Google Cloud Digital Leader (GCDL) — Questions 976–991

991 questions total · 14 pages · All types, answers revealed

Page 14 of 14

976
Multi-Select · hard

Which TWO of the following are important considerations when designing a cloud solution for data residency compliance? (Choose exactly 2.)

Select 2 answers
A. Enabling Cloud Data Residency policies
B. Selecting a Cloud Storage region to store data within required jurisdiction
C. Choosing the lowest-cost storage class
D. Using a single availability zone for all data
E. Encrypting all data at rest
Answers: A, B

Policies prevent data from moving outside allowed regions.

Why this answer

Options A and D are correct. A is correct because data must stay in specific geographic boundaries. D is correct because Cloud Data Residency policies enforce location constraints.

B is incorrect because storing data in a single zone does not guarantee residency; zones are within a region. C is incorrect because encryption does not change data location. E is incorrect because storage class affects availability, not residency.

977
MCQ · hard

A solutions architect is designing a system that must remain available even if an entire Google Cloud region becomes unavailable due to a major disaster. Which deployment approach achieves this goal?

A. Deploying the application across multiple zones within the same Google Cloud region
B. Using a single zone but enabling automatic VM restart policies
C. Deploying the application across multiple Google Cloud regions so that if one region fails, other regions continue serving traffic
D. Enabling Cloud Backup for all VMs in the deployment to allow rapid restoration after a regional failure
Answer: C

Multi-region deployment is required to survive a full regional outage. By running active or active-passive instances in multiple distinct geographic regions, the system continues operating when any single region fails. Each region is geographically separate and runs on independent infrastructure.

Why this answer

Option C is correct because deploying across multiple Google Cloud regions ensures that if an entire region becomes unavailable, traffic can be rerouted to healthy regions, achieving disaster recovery across regional failures. This approach leverages Google Cloud's global load balancing (e.g., External HTTPS Load Balancer with backend services in multiple regions) and regional managed instance groups to maintain availability even when a complete region is lost.

Exam trap

Google Cloud often tests the distinction between zonal and regional fault tolerance, and the trap here is that candidates confuse multi-zone deployment (which handles zonal failures) with multi-region deployment (which is required for regional disaster recovery).

How to eliminate wrong answers

Option A is wrong because deploying across multiple zones within the same region protects against zonal failures but does not protect against a regional disaster, as all zones in a region share the same regional control plane and can fail together. Option B is wrong because using a single zone with automatic VM restart policies only recovers from transient failures within that zone, not from a complete regional outage where the zone itself is unavailable. Option D is wrong because enabling Cloud Backup for all VMs allows data restoration after a failure but does not provide automatic failover or continuous availability; the system would still experience downtime while backups are restored, and it does not address the need for immediate traffic redirection during a regional disaster.

978
MCQ · easy

A company has set a budget alert at 80% and 100% of $10,000 for a specific project. The project has a billing account linked. What happens when the cost reaches $8,000?

A. The project is automatically suspended.
B. All resources in the project are deleted.
C. The billing account is disabled.
D. A notification is sent to the configured Pub/Sub topic.
Answer: D

Budget alerts send notifications to Pub/Sub or email when spending exceeds thresholds.

Why this answer

Budget alerts trigger notifications at the defined threshold percentages. At $8,000 (80% of $10,000), the alert fires but does not automatically stop spending.

979
MCQ · medium

A company is running a latency-sensitive application on Compute Engine instances in a single zone. They want to improve availability without sacrificing low latency. Which strategy should they use?

A. Deploy instances in multiple zones within the same region
B. Use Cloud CDN to cache content
C. Use larger machine types with more vCPUs
D. Deploy instances in multiple regions
Answer: A

Multiple zones in the same region provide redundancy with low latency.

Why this answer

Deploying instances in multiple zones within the same region provides high availability by distributing workloads across physically separate data centers (zones) while keeping network latency low, as intra-region latency is typically under 1-2 ms. This approach protects against zonal failures without the added latency of cross-region communication, which can be 10-100 ms or more.

Exam trap

The trap here is that candidates confuse high availability with geographic distribution, assuming multiple regions are always better, but the question explicitly requires low latency, which multi-region deployments cannot guarantee due to increased network distance.

How to eliminate wrong answers

Option B is wrong because Cloud CDN caches static content at edge locations to reduce latency for content delivery, but it does not improve the availability of a latency-sensitive application's compute instances or handle dynamic request processing. Option C is wrong because using larger machine types with more vCPUs improves performance for compute-bound tasks but does not provide redundancy or fault tolerance; a single zone failure would still take down all instances. Option D is wrong because deploying instances in multiple regions introduces significant cross-region network latency (often 10-100+ ms), which violates the requirement to maintain low latency for the application.

