content at edge locations near users. Which Google Cloud service should they use?

A.Cloud DNS
B.Cloud CDN
C.Cloud Armor
D.Cloud Storage
AnswerB

Cloud CDN caches content at Google's edge locations for low-latency delivery.

Why this answer

Cloud CDN uses Google's global edge network to cache static content, reducing latency by serving from locations close to users. Cloud Armor is for security. Cloud DNS is for domain resolution.

Cloud Storage alone does not cache at edges.

837
MCQeasy

A company is deciding whether to store a large video archive (hundreds of terabytes, accessed perhaps twice per year for legal holds) in Google Cloud. Which Cloud Storage class is designed for this infrequently accessed, long-term archival use case?

A.Standard storage, which provides the lowest latency and highest availability for frequently accessed data
B.Archive storage, which offers the lowest storage cost for data accessed less than once per year, accepting higher retrieval costs and latency for infrequent access
C.Nearline storage, for data accessed approximately once per month
D.Coldline storage, for data accessed approximately once per quarter
AnswerB

Archive storage is specifically designed for the described use case: massive data volumes, very infrequent access (legal holds qualify as rare events). The trade-off — higher retrieval cost and latency — is acceptable when access is measured in times per year rather than times per day.

Why this answer

Archive storage is the correct choice because it is specifically designed for data that is accessed less than once per year, offering the lowest storage cost among Google Cloud Storage classes. This aligns perfectly with the use case of a large video archive accessed only twice per year for legal holds, where higher retrieval costs and latency are acceptable trade-offs for long-term preservation.

Exam trap

The GCDL exam often tests the specific access frequency thresholds for each storage class (e.g., Nearline for monthly, Coldline for quarterly, Archive for yearly or less), and the trap here is that candidates may confuse Coldline (quarterly) with Archive (yearly) due to similar names implying 'cold' storage.

How to eliminate wrong answers

Option A is wrong because Standard storage is optimized for frequently accessed data with low latency and high availability, not for infrequently accessed archival data, and would incur unnecessary costs. Option C is wrong because Nearline storage is intended for data accessed approximately once per month, which does not match the twice-per-year access pattern. Option D is wrong because Coldline storage is designed for data accessed approximately once per quarter, still more frequent than the described use case, and would result in higher storage costs than Archive storage.

838
MCQeasy

A web application's homepage loads user-specific data (shopping cart, recent orders) on every visit. The data changes frequently. An engineer suggests caching this data in a Redis cache between the web tier and the database. What is the primary benefit of this caching layer?

A.Caching encrypts data in transit between the web tier and database.
B.Caching reduces database load and improves response times by serving frequently accessed data from fast in-memory storage.
C.Caching permanently stores user data so the database can be deleted.
D.Caching automatically synchronizes data between multiple database replicas.
AnswerB

Redis/Memorystore serves cache hits in microseconds vs. database queries in milliseconds. Fewer DB queries = lower DB load, faster responses, and ability to handle more concurrent users.

Why this answer

Option B is correct because caching user-specific data like shopping carts and recent orders in Redis reduces the load on the primary database by serving frequently accessed data from fast in-memory storage. This improves response times for the web application, as Redis can deliver data in microseconds compared to the millisecond latency of a typical relational database query. The caching layer acts as a temporary, high-speed buffer that offloads read-heavy traffic from the database, which is especially beneficial for data that changes frequently but is read often.

Exam trap

Google Cloud often tests the misconception that caching provides permanent storage or replaces the database, leading candidates to incorrectly select Option C, but the trap here is that caching is a temporary, performance-enhancing layer, not a durable storage solution.

How to eliminate wrong answers

Option A is wrong because caching does not inherently encrypt data in transit; encryption is a separate concern typically handled by TLS/SSL between the web tier and the database, not by the caching layer itself. Option C is wrong because caching is not a permanent storage solution; Redis is an in-memory store that can lose data on restart unless persistence is configured, and the database remains the authoritative source of truth for user data. Option D is wrong because caching does not automatically synchronize data between database replicas; that is the role of database replication mechanisms (e.g., MySQL Group Replication or PostgreSQL streaming replication), not a cache layer.

839
MCQhard

A financial services company must comply with strict data residency regulations. They need to store customer data in a specific geographic region and ensure it never leaves that region. Which Google Cloud feature should they use?

A.VPC Service Controls
B.Cloud IAM
C.Organization Policy with location restrictions
D.Cloud Key Management Service
AnswerC

Organization policies with location constraints enforce resource creation only in permitted regions.

Why this answer

Organization Policy with location restrictions allows admins to restrict resource creation to specific regions, preventing data from being stored elsewhere. VPC Service Controls provide data exfiltration prevention but do not restrict region. IAM controls access, not location.

Cloud KMS manages keys.

840
MCQeasy

A startup wants to run a containerized web application that scales to zero when not in use, and only pay for the time the container is processing requests. Which Google Cloud compute service should they choose?

A.Google Kubernetes Engine (GKE)
B.App Engine Standard Environment
C.Cloud Run
D.Compute Engine with autoscaling
AnswerC

Cloud Run runs containers and scales to zero, ideal for pay-per-use.

Why this answer

Cloud Run is the correct choice because it is a fully managed serverless compute platform that automatically scales your containerized application to zero when there are no incoming requests. You are billed only for the resources consumed during request processing, measured in 100-millisecond increments, which aligns perfectly with the requirement to pay only for active processing time.

Exam trap

The trap here is that candidates often confuse 'scaling to zero' with 'autoscaling' and choose Compute Engine or GKE, not realizing that those services require at least one running instance or node, whereas Cloud Run is the only option that can truly scale down to zero instances when idle.

How to eliminate wrong answers

Option A is wrong because Google Kubernetes Engine (GKE) requires at least one node to run your containers, even if the application is idle, and does not scale to zero; you pay for the underlying node VMs regardless of usage. Option B is wrong because App Engine Standard Environment does not support arbitrary containerized applications; it runs only in a sandboxed runtime environment with specific language runtimes and does not allow you to bring your own Docker container. Option D is wrong because Compute Engine with autoscaling still requires a minimum number of running VM instances (even if set to 1) and does not scale to zero; you are billed for the provisioned VM instances even when no requests are being processed.

841
MCQmedium

A data analytics team uses BigQuery for large-scale queries. They notice that queries are scanning more data than necessary, leading to high costs. Which feature should they implement to reduce the amount of data scanned per query?

A.Materialized views
B.Streaming inserts
C.Partitioning
D.Clustering
AnswerC

Partitioning divides a table into segments based on a column, allowing queries to scan only relevant partitions, reducing cost.

Why this answer

Partitioning divides a table into segments based on a column (e.g., date), allowing BigQuery to prune partitions during query execution. When a query includes a filter on the partitioning column, BigQuery scans only the relevant partitions, significantly reducing the bytes processed and lowering costs.

Exam trap

Google Cloud often tests the distinction between partitioning (which reduces data scanned by pruning entire segments) and clustering (which only reorganizes data within partitions for better compression and filtering, but does not reduce the total data scanned unless combined with partitioning).

How to eliminate wrong answers

Option A is wrong because materialized views precompute and cache query results for faster performance, but they do not reduce the amount of raw data scanned per query; they may even increase storage costs. Option B is wrong because streaming inserts are used for real-time data ingestion into BigQuery, not for controlling data scan volume during queries. Option D is wrong because clustering sorts data within partitions based on column values, improving query performance and reducing costs only after partitioning is applied; without partitioning, clustering alone does not limit the total data scanned.

842
MCQeasy

A company's cloud environment has grown rapidly and the team is struggling to understand what cloud resources exist across dozens of projects. Which Google Cloud product provides a unified inventory of all cloud assets across an organization's projects and folders?

A.Cloud Billing console, which lists all resources that have incurred charges
B.Cloud Asset Inventory, which provides a searchable, unified inventory of all resources and IAM policies across an organization's projects and folders
C.Google Cloud Console project dashboard, which shows resources within a single project
D.Security Command Center, which lists security vulnerabilities in cloud resources
AnswerB

Cloud Asset Inventory is the correct service. It maintains a complete, searchable catalog of all resources (and their configurations) across the entire organization, supports historical queries, and integrates with policy analysis tools. This is the purpose-built service for organizational resource visibility.

Why this answer

Cloud Asset Inventory is the correct answer because it is the Google Cloud service specifically designed to provide a unified, searchable inventory of all cloud assets (resources and IAM policies) across an organization's projects, folders, and organization nodes. It supports real-time and historical snapshots, enabling teams to discover and track resources as the environment scales. This directly addresses the need to understand what resources exist across dozens of projects.

Exam trap

The GCDL exam often tests the distinction between a unified inventory service (Cloud Asset Inventory) and a security-focused tool (Security Command Center), leading candidates to mistakenly choose the latter because they associate 'inventory' with security asset management.

How to eliminate wrong answers

Option A is wrong because the Cloud Billing console only lists resources that have incurred charges, not a comprehensive inventory of all assets (including free-tier or non-billable resources), and it does not provide a unified view across projects and folders. Option C is wrong because the Google Cloud Console project dashboard shows resources only within a single project, not across dozens of projects and folders as required. Option D is wrong because Security Command Center focuses on security vulnerabilities and threats, not on providing a unified inventory of all cloud assets.

