Google Cloud Digital Leader (GCDL) — Questions 901–975

991 questions total · 14 pages · All types, answers revealed

Page 13 of 14

901
MCQ · medium

A company wants to detect and prioritize vulnerabilities in their Compute Engine VMs and GKE clusters. They also need a centralized view of security findings across their organization. Which service should they use?

A. Cloud IDS
B. Web Risk API
C. Security Command Center
D. Chronicle
Answer: C

SCC provides vulnerability scanning and centralized security management.

Why this answer

Security Command Center (SCC) is the central vulnerability and threat detection service for GCP. It finds misconfigurations, vulnerabilities, and threats across services like Compute Engine and GKE, and provides a dashboard for prioritization. Chronicle is a SIEM for log analysis, not vulnerability scanning.

Cloud IDS is for network intrusion detection. Web Risk API is for checking URLs against threat lists.

902
MCQ · easy

Which layer of Google's defence-in-depth security model includes the use of TLS for data in transit?

A. Data security
B. Operational security
C. Deployment security
D. Physical security
Answer: A

Data security includes encryption in transit (TLS) and at rest.

Why this answer

Data security covers encryption of data at rest and in transit. Physical security is about data centers. Operational security covers processes.

Deployment security is about secure infrastructure deployment.

903
Multi-Select · easy

A company wants to adopt a hybrid cloud strategy to keep sensitive data on-premises while taking advantage of Google Cloud for analytics. Which TWO Google Cloud products enable this architecture? (Choose 2)

Select 2 answers
A. BigQuery
B. Anthos
C. Cloud Run
D. Secret Manager
E. Cloud VPN
Answers: B, E

Anthos allows managing workloads across on-premises and Google Cloud.

Why this answer

Anthos provides a consistent platform across on-premises and cloud. Cloud VPN or Cloud Interconnect can connect on-prem to Google Cloud. Secret Manager is for secrets; Cloud Run is serverless; BigQuery is analytics but does not enable hybrid architecture.

904
MCQ · medium

A company wants to analyze petabytes of sales data using SQL queries with sub-second response times for dashboards. They need a fully managed, serverless solution that separates storage and compute. Which service meets these requirements?

A. BigQuery
B. Cloud SQL
C. Cloud Spanner
D. Dataflow
Answer: A

BigQuery is serverless, petabyte-scale, and optimized for SQL analytics with sub-second interactive queries.

Why this answer

BigQuery is a serverless data warehouse that stores petabytes and uses SQL with fast query performance via columnar storage and separation of compute and storage.

905
MCQ · medium

An organisation needs to run a batch analytics job every night that processes terabytes of data stored in Cloud Storage. The job is expected to run for 3 hours and can tolerate interruptions. The compute resources should be as cost-effective as possible. Which Compute Engine VM type should be used?

A. Standard (on-demand) VMs
B. Custom machine types
C. Preemptible VMs
D. Sole-tenant nodes
Answer: C

Preemptible VMs offer substantial discounts (up to 80%) and are suitable for fault-tolerant batch workloads.

Why this answer

Preemptible VMs are significantly cheaper than standard VMs and are ideal for batch jobs that can tolerate interruptions. They can be preempted at any time but can be restarted. Standard VMs are for long-running, fault-intolerant workloads.

Sole-tenant nodes are for compliance, not cost savings. Custom machine types allow tailoring resources but do not inherently save cost like preemptible VMs.

906
Multi-Select · easy

A startup is building a mobile app that needs to store user profiles and preferences with low latency. The data is unstructured and frequently read/written. Which TWO Google Cloud database services are most suitable? (Choose 2)

Select 2 answers
A. Bigtable
B. Memorystore
C. Cloud Spanner
D. Cloud SQL
E. Firestore
Answers: A, E

Bigtable is a wide-column NoSQL database that can handle high write/read throughput; it is also suitable if the data volume is extremely high.

Why this answer

Firestore is a NoSQL document database optimised for mobile/web apps with low-latency reads/writes, and it is the typical choice for user profiles and preferences. Bigtable is also NoSQL but designed for high-throughput time-series data; it can hold user data, but is overkill unless the scale is very high.

Memorystore is a cache, not a primary database. It could be combined with Firestore (Firestore as primary, Memorystore as cache), but the question asks for 'database services'. Cloud SQL is relational.

That leaves Firestore and Bigtable as the two NoSQL database options, with Firestore the more appropriate of the two for user profiles.

907
MCQ · hard

A team wants to enforce that resources in a specific folder must have a label with key 'cost-center' and value 'finance'. Which Google Cloud feature can enforce this requirement?

A. IAM Conditions
B. Organization policies with a constraint on labels
C. Active Assist recommendations
D. Cloud Audit Logs
Answer: B

Organization policies can enforce label requirements.

Why this answer

Organization policies can enforce constraints on labels. Using a custom organization policy, you can require that certain labels be present on resources within a folder. This is done via the 'constraints/gcp.resourceLabels' constraint.

908
MCQ · hard

A telecommunications company has completed a cloud migration but finds that its business agility — the speed at which it can launch new products — has not improved. An analysis reveals that while the infrastructure is now cloud-based, the software development and release processes remain unchanged: quarterly release cycles, lengthy change approval boards, and manual testing. What does this situation illustrate?

A. The company chose the wrong cloud provider; a different provider's infrastructure would enable faster releases
B. Cloud infrastructure adoption without modernizing software delivery practices (CI/CD, automated testing, continuous deployment) does not unlock agility; the delivery process is the bottleneck
C. Quarterly release cycles are appropriate for telecommunications products that require extensive regulatory testing, and the lack of agility is not a problem
D. The company must rebuild all applications as microservices before cloud can provide agility benefits
Answer: B

This is the core lesson. Cloud is an enabler of agility, not a guarantor. Without automated CI/CD pipelines, continuous testing, and frequent deployment cadences, quarterly releases persist regardless of whether code runs on cloud or on-premises VMs. DevOps practices and cloud infrastructure must be adopted together.

Why this answer

This illustrates that cloud infrastructure adoption without changing software delivery practices provides limited agility benefits. Cloud's agility potential is unlocked by complementary practices: CI/CD pipelines, automated testing, trunk-based development, and feature flags that enable continuous delivery. Quarterly release cycles with manual testing create the same bottleneck regardless of whether the infrastructure is on-premises or in the cloud.

909
MCQ · easy

A startup wants to launch a new application and expects unpredictable traffic patterns. They want to avoid upfront hardware costs and only pay for resources they use. Which cloud deployment model best meets their needs?

A. Private cloud
B. Hybrid cloud
C. Public cloud
D. Multi-cloud
Answer: C

Public cloud like Google Cloud provides pay-as-you-go, elastic scaling, and no upfront costs.

Why this answer

Public cloud offers pay-as-you-go pricing, on-demand scaling, and no upfront hardware costs, ideal for unpredictable workloads. Private and hybrid models typically involve capital expenditure.

910
MCQ · hard

A global e-commerce company serves customers from multiple continents. They want to guarantee fast page load times and minimize latency. Which Google Cloud service is most suitable for this transformation?

A. Cloud SQL for data caching
B. Cloud Storage multi-regional buckets
C. Cloud CDN with global external HTTP(S) load balancing
D. Compute Engine with large VMs
Answer: C

Cloud CDN caches content at edge locations, drastically reducing latency for global users.

Why this answer

Cloud CDN with global external HTTP(S) load balancing is the most suitable solution because it caches static and dynamic content at edge locations worldwide, reducing latency for users across multiple continents. The global load balancer provides anycast IP addresses that route traffic to the nearest healthy backend, while Cloud CDN serves cached content directly from the edge, minimizing round-trip time and improving page load times.

Exam trap

Google Cloud often tests the misconception that multi-regional storage alone (Option B) provides low latency, but candidates must understand that storage redundancy does not equal edge caching or request routing, which are essential for minimizing page load times across continents.

How to eliminate wrong answers

Option A is wrong because Cloud SQL is a managed relational database service, not a caching solution; it does not reduce latency for static content delivery and would introduce database overhead for page loads. Option B is wrong because Cloud Storage multi-regional buckets provide geo-redundant object storage but lack edge caching and request routing optimization; they require additional services like Cloud CDN to minimize latency. Option D is wrong because Compute Engine with large VMs addresses compute capacity, not latency; it does not distribute content geographically or cache responses, and users would still experience high latency from distant regions.

911
MCQ · easy

An organization wants to use Google Cloud for processing healthcare data subject to HIPAA regulations in the United States. Which contractual document must the organization obtain from Google before storing Protected Health Information (PHI) in Google Cloud?

A. A Non-Disclosure Agreement (NDA) to prevent Google from disclosing the existence of the healthcare application
B. A Business Associate Agreement (BAA), which is legally required by HIPAA before any covered entity can process Protected Health Information with a cloud provider
C. A Data Processing Agreement (DPA) as required under GDPR for European data subjects
D. An ISO 27001 certificate issued by Google Cloud demonstrating information security compliance
Answer: B

The BAA is non-negotiable for HIPAA compliance. Google Cloud offers a BAA that covers specific services for HIPAA workloads. Without a BAA in place, any PHI stored in Google Cloud constitutes a HIPAA violation — technical security controls alone do not satisfy the legal requirement.

Why this answer

Under HIPAA, a covered entity or business associate must obtain a Business Associate Agreement (BAA) from any cloud service provider that will create, receive, maintain, or transmit Protected Health Information (PHI). Google Cloud offers a BAA that contractually binds Google to comply with HIPAA Security and Privacy Rules, including safeguarding PHI and reporting breaches. Without a signed BAA, storing PHI in Google Cloud would violate HIPAA regulations.

