Google Cloud Digital Leader (GCDL) — Questions 151–225

507 questions total · 7 pages · All types, answers revealed

Page 3 of 7
151
Drag & Drop · medium

Drag and drop the steps to migrate an on-premises MySQL database to Cloud SQL using Database Migration Service into the correct order.


Why this order

The migration follows a fixed sequence: set up the destination Cloud SQL instance, create a connection profile for the source MySQL database and confirm connectivity to it, create the migration job and test it, start the job so that the initial dump and continuous replication run, and finally promote the destination once it has caught up so that it becomes the standalone primary and the application can be cut over.

152
MCQ · medium

A security team is reviewing a developer's request to be granted the 'Owner' role on a production Google Cloud project 'just in case they need broad access.' The security team rejects this and instead grants a more specific role. Which security principle does the security team's decision enforce?

A. Defense in depth, by ensuring multiple security layers protect the project
B. Separation of duties, by ensuring no single person has too many responsibilities
C. Principle of least privilege, by granting only the minimum permissions necessary for the developer's specific role and tasks
D. Zero trust networking, by treating the developer's device as untrusted
Answer: C

The Principle of Least Privilege is the core concept here. The Owner role is far broader than necessary: it carries every permission in the project, including the ability to change the project's IAM policy and billing. By granting a specific role matching actual requirements, the security team limits the blast radius if the developer's account is compromised and reduces the risk of accidental destructive actions.

Why this answer

The security team's decision to reject the overly broad 'Owner' role and grant a more specific role directly enforces the principle of least privilege. This principle dictates that users should be granted only the minimum permissions necessary to perform their job functions, reducing the risk of accidental or malicious misuse of elevated access. In Google Cloud, this is implemented by assigning predefined or custom IAM roles with precisely scoped permissions rather than broad roles like Owner.

Exam trap

Google Cloud often tests the principle of least privilege by presenting a scenario where a broad role is requested 'just in case,' and candidates may confuse it with separation of duties or defense in depth, but the key is that the decision limits permissions to the minimum needed for the task.

How to eliminate wrong answers

Option A is wrong because defense in depth involves multiple layers of security controls (e.g., firewalls, encryption, monitoring) across the infrastructure, not the granularity of a single IAM role assignment. Option B is wrong because separation of duties ensures that critical tasks are divided among multiple individuals to prevent fraud or error, whereas this scenario is about limiting permissions for a single developer, not splitting responsibilities. Option D is wrong because zero trust networking focuses on verifying every request as if it originates from an untrusted network, often through device authentication and network segmentation, not on the scope of IAM roles granted to a user.
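As an added example (not part of the exam page) of the check a security team runs before and after a decision like this, the script below audits a project IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns: it flags the basic roles Owner, Editor and Viewer on any principal, flags any role granted to the public principals `allUsers` or `allAuthenticatedUsers`, and emits the `gcloud` command that would remove each offending binding. The policy document, the principals and the `my-prod-project` placeholder are constructed sample data.

```python
"""Least-privilege audit of a Google Cloud project IAM policy.

Added example, not from the exam page. Input is the JSON produced by
`gcloud projects get-iam-policy PROJECT --format=json`. The policy below
is constructed sample data; "my-prod-project" is a placeholder.
"""
from __future__ import annotations

import json

PROJECT = "my-prod-project"  # placeholder, not a real project

# Basic (formerly "primitive") roles grant thousands of permissions across
# every service; least privilege means replacing them with predefined or
# custom roles scoped to the task.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

SAMPLE_POLICY = json.dumps({
    "version": 1,
    "etag": "BwXexampleEtag=",
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:dev@example.com", "user:cto@example.com"]},
        {"role": "roles/cloudsql.client",
         "members": ["serviceAccount:app@my-prod-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/logging.viewer", "members": ["group:sre@example.com"]},
    ],
})


def audit_policy(policy_json: str) -> list[dict[str, str]]:
    """Return one finding per (role, member) pair that violates the checks."""
    policy = json.loads(policy_json)
    findings: list[dict[str, str]] = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if role in BASIC_ROLES:
                findings.append({"role": role, "member": member,
                                 "issue": "basic role granted; scope down to a predefined or custom role"})
            if member in PUBLIC_MEMBERS:
                findings.append({"role": role, "member": member,
                                 "issue": "public principal; confirm the resource is intentionally public"})
    return findings


def owners(policy_json: str) -> list[str]:
    """Principals holding roles/owner on the project (should be a short, reviewed list)."""
    policy = json.loads(policy_json)
    return sorted(member
                  for binding in policy.get("bindings", [])
                  if binding["role"] == "roles/owner"
                  for member in binding.get("members", []))


def remediation_command(finding: dict[str, str], project: str = PROJECT) -> str:
    """gcloud command that removes the flagged binding (review before running)."""
    return (f"gcloud projects remove-iam-policy-binding {project} "
            f"--member='{finding['member']}' --role='{finding['role']}'")


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(f"{finding['role']:<30} {finding['member']:<50} {finding['issue']}")
        print("  fix:", remediation_command(finding))
```

Run it against real output by replacing `SAMPLE_POLICY` with the contents of the `gcloud` command's output; the remediation commands are printed rather than executed so that each removal is reviewed by a human, since dropping the last Owner binding would lock the team out of the project.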

153
MCQ · easy

A small e-commerce company runs its website on Compute Engine instances behind a Global External HTTP(S) Load Balancer. They are concerned about application-layer attacks such as SQL injection and cross-site scripting (XSS), which could compromise customer data, and about DDoS attacks that could degrade performance. The company wants a managed solution that provides both DDoS protection and web application firewall (WAF) capabilities without requiring constant manual updates. They have a limited budget and prefer a solution that is easy to configure and does not require extensive infrastructure changes. What should they implement?

A. Enable Cloud Armor with preconfigured WAF rules and configure it on the load balancer.
B. Configure VPC firewall rules to block suspicious IP addresses.
C. Set up Cloud NAT to route all traffic through a single IP address.
D. Use Cloud VPN to connect users to the load balancer.
Answer: A

Cloud Armor offers DDoS protection and WAF rules that can be easily applied to a load balancer.

Why this answer

Cloud Armor is a managed, Google Cloud-native service that provides both DDoS protection and a web application firewall (WAF) with preconfigured rule sets for SQL injection and XSS (derived from the OWASP ModSecurity Core Rule Set). It attaches as a security policy to the backend services of the Global External HTTP(S) Load Balancer, the preconfigured rules are maintained by Google so no manual signature updates are needed, and it is priced per policy, per rule and per request rather than requiring additional infrastructure. This meets the company's need for easy configuration, minimal infrastructure changes, and managed security.

Exam trap

The trap here is that candidates confuse network-layer security tools (VPC firewall rules, Cloud NAT, Cloud VPN) with application-layer security, assuming any Google Cloud networking feature can block web attacks, but only Cloud Armor provides managed WAF and DDoS protection at the application layer.

How to eliminate wrong answers

Option B is wrong because VPC firewall rules operate at the network layer (Layer 3/4) and match only on IP ranges, protocols and ports; they cannot inspect application-layer payloads for SQL injection or XSS strings, and because a global external load balancer proxies client connections, the VMs see traffic arriving from Google's proxy ranges rather than from the original client IPs in any case. Option C is wrong because Cloud NAT is used for outbound internet access from private instances, not for inbound traffic protection or application-layer filtering; it does not provide DDoS or WAF capabilities. Option D is wrong because Cloud VPN creates an encrypted tunnel for site-to-site connectivity, not for protecting public-facing web traffic from application-layer attacks; it does not inspect HTTP/HTTPS payloads or mitigate DDoS.

154
Multi-Select · medium

Which TWO actions are the customer's responsibility under the GCP shared responsibility model?

Select 2 answers
A. Managing user accounts and authentication
B. Encryption of data at rest by default
C. Configuring IAM policies to control access
D. Network infrastructure maintenance
E. Physical security of data centers
Answers: A, C

Correct: Customers manage their users and authentication methods.

Why this answer

Options A and C are correct. Managing user accounts and authentication, and configuring IAM policies to control access, are customer responsibilities: Google secures the platform, but who may do what inside the customer's projects is entirely the customer's decision. Physical data center security (Option E) and network infrastructure maintenance (Option D) are Google's responsibilities.

Default encryption of data at rest (Option B) is also Google's responsibility; customers may add their own controls on top, such as Customer-Managed Encryption Keys (CMEK) or client-side encryption before upload.

155
MCQ · easy

A startup wants to launch a new product globally within 2 weeks. If it relied on traditional on-premises infrastructure, provisioning servers would take 6–8 weeks. By using the public cloud, the startup can launch on time. Which cloud benefit does this scenario illustrate?

A. Economies of scale — the cloud provider has more purchasing power than the startup.
B. Speed and agility — cloud resources are provisioned in minutes, enabling faster time-to-market.
C. Geographic reach — the cloud provider has data centers in more regions.
D. Reliability — cloud providers have better uptime SLAs than on-premises servers.
Answer: B

Cloud's on-demand provisioning eliminates the 6–8 week hardware procurement cycle, allowing the startup to go from idea to global deployment in days.

Why this answer

Option B is correct because the scenario directly highlights how public cloud resources can be provisioned in minutes via APIs and automation, compared to the 6–8 weeks required for on-premises hardware procurement and setup. This speed and agility enable the startup to meet the 2-week launch deadline, demonstrating a core cloud benefit of rapid time-to-market.

Exam trap

The trap here is that candidates may confuse 'speed and agility' with 'geographic reach' because both involve rapid deployment, but the scenario explicitly contrasts provisioning time (weeks vs. minutes) rather than data center locations.

How to eliminate wrong answers

Option A is wrong because economies of scale refer to cost advantages from bulk purchasing, not provisioning speed; the scenario does not mention cost savings or pricing. Option C is wrong because geographic reach relates to deploying resources in multiple regions for low-latency access, but the scenario focuses on a single global launch timeline, not multi-region distribution. Option D is wrong because reliability and uptime SLAs address service availability, not the speed of resource provisioning; the scenario is about meeting a launch deadline, not ensuring continuous operation.

156
MCQ · easy

A company runs a web application on Compute Engine. During seasonal sales, traffic spikes unpredictably. The operations team wants to ensure the application scales automatically without manual intervention while minimizing cost. Which solution should they implement?

A. Create a managed instance group with a fixed number of instances.
B. Use an unmanaged instance group and manually add instances.
C. Use a managed instance group with autoscaling based on CPU utilization.
D. Use a single large VM with vertical scaling.
Answer: C

Autoscaling automatically adjusts instance count based on CPU utilization, providing elasticity and cost efficiency.

Why this answer

A managed instance group (MIG) with autoscaling based on CPU utilization is the correct solution because it automatically adjusts the number of VM instances in response to real-time traffic spikes, ensuring the application scales out during high demand and scales in during low demand. This eliminates manual intervention and optimizes cost by only running the necessary number of instances based on a target CPU utilization threshold (e.g., 60-80%).

Exam trap

Google Cloud often tests the distinction between horizontal and vertical scaling, where candidates mistakenly choose vertical scaling (Option D) because they think a larger VM is simpler, but they overlook the downtime, hard limits, and lack of elasticity required for unpredictable traffic spikes.

How to eliminate wrong answers

Option A is wrong because a managed instance group with a fixed number of instances cannot handle unpredictable traffic spikes; it would either be over-provisioned (wasting cost) or under-provisioned (causing performance degradation). Option B is wrong because an unmanaged instance group requires manual addition and removal of instances, which contradicts the requirement for automatic scaling without manual intervention. Option D is wrong because vertical scaling (resizing a single VM) has a hard limit on machine size, causes downtime during resizing, and does not provide the elasticity needed for unpredictable spikes, leading to either overpaying for idle capacity or failing to handle load.

157
MCQ · easy

Google Cloud encrypts all customer data at rest by default without any configuration required. A customer asks: 'Do we need to do anything special to encrypt our data stored in Cloud Storage?' What is the correct answer?

A. Yes, customers must enable encryption in the Cloud Storage bucket settings for each bucket.
B. No, Google Cloud encrypts all data at rest automatically using AES-256 — no configuration is needed.
C. Only data in premium storage tiers is encrypted; Standard storage requires manual encryption.
D. Customers must purchase the Security Command Center Premium tier to enable data encryption.
Answer: B

All Google Cloud storage services encrypt data at rest by default with AES-256. Customers receive encryption without any setup, and can optionally use CMEK for key management control.

Why this answer

Option B is correct because Google Cloud automatically encrypts all customer data at rest using AES-256 encryption, with no configuration required. This default encryption applies to all Cloud Storage buckets, regardless of storage class or region, and the encryption keys are managed by Google Cloud unless the customer chooses to use Customer-Managed Encryption Keys (CMEK) or Customer-Supplied Encryption Keys (CSEK).

Exam trap

The trap here is that candidates may assume encryption requires explicit action (like enabling a setting or purchasing an add-on) because many cloud providers or on-premises systems require manual configuration, but Google Cloud encrypts all data at rest by default with no customer effort.

How to eliminate wrong answers

Option A is wrong because it implies that encryption must be manually enabled per bucket, but Google Cloud encrypts all data at rest by default without any bucket-level configuration. Option C is wrong because it falsely claims that only premium storage tiers are encrypted; in reality, all storage tiers—including Standard, Nearline, Coldline, and Archive—are encrypted at rest by default. Option D is wrong because it suggests that encryption requires purchasing Security Command Center Premium, which is a security and threat detection service, not a prerequisite for data encryption.

158
Multi-Select · easy

A company is adopting cloud to improve operational efficiency. Which TWO benefits are directly associated with cloud's resource pooling characteristic?

Select 2 answers
A. Cost optimization
B. Dedicated hardware
C. Custom hardware
D. Multi-tenancy
E. Increased downtime
Answers: A, D

Sharing resources reduces costs through economies of scale.

Why this answer

Option A is correct because resource pooling allows the cloud provider to dynamically allocate and reallocate physical and virtual resources among multiple customers based on demand, which drives cost optimization through economies of scale and higher utilization rates. Option D is correct because multi-tenancy is a direct outcome of resource pooling, where a single physical infrastructure serves multiple tenants securely, maximizing resource usage and reducing per-tenant costs.

Exam trap

Google Cloud often tests the misconception that resource pooling implies dedicated or custom hardware for performance, when in fact it relies on shared, standardized infrastructure to achieve cost and efficiency gains.

159
MCQ · hard

A company's application traffic is served by a Google Cloud global HTTP load balancer. They want to understand how request traffic distributes across backend instances in different regions. Which metric best represents this distribution?

A. `compute/instance/cpu/utilization` per instance group.
B. `loadbalancing/https/request_count` filtered by backend service and region.
C. `networking/vm_flow/egress_bytes_count` per VM.
D. `logging/log_entry_count` filtered by region.
Answer: B

This load balancer metric counts requests per backend service/region. Monitoring it across regions shows exactly how traffic distributes, identifying imbalances or regional routing issues.

Why this answer

The `loadbalancing/https/request_count` metric, when filtered by backend service and region, directly shows the number of requests handled by each regional backend. This allows you to see how traffic is distributed across regions, which is exactly what the question asks for.

Exam trap

The trap here is that candidates confuse metrics that measure backend health or resource usage (like CPU utilization) with metrics that directly measure traffic distribution, leading them to pick a metric that only indirectly relates to request counts.

How to eliminate wrong answers

Option A is wrong because `compute/instance/cpu/utilization` measures CPU usage, not request distribution, and is not specific to load balancer traffic. Option C is wrong because `networking/vm_flow/egress_bytes_count` tracks outbound bytes from VMs, not inbound request counts from the load balancer. Option D is wrong because `logging/log_entry_count` counts log entries, not HTTP requests, and filtering by region would show log volume, not traffic distribution.

160
MCQ · hard

A healthcare provider wants to use AI to analyze medical images while complying with HIPAA. They need a secure environment that supports model training and inference. Which Google Cloud capability is most critical for this transformation?

A. Cloud Healthcare API with AI Platform
B. BigQuery for storing and querying images
C. Cloud Vision API for image classification
D. Google Kubernetes Engine (GKE) with custom containers
Answer: A

Cloud Healthcare API is covered by Google's HIPAA Business Associate Agreement (BAA) and provides compliant storage for DICOM, FHIR and HL7v2 data plus built-in de-identification, which together enable AI model training on medical images. HIPAA compliance itself remains a shared responsibility: the customer must still accept the BAA and configure access controls and audit logging correctly.

Why this answer

Cloud Healthcare API provides HIPAA-eligible storage and interoperability for medical imaging data, plus integration with AI Platform (now Vertex AI) for model training and inference. Option D is wrong because GKE with custom containers is flexible but leaves the customer to build and maintain compliant data handling, de-identification and controls themselves. Option C is wrong because Cloud Vision API is a pretrained, general-purpose image API; it does not train custom models on medical images and provides no healthcare-specific storage or de-identification.

Option B is wrong because BigQuery is an analytics warehouse for structured data, not a store or processing engine for medical images.

161
MCQ · easy

A company exports all their Google Cloud logs to Cloud Storage for long-term retention required by their compliance policy (7-year log retention). Which Cloud Logging feature enables routing logs to Cloud Storage?

A. Cloud Logging automatically archives all logs to Cloud Storage with no configuration needed.
B. Configure a Cloud Logging sink (log router) that routes logs to a Cloud Storage bucket.
C. Enable log streaming in Cloud Storage settings to receive logs from Cloud Logging.
D. Use the Cloud Logging API to periodically download logs and upload them to Cloud Storage.
Answer: B

Log sinks route selected log entries to a destination (Cloud Storage, BigQuery, Pub/Sub). A sink pointing to a GCS bucket with 7-year retention achieves the compliance archival requirement.

Why this answer

Cloud Logging uses sinks (log routers) to export logs to supported destinations, including Cloud Storage. A sink defines a filter and a destination; when configured, it routes matching log entries to the specified Cloud Storage bucket for long-term retention. This is the only native mechanism for continuous, automated log export without custom scripting.

Exam trap

The trap here is that candidates assume Cloud Logging automatically archives logs to Cloud Storage (Option A) because of the 'retention' wording, but in reality a sink is required for any export, and the _Default log bucket retains entries for only 30 days.

How to eliminate wrong answers

Option A is wrong because Cloud Logging does not automatically archive logs to Cloud Storage; logs are retained for a default period (30 days for logs in the default bucket) and must be explicitly routed via a sink for long-term storage. Option C is wrong because Cloud Storage does not have a 'log streaming' setting; logs are written as objects, not streamed, and the feature described does not exist. Option D is wrong because using the Cloud Logging API to periodically download and upload logs is not a built-in feature; it would require custom code, introduces latency and potential data loss, and violates the principle of using native routing via sinks.

162
MCQ · medium

A startup based in London wants to expand its SaaS application to serve customers in 15 countries across North America, Asia, and Europe — all within 6 months. Without cloud infrastructure, building data centers in each region would take years and cost hundreds of millions. How does cloud specifically enable this global expansion timeline?

A. Cloud providers handle all legal and regulatory compliance in each country, so the startup only focuses on code.
B. Google Cloud's existing global region infrastructure allows the startup to deploy in new markets within hours using the same code and IaC, without building physical data centers.
C. Cloud providers assign local account managers who negotiate office leases and hire local staff on the startup's behalf.
D. The startup doesn't need to worry about data localization because cloud data is globally distributed by default.
Answer: B

Google's pre-built global regions eliminate the years-long data center construction timeline. Infrastructure-as-code makes multi-region deployment repeatable and fast — hours instead of years.

Why this answer

Option B is correct because Google Cloud's global infrastructure, consisting of regions and zones interconnected by a high-speed private network, allows the startup to deploy its SaaS application in new markets within hours using Infrastructure as Code (IaC) tools like Terraform or Deployment Manager. This eliminates the need to build and operate physical data centers, which would take years and cost hundreds of millions, directly enabling the 6-month expansion timeline.

Exam trap

Google Cloud often tests the misconception that cloud providers fully automate non-infrastructure business tasks (like legal compliance or local hiring) or that cloud data is automatically globally distributed without user control, leading candidates to overestimate the scope of cloud provider responsibilities.

How to eliminate wrong answers

Option A is wrong because cloud providers do not handle all legal and regulatory compliance; they provide compliance certifications and tooling (e.g., Google Cloud's Compliance Reports Manager), but the startup remains responsible for ensuring its application and data handling meet local laws such as GDPR or CCPA. Option C is wrong because cloud providers do not assign local account managers to negotiate office leases or hire local staff; these are business operations tasks unrelated to cloud infrastructure services. Option D is wrong because cloud data is not globally distributed by default; the startup chooses the region for each resource, data localization laws often require data to stay within specific geographic boundaries, and Google Cloud offers controls such as the resource locations organization policy constraint and Assured Workloads to enforce that, not automatic global distribution.

163
MCQ · hard

A city government deploys thousands of IoT sensors (traffic, air quality, energy usage, waste levels) and analyzes the data in real time to optimize traffic signals, dispatch waste collection vehicles proactively, and adjust street lighting automatically. What concept describes this use of cloud and IoT?

A. E-government — providing digital access to government services online.
B. Smart city — using cloud, IoT, and AI to optimize city operations and resource utilization in real time.
C. Digital twin — creating virtual replicas of city infrastructure.
D. Edge computing — processing data locally at each sensor to reduce cloud bandwidth.
Answer: B

Smart city combines IoT sensors → cloud ingestion → real-time analytics → automated response to make cities more efficient. Traffic, utilities, waste management, and public safety all benefit from this approach.

Why this answer

A smart city uses digital technology — IoT sensors, cloud analytics, AI, and connectivity — to optimize city operations, improve resident quality of life, and use resources more efficiently. Cloud platforms receive sensor data via Pub/Sub (Cloud IoT Core, the former managed device front end, was retired in 2023), process it with Dataflow, analyze patterns with BigQuery and AI, and trigger automated responses (traffic signal changes, dispatch notifications). This is one of the most impactful applications of cloud transformation at city scale.

164
MCQ · easy

What is the difference between a Service Level Indicator (SLI), a Service Level Objective (SLO), and a Service Level Agreement (SLA)?

A. SLI is the contract with customers; SLO is the internal target; SLA is the measurement.
B. SLI is the measured metric; SLO is the internal target for that metric; SLA is the contractual customer commitment.
C. SLI, SLO, and SLA are all the same thing — different names for uptime guarantees.
D. SLA is measured in milliseconds; SLO is measured in percentage; SLI has no unit.
Answer: B

SLI measures performance (e.g., 99.95% availability). SLO sets the internal reliability goal (e.g., maintain 99.9%). SLA is the customer contract (e.g., credit if < 99.5%).

Why this answer

Option B is correct because it accurately defines the relationship: an SLI is a specific metric (e.g., request latency at the 99th percentile), an SLO is the internal target for that metric (e.g., 99.9% of requests under 200ms), and an SLA is the contractual commitment to a customer (e.g., 99.9% uptime with financial penalties). This aligns with Google Cloud's Site Reliability Engineering (SRE) practices, where SLIs are measured, SLOs are internal goals, and SLAs are legal agreements.

Exam trap

Google Cloud often tests the confusion between SLI, SLO, and SLA by swapping their definitions, so the trap here is assuming SLI is the contract or that all three terms are synonymous, when in reality they form a hierarchy of measurement, target, and agreement.

How to eliminate wrong answers

Option A is wrong because it swaps SLI and SLA: the SLI is the measurement, not the contract, and the SLA is the contract, not the measurement; its description of the SLO as the internal target is the one correct part, but the option as a whole is wrong. Option C is wrong because SLI, SLO, and SLA are distinct concepts with different purposes—SLIs are metrics, SLOs are targets, and SLAs are contracts—they are not interchangeable terms for uptime guarantees. Option D is wrong because it incorrectly assigns units: SLIs can have various units (e.g., milliseconds, percentage, count), SLOs are typically expressed as percentages or thresholds, and SLAs are not measured in milliseconds but define contractual commitments.
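As an added worked example (not from the exam page), the code below measures two SLIs from constructed request records, compares each against a hypothetical internal SLO of 99.9% and a looser contractual SLA of 99.5%, and reports how much of the SLO error budget remains. It makes the hierarchy in Option B concrete and also shows the realistic case where an SLO is missed without the SLA being breached. The request data, thresholds and 200 ms latency cut-off are all assumptions for the example.

```python
"""SLI -> SLO -> SLA worked example (added; not from the exam page).

The SLI is what we measure, the SLO is the internal target for it, and the
SLA is the looser contractual threshold. Request records and thresholds are
constructed sample data; exact fractions keep the arithmetic exact.
"""
from __future__ import annotations

from dataclasses import dataclass
from fractions import Fraction

SLO_TARGET = Fraction("0.999")  # internal goal: 99.9 % of requests good
SLA_TARGET = Fraction("0.995")  # contract: credits owed below 99.5 %
LATENCY_THRESHOLD_MS = 200      # a request slower than this counts as bad


@dataclass(frozen=True)
class Request:
    status: int       # HTTP status code returned to the client
    latency_ms: float


def sample_requests() -> list[Request]:
    """Constructed 30-day sample: 10,000 requests, 6 server errors, 30 slow."""
    return ([Request(200, 50.0)] * 9964
            + [Request(200, 350.0)] * 30
            + [Request(503, 20.0)] * 6)


def availability_sli(requests: list[Request]) -> Fraction:
    """Fraction of requests that did not fail with a 5xx."""
    good = sum(1 for r in requests if r.status < 500)
    return Fraction(good, len(requests))


def latency_sli(requests: list[Request],
                threshold_ms: float = LATENCY_THRESHOLD_MS) -> Fraction:
    """Fraction of requests served within the latency threshold."""
    fast = sum(1 for r in requests if r.latency_ms <= threshold_ms)
    return Fraction(fast, len(requests))


def error_budget_remaining(sli: Fraction, slo: Fraction = SLO_TARGET) -> Fraction:
    """Share of the SLO's allowed failures not yet used; negative means overspent."""
    return 1 - (1 - sli) / (1 - slo)


def classify(sli: Fraction, slo: Fraction = SLO_TARGET,
             sla: Fraction = SLA_TARGET) -> str:
    """Where the measured SLI sits relative to the internal and contractual lines."""
    if sli >= slo:
        return "within SLO"
    if sli >= sla:
        return "SLO missed, SLA met"
    return "SLA breached"


if __name__ == "__main__":
    reqs = sample_requests()
    for name, sli in (("availability", availability_sli(reqs)),
                      ("latency", latency_sli(reqs))):
        print(f"{name:<13} SLI={float(sli):.4%}  "
              f"budget remaining={float(error_budget_remaining(sli)):+.0%}  {classify(sli)}")
```

With this sample the availability SLI is 99.94% (within SLO, 40% of the error budget left) while the latency SLI is 99.70%: the internal SLO is missed and the budget is overspent, so engineering work should shift to reliability, yet no SLA credits are owed because the contractual line is 99.5%. That gap between SLO and SLA is deliberate in SRE practice; it gives the team room to react before a breach becomes a customer-facing contractual event.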

165
MCQ · medium

A company stores its data in Google Cloud. The security team asks: can Google employees access our customer data without our knowledge or consent? What does Google's commitment ensure?

A. Google employees have unrestricted access to all customer data as part of the infrastructure service agreement.
B. Google commits that customer data is not accessed without authorization, with access logged via Access Transparency and governed by contractual data processing commitments.
C. Google uses customer data to train its global AI models to improve services.
D. Customer data stored in Google Cloud is automatically accessible by government agencies on request.
Answer: B

Google's contractual commitments (Cloud Data Processing Addendum), Access Transparency logging, and technical controls ensure customer data is only accessed for authorized purposes, with full auditability.

Why this answer

Option B is correct because Access Transparency produces near-real-time logs of actions Google personnel take when they access customer content, including the business justification for the access, and Access Approval can additionally require the customer's explicit approval before such access proceeds. Contractual data processing commitments under the Cloud Data Processing Addendum (CDPA) prohibit access for purposes other than those the customer has authorized or that are required to meet legal obligations. Together these address the security team's concern about both knowledge and consent.

Exam trap

Google Cloud often tests the misconception that cloud providers have unfettered access to customer data or use it for model training, but the correct answer hinges on understanding that Google Cloud's contractual and technical controls (like Access Transparency) explicitly prevent unauthorized access and that customer data is not used to train Google's models without the customer's permission.

How to eliminate wrong answers

Option A is wrong because Google employees do not have unrestricted access; access is strictly controlled, logged via Access Transparency, and governed by contractual commitments. Option C is wrong because Google Cloud's terms commit that customer data is not used to train Google's foundation models without the customer's permission or instruction; this is a common misconception. Option D is wrong because customer data is not automatically accessible by government agencies; any government request must follow legal processes, and Google provides transparency reports and notifies customers where legally permitted.

166
MCQ · easy

A development team builds a mobile app using Firebase. They need a real-time database that syncs data across all connected clients instantly (e.g., a collaborative to-do app where all users see updates in real-time). Which Firebase/Google Cloud service provides this?

A. Cloud SQL with read replicas to distribute updates to clients.
B. Cloud Firestore or Firebase Realtime Database for real-time data sync across all connected clients.
C. BigQuery streaming inserts for real-time data delivery to mobile clients.
D. Cloud Pub/Sub subscriptions on the mobile clients.
Answer: B

Firestore provides real-time listeners — when data changes, the SDK automatically delivers updates to all subscribed clients. This enables truly real-time collaborative apps without polling.

Why this answer

Cloud Firestore and Firebase Realtime Database are the only Firebase/Google Cloud services that provide real-time data synchronization across all connected clients. Each client keeps a persistent connection open (a WebSocket or streaming channel, falling back to long-polling where needed) so that server-side writes are pushed to every attached listener within milliseconds, making them ideal for collaborative apps like a shared to-do list.

Exam trap

Google Cloud often tests the misconception that any 'real-time' or 'streaming' service (like BigQuery streaming inserts or Pub/Sub) can serve as a real-time database for mobile clients, ignoring the need for persistent client connections and built-in data synchronization.

How to eliminate wrong answers

Option A is wrong because Cloud SQL is a relational database that does not natively support real-time client sync; read replicas distribute read traffic but do not push updates to mobile clients. Option C is wrong because BigQuery streaming inserts are designed for ingesting large volumes of data for analytics, not for delivering real-time updates to individual mobile clients. Option D is wrong because Cloud Pub/Sub is a message-oriented middleware for decoupling services, not a database; mobile clients would need a separate backend to subscribe and persist state, adding latency and complexity.

167
MCQ · medium

A company wants to allow a third-party security firm to conduct a penetration test against their Google Cloud environment to identify vulnerabilities. What is Google Cloud's policy on penetration testing?

A. Customers must submit a formal request to Google and wait for written approval before any penetration testing.
B. Customers are authorized to penetration test their own GCP resources without prior Google approval, within the Acceptable Use Policy.
C. Penetration testing is illegal in cloud environments and customers should use vulnerability scanners instead.
D. Google automatically performs penetration testing on all customer resources monthly and shares the report.
Answer: B

GCP customers can test their own resources (VMs, apps, APIs) without notifying Google. Tests must comply with Google's AUP — targeting other customers' resources or Google's core infrastructure is prohibited.

Why this answer

Google Cloud's policy explicitly authorizes customers to conduct penetration testing on their own GCP resources without prior approval from Google, as long as the testing complies with the Acceptable Use Policy. This is because Google treats the customer's environment as their own responsibility, and the shared responsibility model places security testing under the customer's control. Option B correctly reflects this policy, which is documented in Google Cloud's security testing guidelines.

Exam trap

The trap here is that candidates may assume all cloud providers require prior approval (like AWS's old policy), but Google Cloud explicitly allows testing without approval, making Option A a common distractor.

How to eliminate wrong answers

Option A is wrong because Google Cloud does not require customers to submit a formal request or wait for written approval before penetration testing; instead, testing is authorized as long as it adheres to the Acceptable Use Policy. Option C is wrong because penetration testing is not illegal in cloud environments; Google Cloud explicitly permits it for customer resources, and vulnerability scanners are a complementary tool, not a replacement. Option D is wrong because Google does not automatically perform penetration testing on all customer resources monthly; the shared responsibility model means customers are responsible for testing their own resources, and Google does not share such reports with customers.

168
MCQ · easy

A company wants to enable its developers to write and run code in various programming languages (Python, Node.js, Go) without provisioning or managing any servers. The code should execute in response to HTTP requests. Which Google Cloud product is designed for this serverless, function-level execution model?

A.Cloud Functions, which executes code functions in response to events or HTTP requests with no server management required
B.Compute Engine, which provides virtual machines for running code in any language
C.Cloud SQL, which runs SQL queries in response to HTTP requests
D.Persistent Disk, which stores code that can be executed on demand
AnswerA

Cloud Functions is exactly the right fit: serverless, supports multiple languages, triggered by HTTP requests, billed per invocation, scales from zero automatically. Developers focus on writing function code with no infrastructure concerns.

Why this answer

Cloud Functions is the correct choice because it is Google Cloud's event-driven, serverless compute platform that allows developers to write and deploy single-purpose functions in languages like Python, Node.js, and Go. These functions automatically scale and execute in response to HTTP triggers (e.g., HTTP requests) without any server provisioning or management, directly matching the requirement for a function-level execution model.

Exam trap

Google Cloud often tests the distinction between serverless compute (Cloud Functions) and managed services that still require server management (Compute Engine) or are not compute services at all (Cloud SQL, Persistent Disk), leading candidates to confuse database or storage services with code execution platforms.

How to eliminate wrong answers

Option B is wrong because Compute Engine provides virtual machines (VMs) that require manual provisioning, scaling, and management of servers, which contradicts the 'no server management' requirement. Option C is wrong because Cloud SQL is a fully managed relational database service (MySQL, PostgreSQL, SQL Server) that executes SQL queries, not arbitrary code in response to HTTP requests. Option D is wrong because Persistent Disk is a block storage service for attaching durable storage to Compute Engine instances; it cannot execute code or respond to HTTP requests on its own.

169
MCQmedium

A hospital runs a patient records system that must remain on-premises due to strict regulatory data residency requirements. However, they also want to use cloud-based AI for diagnostic imaging analysis. Which cloud deployment model best describes their architecture?

A.Public cloud — all workloads run in a provider's infrastructure.
B.Private cloud — all workloads run in the hospital's own infrastructure.
C.Hybrid cloud — combining on-premises infrastructure with public cloud services.
D.Multi-cloud — using multiple public cloud providers simultaneously.
AnswerC

Hybrid cloud connects on-premises (patient records, regulatory compliance) with public cloud (AI imaging analysis). This is the textbook hybrid cloud pattern for regulated industries.

Why this answer

The hospital must keep patient records on-premises to comply with data residency regulations, but wants to leverage cloud-based AI for diagnostic imaging. A hybrid cloud model combines on-premises infrastructure (for sensitive data) with public cloud services (for AI processing), allowing data to remain resident while compute-intensive tasks are offloaded. This matches the scenario exactly, as hybrid cloud enables workload distribution across private and public environments.

Exam trap

Google Cloud often tests the distinction between multi-cloud and hybrid cloud: candidates confuse 'multi-cloud' (several public providers) with 'hybrid cloud' (on-premises or private infrastructure plus public cloud), failing to recognize that on-premises infrastructure is the defining component of hybrid cloud. Hybrid does not require an even split of workloads; keeping only the regulated data on-premises still qualifies.

How to eliminate wrong answers

Option A is wrong because a public cloud would require all workloads, including patient records, to run in the provider's infrastructure, violating the on-premises data residency requirement. Option B is wrong because a private cloud would keep everything on-premises, failing to utilize cloud-based AI services for diagnostic imaging. Option D is wrong because multi-cloud involves using multiple public cloud providers, but does not inherently include on-premises infrastructure, so it cannot satisfy the data residency constraint.

170
MCQmedium

A company has multiple teams deploying to Google Cloud and wants to allocate cloud costs by team. Each team should see only their own costs and be accountable for their spending. Which Google Cloud feature enables this cost allocation and visibility?

A.Create one large project for all teams and split the bill manually at month-end.
B.Use separate projects per team within a folder structure, with resource labels for sub-team cost attribution.
C.Purchase dedicated hardware for each team so costs are inherently separate.
D.Use Cloud Identity to create separate accounts for each team and bill separately.
AnswerB

Separate projects give each team their own billing boundary. Cloud Billing reports costs by project. Labels provide further granularity. Billing budgets per project keep teams accountable.

Why this answer

Option B is correct because Google Cloud's resource hierarchy allows you to create separate projects per team within a folder structure, and resource labels provide granular cost attribution for sub-teams or environments. This enables each team to see only their own costs via billing export and cost breakdowns in the Cloud Billing console, ensuring accountability without manual splitting.
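The attribution logic described above, as an added example that is not part of the original page or of any Google tooling. The billing rows are constructed to mimic the shape of the Cloud Billing BigQuery export (project.id, a labels array of key/value pairs, cost, currency); the project-to-team ownership map and the budgets are assumptions. The point it makes: the project is the hard boundary that billing reports on, labels only refine attribution inside it, and unlabelled or unowned spend must stay visible rather than vanish from the report.

```python
"""Attribute Cloud Billing export rows to teams by project, then by label.

Added example, not code from the original page or from Google. The rows
below are constructed to mimic the shape of the Cloud Billing BigQuery
export (project.id, labels[] of {key, value}, cost, currency); real export
rows carry many more fields. The project-to-team ownership map and the
budgets are assumptions for the demonstration.
"""
from collections import defaultdict

# Constructed sample rows (not real billing data).
BILLING_ROWS = [
    {"project": {"id": "payments-prod"},
     "labels": [{"key": "team", "value": "payments"}, {"key": "component", "value": "api"}],
     "cost": 120.0, "currency": "USD"},
    {"project": {"id": "payments-prod"},
     "labels": [{"key": "team", "value": "payments"}, {"key": "component", "value": "db"}],
     "cost": 80.0, "currency": "USD"},
    {"project": {"id": "search-prod"},
     "labels": [{"key": "team", "value": "search"}],
     "cost": 300.0, "currency": "USD"},
    {"project": {"id": "search-prod"}, "labels": [], "cost": 25.0, "currency": "USD"},
    {"project": {"id": "sandbox-ml"},
     "labels": [{"key": "component", "value": "notebooks"}],
     "cost": 40.0, "currency": "USD"},
]

# Which team owns which project, as the folder structure would encode it (assumed).
PROJECT_TEAM = {"payments-prod": "payments", "search-prod": "search"}


def label_value(row, key):
    """Return the value of label `key` on a billing row, or None if absent."""
    for lab in row.get("labels", []):
        if lab["key"] == key:
            return lab["value"]
    return None


def cost_by_project(rows):
    """The hard boundary: projects are what Cloud Billing reports on natively."""
    totals = defaultdict(float)
    for r in rows:
        totals[r["project"]["id"]] += r["cost"]
    return dict(totals)


def cost_by_team_and_component(rows, project_team):
    """Team comes from project ownership (enforced by the hierarchy); the
    `component` label only refines it. Labels are best effort, so rows with
    no label land in '(unlabelled)' and projects nobody owns land in
    'unattributed' rather than disappearing from the report."""
    totals = defaultdict(lambda: defaultdict(float))
    for r in rows:
        team = project_team.get(r["project"]["id"], "unattributed")
        component = label_value(r, "component") or "(unlabelled)"
        totals[team][component] += r["cost"]
    return {team: dict(parts) for team, parts in totals.items()}


def teams_over_budget(rows, project_team, budgets):
    """Names of teams whose spend exceeds their budget; anything not in
    `budgets` has a budget of zero, so orphaned spend is always flagged."""
    by_team = cost_by_team_and_component(rows, project_team)
    totals = {team: sum(parts.values()) for team, parts in by_team.items()}
    return sorted(team for team, total in totals.items() if total > budgets.get(team, 0.0))


if __name__ == "__main__":
    print(cost_by_project(BILLING_ROWS))
    print(cost_by_team_and_component(BILLING_ROWS, PROJECT_TEAM))
    print(teams_over_budget(BILLING_ROWS, PROJECT_TEAM, {"payments": 150.0, "search": 400.0}))
```

In a real deployment the same grouping is a `GROUP BY project.id, label.value` over the export table, and the per-team budget alerts come from Cloud Billing budgets scoped to each project; the example keeps the logic local so the edge cases (missing labels, projects outside the hierarchy map) are visible.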

Exam trap

Google Cloud often tests the misconception that Cloud Identity can be used for billing separation, but Cloud Identity is for user authentication and directory services, not for cost allocation or billing account management.

How to eliminate wrong answers

Option A is wrong because creating one large project for all teams and splitting the bill manually at month-end is error-prone, lacks real-time visibility, and violates the principle of least privilege for cost data. Option C is wrong because purchasing dedicated hardware for each team is not a Google Cloud feature; it contradicts the cloud's shared infrastructure model and would eliminate the benefits of elasticity and pay-as-you-go pricing. Option D is wrong because Cloud Identity is used for identity and access management, not for billing separation; separate accounts would require separate billing accounts, which is not a scalable or recommended approach for team-level cost allocation.

171
MCQmedium

A company has deployed a critical application on Google Cloud and wants to understand what happens to their workloads during a Google Cloud data center maintenance event (e.g., host system upgrades). What Google Compute Engine feature handles this automatically for most VMs?

A.VMs are terminated and restarted automatically on new hardware, causing a few minutes of downtime.
B.Live migration transparently moves VMs to healthy hosts during maintenance with no VM downtime.
C.VMs are snapshotted, the snapshot is restored on new hardware, and the VM is restarted.
D.Customers must subscribe to Google Cloud support to receive advance notice and schedule their own maintenance windows.
AnswerB

Compute Engine's live migration moves running VMs between physical hosts during maintenance events. The VM continues running — there's no stop/start cycle and no application downtime.

Why this answer

Google Compute Engine uses Live Migration to automatically move running VMs from a host undergoing maintenance (e.g., host system upgrades) to a healthy host without interrupting the VM. This process preserves the VM's memory, network connections, and disk state, resulting in zero VM downtime. It is enabled by default for most VM instances; the exceptions are VMs with attached GPUs, preemptible/Spot VMs, and instances whose host-maintenance policy has been explicitly set to TERMINATE, all of which are stopped for the maintenance event instead.
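An inventory check for the exceptions just listed, as an added example that is not part of the original page or of Google's tooling. The instance records are constructed to follow the field names that `gcloud compute instances describe` returns (scheduling.onHostMaintenance, scheduling.preemptible, scheduling.automaticRestart, guestAccelerators); they are not real instances. The rules it encodes: GPU VMs must use TERMINATE and cannot be live-migrated, preemptible/Spot VMs are stopped rather than migrated, and any other VM with onHostMaintenance=TERMINATE is stopped and, if automaticRestart is false, stays down.

```python
"""Flag Compute Engine VMs that host maintenance will stop instead of live-migrate.

Added example, not from the original page or from Google's tooling. The
instance records are constructed (not real instances) and follow the field
names returned by `gcloud compute instances describe`.
"""

# Constructed inventory (not real instances).
INSTANCES = [
    {"name": "web-1", "zone": "us-central1-a",
     "scheduling": {"onHostMaintenance": "MIGRATE", "automaticRestart": True, "preemptible": False}},
    {"name": "batch-spot", "zone": "us-central1-a",
     "scheduling": {"onHostMaintenance": "TERMINATE", "automaticRestart": False,
                    "preemptible": True, "provisioningModel": "SPOT"}},
    {"name": "ml-gpu", "zone": "us-central1-b",
     "scheduling": {"onHostMaintenance": "TERMINATE", "automaticRestart": True},
     "guestAccelerators": [{"acceleratorType": "nvidia-tesla-t4", "acceleratorCount": 1}]},
    {"name": "legacy-db", "zone": "us-central1-a",
     "scheduling": {"onHostMaintenance": "TERMINATE", "automaticRestart": False}},
]


def is_spot(sched):
    return bool(sched.get("preemptible")) or sched.get("provisioningModel") == "SPOT"


def maintenance_risk(instance):
    """Reasons this VM is interrupted by host maintenance; an empty list
    means it is live-migrated with no downtime."""
    sched = instance.get("scheduling", {})
    reasons = []
    if instance.get("guestAccelerators"):
        reasons.append("has GPUs: must use TERMINATE, cannot be live-migrated")
    elif is_spot(sched):
        reasons.append("preemptible/Spot VM: stopped, not migrated")
    elif sched.get("onHostMaintenance") == "TERMINATE":
        reasons.append("onHostMaintenance=TERMINATE: stopped on maintenance")
    if reasons and not is_spot(sched) and not sched.get("automaticRestart", False):
        reasons.append("automaticRestart=false: will not come back after the event")
    return reasons


def audit(instances):
    """Map of instance name -> reasons, for every VM that has at least one."""
    return {i["name"]: maintenance_risk(i) for i in instances if maintenance_risk(i)}


def remediation(instance):
    """For a plain VM that merely carries the wrong policy the fix is a
    scheduling change (real gcloud subcommand and flags). GPU and Spot VMs
    cannot be fixed this way; they need a maintenance-tolerant design."""
    sched = instance.get("scheduling", {})
    if not maintenance_risk(instance) or instance.get("guestAccelerators") or is_spot(sched):
        return None
    return (f"gcloud compute instances set-scheduling {instance['name']} "
            f"--zone {instance['zone']} --maintenance-policy MIGRATE --restart-on-failure")


if __name__ == "__main__":
    for name, reasons in audit(INSTANCES).items():
        print(name, reasons, remediation(next(i for i in INSTANCES if i["name"] == name)))
```

Run against real output by piping `gcloud compute instances list --format=json` into the same functions; the interesting finding is usually the `legacy-db` case, a plain VM someone once set to TERMINATE that will now disappear for the length of every maintenance event.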

Exam trap

The trap here is that candidates confuse Live Migration with a restart or snapshot-based recovery, assuming maintenance always causes downtime, when in fact Google's Live Migration provides seamless, zero-downtime maintenance for the vast majority of VM instances.

How to eliminate wrong answers

Option A is wrong because VMs are not terminated and restarted; Live Migration moves them transparently with no downtime, not a few minutes of downtime. Option C is wrong because snapshots are not used for maintenance events; Live Migration transfers the VM's live memory and disk state directly, not via snapshot-and-restore. Option D is wrong because Google Cloud does not require customers to subscribe to support for maintenance handling; Live Migration is automatic and free for eligible VMs, and advance notice is provided only for VMs that cannot be live-migrated (e.g., those with GPUs).

172
MCQeasy

An organization wants to ensure business continuity by replicating critical data to a different region. Which Google Cloud feature should they use?

A.Cloud Storage dual-region or multi-region
B.Cloud Dataflow
C.Compute Engine instance groups
D.Cloud VPN
AnswerA

Dual-region and multi-region are bucket location types, not storage classes: a bucket created in one of them automatically keeps replicated copies of every object in geographically separated regions, so the data survives a regional outage.

Why this answer

Cloud Storage dual-region or multi-region buckets are the correct choice because replication is built in: every object is stored redundantly across geographically separated regions (two named regions for dual-region, a larger geographic area such as US or EU for multi-region), protecting against a regional failure without additional infrastructure or manual copying. Replication is asynchronous by default; dual-region buckets can enable turbo replication for a 15-minute recovery point objective. One caveat a practitioner should keep in mind: replication also propagates deletions and overwrites, so for backup-grade protection pair the location type with Object Versioning or a bucket retention policy rather than relying on geo-redundancy alone.

Exam trap

Google Cloud often tests the misconception that Compute Engine instance groups or Cloud VPN provide data replication, when in fact they only manage compute or network connectivity, respectively, and candidates must recognize that native storage replication requires a storage service like Cloud Storage with dual-region or multi-region configuration.

How to eliminate wrong answers

Option B is wrong because Cloud Dataflow is a fully managed service for stream and batch data processing pipelines, not a data replication or storage solution; it does not inherently replicate data across regions for business continuity. Option C is wrong because Compute Engine instance groups provide auto-scaling and load balancing for virtual machines, but they do not replicate data; they only manage compute resources, and any data replication would require separate storage or database services. Option D is wrong because Cloud VPN establishes an encrypted tunnel between on-premises networks and Google Cloud, enabling secure connectivity but not replicating data; it is a networking tool, not a data replication or storage service.

173
MCQeasy

Which term describes the practice of building and delivering software in small, frequent iterations — releasing updates continuously rather than in large, infrequent releases — enabled by cloud automation and DevOps culture?

A.Waterfall development — a linear, sequential approach to software delivery.
B.Continuous integration and continuous delivery (CI/CD) — frequent, automated software releases.
C.Technical debt management — paying off historical codebase problems before release.
D.Change advisory board (CAB) process — committees approving each software release.
AnswerB

CI/CD automates build, test, and deployment pipelines to deliver software changes rapidly and reliably. Cloud services (Cloud Build, etc.) are purpose-built to support CI/CD workflows.

Why this answer

Option B is correct because CI/CD is the practice of automating the build, test, and deployment pipeline to deliver small, frequent updates continuously. On Google Cloud this is enabled by services such as Cloud Build (build and test automation) and Cloud Deploy (managed delivery pipelines), together with the DevOps culture that breaks away from large, infrequent releases. The question's description of 'small, frequent iterations' and 'releasing updates continuously' is the textbook definition of CI/CD.

Exam trap

Google Cloud often tests the distinction between CI/CD as a delivery practice and CAB as a governance process, trapping candidates who confuse 'frequent releases' with 'approval gates'. The key is that CI/CD automates releases, while a CAB introduces manual approval delays that prevent continuous delivery.

How to eliminate wrong answers

Option A is wrong because Waterfall development is a linear, sequential model where each phase (requirements, design, implementation, testing, deployment) completes before the next begins, resulting in large, infrequent releases — the exact opposite of the continuous delivery described. Option C is wrong because technical debt management is a maintenance activity that addresses accumulated code issues (e.g., refactoring, fixing workarounds) to improve future velocity, not a release strategy for building and delivering software in small iterations. Option D is wrong because the Change Advisory Board (CAB) process is a governance mechanism that reviews and approves changes before deployment, often introducing delays and batch releases, which contradicts the continuous, automated release model.

174
MCQmedium

A DevOps team wants to implement a release process where a new application version is first deployed to 5% of production traffic, monitored for errors, then gradually increased to 100% if metrics remain healthy. Which deployment strategy does this describe?

A.Blue/green deployment, where two identical environments run simultaneously and traffic is switched atomically
B.Canary deployment, where a new version receives a small percentage of traffic first and is progressively rolled out as metrics confirm it is healthy
C.Rolling deployment, where instances are updated sequentially one at a time until all run the new version
D.Recreate deployment, where the old version is terminated before the new version is deployed
AnswerB

Canary deployment precisely matches the description: 5% traffic initially, monitoring, then gradual increase to 100%. The term comes from the mining practice of using canaries to detect dangerous gas — the canary deployment detects problems before full rollout.

Why this answer

This describes a canary deployment, where the new version is initially exposed to a small subset of traffic (e.g., 5%) and then gradually rolled out to 100% only if key metrics (latency, error rate, CPU usage) remain within acceptable thresholds. On Google Cloud, Cloud Deploy offers a canary strategy for Cloud Run and GKE targets, Cloud Run splits traffic between revisions by percentage, and GKE supports percentage-based routing through a service mesh such as Istio, allowing fine-grained control over the rollout percentage and a rollback when the canary fails its checks.
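The gating logic that makes a canary more than a percentage knob, as an added example that is not part of the original page nor code from Cloud Deploy, Cloud Run or GKE. The metric windows are constructed; the step schedule (5, 25, 50, 100 percent) and the thresholds (error rate at most 1 percent, p99 at most 300 ms, and no more than a 20 percent latency regression or roughly double the baseline error rate) are assumptions chosen for the demonstration. The security-relevant point is blast radius: a bad build is seen by 5 percent of users and rolled back, not by everyone.

```python
"""Traffic-shifting and health gating of a canary rollout, as a simulation.

Added example, not from the original page nor from any Google Cloud product.
Metric windows are constructed; steps and thresholds are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Window:
    """Metrics observed for one soak window of the canary (or the stable version)."""
    error_rate: float  # fraction of requests that failed (5xx)
    p99_ms: float      # 99th-percentile latency in milliseconds


STEPS = (5, 25, 50, 100)      # percent of traffic sent to the canary at each step
MAX_ERROR_RATE = 0.01          # absolute SLO: at most 1 % failures
MAX_P99_MS = 300.0             # absolute SLO: p99 under 300 ms


def healthy(canary, baseline):
    """Gate: absolute SLO thresholds AND no regression against the stable
    version. A canary can sit inside the SLO and still be clearly worse than
    what it replaces, which is why the relative check is there."""
    return (canary.error_rate <= MAX_ERROR_RATE
            and canary.p99_ms <= MAX_P99_MS
            and canary.error_rate <= 2 * baseline.error_rate + 0.001
            and canary.p99_ms <= 1.2 * baseline.p99_ms)


def run_canary(observe, baseline, steps=STEPS):
    """observe(share) -> Window for the canary at that traffic share.
    Returns (final_share, history): 100 means promoted, 0 means rolled back.
    history records every step with its verdict so the decision is auditable."""
    history = []
    for share in steps:
        window = observe(share)
        ok = healthy(window, baseline)
        history.append((share, window, ok))
        if not ok:
            return 0, history  # roll back: all traffic returns to stable
    return 100, history


# Constructed metrics (not real measurements).
BASELINE = Window(error_rate=0.002, p99_ms=180.0)
GOOD_CANARY = {5: Window(0.002, 190.0), 25: Window(0.003, 195.0),
               50: Window(0.003, 200.0), 100: Window(0.003, 205.0)}
# A bug that only shows under load: fine at 5 %, failing at 25 %.
BAD_CANARY = {5: Window(0.002, 185.0), 25: Window(0.015, 260.0)}

if __name__ == "__main__":
    print("good canary ->", run_canary(GOOD_CANARY.get, BASELINE)[0])
    print("bad canary  ->", run_canary(BAD_CANARY.get, BASELINE)[0])
```

The `BAD_CANARY` trace is the case that justifies the schedule: it passes at 5 percent and only fails at 25 percent, so a single small step with no further gating would have promoted it.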

Exam trap

Google Cloud often tests the distinction between canary and blue/green deployments by emphasizing the 'gradual percentage increase' versus 'atomic switch'. The trap is that candidates confuse the 5% initial traffic with blue/green's idle second environment, but blue/green does not use progressive traffic shifting.

How to eliminate wrong answers

Option A is wrong because blue/green deployment involves two identical environments (blue and green) with an instantaneous traffic switch, not a gradual percentage-based rollout. Option C is wrong because rolling deployment updates instances one at a time (or in small batches) without the explicit 5% initial traffic split and metric-based gating described in the question. Option D is wrong because recreate deployment terminates all old instances before deploying the new version, causing downtime and no gradual traffic shifting.

175
MCQhard

A company with fluctuating demand wants to pay only for the resources it consumes, with no long-term commitments. Which Google Cloud feature allows them to automatically adjust capacity based on real-time demand?

A.Cloud Armor
B.Committed use discounts
C.Autoscaling
D.Preemptible VMs
AnswerC

Autoscaling dynamically adjusts resources to match current demand.

Why this answer

Autoscaling is the correct answer because it automatically adjusts the number of compute resources (e.g., VM instances) up or down based on real-time demand metrics such as CPU utilization, request count, or custom metrics. This allows the company to pay only for the resources it consumes without any long-term commitments, as instances are added or removed dynamically to match current load.
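The sizing rule behind that description, as an added example that is not part of the original page or of Google's autoscaler. It implements the documented target-utilization formula (recommended size = ceil(current size x observed utilization / target utilization), clamped to the group's minimum and maximum) and adds a per-step scale-in cap; the real Compute Engine autoscaler smooths scale-in over a stabilization window instead, which is simplified here. The utilization trace is constructed.

```python
"""Target-utilization autoscaling decisions for a managed instance group.

Added example, not from the original page or from Google's autoscaler.
Utilization samples are constructed; the scale-in cap stands in for the real
autoscaler's stabilization window.
"""
import math


def recommended_size(current, observed_util, target_util, min_size, max_size, max_scale_in=None):
    """One autoscaler decision. observed_util and target_util are fractions
    (0.6 means 60 % average CPU across the group)."""
    if current <= 0 or target_util <= 0:
        raise ValueError("current size and target utilization must be positive")
    desired = math.ceil(current * observed_util / target_util)
    if max_scale_in is not None and desired < current:
        # Never drop more than max_scale_in instances in one step: a short
        # dip in load should not tear down most of the fleet.
        desired = max(desired, current - max_scale_in)
    return max(min_size, min(max_size, desired))


def simulate(samples, start, target_util, min_size, max_size, max_scale_in):
    """Apply successive observed utilizations and return the group size after each."""
    sizes, size = [], start
    for util in samples:
        size = recommended_size(size, util, target_util, min_size, max_size, max_scale_in)
        sizes.append(size)
    return sizes


# Constructed utilization trace: a ramp-up, a peak past the maximum, then a quiet period.
SAMPLES = [0.9, 0.95, 0.8, 0.2, 0.25, 0.3, 0.1]

if __name__ == "__main__":
    print(simulate(SAMPLES, start=3, target_util=0.6, min_size=2, max_size=10, max_scale_in=2))
```

The trace shows both bounds doing work: the third sample asks for 11 instances and is clamped to the maximum of 10, and the quiet period shrinks the group two instances at a time down to the minimum of 2 instead of collapsing it in one step.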

Exam trap

Google Cloud often tests the distinction between cost-saving mechanisms (like Preemptible VMs or Committed Use Discounts) and dynamic scaling features, so candidates mistakenly choose a cost-optimization option instead of the correct autoscaling feature that directly addresses the requirement of adjusting capacity based on real-time demand.

How to eliminate wrong answers

Option A is wrong because Cloud Armor is a web application firewall (WAF) and DDoS protection service that secures applications, not a feature for adjusting compute capacity based on demand. Option B is wrong because Committed Use Discounts (CUDs) require a 1- or 3-year commitment to a specific amount of resources in exchange for discounted pricing, which contradicts the requirement of no long-term commitments. Option D is wrong because Preemptible VMs (now offered as Spot VMs) are short-lived, interruptible instances used for batch jobs or fault-tolerant workloads; they are a cost-saving option for non-critical tasks and do not by themselves scale capacity in response to real-time demand.

176
MCQmedium

A bank's innovation team proposes building a new digital lending product using cloud services. The risk team objects, citing regulatory concerns about data sovereignty and auditability in cloud environments. What is the most effective way for the innovation team to address these concerns?

A.Avoid cloud entirely for the new product and build on-premises to eliminate regulatory concerns
B.Demonstrate that Google Cloud provides the specific regulatory controls needed: data residency configuration, comprehensive audit logging, compliance certifications, and contractual frameworks that satisfy the bank's regulatory requirements
C.Ignore the risk team's concerns and proceed with cloud development, as regulators have approved cloud for all banking applications globally
D.Commission a multi-year study to determine whether cloud regulation will change before proceeding
AnswerB

The correct response is to map each regulatory requirement to a specific cloud control. Data sovereignty → Organization Policy resource location constraints that restrict where resources may be created, plus region-pinned storage and databases. Auditability → Cloud Audit Logs (Admin Activity and Data Access) routed to a log bucket with a locked retention policy so entries cannot be shortened or deleted. Compliance → review the applicable certifications and attestations (ISO 27001, SOC 2, PCI DSS) and the contractual commitments behind them. This addresses the concerns with evidence rather than assumptions.

Why this answer

Regulatory concerns about cloud are real but addressable. Cloud providers offer compliance certifications (SOC 2, ISO 27001, banking-relevant standards such as PCI DSS), data residency controls, comprehensive audit logging, and contractual frameworks (a Data Processing Addendum and the provider's documented compliance commitments; a BAA is a healthcare-specific instrument and does not apply to a bank). The innovation team should demonstrate that the specific controls required by regulators exist and are configurable, rather than treating cloud as incompatible with regulation.

177
MCQhard

A retail bank wants to launch new digital banking features quickly to compete with fintech startups while maintaining strict regulatory compliance. Which cloud transformation strategy best addresses both agility and compliance?

A.Move everything to a public cloud without additional access controls to maximize speed
B.Use a lift-and-shift migration to cloud VMs and rely on manual change management
C.Stick with on-premise systems for compliance and use cloud only for non-sensitive data
D.Implement a cloud-native architecture using GKE, Cloud Build, and Cloud IAM with compliance auditing
AnswerD

This provides agility through automated CI/CD and compliance through IAM and audit logs.

Why this answer

Option D is correct because it leverages cloud-native services such as Google Kubernetes Engine (GKE) for containerized microservices, Cloud Build for CI/CD automation, and Cloud IAM for fine-grained access control, enabling rapid feature deployment while maintaining compliance through Cloud Audit Logs and policy enforcement. Speed and control are built into the same pipeline rather than traded against each other, so the bank can iterate quickly without weakening regulatory requirements such as PCI DSS or SOX.

Exam trap

Google Cloud often tests the misconception that compliance and agility are mutually exclusive, leading candidates to choose hybrid approaches like Option C, which actually create operational complexity and fail to deliver the speed promised by cloud-native transformation.

How to eliminate wrong answers

Option A is wrong because moving everything to a public cloud without additional access controls violates the principle of least privilege and exposes sensitive financial data to unauthorized access, failing compliance mandates like GDPR and PCI-DSS. Option B is wrong because lift-and-shift to cloud VMs with manual change management does not automate compliance checks or enable rapid scaling, leading to operational bottlenecks and increased risk of human error in audit trails. Option C is wrong because sticking with on-premise systems for compliance while using cloud only for non-sensitive data creates a hybrid silo that limits the bank's ability to launch integrated digital features quickly, as core banking functions remain on legacy infrastructure without cloud-native agility.

178
MCQmedium

An energy company is deploying smart meters across millions of homes that transmit energy consumption data every 15 minutes. Which description best characterizes the digital transformation opportunity this data creates?

A.The company can replace manual meter reading visits, reducing operational costs
B.The granular real-time consumption data enables cloud-scale analytics for demand response, predictive grid management, personalized energy recommendations, and anomaly detection — transforming the utility into an intelligent energy services company
C.The company can move its billing system to the cloud, improving invoice generation speed
D.The data can be stored in a cloud database, reducing the cost of on-premises storage
AnswerB

This captures the transformation: millions of devices generating billions of readings enable entirely new business capabilities. Dynamic demand response programs, AI-driven grid optimization, personalized conservation recommendations, and real-time fault detection are all new revenue and efficiency opportunities created by the data at cloud scale.

Why this answer

Option B is correct because the 15-minute granular consumption data from millions of smart meters creates a high-velocity, high-volume data stream that is ideal for cloud-scale analytics. This enables real-time demand response (e.g., load balancing), predictive grid maintenance (e.g., transformer overload forecasting), personalized energy-saving recommendations, and anomaly detection (e.g., meter tampering or outages). The digital transformation opportunity lies in moving from a reactive utility to a proactive, data-driven energy services company, which is only feasible with the elastic compute and storage of cloud platforms.

Exam trap

Google Cloud often tests the distinction between simple automation (e.g., cost reduction, process migration) and true digital transformation (e.g., creating new data-driven business models and services), so candidates mistakenly pick options that describe incremental improvements rather than the paradigm shift enabled by cloud-scale analytics.

How to eliminate wrong answers

Option A is wrong because while replacing manual meter reading is a benefit of smart meters, it is an operational efficiency gain, not a digital transformation opportunity — digital transformation involves fundamentally changing business models and capabilities through data and cloud analytics, not just cost reduction. Option C is wrong because moving billing to the cloud improves invoice generation speed, but this is a simple migration of an existing process (lift-and-shift) rather than a transformation that leverages real-time data for new insights and services. Option D is wrong because storing data in a cloud database reduces on-premises storage costs, but this is a basic infrastructure cost-saving measure, not a transformation that creates new value from the data itself.

179
MCQmedium

A government agency is evaluating whether to move citizen services to the cloud. Officials are concerned about vendor lock-in — specifically that they might become entirely dependent on one provider. Which approach best mitigates this risk while still allowing the agency to benefit from cloud services?

A.Avoiding cloud entirely and keeping all services on-premises to maintain full control
B.Using only one cloud provider's most specialized proprietary services for all workloads to maximize integration
C.Adopting open standards, containerized workloads, and a multi-cloud or hybrid architecture to preserve portability while benefiting from cloud services
D.Negotiating a contract with the cloud provider that forbids them from changing their service APIs
AnswerC

This is the recommended approach. Open standards (Kubernetes, open APIs, SQL-compatible databases) and containerization ensure workloads are portable across providers. A multi-cloud strategy prevents any single provider from becoming an irreplaceable dependency.

Why this answer

Option C is correct because adopting open standards (e.g., OCI container images, Kubernetes APIs), containerized workloads, and a multi-cloud or hybrid architecture ensures workload portability across providers. This approach prevents vendor lock-in by allowing the agency to migrate services between cloud platforms or back to on-premises without rewriting applications, while still leveraging cloud benefits like scalability and managed services.

Exam trap

Google Cloud often tests the misconception that avoiding cloud entirely or using a single provider's proprietary services is safer, but the correct answer emphasizes architectural portability through open standards and containerization, not contractual or avoidance-based solutions.

How to eliminate wrong answers

Option A is wrong because avoiding the cloud entirely forfeits scalability, cost efficiency, and operational benefits, and does not address vendor lock-in—it simply replaces it with hardware vendor lock-in. Option B is wrong because using only one provider's proprietary services (e.g., AWS Lambda, Azure Functions) maximizes integration but creates deep dependency on that provider's APIs and runtime, making migration nearly impossible without significant rework. Option D is wrong because negotiating a contract that forbids API changes is impractical—cloud providers continuously evolve APIs for security, performance, and features; such a clause would be unenforceable and would prevent the provider from delivering updates, effectively freezing the platform.

180
MCQeasy

A company currently spends $200,000 annually on data center costs (hardware, power, cooling, staff). After migrating to Google Cloud, their cloud bill is $120,000 annually, but they also save $50,000 in data center costs they no longer pay. What is their net annual savings from the migration?

A.$30,000 (cloud cost increase of $120K minus the $50K DC savings)
B.$80,000 annual savings ($200,000 previous cost minus $120,000 cloud cost)
C.$50,000 (only the data center cost savings count)
D.$120,000 (the entire cloud bill is savings)
AnswerB

Total previous cost: $200,000 per year for the data center. Total new cost: $120,000 per year for cloud. Net annual savings = $200,000 - $120,000 = $80,000. The $50,000 of data center costs that are 'no longer paid' is part of the eliminated $200,000 baseline, so it must not be counted a second time.

Why this answer

Option B is correct because net annual savings are the previous total cost minus the new total cost. The previous total is the $200,000 data center spend. After migration the company pays the $120,000 cloud bill and nothing for the data center; the $50,000 the question mentions is simply one slice of that eliminated $200,000 and is already reflected in the baseline, not an additional credit. Savings are therefore $200,000 - $120,000 = $80,000.

Exam trap

Google Cloud often tests the misconception that only the headline line-item reduction counts, rather than a full TCO comparison of the old total against the new total including every eliminated on-premises expense.

How to eliminate wrong answers

Option A is wrong because it incorrectly subtracts the $50,000 data center savings from the cloud bill, treating the cloud cost as an increase rather than a replacement cost, and ignores the original $200,000 baseline. Option C is wrong because it only counts the $50,000 data center cost savings, ignoring the fact that the cloud bill of $120,000 is a new cost that must be subtracted from the original total to find net savings. Option D is wrong because it treats the entire $120,000 cloud bill as savings, which would only be true if the previous data center costs were zero, not $200,000.

181
Matchingmedium

Match each Google Cloud migration term to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Move workloads without modification

Tool to migrate VMs to GCP

Physical device for large offline data transfers

Online data transfer from other cloud or on-prem

Automated data import into BigQuery

Why these pairings

These are common migration approaches and tools in GCP: lift and shift moves workloads without modification; Migrate to Virtual Machines (formerly Migrate for Compute Engine) is the tool for migrating VMs to GCP; Transfer Appliance is the physical device for large offline transfers; Storage Transfer Service moves data online from another cloud or from on-premises; and BigQuery Data Transfer Service automates scheduled imports into BigQuery.

182
MCQmedium

A company uses Cloud Storage to store backup files. The files are accessed on average once per year. To minimize storage costs while complying with a 365-day retention policy, which storage class should they use?

A.Coldline
B.Archive
C.Nearline
D.Standard
AnswerB

Archive storage is the cheapest for long-term archival, with a 365-day minimum storage duration, aligning perfectly with the retention policy and access pattern.

Why this answer

Archive storage class is the correct choice because it offers the lowest storage cost for data that is accessed less than once per year, while still meeting the 365-day retention policy. Archive has a 365-day minimum storage duration, which aligns perfectly with the retention requirement, and its retrieval costs are acceptable given the infrequent access pattern.

Exam trap

Google Cloud often tests the misconception that Archive is only for data that is never accessed. Archive objects are still available within milliseconds (there is no multi-hour restore step as with some other providers' coldest tiers), but they carry the highest per-GB retrieval charge and a 365-day minimum storage duration, which makes the class suitable for data accessed about once per year with a 365-day retention policy.

How to eliminate wrong answers

Option A (Coldline) is wrong because Coldline has a 90-day minimum storage duration and higher storage cost than Archive, making it less cost-effective for data accessed once per year. Option C (Nearline) is wrong because Nearline has a 30-day minimum storage duration and higher storage cost than Archive, and is designed for data accessed less than once per month, not once per year. Option D (Standard) is wrong because Standard has no minimum storage duration but has the highest storage cost, making it the most expensive option for long-term, rarely accessed data.

183
MCQeasy

A data engineering team needs to build a pipeline that reads event data from Pub/Sub in real time, applies transformations and aggregations, and writes results to BigQuery — all without managing any infrastructure. Which Google Cloud product is designed for this serverless stream and batch data processing use case?

A.Cloud Dataflow, Google Cloud's serverless stream and batch data processing service built on Apache Beam
B.Cloud Composer, Google Cloud's managed Apache Airflow service for workflow orchestration
C.Cloud Dataproc, Google Cloud's managed Spark and Hadoop service
D.BigQuery directly, using streaming inserts to load Pub/Sub data in real time
AnswerA

Dataflow is exactly right: serverless (no infrastructure management), supports both streaming (from Pub/Sub) and batch, applies transformations and aggregations, and writes natively to BigQuery. The Pub/Sub → Dataflow → BigQuery pattern is one of the most common data engineering pipelines on Google Cloud.

Why this answer

Cloud Dataflow is Google Cloud's fully managed, serverless service for both stream and batch data processing, built on Apache Beam. It directly reads from Pub/Sub, applies transformations and aggregations using the Beam SDK, and writes the results to BigQuery without requiring any infrastructure management, making it the correct choice for this use case.

Exam trap

Google Cloud often tests the distinction between a data processing service (Dataflow) and a data ingestion or orchestration service, leading candidates to mistakenly choose BigQuery streaming inserts or Cloud Composer for real-time transformations.

How to eliminate wrong answers

Option B is wrong because Cloud Composer is a workflow orchestration service (managed Apache Airflow) designed to schedule and coordinate tasks, not to perform real-time stream processing or data transformations. Option C is wrong because Cloud Dataproc is a managed Spark and Hadoop service that requires cluster management and is not serverless; it is better suited for batch processing and big data analytics on existing clusters, not for serverless stream processing. Option D is wrong because BigQuery streaming inserts can load data from Pub/Sub but do not provide built-in transformations or aggregations; they are a data ingestion method, not a full data processing pipeline, and lack the serverless stream processing capabilities of Dataflow.

184
MCQ · medium

A manufacturing company deploys sensors in its factories that send data to cloud platforms for real-time analysis. The cloud-based system predicts equipment failures 48 hours in advance, enabling maintenance before failures occur. What operational model shift does this represent?

A. The company is automating its accounting system using cloud software.
B. A shift from reactive (break-fix) maintenance to predictive maintenance, enabled by IoT sensor data and cloud AI/ML.
C. The company is replacing human maintenance workers with robots.
D. The factory is migrating its ERP system to the cloud to improve supply chain visibility.
Answer: B

Predictive maintenance is a classic IoT + cloud + ML transformation: sensors collect data → cloud processes it → ML predicts failures → maintenance is proactively scheduled before breakdowns occur.

Why this answer

Option B is correct because the scenario describes a shift from reactive maintenance (fixing equipment after it fails) to predictive maintenance, where IoT sensors collect real-time data and cloud-based AI/ML models analyze it to forecast failures 48 hours in advance. This transformation leverages cloud computing's scalability and advanced analytics to prevent downtime, rather than simply automating existing processes or replacing human roles.

Exam trap

Google Cloud often tests the distinction between operational model shifts (e.g., reactive to predictive) and simple technology replacements (e.g., automating accounting or migrating ERP), so candidates mistakenly choose options that describe a different cloud benefit (like cost savings or scalability) rather than the specific shift in maintenance strategy.

How to eliminate wrong answers

Option A is wrong because it misrepresents the operational shift as accounting automation, while the question focuses on equipment maintenance and failure prediction, not financial processes. Option C is wrong because it incorrectly suggests replacing human workers with robots, whereas the scenario uses cloud AI/ML to augment human decision-making for maintenance scheduling, not to eliminate workers. Option D is wrong because it confuses the shift with ERP migration for supply chain visibility, but the core change is about maintenance strategy (predictive vs. reactive), not enterprise resource planning or supply chain management.

185
MCQ · hard

A logistics company collects GPS data from 50,000 trucks every 30 seconds. Previously they sampled only 1% of this data due to storage costs. In the cloud, they store and analyze 100% of the data and discover route optimization patterns that reduce fuel costs by 12%. Which concept does this illustrate about cloud and data?

A. Cloud storage is cheaper per GB than on-premises — the only benefit is cost reduction.
B. Cloud scale removes data storage and analysis constraints, enabling companies to derive business insights from complete datasets that were previously too costly to collect and process.
C. GPS data is only useful when analyzed by Google's AI — the company's own analytics wouldn't find patterns.
D. The company should have used data sampling more aggressively to reduce cloud costs further.
Answer: B

On-premises cost constraints forced data sampling, hiding optimization patterns. Cloud's economics enable full-fidelity data collection and analysis at scale, revealing insights like the 12% fuel savings.

Why this answer

Option B is correct because it directly captures the core transformation that cloud computing enables: the removal of data storage and processing constraints. By moving from sampling 1% of GPS data to analyzing 100%, the company could identify route optimization patterns that were invisible in the sampled subset, leading to a 12% fuel cost reduction. This illustrates how cloud elasticity and pay-as-you-go pricing allow businesses to process complete datasets, unlocking insights that were previously economically infeasible with on-premises or limited storage.

Exam trap

Google Cloud often tests the misconception that cloud benefits are purely about cost savings (Option A) or that specialized AI is required (Option C), when the real transformative value is the ability to process complete datasets at scale, removing prior constraints on data volume and analysis.

How to eliminate wrong answers

Option A is wrong because it incorrectly claims that cost reduction is the only benefit of cloud storage; in reality, the primary advantage demonstrated here is the ability to store and analyze 100% of data, which enables new business insights (route optimization) that were impossible with sampling. Option C is wrong because it falsely asserts that GPS data is only useful when analyzed by Google's AI; the company's own analytics (or any cloud-based analytics service) can find patterns, and the question does not specify any dependency on Google's proprietary AI. Option D is wrong because it suggests more aggressive sampling to reduce costs, which would directly contradict the lesson learned: sampling prevented discovery of the optimization pattern, and the cloud's value is in eliminating the need for sampling, not increasing it.

186
MCQ · easy

A marketing team wants to create interactive dashboards and reports for business stakeholders using data stored in BigQuery, without writing code. Which Google Cloud product is most appropriate for this self-service business intelligence requirement?

A. Looker Studio, Google's self-service data visualization tool with native BigQuery connectivity and a no-code interface
B. Cloud Dataflow, Google Cloud's stream and batch data processing service
C. BigQuery itself, where the marketing team writes SQL queries to generate reports
D. Vertex AI, Google Cloud's unified machine learning platform
Answer: A

Looker Studio is exactly designed for this use case: non-technical marketing teams creating interactive dashboards from BigQuery data through a visual interface, with no SQL or coding required. It has native BigQuery connectivity and is free to use.

Why this answer

Looker Studio (formerly Google Data Studio) is the correct choice because it is Google Cloud's self-service business intelligence tool that provides a no-code, drag-and-drop interface for creating interactive dashboards and reports. It has native, built-in connectivity to BigQuery, allowing the marketing team to visualize data without writing any code or SQL queries.

Exam trap

The trap here is that candidates may confuse BigQuery's ability to run SQL queries and generate results with a no-code self-service BI tool, overlooking that Looker Studio is the dedicated product for interactive, code-free visualization.

How to eliminate wrong answers

Option B is wrong because Cloud Dataflow is a data processing service for building stream and batch pipelines, not a self-service BI or visualization tool; it requires writing code to define data transformations. Option C is wrong because while BigQuery can generate reports via SQL queries, this requires writing code (SQL) and does not provide a no-code, interactive dashboard interface for self-service business intelligence. Option D is wrong because Vertex AI is a machine learning platform for building, deploying, and managing ML models, not a data visualization or reporting tool.

187
Multi-Select · hard

A large enterprise is evaluating moving its data analytics workloads to Google Cloud. Which TWO factors should they consider when comparing on-premises costs to cloud costs? (Choose two.)

Select 2 answers
A. Elimination of hardware maintenance labor costs
B. Increased latency due to network distance
C. Reduction in data center power and cooling expenses
D. Licensing costs for software that may not be compatible with cloud
E. Requirement to redesign applications for cloud-native services
Answers: A, C

Cloud reduces or eliminates the need for on-premises hardware maintenance staff.

Why this answer

Option A is correct because moving analytics workloads to Google Cloud eliminates the need for the enterprise to maintain its own hardware, including servers, storage, and networking equipment. This removes direct labor costs for tasks such as hardware troubleshooting, firmware updates, and physical repairs, which are instead handled by Google's infrastructure teams. This is a direct operational expenditure (OpEx) saving compared to the capital expenditure (CapEx) and ongoing maintenance of on-premises hardware. Option C is correct for the same reason: once the analytics hardware no longer runs in the enterprise's own data center, the power and cooling expenses for that equipment drop out of its cost base, making it a direct TCO line item alongside maintenance labor.

Exam trap

Google Cloud often tests the distinction between direct cost factors (like hardware maintenance and power/cooling) and indirect considerations (like latency, licensing compatibility, and application redesign) to see if candidates can separate TCO line items from migration risks or performance trade-offs.

188
MCQ · easy

A company's security policy requires that all cloud-to-cloud communication between services must be encrypted in transit. An auditor asks how Google Cloud handles encryption for network traffic between Google services within its network. What is Google's default approach to encryption in transit within its infrastructure?

A. Google does not encrypt internal traffic by default; customers must configure TLS for all service-to-service communication
B. Google encrypts all traffic between its data centers and internal services by default, with no customer configuration required
C. Google only encrypts traffic that crosses the public internet; internal network traffic is unencrypted for performance
D. Encryption in transit is the customer's responsibility for all traffic, including traffic within Google's network
Answer: B

Google uses Application Layer Transport Security (ALTS) to authenticate and encrypt all traffic between Google services and between data centers by default. This is a core Google infrastructure security commitment, not an optional feature customers must enable.

Why this answer

Google Cloud encrypts all network traffic between its data centers and internal services by default, using application-layer (e.g., gRPC with TLS) and link-layer encryption (e.g., MACsec or similar). This is a foundational security measure that requires no customer configuration, ensuring data is protected in transit even within Google's own infrastructure.

Exam trap

The trap here is that candidates often assume internal cloud provider networks are unencrypted for performance reasons, but Google Cloud encrypts all inter-service traffic by default, making options that require customer action or that claim no encryption incorrect.

How to eliminate wrong answers

Option A is wrong because Google does encrypt internal traffic by default; customers do not need to configure TLS for service-to-service communication within Google's network. Option C is wrong because Google encrypts not only traffic crossing the public internet but also internal network traffic between data centers and services, so performance is not a reason to leave it unencrypted. Option D is wrong because encryption in transit within Google's network is Google's responsibility and is handled automatically, not the customer's.

189
MCQ · easy

A business user asks what makes cloud storage different from simply buying a larger external hard drive for the office. Which characteristic most clearly differentiates cloud storage from local storage devices?

A. Cloud storage is faster than local storage for all types of data access
B. Cloud storage is accessible from anywhere via the internet, scales elastically without hardware purchases, and provides built-in redundancy across multiple physical locations
C. Cloud storage cannot be used for backup, while external hard drives are purpose-built for backup
D. Cloud storage requires specialized hardware on the customer's side to access data
Answer: B

These three characteristics — universal accessibility, elastic scalability, and built-in geographic redundancy — are what fundamentally differentiate cloud storage from a local external drive. A hard drive is physically local, has fixed capacity, and has no built-in redundancy.

Why this answer

Cloud storage is fundamentally different from local storage because it provides internet-based accessibility, elastic scalability without requiring hardware procurement, and built-in redundancy across geographically distributed data centers. These characteristics enable on-demand resource provisioning and high availability, which a single external hard drive cannot offer. The correct answer, B, captures these core differentiators that align with the NIST definition of cloud computing.

Exam trap

Google Cloud often tests the misconception that cloud storage is inherently faster than local storage, leading candidates to select Option A, but the real differentiator is ubiquitous access and elasticity, not raw speed.

How to eliminate wrong answers

Option A is wrong because cloud storage is not universally faster than local storage; local storage (e.g., USB 3.0 or SATA SSDs) often has lower latency and higher throughput for local access, while cloud storage performance depends on network bandwidth and latency. Option C is wrong because cloud storage is commonly used for backup (e.g., AWS S3 for backup, Azure Backup) and external hard drives are not exclusively purpose-built for backup—they are general-purpose storage devices. Option D is wrong because cloud storage does not require specialized hardware on the customer side; access is typically via standard internet protocols (HTTP/HTTPS, S3 API, NFS) using commodity devices like laptops or smartphones.

190
MCQ · easy

When data is transmitted between a user's browser and a Google Cloud-hosted web application over HTTPS, which security protection does this provide?

A. It prevents unauthorized users from accessing the Google Cloud Console.
B. It encrypts data in transit between the user's browser and the server, preventing eavesdropping and tampering.
C. It encrypts data stored in the server's database.
D. It authenticates the user and verifies their permissions to use the application.
Answer: B

HTTPS/TLS encrypts the connection, ensuring data cannot be intercepted or modified as it travels between the user and the application. This is encryption in transit.

Why this answer

HTTPS (HTTP over TLS) encrypts the communication channel between the user's browser and the web server using Transport Layer Security (TLS). This ensures that any data transmitted, such as login credentials or API requests, is protected from eavesdropping and tampering while in transit. It does not protect data at rest or control access to cloud management interfaces.

Exam trap

Google Cloud often tests the distinction between encryption in transit (HTTPS) and encryption at rest (database encryption), leading candidates to incorrectly select an option about stored data or access control.

How to eliminate wrong answers

Option A is wrong because HTTPS does not control access to the Google Cloud Console; that is managed by IAM (Identity and Access Management) policies and authentication mechanisms like OAuth 2.0. Option C is wrong because HTTPS only encrypts data in transit, not data stored in the server's database; database encryption is handled by techniques like Cloud SQL encryption at rest or customer-managed encryption keys (CMEK). Option D is wrong because HTTPS does not authenticate the user or verify their permissions; user authentication and authorization are handled by the application layer (e.g., using Firebase Authentication or IAM), not by the TLS protocol itself.

191
MCQ · medium

A company's cloud costs have increased by 40% over the past quarter. The operations team wants to identify and address the root causes. Which cost optimization strategies should they investigate first?

A. Immediately upgrade all infrastructure to the latest generation hardware for better efficiency.
B. Identify idle and underutilized resources (oversized VMs, unused disks, unattached IPs), apply lifecycle policies to storage, and commit to CUDs for stable workloads.
C. Migrate all workloads to Spot VMs immediately to reduce costs by 90%.
D. Switch cloud providers to whoever has the lowest advertised list price.
Answer: B

These are the highest-impact, quickest-to-implement cost optimizations. Active Assist identifies rightsizing opportunities; lifecycle policies automate storage cost management; CUDs reduce baseline compute costs.

Why this answer

Option B is correct because the first step in cloud cost optimization is to identify and eliminate waste from idle or oversized resources, which is the most common source of cost inefficiency. Applying lifecycle policies to storage and committing to Committed Use Discounts (CUDs) for stable workloads are proven strategies to reduce costs without compromising performance. This approach aligns with Google Cloud's recommended FinOps practices, focusing on immediate, high-impact savings before considering architectural changes.

Exam trap

The trap here is that candidates often jump to aggressive cost-cutting measures like migrating to Spot VMs or switching providers, without first addressing the low-hanging fruit of resource waste, which is the most impactful and least risky initial step in cost optimization.

How to eliminate wrong answers

Option A is wrong because immediately upgrading to the latest generation hardware is a capital-intensive strategy that may not address the root cause of cost increases (e.g., idle resources) and could even increase costs if the new hardware is not right-sized. Option C is wrong because migrating all workloads to Spot VMs is risky for production or stateful workloads, as Spot VMs can be terminated at any time with only 30 seconds notice, leading to potential data loss or service disruption. Option D is wrong because switching cloud providers based solely on lowest advertised list price ignores hidden costs like data egress fees, network latency, and the operational overhead of migration, and does not address existing resource inefficiencies.

192
MCQ · easy

A software team wants to host their container images securely within Google Cloud and integrate with Cloud Build for CI/CD pipelines and GKE for deployments. Which Google Cloud product serves as the managed repository for storing and managing container images?

A. Cloud Storage, by storing container images as objects in a bucket
B. Artifact Registry, Google Cloud's managed repository for container images and build artifacts with native CI/CD integration
C. Container Registry (gcr.io), the legacy Google container image service
D. Cloud Source Repositories, for storing source code and container build files
Answer: B

Artifact Registry is the intended service for hosting container images in Google Cloud. It supports Docker, Maven, npm, PyPI, and other formats, integrates natively with Cloud Build and GKE, and provides IAM-based access control and automatic vulnerability scanning.

Why this answer

Artifact Registry is Google Cloud's fully managed, next-generation repository for storing, managing, and securing container images and build artifacts. It natively integrates with Cloud Build for CI/CD pipelines and GKE for deployments, providing features like vulnerability scanning, access control via IAM, and support for multiple formats (Docker, Maven, npm, etc.). This makes it the correct choice for the team's requirements.

Exam trap

Google Cloud often tests the distinction between legacy and current services, so the trap here is that candidates may pick Container Registry (gcr.io) because it is familiar and historically used for container images; they must recognize that Artifact Registry is the modern, recommended service with broader capabilities and deeper integration.

How to eliminate wrong answers

Option A is wrong because Cloud Storage is an object storage service for arbitrary data (e.g., backups, media files), not a managed container image repository; while you could manually store a container image as a blob, it lacks native container registry features like manifest management, vulnerability scanning, and seamless integration with Cloud Build and GKE. Option C is wrong because Container Registry (gcr.io) is the legacy service that has been superseded by Artifact Registry; it lacks the multi-format support, regional repository options, and advanced security features (e.g., on-demand scanning) that Artifact Registry provides, and Google recommends migrating to Artifact Registry. Option D is wrong because Cloud Source Repositories is a Git-based source code hosting service for version control and collaboration, not a repository for storing container images or build artifacts.

193
Multi-Select · medium

A gaming company runs a real-time multiplayer game server on Google Kubernetes Engine. They want to optimize costs while ensuring low latency for players across different regions. Which three strategies should they implement? (Choose THREE.)

Select 3 answers
A. Use committed use discounts (CUDs) for sustained resource usage.
B. Use spot VMs with a node taint and toleration for game server pods.
C. Use node auto-provisioning to automatically add nodes based on pod resource requests.
D. Deploy GKE clusters in multiple regions and use a multi-cluster ingress.
E. Use preemptible VMs for game server pods.
Answers: A, C, D

CUDs provide significant cost savings (up to 57%) for predictable resource usage, lowering overall expenses.

Why this answer

Committed use discounts (CUDs) are ideal for sustained resource usage because they offer significant cost savings (up to 70%) in exchange for a 1- or 3-year commitment to a minimum level of compute resources. For a gaming server that runs continuously, CUDs reduce the per-hour cost of the underlying GKE nodes, directly optimizing long-term operational expenses without impacting latency. Option C is correct because node auto-provisioning creates and removes node pools sized to the pods' actual resource requests, so the cluster is neither overprovisioned nor short of capacity. Option D is correct because deploying clusters in multiple regions and fronting them with multi-cluster ingress routes each player to the nearest healthy cluster, which is what keeps latency low across regions.

Exam trap

Google Cloud often tests the misconception that spot/preemptible VMs are acceptable for stateful, latency-sensitive workloads because they are cheaper, but the exam expects you to recognize that their unpredictable termination makes them unsuitable for real-time multiplayer game servers.

194
MCQ · medium

A global financial services firm is migrating its risk analysis workloads to Google Cloud to accelerate new model deployments. Which cloud benefit most directly supports faster time-to-market?

A. Security compliance
B. Rapid provisioning and deployment
C. Pay-as-you-go pricing
D. Global infrastructure
Answer: B

Resources can be provisioned in minutes, drastically reducing deployment lead time.

Why this answer

Rapid provisioning and deployment (B) directly accelerates time-to-market because it allows the firm to spin up risk analysis environments in minutes using Infrastructure as Code (IaC) tools like Terraform or Deployment Manager, rather than waiting weeks for hardware procurement. This speed enables data scientists to iterate on models faster, deploy new versions immediately, and respond to market changes without infrastructure bottlenecks.

Exam trap

Google Cloud often tests the misconception that 'global infrastructure' (D) is the key to faster deployments, but the trap here is that global reach improves latency and redundancy, not the speed of provisioning new resources.

How to eliminate wrong answers

Option A is wrong because security compliance, while critical for financial services, is a risk mitigation requirement that often slows down deployments due to audits and policy checks; it does not directly reduce time-to-market. Option C is wrong because pay-as-you-go pricing is a cost optimization model that shifts expenses from CapEx to OpEx, but it has no direct impact on how quickly workloads can be provisioned or models deployed. Option D is wrong because global infrastructure provides geographic reach and low-latency access, but it does not inherently speed up the deployment lifecycle; provisioning speed is determined by automation and resource availability, not just the number of regions.

195
MCQ · medium

A company's security architect wants to implement 'privacy by design' principles when building a new customer data platform on Google Cloud. What does privacy by design mean in this context?

A. Privacy by design means the platform must refuse to collect any personal data from customers.
B. Privacy by design means privacy protections (encryption, data minimization, access controls, retention policies) are architected into the system from the start, not added after deployment.
C. Privacy by design is a legal requirement that mandates using only on-premises systems for customer data.
D. Privacy by design means storing all data in an encrypted format and using a VPN for all access.
Answer: B

Privacy by design makes privacy a foundational design principle: choosing which data to collect, how to protect it, who can access it, and when to delete it are designed before the first line of code — not discovered at audit time.

Why this answer

Privacy by design is a foundational principle that requires embedding privacy controls—such as encryption, data minimization, access controls, and retention policies—into the architecture of a system from the initial design phase, rather than retrofitting them after deployment. In the context of Google Cloud, this means using services like Cloud KMS for encryption, IAM for fine-grained access control, and data lifecycle policies to minimize data collection and enforce retention limits from the start. Option B correctly captures this proactive, integrated approach.

Exam trap

The trap here is that candidates often confuse privacy by design with a single technical control (like encryption or VPNs) or assume it prohibits data collection entirely, when in fact it is a holistic architectural approach that integrates multiple privacy controls from the outset.

How to eliminate wrong answers

Option A is wrong because privacy by design does not mandate refusing to collect any personal data; rather, it emphasizes collecting only the minimum necessary data (data minimization) and implementing protections around it. Option C is wrong because privacy by design is not a legal requirement that mandates on-premises systems; Google Cloud supports privacy by design through cloud-native services like Confidential VMs and Data Loss Prevention (DLP) that comply with regulations like GDPR. Option D is wrong because privacy by design is broader than just encryption and VPNs; it encompasses data minimization, purpose limitation, retention policies, and access controls, not just technical safeguards.

196
MCQ · easy

A company's cloud team is asked to reduce the cost of a batch data processing workload that runs for 4–6 hours each night and can tolerate interruptions. The workload currently uses standard on-demand Compute Engine VMs. Which pricing option should the team evaluate first?

A. Committed Use Discounts (CUDs), by committing to 1 or 3 years of VM usage
B. Spot VMs, which offer up to 91% discount for workloads that can tolerate interruption and checkpoint/resume their work
C. Sustained Use Discounts (SUDs), which automatically apply when VMs run for more than 25% of a month
D. Reserved Instances, by purchasing capacity reservation for the nightly batch window
Answer: B

Spot VMs are the optimal choice for this scenario. The workload is batch (can checkpoint), runs nightly (predictable schedule), and tolerates interruption. Up to 91% discount is a dramatic cost reduction. The 30-second notice for Spot VM preemption is sufficient for batch jobs to save state.

Why this answer

Spot VMs are the correct first evaluation because the workload runs for a fixed 4–6 hour nightly window, can tolerate interruptions, and can checkpoint/resume its work. Spot VMs offer up to a 91% discount compared to standard on-demand VMs, making them the most cost-effective option for fault-tolerant batch processing that does not require continuous availability.

Exam trap

Google Cloud often tests the misconception that Committed Use Discounts are always the best cost-saving option, but the trap here is that candidates overlook the workload's short, interruptible nature and instead choose a long-term commitment that would waste resources during idle hours.

How to eliminate wrong answers

Option A is wrong because Committed Use Discounts (CUDs) require a 1- or 3-year commitment for a specific amount of vCPUs and memory, which is inflexible for a workload that only runs 4–6 hours per night and would result in paying for idle resources outside that window. Option C is wrong because Sustained Use Discounts (SUDs) automatically apply when a VM runs for more than 25% of a month (approximately 7.5 days), but this workload runs only 4–6 hours per night (roughly 5–7.5% of a month), so it would not trigger meaningful SUD savings. Option D is wrong because Reserved Instances (a term more common in AWS; in GCP this is equivalent to a capacity reservation) reserve capacity but do not provide a discount on the underlying VM cost, and they are typically used for guaranteed availability rather than cost reduction.

197
MCQ · hard

A large bank is undergoing a cloud transformation. The CTO argues that the transformation will require a 'bimodal IT' approach — running two modes of IT simultaneously. What does bimodal IT mean in this context, and what is its primary criticism?

A. Bimodal IT means using two different cloud providers for redundancy; the criticism is that it creates vendor lock-in with two providers instead of one
B. Bimodal IT runs stable core systems (Mode 1) alongside an agile innovation team (Mode 2); critics argue it creates organizational division, delays core modernization, and produces digital capabilities that eventually can't integrate with unreformed core systems
C. Bimodal IT means running both cloud and on-premises systems; the criticism is that hybrid environments are too complex to manage
D. Bimodal IT has no critics — it is universally accepted as the best approach to banking digital transformation
Answer: B

This accurately describes bimodal IT and its main criticism. The approach can be useful as a transitional strategy but is criticized for institutionalizing the divide between 'old IT' and 'digital' rather than transforming the core. Capabilities built in Mode 2 eventually need to connect to Mode 1 systems — the division doesn't disappear.

Why this answer

Bimodal IT, as described by Gartner, separates IT into Mode 1 (traditional, stable, and risk-averse systems) and Mode 2 (agile, exploratory, and fast-moving innovation teams). In a cloud transformation context, Mode 1 typically runs legacy core banking systems on-premises or in a private cloud, while Mode 2 rapidly develops cloud-native applications. The primary criticism is that this creates a permanent organizational and technical divide, where Mode 2 builds digital capabilities that cannot integrate with the unreformed, monolithic Mode 1 systems, leading to technical debt and delaying the necessary modernization of the core.

Exam trap

This exam often tests the distinction between organizational operating models (bimodal IT) and deployment architectures (hybrid cloud, multi-cloud), so the trap here is that candidates pick Option C because they mistakenly equate 'two modes' with 'two environments' (cloud and on-premises).

How to eliminate wrong answers

Option A is wrong because bimodal IT is not about using two cloud providers for redundancy; that describes a multi-cloud strategy, not the organizational separation of stable and agile IT modes. Option C is wrong because bimodal IT is not simply running cloud and on-premises systems (hybrid cloud); it is a specific organizational and process model that separates IT into two distinct modes of operation, not just a deployment architecture. Option D is wrong because bimodal IT has been heavily criticized by industry experts (e.g., Martin Fowler, Gartner's own later analysis) for creating silos, increasing integration costs, and failing to address core system modernization; it is not universally accepted.

198
MCQ (easy)

A retail company's IT director says: 'We need to digitize our business.' A digital transformation consultant responds that digitization and digital transformation are different things. Which statement best captures the distinction?

A. Digitization and digital transformation are synonyms; both refer to moving business operations to digital systems
B. Digitization converts analog information to digital form, while digital transformation reimagines business models, customer experiences, and operations using digital technology as the core enabler
C. Digital transformation is a subset of digitization, focused specifically on transforming customer-facing processes
D. Digitization requires cloud technology, while digital transformation can be achieved with on-premises systems alone
Answer: B

This captures the essential distinction. Digitization (scanning paper, converting spreadsheets to databases) is a prerequisite but not sufficient. Transformation means the business fundamentally changes how it creates and delivers value — not just running old processes digitally.

Why this answer

Option B is correct because it accurately distinguishes digitization (converting analog data to digital format, e.g., scanning paper invoices into PDFs) from digital transformation (fundamentally rethinking business models, customer experiences, and operations with digital technology as the core enabler, e.g., using cloud-based analytics to personalize customer journeys). The consultant's point is that digitization is a tactical step, while digital transformation is a strategic overhaul that leverages cloud, AI, and IoT to create new value chains.

Exam trap

Google Cloud often tests the confusion between digitization and digital transformation by presenting options that conflate the two as synonyms or reverse their hierarchy, so candidates must remember that digitization is a technical conversion step, while digital transformation is a strategic business reimagination enabled by cloud and modern IT architectures.

How to eliminate wrong answers

Option A is wrong because it incorrectly treats digitization and digital transformation as synonyms, ignoring that digitization is merely converting analog to digital (e.g., digitizing a paper ledger into a spreadsheet), while digital transformation involves reimagining processes and business models using cloud, APIs, and data-driven automation. Option C is wrong because it claims digital transformation is a subset of digitization focused only on customer-facing processes; in reality, digital transformation is broader, encompassing supply chain, operations, and culture, and digitization is a foundational enabler, not the superset. Option D is wrong because it falsely ties digitization to cloud technology (digitization can be done with on-premises scanners and local databases) and suggests digital transformation can be achieved with on-premises systems alone, whereas true digital transformation often requires cloud scalability, microservices, and continuous integration/delivery pipelines to enable rapid innovation.

199
MCQ (hard)

A global enterprise must store customer data in specific geographic regions to comply with data residency laws. They also need to be able to analyze data across all regions without centralizing it. Which approach best balances compliance and analytics?

A. Deploy identical Compute Engine instances with databases in each region.
B. Use regional Cloud Storage buckets per region and BigQuery with federated queries.
C. Store all data in a single region and use Cloud CDN for fast access.
D. Use a single Cloud Storage multi-region bucket with granular access controls.
Answer: B

Federated queries allow analyzing data in place across regions, maintaining compliance.

Why this answer

Option B is correct because per-region Cloud Storage buckets keep each region's data in place, and BigQuery's federated queries allow querying that data across regions without moving it. Option C is wrong because storing all data in a single region violates residency laws. Option A is wrong because using VMs in each region requires managing infrastructure and does not inherently provide cross-region analytics.

Option D is wrong because Cloud Storage's multi-region bucket stores data in multiple regions, which may violate data residency if data is replicated outside the required region.

200
MCQ (hard)

A company migrates its on-premises database to Cloud SQL. The security team is concerned about who is responsible for patching the underlying operating system and database engine. Under the shared responsibility model, which of the following is true?

A. The customer must patch the operating system of the Cloud SQL instances.
B. Google Cloud is responsible for patching the operating system and database engine.
C. The customer is responsible for physical security of the data centers.
D. The customer is responsible for applying database engine patches.
Answer: B

For managed services, the provider handles underlying infrastructure maintenance.

Why this answer

Under the Google Cloud shared responsibility model, Google Cloud manages the underlying infrastructure, including patching the operating system and database engine for managed services like Cloud SQL. This is because Cloud SQL is a fully managed service where Google Cloud handles OS and database engine updates, ensuring security and compliance without customer intervention. The customer remains responsible for data, access management, and application-level configurations.

Exam trap

The trap here is that candidates confuse Cloud SQL (a managed service) with Compute Engine (IaaS), where the customer is responsible for OS and database patching, leading them to incorrectly select options A or D.

How to eliminate wrong answers

Option A is wrong because the customer is not responsible for patching the operating system of Cloud SQL instances; Google Cloud automatically manages OS patches as part of the managed service. Option C is wrong because physical security of data centers is solely Google Cloud's responsibility under the shared responsibility model, not the customer's. Option D is wrong because database engine patches are applied by Google Cloud for Cloud SQL, not by the customer, as the service handles version upgrades and security patches automatically.

201
MCQ (medium)

A healthcare company must comply with HIPAA and store all protected health information (PHI) only in the United States. They use Google Cloud and want to prevent any accidental data storage outside the US. Which two services should they implement?

A. VPC Service Controls and Organization Policies
B. Data Loss Prevention API
C. Identity-Aware Proxy
D. Cloud Armor
Answer: A

VPC Service Controls create a data security perimeter, and Organization Policies restrict resource locations.

Why this answer

VPC Service Controls create a security perimeter around Google Cloud resources, preventing data from being copied or moved outside allowed regions. Organization Policies allow you to set a constraint (e.g., `gcp.resourceLocations`) that restricts where resources like Cloud Storage buckets or BigQuery datasets can be created, ensuring PHI remains in the US. Together, they enforce both data exfiltration prevention and location-based resource creation restrictions.

Exam trap

Google Cloud often tests the distinction between data *protection* (DLP, IAP, Cloud Armor) and data *residency enforcement* (VPC Service Controls, Organization Policies), leading candidates to confuse content inspection or access control with geographic restriction.

How to eliminate wrong answers

Option B (Data Loss Prevention API) is wrong because it is a content inspection and redaction tool, not a data residency enforcement mechanism; it scans for sensitive data patterns but does not prevent storage outside a geographic boundary. Option C (Identity-Aware Proxy) is wrong because it controls user access to applications based on identity and context, not data location or storage restrictions. Option D (Cloud Armor) is wrong because it is a web application firewall (WAF) that protects against DDoS and OWASP Top 10 threats, with no capability to enforce data residency or prevent storage in non-US regions.

202
Multi-Select (hard)

Which TWO of the following are best practices for securing a Google Cloud environment? (Choose two.)

Select 2 answers
A. Use the same SSH key for all Compute Engine instances.
B. Grant minimal permissions to users and services using IAM roles.
C. Export service account keys and use them in on-premises applications for authentication.
D. Rotate service account keys every month.
E. Enable VPC Flow Logs for all subnets.
Answers: B, E

Least privilege reduces the impact of a compromised account.

Why this answer

Option B is correct because the principle of least privilege is a foundational security best practice in Google Cloud. By granting minimal permissions using IAM roles, you limit the attack surface and reduce the risk of unauthorized access or accidental data exposure. This aligns with Google Cloud's security model where roles are predefined or custom, and permissions are additive, never implicit.

Exam trap

Google Cloud often tests the misconception that service account key rotation is a best practice, but the trap here is that the real best practice is to avoid using service account keys altogether in favor of workload identity federation or short-lived credentials.

203
Multi-Select (easy)

Which TWO are recommended practices when configuring autoscaling for Compute Engine managed instance groups?

Select 2 answers
A. Disable the cool-down period to react faster to spikes.
B. Use a load balancer in front of the instance group.
C. Use a single metric (e.g., CPU utilization) for simplicity.
D. Set both a minimum and maximum number of instances.
E. Scale based on custom metrics only.
Answers: B, D

Load balancer distributes traffic and is required for health-based autoscaling.

Why this answer

Options B and D are correct. Setting min and max instances prevents over- and under-scaling. Using a load balancer distributes traffic to the group.

Option A is wrong because the cool-down period prevents thrashing. Option C is wrong because multiple metrics are recommended. Option E is wrong because custom metrics can be combined with standard metrics.

204
MCQ (easy)

A company is migrating its on-premises data center to Google Cloud. They want to avoid large upfront hardware costs and only pay for the resources they consume. Which cloud benefit does this represent?

A. Security
B. Pay-as-you-go pricing
C. High availability
D. Scalability
Answer: B

Pay-as-you-go eliminates large upfront hardware purchases and bills based on consumption.

Why this answer

Option B is correct because the scenario describes a shift from capital expenditure (CapEx) to operational expenditure (OpEx), which is the core of pay-as-you-go pricing. This model allows the company to avoid large upfront hardware costs and only pay for the compute, storage, and network resources actually consumed, aligning with Google Cloud's consumption-based billing model.

Exam trap

The trap here is that candidates often confuse 'scalability' with 'pay-as-you-go' because both involve resource adjustment, but scalability is about dynamic capacity changes, not the financial model of avoiding upfront costs.

How to eliminate wrong answers

Option A is wrong because security is a shared responsibility model in Google Cloud, not a financial model that avoids upfront costs; it does not address the consumption-based pricing described. Option C is wrong because high availability refers to redundant infrastructure and uptime guarantees (e.g., via multi-zonal deployments), not to the elimination of upfront hardware expenses. Option D is wrong because scalability is the ability to automatically adjust resources based on demand (e.g., using managed instance groups), which is a separate benefit from the pay-as-you-go pricing model that avoids initial capital outlay.

205
MCQ (hard)

A reliability engineering team wants to proactively identify weaknesses in their distributed system by deliberately injecting failures — killing random instances, introducing network latency, and cutting off database connections — to observe how the system responds. What is this practice called?

A. Destructive testing — deliberately breaking the system to determine the breaking point.
B. Chaos engineering — deliberately injecting controlled failures to discover system weaknesses and build resilience confidence.
C. Penetration testing — simulating attacks to find security vulnerabilities.
D. Load testing — verifying the system handles expected traffic volumes.
Answer: B

Chaos engineering tests system resilience through controlled failure injection. Each experiment validates (or reveals gaps in) the system's ability to handle unexpected failures without impacting users.

Why this answer

Option B is correct because chaos engineering is the practice of deliberately injecting controlled failures—such as killing instances, introducing latency, or cutting database connections—into a distributed system to proactively identify weaknesses and build resilience confidence. This approach aligns with Google Cloud's reliability principles, where tools like Chaos Monkey (part of the Simian Army) or Google's internal DiRT (Disaster Recovery Testing) are used to test system behavior under failure conditions.

Exam trap

Google Cloud often tests the distinction between 'destructive testing' and 'chaos engineering' by making candidates think any deliberate failure is destructive, but the key difference is that chaos engineering is controlled, hypothesis-driven, and aims to build resilience, not just find the breaking point.

How to eliminate wrong answers

Option A is wrong because destructive testing focuses on finding the breaking point of a system by pushing it to failure, often in a non-controlled manner, and does not emphasize controlled, proactive failure injection to build resilience confidence. Option C is wrong because penetration testing specifically targets security vulnerabilities (e.g., OWASP Top 10, SQL injection) and does not cover operational failures like network latency or instance termination. Option D is wrong because load testing verifies system performance under expected or peak traffic volumes (e.g., using tools like Locust or k6), not the system's response to injected failures like database disconnections or random instance kills.

206
MCQ (hard)

A company migrated a microservices application to Google Kubernetes Engine (GKE). They set up an internal HTTP(S) load balancer to route traffic to the services. However, some pods are not receiving traffic. What is the most likely cause?

A. The service type is NodePort instead of LoadBalancer.
B. The pods have failing readiness probes that are preventing them from being added to the load balancer's backend endpoints.
C. The cluster does not have enough nodes to schedule the pods.
D. The firewall rules are not allowing traffic from the load balancer to the nodes.
Answer: B

Readiness probes determine whether a pod is ready to serve traffic. If they fail, the pod is removed from the endpoint list, causing no traffic.

Why this answer

A pod whose readiness probe fails is removed from the Service's endpoint list, so the load balancer never forwards traffic to it. Firewall rules for internal load balancers are typically auto-configured.

207
MCQ (easy)

A company's security team wants to ensure that only approved corporate devices can access Google Cloud resources, regardless of whether the user has valid credentials. Which Google Cloud security capability enforces device-level access requirements?

A. Cloud Armor, which filters incoming requests based on IP allowlists and denylists
B. Access Context Manager, which enforces device-level access requirements as part of context-aware access control policies
C. Identity-Aware Proxy (IAP), which provides application-level authentication but without device checks
D. VPC Service Controls, which restrict access to Google APIs based on network perimeter membership
Answer: B

Access Context Manager is precisely the service for this. It allows security teams to define access levels (policies) that include device attribute requirements — managed/enrolled devices, disk encryption, screen lock. These conditions must be met in addition to valid credentials for access to be granted.

Why this answer

Access Context Manager is the correct choice because it allows security teams to define context-aware access policies that include device-level attributes such as device OS type, device ID, and whether the device is managed (e.g., via endpoint verification or third-party EMM). This enforces device-level access requirements even if the user has valid credentials, directly addressing the scenario.

Exam trap

The trap here is that candidates confuse IAP's role in user authentication with device-level enforcement, not realizing that IAP delegates device context checks to Access Context Manager via access levels.

How to eliminate wrong answers

Option A is wrong because Cloud Armor filters traffic based on IP addresses (allowlists/denylists) and other network-layer attributes, not device-level identity or management status. Option C is wrong because Identity-Aware Proxy (IAP) provides authentication and authorization at the application layer but does not natively enforce device-level checks; it relies on Access Context Manager for such context. Option D is wrong because VPC Service Controls restrict access to Google APIs based on network perimeter (e.g., VPC, IP ranges) and do not evaluate device-level attributes.

208
MCQ (medium)

A company wants to ensure that even if an attacker compromises an employee's password and passes MFA, the attacker cannot access sensitive Google Cloud resources from an unmanaged personal laptop. Which Google security feature enforces device trust as part of access decisions?

A. Cloud Armor — it inspects device fingerprints on incoming requests.
B. Access Context Manager with device policy conditions requiring managed, compliant devices.
C. Cloud Firewall rules that allow only corporate office IP ranges.
D. Two-step verification — the second factor proves the device is trusted.
Answer: B

Access Context Manager defines access levels with device conditions (managed enrollment, encrypted disk, OS version). These levels are enforced in VPC Service Controls and IAP policies — blocking access from unmanaged devices.

Why this answer

Access Context Manager allows you to define device policy conditions that require devices to be managed (e.g., via endpoint verification) and compliant with corporate security policies. When an attacker attempts to access sensitive Google Cloud resources from an unmanaged personal laptop, the access level will not be satisfied, and access is denied even if the user's password and MFA are valid. This enforces device trust as a distinct attribute in the access decision, separate from user authentication.

Exam trap

This exam often tests the distinction between authentication (MFA) and device trust, so the trap here is that candidates confuse two-step verification (MFA) with device trust, thinking that a second factor inherently proves the device is trusted, when in reality MFA only proves the user's identity, not the device's security posture.

How to eliminate wrong answers

Option A is wrong because Cloud Armor is a web application firewall that inspects HTTP/S traffic and can use device fingerprints (e.g., via reCAPTCHA or WAF rules), but it does not enforce device trust as a condition for access to Google Cloud resources; it operates at the network edge, not as an identity-aware access control. Option C is wrong because Cloud Firewall rules that allow only corporate office IP ranges restrict access based on network origin, not device trust; an attacker could still use a managed laptop from a corporate IP if they compromise it, and an unmanaged personal laptop from a corporate IP would bypass the intent. Option D is wrong because two-step verification (MFA) verifies the user's identity via a second factor (e.g., TOTP, push notification), but it does not prove the device is trusted; an attacker who has compromised the password and MFA (e.g., via session hijacking or phishing) can still access resources from any device.

209
MCQ (hard)

A multinational manufacturing company operates thousands of IoT sensors on factory equipment. These sensors generate over 50 TB of telemetry data daily. The company wants to implement predictive maintenance to reduce unplanned downtime. Their current on-premises infrastructure is maxed out, and they have a small IT team with limited data engineering expertise. They are evaluating cloud vs. on-premises options. The data is highly sensitive and must be encrypted at rest and in transit. Additionally, they need to run machine learning models near real-time and store historical data for trend analysis. The CTO is concerned about vendor lock-in, data sovereignty, and the ability to scale globally as they open new factories. Which course of action best addresses these requirements using Google Cloud?

A. Deploy Kubernetes on-premises to orchestrate microservices, and use Cloud Storage for backup only.
B. Build a new on-premises data center with dedicated GPU servers for ML training, and hire additional data engineers.
C. Use Cloud IoT Core to ingest sensor data, Cloud Pub/Sub for streaming, Cloud Dataflow for processing, and AI Platform for predictive models, all in the desired region.
D. Store all sensor data in Cloud Storage and run ad-hoc queries using BigQuery without any streaming pipeline.
Answer: C

This fully managed solution scales, meets security/compliance, and reduces operational burden.

Why this answer

Option C is correct because it leverages Google Cloud's fully managed services—Cloud IoT Core for ingestion, Pub/Sub for buffering, Dataflow for stream processing, and AI Platform for ML—to meet near-real-time predictive maintenance needs without requiring deep data engineering expertise. This architecture encrypts data at rest (Cloud Storage/AI Platform) and in transit (TLS), avoids vendor lock-in via open APIs, supports data sovereignty by deploying in a specific region, and scales globally as new factories are added.

Exam trap

Google Cloud often tests the misconception that batch processing (e.g., BigQuery on stored data) can substitute for a streaming pipeline in near-real-time scenarios, leading candidates to overlook the need for continuous ingestion and processing with services like Pub/Sub and Dataflow.

How to eliminate wrong answers

Option A is wrong because deploying Kubernetes on-premises does not address the maxed-out infrastructure, requires significant data engineering expertise for management, and fails to provide the near-real-time streaming and ML capabilities needed, while Cloud Storage for backup alone ignores the primary processing requirements. Option B is wrong because building a new on-premises data center contradicts the goal of avoiding infrastructure expansion, requires hiring additional data engineers (which the small IT team cannot support), and does not address vendor lock-in or global scaling concerns. Option D is wrong because storing all data in Cloud Storage and running ad-hoc BigQuery queries lacks a streaming pipeline, making near-real-time predictive maintenance impossible, and does not provide the continuous processing needed for ML model inference on live telemetry data.

210
MCQ (easy)

Which term describes the process by which organizations integrate digital technology into all areas of their business, fundamentally changing how they operate and deliver value to customers?

A. IT modernization
B. Digital transformation
C. Cloud migration
D. Agile development
Answer: B

Digital transformation is the comprehensive integration of digital technology into all business areas, changing operations, culture, and customer value delivery. Cloud is a primary enabler.

Why this answer

Digital transformation (B) is the correct term because it encompasses the holistic integration of digital technology across all business areas, fundamentally altering operations and customer value delivery. Unlike IT modernization, which focuses on updating legacy systems, digital transformation involves strategic changes in culture, processes, and customer engagement, often leveraging cloud computing, data analytics, and AI. This aligns with the GCDL domain's emphasis on how cloud technology enables business model innovation rather than just infrastructure upgrades.

Exam trap

This exam often tests the distinction between tactical technology upgrades (like cloud migration or IT modernization) and the strategic, business-model-changing scope of digital transformation, leading candidates to confuse a component (e.g., moving to the cloud) with the holistic process.

How to eliminate wrong answers

Option A (IT modernization) is wrong because it specifically refers to updating or replacing legacy IT systems (e.g., hardware, software) to improve efficiency, without necessarily changing business models or customer value delivery. Option C (Cloud migration) is wrong because it is a tactical move of moving applications or data to cloud infrastructure (e.g., IaaS/PaaS), which is a component of digital transformation but not the overarching strategic process. Option D (Agile development) is wrong because it is a software development methodology focused on iterative delivery and collaboration, not the enterprise-wide integration of digital technology across all business functions.

211
MCQ (medium)

A developer needs to store application secrets (database passwords, API keys, OAuth tokens) securely so that they are not hardcoded in source code or environment variables. The secrets should be automatically versioned and rotatable. Which Google Cloud product is designed for this secure secrets management requirement?

A. Cloud Storage, by storing secrets in an encrypted bucket with restricted IAM access
B. Secret Manager, which stores secrets encrypted at rest with automatic versioning, rotation support, and fine-grained IAM access control
C. Cloud KMS, which generates encryption keys for encrypting application data
D. Cloud SQL, by storing secrets in an encrypted database table with restricted access
Answer: B

Secret Manager is the correct answer. It provides: encrypted storage for secret values, automatic versioning (each update creates a new numbered version), rotation support via Cloud Functions, per-secret IAM bindings, and audit logs for every secret access. It directly solves the hardcoded secrets problem.

Why this answer

Option B is correct because Secret Manager is Google Cloud's dedicated service for storing application secrets such as database passwords, API keys, and OAuth tokens. It provides encryption at rest using AES-256, automatic versioning (each new secret version is immutable and timestamped), and built-in rotation support via scheduled rotation policies. Fine-grained IAM roles (e.g., roles/secretmanager.secretAccessor) ensure least-privilege access without exposing secrets in source code or environment variables.

Exam trap

The trap here is that candidates confuse Cloud KMS (key management) with Secret Manager (secret storage), or assume that any encrypted storage service (like Cloud Storage or Cloud SQL) can substitute for a purpose-built secrets manager, ignoring the need for automatic versioning, rotation, and fine-grained per-secret access control.

How to eliminate wrong answers

Option A is wrong because Cloud Storage is an object storage service, not a secrets manager; while you can encrypt a bucket and restrict IAM, it lacks automatic versioning (object versioning is optional and not secret-aware), rotation policies, and fine-grained access control at the secret level (e.g., per-secret IAM). Option C is wrong because Cloud KMS is a key management service for creating and managing encryption keys used to encrypt data elsewhere; it does not store secrets directly, does not provide versioning of secret values, and does not support rotation of the secret itself (only key rotation). Option D is wrong because Cloud SQL is a managed relational database service; storing secrets in a database table requires custom application logic for encryption, versioning, and rotation, and it introduces additional attack surface (e.g., SQL injection) and operational overhead, making it unsuitable for secure secrets management.

212
MCQ (medium)

A company running critical applications on Google Cloud wants access to technical support with a response time under 1 hour for critical issues and a dedicated Technical Account Manager (TAM). Which Google Cloud support tier should they purchase?

A. Basic support
B. Standard support
C. Premium support
D. Enhanced support
Answer: C

Premium support provides 24/7 support, 15-minute P1 response, a dedicated Technical Account Manager (TAM), and proactive technical reviews. This meets both the <1 hour and TAM requirements.

Why this answer

Premium support is the only Google Cloud tier that includes a dedicated Technical Account Manager (TAM) and a response time under 1 hour for critical (P1) issues. Basic and Standard support offer slower SLAs and no TAM, while Enhanced support is not a valid Google Cloud tier.

Exam trap

Google Cloud often tests the misconception that 'Enhanced support' is a real Google Cloud tier, when in fact only Basic, Standard, and Premium exist, and candidates may confuse the TAM requirement with Standard support's faster SLA.

How to eliminate wrong answers

Option A is wrong because Basic support provides only online documentation and community forums, with no defined response time SLA or TAM. Option B is wrong because Standard support offers a 1-hour response for P1 issues but does not include a dedicated TAM. Option D is wrong because Enhanced support is not a Google Cloud support tier; the correct tiers are Basic, Standard, and Premium.

213
MCQ (medium)

Refer to the exhibit. A user receives this error when trying to SSH into a Compute Engine instance. Which IAM role should be granted to the user?

A. roles/compute.osLogin
B. roles/compute.instanceAdmin.v1
C. roles/iam.serviceAccountUser
D. roles/compute.admin
Answer: B

This role includes compute.instances.get and compute.instances.setMetadata, which are needed for SSH access.

Why this answer

The error indicates the user lacks SSH access to the Compute Engine instance. The `roles/compute.instanceAdmin.v1` role includes the `compute.instances.setMetadata` permission, which allows the user to add their SSH public key to the instance's metadata, enabling SSH access. This role also provides broader instance management capabilities, making it the correct choice for resolving SSH connectivity issues.

Exam trap

Google Cloud often tests the misconception that `roles/compute.osLogin` is required for SSH access, but the trap here is that OS Login is an alternative method that must be explicitly enabled on the instance and project, whereas the default SSH access relies on metadata-based keys, which require `roles/compute.instanceAdmin.v1` to modify.

How to eliminate wrong answers

Option A is wrong because `roles/compute.osLogin` enables OS Login, which uses IAM permissions to manage SSH keys centrally, but the error suggests the user is not using OS Login or lacks the necessary metadata configuration. Option C is wrong because `roles/iam.serviceAccountUser` allows a user to impersonate a service account, but it does not grant any permissions to access Compute Engine instances or modify SSH keys. Option D is wrong because `roles/compute.admin` is a highly privileged role that includes all Compute Engine permissions, but it is overly broad for simply granting SSH access; the more specific `roles/compute.instanceAdmin.v1` is sufficient and follows the principle of least privilege.

214
Multi-Select (medium)

Which TWO of the following are key benefits of using a cloud provider like Google Cloud? (Choose exactly 2.)

Select 2 answers
A. Access to a global network infrastructure
B. Complete removal of physical security responsibilities
C. Reduced internet latency
D. Elimination of hardware costs
E. Economies of scale leading to lower costs
Answers: A, E

Cloud providers have data centers worldwide.

Why this answer

Option A is correct because cloud providers like Google Cloud operate a vast, globally distributed network of data centers interconnected via high-capacity fiber optic cables and private peering agreements. This global infrastructure allows customers to deploy workloads close to their users, reducing latency and improving performance without building their own network. Access to this network is a fundamental benefit of cloud computing, enabling global reach and reliability.

Exam trap

Google Cloud often tests the shared responsibility model to trick candidates into thinking that physical security is completely offloaded, when in fact customers still secure their own virtual assets and data.

215
MCQ (hard)

A financial services company is migrating a legacy monolithic application to Google Cloud. The application uses a SQL Server database and has compliance requirements to encrypt data at rest and in transit. The migration must minimize code changes. The application runs on Windows Server and currently uses Active Directory for authentication. The company wants to use Google Cloud's managed services where possible. Which approach best meets these requirements?

A. Migrate the application to Compute Engine with SQL Server on Windows VMs. Use Cloud SQL for SQL Server but keep the database on-premises for compliance.
B. Lift and shift the application to Compute Engine with SQL Server on Windows VMs. Use Cloud SQL for SQL Server with encryption enabled, and configure Active Directory via Managed Microsoft AD.
C. Containerize the application and deploy on GKE with SQL Server in a container. Use Cloud SQL for SQL Server with encryption.
D. Migrate the application to Compute Engine instances with SQL Server on Windows VMs. Use Cloud VPN for connectivity. Enable encryption on the VMs and use SSL for SQL connections.
Answer: B

Minimizes code changes, uses managed database and AD, and provides encryption.

Why this answer

Option B is correct because it uses Compute Engine (minimal code changes) with Cloud SQL for SQL Server (managed encryption at rest and in transit) and Managed Microsoft AD (integrates with existing AD). Option D is incorrect because it runs SQL Server on VMs (more operational overhead) and does not fully leverage managed services; Cloud VPN provides connectivity, not encryption. Option C is incorrect because containerizing SQL Server is complex and requires code changes. Option A is incorrect because keeping the database on-premises does not meet the goal of using managed services.

216
MCQ (medium)

A consulting firm advises a client that their digital transformation strategy must include 'ecosystem thinking.' What does this mean in the context of cloud and digital transformation?

A. The company should only use cloud services from a single provider to maximize integration within that provider's ecosystem
B. Digital transformation should include building open API platforms and partner integrations that create network effects — where the company's value grows as more participants (developers, partners, customers) join and contribute
C. The company should focus on eliminating all external dependencies by building all capabilities internally on cloud infrastructure
D. Ecosystem thinking refers to the environmental sustainability of cloud infrastructure, including renewable energy usage
Answer: B

This captures ecosystem thinking correctly. Platforms like Salesforce (third-party app ecosystem), Apple App Store (developer ecosystem), and Google Maps API (partner ecosystem) create value not just from the core product but from the network of participants. Cloud enables this by making API publishing and partner integration fast and scalable.

Why this answer

Ecosystem thinking in cloud and digital transformation means designing platforms that leverage open APIs and partner integrations to create network effects. As more developers, partners, and customers connect to the platform, the overall value of the service increases exponentially, which is a core driver of cloud-native business models like those used by AWS, Salesforce, or Stripe.

Exam trap

The trap here is that candidates often confuse 'ecosystem thinking' with 'using a single cloud provider's ecosystem' (Option A), but the exam tests the understanding that true ecosystem thinking requires open, multi-party integration and network effects, not vendor lock-in.

How to eliminate wrong answers

Option A is wrong because it describes a 'single-provider lock-in' strategy, which contradicts ecosystem thinking that thrives on multi-vendor interoperability and open standards like RESTful APIs and OAuth. Option C is wrong because it advocates for building everything internally (a 'walled garden' approach), which eliminates the external partnerships and network effects that define ecosystem thinking. Option D is wrong because it confuses 'ecosystem' with 'environmental sustainability'; while cloud providers do focus on green energy, ecosystem thinking specifically refers to business and technical ecosystems, not ecological ones.

217
MCQ (easy)

A company uses the lifecycle configuration above for archival data that is rarely accessed. What business benefit does this provide?

A. Improved data security through encryption
B. Faster data retrieval for frequently accessed files
C. Reduced storage costs by transitioning to cheaper tiers and deleting obsolete data
D. Automatic replication to another region for disaster recovery
Answer: C

Automated lifecycle management reduces costs without manual intervention.

Why this answer

The policy automatically moves data to cheaper storage after 30 days and deletes it after 365 days, optimizing storage costs. Option B is wrong because the policy does not improve retrieval speed. Option A is wrong because security is not directly affected. Option D is wrong because data is deleted, not replicated.
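To make the policy this question refers to concrete, here is an added illustration (not code from the question bank or from Google Cloud) that applies a lifecycle configuration of the described shape to a few constructed objects. The COLDLINE transition target, the object names and their ages are assumptions, since the exhibit itself is not reproduced on this page.

```python
"""Model of how a Cloud Storage lifecycle policy acts on objects over time."""
from __future__ import annotations

import json
from dataclasses import dataclass, replace

# Constructed policy in the JSON shape of a Cloud Storage lifecycle
# configuration, matching the answer's description: transition after
# 30 days, delete after 365 days. The COLDLINE target is an assumption;
# the question's exhibit is not reproduced on the page.
LIFECYCLE_JSON = """
{
  "rule": [
    {
      "action": {"type": "SetStorageClass", "storageClass": "COLDLINE"},
      "condition": {"age": 30, "matchesStorageClass": ["STANDARD"]}
    },
    {
      "action": {"type": "Delete"},
      "condition": {"age": 365}
    }
  ]
}
"""


@dataclass(frozen=True)
class StoredObject:
    name: str
    age_days: int        # days since the object was created
    storage_class: str


def load_policy(text: str = LIFECYCLE_JSON) -> dict:
    """Parse the lifecycle JSON and reject action types the model does not handle."""
    policy = json.loads(text)
    for rule in policy["rule"]:
        if rule["action"]["type"] not in ("SetStorageClass", "Delete"):
            raise ValueError(f"unsupported action: {rule['action']['type']}")
    return policy


def rule_matches(rule: dict, obj: StoredObject) -> bool:
    """True when every condition in the rule holds for the object.
    Only the `age` and `matchesStorageClass` conditions are modelled."""
    cond = rule["condition"]
    if "age" in cond and obj.age_days < cond["age"]:
        return False
    if "matchesStorageClass" in cond and obj.storage_class not in cond["matchesStorageClass"]:
        return False
    return True


def apply_lifecycle(policy: dict, objects: list[StoredObject]) -> tuple[list[StoredObject], list[str]]:
    """Evaluate the policy once against every object.

    Returns (objects that remain, with any new storage class; names deleted).
    When both a Delete and a SetStorageClass rule match, Delete wins, which
    is the precedence Cloud Storage documents for conflicting actions.
    """
    kept: list[StoredObject] = []
    deleted: list[str] = []
    for obj in objects:
        actions = [r["action"] for r in policy["rule"] if rule_matches(r, obj)]
        if any(a["type"] == "Delete" for a in actions):
            deleted.append(obj.name)
            continue
        for action in actions:
            if action["type"] == "SetStorageClass":
                obj = replace(obj, storage_class=action["storageClass"])
        kept.append(obj)
    return kept, deleted


# Constructed sample bucket contents: one object in each age band the policy
# distinguishes, plus one already in COLDLINE that the transition rule skips.
SAMPLE_OBJECTS = [
    StoredObject("scan-0001.pdf", age_days=10, storage_class="STANDARD"),
    StoredObject("scan-0002.pdf", age_days=45, storage_class="STANDARD"),
    StoredObject("scan-0003.pdf", age_days=45, storage_class="COLDLINE"),
    StoredObject("report-2019.csv", age_days=400, storage_class="STANDARD"),
]


def run_exhibit() -> dict[str, str]:
    """Apply the constructed policy to the sample objects.

    Returns a name -> outcome map, where the outcome is the storage class the
    object ends up in, or 'DELETED'."""
    kept, deleted = apply_lifecycle(load_policy(), SAMPLE_OBJECTS)
    outcome = {o.name: o.storage_class for o in kept}
    outcome.update({name: "DELETED" for name in deleted})
    return outcome


if __name__ == "__main__":
    for name, state in run_exhibit().items():
        print(f"{name:18} -> {state}")
```

Running it shows the cost lever the answer describes: nothing changes for a 10-day-old object, a 45-day-old STANDARD object moves to the cheaper class, and a 400-day-old object is removed rather than moved, because the Delete rule takes precedence when both conditions are met.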

218
MCQ (hard)

A healthcare organization is migrating a HIPAA-covered application to Google Cloud. The application processes electronic protected health information (ePHI) and must maintain strict data residency within a specific geographic region. The organization has already signed a Business Associate Agreement (BAA) with Google Cloud. During a compliance review, the security team discovers that one of the Cloud Storage buckets containing ePHI is located in the 'US' multi-region, but the organization's data residency policy requires data to be stored only in the United States region (e.g., us-central1). The bucket was created without any enforcement of organization policies. The team also finds that several Compute Engine instances in the us-central1 zone have public IP addresses and are accessible over the internet via SSH, which could expose ePHI in transit. The security team needs to remediate these issues while minimizing downtime and without violating the BAA. Which course of action should the security team take first?

A. Remove public IPs from all Compute Engine instances and enforce firewall rules to block SSH from the internet.
B. Configure VPC Service Controls to create a secure perimeter around the project and restrict data movement.
C. Enable customer-managed encryption keys (CMEK) on the bucket to encrypt all objects at rest.
D. Move the bucket to a regional location (e.g., us-central1) using the 'gcloud storage buckets update' command and set the location constraint.
Answer: D

Moving the bucket to a regional location ensures data stays within the US, satisfying the data residency requirement. This should be done first to avoid further violation.

Why this answer

Option D is correct because the immediate priority is to resolve the data residency violation by moving the bucket from the 'US' multi-region to a specific regional location like us-central1. The 'gcloud storage buckets update' command with the '--location' flag can change the bucket's location, but only if the bucket is empty; since the bucket contains ePHI, the security team must first copy the data to a new regional bucket and then delete the original. This directly addresses the compliance requirement without violating the BAA, as the BAA is already in place and does not restrict location changes.

Exam trap

Google Cloud often tests the misconception that security controls like encryption or network perimeters can substitute for geographic compliance, but data residency is a location-based requirement that can only be fixed by moving the data to the correct region.

How to eliminate wrong answers

Option A is wrong because removing public IPs and blocking SSH from the internet addresses network exposure but does not fix the data residency violation of the bucket being in a multi-region. Option B is wrong because VPC Service Controls create a security perimeter to prevent data exfiltration but do not change the physical location of the bucket, so the data residency policy is still violated. Option C is wrong because enabling CMEK encrypts objects at rest but does not alter the bucket's geographic location, leaving the data residency non-compliance unresolved.

219
MCQ (hard)

Refer to the exhibit. A team deployed this Cloud Run service. During a load test, the service receives high traffic, but the number of container instances never exceeds 10. What is the most likely cause?

A. The maxScale annotation limits the maximum number of instances to 10.
B. The minScale of 2 forces at least two instances, but not the max.
C. The containerConcurrency of 80 limits the number of concurrent requests per instance.
D. The CPU limit of 1 vCPU is too low to handle the traffic.
Answer: A

The autoscaling.knative.dev/maxScale annotation sets the maximum number of instances; with value 10, it cannot scale beyond 10.

Why this answer

The `maxScale` annotation in Cloud Run directly caps the maximum number of container instances that can be created. When the service receives high traffic but never exceeds 10 instances, it indicates that the `maxScale` annotation is set to 10, preventing further scaling even if demand increases. This is the most direct and likely cause among the options.

Exam trap

Google Cloud often tests the distinction between scaling limits (maxScale) and performance tuning parameters (containerConcurrency, CPU limits), leading candidates to mistakenly attribute a hard instance cap to concurrency or resource constraints rather than the explicit annotation.

How to eliminate wrong answers

Option B is wrong because `minScale` of 2 only ensures a minimum of two instances are always running, but it does not impose any upper limit; the service could scale beyond 10 if `maxScale` were higher. Option C is wrong because `containerConcurrency` of 80 limits how many concurrent requests each instance can handle, but it does not cap the total number of instances; the service could still scale out to more instances to handle the load. Option D is wrong because a CPU limit of 1 vCPU per instance might cause performance bottlenecks, but it does not prevent the service from creating more than 10 instances; Cloud Run can still scale horizontally to additional instances even if each has a low CPU limit.
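As an added illustration (not code from the question bank or from Google Cloud), the model below reads the three scaling settings from a constructed Knative-style manifest with the values the question describes and computes the instance count a simplified autoscaler would choose at a few constructed traffic levels. The service name, image path and request counts are assumptions, and the real Cloud Run autoscaler also applies a target-utilization factor and smoothing over time, which the model omits.

```python
"""Model of the Cloud Run instance count under minScale, maxScale and concurrency."""
from __future__ import annotations

import math
from dataclasses import dataclass

# Constructed Knative-style service manifest (as a dict rather than YAML)
# with the settings the question describes: minScale 2, maxScale 10,
# containerConcurrency 80, 1 vCPU. Name and image are placeholders.
MANIFEST = {
    "apiVersion": "serving.knative.dev/v1",
    "kind": "Service",
    "metadata": {"name": "orders-api"},
    "spec": {
        "template": {
            "metadata": {
                "annotations": {
                    "autoscaling.knative.dev/minScale": "2",
                    "autoscaling.knative.dev/maxScale": "10",
                }
            },
            "spec": {
                "containerConcurrency": 80,
                "containers": [
                    {
                        "image": "REGION-docker.pkg.dev/PROJECT/repo/orders-api:tag",
                        "resources": {"limits": {"cpu": "1000m", "memory": "512Mi"}},
                    }
                ],
            },
        }
    },
}


@dataclass(frozen=True)
class ScalingConfig:
    min_scale: int
    max_scale: int
    container_concurrency: int


def scaling_config(manifest: dict) -> ScalingConfig:
    """Pull the three scaling knobs out of the manifest. Annotation values are
    strings in a Knative manifest, so they are converted to integers here."""
    template = manifest["spec"]["template"]
    annotations = template["metadata"]["annotations"]
    return ScalingConfig(
        min_scale=int(annotations["autoscaling.knative.dev/minScale"]),
        max_scale=int(annotations["autoscaling.knative.dev/maxScale"]),
        container_concurrency=int(template["spec"]["containerConcurrency"]),
    )


def desired_instances(cfg: ScalingConfig, concurrent_requests: int) -> int:
    """Instances needed so no instance exceeds containerConcurrency,
    clamped to [minScale, maxScale]. Simplified: the real autoscaler targets
    a fraction of the concurrency limit and smooths changes over time."""
    if concurrent_requests < 0 or cfg.container_concurrency <= 0:
        raise ValueError("request count must be >= 0 and concurrency > 0")
    if cfg.min_scale > cfg.max_scale:
        raise ValueError("minScale cannot exceed maxScale")
    needed = math.ceil(concurrent_requests / cfg.container_concurrency)
    return max(cfg.min_scale, min(cfg.max_scale, needed))


def bounding_setting(cfg: ScalingConfig, concurrent_requests: int) -> str:
    """Name the setting that decided the count: 'maxScale' when demand is
    capped, 'minScale' when idle capacity is being held, else 'demand'."""
    needed = math.ceil(concurrent_requests / cfg.container_concurrency)
    if needed > cfg.max_scale:
        return "maxScale"
    if needed < cfg.min_scale:
        return "minScale"
    return "demand"


def load_test(cfg: ScalingConfig, ramp: list[int]) -> list[int]:
    """Instance count at each step of a constructed traffic ramp."""
    return [desired_instances(cfg, n) for n in ramp]


if __name__ == "__main__":
    cfg = scaling_config(MANIFEST)
    for n in (0, 100, 800, 4000):
        print(f"{n:5} concurrent requests -> {desired_instances(cfg, n):2} instances "
              f"({bounding_setting(cfg, n)})")
```

Running it reproduces the symptom in the question: at 800 or 4000 concurrent requests the count stays at 10 because maxScale bounds it, while lowering containerConcurrency only changes how many requests each instance absorbs, not the ceiling; only a higher maxScale lets the service scale further.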

220
MCQ (easy)

A small startup can now access the same world-class AI, machine learning, and global infrastructure that previously only Fortune 500 companies with billion-dollar IT budgets could afford. Which cloud characteristic enables this competitive equalization?

A. Cloud providers charge smaller companies lower rates than enterprises.
B. Cloud's pay-per-use model and managed services give any organization access to enterprise-grade capabilities without large upfront capital investment.
C. Cloud providers assign dedicated infrastructure to small companies so they always have priority access.
D. Government regulations require cloud providers to offer equal service levels to all customers.
Answer: B

Pay-as-you-go pricing removes the capital barrier. Managed services (AI APIs, global load balancers, etc.) let a startup access capabilities that previously required large engineering teams and massive infrastructure budgets.

Why this answer

Option B is correct because the cloud's pay-per-use model eliminates the need for large upfront capital expenditures, while managed services (e.g., AWS RDS, Azure SQL Database, Google Cloud AI Platform) abstract away the operational complexity of maintaining enterprise-grade infrastructure. This allows a small startup to leverage the same AI/ML models, GPU clusters, and global network backbones that Fortune 500 companies use, paying only for what they consume rather than provisioning for peak capacity.

Exam trap

The exam often tests the misconception that cloud providers offer 'lower rates' or 'dedicated infrastructure' to small companies, when in reality the equalization comes from the operational expenditure (OpEx) model and managed services that abstract complexity, not from preferential pricing or physical resource dedication.

How to eliminate wrong answers

Option A is wrong because cloud providers do not charge lower rates based on company size; pricing is typically based on resource consumption, commitment levels (e.g., reserved instances), and volume discounts, not on whether the customer is a startup or an enterprise. Option C is wrong because cloud providers use multi-tenant architectures (e.g., hypervisor-level isolation, VPCs) rather than assigning dedicated physical infrastructure to small companies; priority access is not guaranteed unless specific reserved capacity or dedicated hosts are purchased. Option D is wrong because no government regulations mandate equal service levels for all customers; SLAs vary by service tier and region, and providers like AWS, Azure, and GCP offer different performance guarantees based on the chosen plan (e.g., Standard vs. Premium tiers).

221
MCQ (hard)

A consumer goods company uses cloud-based demand sensing — analyzing real-time sales signals, social media trends, and weather data to adjust production runs dynamically. This has reduced stockouts by 35% and overstock waste by 28%. Which aspect of digital transformation does this most directly exemplify?

A. Cost reduction through infrastructure consolidation and server decommissioning
B. Operational transformation through real-time data integration and machine learning that enables continuous, signal-driven production decisions
C. Business continuity improvement through data backup and disaster recovery in the cloud
D. Employee productivity improvement through providing staff with cloud-based collaboration tools
Answer: B

This precisely describes what's happening: cloud enables the integration of diverse real-time signals (sales, social, weather) at a scale and speed that transforms how production decisions are made. The 35% stockout reduction and 28% waste reduction are measurable business outcomes of this operational transformation.

Why this answer

Option B is correct because the scenario describes a shift from static, forecast-based production to dynamic, signal-driven decisions using real-time data integration (sales signals, social media, weather) and machine learning. This directly exemplifies operational transformation, a core pillar of digital transformation where cloud-based analytics and AI enable continuous optimization of core business processes like manufacturing.

Exam trap

Google Cloud often tests the distinction between operational transformation (changing core business processes with data and AI) and other common cloud benefits like cost savings or disaster recovery, so candidates mistakenly pick A or C when they see 'cloud' and 'reduced waste' without analyzing the process change.

How to eliminate wrong answers

Option A is wrong because it focuses narrowly on IT infrastructure cost savings (server decommissioning), whereas the question describes a business process change in production planning, not IT consolidation. Option C is wrong because it describes business continuity (backup and disaster recovery), which is about maintaining operations during disruptions, not about using real-time data to dynamically adjust production. Option D is wrong because it refers to employee productivity via collaboration tools (e.g., cloud-based email or document sharing), not to the automated, machine-learning-driven decision-making that adjusts production runs.

222
MCQ (medium)

A healthcare company needs to store patient data in Google Cloud and must comply with HIPAA (Health Insurance Portability and Accountability Act). Which statement correctly describes how Google Cloud helps them achieve HIPAA compliance?

A. Storing data in Google Cloud automatically makes an application HIPAA-compliant.
B. Google offers HIPAA-eligible services and signs a Business Associate Agreement (BAA), but customers must implement their own technical safeguards and access controls.
C. HIPAA compliance is impossible on public cloud; healthcare data must stay on-premises.
D. Google Cloud's automatic data encryption fully satisfies all HIPAA technical safeguard requirements.
Answer: B

Google provides HIPAA-eligible cloud infrastructure and signs BAAs. However, HIPAA compliance requires customer actions: access control, audit logging, workforce training, and breach procedures — all customer responsibilities.

Why this answer

Option B is correct because Google Cloud provides HIPAA-eligible services and offers a Business Associate Agreement (BAA) to covered entities, but compliance is a shared responsibility. Customers must configure their own technical safeguards, such as access controls, audit logging, and encryption key management, to meet HIPAA requirements. Google Cloud does not automatically make an application compliant; the customer must implement the necessary controls.

Exam trap

The exam often tests the shared responsibility model by presenting options that imply full vendor responsibility (like automatic compliance) or full customer responsibility (like impossibility), and the trap here is assuming that encryption alone satisfies all HIPAA technical safeguards, ignoring access control and audit requirements.

How to eliminate wrong answers

Option A is wrong because storing data in Google Cloud does not automatically make an application HIPAA-compliant; compliance requires the customer to implement technical safeguards and access controls, and to sign a BAA. Option C is wrong because HIPAA compliance is achievable on public cloud platforms like Google Cloud when using HIPAA-eligible services and signing a BAA, and many healthcare organizations successfully run workloads in the cloud. Option D is wrong because Google Cloud's automatic data encryption addresses only one aspect of HIPAA's technical safeguards; it does not satisfy all requirements, such as access control, audit controls, and integrity controls, which the customer must implement.

223
MCQ (hard)

An SRE team is practicing 'chaos engineering' by simulating a zone-level failure in their staging environment. They find that their application does not automatically recover — traffic is not redirected and the service remains down. What architectural component is most likely missing?

A. The application needs more replicas in the failing zone to survive the failure
B. A load balancer with health checks across multiple zones is most likely missing — without it, there is no mechanism to detect the zone failure and automatically redirect traffic to healthy instances in surviving zones
C. The application needs a larger machine type to handle the full traffic load without the failed zone's capacity
D. Cloud Monitoring alerts need to be configured to notify the team when a zone fails, enabling manual traffic redirection
Answer: B

The load balancer is the key component. It must be configured with backend instances in multiple zones and health checks enabled. When the health check detects that zone A instances are unhealthy, it automatically removes them from the rotation and sends all traffic to healthy instances in zones B and C. Without the load balancer, clients connect directly to zone A and have no fallback.

Why this answer

In a zone-level failure, traffic cannot be redirected to healthy instances in surviving zones without a load balancer that performs health checks across multiple zones. Google Cloud's external or internal load balancers (e.g., HTTP(S) Load Balancer, TCP/UDP Network Load Balancer) use health checks to detect unhealthy instances and automatically route traffic only to healthy backends. Without this component, the application has no mechanism to detect the zone failure and reroute traffic, leaving the service down.

Exam trap

The trap here is that candidates may confuse 'scaling up' (larger machine types or more replicas) with 'resilience through load balancing', failing to recognize that without a load balancer with health checks, no amount of capacity in surviving zones will automatically redirect traffic.

How to eliminate wrong answers

Option A is wrong because adding more replicas in the failing zone does not help when the entire zone is unavailable; replicas in that zone would also be down. Option C is wrong because a larger machine type does not solve the lack of automatic traffic redirection; it only increases capacity in surviving zones, but without a load balancer, traffic is still not redirected. Option D is wrong because Cloud Monitoring alerts only notify the team of the failure; they do not automatically redirect traffic, and manual redirection is not a scalable or reliable solution for chaos engineering scenarios.

224
MCQ (hard)

A CISO is implementing a Zero Trust security architecture for the company's Google Cloud environment. Under Zero Trust, which fundamental assumption about network traffic changes compared to traditional perimeter-based security?

A. Zero Trust assumes that internal network traffic is more secure than external traffic because it has passed through the corporate firewall
B. Zero Trust assumes no traffic is trusted by default regardless of network origin — every request must be explicitly authenticated and authorized based on identity, device posture, and context
C. Zero Trust assumes all traffic is malicious and blocks all requests by default, requiring explicit allowlisting for each connection
D. Zero Trust eliminates the need for encryption since all traffic is assumed to be on secure internal networks
Answer: B

This is the core Zero Trust principle: 'never trust, always verify.' A request from inside the VPC receives the same verification scrutiny as a request from the public internet. This model is more appropriate for cloud environments where the network perimeter no longer has clear meaning — employees, services, and attackers can all be inside the 'perimeter.'

Why this answer

Option B is correct because Zero Trust fundamentally shifts from implicit trust based on network location to explicit verification of every request. In Google Cloud, this means every API call, regardless of whether it originates from within the VPC or the internet, must be authenticated (e.g., using OAuth 2.0 or service account keys) and authorized based on identity, device posture, and context, as enforced by tools like Identity-Aware Proxy (IAP) and VPC Service Controls.

Exam trap

The trap here is that candidates often confuse Zero Trust's 'never trust, always verify' with a blanket denial of all traffic (Option C), when in reality it requires explicit verification for each request, not static allowlisting.

How to eliminate wrong answers

Option A is wrong because Zero Trust explicitly rejects the assumption that internal network traffic is more secure; it treats all traffic as untrusted, including traffic within the same VPC or subnet, and does not rely on a corporate firewall for trust. Option C is wrong because Zero Trust does not assume all traffic is malicious and block by default; it assumes no implicit trust but allows traffic after explicit authentication and authorization, not via static allowlisting. Option D is wrong because Zero Trust does not eliminate the need for encryption; in fact, it mandates encryption in transit (e.g., TLS 1.3) and at rest for all traffic, as internal networks are no longer considered trusted boundaries.

225
MCQ (hard)

A financial services company is migrating its on-premises monitoring system to Google Cloud. They need to collect metrics, logs, and traces from multiple projects and provide a unified view for their operations team. Security requires that logs containing sensitive data be stored with additional encryption and access controls. Which combination of services should they use?

A. Cloud Monitoring, Cloud Logging, and Cloud Trace with Logging's _Required and _Default buckets.
B. Cloud Monitoring, Cloud Logging, and Cloud Trace with a custom sink to a BigQuery dataset that uses CMEK.
C. Cloud Monitoring and Cloud Logging with Log Analytics.
D. Cloud Monitoring, Cloud Logging, and Cloud Trace with Cloud Audit Logs.
Answer: B

This provides all three telemetry types and enables CMEK for logs stored in BigQuery, meeting encryption and access control requirements.

Why this answer

Option B is correct because the company needs to collect metrics, logs, and traces (requiring Cloud Monitoring, Cloud Logging, and Cloud Trace) and must store logs containing sensitive data with additional encryption and access controls. A custom sink to BigQuery with CMEK provides customer-managed encryption keys for the BigQuery dataset, and BigQuery's native access controls (IAM, row-level security) satisfy the requirement for additional access controls beyond the default Logging buckets.

Exam trap

Google Cloud often tests the misconception that the _Required and _Default buckets are sufficient for compliance, but they lack CMEK and granular access controls, which are essential for sensitive data handling.

How to eliminate wrong answers

Option A is wrong because the _Required and _Default buckets are built-in Logging storage buckets that use Google-managed encryption keys (GMEK) by default and do not provide the additional encryption (CMEK) or granular access controls required for sensitive data. Option C is wrong because it omits Cloud Trace entirely, which is needed for collecting traces, and Log Analytics alone does not provide the separate, encrypted storage with custom access controls for sensitive logs. Option D is wrong because Cloud Audit Logs are a specific type of log (administrative activity, data access, etc.) and not a storage or encryption mechanism; they do not enable CMEK or custom access controls for sensitive data.