843
MCQmedium

A company's IT team is planning its network architecture for a Google Cloud deployment. They want to ensure that their development, staging, and production environments are completely isolated from each other at the network level. What is the most effective way to achieve this isolation in Google Cloud?

A.Using separate subnets within the same VPC for each environment, with firewall rules blocking cross-subnet traffic
B.Deploying each environment (dev, staging, prod) in separate VPC networks — optionally in separate Google Cloud projects — to achieve complete network isolation with no default connectivity between environments
C.Using different IP address ranges for each environment within the same network
D.Using Cloud IAM to restrict developers from accessing production resources, which achieves the same isolation as network separation
AnswerB

Separate VPCs provide true network isolation. By default, separate VPCs have no connectivity. Traffic between them requires explicit peering, VPN, or Shared VPC configuration. Using separate projects adds IAM-level access control on top of network isolation.

Why this answer

Option B is correct because deploying each environment in separate VPC networks (optionally in separate projects) provides complete network isolation by default. In Google Cloud, VPC networks are isolated entities with no inherent peering or connectivity; traffic between them requires explicit VPC peering or VPN configurations. This ensures that development, staging, and production environments cannot communicate at the network layer unless intentionally connected, meeting the requirement for complete isolation.

Exam trap

The trap here is that candidates assume firewall rules or IAM can achieve the same level of isolation as separate VPCs, but network-level isolation requires separate routing domains, not just access controls or IP address segmentation.

How to eliminate wrong answers

Option A is wrong because using separate subnets within the same VPC still allows routing between subnets by default; firewall rules can block traffic, but they are not a guarantee of complete network isolation (e.g., misconfigurations or implicit routes can bypass them). Option C is wrong because using different IP address ranges within the same network does not provide isolation; all subnets in a VPC can communicate via internal routes unless explicitly blocked, and the network itself is a single broadcast domain. Option D is wrong because Cloud IAM controls access at the identity and resource level, not at the network layer; it cannot prevent network-level connectivity between environments, such as direct IP traffic or lateral movement within the same VPC.

844
MCQhard

A financial services company needs a managed data warehouse that can ingest streaming transaction data in real time AND support complex SQL analytics across years of historical data — all without managing any infrastructure. Which Google Cloud product meets both streaming ingest and analytical query requirements in a single serverless service?

A.Cloud Bigtable for streaming ingest and BigQuery for historical analytics — two separate services
B.BigQuery, which supports real-time streaming ingest via its Storage Write API and large-scale analytical SQL queries across petabytes of data in a single fully managed, serverless service
C.Cloud SQL with read replicas — one instance for streaming writes, read replicas for analytical queries
D.Cloud Dataflow running continuously to process the stream and load to Persistent Disk for SQL queries
AnswerB

BigQuery meets both requirements natively. The Storage Write API (and legacy streaming API) enables sub-minute data availability for analytics. BigQuery's distributed query engine handles analytical SQL across petabytes. No infrastructure to manage, no separate streaming and analytical systems to maintain.

Why this answer

BigQuery is a fully managed, serverless data warehouse that supports real-time streaming ingest via the Storage Write API and enables complex SQL analytics across petabytes of historical data. This single service meets both requirements without any infrastructure management, unlike the other options that require separate services or manual orchestration.

Exam trap

Google Cloud often tests the misconception that streaming ingest and analytical querying require separate services, leading candidates to overlook BigQuery's unified serverless capability in favor of multi-service architectures like Cloud Bigtable plus BigQuery.

How to eliminate wrong answers

Option A is wrong because it proposes two separate services (Cloud Bigtable for streaming and BigQuery for analytics), which violates the requirement for a single serverless service and introduces operational complexity. Option C is wrong because Cloud SQL is a relational database not designed for petabyte-scale analytics or real-time streaming ingest at high throughput, and read replicas do not provide serverless, managed data warehousing. Option D is wrong because Cloud Dataflow is a stream processing service, not a data warehouse, and Persistent Disk is block storage that cannot natively support SQL analytics without additional compute and query engines.

845
MCQhard

An online retailer stores product images in a Cloud Storage bucket. Current access patterns: images uploaded once and read frequently for 30 days, then accessed rarely after 90 days, and must be retained for 7 years for compliance. Which storage class transition strategy minimizes cost while meeting requirements?

A.Upload to Nearline, lifecycle rule to Archive at 30 days
B.Upload to Standard, lifecycle rule to Nearline at 30 days, then to Archive at 90 days
C.Upload to Standard, lifecycle rule to Nearline at 30 days, then to Coldline at 90 days
D.Upload to Standard, lifecycle rule to Coldline at 30 days, then to Archive at 90 days
AnswerB

Nearline is cost-effective for infrequent access; Archive is cheapest for long-term retention.

Why this answer

Start in Standard for frequent reads, then transition to Nearline after 30 days (lower cost for infrequent access), then to Archive after 90 days for long-term retention at lowest cost.

846
MCQeasy

Which IAM concept defines what actions a user can perform on a resource?

A.Permissions
B.Authentication
C.Authorization
D.Roles
AnswerC

Authorization determines what actions are permitted.

Why this answer

Authorization defines what actions are allowed. Authentication verifies identity. Roles and permissions are part of authorization.

The question asks for the concept that defines actions.

847
MCQeasy

A developer needs to add machine learning capabilities to their application without training models from scratch. Which Google Cloud service provides pre-trained models via API?

A.Vertex AI
B.AI Platform Training
C.Cloud Vision API
D.Cloud AutoML
AnswerC

Cloud Vision API provides pre-trained models for image recognition via API.

Why this answer

Cloud Vision API offers pre-trained models for image analysis accessible via API, allowing developers to integrate ML without training.

848
MCQhard

An organization wants to ensure that Google Cloud services used by its employees cannot be used to exfiltrate data to a competitor's Google Cloud project. For example, they want to prevent copying data from their Cloud Storage bucket to a Storage bucket owned by a competitor. Which Google Cloud security control most directly prevents this type of insider data exfiltration?

A.IAM permissions that restrict users from accessing competitor projects
B.Cloud DLP, by scanning and redacting sensitive data before it can be stored
C.VPC Service Controls, which create a security perimeter around Google Cloud APIs so data cannot be moved to projects outside the defined perimeter
D.Organization Policy constraints that prevent resource creation in competitor accounts
AnswerC

VPC Service Controls are precisely designed for this. A service perimeter defines which projects can exchange data with each other. Even if a user has valid credentials, the API enforces that data cannot be read from inside the perimeter and written outside it — blocking the insider exfiltration pattern described.

Why this answer

VPC Service Controls (C) directly prevent data exfiltration by creating a security perimeter around Google Cloud APIs. This perimeter blocks any data movement to resources outside the defined perimeter, such as a competitor's Cloud Storage bucket, regardless of the user's IAM permissions. It works at the API layer, intercepting requests that attempt to copy data to an unauthorized project.

Exam trap

The trap here is that candidates often confuse IAM permissions with network-level controls, assuming that restricting IAM access to competitor projects is sufficient, but VPC Service Controls are the only mechanism that enforces a boundary at the API layer regardless of user identity.

How to eliminate wrong answers

Option A is wrong because IAM permissions control access to resources within a project, but they do not prevent a user with legitimate access to a source bucket from copying data to a destination bucket in a different project if the user has permissions on that destination. Option B is wrong because Cloud DLP scans and redacts sensitive data but does not block the transfer of data to an external project; it only modifies the content. Option D is wrong because Organization Policy constraints can restrict resource creation in competitor accounts, but they do not prevent data exfiltration from existing resources to already-created competitor projects.

849
MCQeasy

A developer wants to estimate the monthly cost of running a Kubernetes cluster with 3 nodes of n1-standard-4 in the us-central1 region before provisioning. Which tool should the developer use?

A.Billing export to BigQuery
B.Active Assist recommendations
C.Google Cloud Pricing Calculator
D.Cost Management dashboard
AnswerC

The Pricing Calculator is designed for pre-deployment cost estimation.

Why this answer

The Google Cloud Pricing Calculator is used to estimate costs for various services before deployment.

850
MCQmedium

A data analytics team needs to process streaming data from thousands of IoT devices in real time. They want to ingest the data, process it (e.g., windowed aggregations), and then load it into BigQuery for analysis. Which Google Cloud service should they use for the stream processing step?

A.BigQuery
B.Cloud Pub/Sub
C.Cloud Dataproc
D.Cloud Dataflow
AnswerD

Dataflow provides stream processing with exactly-once semantics, windowing, and direct BigQuery integration.

Why this answer

Dataflow is a fully managed, serverless service for stream and batch data processing, based on Apache Beam. It can handle real-time streaming data, perform windowed aggregations, and write to BigQuery.

851
MCQhard

A company's application is composed of 15 microservices. When a performance issue occurs, the team struggles to determine which service is causing latency since request traces span multiple services. Which Google Cloud service helps identify which specific service in a microservices chain is causing slowdowns?