Exam trap

The trap here is that candidates confuse a generic data protection document (like a DPA or NDA) with the HIPAA-specific BAA, or mistakenly believe that a security certification alone satisfies the contractual requirement for handling PHI.

How to eliminate wrong answers

Option A is wrong because a Non-Disclosure Agreement (NDA) only prevents disclosure of confidential information, but it does not impose the specific HIPAA-required safeguards, breach notification obligations, or permitted use restrictions that a BAA provides. Option C is wrong because a Data Processing Agreement (DPA) is mandated under GDPR for processing personal data of European data subjects, not for HIPAA compliance in the United States; HIPAA requires a BAA, not a DPA. Option D is wrong because an ISO 27001 certificate demonstrates that Google Cloud has an information security management system, but it is a certification, not a contractual document, and does not fulfill the HIPAA requirement for a signed BAA that includes specific privacy and security provisions.

912
MCQ · hard

An engineer is deploying a globally distributed application that requires strong consistency across multiple continents with a 99.999% uptime SLA. The data model is relational with SQL queries. Which database service should they use?

A. Cloud Spanner
B. Firestore in multi-region mode
C. Cloud SQL with cross-region replication
D. Bigtable with replication
Answer: A

Spanner offers strong consistency, global distribution, and 99.999% SLA. It is the only choice for globally consistent relational data.

Why this answer

Cloud Spanner is the only Google Cloud database that provides globally distributed, strongly consistent relational data with a 99.999% SLA.

913
MCQ · easy

A fashion retailer wants to use cloud to better understand customer preferences and launch trend-responsive product lines faster. Which capability most directly enables the retailer to sense market trends earlier and respond faster than competitors?

A. Real-time analytics on social media, search trends, and purchase signals to detect emerging preferences earlier, combined with cloud-integrated supply chain APIs for faster product launches
B. Moving the ERP system to a cloud-hosted VM to reduce infrastructure management overhead
C. Training the design team on cloud-based graphic design software for faster product visualization
D. Storing all historical sales data in cloud object storage for cheaper archival
Answer: A

This is the data-to-action pipeline that creates competitive advantage: real-time social/search data ingested at cloud scale reveals trends early; ML identifies patterns; supply chain APIs allow rapid response. The combination of early trend detection and fast execution creates a competitive moat.

Why this answer

Option A is correct because it directly addresses the retailer's goal of sensing market trends earlier and responding faster. Real-time analytics on social media, search trends, and purchase signals enable early detection of emerging preferences, while cloud-integrated supply chain APIs allow for rapid product launches by automating and accelerating the procurement and production processes. This combination of sensing and response capabilities is the most direct enabler of competitive advantage in trend-responsive retail.

Exam trap

The GCDL exam often tests the distinction between operational improvements (like moving to a VM or using cloud storage) and strategic capabilities that directly enable competitive advantage through sensing and response; the trap here is that candidates may confuse general cloud benefits (cost savings, reduced overhead) with the specific capability needed for trend responsiveness.

How to eliminate wrong answers

Option B is wrong because moving an ERP system to a cloud-hosted VM primarily reduces infrastructure management overhead and may improve scalability, but it does not directly enable earlier sensing of market trends or faster product launches; it is an operational improvement, not a strategic sensing and response capability. Option C is wrong because training the design team on cloud-based graphic design software improves product visualization speed, but it does not provide real-time market trend sensing or supply chain integration; it addresses a downstream design step, not the upstream trend detection or rapid launch process. Option D is wrong because storing historical sales data in cloud object storage for cheaper archival provides cost savings and long-term data retention, but it does not enable real-time analytics or faster response to current trends; archival storage is passive and not designed for active trend sensing or agile supply chain integration.

914
MCQ · easy

A business analyst needs to understand why cloud services bill differently for compute (VMs) versus object storage. Compute VMs are billed per second while they are running; Cloud Storage is billed per GB-month of data stored. Which cloud pricing principle explains why these billing units are different?

A. Cloud providers bill different resources differently to maximize revenue by charging the highest rates for the most-used services
B. Cloud resources are billed based on their natural unit of consumption: compute time for VMs (per second running) and data volume over time for storage (per GB-month) — matching billing to how each resource is actually consumed
C. Storage is charged per GB-month because cloud providers cannot measure storage usage per second accurately
D. The billing difference is a temporary situation; cloud providers are working toward a single universal billing unit for all services
Answer: B

This is the correct explanation. Billing models match consumption patterns: VMs consume CPU/memory as long as they run (time-based), while storage accumulates data that persists over time (data×time). This measured service model ensures billing is proportional to actual resource use.

Why this answer

Option B is correct because cloud providers align billing units with the natural consumption pattern of each resource. Compute VMs consume CPU and memory continuously while running, making per-second billing the most granular and fair measure of actual usage. Object storage, by contrast, incurs cost primarily from the capacity occupied over time, so billing per GB-month directly reflects the resource's persistent footprint.

This principle ensures customers pay only for what they use, in the unit that matches the resource's operational behavior.

Exam trap

The trap here is that candidates confuse pricing strategy with technical feasibility, assuming storage cannot be measured per second (Option C) or that providers are moving to a single unit (Option D), when the real principle is matching billing to the resource's natural consumption model.

How to eliminate wrong answers

Option A is wrong because it incorrectly assumes revenue maximization as the driving principle; in reality, cloud providers use cost-based pricing tied to resource consumption, not arbitrary rate-setting for popular services. Option C is wrong because cloud providers can and do measure storage usage per second (e.g., via continuous capacity monitoring), but billing per second would be impractical and not meaningful since storage cost is driven by sustained occupancy, not instantaneous access. Option D is wrong because there is no industry effort toward a single universal billing unit; different resources inherently have different consumption models (time-based vs. capacity-based), and this diversity is fundamental to cloud pricing.

915
Multi-Select · medium

A security team needs to detect and respond to threats across their Google Cloud environment. Which THREE services should they use together? (Choose 3)

Select 3 answers
A. Mandiant
B. Cloud Logging
C. Cloud Armor
D. Security Command Center
E. Chronicle
Answers: A, D, E

Threat intelligence and incident response capabilities.

Why this answer

Security Command Center for vulnerability scanning and threat detection, Chronicle for SIEM and incident response, and Mandiant for threat intelligence and forensic investigation.

916
MCQ · medium

A company wants to adopt a zero-trust security model for accessing Google Cloud resources. Which Google Cloud technology BEST supports this approach?

A. Cloud VPN
B. BeyondCorp Enterprise
C. Cloud Identity-Aware Proxy (IAP)
D. Firewall Rules
Answer: B

BeyondCorp Enterprise provides a comprehensive zero-trust security framework.

Why this answer

BeyondCorp Enterprise is Google's zero-trust security model that allows access based on identity and context, without VPNs.

917
MCQ · hard

A regulated financial services firm must ensure that its data never leaves a specific geographic region (EU) for compliance with GDPR data residency requirements. Which Google Cloud features help enforce this requirement?

A. Select EU regions for all resources and apply the `gcp.resourceLocations` org policy to restrict resource creation to EU regions only.
B. Enable Cloud Armor on all load balancers to block non-EU traffic.
C. Use HTTPS for all connections to ensure data is encrypted when it leaves the EU.
D. Enable Google Workspace's regional storage settings to restrict where emails are stored.
Answer: A

Selecting EU regions keeps data at rest in the EU. The gcp.resourceLocations org policy prevents accidental creation of resources in non-EU regions, enforcing data residency at the policy level.

Why this answer

Option A is correct because the `gcp.resourceLocations` organization policy constraint explicitly restricts the physical location where Google Cloud resources can be created. By setting this policy to allow only EU regions, the organization ensures that no compute, storage, or database resources can be provisioned outside the EU, directly enforcing GDPR data residency requirements. This policy is evaluated at resource creation time and applies to all projects under the organization, providing a hard enforcement boundary.

Exam trap

The GCDL exam often tests the distinction between network-level controls (like Cloud Armor) and data residency controls (like org policies), leading candidates to mistakenly choose a security tool that blocks traffic rather than a policy that restricts resource location.

How to eliminate wrong answers

Option B is wrong because Cloud Armor is a web application firewall that filters HTTP/S traffic based on IP addresses or geo-location, but it does not prevent data from being stored or processed outside the EU; it only controls incoming network requests, not where data resides. Option C is wrong because HTTPS encrypts data in transit, but encryption does not control the geographic location of data at rest or processing; data can still leave the EU while encrypted, violating residency requirements. Option D is wrong because Google Workspace's regional storage settings apply only to Workspace data (e.g., Gmail, Drive), not to the customer's own applications or data stored in Google Cloud services like Compute Engine or Cloud Storage, and the question is about a regulated financial services firm using Google Cloud, not Workspace.

918
MCQ · medium

A team needs to process and analyze streaming data in real-time as it arrives from IoT sensors. The pipeline must apply transformations, filter events, and write results to BigQuery. Which Google Cloud service is designed for this stream processing use case?

A. Cloud Dataproc
B. Cloud Dataflow
C. Cloud Composer
D. BigQuery Streaming Insert
Answer: B

Dataflow is Google's managed Apache Beam service for real-time stream (and batch) data processing. It ingests from Pub/Sub, transforms data on-the-fly, and writes to BigQuery — the standard GCP streaming pipeline pattern.

Why this answer

Cloud Dataflow is the correct choice because it is a fully managed, serverless service designed specifically for stream and batch data processing. It uses Apache Beam as its programming model, enabling you to apply transformations, filter events, and write results to BigQuery in real-time, exactly matching the described pipeline requirements.

Exam trap

The GCDL exam often tests the distinction between data ingestion (BigQuery Streaming Insert) and data processing (Dataflow), leading candidates to mistakenly choose the streaming insert option because it contains the word 'streaming' and seems directly related to real-time data.

