Google Cloud Digital Leader (GCDL) — Questions 301–375

507 questions total · 7 pages · All types, answers revealed

Page 5 of 7
301
MCQ · medium

A company wants to proactively identify underutilized Compute Engine VMs (high provisioned capacity but low actual usage) to reduce costs. Which Google Cloud tool provides recommendations for right-sizing VMs?

A.Cloud Monitoring — set alerts for low CPU utilization.
B.Active Assist Recommender — ML-based VM rightsizing recommendations.
C.Cloud Asset Inventory — lists all VMs and their configurations.
D.Cloud Billing budgets — set spending limits to prevent overspend.
Answer: B

Active Assist analyzes historical VM utilization and recommends specific machine type downgrades (e.g., n2-standard-8 → n2-standard-4) with projected savings. Available in the console and via API.

Why this answer

Google Cloud's Active Assist provides intelligent recommendations including VM rightsizing recommendations. These are powered by ML analysis of actual VM CPU and memory utilization over the past 8 days. The recommendations appear in the Cloud Console (Compute Engine → VM instances → Recommendations) and in the Recommender API.

Rightsizing recommendations suggest optimal machine types based on observed usage, often identifying VMs that can be downsized to save significant costs.

302
Matching · medium

Match each Google Cloud security concept to its description.

Descriptions

Identity and Access Management – fine-grained access control

Key Management Service for encryption keys

DDoS protection and web application firewall

Perimeter security to prevent data exfiltration

Centralized vulnerability and threat monitoring

Why these pairings

Each description maps to one core Google Cloud security service: Identity and Access Management (Cloud IAM) provides fine-grained control over which principal can perform which action on which resource; Cloud Key Management Service (Cloud KMS) creates, rotates and serves encryption keys; Google Cloud Armor provides DDoS protection and a web application firewall in front of external load balancers; VPC Service Controls draws a service perimeter around Google-managed services to prevent data exfiltration; Security Command Center is the centralized vulnerability and threat monitoring console for the organization.

303
Multi-Select · hard

A company is planning to migrate a legacy monolithic Linux application to Google Cloud. They want to minimize changes initially but have the flexibility to modernize later. Which three approaches should they consider?

Select 3 answers
A.Use Cloud Run for stateless containers
B.Replatform to App Engine Flexible Environment
C.Use Migrate for Anthos
D.Refactor to microservices on GKE
E.Rehost on Compute Engine using a custom image
Answers: A, C, E

If the application can be containerized, Cloud Run allows running containers without managing infrastructure, with minimal changes, and offers scalability.

Why this answer

Option A is accepted because, once the monolith is packaged as a container that listens on the port Cloud Run provides and keeps no state on local disk, Cloud Run runs it as-is with no infrastructure to manage and leaves the door open to split it into services later; the containerization itself is the only change required. Option C is correct because Migrate for Anthos (now called Migrate to Containers) converts existing VM-based workloads into containers automatically, without touching application code. Option E is correct because rehosting on Compute Engine with a custom image is the classic lift-and-shift: the same OS and binaries, with no changes at all. Options B and D are wrong because replatforming to App Engine Flexible and refactoring into microservices on GKE both require significant code or architecture work up front, which conflicts with the requirement to minimize initial changes.

Exam trap

Google Cloud often tests the distinction between 'minimal changes' (rehosting or container lift-and-shift) and 'modernization' (refactoring or replatforming), leading candidates to incorrectly select options that require significant code or architecture changes.

304
MCQ · medium

A company uses Cloud SQL for PostgreSQL and needs to run complex analytical queries on the same dataset without affecting the performance of the transactional database. What should they do?

A.Schedule periodic exports to Cloud Storage and query with BigQuery
B.Create read replicas of the Cloud SQL instance and run queries on the replicas
C.Upgrade the Cloud SQL instance to a higher machine type
D.Use BigQuery to directly query Cloud SQL via federated queries
Answer: B

Read replicas offload reads without affecting primary instance performance.

Why this answer

Option B is correct because read replicas serve read-only queries from a copy of the data, so long analytical scans do not consume CPU, memory or I/O on the primary; replication lag means replica results can trail the primary slightly, which is acceptable for analytics. Option A is wrong because periodic exports give BigQuery a stale snapshot rather than a live view of the dataset. Option D is wrong because federated queries still execute on the Cloud SQL instance named in the BigQuery connection, so the analytical load lands on that instance instead of being isolated from it.

Option C is wrong because a larger machine type raises capacity but does not isolate analytical queries from transactional ones; both workloads still contend on the same instance.

305
MCQ · easy

A non-profit organization with limited IT staff wants to use cloud to improve its fundraising and donor management without hiring technology specialists. Which type of cloud service model is most appropriate for this organization's need?

A.Infrastructure as a Service (IaaS), where the organization provisions VMs and installs donor management software
B.Software as a Service (SaaS), where a fully managed donor management application is subscribed to and used without any infrastructure management
C.Platform as a Service (PaaS), where the organization deploys custom-built donor management code
D.Private cloud, where the organization builds its own cloud infrastructure for complete data control
Answer: B

SaaS is the right model. The non-profit subscribes to a ready-to-use donor management application (e.g., Salesforce Nonprofit, Bloomerang, Blackbaud) with no infrastructure to manage. Updates, security, backups, and scaling are all handled by the SaaS provider. The organization's limited IT staff can focus on using the tool, not running it.

Why this answer

Software as a Service (SaaS) is the most appropriate model because it provides a fully managed, ready-to-use donor management application over the internet. The organization's limited IT staff can simply subscribe and use the software without provisioning servers, installing applications, or managing infrastructure, directly addressing the need to avoid hiring technology specialists.

Exam trap

Google Cloud often tests the misconception that IaaS is always the 'foundation' for any cloud solution, but the trap here is that candidates overlook the organization's specific constraint of limited IT staff and choose IaaS, failing to recognize that SaaS eliminates all infrastructure and software management overhead.

How to eliminate wrong answers

Option A is wrong because IaaS requires the organization to provision and manage virtual machines, install the donor management software, and handle OS patching and scaling, which still demands significant IT expertise. Option C is wrong because PaaS requires the organization to write, deploy, and maintain custom code for the donor management application, which necessitates software development skills the organization lacks. Option D is wrong because a private cloud involves building and managing dedicated cloud infrastructure on-premises or hosted, which requires extensive IT staff for hardware, virtualization, and maintenance, contradicting the goal of avoiding technology specialists.

306
MCQ · easy

A developer needs to run a custom analysis script on a large dataset once a month. The script runs for about 10 minutes. They want to avoid provisioning servers and only pay for the actual compute time used. Which Google Cloud compute option should they choose?

A.App Engine Standard Environment
B.Compute Engine preemptible VM
C.Google Kubernetes Engine with a single pod
D.Cloud Functions
Answer: D

Cloud Functions is serverless, executes on demand, and charges only for the compute time each invocation uses.

Why this answer

Cloud Functions is the correct choice because it is a serverless, event-driven compute service that scales to zero when idle and bills only for the time each invocation runs, so a job that executes once a month costs almost nothing and needs no provisioned servers. One caveat on the 10-minute figure: a 1st gen function, and any event-driven function, is capped at a 9-minute timeout, so this script has to be deployed as a 2nd gen HTTP-triggered function (timeout up to 60 minutes) or split into shorter steps. At exam level the point being tested is the pricing and operational model, not the exact limit.

Exam trap

Google Cloud often tests the misconception that serverless options like Cloud Functions cannot handle batch-style tasks. A timeout of 9 minutes (1st gen and event-driven functions) or up to 60 minutes (2nd gen HTTP functions) covers many batch jobs, so candidates incorrectly reach for preemptible VMs or Kubernetes for what is a short, infrequent workload. Do check the workload against the limit, though: the 10-minute script here only fits the 2nd gen HTTP limit.

How to eliminate wrong answers

Option A is wrong because App Engine Standard is a platform for request-serving web applications: the script would have to be wrapped in an app and would still be subject to per-request deadlines, which is the wrong shape for a once-a-month job. Option B is wrong because a preemptible VM must still be provisioned, booted and managed, is billed for its whole uptime rather than for the script's execution, and can be terminated at any time (and always within 24 hours), so a 10-minute run may be cut short. Option C is wrong because Google Kubernetes Engine with a single pod still requires a cluster with running nodes, incurring continuous VM costs and orchestration overhead for a simple monthly script.

307
MCQ · medium

A company's finance team wants to understand why their cloud bills vary significantly month to month, unlike their fixed on-premises IT costs. Which fundamental cloud pricing characteristic explains this variability?

A.Cloud providers change their prices frequently, causing unpredictable costs
B.Consumption-based pricing means cloud costs scale directly with actual usage, unlike fixed on-premises costs
C.Cloud providers apply hidden fees that vary randomly each month
D.Cloud costs are fixed like on-premises costs; the variability must be caused by billing errors
Answer: B

This is the correct explanation. Cloud is utility-like pricing: a compute-heavy month costs more than a quiet month. Finance teams must shift from thinking about fixed IT budgets to variable cost management tied to business activity levels.

Why this answer

Option B is correct because cloud computing operates on a consumption-based (pay-as-you-go) pricing model, where costs are directly tied to the amount of resources consumed (e.g., compute hours, storage GB, data transfer). Unlike fixed on-premises IT costs, which are incurred regardless of actual usage (e.g., hardware depreciation, facility leases), cloud bills fluctuate as usage scales up or down. This fundamental characteristic explains the month-to-month variability observed by the finance team.

Exam trap

Google Cloud often tests the misconception that cloud pricing is unpredictable or error-prone, when in fact the variability is a deliberate feature of consumption-based pricing, not a flaw or hidden fee.

How to eliminate wrong answers

Option A is wrong because published list prices change infrequently and with advance notice (most often as reductions or new tiers), so pricing is stable over the period a bill covers. Option C is wrong because cloud providers publish their pricing models and do not apply hidden fees that vary randomly; every charge is itemized in the billing dashboard against metered usage. Option D is wrong because cloud costs are not fixed like on-premises costs; the variability is a direct result of consumption-based pricing, not of billing errors.

308
MCQ · hard

A data team has an IAM policy on a BigQuery dataset as shown. Alice needs to run a query that joins across multiple datasets. She receives a permission error. What is the most likely cause?

A.The policy denies all users except Bob
B.Alice lacks the jobUser role to run queries
C.Alice does not have permission to read the dataset
D.Bob’s dataOwner role prevents others from querying
Answer: B

Query execution requires jobUser role in addition to data access.

Why this answer

Option B is correct because submitting a query creates a BigQuery job, which requires the `bigquery.jobs.create` permission on the project the job runs in; that permission comes with `roles/bigquery.jobUser` (or the broader `roles/bigquery.user` and `roles/bigquery.admin`). Dataset-level roles such as `roles/bigquery.dataViewer` and `roles/bigquery.dataOwner` only govern access to the data itself. Without a project-level job role, Alice receives a permission error even though she can read every dataset in the join.

Exam trap

The trap here is that candidates assume dataset-level read permission (`roles/bigquery.dataViewer`) is enough to run a query, when BigQuery separately requires a role that grants `bigquery.jobs.create` on the project that the job is billed to.

How to eliminate wrong answers

Option A is wrong because an IAM allow policy can only grant roles; it has no way to exclude everyone except Bob (deny rules live in separate IAM deny policies, and none is shown). Option C is wrong because the error arises when the query job is created, which needs `bigquery.jobs.create`, not only read access on the datasets. Option D is wrong because Bob's `roles/bigquery.dataOwner` grants him control of the dataset but subtracts nothing from other principals; IAM roles are additive.
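The two-level check described above, as an added example that is not part of the question bank: a small model of what BigQuery verifies when a principal submits a query that reads several datasets. The policies are constructed samples in the shape of IAM policy JSON, and the role-to-permission mapping is simplified to the roles relevant here.

```python
"""Added example (not from the question bank): a minimal model of the two
permission checks BigQuery applies to a query job. Project-level IAM must
grant bigquery.jobs.create (roles/bigquery.jobUser, roles/bigquery.user or
roles/bigquery.admin) AND every dataset read must be granted
(roles/bigquery.dataViewer or broader, at dataset or project level).
Policies below are constructed samples; the role sets are simplified."""

# Project-level roles that carry bigquery.jobs.create (simplified list).
JOB_ROLES = {"roles/bigquery.jobUser", "roles/bigquery.user", "roles/bigquery.admin"}
# Roles that allow reading table data (simplified list).
READ_ROLES = {"roles/bigquery.dataViewer", "roles/bigquery.dataEditor",
              "roles/bigquery.dataOwner", "roles/bigquery.admin"}


def roles_for(policy, principal):
    """Return the set of roles bound to a principal in an IAM policy dict."""
    return {b["role"] for b in policy.get("bindings", [])
            if principal in b.get("members", [])}


def check_query_access(project_policy, dataset_policies, principal, datasets):
    """Return the list of missing grants; an empty list means the query may run."""
    missing = []
    project_roles = roles_for(project_policy, principal)
    if not project_roles & JOB_ROLES:
        missing.append("project: bigquery.jobs.create (e.g. roles/bigquery.jobUser)")
    for ds in datasets:
        # Project-level data roles are inherited by every dataset in the project.
        ds_roles = roles_for(dataset_policies.get(ds, {}), principal) | project_roles
        if not ds_roles & READ_ROLES:
            missing.append(f"dataset {ds}: roles/bigquery.dataViewer")
    return missing


# Constructed sample policies: Bob holds a job role at project level,
# Alice only holds dataset-level read roles (the situation in the question).
PROJECT_POLICY = {
    "bindings": [
        {"role": "roles/bigquery.jobUser", "members": ["user:bob@example.com"]},
    ]
}
DATASET_POLICIES = {
    "sales": {"bindings": [
        {"role": "roles/bigquery.dataViewer",
         "members": ["user:alice@example.com", "user:bob@example.com"]},
    ]},
    "finance": {"bindings": [
        {"role": "roles/bigquery.dataOwner", "members": ["user:bob@example.com"]},
        {"role": "roles/bigquery.dataViewer", "members": ["user:alice@example.com"]},
    ]},
}


def check_sample(principal):
    """Evaluate a principal against the constructed policies for a two-dataset join."""
    return check_query_access(PROJECT_POLICY, DATASET_POLICIES, principal,
                              ["sales", "finance"])


if __name__ == "__main__":
    for who in ("user:alice@example.com", "user:bob@example.com"):
        print(who, "->", check_sample(who) or "query allowed")
```

The fix for Alice is a project-level grant (`gcloud projects add-iam-policy-binding PROJECT --member=user:alice@example.com --role=roles/bigquery.jobUser`), not a wider dataset role; the job role carries no data access, which is what keeps the two concerns separable.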

309
MCQ · medium

A media company has a web application that serves video content globally. The application is deployed on Compute Engine instances behind a TCP load balancer in a single region. Users in distant regions experience high latency. The company wants to improve performance for all users while keeping operational overhead low. They also need to handle sudden spikes in traffic during live events. What should they do?

A.Deploy additional instances in multiple regions and use a global HTTP(S) load balancer with Cloud CDN.
B.Use Cloud Run for the application and enable automatic scaling globally.
C.Move the application to Google Kubernetes Engine and use horizontal pod autoscaling.
D.Increase the machine type of existing instances and add more instances in the same region.
Answer: A

Reduces latency and handles traffic spikes globally.

Why this answer

Option A is correct because deploying instances in multiple regions behind a global external HTTP(S) load balancer with Cloud CDN reduces latency in two ways: the load balancer's single anycast IP routes each user to the nearest healthy backend region, and Cloud CDN serves cacheable video segments from Google's edge points of presence (PoPs) without touching the backends at all. Spikes during live events are absorbed by the CDN cache together with autoscaling managed instance groups in each region, with little operational overhead.

Exam trap

The trap here is that candidates may think Cloud Run or GKE with autoscaling alone can solve global latency, but they overlook the need for multi-region deployment and edge caching, which are essential for reducing geographic latency and handling global traffic spikes with low operational overhead.

How to eliminate wrong answers

Option B is wrong because Cloud Run is a regional service; serving it from several regions means deploying to each region and fronting them with a global load balancer through serverless NEGs, and on its own it adds no edge caching, so it does not meet the low-overhead requirement as stated. Option C is wrong because moving to Google Kubernetes Engine with horizontal pod autoscaling only addresses scaling within a single cluster and does not solve global latency or provide multi-region load balancing without additional complex configuration. Option D is wrong because increasing machine types and adding instances in the same region does not reduce latency for distant users; it only improves capacity within that single region, failing to address geographic distance.

310
MCQ · medium

A company's PostgreSQL database has grown to 50 TB and their application requires near-zero downtime, automatic failover, and the ability to scale reads horizontally without the migration complexity of switching to Spanner. Which Google Cloud database product is specifically designed as a fully managed, highly scalable PostgreSQL-compatible database?

A.Cloud SQL (PostgreSQL)
B.AlloyDB for PostgreSQL
C.Cloud Spanner
D.Bare metal PostgreSQL on Compute Engine
Answer: B

AlloyDB provides full PostgreSQL compatibility with enterprise-grade performance (Google's published figures claim roughly 4× faster transactional and up to 100× faster analytical queries than standard PostgreSQL), a 99.99% availability SLA, and horizontal read scaling through read pools, without changing application code.

Why this answer

AlloyDB for PostgreSQL is a fully managed, PostgreSQL-compatible database service designed for high scalability, near-zero downtime, and automatic failover. It separates compute and storage to enable horizontal read scaling with read pools, and it uses a columnar engine for analytical acceleration, making it ideal for large workloads like 50 TB without the migration complexity of Spanner.

Exam trap

The trap here is that candidates confuse Cloud SQL's PostgreSQL offering with AlloyDB's PostgreSQL compatibility, overlooking Cloud SQL's storage and scaling limitations for large, high-availability workloads.

How to eliminate wrong answers

Option A is wrong because Cloud SQL for PostgreSQL has a per-instance storage ceiling (30 TB in older documentation, 64 TB now), scales reads only through individually addressed read replicas, and its high-availability failover interrupts connections rather than offering the near-zero-downtime, pooled read scaling AlloyDB provides. Option C is wrong because Cloud Spanner, even with its PostgreSQL interface, supports a subset of PostgreSQL and needs schema and application changes, so it is not a drop-in migration from PostgreSQL semantics. Option D is wrong because bare metal PostgreSQL on Compute Engine is not a fully managed service; it requires manual configuration for failover, scaling, and maintenance, and does not provide the automatic, near-zero downtime capabilities specified.

311
Drag &amp; Drop · medium

Drag and drop the steps to recover a Compute Engine VM from a snapshot in the correct order.


Why this order

The recovery process rebuilds the boot disk from the snapshot and swaps it into the VM:

1. Create a new persistent disk from the snapshot.
2. Stop the VM (a boot disk cannot be detached from a running instance).
3. Detach the old boot disk.
4. Attach the new disk as the boot disk.
5. Start the VM.

312
MCQ · hard

A machine learning team wants to train, evaluate, deploy, and monitor ML models in a unified platform without managing infrastructure, and with built-in support for experiment tracking, model versioning, and A/B testing between model versions. Which Google Cloud product provides this end-to-end managed ML platform?

A.BigQuery ML, for training and deploying ML models using SQL within BigQuery
B.Vertex AI, Google Cloud's unified ML platform covering training, experiment tracking, model registry, deployment, and monitoring in a single managed service
C.Cloud Dataproc, for running distributed Spark ML jobs on managed Hadoop clusters
D.Cloud Functions, for deploying ML inference code as serverless functions
Answer: B

Vertex AI is the complete answer. It provides: managed training (custom containers or AutoML), Vertex AI Experiments (experiment tracking and comparison), Vertex AI Model Registry (version management), Vertex AI Endpoints (serving with traffic splitting for A/B testing), and Model Monitoring (data drift and skew detection). This is Google Cloud's end-to-end ML platform.

Why this answer

Vertex AI is Google Cloud's unified ML platform that provides an end-to-end managed service for training, evaluating, deploying, and monitoring ML models without requiring infrastructure management. It includes built-in experiment tracking, a model registry for versioning, and supports A/B testing between model versions, directly matching the question's requirements.

Exam trap

The trap here is that candidates may confuse BigQuery ML's SQL-based model training with a full ML platform, overlooking its lack of experiment tracking, model versioning, and A/B testing capabilities that Vertex AI provides.

How to eliminate wrong answers

Option A is wrong because BigQuery ML is limited to training and deploying models using SQL within BigQuery, lacking built-in experiment tracking, model versioning, and A/B testing capabilities for custom ML workflows. Option C is wrong because Cloud Dataproc is a managed Spark and Hadoop service for distributed data processing, not a unified ML platform with experiment tracking, model registry, or A/B testing features. Option D is wrong because Cloud Functions is a serverless compute service for event-driven code execution, not designed for ML model training, experiment tracking, or A/B testing between model versions.

313
MCQ · hard

An organization uses Security Command Center (SCC) premium tier and wants to automatically remediate a specific finding type by disabling public access to Cloud Storage buckets. What is the recommended approach?

A.Use Cloud Pub/Sub alone to listen for SCC findings and then manually remediate
B.Use IAM to deny all users except project owners from making buckets public
C.Set up a Cloud Function triggered by SCC findings to remove public access
D.Configure a Cloud Scheduler job to run a script that checks and removes public access
Answer: C

SCC can publish findings to Pub/Sub, which triggers a Cloud Function to remediate.

Why this answer

Option C is correct because Security Command Center can publish findings that match a filter to a Pub/Sub topic through a notification config, and a Cloud Function subscribed to that topic runs on every new finding. The function reads the finding's resourceName (`//storage.googleapis.com/BUCKET`), fetches the bucket's IAM policy and writes it back without the `allUsers` and `allAuthenticatedUsers` members; the function's service account needs `storage.buckets.getIamPolicy` and `storage.buckets.setIamPolicy` on the affected buckets. This gives event-driven remediation with no manual step. Because that service account holds write access to bucket policies, scope it to the projects in question and log every change it makes.

Exam trap

Google Cloud often tests the distinction between event-driven automation (Cloud Functions + Pub/Sub) and scheduled or manual approaches, so candidates mistakenly choose Cloud Scheduler or IAM deny policies because they think 'automation' means periodic checks or preventive controls, rather than reactive, real-time remediation.

How to eliminate wrong answers

Option A is wrong because using Cloud Pub/Sub alone only delivers the finding notification; it does not perform any remediation action, so manual steps are still required, which defeats the goal of automation. Option B is wrong because an IAM policy cannot express "making a bucket public" as distinct from any other policy edit, and in any case it does nothing about buckets that are already public; the preventive control for this is the organization policy constraint `constraints/storage.publicAccessPrevention`, which complements, but does not replace, remediation of existing findings. Option D is wrong because Cloud Scheduler runs on a fixed schedule, not in response to SCC findings, so it introduces latency and cannot provide real-time remediation when a finding is generated.
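The remediation path described above, as an added example that is neither the question bank's nor Google's sample code: the core of a Pub/Sub-triggered Cloud Function (1st gen background-function event shape) that decodes an SCC finding notification and strips public bindings from the named bucket. The finding category `PUBLIC_BUCKET_ACL` is a real Security Health Analytics category, but the notification message, bucket policy and config name below are constructed, and the Cloud Storage get/set IAM calls are passed in as callables so the logic runs offline (in production pass `bucket.get_iam_policy` and `bucket.set_iam_policy` from the google-cloud-storage client).

```python
"""Added example (not from the question bank, not Google's sample code): the
decision logic of an SCC -> Pub/Sub -> Cloud Function remediation for public
Cloud Storage buckets. Assumptions: 1st gen Pub/Sub event shape, only the
PUBLIC_BUCKET_ACL category is remediated, and get_policy/set_policy are
injected so the code can be exercised without Google Cloud credentials."""
import base64
import json

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
REMEDIATED_CATEGORIES = {"PUBLIC_BUCKET_ACL"}   # assumption: scope of this function
RESOURCE_PREFIX = "//storage.googleapis.com/"    # SCC resourceName form for buckets


def bucket_from_finding(finding):
    """Map an SCC finding to a bucket name, or None if it is out of scope."""
    if finding.get("state") != "ACTIVE":          # ignore resolved (INACTIVE) findings
        return None
    if finding.get("category") not in REMEDIATED_CATEGORIES:
        return None
    name = finding.get("resourceName", "")
    if not name.startswith(RESOURCE_PREFIX):
        return None
    return name[len(RESOURCE_PREFIX):]


def strip_public_bindings(policy):
    """Return (bindings, changed): the policy's bindings minus public principals."""
    new_bindings, changed = [], False
    for binding in policy.get("bindings", []):
        original = binding.get("members", [])
        members = [m for m in original if m not in PUBLIC_MEMBERS]
        if len(members) != len(original):
            changed = True
        if members:                               # drop bindings left with no members
            new_bindings.append({**binding, "members": members})
    return new_bindings, changed


def handle_pubsub_event(event, get_policy, set_policy):
    """Entry point: decode the notification, remediate, report what happened."""
    payload = json.loads(base64.b64decode(event["data"]).decode("utf-8"))
    bucket = bucket_from_finding(payload.get("finding", {}))
    if bucket is None:
        return {"bucket": None, "changed": False}
    policy = get_policy(bucket)
    bindings, changed = strip_public_bindings(policy)
    if changed:
        # Keep the etag so the write fails instead of clobbering a concurrent edit.
        set_policy(bucket, {**policy, "bindings": bindings})
    return {"bucket": bucket, "changed": changed}


# Constructed sample: an in-memory bucket policy and an SCC notification message.
SAMPLE_POLICIES = {
    "example-public-bucket": {
        "etag": "CAE=",
        "bindings": [
            {"role": "roles/storage.objectViewer",
             "members": ["allUsers", "user:admin@example.com"]},
            {"role": "roles/storage.admin", "members": ["user:admin@example.com"]},
        ],
    }
}
SAMPLE_FINDING = {
    "notificationConfigName": "organizations/123/notificationConfigs/public-buckets",
    "finding": {
        "category": "PUBLIC_BUCKET_ACL",
        "state": "ACTIVE",
        "resourceName": "//storage.googleapis.com/example-public-bucket",
    },
}
SAMPLE_EVENT = {"data": base64.b64encode(json.dumps(SAMPLE_FINDING).encode()).decode()}


def remediate_sample():
    """Run the handler against the sample and return (result, resulting policy)."""
    store = {k: dict(v) for k, v in SAMPLE_POLICIES.items()}
    result = handle_pubsub_event(SAMPLE_EVENT, store.__getitem__, store.__setitem__)
    return result, store["example-public-bucket"]


if __name__ == "__main__":
    print(remediate_sample())
```

This is reactive by design: it closes the exposure after SCC has seen it. Pair it with the `constraints/storage.publicAccessPrevention` organization policy so new public grants are rejected up front, and keep the function's service account limited to the buckets it may touch.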

314
Matching · medium

Match each Google Cloud service to its primary use case.

Descriptions

Virtual machines (IaaS)

Unstructured object storage

Serverless data warehouse

Serverless container platform

Event-driven serverless functions

Why these pairings

Each description maps to one core Google Cloud service: Compute Engine provides virtual machines (IaaS); Cloud Storage is the unstructured object store; BigQuery is the serverless data warehouse; Cloud Run is the serverless container platform; Cloud Functions runs event-driven serverless functions.

315
MCQ · medium

A company is planning a cloud migration and wants to understand the difference between 'lift and shift' and 'cloud-native' approaches. Which statement correctly distinguishes these two migration strategies?

A.Lift and shift uses containers; cloud-native uses virtual machines.
B.Lift and shift moves applications to the cloud with minimal changes; cloud-native re-architects applications to leverage cloud-specific features and managed services.
C.Lift and shift is only possible for new applications; cloud-native is for existing applications.
D.Lift and shift costs more long-term; cloud-native costs more short-term due to licensing.
Answer: B

Lift and shift is fast with minimal changes but doesn't fully leverage cloud. Cloud-native requires more effort but maximizes benefits like autoscaling, managed databases, and serverless.

Why this answer

Option B is correct because 'lift and shift' (rehosting) involves moving applications to the cloud with minimal or no changes, often using Infrastructure as a Service (IaaS) to replicate the on-premises environment. In contrast, 'cloud-native' (re-architecting) redesigns applications to use cloud-specific features like auto-scaling, managed databases, and serverless compute, fully leveraging the cloud's elasticity and pay-as-you-go model.

Exam trap

The trap here is that candidates often confuse the tools (containers vs. VMs) with the strategy, assuming lift and shift always uses containers and cloud-native uses VMs, when in fact the opposite is true for typical implementations.

How to eliminate wrong answers

Option A is wrong because lift and shift typically uses virtual machines (VMs) to replicate on-premises infrastructure, not containers; cloud-native applications often use containers (e.g., Docker) and orchestration (e.g., Kubernetes) for microservices, not VMs. Option C is wrong because lift and shift is primarily used for existing legacy applications to migrate quickly, while cloud-native is often applied to new applications but can also involve re-architecting existing ones. Option D is wrong because lift and shift can lead to higher long-term costs due to inefficient resource utilization and licensing, while cloud-native may have higher initial development costs but lower operational costs over time due to optimized resource usage and managed services.

316
MCQ · medium

A company uses Google Workspace for identity. They want employees to use their Google Workspace credentials to access third-party applications (Salesforce, Slack, etc.) without separate passwords for each app. Which technology enables this?

A.VPN — employees connect to the corporate VPN which provides access to all apps.
B.Single Sign-On (SSO) using SAML 2.0 or OIDC with Google Workspace as the Identity Provider.
C.Cloud Armor — blocks unauthorized access attempts to applications.
D.Shared service account — all employees use the same credential.
Answer: B

Google Workspace as IdP federates identity to third-party apps via SAML 2.0 or OIDC. Employees authenticate once with their Google credentials and access all federated apps without separate passwords.

Why this answer

Option B is correct because Single Sign-On (SSO) using SAML 2.0 or OIDC allows Google Workspace to act as the Identity Provider (IdP), issuing authentication tokens that third-party applications (like Salesforce and Slack) trust. This eliminates the need for separate passwords, as users authenticate once with Google Workspace and the IdP handles subsequent access via security assertions or ID tokens.

Exam trap

Google Cloud often tests the distinction between network-level access (VPN) and identity-level federation (SSO), so candidates mistakenly choose VPN because they think it 'provides access to all apps' without realizing it does not solve the separate-password problem.

How to eliminate wrong answers

Option A is wrong because a VPN provides network-layer access to corporate resources but does not eliminate separate application passwords; users still need to authenticate to each app individually. Option C is wrong because Cloud Armor is a web application firewall and DDoS protection service that blocks malicious traffic at the edge, not an identity federation or SSO technology. Option D is wrong because a shared service account violates the principle of least privilege and non-repudiation; all employees using the same credential would create severe security and audit issues, and it does not enable passwordless access to third-party apps.

317
MCQ · easy

A manufacturing company wants to use sensor data from equipment to predict failures before they happen, reducing downtime. How does cloud technology enable this transformation?

A.By using edge computing to store all data locally
B.By setting up monitoring alerts for equipment failure
C.By migrating all data to a data warehouse for batch analysis
D.By offering IoT Core and AI Platform to collect data and build predictive models
Answer: D

Managed services for device data ingestion (IoT Core, at the time this question was written) and managed machine learning (AI Platform, now Vertex AI) let the company collect sensor data at scale and train predictive models without building that infrastructure itself. Note that Google retired IoT Core in August 2023 and folded AI Platform into Vertex AI; the exam point is the pattern (managed ingestion plus managed ML), not the product names.

Why this answer

Cloud provides scalable data ingestion, storage, and advanced analytics (AI/ML) to process IoT data for predictive maintenance. Option A is wrong because edge computing serves low-latency local processing and is not the core enabler of prediction; storing all data locally also works against training models on the full dataset. Option B is wrong because monitoring alerts are reactive, firing after a failure, not predictive.

Option C is wrong because batch analysis in a data warehouse is not by itself predictive and does not act on live sensor data in time to prevent failures.

318
MCQ · medium

A company wants to migrate its existing on-premises virtual machines (VMware VMs) to Google Cloud with minimal changes to the operating system and applications. Which Google Cloud product is specifically designed for migrating on-premises VMs to Google Cloud with minimal modification?

A.Migrate to Virtual Machines (formerly Velostrata), which migrates on-premises VMware VMs to Compute Engine with minimal modification and downtime
B.Cloud Dataflow, by streaming data from on-premises VMs to Google Cloud storage
C.Anthos, by registering on-premises Kubernetes clusters with Google Cloud's management plane
D.Cloud Storage Transfer Service, by copying VM disk images from on-premises storage to Cloud Storage
Answer: A

Migrate to Virtual Machines is the purpose-built service for this. It migrates VMs from VMware (and other sources) to Compute Engine, performing the guest OS adaptation needed to boot on Compute Engine automatically and leaving the applications untouched. The 'minimal changes' requirement is the defining characteristic: it is a lift-and-shift migration tool.

Why this answer

Migrate to Virtual Machines (formerly Velostrata) is the correct choice because it is specifically designed to migrate on-premises VMware VMs to Compute Engine with minimal modification to the OS and applications. It uses a streaming migration approach that moves the VM's disk state incrementally while keeping the VM running, resulting in minimal downtime and no need to re-architect the workloads.

Exam trap

Google Cloud often tests the distinction between general-purpose data transfer or processing services (like Dataflow or Storage Transfer Service) and specialized migration tools, tempting candidates to pick a familiar service that sounds plausible but lacks the specific VM migration capability.

How to eliminate wrong answers

Option B is wrong because Cloud Dataflow is a stream and batch data processing service, not a VM migration tool; it cannot migrate entire VMs with their OS and applications intact. Option C is wrong because Anthos focuses on managing Kubernetes clusters across environments, not on migrating individual VMware VMs with minimal modification. Option D is wrong because Cloud Storage Transfer Service is designed for bulk data transfers to Cloud Storage, not for live VM migration; it would require manual disk image creation and does not handle OS/application state or minimize downtime.

319
MCQ · medium

A startup needs to quickly deploy a web application with minimal infrastructure management. They want to focus on code, not servers. Which Google Cloud service model is most appropriate?

A.Software as a Service (SaaS) using Gmail
B.Function as a Service (FaaS) using Cloud Functions
C.Infrastructure as a Service (IaaS) using Compute Engine
D.Platform as a Service (PaaS) using App Engine
Answer: D

App Engine automatically scales and manages the runtime environment, allowing developers to focus solely on code.

Why this answer

App Engine is a fully managed Platform as a Service (PaaS) that abstracts away the underlying infrastructure, allowing developers to deploy web applications without managing servers or operating systems. It automatically handles scaling, load balancing, and patching, which aligns with the startup's requirement to focus on code rather than infrastructure management.

Exam trap

Google Cloud often tests the distinction between PaaS and FaaS by presenting a scenario that requires a full web application, where candidates mistakenly choose FaaS (Cloud Functions) because they confuse 'serverless' with 'no infrastructure management,' ignoring that FaaS is unsuitable for long-running HTTP applications with stateful sessions.

How to eliminate wrong answers

Option A is wrong because Gmail is a Software as a Service (SaaS) application, not a service model for deploying custom web applications; it provides no platform for code deployment or customization. Option B is wrong because Cloud Functions is a Function as a Service (FaaS) designed for event-driven, stateless functions, not for hosting a complete web application with persistent HTTP routing and session management. Option C is wrong because Compute Engine is Infrastructure as a Service (IaaS) that requires manual provisioning, configuration, and management of virtual machines, which contradicts the goal of minimizing infrastructure management.

320
MCQeasy

Refer to the exhibit. A security administrator reviews this Cloud Audit Logs entry. What does this entry indicate?

A.The user attempted to read the object 'secret.pdf' and the request resulted in an error.
B.The user updated the IAM policy on the bucket.
C.The user attempted to delete the object 'secret.pdf'.
D.The user successfully read the object 'secret.pdf'.
AnswerA

The method is 'get' and severity ERROR shows a failed read attempt.

Why this answer

Option A is correct because the entry records a 'storage.objects.get' call by user@example.com against the resource name of the object 'secret.pdf', which is a read request, and its severity is ERROR, which means the request did not succeed. Together these identify a failed read attempt. The exhibit does not show the specific status code (for example, a permission-denied or a 404 not-found response), so the entry can only be interpreted as an attempt to read the object that resulted in an error, not as a completed read.

How to eliminate wrong answers

Option B is wrong because the method is 'storage.objects.get', not 'setIamPolicy'; no IAM policy change on the bucket is recorded. Option C is wrong because the method is 'get', not 'delete'. Option D is wrong because the severity ERROR indicates the request failed; a successful read would be logged at a lower severity.

321
MCQhard

A global gaming company uses Cloud Spanner for their leaderboard. They notice that write latency spikes during peak hours. The database is currently deployed in a single region. Which scaling strategy should they implement to reduce write latency globally?

A.Use Cloud Spanner multi-region configuration.
B.Implement application-level caching with Memorystore.
C.Change to Cloud Bigtable for higher throughput.
D.Add more nodes to the existing Spanner instance.
AnswerA

A multi-region configuration places replicas in multiple regions, enabling lower write latency by allowing writes to be committed closer to users.

Why this answer

Cloud Spanner's multi-region configuration is designed to reduce write latency for globally distributed users by placing write-capable replicas in multiple geographic regions. This allows writes to be committed at the nearest replica, leveraging Spanner's TrueTime and Paxos-based replication to maintain strong consistency across regions. A single-region deployment forces all writes to a single location, causing high latency for distant clients during peak hours.

Exam trap

Google Cloud often tests the misconception that scaling a database horizontally by adding nodes always reduces latency, but in a single-region Spanner setup, adding nodes only increases throughput and storage, not geographic proximity, which is the root cause of high write latency for global users.

How to eliminate wrong answers

Option B is wrong because application-level caching with Memorystore does not reduce write latency to the database; it only improves read performance for cached data, and writes still must go to the single-region Spanner instance. Option C is wrong because Cloud Bigtable is optimized for high-throughput, low-latency reads and writes for analytical workloads, but it does not support strong transactional consistency or SQL queries, making it unsuitable for a leaderboard that requires real-time, consistent updates. Option D is wrong because adding more nodes to the existing single-region Spanner instance increases throughput and storage capacity but does not reduce write latency for clients far from that region; the write path still requires consensus across replicas in the same geographic location.

322
Matchingmedium

Match each Google Cloud AI/ML term to its definition.


Concepts
Matches

Unified ML platform for building and deploying models

Train custom models with minimal code

Natural language understanding for chatbots

Image recognition and analysis

Text analysis and entity extraction

Why these pairings

These are key AI/ML offerings in Google Cloud.

323
MCQeasy

Google Cloud's operations suite includes Cloud Monitoring for metrics. What is the difference between 'monitoring' and 'observability' in cloud operations?

A.Monitoring and observability are identical terms — both describe collecting and analyzing system metrics.
B.Monitoring tracks predefined metrics and alerts on known conditions; observability is the system property enabling engineers to understand any internal state from its outputs (metrics, logs, traces).
C.Monitoring is for production; observability is for development and testing environments.
D.Observability only applies to AI systems; monitoring is for traditional applications.
AnswerB

Monitoring answers 'Is X above threshold?' Observability answers 'Why is the system behaving unexpectedly?' — requiring metrics, logs, and traces working together to illuminate unknown failure modes.

Why this answer

Option B is correct because monitoring and observability are distinct concepts in cloud operations. Monitoring involves tracking predefined metrics and setting alerts for known failure conditions, while observability is a system property that allows engineers to understand any internal state by analyzing outputs like metrics, logs, and traces. In Google Cloud, Cloud Monitoring provides monitoring capabilities, but achieving true observability requires integrating Cloud Logging and Cloud Trace to explore unknown issues.

Exam trap

Google Cloud often tests the misconception that monitoring and observability are interchangeable terms, but the trap here is that monitoring is reactive to known conditions, while observability is a proactive property for diagnosing unknown issues.

How to eliminate wrong answers

Option A is wrong because monitoring and observability are not identical; monitoring is a subset of observability, focusing on known metrics, whereas observability enables exploration of unknown states. Option C is wrong because observability is not limited to development and testing; it is critical in production to debug complex, unpredictable issues. Option D is wrong because observability applies to all systems, not just AI, and monitoring is used across all application types, not just traditional ones.

324
MCQhard

An organization's leadership wants to foster a 'fail fast' culture to accelerate innovation. A cloud environment directly supports this culture by enabling which specific capability that on-premises infrastructure could not economically provide?

A.Cloud provides better project management tools for tracking experiments.
B.Cloud's on-demand provisioning allows teams to spin up and tear down experiment environments in minutes, making the cost of a failed experiment near-zero.
C.Cloud providers guarantee that experiments will succeed because Google engineers review them.
D.Cloud includes built-in A/B testing frameworks for all applications.
AnswerB

Experiments that fail on cloud cost only the hours they ran. On-premises, failed experiments wasted weeks of procurement effort and hardware budget. Cloud makes failure cheap, enabling faster learning.

Why this answer

Option B is correct because cloud's on-demand provisioning enables rapid creation and teardown of isolated environments via APIs (e.g., AWS CloudFormation, Azure Resource Manager), reducing the cost and time of failed experiments to near-zero. This directly supports a 'fail fast' culture by removing the capital expense and provisioning delays inherent in on-premises infrastructure, where hardware procurement and setup can take weeks.

Exam trap

The trap here is that candidates confuse 'fail fast' with project management or testing frameworks, missing the core cloud differentiator: on-demand, low-cost resource elasticity that makes experimentation economically viable.

How to eliminate wrong answers

Option A is wrong because project management tools (e.g., Jira, Trello) are software applications that can run on any infrastructure, not a unique cloud capability; they do not inherently accelerate experimentation cycles. Option C is wrong because cloud providers do not guarantee experiment success; they offer SLAs for uptime and performance, but code logic and experimental outcomes remain the customer's responsibility. Option D is wrong because cloud platforms do not include built-in A/B testing frameworks for all applications; such frameworks (e.g., Google Optimize, AWS Evidently) are optional services that must be explicitly configured and are not inherent to the cloud environment.

325
MCQmedium

A company is evaluating whether to use a content delivery network (CDN) for its e-commerce website. Which scenario would most benefit from CDN implementation?

A.A small business whose customers are all located within 10 kilometers of the company's single data center
B.An e-commerce site with global customers that serves high-resolution product images and videos, where page load speed directly affects conversion rates
C.A real-time financial trading application that requires unique, uncacheable price data delivered to a single city's traders
D.An internal HR system used exclusively by employees in the company's headquarters
AnswerB

This is the ideal CDN scenario: geographically distributed users, highly cacheable content (product images and videos), and a business metric (conversion rate) that is demonstrably sensitive to latency. CDN edges serve cached content locally, dramatically reducing page load times for international visitors.

Why this answer

Option B is correct because a CDN caches static content like high-resolution images and videos at edge servers geographically closer to users, reducing latency and improving page load speed. For an e-commerce site with global customers, faster load times directly boost conversion rates, making CDN implementation highly beneficial.

Exam trap

Google Cloud often tests the misconception that CDNs are a universal performance solution, but the trap here is that CDNs only benefit cacheable, static, or geographically distributed content, not real-time or localized traffic.

How to eliminate wrong answers

Option A is wrong because customers are all within 10 km of a single data center, so latency is already minimal and a CDN would provide negligible benefit. Option C is wrong because real-time financial trading data is unique and uncacheable, so a CDN cannot serve stale or cached content, and the single-city user base doesn't require global distribution. Option D is wrong because an internal HR system used only by employees at headquarters has no geographic distribution or performance issues that a CDN would solve.

326
MCQmedium

Google's physical data center security includes multiple layers of protection. Which of the following is NOT a physical security measure Google uses at its data centers?

A.Biometric authentication and badge access controls at multiple security perimeters.
B.24/7 on-site security personnel who monitor the facility continuously.
C.Customers can schedule tours of Google data centers to verify security practices directly.
D.Secure hardware destruction procedures for decommissioned storage devices.
AnswerC

Google data centers are not open to customer tours — they are high-security facilities with strict access controls. Google provides third-party audit reports (ISO 27001, SOC 2) as security verification instead of physical tours.

Why this answer

Option C is correct because Google does not offer public tours of its data centers. Allowing customers to schedule tours would introduce unnecessary security risks and is not part of Google's physical security model. Instead, Google provides transparency through third-party audit reports and certifications (e.g., SOC 2, ISO 27001) to verify security practices.

Exam trap

Google Cloud often tests the misconception that Google offers data center tours as a transparency measure, but in reality, Google relies on independent third-party audits and certifications rather than allowing physical access to customers.

How to eliminate wrong answers

Option A is wrong because biometric authentication and badge access controls are indeed used by Google at multiple security perimeters, including the outer fence, building entrance, and server floor doors. Option B is wrong because 24/7 on-site security personnel are a standard physical security measure at Google data centers, monitoring CCTV and responding to incidents. Option D is wrong because secure hardware destruction procedures, such as degaussing, shredding, or pulverizing decommissioned storage devices, are a critical part of Google's data sanitization process to prevent data recovery.

327
MCQeasy

A company wants to reduce its Google Cloud costs without reducing its workload capacity. The team identifies that several production VMs consistently use less than 30% of their allocated CPU and memory. What is the most straightforward cost optimization action?

A.Delete the under-utilized VMs since low utilization indicates they are no longer needed
B.Right-size the VMs by migrating to smaller machine types that match actual CPU and memory consumption, reducing costs proportionally
C.Purchase Committed Use Discounts for the over-provisioned VMs to reduce their per-hour cost
D.Enable sustained use discounts by ensuring VMs run continuously throughout the month
AnswerB

Right-sizing is the direct action. If VMs use 30% of their resources, a smaller machine type that provides the resources actually needed (with some headroom for spikes) costs significantly less. Active Assist proactively surfaces right-sizing recommendations with projected savings.

Why this answer

Right-sizing VMs by migrating to smaller machine types that match actual CPU and memory consumption directly reduces the cost per hour while maintaining the same workload capacity. Since the VMs are consistently under-utilized, this approach eliminates wasted resources without affecting performance or availability.

Exam trap

Google Cloud often tests the misconception that deleting under-utilized VMs is the simplest cost-saving action, but the question explicitly states workload capacity must be maintained, making right-sizing the correct approach.

How to eliminate wrong answers

Option A is wrong because deleting under-utilized VMs would reduce workload capacity, contradicting the requirement to maintain capacity; low utilization does not mean the VMs are unnecessary. Option C is wrong because Committed Use Discounts (CUDs) reduce the per-hour cost of existing machine types but do not address the root cause of over-provisioning; you would still pay for unused capacity. Option D is wrong because sustained use discounts are automatically applied for VMs running >25% of a month and do not require enabling; they also do not reduce costs from over-provisioned resources.

328
MCQmedium

You are monitoring Compute Engine instances with Cloud Monitoring. You notice that autoscaling is not triggering even though CPU utilization is above 80% for several minutes. The managed instance group has autoscaling based on CPU utilization with a target of 0.8. What is the most likely cause?

A.The maximum number of instances is already reached.
B.The autoscaler is disabled.
C.The minimum number of instances is set too high.
D.The cool-down period is too long.
AnswerA

If the instance group has reached its max size, the autoscaler cannot add more instances, so it will not trigger.

Why this answer

The most likely cause is that the managed instance group has already reached its configured maximum number of instances. When the maximum instance count is hit, the autoscaler cannot add more instances even if CPU utilization exceeds the target of 0.8 (80%). This is a common boundary condition in autoscaling logic where the scaling policy is overridden by the hard limit.

Exam trap

The trap here is that candidates often focus on the CPU target and cool-down settings, overlooking the hard boundary of the maximum instance count, which is a fundamental constraint in autoscaling logic.

How to eliminate wrong answers

Option B is wrong because if the autoscaler were disabled, no scaling events would occur at all, but the question states that autoscaling is not triggering despite high CPU, implying the autoscaler is enabled but blocked. Option C is wrong because a high minimum number of instances would cause the autoscaler to keep instances running, not prevent it from scaling up; it would actually ensure a baseline, not block scaling. Option D is wrong because a long cool-down period delays scaling actions but does not permanently prevent them; after the cool-down expires, the autoscaler would still trigger if CPU remains high.

329
MCQmedium

A healthcare organization wants to build an application that ingests FHIR-formatted patient records from multiple hospital systems, normalizes them, and makes them queryable by clinical researchers. Which Google Cloud service is purpose-built for healthcare data interoperability?

A.BigQuery — store FHIR JSON records and query them with SQL.
B.Cloud Healthcare API with FHIR store support.
C.Cloud SQL — store patient records in a relational schema.
D.Google Forms — collect patient data directly from hospitals via web forms.
AnswerB

Cloud Healthcare API natively supports FHIR R4, HL7v2, and DICOM. It provides a standards-compliant API layer for clinical data ingestion, normalization, and research access with built-in de-identification.

Why this answer

The Cloud Healthcare API with FHIR store support is purpose-built for healthcare data interoperability because it natively handles FHIR (Fast Healthcare Interoperability Resources) standards, including resource validation, versioning, and search. It provides a managed service that ingests, normalizes, and stores FHIR-formatted patient records from multiple hospital systems, enabling secure querying by clinical researchers without requiring custom ETL pipelines.

Exam trap

Google Cloud often tests the misconception that any database (like BigQuery or Cloud SQL) can serve as a healthcare interoperability solution, but the trap here is that only the Cloud Healthcare API with FHIR store provides the native FHIR protocol support, validation, and compliance features required for healthcare data exchange.

How to eliminate wrong answers

Option A is wrong because BigQuery is a data warehouse for analytical queries, not a purpose-built healthcare interoperability service; it lacks native FHIR resource validation, versioning, and search capabilities, and storing raw FHIR JSON there would require custom parsing and normalization. Option C is wrong because Cloud SQL is a managed relational database service that does not support FHIR standards natively; storing patient records in a relational schema would require extensive schema design and mapping, defeating the purpose of interoperability. Option D is wrong because Google Forms is a survey tool for collecting user input via web forms, not designed for ingesting structured FHIR data from hospital systems; it cannot handle FHIR resource validation, API-based ingestion, or secure healthcare data exchange.

330
MCQmedium

A company currently uses Hadoop and Spark for batch data processing on a large on-premises cluster. They want to migrate these workloads to Google Cloud with minimal rewriting of existing Spark and Hadoop jobs. Which Google Cloud service is the best fit?

A.Cloud Dataflow — it runs all Spark and Hadoop jobs natively.
B.Cloud Dataproc — managed Apache Spark and Hadoop with minimal code changes.
C.BigQuery — it runs Spark SQL queries via BigQuery Spark stored procedures.
D.Google Kubernetes Engine — deploy Spark clusters on Kubernetes.
AnswerB

Dataproc runs native Spark, Hadoop, Hive, and Pig workloads. Existing jobs can be migrated with minimal changes by pointing them at Dataproc clusters and Cloud Storage instead of HDFS.

Why this answer

Cloud Dataproc is a managed service for running Apache Spark and Hadoop clusters on Google Cloud. It supports the same open-source versions of Spark and Hadoop that the company currently uses, allowing them to migrate their existing batch processing workloads with minimal code changes. This makes it the best fit for the stated requirement of minimal rewriting.

Exam trap

Google Cloud often tests the misconception that Cloud Dataflow can run Spark/Hadoop jobs natively, when in fact it requires rewriting into Apache Beam, while Dataproc is the direct managed equivalent for these frameworks.

How to eliminate wrong answers

Option A is wrong because Cloud Dataflow does not run Spark or Hadoop jobs natively; it uses the Apache Beam SDK, which requires rewriting jobs into Beam pipelines. Option C is wrong because BigQuery is a serverless data warehouse for SQL analytics, not a platform for running Spark or Hadoop jobs; BigQuery Spark stored procedures are for executing Spark code within BigQuery, not for migrating existing Spark/Hadoop workloads. Option D is wrong because Google Kubernetes Engine (GKE) can run Spark on Kubernetes, but this requires containerizing the jobs and managing the Kubernetes infrastructure, which involves more rewriting and operational overhead than using Dataproc's native Spark/Hadoop support.

331
MCQeasy

A development team needs a managed relational database (MySQL or PostgreSQL) for their web application. They want automatic backups, patching, and high availability without managing a database server. Which Google Cloud service provides this?

A.Compute Engine with a self-managed MySQL installation.
B.Cloud SQL
C.Cloud Bigtable
D.Cloud Storage
AnswerB

Cloud SQL is a fully managed MySQL/PostgreSQL/SQL Server service. Google handles all infrastructure: patching, backups, HA with automatic failover, and monitoring.

Why this answer

Cloud SQL is a fully managed relational database service for MySQL, PostgreSQL, and SQL Server. It handles automated backups, patching, and high availability (via regional failover replicas) without requiring the user to manage the underlying database server, directly matching the team's requirements.

Exam trap

Google Cloud often tests the distinction between managed and unmanaged services, and the trap here is that candidates may confuse Cloud SQL with Compute Engine self-managed setups, overlooking the 'without managing a database server' requirement.

How to eliminate wrong answers

Option A is wrong because Compute Engine with a self-managed MySQL installation requires the team to manually handle backups, patching, and high availability, contradicting the requirement to avoid managing a database server. Option C is wrong because Cloud Bigtable is a NoSQL, wide-column database service, not a managed relational database (MySQL or PostgreSQL). Option D is wrong because Cloud Storage is an object storage service, not a relational database, and does not provide SQL query capabilities or automatic database patching.

332
MCQmedium

A company wants to know: if Google Cloud experiences a data breach that exposes customer data, what are Google's notification obligations under standard Cloud service terms?

A.Google has no obligation to notify customers of data breaches — customers must discover breaches themselves.
B.Google will notify affected customers of personal data breaches without undue delay per its Data Processing Addendum, enabling customers to meet their own regulatory notification obligations.
C.Google will notify all media outlets immediately upon breach detection to maximize transparency.
D.Breach notification is only available to customers with Premium support tier.
AnswerB

Google's Cloud DPA commits to breach notification. This enables customers to fulfill their own obligations (GDPR requires notifying authorities within 72 hours and affected individuals without undue delay).

Why this answer

Option B is correct because Google Cloud's standard Data Processing Addendum (DPA) contractually obligates Google to notify affected customers of personal data breaches without undue delay after confirmation. This enables customers to fulfill their own regulatory notification requirements under laws like GDPR or CCPA, as the customer remains the data controller responsible for end-user notifications.

Exam trap

The trap here is that candidates assume breach notification is optional or premium-only, but Google Cloud's standard DPA makes it a contractual right for all customers, regardless of support tier.

How to eliminate wrong answers

Option A is wrong because Google Cloud's DPA explicitly includes breach notification obligations, so customers are not left to discover breaches themselves. Option C is wrong because Google notifies affected customers, not media outlets; notifying media is not a standard contractual obligation and would violate data confidentiality. Option D is wrong because breach notification is a standard feature included in the DPA for all customers, not gated behind a Premium support tier.

333
MCQeasy

A project manager wants a cost-effective way to run batch processing jobs that run for a few hours each night. The jobs are fault-tolerant and can be interrupted. Which Compute Engine option is most suitable?

A.N2 high-CPU VMs
B.Regular VMs with committed use discounts
C.Sole-tenant nodes
D.Preemptible VMs
AnswerD

Preemptible VMs are significantly cheaper and can be terminated at any time, which makes them suitable only for fault-tolerant batch jobs.

Why this answer

Preemptible VMs are Compute Engine instances that last up to 24 hours and can be terminated at any time by Google Cloud, making them ideal for fault-tolerant, interruptible batch jobs that run for a few hours each night. They offer up to 80% cost savings compared to regular VMs, which aligns perfectly with the project manager's requirement for a cost-effective solution.

Exam trap

Google Cloud often tests the misconception that preemptible VMs are only for short-lived tasks, but the trap here is that candidates overlook the 'fault-tolerant and can be interrupted' requirement and choose committed use discounts, failing to recognize that preemptible VMs are the most cost-effective option for nightly batch jobs that can handle interruptions.

How to eliminate wrong answers

Option A is wrong because N2 high-CPU VMs are general-purpose instances optimized for compute-intensive workloads, but they do not provide the cost savings needed for interruptible batch jobs; they are billed at standard on-demand rates. Option B is wrong because regular VMs with committed use discounts require a 1- or 3-year commitment, which is not cost-effective for jobs that run only a few hours each night and do not guarantee 24/7 usage. Option C is wrong because sole-tenant nodes are dedicated physical servers for compliance or licensing needs, which incur higher costs and are unnecessary for fault-tolerant batch processing that can run on shared infrastructure.

334
MCQeasy

A company needs to analyze streaming data from IoT devices in real time. Which Google Cloud service should they use as the primary ingestion and analysis pipeline?

A.BigQuery
B.Cloud Storage
C.Dataflow
D.Cloud Pub/Sub
AnswerC

Dataflow provides stream and batch processing, ideal for real-time streaming pipelines with low latency.

Why this answer

Dataflow is the correct choice because it provides a unified stream and batch processing model based on Apache Beam, enabling real-time ingestion and analysis of streaming IoT data with exactly-once processing semantics and automatic scaling. BigQuery is a data warehouse for analytics on stored data, not a real-time ingestion pipeline. Cloud Storage is an object store for static data, not a streaming pipeline.

Cloud Pub/Sub is a messaging service for ingestion but lacks built-in analysis capabilities.

Exam trap

Google Cloud often tests the misconception that Cloud Pub/Sub alone is sufficient for real-time analysis, but the trap is that Pub/Sub is only a messaging layer and lacks built-in processing capabilities, so candidates must recognize that Dataflow is required for the analysis pipeline.

How to eliminate wrong answers

Option A is wrong because BigQuery is a serverless data warehouse designed for analytical queries on large datasets, not for real-time streaming ingestion and processing; it can ingest streaming data via the Storage Write API but requires a separate pipeline service like Dataflow for transformation and analysis. Option B is wrong because Cloud Storage is an object storage service for storing immutable blobs, not a streaming data pipeline; it cannot process or analyze data in real time. Option D is wrong because Cloud Pub/Sub is a scalable messaging middleware for ingesting and delivering event streams, but it does not perform data transformation, aggregation, or analysis; it must be paired with a processing service like Dataflow to build a complete pipeline.

335
MCQeasy

A traditional brick-and-mortar bookstore chain wants to use cloud technology to compete with online retailers. The store manager proposes putting all store inventory data in the cloud. The digital transformation advisor says this is only the first step. What does the advisor mean?

A.The company also needs to migrate its email to a cloud-based provider before transformation is complete
B.Storing data in the cloud is infrastructure migration; transformation means using that data and cloud capabilities to create new customer experiences, personalized recommendations, omnichannel shopping, and demand prediction
C.The company must also migrate its accounting software to the cloud before claiming digital transformation
D.Cloud storage alone cannot store inventory data; additional specialized database services are required
AnswerB

The advisor is making the crucial distinction between data migration (step 1) and business transformation (the goal). Cloud-hosted inventory data enables: app-based real-time stock checks, personalized recommendations using purchase history, demand forecasting to optimize buying, and online ordering with in-store pickup. That's the transformation.

Why this answer

Option B is correct because digital transformation goes beyond mere infrastructure migration (like moving data to the cloud). True transformation leverages cloud-native capabilities—such as serverless compute, AI/ML services, and real-time analytics—to reimagine business processes. In this scenario, storing inventory data in the cloud is just the first step; the bookstore must use that data to build personalized recommendation engines, omnichannel inventory visibility, and demand forecasting models, which fundamentally change how the business operates and competes.

Exam trap

Google Cloud often tests the distinction between 'infrastructure migration' (lift-and-shift) and 'digital transformation' (using cloud services to fundamentally change business processes), and the trap here is that candidates mistake any cloud adoption—like moving data or email—for transformation, when transformation requires leveraging cloud-native capabilities to create new value.

How to eliminate wrong answers

Option A is wrong because migrating email to a cloud provider is also an infrastructure migration, not a transformation; it does not create new customer experiences or business models. Option C is wrong because moving accounting software to the cloud is another example of lift-and-shift, not a reimagining of the bookstore's core retail operations or customer engagement. Option D is wrong because cloud storage (e.g., Amazon S3 or Azure Blob Storage) can indeed store inventory data; the advisor's point is not about technical feasibility but about the need to use that data for higher-order business innovation.

336
MCQmedium

A company's application experiences a P1 (critical) production incident at 2 AM on a Sunday. The on-call engineer resolves the issue after 3 hours but isn't sure which team members to contact or what steps to follow during an incident. What operational practice and tooling would have helped manage this incident better?

A.Increase the application's max_instances so it scales to handle the issue automatically.
B.Establish a documented incident response process with defined roles, escalation paths, and runbooks, supported by on-call rotation tooling and Cloud Monitoring alerting.
C.Move all production deployments to Sunday nights to avoid weekday incident risk.
D.Disable monitoring alerts to prevent false alarms that wake engineers unnecessarily.
AnswerB

Incident response process defines what to do and who to involve. Runbooks provide step-by-step guidance. On-call rotation ensures 24/7 coverage. Cloud Monitoring alerting ensures rapid notification.

Why this answer

Option B is correct because a documented incident response process with defined roles, escalation paths, and runbooks ensures that the on-call engineer knows exactly whom to contact and what steps to follow during a P1 incident. Combined with on-call rotation tooling (e.g., PagerDuty, Opsgenie) and Cloud Monitoring alerting, this practice reduces mean time to acknowledge (MTTA) and mean time to resolve (MTTR) by providing clear, repeatable procedures. Without such a process, the engineer wasted time determining the response, which a runbook would have eliminated.

Exam trap

Google Cloud often tests the misconception that scaling or automation alone can replace a documented incident response process, but the question explicitly asks about operational practice and tooling for managing the incident, not just fixing the technical issue.

How to eliminate wrong answers

Option A is wrong because increasing max_instances only addresses scaling under load, not the lack of an incident response process; it does not help the engineer know whom to contact or what steps to follow. Option C is wrong because moving deployments to Sunday nights does not resolve the core issue of missing incident management procedures; it merely shifts the timing and could increase risk if a deployment causes the incident. Option D is wrong because disabling monitoring alerts would prevent detection of the incident altogether, worsening the problem rather than improving the response process.

337
MCQhard

A company runs workloads across Google Cloud and on-premises environments. They want a single management plane to deploy and manage containerized applications consistently across both environments using the same tooling and policies. Which Google Cloud product provides this unified hybrid/multi-cloud management?

A.Cloud Interconnect — it connects on-premises to Google Cloud.
B.Anthos — Google's hybrid and multi-cloud application management platform.
C.Google Distributed Cloud — runs Google Cloud services inside the customer's data center.
D.Cloud Deployment Manager — deploys resources via infrastructure-as-code templates.
AnswerB

Anthos (rebranded GKE Enterprise in 2023; the exam may still use the Anthos name) extends GKE management to on-premises and other clouds. A single control plane manages containerized workloads everywhere with consistent policies, service mesh, and observability.

Why this answer

Anthos is Google Cloud's hybrid and multi-cloud application management platform that provides a single control plane for deploying and managing containerized applications consistently across on-premises and cloud environments. It uses GKE on-prem and Anthos Config Management to enforce uniform policies, service mesh, and CI/CD pipelines, enabling the unified management described in the scenario.

Exam trap

The trap here is that candidates confuse network connectivity (Cloud Interconnect) or edge-specific solutions (Google Distributed Cloud) with a unified management plane, overlooking Anthos's role as the integrated platform for consistent container orchestration and policy enforcement across hybrid environments.

How to eliminate wrong answers

Option A is wrong because Cloud Interconnect is a dedicated network connectivity service (using VLAN attachments or partner interconnects) that links on-premises to Google Cloud, but it does not provide any application management or container orchestration plane. Option C is wrong because Google Distributed Cloud (GDC) runs Google Cloud services inside the customer's data center and is focused on air-gapped or edge scenarios with its own control plane, not on a unified hybrid management plane for containerized applications across both environments. Option D is wrong because Cloud Deployment Manager is an infrastructure-as-code tool that uses YAML templates to deploy Google Cloud resources (and Google now steers new infrastructure-as-code work toward Terraform-based Infrastructure Manager); it does not manage containerized applications across hybrid environments or provide a unified control plane.

338
MCQeasy

A startup wants to automatically rotate encryption keys used for Cloud Storage objects every 90 days. Which service should they use?

A.Use Cloud Secret Manager to store and rotate encryption keys
B.Use default Cloud Storage encryption (SSE-GCP)
C.Use Cloud HSM to store keys and rotate manually
D.Use Cloud Key Management Service (KMS) with automatic rotation schedule
AnswerD

Cloud KMS allows setting a rotation period for customer-managed keys.

Why this answer

Option D is correct because Cloud KMS supports automatic key rotation with a configurable rotation period (e.g., every 90 days). When you create a key ring and key in Cloud KMS, you can set a rotation schedule, and Cloud KMS will automatically generate a new primary key version on the specified date. This allows the startup to meet the 90-day rotation requirement without manual intervention. Two practical points: the bucket must be configured to use the key as its default customer-managed encryption key (CMEK), and the Cloud Storage service agent must hold the Cloud KMS CryptoKey Encrypter/Decrypter role on it; and rotation does not re-encrypt existing objects, so the new version is used for objects written after rotation while older versions must stay enabled to decrypt the data written under them (rewriting an object re-encrypts it under the current primary version).

Exam trap

The trap here is that candidates often confuse Cloud Secret Manager (which stores secrets and can send rotation reminders, but does not rotate encryption keys itself) with Cloud KMS (which provides automatic key rotation), or they assume that default Google-managed encryption allows customer-controlled rotation schedules, which it does not. Note that the option's label 'SSE-GCP' is borrowed from AWS terminology; Google calls this default behaviour Google-managed encryption keys.

How to eliminate wrong answers

Option A is wrong because Cloud Secret Manager is designed to store and manage secrets (e.g., API keys, passwords), not to rotate encryption keys for Cloud Storage objects; its rotation schedules only publish Pub/Sub reminders, and it never generates new key material on its own. Option B is wrong because default Cloud Storage encryption uses Google-managed keys that are rotated automatically by Google, but the customer cannot control or schedule the rotation period (e.g., 90 days); the rotation frequency is not configurable. Option C is wrong because Cloud HSM is not a separate key store: it is the HSM protection level of a Cloud KMS key, and such keys support exactly the same automatic rotation schedule as software-protected keys. The option describes rotating manually, which fails the automation requirement, and it adds FIPS 140-2 Level 3 hardware protection that the scenario never asked for.
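The same setup expressed in Terraform, added here as an example rather than taken from the page or from Google's documentation. The project ID, location, key ring, key and bucket names are placeholders; the service-agent lookup, the rotation period and the IAM role are the real mechanics the explanation describes.

```hcl
# Added example, not part of the original page. Project ID, location and
# resource names are placeholders; adjust them for your environment.

variable "project_id" {
  default = "example-project"            # placeholder
}

# Cloud Storage encrypts and decrypts objects through its own service agent,
# so that identity (not the human caller) needs access to the key.
data "google_storage_project_service_account" "gcs" {
  project = var.project_id
}

resource "google_kms_key_ring" "storage" {
  name     = "storage-keys"
  location = "us-central1"               # must be the bucket's location
  project  = var.project_id
}

resource "google_kms_crypto_key" "objects" {
  name     = "objects-cmek"
  key_ring = google_kms_key_ring.storage.id
  purpose  = "ENCRYPT_DECRYPT"

  # 90 days in seconds. Cloud KMS creates a new primary version on this
  # schedule; earlier versions stay enabled so existing objects still decrypt.
  rotation_period = "7776000s"

  version_template {
    protection_level = "HSM"             # HSM keys rotate on the same schedule as SOFTWARE keys
    algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION"
  }

  lifecycle {
    prevent_destroy = true               # destroying the key makes every object under it unreadable
  }
}

resource "google_kms_crypto_key_iam_member" "gcs_uses_key" {
  crypto_key_id = google_kms_crypto_key.objects.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_storage_project_service_account.gcs.email_address}"
}

resource "google_storage_bucket" "inventory" {
  name                        = "example-inventory-bucket"   # placeholder; bucket names are global
  location                    = "US-CENTRAL1"
  project                     = var.project_id
  uniform_bucket_level_access = true

  # Every new object is encrypted under the key's current primary version.
  encryption {
    default_kms_key_name = google_kms_crypto_key.objects.id
  }

  depends_on = [google_kms_crypto_key_iam_member.gcs_uses_key]
}
```

After `terraform apply`, rotation needs no further action. What does need a decision is retirement of old versions: objects written before a rotation still reference the version that encrypted them, so disable or destroy a version only after the objects under it have been rewritten (for example with `gsutil rewrite -k`), or those objects become unreadable.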

339
MCQeasy

Which term describes the model where the cloud provider is responsible for the security of the cloud infrastructure, while the customer is responsible for security within their own cloud environment (data, applications, access management)?

A.Zero trust security model
B.Shared responsibility model
C.Defense in depth strategy
D.Identity federation model
AnswerB

The shared responsibility model defines that Google Cloud secures the infrastructure ('security of the cloud') while customers secure their data and applications ('security in the cloud').

Why this answer

The shared responsibility model defines the division of security responsibilities between the cloud provider and the customer. Google secures the physical infrastructure, hardware, hypervisor, and core services. The customer secures what they put in the cloud: data classification, access control, application security, network configuration, and compliance.

The boundary between provider and customer responsibility varies by service model (IaaS vs. PaaS vs. SaaS).

340
MCQmedium

A company runs a critical application on Compute Engine in us-central1. They plan to create a disaster recovery (DR) site in us-west1 that can be activated within minutes if the primary region fails. What is the most cost-effective DR strategy that meets the recovery time objective (RTO) of 30 minutes?

A.Cold standby with regular backups to Cloud Storage.
B.Warm standby in us-west1 with preemptible VMs and persistent disk snapshots.
C.Active-active deployment in both regions with load balancing.
D.Use a managed instance group in us-west1 with replication from the primary.
AnswerB

Snapshots of the primary's persistent disks can be turned into new disks in us-west1 within minutes, and preemptible VMs (now sold as Spot VMs) keep the standby cheap. One caveat: Compute Engine can reclaim preemptible or Spot capacity at any time, and preemptible VMs run for at most 24 hours, so once the standby becomes the production site its instances should be replaced with standard VMs.

Why this answer

Option B is correct because a warm standby using preemptible VMs and persistent disk snapshots provides a cost-effective DR solution that can be activated within minutes. Preemptible VMs are significantly cheaper than regular VMs, and persistent disk snapshots are stored independently of the source disk and can be restored to a new disk in us-west1 quickly, meeting the 30-minute RTO without the high cost of an always-on active-active deployment. The snapshot frequency sets the recovery point objective (RPO): hourly snapshots mean up to an hour of lost writes, which the scenario accepts since it states only an RTO.
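An added example, not from the original page, of the snapshot half of that design in Terraform: a schedule attached to the primary disk that stores the snapshot data in the DR region, so restores there do not have to pull data across regions. Disk, zone and names are placeholders.

```hcl
# Added example, not part of the original page. The disk name, zone and
# policy name are placeholders.

resource "google_compute_resource_policy" "dr_snapshots" {
  name   = "dr-hourly-snapshots"
  region = "us-central1"                   # the policy lives in the primary region

  snapshot_schedule_policy {
    schedule {
      hourly_schedule {
        hours_in_cycle = 1                 # RPO of one hour; tighten if the data warrants it
        start_time     = "00:00"
      }
    }

    retention_policy {
      max_retention_days    = 7
      on_source_disk_delete = "KEEP_AUTO_SNAPSHOTS"   # a deleted primary disk must not erase the DR copies
    }

    snapshot_properties {
      # Keep the snapshot bytes in the DR region so a restore in us-west1 is local.
      storage_locations = ["us-west1"]
      labels = {
        purpose = "dr"
      }
    }
  }
}

# Attach the schedule to an existing data disk in the primary region.
resource "google_compute_disk_resource_policy_attachment" "app_data" {
  name = google_compute_resource_policy.dr_snapshots.name
  disk = "app-data"                        # placeholder: existing persistent disk
  zone = "us-central1-a"
}
```

On failover, the DR side creates a disk from the latest snapshot in us-west1 (`gcloud compute disks create ... --source-snapshot=...`) and boots the standby instance template against it; the restore time of that step, plus DNS or load-balancer cutover, is what the 30-minute RTO has to cover, so rehearse it rather than assume it.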

Exam trap

Google Cloud often tests the misconception that 'warm standby' always means running full instances, but here preemptible VMs combined with snapshots provide a low-cost warm standby that can be activated quickly, unlike cold standby which is too slow or active-active which is too expensive.

How to eliminate wrong answers

Option A is wrong because cold standby with regular backups to Cloud Storage typically has a much longer RTO (hours to days) due to the time required to restore full backups and provision infrastructure, failing the 30-minute RTO. Option C is wrong because active-active deployment in both regions with load balancing is the most expensive option, as it requires running full production capacity in both regions continuously, which is not cost-effective for a DR-only requirement. Option D is wrong because a managed instance group in us-west1 with replication from the primary implies continuous replication and running instances, which incurs ongoing costs similar to active-active, and does not leverage cost-saving measures like preemptible VMs or snapshot-based recovery.

341
MCQhard

A legacy on-premises application requires manual intervention for scaling and incurs high maintenance costs. The company wants to transform by adopting a microservices architecture on Google Cloud. Which Google Cloud service is most suitable for running containerized microservices in a managed environment?

A.Cloud Functions
B.App Engine
C.Google Kubernetes Engine (GKE)
D.Compute Engine
AnswerC

GKE is optimized for managing containerized microservices with autoscaling and self-healing.

Why this answer

Option C is correct because Google Kubernetes Engine (GKE) is a managed Kubernetes service built for container orchestration, which is what a microservices architecture needs: per-service deployments, horizontal autoscaling, rolling updates and self-healing without manual intervention. Cloud Functions (A) runs individual event-driven functions rather than long-running services, App Engine (B) is a PaaS for web applications, and Compute Engine (D) is IaaS that would leave the company managing VMs and scaling by hand, the very problem it wants to escape.

342
MCQmedium

A product team is discussing how to handle a planned 48-hour maintenance window for a critical customer-facing service. The SRE team argues the maintenance window is unnecessary with proper cloud architecture. Which cloud capability eliminates the need for planned downtime maintenance windows?

A.Longer maintenance windows scheduled during off-peak hours to minimize customer impact
B.Zero-downtime deployment strategies like rolling updates and blue/green deployments, combined with cloud live migration for infrastructure maintenance
C.Notifying customers in advance of the maintenance window and offering service credits for the downtime
D.Backing up all data before the maintenance window to ensure recovery if something goes wrong
AnswerB

This is the architectural answer to planned downtime. Rolling updates deploy new code gradually (some instances get new version while others serve traffic). Blue/green deployments switch traffic atomically. Live migration moves VMs between physical hosts for maintenance without rebooting. Together, these eliminate the need for maintenance windows.

Why this answer

Option B is correct because cloud platforms like Google Cloud support zero-downtime deployment strategies (rolling updates, blue/green deployments) and live migration for infrastructure maintenance. Live migration transparently moves running VMs between hosts without interrupting the OS or applications, while blue/green deployments allow traffic to be switched to a fully updated environment before the old one is taken down. Together, these capabilities eliminate the need for planned downtime maintenance windows entirely.
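Both halves of that answer have concrete Compute Engine settings. The following Terraform is an added example, not code from the page or from Google: an instance template that opts into live migration for host maintenance, and a regional managed instance group whose update policy surges replacements before removing old instances, so a new template rolls out with zero instances unavailable. The image, machine type, health-check path and names are placeholders.

```hcl
# Added example, not part of the original page. Names, the image, the network
# and the health-check path are placeholders.

resource "google_compute_health_check" "app" {
  name                = "app-hc"
  check_interval_sec  = 10
  timeout_sec         = 5
  healthy_threshold   = 2
  unhealthy_threshold = 3
  http_health_check {
    port         = 8080
    request_path = "/healthz"
  }
}

resource "google_compute_instance_template" "app" {
  name_prefix  = "app-"                  # a changed template gets a new name, which triggers the rollout
  machine_type = "e2-standard-2"

  disk {
    source_image = "projects/debian-cloud/global/images/family/debian-12"   # placeholder
    auto_delete  = true
    boot         = true
  }

  network_interface {
    network = "default"                  # placeholder
  }

  # Infrastructure maintenance: Google live-migrates the VM to another host
  # instead of stopping it, so host patching never shows up as downtime.
  scheduling {
    on_host_maintenance = "MIGRATE"
    automatic_restart   = true
  }

  lifecycle {
    create_before_destroy = true         # keep the old template until the rollout is done
  }
}

resource "google_compute_region_instance_group_manager" "app" {
  name               = "app-mig"
  region             = "us-central1"
  base_instance_name = "app"
  target_size        = 3

  version {
    instance_template = google_compute_instance_template.app.self_link
  }

  auto_healing_policies {
    health_check      = google_compute_health_check.app.id
    initial_delay_sec = 90
  }

  # Application rollout: add up to three new VMs (one per zone) first, and
  # never take an old VM out of service before a replacement is healthy.
  update_policy {
    type                  = "PROACTIVE"
    minimal_action        = "REPLACE"
    max_surge_fixed       = 3            # a regional MIG needs at least one surge VM per zone
    max_unavailable_fixed = 0
  }
}
```

Two caveats a practitioner should keep in mind. A rolling update means old and new versions serve simultaneously for a while, so database schema changes and API contracts must be compatible across that overlap; a blue/green deployment (a second MIG behind the same load balancer, with traffic switched at the backend service) avoids the overlap but doubles capacity during the switch. And live migration is not universal: VMs with attached GPUs are the main case that must be stopped for host maintenance instead.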

Exam trap

The trap here is that candidates confuse 'reducing impact' (options A, C, D) with 'eliminating downtime' (option B), failing to recognize that only architectural strategies like live migration and zero-downtime deployments remove the need for a maintenance window altogether.

How to eliminate wrong answers

Option A is wrong because scheduling longer maintenance windows during off-peak hours still requires planned downtime, which contradicts the goal of eliminating it entirely. Option C is wrong because notifying customers and offering service credits does not prevent downtime; it only compensates for it after the fact. Option D is wrong because backing up data before a maintenance window is a recovery measure, not a prevention strategy, and does not eliminate the need for downtime during the maintenance.

343
MCQmedium

A company's operations team needs visibility into network traffic patterns, latency between services, and potential network bottlenecks across their Google Cloud deployment. Which Google Cloud product provides network performance monitoring, connectivity testing, and traffic analysis?

A.Cloud Armor, which provides DDoS protection and traffic filtering
B.Network Intelligence Center, which provides network topology visualization, connectivity testing, firewall analysis, and performance monitoring
C.Cloud DNS, which translates domain names to IP addresses
D.Cloud VPN, which creates encrypted tunnels between cloud and on-premises networks
AnswerB

Network Intelligence Center is the correct answer. Its modules are Network Topology (visualizes the network and the traffic flowing over it), Connectivity Tests (checks reachability between two endpoints by analyzing the configuration and, where possible, sending live probes), Performance Dashboard (latency and packet loss between zones and regions), Firewall Insights (finds overly permissive, shadowed and unused firewall rules) and Network Analyzer (flags configuration problems such as overlapping IP ranges). Together they address the network visibility requirement directly.

Why this answer

Network Intelligence Center is the correct choice because it is the Google Cloud-native product specifically designed to provide network performance monitoring (latency, packet loss, throughput), connectivity testing (Connectivity Tests), and traffic analysis (Network Topology's traffic metrics and Firewall Insights). It offers a unified console for visualizing network topology, analyzing firewall rules, and diagnosing connectivity issues across VPCs, hybrid connections, and on-premises environments, directly addressing the need for visibility into traffic patterns and bottlenecks.

Exam trap

The trap here is that candidates may confuse Cloud Armor's traffic filtering with network performance monitoring, or assume that Cloud VPN's encrypted tunnels inherently provide visibility into traffic patterns, when in fact neither product offers the diagnostic and monitoring capabilities of Network Intelligence Center.

How to eliminate wrong answers

Option A is wrong because Cloud Armor is a web application firewall (WAF) and DDoS protection service that filters incoming traffic based on security rules; it does not provide network performance monitoring, latency analysis, or connectivity testing. Option C is wrong because Cloud DNS is a managed DNS service that resolves domain names to IP addresses; it has no capability for network traffic analysis, latency monitoring, or bottleneck detection. Option D is wrong because Cloud VPN creates encrypted IPsec tunnels for secure connectivity between cloud and on-premises networks; it does not offer performance monitoring, traffic analysis, or connectivity testing features.

344
Multi-Selecteasy

Which THREE of the following are compute services offered by Google Cloud? (Choose exactly 3.)

Select 3 answers
A.Compute Engine
B.Cloud Functions
C.Cloud Storage
D.App Engine
E.Cloud SQL
AnswersA, B, D

Compute Engine (IaaS virtual machines), Cloud Functions (serverless, event-driven functions) and App Engine (PaaS) all run your code; Cloud Storage and Cloud SQL store data.

Why this answer

Compute Engine is a core Google Cloud compute service that provides virtual machines (VMs) running on Google's infrastructure. It allows you to create and manage VM instances with custom machine types, persistent disks, and networking configurations, making it a fundamental compute offering for general-purpose workloads. Cloud Functions runs small units of code in response to events (HTTP requests, Pub/Sub messages, Cloud Storage changes) with no servers to manage, and App Engine is a platform that deploys and scales whole applications while Google manages the underlying runtime. Cloud Storage is object storage and Cloud SQL is a managed relational database; neither executes your code.

Exam trap

The trap here is that candidates confuse storage and database services (Cloud Storage, Cloud SQL) with compute services, because all are part of Google Cloud's core offerings, but only services that execute code or run applications qualify as compute.

345
Drag & Dropmedium

Drag and drop the steps to create a new Virtual Private Cloud (VPC) network with a subnet in Google Cloud into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

The correct order starts with navigating to the VPC networks page, then creating a new VPC, naming it, configuring the subnet, and finally creating it.
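The same steps as infrastructure as code, added here as an example that is not part of the original page. It goes slightly beyond the console walkthrough: the network is created in custom mode, the subnet enables Private Google Access and VPC Flow Logs, and the only ingress rule admits SSH from Identity-Aware Proxy rather than from the internet. Names, region and the CIDR range are placeholders.

```hcl
# Added example, not part of the original page. Names, region and address
# range are placeholders.

# Step 1: the VPC network. Custom mode means no automatic /20 subnet in every
# region, so only the ranges you declare exist.
resource "google_compute_network" "app" {
  name                    = "app-vpc"
  auto_create_subnetworks = false
  routing_mode            = "REGIONAL"
}

# Step 2: a subnet in one region with an explicit range.
resource "google_compute_subnetwork" "app_us_central1" {
  name          = "app-us-central1"
  network       = google_compute_network.app.id
  region        = "us-central1"
  ip_cidr_range = "10.10.0.0/24"

  # VMs without external IPs can still reach Google APIs (Cloud Storage,
  # Cloud KMS, Pub/Sub, ...) over Google's network.
  private_ip_google_access = true

  # Flow logs feed Network Intelligence Center and your SIEM; sampling and
  # aggregation keep the log volume and cost in check.
  log_config {
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}

# Step 3: a new VPC only has the implied deny-all ingress rule, so open
# exactly what is needed. Here SSH is reachable solely through IAP TCP
# forwarding, which authenticates the user before any packet hits the VM.
resource "google_compute_firewall" "allow_iap_ssh" {
  name          = "app-allow-iap-ssh"
  network       = google_compute_network.app.name
  source_ranges = ["35.235.240.0/20"]    # Identity-Aware Proxy TCP forwarding range
  target_tags   = ["ssh-via-iap"]

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}
```

The equivalent console flow is VPC network, Create VPC network, name it, choose custom subnet mode, add the subnet with its region and range, then Create; firewall rules are added afterwards from the network's Firewall tab.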

346
MCQmedium

Given the Cloud Run service configuration above, what happens when a new revision is created after deploying a change to the container image?

A.Traffic is split evenly between the old and new revision.
B.The service becomes unavailable until the new revision is ready.
C.Cloud Run automatically creates a new revision and routes traffic to it.
D.The new revision receives all traffic automatically.
E.Traffic continues to go to the old revision until the traffic section is updated.
AnswerE

The configuration explicitly routes traffic to a specific revision, so new revisions are not served until the traffic section is modified.

Why this answer

Option E is correct because the traffic section of the service shown pins 100% of traffic to a named revision rather than to the latest revision. Deploying a new image still creates a new revision, but that revision receives 0% of traffic until the traffic configuration is updated (in the console, with gcloud run services update-traffic, or by editing the traffic section). Deploying with gcloud run deploy --no-traffic has the same effect, and it lets you exercise the new revision, for example through a revision tag URL, before any live request reaches it.
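The two routing modes side by side, as an added example in Terraform (not the configuration the question refers to, which is not reproduced on this page). The service name, region, image and revision name are placeholders.

```hcl
# Added example, not part of the original page. Service name, region, image
# and the revision name are placeholders.

resource "google_cloud_run_v2_service" "api" {
  name     = "api"
  location = "us-central1"

  template {
    containers {
      image = "us-central1-docker.pkg.dev/example-project/apps/api:2.1.0"   # placeholder
    }
  }

  # Pinned routing, the situation in the question: every request goes to the
  # named revision. Changing the image above creates api-00004-..., but it
  # receives 0% until this block is changed.
  traffic {
    type     = "TRAFFIC_TARGET_ALLOCATION_TYPE_REVISION"
    revision = "api-00003-abc"           # illustrative revision name
    percent  = 100
  }

  # Default routing instead (what a plain `gcloud run deploy` configures):
  # the latest ready revision always receives all traffic.
  #
  # traffic {
  #   type    = "TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST"
  #   percent = 100
  # }

  # Canary: keep 90% on the known-good revision and send 10% to the latest.
  # The tag also gives the latest revision its own URL for targeted testing.
  #
  # traffic {
  #   type     = "TRAFFIC_TARGET_ALLOCATION_TYPE_REVISION"
  #   revision = "api-00003-abc"
  #   percent  = 90
  # }
  # traffic {
  #   type    = "TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST"
  #   percent = 10
  #   tag     = "canary"
  # }
}
```

With the pinned configuration, promoting the new revision is an explicit, auditable change (edit the traffic block, or run `gcloud run services update-traffic api --to-latest`), which is exactly the control the question is testing for.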

Exam trap

Google Cloud often tests the default behaviour here: a plain gcloud run deploy does send 100% of traffic to the new revision, because the default traffic target is the latest ready revision. Traffic stays on the old revision only when the service's traffic section names a specific revision (as in this question) or when the deployment used --no-traffic, so read the configuration before assuming either behaviour.

How to eliminate wrong answers

Option A is wrong because Cloud Run never splits traffic evenly on its own; percentages are set explicitly in the traffic configuration (for canaries, for example) and otherwise default to 100% on a single target. Option B is wrong because Cloud Run deploys without downtime: the old revision keeps serving while the new revision is created and becomes ready. Option C is wrong because, although Cloud Run does create the new revision automatically, routing traffic to it is a separate step whenever traffic is pinned to a named revision.

Option D is wrong for the same reason: with the traffic section pinned to a specific revision, the new revision receives 0% of traffic rather than all of it. Only a service whose traffic targets the latest revision would shift all traffic automatically, and that is not the configuration given.

347
MCQmedium

A company's cloud costs have grown faster than its business. The FinOps team is implementing cloud cost governance. Which practice most effectively ensures that individual teams are accountable for their cloud spending?

A.Requiring all teams to use only the cheapest available cloud service options regardless of technical requirements
B.Implementing consistent resource labeling and chargeback reporting so each team's cloud spending is visible and attributed to them
C.Consolidating all cloud accounts under a single centralized IT team that controls all cloud resource creation
D.Disabling all non-production environments to eliminate spending outside of production
AnswerB

Labeling (attaching team/product/cost center metadata to every cloud resource) enables per-team cost attribution from billing data. Chargeback transfers the cost to the team's budget; showback provides visibility. Both create accountability by making spending visible and personally consequential to the team that incurs it.

Why this answer

Option B is correct because implementing consistent resource labeling and chargeback reporting directly enables cost attribution to individual teams. In Google Cloud, labels are key-value pairs attached to resources, and when combined with billing export to BigQuery, they allow granular cost breakdowns per team. This creates clear accountability by making each team's spending visible and chargeable back to their budget, which is the core principle of cloud cost governance.

Exam trap

Google Cloud often tests the misconception that cost governance is about restricting spending (options A, C, D) rather than enabling visibility and accountability through attribution mechanisms like labeling and chargeback.

How to eliminate wrong answers

Option A is wrong because forcing all teams to use the cheapest cloud service options regardless of technical requirements can lead to performance degradation, security vulnerabilities, or non-compliance, and it does not foster accountability—it imposes a blanket restriction that ignores workload-specific needs. Option C is wrong because consolidating all cloud accounts under a single centralized IT team that controls all resource creation removes team autonomy and creates a bottleneck, which often leads to shadow IT as teams bypass controls, and it does not make individual teams accountable for their spending. Option D is wrong because disabling all non-production environments eliminates testing and development, which are essential for innovation and quality assurance, and it does not address cost governance—it only cuts costs at the expense of business operations.

348
MCQeasy

A developer wants to run her application code without managing any servers, operating systems, or runtime environments. She wants to focus entirely on writing business logic. Which cloud service model best fits this requirement?

A.Infrastructure as a Service (IaaS), where the developer provisions virtual machines and installs the runtime
B.Platform as a Service (PaaS), where the developer deploys code to a managed platform that handles the OS and runtime
C.Serverless / Functions as a Service (FaaS), where the developer writes and deploys code functions and the provider manages all underlying infrastructure automatically
D.Software as a Service (SaaS), where the developer uses a fully managed application built by the cloud provider
AnswerC

FaaS/serverless is the model where the developer's only concern is the business logic in the function. There are no servers to configure, no OS to patch, no capacity to plan. The runtime is automatically managed and scaled by the provider.

Why this answer

Serverless/FaaS (Option C) is the correct choice because it abstracts away all server, OS, and runtime management, allowing the developer to deploy individual functions that execute in response to events. The cloud provider automatically scales and manages the underlying infrastructure, so the developer writes only business logic without provisioning or patching anything.

Exam trap

Google Cloud often tests the distinction between PaaS and FaaS by describing a scenario where the developer wants to avoid managing servers and runtimes, leading candidates to choose PaaS because it abstracts the OS, but the key difference is that FaaS also eliminates runtime management and allows function-level granularity, which PaaS does not fully achieve.

How to eliminate wrong answers

Option A is wrong because IaaS requires the developer to provision and manage virtual machines, install the OS, configure the runtime, and handle patching, contradicting the requirement to avoid server and OS management. Option B is wrong because PaaS (App Engine, for example) still has the developer packaging and deploying a whole application and tuning its scaling configuration, rather than writing individual functions that the platform runs and scales from zero on demand; it removes OS management but not all deployment concerns, as FaaS does. Option D is wrong because SaaS provides a fully built application that the developer uses, not a platform for writing and deploying custom business logic.

349
Multi-Selecteasy

Which TWO of the following are common use cases for deploying workloads to the cloud? (Choose 2)

Select 2 answers
A.High-frequency trading requiring microsecond latency
B.Air-gapped, classified workloads with no internet connection
C.Running a legacy mainframe application that requires dedicated hardware
D.Running a global SaaS application for customers worldwide
E.Data backup and disaster recovery
AnswersD, E

Cloud enables global distribution and easy scaling.

Why this answer

Option D is correct because Google Cloud's global network of regions and edge points of presence, together with Cloud CDN and global load balancing, lets a SaaS application serve customers worldwide with low latency from a single deployment. Option E is correct because Cloud Storage offers durable (designed for 99.999999999% annual durability), cost-effective off-site backup through its Nearline, Coldline and Archive storage classes, and multi-region or dual-region buckets replicate data across regions, which is the foundation of a disaster recovery plan.

Exam trap

Google Cloud often tests the misconception that 'cloud is suitable for all workloads,' but the trap here is that candidates may select options like A or C because they sound like 'advanced' use cases, failing to recognize that cloud's shared infrastructure and network dependency make it unsuitable for ultra-low-latency or air-gapped scenarios.

350
MCQhard

A traditional bank is considering adopting open banking — exposing its financial data and transaction capabilities as APIs to third-party developers (with customer consent). This enables FinTech startups to build new financial products on top of the bank's infrastructure. What cloud capability is most essential to safely and scalably implement open banking?

A.A large data warehouse (BigQuery) to store all transaction data for developer access.
B.A managed API platform (like Apigee) that provides authentication, rate limiting, developer portal, and usage monitoring for third-party API consumers.
C.A dedicated cloud region in each country where the bank operates to minimize latency for API consumers.
D.A blockchain infrastructure to create an immutable record of all API transactions.
AnswerB

Apigee or similar API management platforms handle the controlled external exposure: OAuth/OIDC consent flows, per-developer quotas, usage analytics, and a developer portal — essential for open banking.

Why this answer

Option B is correct because open banking requires secure, scalable, and controlled exposure of APIs to third-party developers. A managed API platform like Apigee provides essential capabilities such as OAuth 2.0 authentication, rate limiting, developer portal, and usage monitoring, which are critical for ensuring safe and scalable API consumption. Without these controls, the bank cannot enforce security policies, manage access, or monitor usage effectively.

Exam trap

Google Cloud often tests the misconception that open banking is primarily about data storage or latency, when in fact the critical challenge is secure, scalable API management with authentication and rate limiting.

How to eliminate wrong answers

Option A is wrong because a data warehouse like BigQuery is designed for analytical queries on large datasets, not for real-time API exposure or access control; storing transaction data directly for developer access would bypass security and create compliance risks. Option C is wrong because while minimizing latency is beneficial, dedicated cloud regions are not the most essential capability for open banking; the core requirement is secure API management, not geographic proximity. Option D is wrong because blockchain provides an immutable ledger but does not address the fundamental needs of API authentication, rate limiting, or developer management; it adds unnecessary complexity and does not replace an API gateway.

351
MCQmedium

A company's web application faces DDoS attacks and SQL injection attempts from the internet. They need a service that sits in front of their load balancer to block malicious traffic before it reaches their application servers. Which Google Cloud service provides this protection?

A.Cloud Firewall (VPC firewall rules)
B.Cloud Armor
C.Cloud VPN
D.Cloud Identity-Aware Proxy (IAP)
AnswerB

Cloud Armor provides DDoS protection and WAF capabilities at the load balancer edge. It can block volumetric DDoS attacks and inspect HTTP content for SQL injection, XSS, and other OWASP threats before they reach application servers.

Why this answer

Cloud Armor is Google Cloud's web application firewall (WAF) and DDoS mitigation service. Its security policies are enforced at Google's edge by the external Application Load Balancer, before a request is forwarded to any backend. Rules can match on network attributes (source IP ranges, geography, ASN), apply per-client rate limiting, and evaluate Layer 7 content with preconfigured OWASP rule sets for SQL injection, cross-site scripting and other attack classes, while Adaptive Protection detects and mitigates Layer 7 DDoS floods. That combination makes it the correct choice for stopping both DDoS attacks and SQL injection attempts before they reach the application servers. One caveat a practitioner must remember: Cloud Armor only inspects traffic that arrives through the load balancer, so backend instances must not be directly reachable from the internet (no public IPs, or VPC firewall rules that admit only the load balancer's proxy ranges), or an attacker can simply go around the WAF.
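A security policy that implements the controls above, added here as an example that is not part of the original page: preconfigured WAF rules for SQL injection and cross-site scripting, Adaptive Protection for Layer 7 DDoS, a per-IP rate limit, attachment to the load balancer's backend service, and the VPC firewall rule that closes the bypass path. The backend service's health check, instance group and network are placeholders.

```hcl
# Added example, not part of the original page. The health check, instance
# group, network and names are placeholders.

resource "google_compute_security_policy" "edge" {
  name = "edge-waf"

  # Layer 7 DDoS defence: Adaptive Protection baselines normal traffic and
  # raises alerts (or suggested rules) against anomalous sources.
  adaptive_protection_config {
    layer_7_ddos_defense_config {
      enable = true
    }
  }

  # Preconfigured OWASP CRS rule sets. Sensitivity 1 uses only the
  # lowest-false-positive signatures; raise it once exclusions are tuned.
  rule {
    priority    = 1000
    action      = "deny(403)"
    description = "Block SQL injection"
    match {
      expr {
        expression = "evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1})"
      }
    }
  }

  rule {
    priority    = 1010
    action      = "deny(403)"
    description = "Block cross-site scripting"
    match {
      expr {
        expression = "evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 1})"
      }
    }
  }

  # Per-client throttle: above 200 requests per minute from one IP, answer 429.
  rule {
    priority    = 2000
    action      = "throttle"
    description = "Per-IP rate limit"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
    rate_limit_options {
      conform_action = "allow"
      exceed_action  = "deny(429)"
      enforce_on_key = "IP"
      rate_limit_threshold {
        count        = 200
        interval_sec = 60
      }
    }
  }

  # Every policy needs a default rule at the lowest priority.
  rule {
    priority    = 2147483647
    action      = "allow"
    description = "Default allow"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
  }
}

# The policy takes effect only once attached to the load balancer's backend service.
resource "google_compute_backend_service" "web" {
  name            = "web-backend"
  protocol        = "HTTP"
  security_policy = google_compute_security_policy.edge.id
  health_checks   = ["projects/example-project/global/healthChecks/web-hc"]         # placeholder
  backend {
    group = "projects/example-project/zones/us-central1-a/instanceGroups/web-ig"   # placeholder
  }
}

# Cloud Armor inspects only traffic that enters through the load balancer, so
# the backends must accept connections solely from Google's front-end proxy and
# health-check ranges; a VM with a reachable external IP would bypass the WAF.
resource "google_compute_firewall" "lb_only" {
  name          = "allow-lb-proxies-only"
  network       = "default"                                   # placeholder
  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]
  target_tags   = ["web"]
  allow {
    protocol = "tcp"
    ports    = ["8080"]
  }
}
```

Roll new WAF rules out with `action = "deny(403)"` replaced by a preview flag first (Cloud Armor's preview mode logs matches without enforcing them), then watch the Cloud Armor request logs in Cloud Logging for false positives before enforcing; sensitivity levels above 1 block more but need per-application exclusions.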

Exam trap

The trap here is that candidates confuse Cloud Armor (a WAF/DDoS protection service) with VPC firewall rules (Cloud Firewall), which only provide stateful packet filtering at the network layer and cannot inspect application-layer attacks like SQL injection.

How to eliminate wrong answers

Option A is wrong because Cloud Firewall (VPC firewall rules) operates at Layer 3/4 within the VPC network, not in front of the load balancer, and cannot inspect application-layer payloads like SQL injection patterns. Option C is wrong because Cloud VPN is a secure tunnel for connecting on-premises networks to Google Cloud, not a security service for filtering internet traffic or blocking web attacks. Option D is wrong because Cloud Identity-Aware Proxy (IAP) controls access to applications based on user identity and context (e.g., OAuth, SSO), not by inspecting traffic for malicious payloads or volumetric DDoS attacks.

352
MCQhard

An architect is evaluating whether to use a relational database or a NoSQL database for a new application that must store product catalog data. Products have highly variable attributes — a book has ISBN, author, and genre; a bicycle has frame size, wheel diameter, and material. Which database characteristic makes NoSQL document databases advantageous for this use case?

A.NoSQL databases always provide faster query performance than relational databases for all use cases
B.NoSQL document databases support flexible schemas where each document can have different fields — making them well-suited for product catalogs where different product types have different attributes
C.NoSQL databases support ACID transactions better than relational databases, making them safer for product catalog updates
D.NoSQL databases are simpler to query because they don't require learning SQL
AnswerB

Schema flexibility is the key advantage here. In a relational table, all rows share the same columns — a shared schema requires either many NULL columns (one per possible attribute across all product types) or complex entity-attribute-value designs. Document databases store each product as a flexible JSON document, accommodating variable attributes naturally without schema changes.

Why this answer

NoSQL document databases, such as MongoDB, store data in flexible, schema-less documents (often JSON or BSON). This allows each document to have a different set of fields, making them ideal for product catalogs where a book and a bicycle have entirely different attributes (e.g., ISBN vs. frame size). Relational databases require a predefined schema with fixed columns, forcing you to either create many sparse columns or use complex join tables to handle variable attributes.

Exam trap

Google Cloud often tests the misconception that NoSQL is always faster or simpler than SQL, but the real advantage here is schema flexibility, not performance or ease of querying.

How to eliminate wrong answers

Option A is wrong because NoSQL databases do not always provide faster query performance; relational databases can be faster for complex joins and aggregations, and performance depends on the specific use case and indexing. Option C is wrong because NoSQL databases typically relax ACID guarantees (e.g., eventual consistency) to achieve scalability, while relational databases offer stronger ACID transactions, making them safer for critical updates. Option D is wrong because NoSQL databases often require learning their own query languages or APIs (e.g., MongoDB's aggregation pipeline), and SQL is a standardized, widely understood language; the simplicity of querying depends on the task, not the database type.

353
Drag & Dropmedium

Drag and drop the steps to set up a Cloud Storage bucket with uniform bucket-level access into the correct order.

Why this order

The process begins with accessing Cloud Storage, then creating a bucket, naming it, selecting storage settings, and enabling uniform access control.

354
MCQhard

A company's cloud architect explains that their new system uses 'eventual consistency' for some data operations. A business stakeholder asks why the system won't always show the most up-to-date data immediately. What is the trade-off being made?

A.Eventual consistency is a bug — the system should be fixed to always show current data.
B.Eventual consistency trades immediate data accuracy for higher availability and better performance — all nodes will converge to the same value, just not instantaneously.
C.Eventual consistency means data is eventually deleted, which reduces storage costs.
D.Eventual consistency only applies to deleted data — new data always appears immediately.
AnswerB

In eventually consistent systems, writes propagate asynchronously. All replicas converge to the same value within a short time window. This enables higher throughput and availability than strong consistency, which requires synchronous coordination across all nodes.

Why this answer

Option B is correct because eventual consistency is a deliberate design choice in distributed systems (such as those using Amazon DynamoDB or Apache Cassandra) where the system prioritizes high availability and low-latency reads/writes over immediate consistency. Under the hood, data updates propagate asynchronously to replicas, and all nodes will eventually converge to the same value via mechanisms like gossip protocols or vector clocks, but there is a window where stale data may be returned. This trade-off is fundamental to the CAP theorem, which states that in a distributed data store, you can only guarantee two of Consistency, Availability, and Partition Tolerance simultaneously.

Exam trap

Google Cloud often tests the misconception that eventual consistency is a fault or a temporary bug, when in fact it is a deliberate design trade-off to achieve high availability and partition tolerance in distributed systems.

How to eliminate wrong answers

Option A is wrong because eventual consistency is not a bug; it is a deliberate architectural trade-off defined in the CAP theorem, and fixing it to always show current data would require sacrificing availability or partition tolerance. Option C is wrong because eventual consistency does not mean data is eventually deleted; it refers to the timing of data propagation across replicas, not data retention or deletion policies. Option D is wrong because eventual consistency applies to all data operations (writes, updates, deletes), not just deleted data; new data may also not appear immediately on all nodes until the asynchronous replication completes.

355
MCQeasy

A company runs a data processing pipeline on a single Compute Engine instance in us-west1-a. The instance reads data from Cloud Storage, processes it, and writes results back to Cloud Storage. The pipeline runs once per day and takes about 6 hours. Recently, the instance has been experiencing out-of-memory errors, causing the pipeline to fail. The operations team wants a cost-effective solution that can handle varying data volumes without manual intervention. They also want to ensure the pipeline completes within the daily window. What should they do?

A.Use a managed instance group with autoscaling based on CPU utilization.
B.Redesign the pipeline to run on Cloud Dataflow and use batch mode with autoscaling.
C.Redesign the pipeline to run on Cloud Dataflow and use streaming mode.
D.Increase the memory of the existing instance to a larger machine type.
AnswerB

Batch mode with autoscaling handles variable volumes and is cost-effective.

Why this answer

Option B is correct because redesigning the pipeline to use Cloud Dataflow batch mode with autoscaling automatically handles varying data volumes and scales resources as needed, ensuring completion within the daily window while remaining cost-effective (you pay only for the resources actually used). Option A is incorrect because managed instance groups with CPU autoscaling are not designed for batch jobs; they would not scale properly for a single long-running job. Option C is incorrect because Dataflow streaming mode is for continuous processing, not a daily batch run. Option D is incorrect because increasing memory on a single instance does not address scalability across variable data volumes and may not be cost-effective.

356
MCQeasy

A cloud architect wants to ensure that only certain users in the finance team can access a Cloud Storage bucket containing invoices. They also want to log all access attempts. Which two services should they use?

A.IAM and Cloud Audit Logs
B.Cloud NAT and Cloud Audit Logs
C.Cloud NAT and Cloud Load Balancing
D.IAM and Cloud CDN
AnswerA

IAM controls access; Cloud Audit Logs provide data access logging.

Why this answer

IAM (Identity and Access Management) is used to grant specific users (e.g., finance team members) granular access to the Cloud Storage bucket via roles like roles/storage.objectViewer. Cloud Audit Logs (specifically Admin Activity and Data Access audit logs) capture all access attempts, including who accessed the bucket, when, and from which IP address, meeting the logging requirement.

Exam trap

Google Cloud often tests the distinction between network-level services (like Cloud NAT, Cloud Load Balancing, Cloud CDN) and identity/audit services (IAM, Cloud Audit Logs), so candidates mistakenly choose networking options when the question explicitly asks about user access control and logging.

How to eliminate wrong answers

Option B is wrong because Cloud NAT (Network Address Translation) is used to enable outbound internet connectivity for private instances, not for controlling user access to Cloud Storage or logging access attempts. Option C is wrong because Cloud NAT and Cloud Load Balancing are networking services that do not provide identity-based access control or audit logging for Cloud Storage. Option D is wrong because Cloud CDN (Content Delivery Network) is used to cache content for low-latency delivery, not to restrict access to a bucket based on user identity or to log access attempts.

357
MCQmedium

A financial services company is subject to regulations requiring them to demonstrate that their cloud provider's employees cannot access customer data without the customer's explicit approval. Which Google Cloud feature most directly addresses this requirement?

A.Customer-Managed Encryption Keys (CMEK), where the customer controls the encryption key and can revoke access
B.Access Transparency and Access Approval, which log and require explicit customer approval for Google personnel access to customer content
C.Cloud Audit Logs, which record all customer actions within Google Cloud
D.VPC Service Controls, which prevent Google employees from accessing resources inside the service perimeter
AnswerB

Access Transparency logs all Google personnel access to customer content with justification codes. Access Approval requires Google to request explicit customer approval before accessing customer data. Together they directly address the regulatory requirement for customer oversight of provider access to their data.

Why this answer

Access Transparency and Access Approval directly address the regulatory requirement by providing near real-time logs of Google personnel actions on customer content and requiring explicit customer approval before such access can occur. Access Transparency logs every access attempt by Google employees, while Access Approval allows customers to approve or deny those requests, ensuring no unauthorized access without customer consent.

Exam trap

Google Cloud often tests the distinction between encryption key control (CMEK) and access governance (Access Transparency/Approval), leading candidates to mistakenly choose CMEK because they conflate key management with personnel access control.

How to eliminate wrong answers

Option A is wrong because Customer-Managed Encryption Keys (CMEK) give customers control over encryption keys but do not log or require approval for Google personnel access to customer content; they protect data at rest but do not govern access by Google employees. Option C is wrong because Cloud Audit Logs record actions taken by customers within their own projects, not actions by Google personnel accessing customer content. Option D is wrong because VPC Service Controls create a security perimeter to prevent data exfiltration by customers or their resources, but they do not prevent Google employees from accessing resources inside the perimeter; they are designed to control data movement, not Google personnel access.

358
MCQeasy

A team uses Google Workspace (Gmail, Docs, Sheets) for their daily work. They do not manage any servers or software installation — Google maintains everything. Which cloud service model does Google Workspace represent?

A.Infrastructure as a Service (IaaS)
B.Platform as a Service (PaaS)
C.Software as a Service (SaaS)
D.Database as a Service (DBaaS)
AnswerC

Google Workspace delivers fully managed productivity applications over the internet. No infrastructure, OS, or application management by the user — just data and user configuration.

Why this answer

Google Workspace is a classic example of Software as a Service (SaaS) because users access applications like Gmail, Docs, and Sheets via a web browser without managing the underlying infrastructure, operating systems, or software installations. Google handles all maintenance, security patching, and uptime, which aligns with the SaaS model where the provider delivers fully functional software over the internet. Unlike IaaS or PaaS, the end-user does not control the runtime environment or deploy custom code on the platform.

Exam trap

Google Cloud often tests the misconception that any cloud service involving 'platform' or 'infrastructure' terms must be PaaS or IaaS. The trap here is that Google Workspace is a fully managed application suite, not a platform for building or hosting custom code, so candidates mistakenly select PaaS when they see 'Google' and think of App Engine.

How to eliminate wrong answers

Option A is wrong because Infrastructure as a Service (IaaS) provides virtualized computing resources like virtual machines, storage, and networks, where the user manages the OS and applications — Google Workspace users do not provision or manage any virtual servers. Option B is wrong because Platform as a Service (PaaS) offers a runtime environment for developers to deploy custom applications without managing the underlying infrastructure, but Google Workspace delivers ready-to-use applications, not a development platform. Option D is wrong because Database as a Service (DBaaS) specifically provides managed database instances (e.g., Cloud SQL, Amazon RDS), whereas Google Workspace is a suite of end-user productivity applications, not a database service.

359
MCQhard

A company uses Google Cloud across 5 teams, 20 projects, and 3 regions. They want to enforce a standard that all resources include specific labels (e.g., `team`, `environment`, `cost-center`) for cost attribution and governance. What is the most scalable way to enforce this labeling standard?

A.Send monthly reminders to all teams via email to add labels to their resources.
B.Enforce labeling through IaC templates with required label variables in CI/CD pipelines, and use Cloud Asset Inventory to audit compliance.
C.Manually add labels to all existing and new resources through the Cloud Console.
D.Grant only project owners permission to create resources, and rely on them to enforce labeling.
AnswerB

IaC templates with required label variables prevent deployment of unlabeled resources. CI/CD policy gates reject non-compliant configurations. Cloud Asset Inventory provides ongoing audit of label compliance across all projects.

Why this answer

Option B is correct because it combines Infrastructure as Code (IaC) templates with required label variables in CI/CD pipelines to enforce labeling at resource creation time, and uses Cloud Asset Inventory to audit and detect non-compliant resources. This approach is scalable across 5 teams, 20 projects, and 3 regions because it automates enforcement and provides continuous compliance monitoring without manual intervention.

Exam trap

The trap here is that candidates may choose a manual or human-dependent option (like A or D) because they underestimate the scale and automation requirements of a multi-team, multi-project environment, failing to recognize that only IaC with automated auditing provides scalable enforcement.

How to eliminate wrong answers

Option A is wrong because sending monthly reminders is a manual, reactive process that does not prevent non-compliant resources from being created, and it does not scale across multiple teams and projects. Option C is wrong because manually adding labels through the Cloud Console is error-prone, does not scale to 20 projects and 3 regions, and cannot enforce labeling on new resources automatically. Option D is wrong because relying solely on project owners to enforce labeling is not scalable or auditable; it depends on human compliance and does not provide automated enforcement or detection of violations.

360
Multi-Selectmedium

Which TWO statements about Cloud Identity-Aware Proxy (IAP) are correct?

Select 2 answers
A.IAP encrypts data at rest by default
B.IAP can be used to protect access to Compute Engine VMs via SSH and RDP without a VPN
C.IAP only works with Google Cloud applications
D.IAP uses the identity of the user and the context of the request to decide whether to allow access
E.IAP requires using a third-party identity provider
AnswersB, D

IAP allows SSH/RDP without public IPs or VPNs.

Why this answer

Option B is correct because Cloud IAP enables identity-based access to Compute Engine instances via SSH and RDP without requiring a VPN or bastion host. IAP uses the user's identity and request context to create a secure tunnel, forwarding traffic to the instance over HTTPS and verifying the user's credentials before allowing the connection.

Exam trap

Google Cloud often tests the misconception that IAP is limited to Google Cloud services or that it requires a third-party identity provider, when in fact IAP supports hybrid access and can use Google-managed identities without external IdPs.

361
MCQmedium

A CTO explains to her board that moving to cloud reduces the company's 'total cost of ownership' compared to running an on-premises data center. Which cost category is most commonly underestimated in on-premises TCO calculations?

A.Hardware acquisition costs, which are typically overestimated in on-premises environments
B.IT staff labor costs for ongoing maintenance, patching, hardware replacement, and operations, which are frequently underestimated in on-premises TCO
C.Software licensing costs, which are always higher on-premises than in the cloud
D.Internet bandwidth costs, which are negligible on-premises
AnswerB

Labor is the most underestimated cost in on-premises TCO. Hardware maintenance, OS patching, firmware updates, capacity planning, hardware failure response, data center cooling management — these represent substantial ongoing costs that are often not fully attributed to infrastructure when comparing against cloud.

Why this answer

Option B is correct because on-premises TCO calculations frequently underestimate the labor costs associated with ongoing IT staff tasks such as applying security patches, performing hardware replacements, managing firmware updates, and handling day-to-day operations. These operational expenses (OpEx) accumulate over the lifecycle of the data center and often exceed the initial capital expenditure (CapEx) for hardware, making them a critical but overlooked component in total cost of ownership comparisons with cloud providers like AWS, Azure, or GCP.

Exam trap

Google Cloud often tests the misconception that hardware acquisition costs are the primary driver of on-premises TCO, when in reality the underestimated labor for ongoing maintenance and operations is the most common blind spot in TCO comparisons.

How to eliminate wrong answers

Option A is wrong because hardware acquisition costs are typically a well-understood and accurately estimated capital expense in on-premises TCO, not overestimated; the common mistake is underestimating ongoing operational costs, not hardware. Option C is wrong because software licensing costs are not always higher on-premises; many enterprise licenses (e.g., Microsoft SQL Server, Oracle) can be more expensive in the cloud due to bring-your-own-license (BYOL) restrictions or per-core pricing models, and the statement is an absolute that ignores licensing portability and hybrid scenarios. Option D is wrong because internet bandwidth costs are not negligible on-premises; they can be significant for data center connectivity, especially for high-throughput or geographically distributed workloads, and cloud providers often charge egress fees that make bandwidth a non-trivial cost factor.

362
MCQmedium

Google operates its data centers using 100% renewable energy and has committed to running all operations on carbon-free energy 24/7 by 2030. How does this sustainability posture benefit a company that migrates its workloads to Google Cloud?

A.Companies must purchase separate carbon offset credits to claim sustainability benefits from using Google Cloud.
B.The company's Scope 2 carbon emissions decrease because Google's infrastructure runs on renewable energy and operates more efficiently than typical enterprise data centers.
C.Only companies that purchase the Google Cloud Carbon Footprint add-on receive sustainability benefits.
D.Sustainability benefits are only available in specific geographic regions where Google has solar farms.
AnswerB

Google's 100% renewable energy commitment means customer workloads run on clean energy. Hyperscale data center efficiency also means less energy per compute unit vs. typical on-premises data centers.

Why this answer

Option B is correct because when a company migrates workloads to Google Cloud, it inherits Google's carbon-free energy procurement for its infrastructure. This directly reduces the company's Scope 2 emissions (indirect emissions from purchased electricity) since Google's data centers are powered by 100% renewable energy and operate with industry-leading efficiency (e.g., average PUE of 1.10). The company does not need to purchase separate offsets or add-ons to realize this benefit.

Exam trap

The trap here is that candidates may think sustainability benefits require additional purchases or are regionally restricted, when in fact Google's global renewable energy matching and efficiency gains automatically reduce a customer's Scope 2 emissions without extra steps.

How to eliminate wrong answers

Option A is wrong because Google Cloud customers automatically benefit from Google's renewable energy matching without purchasing separate carbon offset credits; Google matches 100% of its global electricity consumption with renewable energy annually. Option C is wrong because the Google Cloud Carbon Footprint tool is a free feature that provides visibility into gross carbon emissions, but the sustainability benefit (reduced Scope 2 emissions) exists regardless of using that tool. Option D is wrong because Google's renewable energy matching is global—it applies across all regions where Google Cloud operates, not only in regions with solar farms, through the use of renewable energy certificates (RECs) and power purchase agreements (PPAs).

363
MCQeasy

A company wants to send transactional emails (receipts, password resets) and marketing emails at scale from their application. Which approach is recommended when using Google Cloud?

A.Use Gmail to manually send all transactional emails.
B.Integrate a third-party email delivery service (e.g., SendGrid, Mailgun) with the GCP application.
C.Use BigQuery to store and send emails directly to customers.
D.Deploy an SMTP server on Compute Engine and send emails directly from GCP IP addresses.
AnswerB

Third-party email services provide the deliverability, API access, bounce handling, and analytics needed for transactional email at scale. Google Cloud doesn't include a native email sending service.

Why this answer

Option B is correct because Google Cloud does not provide a native transactional email service, so integrating a dedicated third-party email delivery service like SendGrid or Mailgun is the recommended approach. These services handle deliverability, reputation management, and compliance with email standards (e.g., SPF, DKIM, DMARC), which are critical for high-volume transactional and marketing emails. Using GCP's native services like Cloud Functions or App Engine to send emails directly would rely on SMTP relays that often have strict sending limits and poor deliverability.

Exam trap

Google Cloud often tests the misconception that GCP provides a built-in email sending service (like AWS SES) or that a self-managed SMTP server on Compute Engine is a viable solution, ignoring the critical importance of IP reputation and deliverability at scale.

How to eliminate wrong answers

Option A is wrong because Gmail is designed for personal or small-scale use, not for programmatic, high-volume transactional email; it has strict sending limits (e.g., 500 recipients per day for free accounts) and lacks APIs for automated bulk sending. Option C is wrong because BigQuery is a data warehouse for analytics, not an email delivery service; it has no SMTP or API capabilities to send emails directly to customers. Option D is wrong because sending emails directly from GCP IP addresses via a self-managed SMTP server on Compute Engine leads to poor deliverability, as GCP IP ranges are often blacklisted by major email providers (e.g., Gmail, Outlook) due to past abuse, and managing reputation, SPF/DKIM/DMARC, and bounce handling is complex and unreliable at scale.

364
MCQhard

A global fintech company needs a database that can handle financial transactions across 50+ countries with consistent, ACID-compliant operations, SQL queries, and automatic global replication with no downtime for maintenance. Which Google Cloud database service meets all these requirements?

A.Cloud SQL (PostgreSQL)
B.Cloud Spanner
C.Cloud Bigtable
D.Firestore
AnswerB

Cloud Spanner provides ACID transactions, SQL support, and automatic global replication across multiple regions with 99.999% availability. It's designed for exactly this global financial transaction use case.

Why this answer

Cloud Spanner is the only Google Cloud database that provides ACID-compliant transactions, full SQL support, and automatic synchronous global replication with no downtime for maintenance. It is designed for horizontally scalable, globally distributed applications that require strong consistency across regions, making it the ideal choice for a fintech company operating in 50+ countries.

Exam trap

Google Cloud often tests the misconception that Cloud SQL can be made globally consistent with replication, but Cloud SQL replicas are read-only and asynchronous, so they cannot provide the strong ACID writes across regions that Cloud Spanner offers.

How to eliminate wrong answers

Option A is wrong because Cloud SQL (PostgreSQL) is a single-region, single-write database that does not support automatic global replication or horizontal scaling across multiple regions; it requires manual failover and downtime for major maintenance. Option C is wrong because Cloud Bigtable is a NoSQL, wide-column database that does not support SQL queries or ACID transactions across rows; it is designed for high-throughput analytical workloads, not transactional financial operations. Option D is wrong because Firestore is a NoSQL document database that does not support SQL queries and provides only eventual consistency in multi-region mode, not the strong ACID consistency required for financial transactions.

365
MCQhard

A security audit finds that a company's application service accounts have been granted broad IAM roles (e.g., Storage Admin on the entire project) when they only need to read specific Cloud Storage buckets. The auditor recommends following the principle of least privilege. What is the most precise way to implement this for the Cloud Storage use case?

A.Grant the Storage Admin role at the project level but add a condition that limits it to specific operations
B.Grant Storage Object Viewer (read-only) at the specific bucket level for each service account that needs read access — not at the project level
C.Create a custom IAM role that combines all permissions from all predefined roles but removes the most dangerous ones
D.Use the same broad Storage Admin role but rotate the service account key every 90 days to reduce the window of exposure
AnswerB

This is the most precise least-privilege implementation. Storage Object Viewer grants read access to objects within a bucket. Binding it at the bucket level (not project) means the service account can only read from that specific bucket — not create buckets, not access other buckets, not delete objects. This minimizes blast radius if the service account is compromised.

Why this answer

Option B is correct because it grants the minimal required permission (Storage Object Viewer) at the specific bucket level, adhering to the principle of least privilege. This ensures the service account can only read objects in that bucket and cannot perform any other storage operations, even accidentally. Granting roles at the resource level (bucket) rather than the project level eliminates unnecessary broad access.

Exam trap

The trap here is that candidates often think project-level roles with conditions are sufficient, but conditions do not restrict the scope of resources the role applies to—only the actions or attributes—so the role still applies to all resources in the project.

How to eliminate wrong answers

Option A is wrong because granting Storage Admin at the project level, even with a condition, still grants the role's full permissions (including delete and update) on all buckets in the project, violating least privilege. Option C is wrong because creating a custom role by combining all permissions from predefined roles and removing 'dangerous' ones is imprecise and error-prone; the correct approach is to start with the minimal permissions needed (e.g., storage.objects.get) rather than removing from a broad set. Option D is wrong because rotating keys does not reduce the permissions granted; the service account still retains the overly broad Storage Admin role, which is the core security issue.

366
Drag & Dropmedium

Drag and drop the steps to enable and use Cloud Audit Logs for a project into the correct order.

Why this order

First navigate to audit logs, then select services and log types, save, and finally view the logs.

367
MCQeasy

What does 'durability' mean for cloud storage services, and how is it different from 'availability'?

A.Durability and availability are the same thing — both measure how often data can be accessed.
B.Durability measures the probability data won't be lost; availability measures the percentage of time data can be accessed — a service can be temporarily unavailable while data remains durable.
C.Durability refers to network speed; availability refers to storage capacity.
D.High availability automatically guarantees high durability, so both terms describe the same SLA.
AnswerB

Data can be physically safe (11-nine durability) but temporarily inaccessible during maintenance or outage (lower availability). These are orthogonal properties that storage services optimize for independently.

Why this answer

Durability measures the probability that stored data will not be lost or corrupted over time, typically expressed as a percentage (e.g., 99.999999999% for Amazon S3). Availability measures the percentage of time a service is operational and accessible, often defined in SLAs (e.g., 99.99% uptime). A service can be temporarily unavailable (e.g., due to maintenance) while the data remains intact and durable, so they are distinct concepts.

Exam trap

Google Cloud often tests the misconception that durability and availability are interchangeable or that one automatically implies the other, so candidates must remember that a service can be down (low availability) yet still preserve all data (high durability).

How to eliminate wrong answers

Option A is wrong because it incorrectly equates durability and availability, ignoring that durability focuses on data integrity against loss/corruption while availability focuses on uptime and accessibility. Option C is wrong because durability has nothing to do with network speed; it is about data persistence, and availability is about uptime, not storage capacity. Option D is wrong because high availability does not guarantee high durability; for example, a replicated system can be highly available but still lose data if replication is asynchronous or if a catastrophic failure occurs before replication completes.

368
Matchingmedium

Match each Google Cloud serverless compute option to its characteristic.

Event-driven, short-lived functions

Container-based, scales to zero

Platform as a Service (PaaS) with automatic scaling

Orchestration of services and APIs

Event routing and management service

Why these pairings

These are serverless compute options in Google Cloud.

369
MCQeasy

A mid-sized logistics company runs its core tracking application on a single on-premises server. The application is critical for real-time package tracking and customer notifications. Recently, during a regional power outage, the server went down for 6 hours, causing significant customer dissatisfaction and loss of revenue. The company wants to move to Google Cloud to improve availability and disaster recovery. They have a limited IT team with minimal cloud experience and a tight budget. The application is a monolithic Java application that currently runs on a Linux server with a MySQL database. The company needs a solution that minimizes operational overhead and provides automatic failover across regions. Which course of action should they take?

A.Refactor the application to run on App Engine and use Cloud SQL with a cross-region replica for failover.
B.Lift and shift the application to a single Compute Engine VM and use a Cloud SQL instance in the same region.
C.Deploy the application on Compute Engine with a regional managed instance group and use Cloud SQL with high availability.
D.Containerize the application and run it on Google Kubernetes Engine with a multi-cluster setup across regions.
AnswerC

Correct: This provides automatic failover across zones and managed database, balancing cost and operational overhead.

Why this answer

Option C is correct because a regional managed instance group (MIG) spreads the Compute Engine VMs across multiple zones in one region and automatically recreates instances that fail their health checks, while Cloud SQL high availability (HA) keeps a synchronously replicated standby in a different zone of the same region and fails over to it automatically. Together they provide automatic failover across zones without refactoring the monolithic application. Strictly speaking this is zonal, not cross-region, failover; none of the options gives fully automatic cross-region failover for Cloud SQL, so C is the best fit because it delivers automatic failover at the lowest complexity, and a cross-region read replica can be added later for disaster recovery. This minimizes operational overhead for a small IT team with limited cloud experience and fits a tight budget by avoiding container orchestration or multi-cluster setups.

Exam trap

Google Cloud often tests the misconception that cross-region replicas provide automatic failover, but in reality, they require manual promotion, whereas Cloud SQL HA within a region provides automatic failover with synchronous replication.

How to eliminate wrong answers

Option A is wrong because refactoring the monolithic Java application to run on App Engine would require significant code changes, which the company's limited IT team cannot absorb, and a cross-region Cloud SQL replica does not provide automatic failover (it must be promoted manually). Option B is wrong because a single Compute Engine VM and a non-HA Cloud SQL instance each live in one zone, so a single zone outage takes down both the application and the database with no automatic failover at all, which does not meet the availability goal. Option D is wrong because containerizing the application and running it on Google Kubernetes Engine with a multi-cluster setup across regions introduces high complexity and operational overhead, which is unsuitable for a team with minimal cloud experience and a tight budget.

370
MCQeasy

Which term describes a physical or conceptual object (like a factory machine, building, or supply chain) that is represented as a digital model in the cloud, allowing simulation and analysis without touching the physical object?

A.Virtual machine — a software-based simulation of a computer.
B.Digital twin — a real-time digital model of a physical object or system updated by sensor data.
C.Container — a lightweight application packaging format.
D.Microservice — a small, independently deployable application component.
AnswerB

Digital twins mirror physical entities in real time. Cloud IoT and AI enable continuous data ingestion from sensors and simulation capabilities that power manufacturing, infrastructure, and logistics optimization.

Why this answer

A digital twin is a virtual representation of a physical object or system—such as a factory machine, building, or supply chain—that is continuously updated with real-time sensor data. This model lives in the cloud, enabling simulation, monitoring, and analysis without needing to interact with the physical asset. The key differentiator is the bidirectional data flow between the physical and digital worlds, which allows predictive maintenance and optimization.

Exam trap

Google Cloud often tests the distinction between a digital twin and a virtual machine, trapping candidates who confuse 'virtual representation of a physical object' with 'virtualization of computing resources.'

How to eliminate wrong answers

Option A is wrong because a virtual machine is a software-based emulation of a physical computer, not a representation of a physical object like a machine or building; it abstracts hardware resources rather than mirroring a specific real-world entity. Option C is wrong because a container is a lightweight, portable packaging format for applications and their dependencies, designed for consistent deployment across environments, not for modeling physical assets. Option D is wrong because a microservice is a small, independently deployable component of a larger application architecture, focused on business logic, not on creating a digital replica of a physical system.

371
MCQeasy

A company's security policy requires all employees to verify their identity using more than just a password when accessing Google Cloud resources. What security feature enforces this requirement?

A.Password complexity requirements — enforcing long, complex passwords.
B.Multi-factor authentication (MFA) / Two-step verification (2SV).
C.IP allowlisting — only allowing access from office IP addresses.
D.Session timeout — automatically logging out users after 30 minutes of inactivity.
AnswerB

MFA requires a second factor beyond the password — physical security keys, TOTP apps, or other verifiers. Even if a password is stolen, the second factor prevents unauthorized access.

Why this answer

Multi-factor authentication (MFA) / Two-step verification (2SV) is the correct answer because it requires users to present two or more independent verification factors (something you know, something you have, something you are) to access Google Cloud resources. This directly enforces the policy of verifying identity beyond just a password: after the password, the user must supply a second factor such as a time-based one-time password (TOTP) from an authenticator app, a hardware security key (for example FIDO2), or a Google prompt on an enrolled phone. For a workforce, 2SV is enforced through Cloud Identity or Google Workspace admin policies, which can also require security keys only (the most phishing-resistant option), so a compromised password on its own is not sufficient for access.

Exam trap

The trap here is that candidates confuse 'stronger authentication' with 'stronger passwords' (Option A) or 'access restrictions' (Option C), failing to recognize that the core requirement is adding an independent second factor, not just hardening the single password factor.

How to eliminate wrong answers

Option A is wrong because password complexity requirements only enforce stronger passwords (e.g., length, character types) but do not add a second verification factor; they still rely solely on something you know, which does not meet the 'more than just a password' requirement. Option C is wrong because IP allowlisting restricts access based on network origin (e.g., office IP addresses) but does not verify the user's identity beyond the password; it is a network-level control, not an authentication factor. Option D is wrong because session timeout automatically ends an inactive session after a set period (e.g., 30 minutes) but does not require any additional identity verification beyond the initial password-based login; it addresses session management, not authentication strength.
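To make the "something you have" factor concrete, the following is an added example (not code from the original page or from Google) of how a TOTP second factor is generated and checked on the server side. The secret is the RFC 4226 / RFC 6238 test-vector seed, shown base32-encoded the way an authenticator app receives it; the class and function names are this example's own, not a Google API. The verifier tolerates one 30-second step of clock skew and refuses to accept the same time step twice, so a code captured from a phished user cannot be replayed.

```python
import base64
import hashlib
import hmac
import struct

# Demo secret: the RFC 4226 / RFC 6238 test-vector seed (ASCII "12345678901234567890"),
# base32-encoded as it would be when provisioned into an authenticator app. Constructed for this example.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret_b32, unix_time // step, digits)


class TotpVerifier:
    """Server-side check of the second factor (hypothetical helper, not a Google library).

    Accepts codes from `skew` adjacent steps to absorb clock drift, and remembers the
    highest step already accepted so that a sniffed or phished code cannot be replayed.
    """

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret = secret_b32
        self.step = step
        self.digits = digits
        self.skew = skew
        self._last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for delta in range(-self.skew, self.skew + 1):
            candidate = current + delta
            if candidate <= self._last_accepted_step:
                continue  # already consumed: replay attempt
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self._last_accepted_step = candidate
                return True
        return False


def login(password_ok: bool, otp_code: str, verifier: TotpVerifier, unix_time: int) -> bool:
    """Both factors must pass: a stolen password alone never grants access."""
    if not password_ok:
        return False
    return verifier.verify(otp_code, unix_time)


if __name__ == "__main__":
    v = TotpVerifier(DEMO_SECRET_B32)
    code = totp(DEMO_SECRET_B32, 59)
    print("code at t=59:", code, "first use:", login(True, code, v, 59), "replay:", login(True, code, v, 59))
```

At t=59 the code is 287082, which is also the HOTP value for counter 1 in RFC 4226, so the two functions can be cross-checked against the published vectors. In production the secret would be stored encrypted (for example in Secret Manager or a KMS-wrapped field), never alongside the password hash in plain text.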

372
MCQeasy

An operations team wants to receive an automated alert when their web application's HTTP error rate exceeds 5% for more than 5 minutes. Which Google Cloud product is used to configure this type of metric-based alert?

A.Cloud Logging, by configuring a log-based metric and email notification
B.Cloud Monitoring, by creating an alerting policy on the HTTP error rate metric with a 5-minute evaluation window and notification channel
C.Cloud Trace, by setting a trace sampling threshold for error requests
D.Security Command Center, by configuring a finding for high error rates
AnswerB

Cloud Monitoring is the correct service. An alerting policy specifies: the metric to watch (HTTP error rate), the threshold (5%), the evaluation window (5 minutes), and the notification channel (email, PagerDuty, Slack, etc.). This is a core Cloud Monitoring capability.

Why this answer

Cloud Monitoring is the correct service because it is purpose-built for creating alerting policies based on metrics like HTTP error rates. You can define a condition that triggers when the error rate exceeds 5% for a specified evaluation window (e.g., 5 minutes) and route the alert through a notification channel (e.g., email, Slack). This directly matches the requirement for a metric-based alert with a time-based threshold.

Exam trap

Google Cloud often tests the misconception that Cloud Logging can directly send alerts, but in reality, Cloud Logging only stores logs and log-based metrics; the alerting policy must always be configured in Cloud Monitoring.

How to eliminate wrong answers

Option A is wrong because Cloud Logging is used for storing and querying log data, not for creating metric-based alerts on HTTP error rates; while log-based metrics can be created, the alert itself must be configured in Cloud Monitoring, and Cloud Logging does not natively support email notification channels for alerts. Option C is wrong because Cloud Trace is a distributed tracing tool for analyzing request latency and performance, not for monitoring error rates or triggering alerts based on percentage thresholds. Option D is wrong because Security Command Center is a security and risk management service that provides findings for vulnerabilities and threats, not for operational metric-based alerting on web application error rates.
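The condition an alerting policy evaluates ("error rate above 5% for 5 consecutive minutes") is easy to misread, so here is an added example, not from the original page and not the Cloud Monitoring API, that applies the same logic locally to constructed request-log lines. It buckets requests per minute, computes the 5xx ratio, and opens an alert only once the threshold has been exceeded for the full duration, resetting on any healthy minute or gap in data. The log format and function names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log line format for this example: "<ISO timestamp> <method> <path> <status>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def synthesize_log(profile, start="2024-05-01T10:00:00Z"):
    """Constructed traffic: profile is a list of (errors, total) per minute, total <= 60."""
    t0 = datetime.strptime(start, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    lines = []
    for minute, (errors, total) in enumerate(profile):
        for n in range(total):
            ts = t0 + timedelta(minutes=minute, seconds=n)
            status = 503 if n < errors else 200
            lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} GET /api/track/{n} {status}")
    return lines


# Sustained incident: 3 healthy minutes (exactly 5%, not above) then 5 minutes at 15%.
INCIDENT_PROFILE = [(1, 20)] * 3 + [(3, 20)] * 5
# Short blip: only 4 bad minutes, then recovery, so the 5-minute duration is never met.
BLIP_PROFILE = [(1, 20)] * 3 + [(3, 20)] * 4 + [(0, 20)]


def parse_line(line):
    """Return (timestamp, status) or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, int(m["status"])


def per_minute_error_rates(lines):
    """Aggregate requests into one-minute buckets and return {minute: 5xx ratio}."""
    counts = defaultdict(lambda: [0, 0])  # minute -> [errors, total]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, status = parsed
        minute = ts.replace(second=0, microsecond=0)
        counts[minute][1] += 1
        if status >= 500:
            counts[minute][0] += 1
    return {minute: err / total for minute, (err, total) in sorted(counts.items())}


def evaluate_policy(rates, threshold=0.05, duration_minutes=5):
    """Mimic a threshold condition with a duration: the rate must stay above `threshold`
    for `duration_minutes` consecutive minutes. Returns the minute the alert opens, or None."""
    streak = 0
    previous = None
    for minute in sorted(rates):
        if previous is not None and minute - previous != timedelta(minutes=1):
            streak = 0  # missing data breaks the streak (conservative choice)
        if rates[minute] > threshold:
            streak += 1
            if streak >= duration_minutes:
                return minute
        else:
            streak = 0
        previous = minute
    return None


if __name__ == "__main__":
    for name, profile in (("incident", INCIDENT_PROFILE), ("blip", BLIP_PROFILE)):
        opened = evaluate_policy(per_minute_error_rates(synthesize_log(profile)))
        print(name, "->", opened.strftime("%H:%M") if opened else "no alert")
```

The incident profile opens the alert at 10:07, the fifth consecutive minute above 5%; the blip profile never does. In Cloud Monitoring the same three knobs appear as the condition threshold, the duration (retest window), and the notification channel, and the metric itself would come from the load balancer or a log-based metric rather than from parsing raw lines.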

373
MCQmedium

What is 'infrastructure as code' (IaC), and what problem does it solve compared to manually configuring cloud resources through a web console?

A.IaC is a programming language specifically for writing cloud applications.
B.IaC defines infrastructure in version-controlled code files, enabling reproducible, automated, and consistent environment provisioning versus error-prone manual console configuration.
C.IaC is a tool that automatically discovers and documents existing cloud infrastructure.
D.IaC requires writing custom Python scripts for every cloud resource type.
AnswerB

IaC makes infrastructure reproducible (apply the same code to get the same result), version-controlled (track changes like software), automated (CI/CD pipelines), and consistent (no manual variation).

Why this answer

Infrastructure as Code (IaC) is the practice of managing and provisioning cloud resources through machine-readable definition files (e.g., YAML, JSON, HCL) rather than through manual processes like clicking in a web console. The core problem it solves is eliminating the error-prone, inconsistent, and non-reproducible nature of manual configuration by enabling version-controlled, automated, and repeatable deployments. Tools like Terraform (which Google Cloud's Infrastructure Manager runs as a managed service), AWS CloudFormation, and Azure Resource Manager (ARM) templates are common IaC implementations: they converge the environment on the declared state and, by comparing declared state with what actually exists, surface drift introduced by out-of-band changes.

Exam trap

Google Cloud often tests the misconception that IaC is a specific tool or scripting language, rather than a methodology for reproducible infrastructure management, leading candidates to confuse it with automation scripts or discovery tools.

How to eliminate wrong answers

Option A is wrong because IaC is not a programming language for writing cloud applications; it is a methodology for defining and managing infrastructure resources using declarative or imperative configuration files. Option C is wrong because IaC does not automatically discover and document existing infrastructure; that is the function of inventory tools such as Cloud Asset Inventory on Google Cloud, AWS Config, or Terraformer, which are used for reverse-engineering what exists, not for defining infrastructure from scratch. Option D is wrong because IaC does not require custom Python scripts for every resource type; it typically uses domain-specific languages (e.g., HCL for Terraform, YAML for CloudFormation) or configuration files that abstract away the need for scripting each resource individually.

374
MCQhard

A company wants to ensure that sensitive data (credit card numbers, SSNs) stored in BigQuery is automatically identified and protected. They also want ongoing scanning to detect if any new data violates their data governance policies. Which Google Cloud service provides these capabilities?

A.Security Command Center — it scans BigQuery for sensitive data automatically.
B.Cloud Data Loss Prevention (Cloud DLP) with BigQuery inspection jobs.
C.Cloud Monitoring custom dashboards with SQL queries that search for PII patterns.
D.Cloud Audit Logs — they record all BigQuery queries and can identify when sensitive columns are accessed.
AnswerB

Cloud DLP (now part of Sensitive Data Protection) natively scans BigQuery tables to identify sensitive data using built-in and custom infoTypes. Scheduled inspection jobs (job triggers) provide continuous governance monitoring, and de-identification transforms such as masking or tokenization protect the data once it is found.

Why this answer

Cloud DLP with BigQuery inspection jobs is the correct choice because it provides both automated identification of sensitive data (such as credit card numbers and SSNs) within BigQuery tables and ongoing scanning capabilities via scheduled inspection jobs. Cloud DLP uses built-in infoType detectors to match patterns like credit card numbers (Luhn check) and SSNs, and can trigger actions or alerts when new data violates governance policies.

Exam trap

The trap here is that candidates confuse Security Command Center's broad security scanning with Cloud DLP's specific data-level inspection, or assume that logging or monitoring tools can perform content analysis without specialized pattern-matching engines.

How to eliminate wrong answers

Option A is wrong because Security Command Center does not itself inspect the contents of BigQuery tables; it provides security posture and threat findings for cloud resources, and any sensitive-data findings it surfaces come from Sensitive Data Protection (Cloud DLP), which is the engine that performs the data-level inspection. Option C is wrong because Cloud Monitoring custom dashboards with SQL queries cannot automatically identify PII patterns; they rely on manual query construction and lack the built-in pattern matching, checksum validation, and classification capabilities of Cloud DLP. Option D is wrong because Cloud Audit Logs record access and query activity, not the content of the data; they cannot identify or protect sensitive data within BigQuery tables.
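What a DLP inspection job actually does per cell is pattern matching plus validation, and the page's mention of the Luhn check is the key difference from a naive regex. The following is an added example, not the original page's code and not the Cloud DLP client library, that reproduces a simplified version of two built-in infoTypes (CREDIT_CARD_NUMBER with Luhn validation, US_SOCIAL_SECURITY_NUMBER with the standard structural rules) over constructed rows shaped like a BigQuery query result, then applies DLP-style character masking that keeps the last four digits. Row contents, infoType selection logic, and function names are this example's own assumptions; the real service also weighs surrounding context to assign a likelihood.

```python
import re

# Constructed sample rows as they might come back from a BigQuery query. Not real data.
SAMPLE_ROWS = [
    {"id": 1, "note": "Customer paid with card 4111 1111 1111 1111, thanks"},
    {"id": 2, "note": "Ref 4111111111111112 is an order number, not a card"},   # fails Luhn
    {"id": 3, "note": "SSN on file 123-45-6789; callback tomorrow"},
    {"id": 4, "note": "Ticket 000-12-3456 closed"},                             # invalid SSN area
    {"id": 5, "note": "No sensitive content here"},
]

# 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, sums, checks mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_credit_cards(text):
    """Candidate runs of digits that also pass Luhn; plain order numbers are rejected."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append((m.start(), m.end(), "CREDIT_CARD_NUMBER"))
    return hits


def find_ssns(text):
    """AAA-GG-SSSS where area is not 000, 666 or 9xx, group is not 00, serial is not 0000."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if area in ("000", "666") or area >= "900" or group == "00" or serial == "0000":
            continue
        hits.append((m.start(), m.end(), "US_SOCIAL_SECURITY_NUMBER"))
    return hits


def scan_rows(rows, column):
    """Inspect one column of every row; returns one finding per match with its location."""
    findings = []
    for row in rows:
        text = row[column]
        for start, end, info_type in find_credit_cards(text) + find_ssns(text):
            findings.append({"id": row["id"], "info_type": info_type, "start": start, "end": end})
    return findings


def mask_span(text, start, end, keep_last=4, mask_char="#"):
    """Character masking as a de-identification transform: digits masked except the final `keep_last` characters."""
    span = text[start:end]
    cutoff = len(span) - keep_last
    masked = "".join(mask_char if (c.isdigit() and i < cutoff) else c for i, c in enumerate(span))
    return text[:start] + masked + text[end:]


def deidentify_rows(rows, column):
    """Return new rows with every finding in `column` masked (input rows are not modified)."""
    out = []
    for row in rows:
        text = row[column]
        spans = find_credit_cards(text) + find_ssns(text)
        for start, end, _ in sorted(spans, reverse=True):  # right to left keeps earlier offsets valid
            text = mask_span(text, start, end)
        out.append({**row, column: text})
    return out


if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS, "note"):
        print(f)
    for row in deidentify_rows(SAMPLE_ROWS, "note"):
        print(row["id"], row["note"])
```

Rows 2 and 4 are the ones a plain regex would wrongly flag; the checksum and structural rules are what let a scan run continuously over new data without drowning the governance team in false positives. In the real service the equivalent configuration is an InspectConfig listing the infoTypes, a BigQuery storage target, a schedule on the job trigger, and optionally a DeidentifyConfig with a CharacterMaskConfig.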

375
Multi-Selecthard

Which THREE of the following are common benefits of adopting a cloud infrastructure compared to on-premises? (Choose 3)

Select 3 answers
A.Ability to scale globally in minutes
B.Elimination of all security vulnerabilities
C.Pay-as-you-go pricing model
D.Complete transfer of security responsibility to the provider
E.Elimination of upfront capital expenses
AnswersA, C, E

Cloud providers operate global infrastructure that can be provisioned in minutes, bill for consumption rather than ownership, and absorb the capital cost of hardware.

Why this answer

Option A is correct because cloud infrastructure enables rapid global scaling by provisioning resources across multiple geographic regions within minutes, leveraging automated orchestration and APIs. This is a fundamental advantage over on-premises setups, which require lengthy procurement, shipping, and manual configuration to expand capacity. Option C is correct because pay-as-you-go pricing bills for the resources actually consumed, so capacity can be released when demand falls instead of sitting idle. Option E is correct because the provider owns the data centers and hardware, turning large upfront capital expenditure into operating expense.

Exam trap

Google Cloud often tests the shared responsibility model by presenting options that imply a complete transfer of security liability, leading candidates to mistakenly select Option D, when in fact the customer retains critical security duties (identity, access, data, and configuration). Option B is a similar absolute: moving to the cloud changes which vulnerabilities you manage, it does not eliminate them.