A.Cloud Logging — search logs for error messages across all 15 services.
B.Cloud Trace — captures distributed request traces showing end-to-end latency across all microservices.
C.Cloud Monitoring dashboards — create per-service CPU utilization graphs.
D.Security Command Center — scan for misconfigurations causing performance issues.
AnswerB

Cloud Trace shows the complete request journey: which service was called, in what order, and how long each call took. The Gantt-chart view immediately reveals the latency culprit service.

Why this answer

Cloud Trace is designed specifically for distributed tracing in microservices architectures. It captures end-to-end latency data for each request as it traverses multiple services, allowing you to pinpoint which service in the chain is introducing the most delay. This directly addresses the problem of identifying the specific service causing slowdowns in a 15-service application.

Exam trap

The trap here is that candidates confuse Cloud Logging (which shows error messages) with Cloud Trace (which shows latency timing), or assume CPU utilization graphs (Cloud Monitoring) can pinpoint request-level slowdowns, when only distributed tracing can reveal the exact service in the chain causing the delay.

How to eliminate wrong answers

Option A is wrong because Cloud Logging is for aggregating and searching log entries, not for tracing request latency across services; it cannot show the per-service timing breakdown needed to identify the slowest service. Option C is wrong because Cloud Monitoring dashboards showing per-service CPU utilization can indicate resource pressure but do not trace individual requests across services, so they cannot reveal which service in a specific request chain is causing latency. Option D is wrong because Security Command Center focuses on security misconfigurations and vulnerabilities, not on performance latency or distributed tracing.

852
MCQeasy

What does 'high availability' mean in the context of cloud services, and how is it typically measured?

A.High availability means a system is fast — it responds to requests in under 100 milliseconds.
B.High availability means a system is operational for a very high percentage of time, typically measured as a percentage (e.g., 99.9% uptime).
C.High availability means a system stores data in multiple geographic locations for disaster recovery.
D.High availability requires manual intervention to restart failed services within 30 minutes.
AnswerB

HA is quantified as an uptime percentage over a period. 99.9% = ~8.7 hours downtime/year; 99.99% = ~53 minutes/year. Achieved through redundancy and automatic failover.

Why this answer

High availability (HA) refers to a system's ability to remain operational and accessible for an exceptionally high proportion of time, minimizing downtime. It is typically quantified as a percentage of uptime over a defined period, such as 99.9% ('three nines'), which corresponds to approximately 8.76 hours of downtime per year. This metric is fundamental in cloud service level agreements (SLAs) to guarantee service continuity.

Exam trap

Google Cloud often tests the distinction between high availability (uptime percentage) and related but distinct concepts like disaster recovery (geographic redundancy) or performance (latency), so candidates must focus on the precise definition of availability as operational uptime rather than other operational characteristics.

How to eliminate wrong answers

Option A is wrong because high availability is not about raw speed or low latency; it is about uptime and reliability, not performance metrics like sub-100ms response times. Option C is wrong because while geographic data replication supports disaster recovery, it is a specific strategy for data resilience, not the definition or measurement of high availability itself. Option D is wrong because high availability is designed to be automatic, often using failover clusters or load balancers, and requiring manual intervention within 30 minutes contradicts the goal of minimizing downtime without human action.

853
MCQeasy

A company wants to connect its on-premises data center to Google Cloud securely and with low latency. Which Google Cloud service should they use?

A.Cloud Interconnect
B.Cloud NAT
C.Cloud VPN
D.Cloud CDN
AnswerA

Cloud Interconnect provides dedicated private connections with low latency.

Why this answer

Cloud Interconnect provides dedicated, high-bandwidth connections between on-premises and Google Cloud, offering lower latency and more reliability than VPN.

854
MCQmedium

A company wants to automatically receive a discount for running Compute Engine instances for more than 25% of a month without any upfront commitment. Which discount type applies?

A.Committed use discount
B.CUD (Committed Use Discount)
C.Sustained use discount
D.Preemptible VM discount
AnswerC

These are automatic for usage >25% of month.

Why this answer

Sustained use discounts are automatically applied to Compute Engine instances that run for a significant portion of the month, with no upfront commitment required.

855
MCQeasy

A company needs to audit all actions performed by administrators on their Google Cloud project, including who accessed what resource and when. Which logging feature should they enable?

A.Cloud Monitoring
B.Access Transparency
C.VPC Flow Logs
D.Cloud Audit Logs
AnswerD

Audit logs provide a record of who did what and when.

Why this answer

Cloud Audit Logs record admin activity, data access, and system events for compliance and auditing.

856
MCQhard

A team is using Cloud Build to build container images and push them to Artifact Registry. The build process involves sensitive dependencies that should not be exposed to the internet. The team wants to ensure that all builds execute on a private network without public IP addresses. What should the team configure?

A.Set up Cloud NAT for the Cloud Build workers
B.Configure Artifact Registry with VPC Service Controls
C.Use a private pool in Cloud Build
D.Connect the Cloud Build service account to a shared VPC
AnswerC

Private pools run workers in your VPC with no public IPs, enabling private builds.

Why this answer

Cloud Build supports private pools that provide workers in a customer-managed VPC network, allowing builds to run without public IP addresses and access internal resources. Connecting the project to a shared VPC only enables network access but workers still have public IPs unless private pools are used. Using Artifact Registry VPC-SC perimeters helps secure the registry but not the build workers.

Cloud NAT provides outbound internet but does not remove public IPs from workers.

857
MCQmedium

A company runs a video processing application that triggers a function each time a new video is uploaded to Cloud Storage. The function transcodes the video and stores the result. Which compute service is BEST suited for this event-driven workload?

A.Compute Engine
B.Google Kubernetes Engine (GKE)
C.Cloud Functions
D.Cloud Run
AnswerC

Cloud Functions natively supports Cloud Storage triggers and is ideal for lightweight event-driven processing.

Why this answer

Cloud Functions is designed for event-driven triggers from Cloud Storage (e.g., object finalize). It is lightweight and cost-effective. Cloud Run is for containerized HTTP services.

Compute Engine and GKE are overkill for simple event-driven tasks.

858
Multi-Selecthard

A company uses Cloud Spanner for a global application. They need to ensure high availability and disaster recovery across regions. Which TWO actions should they take? (Choose 2)

Select 2 answers
A.Deploy the database in a single region with backups
B.Schedule regular backups using Cloud Spanner backup feature
C.Configure read replicas in a different region
D.Use Cloud Memorystore to cache database queries
E.Use a multi-region instance configuration
AnswersB, E

Backups protect against data loss and allow point-in-time recovery.

Why this answer

Option B is correct because Cloud Spanner's built-in backup feature allows you to create consistent backups of your database without impacting performance, and these backups can be restored to a different region for disaster recovery. This provides a reliable way to recover from regional failures or data corruption, ensuring high availability and DR across regions.

Exam trap

Google Cloud often tests the misconception that read replicas or caching services like Memorystore can provide cross-region disaster recovery, but Cloud Spanner's architecture relies on synchronous multi-region replication and backups, not asynchronous replicas or external caches.

859
MCQmedium

A power utility company collects electricity meter readings from 10 million smart meters every 15 minutes — generating billions of rows of time-series data per year. They need to query this data to detect anomalies and patterns. Which Google Cloud database is optimized for this massive-scale time-series IoT data?

A.Cloud SQL (PostgreSQL)
B.Cloud Bigtable
C.Firestore
D.Cloud Storage (CSV files)
AnswerB

Bigtable is designed for exactly this workload: massive time-series data from IoT devices. Row key (meter_id + timestamp) enables efficient range scans. Handles petabytes with sub-millisecond latency.

Why this answer

Cloud Bigtable is a fully managed, scalable NoSQL database designed for large analytical and operational workloads, making it ideal for ingesting and querying high-throughput time-series data from millions of IoT devices. It supports sub-10ms latency on queries, automatic sharding, and seamless integration with Google Cloud's data analytics ecosystem (e.g., BigQuery, Dataflow), which is critical for detecting anomalies and patterns across billions of rows of meter readings.

Exam trap

The trap here is that candidates confuse 'time-series data' with 'relational data' and choose Cloud SQL (PostgreSQL) for its SQL familiarity, overlooking the need for massive horizontal scalability and high write throughput that only Bigtable provides.

How to eliminate wrong answers

Option A is wrong because Cloud SQL (PostgreSQL) is a relational OLTP database not optimized for the extreme write throughput and horizontal scaling required for billions of time-series rows; it would hit performance bottlenecks and storage limits. Option C is wrong because Firestore is a document-oriented NoSQL database designed for real-time mobile/web apps with moderate write rates, not for massive-scale IoT time-series ingestion and analytical queries. Option D is wrong because Cloud Storage with CSV files lacks native querying capabilities, indexing, and low-latency access needed for real-time anomaly detection; it would require additional services like BigQuery for analysis, adding latency and complexity.

860
MCQmedium

An engineer needs to distribute incoming HTTP traffic across multiple backend VM instances in different regions, with automatic failover and SSL termination. Which load balancing product should they use?