How to eliminate wrong answers

Option A is wrong because Cloud Dataproc is a managed Hadoop/Spark service optimized for batch processing and large-scale data analytics, not for real-time stream processing with built-in support for event-time windows and exactly-once semantics. Option C is wrong because Cloud Composer is a managed workflow orchestration service based on Apache Airflow, designed for scheduling and coordinating batch jobs, not for continuous stream processing. Option D is wrong because BigQuery Streaming Insert is a method for ingesting data into BigQuery in near real-time, but it does not provide the transformation, filtering, or pipeline processing capabilities required; it is a data ingestion endpoint, not a stream processing engine.

919
MCQ · easy

A company wants to enforce the principle of least privilege by granting a service account only the permissions necessary to publish messages to a specific Pub/Sub topic. Which IAM approach should they use?

A. Grant the roles/editor role to the service account at the project level
B. Grant the roles/pubsub.subscriber role to the service account at the topic level
C. Grant the roles/pubsub.publisher role to the service account at the topic level
D. Grant the roles/pubsub.publisher role to the service account at the project level
Answer: C

This restricts the permission to only the specified topic.

Why this answer

IAM allows granting roles at specific resource levels. To grant only publish permission on a specific topic, you should add the service account as a member and assign the Pub/Sub Publisher role (roles/pubsub.publisher) directly on that topic. Granting the role at the project level would give too broad access.

Using a custom role with only the required permission is also correct but more complex; however, the simplest correct approach among the options is to assign a predefined role at the topic level.

920
MCQ · hard

A data engineering team is building a streaming pipeline that ingests clickstream events from a website, processes them in real-time (e.g., aggregations, filtering), and loads the results into BigQuery for analysis. They also need the ability to replay events in case of failures. Which combination of services is MOST appropriate for the streaming ingestion and processing?

A. Cloud Storage and Cloud Functions
B. Pub/Sub and Cloud Dataflow
C. Pub/Sub and Cloud Functions
D. Apache Kafka on Compute Engine
Answer: B

Pub/Sub provides reliable, scalable message ingestion with replay, and Dataflow processes streams in real-time with exactly-once semantics.

Why this answer

Pub/Sub for ingestion allows event replay (by setting a subscription's retention), and Dataflow for stream processing handles real-time transformations and writes to BigQuery.

921
MCQ · medium

A company wants to enforce a policy that prevents all projects in the organization from enabling certain Google Cloud APIs. Where should the policy be applied to ensure it is inherited by all projects, including future ones?

A. On the organization node
B. On the billing account
C. On each individual project
D. On the folder containing the projects
Answer: A

Organization node policies are inherited by all folders and projects.

Why this answer

Organization policies applied at the organization node are inherited by all folders and projects under it. This is the most efficient way to enforce a blanket restriction across the entire resource hierarchy.

922
MCQ · hard

A company is migrating an on-premises Oracle database to Cloud Spanner. They need to move 10 TB of data with minimal downtime. Which migration strategy should they use?

A. Create a VPN tunnel and use Oracle GoldenGate for replication
B. Export the Oracle database as CSV files, upload to Cloud Storage, and import into Spanner using Dataflow
C. Use gcloud commands to stream data from Oracle to Spanner
D. Use Database Migration Service (DMS) with continuous replication
Answer: D

DMS supports Oracle to Spanner migrations using CDC, minimizing downtime.

Why this answer

Database Migration Service (DMS) supports continuous migration from Oracle to Cloud Spanner with minimal downtime using change data capture (CDC).

923
MCQ · hard

Refer to the exhibit. A data processing job must complete within 2 hours. The job can be interrupted but must resume from the last checkpoint. Which two instances should be used to minimize cost while meeting the requirement?

A. worker-2 and worker-4
B. worker-1 and worker-2
C. worker-2 and worker-3
D. worker-1 and worker-3
Answer: A

Both are preemptible, offering lowest cost for interruptible workloads.

Why this answer

Worker-2 and worker-4 are preemptible (spot) instances, which are significantly cheaper than standard instances. The job can be interrupted and resume from the last checkpoint, so preemptible instances are suitable. This combination minimizes cost while meeting the 2-hour completion requirement because preemptible instances have a maximum runtime of 24 hours and can be terminated earlier, but the checkpointing allows the job to complete within the 2-hour window even if interrupted.

Exam trap

Google Cloud often tests the misconception that preemptible instances are unreliable for any time-bound job, but the key is that checkpointing allows resumption, so they are cost-effective for jobs that can tolerate interruptions within the allowed window.

How to eliminate wrong answers

Option B is wrong because worker-1 is a standard (non-preemptible) instance, which costs more than preemptible instances; using it unnecessarily increases cost. Option C is wrong because worker-3 is a standard instance, and pairing it with worker-2 (preemptible) still incurs higher cost than using two preemptible instances. Option D is wrong because both worker-1 and worker-3 are standard instances, resulting in the highest cost without any benefit for a fault-tolerant, checkpointed job.

924
MCQ · medium

An engineer needs to store database passwords and API keys securely. The secrets must be encrypted at rest with a customer-managed key and automatically rotated every 90 days. Which service should they use?

A. Cloud Secret Manager
B. Cloud KMS
C. Datastore
D. Cloud Storage with encryption
Answer: A

Secret Manager stores secrets, supports rotation, and can use CMEK via Cloud KMS.

Why this answer

Secret Manager is designed for storing secrets like API keys and passwords, with built-in rotation and integration with Cloud KMS for CMEK.

925
MCQ · medium

According to the NIST definition of cloud computing, which characteristic allows users to unilaterally provision computing resources such as server time and network storage without requiring human interaction with the service provider?

A. Broad network access
B. On-demand self-service
C. Resource pooling
D. Measured service
Answer: B

On-demand self-service allows users to provision resources (compute, storage) automatically through a portal or API without human interaction with the provider — core to the cloud experience.

Why this answer

NIST's five essential characteristics of cloud computing are: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. 'On-demand self-service' specifically describes the ability for users to provision capabilities automatically without provider interaction — using a web console or API to spin up VMs, databases, or storage instantly, without calling a salesperson or waiting for manual provisioning.

926
Multi-Select · easy

A company wants to implement a CI/CD pipeline for their Cloud Run services. Which THREE Google Cloud services should they use? (Choose 3)

Select 3 answers
A. Cloud Operations Suite
B. Cloud Build
C. Cloud Deploy
D. Cloud Deployment Manager
E. Container Registry (or Artifact Registry)
Answers: B, C, E

Builds container images and runs tests.

Why this answer

Cloud Build is the correct service because it is Google Cloud's fully managed CI/CD platform that can automatically build, test, and deploy code from a repository. For Cloud Run services, Cloud Build can trigger builds on code changes, run tests, and then deploy the container image directly to Cloud Run using a cloudbuild.yaml configuration file.

Exam trap

The trap here is that candidates confuse Cloud Deploy (a continuous delivery service for managing rollout strategies like canary or blue/green) with Cloud Build (the actual CI engine that builds and pushes images), or they mistakenly think Cloud Operations Suite is part of the pipeline because it monitors the deployed service.

927
MCQmedium

An organization needs to protect a web application hosted on Google Cloud from DDoS attacks and SQL injection attempts. They want a managed security service that integrates with Cloud Load Balancing. Which service should they use?

A.Cloud IDS
B.reCAPTCHA Enterprise
C.Cloud Armor
D.VPC firewall rules
AnswerC

Cloud Armor provides DDoS protection and WAF capabilities.

Why this answer

Cloud Armor is Google's managed DDoS protection and Web Application Firewall (WAF) service. It integrates with Cloud Load Balancing to filter traffic based on IP, geo, and HTTP headers, and includes preconfigured rules (e.g., OWASP) to block SQL injection. Cloud IDS is for network intrusion detection. reCAPTCHA Enterprise is for bot detection.

VPC firewall rules are for network-level access control.

928
MCQeasy

Which principle states that a user should be granted only the permissions necessary to perform their job functions?

A.Principle of least privilege
B.Defence in depth
C.Separation of duties
D.Zero trust
AnswerA

Least privilege means giving only the permissions needed to perform a job.

Why this answer

The principle of least privilege is the security concept of granting minimal required permissions. Separation of duties divides tasks among multiple people. Zero trust is a broader security model.

Defence in depth is layered security.

929
MCQmedium

An organization needs to store archival data that must be retained for 10 years and is accessed less than once a year. Which Cloud Storage class offers the lowest storage cost?

A.Archive
B.Standard
C.Coldline
D.Nearline
AnswerA

Archive is the cheapest option for data accessed less than once a year, with 365-day minimum storage.

Why this answer

Archive storage is the lowest-cost storage class for long-term retention, with a 365-day minimum storage duration and higher retrieval costs.

930
MCQmedium

Refer to the exhibit. A DevOps engineer wants to create a chart showing the rate of items sold per second over time. What is a limitation of this metric for that purpose?

A.The metric kind is GAUGE, so it cannot be used to calculate rate
B.The interval should include a startTime
C.The metric has no labels to filter
D.The value should be DOUBLE instead of INT64
AnswerA

GAUGE metrics are snapshots; rate requires DELTA or CUMULATIVE.

Why this answer

Option A is correct because a GAUGE metric type represents a point-in-time value (e.g., current number of items), not a cumulative counter. To calculate a rate (items per second), you need a CUMULATIVE counter metric that monotonically increases, allowing Cloud Monitoring to compute the derivative over time. GAUGE metrics lack the necessary monotonicity and cumulative semantics, so they cannot be used to derive a meaningful rate of change.