980
MCQ · hard

A company uses folders to separate environments (dev, test, prod) and teams (eng, data, security). An engineer needs to apply a policy that disables the use of 'g1-small' machine types only in the 'dev' folder under the 'eng' folder. The organization node has no existing constraints. What is the most specific way to apply this policy?

A. Apply the policy at the organization node.
B. Apply the policy at each project individually.
C. Apply the policy at the 'dev' folder.
D. Apply the policy at the 'eng' folder.
Answer: C

Applying at the dev folder under eng restricts only that folder.

Why this answer

Organization policies can be applied at the folder level. To be specific to 'dev' under 'eng', apply the policy to the 'dev' folder. Applying at a higher level would affect other subfolders.

981
MCQ · hard

An organization has a compliance requirement to run workloads in specific geographic regions only. They want to prevent any resources from being created outside those regions. Which Google Cloud control should they use?

A. Cloud Audit Logs
B. Organization policy with location restriction
C. VPC Service Controls
D. IAM conditions with resource location
Answer: B

The organization policy constraint gcp.resourceLocations enforces location compliance.

Why this answer

Organization policies with location restrictions allow administrators to set constraints on where resources can be created. The constraint `gcp.resourceLocations` can be used to restrict allowed regions. IAM roles control who can create resources, but not where.

VPC Service Controls restrict data access, not resource creation location. Cloud Audit Logs only record actions.

982
MCQ · medium

An organization's leadership sets a goal to make all future business decisions based on data rather than intuition. They migrate from siloed departmental spreadsheets to a centralized cloud data platform where all teams access the same real-time data. What organizational concept does this represent?

A. Data warehousing — storing historical data for reporting purposes.
B. Data-driven decision making — using objective data analysis rather than intuition to guide business decisions.
C. Business intelligence — creating reports and dashboards.
D. Data governance — policies for who owns and manages data.
Answer: B

Data-driven culture requires both technology (unified data platform) and organizational change (trusting data over hierarchy or intuition). Cloud platforms enable the technology layer; leadership commitment drives the cultural change.

Why this answer

Option B is correct because the scenario describes a shift from intuition-based decisions to decisions grounded in objective data analysis, which is the essence of data-driven decision making. The migration to a centralized cloud data platform ensures all teams access the same real-time data, eliminating silos and enabling consistent, evidence-based choices across the organization.

Exam trap

Google Cloud often tests the distinction between the technology (e.g., data warehousing, BI tools) and the organizational philosophy (data-driven decision making), trapping candidates who focus on the platform migration rather than the behavioral shift it enables.

How to eliminate wrong answers

Option A is wrong because data warehousing focuses on storing historical data for reporting, not on the real-time, decision-making transformation described. Option C is wrong because business intelligence involves creating reports and dashboards from data, but the core concept here is the cultural and operational shift to using data for decisions, not just visualization. Option D is wrong because data governance deals with policies for data ownership and management, which is a supporting framework, not the primary organizational concept of using data to guide decisions.

983
MCQ · medium

A company wants to set up automated checks that continuously verify their website's homepage, login page, and API endpoints are accessible from multiple global locations. If any endpoint becomes unreachable for more than 2 minutes, the on-call engineer should be alerted. Which Cloud Monitoring feature provides this?

A. Cloud Logging log-based alerts that detect 5xx errors in application logs.
B. Cloud Monitoring uptime checks that probe endpoints from global locations with alerting on failure.
C. Cloud Trace that records response times for each user request.
D. Custom scripts on Compute Engine VMs that ping endpoints every minute.
Answer: B

Uptime checks send probe requests from multiple global PoPs at configurable intervals. Failures across multiple locations trigger alerting policies — the managed solution for external availability monitoring.

Why this answer

Cloud Monitoring uptime checks are specifically designed to probe HTTP, HTTPS, or TCP endpoints from multiple global locations at configurable intervals (e.g., every 1 minute). They can trigger alerting policies when a check fails for a specified duration (e.g., 2 minutes), directly matching the requirement for continuous, multi-location endpoint accessibility verification with alerting on sustained failure.

Exam trap

The trap here is that candidates confuse log-based alerts (which detect errors in logs) with proactive uptime checks (which test connectivity), leading them to choose Option A because they think 5xx errors are the only way to detect unreachability, ignoring that a completely down endpoint may not generate logs at all.