A.Cloud CDN
B.Cloud Load Balancing
C.Cloud NAT
D.Cloud Armor
AnswerB

Cloud Load Balancing offers global HTTP(S) load balancing with anycast IP, SSL offload, and health-based failover.

Why this answer

Cloud Load Balancing (External HTTP(S) Load Balancer) provides global, multi-region load balancing with SSL termination and health checks.

861
MCQeasy

A traditional taxi company is losing market share to ride-sharing apps built on cloud platforms. A digital transformation consultant explains that the ride-sharing companies have a fundamental advantage rooted in their technology architecture. Which cloud-enabled capability most directly explains the ride-sharing companies' competitive advantage?

A.Ride-sharing companies own more vehicles than taxi companies, giving them greater fleet capacity
B.Cloud-enabled real-time matching, dynamic ML-driven pricing, and elastic mobile platforms create an operating model that taxi companies' legacy systems cannot replicate
C.Ride-sharing companies pay lower taxes, giving them a cost advantage over regulated taxi companies
D.Ride-sharing apps are available on smartphones, while taxis require phone calls
AnswerB

The competitive advantage is entirely cloud-powered: real-time GPS matching at scale (impossible without cloud compute), surge pricing driven by ML demand prediction, and mobile apps that create a seamless customer experience. These capabilities require cloud infrastructure and cloud-native development practices.

Why this answer

Option B is correct because ride-sharing companies leverage cloud-native architectures—specifically real-time matching algorithms, machine learning (ML) for dynamic pricing, and elastic mobile platforms—to create an operating model that scales instantly with demand. This cloud-enabled capability allows them to optimize driver-rider pairing and pricing in milliseconds, a level of agility that traditional taxi companies with on-premises legacy systems cannot replicate. The fundamental advantage is not about asset ownership or tax structure but about the architectural ability to process massive real-time data streams and adjust operations dynamically.

Exam trap

The GCDL exam often tests the misconception that a simple frontend feature (like a smartphone app) is the core advantage, when in fact the cloud-native backend—real-time matching, ML pricing, and elastic scaling—is the transformative differentiator.

How to eliminate wrong answers

Option A is wrong because ride-sharing companies typically do not own vehicles; they rely on independent drivers using their own cars, so greater fleet capacity is not a cloud-enabled advantage but a business model choice. Option C is wrong because ride-sharing companies do not inherently pay lower taxes; tax advantages vary by jurisdiction and are not a technology architecture feature, nor do they stem from cloud platforms. Option D is wrong because while smartphone availability is a factor, it is not a cloud-enabled capability—it is a device-level feature; the competitive advantage lies in the cloud backend that processes real-time data, not merely the frontend app.

862
MCQeasy

A data analytics team needs to analyze petabytes of structured data using SQL queries without managing any database infrastructure. Query results must return within seconds for most queries. Which Google Cloud service is designed for this use case?

A.Cloud SQL
B.BigQuery
C.Cloud Bigtable
D.Cloud Spanner
AnswerB

BigQuery is Google's serverless data warehouse, designed for petabyte-scale SQL analytics. It requires no infrastructure management and delivers fast query performance through massive parallelism.

Why this answer

BigQuery is a serverless, highly scalable data warehouse designed for analyzing petabytes of data using SQL without any infrastructure management. Its columnar storage and distributed query engine enable sub-second query performance on large datasets, making it ideal for this use case.

Exam trap

The GCDL exam often tests the distinction between OLTP (Cloud SQL, Cloud Spanner) and OLAP (BigQuery) services, and candidates may confuse Bigtable's NoSQL scalability with SQL analytics capabilities.

How to eliminate wrong answers

Option A is wrong because Cloud SQL is a managed relational database for OLTP workloads, not designed for petabyte-scale analytics or sub-second queries on massive datasets. Option C is wrong because Cloud Bigtable is a NoSQL wide-column database optimized for low-latency read/write operations on time-series or IoT data, not for complex SQL analytics on structured data. Option D is wrong because Cloud Spanner is a globally distributed relational database with strong consistency for transactional workloads, not a serverless analytics solution for petabyte-scale SQL queries.

863
Multi-Selectmedium

A company is migrating a legacy application to Google Cloud. The application has variable traffic and requires reliable, low-latency database access. The team wants to minimize operational overhead. Which TWO services should they consider for the database tier? (Choose two.)

Select 2 answers
A.Cloud SQL
B.Cloud Spanner
C.Cloud Bigtable
D.Firestore
E.Self-managed MySQL on Compute Engine
AnswersA, B

Managed MySQL, PostgreSQL, SQL Server with minimal ops.

Why this answer

Cloud SQL provides managed relational databases with automatic failover and replication. Cloud Spanner provides globally distributed, strongly consistent database with automatic sharding. Both reduce operational overhead.

864
MCQmedium

A company's analytics team wants to enable business users to create their own reports and dashboards from a governed set of BigQuery data, without writing SQL. At the same time, the data engineering team must maintain centralized control over how key metrics (like 'revenue' or 'active users') are defined. Which Google Cloud product architecture best meets both requirements?

A.Looker Studio connected directly to BigQuery, allowing each business user to create their own metric definitions
B.Looker with LookML semantic layer: data engineers centrally govern metric definitions in LookML, business users create self-service reports through Looker's interface using those governed definitions — no SQL required
C.Sharing BigQuery query templates with business users and training them to modify them for their reports
D.Building a custom web application that wraps BigQuery APIs and presents data to business users
AnswerB

Looker's LookML semantic layer is precisely designed for this dual requirement. Engineers write LookML once; it becomes the source of truth for metric definitions. Business users explore and report using a visual interface that always queries through LookML — guaranteed consistency, no SQL needed.

Why this answer

Option B is correct because Looker with LookML provides a semantic layer where data engineers centrally define governed metric definitions (e.g., 'revenue' as SUM(price * quantity) with specific filters). Business users can then create self-service reports and dashboards via Looker's drag-and-drop interface without writing SQL, ensuring consistency and control over key metrics.

Exam trap

The trap here is that candidates may think Looker Studio (formerly Data Studio) is sufficient for self-service reporting, but they overlook the critical requirement for a governed semantic layer (LookML) to enforce centralized metric definitions, which Looker Studio alone does not provide.

How to eliminate wrong answers

Option A is wrong because Looker Studio connected directly to BigQuery allows each business user to create their own metric definitions, which violates the requirement for centralized control over how key metrics are defined. Option C is wrong because sharing BigQuery query templates and training users to modify them still requires users to write or edit SQL, and it does not provide a governed semantic layer to enforce consistent metric definitions. Option D is wrong because building a custom web application that wraps BigQuery APIs is a heavy engineering effort that duplicates functionality already provided by Looker's semantic layer, and it does not inherently enforce centralized metric governance without additional custom logic.

865
MCQhard

A developer tries to create a new Compute Engine instance in the us-central1 region but receives an error 'Quota 'CPUS' exceeded. Limit: 24.0'. What should the developer do to resolve this?

A.Wait for the quota to reset automatically
B.Use a different machine family with lower CPU count
C.Delete unused instances in other regions
D.Request a quota increase for CPUs in us-central1
AnswerD

This directly addresses the quota limit.

Why this answer

The error indicates a resource quota (CPU limit) has been reached. The correct action is to request a quota increase in the Cloud Console for the specific region and resource type (CPUs).

866
MCQmedium

A company currently runs its applications in a co-location data centre with a 5-year contract for hardware. They are considering migrating to Google Cloud to avoid the upcoming hardware refresh cycle. Which business driver is most directly addressed by this migration?

A.Scalability
B.Cost optimisation (avoiding CAPEX)
C.Agility
D.Innovation (AI/ML access)
AnswerB

Migrating to cloud avoids the capital expense of replacing hardware.

Why this answer

Hardware refresh avoidance is a key migration motivation, shifting from CAPEX to OPEX. Agility, scalability, and innovation are also benefits but not the primary driver for this specific scenario.

867
MCQeasy

A developer wants to deploy a containerized web application that automatically scales to zero when not in use, and they want to minimize operational overhead. Which compute service should they use?

A.Google Kubernetes Engine (GKE)
B.Compute Engine
C.Cloud Run
D.App Engine Flexible Environment
AnswerC

Cloud Run abstracts infrastructure, scales to zero, and charges only for resources used during request processing.

Why this answer

Cloud Run is a serverless compute platform that executes containers in a fully managed environment, automatically scaling from zero to thousands of requests per second. It is ideal for containerized stateless applications that need to scale down to zero. Google Kubernetes Engine (GKE) does not scale to zero, Compute Engine requires VM management, and App Engine Flexible does not support custom containers that scale to zero as seamlessly.

868
Multi-Selecthard

An organization wants to ensure that all projects in their GCP organization have consistent IAM policies. They also need to restrict the use of external IP addresses on Compute Engine instances for security. Which TWO tools should they use? (Choose TWO.)

Select 2 answers
A.Use an organization policy constraint 'compute.vmExternalIpAccess' at the organization level
B.Apply a deny IAM policy to each project individually
C.Set a quota for external IP addresses per project
D.Use network tags to block external IPs
E.Define IAM policies at the organization level
AnswersA, E

This constraint restricts external IP usage on VMs; it can be set at organization or folder level.