Exam trap

Google Cloud often tests the misconception that any numeric metric can be used to compute a rate, when in fact only CUMULATIVE counters support rate-of-change calculations in Cloud Monitoring.

How to eliminate wrong answers

Option B is wrong because including a startTime in the interval is not a limitation of the metric itself; it is a standard parameter for time-series queries and does not prevent rate calculation. Option C is wrong because the absence of labels does not prevent rate calculation; labels are for filtering and aggregation, not for the fundamental ability to compute a rate. Option D is wrong because the data type (INT64 vs DOUBLE) does not affect the ability to calculate a rate; Cloud Monitoring can compute rates on integer values, and the limitation is the metric kind (GAUGE vs CUMULATIVE), not the value type.

931
Multi-Selecthard

A company is migrating a large on-premises Oracle database to Google Cloud. They want to reduce licensing costs and modernize the architecture. Which THREE strategies should they consider? (Choose 3)

Select 3 answers
A.Convert to Cloud SQL for PostgreSQL
B.Migrate to Firestore
C.Use Database Migration Service (DMS) for homogeneous migration
D.Use Bare Metal Solution for Oracle
E.Migrate to Cloud Spanner
AnswersA, D, E

PostgreSQL is open-source, eliminating Oracle license fees.

Why this answer

Migrating to Cloud Spanner avoids Oracle licensing and provides horizontal scaling. Bare Metal Solution is for lift-and-shift without modernization. Converting to Cloud SQL for PostgreSQL reduces license costs but may require schema changes.

Option D is for migration tooling, not a long-term strategy; option E is a different database type.

932
MCQeasy

A company needs to store large volumes of unstructured data (images, videos, backups, documents) with high durability and global accessibility. Which Google Cloud service is designed for object storage at any scale?

A.Persistent Disk
B.Cloud Storage
C.Cloud Filestore
D.Cloud Spanner
AnswerB

Cloud Storage is Google's globally distributed object storage for unstructured data. It stores any type of file (images, videos, backups, datasets) at any scale with 11 nines durability.

Why this answer

Cloud Storage is Google Cloud's fully managed, scalable object storage service designed for unstructured data such as images, videos, backups, and documents. It offers high durability (99.999999999% annual durability) and global accessibility via a unified namespace, making it the correct choice for storing large volumes of unstructured data at any scale.

Exam trap

The GCDL exam often tests the distinction between block, file, and object storage services, leading candidates to confuse Persistent Disk (block) or Cloud Filestore (file) with object storage for unstructured data.

How to eliminate wrong answers

Option A is wrong because Persistent Disk provides block storage for Compute Engine instances, not object storage, and is designed for low-latency access to structured data rather than unstructured data at global scale. Option C is wrong because Cloud Filestore is a managed file storage service (NFS) for shared file systems, optimized for structured workloads like high-performance computing, not for object storage of unstructured data. Option D is wrong because Cloud Spanner is a globally distributed relational database service for transactional and analytical workloads, not an object storage solution for unstructured data.

933
MCQhard

A DevOps engineer uses Terraform to manage Google Cloud resources. They want to ensure that a specific Cloud Storage bucket is deleted before Terraform destroys other dependent resources. The bucket holds the Terraform state file. What is the correct approach to handle this dependency in Terraform?

A.Use `depends_on` in the state bucket resource to depend on all other resources
B.Use `lifecycle` block with `create_before_destroy = true`
C.Use `depends_on` in all other resources to depend on the state bucket
D.Use `terraform state rm` to remove the bucket from state before destroying
AnswerC

By making other resources depend on the state bucket, Terraform will destroy the state bucket after those resources.

Why this answer

Terraform does not guarantee the order of destruction based on implicit dependencies alone. To ensure a specific destroy order, the engineer should use `depends_on` to explicitly declare that the state bucket must be destroyed last (i.e., other resources depend on it). Alternatively, they can move the state file to a different location before destroying.

However, the question asks for the correct approach within Terraform configuration.

934
MCQmedium

A company's cloud operations team is implementing a tagging strategy for cost allocation. They want to ensure that the 'cost-center' label is present on every Compute Engine VM and Cloud Storage bucket created in their Google Cloud organization. Currently, some resources are created without this label. Which combination of controls best enforces and remediates this requirement?

A.Organization Policy custom constraint to prevent creation of resources without the 'cost-center' label (preventive), plus Cloud Asset Inventory to identify existing unlabeled resources for remediation (detective)
B.Only organization policy — once new resources are blocked, existing unlabeled resources don't matter
C.Only Cloud Asset Inventory monitoring — alerting on unlabeled resources is sufficient without preventing their creation
D.Grant all engineers the 'Labels Admin' role to encourage them to add labels voluntarily
AnswerA

This is the complete two-layer approach: prevention (org policy blocks future non-compliant resources at creation time) and detection/remediation (Cloud Asset Inventory finds existing unlabeled resources so they can be labeled retroactively). Together they address both the future and existing state.

Why this answer

A preventive control (org policy custom constraint requiring the label) stops future non-compliant resources. A detective/corrective control (Cloud Asset Inventory + Cloud Functions or Security Command Center) finds and remediates existing unlabeled resources. Both are needed for comprehensive enforcement.

935
Multi-Selecthard

A security team needs to detect and respond to threats across their cloud environment. Which THREE services should they use together? (Choose 3)

Select 3 answers
A.Security Command Center
B.Cloud IDS
C.Cloud Audit Logs
D.Mandiant
E.Chronicle
AnswersA, D, E

SCC provides visibility into vulnerabilities and threats.

Why this answer

Security Command Center provides vulnerability and threat detection. Chronicle is a SIEM for log analysis and threat detection. Mandiant offers threat intelligence and incident response.

Cloud IDS is network-based. Cloud Audit Logs are for auditing, not detection.

936
MCQeasy

What is the primary purpose of Google Cloud Armor?

A.To accelerate content delivery globally
B.To protect applications from DDoS attacks and application-level threats
C.To provide outbound internet connectivity to private instances
D.To manage virtual private cloud networking
AnswerB

Cloud Armor is a WAF and DDoS protection service for applications behind Cloud Load Balancing.

Why this answer

Cloud Armor is a web application firewall (WAF) that provides DDoS protection and security rules to protect applications distributed across Google Cloud. Cloud CDN accelerates content, Cloud NAT provides outbound internet access, and VPC is for virtual networking.

937
MCQeasy

A company's DevOps team wants to orchestrate a complex workflow that involves calling multiple Google Cloud APIs in sequence — first running a Cloud Build job, then checking the results, then either deploying to Cloud Run or sending a notification. Which Google Cloud product is designed for orchestrating multi-step workflow logic?

A.Cloud Scheduler, which triggers a series of jobs at specified cron intervals
B.Google Cloud Workflows, which orchestrates multi-step processes by calling APIs in sequence with conditional logic, error handling, and state management
C.Cloud Pub/Sub, by publishing messages between pipeline stages to trigger each subsequent step
D.Cloud Run, by writing the orchestration logic as a container application that calls other services sequentially
AnswerB

Workflows is the purpose-built orchestration service. It defines steps that call Cloud Build API, evaluate results, and conditionally proceed to Cloud Run deployment or notification — exactly the described use case. It handles retries, parallelism, and state automatically.

Why this answer

Google Cloud Workflows is the correct choice because it is a fully managed orchestration platform specifically designed to define multi-step workflows that call Google Cloud APIs and external services in sequence. It supports conditional logic (e.g., if-then-else), error handling (e.g., retries with exponential backoff), and state management, making it ideal for the described scenario of running a Cloud Build job, checking results, and conditionally deploying to Cloud Run or sending a notification.

Exam trap

The trap here is that candidates confuse a simple trigger or messaging service (like Cloud Scheduler or Pub/Sub) with a full orchestration engine, overlooking the need for conditional logic and state management that only Google Cloud Workflows provides.

How to eliminate wrong answers

Option A is wrong because Cloud Scheduler is a cron-based job scheduler that triggers tasks at fixed intervals, not an orchestrator that can handle conditional branching, error handling, or stateful sequencing of API calls. Option C is wrong because Cloud Pub/Sub is a messaging service for asynchronous event-driven communication; while it can trigger subsequent steps, it lacks built-in orchestration features like conditional logic, error handling, and workflow state management, requiring custom code to implement the full workflow. Option D is wrong because Cloud Run is a serverless container runtime; writing orchestration logic as a container application would require manual implementation of sequencing, state management, and error handling, and it does not provide native workflow orchestration capabilities like Google Cloud Workflows does.

938
Multi-Selecthard

A global e-commerce company is moving its user-facing application to Google Cloud to improve performance for customers worldwide. They need low-latency content delivery and fast DNS resolution. Which TWO Google Cloud services should they use? (Choose 2)

Select 2 answers
A.Cloud CDN
B.Cloud DNS
C.Cloud Interconnect
D.Cloud Armor
E.Cloud Load Balancing
AnswersA, B

Cloud CDN caches content at edge locations, reducing latency.

Why this answer

Cloud CDN uses Google's global edge cache to deliver content with low latency. Cloud DNS provides fast, reliable DNS resolution. Cloud Load Balancing distributes traffic but does not cache content; Cloud Armor is for security; Cloud Interconnect is for hybrid connectivity.

939
MCQhard

A financial services company is designing a multi-cloud architecture with Google Cloud and AWS. They need to encrypt data at rest in Google Cloud using a key stored in their on-premises Hardware Security Module (HSM). What is the best approach?

A.Use default encryption
B.Use Cloud External Key Manager (Cloud EKM)
C.Use Cloud HSM
D.Use Cloud Key Management Service (Cloud KMS) with CMEK
AnswerB

Cloud EKM integrates with external key management systems, including on-prem HSMs, to provide encryption at rest.