How to eliminate wrong answers

Option A is wrong because Cloud Logging log-based alerts analyze log entries (e.g., 5xx errors) but do not actively probe endpoints from global locations; they react to logs already generated, not to connectivity failures that may not produce logs. Option C is wrong because Cloud Trace is a distributed tracing tool that captures latency and request paths for individual user requests, not a monitoring feature for endpoint availability from multiple locations. Option D is wrong because custom scripts on Compute Engine VMs would require manual setup, lack native multi-location probing, and do not integrate with Cloud Monitoring's alerting policies; they are an ad-hoc solution, not a managed service.

984
MCQ · easy

Which Google Cloud service helps identify and classify sensitive data such as credit card numbers or personal health information in Cloud Storage and BigQuery?

A. Security Command Center
B. Data Loss Prevention (DLP) API
C. Cloud Data Catalog
D. Access Transparency
Answer: B

DLP API is used to inspect and classify sensitive data.

Why this answer

Sensitive Data Protection (DLP API) scans content to discover and classify sensitive data.

985
Multi-Select · medium

A media company needs to store and serve video files globally with high availability and low latency. They also need to process these videos using transcoding. Which THREE Google Cloud services should they use? (Choose 3)

Select 3 answers
A. Cloud Storage
B. Compute Engine
C. Transcoder API
D. Cloud CDN
E. BigQuery
Answers: A, C, D

Cloud Storage is object storage for video files.

Why this answer

Cloud Storage stores the video files. Cloud CDN caches content at edge locations. Transcoder API processes video transcoding.

Compute Engine is for general compute; BigQuery is for analytics; Cloud Run is for serverless apps.

986
MCQ · easy

What is a key business benefit of moving from a capital expenditure (CapEx) model for IT infrastructure to an operational expenditure (OpEx) model like pay-as-you-go cloud computing?

A. Improved cash flow by avoiding large upfront hardware purchases
B. Elimination of all IT staff
C. Reduced need for software licenses
D. Guaranteed performance improvement
Answer: A

OpEx model spreads costs over time, reducing initial capital outlay.

Why this answer

Pay-as-you-go eliminates large upfront hardware costs, converting them to variable costs based on usage, which improves cash flow and agility.

987
MCQ · easy

A small IT team needs to grant developers the ability to deploy instances in a project but not delete them. Which IAM best practice should they use?

A. Create a custom role with compute.instances.insert and compute.instances.delete permissions.
B. Assign all developers the primitive role of Editor.
C. Use organization policy to restrict deletion of compute instances.
D. Create a service account for each developer and grant it the compute.instanceAdmin role.
Answer: D

Service accounts are not intended for human users; key management is burdensome.

Why this answer

Option D is correct because creating a service account for each developer and granting the `compute.instanceAdmin` role provides the precise permissions needed to deploy instances (via `compute.instances.insert`) without granting the ability to delete them (the `compute.instanceAdmin` role does not include `compute.instances.delete`). This follows the IAM best practice of least privilege, ensuring developers can perform only the required actions.

Exam trap

Google Cloud often tests the misconception that organization policies can replace IAM roles for user-level permission control, but organization policies are for resource constraints, not identity-based access control.

How to eliminate wrong answers

Option A is wrong because creating a custom role with both `compute.instances.insert` and `compute.instances.delete` permissions explicitly grants the delete capability, which violates the requirement to prevent deletion. Option B is wrong because the primitive role of Editor includes broad permissions that allow deleting compute instances, as well as many other resources, which is excessive and insecure. Option C is wrong because organization policies (e.g., constraints/compute.restrictDelete) can restrict deletion at the organization or folder level, but they apply to all users and cannot selectively allow deletion for some developers while blocking it for others; they are not a substitute for IAM roles.

988
MCQ · medium

An e-commerce company plans its infrastructure for peak shopping events (e.g., Black Friday) which drive 50× normal traffic. On-premises, they must maintain 50× capacity year-round. In the cloud, they provision 50× capacity only during peak periods. Which cloud characteristic enables this cost optimization?

A. Measured service — metering and reporting resource consumption.
B. Elasticity — the ability to rapidly scale resources up during peak demand and release them when no longer needed.
C. Broad network access — accessing resources from any internet-connected device.
D. Resource pooling — the provider's resources are shared among many customers.
Answer: B

Cloud elasticity lets the company provision 50× capacity for Black Friday (days) then scale back to 1× base capacity, paying only for what's used — eliminating year-round over-provisioning costs.