Why this answer

Organization policies can enforce restrictions like disabling external IP addresses across the entire organization. IAM policies at the organization level can set baseline access controls inherited by all projects.

869
MCQhard

A company has a Premium support plan. They experience a critical production outage and need immediate assistance. What is the guaranteed response time for a P1 (Priority 1) case?

A.4 hours
B.8 hours
C.1 hour
D.15 minutes
AnswerD

Premium support provides a 15-minute response time for P1 issues.

Why this answer

Premium support offers a 15-minute response time for P1 cases, along with a Technical Account Manager (TAM) and other benefits.

870
MCQmedium

A company uses Google Cloud and wants to understand their monthly cloud spend before the invoice arrives, track spending trends, and identify the top cost drivers across all services. Which built-in Google Cloud tool provides this visibility?

A.Cloud Monitoring dashboards with cost metrics.
B.Cloud Billing reports and cost breakdown in the Billing console.
C.Cloud Asset Inventory — it lists all resources and their costs.
D.Google Cloud pricing calculator — it shows estimated costs.
AnswerB

The Cloud Billing console provides pre-built reports: cost by service, cost by project, cost over time, and spend forecasts. Billing export to BigQuery enables deeper custom analysis.

Why this answer

Cloud Billing reports and cost breakdown in the Billing console provide built-in, out-of-the-box visibility into monthly spend before the invoice arrives, spending trends, and top cost drivers across all services. This tool aggregates billing data from all projects and services, allowing you to filter by time range, project, service, or SKU, and view cost trends and breakdowns without additional configuration.

Exam trap

The GCDL exam often tests the misconception that Cloud Monitoring can natively show cost metrics, but in reality, cost metrics require billing export to BigQuery and custom dashboard setup, whereas Cloud Billing reports provide this visibility immediately without additional configuration.

How to eliminate wrong answers

Option A is wrong because Cloud Monitoring dashboards with cost metrics require you to export billing data to BigQuery and then create custom dashboards, which is not a built-in, out-of-the-box solution for immediate cost visibility. Option C is wrong because Cloud Asset Inventory lists all resources and their metadata, but it does not provide cost data or spending trends; it is designed for asset discovery and governance, not cost analysis. Option D is wrong because the Google Cloud pricing calculator is a planning tool used to estimate costs before deployment, not a tool for viewing actual incurred spend or tracking trends.

871
Multi-Selectmedium

A security team needs to implement the principle of least privilege for a group of data scientists who only need to query BigQuery datasets, but not modify or delete them. Which THREE IAM roles should be granted? (Choose 3)

Select 3 answers
A.roles/bigquery.dataEditor
B.roles/bigquery.dataViewer
C.roles/bigquery.admin
D.roles/bigquery.user
E.roles/bigquery.jobUser
AnswersB, D, E

Allows viewing dataset metadata and querying data.

Why this answer

BigQuery Data Viewer allows querying datasets. BigQuery Job User allows running jobs. BigQuery User is a broader role that includes querying but also other permissions.

The combination of these allows read-only querying.

872
MCQmedium

A developer is deploying a web application on Compute Engine and needs to distribute traffic across multiple VM instances in different regions. They also need SSL termination and health checks. Which Google Cloud networking service should they use?

A.Cloud Load Balancing
B.VPC peering
C.Cloud Armor
D.Cloud CDN
AnswerA

HTTP(S) Load Balancer is global, supports SSL termination, and distributes traffic across backends with health checks.

Why this answer

Cloud Load Balancing (HTTP(S) Load Balancer) is a global, scalable load balancing service that distributes traffic across instance groups in multiple regions, provides SSL termination, and performs health checks. Cloud CDN is for caching content; Cloud Armor is for security policies; VPC peering connects networks.

873
MCQhard

A healthcare organization needs to store and analyze large volumes of patient diagnostic imaging data (e.g., DICOM files) in Google Cloud. The data must be stored in a cost-effective manner for long-term retention, with the ability to query metadata and run analytics using SQL-like queries. Which combination of Google Cloud services best meets these requirements?

A.Cloud Storage (Standard) for images, Datastore for metadata
B.Cloud Storage (Archive) for images, Cloud Spanner for metadata
C.Cloud Storage (Nearline) for images, BigQuery for metadata analytics
D.Cloud Filestore for images, Cloud SQL for metadata
AnswerC

Nearline is cost-effective for long-term retention with low access frequency; BigQuery provides SQL analytics on metadata.

Why this answer

Option C is correct because Cloud Storage Nearline provides cost-effective long-term storage for large imaging files with retrieval flexibility, while BigQuery enables SQL-based analytics on metadata extracted from DICOM headers, meeting both retention and query requirements without the cost of standard storage or the complexity of transactional databases.

Exam trap

Google Cloud often tests the misconception that 'cost-effective long-term storage' must use Archive storage, ignoring that Nearline is sufficient for data accessed occasionally (e.g., quarterly analytics) and that BigQuery is the only service listed that provides native SQL analytics on metadata at scale.

How to eliminate wrong answers

Option A is wrong because Cloud Storage Standard is not cost-effective for long-term retention (higher per-GB cost than Nearline/Archive) and Datastore is a NoSQL document database optimized for transactional workloads, not for SQL-like analytics on large metadata sets. Option B is wrong because Cloud Storage Archive has the lowest storage cost but imposes retrieval delays (minutes to hours) unsuitable for frequent analytics, and Cloud Spanner is a globally distributed relational database designed for high-availability transactions, overkill and expensive for metadata querying. Option D is wrong because Cloud Filestore is a network-attached file system for high-performance computing workloads (e.g., NFSv3), not designed for object storage of DICOM files, and Cloud SQL is a relational database for OLTP, not for scalable analytics on large metadata volumes.

874
MCQhard

A platform engineering team is designing a self-service cloud environment for development teams. They want developers to be able to provision approved cloud resources quickly without waiting for central IT approval for every request, while still ensuring compliance with security and cost policies. Which architectural approach best balances developer agility with governance?

A.Require all resource provisioning requests to be submitted as tickets to the central IT team for manual review and approval before any resources are created
B.Give all developers Owner access to all Google Cloud projects so they can provision any resources without delays
C.Provide a self-service catalog of pre-approved, policy-compliant infrastructure templates with automated provisioning, budget alerts, and org policy guardrails — enabling developer agility while enforcing compliance automatically
D.Allow developers to provision resources freely in a shared sandbox project only, keeping production entirely controlled by central IT
AnswerC

This is the platform engineering approach: build the rails, not the roads. Pre-approved templates (Terraform modules, Config Connector blueprints) let developers self-serve within defined boundaries. Org policies prevent non-compliant configurations. Budget alerts enforce cost controls. Developers move fast; governance is automated, not manual.

Why this answer

Option C is correct because it uses a self-service catalog with pre-approved, policy-compliant templates (e.g., Deployment Manager or Terraform configurations) combined with Organization Policy Service guardrails and automated budget alerts. This approach allows developers to provision resources on demand while enforcing security and cost policies automatically, balancing agility with governance without manual bottlenecks.

Exam trap

Google Cloud often tests the misconception that giving developers full access (Option B) or restricting them to a sandbox (Option D) are acceptable trade-offs, when in fact the correct answer requires a policy-as-code approach that enforces guardrails automatically without manual intervention.

How to eliminate wrong answers

Option A is wrong because requiring manual ticket-based approval for every request creates a central IT bottleneck that destroys developer agility, contradicting the goal of self-service provisioning. Option B is wrong because giving all developers Owner access to all projects violates the principle of least privilege, bypasses all governance controls, and creates severe security and compliance risks. Option D is wrong because restricting developers to a shared sandbox project only does not address their need to provision approved resources in production-like environments; it still forces central IT control for production, failing to balance agility with governance across the full lifecycle.

875
MCQhard

A DevOps engineer needs to grant a CI/CD pipeline (running on Compute Engine) permissions to deploy a Cloud Run service. The pipeline uses a service account. What is the correct approach to assign the necessary IAM role to the service account?

A.Create a new service account, grant the Cloud Run Deployer role, and export a key file to the instance
B.Grant the Cloud Run Deployer role to the Compute Engine default service account
C.Use the Cloud Run service agent with the roles/run.serviceAgent role
D.Grant the Cloud Run Admin role to the user account running the pipeline
AnswerB

Attach a service account to the instance and grant it the Cloud Run Deployer role to allow deployment.

Why this answer

The best practice is to attach the service account to the Compute Engine instance and grant the Cloud Run Deployer role to that service account.

876
MCQeasy

A startup wants to organize its Google Cloud resources by separating development, staging, and production environments. They also need to apply common IAM policies across all projects in each environment. Which resource hierarchy component should they use to group projects per environment?

A.Organization node
B.Tags
C.Folders
D.Labels
AnswerC

Folders are containers for projects and can be used to group projects by environment. IAM policies on folders are inherited by child projects.