Why this answer

Cloud External Key Manager (Cloud EKM) is the correct approach because it allows you to manage encryption keys in an external key management system, such as an on-premises HSM, while using those keys to encrypt data at rest in Google Cloud. This meets the requirement of storing the key in the on-premises HSM, as Cloud EKM integrates with supported external key management partners or directly with your HSM via a key management proxy, ensuring that Google Cloud never has direct access to the raw key material.

Exam trap

The trap here is that candidates often confuse Cloud HSM (which provides hardware-backed keys but within Google's infrastructure) with the ability to use an external on-premises HSM, leading them to select Cloud HSM instead of Cloud EKM.

How to eliminate wrong answers

Option A is wrong because default encryption uses Google-managed keys, which do not allow you to control or store the key in your on-premises HSM. Option C is wrong because Cloud HSM is a Google Cloud service that provides hardware-backed key storage within Google's infrastructure, not in your on-premises HSM, so it does not satisfy the requirement of using a key stored on-premises. Option D is wrong because Cloud KMS with CMEK allows you to manage your own keys, but those keys are stored in Google Cloud (either in Cloud KMS software or Cloud HSM), not in an external on-premises HSM, and CMEK does not support direct integration with external key stores.

940
Drag & Dropmedium

Drag and drop the steps to configure a load balancer for an HTTP application on Compute Engine into the correct order.

Why this order

The correct order is: instance group, health check, backend service, URL map, then target proxy and forwarding rule.

941
MCQhard

An organization runs a multi-region web application behind a global external HTTP(S) load balancer. They want to protect against DDoS attacks and filter traffic based on IP reputation and request headers. Which service should they integrate with the load balancer?

A.Cloud Armor
B.Cloud CDN
C.VPC firewall rules
D.Cloud NAT
AnswerA

Cloud Armor is the security service for load balancers, offering WAF and DDoS protection.

Why this answer

Cloud Armor provides WAF and DDoS protection, including IP blacklisting/whitelisting, rate limiting, and custom rules. Cloud CDN caches content, Cloud NAT provides outbound connectivity, and VPC firewall rules are for network-level filtering inside a VPC.

942
MCQhard

A data analytics team needs to run a one-time transformation on 10 TB of data stored in Cloud Storage, then load the results into BigQuery. The transformation is a custom Java application that reads files, processes them, and writes to a new location. Which service should they use to minimize operational overhead?

A.Cloud Dataflow with Apache Beam Java SDK
B.Google Kubernetes Engine (GKE) with a custom container
C.Dataproc Serverless with Spark job
D.Cloud Functions triggered by Cloud Storage events
AnswerC

Dataproc Serverless runs Spark without cluster management, ideal for one-time jobs.

Why this answer

Option C (Dataproc Serverless with Spark job) is correct because it provides a fully managed, serverless execution environment for running custom Java transformations on large datasets (10 TB) without provisioning or managing clusters. Dataproc Serverless automatically scales resources based on the job's needs, minimizing operational overhead while supporting Spark jobs that can read from Cloud Storage and write results to BigQuery.

Exam trap

Google Cloud often tests the misconception that serverless options like Cloud Functions can handle large-scale batch processing, but the trap here is ignoring the execution time and memory limits of Cloud Functions, which cannot process 10 TB of data in a single invocation.

How to eliminate wrong answers

Option A is wrong because Cloud Dataflow with Apache Beam Java SDK is optimized for stream and batch processing with a unified programming model, but it introduces additional complexity in defining pipelines and managing state, which is unnecessary for a simple one-time transformation; Dataflow also requires more setup for custom Java code compared to Spark on Dataproc Serverless. Option B is wrong because Google Kubernetes Engine (GKE) with a custom container requires manual cluster management, scaling, and orchestration, which increases operational overhead for a one-time job; it is not serverless and demands ongoing maintenance of infrastructure. Option D is wrong because Cloud Functions triggered by Cloud Storage events are designed for lightweight, event-driven processing with limited execution time (9 minutes max) and memory (8 GB max), making them unsuitable for processing 10 TB of data in a single transformation.

943
MCQhard

A security team wants to be alerted when Google Cloud personnel access their customer data. They need logs that show the reason for access and what data was accessed. Which service provides this?

A.Cloud Audit Logs
B.Access Transparency
C.Security Command Center
D.Cloud Logging
AnswerB

Access Transparency logs show actions taken by Google personnel on customer data.

Why this answer

Access Transparency logs provide detailed records of Google personnel access to customer data, including reason and scope.

944
MCQeasy

A company's security team wants to be alerted when someone with administrative permissions changes an IAM policy in their Google Cloud organization. Which Google Cloud capability enables this detection?

A.Data Access audit logs, which record when data is read from Cloud Storage buckets
B.Admin Activity audit logs combined with Cloud Monitoring log-based alerting, which records and alerts on IAM policy modifications by any principal
C.Cloud Armor, which blocks unauthorized IAM policy changes at the network layer
D.VPC flow logs, which capture all network traffic including IAM API calls
AnswerB

Admin Activity audit logs record all IAM policy changes (SetIamPolicy calls) automatically and cannot be disabled. A log-based metric in Cloud Monitoring can count these events, and an alerting policy triggers a notification whenever an IAM change is detected. This is the standard approach for IAM change monitoring.

Why this answer

Admin Activity audit logs record all changes to IAM policies and other configuration changes in Google Cloud. By combining these logs with Cloud Monitoring log-based alerting, the security team can create a specific alert that triggers whenever an IAM policy is modified by a principal with administrative permissions, enabling real-time detection of unauthorized changes.

Exam trap

The GCDL exam often tests the distinction between audit log types (Admin Activity vs. Data Access) and the specific services that handle control-plane vs. data-plane operations, leading candidates to mistakenly choose Data Access logs or VPC flow logs for IAM policy changes.

How to eliminate wrong answers

Option A is wrong because Data Access audit logs record read/write operations on user-provided data (e.g., Cloud Storage objects), not IAM policy modifications, which are configuration changes. Option C is wrong because Cloud Armor is a web application firewall that protects against network-layer attacks like DDoS and SQL injection; it does not monitor or block IAM policy changes, which are control-plane operations. Option D is wrong because VPC flow logs capture metadata about network traffic (e.g., source/destination IP, ports, protocols) but do not log IAM API calls, which are control-plane operations logged separately in Admin Activity audit logs.

945
MCQmedium

After a major production outage, the engineering team conducts a review of what happened, why it happened, and how to prevent it in the future. This document is shared with all engineering teams. What is this practice called, and why does Google's SRE culture emphasize it?

A.Performance review — identifying which engineers caused the outage for disciplinary action.
B.Blameless postmortem — documenting the incident, root causes, and preventive actions to drive systemic learning without individual blame.
C.Capacity planning review — ensuring enough servers are provisioned to prevent future outages.
D.Change advisory board (CAB) review — approving that the outage fix is safe to deploy.
AnswerB

Blameless postmortems build organizational knowledge from failures. By avoiding blame, teams can honestly analyze contributing factors, including cultural and process issues, to make permanent improvements.

Why this answer

Option B is correct because a blameless postmortem is a core SRE practice that focuses on documenting incidents, root causes, and preventive actions without assigning individual blame. Google's SRE culture emphasizes this to foster psychological safety, enabling teams to openly share failures and drive systemic improvements, which is essential for maintaining high reliability in large-scale distributed systems.

Exam trap

The trap here is that candidates may confuse a blameless postmortem with a performance review or a change management process, failing to recognize that the key differentiator is the absence of blame and the focus on systemic learning rather than individual accountability.

How to eliminate wrong answers

Option A is wrong because a performance review is an HR process for evaluating employee contributions, not a post-incident analysis; blaming individuals contradicts the blameless culture that encourages honest incident reporting. Option C is wrong because capacity planning review is a proactive process to ensure sufficient resources (e.g., servers, network bandwidth) are provisioned to meet demand, not a reactive review of a specific outage's causes and fixes. Option D is wrong because a change advisory board (CAB) review is an ITIL process for approving changes before deployment, not a retrospective analysis of an incident that has already occurred.

946
Multi-Selectmedium

Which TWO of the following are key characteristics of cloud computing as defined by NIST? (Choose 2)

Select 2 answers
A.Virtualization
B.Multi-tenancy
C.Measured service
D.Serverless computing
E.Rapid elasticity
AnswersC, E

Cloud systems automatically control and optimize resource use by metering.

Why this answer

Measured service is a key characteristic of cloud computing as defined by NIST (SP 800-145). It means that cloud systems automatically control and optimize resource usage by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). This allows both the provider and consumer to monitor, control, and report usage, providing transparency for billing and chargeback.

Exam trap

Google Cloud often tests the distinction between enabling technologies (like virtualization) and the official NIST essential characteristics, so candidates mistakenly select virtualization or multi-tenancy because they are commonly associated with cloud computing but are not explicitly listed in the NIST definition.

947
MCQeasy

A security engineer wants to ensure that Google personnel cannot access customer data stored in Cloud Storage without explicit customer approval. Which Google Cloud feature should be enabled?

A.Access Transparency
B.Data Loss Prevention API
C.VPC Service Controls
D.Cloud Audit Logs
AnswerA

Access Transparency is designed to log and provide transparency into Google personnel access to customer data.

Why this answer

Access Transparency logs provide detailed records of actions taken by Google personnel on customer data, enabling customers to monitor and approve such access.

948
MCQeasy

A startup wants to deploy a web application with minimal operational overhead. They want to focus only on writing code and not managing servers, containers, or runtimes. Which Google Cloud service is designed for this purpose?