Why this answer

Elasticity is the cloud characteristic that allows resources to be automatically provisioned to handle 50× peak traffic and then de-provisioned when demand subsides, eliminating the need to maintain idle capacity year-round. This contrasts with on-premises infrastructure, where capacity must be statically over-provisioned to handle peak loads, leading to significant cost inefficiency. The ability to scale out and scale in dynamically based on real-time demand is the core enabler of the described cost optimization.

Exam trap

The GCDL exam often tests the distinction between elasticity (dynamic scaling of resources for a single customer) and resource pooling (sharing of resources among multiple customers), leading candidates to confuse the multi-tenant efficiency of pooling with the on-demand scaling characteristic of elasticity.

How to eliminate wrong answers

Option A is wrong because measured service refers to metering and reporting resource consumption for billing and usage tracking, not the ability to dynamically adjust capacity to match demand. Option C is wrong because broad network access describes the capability to access resources from any internet-connected device via standard protocols (e.g., HTTPS, SSH), which is unrelated to scaling infrastructure for peak events. Option D is wrong because resource pooling involves the provider sharing its physical and virtual resources among multiple customers via a multi-tenant model, which improves provider efficiency but does not directly enable a single customer to scale their own resource allocation up and down on demand.

989
MCQ · medium

Refer to the exhibit. The IAM policy is applied at the project level. The bucket 'sensitive-data' exists and contains objects. What is the effective access for user alice@example.com?

A. Alice can view objects in all buckets including sensitive-data.
B. Alice can view objects only in non-sensitive buckets, and can view objects in sensitive-data only after 9 AM due to condition.
C. Alice can view objects in all buckets except sensitive-data.
D. Alice can view and modify objects in all buckets.
Answer: A

Alice has the objectViewer role on the project with no condition, so she can list and read objects in any bucket.

Why this answer

The IAM policy grants the 'roles/storage.objectViewer' role to user alice@example.com at the project level. This role allows listing and reading objects in all buckets within the project, including 'sensitive-data'. The condition 'request.time < 9:00 AM' is a denial condition that only applies to the 'sensitive-data' bucket, but because the policy is applied at the project level and the condition is not met (the request is made after 9 AM), the deny effect does not apply, so Alice retains full view access to all buckets.

Exam trap

Google Cloud often tests the nuance that IAM conditions can be used to deny access only when a specific condition is met, and candidates mistakenly assume that any condition automatically restricts access, ignoring that the condition must evaluate to true for the deny to take effect.

How to eliminate wrong answers

Option B is wrong because the condition 'request.time < 9:00 AM' is a deny condition that would block access only if the request occurred before 9 AM; since the scenario does not specify a time, the default assumption is that the request is made at a time when the condition is not met, so Alice can view objects in sensitive-data at any time. Option C is wrong because the IAM policy grants the objectViewer role at the project level, which applies to all buckets, including sensitive-data, unless explicitly denied by a more specific policy; no such denial exists here. Option D is wrong because the assigned role is 'roles/storage.objectViewer', which only allows read (view) access, not write or modify access; modifying objects would require roles like 'roles/storage.objectAdmin' or 'roles/storage.objectCreator'.

990
MCQ · easy

A startup is building a mobile app and needs a real-time database that synchronises data across user devices automatically. The data model is document-based, and the app needs offline support. Which database should they use?

A. Cloud Bigtable
B. Cloud SQL
C. Firestore
D. Memorystore
Answer: C

Firestore provides real-time sync, offline persistence, and a document model perfect for mobile apps.

Why this answer

Firestore is a NoSQL document database designed for mobile and web apps with real-time synchronization, offline support, and automatic multi-device sync. Cloud SQL is relational and not designed for mobile offline sync. Bigtable is for time-series.

Memorystore is a cache.

991
MCQ · easy

A company wants to migrate a legacy monolithic application to Google Cloud with minimal code changes. The application runs on a specific OS version and uses a relational database. Which migration approach is most suitable?

A. Rebuild the application using serverless functions
B. Lift and shift to Compute Engine and Cloud SQL
C. Refactor the application into microservices
D. Replatform to use Cloud Run
Answer: B

Minimal changes; move as-is to VMs and managed database.

Why this answer

Option C is correct because 'Lift and shift' (rehosting) moves the application with minimal changes. Option A is wrong because refactoring requires code changes. Option B is wrong because replatforming may require changes to the platform.

Option D is wrong because rebuilding is a complete rewrite.