Why this answer

Folders allow grouping of projects and are used to reflect organizational structure or environment separation. IAM policies applied at the folder level are inherited by all projects within that folder.

877
MCQeasy

A company wants to automatically scale their Compute Engine managed instance group based on the number of requests per second. Which metric should they use?

A.CPU utilization
B.HTTP load balancing serving capacity
C.Instance group size
D.custom metric from Cloud Monitoring
AnswerD

Custom metrics allow you to export application-level request rates.

Why this answer

Option D is correct because the company needs to scale based on requests per second, which is a custom application-level metric. Cloud Monitoring allows you to create custom metrics from your application, and managed instance groups can use these custom metrics for autoscaling, enabling precise scaling based on actual request throughput rather than proxy indicators.

Exam trap

The trap here is that candidates often confuse 'HTTP load balancing serving capacity' with request rate, but that metric measures the load balancer's backend capacity utilization (a ratio), not the raw number of requests per second, which requires a custom application metric.

How to eliminate wrong answers

Option A is wrong because CPU utilization is a system-level metric that does not directly correlate with requests per second; an instance could be CPU-bound for other reasons, leading to inaccurate scaling. Option B is wrong because HTTP load balancing serving capacity is a metric related to the load balancer's capacity, not the number of requests per second hitting the application; it measures backend capacity utilization, not request rate. Option C is wrong because instance group size is a static count of instances, not a metric that drives scaling decisions; using it as a scaling metric would create a circular dependency.

878
MCQmedium

A product manager asks a cloud engineer: 'What exactly is an API, and why is it important for our cloud-based application?' Which explanation is most accurate and useful for a non-technical product manager?

A.An API is a programming language used to write cloud applications, similar to Python or Java
B.An API is a defined contract that allows software components, services, and applications to communicate and exchange data with each other — enabling integration between cloud services and third-party systems without requiring knowledge of each other's internals
C.An API is a user interface that allows non-technical staff to access cloud resources through a web browser
D.An API is a security certificate that authenticates cloud services to prevent unauthorized access
AnswerB

This is accurate and useful for a product manager. APIs define how services talk to each other (what to send, what to expect back) without requiring implementation details. Cloud's power comes largely from APIs: your application can call a translation API, payment API, maps API, and ML API to compose sophisticated functionality from independent services.

Why this answer

Option B is correct because an API (Application Programming Interface) is a defined contract—typically using HTTP methods (GET, POST, PUT, DELETE) and data formats like JSON or XML—that enables software components to communicate and exchange data without exposing internal implementation details. For a cloud-based application, APIs are crucial because they allow seamless integration between cloud services (e.g., AWS Lambda, Azure Functions) and third-party systems, enabling modularity, scalability, and interoperability. This explanation is most accurate and useful for a non-technical product manager as it focuses on the functional role of APIs rather than misleading technical jargon.

Exam trap

The GCDL exam often tests the misconception that an API is a programming language or a user interface, tempting candidates who confuse interface types (API vs. GUI) or overgeneralize from common cloud terms like 'API gateway' without understanding the core definition.

How to eliminate wrong answers

Option A is wrong because an API is not a programming language; it is an interface or protocol that allows different software components to interact, whereas Python and Java are general-purpose programming languages used to implement APIs. Option C is wrong because an API is not a user interface (UI) for non-technical staff; a web-based UI like a dashboard or console provides graphical access to cloud resources, while APIs are programmatic endpoints typically consumed by developers or automated systems. Option D is wrong because an API is not a security certificate; while APIs often use authentication mechanisms like OAuth 2.0 or API keys for secure access, the API itself is the communication contract, not a certificate.

879
MCQeasy

A company wants its internal applications to be accessible via a custom domain name (e.g., `app.company.com`) that routes to their Google Cloud load balancer. Which Google Cloud service manages DNS records for this?

A.Cloud CDN — it manages domain names for cached content.
B.Cloud DNS
C.Cloud Load Balancing — it automatically assigns domain names.
D.Cloud Armor — it routes traffic based on domain names.
AnswerB

Cloud DNS manages DNS zones and records. An A record pointing app.company.com to the load balancer's IP address routes users from the custom domain to the GCP load balancer.

Why this answer

Cloud DNS is the correct service because it is Google Cloud's managed DNS service that translates human-readable domain names (like app.company.com) into IP addresses. It allows you to create and manage DNS records (such as A, CNAME, or ALIAS records) that point your custom domain to the IP address or hostname of your Google Cloud load balancer, enabling traffic routing to your internal applications.

Exam trap

The trap here is confusing services that handle traffic (like Cloud Load Balancing or Cloud Armor) with the service that manages DNS records, leading candidates to pick a service that operates at a different layer of the network stack.

How to eliminate wrong answers

Option A is wrong because Cloud CDN is a content delivery network that caches content at edge locations to improve latency; it does not manage DNS records or domain name resolution. Option C is wrong because Cloud Load Balancing distributes traffic across backends but does not automatically assign or manage domain names; you must configure DNS separately to point a custom domain to the load balancer's IP or hostname. Option D is wrong because Cloud Armor is a web application firewall that provides security policies (e.g., IP allowlisting/denylisting, OWASP rules) and can filter traffic based on domain names, but it does not manage DNS records or domain name resolution.

880
MCQmedium

A company needs to store petabytes of time-series IoT sensor data and query it with single-digit millisecond latency at millions of reads per second. The data has a simple key-value structure with timestamps. Which Google Cloud database is MOST appropriate?

A.Cloud Spanner
B.Cloud Bigtable
C.BigQuery
D.Firestore
AnswerB

Bigtable is the correct choice: wide-column NoSQL, designed for time-series and IoT workloads, single-digit ms latency, and scales to millions of QPS with additional nodes.

Why this answer

Cloud Bigtable is designed for petabyte-scale, low-latency, high-throughput NoSQL storage for time-series, IoT, and financial data. It scales horizontally by adding nodes.

881
Multi-Selecthard

A company runs a web application on Compute Engine. They want to improve availability by distributing traffic across multiple regions and automatically failing over if one region becomes unhealthy. Which TWO services should they combine? (Choose two.)

Select 2 answers
A.Cloud DNS with geo-routing
B.Global external HTTP(S) Load Balancer
C.Internal Load Balancer
D.External HTTPS Load Balancer with backend buckets
E.Network Load Balancer
AnswersA, B

Geo-routing directs traffic to healthy regional backends.

Why this answer

External HTTPS Load Balancer with global backend services can route traffic across regions and support failover. Cloud DNS with health checks can route traffic to healthy backends.

882
MCQmedium

A data science team needs to train a custom machine learning model using their own data. They want a unified platform that manages the entire ML lifecycle, including data preparation, training, tuning, and deployment. Which service should they use?

A.AutoML
B.Vertex AI
C.AI Platform
D.Cloud Functions
AnswerB

Vertex AI provides end-to-end ML capabilities: data labeling, training, hyperparameter tuning, and model serving.

Why this answer

Vertex AI is Google Cloud's unified ML platform that covers the full lifecycle from data to deployment.

883
MCQmedium

A retail company experiences traffic spikes during holiday sales. They need to automatically scale their web application instances based on CPU utilization. Which Google Cloud service should they configure?

A.Cloud Load Balancing
B.Google Kubernetes Engine with Horizontal Pod Autoscaler
C.Cloud Functions
D.Managed instance group with autoscaling
AnswerD

MIG autoscaling adds/removes VM instances based on CPU utilization.

Why this answer

Managed instance groups with autoscaling automatically add or remove VM instances based on metrics like CPU utilization, handling traffic spikes efficiently.

884
MCQhard

A company is running a stateful web application on Compute Engine with a SQL database. They want to use Cloud Load Balancing to distribute traffic across multiple instances in different zones. The application stores session state locally on each VM. Users report that after being directed to a different instance, their session is lost. What is the most suitable solution to maintain session persistence?

A.Store session state in Cloud SQL and share across instances
B.Configure Cloud CDN to cache session data
C.Use a global load balancer with HTTP cookies to track sessions
D.Enable session affinity (sticky sessions) on the load balancer
AnswerD

Session affinity ensures that requests from the same user are sent to the same backend instance, preserving local session state.

Why this answer

Cloud Load Balancing supports session affinity (sticky sessions) based on client IP or HTTP cookie, which directs a user to the same backend instance. Moving session state to a central database (Cloud SQL) or Memorystore also works but changes the application. Enabling HTTP cookies is a client-side solution not reliable.

Using a header-based approach is less common.

885
MCQhard

A cloud operations engineer notices that the managed instance group 'my-mig' has been scaling up frequently, but the application performance is still degraded. The CPU utilization metric shows high values. What is most likely the issue?

A.The target size is set to 10, which is lower than the current needed capacity.
B.The instance group is using preemptible VMs which are being reclaimed frequently.
C.The autoscaler is using a cooldown period that is too long, preventing it from scaling down.
D.The scaling metric is not appropriate; consider using a custom metric that better reflects application load.
AnswerD

CPU utilization is not always the best indicator; a custom metric like request latency or queue depth might be better.