A.Cloud Run
B.Google Kubernetes Engine (GKE)
C.App Engine
D.Compute Engine
AnswerC

App Engine is a PaaS that handles scaling, load balancing, and runtime management automatically.

Why this answer

App Engine is a fully managed PaaS that abstracts the underlying infrastructure, allowing developers to focus solely on code. Cloud Run requires container images, Compute Engine requires full OS management, and GKE requires cluster management.

949
MCQhard

A retail company stores petabytes of customer transaction data for compliance reasons. They access data less than once a year but must retain it for 10 years. They want the lowest-cost storage. Which storage class should they choose?

A.Archive storage class
B.Coldline storage class
C.Standard storage class
D.Nearline storage class
AnswerA

Archive is the lowest-cost option for data accessed less than once a year.

Why this answer

Archive storage class is the correct choice because it is designed for data accessed less than once a year, with the lowest storage cost among Google Cloud storage classes. The customer's requirement of retaining data for 10 years with infrequent access aligns perfectly with Archive's 365-day minimum storage duration and retrieval costs that are higher but acceptable given the rare access pattern.

Exam trap

Google Cloud often tests the misconception that 'Coldline' is the lowest-cost option because of its name, but Archive is actually cheaper for data accessed less than once a year, and candidates overlook the access frequency and minimum storage duration requirements.

How to eliminate wrong answers

Option B (Coldline storage class) is wrong because it is optimized for data accessed less than once every 90 days, not less than once a year, and has higher storage costs than Archive. Option C (Standard storage class) is wrong because it is designed for frequently accessed data with no minimum storage duration and has the highest storage cost, making it unsuitable for long-term, rarely accessed compliance data. Option D (Nearline storage class) is wrong because it targets data accessed less than once every 30 days, with storage costs higher than Archive and a 30-day minimum storage duration, which does not match the yearly access pattern.

950
MCQmedium

A company has a batch processing job that runs once per day and can be interrupted without significant impact. They want to reduce costs by using Google Cloud infrastructure. Which compute option should they choose?

A.Standard persistent disk
B.Preemptible VMs
C.Sustained use discounts
D.Custom machine types
AnswerB

Preemptible VMs are low-cost, short-lived instances suitable for batch workloads that can tolerate interruptions.

Why this answer

Preemptible VMs offer significant cost savings (up to a 60-91% discount) but can be terminated at any time by Google. They are ideal for fault-tolerant batch jobs. Spot VMs are similar but with a newer pricing model (no maximum runtime).

Both are good, but Preemptible is the classic answer. Custom machine types are not cost-saving by themselves; standard VMs are more expensive.

951
MCQmedium

A company is planning a cloud architecture and needs to decide between a monolithic application design and a microservices architecture. What is the most significant operational trade-off between these two approaches in a cloud environment?

A.Monoliths can only run on-premises, while microservices were designed specifically for cloud environments
B.Microservices enable independent deployment and scaling per component but introduce distributed systems complexity (network overhead, distributed tracing, service discovery, consistency challenges); monoliths are simpler to operate but scale and deploy as a unit
C.Microservices are always cheaper to operate in the cloud because each service uses fewer resources than a monolith
D.Monolithic applications cannot be scaled horizontally in cloud environments
AnswerB

This accurately captures the key trade-off. Microservices' benefits (independent scale, isolated failures, technology diversity) come with real operational costs: inter-service communication adds latency and failure modes, distributed tracing replaces simple stack traces, and data consistency across services requires careful design.

Why this answer

Monoliths are simpler to develop, test, and deploy initially but scale as a unit and create tight coupling — a change to one part requires deploying the whole application. Microservices enable independent deployment and scaling of components but introduce distributed systems complexity (network calls, service discovery, distributed tracing, eventual consistency). Neither is universally better — the trade-off depends on team size, domain complexity, and operational maturity.

952
MCQhard

A company wants to implement SLOs for their API service. They need to measure the proportion of successful requests over a 30-day window. Which metric should they use?

A.availability (uptime)
B.latency at 99th percentile
C.requests/success
D.SLI = good events / total events
AnswerD

SLI directly measures the proportion of successful requests.

Why this answer

Option D is correct because an SLI (Service Level Indicator) is defined as the ratio of good events to total events, which directly measures the proportion of successful requests over a 30-day window. This aligns with the requirement to track request success rate, not just system uptime. In Google Cloud operations, SLOs are built on SLIs that count discrete events like HTTP 200 responses versus all requests.

Exam trap

The trap here is that candidates confuse availability (uptime) with request success rate, not realizing that a service can be 'up' 100% of the time yet fail a large proportion of requests due to application errors.

How to eliminate wrong answers

Option A is wrong because availability (uptime) measures the percentage of time the service is reachable, not the proportion of individual request successes; a service can be up but still return errors for many requests. Option B is wrong because latency at the 99th percentile measures response time distribution, not success rate; it addresses performance, not correctness or error rate. Option C is wrong because requests/success is an inverted ratio that would decrease as success increases, and it is not a standard SLI formula; the correct SLI is good events divided by total events.

953
MCQmedium

A company wants to replace its VPN-based remote access with a zero-trust solution that verifies user identity and device health before granting access to internal applications. Which Google Cloud service should they use?

A.BeyondCorp Enterprise
B.Identity-Aware Proxy (IAP)
C.Cloud VPN
D.Cloud Identity
AnswerA

BeyondCorp Enterprise is the complete zero-trust product that replaces VPNs.

Why this answer

BeyondCorp Enterprise provides zero-trust access based on user identity and device context, eliminating the need for a VPN. IAP is a component but the full solution is BeyondCorp Enterprise.

954
MCQeasy

A traditional retailer currently maintains its own data centers, purchasing servers every 3–5 years and paying for facilities, power, and staff regardless of demand. When it migrates its workloads to the public cloud, which change in cost model does it experience?

A.From operational expenditure (OpEx) to capital expenditure (CapEx)
B.From capital expenditure (CapEx) to operational expenditure (OpEx)
C.From variable costs to fixed monthly costs
D.From consumption-based billing to annual depreciation cycles
AnswerB

Cloud eliminates large upfront hardware purchases (CapEx) and replaces them with pay-as-you-go usage fees (OpEx), aligning costs directly with actual business consumption.

Why this answer

When a retailer migrates from owning and maintaining its own data centers to using a public cloud, it shifts from a capital expenditure (CapEx) model—where it buys servers and pays for facilities upfront—to an operational expenditure (OpEx) model, where it pays for cloud services as a recurring, usage-based cost. This change eliminates large upfront hardware investments and replaces them with predictable monthly or consumption-based billing, aligning costs directly with actual demand.

Exam trap

The GCDL exam often tests the misconception that moving to the cloud simply changes cost from variable to fixed, when in fact the fundamental shift is from CapEx (capital expenditure) to OpEx (operational expenditure), with variable costs replacing fixed, upfront investments.

How to eliminate wrong answers

Option A is wrong because it reverses the actual shift: moving from on-premises data centers to the public cloud changes spending from CapEx (buying servers, facilities) to OpEx (pay-as-you-go), not the other way around. Option C is wrong because the cloud model typically converts fixed, upfront costs into variable, consumption-based costs, not from variable to fixed monthly costs; fixed monthly costs are more characteristic of reserved instances or committed use contracts, but the core shift is from CapEx to OpEx. Option D is wrong because consumption-based billing is the new model in the cloud, not the old one; annual depreciation cycles are associated with CapEx for owned hardware, not with cloud billing.

955
MCQmedium

A company needs to store petabytes of time-series IoT sensor data and query it with single-digit millisecond latency at millions of reads per second. The data has a simple key-value structure with timestamps. Which Google Cloud database is MOST appropriate?

A.BigQuery
B.Cloud Bigtable
C.Cloud Spanner
D.Firestore
AnswerB

Bigtable is the correct choice: wide-column NoSQL, designed for time-series and IoT workloads, single-digit ms latency, and scales to millions of QPS with additional nodes.

Why this answer

Cloud Bigtable is designed for exactly this use case — petabyte-scale, low-latency (single-digit ms), high-throughput NoSQL storage for time-series, IoT, and financial data. It scales horizontally by adding nodes. BigQuery is optimised for analytics (seconds-to-minutes latency), Cloud SQL is for OLTP (limited to tens of thousands of QPS), and Firestore is for document data with hierarchical structure.

956
Multi-Selectmedium

Which TWO statements about committed use discounts (CUDs) are true? (Choose two.)

Select 2 answers
A.CUDs provide a discount for sustained usage without any upfront commitment.
B.CUDs can be purchased for specific resources such as vCPUs and memory.
C.CUDs can be applied to any Google Cloud service automatically.
D.CUDs are applied automatically without any action from the user.
E.CUDs require a 1-year or 3-year commitment.
AnswersB, E

CUDs are purchased based on resource type and amount.

Why this answer

CUDs require a commitment of 1 or 3 years and provide a discount in exchange. They apply to specific resource usage like vCPUs and memory.

957
Multi-Selectmedium

A company uses Cloud Functions to process events from Pub/Sub. Which TWO statements about this architecture are correct? (Choose two.)

Select 2 answers
A.Cloud Functions must be associated with a VPC to access Pub/Sub.
B.Cloud Functions can acknowledge messages automatically upon successful execution.
C.Cloud Functions can be triggered by a Pub/Sub subscription.
D.Cloud Functions can run for up to 60 minutes per invocation.
E.Cloud Functions can be used to pull messages from a Pub/Sub subscription synchronously.
AnswersB, C

Cloud Functions automatically acknowledges messages on success.

Why this answer

Cloud Functions can be triggered by Pub/Sub messages. The functions scale automatically based on the number of messages, and they are stateless and short-lived.