Why this answer

Option D is correct because the autoscaler is using CPU utilization as the scaling metric, but high CPU does not necessarily correlate with application performance degradation. If the application is bottlenecked on memory, I/O, or request queuing, CPU may remain high while throughput suffers. A custom metric (e.g., requests per second, latency, or queue depth) would better reflect actual application load and enable more accurate scaling decisions.

Exam trap

The trap here is that candidates assume high CPU utilization always means the application needs more compute capacity, but the question tests the understanding that the scaling metric must be aligned with the actual performance bottleneck, not just a generic system metric.

How to eliminate wrong answers

Option A is wrong because the target size being lower than needed capacity would prevent scaling up sufficiently, but the question states the instance group is scaling up frequently, so the autoscaler is actively adding instances; the issue is that scaling up is not fixing the performance problem. Option B is wrong because preemptible VMs being reclaimed would cause instance churn and potential performance degradation, but the question does not mention preemptible VMs, and the symptom of frequent scaling up with high CPU is not directly caused by preemption. Option C is wrong because a cooldown period that is too long would delay scaling down, not prevent scaling up; the issue here is that scaling up is happening but not resolving the degradation, so the cooldown period is not the root cause.

886
MCQeasy

Which tool would you use to estimate the monthly cost of running a set of Compute Engine virtual machines before deploying them?

A.Cost Management dashboard
B.Active Assist
C.Google Cloud Pricing Calculator
D.Billing export
AnswerC

This is the correct tool for upfront cost estimation.

Why this answer

The Google Cloud Pricing Calculator allows you to estimate costs for various services before deployment.

887
MCQmedium

An organization wants to detect and respond to threats across their GCP environment, including finding misconfigurations, vulnerabilities, and potential malicious activity. Which service provides a unified view of security findings?

A.Mandiant
B.Chronicle
C.Cloud Audit Logs
D.Security Command Center
AnswerD

Security Command Center provides a unified view of security findings across GCP.

Why this answer

Security Command Center is a central dashboard for security findings including vulnerabilities, misconfigurations, and threats.

888
MCQhard

A company runs a mission-critical PostgreSQL database on Google Cloud that must support automatic failover to a standby instance within 60 seconds if the primary instance fails, with minimal data loss. Which Cloud SQL configuration satisfies this high availability requirement?

A.Cloud SQL with automated daily backups, restoring from backup if the primary fails
B.Cloud SQL High Availability configuration with a synchronously replicated standby instance that automatically promotes to primary within approximately 60 seconds of primary failure
C.Cloud SQL read replicas in another region, manually promoted if the primary fails
D.Running a self-managed PostgreSQL cluster on Compute Engine VMs with a custom pacemaker/corosync HA setup
AnswerB

Cloud SQL HA is precisely the right answer. It maintains a standby instance in the same region with synchronous replication, automatically detects primary failure, and promotes the standby without manual intervention. Failover typically completes within 60 seconds, meeting the stated RTO with minimal data loss (synchronous replication means near-zero RPO).

Why this answer

Option B is correct because Cloud SQL's High Availability (HA) configuration uses a synchronous replication mechanism between the primary and standby instances. This ensures that transactions are committed on both instances before being acknowledged, meeting the requirement for minimal data loss. In the event of a primary failure, the standby is automatically promoted to primary within approximately 60 seconds, satisfying the failover time requirement.

Exam trap

The trap here is that candidates may confuse read replicas (which are asynchronous and require manual promotion) with HA standby instances (which are synchronous and automatically promoted), or assume that automated backups can meet a strict 60-second RTO/RPO requirement.

How to eliminate wrong answers

Option A is wrong because restoring from automated daily backups cannot achieve a 60-second failover; recovery time would be much longer (minutes to hours) and data loss would include all changes since the last backup. Option C is wrong because Cloud SQL read replicas use asynchronous replication, which can result in significant data loss (seconds to minutes of transactions) and require manual promotion, failing both the automatic failover and minimal data loss requirements. Option D is wrong because while a self-managed Pacemaker/Corosync cluster could theoretically meet the requirements, it is not a Cloud SQL configuration and would require significant operational overhead, violating the premise of using a managed service; the question specifically asks for a Cloud SQL configuration.

889
MCQmedium

A company has employees who use personal (unmanaged) devices to access corporate applications. The security team wants to prevent sensitive Google Workspace documents from being downloaded to personal devices. Which Google control most directly addresses this data loss prevention requirement for device-based scenarios?

A.Cloud Armor, by blocking requests from IP addresses associated with personal devices
B.Google Workspace context-aware access and endpoint management controls that restrict actions (such as downloads) for users accessing from unmanaged personal devices
C.Enabling two-factor authentication for all users, which prevents unauthorized access
D.Encrypting all Google Drive files so they cannot be read on personal devices
AnswerB

Google Workspace provides device-level context-aware access. Organizations can define policies that restrict capabilities based on device enrollment status — allowing read-only web access on unmanaged devices while blocking downloads, or requiring device enrollment to access sensitive content.

Why this answer

Option B is correct because Google Workspace context-aware access combined with endpoint management allows administrators to create access level policies that restrict specific actions—such as downloading, printing, or copying—based on device trust signals. When a user accesses Google Workspace from an unmanaged personal device, the policy can block the download of sensitive documents directly, addressing the data loss prevention requirement at the action level rather than just the access level.

Exam trap

The trap here is that candidates often confuse network-level controls (like Cloud Armor) or authentication controls (like 2FA) with device-level data loss prevention, failing to recognize that only context-aware access with endpoint management can enforce granular action restrictions based on device trust status.

How to eliminate wrong answers

Option A is wrong because Cloud Armor is a network security service that filters traffic at the edge based on IP addresses or geographic regions, but it cannot distinguish between managed and unmanaged devices or control application-level actions like downloads within Google Workspace. Option C is wrong because two-factor authentication (2FA) only verifies user identity at login; it does not enforce device-based restrictions or prevent a legitimate authenticated user from downloading sensitive documents to a personal device. Option D is wrong because encrypting Google Drive files protects data at rest and in transit, but it does not prevent a user with valid decryption keys from downloading and saving those files to an unmanaged device; encryption alone does not enforce download policies.

890
MCQmedium

A regional grocery chain wants to compete with national chains that have larger marketing budgets. A consultant argues that cloud adoption can help level the playing field. Which cloud advantage most directly supports this argument?

A.The regional chain can use cloud object storage to store marketing images, matching the storage capacity of national chains
B.Cloud providers offer free unlimited compute to smaller businesses to help them compete
C.Pay-per-use cloud services give the regional chain access to the same advanced analytics, personalization, and demand forecasting capabilities as national chains without requiring equivalent capital investment
D.The regional chain can hire fewer IT staff because cloud providers manage all aspects of their business operations
AnswerC

This is the core democratizing effect of cloud. By paying only for what is used, smaller businesses can deploy capabilities (ML-driven demand forecasting, personalized promotions, real-time inventory analytics) that previously required the capital budgets only large enterprises could afford.

Why this answer

Option C is correct because pay-per-use cloud services enable the regional chain to leverage advanced analytics, personalization, and demand forecasting tools that are typically available only to large enterprises with significant capital budgets. This directly addresses the core challenge of competing with national chains by providing access to sophisticated data-driven marketing capabilities without the upfront investment in infrastructure and software licenses.

Exam trap

Google Cloud often tests the misconception that cloud adoption is primarily about cost savings or storage capacity, when the real transformative advantage for smaller businesses is the ability to access advanced, capital-intensive capabilities (like AI/ML analytics) on a pay-per-use basis, which directly supports competitive parity.

How to eliminate wrong answers

Option A is wrong because object storage for marketing images addresses only a basic storage need, not the advanced analytical and personalization capabilities required to level the playing field in marketing effectiveness. Option B is wrong because cloud providers do not offer free unlimited compute to smaller businesses; they offer pay-as-you-go models and limited free tiers, but unlimited free compute is not a real offering and would not be sustainable. Option D is wrong because cloud providers manage the underlying infrastructure, not all aspects of business operations such as store management, supply chain logistics, or customer service; this overstates the scope of cloud management and does not directly address marketing competition.

891
MCQmedium

A media company runs a video transcoding pipeline on Compute Engine instances that process a large batch of jobs every night. The workload is predictable and takes about 6 hours. After transcoding, the instances are idle until the next batch. How can the company optimize costs without sacrificing the ability to complete the batch within 6 hours?

A.Use preemptible VMs with checkpointing and automatic restarts
B.Purchase committed use discounts for 1 year
C.Use sole-tenant nodes
D.Use standard VMs and turn them off manually after the batch
AnswerA

Preemptible VMs offer significant cost savings and the batch workload can handle interruptions with checkpointing.

Why this answer

Preemptible VMs are up to 80% cheaper but can be terminated at any time. However, the workload is fault-tolerant (can be restarted) and the batch can likely complete within 6 hours if the job is designed to handle interruptions. Standard VMs are more expensive, committed use discounts require 1- or 3-year commitments, and sole-tenant nodes are for isolation, not cost savings.

892
MCQmedium

A company uses Google Workspace and wants to analyze employee productivity trends by processing Gmail and Calendar data. They need a solution that integrates natively with Google Workspace and allows custom SQL queries. Which tool should they use?

A.Looker Studio
B.Looker
C.BigQuery
D.Dataflow
AnswerA

Looker Studio has native connectors for Google Workspace and allows custom SQL for analysis.

Why this answer

Looker Studio (formerly Google Data Studio) can connect to Google Workspace data sources and allow custom SQL for analysis, but more precisely, BigQuery can be used if data is exported. However, the best option for direct integration with Google Workspace and SQL queries is BigQuery with the Google Workspace export, but Looker Studio is for visualization, not raw SQL. Actually, the most appropriate is to use BigQuery after exporting Workspace logs.

Among options, Looker Studio is the only one that can directly query Workspace data via connectors. But the question expects Looker Studio because it's a BI tool that connects to Workspace. However, I think the correct answer is Looker Studio because it's designed for data exploration and visualization.

Let me adjust: Actually, Looker Studio can connect to Google Workspace via the Google Workspace connector and allows SQL-like queries. So option D.

893
Multi-Selecthard

A company wants to reduce its on-premises data centre footprint and improve disaster recovery by migrating to Google Cloud. Which THREE Google Cloud features directly support improved disaster recovery? (Choose 3)

Select 3 answers
A.Regional persistent disks with synchronous replication
B.Cloud Interconnect for dedicated connectivity
C.Preemptible VMs for cost savings
D.Cloud Load Balancing with global anycast IP
E.Multi-regional storage classes (e.g., Standard, Nearline)
AnswersA, D, E

Regional disks replicate data across zones in a region, providing high availability.

Why this answer

Regional persistent disks, multi-regional storage, and Cloud Load Balancing all support disaster recovery by providing geo-redundancy and traffic distribution across regions. Preemptible VMs are for cost savings, not DR.

894
MCQeasy

What access does Alice have to the Cloud Storage bucket?

A.Write objects only
B.Full control
C.Read objects only
D.Read and write objects
AnswerC

objectViewer permission allows listing and reading objects.

Why this answer

Option C is correct because the scenario describes Alice having read-only access to the Cloud Storage bucket. This is typically granted via IAM roles like 'roles/storage.objectViewer' in Google Cloud, which allows listing and reading objects but not writing or deleting them. The question implies that Alice can only view or download objects, not modify or upload them.

Exam trap

Google Cloud often tests the misconception that 'read-only' access implies the ability to list bucket contents but not download objects, whereas in Cloud Storage, read access includes both listing and downloading objects via the storage.objects.get permission.

How to eliminate wrong answers

Option A is wrong because 'Write objects only' would allow Alice to upload or overwrite objects but not read them, which contradicts the scenario where she can view objects. Option B is wrong because 'Full control' would grant Alice all permissions including read, write, and delete, which is excessive and not implied. Option D is wrong because 'Read and write objects' would allow both reading and uploading, but the scenario only indicates read access, not write.

895
MCQeasy

An organization wants to separate billing and access control for two departments, each with multiple projects. They also need to apply common IAM policies to all projects in a department. What is the recommended way to structure their resource hierarchy?

A.Use folders under the organization node, one per department, and place projects inside them
B.Place all resources in a single project and use Cloud Identity groups for access
C.Create one project per department and use labels to separate them
D.Create separate billing accounts per department and link projects directly
AnswerA

Folders enable grouping and policy inheritance for all projects within.

Why this answer

Folders sit below the organization node and above projects. They allow grouping projects by department and applying IAM policies at the folder level, which are inherited by all projects within.

896
MCQhard

A company uses Cloud Functions to process image uploads. Each image triggers a function that uses Vision API to extract text and stores results in Firestore. The function sometimes fails due to timeout when images are large. How should they redesign for reliability and scale?

A.Use Cloud Tasks with Cloud Run to process images asynchronously
B.Use Cloud Scheduler to trigger the function every minute
C.Increase the function timeout to 60 minutes
D.Use Compute Engine VMs with startup scripts
AnswerA

Cloud Tasks queues work; Cloud Run supports longer timeouts and scales to zero.

Why this answer

Cloud Functions has a timeout limit (9 minutes max for gen2). For long-running operations, use Cloud Run or migrate processing to a queue. Cloud Tasks with Cloud Run decouples and allows async processing with longer timeouts.

897
MCQmedium

A company migrating to the cloud wants to focus on building applications rather than managing servers. Which Google Cloud compute service provides a fully managed platform for web applications that automatically scales?

A.Cloud Functions
B.Google Kubernetes Engine
C.Compute Engine
D.App Engine
AnswerD

App Engine is a fully managed platform with automatic scaling for web apps.

Why this answer

App Engine is a fully managed, serverless platform that automatically scales web applications based on traffic. It abstracts away server management, allowing developers to focus solely on writing code, which aligns directly with the requirement to build applications without managing infrastructure.

Exam trap

The trap here is that candidates often confuse 'fully managed' with 'serverless' and incorrectly choose Cloud Functions (A) because it is serverless, but they overlook that Cloud Functions is not designed for hosting complete web applications with persistent HTTP routing and automatic scaling in the same way App Engine is.

How to eliminate wrong answers

Option A is wrong because Cloud Functions is a serverless compute service designed for event-driven, single-purpose functions, not for hosting full web applications with automatic scaling. Option B is wrong because Google Kubernetes Engine (GKE) is a managed Kubernetes cluster that still requires users to manage container orchestration, node pools, and scaling policies, not a fully managed platform that abstracts servers entirely. Option C is wrong because Compute Engine provides virtual machines (VMs) that require manual configuration, patching, and scaling, which contradicts the goal of not managing servers.

898
Multi-Selectmedium

An organization needs to enforce that resources in a specific project cannot use certain machine series (e.g., f1-micro) due to performance requirements. They also need to tag resources with an 'environment' label for cost tracking. Which TWO methods should they use? (Choose TWO.)

Select 2 answers
A.Use resource tags (network tags) to deny f1-micro usage
B.Add a label 'environment' to each resource for cost tracking
C.Use Cloud Audit Logs to monitor f1-micro usage and manually enforce
D.Apply a deny IAM policy to prevent creation of f1-micro instances
E.Create an organization policy with a compute.disableMachineSeries constraint at the folder or project level
AnswersB, E

Labels are key-value pairs used for billing and cost attribution.

Why this answer

Organization policies (constraints) can be used to restrict resource types, including machine series. Labels are key-value metadata for cost tracking. Tags (formerly network tags) are for firewall rules, not policy enforcement.

899
MCQhard

A retail chain with 500 stores wants to implement dynamic pricing — adjusting prices in real-time based on demand signals, competitor pricing, inventory levels, and weather forecasts. This requires processing millions of data points and updating prices across all stores within minutes. Which cloud capabilities make this possible?

A.A relational database that stores all prices with daily batch updates from a pricing spreadsheet.
B.Real-time stream processing (Pub/Sub + Dataflow) combined with ML model serving (Vertex AI) to ingest signals and compute optimized prices at scale.
C.A cloud-hosted ERP system that replaces the on-premises inventory management system.
D.A static website hosted on Cloud Storage that displays current prices.
AnswerB

Stream processing handles continuous price signals; ML models score optimal prices in real-time; elastic cloud compute handles demand spikes. This combination enables true dynamic pricing at retail scale.

Why this answer

Option B is correct because it combines real-time stream processing (Pub/Sub for ingesting millions of data points, Dataflow for processing them with low latency) with ML model serving (Vertex AI) to compute optimized prices on the fly. This architecture enables the sub-minute price updates required for dynamic pricing across 500 stores, leveraging Google Cloud's serverless, auto-scaling capabilities.

Exam trap

Google Cloud often tests the misconception that replacing an on-premises system with a cloud-hosted ERP (Option C) is sufficient for real-time processing, when in fact dynamic pricing requires dedicated stream processing and ML services, not just a migrated ERP.

How to eliminate wrong answers

Option A is wrong because a relational database with daily batch updates cannot process millions of real-time data points and update prices within minutes; batch updates introduce hours of latency, making dynamic pricing impossible. Option C is wrong because a cloud-hosted ERP system replaces on-premises inventory management but does not provide real-time stream processing or ML-based price optimization; it lacks the event-driven ingestion and model serving needed for dynamic pricing. Option D is wrong because a static website hosted on Cloud Storage merely displays current prices and has no mechanism to ingest signals, compute prices, or propagate updates across stores in real time.

900
MCQeasy

Which Google Cloud service provides threat intelligence and incident response capabilities, including access to Mandiant expertise?

A.Security Command Center
B.Chronicle
C.Mandiant
D.Cloud IDS
AnswerC

Mandiant offers threat intelligence and incident response services, including expert consulting.

Why this answer

Mandiant is Google Cloud's threat intelligence and incident response service. Security Command Center provides vulnerability scanning but not Mandiant expertise. Chronicle is a SIEM.

Cloud IDS is network intrusion detection.

Page 11

Page 12 of 14

Page 13
Google Cloud Digital Leader GCDL Questions 826–900 | Page 12/14 | Courseiva