958
Multi-Selecthard

Which THREE practices are recommended for securing a Kubernetes cluster in Google Kubernetes Engine (GKE)?

Select 3 answers
A.Use Binary Authorization to ensure only trusted container images are deployed
B.Enable node auto-repair to automatically fix security vulnerabilities in nodes
C.Enable GKE Sandbox for untrusted workloads to provide an additional layer of isolation
D.Expose the cluster control plane via a public endpoint to allow monitoring
E.Enable Workload Identity to manage access to Google Cloud APIs
AnswersA, C, E

Binary Authorization enforces deployment signing.

Why this answer

Binary Authorization is correct because it enforces deployment-time policy validation, ensuring that only container images signed by trusted authorities (e.g., via KMS) are allowed to run in GKE. This prevents the deployment of untrusted or tampered images, directly addressing supply chain security.

Exam trap

Google Cloud often tests the distinction between operational features (like node auto-repair) and security features, so candidates mistakenly assume auto-repair patches vulnerabilities when it only restores node health and does not apply security updates.

959
MCQmedium

An organization wants to reduce its carbon footprint by using Google Cloud. Which of the following statements about Google Cloud's sustainability efforts is correct?

A.Google Cloud uses nuclear energy as its primary power source.
B.Google Cloud data centers are powered by 100% carbon-free energy since 2020.
C.Google Cloud matches 100% of its global electricity consumption with renewable energy.
D.Google Cloud purchases carbon offsets to neutralize all emissions.
AnswerC

Since 2017, Google has matched 100% of its electricity use with renewable energy purchases.

Why this answer

Google Cloud matches 100% of its global electricity consumption with renewable energy and aims for 24/7 carbon-free energy by 2030.

960
MCQmedium

A financial services company must run a legacy Windows application that requires a specific version of IIS and custom Windows patches. The company wants to minimize operational overhead but needs full control over the OS. Which Google Cloud service is most appropriate?

A.Google Kubernetes Engine
B.App Engine Flexible Environment
C.Compute Engine
D.Cloud Run
AnswerC

Compute Engine provides IaaS with full control over the Windows OS, including custom patches and IIS.

Why this answer

Compute Engine provides IaaS, allowing full control over the OS and application stack, including custom patches and configurations.

961
Multi-Selecteasy

A company wants to monitor its Google Cloud spending and receive alerts when costs exceed a threshold. Which two services should they use together?

Select 2 answers
A.Cloud Scheduler
B.Cloud Asset Inventory
C.Cloud Logging
D.Cloud Billing Budgets and Alerts
E.Cloud Monitoring
AnswersD, E

This service allows setting budget thresholds and sending alerts via email or Pub/Sub.

Why this answer

Cloud Billing Budgets and Alerts (D) allows you to define a spending threshold and receive notifications when costs approach or exceed that limit. Cloud Monitoring (E) can ingest those budget alert events and trigger additional actions, such as sending notifications via email, SMS, or Pub/Sub, or integrating with incident management tools. Together, they provide a complete cost monitoring and alerting solution.

Exam trap

The trap here is that candidates often confuse Cloud Logging (which stores logs) or Cloud Scheduler (which runs jobs) with the actual billing alerting service, not realizing that Cloud Billing Budgets and Alerts is the dedicated service for cost thresholds and Cloud Monitoring is needed for centralized alert management.

962
MCQmedium

A cloud team wants to automatically enforce that all new Compute Engine VMs are created with a specific label (environment: production) and that no VMs are created with external IP addresses in the production project. Which Google Cloud capability enforces these organizational policies at resource creation time?

A.Cloud Monitoring alerting policies that detect and notify when non-compliant VMs are created
B.Organization Policy Service constraints that enforce no external IPs and required labels at resource creation time, blocking non-compliant VMs before they are created
C.Cloud IAM roles that prevent developers from creating VMs without the proper labels
D.Cloud Billing budget alerts that detect when VM spending exceeds expected amounts for labeled resources
AnswerB

Organization Policy Service is the correct answer. The 'compute.vmExternalIpAccess' constraint prevents external IP assignment at creation. Custom org policy constraints can enforce required labels. Both are evaluated before resource creation — if the policy would be violated, the API call is rejected.

Why this answer

Organization Policy Service constraints are evaluated at resource creation time: predefined constraints such as `compute.vmExternalIpAccess` and `compute.requireOsLogin`, plus custom constraints for labels. A request that violates a constraint is rejected, so the non-compliant VM is never created, which enforces policies like 'no external IPs' and 'required labels' without relying on post-creation detection or IAM permissions.

Exam trap

The GCDL exam often tests the distinction between reactive monitoring (Cloud Monitoring alerts) and proactive enforcement (Organization Policy Service), leading candidates to pick the monitoring option because they confuse detection with prevention.

How to eliminate wrong answers

Option A is wrong because Cloud Monitoring alerting policies are reactive, not preventive; they detect non-compliant VMs after creation but do not block them. Option C is wrong because Cloud IAM roles control who can create VMs but cannot enforce specific label values or external IP restrictions at resource creation time; IAM lacks the granularity to validate resource configuration. Option D is wrong because Cloud Billing budget alerts monitor spending, not resource compliance; they cannot prevent VM creation or enforce labels or external IP policies.

963
MCQmedium

A mid-size company runs a batch processing application on a single on-premises server. The processing time varies; during month-end, the workload spikes and the server becomes overloaded, causing delays. The company wants a solution that automatically scales resources for peak times and only pays for extra capacity when used. They are considering migrating to Google Cloud. Which approach meets their needs?

A.Migrate the server to a single, larger Compute Engine instance with a static IP
B.Deploy the application on a managed instance group in Compute Engine with autoscaling
C.Rewrite the batch processing application as a Cloud Function
D.Use Cloud SQL for the database and a single Compute Engine instance for processing
AnswerB

Managed instance group with autoscaling automatically adds/removes instances based on load, and you pay only for the resources used.

Why this answer

Option B is correct because Google Cloud offers autoscaling groups in Compute Engine (managed instance groups) that can add instances during peak load and remove them when demand drops, with pay-per-second billing. Option A lacks automatic scaling. Option D provides managed services but may not directly solve scaling of their specific application. Option C is for serverless functions, not ideal for a batch processing app that may run for hours.

964
MCQhard

A multinational corporation operates a hybrid cloud environment with on-premises data centers connected to Google Cloud via Dedicated Interconnect. The company uses Cloud Storage to store sensitive financial data and has enabled Cloud Audit Logs for admin activities. Recently, the security team noticed that an unknown actor accessed a bucket containing customer personally identifiable information (PII). The access occurred from an IP address outside the corporate network. The security team suspects that an employee's Google Cloud credentials were compromised. They need to investigate the incident thoroughly and determine the extent of the breach. The company has enabled VPC Flow Logs, but they are not sure how to correlate the audit logs with network flows. They also want to ensure that similar incidents are prevented in the future. What should the security team do first to investigate the incident?

A.Immediately revoke all service account keys and reissue them, then reset all user passwords.
B.Enable Cloud IDS to detect similar attacks and block the malicious IP address.
C.Use Cloud Logging to analyze Cloud Audit Logs and identify the user who accessed the bucket and the associated context.
D.Export VPC Flow Logs to BigQuery and analyze for the attacker's IP address.
AnswerC

Cloud Audit Logs record all resource access and are the primary source for investigating unauthorized access.

Why this answer

Option C is correct because the first step is to analyze Cloud Audit Logs to identify which identities accessed the bucket and from where. This provides the primary leads for the investigation. Option A is wrong because revoking keys assumes the compromise was via keys, but the incident involves user credentials, not service account keys. Option B is wrong because Cloud IDS detects network threats but does not provide historical logs of who accessed a bucket. Option D is wrong because VPC Flow Logs show network traffic but do not identify the user or API calls.

965
MCQhard

An operations team tracks the following metrics for their customer portal: request latency p99, error rate, and requests per second. In Site Reliability Engineering terminology, what are these metrics called, and what do they collectively define?

A.Key Performance Indicators (KPIs) that define the overall health of the business
B.Service Level Agreements (SLAs), defining the contractual commitments made to customers
C.Service Level Indicators (SLIs), which measure specific dimensions of service behavior from the user's perspective and collectively define how reliability is quantified
D.Operational metrics that are only relevant to the infrastructure team and not to business stakeholders
AnswerC

SLIs are the specific measurable quantities that capture how users experience the service. Latency (is it fast enough?), error rate (is it working?), and throughput (is it keeping up?) are the canonical SLI types. Together they provide a quantitative picture of reliability that can be used to set SLO targets.

Why this answer

In Site Reliability Engineering (SRE), the metrics p99 latency, error rate, and requests per second are classified as Service Level Indicators (SLIs). SLIs are carefully chosen quantitative measures of specific aspects of the service's behavior, such as availability, latency, or throughput, as experienced by the end user. Collectively, these SLIs define how reliability is quantified and are used to set and monitor Service Level Objectives (SLOs).

Exam trap

The trap here is that candidates confuse SLIs with SLAs or KPIs, not realizing that SLIs are the raw measurements that feed into SLOs, which then underpin SLAs, and that they are specifically defined from the user's perspective to quantify reliability.

How to eliminate wrong answers

Option A is wrong because while these metrics can be part of business KPIs, the SRE terminology specifically calls them Service Level Indicators (SLIs), not generic KPIs, and they define reliability quantification, not overall business health. Option B is wrong because SLAs are contractual commitments based on SLOs, which are in turn derived from SLIs; the metrics themselves are not the agreements. Option D is wrong because SLIs are explicitly defined from the user's perspective and are critical for business stakeholders to understand service reliability, not just for the infrastructure team.

966
MCQeasy

Which Google Cloud service provides a fully managed, scalable data warehouse for running SQL queries on petabyte-scale data and supports BI tools like Looker?

A.BigQuery
B.Cloud SQL
C.Cloud Storage
D.Dataflow
AnswerA

BigQuery is a serverless, highly scalable data warehouse that supports SQL queries on petabytes of data and integrates with BI tools like Looker.

Why this answer

BigQuery is a serverless data warehouse that scales to petabytes and uses SQL for analytics. Cloud SQL is for OLTP, Cloud Storage is object storage, and Dataflow is for data processing pipelines.

967
MCQeasy

A company's production database is running on a Compute Engine VM with a 500 GB Persistent Disk. The operations team wants to create a backup they can restore from in case of data corruption or accidental deletion. Which Google Cloud capability provides point-in-time backup for Persistent Disks?

A.Cloud Storage bucket replication, by continuously copying the database files to a storage bucket
B.Persistent Disk Snapshots, which capture the disk state at a point in time and enable restoration or creation of new disks from that snapshot
C.Cloud SQL automated backups, which protect databases running on Compute Engine VMs
D.VM live migration, which moves the running VM between physical hosts, automatically creating a backup in the process
AnswerB

Persistent Disk Snapshots are the correct mechanism. They capture a consistent point-in-time image of the disk (application-consistent when used with a snapshot agent or after flushing I/O). Snapshots are stored in Cloud Storage, are incremental after the first snapshot, and can be used to create a new disk or restore data.

Why this answer

Persistent Disk Snapshots are the correct Google Cloud feature for creating point-in-time backups of Persistent Disks. They capture the disk's data and configuration at a specific moment, allowing you to restore the disk or create new disks from that snapshot. This is the native, recommended method for backup and disaster recovery of Compute Engine VM disks.

Exam trap

The trap here is that candidates confuse Cloud SQL backups (which are for managed databases) with the need to back up a database running on a Compute Engine VM, leading them to select option C instead of the correct Persistent Disk Snapshots.

How to eliminate wrong answers

Option A is wrong because Cloud Storage bucket replication is a feature for objects in buckets, not for Persistent Disks; continuously copying database files to a bucket would require custom scripting and does not provide crash-consistent point-in-time backups of the entire disk. Option C is wrong because Cloud SQL automated backups protect Cloud SQL managed databases, not databases running on Compute Engine VMs; Cloud SQL is a separate managed service, not a feature for Compute Engine disks. Option D is wrong because VM live migration moves a running VM between physical hosts for maintenance without downtime, but it does not create a backup or capture a point-in-time state of the disk.

968
MCQmedium

A startup is building a mobile app and needs to store user profiles and preferences. The data is hierarchical and the app requires real-time synchronization across devices. Which Google Cloud database should they use?

A.Cloud Spanner
B.Firestore
C.Cloud Bigtable
D.Cloud SQL
AnswerB

Firestore offers real-time sync, offline support, and hierarchical documents perfect for mobile apps.

Why this answer

Firestore is a NoSQL document database designed for mobile apps, with real-time sync and offline support. Cloud SQL and Spanner are relational, not ideal for hierarchical data. Bigtable is for time-series/analytics, not mobile app data.

969
Drag & Dropmedium

Drag and drop the steps to set up a Cloud CDN for a backend bucket in the correct order.

Why this order

First create and prepare the bucket, then set up a load balancer, enable CDN, and test.

970
MCQhard

A company wants to ensure that its Google Cloud resources can only be accessed from within a specific VPC network, preventing data exfiltration to the internet. They need to enforce this for Cloud Storage and BigQuery APIs. Which service should they use?

A.Cloud NAT
B.VPC Service Controls
C.VPC Firewall Rules
D.Private Google Access
AnswerB

VPC Service Controls define perimeters to prevent data exfiltration.

Why this answer

VPC Service Controls create perimeters around managed services to restrict access to only allowed VPC networks.

971
MCQeasy

A company wants to run containerized applications on Google Cloud without managing the underlying VMs or orchestrator. Which compute service should they choose?

A.Cloud Run
B.Google Kubernetes Engine (GKE)
C.Compute Engine
D.App Engine
AnswerA

Cloud Run is serverless, manages containers without cluster management.

Why this answer

Cloud Run is a fully managed serverless container platform that abstracts infrastructure. GKE requires cluster management. Compute Engine is VMs. App Engine supports containers but with more restrictions.

972
MCQeasy

A regional hospital chain wants to improve patient outcomes by analyzing electronic health records (EHRs) from multiple departments, including radiology, pathology, and pharmacy. Currently, each department stores data in separate on-premises databases, making it difficult to correlate information. The hospital must comply with HIPAA and other data privacy regulations. They have a small IT team and limited budget for new hardware. They want to enable clinicians to run ad-hoc queries across all data and generate insights using machine learning, without managing infrastructure. Which solution best achieves these goals?

A.Purchase additional on-premises servers and implement a data warehouse with ETL processes.
B.Deploy a third-party analytics SaaS tool and export data from each department manually.
C.Migrate all data to Cloud Storage and grant clinicians access to files for manual analysis.
D.Use Cloud Healthcare API to ingest and standardize data from each department, store in BigQuery, and use BigQuery ML to build predictive models.
AnswerD

This fully managed, HIPAA-eligible solution integrates silos and enables advanced analytics without infrastructure overhead.

Why this answer

Option D is correct because it leverages the Cloud Healthcare API to ingest and standardize data from disparate on-premises databases into a unified format, stores it in BigQuery for serverless ad-hoc querying, and uses BigQuery ML to build predictive models without managing infrastructure. This fully meets HIPAA compliance through built-in data residency and access controls, while the small IT team avoids hardware procurement and maintenance overhead.

Exam trap

Google Cloud often tests the misconception that on-premises data warehouses (Option A) are the only HIPAA-compliant option, but the trap here is that cloud-native services like Cloud Healthcare API and BigQuery are fully HIPAA-eligible and actually reduce compliance burden through automated controls and managed infrastructure.

How to eliminate wrong answers

Option A is wrong because purchasing additional on-premises servers and implementing a data warehouse with ETL processes requires significant upfront hardware investment and ongoing IT management, contradicting the limited budget and small IT team constraints. Option B is wrong because manually exporting data from each department to a third-party analytics SaaS tool is error-prone, non-scalable, and introduces security risks for PHI under HIPAA, as manual processes lack automated auditing and encryption controls. Option C is wrong because migrating all data to Cloud Storage and granting clinicians access to files for manual analysis does not enable ad-hoc querying or machine learning, and raw file access violates HIPAA's minimum necessary and access control requirements.

973
MCQeasy

What is the primary benefit of using preemptible VMs on Compute Engine?

A.Support for live migration
B.Higher performance than standard VMs
C.Guaranteed availability of resources
D.Cost savings for fault-tolerant workloads
AnswerD

Preemptible VMs offer up to 80% discount, suitable for batch jobs and stateless apps.

Why this answer

Preemptible VMs are significantly cheaper than standard VMs but can be terminated at any time. They are ideal for fault-tolerant, batch workloads.

974
MCQeasy

A data analyst at a media company needs to run complex SQL queries on petabytes of user engagement data to produce weekly reports. The dataset is stored in Google Cloud. Which Google Cloud product is purpose-built for this type of large-scale analytical SQL workload?

A.Cloud SQL, Google Cloud's managed relational database service
B.BigQuery, Google Cloud's serverless data warehouse for petabyte-scale analytical SQL
C.Cloud Bigtable, Google's NoSQL wide-column database
D.Firestore, Google Cloud's serverless NoSQL document database
AnswerB

BigQuery is precisely designed for this use case. Its serverless architecture, columnar storage format, and distributed query engine make it ideal for analysts running complex SQL against massive datasets. The weekly report workload is a canonical BigQuery use case.

Why this answer

BigQuery is Google Cloud's serverless, highly scalable data warehouse specifically designed for petabyte-scale analytical SQL queries. It separates compute from storage and uses a columnar storage format and a distributed query engine to execute complex SQL on massive datasets without provisioning infrastructure, making it the ideal choice for the described workload.

Exam trap

The GCDL exam often tests the distinction between OLTP databases (Cloud SQL) and OLAP data warehouses (BigQuery), trapping candidates who see 'SQL' and assume any SQL-supporting service works for petabyte-scale analytics, ignoring the fundamental architectural differences in storage, scaling, and query execution.

How to eliminate wrong answers

Option A is wrong because Cloud SQL is a managed relational database service for OLTP workloads (e.g., MySQL, PostgreSQL, SQL Server) and is not designed for petabyte-scale analytical SQL; it has storage and concurrency limits that make it unsuitable for large-scale data warehousing. Option C is wrong because Cloud Bigtable is a NoSQL wide-column database optimized for high-throughput, low-latency read/write operations (e.g., time-series, IoT) and does not support SQL queries or complex analytical joins. Option D is wrong because Firestore is a serverless NoSQL document database for real-time mobile/web applications, not for analytical SQL workloads; it lacks SQL support and is not built for petabyte-scale aggregation or reporting.

975
MCQmedium

A company wants to run a stateful application that requires persistent, high-performance block storage attached to a single Compute Engine instance. The application needs consistent low latency. Which storage solution should they use?

A.Local SSD
B.Filestore
C.Cloud Storage
D.Persistent Disk
AnswerD

Persistent Disk provides durable, high-performance block storage for a single VM.

Why this answer

Persistent Disk provides durable block storage with consistent performance attached to a single VM. Local SSDs are ephemeral and not suitable for stateful data.

Google Cloud Digital Leader GCDL Questions 901–975 | Page 13/14 | Courseiva